a2a-did 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 a2a-did contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,180 @@
+# a2a-did
+
+> DID-based authentication for A2A Protocol - Sign and verify agent messages with did:web and did:ethr
+
+[![npm version](https://img.shields.io/npm/v/a2a-did.svg)](https://www.npmjs.com/package/a2a-did)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
+
+## Implementation Notes
+
+**This is an experimental v0.1.0 release** focused on basic functionality.
+
+For production use, consider implementing additional security measures appropriate to your use case:
+- **Key Management**: This library generates keys in memory. Consider integrating with KMS/HSM based on your security requirements.
+- **DID Resolution**: Implement domain allowlisting if your deployment requires SSRF protection.
+- **Message Replay**: Add timestamps/nonces to messages in your application logic.
+
+See [SECURITY.md](./SECURITY.md) for detailed security considerations.
+
+---
+
+**a2a-did** provides decentralized identity (DID) authentication for the A2A Protocol, enabling cryptographically verifiable agent-to-agent communication without centralized registries.
+
+## Features
+
+- ✅ **DID Identity Management** - Create and resolve DIDs (did:web, did:ethr)
+- ✅ **Message Signing** - Sign A2A messages with DID private keys (ES256K/JWS)
+- ✅ **Signature Verification** - Verify message authenticity with DID public keys
+- ✅ **Zero Pre-registration** - No central registry required
+
+## Installation
+
+```bash
+npm install a2a-did
+```
+
+## Quick Start
+
+### 1. Create a DID Identity
+
+```typescript
+import { createAgentDIDService } from 'a2a-did';
+
+// Create did:web identity (HTTPS-based)
+const service = await createAgentDIDService(['web']);
+const identity = await service.createIdentity({
+  method: 'web',
+  agentId: 'my-agent',
+  config: {
+    type: 'web',
+    domain: 'example.com',
+    port: 443
+  }
+});
+
+console.log(identity.did);
+// → did:web:example.com%3A443:agents:my-agent
+```
+
+### 2. Sign A2A Messages
+
+```typescript
+import { signA2AMessage } from 'a2a-did';
+
+// A2A Protocol message
+const message = {
+  jsonrpc: '2.0',
+  method: 'message/send',
+  params: {
+    message: {
+      kind: 'message',
+      messageId: 'msg-123',
+      role: 'user',
+      parts: [{ kind: 'text', text: 'Hello' }]
+    }
+  },
+  id: 1
+};
+
+// Sign with DID
+const signature = await signA2AMessage(message, identity);
+
+// Send signed request
+const signedRequest = { ...message, signature };
+await fetch('https://agent.example.com/a2a', {
+  method: 'POST',
+  body: JSON.stringify(signedRequest)
+});
+```
+
+### 3. Verify Signatures
+
+```typescript
+import { verifySignedA2ARequest } from 'a2a-did';
+
+app.post('/a2a', async (req, res) => {
+  if (req.body.signature) {
+    const result = await verifySignedA2ARequest(req.body);
+
+    if (!result.valid) {
+      return res.json({
+        jsonrpc: '2.0',
+        error: { code: -32600, message: 'Invalid signature' },
+        id: req.body.id
+      });
+    }
+
+    console.log(`Authenticated: ${result.senderDid}`);
+  }
+
+  // Process message...
+});
+```
+
+## API Reference
+
+### Identity Management
+
+```typescript
+// Create DID service
+createAgentDIDService(methods: Array<'web' | 'ethr'>): Promise<AgentDIDService>
+
+// Create identity
+service.createIdentity(options: {
+  method: 'web' | 'ethr',
+  agentId: string,
+  config: WebConfig | EthrConfig
+}): Promise<DIDIdentity>
+```
+
+### Message Signing
+
+```typescript
+// Sign message
+signA2AMessage(payload: object, identity: DIDIdentity): Promise<string>
+
+// Verify signature
+verifySignedA2ARequest(request: object): Promise<{
+  valid: boolean;
+  senderDid?: string;
+  error?: string;
+}>
+```
+
+### Agent Resolution
+
+```typescript
+// Resolve DID → A2A endpoint
+resolveA2AEndpoint(did: string): Promise<string>
+```
+
+## DID Methods
+
+### did:web
+
+- **Trust model**: HTTPS/TLS (same as web PKI)
+- **Setup**: Simple (HTTPS server only)
+- **Use case**: Corporate agents, fixed endpoints
+
+### did:ethr
+
+- **Trust model**: Ethereum blockchain
+- **Setup**: Requires RPC endpoint
+- **Use case**: Dynamic agents, cross-domain
+
+## Security Notes
+
+⚠️ **Important**: This library provides authentication (identity verification) only. You must implement:
+
+- **Replay protection**: Add `iat`/`exp`/`jti` to prevent message replay
+- **Authorization**: Access control policies for your agents
+- **Rate limiting**: Protection against DoS attacks
+
+## License
+
+MIT
+
+## Related Projects
+
+- [A2A Protocol](https://github.com/a2aproject/A2A) - Agent-to-Agent Communication Protocol
+- [W3C DID Core](https://www.w3.org/TR/did-core/) - Decentralized Identifiers specification

