@vess-id/ai-identity 0.10.0 → 0.12.0

package/dist/index.d.ts

@@ -10,8 +10,8 @@ export { DeviceEnrollManager, DeviceEnrollStartParams, DeviceEnrollServerSidePar
 export { VCManager } from './vc/vc-manager';
 export { APIVCManager } from './vc/api-vc-manager';
 export { VPManager } from './vp/vp-manager';
+export { buildKbJwtPayload, KB_JWT_DEFAULT_LIFETIME_SECONDS, normalizeDomain, readVcExpSeconds, KbJwtPayload, BuildKbJwtPayloadArgs, BuildKbJwtPayloadDeps, } from './vp/kb-jwt-builder';
 export { ToolManager, ToolDefinition } from './tool/tool-manager';
-export { MemoryManager, MemoryDocument, MemoryQuery, MemoryQueryResult, } from './memory/memory-manager';
 export { getDefaultDisclosureFields, DisclosureFields, } from './utils/sdjwt-disclosure';
 export { ConstraintEvaluator, ConstraintEvaluatorOptions, defaultConstraintEvaluator, evaluateConstraints, } from './constraint/constraint-evaluator';
 export * from './storage';
@@ -31,5 +31,6 @@ export { TargetResolver, extractProjectKey } from './resolver/target-resolver';
 export * from './types';
 export { isWriteAction, WRITE_ACTION_NAMES } from './utils/action-classifier';
 export { resolveUserTier, getTierLimits, isUnlimited } from './utils/tier-utils';
+export * from './internal-signature';
 export declare const version = "0.0.1";
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,eAAe,EAAE,SAAS,EAAE,MAAM,UAAU,CAAA;AAGrD,OAAO,EAAE,SAAS,EAAE,eAAe,EAAE,MAAM,UAAU,CAAA;AAGrD,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAA;AAC1C,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAA;AAC9C,OAAO,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAA;AAC3D,OAAO,EAAE,mBAAmB,EAAE,MAAM,kCAAkC,CAAA;AACtE,OAAO,EAAE,kBAAkB,EAAE,MAAM,kCAAkC,CAAA;AACrE,YAAY,EAAE,uBAAuB,EAAE,MAAM,kCAAkC,CAAA;AAC/E,OAAO,EACL,mBAAmB,EACnB,uBAAuB,EACvB,4BAA4B,EAC5B,uBAAuB,EACvB,sBAAsB,GACvB,MAAM,kCAAkC,CAAA;AACzC,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAA;AAC3C,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAA;AAClD,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAA;AAC3C,OAAO,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAA;AACjE,OAAO,EACL,aAAa,EACb,cAAc,EACd,WAAW,EACX,iBAAiB,GAClB,MAAM,yBAAyB,CAAA;AAEhC,OAAO,EACL,0BAA0B,EAC1B,gBAAgB,GACjB,MAAM,0BAA0B,CAAA;AAGjC,OAAO,EACL,mBAAmB,EACnB,0BAA0B,EAC1B,0BAA0B,EAC1B,mBAAmB,GACpB,MAAM,mCAAmC,CAAA;AAG1C,cAAc,WAAW,CAAA;AAGzB,YAAY,EAAE,WAAW,EAAE,MAAM,+BAA+B,CAAA;AAChE,OAAO,EAAE,cAAc,EAAE,MAAM,0BAA0B,CAAA;AAGzD,OAAO,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAA;AACtE,YAAY,EACV,YAAY,EACZ,iBAAiB,EACjB,gBAAgB,EAChB,gBAAgB,EAChB,sBAAsB,GACvB,MAAM,0BAA0B,CAAA;AAGjC,OAAO,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAA;AACnD,YAAY,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAA;AAErD,cAAc,YAAY,CAAA;AAG1B,OAAO,EAAE,qBAAqB,EAAE,2BAA2B,EAAE,sBAAsB,EAAE,MAAM,2BAA2B,CAAA;AACtH,YAAY,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAA;AAGnE,OAAO,EAAE,eAAe,EAAE,OAAO,EAAE,SAAS,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAA;AACnF,OAAO,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAA;AAGlD,OAAO,EACL,YAAY,EACZ,gBAAgB,EAChB,uBAAuB,EACvB,aAAa,EACb,eAAe,EACf,eAAe,GAChB,MAAM,iBAAiB,CAAA;AAGxB,OAAO,EAAE,cAAc,EAAE,iBAAiB,EAAE,MAAM,4BAA4B,CAAA;AAG9E,cAAc,SAAS,CAAA;AAGvB,OAAO,EAAE,aAAa,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAA;AAG7E,OAAO,EAAE,eAAe,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAA;AAGhF,eAAO,MAAM,OAAO,UAAU,CAAA"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,eAAe,EAAE,SAAS,EAAE,MAAM,UAAU,CAAA;AAGrD,OAAO,EAAE,SAAS,EAAE,eAAe,EAAE,MAAM,UAAU,CAAA;AAGrD,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAA;AAC1C,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAA;AAC9C,OAAO,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAA;AAC3D,OAAO,EAAE,mBAAmB,EAAE,MAAM,kCAAkC,CAAA;AACtE,OAAO,EAAE,kBAAkB,EAAE,MAAM,kCAAkC,CAAA;AACrE,YAAY,EAAE,uBAAuB,EAAE,MAAM,kCAAkC,CAAA;AAC/E,OAAO,EACL,mBAAmB,EACnB,uBAAuB,EACvB,4BAA4B,EAC5B,uBAAuB,EACvB,sBAAsB,GACvB,MAAM,kCAAkC,CAAA;AACzC,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAA;AAC3C,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAA;AAClD,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAA;AAC3C,OAAO,EACL,iBAAiB,EACjB,+BAA+B,EAC/B,eAAe,EACf,gBAAgB,EAChB,YAAY,EACZ,qBAAqB,EACrB,qBAAqB,GACtB,MAAM,qBAAqB,CAAA;AAC5B,OAAO,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAA;AAEjE,OAAO,EACL,0BAA0B,EAC1B,gBAAgB,GACjB,MAAM,0BAA0B,CAAA;AAGjC,OAAO,EACL,mBAAmB,EACnB,0BAA0B,EAC1B,0BAA0B,EAC1B,mBAAmB,GACpB,MAAM,mCAAmC,CAAA;AAG1C,cAAc,WAAW,CAAA;AAGzB,YAAY,EAAE,WAAW,EAAE,MAAM,+BAA+B,CAAA;AAChE,OAAO,EAAE,cAAc,EAAE,MAAM,0BAA0B,CAAA;AAGzD,OAAO,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAA;AACtE,YAAY,EACV,YAAY,EACZ,iBAAiB,EACjB,gBAAgB,EAChB,gBAAgB,EAChB,sBAAsB,GACvB,MAAM,0BAA0B,CAAA;AAGjC,OAAO,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAA;AACnD,YAAY,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAA;AAErD,cAAc,YAAY,CAAA;AAG1B,OAAO,EAAE,qBAAqB,EAAE,2BAA2B,EAAE,sBAAsB,EAAE,MAAM,2BAA2B,CAAA;AACtH,YAAY,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAA;AAGnE,OAAO,EAAE,eAAe,EAAE,OAAO,EAAE,SAAS,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAA;AACnF,OAAO,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAA;AAGlD,OAAO,EACL,YAAY,EACZ,gBAAgB,EAChB,uBAAuB,EACvB,aAAa,EACb,eAAe,EACf,eAAe,GAChB,MAAM,iBAAiB,CAAA;AAGxB,OAAO,EAAE,cAAc,EAAE,iBAAiB,EAAE,MAAM,4BAA4B,CAAA;AAG9E,cAAc,SAAS,CAAA;AAGvB,OAAO,EAAE,aAAa,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAA;AAG7E,OAAO,EAAE,eAAe,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAA;AAKhF,cAAc,sBAAsB,CAAA;AAGpC,eAAO,MAAM,OAAO,UAAU,CAAA"}

package/dist/index.js

@@ -52,6 +52,7 @@ __export(index_exports, {
   DummyCreds: () => DummyCreds,
   DummyVpVerifier: () => DummyVpVerifier,
   FilesystemKeyStorage: () => FilesystemKeyStorage,
+  GATEWAY_ERROR_CODE: () => GATEWAY_ERROR_CODE,
   GatewayClient: () => GatewayClient,
   GatewayError: () => GatewayError,
   GrantResourceType: () => GrantResourceType,
@@ -60,16 +61,20 @@ __export(index_exports, {
   InvalidVPError: () => InvalidVPError,
   InvitationStatus: () => InvitationStatus,
   JsonStateStore: () => JsonStateStore,
+  KB_JWT_DEFAULT_LIFETIME_SECONDS: () => KB_JWT_DEFAULT_LIFETIME_SECONDS,
   KeyManager: () => KeyManager,
   LEGACY_RESOURCE_TYPE_MAP: () => LEGACY_RESOURCE_TYPE_MAP,
+  MIN_SIGNER_KEY_BYTES: () => MIN_SIGNER_KEY_BYTES,
   MemoryKeyStorage: () => MemoryKeyStorage,
-  MemoryManager: () => MemoryManager,
   NetworkError: () => NetworkError,
   OAuthProvider: () => OAuthProvider,
   PROVIDER_ALIASES: () => PROVIDER_ALIASES,
+  REAUTH_REQUIRED_ACTION: () => REAUTH_REQUIRED_ACTION,
   RESOURCE_TYPES: () => RESOURCE_TYPES,
   ReceiptStatus: () => ReceiptStatus,
   SDJwtClient: () => SDJwtClient,
+  SIGNATURE_HEADER: () => SIGNATURE_HEADER,
+  SIGNATURE_VERSION_PREFIX: () => SIGNATURE_VERSION_PREFIX,
   ScopeUnmatchedError: () => ScopeUnmatchedError,
   SimpleRebac: () => SimpleRebac,
   StandardActionCategory: () => StandardActionCategory,
@@ -87,7 +92,9 @@ __export(index_exports, {
