@kya-os/mcp-i-core 1.3.12 → 1.3.14

package/src/delegation/delegation-graph.ts

@@ -1,299 +0,0 @@
-/**
- * Delegation Graph Manager
- *
- * Tracks parent-child relationships between delegation credentials.
- * Critical for cascading revocation per Delegation-Revocation.md.
- *
- * SOLID Principles:
- * - Single Responsibility: Only manages delegation relationships
- * - Open/Closed: Extensible via storage provider interface
- * - Liskov Substitution: Any storage provider can be used
- * - Interface Segregation: Minimal graph operations interface
- * - Dependency Inversion: Depends on storage abstraction
- *
- * Related Spec: MCP-I §4.4, Delegation Chains
- * Python Reference: Delegation-Revocation.md:45-67
- */
-
-/**
- * Delegation node in the graph
- */
-export interface DelegationNode {
-  /** Delegation credential ID */
-  id: string;
-
-  /** Parent delegation ID (null for root) */
-  parentId: string | null;
-
-  /** Child delegation IDs */
-  children: string[];
-
-  /** Issuer DID */
-  issuerDid: string;
-
-  /** Subject DID */
-  subjectDid: string;
-
-  /** Credential status reference (for revocation) */
-  credentialStatusId?: string;
-}
-
-/**
- * Storage provider interface for delegation graphs
- *
- * Platform-specific implementations (CloudflareKV, DynamoDB, etc.)
- */
-export interface DelegationGraphStorageProvider {
-  /**
-   * Get a delegation node by ID
-   */
-  getNode(delegationId: string): Promise<DelegationNode | null>;
-
-  /**
-   * Save a delegation node
-   */
-  setNode(node: DelegationNode): Promise<void>;
-
-  /**
-   * Get all children of a delegation
-   */
-  getChildren(delegationId: string): Promise<DelegationNode[]>;
-
-  /**
-   * Get the full chain from root to this delegation
-   */
-  getChain(delegationId: string): Promise<DelegationNode[]>;
-
-  /**
-   * Get all descendants (children, grandchildren, etc.)
-   */
-  getDescendants(delegationId: string): Promise<DelegationNode[]>;
-
-  /**
-   * Delete a node (used for cleanup)
-   */
-  deleteNode(delegationId: string): Promise<void>;
-}
-
-/**
- * Delegation Graph Manager
- *
- * Manages the tree/graph structure of delegations.
- * Per Delegation-Revocation.md:
- * - Track parent-child relationships
- * - Support chain validation
- * - Enable cascading revocation
- */
-export class DelegationGraphManager {
-  constructor(private storage: DelegationGraphStorageProvider) {}
-
-  /**
-   * Register a new delegation in the graph
-   *
-   * @param delegation - The delegation to register
-   * @returns The created node
-   */
-  async registerDelegation(params: {
-    id: string;
-    parentId: string | null;
-    issuerDid: string;
-    subjectDid: string;
-    credentialStatusId?: string;
-  }): Promise<DelegationNode> {
-    const node: DelegationNode = {
-      id: params.id,
-      parentId: params.parentId,
-      children: [],
-      issuerDid: params.issuerDid,
-      subjectDid: params.subjectDid,
-      credentialStatusId: params.credentialStatusId,
-    };
-
-    // Save the node
-    await this.storage.setNode(node);
-
-    // If has parent, add this as a child to parent
-    if (params.parentId) {
-      await this.addChildToParent(params.parentId, params.id);
-    }
-
-    return node;
-  }
-
-  /**
-   * Add a child to a parent node
-   *
-   * @param parentId - Parent delegation ID
-   * @param childId - Child delegation ID
-   */
-  private async addChildToParent(
-    parentId: string,
-    childId: string
-  ): Promise<void> {
-    const parent = await this.storage.getNode(parentId);
-    if (!parent) {
-      throw new Error(`Parent delegation not found: ${parentId}`);
-    }
-
-    // Add child if not already present
-    if (!parent.children.includes(childId)) {
-      parent.children.push(childId);
-      await this.storage.setNode(parent);
-    }
-  }
-
-  /**
-   * Get a delegation node
-   *
-   * @param delegationId - The delegation ID
-   * @returns The node, or null if not found
-   */
-  async getNode(delegationId: string): Promise<DelegationNode | null> {
-    return this.storage.getNode(delegationId);
-  }
-
-  /**
-   * Get all direct children of a delegation
-   *
