@agenticprimitives/mcp-runtime 0.1.0-alpha.2

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Agentic Trust Labs
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,43 @@
+# @agenticprimitives/mcp-runtime
+
+Delegation-aware authorization middleware around the official MCP TypeScript SDK. Eliminates the ~65% code duplication observed across smart-agent's three mature MCP servers (`person-mcp`, `org-mcp`, `people-group-mcp`).
+
+This package is the **decision layer**, not the SDK. The official `@modelcontextprotocol/sdk` already provides tool/resource/prompt registration, transports, and OAuth 2.1+PKCE+RFC-9728+RFC-8707 plumbing (mandated by the 2026-03-15 MCP spec). We add the bridge to `@agenticprimitives/delegation` + `@agenticprimitives/tool-policy`.
+
+See [`spec.md`](./spec.md) → [`specs/205-mcp-runtime.md`](../../specs/205-mcp-runtime.md).
+
+## Quick start
+
+```ts
+import { McpServer } from '@modelcontextprotocol/sdk/server';
+import { withDelegation, createSqliteJtiStore } from '@agenticprimitives/mcp-runtime';
+
+const config = {
+  audience: 'urn:mcp:server:person',
+  chainId: 31337,
+  rpcUrl: process.env.RPC_URL!,
+  delegationManager: process.env.DELEGATION_MANAGER_ADDRESS as `0x${string}`,
+  enforcerMap,
+  jtiStore: createSqliteJtiStore(db, 'token_usage'),
+};
+
+const server = new McpServer({ name: 'person-mcp', version: '0.1.0' });
+
+server.registerTool({
+  name: 'get_profile',
+  inputSchema: { type: 'object', properties: { token: { type: 'string' } } },
+  handler: withDelegation(config, async ({ principal }) => {
+    return db.profiles.findUnique({ where: { ownerAddress: principal } });
+  }),
+});
+```
+
+The handler no longer touches auth. The wrapper performs: HMAC envelope check → session-key signature → EIP-712 hash → on-chain `isRevoked` → ERC-1271 verify → caveat eval (fail-closed) → JTI usage tracking → `tool-policy.evaluatePolicy` → hand `{ principal, grants? }` to the inner handler.
+
+## Cross-delegation
+
+**Removed from the public surface in H7-B.8** (XPKG-002 / EXT-024 closure). The previous `withCrossDelegation` was a stub that unconditionally rejected. Per spec 100 §6, experimental capability lives behind a `./experimental` subpath; when cross-delegation work resumes it lands there. See [`docs/audits/2026-05-packages-contracts-production-readiness.md`](../../docs/audits/2026-05-packages-contracts-production-readiness.md) (PKG-mcp-runtime-001).
+
+## Status
+
+Pre-alpha. Spec stable.

package/dist/declare-resource.d.ts

@@ -0,0 +1,6 @@
+import type { ResourceDefinition } from './types';
+import type { ToolClassification } from '@agenticprimitives/tool-policy';
+export declare function declareResource(def: ResourceDefinition, classification: ToolClassification): ResourceDefinition & {
+    _classification: ToolClassification;
+};
+//# sourceMappingURL=declare-resource.d.ts.map

package/dist/declare-resource.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"declare-resource.d.ts","sourceRoot":"","sources":["../src/declare-resource.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,SAAS,CAAC;AAClD,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,gCAAgC,CAAC;AAEzE,wBAAgB,eAAe,CAC7B,GAAG,EAAE,kBAAkB,EACvB,cAAc,EAAE,kBAAkB,GACjC,kBAAkB,GAAG;IAAE,eAAe,EAAE,kBAAkB,CAAA;CAAE,CAE9D"}

package/dist/declare-resource.js

@@ -0,0 +1,4 @@
+export function declareResource(def, classification) {
+    return Object.assign({}, def, { _classification: classification });
+}
+//# sourceMappingURL=declare-resource.js.map

package/dist/declare-resource.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"declare-resource.js","sourceRoot":"","sources":["../src/declare-resource.ts"],"names":[],"mappings":"AAGA,MAAM,UAAU,eAAe,CAC7B,GAAuB,EACvB,cAAkC;IAElC,OAAO,MAAM,CAAC,MAAM,CAAC,EAAE,EAAE,GAAG,EAAE,EAAE,eAAe,EAAE,cAAc,EAAE,CAAC,CAAC;AACrE,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,7 @@
+export { withDelegation, verifyDelegationForResource, McpAuthError, type McpAuthErrorCode, type PrivateAuthFailureContext, } from './with-delegation';
+export { declareResource } from './declare-resource';
+export { createMemoryJtiStore, createSqliteJtiStore, createPostgresJtiStore, type MigratableJtiStore, } from './jti-stores';
+export { generateServiceMac, verifyServiceMac, bodyDigestHex, } from './service-mac';
+export type { MacProviderLike, ServiceMacContext, ServiceMacHeaders, } from './service-mac';
+export type { Address, Hex, Caveat, DataScopeGrant, Delegation, EnforcerAddressMap, JtiStore, ToolClassification, McpResourceVerifyConfig, ResourceDefinition, BetterSqlite3DatabaseLike, PgPoolLike, } from './types';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAQA,OAAO,EACL,cAAc,EACd,2BAA2B,EAC3B,YAAY,EACZ,KAAK,gBAAgB,EACrB,KAAK,yBAAyB,GAC/B,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AACrD,OAAO,EACL,oBAAoB,EACpB,oBAAoB,EACpB,sBAAsB,EACtB,KAAK,kBAAkB,GACxB,MAAM,cAAc,CAAC;AACtB,OAAO,EACL,kBAAkB,EAClB,gBAAgB,EAChB,aAAa,GACd,MAAM,eAAe,CAAC;AACvB,YAAY,EACV,eAAe,EACf,iBAAiB,EACjB,iBAAiB,GAClB,MAAM,eAAe,CAAC;AAEvB,YAAY,EACV,OAAO,EACP,GAAG,EACH,MAAM,EACN,cAAc,EACd,UAAU,EACV,kBAAkB,EAClB,QAAQ,EACR,kBAAkB,EAClB,uBAAuB,EACvB,kBAAkB,EAClB,yBAAyB,EACzB,UAAU,GACX,MAAM,SAAS,CAAC"}

package/dist/index.js

@@ -0,0 +1,12 @@
+// @agenticprimitives/mcp-runtime — public API
+//
+// See ../../specs/205-mcp-runtime.md for the full contract.
+// H7-B.8: `withCrossDelegation` + `verifyCrossDelegationForResource` removed
+// from the public surface (XPKG-002 / EXT-024 closure). Both were stubs that
+// unconditionally rejected. They will resurface behind `./experimental` per
+// spec 100 §6 when the cross-delegation work resumes.
+export { withDelegation, verifyDelegationForResource, McpAuthError, } from './with-delegation';
+export { declareResource } from './declare-resource';
+export { createMemoryJtiStore, createSqliteJtiStore, createPostgresJtiStore, } from './jti-stores';
+export { generateServiceMac, verifyServiceMac, bodyDigestHex, } from './service-mac';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,8CAA8C;AAC9C,EAAE;AACF,4DAA4D;AAE5D,6EAA6E;AAC7E,6EAA6E;AAC7E,4EAA4E;AAC5E,sDAAsD;AACtD,OAAO,EACL,cAAc,EACd,2BAA2B,EAC3B,YAAY,GAGb,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AACrD,OAAO,EACL,oBAAoB,EACpB,oBAAoB,EACpB,sBAAsB,GAEvB,MAAM,cAAc,CAAC;AACtB,OAAO,EACL,kBAAkB,EAClB,gBAAgB,EAChB,aAAa,GACd,MAAM,eAAe,CAAC"}

package/dist/jti-stores.d.ts

@@ -0,0 +1,46 @@
+import type { JtiStore } from '@agenticprimitives/delegation';
+import type { BetterSqlite3DatabaseLike, PgPoolLike } from './types';
+/**
+ * Sentinel env var. When set to "true", `createMemoryJtiStore` will
+ * construct in production without throwing. Required for one-off
+ * scenarios (CI smoke tests against a prod-built bundle, isolated dev
+ * worker instances). All callers MUST treat this as a loud opt-in — a
+ * one-time `console.warn` is emitted on construction.
+ */
+export declare const ALLOW_MEMORY_JTI_ENV = "AGENTIC_ALLOW_MEMORY_JTI_STORE";
+/**
+ * H7-B.9 / XPKG-005 — explicit environment opt-in. The memory store is
+ * the only JTI store that ships with this package and has cross-isolate
+ * replay-vulnerability; production deploys MUST pass `environment:
+ * 'production'` to gate it on (and supply the `AP_ALLOW_MEMORY_JTI_STORE`
+ * opt-out). The previous `process.env.NODE_ENV` check silently opened on
+ * Cloudflare Workers / SES where `process.env` is undefined.
+ */
+export interface CreateMemoryJtiStoreOpts {
+    environment?: 'production' | 'development';
+}
+export declare function createMemoryJtiStore(opts?: CreateMemoryJtiStoreOpts): JtiStore;
+/**
+ * JtiStore extended with an explicit `migrate()` step. H7-B.6: the SQL /
+ * pg adapters MUST be migrated once at bootstrap before any `trackUsage`
+ * is called. The migrate step is idempotent (`CREATE TABLE IF NOT EXISTS`)
+ * but requires DDL permission — keep it out of the security hot path.
+ */
+export interface MigratableJtiStore extends JtiStore {
+    migrate(): Promise<void>;
+}
+/**
+ * H7-B.6 — SQLite JTI store. Construction no longer issues DDL; call
+ * `await store.migrate()` from your bootstrap before serving traffic.
+ * Calling `trackUsage` without a prior `migrate()` throws a setup error
+ * (NOT a silent noop) so least-privilege deploys fail loud, not silent.
+ */
+export declare function createSqliteJtiStore(db: BetterSqlite3DatabaseLike, table?: string): MigratableJtiStore;
+/**
+ * H7-B.6 — Postgres JTI store. Construction no longer issues DDL; call
+ * `await store.migrate()` from your bootstrap. Calling `trackUsage` without
+ * a prior `migrate()` throws a setup error so a misconfigured least-privilege
+ * deploy fails loud rather than silently disabling replay protection.
+ */
+export declare function createPostgresJtiStore(pool: PgPoolLike, table?: string): MigratableJtiStore;
+//# sourceMappingURL=jti-stores.d.ts.map

