@vess-id/ai-identity 0.5.0-alpha.15 → 0.5.0-alpha.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/dist/index.d.mts CHANGED
@@ -3491,6 +3491,87 @@ declare class APIVCManager {
3491
3491
  issueAdminCredential(agentDid: string, scope: 'project' | 'global', projectId: string | undefined, issuerDid: string, expirationHours?: number): Promise<IssueSDJWTVCResult>;
3492
3492
  }
3493
3493
 
3494
+ /**
3495
+ * Single source of truth for Key Binding JWT (KB-JWT) issuance shared across
3496
+ * the AIdentity stack. Three production code paths build KB-JWTs and they
3497
+ * MUST stay byte-for-byte equivalent so a presentation built on one side is
3498
+ * accepted by the verifier on the other:
3499
+ *
3500
+ * - SDK clients via `VPManager.create()` (this package)
3501
+ * - API service via `packages/api/src/vp/vp-creation.service.ts`
3502
+ * - Remote MCP via `packages/remote-mcp/src/services/vp-creation.service.ts`
3503
+ *
3504
+ * Historically each path had its own copy of this logic, and PR #391 (the
3505
+ * commit that made `exp` REQUIRED on the verifier side) updated only two of
3506
+ * the three. The SDK was missed and every SDK-built VP started failing at
3507
+ * verification time. This module exists so that a future verifier change
3508
+ * cannot drift from the issuer side: any update lands in one place and all
3509
+ * three paths inherit it.
3510
+ */
3511
+ /**
3512
+ * Default KB-JWT lifetime in seconds. Mirrors the cap enforced by the API's
3513
+ * `KeyBindingVerifierService.MAX_KB_JWT_LIFETIME_SECONDS` (also 300).
3514
+ *
3515
+ * The KB-JWT `exp` is the smaller of:
3516
+ * - `iat + KB_JWT_DEFAULT_LIFETIME_SECONDS`
3517
+ * - the parent VC's `exp` (so the bearer's freshness window cannot outlive
3518
+ * the underlying credential's validity, which is itself bounded by
3519
+ * `grant.expiresAt` at issuance time).
3520
+ */
3521
+ declare const KB_JWT_DEFAULT_LIFETIME_SECONDS = 300;
3522
+ interface KbJwtPayload {
3523
+ iss: string;
3524
+ aud: string;
3525
+ nonce: string;
3526
+ iat: number;
3527
+ exp: number;
3528
+ }
3529
+ interface BuildKbJwtPayloadArgs {
3530
+ /** Holder DID — becomes the KB-JWT `iss` claim. */
3531
+ holderDid: string;
3532
+ /** Verifier audience (URL or hostname). Will be normalized via {@link normalizeDomain}. */
3533
+ audience: string;
3534
+ /** Verifier-supplied nonce / challenge. */
3535
+ nonce: string;
3536
+ /** The parent SD-JWT VC string. Its `exp` (if any) caps the KB-JWT lifetime. */
3537
+ vcCredential: string;
3538
+ }
3539
+ interface BuildKbJwtPayloadDeps {
3540
+ /** Returns the current time in milliseconds. Defaults to `Date.now`. */
3541
+ now?: () => number;
3542
+ }
3543
+ /**
3544
+ * Build a Key Binding JWT payload for an SD-JWT VC presentation.
3545
+ *
3546
+ * Throws when the parent VC is already expired (`vc.exp <= now`). The error
3547
+ * message intentionally contains the substring `"VC has expired"` so that
3548
+ * downstream catchers (notably remote-mcp's `isCredentialInvalidError`) can
3549
+ * detect a stale-credential condition and trigger a re-approval flow rather
3550
+ * than surface an opaque issuance failure to the user.
3551
+ */
3552
+ declare function buildKbJwtPayload(args: BuildKbJwtPayloadArgs, deps?: BuildKbJwtPayloadDeps): KbJwtPayload;
3553
+ /**
3554
+ * Best-effort read of the VC's `exp` claim from the SD-JWT outer payload.
3555
+ * Returns undefined when the VC is malformed, missing exp, or the field is
3556
+ * not a number — callers fall back to {@link KB_JWT_DEFAULT_LIFETIME_SECONDS}
3557
+ * in that case so issuance does not break for VCs without an explicit expiry.
