@kya-os/mcp-i 1.5.6-canary.1 → 1.5.6-canary.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/runtime/adapter-express.js +1 -1
- package/dist/runtime/adapter-nextjs.js +1 -1
- package/dist/runtime/http.js +1 -1
- package/dist/runtime/proof.d.ts +4 -0
- package/dist/runtime/proof.js +36 -5
- package/dist/runtime/stdio.js +1 -1
- package/dist/runtime/verifier-middleware.d.ts +25 -2
- package/dist/runtime/verifier-middleware.js +82 -6
- package/package.json +3 -3
|
@@ -1,7 +1,8 @@
|
|
|
1
1
|
import type { Request, Response, NextFunction } from "express";
|
|
2
|
-
import type { ProofMeta } from "@kya-os/contracts/proof";
|
|
2
|
+
import type { ProofMeta, DetachedProof } from "@kya-os/contracts/proof";
|
|
3
3
|
import type { Receipt } from "@kya-os/contracts/registry";
|
|
4
4
|
import { type StructuredError } from "@kya-os/contracts/verifier";
|
|
5
|
+
import { type CryptoProvider } from "@kya-os/mcp-i-core";
|
|
5
6
|
/**
|
|
6
7
|
* Verifier middleware for proof and receipt validation
|
|
7
8
|
*/
|
|
@@ -26,6 +27,11 @@ export interface VerifierConfig {
|
|
|
26
27
|
* Allow mock data for testing
|
|
27
28
|
*/
|
|
28
29
|
allowMockData?: boolean;
|
|
30
|
+
/**
|
|
31
|
+
* Optional CryptoProvider for signature verification
|
|
32
|
+
* If provided, enables full JWS signature verification when DetachedProof is available
|
|
33
|
+
*/
|
|
34
|
+
cryptoProvider?: CryptoProvider;
|
|
29
35
|
}
|
|
30
36
|
export interface LocalVerifierResult {
|
|
31
37
|
success: boolean;
|
|
@@ -36,6 +42,11 @@ export interface VerifierContext {
|
|
|
36
42
|
proof: ProofMeta;
|
|
37
43
|
receipt?: Receipt;
|
|
38
44
|
delegationRef?: string;
|
|
45
|
+
/**
|
|
46
|
+
* Optional full DetachedProof with JWS for signature verification
|
|
47
|
+
* If provided, enables full cryptographic signature verification
|
|
48
|
+
*/
|
|
49
|
+
detachedProof?: DetachedProof;
|
|
39
50
|
}
|
|
40
51
|
/**
|
|
41
52
|
* Core verifier implementation
|
|
@@ -44,15 +55,27 @@ export declare class CoreVerifier {
|
|
|
44
55
|
private config;
|
|
45
56
|
private receiptVerifier;
|
|
46
57
|
private delegationManager;
|
|
58
|
+
private cryptoService?;
|
|
47
59
|
constructor(config?: VerifierConfig);
|
|
48
60
|
/**
|
|
49
61
|
* Verify proof with optional receipt checking
|
|
50
62
|
*/
|
|
51
63
|
verify(context: VerifierContext): Promise<LocalVerifierResult>;
|
|
52
64
|
/**
|
|
53
|
-
* Verify proof signature
|
|
65
|
+
* Verify proof signature
|
|
66
|
+
*
|
|
67
|
+
* Note: Full signature verification requires DetachedProof with JWS.
|
|
68
|
+
* If only ProofMeta is available, performs structure validation only.
|
|
69
|
+
* To enable full verification, provide detachedProof in VerifierContext.
|
|
54
70
|
*/
|
|
55
71
|
private verifySignature;
|
|
72
|
+
/**
|
|
73
|
+
* Fetch public key from DID document
|
|
74
|
+
*
|
|
75
|
+
* Note: This is a simplified implementation. Production code should use
|
|
76
|
+
* a proper DID resolver that supports multiple DID methods (did:key, did:web, etc.)
