@kya-os/mcp 1.6.1 → 1.9.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +117 -0
- package/README.md +228 -3
- package/dist/authz/index.d.ts +1 -0
- package/dist/authz/index.d.ts.map +1 -1
- package/dist/authz/index.js +1 -0
- package/dist/authz/index.js.map +1 -1
- package/dist/authz/oidc/oidc-adapter.d.ts +10 -2
- package/dist/authz/oidc/oidc-adapter.d.ts.map +1 -1
- package/dist/authz/oidc/oidc-adapter.js +18 -9
- package/dist/authz/oidc/oidc-adapter.js.map +1 -1
- package/dist/authz/oidc/pending-flow-store.d.ts +80 -0
- package/dist/authz/oidc/pending-flow-store.d.ts.map +1 -0
- package/dist/authz/oidc/pending-flow-store.js +82 -0
- package/dist/authz/oidc/pending-flow-store.js.map +1 -0
- package/dist/card/build.d.ts +41 -0
- package/dist/card/build.d.ts.map +1 -0
- package/dist/card/build.js +47 -0
- package/dist/card/build.js.map +1 -0
- package/dist/card/builder.d.ts +99 -0
- package/dist/card/builder.d.ts.map +1 -0
- package/dist/card/builder.js +147 -0
- package/dist/card/builder.js.map +1 -0
- package/dist/card/cimd.d.ts +92 -0
- package/dist/card/cimd.d.ts.map +1 -0
- package/dist/card/cimd.js +225 -0
- package/dist/card/cimd.js.map +1 -0
- package/dist/card/delegation.d.ts +145 -0
- package/dist/card/delegation.d.ts.map +1 -0
- package/dist/card/delegation.js +293 -0
- package/dist/card/delegation.js.map +1 -0
- package/dist/card/emit.d.ts +133 -0
- package/dist/card/emit.d.ts.map +1 -0
- package/dist/card/emit.js +127 -0
- package/dist/card/emit.js.map +1 -0
- package/dist/card/index.d.ts +43 -0
- package/dist/card/index.d.ts.map +1 -0
- package/dist/card/index.js +46 -0
- package/dist/card/index.js.map +1 -0
- package/dist/card/middleware.d.ts +112 -0
- package/dist/card/middleware.d.ts.map +1 -0
- package/dist/card/middleware.js +121 -0
- package/dist/card/middleware.js.map +1 -0
- package/dist/card/proof/build.d.ts +22 -0
- package/dist/card/proof/build.d.ts.map +1 -0
- package/dist/card/proof/build.js +55 -0
- package/dist/card/proof/build.js.map +1 -0
- package/dist/card/proof/canonical.d.ts +66 -0
- package/dist/card/proof/canonical.d.ts.map +1 -0
- package/dist/card/proof/canonical.js +131 -0
- package/dist/card/proof/canonical.js.map +1 -0
- package/dist/card/proof/http-sig.d.ts +69 -0
- package/dist/card/proof/http-sig.d.ts.map +1 -0
- package/dist/card/proof/http-sig.js +101 -0
- package/dist/card/proof/http-sig.js.map +1 -0
- package/dist/card/proof/index.d.ts +25 -0
- package/dist/card/proof/index.d.ts.map +1 -0
- package/dist/card/proof/index.js +25 -0
- package/dist/card/proof/index.js.map +1 -0
- package/dist/card/proof/nonce-cache.d.ts +67 -0
- package/dist/card/proof/nonce-cache.d.ts.map +1 -0
- package/dist/card/proof/nonce-cache.js +88 -0
- package/dist/card/proof/nonce-cache.js.map +1 -0
- package/dist/card/proof/signer.d.ts +32 -0
- package/dist/card/proof/signer.d.ts.map +1 -0
- package/dist/card/proof/signer.js +59 -0
- package/dist/card/proof/signer.js.map +1 -0
- package/dist/card/proof/types.d.ts +219 -0
- package/dist/card/proof/types.d.ts.map +1 -0
- package/dist/card/proof/types.js +87 -0
- package/dist/card/proof/types.js.map +1 -0
- package/dist/card/proof/verify.d.ts +27 -0
- package/dist/card/proof/verify.d.ts.map +1 -0
- package/dist/card/proof/verify.js +236 -0
- package/dist/card/proof/verify.js.map +1 -0
- package/dist/card/resolve.d.ts +97 -0
- package/dist/card/resolve.d.ts.map +1 -0
- package/dist/card/resolve.js +223 -0
- package/dist/card/resolve.js.map +1 -0
- package/dist/card/revocation.d.ts +96 -0
- package/dist/card/revocation.d.ts.map +1 -0
- package/dist/card/revocation.js +190 -0
- package/dist/card/revocation.js.map +1 -0
- package/dist/card/schema.d.ts +177 -0
- package/dist/card/schema.d.ts.map +1 -0
- package/dist/card/schema.js +119 -0
- package/dist/card/schema.js.map +1 -0
- package/dist/card/verify.d.ts +144 -0
- package/dist/card/verify.d.ts.map +1 -0
- package/dist/card/verify.js +132 -0
- package/dist/card/verify.js.map +1 -0
- package/dist/delegation/bitstring.d.ts +9 -7
- package/dist/delegation/bitstring.d.ts.map +1 -1
- package/dist/delegation/bitstring.js +70 -37
- package/dist/delegation/bitstring.js.map +1 -1
- package/dist/delegation/did-linkage.d.ts +23 -0
- package/dist/delegation/did-linkage.d.ts.map +1 -0
- package/dist/delegation/did-linkage.js +57 -0
- package/dist/delegation/did-linkage.js.map +1 -0
- package/dist/delegation/did-resolver-registry.d.ts +7 -0
- package/dist/delegation/did-resolver-registry.d.ts.map +1 -0
- package/dist/delegation/did-resolver-registry.js +20 -0
- package/dist/delegation/did-resolver-registry.js.map +1 -0
- package/dist/delegation/did-web-resolver.d.ts +29 -18
- package/dist/delegation/did-web-resolver.d.ts.map +1 -1
- package/dist/delegation/did-web-resolver.js +65 -35
- package/dist/delegation/did-web-resolver.js.map +1 -1
- package/dist/delegation/index.d.ts +3 -0
- package/dist/delegation/index.d.ts.map +1 -1
- package/dist/delegation/index.js +3 -0
- package/dist/delegation/index.js.map +1 -1
- package/dist/delegation/statuslist-manager.d.ts.map +1 -1
- package/dist/delegation/statuslist-manager.js +16 -1
- package/dist/delegation/statuslist-manager.js.map +1 -1
- package/dist/delegation/vc-jwt-verify.d.ts +61 -0
- package/dist/delegation/vc-jwt-verify.d.ts.map +1 -0
- package/dist/delegation/vc-jwt-verify.js +131 -0
- package/dist/delegation/vc-jwt-verify.js.map +1 -0
- package/dist/delegation/vc-verification-checks.d.ts +50 -0
- package/dist/delegation/vc-verification-checks.d.ts.map +1 -0
- package/dist/delegation/vc-verification-checks.js +212 -0
- package/dist/delegation/vc-verification-checks.js.map +1 -0
- package/dist/delegation/vc-verifier.d.ts +24 -61
- package/dist/delegation/vc-verifier.d.ts.map +1 -1
- package/dist/delegation/vc-verifier.js +57 -180
- package/dist/delegation/vc-verifier.js.map +1 -1
- package/dist/delegation/vc-verifier.types.d.ts +88 -0
- package/dist/delegation/vc-verifier.types.d.ts.map +1 -0
- package/dist/delegation/vc-verifier.types.js +9 -0
- package/dist/delegation/vc-verifier.types.js.map +1 -0
- package/dist/index.d.ts +8 -4
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +10 -3
- package/dist/index.js.map +1 -1
- package/dist/integrations/cheqd/dlr.d.ts +44 -0
- package/dist/integrations/cheqd/dlr.d.ts.map +1 -0
- package/dist/integrations/cheqd/dlr.js +86 -0
- package/dist/integrations/cheqd/dlr.js.map +1 -0
- package/dist/integrations/cheqd/index.d.ts +5 -0
- package/dist/integrations/cheqd/index.d.ts.map +1 -0
- package/dist/integrations/cheqd/index.js +5 -0
- package/dist/integrations/cheqd/index.js.map +1 -0
- package/dist/integrations/cheqd/linkage.d.ts +20 -0
- package/dist/integrations/cheqd/linkage.d.ts.map +1 -0
- package/dist/integrations/cheqd/linkage.js +32 -0
- package/dist/integrations/cheqd/linkage.js.map +1 -0
- package/dist/integrations/cheqd/registrar.d.ts +85 -0
- package/dist/integrations/cheqd/registrar.d.ts.map +1 -0
- package/dist/integrations/cheqd/registrar.js +304 -0
- package/dist/integrations/cheqd/registrar.js.map +1 -0
- package/dist/integrations/cheqd/resolver.d.ts +38 -0
- package/dist/integrations/cheqd/resolver.d.ts.map +1 -0
- package/dist/integrations/cheqd/resolver.js +156 -0
- package/dist/integrations/cheqd/resolver.js.map +1 -0
- package/dist/middleware/index.d.ts +2 -0
- package/dist/middleware/index.d.ts.map +1 -1
- package/dist/middleware/index.js +5 -0
- package/dist/middleware/index.js.map +1 -1
- package/dist/middleware/kya-os-transport.d.ts +2 -1
- package/dist/middleware/kya-os-transport.d.ts.map +1 -1
- package/dist/middleware/kya-os-transport.js +2 -1
- package/dist/middleware/kya-os-transport.js.map +1 -1
- package/dist/middleware/with-kya-os-server.d.ts +21 -4
- package/dist/middleware/with-kya-os-server.d.ts.map +1 -1
- package/dist/middleware/with-kya-os-server.js +4 -0
- package/dist/middleware/with-kya-os-server.js.map +1 -1
- package/dist/middleware/with-kya-os.config-types.d.ts +139 -0
- package/dist/middleware/with-kya-os.config-types.d.ts.map +1 -0
- package/dist/middleware/with-kya-os.config-types.js +9 -0
- package/dist/middleware/with-kya-os.config-types.js.map +1 -0
