@mcp-i/core 1.1.0 → 1.1.3

package/README.md

@@ -1,203 +1,131 @@
-# @mcp-i/core
-
-**Identity, delegation, and proof for the Model Context Protocol.**
-
-MCP-I answers three questions for every AI agent tool call: *who* is calling (DID), *are they allowed* (delegation VC), and *what happened* (signed proof). It uses W3C Verifiable Credentials, Ed25519 signatures, and Decentralized Identifiers — no central authority required.
-
-> [DIF TAAWG](https://identity.foundation/working-groups/agent-and-authorization.html) protocol reference implementation. Spec: [modelcontextprotocol-identity.io](https://modelcontextprotocol-identity.io)
+<p align="center">
+  <a href="https://modelcontextprotocol-identity.io">
+    <picture>
+      <source media="(prefers-color-scheme: dark)" srcset="https://modelcontextprotocol-identity.io/images/logo-mark_white.svg">
+      <img alt="MCP-I" src="https://modelcontextprotocol-identity.io/images/logo-mark_black.svg" width="64">
+    </picture>
+  </a>
+</p>
+
+<p align="center">
+  <strong>Identity, delegation, and proof for the Model Context Protocol.</strong>
+</p>
+
+<p align="center">
+  <a href="https://www.npmjs.com/package/@mcp-i/core"><img src="https://img.shields.io/npm/v/@mcp-i/core" alt="npm"></a>
+  <a href="https://modelcontextprotocol-identity.io"><img src="https://img.shields.io/badge/spec-modelcontextprotocol--identity.io-blue" alt="spec"></a>
+  <a href="https://identity.foundation/working-groups/agent-and-authorization.html"><img src="https://img.shields.io/badge/DIF-TAAWG-purple" alt="DIF TAAWG"></a>
+  <a href="./LICENSE"><img src="https://img.shields.io/github/license/modelcontextprotocol-identity/mcp-i-core" alt="license"></a>
+</p>
 
 ---
 
-## Try It
+AI agents call tools on your behalf. But today, there's no way to know *who* called, *whether they were allowed to*, or *what actually happened*. MCP-I fixes that.
 
-See the consent flow in action — an agent calls a protected tool, a human approves, and the agent retries with a signed credential:
+- **Every server gets a cryptographic identity** (DID) — no accounts, no API keys, no central registry
+- **Every tool call gets a signed proof** — a tamper-evident receipt the agent can't forge or deny
+- **Protected tools require human consent** — per-tool authorization via W3C Delegation Credentials
+- **The AI never knows** — identity, proofs, and consent happen transparently in the protocol layer
 
-```bash
-git clone https://github.com/modelcontextprotocol-identity/mcp-i-core.git
-cd mcp-i-core
-pnpm install
-npx tsx examples/consent-basic/src/server.ts
 ```
-
-Then connect with [MCP Inspector](https://github.com/modelcontextprotocol/inspector):
-
-```bash
-npx @modelcontextprotocol/inspector
-# → Connect to http://localhost:3002/sse
+npm install @mcp-i/core
 ```
 
-Call `checkout` — you'll get a consent link. Open it, approve, then retry the tool. [Full walkthrough →](./examples/consent-basic/README.md)
-
 ---
 
-## Add to Your Server
+## Migrate Any MCP Server in 2 Lines
 
-One line to add identity, sessions, and proofs to any MCP server:
+**Before** — a standard MCP server with no identity or proofs:
 
 ```typescript
 import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
-import { withMCPI, NodeCryptoProvider } from '@mcp-i/core';
 
 const server = new McpServer({ name: 'my-server', version: '1.0.0' });
-await withMCPI(server, { crypto: new NodeCryptoProvider() });
-
-// Register tools normally — proofs are attached automatically
-```
 
-Default behavior is compatibility-first:
-- `withMCPI` auto-registers `_mcpi`, so it appears in MCP Inspector and tool lists.
-- Handshake is not tied to MCP `initialize`; a client/runtime must call it (or use `autoSession`).
-
-If your runtime has a native connection/auth handshake hook, disable tool exposure and call middleware directly:
-
-```typescript
-const mcpi = await withMCPI(server, {
-  crypto: new NodeCryptoProvider(),
-  handshakeExposure: 'none',
-  autoSession: false,
-});
-
-// In your runtime's connection handshake hook:
-await mcpi.handleMCPI({
-  action: 'handshake',
-  nonce: 'client-generated-nonce',
-  audience: mcpi.identity.did,
-  timestamp: Math.floor(Date.now() / 1000),
-  agentDid: 'did:key:...optional...',
-});
+server.registerTool('greet', { description: 'Say hello' }, async (args) => ({
+  content: [{ type: 'text', text: `Hello, ${args.name}!` }],
+}));
 ```
 
-Every tool response now includes a cryptographic proof. For protected tools that require human consent, add `wrapWithDelegation`:
+**After** — every tool response now carries a signed cryptographic proof:
 
 ```typescript
-import { createMCPIMiddleware, generateIdentity, NodeCryptoProvider } from '@mcp-i/core';
+import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+import { withMCPI, NodeCryptoProvider } from '@mcp-i/core';  // +1 line
 
-const crypto = new NodeCryptoProvider();
-const identity = await generateIdentity(crypto);
-const mcpi = createMCPIMiddleware({ identity, session: { sessionTtlMinutes: 60 } }, crypto);
+const server = new McpServer({ name: 'my-server', version: '1.0.0' });
+await withMCPI(server, { crypto: new NodeCryptoProvider() }); // +1 line
 
-// Public tool — proof attached automatically
-const search = mcpi.wrapWithProof('search', async (args) => ({
-  content: [{ type: 'text', text: `Results for: ${args['query']}` }],
+server.registerTool('greet', { description: 'Say hello' }, async (args) => ({
+  content: [{ type: 'text', text: `Hello, ${args.name}!` }],
 }));
-
-// Protected tool — requires delegation with scope 'orders:write'
-const placeOrder = mcpi.wrapWithDelegation(
-  'place_order',
-  { scopeId: 'orders:write', consentUrl: 'https://example.com/consent' },
-  mcpi.wrapWithProof('place_order', async (args) => ({
-    content: [{ type: 'text', text: `Order placed: ${args['item']}` }],
-  })),
-);
-```
-
----
-
-## Install
-
-```bash
-npm install @mcp-i/core
 ```
 
-Requires Node.js 20+. Peer dependency on `@modelcontextprotocol/sdk` (optional — only needed for `withMCPI`).
-
----
-
-## Architecture
+That's it. `withMCPI` auto-generates an Ed25519 identity, registers the `_mcpi` protocol tool, and wraps the transport so every tool response includes a detached JWS proof in `_meta` — invisible to the LLM, verifiable by anyone.
 
-```
-┌─────────────┐     ┌──────────────┐     ┌─────────────┐
-│   Agent      │────▶│  MCP Server  │────▶│  Downstream  │
-│  (did:key)   │     │  + MCP-I     │     │  Services    │
-└─────────────┘     └──────────────┘     └─────────────┘
-       │                    │                     │
-       │ handshake          │ verify delegation   │ outbound headers
-       │ (nonce+DID)        │ attach proof        │ (X-Agent-DID,
-       │                    │ check scopes        │  X-Delegation-Chain)
-       ▼                    ▼                     ▼
-   Session established   Tool executes        Context forwarded
-   with replay           with signed           to downstream
-   prevention            receipt               with delegation
-```
+> See the full working example: [examples/context7-with-mcpi](./examples/context7-with-mcpi/) — a real MCP server (Context7) migrated with exactly 2 lines of code.
 
 ---
 
-## Modules
+## Protect Tools with Human Consent
 
-| Module | What it does |
-|--------|-------------|
-| **middleware** | `withMCPI(server)` — one-call integration. `createMCPIMiddleware` for low-level control. |
-| **delegation** | Issue and verify W3C VCs. DID:key and DID:web resolution. StatusList2021 revocation. Cascading revocation. |
-| **proof** | Generate and verify detached JWS proofs with canonical hashing (JCS + SHA-256). |
-| **session** | Nonce-based handshake. Replay prevention. Session TTL management. |
-| **providers** | Abstract `CryptoProvider`, `IdentityProvider`, `StorageProvider`. Plug in your own KMS, HSM, or vault. |
-| **types** | Pure TypeScript interfaces. Zero runtime dependencies. |
+Some tools shouldn't run without a human saying "yes." MCP-I adds per-tool authorization using W3C Verifiable Credentials:
 
-All modules available as subpath exports: `@mcp-i/core/delegation`, `@mcp-i/core/proof`, etc.
-
----
+```typescript
+const checkout = mcpi.wrapWithDelegation(
+  'checkout',
+  { scopeId: 'cart:write', consentUrl: 'https://example.com/consent' },
+  mcpi.wrapWithProof('checkout', async (args) => ({
+    content: [{ type: 'text', text: `Order placed: ${args.item}` }],
+  })),
+);
+```
 
-## Examples
+When an agent calls `checkout` without a delegation credential, it gets back a `needs_authorization` response with a consent URL. The human approves, a scoped credential is issued, and the agent retries — now authorized.
 
