@vess-id/vess 0.2.0-alpha.1

package/dist/wallet/wallet.js

@@ -0,0 +1,170 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Wallet = void 0;
+exports.validateResources = validateResources;
+const crypto_1 = require("crypto");
+/**
+ * Validate and sanitize resources from gateway response at runtime.
+ * Strips unknown fields to prevent prototype pollution or type confusion.
+ */
+function validateResources(raw) {
+    if (raw == null)
+        return undefined;
+    if (!Array.isArray(raw))
+        return undefined;
+    return raw
+        .filter((r) => r != null && typeof r === 'object')
+        .map(r => {
+        const validated = {
+            provider: typeof r.provider === 'string' ? r.provider : '',
+            type: typeof r.type === 'string' ? r.type : '',
+        };
+        if (typeof r.id === 'string')
+            validated.id = r.id;
+        if (typeof r.pattern === 'string')
+            validated.pattern = r.pattern;
+        return validated;
+    })
+        .filter(r => r.provider !== '' && r.type !== '');
+}
+class Wallet {
+    db;
+    constructor(db) {
+        this.db = db;
+    }
+    storeCredential(entry) {
+        const id = entry.id || (0, crypto_1.randomUUID)();
+        const now = Date.now();
+        // Guard against oversized metadata (defensive limit: 64KB)
+        if (entry.metadata) {
+            const metadataStr = JSON.stringify(entry.metadata);
+            if (metadataStr.length > 65536) {
+                throw new Error(`Credential metadata exceeds 64KB limit (${metadataStr.length} bytes)`);
+            }
+        }
+        // Guard against oversized resources (defensive limit: 64KB)
+        if (entry.resources) {
+            const resourcesStr = JSON.stringify(entry.resources);
+            if (resourcesStr.length > 65536) {
+                throw new Error(`Credential resources exceeds 64KB limit (${resourcesStr.length} bytes)`);
+            }
+        }
+        this.db.prepare(`
+      INSERT INTO credentials (
+        id, holder_did, project_id, credential_jwt, actions, provider,
+        resources, normalized_resource_key, resource_fingerprint,
+        delegated_from, status, expires_at, created_at, metadata
+      ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+    `).run(id, entry.holderDid, entry.projectId, entry.credentialJwt, JSON.stringify(entry.actions), entry.provider, entry.resources ? JSON.stringify(entry.resources) : null, entry.normalizedResourceKey ?? null, entry.resourceFingerprint ?? null, entry.delegatedFrom ?? null, entry.status ?? 'active', entry.expiresAt ?? null, now, entry.metadata ? JSON.stringify(entry.metadata) : null);
+        return {
+            ...entry,
+            id,
+            status: entry.status ?? 'active',
+            createdAt: now,
+            metadata: entry.metadata,
+            resources: entry.resources,
+        };
+    }
+    /**
+     * Find a credential by holder DID, action, and project.
+     * Uses json_each for action matching in JSON array.
+     * Excludes expired and revoked credentials.
+     */
+    findCredential(holderDid, action, projectId, resourceId) {
+        const now = Date.now();
+        if (resourceId !== undefined) {
+            // Input validation: reject control characters or excessively long resourceId
+            if (resourceId.length > 500 || /[\x00-\x1f]/.test(resourceId)) {
+                return null;
+            }
+            const row = this.db.prepare(`
+        SELECT c.* FROM credentials c, json_each(c.actions) AS je, json_each(c.resources) AS re
+        WHERE je.value = ?
+          AND c.holder_did = ?
+          AND c.project_id = ?
+          AND c.status = 'active'
+          AND (c.expires_at IS NULL OR c.expires_at > ?)
+          AND json_extract(re.value, '$.id') = ?
+        LIMIT 1
+      `).get(action, holderDid, projectId, now, resourceId);
+            return row ? this.rowToCredential(row) : null;
+        }
+        const row = this.db.prepare(`
+      SELECT c.* FROM credentials c, json_each(c.actions) AS je
+      WHERE je.value = ?
+        AND c.holder_did = ?
+        AND c.project_id = ?
+        AND c.status = 'active'
+        AND (c.expires_at IS NULL OR c.expires_at > ?)
+      LIMIT 1
+    `).get(action, holderDid, projectId, now);
+        return row ? this.rowToCredential(row) : null;
+    }
+    /**
+     * Find a credential that is NOT scoped to any specific resource.
+     * Returns credentials where resources is NULL or an empty array '[]'.
+     */
+    findUnscopedCredential(holderDid, action, projectId) {
+        const now = Date.now();
+        const row = this.db.prepare(`
+      SELECT c.* FROM credentials c, json_each(c.actions) AS je
+      WHERE je.value = ?