|
|
77
|
+
*/
|
|
78
|
+
private fetchPublicKeyFromDID;
|
|
56
79
|
/**
|
|
57
80
|
* Verify delegation status
|
|
58
81
|
*/
|
|
@@ -6,6 +6,7 @@ exports.verifyExpress = verifyExpress;
|
|
|
6
6
|
const verifier_1 = require("@kya-os/contracts/verifier");
|
|
7
7
|
const merkle_verifier_1 = require("../storage/merkle-verifier");
|
|
8
8
|
const delegation_1 = require("../storage/delegation");
|
|
9
|
+
const mcp_i_core_1 = require("@kya-os/mcp-i-core");
|
|
9
10
|
/**
|
|
10
11
|
* Core verifier implementation
|
|
11
12
|
*/
|
|
@@ -13,6 +14,7 @@ class CoreVerifier {
|
|
|
13
14
|
config;
|
|
14
15
|
receiptVerifier;
|
|
15
16
|
delegationManager;
|
|
17
|
+
cryptoService;
|
|
16
18
|
constructor(config = {}) {
|
|
17
19
|
this.config = config;
|
|
18
20
|
this.receiptVerifier = (0, merkle_verifier_1.createReceiptVerifier)({
|
|
@@ -23,6 +25,10 @@ class CoreVerifier {
|
|
|
23
25
|
this.delegationManager = (0, delegation_1.createDelegationManager)({
|
|
24
26
|
ktaBaseURL: config.ktaBaseUrl || "https://knowthat.ai",
|
|
25
27
|
});
|
|
28
|
+
// Initialize CryptoService if cryptoProvider is provided
|
|
29
|
+
if (config.cryptoProvider) {
|
|
30
|
+
this.cryptoService = new mcp_i_core_1.CryptoService(config.cryptoProvider);
|
|
31
|
+
}
|
|
26
32
|
}
|
|
27
33
|
/**
|
|
28
34
|
* Verify proof with optional receipt checking
|
|
@@ -30,7 +36,7 @@ class CoreVerifier {
|
|
|
30
36
|
async verify(context) {
|
|
31
37
|
try {
|
|
32
38
|
// 1. Verify proof signature (placeholder - would use actual crypto verification)
|
|
33
|
-
const signatureValid = await this.verifySignature(context.proof);
|
|
39
|
+
const signatureValid = await this.verifySignature(context.proof, context.detachedProof);
|
|
34
40
|
if (!signatureValid) {
|
|
35
41
|
return {
|
|
36
42
|
success: false,
|
|
@@ -89,12 +95,15 @@ class CoreVerifier {
|
|
|
89
95
|
}
|
|
90
96
|
}
|
|
91
97
|
/**
|
|
92
|
-
* Verify proof signature
|
|
98
|
+
* Verify proof signature
|
|
99
|
+
*
|
|
100
|
+
* Note: Full signature verification requires DetachedProof with JWS.
|
|
101
|
+
* If only ProofMeta is available, performs structure validation only.
|
|
102
|
+
* To enable full verification, provide detachedProof in VerifierContext.
|
|
93
103
|
*/
|
|
94
|
-
async verifySignature(proof) {
|
|
95
|
-
//
|
|
96
|
-
|
|
97
|
-
return !!(proof.did &&
|
|
104
|
+
async verifySignature(proof, detachedProof) {
|
|
105
|
+
// Basic structure validation
|
|
106
|
+
const hasRequiredFields = !!(proof.did &&
|
|
98
107
|
proof.kid &&
|
|
99
108
|
proof.ts &&
|
|
100
109
|
proof.nonce &&
|
|
@@ -102,6 +111,73 @@ class CoreVerifier {
|
|
|
102
111
|
proof.sessionId &&
|
|
103
112
|
proof.requestHash &&
|
|
104
113
|
proof.responseHash);
|
|
114
|
+
if (!hasRequiredFields) {
|
|
115
|
+
return false;
|
|
116
|
+
}
|
|
117
|
+
// If we have full DetachedProof with JWS and CryptoService, verify signature
|
|
118
|
+
if (detachedProof?.jws && this.cryptoService) {
|
|
119
|
+
try {
|
|
120
|
+
// Fetch public key from DID document
|
|
121
|
+
// Note: This is a simplified implementation - production should use proper DID resolver
|
|
122
|
+
const publicKeyJwk = await this.fetchPublicKeyFromDID(proof.did, proof.kid);
|
|
123
|
+
if (!publicKeyJwk) {
|
|
124
|
+
console.warn("[CoreVerifier] Could not resolve public key from DID, skipping signature verification");
|
|
125
|
+
return true; // Fall back to structure validation only
|
|
126
|
+
}
|
|
127
|
+
// Verify JWS signature
|
|
128
|
+
return await this.cryptoService.verifyJWS(detachedProof.jws, publicKeyJwk, {
|
|
129
|
+
expectedKid: proof.kid,
|
|
130
|
+
alg: "EdDSA",
|
|
131
|
+
});
|
|
132
|
+
}
|
|
133
|
+
catch (error) {
|
|
134
|
+
console.error("[CoreVerifier] Signature verification error:", error);
|
|
135
|
+
return false;
|
|
136
|
+
}
|
|
137
|
+
}
|
|
138
|
+
// Fallback: structure validation only (when JWS not available)
|
|
139
|
+
return true;
|
|
140
|
+
}
|
|
141
|
+
/**
|
|
142
|
+
* Fetch public key from DID document
|
|
143
|
+
*
|
|
144
|
+
* Note: This is a simplified implementation. Production code should use
|
|
145
|
+
* a proper DID resolver that supports multiple DID methods (did:key, did:web, etc.)
