@kya-os/mcp 1.6.1 → 1.9.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +117 -0
- package/README.md +228 -3
- package/dist/authz/index.d.ts +1 -0
- package/dist/authz/index.d.ts.map +1 -1
- package/dist/authz/index.js +1 -0
- package/dist/authz/index.js.map +1 -1
- package/dist/authz/oidc/oidc-adapter.d.ts +10 -2
- package/dist/authz/oidc/oidc-adapter.d.ts.map +1 -1
- package/dist/authz/oidc/oidc-adapter.js +18 -9
- package/dist/authz/oidc/oidc-adapter.js.map +1 -1
- package/dist/authz/oidc/pending-flow-store.d.ts +80 -0
- package/dist/authz/oidc/pending-flow-store.d.ts.map +1 -0
- package/dist/authz/oidc/pending-flow-store.js +82 -0
- package/dist/authz/oidc/pending-flow-store.js.map +1 -0
- package/dist/card/build.d.ts +41 -0
- package/dist/card/build.d.ts.map +1 -0
- package/dist/card/build.js +47 -0
- package/dist/card/build.js.map +1 -0
- package/dist/card/builder.d.ts +99 -0
- package/dist/card/builder.d.ts.map +1 -0
- package/dist/card/builder.js +147 -0
- package/dist/card/builder.js.map +1 -0
- package/dist/card/cimd.d.ts +92 -0
- package/dist/card/cimd.d.ts.map +1 -0
- package/dist/card/cimd.js +225 -0
- package/dist/card/cimd.js.map +1 -0
- package/dist/card/delegation.d.ts +145 -0
- package/dist/card/delegation.d.ts.map +1 -0
- package/dist/card/delegation.js +293 -0
- package/dist/card/delegation.js.map +1 -0
- package/dist/card/emit.d.ts +133 -0
- package/dist/card/emit.d.ts.map +1 -0
- package/dist/card/emit.js +127 -0
- package/dist/card/emit.js.map +1 -0
- package/dist/card/index.d.ts +43 -0
- package/dist/card/index.d.ts.map +1 -0
- package/dist/card/index.js +46 -0
- package/dist/card/index.js.map +1 -0
- package/dist/card/middleware.d.ts +112 -0
- package/dist/card/middleware.d.ts.map +1 -0
- package/dist/card/middleware.js +121 -0
- package/dist/card/middleware.js.map +1 -0
- package/dist/card/proof/build.d.ts +22 -0
- package/dist/card/proof/build.d.ts.map +1 -0
- package/dist/card/proof/build.js +55 -0
- package/dist/card/proof/build.js.map +1 -0
- package/dist/card/proof/canonical.d.ts +66 -0
- package/dist/card/proof/canonical.d.ts.map +1 -0
- package/dist/card/proof/canonical.js +131 -0
- package/dist/card/proof/canonical.js.map +1 -0
- package/dist/card/proof/http-sig.d.ts +69 -0
- package/dist/card/proof/http-sig.d.ts.map +1 -0
- package/dist/card/proof/http-sig.js +101 -0
- package/dist/card/proof/http-sig.js.map +1 -0
- package/dist/card/proof/index.d.ts +25 -0
- package/dist/card/proof/index.d.ts.map +1 -0
- package/dist/card/proof/index.js +25 -0
- package/dist/card/proof/index.js.map +1 -0
- package/dist/card/proof/nonce-cache.d.ts +67 -0
- package/dist/card/proof/nonce-cache.d.ts.map +1 -0
- package/dist/card/proof/nonce-cache.js +88 -0
- package/dist/card/proof/nonce-cache.js.map +1 -0
- package/dist/card/proof/signer.d.ts +32 -0
- package/dist/card/proof/signer.d.ts.map +1 -0
- package/dist/card/proof/signer.js +59 -0
- package/dist/card/proof/signer.js.map +1 -0
- package/dist/card/proof/types.d.ts +219 -0
- package/dist/card/proof/types.d.ts.map +1 -0
- package/dist/card/proof/types.js +87 -0
- package/dist/card/proof/types.js.map +1 -0
- package/dist/card/proof/verify.d.ts +27 -0
- package/dist/card/proof/verify.d.ts.map +1 -0
- package/dist/card/proof/verify.js +236 -0
- package/dist/card/proof/verify.js.map +1 -0
- package/dist/card/resolve.d.ts +97 -0
- package/dist/card/resolve.d.ts.map +1 -0
- package/dist/card/resolve.js +223 -0
- package/dist/card/resolve.js.map +1 -0
- package/dist/card/revocation.d.ts +96 -0
- package/dist/card/revocation.d.ts.map +1 -0
- package/dist/card/revocation.js +190 -0
- package/dist/card/revocation.js.map +1 -0
- package/dist/card/schema.d.ts +177 -0
- package/dist/card/schema.d.ts.map +1 -0
- package/dist/card/schema.js +119 -0
- package/dist/card/schema.js.map +1 -0