package/dist/a2a/constants.d.ts

@@ -0,0 +1,10 @@
+/**
+ * A2A Protocol Constants
+ * @module a2a/constants
+ */
+/**
+ * Service type for Agent Card URL in DID Document
+ * Use this constant to ensure consistency across the codebase
+ */
+export declare const A2A_AGENT_CARD_SERVICE_TYPE: "A2AAgentCard";
+//# sourceMappingURL=constants.d.ts.map

package/dist/a2a/constants.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../../src/a2a/constants.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH;;;GAGG;AACH,eAAO,MAAM,2BAA2B,EAAG,cAAuB,CAAC"}

package/dist/a2a/constants.js

@@ -0,0 +1,10 @@
+/**
+ * A2A Protocol Constants
+ * @module a2a/constants
+ */
+/**
+ * Service type for Agent Card URL in DID Document
+ * Use this constant to ensure consistency across the codebase
+ */
+export const A2A_AGENT_CARD_SERVICE_TYPE = 'A2AAgentCard';
+//# sourceMappingURL=constants.js.map

package/dist/a2a/constants.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"constants.js","sourceRoot":"","sources":["../../src/a2a/constants.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH;;;GAGG;AACH,MAAM,CAAC,MAAM,2BAA2B,GAAG,cAAuB,CAAC"}

package/dist/a2a/index.d.ts

@@ -0,0 +1,23 @@
+/**
+ * A2A Integration Module
+ *
+ * DID-based authentication and verification for A2A Protocol
+ *
+ * This module provides:
+ * - DID signature creation for A2A messages (signing.ts)
+ * - DID signature verification for A2A messages (verification.ts)
+ * - Agent Card verification (verification.ts)
+ * - DID-to-A2A endpoint resolution (resolution.ts)
+ *
+ * What this module does NOT provide:
+ * - A2A communication (use @a2a-js/sdk)
+ * - A2A server implementation (see packages/api)
+ * - Message type definitions (use @a2a-js/sdk types)
+ *
+ * @module a2a
+ */
+export * from './constants.js';
+export * from './resolution.js';
+export * from './verification.js';
+export * from './signing.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/a2a/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/a2a/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAGH,cAAc,gBAAgB,CAAC;AAG/B,cAAc,iBAAiB,CAAC;AAGhC,cAAc,mBAAmB,CAAC;AAGlC,cAAc,cAAc,CAAC"}

