@kya-os/mcp 1.6.1 → 1.9.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +117 -0
- package/README.md +228 -3
- package/dist/authz/index.d.ts +1 -0
- package/dist/authz/index.d.ts.map +1 -1
- package/dist/authz/index.js +1 -0
- package/dist/authz/index.js.map +1 -1
- package/dist/authz/oidc/oidc-adapter.d.ts +10 -2
- package/dist/authz/oidc/oidc-adapter.d.ts.map +1 -1
- package/dist/authz/oidc/oidc-adapter.js +18 -9
- package/dist/authz/oidc/oidc-adapter.js.map +1 -1
- package/dist/authz/oidc/pending-flow-store.d.ts +80 -0
- package/dist/authz/oidc/pending-flow-store.d.ts.map +1 -0
- package/dist/authz/oidc/pending-flow-store.js +82 -0
- package/dist/authz/oidc/pending-flow-store.js.map +1 -0
- package/dist/card/build.d.ts +41 -0
- package/dist/card/build.d.ts.map +1 -0
- package/dist/card/build.js +47 -0
- package/dist/card/build.js.map +1 -0
- package/dist/card/builder.d.ts +99 -0
- package/dist/card/builder.d.ts.map +1 -0
- package/dist/card/builder.js +147 -0
- package/dist/card/builder.js.map +1 -0
- package/dist/card/cimd.d.ts +92 -0
- package/dist/card/cimd.d.ts.map +1 -0
- package/dist/card/cimd.js +225 -0
- package/dist/card/cimd.js.map +1 -0
- package/dist/card/delegation.d.ts +145 -0
- package/dist/card/delegation.d.ts.map +1 -0
- package/dist/card/delegation.js +293 -0
- package/dist/card/delegation.js.map +1 -0
- package/dist/card/emit.d.ts +133 -0
- package/dist/card/emit.d.ts.map +1 -0
- package/dist/card/emit.js +127 -0
- package/dist/card/emit.js.map +1 -0
- package/dist/card/index.d.ts +43 -0
- package/dist/card/index.d.ts.map +1 -0
- package/dist/card/index.js +46 -0
- package/dist/card/index.js.map +1 -0
- package/dist/card/middleware.d.ts +112 -0
- package/dist/card/middleware.d.ts.map +1 -0
- package/dist/card/middleware.js +121 -0
- package/dist/card/middleware.js.map +1 -0
- package/dist/card/proof/build.d.ts +22 -0
- package/dist/card/proof/build.d.ts.map +1 -0
- package/dist/card/proof/build.js +55 -0
- package/dist/card/proof/build.js.map +1 -0
- package/dist/card/proof/canonical.d.ts +66 -0
- package/dist/card/proof/canonical.d.ts.map +1 -0
- package/dist/card/proof/canonical.js +131 -0
- package/dist/card/proof/canonical.js.map +1 -0
- package/dist/card/proof/http-sig.d.ts +69 -0
- package/dist/card/proof/http-sig.d.ts.map +1 -0
- package/dist/card/proof/http-sig.js +101 -0
- package/dist/card/proof/http-sig.js.map +1 -0
- package/dist/card/proof/index.d.ts +25 -0
- package/dist/card/proof/index.d.ts.map +1 -0
- package/dist/card/proof/index.js +25 -0
- package/dist/card/proof/index.js.map +1 -0
- package/dist/card/proof/nonce-cache.d.ts +67 -0
- package/dist/card/proof/nonce-cache.d.ts.map +1 -0
- package/dist/card/proof/nonce-cache.js +88 -0
- package/dist/card/proof/nonce-cache.js.map +1 -0
- package/dist/card/proof/signer.d.ts +32 -0
- package/dist/card/proof/signer.d.ts.map +1 -0
- package/dist/card/proof/signer.js +59 -0
- package/dist/card/proof/signer.js.map +1 -0
- package/dist/card/proof/types.d.ts +219 -0
- package/dist/card/proof/types.d.ts.map +1 -0
- package/dist/card/proof/types.js +87 -0
- package/dist/card/proof/types.js.map +1 -0
- package/dist/card/proof/verify.d.ts +27 -0
- package/dist/card/proof/verify.d.ts.map +1 -0
- package/dist/card/proof/verify.js +236 -0
- package/dist/card/proof/verify.js.map +1 -0
- package/dist/card/resolve.d.ts +97 -0
- package/dist/card/resolve.d.ts.map +1 -0
- package/dist/card/resolve.js +223 -0
- package/dist/card/resolve.js.map +1 -0
- package/dist/card/revocation.d.ts +96 -0
- package/dist/card/revocation.d.ts.map +1 -0
- package/dist/card/revocation.js +190 -0
- package/dist/card/revocation.js.map +1 -0
- package/dist/card/schema.d.ts +177 -0
- package/dist/card/schema.d.ts.map +1 -0
- package/dist/card/schema.js +119 -0
- package/dist/card/schema.js.map +1 -0
- package/dist/card/verify.d.ts +144 -0
- package/dist/card/verify.d.ts.map +1 -0
- package/dist/card/verify.js +132 -0
- package/dist/card/verify.js.map +1 -0
- package/dist/delegation/bitstring.d.ts +9 -7
- package/dist/delegation/bitstring.d.ts.map +1 -1
- package/dist/delegation/bitstring.js +70 -37
- package/dist/delegation/bitstring.js.map +1 -1
- package/dist/delegation/did-linkage.d.ts +23 -0
- package/dist/delegation/did-linkage.d.ts.map +1 -0
- package/dist/delegation/did-linkage.js +57 -0
- package/dist/delegation/did-linkage.js.map +1 -0
- package/dist/delegation/did-resolver-registry.d.ts +7 -0
- package/dist/delegation/did-resolver-registry.d.ts.map +1 -0
- package/dist/delegation/did-resolver-registry.js +20 -0
- package/dist/delegation/did-resolver-registry.js.map +1 -0
- package/dist/delegation/did-web-resolver.d.ts +29 -18
- package/dist/delegation/did-web-resolver.d.ts.map +1 -1
- package/dist/delegation/did-web-resolver.js +65 -35
- package/dist/delegation/did-web-resolver.js.map +1 -1
- package/dist/delegation/index.d.ts +3 -0
- package/dist/delegation/index.d.ts.map +1 -1
- package/dist/delegation/index.js +3 -0
- package/dist/delegation/index.js.map +1 -1
- package/dist/delegation/statuslist-manager.d.ts.map +1 -1
- package/dist/delegation/statuslist-manager.js +16 -1
- package/dist/delegation/statuslist-manager.js.map +1 -1
- package/dist/delegation/vc-jwt-verify.d.ts +61 -0
- package/dist/delegation/vc-jwt-verify.d.ts.map +1 -0
- package/dist/delegation/vc-jwt-verify.js +131 -0
- package/dist/delegation/vc-jwt-verify.js.map +1 -0
- package/dist/delegation/vc-verification-checks.d.ts +50 -0
