kavachos 0.0.6 → 0.1.1

package/README.md

@@ -1,69 +1,202 @@
-# kavachos
+<p align="center">
+  <img src="https://kavachos.com/logo.svg" height="64" alt="KavachOS" />
+</p>
 
-Auth OS for AI agents. Identity, permissions, delegation, and audit.
+<h1 align="center">kavachos</h1>
 
-[![npm](https://img.shields.io/npm/v/kavachos)](https://www.npmjs.com/package/kavachos)
-[![license](https://img.shields.io/badge/license-MIT-blue)](https://github.com/kavachos/kavachos/blob/main/LICENSE)
+<p align="center">
+  <strong>The auth OS for AI agents and humans</strong><br />
+  Identity, permissions, delegation, and audit for the agentic era.
+</p>
 
-## Install
+<p align="center">
+  <a href="https://www.npmjs.com/package/kavachos"><img src="https://img.shields.io/npm/v/kavachos?style=flat-square&color=c9a84c" alt="npm" /></a>
+  <a href="https://www.npmjs.com/package/kavachos"><img src="https://img.shields.io/npm/dm/kavachos?style=flat-square&color=c9a84c" alt="downloads" /></a>
+  <a href="https://github.com/kavachos/kavachos/actions"><img src="https://img.shields.io/github/actions/workflow/status/kavachos/kavachos/ci.yml?style=flat-square&label=tests" alt="tests" /></a>
+  <a href="https://github.com/kavachos/kavachos/blob/main/LICENSE"><img src="https://img.shields.io/badge/license-MIT-blue?style=flat-square" alt="MIT" /></a>
+  <a href="https://www.typescriptlang.org/"><img src="https://img.shields.io/badge/TypeScript-strict-blue?style=flat-square" alt="TypeScript" /></a>
+  <a href="https://docs.kavachos.com"><img src="https://img.shields.io/badge/docs-kavachos.com-c9a84c?style=flat-square" alt="docs" /></a>
+</p>
 
-```bash
+<p align="center">
+  <a href="https://docs.kavachos.com/docs/quickstart">Quickstart</a> &middot;
+  <a href="https://docs.kavachos.com/docs">Documentation</a> &middot;
+  <a href="https://github.com/kavachos/kavachos/tree/main/examples">Examples</a> &middot;
+  <a href="https://app.kavachos.com">KavachOS Cloud</a>
+</p>
+
+---
+
+## Why kavachos?
+
+Every auth library handles human login. None of them handle **AI agent identity**. KavachOS gives every agent its own bearer token, scoped permissions, delegation chains, and an immutable audit trail. Plus full human auth (14 methods, 27+ OAuth providers, passkeys, SSO) so you don't need two auth systems.
+
+```
 npm install kavachos
-# or
-pnpm add kavachos
 ```
 
 ## Quick start
 
 ```typescript
-import { createKavach } from 'kavachos';
+import { createKavach } from "kavachos";
+import { emailPassword } from "kavachos/auth";
 
 const kavach = createKavach({
-  database: { provider: 'sqlite', url: 'kavach.db' },
+  database: { provider: "sqlite", url: "kavach.db" },
+  plugins: [emailPassword()],
 });
 
-// Create an agent with scoped permissions
+// Create an AI agent with scoped permissions
 const agent = await kavach.agent.create({
-  ownerId: 'user-123',
-  name: 'github-reader',
-  type: 'autonomous',
+  ownerId: "user-123",
+  name: "github-reader",
+  type: "autonomous",
   permissions: [
-    { resource: 'mcp:github:*', actions: ['read'] },
-    {
-      resource: 'mcp:deploy:production',
-      actions: ['execute'],
-      constraints: { requireApproval: true },
-    },
+    { resource: "mcp:github:*", actions: ["read"] },
+    { resource: "mcp:deploy:production", actions: ["execute"],
+      constraints: { requireApproval: true } },
   ],
 });
 
-// Authorize an action
+// Authorize and audit (< 1ms)
 const result = await kavach.authorize(agent.id, {
-  action: 'read',
-  resource: 'mcp:github:repos',
+  action: "read",
+  resource: "mcp:github:repos",
 });
-// { allowed: true, auditId: 'aud_...' }
+// { allowed: true, auditId: "aud_..." }
+```
+
+## Features
+
+<table>
+<tr>
+<td width="50%">
+
+### Agent identity
+- Cryptographic bearer tokens (`kv_...`)
+- Wildcard permission matching (`mcp:github:*`)
+- Delegation chains with depth limits
+- Immutable audit trail
+- Trust scoring and anomaly detection
+- Budget policies and cost attribution
+- CIBA-style human approval flows
+
+</td>
+<td width="50%">
+
+### Human auth (14 methods)
+- Email + password
+- Magic link, email OTP
+- Passkey / WebAuthn
+- TOTP 2FA
+- Phone SMS
+- Google One-tap
+- Sign In With Ethereum
+- Anonymous auth
+- Session freshness enforcement
+
+</td>
+</tr>
+<tr>
+<td>
+
+### OAuth (27+ providers)
+Google, GitHub, Apple, Microsoft, Discord, Slack, GitLab, LinkedIn, Twitter/X, Facebook, Spotify, Twitch, Reddit, Notion, plus a generic OIDC factory for any provider.
+
+</td>
+<td>
+
+### MCP OAuth 2.1
+Spec-compliant authorization server for Model Context Protocol. PKCE S256, RFC 9728 / 8707 / 8414 / 7591.
+
+</td>
+</tr>
+<tr>
+<td>
+
+### Enterprise
+Organizations + RBAC, SAML SSO, SCIM directory sync, admin controls, API key management, multi-tenant isolation, GDPR compliance.
+
+</td>
+<td>
+
+### Edge compatible
+Runs on Cloudflare Workers (D1), Deno, Bun, and Node.js. Only 3 runtime deps: `drizzle-orm`, `jose`, `zod`.
 
