@kya-os/mcp-i 0.1.0-alpha.3.9 → 1.2.0

package/dist/test/local-verification.js

@@ -0,0 +1,342 @@
+"use strict";
+/**
+ * Local verification utilities for offline testing
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.verifyProofLocally = verifyProofLocally;
+exports.verifyDIDDocumentLocally = verifyDIDDocumentLocally;
+exports.createMockProof = createMockProof;
+const crypto_1 = require("crypto");
+const test_1 = require("@kya-os/contracts/test");
+const test_environment_1 = require("./test-environment");
+const mock_identity_provider_1 = require("./mock-identity-provider");
+/**
+ * Canonicalize data using JCS (JSON Canonicalization Scheme)
+ * For testing, we'll use a simplified version
+ */
+function canonicalizeJSON(data) {
+    // Simplified JCS implementation for testing
+    // In production, this would use a proper JCS library
+    return JSON.stringify(data, Object.keys(data).sort());
+}
+/**
+ * Generate SHA-256 hash with prefix
+ */
+function generateHash(data) {
+    return `sha256:${(0, crypto_1.createHash)("sha256").update(data).digest("hex")}`;
+}
+/**
+ * Verify Ed25519 signature locally (mock implementation for testing)
+ */
+function verifySignature(data, signature, publicKey) {
+    (0, test_environment_1.ensureTestMode)();
+    try {
+        // Mock signature verification for testing
+        // In production, this would use proper Ed25519 verification
+        const expectedSignature = (0, crypto_1.createHash)("sha256")
+            .update(data + publicKey)
+            .digest("base64");
+        const valid = signature === expectedSignature;
+        return {
+            valid,
+            error: valid ? undefined : "Signature verification failed",
+        };
+    }
+    catch (error) {
+        return {
+            valid: false,
+            error: error instanceof Error
+                ? error.message
+                : "Unknown signature verification error",
+        };
+    }
+}
+/**
+ * Verify proof structure and content
+ */
+function verifyProofStructure(proof) {
+    (0, test_environment_1.ensureTestMode)();
+    const errors = [];
+    // Check required fields
+    const requiredFields = ["jws", "meta"];
+    const requiredMetaFields = [
+        "did",
+        "kid",
+        "ts",
+        "nonce",
+        "audience",
+        "sessionId",
+        "requestHash",
+        "responseHash",
+    ];
+    let structure = true;
+    if (!proof || typeof proof !== "object") {
+        structure = false;
+        errors.push("Proof must be an object");
+    }
+    else {
+        for (const field of requiredFields) {
+            if (!(field in proof)) {
+                structure = false;
+                errors.push(`Missing required field: ${field}`);
+            }
+        }
+        if (proof.meta && typeof proof.meta === "object") {
+            for (const field of requiredMetaFields) {
+                if (!(field in proof.meta)) {
+                    structure = false;
+                    errors.push(`Missing required meta field: ${field}`);
+                }
+            }
+        }
+        else {
+            structure = false;
+            errors.push("Proof meta must be an object");
+        }
+    }
+    // Check timestamp validity (within reasonable bounds)
+    let timestamps = true;
+    if (proof?.meta?.ts) {
+        const now = Date.now() / 1000;
+        const proofTime = proof.meta.ts;
+        const skew = Math.abs(now - proofTime);
+        if (skew > 300) {
+            // 5 minutes for testing
+            timestamps = false;
+            errors.push(`Timestamp too far from current time: ${skew}s`);
+        }
+    }
+    else {
+        timestamps = false;
+        errors.push("Missing or invalid timestamp");
+    }
+    // Check hash format
+    let hashes = true;
+    if (proof?.meta?.requestHash &&
+        !proof.meta.requestHash.startsWith("sha256:")) {
+        hashes = false;
+        errors.push("Request hash must start with 'sha256:'");
+    }
+    if (proof?.meta?.responseHash &&
+        !proof.meta.responseHash.startsWith("sha256:")) {
+        hashes = false;
+        errors.push("Response hash must start with 'sha256:'");
+    }
+    const valid = structure && timestamps && hashes;
+    return {
+        valid,
+        structure,
+        timestamps,
+        hashes,
+        error: errors.length > 0 ? errors.join("; ") : undefined,
+    };
+}
+/**
+ * Verify session validity
+ */
+function verifySession(sessionId, timestamp) {
+    (0, test_environment_1.ensureTestMode)();
