@kya-os/mcp 1.6.1 → 1.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (282) hide show
  1. package/CHANGELOG.md +117 -0
  2. package/README.md +228 -3
  3. package/dist/authz/index.d.ts +1 -0
  4. package/dist/authz/index.d.ts.map +1 -1
  5. package/dist/authz/index.js +1 -0
  6. package/dist/authz/index.js.map +1 -1
  7. package/dist/authz/oidc/oidc-adapter.d.ts +10 -2
  8. package/dist/authz/oidc/oidc-adapter.d.ts.map +1 -1
  9. package/dist/authz/oidc/oidc-adapter.js +18 -9
  10. package/dist/authz/oidc/oidc-adapter.js.map +1 -1
  11. package/dist/authz/oidc/pending-flow-store.d.ts +80 -0
  12. package/dist/authz/oidc/pending-flow-store.d.ts.map +1 -0
  13. package/dist/authz/oidc/pending-flow-store.js +82 -0
  14. package/dist/authz/oidc/pending-flow-store.js.map +1 -0
  15. package/dist/card/build.d.ts +41 -0
  16. package/dist/card/build.d.ts.map +1 -0
  17. package/dist/card/build.js +47 -0
  18. package/dist/card/build.js.map +1 -0
  19. package/dist/card/builder.d.ts +99 -0
  20. package/dist/card/builder.d.ts.map +1 -0
  21. package/dist/card/builder.js +147 -0
  22. package/dist/card/builder.js.map +1 -0
  23. package/dist/card/cimd.d.ts +92 -0
  24. package/dist/card/cimd.d.ts.map +1 -0
  25. package/dist/card/cimd.js +225 -0
  26. package/dist/card/cimd.js.map +1 -0
  27. package/dist/card/delegation.d.ts +145 -0
  28. package/dist/card/delegation.d.ts.map +1 -0
  29. package/dist/card/delegation.js +293 -0
  30. package/dist/card/delegation.js.map +1 -0
  31. package/dist/card/emit.d.ts +133 -0
  32. package/dist/card/emit.d.ts.map +1 -0
  33. package/dist/card/emit.js +127 -0
  34. package/dist/card/emit.js.map +1 -0
  35. package/dist/card/index.d.ts +43 -0
  36. package/dist/card/index.d.ts.map +1 -0
  37. package/dist/card/index.js +46 -0
  38. package/dist/card/index.js.map +1 -0
  39. package/dist/card/middleware.d.ts +112 -0
  40. package/dist/card/middleware.d.ts.map +1 -0
  41. package/dist/card/middleware.js +121 -0
  42. package/dist/card/middleware.js.map +1 -0
  43. package/dist/card/proof/build.d.ts +22 -0
  44. package/dist/card/proof/build.d.ts.map +1 -0
  45. package/dist/card/proof/build.js +55 -0
  46. package/dist/card/proof/build.js.map +1 -0
  47. package/dist/card/proof/canonical.d.ts +66 -0
  48. package/dist/card/proof/canonical.d.ts.map +1 -0
  49. package/dist/card/proof/canonical.js +131 -0
  50. package/dist/card/proof/canonical.js.map +1 -0
  51. package/dist/card/proof/http-sig.d.ts +69 -0
  52. package/dist/card/proof/http-sig.d.ts.map +1 -0
  53. package/dist/card/proof/http-sig.js +101 -0
  54. package/dist/card/proof/http-sig.js.map +1 -0
  55. package/dist/card/proof/index.d.ts +25 -0
  56. package/dist/card/proof/index.d.ts.map +1 -0
  57. package/dist/card/proof/index.js +25 -0
  58. package/dist/card/proof/index.js.map +1 -0
  59. package/dist/card/proof/nonce-cache.d.ts +67 -0
  60. package/dist/card/proof/nonce-cache.d.ts.map +1 -0
  61. package/dist/card/proof/nonce-cache.js +88 -0
  62. package/dist/card/proof/nonce-cache.js.map +1 -0
  63. package/dist/card/proof/signer.d.ts +32 -0
  64. package/dist/card/proof/signer.d.ts.map +1 -0
  65. package/dist/card/proof/signer.js +59 -0
  66. package/dist/card/proof/signer.js.map +1 -0
  67. package/dist/card/proof/types.d.ts +219 -0
  68. package/dist/card/proof/types.d.ts.map +1 -0
  69. package/dist/card/proof/types.js +87 -0
  70. package/dist/card/proof/types.js.map +1 -0
  71. package/dist/card/proof/verify.d.ts +27 -0
  72. package/dist/card/proof/verify.d.ts.map +1 -0
  73. package/dist/card/proof/verify.js +236 -0
  74. package/dist/card/proof/verify.js.map +1 -0
  75. package/dist/card/resolve.d.ts +97 -0
  76. package/dist/card/resolve.d.ts.map +1 -0
  77. package/dist/card/resolve.js +223 -0
  78. package/dist/card/resolve.js.map +1 -0
  79. package/dist/card/revocation.d.ts +96 -0
  80. package/dist/card/revocation.d.ts.map +1 -0
  81. package/dist/card/revocation.js +190 -0
  82. package/dist/card/revocation.js.map +1 -0
  83. package/dist/card/schema.d.ts +177 -0
  84. package/dist/card/schema.d.ts.map +1 -0
  85. package/dist/card/schema.js +119 -0
  86. package/dist/card/schema.js.map +1 -0
  87. package/dist/card/verify.d.ts +144 -0
  88. package/dist/card/verify.d.ts.map +1 -0
  89. package/dist/card/verify.js +132 -0
  90. package/dist/card/verify.js.map +1 -0
  91. package/dist/delegation/bitstring.d.ts +9 -7
  92. package/dist/delegation/bitstring.d.ts.map +1 -1
  93. package/dist/delegation/bitstring.js +70 -37
  94. package/dist/delegation/bitstring.js.map +1 -1
  95. package/dist/delegation/did-linkage.d.ts +23 -0
  96. package/dist/delegation/did-linkage.d.ts.map +1 -0
  97. package/dist/delegation/did-linkage.js +57 -0
  98. package/dist/delegation/did-linkage.js.map +1 -0
  99. package/dist/delegation/did-resolver-registry.d.ts +7 -0
  100. package/dist/delegation/did-resolver-registry.d.ts.map +1 -0
  101. package/dist/delegation/did-resolver-registry.js +20 -0
  102. package/dist/delegation/did-resolver-registry.js.map +1 -0
  103. package/dist/delegation/did-web-resolver.d.ts +29 -18
  104. package/dist/delegation/did-web-resolver.d.ts.map +1 -1
  105. package/dist/delegation/did-web-resolver.js +65 -35
  106. package/dist/delegation/did-web-resolver.js.map +1 -1
  107. package/dist/delegation/index.d.ts +3 -0
  108. package/dist/delegation/index.d.ts.map +1 -1
  109. package/dist/delegation/index.js +3 -0
  110. package/dist/delegation/index.js.map +1 -1
  111. package/dist/delegation/statuslist-manager.d.ts.map +1 -1
  112. package/dist/delegation/statuslist-manager.js +16 -1
  113. package/dist/delegation/statuslist-manager.js.map +1 -1
  114. package/dist/delegation/vc-jwt-verify.d.ts +61 -0
  115. package/dist/delegation/vc-jwt-verify.d.ts.map +1 -0
  116. package/dist/delegation/vc-jwt-verify.js +131 -0
  117. package/dist/delegation/vc-jwt-verify.js.map +1 -0
  118. package/dist/delegation/vc-verification-checks.d.ts +50 -0
  119. package/dist/delegation/vc-verification-checks.d.ts.map +1 -0
  120. package/dist/delegation/vc-verification-checks.js +212 -0
  121. package/dist/delegation/vc-verification-checks.js.map +1 -0
  122. package/dist/delegation/vc-verifier.d.ts +24 -61
  123. package/dist/delegation/vc-verifier.d.ts.map +1 -1
  124. package/dist/delegation/vc-verifier.js +57 -180
  125. package/dist/delegation/vc-verifier.js.map +1 -1
  126. package/dist/delegation/vc-verifier.types.d.ts +88 -0
  127. package/dist/delegation/vc-verifier.types.d.ts.map +1 -0
  128. package/dist/delegation/vc-verifier.types.js +9 -0
