@vess-id/ai-identity 0.5.0-alpha.15 → 0.5.0-alpha.16
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.d.mts +82 -1
- package/dist/index.d.ts +1 -0
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +63 -5
- package/dist/index.js.map +1 -1
- package/dist/index.mjs +59 -5
- package/dist/index.mjs.map +1 -1
- package/dist/vp/kb-jwt-builder.d.ts +81 -0
- package/dist/vp/kb-jwt-builder.d.ts.map +1 -0
- package/dist/vp/vp-manager.d.ts.map +1 -1
- package/package.json +1 -1
package/dist/index.d.mts
CHANGED
|
@@ -3491,6 +3491,87 @@ declare class APIVCManager {
|
|
|
3491
3491
|
issueAdminCredential(agentDid: string, scope: 'project' | 'global', projectId: string | undefined, issuerDid: string, expirationHours?: number): Promise<IssueSDJWTVCResult>;
|
|
3492
3492
|
}
|
|
3493
3493
|
|
|
3494
|
+
/**
|
|
3495
|
+
* Single source of truth for Key Binding JWT (KB-JWT) issuance shared across
|
|
3496
|
+
* the AIdentity stack. Three production code paths build KB-JWTs and they
|
|
3497
|
+
* MUST stay byte-for-byte equivalent so a presentation built on one side is
|
|
3498
|
+
* accepted by the verifier on the other:
|
|
3499
|
+
*
|
|
3500
|
+
* - SDK clients via `VPManager.create()` (this package)
|
|
3501
|
+
* - API service via `packages/api/src/vp/vp-creation.service.ts`
|
|
3502
|
+
* - Remote MCP via `packages/remote-mcp/src/services/vp-creation.service.ts`
|
|
3503
|
+
*
|
|
3504
|
+
* Historically each path had its own copy of this logic, and PR #391 (the
|
|
3505
|
+
* commit that made `exp` REQUIRED on the verifier side) updated only two of
|
|
3506
|
+
* the three. The SDK was missed and every SDK-built VP started failing at
|
|
3507
|
+
* verification time. This module exists so that a future verifier change
|
|
3508
|
+
* cannot drift from the issuer side: any update lands in one place and all
|
|
3509
|
+
* three paths inherit it.
|
|
3510
|
+
*/
|
|
3511
|
+
/**
|
|
3512
|
+
* Default KB-JWT lifetime in seconds. Mirrors the cap enforced by the API's
|
|
3513
|
+
* `KeyBindingVerifierService.MAX_KB_JWT_LIFETIME_SECONDS` (also 300).
|
|
3514
|
+
*
|
|
3515
|
+
* The KB-JWT `exp` is the smaller of:
|
|
3516
|
+
* - `iat + KB_JWT_DEFAULT_LIFETIME_SECONDS`
|
|
3517
|
+
* - the parent VC's `exp` (so the bearer's freshness window cannot outlive
|
|
3518
|
+
* the underlying credential's validity, which is itself bounded by
|
|
3519
|
+
* `grant.expiresAt` at issuance time).
|
|
3520
|
+
*/
|
|
3521
|
+
declare const KB_JWT_DEFAULT_LIFETIME_SECONDS = 300;
|
|
3522
|
+
interface KbJwtPayload {
|
|
3523
|
+
iss: string;
|
|
3524
|
+
aud: string;
|
|
3525
|
+
nonce: string;
|
|
3526
|
+
iat: number;
|
|
3527
|
+
exp: number;
|
|
3528
|
+
}
|
|
3529
|
+
interface BuildKbJwtPayloadArgs {
|
|
3530
|
+
/** Holder DID — becomes the KB-JWT `iss` claim. */
|
|
3531
|
+
holderDid: string;
|
|
3532
|
+
/** Verifier audience (URL or hostname). Will be normalized via {@link normalizeDomain}. */
|
|
3533
|
+
audience: string;
|
|
3534
|
+
/** Verifier-supplied nonce / challenge. */
|
|
3535
|
+
nonce: string;
|
|
3536
|
+
/** The parent SD-JWT VC string. Its `exp` (if any) caps the KB-JWT lifetime. */
|
|
3537
|
+
vcCredential: string;
|
|
3538
|
+
}
|
|
3539
|
+
interface BuildKbJwtPayloadDeps {
|
|
3540
|
+
/** Returns the current time in milliseconds. Defaults to `Date.now`. */
|
|
3541
|
+
now?: () => number;
|
|
3542
|
+
}
|
|
3543
|
+
/**
|
|
3544
|
+
* Build a Key Binding JWT payload for an SD-JWT VC presentation.