   VCType: () => VCType,
   VPManager: () => VPManager,
   WRITE_ACTION_NAMES: () => WRITE_ACTION_NAMES,
+  buildCanonicalString: () => buildCanonicalString,
   buildGrantIdFields: () => buildGrantIdFields,
+  buildKbJwtPayload: () => buildKbJwtPayload,
   canonicalizeAction: () => canonicalizeAction,
   checkPermissionWithVP: () => checkPermissionWithVP,
   configure: () => configure,
@@ -99,6 +106,7 @@ __export(index_exports, {
   extractProjectKey: () => extractProjectKey,
   extractPublicKey: () => extractPublicKey,
   extractPublicKeyFromDid: () => extractPublicKeyFromDid,
+  formatSignatureHeader: () => formatSignatureHeader,
   generateActionParamsDisplay: () => generateActionParamsDisplay,
   generateActionSummary: () => generateActionSummary,
   generateKeyPair: () => generateKeyPair,
@@ -125,16 +133,21 @@ __export(index_exports, {
   isWriteAction: () => isWriteAction,
   loadActionRegistryFromFile: () => loadActionRegistryFromFile,
   loadActionRegistryFromObject: () => loadActionRegistryFromObject,
+  normalizeDomain: () => normalizeDomain,
   normalizeMcpActionName: () => normalizeMcpActionName,
   parseGrantAction: () => parseGrantAction,
   parseGrantResourceType: () => parseGrantResourceType,
+  parseSignatureHeader: () => parseSignatureHeader,
   planDelegationForVC: () => planDelegationForVC,
   publicKeysMatch: () => publicKeysMatch,
+  readVcExpSeconds: () => readVcExpSeconds,
   resolveActionsFromSelection: () => resolveActionsFromSelection,
   resolveProvider: () => resolveProvider,
   resolveResourceType: () => resolveResourceType,
   resolveUserTier: () => resolveUserTier,
+  sha256Hex: () => sha256Hex,
   signJWT: () => signJWT,
+  signRequest: () => signRequest,
   validateRegistryObject: () => validateRegistryObject,
   vcStatusToCredentialStatus: () => vcStatusToCredentialStatus,
   verifyJWT: () => verifyJWT,
@@ -1652,6 +1665,56 @@ var VCManager = class {
 
 // src/vp/vp-manager.ts
 var import_crypto_nodejs2 = require("@sd-jwt/crypto-nodejs");
+
+// src/vp/kb-jwt-builder.ts
+var KB_JWT_DEFAULT_LIFETIME_SECONDS = 300;
+function buildKbJwtPayload(args, deps = {}) {
+  const now = deps.now ?? Date.now;
+  const iatSeconds = Math.floor(now() / 1e3);
+  const kbExpCap = iatSeconds + KB_JWT_DEFAULT_LIFETIME_SECONDS;
+  const vcExp = readVcExpSeconds(args.vcCredential);
+  const expSeconds = vcExp !== void 0 ? Math.min(kbExpCap, vcExp) : kbExpCap;
+  if (expSeconds <= iatSeconds) {
+    throw new Error(
+      `VC has expired: cannot issue KB-JWT (vc.exp=${vcExp}, now=${iatSeconds})`
+    );
+  }
+  return {
+    iss: args.holderDid,
+    aud: normalizeDomain(args.audience),
+    nonce: args.nonce,
+    iat: iatSeconds,
+    exp: expSeconds
+  };
+}
+function readVcExpSeconds(sdJwtVc) {
+  try {
+    const jwtPart = sdJwtVc.split("~")[0];
+    const payloadB64 = jwtPart.split(".")[1];
+    if (!payloadB64) return void 0;
+    const payload = JSON.parse(Buffer.from(payloadB64, "base64url").toString());
+    return typeof payload.exp === "number" ? payload.exp : void 0;
+  } catch {
+    return void 0;
+  }
+}
+function normalizeDomain(domain) {
+  if (!domain) return domain;
+  let urlStr;
+  if (/^https?:\/\//i.test(domain)) {
+    urlStr = domain;
+  } else {
+    const scheme = /^localhost(:\d+)?$/i.test(domain) ? "http" : "https";
+    urlStr = `${scheme}://${domain}`;
+  }
+  try {
+    return new URL(urlStr).origin;
+  } catch {
+    return domain;
+  }
+}
+
+// src/vp/vp-manager.ts
 var VPManager = class {