package/dist/a2a/index.js

@@ -0,0 +1,27 @@
+/**
+ * A2A Integration Module
+ *
+ * DID-based authentication and verification for A2A Protocol
+ *
+ * This module provides:
+ * - DID signature creation for A2A messages (signing.ts)
+ * - DID signature verification for A2A messages (verification.ts)
+ * - Agent Card verification (verification.ts)
+ * - DID-to-A2A endpoint resolution (resolution.ts)
+ *
+ * What this module does NOT provide:
+ * - A2A communication (use @a2a-js/sdk)
+ * - A2A server implementation (see packages/api)
+ * - Message type definitions (use @a2a-js/sdk types)
+ *
+ * @module a2a
+ */
+// Constants
+export * from './constants.js';
+// Resolution functions
+export * from './resolution.js';
+// Verification functions
+export * from './verification.js';
+// Signing functions
+export * from './signing.js';
+//# sourceMappingURL=index.js.map

package/dist/a2a/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/a2a/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,YAAY;AACZ,cAAc,gBAAgB,CAAC;AAE/B,uBAAuB;AACvB,cAAc,iBAAiB,CAAC;AAEhC,yBAAyB;AACzB,cAAc,mBAAmB,CAAC;AAElC,oBAAoB;AACpB,cAAc,cAAc,CAAC"}

package/dist/a2a/resolution.d.ts

@@ -0,0 +1,20 @@
+import type { DIDDocument } from '../did/types.js';
+/**
+ * Extract Agent Card URL from DID Document
+ * @param document - The DID Document
+ * @returns The Agent Card URL, or undefined if not found
+ */
+export declare function extractAgentCardUrl(document: DIDDocument): string | undefined;
+/**
+ * Resolve a DID and get its A2A endpoint
+ * Follows A2A Protocol 0.3.0: DID → Agent Card URL → Agent Card → A2A endpoint
+ *
+ * IMPORTANT: For did:ethr, you must call configureResolver() before using this function.
+ * See packages/core/src/did/resolver.ts for configuration details.
+ *
+ * @param did - The DID to resolve
+ * @returns The A2A endpoint URL from Agent Card
+ * @throws Error if DID cannot be resolved, has no Agent Card, or Agent Card has no url
+ */
+export declare function resolveA2AEndpoint(did: string): Promise<string>;
+//# sourceMappingURL=resolution.d.ts.map

package/dist/a2a/resolution.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"resolution.d.ts","sourceRoot":"","sources":["../../src/a2a/resolution.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,WAAW,EAAmB,MAAM,iBAAiB,CAAC;AAmBpE;;;;GAIG;AACH,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,WAAW,GAAG,MAAM,GAAG,SAAS,CAQ7E;AAED;;;;;;;;;;GAUG;AACH,wBAAsB,kBAAkB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CA0BrE"}

package/dist/a2a/resolution.js

@@ -0,0 +1,55 @@
+/**
+ * A2A Resolution Functions
+ * DID Document から Agent Card URL や A2A エンドポイントを解決
+ * @module a2a/resolution
+ */
+import { resolveDID } from '../did/resolver.js';
+import { A2A_AGENT_CARD_SERVICE_TYPE } from './constants.js';
+import { fetchUri } from './utils.js';
+/**
+ * Extract Agent Card URL from DID Document
+ * @param document - The DID Document
+ * @returns The Agent Card URL, or undefined if not found
+ */
+export function extractAgentCardUrl(document) {
+    const service = document.service?.find((s) => s.type === A2A_AGENT_CARD_SERVICE_TYPE);
+    if (!service)
+        return undefined;
+    return typeof service.serviceEndpoint === 'string'
+        ? service.serviceEndpoint
+        : undefined;
+}
+/**
+ * Resolve a DID and get its A2A endpoint
+ * Follows A2A Protocol 0.3.0: DID → Agent Card URL → Agent Card → A2A endpoint
+ *
+ * IMPORTANT: For did:ethr, you must call configureResolver() before using this function.
+ * See packages/core/src/did/resolver.ts for configuration details.
+ *
+ * @param did - The DID to resolve
+ * @returns The A2A endpoint URL from Agent Card
+ * @throws Error if DID cannot be resolved, has no Agent Card, or Agent Card has no url
+ */
+export async function resolveA2AEndpoint(did) {
+    // Step 1: Resolve DID to get Agent Card URL
+    const document = await resolveDID(did);
+    if (!document) {
+        throw new Error(`Failed to resolve DID: ${did}`);
+    }
+    const agentCardUrl = extractAgentCardUrl(document);
+    if (!agentCardUrl) {
+        throw new Error(`No Agent Card URL found in DID Document: ${did}`);
+    }
+    // Step 2: Fetch Agent Card with cryptographic verification (supports http://, https://, ipfs://)
+    const response = await fetchUri(agentCardUrl);
+    if (!response.ok) {
+        throw new Error(`Failed to fetch Agent Card from ${agentCardUrl}: ${response.status}`);
+    }
+    const agentCard = (await response.json());
+    // Step 3: Extract A2A endpoint from Agent Card
+    if (!agentCard.url || typeof agentCard.url !== 'string') {
+        throw new Error(`Agent Card has no valid url field: ${agentCardUrl}`);
+    }
+    return agentCard.url;
+}
+//# sourceMappingURL=resolution.js.map

