@mcp-i/core 0.1.0

package/dist/auth/handshake.js

@@ -0,0 +1,230 @@
+/**
+ * Authorization Handshake — Platform-agnostic Protocol Reference
+ *
+ * Orchestrates the MCP-I authorization flow:
+ * 1. Check agent reputation (optional)
+ * 2. Verify delegation exists
+ * 3. Return needs_authorization error if missing
+ *
+ * Uses only the global fetch API — no Node-specific imports.
+ * Safe to run on Node.js, Cloudflare Workers, and any fetch-capable runtime.
+ */
+import { createNeedsAuthorizationError } from '../types/protocol.js';
+import { logger } from '../logging/index.js';
+export class MemoryResumeTokenStore {
+    tokens = new Map();
+    ttl;
+    constructor(ttlMs = 600_000) {
+        this.ttl = ttlMs;
+    }
+    async create(agentDid, scopes, metadata) {
+        const token = `rt_${Date.now()}_${Math.random().toString(36).substring(2, 18)}`;
+        const now = Date.now();
+        this.tokens.set(token, {
+            agentDid,
+            scopes,
+            createdAt: now,
+            expiresAt: now + this.ttl,
+            metadata,
+            fulfilled: false,
+        });
+        return token;
+    }
+    async get(token) {
+        const data = this.tokens.get(token);
+        if (!data)
+            return null;
+        if (Date.now() > data.expiresAt) {
+            this.tokens.delete(token);
+            return null;
+        }
+        if (data.fulfilled)
+            return null;
+        return {
+            agentDid: data.agentDid,
+            scopes: data.scopes,
+            createdAt: data.createdAt,
+            expiresAt: data.expiresAt,
+            metadata: data.metadata,
+        };
+    }
+    async fulfill(token) {
+        const data = this.tokens.get(token);
+        if (data) {
+            data.fulfilled = true;
+        }
+    }
+    clear() {
+        this.tokens.clear();
+    }
+}
+/**
+ * Verify agent delegation or return authorization hints.
+ *
+ * Orchestrates the authorization flow:
+ * 1. Optionally check agent reputation against threshold
+ * 2. Verify existing delegation via DelegationVerifier
+ * 3. Return authorization hints if delegation is missing/invalid
+ *
+ * @param agentDid - The agent's DID to verify
+ * @param scopes - Required scopes for the operation
+ * @param config - Authorization configuration including verifier, token store, etc.
+ * @param _resumeToken - Optional resume token from previous authorization attempt
+ * @returns Result indicating authorization status, delegation, or auth hints
+ */
+export async function verifyOrHints(agentDid, scopes, config, _resumeToken) {
+    const startTime = Date.now();
+    if (config.debug) {
+        logger.debug(`[AuthHandshake] Verifying ${agentDid} for scopes: ${scopes.join(', ')}`);
+    }
+    let reputation;
+    if (config.reputationService && config.authorization.minReputationScore !== undefined) {
+        try {
+            reputation = await fetchAgentReputation(agentDid, config.reputationService);
+            if (config.debug) {
+                logger.debug(`[AuthHandshake] Reputation score: ${reputation.score}`);
+            }
+            if (reputation.score < config.authorization.minReputationScore) {
+                if (config.debug) {
+                    logger.debug(`[AuthHandshake] Reputation ${reputation.score} < ${config.authorization.minReputationScore}, requiring authorization`);
+                }
+                const authError = await buildNeedsAuthorizationError(agentDid, scopes, config, 'Agent reputation score below threshold');
+                return {
+                    authorized: false,
+                    authError,
+                    reputation,
+                    reason: 'Low reputation score',
+                };
+            }
+        }
+        catch (error) {
+            logger.warn('[AuthHandshake] Failed to check reputation:', error);
+        }
+    }
+    let delegationResult;
+    try {
+        delegationResult = await config.delegationVerifier.verify(agentDid, scopes);
+    }
+    catch (error) {
+        logger.error('[AuthHandshake] Delegation verification failed:', error);
+        const errorMessage = `Delegation verification error: ${error instanceof Error ? error.message : 'Unknown error'}`;
+        const authError = await buildNeedsAuthorizationError(agentDid, scopes, config, errorMessage);
+        return {