package/dist/jti-stores.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jti-stores.d.ts","sourceRoot":"","sources":["../src/jti-stores.ts"],"names":[],"mappings":"AAkBA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,+BAA+B,CAAC;AAC9D,OAAO,KAAK,EAAE,yBAAyB,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAErE;;;;;;GAMG;AACH,eAAO,MAAM,oBAAoB,mCAAmC,CAAC;AAIrE;;;;;;;GAOG;AACH,MAAM,WAAW,wBAAwB;IACvC,WAAW,CAAC,EAAE,YAAY,GAAG,aAAa,CAAC;CAC5C;AAED,wBAAgB,oBAAoB,CAAC,IAAI,GAAE,wBAA6B,GAAG,QAAQ,CAgClF;AAED;;;;;GAKG;AACH,MAAM,WAAW,kBAAmB,SAAQ,QAAQ;IAClD,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;CAC1B;AAED;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAClC,EAAE,EAAE,yBAAyB,EAC7B,KAAK,GAAE,MAAsB,GAC5B,kBAAkB,CAqCpB;AAED;;;;;GAKG;AACH,wBAAgB,sBAAsB,CACpC,IAAI,EAAE,UAAU,EAChB,KAAK,GAAE,MAAsB,GAC5B,kBAAkB,CAgCpB"}

package/dist/jti-stores.js

@@ -0,0 +1,125 @@
+// JtiStore adapters: memory (test), sqlite (demo + many prod), postgres (prod).
+// Each implementation MUST be atomic under concurrent writers per the
+// security invariant in spec 205 §5.
+//
+// H7-B.6 / PKG-MCP-RUNTIME-001 closure (also covers EXT-027). Prior versions
+// ran `CREATE TABLE IF NOT EXISTS …` inside the adapter constructor (sqlite)
+// or lazily on first `trackUsage` (postgres). That coupled the security hot
+// path to runtime DDL permissions:
+//   - Postgres deploys following least-privilege (app role lacks DDL): first
+//     `trackUsage` throws → JTI store down → replay protection silently
+//     disabled (caller swallows → fail-open).
+//   - SQLite: CREATE runs at construction → mig-vs-app race.
+//
+// Fix: explicit `migrate()` step the consumer wires once at bootstrap; the
+// runtime path no longer issues DDL. If `migrate()` was not called and the
+// table is missing, `trackUsage` fails LOUD with a setup error (not a silent
+// noop).
+/**
+ * Sentinel env var. When set to "true", `createMemoryJtiStore` will
+ * construct in production without throwing. Required for one-off
+ * scenarios (CI smoke tests against a prod-built bundle, isolated dev
+ * worker instances). All callers MUST treat this as a loud opt-in — a
+ * one-time `console.warn` is emitted on construction.
+ */
+export const ALLOW_MEMORY_JTI_ENV = 'AGENTIC_ALLOW_MEMORY_JTI_STORE';
+let memoryStoreWarnedOnce = false;
+export function createMemoryJtiStore(opts = {}) {
+    // Production guard — H7-B.9: the caller MUST pass `environment: 'production'`
+    // to opt into the gate. We no longer infer from NODE_ENV (Workers / SES
+    // runtimes don't reliably expose it, leading to silent fall-open).
+    const env = typeof process !== 'undefined' ? (process.env ?? {}) : {};
+    const environment = opts.environment ?? (env.NODE_ENV === 'production' ? 'production' : 'development');
+    if (environment === 'production' && env[ALLOW_MEMORY_JTI_ENV] !== 'true') {
+        throw new Error('[mcp-runtime] createMemoryJtiStore refused: environment="production". ' +
+            'The memory store offers no cross-process replay protection. Use ' +
+            'createSqliteJtiStore / createPostgresJtiStore / a D1-backed store in ' +
+            `production. If you genuinely need to override (e.g., isolated test ` +
+            `worker), set ${ALLOW_MEMORY_JTI_ENV}=true and accept that delegation ` +
+            'tokens are replay-vulnerable across restarts.');
+    }
+    if (environment === 'production' && !memoryStoreWarnedOnce) {
+        console.warn(`[mcp-runtime] ⚠ MEMORY JTI STORE in production — ${ALLOW_MEMORY_JTI_ENV} ` +
+            'is set; delegation-token replay protection is non-durable. Remove this ' +
+            'flag before handling real-value workloads.');
+        memoryStoreWarnedOnce = true;
+    }
+    const usage = new Map();
+    return {
+        async trackUsage(jti, limit) {
+            const current = (usage.get(jti) ?? 0) + 1;
+            usage.set(jti, current);
+            return { usage: current, allowed: current <= limit };
+        },
+    };
+}
+/**
+ * H7-B.6 — SQLite JTI store. Construction no longer issues DDL; call
+ * `await store.migrate()` from your bootstrap before serving traffic.
+ * Calling `trackUsage` without a prior `migrate()` throws a setup error
+ * (NOT a silent noop) so least-privilege deploys fail loud, not silent.
+ */
+export function createSqliteJtiStore(db, table = 'token_usage') {
+    let migrated = false;
+    let upsert = null;
+    const prepareUpsert = () => db.prepare(`INSERT INTO ${table} (jti, usage) VALUES (?, 1)
+       ON CONFLICT(jti) DO UPDATE SET usage = usage + 1
+       RETURNING usage`);
+    return {
+        async migrate() {
+            if (migrated)
+                return;
+            db.prepare(`CREATE TABLE IF NOT EXISTS ${table} (
+          jti TEXT PRIMARY KEY,
+          usage INTEGER NOT NULL DEFAULT 0,
+          first_seen TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP
+        )`).run();
+            upsert = prepareUpsert();
+            migrated = true;
+        },
+        async trackUsage(jti, limit) {
+            if (!migrated || !upsert) {
+                throw new Error(`[mcp-runtime] sqlite JTI store: migrate() was not called before trackUsage. ` +
+                    `Call \`await store.migrate()\` once at bootstrap (it is idempotent). ` +
+                    `H7-B.6 (PKG-MCP-RUNTIME-001 / EXT-027 closure) moved DDL off the hot path.`);
+            }
+            const row = upsert.get(jti);
+            const current = row?.usage ?? 1;
+            return { usage: current, allowed: current <= limit };
+        },
+    };
+}
+/**
+ * H7-B.6 — Postgres JTI store. Construction no longer issues DDL; call
+ * `await store.migrate()` from your bootstrap. Calling `trackUsage` without
+ * a prior `migrate()` throws a setup error so a misconfigured least-privilege
+ * deploy fails loud rather than silently disabling replay protection.
+ */
+export function createPostgresJtiStore(pool, table = 'token_usage') {
+    let migrated = false;
+    return {
+        async migrate() {
+            if (migrated)
+                return;
+            await pool.query(`CREATE TABLE IF NOT EXISTS ${table} (
+          jti TEXT PRIMARY KEY,
+          usage INTEGER NOT NULL DEFAULT 0,
+          first_seen TIMESTAMPTZ NOT NULL DEFAULT NOW()
+        )`);
+            migrated = true;
+        },
+        async trackUsage(jti, limit) {
+            if (!migrated) {
+                throw new Error(`[mcp-runtime] postgres JTI store: migrate() was not called before trackUsage. ` +
+                    `Call \`await store.migrate()\` once at bootstrap (it is idempotent). ` +
+                    `H7-B.6 (PKG-MCP-RUNTIME-001 / EXT-027 closure) moved DDL off the hot path.`);
+            }
+            const res = await pool.query(`INSERT INTO ${table} (jti, usage) VALUES ($1, 1)
+         ON CONFLICT (jti) DO UPDATE SET usage = ${table}.usage + 1
+         RETURNING usage`, [jti]);
+            const current = res.rows[0]?.usage ?? 1;
+            return { usage: current, allowed: current <= limit };
+        },
+    };
+}
+//# sourceMappingURL=jti-stores.js.map