- package/dist/delegation/vc-verification-checks.d.ts.map +1 -0
- package/dist/delegation/vc-verification-checks.js +212 -0
- package/dist/delegation/vc-verification-checks.js.map +1 -0
- package/dist/delegation/vc-verifier.d.ts +24 -61
- package/dist/delegation/vc-verifier.d.ts.map +1 -1
- package/dist/delegation/vc-verifier.js +57 -180
- package/dist/delegation/vc-verifier.js.map +1 -1
- package/dist/delegation/vc-verifier.types.d.ts +88 -0
- package/dist/delegation/vc-verifier.types.d.ts.map +1 -0
- package/dist/delegation/vc-verifier.types.js +9 -0
- package/dist/delegation/vc-verifier.types.js.map +1 -0
- package/dist/index.d.ts +8 -4
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +10 -3
- package/dist/index.js.map +1 -1
- package/dist/integrations/cheqd/dlr.d.ts +44 -0
- package/dist/integrations/cheqd/dlr.d.ts.map +1 -0
- package/dist/integrations/cheqd/dlr.js +86 -0
- package/dist/integrations/cheqd/dlr.js.map +1 -0
- package/dist/integrations/cheqd/index.d.ts +5 -0
- package/dist/integrations/cheqd/index.d.ts.map +1 -0
- package/dist/integrations/cheqd/index.js +5 -0
- package/dist/integrations/cheqd/index.js.map +1 -0
- package/dist/integrations/cheqd/linkage.d.ts +20 -0
- package/dist/integrations/cheqd/linkage.d.ts.map +1 -0
- package/dist/integrations/cheqd/linkage.js +32 -0
- package/dist/integrations/cheqd/linkage.js.map +1 -0
- package/dist/integrations/cheqd/registrar.d.ts +85 -0
- package/dist/integrations/cheqd/registrar.d.ts.map +1 -0
- package/dist/integrations/cheqd/registrar.js +304 -0
- package/dist/integrations/cheqd/registrar.js.map +1 -0
- package/dist/integrations/cheqd/resolver.d.ts +38 -0
- package/dist/integrations/cheqd/resolver.d.ts.map +1 -0
- package/dist/integrations/cheqd/resolver.js +156 -0
- package/dist/integrations/cheqd/resolver.js.map +1 -0
- package/dist/middleware/index.d.ts +2 -0
- package/dist/middleware/index.d.ts.map +1 -1
- package/dist/middleware/index.js +5 -0
- package/dist/middleware/index.js.map +1 -1
- package/dist/middleware/kya-os-transport.d.ts +2 -1
- package/dist/middleware/kya-os-transport.d.ts.map +1 -1
- package/dist/middleware/kya-os-transport.js +2 -1
- package/dist/middleware/kya-os-transport.js.map +1 -1
- package/dist/middleware/with-kya-os-server.d.ts +21 -4
- package/dist/middleware/with-kya-os-server.d.ts.map +1 -1
- package/dist/middleware/with-kya-os-server.js +4 -0
- package/dist/middleware/with-kya-os-server.js.map +1 -1
- package/dist/middleware/with-kya-os.config-types.d.ts +139 -0
- package/dist/middleware/with-kya-os.config-types.d.ts.map +1 -0
- package/dist/middleware/with-kya-os.config-types.js +9 -0
- package/dist/middleware/with-kya-os.config-types.js.map +1 -0
- package/dist/middleware/with-kya-os.d.ts +10 -238
- package/dist/middleware/with-kya-os.d.ts.map +1 -1
- package/dist/middleware/with-kya-os.delegation-gate.d.ts +19 -0
- package/dist/middleware/with-kya-os.delegation-gate.d.ts.map +1 -0
- package/dist/middleware/with-kya-os.delegation-gate.js +175 -0
- package/dist/middleware/with-kya-os.delegation-gate.js.map +1 -0
- package/dist/middleware/with-kya-os.delegation-verify.d.ts +51 -0
- package/dist/middleware/with-kya-os.delegation-verify.d.ts.map +1 -0
- package/dist/middleware/with-kya-os.delegation-verify.js +165 -0
- package/dist/middleware/with-kya-os.delegation-verify.js.map +1 -0
- package/dist/middleware/with-kya-os.deps.d.ts +40 -0
- package/dist/middleware/with-kya-os.deps.d.ts.map +1 -0
- package/dist/middleware/with-kya-os.deps.js +9 -0
- package/dist/middleware/with-kya-os.deps.js.map +1 -0
- package/dist/middleware/with-kya-os.grants.d.ts +30 -0
- package/dist/middleware/with-kya-os.grants.d.ts.map +1 -0
- package/dist/middleware/with-kya-os.grants.js +145 -0
- package/dist/middleware/with-kya-os.grants.js.map +1 -0
- package/dist/middleware/with-kya-os.helpers.d.ts +24 -0
- package/dist/middleware/with-kya-os.helpers.d.ts.map +1 -0
- package/dist/middleware/with-kya-os.helpers.js +57 -0
- package/dist/middleware/with-kya-os.helpers.js.map +1 -0
- package/dist/middleware/with-kya-os.js +65 -703
- package/dist/middleware/with-kya-os.js.map +1 -1
- package/dist/middleware/with-kya-os.policy-gate.d.ts +16 -0
- package/dist/middleware/with-kya-os.policy-gate.d.ts.map +1 -0
- package/dist/middleware/with-kya-os.policy-gate.js +98 -0
- package/dist/middleware/with-kya-os.policy-gate.js.map +1 -0
- package/dist/middleware/with-kya-os.protocol.d.ts +29 -0
- package/dist/middleware/with-kya-os.protocol.d.ts.map +1 -0
- package/dist/middleware/with-kya-os.protocol.js +121 -0
- package/dist/middleware/with-kya-os.protocol.js.map +1 -0
- package/dist/middleware/with-kya-os.session.d.ts +32 -0
- package/dist/middleware/with-kya-os.session.d.ts.map +1 -0
- package/dist/middleware/with-kya-os.session.js +201 -0
- package/dist/middleware/with-kya-os.session.js.map +1 -0
- package/dist/middleware/with-kya-os.types.d.ts +178 -0
- package/dist/middleware/with-kya-os.types.d.ts.map +1 -0
- package/dist/middleware/with-kya-os.types.js +13 -0
- package/dist/middleware/with-kya-os.types.js.map +1 -0
- package/dist/proof/generator.d.ts +21 -0
- package/dist/proof/generator.d.ts.map +1 -1
- package/dist/proof/generator.js +21 -0
- package/dist/proof/generator.js.map +1 -1
- package/dist/proof/index.d.ts +1 -1
- package/dist/proof/index.d.ts.map +1 -1
- package/dist/proof/index.js +1 -1
- package/dist/proof/index.js.map +1 -1
- package/dist/proof/verifier.d.ts +26 -3
- package/dist/proof/verifier.d.ts.map +1 -1
