@kya-os/mcp 1.4.0 → 1.6.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +91 -0
- package/dist/authz/accountability.d.ts +35 -0
- package/dist/authz/accountability.d.ts.map +1 -0
- package/dist/authz/accountability.js +28 -0
- package/dist/authz/accountability.js.map +1 -0
- package/dist/authz/adapter.d.ts +47 -0
- package/dist/authz/adapter.d.ts.map +1 -0
- package/dist/authz/adapter.js +10 -0
- package/dist/authz/adapter.js.map +1 -0
- package/dist/authz/examples/inmemory-oidc.d.ts +29 -0
- package/dist/authz/examples/inmemory-oidc.d.ts.map +1 -0
- package/dist/authz/examples/inmemory-oidc.js +68 -0
- package/dist/authz/examples/inmemory-oidc.js.map +1 -0
- package/dist/authz/index.d.ts +19 -0
- package/dist/authz/index.d.ts.map +1 -0
- package/dist/authz/index.js +19 -0
- package/dist/authz/index.js.map +1 -0
- package/dist/authz/oidc/authorize.d.ts +25 -0
- package/dist/authz/oidc/authorize.d.ts.map +1 -0
- package/dist/authz/oidc/authorize.js +24 -0
- package/dist/authz/oidc/authorize.js.map +1 -0
- package/dist/authz/oidc/metadata.d.ts +43 -0
- package/dist/authz/oidc/metadata.d.ts.map +1 -0
- package/dist/authz/oidc/metadata.js +32 -0
- package/dist/authz/oidc/metadata.js.map +1 -0
- package/dist/authz/oidc/oidc-adapter.d.ts +52 -0
- package/dist/authz/oidc/oidc-adapter.d.ts.map +1 -0
- package/dist/authz/oidc/oidc-adapter.js +131 -0
- package/dist/authz/oidc/oidc-adapter.js.map +1 -0
- package/dist/authz/oidc/pkce.d.ts +20 -0
- package/dist/authz/oidc/pkce.d.ts.map +1 -0
- package/dist/authz/oidc/pkce.js +29 -0
- package/dist/authz/oidc/pkce.js.map +1 -0
- package/dist/authz/registry.d.ts +29 -0
- package/dist/authz/registry.d.ts.map +1 -0
- package/dist/authz/registry.js +48 -0
- package/dist/authz/registry.js.map +1 -0
- package/dist/authz/requirement.d.ts +38 -0
- package/dist/authz/requirement.d.ts.map +1 -0
- package/dist/authz/requirement.js +45 -0
- package/dist/authz/requirement.js.map +1 -0
- package/dist/delegation/chain-enforcement.d.ts +86 -0
- package/dist/delegation/chain-enforcement.d.ts.map +1 -0
- package/dist/delegation/chain-enforcement.js +224 -0
- package/dist/delegation/chain-enforcement.js.map +1 -0
- package/dist/delegation/holder-binding.d.ts +128 -0
- package/dist/delegation/holder-binding.d.ts.map +1 -0
- package/dist/delegation/holder-binding.js +175 -0
- package/dist/delegation/holder-binding.js.map +1 -0
- package/dist/delegation/index.d.ts +2 -0
- package/dist/delegation/index.d.ts.map +1 -1
- package/dist/delegation/index.js +2 -0
- package/dist/delegation/index.js.map +1 -1
- package/dist/errors.d.ts +1 -0
- package/dist/errors.d.ts.map +1 -1
- package/dist/errors.js +1 -0
- package/dist/errors.js.map +1 -1
- package/dist/index.d.ts +2 -1
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +2 -1
- package/dist/index.js.map +1 -1
- package/dist/middleware/with-kya-os.d.ts +35 -1
- package/dist/middleware/with-kya-os.d.ts.map +1 -1
- package/dist/middleware/with-kya-os.js +100 -200
- package/dist/middleware/with-kya-os.js.map +1 -1
- package/dist/policy/index.d.ts +1 -0
- package/dist/policy/index.d.ts.map +1 -1
- package/dist/policy/index.js +1 -0
- package/dist/policy/index.js.map +1 -1
- package/dist/policy/projection.d.ts +47 -0
- package/dist/policy/projection.d.ts.map +1 -0
- package/dist/policy/projection.js +33 -0
- package/dist/policy/projection.js.map +1 -0
- package/dist/providers/grant-store.d.ts +98 -0
- package/dist/providers/grant-store.d.ts.map +1 -0
- package/dist/providers/grant-store.js +92 -0
- package/dist/providers/grant-store.js.map +1 -0
- package/dist/providers/index.d.ts +2 -0
- package/dist/providers/index.d.ts.map +1 -1
- package/dist/providers/index.js +2 -0
- package/dist/providers/index.js.map +1 -1
- package/dist/providers/runtime-fetch.d.ts +14 -0
- package/dist/providers/runtime-fetch.d.ts.map +1 -1
- package/dist/providers/runtime-fetch.js +22 -0
- package/dist/providers/runtime-fetch.js.map +1 -1
- package/dist/providers/web-crypto.d.ts +35 -0
- package/dist/providers/web-crypto.d.ts.map +1 -0
- package/dist/providers/web-crypto.js +91 -0
- package/dist/providers/web-crypto.js.map +1 -0
- package/package.json +14 -2
|
@@ -0,0 +1,91 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* WebCrypto CryptoProvider
|
|
3
|
+
*
|
|
4
|
+
* Ed25519 crypto backed by the WebCrypto API (`globalThis.crypto.subtle`).