- package/dist/card/verify.d.ts +144 -0
- package/dist/card/verify.d.ts.map +1 -0
- package/dist/card/verify.js +132 -0
- package/dist/card/verify.js.map +1 -0
- package/dist/delegation/bitstring.d.ts +9 -7
- package/dist/delegation/bitstring.d.ts.map +1 -1
- package/dist/delegation/bitstring.js +70 -37
- package/dist/delegation/bitstring.js.map +1 -1
- package/dist/delegation/did-linkage.d.ts +23 -0
- package/dist/delegation/did-linkage.d.ts.map +1 -0
- package/dist/delegation/did-linkage.js +57 -0
- package/dist/delegation/did-linkage.js.map +1 -0
- package/dist/delegation/did-resolver-registry.d.ts +7 -0
- package/dist/delegation/did-resolver-registry.d.ts.map +1 -0
- package/dist/delegation/did-resolver-registry.js +20 -0
- package/dist/delegation/did-resolver-registry.js.map +1 -0
- package/dist/delegation/did-web-resolver.d.ts +29 -18
- package/dist/delegation/did-web-resolver.d.ts.map +1 -1
- package/dist/delegation/did-web-resolver.js +65 -35
- package/dist/delegation/did-web-resolver.js.map +1 -1
- package/dist/delegation/index.d.ts +3 -0
- package/dist/delegation/index.d.ts.map +1 -1
- package/dist/delegation/index.js +3 -0
- package/dist/delegation/index.js.map +1 -1
- package/dist/delegation/statuslist-manager.d.ts.map +1 -1
- package/dist/delegation/statuslist-manager.js +16 -1
- package/dist/delegation/statuslist-manager.js.map +1 -1
- package/dist/delegation/vc-jwt-verify.d.ts +61 -0
- package/dist/delegation/vc-jwt-verify.d.ts.map +1 -0
- package/dist/delegation/vc-jwt-verify.js +131 -0
- package/dist/delegation/vc-jwt-verify.js.map +1 -0
- package/dist/delegation/vc-verification-checks.d.ts +50 -0
- package/dist/delegation/vc-verification-checks.d.ts.map +1 -0
- package/dist/delegation/vc-verification-checks.js +212 -0
- package/dist/delegation/vc-verification-checks.js.map +1 -0
- package/dist/delegation/vc-verifier.d.ts +24 -61
- package/dist/delegation/vc-verifier.d.ts.map +1 -1
- package/dist/delegation/vc-verifier.js +57 -180
- package/dist/delegation/vc-verifier.js.map +1 -1
- package/dist/delegation/vc-verifier.types.d.ts +88 -0
- package/dist/delegation/vc-verifier.types.d.ts.map +1 -0
- package/dist/delegation/vc-verifier.types.js +9 -0
- package/dist/delegation/vc-verifier.types.js.map +1 -0
- package/dist/index.d.ts +8 -4
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +10 -3
- package/dist/index.js.map +1 -1
- package/dist/integrations/cheqd/dlr.d.ts +44 -0
- package/dist/integrations/cheqd/dlr.d.ts.map +1 -0
- package/dist/integrations/cheqd/dlr.js +86 -0
- package/dist/integrations/cheqd/dlr.js.map +1 -0
- package/dist/integrations/cheqd/index.d.ts +5 -0
- package/dist/integrations/cheqd/index.d.ts.map +1 -0
- package/dist/integrations/cheqd/index.js +5 -0
- package/dist/integrations/cheqd/index.js.map +1 -0
- package/dist/integrations/cheqd/linkage.d.ts +20 -0
- package/dist/integrations/cheqd/linkage.d.ts.map +1 -0
- package/dist/integrations/cheqd/linkage.js +32 -0
- package/dist/integrations/cheqd/linkage.js.map +1 -0
- package/dist/integrations/cheqd/registrar.d.ts +85 -0
- package/dist/integrations/cheqd/registrar.d.ts.map +1 -0
- package/dist/integrations/cheqd/registrar.js +304 -0
- package/dist/integrations/cheqd/registrar.js.map +1 -0
- package/dist/integrations/cheqd/resolver.d.ts +38 -0
- package/dist/integrations/cheqd/resolver.d.ts.map +1 -0
- package/dist/integrations/cheqd/resolver.js +156 -0
- package/dist/integrations/cheqd/resolver.js.map +1 -0
- package/dist/middleware/index.d.ts +2 -0
- package/dist/middleware/index.d.ts.map +1 -1
- package/dist/middleware/index.js +5 -0
- package/dist/middleware/index.js.map +1 -1
- package/dist/middleware/kya-os-transport.d.ts +2 -1
- package/dist/middleware/kya-os-transport.d.ts.map +1 -1
- package/dist/middleware/kya-os-transport.js +2 -1
- package/dist/middleware/kya-os-transport.js.map +1 -1