- package/dist/proof/verifier.js +54 -24
- package/dist/proof/verifier.js.map +1 -1
- package/dist/providers/grant-store.d.ts +10 -1
- package/dist/providers/grant-store.d.ts.map +1 -1
- package/dist/providers/grant-store.js.map +1 -1
- package/dist/providers/runtime-fetch.d.ts +8 -0
- package/dist/providers/runtime-fetch.d.ts.map +1 -1
- package/dist/providers/runtime-fetch.js +17 -0
- package/dist/providers/runtime-fetch.js.map +1 -1
- package/dist/providers/web-crypto.d.ts.map +1 -1
- package/dist/providers/web-crypto.js +15 -7
- package/dist/providers/web-crypto.js.map +1 -1
- package/dist/session/index.d.ts +1 -0
- package/dist/session/index.d.ts.map +1 -1
- package/dist/session/index.js +1 -0
- package/dist/session/index.js.map +1 -1
- package/dist/session/manager.d.ts +17 -6
- package/dist/session/manager.d.ts.map +1 -1
- package/dist/session/manager.js +16 -26
- package/dist/session/manager.js.map +1 -1
- package/dist/session/session-store.d.ts +78 -0
- package/dist/session/session-store.d.ts.map +1 -0
- package/dist/session/session-store.js +79 -0
- package/dist/session/session-store.js.map +1 -0
- package/dist/types/protocol.d.ts +9 -3
- package/dist/types/protocol.d.ts.map +1 -1
- package/dist/types/protocol.js.map +1 -1
- package/dist/utils/guards.d.ts +2 -0
- package/dist/utils/guards.d.ts.map +1 -0
- package/dist/utils/guards.js +4 -0
- package/dist/utils/guards.js.map +1 -0
- package/dist/utils/index.d.ts +3 -0
- package/dist/utils/index.d.ts.map +1 -1
- package/dist/utils/index.js +3 -0
- package/dist/utils/index.js.map +1 -1
- package/dist/utils/ip-classifier.d.ts +12 -0
- package/dist/utils/ip-classifier.d.ts.map +1 -0
- package/dist/utils/ip-classifier.js +153 -0
- package/dist/utils/ip-classifier.js.map +1 -0
- package/dist/utils/safe-fetch-transports.d.ts +40 -0
- package/dist/utils/safe-fetch-transports.d.ts.map +1 -0
- package/dist/utils/safe-fetch-transports.js +121 -0
- package/dist/utils/safe-fetch-transports.js.map +1 -0
- package/dist/utils/safe-fetch-types.d.ts +66 -0
- package/dist/utils/safe-fetch-types.d.ts.map +1 -0
- package/dist/utils/safe-fetch-types.js +10 -0
- package/dist/utils/safe-fetch-types.js.map +1 -0
- package/dist/utils/safe-fetch.d.ts +40 -0
- package/dist/utils/safe-fetch.d.ts.map +1 -0
- package/dist/utils/safe-fetch.js +188 -0
- package/dist/utils/safe-fetch.js.map +1 -0
- package/dist/utils/statuslist-purpose.d.ts +12 -0
- package/dist/utils/statuslist-purpose.d.ts.map +1 -0
- package/dist/utils/statuslist-purpose.js +19 -0
- package/dist/utils/statuslist-purpose.js.map +1 -0
- package/dist/utils/url.d.ts +2 -0
- package/dist/utils/url.d.ts.map +1 -0
- package/dist/utils/url.js +8 -0
- package/dist/utils/url.js.map +1 -0
- package/package.json +25 -5
- package/schemas/README.md +2 -1
- package/schemas/card-delegation-credential.json +239 -0
- package/schemas/kya-os-card.schema.json +284 -0
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"with-kya-os-server.d.ts","sourceRoot":"","sources":["../../src/middleware/with-kya-os-server.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAE3D,OAAO,EAGL,KAAK,mBAAmB,EACxB,KAAK,qBAAqB,EAC1B,KAAK,eAAe,EACrB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAwB,KAAK,SAAS,EAAE,MAAM,uBAAuB,CAAC;AAG7E,MAAM,WAAW,gBAAgB;IAC/B,yDAAyD;IACzD,MAAM,EAAE,cAAc,CAAC;IACvB,kDAAkD;IAClD,QAAQ,CAAC,EAAE,mBAAmB,CAAC;IAC/B
|
|
1
|
+
{"version":3,"file":"with-kya-os-server.d.ts","sourceRoot":"","sources":["../../src/middleware/with-kya-os-server.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAC3D,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AAC9D,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AAE3D,OAAO,EAGL,KAAK,mBAAmB,EACxB,KAAK,qBAAqB,EAC1B,KAAK,eAAe,EACrB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAwB,KAAK,SAAS,EAAE,MAAM,uBAAuB,CAAC;AAG7E,MAAM,WAAW,gBAAgB;IAC/B,yDAAyD;IACzD,MAAM,EAAE,cAAc,CAAC;IACvB,kDAAkD;IAClD,QAAQ,CAAC,EAAE,mBAAmB,CAAC;IAC/B;;;;OAIG;IACH,OAAO,CAAC,EAAE,IAAI,CAAC,aAAa,EAAE,YAAY,CAAC,CAAC;IAC5C,kEAAkE;IAClE,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,0DAA0D;IAC1D,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB;;;;;OAKG;IACH,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,yCAAyC;IACzC,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,qCAAqC;IACrC,UAAU,CAAC,EAAE,qBAAqB,CAAC;IACnC;;;;OAIG;IACH,UAAU,CAAC,EAAE,UAAU,CAAC;IACxB;;;;OAIG;IACH,iBAAiB,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;CACrC;AAED;;;;;GAKG;AACH,wBAAsB,gBAAgB,CACpC,MAAM,EAAE,cAAc,GACrB,OAAO,CAAC,mBAAmB,CAAC,CAS9B;AAED;;;GAGG;AACH,UAAU,aAAa;IACrB,OAAO,CAAC,SAAS,EAAE,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAChD,YAAY,CAAC,GAAG,IAAI,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC;CACxC;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAsB,SAAS,CAC7B,MAAM,EAAE,aAAa,EACrB,OAAO,EAAE,gBAAgB,GACxB,OAAO,CAAC,eAAe,CAAC,CA2E1B"}
|
|
@@ -58,6 +58,10 @@ export async function withKyaOs(server, options) {
|
|
|
58
58
|
session: options.session,
|
|
59
59
|
delegation: options.delegation,
|
|
60
60
|
autoSession: options.autoSession ?? true,
|
|
61
|
+
...(options.grantStore ? { grantStore: options.grantStore } : {}),
|
|
62
|
+
...(options.emitLegacyProofKey !== undefined
|
|
63
|
+
? { emitLegacyProofKey: options.emitLegacyProofKey }
|
|
64
|
+
: {}),
|
|
61
65
|
}, options.crypto);
|
|
62
66
|
if ((options.handshakeExposure ?? "tool") === "tool") {
|
|
63
67
|
// Register the unified _kyaos tool for protocol operations.
