@kya-os/mcp 1.3.2 → 1.4.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +198 -1
- package/dist/delegation/index.d.ts +2 -1
- package/dist/delegation/index.d.ts.map +1 -1
- package/dist/delegation/index.js +2 -1
- package/dist/delegation/index.js.map +1 -1
- package/dist/delegation/scope-matcher.d.ts +35 -0
- package/dist/delegation/scope-matcher.d.ts.map +1 -0
- package/dist/delegation/scope-matcher.js +83 -0
- package/dist/delegation/scope-matcher.js.map +1 -0
- package/dist/delegation/vc-verifier.d.ts +1 -11
- package/dist/delegation/vc-verifier.d.ts.map +1 -1
- package/dist/delegation/vc-verifier.js +5 -19
- package/dist/delegation/vc-verifier.js.map +1 -1
- package/dist/errors.d.ts +1 -0
- package/dist/errors.d.ts.map +1 -1
- package/dist/errors.js +1 -0
- package/dist/errors.js.map +1 -1
- package/dist/index.d.ts +8 -3
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +9 -3
- package/dist/index.js.map +1 -1
- package/dist/middleware/with-kya-os.d.ts +88 -31
- package/dist/middleware/with-kya-os.d.ts.map +1 -1
- package/dist/middleware/with-kya-os.js +327 -88
- package/dist/middleware/with-kya-os.js.map +1 -1
- package/dist/policy/approval.d.ts +34 -0
- package/dist/policy/approval.d.ts.map +1 -0
- package/dist/policy/approval.js +29 -0
- package/dist/policy/approval.js.map +1 -0
- package/dist/policy/classifier.d.ts +38 -0
- package/dist/policy/classifier.d.ts.map +1 -0
- package/dist/policy/classifier.js +97 -0
- package/dist/policy/classifier.js.map +1 -0
- package/dist/policy/default-engine.d.ts +24 -0
- package/dist/policy/default-engine.d.ts.map +1 -0
- package/dist/policy/default-engine.js +41 -0
- package/dist/policy/default-engine.js.map +1 -0
- package/dist/policy/engine.d.ts +12 -0
- package/dist/policy/engine.d.ts.map +1 -0
- package/dist/policy/engine.js +2 -0
- package/dist/policy/engine.js.map +1 -0
- package/dist/policy/index.d.ts +6 -0
- package/dist/policy/index.d.ts.map +1 -0
- package/dist/policy/index.js +6 -0
- package/dist/policy/index.js.map +1 -0
- package/dist/policy/types.d.ts +52 -0
- package/dist/policy/types.d.ts.map +1 -0
- package/dist/policy/types.js +10 -0
- package/dist/policy/types.js.map +1 -0
- package/dist/proof/errors.d.ts +1 -0
- package/dist/proof/errors.d.ts.map +1 -1
- package/dist/proof/errors.js +4 -0
- package/dist/proof/errors.js.map +1 -1
- package/dist/proof/generator.d.ts +28 -4
- package/dist/proof/generator.d.ts.map +1 -1
- package/dist/proof/generator.js +48 -20
- package/dist/proof/generator.js.map +1 -1
- package/dist/proof/verifier.d.ts +32 -3
- package/dist/proof/verifier.d.ts.map +1 -1
- package/dist/proof/verifier.js +85 -6
- package/dist/proof/verifier.js.map +1 -1
- package/dist/providers/audit-log.d.ts +62 -0
- package/dist/providers/audit-log.d.ts.map +1 -0
- package/dist/providers/audit-log.js +75 -0
- package/dist/providers/audit-log.js.map +1 -0
- package/dist/providers/index.d.ts +3 -0
- package/dist/providers/index.d.ts.map +1 -1
- package/dist/providers/index.js +3 -0
- package/dist/providers/index.js.map +1 -1
- package/dist/providers/runtime-fetch.d.ts +73 -0
- package/dist/providers/runtime-fetch.d.ts.map +1 -0
- package/dist/providers/runtime-fetch.js +169 -0
- package/dist/providers/runtime-fetch.js.map +1 -0
- package/dist/providers/system-clock.d.ts +39 -0
- package/dist/providers/system-clock.d.ts.map +1 -0
- package/dist/providers/system-clock.js +49 -0
- package/dist/providers/system-clock.js.map +1 -0
- package/dist/types/protocol.d.ts +38 -3
- package/dist/types/protocol.d.ts.map +1 -1
- package/dist/types/protocol.js +44 -9
- package/dist/types/protocol.js.map +1 -1
- package/package.json +4 -2
- package/schemas/README.md +1 -1
- package/schemas/delegation-credential.json +2 -2
- package/schemas/detached-proof.json +12 -3
- package/schemas/handshake-request.json +1 -1
- package/schemas/handshake-response.json +1 -1
- package/schemas/well-known-mcpi.json +1 -1
package/CHANGELOG.md
CHANGED
|
@@ -5,7 +5,204 @@ All notable changes to @kya-os/mcp will be documented here.
|
|
|
5
5
|
Format: https://keepachangelog.com/en/1.0.0/
|
|
6
6
|
Versioning: https://semver.org/spec/v2.0.0.html
|
|
7
7
|
|
|
8
|
-
## [
|
|
8
|
+
## [1.4.0] - 2026-05-31
|
|
9
|
+
|
|
10
|
+
Ports the KYA-OS authorization primitives developed upstream (xmcp-i) into
|
|
11
|
+
`@kya-os/mcp`: a per-action policy / step-up gate, scope-matcher enforcement,
|
|
12
|
+
signed `needs_authorization` challenges with verifier content binding, and
|
|
13
|
+
shipped runtime providers. Additive over 1.3.x except where noted under
|
|
14
|
+
**Changed** and **Removed**.
|
|
15
|
+
|
|
16
|
+
### Added
|
|
17
|
+
|
|
18
|
+
- **Signed `needs_authorization` challenge.** The delegation challenge returned
|
|
19
|
+
when a protected tool is invoked without a credential now carries a signed
|
|
20
|
+
detached-JWS proof in `_meta` (`outcome: 'needs_authorization'`). The proof
|
|
21
|
+
binds a `responseHash` over the challenge content — including the
|
|
22
|
+
`authorizationUrl`. A verifier that recomputes the response hash over the
|
|
23
|
+
content it received — via the new `ProofVerifier` content binding (below) —
|
|
24
|
+
detects a tampered / MITM-swapped consent URL; the signature alone proves
|
|
25
|
+
authenticity, not content-match. The challenge content/shape is unchanged; attachment
|
|
26
|
+
is best-effort (no-ops when no session can be resolved). The proof `outcome`
|
|
27
|
+
enum widened to include `'needs_authorization'` across `ProofMeta`,
|
|
28
|
+
`ProofOptions`, `validateDetachedProof`, and the `detached-proof` JSON Schema.
|
|
29
|
+
Success proofs are byte-identical (unaffected).
|
|
30
|
+
- **`wrapWithDelegation` `formatChallenge` hook.** An optional config callback
|
|
31
|
+
that renders the `needs_authorization` challenge content (e.g. a clickable
|
|
32
|
+
markdown consent link for LLM / chat-style MCP clients) **before** the proof is
|
|
33
|
+
signed — so the challenge `responseHash` binds exactly what the client
|
|
34
|
+
receives, keeping the `authorizationUrl` tamper-evident regardless of
|
|
35
|
+
presentation. Defaults to the structured JSON challenge. The consent-basic /
|
|
36
|
+
consent-full examples now render their consent link via this hook instead of
|
|
37
|
+
rewriting the response after signing (which had left the proof bound to stale
|
|
38
|
+
content).
|
|
39
|
+
- **`ProofVerifier` content binding.** `verifyProof(proof, jwk, { request, response })`
|
|
40
|
+
recomputes `requestHash`/`responseHash` over the request/response the verifier
|
|
41
|
+
actually received — via a shared `computeCanonicalHashes` (single source of
|
|
42
|
+
truth with the signer, so they can't drift) — and fails `CONTENT_BINDING_MISMATCH`
|
|
43
|
+
on divergence. This is what realizes substitution detection (the signed
|
|
44
|
+
challenge's anti-MITM, and content-binding for any proof); the signature alone
|
|
45
|
+
proves only authenticity. New `CONTENT_BINDING_MISMATCH` proof-verification
|
|
46
|
+
error code.
|
|
47
|
+
- **Concrete `SystemClockProvider` + `RuntimeFetchProvider`.** The package now
|
|
48
|
+
ships a wall-clock `ClockProvider` and a network-capable `FetchProvider`
|
|
49
|
+
(did:key resolved locally, did:web over HTTPS, StatusList2021 fetch) so a
|
|
50
|
+
consumer no longer hand-rolls them to drive `ProofVerifier`. `RuntimeFetchProvider`
|
|
51
|
+
is the default the middleware uses and replaces the prior internal stub (whose
|
|
52
|
+
`resolveDID` returned `null`); it refuses private-network targets by default
|
|
53
|
+
(see **Security**). The verify-proof / anti-MITM examples now consume both.
|
|
54
|
+
- **Per-action policy / step-up gate (`withPolicyGate`).** A new opt-in
|
|
55
|
+
middleware wrapper that classifies an action's risk (reversibility, blast
|
|
56
|
+
radius, severity) and consults a pluggable Policy-as-Code `PolicyEngine`:
|
|
57
|
+
`allow` runs the handler, `deny` returns a `policy_denied` error, and
|
|
58
|
+
`step_up` returns a `needs_approval` error until N-of-M signed `ApprovalGrant`s
|
|
59
|
+
— each bound to the request hash (TOCTOU-safe) — are supplied. Ships a
|
|
60
|
+
fail-closed `DefaultPolicyEngine` and a built-in `RiskClassifier`; OPA/Rego and
|
|
61
|
+
Cedar adapters are intended follow-ups. Composes after `wrapWithDelegation`;
|
|
62
|
+
no behavior change unless adopted.
|
|
63
|
+
- **`PolicyEngine` PaC port + `policy/` subsystem** (`PolicyRequest`,
|
|
64
|
+
`PolicyDecision`, `RiskClassifier`, `DefaultPolicyEngine`, `ApprovalGrant`,
|
|
65
|
+
`verifyApprovalQuorum`), exported from the package root.
|
|
66
|
+
- **`needs_approval` error** (`NeedsApprovalError`, `createNeedsApprovalError`,
|
|
67
|
+
`isNeedsApprovalError`) and the `policy_denied` error code.
|
|
68
|
+
- **`bytesToBase64` / `base64ToBytes`** are now re-exported from the package root
|
|
69
|
+
(standard-base64 byte helpers, alongside the existing base64url variants).