  129. package/dist/delegation/vc-verifier.types.js.map +1 -0
  130. package/dist/index.d.ts +8 -4
  131. package/dist/index.d.ts.map +1 -1
  132. package/dist/index.js +10 -3
  133. package/dist/index.js.map +1 -1
  134. package/dist/integrations/cheqd/dlr.d.ts +44 -0
  135. package/dist/integrations/cheqd/dlr.d.ts.map +1 -0
  136. package/dist/integrations/cheqd/dlr.js +86 -0
  137. package/dist/integrations/cheqd/dlr.js.map +1 -0
  138. package/dist/integrations/cheqd/index.d.ts +5 -0
  139. package/dist/integrations/cheqd/index.d.ts.map +1 -0
  140. package/dist/integrations/cheqd/index.js +5 -0
  141. package/dist/integrations/cheqd/index.js.map +1 -0
  142. package/dist/integrations/cheqd/linkage.d.ts +20 -0
  143. package/dist/integrations/cheqd/linkage.d.ts.map +1 -0
  144. package/dist/integrations/cheqd/linkage.js +32 -0
  145. package/dist/integrations/cheqd/linkage.js.map +1 -0
  146. package/dist/integrations/cheqd/registrar.d.ts +85 -0
  147. package/dist/integrations/cheqd/registrar.d.ts.map +1 -0
  148. package/dist/integrations/cheqd/registrar.js +304 -0
  149. package/dist/integrations/cheqd/registrar.js.map +1 -0
  150. package/dist/integrations/cheqd/resolver.d.ts +38 -0
  151. package/dist/integrations/cheqd/resolver.d.ts.map +1 -0
  152. package/dist/integrations/cheqd/resolver.js +156 -0
  153. package/dist/integrations/cheqd/resolver.js.map +1 -0
  154. package/dist/middleware/index.d.ts +2 -0
  155. package/dist/middleware/index.d.ts.map +1 -1
  156. package/dist/middleware/index.js +5 -0
  157. package/dist/middleware/index.js.map +1 -1
  158. package/dist/middleware/kya-os-transport.d.ts +2 -1
  159. package/dist/middleware/kya-os-transport.d.ts.map +1 -1
  160. package/dist/middleware/kya-os-transport.js +2 -1
  161. package/dist/middleware/kya-os-transport.js.map +1 -1
  162. package/dist/middleware/with-kya-os-server.d.ts +21 -4
  163. package/dist/middleware/with-kya-os-server.d.ts.map +1 -1
  164. package/dist/middleware/with-kya-os-server.js +4 -0
  165. package/dist/middleware/with-kya-os-server.js.map +1 -1
  166. package/dist/middleware/with-kya-os.config-types.d.ts +139 -0
  167. package/dist/middleware/with-kya-os.config-types.d.ts.map +1 -0
  168. package/dist/middleware/with-kya-os.config-types.js +9 -0
  169. package/dist/middleware/with-kya-os.config-types.js.map +1 -0
  170. package/dist/middleware/with-kya-os.d.ts +10 -238
  171. package/dist/middleware/with-kya-os.d.ts.map +1 -1
  172. package/dist/middleware/with-kya-os.delegation-gate.d.ts +19 -0
  173. package/dist/middleware/with-kya-os.delegation-gate.d.ts.map +1 -0
  174. package/dist/middleware/with-kya-os.delegation-gate.js +175 -0
  175. package/dist/middleware/with-kya-os.delegation-gate.js.map +1 -0
  176. package/dist/middleware/with-kya-os.delegation-verify.d.ts +51 -0
  177. package/dist/middleware/with-kya-os.delegation-verify.d.ts.map +1 -0
  178. package/dist/middleware/with-kya-os.delegation-verify.js +165 -0
  179. package/dist/middleware/with-kya-os.delegation-verify.js.map +1 -0
  180. package/dist/middleware/with-kya-os.deps.d.ts +40 -0
  181. package/dist/middleware/with-kya-os.deps.d.ts.map +1 -0
  182. package/dist/middleware/with-kya-os.deps.js +9 -0
  183. package/dist/middleware/with-kya-os.deps.js.map +1 -0
  184. package/dist/middleware/with-kya-os.grants.d.ts +30 -0
  185. package/dist/middleware/with-kya-os.grants.d.ts.map +1 -0
  186. package/dist/middleware/with-kya-os.grants.js +145 -0
  187. package/dist/middleware/with-kya-os.grants.js.map +1 -0
  188. package/dist/middleware/with-kya-os.helpers.d.ts +24 -0
  189. package/dist/middleware/with-kya-os.helpers.d.ts.map +1 -0
  190. package/dist/middleware/with-kya-os.helpers.js +57 -0
  191. package/dist/middleware/with-kya-os.helpers.js.map +1 -0
  192. package/dist/middleware/with-kya-os.js +65 -703
  193. package/dist/middleware/with-kya-os.js.map +1 -1
  194. package/dist/middleware/with-kya-os.policy-gate.d.ts +16 -0
  195. package/dist/middleware/with-kya-os.policy-gate.d.ts.map +1 -0
  196. package/dist/middleware/with-kya-os.policy-gate.js +98 -0
  197. package/dist/middleware/with-kya-os.policy-gate.js.map +1 -0
  198. package/dist/middleware/with-kya-os.protocol.d.ts +29 -0
  199. package/dist/middleware/with-kya-os.protocol.d.ts.map +1 -0
  200. package/dist/middleware/with-kya-os.protocol.js +121 -0
  201. package/dist/middleware/with-kya-os.protocol.js.map +1 -0
  202. package/dist/middleware/with-kya-os.session.d.ts +32 -0
  203. package/dist/middleware/with-kya-os.session.d.ts.map +1 -0
  204. package/dist/middleware/with-kya-os.session.js +201 -0
  205. package/dist/middleware/with-kya-os.session.js.map +1 -0
  206. package/dist/middleware/with-kya-os.types.d.ts +178 -0
  207. package/dist/middleware/with-kya-os.types.d.ts.map +1 -0
  208. package/dist/middleware/with-kya-os.types.js +13 -0
  209. package/dist/middleware/with-kya-os.types.js.map +1 -0
  210. package/dist/proof/generator.d.ts +21 -0
  211. package/dist/proof/generator.d.ts.map +1 -1
  212. package/dist/proof/generator.js +21 -0
  213. package/dist/proof/generator.js.map +1 -1
  214. package/dist/proof/index.d.ts +1 -1
  215. package/dist/proof/index.d.ts.map +1 -1
  216. package/dist/proof/index.js +1 -1
  217. package/dist/proof/index.js.map +1 -1
  218. package/dist/proof/verifier.d.ts +26 -3
  219. package/dist/proof/verifier.d.ts.map +1 -1
  220. package/dist/proof/verifier.js +54 -24
  221. package/dist/proof/verifier.js.map +1 -1
  222. package/dist/providers/grant-store.d.ts +10 -1
  223. package/dist/providers/grant-store.d.ts.map +1 -1
  224. package/dist/providers/grant-store.js.map +1 -1
  225. package/dist/providers/runtime-fetch.d.ts +8 -0
  226. package/dist/providers/runtime-fetch.d.ts.map +1 -1
  227. package/dist/providers/runtime-fetch.js +17 -0
  228. package/dist/providers/runtime-fetch.js.map +1 -1
  229. package/dist/providers/web-crypto.d.ts.map +1 -1
  230. package/dist/providers/web-crypto.js +15 -7
  231. package/dist/providers/web-crypto.js.map +1 -1
  232. package/dist/session/index.d.ts +1 -0
  233. package/dist/session/index.d.ts.map +1 -1
  234. package/dist/session/index.js +1 -0
  235. package/dist/session/index.js.map +1 -1
  236. package/dist/session/manager.d.ts +17 -6
  237. package/dist/session/manager.d.ts.map +1 -1
  238. package/dist/session/manager.js +16 -26
  239. package/dist/session/manager.js.map +1 -1
  240. package/dist/session/session-store.d.ts +78 -0
  241. package/dist/session/session-store.d.ts.map +1 -0