-| Example | What it shows |
-|---------|--------------|
-| [**consent-basic**](./examples/consent-basic/) | Human-in-the-loop consent flow: `needs_authorization` → consent page → delegation VC → tool execution. SSE + Streamable HTTP transports. |
-| [**consent-full**](./examples/consent-full/) | Same consent flow as consent-basic, powered by [`@kya-os/consent`](https://www.npmjs.com/package/@kya-os/consent) — multi-mode auth, configurable branding, and production-grade consent UI. |
-| [**node-server**](./examples/node-server/) | Low-level Server API with handshake, proof, and restricted tools. |
-| [**brave-search-mcp-server**](./examples/brave-search-mcp-server/) | Real-world MCP server wrapping Brave Search with MCP-I identity and proofs. |
-| [**outbound-delegation**](./examples/outbound-delegation/) | Forwarding delegation context to downstream services (§7 gateway pattern). |
-| [**verify-proof**](./examples/verify-proof/) | Standalone proof verification with DID:key resolution. |
-| [**context7-with-mcpi**](./examples/context7-with-mcpi/) | Adding MCP-I to an existing MCP server with `withMCPI`. |
+> Try it yourself: [examples/consent-basic](./examples/consent-basic/) walks through the full consent flow end-to-end.
 
 ---
 
-## Extension Points
+## See It in Action
 
-MCP-I is a protocol, not a platform. All cryptographic operations, storage, and identity management are abstracted behind interfaces you implement:
-
-```typescript
-// Use AWS KMS instead of local keys
-class KMSCryptoProvider extends CryptoProvider {
-  async sign(data: Uint8Array, keyArn: string) {
-    return kmsClient.sign({ KeyId: keyArn, Message: data });
-  }
-}
-
-// Use Redis instead of in-memory nonce cache
-class RedisNonceCacheProvider extends NonceCacheProvider {
-  async hasNonce(nonce: string) { return redis.exists(`nonce:${nonce}`); }
-  async addNonce(nonce: string, ttl: number) { redis.setex(`nonce:${nonce}`, ttl, '1'); }
-}
+```bash
+git clone https://github.com/modelcontextprotocol-identity/mcp-i-core.git
+cd mcp-i-core && npm install
+bash scripts/demo.sh
 ```
 
-Supported DID methods: `did:key` (built-in, self-resolving), `did:web` (built-in, HTTP resolution), or any custom method via `DIDResolver`.
-
----
-
-## Conformance
+This starts all example servers and opens [MCP Inspector](https://github.com/modelcontextprotocol/inspector). Connect to any server, call a tool, and inspect the proof in `_meta`:
 
-Three levels defined in [CONFORMANCE.md](./CONFORMANCE.md):
+| Port | Example | What it demonstrates |
+|------|---------|---------------------|
+| 3001 | [node-server](./examples/node-server/) | Proofs + restricted tools (low-level API) |
+| 3002 | [consent-basic](./examples/consent-basic/) | Human consent flow with built-in UI |
+| 3003 | [consent-full](./examples/consent-full/) | Production consent UI ([@kya-os/consent](https://www.npmjs.com/package/@kya-os/consent)) |
+| 3004 | [context7-with-mcpi](./examples/context7-with-mcpi/) | 2-line migration of a real MCP server |
 
-| Level | Requirements |
-|-------|-------------|
-| **Level 1** — Core Crypto | Ed25519 signatures, DID:key resolution, JCS canonicalization |
-| **Level 2** — Full Session | Nonce-based handshake, session management, replay prevention |
-| **Level 3** — Full Delegation | W3C VC issuance/verification, scope attenuation, StatusList2021, cascading revocation |
+Also available: [outbound-delegation](./examples/outbound-delegation/) (gateway pattern), [verify-proof](./examples/verify-proof/) (standalone verification), [statuslist](./examples/statuslist/) (revocation lifecycle).
 
 ---
 
-## Contributing
-
-See [CONTRIBUTING.md](./CONTRIBUTING.md). DCO sign-off required. All PRs must pass CI (type check, lint, test across Node 20/22 on Linux/macOS/Windows).
+## What's Under the Hood
 
-## Governance
+| Capability | How it works |
+|-----------|-------------|
+| **Cryptographic identity** | Ed25519 key pairs, `did:key` and `did:web` resolution |
+| **Signed proofs** | Detached JWS over JCS-canonicalized request/response hashes |
+| **Delegation credentials** | W3C Verifiable Credentials with scope constraints |
+| **Revocation** | StatusList2021 bitstring with cascading revocation |
+| **Replay prevention** | Nonce-based handshake with timestamp skew validation |
+| **Extensible** | Bring your own KMS, HSM, nonce cache (Redis, DynamoDB, KV), or DID method |
 
-See [GOVERNANCE.md](./GOVERNANCE.md). Lazy consensus for non-breaking changes. Explicit vote for breaking changes.
+---
 
-## Security
+## Links
 
-See [SECURITY.md](./SECURITY.md). 48-hour acknowledgement. 90-day coordinated disclosure.
+- [Spec](https://modelcontextprotocol-identity.io) | [DIF TAAWG](https://identity.foundation/working-groups/agent-and-authorization.html) | [npm](https://www.npmjs.com/package/@mcp-i/core)
+- [CONTRIBUTING.md](./CONTRIBUTING.md) | [CONFORMANCE.md](./CONFORMANCE.md) | [SECURITY.md](./SECURITY.md) | [GOVERNANCE.md](./GOVERNANCE.md)
 
 ## License
 
-MIT — see [LICENSE](./LICENSE)
+MIT

package/dist/auth/handshake.d.ts

@@ -15,20 +15,12 @@ import type { DelegationVerifier, VerifyDelegationResult } from './types.js';
 export type { DelegationVerifier, VerifyDelegationResult };
 export interface AgentReputation {
     agentDid: string;
-    score: number | null;
+    score: number;
     totalInteractions: number;
     successRate: number;
     riskLevel: 'low' | 'medium' | 'high' | 'unknown';
     updatedAt: number;
 }
-/**
- * Policy for handling agents with no reputation history.
- *
- * - 'deny'            — reject unknown agents outright (strict environments)
- * - 'require-consent' — route to the consent/authorization flow (default)
- * - 'allow'           — let unknown agents through (reputation is advisory only)
- */
-export type UnknownAgentPolicy = 'deny' | 'require-consent' | 'allow';
 export interface AuthHandshakeConfig {
     delegationVerifier: DelegationVerifier;
     resumeTokenStore: ResumeTokenStore;
@@ -40,15 +32,7 @@ export interface AuthHandshakeConfig {
     authorization: {
         authorizationUrl: string;
         resumeTokenTtl?: number;
-        /**
-         * How to handle agents with no reputation history (404 from reputation
-         * service, network error, or first-time agent).
-         *
-         * - 'deny'            — reject outright
-         * - 'require-consent' — route to consent flow (default)
-         * - 'allow'           — skip reputation gate for unknowns
-         */
-        unknownAgentPolicy?: UnknownAgentPolicy;
+        requireAuthForUnknown?: boolean;
         minReputationScore?: number;
     };
     debug?: boolean;
@@ -112,8 +96,9 @@ export declare class MemoryResumeTokenStore implements ResumeTokenStore {
  * @param agentDid - The agent's DID to verify
  * @param scopes - Required scopes for the operation