+            authorized: false,
+            authError,
+            reason: errorMessage,
+        };
+    }
+    if (delegationResult.valid && delegationResult.delegation) {
+        if (config.debug) {
+            logger.debug(`[AuthHandshake] Delegation valid, authorized (${Date.now() - startTime}ms)`);
+        }
+        return {
+            authorized: true,
+            delegation: delegationResult.delegation,
+            credential: delegationResult.credential,
+            reputation,
+            reason: 'Valid delegation found',
+        };
+    }
+    if (config.debug) {
+        logger.debug(`[AuthHandshake] No delegation found, returning needs_authorization (${Date.now() - startTime}ms)`);
+    }
+    const authError = await buildNeedsAuthorizationError(agentDid, scopes, config, delegationResult.reason ?? 'No valid delegation found');
+    return {
+        authorized: false,
+        authError,
+        reputation,
+        reason: delegationResult.reason ?? 'No delegation',
+    };
+}
+async function fetchAgentReputation(agentDid, reputationConfig) {
+    const apiUrl = reputationConfig.apiUrl.replace(/\/$/, '');
+    const headers = {
+        'Content-Type': 'application/json',
+    };
+    if (reputationConfig.apiKey) {
+        headers['X-API-Key'] = reputationConfig.apiKey;
+    }
+    const isV2Format = reputationConfig.apiFormat === 'v2';
+    let response;
+    if (isV2Format) {
+        response = await fetch(`${apiUrl}/v1/reputation/${encodeURIComponent(agentDid)}`, {
+            method: 'POST',
+            headers,
+            body: JSON.stringify({ include_details: false }),
+        });
+    }
+    else {
+        response = await fetch(`${apiUrl}/api/v1/reputation/${encodeURIComponent(agentDid)}`, { method: 'GET', headers });
+    }
+    if (!response.ok) {
+        if (response.status === 404) {
+            return {
+                agentDid,
+                score: 50,
+                totalInteractions: 0,
+                successRate: 0,
+                riskLevel: 'unknown',
+                updatedAt: Date.now(),
+            };
+        }
+        throw new Error(`Reputation API error: ${response.status} ${response.statusText}`);
+    }
+    const data = (await response.json());
+    const score = data['score'] ?? 50;
+    const levelRaw = (data['level'] ??
+        data['riskLevel'] ??
+        'unknown').toLowerCase();
+    const riskLevel = levelRaw === 'low' || levelRaw === 'medium' || levelRaw === 'high' ? levelRaw : 'unknown';
+    return {
+        agentDid: data['agent_did'] ??
+            data['agentDid'] ??
+            agentDid,
+        score,
+        totalInteractions: data['totalInteractions'] ?? 0,
+        successRate: data['successRate'] ?? 0,
+        riskLevel,
+        updatedAt: data['calculatedAt']
+            ? new Date(data['calculatedAt']).getTime()
+            : (data['updatedAt'] ?? Date.now()),
+    };
+}
+async function buildNeedsAuthorizationError(agentDid, scopes, config, message) {
+    const resumeToken = await config.resumeTokenStore.create(agentDid, scopes, {
+        requestedAt: Date.now(),
+    });
+    const expiresAt = Date.now() + (config.authorization.resumeTokenTtl ?? 600_000);
+    const authUrl = new URL(config.authorization.authorizationUrl);
+    authUrl.searchParams.set('agent_did', agentDid);
+    authUrl.searchParams.set('scopes', scopes.join(','));
+    authUrl.searchParams.set('resume_token', resumeToken);
+    const authCode = resumeToken.substring(0, 8).toUpperCase();
+    const display = {
+        title: 'Authorization Required',
+        hint: ['link', 'qr'],
+        authorizationCode: authCode,
+        qrUrl: `https://api.qrserver.com/v1/create-qr-code/?data=${encodeURIComponent(authUrl.toString())}`,
+    };
+    return createNeedsAuthorizationError({
+        message,
+        authorizationUrl: authUrl.toString(),
+        resumeToken,
+        expiresAt,
+        scopes,
+        display,
+    });
+}
+export function hasSensitiveScopes(scopes) {
+    const sensitivePatterns = [
+        'write',
+        'delete',
+        'admin',
+        'payment',
+        'transfer',
+        'execute',
+        'modify',
+    ];
+    return scopes.some((scope) => sensitivePatterns.some((pattern) => scope.toLowerCase().includes(pattern)));
+}
+//# sourceMappingURL=handshake.js.map

