@kya-os/mcp 1.7.0 → 1.9.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +69 -0
- package/README.md +219 -3
- package/dist/card/build.d.ts +41 -0
- package/dist/card/build.d.ts.map +1 -0
- package/dist/card/build.js +47 -0
- package/dist/card/build.js.map +1 -0
- package/dist/card/builder.d.ts +99 -0
- package/dist/card/builder.d.ts.map +1 -0
- package/dist/card/builder.js +147 -0
- package/dist/card/builder.js.map +1 -0
- package/dist/card/cimd.d.ts +92 -0
- package/dist/card/cimd.d.ts.map +1 -0
- package/dist/card/cimd.js +225 -0
- package/dist/card/cimd.js.map +1 -0
- package/dist/card/delegation.d.ts +145 -0
- package/dist/card/delegation.d.ts.map +1 -0
- package/dist/card/delegation.js +293 -0
- package/dist/card/delegation.js.map +1 -0
- package/dist/card/emit.d.ts +133 -0
- package/dist/card/emit.d.ts.map +1 -0
- package/dist/card/emit.js +127 -0
- package/dist/card/emit.js.map +1 -0
- package/dist/card/index.d.ts +43 -0
- package/dist/card/index.d.ts.map +1 -0
- package/dist/card/index.js +46 -0
- package/dist/card/index.js.map +1 -0
- package/dist/card/middleware.d.ts +112 -0
- package/dist/card/middleware.d.ts.map +1 -0
- package/dist/card/middleware.js +121 -0
- package/dist/card/middleware.js.map +1 -0
- package/dist/card/proof/build.d.ts +22 -0
- package/dist/card/proof/build.d.ts.map +1 -0
- package/dist/card/proof/build.js +55 -0
- package/dist/card/proof/build.js.map +1 -0
- package/dist/card/proof/canonical.d.ts +66 -0
- package/dist/card/proof/canonical.d.ts.map +1 -0
- package/dist/card/proof/canonical.js +131 -0
- package/dist/card/proof/canonical.js.map +1 -0
- package/dist/card/proof/http-sig.d.ts +69 -0
- package/dist/card/proof/http-sig.d.ts.map +1 -0
- package/dist/card/proof/http-sig.js +101 -0
- package/dist/card/proof/http-sig.js.map +1 -0
- package/dist/card/proof/index.d.ts +25 -0
- package/dist/card/proof/index.d.ts.map +1 -0
- package/dist/card/proof/index.js +25 -0
- package/dist/card/proof/index.js.map +1 -0
- package/dist/card/proof/nonce-cache.d.ts +67 -0
- package/dist/card/proof/nonce-cache.d.ts.map +1 -0
- package/dist/card/proof/nonce-cache.js +88 -0
- package/dist/card/proof/nonce-cache.js.map +1 -0
- package/dist/card/proof/signer.d.ts +32 -0
- package/dist/card/proof/signer.d.ts.map +1 -0
- package/dist/card/proof/signer.js +59 -0
- package/dist/card/proof/signer.js.map +1 -0
- package/dist/card/proof/types.d.ts +219 -0
- package/dist/card/proof/types.d.ts.map +1 -0
- package/dist/card/proof/types.js +87 -0
- package/dist/card/proof/types.js.map +1 -0
- package/dist/card/proof/verify.d.ts +27 -0
- package/dist/card/proof/verify.d.ts.map +1 -0
- package/dist/card/proof/verify.js +236 -0
- package/dist/card/proof/verify.js.map +1 -0
- package/dist/card/resolve.d.ts +97 -0
- package/dist/card/resolve.d.ts.map +1 -0
- package/dist/card/resolve.js +223 -0
- package/dist/card/resolve.js.map +1 -0
- package/dist/card/revocation.d.ts +96 -0
- package/dist/card/revocation.d.ts.map +1 -0
- package/dist/card/revocation.js +190 -0
- package/dist/card/revocation.js.map +1 -0
- package/dist/card/schema.d.ts +177 -0
- package/dist/card/schema.d.ts.map +1 -0
- package/dist/card/schema.js +119 -0
- package/dist/card/schema.js.map +1 -0
- package/dist/card/verify.d.ts +144 -0
- package/dist/card/verify.d.ts.map +1 -0
- package/dist/card/verify.js +132 -0
- package/dist/card/verify.js.map +1 -0
- package/dist/delegation/bitstring.d.ts +9 -7
- package/dist/delegation/bitstring.d.ts.map +1 -1
- package/dist/delegation/bitstring.js +70 -37
- package/dist/delegation/bitstring.js.map +1 -1
- package/dist/delegation/did-linkage.d.ts +23 -0
- package/dist/delegation/did-linkage.d.ts.map +1 -0
- package/dist/delegation/did-linkage.js +57 -0
- package/dist/delegation/did-linkage.js.map +1 -0
- package/dist/delegation/did-resolver-registry.d.ts +7 -0
- package/dist/delegation/did-resolver-registry.d.ts.map +1 -0
- package/dist/delegation/did-resolver-registry.js +20 -0
- package/dist/delegation/did-resolver-registry.js.map +1 -0
- package/dist/delegation/did-web-resolver.d.ts +29 -18
- package/dist/delegation/did-web-resolver.d.ts.map +1 -1
- package/dist/delegation/did-web-resolver.js +65 -35
- package/dist/delegation/did-web-resolver.js.map +1 -1
- package/dist/delegation/index.d.ts +3 -0
- package/dist/delegation/index.d.ts.map +1 -1
- package/dist/delegation/index.js +3 -0
- package/dist/delegation/index.js.map +1 -1
- package/dist/delegation/statuslist-manager.d.ts.map +1 -1
- package/dist/delegation/statuslist-manager.js +16 -1
- package/dist/delegation/statuslist-manager.js.map +1 -1
- package/dist/delegation/vc-jwt-verify.d.ts +61 -0
- package/dist/delegation/vc-jwt-verify.d.ts.map +1 -0
- package/dist/delegation/vc-jwt-verify.js +131 -0
- package/dist/delegation/vc-jwt-verify.js.map +1 -0
- package/dist/delegation/vc-verification-checks.d.ts +50 -0
- package/dist/delegation/vc-verification-checks.d.ts.map +1 -0
- package/dist/delegation/vc-verification-checks.js +212 -0
- package/dist/delegation/vc-verification-checks.js.map +1 -0
- package/dist/delegation/vc-verifier.d.ts +24 -61
- package/dist/delegation/vc-verifier.d.ts.map +1 -1
- package/dist/delegation/vc-verifier.js +57 -180
- package/dist/delegation/vc-verifier.js.map +1 -1
- package/dist/delegation/vc-verifier.types.d.ts +88 -0
- package/dist/delegation/vc-verifier.types.d.ts.map +1 -0
- package/dist/delegation/vc-verifier.types.js +9 -0
- package/dist/delegation/vc-verifier.types.js.map +1 -0
- package/dist/index.d.ts +3 -1
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +2 -0
- package/dist/index.js.map +1 -1
- package/dist/integrations/cheqd/dlr.d.ts +44 -0
- package/dist/integrations/cheqd/dlr.d.ts.map +1 -0
- package/dist/integrations/cheqd/dlr.js +86 -0
- package/dist/integrations/cheqd/dlr.js.map +1 -0
- package/dist/integrations/cheqd/index.d.ts +5 -0
- package/dist/integrations/cheqd/index.d.ts.map +1 -0
- package/dist/integrations/cheqd/index.js +5 -0
- package/dist/integrations/cheqd/index.js.map +1 -0
- package/dist/integrations/cheqd/linkage.d.ts +20 -0
- package/dist/integrations/cheqd/linkage.d.ts.map +1 -0
- package/dist/integrations/cheqd/linkage.js +32 -0
- package/dist/integrations/cheqd/linkage.js.map +1 -0
- package/dist/integrations/cheqd/registrar.d.ts +85 -0
- package/dist/integrations/cheqd/registrar.d.ts.map +1 -0
- package/dist/integrations/cheqd/registrar.js +304 -0
- package/dist/integrations/cheqd/registrar.js.map +1 -0
- package/dist/integrations/cheqd/resolver.d.ts +38 -0
- package/dist/integrations/cheqd/resolver.d.ts.map +1 -0
- package/dist/integrations/cheqd/resolver.js +156 -0