|
|
3545
|
+
*
|
|
3546
|
+
* Throws when the parent VC is already expired (`vc.exp <= now`). The error
|
|
3547
|
+
* message intentionally contains the substring `"VC has expired"` so that
|
|
3548
|
+
* downstream catchers (notably remote-mcp's `isCredentialInvalidError`) can
|
|
3549
|
+
* detect a stale-credential condition and trigger a re-approval flow rather
|
|
3550
|
+
* than surface an opaque issuance failure to the user.
|
|
3551
|
+
*/
|
|
3552
|
+
declare function buildKbJwtPayload(args: BuildKbJwtPayloadArgs, deps?: BuildKbJwtPayloadDeps): KbJwtPayload;
|
|
3553
|
+
/**
|
|
3554
|
+
* Best-effort read of the VC's `exp` claim from the SD-JWT outer payload.
|
|
3555
|
+
* Returns undefined when the VC is malformed, missing exp, or the field is
|
|
3556
|
+
* not a number — callers fall back to {@link KB_JWT_DEFAULT_LIFETIME_SECONDS}
|
|
3557
|
+
* in that case so issuance does not break for VCs without an explicit expiry.
|
|
3558
|
+
*/
|
|
3559
|
+
declare function readVcExpSeconds(sdJwtVc: string): number | undefined;
|
|
3560
|
+
/**
|
|
3561
|
+
* Normalize a domain string for consistent use as a JWT `aud` claim.
|
|
3562
|
+
*
|
|
3563
|
+
* The API verifier compares the KB-JWT `aud` against the expected domain by
|
|
3564
|
+
* exact string match, so issuer and verifier must agree on the canonical
|
|
3565
|
+
* form. We delegate to the URL parser, which strips paths and lowercases
|
|
3566
|
+
* the host, then return the resulting `origin`.
|
|
3567
|
+
*
|
|
3568
|
+
* Inputs without a scheme are assumed to be hostnames; `localhost` (with or
|
|
3569
|
+
* without a port) defaults to `http://`, everything else to `https://`. If
|
|
3570
|
+
* URL parsing fails, the input is returned unchanged so a caller can still
|
|
3571
|
+
* detect the mismatch downstream rather than silently swallowing a typo.
|
|
3572
|
+
*/
|
|
3573
|
+
declare function normalizeDomain(domain: string): string;
|
|
3574
|
+
|
|
3494
3575
|
interface DisclosureFields {
|
|
3495
3576
|
selectiveFields: string[];
|
|
3496
3577
|
mandatoryFields: string[];
|
|
@@ -8674,4 +8755,4 @@ declare function signRequest(key: InternalHmacSignerKey, args: SignRequestArgs):
|
|
|
8674
8755
|
|
|
8675
8756
|
declare const version = "0.0.1";
|
|
8676
8757
|
|
|
8677
|
-
export { type ABACPolicyEngine, ACTION_PARAMS_MAX_SIZE, ACTION_PREFIXES, ACTION_REGISTRY, AIdentityClient, type AIdentityConfig, AIdentityError, type APIAgent, type APICredential, APIVCManager, type AbacDecision, type AbacInput, type AcceptInvitationRequest, type AckEventResponse, type ActionInputSchema, type ActionMapping, type ActionMeta, type ActionParamDisplay, type ActionRegistry, type ActionRiskLevel, type Agent, type AgentCreateOptions, type AgentDIDConfig, AgentDIDManager, AgentManager, AgentStatus, AgentType, type AgentWithId, AllowAllAbac, type AnyProvider, type ApiKeyValidationResult, type AuditEvent, type AuditQuery, AuthProvider, type AuthState, AuthenticationError, type AutoApproveConfig, type BindingSource, CANONICAL_PROVIDERS, type CanonicalProvider, type CapabilityMeta, type CheckGrantPermissionRequest, type CheckGrantPermissionResult, type CheckPermissionInput, type CheckPermissionResult, type CollectContextRequest, type ConfirmGrantSuggestionRequest, type ConnectorAction, type ConnectorConfig, type ConnectorExecutionContext, type ConnectorResponse, type ConnectorResponseMetadata, type ConnectorTokenConfig, type ConstraintEvaluationResult, ConstraintEvaluator, type ConstraintEvaluatorOptions, type ConstraintViolation, type ConstraintWarning, type ContextBindingSource, type ContextProvider, type CreateGrantRequest, type CreateInvitationRequest, type