  242. package/dist/session/session-store.js +79 -0
  243. package/dist/session/session-store.js.map +1 -0
  244. package/dist/types/protocol.d.ts +9 -3
  245. package/dist/types/protocol.d.ts.map +1 -1
  246. package/dist/types/protocol.js.map +1 -1
  247. package/dist/utils/guards.d.ts +2 -0
  248. package/dist/utils/guards.d.ts.map +1 -0
  249. package/dist/utils/guards.js +4 -0
  250. package/dist/utils/guards.js.map +1 -0
  251. package/dist/utils/index.d.ts +3 -0
  252. package/dist/utils/index.d.ts.map +1 -1
  253. package/dist/utils/index.js +3 -0
  254. package/dist/utils/index.js.map +1 -1
  255. package/dist/utils/ip-classifier.d.ts +12 -0
  256. package/dist/utils/ip-classifier.d.ts.map +1 -0
  257. package/dist/utils/ip-classifier.js +153 -0
  258. package/dist/utils/ip-classifier.js.map +1 -0
  259. package/dist/utils/safe-fetch-transports.d.ts +40 -0
  260. package/dist/utils/safe-fetch-transports.d.ts.map +1 -0
  261. package/dist/utils/safe-fetch-transports.js +121 -0
  262. package/dist/utils/safe-fetch-transports.js.map +1 -0
  263. package/dist/utils/safe-fetch-types.d.ts +66 -0
  264. package/dist/utils/safe-fetch-types.d.ts.map +1 -0
  265. package/dist/utils/safe-fetch-types.js +10 -0
  266. package/dist/utils/safe-fetch-types.js.map +1 -0
  267. package/dist/utils/safe-fetch.d.ts +40 -0
  268. package/dist/utils/safe-fetch.d.ts.map +1 -0
  269. package/dist/utils/safe-fetch.js +188 -0
  270. package/dist/utils/safe-fetch.js.map +1 -0
  271. package/dist/utils/statuslist-purpose.d.ts +12 -0
  272. package/dist/utils/statuslist-purpose.d.ts.map +1 -0
  273. package/dist/utils/statuslist-purpose.js +19 -0
  274. package/dist/utils/statuslist-purpose.js.map +1 -0
  275. package/dist/utils/url.d.ts +2 -0
  276. package/dist/utils/url.d.ts.map +1 -0
  277. package/dist/utils/url.js +8 -0
  278. package/dist/utils/url.js.map +1 -0
  279. package/package.json +25 -5
  280. package/schemas/README.md +2 -1
  281. package/schemas/card-delegation-credential.json +239 -0
  282. package/schemas/kya-os-card.schema.json +284 -0
@@ -0,0 +1 @@
1
+ {"version":3,"file":"pending-flow-store.d.ts","sourceRoot":"","sources":["../../../src/authz/oidc/pending-flow-store.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAEH,gFAAgF;AAChF,MAAM,WAAW,WAAW;IAC1B,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,YAAY,EAAE,MAAM,CAAC;IACrB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED;;;;GAIG;AACH,8BAAsB,gBAAgB;IACpC,iFAAiF;IACjF,QAAQ,CAAC,GAAG,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,WAAW,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAC5E,oEAAoE;IACpE,QAAQ,CAAC,GAAG,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,SAAS,CAAC;IAC7D;;;;;;;;OAQG;IACH,QAAQ,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,SAAS,CAAC;IACjE,gDAAgD;IAChD,QAAQ,CAAC,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAC7C,4BAA4B;IAC5B,QAAQ,CAAC,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;CAClC;AAED,MAAM,WAAW,6BAA6B;IAC5C,uDAAuD;IACvD,GAAG,CAAC,EAAE,MAAM,MAAM,CAAC;CACpB;AAED;;;;;;GAMG;AACH,qBAAa,sBAAuB,SAAQ,gBAAgB;IAC1D,OAAO,CAAC,QAAQ,CAAC,OAAO,CAA+D;IACvF,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAe;gBAEvB,OAAO,GAAE,6BAAkC;IAKjD,GAAG,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,WAAW,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAInE,GAAG,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,SAAS,CAAC;IAUpD,OAAO,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,SAAS,CAAC;IAUxD,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIpC,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;CAM/B"}
@@ -0,0 +1,82 @@
1
+ /**
2
+ * PendingFlowStore — the provider seam for in-flight OAuth/OIDC PKCE state.
3
+ *
4
+ * Between {@link GenericOidcAdapter.initiateFlow} (which mints a resume token and
5
+ * the PKCE `codeVerifier`) and the authorization callback (which exchanges the
6
+ * code), the verifier must be held server-side keyed by the resume token — it is
7
+ * never placed on the wire. Holding it in a per-process `Map` breaks the moment a
8
+ * second instance or a restart enters the picture: if the callback lands on
9
+ * another instance the verifier is gone, the token exchange fails closed, and no
10
+ * grant is ever minted.
11
+ *
12
+ * This seam mirrors {@link GrantStore} / `NonceCacheProvider`: the in-memory
13
+ * implementation here is the dev/reference impl; production injects a Redis /
14
+ * Durable Object / database-backed store behind the same interface so
15
+ * `initiateFlow` on instance A and the callback on instance B share one verifier.
16
+ *
17
+ * `get` (non-consuming read) and `delete` (consume) are kept separate so the
18
+ * adapter can preserve its one-time-use ordering: it reads the pending flow,
19
+ * validates `state`, performs the token exchange, and deletes ONLY after the
20
+ * exchange succeeds — so a transient IdP error does not burn the resume token.
21
+ *
22
+ * Production note: a durable backing SHOULD make `delete`-after-exchange atomic
23
+ * (e.g. Redis `GETDEL`, or a compare-and-set) to close the one-time-use replay
24
+ * window across instances.
25
+ */
26
+ /**
27
+ * Store for pending (awaiting-callback) OAuth/OIDC PKCE flows. Implementations
28
+ * persist a flow under a resume token with a TTL, read it back (non-consuming),
29
+ * consume it after a successful exchange, and sweep expired entries.
30
+ */
31
+ export class PendingFlowStore {
32
+ }
33
+ /**
34
+ * In-memory {@link PendingFlowStore} — the dev/reference implementation.
35
+ *
36
+ * NOT for production: pending flows are lost on restart and are invisible to a
37
+ * sibling instance, so a callback that lands elsewhere cannot complete. Inject a
38
+ * Redis / Durable Object / database-backed store for multi-instance deployments.
39
+ */
40
+ export class MemoryPendingFlowStore extends PendingFlowStore {
41
+ pending = new Map();
42
+ now;
43
+ constructor(options = {}) {
44
+ super();
45
+ this.now = options.now ?? (() => Date.now());
46
+ }
47
+ async put(token, flow, ttlMs) {
48
+ this.pending.set(token, { flow: { ...flow }, expiresAt: this.now() + ttlMs });
49
+ }
50
+ async get(token) {
51
+ const entry = this.pending.get(token);
52
+ if (!entry)
53
+ return undefined;
54
+ if (entry.expiresAt <= this.now()) {
55
+ this.pending.delete(token);
56
+ return undefined;
57
+ }
58
+ return { ...entry.flow };
59
+ }
60
+ async consume(token) {
61
+ // get + delete with NO await in between → atomic in single-threaded JS:
62
+ // a second consume() for the same token sees nothing.