- package/dist/integrations/cheqd/resolver.js.map +1 -0
- package/dist/middleware/index.d.ts +2 -0
- package/dist/middleware/index.d.ts.map +1 -1
- package/dist/middleware/index.js +5 -0
- package/dist/middleware/index.js.map +1 -1
- package/dist/middleware/with-kya-os.config-types.d.ts +139 -0
- package/dist/middleware/with-kya-os.config-types.d.ts.map +1 -0
- package/dist/middleware/with-kya-os.config-types.js +9 -0
- package/dist/middleware/with-kya-os.config-types.js.map +1 -0
- package/dist/middleware/with-kya-os.d.ts +3 -267
- package/dist/middleware/with-kya-os.d.ts.map +1 -1
- package/dist/middleware/with-kya-os.delegation-gate.d.ts +19 -0
- package/dist/middleware/with-kya-os.delegation-gate.d.ts.map +1 -0
- package/dist/middleware/with-kya-os.delegation-gate.js +175 -0
- package/dist/middleware/with-kya-os.delegation-gate.js.map +1 -0
- package/dist/middleware/with-kya-os.delegation-verify.d.ts +51 -0
- package/dist/middleware/with-kya-os.delegation-verify.d.ts.map +1 -0
- package/dist/middleware/with-kya-os.delegation-verify.js +165 -0
- package/dist/middleware/with-kya-os.delegation-verify.js.map +1 -0
- package/dist/middleware/with-kya-os.deps.d.ts +40 -0
- package/dist/middleware/with-kya-os.deps.d.ts.map +1 -0
- package/dist/middleware/with-kya-os.deps.js +9 -0
- package/dist/middleware/with-kya-os.deps.js.map +1 -0
- package/dist/middleware/with-kya-os.grants.d.ts +30 -0
- package/dist/middleware/with-kya-os.grants.d.ts.map +1 -0
- package/dist/middleware/with-kya-os.grants.js +145 -0
- package/dist/middleware/with-kya-os.grants.js.map +1 -0
- package/dist/middleware/with-kya-os.helpers.d.ts +24 -0
- package/dist/middleware/with-kya-os.helpers.d.ts.map +1 -0
- package/dist/middleware/with-kya-os.helpers.js +57 -0
- package/dist/middleware/with-kya-os.helpers.js.map +1 -0
- package/dist/middleware/with-kya-os.js +45 -891
- package/dist/middleware/with-kya-os.js.map +1 -1
- package/dist/middleware/with-kya-os.policy-gate.d.ts +16 -0
- package/dist/middleware/with-kya-os.policy-gate.d.ts.map +1 -0
- package/dist/middleware/with-kya-os.policy-gate.js +98 -0
- package/dist/middleware/with-kya-os.policy-gate.js.map +1 -0
- package/dist/middleware/with-kya-os.protocol.d.ts +29 -0
- package/dist/middleware/with-kya-os.protocol.d.ts.map +1 -0
- package/dist/middleware/with-kya-os.protocol.js +121 -0
- package/dist/middleware/with-kya-os.protocol.js.map +1 -0
- package/dist/middleware/with-kya-os.session.d.ts +32 -0
- package/dist/middleware/with-kya-os.session.d.ts.map +1 -0
- package/dist/middleware/with-kya-os.session.js +201 -0
- package/dist/middleware/with-kya-os.session.js.map +1 -0
- package/dist/middleware/with-kya-os.types.d.ts +178 -0
- package/dist/middleware/with-kya-os.types.d.ts.map +1 -0
- package/dist/middleware/with-kya-os.types.js +13 -0
- package/dist/middleware/with-kya-os.types.js.map +1 -0
- package/dist/providers/runtime-fetch.d.ts +8 -0
- package/dist/providers/runtime-fetch.d.ts.map +1 -1
- package/dist/providers/runtime-fetch.js +17 -0
- package/dist/providers/runtime-fetch.js.map +1 -1
- package/dist/providers/web-crypto.d.ts.map +1 -1
- package/dist/providers/web-crypto.js +15 -7
- package/dist/providers/web-crypto.js.map +1 -1
- package/dist/utils/guards.d.ts +2 -0
- package/dist/utils/guards.d.ts.map +1 -0
- package/dist/utils/guards.js +4 -0
- package/dist/utils/guards.js.map +1 -0
- package/dist/utils/index.d.ts +3 -0
- package/dist/utils/index.d.ts.map +1 -1
- package/dist/utils/index.js +3 -0
- package/dist/utils/index.js.map +1 -1
- package/dist/utils/ip-classifier.d.ts +12 -0
- package/dist/utils/ip-classifier.d.ts.map +1 -0
- package/dist/utils/ip-classifier.js +153 -0
- package/dist/utils/ip-classifier.js.map +1 -0
- package/dist/utils/safe-fetch-transports.d.ts +40 -0
- package/dist/utils/safe-fetch-transports.d.ts.map +1 -0
- package/dist/utils/safe-fetch-transports.js +121 -0
- package/dist/utils/safe-fetch-transports.js.map +1 -0
- package/dist/utils/safe-fetch-types.d.ts +66 -0
- package/dist/utils/safe-fetch-types.d.ts.map +1 -0
- package/dist/utils/safe-fetch-types.js +10 -0
- package/dist/utils/safe-fetch-types.js.map +1 -0
- package/dist/utils/safe-fetch.d.ts +40 -0
- package/dist/utils/safe-fetch.d.ts.map +1 -0
- package/dist/utils/safe-fetch.js +188 -0
- package/dist/utils/safe-fetch.js.map +1 -0
- package/dist/utils/statuslist-purpose.d.ts +12 -0
- package/dist/utils/statuslist-purpose.d.ts.map +1 -0
- package/dist/utils/statuslist-purpose.js +19 -0
- package/dist/utils/statuslist-purpose.js.map +1 -0
- package/dist/utils/url.d.ts +2 -0
- package/dist/utils/url.d.ts.map +1 -0
- package/dist/utils/url.js +8 -0
- package/dist/utils/url.js.map +1 -0
- package/package.json +25 -5
- package/schemas/README.md +2 -1
- package/schemas/card-delegation-credential.json +239 -0
- package/schemas/kya-os-card.schema.json +284 -0
|
@@ -0,0 +1,165 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* KYA-OS Middleware — delegation verification plumbing.
|
|
3
|
+
*
|
|
4
|
+
* Builds the DID resolver, the embedded-proof signature verifier, the
|
|
5
|
+
* `DelegationCredentialVerifier`, and the framework-agnostic chain-validation
|
|
6
|
+
* adapter (chain-enforcement.ts) once per middleware instance. Extracted from
|
|
7
|
+
* `wrapWithDelegation` so the gate module holds only the request flow.
|
|
8
|
+
*/
|
|
9
|
+
import { createDidKeyResolver } from "../delegation/did-key-resolver.js";
|
|
10
|
+
import { createDidWebResolver } from "../delegation/did-web-resolver.js";
|
|
11
|
+
import { buildDidResolverRegistry, } from "../delegation/did-resolver-registry.js";
|
|
12
|
+
import { getDidMethod } from "../utils/did-helpers.js";
|
|
13
|
+
import { DelegationCredentialVerifier, } from "../delegation/vc-verifier.js";
|
|
14
|
+
import { validateDelegationChain as validateDelegationChainCore } from "../delegation/chain-enforcement.js";
|
|
15
|
+
import { RuntimeFetchProvider } from "../providers/runtime-fetch.js";
|
|
16
|
+
import { canonicalizeJSON } from "../delegation/utils.js";
|
|
17
|
+
import { base64urlDecodeToBytes, bytesToBase64 } from "../utils/base64.js";
|
|
18
|
+
import { createNeedsAuthorizationError, } from "../types/protocol.js";
|
|
19
|
+
import { logger } from "../logging/index.js";
|
|
20
|
+
import { sanitizeForMessage } from "./with-kya-os.helpers.js";
|
|
21
|
+
export function createDelegationVerification(deps) {
|
|
22
|
+
const { identity, cryptoProvider, delegationConfig } = deps;
|
|
23
|
+
const didKeyResolver = createDidKeyResolver();
|
|
24
|
+
const fetchProvider = delegationConfig?.fetchProvider ??
