@kya-os/mcp 1.3.1 → 1.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (89) hide show
  1. package/CHANGELOG.md +228 -1
  2. package/README.md +3 -3
  3. package/dist/delegation/index.d.ts +2 -1
  4. package/dist/delegation/index.d.ts.map +1 -1
  5. package/dist/delegation/index.js +2 -1
  6. package/dist/delegation/index.js.map +1 -1
  7. package/dist/delegation/scope-matcher.d.ts +35 -0
  8. package/dist/delegation/scope-matcher.d.ts.map +1 -0
  9. package/dist/delegation/scope-matcher.js +83 -0
  10. package/dist/delegation/scope-matcher.js.map +1 -0
  11. package/dist/delegation/vc-verifier.d.ts +7 -0
  12. package/dist/delegation/vc-verifier.d.ts.map +1 -1
  13. package/dist/delegation/vc-verifier.js +27 -0
  14. package/dist/delegation/vc-verifier.js.map +1 -1
  15. package/dist/errors.d.ts +2 -1
  16. package/dist/errors.d.ts.map +1 -1
  17. package/dist/errors.js +2 -1
  18. package/dist/errors.js.map +1 -1
  19. package/dist/index.d.ts +9 -4
  20. package/dist/index.d.ts.map +1 -1
  21. package/dist/index.js +10 -4
  22. package/dist/index.js.map +1 -1
  23. package/dist/middleware/with-kya-os.d.ts +88 -31
  24. package/dist/middleware/with-kya-os.d.ts.map +1 -1
  25. package/dist/middleware/with-kya-os.js +327 -88
  26. package/dist/middleware/with-kya-os.js.map +1 -1
  27. package/dist/policy/approval.d.ts +34 -0
  28. package/dist/policy/approval.d.ts.map +1 -0
  29. package/dist/policy/approval.js +29 -0
  30. package/dist/policy/approval.js.map +1 -0
  31. package/dist/policy/classifier.d.ts +38 -0
  32. package/dist/policy/classifier.d.ts.map +1 -0
  33. package/dist/policy/classifier.js +97 -0
  34. package/dist/policy/classifier.js.map +1 -0
  35. package/dist/policy/default-engine.d.ts +24 -0
  36. package/dist/policy/default-engine.d.ts.map +1 -0
  37. package/dist/policy/default-engine.js +41 -0
  38. package/dist/policy/default-engine.js.map +1 -0
  39. package/dist/policy/engine.d.ts +12 -0
  40. package/dist/policy/engine.d.ts.map +1 -0
  41. package/dist/policy/engine.js +2 -0
  42. package/dist/policy/engine.js.map +1 -0
  43. package/dist/policy/index.d.ts +6 -0
  44. package/dist/policy/index.d.ts.map +1 -0
  45. package/dist/policy/index.js +6 -0
  46. package/dist/policy/index.js.map +1 -0
  47. package/dist/policy/types.d.ts +52 -0
  48. package/dist/policy/types.d.ts.map +1 -0
  49. package/dist/policy/types.js +10 -0
  50. package/dist/policy/types.js.map +1 -0
  51. package/dist/proof/errors.d.ts +1 -0
  52. package/dist/proof/errors.d.ts.map +1 -1
  53. package/dist/proof/errors.js +4 -0
  54. package/dist/proof/errors.js.map +1 -1
  55. package/dist/proof/generator.d.ts +28 -4
  56. package/dist/proof/generator.d.ts.map +1 -1
  57. package/dist/proof/generator.js +48 -20
  58. package/dist/proof/generator.js.map +1 -1
  59. package/dist/proof/verifier.d.ts +32 -3
  60. package/dist/proof/verifier.d.ts.map +1 -1
  61. package/dist/proof/verifier.js +85 -6
  62. package/dist/proof/verifier.js.map +1 -1
  63. package/dist/providers/audit-log.d.ts +62 -0
  64. package/dist/providers/audit-log.d.ts.map +1 -0
  65. package/dist/providers/audit-log.js +75 -0
  66. package/dist/providers/audit-log.js.map +1 -0
  67. package/dist/providers/index.d.ts +3 -0
  68. package/dist/providers/index.d.ts.map +1 -1
  69. package/dist/providers/index.js +3 -0
  70. package/dist/providers/index.js.map +1 -1
  71. package/dist/providers/runtime-fetch.d.ts +73 -0
  72. package/dist/providers/runtime-fetch.d.ts.map +1 -0
  73. package/dist/providers/runtime-fetch.js +169 -0
  74. package/dist/providers/runtime-fetch.js.map +1 -0
  75. package/dist/providers/system-clock.d.ts +39 -0
  76. package/dist/providers/system-clock.d.ts.map +1 -0
  77. package/dist/providers/system-clock.js +49 -0
  78. package/dist/providers/system-clock.js.map +1 -0
  79. package/dist/types/protocol.d.ts +38 -3
  80. package/dist/types/protocol.d.ts.map +1 -1
  81. package/dist/types/protocol.js +44 -9
  82. package/dist/types/protocol.js.map +1 -1
  83. package/package.json +4 -2
  84. package/schemas/README.md +1 -1
  85. package/schemas/delegation-credential.json +2 -2
  86. package/schemas/detached-proof.json +12 -3
  87. package/schemas/handshake-request.json +1 -1
  88. package/schemas/handshake-response.json +1 -1
  89. package/schemas/well-known-mcpi.json +1 -1
package/CHANGELOG.md CHANGED
@@ -5,7 +5,234 @@ All notable changes to @kya-os/mcp will be documented here.
5
5
  Format: https://keepachangelog.com/en/1.0.0/
6
6
  Versioning: https://semver.org/spec/v2.0.0.html
7
7
 
8
- ## [Unreleased]
8
+ ## [1.4.0] - 2026-05-31
9
+
10
+ Ports the KYA-OS authorization primitives developed upstream (xmcp-i) into
11
+ `@kya-os/mcp`: a per-action policy / step-up gate, scope-matcher enforcement,
12
+ signed `needs_authorization` challenges with verifier content binding, and
13
+ shipped runtime providers. Additive over 1.3.x except where noted under
14
+ **Changed** and **Removed**.
15
+
16
+ ### Added
17
+
18
+ - **Signed `needs_authorization` challenge.** The delegation challenge returned
19
+ when a protected tool is invoked without a credential now carries a signed
20
+ detached-JWS proof in `_meta` (`outcome: 'needs_authorization'`). The proof
21
+ binds a `responseHash` over the challenge content — including the
22
+ `authorizationUrl`. A verifier that recomputes the response hash over the
23
+ content it received — via the new `ProofVerifier` content binding (below) —
24
+ detects a tampered / MITM-swapped consent URL; the signature alone proves
25
+ authenticity, not content-match. The challenge content/shape is unchanged; attachment
26
+ is best-effort (no-ops when no session can be resolved). The proof `outcome`
27
+ enum widened to include `'needs_authorization'` across `ProofMeta`,
28
+ `ProofOptions`, `validateDetachedProof`, and the `detached-proof` JSON Schema.
29
+ Success proofs are byte-identical (unaffected).
30
+ - **`wrapWithDelegation` `formatChallenge` hook.** An optional config callback
31
+ that renders the `needs_authorization` challenge content (e.g. a clickable
32
+ markdown consent link for LLM / chat-style MCP clients) **before** the proof is
33
+ signed — so the challenge `responseHash` binds exactly what the client
34
+ receives, keeping the `authorizationUrl` tamper-evident regardless of
35
+ presentation. Defaults to the structured JSON challenge. The consent-basic /
36
+ consent-full examples now render their consent link via this hook instead of
37
+ rewriting the response after signing (which had left the proof bound to stale
38
+ content).
39
+ - **`ProofVerifier` content binding.** `verifyProof(proof, jwk, { request, response })`
40
+ recomputes `requestHash`/`responseHash` over the request/response the verifier
41
+ actually received — via a shared `computeCanonicalHashes` (single source of
42
+ truth with the signer, so they can't drift) — and fails `CONTENT_BINDING_MISMATCH`
43
+ on divergence. This is what realizes substitution detection (the signed
44
+ challenge's anti-MITM, and content-binding for any proof); the signature alone
45
+ proves only authenticity. New `CONTENT_BINDING_MISMATCH` proof-verification
46
+ error code.
47
+ - **Concrete `SystemClockProvider` + `RuntimeFetchProvider`.** The package now
48
+ ships a wall-clock `ClockProvider` and a network-capable `FetchProvider`
49
+ (did:key resolved locally, did:web over HTTPS, StatusList2021 fetch) so a
50
+ consumer no longer hand-rolls them to drive `ProofVerifier`. `RuntimeFetchProvider`
51
+ is the default the middleware uses and replaces the prior internal stub (whose
52
+ `resolveDID` returned `null`); it refuses private-network targets by default
53
+ (see **Security**). The verify-proof / anti-MITM examples now consume both.
54
+ - **Per-action policy / step-up gate (`withPolicyGate`).** A new opt-in
55
+ middleware wrapper that classifies an action's risk (reversibility, blast
56
+ radius, severity) and consults a pluggable Policy-as-Code `PolicyEngine`:
57
+ `allow` runs the handler, `deny` returns a `policy_denied` error, and
58
+ `step_up` returns a `needs_approval` error until N-of-M signed `ApprovalGrant`s
59
+ — each bound to the request hash (TOCTOU-safe) — are supplied. Ships a
60
+ fail-closed `DefaultPolicyEngine` and a built-in `RiskClassifier`; OPA/Rego and
61
+ Cedar adapters are intended follow-ups. Composes after `wrapWithDelegation`;
62
+ no behavior change unless adopted.
63
+ - **`PolicyEngine` PaC port + `policy/` subsystem** (`PolicyRequest`,
64
+ `PolicyDecision`, `RiskClassifier`, `DefaultPolicyEngine`, `ApprovalGrant`,
65
+ `verifyApprovalQuorum`), exported from the package root.
66
+ - **`needs_approval` error** (`NeedsApprovalError`, `createNeedsApprovalError`,
67
+ `isNeedsApprovalError`) and the `policy_denied` error code.
68
+ - **`bytesToBase64` / `base64ToBytes`** are now re-exported from the package root
69
+ (standard-base64 byte helpers, alongside the existing base64url variants).
70
+ - **`AuditLogProvider` — pluggable sink for audit-record retention.** A new
71
+ provider (abstract base + `MemoryAuditLogProvider` / `NoopAuditLogProvider`
72
+ defaults, exported from the root and `./providers`) for persisting the frozen
73
+ `audit.v1` record of each verified tool call. Wire it via `KyaOsConfig.auditLog`
74
+ (default: no-op); `createKyaOsMiddleware` emits a record after each proofed
75
+ call, and a sink failure never breaks the tool response. `buildAuditRecord(ctx)`
76
+ exposes the context→record mapping. Records carry only DID/key id, session,
77
+ audience, scope, request/response hashes, and the verification result — never
78
+ key material or nonces. The storage backend is operator-provided (durable,
79
+ append-only); the package stays storage-agnostic, like the other providers.
80
+ - **Delegation scope on audit records.** Delegation-protected tools record the
81
+ scope they were authorized under: `wrapWithDelegation` threads its `scopeId`
82
+ through a new optional `KyaOsCallContext` (3rd handler argument) into the proof
83
+ meta, so the audit record's `scope` reflects it (was `'-'`). The argument is
84
+ optional and backward-compatible; tool handlers that ignore it are unaffected.