63
+ const entry = this.pending.get(token);
64
+ if (!entry)
65
+ return undefined;
66
+ this.pending.delete(token);
67
+ if (entry.expiresAt <= this.now())
68
+ return undefined;
69
+ return { ...entry.flow };
70
+ }
71
+ async delete(token) {
72
+ this.pending.delete(token);
73
+ }
74
+ async cleanup() {
75
+ const now = this.now();
76
+ for (const [token, entry] of this.pending) {
77
+ if (entry.expiresAt <= now)
78
+ this.pending.delete(token);
79
+ }
80
+ }
81
+ }
82
+ //# sourceMappingURL=pending-flow-store.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"pending-flow-store.js","sourceRoot":"","sources":["../../../src/authz/oidc/pending-flow-store.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAWH;;;;GAIG;AACH,MAAM,OAAgB,gBAAgB;CAmBrC;AAOD;;;;;;GAMG;AACH,MAAM,OAAO,sBAAuB,SAAQ,gBAAgB;IACzC,OAAO,GAAG,IAAI,GAAG,EAAoD,CAAC;IACtE,GAAG,CAAe;IAEnC,YAAY,UAAyC,EAAE;QACrD,KAAK,EAAE,CAAC;QACR,IAAI,CAAC,GAAG,GAAG,OAAO,CAAC,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;IAC/C,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,KAAa,EAAE,IAAiB,EAAE,KAAa;QACvD,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,GAAG,IAAI,EAAE,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,EAAE,CAAC,CAAC;IAChF,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,KAAa;QACrB,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACtC,IAAI,CAAC,KAAK;YAAE,OAAO,SAAS,CAAC;QAC7B,IAAI,KAAK,CAAC,SAAS,IAAI,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;YAClC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YAC3B,OAAO,SAAS,CAAC;QACnB,CAAC;QACD,OAAO,EAAE,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;IAC3B,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,KAAa;QACzB,wEAAwE;QACxE,sDAAsD;QACtD,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACtC,IAAI,CAAC,KAAK;YAAE,OAAO,SAAS,CAAC;QAC7B,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAC3B,IAAI,KAAK,CAAC,SAAS,IAAI,IAAI,CAAC,GAAG,EAAE;YAAE,OAAO,SAAS,CAAC;QACpD,OAAO,EAAE,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;IAC3B,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa;QACxB,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAC7B,CAAC;IAED,KAAK,CAAC,OAAO;QACX,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,KAAK,MAAM,CAAC,KAAK,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YAC1C,IAAI,KAAK,CAAC,SAAS,IAAI,GAAG;gBAAE,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACzD,CAAC;IACH,CAAC;CACF"}
@@ -0,0 +1,41 @@
1
+ /**
2
+ * KYA-OS Entity Card — EMIT.
3
+ *
4
+ * `buildCard` projects this entity's identity + declared facts into a card. Pure,
5
+ * claim-minimal: it asserts only identity + type + declared capabilities (trust-bearing
6
+ * claims are proven by the referenced credentials, not minted here). `conformanceLevel`
7
+ * is intentionally omitted — it is a derived value a verifier recomputes.
8
+ */
9
+ import type { Attestation, BitstringStatusListEntry, Capability, CimdBinding, Ed25519PublicJwk, EntityCard, EntityType, ProofProfile } from './schema.js';
10
+ export interface BuildCardFacts {
11
+ entityType: EntityType;
12
+ name: string;
13
+ capabilities?: Capability[];
14
+ responsibleParty?: string;
15
+ principal?: string;
16
+ delegationRef?: string;
17
+ attestations?: Attestation[];
18
+ didDocument?: string;
19
+ /** Card's Ed25519 public JWK (for a card that inlines its verification key). */
20
+ publicKeyJwk?: Ed25519PublicJwk;
21
+ /** Names the per-request holder-of-key proof profile this entity's requests carry. */
22
+ proofProfile?: ProofProfile;
23
+ /** L1 CIMD on-ramp coordinates (client_id ⇄ did:web, jwks_uri ⇄ DID keys). */
24
+ cimd?: CimdBinding;
25
+ /** W3C Bitstring Status List revocation entry (the post-issuance kill switch). */
26
+ revocation?: BitstringStatusListEntry;
27
+ }
28
+ /** Minimal identity shape this helper needs (structurally compatible with `Identity`). */
29
+ export interface CardIdentity {
30
+ did: string;
31
+ kid?: string;
32
+ createdAt?: string;
33
+ }
34
+ /**
35
+ * Build this entity's card from its identity + declared facts. Pure. Asserts only
36
+ * identity + type + declared capabilities (claim-minimalism — trust-bearing claims are
37
+ * proven by the referenced credentials, not minted here). `conformanceLevel` is
38
+ * intentionally omitted on emit: it is a derived value a verifier recomputes.
39
+ */
40
+ export declare function buildCard(identity: CardIdentity, facts: BuildCardFacts): EntityCard;
41
+ //# sourceMappingURL=build.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"build.d.ts","sourceRoot":"","sources":["../../src/card/build.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EACV,WAAW,EACX,wBAAwB,EACxB,UAAU,EACV,WAAW,EACX,gBAAgB,EAChB,UAAU,EACV,UAAU,EACV,YAAY,EACb,MAAM,aAAa,CAAC;AAErB,MAAM,WAAW,cAAc;IAC7B,UAAU,EAAE,UAAU,CAAC;IACvB,IAAI,EAAE,MAAM,CAAC;IACb,YAAY,CAAC,EAAE,UAAU,EAAE,CAAC;IAC5B,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,YAAY,CAAC,EAAE,WAAW,EAAE,CAAC;IAC7B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,gFAAgF;IAChF,YAAY,CAAC,EAAE,gBAAgB,CAAC;IAChC,sFAAsF;IACtF,YAAY,CAAC,EAAE,YAAY,CAAC;IAC5B,8EAA8E;IAC9E,IAAI,CAAC,EAAE,WAAW,CAAC;IACnB,kFAAkF;IAClF,UAAU,CAAC,EAAE,wBAAwB,CAAC;CACvC;AAED,0FAA0F;AAC1F,MAAM,WAAW,YAAY;IAC3B,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED;;;;;GAKG;AACH,wBAAgB,SAAS,CAAC,QAAQ,EAAE,YAAY,EAAE,KAAK,EAAE,cAAc,GAAG,UAAU,CAmBnF"}
@@ -0,0 +1,47 @@
1
+ /**
2
+ * KYA-OS Entity Card — EMIT.
3
+ *
4
+ * `buildCard` projects this entity's identity + declared facts into a card. Pure,
5
+ * claim-minimal: it asserts only identity + type + declared capabilities (trust-bearing
6
+ * claims are proven by the referenced credentials, not minted here). `conformanceLevel`
7
+ * is intentionally omitted — it is a derived value a verifier recomputes.
8
+ */
9
+ /**
10
+ * Build this entity's card from its identity + declared facts. Pure. Asserts only
11
+ * identity + type + declared capabilities (claim-minimalism — trust-bearing claims are
12
+ * proven by the referenced credentials, not minted here). `conformanceLevel` is
13
+ * intentionally omitted on emit: it is a derived value a verifier recomputes.