|
|
25
|
+
(typeof globalThis.fetch === "function"
|
|
26
|
+
? new RuntimeFetchProvider()
|
|
27
|
+
: undefined);
|
|
28
|
+
const didWebResolver = fetchProvider
|
|
29
|
+
? createDidWebResolver(fetchProvider)
|
|
30
|
+
: undefined;
|
|
31
|
+
const configuredDidResolvers = buildDidResolverRegistry(delegationConfig?.didResolvers, fetchProvider);
|
|
32
|
+
const didResolver = {
|
|
33
|
+
async resolve(did) {
|
|
34
|
+
const customResolver = delegationConfig?.didResolver;
|
|
35
|
+
if (customResolver) {
|
|
36
|
+
const resolved = await customResolver.resolve(did);
|
|
37
|
+
if (resolved) {
|
|
38
|
+
return resolved;
|
|
39
|
+
}
|
|
40
|
+
}
|
|
41
|
+
const method = getDidMethod(did);
|
|
42
|
+
const configuredResolver = method ? configuredDidResolvers[method] : undefined;
|
|
43
|
+
if (configuredResolver) {
|
|
44
|
+
try {
|
|
45
|
+
const resolved = await configuredResolver.resolve(did);
|
|
46
|
+
if (resolved) {
|
|
47
|
+
return resolved;
|
|
48
|
+
}
|
|
49
|
+
}
|
|
50
|
+
catch {
|
|
51
|
+
return null;
|
|
52
|
+
}
|
|
53
|
+
}
|
|
54
|
+
if (did.startsWith("did:key:")) {
|
|
55
|
+
return didKeyResolver.resolve(did);
|
|
56
|
+
}
|
|
57
|
+
if (did.startsWith("did:web:")) {
|
|
58
|
+
return didWebResolver?.resolve(did) ?? null;
|
|
59
|
+
}
|
|
60
|
+
return null;
|
|
61
|
+
},
|
|
62
|
+
};
|
|
63
|
+
const signatureVerifier = async (vc, publicKeyJwk) => {
|
|
64
|
+
const proof = vc.proof;
|
|
65
|
+
if (!proof) {
|
|
66
|
+
return { valid: false, reason: "Missing proof" };
|
|
67
|
+
}
|
|
68
|
+
const proofValue = proof["proofValue"];
|
|
69
|
+
if (!proofValue) {
|
|
70
|
+
return { valid: false, reason: "Missing proofValue in proof" };
|
|
71
|
+
}
|
|
72
|
+
// Reconstruct the unsigned VC (without proof) for signature verification
|
|
73
|
+
const vcRecord = vc;
|
|
74
|
+
const vcWithoutProof = {};
|
|
75
|
+
for (const [k, v] of Object.entries(vcRecord)) {
|
|
76
|
+
if (k !== "proof")
|
|
77
|
+
vcWithoutProof[k] = v;
|
|
78
|
+
}
|
|
79
|
+
const canonical = canonicalizeJSON(vcWithoutProof);
|
|
80
|
+
const data = new TextEncoder().encode(canonical);
|
|
81
|
+
// Decode signature from base64url proof value
|
|
82
|
+
const sigBytes = base64urlDecodeToBytes(proofValue);
|
|
83
|
+
// Get public key from JWK (x is base64url-encoded raw key bytes)
|
|
84
|
+
const jwk = publicKeyJwk;
|
|
85
|
+
if (!jwk.x) {
|
|
86
|
+
return { valid: false, reason: "No x field in publicKeyJwk" };
|
|
87
|
+
}
|
|
88
|
+
// Convert base64url key to standard base64 for the crypto provider
|
|
89
|
+
const pubKeyBytes = base64urlDecodeToBytes(jwk.x);
|
|
90
|
+
const pubKeyBase64 = bytesToBase64(pubKeyBytes);
|
|
91
|
+
const valid = await cryptoProvider.verify(data, sigBytes, pubKeyBase64);
|
|
92
|
+
return {
|
|
93
|
+
valid,
|
|
94
|
+
reason: valid ? undefined : "Signature verification failed",
|
|
95
|
+
};
|
|
96
|
+
};
|
|
97
|
+
const verifier = new DelegationCredentialVerifier({
|
|
98
|
+
didResolver,
|
|
99
|
+
signatureVerifier,
|
|
100
|
+
statusListResolver: delegationConfig?.statusListResolver,
|
|
101
|
+
});
|
|
102
|
+
const buildDelegationErrorResponse = (error, reason) => ({
|
|
103
|
+
content: [
|
|
104
|
+
{
|
|
105
|
+
type: "text",
|
|
106
|
+
text: JSON.stringify({ error, reason: sanitizeForMessage(reason) }),
|
|
107
|
+
},
|
|
108
|
+
],
|
|
109
|
+
isError: true,
|
|
110
|
+
});
|
|
111
|
+
const validateDelegationChain = (leafCredential, options) => validateDelegationChainCore(leafCredential, {
|
|
112
|
+
serverDid: identity.did,
|
|
113
|
+
verifier,
|
|
114
|
+
resolveDelegationChain: delegationConfig?.resolveDelegationChain,
|
|
115
|
+
statusListConfigured: !!delegationConfig?.statusListResolver,
|
|
116
|
+
revocationChecker: delegationConfig?.revocationChecker,
|
|
117
|
+
}, options);
|
|
118
|
+
async function buildNeedsAuthorizationChallenge(toolName, config) {
|
|
119
|
+
const tokenBytes = await cryptoProvider.randomBytes(16);
|
|
120
|
+
const hex = Array.from(tokenBytes)
|
|
121
|
+
.map((b) => b.toString(16).padStart(2, "0"))
|
|
122
|
+
.join("");
|
|
123
|
+
const resumeToken = [
|
|
124
|
+
hex.slice(0, 8),
|
|
125
|
+
hex.slice(8, 12),
|
|
126
|
+
hex.slice(12, 16),
|
|
127
|
+
hex.slice(16, 20),
|
|
128
|
+
hex.slice(20),
|
|
129
|
+
].join("-");
|
|
130
|
+
const expiresAt = Math.floor(Date.now() / 1000) + 300;
|
|
131
|
+
const authError = createNeedsAuthorizationError({
|
|
132
|
+
message: `Tool "${toolName}" requires delegation with scope: ${config.scopeId}`,
|
|
133
|
+
authorizationUrl: config.consentUrl,
|
|
134
|
+
resumeToken,
|
|
135
|
+
expiresAt,
|
|
136
|
+
scopes: [config.scopeId],
|
|
137
|
+
});
|
|
138
|
+
// config.formatChallenge lets a server render the challenge (e.g. a markdown
|
|
139
|
+
// link for LLM clients) BEFORE it is signed, so the proof binds exactly what
|
|
140
|
+
// the client receives. A throwing hook falls back to the default challenge.
|
|
141
|
+
const defaultChallengeContent = [
|
|
142
|
+
{ type: "text", text: JSON.stringify(authError) },
|
|
143
|
+
];
|
|
144
|
+
let challengeContent = defaultChallengeContent;
|
|
145
|
+
if (config.formatChallenge) {
|
|
146
|
+
try {
|
|
147
|
+
challengeContent = config.formatChallenge(authError);
|
|
148
|
+
}
|
|
149
|
+
catch (error) {
|
|
150
|
+
logger.error("[kya-os] formatChallenge threw; using the default challenge", {
|
|
151
|
+
tool: toolName,
|
|
152
|
+
error: error instanceof Error ? error.message : String(error),
|
|
153
|
+
});
|
|
154
|
+
challengeContent = defaultChallengeContent;
|
|
155
|
+
}
|
|
156
|
+
}
|
|
157
|
+
return { challengeContent, message: authError.message };
|
|
158
|
+
}
|
|
159
|
+
return {
|
|
160
|
+
validateDelegationChain,
|
|
161
|
+
buildDelegationErrorResponse,
|
|
162
|
+
buildNeedsAuthorizationChallenge,
|
|
163
|
+
};
|
|
164
|
+
}
|
|
165
|
+