85
+
86
+ ### Changed
87
+
88
+ - **`ProofMeta.responseHash` is now optional** (`string | undefined`). Denial /
89
+ step-up proofs carry no response, so code reading `responseHash` must treat it
90
+ as possibly-absent. `validateDetachedProof` and the `detached-proof` JSON
91
+ Schema no longer require it (and now permit `outcome`/`reason`).
92
+ - **`CrispScope` `prefix`/`regex` matchers are now enforced** (previously inert —
93
+ only exact membership in the flat `scopes[]` was checked). A credential
94
+ declaring a non-exact matcher now grants its pattern set, with ReDoS-safe regex
95
+ evaluation; flat `scopes[]` remain exact-match (unchanged). **Behavioral
96
+ change** for any credential that declared a `prefix`/`regex` matcher: it now
97
+ grants where it previously granted nothing, and a one-time warning is logged on
98
+ first non-exact use. Re-delegations may not introduce crisp matchers absent
99
+ from the parent.
100
+ - **`withPolicyGate`'s `scopeMatched` defaults to `false`** (fail-closed): compose
101
+ it after `wrapWithDelegation` and pass `scopeMatched: true`, or it denies.
102
+ `withPolicyGate` is an optional member of the `KyaOsMiddleware` interface
103
+ (additive; structural implementers/mocks are not broken). New in this release,
104
+ so no prior consumer is affected.
105
+ - **Bundled examples now consume the built `@kya-os/mcp` package** rather than
106
+ reaching into `src/` via relative paths. Nested example packages (consent-basic,
107
+ consent-full, context7, brave-search) link the local build via `file:../..`;
108
+ root-tree examples (node-server, verify-proof, outbound-delegation, statuslist)
109
+ resolve it by package self-reference. Fixes the context7 example, which had
110
+ pinned a stale published `@kya-os/mcp@^1.3.0` (pre-`withKyaOs` rename).
111
+
112
+ ### Spec
113
+
114
+ - **§4.2 — normative MUST on key generation.** An agent's key pair MUST be
115
+ generated by the agent or its designated custodian; the secret key MUST NOT be
116
+ generated by, transmitted to, or escrowed with any registration, DID,
117
+ directory, or reputation service (which receive only the public key). Carves
118
+ out agent-side proxy/HSM custody (§11.0). Closes the key-escrow / IBE-style
119
+ concern where a directory service implicitly holds agents' secret keys.
120
+ - **§6.6 — revocation needs no global list.** Clarified that a verifier checks
121
+ revocation only for the resources it gates and MAY hold revocation state
122
+ locally; `StatusList2021` is the interoperable publish format, not a required
123
+ public certificate-revocation list.
124
+ - **§11.0 — "L2+ is not OAuth-style client registration."** Direct (Level 2+)
125
+ verification still gates on the presented delegation chain, not the agent's
126
+ identity alone — inverting the OAuth Dynamic Client Registration pattern.
127
+ - **§12.5 — per-delegation keys (delegate unlinkability).** Non-normative
128
+ pattern: delegate to a fresh one-off public key per delegation to prevent
129
+ cross-delegation correlation through a shared subject DID.
130
+ - **§2 — reputation scope.** The Responsible Party definition now states that
131
+ reputation and accountability signals are scoped primarily to the Responsible
132
+ Party, not an agent's ephemeral identity.
133
+ - **Terminology.** Standardized on _secret key_ (synonymous with _private key_,
134
+ retained in PKCS#8 / JWK references); fixed the one residual _private key_
135
+ usage in §7.
136
+
137
+ ### Security
138
+
139
+ - **Malformed delegation input no longer crashes.** A malformed `_kyaos_delegation`
140
+ (non-object, missing `credentialSubject.delegation`, or even a throwing
141
+ getter/Proxy accessor) previously surfaced as a JSON-RPC internal error (`-32603`);
142
+ it now returns a clean, signed `delegation_invalid` denial. `validateDelegationChain`
143
+ shape-checks the leaf and returns `{ valid, reason }` (honouring the
144
+ `verify*`/`validate*` never-throw contract); `extractDelegationFromVC` fails
145
+ with a clear error instead of a cryptic `TypeError`; the middleware try/catch is
146
+ now a pure backstop that logs the detail server-side and returns a generic
147
+ reason (no internal/stack detail leaks to the client). The invalid-VC-JWT path
148
+ is now signed as well.
149
+ - **Log-injection / reflection hardening.** Caller-derived values (credential
150
+ ids, scopes) interpolated into delegation-failure reasons and logs are now
151
+ stripped of control characters and length-capped before emission, so a hostile
152
+ credential cannot forge log lines, corrupt a terminal, or reflect raw control
153
+ bytes into a client response.
154
+ - **`RuntimeFetchProvider` refuses private-network targets by default (SSRF).**
155
+ did:web resolution and StatusList2021 fetches reject loopback / link-local /
156
+ RFC-1918 IP-literal hosts (e.g. `did:web:169.254.169.254`, the cloud-metadata
157
+ endpoint) unless constructed with `{ allowPrivateNetworkHosts: true }`. This
158
+ is best-effort defense-in-depth for IP literals — not DNS rebinding; run
159
+ verifiers behind an egress allowlist (`SECURITY.md`).
160
+ - **Signed proofs are now emitted on denial and step-up.** Delegation/scope
161
+ denials and policy step-ups previously produced no proof; they now attach a
162
+ signed detached-JWS proof (`outcome: 'denied' | 'step_up_required'`, no
163
+ `responseHash`), so rejected privileged attempts are non-repudiably auditable.
164
+ - **Fail-closed policy default.** Unclassified ("unknown") high-risk actions are
165
+ denied by the `DefaultPolicyEngine` rather than forwarded.
166
+ - **Denial/step-up proofs are verifiable end-to-end.** `validateDetachedProof`
167
+ and `ProofVerifier` accept response-less proofs (the earlier fix only corrected
168
+ canonical-payload reconstruction); added a real-crypto end-to-end test.
169
+ - **Crisp-scope attenuation.** Re-delegations cannot widen authority via crisp
170
+ matchers absent from the parent — closes a privilege-escalation path that
171
+ enforcing the matcher would otherwise have opened.
172
+ - **ReDoS hardening.** The `regex` matcher rejects nested-quantifier patterns and
173
+ bounds input length. This is a conservative guard, **not** a guarantee — prefer
174
+ `exact`/`prefix` for untrusted issuers, or evaluate via a linear-time engine.
175
+ The `prefix` matcher refuses an empty/`*`-only base (no universal grant).
176
+
177
+ ### Removed
178
+
179
+ - **BREAKING: removed the three unsafe delegation opt-outs.** The
180
+ secure-by-default behavior they bypassed is now unconditional and cannot be
181
+ disabled:
182
+ - `delegation.requireAudienceOnRedelegation` — audience binding on every
183
+ non-root credential in a chain is now mandatory (`SPEC.md` §11.6).
184
+ - `delegation.allowLegacyUnsafeDelegation` — full delegation-chain resolution
185
+ and `credentialStatus` / StatusList revocation checks are always enforced;
186
+ parent-linked credentials without a `resolveDelegationChain` handler, and
187
+ `credentialStatus` without a `statusListResolver`, are rejected.
188
+ - `VerifyDelegationVCOptions.allowNonDelegationSubjectFields` — the
189
+ `credentialSubject` shape check (only `id` + `delegation`) is always
190
+ enforced (`SPEC.md` §6.2; conformance L3.5a).
191
+
192
+ The associated one-time `console.warn` notices are removed along with the
193
+ flags. Migration guidance: `SECURITY.md` → Mandatory Delegation Protections.
194
+ Consumers that did not set these flags are unaffected — the reference issuer
195
+ and all bundled examples already emit conformant credentials.
196
+
197
+ ### Known limitations (policy gate — experimental, non-normative)
198
+
199
+ - Step-up approval grants are **not yet single-use or expiry-bound** (replayable
200
+ for the same action); a server-issued single-use challenge is a planned follow-up.
201
+ - The default approval-signature verifier **rejects all** — integrators must supply
202
+ a real verifier; `isValidApprovalSignature: async () => true` is test-only.
203
+ - `policy_denied` / `needs_approval`, the step-up flow, and the now-normative
204
+ `CrispScope` matcher semantics are **not yet documented in `SPEC.md` /
205
+ `CONFORMANCE.md`** (tracked as follow-ups).
206
+
207
+ ## [1.3.2] - 2026-05-26
208
+
209
+ ### Security
210
+
211
+ - **Verifier rejects claim-contaminated delegation credentials.** A
212
+ `DelegationCredential` whose `credentialSubject` carries properties beyond
213
+ `id` and `delegation` is now rejected by default — claim-bearing fields in a
214
+ permission credential separate designation from authorization (the
215
+ confused-deputy class, `SPEC.md` §6.2 / §11.6). The reference verifier exposes
216
+ `allowNonDelegationSubjectFields` (default `false`) as an audited opt-out that
217
+ logs a one-time per-process warning. Spec-conformant issuers are unaffected;
218
+ the reference issuer already emits `{ id, delegation }` subjects. New
219
+ conformance requirement L3.5a. (#67)
220
+
221
+ ### Changed
222
+
223
+ - **Schema `$id` and JSON-LD `@context` hosts migrated** off the
224
+ `modelcontextprotocol-identity.io` trademark domain to the foundation-owned
225
+ `schema.kya-os.ai`. All five shipped JSON Schemas (`schemas/*.json`), the
226
+ spec's context references, and the `DELEGATION_CREDENTIAL_CONTEXT` constant
227
+ now resolve under `schema.kya-os.ai`; schemas are served identically at both
228
+ hosts during the migration window (no `$id` is 301-redirected). (#65)
229
+
230
+ ## [1.3.1] - 2026-05-26
231
+
232
+ > These entries accreted across the 1.2.0 → 1.3.1 donation cutover and were
233
+ > published without strict per-version sectioning. They are grouped here for
234
+ > completeness; see `npm view @kya-os/mcp time` and git history for exact ship
235
+ > points. A clean per-version backfill is tracked separately.
