@vess-id/ai-identity 0.10.0 → 0.12.0

package/dist/index.mjs

@@ -1508,6 +1508,56 @@ var VCManager = class {
 
 // src/vp/vp-manager.ts
 import { digest as digest2 } from "@sd-jwt/crypto-nodejs";
+
+// src/vp/kb-jwt-builder.ts
+var KB_JWT_DEFAULT_LIFETIME_SECONDS = 300;
+function buildKbJwtPayload(args, deps = {}) {
+  const now = deps.now ?? Date.now;
+  const iatSeconds = Math.floor(now() / 1e3);
+  const kbExpCap = iatSeconds + KB_JWT_DEFAULT_LIFETIME_SECONDS;
+  const vcExp = readVcExpSeconds(args.vcCredential);
+  const expSeconds = vcExp !== void 0 ? Math.min(kbExpCap, vcExp) : kbExpCap;
+  if (expSeconds <= iatSeconds) {
+    throw new Error(
+      `VC has expired: cannot issue KB-JWT (vc.exp=${vcExp}, now=${iatSeconds})`
+    );
+  }
+  return {
+    iss: args.holderDid,
+    aud: normalizeDomain(args.audience),
+    nonce: args.nonce,
+    iat: iatSeconds,
+    exp: expSeconds
+  };
+}
+function readVcExpSeconds(sdJwtVc) {
+  try {
+    const jwtPart = sdJwtVc.split("~")[0];
+    const payloadB64 = jwtPart.split(".")[1];
+    if (!payloadB64) return void 0;
+    const payload = JSON.parse(Buffer.from(payloadB64, "base64url").toString());
+    return typeof payload.exp === "number" ? payload.exp : void 0;
+  } catch {
+    return void 0;
+  }
+}
+function normalizeDomain(domain) {
+  if (!domain) return domain;
+  let urlStr;
+  if (/^https?:\/\//i.test(domain)) {
+    urlStr = domain;
+  } else {
+    const scheme = /^localhost(:\d+)?$/i.test(domain) ? "http" : "https";
+    urlStr = `${scheme}://${domain}`;
+  }
+  try {
+    return new URL(urlStr).origin;
+  } catch {
+    return domain;
+  }
+}
+
+// src/vp/vp-manager.ts
 var VPManager = class {
   keyManager;
   constructor(keyManager) {
@@ -1531,12 +1581,12 @@ var VPManager = class {
       presentableKeys.forEach((key) => {
         presentationFrame[key] = true;
       });
-      const kbJwtPayload = {
-        iss: options.holderDid,
-        aud: options.domain,
+      const kbJwtPayload = buildKbJwtPayload({
+        holderDid: options.holderDid,
+        audience: options.domain,
         nonce: options.challenge,
-        iat: Math.floor(Date.now() / 1e3)
-      };
+        vcCredential: sdJwtVC
+      });
       const presentation = await sdJwtInstance.present(sdJwtVC, presentationFrame, {
         kb: { payload: kbJwtPayload }
       });
@@ -1986,172 +2036,6 @@ var ToolManager = class {
   }
 };
 