//# sourceMappingURL=with-kya-os.delegation-verify.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"with-kya-os.delegation-verify.js","sourceRoot":"","sources":["../../src/middleware/with-kya-os.delegation-verify.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,oBAAoB,EAAE,MAAM,mCAAmC,CAAC;AACzE,OAAO,EAAE,oBAAoB,EAAE,MAAM,mCAAmC,CAAC;AACzE,OAAO,EACL,wBAAwB,GACzB,MAAM,wCAAwC,CAAC;AAChD,OAAO,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AACvD,OAAO,EACL,4BAA4B,GAG7B,MAAM,8BAA8B,CAAC;AACtC,OAAO,EAAE,uBAAuB,IAAI,2BAA2B,EAAE,MAAM,oCAAoC,CAAC;AAC5G,OAAO,EAAE,oBAAoB,EAAE,MAAM,+BAA+B,CAAC;AACrE,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAC1D,OAAO,EAAE,sBAAsB,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAC3E,OAAO,EACL,6BAA6B,GAG9B,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAC;AAG7C,OAAO,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAC;AA0C9D,MAAM,UAAU,4BAA4B,CAC1C,IAAoB;IAEpB,MAAM,EAAE,QAAQ,EAAE,cAAc,EAAE,gBAAgB,EAAE,GAAG,IAAI,CAAC;IAE5D,MAAM,cAAc,GAAG,oBAAoB,EAAE,CAAC;IAC9C,MAAM,aAAa,GACjB,gBAAgB,EAAE,aAAa;QAC/B,CAAC,OAAO,UAAU,CAAC,KAAK,KAAK,UAAU;YACrC,CAAC,CAAC,IAAI,oBAAoB,EAAE;YAC5B,CAAC,CAAC,SAAS,CAAC,CAAC;IACjB,MAAM,cAAc,GAAG,aAAa;QAClC,CAAC,CAAC,oBAAoB,CAAC,aAAa,CAAC;QACrC,CAAC,CAAC,SAAS,CAAC;IACd,MAAM,sBAAsB,GAAG,wBAAwB,CACrD,gBAAgB,EAAE,YAAY,EAC9B,aAAa,CACd,CAAC;IACF,MAAM,WAAW,GAAgB;QAC/B,KAAK,CAAC,OAAO,CAAC,GAAW;YACvB,MAAM,cAAc,GAAG,gBAAgB,EAAE,WAAW,CAAC;YACrD,IAAI,cAAc,EAAE,CAAC;gBACnB,MAAM,QAAQ,GAAG,MAAM,cAAc,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;gBACnD,IAAI,QAAQ,EAAE,CAAC;oBACb,OAAO,QAAQ,CAAC;gBAClB,CAAC;YACH,CAAC;YAED,MAAM,MAAM,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC;YACjC,MAAM,kBAAkB,GAAG,MAAM,CAAC,CAAC,CAAC,sBAAsB,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;YAC/E,IAAI,kBAAkB,EAAE,CAAC;gBACvB,IAAI,CAAC;oBACH,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;oBACvD,IAAI,QAAQ,EAAE,CAAC;wBACb,OAAO,QAAQ,CAAC;oBAClB,CAAC;gBACH,CAAC;gBAAC,MAAM,CAAC;oBACP,OAAO,IAAI,CAAC;gBACd,CAAC;YACH,CAAC;YAED,IAAI,GAAG,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;gBAC/B,OAAO,cAAc,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;YACrC,CAAC;YAED,IAAI,GAAG,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;gBAC/B,OAAO,cAAc,EAAE,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC;YAC9C,CAAC;YAED,OAAO,IAAI,CAAC;QACd,CAAC;KACF,CAAC;IAEF,MAAM,iBAAiB,GAAkC,KAAK,EAC5D,EAAwB,EACxB,YAAqB,EACyB,EAAE;QAChD,MAAM,KAAK,GAAG,EAAE,CAAC,KAAK,CAAC;QACvB,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;QACnD,CAAC;QAED,MAAM,UAAU,GAAG,KAAK,CAAC,YAAY,CAAuB,CAAC;QAC7D,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,6BAA6B,EAAE,CAAC;QACjE,CAAC;QAED,yEAAyE;QACzE,MAAM,QAAQ,GAAG,EAA6B,CAAC;QAC/C,MAAM,cAAc,GAA4B,EAAE,CAAC;QACnD,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC9C,IAAI,CAAC,KAAK,OAAO;gBAAE,cAAc,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;QAC3C,CAAC;QACD,MAAM,SAAS,GAAG,gBAAgB,CAAC,cAAc,CAAC,CAAC;QACnD,MAAM,IAAI,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAEjD,8CAA8C;QAC9C,MAAM,QAAQ,GAAG,sBAAsB,CAAC,UAAU,CAAC,CAAC;QAEpD,iEAAiE;QACjE,MAAM,GAAG,GAAG,YAA8B,CAAC;QAC3C,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;YACX,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,4BAA4B,EAAE,CAAC;QAChE,CAAC;QAED,mEAAmE;QACnE,MAAM,WAAW,GAAG,sBAAsB,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QAClD,MAAM,YAAY,GAAG,aAAa,CAAC,WAAW,CAAC,CAAC;QAEhD,MAAM,KAAK,GAAG,MAAM,cAAc,CAAC,MAAM,CAAC,IAAI,EAAE,QAAQ,EAAE,YAAY,CAAC,CAAC;QACxE,OAAO;YACL,KAAK;YACL,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,+BAA+B;SAC5D,CAAC;IACJ,CAAC,CAAC;IAEF,MAAM,QAAQ,GAAG,IAAI,4BAA4B,CAAC;QAChD,WAAW;QACX,iBAAiB;QACjB,kBAAkB,EAAE,gBAAgB,EAAE,kBAAkB;KACzD,CAAC,CAAC;IAEH,MAAM,4BAA4B,GAAG,CACnC,KAAa,EACb,MAAc,EACyB,EAAE,CAAC,CAAC;QAC3C,OAAO,EAAE;YACP;gBACE,IAAI,EAAE,MAAe;gBACrB,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,MAAM,EAAE,kBAAkB,CAAC,MAAM,CAAC,EAAE,CAAC;aACpE;SACF;QACD,OAAO,EAAE,IAAI;KACd,CAAC,CAAC;IAEH,MAAM,uBAAuB,GAAG,CAC9B,cAAoC,EACpC,OAAqC,EACS,EAAE,CAChD,2BAA2B,CACzB,cAAc,EACd;QACE,SAAS,EAAE,QAAQ,CAAC,GAAG;QACvB,QAAQ;QACR,sBAAsB,EAAE,gBAAgB,EAAE,sBAAsB;QAChE,oBAAoB,EAAE,CAAC,CAAC,gBAAgB,EAAE,kBAAkB;QAC5D,iBAAiB,EAAE,gBAAgB,EAAE,iBAAiB;KACvD,EACD,OAAO,CACR,CAAC;IAEJ,KAAK,UAAU,gCAAgC,CAC7C,QAAgB,EAChB,MAA4B;QAK5B,MAAM,UAAU,GAAG,MAAM,cAAc,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;QACxD,MAAM,GAAG,GAAG,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC;aAC/B,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;aAC3C,IAAI,CAAC,EAAE,CAAC,CAAC;QACZ,MAAM,WAAW,GAAG;YAClB,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC;YACf,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;YAChB,GAAG,CAAC,KAAK,CAAC,EAAE,EAAE,EAAE,CAAC;YACjB,GAAG,CAAC,KAAK,CAAC,EAAE,EAAE,EAAE,CAAC;YACjB,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;SACd,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACZ,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,GAAG,CAAC;QAEtD,MAAM,SAAS,GAAG,6BAA6B,CAAC;YAC9C,OAAO,EAAE,SAAS,QAAQ,qCAAqC,MAAM,CAAC,OAAO,EAAE;YAC/E,gBAAgB,EAAE,MAAM,CAAC,UAAU;YACnC,WAAW;YACX,SAAS;YACT,MAAM,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC;SACzB,CAAC,CAAC;QAEH,6EAA6E;QAC7E,6EAA6E;QAC7E,4EAA4E;QAC5E,MAAM,uBAAuB,GAAG;YAC9B,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,EAAE;SAC3D,CAAC;QACF,IAAI,gBAAgB,GAAG,uBAAuB,CAAC;QAC/C,IAAI,MAAM,CAAC,eAAe,EAAE,CAAC;YAC3B,IAAI,CAAC;gBACH,gBAAgB,GAAG,MAAM,CAAC,eAAe,CAAC,SAAS,CAAC,CAAC;YACvD,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,MAAM,CAAC,KAAK,CAAC,6DAA6D,EAAE;oBAC1E,IAAI,EAAE,QAAQ;oBACd,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;iBAC9D,CAAC,CAAC;gBACH,gBAAgB,GAAG,uBAAuB,CAAC;YAC7C,CAAC;QACH,CAAC;QACD,OAAO,EAAE,gBAAgB,EAAE,OAAO,EAAE,SAAS,CAAC,OAAO,EAAE,CAAC;IAC1D,CAAC;IAED,OAAO;QACL,uBAAuB;QACvB,4BAA4B;QAC5B,gCAAgC;KACjC,CAAC;AACJ,CAAC"}
|
|
@@ -0,0 +1,40 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* KYA-OS Middleware — the internal dependency bag.
|
|
3
|
+
*
|
|
4
|
+
* `createKyaOsMiddleware` constructs these collaborators once and threads this
|
|
5
|
+
* bag into each sub-factory (session/proof, grant-resolution, delegation-gate,
|
|
6
|
+
* policy-gate). Internal to the middleware package — not part of the public API.