-   * @param delegationId - The parent delegation ID
-   * @returns Array of child nodes
-   */
-  async getChildren(delegationId: string): Promise<DelegationNode[]> {
-    return this.storage.getChildren(delegationId);
-  }
-
-  /**
-   * Get all descendants (children, grandchildren, etc.)
-   *
-   * Used for cascading revocation.
-   * Per Delegation-Revocation.md:56-67
-   *
-   * @param delegationId - The parent delegation ID
-   * @returns Array of all descendant nodes
-   */
-  async getDescendants(delegationId: string): Promise<DelegationNode[]> {
-    return this.storage.getDescendants(delegationId);
-  }
-
-  /**
-   * Get the full delegation chain from root to this node
-   *
-   * Used for chain validation.
-   *
-   * @param delegationId - The delegation ID
-   * @returns Array of nodes from root to this node
-   */
-  async getChain(delegationId: string): Promise<DelegationNode[]> {
-    return this.storage.getChain(delegationId);
-  }
-
-  /**
-   * Check if delegation A is an ancestor of delegation B
-   *
-   * @param ancestorId - Potential ancestor ID
-   * @param descendantId - Potential descendant ID
-   * @returns true if ancestorId is an ancestor of descendantId
-   */
-  async isAncestor(
-    ancestorId: string,
-    descendantId: string
-  ): Promise<boolean> {
-    const chain = await this.getChain(descendantId);
-    return chain.some((node) => node.id === ancestorId);
-  }
-
-  /**
-   * Get the depth of a delegation in the tree
-   *
-   * @param delegationId - The delegation ID
-   * @returns Depth (0 for root, 1 for immediate child, etc.)
-   */
-  async getDepth(delegationId: string): Promise<number> {
-    const chain = await this.getChain(delegationId);
-    return chain.length - 1; // -1 because chain includes the node itself
-  }
-
-  /**
-   * Validate that a delegation chain is properly formed
-   *
-   * Checks that:
-   * - Each child's issuer is the parent's subject
-   * - No cycles exist
-   * - Chain is continuous
-   *
-   * @param delegationId - The delegation ID to validate
-   * @returns Validation result
-   */
-  async validateChain(delegationId: string): Promise<{
-    valid: boolean;
-    reason?: string;
-  }> {
-    const chain = await this.getChain(delegationId);
-
-    if (chain.length === 0) {
-      return { valid: false, reason: 'Delegation not found' };
-    }
-
-    // Check each link in the chain
-    for (let i = 1; i < chain.length; i++) {
-      const parent = chain[i - 1];
-      const child = chain[i];
-
-      // Child's issuer must be parent's subject
-      if (child.issuerDid !== parent.subjectDid) {
-        return {
-          valid: false,
-          reason: `Invalid chain: ${child.id} issued by ${child.issuerDid} but parent ${parent.id} subject is ${parent.subjectDid}`,
-        };
-      }
-
-      // Child's parent pointer must match parent's ID
-      if (child.parentId !== parent.id) {
-        return {
-          valid: false,
-          reason: `Invalid chain: ${child.id} parentId=${child.parentId} but actual parent is ${parent.id}`,
-        };
-      }
-    }
-
-    return { valid: true };
-  }
-
-  /**
-   * Remove a delegation from the graph
-   *
-   * Note: This doesn't cascade - use CascadingRevocationManager for that.
-   *
-   * @param delegationId - The delegation ID to remove
-   */
-  async removeDelegation(delegationId: string): Promise<void> {
-    const node = await this.storage.getNode(delegationId);
-    if (!node) return;
-
-    // Remove from parent's children list
-    if (node.parentId) {
-      const parent = await this.storage.getNode(node.parentId);
-      if (parent) {
-        parent.children = parent.children.filter((id) => id !== delegationId);
-        await this.storage.setNode(parent);
-      }
-    }
-
-    // Delete the node
-    await this.storage.deleteNode(delegationId);
-  }
-}
-
-/**
- * Create a delegation graph manager
- *
- * Convenience factory function.
- *
- * @param storage - Storage provider
- * @returns DelegationGraphManager instance
- */
-export function createDelegationGraph(
-  storage: DelegationGraphStorageProvider
-): DelegationGraphManager {
-  return new DelegationGraphManager(storage);
-}