- package/dist/middleware/with-kya-os.d.ts +10 -238
- package/dist/middleware/with-kya-os.d.ts.map +1 -1
- package/dist/middleware/with-kya-os.delegation-gate.d.ts +19 -0
- package/dist/middleware/with-kya-os.delegation-gate.d.ts.map +1 -0
- package/dist/middleware/with-kya-os.delegation-gate.js +175 -0
- package/dist/middleware/with-kya-os.delegation-gate.js.map +1 -0
- package/dist/middleware/with-kya-os.delegation-verify.d.ts +51 -0
- package/dist/middleware/with-kya-os.delegation-verify.d.ts.map +1 -0
- package/dist/middleware/with-kya-os.delegation-verify.js +165 -0
- package/dist/middleware/with-kya-os.delegation-verify.js.map +1 -0
- package/dist/middleware/with-kya-os.deps.d.ts +40 -0
- package/dist/middleware/with-kya-os.deps.d.ts.map +1 -0
- package/dist/middleware/with-kya-os.deps.js +9 -0
- package/dist/middleware/with-kya-os.deps.js.map +1 -0
- package/dist/middleware/with-kya-os.grants.d.ts +30 -0
- package/dist/middleware/with-kya-os.grants.d.ts.map +1 -0
- package/dist/middleware/with-kya-os.grants.js +145 -0
- package/dist/middleware/with-kya-os.grants.js.map +1 -0
- package/dist/middleware/with-kya-os.helpers.d.ts +24 -0
- package/dist/middleware/with-kya-os.helpers.d.ts.map +1 -0
- package/dist/middleware/with-kya-os.helpers.js +57 -0
- package/dist/middleware/with-kya-os.helpers.js.map +1 -0
- package/dist/middleware/with-kya-os.js +65 -703
- package/dist/middleware/with-kya-os.js.map +1 -1
- package/dist/middleware/with-kya-os.policy-gate.d.ts +16 -0
- package/dist/middleware/with-kya-os.policy-gate.d.ts.map +1 -0
- package/dist/middleware/with-kya-os.policy-gate.js +98 -0
- package/dist/middleware/with-kya-os.policy-gate.js.map +1 -0
- package/dist/middleware/with-kya-os.protocol.d.ts +29 -0
- package/dist/middleware/with-kya-os.protocol.d.ts.map +1 -0
- package/dist/middleware/with-kya-os.protocol.js +121 -0
- package/dist/middleware/with-kya-os.protocol.js.map +1 -0
- package/dist/middleware/with-kya-os.session.d.ts +32 -0
- package/dist/middleware/with-kya-os.session.d.ts.map +1 -0
- package/dist/middleware/with-kya-os.session.js +201 -0
- package/dist/middleware/with-kya-os.session.js.map +1 -0
- package/dist/middleware/with-kya-os.types.d.ts +178 -0
- package/dist/middleware/with-kya-os.types.d.ts.map +1 -0
- package/dist/middleware/with-kya-os.types.js +13 -0
- package/dist/middleware/with-kya-os.types.js.map +1 -0
- package/dist/proof/generator.d.ts +21 -0
- package/dist/proof/generator.d.ts.map +1 -1
- package/dist/proof/generator.js +21 -0
- package/dist/proof/generator.js.map +1 -1
- package/dist/proof/index.d.ts +1 -1
- package/dist/proof/index.d.ts.map +1 -1
- package/dist/proof/index.js +1 -1
- package/dist/proof/index.js.map +1 -1
- package/dist/proof/verifier.d.ts +26 -3
- package/dist/proof/verifier.d.ts.map +1 -1
- package/dist/proof/verifier.js +54 -24
- package/dist/proof/verifier.js.map +1 -1
- package/dist/providers/grant-store.d.ts +10 -1
- package/dist/providers/grant-store.d.ts.map +1 -1
- package/dist/providers/grant-store.js.map +1 -1
- package/dist/providers/runtime-fetch.d.ts +8 -0
- package/dist/providers/runtime-fetch.d.ts.map +1 -1
- package/dist/providers/runtime-fetch.js +17 -0
- package/dist/providers/runtime-fetch.js.map +1 -1
- package/dist/providers/web-crypto.d.ts.map +1 -1
- package/dist/providers/web-crypto.js +15 -7
- package/dist/providers/web-crypto.js.map +1 -1
- package/dist/session/index.d.ts +1 -0
- package/dist/session/index.d.ts.map +1 -1
- package/dist/session/index.js +1 -0
- package/dist/session/index.js.map +1 -1
- package/dist/session/manager.d.ts +17 -6
- package/dist/session/manager.d.ts.map +1 -1
- package/dist/session/manager.js +16 -26
- package/dist/session/manager.js.map +1 -1
- package/dist/session/session-store.d.ts +78 -0
- package/dist/session/session-store.d.ts.map +1 -0
- package/dist/session/session-store.js +79 -0
- package/dist/session/session-store.js.map +1 -0
- package/dist/types/protocol.d.ts +9 -3
- package/dist/types/protocol.d.ts.map +1 -1
- package/dist/types/protocol.js.map +1 -1
- package/dist/utils/guards.d.ts +2 -0
- package/dist/utils/guards.d.ts.map +1 -0
- package/dist/utils/guards.js +4 -0
- package/dist/utils/guards.js.map +1 -0
- package/dist/utils/index.d.ts +3 -0
- package/dist/utils/index.d.ts.map +1 -1
- package/dist/utils/index.js +3 -0
- package/dist/utils/index.js.map +1 -1
- package/dist/utils/ip-classifier.d.ts +12 -0
- package/dist/utils/ip-classifier.d.ts.map +1 -0
- package/dist/utils/ip-classifier.js +153 -0
- package/dist/utils/ip-classifier.js.map +1 -0
- package/dist/utils/safe-fetch-transports.d.ts +40 -0
- package/dist/utils/safe-fetch-transports.d.ts.map +1 -0
- package/dist/utils/safe-fetch-transports.js +121 -0
- package/dist/utils/safe-fetch-transports.js.map +1 -0
- package/dist/utils/safe-fetch-types.d.ts +66 -0
- package/dist/utils/safe-fetch-types.d.ts.map +1 -0
- package/dist/utils/safe-fetch-types.js +10 -0
- package/dist/utils/safe-fetch-types.js.map +1 -0
- package/dist/utils/safe-fetch.d.ts +40 -0
- package/dist/utils/safe-fetch.d.ts.map +1 -0
- package/dist/utils/safe-fetch.js +188 -0
- package/dist/utils/safe-fetch.js.map +1 -0
- package/dist/utils/statuslist-purpose.d.ts +12 -0
- package/dist/utils/statuslist-purpose.d.ts.map +1 -0
- package/dist/utils/statuslist-purpose.js +19 -0
- package/dist/utils/statuslist-purpose.js.map +1 -0
- package/dist/utils/url.d.ts +2 -0
- package/dist/utils/url.d.ts.map +1 -0
- package/dist/utils/url.js +8 -0
- package/dist/utils/url.js.map +1 -0
- package/package.json +25 -5
- package/schemas/README.md +2 -1
- package/schemas/card-delegation-credential.json +239 -0
- package/schemas/kya-os-card.schema.json +284 -0
|
@@ -0,0 +1,177 @@
|
|
|
1
|
+
import { z } from 'zod';
|
|
2
|
+
/**
|
|
3
|
+
* Zod schema for the KYA-OS Entity Card — the runtime source of truth, mirroring
|
|
4
|
+
* `schemas/kya-os-card.schema.json` (the published JSON Schema). Types are derived
|
|
5
|
+
* via `z.infer`, matching the package convention (see `src/authz/requirement.ts`).
|
|
6
|
+
*/
|
|
7
|
+
/** A `did:key` or `did:web` DID — the single source of truth for the DID shape (imported, never re-declared). */
|
|
8
|
+
export declare const Did: z.ZodString;
|
|
9
|
+
export declare const EntityTypeSchema: z.ZodEnum<{
|
|
10
|
+
mcp: "mcp";
|
|
11
|
+
agent: "agent";
|
|
12
|
+
client: "client";
|
|
13
|
+
verifier: "verifier";
|
|
14
|
+
human: "human";
|
|
15
|
+
}>;
|
|
16
|
+
export declare const ConformanceLevelSchema: z.ZodEnum<{
|
|
17
|
+
L1: "L1";
|
|
18
|
+
L2: "L2";
|
|
19
|
+
L3: "L3";
|
|
20
|
+
}>;
|
|
21
|
+
export declare const Ed25519PublicJwkSchema: z.ZodObject<{
|
|
22
|
+
kty: z.ZodLiteral<"OKP">;
|
|
23
|
+
crv: z.ZodLiteral<"Ed25519">;
|
|
24
|
+
x: z.ZodString;
|
|
25
|
+
kid: z.ZodOptional<z.ZodString>;
|
|
26
|
+
use: z.ZodOptional<z.ZodString>;
|
|
27
|
+
}, z.core.$strict>;
|
|
28
|
+
/** A P-256 public JWK — the ES256 (ECDSA, FIPS-eligible) proof-signing key. */
|
|
29
|
+
export declare const P256PublicJwkSchema: z.ZodObject<{
|
|
30
|
+
kty: z.ZodLiteral<"EC">;
|
|
31
|
+
crv: z.ZodLiteral<"P-256">;
|
|
32
|
+
x: z.ZodString;
|
|
33
|
+
y: z.ZodString;
|
|
34
|
+
kid: z.ZodOptional<z.ZodString>;
|
|
35
|
+
use: z.ZodOptional<z.ZodString>;
|
|
36
|
+
}, z.core.$strict>;
|
|
37
|
+
/** A proof-signing public JWK: Ed25519 (EdDSA) or P-256 (ES256) — the two profile algorithms. */
|
|
38
|
+
export declare const ProofPublicJwkSchema: z.ZodUnion<readonly [z.ZodObject<{
|
|
39
|
+
kty: z.ZodLiteral<"OKP">;
|
|
40
|
+
crv: z.ZodLiteral<"Ed25519">;
|
|
41
|
+
x: z.ZodString;
|
|
42
|
+
kid: z.ZodOptional<z.ZodString>;
|
|
43
|
+
use: z.ZodOptional<z.ZodString>;
|
|
44
|
+
}, z.core.$strict>, z.ZodObject<{
|
|
45
|
+
kty: z.ZodLiteral<"EC">;
|
|
46
|
+
crv: z.ZodLiteral<"P-256">;
|
|
47
|
+
x: z.ZodString;
|
|
48
|
+
y: z.ZodString;
|
|
49
|
+
kid: z.ZodOptional<z.ZodString>;
|
|
50
|
+
use: z.ZodOptional<z.ZodString>;
|
|
51
|
+
}, z.core.$strict>]>;
|
|
52
|
+
/**
|
|
53
|
+
* Deliberately NON-strict: the JSON Schema marks `CapabilityAttestation` as
|
|
54
|
+
* `additionalProperties: true`, so extra keys alongside `vc` are permitted here.