9
236
 
10
237
  ### Added
11
238
 
package/README.md CHANGED
@@ -1,8 +1,8 @@
1
1
  <p align="center">
2
2
  <a href="https://kya-os.ai">
3
3
  <picture>
4
- <source media="(prefers-color-scheme: dark)" srcset="https://modelcontextprotocol-identity.io/images/logo-mark_white.svg">
5
- <img alt="" src="https://modelcontextprotocol-identity.io/images/logo-mark_black.svg" width="64">
4
+ <source media="(prefers-color-scheme: dark)" srcset="https://kya-os.ai/mcp/images/logo-mark_white.svg">
5
+ <img alt="" src="https://kya-os.ai/mcp/images/logo-mark_black.svg" width="64">
6
6
  </picture>
7
7
  </a>
8
8
  </p>
@@ -13,7 +13,7 @@
13
13
 
14
14
  <p align="center">
15
15
  <a href="https://www.npmjs.com/package/@kya-os/mcp"><img src="https://img.shields.io/npm/v/@kya-os/mcp" alt="npm"></a>
16
- <a href="https://modelcontextprotocol-identity.io"><img src="https://img.shields.io/badge/spec-KYA--OS-blue" alt="spec"></a>
16
+ <a href="https://kya-os.ai/mcp"><img src="https://img.shields.io/badge/spec-KYA--OS-blue" alt="spec"></a>
17
17
  <a href="https://identity.foundation/working-groups/agent-and-authorization.html"><img src="https://img.shields.io/badge/DIF-TAAWG-purple" alt="DIF TAAWG"></a>
18
18
  <a href="./LICENSE"><img src="https://img.shields.io/github/license/decentralized-identity/kya-os-mcp" alt="license"></a>
19
19
  </p>
@@ -14,8 +14,9 @@ export * from './utils.js';
14
14
  export * from './outbound-proof.js';
15
15
  export * from './outbound-headers.js';
16
16
  export * from './audience-validator.js';
17
+ export * from './scope-matcher.js';
17
18
  export { createDidKeyResolver, resolveDidKeySync, isEd25519DidKey, extractPublicKeyFromDidKey, publicKeyToJwk, } from './did-key-resolver.js';
18
- export { DidWebResolver, createDidWebResolver, isDidWeb, parseDidWeb, didWebToUrl, } from './did-web-resolver.js';
19
+ export { DidWebResolver, createDidWebResolver, isDidWeb, parseDidWeb, didWebToUrl, buildDidWebDocument, } from './did-web-resolver.js';
19
20
  export { MemoryStatusListStorage } from './storage/memory-statuslist-storage.js';
20
21
  export { MemoryDelegationGraphStorage } from './storage/memory-graph-storage.js';
21
22
  //# sourceMappingURL=index.d.ts.map
@@ -1 +1 @@
1
- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/delegation/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,cAAc,gBAAgB,CAAC;AAC/B,cAAc,kBAAkB,CAAC;AACjC,cAAc,gBAAgB,CAAC;AAC/B,cAAc,yBAAyB,CAAC;AACxC,cAAc,uBAAuB,CAAC;AACtC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,YAAY,CAAC;AAC3B,cAAc,qBAAqB,CAAC;AACpC,cAAc,uBAAuB,CAAC;AACtC,cAAc,yBAAyB,CAAC;AACxC,OAAO,EACL,oBAAoB,EACpB,iBAAiB,EACjB,eAAe,EACf,0BAA0B,EAC1B,cAAc,GACf,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACL,cAAc,EACd,oBAAoB,EACpB,QAAQ,EACR,WAAW,EACX,WAAW,GACZ,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,uBAAuB,EAAE,MAAM,wCAAwC,CAAC;AACjF,OAAO,EAAE,4BAA4B,EAAE,MAAM,mCAAmC,CAAC"}
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/delegation/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,cAAc,gBAAgB,CAAC;AAC/B,cAAc,kBAAkB,CAAC;AACjC,cAAc,gBAAgB,CAAC;AAC/B,cAAc,yBAAyB,CAAC;AACxC,cAAc,uBAAuB,CAAC;AACtC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,YAAY,CAAC;AAC3B,cAAc,qBAAqB,CAAC;AACpC,cAAc,uBAAuB,CAAC;AACtC,cAAc,yBAAyB,CAAC;AACxC,cAAc,oBAAoB,CAAC;AACnC,OAAO,EACL,oBAAoB,EACpB,iBAAiB,EACjB,eAAe,EACf,0BAA0B,EAC1B,cAAc,GACf,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACL,cAAc,EACd,oBAAoB,EACpB,QAAQ,EACR,WAAW,EACX,WAAW,EACX,mBAAmB,GACpB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,uBAAuB,EAAE,MAAM,wCAAwC,CAAC;AACjF,OAAO,EAAE,4BAA4B,EAAE,MAAM,mCAAmC,CAAC"}
@@ -14,8 +14,9 @@ export * from './utils.js';
14
14
  export * from './outbound-proof.js';
15
15
  export * from './outbound-headers.js';
16
16
  export * from './audience-validator.js';
17
+ export * from './scope-matcher.js';
17
18
  export { createDidKeyResolver, resolveDidKeySync, isEd25519DidKey, extractPublicKeyFromDidKey, publicKeyToJwk, } from './did-key-resolver.js';
18
- export { DidWebResolver, createDidWebResolver, isDidWeb, parseDidWeb, didWebToUrl, } from './did-web-resolver.js';
19
+ export { DidWebResolver, createDidWebResolver, isDidWeb, parseDidWeb, didWebToUrl, buildDidWebDocument, } from './did-web-resolver.js';
19
20
  export { MemoryStatusListStorage } from './storage/memory-statuslist-storage.js';
20
21
  export { MemoryDelegationGraphStorage } from './storage/memory-graph-storage.js';
21
22
  //# sourceMappingURL=index.js.map
@@ -1 +1 @@
1
- {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/delegation/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,cAAc,gBAAgB,CAAC;AAC/B,cAAc,kBAAkB,CAAC;AACjC,cAAc,gBAAgB,CAAC;AAC/B,cAAc,yBAAyB,CAAC;AACxC,cAAc,uBAAuB,CAAC;AACtC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,YAAY,CAAC;AAC3B,cAAc,qBAAqB,CAAC;AACpC,cAAc,uBAAuB,CAAC;AACtC,cAAc,yBAAyB,CAAC;AACxC,OAAO,EACL,oBAAoB,EACpB,iBAAiB,EACjB,eAAe,EACf,0BAA0B,EAC1B,cAAc,GACf,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACL,cAAc,EACd,oBAAoB,EACpB,QAAQ,EACR,WAAW,EACX,WAAW,GACZ,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,uBAAuB,EAAE,MAAM,wCAAwC,CAAC;AACjF,OAAO,EAAE,4BAA4B,EAAE,MAAM,mCAAmC,CAAC"}
1
+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/delegation/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,cAAc,gBAAgB,CAAC;AAC/B,cAAc,kBAAkB,CAAC;AACjC,cAAc,gBAAgB,CAAC;AAC/B,cAAc,yBAAyB,CAAC;AACxC,cAAc,uBAAuB,CAAC;AACtC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,YAAY,CAAC;AAC3B,cAAc,qBAAqB,CAAC;AACpC,cAAc,uBAAuB,CAAC;AACtC,cAAc,yBAAyB,CAAC;AACxC,cAAc,oBAAoB,CAAC;AACnC,OAAO,EACL,oBAAoB,EACpB,iBAAiB,EACjB,eAAe,EACf,0BAA0B,EAC1B,cAAc,GACf,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACL,cAAc,EACd,oBAAoB,EACpB,QAAQ,EACR,WAAW,EACX,WAAW,EACX,mBAAmB,GACpB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,uBAAuB,EAAE,MAAM,wCAAwC,CAAC;AACjF,OAAO,EAAE,4BAA4B,EAAE,MAAM,mCAAmC,CAAC"}
@@ -0,0 +1,35 @@
1
+ import type { DelegationCredential } from '../types/protocol.js';
2
+ export type ScopeMatcher = 'exact' | 'prefix' | 'regex';
3
+ /**
4
+ * Match a single requested scope/resource value against a pattern by matcher kind.
5
+ *
6
+ * - `exact` : strict string equality.
7
+ * - `prefix` : value starts with the pattern (a single trailing `*` is optional sugar).
8
+ * An empty base ('' or lone '*') matches nothing — it will NOT grant
9
+ * universal scope.
10
+ * - `regex` : anchored full-string match; never throws (invalid patterns → false).
11
+ *
12
+ * SECURITY: the regex pattern is supplied by the credential ISSUER. JS `RegExp`
13
+ * is not linear-time, so this guards against the common catastrophic-backtracking
14
+ * shapes (nested quantifiers) and bounds input length — but it is a conservative
15
+ * mitigation, not a guarantee. Deployments accepting `regex` matchers from
16
+ * untrusted issuers should prefer `exact`/`prefix` or evaluate via a linear-time
17
+ * engine (e.g. RE2).
18
+ */
19
+ export declare function matchScope(pattern: string, matcher: ScopeMatcher, value: string): boolean;
20
+ export interface ScopeSatisfaction {
21
+ satisfied: boolean;
22
+ /**
23
+ * True when satisfaction came via a non-exact (prefix|regex) CrispScope matcher.
24
+ * Callers should surface a warning — non-exact matchers widen effective authority.
25
+ */
26
+ usedNonExactMatcher: boolean;
27
+ }
28
+ /**
29
+ * Decide whether a required scope id is satisfied by a credential.
30
+ *
31
+ * Flat `scopes[]` are matched EXACTLY (backwards-compatible). The opt-in
32
+ * `constraints.crisp.scopes[]` entries are honored per their declared matcher.
33
+ */
34
+ export declare function scopeSatisfies(requiredScopeId: string, credential: DelegationCredential): ScopeSatisfaction;
35
+ //# sourceMappingURL=scope-matcher.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"scope-matcher.d.ts","sourceRoot":"","sources":["../../src/delegation/scope-matcher.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,oBAAoB,EAAc,MAAM,sBAAsB,CAAC;AAY7E,MAAM,MAAM,YAAY,GAAG,OAAO,GAAG,QAAQ,GAAG,OAAO,CAAC;AAExD;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,UAAU,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,YAAY,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAsBzF;AAkBD,MAAM,WAAW,iBAAiB;IAChC,SAAS,EAAE,OAAO,CAAC;IACnB;;;OAGG;IACH,mBAAmB,EAAE,OAAO,CAAC;CAC9B;AAED;;;;;GAKG;AACH,wBAAgB,cAAc,CAC5B,eAAe,EAAE,MAAM,EACvB,UAAU,EAAE,oBAAoB,GAC/B,iBAAiB,CAUnB"}
@@ -0,0 +1,83 @@
1
+ const MAX_REGEX_LEN = 256;
2
+ const MAX_VALUE_LEN = 256;
3
+ /**
4
+ * Conservative detector for the classic catastrophic-backtracking shape — a
5
+ * quantified group whose body also contains a quantifier, e.g. `(a+)+`, `(a*)*`,
6
+ * `(.{1,9})+`. This is a heuristic reject, NOT a proof of safety.
7
+ */
8
+ const NESTED_QUANTIFIER = /\([^()]*[+*?{][^()]*\)\s*[+*{]/;
9
+ /**
10
+ * Match a single requested scope/resource value against a pattern by matcher kind.
11
+ *
12
+ * - `exact` : strict string equality.
13
+ * - `prefix` : value starts with the pattern (a single trailing `*` is optional sugar).
14
+ * An empty base ('' or lone '*') matches nothing — it will NOT grant
15
+ * universal scope.
16
+ * - `regex` : anchored full-string match; never throws (invalid patterns → false).
17
+ *
18
+ * SECURITY: the regex pattern is supplied by the credential ISSUER. JS `RegExp`
19
+ * is not linear-time, so this guards against the common catastrophic-backtracking
20
+ * shapes (nested quantifiers) and bounds input length — but it is a conservative
21
+ * mitigation, not a guarantee. Deployments accepting `regex` matchers from
22
+ * untrusted issuers should prefer `exact`/`prefix` or evaluate via a linear-time
23
+ * engine (e.g. RE2).
