npm - @vess-id/ai-identity - Versions diffs - 0.11.0 → 0.12.0 - Mend

@vess-id/ai-identity 0.11.0 → 0.12.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (32) hide show

package/README.md +0 -16
package/dist/client.d.ts +0 -14
package/dist/client.d.ts.map +1 -1
package/dist/index.d.mts +342 -153
package/dist/index.d.ts +2 -1
package/dist/index.d.ts.map +1 -1
package/dist/index.js +164 -204
package/dist/index.js.map +1 -1
package/dist/index.mjs +150 -203
package/dist/index.mjs.map +1 -1
package/dist/internal-signature/__tests__/canonical.spec.d.ts +2 -0
package/dist/internal-signature/__tests__/canonical.spec.d.ts.map +1 -0
package/dist/internal-signature/__tests__/signer-roundtrip.spec.d.ts +2 -0
package/dist/internal-signature/__tests__/signer-roundtrip.spec.d.ts.map +1 -0
package/dist/internal-signature/__tests__/signer.spec.d.ts +2 -0
package/dist/internal-signature/__tests__/signer.spec.d.ts.map +1 -0
package/dist/internal-signature/canonical.d.ts +80 -0
package/dist/internal-signature/canonical.d.ts.map +1 -0
package/dist/internal-signature/index.d.ts +17 -0
package/dist/internal-signature/index.d.ts.map +1 -0
package/dist/internal-signature/signer.d.ts +76 -0
package/dist/internal-signature/signer.d.ts.map +1 -0
package/dist/registry/index.d.ts +2 -0
package/dist/registry/index.d.ts.map +1 -1
package/dist/registry/reauth-constants.d.ts +33 -0
package/dist/registry/reauth-constants.d.ts.map +1 -0
package/dist/vp/kb-jwt-builder.d.ts +89 -0
package/dist/vp/kb-jwt-builder.d.ts.map +1 -0
package/dist/vp/vp-manager.d.ts.map +1 -1
package/package.json +20 -26
package/dist/memory/memory-manager.d.ts +0 -77
package/dist/memory/memory-manager.d.ts.map +0 -1

package/dist/index.js CHANGED Viewed

@@ -52,6 +52,7 @@ __export(index_exports, {
   DummyCreds: () => DummyCreds,
   DummyVpVerifier: () => DummyVpVerifier,
   FilesystemKeyStorage: () => FilesystemKeyStorage,
+  GATEWAY_ERROR_CODE: () => GATEWAY_ERROR_CODE,
   GatewayClient: () => GatewayClient,
   GatewayError: () => GatewayError,
   GrantResourceType: () => GrantResourceType,
@@ -60,16 +61,20 @@ __export(index_exports, {
   InvalidVPError: () => InvalidVPError,
   InvitationStatus: () => InvitationStatus,
   JsonStateStore: () => JsonStateStore,
+  KB_JWT_DEFAULT_LIFETIME_SECONDS: () => KB_JWT_DEFAULT_LIFETIME_SECONDS,
   KeyManager: () => KeyManager,
   LEGACY_RESOURCE_TYPE_MAP: () => LEGACY_RESOURCE_TYPE_MAP,
+  MIN_SIGNER_KEY_BYTES: () => MIN_SIGNER_KEY_BYTES,
   MemoryKeyStorage: () => MemoryKeyStorage,
-  MemoryManager: () => MemoryManager,
   NetworkError: () => NetworkError,
   OAuthProvider: () => OAuthProvider,
   PROVIDER_ALIASES: () => PROVIDER_ALIASES,
+  REAUTH_REQUIRED_ACTION: () => REAUTH_REQUIRED_ACTION,
   RESOURCE_TYPES: () => RESOURCE_TYPES,
   ReceiptStatus: () => ReceiptStatus,
   SDJwtClient: () => SDJwtClient,
+  SIGNATURE_HEADER: () => SIGNATURE_HEADER,
+  SIGNATURE_VERSION_PREFIX: () => SIGNATURE_VERSION_PREFIX,
   ScopeUnmatchedError: () => ScopeUnmatchedError,
   SimpleRebac: () => SimpleRebac,
   StandardActionCategory: () => StandardActionCategory,
@@ -87,7 +92,9 @@ __export(index_exports, {
   VCType: () => VCType,
   VPManager: () => VPManager,
   WRITE_ACTION_NAMES: () => WRITE_ACTION_NAMES,
+  buildCanonicalString: () => buildCanonicalString,