- package/dist/middleware/with-kya-os-server.d.ts +21 -4
- package/dist/middleware/with-kya-os-server.d.ts.map +1 -1
- package/dist/middleware/with-kya-os-server.js +4 -0
- package/dist/middleware/with-kya-os-server.js.map +1 -1
- package/dist/middleware/with-kya-os.config-types.d.ts +139 -0
- package/dist/middleware/with-kya-os.config-types.d.ts.map +1 -0
- package/dist/middleware/with-kya-os.config-types.js +9 -0
- package/dist/middleware/with-kya-os.config-types.js.map +1 -0
- package/dist/middleware/with-kya-os.d.ts +10 -238
- package/dist/middleware/with-kya-os.d.ts.map +1 -1
- package/dist/middleware/with-kya-os.delegation-gate.d.ts +19 -0
- package/dist/middleware/with-kya-os.delegation-gate.d.ts.map +1 -0
- package/dist/middleware/with-kya-os.delegation-gate.js +175 -0
- package/dist/middleware/with-kya-os.delegation-gate.js.map +1 -0
- package/dist/middleware/with-kya-os.delegation-verify.d.ts +51 -0
- package/dist/middleware/with-kya-os.delegation-verify.d.ts.map +1 -0
- package/dist/middleware/with-kya-os.delegation-verify.js +165 -0
- package/dist/middleware/with-kya-os.delegation-verify.js.map +1 -0
- package/dist/middleware/with-kya-os.deps.d.ts +40 -0
- package/dist/middleware/with-kya-os.deps.d.ts.map +1 -0
- package/dist/middleware/with-kya-os.deps.js +9 -0
- package/dist/middleware/with-kya-os.deps.js.map +1 -0
- package/dist/middleware/with-kya-os.grants.d.ts +30 -0
- package/dist/middleware/with-kya-os.grants.d.ts.map +1 -0
- package/dist/middleware/with-kya-os.grants.js +145 -0
- package/dist/middleware/with-kya-os.grants.js.map +1 -0
- package/dist/middleware/with-kya-os.helpers.d.ts +24 -0
- package/dist/middleware/with-kya-os.helpers.d.ts.map +1 -0
- package/dist/middleware/with-kya-os.helpers.js +57 -0
- package/dist/middleware/with-kya-os.helpers.js.map +1 -0
- package/dist/middleware/with-kya-os.js +65 -703
- package/dist/middleware/with-kya-os.js.map +1 -1
- package/dist/middleware/with-kya-os.policy-gate.d.ts +16 -0
- package/dist/middleware/with-kya-os.policy-gate.d.ts.map +1 -0
- package/dist/middleware/with-kya-os.policy-gate.js +98 -0
- package/dist/middleware/with-kya-os.policy-gate.js.map +1 -0
- package/dist/middleware/with-kya-os.protocol.d.ts +29 -0
- package/dist/middleware/with-kya-os.protocol.d.ts.map +1 -0
- package/dist/middleware/with-kya-os.protocol.js +121 -0
- package/dist/middleware/with-kya-os.protocol.js.map +1 -0
- package/dist/middleware/with-kya-os.session.d.ts +32 -0
- package/dist/middleware/with-kya-os.session.d.ts.map +1 -0
- package/dist/middleware/with-kya-os.session.js +201 -0
- package/dist/middleware/with-kya-os.session.js.map +1 -0
- package/dist/middleware/with-kya-os.types.d.ts +178 -0
- package/dist/middleware/with-kya-os.types.d.ts.map +1 -0
- package/dist/middleware/with-kya-os.types.js +13 -0
- package/dist/middleware/with-kya-os.types.js.map +1 -0
- package/dist/proof/generator.d.ts +21 -0
- package/dist/proof/generator.d.ts.map +1 -1
- package/dist/proof/generator.js +21 -0
- package/dist/proof/generator.js.map +1 -1
- package/dist/proof/index.d.ts +1 -1
- package/dist/proof/index.d.ts.map +1 -1
- package/dist/proof/index.js +1 -1
- package/dist/proof/index.js.map +1 -1
- package/dist/proof/verifier.d.ts +26 -3
- package/dist/proof/verifier.d.ts.map +1 -1
- package/dist/proof/verifier.js +54 -24
- package/dist/proof/verifier.js.map +1 -1
- package/dist/providers/grant-store.d.ts +10 -1
- package/dist/providers/grant-store.d.ts.map +1 -1
- package/dist/providers/grant-store.js.map +1 -1
- package/dist/providers/runtime-fetch.d.ts +8 -0
- package/dist/providers/runtime-fetch.d.ts.map +1 -1
- package/dist/providers/runtime-fetch.js +17 -0
- package/dist/providers/runtime-fetch.js.map +1 -1
- package/dist/providers/web-crypto.d.ts.map +1 -1
- package/dist/providers/web-crypto.js +15 -7
