npm - @mcp-i/core - Versions diffs - 0.1.0 - Mend

@mcp-i/core 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (226) hide show

package/LICENSE +21 -0
package/README.md +390 -0
package/dist/auth/handshake.d.ts +104 -0
package/dist/auth/handshake.d.ts.map +1 -0
package/dist/auth/handshake.js +230 -0
package/dist/auth/handshake.js.map +1 -0
package/dist/auth/index.d.ts +3 -0
package/dist/auth/index.d.ts.map +1 -0
package/dist/auth/index.js +2 -0
package/dist/auth/index.js.map +1 -0
package/dist/auth/types.d.ts +31 -0
package/dist/auth/types.d.ts.map +1 -0
package/dist/auth/types.js +7 -0
package/dist/auth/types.js.map +1 -0
package/dist/delegation/audience-validator.d.ts +9 -0
package/dist/delegation/audience-validator.d.ts.map +1 -0
package/dist/delegation/audience-validator.js +17 -0
package/dist/delegation/audience-validator.js.map +1 -0
package/dist/delegation/bitstring.d.ts +37 -0
package/dist/delegation/bitstring.d.ts.map +1 -0
package/dist/delegation/bitstring.js +117 -0
package/dist/delegation/bitstring.js.map +1 -0
package/dist/delegation/cascading-revocation.d.ts +45 -0
package/dist/delegation/cascading-revocation.d.ts.map +1 -0
package/dist/delegation/cascading-revocation.js +148 -0
package/dist/delegation/cascading-revocation.js.map +1 -0
package/dist/delegation/delegation-graph.d.ts +49 -0
package/dist/delegation/delegation-graph.d.ts.map +1 -0
package/dist/delegation/delegation-graph.js +99 -0
package/dist/delegation/delegation-graph.js.map +1 -0
package/dist/delegation/did-key-resolver.d.ts +64 -0
package/dist/delegation/did-key-resolver.d.ts.map +1 -0
package/dist/delegation/did-key-resolver.js +154 -0
package/dist/delegation/did-key-resolver.js.map +1 -0
package/dist/delegation/did-web-resolver.d.ts +83 -0
package/dist/delegation/did-web-resolver.d.ts.map +1 -0
package/dist/delegation/did-web-resolver.js +218 -0
package/dist/delegation/did-web-resolver.js.map +1 -0
package/dist/delegation/index.d.ts +21 -0
package/dist/delegation/index.d.ts.map +1 -0
package/dist/delegation/index.js +21 -0
package/dist/delegation/index.js.map +1 -0
package/dist/delegation/outbound-headers.d.ts +81 -0
package/dist/delegation/outbound-headers.d.ts.map +1 -0
package/dist/delegation/outbound-headers.js +139 -0
package/dist/delegation/outbound-headers.js.map +1 -0
package/dist/delegation/outbound-proof.d.ts +43 -0
package/dist/delegation/outbound-proof.d.ts.map +1 -0
package/dist/delegation/outbound-proof.js +52 -0
package/dist/delegation/outbound-proof.js.map +1 -0
package/dist/delegation/statuslist-manager.d.ts +44 -0
package/dist/delegation/statuslist-manager.d.ts.map +1 -0
package/dist/delegation/statuslist-manager.js +126 -0
package/dist/delegation/statuslist-manager.js.map +1 -0
package/dist/delegation/storage/memory-graph-storage.d.ts +70 -0
package/dist/delegation/storage/memory-graph-storage.d.ts.map +1 -0
package/dist/delegation/storage/memory-graph-storage.js +145 -0
package/dist/delegation/storage/memory-graph-storage.js.map +1 -0
package/dist/delegation/storage/memory-statuslist-storage.d.ts +19 -0
package/dist/delegation/storage/memory-statuslist-storage.d.ts.map +1 -0
package/dist/delegation/storage/memory-statuslist-storage.js +33 -0
package/dist/delegation/storage/memory-statuslist-storage.js.map +1 -0
package/dist/delegation/utils.d.ts +49 -0
package/dist/delegation/utils.d.ts.map +1 -0
package/dist/delegation/utils.js +131 -0
package/dist/delegation/utils.js.map +1 -0
package/dist/delegation/vc-issuer.d.ts +56 -0
package/dist/delegation/vc-issuer.d.ts.map +1 -0
package/dist/delegation/vc-issuer.js +80 -0
package/dist/delegation/vc-issuer.js.map +1 -0
package/dist/delegation/vc-verifier.d.ts +112 -0
package/dist/delegation/vc-verifier.d.ts.map +1 -0
package/dist/delegation/vc-verifier.js +280 -0
package/dist/delegation/vc-verifier.js.map +1 -0
package/dist/index.d.ts +45 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +53 -0
package/dist/index.js.map +1 -0
package/dist/logging/index.d.ts +2 -0
package/dist/logging/index.d.ts.map +1 -0
package/dist/logging/index.js +2 -0
package/dist/logging/index.js.map +1 -0
package/dist/logging/logger.d.ts +23 -0
package/dist/logging/logger.d.ts.map +1 -0
package/dist/logging/logger.js +82 -0
package/dist/logging/logger.js.map +1 -0
package/dist/middleware/index.d.ts +7 -0
package/dist/middleware/index.d.ts.map +1 -0
package/dist/middleware/index.js +7 -0
package/dist/middleware/index.js.map +1 -0
package/dist/middleware/with-mcpi.d.ts +152 -0
package/dist/middleware/with-mcpi.d.ts.map +1 -0
package/dist/middleware/with-mcpi.js +472 -0
package/dist/middleware/with-mcpi.js.map +1 -0
package/dist/proof/errors.d.ts +49 -0
package/dist/proof/errors.d.ts.map +1 -0
package/dist/proof/errors.js +61 -0
package/dist/proof/errors.js.map +1 -0
package/dist/proof/generator.d.ts +65 -0
package/dist/proof/generator.d.ts.map +1 -0
package/dist/proof/generator.js +163 -0
package/dist/proof/generator.js.map +1 -0
package/dist/proof/index.d.ts +4 -0
package/dist/proof/index.d.ts.map +1 -0
package/dist/proof/index.js +4 -0
package/dist/proof/index.js.map +1 -0
package/dist/proof/verifier.d.ts +108 -0
package/dist/proof/verifier.d.ts.map +1 -0
package/dist/proof/verifier.js +299 -0
package/dist/proof/verifier.js.map +1 -0
package/dist/providers/base.d.ts +64 -0
package/dist/providers/base.d.ts.map +1 -0