CreateReceiptRequest, type CredentialRef, CredentialStatus, type CredentialStore, CredentialType, DEFAULT_CONSTRAINTS_BY_RISK, type DIDDocument, type DataAccessVC, type DecisionTrace, type DelegationVC, DeviceEnrollManager, type DeviceEnrollPollResult, type DeviceEnrollServerSideParams, type DeviceEnrollStartParams, type DeviceEnrollStartResult, type DisclosureFields, DummyCreds, DummyVpVerifier, type EmployeeVPRequest, type EvaluationContext, type ExternalActionRequest, FilesystemKeyStorage, GATEWAY_ERROR_CODE, GatewayClient, GatewayError, type GatewayErrorCode, type GatewayEvent, type GetEventsOptions, type GetEventsResponse, type GitHubConfig, type GoogleConfig, type Grant, type GrantConstraints, type GrantResource, GrantResourceType, GrantScope, GrantStatus, type GrantUsage, type IConnectorService, type IStateStore, type Intent, type IntentEvaluationResult, type IntentObligation, type IntentResource, type InternalHmacSignerKey, InvalidVPError, type Invitation, type InvitationRole, InvitationStatus, type IssueSDJWTVCRequest, type IssueSDJWTVCResult, type JiraBoard, type JiraConfig, type JiraIssue, type JiraIssueType, type JiraProject, type JiraSprint, type JiraStatus, type JiraUser, type JiraWorklog, type JsonSchema, JsonStateStore, KeyManager, type KeyPairGenerationResult, type KeyStorageConfig, type KeyStorageProvider, LEGACY_RESOURCE_TYPE_MAP, MIN_SIGNER_KEY_BYTES, MemoryKeyStorage, NetworkError, type NormalizeIntentRequest, type NormalizedIntent, type OAuthAuthorizeRequest, type OAuthCallbackParams, type OAuthConnection, OAuthProvider, type OAuthToken, type OrganizationConfig, type OrganizationPermission, type OrganizationPolicy, type OrganizationVC, PROVIDER_ALIASES, type ParamBindingSource, type ParsedResourceType, type ParsedSignature, type PermissionConstraints, type PermissionMode, type PermissionResource, type PermissionRule, type PermissionTimeConstraint, type PermissionVcClaims, type PlanDelegationInput, type PlanDelegationResult, type PolicyCondition, type PolicyEvaluationResult, type PolicyInput, type PolicyRule, type PolicyTarget, type Provider, REAUTH_REQUIRED_ACTION, RESOURCE_TYPES, type ReBACChecker, type Receipt, type ReceiptListResult, type ReceiptOutcome, type ReceiptSearchQuery, ReceiptStatus, type Relation, type ResolvedTargets, type ResourceIdBinding, type ResourceRef, type ResourceScope, type ResourceType, type RiskAssessmentResult, type RiskFactor, type RiskLevel, SDJwtClient, SIGNATURE_HEADER, SIGNATURE_VERSION_PREFIX, ScopeUnmatchedError, type SecondaryBinding, type SignRequestArgs, SimpleRebac, type SlackConfig, StandardActionCategory, type SuggestGrantRequest, type SuggestedAction, type SuggestedConstraints, type SuggestedGrant, type SuggestedResource, type SuggestionRiskLevel, TIER_LIMITS, type TargetBindings, type TargetConstraint, TargetResolver, type TierLimits, type TimeWindowCheckResult, type TimeWindowConstraint, type ToolDefinition, type ToolInvocation, ToolManager, type ToolPermissionRequest, type ToolPermissionVC, type UnifiedResourceType, type UpdateGrantRequest, type UserIdentity, type UserIdentityConfig, type UserIdentityCreateOptions, UserIdentityManager, UserKeyPairManager, type UserTier, VALID_MCP_ACTIONS, VALID_MCP_TOOLS, VCExpiredError, VCManager, VCRevokedError, VCStatus, type VCTemplate, VCType, VPManager, type VPRequest, type VerifiablePresentation, type VerificationMethod, type VerifiedVcClaims, type VerifyInvitationResponse, type VerifyReceiptRequest, type VerifyReceiptResult, type VerifySDJWTVCResult, type VpVerifier, WRITE_ACTION_NAMES, type WeeklyReportData, type