- package/dist/providers/web-crypto.js.map +1 -1
- package/dist/session/index.d.ts +1 -0
- package/dist/session/index.d.ts.map +1 -1
- package/dist/session/index.js +1 -0
- package/dist/session/index.js.map +1 -1
- package/dist/session/manager.d.ts +17 -6
- package/dist/session/manager.d.ts.map +1 -1
- package/dist/session/manager.js +16 -26
- package/dist/session/manager.js.map +1 -1
- package/dist/session/session-store.d.ts +78 -0
- package/dist/session/session-store.d.ts.map +1 -0
- package/dist/session/session-store.js +79 -0
- package/dist/session/session-store.js.map +1 -0
- package/dist/types/protocol.d.ts +9 -3
- package/dist/types/protocol.d.ts.map +1 -1
- package/dist/types/protocol.js.map +1 -1
- package/dist/utils/guards.d.ts +2 -0
- package/dist/utils/guards.d.ts.map +1 -0
- package/dist/utils/guards.js +4 -0
- package/dist/utils/guards.js.map +1 -0
- package/dist/utils/index.d.ts +3 -0
- package/dist/utils/index.d.ts.map +1 -1
- package/dist/utils/index.js +3 -0
- package/dist/utils/index.js.map +1 -1
- package/dist/utils/ip-classifier.d.ts +12 -0
- package/dist/utils/ip-classifier.d.ts.map +1 -0
- package/dist/utils/ip-classifier.js +153 -0
- package/dist/utils/ip-classifier.js.map +1 -0
- package/dist/utils/safe-fetch-transports.d.ts +40 -0
- package/dist/utils/safe-fetch-transports.d.ts.map +1 -0
- package/dist/utils/safe-fetch-transports.js +121 -0
- package/dist/utils/safe-fetch-transports.js.map +1 -0
- package/dist/utils/safe-fetch-types.d.ts +66 -0
- package/dist/utils/safe-fetch-types.d.ts.map +1 -0
- package/dist/utils/safe-fetch-types.js +10 -0
- package/dist/utils/safe-fetch-types.js.map +1 -0
- package/dist/utils/safe-fetch.d.ts +40 -0
- package/dist/utils/safe-fetch.d.ts.map +1 -0
- package/dist/utils/safe-fetch.js +188 -0
- package/dist/utils/safe-fetch.js.map +1 -0
- package/dist/utils/statuslist-purpose.d.ts +12 -0
- package/dist/utils/statuslist-purpose.d.ts.map +1 -0
- package/dist/utils/statuslist-purpose.js +19 -0
- package/dist/utils/statuslist-purpose.js.map +1 -0
- package/dist/utils/url.d.ts +2 -0
- package/dist/utils/url.d.ts.map +1 -0
- package/dist/utils/url.js +8 -0
- package/dist/utils/url.js.map +1 -0
- package/package.json +25 -5
- package/schemas/README.md +2 -1
- package/schemas/card-delegation-credential.json +239 -0
- package/schemas/kya-os-card.schema.json +284 -0
|
@@ -0,0 +1,284 @@
|
|
|
1
|
+
{
|
|
2
|
+
"$schema": "https://json-schema.org/draft/2020-12/schema",
|
|
3
|
+
"$id": "https://schema.kya-os.org/v1/protocol/identity/card/v1.1.0",
|
|
4
|
+
"title": "KYA-OS Entity Card",
|
|
5
|
+
"description": "A typed, DID-anchored identity card for a KYA-OS entity (mcp | agent | client | verifier | human). One canonical card is anchored by a `KyaOsEntityCard` service entry on the entity's did:web DID document and projected onto the four discovery surfaces the ecosystem already indexes (MCP server.json / catalog.json `_meta['org.kya-os/card']`, A2A AgentExtension, NANDA AgentFacts, and the MCP catalog entry). The card asserts identity + type + declared capabilities; everything trust-bearing (accountability, attested capabilities, KYC/KYB) is proven by referenced credentials, not self-claimed (claim-minimalism). The sender-constrained holder-of-key proof (`org.kya-os/proof@1`) is NEVER on the static card — it rides per-request `_meta` on top (see detached-proof); `proofProfile` only names the profile a verifier should expect.",
|
|
6
|
+
"type": "object",
|
|
7
|
+
"required": ["id", "entityType", "name"],
|
|
8
|
+
"properties": {
|
|
9
|
+
"id": {
|
|
10
|
+
"type": "string",
|
|
11
|
+
"pattern": "^did:(key|web):.+$",
|
|
12
|
+
"description": "The entity's DID. did:web cards are registry-anchored (trust tiers 1-2 + L2 + KYC/KYB eligible); did:key cards are self-asserted (dev/ephemeral; trust from holder-of-key-on-use only)."