   keyManager;
   constructor(keyManager) {
@@ -1675,12 +1738,12 @@ var VPManager = class {
       presentableKeys.forEach((key) => {
         presentationFrame[key] = true;
       });
-      const kbJwtPayload = {
-        iss: options.holderDid,
-        aud: options.domain,
+      const kbJwtPayload = buildKbJwtPayload({
+        holderDid: options.holderDid,
+        audience: options.domain,
         nonce: options.challenge,
-        iat: Math.floor(Date.now() / 1e3)
-      };
+        vcCredential: sdJwtVC
+      });
       const presentation = await sdJwtInstance.present(sdJwtVC, presentationFrame, {
         kb: { payload: kbJwtPayload }
       });
@@ -2130,172 +2193,6 @@ var ToolManager = class {
   }
 };
 
-// src/memory/memory-manager.ts
-var MemoryManager = class {
-  vpManager;
-  proxyApiUrl;
-  constructor(vpManager) {
-    this.vpManager = vpManager || new VPManager();
-    const config = getConfig();
-    this.proxyApiUrl = config.proxyApi?.baseUrl || "http://localhost:3000";
-  }
-  /**
-   * Write a document to memory
-   */
-  async write(content, options) {
-    const domain = new URL(this.proxyApiUrl).hostname;
-    const challenge = this.generateChallenge();
-    const vpJwt = await this.vpManager.create(options.vcs, {
-      holderDid: options.holderDid,
-      challenge,
-      domain,
-      purpose: "write"
-    });
-    const response = await fetch(`${this.proxyApiUrl}/api/v1/memory/${options.namespace}/doc`, {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/json",
-        Authorization: `Bearer ${vpJwt}`
-      },
-      body: JSON.stringify({
-        content,
-        metadata: options.metadata,
-        challenge
-      })
-    });
-    if (!response.ok) {
-      const error = await response.text();
-      throw new Error(`Failed to write to memory: ${error}`);
-    }
-    return response.json();
-  }
-  /**
-   * Query memory with vector search
-   */
-  async query(query, options) {
-    const domain = new URL(this.proxyApiUrl).hostname;
-    const challenge = this.generateChallenge();
-    const vpJwt = await this.vpManager.create(options.vcs, {
-      holderDid: options.holderDid,
-      challenge,
-      domain,
-      purpose: "read"
-    });
-    const queryParams = {
-      query,
-      namespace: options.namespace,
-      limit: options.limit || 10,
-      filter: options.filter
-    };
-    const namespace = options.namespace || "default";
-    const response = await fetch(`${this.proxyApiUrl}/api/v1/memory/${namespace}/query`, {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/json",
-        Authorization: `Bearer ${vpJwt}`
-      },
-      body: JSON.stringify({
-        ...queryParams,
-        challenge
-      })
-    });
-    if (!response.ok) {
-      const error = await response.text();
-      throw new Error(`Failed to query memory: ${error}`);
-    }
-    return response.json();
-  }
-  /**
-   * Delete a document from memory
-   */
-  async delete(documentId, options) {
-    const domain = new URL(this.proxyApiUrl).hostname;
-    const challenge = this.generateChallenge();
-    const vpJwt = await this.vpManager.create(options.vcs, {
-      holderDid: options.holderDid,
-      challenge,
-      domain,
-      purpose: "delete"
-    });
-    const response = await fetch(
-      `${this.proxyApiUrl}/api/v1/memory/${options.namespace}/${documentId}`,
-      {
-        method: "DELETE",
-        headers: {
-          Authorization: `Bearer ${vpJwt}`,
-          "X-Challenge": challenge