+    if (!sessionId || typeof sessionId !== "string") {
+        return {
+            valid: false,
+            expired: false,
+            error: "Invalid session ID",
+        };
+    }
+    // For testing, assume sessions are valid for 30 minutes
+    const now = Date.now() / 1000;
+    const sessionAge = now - timestamp;
+    const expired = sessionAge > 1800; // 30 minutes
+    return {
+        valid: !expired,
+        expired,
+        error: expired ? "Session expired" : undefined,
+    };
+}
+/**
+ * Perform local verification of a proof without KTA calls
+ */
+async function verifyProofLocally(proof, request, response) {
+    (0, test_environment_1.ensureTestMode)();
+    try {
+        const errors = [];
+        const warnings = [];
+        // Verify proof structure
+        const proofCheck = verifyProofStructure(proof);
+        if (!proofCheck.valid && proofCheck.error) {
+            errors.push(proofCheck.error);
+        }
+        let signatureValid = false;
+        let did;
+        let keyId;
+        if (proofCheck.structure && proof?.meta) {
+            did = proof.meta.did;
+            keyId = proof.meta.kid;
+            // Get mock identity for verification
+            const mockProvider = (0, mock_identity_provider_1.getMockIdentityProvider)();
+            const identity = mockProvider.getIdentity("agent1") ||
+                mockProvider.getIdentity("agent2") ||
+                mockProvider.getIdentity("verifier1");
+            if (identity && identity.did === did && identity.keyId === keyId) {
+                // Verify signature using mock implementation
+                const canonicalMeta = canonicalizeJSON(proof.meta);
+                const signatureCheck = verifySignature(canonicalMeta, proof.jws, identity.publicKey);
+                signatureValid = signatureCheck.valid;
+                if (!signatureValid && signatureCheck.error) {
+                    errors.push(signatureCheck.error);
+                }
+            }
+            else {
+                errors.push(`No matching identity found for DID: ${did}, KeyID: ${keyId}`);
+            }
+        }
+        // Verify session
+        const sessionCheck = verifySession(proof?.meta?.sessionId, proof?.meta?.ts);
+        if (!sessionCheck.valid && sessionCheck.error) {
+            errors.push(sessionCheck.error);
+        }
+        if (sessionCheck.expired) {
+            warnings.push("Session is expired");
+        }
+        // Verify hashes if request/response provided
+        if (request && proof?.meta?.requestHash) {
+            const expectedRequestHash = generateHash(canonicalizeJSON(request));
+            if (expectedRequestHash !== proof.meta.requestHash) {
+                errors.push("Request hash mismatch");
+            }
+        }
+        if (response && proof?.meta?.responseHash) {
+            const expectedResponseHash = generateHash(canonicalizeJSON(response));
+            if (expectedResponseHash !== proof.meta.responseHash) {
+                errors.push("Response hash mismatch");
+            }
+        }
+        const result = {
+            valid: errors.length === 0,
+            did,
+            keyId,
+            signature: {
+                valid: signatureValid,
+                algorithm: "EdDSA",
+                error: signatureValid ? undefined : "Signature verification failed",
+            },
+            proof: proofCheck,
+            session: sessionCheck,
+            errors,
+            warnings,
+        };
+        return test_1.LocalVerificationResultSchema.parse(result);
+    }
+    catch (error) {
+        const errorMessage = error instanceof Error ? error.message : "Unknown verification error";
+        return test_1.LocalVerificationResultSchema.parse({
+            valid: false,
+            signature: {
+                valid: false,
+                algorithm: "EdDSA",
+                error: "Verification failed",
+            },
+            proof: {
+                valid: false,
+                structure: false,
+                timestamps: false,
+                hashes: false,
+                error: errorMessage,
+            },
+            session: {
+                valid: false,
+                expired: false,
+                error: "Session verification failed",
+            },
+            errors: [errorMessage],
+            warnings: [],
+        });
+    }
+}
+/**
+ * Verify DID document locally (mock implementation)
+ */
+async function verifyDIDDocumentLocally(did) {
+    (0, test_environment_1.ensureTestMode)();
+    try {