|
|
7
|
+
*/
|
|
8
|
+
import type { CryptoProvider } from "../providers/base.js";
|
|
9
|
+
import type { AuditLogProvider } from "../providers/audit-log.js";
|
|
10
|
+
import type { GrantStore } from "../providers/grant-store.js";
|
|
11
|
+
import type { SessionManager } from "../session/manager.js";
|
|
12
|
+
import type { ProofGenerator, ProofAgentIdentity } from "../proof/generator.js";
|
|
13
|
+
import type { ProofVerifier } from "../proof/verifier.js";
|
|
14
|
+
import type { KyaOsConfig, KyaOsDelegationConfig, KyaOsToolHandler } from "./with-kya-os.types.js";
|
|
15
|
+
/**
|
|
16
|
+
* Attach a signed proof recording an authorization OUTCOME (denied / step-up /
|
|
17
|
+
* needs-authorization) to a response. Provided by the session/proof sub-factory
|
|
18
|
+
* and consumed by the delegation- and policy-gate sub-factories, so it is typed
|
|
19
|
+
* here as the shared internal contract between them.
|
|
20
|
+
*/
|
|
21
|
+
export type AttachOutcomeProof = (response: Awaited<ReturnType<KyaOsToolHandler>>, toolName: string, args: Record<string, unknown>, sessionId: string | undefined, reason: string, outcome?: "denied" | "step_up_required" | "needs_authorization", paramsOverride?: Record<string, unknown>, responseData?: unknown) => Promise<Awaited<ReturnType<KyaOsToolHandler>>>;
|
|
22
|
+
/** The constructed dependencies shared across the middleware sub-factories. */
|
|
23
|
+
export interface MiddlewareDeps {
|
|
24
|
+
/** Proof-generation identity (DID + key material). */
|
|
25
|
+
identity: ProofAgentIdentity;
|
|
26
|
+
/** The full user config (for `identity.agentName`, `autoSession`, …). */
|
|
27
|
+
config: KyaOsConfig;
|
|
28
|
+
cryptoProvider: CryptoProvider;
|
|
29
|
+
sessionManager: SessionManager;
|
|
30
|
+
proofGenerator: ProofGenerator;
|
|
31
|
+
auditLog: AuditLogProvider;
|
|
32
|
+
grantStore: GrantStore;
|
|
33
|
+
delegationConfig: KyaOsDelegationConfig | undefined;
|
|
34
|
+
holderBindingMode: "off" | "warn" | "enforce";
|
|
35
|
+
/** Present iff holder binding is enabled; the inbound per-request proof verifier. */
|
|
36
|
+
holderBindingVerifier: ProofVerifier | undefined;
|
|
37
|
+
/** Mirror the proof under the legacy bare `_meta.proof` key (pre-1.1 back-compat). */
|
|
38
|
+
emitLegacyProofKey: boolean;
|
|
39
|
+
}
|
|
40
|
+
//# sourceMappingURL=with-kya-os.deps.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"with-kya-os.deps.d.ts","sourceRoot":"","sources":["../../src/middleware/with-kya-os.deps.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAC3D,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,2BAA2B,CAAC;AAClE,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AAC9D,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAC5D,OAAO,KAAK,EAAE,cAAc,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AAChF,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAC1D,OAAO,KAAK,EACV,WAAW,EACX,qBAAqB,EACrB,gBAAgB,EACjB,MAAM,wBAAwB,CAAC;AAEhC;;;;;GAKG;AACH,MAAM,MAAM,kBAAkB,GAAG,CAC/B,QAAQ,EAAE,OAAO,CAAC,UAAU,CAAC,gBAAgB,CAAC,CAAC,EAC/C,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC7B,SAAS,EAAE,MAAM,GAAG,SAAS,EAC7B,MAAM,EAAE,MAAM,EACd,OAAO,CAAC,EAAE,QAAQ,GAAG,kBAAkB,GAAG,qBAAqB,EAC/D,cAAc,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACxC,YAAY,CAAC,EAAE,OAAO,KACnB,OAAO,CAAC,OAAO,CAAC,UAAU,CAAC,gBAAgB,CAAC,CAAC,CAAC,CAAC;AAEpD,+EAA+E;AAC/E,MAAM,WAAW,cAAc;IAC7B,sDAAsD;IACtD,QAAQ,EAAE,kBAAkB,CAAC;IAC7B,yEAAyE;IACzE,MAAM,EAAE,WAAW,CAAC;IACpB,cAAc,EAAE,cAAc,CAAC;IAC/B,cAAc,EAAE,cAAc,CAAC;IAC/B,cAAc,EAAE,cAAc,CAAC;IAC/B,QAAQ,EAAE,gBAAgB,CAAC;IAC3B,UAAU,EAAE,UAAU,CAAC;IACvB,gBAAgB,EAAE,qBAAqB,GAAG,SAAS,CAAC;IACpD,iBAAiB,EAAE,KAAK,GAAG,MAAM,GAAG,SAAS,CAAC;IAC9C,qFAAqF;IACrF,qBAAqB,EAAE,aAAa,GAAG,SAAS,CAAC;IACjD,sFAAsF;IACtF,kBAAkB,EAAE,OAAO,CAAC;CAC7B"}
|
|
@@ -0,0 +1,9 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* KYA-OS Middleware — the internal dependency bag.
|
|
3
|
+
*
|
|
4
|
+
* `createKyaOsMiddleware` constructs these collaborators once and threads this
|
|
5
|
+
* bag into each sub-factory (session/proof, grant-resolution, delegation-gate,
|
|
6
|
+
* policy-gate). Internal to the middleware package — not part of the public API.
|
|
7
|
+
*/
|
|
8
|
+
export {};
|
|
9
|
+
//# sourceMappingURL=with-kya-os.deps.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"with-kya-os.deps.js","sourceRoot":"","sources":["../../src/middleware/with-kya-os.deps.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG"}
|
|
@@ -0,0 +1,30 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* KYA-OS Middleware — durable-grant resolution (the no-paste retry).
|
|
3
|
+
*
|
|
4
|
+
* Resolves and mints agent-anchored / session-bound authorization grants so a
|
|
5
|
+
* verified delegation need not be re-pasted on the next call — even on a fresh
|
|
6
|
+
* instance with empty memory. Extracted from `./with-kya-os.ts`; depends only on
|
|
7
|
+
* the immutable {@link MiddlewareDeps} (no shared session state).
|
|
8
|
+
*/
|
|
9
|
+
import type { Grant } from "../providers/grant-store.js";
|
|
10
|
+
import type { DelegationCredential } from "../types/protocol.js";
|
|
11
|
+
import type { MiddlewareDeps } from "./with-kya-os.deps.js";
|
|
12
|
+
export interface GrantResolution {
|
|
13
|
+
/**
|
|
14
|
+
* Resolve an existing durable grant for a no-delegation (retry) call, so a
|
|
15
|
+
* fresh instance with empty memory authorizes the retry from the shared store.
|
|
16
|
+
* Fail-closed, holder-of-key first (agent-anchored, portable), then the
|
|
17
|
+
* session bearer capability. Returns undefined to fall through to the
|
|
18
|
+
* needs_authorization challenge.
|
|
19
|
+
*/
|
|
20
|
+
resolveExistingGrant(toolName: string, args: Record<string, unknown>, sessionId: string | undefined, scopeId: string): Promise<Grant | undefined>;
|
|
21
|
+
/**
|
|
22
|
+
* Mint a durable grant from a freshly-verified delegation so the NEXT call —
|
|
23
|
+
* on any instance — resolves via {@link resolveExistingGrant} without
|
|
24
|
+
* re-pasting the VC. Best-effort: a store failure must not break the
|
|
25
|
+
* already-authorized response.
|
|
26
|
+
*/
|
|
27
|
+
bindGrantOnSuccess(vc: DelegationCredential, delegationArg: unknown, isVCJWT: boolean, sessionId: string | undefined, scopeId: string): Promise<void>;
|
|
28
|
+
}
|
|
29
|
+
export declare function createGrantResolution(deps: MiddlewareDeps): GrantResolution;
|
|
30
|
+
//# sourceMappingURL=with-kya-os.grants.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"with-kya-os.grants.d.ts","sourceRoot":"","sources":["../../src/middleware/with-kya-os.grants.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,6BAA6B,CAAC;AACzD,OAAO,KAAK,EACV,oBAAoB,EAErB,MAAM,sBAAsB,CAAC;AAQ9B,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAE5D,MAAM,WAAW,eAAe;IAC9B;;;;;;OAMG;IACH,oBAAoB,CAClB,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC7B,SAAS,EAAE,MAAM,GAAG,SAAS,EAC7B,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,KAAK,GAAG,SAAS,CAAC,CAAC;IAC9B;;;;;OAKG;IACH,kBAAkB,CAChB,EAAE,EAAE,oBAAoB,EACxB,aAAa,EAAE,OAAO,EACtB,OAAO,EAAE,OAAO,EAChB,SAAS,EAAE,MAAM,GAAG,SAAS,EAC7B,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,IAAI,CAAC,CAAC;CAClB;AAED,wBAAgB,qBAAqB,CAAC,IAAI,EAAE,cAAc,GAAG,eAAe,CAiK3E"}
|
|
@@ -0,0 +1,145 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* KYA-OS Middleware — durable-grant resolution (the no-paste retry).
