@kya-os/mcp 1.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +64 -0
- package/LICENSE +21 -0
- package/README.md +135 -0
- package/dist/auth/handshake.d.ts +119 -0
- package/dist/auth/handshake.d.ts.map +1 -0
- package/dist/auth/handshake.js +267 -0
- package/dist/auth/handshake.js.map +1 -0
- package/dist/auth/index.d.ts +3 -0
- package/dist/auth/index.d.ts.map +1 -0
- package/dist/auth/index.js +2 -0
- package/dist/auth/index.js.map +1 -0
- package/dist/auth/types.d.ts +31 -0
- package/dist/auth/types.d.ts.map +1 -0
- package/dist/auth/types.js +7 -0
- package/dist/auth/types.js.map +1 -0
- package/dist/delegation/audience-validator.d.ts +9 -0
- package/dist/delegation/audience-validator.d.ts.map +1 -0
- package/dist/delegation/audience-validator.js +17 -0
- package/dist/delegation/audience-validator.js.map +1 -0
- package/dist/delegation/bitstring.d.ts +37 -0
- package/dist/delegation/bitstring.d.ts.map +1 -0
- package/dist/delegation/bitstring.js +117 -0
- package/dist/delegation/bitstring.js.map +1 -0
- package/dist/delegation/cascading-revocation.d.ts +45 -0
- package/dist/delegation/cascading-revocation.d.ts.map +1 -0
- package/dist/delegation/cascading-revocation.js +150 -0
- package/dist/delegation/cascading-revocation.js.map +1 -0
- package/dist/delegation/delegation-graph.d.ts +49 -0
- package/dist/delegation/delegation-graph.d.ts.map +1 -0
- package/dist/delegation/delegation-graph.js +99 -0
- package/dist/delegation/delegation-graph.js.map +1 -0
- package/dist/delegation/did-key-resolver.d.ts +64 -0
- package/dist/delegation/did-key-resolver.d.ts.map +1 -0
- package/dist/delegation/did-key-resolver.js +157 -0
- package/dist/delegation/did-key-resolver.js.map +1 -0
- package/dist/delegation/did-web-resolver.d.ts +83 -0
- package/dist/delegation/did-web-resolver.d.ts.map +1 -0
- package/dist/delegation/did-web-resolver.js +218 -0
- package/dist/delegation/did-web-resolver.js.map +1 -0
- package/dist/delegation/index.d.ts +21 -0
- package/dist/delegation/index.d.ts.map +1 -0
- package/dist/delegation/index.js +21 -0
- package/dist/delegation/index.js.map +1 -0
- package/dist/delegation/outbound-headers.d.ts +79 -0
- package/dist/delegation/outbound-headers.d.ts.map +1 -0
- package/dist/delegation/outbound-headers.js +138 -0
- package/dist/delegation/outbound-headers.js.map +1 -0
- package/dist/delegation/outbound-proof.d.ts +43 -0
- package/dist/delegation/outbound-proof.d.ts.map +1 -0
- package/dist/delegation/outbound-proof.js +52 -0
- package/dist/delegation/outbound-proof.js.map +1 -0
- package/dist/delegation/statuslist-manager.d.ts +47 -0
- package/dist/delegation/statuslist-manager.d.ts.map +1 -0
- package/dist/delegation/statuslist-manager.js +139 -0
- package/dist/delegation/statuslist-manager.js.map +1 -0
- package/dist/delegation/storage/memory-graph-storage.d.ts +70 -0
- package/dist/delegation/storage/memory-graph-storage.d.ts.map +1 -0
- package/dist/delegation/storage/memory-graph-storage.js +145 -0
- package/dist/delegation/storage/memory-graph-storage.js.map +1 -0
- package/dist/delegation/storage/memory-statuslist-storage.d.ts +19 -0
- package/dist/delegation/storage/memory-statuslist-storage.d.ts.map +1 -0
- package/dist/delegation/storage/memory-statuslist-storage.js +33 -0
- package/dist/delegation/storage/memory-statuslist-storage.js.map +1 -0
- package/dist/delegation/utils.d.ts +49 -0
- package/dist/delegation/utils.d.ts.map +1 -0
- package/dist/delegation/utils.js +131 -0
- package/dist/delegation/utils.js.map +1 -0
- package/dist/delegation/vc-issuer.d.ts +56 -0
- package/dist/delegation/vc-issuer.d.ts.map +1 -0
- package/dist/delegation/vc-issuer.js +80 -0
- package/dist/delegation/vc-issuer.js.map +1 -0
- package/dist/delegation/vc-verifier.d.ts +112 -0
- package/dist/delegation/vc-verifier.d.ts.map +1 -0
- package/dist/delegation/vc-verifier.js +280 -0
- package/dist/delegation/vc-verifier.js.map +1 -0
- package/dist/errors.d.ts +42 -0
- package/dist/errors.d.ts.map +1 -0
- package/dist/errors.js +45 -0
- package/dist/errors.js.map +1 -0
- package/dist/index.d.ts +47 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +56 -0
- package/dist/index.js.map +1 -0
- package/dist/logging/index.d.ts +2 -0
- package/dist/logging/index.d.ts.map +1 -0
- package/dist/logging/index.js +2 -0
- package/dist/logging/index.js.map +1 -0
- package/dist/logging/logger.d.ts +23 -0
- package/dist/logging/logger.d.ts.map +1 -0
- package/dist/logging/logger.js +82 -0
- package/dist/logging/logger.js.map +1 -0
- package/dist/middleware/index.d.ts +12 -0
- package/dist/middleware/index.d.ts.map +1 -0
- package/dist/middleware/index.js +12 -0
- package/dist/middleware/index.js.map +1 -0
- package/dist/middleware/mcpi-transport.d.ts +39 -0
- package/dist/middleware/mcpi-transport.d.ts.map +1 -0
- package/dist/middleware/mcpi-transport.js +121 -0
- package/dist/middleware/mcpi-transport.js.map +1 -0
- package/dist/middleware/with-mcpi-server.d.ts +78 -0
- package/dist/middleware/with-mcpi-server.d.ts.map +1 -0
- package/dist/middleware/with-mcpi-server.js +109 -0
- package/dist/middleware/with-mcpi-server.js.map +1 -0
- package/dist/middleware/with-mcpi.d.ts +202 -0
- package/dist/middleware/with-mcpi.d.ts.map +1 -0
- package/dist/middleware/with-mcpi.js +625 -0
- package/dist/middleware/with-mcpi.js.map +1 -0
- package/dist/proof/errors.d.ts +49 -0
- package/dist/proof/errors.d.ts.map +1 -0
- package/dist/proof/errors.js +61 -0
- package/dist/proof/errors.js.map +1 -0
- package/dist/proof/generator.d.ts +65 -0
- package/dist/proof/generator.d.ts.map +1 -0
- package/dist/proof/generator.js +163 -0
- package/dist/proof/generator.js.map +1 -0
- package/dist/proof/index.d.ts +4 -0
- package/dist/proof/index.d.ts.map +1 -0
- package/dist/proof/index.js +4 -0
- package/dist/proof/index.js.map +1 -0
- package/dist/proof/verifier.d.ts +108 -0
- package/dist/proof/verifier.d.ts.map +1 -0
- package/dist/proof/verifier.js +299 -0
- package/dist/proof/verifier.js.map +1 -0
- package/dist/providers/base.d.ts +64 -0
- package/dist/providers/base.d.ts.map +1 -0
- package/dist/providers/base.js +19 -0
- package/dist/providers/base.js.map +1 -0
- package/dist/providers/index.d.ts +4 -0
- package/dist/providers/index.d.ts.map +1 -0
- package/dist/providers/index.js +4 -0
- package/dist/providers/index.js.map +1 -0
- package/dist/providers/memory.d.ts +33 -0
- package/dist/providers/memory.d.ts.map +1 -0
- package/dist/providers/memory.js +102 -0
- package/dist/providers/memory.js.map +1 -0
- package/dist/providers/node-crypto.d.ts +26 -0
- package/dist/providers/node-crypto.d.ts.map +1 -0
- package/dist/providers/node-crypto.js +69 -0
- package/dist/providers/node-crypto.js.map +1 -0
- package/dist/session/index.d.ts +2 -0
- package/dist/session/index.d.ts.map +1 -0
- package/dist/session/index.js +2 -0
- package/dist/session/index.js.map +1 -0
- package/dist/session/manager.d.ts +83 -0
- package/dist/session/manager.d.ts.map +1 -0
- package/dist/session/manager.js +267 -0
- package/dist/session/manager.js.map +1 -0
- package/dist/types/protocol.d.ts +320 -0
- package/dist/types/protocol.d.ts.map +1 -0
- package/dist/types/protocol.js +229 -0
- package/dist/types/protocol.js.map +1 -0
- package/dist/utils/base58.d.ts +31 -0
- package/dist/utils/base58.d.ts.map +1 -0
- package/dist/utils/base58.js +104 -0
- package/dist/utils/base58.js.map +1 -0
- package/dist/utils/base64.d.ts +13 -0
- package/dist/utils/base64.d.ts.map +1 -0
- package/dist/utils/base64.js +99 -0
- package/dist/utils/base64.js.map +1 -0
- package/dist/utils/crypto-service.d.ts +37 -0
- package/dist/utils/crypto-service.d.ts.map +1 -0
- package/dist/utils/crypto-service.js +154 -0
- package/dist/utils/crypto-service.js.map +1 -0
- package/dist/utils/did-helpers.d.ts +168 -0
- package/dist/utils/did-helpers.d.ts.map +1 -0
- package/dist/utils/did-helpers.js +211 -0
- package/dist/utils/did-helpers.js.map +1 -0
- package/dist/utils/ed25519-constants.d.ts +18 -0
- package/dist/utils/ed25519-constants.d.ts.map +1 -0
- package/dist/utils/ed25519-constants.js +21 -0
- package/dist/utils/ed25519-constants.js.map +1 -0
- package/dist/utils/index.d.ts +5 -0
- package/dist/utils/index.d.ts.map +1 -0
- package/dist/utils/index.js +5 -0
- package/dist/utils/index.js.map +1 -0
- package/package.json +115 -0
- package/schemas/README.md +117 -0
- package/schemas/delegation-credential.json +312 -0
- package/schemas/detached-proof.json +97 -0
- package/schemas/handshake-request.json +84 -0
- package/schemas/handshake-response.json +67 -0
- package/schemas/well-known-mcpi.json +176 -0
package/CHANGELOG.md
ADDED
|
@@ -0,0 +1,64 @@
|
|
|
1
|
+
# Changelog
|
|
2
|
+
|
|
3
|
+
All notable changes to @kya-os/mcp will be documented here.