-        }
-      }
-    );
-    if (!response.ok) {
-      const error = await response.text();
-      throw new Error(`Failed to delete from memory: ${error}`);
-    }
-  }
-  /**
-   * List documents in a namespace
-   */
-  async list(options) {
-    const domain = new URL(this.proxyApiUrl).hostname;
-    const challenge = this.generateChallenge();
-    const vpJwt = await this.vpManager.create(options.vcs, {
-      holderDid: options.holderDid,
-      challenge,
-      domain,
-      purpose: "read"
-    });
-    const params = new URLSearchParams({
-      limit: (options.limit || 100).toString(),
-      offset: (options.offset || 0).toString()
-    });
-    const response = await fetch(
-      `${this.proxyApiUrl}/api/v1/memory/${options.namespace}/list?${params}`,
-      {
-        headers: {
-          Authorization: `Bearer ${vpJwt}`,
-          "X-Challenge": challenge
-        }
-      }
-    );
-    if (!response.ok) {
-      const error = await response.text();
-      throw new Error(`Failed to list memory documents: ${error}`);
-    }
-    return response.json();
-  }
-  /**
-   * Check if VCs authorize memory access
-   */
-  async checkAuthorization(vcs, action, resource) {
-    for (const vcJwt of vcs) {
-      try {
-        const parts = vcJwt.split(".");
-        const payload = JSON.parse(Buffer.from(parts[1], "base64url").toString());
-        const vcResource = payload.credentialSubject?.resource;
-        const vcActions = payload.credentialSubject?.actions || [];
-        if (this.matchResource(vcResource, resource)) {
-          if (vcActions.includes(action)) {
-            return true;
-          }
-        }
-      } catch {
-        continue;
-      }
-    }
-    return false;
-  }
-  matchResource(vcResource, requiredResource) {
-    if (vcResource.endsWith("/*")) {
-      const prefix = vcResource.slice(0, -2);
-      return requiredResource.startsWith(prefix);
-    }
-    return vcResource === requiredResource;
-  }
-  generateChallenge() {
-    return Math.random().toString(36).substring(2, 15) + Math.random().toString(36).substring(2, 15);
-  }
-};
-
 // src/grant/grant-manager.ts
 var GrantManager = class {
   constructor(_vpManager) {
@@ -2537,7 +2434,6 @@ var AIdentityClient = class {
   vc;
   vp;
   tool;
-  memory;
   grant;
   keyManager;
   currentAgent;
@@ -2551,7 +2447,6 @@ var AIdentityClient = class {
     this.vc = new VCManager(this.keyManager, this.agent, this.user);
     this.vp = new VPManager(this.keyManager);
     this.tool = new ToolManager(this.vp);
-    this.memory = new MemoryManager(this.vp);
     this.grant = new GrantManager(this.vp);
   }
   /**
@@ -2635,35 +2530,6 @@ var AIdentityClient = class {
       holderDid
     });
   }
-  /**
-   * Write to memory with automatic VP creation
-   */
-  async writeMemory(content, namespace, vcs, metadata) {
-    const holderDid = this.currentAgent?.did;
-    if (!holderDid) {
-      throw new Error("No current agent available");
-    }
-    return this.memory.write(content, {
-      namespace,
-      metadata,
-      vcs,
-      holderDid
-    });
-  }
-  /**
-   * Query memory with automatic VP creation
-   */
-  async queryMemory(query, vcs, options) {
-    const holderDid = this.currentAgent?.did;
-    if (!holderDid) {
-      throw new Error("No current agent available");
-    }
-    return this.memory.query(query, {
-      ...options,
-      vcs,
-      holderDid
-    });
-  }
 };
 var defaultClient;
 function getClient(config, password) {