|
|
55
|
+
*/
|
|
56
|
+
export declare const CapabilityAttestationSchema: z.ZodObject<{
|
|
57
|
+
vc: z.ZodUnion<readonly [z.ZodString, z.ZodRecord<z.ZodString, z.ZodUnknown>]>;
|
|
58
|
+
}, z.core.$strip>;
|
|
59
|
+
export declare const Level2CapabilitySchema: z.ZodObject<{
|
|
60
|
+
name: z.ZodString;
|
|
61
|
+
attestations: z.ZodArray<z.ZodObject<{
|
|
62
|
+
vc: z.ZodUnion<readonly [z.ZodString, z.ZodRecord<z.ZodString, z.ZodUnknown>]>;
|
|
63
|
+
}, z.core.$strip>>;
|
|
64
|
+
}, z.core.$strict>;
|
|
65
|
+
/** L1 bare-string name, or an L2 object carrying attestations. */
|
|
66
|
+
export declare const CapabilitySchema: z.ZodUnion<readonly [z.ZodString, z.ZodObject<{
|
|
67
|
+
name: z.ZodString;
|
|
68
|
+
attestations: z.ZodArray<z.ZodObject<{
|
|
69
|
+
vc: z.ZodUnion<readonly [z.ZodString, z.ZodRecord<z.ZodString, z.ZodUnknown>]>;
|
|
70
|
+
}, z.core.$strip>>;
|
|
71
|
+
}, z.core.$strict>]>;
|
|
72
|
+
export declare const AttestationSchema: z.ZodObject<{
|
|
73
|
+
type: z.ZodEnum<{
|
|
74
|
+
IdentityVerification: "IdentityVerification";
|
|
75
|
+
CapabilityAttestation: "CapabilityAttestation";
|
|
76
|
+
}>;
|
|
77
|
+
vc: z.ZodUnion<readonly [z.ZodString, z.ZodRecord<z.ZodString, z.ZodUnknown>]>;
|
|
78
|
+
subject: z.ZodOptional<z.ZodString>;
|
|
79
|
+
issuer: z.ZodOptional<z.ZodString>;
|
|
80
|
+
}, z.core.$strict>;
|
|
81
|
+
/** The canonical per-request proof profile id — the ONE source of truth every consumer
|
|
82
|
+
* references (the proof's `prf` tag, its `_meta` key, and the card's `proofProfile` field). */
|
|
83
|
+
export declare const PROOF_PROFILE_ID = "org.kya-os/proof@1";
|
|
84
|
+
/**
|
|
85
|
+
* Self-declared per-request holder-of-key proof profile. A card carrying this advertises
|
|
86
|
+
* that its requests ride the stateless, sender-constrained `org.kya-os/proof@1` envelope
|
|
87
|
+
* (distinct from the legacy session-bound ProofMeta). The proof itself is NEVER on the
|
|
88
|
+
* static card — it rides per-request `_meta`; this field only names the profile.
|
|
89
|
+
*/
|
|
90
|
+
export declare const ProofProfileSchema: z.ZodLiteral<"org.kya-os/proof@1">;
|
|
91
|
+
/**
|
|
92
|
+
* CIMD (draft-ietf-oauth-client-id-metadata-document) binding — the L1 on-ramp
|
|
93
|
+
* coordinates. `clientId` is the `did:web` HTTPS form; `jwksUri` is the DID-keyed JWKS the
|
|
94
|
+
* AS validates `private_key_jwt` against (so OAuth client-auth IS a DID-key proof).
|
|
95
|
+
*/
|
|
96
|
+
export declare const CimdBindingSchema: z.ZodObject<{
|
|
97
|
+
clientId: z.ZodString;
|
|
98
|
+
jwksUri: z.ZodString;
|
|
99
|
+
}, z.core.$strict>;
|
|
100
|
+
/**
|
|
101
|
+
* W3C Bitstring Status List v1.0 `credentialStatus` entry — the StatusList2021
|
|
102
|
+
* SUCCESSOR. `statusListIndex` is an integer expressed as a string (per the spec).
|
|
103
|
+
*/
|
|
104
|
+
export declare const BitstringStatusListEntrySchema: z.ZodObject<{
|
|
105
|
+
statusListCredential: z.ZodString;
|
|
106
|
+
statusListIndex: z.ZodString;
|
|
107
|
+
}, z.core.$strict>;
|
|
108
|
+
export declare const EntityCardSchema: z.ZodObject<{
|
|
109
|
+
id: z.ZodString;
|
|
110
|
+
entityType: z.ZodEnum<{
|
|
111
|
+
mcp: "mcp";
|
|
112
|
+
agent: "agent";
|
|
113
|
+
client: "client";
|
|
114
|
+
verifier: "verifier";
|
|
115
|
+
human: "human";
|
|
116
|
+
}>;
|
|
117
|
+
name: z.ZodString;
|
|
118
|
+
kid: z.ZodOptional<z.ZodString>;
|
|
119
|
+
publicKeyJwk: z.ZodOptional<z.ZodObject<{
|
|
120
|
+
kty: z.ZodLiteral<"OKP">;
|
|
121
|
+
crv: z.ZodLiteral<"Ed25519">;
|
|
122
|
+
x: z.ZodString;
|
|
123
|
+
kid: z.ZodOptional<z.ZodString>;
|
|
124
|
+
use: z.ZodOptional<z.ZodString>;
|
|
125
|
+
}, z.core.$strict>>;
|
|
126
|
+
createdAt: z.ZodOptional<z.ZodString>;
|
|
127
|
+
capabilities: z.ZodOptional<z.ZodArray<z.ZodUnion<readonly [z.ZodString, z.ZodObject<{
|
|
128
|
+
name: z.ZodString;
|
|
129
|
+
attestations: z.ZodArray<z.ZodObject<{
|
|
130
|
+
vc: z.ZodUnion<readonly [z.ZodString, z.ZodRecord<z.ZodString, z.ZodUnknown>]>;
|
|
131
|
+
}, z.core.$strip>>;
|
|
132
|
+
}, z.core.$strict>]>>>;
|
|
133
|
+
conformanceLevel: z.ZodOptional<z.ZodEnum<{
|
|
134
|
+
L1: "L1";
|
|
135
|
+
L2: "L2";
|
|
136
|
+
L3: "L3";
|
|
137
|
+
}>>;
|
|
138
|
+
responsibleParty: z.ZodOptional<z.ZodString>;
|
|
139
|
+
principal: z.ZodOptional<z.ZodString>;
|
|
140
|
+
delegationRef: z.ZodOptional<z.ZodString>;
|
|
141
|
+
attestations: z.ZodOptional<z.ZodArray<z.ZodObject<{
|
|
142
|
+
type: z.ZodEnum<{
|
|
143
|
+
IdentityVerification: "IdentityVerification";
|
|
144
|
+
CapabilityAttestation: "CapabilityAttestation";
|
|
145
|
+
}>;
|
|
146
|
+
vc: z.ZodUnion<readonly [z.ZodString, z.ZodRecord<z.ZodString, z.ZodUnknown>]>;
|
|
147
|
+
subject: z.ZodOptional<z.ZodString>;
|
|
148
|
+
issuer: z.ZodOptional<z.ZodString>;
|
|
149
|
+
}, z.core.$strict>>>;
|
|
150
|
+
didDocument: z.ZodOptional<z.ZodString>;
|
|
151
|
+
proofProfile: z.ZodOptional<z.ZodLiteral<"org.kya-os/proof@1">>;
|
|
152
|
+
cimd: z.ZodOptional<z.ZodObject<{
|
|
153
|
+
clientId: z.ZodString;
|
|
154
|
+
jwksUri: z.ZodString;
|
|
155
|
+
}, z.core.$strict>>;
|
|
156
|
+
revocation: z.ZodOptional<z.ZodObject<{
|
|
157
|
+
statusListCredential: z.ZodString;
|
|
158
|
+
statusListIndex: z.ZodString;
|
|
159
|
+
}, z.core.$strict>>;
|
|
160
|
+
}, z.core.$strict>;
|
|
161
|
+
export type EntityType = z.infer<typeof EntityTypeSchema>;
|
|
162
|
+
export type ConformanceLevel = z.infer<typeof ConformanceLevelSchema>;
|
|
163
|
+
export type Ed25519PublicJwk = z.infer<typeof Ed25519PublicJwkSchema>;
|
|
164
|
+
export type P256PublicJwk = z.infer<typeof P256PublicJwkSchema>;
|
|
165
|
+
/** The proof-signing key type — Ed25519 or P-256 (discriminated by `kty`/`crv`). */
|
|
166
|
+
export type ProofPublicJwk = z.infer<typeof ProofPublicJwkSchema>;
|
|
167
|
+
export type CapabilityAttestation = z.infer<typeof CapabilityAttestationSchema>;
|
|
168
|
+
export type Level2Capability = z.infer<typeof Level2CapabilitySchema>;
|
|
169
|
+
export type Capability = z.infer<typeof CapabilitySchema>;
|
|
170
|
+
export type Attestation = z.infer<typeof AttestationSchema>;
|
|
171
|
+
export type ProofProfile = z.infer<typeof ProofProfileSchema>;
|
|
172
|
+
export type CimdBinding = z.infer<typeof CimdBindingSchema>;
|
|
173
|
+
export type BitstringStatusListEntry = z.infer<typeof BitstringStatusListEntrySchema>;
|
|
174
|
+
export type EntityCard = z.infer<typeof EntityCardSchema>;
|
|
175
|
+
/** Flatten capabilities (bare strings or attested objects) to their names. */
|
|
176
|
+
export declare function capabilityNames(caps: Capability[]): string[];
|
|
177
|
+
//# sourceMappingURL=schema.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"schema.d.ts","sourceRoot":"","sources":["../../src/card/schema.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB;;;;GAIG;AAEH,iHAAiH;AACjH,eAAO,MAAM,GAAG,aAA6E,CAAC;AAE9F,eAAO,MAAM,gBAAgB;;;;;;EAA0D,CAAC;AAExF,eAAO,MAAM,sBAAsB;;;;EAA6B,CAAC;AAEjE,eAAO,MAAM,sBAAsB;;;;;;kBAQxB,CAAC;AAEZ,+EAA+E;AAC/E,eAAO,MAAM,mBAAmB;;;;;;;kBASrB,CAAC;AAEZ,iGAAiG;AACjG,eAAO,MAAM,oBAAoB;;;;;;;;;;;;;oBAAyD,CAAC;AAK3F;;;GAGG;AACH,eAAO,MAAM,2BAA2B;;iBAEtC,CAAC;AAEH,eAAO,MAAM,sBAAsB;;;;;kBAKxB,CAAC;AAEZ,kEAAkE;AAClE,eAAO,MAAM,gBAAgB;;;;;oBAAuD,CAAC;AAErF,eAAO,MAAM,iBAAiB;;;;;;;;kBAOnB,CAAC;AAEZ;gGACgG;AAChG,eAAO,MAAM,gBAAgB,uBAAuB,CAAC;AAErD;;;;;GAKG;AACH,eAAO,MAAM,kBAAkB,oCAA8B,CAAC;AAE9D;;;;GAIG;AACH,eAAO,MAAM,iBAAiB;;;kBAKnB,CAAC;AAEZ;;;GAGG;AACH,eAAO,MAAM,8BAA8B;;;kBAKhC,CAAC;AAEZ,eAAO,MAAM,gBAAgB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBAyBlB,CAAC;AAEZ,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAC1D,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AACtE,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AACtE,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAChE,oFAAoF;AACpF,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAClE,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,2BAA2B,CAAC,CAAC;AAChF,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AACtE,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAC1D,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAC5D,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAC9D,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAC5D,MAAM,MAAM,wBAAwB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,8BAA8B,CAAC,CAAC;AACtF,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAE1D,8EAA8E;AAC9E,wBAAgB,eAAe,CAAC,IAAI,EAAE,UAAU,EAAE,GAAG,MAAM,EAAE,CAE5D"}
|
|
@@ -0,0 +1,119 @@
|
|
|
1
|
+
import { z } from 'zod';
|
|
2
|
+
/**
|
|
3
|
+
* Zod schema for the KYA-OS Entity Card — the runtime source of truth, mirroring
|
|
4
|
+
* `schemas/kya-os-card.schema.json` (the published JSON Schema). Types are derived
|
|
5
|
+
* via `z.infer`, matching the package convention (see `src/authz/requirement.ts`).