|
|
4
|
+
|
|
5
|
+
Format: https://keepachangelog.com/en/1.0.0/
|
|
6
|
+
Versioning: https://semver.org/spec/v2.0.0.html
|
|
7
|
+
|
|
8
|
+
## [Unreleased]
|
|
9
|
+
|
|
10
|
+
### Changed
|
|
11
|
+
|
|
12
|
+
- **Package renamed from `@mcp-i/core` to `@kya-os/mcp`.** Reframed under
|
|
13
|
+
the KYA-OS taxonomy: MCP-I is the identity surface of KYA-OS (Know
|
|
14
|
+
Your Agent Operating System), the umbrella protocol for agent
|
|
15
|
+
identity, authorization, and observability. Version stays at 1.2.0 —
|
|
16
|
+
the wire format, exports (`MCPI*`), and behavior are unchanged. The
|
|
17
|
+
old `@mcp-i/core` package is deprecated and points at this one.
|
|
18
|
+
- **Spec cut to `1.0.0`** (was `0.1.0-draft` in `SPEC.md`, `1.0.0-draft`
|
|
19
|
+
in `CONFORMANCE.md`). The wire format was already pinned at `1.0.0`
|
|
20
|
+
in the handshake protocol-version field; the spec docs now match.
|
|
21
|
+
Status: Stable — donated to DIF TAAWG for ratification review. Spec
|
|
22
|
+
semver is independent of package semver: the spec describes the wire
|
|
23
|
+
protocol, the package describes the implementation shipping it.
|
|
24
|
+
- Delegation middleware remains strict by default for chain and status-list validation.
|
|
25
|
+
- Added `delegation.allowLegacyUnsafeDelegation` to `createMCPIMiddleware` as a temporary migration escape hatch for legacy integrations.
|
|
26
|
+
- Added middleware tests covering legacy-compatibility behavior for parent-linked and status-list credentials.
|
|
27
|
+
|
|
28
|
+
## [1.0.0-draft] - 2026-03-12
|
|
29
|
+
|
|
30
|
+
### Added
|
|
31
|
+
|
|
32
|
+
- SPEC.md protocol specification defining MCP-I extension for cryptographic identity
|
|
33
|
+
- Supported DID methods: `did:key` (ephemeral/dev) and `did:web` (production)
|
|
34
|
+
- Ed25519/EdDSA cryptography for signing and verification
|
|
35
|
+
- Delegation module with W3C Verifiable Credential issuance and verification
|
|
36
|
+
- CRISP constraint envelopes for scope, budget, temporal bounds, and audience
|
|
37
|
+
- Delegation graph management with parent-child relationships
|
|
38
|
+
- Cascading revocation via StatusList2021
|
|
39
|
+
- `did:key` resolver for synchronous DID Document resolution
|
|
40
|
+
- `did:web` resolver with HTTPS fetching and caching
|
|
41
|
+
- Proof module with detached JWS generation over canonicalized request/response
|
|
42
|
+
- Proof verification with DID resolution and timestamp validation
|
|
43
|
+
- SHA-256 hashing with RFC 8785 JCS canonicalization
|
|
44
|
+
- Session module with handshake validation and nonce-based replay prevention
|
|
45
|
+
- Session TTL management with idle timeout tracking
|
|
46
|
+
- Auth module with `verifyOrHints` orchestration and sensitive scope detection
|
|
47
|
+
- Resume token storage for authorization flows
|
|
48
|
+
- `needs_authorization` hint response pattern
|
|
49
|
+
- MCP SDK middleware wrapper (`createMCPIMiddleware`)
|
|
50
|
+
- Tool wrapping with automatic proof generation
|
|
51
|
+
- Handshake tool registration and handling
|
|
52
|
+
- Provider abstractions: CryptoProvider, ClockProvider, FetchProvider, StorageProvider, NonceCacheProvider, IdentityProvider
|
|
53
|
+
- In-memory implementations for all providers (testing)
|
|
54
|
+
- Configurable logging with debug, info, warn, error levels
|
|
55
|
+
- Pure TypeScript protocol type definitions (zero runtime dependencies)
|
|
56
|
+
- Well-known endpoint (`/.well-known/mcpi`) for server discovery
|
|
57
|
+
- Outbound delegation proof JWT builder for downstream API calls
|
|
58
|
+
- Three-tier conformance levels:
|
|
59
|
+
- Level 1: Core Crypto (key generation, signing, hashing, DID resolution)
|
|
60
|
+
- Level 2: Full Session (handshake, nonce, replay prevention, proofs)
|
|
61
|
+
- Level 3: Full Delegation (VCs, CRISP, graphs, revocation, chain validation)
|
|
62
|
+
- Example implementations: Node.js server, proof verification, delegation issuance
|
|
63
|
+
- Vitest test suite covering all conformance levels
|
|
64
|
+
- GitHub Actions CI with type checking, build, test, and coverage
|
package/LICENSE
ADDED
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
MIT License
|
|
2
|
+
|
|
3
|
+
Copyright (c) 2026 MCP-Identity
|
|
4
|
+
|
|
5
|
+
Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
6
|
+
of this software and associated documentation files (the "Software"), to deal
|
|
7
|
+
in the Software without restriction, including without limitation the rights
|
|
8
|
+
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
|
9
|
+
copies of the Software, and to permit persons to whom the Software is
|
|
10
|
+
furnished to do so, subject to the following conditions:
|
|
11
|
+
|
|
12
|
+
The above copyright notice and this permission notice shall be included in all
|
|
13
|
+
copies or substantial portions of the Software.
|
|
14
|
+
|
|
15
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
16
|
+
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
17
|
+
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
18
|
+
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
19
|
+
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
20
|
+
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
|
21
|
+
SOFTWARE.