|
|
70
|
+
- **`AuditLogProvider` — pluggable sink for audit-record retention.** A new
|
|
71
|
+
provider (abstract base + `MemoryAuditLogProvider` / `NoopAuditLogProvider`
|
|
72
|
+
defaults, exported from the root and `./providers`) for persisting the frozen
|
|
73
|
+
`audit.v1` record of each verified tool call. Wire it via `KyaOsConfig.auditLog`
|
|
74
|
+
(default: no-op); `createKyaOsMiddleware` emits a record after each proofed
|
|
75
|
+
call, and a sink failure never breaks the tool response. `buildAuditRecord(ctx)`
|
|
76
|
+
exposes the context→record mapping. Records carry only DID/key id, session,
|
|
77
|
+
audience, scope, request/response hashes, and the verification result — never
|
|
78
|
+
key material or nonces. The storage backend is operator-provided (durable,
|
|
79
|
+
append-only); the package stays storage-agnostic, like the other providers.
|
|
80
|
+
- **Delegation scope on audit records.** Delegation-protected tools record the
|
|
81
|
+
scope they were authorized under: `wrapWithDelegation` threads its `scopeId`
|
|
82
|
+
through a new optional `KyaOsCallContext` (3rd handler argument) into the proof
|
|
83
|
+
meta, so the audit record's `scope` reflects it (was `'-'`). The argument is
|
|
84
|
+
optional and backward-compatible; tool handlers that ignore it are unaffected.
|
|
85
|
+
|
|
86
|
+
### Changed
|
|
87
|
+
|
|
88
|
+
- **`ProofMeta.responseHash` is now optional** (`string | undefined`). Denial /
|
|
89
|
+
step-up proofs carry no response, so code reading `responseHash` must treat it
|
|
90
|
+
as possibly-absent. `validateDetachedProof` and the `detached-proof` JSON
|
|
91
|
+
Schema no longer require it (and now permit `outcome`/`reason`).
|
|
92
|
+
- **`CrispScope` `prefix`/`regex` matchers are now enforced** (previously inert —
|
|
93
|
+
only exact membership in the flat `scopes[]` was checked). A credential
|
|
94
|
+
declaring a non-exact matcher now grants its pattern set, with ReDoS-safe regex
|
|
95
|
+
evaluation; flat `scopes[]` remain exact-match (unchanged). **Behavioral
|
|
96
|
+
change** for any credential that declared a `prefix`/`regex` matcher: it now
|
|
97
|
+
grants where it previously granted nothing, and a one-time warning is logged on
|
|
98
|
+
first non-exact use. Re-delegations may not introduce crisp matchers absent
|
|
99
|
+
from the parent.
|
|
100
|
+
- **`withPolicyGate`'s `scopeMatched` defaults to `false`** (fail-closed): compose
|
|
101
|
+
it after `wrapWithDelegation` and pass `scopeMatched: true`, or it denies.
|
|
102
|
+
`withPolicyGate` is an optional member of the `KyaOsMiddleware` interface
|
|
103
|
+
(additive; structural implementers/mocks are not broken). New in this release,
|
|
104
|
+
so no prior consumer is affected.
|
|
105
|
+
- **Bundled examples now consume the built `@kya-os/mcp` package** rather than
|
|
106
|
+
reaching into `src/` via relative paths. Nested example packages (consent-basic,
|
|
107
|
+
consent-full, context7, brave-search) link the local build via `file:../..`;
|
|
108
|
+
root-tree examples (node-server, verify-proof, outbound-delegation, statuslist)
|
|
109
|
+
resolve it by package self-reference. Fixes the context7 example, which had
|
|
110
|
+
pinned a stale published `@kya-os/mcp@^1.3.0` (pre-`withKyaOs` rename).
|
|
111
|
+
|
|
112
|
+
### Spec
|
|
113
|
+
|
|
114
|
+
- **§4.2 — normative MUST on key generation.** An agent's key pair MUST be
|
|
115
|
+
generated by the agent or its designated custodian; the secret key MUST NOT be
|
|
116
|
+
generated by, transmitted to, or escrowed with any registration, DID,
|
|
117
|
+
directory, or reputation service (which receive only the public key). Carves
|
|
118
|
+
out agent-side proxy/HSM custody (§11.0). Closes the key-escrow / IBE-style
|
|
119
|
+
concern where a directory service implicitly holds agents' secret keys.
|
|
120
|
+
- **§6.6 — revocation needs no global list.** Clarified that a verifier checks
|
|
121
|
+
revocation only for the resources it gates and MAY hold revocation state
|
|
122
|
+
locally; `StatusList2021` is the interoperable publish format, not a required
|
|
123
|
+
public certificate-revocation list.
|
|
124
|
+
- **§11.0 — "L2+ is not OAuth-style client registration."** Direct (Level 2+)
|
|
125
|
+
verification still gates on the presented delegation chain, not the agent's
|
|
126
|
+
identity alone — inverting the OAuth Dynamic Client Registration pattern.
|
|
127
|
+
- **§12.5 — per-delegation keys (delegate unlinkability).** Non-normative
|
|
128
|
+
pattern: delegate to a fresh one-off public key per delegation to prevent
|
|
129
|
+
cross-delegation correlation through a shared subject DID.
|
|
130
|
+
- **§2 — reputation scope.** The Responsible Party definition now states that
|
|
131
|
+
reputation and accountability signals are scoped primarily to the Responsible
|
|
132
|
+
Party, not an agent's ephemeral identity.
|
|
133
|
+
- **Terminology.** Standardized on _secret key_ (synonymous with _private key_,
|
|
134
|
+
retained in PKCS#8 / JWK references); fixed the one residual _private key_
|
|
135
|
+
usage in §7.
|
|
136
|
+
|
|
137
|
+
### Security
|
|
138
|
+
|
|
139
|
+
- **Malformed delegation input no longer crashes.** A malformed `_kyaos_delegation`
|
|
140
|
+
(non-object, missing `credentialSubject.delegation`, or even a throwing
|
|
141
|
+
getter/Proxy accessor) previously surfaced as a JSON-RPC internal error (`-32603`);
|
|
142
|
+
it now returns a clean, signed `delegation_invalid` denial. `validateDelegationChain`
|
|
143
|
+
shape-checks the leaf and returns `{ valid, reason }` (honouring the
|
|
144
|
+
`verify*`/`validate*` never-throw contract); `extractDelegationFromVC` fails
|
|
145
|
+
with a clear error instead of a cryptic `TypeError`; the middleware try/catch is
|
|
146
|
+
now a pure backstop that logs the detail server-side and returns a generic
|
|
147
|
+
reason (no internal/stack detail leaks to the client). The invalid-VC-JWT path
|
|
148
|
+
is now signed as well.
|
|
149
|
+
- **Log-injection / reflection hardening.** Caller-derived values (credential
|
|
150
|
+
ids, scopes) interpolated into delegation-failure reasons and logs are now
|
|
151
|
+
stripped of control characters and length-capped before emission, so a hostile
|
|
152
|
+
credential cannot forge log lines, corrupt a terminal, or reflect raw control
|
|
153
|
+
bytes into a client response.
|
|
154
|
+
- **`RuntimeFetchProvider` refuses private-network targets by default (SSRF).**
|
|
155
|
+
did:web resolution and StatusList2021 fetches reject loopback / link-local /
|
|
156
|
+
RFC-1918 IP-literal hosts (e.g. `did:web:169.254.169.254`, the cloud-metadata
|
|
157
|
+
endpoint) unless constructed with `{ allowPrivateNetworkHosts: true }`. This
|
|
158
|
+
is best-effort defense-in-depth for IP literals — not DNS rebinding; run
|
|
159
|
+
verifiers behind an egress allowlist (`SECURITY.md`).
|
|
160
|
+
- **Signed proofs are now emitted on denial and step-up.** Delegation/scope
|
|
161
|
+
denials and policy step-ups previously produced no proof; they now attach a
|
|
162
|
+
signed detached-JWS proof (`outcome: 'denied' | 'step_up_required'`, no
|
|
163
|
+
`responseHash`), so rejected privileged attempts are non-repudiably auditable.
|
|
164
|
+
- **Fail-closed policy default.** Unclassified ("unknown") high-risk actions are
|
|
165
|
+
denied by the `DefaultPolicyEngine` rather than forwarded.
|
|
166
|
+
- **Denial/step-up proofs are verifiable end-to-end.** `validateDetachedProof`
|
|
167
|
+
and `ProofVerifier` accept response-less proofs (the earlier fix only corrected
|
|
168
|
+
canonical-payload reconstruction); added a real-crypto end-to-end test.
|
|
169
|
+
- **Crisp-scope attenuation.** Re-delegations cannot widen authority via crisp
|
|
170
|
+
matchers absent from the parent — closes a privilege-escalation path that
|
|
171
|
+
enforcing the matcher would otherwise have opened.
|
|
172
|
+
- **ReDoS hardening.** The `regex` matcher rejects nested-quantifier patterns and
|
|
173
|
+
bounds input length. This is a conservative guard, **not** a guarantee — prefer
|
|
174
|
+
`exact`/`prefix` for untrusted issuers, or evaluate via a linear-time engine.
|
|
175
|
+
The `prefix` matcher refuses an empty/`*`-only base (no universal grant).
|
|
176
|
+
|
|
177
|
+
### Removed
|
|
178
|
+
|
|
179
|
+
- **BREAKING: removed the three unsafe delegation opt-outs.** The
|
|
180
|
+
secure-by-default behavior they bypassed is now unconditional and cannot be
|
|
181
|
+
disabled:
|
|
182
|
+
- `delegation.requireAudienceOnRedelegation` — audience binding on every
|
|
183
|
+
non-root credential in a chain is now mandatory (`SPEC.md` §11.6).
|
|
184
|
+
- `delegation.allowLegacyUnsafeDelegation` — full delegation-chain resolution
|
|
185
|
+
and `credentialStatus` / StatusList revocation checks are always enforced;
|
|
186
|
+
parent-linked credentials without a `resolveDelegationChain` handler, and
|
|
187
|
+
`credentialStatus` without a `statusListResolver`, are rejected.
|
|
188
|
+
- `VerifyDelegationVCOptions.allowNonDelegationSubjectFields` — the
|
|
189
|
+
`credentialSubject` shape check (only `id` + `delegation`) is always
|
|
190
|
+
enforced (`SPEC.md` §6.2; conformance L3.5a).
|
|
191
|
+
|
|
192
|
+
The associated one-time `console.warn` notices are removed along with the
|
|
193
|
+
flags. Migration guidance: `SECURITY.md` → Mandatory Delegation Protections.
|
|
194
|
+
Consumers that did not set these flags are unaffected — the reference issuer
|
|
195
|
+
and all bundled examples already emit conformant credentials.