package/dist/auth/handshake.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"handshake.js","sourceRoot":"","sources":["../../src/auth/handshake.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAMH,OAAO,EAAE,6BAA6B,EAAE,MAAM,sBAAsB,CAAC;AAErE,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAC;AA+E7C,MAAM,OAAO,sBAAsB;IACzB,MAAM,GAAG,IAAI,GAAG,EAUrB,CAAC;IACI,GAAG,CAAS;IAEpB,YAAY,KAAK,GAAG,OAAO;QACzB,IAAI,CAAC,GAAG,GAAG,KAAK,CAAC;IACnB,CAAC;IAED,KAAK,CAAC,MAAM,CACV,QAAgB,EAChB,MAAgB,EAChB,QAAkC;QAElC,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,GAAG,EAAE,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC;QAChF,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAEvB,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE;YACrB,QAAQ;YACR,MAAM;YACN,SAAS,EAAE,GAAG;YACd,SAAS,EAAE,GAAG,GAAG,IAAI,CAAC,GAAG;YACzB,QAAQ;YACR,SAAS,EAAE,KAAK;SACjB,CAAC,CAAC;QAEH,OAAO,KAAK,CAAC;IACf,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,KAAa;QAOrB,MAAM,IAAI,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACpC,IAAI,CAAC,IAAI;YAAE,OAAO,IAAI,CAAC;QAEvB,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,SAAS,EAAE,CAAC;YAChC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YAC1B,OAAO,IAAI,CAAC;QACd,CAAC;QAED,IAAI,IAAI,CAAC,SAAS;YAAE,OAAO,IAAI,CAAC;QAEhC,OAAO;YACL,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,QAAQ,EAAE,IAAI,CAAC,QAAQ;SACxB,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,KAAa;QACzB,MAAM,IAAI,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACpC,IAAI,IAAI,EAAE,CAAC;YACT,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC;QACxB,CAAC;IACH,CAAC;IAED,KAAK;QACH,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;IACtB,CAAC;CACF;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,QAAgB,EAChB,MAAgB,EAChB,MAA2B,EAC3B,YAAqB;IAErB,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAE7B,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;QACjB,MAAM,CAAC,KAAK,CAAC,6BAA6B,QAAQ,gBAAgB,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACzF,CAAC;IAED,IAAI,UAAuC,CAAC;IAC5C,IAAI,MAAM,CAAC,iBAAiB,IAAI,MAAM,CAAC,aAAa,CAAC,kBAAkB,KAAK,SAAS,EAAE,CAAC;QACtF,IAAI,CAAC;YACH,UAAU,GAAG,MAAM,oBAAoB,CAAC,QAAQ,EAAE,MAAM,CAAC,iBAAiB,CAAC,CAAC;YAE5E,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;gBACjB,MAAM,CAAC,KAAK,CAAC,qCAAqC,UAAU,CAAC,KAAK,EAAE,CAAC,CAAC;YACxE,CAAC;YAED,IAAI,UAAU,CAAC,KAAK,GAAG,MAAM,CAAC,aAAa,CAAC,kBAAkB,EAAE,CAAC;gBAC/D,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;oBACjB,MAAM,CAAC,KAAK,CACV,8BAA8B,UAAU,CAAC,KAAK,MAAM,MAAM,CAAC,aAAa,CAAC,kBAAkB,2BAA2B,CACvH,CAAC;gBACJ,CAAC;gBAED,MAAM,SAAS,GAAG,MAAM,4BAA4B,CAClD,QAAQ,EACR,MAAM,EACN,MAAM,EACN,wCAAwC,CACzC,CAAC;gBAEF,OAAO;oBACL,UAAU,EAAE,KAAK;oBACjB,SAAS;oBACT,UAAU;oBACV,MAAM,EAAE,sBAAsB;iBAC/B,CAAC;YACJ,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,CAAC,IAAI,CAAC,6CAA6C,EAAE,KAAK,CAAC,CAAC;QACpE,CAAC;IACH,CAAC;IAED,IAAI,gBAAwC,CAAC;IAE7C,IAAI,CAAC;QACH,gBAAgB,GAAG,MAAM,MAAM,CAAC,kBAAkB,CAAC,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IAC9E,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,CAAC,KAAK,CAAC,iDAAiD,EAAE,KAAK,CAAC,CAAC;QACvE,MAAM,YAAY,GAAG,kCAAkC,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,EAAE,CAAC;QAElH,MAAM,SAAS,GAAG,MAAM,4BAA4B,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,YAAY,CAAC,CAAC;QAE7F,OAAO;YACL,UAAU,EAAE,KAAK;YACjB,SAAS;YACT,MAAM,EAAE,YAAY;SACrB,CAAC;IACJ,CAAC;IAED,IAAI,gBAAgB,CAAC,KAAK,IAAI,gBAAgB,CAAC,UAAU,EAAE,CAAC;QAC1D,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;YACjB,MAAM,CAAC,KAAK,CACV,iDAAiD,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,KAAK,CAC7E,CAAC;QACJ,CAAC;QAED,OAAO;YACL,UAAU,EAAE,IAAI;YAChB,UAAU,EAAE,gBAAgB,CAAC,UAAU;YACvC,UAAU,EAAE,