  * @param config - Authorization configuration including verifier, token store, etc.
+ * @param _resumeToken - Optional resume token from previous authorization attempt
  * @returns Result indicating authorization status, delegation, or auth hints
  */
-export declare function verifyOrHints(agentDid: string, scopes: string[], config: AuthHandshakeConfig): Promise<VerifyOrHintsResult>;
+export declare function verifyOrHints(agentDid: string, scopes: string[], config: AuthHandshakeConfig, _resumeToken?: string): Promise<VerifyOrHintsResult>;
 export declare function hasSensitiveScopes(scopes: string[]): boolean;
 //# sourceMappingURL=handshake.d.ts.map

package/dist/auth/handshake.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"handshake.d.ts","sourceRoot":"","sources":["../../src/auth/handshake.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EACV,uBAAuB,EAExB,MAAM,sBAAsB,CAAC;AAE9B,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AAE7D,OAAO,KAAK,EAAE,kBAAkB,EAAE,sBAAsB,EAAE,MAAM,YAAY,CAAC;AAE7E,YAAY,EAAE,kBAAkB,EAAE,sBAAsB,EAAE,CAAC;AAE3D,MAAM,WAAW,eAAe;IAC9B,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,SAAS,CAAC;IACjD,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;GAMG;AACH,MAAM,MAAM,kBAAkB,GAAG,MAAM,GAAG,iBAAiB,GAAG,OAAO,CAAC;AAEtE,MAAM,WAAW,mBAAmB;IAClC,kBAAkB,EAAE,kBAAkB,CAAC;IACvC,gBAAgB,EAAE,gBAAgB,CAAC;IACnC,iBAAiB,CAAC,EAAE;QAClB,MAAM,EAAE,MAAM,CAAC;QACf,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,SAAS,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;KACzB,CAAC;IACF,aAAa,EAAE;QACb,gBAAgB,EAAE,MAAM,CAAC;QACzB,cAAc,CAAC,EAAE,MAAM,CAAC;QACxB;;;;;;;WAOG;QACH,kBAAkB,CAAC,EAAE,kBAAkB,CAAC;QACxC,kBAAkB,CAAC,EAAE,MAAM,CAAC;KAC7B,CAAC;IACF,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB;AAED,MAAM,WAAW,mBAAmB;IAClC,UAAU,EAAE,OAAO,CAAC;IACpB,UAAU,CAAC,EAAE,gBAAgB,CAAC;IAC9B,UAAU,CAAC,EAAE;QACX,SAAS,EAAE,MAAM,CAAC;QAClB,QAAQ,EAAE,MAAM,CAAC;QACjB,MAAM,EAAE,MAAM,EAAE,CAAC;QACjB,aAAa,EAAE;YACb,IAAI,EACA,OAAO,GACP,QAAQ,GACR,UAAU,GACV,YAAY,GACZ,UAAU,GACV,MAAM,GACN,MAAM,CAAC;YACX,QAAQ,CAAC,EAAE,MAAM,CAAC;YAClB,cAAc,CAAC,EAAE,MAAM,CAAC;YACxB,IAAI,CAAC,EAAE,MAAM,CAAC;YACd,gBAAgB,CAAC,EAAE,UAAU,GAAG,WAAW,GAAG,aAAa,CAAC;YAC5D,OAAO,CAAC,EAAE,MAAM,CAAC;YACjB,MAAM,CAAC,EAAE,MAAM,CAAC;SACjB,CAAC;QACF,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;KACxB,CAAC;IACF,SAAS,CAAC,EAAE,uBAAuB,CAAC;IACpC,UAAU,CAAC,EAAE,eAAe,CAAC;IAC7B,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,gBAAgB;IAC/B,MAAM,CACJ,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,EAAE,EAChB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GACjC,OAAO,CAAC,MAAM,CAAC,CAAC;IAEnB,GAAG,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC;QAC1B,QAAQ,EAAE,MAAM,CAAC;QACjB,MAAM,EAAE,MAAM,EAAE,CAAC;QACjB,SAAS,EAAE,MAAM,CAAC;QAClB,SAAS,EAAE,MAAM,CAAC;QAClB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;KACpC,GAAG,IAAI,CAAC,CAAC;IAEV,OAAO,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACvC;AAED,qBAAa,sBAAuB,YAAW,gBAAgB;IAC7D,OAAO,CAAC,MAAM,CAUV;IACJ,OAAO,CAAC,GAAG,CAAS;gBAER,KAAK,SAAU;IAIrB,MAAM,CACV,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,EAAE,EAChB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GACjC,OAAO,CAAC,MAAM,CAAC;IAmBZ,GAAG,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC;QAChC,QAAQ,EAAE,MAAM,CAAC;QACjB,MAAM,EAAE,MAAM,EAAE,CAAC;QACjB,SAAS,EAAE,MAAM,CAAC;QAClB,SAAS,EAAE,MAAM,CAAC;QAClB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;KACpC,GAAG,IAAI,CAAC;IAoBH,OAAO,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAO3C,KAAK,IAAI,IAAI;CAGd;AAED;;;;;;;;;;;;GAYG;AACH,wBAAsB,aAAa,CACjC,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,EAAE,EAChB,MAAM,EAAE,mBAAmB,GAC1B,OAAO,CAAC,mBAAmB,CAAC,CA+I9B;AA8GD,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,OAAO,CAc5D"}
+{"version":3,"file":"handshake.d.ts","sourceRoot":"","sources":["../../src/auth/handshake.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EACV,uBAAuB,EAExB,MAAM,sBAAsB,CAAC;AAE9B,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AAE7D,OAAO,KAAK,EAAE,kBAAkB,EAAE,sBAAsB,EAAE,MAAM,YAAY,CAAC;AAE7E,YAAY,EAAE,kBAAkB,EAAE,sBAAsB,EAAE,CAAC;AAE3D,MAAM,WAAW,eAAe;IAC9B,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,iBAAiB,EAAE,MAAM,CAAC;IAC1B,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,SAAS,CAAC;IACjD,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,mBAAmB;IAClC,kBAAkB,EAAE,kBAAkB,CAAC;IACvC,gBAAgB,EAAE,gBAAgB,CAAC;IACnC,iBAAiB,CAAC,EAAE;QAClB,MAAM,EAAE,MAAM,CAAC;QACf,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,SAAS,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;KACzB,CAAC;IACF,aAAa,EAAE;QACb,gBAAgB,EAAE,MAAM,CAAC;QACzB,cAAc,CAAC,EAAE,MAAM,CAAC;QACxB,qBAAqB,CAAC,EAAE,OAAO,CAAC;QAChC,kBAAkB,CAAC,EAAE,MAAM,CAAC;KAC7B,CAAC;IACF,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB;AAED,MAAM,WAAW,mBAAmB;IAClC,UAAU,EAAE,OAAO,CAAC;IACpB,UAAU,CAAC,EAAE,gBAAgB,CAAC;IAC9B,UAAU,CAAC,EAAE;QACX,SAAS,EAAE,MAAM,CAAC;QAClB,QAAQ,EAAE,MAAM,CAAC;QACjB,MAAM,EAAE,MAAM,EAAE,CAAC;QACjB,aAAa,EAAE;YACb,IAAI,EACA,OAAO,GACP,QAAQ,GACR,UAAU,GACV,YAAY,GACZ,UAAU,GACV,MAAM,GACN,MAAM,CAAC;YACX,QAAQ,CAAC,EAAE,MAAM,CAAC;YAClB,cAAc,CAAC,EAAE,MAAM,CAAC;YACxB,IAAI,CAAC,EAAE,MAAM,CAAC;YACd,gBAAgB,CAAC,EAAE,UAAU,GAAG,WAAW,GAAG,aAAa,CAAC;YAC5D,OAAO,CAAC,EAAE,MAAM,CAAC;YACjB,MAAM,CAAC,EAAE,MAAM,CAAC;SACjB,CAAC;QACF,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;KACxB,CAAC;IACF,SAAS,CAAC,EAAE,uBAAuB,CAAC;IACpC,UAAU,CAAC,EAAE,eAAe,CAAC;IAC7B,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,gBAAgB;IAC/B,MAAM,CACJ,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,EAAE,EAChB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GACjC,OAAO,CAAC,MAAM,CAAC,CAAC;IAEnB,GAAG,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC;QAC1B,QAAQ,EAAE,MAAM,CAAC;QACjB,MAAM,EAAE,MAAM,EAAE,CAAC;QACjB,SAAS,EAAE,MAAM,CAAC;QAClB,SAAS,EAAE,MAAM,CAAC;QAClB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;KACpC,GAAG,IAAI,CAAC,CAAC;IAEV,OAAO,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACvC;AAED,qBAAa,sBAAuB,YAAW,gBAAgB;IAC7D,OAAO,CAAC,MAAM,CAUV;IACJ,OAAO,CAAC,GAAG,CAAS;gBAER,KAAK,SAAU;IAIrB,MAAM,CACV,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,EAAE,EAChB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GACjC,OAAO,CAAC,MAAM,CAAC;IAgBZ,GAAG,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC;QAChC,QAAQ,EAAE,MAAM,CAAC;QACjB,MAAM,EAAE,MAAM,EAAE,CAAC;QACjB,SAAS,EAAE,MAAM,CAAC;QAClB,SAAS,EAAE,MAAM,CAAC;QAClB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;KACpC,GAAG,IAAI,CAAC;IAoBH,OAAO,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAO3C,KAAK,IAAI,IAAI;CAGd;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAsB,aAAa,CACjC,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,EAAE,EAChB,MAAM,EAAE,mBAAmB,EAC3B,YAAY,CAAC,EAAE,MAAM,GACpB,OAAO,CAAC,mBAAmB,CAAC,CA8F9B;AA8GD,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,OAAO,CAc5D"}