package/dist/jti-stores.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jti-stores.js","sourceRoot":"","sources":["../src/jti-stores.ts"],"names":[],"mappings":"AAAA,gFAAgF;AAChF,sEAAsE;AACtE,qCAAqC;AACrC,EAAE;AACF,6EAA6E;AAC7E,6EAA6E;AAC7E,4EAA4E;AAC5E,mCAAmC;AACnC,6EAA6E;AAC7E,wEAAwE;AACxE,8CAA8C;AAC9C,6DAA6D;AAC7D,EAAE;AACF,2EAA2E;AAC3E,2EAA2E;AAC3E,6EAA6E;AAC7E,SAAS;AAKT;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,oBAAoB,GAAG,gCAAgC,CAAC;AAErE,IAAI,qBAAqB,GAAG,KAAK,CAAC;AAclC,MAAM,UAAU,oBAAoB,CAAC,OAAiC,EAAE;IACtE,8EAA8E;IAC9E,wEAAwE;IACxE,mEAAmE;IACnE,MAAM,GAAG,GAAG,OAAO,OAAO,KAAK,WAAW,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IACtE,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,IAAI,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC;IACvG,IAAI,WAAW,KAAK,YAAY,IAAI,GAAG,CAAC,oBAAoB,CAAC,KAAK,MAAM,EAAE,CAAC;QACzE,MAAM,IAAI,KAAK,CACb,wEAAwE;YACtE,kEAAkE;YAClE,uEAAuE;YACvE,qEAAqE;YACrE,gBAAgB,oBAAoB,mCAAmC;YACvE,+CAA+C,CAClD,CAAC;IACJ,CAAC;IACD,IAAI,WAAW,KAAK,YAAY,IAAI,CAAC,qBAAqB,EAAE,CAAC;QAC3D,OAAO,CAAC,IAAI,CACV,oDAAoD,oBAAoB,GAAG;YACzE,yEAAyE;YACzE,4CAA4C,CAC/C,CAAC;QACF,qBAAqB,GAAG,IAAI,CAAC;IAC/B,CAAC;IACD,MAAM,KAAK,GAAG,IAAI,GAAG,EAAkB,CAAC;IACxC,OAAO;QACL,KAAK,CAAC,UAAU,CAAC,GAAW,EAAE,KAAa;YACzC,MAAM,OAAO,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;YAC1C,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;YACxB,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,IAAI,KAAK,EAAE,CAAC;QACvD,CAAC;KACF,CAAC;AACJ,CAAC;AAYD;;;;;GAKG;AACH,MAAM,UAAU,oBAAoB,CAClC,EAA6B,EAC7B,QAAgB,aAAa;IAE7B,IAAI,QAAQ,GAAG,KAAK,CAAC;IACrB,IAAI,MAAM,GAA4D,IAAI,CAAC;IAE3E,MAAM,aAAa,GAAG,GAAG,EAAE,CACzB,EAAE,CAAC,OAAO,CACR,eAAe,KAAK;;uBAEH,CAClB,CAAC;IAEJ,OAAO;QACL,KAAK,CAAC,OAAO;YACX,IAAI,QAAQ;gBAAE,OAAO;YACrB,EAAE,CAAC,OAAO,CACR,8BAA8B,KAAK;;;;UAIjC,CACH,CAAC,GAAG,EAAE,CAAC;YACR,MAAM,GAAG,aAAa,EAAE,CAAC;YACzB,QAAQ,GAAG,IAAI,CAAC;QAClB,CAAC;QACD,KAAK,CAAC,UAAU,CAAC,GAAW,EAAE,KAAa;YACzC,IAAI,CAAC,QAAQ,IAAI,CAAC,MAAM,EAAE,CAAC;gBACzB,MAAM,IAAI,KAAK,CACb,8EAA8E;oBAC5E,uEAAuE;oBACvE,4EAA4E,CAC/E,CAAC;YACJ,CAAC;YACD,MAAM,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC,GAAG,CAAkC,CAAC;YAC7D,MAAM,OAAO,GAAG,GAAG,EAAE,KAAK,IAAI,CAAC,CAAC;YAChC,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,IAAI,KAAK,EAAE,CAAC;QACvD,CAAC;KACF,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,sBAAsB,CACpC,IAAgB,EAChB,QAAgB,aAAa;IAE7B,IAAI,QAAQ,GAAG,KAAK,CAAC;IACrB,OAAO;QACL,KAAK,CAAC,OAAO;YACX,IAAI,QAAQ;gBAAE,OAAO;YACrB,MAAM,IAAI,CAAC,KAAK,CACd,8BAA8B,KAAK;;;;UAIjC,CACH,CAAC;YACF,QAAQ,GAAG,IAAI,CAAC;QAClB,CAAC;QACD,KAAK,CAAC,UAAU,CAAC,GAAW,EAAE,KAAa;YACzC,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACd,MAAM,IAAI,KAAK,CACb,gFAAgF;oBAC9E,uEAAuE;oBACvE,4EAA4E,CAC/E,CAAC;YACJ,CAAC;YACD,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,KAAK,CAC1B,eAAe,KAAK;mDACuB,KAAK;yBAC/B,EACjB,CAAC,GAAG,CAAC,CACN,CAAC;YACF,MAAM,OAAO,GAAI,GAAG,CAAC,IAAI,CAAC,CAAC,CAAmC,EAAE,KAAK,IAAI,CAAC,CAAC;YAC3E,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,IAAI,KAAK,EAAE,CAAC;QACvD,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/service-mac.d.ts

@@ -0,0 +1,124 @@
+/**
+ * Service-to-service MAC envelope. Audit C1.
+ *
+ * Closes the gap where MCP requests rely solely on bearer delegation
+ * tokens with no route-level service authenticity or replay control.
+ * The MAC binds:
+ *   - `audience` (the MCP server identity, e.g. `urn:mcp:server:person`)
+ *   - `service` (the caller identity, e.g. `a2a-to-mcp`)
+ *   - `route` (the tool name being invoked)
+ *   - `nonce` (one-shot, replay-tracked via JtiStore)
+ *   - `timestamp` (millisecond epoch, clock-skew bounded)
+ *   - `bodyDigest` (sha256 of the raw request body)
+ *
+ * Both sides (a2a caller + mcp verifier) share an HMAC key via
+ * `key-custody.buildMacProvider(...)`. For dev, a local-aes provider
+ * with a shared 32-byte secret. For production, a GCP KMS HMAC key
+ * with IAM scoped to the two service accounts. The wire format is
+ * provider-agnostic.
+ *
+ * Doctrine: MCP runtime stays transport-agnostic. This module ships
+ * pure helpers; the demo's Hono middleware wires them to HTTP headers.
+ */
+import type { Hex } from '@agenticprimitives/types';
+import type { JtiStore } from '@agenticprimitives/delegation';
+import { type AuditSink } from '@agenticprimitives/audit';
+export interface MacProviderLike {
+    readonly keyVersion: string;
+    generateMac?(input: {
+        canonicalMessage: Uint8Array;
+        service: string;
+        audience: string;
+    }): Promise<{
+        mac: Uint8Array;
+        keyId: string;
+    }>;
+}
+export interface ServiceMacContext {
+    /** MCP server identity. Same value MUST be used on both sides. */
+    audience: string;
+    /** Caller identity (e.g. 'a2a-to-mcp'). */
+    service: string;
+    /** Route family — typically the tool name. */
+    route: string;
+    /** sha256 of the raw request body. */
+    bodyDigest: Hex;
+}
+export interface ServiceMacHeaders {
+    /** base64url(HMAC) over the canonical message. */
+    mac: string;
+    /** base64url(16 random bytes). One-shot; tracked via JtiStore. */
+    nonce: string;
+    /** Epoch milliseconds at generate time, as decimal string. */
+    timestamp: string;
+    /** Provider-supplied key ID (for log/forensics + key rotation). */
+    keyId: string;
+}
+/** Hex-encoded sha256 of a body string. Helper for callers. */
+export declare function bodyDigestHex(body: string): Hex;
+/**
+ * Caller side: generate the MAC + headers for an outgoing request.
+ * The provider MUST support `generateMac`.
+ *
+ * H7-F.3 / PKG-MCP-RUNTIME-006 / CT-9 closure — accepts an optional
+ * `auditSink` that receives `mcp-runtime.service-mac.issue` on
+ * successful generation (mirroring the verify side's
+ * `service-mac.{accept,reject}`). The audit row carries `keyId`,
+ * `service`, `audience`, and the `correlationId` the caller threads in,
+ * so a forensics query can join the issue with the corresponding
+ * downstream accept/reject.
+ *
+ * Fail-soft: audit emission failures NEVER break the MAC issuance.
+ */
+export declare function generateServiceMac(args: {
+    ctx: ServiceMacContext;
+    provider: MacProviderLike;
+    /** Override for tests. Production: leave undefined for crypto.randomBytes-derived nonce. */
+    nonce?: Uint8Array;
+    /** Override for tests. Production: leave undefined. */
+    now?: () => number;
+    /** H7-F.3 — emit `mcp-runtime.service-mac.issue` on success. */
+    auditSink?: AuditSink;
+    /** Correlation id stitched into the emitted event. */
+    correlationId?: string;
+}): Promise<ServiceMacHeaders>;
+/**
+ * Verifier side: recompute the MAC + check it matches in constant time,
+ * + check clock skew, + consume the nonce (replay tracking via JtiStore).
+ *
+ * Fail-closed: any failure returns `{ ok: false, reason }`. Callers MUST
+ * NOT echo `reason` to external clients — log it, return generic 401.
+ */
+export declare function verifyServiceMac(args: {
+    ctx: ServiceMacContext;
+    headers: ServiceMacHeaders;
+    provider: MacProviderLike;
+    jtiStore: JtiStore;
+    /** Default 60_000ms. */
+    maxClockSkewMs?: number;
+    now?: () => number;
+    /**
+     * Audit sink (audit C3). When provided, both outcomes emit:
+     *
+     * - On reject: `mcp-runtime.service-mac.reject` with a `reason` string
+     *   classifying the failure (clock skew, mac mismatch, nonce replay,
+     *   malformed input, ...).
+     * - On accept: `mcp-runtime.service-mac.accept` with the keyId + a
+     *   short hash of the consumed nonce.
+     *
+     * Both events fire even when the downstream `withDelegation` wrapper
+     * also emits — service-mac and delegation are separate primitives
+     * with separate threat models, so anomaly detection (accept rate
+     * per primitive, missing-pair detection) needs them as distinct
+     * rows. Per-emit overhead is one D1 INSERT; not worth coalescing.
+     */
+    auditSink?: AuditSink;
+    /** Correlation ID threaded into emitted events. */
+    correlationId?: string;
+}): Promise<{
+    ok: true;
+} | {
+    ok: false;
+    reason: string;
+}>;
+//# sourceMappingURL=service-mac.d.ts.map