|
|
6
|
+
*/
|
|
7
|
+
/** A `did:key` or `did:web` DID — the single source of truth for the DID shape (imported, never re-declared). */
|
|
8
|
+
export const Did = z.string().regex(/^did:(key|web):.+$/, 'must be a did:key or did:web DID');
|
|
9
|
+
export const EntityTypeSchema = z.enum(['mcp', 'agent', 'client', 'verifier', 'human']);
|
|
10
|
+
export const ConformanceLevelSchema = z.enum(['L1', 'L2', 'L3']);
|
|
11
|
+
export const Ed25519PublicJwkSchema = z
|
|
12
|
+
.object({
|
|
13
|
+
kty: z.literal('OKP'),
|
|
14
|
+
crv: z.literal('Ed25519'),
|
|
15
|
+
x: z.string(),
|
|
16
|
+
kid: z.string().optional(),
|
|
17
|
+
use: z.string().optional(),
|
|
18
|
+
})
|
|
19
|
+
.strict();
|
|
20
|
+
/** A P-256 public JWK — the ES256 (ECDSA, FIPS-eligible) proof-signing key. */
|
|
21
|
+
export const P256PublicJwkSchema = z
|
|
22
|
+
.object({
|
|
23
|
+
kty: z.literal('EC'),
|
|
24
|
+
crv: z.literal('P-256'),
|
|
25
|
+
x: z.string(),
|
|
26
|
+
y: z.string(),
|
|
27
|
+
kid: z.string().optional(),
|
|
28
|
+
use: z.string().optional(),
|
|
29
|
+
})
|
|
30
|
+
.strict();
|
|
31
|
+
/** A proof-signing public JWK: Ed25519 (EdDSA) or P-256 (ES256) — the two profile algorithms. */
|
|
32
|
+
export const ProofPublicJwkSchema = z.union([Ed25519PublicJwkSchema, P256PublicJwkSchema]);
|
|
33
|
+
/** A Verifiable Credential — a compact VC-JWT string or a pre-parsed object. */
|
|
34
|
+
const VcValue = z.union([z.string(), z.record(z.string(), z.unknown())]);
|
|
35
|
+
/**
|
|
36
|
+
* Deliberately NON-strict: the JSON Schema marks `CapabilityAttestation` as
|
|
37
|
+
* `additionalProperties: true`, so extra keys alongside `vc` are permitted here.
|
|
38
|
+
*/
|
|
39
|
+
export const CapabilityAttestationSchema = z.object({
|
|
40
|
+
vc: VcValue,
|
|
41
|
+
});
|
|
42
|
+
export const Level2CapabilitySchema = z
|
|
43
|
+
.object({
|
|
44
|
+
name: z.string().min(1),
|
|
45
|
+
attestations: z.array(CapabilityAttestationSchema).min(1),
|
|
46
|
+
})
|
|
47
|
+
.strict();
|
|
48
|
+
/** L1 bare-string name, or an L2 object carrying attestations. */
|
|
49
|
+
export const CapabilitySchema = z.union([z.string().min(1), Level2CapabilitySchema]);
|
|
50
|
+
export const AttestationSchema = z
|
|
51
|
+
.object({
|
|
52
|
+
type: z.enum(['IdentityVerification', 'CapabilityAttestation']),
|
|
53
|
+
vc: VcValue,
|
|
54
|
+
subject: Did.optional(),
|
|
55
|
+
issuer: Did.optional(),
|
|
56
|
+
})
|
|
57
|
+
.strict();
|
|
58
|
+
/** The canonical per-request proof profile id — the ONE source of truth every consumer
|
|
59
|
+
* references (the proof's `prf` tag, its `_meta` key, and the card's `proofProfile` field). */
|
|
60
|
+
export const PROOF_PROFILE_ID = 'org.kya-os/proof@1';
|
|
61
|
+
/**
|
|
62
|
+
* Self-declared per-request holder-of-key proof profile. A card carrying this advertises
|
|
63
|
+
* that its requests ride the stateless, sender-constrained `org.kya-os/proof@1` envelope
|
|
64
|
+
* (distinct from the legacy session-bound ProofMeta). The proof itself is NEVER on the
|
|
65
|
+
* static card — it rides per-request `_meta`; this field only names the profile.
|
|
66
|
+
*/
|
|
67
|
+
export const ProofProfileSchema = z.literal(PROOF_PROFILE_ID);
|
|
68
|
+
/**
|
|
69
|
+
* CIMD (draft-ietf-oauth-client-id-metadata-document) binding — the L1 on-ramp
|
|
70
|
+
* coordinates. `clientId` is the `did:web` HTTPS form; `jwksUri` is the DID-keyed JWKS the
|
|
71
|
+
* AS validates `private_key_jwt` against (so OAuth client-auth IS a DID-key proof).
|
|
72
|
+
*/
|
|
73
|
+
export const CimdBindingSchema = z
|
|
74
|
+
.object({
|
|
75
|
+
clientId: z.string().min(1),
|
|
76
|
+
jwksUri: z.string().min(1),
|
|
77
|
+
})
|
|
78
|
+
.strict();
|
|
79
|
+
/**
|
|
80
|
+
* W3C Bitstring Status List v1.0 `credentialStatus` entry — the StatusList2021
|
|
81
|
+
* SUCCESSOR. `statusListIndex` is an integer expressed as a string (per the spec).
|
|
82
|
+
*/
|
|
83
|
+
export const BitstringStatusListEntrySchema = z
|
|
84
|
+
.object({
|
|
85
|
+
statusListCredential: z.string().min(1),
|
|
86
|
+
statusListIndex: z.string().regex(/^[0-9]+$/, 'statusListIndex must be a canonical non-negative decimal'),
|
|
87
|
+
})
|
|
88
|
+
.strict();
|
|
89
|
+
export const EntityCardSchema = z
|
|
90
|
+
.object({
|
|
91
|
+
id: Did,
|
|
92
|
+
entityType: EntityTypeSchema,
|
|
93
|
+
name: z.string().min(1),
|
|
94
|
+
kid: z.string().optional(),
|
|
95
|
+
publicKeyJwk: Ed25519PublicJwkSchema.optional(),
|
|
96
|
+
createdAt: z.string().optional(),
|
|
97
|
+
capabilities: z.array(CapabilitySchema).optional(),
|
|
98
|
+
/** DERIVED summary — never trusted on input (a verifier recomputes it). */
|
|
99
|
+
conformanceLevel: ConformanceLevelSchema.optional(),
|
|
100
|
+
responsibleParty: Did.optional(),
|
|
101
|
+
principal: Did.optional(),
|
|
102
|
+
delegationRef: z.string().optional(),
|
|
103
|
+
attestations: z.array(AttestationSchema).optional(),
|
|
104
|
+
didDocument: z.string().optional(),
|
|
105
|
+
/** Names the per-request holder-of-key proof profile this entity's requests carry. */
|
|
106
|
+
proofProfile: ProofProfileSchema.optional(),
|
|
107
|
+
/** L1 CIMD on-ramp coordinates (client_id ↔ did:web, jwks_uri ↔ DID keys). */
|
|
108
|
+
cimd: CimdBindingSchema.optional(),
|
|
109
|
+
/** W3C Bitstring Status List v1.0 revocation entry for this card's credential. */
|
|
110
|
+
revocation: BitstringStatusListEntrySchema.optional(),
|
|
111
|
+
})
|
|
112
|
+
// Mirrors `additionalProperties: false` on the published JSON Schema: a conformant
|
|
113
|
+
// Card MUST NOT carry unknown top-level properties (SPEC §7). Reject, never strip.