   buildGrantIdFields: () => buildGrantIdFields,
+  buildKbJwtPayload: () => buildKbJwtPayload,
   canonicalizeAction: () => canonicalizeAction,
   checkPermissionWithVP: () => checkPermissionWithVP,
   configure: () => configure,
@@ -99,6 +106,7 @@ __export(index_exports, {
   extractProjectKey: () => extractProjectKey,
   extractPublicKey: () => extractPublicKey,
   extractPublicKeyFromDid: () => extractPublicKeyFromDid,
+  formatSignatureHeader: () => formatSignatureHeader,
   generateActionParamsDisplay: () => generateActionParamsDisplay,
   generateActionSummary: () => generateActionSummary,
   generateKeyPair: () => generateKeyPair,
@@ -125,16 +133,21 @@ __export(index_exports, {
   isWriteAction: () => isWriteAction,
   loadActionRegistryFromFile: () => loadActionRegistryFromFile,
   loadActionRegistryFromObject: () => loadActionRegistryFromObject,
+  normalizeDomain: () => normalizeDomain,
   normalizeMcpActionName: () => normalizeMcpActionName,
   parseGrantAction: () => parseGrantAction,
   parseGrantResourceType: () => parseGrantResourceType,
+  parseSignatureHeader: () => parseSignatureHeader,
   planDelegationForVC: () => planDelegationForVC,
   publicKeysMatch: () => publicKeysMatch,
+  readVcExpSeconds: () => readVcExpSeconds,
   resolveActionsFromSelection: () => resolveActionsFromSelection,
   resolveProvider: () => resolveProvider,
   resolveResourceType: () => resolveResourceType,
   resolveUserTier: () => resolveUserTier,
+  sha256Hex: () => sha256Hex,
   signJWT: () => signJWT,
+  signRequest: () => signRequest,
   validateRegistryObject: () => validateRegistryObject,
   vcStatusToCredentialStatus: () => vcStatusToCredentialStatus,
   verifyJWT: () => verifyJWT,
@@ -1652,6 +1665,56 @@ var VCManager = class {
 // src/vp/vp-manager.ts
 var import_crypto_nodejs2 = require("@sd-jwt/crypto-nodejs");
+// src/vp/kb-jwt-builder.ts
+var KB_JWT_DEFAULT_LIFETIME_SECONDS = 300;
+function buildKbJwtPayload(args, deps = {}) {
+  const now = deps.now ?? Date.now;
+  const iatSeconds = Math.floor(now() / 1e3);
+  const kbExpCap = iatSeconds + KB_JWT_DEFAULT_LIFETIME_SECONDS;
+  const vcExp = readVcExpSeconds(args.vcCredential);
+  const expSeconds = vcExp !== void 0 ? Math.min(kbExpCap, vcExp) : kbExpCap;
+  if (expSeconds <= iatSeconds) {
+    throw new Error(
+      `VC has expired: cannot issue KB-JWT (vc.exp=${vcExp}, now=${iatSeconds})`
+    );
+  }
+  return {
+    iss: args.holderDid,
+    aud: normalizeDomain(args.audience),
+    nonce: args.nonce,
+    iat: iatSeconds,
+    exp: expSeconds
+  };
+}
+function readVcExpSeconds(sdJwtVc) {
+  try {
+    const jwtPart = sdJwtVc.split("~")[0];
+    const payloadB64 = jwtPart.split(".")[1];
+    if (!payloadB64) return void 0;
+    const payload = JSON.parse(Buffer.from(payloadB64, "base64url").toString());
+    return typeof payload.exp === "number" ? payload.exp : void 0;
+  } catch {
+    return void 0;
+  }
+}
+function normalizeDomain(domain) {
+  if (!domain) return domain;
+  let urlStr;
+  if (/^https?:\/\//i.test(domain)) {
+    urlStr = domain;
+  } else {
+    const scheme = /^localhost(:\d+)?$/i.test(domain) ? "http" : "https";
+    urlStr = `${scheme}://${domain}`;
+  }
+  try {
+    return new URL(urlStr).origin;
+  } catch {
+    return domain;
+  }