package/dist/service-mac.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"service-mac.d.ts","sourceRoot":"","sources":["../src/service-mac.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAGH,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,0BAA0B,CAAC;AACpD,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,+BAA+B,CAAC;AAC9D,OAAO,EAAc,KAAK,SAAS,EAAE,MAAM,0BAA0B,CAAC;AAItE,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,WAAW,CAAC,CAAC,KAAK,EAAE;QAClB,gBAAgB,EAAE,UAAU,CAAC;QAC7B,OAAO,EAAE,MAAM,CAAC;QAChB,QAAQ,EAAE,MAAM,CAAC;KAClB,GAAG,OAAO,CAAC;QAAE,GAAG,EAAE,UAAU,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CACjD;AAED,MAAM,WAAW,iBAAiB;IAChC,kEAAkE;IAClE,QAAQ,EAAE,MAAM,CAAC;IACjB,2CAA2C;IAC3C,OAAO,EAAE,MAAM,CAAC;IAChB,8CAA8C;IAC9C,KAAK,EAAE,MAAM,CAAC;IACd,sCAAsC;IACtC,UAAU,EAAE,GAAG,CAAC;CACjB;AAED,MAAM,WAAW,iBAAiB;IAChC,kDAAkD;IAClD,GAAG,EAAE,MAAM,CAAC;IACZ,kEAAkE;IAClE,KAAK,EAAE,MAAM,CAAC;IACd,8DAA8D;IAC9D,SAAS,EAAE,MAAM,CAAC;IAClB,mEAAmE;IACnE,KAAK,EAAE,MAAM,CAAC;CACf;AAoDD,+DAA+D;AAC/D,wBAAgB,aAAa,CAAC,IAAI,EAAE,MAAM,GAAG,GAAG,CAE/C;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAsB,kBAAkB,CAAC,IAAI,EAAE;IAC7C,GAAG,EAAE,iBAAiB,CAAC;IACvB,QAAQ,EAAE,eAAe,CAAC;IAC1B,4FAA4F;IAC5F,KAAK,CAAC,EAAE,UAAU,CAAC;IACnB,uDAAuD;IACvD,GAAG,CAAC,EAAE,MAAM,MAAM,CAAC;IACnB,gEAAgE;IAChE,SAAS,CAAC,EAAE,SAAS,CAAC;IACtB,sDAAsD;IACtD,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAwC7B;AASD;;;;;;GAMG;AACH,wBAAsB,gBAAgB,CAAC,IAAI,EAAE;IAC3C,GAAG,EAAE,iBAAiB,CAAC;IACvB,OAAO,EAAE,iBAAiB,CAAC;IAC3B,QAAQ,EAAE,eAAe,CAAC;IAC1B,QAAQ,EAAE,QAAQ,CAAC;IACnB,wBAAwB;IACxB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,GAAG,CAAC,EAAE,MAAM,MAAM,CAAC;IACnB;;;;;;;;;;;;;;OAcG;IACH,SAAS,CAAC,EAAE,SAAS,CAAC;IACtB,mDAAmD;IACnD,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB,GAAG,OAAO,CAAC;IAAE,EAAE,EAAE,IAAI,CAAA;CAAE,GAAG;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC,CAkGxD"}

package/dist/service-mac.js

@@ -0,0 +1,260 @@
+/**
+ * Service-to-service MAC envelope. Audit C1.
+ *
+ * Closes the gap where MCP requests rely solely on bearer delegation
+ * tokens with no route-level service authenticity or replay control.
+ * The MAC binds:
+ *   - `audience` (the MCP server identity, e.g. `urn:mcp:server:person`)
+ *   - `service` (the caller identity, e.g. `a2a-to-mcp`)
+ *   - `route` (the tool name being invoked)
+ *   - `nonce` (one-shot, replay-tracked via JtiStore)
+ *   - `timestamp` (millisecond epoch, clock-skew bounded)
+ *   - `bodyDigest` (sha256 of the raw request body)
+ *
+ * Both sides (a2a caller + mcp verifier) share an HMAC key via
+ * `key-custody.buildMacProvider(...)`. For dev, a local-aes provider
+ * with a shared 32-byte secret. For production, a GCP KMS HMAC key
+ * with IAM scoped to the two service accounts. The wire format is
+ * provider-agnostic.
+ *
+ * Doctrine: MCP runtime stays transport-agnostic. This module ships
+ * pure helpers; the demo's Hono middleware wires them to HTTP headers.
+ */
+import { sha256, toHex } from 'viem';
+import { buildEvent } from '@agenticprimitives/audit';
+const VERSION = 'agentic-a2a-mcp-v1';
+const DEFAULT_CLOCK_SKEW_MS = 60_000;
+function canonicalMessage(ctx, nonce, timestamp) {
+    const text = VERSION +
+        '\n' +
+        ctx.audience +
+        '\n' +
+        ctx.service +
+        '\n' +
+        ctx.route +
+        '\n' +
+        nonce +
+        '\n' +
+        timestamp +
+        '\n' +
+        ctx.bodyDigest.toLowerCase();
+    return new TextEncoder().encode(text);
+}
+function base64urlEncode(bytes) {
+    const bin = Array.from(bytes, (b) => String.fromCharCode(b)).join('');
+    const b64 = typeof btoa === 'function'
+        ? btoa(bin)
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        : globalThis.Buffer.from(bytes).toString('base64');
+    return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
+}
+function base64urlDecode(s) {
+    const padded = s.replace(/-/g, '+').replace(/_/g, '/') +
+        '=='.slice((2 - (s.length & 3)) & 3);
+    const bin = typeof atob === 'function'
+        ? atob(padded)
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        : globalThis.Buffer.from(padded, 'base64').toString('binary');
+    const out = new Uint8Array(bin.length);
+    for (let i = 0; i < bin.length; i++)
+        out[i] = bin.charCodeAt(i);
+    return out;
+}
+function constantTimeEqual(a, b) {
+    if (a.length !== b.length)
+        return false;
+    let diff = 0;
+    for (let i = 0; i < a.length; i++)
+        diff |= (a[i] ?? 0) ^ (b[i] ?? 0);
+    return diff === 0;
+}
+/** Hex-encoded sha256 of a body string. Helper for callers. */
+export function bodyDigestHex(body) {
+    return sha256(toHex(body));
+}
+/**
+ * Caller side: generate the MAC + headers for an outgoing request.
+ * The provider MUST support `generateMac`.
+ *
+ * H7-F.3 / PKG-MCP-RUNTIME-006 / CT-9 closure — accepts an optional
+ * `auditSink` that receives `mcp-runtime.service-mac.issue` on
+ * successful generation (mirroring the verify side's
+ * `service-mac.{accept,reject}`). The audit row carries `keyId`,
+ * `service`, `audience`, and the `correlationId` the caller threads in,
+ * so a forensics query can join the issue with the corresponding
+ * downstream accept/reject.
+ *
+ * Fail-soft: audit emission failures NEVER break the MAC issuance.
+ */
+export async function generateServiceMac(args) {
+    if (!args.provider.generateMac) {
+        throw new Error('serviceMac: provider lacks generateMac (use a MAC-capable backend)');
+    }
+    const nonceBytes = args.nonce ?? cryptoRandomBytes(16);
+    const nonce = base64urlEncode(nonceBytes);
+    const timestamp = String((args.now ?? Date.now)());
+    const canonical = canonicalMessage(args.ctx, nonce, timestamp);
+    const { mac, keyId } = await args.provider.generateMac({
+        canonicalMessage: canonical,
+        service: args.ctx.service,
+        audience: args.ctx.audience,
+    });
+    const headers = {
+        mac: base64urlEncode(mac),
+        nonce,
+        timestamp,
+        keyId,
+    };
+    if (args.auditSink) {
+        try {
+            await args.auditSink.write({
+                id: cryptoRandomBytesHex(8),
+                timestamp: new Date().toISOString(),
+                action: 'mcp-runtime.service-mac.issue',
+                outcome: 'success',
+                correlationId: args.correlationId,
+                actor: { type: 'service', id: args.ctx.service },
+                audience: args.ctx.audience,
+                subject: { type: 'service-mac', id: keyId ?? 'unknown' },
+                context: {
+                    route: args.ctx.route,
+                },
+            });
+        }
+        catch {
+            /* H7-F.3: fail-soft. Issuance must not break on audit failure. */
+        }
+    }
+    return headers;
+}
+function cryptoRandomBytesHex(n) {
+    const buf = cryptoRandomBytes(n);
+    let hex = '';
+    for (const b of buf)
+        hex += b.toString(16).padStart(2, '0');
+    return hex;
+}
+/**
+ * Verifier side: recompute the MAC + check it matches in constant time,
+ * + check clock skew, + consume the nonce (replay tracking via JtiStore).
+ *
+ * Fail-closed: any failure returns `{ ok: false, reason }`. Callers MUST
+ * NOT echo `reason` to external clients — log it, return generic 401.
+ */
+export async function verifyServiceMac(args) {
+    const emitReject = async (reason) => {
+        if (!args.auditSink)
+            return;
+        try {
+            await args.auditSink.write(buildEvent({
+                action: 'mcp-runtime.service-mac.reject',
+                outcome: 'denied',
+                correlationId: args.correlationId,
+                actor: { type: 'service', id: args.ctx.service },
+                subject: { type: 'tool', id: args.ctx.route },
+                audience: args.ctx.audience,
+                reason,
+                context: {
+                    keyId: args.headers.keyId,
+                    // Hash of the nonce so the raw value (which is one-shot
+                    // and tied to a specific request) isn't surfaced in logs
+                    // beyond what's already required for the rejection trail.
+                    nonceHash: nonceHashShort(args.headers.nonce),
+                },
+            }));
+        }
+        catch {
+            /* fail-soft */
+        }
+    };
+    const reject = async (reason) => {
+        await emitReject(reason);
+        return { ok: false, reason };
+    };
+    if (!args.provider.generateMac) {
+        return reject('verifier provider lacks generateMac');
+    }
+    // Clock-skew gate.
+    const ts = Number(args.headers.timestamp);
+    if (!Number.isFinite(ts) || ts <= 0) {
+        return reject('malformed timestamp');
+    }
+    const now = (args.now ?? Date.now)();
+    const skew = args.maxClockSkewMs ?? DEFAULT_CLOCK_SKEW_MS;
+    if (Math.abs(now - ts) > skew) {
+        return reject(`clock skew ${Math.abs(now - ts)}ms exceeds ${skew}ms`);
+    }
+    // MAC recompute + constant-time compare.
+    const canonical = canonicalMessage(args.ctx, args.headers.nonce, args.headers.timestamp);
+    let expected;
+    try {
+        const got = await args.provider.generateMac({
+            canonicalMessage: canonical,
+            service: args.ctx.service,
+            audience: args.ctx.audience,
+        });
+        expected = got.mac;
+    }
+    catch (e) {
+        return reject(`mac recompute failed: ${e instanceof Error ? e.message : e}`);
+    }
+    let received;
+    try {
+        received = base64urlDecode(args.headers.mac);
+    }
+    catch (e) {
+        return reject(`malformed mac base64url: ${e instanceof Error ? e.message : e}`);
+    }
+    if (!constantTimeEqual(expected, received)) {
+        return reject('mac mismatch');
+    }
+    // Replay: track the nonce via JTI store. limit=1 means single-use:
+    // first call succeeds (usage=1, allowed=true); second sees usage=2,
+    // allowed=false. JTI key is namespaced to distinguish from
+    // delegation-token JTIs.
+    const jti = `mac:${args.ctx.audience}:${args.ctx.service}:${args.headers.nonce}`;
+    const tracked = await args.jtiStore.trackUsage(jti, 1);
+    if (!tracked.allowed) {
+        return reject('mac nonce already consumed (replay)');
+    }
+    void ts; // ts is bounded by clock-skew gate above; no further use here.
+    if (args.auditSink) {
+        try {
+            await args.auditSink.write(buildEvent({
+                action: 'mcp-runtime.service-mac.accept',
+                outcome: 'success',
+                correlationId: args.correlationId,
+                actor: { type: 'service', id: args.ctx.service },
+                subject: { type: 'tool', id: args.ctx.route },
+                audience: args.ctx.audience,
+                context: {
+                    keyId: args.headers.keyId,
+                    nonceHash: nonceHashShort(args.headers.nonce),
+                },
+            }));
+        }
+        catch {
+            /* fail-soft */
+        }
+    }
+    return { ok: true };
+}
+// ─── Internals ────────────────────────────────────────────────────────
+function nonceHashShort(nonce) {
+    // 8-byte prefix of sha256(nonce) — enough to correlate events
+    // without surfacing the raw one-shot nonce in logs.
+    const digest = sha256(toHex(nonce));
+    return digest.slice(0, 18); // '0x' + 16 hex chars
+}
+function cryptoRandomBytes(n) {
+    const out = new Uint8Array(n);
+    // Both Web Crypto (browsers, Workers) and Node 18+ have globalThis.crypto.
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    const g = globalThis;
+    if (g.crypto?.getRandomValues) {
+        g.crypto.getRandomValues(out);
+        return out;
+    }
+    throw new Error('serviceMac: crypto.getRandomValues unavailable');
+}
+//# sourceMappingURL=service-mac.js.map