@@ -2930,6 +2796,8 @@ var AIdentityError = class extends Error {
     this.name = this.constructor.name;
     Object.setPrototypeOf(this, new.target.prototype);
   }
+  code;
+  details;
 };
 var VCExpiredError = class extends AIdentityError {
   constructor(message = "Verifiable Credential has expired", details) {
@@ -4090,6 +3958,8 @@ var GatewayError = class extends Error {
     this.responseBody = responseBody;
     this.name = "GatewayError";
   }
+  statusCode;
+  responseBody;
 };
 
 // src/auth/auth-provider.ts
@@ -4569,6 +4439,7 @@ var SimpleRebac = class {
   constructor(allowRelations = ["viewer", "editor", "admin", "owner", "act_as"]) {
     this.allowRelations = allowRelations;
   }
+  allowRelations;
   async check(_sub, relations) {
     return relations.some((r) => this.allowRelations.includes(r));
   }
@@ -4583,6 +4454,7 @@ var DummyVpVerifier = class {
   constructor(vc) {
     this.vc = vc;
   }
+  vc;
   async verifyAndExtractClaims() {
     return this.vc;
   }
@@ -4944,7 +4816,10 @@ var ACTION_REGISTRY = {
           subject: { type: "string", minLength: 1 },
           body: { type: "string", minLength: 1 },
           cc: { type: "string" },
-          bcc: { type: "string" }
+          bcc: { type: "string" },
+          threadId: { type: "string" },
+          inReplyTo: { type: "string" },
+          references: { type: "string" }
         },
         required: ["to", "subject", "body"],
         additionalProperties: false
@@ -4974,7 +4849,10 @@ var ACTION_REGISTRY = {
           subject: { type: "string", minLength: 1 },
           body: { type: "string", minLength: 1 },
           cc: { type: "string" },
-          bcc: { type: "string" }
+          bcc: { type: "string" },
+          threadId: { type: "string" },
+          inReplyTo: { type: "string" },
+          references: { type: "string" }
         },
         required: ["to", "subject", "body"],
         additionalProperties: false
@@ -5905,6 +5783,17 @@ function normalizeMcpActionName(toolName, actionName) {
   return actionName;
 }
 
+// src/registry/reauth-constants.ts
+var REAUTH_REQUIRED_ACTION = "reauth_required";
+var GATEWAY_ERROR_CODE = {
+  /** Upstream OAuth token is revoked — the user must re-auth at the SaaS provider. */
+  REAUTH_REQUIRED: "REAUTH_REQUIRED",
+  /** Local VC/VP is invalid (expired, malformed, signature mismatch). Try VC reissuance. */
+  CREDENTIAL_INVALID: "CREDENTIAL_INVALID",
+  /** VC allowed a different resource than the request targeted. Try a new approval. */
+  RESOURCE_MISMATCH: "RESOURCE_MISMATCH"
+};
+
 // src/registry/action-summary.ts
 var ACTION_DISPLAY_CONFIGS = {
   "slack.message.post": {
@@ -6159,6 +6048,70 @@ function getTierLimits(tier) {
   return TIER_LIMITS[resolveUserTier(tier)];
 }
 
+// src/internal-signature/canonical.ts
+var import_crypto3 = require("crypto");
+var SIGNATURE_HEADER = "x-internal-signature";
+var SIGNATURE_VERSION_PREFIX = "v1=";
+function sha256Hex(input) {
+  return (0, import_crypto3.createHash)("sha256").update(input).digest("hex");
+}
+function buildCanonicalString(args) {
+  const { method, path: path4, unixSeconds, rawBody } = args;
+  return [method.toUpperCase(), path4, String(unixSeconds), sha256Hex(rawBody)].join("\n");
+}
+function parseSignatureHeader(headerValue) {
+  if (typeof headerValue !== "string" || !headerValue.startsWith(SIGNATURE_VERSION_PREFIX)) {
+    return null;
+  }
+  const payload = headerValue.slice(SIGNATURE_VERSION_PREFIX.length);
+  const parts = payload.split(":");