-// src/memory/memory-manager.ts
-var MemoryManager = class {
-  vpManager;
-  proxyApiUrl;
-  constructor(vpManager) {
-    this.vpManager = vpManager || new VPManager();
-    const config = getConfig();
-    this.proxyApiUrl = config.proxyApi?.baseUrl || "http://localhost:3000";
-  }
-  /**
-   * Write a document to memory
-   */
-  async write(content, options) {
-    const domain = new URL(this.proxyApiUrl).hostname;
-    const challenge = this.generateChallenge();
-    const vpJwt = await this.vpManager.create(options.vcs, {
-      holderDid: options.holderDid,
-      challenge,
-      domain,
-      purpose: "write"
-    });
-    const response = await fetch(`${this.proxyApiUrl}/api/v1/memory/${options.namespace}/doc`, {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/json",
-        Authorization: `Bearer ${vpJwt}`
-      },
-      body: JSON.stringify({
-        content,
-        metadata: options.metadata,
-        challenge
-      })
-    });
-    if (!response.ok) {
-      const error = await response.text();
-      throw new Error(`Failed to write to memory: ${error}`);
-    }
-    return response.json();
-  }
-  /**
-   * Query memory with vector search
-   */
-  async query(query, options) {
-    const domain = new URL(this.proxyApiUrl).hostname;
-    const challenge = this.generateChallenge();
-    const vpJwt = await this.vpManager.create(options.vcs, {
-      holderDid: options.holderDid,
-      challenge,
-      domain,
-      purpose: "read"
-    });
-    const queryParams = {
-      query,
-      namespace: options.namespace,
-      limit: options.limit || 10,
-      filter: options.filter
-    };
-    const namespace = options.namespace || "default";
-    const response = await fetch(`${this.proxyApiUrl}/api/v1/memory/${namespace}/query`, {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/json",
-        Authorization: `Bearer ${vpJwt}`
-      },
-      body: JSON.stringify({
-        ...queryParams,
-        challenge
-      })
-    });
-    if (!response.ok) {
-      const error = await response.text();
-      throw new Error(`Failed to query memory: ${error}`);
-    }
-    return response.json();
-  }
-  /**
-   * Delete a document from memory
-   */
-  async delete(documentId, options) {
-    const domain = new URL(this.proxyApiUrl).hostname;
-    const challenge = this.generateChallenge();
-    const vpJwt = await this.vpManager.create(options.vcs, {
-      holderDid: options.holderDid,
-      challenge,
-      domain,
-      purpose: "delete"
-    });
-    const response = await fetch(
-      `${this.proxyApiUrl}/api/v1/memory/${options.namespace}/${documentId}`,
-      {
-        method: "DELETE",
-        headers: {
-          Authorization: `Bearer ${vpJwt}`,
-          "X-Challenge": challenge
-        }
-      }
-    );
-    if (!response.ok) {
-      const error = await response.text();
-      throw new Error(`Failed to delete from memory: ${error}`);
-    }
-  }
-  /**
-   * List documents in a namespace
-   */
-  async list(options) {
-    const domain = new URL(this.proxyApiUrl).hostname;
-    const challenge = this.generateChallenge();
-    const vpJwt = await this.vpManager.create(options.vcs, {
-      holderDid: options.holderDid,
-      challenge,
-      domain,
-      purpose: "read"
-    });
-    const params = new URLSearchParams({
-      limit: (options.limit || 100).toString(),
-      offset: (options.offset || 0).toString()
-    });
-    const response = await fetch(
-      `${this.proxyApiUrl}/api/v1/memory/${options.namespace}/list?${params}`,
-      {
-        headers: {
-          Authorization: `Bearer ${vpJwt}`,
-          "X-Challenge": challenge
-        }
-      }
-    );
-    if (!response.ok) {
-      const error = await response.text();
-      throw new Error(`Failed to list memory documents: ${error}`);
-    }
-    return response.json();
-  }
-  /**
-   * Check if VCs authorize memory access
-   */
-  async checkAuthorization(vcs, action, resource) {
-    for (const vcJwt of vcs) {
-      try {
-        const parts = vcJwt.split(".");
-        const payload = JSON.parse(Buffer.from(parts[1], "base64url").toString());
-        const vcResource = payload.credentialSubject?.resource;
-        const vcActions = payload.credentialSubject?.actions || [];
-        if (this.matchResource(vcResource, resource)) {
-          if (vcActions.includes(action)) {
-            return true;
-          }
-        }
-      } catch {
-        continue;
-      }
-    }
-    return false;
-  }
-  matchResource(vcResource, requiredResource) {
-    if (vcResource.endsWith("/*")) {
-      const prefix = vcResource.slice(0, -2);
-      return requiredResource.startsWith(prefix);
-    }
-    return vcResource === requiredResource;
-  }
-  generateChallenge() {
-    return Math.random().toString(36).substring(2, 15) + Math.random().toString(36).substring(2, 15);
-  }
-};
-
 // src/grant/grant-manager.ts
 var GrantManager = class {
   constructor(_vpManager) {
@@ -2393,7 +2277,6 @@ var AIdentityClient = class {
   vc;
   vp;
   tool;
-  memory;
   grant;
   keyManager;
   currentAgent;
@@ -2407,7 +2290,6 @@ var AIdentityClient = class {
     this.vc = new VCManager(this.keyManager, this.agent, this.user);
     this.vp = new VPManager(this.keyManager);
     this.tool = new ToolManager(this.vp);
-    this.memory = new MemoryManager(this.vp);
     this.grant = new GrantManager(this.vp);
   }
   /**
@@ -2491,35 +2373,6 @@ var AIdentityClient = class {
       holderDid
     });
   }
-  /**
-   * Write to memory with automatic VP creation
-   */
-  async writeMemory(content, namespace, vcs, metadata) {
-    const holderDid = this.currentAgent?.did;
-    if (!holderDid) {
-      throw new Error("No current agent available");
-    }
-    return this.memory.write(content, {
-      namespace,
-      metadata,
-      vcs,
-      holderDid
-    });
-  }
-  /**
-   * Query memory with automatic VP creation
-   */
-  async queryMemory(query, vcs, options) {
-    const holderDid = this.currentAgent?.did;
-    if (!holderDid) {
-      throw new Error("No current agent available");
-    }
-    return this.memory.query(query, {
-      ...options,
-      vcs,
-      holderDid
-    });
-  }
 };
 var defaultClient;
 function getClient(config, password) {
@@ -2786,6 +2639,8 @@ var AIdentityError = class extends Error {
     this.name = this.constructor.name;
     Object.setPrototypeOf(this, new.target.prototype);
   }
+  code;
+  details;
 };
 var VCExpiredError = class extends AIdentityError {
   constructor(message = "Verifiable Credential has expired", details) {
@@ -3946,6 +3801,8 @@ var GatewayError = class extends Error {
     this.responseBody = responseBody;
     this.name = "GatewayError";
   }
+  statusCode;
+  responseBody;
 };
 