package/dist/service-mac.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"service-mac.js","sourceRoot":"","sources":["../src/service-mac.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAEH,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,MAAM,CAAC;AAGrC,OAAO,EAAE,UAAU,EAAkB,MAAM,0BAA0B,CAAC;AAmCtE,MAAM,OAAO,GAAG,oBAAoB,CAAC;AACrC,MAAM,qBAAqB,GAAG,MAAM,CAAC;AAErC,SAAS,gBAAgB,CAAC,GAAsB,EAAE,KAAa,EAAE,SAAiB;IAChF,MAAM,IAAI,GACR,OAAO;QACP,IAAI;QACJ,GAAG,CAAC,QAAQ;QACZ,IAAI;QACJ,GAAG,CAAC,OAAO;QACX,IAAI;QACJ,GAAG,CAAC,KAAK;QACT,IAAI;QACJ,KAAK;QACL,IAAI;QACJ,SAAS;QACT,IAAI;QACJ,GAAG,CAAC,UAAU,CAAC,WAAW,EAAE,CAAC;IAC/B,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;AACxC,CAAC;AAED,SAAS,eAAe,CAAC,KAAiB;IACxC,MAAM,GAAG,GAAG,KAAK,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACtE,MAAM,GAAG,GAAG,OAAO,IAAI,KAAK,UAAU;QACpC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC;QACX,8DAA8D;QAC9D,CAAC,CAAE,UAAkB,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAC9D,OAAO,GAAG,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AACxE,CAAC;AAED,SAAS,eAAe,CAAC,CAAS;IAChC,MAAM,MAAM,GACV,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC;QACvC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IACvC,MAAM,GAAG,GAAG,OAAO,IAAI,KAAK,UAAU;QACpC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC;QACd,8DAA8D;QAC9D,CAAC,CAAE,UAAkB,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACzE,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACvC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,EAAE;QAAE,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IAChE,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,iBAAiB,CAAC,CAAa,EAAE,CAAa;IACrD,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IACxC,IAAI,IAAI,GAAG,CAAC,CAAC;IACb,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE;QAAE,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IACrE,OAAO,IAAI,KAAK,CAAC,CAAC;AACpB,CAAC;AAED,+DAA+D;AAC/D,MAAM,UAAU,aAAa,CAAC,IAAY;IACxC,OAAO,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAQ,CAAC;AACpC,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,IAWxC;IACC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CAAC,oEAAoE,CAAC,CAAC;IACxF,CAAC;IACD,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,IAAI,iBAAiB,CAAC,EAAE,CAAC,CAAC;IACvD,MAAM,KAAK,GAAG,eAAe,CAAC,UAAU,CAAC,CAAC;IAC1C,MAAM,SAAS,GAAG,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IACnD,MAAM,SAAS,GAAG,gBAAgB,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,EAAE,SAAS,CAAC,CAAC;IAC/D,MAAM,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC;QACrD,gBAAgB,EAAE,SAAS;QAC3B,OAAO,EAAE,IAAI,CAAC,GAAG,CAAC,OAAO;QACzB,QAAQ,EAAE,IAAI,CAAC,GAAG,CAAC,QAAQ;KAC5B,CAAC,CAAC;IACH,MAAM,OAAO,GAAsB;QACjC,GAAG,EAAE,eAAe,CAAC,GAAG,CAAC;QACzB,KAAK;QACL,SAAS;QACT,KAAK;KACN,CAAC;IAEF,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;QACnB,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC;gBACzB,EAAE,EAAE,oBAAoB,CAAC,CAAC,CAAC;gBAC3B,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;gBACnC,MAAM,EAAE,+BAA+B;gBACvC,OAAO,EAAE,SAAS;gBAClB,aAAa,EAAE,IAAI,CAAC,aAAa;gBACjC,KAAK,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE;gBAChD,QAAQ,EAAE,IAAI,CAAC,GAAG,CAAC,QAAQ;gBAC3B,OAAO,EAAE,EAAE,IAAI,EAAE,aAAa,EAAE,EAAE,EAAE,KAAK,IAAI,SAAS,EAAE;gBACxD,OAAO,EAAE;oBACP,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK;iBACtB;aACF,CAAC,CAAC;QACL,CAAC;QAAC,MAAM,CAAC;YACP,kEAAkE;QACpE,CAAC;IACH,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,oBAAoB,CAAC,CAAS;IACrC,MAAM,GAAG,GAAG,iBAAiB,CAAC,CAAC,CAAC,CAAC;IACjC,IAAI,GAAG,GAAG,EAAE,CAAC;IACb,KAAK,MAAM,CAAC,IAAI,GAAG;QAAE,GAAG,IAAI,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IAC5D,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,IA0BtC;IACC,MAAM,UAAU,GAAG,KAAK,EAAE,MAAc,EAAE,EAAE;QAC1C,IAAI,CAAC,IAAI,CAAC,SAAS;YAAE,OAAO;QAC5B,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,CACxB,UAAU,CAAC;gBACT,MAAM,EAAE,gCAAgC;gBACxC,OAAO,EAAE,QAAQ;gBACjB,aAAa,EAAE,IAAI,CAAC,aAAa;gBACjC,KAAK,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE;gBAChD,OAAO,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,EAAE;gBAC7C,QAAQ,EAAE,IAAI,CAAC,GAAG,CAAC,QAAQ;gBAC3B,MAAM;gBACN,OAAO,EAAE;oBACP,KAAK,EAAE,IAAI,CAAC,OAAO,CAAC,KAAK;oBACzB,wDAAwD;oBACxD,yDAAyD;oBACzD,0DAA0D;oBAC1D,SAAS,EAAE,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC;iBAC9C;aACF,CAAC,CACH,CAAC;QACJ,CAAC;QAAC,MAAM,CAAC;YACP,eAAe;QACjB,CAAC;IACH,CAAC,CAAC;IACF,MAAM,MAAM,GAAG,KAAK,EAAE,MAAc,EAA0C,EAAE;QAC9E,MAAM,UAAU,CAAC,MAAM,CAAC,CAAC;QACzB,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;IAC/B,CAAC,CAAC;IACF,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;QAC/B,OAAO,MAAM,CAAC,qCAAqC,CAAC,CAAC;IACvD,CAAC;IACD,mBAAmB;IACnB,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAC1C,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC,IAAI,EAAE,IAAI,CAAC,EAAE,CAAC;QACpC,OAAO,MAAM,CAAC,qBAAqB,CAAC,CAAC;IACvC,CAAC;IACD,MAAM,GAAG,GAAG,CAAC,IAAI,CAAC,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;IACrC,MAAM,IAAI,GAAG,IAAI,CAAC,cAAc,IAAI,qBAAqB,CAAC;IAC1D,IAAI,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,EAAE,CAAC,GAAG,IAAI,EAAE,CAAC;QAC9B,OAAO,MAAM,CAAC,cAAc,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,EAAE,CAAC,cAAc,IAAI,IAAI,CAAC,CAAC;IACxE,CAAC;IACD,yCAAyC;IACzC,MAAM,SAAS,GAAG,gBAAgB,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IACzF,IAAI,QAAoB,CAAC;IACzB,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC;YAC1C,gBAAgB,EAAE,SAAS;YAC3B,OAAO,EAAE,IAAI,CAAC,GAAG,CAAC,OAAO;YACzB,QAAQ,EAAE,IAAI,CAAC,GAAG,CAAC,QAAQ;SAC5B,CAAC,CAAC;QACH,QAAQ,GAAG,GAAG,CAAC,GAAG,CAAC;IACrB,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,OAAO,MAAM,CAAC,yBAAyB,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;IAC/E,CAAC;IACD,IAAI,QAAoB,CAAC;IACzB,IAAI,CAAC;QACH,QAAQ,GAAG,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAC/C,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,OAAO,MAAM,CAAC,4BAA4B,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;IAClF,CAAC;IACD,IAAI,CAAC,iBAAiB,CAAC,QAAQ,EAAE,QAAQ,CAAC,EAAE,CAAC;QAC3C,OAAO,MAAM,CAAC,cAAc,CAAC,CAAC;IAChC,CAAC;IACD,mEAAmE;IACnE,oEAAoE;IACpE,2DAA2D;IAC3D,yBAAyB;IACzB,MAAM,GAAG,GAAG,OAAO,IAAI,CAAC,GAAG,CAAC,QAAQ,IAAI,IAAI,CAAC,GAAG,CAAC,OAAO,IAAI,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;IACjF,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;IACvD,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC;QACrB,OAAO,MAAM,CAAC,qCAAqC,CAAC,CAAC;IACvD,CAAC;IACD,KAAK,EAAE,CAAC,CAAC,+DAA+D;IAExE,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;QACnB,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,CACxB,UAAU,CAAC;gBACT,MAAM,EAAE,gCAAgC;gBACxC,OAAO,EAAE,SAAS;gBAClB,aAAa,EAAE,IAAI,CAAC,aAAa;gBACjC,KAAK,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE;gBAChD,OAAO,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,EAAE;gBAC7C,QAAQ,EAAE,IAAI,CAAC,GAAG,CAAC,QAAQ;gBAC3B,OAAO,EAAE;oBACP,KAAK,EAAE,IAAI,CAAC,OAAO,CAAC,KAAK;oBACzB,SAAS,EAAE,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC;iBAC9C;aACF,CAAC,CACH,CAAC;QACJ,CAAC;QAAC,MAAM,CAAC;YACP,eAAe;QACjB,CAAC;IACH,CAAC;IAED,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;AACtB,CAAC;AAED,yEAAyE;AAEzE,SAAS,cAAc,CAAC,KAAa;IACnC,8DAA8D;IAC9D,oDAAoD;IACpD,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC;IACpC,OAAO,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,sBAAsB;AACpD,CAAC;AAED,SAAS,iBAAiB,CAAC,CAAS;IAClC,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,CAAC,CAAC,CAAC;IAC9B,2EAA2E;IAC3E,8DAA8D;IAC9D,MAAM,CAAC,GAAG,UAAiB,CAAC;IAC5B,IAAI,CAAC,CAAC,MAAM,EAAE,eAAe,EAAE,CAAC;QAC9B,CAAC,CAAC,MAAM,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC;QAC9B,OAAO,GAAG,CAAC;IACb,CAAC;IACD,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAC;AACpE,CAAC"}