package/dist/a2a/resolution.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"resolution.js","sourceRoot":"","sources":["../../src/a2a/resolution.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAEhD,OAAO,EAAE,2BAA2B,EAAE,MAAM,gBAAgB,CAAC;AAC7D,OAAO,EAAE,QAAQ,EAAE,MAAM,YAAY,CAAC;AAiBtC;;;;GAIG;AACH,MAAM,UAAU,mBAAmB,CAAC,QAAqB;IACvD,MAAM,OAAO,GAAG,QAAQ,CAAC,OAAO,EAAE,IAAI,CACpC,CAAC,CAAkB,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,2BAA2B,CAC/D,CAAC;IACF,IAAI,CAAC,OAAO;QAAE,OAAO,SAAS,CAAC;IAC/B,OAAO,OAAO,OAAO,CAAC,eAAe,KAAK,QAAQ;QAChD,CAAC,CAAC,OAAO,CAAC,eAAe;QACzB,CAAC,CAAC,SAAS,CAAC;AAChB,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,GAAW;IAClD,4CAA4C;IAC5C,MAAM,QAAQ,GAAG,MAAM,UAAU,CAAC,GAAG,CAAC,CAAC;IACvC,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,IAAI,KAAK,CAAC,0BAA0B,GAAG,EAAE,CAAC,CAAC;IACnD,CAAC;IAED,MAAM,YAAY,GAAG,mBAAmB,CAAC,QAAQ,CAAC,CAAC;IACnD,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,MAAM,IAAI,KAAK,CAAC,4CAA4C,GAAG,EAAE,CAAC,CAAC;IACrE,CAAC;IAED,iGAAiG;IACjG,MAAM,QAAQ,GAAG,MAAM,QAAQ,CAAC,YAAY,CAAC,CAAC;IAC9C,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CAAC,mCAAmC,YAAY,KAAK,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;IACzF,CAAC;IAED,MAAM,SAAS,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAoB,CAAC;IAE7D,+CAA+C;IAC/C,IAAI,CAAC,SAAS,CAAC,GAAG,IAAI,OAAO,SAAS,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;QACxD,MAAM,IAAI,KAAK,CAAC,sCAAsC,YAAY,EAAE,CAAC,CAAC;IACxE,CAAC;IAED,OAAO,SAAS,CAAC,GAAG,CAAC;AACvB,CAAC"}