|
package/README.md
ADDED
|
@@ -0,0 +1,135 @@
|
|
|
1
|
+
<p align="center">
|
|
2
|
+
<a href="https://modelcontextprotocol-identity.io">
|
|
3
|
+
<picture>
|
|
4
|
+
<source media="(prefers-color-scheme: dark)" srcset="https://modelcontextprotocol-identity.io/images/logo-mark_white.svg">
|
|
5
|
+
<img alt="MCP-I" src="https://modelcontextprotocol-identity.io/images/logo-mark_black.svg" width="64">
|
|
6
|
+
</picture>
|
|
7
|
+
</a>
|
|
8
|
+
</p>
|
|
9
|
+
|
|
10
|
+
<p align="center">
|
|
11
|
+
<strong>Identity, delegation, and proof for the Model Context Protocol.</strong>
|
|
12
|
+
</p>
|
|
13
|
+
|
|
14
|
+
<p align="center">
|
|
15
|
+
<a href="https://www.npmjs.com/package/@kya-os/mcp"><img src="https://img.shields.io/npm/v/@kya-os/mcp" alt="npm"></a>
|
|
16
|
+
<a href="https://modelcontextprotocol-identity.io"><img src="https://img.shields.io/badge/spec-modelcontextprotocol--identity.io-blue" alt="spec"></a>
|
|
17
|
+
<a href="https://identity.foundation/working-groups/agent-and-authorization.html"><img src="https://img.shields.io/badge/DIF-TAAWG-purple" alt="DIF TAAWG"></a>
|
|
18
|
+
<a href="./LICENSE"><img src="https://img.shields.io/github/license/modelcontextprotocol-identity/mcp-i-core" alt="license"></a>
|
|
19
|
+
</p>
|
|
20
|
+
|
|
21
|
+
<p align="center">
|
|
22
|
+
<em><code>@kya-os/mcp</code> is the reference implementation of <strong>MCP-I</strong>, the identity surface of <strong>KYA-OS</strong> (Know Your Agent Operating System). KYA-OS is the umbrella protocol for agent identity, authorization, and observability; MCP-I is its first surface, binding those primitives to Model Context Protocol servers.</em>
|
|
23
|
+
</p>
|
|
24
|
+
|
|
25
|
+
---
|
|
26
|
+
|
|
27
|
+
AI agents call tools on your behalf. But today, there's no way to know *who* called, *whether they were allowed to*, or *what actually happened*. MCP-I fixes that for Model Context Protocol servers.
|
|
28
|
+
|
|
29
|
+
- **Every server gets a cryptographic identity** (DID) — no accounts, no API keys, no central registry
|
|
30
|
+
- **Every tool call gets a signed proof** — a tamper-evident receipt the agent can't forge or deny
|
|
31
|
+
- **Protected tools require human consent** — per-tool authorization via W3C Delegation Credentials
|
|
32
|
+
- **The AI never knows** — identity, proofs, and consent happen transparently in the protocol layer
|
|
33
|
+
|
|
34
|
+
```
|
|
35
|
+
npm install @kya-os/mcp
|
|
36
|
+
```
|
|
37
|
+
|
|
38
|
+
---
|
|
39
|
+
|
|
40
|
+
## Migrate Any MCP Server in 2 Lines
|
|
41
|
+
|
|
42
|
+
**Before** — a standard MCP server with no identity or proofs:
|
|
43
|
+
|
|
44
|
+
```typescript
|
|
45
|
+
import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
|
|
46
|
+
|
|
47
|
+
const server = new McpServer({ name: 'my-server', version: '1.0.0' });
|
|
48
|
+
|
|
49
|
+
server.registerTool('greet', { description: 'Say hello' }, async (args) => ({
|
|
50
|
+
content: [{ type: 'text', text: `Hello, ${args.name}!` }],
|
|
51
|
+
}));
|
|
52
|
+
```
|
|
53
|
+
|
|
54
|
+
**After** — every tool response now carries a signed cryptographic proof:
|
|
55
|
+
|
|
56
|
+
```typescript
|
|
57
|
+
import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
|
|
58
|
+
import { withMCPI, NodeCryptoProvider } from '@kya-os/mcp'; // +1 line
|
|
59
|
+
|
|
60
|
+
const server = new McpServer({ name: 'my-server', version: '1.0.0' });
|
|
61
|
+
await withMCPI(server, { crypto: new NodeCryptoProvider() }); // +1 line
|
|
62
|
+
|
|
63
|
+
server.registerTool('greet', { description: 'Say hello' }, async (args) => ({
|
|
64
|
+
content: [{ type: 'text', text: `Hello, ${args.name}!` }],
|
|
65
|
+
}));
|
|
66
|
+
```
|
|
67
|
+
|
|
68
|
+
That's it. `withMCPI` auto-generates an Ed25519 identity, registers the `_mcpi` protocol tool, and wraps the transport so every tool response includes a detached JWS proof in `_meta` — invisible to the LLM, verifiable by anyone.
|
|
69
|
+
|
|
70
|
+
> See the full working example: [examples/context7-with-mcpi](./examples/context7-with-mcpi/) — a real MCP server (Context7) migrated with exactly 2 lines of code.
|
|
71
|
+
|
|
72
|
+
---
|
|
73
|
+
|
|
74
|
+
## Protect Tools with Human Consent
|
|
75
|
+
|
|
76
|
+
Some tools shouldn't run without a human saying "yes." MCP-I adds per-tool authorization using W3C Verifiable Credentials:
|
|
77
|
+
|
|
78
|
+
```typescript
|
|
79
|
+
const checkout = mcpi.wrapWithDelegation(
|
|
80
|
+
'checkout',
|
|
81
|
+
{ scopeId: 'cart:write', consentUrl: 'https://example.com/consent' },
|
|
82
|
+
mcpi.wrapWithProof('checkout', async (args) => ({
|
|
83
|
+
content: [{ type: 'text', text: `Order placed: ${args.item}` }],
|
|
84
|
+
})),
|
|
85
|
+
);
|
|
86
|
+
```
|
|
87
|
+
|
|
88
|
+
When an agent calls `checkout` without a delegation credential, it gets back a `needs_authorization` response with a consent URL. The human approves, a scoped credential is issued, and the agent retries — now authorized.
|
|
89
|
+
|
|
90
|
+
> Try it yourself: [examples/consent-basic](./examples/consent-basic/) walks through the full consent flow end-to-end.
|
|
91
|
+
|
|
92
|
+
---
|
|
93
|
+
|
|
94
|
+
## See It in Action
|
|
95
|
+
|
|
96
|
+
```bash
|
|
97
|
+
git clone https://github.com/modelcontextprotocol-identity/mcp-i-core.git
|
|
98
|
+
cd mcp-i-core && npm install
|
|
99
|
+
bash scripts/demo.sh
|
|
100
|
+
```
|
|
101
|
+
|
|
102
|
+
This starts all example servers and opens [MCP Inspector](https://github.com/modelcontextprotocol/inspector). Connect to any server, call a tool, and inspect the proof in `_meta`:
|
|
103
|
+
|
|
104
|
+
| Port | Example | What it demonstrates |
|
|
105
|
+
|------|---------|---------------------|
|
|
106
|
+
| 3001 | [node-server](./examples/node-server/) | Proofs + restricted tools (low-level API) |
|
|
107
|
+
| 3002 | [consent-basic](./examples/consent-basic/) | Human consent flow with built-in UI |
|
|
108
|
+
| 3003 | [consent-full](./examples/consent-full/) | Production consent UI ([@kya-os/consent](https://www.npmjs.com/package/@kya-os/consent)) |
|
|
109
|
+
| 3004 | [context7-with-mcpi](./examples/context7-with-mcpi/) | 2-line migration of a real MCP server |
|
|
110
|
+
|
|
111
|
+
Also available: [outbound-delegation](./examples/outbound-delegation/) (gateway pattern), [verify-proof](./examples/verify-proof/) (standalone verification), [statuslist](./examples/statuslist/) (revocation lifecycle).