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"with-kya-os-server.js","sourceRoot":"","sources":["../../src/middleware/with-kya-os-server.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;
|
|
1
|
+
{"version":3,"file":"with-kya-os-server.js","sourceRoot":"","sources":["../../src/middleware/with-kya-os-server.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAKH,OAAO,EAAE,wBAAwB,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AACnF,OAAO,EACL,cAAc,EACd,qBAAqB,GAItB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,oBAAoB,EAAkB,MAAM,uBAAuB,CAAC;AAC7E,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AA0CxB;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,MAAsB;IAEtB,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,eAAe,EAAE,CAAC;IAC/C,MAAM,GAAG,GAAG,wBAAwB,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IACxD,OAAO;QACL,GAAG;QACH,GAAG,EAAE,GAAG,GAAG,IAAI,cAAc,CAAC,GAAG,CAAC,EAAE;QACpC,UAAU,EAAE,OAAO,CAAC,UAAU;QAC9B,SAAS,EAAE,OAAO,CAAC,SAAS;KAC7B,CAAC;AACJ,CAAC;AAWD;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,MAAqB,EACrB,OAAyB;IAEzB,MAAM,QAAQ,GACZ,OAAO,CAAC,QAAQ,IAAI,CAAC,MAAM,gBAAgB,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC;IAE/D,MAAM,KAAK,GAAG,qBAAqB,CACjC;QACE,QAAQ;QACR,OAAO,EAAE,OAAO,CAAC,OAAO;QACxB,UAAU,EAAE,OAAO,CAAC,UAAU;QAC9B,WAAW,EAAE,OAAO,CAAC,WAAW,IAAI,IAAI;QACxC,GAAG,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,OAAO,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACjE,GAAG,CAAC,OAAO,CAAC,kBAAkB,KAAK,SAAS;YAC1C,CAAC,CAAC,EAAE,kBAAkB,EAAE,OAAO,CAAC,kBAAkB,EAAE;YACpD,CAAC,CAAC,EAAE,CAAC;KACR,EACD,OAAO,CAAC,MAAM,CACf,CAAC;IAEF,IAAI,CAAC,OAAO,CAAC,iBAAiB,IAAI,MAAM,CAAC,KAAK,MAAM,EAAE,CAAC;QACrD,4DAA4D;QAC5D,MAAM,CAAC,YAAY,CACjB,QAAQ,EACR;YACE,WAAW,EACT,iFAAiF;YACnF,WAAW,EAAE,EAAE,KAAK,EAAE,iBAAiB,EAAE,YAAY,EAAE,IAAI,EAAE;YAC7D,WAAW,EAAE;gBACX,MAAM,EAAE,CAAC;qBACN,IAAI,CAAC,cAAc,CAAC;qBACpB,QAAQ,CAAC,+BAA+B,CAAC;gBAC5C,KAAK,EAAE,CAAC;qBACL,MAAM,EAAE;qBACR,QAAQ,EAAE;qBACV,QAAQ,CAAC,2CAA2C,CAAC;gBACxD,QAAQ,EAAE,CAAC;qBACR,MAAM,EAAE;qBACR,QAAQ,EAAE;qBACV,QAAQ,CAAC,+BAA+B,CAAC;gBAC5C,SAAS,EAAE,CAAC;qBACT,MAAM,EAAE;qBACR,QAAQ,EAAE;qBACV,QAAQ,CAAC,gCAAgC,CAAC;gBAC7C,QAAQ,EAAE,CAAC;qBACR,MAAM,EAAE;qBACR,QAAQ,EAAE;qBACV,QAAQ,CAAC,wCAAwC,CAAC;aACtD;SACF,EACD,KAAK,EAAE,IAAa,EAAE,EAAE;YACtB,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,WAAW,CACpC,IAA+B,CAChC,CAAC;YACF,OAAO;gBACL,GAAG,MAAM;gBACT,OAAO,EAAE,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,CAAC,CAAC;aACtE,CAAC;QACJ,CAAC,CACF,CAAC;IACJ,CAAC;IAED,mEAAmE;IACnE,EAAE;IACF,yEAAyE;IACzE,oEAAoE;IACpE,uEAAuE;IACvE,uEAAuE;IACvE,IAAI,OAAO,CAAC,aAAa,KAAK,KAAK,EAAE,CAAC;QACpC,MAAM,OAAO,GAAG,CAAC,QAAQ,EAAE,kBAAkB,EAAE,GAAG,CAAC,OAAO,CAAC,YAAY,IAAI,EAAE,CAAC,CAAC,CAAC;QAChF,MAAM,eAAe,GAAG,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAEpD,MAAM,CAAC,OAAO,GAAG,CAAC,SAAoB,EAAE,EAAE,CACxC,eAAe,CAAC,oBAAoB,CAAC,SAAS,EAAE,KAAK,EAAE,OAAO,CAAC,CAAC,CAAC;IACrE,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC"}
|
|
@@ -0,0 +1,139 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* KYA-OS Middleware — configuration input types.
|
|
3
|
+
*
|
|
4
|
+
* The identity / session / delegation configuration a caller passes to
|
|
5
|
+
* `withKyaOs` / `createKyaOsMiddleware`. Split from the API-surface types
|
|
6
|
+
* (`./with-kya-os.types.ts`), which re-exports these so importers are unchanged.
|
|
7
|
+
*/
|
|
8
|
+
import type { FetchProvider, NonceCacheProvider } from "../providers/base.js";
|
|
9
|
+
import type { AuditLogProvider } from "../providers/audit-log.js";
|
|
10
|
+
import type { GrantStore } from "../providers/grant-store.js";
|
|
11
|
+
import type { SessionConfig } from "../session/manager.js";
|
|
12
|
+
import type { DIDResolver, StatusListResolver } from "../delegation/vc-verifier.js";
|
|
13
|
+
import type { DIDResolverRegistry } from "../delegation/did-resolver-registry.js";
|
|
14
|
+
import type { RevocationChecker } from "../delegation/chain-enforcement.js";
|
|
15
|
+
import type { DelegationCredential } from "../types/protocol.js";
|
|
16
|
+
export interface KyaOsIdentityConfig {
|
|
17
|
+
did: string;
|
|
18
|
+
kid: string;
|
|
19
|
+
privateKey: string;
|
|
20
|
+
publicKey: string;
|
|
21
|
+
agentName?: string;
|
|
22
|
+
}
|
|
23
|
+
export declare const KYA_OS_ACTIONS: readonly ["handshake", "identity", "reputation"];
|
|
24
|
+
export type KyaOsAction = (typeof KYA_OS_ACTIONS)[number];
|
|
25
|
+
export interface KyaOsDelegationConfig {
|
|
26
|
+
/**
|
|
27
|
+
* Optional custom DID resolver. If it returns null, middleware falls back to
|
|
28
|
+
* built-in did:key resolution and fetch-backed did:web resolution.
|
|
29
|
+
*/
|
|
30
|
+
didResolver?: DIDResolver;
|
|
31
|
+
/**
|
|
32
|
+
* Optional fetch provider used for did:web resolution.
|
|
33
|
+
* If omitted, middleware falls back to the runtime global fetch when available.
|
|
34
|
+
*/
|
|
35
|
+
fetchProvider?: FetchProvider;
|
|
36
|
+
/**
|
|
37
|
+
* Optional DID method resolver registry. Entries are keyed by DID method
|
|
38
|
+
* (for example, "cheqd") and are checked before the built-in did:key and
|
|
39
|
+
* did:web fallback. Factory entries receive the active fetch provider.
|
|
40
|
+
*/
|
|
41
|
+
didResolvers?: DIDResolverRegistry;
|
|
42
|
+
/**
|
|
43
|
+
* Resolver for StatusList2021 checks. Credentials with credentialStatus are
|
|
44
|
+
* rejected when no resolver is configured.
|
|
45
|
+
*/
|
|
46
|
+
statusListResolver?: StatusListResolver;
|
|
47
|
+
/**
|
|
48
|
+
* Resolve ancestor credentials for a delegated chain. The returned array may
|
|
49
|
+
* contain only ancestors (root -> parent) or the full chain (root -> leaf).
|
|
50
|
+
*/
|
|
51
|
+
resolveDelegationChain?: (leafCredential: DelegationCredential) => Promise<DelegationCredential[]>;
|
|
52
|
+
/**
|
|
53
|
+
* Graph-backed ancestor-revocation check. When provided, the chain walk also
|
|
54
|
+
* verifies the leaf is not revoked via a cascade-revoked ANCESTOR — caught
|
|
55
|
+
* independently of how `resolveDelegationChain` hydrated the chain (it walks
|
|
56
|
+
* the delegation graph + StatusList). `CascadingRevocationManager` is the
|
|
57
|
+
* reference adapter. Omit to keep the prior per-credential-status behavior.
|
|
58
|
+
*/
|
|
59
|
+
revocationChecker?: RevocationChecker;
|
|
60
|
+
/**
|
|
61
|
+
* Holder-of-key enforcement for inbound calls (spec §11.8). A valid delegation
|
|
62
|
+
* is a *bearer* credential; holder binding additionally requires the caller to
|
|
63
|
+
* present a per-request proof (`_kyaos_proof`) signed by the delegation
|
|
64
|
+
* SUBJECT's key, closing theft-replay for the key-bearing population.