 // src/auth/auth-provider.ts
@@ -4425,6 +4282,7 @@ var SimpleRebac = class {
   constructor(allowRelations = ["viewer", "editor", "admin", "owner", "act_as"]) {
     this.allowRelations = allowRelations;
   }
+  allowRelations;
   async check(_sub, relations) {
     return relations.some((r) => this.allowRelations.includes(r));
   }
@@ -4439,6 +4297,7 @@ var DummyVpVerifier = class {
   constructor(vc) {
     this.vc = vc;
   }
+  vc;
   async verifyAndExtractClaims() {
     return this.vc;
   }
@@ -4800,7 +4659,10 @@ var ACTION_REGISTRY = {
           subject: { type: "string", minLength: 1 },
           body: { type: "string", minLength: 1 },
           cc: { type: "string" },
-          bcc: { type: "string" }
+          bcc: { type: "string" },
+          threadId: { type: "string" },
+          inReplyTo: { type: "string" },
+          references: { type: "string" }
         },
         required: ["to", "subject", "body"],
         additionalProperties: false
@@ -4830,7 +4692,10 @@ var ACTION_REGISTRY = {
           subject: { type: "string", minLength: 1 },
           body: { type: "string", minLength: 1 },
           cc: { type: "string" },
-          bcc: { type: "string" }
+          bcc: { type: "string" },
+          threadId: { type: "string" },
+          inReplyTo: { type: "string" },
+          references: { type: "string" }
         },
         required: ["to", "subject", "body"],
         additionalProperties: false
@@ -5761,6 +5626,17 @@ function normalizeMcpActionName(toolName, actionName) {
   return actionName;
 }
 
+// src/registry/reauth-constants.ts
+var REAUTH_REQUIRED_ACTION = "reauth_required";
+var GATEWAY_ERROR_CODE = {
+  /** Upstream OAuth token is revoked — the user must re-auth at the SaaS provider. */
+  REAUTH_REQUIRED: "REAUTH_REQUIRED",
+  /** Local VC/VP is invalid (expired, malformed, signature mismatch). Try VC reissuance. */
+  CREDENTIAL_INVALID: "CREDENTIAL_INVALID",
+  /** VC allowed a different resource than the request targeted. Try a new approval. */
+  RESOURCE_MISMATCH: "RESOURCE_MISMATCH"
+};
+
 // src/registry/action-summary.ts
 var ACTION_DISPLAY_CONFIGS = {
   "slack.message.post": {
@@ -6015,6 +5891,70 @@ function getTierLimits(tier) {
   return TIER_LIMITS[resolveUserTier(tier)];
 }
 