package/dist/auth/handshake.js

@@ -18,10 +18,7 @@ export class MemoryResumeTokenStore {
         this.ttl = ttlMs;
     }
     async create(agentDid, scopes, metadata) {
-        const bytes = new Uint8Array(16);
-        globalThis.crypto.getRandomValues(bytes);
-        const hex = Array.from(bytes).map(b => b.toString(16).padStart(2, '0')).join('');
-        const token = `rt_${hex}`;
+        const token = `rt_${Date.now()}_${Math.random().toString(36).substring(2, 18)}`;
         const now = Date.now();
         this.tokens.set(token, {
             agentDid,
@@ -72,70 +69,36 @@ export class MemoryResumeTokenStore {
  * @param agentDid - The agent's DID to verify
  * @param scopes - Required scopes for the operation
  * @param config - Authorization configuration including verifier, token store, etc.
+ * @param _resumeToken - Optional resume token from previous authorization attempt
  * @returns Result indicating authorization status, delegation, or auth hints
  */
-export async function verifyOrHints(agentDid, scopes, config) {
+export async function verifyOrHints(agentDid, scopes, config, _resumeToken) {
     const startTime = Date.now();
     if (config.debug) {
         logger.debug(`[AuthHandshake] Verifying ${agentDid} for scopes: ${scopes.join(', ')}`);
     }
     let reputation;
     if (config.reputationService && config.authorization.minReputationScore !== undefined) {
-        const unknownPolicy = config.authorization.unknownAgentPolicy ?? 'require-consent';
         try {
             reputation = await fetchAgentReputation(agentDid, config.reputationService);
-        }
-        catch (error) {
-            logger.error('[AuthHandshake] Reputation service unreachable, treating agent as unknown:', error);
-            reputation = {
-                agentDid,
-                score: null,
-                totalInteractions: 0,
-                successRate: 0,
-                riskLevel: 'unknown',
-                updatedAt: Date.now(),
-            };
-        }
-        if (config.debug) {
-            logger.debug(`[AuthHandshake] Reputation score: ${reputation.score}`);
-        }
-        // Unknown agent (no reputation data)
-        if (reputation.score === null) {
-            if (unknownPolicy === 'deny') {
-                const authError = await buildNeedsAuthorizationError(agentDid, scopes, config, 'Unknown agent denied by policy');
-                return {
-                    authorized: false,
-                    authError,
-                    reputation,
-                    reason: 'Unknown agent — policy: deny',
-                };
+            if (config.debug) {
+                logger.debug(`[AuthHandshake] Reputation score: ${reputation.score}`);
             }
-            if (unknownPolicy === 'require-consent') {
-                const authError = await buildNeedsAuthorizationError(agentDid, scopes, config, 'Unknown agent requires consent');
+            if (reputation.score < config.authorization.minReputationScore) {
+                if (config.debug) {
+                    logger.debug(`[AuthHandshake] Reputation ${reputation.score} < ${config.authorization.minReputationScore}, requiring authorization`);
+                }
+                const authError = await buildNeedsAuthorizationError(agentDid, scopes, config, 'Agent reputation score below threshold');
                 return {
                     authorized: false,
                     authError,
                     reputation,
-                    reason: 'Unknown agent — policy: require-consent',
+                    reason: 'Low reputation score',
                 };
             }
-            // unknownPolicy === 'allow' — skip reputation gate, continue to delegation check
-            if (config.debug) {
-                logger.debug('[AuthHandshake] Unknown agent allowed by policy, skipping reputation gate');
-            }
         }
-        // Known agent with score below threshold
-        if (reputation.score !== null && reputation.score < config.authorization.minReputationScore) {
-            if (config.debug) {
-                logger.debug(`[AuthHandshake] Reputation ${reputation.score} < ${config.authorization.minReputationScore}, requiring authorization`);
-            }
-            const authError = await buildNeedsAuthorizationError(agentDid, scopes, config, 'Agent reputation score below threshold');
-            return {
-                authorized: false,
-                authError,
-                reputation,
-                reason: 'Low reputation score',
-            };
+        catch (error) {
+            logger.warn('[AuthHandshake] Failed to check reputation:', error);
         }
     }
     let delegationResult;
@@ -199,7 +162,7 @@ async function fetchAgentReputation(agentDid, reputationConfig) {
         if (response.status === 404) {
             return {
                 agentDid,
-                score: null,
+                score: 50,
                 totalInteractions: 0,
                 successRate: 0,
                 riskLevel: 'unknown',
@@ -209,7 +172,7 @@ async function fetchAgentReputation(agentDid, reputationConfig) {
         throw new Error(`Reputation API error: ${response.status} ${response.statusText}`);
     }
     const data = (await response.json());
-    const score = data['score'] ?? 0;
+    const score = data['score'] ?? 50;
     const levelRaw = (data['level'] ??
         data['riskLevel'] ??
         'unknown').toLowerCase();

package/dist/auth/handshake.js.map

@@ -1 +1 @@
-{"version":3,"file":"handshake.js","sourceRoot":"","sources":["../../src/auth/handshake.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAMH,OAAO,EAAE,6BAA6B,EAAE,MAAM,sBAAsB,CAAC;AAErE,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAC;AAgG7C,MAAM,OAAO,sBAAsB;IACzB,MAAM,GAAG,IAAI,GAAG,EAUrB,CAAC;IACI,GAAG,CAAS;IAEpB,YAAY,KAAK,GAAG,OAAO;QACzB,IAAI,CAAC,GAAG,GAAG,KAAK,CAAC;IACnB,CAAC;IAED,KAAK,CAAC,MAAM,CACV,QAAgB,EAChB,MAAgB,EAChB,QAAkC;QAElC,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;QACjC,UAAU,CAAC,MAAM,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;QACzC,MAAM,GAAG,GAAG,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACjF,MAAM,KAAK,GAAG,MAAM,GAAG,EAAE,CAAC;QAC1B,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAEvB,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE;YACrB,QAAQ;YACR,MAAM;YACN,SAAS,EAAE,GAAG;YACd,SAAS,EAAE,GAAG,GAAG,IAAI,CAAC,GAAG;YACzB,QAAQ;YACR,SAAS,EAAE,KAAK;SACjB,CAAC,CAAC;QAEH,OAAO,KAAK,CAAC;IACf,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,KAAa;QAOrB,MAAM,IAAI,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACpC,IAAI,CAAC,IAAI;YAAE,OAAO,IAAI,CAAC;QAEvB,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,SAAS,EAAE,CAAC;YAChC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