@vess-id/ai-identity 0.5.0-alpha.14 → 0.5.0-alpha.16
- package/README.md +0 -16
- package/dist/client.d.ts +0 -14
- package/dist/client.d.ts.map +1 -1
- package/dist/index.d.mts +145 -153
- package/dist/index.d.ts +1 -1
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +63 -204
- package/dist/index.js.map +1 -1
- package/dist/index.mjs +59 -203
- package/dist/index.mjs.map +1 -1
- package/dist/vp/kb-jwt-builder.d.ts +81 -0
- package/dist/vp/kb-jwt-builder.d.ts.map +1 -0
- package/dist/vp/vp-manager.d.ts.map +1 -1
- package/package.json +2 -2
- package/dist/memory/memory-manager.d.ts +0 -77
- package/dist/memory/memory-manager.d.ts.map +0 -1
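--- a/package/README.md
+++ b/package/README.md
@@ -71,7 +71,6 @@ client.user // UserIdentityManager — user DID management
 client.vc // VCManager — VC issuance (SD-JWT)
 client.vp // VPManager — VP creation and verification
 client.tool // ToolManager — tool invocation with VP authorization
-client.memory // MemoryManager — vector-backed memory storage
 client.grant // GrantManager — grant suggestion and confirmation
 ```
 
@@ -138,21 +137,6 @@ const result = await client.invokeTool<SlackResponse>(
 )
 ```
 
-### Memory
-
-Vector-backed memory with VC authorization:
-
-```typescript
-await client.writeMemory('Meeting notes: ...', 'project-alpha', [vc], {
-type: 'meeting-notes',
-})
-
-const results = await client.queryMemory('latest meeting decisions', [vc], {
-namespace: 'project-alpha',
-limit: 10,
-})
-```
-
 ## Action Registry
 
 All supported actions are defined in `ACTION_REGISTRY` using `provider.resource.operation` format: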
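--- a/package/dist/client.d.ts
+++ b/package/dist/client.d.ts
@@ -4,7 +4,6 @@ import { UserIdentityManager } from './identity/user-identity-manager';
 import { VCManager } from './vc/vc-manager';
 import { VPManager } from './vp/vp-manager';
 import { ToolManager } from './tool/tool-manager';
-import { MemoryManager } from './memory/memory-manager';
 import { GrantManager } from './grant/grant-manager';
 import { Agent, ConnectorResponse } from './types';
 export declare class AIdentityClient {
@@ -13,7 +12,6 @@ export declare class AIdentityClient {
 readonly vc: VCManager;
 readonly vp: VPManager;
 readonly tool: ToolManager;
-readonly memory: MemoryManager;
 readonly grant: GrantManager;
 private keyManager;
 private currentAgent?;
@@ -59,18 +57,6 @@ export declare class AIdentityClient {
 * Invoke a tool with automatic VP creation
 */
 invokeTool<T = any>(tool: string, action: string, params: Record<string, any>, vcs: string[]): Promise<ConnectorResponse<T>>;
-/**
-* Write to memory with automatic VP creation
-*/
-writeMemory(content: string, namespace: string, vcs: string[], metadata?: Record<string, any>): Promise<import("./memory/memory-manager").MemoryDocument>;
-/**
-* Query memory with automatic VP creation
-*/
-queryMemory(query: string, vcs: string[], options?: {
-namespace?: string;
-limit?: number;
-filter?: Record<string, any>;
-}): Promise<import("./memory/memory-manager").MemoryQueryResult>;
 }
 export declare function getClient(config?: AIdentityConfig, password?: string): AIdentityClient;
 export { configure, AIdentityConfig } from './config';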
package/dist/client.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAa,MAAM,UAAU,CAAA;AACrD,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAA;AAE1C,OAAO,EAAE,mBAAmB,EAAE,MAAM,kCAAkC,CAAA;AACtE,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAA;AAC3C,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAA;AAC3C,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAA;AACjD,OAAO,EAAE,
|
|
1
|
+
{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAa,MAAM,UAAU,CAAA;AACrD,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAA;AAE1C,OAAO,EAAE,mBAAmB,EAAE,MAAM,kCAAkC,CAAA;AACtE,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAA;AAC3C,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAA;AAC3C,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAA;AACjD,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAA;AACpD,OAAO,EAAE,KAAK,EAAE,iBAAiB,EAAE,MAAM,SAAS,CAAA;AAElD,qBAAa,eAAe;IAC1B,SAAgB,KAAK,EAAE,YAAY,CAAA;IACnC,SAAgB,IAAI,EAAE,mBAAmB,CAAA;IACzC,SAAgB,EAAE,EAAE,SAAS,CAAA;IAC7B,SAAgB,EAAE,EAAE,SAAS,CAAA;IAC7B,SAAgB,IAAI,EAAE,WAAW,CAAA;IACjC,SAAgB,KAAK,EAAE,YAAY,CAAA;IAEnC,OAAO,CAAC,UAAU,CAAY;IAC9B,OAAO,CAAC,YAAY,CAAC,CAAO;gBAEhB,MAAM,CAAC,EAAE,eAAe,EAAE,QAAQ,CAAC,EAAE,MAAM;IAiBvD;;OAEG;IACG,KAAK,CAAC,GAAG,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,KAAK,CAAC;IAWzC;;OAEG;IACH,eAAe,IAAI,KAAK,GAAG,SAAS;IAIpC;;OAEG;IACG,iBAAiB,IAAI,OAAO,CAAC,MAAM,CAAC;IAI1C;;OAEG;IACG,iBAAiB,IAAI,OAAO,CAAC,MAAM,CAAC;IAI1C;;;OAGG;IACG,mBAAmB,CACvB,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,EACd,OAAO,EAAE;QACP,UAAU,CAAC,EAAE,MAAM,CAAA;QACnB,OAAO,CAAC,EAAE,MAAM,CAAA;QAChB,SAAS,CAAC,EAAE,MAAM,CAAA;QAClB,aAAa,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAA;QACnC,SAAS,CAAC,EAAE,MAAM,CAAA;KACnB,GACA,OAAO,CAAC,MAAM,CAAC;IAiBlB;;;OAGG;IACG,eAAe,CACnB,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,CAAC,MAAM,GAAG,OAAO,GAAG,QAAQ,CAAC,EAAE,EACxC,OAAO,EAAE;QACP,UAAU,CAAC,EAAE,MAAM,CAAA;QACnB,OAAO,CAAC,EAAE,MAAM,CAAA;QAChB,SAAS,CAAC,EAAE,MAAM,CAAA;QAClB,SAAS,CAAC,EAAE,MAAM,CAAA;KACnB,GACA,OAAO,CAAC,MAAM,CAAC;IAgBlB;;OAEG;IACG,UAAU,CAAC,CAAC,GAAG,GAAG,EACtB,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAC3B,GAAG,EAAE,MAAM,EAAE,GACZ,OAAO,CAAC,iBAAiB,CAAC,CAAC,CAAC,CAAC;CAYjC;AAKD,wBAAgB,SAAS,CAAC,MAAM,CAAC,EAAE,eAAe,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,eAAe,CAKtF;AAED,OAAO,EAAE,SAAS,EAAE,eAAe,EAAE,MAAM,UAAU,CAAA"}
|
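--- a/package/dist/index.d.mts
+++ b/package/dist/index.d.mts
@@ -4,6 +4,31 @@ import Ajv from 'ajv';
 import { SDJwtVcInstance } from '@sd-jwt/sd-jwt-vc';
 import { DisclosureFrame } from '@sd-jwt/types';
 
+interface AIdentityConfig {
+didApi?: {
+baseUrl: string;
+apiKey?: string;
+bearerToken?: string;
+};
+issuerApi?: {
+baseUrl: string;
+apiKey?: string;
+bearerToken?: string;
+};
+verifierApi?: {
+baseUrl: string;
+apiKey?: string;
+bearerToken?: string;
+};
+proxyApi?: {
+baseUrl: string;
+};
+storage?: {
+keyStorePath?: string;
+};
+}
+declare function configure(config: AIdentityConfig): void;
+
 interface DIDDocument {
 '@context': string | string[];
 id: string;
@@ -2803,145 +2828,6 @@ declare class KeyManager {
 private decrypt;
 }
 
-declare class VPManager {
-private keyManager;
-constructor(keyManager?: KeyManager);
-/**
-* Create a SD-JWT presentation using the present() method
-* This properly binds the holder's key to the SD-JWT VC
-*/
-create(vcs: string[], // Array of SD-JWT VC strings
-options: {
-holderDid: string;
-challenge: string;
-domain: string;
-purpose?: string;
-}): Promise<string>;
-/**
-* Verify a Verifiable Presentation
-*/
-verify(vpJwt: string, options: {
-expectedChallenge: string;
-expectedDomain: string;
-expectedHolder?: string;
-}): Promise<VerifiablePresentation>;
-/**
-* Create a VP request
-*/
-createRequest(domain: string, query?: {
-type?: string;
-credentialQuery?: any;
-}): VPRequest;
-/**
-* Submit VP to a verifier
-*/
-submit(vpJwt: string, verifierEndpoint: string): Promise<{
-verified: boolean;
-result?: any;
-}>;
-}
-
-/**
-* NOTE: MemoryManager is currently DORMANT (as of 2026-03-29).
-* The API memory endpoints exist but are not actively called in production.
-* The server-side implementation (InMemoryProvider) is volatile and not shared across instances.
-* Do not rely on this in production until a persistent backend is introduced.
-*/
-interface MemoryDocument {
-id: string;
-namespace: string;
-content: string;
-metadata?: Record<string, any>;
-embedding?: number[];
-createdAt: string;
-updatedAt: string;
-}
-interface MemoryQuery {
-query: string;
-namespace?: string;
-limit?: number;
-filter?: Record<string, any>;
-includeEmbedding?: boolean;
-}
-interface MemoryQueryResult {
-documents: MemoryDocument[];
-scores?: number[];
-total: number;
-}
-declare class MemoryManager {
-private vpManager;
-private proxyApiUrl;
-constructor(vpManager?: VPManager);
-/**
-* Write a document to memory
-*/
-write(content: string, options: {
-namespace: string;
-metadata?: Record<string, any>;
-vcs: string[];
-holderDid: string;
-}): Promise<MemoryDocument>;
-/**
-* Query memory with vector search
-*/
-query(query: string, options: {
-namespace?: string;
-limit?: number;
-filter?: Record<string, any>;
-vcs: string[];
-holderDid: string;
-}): Promise<MemoryQueryResult>;
-/**
-* Delete a document from memory
-*/
-delete(documentId: string, options: {
-namespace: string;
-vcs: string[];
-holderDid: string;
-}): Promise<void>;
-/**
-* List documents in a namespace
-*/
-list(options: {
-namespace: string;
-limit?: number;
-offset?: number;
-vcs: string[];
-holderDid: string;
-}): Promise<MemoryQueryResult>;
-/**
-* Check if VCs authorize memory access
-*/
-checkAuthorization(vcs: string[], action: 'read' | 'write' | 'delete', resource: string): Promise<boolean>;
-private matchResource;
-private generateChallenge;
-}
-
-interface AIdentityConfig {
-didApi?: {
-baseUrl: string;
-apiKey?: string;
-bearerToken?: string;
-};
-issuerApi?: {
-baseUrl: string;
-apiKey?: string;
-bearerToken?: string;
-};
-verifierApi?: {
-baseUrl: string;
-apiKey?: string;
-bearerToken?: string;
-};
-proxyApi?: {
-baseUrl: string;
-};
-storage?: {
-keyStorePath?: string;
-};
-}
-declare function configure(config: AIdentityConfig): void;
-
 declare class AgentManager {
 private keyManager;
 private agentDIDManager;
@@ -3110,6 +2996,44 @@ declare class VCManager {
 private calculateExpirationDate;
 }
 
+declare class VPManager {
+private keyManager;
+constructor(keyManager?: KeyManager);
+/**
+* Create a SD-JWT presentation using the present() method
+* This properly binds the holder's key to the SD-JWT VC
+*/
+create(vcs: string[], // Array of SD-JWT VC strings
+options: {
+holderDid: string;
+challenge: string;
+domain: string;
+purpose?: string;
+}): Promise<string>;
+/**
+* Verify a Verifiable Presentation
+*/
+verify(vpJwt: string, options: {
+expectedChallenge: string;
+expectedDomain: string;
+expectedHolder?: string;
+}): Promise<VerifiablePresentation>;
+/**
+* Create a VP request
+*/
+createRequest(domain: string, query?: {
+type?: string;
+credentialQuery?: any;
+}): VPRequest;
+/**
+* Submit VP to a verifier
+*/
+submit(vpJwt: string, verifierEndpoint: string): Promise<{
+verified: boolean;
+result?: any;
+}>;
+}
+
 interface ToolDefinition {
 name: string;
 description: string;
@@ -3296,7 +3220,6 @@ declare class AIdentityClient {
 readonly vc: VCManager;
 readonly vp: VPManager;
 readonly tool: ToolManager;
-readonly memory: MemoryManager;
 readonly grant: GrantManager;
 private keyManager;
 private currentAgent?;
@@ -3342,18 +3265,6 @@ declare class AIdentityClient {
 * Invoke a tool with automatic VP creation
 */
 invokeTool<T = any>(tool: string, action: string, params: Record<string, any>, vcs: string[]): Promise<ConnectorResponse<T>>;
-/**
-* Write to memory with automatic VP creation
-*/
-writeMemory(content: string, namespace: string, vcs: string[], metadata?: Record<string, any>): Promise<MemoryDocument>;
-/**
-* Query memory with automatic VP creation
-*/
-queryMemory(query: string, vcs: string[], options?: {
-namespace?: string;
-limit?: number;
-filter?: Record<string, any>;
-}): Promise<MemoryQueryResult>;
 }
 declare function getClient(config?: AIdentityConfig, password?: string): AIdentityClient;
 
@@ -3580,6 +3491,87 @@ declare class APIVCManager {
 issueAdminCredential(agentDid: string, scope: 'project' | 'global', projectId: string | undefined, issuerDid: string, expirationHours?: number): Promise<IssueSDJWTVCResult>;
 }
 
+/**
+* Single source of truth for Key Binding JWT (KB-JWT) issuance shared across
+* the AIdentity stack. Three production code paths build KB-JWTs and they
+* MUST stay byte-for-byte equivalent so a presentation built on one side is
+* accepted by the verifier on the other:
+*
+* - SDK clients via `VPManager.create()` (this package)
+* - API service via `packages/api/src/vp/vp-creation.service.ts`
+* - Remote MCP via `packages/remote-mcp/src/services/vp-creation.service.ts`
+*
+* Historically each path had its own copy of this logic, and PR #391 (the
+* commit that made `exp` REQUIRED on the verifier side) updated only two of
+* the three. The SDK was missed and every SDK-built VP started failing at
+* verification time. This module exists so that a future verifier change
+* cannot drift from the issuer side: any update lands in one place and all
+* three paths inherit it.
+*/
+/**
+* Default KB-JWT lifetime in seconds. Mirrors the cap enforced by the API's
+* `KeyBindingVerifierService.MAX_KB_JWT_LIFETIME_SECONDS` (also 300).
+*
+* The KB-JWT `exp` is the smaller of:
+* - `iat + KB_JWT_DEFAULT_LIFETIME_SECONDS`
+* - the parent VC's `exp` (so the bearer's freshness window cannot outlive
+* the underlying credential's validity, which is itself bounded by
+* `grant.expiresAt` at issuance time).
+*/
+declare const KB_JWT_DEFAULT_LIFETIME_SECONDS = 300;
+interface KbJwtPayload {
+iss: string;
+aud: string;
+nonce: string;
+iat: number;
+exp: number;
+}
+interface BuildKbJwtPayloadArgs {
+/** Holder DID — becomes the KB-JWT `iss` claim. */
+holderDid: string;
+/** Verifier audience (URL or hostname). Will be normalized via {@link normalizeDomain}. */
+audience: string;
+/** Verifier-supplied nonce / challenge. */
+nonce: string;
+/** The parent SD-JWT VC string. Its `exp` (if any) caps the KB-JWT lifetime. */
+vcCredential: string;
+}
+interface BuildKbJwtPayloadDeps {
+/** Returns the current time in milliseconds. Defaults to `Date.now`. */
+now?: () => number;
+}
+/**
+* Build a Key Binding JWT payload for an SD-JWT VC presentation.
+*
+* Throws when the parent VC is already expired (`vc.exp <= now`). The error
+* message intentionally contains the substring `"VC has expired"` so that
+* downstream catchers (notably remote-mcp's `isCredentialInvalidError`) can
+* detect a stale-credential condition and trigger a re-approval flow rather
+* than surface an opaque issuance failure to the user.
+*/
+declare function buildKbJwtPayload(args: BuildKbJwtPayloadArgs, deps?: BuildKbJwtPayloadDeps): KbJwtPayload;
+/**
+* Best-effort read of the VC's `exp` claim from the SD-JWT outer payload.
+* Returns undefined when the VC is malformed, missing exp, or the field is
+* not a number — callers fall back to {@link KB_JWT_DEFAULT_LIFETIME_SECONDS}
+* in that case so issuance does not break for VCs without an explicit expiry.
+*/
+declare function readVcExpSeconds(sdJwtVc: string): number | undefined;
+/**
+* Normalize a domain string for consistent use as a JWT `aud` claim.
+*
+* The API verifier compares the KB-JWT `aud` against the expected domain by
+* exact string match, so issuer and verifier must agree on the canonical
+* form. We delegate to the URL parser, which strips paths and lowercases
+* the host, then return the resulting `origin`.
+*
+* Inputs without a scheme are assumed to be hostnames; `localhost` (with or
+* without a port) defaults to `http://`, everything else to `https://`. If
+* URL parsing fails, the input is returned unchanged so a caller can still
+* detect the mismatch downstream rather than silently swallowing a typo.
+*/
+declare function normalizeDomain(domain: string): string;
+
 interface DisclosureFields {
 selectiveFields: string[];
 mandatoryFields: string[];
@@ -8763,4 +8755,4 @@ declare function signRequest(key: InternalHmacSignerKey, args: SignRequestArgs):
 
 declare const version = "0.0.1";
 
-export { type ABACPolicyEngine, ACTION_PARAMS_MAX_SIZE, ACTION_PREFIXES, ACTION_REGISTRY, AIdentityClient, type AIdentityConfig, AIdentityError, type APIAgent, type APICredential, APIVCManager, type AbacDecision, type AbacInput, type AcceptInvitationRequest, type AckEventResponse, type ActionInputSchema, type ActionMapping, type ActionMeta, type ActionParamDisplay, type ActionRegistry, type ActionRiskLevel, type Agent, type AgentCreateOptions, type AgentDIDConfig, AgentDIDManager, AgentManager, AgentStatus, AgentType, type AgentWithId, AllowAllAbac, type AnyProvider, type ApiKeyValidationResult, type AuditEvent, type AuditQuery, AuthProvider, type AuthState, AuthenticationError, type AutoApproveConfig, type BindingSource, CANONICAL_PROVIDERS, type CanonicalProvider, type CapabilityMeta, type CheckGrantPermissionRequest, type CheckGrantPermissionResult, type CheckPermissionInput, type CheckPermissionResult, type CollectContextRequest, type ConfirmGrantSuggestionRequest, type ConnectorAction, type ConnectorConfig, type ConnectorExecutionContext, type ConnectorResponse, type ConnectorResponseMetadata, type ConnectorTokenConfig, type ConstraintEvaluationResult, ConstraintEvaluator, type ConstraintEvaluatorOptions, type ConstraintViolation, type ConstraintWarning, type ContextBindingSource, type ContextProvider, type CreateGrantRequest, type CreateInvitationRequest, type CreateReceiptRequest, type CredentialRef, CredentialStatus, type CredentialStore, CredentialType, DEFAULT_CONSTRAINTS_BY_RISK, type DIDDocument, type DataAccessVC, type DecisionTrace, type DelegationVC, DeviceEnrollManager, type DeviceEnrollPollResult, type DeviceEnrollServerSideParams, type DeviceEnrollStartParams, type DeviceEnrollStartResult, type DisclosureFields, DummyCreds, DummyVpVerifier, type EmployeeVPRequest, type EvaluationContext, type ExternalActionRequest, FilesystemKeyStorage, GATEWAY_ERROR_CODE, GatewayClient, GatewayError, type GatewayErrorCode, type GatewayEvent, type GetEventsOptions, type GetEventsResponse, type GitHubConfig, type GoogleConfig, type Grant, type GrantConstraints, type GrantResource, GrantResourceType, GrantScope, GrantStatus, type GrantUsage, type IConnectorService, type IStateStore, type Intent, type IntentEvaluationResult, type IntentObligation, type IntentResource, type InternalHmacSignerKey, InvalidVPError, type Invitation, type InvitationRole, InvitationStatus, type IssueSDJWTVCRequest, type IssueSDJWTVCResult, type JiraBoard, type JiraConfig, type JiraIssue, type JiraIssueType, type JiraProject, type JiraSprint, type JiraStatus, type JiraUser, type JiraWorklog, type JsonSchema, JsonStateStore, KeyManager, type KeyPairGenerationResult, type KeyStorageConfig, type KeyStorageProvider, LEGACY_RESOURCE_TYPE_MAP, MIN_SIGNER_KEY_BYTES,
+export { type ABACPolicyEngine, ACTION_PARAMS_MAX_SIZE, ACTION_PREFIXES, ACTION_REGISTRY, AIdentityClient, type AIdentityConfig, AIdentityError, type APIAgent, type APICredential, APIVCManager, type AbacDecision, type AbacInput, type AcceptInvitationRequest, type AckEventResponse, type ActionInputSchema, type ActionMapping, type ActionMeta, type ActionParamDisplay, type ActionRegistry, type ActionRiskLevel, type Agent, type AgentCreateOptions, type AgentDIDConfig, AgentDIDManager, AgentManager, AgentStatus, AgentType, type AgentWithId, AllowAllAbac, type AnyProvider, type ApiKeyValidationResult, type AuditEvent, type AuditQuery, AuthProvider, type AuthState, AuthenticationError, type AutoApproveConfig, type BindingSource, type BuildKbJwtPayloadArgs, type BuildKbJwtPayloadDeps, CANONICAL_PROVIDERS, type CanonicalProvider, type CapabilityMeta, type CheckGrantPermissionRequest, type CheckGrantPermissionResult, type CheckPermissionInput, type CheckPermissionResult, type CollectContextRequest, type ConfirmGrantSuggestionRequest, type ConnectorAction, type ConnectorConfig, type ConnectorExecutionContext, type ConnectorResponse, type ConnectorResponseMetadata, type ConnectorTokenConfig, type ConstraintEvaluationResult, ConstraintEvaluator, type ConstraintEvaluatorOptions, type ConstraintViolation, type ConstraintWarning, type ContextBindingSource, type ContextProvider, type CreateGrantRequest, type CreateInvitationRequest, type CreateReceiptRequest, type CredentialRef, CredentialStatus, type CredentialStore, CredentialType, DEFAULT_CONSTRAINTS_BY_RISK, type DIDDocument, type DataAccessVC, type DecisionTrace, type DelegationVC, DeviceEnrollManager, type DeviceEnrollPollResult, type DeviceEnrollServerSideParams, type DeviceEnrollStartParams, type DeviceEnrollStartResult, type DisclosureFields, DummyCreds, DummyVpVerifier, type EmployeeVPRequest, type EvaluationContext, type ExternalActionRequest, FilesystemKeyStorage, GATEWAY_ERROR_CODE, GatewayClient, GatewayError, type GatewayErrorCode, type GatewayEvent, type GetEventsOptions, type GetEventsResponse, type GitHubConfig, type GoogleConfig, type Grant, type GrantConstraints, type GrantResource, GrantResourceType, GrantScope, GrantStatus, type GrantUsage, type IConnectorService, type IStateStore, type Intent, type IntentEvaluationResult, type IntentObligation, type IntentResource, type InternalHmacSignerKey, InvalidVPError, type Invitation, type InvitationRole, InvitationStatus, type IssueSDJWTVCRequest, type IssueSDJWTVCResult, type JiraBoard, type JiraConfig, type JiraIssue, type JiraIssueType, type JiraProject, type JiraSprint, type JiraStatus, type JiraUser, type JiraWorklog, type JsonSchema, JsonStateStore, KB_JWT_DEFAULT_LIFETIME_SECONDS, type KbJwtPayload, KeyManager, type KeyPairGenerationResult, type KeyStorageConfig, type KeyStorageProvider, LEGACY_RESOURCE_TYPE_MAP, MIN_SIGNER_KEY_BYTES, MemoryKeyStorage, NetworkError, type NormalizeIntentRequest, type NormalizedIntent, type OAuthAuthorizeRequest, type OAuthCallbackParams, type OAuthConnection, OAuthProvider, type OAuthToken, type OrganizationConfig, type OrganizationPermission, type OrganizationPolicy, type OrganizationVC, PROVIDER_ALIASES, type ParamBindingSource, type ParsedResourceType, type ParsedSignature, type PermissionConstraints, type PermissionMode, type PermissionResource, type PermissionRule, type PermissionTimeConstraint, type PermissionVcClaims, type PlanDelegationInput, type PlanDelegationResult, type PolicyCondition, type PolicyEvaluationResult, type PolicyInput, type PolicyRule, type PolicyTarget, type Provider, REAUTH_REQUIRED_ACTION, RESOURCE_TYPES, type ReBACChecker, type Receipt, type ReceiptListResult, type ReceiptOutcome, type ReceiptSearchQuery, ReceiptStatus, type Relation, type ResolvedTargets, type ResourceIdBinding, type ResourceRef, type ResourceScope, type ResourceType, type RiskAssessmentResult, type RiskFactor, type RiskLevel, SDJwtClient, SIGNATURE_HEADER, SIGNATURE_VERSION_PREFIX, ScopeUnmatchedError, type SecondaryBinding, type SignRequestArgs, SimpleRebac, type SlackConfig, StandardActionCategory, type SuggestGrantRequest, type SuggestedAction, type SuggestedConstraints, type SuggestedGrant, type SuggestedResource, type SuggestionRiskLevel, TIER_LIMITS, type TargetBindings, type TargetConstraint, TargetResolver, type TierLimits, type TimeWindowCheckResult, type TimeWindowConstraint, type ToolDefinition, type ToolInvocation, ToolManager, type ToolPermissionRequest, type ToolPermissionVC, type UnifiedResourceType, type UpdateGrantRequest, type UserIdentity, type UserIdentityConfig, type UserIdentityCreateOptions, UserIdentityManager, UserKeyPairManager, type UserTier, VALID_MCP_ACTIONS, VALID_MCP_TOOLS, VCExpiredError, VCManager, VCRevokedError, VCStatus, type VCTemplate, VCType, VPManager, type VPRequest, type VerifiablePresentation, type VerificationMethod, type VerifiedVcClaims, type VerifyInvitationResponse, type VerifyReceiptRequest, type VerifyReceiptResult, type VerifySDJWTVCResult, type VpVerifier, WRITE_ACTION_NAMES, type WeeklyReportData, type WeeklyReportSummary, buildCanonicalString, buildGrantIdFields, buildKbJwtPayload, canonicalizeAction, checkPermissionWithVP, configure, createAjv, createDidJwk, credentialStatusToVCStatus, defaultConstraintEvaluator, evaluateConstraints, extractProjectKey, extractPublicKey, extractPublicKeyFromDid, formatSignatureHeader, generateActionParamsDisplay, generateActionSummary, generateKeyPair, generateNonce, getActionAliases, getAllActionForms, getAllValidMcpActionNames, getClient, getDefaultDisclosureFields, getKeyIdFromDid, getRequiredRelations, getRequiredScopes, getTierLimits, getValidMcpActionNames, grantConstraintsToPermissionConstraints, grantToPermissionRules, indexActions, indexCapabilities, isActionEquivalent, isCanonicalProvider, isUnlimited, isValidDidJwk, isValidProvider, isWriteAction, loadActionRegistryFromFile, loadActionRegistryFromObject, normalizeDomain, normalizeMcpActionName, parseGrantAction, parseGrantResourceType, parseSignatureHeader, planDelegationForVC, publicKeysMatch, readVcExpSeconds, resolveActionsFromSelection, resolveProvider, resolveResourceType, resolveUserTier, sha256Hex, signJWT, signRequest, validateRegistryObject, vcStatusToCredentialStatus, verifyJWT, version };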
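Review bot: `KbJwtPayload` in the kb-jwt-builder hunk (`@@ -3580,6 +3491,87 @@`) leaves the unit of `iat` and `exp` undocumented while `BuildKbJwtPayloadDeps.now` is documented as returning milliseconds, so a caller injecting `now` cannot tell from the declarations whether the builder converts to seconds; add `/** Seconds since the Unix epoch (JWT NumericDate); derived from `now()`, which is in milliseconds. */` to both fields, adjusted to whatever the implementation actually does. The `readVcExpSeconds` comment calls itself a "best-effort read" of the outer payload, which suggests the VC is decoded without any signature check; the docstring should state that explicitly and note that the value is only suitable for capping the holder's own KB-JWT lifetime, never as a verification input. `KbJwtPayload` also declares no `sd_hash` claim, which the SD-JWT key-binding format requires of the signed KB-JWT; if the SD-JWT library appends it when the presentation is signed, a one-line note on the interface saying so would stop a reader from treating the declared shape as the complete wire payload.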
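--- a/package/dist/index.d.ts
+++ b/package/dist/index.d.ts
@@ -10,8 +10,8 @@ export { DeviceEnrollManager, DeviceEnrollStartParams, DeviceEnrollServerSidePar
 export { VCManager } from './vc/vc-manager';
 export { APIVCManager } from './vc/api-vc-manager';
 export { VPManager } from './vp/vp-manager';
+export { buildKbJwtPayload, KB_JWT_DEFAULT_LIFETIME_SECONDS, normalizeDomain, readVcExpSeconds, KbJwtPayload, BuildKbJwtPayloadArgs, BuildKbJwtPayloadDeps, } from './vp/kb-jwt-builder';
 export { ToolManager, ToolDefinition } from './tool/tool-manager';
-export { MemoryManager, MemoryDocument, MemoryQuery, MemoryQueryResult, } from './memory/memory-manager';
 export { getDefaultDisclosureFields, DisclosureFields, } from './utils/sdjwt-disclosure';
 export { ConstraintEvaluator, ConstraintEvaluatorOptions, defaultConstraintEvaluator, evaluateConstraints, } from './constraint/constraint-evaluator';
 export * from './storage';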
package/dist/index.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,eAAe,EAAE,SAAS,EAAE,MAAM,UAAU,CAAA;AAGrD,OAAO,EAAE,SAAS,EAAE,eAAe,EAAE,MAAM,UAAU,CAAA;AAGrD,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAA;AAC1C,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAA;AAC9C,OAAO,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAA;AAC3D,OAAO,EAAE,mBAAmB,EAAE,MAAM,kCAAkC,CAAA;AACtE,OAAO,EAAE,kBAAkB,EAAE,MAAM,kCAAkC,CAAA;AACrE,YAAY,EAAE,uBAAuB,EAAE,MAAM,kCAAkC,CAAA;AAC/E,OAAO,EACL,mBAAmB,EACnB,uBAAuB,EACvB,4BAA4B,EAC5B,uBAAuB,EACvB,sBAAsB,GACvB,MAAM,kCAAkC,CAAA;AACzC,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAA;AAC3C,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAA;AAClD,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAA;AAC3C,OAAO,
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,eAAe,EAAE,SAAS,EAAE,MAAM,UAAU,CAAA;AAGrD,OAAO,EAAE,SAAS,EAAE,eAAe,EAAE,MAAM,UAAU,CAAA;AAGrD,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAA;AAC1C,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAA;AAC9C,OAAO,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAA;AAC3D,OAAO,EAAE,mBAAmB,EAAE,MAAM,kCAAkC,CAAA;AACtE,OAAO,EAAE,kBAAkB,EAAE,MAAM,kCAAkC,CAAA;AACrE,YAAY,EAAE,uBAAuB,EAAE,MAAM,kCAAkC,CAAA;AAC/E,OAAO,EACL,mBAAmB,EACnB,uBAAuB,EACvB,4BAA4B,EAC5B,uBAAuB,EACvB,sBAAsB,GACvB,MAAM,kCAAkC,CAAA;AACzC,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAA;AAC3C,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAA;AAClD,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAA;AAC3C,OAAO,EACL,iBAAiB,EACjB,+BAA+B,EAC/B,eAAe,EACf,gBAAgB,EAChB,YAAY,EACZ,qBAAqB,EACrB,qBAAqB,GACtB,MAAM,qBAAqB,CAAA;AAC5B,OAAO,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAA;AAEjE,OAAO,EACL,0BAA0B,EAC1B,gBAAgB,GACjB,MAAM,0BAA0B,CAAA;AAGjC,OAAO,EACL,mBAAmB,EACnB,0BAA0B,EAC1B,0BAA0B,EAC1B,mBAAmB,GACpB,MAAM,mCAAmC,CAAA;AAG1C,cAAc,WAAW,CAAA;AAGzB,YAAY,EAAE,WAAW,EAAE,MAAM,+BAA+B,CAAA;AAChE,OAAO,EAAE,cAAc,EAAE,MAAM,0BAA0B,CAAA;AAGzD,OAAO,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAA;AACtE,YAAY,EACV,YAAY,EACZ,iBAAiB,EACjB,gBAAgB,EAChB,gBAAgB,EAChB,sBAAsB,GACvB,MAAM,0BAA0B,CAAA;AAGjC,OAAO,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAA;AACnD,YAAY,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAA;AAErD,cAAc,YAAY,CAAA;AAG1B,OAAO,EAAE,qBAAqB,EAAE,2BAA2B,EAAE,sBAAsB,EAAE,MAAM,2BAA2B,CAAA;AACtH,YAAY,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAA;AAGnE,OAAO,EAAE,eAAe,EAAE,OAAO,EAAE,SAAS,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAA;AACnF,OAAO,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAA;AAGlD,OAAO,EACL,YAAY,EACZ,gBAAgB,EAChB,uBAAuB,EACvB,aAAa,EACb,eAAe,EACf,eAAe,GAChB,MAAM,iBAAiB,CAAA;AAGxB,OAAO,EAAE,cAAc,EAAE,iBAAiB,EAAE,MAAM,4BAA4B,CAAA;AAG9E,cAAc,SAAS,CAAA;AAGvB,OAAO,EAAE,aAAa,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAA;AAG7E,OAAO,EAAE,eAAe,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAA;AAKhF,cAAc,sBAAsB,CAAA;AAGpC,eAAO,MAAM,OAAO,UAAU,CAAA"}
|