npm - @vess-id/ai-identity - Versions diffs - 0.3.1 → 0.4.0 - Mend

@vess-id/ai-identity 0.3.1 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/dist/constraint/constraint-evaluator.d.ts +33 -2
package/dist/constraint/constraint-evaluator.d.ts.map +1 -1
package/dist/index.js +115 -5
package/dist/index.js.map +1 -1
package/dist/index.mjs +115 -5
package/dist/index.mjs.map +1 -1
package/dist/registry/index.d.ts +2 -1
package/dist/registry/index.d.ts.map +1 -1
package/dist/vp/vp-manager.d.ts.map +1 -1
package/package.json +2 -2

package/dist/constraint/constraint-evaluator.d.ts CHANGED Viewed

@@ -2,7 +2,7 @@
  * ConstraintEvaluator
  * Grant制約の評価ロジック
  */
-import { GrantConstraints, TimeWindowConstraint, EvaluationContext, ConstraintEvaluationResult, ConstraintViolation, ConstraintWarning } from '@vess-id/ai-identity-types';
+import { GrantConstraints, TimeWindowConstraint, EvaluationContext, ConstraintEvaluationResult, ConstraintViolation, ConstraintWarning, PermissionConstraints, PermissionTimeConstraint } from '@vess-id/ai-identity-types';
 export interface ConstraintEvaluatorOptions {
     /** 警告を発する残り実行回数の閾値 */
     invocationWarningThreshold?: number;
@@ -54,11 +54,42 @@ export declare class ConstraintEvaluator {
         violation?: ConstraintViolation;
         warning?: ConstraintWarning;
     };
+    /**
+     * Evaluate PermissionConstraints from a PermissionRule.
+     *
+     * This is the VC-level constraint evaluator that works with the
+     * normalized PermissionConstraints format (as opposed to GrantConstraints).
+     *
+     * Used by the PolicyEvaluator after rule matching to verify
+     * rule-level constraints are satisfied.
+     */
+    evaluatePermissionConstraints(constraints: PermissionConstraints, context: {
+        now: number;
+        ipAddress?: string;
+        riskScore?: number;
+        invocationCount?: number;
+    }): {
+        allowed: boolean;
+        violations: ConstraintViolation[];
+        warnings: ConstraintWarning[];
+    };
+    /**
+     * Check PermissionTimeConstraint (supports both absolute and recurring)
+     */
+    checkPermissionTimeConstraint(time: PermissionTimeConstraint, currentTime: Date): {
+        violation?: ConstraintViolation;
+        warning?: ConstraintWarning;
+    };
     private getDayOfWeekInTimezone;
     private getTimeInTimezone;
     private getDayName;
     private timeToMinutes;
-    private isIpInCidr;
+    /**
+     * Check if an IP address is within a CIDR range or matches exactly.
+     * Uses unsigned 32-bit arithmetic to avoid sign-bit issues.