WeeklyReportSummary, buildCanonicalString, buildGrantIdFields, canonicalizeAction, checkPermissionWithVP, configure, createAjv, createDidJwk, credentialStatusToVCStatus, defaultConstraintEvaluator, evaluateConstraints, extractProjectKey, extractPublicKey, extractPublicKeyFromDid, formatSignatureHeader, generateActionParamsDisplay, generateActionSummary, generateKeyPair, generateNonce, getActionAliases, getAllActionForms, getAllValidMcpActionNames, getClient, getDefaultDisclosureFields, getKeyIdFromDid, getRequiredRelations, getRequiredScopes, getTierLimits, getValidMcpActionNames, grantConstraintsToPermissionConstraints, grantToPermissionRules, indexActions, indexCapabilities, isActionEquivalent, isCanonicalProvider, isUnlimited, isValidDidJwk, isValidProvider, isWriteAction, loadActionRegistryFromFile, loadActionRegistryFromObject, normalizeMcpActionName, parseGrantAction, parseGrantResourceType, parseSignatureHeader, planDelegationForVC, publicKeysMatch, resolveActionsFromSelection, resolveProvider, resolveResourceType, resolveUserTier, sha256Hex, signJWT, signRequest, validateRegistryObject, vcStatusToCredentialStatus, verifyJWT, version };
|
|
8758
|
+
export { type ABACPolicyEngine, ACTION_PARAMS_MAX_SIZE, ACTION_PREFIXES, ACTION_REGISTRY, AIdentityClient, type AIdentityConfig, AIdentityError, type APIAgent, type APICredential, APIVCManager, type AbacDecision, type AbacInput, type AcceptInvitationRequest, type AckEventResponse, type ActionInputSchema, type ActionMapping, type ActionMeta, type ActionParamDisplay, type ActionRegistry, type ActionRiskLevel, type Agent, type AgentCreateOptions, type AgentDIDConfig, AgentDIDManager, AgentManager, AgentStatus, AgentType, type AgentWithId, AllowAllAbac, type AnyProvider, type ApiKeyValidationResult, type AuditEvent, type AuditQuery, AuthProvider, type AuthState, AuthenticationError, type AutoApproveConfig, type BindingSource, type BuildKbJwtPayloadArgs, type BuildKbJwtPayloadDeps, CANONICAL_PROVIDERS, type CanonicalProvider, type CapabilityMeta, type CheckGrantPermissionRequest, type CheckGrantPermissionResult, type CheckPermissionInput, type CheckPermissionResult, type CollectContextRequest, type ConfirmGrantSuggestionRequest, type ConnectorAction, type ConnectorConfig, type ConnectorExecutionContext, type ConnectorResponse, type ConnectorResponseMetadata, type ConnectorTokenConfig, type ConstraintEvaluationResult, ConstraintEvaluator, type ConstraintEvaluatorOptions, type ConstraintViolation, type ConstraintWarning, type ContextBindingSource, type ContextProvider, type CreateGrantRequest, type CreateInvitationRequest, type CreateReceiptRequest, type CredentialRef, CredentialStatus, type CredentialStore, CredentialType, DEFAULT_CONSTRAINTS_BY_RISK, type DIDDocument, type DataAccessVC, type DecisionTrace, type DelegationVC, DeviceEnrollManager, type DeviceEnrollPollResult, type DeviceEnrollServerSideParams, type DeviceEnrollStartParams, type DeviceEnrollStartResult, type DisclosureFields, DummyCreds, DummyVpVerifier, type EmployeeVPRequest, type EvaluationContext, type ExternalActionRequest, FilesystemKeyStorage, GATEWAY_ERROR_CODE, GatewayClient, GatewayError, type GatewayErrorCode, type GatewayEvent, type GetEventsOptions, type GetEventsResponse, type GitHubConfig, type GoogleConfig, type Grant, type GrantConstraints, type GrantResource, GrantResourceType, GrantScope, GrantStatus, type GrantUsage, type IConnectorService, type IStateStore, type Intent, type IntentEvaluationResult, type IntentObligation, type IntentResource, type InternalHmacSignerKey, InvalidVPError, type Invitation, type InvitationRole, InvitationStatus, type IssueSDJWTVCRequest, type IssueSDJWTVCResult, type JiraBoard, type JiraConfig, type JiraIssue, type JiraIssueType, type JiraProject, type JiraSprint, type