|
|
196
|
+
|
|
197
|
+
### Known limitations (policy gate — experimental, non-normative)
|
|
198
|
+
|
|
199
|
+
- Step-up approval grants are **not yet single-use or expiry-bound** (replayable
|
|
200
|
+
for the same action); a server-issued single-use challenge is a planned follow-up.
|
|
201
|
+
- The default approval-signature verifier **rejects all** — integrators must supply
|
|
202
|
+
a real verifier; `isValidApprovalSignature: async () => true` is test-only.
|
|
203
|
+
- `policy_denied` / `needs_approval`, the step-up flow, and the now-normative
|
|
204
|
+
`CrispScope` matcher semantics are **not yet documented in `SPEC.md` /
|
|
205
|
+
`CONFORMANCE.md`** (tracked as follow-ups).
|
|
9
206
|
|
|
10
207
|
## [1.3.2] - 2026-05-26
|
|
11
208
|
|
|
@@ -14,8 +14,9 @@ export * from './utils.js';
|
|
|
14
14
|
export * from './outbound-proof.js';
|
|
15
15
|
export * from './outbound-headers.js';
|
|
16
16
|
export * from './audience-validator.js';
|
|
17
|
+
export * from './scope-matcher.js';
|
|
17
18
|
export { createDidKeyResolver, resolveDidKeySync, isEd25519DidKey, extractPublicKeyFromDidKey, publicKeyToJwk, } from './did-key-resolver.js';
|
|
18
|
-
export { DidWebResolver, createDidWebResolver, isDidWeb, parseDidWeb, didWebToUrl, } from './did-web-resolver.js';
|
|
19
|
+
export { DidWebResolver, createDidWebResolver, isDidWeb, parseDidWeb, didWebToUrl, buildDidWebDocument, } from './did-web-resolver.js';
|
|
19
20
|
export { MemoryStatusListStorage } from './storage/memory-statuslist-storage.js';
|
|
20
21
|
export { MemoryDelegationGraphStorage } from './storage/memory-graph-storage.js';
|
|
21
22
|
//# sourceMappingURL=index.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/delegation/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,cAAc,gBAAgB,CAAC;AAC/B,cAAc,kBAAkB,CAAC;AACjC,cAAc,gBAAgB,CAAC;AAC/B,cAAc,yBAAyB,CAAC;AACxC,cAAc,uBAAuB,CAAC;AACtC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,YAAY,CAAC;AAC3B,cAAc,qBAAqB,CAAC;AACpC,cAAc,uBAAuB,CAAC;AACtC,cAAc,yBAAyB,CAAC;AACxC,OAAO,EACL,oBAAoB,EACpB,iBAAiB,EACjB,eAAe,EACf,0BAA0B,EAC1B,cAAc,GACf,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACL,cAAc,EACd,oBAAoB,EACpB,QAAQ,EACR,WAAW,EACX,WAAW,
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/delegation/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,cAAc,gBAAgB,CAAC;AAC/B,cAAc,kBAAkB,CAAC;AACjC,cAAc,gBAAgB,CAAC;AAC/B,cAAc,yBAAyB,CAAC;AACxC,cAAc,uBAAuB,CAAC;AACtC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,YAAY,CAAC;AAC3B,cAAc,qBAAqB,CAAC;AACpC,cAAc,uBAAuB,CAAC;AACtC,cAAc,yBAAyB,CAAC;AACxC,cAAc,oBAAoB,CAAC;AACnC,OAAO,EACL,oBAAoB,EACpB,iBAAiB,EACjB,eAAe,EACf,0BAA0B,EAC1B,cAAc,GACf,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACL,cAAc,EACd,oBAAoB,EACpB,QAAQ,EACR,WAAW,EACX,WAAW,EACX,mBAAmB,GACpB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,uBAAuB,EAAE,MAAM,wCAAwC,CAAC;AACjF,OAAO,EAAE,4BAA4B,EAAE,MAAM,mCAAmC,CAAC"}
|
package/dist/delegation/index.js
CHANGED
|
@@ -14,8 +14,9 @@ export * from './utils.js';
|
|
|
14
14
|
export * from './outbound-proof.js';
|
|
15
15
|
export * from './outbound-headers.js';
|
|
16
16
|
export * from './audience-validator.js';
|
|
17
|
+
export * from './scope-matcher.js';
|
|
17
18
|
export { createDidKeyResolver, resolveDidKeySync, isEd25519DidKey, extractPublicKeyFromDidKey, publicKeyToJwk, } from './did-key-resolver.js';
|
|
18
|
-
export { DidWebResolver, createDidWebResolver, isDidWeb, parseDidWeb, didWebToUrl, } from './did-web-resolver.js';
|
|
19
|
+
export { DidWebResolver, createDidWebResolver, isDidWeb, parseDidWeb, didWebToUrl, buildDidWebDocument, } from './did-web-resolver.js';
|
|
19
20
|
export { MemoryStatusListStorage } from './storage/memory-statuslist-storage.js';
|
|
20
21
|
export { MemoryDelegationGraphStorage } from './storage/memory-graph-storage.js';
|
|
21
22
|
//# sourceMappingURL=index.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/delegation/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,cAAc,gBAAgB,CAAC;AAC/B,cAAc,kBAAkB,CAAC;AACjC,cAAc,gBAAgB,CAAC;AAC/B,cAAc,yBAAyB,CAAC;AACxC,cAAc,uBAAuB,CAAC;AACtC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,YAAY,CAAC;AAC3B,cAAc,qBAAqB,CAAC;AACpC,cAAc,uBAAuB,CAAC;AACtC,cAAc,yBAAyB,CAAC;AACxC,OAAO,EACL,oBAAoB,EACpB,iBAAiB,EACjB,eAAe,EACf,0BAA0B,EAC1B,cAAc,GACf,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACL,cAAc,EACd,oBAAoB,EACpB,QAAQ,EACR,WAAW,EACX,WAAW,
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/delegation/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,cAAc,gBAAgB,CAAC;AAC/B,cAAc,kBAAkB,CAAC;AACjC,cAAc,gBAAgB,CAAC;AAC/B,cAAc,yBAAyB,CAAC;AACxC,cAAc,uBAAuB,CAAC;AACtC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,YAAY,CAAC;AAC3B,cAAc,qBAAqB,CAAC;AACpC,cAAc,uBAAuB,CAAC;AACtC,cAAc,yBAAyB,CAAC;AACxC,cAAc,oBAAoB,CAAC;AACnC,OAAO,EACL,oBAAoB,EACpB,iBAAiB,EACjB,eAAe,EACf,0BAA0B,EAC1B,cAAc,GACf,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACL,cAAc,EACd,oBAAoB,EACpB,QAAQ,EACR,WAAW,EACX,WAAW,EACX,mBAAmB,GACpB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,uBAAuB,EAAE,MAAM,wCAAwC,CAAC;AACjF,OAAO,EAAE,4BAA4B,EAAE,MAAM,mCAAmC,CAAC"}
|
|
@@ -0,0 +1,35 @@
|
|
|
1
|
+
import type { DelegationCredential } from '../types/protocol.js';
|
|
2
|
+
export type ScopeMatcher = 'exact' | 'prefix' | 'regex';
|
|
3
|
+
/**
|
|
4
|
+
* Match a single requested scope/resource value against a pattern by matcher kind.
|
|
5
|
+
*
|
|
6
|
+
* - `exact` : strict string equality.
|
|
7
|
+
* - `prefix` : value starts with the pattern (a single trailing `*` is optional sugar).
|
|
8
|
+
* An empty base ('' or lone '*') matches nothing — it will NOT grant
|
|
9
|
+
* universal scope.
|
|
10
|
+
* - `regex` : anchored full-string match; never throws (invalid patterns → false).
|
|
11
|
+
*
|
|
12
|
+
* SECURITY: the regex pattern is supplied by the credential ISSUER. JS `RegExp`
|
|
13
|
+
* is not linear-time, so this guards against the common catastrophic-backtracking
|
|
14
|
+
* shapes (nested quantifiers) and bounds input length — but it is a conservative
|
|
15
|
+
* mitigation, not a guarantee. Deployments accepting `regex` matchers from
|
|
16
|
+
* untrusted issuers should prefer `exact`/`prefix` or evaluate via a linear-time
|
|
17
|
+
* engine (e.g. RE2).
|
|
18
|
+
*/
|
|
19
|
+
export declare function matchScope(pattern: string, matcher: ScopeMatcher, value: string): boolean;
|
|
20
|
+
export interface ScopeSatisfaction {
|
|
21
|
+
satisfied: boolean;
|
|
22
|
+
/**
|
|
23
|
+
* True when satisfaction came via a non-exact (prefix|regex) CrispScope matcher.
|
|
24
|
+
* Callers should surface a warning — non-exact matchers widen effective authority.
|
|
25
|
+
*/
|
|
26
|
+
usedNonExactMatcher: boolean;
|
|
27
|
+
}
|
|
28
|
+
/**
|
|
29
|
+
* Decide whether a required scope id is satisfied by a credential.
|
|
30
|
+
*
|
|
31
|
+
* Flat `scopes[]` are matched EXACTLY (backwards-compatible). The opt-in
|
|
32
|
+
* `constraints.crisp.scopes[]` entries are honored per their declared matcher.
|
|
33
|
+
*/
|
|
34
|
+
export declare function scopeSatisfies(requiredScopeId: string, credential: DelegationCredential): ScopeSatisfaction;
|
|
35
|
+
//# sourceMappingURL=scope-matcher.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"scope-matcher.d.ts","sourceRoot":"","sources":["../../src/delegation/scope-matcher.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,oBAAoB,EAAc,MAAM,sBAAsB,CAAC;AAY7E,MAAM,MAAM,YAAY,GAAG,OAAO,GAAG,QAAQ,GAAG,OAAO,CAAC;AAExD;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,UAAU,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,YAAY,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAsBzF;AAkBD,MAAM,WAAW,iBAAiB;IAChC,SAAS,EAAE,OAAO,CAAC;IACnB;;;OAGG;IACH,mBAAmB,EAAE,OAAO,CAAC;CAC9B;AAED;;;;;GAKG;AACH,wBAAgB,cAAc,CAC5B,eAAe,EAAE,MAAM,EACvB,UAAU,EAAE,oBAAoB,GAC/B,iBAAiB,CAUnB"}
|
|
@@ -0,0 +1,83 @@
|
|
|
1
|
+
const MAX_REGEX_LEN = 256;
|
|
2
|
+
const MAX_VALUE_LEN = 256;
|
|
3
|
+
/**
|
|
4
|
+
* Conservative detector for the classic catastrophic-backtracking shape — a
|
|
5
|
+
* quantified group whose body also contains a quantifier, e.g. `(a+)+`, `(a*)*`,
|
|
6
|
+
* `(.{1,9})+`. This is a heuristic reject, NOT a proof of safety.