package/dist/a2a/signing.d.ts

@@ -0,0 +1,24 @@
+import type { DIDIdentity } from '../did/types.js';
+/**
+ * Sign an A2A message or request with the sender's DID identity
+ * Creates a JWS signature using the DID private key
+ *
+ * @param payload - The message or request to sign (any A2A JSON-RPC message)
+ * @param signer - The sender's DID identity (contains private key)
+ * @returns The JWS signature (compact format)
+ *
+ * @example
+ * ```typescript
+ * const identity = await createIdentity(...);
+ * const message = {
+ *   jsonrpc: '2.0',
+ *   method: 'message/send',
+ *   params: { ... },
+ *   id: 1
+ * };
+ * const signature = await signA2AMessage(message, identity);
+ * const signedRequest = { ...message, signature };
+ * ```
+ */
+export declare function signA2AMessage(payload: Record<string, unknown>, signer: DIDIdentity): Promise<string>;
+//# sourceMappingURL=signing.d.ts.map

package/dist/a2a/signing.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"signing.d.ts","sourceRoot":"","sources":["../../src/a2a/signing.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAEnD;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAsB,cAAc,CAClC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAChC,MAAM,EAAE,WAAW,GAClB,OAAO,CAAC,MAAM,CAAC,CAMjB"}

package/dist/a2a/signing.js

@@ -0,0 +1,31 @@
+/**
+ * A2A Signing Functions
+ * DID Identity を使った A2A メッセージへの署名
+ * @module a2a/signing
+ */
+import { createJWS } from 'did-jwt';
+/**
+ * Sign an A2A message or request with the sender's DID identity
+ * Creates a JWS signature using the DID private key
+ *
+ * @param payload - The message or request to sign (any A2A JSON-RPC message)
+ * @param signer - The sender's DID identity (contains private key)
+ * @returns The JWS signature (compact format)
+ *
+ * @example
+ * ```typescript
+ * const identity = await createIdentity(...);
+ * const message = {
+ *   jsonrpc: '2.0',
+ *   method: 'message/send',
+ *   params: { ... },
+ *   id: 1
+ * };
+ * const signature = await signA2AMessage(message, identity);
+ * const signedRequest = { ...message, signature };
+ * ```
+ */
+export async function signA2AMessage(payload, signer) {
+    return createJWS(payload, signer.signer, { alg: 'ES256K', kid: signer.keyId });
+}
+//# sourceMappingURL=signing.js.map

package/dist/a2a/signing.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"signing.js","sourceRoot":"","sources":["../../src/a2a/signing.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AAGpC;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,OAAgC,EAChC,MAAmB;IAEnB,OAAO,SAAS,CACd,OAAO,EACP,MAAM,CAAC,MAAM,EACb,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG,EAAE,MAAM,CAAC,KAAK,EAAE,CACrC,CAAC;AACJ,CAAC"}

package/dist/a2a/utils.d.ts

@@ -0,0 +1,29 @@
+/**
+ * Base64URL encode a string
+ */
+export declare function base64UrlEncode(str: string): string;
+/**
+ * Decode base64url to JSON
+ */
+export declare function decodeBase64UrlJson(str: string): Record<string, unknown>;
+/**
+ * Normalize JSON for comparison
+ */
+export declare function normalizeJson(value: unknown): unknown;
+/**
+ * Compare JSON objects for equality
+ */
+export declare function jsonEquals(a: unknown, b: unknown): boolean;
+/**
+ * Fetch content from URI with cryptographic verification for IPFS content
+ *
+ * - For ipfs:// and ipns:// URIs: Uses @helia/verified-fetch for trustless content retrieval
+ *   with CID verification, multiple gateway fallbacks, and tamper detection
+ * - For http:// and https:// URIs: Uses standard fetch (assumes TLS provides sufficient security)
+ *
+ * @param uri - URI to fetch (http://, https://, ipfs://, or ipns://)
+ * @returns Fetch response
+ * @throws Error if URI scheme is unsupported or verification fails
+ */
+export declare function fetchUri(uri: string): Promise<Response>;
+//# sourceMappingURL=utils.d.ts.map