24
+ */
25
+ export function matchScope(pattern, matcher, value) {
26
+ switch (matcher) {
27
+ case 'exact':
28
+ return pattern === value;
29
+ case 'prefix': {
30
+ const base = pattern.endsWith('*') ? pattern.slice(0, -1) : pattern;
31
+ // Refuse to grant universal scope via an empty/`*`-only prefix.
32
+ if (base.length === 0)
33
+ return false;
34
+ return value.startsWith(base);
35
+ }
36
+ case 'regex': {
37
+ if (pattern.length > MAX_REGEX_LEN || value.length > MAX_VALUE_LEN)
38
+ return false;
39
+ if (NESTED_QUANTIFIER.test(pattern))
40
+ return false;
41
+ try {
42
+ return new RegExp(`^(?:${pattern})$`).test(value);
43
+ }
44
+ catch {
45
+ return false;
46
+ }
47
+ }
48
+ default:
49
+ return false;
50
+ }
51
+ }
52
+ /**
53
+ * Flat exact-match scope set: delegation.scopes ∪ constraints.scopes.
54
+ * Null-safe by design: scopeSatisfies is a public, never-throw predicate, so a
55
+ * structurally malformed credential (missing constraints) yields an empty set
56
+ * rather than a TypeError.
57
+ */
58
+ function flatScopes(credential) {
59
+ const d = credential?.credentialSubject?.delegation;
60
+ return [...(d?.scopes ?? []), ...(d?.constraints?.scopes ?? [])];
61
+ }
62
+ /** Opt-in CrispScope[] entries (constraints.crisp.scopes), if any. Null-safe. */
63
+ function crispScopes(credential) {
64
+ return credential?.credentialSubject?.delegation?.constraints?.crisp?.scopes ?? [];
65
+ }
66
+ /**
67
+ * Decide whether a required scope id is satisfied by a credential.
68
+ *
69
+ * Flat `scopes[]` are matched EXACTLY (backwards-compatible). The opt-in
70
+ * `constraints.crisp.scopes[]` entries are honored per their declared matcher.
71
+ */
72
+ export function scopeSatisfies(requiredScopeId, credential) {
73
+ if (flatScopes(credential).includes(requiredScopeId)) {
74
+ return { satisfied: true, usedNonExactMatcher: false };
75
+ }
76
+ for (const cs of crispScopes(credential)) {
77
+ if (matchScope(cs.resource, cs.matcher, requiredScopeId)) {
78
+ return { satisfied: true, usedNonExactMatcher: cs.matcher !== 'exact' };
79
+ }
80
+ }
81
+ return { satisfied: false, usedNonExactMatcher: false };
82
+ }
83
+ //# sourceMappingURL=scope-matcher.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"scope-matcher.js","sourceRoot":"","sources":["../../src/delegation/scope-matcher.ts"],"names":[],"mappings":"AAEA,MAAM,aAAa,GAAG,GAAG,CAAC;AAC1B,MAAM,aAAa,GAAG,GAAG,CAAC;AAE1B;;;;GAIG;AACH,MAAM,iBAAiB,GAAG,gCAAgC,CAAC;AAI3D;;;;;;;;;;;;;;;GAeG;AACH,MAAM,UAAU,UAAU,CAAC,OAAe,EAAE,OAAqB,EAAE,KAAa;IAC9E,QAAQ,OAAO,EAAE,CAAC;QAChB,KAAK,OAAO;YACV,OAAO,OAAO,KAAK,KAAK,CAAC;QAC3B,KAAK,QAAQ,CAAC,CAAC,CAAC;YACd,MAAM,IAAI,GAAG,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC;YACpE,gEAAgE;YAChE,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;gBAAE,OAAO,KAAK,CAAC;YACpC,OAAO,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;QAChC,CAAC;QACD,KAAK,OAAO,CAAC,CAAC,CAAC;YACb,IAAI,OAAO,CAAC,MAAM,GAAG,aAAa,IAAI,KAAK,CAAC,MAAM,GAAG,aAAa;gBAAE,OAAO,KAAK,CAAC;YACjF,IAAI,iBAAiB,CAAC,IAAI,CAAC,OAAO,CAAC;gBAAE,OAAO,KAAK,CAAC;YAClD,IAAI,CAAC;gBACH,OAAO,IAAI,MAAM,CAAC,OAAO,OAAO,IAAI,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACpD,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QACD;YACE,OAAO,KAAK,CAAC;IACjB,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,SAAS,UAAU,CAAC,UAAgC;IAClD,MAAM,CAAC,GAAG,UAAU,EAAE,iBAAiB,EAAE,UAAU,CAAC;IACpD,OAAO,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,IAAI,EAAE,CAAC,EAAE,GAAG,CAAC,CAAC,EAAE,WAAW,EAAE,MAAM,IAAI,EAAE,CAAC,CAAC,CAAC;AACnE,CAAC;AAED,iFAAiF;AACjF,SAAS,WAAW,CAAC,UAAgC;IACnD,OAAO,UAAU,EAAE,iBAAiB,EAAE,UAAU,EAAE,WAAW,EAAE,KAAK,EAAE,MAAM,IAAI,EAAE,CAAC;AACrF,CAAC;AAWD;;;;;GAKG;AACH,MAAM,UAAU,cAAc,CAC5B,eAAuB,EACvB,UAAgC;IAEhC,IAAI,UAAU,CAAC,UAAU,CAAC,CAAC,QAAQ,CAAC,eAAe,CAAC,EAAE,CAAC;QACrD,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,mBAAmB,EAAE,KAAK,EAAE,CAAC;IACzD,CAAC;IACD,KAAK,MAAM,EAAE,IAAI,WAAW,CAAC,UAAU,CAAC,EAAE,CAAC;QACzC,IAAI,UAAU,CAAC,EAAE,CAAC,QAAQ,EAAE,EAAE,CAAC,OAAO,EAAE,eAAe,CAAC,EAAE,CAAC;YACzD,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,mBAAmB,EAAE,EAAE,CAAC,OAAO,KAAK,OAAO,EAAE,CAAC;QAC1E,CAAC;IACH,CAAC;IACD,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,mBAAmB,EAAE,KAAK,EAAE,CAAC;AAC1D,CAAC"}
@@ -96,6 +96,13 @@ export declare class DelegationCredentialVerifier {
96
96
  */
97
97
  verifyDelegationCredential(vc: DelegationCredential, options?: VerifyDelegationVCOptions): Promise<DelegationVCVerificationResult>;
98
98
  private validateBasicProperties;
99
+ /**
100
+ * Reject a delegation credential whose `credentialSubject` carries properties
101
+ * other than `id` and `delegation`. Claim-bearing fields in a permission
102
+ * credential separate designation from authorization — the confused-deputy
103
+ * class (KYA-OS §11.6). Unconditional as of 1.4.0.
104
+ */
105
+ private validateSubjectShape;
99
106
  private verifySignature;
100
107
  private checkCredentialStatus;
101
108
  private findVerificationMethod;
@@ -1 +1 @@
1
- {"version":3,"file":"vc-verifier.d.ts","sourceRoot":"","sources":["../../src/delegation/vc-verifier.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EACV,oBAAoB,EACpB,gBAAgB,EACjB,MAAM,sBAAsB,CAAC;AAO9B,MAAM,WAAW,8BAA8B;IAC7C,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,OAAO,GAAG,WAAW,GAAG,QAAQ,GAAG,UAAU,CAAC;IACrD,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,OAAO,CAAC,EAAE;QACR,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,gBAAgB,CAAC,EAAE,MAAM,CAAC;QAC1B,aAAa,CAAC,EAAE,MAAM,CAAC;QACvB,OAAO,EAAE,MAAM,CAAC;KACjB,CAAC;IACF,MAAM,CAAC,EAAE;QACP,UAAU,CAAC,EAAE,OAAO,CAAC;QACrB,cAAc,CAAC,EAAE,OAAO,CAAC;QACzB,WAAW,CAAC,EAAE,OAAO,CAAC;KACvB,CAAC;CACH;AAED,MAAM,WAAW,yBAAyB;IACxC,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,WAAW,CAAC,EAAE,WAAW,CAAC;IAC1B,kBAAkB,CAAC,EAAE,kBAAkB,CAAC;CACzC;AAED,MAAM,WAAW,WAAW;IAC1B,OAAO,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;CACnD;AAED,MAAM,WAAW,WAAW;IAC1B,UAAU,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAC/B,EAAE,EAAE,MAAM,CAAC;IACX,kBAAkB,CAAC,EAAE,kBAAkB,EAAE,CAAC;IAC1C,cAAc,CAAC,EAAE,CAAC,MAAM,GAAG,kBAAkB,CAAC,EAAE,CAAC;IACjD,eAAe,CAAC,EAAE,CAAC,MAAM,GAAG,kBAAkB,CAAC,EAAE,CAAC;CACnD;AAED,MAAM,WAAW,kBAAkB;IACjC,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC7B;AAED,MAAM,WAAW,kBAAkB;IACjC,WAAW,CAAC,MAAM,EAAE,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;CACzD;AAED,MAAM,WAAW,6BAA6B;IAC5C,CACE,EAAE,EAAE,oBAAoB,EACxB,YAAY,EAAE,OAAO,GACpB,OAAO,CAAC;QACT,KAAK,EAAE,OAAO,CAAC;QACf,MAAM,CAAC,EAAE,MAAM,CAAC;KACjB,CAAC,CAAC;CACJ;AAED,qBAAa,4BAA4B;IACvC,OAAO,CAAC,WAAW,CAAC,CAAc;IAClC,OAAO,CAAC,kBAAkB,CAAC,CAAqB;IAChD,OAAO,CAAC,iBAAiB,CAAC,CAAgC;IAC1D,OAAO,CAAC,KAAK,CAGT;IACJ,OAAO,CAAC,mBAAmB,CAAgB;IAC3C,OAAO,CAAC,QAAQ,CAAS;IACzB;;;;OAIG;IACH,OAAO,CAAC,YAAY,CAAS;gBAEjB,OAAO,CAAC,EAAE;QACpB,WAAW,CAAC,EAAE,WAAW,CAAC;QAC1B,kBAAkB,CAAC,EAAE,kBAAkB,CAAC;QACxC,iBAAiB,CAAC,EAAE,6BAA6B,CAAC;QAClD,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,2CAA2C;QAC3C,YAAY,CAAC,EAAE,MAAM,CAAC;KACvB;IAQD;;;;;;;;;;OAUG;IACG,0BAA0B,CAC9B,EAAE,EAAE,oBAAoB,EACxB,OAAO,GAAE,yBAA8B,GACtC,OAAO,CAAC,8BAA8B,CAAC;IA6F1C,OAAO,CAAC,uBAAuB;YAuCjB,eAAe;YAkFf,qBAAqB;IAuCnC,OAAO,CAAC,sBAAsB;IAS9B,OAAO,CAAC,YAAY;IAYpB,OAAO,CAAC,UAAU;IAgBlB,UAAU,IAAI,IAAI;IAKlB,eAAe,CAAC,EAAE,EAAE,MAAM,GAAG,IAAI;CAOlC;AAED,wBAAgB,wBAAwB,CAAC,OAAO,CAAC,EAAE;IACjD,WAAW,CAAC,EAAE,WAAW,CAAC;IAC1B,kBAAkB,CAAC,EAAE,kBAAkB,CAAC;IACxC,iBAAiB,CAAC,EAAE,6BAA6B,CAAC;IAClD,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,GAAG,4BAA4B,CAE/B"}
1