gBAAgB,CAAC,UAAU;YACvC,UAAU;YACV,MAAM,EAAE,wBAAwB;SACjC,CAAC;IACJ,CAAC;IAED,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;QACjB,MAAM,CAAC,KAAK,CACV,uEAAuE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,KAAK,CACnG,CAAC;IACJ,CAAC;IAED,MAAM,SAAS,GAAG,MAAM,4BAA4B,CAClD,QAAQ,EACR,MAAM,EACN,MAAM,EACN,gBAAgB,CAAC,MAAM,IAAI,2BAA2B,CACvD,CAAC;IAEF,OAAO;QACL,UAAU,EAAE,KAAK;QACjB,SAAS;QACT,UAAU;QACV,MAAM,EAAE,gBAAgB,CAAC,MAAM,IAAI,eAAe;KACnD,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,oBAAoB,CACjC,QAAgB,EAChB,gBAA8E;IAE9E,MAAM,MAAM,GAAG,gBAAgB,CAAC,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IAC1D,MAAM,OAAO,GAA2B;QACtC,cAAc,EAAE,kBAAkB;KACnC,CAAC;IAEF,IAAI,gBAAgB,CAAC,MAAM,EAAE,CAAC;QAC5B,OAAO,CAAC,WAAW,CAAC,GAAG,gBAAgB,CAAC,MAAM,CAAC;IACjD,CAAC;IAED,MAAM,UAAU,GAAG,gBAAgB,CAAC,SAAS,KAAK,IAAI,CAAC;IACvD,IAAI,QAAkB,CAAC;IAEvB,IAAI,UAAU,EAAE,CAAC;QACf,QAAQ,GAAG,MAAM,KAAK,CACpB,GAAG,MAAM,kBAAkB,kBAAkB,CAAC,QAAQ,CAAC,EAAE,EACzD;YACE,MAAM,EAAE,MAAM;YACd,OAAO;YACP,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,eAAe,EAAE,KAAK,EAAE,CAAC;SACjD,CACF,CAAC;IACJ,CAAC;SAAM,CAAC;QACN,QAAQ,GAAG,MAAM,KAAK,CACpB,GAAG,MAAM,sBAAsB,kBAAkB,CAAC,QAAQ,CAAC,EAAE,EAC7D,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,CAC3B,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,OAAO;gBACL,QAAQ;gBACR,KAAK,EAAE,EAAE;gBACT,iBAAiB,EAAE,CAAC;gBACpB,WAAW,EAAE,CAAC;gBACd,SAAS,EAAE,SAAS;gBACpB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;aACtB,CAAC;QACJ,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,yBAAyB,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAC;IACrF,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA4B,CAAC;IAEhE,MAAM,KAAK,GAAI,IAAI,CAAC,OAAO,CAAwB,IAAI,EAAE,CAAC;IAC1D,MAAM,QAAQ,GAAG,CACd,IAAI,CAAC,OAAO,CAAwB;QACpC,IAAI,CAAC,WAAW,CAAwB;QACzC,SAAS,CACV,CAAC,WAAW,EAAE,CAAC;IAChB,MAAM,SAAS,GACb,QAAQ,KAAK,KAAK,IAAI,QAAQ,KAAK,QAAQ,IAAI,QAAQ,KAAK,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC;IAE5F,OAAO;QACL,QAAQ,EACL,IAAI,CAAC,WAAW,CAAwB;YACxC,IAAI,CAAC,UAAU,CAAwB;YACxC,QAAQ;QACV,KAAK;QACL,iBAAiB,EAAG,IAAI,CAAC,mBAAmB,CAAwB,IAAI,CAAC;QACzE,WAAW,EAAG,IAAI,CAAC,aAAa,CAAwB,IAAI,CAAC;QAC7D,SAAS;QACT,SAAS,EAAE,IAAI,CAAC,cAAc,CAAC;YAC7B,CAAC,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,cAAc,CAAW,CAAC,CAAC,OAAO,EAAE;YACpD,CAAC,CAAC,CAAE,IAAI,CAAC,WAAW,CAAwB,IAAI,IAAI,CAAC,GAAG,EAAE,CAAC;KAC9D,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,4BAA4B,CACzC,QAAgB,EAChB,MAAgB,EAChB,MAA2B,EAC3B,OAAe;IAEf,MAAM,WAAW,GAAG,MAAM,MAAM,CAAC,gBAAgB,CAAC,MAAM,CAAC,QAAQ,EAAE,MAAM,EAAE;QACzE,WAAW,EAAE,IAAI,CAAC,GAAG,EAAE;KACxB,CAAC,CAAC;IAEH,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,MAAM,CAAC,aAAa,CAAC,cAAc,IAAI,OAAO,CAAC,CAAC;IAEhF,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,aAAa,CAAC,gBAAgB,CAAC,CAAC;IAC/D,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;IAChD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IACrD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE,WAAW,CAAC,CAAC;IAEtD,MAAM,QAAQ,GAAG,WAAW,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;IAE3D,MAAM,OAAO,GAAyB;QACpC,KAAK,EAAE,wBAAwB;QAC/B,IAAI,EAAE,CAAC,MAAM,EAAE,IAAI,CAAC;QACpB,iBAAiB,EAAE,QAAQ;QAC3B,KAAK,EAAE,oDAAoD,kBAAkB,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC,EAAE;KACpG,CAAC;IAEF,OAAO,6BAA6B,CAAC;QACnC,OAAO;QACP,gBAAgB,EAAE,OAAO,CAAC,QAAQ,EAAE;QACpC,WAAW;QACX,SAAS;QACT,MAAM;QACN,OAAO;KACR,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,MAAgB;IACjD,MAAM,iBAAiB,GAAG;QACxB,OAAO;QACP,QAAQ;QACR,OAAO;QACP,SAAS;QACT,UAAU;QACV,SAAS;QACT,QAAQ;KACT,CAAC;IAEF,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAC3B,iBAAiB,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAC3E,CAAC;AACJ,CAAC"}