+}
+// src/vp/vp-manager.ts
 var VPManager = class {
   keyManager;
   constructor(keyManager) {
@@ -1675,12 +1738,12 @@ var VPManager = class {
       presentableKeys.forEach((key) => {
         presentationFrame[key] = true;
       });
-      const kbJwtPayload = {
-        iss: options.holderDid,
-        aud: options.domain,
+      const kbJwtPayload = buildKbJwtPayload({
+        holderDid: options.holderDid,
+        audience: options.domain,
         nonce: options.challenge,
-        iat: Math.floor(Date.now() / 1e3)
-      };
+        vcCredential: sdJwtVC
+      });
       const presentation = await sdJwtInstance.present(sdJwtVC, presentationFrame, {
         kb: { payload: kbJwtPayload }
       });
@@ -2130,172 +2193,6 @@ var ToolManager = class {
   }
 };
-// src/memory/memory-manager.ts
-var MemoryManager = class {
-  vpManager;
-  proxyApiUrl;
-  constructor(vpManager) {
-    this.vpManager = vpManager || new VPManager();
-    const config = getConfig();
-    this.proxyApiUrl = config.proxyApi?.baseUrl || "http://localhost:3000";
-  }
-  /**
-   * Write a document to memory
-   */
-  async write(content, options) {
-    const domain = new URL(this.proxyApiUrl).hostname;
-    const challenge = this.generateChallenge();
-    const vpJwt = await this.vpManager.create(options.vcs, {
-      holderDid: options.holderDid,
-      challenge,
-      domain,
-      purpose: "write"
-    });
-    const response = await fetch(`${this.proxyApiUrl}/api/v1/memory/${options.namespace}/doc`, {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/json",
-        Authorization: `Bearer ${vpJwt}`
-      },
-      body: JSON.stringify({
-        content,
-        metadata: options.metadata,
-        challenge
-      })
-    });
-    if (!response.ok) {
-      const error = await response.text();
-      throw new Error(`Failed to write to memory: ${error}`);
-    }
-    return response.json();
-  }
-  /**
-   * Query memory with vector search
-   */
-  async query(query, options) {
-    const domain = new URL(this.proxyApiUrl).hostname;
-    const challenge = this.generateChallenge();
-    const vpJwt = await this.vpManager.create(options.vcs, {
-      holderDid: options.holderDid,
-      challenge,
-      domain,
-      purpose: "read"
-    });
-    const queryParams = {
-      query,
-      namespace: options.namespace,
-      limit: options.limit || 10,
-      filter: options.filter
-    };
-    const namespace = options.namespace || "default";
-    const response = await fetch(`${this.proxyApiUrl}/api/v1/memory/${namespace}/query`, {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/json",
-        Authorization: `Bearer ${vpJwt}`
-      },
-      body: JSON.stringify({
-        ...queryParams,
-        challenge
-      })
-    });
-    if (!response.ok) {
-      const error = await response.text();
-      throw new Error(`Failed to query memory: ${error}`);
-    }
-    return response.json();
-  }
-  /**
-   * Delete a document from memory
-   */
-  async delete(documentId, options) {
-    const domain = new URL(this.proxyApiUrl).hostname;
-    const challenge = this.generateChallenge();
-    const vpJwt = await this.vpManager.create(options.vcs, {
-      holderDid: options.holderDid,
-      challenge,
-      domain,