YAC1B,OAAO,IAAI,CAAC;QACd,CAAC;QAED,IAAI,IAAI,CAAC,SAAS;YAAE,OAAO,IAAI,CAAC;QAEhC,OAAO;YACL,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,QAAQ,EAAE,IAAI,CAAC,QAAQ;SACxB,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,KAAa;QACzB,MAAM,IAAI,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACpC,IAAI,IAAI,EAAE,CAAC;YACT,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC;QACxB,CAAC;IACH,CAAC;IAED,KAAK;QACH,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;IACtB,CAAC;CACF;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,QAAgB,EAChB,MAAgB,EAChB,MAA2B;IAE3B,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAE7B,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;QACjB,MAAM,CAAC,KAAK,CAAC,6BAA6B,QAAQ,gBAAgB,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACzF,CAAC;IAED,IAAI,UAAuC,CAAC;IAC5C,IAAI,MAAM,CAAC,iBAAiB,IAAI,MAAM,CAAC,aAAa,CAAC,kBAAkB,KAAK,SAAS,EAAE,CAAC;QACtF,MAAM,aAAa,GAAG,MAAM,CAAC,aAAa,CAAC,kBAAkB,IAAI,iBAAiB,CAAC;QAEnF,IAAI,CAAC;YACH,UAAU,GAAG,MAAM,oBAAoB,CAAC,QAAQ,EAAE,MAAM,CAAC,iBAAiB,CAAC,CAAC;QAC9E,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,CAAC,KAAK,CAAC,4EAA4E,EAAE,KAAK,CAAC,CAAC;YAClG,UAAU,GAAG;gBACX,QAAQ;gBACR,KAAK,EAAE,IAAI;gBACX,iBAAiB,EAAE,CAAC;gBACpB,WAAW,EAAE,CAAC;gBACd,SAAS,EAAE,SAAS;gBACpB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;aACtB,CAAC;QACJ,CAAC;QAED,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;YACjB,MAAM,CAAC,KAAK,CAAC,qCAAqC,UAAU,CAAC,KAAK,EAAE,CAAC,CAAC;QACxE,CAAC;QAED,qCAAqC;QACrC,IAAI,UAAU,CAAC,KAAK,KAAK,IAAI,EAAE,CAAC;YAC9B,IAAI,aAAa,KAAK,MAAM,EAAE,CAAC;gBAC7B,MAAM,SAAS,GAAG,MAAM,4BAA4B,CAClD,QAAQ,EACR,MAAM,EACN,MAAM,EACN,gCAAgC,CACjC,CAAC;gBACF,OAAO;oBACL,UAAU,EAAE,KAAK;oBACjB,SAAS;oBACT,UAAU;oBACV,MAAM,EAAE,8BAA8B;iBACvC,CAAC;YACJ,CAAC;YAED,IAAI,aAAa,KAAK,iBAAiB,EAAE,CAAC;gBACxC,MAAM,SAAS,GAAG,MAAM,4BAA4B,CAClD,QAAQ,EACR,MAAM,EACN,MAAM,EACN,gCAAgC,CACjC,CAAC;gBACF,OAAO;oBACL,UAAU,EAAE,KAAK;oBACjB,SAAS;oBACT,UAAU;oBACV,MAAM,EAAE,yCAAyC;iBAClD,CAAC;YACJ,CAAC;YAED,iFAAiF;YACjF,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;gBACjB,MAAM,CAAC,KAAK,CAAC,2EAA2E,CAAC,CAAC;YAC5F,CAAC;QACH,CAAC;QAED,yCAAyC;QACzC,IAAI,UAAU,CAAC,KAAK,KAAK,IAAI,IAAI,UAAU,CAAC,KAAK,GAAG,MAAM,CAAC,aAAa,CAAC,kBAAkB,EAAE,CAAC;YAC5F,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;gBACjB,MAAM,CAAC,KAAK,CACV,8BAA8B,UAAU,CAAC,KAAK,MAAM,MAAM,CAAC,aAAa,CAAC,kBAAkB,2BAA2B,CACvH,CAAC;YACJ,CAAC;YAED,MAAM,SAAS,GAAG,MAAM,4BAA4B,CAClD,QAAQ,EACR,MAAM,EACN,MAAM,EACN,wCAAwC,CACzC,CAAC;YAEF,OAAO;gBACL,UAAU,EAAE,KAAK;gBACjB,SAAS;gBACT,UAAU;gBACV,MAAM,EAAE,sBAAsB;aAC/B,CAAC;QACJ,CAAC;IACH,CAAC;IAED,IAAI,gBAAwC,CAAC;IAE7C,IAAI,CAAC;QACH,gBAAgB,GAAG,MAAM,MAAM,CAAC,kBAAkB,CAAC,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IAC9E,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,CAAC,KAAK,CAAC,iDAAiD,EAAE,KAAK,CAAC,CAAC;QACvE,MAAM,YAAY,GAAG,kCAAkC,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,EAAE,CAAC;QAElH,MAAM,SAAS,GAAG,MAAM,4BAA4B,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,YAAY,CAAC,CAAC;QAE7F,OAAO;YACL,UAAU,EAAE,KAAK;YACjB,SAAS;YACT,MAAM,EAAE,YAAY;SACrB,CAAC;IACJ,CAAC;IAED,IAAI,gBAAgB,CAAC,KAAK,IAAI,gBAAgB,CAAC,UAAU,EAAE,CAAC;QAC1D,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;YACjB,MAAM,CAAC,KAAK,CACV,iDAAiD,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,KAAK,CAC7E,CAAC;QACJ,CAAC;QAED,OAAO;YACL,UAAU,EAAE,IAAI;YAChB,UAAU,EAAE,gBAAgB,CAAC,UAAU;YACvC,UAAU,EAAE,gBAAgB,CAAC,UAAU;YACvC,UAAU;YACV,MAAM,EAAE,wBAAwB;SACjC,CAAC;IACJ,CAAC;IAED,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;QACjB,MAAM,CAAC,KAAK,CACV,uEAAuE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,KAAK,CACnG,CAAC;IACJ,CAAC;IAED,MAAM,SAAS,GAAG,MAAM,4BAA4B,CAClD,QAAQ,EACR,MAAM,EACN,MAAM,EACN,gBAAgB,CAAC,MAAM,IAAI,2BAA2B,CACvD,CAAC;IAEF,OAAO;QACL,UAAU,EAAE,KAAK;QACjB,SAAS;QACT,UAAU;QACV,MAAM,EAAE,gBAAgB,CAAC,MAAM,IAAI,eAAe;KACnD,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,oBAAoB,CACjC,QAAgB,EAChB,gBAA8E;IAE9E,MAAM,MAAM,GAAG,gBAAgB,CAAC,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IAC1D,MAAM,OAAO,GAA2B;QACtC,cAAc,EAAE,kBAAkB;KACnC,CAAC;IAEF,IAAI,gBAAgB,CAAC,MAAM,EAAE,CAAC;QAC5B,OAAO,CAAC,WAAW,CAAC,GAAG,gBAAgB,CAAC,MAAM,CAAC;IACjD,CAAC;IAED,MAAM,UAAU,GAAG,gBAAgB,CAAC,SAAS,KAAK,IAAI,CAAC;IACvD,IAAI,QAAkB,CAAC;IAEvB,IAAI,UAAU,EAAE,CAAC;QACf,QAAQ,GAAG,MAAM,KAAK,CACpB,GAAG,MAAM,kBAAkB,kBAAkB,CAAC,QAAQ,CAAC,EAAE,EACzD;YACE,MAAM,EAAE,MAAM;YACd,OAAO;YACP,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,eAAe,EAAE,KAAK,EAAE,CAAC;SACjD,CACF,CAAC;IACJ,CAAC;SAAM,CAAC;QACN,QAAQ,GAAG,MAAM,KAAK,CACpB,GAAG,MAAM,sBAAsB,kBAAkB,CAAC,QAAQ,CAAC,EAAE,EAC7D,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,CAC3B,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,OAAO;gBACL,QAAQ;gBACR,KAAK,EAAE,IAAI;gBACX,iBAAiB,EAAE,CAAC;gBACpB,WAAW,EAAE,CAAC;gBACd,SAAS,EAAE,SAAS;gBACpB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;aACtB,CAAC;QACJ,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,yBAAyB,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAC;IACrF,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA4B,CAAC;IAEhE,MAAM,KAAK,GAAI,IAAI,CAAC,OAAO,CAAwB,IAAI,CAAC,CAAC;IACzD,MAAM,QAAQ,GAAG,CACd,IAAI,CAAC,OAAO,CAAwB;QACpC,IAAI,CAAC,WAAW,CAAwB;QACzC,SAAS,CACV,CAAC,WAAW,EAAE,CAAC;IAChB,MAAM,SAAS,GACb,QAAQ,KAAK,KAAK,IAAI,QAAQ,KAAK,QAAQ,IAAI,QAAQ,KAAK,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC;IAE5F,OAAO;QACL,QAAQ,EACL,IAAI,CAAC,WAAW,CAAwB;YACxC,IAAI,CAAC,UAAU,CAAwB;YACxC,QAAQ;QACV,KAAK;QACL,iBAAiB,EAAG,IAAI,CAAC,mBAAmB,CAAwB,IAAI,CAAC;QACzE,WAAW,EAAG,IAAI,CAAC,aAAa,CAAwB,IAAI,CAAC;QAC7D,SAAS;QACT,SAAS,EAAE,IAAI,CAAC,cAAc,CAAC;YAC7B,CAAC,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,cAAc,CAAW,CAAC,CAAC,OAAO,EAAE;YACpD,CAAC,CAAC,CAAE,IAAI,CAAC,WAAW,CAAwB,IAAI,IAAI,CAAC,GAAG,EAAE,CAAC;KAC9D,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,4BAA4B,CACzC,QAAgB,EAChB,MAAgB,EAChB,MAA2B,EAC3B,OAAe;IAEf,MAAM,WAAW,GAAG,MAAM,MAAM,CAAC,gBAAgB,CAAC,MAAM,CAAC,QAAQ,EAAE,MAAM,EAAE;QACzE,WAAW,EAAE,IAAI,CAAC,GAAG,EAAE;KACxB,CAAC,CAAC;IAEH,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,MAAM,CAAC,aAAa,CAAC,cAAc,IAAI,OAAO,CAAC,CAAC;IAEhF,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,aAAa,CAAC,gBAAgB,CAAC,CAAC;IAC/D,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;IAChD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IACrD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE,WAAW,CAAC,CAAC;IAEtD,MAAM,QAAQ,GAAG,WAAW,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;IAE3D,MAAM,OAAO,GAAyB;QACpC,KAAK,EAAE,wBAAwB;QAC/B,IAAI,EAAE,CAAC,MAAM,EAAE,IAAI,CAAC;QACpB,iBAAiB,EAAE,QAAQ;QAC3B,KAAK,EAAE,oDAAoD,kBAAkB,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC,EAAE;KACpG,CAAC;IAEF,OAAO,6BAA6B,CAAC;QACnC,OAAO;QACP,gBAAgB,EAAE,OAAO,CAAC,QAAQ,EAAE;QACpC,WAAW;QACX,SAAS;QACT,MAAM;QACN,OAAO;KACR,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,MAAgB;IACjD,MAAM,iBAAiB,GAAG;QACxB,OAAO;QACP,QAAQ;QACR,OAAO;QACP,SAAS;QACT,UAAU;QACV,SAAS;QACT,QAAQ;KACT,CAAC;IAEF,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAC3B,iBAAiB,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAC3E,CAAC;AACJ,CAAC"}