package/dist/providers/base.js +19 -0
package/dist/providers/base.js.map +1 -0
package/dist/providers/index.d.ts +3 -0
package/dist/providers/index.d.ts.map +1 -0
package/dist/providers/index.js +3 -0
package/dist/providers/index.js.map +1 -0
package/dist/providers/memory.d.ts +33 -0
package/dist/providers/memory.d.ts.map +1 -0
package/dist/providers/memory.js +102 -0
package/dist/providers/memory.js.map +1 -0
package/dist/session/index.d.ts +2 -0
package/dist/session/index.d.ts.map +1 -0
package/dist/session/index.js +2 -0
package/dist/session/index.js.map +1 -0
package/dist/session/manager.d.ts +77 -0
package/dist/session/manager.d.ts.map +1 -0
package/dist/session/manager.js +251 -0
package/dist/session/manager.js.map +1 -0
package/dist/types/protocol.d.ts +320 -0
package/dist/types/protocol.d.ts.map +1 -0
package/dist/types/protocol.js +229 -0
package/dist/types/protocol.js.map +1 -0
package/dist/utils/base58.d.ts +31 -0
package/dist/utils/base58.d.ts.map +1 -0
package/dist/utils/base58.js +104 -0
package/dist/utils/base58.js.map +1 -0
package/dist/utils/base64.d.ts +13 -0
package/dist/utils/base64.d.ts.map +1 -0
package/dist/utils/base64.js +99 -0
package/dist/utils/base64.js.map +1 -0
package/dist/utils/crypto-service.d.ts +37 -0
package/dist/utils/crypto-service.d.ts.map +1 -0
package/dist/utils/crypto-service.js +153 -0
package/dist/utils/crypto-service.js.map +1 -0
package/dist/utils/did-helpers.d.ts +156 -0
package/dist/utils/did-helpers.d.ts.map +1 -0
package/dist/utils/did-helpers.js +193 -0
package/dist/utils/did-helpers.js.map +1 -0
package/dist/utils/ed25519-constants.d.ts +18 -0
package/dist/utils/ed25519-constants.d.ts.map +1 -0
package/dist/utils/ed25519-constants.js +21 -0
package/dist/utils/ed25519-constants.js.map +1 -0
package/dist/utils/index.d.ts +5 -0
package/dist/utils/index.d.ts.map +1 -0
package/dist/utils/index.js +5 -0
package/dist/utils/index.js.map +1 -0
package/package.json +105 -0
package/src/__tests__/integration/full-flow.test.ts +362 -0
package/src/__tests__/providers/base.test.ts +173 -0
package/src/__tests__/providers/memory.test.ts +332 -0
package/src/__tests__/utils/mock-providers.ts +319 -0
package/src/__tests__/utils/node-crypto-provider.ts +93 -0
package/src/auth/handshake.ts +411 -0
package/src/auth/index.ts +11 -0
package/src/auth/types.ts +40 -0
package/src/delegation/__tests__/audience-validator.test.ts +110 -0
package/src/delegation/__tests__/bitstring.test.ts +346 -0
package/src/delegation/__tests__/cascading-revocation.test.ts +624 -0
package/src/delegation/__tests__/delegation-graph.test.ts +623 -0
package/src/delegation/__tests__/did-key-resolver.test.ts +265 -0
package/src/delegation/__tests__/did-web-resolver.test.ts +467 -0
package/src/delegation/__tests__/outbound-headers.test.ts +230 -0
package/src/delegation/__tests__/outbound-proof.test.ts +179 -0
package/src/delegation/__tests__/statuslist-manager.test.ts +515 -0
package/src/delegation/__tests__/utils.test.ts +185 -0
package/src/delegation/__tests__/vc-issuer.test.ts +487 -0
package/src/delegation/__tests__/vc-verifier.test.ts +1029 -0
package/src/delegation/audience-validator.ts +24 -0
package/src/delegation/bitstring.ts +160 -0
package/src/delegation/cascading-revocation.ts +224 -0
package/src/delegation/delegation-graph.ts +143 -0
package/src/delegation/did-key-resolver.ts +181 -0
package/src/delegation/did-web-resolver.ts +270 -0
package/src/delegation/index.ts +33 -0
package/src/delegation/outbound-headers.ts +193 -0
package/src/delegation/outbound-proof.ts +90 -0
package/src/delegation/statuslist-manager.ts +219 -0
package/src/delegation/storage/__tests__/memory-graph-storage.test.ts +366 -0
package/src/delegation/storage/__tests__/memory-statuslist-storage.test.ts +228 -0
package/src/delegation/storage/memory-graph-storage.ts +178 -0
package/src/delegation/storage/memory-statuslist-storage.ts +42 -0
package/src/delegation/utils.ts +189 -0
package/src/delegation/vc-issuer.ts +137 -0
package/src/delegation/vc-verifier.ts +440 -0
package/src/index.ts +264 -0
package/src/logging/__tests__/logger.test.ts +366 -0
package/src/logging/index.ts +6 -0
package/src/logging/logger.ts +91 -0
package/src/middleware/__tests__/with-mcpi.test.ts +504 -0
package/src/middleware/index.ts +16 -0
package/src/middleware/with-mcpi.ts +766 -0
package/src/proof/__tests__/proof-generator.test.ts +483 -0
package/src/proof/__tests__/verifier.test.ts +488 -0
package/src/proof/errors.ts +75 -0
package/src/proof/generator.ts +255 -0
package/src/proof/index.ts +22 -0
package/src/proof/verifier.ts +449 -0
package/src/providers/base.ts +68 -0
package/src/providers/index.ts +15 -0
package/src/providers/memory.ts +130 -0
package/src/session/__tests__/session-manager.test.ts +342 -0
package/src/session/index.ts +7 -0
package/src/session/manager.ts +332 -0
package/src/types/protocol.ts +596 -0
package/src/utils/__tests__/base58.test.ts +281 -0
package/src/utils/__tests__/base64.test.ts +239 -0
package/src/utils/__tests__/crypto-service.test.ts +530 -0
package/src/utils/__tests__/did-helpers.test.ts +156 -0
package/src/utils/base58.ts +115 -0
package/src/utils/base64.ts +116 -0
package/src/utils/crypto-service.ts +209 -0
package/src/utils/did-helpers.ts +210 -0
package/src/utils/ed25519-constants.ts +23 -0
package/src/utils/index.ts +9 -0