3558
+ */
3559
+ declare function readVcExpSeconds(sdJwtVc: string): number | undefined;
3560
+ /**
3561
+ * Normalize a domain string for consistent use as a JWT `aud` claim.
3562
+ *
3563
+ * The API verifier compares the KB-JWT `aud` against the expected domain by
3564
+ * exact string match, so issuer and verifier must agree on the canonical
3565
+ * form. We delegate to the URL parser, which strips paths and lowercases
3566
+ * the host, then return the resulting `origin`.
3567
+ *
3568
+ * Inputs without a scheme are assumed to be hostnames; `localhost` (with or
3569
+ * without a port) defaults to `http://`, everything else to `https://`. If
3570
+ * URL parsing fails, the input is returned unchanged so a caller can still
3571
+ * detect the mismatch downstream rather than silently swallowing a typo.
3572
+ */
3573
+ declare function normalizeDomain(domain: string): string;
3574
+
3494
3575
  interface DisclosureFields {
3495
3576
  selectiveFields: string[];
3496
3577
  mandatoryFields: string[];
@@ -8674,4 +8755,4 @@ declare function signRequest(key: InternalHmacSignerKey, args: SignRequestArgs):
8674
8755
 
8675
8756
  declare const version = "0.0.1";
8676
8757
 
8677
- export { type ABACPolicyEngine, ACTION_PARAMS_MAX_SIZE, ACTION_PREFIXES, ACTION_REGISTRY, AIdentityClient, type AIdentityConfig, AIdentityError, type APIAgent, type APICredential, APIVCManager, type AbacDecision, type AbacInput, type AcceptInvitationRequest, type AckEventResponse, type ActionInputSchema, type ActionMapping, type ActionMeta, type ActionParamDisplay, type ActionRegistry, type ActionRiskLevel, type Agent, type AgentCreateOptions, type AgentDIDConfig, AgentDIDManager, AgentManager, AgentStatus, AgentType, type AgentWithId, AllowAllAbac, type AnyProvider, type ApiKeyValidationResult, type AuditEvent, type AuditQuery, AuthProvider, type AuthState, AuthenticationError, type AutoApproveConfig, type BindingSource, CANONICAL_PROVIDERS, type CanonicalProvider, type CapabilityMeta, type CheckGrantPermissionRequest, type CheckGrantPermissionResult, type CheckPermissionInput, type CheckPermissionResult, type CollectContextRequest, type ConfirmGrantSuggestionRequest, type ConnectorAction, type ConnectorConfig, type ConnectorExecutionContext, type ConnectorResponse, type ConnectorResponseMetadata, type ConnectorTokenConfig, type ConstraintEvaluationResult, ConstraintEvaluator, type ConstraintEvaluatorOptions, type ConstraintViolation, type ConstraintWarning, type ContextBindingSource, type ContextProvider, type CreateGrantRequest, type CreateInvitationRequest, type CreateReceiptRequest, type CredentialRef, CredentialStatus, type CredentialStore, CredentialType, DEFAULT_CONSTRAINTS_BY_RISK, type DIDDocument, type DataAccessVC, type DecisionTrace, type DelegationVC, DeviceEnrollManager, type DeviceEnrollPollResult, type DeviceEnrollServerSideParams, type DeviceEnrollStartParams, type DeviceEnrollStartResult, type DisclosureFields, DummyCreds, DummyVpVerifier, type EmployeeVPRequest, type EvaluationContext, type ExternalActionRequest, FilesystemKeyStorage, GATEWAY_ERROR_CODE, GatewayClient, GatewayError, type GatewayErrorCode, type GatewayEvent, type GetEventsOptions, type GetEventsResponse, type GitHubConfig, type GoogleConfig, type Grant, type GrantConstraints, type GrantResource, GrantResourceType, GrantScope, GrantStatus, type GrantUsage, type IConnectorService, type IStateStore, type Intent, type