@kya-os/mcp 1.7.0 → 1.9.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +69 -0
- package/README.md +219 -3
- package/dist/card/build.d.ts +41 -0
- package/dist/card/build.d.ts.map +1 -0
- package/dist/card/build.js +47 -0
- package/dist/card/build.js.map +1 -0
- package/dist/card/builder.d.ts +99 -0
- package/dist/card/builder.d.ts.map +1 -0
- package/dist/card/builder.js +147 -0
- package/dist/card/builder.js.map +1 -0
- package/dist/card/cimd.d.ts +92 -0
- package/dist/card/cimd.d.ts.map +1 -0
- package/dist/card/cimd.js +225 -0
- package/dist/card/cimd.js.map +1 -0
- package/dist/card/delegation.d.ts +145 -0
- package/dist/card/delegation.d.ts.map +1 -0
- package/dist/card/delegation.js +293 -0
- package/dist/card/delegation.js.map +1 -0
- package/dist/card/emit.d.ts +133 -0
- package/dist/card/emit.d.ts.map +1 -0
- package/dist/card/emit.js +127 -0
- package/dist/card/emit.js.map +1 -0
- package/dist/card/index.d.ts +43 -0
- package/dist/card/index.d.ts.map +1 -0
- package/dist/card/index.js +46 -0
- package/dist/card/index.js.map +1 -0
- package/dist/card/middleware.d.ts +112 -0
- package/dist/card/middleware.d.ts.map +1 -0
- package/dist/card/middleware.js +121 -0
- package/dist/card/middleware.js.map +1 -0
- package/dist/card/proof/build.d.ts +22 -0
- package/dist/card/proof/build.d.ts.map +1 -0
- package/dist/card/proof/build.js +55 -0
- package/dist/card/proof/build.js.map +1 -0
- package/dist/card/proof/canonical.d.ts +66 -0
- package/dist/card/proof/canonical.d.ts.map +1 -0
- package/dist/card/proof/canonical.js +131 -0
- package/dist/card/proof/canonical.js.map +1 -0
- package/dist/card/proof/http-sig.d.ts +69 -0
- package/dist/card/proof/http-sig.d.ts.map +1 -0
- package/dist/card/proof/http-sig.js +101 -0
- package/dist/card/proof/http-sig.js.map +1 -0
- package/dist/card/proof/index.d.ts +25 -0
- package/dist/card/proof/index.d.ts.map +1 -0
- package/dist/card/proof/index.js +25 -0
- package/dist/card/proof/index.js.map +1 -0
- package/dist/card/proof/nonce-cache.d.ts +67 -0
- package/dist/card/proof/nonce-cache.d.ts.map +1 -0
- package/dist/card/proof/nonce-cache.js +88 -0
- package/dist/card/proof/nonce-cache.js.map +1 -0
- package/dist/card/proof/signer.d.ts +32 -0
- package/dist/card/proof/signer.d.ts.map +1 -0
- package/dist/card/proof/signer.js +59 -0
- package/dist/card/proof/signer.js.map +1 -0
- package/dist/card/proof/types.d.ts +219 -0
- package/dist/card/proof/types.d.ts.map +1 -0
- package/dist/card/proof/types.js +87 -0
- package/dist/card/proof/types.js.map +1 -0
- package/dist/card/proof/verify.d.ts +27 -0
- package/dist/card/proof/verify.d.ts.map +1 -0
- package/dist/card/proof/verify.js +236 -0
- package/dist/card/proof/verify.js.map +1 -0
- package/dist/card/resolve.d.ts +97 -0
- package/dist/card/resolve.d.ts.map +1 -0
- package/dist/card/resolve.js +223 -0
- package/dist/card/resolve.js.map +1 -0
- package/dist/card/revocation.d.ts +96 -0
- package/dist/card/revocation.d.ts.map +1 -0
- package/dist/card/revocation.js +190 -0
- package/dist/card/revocation.js.map +1 -0
- package/dist/card/schema.d.ts +177 -0
- package/dist/card/schema.d.ts.map +1 -0
- package/dist/card/schema.js +119 -0
- package/dist/card/schema.js.map +1 -0
- package/dist/card/verify.d.ts +144 -0
- package/dist/card/verify.d.ts.map +1 -0
- package/dist/card/verify.js +132 -0
- package/dist/card/verify.js.map +1 -0
- package/dist/delegation/bitstring.d.ts +9 -7
- package/dist/delegation/bitstring.d.ts.map +1 -1
- package/dist/delegation/bitstring.js +70 -37
- package/dist/delegation/bitstring.js.map +1 -1
- package/dist/delegation/did-linkage.d.ts +23 -0
- package/dist/delegation/did-linkage.d.ts.map +1 -0
- package/dist/delegation/did-linkage.js +57 -0
- package/dist/delegation/did-linkage.js.map +1 -0
- package/dist/delegation/did-resolver-registry.d.ts +7 -0
- package/dist/delegation/did-resolver-registry.d.ts.map +1 -0
- package/dist/delegation/did-resolver-registry.js +20 -0
- package/dist/delegation/did-resolver-registry.js.map +1 -0
- package/dist/delegation/did-web-resolver.d.ts +29 -18
- package/dist/delegation/did-web-resolver.d.ts.map +1 -1
- package/dist/delegation/did-web-resolver.js +65 -35
- package/dist/delegation/did-web-resolver.js.map +1 -1
- package/dist/delegation/index.d.ts +3 -0
- package/dist/delegation/index.d.ts.map +1 -1
- package/dist/delegation/index.js +3 -0
- package/dist/delegation/index.js.map +1 -1
- package/dist/delegation/statuslist-manager.d.ts.map +1 -1
- package/dist/delegation/statuslist-manager.js +16 -1
- package/dist/delegation/statuslist-manager.js.map +1 -1
- package/dist/delegation/vc-jwt-verify.d.ts +61 -0
- package/dist/delegation/vc-jwt-verify.d.ts.map +1 -0
- package/dist/delegation/vc-jwt-verify.js +131 -0
- package/dist/delegation/vc-jwt-verify.js.map +1 -0
- package/dist/delegation/vc-verification-checks.d.ts +50 -0
- package/dist/delegation/vc-verification-checks.d.ts.map +1 -0
- package/dist/delegation/vc-verification-checks.js +212 -0
- package/dist/delegation/vc-verification-checks.js.map +1 -0
- package/dist/delegation/vc-verifier.d.ts +24 -61
- package/dist/delegation/vc-verifier.d.ts.map +1 -1
- package/dist/delegation/vc-verifier.js +57 -180
- package/dist/delegation/vc-verifier.js.map +1 -1
- package/dist/delegation/vc-verifier.types.d.ts +88 -0
- package/dist/delegation/vc-verifier.types.d.ts.map +1 -0
- package/dist/delegation/vc-verifier.types.js +9 -0
- package/dist/delegation/vc-verifier.types.js.map +1 -0
- package/dist/index.d.ts +3 -1
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +2 -0
- package/dist/index.js.map +1 -1
- package/dist/integrations/cheqd/dlr.d.ts +44 -0
- package/dist/integrations/cheqd/dlr.d.ts.map +1 -0
- package/dist/integrations/cheqd/dlr.js +86 -0
- package/dist/integrations/cheqd/dlr.js.map +1 -0
- package/dist/integrations/cheqd/index.d.ts +5 -0
- package/dist/integrations/cheqd/index.d.ts.map +1 -0
- package/dist/integrations/cheqd/index.js +5 -0