package/dist/types.d.ts

@@ -0,0 +1,52 @@
+import type { Address, Hex } from '@agenticprimitives/types';
+import type { Caveat, DataScopeGrant, Delegation, EnforcerAddressMap, JtiStore, VerifyError } from '@agenticprimitives/delegation';
+import type { ToolClassification } from '@agenticprimitives/tool-policy';
+export type { Address, Hex, Caveat, DataScopeGrant, Delegation, EnforcerAddressMap, JtiStore, ToolClassification, VerifyError };
+export interface McpResourceVerifyConfig {
+    audience: string;
+    chainId: number;
+    rpcUrl: string;
+    delegationManager: Address;
+    enforcerMap: EnforcerAddressMap;
+    jtiStore: JtiStore;
+    acceptLegacyCrossDelegations?: boolean;
+    /**
+     * Whether to require the delegator's smart account to be on-chain.
+     * Default: `true` (fail-closed). When the account isn't deployed, ERC-1271
+     * can't be verified. Demos using counterfactual addresses without
+     * deploying may set `false` explicitly.
+     */
+    requireDeployed?: boolean;
+    /**
+     * Spec 207: `QuorumEnforcer` contract address for this chain. When a
+     * tool's classification produces a `requiresQuorum: true` decision
+     * from `tool-policy.evaluateThresholdPolicy(...)`, `withDelegation`
+     * threads this address into `delegation.verifyDelegationToken`'s
+     * `requireQuorumCaveat` opt so the delegation MUST carry a quorum
+     * caveat with this enforcer or verify fails closed.
+     *
+     * Consumer apps SHOULD configure this from their deployments JSON
+     * (packages/contracts/deployments-<network>.json's `quorumEnforcer`
+     * field). When unset, T3+ tools that require quorum will fail
+     * closed at the boundary — apps that don't ship multi-sig can
+     * either omit T3+ tools or leave this unset and stick to T1/T2.
+     */
+    quorumEnforcer?: Address;
+}
+export interface ResourceDefinition {
+    name: string;
+    audience: string;
+    fields?: string[];
+}
+export interface BetterSqlite3DatabaseLike {
+    prepare(sql: string): {
+        run(...args: unknown[]): unknown;
+        get(...args: unknown[]): unknown;
+    };
+}
+export interface PgPoolLike {
+    query(text: string, params?: unknown[]): Promise<{
+        rows: unknown[];
+    }>;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,GAAG,EAAE,MAAM,0BAA0B,CAAC;AAC7D,OAAO,KAAK,EACV,MAAM,EACN,cAAc,EACd,UAAU,EACV,kBAAkB,EAClB,QAAQ,EACR,WAAW,EACZ,MAAM,+BAA+B,CAAC;AACvC,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,gCAAgC,CAAC;AAEzE,YAAY,EAAE,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,cAAc,EAAE,UAAU,EAAE,kBAAkB,EAAE,QAAQ,EAAE,kBAAkB,EAAE,WAAW,EAAE,CAAC;AAEhI,MAAM,WAAW,uBAAuB;IACtC,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,iBAAiB,EAAE,OAAO,CAAC;IAC3B,WAAW,EAAE,kBAAkB,CAAC;IAChC,QAAQ,EAAE,QAAQ,CAAC;IACnB,4BAA4B,CAAC,EAAE,OAAO,CAAC;IACvC;;;;;OAKG;IACH,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B;;;;;;;;;;;;;OAaG;IACH,cAAc,CAAC,EAAE,OAAO,CAAC;CAC1B;AAED,MAAM,WAAW,kBAAkB;IACjC,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;CACnB;AAED,MAAM,WAAW,yBAAyB;IACxC,OAAO,CAAC,GAAG,EAAE,MAAM,GAAG;QACpB,GAAG,CAAC,GAAG,IAAI,EAAE,OAAO,EAAE,GAAG,OAAO,CAAC;QACjC,GAAG,CAAC,GAAG,IAAI,EAAE,OAAO,EAAE,GAAG,OAAO,CAAC;KAClC,CAAC;CACH;AAED,MAAM,WAAW,UAAU;IACzB,KAAK,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,OAAO,EAAE,GAAG,OAAO,CAAC;QAAE,IAAI,EAAE,OAAO,EAAE,CAAA;KAAE,CAAC,CAAC;CACvE"}