+     * Public for reuse by other services (e.g., LocalPolicyEvaluatorService).
+     */
+    isIpInCidr(ip: string, cidr: string): boolean;
     private ipToNumber;
 }
 /**

package/dist/constraint/constraint-evaluator.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"constraint-evaluator.d.ts","sourceRoot":"","sources":["../../src/constraint/constraint-evaluator.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EACL,gBAAgB,EAChB,oBAAoB,EACpB,iBAAiB,EACjB,0BAA0B,EAC1B,mBAAmB,EACnB,iBAAiB,~~EAClB~~,MAAM,4BAA4B,CAAA;AAEnC,MAAM,WAAW,0BAA0B;IACzC,sBAAsB;IACtB,0BAA0B,CAAC,EAAE,MAAM,CAAA;IACnC,2CAA2C;IAC3C,gBAAgB,CAAC,EAAE,MAAM,CAAA;IACzB,kBAAkB;IAClB,eAAe,CAAC,EAAE,MAAM,CAAA;CACzB;AAQD;;GAEG;AACH,qBAAa,mBAAmB;IAC9B,OAAO,CAAC,OAAO,CAA4B;gBAE/B,OAAO,CAAC,EAAE,OAAO,CAAC,0BAA0B,CAAC;IAIzD;;OAEG;IACH,QAAQ,CACN,WAAW,EAAE,gBAAgB,EAC7B,OAAO,EAAE,iBAAiB,EAC1B,kBAAkB,EAAE,MAAM,EAC1B,SAAS,CAAC,EAAE,IAAI,GACf,0BAA0B;IAgE7B;;OAEG;IACH,eAAe,CACb,cAAc,CAAC,EAAE,IAAI,EACrB,mBAAmB,CAAC,EAAE,MAAM,GAC3B;QAAE,SAAS,CAAC,EAAE,mBAAmB,CAAA;KAAE;IA4BtC;;OAEG;IACH,oBAAoB,CAClB,cAAc,CAAC,EAAE,MAAM,EACvB,kBAAkB,CAAC,EAAE,MAAM,GAC1B;QAAE,SAAS,CAAC,EAAE,mBAAmB,CAAC;QAAC,OAAO,CAAC,EAAE,iBAAiB,CAAA;KAAE;IA8BnE;;OAEG;IACH,eAAe,CACb,UAAU,EAAE,oBAAoB,EAChC,WAAW,EAAE,IAAI,GAChB;QAAE,SAAS,CAAC,EAAE,mBAAmB,CAAC;QAAC,OAAO,CAAC,EAAE,iBAAiB,CAAA;KAAE;IAoEnE;;OAEG;IACH,gBAAgB,CACd,SAAS,EAAE,MAAM,EAAE,EACnB,SAAS,EAAE,MAAM,GAChB;QAAE,SAAS,CAAC,EAAE,mBAAmB,CAAA;KAAE;IA6BtC;;OAEG;IACH,kBAAkB,CAChB,SAAS,EAAE,MAAM,EACjB,YAAY,EAAE,MAAM,GACnB;QAAE,SAAS,CAAC,EAAE,mBAAmB,CAAC;QAAC,OAAO,CAAC,EAAE,iBAAiB,CAAA;KAAE;IA6BnE,OAAO,CAAC,sBAAsB;IAW9B,OAAO,CAAC,iBAAiB;IAczB,OAAO,CAAC,UAAU;IAKlB,OAAO,CAAC,aAAa;IAKrB,~~OAAO~~,CAAC,~~UAAU~~;~~IAelB~~,OAAO,CAAC,UAAU;~~CAInB~~;AAED;;GAEG;AACH,eAAO,MAAM,0BAA0B,qBAA4B,CAAA;AAEnE;;GAEG;AACH,wBAAgB,mBAAmB,CACjC,WAAW,EAAE,gBAAgB,EAC7B,OAAO,EAAE,iBAAiB,EAC1B,kBAAkB,EAAE,MAAM,EAC1B,SAAS,CAAC,EAAE,IAAI,GACf,0BAA0B,CAE5B"}
1	+ {"version":3,"file":"constraint-evaluator.d.ts","sourceRoot":"","sources":["../../src/constraint/constraint-evaluator.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EACL,gBAAgB,EAChB,oBAAoB,EACpB,iBAAiB,EACjB,0BAA0B,EAC1B,mBAAmB,EACnB,iBAAiB,EACjB,qBAAqB,EACrB,wBAAwB,EACzB,MAAM,4BAA4B,CAAA;AAEnC,MAAM,WAAW,0BAA0B;IACzC,sBAAsB;IACtB,0BAA0B,CAAC,EAAE,MAAM,CAAA;IACnC,2CAA2C;IAC3C,gBAAgB,CAAC,EAAE,MAAM,CAAA;IACzB,kBAAkB;IAClB,eAAe,CAAC,EAAE,MAAM,CAAA;CACzB;AAQD;;GAEG;AACH,qBAAa,mBAAmB;IAC9B,OAAO,CAAC,OAAO,CAA4B;gBAE/B,OAAO,CAAC,EAAE,OAAO,CAAC,0BAA0B,CAAC;IAIzD;;OAEG;IACH,QAAQ,CACN,WAAW,EAAE,gBAAgB,EAC