IntentEvaluationResult, type IntentObligation, type IntentResource, type InternalHmacSignerKey, InvalidVPError, type Invitation, type InvitationRole, InvitationStatus, type IssueSDJWTVCRequest, type IssueSDJWTVCResult, type JiraBoard, type JiraConfig, type JiraIssue, type JiraIssueType, type JiraProject, type JiraSprint, type JiraStatus, type JiraUser, type JiraWorklog, type JsonSchema, JsonStateStore, KeyManager, type KeyPairGenerationResult, type KeyStorageConfig, type KeyStorageProvider, LEGACY_RESOURCE_TYPE_MAP, MIN_SIGNER_KEY_BYTES, MemoryKeyStorage, NetworkError, type NormalizeIntentRequest, type NormalizedIntent, type OAuthAuthorizeRequest, type OAuthCallbackParams, type OAuthConnection, OAuthProvider, type OAuthToken, type OrganizationConfig, type OrganizationPermission, type OrganizationPolicy, type OrganizationVC, PROVIDER_ALIASES, type ParamBindingSource, type ParsedResourceType, type ParsedSignature, type PermissionConstraints, type PermissionMode, type PermissionResource, type PermissionRule, type PermissionTimeConstraint, type PermissionVcClaims, type PlanDelegationInput, type PlanDelegationResult, type PolicyCondition, type PolicyEvaluationResult, type PolicyInput, type PolicyRule, type PolicyTarget, type Provider, REAUTH_REQUIRED_ACTION, RESOURCE_TYPES, type ReBACChecker, type Receipt, type ReceiptListResult, type ReceiptOutcome, type ReceiptSearchQuery, ReceiptStatus, type Relation, type ResolvedTargets, type ResourceIdBinding, type ResourceRef, type ResourceScope, type ResourceType, type RiskAssessmentResult, type RiskFactor, type RiskLevel, SDJwtClient, SIGNATURE_HEADER, SIGNATURE_VERSION_PREFIX, ScopeUnmatchedError, type SecondaryBinding, type SignRequestArgs, SimpleRebac, type SlackConfig, StandardActionCategory, type SuggestGrantRequest, type SuggestedAction, type SuggestedConstraints, type SuggestedGrant, type SuggestedResource, type SuggestionRiskLevel, TIER_LIMITS, type TargetBindings, type TargetConstraint, TargetResolver, type TierLimits, type TimeWindowCheckResult, type TimeWindowConstraint, type ToolDefinition, type ToolInvocation, ToolManager, type ToolPermissionRequest, type ToolPermissionVC, type UnifiedResourceType, type UpdateGrantRequest, type UserIdentity, type UserIdentityConfig, type UserIdentityCreateOptions, UserIdentityManager, UserKeyPairManager, type UserTier, VALID_MCP_ACTIONS, VALID_MCP_TOOLS, VCExpiredError, VCManager, VCRevokedError, VCStatus, type VCTemplate, VCType, VPManager, type VPRequest, type VerifiablePresentation, type VerificationMethod, type VerifiedVcClaims, type VerifyInvitationResponse, type VerifyReceiptRequest, type VerifyReceiptResult, type VerifySDJWTVCResult, type VpVerifier, WRITE_ACTION_NAMES, type WeeklyReportData, type WeeklyReportSummary, buildCanonicalString, buildGrantIdFields, canonicalizeAction, checkPermissionWithVP, configure, createAjv, createDidJwk, credentialStatusToVCStatus, defaultConstraintEvaluator, evaluateConstraints, extractProjectKey, extractPublicKey, extractPublicKeyFromDid, formatSignatureHeader, generateActionParamsDisplay, generateActionSummary, generateKeyPair, generateNonce, getActionAliases, getAllActionForms, getAllValidMcpActionNames, getClient, getDefaultDisclosureFields, getKeyIdFromDid, getRequiredRelations, getRequiredScopes, getTierLimits, getValidMcpActionNames, grantConstraintsToPermissionConstraints, grantToPermissionRules, indexActions, indexCapabilities, isActionEquivalent, isCanonicalProvider, isUnlimited, isValidDidJwk, isValidProvider, isWriteAction, loadActionRegistryFromFile, loadActionRegistryFromObject, normalizeMcpActionName, parseGrantAction, parseGrantResourceType, parseSignatureHeader, planDelegationForVC, publicKeysMatch, resolveActionsFromSelection, resolveProvider, resolveResourceType, resolveUserTier, sha256Hex, signJWT, signRequest, validateRegistryObject, vcStatusToCredentialStatus, verifyJWT, version };