+        const mockProvider = (0, mock_identity_provider_1.getMockIdentityProvider)();
+        const identities = mockProvider.getAllIdentities();
+        // Find identity with matching DID
+        const identity = Object.values(identities).find((id) => id.did === did);
+        if (!identity) {
+            return {
+                valid: false,
+                error: `No identity found for DID: ${did}`,
+            };
+        }
+        // Generate mock DID document
+        const document = {
+            "@context": ["https://www.w3.org/ns/did/v1"],
+            id: did,
+            verificationMethod: [
+                {
+                    id: `${did}#${identity.keyId}`,
+                    type: "Ed25519VerificationKey2020",
+                    controller: did,
+                    publicKeyMultibase: `z${identity.publicKey}`,
+                },
+            ],
+            authentication: [`${did}#${identity.keyId}`],
+            assertionMethod: [`${did}#${identity.keyId}`],
+        };
+        return {
+            valid: true,
+            document,
+        };
+    }
+    catch (error) {
+        return {
+            valid: false,
+            error: error instanceof Error
+                ? error.message
+                : "Unknown DID verification error",
+        };
+    }
+}
+/**
+ * Create a mock proof for testing
+ */
+function createMockProof(options) {
+    (0, test_environment_1.ensureTestMode)();
+    const mockProvider = (0, mock_identity_provider_1.getMockIdentityProvider)();
+    const identity = mockProvider.getIdentity("agent1");
+    if (!identity) {
+        throw new Error(`${test_1.TEST_ERROR_CODES.LOCAL_VERIFICATION_FAILED}: No test identity available`);
+    }
+    const now = Math.floor(Date.now() / 1000);
+    const did = options.did || identity.did;
+    const keyId = options.keyId || identity.keyId;
+    const sessionId = options.sessionId || "sess_test_mock";
+    const nonce = options.nonce || "mock_nonce";
+    const audience = options.audience || "test.example.com";
+    const requestHash = options.request
+        ? generateHash(canonicalizeJSON(options.request))
+        : "sha256:mock_request_hash";
+    const responseHash = options.response
+        ? generateHash(canonicalizeJSON(options.response))
+        : "sha256:mock_response_hash";
+    const meta = {
+        did,
+        kid: keyId,
+        ts: now,
+        nonce,
+        audience,
+        sessionId,
+        requestHash,
+        responseHash,
+    };
+    // Generate mock JWS signature
+    const canonicalMeta = canonicalizeJSON(meta);
+    const jws = (0, crypto_1.createHash)("sha256")
+        .update(canonicalMeta + identity.publicKey)
+        .digest("base64");
+    return {
+        jws,
+        meta,
+    };
+}

package/dist/test/mock-identity-provider.d.ts

@@ -0,0 +1,96 @@
+/**
+ * Mock Identity Provider for testing
+ */
+import { type MockIdentity, type MockDelegationStatus, type MockKTAFailureType, type MockIdentityProviderConfig } from "@kya-os/contracts/test";
+/**
+ * Mock Identity Provider for testing XMCP-I applications
+ */
+export declare class MockIdentityProvider {
+    private identities;
+    private delegations;
+    private ktaFailures;
+    private deterministicSeed?;
+    constructor(config?: Partial<MockIdentityProviderConfig>);
+    /**
+     * Configure the mock provider
+     */
+    configure(config: Partial<MockIdentityProviderConfig>): void;
+    /**
+     * Load predefined test identities
+     */
+    private loadPredefinedIdentities;
+    /**
+     * Set identity for a given key
+     */
+    setIdentity(key: string, identity: MockIdentity): void;
+    /**
+     * Get identity by key
+     */
+    getIdentity(key: string): MockIdentity | undefined;
+    /**
+     * Generate and set a new test identity
+     */
+    generateIdentity(key: string, testName: string, options?: {
+        did?: string;
+        keyId?: string;
+    }): MockIdentity;
+    /**
+     * Set delegation status for a DID:KeyID combination
+     */
+    setDelegation(didKeyId: string, status: MockDelegationStatus): void;
+    /**
+     * Get delegation status
+     */
+    getDelegationStatus(did: string, keyId: string): MockDelegationStatus;
+    /**
+     * Simulate KTA failure scenarios
+     */
+    simulateKTAFailure(errorType: MockKTAFailureType): void;
+    /**
+     * Clear KTA failure simulation
+     */
+    clearKTAFailure(errorType: MockKTAFailureType): void;
+    /**
+     * Check if a KTA failure should be simulated
+     */
