@vorionsys/basis 1.0.1

package/src/kya/authorization.ts

@@ -0,0 +1,325 @@
+/**
+ * KYA Authorization Manager
+ * Capability-based access control + policy enforcement
+ */
+
+import {
+  AuthorizationRequest,
+  AuthorizationDecision,
+  CapabilityToken,
+  PolicyBundle,
+  PolicyEngineConfig,
+  KYACapability,
+} from './types.js';
+
+export class AuthorizationManager {
+  private policyBundles: Map<string, PolicyBundle>;
+  private capabilities: Map<string, CapabilityToken[]>;
+
+  constructor(private config: PolicyEngineConfig) {
+    this.policyBundles = new Map();
+    this.capabilities = new Map();
+
+    // Load policy bundles
+    this.loadPolicyBundles();
+  }
+
+  /**
+   * Authorize agent action
+   */
+  async authorize(request: AuthorizationRequest): Promise<AuthorizationDecision> {
+    // 1. Get agent capabilities
+    const agentCapabilities = this.capabilities.get(request.agentDID) || [];
+
+    // 2. Find matching capability
+    const matchingCap = agentCapabilities.find(token =>
+      token.capabilities.some((cap: KYACapability) =>
+        this.matchesCapability(cap, request.action, request.resource)
+      )
+    );
+
+    if (!matchingCap) {
+      return {
+        allowed: false,
+        reason: 'No matching capability',
+        trustImpact: -10,
+      };
+    }
+
+    // 3. Check capability expiry
+    const now = new Date();
+    const notBefore = new Date(matchingCap.notBefore);
+    const notAfter = new Date(matchingCap.notAfter);
+
+    if (now < notBefore || now > notAfter) {
+      return {
+        allowed: false,
+        reason: 'Capability expired or not yet valid',
+        trustImpact: -5,
+      };
+    }
+
+    // 4. Evaluate conditions
+    const capability = matchingCap.capabilities.find((cap: KYACapability) =>
+      this.matchesCapability(cap, request.action, request.resource)
+    )!;
+
+    if (capability.conditions) {
+      const conditionsValid = await this.evaluateConditions(
+        capability.conditions,
+        request
+      );
+
+      if (!conditionsValid) {
+        return {
+          allowed: false,
+          reason: 'Capability conditions not met',
+          trustImpact: -5,
+        };
+      }
+    }
+
+    // 5. Check policy constraints
+    const policyViolations = await this.checkPolicyConstraints(request);
+
+    if (policyViolations.length > 0) {
+      return {
+        allowed: false,
+        reason: `Policy violations: ${policyViolations.join(', ')}`,
+        trustImpact: -20,
+      };
+    }
+
+    // 6. ALLOW
+    return {
+      allowed: true,
+      reason: 'Authorized',
+      conditions: capability.conditions,
+      trustImpact: 1,
+    };
+  }
+
+  /**
+   * Grant capability to agent
+   */
+  async grantCapability(
+    agentDID: string,
+    capabilityToken: CapabilityToken
+  ): Promise<void> {
+    const existing = this.capabilities.get(agentDID) || [];
+    existing.push(capabilityToken);
+    this.capabilities.set(agentDID, existing);
+  }
+
+  /**
+   * Revoke capability from agent
+   */
+  async revokeCapability(agentDID: string, capabilityId: string): Promise<void> {
+    const existing = this.capabilities.get(agentDID) || [];
+    const filtered = existing.filter(cap => cap.id !== capabilityId);
+    this.capabilities.set(agentDID, filtered);
+  }
+
+  // ============================================================================
+  // Private Methods
+  // ============================================================================
+
+  /**
+   * Check if capability matches action + resource
+   */
+  private matchesCapability(
+    capability: { action: string; resource: string },
+    action: string,
+    resource: string
+  ): boolean {
+    // Exact match
+    if (capability.action === action && capability.resource === resource) {
+      return true;
+    }
+
+    // Wildcard match
+    const actionMatch = this.matchesPattern(capability.action, action);
+    const resourceMatch = this.matchesPattern(capability.resource, resource);
+
+    return actionMatch && resourceMatch;
+  }
+
+  /**
+   * Pattern matching with wildcards
+   */
+  private matchesPattern(pattern: string, value: string): boolean {
+    if (pattern === '*') return true;
+    if (pattern === value) return true;
+
+    // Convert glob pattern to regex
+    const regexPattern = pattern
+      .replace(/\./g, '\\.')