package/dist/delegation/did-web-resolver.js ADDED Viewed

@@ -0,0 +1,218 @@
+/**
+ * DID:web Resolver
+ *
+ * Resolves did:web DIDs by fetching /.well-known/did.json from the domain.
+ * Supports both root domain DIDs and path-based DIDs.
+ *
+ * Examples:
+ *   did:web:example.com → https://example.com/.well-known/did.json
+ *   did:web:example.com:agents:bot1 → https://example.com/agents/bot1/did.json
+ *
+ * @see https://w3c-ccg.github.io/did-method-web/
+ */
+import { logger } from '../logging/index.js';
+/**
+ * Type guard for checking if value is a valid DID Document structure
+ */
+function isValidDIDDocument(value) {
+    if (typeof value !== 'object' || value === null) {
+        return false;
+    }
+    const doc = value;
+    // id is required and must be a string
+    if (typeof doc['id'] !== 'string' || doc['id'].length === 0) {
+        return false;
+    }
+    // verificationMethod is optional but if present must be an array
+    if (doc['verificationMethod'] !== undefined) {
+        if (!Array.isArray(doc['verificationMethod'])) {
+            return false;
+        }
+        // Each verification method must have required fields
+        for (const vm of doc['verificationMethod']) {
+            if (!isValidVerificationMethod(vm)) {
+                return false;
+            }
+        }
+    }
+    return true;
+}
+/**
+ * Type guard for checking if value is a valid VerificationMethod
+ */
+function isValidVerificationMethod(value) {
+    if (typeof value !== 'object' || value === null) {
+        return false;
+    }
+    const vm = value;
+    // id, type, and controller are required strings
+    if (typeof vm['id'] !== 'string' || vm['id'].length === 0) {
+        return false;
+    }
+    if (typeof vm['type'] !== 'string' || vm['type'].length === 0) {
+        return false;
+    }
+    if (typeof vm['controller'] !== 'string' || vm['controller'].length === 0) {
+        return false;
+    }
+    return true;
+}
+/**
+ * Check if a DID is a did:web DID
+ *
+ * @param did - The DID to check
+ * @returns true if it's a did:web DID
+ */
+export function isDidWeb(did) {
+    return did.startsWith('did:web:');
+}
+/**
+ * Parse a did:web DID into its components
+ *
+ * @param did - The did:web DID to parse
+ * @returns Parsed components or null if invalid
+ */
+export function parseDidWeb(did) {
+    if (!isDidWeb(did)) {
+        return null;
+    }
+    // Remove the 'did:web:' prefix
+    const remainder = did.slice(8);
+    if (remainder.length === 0) {
+        return null;
+    }
+    // Split by ':' to get domain and path components
+    const parts = remainder.split(':');
+    // First part is the domain (URL-decoded)
+    const domain = decodeURIComponent(parts[0]);
+    if (domain.length === 0) {
+        return null;
+    }
+    // Remaining parts form the path
+    const path = parts.slice(1).map((p) => decodeURIComponent(p));
+    return { domain, path };
+}
+/**
+ * Convert a did:web DID to its resolution URL
+ *
+ * did:web:example.com → https://example.com/.well-known/did.json
+ * did:web:example.com:path:to:doc → https://example.com/path/to/doc/did.json
+ *
+ * @param did - The did:web DID
+ * @returns The resolution URL or null if invalid
+ */
+export function didWebToUrl(did) {
+    const parsed = parseDidWeb(did);
+    if (!parsed) {
+        return null;
+    }
+    const { domain, path } = parsed;
+    // Build the URL
+    // Note: did:web specification requires HTTPS
+    let url = `https://${domain}`;
+    if (path.length === 0) {
+        // Root domain: use /.well-known/did.json
+        url += '/.well-known/did.json';
+    }
+    else {
+        // Path-based: use /path/to/resource/did.json
+        url += '/' + path.join('/') + '/did.json';
+    }
+    return url;
+}
+/**
+ * DID:web resolver implementation
+ */
+export class DidWebResolver {
+    fetchProvider;
+    cache;
+    cacheTtl;
+    constructor(fetchProvider, options) {
+        this.fetchProvider = fetchProvider;
+        this.cache = new Map();
+        this.cacheTtl = options?.cacheTtl ?? 300_000; // 5 minutes default
+    }
+    /**
+     * Resolve a did:web DID to its DID Document
+     *
+     * @param did - The did:web DID to resolve
+     * @returns The DID Document or null if resolution fails
+     */
+    async resolve(did) {
+        // Check if it's a did:web
+        if (!isDidWeb(did)) {
+            return null;
+        }
+        // Check cache
+        const cached = this.cache.get(did);
+        if (cached && Date.now() < cached.expiresAt) {
+            return cached.document;
+        }
+        // Convert to URL
+        const url = didWebToUrl(did);
+        if (!url) {
+            logger.warn(`[DidWebResolver] Invalid did:web format: ${did}`);
+            return null;
+        }
+        try {
+            // Fetch the DID document
+            const response = await this.fetchProvider.fetch(url);
+            if (!response.ok) {
+                logger.warn(`[DidWebResolver] HTTP ${response.status} fetching ${url}`);
+                return null;
+            }
+            // Parse JSON
+            let json;
+            try {
+                json = await response.json();
+            }
+            catch {
+                logger.warn(`[DidWebResolver] Invalid JSON from ${url}`);
+                return null;
+            }
+            // Validate structure
+            if (!isValidDIDDocument(json)) {
+                logger.warn(`[DidWebResolver] Invalid DID Document structure from ${url}`);
+                return null;
+            }
+            // Verify the id matches the DID
+            if (json.id !== did) {
+                logger.warn(`[DidWebResolver] DID Document id mismatch: expected ${did}, got ${json.id}`);
+                return null;
+            }
+            // Cache the result
+            this.cache.set(did, {
+                document: json,
+                expiresAt: Date.now() + this.cacheTtl,
+            });
+            return json;
+        }
+        catch (error) {
+            logger.warn(`[DidWebResolver] Error resolving ${did}: ${error instanceof Error ? error.message : 'Unknown error'}`);
+            return null;
+        }
+    }
+    /**
+     * Clear the resolution cache
+     */
+    clearCache() {
+        this.cache.clear();
+    }
+    /**
+     * Clear a specific entry from the cache
+     */
+    clearCacheEntry(did) {
+        this.cache.delete(did);
+    }
+}
+/**
+ * Create a did:web resolver with the given fetch provider
+ *
+ * @param fetchProvider - Provider for making HTTP requests
+ * @param options - Optional configuration
+ * @returns DIDResolver implementation for did:web
+ */
+export function createDidWebResolver(fetchProvider, options) {
+    return new DidWebResolver(fetchProvider, options);
+}
+//# sourceMappingURL=did-web-resolver.js.map