|
|
13
|
+
},
|
|
14
|
+
"entityType": {
|
|
15
|
+
"type": "string",
|
|
16
|
+
"enum": ["mcp", "agent", "client", "verifier", "human"],
|
|
17
|
+
"description": "The kind of entity. tool/skill are sub-resources (capabilities), not entity types. Named 'entityType' to avoid colliding with the deployment-flavour AgentIdentity.type (development|production)."
|
|
18
|
+
},
|
|
19
|
+
"name": {
|
|
20
|
+
"type": "string",
|
|
21
|
+
"minLength": 1,
|
|
22
|
+
"description": "Human-readable display name."
|
|
23
|
+
},
|
|
24
|
+
"kid": {
|
|
25
|
+
"type": "string",
|
|
26
|
+
"description": "Key identifier for the entity's signing key (matches a verification method in the DID document and the JWS header kid of its proofs)."
|
|
27
|
+
},
|
|
28
|
+
"publicKeyJwk": {
|
|
29
|
+
"$ref": "#/$defs/Ed25519PublicJwk",
|
|
30
|
+
"description": "Optional inline public key. MUST match the key published in the DID document; omit to require resolution from didDocument."
|
|
31
|
+
},
|
|
32
|
+
"createdAt": {
|
|
33
|
+
"type": "string",
|
|
34
|
+
"format": "date-time",
|
|
35
|
+
"description": "When the entity/card was created."
|
|
36
|
+
},
|
|
37
|
+
"capabilities": {
|
|
38
|
+
"type": "array",
|
|
39
|
+
"items": { "$ref": "#/$defs/Capability" },
|
|
40
|
+
"description": "Declared capabilities. Bare strings are L1 (self-declared, unattested); objects with attestations are L2 (capability-attested). tool/skill sub-resources appear here, not as top-level cards."
|
|
41
|
+
},
|
|
42
|
+
"conformanceLevel": {
|
|
43
|
+
"type": "string",
|
|
44
|
+
"enum": ["L1", "L2", "L3"],
|
|
45
|
+
"description": "DERIVED, verifier-recomputable summary of the entity's conformance floor: L1 self-declared, L2 capability-attested, L3 holder-of-key + delegation-chain resolution. NOT an independent claim — a verifier recomputes it from capabilities + the live per-request proof."
|
|
46
|
+
},
|
|
47
|
+
"responsibleParty": {
|
|
48
|
+
"type": "string",
|
|
49
|
+
"pattern": "^did:(key|web):.+$",
|
|
50
|
+
"description": "DID of the entity ultimately accountable (= root issuerDid of the delegation chain; SPEC Responsible Party). SHOULD be did:web. Verified via delegationRef against the signed DelegationCredential, not self-asserted."
|
|
51
|
+
},
|
|
52
|
+
"principal": {
|
|
53
|
+
"type": "string",
|
|
54
|
+
"pattern": "^did:(key|web):.+$",
|
|
55
|
+
"description": "Optional DID of the immediate delegator / authorizing human (the runtime userDid), when it differs from responsibleParty (SPEC Principal)."
|
|
56
|
+
},
|
|
57
|
+
"delegationRef": {
|
|
58
|
+
"type": "string",
|
|
59
|
+
"description": "Reference to the signed DelegationCredential chain backing responsibleParty/principal. Format 'vcId>delId', multi-hop joined with '>'. The DelegationCredential VC is authoritative (ADR-001); KYA-OS-Delegation-Chain/-Granted-Scopes headers are advisory."
|
|
60
|
+
},
|
|
61
|
+
"attestations": {
|
|
62
|
+
"type": "array",
|
|
63
|
+
"items": { "$ref": "#/$defs/Attestation" },
|
|
64
|
+
"description": "Resolvable, signed credentials about the entity or its responsibleParty (e.g. IdentityVerification = KYC/KYB). Referenced, not inlined; verified via the trusted-issuer + signature + expiry path. Assert the verification fact + level, not raw PII."