+      .replace(/\*/g, '.*');
+
+    const regex = new RegExp(`^${regexPattern}$`);
+    return regex.test(value);
+  }
+
+  /**
+   * Evaluate capability conditions
+   */
+  private async evaluateConditions(
+    conditions: Record<string, unknown>,
+    request: AuthorizationRequest
+  ): Promise<boolean> {
+    // Example condition checks
+    if (conditions.maxFileSize && request.resource.startsWith('/')) {
+      // Would check actual file size
+      return true;
+    }
+
+    if (conditions.rateLimit) {
+      // Would check rate limiting
+      return true;
+    }
+
+    if (conditions.methods && Array.isArray(conditions.methods)) {
+      // Would check HTTP method
+      return true;
+    }
+
+    return true;
+  }
+
+  /**
+   * Check policy constraints (MUST NOT do)
+   */
+  private async checkPolicyConstraints(
+    request: AuthorizationRequest
+  ): Promise<string[]> {
+    const violations: string[] = [];
+
+    // Get applicable policy bundle
+    const policyBundle = this.policyBundles.get(this.config.defaultJurisdiction);
+
+    if (!policyBundle) {
+      return violations;
+    }
+
+    // Check each constraint
+    for (const constraint of policyBundle.constraints) {
+      const violated = await this.evaluateConstraint(constraint.rule, request);
+
+      if (violated) {
+        violations.push(constraint.description);
+
+        // Apply enforcement action
+        if (constraint.enforcement === 'block') {
+          // Already blocked by adding to violations
+        } else if (constraint.enforcement === 'warn') {
+          console.warn(`Policy warning: ${constraint.description}`);
+        } else if (constraint.enforcement === 'log') {
+          console.log(`Policy logged: ${constraint.description}`);
+        }
+      }
+    }
+
+    return violations;
+  }
+
+  /**
+   * Evaluate constraint rule (simplified)
+   */
+  private async evaluateConstraint(
+    rule: string,
+    request: AuthorizationRequest
+  ): Promise<boolean> {
+    // Would use CEL (Common Expression Language) or JSON Logic
+    // For now, simple keyword matching
+    if (rule.includes('no_credential_access') && request.resource.includes('credential')) {
+      return true;
+    }
+
+    if (rule.includes('no_external_code') && request.action.includes('code.execute')) {
+      return true;
+    }
+
+    return false;
+  }
+
+  /**
+   * Load policy bundles from configuration
+   */
+  private loadPolicyBundles(): void {
+    // Would load from files/database
+    // For now, create a default policy bundle
+    const defaultBundle: PolicyBundle = {
+      id: 'vorion-default-v1',
+      version: '1.0.0',
+      jurisdiction: 'Global',
+      constraints: [
+        {
+          id: 'no-credential-access',
+          description: 'Agents cannot access credential files',
+          rule: 'no_credential_access',
+          severity: 'critical',
+          enforcement: 'block',
+        },
+        {
+          id: 'no-external-code',
+          description: 'Agents cannot execute external code',
+          rule: 'no_external_code',
+          severity: 'high',
+          enforcement: 'block',
+        },
+      ],
+      obligations: [],
+      permissions: [],
+    };
+
+    this.policyBundles.set('Global', defaultBundle);
+  }
+}
+
+// ============================================================================
+// Example Usage
+// ============================================================================
+
+/*
+import { AuthorizationManager } from './authorization';
+
+async function example() {
+  const authManager = new AuthorizationManager({
+    policyBundlesPath: './policies',
+    defaultJurisdiction: 'Global',
+  });
+
+  // Grant capability to agent
+  await authManager.grantCapability('did:vorion:agent:123', {
+    id: 'cap_001',
+    issuer: 'did:vorion:org:agentanchor',
+    subject: 'did:vorion:agent:123',
+    capabilities: [
+      {
+        action: 'file.write',
+        resource: '/data/user_documents/*',
+        conditions: {
+          maxFileSize: 10485760,