package/dist/delegation/did-web-resolver.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"did-web-resolver.js","sourceRoot":"","sources":["../../src/delegation/did-web-resolver.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAIH,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAC;AAU7C;;GAEG;AACH,SAAS,kBAAkB,CAAC,KAAc;IACxC,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;QAChD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,GAAG,GAAG,KAAgC,CAAC;IAE7C,sCAAsC;IACtC,IAAI,OAAO,GAAG,CAAC,IAAI,CAAC,KAAK,QAAQ,IAAI,GAAG,CAAC,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC5D,OAAO,KAAK,CAAC;IACf,CAAC;IAED,iEAAiE;IACjE,IAAI,GAAG,CAAC,oBAAoB,CAAC,KAAK,SAAS,EAAE,CAAC;QAC5C,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC,EAAE,CAAC;YAC9C,OAAO,KAAK,CAAC;QACf,CAAC;QAED,qDAAqD;QACrD,KAAK,MAAM,EAAE,IAAI,GAAG,CAAC,oBAAoB,CAAC,EAAE,CAAC;YAC3C,IAAI,CAAC,yBAAyB,CAAC,EAAE,CAAC,EAAE,CAAC;gBACnC,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;GAEG;AACH,SAAS,yBAAyB,CAAC,KAAc;IAC/C,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;QAChD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,EAAE,GAAG,KAAgC,CAAC;IAE5C,gDAAgD;IAChD,IAAI,OAAO,EAAE,CAAC,IAAI,CAAC,KAAK,QAAQ,IAAI,EAAE,CAAC,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1D,OAAO,KAAK,CAAC;IACf,CAAC;IACD,IAAI,OAAO,EAAE,CAAC,MAAM,CAAC,KAAK,QAAQ,IAAI,EAAE,CAAC,MAAM,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC9D,OAAO,KAAK,CAAC;IACf,CAAC;IACD,IAAI,OAAO,EAAE,CAAC,YAAY,CAAC,KAAK,QAAQ,IAAI,EAAE,CAAC,YAAY,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1E,OAAO,KAAK,CAAC;IACf,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,QAAQ,CAAC,GAAW;IAClC,OAAO,GAAG,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC;AACpC,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,WAAW,CAAC,GAAW;IACrC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACnB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,+BAA+B;IAC/B,MAAM,SAAS,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAE/B,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC3B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,iDAAiD;IACjD,MAAM,KAAK,GAAG,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAEnC,yCAAyC;IACzC,MAAM,MAAM,GAAG,kBAAkB,CAAC,KAAK,CAAC,CAAC,CAAE,CAAC,CAAC;IAE7C,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACxB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,gCAAgC;IAChC,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,kBAAkB,CAAC,CAAC,CAAC,CAAC,CAAC;IAE9D,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;AAC1B,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,WAAW,CAAC,GAAW;IACrC,MAAM,MAAM,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC;IAEhC,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,CAAC;IAEhC,gBAAgB;IAChB,6CAA6C;IAC7C,IAAI,GAAG,GAAG,WAAW,MAAM,EAAE,CAAC;IAE9B,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtB,yCAAyC;QACzC,GAAG,IAAI,uBAAuB,CAAC;IACjC,CAAC;SAAM,CAAC;QACN,6CAA6C;QAC7C,GAAG,IAAI,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,WAAW,CAAC;IAC5C,CAAC;IAED,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;GAEG;AACH,MAAM,OAAO,cAAc;IACjB,aAAa,CAAgB;IAC7B,KAAK,CAA4D;IACjE,QAAQ,CAAS;IAEzB,YAAY,aAA4B,EAAE,OAA+B;QACvE,IAAI,CAAC,aAAa,GAAG,aAAa,CAAC;QACnC,IAAI,CAAC,KAAK,GAAG,IAAI,GAAG,EAAE,CAAC;QACvB,IAAI,CAAC,QAAQ,GAAG,OAAO,EAAE,QAAQ,IAAI,OAAO,CAAC,CAAC,oBAAoB;IACpE,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,OAAO,CAAC,GAAW;QACvB,0BAA0B;QAC1B,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YACnB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,cAAc;QACd,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACnC,IAAI,MAAM,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,SAAS,EAAE,CAAC;YAC5C,OAAO,MAAM,CAAC,QAAQ,CAAC;QACzB,CAAC;QAED,iBAAiB;QACjB,MAAM,GAAG,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC;QAC7B,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,MAAM,CAAC,IAAI,CAAC,4CAA4C,GAAG,EAAE,CAAC,CAAC;YAC/D,OAAO,IAAI,CAAC;QACd,CAAC;QAED,IAAI,CAAC;YACH,yBAAyB;YACzB,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAErD,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,MAAM,CAAC,IAAI,CAAC,yBAAyB,QAAQ,CAAC,MAAM,aAAa,GAAG,EAAE,CAAC,CAAC;gBACxE,OAAO,IAAI,CAAC;YACd,CAAC;YAED,aAAa;YACb,IAAI,IAAa,CAAC;YAClB,IAAI,CAAC;gBACH,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;YAC/B,CAAC;YAAC,MAAM,CAAC;gBACP,MAAM,CAAC,IAAI,CAAC,sCAAsC,GAAG,EAAE,CAAC,CAAC;gBACzD,OAAO,IAAI,CAAC;YACd,CAAC;YAED,qBAAqB;YACrB,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC9B,MAAM,CAAC,IAAI,CAAC,wDAAwD,GAAG,EAAE,CAAC,CAAC;gBAC3E,OAAO,IAAI,CAAC;YACd,CAAC;YAED,gCAAgC;YAChC,IAAI,IAAI,CAAC,EAAE,KAAK,GAAG,EAAE,CAAC;gBACpB,MAAM,CAAC,IAAI,CAAC,uDAAuD,GAAG,SAAS,IAAI,CAAC,EAAE,EAAE,CAAC,CAAC;gBAC1F,OAAO,IAAI,CAAC;YACd,CAAC;YAED,mBAAmB;YACnB,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE;gBAClB,QAAQ,EAAE,IAAI;gBACd,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,QAAQ;aACtC,CAAC,CAAC;YAEH,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,CAAC,IAAI,CACT,oCAAoC,GAAG,KAAK,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,EAAE,CACvG,CAAC;YACF,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED;;OAEG;IACH,UAAU;QACR,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;IACrB,CAAC;IAED;;OAEG;IACH,eAAe,CAAC,GAAW;QACzB,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IACzB,CAAC;CACF;AAED;;;;;;GAMG;AACH,MAAM,UAAU,oBAAoB,CAClC,aAA4B,EAC5B,OAA+B;IAE/B,OAAO,IAAI,cAAc,CAAC,aAAa,EAAE,OAAO,CAAC,CAAC;AACpD,CAAC"}

package/dist/delegation/index.d.ts ADDED Viewed

@@ -0,0 +1,21 @@
+/**
+ * Delegation Module Exports (Platform-Agnostic)
+ *
+ * W3C VC-based delegation issuance and verification.
+ * Platform-specific adapters (Node.js, Cloudflare) provide signing/verification functions.
+ */
+export * from './vc-issuer.js';
+export * from './vc-verifier.js';
+export * from './bitstring.js';
+export * from './statuslist-manager.js';
+export * from './delegation-graph.js';
+export * from './cascading-revocation.js';
+export * from './utils.js';
+export * from './outbound-proof.js';
+export * from './outbound-headers.js';
+export * from './audience-validator.js';
+export { createDidKeyResolver, resolveDidKeySync, isEd25519DidKey, extractPublicKeyFromDidKey, publicKeyToJwk, } from './did-key-resolver.js';
+export { DidWebResolver, createDidWebResolver, isDidWeb, parseDidWeb, didWebToUrl, } from './did-web-resolver.js';
+export { MemoryStatusListStorage } from './storage/memory-statuslist-storage.js';
+export { MemoryDelegationGraphStorage } from './storage/memory-graph-storage.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/delegation/index.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/delegation/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,cAAc,gBAAgB,CAAC;AAC/B,cAAc,kBAAkB,CAAC;AACjC,cAAc,gBAAgB,CAAC;AAC/B,cAAc,yBAAyB,CAAC;AACxC,cAAc,uBAAuB,CAAC;AACtC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,YAAY,CAAC;AAC3B,cAAc,qBAAqB,CAAC;AACpC,cAAc,uBAAuB,CAAC;AACtC,cAAc,yBAAyB,CAAC;AACxC,OAAO,EACL,oBAAoB,EACpB,iBAAiB,EACjB,eAAe,EACf,0BAA0B,EAC1B,cAAc,GACf,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACL,cAAc,EACd,oBAAoB,EACpB,QAAQ,EACR,WAAW,EACX,WAAW,GACZ,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,uBAAuB,EAAE,MAAM,wCAAwC,CAAC;AACjF,OAAO,EAAE,4BAA4B,EAAE,MAAM,mCAAmC,CAAC"}