-      purpose: "delete"
-    });
-    const response = await fetch(
-      `${this.proxyApiUrl}/api/v1/memory/${options.namespace}/${documentId}`,
-      {
-        method: "DELETE",
-        headers: {
-          Authorization: `Bearer ${vpJwt}`,
-          "X-Challenge": challenge
-        }
-      }
-    );
-    if (!response.ok) {
-      const error = await response.text();
-      throw new Error(`Failed to delete from memory: ${error}`);
-    }
-  }
-  /**
-   * List documents in a namespace
-   */
-  async list(options) {
-    const domain = new URL(this.proxyApiUrl).hostname;
-    const challenge = this.generateChallenge();
-    const vpJwt = await this.vpManager.create(options.vcs, {
-      holderDid: options.holderDid,
-      challenge,
-      domain,
-      purpose: "read"
-    });
-    const params = new URLSearchParams({
-      limit: (options.limit || 100).toString(),
-      offset: (options.offset || 0).toString()
-    });
-    const response = await fetch(
-      `${this.proxyApiUrl}/api/v1/memory/${options.namespace}/list?${params}`,
-      {
-        headers: {
-          Authorization: `Bearer ${vpJwt}`,
-          "X-Challenge": challenge
-        }
-      }
-    );
-    if (!response.ok) {
-      const error = await response.text();
-      throw new Error(`Failed to list memory documents: ${error}`);
-    }
-    return response.json();
-  }
-  /**
-   * Check if VCs authorize memory access
-   */
-  async checkAuthorization(vcs, action, resource) {
-    for (const vcJwt of vcs) {
-      try {
-        const parts = vcJwt.split(".");
-        const payload = JSON.parse(Buffer.from(parts[1], "base64url").toString());
-        const vcResource = payload.credentialSubject?.resource;
-        const vcActions = payload.credentialSubject?.actions || [];
-        if (this.matchResource(vcResource, resource)) {
-          if (vcActions.includes(action)) {
-            return true;
-          }
-        }
-      } catch {
-        continue;
-      }
-    }
-    return false;
-  }
-  matchResource(vcResource, requiredResource) {
-    if (vcResource.endsWith("/*")) {
-      const prefix = vcResource.slice(0, -2);
-      return requiredResource.startsWith(prefix);
-    }
-    return vcResource === requiredResource;
-  }
-  generateChallenge() {
-    return Math.random().toString(36).substring(2, 15) + Math.random().toString(36).substring(2, 15);
-  }
-};
 // src/grant/grant-manager.ts
 var GrantManager = class {
   constructor(_vpManager) {
@@ -2537,7 +2434,6 @@ var AIdentityClient = class {
   vc;
   vp;
   tool;
-  memory;
   grant;
   keyManager;
   currentAgent;
@@ -2551,7 +2447,6 @@ var AIdentityClient = class {
     this.vc = new VCManager(this.keyManager, this.agent, this.user);
     this.vp = new VPManager(this.keyManager);
     this.tool = new ToolManager(this.vp);
-    this.memory = new MemoryManager(this.vp);
     this.grant = new GrantManager(this.vp);
   }
   /**
@@ -2635,35 +2530,6 @@ var AIdentityClient = class {
       holderDid
     });
   }
-  /**
-   * Write to memory with automatic VP creation
-   */
-  async writeMemory(content, namespace, vcs, metadata) {
-    const holderDid = this.currentAgent?.did;
-    if (!holderDid) {
-      throw new Error("No current agent available");
-    }
-    return this.memory.write(content, {