|
|
65
|
+
*
|
|
66
|
+
* - `'off'` (default): no holder-binding check — current behavior, unchanged.
|
|
67
|
+
* - `'warn'`: check and log failures (missing/unbound proof), but still allow.
|
|
68
|
+
* - `'enforce'`: reject calls whose proof is missing or does not bind the
|
|
69
|
+
* subject. **Breaking for callers that don't yet send `_kyaos_proof`** — opt
|
|
70
|
+
* in only once your agents mint request proofs.
|
|
71
|
+
*
|
|
72
|
+
* Scope is did:key subjects (the DID encodes the key). did:web and other
|
|
73
|
+
* subjects are deferred to cnf-based binding (phase 2) and logged, never
|
|
74
|
+
* rejected — so enabling `'enforce'` never breaks did:web traffic.
|
|
75
|
+
*/
|
|
76
|
+
holderBinding?: "off" | "warn" | "enforce";
|
|
77
|
+
}
|
|
78
|
+
export interface KyaOsConfig {
|
|
79
|
+
/** Agent identity (DID + key material) */
|
|
80
|
+
identity: KyaOsIdentityConfig;
|
|
81
|
+
/** Session configuration overrides */
|
|
82
|
+
session?: Omit<SessionConfig, "nonceCache">;
|
|
83
|
+
/**
|
|
84
|
+
* Replay-protection store, shared by the session handshake AND inbound holder
|
|
85
|
+
* binding so both draw on one nonce namespace. Defaults to an in-memory store
|
|
86
|
+
* (single-process only); inject a Redis / Durable Object / KV-backed
|
|
87
|
+
* {@link NonceCacheProvider} for multi-instance deployments. Set here, not on
|
|
88
|
+
* `session`, so there is exactly one cache and the two cannot diverge.
|
|
89
|
+
*/
|
|
90
|
+
nonceCache?: NonceCacheProvider;
|
|
91
|
+
/**
|
|
92
|
+
* Durable store for approved authorization grants, enabling the no-paste
|
|
93
|
+
* retry: an agent that already obtained a grant can call again — even on a
|
|
94
|
+
* fresh instance with empty memory, or after a restart — without re-pasting
|
|
95
|
+
* the delegation. Defaults to an in-memory {@link MemoryGrantStore}
|
|
96
|
+
* (single-process only); inject a Redis / Durable Object / DB-backed
|
|
97
|
+
* {@link GrantStore} for multi-instance deployments. Mirrors `nonceCache?`.
|
|
98
|
+
*
|
|
99
|
+
* For the no-paste retry to actually RESOLVE a bound grant, the call must be
|
|
100
|
+
* resolvable: either holder binding is `'enforce'` and the agent presents a
|
|
101
|
+
* per-request `_kyaos_proof` (agent-anchored `getByAgent`), or the client
|
|
102
|
+
* threads its `sessionId` (session-bearer `getBySession`). A grant that would
|
|
103
|
+
* be unresolvable — holder binding `'off'` with no threaded `sessionId` — is
|
|
104
|
+
* NOT bound (it would only orphan a store row); such flows achieve durability
|
|
105
|
+
* by re-presenting the delegation instead.
|
|
106
|
+
*/
|
|
107
|
+
grantStore?: GrantStore;
|
|
108
|
+
/**
|
|
109
|
+
* Whether to ALSO emit the detached proof under the legacy bare `_meta.proof`
|
|
110
|
+
* key (in addition to the namespaced `org.kya-os/proof`). The value is
|
|
111
|
+
* identical under both keys and `_meta` is excluded from the response hash
|
|
112
|
+
* (§7.6), so the mirror never affects signatures or verification.
|
|
113
|
+
*
|
|
114
|
+
* Default `true` — a transition aid so pre-1.1 clients that still read bare
|
|
115
|
+
* `proof` keep working. Set `false` once your clients read the namespaced key
|
|
116
|
+
* (the examples do this for a clean single-key Inspector view).
|
|
117
|
+
*
|
|
118
|
+
* Stays ON by default for the whole 1.x line (a pre-1.1 reader of bare
|
|
119
|
+
* `_meta.proof` would otherwise silently get no proof); the legacy mirror is
|
|
120
|
+
* dropped at 2.0.
|
|
121
|
+
*/
|
|
122
|
+
emitLegacyProofKey?: boolean;
|
|
123
|
+
/** Delegation verification overrides */
|
|
124
|
+
delegation?: KyaOsDelegationConfig;
|
|
125
|
+
/**
|
|
126
|
+
* When true, automatically creates a session on the first tool call
|
|
127
|
+
* if no session exists. Useful for demos and development where
|
|
128
|
+
* MCP clients don't support the `_kyaos` handshake flow.
|
|
129
|
+
* In production, KYA-OS-aware runtimes should execute handshake before tool calls.
|
|
130
|
+
*/
|
|
131
|
+
autoSession?: boolean;
|
|
132
|
+
/**
|
|
133
|
+
* Sink for retaining audit records of verified tool calls. Defaults to a
|
|
134
|
+
* no-op; supply an {@link AuditLogProvider} (e.g. a durable, append-only
|
|
135
|
+
* implementation) to capture an audit trail.
|
|
136
|
+
*/
|
|
137
|
+
auditLog?: AuditLogProvider;
|
|
138
|
+
}
|
|
139
|
+
//# sourceMappingURL=with-kya-os.config-types.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"with-kya-os.config-types.d.ts","sourceRoot":"","sources":["../../src/middleware/with-kya-os.config-types.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAC;AAC9E,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,2BAA2B,CAAC;AAClE,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AAC9D,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AAC3D,OAAO,KAAK,EACV,WAAW,EACX,kBAAkB,EACnB,MAAM,8BAA8B,CAAC;AACtC,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,wCAAwC,CAAC;AAClF,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,oCAAoC,CAAC;AAC5E,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AAEjE,MAAM,WAAW,mBAAmB;IAClC,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,eAAO,MAAM,cAAc,kDAAmD,CAAC;AAC/E,MAAM,MAAM,WAAW,GAAG,CAAC,OAAO,cAAc,CAAC,CAAC,MAAM,CAAC,CAAC;AAE1D,MAAM,WAAW,qBAAqB;IACpC;;;OAGG;IACH,WAAW,CAAC,EAAE,WAAW,CAAC;IAC1B;;;OAGG;IACH,aAAa,CAAC,EAAE,aAAa,CAAC;IAC9B;;;;OAIG;IACH,YAAY,CAAC,EAAE,mBAAmB,CAAC;IACnC;;;OAGG;IACH,kBAAkB,CAAC,EAAE,kBAAkB,CAAC;IACxC;;;OAGG;IACH,sBAAsB,CAAC,EAAE,CACvB,cAAc,EAAE,oBAAoB,KACjC,OAAO,CAAC,oBAAoB,EAAE,CAAC,CAAC;IACrC;;;;;;OAMG;IACH,iBAAiB,CAAC,EAAE,iBAAiB,CAAC;IACtC;;;;;;;;;;;;;;;OAeG;IACH,aAAa,CAAC,EAAE,KAAK,GAAG,MAAM,GAAG,SAAS,CAAC;CAC5C;AAED,MAAM,WAAW,WAAW;IAC1B,0CAA0C;IAC1C,QAAQ,EAAE,mBAAmB,CAAC;IAC9B,sCAAsC;IACtC,OAAO,CAAC,EAAE,IAAI,CAAC,aAAa,EAAE,YAAY,CAAC,CAAC;IAC5C;;;;;;OAMG;IACH,UAAU,CAAC,EAAE,kBAAkB,CAAC;IAChC;;;;;;;;;;;;;;;OAeG;IACH,UAAU,CAAC,EAAE,UAAU,CAAC;IACxB;;;;;;;;;;;;;OAaG;IACH,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,wCAAwC;IACxC,UAAU,CAAC,EAAE,qBAAqB,CAAC;IACnC;;;;;OAKG;IACH,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB;;;;OAIG;IACH,QAAQ,CAAC,EAAE,gBAAgB,CAAC;CAC7B"}
|
|
@@ -0,0 +1,9 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* KYA-OS Middleware — configuration input types.