|
|
3
|
+
*
|
|
4
|
+
* Resolves and mints agent-anchored / session-bound authorization grants so a
|
|
5
|
+
* verified delegation need not be re-pasted on the next call — even on a fresh
|
|
6
|
+
* instance with empty memory. Extracted from `./with-kya-os.ts`; depends only on
|
|
7
|
+
* the immutable {@link MiddlewareDeps} (no shared session state).
|
|
8
|
+
*/
|
|
9
|
+
import { getDelegationScopes } from "../delegation/chain-enforcement.js";
|
|
10
|
+
import { assertHolderBinding, isHolderBindingApplicable, toHolderBindingRequest, } from "../delegation/holder-binding.js";
|
|
11
|
+
import { logger } from "../logging/index.js";
|
|
12
|
+
export function createGrantResolution(deps) {
|
|
13
|
+
const { identity, cryptoProvider, grantStore, holderBindingMode, holderBindingVerifier, } = deps;
|
|
14
|
+
/**
|
|
15
|
+
* Deterministic grant id from (agentDid, sessionId, sorted scopes). Stable for
|
|
16
|
+
* the same tuple so a repeated VC-paste UPSERTS one grant rather than piling
|
|
17
|
+
* duplicate rows in a durable store.
|
|
18
|
+
*/
|
|
19
|
+
async function grantId(agentDid, sessionId, scopes) {
|
|
20
|
+
const key = `${agentDid}|${sessionId ?? ""}|${[...scopes].sort().join(",")}`;
|
|
21
|
+
const digest = await cryptoProvider.hash(new TextEncoder().encode(key));
|
|
22
|
+
return `grant_${digest.replace(/^sha256:/, "")}`;
|
|
23
|
+
}
|
|
24
|
+
/** Grant expiry (ms epoch) derived from the VC, or undefined for no expiry. */
|
|
25
|
+
function delegationExpiryMs(vc) {
|
|
26
|
+
if (vc.expirationDate) {
|
|
27
|
+
const parsed = Date.parse(vc.expirationDate);
|
|
28
|
+
if (!Number.isNaN(parsed))
|
|
29
|
+
return parsed;
|
|
30
|
+
}
|
|
31
|
+
const notAfter = vc.credentialSubject?.delegation?.constraints?.notAfter;
|
|
32
|
+
if (typeof notAfter === "number")
|
|
33
|
+
return notAfter * 1000;
|
|
34
|
+
return undefined;
|
|
35
|
+
}
|
|
36
|
+
/**
|
|
37
|
+
* Resolve a durable, agent-anchored grant for a no-delegation call — BUT ONLY
|
|
38
|
+
* behind a verified holder-of-key proof. The agent DID is taken from the
|
|
39
|
+
* `_kyaos_proof` and re-proven per request (possession of the subject key over
|
|
40
|
+
* THIS request), never trusted from a bearer hint. This is the single most
|
|
41
|
+
* security-sensitive gate of the durable-consent change: without it, any
|
|
42
|
+
* caller who knows agent A's DID could replay A's grant (confused-deputy
|
|
43
|
+
* escalation, spec §A.4). Returns undefined unless possession is proven.
|
|
44
|
+
*/
|
|
45
|
+
async function resolveAgentGrant(toolName, args, sessionId, scopeId) {
|
|
46
|
+
if (!holderBindingVerifier)
|
|
47
|
+
return undefined; // inert unless holder binding is on
|
|
48
|
+
const proofArg = args["_kyaos_proof"];
|
|
49
|
+
if (proofArg === undefined)
|
|
50
|
+
return undefined;
|
|
51
|
+
let parsedProof = proofArg;
|
|
52
|
+
if (typeof proofArg === "string") {
|
|
53
|
+
try {
|
|
54
|
+
parsedProof = JSON.parse(proofArg);
|
|
55
|
+
}
|
|
56
|
+
catch {
|
|
57
|
+
return undefined;
|
|
58
|
+
}
|
|
59
|
+
}
|
|
60
|
+
const proof = parsedProof;
|
|
61
|
+
const agentDid = proof?.meta?.did;
|
|
62
|
+
if (typeof agentDid !== "string" || !isHolderBindingApplicable(agentDid)) {
|
|
63
|
+
return undefined;
|
|
64
|
+
}
|
|
65
|
+
const binding = await assertHolderBinding({
|
|
66
|
+
proof,
|
|
67
|
+
subjectDid: agentDid,
|
|
68
|
+
request: toHolderBindingRequest(toolName, args),
|
|
69
|
+
expectedAudience: identity.did,
|
|
70
|
+
proofVerifier: holderBindingVerifier,
|
|
71
|
+
});
|
|
72
|
+
if (binding.status !== "bound")
|
|
73
|
+
return undefined;
|
|
74
|
+
const grants = await grantStore.getByAgent(agentDid, [scopeId]);
|
|
75
|
+
// A session-bound grant is usable only from its own session; an
|
|
76
|
+
// agent-anchored (session-less) grant is portable across transports.
|
|
77
|
+
return grants.find((g) => g.sessionId === undefined || g.sessionId === sessionId);
|
|
78
|
+
}
|
|
79
|
+
async function resolveExistingGrant(toolName, args, sessionId, scopeId) {
|
|
80
|
+
const agentGrant = await resolveAgentGrant(toolName, args, sessionId, scopeId);
|
|
81
|
+
if (agentGrant)
|
|
82
|
+
return agentGrant;
|
|
83
|
+
if (sessionId) {
|
|
84
|
+
const [sessionGrant] = await grantStore.getBySession(sessionId, [scopeId]);
|
|
85
|
+
if (sessionGrant)
|
|
86
|
+
return sessionGrant;
|
|
87
|
+
}
|
|
88
|
+
return undefined;
|
|
89
|
+
}
|
|
90
|
+
async function bindGrantOnSuccess(vc, delegationArg, isVCJWT, sessionId, scopeId) {
|
|
91
|
+
try {
|
|
92
|
+
const agentDid = vc.credentialSubject?.id;
|
|
93
|
+
if (!agentDid)
|
|
94
|
+
return;
|
|
95
|
+
// A session-less grant minted with holder binding OFF is unresolvable on
|
|
96
|
+
// retry (getByAgent needs a holder-of-key proof; getBySession needs a
|
|
97
|
+
// sessionId), so DON'T bind it — that would only orphan a row in a durable
|
|
98
|
+
// store. Durability for such flows comes from re-presenting the delegation,
|
|
99
|
+
// not from a grant. Enable holderBinding 'enforce' or thread a sessionId to
|
|
100
|
+
// use the grant-backed no-paste retry.
|
|
101
|
+
if (holderBindingMode === "off" && sessionId === undefined) {
|
|
102
|
+
logger.debug(`[kya-os] Skipping an unresolvable session-less grant for scope "${scopeId}" (holderBinding 'off', no sessionId).`);
|
|
103
|
+
return;
|
|
104
|
+
}
|
|
105
|
+
let delegatedScopes;
|
|
106
|
+
try {
|
|
107
|
+
delegatedScopes = getDelegationScopes(vc);
|
|
108
|
+
}
|
|
109
|
+
catch {
|
|
110
|
+
delegatedScopes = [];
|
|
111
|
+
}
|
|
112
|
+
// Store the EXACT required scope alongside the delegated scopes. The retry
|
|
113
|
+
// queries by the tool's exact scopeId, but the delegation may have granted
|
|
114
|
+
// a prefix/regex scope (e.g. "cart:*"); the store's exact `coversScopes`
|
|
115
|
+
// would never match the wildcard, so the no-paste retry would silently
|
|
116
|
+
// re-challenge. Including scopeId makes the grant resolvable.