package/dist/delegation/index.js ADDED Viewed

@@ -0,0 +1,21 @@
+/**
+ * Delegation Module Exports (Platform-Agnostic)
+ *
+ * W3C VC-based delegation issuance and verification.
+ * Platform-specific adapters (Node.js, Cloudflare) provide signing/verification functions.
+ */
+export * from './vc-issuer.js';
+export * from './vc-verifier.js';
+export * from './bitstring.js';
+export * from './statuslist-manager.js';
+export * from './delegation-graph.js';
+export * from './cascading-revocation.js';
+export * from './utils.js';
+export * from './outbound-proof.js';
+export * from './outbound-headers.js';
+export * from './audience-validator.js';
+export { createDidKeyResolver, resolveDidKeySync, isEd25519DidKey, extractPublicKeyFromDidKey, publicKeyToJwk, } from './did-key-resolver.js';
+export { DidWebResolver, createDidWebResolver, isDidWeb, parseDidWeb, didWebToUrl, } from './did-web-resolver.js';
+export { MemoryStatusListStorage } from './storage/memory-statuslist-storage.js';
+export { MemoryDelegationGraphStorage } from './storage/memory-graph-storage.js';
+//# sourceMappingURL=index.js.map

package/dist/delegation/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/delegation/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,cAAc,gBAAgB,CAAC;AAC/B,cAAc,kBAAkB,CAAC;AACjC,cAAc,gBAAgB,CAAC;AAC/B,cAAc,yBAAyB,CAAC;AACxC,cAAc,uBAAuB,CAAC;AACtC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,YAAY,CAAC;AAC3B,cAAc,qBAAqB,CAAC;AACpC,cAAc,uBAAuB,CAAC;AACtC,cAAc,yBAAyB,CAAC;AACxC,OAAO,EACL,oBAAoB,EACpB,iBAAiB,EACjB,eAAe,EACf,0BAA0B,EAC1B,cAAc,GACf,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACL,cAAc,EACd,oBAAoB,EACpB,QAAQ,EACR,WAAW,EACX,WAAW,GACZ,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,uBAAuB,EAAE,MAAM,wCAAwC,CAAC;AACjF,OAAO,EAAE,4BAA4B,EAAE,MAAM,mCAAmC,CAAC"}

package/dist/delegation/outbound-headers.d.ts ADDED Viewed

@@ -0,0 +1,81 @@
+/**
+ * Outbound Delegation Headers
+ *
+ * Builds the full set of outbound delegation headers for forwarding
+ * delegation context to downstream services.
+ *
+ * Headers (MCP-I §7):
+ * - X-Agent-DID: the original agent's DID
+ * - X-Delegation-Chain: the delegation chain ID (vcId of the root delegation)
+ * - X-Session-ID: the current session ID
+ * - X-Delegation-Proof: a signed JWT proving the delegation is being forwarded
+ *
+ * Related Spec: MCP-I §7 — Outbound Delegation Propagation
+ */
+import type { SessionContext, DelegationRecord } from '../types/protocol.js';
+import type { CryptoProvider } from '../providers/base.js';
+/**
+ * Header names for outbound delegation propagation
+ */
+export declare const OUTBOUND_HEADER_NAMES: {
+    readonly AGENT_DID: "X-Agent-DID";
+    readonly DELEGATION_CHAIN: "X-Delegation-Chain";
+    readonly SESSION_ID: "X-Session-ID";
+    readonly DELEGATION_PROOF: "X-Delegation-Proof";
+};
+/**
+ * Context required to build outbound delegation headers
+ */
+export interface OutboundDelegationContext {
+    /** The current session context */
+    session: SessionContext;
+    /** The delegation record being forwarded */
+    delegation: DelegationRecord;
+    /** The MCP server's identity for signing the proof */
+    serverIdentity: {
+        did: string;
+        kid: string;
+        privateKey: string;
+    };
+    /** The downstream URL being called */
+    targetUrl: string;
+}
+/**
+ * Outbound delegation headers to attach to downstream requests
+ */
+export interface OutboundDelegationHeaders {
+    'X-Agent-DID': string;
+    'X-Delegation-Chain': string;
+    'X-Session-ID': string;
+    'X-Delegation-Proof': string;
+}
+/**
+ * Build outbound delegation headers for forwarding to downstream services.
+ *
+ * When an MCP server calls a downstream service on behalf of an agent,
+ * it MUST forward the delegation context using these headers so the
+ * downstream service can independently verify the delegation chain.
+ *
+ * @param context - The delegation context including session, delegation, and server identity
+ * @param _cryptoProvider - CryptoProvider (reserved for future use)
+ * @returns Headers object to attach to the outbound request
+ *
+ * @throws {Error} If session is missing agentDid or sessionId
+ * @throws {Error} If delegation is missing vcId
+ * @throws {Error} If serverIdentity.did is not a valid Ed25519 did:key
+ *
+ * @example
+ * ```typescript
+ * const headers = await buildOutboundDelegationHeaders({
+ *   session,
+ *   delegation,
+ *   serverIdentity: { did: serverDid, kid: serverKid, privateKey },
+ *   targetUrl: 'https://downstream-api.example.com/resource',
+ * }, cryptoProvider);
+ *
+ * // Attach headers to your HTTP request
+ * fetch(targetUrl, { headers });
+ * ```
+ */
+export declare function buildOutboundDelegationHeaders(context: OutboundDelegationContext, _cryptoProvider: CryptoProvider): Promise<OutboundDelegationHeaders>;
+//# sourceMappingURL=outbound-headers.d.ts.map

package/dist/delegation/outbound-headers.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"outbound-headers.d.ts","sourceRoot":"","sources":["../../src/delegation/outbound-headers.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AAC7E,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAM3D;;GAEG;AACH,eAAO,MAAM,qBAAqB;;;;;CAKxB,CAAC;AAEX;;GAEG;AACH,MAAM,WAAW,yBAAyB;IACxC,kCAAkC;IAClC,OAAO,EAAE,cAAc,CAAC;IACxB,4CAA4C;IAC5C,UAAU,EAAE,gBAAgB,CAAC;IAC7B,sDAAsD;IACtD,cAAc,EAAE;QACd,GAAG,EAAE,MAAM,CAAC;QACZ,GAAG,EAAE,MAAM,CAAC;QACZ,UAAU,EAAE,MAAM,CAAC;KACpB,CAAC;IACF,sCAAsC;IACtC,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,yBAAyB;IACxC,aAAa,EAAE,MAAM,CAAC;IACtB,oBAAoB,EAAE,MAAM,CAAC;IAC7B,cAAc,EAAE,MAAM,CAAC;IACvB,oBAAoB,EAAE,MAAM,CAAC;CAC9B;AAgDD;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,wBAAsB,8BAA8B,CAClD,OAAO,EAAE,yBAAyB,EAClC,eAAe,EAAE,cAAc,GAC9B,OAAO,CAAC,yBAAyB,CAAC,CAuDpC"}

