@kya-os/mcp-i 0.1.0 → 1.2.0

package/dist/storage/delegation.js

@@ -0,0 +1,130 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DefaultDelegationManager = void 0;
+exports.createDelegationManager = createDelegationManager;
+exports.extractDelegationContext = extractDelegationContext;
+const config_1 = require("./config");
+/**
+ * Default delegation manager implementation
+ */
+class DefaultDelegationManager {
+    config;
+    constructor(config) {
+        this.config = (0, config_1.createStorageConfig)(config);
+    }
+    async issue(request) {
+        // TODO: Replace with actual KTA delegation API call
+        // This is a placeholder implementation
+        const now = Math.floor(Date.now() / 1000);
+        const duration = request.duration || 3600; // Default 1 hour
+        const delegation = {
+            issuer: "did:web:example.com:issuer", // TODO: Get from identity
+            subject: request.subject,
+            scopes: request.scopes,
+            nbf: now,
+            exp: now + duration,
+            aud: request.audience,
+        };
+        // Mock receipt
+        const receipt = {
+            $schema: "https://schemas.kya-os.ai/mcpi/receipt/v1.0.0.json",
+            ref: `del_${Date.now()}_${Math.random().toString(36).substr(2, 9)}`,
+            contentHash: `sha256:${Array.from({ length: 64 }, () => Math.floor(Math.random() * 16).toString(16)).join("")}`,
+            action: "issue",
+            ts: now,
+            logIndex: Math.floor(Math.random() * 10000),
+            logRoot: Array.from({ length: 64 }, () => Math.floor(Math.random() * 16).toString(16)).join(""),
+            inclusionProof: [
+                Array.from({ length: 64 }, () => Math.floor(Math.random() * 16).toString(16)).join(""),
+            ],
+        };
+        const response = {
+            delegation,
+            receipt,
+        };
+        // Add encrypted payload for ktaEncrypted mode
+        if (this.config.mode === "ktaEncrypted" && this.config.encryptionEnabled) {
+            response.encryptedPayload = await this.encryptDelegation(delegation, request.audience);
+        }
+        return response;
+    }
+    async revoke(_delegationRef) {
+        // TODO: Replace with actual KTA revocation API call
+        // This is a placeholder implementation
+        const receipt = {
+            $schema: "https://schemas.kya-os.ai/mcpi/receipt/v1.0.0.json",
+            ref: `rev_${Date.now()}_${Math.random().toString(36).substr(2, 9)}`,
+            contentHash: `sha256:${Array.from({ length: 64 }, () => Math.floor(Math.random() * 16).toString(16)).join("")}`,
+            action: "revoke",
+            ts: Math.floor(Date.now() / 1000),
+            logIndex: Math.floor(Math.random() * 10000),
+            logRoot: Array.from({ length: 64 }, () => Math.floor(Math.random() * 16).toString(16)).join(""),
+            inclusionProof: [
+                Array.from({ length: 64 }, () => Math.floor(Math.random() * 16).toString(16)).join(""),
+            ],
+        };
+        return receipt;
+    }
+    async isActive(delegationRef) {
+        // TODO: Replace with actual KTA status check
+        // This is a placeholder implementation
+        // Mock: assume delegation is active if ref looks valid
+        return delegationRef.startsWith("del_") && delegationRef.length > 10;
+    }
+    async get(delegationRef) {
+        // TODO: Replace with actual KTA lookup
+        // This is a placeholder implementation
+        if (!(await this.isActive(delegationRef))) {
+            return null;
+        }
+        // Mock delegation
+        const now = Math.floor(Date.now() / 1000);
+        return {
+            issuer: "did:web:example.com:issuer",
+            subject: "did:web:example.com:subject",
+            scopes: ["read", "write"],
+            nbf: now - 3600,
+            exp: now + 3600,
+            delegationRef,
+        };
+    }
+    async listBySubject(_subject) {
+        // TODO: Replace with actual KTA query
+        // This is a placeholder implementation
+        // Mock: return empty list for now
+        return [];
+    }
+    /**
+     * Encrypt delegation payload for audience
+     */
+    async encryptDelegation(delegation, _audience) {
+        // TODO: Implement actual audience-key encryption
+        // This is a placeholder implementation
+        const payload = JSON.stringify(delegation);
+        // Mock encryption: base64 encode for now
+        // In real implementation, this would use the audience's public key
+        return Buffer.from(payload).toString("base64");
+    }
+}
+exports.DefaultDelegationManager = DefaultDelegationManager;
+/**
+ * Create delegation manager instance
+ */
+function createDelegationManager(config) {
+    return new DefaultDelegationManager(config);
+}
+/**
+ * Extract delegation context from proof metadata
+ */
+function extractDelegationContext(delegationRef) {
+    if (!delegationRef) {
+        return null;
+    }
+    // TODO: Parse delegation reference and extract context
+    // This is a placeholder implementation
+    return {
+        delegationRef,
+        scopes: ["read", "write"], // Mock scopes
+        expiresAt: Date.now() + 3600000, // Mock expiry (1 hour from now)
+    };
+}