package/dist/a2a/utils.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../../src/a2a/utils.ts"],"names":[],"mappings":"AAUA;;GAEG;AACH,wBAAgB,eAAe,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAEnD;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAGxE;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAcrD;AAED;;GAEG;AACH,wBAAgB,UAAU,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,OAAO,GAAG,OAAO,CAE1D;AAED;;;;;;;;;;GAUG;AACH,wBAAsB,QAAQ,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC,CAU7D"}

package/dist/a2a/utils.js

@@ -0,0 +1,70 @@
+/**
+ * A2A Utility Functions
+ * @module a2a/utils
+ */
+import * as u8a from 'uint8arrays';
+import { verifiedFetch } from '@helia/verified-fetch';
+const textEncoder = new TextEncoder();
+const textDecoder = new TextDecoder();
+/**
+ * Base64URL encode a string
+ */
+export function base64UrlEncode(str) {
+    return u8a.toString(textEncoder.encode(str), 'base64url');
+}
+/**
+ * Decode base64url to JSON
+ */
+export function decodeBase64UrlJson(str) {
+    const json = textDecoder.decode(u8a.fromString(str, 'base64url'));
+    return JSON.parse(json);
+}
+/**
+ * Normalize JSON for comparison
+ */
+export function normalizeJson(value) {
+    if (Array.isArray(value)) {
+        return value.map(normalizeJson);
+    }
+    if (value && typeof value === 'object') {
+        const record = value;
+        return Object.keys(record)
+            .sort()
+            .reduce((acc, key) => {
+            acc[key] = normalizeJson(record[key]);
+            return acc;
+        }, {});
+    }
+    return value;
+}
+/**
+ * Compare JSON objects for equality
+ */
+export function jsonEquals(a, b) {
+    return JSON.stringify(normalizeJson(a)) === JSON.stringify(normalizeJson(b));
+}
+/**
+ * Fetch content from URI with cryptographic verification for IPFS content
+ *
+ * - For ipfs:// and ipns:// URIs: Uses @helia/verified-fetch for trustless content retrieval
+ *   with CID verification, multiple gateway fallbacks, and tamper detection
+ * - For http:// and https:// URIs: Uses standard fetch (assumes TLS provides sufficient security)
+ *
+ * @param uri - URI to fetch (http://, https://, ipfs://, or ipns://)
+ * @returns Fetch response
+ * @throws Error if URI scheme is unsupported or verification fails
+ */
+export async function fetchUri(uri) {
+    if (uri.startsWith('ipfs://') || uri.startsWith('ipns://')) {
+        // Use verified fetch for IPFS/IPNS content (cryptographic verification + multiple gateways)
+        return verifiedFetch(uri);
+    }
+    else if (uri.startsWith('http://') || uri.startsWith('https://')) {
+        // Use standard fetch for HTTP/HTTPS (TLS provides transport security)
+        return fetch(uri);
+    }
+    else {
+        throw new Error(`Unsupported URI scheme: ${uri}`);
+    }
+}
+//# sourceMappingURL=utils.js.map