|
|
65
|
+
},
|
|
66
|
+
"didDocument": {
|
|
67
|
+
"type": "string",
|
|
68
|
+
"format": "uri",
|
|
69
|
+
"description": "URL of the entity's DID document (the trust anchor for did:web; integrity derives from domain control). The DID document carries the `KyaOsEntityCard` service entry that anchors this card."
|
|
70
|
+
},
|
|
71
|
+
"proofProfile": {
|
|
72
|
+
"const": "org.kya-os/proof@1",
|
|
73
|
+
"description": "Names the per-request holder-of-key proof profile this entity's requests carry — the stateless, sender-constrained `org.kya-os/proof@1` envelope (distinct from the legacy session-bound ProofMeta). The proof itself is NEVER on this static card; it rides per-request `_meta`. This field only advertises the profile a verifier should expect."
|
|
74
|
+
},
|
|
75
|
+
"cimd": {
|
|
76
|
+
"$ref": "#/$defs/CimdBinding",
|
|
77
|
+
"description": "L1 CIMD (draft-ietf-oauth-client-id-metadata-document) on-ramp coordinates binding the entity's did:web to its OAuth client identity and DID-keyed JWKS."
|
|
78
|
+
},
|
|
79
|
+
"revocation": {
|
|
80
|
+
"$ref": "#/$defs/BitstringStatusListEntry",
|
|
81
|
+
"description": "W3C Bitstring Status List v1.0 revocation entry for this card's backing credential, evaluated through the injected RevocationChecker seam (live at L3, cached/offline at L2)."
|
|
82
|
+
}
|
|
83
|
+
},
|
|
84
|
+
"additionalProperties": false,
|
|
85
|
+
"$defs": {
|
|
86
|
+
"Capability": {
|
|
87
|
+
"description": "A declared capability: an L1 bare-string name, or an L2 object carrying attestations.",
|
|
88
|
+
"oneOf": [
|
|
89
|
+
{
|
|
90
|
+
"type": "string",
|
|
91
|
+
"minLength": 1,
|
|
92
|
+
"description": "L1: self-declared capability name (unattested)."
|
|
93
|
+
},
|
|
94
|
+
{ "$ref": "#/$defs/Level2Capability" }
|
|
95
|
+
]
|
|
96
|
+
},
|
|
97
|
+
"Level2Capability": {
|
|
98
|
+
"type": "object",
|
|
99
|
+
"required": ["name", "attestations"],
|
|
100
|
+
"properties": {
|
|
101
|
+
"name": {
|
|
102
|
+
"type": "string",
|
|
103
|
+
"minLength": 1,
|
|
104
|
+
"description": "Capability name, e.g. 'payments.transfer'."
|
|
105
|
+
},
|
|
106
|
+
"attestations": {
|
|
107
|
+
"type": "array",
|
|
108
|
+
"minItems": 1,
|
|
109
|
+
"items": { "$ref": "#/$defs/CapabilityAttestation" },
|
|
110
|
+
"description": "At least one attestation; the capability is L2 if at least one verifies (signature + trusted issuer + subject + capability match + validity)."
|
|
111
|
+
}
|
|
112
|
+
},
|
|
113
|
+
"additionalProperties": false
|
|
114
|
+
},
|
|
115
|
+
"CapabilityAttestation": {
|
|
116
|
+
"type": "object",
|
|
117
|
+
"required": ["vc"],
|
|
118
|
+
"properties": {
|
|
119
|
+
"vc": {
|
|
120
|
+
"type": ["string", "object"],
|
|
121
|
+
"description": "A CapabilityAttestationCredential — compact VC-JWT string or pre-parsed object. issuer MUST be a trusted issuer (default did:web:example.com); credentialSubject.id MUST equal the card id; credentialSubject.capability MUST equal the capability name; validUntil MUST be in the future."
|
|
122
|
+
}
|
|
123
|
+
},
|
|
124
|
+
"additionalProperties": true
|
|
125
|
+
},
|
|
126
|
+
"Attestation": {
|
|
127
|
+
"type": "object",
|
|
128
|
+
"required": ["type", "vc"],
|
|
129
|
+
"properties": {
|
|
130
|
+
"type": {
|
|
131
|
+
"type": "string",
|
|
132
|
+
"enum": ["IdentityVerification", "CapabilityAttestation"],
|
|
133
|
+
"description": "Attestation kind. IdentityVerification is the registry-issued KYC (individual) / KYB (organization) credential."
