@vess-id/ai-identity 0.3.1 → 0.4.0

package/dist/index.mjs

@@ -1533,6 +1533,7 @@ var VPManager = class {
         presentationFrame[key] = true;
       });
       const kbJwtPayload = {
+        iss: options.holderDid,
         aud: options.domain,
         nonce: options.challenge,
         iat: Math.floor(Date.now() / 1e3)
@@ -3907,6 +3908,98 @@ var ConstraintEvaluator = class {
     return {};
   }
   // ============================================================================
+  // PermissionConstraints evaluation (VC-level constraints from PermissionRule)
+  // ============================================================================
+  /**
+   * Evaluate PermissionConstraints from a PermissionRule.
+   *
+   * This is the VC-level constraint evaluator that works with the
+   * normalized PermissionConstraints format (as opposed to GrantConstraints).
+   *
+   * Used by the PolicyEvaluator after rule matching to verify
+   * rule-level constraints are satisfied.
+   */
+  evaluatePermissionConstraints(constraints, context) {
+    const violations = [];
+    const warnings = [];
+    if (constraints.time) {
+      const timeResult = this.checkPermissionTimeConstraint(
+        constraints.time,
+        new Date(context.now * 1e3)
+      );
+      if (timeResult.violation) violations.push(timeResult.violation);
+      if (timeResult.warning) warnings.push(timeResult.warning);
+    }
+    if (constraints.max_invocations !== void 0 && context.invocationCount !== void 0) {
+      const invResult = this.checkInvocationLimit(
+        constraints.max_invocations,
+        context.invocationCount
+      );
+      if (invResult.violation) violations.push(invResult.violation);
+      if (invResult.warning) warnings.push(invResult.warning);
+    }
+    if (constraints.ip_allowlist && constraints.ip_allowlist.length > 0 && context.ipAddress) {
+      const ipResult = this.checkIpAllowlist(constraints.ip_allowlist, context.ipAddress);
+      if (ipResult.violation) violations.push(ipResult.violation);
+    }
+    if (constraints.risk_threshold !== void 0 && context.riskScore !== void 0) {
+      const riskResult = this.checkRiskThreshold(constraints.risk_threshold, context.riskScore);
+      if (riskResult.violation) violations.push(riskResult.violation);
+      if (riskResult.warning) warnings.push(riskResult.warning);
+    }
+    return {
+      allowed: violations.length === 0,
+      violations,
+      warnings
+    };
+  }
+  /**
+   * Check PermissionTimeConstraint (supports both absolute and recurring)
+   */
+  checkPermissionTimeConstraint(time, currentTime) {
+    const nowUnix = Math.floor(currentTime.getTime() / 1e3);
+    if (time.not_before !== void 0 && nowUnix < time.not_before) {
+      return {
+        violation: {
+          type: "time_window",
+          message: `Current time is before not_before (${new Date(time.not_before * 1e3).toISOString()})`,
+          details: { now: nowUnix, not_before: time.not_before }
+        }
+      };
+    }
+    if (time.not_after !== void 0 && nowUnix > time.not_after) {
+      return {
+        violation: {
+          type: "time_window",
+          message: `Current time is after not_after (${new Date(time.not_after * 1e3).toISOString()})`,
+          details: { now: nowUnix, not_after: time.not_after }
+        }
+      };
+    }
+    const timezone = time.timezone || this.options.defaultTimezone;
+    if (time.days_of_week && time.days_of_week.length > 0) {
+      const currentDay = this.getDayOfWeekInTimezone(currentTime, timezone);
+      if (!time.days_of_week.includes(currentDay)) {
+        return {
+          violation: {
+            type: "time_window",
+            message: `Current day (${this.getDayName(currentDay)}) is not in allowed days`,
+            details: { currentDay, allowedDays: time.days_of_week }
+          }
+        };
+      }
+    }
+    if (time.recurring_start && time.recurring_end) {
+      const tw = {
+        start: time.recurring_start,
+        end: time.recurring_end,
+        timezone
+      };
+      return this.checkTimeWindow(tw, currentTime);
+    }
+    return {};
+  }
+  // ============================================================================
   // Helper Methods
   // ============================================================================
   getDayOfWeekInTimezone(date, timezone) {
@@ -3940,21 +4033,38 @@ var ConstraintEvaluator = class {
     const [hours, minutes] = time.split(":").map(Number);
     return hours * 60 + minutes;
   }
+  /**
+   * Check if an IP address is within a CIDR range or matches exactly.
+   * Uses unsigned 32-bit arithmetic to avoid sign-bit issues.
+   * Public for reuse by other services (e.g., LocalPolicyEvaluatorService).
+   */
   isIpInCidr(ip, cidr) {
     try {
+      if (!cidr.includes("/")) {
+        return ip === cidr;
+      }
       const [range, bits] = cidr.split("/");
-      const mask = parseInt(bits, 10);
+      const prefix = parseInt(bits, 10);
+      if (isNaN(prefix)) return false;
       const ipNum = this.ipToNumber(ip);
       const rangeNum = this.ipToNumber(range);
-      const maskNum = ~(2 ** (32 - mask) - 1);
-      return (ipNum & maskNum) === (rangeNum & maskNum);
+      if (ipNum === null || rangeNum === null) return false;
+      const mask = prefix === 0 ? 0 : ~0 << 32 - prefix >>> 0;
+      return (ipNum & mask) === (rangeNum & mask);
     } catch {
       return false;
     }
   }
   ipToNumber(ip) {
-    const parts = ip.split(".").map(Number);
-    return (parts[0] << 24) + (parts[1] << 16) + (parts[2] << 8) + parts[3];
+    const parts = ip.split(".");
+    if (parts.length !== 4) return null;
+    let result = 0;
+    for (const part of parts) {
+      const n = parseInt(part, 10);
+      if (isNaN(n) || n < 0 || n > 255) return null;
+      result = result << 8 | n;
+    }
+    return result >>> 0;
   }
 };
 var defaultConstraintEvaluator = new ConstraintEvaluator();