+ {"version":3,"file":"vc-verifier.d.ts","sourceRoot":"","sources":["../../src/delegation/vc-verifier.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EACV,oBAAoB,EACpB,gBAAgB,EACjB,MAAM,sBAAsB,CAAC;AAc9B,MAAM,WAAW,8BAA8B;IAC7C,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,OAAO,GAAG,WAAW,GAAG,QAAQ,GAAG,UAAU,CAAC;IACrD,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,OAAO,CAAC,EAAE;QACR,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,gBAAgB,CAAC,EAAE,MAAM,CAAC;QAC1B,aAAa,CAAC,EAAE,MAAM,CAAC;QACvB,OAAO,EAAE,MAAM,CAAC;KACjB,CAAC;IACF,MAAM,CAAC,EAAE;QACP,UAAU,CAAC,EAAE,OAAO,CAAC;QACrB,cAAc,CAAC,EAAE,OAAO,CAAC;QACzB,WAAW,CAAC,EAAE,OAAO,CAAC;KACvB,CAAC;CACH;AAED,MAAM,WAAW,yBAAyB;IACxC,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,WAAW,CAAC,EAAE,WAAW,CAAC;IAC1B,kBAAkB,CAAC,EAAE,kBAAkB,CAAC;CACzC;AAED,MAAM,WAAW,WAAW;IAC1B,OAAO,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;CACnD;AAED,MAAM,WAAW,WAAW;IAC1B,UAAU,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAC/B,EAAE,EAAE,MAAM,CAAC;IACX,kBAAkB,CAAC,EAAE,kBAAkB,EAAE,CAAC;IAC1C,cAAc,CAAC,EAAE,CAAC,MAAM,GAAG,kBAAkB,CAAC,EAAE,CAAC;IACjD,eAAe,CAAC,EAAE,CAAC,MAAM,GAAG,kBAAkB,CAAC,EAAE,CAAC;CACnD;AAED,MAAM,WAAW,kBAAkB;IACjC,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC7B;AAED,MAAM,WAAW,kBAAkB;IACjC,WAAW,CAAC,MAAM,EAAE,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;CACzD;AAED,MAAM,WAAW,6BAA6B;IAC5C,CACE,EAAE,EAAE,oBAAoB,EACxB,YAAY,EAAE,OAAO,GACpB,OAAO,CAAC;QACT,KAAK,EAAE,OAAO,CAAC;QACf,MAAM,CAAC,EAAE,MAAM,CAAC;KACjB,CAAC,CAAC;CACJ;AAED,qBAAa,4BAA4B;IACvC,OAAO,CAAC,WAAW,CAAC,CAAc;IAClC,OAAO,CAAC,kBAAkB,CAAC,CAAqB;IAChD,OAAO,CAAC,iBAAiB,CAAC,CAAgC;IAC1D,OAAO,CAAC,KAAK,CAGT;IACJ,OAAO,CAAC,mBAAmB,CAAgB;IAC3C,OAAO,CAAC,QAAQ,CAAS;IACzB;;;;OAIG;IACH,OAAO,CAAC,YAAY,CAAS;gBAEjB,OAAO,CAAC,EAAE;QACpB,WAAW,CAAC,EAAE,WAAW,CAAC;QAC1B,kBAAkB,CAAC,EAAE,kBAAkB,CAAC;QACxC,iBAAiB,CAAC,EAAE,6BAA6B,CAAC;QAClD,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,2CAA2C;QAC3C,YAAY,CAAC,EAAE,MAAM,CAAC;KACvB;IAQD;;;;;;;;;;OAUG;IACG,0BAA0B,CAC9B,EAAE,EAAE,oBAAoB,EACxB,OAAO,GAAE,yBAA8B,GACtC,OAAO,CAAC,8BAA8B,CAAC;IA6F1C,OAAO,CAAC,uBAAuB;IA4C/B;;;;;OAKG;IACH,OAAO,CAAC,oBAAoB;YAoBd,eAAe;YAkFf,qBAAqB;IAuCnC,OAAO,CAAC,sBAAsB;IAS9B,OAAO,CAAC,YAAY;IAYpB,OAAO,CAAC,UAAU;IAgBlB,UAAU,IAAI,IAAI;IAKlB,eAAe,CAAC,EAAE,EAAE,MAAM,GAAG,IAAI;CAOlC;AAED,wBAAgB,wBAAwB,CAAC,OAAO,CAAC,EAAE;IACjD,WAAW,CAAC,EAAE,WAAW,CAAC;IAC1B,kBAAkB,CAAC,EAAE,kBAAkB,CAAC;IACxC,iBAAiB,CAAC,EAAE,6BAA6B,CAAC;IAClD,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,GAAG,4BAA4B,CAE/B"}
@@ -11,6 +11,12 @@
11
11
  * Related Spec: KYA-OS §4.3, W3C VC Data Model 1.1
12
12
  */
13
13
  import { isDelegationCredentialExpired, isDelegationCredentialNotYetValid, validateDelegationCredential, } from "../types/protocol.js";
14
+ /**
15
+ * Properties a DelegationCredential `credentialSubject` may carry. Anything
16
+ * else is treated as a claim-intended field and rejected by default — a
17
+ * permission credential must not smuggle claims (KYA-OS §11.6).
18
+ */
19
+ const DELEGATION_SUBJECT_KEYS = ["id", "delegation"];
14
20
  export class DelegationCredentialVerifier {
15
21
  didResolver;
16
22
  statusListResolver;
@@ -137,8 +143,29 @@ export class DelegationCredentialVerifier {
137
143
  if (!vc.proof) {
138
144
  return { valid: false, reason: "Missing proof" };
139
145
  }
146
+ const subjectShape = this.validateSubjectShape(vc);
147
+ if (!subjectShape.valid) {
148
+ return subjectShape;
149
+ }
140
150
  return { valid: true };
141
151
  }
152
+ /**
153
+ * Reject a delegation credential whose `credentialSubject` carries properties
154
+ * other than `id` and `delegation`. Claim-bearing fields in a permission
155
+ * credential separate designation from authorization — the confused-deputy
156
+ * class (KYA-OS §11.6). Unconditional as of 1.4.0.
157
+ */
158
+ validateSubjectShape(vc) {
159
+ const extraneous = Object.keys(vc.credentialSubject).filter((key) => !DELEGATION_SUBJECT_KEYS.includes(key));
160
+ if (extraneous.length === 0) {
161
+ return { valid: true };
162
+ }
163
+ return {
164
+ valid: false,
165
+ reason: `credentialSubject contains non-delegation field(s): ${extraneous.join(", ")}. ` +
166
+ `A DelegationCredential subject MUST carry only 'id' and 'delegation' (KYA-OS §11.6).`,
167
+ };
168
+ }
142
169
  async verifySignature(vc, didResolver) {
143
170
  const startTime = Date.now();
144
171
  try {
@@ -1 +1 @@
1
- {"version":3,"file":"vc-verifier.js","sourceRoot":"","sources":["../../src/delegation/vc-verifier.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAMH,OAAO,EACL,6BAA6B,EAC7B,iCAAiC,EACjC,4BAA4B,GAC7B,MAAM,sBAAsB,CAAC;AA+D9B,MAAM,OAAO,4BAA4B;IAC/B,WAAW,CAAe;IAC1B,kBAAkB,CAAsB;IACxC,iBAAiB,CAAiC;IAClD,KAAK,GAAG,IAAI,GAAG,EAGpB,CAAC;IACI,mBAAmB,GAAa,EAAE,CAAC;IACnC,QAAQ,CAAS;IACzB;;;;OAIG;IACK,YAAY,CAAS;IAE7B,YAAY,OAOX;QACC,IAAI,CAAC,WAAW,GAAG,OAAO,EAAE,WAAW,CAAC;QACxC,IAAI,CAAC,kBAAkB,GAAG,OAAO,EAAE,kBAAkB,CAAC;QACtD,IAAI,CAAC,iBAAiB,GAAG,OAAO,EAAE,iBAAiB,CAAC;QACpD,IAAI,CAAC,QAAQ,GAAG,OAAO,EAAE,QAAQ,IAAI,MAAM,CAAC;QAC5C,IAAI,CAAC,YAAY,GAAG,OAAO,EAAE,YAAY,IAAI,IAAI,CAAC;IACpD,CAAC;IAED;;;;;;;;;;OAUG;IACH,KAAK,CAAC,0BAA0B,CAC9B,EAAwB,EACxB,UAAqC,EAAE;QAEvC,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAE7B,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,CAAC;YACvB,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC;YAC9C,IAAI,MAAM,EAAE,CAAC;gBACX,OAAO,EAAE,GAAG,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;YACrC,CAAC;QACH,CAAC;QAED,MAAM,eAAe,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACnC,MAAM,eAAe,GAAG,IAAI,CAAC,uBAAuB,CAAC,EAAE,CAAC,CAAC;QACzD,MAAM,YAAY,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,eAAe,CAAC;QAElD,IAAI,CAAC,eAAe,CAAC,KAAK,EAAE,CAAC;YAC3B,MAAM,MAAM,GAAmC;gBAC7C,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,eAAe,CAAC,MAAM;gBAC9B,KAAK,EAAE,OAAO;gBACd,OAAO,EAAE;oBACP,YAAY;oBACZ,OAAO,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;iBAChC;gBACD,MAAM,EAAE;oBACN,UAAU,EAAE,KAAK;iBAClB;aACF,CAAC;YACF,OAAO,MAAM,CAAC;QAChB,CAAC;QAED,MAAM,gBAAgB,GAAG,CAAC,OAAO,CAAC,aAAa;YAC7C,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,EAAE,EAAE,OAAO,CAAC,WAAW,IAAI,IAAI,CAAC,WAAW,CAAC;YACnE,CAAC,CAAC,OAAO,CAAC,OAAO,CAIZ;gBACD,KAAK,EAAE,IAAI;gBACX,UAAU,EAAE,CAAC;aACd,CAAC,CAAC;QAEP,MAAM,aAAa,GACjB,CAAC,OAAO,CAAC,UAAU,IAAI,EAAE,CAAC,gBAAgB;YACxC,CAAC,CAAC,IAAI,CAAC,qBAAqB,CACxB,EAAE,CAAC,gBAAgB,EACnB,OAAO,CAAC,kBAAkB,IAAI,IAAI,CAAC,kBAAkB,CACtD;YACH,CAAC,CAAC,OAAO,CAAC,OAAO,CAIZ;gBACD,KAAK,EAAE,IAAI;gBACX,UAAU,EAAE,CAAC;aACd,CAAC,CAAC;QAET,MAAM,CAAC,eAAe,EAAE,YAAY,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;YACxD,gBAAgB;YAChB,aAAa;SACd,CAAC,CAAC;QAEH,MAAM,gBAAgB,GAAG,eAAe,CAAC,UAAU,IAAI,CAAC,CAAC;QACzD,MAAM,aAAa,GAAG,YAAY,CAAC,UAAU,IAAI,CAAC,CAAC;QAEnD,MAAM,QAAQ,GACZ,eAAe,CAAC,KAAK,IAAI,eAAe,CAAC,KAAK,IAAI,YAAY,CAAC,KAAK,CAAC;QAEvE,MAAM,MAAM,GAAmC;YAC7C,KAAK,EAAE,QAAQ;YACf,MAAM,EAAE,CAAC,QAAQ;gBACf,CAAC,CAAC,eAAe,CAAC,MAAM,IAAI,YAAY,CAAC,MAAM,IAAI,iBAAiB;gBACpE,CAAC,CAAC,SAAS;YACb,KAAK,EAAE,UAAU;YACjB,OAAO,EAAE;gBACP,YAAY;gBACZ,gBAAgB;gBAChB,aAAa;gBACb,OAAO,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;aAChC;YACD,MAAM,EAAE;gBACN,UAAU,EAAE,eAAe,CAAC,KAAK;gBACjC,cAAc,EAAE,eAAe,CAAC,KAAK;gBACrC,WAAW,EAAE,YAAY,CAAC,KAAK;aAChC;SACF,CAAC;QAEF,IAAI,MAAM,CAAC,KAAK,IAAI,EAAE,CAAC,EAAE,EAAE,CAAC;YAC1B,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC;QACjC,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAEO,uBAAuB,CAAC,EAAwB;QAItD,MAAM,gBAAgB,GAAG,4BAA4B,CAAC,EAAE,CAAC,CAAC;QAC1D,IAAI,CAAC,gBAAgB,CAAC,OAAO,EAAE,CAAC;YAC9B,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,6BAA6B,gBAAgB,CAAC,KAAK,EAAE,OAAO,EAAE;aACvE,CAAC;QACJ,CAAC;QAED,IAAI,6BAA6B,CAAC,EAAE,CAAC,EAAE,CAAC;YACtC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,+BAA+B,EAAE,CAAC;QACnE,CAAC;QAED,IAAI,iCAAiC,CAAC,EAAE,CAAC,EAAE,CAAC;YAC1C,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,qCAAqC,EAAE,CAAC;QACzE,CAAC;QAED,MAAM,UAAU,GAAG,EAAE,CAAC,iBAAiB,CAAC,UAAU,CAAC;QACnD,IAAI,UAAU,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;YACpC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,8BAA8B,EAAE,CAAC;QAClE,CAAC;QACD,IAAI,UAAU,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;YACpC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,8BAA8B,EAAE,CAAC;QAClE,CAAC;QAED,IAAI,CAAC,UAAU,CAAC,SAAS,IAAI,CAAC,UAAU,CAAC,UAAU,EAAE,CAAC;YACpD,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,+BAA+B,EAAE,CAAC;QACnE,CAAC;QAED,IAAI,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;YACd,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;QACnD,CAAC;QAED,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;IACzB,CAAC;IAEO,KAAK,CAAC,eAAe,CAC3B,EAAwB,EACxB,WAAyB;QAEzB,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAE7B,IAAI,CAAC;YACH,MAAM,SAAS,GACb,OAAO,EAAE,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC;YAE3D,IAAI,CAAC,WAAW,IAAI,CAAC,IAAI,CAAC,iBAAiB,EAAE,CAAC;gBAC5C,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,MAAM,EACJ,iFAAiF;oBACnF,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;iBACnC,CAAC;YACJ,CAAC;YAED,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;YACpD,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,MAAM,EAAE,iCAAiC,SAAS,EAAE;oBACpD,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;iBACnC,CAAC;YACJ,CAAC;YAED,IAAI,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;gBACd,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,MAAM,EAAE,kBAAkB;oBAC1B,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;iBACnC,CAAC;YACJ,CAAC;YAED,MAAM,oBAAoB,GAAG,EAAE,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAC;YAC5D,IAAI,CAAC,oBAAoB,EAAE,CAAC;gBAC1B,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,MAAM,EAAE,kCAAkC;oBAC1C,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;iBACnC,CAAC;YACJ,CAAC;YAED,MAAM,kBAAkB,GAAG,IAAI,CAAC,sBAAsB,CACpD,MAAM,EACN,oBAA8B,CAC/B,CAAC;YACF,IAAI,CAAC,kBAAkB,EAAE,CAAC;gBACxB,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,MAAM,EAAE,uBAAuB,oBAAoB,YAAY;oBAC/D,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;iBACnC,CAAC;YACJ,CAAC;YAED,MAAM,YAAY,GAAG,kBAAkB,CAAC,YAAY,CAAC;YACrD,IAAI,CAAC,YAAY,EAAE,CAAC;gBAClB,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,MAAM,EAAE,0CAA0C;oBAClD,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;iBACnC,CAAC;YACJ,CAAC;YAED,MAAM,kBAAkB,GAAG,MAAM,IAAI,CAAC,iBAAiB,CAAC,EAAE,EAAE,YAAY,CAAC,CAAC;YAE1E,OAAO;gBACL,KAAK,EAAE,kBAAkB,CAAC,KAAK;gBAC/B,MAAM,EAAE,kBAAkB,CAAC,MAAM;gBACjC,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;aACnC,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,iCAAiC,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,EAAE;gBACnG,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;aACnC,CAAC;QACJ,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,qBAAqB,CACjC,MAAwB,EACxB,kBAAuC;QAEvC,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAE7B,IAAI,CAAC;YACH,IAAI,CAAC,kBAAkB,EAAE,CAAC;gBACxB,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,MAAM,EACJ,6GAA6G;oBAC/G,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;iBACnC,CAAC;YACJ,CAAC;YAED,MAAM,SAAS,GAAG,MAAM,kBAAkB,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;YAE/D,IAAI,SAAS,EAAE,CAAC;gBACd,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,MAAM,EAAE,0CAA0C,MAAM,CAAC,aAAa,GAAG;oBACzE,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;iBACnC,CAAC;YACJ,CAAC;YAED,OAAO;gBACL,KAAK,EAAE,IAAI;gBACX,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;aACnC,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,uBAAuB,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,EAAE;gBACzF,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;aACnC,CAAC;QACJ,CAAC;IACH,CAAC;IAEO,sBAAsB,CAC5B,MAAmB,EACnB,oBAA4B;QAE5B,OAAO,MAAM,CAAC,kBAAkB,EAAE,IAAI,CACpC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,EAAE,KAAK,oBAAoB,CACvC,CAAC;IACJ,CAAC;IAEO,YAAY,CAAC,EAAU;QAC7B,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACjC,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAC;QAExB,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC,SAAS,EAAE,CAAC;YACjC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;YACtB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,KAAK,CAAC,MAAM,CAAC;IACtB,CAAC;IAEO,UAAU,CAAC,EAAU,EAAE,MAAsC;QACnE,iEAAiE;QACjE,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,IAAI,IAAI,CAAC,YAAY,IAAI,IAAI,CAAC,mBAAmB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACnF,MAAM,QAAQ,GAAG,IAAI,CAAC,mBAAmB,CAAC,KAAK,EAAE,CAAC;YAClD,IAAI,QAAQ,EAAE,CAAC;gBACb,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;YAC9B,CAAC;QACH,CAAC;QAED,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,EAAE;YACjB,MAAM;YACN,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,QAAQ;SACtC,CAAC,CAAC;QACH,IAAI,CAAC,mBAAmB,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACpC,CAAC;IAED,UAAU;QACR,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;QACnB,IAAI,CAAC,mBAAmB,GAAG,EAAE,CAAC;IAChC,CAAC;IAED,eAAe,CAAC,EAAU;QACxB,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;QACtB,MAAM,GAAG,GAAG,IAAI,CAAC,mBAAmB,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;QACjD,IAAI,GAAG,KAAK,CAAC,CAAC,EAAE,CAAC;YACf,IAAI,CAAC,mBAAmB,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;QAC1C,CAAC;IACH,CAAC;CACF;AAED,MAAM,UAAU,wBAAwB,CAAC,OAKxC;IACC,OAAO,IAAI,4BAA4B,CAAC,OAAO,CAAC,CAAC;AACnD,CAAC"}
1
+ {"version":3,"file":"vc-verifier.js","sourceRoot":"","sources":["../../src/delegation/vc-verifier.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAMH,OAAO,EACL,6BAA6B,EAC7B,iCAAiC,EACjC,4BAA4B,GAC7B,MAAM,sBAAsB,CAAC;AAE9B;;;;GAIG;AACH,MAAM,uBAAuB,GAAsB,CAAC,IAAI,EAAE,YAAY,CAAC,CAAC;AA+DxE,MAAM,OAAO,4BAA4B;IAC/B,WAAW,CAAe;IAC1B,kBAAkB,CAAsB;IACxC,iBAAiB,CAAiC;IAClD,KAAK,GAAG,IAAI,GAAG,EAGpB,CAAC;IACI,mBAAmB,GAAa,EAAE,CAAC;IACnC,QAAQ,CAAS;IACzB;;;;OAIG;IACK,YAAY,CAAS;IAE7B,YAAY,OAOX;QACC,IAAI,CAAC,WAAW,GAAG,OAAO,EAAE,WAAW,CAAC;QACxC,IAAI,CAAC,kBAAkB,GAAG,OAAO,EAAE,kBAAkB,CAAC;QACtD,IAAI,CAAC,iBAAiB,GAAG,OAAO,EAAE,iBAAiB,CAAC;QACpD,IAAI,CAAC,QAAQ,GAAG,OAAO,EAAE,QAAQ,IAAI,MAAM,CAAC;QAC5C,IAAI,CAAC,YAAY,GAAG,OAAO,EAAE,YAAY,IAAI,IAAI,CAAC;IACpD,CAAC;IAED;;;;;;;;;;OAUG;IACH,KAAK,CAAC,0BAA0B,CAC9B,EAAwB,EACxB,UAAqC,EAAE;QAEvC,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAE7B,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,CAAC;YACvB,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC;YAC9C,IAAI,MAAM,EAAE,CAAC;gBACX,OAAO,EAAE,GAAG,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;YACrC,CAAC;QACH,CAAC;QAED,MAAM,eAAe,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACnC,MAAM,eAAe,GAAG,IAAI,CAAC,uBAAuB,CAAC,EAAE,CAAC,CAAC;QACzD,MAAM,YAAY,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,eAAe,CAAC;QAElD,IAAI,CAAC,eAAe,CAAC,KAAK,EAAE,CAAC;YAC3B,MAAM,MAAM,GAAmC;gBAC7C,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,eAAe,CAAC,MAAM;gBAC9B,KAAK,EAAE,OAAO;gBACd,OAAO,EAAE;oBACP,YAAY;oBACZ,OAAO,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;iBAChC;gBACD,MAAM,EAAE;oBACN,UAAU,EAAE,KAAK;iBAClB;aACF,CAAC;YACF,OAAO,MAAM,CAAC;QAChB,CAAC;QAED,MAAM,gBAAgB,GAAG,CAAC,OAAO,CAAC,aAAa;YAC7C,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,EAAE,EAAE,OAAO,CAAC,WAAW,IAAI,IAAI,CAAC,WAAW,CAAC;YACnE,CAAC,CAAC,OAAO,CAAC,OAAO,CAIZ;gBACD,KAAK,EAAE,IAAI;gBACX,UAAU,EAAE,CAAC;aACd,CAAC,CAAC;QAEP,MAAM,aAAa,GACjB,CAAC,OAAO,CAAC,UAAU,IAAI,EAAE,CAAC,gBAAgB;YACxC,CAAC,CAAC,IAAI,CAAC,qBAAqB,CACxB,EAAE,CAAC,gBAAgB,EACnB,OAAO,CAAC,kBAAkB,IAAI,IAAI,CAAC,kBAAkB,CACtD;YACH,CAAC,CAAC,OAAO,CAAC,OAAO,CAIZ;gBACD,KAAK,EAAE,IAAI;gBACX,UAAU,EAAE,CAAC;aACd,CAAC,CAAC;QAET,MAAM,CAAC,eAAe,EAAE,YAAY,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;YACxD,gBAAgB;YAChB,aAAa;SACd,CAAC,CAAC;QAEH,MAAM,gBAAgB,GAAG,eAAe,CAAC,UAAU,IAAI,CAAC,CAAC;QACzD,MAAM,aAAa,GAAG,YAAY,CAAC,UAAU,IAAI,CAAC,CAAC;QAEnD,MAAM,QAAQ,GACZ,eAAe,CAAC,KAAK,IAAI,eAAe,CAAC,KAAK,IAAI,YAAY,CAAC,KAAK,CAAC;QAEvE,MAAM,MAAM,GAAmC;YAC7C,KAAK,EAAE,QAAQ;YACf,MAAM,EAAE,CAAC,QAAQ;gBACf,CAAC,CAAC,eAAe,CAAC,MAAM,IAAI,YAAY,CAAC,MAAM,IAAI,iBAAiB;gBACpE,CAAC,CAAC,SAAS;YACb,KAAK,EAAE,UAAU;YACjB,OAAO,EAAE;gBACP,YAAY;gBACZ,gBAAgB;gBAChB,aAAa;gBACb,OAAO,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;aAChC;YACD,MAAM,EAAE;gBACN,UAAU,EAAE,eAAe,CAAC,KAAK;gBACjC,cAAc,EAAE,eAAe,CAAC,KAAK;gBACrC,WAAW,EAAE,YAAY,CAAC,KAAK;aAChC;SACF,CAAC;QAEF,IAAI,MAAM,CAAC,KAAK,IAAI,EAAE,CAAC,EAAE,EAAE,CAAC;YAC1B,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC;QACjC,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAEO,uBAAuB,CAAC,EAAwB;QAItD,MAAM,gBAAgB,GAAG,4BAA4B,CAAC,EAAE,CAAC,CAAC;QAC1D,IAAI,CAAC,gBAAgB,CAAC,OAAO,EAAE,CAAC;YAC9B,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,6BAA6B,gBAAgB,CAAC,KAAK,EAAE,OAAO,EAAE;aACvE,CAAC;QACJ,CAAC;QAED,IAAI,6BAA6B,CAAC,EAAE,CAAC,EAAE,CAAC;YACtC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,+BAA+B,EAAE,CAAC;QACnE,CAAC;QAED,IAAI,iCAAiC,CAAC,EAAE,CAAC,EAAE,CAAC;YAC1C,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