package/dist/delegation/outbound-headers.js ADDED Viewed

@@ -0,0 +1,139 @@
+/**
+ * Outbound Delegation Headers
+ *
+ * Builds the full set of outbound delegation headers for forwarding
+ * delegation context to downstream services.
+ *
+ * Headers (MCP-I §7):
+ * - X-Agent-DID: the original agent's DID
+ * - X-Delegation-Chain: the delegation chain ID (vcId of the root delegation)
+ * - X-Session-ID: the current session ID
+ * - X-Delegation-Proof: a signed JWT proving the delegation is being forwarded
+ *
+ * Related Spec: MCP-I §7 — Outbound Delegation Propagation
+ */
+import { buildDelegationProofJWT } from './outbound-proof.js';
+import { extractPublicKeyFromDidKey, isEd25519DidKey } from './did-key-resolver.js';
+import { base64ToBytes, base64urlEncodeFromBytes } from '../utils/base64.js';
+import { logger } from '../logging/index.js';
+/**
+ * Header names for outbound delegation propagation
+ */
+export const OUTBOUND_HEADER_NAMES = {
+    AGENT_DID: 'X-Agent-DID',
+    DELEGATION_CHAIN: 'X-Delegation-Chain',
+    SESSION_ID: 'X-Session-ID',
+    DELEGATION_PROOF: 'X-Delegation-Proof',
+};
+/**
+ * Extract hostname from a URL
+ */
+function extractHostname(url) {
+    try {
+        const parsed = new URL(url);
+        return parsed.hostname;
+    }
+    catch {
+        logger.warn('Failed to parse target URL, using as-is', { url });
+        return url;
+    }
+}
+/**
+ * Convert base64 private key and DID to Ed25519 JWK format
+ */
+function buildPrivateKeyJwk(privateKeyBase64, serverDid) {
+    // Decode the private key from base64
+    const privateKeyBytes = base64ToBytes(privateKeyBase64);
+    // Extract the 32-byte seed (handle both 32-byte and 64-byte formats)
+    const seed = privateKeyBytes.length === 64
+        ? privateKeyBytes.subarray(0, 32)
+        : privateKeyBytes;
+    // Extract public key from did:key
+    if (!isEd25519DidKey(serverDid)) {
+        throw new Error(`Server DID must be did:key with Ed25519: ${serverDid}`);
+    }
+    const publicKeyBytes = extractPublicKeyFromDidKey(serverDid);
+    if (!publicKeyBytes) {
+        throw new Error(`Failed to extract public key from DID: ${serverDid}`);
+    }
+    return {
+        kty: 'OKP',
+        crv: 'Ed25519',
+        x: base64urlEncodeFromBytes(publicKeyBytes),
+        d: base64urlEncodeFromBytes(seed),
+    };
+}
+/**
+ * Build outbound delegation headers for forwarding to downstream services.
+ *
+ * When an MCP server calls a downstream service on behalf of an agent,
+ * it MUST forward the delegation context using these headers so the
+ * downstream service can independently verify the delegation chain.
+ *
+ * @param context - The delegation context including session, delegation, and server identity
+ * @param _cryptoProvider - CryptoProvider (reserved for future use)
+ * @returns Headers object to attach to the outbound request
+ *
+ * @throws {Error} If session is missing agentDid or sessionId
+ * @throws {Error} If delegation is missing vcId
+ * @throws {Error} If serverIdentity.did is not a valid Ed25519 did:key
+ *
+ * @example
+ * ```typescript
+ * const headers = await buildOutboundDelegationHeaders({
+ *   session,
+ *   delegation,
+ *   serverIdentity: { did: serverDid, kid: serverKid, privateKey },
+ *   targetUrl: 'https://downstream-api.example.com/resource',
+ * }, cryptoProvider);
+ *
+ * // Attach headers to your HTTP request
+ * fetch(targetUrl, { headers });
+ * ```
+ */
+export async function buildOutboundDelegationHeaders(context, _cryptoProvider) {
+    const { session, delegation, serverIdentity, targetUrl } = context;
+    // Validate required fields
+    if (!session.agentDid) {
+        throw new Error('Session must have agentDid for outbound delegation');
+    }
+    if (!session.sessionId) {
+        throw new Error('Session must have sessionId for outbound delegation');
+    }
+    if (!delegation.vcId) {
+        throw new Error('Delegation must have vcId for outbound delegation');
+    }
+    // Extract hostname for JWT audience
+    const targetHostname = extractHostname(targetUrl);
+    // Build the private key JWK from the server identity
+    const privateKeyJwk = buildPrivateKeyJwk(serverIdentity.privateKey, serverIdentity.did);
+    // Build the delegation proof JWT
+    // Per MCP-I §7, the JWT has:
+    // - iss: serverDid (the MCP server forwarding the request)
+    // - sub: agentDid (the original agent)
+    // - aud: targetHostname (the downstream service)
+    // - scope: "delegation:propagate"
+    const jwt = await buildDelegationProofJWT({
+        agentDid: serverIdentity.did, // becomes iss (server forwarding)
+        userDid: session.agentDid, // becomes sub (original agent)
+        delegationId: delegation.id,
+        delegationChain: delegation.vcId,
+        scopes: ['delegation:propagate'],
+        privateKeyJwk,
+        kid: serverIdentity.kid,
+        targetHostname,
+    });
+    logger.debug('Built outbound delegation headers', {
+        agentDid: session.agentDid,
+        delegationChain: delegation.vcId,
+        sessionId: session.sessionId,
+        targetHostname,
+    });
+    return {
+        'X-Agent-DID': session.agentDid,
+        'X-Delegation-Chain': delegation.vcId,
+        'X-Session-ID': session.sessionId,
+        'X-Delegation-Proof': jwt,
+    };
+}
+//# sourceMappingURL=outbound-headers.js.map