+          allowedExtensions: ['.txt', '.md', '.json'],
+        },
+      },
+    ],
+    notBefore: new Date().toISOString(),
+    notAfter: new Date(Date.now() + 30 * 24 * 60 * 60 * 1000).toISOString(),
+    signature: '...',
+  });
+
+  // Check authorization
+  const decision = await authManager.authorize({
+    agentDID: 'did:vorion:agent:123',
+    action: 'file.write',
+    resource: '/data/user_documents/report.txt',
+    context: {
+      timestamp: Date.now(),
+    },
+  });
+
+  console.log('Authorized:', decision.allowed);
+  console.log('Reason:', decision.reason);
+}
+*/

package/src/kya/behavior.ts

@@ -0,0 +1,169 @@
+/**
+ * KYA Behavior Monitor
+ * Real-time anomaly detection + trust scoring
+ */
+
+import { AnomalyAlert, BehaviorProfile, DatabaseConfig } from './types.js';
+
+export class BehaviorMonitor {
+  private profiles: Map<string, BehaviorProfile>;
+  private trustScores: Map<string, number>;
+
+  constructor(private config: DatabaseConfig) {
+    this.profiles = new Map();
+    this.trustScores = new Map();
+  }
+
+  /**
+   * Detect anomalies in agent behavior
+   */
+  async detectAnomalies(agentDID: string): Promise<AnomalyAlert[]> {
+    const profile = await this.getBehaviorProfile(agentDID);
+    const alerts: AnomalyAlert[] = [];
+
+    // 1. Rate spike detection
+    const zScore =
+      (profile.recentWindow.actionsInLastHour - profile.baseline.actionsPerHour.mean) /
+      profile.baseline.actionsPerHour.stddev;
+
+    if (zScore > 3) {
+      alerts.push({
+        severity: 'high',
+        type: 'rate_spike',
+        description: `Action rate is ${zScore.toFixed(1)} standard deviations above baseline`,
+        evidence: {
+          baseline: profile.baseline.actionsPerHour.mean,
+          current: profile.recentWindow.actionsInLastHour,
+        },
+        recommendedAction: 'throttle',
+        trustImpact: -50,
+      });
+    }
+
+    // 2. Success rate drop
+    const successDrop =
+      profile.baseline.successRate.mean - profile.recentWindow.successRateLastHour;
+
+    if (successDrop > 0.2) {
+      alerts.push({
+        severity: 'medium',
+        type: 'success_rate_drop',
+        description: `Success rate dropped ${(successDrop * 100).toFixed(1)}%`,
+        evidence: {
+          baseline: profile.baseline.successRate.mean,
+          current: profile.recentWindow.successRateLastHour,
+        },
+        recommendedAction: 'warn',
+        trustImpact: -20,
+      });
+    }
+
+    // 3. New capability usage
+    if (profile.recentWindow.newActionsInLastHour.length > 3) {
+      alerts.push({
+        severity: 'low',
+        type: 'new_capabilities',
+        description: `Agent using ${profile.recentWindow.newActionsInLastHour.length} new capabilities`,
+        evidence: {
+          newActions: profile.recentWindow.newActionsInLastHour,
+        },
+        recommendedAction: 'log',
+        trustImpact: -5,
+      });
+    }
+
+    // 4. Suspicious resource access
+    const suspiciousResources = profile.recentWindow.newResourcesInLastHour.filter((r: string) =>
+      r.includes('.env') || r.includes('credentials') || r.includes('secret')
+    );
+
+    if (suspiciousResources.length > 0) {
+      alerts.push({
+        severity: 'critical',
+        type: 'suspicious_resource_access',
+        description: 'Agent accessing sensitive resources',
+        evidence: {
+          resources: suspiciousResources,
+        },
+        recommendedAction: 'suspend',
+        trustImpact: -150,
+      });
+    }
+
+    return alerts;
+  }
+
+  /**
+   * Get or create behavior profile for agent
+   */
+  async getBehaviorProfile(agentDID: string): Promise<BehaviorProfile> {
+    if (this.profiles.has(agentDID)) {
+      return this.profiles.get(agentDID)!;
+    }
+
+    // Create initial profile
+    const profile: BehaviorProfile = {
+      agentDID,
+      baseline: {
+        actionsPerHour: { mean: 10, stddev: 3 },
+        successRate: { mean: 0.95, stddev: 0.05 },
+        topActions: [],
+        topResources: [],
+      },