|
|
5
|
+
* Isomorphic — runs in Cloudflare Workers, Deno, modern browsers, and Node 20+
|
|
6
|
+
* — so an edge runtime (or the isomorphic `@kya-os/verifier`) can use the
|
|
7
|
+
* shared `ProofVerifier` without pulling in `node:crypto`.
|
|
8
|
+
*
|
|
9
|
+
* Mirrors {@link NodeCryptoProvider}'s key formats EXACTLY — raw 32-byte
|
|
10
|
+
* Ed25519 keys, base64-encoded; `sha256:<hex>` digests — so the two are
|
|
11
|
+
* drop-in interchangeable: a proof signed under one verifies under the other.
|
|
12
|
+
* (Cross-provider parity is asserted in the tests.)
|
|
13
|
+
*
|
|
14
|
+
* Requires a runtime whose WebCrypto implements the Ed25519 curve (Workers,
|
|
15
|
+
* Deno, Node 20+, recent browsers). Throws a clear error if `crypto.subtle`
|
|
16
|
+
* is unavailable rather than failing obscurely deep in a verify call.
|
|
17
|
+
*
|
|
18
|
+
* @example
|
|
19
|
+
* ```typescript
|
|
20
|
+
* import { WebCryptoProvider } from '@kya-os/mcp/providers';
|
|
21
|
+
* const verifier = new ProofVerifier({ cryptoProvider: new WebCryptoProvider(), ... });
|
|
22
|
+
* ```
|
|
23
|
+
*/
|
|
24
|
+
import { CryptoProvider } from "./base.js";
|
|
25
|
+
import { base64ToBytes, bytesToBase64 } from "../utils/base64.js";
|
|
26
|
+
const ALG = "Ed25519";
|
|
27
|
+
/** PKCS8 DER header for Ed25519 private keys (16 bytes) — matches NodeCryptoProvider. */
|
|
28
|
+
const ED25519_PKCS8_PREFIX = Uint8Array.from([
|
|
29
|
+
0x30, 0x2e, 0x02, 0x01, 0x00, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x70, 0x04, 0x22, 0x04, 0x20,
|
|
30
|
+
]);
|
|
31
|
+
function getCrypto() {
|
|
32
|
+
// `crypto` is the WebCrypto global (Node 20+, Cloudflare Workers, Deno,
|
|
33
|
+
// browsers). Typed via the runtime's lib/@types — referenced bare (like
|
|
34
|
+
// authz/oidc/pkce.ts) so this file needs no DOM lib in tsconfig.
|
|
35
|
+
if (typeof crypto === "undefined" || !crypto.subtle) {
|
|
36
|
+
throw new Error("WebCryptoProvider: WebCrypto (crypto.subtle) is unavailable in this runtime");
|
|
37
|
+
}
|
|
38
|
+
return crypto;
|
|
39
|
+
}
|
|
40
|
+
function toHex(bytes) {
|
|
41
|
+
let out = "";
|
|
42
|
+
for (const b of bytes)
|
|
43
|
+
out += b.toString(16).padStart(2, "0");
|
|
44
|
+
return out;
|
|
45
|
+
}
|
|
46
|
+
export class WebCryptoProvider extends CryptoProvider {
|
|
47
|
+
async sign(data, privateKeyBase64) {
|
|
48
|
+
const raw = base64ToBytes(privateKeyBase64);
|
|
49
|
+
// Accept both raw 32-byte and full 64-byte Ed25519 keys (use the seed).