8758
+ export { type ABACPolicyEngine, ACTION_PARAMS_MAX_SIZE, ACTION_PREFIXES, ACTION_REGISTRY, AIdentityClient, type AIdentityConfig, AIdentityError, type APIAgent, type APICredential, APIVCManager, type AbacDecision, type AbacInput, type AcceptInvitationRequest, type AckEventResponse, type ActionInputSchema, type ActionMapping, type ActionMeta, type ActionParamDisplay, type ActionRegistry, type ActionRiskLevel, type Agent, type AgentCreateOptions, type AgentDIDConfig, AgentDIDManager, AgentManager, AgentStatus, AgentType, type AgentWithId, AllowAllAbac, type AnyProvider, type ApiKeyValidationResult, type AuditEvent, type AuditQuery, AuthProvider, type AuthState, AuthenticationError, type AutoApproveConfig, type BindingSource, type BuildKbJwtPayloadArgs, type BuildKbJwtPayloadDeps, CANONICAL_PROVIDERS, type CanonicalProvider, type CapabilityMeta, type CheckGrantPermissionRequest, type CheckGrantPermissionResult, type CheckPermissionInput, type CheckPermissionResult, type CollectContextRequest, type ConfirmGrantSuggestionRequest, type ConnectorAction, type ConnectorConfig, type ConnectorExecutionContext, type ConnectorResponse, type ConnectorResponseMetadata, type ConnectorTokenConfig, type ConstraintEvaluationResult, ConstraintEvaluator, type ConstraintEvaluatorOptions, type ConstraintViolation, type ConstraintWarning, type ContextBindingSource, type ContextProvider, type CreateGrantRequest, type CreateInvitationRequest, type CreateReceiptRequest, type CredentialRef, CredentialStatus, type CredentialStore, CredentialType, DEFAULT_CONSTRAINTS_BY_RISK, type DIDDocument, type DataAccessVC, type DecisionTrace, type DelegationVC, DeviceEnrollManager, type DeviceEnrollPollResult, type DeviceEnrollServerSideParams, type DeviceEnrollStartParams, type DeviceEnrollStartResult, type DisclosureFields, DummyCreds, DummyVpVerifier, type EmployeeVPRequest, type EvaluationContext, type ExternalActionRequest, FilesystemKeyStorage, GATEWAY_ERROR_CODE, GatewayClient, GatewayError, type GatewayErrorCode, type GatewayEvent, type GetEventsOptions, type GetEventsResponse, type GitHubConfig, type GoogleConfig, type Grant, type GrantConstraints, type GrantResource, GrantResourceType, GrantScope, GrantStatus, type GrantUsage, type IConnectorService, type IStateStore, type Intent, type IntentEvaluationResult, type IntentObligation, type IntentResource, type InternalHmacSignerKey, InvalidVPError, type Invitation, type InvitationRole, InvitationStatus, type IssueSDJWTVCRequest, type IssueSDJWTVCResult, type JiraBoard, type JiraConfig, type JiraIssue, type JiraIssueType, type JiraProject, type JiraSprint, type JiraStatus, type JiraUser, type JiraWorklog, type JsonSchema, JsonStateStore, KB_JWT_DEFAULT_LIFETIME_SECONDS, type KbJwtPayload, KeyManager, type KeyPairGenerationResult, type KeyStorageConfig, type KeyStorageProvider, LEGACY_RESOURCE_TYPE_MAP, MIN_SIGNER_KEY_BYTES, MemoryKeyStorage, NetworkError, type NormalizeIntentRequest, type