JiraStatus, type JiraUser, type JiraWorklog, type JsonSchema, JsonStateStore, KB_JWT_DEFAULT_LIFETIME_SECONDS, type KbJwtPayload, KeyManager, type KeyPairGenerationResult, type KeyStorageConfig, type KeyStorageProvider, LEGACY_RESOURCE_TYPE_MAP, MIN_SIGNER_KEY_BYTES, MemoryKeyStorage, NetworkError, type NormalizeIntentRequest, type NormalizedIntent, type OAuthAuthorizeRequest, type OAuthCallbackParams, type OAuthConnection, OAuthProvider, type OAuthToken, type OrganizationConfig, type OrganizationPermission, type OrganizationPolicy, type OrganizationVC, PROVIDER_ALIASES, type ParamBindingSource, type ParsedResourceType, type ParsedSignature, type PermissionConstraints, type PermissionMode, type PermissionResource, type PermissionRule, type PermissionTimeConstraint, type PermissionVcClaims, type PlanDelegationInput, type PlanDelegationResult, type PolicyCondition, type PolicyEvaluationResult, type PolicyInput, type PolicyRule, type PolicyTarget, type Provider, REAUTH_REQUIRED_ACTION, RESOURCE_TYPES, type ReBACChecker, type Receipt, type ReceiptListResult, type ReceiptOutcome, type ReceiptSearchQuery, ReceiptStatus, type Relation, type ResolvedTargets, type ResourceIdBinding, type ResourceRef, type ResourceScope, type ResourceType, type RiskAssessmentResult, type RiskFactor, type RiskLevel, SDJwtClient, SIGNATURE_HEADER, SIGNATURE_VERSION_PREFIX, ScopeUnmatchedError, type SecondaryBinding, type SignRequestArgs, SimpleRebac, type SlackConfig, StandardActionCategory, type SuggestGrantRequest, type SuggestedAction, type SuggestedConstraints, type SuggestedGrant, type SuggestedResource, type SuggestionRiskLevel, TIER_LIMITS, type TargetBindings, type TargetConstraint, TargetResolver, type TierLimits, type TimeWindowCheckResult, type TimeWindowConstraint, type ToolDefinition, type ToolInvocation, ToolManager, type ToolPermissionRequest, type ToolPermissionVC, type UnifiedResourceType, type UpdateGrantRequest, type UserIdentity, type UserIdentityConfig, type UserIdentityCreateOptions, UserIdentityManager, UserKeyPairManager, type UserTier, VALID_MCP_ACTIONS, VALID_MCP_TOOLS, VCExpiredError, VCManager, VCRevokedError, VCStatus, type VCTemplate, VCType, VPManager, type VPRequest, type VerifiablePresentation, type VerificationMethod, type VerifiedVcClaims, type VerifyInvitationResponse, type VerifyReceiptRequest, type VerifyReceiptResult, type VerifySDJWTVCResult, type VpVerifier, WRITE_ACTION_NAMES, type WeeklyReportData, type WeeklyReportSummary, buildCanonicalString, buildGrantIdFields, buildKbJwtPayload, canonicalizeAction, checkPermissionWithVP, configure, createAjv, createDidJwk, credentialStatusToVCStatus, defaultConstraintEvaluator, evaluateConstraints, extractProjectKey, extractPublicKey, extractPublicKeyFromDid, formatSignatureHeader, generateActionParamsDisplay, generateActionSummary, generateKeyPair, generateNonce, getActionAliases, getAllActionForms, getAllValidMcpActionNames, getClient, getDefaultDisclosureFields, getKeyIdFromDid, getRequiredRelations, getRequiredScopes, getTierLimits, getValidMcpActionNames, grantConstraintsToPermissionConstraints, grantToPermissionRules, indexActions, indexCapabilities, isActionEquivalent, isCanonicalProvider, isUnlimited, isValidDidJwk, isValidProvider, isWriteAction, loadActionRegistryFromFile, loadActionRegistryFromObject, normalizeDomain, normalizeMcpActionName, parseGrantAction, parseGrantResourceType, parseSignatureHeader, planDelegationForVC, publicKeysMatch, readVcExpSeconds, resolveActionsFromSelection, resolveProvider, resolveResourceType, resolveUserTier, sha256Hex, signJWT, signRequest, validateRegistryObject, vcStatusToCredentialStatus, verifyJWT, version };
|