+    shouldSimulateKTAFailure(errorType: MockKTAFailureType): boolean;
+    /**
+     * Get all active KTA failures
+     */
+    getActiveKTAFailures(): MockKTAFailureType[];
+    /**
+     * Mock KTA registration call
+     */
+    mockRegister(did: string, _keyId: string): Promise<{
+        success: boolean;
+        agentURL?: string;
+        error?: string;
+    }>;
+    /**
+     * Mock KTA delegation check
+     */
+    mockCheckDelegation(did: string, keyId: string): Promise<{
+        status: MockDelegationStatus;
+        error?: string;
+    }>;
+    /**
+     * Reset the mock provider to initial state
+     */
+    reset(): void;
+    /**
+     * Get all configured identities
+     */
+    getAllIdentities(): Record<string, MockIdentity>;
+    /**
+     * Get all delegation statuses
+     */
+    getAllDelegations(): Record<string, MockDelegationStatus>;
+}
+/**
+ * Get or create the global mock identity provider
+ */
+export declare function getMockIdentityProvider(): MockIdentityProvider;
+/**
+ * Reset the global mock identity provider
+ */
+export declare function resetMockIdentityProvider(): void;

package/dist/test/mock-identity-provider.js

@@ -0,0 +1,243 @@
+"use strict";
+/**
+ * Mock Identity Provider for testing
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MockIdentityProvider = void 0;
+exports.getMockIdentityProvider = getMockIdentityProvider;
+exports.resetMockIdentityProvider = resetMockIdentityProvider;
+const test_1 = require("@kya-os/contracts/test");
+const test_environment_1 = require("./test-environment");
+const deterministic_keys_1 = require("./deterministic-keys");
+/**
+ * Mock Identity Provider for testing XMCP-I applications
+ */
+class MockIdentityProvider {
+    identities = new Map();
+    delegations = new Map();
+    ktaFailures = new Set();
+    deterministicSeed;
+    constructor(config) {
+        (0, test_environment_1.ensureTestMode)();
+        if (config) {
+            this.configure(config);
+        }
+        else {
+            // Load predefined test identities by default
+            this.loadPredefinedIdentities();
+        }
+    }
+    /**
+     * Configure the mock provider
+     */
+    configure(config) {
+        (0, test_environment_1.ensureTestMode)();
+        // Validate configuration
+        const validatedConfig = test_1.MockIdentityProviderConfigSchema.partial().parse(config);
+        if (validatedConfig.identities) {
+            this.identities.clear();
+            Object.entries(validatedConfig.identities).forEach(([key, identity]) => {
+                this.identities.set(key, identity);
+            });
+        }
+        if (validatedConfig.delegations) {
+            this.delegations.clear();
+            Object.entries(validatedConfig.delegations).forEach(([key, status]) => {
+                this.delegations.set(key, status);
+            });
+        }
+        if (validatedConfig.ktaFailures) {
+            this.ktaFailures.clear();
+            validatedConfig.ktaFailures.forEach((failure) => {
+                this.ktaFailures.add(failure);
+            });
+        }
+        if (validatedConfig.deterministicSeed) {
+            this.deterministicSeed = validatedConfig.deterministicSeed;
+        }
+    }
+    /**
+     * Load predefined test identities
+     */
+    loadPredefinedIdentities() {
+        const predefined = (0, deterministic_keys_1.getPredefinedTestIdentities)();
+        Object.entries(predefined).forEach(([key, identity]) => {
+            this.identities.set(key, identity);
+            // Set all predefined identities as active by default
+            this.delegations.set(`${identity.did}:${identity.keyId}`, "active");
+        });
+    }
+    /**
+     * Set identity for a given key
+     */
+    setIdentity(key, identity) {
+        (0, test_environment_1.ensureTestMode)();
+        this.identities.set(key, identity);
+    }
+    /**
+     * Get identity by key
+     */
+    getIdentity(key) {
+        (0, test_environment_1.ensureTestMode)();
+        return this.identities.get(key);
+    }
+    /**
+     * Generate and set a new test identity
+     */
+    generateIdentity(key, testName, options) {
+        (0, test_environment_1.ensureTestMode)();
+        const identity = (0, deterministic_keys_1.generateTestIdentity)(testName, {
+            ...options,
+            seed: this.deterministicSeed,
+        });
+        this.setIdentity(key, identity);
+        this.setDelegation(`${identity.did}:${identity.keyId}`, "active");
+        return identity;
+    }
+    /**