package/dist/a2a/utils.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"utils.js","sourceRoot":"","sources":["../../src/a2a/utils.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,OAAO,KAAK,GAAG,MAAM,aAAa,CAAC;AACnC,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AAEtD,MAAM,WAAW,GAAG,IAAI,WAAW,EAAE,CAAC;AACtC,MAAM,WAAW,GAAG,IAAI,WAAW,EAAE,CAAC;AAEtC;;GAEG;AACH,MAAM,UAAU,eAAe,CAAC,GAAW;IACzC,OAAO,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,WAAW,CAAC,CAAC;AAC5D,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB,CAAC,GAAW;IAC7C,MAAM,IAAI,GAAG,WAAW,CAAC,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,EAAE,WAAW,CAAC,CAAC,CAAC;IAClE,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,aAAa,CAAC,KAAc;IAC1C,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,KAAK,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;IAClC,CAAC;IACD,IAAI,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QACvC,MAAM,MAAM,GAAG,KAAgC,CAAC;QAChD,OAAO,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC;aACvB,IAAI,EAAE;aACN,MAAM,CAA0B,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;YAC5C,GAAG,CAAC,GAAG,CAAC,GAAG,aAAa,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;YACtC,OAAO,GAAG,CAAC;QACb,CAAC,EAAE,EAAE,CAAC,CAAC;IACX,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,UAAU,CAAC,CAAU,EAAE,CAAU;IAC/C,OAAO,IAAI,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,CAAC;AAC/E,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,CAAC,KAAK,UAAU,QAAQ,CAAC,GAAW;IACxC,IAAI,GAAG,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,GAAG,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QAC3D,4FAA4F;QAC5F,OAAO,aAAa,CAAC,GAAG,CAAC,CAAC;IAC5B,CAAC;SAAM,IAAI,GAAG,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,GAAG,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QACnE,sEAAsE;QACtE,OAAO,KAAK,CAAC,GAAG,CAAC,CAAC;IACpB,CAAC;SAAM,CAAC;QACN,MAAM,IAAI,KAAK,CAAC,2BAA2B,GAAG,EAAE,CAAC,CAAC;IACpD,CAAC;AACH,CAAC"}

package/dist/a2a/verification.d.ts

@@ -0,0 +1,42 @@
+/**
+ * AgentCard verification result
+ */
+export interface AgentCardVerificationResult {
+    verified: boolean;
+    signerDid?: string;
+    error?: string;
+}
+/**
+ * A2A Message Signature Verification Result
+ */
+export interface MessageSignatureVerificationResult {
+    valid: boolean;
+    senderDid?: string;
+    error?: string;
+}
+/**
+ * Verify AgentCard signature
+ * @param agentCardUrl - URL to fetch AgentCard from (supports http://, https://, ipfs://)
+ * @returns Verification result with signer DID if successful
+ */
+export declare function verifyAgentCard(agentCardUrl: string): Promise<AgentCardVerificationResult>;
+/**
+ * Verify A2A message JWS signature using DID public key
+ * Follows A2A Protocol 0.3.0: Verifies Agent Card signature first, then message signature
+ *
+ * @param jws - The JWS signature string (compact format)
+ * @returns Verification result with sender DID if successful
+ */
+export declare function verifyA2AMessageSignature(jws: string): Promise<MessageSignatureVerificationResult>;
+/**
+ * Verify A2A request with signature validation and payload integrity check
+ * This is a convenience function for API servers to validate incoming signed requests
+ *
+ * @param request - The signed A2A request (JSON-RPC with signature field)
+ * @returns Verification result with sender DID if successful
+ */
+export declare function verifySignedA2ARequest(request: {
+    signature?: string;
+    [key: string]: unknown;
+}): Promise<MessageSignatureVerificationResult>;
+//# sourceMappingURL=verification.d.ts.map

package/dist/a2a/verification.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verification.d.ts","sourceRoot":"","sources":["../../src/a2a/verification.ts"],"names":[],"mappings":"AAyBA;;GAEG;AACH,MAAM,WAAW,2BAA2B;IAC1C,QAAQ,EAAE,OAAO,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;GAEG;AACH,MAAM,WAAW,kCAAkC;IACjD,KAAK,EAAE,OAAO,CAAC;IACf,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;;;GAIG;AACH,wBAAsB,eAAe,CACnC,YAAY,EAAE,MAAM,GACnB,OAAO,CAAC,2BAA2B,CAAC,CAyDtC;AAED;;;;;;GAMG;AACH,wBAAsB,yBAAyB,CAC7C,GAAG,EAAE,MAAM,GACV,OAAO,CAAC,kCAAkC,CAAC,CA8D7C;AAED;;;;;;GAMG;AACH,wBAAsB,sBAAsB,CAC1C,OAAO,EAAE;IAAE,SAAS,CAAC,EAAE,MAAM,CAAC;IAAC,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAA;CAAE,GACtD,OAAO,CAAC,kCAAkC,CAAC,CA4B7C"}