package/dist/delegation/outbound-headers.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"outbound-headers.js","sourceRoot":"","sources":["../../src/delegation/outbound-headers.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAIH,OAAO,EAAE,uBAAuB,EAA0B,MAAM,qBAAqB,CAAC;AACtF,OAAO,EAAE,0BAA0B,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AACpF,OAAO,EAAE,aAAa,EAAE,wBAAwB,EAAE,MAAM,oBAAoB,CAAC;AAC7E,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAC;AAE7C;;GAEG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAAG;IACnC,SAAS,EAAE,aAAa;IACxB,gBAAgB,EAAE,oBAAoB;IACtC,UAAU,EAAE,cAAc;IAC1B,gBAAgB,EAAE,oBAAoB;CAC9B,CAAC;AA8BX;;GAEG;AACH,SAAS,eAAe,CAAC,GAAW;IAClC,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;QAC5B,OAAO,MAAM,CAAC,QAAQ,CAAC;IACzB,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,CAAC,IAAI,CAAC,yCAAyC,EAAE,EAAE,GAAG,EAAE,CAAC,CAAC;QAChE,OAAO,GAAG,CAAC;IACb,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,kBAAkB,CACzB,gBAAwB,EACxB,SAAiB;IAEjB,qCAAqC;IACrC,MAAM,eAAe,GAAG,aAAa,CAAC,gBAAgB,CAAC,CAAC;IAExD,qEAAqE;IACrE,MAAM,IAAI,GAAG,eAAe,CAAC,MAAM,KAAK,EAAE;QACxC,CAAC,CAAC,eAAe,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC;QACjC,CAAC,CAAC,eAAe,CAAC;IAEpB,kCAAkC;IAClC,IAAI,CAAC,eAAe,CAAC,SAAS,CAAC,EAAE,CAAC;QAChC,MAAM,IAAI,KAAK,CAAC,4CAA4C,SAAS,EAAE,CAAC,CAAC;IAC3E,CAAC;IAED,MAAM,cAAc,GAAG,0BAA0B,CAAC,SAAS,CAAC,CAAC;IAC7D,IAAI,CAAC,cAAc,EAAE,CAAC;QACpB,MAAM,IAAI,KAAK,CAAC,0CAA0C,SAAS,EAAE,CAAC,CAAC;IACzE,CAAC;IAED,OAAO;QACL,GAAG,EAAE,KAAK;QACV,GAAG,EAAE,SAAS;QACd,CAAC,EAAE,wBAAwB,CAAC,cAAc,CAAC;QAC3C,CAAC,EAAE,wBAAwB,CAAC,IAAI,CAAC;KAClC,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,MAAM,CAAC,KAAK,UAAU,8BAA8B,CAClD,OAAkC,EAClC,eAA+B;IAE/B,MAAM,EAAE,OAAO,EAAE,UAAU,EAAE,cAAc,EAAE,SAAS,EAAE,GAAG,OAAO,CAAC;IAEnE,2BAA2B;IAC3B,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAC;IACxE,CAAC;IAED,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CAAC,qDAAqD,CAAC,CAAC;IACzE,CAAC;IAED,IAAI,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC;QACrB,MAAM,IAAI,KAAK,CAAC,mDAAmD,CAAC,CAAC;IACvE,CAAC;IAED,oCAAoC;IACpC,MAAM,cAAc,GAAG,eAAe,CAAC,SAAS,CAAC,CAAC;IAElD,qDAAqD;IACrD,MAAM,aAAa,GAAG,kBAAkB,CACtC,cAAc,CAAC,UAAU,EACzB,cAAc,CAAC,GAAG,CACnB,CAAC;IAEF,iCAAiC;IACjC,6BAA6B;IAC7B,2DAA2D;IAC3D,uCAAuC;IACvC,iDAAiD;IACjD,kCAAkC;IAClC,MAAM,GAAG,GAAG,MAAM,uBAAuB,CAAC;QACxC,QAAQ,EAAE,cAAc,CAAC,GAAG,EAAM,kCAAkC;QACpE,OAAO,EAAE,OAAO,CAAC,QAAQ,EAAS,+BAA+B;QACjE,YAAY,EAAE,UAAU,CAAC,EAAE;QAC3B,eAAe,EAAE,UAAU,CAAC,IAAI;QAChC,MAAM,EAAE,CAAC,sBAAsB,CAAC;QAChC,aAAa;QACb,GAAG,EAAE,cAAc,CAAC,GAAG;QACvB,cAAc;KACf,CAAC,CAAC;IAEH,MAAM,CAAC,KAAK,CAAC,mCAAmC,EAAE;QAChD,QAAQ,EAAE,OAAO,CAAC,QAAQ;QAC1B,eAAe,EAAE,UAAU,CAAC,IAAI;QAChC,SAAS,EAAE,OAAO,CAAC,SAAS;QAC5B,cAAc;KACf,CAAC,CAAC;IAEH,OAAO;QACL,aAAa,EAAE,OAAO,CAAC,QAAQ;QAC/B,oBAAoB,EAAE,UAAU,CAAC,IAAI;QACrC,cAAc,EAAE,OAAO,CAAC,SAAS;QACjC,oBAAoB,EAAE,GAAG;KAC1B,CAAC;AACJ,CAAC"}

package/dist/delegation/outbound-proof.d.ts ADDED Viewed

@@ -0,0 +1,43 @@
+/**
+ * Outbound Delegation Proof
+ *
+ * Builds signed delegation proof JWTs for injection on outbound HTTP requests.
+ * Enables downstream services to independently verify the delegation chain.
+ *
+ * Wire format: signed compact EdDSA JWT (60s TTL, per-call jti)
+ * Header injection: X-Delegation-Id, X-Delegation-Chain, X-Delegation-Proof, X-Scopes
+ *
+ * Related Spec: MCP-I §2 — Outbound Delegation Propagation
+ */
+import type { DelegationRecord } from '../types/protocol.js';
+export interface Ed25519PrivateJWK {
+    kty: 'OKP';
+    crv: 'Ed25519';
+    x: string;
+    d: string;
+    kid?: string;
+    use?: string;
+}
+export interface DelegationProofOptions {
+    agentDid: string;
+    userDid: string;
+    delegationId: string;
+    delegationChain: string;
+    scopes: string[];
+    privateKeyJwk: Ed25519PrivateJWK;
+    kid: string;
+    targetHostname: string;
+}
+/**
+ * Build a signed delegation proof JWT for outbound HTTP requests.
+ *
+ * Creates a short-lived (60s) EdDSA-signed JWT containing delegation context
+ * that can be verified by downstream services without access to the MCP server.
+ *
+ * @param options - Proof options including DIDs, delegation info, scopes, and signing key
+ * @returns Compact JWS string (header.payload.signature)
+ * @throws {Error} If key import or signing fails
+ */
+export declare function buildDelegationProofJWT(options: DelegationProofOptions): Promise<string>;
+export declare function buildChainString(delegation: DelegationRecord): string;
+//# sourceMappingURL=outbound-proof.d.ts.map

package/dist/delegation/outbound-proof.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"outbound-proof.d.ts","sourceRoot":"","sources":["../../src/delegation/outbound-proof.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAGH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AAE7D,MAAM,WAAW,iBAAiB;IAChC,GAAG,EAAE,KAAK,CAAC;IACX,GAAG,EAAE,SAAS,CAAC;IACf,CAAC,EAAE,MAAM,CAAC;IACV,CAAC,EAAE,MAAM,CAAC;IACV,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,sBAAsB;IACrC,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,YAAY,EAAE,MAAM,CAAC;IACrB,eAAe,EAAE,MAAM,CAAC;IACxB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,aAAa,EAAE,iBAAiB,CAAC;IACjC,GAAG,EAAE,MAAM,CAAC;IACZ,cAAc,EAAE,MAAM,CAAC;CACxB;AAED;;;;;;;;;GASG;AACH,wBAAsB,uBAAuB,CAC3C,OAAO,EAAE,sBAAsB,GAC9B,OAAO,CAAC,MAAM,CAAC,CAgCjB;AAED,wBAAgB,gBAAgB,CAAC,UAAU,EAAE,gBAAgB,GAAG,MAAM,CAQrE"}

