protect-mcp 0.6.2 → 0.6.3

package/dist/cli.mjs

@@ -145,8 +145,8 @@ async function handleInit(argv) {
   let keypair;
   {
     const { randomBytes } = await import("crypto");
-    const { ed25519 } = await import("./ed25519-DZMMNNVE.mjs");
-    const { bytesToHex } = await import("./utils-6AYZFE5A.mjs");
+    const { ed25519 } = await import("@noble/curves/ed25519");
+    const { bytesToHex } = await import("@noble/hashes/utils");
     const privateKey = randomBytes(32);
     const publicKey = ed25519.getPublicKey(privateKey);
     keypair = {
@@ -765,8 +765,8 @@ ${bold("protect-mcp quickstart")}
   const { randomBytes } = await import("crypto");
   let keypair;
   try {
-    const { ed25519 } = await import("./ed25519-DZMMNNVE.mjs");
-    const { bytesToHex } = await import("./utils-6AYZFE5A.mjs");
+    const { ed25519 } = await import("@noble/curves/ed25519");
+    const { bytesToHex } = await import("@noble/hashes/utils");
     const privateKey = randomBytes(32);
     const publicKey = ed25519.getPublicKey(privateKey);
     keypair = {
@@ -1111,8 +1111,8 @@ ${bold("protect-mcp init-hooks")}
     if (!existsSync(keysDir)) mkdirSync(keysDir, { recursive: true });
     const { randomBytes: rb } = await import("crypto");
     try {
-      const { ed25519 } = await import("./ed25519-DZMMNNVE.mjs");
-      const { bytesToHex } = await import("./utils-6AYZFE5A.mjs");
+      const { ed25519 } = await import("@noble/curves/ed25519");
+      const { bytesToHex } = await import("@noble/hashes/utils");
       const privateKey = rb(32);
       const publicKey = ed25519.getPublicKey(privateKey);
       writeFileSync(keyPath, JSON.stringify({

package/dist/index.d.mts

@@ -2019,6 +2019,29 @@ interface ApprovalResult {
     contextHash: string;
     /** Timestamp of approval */
     approvedAt: string;
+    /** On failure, a machine-readable reason (e.g. 'invalid_signature'). */
+    reason?: string;
+}
+/**
+ * The registered credential public key, extracted from the COSE_Key at
+ * registration. ES256 keys are an uncompressed P-256 point; EdDSA keys are a
+ * 32-byte Ed25519 public key.
+ */
+interface CredentialPublicKey {
+    /** COSE algorithm: -7 = ES256 (P-256 / ECDSA), -8 = EdDSA (Ed25519). */
+    alg: -7 | -8;
+    /** Public key, hex. ES256: 65-byte uncompressed point (0x04 || x || y). EdDSA: 32-byte key. */
+    publicKeyHex: string;
+}
+interface VerifyAssertionOptions {
+    /** Allowed origin(s) the assertion must come from, e.g. 'https://app.scopeblind.com'. Defaults to https://<rpId>. */
+    expectedOrigin?: string | string[];
+    /** Require the UV (user-verified / biometric or PIN) flag. Default true. */
+    requireUserVerification?: boolean;
+    /** The signCount stored from the previous assertion; a non-increasing counter signals a cloned authenticator. */
+    prevSignCount?: number;
+    /** Override 'now' (ms) for testing. */
+    now?: number;
 }
 /**
  * Create a WebAuthn challenge for approving a tool call.
@@ -2055,17 +2078,22 @@ declare function toCredentialRequestOptions(challenge: ApprovalChallenge, allowC
     };
 };
 /**
- * Verify a WebAuthn assertion from the client.
- *
- * This is a simplified verification that checks the structure
- * and extracts the authenticator data. For production use with
- * full signature verification, use the @simplewebauthn/server package.
- *
- * @param challenge - The original challenge
- * @param assertion - The assertion from navigator.credentials.get()
- * @returns ApprovalResult with verification details
- */
-declare function verifyApprovalAssertion(challenge: ApprovalChallenge, assertion: ApprovalAssertion): ApprovalResult;
+ * Verify a WebAuthn assertion: full, fail-closed verification of a passkey or
+ * security-key co-sign. This proves a SPECIFIC human authorized a SPECIFIC
+ * action with a hardware-held key the host operator cannot exfiltrate. It
+ * checks, in order: challenge freshness; clientDataJSON type, challenge, and
+ * origin; the rpIdHash; the UP (and, by default, UV) flags; the authenticator
+ * signature over authenticatorData || SHA-256(clientDataJSON) using the
+ * registered credential public key (ES256 or EdDSA); and signCount monotonicity
+ * (clone detection) when a previous count is supplied. Any failure returns
+ * valid:false with a reason; nothing is trusted on a partial check.
+ *
+ * @param challenge - the original challenge
+ * @param assertion - the assertion from navigator.credentials.get()
+ * @param credentialPublicKey - the registered public key for assertion.credentialId
+ * @param opts - origin / UV / signCount / clock options
+ */
+declare function verifyApprovalAssertion(challenge: ApprovalChallenge, assertion: ApprovalAssertion, credentialPublicKey?: CredentialPublicKey, opts?: VerifyAssertionOptions): ApprovalResult;
 /**
  * Create the approval receipt payload for embedding in an Acta receipt.
  *