package/dist/auth/index.d.ts

@@ -0,0 +1,3 @@
+export { verifyOrHints, hasSensitiveScopes, MemoryResumeTokenStore, type AuthHandshakeConfig, type VerifyOrHintsResult, type AgentReputation, type ResumeTokenStore, } from './handshake.js';
+export type { DelegationVerifier, VerifyDelegationResult } from './types.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/auth/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,aAAa,EACb,kBAAkB,EAClB,sBAAsB,EACtB,KAAK,mBAAmB,EACxB,KAAK,mBAAmB,EACxB,KAAK,eAAe,EACpB,KAAK,gBAAgB,GACtB,MAAM,gBAAgB,CAAC;AAExB,YAAY,EAAE,kBAAkB,EAAE,sBAAsB,EAAE,MAAM,YAAY,CAAC"}

package/dist/auth/index.js

@@ -0,0 +1,2 @@
+export { verifyOrHints, hasSensitiveScopes, MemoryResumeTokenStore, } from './handshake.js';
+//# sourceMappingURL=index.js.map

package/dist/auth/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,aAAa,EACb,kBAAkB,EAClB,sBAAsB,GAKvB,MAAM,gBAAgB,CAAC"}

package/dist/auth/types.d.ts

@@ -0,0 +1,31 @@
+/**
+ * Authorization types for the auth module.
+ *
+ * Minimal interfaces required by the auth handshake.
+ */
+import type { DelegationRecord } from '../types/protocol.js';
+export interface VerifyDelegationResult {
+    valid: boolean;
+    delegation?: DelegationRecord;
+    credential?: {
+        agent_did: string;
+        user_did: string;
+        scopes: string[];
+        authorization: {
+            type: 'oauth' | 'oauth2' | 'password' | 'credential' | 'webauthn' | 'siwe' | 'none';
+            provider?: string;
+            credentialType?: string;
+            rpId?: string;
+            userVerification?: 'required' | 'preferred' | 'discouraged';
+            chainId?: number;
+            domain?: string;
+        };
+        [key: string]: unknown;
+    };
+    reason?: string;
+    cached?: boolean;
+}
+export interface DelegationVerifier {
+    verify(agentDid: string, scopes: string[]): Promise<VerifyDelegationResult>;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/auth/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/auth/types.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AAE7D,MAAM,WAAW,sBAAsB;IACrC,KAAK,EAAE,OAAO,CAAC;IACf,UAAU,CAAC,EAAE,gBAAgB,CAAC;IAC9B,UAAU,CAAC,EAAE;QACX,SAAS,EAAE,MAAM,CAAC;QAClB,QAAQ,EAAE,MAAM,CAAC;QACjB,MAAM,EAAE,MAAM,EAAE,CAAC;QACjB,aAAa,EAAE;YACb,IAAI,EACA,OAAO,GACP,QAAQ,GACR,UAAU,GACV,YAAY,GACZ,UAAU,GACV,MAAM,GACN,MAAM,CAAC;YACX,QAAQ,CAAC,EAAE,MAAM,CAAC;YAClB,cAAc,CAAC,EAAE,MAAM,CAAC;YACxB,IAAI,CAAC,EAAE,MAAM,CAAC;YACd,gBAAgB,CAAC,EAAE,UAAU,GAAG,WAAW,GAAG,aAAa,CAAC;YAC5D,OAAO,CAAC,EAAE,MAAM,CAAC;YACjB,MAAM,CAAC,EAAE,MAAM,CAAC;SACjB,CAAC;QACF,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;KACxB,CAAC;IACF,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,OAAO,CAAC;CAClB;AAED,MAAM,WAAW,kBAAkB;IACjC,MAAM,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,sBAAsB,CAAC,CAAC;CAC7E"}

package/dist/auth/types.js

@@ -0,0 +1,7 @@
+/**
+ * Authorization types for the auth module.
+ *
+ * Minimal interfaces required by the auth handshake.
+ */
+export {};
+//# sourceMappingURL=types.js.map

package/dist/auth/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/auth/types.ts"],"names":[],"mappings":"AAAA;;;;GAIG"}

package/dist/delegation/audience-validator.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Delegation Audience Validation
+ *
+ * Validates if a delegation's audience matches the server DID.
+ * Supports both single server DID and multiple server DIDs.
+ */
+import type { DelegationRecord } from '../types/protocol.js';
+export declare function verifyDelegationAudience(delegation: DelegationRecord, serverDid: string): boolean;
+//# sourceMappingURL=audience-validator.d.ts.map

package/dist/delegation/audience-validator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"audience-validator.d.ts","sourceRoot":"","sources":["../../src/delegation/audience-validator.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AAE7D,wBAAgB,wBAAwB,CACtC,UAAU,EAAE,gBAAgB,EAC5B,SAAS,EAAE,MAAM,GAChB,OAAO,CAWT"}

package/dist/delegation/audience-validator.js

@@ -0,0 +1,17 @@
+/**
+ * Delegation Audience Validation
+ *
+ * Validates if a delegation's audience matches the server DID.
+ * Supports both single server DID and multiple server DIDs.
+ */
+export function verifyDelegationAudience(delegation, serverDid) {
+    if (!delegation.constraints.audience) {
+        return true;
+    }
+    const audience = delegation.constraints.audience;
+    if (typeof audience === 'string') {
+        return audience === serverDid;
+    }
+    return audience.includes(serverDid);
+}
+//# sourceMappingURL=audience-validator.js.map

package/dist/delegation/audience-validator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audience-validator.js","sourceRoot":"","sources":["../../src/delegation/audience-validator.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,MAAM,UAAU,wBAAwB,CACtC,UAA4B,EAC5B,SAAiB;IAEjB,IAAI,CAAC,UAAU,CAAC,WAAW,CAAC,QAAQ,EAAE,CAAC;QACrC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,QAAQ,GAAG,UAAU,CAAC,WAAW,CAAC,QAAQ,CAAC;IACjD,IAAI,OAAO,QAAQ,KAAK,QAAQ,EAAE,CAAC;QACjC,OAAO,QAAQ,KAAK,SAAS,CAAC;IAChC,CAAC;IAED,OAAO,QAAQ,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;AACtC,CAAC"}

package/dist/delegation/bitstring.d.ts

@@ -0,0 +1,37 @@
+/**
+ * Bitstring Utilities for StatusList2021
+ *
+ * Implements GZIP compression + base64url encoding for efficient status lists.
+ * Per W3C StatusList2021 spec, each bit represents credential status:
+ * - 0: Not revoked/suspended
+ * - 1: Revoked/suspended
+ *
+ * Related Spec: W3C StatusList2021
+ */
+export interface CompressionFunction {
+    compress(data: Uint8Array): Promise<Uint8Array>;
+}
+export interface DecompressionFunction {
+    decompress(data: Uint8Array): Promise<Uint8Array>;
+}
+export declare class BitstringManager {
+    private compressor;
+    private decompressor;
+    private bits;
+    private size;
+    constructor(size: number, compressor: CompressionFunction, decompressor: DecompressionFunction);
+    setBit(index: number, value: boolean): void;
+    getBit(index: number): boolean;
+    getSetBits(): number[];
+    encode(): Promise<string>;
+    static decode(encodedList: string, compressor: CompressionFunction, decompressor: DecompressionFunction): Promise<BitstringManager>;
+    getRawBits(): Uint8Array;
+    getSize(): number;
+    private base64urlEncode;
+    private static base64urlDecode;
+    private bytesToBase64;
+    private static base64ToBytes;
+    static fromSetBits(size: number, setBits: number[], compressor: CompressionFunction, decompressor: DecompressionFunction): BitstringManager;
+}
+export declare function isIndexSet(encodedList: string, index: number, decompressor: DecompressionFunction): Promise<boolean>;
+//# sourceMappingURL=bitstring.d.ts.map