+        AND c.holder_did = ?
+        AND c.project_id = ?
+        AND c.status = 'active'
+        AND (c.expires_at IS NULL OR c.expires_at > ?)
+        AND (c.resources IS NULL OR c.resources = '[]')
+      LIMIT 1
+    `).get(action, holderDid, projectId, now);
+        return row ? this.rowToCredential(row) : null;
+    }
+    /**
+     * Find a credential by normalized resource key.
+     */
+    findCredentialByResource(normalizedKey, holderDid, projectId) {
+        const now = Date.now();
+        const row = this.db.prepare(`
+      SELECT * FROM credentials
+      WHERE normalized_resource_key = ?
+        AND holder_did = ?
+        AND project_id = ?
+        AND status = 'active'
+        AND (expires_at IS NULL OR expires_at > ?)
+      LIMIT 1
+    `).get(normalizedKey, holderDid, projectId, now);
+        return row ? this.rowToCredential(row) : null;
+    }
+    revokeCredential(id) {
+        this.db.prepare('UPDATE credentials SET status = ? WHERE id = ?').run('revoked', id);
+    }
+    getExpiredCredentials() {
+        const now = Date.now();
+        const rows = this.db.prepare('SELECT * FROM credentials WHERE status = ? AND expires_at IS NOT NULL AND expires_at <= ?').all('active', now);
+        return rows.map(r => this.rowToCredential(r));
+    }
+    getActiveCredentials() {
+        const now = Date.now();
+        const rows = this.db.prepare('SELECT * FROM credentials WHERE status = ? AND (expires_at IS NULL OR expires_at > ?)').all('active', now);
+        return rows.map(r => this.rowToCredential(r));
+    }
+    rowToCredential(row) {
+        return {
+            id: row.id,
+            holderDid: row.holder_did,
+            projectId: row.project_id,
+            credentialJwt: row.credential_jwt,
+            actions: JSON.parse(row.actions),
+            provider: row.provider,
+            normalizedResourceKey: row.normalized_resource_key ?? undefined,
+            resourceFingerprint: row.resource_fingerprint ?? undefined,
+            delegatedFrom: row.delegated_from ?? undefined,
+            status: row.status,
+            expiresAt: row.expires_at ?? undefined,
+            createdAt: row.created_at,
+            resources: row.resources ? JSON.parse(row.resources) : undefined,
+            metadata: row.metadata ? JSON.parse(row.metadata) : undefined,
+        };
+    }
+}
+exports.Wallet = Wallet;
+//# sourceMappingURL=wallet.js.map

package/dist/wallet/wallet.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"wallet.js","sourceRoot":"","sources":["../../src/wallet/wallet.ts"],"names":[],"mappings":";;;AAoCA,8CAiBC;AApDD,mCAAmC;AA+BnC;;;GAGG;AACH,SAAgB,iBAAiB,CAC/B,GAAY;IAEZ,IAAI,GAAG,IAAI,IAAI;QAAE,OAAO,SAAS,CAAA;IACjC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC;QAAE,OAAO,SAAS,CAAA;IACzC,OAAO,GAAG;SACP,MAAM,CAAC,CAAC,CAAC,EAAgC,EAAE,CAAC,CAAC,IAAI,IAAI,IAAI,OAAO,CAAC,KAAK,QAAQ,CAAC;SAC/E,GAAG,CAAC,CAAC,CAAC,EAAE;QACP,MAAM,SAAS,GAAuB;YACpC,QAAQ,EAAE,OAAO,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE;YAC1D,IAAI,EAAE,OAAO,CAAC,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE;SAC/C,CAAA;QACD,IAAI,OAAO,CAAC,CAAC,EAAE,KAAK,QAAQ;YAAE,SAAS,CAAC,EAAE,GAAG,CAAC,CAAC,EAAE,CAAA;QACjD,IAAI,OAAO,CAAC,CAAC,OAAO,KAAK,QAAQ;YAAE,SAAS,CAAC,OAAO,GAAG,CAAC,CAAC,OAAO,CAAA;QAChE,OAAO