|
|
3
|
+
*
|
|
4
|
+
* The identity / session / delegation configuration a caller passes to
|
|
5
|
+
* `withKyaOs` / `createKyaOsMiddleware`. Split from the API-surface types
|
|
6
|
+
* (`./with-kya-os.types.ts`), which re-exports these so importers are unchanged.
|
|
7
|
+
*/
|
|
8
|
+
export const KYA_OS_ACTIONS = ["handshake", "identity", "reputation"];
|
|
9
|
+
//# sourceMappingURL=with-kya-os.config-types.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"with-kya-os.config-types.js","sourceRoot":"","sources":["../../src/middleware/with-kya-os.config-types.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAsBH,MAAM,CAAC,MAAM,cAAc,GAAG,CAAC,WAAW,EAAE,UAAU,EAAE,YAAY,CAAU,CAAC"}
|
|
@@ -14,240 +14,9 @@
|
|
|
14
14
|
* internally by `withKyaOs()` and for advanced use cases like the
|
|
15
15
|
* low-level `Server` API or custom request handler patterns.
|
|
16
16
|
*/
|
|
17
|
-
import { type CryptoProvider
|
|
18
|
-
import {
|
|
19
|
-
|
|
20
|
-
import { ProofGenerator } from "../proof/generator.js";
|
|
21
|
-
import { type DIDResolver, type StatusListResolver } from "../delegation/vc-verifier.js";
|
|
22
|
-
import { type RevocationChecker } from "../delegation/chain-enforcement.js";
|
|
23
|
-
import { type DelegationCredential, type NeedsAuthorizationError } from "../types/protocol.js";
|
|
24
|
-
import { RiskClassifier } from "../policy/classifier.js";
|
|
25
|
-
import { type ApprovalGrant } from "../policy/approval.js";
|
|
26
|
-
import type { PolicyEngine } from "../policy/engine.js";
|
|
27
|
-
export interface KyaOsIdentityConfig {
|
|
28
|
-
did: string;
|
|
29
|
-
kid: string;
|
|
30
|
-
privateKey: string;
|
|
31
|
-
publicKey: string;
|
|
32
|
-
agentName?: string;
|
|
33
|
-
}
|
|
34
|
-
export declare const KYA_OS_ACTIONS: readonly ["handshake", "identity", "reputation"];
|
|
35
|
-
export interface KyaOsDelegationConfig {
|
|
36
|
-
/**
|
|
37
|
-
* Optional custom DID resolver. If it returns null, middleware falls back to
|
|
38
|
-
* built-in did:key resolution and fetch-backed did:web resolution.
|
|
39
|
-
*/
|
|
40
|
-
didResolver?: DIDResolver;
|
|
41
|
-
/**
|
|
42
|
-
* Optional fetch provider used for did:web resolution.
|
|
43
|
-
* If omitted, middleware falls back to the runtime global fetch when available.
|
|
44
|
-
*/
|
|
45
|
-
fetchProvider?: FetchProvider;
|
|
46
|
-
/**
|
|
47
|
-
* Resolver for StatusList2021 checks. Credentials with credentialStatus are
|
|
48
|
-
* rejected when no resolver is configured.
|
|
49
|
-
*/
|
|
50
|
-
statusListResolver?: StatusListResolver;
|
|
51
|
-
/**
|
|
52
|
-
* Resolve ancestor credentials for a delegated chain. The returned array may
|
|
53
|
-
* contain only ancestors (root -> parent) or the full chain (root -> leaf).
|
|
54
|
-
*/
|
|
55
|
-
resolveDelegationChain?: (leafCredential: DelegationCredential) => Promise<DelegationCredential[]>;
|
|
56
|
-
/**
|
|
57
|
-
* Graph-backed ancestor-revocation check. When provided, the chain walk also
|
|
58
|
-
* verifies the leaf is not revoked via a cascade-revoked ANCESTOR — caught
|
|
59
|
-
* independently of how `resolveDelegationChain` hydrated the chain (it walks
|
|
60
|
-
* the delegation graph + StatusList). `CascadingRevocationManager` is the
|
|
61
|
-
* reference adapter. Omit to keep the prior per-credential-status behavior.
|
|
62
|
-
*/
|
|
63
|
-
revocationChecker?: RevocationChecker;
|
|
64
|
-
/**
|
|
65
|
-
* Holder-of-key enforcement for inbound calls (spec §11.8). A valid delegation
|
|
66
|
-
* is a *bearer* credential; holder binding additionally requires the caller to
|
|
67
|
-
* present a per-request proof (`_kyaos_proof`) signed by the delegation
|
|
68
|
-
* SUBJECT's key, closing theft-replay for the key-bearing population.
|
|
69
|
-
*
|
|
70
|
-
* - `'off'` (default): no holder-binding check — current behavior, unchanged.
|
|
71
|
-
* - `'warn'`: check and log failures (missing/unbound proof), but still allow.
|
|
72
|
-
* - `'enforce'`: reject calls whose proof is missing or does not bind the
|
|
73
|
-
* subject. **Breaking for callers that don't yet send `_kyaos_proof`** — opt
|
|
74
|
-
* in only once your agents mint request proofs.
|
|
75
|
-
*
|
|
76
|
-
* Scope is did:key subjects (the DID encodes the key). did:web and other
|
|
77
|
-
* subjects are deferred to cnf-based binding (phase 2) and logged, never
|
|
78
|
-
* rejected — so enabling `'enforce'` never breaks did:web traffic.
|
|
79
|
-
*/
|
|
80
|
-
holderBinding?: "off" | "warn" | "enforce";
|
|
81
|
-
}
|
|
82
|
-
export interface KyaOsConfig {
|
|
83
|
-
/** Agent identity (DID + key material) */
|
|
84
|
-
identity: KyaOsIdentityConfig;
|
|
85
|
-
/** Session configuration overrides */
|
|
86
|
-
session?: Omit<SessionConfig, "nonceCache">;
|
|
87
|
-
/**
|
|
88
|
-
* Replay-protection store, shared by the session handshake AND inbound holder
|
|
89
|
-
* binding so both draw on one nonce namespace. Defaults to an in-memory store
|
|
90
|
-
* (single-process only); inject a Redis / Durable Object / KV-backed
|
|
91
|
-
* {@link NonceCacheProvider} for multi-instance deployments. Set here, not on
|
|
92
|
-
* `session`, so there is exactly one cache and the two cannot diverge.