|
|
7
|
+
*/
|
|
8
|
+
const NESTED_QUANTIFIER = /\([^()]*[+*?{][^()]*\)\s*[+*{]/;
|
|
9
|
+
/**
|
|
10
|
+
* Match a single requested scope/resource value against a pattern by matcher kind.
|
|
11
|
+
*
|
|
12
|
+
* - `exact` : strict string equality.
|
|
13
|
+
* - `prefix` : value starts with the pattern (a single trailing `*` is optional sugar).
|
|
14
|
+
* An empty base ('' or lone '*') matches nothing — it will NOT grant
|
|
15
|
+
* universal scope.
|
|
16
|
+
* - `regex` : anchored full-string match; never throws (invalid patterns → false).
|
|
17
|
+
*
|
|
18
|
+
* SECURITY: the regex pattern is supplied by the credential ISSUER. JS `RegExp`
|
|
19
|
+
* is not linear-time, so this guards against the common catastrophic-backtracking
|
|
20
|
+
* shapes (nested quantifiers) and bounds input length — but it is a conservative
|
|
21
|
+
* mitigation, not a guarantee. Deployments accepting `regex` matchers from
|
|
22
|
+
* untrusted issuers should prefer `exact`/`prefix` or evaluate via a linear-time
|
|
23
|
+
* engine (e.g. RE2).
|
|
24
|
+
*/
|
|
25
|
+
export function matchScope(pattern, matcher, value) {
|
|
26
|
+
switch (matcher) {
|
|
27
|
+
case 'exact':
|
|
28
|
+
return pattern === value;
|
|
29
|
+
case 'prefix': {
|
|
30
|
+
const base = pattern.endsWith('*') ? pattern.slice(0, -1) : pattern;
|
|
31
|
+
// Refuse to grant universal scope via an empty/`*`-only prefix.
|
|
32
|
+
if (base.length === 0)
|
|
33
|
+
return false;
|
|
34
|
+
return value.startsWith(base);
|
|
35
|
+
}
|
|
36
|
+
case 'regex': {
|
|
37
|
+
if (pattern.length > MAX_REGEX_LEN || value.length > MAX_VALUE_LEN)
|
|
38
|
+
return false;
|
|
39
|
+
if (NESTED_QUANTIFIER.test(pattern))
|
|
40
|
+
return false;
|
|
41
|
+
try {
|
|
42
|
+
return new RegExp(`^(?:${pattern})$`).test(value);
|
|
43
|
+
}
|
|
44
|
+
catch {
|
|
45
|
+
return false;
|
|
46
|
+
}
|
|
47
|
+
}
|
|
48
|
+
default:
|
|
49
|
+
return false;
|
|
50
|
+
}
|
|
51
|
+
}
|
|
52
|
+
/**
|
|
53
|
+
* Flat exact-match scope set: delegation.scopes ∪ constraints.scopes.
|
|
54
|
+
* Null-safe by design: scopeSatisfies is a public, never-throw predicate, so a
|
|
55
|
+
* structurally malformed credential (missing constraints) yields an empty set
|
|
56
|
+
* rather than a TypeError.
|
|
57
|
+
*/
|
|
58
|
+
function flatScopes(credential) {
|
|
59
|
+
const d = credential?.credentialSubject?.delegation;
|
|
60
|
+
return [...(d?.scopes ?? []), ...(d?.constraints?.scopes ?? [])];
|
|
61
|
+
}
|
|
62
|
+
/** Opt-in CrispScope[] entries (constraints.crisp.scopes), if any. Null-safe. */
|
|
63
|
+
function crispScopes(credential) {
|
|
64
|
+
return credential?.credentialSubject?.delegation?.constraints?.crisp?.scopes ?? [];
|
|
65
|
+
}
|
|
66
|
+
/**
|
|
67
|
+
* Decide whether a required scope id is satisfied by a credential.
|
|
68
|
+
*
|
|
69
|
+
* Flat `scopes[]` are matched EXACTLY (backwards-compatible). The opt-in
|
|
70
|
+
* `constraints.crisp.scopes[]` entries are honored per their declared matcher.
|
|
71
|
+
*/
|
|
72
|
+
export function scopeSatisfies(requiredScopeId, credential) {
|
|
73
|
+
if (flatScopes(credential).includes(requiredScopeId)) {
|
|
74
|
+
return { satisfied: true, usedNonExactMatcher: false };
|
|
75
|
+
}
|
|
76
|
+
for (const cs of crispScopes(credential)) {
|
|
77
|
+
if (matchScope(cs.resource, cs.matcher, requiredScopeId)) {
|
|
78
|
+
return { satisfied: true, usedNonExactMatcher: cs.matcher !== 'exact' };
|
|
79
|
+
}
|
|
80
|
+
}
|
|
81
|
+
return { satisfied: false, usedNonExactMatcher: false };
|
|
82
|
+
}
|
|
83
|
+
//# sourceMappingURL=scope-matcher.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"scope-matcher.js","sourceRoot":"","sources":["../../src/delegation/scope-matcher.ts"],"names":[],"mappings":"AAEA,MAAM,aAAa,GAAG,GAAG,CAAC;AAC1B,MAAM,aAAa,GAAG,GAAG,CAAC;AAE1B;;;;GAIG;AACH,MAAM,iBAAiB,GAAG,gCAAgC,CAAC;AAI3D;;;;;;;;;;;;;;;GAeG;AACH,MAAM,UAAU,UAAU,CAAC,OAAe,EAAE,OAAqB,EAAE,KAAa;IAC9E,QAAQ,OAAO,EAAE,CAAC;QAChB,KAAK,OAAO;YACV,OAAO,OAAO,KAAK,KAAK,CAAC;QAC3B,KAAK,QAAQ,CAAC,CAAC,CAAC;YACd,MAAM,IAAI,GAAG,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC;YACpE,gEAAgE;YAChE,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;gBAAE,OAAO,KAAK,CAAC;YACpC,OAAO,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;QAChC,CAAC;QACD,KAAK,OAAO,CAAC,CAAC,CAAC;YACb,IAAI,OAAO,CAAC,MAAM,GAAG,aAAa,IAAI,KAAK,CAAC,MAAM,GAAG,aAAa;gBAAE,OAAO,KAAK,CAAC;YACjF,IAAI,iBAAiB,CAAC,IAAI,CAAC,OAAO,CAAC;gBAAE,OAAO,KAAK,CAAC;YAClD,IAAI,CAAC;gBACH,OAAO,IAAI,MAAM,CAAC,OAAO,OAAO,IAAI,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACpD,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QACD;YACE,OAAO,KAAK,CAAC;IACjB,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,SAAS,UAAU,CAAC,UAAgC;IAClD,MAAM,CAAC,GAAG,UAAU,EAAE,iBAAiB,EAAE,UAAU,CAAC;IACpD,OAAO,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,IAAI,EAAE,CAAC,EAAE,GAAG,CAAC,CAAC,EAAE,WAAW,EAAE,MAAM,IAAI,EAAE,CAAC,CAAC,CAAC;AACnE,CAAC;AAED,iFAAiF;AACjF,SAAS,WAAW,CAAC,UAAgC;IACnD,OAAO,UAAU,EAAE,iBAAiB,EAAE,UAAU,EAAE,WAAW,EAAE,KAAK,EAAE,MAAM,IAAI,EAAE,CAAC;AACrF,CAAC;AAWD;;;;;GAKG;AACH,MAAM,UAAU,cAAc,CAC5B,eAAuB,EACvB,UAAgC;IAEhC,IAAI,UAAU,CAAC,UAAU,CAAC,CAAC,QAAQ,CAAC,eAAe,CAAC,EAAE,CAAC;QACrD,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,mBAAmB,EAAE,KAAK,EAAE,CAAC;IACzD,CAAC;IACD,KAAK,MAAM,EAAE,IAAI,WAAW,CAAC,UAAU,CAAC,EAAE,CAAC;QACzC,IAAI,UAAU,CAAC,EAAE,CAAC,QAAQ,EAAE,EAAE,CAAC,OAAO,EAAE,eAAe,CAAC,EAAE,CAAC;YACzD,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,mBAAmB,EAAE,EAAE,CAAC,OAAO,KAAK,OAAO,EAAE,CAAC;QAC1E,CAAC;IACH,CAAC;IACD,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,mBAAmB,EAAE,KAAK,EAAE,CAAC;AAC1D,CAAC"}
|
|
@@ -34,15 +34,6 @@ export interface VerifyDelegationVCOptions {
|
|
|
34
34
|
skipStatus?: boolean;
|
|
35
35
|
didResolver?: DIDResolver;
|
|
36
36
|
statusListResolver?: StatusListResolver;
|
|
37
|
-
/**
|
|
38
|
-
* Accept a delegation credential whose `credentialSubject` carries properties
|
|
39
|
-
* beyond `id` and `delegation` (e.g. claim-bearing fields). UNSAFE: mixing
|
|
40
|
-
* claim semantics into a permission credential separates designation from
|
|
41
|
-
* authorization — the root of the confused-deputy class (KYA-OS §11.6).
|
|
42
|
-
* Defaults to `false` (strict). When `true`, the verifier emits a one-time
|
|
43
|
-
* per-process warning and accepts the credential.
|
|
44
|
-
*/
|
|
45
|
-
allowNonDelegationSubjectFields?: boolean;
|
|
46
37
|
}
|
|
47
38
|
export interface DIDResolver {
|
|
48
39
|
resolve(did: string): Promise<DIDDocument | null>;
|
|
@@ -109,8 +100,7 @@ export declare class DelegationCredentialVerifier {
|
|
|
109
100
|
* Reject a delegation credential whose `credentialSubject` carries properties
|
|
110
101
|
* other than `id` and `delegation`. Claim-bearing fields in a permission
|
|
111
102
|
* credential separate designation from authorization — the confused-deputy
|
|
112
|
-
* class (KYA-OS §11.6).
|
|
113
|
-
* one-time per-process warning.
|
|
103
|
+
* class (KYA-OS §11.6). Unconditional as of 1.4.0.