package/dist/index.d.ts
CHANGED
|
@@ -10,6 +10,7 @@ export { DeviceEnrollManager, DeviceEnrollStartParams, DeviceEnrollServerSidePar
|
|
|
10
10
|
export { VCManager } from './vc/vc-manager';
|
|
11
11
|
export { APIVCManager } from './vc/api-vc-manager';
|
|
12
12
|
export { VPManager } from './vp/vp-manager';
|
|
13
|
+
export { buildKbJwtPayload, KB_JWT_DEFAULT_LIFETIME_SECONDS, normalizeDomain, readVcExpSeconds, KbJwtPayload, BuildKbJwtPayloadArgs, BuildKbJwtPayloadDeps, } from './vp/kb-jwt-builder';
|
|
13
14
|
export { ToolManager, ToolDefinition } from './tool/tool-manager';
|
|
14
15
|
export { getDefaultDisclosureFields, DisclosureFields, } from './utils/sdjwt-disclosure';
|
|
15
16
|
export { ConstraintEvaluator, ConstraintEvaluatorOptions, defaultConstraintEvaluator, evaluateConstraints, } from './constraint/constraint-evaluator';
|
package/dist/index.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,eAAe,EAAE,SAAS,EAAE,MAAM,UAAU,CAAA;AAGrD,OAAO,EAAE,SAAS,EAAE,eAAe,EAAE,MAAM,UAAU,CAAA;AAGrD,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAA;AAC1C,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAA;AAC9C,OAAO,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAA;AAC3D,OAAO,EAAE,mBAAmB,EAAE,MAAM,kCAAkC,CAAA;AACtE,OAAO,EAAE,kBAAkB,EAAE,MAAM,kCAAkC,CAAA;AACrE,YAAY,EAAE,uBAAuB,EAAE,MAAM,kCAAkC,CAAA;AAC/E,OAAO,EACL,mBAAmB,EACnB,uBAAuB,EACvB,4BAA4B,EAC5B,uBAAuB,EACvB,sBAAsB,GACvB,MAAM,kCAAkC,CAAA;AACzC,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAA;AAC3C,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAA;AAClD,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAA;AAC3C,OAAO,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAA;AAEjE,OAAO,EACL,0BAA0B,EAC1B,gBAAgB,GACjB,MAAM,0BAA0B,CAAA;AAGjC,OAAO,EACL,mBAAmB,EACnB,0BAA0B,EAC1B,0BAA0B,EAC1B,mBAAmB,GACpB,MAAM,mCAAmC,CAAA;AAG1C,cAAc,WAAW,CAAA;AAGzB,YAAY,EAAE,WAAW,EAAE,MAAM,+BAA+B,CAAA;AAChE,OAAO,EAAE,cAAc,EAAE,MAAM,0BAA0B,CAAA;AAGzD,OAAO,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAA;AACtE,YAAY,EACV,YAAY,EACZ,iBAAiB,EACjB,gBAAgB,EAChB,gBAAgB,EAChB,sBAAsB,GACvB,MAAM,0BAA0B,CAAA;AAGjC,OAAO,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAA;AACnD,YAAY,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAA;AAErD,cAAc,YAAY,CAAA;AAG1B,OAAO,EAAE,qBAAqB,EAAE,2BAA2B,EAAE,sBAAsB,EAAE,MAAM,2BAA2B,CAAA;AACtH,YAAY,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAA;AAGnE,OAAO,EAAE,eAAe,EAAE,OAAO,EAAE,SAAS,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAA;AACnF,OAAO,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAA;AAGlD,OAAO,EACL,YAAY,EACZ,gBAAgB,EAChB,uBAAuB,EACvB,aAAa,EACb,eAAe,EACf,eAAe,GAChB,MAAM,iBAAiB,CAAA;AAGxB,OAAO,EAAE,cAAc,EAAE,iBAAiB,EAAE,MAAM,4BAA4B,CAAA;AAG9E,cAAc,SAAS,CAAA;AAGvB,OAAO,EAAE,aAAa,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAA;AAG7E,OAAO,EAAE,eAAe,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAA;AAKhF,cAAc,sBAAsB,CAAA;AAGpC,eAAO,MAAM,OAAO,UAAU,CAAA"}
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,eAAe,EAAE,SAAS,EAAE,MAAM,UAAU,CAAA;AAGrD,OAAO,EAAE,SAAS,EAAE,eAAe,EAAE,MAAM,UAAU,CAAA;AAGrD,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAA;AAC1C,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAA;AAC9C,OAAO,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAA;AAC3D,OAAO,EAAE,mBAAmB,EAAE,MAAM,kCAAkC,CAAA;AACtE,OAAO,EAAE,kBAAkB,EAAE,MAAM,kCAAkC,CAAA;AACrE,YAAY,EAAE,uBAAuB,EAAE,MAAM,kCAAkC,CAAA;AAC/E,OAAO,EACL,mBAAmB,EACnB,uBAAuB,EACvB,4BAA4B,EAC5B,uBAAuB,EACvB,sBAAsB,GACvB,MAAM,kCAAkC,CAAA;AACzC,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAA;AAC3C,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAA;AAClD,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAA;AAC3C,OAAO,EACL,iBAAiB,EACjB,+BAA+B,EAC/B,eAAe,EACf,gBAAgB,EAChB,YAAY,EACZ,qBAAqB,EACrB,qBAAqB,GACtB,MAAM,qBAAqB,CAAA;AAC5B,OAAO,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAA;AAEjE,OAAO,EACL,0BAA0B,EAC1B,gBAAgB,GACjB,MAAM,0BAA0B,CAAA;AAGjC,OAAO,EACL,mBAAmB,EACnB,0BAA0B,EAC1B,0BAA0B,EAC1B,mBAAmB,GACpB,MAAM,mCAAmC,CAAA;AAG1C,cAAc,WAAW,CAAA;AAGzB,YAAY,EAAE,WAAW,EAAE,MAAM,+BAA+B,CAAA;AAChE,OAAO,EAAE,cAAc,EAAE,MAAM,0BAA0B,CAAA;AAGzD,OAAO,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAA;AACtE,YAAY,EACV,YAAY,EACZ,iBAAiB,EACjB,gBAAgB,EAChB,gBAAgB,EAChB,sBAAsB,GACvB,MAAM,0BAA0B,CAAA;AAGjC,OAAO,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAA;AACnD,YAAY,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAA;AAErD,cAAc,YAAY,CAAA;AAG1B,OAAO,EAAE,qBAAqB,EAAE,2BAA2B,EAAE,sBAAsB,EAAE,MAAM,2BAA2B,CAAA;AACtH,YAAY,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAA;AAGnE,OAAO,EAAE,eAAe,EAAE,OAAO,EAAE,SAAS,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAA;AACnF,OAAO,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAA;AAGlD,OAAO,EACL,YAAY,EACZ,gBAAgB,EAChB,uBAAuB,EACvB,aAAa,EACb,eAAe,EACf,eAAe,GAChB,MAAM,iBAAiB,CAAA;AAGxB,OAAO,EAAE,cAAc,EAAE,iBAAiB,EAAE,MAAM,4BAA4B,CAAA;AAG9E,cAAc,SAAS,CAAA;AAGvB,OAAO,EAAE,aAAa,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAA;AAG7E,OAAO,EAAE,eAAe,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAA;AAKhF,cAAc,sBAAsB,CAAA;AAGpC,eAAO,MAAM,OAAO,UAAU,CAAA"}
|
package/dist/index.js
CHANGED
|
@@ -61,6 +61,7 @@ __export(index_exports, {
|
|
|
61
61
|
InvalidVPError: () => InvalidVPError,
|
|
62
62
|
InvitationStatus: () => InvitationStatus,
|
|
63
63
|
JsonStateStore: () => JsonStateStore,
|
|
64
|
+
KB_JWT_DEFAULT_LIFETIME_SECONDS: () => KB_JWT_DEFAULT_LIFETIME_SECONDS,
|
|
64
65
|
KeyManager: () => KeyManager,
|
|
65
66
|
LEGACY_RESOURCE_TYPE_MAP: () => LEGACY_RESOURCE_TYPE_MAP,
|
|
66
67
|
MIN_SIGNER_KEY_BYTES: () => MIN_SIGNER_KEY_BYTES,
|
|
@@ -93,6 +94,7 @@ __export(index_exports, {
|
|
|
93
94
|
WRITE_ACTION_NAMES: () => WRITE_ACTION_NAMES,
|
|
94
95
|
buildCanonicalString: () => buildCanonicalString,
|
|
95
96
|
buildGrantIdFields: () => buildGrantIdFields,
|
|
97
|
+
buildKbJwtPayload: () => buildKbJwtPayload,
|
|
96
98
|
canonicalizeAction: () => canonicalizeAction,
|
|
97
99
|
checkPermissionWithVP: () => checkPermissionWithVP,
|
|
98
100
|
configure: () => configure,
|
|
@@ -131,12 +133,14 @@ __export(index_exports, {
|
|
|
131
133
|
isWriteAction: () => isWriteAction,
|
|
132
134
|
loadActionRegistryFromFile: () => loadActionRegistryFromFile,
|
|
133
135
|
loadActionRegistryFromObject: () => loadActionRegistryFromObject,
|
|
136
|
+
normalizeDomain: () => normalizeDomain,
|
|
134
137
|
normalizeMcpActionName: () => normalizeMcpActionName,
|
|
135
138
|
parseGrantAction: () => parseGrantAction,
|
|
136
139
|
parseGrantResourceType: () => parseGrantResourceType,
|
|
137
140
|
parseSignatureHeader: () => parseSignatureHeader,
|
|
138
141
|
planDelegationForVC: () => planDelegationForVC,
|
|
139
142
|
publicKeysMatch: () => publicKeysMatch,
|
|
143
|
+
readVcExpSeconds: () => readVcExpSeconds,
|
|
140
144
|
resolveActionsFromSelection: () => resolveActionsFromSelection,
|
|
141
145
|
resolveProvider: () => resolveProvider,
|
|
142
146
|
resolveResourceType: () => resolveResourceType,
|
|
@@ -1661,6 +1665,56 @@ var VCManager = class {
|
|
|
1661
1665
|
|
|
1662
1666
|
// src/vp/vp-manager.ts
|
|
1663
1667
|
var import_crypto_nodejs2 = require("@sd-jwt/crypto-nodejs");
|
|
1668
|
+
|
|
1669
|
+
// src/vp/kb-jwt-builder.ts
|
|
1670
|
+
var KB_JWT_DEFAULT_LIFETIME_SECONDS = 300;
|
|
1671
|
+
function buildKbJwtPayload(args, deps = {}) {
|
|
1672
|
+