package/dist/storage/merkle-verifier.d.ts

@@ -0,0 +1,84 @@
+import type { Receipt } from "@kya-os/contracts/registry";
+/**
+ * Merkle log verifier for receipt verification
+ */
+export interface MerkleProofNode {
+    hash: string;
+    isLeft: boolean;
+}
+export interface LogRoot {
+    root: string;
+    size: number;
+    timestamp: number;
+}
+export interface VerificationResult {
+    valid: boolean;
+    error?: string;
+    logRoot?: LogRoot;
+}
+/**
+ * Merkle log verifier implementation
+ */
+export declare class MerkleLogVerifier {
+    /**
+     * Verify a receipt's inclusion proof against a log root
+     */
+    static verifyInclusion(receipt: Receipt, logRoot: LogRoot): Promise<VerificationResult>;
+    /**
+     * Compute leaf hash from receipt content
+     */
+    private static computeLeafHash;
+    /**
+     * Compute root hash from inclusion proof
+     */
+    private static computeRootFromProof;
+    /**
+     * Hash a pair of nodes
+     */
+    private static hashPair;
+    /**
+     * Verify consistency between two log roots
+     */
+    static verifyConsistency(oldRoot: LogRoot, newRoot: LogRoot, consistencyProof: string[]): Promise<VerificationResult>;
+}
+/**
+ * Receipt verifier with policy controls
+ */
+export declare class ReceiptVerifier {
+    private options;
+    constructor(options?: ReceiptVerifierOptions);
+    /**
+     * Verify a receipt against KTA log
+     */
+    verify(receipt: Receipt): Promise<VerificationResult>;
+    /**
+     * Batch verify multiple receipts
+     */
+    verifyBatch(receipts: Receipt[]): Promise<VerificationResult[]>;
+    /**
+     * Fetch current log root from KTA
+     */
+    private fetchLogRoot;
+}
+export interface ReceiptVerifierOptions {
+    /**
+     * Enable receipt verification
+     */
+    enabled?: boolean;
+    /**
+     * KTA base URL
+     */
+    ktaBaseUrl?: string;
+    /**
+     * Allow mock data for testing
+     */
+    allowMockData?: boolean;
+    /**
+     * Cache log root for this duration (seconds)
+     */
+    cacheLogRootTtl?: number;
+}
+/**
+ * Create receipt verifier instance
+ */
+export declare function createReceiptVerifier(options?: ReceiptVerifierOptions): ReceiptVerifier;