package/dist/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":""}

package/dist/with-delegation.d.ts

@@ -0,0 +1,135 @@
+import type { Address } from '@agenticprimitives/types';
+import type { ToolClassification } from '@agenticprimitives/tool-policy';
+import { type AuditSink, type MetricsSink } from '@agenticprimitives/audit';
+import type { DataScopeGrant, McpResourceVerifyConfig } from './types';
+/**
+ * H7-F.1 / PKG-MCP-RUNTIME-003 / EXT-026 / EXT-032 closure — split
+ * public error surface from private failure context.
+ *
+ * Previously `McpAuthError.reason` carried the full denial cause
+ * ("policy deny: high-risk tool requires quorum", "delegation
+ * revoked at block N", "ERC-1271 returned 0x00…", etc.). A relying
+ * app that forwarded `error.reason` to the client leaked denial
+ * cause + occasionally PII (signer addresses, delegation hashes).
+ *
+ * The new surface:
+ *   - {@link McpAuthError} is OPAQUE: carries only `code` (a small,
+ *     bounded set) + an opaque `correlationId` the operator can use
+ *     to look up the audit row.
+ *   - {@link PrivateAuthFailureContext} is the rich shape emitted to
+ *     the audit sink at the moment of failure. NEVER returned to the
+ *     caller; consumed only by ops + forensics tooling.
+ *
+ * Migration note: tests that previously asserted on `error.reason`
+ * should assert on `error.code` instead and (for the rich shape)
+ * intercept the audit sink.
+ */
+export type McpAuthErrorCode = 'auth-failed' | 'auth-misconfigured' | 'auth-paused';
+export declare class McpAuthError extends Error {
+    readonly code: McpAuthErrorCode;
+    readonly correlationId: string;
+    constructor(code: McpAuthErrorCode, correlationId: string);
+}
+/**
+ * Rich failure context emitted to the audit sink. NEVER returned to
+ * the caller.
+ */
+export interface PrivateAuthFailureContext {
+    /** Same correlationId as the thrown {@link McpAuthError}. */
+    correlationId: string;
+    /** The opaque public code. */
+    code: McpAuthErrorCode;
+    /**
+     * The ORIGINAL detailed denial reason (private). May contain
+     * delegation hashes, on-chain addresses, classification tier labels,
+     * etc. Routed to the audit sink (durable, op-only).
+     */
+    reason: string;
+    /** Tool name if known. */
+    toolName?: string;
+    /** Step the failure happened at (`verify`, `policy`, `classification`, etc.). */
+    stage?: string;
+}
+export declare function withDelegation<A extends Record<string, unknown>>(config: McpResourceVerifyConfig, handler: (args: A & {
+    principal: Address;
+    grants?: DataScopeGrant[];
+}) => Promise<unknown>, opts?: {
+    toolName?: string;
+    /**
+     * Tool classification metadata (audit H2). When provided, the
+     * `evaluatePolicy()` decision engine runs after delegation verify;
+     * `deny` and `requires-consent` both reject with McpAuthError. When
+     * omitted, an internal warning is logged but the call proceeds
+     * (back-compat for unclassified demo tools). Production code MUST
+     * pass classification — the production preflight will eventually
+     * enforce this.
+     */
+    classification?: ToolClassification;
+    /**
+     * Audit sink (audit C3). When provided, the wrapper emits
+     * `mcp-runtime.with-delegation.{accept,reject}` events on every
+     * call. Omit only for tests / paths that explicitly opt out of
+     * forensics; production code MUST pass a sink and the preflight
+     * will eventually enforce.
+     */
+    auditSink?: AuditSink;
+    /** Correlation ID threaded into emitted events. */
+    correlationId?: string;
+    /**
+     * Metrics sink (production-readiness wave 1). When provided, the
+     * wrapper emits:
+     *   - counter `mcp_runtime.with_delegation.calls` per call
+     *     (tags: tool, audience, outcome ∈ accept|reject)
+     *   - histogram `mcp_runtime.with_delegation.duration_ms` per call
+     *     (tags: tool, audience, outcome)
+     * Cardinality is bounded by the tool registry; safe for production
+     * Prometheus / Datadog / OpenTelemetry pipelines.
+     */
+    metricsSink?: MetricsSink;
+    /**
+     * W3C traceparent header value (`00-{trace-id}-{parent-id}-{flags}`)
+     * captured from the inbound request. Forwarded on outbound calls
+     * the handler makes and stamped into emitted audit events so the
+     * full session→token→tool chain stitches together end-to-end.
+     */
+    traceparent?: string;
+    /**
+     * Production-readiness gate (audit H1). Inverted default behaviour:
+     * `withDelegation` runs in PRODUCTION mode unless the consumer
+     * explicitly opts out via `developmentMode: true` (test/dev shim)
+     * OR the runtime reports `NODE_ENV !== 'production'`. In
+     * production, the wrapper throws at construction time if
+     * `classification` or `auditSink` is missing. This makes the
+     * package API impossible to misuse: you can't register a tool
+     * wrapper without the metadata the policy engine + audit pipeline
+     * need.
+     *
+     * Pass `environment: 'production'` to force production (the
+     * canonical override; useful for tests that need to exercise prod
+     * gates without setting NODE_ENV). Pass `environment: 'development'`
+     * or `developmentMode: true` to opt out — required only for tests.
+     */
+    environment?: 'production' | 'development';
+    /**
+     * Explicit opt-out shorthand for non-production callers. Equivalent
+     * to `environment: 'development'`. Useful so test code reads as
+     * "this is intentionally a dev wrapper" rather than referencing
+     * the environment axis directly.
+     */
+    developmentMode?: boolean;
+}): (args: A & {
+    token: string;
+}) => Promise<unknown>;
+export interface VerifyDelegationForResourceOpts {
+    toolName?: string;
+}
+export declare function verifyDelegationForResource(token: string, config: McpResourceVerifyConfig, ctx?: {
+    toolName?: string;
+    timestamp?: number;
+}): Promise<{
+    principal: Address;
+    grants?: DataScopeGrant[];
+} | {
+    error: string;
+}>;
+//# sourceMappingURL=with-delegation.d.ts.map

package/dist/with-delegation.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"with-delegation.d.ts","sourceRoot":"","sources":["../src/with-delegation.ts"],"names":[],"mappings":"AAcA,OAAO,KAAK,EAAE,OAAO,EAAO,MAAM,0BAA0B,CAAC;AAG7D,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,gCAAgC,CAAC;AACzE,OAAO,EAAc,KAAK,SAAS,EAAE,KAAK,WAAW,EAAE,MAAM,0BAA0B,CAAC;AACxF,OAAO,KAAK,EAAE,cAAc,EAAE,uBAAuB,EAAE,MAAM,SAAS,CAAC;AA4BvE;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,MAAM,MAAM,gBAAgB,GACxB,aAAa,GACb,oBAAoB,GACpB,aAAa,CAAC;AAElB,qBAAa,YAAa,SAAQ,KAAK;IACrC,QAAQ,CAAC,IAAI,EAAE,gBAAgB,CAAC;IAChC,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;gBACnB,IAAI,EAAE,gBAAgB,EAAE,aAAa,EAAE,MAAM;CAM1D;AAED;;;GAGG;AACH,MAAM,WAAW,yBAAyB;IACxC,6DAA6D;IAC7D,aAAa,EAAE,MAAM,CAAC;IACtB,8BAA8B;IAC9B,IAAI,EAAE,gBAAgB,CAAC;IACvB;;;;OAIG;IACH,MAAM,EAAE,MAAM,CAAC;IACf,0BAA0B;IAC1B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,iFAAiF;IACjF,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,wBAAgB,cAAc,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC9D,MAAM,EAAE,uBAAuB,EAC/B,OAAO,EAAE,CAAC,IAAI,EAAE,CAAC,GAAG;IAAE,SAAS,EAAE,OAAO,CAAC;IAAC,MAAM,CAAC,EAAE,cAAc,EAAE,CAAA;CAAE,KAAK,OAAO,CAAC,OAAO,CAAC,EAC1F,IAAI,CAAC,EAAE;IACL,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB;;;;;;;;OAQG;IACH,cAAc,CAAC,EAAE,kBAAkB,CAAC;IACpC;;;;;;OAMG;IACH,SAAS,CAAC,EAAE,SAAS,CAAC;IACtB,mDAAmD;IACnD,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB;;;;;;;;;OASG;IACH,WAAW,CAAC,EAAE,WAAW,CAAC;IAC1B;;;;;OAKG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB;;;;;;;;;;;;;;;OAeG;IACH,WAAW,CAAC,EAAE,YAAY,GAAG,aAAa,CAAC;IAC3C;;;;;OAKG;IACH,eAAe,CAAC,EAAE,OAAO,CAAC;CAC3B,GACA,CAAC,IAAI,EAAE,CAAC,GAAG;IAAE,KAAK,EAAE,MAAM,CAAA;CAAE,KAAK,OAAO,CAAC,OAAO,CAAC,CAgNnD;AAED,MAAM,WAAW,+BAA+B;IAC9C,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,wBAAsB,2BAA2B,CAC/C,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,uBAAuB,EAC/B,GAAG,CAAC,EAAE;IAAE,QAAQ,CAAC,EAAE,MAAM,CAAC;IAAC,SAAS,CAAC,EAAE,MAAM,CAAA;CAAE,GAC9C,OAAO,CAAC;IAAE,SAAS,EAAE,OAAO,CAAC;IAAC,MAAM,CAAC,EAAE,cAAc,EAAE,CAAA;CAAE,GAAG;IAAE,KAAK,EAAE,MAAM,CAAA;CAAE,CAAC,CAYhF"}