|
|
134
|
+
},
|
|
135
|
+
"vc": {
|
|
136
|
+
"type": ["string", "object"],
|
|
137
|
+
"description": "The signed Verifiable Credential (compact VC-JWT string or object), resolved + verified via the trusted-issuer path. For IdentityVerification: credentialSubject = { id: <subject DID>, subjectType: 'individual'|'organization', verificationLevel: 'basic'|'enhanced'|'loa3', provider }."
|
|
138
|
+
},
|
|
139
|
+
"subject": {
|
|
140
|
+
"type": "string",
|
|
141
|
+
"pattern": "^did:(key|web):.+$",
|
|
142
|
+
"description": "DID the attestation is about. For KYC/KYB this is the responsibleParty, not the agent."
|
|
143
|
+
},
|
|
144
|
+
"issuer": {
|
|
145
|
+
"type": "string",
|
|
146
|
+
"pattern": "^did:(key|web):.+$",
|
|
147
|
+
"description": "Issuer DID. MUST be in the trusted-issuer allowlist (default did:web:example.com)."
|
|
148
|
+
}
|
|
149
|
+
},
|
|
150
|
+
"additionalProperties": false
|
|
151
|
+
},
|
|
152
|
+
"Ed25519PublicJwk": {
|
|
153
|
+
"type": "object",
|
|
154
|
+
"required": ["kty", "crv", "x"],
|
|
155
|
+
"properties": {
|
|
156
|
+
"kty": { "const": "OKP" },
|
|
157
|
+
"crv": { "const": "Ed25519" },
|
|
158
|
+
"x": { "type": "string", "description": "Base64url-encoded Ed25519 public key." },
|
|
159
|
+
"kid": { "type": "string" },
|
|
160
|
+
"use": { "type": "string" }
|
|
161
|
+
},
|
|
162
|
+
"additionalProperties": false
|
|
163
|
+
},
|
|
164
|
+
"CimdBinding": {
|
|
165
|
+
"type": "object",
|
|
166
|
+
"description": "CIMD on-ramp binding: the client_id ↔ did:web bijection and the DID-keyed JWKS the AS validates private_key_jwt against (so OAuth client-auth IS a DID-key proof, closing L1→L3).",
|
|
167
|
+
"required": ["clientId", "jwksUri"],
|
|
168
|
+
"properties": {
|
|
169
|
+
"clientId": {
|
|
170
|
+
"type": "string",
|
|
171
|
+
"minLength": 1,
|
|
172
|
+
"description": "The OAuth client_id — the did:web HTTPS form (did:web:host:a:b ⇄ https://host/a/b). Its origin MUST equal the did:web host and the jwksUri origin (origin-equality, fail-closed)."
|
|
173
|
+
},
|
|
174
|
+
"jwksUri": {
|
|
175
|
+
"type": "string",
|
|
176
|
+
"minLength": 1,
|
|
177
|
+
"description": "JWKS endpoint that is a mechanical projection of the DID document's verificationMethod[] (Ed25519 → OKP JWK, kid preserved)."
|
|
178
|
+
}
|
|
179
|
+
},
|
|
180
|
+
"additionalProperties": false
|
|
181
|
+
},
|
|
182
|
+
"BitstringStatusListEntry": {
|
|
183
|
+
"type": "object",
|
|
184
|
+
"description": "W3C Bitstring Status List v1.0 credentialStatus entry — the StatusList2021Entry successor. `statusListIndex` is an integer expressed as a string per the spec.",
|
|
185
|
+
"required": ["statusListCredential", "statusListIndex"],
|
|
186
|
+
"properties": {
|
|
187
|
+
"statusListCredential": {
|
|
188
|
+
"type": "string",
|
|
189
|
+
"minLength": 1,
|
|
190
|
+
"description": "URL of the Bitstring Status List credential."
|
|
191
|
+
},
|
|
192
|
+
"statusListIndex": {
|
|
193
|
+
"type": "string",
|
|
194
|
+
"pattern": "^[0-9]+$",
|
|
195
|
+
"description": "Index in the status-list bitstring — a non-negative canonical decimal string (no whitespace, hex, or scientific notation), matching the fail-closed runtime parse."