7B,OAAO,EAAE,iBAAiB,EAC1B,kBAAkB,EAAE,MAAM,EAC1B,SAAS,CAAC,EAAE,IAAI,GACf,0BAA0B;IAgE7B;;OAEG;IACH,eAAe,CACb,cAAc,CAAC,EAAE,IAAI,EACrB,mBAAmB,CAAC,EAAE,MAAM,GAC3B;QAAE,SAAS,CAAC,EAAE,mBAAmB,CAAA;KAAE;IA4BtC;;OAEG;IACH,oBAAoB,CAClB,cAAc,CAAC,EAAE,MAAM,EACvB,kBAAkB,CAAC,EAAE,MAAM,GAC1B;QAAE,SAAS,CAAC,EAAE,mBAAmB,CAAC;QAAC,OAAO,CAAC,EAAE,iBAAiB,CAAA;KAAE;IA8BnE;;OAEG;IACH,eAAe,CACb,UAAU,EAAE,oBAAoB,EAChC,WAAW,EAAE,IAAI,GAChB;QAAE,SAAS,CAAC,EAAE,mBAAmB,CAAC;QAAC,OAAO,CAAC,EAAE,iBAAiB,CAAA;KAAE;IAoEnE;;OAEG;IACH,gBAAgB,CACd,SAAS,EAAE,MAAM,EAAE,EACnB,SAAS,EAAE,MAAM,GAChB;QAAE,SAAS,CAAC,EAAE,mBAAmB,CAAA;KAAE;IA6BtC;;OAEG;IACH,kBAAkB,CAChB,SAAS,EAAE,MAAM,EACjB,YAAY,EAAE,MAAM,GACnB;QAAE,SAAS,CAAC,EAAE,mBAAmB,CAAC;QAAC,OAAO,CAAC,EAAE,iBAAiB,CAAA;KAAE;IA6BnE;;;;;;;;OAQG;IACH,6BAA6B,CAC3B,WAAW,EAAE,qBAAqB,EAClC,OAAO,EAAE;QACP,GAAG,EAAE,MAAM,CAAA;QACX,SAAS,CAAC,EAAE,MAAM,CAAA;QAClB,SAAS,CAAC,EAAE,MAAM,CAAA;QAClB,eAAe,CAAC,EAAE,MAAM,CAAA;KACzB,GACA;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,UAAU,EAAE,mBAAmB,EAAE,CAAC;QAAC,QAAQ,EAAE,iBAAiB,EAAE,CAAA;KAAE;IA4CzF;;OAEG;IACH,6BAA6B,CAC3B,IAAI,EAAE,wBAAwB,EAC9B,WAAW,EAAE,IAAI,GAChB;QAAE,SAAS,CAAC,EAAE,mBAAmB,CAAC;QAAC,OAAO,CAAC,EAAE,iBAAiB,CAAA;KAAE;IAsDnE,OAAO,CAAC,sBAAsB;IAW9B,OAAO,CAAC,iBAAiB;IAczB,OAAO,CAAC,UAAU;IAKlB,OAAO,CAAC,aAAa;IAKrB;;;;OAIG;IACH,UAAU,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO;IAoB7C,OAAO,CAAC,UAAU;CAWnB;AAED;;GAEG;AACH,eAAO,MAAM,0BAA0B,qBAA4B,CAAA;AAEnE;;GAEG;AACH,wBAAgB,mBAAmB,CACjC,WAAW,EAAE,gBAAgB,EAC7B,OAAO,EAAE,iBAAiB,EAC1B,kBAAkB,EAAE,MAAM,EAC1B,SAAS,CAAC,EAAE,IAAI,GACf,0BAA0B,CAE5B"}

package/dist/index.js CHANGED Viewed

@@ -1605,6 +1605,7 @@ var VPManager = class {
         presentationFrame[key] = true;
       });
       const kbJwtPayload = {
+        iss: options.holderDid,
         aud: options.domain,
         nonce: options.challenge,
         iat: Math.floor(Date.now() / 1e3)
@@ -3976,6 +3977,98 @@ var ConstraintEvaluator = class {
     return {};
   }
   // ============================================================================
+  // PermissionConstraints evaluation (VC-level constraints from PermissionRule)
+  // ============================================================================
+  /**
+   * Evaluate PermissionConstraints from a PermissionRule.
+   *
+   * This is the VC-level constraint evaluator that works with the
+   * normalized PermissionConstraints format (as opposed to GrantConstraints).
+   *
+   * Used by the PolicyEvaluator after rule matching to verify
+   * rule-level constraints are satisfied.