14
+ */
15
+ export function buildCard(identity, facts) {
16
+ const card = {
17
+ id: identity.did,
18
+ entityType: facts.entityType,
19
+ name: facts.name,
20
+ };
21
+ if (identity.kid !== undefined)
22
+ card.kid = identity.kid;
23
+ if (identity.createdAt !== undefined)
24
+ card.createdAt = identity.createdAt;
25
+ if (facts.capabilities !== undefined)
26
+ card.capabilities = facts.capabilities;
27
+ if (facts.responsibleParty !== undefined)
28
+ card.responsibleParty = facts.responsibleParty;
29
+ if (facts.principal !== undefined)
30
+ card.principal = facts.principal;
31
+ if (facts.delegationRef !== undefined)
32
+ card.delegationRef = facts.delegationRef;
33
+ if (facts.attestations !== undefined)
34
+ card.attestations = facts.attestations;
35
+ if (facts.didDocument !== undefined)
36
+ card.didDocument = facts.didDocument;
37
+ if (facts.publicKeyJwk !== undefined)
38
+ card.publicKeyJwk = facts.publicKeyJwk;
39
+ if (facts.proofProfile !== undefined)
40
+ card.proofProfile = facts.proofProfile;
41
+ if (facts.cimd !== undefined)
42
+ card.cimd = facts.cimd;
43
+ if (facts.revocation !== undefined)
44
+ card.revocation = facts.revocation;
45
+ return card;
46
+ }
47
+ //# sourceMappingURL=build.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"build.js","sourceRoot":"","sources":["../../src/card/build.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAuCH;;;;;GAKG;AACH,MAAM,UAAU,SAAS,CAAC,QAAsB,EAAE,KAAqB;IACrE,MAAM,IAAI,GAAe;QACvB,EAAE,EAAE,QAAQ,CAAC,GAAG;QAChB,UAAU,EAAE,KAAK,CAAC,UAAU;QAC5B,IAAI,EAAE,KAAK,CAAC,IAAI;KACjB,CAAC;IACF,IAAI,QAAQ,CAAC,GAAG,KAAK,SAAS;QAAE,IAAI,CAAC,GAAG,GAAG,QAAQ,CAAC,GAAG,CAAC;IACxD,IAAI,QAAQ,CAAC,SAAS,KAAK,SAAS;QAAE,IAAI,CAAC,SAAS,GAAG,QAAQ,CAAC,SAAS,CAAC;IAC1E,IAAI,KAAK,CAAC,YAAY,KAAK,SAAS;QAAE,IAAI,CAAC,YAAY,GAAG,KAAK,CAAC,YAAY,CAAC;IAC7E,IAAI,KAAK,CAAC,gBAAgB,KAAK,SAAS;QAAE,IAAI,CAAC,gBAAgB,GAAG,KAAK,CAAC,gBAAgB,CAAC;IACzF,IAAI,KAAK,CAAC,SAAS,KAAK,SAAS;QAAE,IAAI,CAAC,SAAS,GAAG,KAAK,CAAC,SAAS,CAAC;IACpE,IAAI,KAAK,CAAC,aAAa,KAAK,SAAS;QAAE,IAAI,CAAC,aAAa,GAAG,KAAK,CAAC,aAAa,CAAC;IAChF,IAAI,KAAK,CAAC,YAAY,KAAK,SAAS;QAAE,IAAI,CAAC,YAAY,GAAG,KAAK,CAAC,YAAY,CAAC;IAC7E,IAAI,KAAK,CAAC,WAAW,KAAK,SAAS;QAAE,IAAI,CAAC,WAAW,GAAG,KAAK,CAAC,WAAW,CAAC;IAC1E,IAAI,KAAK,CAAC,YAAY,KAAK,SAAS;QAAE,IAAI,CAAC,YAAY,GAAG,KAAK,CAAC,YAAY,CAAC;IAC7E,IAAI,KAAK,CAAC,YAAY,KAAK,SAAS;QAAE,IAAI,CAAC,YAAY,GAAG,KAAK,CAAC,YAAY,CAAC;IAC7E,IAAI,KAAK,CAAC,IAAI,KAAK,SAAS;QAAE,IAAI,CAAC,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC;IACrD,IAAI,KAAK,CAAC,UAAU,KAAK,SAAS;QAAE,IAAI,CAAC,UAAU,GAAG,KAAK,CAAC,UAAU,CAAC;IACvE,OAAO,IAAI,CAAC;AACd,CAAC"}
@@ -0,0 +1,99 @@
1
+ /**
2
+ * KYA-OS Entity Card — fluent BUILDER (the 10-minute adoption path).
3
+ *
4
+ * `card({ did, entityType, name })` opens a fluent chain that accumulates declared facts and
5
+ * `.build()`s them into an `EntityCard` — a thin, ergonomic front over {@link buildCard} that
6
+ * hides the card shape behind readable, self-documenting calls:
7
+ *
8
+ * card({ did, entityType: 'agent', name: 'Acme Pay' })
9
+ * .capability('search') // L1 bare-string capability
10
+ * .attestedCapability('payments.transfer', vc) // L2 attested capability (VC-backed)
11
+ * .accountableTo('did:web:acme.example', { via: 'vc_root>del_123' })
12
+ * .build();
13
+ *
14
+ * Claim-minimal like `buildCard`: it asserts only identity + type + declared capabilities +
15
+ * accountability locators; trust-bearing claims are PROVEN by the referenced credentials, not
16
+ * minted here. The infrastructure coordinates it can ALSO carry — `.usesProof()` (proof profile),
17
+ * `.cimd()`, `.revocation()`, `.didDocument()`, `.publicKey()` — are self-descriptive pointers, not
18
+ * credential-proven claims, so the ergonomic path can emit a card that plugs into the proof / CIMD /
19
+ * revocation machinery. `conformanceLevel` is intentionally never set — a verifier RECOMPUTES it.
20
+ * Pure, no I/O, no crypto: no runtime (`mcp-i-core`) dependency leaks in.
21
+ */
22
+ import type { Attestation, BitstringStatusListEntry, CapabilityAttestation, CimdBinding, Ed25519PublicJwk, EntityCard, EntityType } from './schema.js';
23
+ /** A Verifiable Credential value (a compact VC-JWT string or a pre-parsed object). */
24
+ export type VcInput = CapabilityAttestation['vc'];
25
+ /** The identity + type coordinates a card chain opens with. */
26
+ export interface CardBuilderInit {
27
+ did: string;
28
+ entityType: EntityType;
29
+ name: string;
30
+ kid?: string;
31
+ createdAt?: string;
32
+ }
33
+ /** Accountability locators for `accountableTo`: the delegation chain (`via`) + human `principal`. */
34
+ export interface AccountableToOptions {
35
+ /** Compact delegation-chain locator (`delegationRef`, e.g. `vc_root>del_123`) — resolved, not inlined. */
36
+ via?: string;
37
+ /** The immediate human delegator DID (`principal`), when distinct from the responsible party. */
38
+ principal?: string;
39
+ }
40
+ /**
41
+ * A fluent accumulator over one card's declared facts. Mutable + chainable (each method returns
42
+ * `this`); `.build()` projects the accumulated facts through {@link buildCard}. Prefer the `card()`
43
+ * factory over `new CardBuilder(...)`.
44
+ */
45
+ export declare class CardBuilder {
46
+ private readonly identity;
47
+ private readonly entityType;
48
+ private readonly name;
49
+ private readonly capabilities;
50
+ private readonly attestations;
51
+ private responsibleParty?;
52
+ private principal?;
53
+ private delegationRef?;
54
+ private proofProfile?;
55
+ private cimdBinding?;
56
+ private revocationEntry?;
57
+ private didDocumentUrl?;
58
+ private publicKeyJwk?;
59
+ constructor(init: CardBuilderInit);
60
+ /** Declare an L1 bare-string capability (self-asserted; a verifier floors it at L1). */
61
+ capability(name: string): this;
62
+ /**
63
+ * Declare an L2 capability backed by an attestation VC. Repeated calls for the SAME capability
64
+ * name accumulate onto its `attestations[]` (one capability, several proofs) rather than
65
+ * duplicating the entry.
66
+ */
67
+ attestedCapability(name: string, vc: VcInput): this;
68
+ /**
69
+ * Attach a standalone attestation (e.g. a KYC/KYB `IdentityVerification` VC on the responsible
70
+ * party) that is not tied to a single capability.
71
+ */
72
+ attestation(attestation: Attestation): this;
73
+ /**
74
+ * Declare the accountability edge: `responsibleParty` is the ultimately-accountable root (a
75
+ * KYC-able org), `opts.via` the compact `delegationRef` chain locator, and `opts.principal` the
76
+ * immediate human delegator. A verifier RECOMPUTES this edge (delegationRef → responsibleParty).
77
+ */
78
+ accountableTo(responsibleParty: string, opts?: AccountableToOptions): this;
79
+ /**
80
+ * Advertise the per-request holder-of-key proof profile (`org.kya-os/proof@1`). This only NAMES
81
+ * the profile — the proof itself is never on the static card; it rides per-request `_meta`.
