Add zcap policy and refresh features.

.github/workflows/main.yaml

@@ -8,7 +8,7 @@ jobs:
     timeout-minutes: 10
     strategy:
       matrix:
-        node-version: [22.x]
+        node-version: [24.x]
     steps:
     - uses: actions/checkout@v4
     - name: Use Node.js ${{ matrix.node-version }}
@@ -29,7 +29,7 @@ jobs:
           - 27017:27017
     strategy:
       matrix:
-        node-version: [20.x, 22.x]
+        node-version: [22.x, 24.x]
     steps:
     - uses: actions/checkout@v4
     - name: Use Node.js ${{ matrix.node-version }}
@@ -55,7 +55,7 @@ jobs:
           - 27017:27017
     strategy:
       matrix:
-        node-version: [22.x]
+        node-version: [24.x]
     steps:
     - uses: actions/checkout@v4
     - name: Use Node.js ${{ matrix.node-version }}

CHANGELOG.md

@@ -1,5 +1,21 @@
 # bedrock-profile-http ChangeLog
 
+## 26.2.0 - 2025-10-dd
+
+### Added
+- Add zcap refresh capability. Policies for zcaps can be created per profile
+  and delegate, enabling delegates to auto-refresh previously issued that
+  are compliant with their associated policy. New HTTP routes:
+  - `/profiles/<profileId>/zcaps/policies`: For creating new policies on
+    behalf of a controlling profile.
+  - `/profiles/<profileId>/zcaps/policies/<delegateId>`: For updating
+    and fetching existing policies on behalf of a controlling profile.
+  - `/profiles/<profileId>/zcaps/policies/<delegateId>/refresh`: For delegates
+    to refresh their zcaps according to the matching policy, if any.
+  - `/profiles/<profileId>/zcaps/policies/<delegateId>/refresh/policy`: For
+    delegates to view any elements exposed by the controller (profile) of
+    the policy associated with this endpoint.
+
 ## 26.1.0 - 2025-09-19
 
 ### Added

lib/config.js

@@ -14,11 +14,33 @@ cfg.routes = {
   basePath
 };
 
+cfg.caches = {
+  // refreshed zcap cache
+  refreshedZcap: {
+    // zcaps are not typically large objects (hundreds of bytes); but this
+    // cache isn't expected to be used frequently either, just for zcap refresh
+    // retries or misbehaving zcap refresh clients
+    max: 100,
+    ttl: 5 * 60 * 1000
+  }
+};
+
+// profile agent zcap config
 cfg.zcap = {
-  // default: 24 hour expiration
+  // default: 24 hour TTL for delegated zcaps (when a profile agent's zcaps
+  // are delegated)
   ttl: 24 * 60 * 60 * 1000
 };
 
+// for middleware that uses zcap-authz
+cfg.authorizeZcapInvocationOptions = {
+  maxChainLength: 10,
+  // 300 second clock skew permitted by default
+  maxClockSkew: 300,
+  // 1 year max TTL by default
+  maxDelegationTtl: 1 * 60 * 60 * 24 * 365 * 1000
+};
+
 // default products (if none specified in request)
 cfg.defaultProducts = {
   // mock ID for default edv service product
@@ -67,3 +89,12 @@ cfg.interactions = {
   */
   types: {}
 };
+
+// optional default limits on number of profile agents, zcap policies etc.
+cfg.limits = {
+  // limit per account; -1 is unlimited; default to -1 for backwards compat;
+  // future version may set another default limit, e.g., 1000
+  profileAgents: -1,
+  // limit per profile; -1 is unlimited; default to 1000
+  zcapPolicies: 1000
+};

lib/documentLoader.js

@@ -0,0 +1,27 @@
+/*!
+ * Copyright (c) 2018-2022 Digital Bazaar, Inc. All rights reserved.
+ */
+import {documentLoader as brDocumentLoader}
+  from '@bedrock/jsonld-document-loader';
+import {didIo} from '@bedrock/did-io';
+
+import '@bedrock/did-context';
+import '@bedrock/security-context';
+import '@bedrock/veres-one-context';
+
+// load config defaults
+import './config.js';
+
+export async function documentLoader(url) {
+  if(url.startsWith('did:')) {
+    const document = await didIo.get({did: url});
+    return {
+      contextUrl: null,
+      documentUrl: url,
+      document
+    };
+  }
+
+  // finally, try the bedrock document loader
+  return brDocumentLoader(url);
+}

lib/helpers.js

@@ -0,0 +1,26 @@
+/*!
+ * Copyright (c) 2020-2025 Digital Bazaar, Inc. All rights reserved.
+ */
+import * as bedrock from '@bedrock/core';
+import {ZCAP_CLIENT} from './zcapClient.js';
+
+export async function createMeter({controller, productId, capability} = {}) {
+  let url;
+  if(capability) {
+    url = capability.invocationTarget;
+  } else {
+    // only use `url` from config if `capability` is not provided
+    ({url} = bedrock.config['profile-http'].meterService);
+  }
+
+  // create a meter
+  let meter = {controller, product: {id: productId}};
+  ({data: {meter}} = await ZCAP_CLIENT.write({url, json: meter, capability}));
+
+  // return fully qualified meter ID
+  const {id} = meter;
+  // ensure `URL` terminates at `/meters` -- in case zcap invocation target
+  // was attenuated
+  url = url.slice(0, url.indexOf('/meters') + '/meters'.length);
+  return {id: `${url}/${id}`};
+}