-      namespace,
-      metadata,
-      vcs,
-      holderDid
-    });
-  }
-  /**
-   * Query memory with automatic VP creation
-   */
-  async queryMemory(query, vcs, options) {
-    const holderDid = this.currentAgent?.did;
-    if (!holderDid) {
-      throw new Error("No current agent available");
-    }
-    return this.memory.query(query, {
-      ...options,
-      vcs,
-      holderDid
-    });
-  }
 };
 var defaultClient;
 function getClient(config, password) {
@@ -2930,6 +2796,8 @@ var AIdentityError = class extends Error {
     this.name = this.constructor.name;
     Object.setPrototypeOf(this, new.target.prototype);
   }
+  code;
+  details;
 };
 var VCExpiredError = class extends AIdentityError {
   constructor(message = "Verifiable Credential has expired", details) {
@@ -4090,6 +3958,8 @@ var GatewayError = class extends Error {
     this.responseBody = responseBody;
     this.name = "GatewayError";
   }
+  statusCode;
+  responseBody;
 };
 // src/auth/auth-provider.ts
@@ -4569,6 +4439,7 @@ var SimpleRebac = class {
   constructor(allowRelations = ["viewer", "editor", "admin", "owner", "act_as"]) {
     this.allowRelations = allowRelations;
   }
+  allowRelations;
   async check(_sub, relations) {
     return relations.some((r) => this.allowRelations.includes(r));
   }
@@ -4583,6 +4454,7 @@ var DummyVpVerifier = class {
   constructor(vc) {
     this.vc = vc;
   }
+  vc;
   async verifyAndExtractClaims() {
     return this.vc;
   }
@@ -5911,6 +5783,17 @@ function normalizeMcpActionName(toolName, actionName) {
   return actionName;
 }
+// src/registry/reauth-constants.ts
+var REAUTH_REQUIRED_ACTION = "reauth_required";
+var GATEWAY_ERROR_CODE = {
+  /** Upstream OAuth token is revoked — the user must re-auth at the SaaS provider. */
+  REAUTH_REQUIRED: "REAUTH_REQUIRED",
+  /** Local VC/VP is invalid (expired, malformed, signature mismatch). Try VC reissuance. */
+  CREDENTIAL_INVALID: "CREDENTIAL_INVALID",
+  /** VC allowed a different resource than the request targeted. Try a new approval. */
+  RESOURCE_MISMATCH: "RESOURCE_MISMATCH"
+};
 // src/registry/action-summary.ts
 var ACTION_DISPLAY_CONFIGS = {
   "slack.message.post": {
@@ -6165,6 +6048,70 @@ function getTierLimits(tier) {
   return TIER_LIMITS[resolveUserTier(tier)];
 }
+// src/internal-signature/canonical.ts
+var import_crypto3 = require("crypto");
+var SIGNATURE_HEADER = "x-internal-signature";
+var SIGNATURE_VERSION_PREFIX = "v1=";
+function sha256Hex(input) {
+  return (0, import_crypto3.createHash)("sha256").update(input).digest("hex");
+}
+function buildCanonicalString(args) {
+  const { method, path: path4, unixSeconds, rawBody } = args;
+  return [method.toUpperCase(), path4, String(unixSeconds), sha256Hex(rawBody)].join("\n");
+}
+function parseSignatureHeader(headerValue) {
+  if (typeof headerValue !== "string" || !headerValue.startsWith(SIGNATURE_VERSION_PREFIX)) {
+    return null;
+  }
+  const payload = headerValue.slice(SIGNATURE_VERSION_PREFIX.length);
+  const parts = payload.split(":");
+  if (parts.length !== 3) return null;
+  const [keyId, tsStr, signature] = parts;
+  if (!keyId || !tsStr || !signature) return null;
+  if (!/^[A-Za-z0-9_-]+$/.test(keyId)) return null;
+  if (!/^\d+$/.test(tsStr)) return null;