package/dist/delegation/bitstring.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"bitstring.d.ts","sourceRoot":"","sources":["../../src/delegation/bitstring.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,MAAM,WAAW,mBAAmB;IAClC,QAAQ,CAAC,IAAI,EAAE,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;CACjD;AAED,MAAM,WAAW,qBAAqB;IACpC,UAAU,CAAC,IAAI,EAAE,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;CACnD;AAED,qBAAa,gBAAgB;IAMzB,OAAO,CAAC,UAAU;IAClB,OAAO,CAAC,YAAY;IANtB,OAAO,CAAC,IAAI,CAAa;IACzB,OAAO,CAAC,IAAI,CAAS;gBAGnB,IAAI,EAAE,MAAM,EACJ,UAAU,EAAE,mBAAmB,EAC/B,YAAY,EAAE,qBAAqB;IAO7C,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,GAAG,IAAI;IAe3C,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO;IAW9B,UAAU,IAAI,MAAM,EAAE;IAUhB,MAAM,IAAI,OAAO,CAAC,MAAM,CAAC;WAKlB,MAAM,CACjB,WAAW,EAAE,MAAM,EACnB,UAAU,EAAE,mBAAmB,EAC/B,YAAY,EAAE,qBAAqB,GAClC,OAAO,CAAC,gBAAgB,CAAC;IAU5B,UAAU,IAAI,UAAU;IAIxB,OAAO,IAAI,MAAM;IAIjB,OAAO,CAAC,eAAe;IAKvB,OAAO,CAAC,MAAM,CAAC,eAAe;IAQ9B,OAAO,CAAC,aAAa;IAOrB,OAAO,CAAC,MAAM,CAAC,aAAa;IAa5B,MAAM,CAAC,WAAW,CAChB,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,MAAM,EAAE,EACjB,UAAU,EAAE,mBAAmB,EAC/B,YAAY,EAAE,qBAAqB,GAClC,gBAAgB;CAOpB;AAED,wBAAsB,UAAU,CAC9B,WAAW,EAAE,MAAM,EACnB,KAAK,EAAE,MAAM,EACb,YAAY,EAAE,qBAAqB,GAClC,OAAO,CAAC,OAAO,CAAC,CAYlB"}

package/dist/delegation/bitstring.js

@@ -0,0 +1,117 @@
+/**
+ * Bitstring Utilities for StatusList2021
+ *
+ * Implements GZIP compression + base64url encoding for efficient status lists.
+ * Per W3C StatusList2021 spec, each bit represents credential status:
+ * - 0: Not revoked/suspended
+ * - 1: Revoked/suspended
+ *
+ * Related Spec: W3C StatusList2021
+ */
+export class BitstringManager {
+    compressor;
+    decompressor;
+    bits;
+    size;
+    constructor(size, compressor, decompressor) {
+        this.compressor = compressor;
+        this.decompressor = decompressor;
+        this.size = size;
+        const byteCount = Math.ceil(size / 8);
+        this.bits = new Uint8Array(byteCount);
+    }
+    setBit(index, value) {
+        if (index < 0 || index >= this.size) {
+            throw new Error(`Bit index ${index} out of range (0-${this.size - 1})`);
+        }
+        const byteIndex = Math.floor(index / 8);
+        const bitIndex = index % 8;
+        if (value) {
+            this.bits[byteIndex] |= 1 << bitIndex;
+        }
+        else {
+            this.bits[byteIndex] &= ~(1 << bitIndex);
+        }
+    }
+    getBit(index) {
+        if (index < 0 || index >= this.size) {
+            throw new Error(`Bit index ${index} out of range (0-${this.size - 1})`);
+        }
+        const byteIndex = Math.floor(index / 8);
+        const bitIndex = index % 8;
+        return (this.bits[byteIndex] & (1 << bitIndex)) !== 0;
+    }
+    getSetBits() {
+        const setBits = [];
+        for (let i = 0; i < this.size; i++) {
+            if (this.getBit(i)) {
+                setBits.push(i);
+            }
+        }
+        return setBits;
+    }
+    async encode() {
+        const compressed = await this.compressor.compress(this.bits);
+        return this.base64urlEncode(compressed);
+    }
+    static async decode(encodedList, compressor, decompressor) {
+        const compressed = BitstringManager.base64urlDecode(encodedList);
+        const decompressed = await decompressor.decompress(compressed);
+        const size = decompressed.length * 8;
+        const manager = new BitstringManager(size, compressor, decompressor);
+        manager.bits = decompressed;
+        return manager;
+    }
+    getRawBits() {
+        return this.bits;
+    }
+    getSize() {
+        return this.size;
+    }
+    base64urlEncode(data) {
+        const base64 = this.bytesToBase64(data);
+        return base64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+    }
+    static base64urlDecode(encoded) {
+        let base64 = encoded.replace(/-/g, '+').replace(/_/g, '/');
+        while (base64.length % 4 !== 0) {
+            base64 += '=';
+        }
+        return BitstringManager.base64ToBytes(base64);
+    }
+    bytesToBase64(bytes) {
+        const binary = Array.from(bytes)
+            .map((byte) => String.fromCharCode(byte))
+            .join('');
+        return btoa(binary);
+    }
+    static base64ToBytes(base64) {
+        let standardBase64 = base64.replace(/-/g, '+').replace(/_/g, '/');
+        const paddingNeeded = (4 - (standardBase64.length % 4)) % 4;
+        standardBase64 += '='.repeat(paddingNeeded);
+        const binary = atob(standardBase64);
+        const bytes = new Uint8Array(binary.length);
+        for (let i = 0; i < binary.length; i++) {
+            bytes[i] = binary.charCodeAt(i);
+        }
+        return bytes;
+    }
+    static fromSetBits(size, setBits, compressor, decompressor) {
+        const manager = new BitstringManager(size, compressor, decompressor);
+        for (const index of setBits) {
+            manager.setBit(index, true);
+        }
+        return manager;
+    }
+}
+export async function isIndexSet(encodedList, index, decompressor) {
+    const compressed = BitstringManager['base64urlDecode'](encodedList);
+    const decompressed = await decompressor.decompress(compressed);
+    const byteIndex = Math.floor(index / 8);
+    const bitIndex = index % 8;
+    if (byteIndex >= decompressed.length) {
+        return false;
+    }
+    return (decompressed[byteIndex] & (1 << bitIndex)) !== 0;
+}
+//# sourceMappingURL=bitstring.js.map