|
|
93
|
-
*/
|
|
94
|
-
nonceCache?: NonceCacheProvider;
|
|
95
|
-
/** Delegation verification overrides */
|
|
96
|
-
delegation?: KyaOsDelegationConfig;
|
|
97
|
-
/**
|
|
98
|
-
* When true, automatically creates a session on the first tool call
|
|
99
|
-
* if no session exists. Useful for demos and development where
|
|
100
|
-
* MCP clients don't support the `_kyaos` handshake flow.
|
|
101
|
-
* In production, KYA-OS-aware runtimes should execute handshake before tool calls.
|
|
102
|
-
*/
|
|
103
|
-
autoSession?: boolean;
|
|
104
|
-
/**
|
|
105
|
-
* Sink for retaining audit records of verified tool calls. Defaults to a
|
|
106
|
-
* no-op; supply an {@link AuditLogProvider} (e.g. a durable, append-only
|
|
107
|
-
* implementation) to capture an audit trail.
|
|
108
|
-
*/
|
|
109
|
-
auditLog?: AuditLogProvider;
|
|
110
|
-
}
|
|
111
|
-
export interface KyaOsToolDefinition {
|
|
112
|
-
name: string;
|
|
113
|
-
description?: string;
|
|
114
|
-
inputSchema: {
|
|
115
|
-
type: "object";
|
|
116
|
-
properties?: Record<string, unknown>;
|
|
117
|
-
required?: string[];
|
|
118
|
-
[key: string]: unknown;
|
|
119
|
-
};
|
|
120
|
-
}
|
|
121
|
-
/**
|
|
122
|
-
* Per-call context threaded through the middleware wrappers (not part of the
|
|
123
|
-
* tool's public arguments). `wrapWithDelegation` populates `scopeId` so the
|
|
124
|
-
* proof and audit record reflect the scope the call was authorized under.
|
|
125
|
-
*/
|
|
126
|
-
export interface KyaOsCallContext {
|
|
127
|
-
scopeId?: string;
|
|
128
|
-
}
|
|
129
|
-
export interface KyaOsToolHandler<T extends Record<string, unknown> = Record<string, unknown>> {
|
|
130
|
-
(args: T, sessionId?: string, context?: KyaOsCallContext): Promise<{
|
|
131
|
-
content: Array<{
|
|
132
|
-
type: string;
|
|
133
|
-
text: string;
|
|
134
|
-
[key: string]: unknown;
|
|
135
|
-
}>;
|
|
136
|
-
isError?: boolean;
|
|
137
|
-
[key: string]: unknown;
|
|
138
|
-
}>;
|
|
139
|
-
}
|
|
140
|
-
/**
|
|
141
|
-
* Server interface — minimal subset of @modelcontextprotocol/sdk Server.
|
|
142
|
-
* This avoids a hard dependency on the SDK at the type level.
|
|
143
|
-
*/
|
|
144
|
-
export interface KyaOsServer {
|
|
145
|
-
setRequestHandler(schema: unknown, handler: (...args: unknown[]) => unknown): void;
|
|
146
|
-
}
|
|
147
|
-
export interface KyaOsMiddleware {
|
|
148
|
-
/** The identity config used by this middleware instance */
|
|
149
|
-
identity: KyaOsIdentityConfig;
|
|
150
|
-
/** The SessionManager instance for manual session operations */
|
|
151
|
-
sessionManager: SessionManager;
|
|
152
|
-
/** The ProofGenerator instance for manual proof operations */
|
|
153
|
-
proofGenerator: ProofGenerator;
|
|
154
|
-
/**
|
|
155
|
-
* Unified tool definition for `_kyaos`.
|
|
156
|
-
* Include this in your ListToolsRequest handler's tool list.
|
|
157
|
-
*/
|
|
158
|
-
kyaOsTool: KyaOsToolDefinition;
|
|
159
|
-
/**
|
|
160
|
-
* @deprecated Use `kyaOsTool` (`_kyaos` with `action: "handshake"`).
|
|
161
|
-
* Tool definition for `_kyaos_handshake`.
|
|
162
|
-
* Include this in your ListToolsRequest handler's tool list.
|
|
163
|
-
*/
|
|
164
|
-
handshakeTool: KyaOsToolDefinition;
|
|
165
|
-
/**
|
|
166
|
-
* Handle a unified `_kyaos` action. Use this in your CallToolRequest handler
|
|
167
|
-
* when `request.params.name === '_kyaos'`.
|
|
168
|
-
*/
|
|
169
|
-
handleKyaOs(args: Record<string, unknown>): Promise<{
|
|
170
|
-
content: Array<{
|
|
171
|
-
type: string;
|
|
172
|
-
text: string;
|
|
173
|
-
}>;
|
|
174
|
-
isError?: boolean;
|
|
175
|
-
}>;
|
|
176
|
-
/**
|
|
177
|
-
* @deprecated Use `handleKyaOs` with `action: "handshake"`.
|
|
178
|
-
* Handle a handshake call. Use this in your CallToolRequest handler
|
|
179
|
-
* when `request.params.name === '_kyaos_handshake'`.
|
|
180
|
-
*/
|
|
181
|
-
handleHandshake(args: Record<string, unknown>): Promise<{
|
|
182
|
-
content: Array<{
|
|
183
|
-
type: string;
|
|
184
|
-
text: string;
|
|
185
|
-
}>;
|
|
186
|
-
isError?: boolean;
|
|
187
|
-
}>;
|
|
188
|
-
/**
|
|
189
|
-
* Wrap a tool handler to automatically generate proofs.
|
|
190
|
-
* Returns a new handler that appends proof metadata to the response.
|
|
191
|
-
*/
|
|
192
|
-
wrapWithProof<T extends Record<string, unknown> = Record<string, unknown>>(toolName: string, handler: KyaOsToolHandler<T>): KyaOsToolHandler;
|
|
193
|
-
/**
|
|
194
|
-
* Wrap a tool handler to require a valid W3C Delegation Credential.
|
|
195
|
-
*
|
|
196
|
-
* Caller must pass the VC as `_kyaos_delegation` in the tool args.
|
|
197
|
-
* - If absent: returns a `needs_authorization` response with the consentUrl.
|
|
198
|
-
* - If present but invalid: returns a structured error with reason.
|
|
199
|
-
* - If valid with correct scope: strips `_kyaos_delegation` and calls the handler.
|
|
200
|
-
*/
|
|
201
|
-
wrapWithDelegation(toolName: string, config: {
|
|
202
|
-
scopeId: string;
|
|
203
|
-
consentUrl: string;
|
|
204
|
-
/**
|
|
205
|
-
* Optional presentation hook for the `needs_authorization` challenge.
|
|
206
|
-
* Given the structured challenge, return the tool-response content to emit
|
|
207
|
-
* (e.g. a markdown "Authorize" link for LLM / chat-style MCP clients that
|
|
208
|
-
* won't parse raw JSON). The signed challenge proof binds a `responseHash`
|
|
209
|
-
* over WHATEVER this returns, so the `authorizationUrl` stays tamper-evident
|
|
210
|
-
* regardless of presentation. Defaults to the structured challenge as JSON.
|
|
211
|
-
*/
|
|
212
|
-
formatChallenge?: (challenge: NeedsAuthorizationError) => Array<{
|
|
213
|
-
type: "text";
|
|
214
|
-
text: string;
|
|
215
|
-
}>;
|
|
216
|
-
}, handler: KyaOsToolHandler): KyaOsToolHandler;
|
|
217
|
-
/**
|
|
218
|
-
* Wrap a tool handler with a per-action policy / step-up gate.