NormalizedIntent, type OAuthAuthorizeRequest, type OAuthCallbackParams, type OAuthConnection, OAuthProvider, type OAuthToken, type OrganizationConfig, type OrganizationPermission, type OrganizationPolicy, type OrganizationVC, PROVIDER_ALIASES, type ParamBindingSource, type ParsedResourceType, type ParsedSignature, type PermissionConstraints, type PermissionMode, type PermissionResource, type PermissionRule, type PermissionTimeConstraint, type PermissionVcClaims, type PlanDelegationInput, type PlanDelegationResult, type PolicyCondition, type PolicyEvaluationResult, type PolicyInput, type PolicyRule, type PolicyTarget, type Provider, REAUTH_REQUIRED_ACTION, RESOURCE_TYPES, type ReBACChecker, type Receipt, type ReceiptListResult, type ReceiptOutcome, type ReceiptSearchQuery, ReceiptStatus, type Relation, type ResolvedTargets, type ResourceIdBinding, type ResourceRef, type ResourceScope, type ResourceType, type RiskAssessmentResult, type RiskFactor, type RiskLevel, SDJwtClient, SIGNATURE_HEADER, SIGNATURE_VERSION_PREFIX, ScopeUnmatchedError, type SecondaryBinding, type SignRequestArgs, SimpleRebac, type SlackConfig, StandardActionCategory, type SuggestGrantRequest, type SuggestedAction, type SuggestedConstraints, type SuggestedGrant, type SuggestedResource, type SuggestionRiskLevel, TIER_LIMITS, type TargetBindings, type TargetConstraint, TargetResolver, type TierLimits, type TimeWindowCheckResult, type TimeWindowConstraint, type ToolDefinition, type ToolInvocation, ToolManager, type ToolPermissionRequest, type ToolPermissionVC, type UnifiedResourceType, type UpdateGrantRequest, type UserIdentity, type UserIdentityConfig, type UserIdentityCreateOptions, UserIdentityManager, UserKeyPairManager, type UserTier, VALID_MCP_ACTIONS, VALID_MCP_TOOLS, VCExpiredError, VCManager, VCRevokedError, VCStatus, type VCTemplate, VCType, VPManager, type VPRequest, type VerifiablePresentation, type VerificationMethod, type VerifiedVcClaims, type VerifyInvitationResponse, type VerifyReceiptRequest, type VerifyReceiptResult, type VerifySDJWTVCResult, type VpVerifier, WRITE_ACTION_NAMES, type WeeklyReportData, type WeeklyReportSummary, buildCanonicalString, buildGrantIdFields, buildKbJwtPayload, canonicalizeAction, checkPermissionWithVP, configure, createAjv, createDidJwk, credentialStatusToVCStatus, defaultConstraintEvaluator, evaluateConstraints, extractProjectKey, extractPublicKey, extractPublicKeyFromDid, formatSignatureHeader, generateActionParamsDisplay, generateActionSummary, generateKeyPair, generateNonce, getActionAliases, getAllActionForms, getAllValidMcpActionNames, getClient, getDefaultDisclosureFields, getKeyIdFromDid, getRequiredRelations, getRequiredScopes, getTierLimits, getValidMcpActionNames, grantConstraintsToPermissionConstraints, grantToPermissionRules, indexActions, indexCapabilities, isActionEquivalent, isCanonicalProvider, isUnlimited, isValidDidJwk, isValidProvider, isWriteAction, loadActionRegistryFromFile, loadActionRegistryFromObject, normalizeDomain, normalizeMcpActionName, parseGrantAction, parseGrantResourceType, parseSignatureHeader, planDelegationForVC, publicKeysMatch, readVcExpSeconds, resolveActionsFromSelection, resolveProvider, resolveResourceType, resolveUserTier, sha256Hex, signJWT, signRequest, validateRegistryObject, vcStatusToCredentialStatus, verifyJWT, version };
package/dist/index.d.ts CHANGED
@@ -10,6 +10,7 @@ export { DeviceEnrollManager, DeviceEnrollStartParams, DeviceEnrollServerSidePar