|
|
114
|
+
.strict();
|
|
115
|
+
/** Flatten capabilities (bare strings or attested objects) to their names. */
|
|
116
|
+
export function capabilityNames(caps) {
|
|
117
|
+
return caps.map((c) => (typeof c === 'string' ? c : c.name));
|
|
118
|
+
}
|
|
119
|
+
//# sourceMappingURL=schema.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"schema.js","sourceRoot":"","sources":["../../src/card/schema.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB;;;;GAIG;AAEH,iHAAiH;AACjH,MAAM,CAAC,MAAM,GAAG,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,KAAK,CAAC,oBAAoB,EAAE,kCAAkC,CAAC,CAAC;AAE9F,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC;AAExF,MAAM,CAAC,MAAM,sBAAsB,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC;AAEjE,MAAM,CAAC,MAAM,sBAAsB,GAAG,CAAC;KACpC,MAAM,CAAC;IACN,GAAG,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC;IACrB,GAAG,EAAE,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC;IACzB,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE;IACb,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CAC3B,CAAC;KACD,MAAM,EAAE,CAAC;AAEZ,+EAA+E;AAC/E,MAAM,CAAC,MAAM,mBAAmB,GAAG,CAAC;KACjC,MAAM,CAAC;IACN,GAAG,EAAE,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC;IACpB,GAAG,EAAE,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC;IACvB,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE;IACb,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE;IACb,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CAC3B,CAAC;KACD,MAAM,EAAE,CAAC;AAEZ,iGAAiG;AACjG,MAAM,CAAC,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,sBAAsB,EAAE,mBAAmB,CAAC,CAAC,CAAC;AAE3F,gFAAgF;AAChF,MAAM,OAAO,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC;AAEzE;;;GAGG;AACH,MAAM,CAAC,MAAM,2BAA2B,GAAG,CAAC,CAAC,MAAM,CAAC;IAClD,EAAE,EAAE,OAAO;CACZ,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,sBAAsB,GAAG,CAAC;KACpC,MAAM,CAAC;IACN,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACvB,YAAY,EAAE,CAAC,CAAC,KAAK,CAAC,2BAA2B,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;CAC1D,CAAC;KACD,MAAM,EAAE,CAAC;AAEZ,kEAAkE;AAClE,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,sBAAsB,CAAC,CAAC,CAAC;AAErF,MAAM,CAAC,MAAM,iBAAiB,GAAG,CAAC;KAC/B,MAAM,CAAC;IACN,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,sBAAsB,EAAE,uBAAuB,CAAC,CAAC;IAC/D,EAAE,EAAE,OAAO;IACX,OAAO,EAAE,GAAG,CAAC,QAAQ,EAAE;IACvB,MAAM,EAAE,GAAG,CAAC,QAAQ,EAAE;CACvB,CAAC;KACD,MAAM,EAAE,CAAC;AAEZ;gGACgG;AAChG,MAAM,CAAC,MAAM,gBAAgB,GAAG,oBAAoB,CAAC;AAErD;;;;;GAKG;AACH,MAAM,CAAC,MAAM,kBAAkB,GAAG,CAAC,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC;AAE9D;;;;GAIG;AACH,MAAM,CAAC,MAAM,iBAAiB,GAAG,CAAC;KAC/B,MAAM,CAAC;IACN,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC3B,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;CAC3B,CAAC;KACD,MAAM,EAAE,CAAC;AAEZ;;;GAGG;AACH,MAAM,CAAC,MAAM,8BAA8B,GAAG,CAAC;KAC5C,MAAM,CAAC;IACN,oBAAoB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACvC,eAAe,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,KAAK,CAAC,UAAU,EAAE,0DAA0D,CAAC;CAC1G,CAAC;KACD,MAAM,EAAE,CAAC;AAEZ,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC;KAC9B,MAAM,CAAC;IACN,EAAE,EAAE,GAAG;IACP,UAAU,EAAE,gBAAgB;IAC5B,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACvB,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,YAAY,EAAE,sBAAsB,CAAC,QAAQ,EAAE;IAC/C,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAChC,YAAY,EAAE,CAAC,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC,QAAQ,EAAE;IAClD,2EAA2E;IAC3E,gBAAgB,EAAE,sBAAsB,CAAC,QAAQ,EAAE;IACnD,gBAAgB,EAAE,GAAG,CAAC,QAAQ,EAAE;IAChC,SAAS,EAAE,GAAG,CAAC,QAAQ,EAAE;IACzB,aAAa,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACpC,YAAY,EAAE,CAAC,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC,QAAQ,EAAE;IACnD,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAClC,sFAAsF;IACtF,YAAY,EAAE,kBAAkB,CAAC,QAAQ,EAAE;IAC3C,8EAA8E;IAC9E,IAAI,EAAE,iBAAiB,CAAC,QAAQ,EAAE;IAClC,kFAAkF;IAClF,UAAU,EAAE,8BAA8B,CAAC,QAAQ,EAAE;CACtD,CAAC;IACF,mFAAmF;IACnF,mFAAmF;KAClF,MAAM,EAAE,CAAC;AAiBZ,8EAA8E;AAC9E,MAAM,UAAU,eAAe,CAAC,IAAkB;IAChD,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;AAC/D,CAAC"}
|
|
@@ -0,0 +1,144 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* KYA-OS Entity Card — VERIFY (the proof half).
|
|
3
|
+
*
|
|
4
|
+
* Verify a resolved card's claims via injected, level-AGNOSTIC crypto seams (the pattern
|
|
5
|
+
* `validateLevel2` uses for its `signatureVerifier`, keeping `@kya-os/mcp` free of any mcp-i-core
|
|
6
|
+
* runtime dep) and RECOMPUTE the conformance level — the self-declared `conformanceLevel` is NEVER
|
|
7
|
+
* trusted; the LEVEL is derived here, never baked into a function name. Four fail-closed seams the
|
|
8
|
+
* SPEC §9/§11 ladder needs:
|
|
9
|
+
* - `capabilityVerifier` — per-capability attestation check (L1 floor if omitted);
|
|
10
|
+
* - `accountabilityVerifier` — delegation edge: `responsibleParty === issuer(rootVC)`, `leaf-invoker
|
|
11
|
+
* === proof.did` (via `ctx.proofDid`), AND the chain `fresh` L3 gate (./delegation);
|
|
12
|
+
* - `proofVerifier` + `proof`/`request` — the live per-request holder-of-key proof (./proof);
|
|
13
|
+
* - `statusListChecker` — W3C Bitstring Status List v1.0 liveness (./revocation).
|
|
14
|
+
* Fail-closed everywhere: a missing/expired/revoked artifact DEMOTES the level (L3→L2→L1) and never
|
|
15
|
+
* errors open; an unreachable/stale status list OR stale delegation chain demotes L3→L2.
|
|
16
|
+
*/
|
|
17
|
+
import { type EntityCard, type EntityType, type ConformanceLevel, type Capability, type Attestation } from './schema.js';
|
|
18
|
+
import type { RevocationChecker } from './revocation.js';
|
|
19
|
+
import type { ProofAssurance, ProofVerifyResult } from './proof/index.js';
|
|
20
|
+
import type { ToolRequest } from '../proof/generator.js';
|
|
21
|
+
export declare const ENTITY_TYPES: readonly EntityType[];
|
|
22
|
+
export declare const DEFAULT_TRUSTED_ISSUERS: readonly ["did:web:example.com"];
|
|
23
|
+
export interface CapabilityCheckResult {
|
|
24
|
+
/** Capability names whose attestation verified (eligible for L2). */
|
|
25
|
+
verified: string[];
|
|
26
|
+
/** Capability names that were self-declared (bare string) or failed. */
|
|
27
|
+
unverified: string[];
|
|
28
|
+
/** True iff every attested capability's status was read from a LIVE list (§9.3 L3 gate). Omitted ⇒ unknown ⇒ no demotion. */
|
|
29
|
+
fresh?: boolean;
|
|
30
|
+
}
|
|
31
|
+
/**
|
|
32
|
+
* Verifies capability attestations. Deliberately NOT named for a level — the level is DERIVED
|
|
33
|
+
* downstream (see `deriveConformanceLevel`). A runtime supplies an implementation (e.g. an adapter
|
|
34
|
+
* over mcp-i-core's `validateLevel2`); `@kya-os/mcp` ships only the interface.
|
|
35
|
+
*/
|
|
36
|
+
export type CapabilityVerifier = (capabilities: Capability[], ctx: {
|
|
37
|
+
subjectDid: string;
|
|
38
|
+
trustedIssuers: readonly string[];
|
|
39
|
+
}) => Promise<CapabilityCheckResult>;
|
|
40
|
+
/** Verifies a single attestation VC (trusted issuer + signature + expiry). */
|
|
41
|
+
export type AttestationVerifier = (attestation: Attestation, ctx: {
|
|
42
|
+
subjectDid: string;
|
|
43
|
+
trustedIssuers: readonly string[];
|
|
44
|
+
}) => Promise<boolean>;
|
|
45
|
+
/**
|
|
46
|
+
* The accountability seam's verdict. `fresh` is the freshness channel a bare boolean cannot express
|
|
47
|
+
* (SPEC §9.3/§12.6): a stale-but-non-revoked chain stays `verified:true` (keeps §10.6's cached L2)
|
|
48
|
+
* yet `fresh:false` demotes L3→L2; omitted `fresh` ⇒ freshness UNKNOWN so no demotion (back-compat).
|
|
49
|
+
*/
|
|
50
|
+
export interface AccountabilityResult {
|
|
51
|
+
/** True iff the delegation edge verified (`responsibleParty === issuer(rootVC)`, leaf-invoker join). */
|
|
52
|
+
verified: boolean;
|
|
53
|
+
/** True iff every leaf/chain delegation credential status was read from a LIVE list (drives L2→L3). */
|
|
54
|
+
fresh?: boolean;
|
|
55
|
+
}
|
|
56
|
+
/**
|
|
57
|
+
* Verifies the accountability edge: resolve `card.delegationRef` → the signed
|
|
58
|
+
* DelegationCredential chain and confirm `card.responsibleParty === issuerDid(rootVC)` AND —
|
|
59
|
+
* when a live proof accompanies the request — the leaf invoker `=== ctx.proofDid` (the
|
|
60
|
+
* delegation/accountability JOIN of ./delegation, recomputed, asserted nowhere). `proofDid` is
|
|
61
|
+
* OPTIONAL and additive: implementations that ignore it keep the L2 offline check unchanged.
|
|
62
|
+
* Returns a bare boolean (DEPRECATED alias) or an {@link AccountabilityResult} carrying `fresh`.
|
|
63
|
+
*/
|
|
64
|
+
export type AccountabilityVerifier = (card: EntityCard, ctx: {
|
|
65
|
+
trustedIssuers: readonly string[];
|
|
66
|
+
proofDid?: string;
|
|
67
|
+
}) => Promise<boolean | AccountabilityResult>;
|
|
68
|
+
/**
|
|
69
|
+
* Recompute a live per-request holder-of-key proof against the request it must bind. The
|
|
70
|
+
* caller pre-binds the crypto seams (e.g. `verifyCardProof(proof, req, deps)` from ./proof);
|
|
71
|
+
* `@kya-os/mcp` ships only this interface. Fail-closed: a rejected promise DEMOTES, never throws
|
|
72
|
+
* out of `verifyCard`.