+{"version":3,"file":"handshake.js","sourceRoot":"","sources":["../../src/auth/handshake.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAMH,OAAO,EAAE,6BAA6B,EAAE,MAAM,sBAAsB,CAAC;AAErE,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAC;AA+E7C,MAAM,OAAO,sBAAsB;IACzB,MAAM,GAAG,IAAI,GAAG,EAUrB,CAAC;IACI,GAAG,CAAS;IAEpB,YAAY,KAAK,GAAG,OAAO;QACzB,IAAI,CAAC,GAAG,GAAG,KAAK,CAAC;IACnB,CAAC;IAED,KAAK,CAAC,MAAM,CACV,QAAgB,EAChB,MAAgB,EAChB,QAAkC;QAElC,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,GAAG,EAAE,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC;QAChF,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAEvB,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE;YACrB,QAAQ;YACR,MAAM;YACN,SAAS,EAAE,GAAG;YACd,SAAS,EAAE,GAAG,GAAG,IAAI,CAAC,GAAG;YACzB,QAAQ;YACR,SAAS,EAAE,KAAK;SACjB,CAAC,CAAC;QAEH,OAAO,KAAK,CAAC;IACf,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,KAAa;QAOrB,MAAM,IAAI,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACpC,IAAI,CAAC,IAAI;YAAE,OAAO,IAAI,CAAC;QAEvB,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,SAAS,EAAE,CAAC;YAChC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YAC1B,OAAO,IAAI,CAAC;QACd,CAAC;QAED,IAAI,IAAI,CAAC,SAAS;YAAE,OAAO,IAAI,CAAC;QAEhC,OAAO;YACL,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,QAAQ,EAAE,IAAI,CAAC,QAAQ;SACxB,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,KAAa;QACzB,MAAM,IAAI,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACpC,IAAI,IAAI,EAAE,CAAC;YACT,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC;QACxB,CAAC;IACH,CAAC;IAED,KAAK;QACH,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;IACtB,CAAC;CACF;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,QAAgB,EAChB,MAAgB,EAChB,MAA2B,EAC3B,YAAqB;IAErB,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAE7B,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;QACjB,MAAM,CAAC,KAAK,CAAC,6BAA6B,QAAQ,gBAAgB,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACzF,CAAC;IAED,IAAI,UAAuC,CAAC;IAC5C,IAAI,MAAM,CAAC,iBAAiB,IAAI,MAAM,CAAC,aAAa,CAAC,kBAAkB,KAAK,SAAS,EAAE,CAAC;QACtF,IAAI,CAAC;YACH,UAAU,GAAG,MAAM,oBAAoB,CAAC,QAAQ,EAAE,MAAM,CAAC,iBAAiB,CAAC,CAAC;YAE5E,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;gBACjB,MAAM,CAAC,KAAK,CAAC,qCAAqC,UAAU,CAAC,KAAK,EAAE,CAAC,CAAC;YACxE,CAAC;YAED,IAAI,UAAU,CAAC,KAAK,GAAG,MAAM,CAAC,aAAa,CAAC,kBAAkB,EAAE,CAAC;gBAC/D,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;oBACjB,MAAM,CAAC,KAAK,CACV,8BAA8B,UAAU,CAAC,KAAK,MAAM,MAAM,CAAC,aAAa,CAAC,kBAAkB,2BAA2B,CACvH,CAAC;gBACJ,CAAC;gBAED,MAAM,SAAS,GAAG,MAAM,4BAA4B,CAClD,QAAQ,EACR,MAAM,EACN,MAAM,EACN,wCAAwC,CACzC,CAAC;gBAEF,OAAO;oBACL,UAAU,EAAE,KAAK;oBACjB,SAAS;oBACT,UAAU;oBACV,MAAM,EAAE,sBAAsB;iBAC/B,CAAC;YACJ,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,CAAC,IAAI,CAAC,6CAA6C,EAAE,KAAK,CAAC,CAAC;QACpE,CAAC;IACH,CAAC;IAED,IAAI,gBAAwC,CAAC;IAE7C,IAAI,CAAC;QACH,gBAAgB,GAAG,MAAM,MAAM,CAAC,kBAAkB,CAAC,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IAC9E,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,CAAC,KAAK,CAAC,iDAAiD,EAAE,KAAK,CAAC,CAAC;QACvE,MAAM,YAAY,GAAG,kCAAkC,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,EAAE,CAAC;QAElH,MAAM,SAAS,GAAG,MAAM,4BAA4B,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,YAAY,CAAC,CAAC;QAE7F,OAAO;YACL,UAAU,EAAE,KAAK;YACjB,SAAS;YACT,MAAM,EAAE,YAAY;SACrB,CAAC;IACJ,CAAC;IAED,IAAI,gBAAgB,CAAC,KAAK,IAAI,gBAAgB,CAAC,UAAU,EAAE,CAAC;QAC1D,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;YACjB,MAAM,CAAC,KAAK,CACV,iDAAiD,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,KAAK,CAC7E,CAAC;QACJ,CAAC;QAED,OAAO;YACL,UAAU,EAAE,IAAI;YAChB,UAAU,EAAE,gBAAgB,CAAC,UAAU;YACvC,UAAU,EAAE,gBAAgB,CAAC,UAAU;YACvC,UAAU;YACV,MAAM,EAAE,wBAAwB;SACjC,CAAC;IACJ,CAAC;IAED,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;QACjB,MAAM,CAAC,KAAK,CACV,uEAAuE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,KAAK,CACnG,CAAC;IACJ,CAAC;IAED,MAAM,SAAS,GAAG,MAAM,4BAA4B,CAClD,QAAQ,EACR,MAAM,EACN,MAAM,EACN,gBAAgB,CAAC,MAAM,IAAI,2BAA2B,CACvD,CAAC;IAEF,OAAO;QACL,UAAU,EAAE,KAAK;QACjB,SAAS;QACT,UAAU;QACV,MAAM,EAAE,gBAAgB,CAAC,MAAM,IAAI,eAAe;KACnD,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,oBAAoB,CACjC,QAAgB,EAChB,gBAA8E;IAE9E,MAAM,MAAM,GAAG,gBAAgB,CAAC,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IAC1D,MAAM,OAAO,GAA2B;QACtC,cAAc,EAAE,kBAAkB;KACnC,CAAC;IAEF,IAAI,gBAAgB,CAAC,MAAM,EAAE,CAAC;QAC5B,OAAO,CAAC,WAAW,CAAC,GAAG,gBAAgB,CAAC,MAAM,CAAC;IACjD,CAAC;IAED,MAAM,UAAU,GAAG,gBAAgB,CAAC,SAAS,KAAK,IAAI,CAAC;IACvD,IAAI,QAAkB,CAAC;IAEvB,IAAI,UAAU,EAAE,CAAC;QACf,QAAQ,GAAG,MAAM,KAAK,CACpB,GAAG,MAAM,kBAAkB,kBAAkB,CAAC,QAAQ,CAAC,EAAE,EACzD;YACE,MAAM,EAAE,MAAM;YACd,OAAO;YACP,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,eAAe,EAAE,KAAK,EAAE,CAAC;SACjD,CACF,CAAC;IACJ,CAAC;SAAM,CAAC;QACN,QAAQ,GAAG,MAAM,KAAK,CACpB,GAAG,MAAM,sBAAsB,kBAAkB,CAAC,QAAQ,CAAC,EAAE,EAC7D,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,CAC3B,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,OAAO;gBACL,QAAQ;gBACR,KAAK,EAAE,EAAE;gBACT,iBAAiB,EAAE,CAAC;gBACpB,WAAW,EAAE,CAAC;gBACd,SAAS,EAAE,SAAS;gBACpB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;aACtB,CAAC;QACJ,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,yBAAyB,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAC;IACrF,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA4B,CAAC;IAEhE,MAAM,KAAK,GAAI,IAAI,CAAC,OAAO,CAAwB,IAAI,EAAE,CAAC;IAC1D,MAAM,QAAQ,GAAG,CACd,IAAI,CAAC,OAAO,CAAwB;QACpC,IAAI,CAAC,WAAW,CAAwB;QACzC,SAAS,CACV,CAAC,WAAW,EAAE,CAAC;IAChB,MAAM,SAAS,GACb,QAAQ,KAAK,KAAK,IAAI,QAAQ,KAAK,QAAQ,IAAI,QAAQ,KAAK,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC;IAE5F,OAAO;QACL,QAAQ,EACL,IAAI,CAAC,WAAW,CAAwB;YACxC,IAAI,CAAC,UAAU,CAAwB;YACxC,QAAQ;QACV,KAAK;QACL,iBAAiB,EAAG,IAAI,CAAC,mBAAmB,CAAwB,IAAI,CAAC;QACzE,WAAW,EAAG,IAAI,CAAC,aAAa,CAAwB,IAAI,CAAC;QAC7D,SAAS;QACT,SAAS,EAAE,IAAI,CAAC,cAAc,CAAC;YAC7B,CAAC,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,cAAc,CAAW,CAAC,CAAC,OAAO,EAAE;YACpD,CAAC,CAAC,CAAE,IAAI,CAAC,WAAW,CAAwB,IAAI,IAAI,CAAC,GAAG,EAAE,CAAC;KAC9D,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,4BAA4B,CACzC,QAAgB,EAChB,MAAgB,EAChB,MAA2B,EAC3B,OAAe;IAEf,MAAM,WAAW,GAAG,MAAM,MAAM,CAAC,gBAAgB,CAAC,MAAM,CAAC,QAAQ,EAAE,MAAM,EAAE;QACzE,WAAW,EAAE,IAAI,CAAC,GAAG,EAAE;KACxB,CAAC,CAAC;IAEH,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,MAAM,CAAC,aAAa,CAAC,cAAc,IAAI,OAAO,CAAC,CAAC;IAEhF,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,aAAa,CAAC,gBAAgB,CAAC,CAAC;IAC/D,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;IAChD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IACrD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE,WAAW,CAAC,CAAC;IAEtD,MAAM,QAAQ,GAAG,WAAW,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;IAE3D,MAAM,OAAO,GAAyB;QACpC,KAAK,EAAE,wBAAwB;QAC/B,IAAI,EAAE,CAAC,MAAM,EAAE,IAAI,CAAC;QACpB,iBAAiB,EAAE,QAAQ;QAC3B,KAAK,EAAE,oDAAoD,kBAAkB,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC,EAAE;KACpG,CAAC;IAEF,OAAO,6BAA6B,CAAC;QACnC,OAAO;QACP,gBAAgB,EAAE,OAAO,CAAC,QAAQ,EAAE;QACpC,WAAW;QACX,SAAS;QACT,MAAM;QACN,OAAO;KACR,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,MAAgB;IACjD,MAAM,iBAAiB,GAAG;QACxB,OAAO;QACP,QAAQ;QACR,OAAO;QACP,SAAS;QACT,UAAU;QACV,SAAS;QACT,QAAQ;KACT,CAAC;IAEF,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAC3B,iBAAiB,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAC3E,CAAC;AACJ,CAAC"}