+      recentWindow: {
+        actionsInLastHour: 0,
+        successRateLastHour: 1.0,
+        newActionsInLastHour: [],
+        newResourcesInLastHour: [],
+      },
+    };
+
+    this.profiles.set(agentDID, profile);
+    return profile;
+  }
+
+  /**
+   * Update trust score from behavior
+   */
+  async updateTrustScoreFromBehavior(
+    agentDID: string,
+    anomalies: AnomalyAlert[]
+  ): Promise<number> {
+    const currentScore = this.trustScores.get(agentDID) || 500; // Default: T3
+
+    // Apply trust impact from anomalies
+    const totalImpact = anomalies.reduce((sum, alert) => sum + alert.trustImpact, 0);
+
+    // Update trust score
+    const newScore = Math.max(0, Math.min(1000, currentScore + totalImpact));
+
+    this.trustScores.set(agentDID, newScore);
+
+    // Take recommended actions
+    for (const alert of anomalies) {
+      switch (alert.recommendedAction) {
+        case 'suspend':
+          console.warn(`SUSPEND agent ${agentDID}:`, alert.description);
+          break;
+        case 'throttle':
+          console.warn(`THROTTLE agent ${agentDID}:`, alert.description);
+          break;
+        case 'warn':
+          console.warn(`WARNING for agent ${agentDID}:`, alert.description);
+          break;
+        case 'log':
+          console.log(`LOG for agent ${agentDID}:`, alert.description);
+          break;
+      }
+    }
+
+    return newScore;
+  }
+
+  /**
+   * Get current trust score
+   */
+  async getTrustScore(agentDID: string): Promise<number> {
+    return this.trustScores.get(agentDID) || 500;
+  }
+}

package/src/kya/identity.ts

@@ -0,0 +1,224 @@
+/**
+ * KYA Identity Verification
+ * W3C DID resolution + Ed25519 signature verification
+ */
+
+import * as ed from '@noble/ed25519';
+import { Resolver } from 'did-resolver';
+import {
+  DIDDocument,
+  DIDResolverConfig,
+  IdentityProof,
+  VerificationMethod,
+} from './types.js';
+
+export class IdentityVerifier {
+  private resolver: Resolver;
+  private cache: Map<string, DIDDocument>;
+
+  constructor(config: DIDResolverConfig) {
+    // Initialize DID resolver (would integrate with did-resolver library)
+    this.resolver = new Resolver({
+      // Custom resolver for did:vorion:
+      vorion: async (did: string) => {
+        return this.resolveVorionDID(did);
+      },
+    });
+
+    this.cache = new Map();
+  }
+
+  /**
+   * Verify agent identity using DID + signature
+   */
+  async verify(proof: IdentityProof): Promise<boolean> {
+    try {
+      // 1. Resolve DID document
+      const didDoc = await this.resolveDID(proof.did);
+
+      // 2. Extract verification method
+      const verificationMethod = didDoc.verificationMethod?.find(
+        (vm: VerificationMethod) => vm.type === 'Ed25519VerificationKey2020'
+      );
+
+      if (!verificationMethod) {
+        throw new Error('No Ed25519 verification method found');
+      }
+
+      // 3. Verify signature
+      const message = `${proof.challenge}:${proof.timestamp}`;
+      const messageBytes = new TextEncoder().encode(message);
+      const signatureBytes = this.hexToBytes(proof.signature);
+      const publicKeyBytes = this.multibaseToBytes(verificationMethod.publicKeyMultibase);
+
+      const isValid = await ed.verify(signatureBytes, messageBytes, publicKeyBytes);
+
+      // 4. Check timestamp freshness (prevent replay attacks)
+      const age = Date.now() - proof.timestamp;
+      if (age > 60000) { // 1 minute max
+        throw new Error('Proof too old (replay attack prevention)');
+      }
+
+      return isValid;
+    } catch (error) {
+      console.error('Identity verification failed:', error);
+      return false;
+    }
+  }
+
+  /**
+   * Resolve DID to DID Document
+   */
+  async resolveDID(did: string): Promise<DIDDocument> {
+    // Check cache first
+    if (this.cache.has(did)) {
+      return this.cache.get(did)!;
+    }
+
+    // Resolve from network
+    const result = await this.resolver.resolve(did);
+
+    if (!result.didDocument) {
+      throw new Error(`Failed to resolve DID: ${did}`);