|
|
112
|
+
|
|
113
|
+
---
|
|
114
|
+
|
|
115
|
+
## What's Under the Hood
|
|
116
|
+
|
|
117
|
+
| Capability | How it works |
|
|
118
|
+
|-----------|-------------|
|
|
119
|
+
| **Cryptographic identity** | Ed25519 key pairs, `did:key` and `did:web` resolution |
|
|
120
|
+
| **Signed proofs** | Detached JWS over JCS-canonicalized request/response hashes |
|
|
121
|
+
| **Delegation credentials** | W3C Verifiable Credentials with scope constraints |
|
|
122
|
+
| **Revocation** | StatusList2021 bitstring with cascading revocation |
|
|
123
|
+
| **Replay prevention** | Nonce-based handshake with timestamp skew validation |
|
|
124
|
+
| **Extensible** | Bring your own KMS, HSM, nonce cache (Redis, DynamoDB, KV), or DID method |
|
|
125
|
+
|
|
126
|
+
---
|
|
127
|
+
|
|
128
|
+
## Links
|
|
129
|
+
|
|
130
|
+
- [Spec](https://modelcontextprotocol-identity.io) | [DIF TAAWG](https://identity.foundation/working-groups/agent-and-authorization.html) | [npm](https://www.npmjs.com/package/@kya-os/mcp)
|
|
131
|
+
- [CONTRIBUTING.md](./CONTRIBUTING.md) | [CONFORMANCE.md](./CONFORMANCE.md) | [SECURITY.md](./SECURITY.md) | [GOVERNANCE.md](./GOVERNANCE.md)
|
|
132
|
+
|
|
133
|
+
## License
|
|
134
|
+
|
|
135
|
+
MIT
|
|
@@ -0,0 +1,119 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Authorization Handshake — Platform-agnostic Protocol Reference
|
|
3
|
+
*
|
|
4
|
+
* Orchestrates the MCP-I authorization flow:
|
|
5
|
+
* 1. Check agent reputation (optional)
|
|
6
|
+
* 2. Verify delegation exists
|
|
7
|
+
* 3. Return needs_authorization error if missing
|
|
8
|
+
*
|
|
9
|
+
* Uses only the global fetch API — no Node-specific imports.
|
|
10
|
+
* Safe to run on Node.js, Cloudflare Workers, and any fetch-capable runtime.
|
|
11
|
+
*/
|
|
12
|
+
import type { NeedsAuthorizationError } from '../types/protocol.js';
|
|
13
|
+
import type { DelegationRecord } from '../types/protocol.js';
|
|
14
|
+
import type { DelegationVerifier, VerifyDelegationResult } from './types.js';
|
|
15
|
+
export type { DelegationVerifier, VerifyDelegationResult };
|
|
16
|
+
export interface AgentReputation {
|
|
17
|
+
agentDid: string;
|
|
18
|
+
score: number | null;
|
|
19
|
+
totalInteractions: number;
|
|
20
|
+
successRate: number;
|
|
21
|
+
riskLevel: 'low' | 'medium' | 'high' | 'unknown';
|
|
22
|
+
updatedAt: number;
|
|
23
|
+
}
|
|
24
|
+
/**
|
|
25
|
+
* Policy for handling agents with no reputation history.
|
|
26
|
+
*
|
|
27
|
+
* - 'deny' — reject unknown agents outright (strict environments)
|
|
28
|
+
* - 'require-consent' — route to the consent/authorization flow (default)
|
|
29
|
+
* - 'allow' — let unknown agents through (reputation is advisory only)
|
|
30
|
+
*/
|
|
31
|
+
export type UnknownAgentPolicy = 'deny' | 'require-consent' | 'allow';
|
|
32
|
+
export interface AuthHandshakeConfig {
|
|
33
|
+
delegationVerifier: DelegationVerifier;
|
|
34
|
+
resumeTokenStore: ResumeTokenStore;
|
|
35
|
+
reputationService?: {
|
|
36
|
+
apiUrl: string;
|
|
37
|
+
apiKey?: string;
|
|
38
|
+
apiFormat?: 'v1' | 'v2';
|
|
39
|
+
};
|
|
40
|
+
authorization: {
|
|
41
|
+
authorizationUrl: string;
|
|
42
|
+
resumeTokenTtl?: number;
|
|
43
|
+
/**
|
|
44
|
+
* How to handle agents with no reputation history (404 from reputation
|
|
45
|
+
* service, network error, or first-time agent).
|
|
46
|
+
*
|
|
47
|
+
* - 'deny' — reject outright
|
|
48
|
+
* - 'require-consent' — route to consent flow (default)
|
|
49
|
+
* - 'allow' — skip reputation gate for unknowns
|
|
50
|
+
*/
|
|
51
|
+
unknownAgentPolicy?: UnknownAgentPolicy;
|
|
52
|
+
minReputationScore?: number;
|
|
53
|
+
};
|
|
54
|
+
debug?: boolean;
|
|
55
|
+
}
|
|
56
|
+
export interface VerifyOrHintsResult {
|
|
57
|
+
authorized: boolean;
|
|
58
|
+
delegation?: DelegationRecord;
|
|
59
|
+
credential?: {
|
|
60
|
+
agent_did: string;
|
|
61
|
+
user_did: string;
|
|
62
|
+
scopes: string[];
|
|
63
|
+
authorization: {
|
|
64
|
+
type: 'oauth' | 'oauth2' | 'password' | 'credential' | 'webauthn' | 'siwe' | 'none';
|
|
65
|
+
provider?: string;
|
|
66
|
+
credentialType?: string;
|
|
67
|
+
rpId?: string;
|
|
68
|
+
userVerification?: 'required' | 'preferred' | 'discouraged';
|
|
69
|
+
chainId?: number;
|
|
70
|
+
domain?: string;
|
|
71
|
+
};
|
|
72
|
+
[key: string]: unknown;
|
|
73
|
+
};
|
|
74
|
+
authError?: NeedsAuthorizationError;
|
|
75
|
+
reputation?: AgentReputation;
|
|
76
|
+
reason?: string;
|
|
77
|
+
}
|
|
78
|
+
export interface ResumeTokenStore {
|
|
79
|
+
create(agentDid: string, scopes: string[], metadata?: Record<string, unknown>): Promise<string>;
|
|
80
|
+
get(token: string): Promise<{
|
|
81
|
+
agentDid: string;
|
|
82
|
+
scopes: string[];
|
|
83
|
+
createdAt: number;
|
|
84
|
+
expiresAt: number;
|
|
85
|
+
metadata?: Record<string, unknown>;
|
|
86
|
+
} | null>;
|
|
87
|
+
fulfill(token: string): Promise<void>;
|
|
88
|
+
}
|
|
89
|
+
export declare class MemoryResumeTokenStore implements ResumeTokenStore {
|
|
90
|
+
private tokens;
|
|
91
|
+
private ttl;
|
|
92
|
+
constructor(ttlMs?: number);
|
|
93
|
+
create(agentDid: string, scopes: string[], metadata?: Record<string, unknown>): Promise<string>;
|
|
94
|
+
get(token: string): Promise<{
|
|
95
|
+
agentDid: string;
|
|
96
|
+
scopes: string[];
|
|
97
|
+
createdAt: number;
|
|
98
|
+
expiresAt: number;
|
|
99
|
+
metadata?: Record<string, unknown>;
|
|
100
|
+
} | null>;
|
|
101
|
+
fulfill(token: string): Promise<void>;
|
|
102
|
+
clear(): void;
|
|
103
|
+
}
|
|
104
|
+
/**
|
|
105
|
+
* Verify agent delegation or return authorization hints.
|
|
106
|
+
*
|
|
107
|
+
* Orchestrates the authorization flow:
|
|
108
|
+
* 1. Optionally check agent reputation against threshold
|
|
109
|
+
* 2. Verify existing delegation via DelegationVerifier
|
|
110
|
+
* 3. Return authorization hints if delegation is missing/invalid
|
|
111
|
+
*
|
|
112
|
+
* @param agentDid - The agent's DID to verify
|
|
113
|
+
* @param scopes - Required scopes for the operation
|
|
114
|
+
* @param config - Authorization configuration including verifier, token store, etc.