|
|
114
104
|
*/
|
|
115
105
|
private validateSubjectShape;
|
|
116
106
|
private verifySignature;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"vc-verifier.d.ts","sourceRoot":"","sources":["../../src/delegation/vc-verifier.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EACV,oBAAoB,EACpB,gBAAgB,EACjB,MAAM,sBAAsB,CAAC;
|
|
1
|
+
{"version":3,"file":"vc-verifier.d.ts","sourceRoot":"","sources":["../../src/delegation/vc-verifier.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EACV,oBAAoB,EACpB,gBAAgB,EACjB,MAAM,sBAAsB,CAAC;AAc9B,MAAM,WAAW,8BAA8B;IAC7C,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,OAAO,GAAG,WAAW,GAAG,QAAQ,GAAG,UAAU,CAAC;IACrD,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,OAAO,CAAC,EAAE;QACR,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,gBAAgB,CAAC,EAAE,MAAM,CAAC;QAC1B,aAAa,CAAC,EAAE,MAAM,CAAC;QACvB,OAAO,EAAE,MAAM,CAAC;KACjB,CAAC;IACF,MAAM,CAAC,EAAE;QACP,UAAU,CAAC,EAAE,OAAO,CAAC;QACrB,cAAc,CAAC,EAAE,OAAO,CAAC;QACzB,WAAW,CAAC,EAAE,OAAO,CAAC;KACvB,CAAC;CACH;AAED,MAAM,WAAW,yBAAyB;IACxC,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,WAAW,CAAC,EAAE,WAAW,CAAC;IAC1B,kBAAkB,CAAC,EAAE,kBAAkB,CAAC;CACzC;AAED,MAAM,WAAW,WAAW;IAC1B,OAAO,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;CACnD;AAED,MAAM,WAAW,WAAW;IAC1B,UAAU,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAC/B,EAAE,EAAE,MAAM,CAAC;IACX,kBAAkB,CAAC,EAAE,kBAAkB,EAAE,CAAC;IAC1C,cAAc,CAAC,EAAE,CAAC,MAAM,GAAG,kBAAkB,CAAC,EAAE,CAAC;IACjD,eAAe,CAAC,EAAE,CAAC,MAAM,GAAG,kBAAkB,CAAC,EAAE,CAAC;CACnD;AAED,MAAM,WAAW,kBAAkB;IACjC,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC7B;AAED,MAAM,WAAW,kBAAkB;IACjC,WAAW,CAAC,MAAM,EAAE,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;CACzD;AAED,MAAM,WAAW,6BAA6B;IAC5C,CACE,EAAE,EAAE,oBAAoB,EACxB,YAAY,EAAE,OAAO,GACpB,OAAO,CAAC;QACT,KAAK,EAAE,OAAO,CAAC;QACf,MAAM,CAAC,EAAE,MAAM,CAAC;KACjB,CAAC,CAAC;CACJ;AAED,qBAAa,4BAA4B;IACvC,OAAO,CAAC,WAAW,CAAC,CAAc;IAClC,OAAO,CAAC,kBAAkB,CAAC,CAAqB;IAChD,OAAO,CAAC,iBAAiB,CAAC,CAAgC;IAC1D,OAAO,CAAC,KAAK,CAGT;IACJ,OAAO,CAAC,mBAAmB,CAAgB;IAC3C,OAAO,CAAC,QAAQ,CAAS;IACzB;;;;OAIG;IACH,OAAO,CAAC,YAAY,CAAS;gBAEjB,OAAO,CAAC,EAAE;QACpB,WAAW,CAAC,EAAE,WAAW,CAAC;QAC1B,kBAAkB,CAAC,EAAE,kBAAkB,CAAC;QACxC,iBAAiB,CAAC,EAAE,6BAA6B,CAAC;QAClD,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,2CAA2C;QAC3C,YAAY,CAAC,EAAE,MAAM,CAAC;KACvB;IAQD;;;;;;;;;;OAUG;IACG,0BAA0B,CAC9B,EAAE,EAAE,oBAAoB,EACxB,OAAO,GAAE,yBAA8B,GACtC,OAAO,CAAC,8BAA8B,CAAC;IA6F1C,OAAO,CAAC,uBAAuB;IA4C/B;;;;;OAKG;IACH,OAAO,CAAC,oBAAoB;YAoBd,eAAe;YAkFf,qBAAqB;IAuCnC,OAAO,CAAC,sBAAsB;IAS9B,OAAO,CAAC,YAAY;IAYpB,OAAO,CAAC,UAAU;IAgBlB,UAAU,IAAI,IAAI;IAKlB,eAAe,CAAC,EAAE,EAAE,MAAM,GAAG,IAAI;CAOlC;AAED,wBAAgB,wBAAwB,CAAC,OAAO,CAAC,EAAE;IACjD,WAAW,CAAC,EAAE,WAAW,CAAC;IAC1B,kBAAkB,CAAC,EAAE,kBAAkB,CAAC;IACxC,iBAAiB,CAAC,EAAE,6BAA6B,CAAC;IAClD,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,GAAG,4BAA4B,CAE/B"}
|
|
@@ -17,10 +17,6 @@ import { isDelegationCredentialExpired, isDelegationCredentialNotYetValid, valid
|
|
|
17
17
|
* permission credential must not smuggle claims (KYA-OS §11.6).
|
|
18
18
|
*/
|
|
19
19
|
const DELEGATION_SUBJECT_KEYS = ["id", "delegation"];
|
|
20
|
-
// Module-level warn-once flag for the unsafe opt-out in validateSubjectShape.
|
|
21
|
-
// Per-process, mirroring the convention in middleware/with-kya-os.ts so
|
|
22
|
-
// operators see a single log line rather than one per verification.
|
|
23
|
-
let warnedNonDelegationSubjectFields = false;
|
|
24
20
|
export class DelegationCredentialVerifier {
|
|
25
21
|
didResolver;
|
|
26
22
|
statusListResolver;
|
|
@@ -61,7 +57,7 @@ export class DelegationCredentialVerifier {
|
|
|
61
57
|
}
|
|
62
58
|
}
|
|
63
59
|
const basicCheckStart = Date.now();
|
|
64
|
-
const basicValidation = this.validateBasicProperties(vc
|
|
60
|
+
const basicValidation = this.validateBasicProperties(vc);
|
|
65
61
|
const basicCheckMs = Date.now() - basicCheckStart;
|
|
66
62
|
if (!basicValidation.valid) {
|
|
67
63
|
const result = {
|
|
@@ -120,7 +116,7 @@ export class DelegationCredentialVerifier {
|
|
|
120
116
|
}
|
|
121
117
|
return result;
|
|
122
118
|
}
|
|
123
|
-
validateBasicProperties(vc
|
|
119
|
+
validateBasicProperties(vc) {
|
|
124
120
|
const schemaValidation = validateDelegationCredential(vc);
|
|
125
121
|
if (!schemaValidation.success) {
|
|
126
122
|
return {
|
|
@@ -147,7 +143,7 @@ export class DelegationCredentialVerifier {
|
|
|
147
143
|
if (!vc.proof) {
|
|
148
144
|
return { valid: false, reason: "Missing proof" };
|
|
149
145
|
}
|
|
150
|
-
const subjectShape = this.validateSubjectShape(vc
|
|
146
|
+
const subjectShape = this.validateSubjectShape(vc);
|
|
151
147
|
if (!subjectShape.valid) {
|
|
152
148
|
return subjectShape;
|
|
153
149
|
}
|
|
@@ -157,23 +153,13 @@ export class DelegationCredentialVerifier {
|
|
|
157
153
|
* Reject a delegation credential whose `credentialSubject` carries properties
|
|
158
154
|
* other than `id` and `delegation`. Claim-bearing fields in a permission
|
|
159
155
|
* credential separate designation from authorization — the confused-deputy
|
|
160
|
-
* class (KYA-OS §11.6).
|
|
161
|
-
* one-time per-process warning.
|
|
156
|
+
* class (KYA-OS §11.6). Unconditional as of 1.4.0.
|
|
162
157
|
*/
|
|
163
|
-
validateSubjectShape(vc
|
|
158
|
+
validateSubjectShape(vc) {
|
|
164
159
|
const extraneous = Object.keys(vc.credentialSubject).filter((key) => !DELEGATION_SUBJECT_KEYS.includes(key));
|
|
165
160
|
if (extraneous.length === 0) {
|
|
166
161
|
return { valid: true };
|
|
167
162
|
}
|
|
168
|
-
if (options.allowNonDelegationSubjectFields) {
|
|
169
|
-
if (!warnedNonDelegationSubjectFields) {
|
|
170
|
-
warnedNonDelegationSubjectFields = true;
|
|
171
|
-
console.warn(`[DelegationCredentialVerifier] allowNonDelegationSubjectFields is enabled — ` +
|
|
172
|
-
`accepting credentialSubject with non-delegation field(s): ${extraneous.join(", ")}. ` +
|
|
173
|
-
`Claim-bearing fields in a permission credential are a confused-deputy risk (KYA-OS §11.6).`);
|
|
174
|
-
}
|
|
175
|
-
return { valid: true };
|
|
176
|
-
}
|
|
177
163
|
return {
|
|
178
164
|
valid: false,
|
|
179
165
|
reason: `credentialSubject contains non-delegation field(s): ${extraneous.join(", ")}. ` +
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"vc-verifier.js","sourceRoot":"","sources":["../../src/delegation/vc-verifier.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAMH,OAAO,EACL,6BAA6B,EAC7B,iCAAiC,EACjC,4BAA4B,GAC7B,MAAM,sBAAsB,CAAC;AAE9B;;;;GAIG;AACH,MAAM,uBAAuB,GAAsB,CAAC,IAAI,EAAE,YAAY,CAAC,CAAC;
|
|
1
|
+
