@kya-os/mcp-i 1.7.6 → 1.7.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (6) hide show
  1. package/dist/runtime/auth-handshake.d.ts +5 -1
  2. package/dist/runtime/delegation/vc-verifier.d.ts +1 -1
  3. package/dist/runtime/delegation/vc-verifier.js +36 -18
  4. package/dist/runtime/delegation-verifier.d.ts +5 -1
  5. package/dist/runtime/tool-protection.d.ts +5 -1
  6. package/package.json +3 -3
package/dist/runtime/auth-handshake.d.ts CHANGED
@@ -77,9 +77,13 @@ export interface VerifyOrHintsResult {
77
77
  user_did: string;
78
78
  scopes: string[];
79
79
  authorization: {
80
- type: "oauth" | "credential" | "none";
80
+ type: "oauth" | "oauth2" | "password" | "credential" | "webauthn" | "siwe" | "none";
81
81
  provider?: string;
82
82
  credentialType?: string;
83
+ rpId?: string;
84
+ userVerification?: "required" | "preferred" | "discouraged";
85
+ chainId?: number;
86
+ domain?: string;
83
87
  };
84
88
  [key: string]: unknown;
85
89
  };
package/dist/runtime/delegation/vc-verifier.d.ts CHANGED
@@ -11,7 +11,7 @@
11
11
  * Related Spec: MCP-I §4.3, W3C VC Data Model 1.1
12
12
  * Python Reference: Edge-Delegation-Verification.md
13
13
  */
14
- import { JWK } from 'jose';
14
+ import type { JWK } from 'jose';
15
15
  import { DelegationCredential } from '@kya-os/contracts/delegation';
16
16
  import { CredentialStatus } from '@kya-os/contracts/vc';
17
17
  /**
package/dist/runtime/delegation/vc-verifier.js CHANGED
@@ -15,7 +15,6 @@
15
15
  Object.defineProperty(exports, "__esModule", { value: true });
16
16
  exports.DelegationCredentialVerifier = void 0;
17
17
  exports.createDelegationVerifier = createDelegationVerifier;
18
- const jose_1 = require("jose");
19
18
  const crypto_1 = require("crypto");
20
19
  const json_canonicalize_1 = require("json-canonicalize");
21
20
  const delegation_1 = require("@kya-os/contracts/delegation");
@@ -239,15 +238,14 @@ class DelegationCredentialVerifier {
239
238
  durationMs: Date.now() - startTime,
240
239
  };
241
240
  }
242
- // Verify signature using jose
243
- // The signature is over the canonical VC (without proof)
241
+ // Verify Ed25519 signature
242
+ // For Ed25519Signature2020:
243
+ // 1. The signing input is the canonicalized VC (without proofValue)
244
+ // 2. The proofValue is the base64url-encoded Ed25519 signature
244
245
  const vcWithoutProof = { ...vc };
245
246
  delete vcWithoutProof.proof;
246
- const canonicalVC = (0, json_canonicalize_1.canonicalize)(vcWithoutProof);
247
- // Create a hash of the canonical VC (what was actually signed)
248
- const digest = (0, crypto_1.createHash)('sha256').update(canonicalVC, 'utf8').digest();
249
- // The proof.proofValue is a base64url-encoded signature
250
- // We need to verify it
247
+ // The proof.proofValue is base64url-encoded Ed25519 signature
248
+ // The proof.jws is an alternative JWS-based signature format
251
249
  const proofValue = vc.proof?.proofValue || vc.proof?.jws;
252
250
  if (!proofValue) {
253
251
  return {
@@ -256,17 +254,37 @@ class DelegationCredentialVerifier {
256
254
  durationMs: Date.now() - startTime,
257
255
  };
258
256
  }
259
- // For Ed25519Signature2020, the proofValue is the raw signature
260
- // We'll verify it by creating a JWT with the digest and checking the signature
261
257
  try {
262
- const publicKey = await (0, jose_1.importJWK)(publicKeyJwk, 'EdDSA');
263
- // Create a minimal JWT to verify
264
- // Note: This is a simplified verification - proper implementation
265
- // would verify the exact signature format
266
- // For now, we'll just validate the proof structure is correct
267
- // A full implementation would:
268
- // 1. Reconstruct the signing input
269
- // 2. Verify the signature using the public key
258
+ // For Ed25519Signature2020, we need to:
259
+ // 1. Canonicalize the VC without proofValue
260
+ // 2. Canonicalize the proof options
261
+ // 3. Hash both and concatenate
262
+ // 4. Verify the signature
263
+ // Construct proof options (everything in proof except proofValue)
264
+ const proofOptions = { ...vc.proof };
265
+ delete proofOptions.proofValue;
266
+ delete proofOptions.jws;
267
+ delete proofOptions.signatureValue;
268
+ // Create signing input: hash(canonicalize(document)) + hash(canonicalize(proofOptions))
269
+ const canonicalDoc = (0, json_canonicalize_1.canonicalize)(vcWithoutProof);
270
+ const canonicalProof = (0, json_canonicalize_1.canonicalize)(proofOptions);
271
+ // For Ed25519Signature2020, signing input is:
272
+ // SHA-256(canonicalize(proofOptions)) || SHA-256(canonicalize(document))
273
+ const docHash = (0, crypto_1.createHash)('sha256').update(canonicalDoc, 'utf8').digest();
274
+ const proofHash = (0, crypto_1.createHash)('sha256').update(canonicalProof, 'utf8').digest();
275
+ const signingInput = Buffer.concat([proofHash, docHash]);
276
+ // Decode the base64url signature
277
+ const signatureBytes = Buffer.from(proofValue, 'base64url');
278
+ // Use subtle crypto for Ed25519 verification
279
+ const cryptoKey = await globalThis.crypto.subtle.importKey('jwk', publicKeyJwk, { name: 'Ed25519' }, false, ['verify']);
280
+ const isValid = await globalThis.crypto.subtle.verify({ name: 'Ed25519' }, cryptoKey, signatureBytes, signingInput);
281
+ if (!isValid) {
282
+ return {
283
+ valid: false,
284
+ reason: 'Ed25519 signature verification failed',
285
+ durationMs: Date.now() - startTime,
286
+ };
287
+ }
270
288
  return {
271
289
  valid: true,
272
290
  durationMs: Date.now() - startTime,
package/dist/runtime/delegation-verifier.d.ts CHANGED
@@ -27,9 +27,13 @@ export interface VerifyDelegationResult {
27
27
  user_did: string;
28
28
  scopes: string[];
29
29
  authorization: {
30
- type: 'oauth' | 'credential' | 'none';
30
+ type: 'oauth' | 'oauth2' | 'password' | 'credential' | 'webauthn' | 'siwe' | 'none';
31
31
  provider?: string;
32
32
  credentialType?: string;
33
+ rpId?: string;
34
+ userVerification?: 'required' | 'preferred' | 'discouraged';
35
+ chainId?: number;
36
+ domain?: string;
33
37
  };
34
38
  [key: string]: unknown;
35
39
  };
package/dist/runtime/tool-protection.d.ts CHANGED
@@ -23,9 +23,13 @@ export interface ToolProtectionConfig {
23
23
  authorizationUrl?: string;
24
24
  /** Authorization method required for this tool */
25
25
  authorization?: {
26
- type: 'oauth' | 'credential' | 'none';
26
+ type: 'oauth' | 'oauth2' | 'password' | 'credential' | 'webauthn' | 'siwe' | 'none';
27
27
  provider?: string;
28
28
  credentialType?: string;
29
+ rpId?: string;
30
+ userVerification?: 'required' | 'preferred' | 'discouraged';
31
+ chainId?: number;
32
+ domain?: string;
29
33
  };
30
34
  }
31
35
  /**
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@kya-os/mcp-i",
3
- "version": "1.7.6",
3
+ "version": "1.7.8",
4
4
  "description": "The TypeScript MCP framework with identity features built-in",
5
5
  "type": "commonjs",
6
6
  "main": "dist/index.js",
@@ -63,8 +63,8 @@
63
63
  "model-context-protocol"
64
64
  ],
65
65
  "dependencies": {
66
- "@kya-os/contracts": "^1.7.11",
67
- "@kya-os/mcp-i-core": "^1.4.7",
66
+ "@kya-os/contracts": "^1.7.12",
67
+ "@kya-os/mcp-i-core": "^1.4.8",
68
68
  "@modelcontextprotocol/sdk": "^1.11.4",
69
69
  "@swc/core": "^1.11.24",
70
70
  "@types/express": "^5.0.1",