package/dist/auth/index.d.ts

@@ -1,3 +1,3 @@
-export { verifyOrHints, hasSensitiveScopes, MemoryResumeTokenStore, type AuthHandshakeConfig, type VerifyOrHintsResult, type AgentReputation, type ResumeTokenStore, type UnknownAgentPolicy, } from './handshake.js';
+export { verifyOrHints, hasSensitiveScopes, MemoryResumeTokenStore, type AuthHandshakeConfig, type VerifyOrHintsResult, type AgentReputation, type ResumeTokenStore, } from './handshake.js';
 export type { DelegationVerifier, VerifyDelegationResult } from './types.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/auth/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,aAAa,EACb,kBAAkB,EAClB,sBAAsB,EACtB,KAAK,mBAAmB,EACxB,KAAK,mBAAmB,EACxB,KAAK,eAAe,EACpB,KAAK,gBAAgB,EACrB,KAAK,kBAAkB,GACxB,MAAM,gBAAgB,CAAC;AAExB,YAAY,EAAE,kBAAkB,EAAE,sBAAsB,EAAE,MAAM,YAAY,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,aAAa,EACb,kBAAkB,EAClB,sBAAsB,EACtB,KAAK,mBAAmB,EACxB,KAAK,mBAAmB,EACxB,KAAK,eAAe,EACpB,KAAK,gBAAgB,GACtB,MAAM,gBAAgB,CAAC;AAExB,YAAY,EAAE,kBAAkB,EAAE,sBAAsB,EAAE,MAAM,YAAY,CAAC"}

package/dist/auth/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,aAAa,EACb,kBAAkB,EAClB,sBAAsB,GAMvB,MAAM,gBAAgB,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,aAAa,EACb,kBAAkB,EAClB,sBAAsB,GAKvB,MAAM,gBAAgB,CAAC"}

package/dist/delegation/did-key-resolver.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"did-key-resolver.d.ts","sourceRoot":"","sources":["../../src/delegation/did-key-resolver.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAKH,OAAO,KAAK,EAAE,WAAW,EAAE,WAAW,EAAsB,MAAM,kBAAkB,CAAC;AASrF;;;;;;;;;GASG;AACH,wBAAgB,eAAe,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAEpD;AAED;;;;;GAKG;AACH,wBAAgB,0BAA0B,CAAC,GAAG,EAAE,MAAM,GAAG,UAAU,GAAG,IAAI,CA8BzE;AAED;;;;;GAKG;AACH,wBAAgB,cAAc,CAAC,cAAc,EAAE,UAAU,GAAG;IAC1D,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,CAAC,EAAE,MAAM,CAAC;CACX,CAMA;AAED;;;;;;;GAOG;AACH,wBAAgB,oBAAoB,IAAI,WAAW,CAwClD;AAED;;;;;;;GAOG;AACH,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,MAAM,GAAG,WAAW,GAAG,IAAI,CA6BjE"}
+{"version":3,"file":"did-key-resolver.d.ts","sourceRoot":"","sources":["../../src/delegation/did-key-resolver.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAIH,OAAO,KAAK,EAAE,WAAW,EAAE,WAAW,EAAsB,MAAM,kBAAkB,CAAC;AASrF;;;;;;;;;GASG;AACH,wBAAgB,eAAe,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAEpD;AAED;;;;;GAKG;AACH,wBAAgB,0BAA0B,CAAC,GAAG,EAAE,MAAM,GAAG,UAAU,GAAG,IAAI,CA8BzE;AAED;;;;;GAKG;AACH,wBAAgB,cAAc,CAAC,cAAc,EAAE,UAAU,GAAG;IAC1D,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,CAAC,EAAE,MAAM,CAAC;CACX,CAMA;AAED;;;;;;;GAOG;AACH,wBAAgB,oBAAoB,IAAI,WAAW,CAsClD;AAED;;;;;;;GAOG;AACH,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,MAAM,GAAG,WAAW,GAAG,IAAI,CA2BjE"}

package/dist/delegation/did-key-resolver.js

@@ -14,7 +14,6 @@
  * @see https://w3c-ccg.github.io/did-method-key/
  */
 import { base58Decode } from '../utils/base58.js';
-import { didKeyFragment } from '../utils/did-helpers.js';
 import { base64urlEncodeFromBytes } from '../utils/base64.js';
 import { logger } from '../logging/index.js';
 /** Ed25519 multicodec prefix (0xed 0x01) */
@@ -103,9 +102,8 @@ export function createDidKeyResolver() {
             // Get the multibase-encoded key for publicKeyMultibase
             const multibaseKey = did.replace('did:key:', '');
             // Construct the verification method
-            const fragment = didKeyFragment(did);
             const verificationMethod = {
-                id: `${did}#${fragment}`,
+                id: `${did}#keys-1`,
                 type: 'Ed25519VerificationKey2020',
                 controller: did,
                 publicKeyJwk,
@@ -115,8 +113,8 @@ export function createDidKeyResolver() {
             return {
                 id: did,
                 verificationMethod: [verificationMethod],
-                authentication: [`${did}#${fragment}`],
-                assertionMethod: [`${did}#${fragment}`],
+                authentication: [`${did}#keys-1`],
+                assertionMethod: [`${did}#keys-1`],
             };
         },
     };
@@ -139,9 +137,8 @@ export function resolveDidKeySync(did) {
     }
     const publicKeyJwk = publicKeyToJwk(publicKeyBytes);
     const multibaseKey = did.replace('did:key:', '');
-    const fragment = didKeyFragment(did);
     const verificationMethod = {
-        id: `${did}#${fragment}`,
+        id: `${did}#keys-1`,
         type: 'Ed25519VerificationKey2020',
         controller: did,
         publicKeyJwk,
@@ -150,8 +147,8 @@ export function resolveDidKeySync(did) {
     return {
         id: did,
         verificationMethod: [verificationMethod],
-        authentication: [`${did}#${fragment}`],
-        assertionMethod: [`${did}#${fragment}`],
+        authentication: [`${did}#keys-1`],
+        assertionMethod: [`${did}#keys-1`],
     };
 }
 //# sourceMappingURL=did-key-resolver.js.map

package/dist/delegation/did-key-resolver.js.map

@@ -1 +1 @@
-{"version":3,"file":"did-key-resolver.js","sourceRoot":"","sources":["../../src/delegation/did-key-resolver.