,SAAS,CAAA;IAClB,CAAC,CAAC;SACD,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,EAAE,IAAI,CAAC,CAAC,IAAI,KAAK,EAAE,CAAC,CAAA;AACpD,CAAC;AAED,MAAa,MAAM;IACY;IAA7B,YAA6B,EAAqB;QAArB,OAAE,GAAF,EAAE,CAAmB;IAAG,CAAC;IAEtD,eAAe,CAAC,KAAsB;QACpC,MAAM,EAAE,GAAG,KAAK,CAAC,EAAE,IAAI,IAAA,mBAAU,GAAE,CAAA;QACnC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;QAEtB,2DAA2D;QAC3D,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC;YACnB,MAAM,WAAW,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAA;YAClD,IAAI,WAAW,CAAC,MAAM,GAAG,KAAK,EAAE,CAAC;gBAC/B,MAAM,IAAI,KAAK,CAAC,2CAA2C,WAAW,CAAC,MAAM,SAAS,CAAC,CAAA;YACzF,CAAC;QACH,CAAC;QAED,4DAA4D;QAC5D,IAAI,KAAK,CAAC,SAAS,EAAE,CAAC;YACpB,MAAM,YAAY,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,SAAS,CAAC,CAAA;YACpD,IAAI,YAAY,CAAC,MAAM,GAAG,KAAK,EAAE,CAAC;gBAChC,MAAM,IAAI,KAAK,CAAC,4CAA4C,YAAY,CAAC,MAAM,SAAS,CAAC,CAAA;YAC3F,CAAC;QACH,CAAC;QAED,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC;;;;;;KAMf,CAAC,CAAC,GAAG,CACJ,EAAE,EACF,KAAK,CAAC,SAAS,EACf,KAAK,CAAC,SAAS,EACf,KAAK,CAAC,aAAa,EACnB,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,OAAO,CAAC,EAC7B,KAAK,CAAC,QAAQ,EACd,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,IAAI,EACxD,KAAK,CAAC,qBAAqB,IAAI,IAAI,EACnC,KAAK,CAAC,mBAAmB,IAAI,IAAI,EACjC,KAAK,CAAC,aAAa,IAAI,IAAI,EAC3B,KAAK,CAAC,MAAM,IAAI,QAAQ,EACxB,KAAK,CAAC,SAAS,IAAI,IAAI,EACvB,GAAG,EACH,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,CACvD,CAAA;QAED,OAAO;YACL,GAAG,KAAK;YACR,EAAE;YACF,MAAM,EAAE,KAAK,CAAC,MAAM,IAAI,QAAQ;YAChC,SAAS,EAAE,GAAG;YACd,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,SAAS,EAAE,KAAK,CAAC,SAAS;SAC3B,CAAA;IACH,CAAC;IAED;;;;OAIG;IACH,cAAc,CACZ,SAAiB,EACjB,MAAc,EACd,SAAiB,EACjB,UAAmB;QAEnB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;QAEtB,IAAI,UAAU,KAAK,SAAS,EAAE,CAAC;YAC7B,6EAA6E;YAC7E,IAAI,UAAU,CAAC,MAAM,GAAG,GAAG,IAAI,aAAa,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC;gBAC9D,OAAO,IAAI,CAAA;YACb,CAAC;YAED,MAAM,GAAG,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC;;;;;;;;;OAS3B,CAAC,CAAC,GAAG,CAAC,MAAM,EAAE,SAAS,EAAE,SAAS,EAAE,GAAG,EAAE,UAAU,CAAoB,CAAA;YAExE,OAAO,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAA;QAC/C,CAAC;QAED,MAAM,GAAG,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC;;;;;;;;KAQ3B,CAAC,CAAC,GAAG,CAAC,MAAM,EAAE,SAAS,EAAE,SAAS,EAAE,GAAG,CAAoB,CAAA;QAE5D,OAAO,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAA;IAC/C,CAAC;IAED;;;OAGG;IACH,sBAAsB,CACpB,SAAiB,EACjB,MAAc,EACd,SAAiB;QAEjB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;QACtB,MAAM,GAAG,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC;;;;;;;;;KAS3B,CAAC,CAAC,GAAG,CAAC,MAAM,EAAE,SAAS,EAAE,SAAS,EAAE,GAAG,CAAoB,CAAA;QAE5D,OAAO,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAA;IAC/C,CAAC;IAED;;OAEG;IACH,wBAAwB,CACtB,aAAqB,EACrB,SAAiB,EACjB,SAAiB;QAEjB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;QACtB,MAAM,GAAG,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC;;;;;;;;KAQ3B,CAAC,CAAC,GAAG,CAAC,aAAa,EAAE,SAAS,EAAE,SAAS,EAAE,GAAG,CAAoB,CAAA;QAEnE,OAAO,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAA;IAC/C,CAAC;IAED,gBAAgB,CAAC,EAAU;QACzB,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,gDAAgD,CAAC,CAAC,GAAG,CAAC,SAAS,EAAE,EAAE,CAAC,CAAA;IACtF,CAAC;IAED,qBAAqB;QACnB