+   */
+  evaluatePermissionConstraints(constraints, context) {
+    const violations = [];
+    const warnings = [];
+    if (constraints.time) {
+      const timeResult = this.checkPermissionTimeConstraint(
+        constraints.time,
+        new Date(context.now * 1e3)
+      );
+      if (timeResult.violation) violations.push(timeResult.violation);
+      if (timeResult.warning) warnings.push(timeResult.warning);
+    }
+    if (constraints.max_invocations !== void 0 && context.invocationCount !== void 0) {
+      const invResult = this.checkInvocationLimit(
+        constraints.max_invocations,
+        context.invocationCount
+      );
+      if (invResult.violation) violations.push(invResult.violation);
+      if (invResult.warning) warnings.push(invResult.warning);
+    }
+    if (constraints.ip_allowlist && constraints.ip_allowlist.length > 0 && context.ipAddress) {
+      const ipResult = this.checkIpAllowlist(constraints.ip_allowlist, context.ipAddress);
+      if (ipResult.violation) violations.push(ipResult.violation);
+    }
+    if (constraints.risk_threshold !== void 0 && context.riskScore !== void 0) {
+      const riskResult = this.checkRiskThreshold(constraints.risk_threshold, context.riskScore);
+      if (riskResult.violation) violations.push(riskResult.violation);
+      if (riskResult.warning) warnings.push(riskResult.warning);
+    }
+    return {
+      allowed: violations.length === 0,
+      violations,
+      warnings
+    };
+  }
+  /**
+   * Check PermissionTimeConstraint (supports both absolute and recurring)
+   */
+  checkPermissionTimeConstraint(time, currentTime) {
+    const nowUnix = Math.floor(currentTime.getTime() / 1e3);
+    if (time.not_before !== void 0 && nowUnix < time.not_before) {
+      return {
+        violation: {
+          type: "time_window",
+          message: `Current time is before not_before (${new Date(time.not_before * 1e3).toISOString()})`,
+          details: { now: nowUnix, not_before: time.not_before }
+        }
+      };
+    }
+    if (time.not_after !== void 0 && nowUnix > time.not_after) {
+      return {
+        violation: {
+          type: "time_window",
+          message: `Current time is after not_after (${new Date(time.not_after * 1e3).toISOString()})`,
+          details: { now: nowUnix, not_after: time.not_after }
+        }
+      };
+    }
+    const timezone = time.timezone || this.options.defaultTimezone;
+    if (time.days_of_week && time.days_of_week.length > 0) {
+      const currentDay = this.getDayOfWeekInTimezone(currentTime, timezone);
+      if (!time.days_of_week.includes(currentDay)) {
+        return {
+          violation: {
+            type: "time_window",
+            message: `Current day (${this.getDayName(currentDay)}) is not in allowed days`,
+            details: { currentDay, allowedDays: time.days_of_week }
+          }
+        };
+      }
+    }
+    if (time.recurring_start && time.recurring_end) {
+      const tw = {
+        start: time.recurring_start,
+        end: time.recurring_end,
+        timezone
+      };
+      return this.checkTimeWindow(tw, currentTime);
+    }
+    return {};
+  }
+  // ============================================================================
   // Helper Methods
   // ============================================================================
   getDayOfWeekInTimezone(date, timezone) {
@@ -4009,21 +4102,38 @@ var ConstraintEvaluator = class {
     const [hours, minutes] = time.split(":").map(Number);
     return hours * 60 + minutes;
   }
+  /**
+   * Check if an IP address is within a CIDR range or matches exactly.
+   * Uses unsigned 32-bit arithmetic to avoid sign-bit issues.
+   * Public for reuse by other services (e.g., LocalPolicyEvaluatorService).
+   */
   isIpInCidr(ip, cidr) {
     try {
+      if (!cidr.includes("/")) {
+        return ip === cidr;
+      }
       const [range, bits] = cidr.split("/");
-      const mask = parseInt(bits, 10);
+      const prefix = parseInt(bits, 10);
+      if (isNaN(prefix)) return false;
       const ipNum = this.ipToNumber(ip);
       const rangeNum = this.ipToNumber(range);
-      const maskNum = ~(2 ** (32 - mask) - 1);
-      return (ipNum & maskNum) === (rangeNum & maskNum);
+      if (ipNum === null || rangeNum === null) return false;
+      const mask = prefix === 0 ? 0 : ~0 << 32 - prefix >>> 0;
+      return (ipNum & mask) === (rangeNum & mask);
     } catch {
       return false;
     }
   }
   ipToNumber(ip) {
-    const parts = ip.split(".").map(Number);
-    return (parts[0] << 24) + (parts[1] << 16) + (parts[2] << 8) + parts[3];
+    const parts = ip.split(".");
+    if (parts.length !== 4) return null;
+    let result = 0;
+    for (const part of parts) {
+      const n = parseInt(part, 10);
+      if (isNaN(n) || n < 0 || n > 255) return null;
+      result = result << 8 | n;
+    }
+    return result >>> 0;
   }
 };
 var defaultConstraintEvaluator = new ConstraintEvaluator();