|
|
73
|
+
*/
|
|
74
|
+
export type CardProofVerifier = (proof: unknown, request: ToolRequest) => Promise<ProofVerifyResult>;
|
|
75
|
+
export interface VerifyCardDeps {
|
|
76
|
+
/** Verifies capability attestations (option C seam). If omitted, capabilities are L1. */
|
|
77
|
+
capabilityVerifier?: CapabilityVerifier;
|
|
78
|
+
/** Verifies an attestation VC (e.g. KYC/KYB). If omitted, attestations are unverified. */
|
|
79
|
+
attestationVerifier?: AttestationVerifier;
|
|
80
|
+
/** Verifies the accountability edge (delegationRef → responsibleParty, leaf-invoker join). */
|
|
81
|
+
accountabilityVerifier?: AccountabilityVerifier;
|
|
82
|
+
/** The per-request holder-of-key proof that rode `_meta['org.kya-os/proof@1']` (recomputed here). */
|
|
83
|
+
proof?: unknown;
|
|
84
|
+
/** The request the proof must bind (`method` + `params`); required alongside `proof`. */
|
|
85
|
+
request?: ToolRequest;
|
|
86
|
+
/** Recomputes `proof` against `request` (pre-bound ./proof `verifyCardProof`). Lifts L2 → L3. */
|
|
87
|
+
proofVerifier?: CardProofVerifier;
|
|
88
|
+
/** Live W3C Bitstring Status List v1.0 check for `card.revocation` (fail-closed). */
|
|
89
|
+
statusListChecker?: RevocationChecker;
|
|
90
|
+
/** True iff the caller independently proved CIMD L1 key possession (private_key_jwt ↔ jwks_uri). */
|
|
91
|
+
cimdKeyProven?: boolean;
|
|
92
|
+
/** Trusted issuer allowlist. Default: `DEFAULT_TRUSTED_ISSUERS`. */
|
|
93
|
+
trustedIssuers?: readonly string[];
|
|
94
|
+
}
|
|
95
|
+
export interface VerifyCardResult {
|
|
96
|
+
/** True iff every trust-bearing claim *present* on the card verified (proof is per-request, not a card claim). */
|
|
97
|
+
ok: boolean;
|
|
98
|
+
entityType: EntityType;
|
|
99
|
+
/** RECOMPUTED — the card's self-declared `conformanceLevel` is never trusted. */
|
|
100
|
+
conformanceLevel: ConformanceLevel;
|
|
101
|
+
verifiedCapabilities: string[];
|
|
102
|
+
accountability?: {
|
|
103
|
+
responsibleParty?: string;
|
|
104
|
+
principal?: string;
|
|
105
|
+
verified: boolean;
|
|
106
|
+
fresh?: boolean;
|
|
107
|
+
};
|
|
108
|
+
attestations: Array<{
|
|
109
|
+
type: string;
|
|
110
|
+
subject?: string;
|
|
111
|
+
verified: boolean;
|
|
112
|
+
}>;
|
|
113
|
+
/** Present when a proof was recomputed: the live holder-of-key verdict. */
|
|
114
|
+
proof?: {
|
|
115
|
+
verified: boolean;
|
|
116
|
+
did?: string;
|
|
117
|
+
level?: ProofAssurance;
|
|
118
|
+
reasons: string[];
|
|
119
|
+
};
|
|
120
|
+
/** Present when the card declares `revocation` and a `statusListChecker` was supplied. */
|
|
121
|
+
revocation?: {
|
|
122
|
+
revoked: boolean;
|
|
123
|
+
fresh: boolean;
|
|
124
|
+
};
|
|
125
|
+
/** Echoes `deps.cimdKeyProven` — the caller's L1 CIMD key-possession evidence. */
|
|
126
|
+
cimdKeyProven?: boolean;
|
|
127
|
+
}
|
|
128
|
+
/**
|
|
129
|
+
* Verify a resolved card: recompute capabilities + accountability + attestations + the live proof
|
|
130
|
+
* + revocation via the injected seams, and RECOMPUTE the conformance level. The card's
|
|
131
|
+
* self-declared `conformanceLevel` is ignored. `ok` is true iff every claim that is *present*
|
|
132
|
+
* verified (a card with only self-declared capabilities is still `ok` — it is just L1); a per-request
|
|
133
|
+
* proof affects the LEVEL, not `ok`, but a revoked card credential fails closed (`ok:false`, L1).
|
|
134
|
+
*/
|
|
135
|
+
export declare function verifyCard(card: EntityCard, deps: VerifyCardDeps): Promise<VerifyCardResult>;
|
|
136
|
+
/**
|
|
137
|
+
* Derive the conformance FLOOR from verified capabilities, live-proof validity, and freshness.
|
|
138
|
+
* L3 ⊇ L2 ⊇ L1: all declared capabilities attested ⇒ L2; plus a valid holder-of-key proof (`proofOk`)
|
|
139
|
+
* AND a fresh (live) status check ⇒ L3. Any self-declared (unverified) capability keeps the floor at
|
|
140
|
+
* L1. `revocationFresh` (the AND of card / delegation-chain / capability status liveness) defaults to
|
|
141
|
+
* `true` so 2-arg calls still compile; a `false` (unreachable/stale list) demotes L3 → L2.
|
|
142
|
+
*/
|
|
143
|
+
export declare function deriveConformanceLevel(check: CapabilityCheckResult, proofOk: boolean, revocationFresh?: boolean): ConformanceLevel;
|
|
144
|
+
//# sourceMappingURL=verify.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"verify.d.ts","sourceRoot":"","sources":["../../src/card/verify.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,EAGL,KAAK,UAAU,EACf,KAAK,UAAU,EACf,KAAK,gBAAgB,EACrB,KAAK,UAAU,EACf,KAAK,WAAW,EACjB,MAAM,aAAa,CAAC;AACrB,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AACzD,OAAO,KAAK,EAAE,cAAc,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAC1E,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AAEzD,eAAO,MAAM,YAAY,EAAE,SAAS,UAAU,EAA6B,CAAC;AAE5E,eAAO,MAAM,uBAAuB,kCAAmC,CAAC;AAIxE,MAAM,WAAW,qBAAqB;IACpC,qEAAqE;IACrE,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,wEAAwE;IACxE,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,6HAA6H;IAC7H,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB;AAED;;;;GAIG;AACH,MAAM,MAAM,kBAAkB,GAAG,CAC/B,YAAY,EAAE,UAAU,EAAE,EAC1B,GAAG,EAAE;IAAE,UAAU,EAAE,MAAM,CAAC;IAAC,cAAc,EAAE,SAAS,MAAM,EAAE,CAAA;CAAE,KAC3D,OAAO,CAAC,qBAAqB,CAAC,CAAC;AAEpC,8EAA8E;AAC9E,MAAM,MAAM,mBAAmB,GAAG,CAChC,WAAW,EAAE,WAAW,EACxB,GAAG,EAAE;IAAE,UAAU,EAAE,MAAM,CAAC;IAAC,cAAc,EAAE,SAAS,MAAM,EAAE,CAAA;CAAE,KAC3D,OAAO,CAAC,OAAO,CAAC,CAAC;AAEtB;;;;GAIG;AACH,MAAM,WAAW,oBAAoB;IACnC,wGAAwG;IACxG,QAAQ,EAAE,OAAO,CAAC;IAClB,uGAAuG;IACvG,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB;AAED;;;;;;;GAOG;AACH,MAAM,MAAM,sBAAsB,GAAG,CACnC,IAAI,EAAE,UAAU,EAChB,GAAG,EAAE;IAAE,cAAc,EAAE,SAAS,MAAM,EAAE,CAAC;IAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;CAAE,KAC1D,OAAO,CAAC,OAAO,GAAG,oBAAoB,CAAC,CAAC;AAE7C;;;;;GAKG;AACH,MAAM,MAAM,iBAAiB,GAAG,CAC9B,KAAK,EAAE,OAAO,EACd,OAAO,EAAE,WAAW,KACjB,OAAO,CAAC,iBAAiB,CAAC,CAAC;AAEhC,MAAM,WAAW,cAAc;IAC7B,yFAAyF;IACzF,kBAAkB,CAAC,EAAE,kBAAkB,CAAC;IACxC,0FAA0F;IAC1F,mBAAmB,CAAC,EAAE,mBAAmB,CAAC;IAC1C,8FAA8F;IAC9F,sBAAsB,CAAC,EAAE,sBAAsB,CAAC;IAChD,qGAAqG;IACrG,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,yFAAyF;IACzF,OAAO,CAAC,EAAE,WAAW,CAAC;IACtB,iGAAiG;IACjG,aAAa,CAAC,EAAE,iBAAiB,CAAC;IAClC,qFAAqF;IACrF,iBAAiB,CAAC,EAAE,iBAAiB,CAAC;IACtC,oGAAoG;IACpG,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,oEAAoE;IACpE,cAAc,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;CACpC;AAED,MAAM,WAAW,gBAAgB;IAC/B,kHAAkH;IAClH,EAAE,EAAE,OAAO,CAAC;IACZ,UAAU,EAAE,UAAU,CAAC;IACvB,iFAAiF;IACjF,gBAAgB,EAAE,gBAAgB,CAAC;IACnC,oBAAoB,EAAE,MAAM,EAAE,CAAC;IAC/B,cAAc,CAAC,EAAE;QAAE,gBAAgB,CAAC,EAAE,MAAM,CAAC;QAAC,SAAS,CAAC,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,OAAO,CAAA;KAAE,CAAC;IACvG,YAAY,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,OAAO,CAAA;KAAE,CAAC,CAAC;IAC3E,2EAA2E;IAC3E,KAAK,CAAC,EAAE;QAAE,QAAQ,EAAE,OAAO,CAAC;QAAC,GAAG,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,cAAc,CAAC;QAAC,OAAO,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC;IACvF,0FAA0F;IAC1F,UAAU,CAAC,EAAE;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,KAAK,EAAE,OAAO,CAAA;KAAE,CAAC;IAClD,kFAAkF;IAClF,aAAa,CAAC,EAAE,OAAO,CAAC;CACzB;AAED;;;;;;GAMG;AACH,wBAAsB,UAAU,CAAC,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,cAAc,GAAG,OAAO,CAAC,gBAAgB,CAAC,CA8BlG;AAED;;;;;;GAMG;AACH,wBAAgB,sBAAsB,CACpC,KAAK,EAAE,qBAAqB,EAC5B,OAAO,EAAE,OAAO,EAChB,eAAe,UAAO,GACrB,gBAAgB,CAIlB"}
|
|
@@ -0,0 +1,132 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* KYA-OS Entity Card — VERIFY (the proof half).