package/dist/delegation/outbound-proof.js ADDED Viewed

@@ -0,0 +1,52 @@
+/**
+ * Outbound Delegation Proof
+ *
+ * Builds signed delegation proof JWTs for injection on outbound HTTP requests.
+ * Enables downstream services to independently verify the delegation chain.
+ *
+ * Wire format: signed compact EdDSA JWT (60s TTL, per-call jti)
+ * Header injection: X-Delegation-Id, X-Delegation-Chain, X-Delegation-Proof, X-Scopes
+ *
+ * Related Spec: MCP-I §2 — Outbound Delegation Propagation
+ */
+import { SignJWT, importJWK } from 'jose';
+/**
+ * Build a signed delegation proof JWT for outbound HTTP requests.
+ *
+ * Creates a short-lived (60s) EdDSA-signed JWT containing delegation context
+ * that can be verified by downstream services without access to the MCP server.
+ *
+ * @param options - Proof options including DIDs, delegation info, scopes, and signing key
+ * @returns Compact JWS string (header.payload.signature)
+ * @throws {Error} If key import or signing fails
+ */
+export async function buildDelegationProofJWT(options) {
+    const { agentDid, userDid, delegationId, delegationChain, scopes, privateKeyJwk, kid, targetHostname, } = options;
+    const privateKey = await importJWK(privateKeyJwk, 'EdDSA');
+    const iat = Math.floor(Date.now() / 1000);
+    const exp = iat + 60;
+    const jwt = await new SignJWT({
+        delegation_id: delegationId,
+        delegation_chain: delegationChain,
+        scope: scopes.join(','),
+    })
+        .setProtectedHeader({ alg: 'EdDSA', kid })
+        .setIssuer(agentDid)
+        .setSubject(userDid)
+        .setJti(crypto.randomUUID())
+        .setAudience(targetHostname)
+        .setIssuedAt(iat)
+        .setExpirationTime(exp)
+        .sign(privateKey);
+    return jwt;
+}
+export function buildChainString(delegation) {
+    if (!delegation.id && !delegation.vcId) {
+        return '';
+    }
+    if (!delegation.vcId) {
+        return delegation.id;
+    }
+    return `${delegation.vcId}>${delegation.id}`;
+}
+//# sourceMappingURL=outbound-proof.js.map

package/dist/delegation/outbound-proof.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"outbound-proof.js","sourceRoot":"","sources":["../../src/delegation/outbound-proof.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,MAAM,MAAM,CAAC;AAuB1C;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,OAA+B;IAE/B,MAAM,EACJ,QAAQ,EACR,OAAO,EACP,YAAY,EACZ,eAAe,EACf,MAAM,EACN,aAAa,EACb,GAAG,EACH,cAAc,GACf,GAAG,OAAO,CAAC;IAEZ,MAAM,UAAU,GAAG,MAAM,SAAS,CAAC,aAAa,EAAE,OAAO,CAAC,CAAC;IAE3D,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,MAAM,GAAG,GAAG,GAAG,GAAG,EAAE,CAAC;IAErB,MAAM,GAAG,GAAG,MAAM,IAAI,OAAO,CAAC;QAC5B,aAAa,EAAE,YAAY;QAC3B,gBAAgB,EAAE,eAAe;QACjC,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC;KACxB,CAAC;SACC,kBAAkB,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC;SACzC,SAAS,CAAC,QAAQ,CAAC;SACnB,UAAU,CAAC,OAAO,CAAC;SACnB,MAAM,CAAC,MAAM,CAAC,UAAU,EAAE,CAAC;SAC3B,WAAW,CAAC,cAAc,CAAC;SAC3B,WAAW,CAAC,GAAG,CAAC;SAChB,iBAAiB,CAAC,GAAG,CAAC;SACtB,IAAI,CAAC,UAAU,CAAC,CAAC;IAEpB,OAAO,GAAG,CAAC;AACb,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,UAA4B;IAC3D,IAAI,CAAC,UAAU,CAAC,EAAE,IAAI,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC;QACvC,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,IAAI,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC;QACrB,OAAO,UAAU,CAAC,EAAE,CAAC;IACvB,CAAC;IACD,OAAO,GAAG,UAAU,CAAC,IAAI,IAAI,UAAU,CAAC,EAAE,EAAE,CAAC;AAC/C,CAAC"}

package/dist/delegation/statuslist-manager.d.ts ADDED Viewed

@@ -0,0 +1,44 @@
+/**
+ * StatusList2021 Manager
+ *
+ * Manages StatusList2021 credentials for efficient delegation revocation.
+ *
+ * Related Spec: W3C StatusList2021
+ */
+import type { StatusList2021Credential, CredentialStatus } from '../types/protocol.js';
+import { type CompressionFunction, type DecompressionFunction } from './bitstring.js';
+import type { VCSigningFunction } from './vc-issuer.js';
+export interface StatusListStorageProvider {
+    getStatusList(statusListId: string): Promise<StatusList2021Credential | null>;
+    setStatusList(statusListId: string, credential: StatusList2021Credential): Promise<void>;
+    allocateIndex(statusListId: string): Promise<number>;
+}
+export interface StatusListIdentityProvider {
+    getDid(): string;
+    getKeyId(): string;
+}
+export declare class StatusList2021Manager {
+    private storage;
+    private identity;
+    private signingFunction;
+    private compressor;
+    private decompressor;
+    private statusListBaseUrl;
+    private defaultListSize;
+    constructor(storage: StatusListStorageProvider, identity: StatusListIdentityProvider, signingFunction: VCSigningFunction, compressor: CompressionFunction, decompressor: DecompressionFunction, options?: {
+        statusListBaseUrl?: string;
+        defaultListSize?: number;
+    });
+    allocateStatusEntry(purpose: 'revocation' | 'suspension'): Promise<CredentialStatus>;
+    updateStatus(credentialStatus: CredentialStatus, revoked: boolean): Promise<void>;
+    checkStatus(credentialStatus: CredentialStatus): Promise<boolean>;
+    getRevokedIndices(statusListId: string): Promise<number[]>;
+    private ensureStatusListExists;
+    getStatusListBaseUrl(): string;
+    getDefaultListSize(): number;
+}
+export declare function createStatusListManager(storage: StatusListStorageProvider, identity: StatusListIdentityProvider, signingFunction: VCSigningFunction, compressor: CompressionFunction, decompressor: DecompressionFunction, options?: {
+    statusListBaseUrl?: string;
+    defaultListSize?: number;
+}): StatusList2021Manager;
+//# sourceMappingURL=statuslist-manager.d.ts.map