package/dist/delegation/bitstring.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"bitstring.js","sourceRoot":"","sources":["../../src/delegation/bitstring.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAUH,MAAM,OAAO,gBAAgB;IAMjB;IACA;IANF,IAAI,CAAa;IACjB,IAAI,CAAS;IAErB,YACE,IAAY,EACJ,UAA+B,EAC/B,YAAmC;QADnC,eAAU,GAAV,UAAU,CAAqB;QAC/B,iBAAY,GAAZ,YAAY,CAAuB;QAE3C,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;QACjB,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC;QACtC,IAAI,CAAC,IAAI,GAAG,IAAI,UAAU,CAAC,SAAS,CAAC,CAAC;IACxC,CAAC;IAED,MAAM,CAAC,KAAa,EAAE,KAAc;QAClC,IAAI,KAAK,GAAG,CAAC,IAAI,KAAK,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;YACpC,MAAM,IAAI,KAAK,CAAC,aAAa,KAAK,oBAAoB,IAAI,CAAC,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;QAC1E,CAAC;QAED,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC;QACxC,MAAM,QAAQ,GAAG,KAAK,GAAG,CAAC,CAAC;QAE3B,IAAI,KAAK,EAAE,CAAC;YACV,IAAI,CAAC,IAAI,CAAC,SAAS,CAAE,IAAI,CAAC,IAAI,QAAQ,CAAC;QACzC,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,IAAI,CAAC,SAAS,CAAE,IAAI,CAAC,CAAC,CAAC,IAAI,QAAQ,CAAC,CAAC;QAC5C,CAAC;IACH,CAAC;IAED,MAAM,CAAC,KAAa;QAClB,IAAI,KAAK,GAAG,CAAC,IAAI,KAAK,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;YACpC,MAAM,IAAI,KAAK,CAAC,aAAa,KAAK,oBAAoB,IAAI,CAAC,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;QAC1E,CAAC;QAED,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC;QACxC,MAAM,QAAQ,GAAG,KAAK,GAAG,CAAC,CAAC;QAE3B,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAE,GAAG,CAAC,CAAC,IAAI,QAAQ,CAAC,CAAC,KAAK,CAAC,CAAC;IACzD,CAAC;IAED,UAAU;QACR,MAAM,OAAO,GAAa,EAAE,CAAC;QAC7B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC,EAAE,EAAE,CAAC;YACnC,IAAI,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC;gBACnB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAClB,CAAC;QACH,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,KAAK,CAAC,MAAM;QACV,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC7D,OAAO,IAAI,CAAC,eAAe,CAAC,UAAU,CAAC,CAAC;IAC1C,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,MAAM,CACjB,WAAmB,EACnB,UAA+B,EAC/B,YAAmC;QAEnC,MAAM,UAAU,GAAG,gBAAgB,CAAC,eAAe,CAAC,WAAW,CAAC,CAAC;QACjE,MAAM,YAAY,GAAG,MAAM,YAAY,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC;QAE/D,MAAM,IAAI,GAAG,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC;QACrC,MAAM,OAAO,GAAG,IAAI,gBAAgB,CAAC,IAAI,EAAE,UAAU,EAAE,YAAY,CAAC,CAAC;QACrE,OAAO,CAAC,IAAI,GAAG,YAAY,CAAC;QAC5B,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,UAAU;QACR,OAAO,IAAI,CAAC,IAAI,CAAC;IACnB,CAAC;IAED,OAAO;QACL,OAAO,IAAI,CAAC,IAAI,CAAC;IACnB,CAAC;IAEO,eAAe,CAAC,IAAgB;QACtC,MAAM,MAAM,GAAG,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC;QACxC,OAAO,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;IAC1E,CAAC;IAEO,MAAM,CAAC,eAAe,CAAC,OAAe;QAC5C,IAAI,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;QAC3D,OAAO,MAAM,CAAC,MAAM,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;YAC/B,MAAM,IAAI,GAAG,CAAC;QAChB,CAAC;QACD,OAAO,gBAAgB,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC;IAChD,CAAC;IAEO,aAAa,CAAC,KAAiB;QACrC,MAAM,MAAM,GAAG,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC;aAC7B,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC;aACxC,IAAI,CAAC,EAAE,CAAC,CAAC;QACZ,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC;IACtB,CAAC;IAEO,MAAM,CAAC,aAAa,CAAC,MAAc;QACzC,IAAI,cAAc,GAAG,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;QAClE,MAAM,aAAa,GAAG,CAAC,CAAC,GAAG,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;QAC5D,cAAc,IAAI,GAAG,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;QAE5C,MAAM,MAAM,GAAG,IAAI,CAAC,cAAc,CAAC,CAAC;QACpC,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QAC5C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACvC,KAAK,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;QAClC,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,CAAC,WAAW,CAChB,IAAY,EACZ,OAAiB,EACjB,UAA+B,EAC/B,YAAmC;QAEnC,MAAM,OAAO,GAAG,IAAI,gBAAgB,CAAC,IAAI,EAAE,UAAU,EAAE,YAAY,CAAC,CAAC;QACrE,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;YAC5B,OAAO,CAAC,MAAM,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;QAC9B,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;CACF;AAED,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,WAAmB,EACnB,KAAa,EACb,YAAmC;IAEnC,MAAM,UAAU,GAAI,gBAA8E,CAAC,iBAAiB,CAAC,CAAC,WAAW,CAAC,CAAC;IACnI,MAAM,YAAY,GAAG,MAAM,YAAY,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC;IAE/D,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC;IACxC,MAAM,QAAQ,GAAG,KAAK,GAAG,CAAC,CAAC;IAE3B,IAAI,SAAS,IAAI,YAAY,CAAC,MAAM,EAAE,CAAC;QACrC,OAAO,KAAK,CAAC;IACf,CAAC;IAED,OAAO,CAAC,YAAY,CAAC,SAAS,CAAE,GAAG,CAAC,CAAC,IAAI,QAAQ,CAAC,CAAC,KAAK,CAAC,CAAC;AAC5D,CAAC"}