- package/dist/integrations/cheqd/index.js.map +1 -0
- package/dist/integrations/cheqd/linkage.d.ts +20 -0
- package/dist/integrations/cheqd/linkage.d.ts.map +1 -0
- package/dist/integrations/cheqd/linkage.js +32 -0
- package/dist/integrations/cheqd/linkage.js.map +1 -0
- package/dist/integrations/cheqd/registrar.d.ts +85 -0
- package/dist/integrations/cheqd/registrar.d.ts.map +1 -0
- package/dist/integrations/cheqd/registrar.js +304 -0
- package/dist/integrations/cheqd/registrar.js.map +1 -0
- package/dist/integrations/cheqd/resolver.d.ts +38 -0
- package/dist/integrations/cheqd/resolver.d.ts.map +1 -0
- package/dist/integrations/cheqd/resolver.js +156 -0
- package/dist/integrations/cheqd/resolver.js.map +1 -0
- package/dist/middleware/index.d.ts +2 -0
- package/dist/middleware/index.d.ts.map +1 -1
- package/dist/middleware/index.js +5 -0
- package/dist/middleware/index.js.map +1 -1
- package/dist/middleware/with-kya-os.config-types.d.ts +139 -0
- package/dist/middleware/with-kya-os.config-types.d.ts.map +1 -0
- package/dist/middleware/with-kya-os.config-types.js +9 -0
- package/dist/middleware/with-kya-os.config-types.js.map +1 -0
- package/dist/middleware/with-kya-os.d.ts +3 -267
- package/dist/middleware/with-kya-os.d.ts.map +1 -1
- package/dist/middleware/with-kya-os.delegation-gate.d.ts +19 -0
- package/dist/middleware/with-kya-os.delegation-gate.d.ts.map +1 -0
- package/dist/middleware/with-kya-os.delegation-gate.js +175 -0
- package/dist/middleware/with-kya-os.delegation-gate.js.map +1 -0
- package/dist/middleware/with-kya-os.delegation-verify.d.ts +51 -0
- package/dist/middleware/with-kya-os.delegation-verify.d.ts.map +1 -0
- package/dist/middleware/with-kya-os.delegation-verify.js +165 -0
- package/dist/middleware/with-kya-os.delegation-verify.js.map +1 -0
- package/dist/middleware/with-kya-os.deps.d.ts +40 -0
- package/dist/middleware/with-kya-os.deps.d.ts.map +1 -0
- package/dist/middleware/with-kya-os.deps.js +9 -0
- package/dist/middleware/with-kya-os.deps.js.map +1 -0
- package/dist/middleware/with-kya-os.grants.d.ts +30 -0
- package/dist/middleware/with-kya-os.grants.d.ts.map +1 -0
- package/dist/middleware/with-kya-os.grants.js +145 -0
- package/dist/middleware/with-kya-os.grants.js.map +1 -0
- package/dist/middleware/with-kya-os.helpers.d.ts +24 -0
- package/dist/middleware/with-kya-os.helpers.d.ts.map +1 -0
- package/dist/middleware/with-kya-os.helpers.js +57 -0
- package/dist/middleware/with-kya-os.helpers.js.map +1 -0
- package/dist/middleware/with-kya-os.js +45 -891
- package/dist/middleware/with-kya-os.js.map +1 -1
- package/dist/middleware/with-kya-os.policy-gate.d.ts +16 -0
- package/dist/middleware/with-kya-os.policy-gate.d.ts.map +1 -0
- package/dist/middleware/with-kya-os.policy-gate.js +98 -0
- package/dist/middleware/with-kya-os.policy-gate.js.map +1 -0
- package/dist/middleware/with-kya-os.protocol.d.ts +29 -0
- package/dist/middleware/with-kya-os.protocol.d.ts.map +1 -0
- package/dist/middleware/with-kya-os.protocol.js +121 -0
- package/dist/middleware/with-kya-os.protocol.js.map +1 -0
- package/dist/middleware/with-kya-os.session.d.ts +32 -0
- package/dist/middleware/with-kya-os.session.d.ts.map +1 -0
- package/dist/middleware/with-kya-os.session.js +201 -0
- package/dist/middleware/with-kya-os.session.js.map +1 -0
- package/dist/middleware/with-kya-os.types.d.ts +178 -0
- package/dist/middleware/with-kya-os.types.d.ts.map +1 -0
- package/dist/middleware/with-kya-os.types.js +13 -0
- package/dist/middleware/with-kya-os.types.js.map +1 -0
- package/dist/providers/runtime-fetch.d.ts +8 -0
- package/dist/providers/runtime-fetch.d.ts.map +1 -1
- package/dist/providers/runtime-fetch.js +17 -0
- package/dist/providers/runtime-fetch.js.map +1 -1
- package/dist/providers/web-crypto.d.ts.map +1 -1
- package/dist/providers/web-crypto.js +15 -7
- package/dist/providers/web-crypto.js.map +1 -1
- package/dist/utils/guards.d.ts +2 -0
- package/dist/utils/guards.d.ts.map +1 -0
- package/dist/utils/guards.js +4 -0
- package/dist/utils/guards.js.map +1 -0
- package/dist/utils/index.d.ts +3 -0
- package/dist/utils/index.d.ts.map +1 -1
- package/dist/utils/index.js +3 -0
- package/dist/utils/index.js.map +1 -1
- package/dist/utils/ip-classifier.d.ts +12 -0
- package/dist/utils/ip-classifier.d.ts.map +1 -0
- package/dist/utils/ip-classifier.js +153 -0
- package/dist/utils/ip-classifier.js.map +1 -0
- package/dist/utils/safe-fetch-transports.d.ts +40 -0
- package/dist/utils/safe-fetch-transports.d.ts.map +1 -0
- package/dist/utils/safe-fetch-transports.js +121 -0
- package/dist/utils/safe-fetch-transports.js.map +1 -0
- package/dist/utils/safe-fetch-types.d.ts +66 -0
- package/dist/utils/safe-fetch-types.d.ts.map +1 -0
- package/dist/utils/safe-fetch-types.js +10 -0
- package/dist/utils/safe-fetch-types.js.map +1 -0
- package/dist/utils/safe-fetch.d.ts +40 -0
- package/dist/utils/safe-fetch.d.ts.map +1 -0
- package/dist/utils/safe-fetch.js +188 -0
- package/dist/utils/safe-fetch.js.map +1 -0
- package/dist/utils/statuslist-purpose.d.ts +12 -0
- package/dist/utils/statuslist-purpose.d.ts.map +1 -0
- package/dist/utils/statuslist-purpose.js +19 -0
- package/dist/utils/statuslist-purpose.js.map +1 -0
- package/dist/utils/url.d.ts +2 -0
- package/dist/utils/url.d.ts.map +1 -0
- package/dist/utils/url.js +8 -0
- package/dist/utils/url.js.map +1 -0
- package/package.json +25 -5
- package/schemas/README.md +2 -1
- package/schemas/card-delegation-credential.json +239 -0
- package/schemas/kya-os-card.schema.json +284 -0
package/CHANGELOG.md
CHANGED
|
@@ -7,6 +7,75 @@ Versioning: https://semver.org/spec/v2.0.0.html
|
|
|
7
7
|
|
|
8
8
|
## [Unreleased]
|
|
9
9
|
|
|
10
|
+
## [1.9.0] - 2026-07-07
|
|
11
|
+
|
|
12
|
+
Entity Card (`@kya-os/mcp/card`) — a typed, DID-anchored, per-request
|
|
13
|
+
holder-of-key identity layer that rides existing rails (MCP server-card `_meta`,
|
|
14
|
+
A2A extension, NANDA AgentFacts) instead of a new well-known doc. Additive.