|
|
3
|
+
*
|
|
4
|
+
* Verify a resolved card's claims via injected, level-AGNOSTIC crypto seams (the pattern
|
|
5
|
+
* `validateLevel2` uses for its `signatureVerifier`, keeping `@kya-os/mcp` free of any mcp-i-core
|
|
6
|
+
* runtime dep) and RECOMPUTE the conformance level — the self-declared `conformanceLevel` is NEVER
|
|
7
|
+
* trusted; the LEVEL is derived here, never baked into a function name. Four fail-closed seams the
|
|
8
|
+
* SPEC §9/§11 ladder needs:
|
|
9
|
+
* - `capabilityVerifier` — per-capability attestation check (L1 floor if omitted);
|
|
10
|
+
* - `accountabilityVerifier` — delegation edge: `responsibleParty === issuer(rootVC)`, `leaf-invoker
|
|
11
|
+
* === proof.did` (via `ctx.proofDid`), AND the chain `fresh` L3 gate (./delegation);
|
|
12
|
+
* - `proofVerifier` + `proof`/`request` — the live per-request holder-of-key proof (./proof);
|
|
13
|
+
* - `statusListChecker` — W3C Bitstring Status List v1.0 liveness (./revocation).
|
|
14
|
+
* Fail-closed everywhere: a missing/expired/revoked artifact DEMOTES the level (L3→L2→L1) and never
|
|
15
|
+
* errors open; an unreachable/stale status list OR stale delegation chain demotes L3→L2.
|
|
16
|
+
*/
|
|
17
|
+
import { EntityTypeSchema, capabilityNames, } from './schema.js';
|
|
18
|
+
export const ENTITY_TYPES = EntityTypeSchema.options;
|
|
19
|
+
export const DEFAULT_TRUSTED_ISSUERS = ['did:web:example.com'];
|
|
20
|
+
/**
|
|
21
|
+
* Verify a resolved card: recompute capabilities + accountability + attestations + the live proof
|
|
22
|
+
* + revocation via the injected seams, and RECOMPUTE the conformance level. The card's
|
|
23
|
+
* self-declared `conformanceLevel` is ignored. `ok` is true iff every claim that is *present*
|
|
24
|
+
* verified (a card with only self-declared capabilities is still `ok` — it is just L1); a per-request
|
|
25
|
+
* proof affects the LEVEL, not `ok`, but a revoked card credential fails closed (`ok:false`, L1).
|
|
26
|
+
*/
|
|
27
|
+
export async function verifyCard(card, deps) {
|
|
28
|
+
const trustedIssuers = deps.trustedIssuers ?? DEFAULT_TRUSTED_ISSUERS;
|
|
29
|
+
const check = await checkCapabilities(card, deps, trustedIssuers);
|
|
30
|
+
const proof = await recomputeProof(deps);
|
|
31
|
+
const proofDid = proof?.ok ? proof.did : undefined;
|
|
32
|
+
const accountability = await checkAccountability(card, deps, trustedIssuers, proofDid);
|
|
33
|
+
const attestations = await checkAttestations(card, deps, trustedIssuers);
|
|
34
|
+
const revocation = await checkCardRevocation(card, deps.statusListChecker);
|
|
35
|
+
const accountabilityOk = !card.responsibleParty || Boolean(accountability?.verified);
|
|
36
|
+
const attestationsOk = attestations.every((a) => a.verified);
|
|
37
|
+
return {
|
|
38
|
+
ok: accountabilityOk && attestationsOk && !revocation.revoked,
|
|
39
|
+
entityType: card.entityType,
|
|
40
|
+
conformanceLevel: deriveConformanceLevel(demoteOnRevocation(check, revocation.revoked), proof?.ok ?? false, (!revocation.checked || revocation.fresh) && (accountability?.fresh ?? true) && (check.fresh ?? true)),
|
|
41
|
+
verifiedCapabilities: check.verified,
|
|
42
|
+
accountability,
|
|
43
|
+
attestations,
|
|
44
|
+
proof: proof
|
|
45
|
+
? { verified: proof.ok, did: proof.did, level: proof.level, reasons: proof.reasons }
|
|
46
|
+
: undefined,
|
|
47
|
+
revocation: revocation.checked ? { revoked: revocation.revoked, fresh: revocation.fresh } : undefined,
|
|
48
|
+
cimdKeyProven: deps.cimdKeyProven,
|
|
49
|
+
};
|
|
50
|
+
}
|
|
51
|
+
/**
|
|
52
|
+
* Derive the conformance FLOOR from verified capabilities, live-proof validity, and freshness.
|
|
53
|
+
* L3 ⊇ L2 ⊇ L1: all declared capabilities attested ⇒ L2; plus a valid holder-of-key proof (`proofOk`)
|
|
54
|
+
* AND a fresh (live) status check ⇒ L3. Any self-declared (unverified) capability keeps the floor at
|
|
55
|
+
* L1. `revocationFresh` (the AND of card / delegation-chain / capability status liveness) defaults to
|
|
56
|
+
* `true` so 2-arg calls still compile; a `false` (unreachable/stale list) demotes L3 → L2.
|
|
57
|
+
*/
|
|
58
|
+
export function deriveConformanceLevel(check, proofOk, revocationFresh = true) {
|
|
59
|
+
const allAttested = check.verified.length > 0 && check.unverified.length === 0;
|
|
60
|
+
if (!allAttested)
|
|
61
|
+
return 'L1';
|
|
62
|
+
return proofOk && revocationFresh ? 'L3' : 'L2';
|
|
63
|
+
}
|
|
64
|
+
// ── Internals ──────────────────────────────────────────────────────────────────
|
|
65
|
+
/** Run the capability seam (or floor everything to unverified when no seam is injected). */
|
|
66
|
+
async function checkCapabilities(card, deps, trustedIssuers) {
|
|
67
|
+
const capabilities = card.capabilities ?? [];
|
|
68
|
+
return deps.capabilityVerifier
|
|
69
|
+
? deps.capabilityVerifier(capabilities, { subjectDid: card.id, trustedIssuers })
|
|
70
|
+
: { verified: [], unverified: capabilityNames(capabilities) };
|
|
71
|
+
}
|
|
72
|
+
/**
|
|
73
|
+
* Recompute the accountability edge, threading `proofDid` for the leaf-invoker join and surfacing the
|
|
74
|
+
* delegation-chain `fresh` signal the §9.3/§12.6 L3 gate needs. A bare boolean is the DEPRECATED alias.
|
|
75
|
+
*/
|
|
76
|
+
async function checkAccountability(card, deps, trustedIssuers, proofDid) {
|
|
77
|
+
if (!card.responsibleParty)
|
|
78
|
+
return undefined;
|
|
79
|
+
const raw = deps.accountabilityVerifier
|
|
80
|
+
? await deps.accountabilityVerifier(card, { trustedIssuers, proofDid })
|
|
81
|
+
: false;
|
|
82
|
+
const { verified, fresh } = typeof raw === 'boolean' ? { verified: raw, fresh: undefined } : raw;
|
|
83
|
+
return { responsibleParty: card.responsibleParty, principal: card.principal, verified, fresh };
|
|
84
|
+
}
|
|
85
|
+
/** Recompute each attestation VC via the injected seam (unverified when no seam is injected). */
|
|
86
|
+
async function checkAttestations(card, deps, trustedIssuers) {
|
|
87
|
+
return Promise.all((card.attestations ?? []).map(async (a) => ({
|
|
88
|
+
type: a.type,
|
|
89
|
+
subject: a.subject,
|
|
90
|
+
verified: deps.attestationVerifier
|
|
91
|
+
? await deps.attestationVerifier(a, { subjectDid: a.subject ?? card.id, trustedIssuers })
|
|
92
|
+
: false,
|
|
93
|
+
})));
|
|
94
|
+
}
|
|
95
|
+
/**
|
|
96
|
+
* Recompute the live per-request proof. Returns `undefined` when no proof/request/verifier was
|
|
97
|
+
* supplied (the level then rests at the capability floor, no proof lift). Fail-closed: a throwing
|
|
98
|
+
* verifier yields `{ ok:false }` (a demotion) rather than escaping `verifyCard`.
|
|
99
|
+
*/
|
|
100
|
+
async function recomputeProof(deps) {
|
|
101
|
+
if (!deps.proofVerifier || deps.proof === undefined || deps.request === undefined)
|
|
102
|
+
return undefined;
|
|
103
|
+
try {
|
|
104
|
+
return await deps.proofVerifier(deps.proof, deps.request);
|
|
105
|
+
}
|
|
106
|
+
catch {
|
|
107
|
+
return { ok: false, reasons: ['proof_verifier_threw'] };
|
|
108
|
+
}
|
|
109
|
+
}
|
|
110
|
+
/** Live-check `card.revocation` via the injected seam; fail-closed (unreachable ⇒ revoked). */
|
|
111
|
+
async function checkCardRevocation(card, checker) {
|
|
112
|
+
if (!checker || !card.revocation)
|
|
113
|
+
return { checked: false, revoked: false, fresh: true };
|
|
114
|
+
try {
|
|
115
|
+
const status = await checker(card.revocation);
|
|
116
|
+
return { checked: true, revoked: status.revoked, fresh: status.fresh };
|
|
117
|
+
}
|
|
118
|
+
catch {
|
|
119
|
+
return { checked: true, revoked: true, fresh: false };
|
|
120
|
+
}
|
|
121
|
+
}
|
|
122
|
+
/**
|
|
123
|
+
* A REVOKED card credential voids its attested trust: every otherwise-verified capability drops to
|
|
124
|
+
* unverified so the floor collapses to L1 (revocation demotes L3→L2→L1). A clean-but-stale list
|
|
125
|
+
* leaves `check` untouched — it only trims `revocationFresh` (L3→L2). No-op when not revoked.