{"version":3,"file":"vc-verifier.js","sourceRoot":"","sources":["../../src/delegation/vc-verifier.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAMH,OAAO,EACL,6BAA6B,EAC7B,iCAAiC,EACjC,4BAA4B,GAC7B,MAAM,sBAAsB,CAAC;AAE9B;;;;GAIG;AACH,MAAM,uBAAuB,GAAsB,CAAC,IAAI,EAAE,YAAY,CAAC,CAAC;AA+DxE,MAAM,OAAO,4BAA4B;IAC/B,WAAW,CAAe;IAC1B,kBAAkB,CAAsB;IACxC,iBAAiB,CAAiC;IAClD,KAAK,GAAG,IAAI,GAAG,EAGpB,CAAC;IACI,mBAAmB,GAAa,EAAE,CAAC;IACnC,QAAQ,CAAS;IACzB;;;;OAIG;IACK,YAAY,CAAS;IAE7B,YAAY,OAOX;QACC,IAAI,CAAC,WAAW,GAAG,OAAO,EAAE,WAAW,CAAC;QACxC,IAAI,CAAC,kBAAkB,GAAG,OAAO,EAAE,kBAAkB,CAAC;QACtD,IAAI,CAAC,iBAAiB,GAAG,OAAO,EAAE,iBAAiB,CAAC;QACpD,IAAI,CAAC,QAAQ,GAAG,OAAO,EAAE,QAAQ,IAAI,MAAM,CAAC;QAC5C,IAAI,CAAC,YAAY,GAAG,OAAO,EAAE,YAAY,IAAI,IAAI,CAAC;IACpD,CAAC;IAED;;;;;;;;;;OAUG;IACH,KAAK,CAAC,0BAA0B,CAC9B,EAAwB,EACxB,UAAqC,EAAE;QAEvC,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAE7B,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,CAAC;YACvB,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC;YAC9C,IAAI,MAAM,EAAE,CAAC;gBACX,OAAO,EAAE,GAAG,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;YACrC,CAAC;QACH,CAAC;QAED,MAAM,eAAe,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACnC,MAAM,eAAe,GAAG,IAAI,CAAC,uBAAuB,CAAC,EAAE,CAAC,CAAC;QACzD,MAAM,YAAY,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,eAAe,CAAC;QAElD,IAAI,CAAC,eAAe,CAAC,KAAK,EAAE,CAAC;YAC3B,MAAM,MAAM,GAAmC;gBAC7C,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,eAAe,CAAC,MAAM;gBAC9B,KAAK,EAAE,OAAO;gBACd,OAAO,EAAE;oBACP,YAAY;oBACZ,OAAO,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;iBAChC;gBACD,MAAM,EAAE;oBACN,UAAU,EAAE,KAAK;iBAClB;aACF,CAAC;YACF,OAAO,MAAM,CAAC;QAChB,CAAC;QAED,MAAM,gBAAgB,GAAG,CAAC,OAAO,CAAC,aAAa;YAC7C,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,EAAE,EAAE,OAAO,CAAC,WAAW,IAAI,IAAI,CAAC,WAAW,CAAC;YACnE,CAAC,CAAC,OAAO,CAAC,OAAO,CAIZ;gBACD,KAAK,EAAE,IAAI;gBACX,UAAU,EAAE,CAAC;aACd,CAAC,CAAC;QAEP,MAAM,aAAa,GACjB,CAAC,OAAO,CAAC,UAAU,IAAI,EAAE,CAAC,gBAAgB;YACxC,CAAC,CAAC,IAAI,CAAC,qBAAqB,CACxB,EAAE,CAAC,gBAAgB,EACnB,OAAO,CAAC,kBAAkB,IAAI,IAAI,CAAC,kBAAkB,CACtD;YACH,CAAC,CAAC,OAAO,CAAC,OAAO,CAIZ;gBACD,KAAK,EAAE,IAAI;gBACX,UAAU,EAAE,CAAC;aACd,CAAC,CAAC;QAET,MAAM,CAAC,eAAe,EAAE,YAAY,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;YACxD,gBAAgB;YAChB,aAAa;SACd,CAAC,CAAC;QAEH,MAAM,gBAAgB,GAAG,eAAe,CAAC,UAAU,IAAI,CAAC,CAAC;QACzD,MAAM,aAAa,GAAG,YAAY,CAAC,UAAU,IAAI,CAAC,CAAC;QAEnD,MAAM,QAAQ,GACZ,eAAe,CAAC,KAAK,IAAI,eAAe,CAAC,KAAK,IAAI,YAAY,CAAC,KAAK,CAAC;QAEvE,MAAM,MAAM,GAAmC;YAC7C,KAAK,EAAE,QAAQ;YACf,MAAM,EAAE,CAAC,QAAQ;gBACf,CAAC,CAAC,eAAe,CAAC,MAAM,IAAI,YAAY,CAAC,MAAM,IAAI,iBAAiB;gBACpE,CAAC,CAAC,SAAS;YACb,KAAK,EAAE,UAAU;YACjB,OAAO,EAAE;gBACP,YAAY;gBACZ,gBAAgB;gBAChB,aAAa;gBACb,OAAO,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;aAChC;YACD,MAAM,EAAE;gBACN,UAAU,EAAE,eAAe,CAAC,KAAK;gBACjC,cAAc,EAAE,eAAe,CAAC,KAAK;gBACrC,WAAW,EAAE,YAAY,CAAC,KAAK;aAChC;SACF,CAAC;QAEF,IAAI,MAAM,CAAC,KAAK,IAAI,EAAE,CAAC,EAAE,EAAE,CAAC;YAC1B,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC;QACjC,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAEO,uBAAuB,CAAC,EAAwB;QAItD,MAAM,gBAAgB,GAAG,4BAA4B,CAAC,EAAE,CAAC,CAAC;QAC1D,IAAI,CAAC,gBAAgB,CAAC,OAAO,EAAE,CAAC;YAC9B,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,6BAA6B,gBAAgB,CAAC,KAAK,EAAE,OAAO,EAAE;aACvE,CAAC;QACJ,CAAC;QAED,IAAI,6BAA6B,CAAC,EAAE,CAAC,EAAE,CAAC;YACtC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,+BAA+B,EAAE,CAAC;QACnE,CAAC;QAED,IAAI,iCAAiC,CAAC,EAAE,CAAC,EAAE,CAAC;YAC1C,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,qCAAqC,EAAE,CAAC;QACzE,CAAC;QAED,MAAM,UAAU,GAAG,EAAE,CAAC,iBAAiB,CAAC,UAAU,CAAC;QACnD,IAAI,UAAU,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;YACpC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,8BAA8B,EAAE,CAAC;QAClE,CAAC;QACD,IAAI,UAAU,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;YACpC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,8BAA8B,EAAE,CAAC;QAClE,CAAC;QAED,IAAI,CAAC,UAAU,CAAC,SAAS,IAAI,CAAC,UAAU,CAAC,UAAU,EAAE,CAAC;YACpD,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,+BAA+B,EAAE,CAAC;QACnE,CAAC;QAED,IAAI,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;YACd,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;QACnD,CAAC;QAED,MAAM,YAAY,GAAG,IAAI,CAAC,oBAAoB,CAAC,EAAE,CAAC,CAAC;QACnD,IAAI,CAAC,YAAY,CAAC,KAAK,EAAE,CAAC;YACxB,OAAO,YAAY,CAAC;QACtB,CAAC;QAED,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;IACzB,CAAC;IAED;;;;;OAKG;IACK,oBAAoB,CAAC,EAAwB;QAInD,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,iBAAiB,CAAC,CAAC,MAAM,CACzD,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,uBAAuB,CAAC,QAAQ,CAAC,GAAG,CAAC,CAChD,CAAC;QAEF,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC5B,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;QACzB,CAAC;QAED,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,MAAM,EACJ,uDAAuD,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI;gBAChF,sFAAsF;SACzF,CAAC;IACJ,CAAC;IAEO,KAAK,CAAC,eAAe,CAC3B,EAAwB,EACxB,WAAyB;QAEzB,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAE7B,IAAI,CAAC;YACH,MAAM,SAAS,GACb,OAAO,EAAE,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC;YAE3D,IAAI,CAAC,WAAW,IAAI,CAAC,IAAI,CAAC,iBAAiB,EAAE,CAAC;gBAC5C,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,MAAM,EACJ,iFAAiF;oBACnF,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;iBACnC,CAAC;YACJ,CAAC;YAED,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;YACpD,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,MAAM,EAAE,iCAAiC,SAAS,EAAE;oBACpD,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;iBACnC,CAAC;YACJ,CAAC;YAED,IAAI,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;gBACd,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,MAAM,EAAE,kBAAkB;oBAC1B,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;iBACnC,CAAC;YACJ,CAAC;YAED,MAAM,oBAAoB,GAAG,EAAE,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAC;YAC5D,IAAI,CAAC,oBAAoB,EAAE,CAAC;gBAC1B,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,MAAM,EAAE,kCAAkC;oBAC1C,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;iBACnC,CAAC;YACJ,CAAC;YAED,MAAM,kBAAkB,GAAG,IAAI,CAAC,sBAAsB,CACpD,MAAM,EACN,oBAA8B,CAC/B,CAAC;YACF,IAAI,CAAC,kBAAkB,EAAE,CAAC;gBACxB,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,MAAM,EAAE,uBAAuB,oBAAoB,YAAY;oBAC/D,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;iBACnC,CAAC;YACJ,CAAC;YAED,MAAM,YAAY,GAAG,kBAAkB,CAAC,YAAY,CAAC;YACrD,IAAI,CAAC,YAAY,EAAE,CAAC;gBAClB,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,MAAM,EAAE,0CAA0C;oBAClD,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;iBACnC,CAAC;YACJ,CAAC;YAED,MAAM,kBAAkB,GAAG,MAAM,IAAI,CAAC,iBAAiB,CAAC,EAAE,EAAE,YAAY,CAAC,CAAC;YAE1E,OAAO;gBACL,KAAK,EAAE,kBAAkB,CAAC,KAAK;gBAC/B,MAAM,EAAE,kBAAkB,CAAC,MAAM;gBACjC,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;aACnC,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,iCAAiC,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,EAAE;gBACnG,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;aACnC,CAAC;QACJ,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,qBAAqB,CACjC,MAAwB,EACxB,kBAAuC;QAEvC,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAE7B,IAAI,CAAC;YACH,IAAI,CAAC,kBAAkB,EAAE,CAAC;gBACxB,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,MAAM,EACJ,6GAA6G;oBAC/G,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;iBACnC,CAAC;YACJ,CAAC;YAED,MAAM,SAAS,GAAG,MAAM,kBAAkB,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;YAE/D,IAAI,SAAS,EAAE,CAAC;gBACd,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,MAAM,EAAE,0CAA0C,MAAM,CAAC,aAAa,GAAG;oBACzE,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;iBACnC,CAAC;YACJ,CAAC;YAED,OAAO;gBACL,KAAK,EAAE,IAAI;gBACX,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