|
|
15
|
+
|
|
16
|
+
First npm release since 1.7.0 (the prepared 1.8.0 was never published). See the
|
|
17
|
+
BREAKING status-list note below — persisted 1.x status lists MUST be
|
|
18
|
+
regenerated on upgrade.
|
|
19
|
+
|
|
20
|
+
### Added
|
|
21
|
+
|
|
22
|
+
- **`./card`** — the `card()` builder, `withKyaOsCard` / `requireProof`
|
|
23
|
+
middleware, and `buildCard` / `resolveCard` / `verifyCard`. Conformance is
|
|
24
|
+
recomputed on verify, never self-claimed.
|
|
25
|
+
- **Stateless proof (`org.kya-os/proof@1`)** and a **VC 2.0 / ZCAP-LD**
|
|
26
|
+
delegation profile with Bitstring Status List v1.0 revocation. Both run
|
|
27
|
+
alongside the legacy session proof + delegation for all of 1.x; the legacy
|
|
28
|
+
paths drop at 2.0.
|
|
29
|
+
- **CIMD L1 on-ramp** — `client_id ⇄ did:web`, so an OAuth `private_key_jwt`
|
|
30
|
+
doubles as a DID-key proof (RFC 9449 `cnf.jkt` sender-constrains it).
|
|
31
|
+
- Conformance vectors + a cross-language verifier folded into the existing
|
|
32
|
+
`conformance/` harness (new `card-proof` / `entity-card` categories).
|
|
33
|
+
- **Proof crypto agility (`ES256`)** — the per-request proof now accepts an
|
|
34
|
+
ALLOW-LIST of two signing algorithms, `EdDSA` (Ed25519) and `ES256` (ECDSA
|
|
35
|
+
P-256, FIPS-eligible via HSM/KMS), never negotiated. `alg` is a signed covered
|
|
36
|
+
claim and the resolved key type MUST match it (`alg_key_mismatch`), so adding a
|
|
37
|
+
second curve introduces no algorithm-confusion surface. `es256SignerFromJwk`
|
|
38
|
+
ships alongside `ed25519SignerFromJwk`; the RFC 9421 sibling carries the
|
|
39
|
+
matching `ecdsa-p256-sha256` label. (CIMD DID-keyed JWKS extraction stays
|
|
40
|
+
Ed25519-only for now — a P-256 verifier supplies its own `resolveDidKeys`.)
|
|
41
|
+
- **VC-JWT verification (`./delegation`)** — `DelegationCredentialVerifier.verifyDelegationJwt()`
|
|
42
|
+
verifies the JWT serialization of a Verifiable Credential (compact JWS, where
|
|
43
|
+
the envelope signature over `header.payload` IS the proof — no embedded
|
|
44
|
+
`proof` block), so credentials minted by browser / passkey wallets verify
|
|
45
|
+
without a hand-rolled path. `algorithms` is pinned to `EdDSA`, and the
|
|
46
|
+
credential `issuer` must equal the signed `iss`. Additive; the Data Integrity
|
|
47
|
+
path is unchanged.
|
|
48
|
+
- **Multi-key did:web documents** — `buildDidWebDocument` now accepts
|
|
49
|
+
`Identity | Identity[]`, emitting one verification method per key under a
|
|
50
|
+
single controller DID. This is the basis for multi-device identity: a device
|
|
51
|
+
is added or removed by adding or removing a verification method, and a
|
|
52
|
+
verifier selects the signing key by `kid`. Backward-compatible — a lone
|
|
53
|
+
identity yields the same single-method document as before.
|
|
54
|
+
|
|
55
|
+
### Changed — BREAKING for persisted status lists
|
|
56
|
+
|
|
57
|
+
- **Status-list bit order corrected to W3C MSB-first.** `BitstringManager`
|
|
58
|
+
(StatusList2021 / Bitstring Status List) now reads and writes bits
|
|
59
|
+
most-significant-first (`0x80 >> i`), matching the W3C spec and the Digital
|
|
60
|
+
Bazaar reference — and the Entity Card revocation reader — so both code paths
|
|
61
|
+
read an identical `encodedList` to the same verdict. The prior LSB-first order
|
|
62
|
+
was self-consistent but non-interoperable with any standard tool.
|
|
63
|
+
- **⚠️ MIGRATION — READ THIS.** A status list generated by a 1.x release is
|
|
64
|
+
encoded LSB-first. Read by this release it is **misread silently**: a
|
|
65
|
+
**revoked credential can read as LIVE** (the bit mirrors within its byte, so
|
|
66
|
+
e.g. revoked index 42 → clear, and phantom index 45 → revoked). The W3C
|
|
67
|
+
credential carries no bit-order/version field, so old lists **cannot be
|
|
68
|
+
auto-detected**. You MUST **regenerate every persisted status list** on
|
|
69
|
+
upgrade; do not read 1.x-encoded lists with this release. (Tracking a
|
|
70
|
+
KYA-OS-side encoding-version marker + a bit-reverse migration helper as a
|
|
71
|
+
follow-up so future changes are detectable.)
|
|
72
|
+
- **Fail-closed hardening.** `isIndexSet` / `BitstringManager.getBit` now throw
|
|
73
|
+
on an out-of-range or `NaN` index (were fail-open), `BitstringManager.decode`
|
|
74
|
+
caps the inflated bitstring at 16 MiB (decompression-bomb guard), and the card
|
|
75
|
+
`statusListIndex` must be a canonical decimal (a whitespace/hex value no longer
|
|
76
|
+
silently reads bit 0). IPv6 NAT64 / 6to4 / Teredo / site-local addresses are
|
|
77
|
+
now treated as non-public by the SSRF guard.
|
|
78
|
+
|
|
10
79
|
## [1.7.0] - 2026-06-17
|
|
11
80
|
|
|
12
81
|
Durable consent persistence. Pluggable `GrantStore` / `PendingFlowStore` /
|
package/README.md
CHANGED
|
@@ -108,6 +108,44 @@ When an agent calls `checkout` without a delegation credential, it gets back a `
|
|
|
108
108
|
|
|
109
109
|
---
|
|
110
110
|
|
|
111
|
+
## Typed, DID-anchored identity: the Entity Card
|
|
112
|
+
|
|
113
|
+
Proofs answer *what an agent did*. The **Entity Card** answers *who is calling* — a typed, DID-anchored identity (`agent`, `mcp`, `client`, `verifier`, `human`) an entity publishes once and every discovery rail can index. It is claim-minimal: it asserts only identity, type, declared capabilities, and accountability locators. The trust **level** (L1/L2/L3) is never self-claimed — a verifier RECOMPUTES it from evidence. Three ergonomic calls, imported from the published `@kya-os/mcp/card` subpath:
|
|
114
|
+
|
|
115
|
+
```typescript
|
|
116
|
+
import { card, withKyaOsCard, requireProof, InMemoryNonceCache } from '@kya-os/mcp/card';
|
|
117
|
+
|
|
118
|
+
// 1. BUILD — describe the agent, fluently. No conformanceLevel: a verifier derives it.
|
|
119
|
+
const myCard = card({ did: 'did:web:acme.example:agents:pay', entityType: 'agent', name: 'Acme Pay' })
|
|
120
|
+
.capability('search') // L1: bare-string, self-declared
|
|
121
|
+
.attestedCapability('payments.transfer', capabilityVc) // L2: VC-backed
|
|
122
|
+
.accountableTo('did:web:acme.example:org', { via: 'vc_root>del_123' })
|
|
123
|
+
.usesProof()
|
|
124
|
+
.build();
|
|
125
|
+
|
|
126
|
+
// 2. EMIT — mount the three discovery artifacts (card.json, DID service entry, server.json _meta).