-// Query the audit trail
-const logs = await kavach.audit.query({ agentId: agent.id });
+</td>
+</tr>
+</table>
+
+### Security
+
+Rate limiting (per-agent and per-IP) &middot; HIBP breach checking &middot; CSRF protection &middot; httpOnly secure cookies &middot; Email enumeration prevention &middot; Trusted device windows &middot; Password reset with signed tokens
+
+## Framework adapters
+
+Works with every major framework:
+
+| Framework | Package | Framework | Package |
+|-----------|---------|-----------|---------|
+| **Hono** | `@kavachos/hono` | **Nuxt** | `@kavachos/nuxt` |
+| **Express** | `@kavachos/express` | **SvelteKit** | `@kavachos/sveltekit` |
+| **Next.js** | `@kavachos/nextjs` | **Astro** | `@kavachos/astro` |
+| **Fastify** | `@kavachos/fastify` | **NestJS** | `@kavachos/nestjs` |
+
+## Client libraries
+
+| Package | What |
+|---------|------|
+| `@kavachos/react` | KavachProvider + hooks |
+| `@kavachos/vue` | Vue 3 plugin + composables |
+| `@kavachos/svelte` | Svelte stores |
+| `@kavachos/ui` | 7 pre-built auth components (SignIn, SignUp, UserButton...) |
+| `@kavachos/expo` | React Native / Expo |
+| `@kavachos/electron` | Electron desktop |
+| `@kavachos/client` | Zero-dep TypeScript REST client |
+
+## Databases
+
+SQLite, PostgreSQL, MySQL, Cloudflare D1, libSQL (Turso). Tables are auto-created on first run.
+
+```typescript
+// Cloudflare Workers + D1
+createKavach({ database: { provider: "d1", binding: env.KAVACH_DB } });
+
+// PostgreSQL
+createKavach({ database: { provider: "postgres", url: process.env.DATABASE_URL } });
+```
+
+## Plugins
+
+Auth methods are plugins. Enable what you need:
+
+```typescript
+import {
+  emailPassword, magicLink, passkey, totp,
+  organizations, sso, admin, apiKeys, webhooks,
+} from "kavachos/auth";
+
+createKavach({
+  database: { provider: "sqlite", url: "kavach.db" },
+  plugins: [emailPassword(), magicLink({ sendMagicLink }), passkey(), totp()],
+});
 ```
 
-## What's included
+## KavachOS Cloud
 
-- **Agent identity** - create, scope, revoke, and rotate agent credentials. Each agent gets an opaque bearer token (`kv_...`) and a permanent audit identity.
-- **Permission engine** - resource-based access control with colon-separated hierarchies (`mcp:github:*`) and wildcard matching. Constraints support rate limits, time windows, and human-in-the-loop approval gates.
-- **Delegation chains** - an orchestrator can delegate a subset of its permissions to a sub-agent, with depth limits and expiry. Chains are auditable and revocable at any point.
-- **Audit trail** - every authorization decision is written to an immutable log. Export as JSON or CSV for EU AI Act Article 12, SOC 2 CC6.1-CC7.2, and ISO 42001 compliance.
-- **MCP OAuth 2.1** - spec-compliant authorization server for the Model Context Protocol, with PKCE (S256), Protected Resource Metadata (RFC 9728), and Resource Indicators (RFC 8707).
+Don't want to self-host? [KavachOS Cloud](https://app.kavachos.com) is the managed version with dashboard, billing, and zero infrastructure.
 
-## Full docs
+| | Free | Starter | Growth | Scale |
+|---|---|---|---|---|
+| MAU | 1,000 | 10,000 | 50,000 | 200,000 |
+| Price | $0 | $29/mo | $79/mo | $199/mo |
 
-[kavachos.com/docs](https://kavachos.com/docs)
+[Start free](https://app.kavachos.com/sign-up) &middot; [Compare plans](https://kavachos.com/pricing) &middot; [Self-host instead](https://docs.kavachos.com/docs/quickstart)
 
-## Source
+## Documentation
 
-[github.com/kavachos/kavachos](https://github.com/kavachos/kavachos)
+Full docs at **[docs.kavachos.com](https://docs.kavachos.com/docs)**
 
 ## License
 
-MIT
+[MIT](https://github.com/kavachos/kavachos/blob/main/LICENSE)

package/dist/a2a/index.d.ts

@@ -1,8 +1,9 @@
 import * as jose from 'jose';
-import { A as AgentIdentity } from '../types-W8X0PXE7.js';
+import { A as AgentIdentity } from '../types-5Ua5KlPc.js';
 import { z } from 'zod';
 import { R as Result } from '../types-BuHrZcjE.js';
 import 'drizzle-orm/sqlite-core';
+import '../redirect/index.js';
 
 /**
  * A2A (Agent-to-Agent) protocol types for KavachOS.

package/dist/a2a/index.js

@@ -1,8 +1,13 @@
-import { generateId } from '../chunk-QCRHJMDX.js';
-import '../chunk-NSBPE2FW.js';
 import * as jose from 'jose';
 import { z } from 'zod';
 
+// src/a2a/agent-card.ts
+
+// src/crypto/web-crypto.ts
+function generateId() {
+  return globalThis.crypto.randomUUID();
+}
+new TextEncoder();
 var A2A_PROTOCOL_VERSION = "0.3";
 var A2A_JSONRPC_VERSION = "2.0";
 var A2A_WELL_KNOWN_PATH = "/.well-known/agent.json";