+  const unixSeconds = Number(tsStr);
+  if (!Number.isFinite(unixSeconds) || unixSeconds < 0) return null;
+  if (!/^[A-Za-z0-9+/]+=*$/.test(signature)) return null;
+  return { keyId, unixSeconds, signature };
+}
+function formatSignatureHeader(parsed) {
+  return `${SIGNATURE_VERSION_PREFIX}${parsed.keyId}:${parsed.unixSeconds}:${parsed.signature}`;
+}
+// src/internal-signature/signer.ts
+var import_crypto4 = require("crypto");
+var MIN_SIGNER_KEY_BYTES = 32;
+function signRequest(key, args) {
+  assertKeyMaterial(key);
+  const unixSeconds = args.unixSeconds ?? Math.floor(Date.now() / 1e3);
+  const canonical = buildCanonicalString({
+    method: args.method,
+    path: args.path,
+    unixSeconds,
+    rawBody: args.rawBody
+  });
+  const signature = (0, import_crypto4.createHmac)("sha256", key.secret).update(canonical).digest("base64");
+  const parsed = {
+    keyId: key.keyId,
+    unixSeconds,
+    signature
+  };
+  return formatSignatureHeader(parsed);
+}
+function assertKeyMaterial(k) {
+  if (!k.keyId || !/^[A-Za-z0-9_-]+$/.test(k.keyId)) {
+    throw new Error(
+      `internal-signature signer: invalid keyId ${JSON.stringify(k.keyId)} (must match /^[A-Za-z0-9_-]+$/)`
+    );
+  }
+  if (!Buffer.isBuffer(k.secret) || k.secret.length < MIN_SIGNER_KEY_BYTES) {
+    throw new Error(
+      `internal-signature signer: secret too short for keyId=${k.keyId} (${Buffer.isBuffer(k.secret) ? k.secret.length : "not a Buffer"} bytes; minimum ${MIN_SIGNER_KEY_BYTES} required)`
+    );
+  }
+}
 // src/index.ts
 var version = "0.0.1";
 // Annotate the CommonJS export names for ESM import in node:
@@ -6191,6 +6138,7 @@ var version = "0.0.1";
   DummyCreds,
   DummyVpVerifier,
   FilesystemKeyStorage,
+  GATEWAY_ERROR_CODE,
   GatewayClient,
   GatewayError,
   GrantResourceType,
@@ -6199,16 +6147,20 @@ var version = "0.0.1";
   InvalidVPError,
   InvitationStatus,
   JsonStateStore,
+  KB_JWT_DEFAULT_LIFETIME_SECONDS,
   KeyManager,
   LEGACY_RESOURCE_TYPE_MAP,
+  MIN_SIGNER_KEY_BYTES,
   MemoryKeyStorage,
-  MemoryManager,
   NetworkError,
   OAuthProvider,
   PROVIDER_ALIASES,
+  REAUTH_REQUIRED_ACTION,
   RESOURCE_TYPES,
   ReceiptStatus,
   SDJwtClient,
+  SIGNATURE_HEADER,
+  SIGNATURE_VERSION_PREFIX,
   ScopeUnmatchedError,
   SimpleRebac,
   StandardActionCategory,
@@ -6226,7 +6178,9 @@ var version = "0.0.1";
   VCType,
   VPManager,
   WRITE_ACTION_NAMES,
+  buildCanonicalString,
   buildGrantIdFields,
+  buildKbJwtPayload,
   canonicalizeAction,
   checkPermissionWithVP,
   configure,
@@ -6238,6 +6192,7 @@ var version = "0.0.1";
   extractProjectKey,
   extractPublicKey,
   extractPublicKeyFromDid,
+  formatSignatureHeader,
   generateActionParamsDisplay,
   generateActionSummary,
   generateKeyPair,
@@ -6264,16 +6219,21 @@ var version = "0.0.1";
   isWriteAction,
   loadActionRegistryFromFile,
   loadActionRegistryFromObject,
+  normalizeDomain,
   normalizeMcpActionName,
   parseGrantAction,
   parseGrantResourceType,
+  parseSignatureHeader,
   planDelegationForVC,
   publicKeysMatch,
+  readVcExpSeconds,
   resolveActionsFromSelection,
   resolveProvider,
   resolveResourceType,
   resolveUserTier,
+  sha256Hex,
   signJWT,
+  signRequest,
   validateRegistryObject,
   vcStatusToCredentialStatus,
   verifyJWT,