|
|
115
|
+
* @returns Result indicating authorization status, delegation, or auth hints
|
|
116
|
+
*/
|
|
117
|
+
export declare function verifyOrHints(agentDid: string, scopes: string[], config: AuthHandshakeConfig): Promise<VerifyOrHintsResult>;
|
|
118
|
+
export declare function hasSensitiveScopes(scopes: string[]): boolean;
|
|
119
|
+
//# sourceMappingURL=handshake.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"handshake.d.ts","sourceRoot":"","sources":["../../src/auth/handshake.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EACV,uBAAuB,EAExB,MAAM,sBAAsB,CAAC;AAE9B,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AAE7D,OAAO,KAAK,EAAE,kBAAkB,EAAE,sBAAsB,EAAE,MAAM,YAAY,CAAC;AAE7E,YAAY,EAAE,kBAAkB,EAAE,sBAAsB,EAAE,CAAC;AAE3D,MAAM,WAAW,eAAe;IAC9B,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,SAAS,CAAC;IACjD,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;GAMG;AACH,MAAM,MAAM,kBAAkB,GAAG,MAAM,GAAG,iBAAiB,GAAG,OAAO,CAAC;AAEtE,MAAM,WAAW,mBAAmB;IAClC,kBAAkB,EAAE,kBAAkB,CAAC;IACvC,gBAAgB,EAAE,gBAAgB,CAAC;IACnC,iBAAiB,CAAC,EAAE;QAClB,MAAM,EAAE,MAAM,CAAC;QACf,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,SAAS,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;KACzB,CAAC;IACF,aAAa,EAAE;QACb,gBAAgB,EAAE,MAAM,CAAC;QACzB,cAAc,CAAC,EAAE,MAAM,CAAC;QACxB;;;;;;;WAOG;QACH,kBAAkB,CAAC,EAAE,kBAAkB,CAAC;QACxC,kBAAkB,CAAC,EAAE,MAAM,CAAC;KAC7B,CAAC;IACF,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB;AAED,MAAM,WAAW,mBAAmB;IAClC,UAAU,EAAE,OAAO,CAAC;IACpB,UAAU,CAAC,EAAE,gBAAgB,CAAC;IAC9B,UAAU,CAAC,EAAE;QACX,SAAS,EAAE,MAAM,CAAC;QAClB,QAAQ,EAAE,MAAM,CAAC;QACjB,MAAM,EAAE,MAAM,EAAE,CAAC;QACjB,aAAa,EAAE;YACb,IAAI,EACA,OAAO,GACP,QAAQ,GACR,UAAU,GACV,YAAY,GACZ,UAAU,GACV,MAAM,GACN,MAAM,CAAC;YACX,QAAQ,CAAC,EAAE,MAAM,CAAC;YAClB,cAAc,CAAC,EAAE,MAAM,CAAC;YACxB,IAAI,CAAC,EAAE,MAAM,CAAC;YACd,gBAAgB,CAAC,EAAE,UAAU,GAAG,WAAW,GAAG,aAAa,CAAC;YAC5D,OAAO,CAAC,EAAE,MAAM,CAAC;YACjB,MAAM,CAAC,EAAE,MAAM,CAAC;SACjB,CAAC;QACF,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;KACxB,CAAC;IACF,SAAS,CAAC,EAAE,uBAAuB,CAAC;IACpC,UAAU,CAAC,EAAE,eAAe,CAAC;IAC7B,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,gBAAgB;IAC/B,MAAM,CACJ,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,EAAE,EAChB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GACjC,OAAO,CAAC,MAAM,CAAC,CAAC;IAEnB,GAAG,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC;QAC1B,QAAQ,EAAE,MAAM,CAAC;QACjB,MAAM,EAAE,MAAM,EAAE,CAAC;QACjB,SAAS,EAAE,MAAM,CAAC;QAClB,SAAS,EAAE,MAAM,CAAC;QAClB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;KACpC,GAAG,IAAI,CAAC,CAAC;IAEV,OAAO,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACvC;AAED,qBAAa,sBAAuB,YAAW,gBAAgB;IAC7D,OAAO,CAAC,MAAM,CAUV;IACJ,OAAO,CAAC,GAAG,CAAS;gBAER,KAAK,SAAU;IAIrB,MAAM,CACV,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,EAAE,EAChB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GACjC,OAAO,CAAC,MAAM,CAAC;IAmBZ,GAAG,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC;QAChC,QAAQ,EAAE,MAAM,CAAC;QACjB,MAAM,EAAE,MAAM,EAAE,CAAC;QACjB,SAAS,EAAE,MAAM,CAAC;QAClB,SAAS,EAAE,MAAM,CAAC;QAClB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;KACpC,GAAG,IAAI,CAAC;IAoBH,OAAO,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAO3C,KAAK,IAAI,IAAI;CAGd;AAED;;;;;;;;;;;;GAYG;AACH,wBAAsB,aAAa,CACjC,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,EAAE,EAChB,MAAM,EAAE,mBAAmB,GAC1B,OAAO,CAAC,mBAAmB,CAAC,CA+I9B;AA8GD,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,OAAO,CAc5D"}
|
|
@@ -0,0 +1,267 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Authorization Handshake — Platform-agnostic Protocol Reference
|
|
3
|
+
*
|
|
4
|
+
* Orchestrates the MCP-I authorization flow:
|
|
5
|
+
* 1. Check agent reputation (optional)
|
|
6
|
+
* 2. Verify delegation exists
|
|
7
|
+
* 3. Return needs_authorization error if missing
|
|
8
|
+
*
|
|
9
|
+
* Uses only the global fetch API — no Node-specific imports.
|
|
10
|
+
* Safe to run on Node.js, Cloudflare Workers, and any fetch-capable runtime.
|
|
11
|
+
*/
|
|
12
|
+
import { createNeedsAuthorizationError } from '../types/protocol.js';
|
|
13
|
+
import { logger } from '../logging/index.js';
|
|
14
|
+
export class MemoryResumeTokenStore {
|
|
15
|
+
tokens = new Map();
|
|
16
|
+
ttl;
|
|
17
|
+
constructor(ttlMs = 600_000) {
|
|
18
|
+
this.ttl = ttlMs;
|
|
19
|
+
}
|
|
20
|
+
async create(agentDid, scopes, metadata) {
|
|
21
|
+
const bytes = new Uint8Array(16);
|
|
22
|
+
globalThis.crypto.getRandomValues(bytes);
|
|
23
|
+
const hex = Array.from(bytes).map(b => b.toString(16).padStart(2, '0')).join('');
|
|
24
|
+
const token = `rt_${hex}`;
|
|
25
|
+
const now = Date.now();
|
|
26
|
+
this.tokens.set(token, {
|
|
27
|
+
agentDid,
|
|
28
|
+
scopes,
|
|
29
|
+
createdAt: now,
|
|
30
|
+
expiresAt: now + this.ttl,
|
|
31
|
+
metadata,
|
|
32
|
+
fulfilled: false,
|
|
33
|
+
});
|
|
34
|
+
return token;
|
|
35
|
+
}
|
|
36
|
+
async get(token) {
|
|
37
|
+
const data = this.tokens.get(token);
|
|
38
|
+
if (!data)
|
|
39
|
+
return null;
|
|
40
|
+
if (Date.now() > data.expiresAt) {
|
|
41
|
+
this.tokens.delete(token);
|
|
42
|
+
return null;
|
|
43
|
+
}
|
|
44
|
+
if (data.fulfilled)
|
|
45
|
+
return null;
|
|
46
|
+
return {
|
|
47
|
+
agentDid: data.agentDid,
|
|
48
|
+
scopes: data.scopes,
|
|
49
|
+
createdAt: data.createdAt,
|
|
50
|
+
expiresAt: data.expiresAt,
|
|
51
|
+
metadata: data.metadata,
|
|
52
|
+
};
|
|
53
|
+
}
|
|
54
|
+
async fulfill(token) {
|
|
55
|
+
const data = this.tokens.get(token);
|
|
56
|
+
if (data) {
|
|
57
|
+
data.fulfilled = true;
|
|
58
|
+
}
|
|
59
|
+
}
|
|
60
|
+
clear() {
|
|
61
|
+
this.tokens.clear();
|
|
62
|
+
}
|
|
63
|
+
}
|
|
64
|
+
/**
|
|
65
|
+
* Verify agent delegation or return authorization hints.
|
|
66
|
+
*
|
|
67
|
+
* Orchestrates the authorization flow:
|
|
68
|
+
* 1. Optionally check agent reputation against threshold
|
|
69
|
+
* 2. Verify existing delegation via DelegationVerifier
|
|
70
|
+
* 3. Return authorization hints if delegation is missing/invalid
|
|
71
|
+
*
|
|
72
|
+
* @param agentDid - The agent's DID to verify
|
|
73
|
+
* @param scopes - Required scopes for the operation
|
|
74
|
+
* @param config - Authorization configuration including verifier, token store, etc.