10
10
  export { VCManager } from './vc/vc-manager';
11
11
  export { APIVCManager } from './vc/api-vc-manager';
12
12
  export { VPManager } from './vp/vp-manager';
13
+ export { buildKbJwtPayload, KB_JWT_DEFAULT_LIFETIME_SECONDS, normalizeDomain, readVcExpSeconds, KbJwtPayload, BuildKbJwtPayloadArgs, BuildKbJwtPayloadDeps, } from './vp/kb-jwt-builder';
13
14
  export { ToolManager, ToolDefinition } from './tool/tool-manager';
14
15
  export { getDefaultDisclosureFields, DisclosureFields, } from './utils/sdjwt-disclosure';
15
16
  export { ConstraintEvaluator, ConstraintEvaluatorOptions, defaultConstraintEvaluator, evaluateConstraints, } from './constraint/constraint-evaluator';
@@ -1 +1 @@
1
- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,eAAe,EAAE,SAAS,EAAE,MAAM,UAAU,CAAA;AAGrD,OAAO,EAAE,SAAS,EAAE,eAAe,EAAE,MAAM,UAAU,CAAA;AAGrD,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAA;AAC1C,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAA;AAC9C,OAAO,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAA;AAC3D,OAAO,EAAE,mBAAmB,EAAE,MAAM,kCAAkC,CAAA;AACtE,OAAO,EAAE,kBAAkB,EAAE,MAAM,kCAAkC,CAAA;AACrE,YAAY,EAAE,uBAAuB,EAAE,MAAM,kCAAkC,CAAA;AAC/E,OAAO,EACL,mBAAmB,EACnB,uBAAuB,EACvB,4BAA4B,EAC5B,uBAAuB,EACvB,sBAAsB,GACvB,MAAM,kCAAkC,CAAA;AACzC,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAA;AAC3C,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAA;AAClD,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAA;AAC3C,OAAO,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAA;AAEjE,OAAO,EACL,0BAA0B,EAC1B,gBAAgB,GACjB,MAAM,0BAA0B,CAAA;AAGjC,OAAO,EACL,mBAAmB,EACnB,0BAA0B,EAC1B,0BAA0B,EAC1B,mBAAmB,GACpB,MAAM,mCAAmC,CAAA;AAG1C,cAAc,WAAW,CAAA;AAGzB,YAAY,EAAE,WAAW,EAAE,MAAM,+BAA+B,CAAA;AAChE,OAAO,EAAE,cAAc,EAAE,MAAM,0BAA0B,CAAA;AAGzD,OAAO,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAA;AACtE,YAAY,EACV,YAAY,EACZ,iBAAiB,EACjB,gBAAgB,EAChB,gBAAgB,EAChB,sBAAsB,GACvB,MAAM,0BAA0B,CAAA;AAGjC,OAAO,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAA;AACnD,YAAY,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAA;AAErD,cAAc,YAAY,CAAA;AAG1B,OAAO,EAAE,qBAAqB,EAAE,2BAA2B,EAAE,sBAAsB,EAAE,MAAM,2BAA2B,CAAA;AACtH,YAAY,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAA;AAGnE,OAAO,EAAE,eAAe,EAAE,OAAO,EAAE,SAAS,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAA;AACnF,OAAO,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAA;AAGlD,OAAO,EACL,YAAY,EACZ,gBAAgB,EAChB,uBAAuB,EACvB,aAAa,EACb,eAAe,EACf,eAAe,GAChB,MAAM,iBAAiB,CAAA;AAGxB,OAAO,EAAE,cAAc,EAAE,iBAAiB,EAAE,MAAM,4BAA4B,CAAA;AAG9E,cAAc,SAAS,CAAA;AAGvB,OAAO,EAAE,aAAa,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAA;AAG7E,OAAO,EAAE,eAAe,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAA;AAKhF,cAAc,sBAAsB,CAAA;AAGpC,eAAO,MAAM,OAAO,UAAU,CAAA"}
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,eAAe,EAAE,SAAS,EAAE,MAAM,UAAU,CAAA;AAGrD,OAAO,EAAE,SAAS,EAAE,eAAe,EAAE,MAAM,UAAU,CAAA;AAGrD,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAA;AAC1C,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAA;AAC9C,OAAO,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAA;AAC3D,OAAO,EAAE,mBAAmB,EAAE,MAAM,kCAAkC,CAAA;AACtE,OAAO,EAAE,kBAAkB,EAAE,MAAM,kCAAkC,CAAA;AACrE,YAAY,EAAE,uBAAuB,EAAE,MAAM,kCAAkC,CAAA;AAC/E,OAAO,EACL,mBAAmB,EACnB,uBAAuB,EACvB,4BAA4B,EAC5B,uBAAuB,EACvB,sBAAsB,GACvB,MAAM,kCAAkC,CAAA;AACzC,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAA;AAC3C