|
|
146
|
+
*/
|
|
147
|
+
async fetchPublicKeyFromDID(did, kid) {
|
|
148
|
+
// For now, only support did:web resolution
|
|
149
|
+
// TODO: Add support for did:key and other DID methods
|
|
150
|
+
if (!did.startsWith("did:web:")) {
|
|
151
|
+
console.warn(`[CoreVerifier] Unsupported DID method: ${did}`);
|
|
152
|
+
return null;
|
|
153
|
+
}
|
|
154
|
+
try {
|
|
155
|
+
const domain = did.replace("did:web:", "").replace(/:/g, "/");
|
|
156
|
+
const didDocUrl = `https://${domain}/.well-known/did.json`;
|
|
157
|
+
const response = await fetch(didDocUrl);
|
|
158
|
+
if (!response.ok) {
|
|
159
|
+
console.warn(`[CoreVerifier] Failed to fetch DID document: ${response.status}`);
|
|
160
|
+
return null;
|
|
161
|
+
}
|
|
162
|
+
const didDoc = await response.json();
|
|
163
|
+
// Find verification method
|
|
164
|
+
const verificationMethod = didDoc.verificationMethod?.find((vm) => vm.id === `#${kid}` || vm.id === `${did}#${kid}` || vm.id === kid);
|
|
165
|
+
if (!verificationMethod?.publicKeyJwk) {
|
|
166
|
+
console.warn(`[CoreVerifier] Verification method ${kid} not found in DID document`);
|
|
167
|
+
return null;
|
|
168
|
+
}
|
|
169
|
+
// Validate JWK format
|
|
170
|
+
const jwk = verificationMethod.publicKeyJwk;
|
|
171
|
+
if (jwk.kty !== "OKP" || jwk.crv !== "Ed25519") {
|
|
172
|
+
console.warn(`[CoreVerifier] Invalid JWK format: expected Ed25519, got ${jwk.kty}/${jwk.crv}`);
|
|
173
|
+
return null;
|
|
174
|
+
}
|
|
175
|
+
return jwk;
|
|
176
|
+
}
|
|
177
|
+
catch (error) {
|
|
178
|
+
console.error("[CoreVerifier] DID resolution error:", error);
|
|
179
|
+
return null;
|
|
180
|
+
}
|
|
105
181
|
}
|
|
106
182
|
/**
|
|
107
183
|
* Verify delegation status
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@kya-os/mcp-i",
|
|
3
|
-
"version": "1.5.6-canary.
|
|
3
|
+
"version": "1.5.6-canary.3",
|
|
4
4
|
"description": "The TypeScript MCP framework with identity features built-in",
|
|
5
5
|
"type": "commonjs",
|
|
6
6
|
"main": "dist/index.js",
|
|
@@ -58,8 +58,8 @@
|
|
|
58
58
|
"model-context-protocol"
|
|
59
59
|
],
|
|
60
60
|
"dependencies": {
|
|
61
|
-
"@kya-os/contracts": "1.5.2-canary.
|
|
62
|
-
"@kya-os/mcp-i-core": "1.1.
|
|
61
|
+
"@kya-os/contracts": "1.5.2-canary.3",
|
|
62
|
+
"@kya-os/mcp-i-core": "1.1.14-canary.1",
|
|
63
63
|
"@modelcontextprotocol/sdk": "^1.11.4",
|
|
64
64
|
"@swc/core": "^1.11.24",
|
|
65
65
|
"@types/express": "^5.0.1",
|