package/dist/storage/merkle-verifier.js

@@ -0,0 +1,261 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ReceiptVerifier = exports.MerkleLogVerifier = void 0;
+exports.createReceiptVerifier = createReceiptVerifier;
+const crypto_1 = require("crypto");
+/**
+ * Merkle log verifier implementation
+ */
+class MerkleLogVerifier {
+    /**
+     * Verify a receipt's inclusion proof against a log root
+     */
+    static async verifyInclusion(receipt, logRoot) {
+        try {
+            // Validate receipt format
+            if (!receipt.inclusionProof || !Array.isArray(receipt.inclusionProof)) {
+                return {
+                    valid: false,
+                    error: "Invalid inclusion proof format",
+                };
+            }
+            if (receipt.logIndex < 0 || receipt.logIndex >= logRoot.size) {
+                return {
+                    valid: false,
+                    error: `Log index ${receipt.logIndex} out of bounds for log size ${logRoot.size}`,
+                };
+            }
+            // Compute leaf hash from receipt content
+            const leafHash = await this.computeLeafHash(receipt);
+            // Verify inclusion proof
+            const computedRoot = await this.computeRootFromProof(leafHash, receipt.logIndex, receipt.inclusionProof);
+            const isValid = computedRoot === logRoot.root;
+            return {
+                valid: isValid,
+                error: isValid ? undefined : "Inclusion proof verification failed",
+                logRoot,
+            };
+        }
+        catch (error) {
+            return {
+                valid: false,
+                error: error instanceof Error ? error.message : "Verification failed",
+            };
+        }
+    }
+    /**
+     * Compute leaf hash from receipt content
+     */
+    static async computeLeafHash(receipt) {
+        // Create canonical representation of receipt for hashing
+        const canonical = {
+            ref: receipt.ref,
+            contentHash: receipt.contentHash,
+            action: receipt.action,
+            ts: receipt.ts,
+        };
+        const encoder = new TextEncoder();
+        const data = encoder.encode(JSON.stringify(canonical));
+        const hashBuffer = await crypto_1.webcrypto.subtle.digest("SHA-256", data);
+        const hashArray = new Uint8Array(hashBuffer);
+        return Array.from(hashArray)
+            .map((b) => b.toString(16).padStart(2, "0"))
+            .join("");
+    }
+    /**
+     * Compute root hash from inclusion proof
+     */
+    static async computeRootFromProof(leafHash, leafIndex, proof) {
+        let currentHash = leafHash;
+        let currentIndex = leafIndex;
+        for (const proofHash of proof) {
+            // Determine if current node is left or right child
+            const isLeftChild = currentIndex % 2 === 0;
+            if (isLeftChild) {
+                // Current node is left child, proof hash is right sibling
+                currentHash = await this.hashPair(currentHash, proofHash);
+            }
+            else {
+                // Current node is right child, proof hash is left sibling
+                currentHash = await this.hashPair(proofHash, currentHash);
+            }
+            // Move up to parent level
+            currentIndex = Math.floor(currentIndex / 2);
+        }
+        return currentHash;
+    }
+    /**
+     * Hash a pair of nodes
+     */
+    static async hashPair(left, right) {
+        const encoder = new TextEncoder();
+        const data = encoder.encode(left + right);
+        const hashBuffer = await crypto_1.webcrypto.subtle.digest("SHA-256", data);
+        const hashArray = new Uint8Array(hashBuffer);
+        return Array.from(hashArray)
+            .map((b) => b.toString(16).padStart(2, "0"))
+            .join("");
+    }
+    /**
+     * Verify consistency between two log roots
+     */
+    static async verifyConsistency(oldRoot, newRoot, consistencyProof) {
+        try {
+            if (oldRoot.size > newRoot.size) {
+                return {
+                    valid: false,
+                    error: "Old log size cannot be greater than new log size",
+                };
+            }
+            if (oldRoot.size === newRoot.size) {
+                // Same size, roots should be identical
+                return {
+                    valid: oldRoot.root === newRoot.root,
+                    error: oldRoot.root === newRoot.root
+                        ? undefined
+                        : "Roots don't match for same size logs",
+                };
+            }
+            // TODO: Implement full consistency proof verification