|
|
75
|
+
* @returns Result indicating authorization status, delegation, or auth hints
|
|
76
|
+
*/
|
|
77
|
+
export async function verifyOrHints(agentDid, scopes, config) {
|
|
78
|
+
const startTime = Date.now();
|
|
79
|
+
if (config.debug) {
|
|
80
|
+
logger.debug(`[AuthHandshake] Verifying ${agentDid} for scopes: ${scopes.join(', ')}`);
|
|
81
|
+
}
|
|
82
|
+
let reputation;
|
|
83
|
+
if (config.reputationService && config.authorization.minReputationScore !== undefined) {
|
|
84
|
+
const unknownPolicy = config.authorization.unknownAgentPolicy ?? 'require-consent';
|
|
85
|
+
try {
|
|
86
|
+
reputation = await fetchAgentReputation(agentDid, config.reputationService);
|
|
87
|
+
}
|
|
88
|
+
catch (error) {
|
|
89
|
+
logger.error('[AuthHandshake] Reputation service unreachable, treating agent as unknown:', error);
|
|
90
|
+
reputation = {
|
|
91
|
+
agentDid,
|
|
92
|
+
score: null,
|
|
93
|
+
totalInteractions: 0,
|
|
94
|
+
successRate: 0,
|
|
95
|
+
riskLevel: 'unknown',
|
|
96
|
+
updatedAt: Date.now(),
|
|
97
|
+
};
|
|
98
|
+
}
|
|
99
|
+
if (config.debug) {
|
|
100
|
+
logger.debug(`[AuthHandshake] Reputation score: ${reputation.score}`);
|
|
101
|
+
}
|
|
102
|
+
// Unknown agent (no reputation data)
|
|
103
|
+
if (reputation.score === null) {
|
|
104
|
+
if (unknownPolicy === 'deny') {
|
|
105
|
+
const authError = await buildNeedsAuthorizationError(agentDid, scopes, config, 'Unknown agent denied by policy');
|
|
106
|
+
return {
|
|
107
|
+
authorized: false,
|
|
108
|
+
authError,
|
|
109
|
+
reputation,
|
|
110
|
+
reason: 'Unknown agent — policy: deny',
|
|
111
|
+
};
|
|
112
|
+
}
|
|
113
|
+
if (unknownPolicy === 'require-consent') {
|
|
114
|
+
const authError = await buildNeedsAuthorizationError(agentDid, scopes, config, 'Unknown agent requires consent');
|
|
115
|
+
return {
|
|
116
|
+
authorized: false,
|
|
117
|
+
authError,
|
|
118
|
+
reputation,
|
|
119
|
+
reason: 'Unknown agent — policy: require-consent',
|
|
120
|
+
};
|
|
121
|
+
}
|
|
122
|
+
// unknownPolicy === 'allow' — skip reputation gate, continue to delegation check
|
|
123
|
+
if (config.debug) {
|
|
124
|
+
logger.debug('[AuthHandshake] Unknown agent allowed by policy, skipping reputation gate');
|
|
125
|
+
}
|
|
126
|
+
}
|
|
127
|
+
// Known agent with score below threshold
|
|
128
|
+
if (reputation.score !== null && reputation.score < config.authorization.minReputationScore) {
|
|
129
|
+
if (config.debug) {
|
|
130
|
+
logger.debug(`[AuthHandshake] Reputation ${reputation.score} < ${config.authorization.minReputationScore}, requiring authorization`);
|
|
131
|
+
}
|
|
132
|
+
const authError = await buildNeedsAuthorizationError(agentDid, scopes, config, 'Agent reputation score below threshold');
|
|
133
|
+
return {
|
|
134
|
+
authorized: false,
|
|
135
|
+
authError,
|
|
136
|
+
reputation,
|
|
137
|
+
reason: 'Low reputation score',
|
|
138
|
+
};
|
|
139
|
+
}
|
|
140
|
+
}
|
|
141
|
+
let delegationResult;
|
|
142
|
+
try {
|
|
143
|
+
delegationResult = await config.delegationVerifier.verify(agentDid, scopes);
|
|
144
|
+
}
|
|
145
|
+
catch (error) {
|
|
146
|
+
logger.error('[AuthHandshake] Delegation verification failed:', error);
|
|
147
|
+
const errorMessage = `Delegation verification error: ${error instanceof Error ? error.message : 'Unknown error'}`;
|
|
148
|
+
const authError = await buildNeedsAuthorizationError(agentDid, scopes, config, errorMessage);
|
|
149
|
+
return {
|
|
150
|
+
authorized: false,
|
|
151
|
+
authError,
|
|
152
|
+
reason: errorMessage,
|
|
153
|
+
};
|
|
154
|
+
}
|
|
155
|
+
if (delegationResult.valid && delegationResult.delegation) {
|
|
156
|
+
if (config.debug) {
|
|
157
|
+
logger.debug(`[AuthHandshake] Delegation valid, authorized (${Date.now() - startTime}ms)`);
|
|
158
|
+
}
|
|
159
|
+
return {
|
|
160
|
+
authorized: true,
|
|
161
|
+
delegation: delegationResult.delegation,
|
|
162
|
+
credential: delegationResult.credential,
|
|
163
|
+
reputation,
|
|
164
|
+
reason: 'Valid delegation found',
|
|
165
|
+
};
|
|
166
|
+
}
|
|
167
|
+
if (config.debug) {
|
|
168
|
+
logger.debug(`[AuthHandshake] No delegation found, returning needs_authorization (${Date.now() - startTime}ms)`);
|
|
169
|
+
}
|
|
170
|
+
const authError = await buildNeedsAuthorizationError(agentDid, scopes, config, delegationResult.reason ?? 'No valid delegation found');
|
|
171
|
+
return {
|
|
172
|
+
authorized: false,
|
|
173
|
+
authError,
|
|
174
|
+
reputation,
|
|
175
|
+
reason: delegationResult.reason ?? 'No delegation',
|
|
176
|
+
};
|
|
177
|
+
}
|
|
178
|
+
async function fetchAgentReputation(agentDid, reputationConfig) {
|
|
179
|
+
const apiUrl = reputationConfig.apiUrl.replace(/\/$/, '');
|
|
180
|
+
const headers = {
|
|
181
|
+
'Content-Type': 'application/json',
|
|
182
|
+
};
|
|
183
|
+
if (reputationConfig.apiKey) {
|
|
184
|
+
headers['X-API-Key'] = reputationConfig.apiKey;
|
|
185
|
+
}
|
|
186
|
+
const isV2Format = reputationConfig.apiFormat === 'v2';
|
|
187
|
+
let response;
|
|
188
|
+
if (isV2Format) {
|
|
189
|
+
response = await fetch(`${apiUrl}/v1/reputation/${encodeURIComponent(agentDid)}`, {
|
|
190
|
+
method: 'POST',
|
|
191
|
+
headers,
|
|
192
|
+
body: JSON.stringify({ include_details: false }),
|
|
193
|
+
});
|
|
194
|
+
}
|
|
195
|
+
else {
|
|
196
|
+
response = await fetch(`${apiUrl}/api/v1/reputation/${encodeURIComponent(agentDid)}`, { method: 'GET', headers });
|
|
197
|
+
}
|
|
198
|
+
if (!response.ok) {
|
|
199
|
+
if (response.status === 404) {
|
|
200
|
+
return {
|
|
201
|
+
agentDid,
|
|
202
|
+
score: null,
|
|
203
|
+
totalInteractions: 0,
|
|
204
|
+
successRate: 0,
|
|
205
|
+
riskLevel: 'unknown',
|
|
206
|
+
updatedAt: Date.now(),
|
|
207
|
+
};
|
|
208
|
+
}
|
|
209
|
+
throw new Error(`Reputation API error: ${response.status} ${response.statusText}`);
|
|
210
|
+
}
|
|
211
|
+
const data = (await response.json());
|
|
212
|
+
const score = data['score'] ?? 0;
|
|
213
|
+
const levelRaw = (data['level'] ??
|
|
214
|
+
data['riskLevel'] ??
|
|
215
|
+
'unknown').toLowerCase();
|
|
216
|
+
const riskLevel = levelRaw === 'low' || levelRaw === 'medium' || levelRaw === 'high' ? levelRaw : 'unknown';
|
|
217
|
+
return {
|
|
218
|
+
agentDid: data['agent_did'] ??
|
|
219
|
+
data['agentDid'] ??