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;QACtB,MAAM,IAAI,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAC1B,2FAA2F,CAC5F,CAAC,GAAG,CAAC,QAAQ,EAAE,GAAG,CAAU,CAAA;QAE7B,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,CAAA;IAC/C,CAAC;IAED,oBAAoB;QAClB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;QACtB,MAAM,IAAI,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAC1B,uFAAuF,CACxF,CAAC,GAAG,CAAC,QAAQ,EAAE,GAAG,CAAU,CAAA;QAE7B,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,CAAA;IAC/C,CAAC;IAEO,eAAe,CAAC,GAAQ;QAC9B,OAAO;YACL,EAAE,EAAE,GAAG,CAAC,EAAE;YACV,SAAS,EAAE,GAAG,CAAC,UAAU;YACzB,SAAS,EAAE,GAAG,CAAC,UAAU;YACzB,aAAa,EAAE,GAAG,CAAC,cAAc;YACjC,OAAO,EAAE,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC;YAChC,QAAQ,EAAE,GAAG,CAAC,QAAQ;YACtB,qBAAqB,EAAE,GAAG,CAAC,uBAAuB,IAAI,SAAS;YAC/D,mBAAmB,EAAE,GAAG,CAAC,oBAAoB,IAAI,SAAS;YAC1D,aAAa,EAAE,GAAG,CAAC,cAAc,IAAI,SAAS;YAC9C,MAAM,EAAE,GAAG,CAAC,MAAM;YAClB,SAAS,EAAE,GAAG,CAAC,UAAU,IAAI,SAAS;YACtC,SAAS,EAAE,GAAG,CAAC,UAAU;YACzB,SAAS,EAAE,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,SAAS;YAChE,QAAQ,EAAE,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,SAAS;SAC9D,CAAA;IACH,CAAC;CACF;AA5LD,wBA4LC"}

package/package.json

@@ -0,0 +1,80 @@
+{
+  "name": "@vess-id/vess",
+  "version": "0.2.0-alpha.1",
+  "description": "VESS local AI agent runtime — manages agent identity, permissions, and execution boundaries",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "bin": {
+    "vess": "./bin/vess.js"
+  },
+  "scripts": {
+    "build": "tsc",
+    "dev": "tsc --watch",
+    "test": "jest --no-coverage",
+    "test:cov": "jest",
+    "lint": "eslint src/**/*.ts",
+    "start": "node dist/cli/index.js",
+    "semantic-release": "semantic-release"
+  },
+  "dependencies": {
+    "@modelcontextprotocol/sdk": "^1.18.1",
+    "@napi-rs/keyring": "^1.2.0",
+    "@sd-jwt/crypto-nodejs": "^0.15.0",
+    "@sd-jwt/sd-jwt-vc": "^0.15.1",
+    "@vess-id/ai-identity": "^0.4.0",
+    "better-sqlite3": "^11.0.0",
+    "commander": "^12.0.0",
+    "zod": "^3.23.0"
+  },
+  "optionalDependencies": {
+    "node-mac-auth": "^1.0.0"
+  },
+  "devDependencies": {
+    "@semantic-release/changelog": "^6.0.3",
+    "@semantic-release/commit-analyzer": "^13.0.1",
+    "@semantic-release/exec": "^7.1.0",
+    "@semantic-release/git": "^10.0.1",
+    "@semantic-release/github": "^12.0.6",
+    "@semantic-release/npm": "^13.0.0",
+    "@semantic-release/release-notes-generator": "^14.1.0",
+    "@types/better-sqlite3": "^7.6.0",
+    "@types/jest": "^29.5.0",
+    "@types/node": "^22.0.0",
+    "conventional-changelog-conventionalcommits": "^9.3.0",
+    "jest": "^29.7.0",
+    "semantic-release": "^25.0.3",
+    "ts-jest": "^29.1.0",
+    "typescript": "^5.3.0"
+  },
+  "engines": {
+    "node": ">=22.0.0"
+  },
+  "license": "BUSL-1.1",
+  "files": [
+    "bin",
+    "dist",
+    "LICENSE",
+    "README.md"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/cvoxelprotocol/aidentity.git",
+    "directory": "packages/agentd"
+  },
+  "keywords": [
+    "vess",
+    "ai-agent",
+    "mcp",
+    "did",
+    "identity",
+    "claude-code",
+    "verifiable-credentials"
+  ],
+  "bugs": {
+    "email": "info@vess.id"
+  },
+  "homepage": "https://vess.id",
+  "publishConfig": {
+    "access": "public"
+  }
+}