+            // This is a simplified version for demonstration
+            const isValid = consistencyProof.length > 0 && oldRoot.timestamp <= newRoot.timestamp;
+            return {
+                valid: isValid,
+                error: isValid ? undefined : "Consistency proof verification failed",
+                logRoot: newRoot,
+            };
+        }
+        catch (error) {
+            return {
+                valid: false,
+                error: error instanceof Error
+                    ? error.message
+                    : "Consistency verification failed",
+            };
+        }
+    }
+}
+exports.MerkleLogVerifier = MerkleLogVerifier;
+/**
+ * Receipt verifier with policy controls
+ */
+class ReceiptVerifier {
+    options;
+    constructor(options = {}) {
+        this.options = options;
+    }
+    /**
+     * Verify a receipt against KTA log
+     */
+    async verify(receipt) {
+        try {
+            // Skip verification if disabled
+            if (!this.options.enabled) {
+                return {
+                    valid: true,
+                    error: "Receipt verification disabled",
+                };
+            }
+            // Fetch current log root from KTA
+            const logRoot = await this.fetchLogRoot();
+            if (!logRoot) {
+                return {
+                    valid: false,
+                    error: "Failed to fetch log root from KTA",
+                };
+            }
+            // Verify inclusion proof
+            return await MerkleLogVerifier.verifyInclusion(receipt, logRoot);
+        }
+        catch (error) {
+            return {
+                valid: false,
+                error: error instanceof Error
+                    ? error.message
+                    : "Receipt verification failed",
+            };
+        }
+    }
+    /**
+     * Batch verify multiple receipts
+     */
+    async verifyBatch(receipts) {
+        const results = [];
+        // Fetch log root once for all receipts
+        const logRoot = this.options.enabled ? await this.fetchLogRoot() : null;
+        for (const receipt of receipts) {
+            if (!this.options.enabled) {
+                results.push({
+                    valid: true,
+                    error: "Receipt verification disabled",
+                });
+                continue;
+            }
+            if (!logRoot) {
+                results.push({
+                    valid: false,
+                    error: "Failed to fetch log root from KTA",
+                });
+                continue;
+            }
+            try {
+                const result = await MerkleLogVerifier.verifyInclusion(receipt, logRoot);
+                results.push(result);
+            }
+            catch (error) {
+                results.push({
+                    valid: false,
+                    error: error instanceof Error
+                        ? error.message
+                        : "Receipt verification failed",
+                });
+            }
+        }
+        return results;
+    }
+    /**
+     * Fetch current log root from KTA
+     */
+    async fetchLogRoot() {
+        try {
+            // TODO: Replace with actual KTA API call
+            // This is a placeholder implementation
+            const ktaUrl = this.options.ktaBaseUrl || "https://knowthat.ai";
+            const response = await fetch(`${ktaUrl}/api/log/root`);
+            if (!response.ok) {
+                throw new Error(`KTA API error: ${response.status}`);
+            }
+            const data = await response.json();
+            return {
+                root: data.root,
+                size: data.size,
+                timestamp: data.timestamp,
+            };
+        }
+        catch (error) {
+            // In case of network error, return mock data for testing
+            if (this.options.allowMockData) {
+                return {
+                    root: Array.from({ length: 64 }, () => Math.floor(Math.random() * 16).toString(16)).join(""),
+                    size: 10000,
+                    timestamp: Math.floor(Date.now() / 1000),
+                };
+            }
+            console.warn("Failed to fetch log root from KTA:", error);
+            return null;
+        }
+    }
+}
+exports.ReceiptVerifier = ReceiptVerifier;
+/**
+ * Create receipt verifier instance
+ */
+function createReceiptVerifier(options) {
+    return new ReceiptVerifier({
+        enabled: true,
+        ktaBaseUrl: "https://knowthat.ai",
+        allowMockData: false,
+        cacheLogRootTtl: 300, // 5 minutes
+        ...options,
+    });
+}