|
|
219
|
-
*
|
|
220
|
-
* Compose after `wrapWithDelegation`. Classifies the action's risk and asks a
|
|
221
|
-
* pluggable PolicyEngine: allow → run handler; deny → signed denial proof;
|
|
222
|
-
* step_up → `needs_approval` until N-of-M signed approval grants (bound to the
|
|
223
|
-
* request hash) are supplied.
|
|
224
|
-
*/
|
|
225
|
-
withPolicyGate?(toolName: string, handler: KyaOsToolHandler, opts?: PolicyGateOptions): KyaOsToolHandler;
|
|
226
|
-
}
|
|
227
|
-
export interface PolicyGateOptions {
|
|
228
|
-
/** Policy decision engine. Defaults to a fail-closed DefaultPolicyEngine. */
|
|
229
|
-
engine?: PolicyEngine;
|
|
230
|
-
/** Risk classifier. Defaults to the built-in RiskClassifier. */
|
|
231
|
-
classifier?: RiskClassifier;
|
|
232
|
-
/** Derive the resource namespace from the tool args (defaults to the tool name). */
|
|
233
|
-
resolveNamespace?: (args: Record<string, unknown>) => string;
|
|
234
|
-
/** Tool-arg key carrying approval grants on resume. Default "_kyaos_approvals". */
|
|
235
|
-
approvalsArgKey?: string;
|
|
236
|
-
/** Verifier for approval-grant signatures (identity-layer). Default: reject all. */
|
|
237
|
-
isValidApprovalSignature?: (grant: ApprovalGrant) => Promise<boolean>;
|
|
238
|
-
/**
|
|
239
|
-
* Whether a prior step already authorized this action's scope/identity.
|
|
240
|
-
*
|
|
241
|
-
* Defaults to FALSE (fail-closed): used standalone, withPolicyGate enforces no
|
|
242
|
-
* scope or identity, so it must NOT be trusted to allow on its own. When you
|
|
243
|
-
* compose it AFTER wrapWithDelegation (the expected usage), pass
|
|
244
|
-
* `scopeMatched: true` to signal that the delegated scope was already verified.
|
|
245
|
-
* Note: principal facts are projected from the (unverified) `_kyaos_delegation`
|
|
246
|
-
* arg on a best-effort basis and must not be treated as authenticated unless
|
|
247
|
-
* wrapWithDelegation ran first.
|
|
248
|
-
*/
|
|
249
|
-
scopeMatched?: boolean;
|
|
250
|
-
}
|
|
17
|
+
import { type CryptoProvider } from "../providers/base.js";
|
|
18
|
+
import { type KyaOsConfig, type KyaOsMiddleware } from "./with-kya-os.types.js";
|
|
19
|
+
export * from "./with-kya-os.types.js";
|
|
251
20
|
/**
|
|
252
21
|
* Create KYA-OS middleware for a standard MCP SDK Server.
|
|
253
22
|
*
|
|
@@ -265,10 +34,13 @@ export interface PolicyGateOptions {
|
|
|
265
34
|
* @returns Middleware components for session management and proof generation
|
|
266
35
|
*
|
|
267
36
|
* @remarks
|
|
268
|
-
* **
|
|
269
|
-
*
|
|
270
|
-
*
|
|
271
|
-
*
|
|
37
|
+
* **Session resolution**: proof generation resolves the session from the explicit
|
|
38
|
+
* `sessionId` threaded into each wrapper. A single-process `activeSessionId`
|
|
39
|
+
* fallback (the established handshake/auto session) is consulted ONLY when no
|
|
40
|
+
* sessionId was threaded — e.g. non-KYA-OS clients (MCP Inspector) and the
|
|
41
|
+
* transport auto-proof path; a KYA-OS-aware call never depends on it. By default
|
|
42
|
+
* sessions live in an in-memory Map; for multi-instance deployments inject a
|
|
43
|
+
* durable `SessionStore` via `config.session.sessionStore`.
|
|
272
44
|
*/
|
|
273
45
|
export declare function createKyaOsMiddleware(config: KyaOsConfig, cryptoProvider: CryptoProvider): KyaOsMiddleware;
|
|
274
46
|
//# sourceMappingURL=with-kya-os.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"with-kya-os.d.ts","sourceRoot":"","sources":["../../src/middleware/with-kya-os.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,
|
|
1
|
+
{"version":3,"file":"with-kya-os.d.ts","sourceRoot":"","sources":["../../src/middleware/with-kya-os.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,EAAE,KAAK,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAa3D,OAAO,EACL,KAAK,WAAW,EAChB,KAAK,eAAe,EACrB,MAAM,wBAAwB,CAAC;AAUhC,cAAc,wBAAwB,CAAC;AAEvC;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAEH,wBAAgB,qBAAqB,CACnC,MAAM,EAAE,WAAW,EACnB,cAAc,EAAE,cAAc,GAC7B,eAAe,CA2GjB"}
|
|
@@ -0,0 +1,19 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* KYA-OS Middleware — the delegation gate (`wrapWithDelegation`).
|
|
3
|
+
*
|
|
4
|
+
* Requires a valid W3C Delegation Credential (or a durable grant / no-paste
|
|
5
|
+
* retry), enforces holder-of-key binding (spec §11.8) and scope, then strips the
|
|
6
|
+
* `_kyaos*` control namespace and runs the handler. Extracted from
|
|
7
|
+
* `./with-kya-os.ts`; verification plumbing lives in `./with-kya-os.delegation-verify.ts`.
|
|
8
|
+
*/
|
|
9
|
+
import type { KyaOsDelegationGate } from "./with-kya-os.types.js";
|
|
10
|
+
import type { MiddlewareDeps, AttachOutcomeProof } from "./with-kya-os.deps.js";
|
|
11
|
+
import type { GrantResolution } from "./with-kya-os.grants.js";
|
|
12
|
+
/** Collaborators the delegation gate borrows from its sibling sub-factories. */
|
|
13
|
+
export interface DelegationGateWiring {
|
|
14
|
+
attachOutcomeProof: AttachOutcomeProof;
|
|
15
|
+
resolveExistingGrant: GrantResolution["resolveExistingGrant"];
|
|
16
|
+
bindGrantOnSuccess: GrantResolution["bindGrantOnSuccess"];
|
|
17
|
+
}
|
|
18
|
+
export declare function createDelegationGate(deps: MiddlewareDeps, wiring: DelegationGateWiring): Pick<KyaOsDelegationGate, "wrapWithDelegation">;
|
|
19
|
+
//# sourceMappingURL=with-kya-os.delegation-gate.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"with-kya-os.delegation-gate.d.ts","sourceRoot":"","sources":["../../src/middleware/with-kya-os.delegation-gate.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAgBH,OAAO,KAAK,EAEV,mBAAmB,EACpB,MAAM,wBAAwB,CAAC;AAChC,OAAO,KAAK,EAAE,cAAc,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AAChF,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAC;AAO/D,gFAAgF;AAChF,MAAM,WAAW,oBAAoB;IACnC,kBAAkB,EAAE,kBAAkB,CAAC;IACvC,oBAAoB,EAAE,eAAe,CAAC,sBAAsB,CAAC,CAAC;IAC9D,kBAAkB,EAAE,eAAe,CAAC,oBAAoB,CAAC,CAAC;CAC3D;AAED,wBAAgB,oBAAoB,CAClC,IAAI,EAAE,cAAc,EACpB,MAAM,EAAE,oBAAoB,GAC3B,IAAI,CAAC,mBAAmB,EAAE,oBAAoB,CAAC,CAuPjD"}
|