,qCAAqC,EAAE,CAAC;QACzE,CAAC;QAED,MAAM,UAAU,GAAG,EAAE,CAAC,iBAAiB,CAAC,UAAU,CAAC;QACnD,IAAI,UAAU,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;YACpC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,8BAA8B,EAAE,CAAC;QAClE,CAAC;QACD,IAAI,UAAU,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;YACpC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,8BAA8B,EAAE,CAAC;QAClE,CAAC;QAED,IAAI,CAAC,UAAU,CAAC,SAAS,IAAI,CAAC,UAAU,CAAC,UAAU,EAAE,CAAC;YACpD,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,+BAA+B,EAAE,CAAC;QACnE,CAAC;QAED,IAAI,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;YACd,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;QACnD,CAAC;QAED,MAAM,YAAY,GAAG,IAAI,CAAC,oBAAoB,CAAC,EAAE,CAAC,CAAC;QACnD,IAAI,CAAC,YAAY,CAAC,KAAK,EAAE,CAAC;YACxB,OAAO,YAAY,CAAC;QACtB,CAAC;QAED,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;IACzB,CAAC;IAED;;;;;OAKG;IACK,oBAAoB,CAAC,EAAwB;QAInD,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,iBAAiB,CAAC,CAAC,MAAM,CACzD,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,uBAAuB,CAAC,QAAQ,CAAC,GAAG,CAAC,CAChD,CAAC;QAEF,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC5B,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;QACzB,CAAC;QAED,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,MAAM,EACJ,uDAAuD,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI;gBAChF,sFAAsF;SACzF,CAAC;IACJ,CAAC;IAEO,KAAK,CAAC,eAAe,CAC3B,EAAwB,EACxB,WAAyB;QAEzB,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAE7B,IAAI,CAAC;YACH,MAAM,SAAS,GACb,OAAO,EAAE,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC;YAE3D,IAAI,CAAC,WAAW,IAAI,CAAC,IAAI,CAAC,iBAAiB,EAAE,CAAC;gBAC5C,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,MAAM,EACJ,iFAAiF;oBACnF,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;iBACnC,CAAC;YACJ,CAAC;YAED,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;YACpD,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,MAAM,EAAE,iCAAiC,SAAS,EAAE;oBACpD,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;iBACnC,CAAC;YACJ,CAAC;YAED,IAAI,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;gBACd,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,MAAM,EAAE,kBAAkB;oBAC1B,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;iBACnC,CAAC;YACJ,CAAC;YAED,MAAM,oBAAoB,GAAG,EAAE,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAC;YAC5D,IAAI,CAAC,oBAAoB,EAAE,CAAC;gBAC1B,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,MAAM,EAAE,kCAAkC;oBAC1C,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;iBACnC,CAAC;YACJ,CAAC;YAED,MAAM,kBAAkB,GAAG,IAAI,CAAC,sBAAsB,CACpD,MAAM,EACN,oBAA8B,CAC/B,CAAC;YACF,IAAI,CAAC,kBAAkB,EAAE,CAAC;gBACxB,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,MAAM,EAAE,uBAAuB,oBAAoB,YAAY;oBAC/D,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;iBACnC,CAAC;YACJ,CAAC;YAED,MAAM,YAAY,GAAG,kBAAkB,CAAC,YAAY,CAAC;YACrD,IAAI,CAAC,YAAY,EAAE,CAAC;gBAClB,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,MAAM,EAAE,0CAA0C;oBAClD,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;iBACnC,CAAC;YACJ,CAAC;YAED,MAAM,kBAAkB,GAAG,MAAM,IAAI,CAAC,iBAAiB,CAAC,EAAE,EAAE,YAAY,CAAC,CAAC;YAE1E,OAAO;gBACL,KAAK,EAAE,kBAAkB,CAAC,KAAK;gBAC/B,MAAM,EAAE,kBAAkB,CAAC,MAAM;gBACjC,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;aACnC,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,iCAAiC,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,EAAE;gBACnG,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;aACnC,CAAC;QACJ,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,qBAAqB,CACjC,MAAwB,EACxB,kBAAuC;QAEvC,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAE7B,IAAI,CAAC;YACH,IAAI,CAAC,kBAAkB,EAAE,CAAC;gBACxB,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,MAAM,EACJ,6GAA6G;oBAC/G,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;iBACnC,CAAC;YACJ,CAAC;YAED,MAAM,SAAS,GAAG,MAAM,kBAAkB,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;YAE/D,IAAI,SAAS,EAAE,CAAC;gBACd,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,MAAM,EAAE,0CAA0C,MAAM,CAAC,aAAa,GAAG;oBACzE,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;iBACnC,CAAC;YACJ,CAAC;YAED,OAAO;gBACL,KAAK,EAAE,IAAI;gBACX,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;aACnC,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,uBAAuB,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,EAAE;gBACzF,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;aACnC,CAAC;QACJ,CAAC;IACH,CAAC;IAEO,sBAAsB,CAC5B,MAAmB,EACnB,oBAA4B;QAE5B,OAAO,MAAM,CAAC,kBAAkB,EAAE,IAAI,CACpC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,EAAE,KAAK,oBAAoB,CACvC,CAAC;IACJ,CAAC;IAEO,YAAY,CAAC,EAAU;QAC7B,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACjC,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAC;QAExB,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC,SAAS,EAAE,CAAC;YACjC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;YACtB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,KAAK,CAAC,MAAM,CAAC;IACtB,CAAC;IAEO,UAAU,CAAC,EAAU,EAAE,MAAsC;QACnE,iEAAiE;QACjE,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,IAAI,IAAI,CAAC,YAAY,IAAI,IAAI,CAAC,mBAAmB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACnF,MAAM,QAAQ,GAAG,IAAI,CAAC,mBAAmB,CAAC,KAAK,EAAE,CAAC;YAClD,IAAI,QAAQ,EAAE,CAAC;gBACb,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;YAC9B,CAAC;QACH,CAAC;QAED,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,EAAE;YACjB,MAAM;YACN,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,QAAQ;SACtC,CAAC,CAAC;QACH,IAAI,CAAC,mBAAmB,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACpC,CAAC;IAED,UAAU;QACR,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;QACnB,IAAI,CAAC,mBAAmB,GAAG,EAAE,CAAC;IAChC,CAAC;IAED,eAAe,CAAC,EAAU;QACxB,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;QACtB,MAAM,GAAG,GAAG,IAAI,CAAC,mBAAmB,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;QACjD,IAAI,GAAG,KAAK,CAAC,CAAC,EAAE,CAAC;YACf,IAAI,CAAC,mBAAmB,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;QAC1C,CAAC;IACH,CAAC;CACF;AAED,MAAM,UAAU,wBAAwB,CAAC,OAKxC;IACC,OAAO,IAAI,4BAA4B,CAAC,OAAO,CAAC,CAAC;AACnD,CAAC"}
package/dist/errors.d.ts CHANGED
@@ -2,7 +2,7 @@
2
2
  * KYA-OS Canonical Error Codes
3
3
  *
4
4
  * Single source of truth for all wire-format error codes.
5
- * Aligned with the error catalog at modelcontextprotocol-identity.io.
5
+ * Aligned with the error catalog at kya-os.ai/mcp.
6
6
  *
7
7
  * Naming convention: snake_case, no protocol prefix.
8
8
  * Follows OAuth 2.0 / Stripe conventions for readability and portability.
@@ -19,6 +19,7 @@ export declare const KYA_OS_ERROR_CODES: {
19
19
  readonly invalid_request: "invalid_request";
20
20
  readonly needs_authorization: "needs_authorization";
21
21
  readonly insufficient_scope: "insufficient_scope";
22
+ readonly policy_denied: "policy_denied";
22
23
  readonly delegation_expired: "delegation_expired";
23
24
  readonly delegation_not_yet_valid: "delegation_not_yet_valid";
24
25
  readonly delegation_revoked: "delegation_revoked";
@@ -1 +1 @@
1
- {"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../src/errors.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,eAAO,MAAM,kBAAkB;;;;;;;;;;;;;;;;;;;;;;;;CAqCrB,CAAC;AAEX,MAAM,MAAM,cAAc,GACxB,CAAC,OAAO,kBAAkB,CAAC,CAAC,MAAM,OAAO,kBAAkB,CAAC,CAAC;AAE/D,MAAM,WAAW,kBAAkB;IACjC,IAAI,EAAE,cAAc,CAAC;IACrB,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACnC;AAED,wBAAgB,gBAAgB,CAC9B,IAAI,EAAE,cAAc,EACpB,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAChC,kBAAkB,CAEpB"}
1
+ {"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../src/errors.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,eAAO,MAAM,kBAAkB;;;;;;;;;;;;;;;;;;;;;;;;;CAsCrB,CAAC;AAEX,MAAM,MAAM,cAAc,GACxB,CAAC,OAAO,kBAAkB,CAAC,CAAC,MAAM,OAAO,kBAAkB,CAAC,CAAC;AAE/D,MAAM,WAAW,kBAAkB;IACjC,IAAI,EAAE,cAAc,CAAC;IACrB,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACnC;AAED,wBAAgB,gBAAgB,CAC9B,IAAI,EAAE,cAAc,EACpB,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAChC,kBAAkB,CAEpB"}
package/dist/errors.js CHANGED
@@ -2,7 +2,7 @@
2
2
  * KYA-OS Canonical Error Codes
3
3
  *
4
4
  * Single source of truth for all wire-format error codes.