+  if (parts.length !== 3) return null;
+  const [keyId, tsStr, signature] = parts;
+  if (!keyId || !tsStr || !signature) return null;
+  if (!/^[A-Za-z0-9_-]+$/.test(keyId)) return null;
+  if (!/^\d+$/.test(tsStr)) return null;
+  const unixSeconds = Number(tsStr);
+  if (!Number.isFinite(unixSeconds) || unixSeconds < 0) return null;
+  if (!/^[A-Za-z0-9+/]+=*$/.test(signature)) return null;
+  return { keyId, unixSeconds, signature };
+}
+function formatSignatureHeader(parsed) {
+  return `${SIGNATURE_VERSION_PREFIX}${parsed.keyId}:${parsed.unixSeconds}:${parsed.signature}`;
+}
+
+// src/internal-signature/signer.ts
+var import_crypto4 = require("crypto");
+var MIN_SIGNER_KEY_BYTES = 32;
+function signRequest(key, args) {
+  assertKeyMaterial(key);
+  const unixSeconds = args.unixSeconds ?? Math.floor(Date.now() / 1e3);
+  const canonical = buildCanonicalString({
+    method: args.method,
+    path: args.path,
+    unixSeconds,
+    rawBody: args.rawBody
+  });
+  const signature = (0, import_crypto4.createHmac)("sha256", key.secret).update(canonical).digest("base64");
+  const parsed = {
+    keyId: key.keyId,
+    unixSeconds,
+    signature
+  };
+  return formatSignatureHeader(parsed);
+}
+function assertKeyMaterial(k) {
+  if (!k.keyId || !/^[A-Za-z0-9_-]+$/.test(k.keyId)) {
+    throw new Error(
+      `internal-signature signer: invalid keyId ${JSON.stringify(k.keyId)} (must match /^[A-Za-z0-9_-]+$/)`
+    );
+  }
+  if (!Buffer.isBuffer(k.secret) || k.secret.length < MIN_SIGNER_KEY_BYTES) {
+    throw new Error(
+      `internal-signature signer: secret too short for keyId=${k.keyId} (${Buffer.isBuffer(k.secret) ? k.secret.length : "not a Buffer"} bytes; minimum ${MIN_SIGNER_KEY_BYTES} required)`
+    );
+  }
+}
+
 // src/index.ts
 var version = "0.0.1";
 // Annotate the CommonJS export names for ESM import in node:
@@ -6185,6 +6138,7 @@ var version = "0.0.1";
   DummyCreds,
   DummyVpVerifier,
   FilesystemKeyStorage,
+  GATEWAY_ERROR_CODE,
   GatewayClient,
   GatewayError,
   GrantResourceType,
@@ -6193,16 +6147,20 @@ var version = "0.0.1";
   InvalidVPError,
   InvitationStatus,
   JsonStateStore,
+  KB_JWT_DEFAULT_LIFETIME_SECONDS,
   KeyManager,
   LEGACY_RESOURCE_TYPE_MAP,
+  MIN_SIGNER_KEY_BYTES,
   MemoryKeyStorage,
-  MemoryManager,
   NetworkError,
   OAuthProvider,
   PROVIDER_ALIASES,
+  REAUTH_REQUIRED_ACTION,
   RESOURCE_TYPES,
   ReceiptStatus,
   SDJwtClient,
+  SIGNATURE_HEADER,
+  SIGNATURE_VERSION_PREFIX,
   ScopeUnmatchedError,
   SimpleRebac,
   StandardActionCategory,
@@ -6220,7 +6178,9 @@ var version = "0.0.1";
   VCType,
   VPManager,
   WRITE_ACTION_NAMES,
+  buildCanonicalString,
   buildGrantIdFields,
+  buildKbJwtPayload,
   canonicalizeAction,
   checkPermissionWithVP,
   configure,
@@ -6232,6 +6192,7 @@ var version = "0.0.1";
   extractProjectKey,
   extractPublicKey,
   extractPublicKeyFromDid,
+  formatSignatureHeader,
   generateActionParamsDisplay,
   generateActionSummary,
   generateKeyPair,
@@ -6258,16 +6219,21 @@ var version = "0.0.1";
   isWriteAction,
   loadActionRegistryFromFile,
   loadActionRegistryFromObject,
+  normalizeDomain,
   normalizeMcpActionName,
   parseGrantAction,
   parseGrantResourceType,
+  parseSignatureHeader,
   planDelegationForVC,
   publicKeysMatch,
+  readVcExpSeconds,
   resolveActionsFromSelection,
   resolveProvider,
   resolveResourceType,
   resolveUserTier,
+  sha256Hex,
   signJWT,
+  signRequest,
   validateRegistryObject,
   vcStatusToCredentialStatus,
   verifyJWT,