|
|
126
|
+
*/
|
|
127
|
+
function demoteOnRevocation(check, revoked) {
|
|
128
|
+
if (!revoked)
|
|
129
|
+
return check;
|
|
130
|
+
return { verified: [], unverified: [...check.verified, ...check.unverified] };
|
|
131
|
+
}
|
|
132
|
+
//# sourceMappingURL=verify.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"verify.js","sourceRoot":"","sources":["../../src/card/verify.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,EACL,gBAAgB,EAChB,eAAe,GAMhB,MAAM,aAAa,CAAC;AAKrB,MAAM,CAAC,MAAM,YAAY,GAA0B,gBAAgB,CAAC,OAAO,CAAC;AAE5E,MAAM,CAAC,MAAM,uBAAuB,GAAG,CAAC,qBAAqB,CAAU,CAAC;AAuGxE;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,IAAgB,EAAE,IAAoB;IACrE,MAAM,cAAc,GAAG,IAAI,CAAC,cAAc,IAAI,uBAAuB,CAAC;IACtE,MAAM,KAAK,GAAG,MAAM,iBAAiB,CAAC,IAAI,EAAE,IAAI,EAAE,cAAc,CAAC,CAAC;IAClE,MAAM,KAAK,GAAG,MAAM,cAAc,CAAC,IAAI,CAAC,CAAC;IACzC,MAAM,QAAQ,GAAG,KAAK,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC;IAEnD,MAAM,cAAc,GAAG,MAAM,mBAAmB,CAAC,IAAI,EAAE,IAAI,EAAE,cAAc,EAAE,QAAQ,CAAC,CAAC;IACvF,MAAM,YAAY,GAAG,MAAM,iBAAiB,CAAC,IAAI,EAAE,IAAI,EAAE,cAAc,CAAC,CAAC;IACzE,MAAM,UAAU,GAAG,MAAM,mBAAmB,CAAC,IAAI,EAAE,IAAI,CAAC,iBAAiB,CAAC,CAAC;IAE3E,MAAM,gBAAgB,GAAG,CAAC,IAAI,CAAC,gBAAgB,IAAI,OAAO,CAAC,cAAc,EAAE,QAAQ,CAAC,CAAC;IACrF,MAAM,cAAc,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;IAE7D,OAAO;QACL,EAAE,EAAE,gBAAgB,IAAI,cAAc,IAAI,CAAC,UAAU,CAAC,OAAO;QAC7D,UAAU,EAAE,IAAI,CAAC,UAAU;QAC3B,gBAAgB,EAAE,sBAAsB,CACtC,kBAAkB,CAAC,KAAK,EAAE,UAAU,CAAC,OAAO,CAAC,EAC7C,KAAK,EAAE,EAAE,IAAI,KAAK,EAClB,CAAC,CAAC,UAAU,CAAC,OAAO,IAAI,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,cAAc,EAAE,KAAK,IAAI,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,IAAI,IAAI,CAAC,CACtG;QACD,oBAAoB,EAAE,KAAK,CAAC,QAAQ;QACpC,cAAc;QACd,YAAY;QACZ,KAAK,EAAE,KAAK;YACV,CAAC,CAAC,EAAE,QAAQ,EAAE,KAAK,CAAC,EAAE,EAAE,GAAG,EAAE,KAAK,CAAC,GAAG,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE;YACpF,CAAC,CAAC,SAAS;QACb,UAAU,EAAE,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,UAAU,CAAC,OAAO,EAAE,KAAK,EAAE,UAAU,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,SAAS;QACrG,aAAa,EAAE,IAAI,CAAC,aAAa;KAClC,CAAC;AACJ,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,sBAAsB,CACpC,KAA4B,EAC5B,OAAgB,EAChB,eAAe,GAAG,IAAI;IAEtB,MAAM,WAAW,GAAG,KAAK,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,IAAI,KAAK,CAAC,UAAU,CAAC,MAAM,KAAK,CAAC,CAAC;IAC/E,IAAI,CAAC,WAAW;QAAE,OAAO,IAAI,CAAC;IAC9B,OAAO,OAAO,IAAI,eAAe,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC;AAClD,CAAC;AAED,kFAAkF;AAElF,4FAA4F;AAC5F,KAAK,UAAU,iBAAiB,CAC9B,IAAgB,EAChB,IAAoB,EACpB,cAAiC;IAEjC,MAAM,YAAY,GAAG,IAAI,CAAC,YAAY,IAAI,EAAE,CAAC;IAC7C,OAAO,IAAI,CAAC,kBAAkB;QAC5B,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,YAAY,EAAE,EAAE,UAAU,EAAE,IAAI,CAAC,EAAE,EAAE,cAAc,EAAE,CAAC;QAChF,CAAC,CAAC,EAAE,QAAQ,EAAE,EAAE,EAAE,UAAU,EAAE,eAAe,CAAC,YAAY,CAAC,EAAE,CAAC;AAClE,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,mBAAmB,CAChC,IAAgB,EAChB,IAAoB,EACpB,cAAiC,EACjC,QAA4B;IAE5B,IAAI,CAAC,IAAI,CAAC,gBAAgB;QAAE,OAAO,SAAS,CAAC;IAC7C,MAAM,GAAG,GAAG,IAAI,CAAC,sBAAsB;QACrC,CAAC,CAAC,MAAM,IAAI,CAAC,sBAAsB,CAAC,IAAI,EAAE,EAAE,cAAc,EAAE,QAAQ,EAAE,CAAC;QACvE,CAAC,CAAC,KAAK,CAAC;IACV,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,GAAG,OAAO,GAAG,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,GAAG,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC;IACjG,OAAO,EAAE,gBAAgB,EAAE,IAAI,CAAC,gBAAgB,EAAE,SAAS,EAAE,IAAI,CAAC,SAAS,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC;AACjG,CAAC;AAED,iGAAiG;AACjG,KAAK,UAAU,iBAAiB,CAC9B,IAAgB,EAChB,IAAoB,EACpB,cAAiC;IAEjC,OAAO,OAAO,CAAC,GAAG,CAChB,CAAC,IAAI,CAAC,YAAY,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC;QAC1C,IAAI,EAAE,CAAC,CAAC,IAAI;QACZ,OAAO,EAAE,CAAC,CAAC,OAAO;QAClB,QAAQ,EAAE,IAAI,CAAC,mBAAmB;YAChC,CAAC,CAAC,MAAM,IAAI,CAAC,mBAAmB,CAAC,CAAC,EAAE,EAAE,UAAU,EAAE,CAAC,CAAC,OAAO,IAAI,IAAI,CAAC,EAAE,EAAE,cAAc,EAAE,CAAC;YACzF,CAAC,CAAC,KAAK;KACV,CAAC,CAAC,CACJ,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,KAAK,UAAU,cAAc,CAAC,IAAoB;IAChD,IAAI,CAAC,IAAI,CAAC,aAAa,IAAI,IAAI,CAAC,KAAK,KAAK,SAAS,IAAI,IAAI,CAAC,OAAO,KAAK,SAAS;QAAE,OAAO,SAAS,CAAC;IACpG,IAAI,CAAC;QACH,OAAO,MAAM,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,KAAK,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;IAC5D,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,sBAAsB,CAAC,EAAE,CAAC;IAC1D,CAAC;AACH,CAAC;AAUD,+FAA+F;AAC/F,KAAK,UAAU,mBAAmB,CAChC,IAAgB,EAChB,OAAsC;IAEtC,IAAI,CAAC,OAAO,IAAI,CAAC,IAAI,CAAC,UAAU;QAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;IACzF,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAC9C,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,CAAC,OAAO,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC;IACzE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC;IACxD,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,SAAS,kBAAkB,CAAC,KAA4B,EAAE,OAAgB;IACxE,IAAI,CAAC,OAAO;QAAE,OAAO,KAAK,CAAC;IAC3B,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,UAAU,EAAE,CAAC,GAAG,KAAK,CAAC,QAAQ,EAAE,GAAG,KAAK,CAAC,UAAU,CAAC,EAAE,CAAC;AAChF,CAAC"}
|
|
@@ -1,12 +1,17 @@
|
|
|
1
1
|
/**
|
|
2
|
-
* Bitstring Utilities for StatusList2021
|
|
2
|
+
* Bitstring Utilities for W3C status lists (StatusList2021 / Bitstring Status List v1.0).
|
|
3
3
|
*
|
|
4
4
|
* Implements GZIP compression + base64url encoding for efficient status lists.
|
|
5
|
-
*
|
|
5
|
+
* Each bit represents credential status:
|
|
6
6
|
* - 0: Not revoked/suspended
|
|
7
7
|
* - 1: Revoked/suspended
|
|
8
8
|
*
|
|
9
|
-
*
|
|
9
|
+
* Bit order is MSB-FIRST within each byte (index 0 → the 0x80 bit), matching the W3C spec and
|
|
10
|
+
* the Digital Bazaar reference `Bitstring` (`0x80 >> bit`). This is the SAME order the Entity Card
|
|
11
|
+
* revocation reader (`src/card/revocation.ts`) uses, so both code paths read an identical
|
|
12
|
+
* `encodedList` to the SAME verdict.
|
|
13
|
+
*
|
|
14
|
+
* Related Spec: W3C Bitstring Status List v1.0 (successor to StatusList2021)
|
|
10
15
|
*/
|
|
11
16
|
export interface CompressionFunction {
|
|
12
17
|
compress(data: Uint8Array): Promise<Uint8Array>;
|
|
@@ -16,10 +21,9 @@ export interface DecompressionFunction {
|
|
|
16
21
|
}
|
|
17
22
|
export declare class BitstringManager {
|
|
18
23
|
private compressor;
|
|
19
|
-
private decompressor;
|
|
20
24
|
private bits;
|
|
21
25
|
private size;
|
|
22
|
-
constructor(size: number, compressor: CompressionFunction,
|
|
26
|
+
constructor(size: number, compressor: CompressionFunction, _decompressor: DecompressionFunction);
|
|
23
27
|
setBit(index: number, value: boolean): void;
|
|
24
28
|
getBit(index: number): boolean;
|
|
25
29
|
getSetBits(): number[];
|
|
@@ -28,9 +32,7 @@ export declare class BitstringManager {
|
|
|
28
32
|
getRawBits(): Uint8Array;
|
|
29
33
|
getSize(): number;
|
|
30
34
|
private base64urlEncode;
|
|
31
|
-
private static base64urlDecode;
|
|
32
35
|
private bytesToBase64;
|
|
33
|
-
private static base64ToBytes;
|
|
34
36
|
static fromSetBits(size: number, setBits: number[], compressor: CompressionFunction, decompressor: DecompressionFunction): BitstringManager;
|
|
35
37
|
}
|
|
36
38
|
export declare function isIndexSet(encodedList: string, index: number, decompressor: DecompressionFunction): Promise<boolean>;
|