,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAA;AAClD,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAA;AAC3C,OAAO,EACL,iBAAiB,EACjB,+BAA+B,EAC/B,eAAe,EACf,gBAAgB,EAChB,YAAY,EACZ,qBAAqB,EACrB,qBAAqB,GACtB,MAAM,qBAAqB,CAAA;AAC5B,OAAO,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAA;AAEjE,OAAO,EACL,0BAA0B,EAC1B,gBAAgB,GACjB,MAAM,0BAA0B,CAAA;AAGjC,OAAO,EACL,mBAAmB,EACnB,0BAA0B,EAC1B,0BAA0B,EAC1B,mBAAmB,GACpB,MAAM,mCAAmC,CAAA;AAG1C,cAAc,WAAW,CAAA;AAGzB,YAAY,EAAE,WAAW,EAAE,MAAM,+BAA+B,CAAA;AAChE,OAAO,EAAE,cAAc,EAAE,MAAM,0BAA0B,CAAA;AAGzD,OAAO,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAA;AACtE,YAAY,EACV,YAAY,EACZ,iBAAiB,EACjB,gBAAgB,EAChB,gBAAgB,EAChB,sBAAsB,GACvB,MAAM,0BAA0B,CAAA;AAGjC,OAAO,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAA;AACnD,YAAY,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAA;AAErD,cAAc,YAAY,CAAA;AAG1B,OAAO,EAAE,qBAAqB,EAAE,2BAA2B,EAAE,sBAAsB,EAAE,MAAM,2BAA2B,CAAA;AACtH,YAAY,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAA;AAGnE,OAAO,EAAE,eAAe,EAAE,OAAO,EAAE,SAAS,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAA;AACnF,OAAO,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAA;AAGlD,OAAO,EACL,YAAY,EACZ,gBAAgB,EAChB,uBAAuB,EACvB,aAAa,EACb,eAAe,EACf,eAAe,GAChB,MAAM,iBAAiB,CAAA;AAGxB,OAAO,EAAE,cAAc,EAAE,iBAAiB,EAAE,MAAM,4BAA4B,CAAA;AAG9E,cAAc,SAAS,CAAA;AAGvB,OAAO,EAAE,aAAa,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAA;AAG7E,OAAO,EAAE,eAAe,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAA;AAKhF,cAAc,sBAAsB,CAAA;AAGpC,eAAO,MAAM,OAAO,UAAU,CAAA"}
package/dist/index.js CHANGED
@@ -61,6 +61,7 @@ __export(index_exports, {
61
61
  InvalidVPError: () => InvalidVPError,
62
62
  InvitationStatus: () => InvitationStatus,
63
63
  JsonStateStore: () => JsonStateStore,
64
+ KB_JWT_DEFAULT_LIFETIME_SECONDS: () => KB_JWT_DEFAULT_LIFETIME_SECONDS,
64
65
  KeyManager: () => KeyManager,
65
66
  LEGACY_RESOURCE_TYPE_MAP: () => LEGACY_RESOURCE_TYPE_MAP,
66
67
  MIN_SIGNER_KEY_BYTES: () => MIN_SIGNER_KEY_BYTES,
@@ -93,6 +94,7 @@ __export(index_exports, {
93
94
  WRITE_ACTION_NAMES: () => WRITE_ACTION_NAMES,
94
95
  buildCanonicalString: () => buildCanonicalString,
95
96
  buildGrantIdFields: () => buildGrantIdFields,
97
+ buildKbJwtPayload: () => buildKbJwtPayload,
96
98
  canonicalizeAction: () => canonicalizeAction,
97
99
  checkPermissionWithVP: () => checkPermissionWithVP,
98
100
  configure: () => configure,
@@ -131,12 +133,14 @@ __export(index_exports, {
131
133
  isWriteAction: () => isWriteAction,
132
134
  loadActionRegistryFromFile: () => loadActionRegistryFromFile,
133
135
  loadActionRegistryFromObject: () => loadActionRegistryFromObject,
136
+ normalizeDomain: () => normalizeDomain,
134
137
  normalizeMcpActionName: () => normalizeMcpActionName,
135
138
  parseGrantAction: () => parseGrantAction,
136
139
  parseGrantResourceType: () => parseGrantResourceType,
137
140
  parseSignatureHeader: () => parseSignatureHeader,
138
141
  planDelegationForVC: () => planDelegationForVC,
139
142
  publicKeysMatch: () => publicKeysMatch,
143
+ readVcExpSeconds: () => readVcExpSeconds,
140
144
  resolveActionsFromSelection: () => resolveActionsFromSelection,
141
145
  resolveProvider: () => resolveProvider,
142
146
  resolveResourceType: () => resolveResourceType,
@@ -1661,6 +1665,56 @@ var VCManager = class {
1661
1665
 
1662
1666
  // src/vp/vp-manager.ts
1663
1667
  var import_crypto_nodejs2 = require("@sd-jwt/crypto-nodejs");