|
|
127
|
+
const mount = withKyaOsCard(myCard);
|
|
128
|
+
const serverJson = mount.mountServerJson({ name: 'acme-mcp', version: '1.0.0' });
|
|
129
|
+
|
|
130
|
+
// 3. GUARD — verify a per-request holder-of-key proof, fail-closed.
|
|
131
|
+
const nonces = new InMemoryNonceCache(); // ATOMIC replay defense — never hand-roll this seam
|
|
132
|
+
const guard = requireProof({
|
|
133
|
+
resolveKey, // resolve the signing key from its kid (DID document)
|
|
134
|
+
expectedAudience: 'did:web:acme.example:mcp:server',
|
|
135
|
+
consumeNonceIfFresh: nonces.consume, // test-AND-set; a replayed nonce is rejected
|
|
136
|
+
});
|
|
137
|
+
|
|
138
|
+
// Pass the EXACT body the client signed (without _meta) plus the _meta that carried the proof.
|
|
139
|
+
const { _meta, ...signedBody } = incomingRequest;
|
|
140
|
+
const verdict = await guard(signedBody, _meta); // { ok: true, did, level } or a 401-shaped reject
|
|
141
|
+
```
|
|
142
|
+
|
|
143
|
+
Miss the proof, replay a nonce, or tamper the body and `requireProof` fails closed. To go the other direction — DISCOVER and verify another entity's card — use `resolveCard` + `verifyCard` (the verifier recomputes the conformance floor rather than trusting the card).
|
|
144
|
+
|
|
145
|
+
> Run the full 10-minute path end-to-end: [examples/entity-card](./examples/entity-card/) — `npm run example:entity-card:server` (build → emit → guard, with a valid proof accepted and a replay + tamper rejected) and `npm run example:entity-card` (the discover → resolve → verify walkthrough). See [SPEC-ENTITY-CARD.md](./SPEC-ENTITY-CARD.md) for normative detail.
|
|
146
|
+
|
|
147
|
+
---
|
|
148
|
+
|
|
111
149
|
## See it in action
|
|
112
150
|
|
|
113
151
|
```bash
|
|
@@ -125,7 +163,7 @@ This starts all example servers and opens [MCP Inspector](https://github.com/mod
|
|
|
125
163
|
| 3003 | [consent-full](./examples/consent-full/) | Production consent UI ([@kya-os/consent](https://www.npmjs.com/package/@kya-os/consent)) |
|
|
126
164
|
| 3004 | [context7-with-kya-os](./examples/context7-with-kya-os/) | 2-line migration of a real MCP server |
|
|
127
165
|
|
|
128
|
-
Also available: [outbound-delegation](./examples/outbound-delegation/) (gateway pattern), [verify-proof](./examples/verify-proof/) (standalone verification), [statuslist](./examples/statuslist/) (revocation lifecycle).
|
|
166
|
+
Also available: [outbound-delegation](./examples/outbound-delegation/) (gateway pattern), [verify-proof](./examples/verify-proof/) (standalone verification), [statuslist](./examples/statuslist/) (revocation lifecycle), [cheqd-dlr](./examples/cheqd-dlr/) (operator DID linkage + DLR publishing).
|
|
129
167
|
|
|
130
168
|
---
|
|
131
169
|
|
|
@@ -133,7 +171,8 @@ Also available: [outbound-delegation](./examples/outbound-delegation/) (gateway
|
|
|
133
171
|
|
|
134
172
|
| Capability | How it works |
|
|
135
173
|
|-----------|-------------|
|
|
136
|
-
| **Cryptographic identity** | Ed25519 key pairs, `did:key`
|
|
174
|
+
| **Cryptographic identity** | Ed25519 (EdDSA) and P-256 (ES256, FIPS-eligible) key pairs, `did:key` / `did:web` resolution, optional `did:cheqd` resolver support |
|
|
175
|
+
| **Entity Card** | Typed, DID-anchored identity: fluent `card()` builder, `withKyaOsCard` discovery projections, `requireProof` per-request holder-of-key guard |
|
|
137
176
|
| **Signed proofs** | Detached JWS over JCS-canonicalized request/response hashes |
|
|
138
177
|
| **Delegation credentials** | W3C Verifiable Credentials with scope constraints, rooted at a Responsible Party |
|
|
139
178
|
| **Revocation** | StatusList2021 bitstring with cascading revocation |
|
|
@@ -151,9 +190,186 @@ flows, and sessions are shared across instances and survive restarts.
|
|
|
151
190
|
|
|
152
191
|
---
|
|
153
192
|
|
|
193
|
+
## Optional did:cheqd and DID-Linked Resources
|
|
194
|
+
|
|
195
|
+
`did:cheqd` support is additive and opt-in. Existing `did:key` and `did:web`
|
|
196
|
+
flows remain unchanged, and operators can keep `did:web` as their canonical
|
|
197
|
+
identifier while linking to a cheqd DID over time.
|
|
198
|
+
|
|
199
|
+
### Resolver configuration
|
|
200
|
+
|
|
201
|
+
```typescript
|
|
202
|
+
import { RuntimeFetchProvider, withKyaOs, NodeCryptoProvider } from '@kya-os/mcp';
|
|
203
|
+
import { cheqdResolver } from '@kya-os/mcp/cheqd';
|
|
204
|
+
|
|
205
|
+
const crypto = new NodeCryptoProvider();
|
|
206
|
+
const fetchProvider = new RuntimeFetchProvider();
|
|
207
|
+
const didResolvers = {
|
|
208
|
+
cheqd: cheqdResolver({ resolverUrl: 'https://resolver.cheqd.net' }),
|
|
209
|
+
};
|
|
210
|
+
|
|
211
|
+
await withKyaOs(server, {
|
|
212
|
+
crypto,
|
|
213
|
+
delegation: {
|
|
214
|
+
fetchProvider,
|
|
215
|
+
didResolvers,
|
|
216
|
+
},
|
|
217
|
+
});
|
|
218
|
+
```
|
|
219
|
+
|
|
220
|
+
`did:cheqd` is resolved only when a resolver for the `cheqd` DID method is
|
|
221
|
+
explicitly supplied. The core middleware and fetch provider use the generic
|
|
222
|
+
`didResolvers` registry; cheqd-specific URL/cache/header options live in the
|
|
223
|
+
`cheqdResolver()` factory from `@kya-os/mcp/cheqd`.
|
|
224
|
+
`RuntimeFetchProvider` accepts the same registry when it is used directly by a
|
|
225
|
+
standalone verifier or operator script.
|
|
226
|
+
Unsupported methods, malformed DIDs, fetch failures, invalid JSON, malformed DID
|
|
227
|
+
Documents, and DID id mismatches fail closed by returning `null`. The resolver
|
|
228
|
+
accepts both raw DID Documents and Universal Resolver-style DID Resolution
|
|
229
|
+
Results (`{ didDocument: ... }`).
|
|
230
|
+
|
|
231
|
+
### Registrar writes
|
|
232
|
+
|
|
233
|
+
Registrar writes are explicit operator/admin actions. The package exposes
|
|
234
|
+
`CheqdDidRegistrarClient` for cheqd DID Registrar `/create`, `/update`, and
|
|
235
|
+
`/{did}/create-resource` flows, using cheqd's client-managed-secret pattern:
|
|
236
|
+
the registrar returns a serialized payload, your signer signs it, and the
|
|
237
|
+
signature is submitted back. Private keys are not sent to the registrar.