|
|
220
|
+
agentDid,
|
|
221
|
+
score,
|
|
222
|
+
totalInteractions: data['totalInteractions'] ?? 0,
|
|
223
|
+
successRate: data['successRate'] ?? 0,
|
|
224
|
+
riskLevel,
|
|
225
|
+
updatedAt: data['calculatedAt']
|
|
226
|
+
? new Date(data['calculatedAt']).getTime()
|
|
227
|
+
: (data['updatedAt'] ?? Date.now()),
|
|
228
|
+
};
|
|
229
|
+
}
|
|
230
|
+
async function buildNeedsAuthorizationError(agentDid, scopes, config, message) {
|
|
231
|
+
const resumeToken = await config.resumeTokenStore.create(agentDid, scopes, {
|
|
232
|
+
requestedAt: Date.now(),
|
|
233
|
+
});
|
|
234
|
+
const expiresAt = Date.now() + (config.authorization.resumeTokenTtl ?? 600_000);
|
|
235
|
+
const authUrl = new URL(config.authorization.authorizationUrl);
|
|
236
|
+
authUrl.searchParams.set('agent_did', agentDid);
|
|
237
|
+
authUrl.searchParams.set('scopes', scopes.join(','));
|
|
238
|
+
authUrl.searchParams.set('resume_token', resumeToken);
|
|
239
|
+
const authCode = resumeToken.substring(0, 8).toUpperCase();
|
|
240
|
+
const display = {
|
|
241
|
+
title: 'Authorization Required',
|
|
242
|
+
hint: ['link', 'qr'],
|
|
243
|
+
authorizationCode: authCode,
|
|
244
|
+
qrUrl: `https://api.qrserver.com/v1/create-qr-code/?data=${encodeURIComponent(authUrl.toString())}`,
|
|
245
|
+
};
|
|
246
|
+
return createNeedsAuthorizationError({
|
|
247
|
+
message,
|
|
248
|
+
authorizationUrl: authUrl.toString(),
|
|
249
|
+
resumeToken,
|
|
250
|
+
expiresAt,
|
|
251
|
+
scopes,
|
|
252
|
+
display,
|
|
253
|
+
});
|
|
254
|
+
}
|
|
255
|
+
export function hasSensitiveScopes(scopes) {
|
|
256
|
+
const sensitivePatterns = [
|
|
257
|
+
'write',
|
|
258
|
+
'delete',
|
|
259
|
+
'admin',
|
|
260
|
+
'payment',
|
|
261
|
+
'transfer',
|
|
262
|
+
'execute',
|
|
263
|
+
'modify',
|
|
264
|
+
];
|
|
265
|
+
return scopes.some((scope) => sensitivePatterns.some((pattern) => scope.toLowerCase().includes(pattern)));
|
|
266
|
+
}
|
|
267
|
+
//# sourceMappingURL=handshake.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"handshake.js","sourceRoot":"","sources":["../../src/auth/handshake.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAMH,OAAO,EAAE,6BAA6B,EAAE,MAAM,sBAAsB,CAAC;AAErE,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAC;AAgG7C,MAAM,OAAO,sBAAsB;IACzB,MAAM,GAAG,IAAI,GAAG,EAUrB,CAAC;IACI,GAAG,CAAS;IAEpB,YAAY,KAAK,GAAG,OAAO;QACzB,IAAI,CAAC,GAAG,GAAG,KAAK,CAAC;IACnB,CAAC;IAED,KAAK,CAAC,MAAM,CACV,QAAgB,EAChB,MAAgB,EAChB,QAAkC;QAElC,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;QACjC,UAAU,CAAC,MAAM,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;QACzC,MAAM,GAAG,GAAG,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACjF,MAAM,KAAK,GAAG,MAAM,GAAG,EAAE,CAAC;QAC1B,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAEvB,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE;YACrB,QAAQ;YACR,MAAM;YACN,SAAS,EAAE,GAAG;YACd,SAAS,EAAE,GAAG,GAAG,IAAI,CAAC,GAAG;YACzB,QAAQ;YACR,SAAS,EAAE,KAAK;SACjB,CAAC,CAAC;QAEH,OAAO,KAAK,CAAC;IACf,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,KAAa;QAOrB,MAAM,IAAI,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACpC,IAAI,CAAC,IAAI;YAAE,OAAO,IAAI,CAAC;QAEvB,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,SAAS,EAAE,CAAC;YAChC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YAC1B,OAAO,IAAI,CAAC;QACd,CAAC;QAED,IAAI,IAAI,CAAC,SAAS;YAAE,OAAO,IAAI,CAAC;QAEhC,OAAO;YACL,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,QAAQ,EAAE,IAAI,CAAC,QAAQ;SACxB,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,KAAa;QACzB,MAAM,IAAI,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACpC,IAAI,IAAI,EAAE,CAAC;YACT,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC;QACxB,CAAC;IACH,CAAC;IAED,KAAK;QACH,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;IACtB,CAAC;CACF;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,QAAgB,EAChB,MAAgB,EAChB,MAA2B;IAE3B,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAE7B,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;QACjB,MAAM,CAAC,KAAK,CAAC,6BAA6B,QAAQ,gBAAgB,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACzF,CAAC;IAED,IAAI,UAAuC,CAAC;IAC5C,IAAI,MAAM,CAAC,iBAAiB,IAAI,MAAM,CAAC,aAAa,CAAC,kBAAkB,KAAK,SAAS,EAAE,CAAC;QACtF,MAAM,aAAa,GAAG,MAAM,CAAC,aAAa,CAAC,kBAAkB,IAAI,iBAAiB,CAAC;QAEnF,IAAI,CAAC;YACH,UAAU,GAAG,MAAM,oBAAoB,CAAC,QAAQ,EAAE,MAAM,CAAC,iBAAiB,CAAC,CAAC;QAC9E,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,CAAC,KAAK,CAAC,4EAA4E,EAAE,KAAK,CAAC,CAAC;YAClG,UAAU,GAAG;gBACX,QAAQ;gBACR,KAAK,EAAE,IAAI;gBACX,iBAAiB,EAAE,CAAC;gBACpB,WAAW,EAAE,CAAC;gBACd,SAAS,EAAE,SAAS;gBACpB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;aACtB,CAAC;QACJ,CAAC;QAED,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;YACjB,MAAM,CAAC,KAAK,CAAC,qCAAqC,UAAU,CAAC,KAAK,EAAE,CAAC,CAAC;QACxE,CAAC;QAED,qCAAqC;QACrC,IAAI,UAAU,CAAC,KAAK,KAAK,IAAI,EAAE,CAAC;YAC9B,IAAI,aAAa,KAAK,MAAM,EAAE,CAAC;gBAC7B,MAAM,SAAS,GAAG,MAAM,4BAA4B,CAClD,QAAQ,EACR,MAAM,EACN,MAAM,EACN,gCAAgC,CACjC,CAAC;gBACF,OAAO;oBACL,UAAU,EAAE,KAAK;oBACjB,SAAS;oBACT,UAAU;oBACV,MAAM,EAAE,8BAA8B;iBACvC,CAAC;YACJ,CAAC;YAED,IAAI,aAAa,KAAK,iBAAiB,EAAE,CAAC;gBACxC,MAAM,SAAS,GAAG,MAAM,4BAA4B,CAClD,QAAQ,EACR,MAAM,EACN,MAAM,EACN,gCAAgC,CACjC,CAAC;gBACF,OAAO;oBACL,UAAU,EAAE,KAAK;oBACjB,SAAS;oBACT,UAAU;oBACV,MAAM,EAAE,yCAAyC;iBAClD,CAAC;YACJ,CAAC;YAED,iFAAiF;YACjF,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;gBACjB,MAAM,CAAC,KAAK,CAAC,2EAA2E,CAAC,CAAC;YAC5F,CAAC;QACH,CAAC;QAED,yCAAyC;QACzC,IAAI,UAAU,CAAC,KAAK,KAAK,IAAI,IAAI,UAAU,CAAC,KAAK,GAAG,MAAM,CAAC,aAAa,CAAC,kBAAkB,EAAE,CAAC;YAC5F,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