82
+ */
83
+ usesProof(): this;
84
+ /** Bind the L1 CIMD on-ramp coordinates (`client_id` ⇄ `did:web`, `jwks_uri` ⇄ DID keys). */
85
+ cimd(binding: CimdBinding): this;
86
+ /** Attach the W3C Bitstring Status List revocation entry (the post-issuance kill switch). */
87
+ revocation(entry: BitstringStatusListEntry): this;
88
+ /** Record the entity's DID document URL (where the `KyaOsEntityCard` service entry lives). */
89
+ didDocument(url: string): this;
90
+ /** Inline the entity's Ed25519 public JWK (the card's self-contained verification key). */
91
+ publicKey(jwk: Ed25519PublicJwk): this;
92
+ /** Project the accumulated facts into an `EntityCard` (via {@link buildCard}). */
93
+ build(): EntityCard;
94
+ /** Find an already-declared attested capability by name (for attestation accumulation). */
95
+ private findAttested;
96
+ }
97
+ /** Open a fluent card-building chain (the ergonomic entry point). */
98
+ export declare function card(init: CardBuilderInit): CardBuilder;
99
+ //# sourceMappingURL=builder.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"builder.d.ts","sourceRoot":"","sources":["../../src/card/builder.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAIH,OAAO,KAAK,EACV,WAAW,EACX,wBAAwB,EAExB,qBAAqB,EACrB,WAAW,EACX,gBAAgB,EAChB,UAAU,EACV,UAAU,EAGX,MAAM,aAAa,CAAC;AAKrB,sFAAsF;AACtF,MAAM,MAAM,OAAO,GAAG,qBAAqB,CAAC,IAAI,CAAC,CAAC;AAElD,+DAA+D;AAC/D,MAAM,WAAW,eAAe;IAC9B,GAAG,EAAE,MAAM,CAAC;IACZ,UAAU,EAAE,UAAU,CAAC;IACvB,IAAI,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,qGAAqG;AACrG,MAAM,WAAW,oBAAoB;IACnC,0GAA0G;IAC1G,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,iGAAiG;IACjG,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED;;;;GAIG;AACH,qBAAa,WAAW;IACtB,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAe;IACxC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAa;IACxC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAS;IAC9B,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAoB;IACjD,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAqB;IAClD,OAAO,CAAC,gBAAgB,CAAC,CAAS;IAClC,OAAO,CAAC,SAAS,CAAC,CAAS;IAC3B,OAAO,CAAC,aAAa,CAAC,CAAS;IAC/B,OAAO,CAAC,YAAY,CAAC,CAAe;IACpC,OAAO,CAAC,WAAW,CAAC,CAAc;IAClC,OAAO,CAAC,eAAe,CAAC,CAA2B;IACnD,OAAO,CAAC,cAAc,CAAC,CAAS;IAChC,OAAO,CAAC,YAAY,CAAC,CAAmB;gBAE5B,IAAI,EAAE,eAAe;IAQjC,wFAAwF;IACxF,UAAU,CAAC,IAAI,EAAE,MAAM,GAAG,IAAI;IAK9B;;;;OAIG;IACH,kBAAkB,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,OAAO,GAAG,IAAI;IAOnD;;;OAGG;IACH,WAAW,CAAC,WAAW,EAAE,WAAW,GAAG,IAAI;IAK3C;;;;OAIG;IACH,aAAa,CAAC,gBAAgB,EAAE,MAAM,EAAE,IAAI,GAAE,oBAAyB,GAAG,IAAI;IAO9E;;;OAGG;IACH,SAAS,IAAI,IAAI;IAKjB,6FAA6F;IAC7F,IAAI,CAAC,OAAO,EAAE,WAAW,GAAG,IAAI;IAKhC,6FAA6F;IAC7F,UAAU,CAAC,KAAK,EAAE,wBAAwB,GAAG,IAAI;IAKjD,8FAA8F;IAC9F,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI;IAK9B,2FAA2F;IAC3F,SAAS,CAAC,GAAG,EAAE,gBAAgB,GAAG,IAAI;IAKtC,kFAAkF;IAClF,KAAK,IAAI,UAAU;IAiBnB,2FAA2F;IAC3F,OAAO,CAAC,YAAY;CAKrB;AAED,qEAAqE;AACrE,wBAAgB,IAAI,CAAC,IAAI,EAAE,eAAe,GAAG,WAAW,CAEvD"}
@@ -0,0 +1,147 @@
1
+ /**
2
+ * KYA-OS Entity Card — fluent BUILDER (the 10-minute adoption path).
3
+ *
4
+ * `card({ did, entityType, name })` opens a fluent chain that accumulates declared facts and
5
+ * `.build()`s them into an `EntityCard` — a thin, ergonomic front over {@link buildCard} that
6
+ * hides the card shape behind readable, self-documenting calls:
7
+ *
8
+ * card({ did, entityType: 'agent', name: 'Acme Pay' })
9
+ * .capability('search') // L1 bare-string capability
10
+ * .attestedCapability('payments.transfer', vc) // L2 attested capability (VC-backed)
11
+ * .accountableTo('did:web:acme.example', { via: 'vc_root>del_123' })
12
+ * .build();
13
+ *
14
+ * Claim-minimal like `buildCard`: it asserts only identity + type + declared capabilities +
15
+ * accountability locators; trust-bearing claims are PROVEN by the referenced credentials, not
16
+ * minted here. The infrastructure coordinates it can ALSO carry — `.usesProof()` (proof profile),
17
+ * `.cimd()`, `.revocation()`, `.didDocument()`, `.publicKey()` — are self-descriptive pointers, not
18
+ * credential-proven claims, so the ergonomic path can emit a card that plugs into the proof / CIMD /
19
+ * revocation machinery. `conformanceLevel` is intentionally never set — a verifier RECOMPUTES it.
20
+ * Pure, no I/O, no crypto: no runtime (`mcp-i-core`) dependency leaks in.
21
+ */
22
+ import { buildCard } from './build.js';
23
+ import { PROOF_PROFILE_ID } from './schema.js';
24
+ /** The single proof profile a KYA-OS card advertises (holder-of-key, per-request `_meta`). */
25
+ const KYA_OS_PROOF_PROFILE = PROOF_PROFILE_ID;
26
+ /**
27
+ * A fluent accumulator over one card's declared facts. Mutable + chainable (each method returns
28
+ * `this`); `.build()` projects the accumulated facts through {@link buildCard}. Prefer the `card()`
29
+ * factory over `new CardBuilder(...)`.
30
+ */
31
+ export class CardBuilder {
32
+ identity;
33
+ entityType;
34
+ name;
35
+ capabilities = [];
36
+ attestations = [];
37
+ responsibleParty;
38
+ principal;
39
+ delegationRef;
40
+ proofProfile;
41
+ cimdBinding;
42
+ revocationEntry;
43
+ didDocumentUrl;
44
+ publicKeyJwk;
45
+ constructor(init) {
46
+ this.identity = { did: init.did };
47
+ if (init.kid !== undefined)
48
+ this.identity.kid = init.kid;
49
+ if (init.createdAt !== undefined)
50
+ this.identity.createdAt = init.createdAt;
51
+ this.entityType = init.entityType;
52
+ this.name = init.name;
53
+ }
54
+ /** Declare an L1 bare-string capability (self-asserted; a verifier floors it at L1). */
55
+ capability(name) {
56
+ this.capabilities.push(name);
57
+ return this;
58
+ }
59
+ /**
60
+ * Declare an L2 capability backed by an attestation VC. Repeated calls for the SAME capability
61
+ * name accumulate onto its `attestations[]` (one capability, several proofs) rather than
62
+ * duplicating the entry.
63
+ */
64
+ attestedCapability(name, vc) {
65
+ const existing = this.findAttested(name);
66
+ if (existing)
67
+ existing.attestations.push({ vc });
68
+ else
69
+ this.capabilities.push({ name, attestations: [{ vc }] });
70
+ return this;
71
+ }
72
+ /**
73
+ * Attach a standalone attestation (e.g. a KYC/KYB `IdentityVerification` VC on the responsible
74
+ * party) that is not tied to a single capability.
75
+ */
76
+ attestation(attestation) {
77
+ this.attestations.push(attestation);
78
+ return this;
79
+ }
80
+ /**
81
+ * Declare the accountability edge: `responsibleParty` is the ultimately-accountable root (a
82
+ * KYC-able org), `opts.via` the compact `delegationRef` chain locator, and `opts.principal` the
83
+ * immediate human delegator. A verifier RECOMPUTES this edge (delegationRef → responsibleParty).
84
+ */
85
+ accountableTo(responsibleParty, opts = {}) {
86
+ this.responsibleParty = responsibleParty;
87
+ if (opts.via !== undefined)
88
+ this.delegationRef = opts.via;
89
+ if (opts.principal !== undefined)
90
+ this.principal = opts.principal;
91
+ return this;
92
+ }
93
+ /**
94
+ * Advertise the per-request holder-of-key proof profile (`org.kya-os/proof@1`). This only NAMES
95
+ * the profile — the proof itself is never on the static card; it rides per-request `_meta`.