;aACnC,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,uBAAuB,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,EAAE;gBACzF,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;aACnC,CAAC;QACJ,CAAC;IACH,CAAC;IAEO,sBAAsB,CAC5B,MAAmB,EACnB,oBAA4B;QAE5B,OAAO,MAAM,CAAC,kBAAkB,EAAE,IAAI,CACpC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,EAAE,KAAK,oBAAoB,CACvC,CAAC;IACJ,CAAC;IAEO,YAAY,CAAC,EAAU;QAC7B,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACjC,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAC;QAExB,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC,SAAS,EAAE,CAAC;YACjC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;YACtB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,KAAK,CAAC,MAAM,CAAC;IACtB,CAAC;IAEO,UAAU,CAAC,EAAU,EAAE,MAAsC;QACnE,iEAAiE;QACjE,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,IAAI,IAAI,CAAC,YAAY,IAAI,IAAI,CAAC,mBAAmB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACnF,MAAM,QAAQ,GAAG,IAAI,CAAC,mBAAmB,CAAC,KAAK,EAAE,CAAC;YAClD,IAAI,QAAQ,EAAE,CAAC;gBACb,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;YAC9B,CAAC;QACH,CAAC;QAED,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,EAAE;YACjB,MAAM;YACN,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,QAAQ;SACtC,CAAC,CAAC;QACH,IAAI,CAAC,mBAAmB,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACpC,CAAC;IAED,UAAU;QACR,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;QACnB,IAAI,CAAC,mBAAmB,GAAG,EAAE,CAAC;IAChC,CAAC;IAED,eAAe,CAAC,EAAU;QACxB,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;QACtB,MAAM,GAAG,GAAG,IAAI,CAAC,mBAAmB,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;QACjD,IAAI,GAAG,KAAK,CAAC,CAAC,EAAE,CAAC;YACf,IAAI,CAAC,mBAAmB,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;QAC1C,CAAC;IACH,CAAC;CACF;AAED,MAAM,UAAU,wBAAwB,CAAC,OAKxC;IACC,OAAO,IAAI,4BAA4B,CAAC,OAAO,CAAC,CAAC;AACnD,CAAC"}
|
package/dist/errors.d.ts
CHANGED
|
@@ -19,6 +19,7 @@ export declare const KYA_OS_ERROR_CODES: {
|
|
|
19
19
|
readonly invalid_request: "invalid_request";
|
|
20
20
|
readonly needs_authorization: "needs_authorization";
|
|
21
21
|
readonly insufficient_scope: "insufficient_scope";
|
|
22
|
+
readonly policy_denied: "policy_denied";
|
|
22
23
|
readonly delegation_expired: "delegation_expired";
|
|
23
24
|
readonly delegation_not_yet_valid: "delegation_not_yet_valid";
|
|
24
25
|
readonly delegation_revoked: "delegation_revoked";
|
package/dist/errors.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../src/errors.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,eAAO,MAAM,kBAAkB
|
|
1
|
+
{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../src/errors.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,eAAO,MAAM,kBAAkB;;;;;;;;;;;;;;;;;;;;;;;;;CAsCrB,CAAC;AAEX,MAAM,MAAM,cAAc,GACxB,CAAC,OAAO,kBAAkB,CAAC,CAAC,MAAM,OAAO,kBAAkB,CAAC,CAAC;AAE/D,MAAM,WAAW,kBAAkB;IACjC,IAAI,EAAE,cAAc,CAAC;IACrB,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACnC;AAED,wBAAgB,gBAAgB,CAC9B,IAAI,EAAE,cAAc,EACpB,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAChC,kBAAkB,CAEpB"}
|
package/dist/errors.js
CHANGED
|
@@ -23,6 +23,7 @@ export const KYA_OS_ERROR_CODES = {
|
|
|
23
23
|
// Delegation errors
|
|
24
24
|
needs_authorization: "needs_authorization",
|
|
25
25
|
insufficient_scope: "insufficient_scope",
|
|
26
|
+
policy_denied: "policy_denied",
|
|
26
27
|
delegation_expired: "delegation_expired",
|
|
27
28
|
delegation_not_yet_valid: "delegation_not_yet_valid",
|
|
28
29
|
delegation_revoked: "delegation_revoked",
|
package/dist/errors.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"errors.js","sourceRoot":"","sources":["../src/errors.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,MAAM,CAAC,MAAM,kBAAkB,GAAG;IAChC,eAAe;IACf,aAAa,EAAE,eAAe;IAC9B,WAAW,EAAE,aAAa;IAC1B,YAAY,EAAE,cAAc;IAC5B,cAAc,EAAE,gBAAgB;IAEhC,wBAAwB;IACxB,aAAa,EAAE,eAAe;IAC9B,kBAAkB,EAAE,oBAAoB;IAExC,6BAA6B;IAC7B,gBAAgB,EAAE,kBAAkB;IACpC,eAAe,EAAE,iBAAiB;IAClC,eAAe,EAAE,iBAAiB;IAElC,oBAAoB;IACpB,mBAAmB,EAAE,qBAAqB;IAC1C,kBAAkB,EAAE,oBAAoB;IACxC,kBAAkB,EAAE,oBAAoB;IACxC,wBAAwB,EAAE,0BAA0B;IACpD,kBAAkB,EAAE,oBAAoB;IACxC,kBAAkB,EAAE,oBAAoB;IACxC,eAAe,EAAE,iBAAiB;IAClC,mBAAmB,EAAE,qBAAqB;IAE1C,eAAe;IACf,aAAa,EAAE,eAAe;IAC9B,aAAa,EAAE,eAAe;IAE9B,kBAAkB;IAClB,cAAc,EAAE,gBAAgB;IAChC,YAAY,EAAE,cAAc;IAE5B,gBAAgB;IAChB,mBAAmB,EAAE,qBAAqB;IAC1C,aAAa,EAAE,eAAe;CACtB,CAAC;AAWX,MAAM,UAAU,gBAAgB,CAC9B,IAAoB,EACpB,OAAe,EACf,OAAiC;IAEjC,OAAO,OAAO,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;AAClE,CAAC"}
|
|
1
|
+
{"version":3,"file":"errors.js","sourceRoot":"","sources":["../src/errors.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,MAAM,CAAC,MAAM,kBAAkB,GAAG;IAChC,eAAe;IACf,aAAa,EAAE,eAAe;IAC9B,WAAW,EAAE,aAAa;IAC1B,YAAY,EAAE,cAAc;IAC5B,cAAc,EAAE,gBAAgB;IAEhC,wBAAwB;IACxB,aAAa,EAAE,eAAe;IAC9B,kBAAkB,EAAE,oBAAoB;IAExC,6BAA6B;IAC7B,gBAAgB,EAAE,kBAAkB;IACpC,eAAe,EAAE,iBAAiB;IAClC,eAAe,EAAE,iBAAiB;IAElC,oBAAoB;IACpB,mBAAmB,EAAE,qBAAqB;IAC1C,kBAAkB,EAAE,oBAAoB;IACxC,aAAa,EAAE,eAAe;IAC9B,kBAAkB,EAAE,oBAAoB;IACxC,wBAAwB,EAAE,0BAA0B;IACpD,kBAAkB,EAAE,oBAAoB;IACxC,kBAAkB,EAAE,oBAAoB;IACxC,eAAe,EAAE,iBAAiB;IAClC,mBAAmB,EAAE,qBAAqB;IAE1C,eAAe;IACf,aAAa,EAAE,eAAe;IAC9B,aAAa,EAAE,eAAe;IAE9B,kBAAkB;IAClB,cAAc,EAAE,gBAAgB;IAChC,YAAY,EAAE,cAAc;IAE5B,gBAAgB;IAChB,mBAAmB,EAAE,qBAAqB;IAC1C,aAAa,EAAE,eAAe;CACtB,CAAC;AAWX,MAAM,UAAU,gBAAgB,CAC9B,IAAoB,EACpB,OAAe,EACf,OAAiC;IAEjC,OAAO,OAAO,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;AAClE,CAAC"}
|
package/dist/index.d.ts
CHANGED
|
@@ -15,9 +15,9 @@
|
|
|
15
15
|
* This ensures callers can always handle failures without try/catch on validation paths.
|
|
16
16
|
*/
|
|
17
17
|
export { KYA_OS_ERROR_CODES, createKyaOsError, type KyaOsErrorCode, type KyaOsErrorResponse, } from './errors.js';
|
|
18
|
-
export { base64urlEncodeFromBytes, base64urlDecodeToBytes, } from './utils/base64.js';
|
|
19
|
-
export type { DelegationConstraints, DelegationRecord, DelegationCredential, DelegationStatus, CredentialStatus, StatusList2021Credential, Proof, HandshakeRequest, SessionContext, NonceCache, MCPClientInfo, MCPClientSessionInfo, SessionIdentityState, DetachedProof, ProofMeta, CanonicalHashes, AuditRecord, AuditContext, AuditEventContext, NeedsAuthorizationError, AuthorizationDisplay, CrispBudget, CrispScope, } from './types/protocol.js';
|
|
20
|
-
export { wrapDelegationAsVC, extractDelegationFromVC, isDelegationCredentialExpired, isDelegationCredentialNotYetValid, validateDelegationCredential, validateDetachedProof, createNeedsAuthorizationError, isNeedsAuthorizationError, DELEGATION_CREDENTIAL_CONTEXT, DEFAULT_SESSION_TTL_MINUTES, DEFAULT_TIMESTAMP_SKEW_SECONDS, NONCE_LENGTH_BYTES, AUTH_NONCE_TTL_MS, ANON_NONCE_TTL_MS, type MetaPolicy, } from './types/protocol.js';
|
|
18
|
+
export { base64urlEncodeFromBytes, base64urlDecodeToBytes, bytesToBase64, base64ToBytes, } from './utils/base64.js';
|
|
19
|
+
export type { DelegationConstraints, DelegationRecord, DelegationCredential, DelegationStatus, CredentialStatus, StatusList2021Credential, Proof, HandshakeRequest, SessionContext, NonceCache, MCPClientInfo, MCPClientSessionInfo, SessionIdentityState, DetachedProof, ProofMeta, CanonicalHashes, AuditRecord, AuditContext, AuditEventContext, NeedsAuthorizationError, NeedsApprovalError, AuthorizationDisplay, CrispBudget, CrispScope, } from './types/protocol.js';