;gBACjB,MAAM,CAAC,KAAK,CACV,8BAA8B,UAAU,CAAC,KAAK,MAAM,MAAM,CAAC,aAAa,CAAC,kBAAkB,2BAA2B,CACvH,CAAC;YACJ,CAAC;YAED,MAAM,SAAS,GAAG,MAAM,4BAA4B,CAClD,QAAQ,EACR,MAAM,EACN,MAAM,EACN,wCAAwC,CACzC,CAAC;YAEF,OAAO;gBACL,UAAU,EAAE,KAAK;gBACjB,SAAS;gBACT,UAAU;gBACV,MAAM,EAAE,sBAAsB;aAC/B,CAAC;QACJ,CAAC;IACH,CAAC;IAED,IAAI,gBAAwC,CAAC;IAE7C,IAAI,CAAC;QACH,gBAAgB,GAAG,MAAM,MAAM,CAAC,kBAAkB,CAAC,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IAC9E,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,CAAC,KAAK,CAAC,iDAAiD,EAAE,KAAK,CAAC,CAAC;QACvE,MAAM,YAAY,GAAG,kCAAkC,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,EAAE,CAAC;QAElH,MAAM,SAAS,GAAG,MAAM,4BAA4B,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,YAAY,CAAC,CAAC;QAE7F,OAAO;YACL,UAAU,EAAE,KAAK;YACjB,SAAS;YACT,MAAM,EAAE,YAAY;SACrB,CAAC;IACJ,CAAC;IAED,IAAI,gBAAgB,CAAC,KAAK,IAAI,gBAAgB,CAAC,UAAU,EAAE,CAAC;QAC1D,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;YACjB,MAAM,CAAC,KAAK,CACV,iDAAiD,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,KAAK,CAC7E,CAAC;QACJ,CAAC;QAED,OAAO;YACL,UAAU,EAAE,IAAI;YAChB,UAAU,EAAE,gBAAgB,CAAC,UAAU;YACvC,UAAU,EAAE,gBAAgB,CAAC,UAAU;YACvC,UAAU;YACV,MAAM,EAAE,wBAAwB;SACjC,CAAC;IACJ,CAAC;IAED,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;QACjB,MAAM,CAAC,KAAK,CACV,uEAAuE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,KAAK,CACnG,CAAC;IACJ,CAAC;IAED,MAAM,SAAS,GAAG,MAAM,4BAA4B,CAClD,QAAQ,EACR,MAAM,EACN,MAAM,EACN,gBAAgB,CAAC,MAAM,IAAI,2BAA2B,CACvD,CAAC;IAEF,OAAO;QACL,UAAU,EAAE,KAAK;QACjB,SAAS;QACT,UAAU;QACV,MAAM,EAAE,gBAAgB,CAAC,MAAM,IAAI,eAAe;KACnD,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,oBAAoB,CACjC,QAAgB,EAChB,gBAA8E;IAE9E,MAAM,MAAM,GAAG,gBAAgB,CAAC,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IAC1D,MAAM,OAAO,GAA2B;QACtC,cAAc,EAAE,kBAAkB;KACnC,CAAC;IAEF,IAAI,gBAAgB,CAAC,MAAM,EAAE,CAAC;QAC5B,OAAO,CAAC,WAAW,CAAC,GAAG,gBAAgB,CAAC,MAAM,CAAC;IACjD,CAAC;IAED,MAAM,UAAU,GAAG,gBAAgB,CAAC,SAAS,KAAK,IAAI,CAAC;IACvD,IAAI,QAAkB,CAAC;IAEvB,IAAI,UAAU,EAAE,CAAC;QACf,QAAQ,GAAG,MAAM,KAAK,CACpB,GAAG,MAAM,kBAAkB,kBAAkB,CAAC,QAAQ,CAAC,EAAE,EACzD;YACE,MAAM,EAAE,MAAM;YACd,OAAO;YACP,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,eAAe,EAAE,KAAK,EAAE,CAAC;SACjD,CACF,CAAC;IACJ,CAAC;SAAM,CAAC;QACN,QAAQ,GAAG,MAAM,KAAK,CACpB,GAAG,MAAM,sBAAsB,kBAAkB,CAAC,QAAQ,CAAC,EAAE,EAC7D,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,CAC3B,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,OAAO;gBACL,QAAQ;gBACR,KAAK,EAAE,IAAI;gBACX,iBAAiB,EAAE,CAAC;gBACpB,WAAW,EAAE,CAAC;gBACd,SAAS,EAAE,SAAS;gBACpB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;aACtB,CAAC;QACJ,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,yBAAyB,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAC;IACrF,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA4B,CAAC;IAEhE,MAAM,KAAK,GAAI,IAAI,CAAC,OAAO,CAAwB,IAAI,CAAC,CAAC;IACzD,MAAM,QAAQ,GAAG,CACd,IAAI,CAAC,OAAO,CAAwB;QACpC,IAAI,CAAC,WAAW,CAAwB;QACzC,SAAS,CACV,CAAC,WAAW,EAAE,CAAC;IAChB,MAAM,SAAS,GACb,QAAQ,KAAK,KAAK,IAAI,QAAQ,KAAK,QAAQ,IAAI,QAAQ,KAAK,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC;IAE5F,OAAO;QACL,QAAQ,EACL,IAAI,CAAC,WAAW,CAAwB;YACxC,IAAI,CAAC,UAAU,CAAwB;YACxC,QAAQ;QACV,KAAK;QACL,iBAAiB,EAAG,IAAI,CAAC,mBAAmB,CAAwB,IAAI,CAAC;QACzE,WAAW,EAAG,IAAI,CAAC,aAAa,CAAwB,IAAI,CAAC;QAC7D,SAAS;QACT,SAAS,EAAE,IAAI,CAAC,cAAc,CAAC;YAC7B,CAAC,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,cAAc,CAAW,CAAC,CAAC,OAAO,EAAE;YACpD,CAAC,CAAC,CAAE,IAAI,CAAC,WAAW,CAAwB,IAAI,IAAI,CAAC,GAAG,EAAE,CAAC;KAC9D,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,4BAA4B,CACzC,QAAgB,EAChB,MAAgB,EAChB,MAA2B,EAC3B,OAAe;IAEf,MAAM,WAAW,GAAG,MAAM,MAAM,CAAC,gBAAgB,CAAC,MAAM,CAAC,QAAQ,EAAE,MAAM,EAAE;QACzE,WAAW,EAAE,IAAI,CAAC,GAAG,EAAE;KACxB,CAAC,CAAC;IAEH,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,MAAM,CAAC,aAAa,CAAC,cAAc,IAAI,OAAO,CAAC,CAAC;IAEhF,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,aAAa,CAAC,gBAAgB,CAAC,CAAC;IAC/D,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;IAChD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IACrD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE,WAAW,CAAC,CAAC;IAEtD,MAAM,QAAQ,GAAG,WAAW,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;IAE3D,MAAM,OAAO,GAAyB;QACpC,KAAK,EAAE,wBAAwB;QAC/B,IAAI,EAAE,CAAC,MAAM,EAAE,IAAI,CAAC;QACpB,iBAAiB,EAAE,QAAQ;QAC3B,KAAK,EAAE,oDAAoD,kBAAkB,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC,EAAE;KACpG,CAAC;IAEF,OAAO,6BAA6B,CAAC;QACnC,OAAO;QACP,gBAAgB,EAAE,OAAO,CAAC,QAAQ,EAAE;QACpC,WAAW;QACX,SAAS;QACT,MAAM;QACN,OAAO;KACR,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,MAAgB;IACjD,MAAM,iBAAiB,GAAG;QACxB,OAAO;QACP,QAAQ;QACR,OAAO;QACP,SAAS;QACT,UAAU;QACV,SAAS;QACT,QAAQ;KACT,CAAC;IAEF,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAC3B,iBAAiB,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAC3E,CAAC;AACJ,CAAC"}
|
|
@@ -0,0 +1,3 @@
|
|
|
1
|
+
export { verifyOrHints, hasSensitiveScopes, MemoryResumeTokenStore, type AuthHandshakeConfig, type VerifyOrHintsResult, type AgentReputation, type ResumeTokenStore, type UnknownAgentPolicy, } from './handshake.js';
|
|
2
|
+
export type { DelegationVerifier, VerifyDelegationResult } from './types.js';
|
|
3
|
+
//# sourceMappingURL=index.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,aAAa,EACb,kBAAkB,EAClB,sBAAsB,EACtB,KAAK,mBAAmB,EACxB,KAAK,mBAAmB,EACxB,KAAK,eAAe,EACpB,KAAK,gBAAgB,EACrB,KAAK,kBAAkB,GACxB,MAAM,gBAAgB,CAAC;AAExB,YAAY,EAAE,kBAAkB,EAAE,sBAAsB,EAAE,MAAM,YAAY,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,aAAa,EACb,kBAAkB,EAClB,sBAAsB,GAMvB,MAAM,gBAAgB,CAAC"}
|