96
+ */
97
+ usesProof() {
98
+ this.proofProfile = KYA_OS_PROOF_PROFILE;
99
+ return this;
100
+ }
101
+ /** Bind the L1 CIMD on-ramp coordinates (`client_id` ⇄ `did:web`, `jwks_uri` ⇄ DID keys). */
102
+ cimd(binding) {
103
+ this.cimdBinding = binding;
104
+ return this;
105
+ }
106
+ /** Attach the W3C Bitstring Status List revocation entry (the post-issuance kill switch). */
107
+ revocation(entry) {
108
+ this.revocationEntry = entry;
109
+ return this;
110
+ }
111
+ /** Record the entity's DID document URL (where the `KyaOsEntityCard` service entry lives). */
112
+ didDocument(url) {
113
+ this.didDocumentUrl = url;
114
+ return this;
115
+ }
116
+ /** Inline the entity's Ed25519 public JWK (the card's self-contained verification key). */
117
+ publicKey(jwk) {
118
+ this.publicKeyJwk = jwk;
119
+ return this;
120
+ }
121
+ /** Project the accumulated facts into an `EntityCard` (via {@link buildCard}). */
122
+ build() {
123
+ return buildCard(this.identity, {
124
+ entityType: this.entityType,
125
+ name: this.name,
126
+ ...(this.capabilities.length > 0 ? { capabilities: this.capabilities } : {}),
127
+ ...(this.attestations.length > 0 ? { attestations: this.attestations } : {}),
128
+ ...(this.responsibleParty !== undefined ? { responsibleParty: this.responsibleParty } : {}),
129
+ ...(this.principal !== undefined ? { principal: this.principal } : {}),
130
+ ...(this.delegationRef !== undefined ? { delegationRef: this.delegationRef } : {}),
131
+ ...(this.proofProfile !== undefined ? { proofProfile: this.proofProfile } : {}),
132
+ ...(this.cimdBinding !== undefined ? { cimd: this.cimdBinding } : {}),
133
+ ...(this.revocationEntry !== undefined ? { revocation: this.revocationEntry } : {}),
134
+ ...(this.didDocumentUrl !== undefined ? { didDocument: this.didDocumentUrl } : {}),
135
+ ...(this.publicKeyJwk !== undefined ? { publicKeyJwk: this.publicKeyJwk } : {}),
136
+ });
137
+ }
138
+ /** Find an already-declared attested capability by name (for attestation accumulation). */
139
+ findAttested(name) {
140
+ return this.capabilities.find((c) => typeof c !== 'string' && c.name === name);
141
+ }
142
+ }
143
+ /** Open a fluent card-building chain (the ergonomic entry point). */
144
+ export function card(init) {
145
+ return new CardBuilder(init);
146
+ }
147
+ //# sourceMappingURL=builder.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"builder.js","sourceRoot":"","sources":["../../src/card/builder.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAEH,OAAO,EAAE,SAAS,EAAqB,MAAM,YAAY,CAAC;AAC1D,OAAO,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAc/C,8FAA8F;AAC9F,MAAM,oBAAoB,GAAiB,gBAAgB,CAAC;AAsB5D;;;;GAIG;AACH,MAAM,OAAO,WAAW;IACL,QAAQ,CAAe;IACvB,UAAU,CAAa;IACvB,IAAI,CAAS;IACb,YAAY,GAAiB,EAAE,CAAC;IAChC,YAAY,GAAkB,EAAE,CAAC;IAC1C,gBAAgB,CAAU;IAC1B,SAAS,CAAU;IACnB,aAAa,CAAU;IACvB,YAAY,CAAgB;IAC5B,WAAW,CAAe;IAC1B,eAAe,CAA4B;IAC3C,cAAc,CAAU;IACxB,YAAY,CAAoB;IAExC,YAAY,IAAqB;QAC/B,IAAI,CAAC,QAAQ,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC;QAClC,IAAI,IAAI,CAAC,GAAG,KAAK,SAAS;YAAE,IAAI,CAAC,QAAQ,CAAC,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC;QACzD,IAAI,IAAI,CAAC,SAAS,KAAK,SAAS;YAAE,IAAI,CAAC,QAAQ,CAAC,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC;QAC3E,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC;QAClC,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC;IACxB,CAAC;IAED,wFAAwF;IACxF,UAAU,CAAC,IAAY;QACrB,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC7B,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;;OAIG;IACH,kBAAkB,CAAC,IAAY,EAAE,EAAW;QAC1C,MAAM,QAAQ,GAAG,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC;QACzC,IAAI,QAAQ;YAAE,QAAQ,CAAC,YAAY,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;;YAC5C,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,YAAY,EAAE,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,CAAC;QAC9D,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;OAGG;IACH,WAAW,CAAC,WAAwB;QAClC,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACpC,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;;OAIG;IACH,aAAa,CAAC,gBAAwB,EAAE,OAA6B,EAAE;QACrE,IAAI,CAAC,gBAAgB,GAAG,gBAAgB,CAAC;QACzC,IAAI,IAAI,CAAC,GAAG,KAAK,SAAS;YAAE,IAAI,CAAC,aAAa,GAAG,IAAI,CAAC,GAAG,CAAC;QAC1D,IAAI,IAAI,CAAC,SAAS,KAAK,SAAS;YAAE,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC;QAClE,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;OAGG;IACH,SAAS;QACP,IAAI,CAAC,YAAY,GAAG,oBAAoB,CAAC;QACzC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,6FAA6F;IAC7F,IAAI,CAAC,OAAoB;QACvB,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC;QAC3B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,6FAA6F;IAC7F,UAAU,CAAC,KAA+B;QACxC,IAAI,CAAC,eAAe,GAAG,KAAK,CAAC;QAC7B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,8FAA8F;IAC9F,WAAW,CAAC,GAAW;QACrB,IAAI,CAAC,cAAc,GAAG,GAAG,CAAC;QAC1B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,2FAA2F;IAC3F,SAAS,CAAC,GAAqB;QAC7B,IAAI,CAAC,YAAY,GAAG,GAAG,CAAC;QACxB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,kFAAkF;IAClF,KAAK;QACH,OAAO,SAAS,CAAC,IAAI,CAAC,QAAQ,EAAE;YAC9B,UAAU,EAAE,IAAI,CAAC,UAAU;YAC3B,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,GAAG,CAAC,IAAI,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,YAAY,EAAE,IAAI,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YAC5E,GAAG,CAAC,IAAI,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,YAAY,EAAE,IAAI,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YAC5E,GAAG,CAAC,IAAI,CAAC,gBAAgB,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,gBAAgB,EAAE,IAAI,CAAC,gBAAgB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YAC3F,GAAG,CAAC,IAAI,CAAC,SAAS,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACtE,GAAG,CAAC,IAAI,CAAC,aAAa,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,aAAa,EAAE,IAAI,CAAC,aAAa,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YAClF,GAAG,CAAC,IAAI,CAAC,YAAY,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,YAAY,EAAE,IAAI,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YAC/E,GAAG,CAAC,IAAI,CAAC,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACrE,GAAG,CAAC,IAAI,CAAC,eAAe,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,IAAI,CAAC,eAAe,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACnF,GAAG,CAAC,IAAI,CAAC,cAAc,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,IAAI,CAAC,cAAc,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YAClF,GAAG,CAAC,IAAI,CAAC,YAAY,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,YAAY,EAAE,IAAI,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAChF,CAAC,CAAC;IACL,CAAC;IAED,2FAA2F;IACnF,YAAY,CAAC,IAAY;QAC/B,OAAO,IAAI,CAAC,YAAY,CAAC,IAAI,CAC3B,CAAC,CAAC,EAAyB,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,CAAC,IAAI,KAAK,IAAI,CACvE,CAAC;IACJ,CAAC;CACF;AAED,qEAAqE;AACrE,MAAM,UAAU,IAAI,CAAC,IAAqB;IACxC,OAAO,IAAI,WAAW,CAAC,IAAI,CAAC,CAAC;AAC/B,CAAC"}
@@ -0,0 +1,92 @@
1
+ /**
2
+ * KYA-OS Entity Card — CIMD L1 on-ramp bind.