|
|
238
|
+
|
|
239
|
+
```typescript
|
|
240
|
+
import {
|
|
241
|
+
CheqdDidRegistrarClient,
|
|
242
|
+
createLocalEd25519CheqdRegistrarSigner,
|
|
243
|
+
} from '@kya-os/mcp/cheqd';
|
|
244
|
+
import {
|
|
245
|
+
NodeCryptoProvider,
|
|
246
|
+
} from '@kya-os/mcp';
|
|
247
|
+
|
|
248
|
+
const crypto = new NodeCryptoProvider();
|
|
249
|
+
const registrar = new CheqdDidRegistrarClient({
|
|
250
|
+
registrarUrl: 'https://did-registrar-staging.cheqd.net/1.0',
|
|
251
|
+
fetchProvider,
|
|
252
|
+
// Optional static or async auth headers for private registrar deployments.
|
|
253
|
+
// headers: async () => ({ Authorization: `Bearer ${token}` }),
|
|
254
|
+
});
|
|
255
|
+
|
|
256
|
+
const signer = createLocalEd25519CheqdRegistrarSigner({
|
|
257
|
+
cryptoProvider: crypto,
|
|
258
|
+
privateKey: process.env.CHEQD_DID_PRIVATE_KEY_BASE64!,
|
|
259
|
+
verificationMethodId: 'did:cheqd:testnet:...#key-1',
|
|
260
|
+
signatureEncoding: 'base64url',
|
|
261
|
+
});
|
|
262
|
+
```
|
|
263
|
+
|
|
264
|
+
For mainnet, run or contract against your own fee-payer registrar deployment and
|
|
265
|
+
provide the signer hook from your KMS/HSM boundary. The local Ed25519 helper is
|
|
266
|
+
for simple controlled deployments and tests; it still signs locally and sends
|
|
267
|
+
only signatures to the registrar.
|
|
268
|
+
|
|
269
|
+
Runtime proof generation does not perform registrar writes. Create/update/DLR
|
|
270
|
+
publishing should be triggered by an explicit operator workflow, deployment
|
|
271
|
+
step, or admin tool.
|
|
272
|
+
|
|
273
|
+
### DID linkage
|
|
274
|
+
|
|
275
|
+
For `did:web` <-> `did:cheqd` binding, publish reciprocal `alsoKnownAs` values
|
|
276
|
+
and verify both DID Documents with `verifyDidLinkage()`. `buildDidWebDocument`
|
|
277
|
+
can include the `did:cheqd` reference on the `did:web` side, while
|
|
278
|
+
`updateCheqdAlsoKnownAs()` updates the cheqd side through the registrar.
|
|
279
|
+
|
|
280
|
+
```typescript
|
|
281
|
+
import { verifyDidLinkage } from '@kya-os/mcp';
|
|
282
|
+
import { updateCheqdAlsoKnownAs } from '@kya-os/mcp/cheqd';
|
|
283
|
+
|
|
284
|
+
await updateCheqdAlsoKnownAs({
|
|
285
|
+
didWeb: 'did:web:agent.example.com',
|
|
286
|
+
didCheqd: 'did:cheqd:testnet:...',
|
|
287
|
+
resolver: cheqdResolver,
|
|
288
|
+
registrar,
|
|
289
|
+
signer,
|
|
290
|
+
verificationMethodId: 'did:cheqd:testnet:...#key-1',
|
|
291
|
+
});
|
|
292
|
+
|
|
293
|
+
const linkage = verifyDidLinkage({
|
|
294
|
+
primaryDid: 'did:web:agent.example.com',
|
|
295
|
+
secondaryDid: 'did:cheqd:testnet:...',
|
|
296
|
+
primaryDidDocument: didWebDocument,
|
|
297
|
+
secondaryDidDocument: didCheqdDocument,
|
|
298
|
+
});
|
|
299
|
+
```
|
|
300
|
+
|
|
301
|
+
### DID-Linked Resource helpers
|
|
302
|
+
|
|
303
|
+
DID-Linked Resource helpers are intended for durable manifests only. Supported
|
|
304
|
+
artifact types are:
|
|
305
|
+
|
|
306
|
+
- `CapabilityManifest`
|
|
307
|
+
- `ConformanceManifest`
|
|
308
|
+
- `AccessHashManifest`
|
|
309
|
+
- `TrustConfigManifest`
|
|
310
|
+
|
|
311
|
+
`prepareCheqdDlrResource()` validates the artifact, canonicalizes its `content`
|
|
312
|
+
with JSON Canonicalization Scheme, computes or validates a `sha256:<64 hex>`
|
|
313
|
+
content hash, and returns a registrar resource body. Updates are modeled as new
|
|
314
|
+
resource versions under the same resource `name` and `type`; prior resources are
|
|
315
|
+
not overwritten. Do not write high-volume tool calls, raw operational logs, or
|
|
316
|
+
normal runtime proof events to cheqd; keep those in your normal audit/hash
|
|
317
|
+
stores.
|
|
318
|
+
|
|
319
|
+
```typescript
|
|
320
|
+
import { prepareCheqdDlrResource } from '@kya-os/mcp/cheqd';
|
|
321
|
+
|
|
322
|
+
const prepared = await prepareCheqdDlrResource({
|
|
323
|
+
type: 'TrustConfigManifest',
|
|
324
|
+
subjectDid: 'did:cheqd:testnet:...',
|
|
325
|
+
name: 'agent-trust-config',
|
|
326
|
+
resourceType: 'TrustConfigManifest',
|
|
327
|
+
version: '2026-06-01',
|
|
328
|
+
content: {
|
|
329
|
+
acceptedDidMethods: ['did:web', 'did:key', 'did:cheqd'],
|
|
330
|
+
requiredLinkage: { type: 'alsoKnownAs', bidirectional: true },
|
|
331
|
+
},
|
|
332
|
+
}, crypto);
|
|
333
|
+
|
|
334
|
+
await registrar.createResource({
|
|
335
|
+
did: 'did:cheqd:testnet:...',
|
|
336
|
+
resource: prepared.resource,
|
|
337
|
+
signer,
|
|
338
|
+
verificationMethodId: 'did:cheqd:testnet:...#key-1',
|
|
339
|
+
});
|
|
340
|
+
```
|
|
341
|
+
|
|
342
|
+
See [examples/cheqd-dlr](./examples/cheqd-dlr/) for a complete operator flow.
|
|
343
|
+
|
|
344
|
+
### Live cheqd registrar E2E tests
|
|
345
|
+
|
|
346
|
+
Live registrar coverage is opt-in because it performs real writes to cheqd
|
|
347
|
+
testnet. The default endpoint is the cheqd-published testnet staging registrar;
|
|
348
|
+
override it only with another testnet registrar. The live test creates a testnet
|
|
349
|
+
DID, adds a realistic `did:web` alias via `alsoKnownAs`, then publishes one
|
|
350
|
+
resource for each supported KYA DLR artifact type.