5
- * Aligned with the error catalog at modelcontextprotocol-identity.io.
5
+ * Aligned with the error catalog at kya-os.ai/mcp.
6
6
  *
7
7
  * Naming convention: snake_case, no protocol prefix.
8
8
  * Follows OAuth 2.0 / Stripe conventions for readability and portability.
@@ -23,6 +23,7 @@ export const KYA_OS_ERROR_CODES = {
23
23
  // Delegation errors
24
24
  needs_authorization: "needs_authorization",
25
25
  insufficient_scope: "insufficient_scope",
26
+ policy_denied: "policy_denied",
26
27
  delegation_expired: "delegation_expired",
27
28
  delegation_not_yet_valid: "delegation_not_yet_valid",
28
29
  delegation_revoked: "delegation_revoked",
@@ -1 +1 @@
1
- {"version":3,"file":"errors.js","sourceRoot":"","sources":["../src/errors.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,MAAM,CAAC,MAAM,kBAAkB,GAAG;IAChC,eAAe;IACf,aAAa,EAAE,eAAe;IAC9B,WAAW,EAAE,aAAa;IAC1B,YAAY,EAAE,cAAc;IAC5B,cAAc,EAAE,gBAAgB;IAEhC,wBAAwB;IACxB,aAAa,EAAE,eAAe;IAC9B,kBAAkB,EAAE,oBAAoB;IAExC,6BAA6B;IAC7B,gBAAgB,EAAE,kBAAkB;IACpC,eAAe,EAAE,iBAAiB;IAClC,eAAe,EAAE,iBAAiB;IAElC,oBAAoB;IACpB,mBAAmB,EAAE,qBAAqB;IAC1C,kBAAkB,EAAE,oBAAoB;IACxC,kBAAkB,EAAE,oBAAoB;IACxC,wBAAwB,EAAE,0BAA0B;IACpD,kBAAkB,EAAE,oBAAoB;IACxC,kBAAkB,EAAE,oBAAoB;IACxC,eAAe,EAAE,iBAAiB;IAClC,mBAAmB,EAAE,qBAAqB;IAE1C,eAAe;IACf,aAAa,EAAE,eAAe;IAC9B,aAAa,EAAE,eAAe;IAE9B,kBAAkB;IAClB,cAAc,EAAE,gBAAgB;IAChC,YAAY,EAAE,cAAc;IAE5B,gBAAgB;IAChB,mBAAmB,EAAE,qBAAqB;IAC1C,aAAa,EAAE,eAAe;CACtB,CAAC;AAWX,MAAM,UAAU,gBAAgB,CAC9B,IAAoB,EACpB,OAAe,EACf,OAAiC;IAEjC,OAAO,OAAO,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;AAClE,CAAC"}
1
+ {"version":3,"file":"errors.js","sourceRoot":"","sources":["../src/errors.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,MAAM,CAAC,MAAM,kBAAkB,GAAG;IAChC,eAAe;IACf,aAAa,EAAE,eAAe;IAC9B,WAAW,EAAE,aAAa;IAC1B,YAAY,EAAE,cAAc;IAC5B,cAAc,EAAE,gBAAgB;IAEhC,wBAAwB;IACxB,aAAa,EAAE,eAAe;IAC9B,kBAAkB,EAAE,oBAAoB;IAExC,6BAA6B;IAC7B,gBAAgB,EAAE,kBAAkB;IACpC,eAAe,EAAE,iBAAiB;IAClC,eAAe,EAAE,iBAAiB;IAElC,oBAAoB;IACpB,mBAAmB,EAAE,qBAAqB;IAC1C,kBAAkB,EAAE,oBAAoB;IACxC,aAAa,EAAE,eAAe;IAC9B,kBAAkB,EAAE,oBAAoB;IACxC,wBAAwB,EAAE,0BAA0B;IACpD,kBAAkB,EAAE,oBAAoB;IACxC,kBAAkB,EAAE,oBAAoB;IACxC,eAAe,EAAE,iBAAiB;IAClC,mBAAmB,EAAE,qBAAqB;IAE1C,eAAe;IACf,aAAa,EAAE,eAAe;IAC9B,aAAa,EAAE,eAAe;IAE9B,kBAAkB;IAClB,cAAc,EAAE,gBAAgB;IAChC,YAAY,EAAE,cAAc;IAE5B,gBAAgB;IAChB,mBAAmB,EAAE,qBAAqB;IAC1C,aAAa,EAAE,eAAe;CACtB,CAAC;AAWX,MAAM,UAAU,gBAAgB,CAC9B,IAAoB,EACpB,OAAe,EACf,OAAiC;IAEjC,OAAO,OAAO,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;AAClE,CAAC"}
package/dist/index.d.ts CHANGED
@@ -4,7 +4,7 @@
4
4
  * Delegation, proof, and session for Model Context Protocol Identity.
5
5
  * This package is a DIF TAAWG protocol reference implementation.
6
6
  *
7
- * Related Spec: https://modelcontextprotocol-identity.io
7
+ * Related Spec: https://kya-os.ai/mcp
8
8
  *
9
9
  * ## Error handling strategy
10
10
  *
@@ -15,9 +15,9 @@
15
15
  * This ensures callers can always handle failures without try/catch on validation paths.
16
16
  */
17
17
  export { KYA_OS_ERROR_CODES, createKyaOsError, type KyaOsErrorCode, type KyaOsErrorResponse, } from './errors.js';
18
- export { base64urlEncodeFromBytes, base64urlDecodeToBytes, } from './utils/base64.js';
19
- export type { DelegationConstraints, DelegationRecord, DelegationCredential, DelegationStatus, CredentialStatus, StatusList2021Credential, Proof, HandshakeRequest, SessionContext, NonceCache, MCPClientInfo, MCPClientSessionInfo, SessionIdentityState, DetachedProof, ProofMeta, CanonicalHashes, AuditRecord, AuditContext, AuditEventContext, NeedsAuthorizationError, AuthorizationDisplay, CrispBudget, CrispScope, } from './types/protocol.js';
20
- export { wrapDelegationAsVC, extractDelegationFromVC, isDelegationCredentialExpired, isDelegationCredentialNotYetValid, validateDelegationCredential, validateDetachedProof, createNeedsAuthorizationError, isNeedsAuthorizationError, DELEGATION_CREDENTIAL_CONTEXT, DEFAULT_SESSION_TTL_MINUTES, DEFAULT_TIMESTAMP_SKEW_SECONDS, NONCE_LENGTH_BYTES, AUTH_NONCE_TTL_MS, ANON_NONCE_TTL_MS, type MetaPolicy, } from './types/protocol.js';
18
+ export { base64urlEncodeFromBytes, base64urlDecodeToBytes, bytesToBase64, base64ToBytes, } from './utils/base64.js';
19
+ export type { DelegationConstraints, DelegationRecord, DelegationCredential, DelegationStatus, CredentialStatus, StatusList2021Credential, Proof, HandshakeRequest, SessionContext, NonceCache, MCPClientInfo, MCPClientSessionInfo, SessionIdentityState, DetachedProof, ProofMeta, CanonicalHashes, AuditRecord, AuditContext, AuditEventContext, NeedsAuthorizationError, NeedsApprovalError, AuthorizationDisplay, CrispBudget, CrispScope, } from './types/protocol.js';
20
+ export { wrapDelegationAsVC, extractDelegationFromVC, isDelegationCredentialExpired, isDelegationCredentialNotYetValid, validateDelegationCredential, validateDetachedProof, createNeedsAuthorizationError, isNeedsAuthorizationError, createNeedsApprovalError, isNeedsApprovalError, DELEGATION_CREDENTIAL_CONTEXT, DEFAULT_SESSION_TTL_MINUTES, DEFAULT_TIMESTAMP_SKEW_SECONDS, NONCE_LENGTH_BYTES, AUTH_NONCE_TTL_MS, ANON_NONCE_TTL_MS, type MetaPolicy, } from './types/protocol.js';
21
21
  export { DelegationCredentialIssuer, createDelegationIssuer, type IssueDelegationOptions, type VCSigningFunction, type IdentityProvider as DelegationIdentityProvider, } from './delegation/vc-issuer.js';
22
22
  export { DelegationCredentialVerifier, createDelegationVerifier, type DelegationVCVerificationResult, type VerifyDelegationVCOptions, type DIDResolver, type DIDDocument, type VerificationMethod, type StatusListResolver, type SignatureVerificationFunction, } from './delegation/vc-verifier.js';
23
23
  export { DelegationGraphManager, createDelegationGraph, type DelegationNode, type DelegationGraphStorageProvider, } from './delegation/delegation-graph.js';
@@ -42,7 +42,12 @@ export { SessionManager, createHandshakeRequest, validateHandshakeFormat, type S
42
42
  export { CryptoProvider, ClockProvider, FetchProvider, StorageProvider, NonceCacheProvider, IdentityProvider, type Identity, type AgentIdentity, } from './providers/base.js';
43
43
  export { MemoryStorageProvider, MemoryNonceCacheProvider, MemoryIdentityProvider, } from './providers/memory.js';
44
44
  export { NodeCryptoProvider } from './providers/node-crypto.js';
45
+ export { SystemClockProvider } from './providers/system-clock.js';
46
+ export { RuntimeFetchProvider } from './providers/runtime-fetch.js';
47
+ export { AuditLogProvider, MemoryAuditLogProvider, NoopAuditLogProvider, buildAuditRecord, } from './providers/audit-log.js';
45
48
  export { createKyaOsMiddleware, type KyaOsConfig, type KyaOsDelegationConfig, type KyaOsIdentityConfig, type KyaOsMiddleware, type KyaOsToolDefinition, type KyaOsToolHandler, type KyaOsServer, withKyaOs, generateIdentity, type WithKyaOsOptions, } from './middleware/index.js';
49
+ export * from './policy/index.js';
50
+ export { matchScope, scopeSatisfies, type ScopeMatcher, type ScopeSatisfaction, } from './delegation/scope-matcher.js';
46
51
  export { logger, createDefaultConsoleLogger, type Logger, type Level, } from './logging/index.js';
47
52
  export { ED25519_PKCS8_DER_HEADER, ED25519_SPKI_DER_HEADER_LENGTH, ED25519_KEY_SIZE, } from './utils/index.js';
48
53
  //# sourceMappingURL=index.d.ts.map