|
|
20
|
+
export { wrapDelegationAsVC, extractDelegationFromVC, isDelegationCredentialExpired, isDelegationCredentialNotYetValid, validateDelegationCredential, validateDetachedProof, createNeedsAuthorizationError, isNeedsAuthorizationError, createNeedsApprovalError, isNeedsApprovalError, DELEGATION_CREDENTIAL_CONTEXT, DEFAULT_SESSION_TTL_MINUTES, DEFAULT_TIMESTAMP_SKEW_SECONDS, NONCE_LENGTH_BYTES, AUTH_NONCE_TTL_MS, ANON_NONCE_TTL_MS, type MetaPolicy, } from './types/protocol.js';
|
|
21
21
|
export { DelegationCredentialIssuer, createDelegationIssuer, type IssueDelegationOptions, type VCSigningFunction, type IdentityProvider as DelegationIdentityProvider, } from './delegation/vc-issuer.js';
|
|
22
22
|
export { DelegationCredentialVerifier, createDelegationVerifier, type DelegationVCVerificationResult, type VerifyDelegationVCOptions, type DIDResolver, type DIDDocument, type VerificationMethod, type StatusListResolver, type SignatureVerificationFunction, } from './delegation/vc-verifier.js';
|
|
23
23
|
export { DelegationGraphManager, createDelegationGraph, type DelegationNode, type DelegationGraphStorageProvider, } from './delegation/delegation-graph.js';
|
|
@@ -42,7 +42,12 @@ export { SessionManager, createHandshakeRequest, validateHandshakeFormat, type S
|
|
|
42
42
|
export { CryptoProvider, ClockProvider, FetchProvider, StorageProvider, NonceCacheProvider, IdentityProvider, type Identity, type AgentIdentity, } from './providers/base.js';
|
|
43
43
|
export { MemoryStorageProvider, MemoryNonceCacheProvider, MemoryIdentityProvider, } from './providers/memory.js';
|
|
44
44
|
export { NodeCryptoProvider } from './providers/node-crypto.js';
|
|
45
|
+
export { SystemClockProvider } from './providers/system-clock.js';
|
|
46
|
+
export { RuntimeFetchProvider } from './providers/runtime-fetch.js';
|
|
47
|
+
export { AuditLogProvider, MemoryAuditLogProvider, NoopAuditLogProvider, buildAuditRecord, } from './providers/audit-log.js';
|
|
45
48
|
export { createKyaOsMiddleware, type KyaOsConfig, type KyaOsDelegationConfig, type KyaOsIdentityConfig, type KyaOsMiddleware, type KyaOsToolDefinition, type KyaOsToolHandler, type KyaOsServer, withKyaOs, generateIdentity, type WithKyaOsOptions, } from './middleware/index.js';
|
|
49
|
+
export * from './policy/index.js';
|
|
50
|
+
export { matchScope, scopeSatisfies, type ScopeMatcher, type ScopeSatisfaction, } from './delegation/scope-matcher.js';
|
|
46
51
|
export { logger, createDefaultConsoleLogger, type Logger, type Level, } from './logging/index.js';
|
|
47
52
|
export { ED25519_PKCS8_DER_HEADER, ED25519_SPKI_DER_HEADER_LENGTH, ED25519_KEY_SIZE, } from './utils/index.js';
|
|
48
53
|
//# sourceMappingURL=index.d.ts.map
|
package/dist/index.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAGH,OAAO,EACL,kBAAkB,EAClB,gBAAgB,EAChB,KAAK,cAAc,EACnB,KAAK,kBAAkB,GACxB,MAAM,aAAa,CAAC;AAGrB,OAAO,EACL,wBAAwB,EACxB,sBAAsB,
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAGH,OAAO,EACL,kBAAkB,EAClB,gBAAgB,EAChB,KAAK,cAAc,EACnB,KAAK,kBAAkB,GACxB,MAAM,aAAa,CAAC;AAGrB,OAAO,EACL,wBAAwB,EACxB,sBAAsB,EACtB,aAAa,EACb,aAAa,GACd,MAAM,mBAAmB,CAAC;AAG3B,YAAY,EACV,qBAAqB,EACrB,gBAAgB,EAChB,oBAAoB,EACpB,gBAAgB,EAChB,gBAAgB,EAChB,wBAAwB,EACxB,KAAK,EACL,gBAAgB,EAChB,cAAc,EACd,UAAU,EACV,aAAa,EACb,oBAAoB,EACpB,oBAAoB,EACpB,aAAa,EACb,SAAS,EACT,eAAe,EACf,WAAW,EACX,YAAY,EACZ,iBAAiB,EACjB,uBAAuB,EACvB,kBAAkB,EAClB,oBAAoB,EACpB,WAAW,EACX,UAAU,GACX,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EACL,kBAAkB,EAClB,uBAAuB,EACvB,6BAA6B,EAC7B,iCAAiC,EACjC,4BAA4B,EAC5B,qBAAqB,EACrB,6BAA6B,EAC7B,yBAAyB,EACzB,wBAAwB,EACxB,oBAAoB,EACpB,6BAA6B,EAC7B,2BAA2B,EAC3B,8BAA8B,EAC9B,kBAAkB,EAClB,iBAAiB,EACjB,iBAAiB,EACjB,KAAK,UAAU,GAChB,MAAM,qBAAqB,CAAC;AAG7B,OAAO,EACL,0BAA0B,EAC1B,sBAAsB,EACtB,KAAK,sBAAsB,EAC3B,KAAK,iBAAiB,EACtB,KAAK,gBAAgB,IAAI,0BAA0B,GACpD,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EACL,4BAA4B,EAC5B,wBAAwB,EACxB,KAAK,8BAA8B,EACnC,KAAK,yBAAyB,EAC9B,KAAK,WAAW,EAChB,KAAK,WAAW,EAChB,KAAK,kBAAkB,EACvB,KAAK,kBAAkB,EACvB,KAAK,6BAA6B,GACnC,MAAM,6BAA6B,CAAC;AAErC,OAAO,EACL,sBAAsB,EACtB,qBAAqB,EACrB,KAAK,cAAc,EACnB,KAAK,8BAA8B,GACpC,MAAM,kCAAkC,CAAC;AAE1C,OAAO,EACL,qBAAqB,EACrB,uBAAuB,EACvB,KAAK,yBAAyB,EAC9B,KAAK,0BAA0B,GAChC,MAAM,oCAAoC,CAAC;AAE5C,OAAO,EACL,0BAA0B,EAC1B,gCAAgC,EAChC,KAAK,eAAe,EACpB,KAAK,cAAc,EACnB,KAAK,0BAA0B,GAChC,MAAM,sCAAsC,CAAC;AAE9C,OAAO,EACL,gBAAgB,EAChB,UAAU,EACV,KAAK,mBAAmB,EACxB,KAAK,qBAAqB,GAC3B,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EACL,wBAAwB,GACzB,MAAM,oCAAoC,CAAC;AAE5C,OAAO,EACL,uBAAuB,EACvB,gBAAgB,EAChB,KAAK,sBAAsB,EAC3B,KAAK,iBAAiB,GACvB,MAAM,gCAAgC,CAAC;AAExC,OAAO,EACL,8BAA8B,EAC9B,qBAAqB,EACrB,KAAK,yBAAyB,EAC9B,KAAK,yBAAyB,GAC/B,MAAM,kCAAkC,CAAC;AAE1C,OAAO,EACL,gBAAgB,EAChB,mBAAmB,EACnB,aAAa,EACb,UAAU,EACV,KAAK,WAAW,EAChB,KAAK,YAAY,GAClB,MAAM,uBAAuB,CAAC;AAE/B,OAAO,EAAE,uBAAuB,EAAE,MAAM,mDAAmD,CAAC;AAE5F,OAAO,EAAE,4BAA4B,EAAE,MAAM,8CAA8C,CAAC;AAE5F,OAAO,EACL,oBAAoB,EACpB,iBAAiB,EACjB,eAAe,EACf,0BAA0B,EAC1B,cAAc,GACf,MAAM,kCAAkC,CAAC;AAE1C,OAAO,EACL,cAAc,EACd,oBAAoB,EACpB,QAAQ,EACR,WAAW,EACX,WAAW,EACX,mBAAmB,EACnB,KAAK,0BAA0B,GAChC,MAAM,kCAAkC,CAAC;AAG1C,OAAO,EACL,YAAY,EACZ,YAAY,EACZ,aAAa,GACd,MAAM,mBAAmB,CAAC;AAE3B,OAAO,EACL,UAAU,EACV,YAAY,EACZ,YAAY,EACZ,WAAW,EACX,YAAY,EACZ,cAAc,EACd,gBAAgB,EAChB,uBAAuB,EACvB,wBAAwB,EACxB,cAAc,GACf,MAAM,wBAAwB,CAAC;AAGhC,OAAO,EACL,aAAa,EACb,kBAAkB,EAClB,sBAAsB,EACtB,KAAK,mBAAmB,EACxB,KAAK,mBAAmB,EACxB,KAAK,eAAe,EACpB,KAAK,gBAAgB,EACrB,KAAK,kBAAkB,EACvB,KAAK,kBAAkB,EACvB,KAAK,sBAAsB,GAC5B,MAAM,iBAAiB,CAAC;AAGzB,OAAO,EACL,cAAc,EACd,mBAAmB,EACnB,oBAAoB,EACpB,KAAK,kBAAkB,EACvB,KAAK,WAAW,EAChB,KAAK,YAAY,EACjB,KAAK,YAAY,GAClB,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EACL,aAAa,EACb,qBAAqB,EACrB,oBAAoB,EACpB,0BAA0B,EAC1B,sBAAsB,EACtB,sBAAsB,EACtB,KAAK,mBAAmB,EACxB,KAAK,uBAAuB,GAC7B,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EACL,sBAAsB,EACtB,8BAA8B,EAC9B,4BAA4B,EAC5B,KAAK,0BAA0B,GAChC,MAAM,mBAAmB,CAAC;AAG3B,OAAO,EACL,cAAc,EACd,sBAAsB,EACtB,uBAAuB,EACvB,KAAK,aAAa,EAClB,KAAK,eAAe,GACrB,MAAM,oBAAoB,CAAC;AAG5B,OAAO,EACL,cAAc,EACd,aAAa,EACb,aAAa,EACb,eAAe,EACf,kBAAkB,EAClB,gBAAgB,EAChB,KAAK,QAAQ,EACb,KAAK,aAAa,GACnB,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EACL,qBAAqB,EACrB,wBAAwB,EACxB,sBAAsB,GACvB,MAAM,uBAAuB,CAAC;AAE/B,OAAO,EAAE,kBAAkB,EAAE,MAAM,4BAA4B,CAAC;AAChE,OAAO,EAAE,mBAAmB,EAAE,MAAM,6BAA6B,CAAC;AAClE,OAAO,EAAE,oBAAoB,EAAE,MAAM,8BAA8B,CAAC;AAEpE,OAAO,EACL,gBAAgB,EAChB,sBAAsB,EACtB,oBAAoB,EACpB,gBAAgB,GACjB,MAAM,0BAA0B,CAAC;AAGlC,OAAO,EACL,qBAAqB,EACrB,KAAK,WAAW,EAChB,KAAK,qBAAqB,EAC1B,KAAK,mBAAmB,EACxB,KAAK,eAAe,EACpB,KAAK,mBAAmB,EACxB,KAAK,gBAAgB,EACrB,KAAK,WAAW,EAChB,SAAS,EACT,gBAAgB,EAChB,KAAK,gBAAgB,GACtB,MAAM,uBAAuB,CAAC;AAG/B,cAAc,mBAAmB,CAAC;AAClC,OAAO,EACL,UAAU,EACV,cAAc,EACd,KAAK,YAAY,EACjB,KAAK,iBAAiB,GACvB,MAAM,+BAA+B,CAAC;AAGvC,OAAO,EACL,MAAM,EACN,0BAA0B,EAC1B,KAAK,MAAM,EACX,KAAK,KAAK,GACX,MAAM,oBAAoB,CAAC;AAG5B,OAAO,EACL,wBAAwB,EACxB,8BAA8B,EAC9B,gBAAgB,GACjB,MAAM,kBAAkB,CAAC"}
|