package/dist/test/__tests__/nonce-cache-integration.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/test/__tests__/nonce-cache-integration.test.js

@@ -0,0 +1,116 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const vitest_1 = require("vitest");
+const index_js_1 = require("../../cache/index.js");
+/**
+ * Integration tests showing how nonce cache would be used in session management
+ */
+(0, vitest_1.describe)("Nonce Cache Integration", () => {
+    let cache;
+    (0, vitest_1.beforeEach)(async () => {
+        cache = await (0, index_js_1.createNonceCache)();
+    });
+    (0, vitest_1.describe)("Session Management Integration", () => {
+        class MockSessionManager {
+            nonceCache;
+            constructor(nonceCache) {
+                this.nonceCache = nonceCache;
+            }
+            async validateHandshake(nonce, sessionTtl) {
+                // Check for replay attack
+                if (await this.nonceCache.has(nonce)) {
+                    throw new Error("XMCP_I_EHANDSHAKE: Nonce already used - potential replay attack");
+                }
+                // Add nonce with session TTL to prevent replay
+                await this.nonceCache.add(nonce, sessionTtl);
+            }
+            async isNonceUsed(nonce) {
+                return await this.nonceCache.has(nonce);
+            }
+            async cleanup() {
+                await this.nonceCache.cleanup();
+            }
+        }
+        (0, vitest_1.it)("should prevent replay attacks in session management", async () => {
+            const sessionManager = new MockSessionManager(cache);
+            const nonce = "test-nonce-123";
+            const sessionTtl = 1800; // 30 minutes
+            // First handshake should succeed
+            await (0, vitest_1.expect)(sessionManager.validateHandshake(nonce, sessionTtl)).resolves.not.toThrow();
+            // Verify nonce is now marked as used
+            (0, vitest_1.expect)(await sessionManager.isNonceUsed(nonce)).toBe(true);
+            // Second handshake with same nonce should fail (replay attack)
+            await (0, vitest_1.expect)(sessionManager.validateHandshake(nonce, sessionTtl)).rejects.toThrow("potential replay attack");
+        });
+        (0, vitest_1.it)("should handle sequential nonce validation attempts", async () => {
+            const sessionManager = new MockSessionManager(cache);
+            const nonce = "sequential-nonce";
+            const sessionTtl = 1800;
+            // First attempt should succeed
+            await (0, vitest_1.expect)(sessionManager.validateHandshake(nonce, sessionTtl)).resolves.not.toThrow();
+            // Subsequent attempts should fail (replay attack)
+            await (0, vitest_1.expect)(sessionManager.validateHandshake(nonce, sessionTtl)).rejects.toThrow("potential replay attack");
+            await (0, vitest_1.expect)(sessionManager.validateHandshake(nonce, sessionTtl)).rejects.toThrow("potential replay attack");
+        });
+        (0, vitest_1.it)("should allow different nonces in the same session window", async () => {
+            const sessionManager = new MockSessionManager(cache);
+            const sessionTtl = 1800;
+            // Different nonces should all be allowed
+            const nonces = ["nonce-1", "nonce-2", "nonce-3"];
+            for (const nonce of nonces) {
+                await (0, vitest_1.expect)(sessionManager.validateHandshake(nonce, sessionTtl)).resolves.not.toThrow();
+            }
+            // All nonces should be marked as used
+            for (const nonce of nonces) {
+                (0, vitest_1.expect)(await sessionManager.isNonceUsed(nonce)).toBe(true);
+            }
+        });
+        (0, vitest_1.it)("should handle nonce expiry correctly", async () => {
+            const sessionManager = new MockSessionManager(cache);
+            const nonce = "expiring-nonce";
+            const shortTtl = 0.1; // 0.1 seconds
+            // Add nonce with short TTL
+            await sessionManager.validateHandshake(nonce, shortTtl);
+            // Should be marked as used immediately
+            (0, vitest_1.expect)(await sessionManager.isNonceUsed(nonce)).toBe(true);
+            // Wait for expiry
+            await new Promise((resolve) => setTimeout(resolve, 150));
+            // Should no longer be marked as used after expiry
+            (0, vitest_1.expect)(await sessionManager.isNonceUsed(nonce)).toBe(false);
+            // Should be able to use the same nonce again after expiry
+            await (0, vitest_1.expect)(sessionManager.validateHandshake(nonce, shortTtl)).resolves.not.toThrow();
+        });
+        (0, vitest_1.it)("should handle cleanup operations safely", async () => {
+            const sessionManager = new MockSessionManager(cache);
+            // Add some nonces with different TTLs
+            await sessionManager.validateHandshake("long-lived", 3600);
+            await sessionManager.validateHandshake("short-lived", 0.1);
+            // Wait for short-lived to expire
+            await new Promise((resolve) => setTimeout(resolve, 150));
+            // Cleanup should not throw
+            await (0, vitest_1.expect)(sessionManager.cleanup()).resolves.not.toThrow();
+            // Long-lived should still exist, short-lived should be gone
+            (0, vitest_1.expect)(await sessionManager.isNonceUsed("long-lived")).toBe(true);
+            (0, vitest_1.expect)(await sessionManager.isNonceUsed("short-lived")).toBe(false);
+        });
+    });
+    (0, vitest_1.describe)("Error Handling Integration", () => {
+        (0, vitest_1.it)("should provide structured error messages for replay attacks", async () => {
+            const nonce = "error-test-nonce";
+            await cache.add(nonce, 60);
+            try {
+                await cache.add(nonce, 60);
+                vitest_1.expect.fail("Should have thrown an error");
+            }
+            catch (error) {
+                (0, vitest_1.expect)(error.message).toContain("Nonce error-test-nonce already exists");
+                (0, vitest_1.expect)(error.message).toContain("potential replay attack");
+            }
+        });
+        (0, vitest_1.it)("should handle cache backend failures gracefully", async () => {
+            // This test verifies that the factory falls back to memory cache
+            // when other backends fail (already tested in the factory tests)
+            (0, vitest_1.expect)(cache).toBeInstanceOf(index_js_1.MemoryNonceCache);
+        });
+    });
+});

package/dist/test/__tests__/nonce-cache.test.d.ts

@@ -0,0 +1 @@
+export {};