+// src/internal-signature/canonical.ts
+import { createHash } from "crypto";
+var SIGNATURE_HEADER = "x-internal-signature";
+var SIGNATURE_VERSION_PREFIX = "v1=";
+function sha256Hex(input) {
+  return createHash("sha256").update(input).digest("hex");
+}
+function buildCanonicalString(args) {
+  const { method, path: path4, unixSeconds, rawBody } = args;
+  return [method.toUpperCase(), path4, String(unixSeconds), sha256Hex(rawBody)].join("\n");
+}
+function parseSignatureHeader(headerValue) {
+  if (typeof headerValue !== "string" || !headerValue.startsWith(SIGNATURE_VERSION_PREFIX)) {
+    return null;
+  }
+  const payload = headerValue.slice(SIGNATURE_VERSION_PREFIX.length);
+  const parts = payload.split(":");
+  if (parts.length !== 3) return null;
+  const [keyId, tsStr, signature] = parts;
+  if (!keyId || !tsStr || !signature) return null;
+  if (!/^[A-Za-z0-9_-]+$/.test(keyId)) return null;
+  if (!/^\d+$/.test(tsStr)) return null;
+  const unixSeconds = Number(tsStr);
+  if (!Number.isFinite(unixSeconds) || unixSeconds < 0) return null;
+  if (!/^[A-Za-z0-9+/]+=*$/.test(signature)) return null;
+  return { keyId, unixSeconds, signature };
+}
+function formatSignatureHeader(parsed) {
+  return `${SIGNATURE_VERSION_PREFIX}${parsed.keyId}:${parsed.unixSeconds}:${parsed.signature}`;
+}
+
+// src/internal-signature/signer.ts
+import { createHmac } from "crypto";
+var MIN_SIGNER_KEY_BYTES = 32;
+function signRequest(key, args) {
+  assertKeyMaterial(key);
+  const unixSeconds = args.unixSeconds ?? Math.floor(Date.now() / 1e3);
+  const canonical = buildCanonicalString({
+    method: args.method,
+    path: args.path,
+    unixSeconds,
+    rawBody: args.rawBody
+  });
+  const signature = createHmac("sha256", key.secret).update(canonical).digest("base64");
+  const parsed = {
+    keyId: key.keyId,
+    unixSeconds,
+    signature
+  };
+  return formatSignatureHeader(parsed);
+}
+function assertKeyMaterial(k) {
+  if (!k.keyId || !/^[A-Za-z0-9_-]+$/.test(k.keyId)) {
+    throw new Error(
+      `internal-signature signer: invalid keyId ${JSON.stringify(k.keyId)} (must match /^[A-Za-z0-9_-]+$/)`
+    );
+  }
+  if (!Buffer.isBuffer(k.secret) || k.secret.length < MIN_SIGNER_KEY_BYTES) {
+    throw new Error(
+      `internal-signature signer: secret too short for keyId=${k.keyId} (${Buffer.isBuffer(k.secret) ? k.secret.length : "not a Buffer"} bytes; minimum ${MIN_SIGNER_KEY_BYTES} required)`
+    );
+  }
+}
+
 // src/index.ts
 var version = "0.0.1";
 export {
@@ -6040,6 +5980,7 @@ export {
   DummyCreds,
   DummyVpVerifier,
   FilesystemKeyStorage,
+  GATEWAY_ERROR_CODE,
   GatewayClient,
   GatewayError,
   GrantResourceType,
@@ -6048,16 +5989,20 @@ export {
   InvalidVPError,
   InvitationStatus,
   JsonStateStore,
+  KB_JWT_DEFAULT_LIFETIME_SECONDS,
   KeyManager,
   LEGACY_RESOURCE_TYPE_MAP,
+  MIN_SIGNER_KEY_BYTES,
   MemoryKeyStorage,
-  MemoryManager,
   NetworkError,
   OAuthProvider,
   PROVIDER_ALIASES,
+  REAUTH_REQUIRED_ACTION,
   RESOURCE_TYPES,
   ReceiptStatus,
   SDJwtClient,
+  SIGNATURE_HEADER,
+  SIGNATURE_VERSION_PREFIX,
   ScopeUnmatchedError,
   SimpleRebac,
   StandardActionCategory,
@@ -6075,7 +6020,9 @@ export {
   VCType,
   VPManager,
   WRITE_ACTION_NAMES,
+  buildCanonicalString,
   buildGrantIdFields,
+  buildKbJwtPayload,
   canonicalizeAction,
   checkPermissionWithVP,
   configure,
@@ -6087,6 +6034,7 @@ export {
   extractProjectKey,
   extractPublicKey,
   extractPublicKeyFromDid,
+  formatSignatureHeader,
   generateActionParamsDisplay,
   generateActionSummary,
   generateKeyPair,
@@ -6113,16 +6061,21 @@ export {
   isWriteAction,
   loadActionRegistryFromFile,
   loadActionRegistryFromObject,
+  normalizeDomain,
   normalizeMcpActionName,
   parseGrantAction,
   parseGrantResourceType,
+  parseSignatureHeader,
   planDelegationForVC,
   publicKeysMatch,
+  readVcExpSeconds,
   resolveActionsFromSelection,
   resolveProvider,
   resolveResourceType,
   resolveUserTier,
+  sha256Hex,
   signJWT,
+  signRequest,
   validateRegistryObject,
   vcStatusToCredentialStatus,
   verifyJWT,