3
+ *
4
+ * CIMD (draft-ietf-oauth-client-id-metadata-document, the MCP default since 2025-11-25) is
5
+ * the L1 on-ramp with zero new infra: the OAuth `client_id` IS the entity's `did:web` in its
6
+ * HTTPS form, and the `jwks_uri` the AS validates `private_key_jwt` against IS a mechanical
7
+ * projection of the DID document's keys — so OAuth client-authentication becomes a DID-key
8
+ * proof, and the access token the AS mints can be sender-constrained (RFC 9449 `cnf.jkt`) to
9
+ * the exact key the per-request holder-of-key proof later carries (closing L1 → L3).
10
+ *
11
+ * - `bindClientId` / `didFromClientId` — the W3C `did:web` ⇄ HTTPS bijection
12
+ * (`did:web:host:a:b` ⇄ `https://host/a/b`, the authority colon percent-encoded for ports).
13
+ * - `didKeyedJwks` — DID-document `verificationMethod[]` Ed25519 → an OKP JWK set
14
+ * (`kid` preserved), stripping any private `d` and skipping non-Ed25519 methods.
15
+ * - `toClientMetadata` — PROJECT the card into the CIMD doc served at the `client_id` URL
16
+ * (`token_endpoint_auth_method: private_key_jwt`, `_meta['org.kya-os/did']` = the DID).
17
+ * - `cardFromClientMetadata` — DERIVE the L1 card from a CIMD doc (a pure-CIMD client with
18
+ * no DID still onboards: a `did:web` is minted from its `client_id`).
19
+ * - `verifyCimdBind` — the anti-substitution graft, FAIL-CLOSED: origin-equality
20
+ * (`did:web` host === `client_id` origin === `jwks_uri` origin) AND a reciprocal
21
+ * `alsoKnownAs` bind, so a hostile CIMD pointing `jwks_uri` at someone else's keys (or
22
+ * claiming a victim's DID) fails closed.
23
+ *
24
+ * Pure + deterministic — no I/O, no crypto. All key material is projected, never minted, so
25
+ * no runtime (mcp-i-core) dependency leaks into `@kya-os/mcp`.
26
+ */
27
+ import type { CimdBinding, Ed25519PublicJwk, EntityCard } from './schema.js';
28
+ /** CIMD `token_endpoint_auth_method` — `private_key_jwt` IS the DID-key proof. */
29
+ export declare const PRIVATE_KEY_JWT = "private_key_jwt";
30
+ /** Reverse-DNS `_meta` key carrying the entity's DID inside a CIMD document. */
31
+ export declare const KYA_OS_DID_META_KEY = "org.kya-os/did";
32
+ /** A CIMD (client_id metadata document) projected from / parsed into an EntityCard. */
33
+ export interface ClientMetadata {
34
+ client_id: string;
35
+ client_name: string;
36
+ token_endpoint_auth_method: typeof PRIVATE_KEY_JWT;
37
+ jwks_uri: string;
38
+ _meta: Record<typeof KYA_OS_DID_META_KEY, string>;
39
+ }
40
+ /** A JSON Web Key Set — the DID-keyed JWKS served at a CIMD `jwks_uri`. */
41
+ export interface Jwks {
42
+ keys: Ed25519PublicJwk[];
43
+ }
44
+ /** The fail-closed result of `verifyCimdBind` — `ok` iff there are no `reasons`. */
45
+ export interface CimdBindResult {
46
+ ok: boolean;
47
+ reasons: string[];
48
+ }
49
+ /**
50
+ * Bind a `did:web` to its OAuth `client_id` (the W3C HTTPS form):
51
+ * `did:web:host:a:b` → `https://host/a/b`
52
+ * `did:web:host%3A3000:a` → `https://host:3000/a` (authority colon percent-decoded)
53
+ * `did:web:host` → `https://host`
54
+ */
55
+ export declare function bindClientId(did: string): string;
56
+ /**
57
+ * The inverse of `bindClientId`: an HTTPS `client_id` → its `did:web` (authority colon
58
+ * percent-encoded for ports). `https://host/a/b` → `did:web:host:a:b`. https-only,
59
+ * fail-closed.
60
+ */
61
+ export declare function didFromClientId(clientId: string): string;
62
+ /**
63
+ * Project a DID document's `verificationMethod[]` into the JWKS the AS validates
64
+ * `private_key_jwt` against. Only Ed25519 (`OKP`) keys are projected; `kid` is preserved
65
+ * (the JWK's own `kid`, else the verification method `id`); any private `d` is stripped.
66
+ */
67
+ export declare function didKeyedJwks(didDoc: unknown): Jwks;
68
+ /**
69
+ * Project a card into the CIMD document served at its `client_id` URL. The
70
+ * `token_endpoint_auth_method` is `private_key_jwt` — so the AS validating it against
71
+ * `jwks_uri` is verifying a DID-key signature.
72
+ */
73
+ export declare function toClientMetadata(card: EntityCard, opts: {
74
+ jwksUri: string;
75
+ }): ClientMetadata;
76
+ /**
77
+ * Derive the L1 card from a CIMD document. The DID is read from `_meta['org.kya-os/did']`
78
+ * when present, else MINTED from the `client_id` (a pure-CIMD client still onboards). The
79
+ * card is `entityType: 'client'` and carries the CIMD coordinates when a `jwks_uri` is given.
80
+ * Fail-closed: the result is validated through `parseCard`.
81
+ */
82
+ export declare function cardFromClientMetadata(meta: unknown): EntityCard;
83
+ /**
84
+ * Verify a CIMD binding against the entity's DID document, FAIL-CLOSED. Enforces:
85
+ * 1. origin-equality — `did:web` host === `client_id` origin === `jwks_uri` origin
86
+ * (a hostile CIMD pointing `jwks_uri` at another origin's keys fails here);
87
+ * 2. a reciprocal `alsoKnownAs` bind — the DID document lists the `client_id` URL, so a
88
+ * CIMD cannot unilaterally claim a DID it does not control.
89
+ * `ok` is true iff there are no `reasons`.
90
+ */
91
+ export declare function verifyCimdBind(cimd: CimdBinding, didDoc: unknown): CimdBindResult;
92
+ //# sourceMappingURL=cimd.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"cimd.d.ts","sourceRoot":"","sources":["../../src/card/cimd.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAIH,OAAO,KAAK,EAAE,WAAW,EAAE,gBAAgB,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAK7E,kFAAkF;AAClF,eAAO,MAAM,eAAe,oBAAoB,CAAC;AAEjD,gFAAgF;AAChF,eAAO,MAAM,mBAAmB,mBAAmB,CAAC;AAIpD,uFAAuF;AACvF,MAAM,WAAW,cAAc;IAC7B,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,0BAA0B,EAAE,OAAO,eAAe,CAAC;IACnD,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC,OAAO,mBAAmB,EAAE,MAAM,CAAC,CAAC;CACnD;AAED,2EAA2E;AAC3E,MAAM,WAAW,IAAI;IACnB,IAAI,EAAE,gBAAgB,EAAE,CAAC;CAC1B;AAED,oFAAoF;AACpF,MAAM,WAAW,cAAc;IAC7B,EAAE,EAAE,OAAO,CAAC;IACZ,OAAO,EAAE,MAAM,EAAE,CAAC;CACnB;AAID;;;;;GAKG;AACH,wBAAgB,YAAY,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAQhD;AAED;;;;GAIG;AACH,wBAAgB,eAAe,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAaxD;AAID;;;;GAIG;AACH,wBAAgB,YAAY,CAAC,MAAM,EAAE,OAAO,GAAG,IAAI,CASlD;AAID;;;;GAIG;AACH,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE;IAAE,OAAO,EAAE,MAAM,CAAA;CAAE,GAAG,cAAc,CAQ5F;AAED;;;;;GAKG;AACH,wBAAgB,sBAAsB,CAAC,IAAI,EAAE,OAAO,GAAG,UAAU,CAiBhE;AAID;;;;;;;GAOG;AACH,wBAAgB,cAAc,CAAC,IAAI,EAAE,WAAW,EAAE,MAAM,EAAE,OAAO,GAAG,cAAc,CAqBjF"}