package/dist/delegation/cascading-revocation.d.ts

@@ -0,0 +1,45 @@
+/**
+ * Cascading Revocation Manager
+ *
+ * Implements cascading revocation per Python POC design.
+ * When a parent delegation is revoked, all children are automatically revoked.
+ *
+ * Related Spec: MCP-I §4.4, Delegation Chains
+ */
+import { DelegationGraphManager } from './delegation-graph.js';
+import { StatusList2021Manager } from './statuslist-manager.js';
+export interface RevocationEvent {
+    delegationId: string;
+    isRoot: boolean;
+    parentId?: string;
+    timestamp: number;
+    reason?: string;
+}
+export type RevocationHook = (event: RevocationEvent) => Promise<void> | void;
+export interface CascadingRevocationOptions {
+    reason?: string;
+    onRevoke?: RevocationHook;
+    maxDepth?: number;
+    dryRun?: boolean;
+}
+export declare class CascadingRevocationManager {
+    private graph;
+    private statusList;
+    constructor(graph: DelegationGraphManager, statusList: StatusList2021Manager);
+    revokeDelegation(delegationId: string, options?: CascadingRevocationOptions): Promise<RevocationEvent[]>;
+    private revokeNode;
+    restoreDelegation(delegationId: string): Promise<RevocationEvent>;
+    isRevoked(delegationId: string): Promise<{
+        revoked: boolean;
+        reason?: string;
+        revokedAncestor?: string;
+    }>;
+    getRevokedInSubtree(rootId: string): Promise<string[]>;
+    private parseCredentialStatus;
+    validateDelegation(delegationId: string): Promise<{
+        valid: boolean;
+        reason?: string;
+    }>;
+}
+export declare function createCascadingRevocationManager(graph: DelegationGraphManager, statusList: StatusList2021Manager): CascadingRevocationManager;
+//# sourceMappingURL=cascading-revocation.d.ts.map

package/dist/delegation/cascading-revocation.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cascading-revocation.d.ts","sourceRoot":"","sources":["../../src/delegation/cascading-revocation.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,EAAE,sBAAsB,EAAuB,MAAM,uBAAuB,CAAC;AACpF,OAAO,EAAE,qBAAqB,EAAE,MAAM,yBAAyB,CAAC;AAEhE,MAAM,WAAW,eAAe;IAC9B,YAAY,EAAE,MAAM,CAAC;IACrB,MAAM,EAAE,OAAO,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,MAAM,cAAc,GAAG,CAAC,KAAK,EAAE,eAAe,KAAK,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;AAE9E,MAAM,WAAW,0BAA0B;IACzC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,cAAc,CAAC;IAC1B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,OAAO,CAAC;CAClB;AAED,qBAAa,0BAA0B;IAEnC,OAAO,CAAC,KAAK;IACb,OAAO,CAAC,UAAU;gBADV,KAAK,EAAE,sBAAsB,EAC7B,UAAU,EAAE,qBAAqB;IAGrC,gBAAgB,CACpB,YAAY,EAAE,MAAM,EACpB,OAAO,GAAE,0BAA+B,GACvC,OAAO,CAAC,eAAe,EAAE,CAAC;YA8Cf,UAAU;IA6BlB,iBAAiB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,CAAC;IAuBjE,SAAS,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC;QAC7C,OAAO,EAAE,OAAO,CAAC;QACjB,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,eAAe,CAAC,EAAE,MAAM,CAAC;KAC1B,CAAC;IAsBI,mBAAmB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAmB5D,OAAO,CAAC,qBAAqB;IAgBvB,kBAAkB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC;QAAE,KAAK,EAAE,OAAO,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;CAkB7F;AAED,wBAAgB,gCAAgC,CAC9C,KAAK,EAAE,sBAAsB,EAC7B,UAAU,EAAE,qBAAqB,GAChC,0BAA0B,CAE5B"}