|
|
351
|
+
|
|
352
|
+
```powershell
|
|
353
|
+
$env:KYA_OS_CHEQD_E2E = '1'
|
|
354
|
+
npm run test:e2e:cheqd:testnet
|
|
355
|
+
Remove-Item Env:\KYA_OS_CHEQD_E2E
|
|
356
|
+
```
|
|
357
|
+
|
|
358
|
+
Optional environment variables:
|
|
359
|
+
|
|
360
|
+
| Variable | Default |
|
|
361
|
+
| --- | --- |
|
|
362
|
+
| `KYA_OS_CHEQD_TESTNET_REGISTRAR_URL` | `https://did-registrar-staging.cheqd.net/1.0` |
|
|
363
|
+
| `KYA_OS_CHEQD_TESTNET_RESOLVER_URL` | `https://resolver.cheqd.net` |
|
|
364
|
+
| `KYA_OS_CHEQD_E2E_TIMEOUT_MS` | `180000` |
|
|
365
|
+
|
|
366
|
+
Out of scope for this package: replacing `did:web` as the canonical identity,
|
|
367
|
+
writing runtime proof events on-chain, KYC/KYB issuance, reputation VC snapshot
|
|
368
|
+
publication, status-list backend hosting, and external registry changes.
|
|
369
|
+
|
|
154
370
|
## Links
|
|
155
371
|
|
|
156
|
-
- [Spec](./SPEC.md) | [Changelog](./CHANGELOG.md) | [DIF TAAWG](https://identity.foundation/working-groups/agent-and-authorization.html) | [npm](https://www.npmjs.com/package/@kya-os/mcp)
|
|
372
|
+
- [Spec](./SPEC.md) | [Card Profile](./SPEC-ENTITY-CARD.md) | [Changelog](./CHANGELOG.md) | [DIF TAAWG](https://identity.foundation/working-groups/agent-and-authorization.html) | [npm](https://www.npmjs.com/package/@kya-os/mcp)
|
|
157
373
|
- [CONTRIBUTING.md](./CONTRIBUTING.md) | [CONFORMANCE.md](./CONFORMANCE.md) | [SECURITY.md](./SECURITY.md) | [GOVERNANCE.md](./GOVERNANCE.md)
|
|
158
374
|
|
|
159
375
|
## License
|
|
@@ -0,0 +1,41 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* KYA-OS Entity Card — EMIT.
|
|
3
|
+
*
|
|
4
|
+
* `buildCard` projects this entity's identity + declared facts into a card. Pure,
|
|
5
|
+
* claim-minimal: it asserts only identity + type + declared capabilities (trust-bearing
|
|
6
|
+
* claims are proven by the referenced credentials, not minted here). `conformanceLevel`
|
|
7
|
+
* is intentionally omitted — it is a derived value a verifier recomputes.
|
|
8
|
+
*/
|
|
9
|
+
import type { Attestation, BitstringStatusListEntry, Capability, CimdBinding, Ed25519PublicJwk, EntityCard, EntityType, ProofProfile } from './schema.js';
|
|
10
|
+
export interface BuildCardFacts {
|
|
11
|
+
entityType: EntityType;
|
|
12
|
+
name: string;
|
|
13
|
+
capabilities?: Capability[];
|
|
14
|
+
responsibleParty?: string;
|
|
15
|
+
principal?: string;
|
|
16
|
+
delegationRef?: string;
|
|
17
|
+
attestations?: Attestation[];
|
|
18
|
+
didDocument?: string;
|
|
19
|
+
/** Card's Ed25519 public JWK (for a card that inlines its verification key). */
|
|
20
|
+
publicKeyJwk?: Ed25519PublicJwk;
|
|
21
|
+
/** Names the per-request holder-of-key proof profile this entity's requests carry. */
|
|
22
|
+
proofProfile?: ProofProfile;
|
|
23
|
+
/** L1 CIMD on-ramp coordinates (client_id ⇄ did:web, jwks_uri ⇄ DID keys). */
|
|
24
|
+
cimd?: CimdBinding;
|
|
25
|
+
/** W3C Bitstring Status List revocation entry (the post-issuance kill switch). */
|
|
26
|
+
revocation?: BitstringStatusListEntry;
|
|
27
|
+
}
|
|
28
|
+
/** Minimal identity shape this helper needs (structurally compatible with `Identity`). */
|
|
29
|
+
export interface CardIdentity {
|
|
30
|
+
did: string;
|
|
31
|
+
kid?: string;
|
|
32
|
+
createdAt?: string;
|
|
33
|
+
}
|
|
34
|
+
/**
|
|
35
|
+
* Build this entity's card from its identity + declared facts. Pure. Asserts only
|
|
36
|
+
* identity + type + declared capabilities (claim-minimalism — trust-bearing claims are
|
|
37
|
+
* proven by the referenced credentials, not minted here). `conformanceLevel` is
|
|
38
|
+
* intentionally omitted on emit: it is a derived value a verifier recomputes.
|
|
39
|
+
*/
|
|
40
|
+
export declare function buildCard(identity: CardIdentity, facts: BuildCardFacts): EntityCard;
|
|
41
|
+
//# sourceMappingURL=build.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"build.d.ts","sourceRoot":"","sources":["../../src/card/build.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EACV,WAAW,EACX,wBAAwB,EACxB,UAAU,EACV,WAAW,EACX,gBAAgB,EAChB,UAAU,EACV,UAAU,EACV,YAAY,EACb,MAAM,aAAa,CAAC;AAErB,MAAM,WAAW,cAAc;IAC7B,UAAU,EAAE,UAAU,CAAC;IACvB,IAAI,EAAE,MAAM,CAAC;IACb,YAAY,CAAC,EAAE,UAAU,EAAE,CAAC;IAC5B,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,YAAY,CAAC,EAAE,WAAW,EAAE,CAAC;IAC7B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,gFAAgF;IAChF,YAAY,CAAC,EAAE,gBAAgB,CAAC;IAChC,sFAAsF;IACtF,YAAY,CAAC,EAAE,YAAY,CAAC;IAC5B,8EAA8E;IAC9E,IAAI,CAAC,EAAE,WAAW,CAAC;IACnB,kFAAkF;IAClF,UAAU,CAAC,EAAE,wBAAwB,CAAC;CACvC;AAED,0FAA0F;AAC1F,MAAM,WAAW,YAAY;IAC3B,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED;;;;;GAKG;AACH,wBAAgB,SAAS,CAAC,QAAQ,EAAE,YAAY,EAAE,KAAK,EAAE,cAAc,GAAG,UAAU,CAmBnF"}
|
|
@@ -0,0 +1,47 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* KYA-OS Entity Card — EMIT.
|
|
3
|
+
*
|
|
4
|
+
* `buildCard` projects this entity's identity + declared facts into a card. Pure,
|
|
5
|
+
* claim-minimal: it asserts only identity + type + declared capabilities (trust-bearing
|
|
6
|
+
* claims are proven by the referenced credentials, not minted here). `conformanceLevel`
|
|
7
|
+
* is intentionally omitted — it is a derived value a verifier recomputes.
|
|
8
|
+
*/
|
|
9
|
+
/**
|
|
10
|
+
* Build this entity's card from its identity + declared facts. Pure. Asserts only
|
|
11
|
+
* identity + type + declared capabilities (claim-minimalism — trust-bearing claims are
|
|
12
|
+
* proven by the referenced credentials, not minted here). `conformanceLevel` is
|
|
13
|
+
* intentionally omitted on emit: it is a derived value a verifier recomputes.