package/dist/index.d.ts

@@ -2019,6 +2019,29 @@ interface ApprovalResult {
     contextHash: string;
     /** Timestamp of approval */
     approvedAt: string;
+    /** On failure, a machine-readable reason (e.g. 'invalid_signature'). */
+    reason?: string;
+}
+/**
+ * The registered credential public key, extracted from the COSE_Key at
+ * registration. ES256 keys are an uncompressed P-256 point; EdDSA keys are a
+ * 32-byte Ed25519 public key.
+ */
+interface CredentialPublicKey {
+    /** COSE algorithm: -7 = ES256 (P-256 / ECDSA), -8 = EdDSA (Ed25519). */
+    alg: -7 | -8;
+    /** Public key, hex. ES256: 65-byte uncompressed point (0x04 || x || y). EdDSA: 32-byte key. */
+    publicKeyHex: string;
+}
+interface VerifyAssertionOptions {
+    /** Allowed origin(s) the assertion must come from, e.g. 'https://app.scopeblind.com'. Defaults to https://<rpId>. */
+    expectedOrigin?: string | string[];
+    /** Require the UV (user-verified / biometric or PIN) flag. Default true. */
+    requireUserVerification?: boolean;
+    /** The signCount stored from the previous assertion; a non-increasing counter signals a cloned authenticator. */
+    prevSignCount?: number;
+    /** Override 'now' (ms) for testing. */
+    now?: number;
 }
 /**
  * Create a WebAuthn challenge for approving a tool call.
@@ -2055,17 +2078,22 @@ declare function toCredentialRequestOptions(challenge: ApprovalChallenge, allowC
     };
 };
 /**
- * Verify a WebAuthn assertion from the client.
- *
- * This is a simplified verification that checks the structure
- * and extracts the authenticator data. For production use with
- * full signature verification, use the @simplewebauthn/server package.
- *
- * @param challenge - The original challenge
- * @param assertion - The assertion from navigator.credentials.get()
- * @returns ApprovalResult with verification details
- */
-declare function verifyApprovalAssertion(challenge: ApprovalChallenge, assertion: ApprovalAssertion): ApprovalResult;
+ * Verify a WebAuthn assertion: full, fail-closed verification of a passkey or
+ * security-key co-sign. This proves a SPECIFIC human authorized a SPECIFIC
+ * action with a hardware-held key the host operator cannot exfiltrate. It
+ * checks, in order: challenge freshness; clientDataJSON type, challenge, and
+ * origin; the rpIdHash; the UP (and, by default, UV) flags; the authenticator
+ * signature over authenticatorData || SHA-256(clientDataJSON) using the
+ * registered credential public key (ES256 or EdDSA); and signCount monotonicity
+ * (clone detection) when a previous count is supplied. Any failure returns
+ * valid:false with a reason; nothing is trusted on a partial check.
+ *
+ * @param challenge - the original challenge
+ * @param assertion - the assertion from navigator.credentials.get()
+ * @param credentialPublicKey - the registered public key for assertion.credentialId
+ * @param opts - origin / UV / signCount / clock options
+ */
+declare function verifyApprovalAssertion(challenge: ApprovalChallenge, assertion: ApprovalAssertion, credentialPublicKey?: CredentialPublicKey, opts?: VerifyAssertionOptions): ApprovalResult;
 /**
  * Create the approval receipt payload for embedding in an Acta receipt.
  *