package/src/delegation/did-key-resolver.ts

@@ -1,179 +0,0 @@
-/**
- * DID:key Resolver
- *
- * Resolves did:key DIDs to DID Documents with verification methods.
- * Supports Ed25519 keys (multicodec prefix 0xed01).
- *
- * did:key format: did:key:z<multibase-base58btc(<multicodec-prefix><public-key>)>
- *
- * For Ed25519:
- * - Multicodec prefix: 0xed 0x01
- * - Public key: 32 bytes
- * - Multibase prefix: 'z' (base58btc)
- *
- * @see https://w3c-ccg.github.io/did-method-key/
- */
-
-import { base58Decode } from '../utils/base58';
-import { base64urlEncodeFromBytes } from '../utils/base64';
-import type { DIDResolver, DIDDocument, VerificationMethod } from './vc-verifier';
-
-/** Ed25519 multicodec prefix (0xed 0x01) */
-const ED25519_MULTICODEC_PREFIX = new Uint8Array([0xed, 0x01]);
-
-/** Ed25519 public key length */
-const ED25519_PUBLIC_KEY_LENGTH = 32;
-
-/**
- * Check if a DID is a valid did:key with Ed25519 key
- *
- * Ed25519 keys in did:key start with 'z6Mk' after the method prefix.
- * The 'z' is the multibase prefix for base58btc, and '6Mk' is the
- * base58-encoded prefix for Ed25519 (0xed 0x01).
- *
- * @param did - The DID to check
- * @returns true if it's a valid did:key with Ed25519 key
- */
-export function isEd25519DidKey(did: string): boolean {
-  return did.startsWith('did:key:z6Mk');
-}
-
-/**
- * Extract the public key bytes from a did:key DID
- *
- * @param did - The did:key DID
- * @returns Public key bytes or null if invalid
- */
-export function extractPublicKeyFromDidKey(did: string): Uint8Array | null {
-  if (!did.startsWith('did:key:z')) {
-    return null;
-  }
-
-  try {
-    // Extract the multibase-encoded part (after 'did:key:')
-    const multibaseKey = did.replace('did:key:', '');
-
-    // Remove the 'z' multibase prefix (base58btc)
-    const base58Encoded = multibaseKey.slice(1);
-
-    // Decode from base58
-    const multicodecBytes = base58Decode(base58Encoded);
-
-    // Check for Ed25519 multicodec prefix (0xed 0x01)
-    if (
-      multicodecBytes.length < ED25519_MULTICODEC_PREFIX.length + ED25519_PUBLIC_KEY_LENGTH ||
-      multicodecBytes[0] !== ED25519_MULTICODEC_PREFIX[0] ||
-      multicodecBytes[1] !== ED25519_MULTICODEC_PREFIX[1]
-    ) {
-      return null;
-    }
-
-    // Extract the public key (bytes after the prefix)
-    return multicodecBytes.slice(ED25519_MULTICODEC_PREFIX.length);
-  } catch {
-    return null;
-  }
-}
-
-/**
- * Convert Ed25519 public key bytes to JWK format
- *
- * @param publicKeyBytes - 32-byte Ed25519 public key
- * @returns JWK object
- */
-export function publicKeyToJwk(publicKeyBytes: Uint8Array): {
-  kty: string;
-  crv: string;
-  x: string;
-} {
-  return {
-    kty: 'OKP',
-    crv: 'Ed25519',
-    x: base64urlEncodeFromBytes(publicKeyBytes),
-  };
-}
-
-/**
- * Create a DID:key resolver
- *
- * Returns a DIDResolver that can resolve did:key DIDs to DID Documents.
- * Currently supports only Ed25519 keys.
- *
- * @returns DIDResolver implementation for did:key
- */
-export function createDidKeyResolver(): DIDResolver {
-  return {
-    resolve: async (did: string): Promise<DIDDocument | null> => {
-      // Check if it's a did:key with Ed25519
-      if (!isEd25519DidKey(did)) {
-        return null;
-      }
-
-      // Extract the public key
-      const publicKeyBytes = extractPublicKeyFromDidKey(did);
-      if (!publicKeyBytes) {
-        return null;
-      }
-
-      // Convert to JWK
-      const publicKeyJwk = publicKeyToJwk(publicKeyBytes);
-
-      // Get the multibase-encoded key for publicKeyMultibase
-      const multibaseKey = did.replace('did:key:', '');
-
-      // Construct the verification method
-      const verificationMethod: VerificationMethod = {
-        id: `${did}#keys-1`,
-        type: 'Ed25519VerificationKey2020',
-        controller: did,
-        publicKeyJwk,
-        publicKeyMultibase: multibaseKey,
-      };
-
-      // Construct and return the DID Document
-      return {
-        id: did,
-        verificationMethod: [verificationMethod],
-        authentication: [`${did}#keys-1`],
-        assertionMethod: [`${did}#keys-1`],
-      };
-    },
-  };
-}
-
-/**
- * Resolve a did:key DID synchronously
- *
- * Convenience function for cases where async is not needed.
- *
- * @param did - The did:key DID to resolve
- * @returns DID Document or null if invalid
- */
-export function resolveDidKeySync(did: string): DIDDocument | null {
-  if (!isEd25519DidKey(did)) {
-    return null;
-  }
-
-  const publicKeyBytes = extractPublicKeyFromDidKey(did);
-  if (!publicKeyBytes) {
-    return null;
-  }
-
-  const publicKeyJwk = publicKeyToJwk(publicKeyBytes);
-  const multibaseKey = did.replace('did:key:', '');
-
-  const verificationMethod: VerificationMethod = {
-    id: `${did}#keys-1`,
-    type: 'Ed25519VerificationKey2020',
-    controller: did,
-    publicKeyJwk,
-    publicKeyMultibase: multibaseKey,
-  };
-
-  return {
-    id: did,
-    verificationMethod: [verificationMethod],
-    authentication: [`${did}#keys-1`],
-    assertionMethod: [`${did}#keys-1`],
-  };
-}

package/src/delegation/index.ts

@@ -1,14 +0,0 @@
-/**
- * Delegation Module Exports (Platform-Agnostic)
- *
- * W3C VC-based delegation issuance and verification.
- * Platform-specific adapters (Node.js, Cloudflare) provide signing/verification functions.
- */
-
-export * from './vc-issuer';
-export * from './vc-verifier';
-export * from './bitstring';
-export * from './statuslist-manager';
-export * from './delegation-graph';
-export * from './cascading-revocation';
-export * from './utils';