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AACzD,OAAO,EAAE,wBAAwB,EAAE,MAAM,oBAAoB,CAAC;AAE9D,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAC;AAE7C,4CAA4C;AAC5C,MAAM,yBAAyB,GAAG,IAAI,UAAU,CAAC,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC;AAE/D,gCAAgC;AAChC,MAAM,yBAAyB,GAAG,EAAE,CAAC;AAErC;;;;;;;;;GASG;AACH,MAAM,UAAU,eAAe,CAAC,GAAW;IACzC,OAAO,GAAG,CAAC,UAAU,CAAC,cAAc,CAAC,CAAC;AACxC,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,0BAA0B,CAAC,GAAW;IACpD,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;QACjC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,CAAC;QACH,wDAAwD;QACxD,MAAM,YAAY,GAAG,GAAG,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;QAEjD,8CAA8C;QAC9C,MAAM,aAAa,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QAE5C,qBAAqB;QACrB,MAAM,eAAe,GAAG,YAAY,CAAC,aAAa,CAAC,CAAC;QAEpD,kDAAkD;QAClD,IACE,eAAe,CAAC,MAAM,GAAG,yBAAyB,CAAC,MAAM,GAAG,yBAAyB;YACrF,eAAe,CAAC,CAAC,CAAC,KAAK,yBAAyB,CAAC,CAAC,CAAC;YACnD,eAAe,CAAC,CAAC,CAAC,KAAK,yBAAyB,CAAC,CAAC,CAAC,EACnD,CAAC;YACD,OAAO,IAAI,CAAC;QACd,CAAC;QAED,kDAAkD;QAClD,OAAO,eAAe,CAAC,KAAK,CAAC,yBAAyB,CAAC,MAAM,CAAC,CAAC;IACjE,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,CAAC,KAAK,CAAC,2CAA2C,EAAE,KAAK,CAAC,CAAC;QACjE,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,cAAc,CAAC,cAA0B;IAKvD,OAAO;QACL,GAAG,EAAE,KAAK;QACV,GAAG,EAAE,SAAS;QACd,CAAC,EAAE,wBAAwB,CAAC,cAAc,CAAC;KAC5C,CAAC;AACJ,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,oBAAoB;IAClC,OAAO;QACL,OAAO,EAAE,KAAK,EAAE,GAAW,EAA+B,EAAE;YAC1D,uCAAuC;YACvC,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,EAAE,CAAC;gBAC1B,OAAO,IAAI,CAAC;YACd,CAAC;YAED,yBAAyB;YACzB,MAAM,cAAc,GAAG,0BAA0B,CAAC,GAAG,CAAC,CAAC;YACvD,IAAI,CAAC,cAAc,EAAE,CAAC;gBACpB,OAAO,IAAI,CAAC;YACd,CAAC;YAED,iBAAiB;YACjB,MAAM,YAAY,GAAG,cAAc,CAAC,cAAc,CAAC,CAAC;YAEpD,uDAAuD;YACvD,MAAM,YAAY,GAAG,GAAG,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;YAEjD,oCAAoC;YACpC,MAAM,QAAQ,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC;YAErC,MAAM,kBAAkB,GAAuB;gBAC7C,EAAE,EAAE,GAAG,GAAG,IAAI,QAAQ,EAAE;gBACxB,IAAI,EAAE,4BAA4B;gBAClC,UAAU,EAAE,GAAG;gBACf,YAAY;gBACZ,kBAAkB,EAAE,YAAY;aACjC,CAAC;YAEF,wCAAwC;YACxC,OAAO;gBACL,EAAE,EAAE,GAAG;gBACP,kBAAkB,EAAE,CAAC,kBAAkB,CAAC;gBACxC,cAAc,EAAE,CAAC,GAAG,GAAG,IAAI,QAAQ,EAAE,CAAC;gBACtC,eAAe,EAAE,CAAC,GAAG,GAAG,IAAI,QAAQ,EAAE,CAAC;aACxC,CAAC;QACJ,CAAC;KACF,CAAC;AACJ,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,iBAAiB,CAAC,GAAW;IAC3C,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,EAAE,CAAC;QAC1B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,cAAc,GAAG,0BAA0B,CAAC,GAAG,CAAC,CAAC;IACvD,IAAI,CAAC,cAAc,EAAE,CAAC;QACpB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,YAAY,GAAG,cAAc,CAAC,cAAc,CAAC,CAAC;IACpD,MAAM,YAAY,GAAG,GAAG,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;IAEjD,MAAM,QAAQ,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC;IAErC,MAAM,kBAAkB,GAAuB;QAC7C,EAAE,EAAE,GAAG,GAAG,IAAI,QAAQ,EAAE;QACxB,IAAI,EAAE,4BAA4B;QAClC,UAAU,EAAE,GAAG;QACf,YAAY;QACZ,kBAAkB,EAAE,YAAY;KACjC,CAAC;IAEF,OAAO;QACL,EAAE,EAAE,GAAG;QACP,kBAAkB,EAAE,CAAC,kBAAkB,CAAC;QACxC,cAAc,EAAE,CAAC,GAAG,GAAG,IAAI,QAAQ,EAAE,CAAC;QACtC,eAAe,EAAE,CAAC,GAAG,GAAG,IAAI,QAAQ,EAAE,CAAC;KACxC,CAAC;AACJ,CAAC"}
+{"version":3,"file":"did-key-resolver.js","sourceRoot":"","sources":["../../src/delegation/did-key-resolver.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,wBAAwB,EAAE,MAAM,oBAAoB,CAAC;AAE9D,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAC;AAE7C,4CAA4C;AAC5C,MAAM,yBAAyB,GAAG,IAAI,UAAU,CAAC,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC;AAE/D,gCAAgC;AAChC,MAAM,yBAAyB,GAAG,EAAE,CAAC;AAErC;;;;;;;;;GASG;AACH,MAAM,UAAU,eAAe,CAAC,GAAW;IACzC,OAAO,GAAG,CAAC,UAAU,CAAC,cAAc,CAAC,CAAC;AACxC,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,0BAA0B,CAAC,GAAW;IACpD,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;QACjC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,CAAC;QACH,wDAAwD;QACxD,MAAM,YAAY,GAAG,GAAG,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;QAEjD,8CAA8C;QAC9C,MAAM,aAAa,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QAE5C,qBAAqB;QACrB,MAAM,eAAe,GAAG,YAAY,CAAC,aAAa,CAAC,CAAC;QAEpD,kDAAkD;QAClD,IACE,eAAe,CAAC,MAAM,GAAG,yBAAyB,CAAC,MAAM,GAAG,yBAAyB;YACrF,eAAe,CAAC,CAAC,CAAC,KAAK,yBAAyB,CAAC,CAAC,CAAC;YACnD,eAAe,CAAC,CAAC,CAAC,KAAK,yBAAyB,CAAC,CAAC,CAAC,EACnD,CAAC;YACD,OAAO,IAAI,CAAC;QACd,CAAC;QAED,kDAAkD;QAClD,OAAO,eAAe,CAAC,KAAK,CAAC,yBAAyB,CAAC,MAAM,CAAC,CAAC;IACjE,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,CAAC,KAAK,CAAC,2CAA2C,EAAE,KAAK,CAAC,CAAC;QACjE,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,cAAc,CAAC,cAA0B;IAKvD,OAAO;QACL,GAAG,EAAE,KAAK;QACV,GAAG,EAAE,SAAS;QACd,CAAC,EAAE,wBAAwB,CAAC,cAAc,CAAC;KAC5C,CAAC;AACJ,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,oBAAoB;IAClC,OAAO;QACL,OAAO,EAAE,KAAK,EAAE,GAAW,EAA+B,EAAE;YAC1D,uCAAuC;YACvC,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,EAAE,CAAC;gBAC1B,OAAO,IAAI,CAAC;YACd,CAAC;YAED,yBAAyB;YACzB,MAAM,cAAc,GAAG,0BAA0B,CAAC,GAAG,CAAC,CAAC;YACvD,IAAI,CAAC,cAAc,EAAE,CAAC;gBACpB,OAAO,IAAI,CAAC;YACd,CAAC;YAED,iBAAiB;YACjB,MAAM,YAAY,GAAG,cAAc,CAAC,cAAc,CAAC,CAAC;YAEpD,uDAAuD;YACvD,MAAM,YAAY,GAAG,GAAG,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;YAEjD,oCAAoC;YACpC,MAAM,kBAAkB,GAAuB;gBAC7C,EAAE,EAAE,GAAG,GAAG,SAAS;gBACnB,IAAI,EAAE,4BAA4B;gBAClC,UAAU,EAAE,GAAG;gBACf,YAAY;gBACZ,kBAAkB,EAAE,YAAY;aACjC,CAAC;YAEF,wCAAwC;YACxC,OAAO;gBACL,EAAE,EAAE,GAAG;gBACP,kBAAkB,EAAE,CAAC,kBAAkB,CAAC;gBACxC,cAAc,EAAE,CAAC,GAAG,GAAG,SAAS,CAAC;gBACjC,eAAe,EAAE,CAAC,GAAG,GAAG,SAAS,CAAC;aACnC,CAAC;QACJ,CAAC;KACF,CAAC;AACJ,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,iBAAiB,CAAC,GAAW;IAC3C,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,EAAE,CAAC;QAC1B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,cAAc,GAAG,0BAA0B,CAAC,GAAG,CAAC,CAAC;IACvD,IAAI,CAAC,cAAc,EAAE,CAAC;QACpB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,YAAY,GAAG,cAAc,CAAC,cAAc,CAAC,CAAC;IACpD,MAAM,YAAY,GAAG,GAAG,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;IAEjD,MAAM,kBAAkB,GAAuB;QAC7C,EAAE,EAAE,GAAG,GAAG,SAAS;QACnB,IAAI,EAAE,4BAA4B;QAClC,UAAU,EAAE,GAAG;QACf,YAAY;QACZ,kBAAkB,EAAE,YAAY;KACjC,CAAC;IAEF,OAAO;QACL,EAAE,EAAE,GAAG;QACP,kBAAkB,EAAE,CAAC,kBAAkB,CAAC;QACxC,cAAc,EAAE,CAAC,GAAG,GAAG,SAAS,CAAC;QACjC,eAAe,EAAE,CAAC,GAAG,GAAG,SAAS,CAAC;KACnC,CAAC;AACJ,CAAC"}

package/dist/delegation/outbound-headers.d.ts

@@ -13,6 +13,7 @@
  * Related Spec: MCP-I §7 — Outbound Delegation Propagation
  */
 import type { SessionContext, DelegationRecord } from '../types/protocol.js';
+import type { CryptoProvider } from '../providers/base.js';
 /**
  * Header names for outbound delegation propagation
  */
@@ -56,6 +57,7 @@ export interface OutboundDelegationHeaders {
  * downstream service can independently verify the delegation chain.
  *
  * @param context - The delegation context including session, delegation, and server identity
+ * @param _cryptoProvider - CryptoProvider (reserved for future use)
  * @returns Headers object to attach to the outbound request
  *
  * @throws {Error} If session is missing agentDid or sessionId
@@ -69,11 +71,11 @@ export interface OutboundDelegationHeaders {
  *   delegation,
  *   serverIdentity: { did: serverDid, kid: serverKid, privateKey },
  *   targetUrl: 'https://downstream-api.example.com/resource',
- * });
+ * }, cryptoProvider);
  *
  * // Attach headers to your HTTP request
  * fetch(targetUrl, { headers });
  * ```
  */
-export declare function buildOutboundDelegationHeaders(context: OutboundDelegationContext): Promise<OutboundDelegationHeaders>;
+export declare function buildOutboundDelegationHeaders(context: OutboundDelegationContext, _cryptoProvider: CryptoProvider): Promise<OutboundDelegationHeaders>;
 //# sourceMappingURL=outbound-headers.d.ts.map