|
|
14
|
+
*/
|
|
15
|
+
export function buildCard(identity, facts) {
|
|
16
|
+
const card = {
|
|
17
|
+
id: identity.did,
|
|
18
|
+
entityType: facts.entityType,
|
|
19
|
+
name: facts.name,
|
|
20
|
+
};
|
|
21
|
+
if (identity.kid !== undefined)
|
|
22
|
+
card.kid = identity.kid;
|
|
23
|
+
if (identity.createdAt !== undefined)
|
|
24
|
+
card.createdAt = identity.createdAt;
|
|
25
|
+
if (facts.capabilities !== undefined)
|
|
26
|
+
card.capabilities = facts.capabilities;
|
|
27
|
+
if (facts.responsibleParty !== undefined)
|
|
28
|
+
card.responsibleParty = facts.responsibleParty;
|
|
29
|
+
if (facts.principal !== undefined)
|
|
30
|
+
card.principal = facts.principal;
|
|
31
|
+
if (facts.delegationRef !== undefined)
|
|
32
|
+
card.delegationRef = facts.delegationRef;
|
|
33
|
+
if (facts.attestations !== undefined)
|
|
34
|
+
card.attestations = facts.attestations;
|
|
35
|
+
if (facts.didDocument !== undefined)
|
|
36
|
+
card.didDocument = facts.didDocument;
|
|
37
|
+
if (facts.publicKeyJwk !== undefined)
|
|
38
|
+
card.publicKeyJwk = facts.publicKeyJwk;
|
|
39
|
+
if (facts.proofProfile !== undefined)
|
|
40
|
+
card.proofProfile = facts.proofProfile;
|
|
41
|
+
if (facts.cimd !== undefined)
|
|
42
|
+
card.cimd = facts.cimd;
|
|
43
|
+
if (facts.revocation !== undefined)
|
|
44
|
+
card.revocation = facts.revocation;
|
|
45
|
+
return card;
|
|
46
|
+
}
|
|
47
|
+
//# sourceMappingURL=build.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"build.js","sourceRoot":"","sources":["../../src/card/build.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAuCH;;;;;GAKG;AACH,MAAM,UAAU,SAAS,CAAC,QAAsB,EAAE,KAAqB;IACrE,MAAM,IAAI,GAAe;QACvB,EAAE,EAAE,QAAQ,CAAC,GAAG;QAChB,UAAU,EAAE,KAAK,CAAC,UAAU;QAC5B,IAAI,EAAE,KAAK,CAAC,IAAI;KACjB,CAAC;IACF,IAAI,QAAQ,CAAC,GAAG,KAAK,SAAS;QAAE,IAAI,CAAC,GAAG,GAAG,QAAQ,CAAC,GAAG,CAAC;IACxD,IAAI,QAAQ,CAAC,SAAS,KAAK,SAAS;QAAE,IAAI,CAAC,SAAS,GAAG,QAAQ,CAAC,SAAS,CAAC;IAC1E,IAAI,KAAK,CAAC,YAAY,KAAK,SAAS;QAAE,IAAI,CAAC,YAAY,GAAG,KAAK,CAAC,YAAY,CAAC;IAC7E,IAAI,KAAK,CAAC,gBAAgB,KAAK,SAAS;QAAE,IAAI,CAAC,gBAAgB,GAAG,KAAK,CAAC,gBAAgB,CAAC;IACzF,IAAI,KAAK,CAAC,SAAS,KAAK,SAAS;QAAE,IAAI,CAAC,SAAS,GAAG,KAAK,CAAC,SAAS,CAAC;IACpE,IAAI,KAAK,CAAC,aAAa,KAAK,SAAS;QAAE,IAAI,CAAC,aAAa,GAAG,KAAK,CAAC,aAAa,CAAC;IAChF,IAAI,KAAK,CAAC,YAAY,KAAK,SAAS;QAAE,IAAI,CAAC,YAAY,GAAG,KAAK,CAAC,YAAY,CAAC;IAC7E,IAAI,KAAK,CAAC,WAAW,KAAK,SAAS;QAAE,IAAI,CAAC,WAAW,GAAG,KAAK,CAAC,WAAW,CAAC;IAC1E,IAAI,KAAK,CAAC,YAAY,KAAK,SAAS;QAAE,IAAI,CAAC,YAAY,GAAG,KAAK,CAAC,YAAY,CAAC;IAC7E,IAAI,KAAK,CAAC,YAAY,KAAK,SAAS;QAAE,IAAI,CAAC,YAAY,GAAG,KAAK,CAAC,YAAY,CAAC;IAC7E,IAAI,KAAK,CAAC,IAAI,KAAK,SAAS;QAAE,IAAI,CAAC,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC;IACrD,IAAI,KAAK,CAAC,UAAU,KAAK,SAAS;QAAE,IAAI,CAAC,UAAU,GAAG,KAAK,CAAC,UAAU,CAAC;IACvE,OAAO,IAAI,CAAC;AACd,CAAC"}
|
|
@@ -0,0 +1,99 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* KYA-OS Entity Card — fluent BUILDER (the 10-minute adoption path).
|
|
3
|
+
*
|
|
4
|
+
* `card({ did, entityType, name })` opens a fluent chain that accumulates declared facts and
|
|
5
|
+
* `.build()`s them into an `EntityCard` — a thin, ergonomic front over {@link buildCard} that
|
|
6
|
+
* hides the card shape behind readable, self-documenting calls:
|
|
7
|
+
*
|
|
8
|
+
* card({ did, entityType: 'agent', name: 'Acme Pay' })
|
|
9
|
+
* .capability('search') // L1 bare-string capability
|
|
10
|
+
* .attestedCapability('payments.transfer', vc) // L2 attested capability (VC-backed)
|
|
11
|
+
* .accountableTo('did:web:acme.example', { via: 'vc_root>del_123' })
|
|
12
|
+
* .build();
|
|
13
|
+
*
|
|
14
|
+
* Claim-minimal like `buildCard`: it asserts only identity + type + declared capabilities +
|
|
15
|
+
* accountability locators; trust-bearing claims are PROVEN by the referenced credentials, not
|
|
16
|
+
* minted here. The infrastructure coordinates it can ALSO carry — `.usesProof()` (proof profile),
|
|
17
|
+
* `.cimd()`, `.revocation()`, `.didDocument()`, `.publicKey()` — are self-descriptive pointers, not
|
|
18
|
+
* credential-proven claims, so the ergonomic path can emit a card that plugs into the proof / CIMD /
|
|
19
|
+
* revocation machinery. `conformanceLevel` is intentionally never set — a verifier RECOMPUTES it.
|
|
20
|
+
* Pure, no I/O, no crypto: no runtime (`mcp-i-core`) dependency leaks in.
|
|
21
|
+
*/
|
|
22
|
+
import type { Attestation, BitstringStatusListEntry, CapabilityAttestation, CimdBinding, Ed25519PublicJwk, EntityCard, EntityType } from './schema.js';
|
|
23
|
+
/** A Verifiable Credential value (a compact VC-JWT string or a pre-parsed object). */
|
|
24
|
+
export type VcInput = CapabilityAttestation['vc'];
|
|
25
|
+
/** The identity + type coordinates a card chain opens with. */
|
|
26
|
+
export interface CardBuilderInit {
|
|
27
|
+
did: string;
|
|
28
|
+
entityType: EntityType;
|
|
29
|
+
name: string;
|
|
30
|
+
kid?: string;
|
|
31
|
+
createdAt?: string;
|
|
32
|
+
}
|
|
33
|
+
/** Accountability locators for `accountableTo`: the delegation chain (`via`) + human `principal`. */
|
|
34
|
+
export interface AccountableToOptions {
|
|
35
|
+
/** Compact delegation-chain locator (`delegationRef`, e.g. `vc_root>del_123`) — resolved, not inlined. */
|
|
36
|
+
via?: string;
|
|
37
|
+
/** The immediate human delegator DID (`principal`), when distinct from the responsible party. */
|
|
38
|
+
principal?: string;
|
|
39
|
+
}
|
|
40
|
+
/**
|
|
41
|
+
* A fluent accumulator over one card's declared facts. Mutable + chainable (each method returns
|
|
42
|
+
* `this`); `.build()` projects the accumulated facts through {@link buildCard}. Prefer the `card()`
|
|
43
|
+
* factory over `new CardBuilder(...)`.