+     * Set delegation status for a DID:KeyID combination
+     */
+    setDelegation(didKeyId, status) {
+        (0, test_environment_1.ensureTestMode)();
+        this.delegations.set(didKeyId, status);
+    }
+    /**
+     * Get delegation status
+     */
+    getDelegationStatus(did, keyId) {
+        (0, test_environment_1.ensureTestMode)();
+        return this.delegations.get(`${did}:${keyId}`) || "revoked";
+    }
+    /**
+     * Simulate KTA failure scenarios
+     */
+    simulateKTAFailure(errorType) {
+        (0, test_environment_1.ensureTestMode)();
+        this.ktaFailures.add(errorType);
+    }
+    /**
+     * Clear KTA failure simulation
+     */
+    clearKTAFailure(errorType) {
+        (0, test_environment_1.ensureTestMode)();
+        this.ktaFailures.delete(errorType);
+    }
+    /**
+     * Check if a KTA failure should be simulated
+     */
+    shouldSimulateKTAFailure(errorType) {
+        (0, test_environment_1.ensureTestMode)();
+        return this.ktaFailures.has(errorType);
+    }
+    /**
+     * Get all active KTA failures
+     */
+    getActiveKTAFailures() {
+        (0, test_environment_1.ensureTestMode)();
+        return Array.from(this.ktaFailures);
+    }
+    /**
+     * Mock KTA registration call
+     */
+    async mockRegister(did, _keyId) {
+        (0, test_environment_1.ensureTestMode)();
+        // Simulate network failure
+        if (this.shouldSimulateKTAFailure("network")) {
+            throw new Error(`${test_1.TEST_ERROR_CODES.MOCK_KTA_FAILURE}: Network error`);
+        }
+        // Simulate auth failure
+        if (this.shouldSimulateKTAFailure("auth")) {
+            return {
+                success: false,
+                error: "Authentication failed",
+            };
+        }
+        // Simulate invalid response
+        if (this.shouldSimulateKTAFailure("invalid")) {
+            return {
+                success: false,
+                error: "Invalid response from KTA",
+            };
+        }
+        // Simulate timeout
+        if (this.shouldSimulateKTAFailure("timeout")) {
+            await new Promise((resolve) => setTimeout(resolve, 5000));
+            throw new Error(`${test_1.TEST_ERROR_CODES.MOCK_KTA_FAILURE}: Request timeout`);
+        }
+        // Success case
+        return {
+            success: true,
+            agentURL: `https://test-kta.example.com/agents/${did.replace("did:test:", "")}`,
+        };
+    }
+    /**
+     * Mock KTA delegation check
+     */
+    async mockCheckDelegation(did, keyId) {
+        (0, test_environment_1.ensureTestMode)();
+        // Simulate failures if configured
+        if (this.shouldSimulateKTAFailure("network")) {
+            throw new Error(`${test_1.TEST_ERROR_CODES.MOCK_KTA_FAILURE}: Network error during delegation check`);
+        }
+        if (this.shouldSimulateKTAFailure("auth")) {
+            return {
+                status: "revoked",
+                error: "Authentication failed",
+            };
+        }
+        const status = this.getDelegationStatus(did, keyId);
+        return { status };
+    }
+    /**
+     * Reset the mock provider to initial state
+     */
+    reset() {
+        (0, test_environment_1.ensureTestMode)();
+        this.identities.clear();
+        this.delegations.clear();
+        this.ktaFailures.clear();
+        this.deterministicSeed = undefined;
+        this.loadPredefinedIdentities();
+    }
+    /**
+     * Get all configured identities
+     */
+    getAllIdentities() {
+        (0, test_environment_1.ensureTestMode)();
+        return Object.fromEntries(this.identities.entries());
+    }
+    /**
+     * Get all delegation statuses
+     */
+    getAllDelegations() {
+        (0, test_environment_1.ensureTestMode)();
+        return Object.fromEntries(this.delegations.entries());
+    }
+}
+exports.MockIdentityProvider = MockIdentityProvider;
+/**
+ * Global mock identity provider instance for testing
+ */
+let globalMockProvider;
+/**
+ * Get or create the global mock identity provider
+ */
+function getMockIdentityProvider() {
+    (0, test_environment_1.ensureTestMode)();
+    if (!globalMockProvider) {
+        globalMockProvider = new MockIdentityProvider();
+    }
+    return globalMockProvider;
+}
+/**
+ * Reset the global mock identity provider
+ */
+function resetMockIdentityProvider() {
+    (0, test_environment_1.ensureTestMode)();
+    if (globalMockProvider) {
+        globalMockProvider.reset();
+    }
+    else {
+        globalMockProvider = new MockIdentityProvider();
+    }
+}