+    }
+
+    const didDoc = result.didDocument as DIDDocument;
+
+    // Cache for future lookups
+    this.cache.set(did, didDoc);
+
+    return didDoc;
+  }
+
+  /**
+   * Custom Vorion DID resolver
+   * Format: did:vorion:<method>:<identifier>
+   */
+  private async resolveVorionDID(did: string): Promise<any> {
+    // Parse DID
+    const parts = did.split(':');
+    if (parts.length < 4) {
+      throw new Error('Invalid Vorion DID format');
+    }
+
+    const method = parts[2];  // e.g., 'ed25519'
+    const identifier = parts[3];  // e.g., '5Z8K3q2YvU8pVzNxF9sT7bQw6JhR1XmDcL4nVk'
+
+    // Fetch from Vorion DID registry (would be actual API call)
+    // For now, return mock structure
+    return {
+      didDocument: {
+        '@context': [
+          'https://www.w3.org/ns/did/v1',
+          'https://vorion.org/ns/kya/v1',
+        ],
+        id: did,
+        controller: did,
+        verificationMethod: [
+          {
+            id: `${did}#keys-1`,
+            type: 'Ed25519VerificationKey2020',
+            controller: did,
+            publicKeyMultibase: `z${identifier}`,
+          },
+        ],
+        authentication: [`${did}#keys-1`],
+        assertionMethod: [`${did}#keys-1`],
+        service: [
+          {
+            id: `${did}#agentcard`,
+            type: 'AgentCard',
+            serviceEndpoint: `https://agentanchorai.com/cards/${identifier}`,
+          },
+        ],
+        kya: {
+          trustScore: 0,
+          tier: 'T0' as const,
+          certified: false,
+          capabilities: [],
+          restrictions: [],
+        },
+      },
+    };
+  }
+
+  /**
+   * Generate challenge for identity proof
+   */
+  generateChallenge(): string {
+    const bytes = new Uint8Array(32);
+    crypto.getRandomValues(bytes);
+    return this.bytesToHex(bytes);
+  }
+
+  /**
+   * Sign challenge with private key (for agents to use)
+   */
+  async signChallenge(challenge: string, privateKey: Uint8Array): Promise<string> {
+    const timestamp = Date.now();
+    const message = `${challenge}:${timestamp}`;
+    const messageBytes = new TextEncoder().encode(message);
+
+    const signature = await ed.sign(messageBytes, privateKey);
+
+    return this.bytesToHex(signature);
+  }
+
+  // ============================================================================
+  // Utility Methods
+  // ============================================================================
+
+  private hexToBytes(hex: string): Uint8Array {
+    const bytes = new Uint8Array(hex.length / 2);
+    for (let i = 0; i < hex.length; i += 2) {
+      bytes[i / 2] = parseInt(hex.substr(i, 2), 16);
+    }
+    return bytes;
+  }
+
+  private bytesToHex(bytes: Uint8Array): string {
+    return Array.from(bytes)
+      .map(b => b.toString(16).padStart(2, '0'))
+      .join('');
+  }
+
+  private multibaseToBytes(multibase: string): Uint8Array {
+    // Remove 'z' prefix (base58btc encoding)
+    const base58 = multibase.substring(1);
+
+    // Decode base58 (simplified, would use actual base58 library)
+    // For now, assume hex encoding
+    return this.hexToBytes(base58);
+  }
+}
+
+// ============================================================================
+// Example Usage
+// ============================================================================
+
+/*
+import { IdentityVerifier } from './identity';
+
+async function example() {
+  const verifier = new IdentityVerifier({
+    networks: ['vorion', 'ethereum'],
+    cacheEnabled: true,
+  });
+
+  // Agent generates proof
+  const challenge = verifier.generateChallenge();
+  const privateKey = ed.utils.randomPrivateKey();
+  const signature = await verifier.signChallenge(challenge, privateKey);
+
+  // Verify identity
+  const isValid = await verifier.verify({
+    did: 'did:vorion:ed25519:5Z8K3q2YvU8pVzNxF9sT7bQw6JhR1XmDcL4nVk',
+    timestamp: Date.now(),
+    challenge,
+    signature,
+    publicKey: ed.utils.bytesToHex(await ed.getPublicKey(privateKey)),
+  });
+
+  console.log('Identity valid:', isValid);
+}
+*/