|
|
44
|
+
*/
|
|
45
|
+
export declare class CardBuilder {
|
|
46
|
+
private readonly identity;
|
|
47
|
+
private readonly entityType;
|
|
48
|
+
private readonly name;
|
|
49
|
+
private readonly capabilities;
|
|
50
|
+
private readonly attestations;
|
|
51
|
+
private responsibleParty?;
|
|
52
|
+
private principal?;
|
|
53
|
+
private delegationRef?;
|
|
54
|
+
private proofProfile?;
|
|
55
|
+
private cimdBinding?;
|
|
56
|
+
private revocationEntry?;
|
|
57
|
+
private didDocumentUrl?;
|
|
58
|
+
private publicKeyJwk?;
|
|
59
|
+
constructor(init: CardBuilderInit);
|
|
60
|
+
/** Declare an L1 bare-string capability (self-asserted; a verifier floors it at L1). */
|
|
61
|
+
capability(name: string): this;
|
|
62
|
+
/**
|
|
63
|
+
* Declare an L2 capability backed by an attestation VC. Repeated calls for the SAME capability
|
|
64
|
+
* name accumulate onto its `attestations[]` (one capability, several proofs) rather than
|
|
65
|
+
* duplicating the entry.
|
|
66
|
+
*/
|
|
67
|
+
attestedCapability(name: string, vc: VcInput): this;
|
|
68
|
+
/**
|
|
69
|
+
* Attach a standalone attestation (e.g. a KYC/KYB `IdentityVerification` VC on the responsible
|
|
70
|
+
* party) that is not tied to a single capability.
|
|
71
|
+
*/
|
|
72
|
+
attestation(attestation: Attestation): this;
|
|
73
|
+
/**
|
|
74
|
+
* Declare the accountability edge: `responsibleParty` is the ultimately-accountable root (a
|
|
75
|
+
* KYC-able org), `opts.via` the compact `delegationRef` chain locator, and `opts.principal` the
|
|
76
|
+
* immediate human delegator. A verifier RECOMPUTES this edge (delegationRef → responsibleParty).
|
|
77
|
+
*/
|
|
78
|
+
accountableTo(responsibleParty: string, opts?: AccountableToOptions): this;
|
|
79
|
+
/**
|
|
80
|
+
* Advertise the per-request holder-of-key proof profile (`org.kya-os/proof@1`). This only NAMES
|
|
81
|
+
* the profile — the proof itself is never on the static card; it rides per-request `_meta`.
|
|
82
|
+
*/
|
|
83
|
+
usesProof(): this;
|
|
84
|
+
/** Bind the L1 CIMD on-ramp coordinates (`client_id` ⇄ `did:web`, `jwks_uri` ⇄ DID keys). */
|
|
85
|
+
cimd(binding: CimdBinding): this;
|
|
86
|
+
/** Attach the W3C Bitstring Status List revocation entry (the post-issuance kill switch). */
|
|
87
|
+
revocation(entry: BitstringStatusListEntry): this;
|
|
88
|
+
/** Record the entity's DID document URL (where the `KyaOsEntityCard` service entry lives). */
|
|
89
|
+
didDocument(url: string): this;
|
|
90
|
+
/** Inline the entity's Ed25519 public JWK (the card's self-contained verification key). */
|
|
91
|
+
publicKey(jwk: Ed25519PublicJwk): this;
|
|
92
|
+
/** Project the accumulated facts into an `EntityCard` (via {@link buildCard}). */
|
|
93
|
+
build(): EntityCard;
|
|
94
|
+
/** Find an already-declared attested capability by name (for attestation accumulation). */
|
|
95
|
+
private findAttested;
|
|
96
|
+
}
|
|
97
|
+
/** Open a fluent card-building chain (the ergonomic entry point). */
|
|
98
|
+
export declare function card(init: CardBuilderInit): CardBuilder;
|
|
99
|
+
//# sourceMappingURL=builder.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"builder.d.ts","sourceRoot":"","sources":["../../src/card/builder.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAIH,OAAO,KAAK,EACV,WAAW,EACX,wBAAwB,EAExB,qBAAqB,EACrB,WAAW,EACX,gBAAgB,EAChB,UAAU,EACV,UAAU,EAGX,MAAM,aAAa,CAAC;AAKrB,sFAAsF;AACtF,MAAM,MAAM,OAAO,GAAG,qBAAqB,CAAC,IAAI,CAAC,CAAC;AAElD,+DAA+D;AAC/D,MAAM,WAAW,eAAe;IAC9B,GAAG,EAAE,MAAM,CAAC;IACZ,UAAU,EAAE,UAAU,CAAC;IACvB,IAAI,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,qGAAqG;AACrG,MAAM,WAAW,oBAAoB;IACnC,0GAA0G;IAC1G,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,iGAAiG;IACjG,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED;;;;GAIG;AACH,qBAAa,WAAW;IACtB,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAe;IACxC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAa;IACxC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAS;IAC9B,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAoB;IACjD,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAqB;IAClD,OAAO,CAAC,gBAAgB,CAAC,CAAS;IAClC,OAAO,CAAC,SAAS,CAAC,CAAS;IAC3B,OAAO,CAAC,aAAa,CAAC,CAAS;IAC/B,OAAO,CAAC,YAAY,CAAC,CAAe;IACpC,OAAO,CAAC,WAAW,CAAC,CAAc;IAClC,OAAO,CAAC,eAAe,CAAC,CAA2B;IACnD,OAAO,CAAC,cAAc,CAAC,CAAS;IAChC,OAAO,CAAC,YAAY,CAAC,CAAmB;gBAE5B,IAAI,EAAE,eAAe;IAQjC,wFAAwF;IACxF,UAAU,CAAC,IAAI,EAAE,MAAM,GAAG,IAAI;IAK9B;;;;OAIG;IACH,kBAAkB,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,OAAO,GAAG,IAAI;IAOnD;;;OAGG;IACH,WAAW,CAAC,WAAW,EAAE,WAAW,GAAG,IAAI;IAK3C;;;;OAIG;IACH,aAAa,CAAC,gBAAgB,EAAE,MAAM,EAAE,IAAI,GAAE,oBAAyB,GAAG,IAAI;IAO9E;;;OAGG;IACH,SAAS,IAAI,IAAI;IAKjB,6FAA6F;IAC7F,IAAI,CAAC,OAAO,EAAE,WAAW,GAAG,IAAI;IAKhC,6FAA6F;IAC7F,UAAU,CAAC,KAAK,EAAE,wBAAwB,GAAG,IAAI;IAKjD,8FAA8F;IAC9F,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI;IAK9B,2FAA2F;IAC3F,SAAS,CAAC,GAAG,EAAE,gBAAgB,GAAG,IAAI;IAKtC,kFAAkF;IAClF,KAAK,IAAI,UAAU;IAiBnB,2FAA2F;IAC3F,OAAO,CAAC,YAAY;CAKrB;AAED,qEAAqE;AACrE,wBAAgB,IAAI,CAAC,IAAI,EAAE,eAAe,GAAG,WAAW,CAEvD"}
|