1668
+
1669
+ // src/vp/kb-jwt-builder.ts
1670
+ var KB_JWT_DEFAULT_LIFETIME_SECONDS = 300;
1671
+ function buildKbJwtPayload(args, deps = {}) {
1672
+ const now = deps.now ?? Date.now;
1673
+ const iatSeconds = Math.floor(now() / 1e3);
1674
+ const kbExpCap = iatSeconds + KB_JWT_DEFAULT_LIFETIME_SECONDS;
1675
+ const vcExp = readVcExpSeconds(args.vcCredential);
1676
+ const expSeconds = vcExp !== void 0 ? Math.min(kbExpCap, vcExp) : kbExpCap;
1677
+ if (expSeconds <= iatSeconds) {
1678
+ throw new Error(
1679
+ `VC has expired: cannot issue KB-JWT (vc.exp=${vcExp}, now=${iatSeconds})`
1680
+ );
1681
+ }
1682
+ return {
1683
+ iss: args.holderDid,
1684
+ aud: normalizeDomain(args.audience),
1685
+ nonce: args.nonce,
1686
+ iat: iatSeconds,
1687
+ exp: expSeconds
1688
+ };
1689
+ }
1690
+ function readVcExpSeconds(sdJwtVc) {
1691
+ try {
1692
+ const jwtPart = sdJwtVc.split("~")[0];
1693
+ const payloadB64 = jwtPart.split(".")[1];
1694
+ if (!payloadB64) return void 0;
1695
+ const payload = JSON.parse(Buffer.from(payloadB64, "base64url").toString());
1696
+ return typeof payload.exp === "number" ? payload.exp : void 0;
1697
+ } catch {
1698
+ return void 0;
1699
+ }
1700
+ }
1701
+ function normalizeDomain(domain) {
1702
+ if (!domain) return domain;
1703
+ let urlStr;
1704
+ if (/^https?:\/\//i.test(domain)) {
1705
+ urlStr = domain;
1706
+ } else {
1707
+ const scheme = /^localhost(:\d+)?$/i.test(domain) ? "http" : "https";
1708
+ urlStr = `${scheme}://${domain}`;
1709
+ }
1710
+ try {
1711
+ return new URL(urlStr).origin;
1712
+ } catch {
1713
+ return domain;
1714
+ }
1715
+ }
1716
+
1717
+ // src/vp/vp-manager.ts
1664
1718
  var VPManager = class {
1665
1719
  keyManager;
1666
1720
  constructor(keyManager) {
@@ -1684,12 +1738,12 @@ var VPManager = class {
1684
1738
  presentableKeys.forEach((key) => {
1685
1739
  presentationFrame[key] = true;
1686
1740
  });
1687
- const kbJwtPayload = {
1688
- iss: options.holderDid,
1689
- aud: options.domain,
1741
+ const kbJwtPayload = buildKbJwtPayload({
1742
+ holderDid: options.holderDid,
1743
+ audience: options.domain,
1690
1744
  nonce: options.challenge,
1691
- iat: Math.floor(Date.now() / 1e3)
1692
- };
1745
+ vcCredential: sdJwtVC
1746
+ });
1693
1747
  const presentation = await sdJwtInstance.present(sdJwtVC, presentationFrame, {
1694
1748
  kb: { payload: kbJwtPayload }
1695
1749
  });
@@ -6093,6 +6147,7 @@ var version = "0.0.1";
6093
6147
  InvalidVPError,
6094
6148
  InvitationStatus,
6095
6149
  JsonStateStore,
6150
+ KB_JWT_DEFAULT_LIFETIME_SECONDS,
6096
6151
  KeyManager,
6097
6152
  LEGACY_RESOURCE_TYPE_MAP,
6098
6153
  MIN_SIGNER_KEY_BYTES,
@@ -6125,6 +6180,7 @@ var version = "0.0.1";
6125
6180
  WRITE_ACTION_NAMES,
6126
6181
  buildCanonicalString,
6127
6182
  buildGrantIdFields,
6183
+ buildKbJwtPayload,
6128
6184
  canonicalizeAction,
6129
6185
  checkPermissionWithVP,
6130
6186
  configure,
@@ -6163,12 +6219,14 @@ var version = "0.0.1";
6163
6219
  isWriteAction,
6164
6220
  loadActionRegistryFromFile,
6165
6221
  loadActionRegistryFromObject,
6222
+ normalizeDomain,
6166
6223
  normalizeMcpActionName,
6167
6224
  parseGrantAction,
6168
6225
  parseGrantResourceType,
6169
6226
  parseSignatureHeader,
6170
6227
  planDelegationForVC,
6171
6228
  publicKeysMatch,
6229
+ readVcExpSeconds,
6172
6230
  resolveActionsFromSelection,
6173
6231
  resolveProvider,
6174
6232
  resolveResourceType,