|
|
196
|
+
}
|
|
197
|
+
},
|
|
198
|
+
"additionalProperties": false
|
|
199
|
+
}
|
|
200
|
+
},
|
|
201
|
+
"examples": [
|
|
202
|
+
{
|
|
203
|
+
"id": "did:web:example.com:agents:acme-pay",
|
|
204
|
+
"entityType": "agent",
|
|
205
|
+
"name": "Acme Pay Agent",
|
|
206
|
+
"kid": "did:web:example.com:agents:acme-pay#key-1",
|
|
207
|
+
"createdAt": "2026-06-01T00:00:00Z",
|
|
208
|
+
"capabilities": [
|
|
209
|
+
"handshake",
|
|
210
|
+
{
|
|
211
|
+
"name": "payments.transfer",
|
|
212
|
+
"attestations": [
|
|
213
|
+
{ "vc": "eyJhbGciOiJFZERTQSJ9.eyJ2YyI6e319.sig" }
|
|
214
|
+
]
|
|
215
|
+
}
|
|
216
|
+
],
|
|
217
|
+
"conformanceLevel": "L2",
|
|
218
|
+
"responsibleParty": "did:web:example.com:org:acme",
|
|
219
|
+
"principal": "did:web:example.com:users:jane",
|
|
220
|
+
"delegationRef": "vc_root>del_123",
|
|
221
|
+
"attestations": [
|
|
222
|
+
{
|
|
223
|
+
"type": "IdentityVerification",
|
|
224
|
+
"vc": "eyJhbGciOiJFZERTQSJ9.eyJ2YyI6e319.sig",
|
|
225
|
+
"subject": "did:web:example.com:org:acme",
|
|
226
|
+
"issuer": "did:web:example.com"
|
|
227
|
+
}
|
|
228
|
+
],
|
|
229
|
+
"didDocument": "https://example.com/agents/acme-pay/did.json"
|
|
230
|
+
},
|
|
231
|
+
{
|
|
232
|
+
"id": "did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK",
|
|
233
|
+
"entityType": "client",
|
|
234
|
+
"name": "KYA-OS Inspector (dev)",
|
|
235
|
+
"capabilities": ["handshake", "signing", "verification"],
|
|
236
|
+
"conformanceLevel": "L1",
|
|
237
|
+
"proofProfile": "org.kya-os/proof@1"
|
|
238
|
+
},
|
|
239
|
+
{
|
|
240
|
+
"id": "did:web:example.com:mcp:acme-search",
|
|
241
|
+
"entityType": "mcp",
|
|
242
|
+
"name": "Acme Search MCP",
|
|
243
|
+
"kid": "did:web:example.com:mcp:acme-search#key-1",
|
|
244
|
+
"createdAt": "2026-06-01T00:00:00Z",
|
|
245
|
+
"capabilities": [
|
|
246
|
+
"tools.list",
|
|
247
|
+
{
|
|
248
|
+
"name": "tools.call",
|
|
249
|
+
"attestations": [
|
|
250
|
+
{ "vc": "eyJhbGciOiJFZERTQSJ9.eyJ2YyI6e319.sig" }
|
|
251
|
+
]
|
|
252
|
+
}
|
|
253
|
+
],
|
|
254
|
+
"conformanceLevel": "L3",
|
|
255
|
+
"responsibleParty": "did:web:example.com:org:acme",
|
|
256
|
+
"delegationRef": "vc_root>del_mcp",
|
|
257
|
+
"didDocument": "https://example.com/mcp/acme-search/did.json",
|
|
258
|
+
"proofProfile": "org.kya-os/proof@1",
|
|
259
|
+
"cimd": {
|
|
260
|
+
"clientId": "https://example.com/mcp/acme-search",
|
|
261
|
+
"jwksUri": "https://example.com/mcp/acme-search/jwks.json"
|
|
262
|
+
},
|
|
263
|
+
"revocation": {
|
|
264
|
+
"statusListCredential": "https://example.com/status/1",
|
|
265
|
+
"statusListIndex": "94567"
|
|
266
|
+
}
|
|
267
|
+
},
|
|
268
|
+
{
|
|
269
|
+
"id": "did:web:example.com:clients:acme-cli",
|
|
270
|
+
"entityType": "client",
|
|
271
|
+
"name": "Acme CLI",
|
|
272
|
+
"kid": "did:web:example.com:clients:acme-cli#key-1",
|
|
273
|
+
"capabilities": ["handshake"],
|
|
274
|
+
"conformanceLevel": "L1",
|
|
275
|
+
"responsibleParty": "did:web:example.com:org:acme",
|
|
276
|
+
"didDocument": "https://example.com/clients/acme-cli/did.json",
|
|
277
|
+
"proofProfile": "org.kya-os/proof@1",
|
|
278
|
+
"cimd": {
|
|
279
|
+
"clientId": "https://example.com/clients/acme-cli",
|
|
280
|
+
"jwksUri": "https://example.com/clients/acme-cli/jwks.json"
|
|
281
|
+
}
|
|
282
|
+
}
|
|
283
|
+
]
|
|
284
|
+
}
|