|
|
50
|
+
const seed = raw.length === 64 ? raw.subarray(0, 32) : raw;
|
|
51
|
+
const pkcs8 = new Uint8Array(ED25519_PKCS8_PREFIX.length + seed.length);
|
|
52
|
+
pkcs8.set(ED25519_PKCS8_PREFIX, 0);
|
|
53
|
+
pkcs8.set(seed, ED25519_PKCS8_PREFIX.length);
|
|
54
|
+
const key = await getCrypto().subtle.importKey("pkcs8", pkcs8, { name: ALG }, false, ["sign"]);
|
|
55
|
+
const sig = await getCrypto().subtle.sign({ name: ALG }, key, data);
|
|
56
|
+
return new Uint8Array(sig);
|
|
57
|
+
}
|
|
58
|
+
async verify(data, signature, publicKeyBase64) {
|
|
59
|
+
try {
|
|
60
|
+
const raw = base64ToBytes(publicKeyBase64);
|
|
61
|
+
const key = await getCrypto().subtle.importKey("raw", raw, { name: ALG }, false, ["verify"]);
|
|
62
|
+
return await getCrypto().subtle.verify({ name: ALG }, key, signature, data);
|
|
63
|
+
}
|
|
64
|
+
catch {
|
|
65
|
+
// Never throw on a bad key/signature — verification simply fails.
|
|
66
|
+
return false;
|
|
67
|
+
}
|
|
68
|
+
}
|
|
69
|
+
async generateKeyPair() {
|
|
70
|
+
const kp = await getCrypto().subtle.generateKey({ name: ALG }, true, ["sign", "verify"]);
|
|
71
|
+
// generateKey returns CryptoKey | CryptoKeyPair; narrow to the pair without
|
|
72
|
+
// naming the DOM type (this file compiles without a DOM lib — see getCrypto).
|
|
73
|
+
if (!("publicKey" in kp)) {
|
|
74
|
+
throw new Error("WebCryptoProvider: expected an Ed25519 key pair from generateKey");
|
|
75
|
+
}
|
|
76
|
+
const rawPub = new Uint8Array(await getCrypto().subtle.exportKey("raw", kp.publicKey));
|
|
77
|
+
const pkcs8 = new Uint8Array(await getCrypto().subtle.exportKey("pkcs8", kp.privateKey));
|
|
78
|
+
// Strip the 16-byte PKCS8 prefix to recover the raw 32-byte seed (mirrors
|
|
79
|
+
// NodeCryptoProvider, which slices [16,48) of the DER).
|
|
80
|
+
const seed = pkcs8.subarray(ED25519_PKCS8_PREFIX.length, ED25519_PKCS8_PREFIX.length + 32);
|
|
81
|
+
return { privateKey: bytesToBase64(seed), publicKey: bytesToBase64(rawPub) };
|
|
82
|
+
}
|
|
83
|
+
async hash(data) {
|
|
84
|
+
const digest = new Uint8Array(await getCrypto().subtle.digest("SHA-256", data));
|
|
85
|
+
return `sha256:${toHex(digest)}`;
|
|
86
|
+
}
|
|
87
|
+
async randomBytes(length) {
|
|
88
|
+
return getCrypto().getRandomValues(new Uint8Array(length));
|
|
89
|
+
}
|
|
90
|
+
}
|
|
91
|
+
//# sourceMappingURL=web-crypto.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"web-crypto.js","sourceRoot":"","sources":["../../src/providers/web-crypto.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAEH,OAAO,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAC3C,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAElE,MAAM,GAAG,GAAG,SAAkB,CAAC;AAE/B,yFAAyF;AACzF,MAAM,oBAAoB,GAAG,UAAU,CAAC,IAAI,CAAC;IAC3C,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI;CAC/F,CAAC,CAAC;AAEH,SAAS,SAAS;IAChB,wEAAwE;IACxE,wEAAwE;IACxE,iEAAiE;IACjE,IAAI,OAAO,MAAM,KAAK,WAAW,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QACpD,MAAM,IAAI,KAAK,CACb,6EAA6E,CAC9E,CAAC;IACJ,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,KAAK,CAAC,KAAiB;IAC9B,IAAI,GAAG,GAAG,EAAE,CAAC;IACb,KAAK,MAAM,CAAC,IAAI,KAAK;QAAE,GAAG,IAAI,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IAC9D,OAAO,GAAG,CAAC;AACb,CAAC;AAED,MAAM,OAAO,iBAAkB,SAAQ,cAAc;IACnD,KAAK,CAAC,IAAI,CAAC,IAAgB,EAAE,gBAAwB;QACnD,MAAM,GAAG,GAAG,aAAa,CAAC,gBAAgB,CAAC,CAAC;QAC5C,wEAAwE;QACxE,MAAM,IAAI,GAAG,GAAG,CAAC,MAAM,KAAK,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;QAC3D,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,oBAAoB,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC;QACxE,KAAK,CAAC,GAAG,CAAC,oBAAoB,EAAE,CAAC,CAAC,CAAC;QACnC,KAAK,CAAC,GAAG,CAAC,IAAI,EAAE,oBAAoB,CAAC,MAAM,CAAC,CAAC;QAC7C,MAAM,GAAG,GAAG,MAAM,SAAS,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,OAAO,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC;QAC/F,MAAM,GAAG,GAAG,MAAM,SAAS,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,GAAG,EAAE,EAAE,GAAG,EAAE,IAAI,CAAC,CAAC;QACpE,OAAO,IAAI,UAAU,CAAC,GAAG,CAAC,CAAC;IAC7B,CAAC;IAED,KAAK,CAAC,MAAM,CACV,IAAgB,EAChB,SAAqB,EACrB,eAAuB;QAEvB,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,aAAa,CAAC,eAAe,CAAC,CAAC;YAC3C,MAAM,GAAG,GAAG,MAAM,SAAS,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC;YAC7F,OAAO,MAAM,SAAS,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,GAAG,EAAE,EAAE,GAAG,EAAE,SAAS,EAAE,IAAI,CAAC,CAAC;QAC9E,CAAC;QAAC,MAAM,CAAC;YACP,kEAAkE;YAClE,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED,KAAK,CAAC,eAAe;QACnB,MAAM,EAAE,GAAG,MAAM,SAAS,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,IAAI,EAAE,GAAG,EAAE,EAAE,IAAI,EAAE,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC;QACzF,4EAA4E;QAC5E,8EAA8E;QAC9E,IAAI,CAAC,CAAC,WAAW,IAAI,EAAE,CAAC,EAAE,CAAC;YACzB,MAAM,IAAI,KAAK,CAAC,kEAAkE,CAAC,CAAC;QACtF,CAAC;QACD,MAAM,MAAM,GAAG,IAAI,UAAU,CAAC,MAAM,SAAS,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC;QACvF,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,MAAM,SAAS,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC;QACzF,0EAA0E;QAC1E,wDAAwD;QACxD,MAAM,IAAI,GAAG,KAAK,CAAC,QAAQ,CAAC,oBAAoB,CAAC,MAAM,EAAE,oBAAoB,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;QAC3F,OAAO,EAAE,UAAU,EAAE,aAAa,CAAC,IAAI,CAAC,EAAE,SAAS,EAAE,aAAa,CAAC,MAAM,CAAC,EAAE,CAAC;IAC/E,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,IAAgB;QACzB,MAAM,MAAM,GAAG,IAAI,UAAU,CAAC,MAAM,SAAS,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC,CAAC;QAChF,OAAO,UAAU,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC;IACnC,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,MAAc;QAC9B,OAAO,SAAS,EAAE,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC;IAC7D,CAAC;CACF"}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@kya-os/mcp",
|
|
3
|
-
"version": "1.
|
|
3
|
+
"version": "1.6.0",
|
|
4
4
|
"description": "Reference implementation of the KYA-OS protocol for Model Context Protocol servers: delegation, proof, and session primitives",
|
|
5
5
|
"license": "MIT",
|
|
6
6
|
"type": "module",
|
|
@@ -43,6 +43,14 @@
|
|
|
43
43
|
"types": "./dist/middleware/index.d.ts",
|
|
44
44
|
"default": "./dist/middleware/index.js"
|
|
45
45
|
},
|
|
46
|
+
"./policy": {
|
|
47
|
+
"types": "./dist/policy/index.d.ts",
|
|
48
|
+
"default": "./dist/policy/index.js"
|
|
49
|
+
},
|
|
50
|
+
"./authz": {
|
|
51
|
+
"types": "./dist/authz/index.d.ts",
|
|
52
|
+
"default": "./dist/authz/index.js"
|
|
53
|
+
},
|
|
46
54
|
"./schemas/*.json": "./schemas/*.json",
|
|
47
55
|
"./package.json": "./package.json"
|
|
48
56
|
},
|
|
@@ -66,7 +74,11 @@
|
|
|
66
74
|
"example:server": "npx tsx examples/node-server/server.ts",
|
|
67
75
|
"example:inspector": "npx @modelcontextprotocol/inspector npx tsx examples/node-server/server.ts --stdio",
|
|
68
76
|
"example:verify-proof": "npx tsx examples/verify-proof/verify.ts",
|
|
69
|
-
"example:anti-mitm": "npx tsx examples/verify-proof/anti-mitm-demo.ts"
|
|
77
|
+
"example:anti-mitm": "npx tsx examples/verify-proof/anti-mitm-demo.ts",
|
|
78
|
+
"example:authz-inspector": "npx @modelcontextprotocol/inspector npx tsx examples/authz-inspector/src/stdio.ts",
|
|
79
|
+
"example:authz-inspector:http": "npx tsx examples/authz-inspector/src/inspector-http.ts",
|
|
80
|
+
"example:authz-inspector:http:server": "npx tsx examples/authz-inspector/src/http.ts",
|
|
81
|
+
"example:authz-inspector:stdio:server": "npx tsx examples/authz-inspector/src/stdio.ts"
|
|
70
82
|
},
|
|
71
83
|
"dependencies": {
|
|
72
84
|
"jose": "^5.6.3",
|