|
|
117
|
+
const scopes = Array.from(new Set([scopeId, ...delegatedScopes]));
|
|
118
|
+
const userDid = vc.credentialSubject?.delegation?.controller;
|
|
119
|
+
const expiresAt = delegationExpiryMs(vc);
|
|
120
|
+
const grant = {
|
|
121
|
+
id: await grantId(agentDid, sessionId, scopes),
|
|
122
|
+
agentDid,
|
|
123
|
+
...(userDid !== undefined ? { userDid } : {}),
|
|
124
|
+
scopes,
|
|
125
|
+
...(sessionId !== undefined ? { sessionId } : {}),
|
|
126
|
+
authorization: { type: "delegation" },
|
|
127
|
+
...(isVCJWT && typeof delegationArg === "string"
|
|
128
|
+
? { credentialJwt: delegationArg }
|
|
129
|
+
: {}),
|
|
130
|
+
issuedAt: Date.now(),
|
|
131
|
+
...(expiresAt !== undefined ? { expiresAt } : {}),
|
|
132
|
+
status: "active",
|
|
133
|
+
};
|
|
134
|
+
await grantStore.bind(grant);
|
|
135
|
+
}
|
|
136
|
+
catch (error) {
|
|
137
|
+
logger.error("[kya-os] Grant bind failed", {
|
|
138
|
+
scope: scopeId,
|
|
139
|
+
error: error instanceof Error ? error.message : String(error),
|
|
140
|
+
});
|
|
141
|
+
}
|
|
142
|
+
}
|
|
143
|
+
return { resolveExistingGrant, bindGrantOnSuccess };
|
|
144
|
+
}
|
|
145
|
+
//# sourceMappingURL=with-kya-os.grants.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"with-kya-os.grants.js","sourceRoot":"","sources":["../../src/middleware/with-kya-os.grants.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAOH,OAAO,EAAE,mBAAmB,EAAE,MAAM,oCAAoC,CAAC;AACzE,OAAO,EACL,mBAAmB,EACnB,yBAAyB,EACzB,sBAAsB,GACvB,MAAM,iCAAiC,CAAC;AACzC,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAC;AAgC7C,MAAM,UAAU,qBAAqB,CAAC,IAAoB;IACxD,MAAM,EACJ,QAAQ,EACR,cAAc,EACd,UAAU,EACV,iBAAiB,EACjB,qBAAqB,GACtB,GAAG,IAAI,CAAC;IAET;;;;OAIG;IACH,KAAK,UAAU,OAAO,CACpB,QAAgB,EAChB,SAA6B,EAC7B,MAAgB;QAEhB,MAAM,GAAG,GAAG,GAAG,QAAQ,IAAI,SAAS,IAAI,EAAE,IAAI,CAAC,GAAG,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QAC7E,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,IAAI,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;QACxE,OAAO,SAAS,MAAM,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,EAAE,CAAC;IACnD,CAAC;IAED,+EAA+E;IAC/E,SAAS,kBAAkB,CAAC,EAAwB;QAClD,IAAI,EAAE,CAAC,cAAc,EAAE,CAAC;YACtB,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,cAAc,CAAC,CAAC;YAC7C,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC;gBAAE,OAAO,MAAM,CAAC;QAC3C,CAAC;QACD,MAAM,QAAQ,GAAG,EAAE,CAAC,iBAAiB,EAAE,UAAU,EAAE,WAAW,EAAE,QAAQ,CAAC;QACzE,IAAI,OAAO,QAAQ,KAAK,QAAQ;YAAE,OAAO,QAAQ,GAAG,IAAI,CAAC;QACzD,OAAO,SAAS,CAAC;IACnB,CAAC;IAED;;;;;;;;OAQG;IACH,KAAK,UAAU,iBAAiB,CAC9B,QAAgB,EAChB,IAA6B,EAC7B,SAA6B,EAC7B,OAAe;QAEf,IAAI,CAAC,qBAAqB;YAAE,OAAO,SAAS,CAAC,CAAC,oCAAoC;QAClF,MAAM,QAAQ,GAAG,IAAI,CAAC,cAAc,CAAC,CAAC;QACtC,IAAI,QAAQ,KAAK,SAAS;YAAE,OAAO,SAAS,CAAC;QAC7C,IAAI,WAAW,GAAY,QAAQ,CAAC;QACpC,IAAI,OAAO,QAAQ,KAAK,QAAQ,EAAE,CAAC;YACjC,IAAI,CAAC;gBACH,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;YACrC,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,SAAS,CAAC;YACnB,CAAC;QACH,CAAC;QACD,MAAM,KAAK,GAAG,WAA4B,CAAC;QAC3C,MAAM,QAAQ,GAAG,KAAK,EAAE,IAAI,EAAE,GAAG,CAAC;QAClC,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,CAAC,yBAAyB,CAAC,QAAQ,CAAC,EAAE,CAAC;YACzE,OAAO,SAAS,CAAC;QACnB,CAAC;QACD,MAAM,OAAO,GAAG,MAAM,mBAAmB,CAAC;YACxC,KAAK;YACL,UAAU,EAAE,QAAQ;YACpB,OAAO,EAAE,sBAAsB,CAAC,QAAQ,EAAE,IAAI,CAAC;YAC/C,gBAAgB,EAAE,QAAQ,CAAC,GAAG;YAC9B,aAAa,EAAE,qBAAqB;SACrC,CAAC,CAAC;QACH,IAAI,OAAO,CAAC,MAAM,KAAK,OAAO;YAAE,OAAO,SAAS,CAAC;QACjD,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,UAAU,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC;QAChE,gEAAgE;QAChE,qEAAqE;QACrE,OAAO,MAAM,CAAC,IAAI,CAChB,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,KAAK,SAAS,IAAI,CAAC,CAAC,SAAS,KAAK,SAAS,CAC9D,CAAC;IACJ,CAAC;IAED,KAAK,UAAU,oBAAoB,CACjC,QAAgB,EAChB,IAA6B,EAC7B,SAA6B,EAC7B,OAAe;QAEf,MAAM,UAAU,GAAG,MAAM,iBAAiB,CAAC,QAAQ,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,CAAC,CAAC;QAC/E,IAAI,UAAU;YAAE,OAAO,UAAU,CAAC;QAElC,IAAI,SAAS,EAAE,CAAC;YACd,MAAM,CAAC,YAAY,CAAC,GAAG,MAAM,UAAU,CAAC,YAAY,CAAC,SAAS,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC;YAC3E,IAAI,YAAY;gBAAE,OAAO,YAAY,CAAC;QACxC,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,KAAK,UAAU,kBAAkB,CAC/B,EAAwB,EACxB,aAAsB,EACtB,OAAgB,EAChB,SAA6B,EAC7B,OAAe;QAEf,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,EAAE,CAAC,iBAAiB,EAAE,EAAE,CAAC;YAC1C,IAAI,CAAC,QAAQ;gBAAE,OAAO;YAEtB,yEAAyE;YACzE,sEAAsE;YACtE,2EAA2E;YAC3E,4EAA4E;YAC5E,4EAA4E;YAC5E,uCAAuC;YACvC,IAAI,iBAAiB,KAAK,KAAK,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;gBAC3D,MAAM,CAAC,KAAK,CACV,mEAAmE,OAAO,wCAAwC,CACnH,CAAC;gBACF,OAAO;YACT,CAAC;YAED,IAAI,eAAyB,CAAC;YAC9B,IAAI,CAAC;gBACH,eAAe,GAAG,mBAAmB,CAAC,EAAE,CAAC,CAAC;YAC5C,CAAC;YAAC,MAAM,CAAC;gBACP,eAAe,GAAG,EAAE,CAAC;YACvB,CAAC;YACD,2EAA2E;YAC3E,2EAA2E;YAC3E,yEAAyE;YACzE,uEAAuE;YACvE,8DAA8D;YAC9D,MAAM,MAAM,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,CAAC,OAAO,EAAE,GAAG,eAAe,CAAC,CAAC,CAAC,CAAC;YAClE,MAAM,OAAO,GAAG,EAAE,CAAC,iBAAiB,EAAE,UAAU,EAAE,UAAU,CAAC;YAC7D,MAAM,SAAS,GAAG,kBAAkB,CAAC,EAAE,CAAC,CAAC;YAEzC,MAAM,KAAK,GAAU;gBACnB,EAAE,EAAE,MAAM,OAAO,CAAC,QAAQ,EAAE,SAAS,EAAE,MAAM,CAAC;gBAC9C,QAAQ;gBACR,GAAG,CAAC,OAAO,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC7C,MAAM;gBACN,GAAG,CAAC,SAAS,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACjD,aAAa,EAAE,EAAE,IAAI,EAAE,YAAY,EAAE;gBACrC,GAAG,CAAC,OAAO,IAAI,OAAO,aAAa,KAAK,QAAQ;oBAC9C,CAAC,CAAC,EAAE,aAAa,EAAE,aAAa,EAAE;oBAClC,CAAC,CAAC,EAAE,CAAC;gBACP,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE;gBACpB,GAAG,CAAC,SAAS,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACjD,MAAM,EAAE,QAAQ;aACjB,CAAC;YACF,MAAM,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC/B,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,CAAC,KAAK,CAAC,4BAA4B,EAAE;gBACzC,KAAK,EAAE,OAAO;gBACd,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;aAC9D,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,EAAE,oBAAoB,EAAE,kBAAkB,EAAE,CAAC;AACtD,CAAC"}
|
|
@@ -0,0 +1,24 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* KYA-OS Middleware — pure, dependency-free helpers.