const now = deps.now ?? Date.now;
|
|
1673
|
+
const iatSeconds = Math.floor(now() / 1e3);
|
|
1674
|
+
const kbExpCap = iatSeconds + KB_JWT_DEFAULT_LIFETIME_SECONDS;
|
|
1675
|
+
const vcExp = readVcExpSeconds(args.vcCredential);
|
|
1676
|
+
const expSeconds = vcExp !== void 0 ? Math.min(kbExpCap, vcExp) : kbExpCap;
|
|
1677
|
+
if (expSeconds <= iatSeconds) {
|
|
1678
|
+
throw new Error(
|
|
1679
|
+
`VC has expired: cannot issue KB-JWT (vc.exp=${vcExp}, now=${iatSeconds})`
|
|
1680
|
+
);
|
|
1681
|
+
}
|
|
1682
|
+
return {
|
|
1683
|
+
iss: args.holderDid,
|
|
1684
|
+
aud: normalizeDomain(args.audience),
|
|
1685
|
+
nonce: args.nonce,
|
|
1686
|
+
iat: iatSeconds,
|
|
1687
|
+
exp: expSeconds
|
|
1688
|
+
};
|
|
1689
|
+
}
|
|
1690
|
+
function readVcExpSeconds(sdJwtVc) {
|
|
1691
|
+
try {
|
|
1692
|
+
const jwtPart = sdJwtVc.split("~")[0];
|
|
1693
|
+
const payloadB64 = jwtPart.split(".")[1];
|
|
1694
|
+
if (!payloadB64) return void 0;
|
|
1695
|
+
const payload = JSON.parse(Buffer.from(payloadB64, "base64url").toString());
|
|
1696
|
+
return typeof payload.exp === "number" ? payload.exp : void 0;
|
|
1697
|
+
} catch {
|
|
1698
|
+
return void 0;
|
|
1699
|
+
}
|
|
1700
|
+
}
|
|
1701
|
+
function normalizeDomain(domain) {
|
|
1702
|
+
if (!domain) return domain;
|
|
1703
|
+
let urlStr;
|
|
1704
|
+
if (/^https?:\/\//i.test(domain)) {
|
|
1705
|
+
urlStr = domain;
|
|
1706
|
+
} else {
|
|
1707
|
+
const scheme = /^localhost(:\d+)?$/i.test(domain) ? "http" : "https";
|
|
1708
|
+
urlStr = `${scheme}://${domain}`;
|
|
1709
|
+
}
|
|
1710
|
+
try {
|
|
1711
|
+
return new URL(urlStr).origin;
|
|
1712
|
+
} catch {
|
|
1713
|
+
return domain;
|
|
1714
|
+
}
|
|
1715
|
+
}
|
|
1716
|
+
|
|
1717
|
+
// src/vp/vp-manager.ts
|
|
1664
1718
|
var VPManager = class {
|
|
1665
1719
|
keyManager;
|
|
1666
1720
|
constructor(keyManager) {
|
|
@@ -1684,12 +1738,12 @@ var VPManager = class {
|
|
|
1684
1738
|
presentableKeys.forEach((key) => {
|
|
1685
1739
|
presentationFrame[key] = true;
|
|
1686
1740
|
});
|
|
1687
|
-
const kbJwtPayload = {
|
|
1688
|
-
|
|
1689
|
-
|
|
1741
|
+
const kbJwtPayload = buildKbJwtPayload({
|
|
1742
|
+
holderDid: options.holderDid,
|
|
1743
|
+
audience: options.domain,
|
|
1690
1744
|
nonce: options.challenge,
|
|
1691
|
-
|
|
1692
|
-
};
|
|
1745
|
+
vcCredential: sdJwtVC
|
|
1746
|
+
});
|
|
1693
1747
|
const presentation = await sdJwtInstance.present(sdJwtVC, presentationFrame, {
|
|
1694
1748
|
kb: { payload: kbJwtPayload }
|
|
1695
1749
|
});
|
|
@@ -6093,6 +6147,7 @@ var version = "0.0.1";
|
|
|
6093
6147
|
InvalidVPError,
|
|
6094
6148
|
InvitationStatus,
|
|
6095
6149
|
JsonStateStore,
|
|
6150
|
+
KB_JWT_DEFAULT_LIFETIME_SECONDS,
|
|
6096
6151
|
KeyManager,
|
|
6097
6152
|
LEGACY_RESOURCE_TYPE_MAP,
|
|
6098
6153
|
MIN_SIGNER_KEY_BYTES,
|
|
@@ -6125,6 +6180,7 @@ var version = "0.0.1";
|
|
|
6125
6180
|
WRITE_ACTION_NAMES,
|
|
6126
6181
|
buildCanonicalString,
|
|
6127
6182
|
buildGrantIdFields,
|
|
6183
|
+
buildKbJwtPayload,
|
|
6128
6184
|
canonicalizeAction,
|
|
6129
6185
|
checkPermissionWithVP,
|
|
6130
6186
|
configure,
|
|
@@ -6163,12 +6219,14 @@ var version = "0.0.1";
|
|
|
6163
6219
|
isWriteAction,
|
|
6164
6220
|
loadActionRegistryFromFile,
|
|
6165
6221
|
loadActionRegistryFromObject,
|
|
6222
|
+
normalizeDomain,
|
|
6166
6223
|
normalizeMcpActionName,
|
|
6167
6224
|
parseGrantAction,
|
|
6168
6225
|
parseGrantResourceType,
|
|
6169
6226
|
parseSignatureHeader,
|
|
6170
6227
|
planDelegationForVC,
|
|
6171
6228
|
publicKeysMatch,
|
|
6229
|
+
readVcExpSeconds,
|
|
6172
6230
|
resolveActionsFromSelection,
|
|
6173
6231
|
resolveProvider,
|
|
6174
6232
|
resolveResourceType,
|