Skip to content

Delegation engine with optional Cedar authorization #550

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
cykoder merged 53 commits into from
Dec 1, 2025
Merged

Delegation engine with optional Cedar authorization #550

cykoder merged 53 commits into from
Dec 1, 2025

Conversation

@cykoder
Copy link
Member

@cykoder cykoder commented Nov 14, 2025

No description provided.

cykoder added 30 commits November 6, 2025 18:37
@cykoder
Use queryDidDoc method
524cc9a
@cykoder
Try diff tags
7978456
@cykoder
Upgrade cheqd sdk, fix method
872f901
@cykoder
downgrade cheqd sdk
bc2a964
@cykoder
Manually use toSpecCompliantPayload
49fe55b
@cykoder
Changeset
1825131
@cykoder
Image tag pin
f3dae54
@cykoder
Fix overwriting of Dock SDK contexts
3339717
@cykoder
Initial
d40d3c8
@cykoder
remove allCredentials from buildRifyPremisesFromChain
99ef360
@cykoder
Intiial lint
b03845a
@cykoder
stash
c76e38d
@cykoder
fix jsonld summarize, refactor
adb8442
@cykoder
failOnUnauthorizedClaims flag
886ecb3
@cykoder
cedar auth as authorizeClaims callback
27025ec
@cykoder
support presentation with singular credentials too
7ced846
@cykoder
Split cedar logic from delegation checks
186c9c7
@cykoder
cedar policy resource is credential type
7a37c30
@cykoder
exports
9a0c106
@cykoder
package.json tweaks
7caf980
@cykoder
pass cedar as argument so caller can import however they want
57af72c
@cykoder
update public exports
b59dc73
@cykoder
some JSDocs, buildAuthorizationInputsFromEvaluation method
1c1fb16
@cykoder
refactor/restructure cedar methods
58fc71c
@cykoder
more cleanup
99e2d7e
@cykoder
build types
9c6395a
@cykoder
solidify context IRIS
fa6b5ae
@cykoder
Lint fixes
b1e2927
@cykoder
Unit tests
4d0c63b
@cykoder
rename to @docknetwork/vc-delegation-engine
450ee4e
@cykoder cykoder changed the title Delegation engine with cedar Delegation engine with optional Cedar authorization Nov 14, 2025
mike-parkhill
mike-parkhill reviewed Nov 19, 2025
View reviewed changes
examples/src/delegation.js Outdated
issuanceDate: new Date().toISOString(),
credentialSubject: {
id: DELEGATE_DID,
[MAY_CLAIM_IRI]: ['creditScore'],
Copy link
Contributor

@mike-parkhill mike-parkhill Nov 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do you have an example of referencing a nested attribute anywhere?

Copy link
Member Author

@cykoder cykoder Nov 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

initially i thought of this with just root level claims, but i think itd be useful to support jsonpath based claims too for more complex scenarios. will update

Copy link
Member Author

@cykoder cykoder Nov 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

added tests and this example also now uses nested attributes too via jsonpath

mike-parkhill
mike-parkhill reviewed Nov 19, 2025
View reviewed changes
packages/credential-sdk/src/vc/presentations.js

const DELEGATION_TYPE_URIS = new Set([
'DelegationCredential',
'https://ld.truvera.io/credentials/delegation#DelegationCredential',
Copy link
Contributor

@mike-parkhill mike-parkhill Nov 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do all delegated credentials need to include this context?

Copy link
Member Author

@cykoder cykoder Nov 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this isnt a context but an expanded IRI of the type. but the defined context, yes all delegation credentials need it as it defines the extensions we use (root credential id etc)

mike-parkhill
mike-parkhill reviewed Nov 19, 2025
View reviewed changes
packages/credential-sdk/src/vc/presentations.js
return { verified, results: [presentation], credentialResults };
}

// Skip proof validation for unsigned
Copy link
Contributor

@mike-parkhill mike-parkhill Nov 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

surprising that we weren't doing this before

Copy link
Member Author

@cykoder cykoder Nov 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we were, i moved it

mike-parkhill
mike-parkhill reviewed Nov 19, 2025
View reviewed changes
packages/vc-delegation-engine/documentation/flow.mermaid
C -->|missing context or id| F
C --> D[Build chains + summaries]
D -->|cycle or missing link| F
D --> E[Generate rify premises & rules]
Copy link
Contributor

@mike-parkhill mike-parkhill Nov 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is rify explained elsewhere? I certainly didn't know what it was until you explained it on the call last week

Copy link
Member Author

@cykoder cykoder Nov 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

its not, thought it might be in the existing claim deduction docs but apparently isnt

mike-parkhill
mike-parkhill reviewed Nov 19, 2025
View reviewed changes
packages/vc-delegation-engine/src/engine.js
@@ -0,0 +1,650 @@
/* eslint-disable sonarjs/cognitive-complexity */
Copy link
Contributor

@mike-parkhill mike-parkhill Nov 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

anything we can do with this file so we don't have to disable the complexity check?

Copy link
Member Author

@cykoder cykoder Nov 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can refactor a few functions into other functions, but not sure if its really worth the effort. at some point it becomes more complex to read with it all split off (also time investment)

if you feel strongly about it we could do that but im fine with the current cognitive complexity of the methods here

mike-parkhill
mike-parkhill reviewed Nov 19, 2025
View reviewed changes
mike-parkhill
mike-parkhill reviewed Nov 19, 2025
View reviewed changes
mike-parkhill
mike-parkhill reviewed Nov 19, 2025
View reviewed changes
mike-parkhill
mike-parkhill reviewed Nov 19, 2025
View reviewed changes
mike-parkhill
mike-parkhill reviewed Nov 19, 2025
View reviewed changes
mike-parkhill
mike-parkhill reviewed Nov 19, 2025
View reviewed changes
Copy link
Contributor

@mike-parkhill mike-parkhill left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Generally looks okay, just a few comments

@cykoder cykoder merged commit 5c8a5d7 into master Dec 1, 2025
12 of 13 checks passed
@cykoder cykoder deleted the feat/delegation-engine-with-cedar branch December 1, 2025 20:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mike-parkhill mike-parkhill mike-parkhill approved these changes

@gasher gasher Awaiting requested review from gasher

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@cykoder @mike-parkhill