|
|
3
|
+
*
|
|
4
|
+
* Referentially-transparent utilities used by `createKyaOsMiddleware`, split out
|
|
5
|
+
* of `./with-kya-os.ts` so the factory module stays focused on wiring. No shared
|
|
6
|
+
* mutable state, no I/O — safe to unit test in isolation.
|
|
7
|
+
*/
|
|
8
|
+
/**
|
|
9
|
+
* Strip control characters and cap length on caller-derived values before they
|
|
10
|
+
* are interpolated into client-facing reasons or log lines. A hostile
|
|
11
|
+
* credential could otherwise embed newlines / control chars in an id or scope to
|
|
12
|
+
* forge or corrupt log entries (log injection) or break a terminal. The fixed
|
|
13
|
+
* parts of a reason contain no control chars, so sanitizing the whole assembled
|
|
14
|
+
* string at the emission boundary is equivalent to sanitizing each interpolated
|
|
15
|
+
* value, and is idempotent.
|
|
16
|
+
*/
|
|
17
|
+
export declare function sanitizeForMessage(value: unknown, maxLen?: number): string;
|
|
18
|
+
/** Best-effort projection of a delegation VC into policy principal facts. */
|
|
19
|
+
export declare function extractPolicyPrincipal(del: unknown): {
|
|
20
|
+
agentDid: string;
|
|
21
|
+
responsibleParty?: string;
|
|
22
|
+
delegatedScopes: string[];
|
|
23
|
+
};
|
|
24
|
+
//# sourceMappingURL=with-kya-os.helpers.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"with-kya-os.helpers.d.ts","sourceRoot":"","sources":["../../src/middleware/with-kya-os.helpers.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAKH;;;;;;;;GAQG;AACH,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,OAAO,EAAE,MAAM,SAAM,GAAG,MAAM,CAWvE;AAED,6EAA6E;AAC7E,wBAAgB,sBAAsB,CAAC,GAAG,EAAE,OAAO,GAAG;IACpD,QAAQ,EAAE,MAAM,CAAC;IACjB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,eAAe,EAAE,MAAM,EAAE,CAAC;CAC3B,CA0BA"}
|
|
@@ -0,0 +1,57 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* KYA-OS Middleware — pure, dependency-free helpers.
|
|
3
|
+
*
|
|
4
|
+
* Referentially-transparent utilities used by `createKyaOsMiddleware`, split out
|
|
5
|
+
* of `./with-kya-os.ts` so the factory module stays focused on wiring. No shared
|
|
6
|
+
* mutable state, no I/O — safe to unit test in isolation.
|
|
7
|
+
*/
|
|
8
|
+
import { getDelegationScopes } from "../delegation/chain-enforcement.js";
|
|
9
|
+
/**
|
|
10
|
+
* Strip control characters and cap length on caller-derived values before they
|
|
11
|
+
* are interpolated into client-facing reasons or log lines. A hostile
|
|
12
|
+
* credential could otherwise embed newlines / control chars in an id or scope to
|
|
13
|
+
* forge or corrupt log entries (log injection) or break a terminal. The fixed
|
|
14
|
+
* parts of a reason contain no control chars, so sanitizing the whole assembled
|
|
15
|
+
* string at the emission boundary is equivalent to sanitizing each interpolated
|
|
16
|
+
* value, and is idempotent.
|
|
17
|
+
*/
|
|
18
|
+
export function sanitizeForMessage(value, maxLen = 256) {
|
|
19
|
+
const s = typeof value === "string" ? value : String(value);
|
|
20
|
+
// Replace C0/C1 control chars (incl. CR, LF, TAB, ESC, DEL) with U+FFFD so a
|
|
21
|
+
// hostile id/scope cannot forge log lines or break a terminal. Filtered by
|
|
22
|
+
// code point to keep this source ASCII-only (no literal control chars).
|
|
23
|
+
let out = "";
|
|
24
|
+
for (const ch of s) {
|
|
25
|
+
const code = ch.codePointAt(0) ?? 0;
|
|
26
|
+
out += code <= 0x1f || (code >= 0x7f && code <= 0x9f) ? "\uFFFD" : ch;
|
|
27
|
+
}
|
|
28
|
+
return out.length > maxLen ? `${out.slice(0, maxLen)}\u2026` : out;
|
|
29
|
+
}
|
|
30
|
+
/** Best-effort projection of a delegation VC into policy principal facts. */
|
|
31
|
+
export function extractPolicyPrincipal(del) {
|
|
32
|
+
if (!del || typeof del !== "object") {
|
|
33
|
+
return { agentDid: "unknown", delegatedScopes: [] };
|
|
34
|
+
}
|
|
35
|
+
try {
|
|
36
|
+
const vc = del;
|
|
37
|
+
const subject = vc.credentialSubject;
|
|
38
|
+
const agentDid = subject?.delegation?.subjectDid ?? subject?.id ?? "unknown";
|
|
39
|
+
const responsibleParty = subject?.delegation?.controller;
|
|
40
|
+
let delegatedScopes = [];
|
|
41
|
+
try {
|
|
42
|
+
delegatedScopes = getDelegationScopes(vc);
|
|
43
|
+
}
|
|
44
|
+
catch {
|
|
45
|
+
delegatedScopes = [];
|
|
46
|
+
}
|
|
47
|
+
return {
|
|
48
|
+
agentDid,
|
|
49
|
+
...(responsibleParty ? { responsibleParty } : {}),
|
|
50
|
+
delegatedScopes,
|
|
51
|
+
};
|
|
52
|
+
}
|
|
53
|
+
catch {
|
|
54
|
+
return { agentDid: "unknown", delegatedScopes: [] };
|
|
55
|
+
}
|
|
56
|
+
}
|
|
57
|
+
//# sourceMappingURL=with-kya-os.helpers.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"with-kya-os.helpers.js","sourceRoot":"","sources":["../../src/middleware/with-kya-os.helpers.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,EAAE,mBAAmB,EAAE,MAAM,oCAAoC,CAAC;AAEzE;;;;;;;;GAQG;AACH,MAAM,UAAU,kBAAkB,CAAC,KAAc,EAAE,MAAM,GAAG,GAAG;IAC7D,MAAM,CAAC,GAAG,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAC5D,6EAA6E;IAC7E,2EAA2E;IAC3E,wEAAwE;IACxE,IAAI,GAAG,GAAG,EAAE,CAAC;IACb,KAAK,MAAM,EAAE,IAAI,CAAC,EAAE,CAAC;QACnB,MAAM,IAAI,GAAG,EAAE,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QACpC,GAAG,IAAI,IAAI,IAAI,IAAI,IAAI,CAAC,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC;IACxE,CAAC;IACD,OAAO,GAAG,CAAC,MAAM,GAAG,MAAM,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC;AACrE,CAAC;AAED,6EAA6E;AAC7E,MAAM,UAAU,sBAAsB,CAAC,GAAY;IAKjD,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QACpC,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,eAAe,EAAE,EAAE,EAAE,CAAC;IACtD,CAAC;IACD,IAAI,CAAC;QACH,MAAM,EAAE,GAAG,GAA2B,CAAC;QACvC,MAAM,OAAO,GAAG,EAAE,CAAC,iBAGlB,CAAC;QACF,MAAM,QAAQ,GAAG,OAAO,EAAE,UAAU,EAAE,UAAU,IAAI,OAAO,EAAE,EAAE,IAAI,SAAS,CAAC;QAC7E,MAAM,gBAAgB,GAAG,OAAO,EAAE,UAAU,EAAE,UAAU,CAAC;QACzD,IAAI,eAAe,GAAa,EAAE,CAAC;QACnC,IAAI,CAAC;YACH,eAAe,GAAG,mBAAmB,CAAC,EAAE,CAAC,CAAC;QAC5C,CAAC;QAAC,MAAM,CAAC;YACP,eAAe,GAAG,EAAE,CAAC;QACvB,CAAC;QACD,OAAO;YACL,QAAQ;YACR,GAAG,CAAC,gBAAgB,CAAC,CAAC,CAAC,EAAE,gBAAgB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACjD,eAAe;SAChB,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,eAAe,EAAE,EAAE,EAAE,CAAC;IACtD,CAAC;AACH,CAAC"}
|