package/dist/with-delegation.js

@@ -0,0 +1,266 @@
+// withDelegation — the headline wrapper.
+//
+// Pipeline (per spec 205 §2):
+//   1. extract token from args
+//   2. delegation.verifyDelegationToken(token, opts) — full chain check
+//   3. tool-policy.evaluatePolicy(ctx) for classification gating
+//      (audit H2; fail-closed on deny / requires-consent / unknown
+//      classification)
+//   4. invoke inner handler with verified { principal, grants? }
+//
+// Error responses must NOT leak the specific failure mode (malformed vs
+// expired vs revoked vs caveat-failed vs policy-denied). Single
+// "auth failed" error class.
+import { verifyDelegationToken } from '@agenticprimitives/delegation';
+import { evaluatePolicy, evaluateThresholdPolicy } from '@agenticprimitives/tool-policy';
+import { buildEvent } from '@agenticprimitives/audit';
+/**
+ * Resolve the effective environment for production-mode gates. Order
+ * of precedence:
+ *   1. Explicit `opts.environment` value.
+ *   2. `developmentMode: true` → 'development'.
+ *   3. `process.env.NODE_ENV` if readable.
+ *   4. Default to 'production' — safe-by-default when the runtime is
+ *      ambiguous (Cloudflare Workers, Deno, browser). Consumers who
+ *      want a permissive wrapper MUST opt out explicitly.
+ */
+function inferEnvironment(opts) {
+    if (opts?.environment)
+        return opts.environment;
+    if (opts?.developmentMode === true)
+        return 'development';
+    try {
+        if (typeof process !== 'undefined' && process.env?.NODE_ENV) {
+            return process.env.NODE_ENV === 'production' ? 'production' : 'development';
+        }
+    }
+    catch {
+        /* SES / Workers may throw on process access */
+    }
+    return 'production';
+}
+export class McpAuthError extends Error {
+    code;
+    correlationId;
+    constructor(code, correlationId) {
+        super('mcp: auth failed');
+        this.name = 'McpAuthError';
+        this.code = code;
+        this.correlationId = correlationId;
+    }
+}
+export function withDelegation(config, handler, opts) {
+    // Inferred environment — production-by-default per audit H1. The
+    // construction-time gate now fires unless the consumer explicitly
+    // opts into development.
+    const env = inferEnvironment(opts);
+    if (env === 'production') {
+        if (!opts?.classification) {
+            throw new Error('[mcp-runtime] withDelegation requires `classification` in production. ' +
+                'The policy engine (tool-policy.evaluatePolicy) MUST run; an unclassified tool ' +
+                'is a security regression. Pass `opts.classification = declareTool(...)`. ' +
+                'For tests, pass `developmentMode: true` to opt out of the strict gate.');
+        }
+        if (!opts?.auditSink) {
+            throw new Error('[mcp-runtime] withDelegation requires `auditSink` in production. ' +
+                'Audit emission is the only forensic trail for delegation accept/reject; ' +
+                'production deployments MUST persist these. Pass a durable sink (D1, ' +
+                'Cloud Logging, etc.) — wrap with composeSinks(durable, console) if you ' +
+                'still want a tail-friendly mirror.');
+        }
+    }
+    return async (args) => {
+        // Pull `quorumProof` off args (audit H3). It's a delegation-layer
+        // concern, not handler input. Either the caller serializes proof
+        // alongside the token, or there's no proof — and the verifier
+        // rejects accordingly when `requireQuorumCaveat` is set.
+        const { token, quorumProof, ...rest } = args;
+        const toolName = opts?.toolName ?? 'unknown';
+        // H7-F.1: every request gets a stable correlationId. Caller-supplied
+        // wins; otherwise mint a random one so the thrown McpAuthError carries
+        // a non-empty handle the operator can correlate with audit rows.
+        const correlationId = opts?.correlationId ??
+            `wd-${Date.now().toString(36)}-${Math.random().toString(36).slice(2, 10)}`;
+        const startedAt = Date.now();
+        const metric = opts?.metricsSink;
+        const emit = async (outcome, reason, principal) => {
+            // Metrics fire in lockstep with audit emissions so a single
+            // observability pipeline sees both the structured event AND the
+            // counter/histogram. Cardinality is bounded by tool name +
+            // audience + outcome — safe for production Prometheus.
+            if (metric) {
+                const tags = {
+                    tool: toolName,
+                    audience: config.audience ?? 'unknown',
+                    outcome: outcome === 'success' ? 'accept' : 'reject',
+                };
+                try {
+                    metric.increment('mcp_runtime.with_delegation.calls', 1, tags);
+                }
+                catch { /* fail-soft */ }
+                try {
+                    metric.observe('mcp_runtime.with_delegation.duration_ms', Date.now() - startedAt, tags);
+                }
+                catch { /* fail-soft */ }
+            }
+            if (!opts?.auditSink)
+                return;
+            try {
+                await opts.auditSink.write(buildEvent({
+                    action: outcome === 'success'
+                        ? 'mcp-runtime.with-delegation.accept'
+                        : 'mcp-runtime.with-delegation.reject',
+                    outcome,
+                    correlationId,
+                    actor: principal ? { type: 'user', id: principal } : { type: 'unknown' },
+                    subject: { type: 'tool', id: toolName },
+                    audience: config.audience,
+                    chainId: config.chainId,
+                    reason,
+                    // Traceparent (W3C) stamped into context for downstream
+                    // trace correlation. Reject events still carry the trace.
+                    context: opts?.traceparent ? { traceparent: opts.traceparent } : undefined,
+                }));
+            }
+            catch {
+                // Fail-soft: audit emission must never break the auth flow.
+                // composeSinks should be doing this for us, but belt-and-braces.
+            }
+        };
+        if (typeof token !== 'string' || token.length === 0) {
+            // H7-F.1: private reason goes to audit; caller sees opaque code.
+            await emit('denied', 'missing token', undefined);
+            throw new McpAuthError('auth-failed', correlationId);
+        }
+        // Spec 207 threshold-policy: when a classification is provided,
+        // derive the threshold-policy decision via tool-policy +
+        // translate into delegation's verify opts. Pre-verify check so a
+        // missing quorum caveat or absent on-chain blessing fails closed
+        // before any chain reads.
+        let requireQuorumCaveat;
+        let requireAcceptedOnChain;
+        if (opts?.classification) {
+            const thrDecision = evaluateThresholdPolicy(opts.classification);
+            if (thrDecision.requiresQuorum) {
+                if (!config.quorumEnforcer) {
+                    // Fail closed at the boundary — a T3+ tool that needs
+                    // quorum can't be verified if the runtime doesn't know
+                    // where to find the QuorumEnforcer. Consumer apps must
+                    // wire `config.quorumEnforcer` from their deployments JSON.
+                    const detail = 'tool requires quorum caveat but mcp-runtime has no quorumEnforcer configured';
+                    console.error('[mcp-runtime] auth misconfigured:', detail);
+                    await emit('denied', detail, undefined);
+                    // H7-F.1: server-side config gap surfaces as the distinct
+                    // 'auth-misconfigured' code so the caller can distinguish from
+                    // a legitimate credential reject.
+                    throw new McpAuthError('auth-misconfigured', correlationId);
+                }
+                requireQuorumCaveat = { enforcer: config.quorumEnforcer };
+            }
+            if (thrDecision.requiresAcceptedOnChain) {
+                requireAcceptedOnChain = true;
+            }
+            // `requiresUv` from the threshold-policy decision is verified
+            // at the SIGNER layer (the wallet sets the WebAuthn UV flag when
+            // producing the delegation signature). delegation's verify path
+            // doesn't re-check UV because it would need to parse the
+            // passkey signature blob; that's the consumer app's
+            // responsibility at signing time.
+        }
+        const result = await verifyDelegationToken(token, {
+            audience: config.audience,
+            chainId: config.chainId,
+            rpcUrl: config.rpcUrl,
+            delegationManager: config.delegationManager,
+            enforcerMap: config.enforcerMap,
+            jtiStore: config.jtiStore,
+            toolName: opts?.toolName,
+            requireDeployed: config.requireDeployed,
+            // Thread the audit sink + correlation id down so delegation
+            // emits `delegation.verify.{accept,reject}` events through the
+            // same sink as `mcp-runtime.with-delegation.*`. Pass 3b.
+            auditSink: opts?.auditSink,
+            correlationId,
+            // Spec 207 threshold-policy gates (6c.4). Both undefined for T1
+            // tools; either or both set for T2+ depending on the tool's
+            // `@sa-risk-tier` classification.
+            requireQuorumCaveat,
+            requireAcceptedOnChain,
+            // Audit H3 — when requireQuorumCaveat is set, delegation refuses
+            // without an explicit proof. Forward the caller-supplied proof
+            // through; if missing, the verifier rejects (a Wave H1 production
+            // wrapper would have already thrown at construction if the tool
+            // is unclassified).
+            quorumProof,
+        });
+        if ('error' in result) {
+            // H7-F.1: the private reason (which may carry delegation hashes
+            // or signer addresses) is emitted to the audit sink and stays
+            // server-side. The caller sees only the opaque code + correlationId
+            // they can quote to the operator for forensics.
+            console.error('[mcp-runtime] auth failed:', result.error);
+            await emit('denied', result.error, undefined);
+            throw new McpAuthError('auth-failed', correlationId);
+        }
+        // Policy enforcement (audit H2). Fail-closed on deny + requires-consent.
+        if (opts?.classification) {
+            const decision = evaluatePolicy({
+                toolName,
+                classification: opts.classification,
+                callerKind: 'user-session',
+                delegation: {
+                    delegator: result.principal,
+                    delegate: result.principal,
+                    caveats: [],
+                },
+            });
+            if (decision.decision !== 'allow') {
+                // Spec 207 reconciliation: critical-risk tools have historically
+                // returned `requires-consent` from evaluatePolicy + the wrapper
+                // failed closed because the runtime doesn't host a consent loop
+                // (audit H2). The threshold-policy `requiresAcceptedOnChain`
+                // gate IS the consent loop for that path — the user committed
+                // an `acceptSessionDelegation(hash)` transaction in advance.
+                // When that gate is in force AND it passed (verify didn't
+                // reject), the requires-consent outcome is satisfied.
+                const thrDec = evaluateThresholdPolicy(opts.classification);
+                const satisfiedByOnChainBlessing = decision.decision === 'requires-consent' && thrDec.requiresAcceptedOnChain;
+                if (!satisfiedByOnChainBlessing) {
+                    const detail = decision.decision === 'deny'
+                        ? `policy deny: ${decision.reason}`
+                        : `policy requires-consent (${decision.promptId}); runtime does not host consent loop`;
+                    console.error('[mcp-runtime] auth failed:', detail);
+                    await emit('denied', detail, result.principal);
+                    // H7-F.1: same opaque shape as other reject paths.
+                    throw new McpAuthError('auth-failed', correlationId);
+                }
+            }
+        }
+        else {
+            console.warn('[mcp-runtime] withDelegation called without classification — ' +
+                'consider passing opts.classification for policy enforcement (audit H2)');
+        }
+        await emit('success', undefined, result.principal);
+        return handler({ ...rest, principal: result.principal, grants: result.grants });
+    };
+}
+export async function verifyDelegationForResource(token, config, ctx) {
+    return verifyDelegationToken(token, {
+        audience: config.audience,
+        chainId: config.chainId,
+        rpcUrl: config.rpcUrl,
+        delegationManager: config.delegationManager,
+        enforcerMap: config.enforcerMap,
+        jtiStore: config.jtiStore,
+        toolName: ctx?.toolName,
+        requireDeployed: config.requireDeployed,
+        now: ctx?.timestamp ? () => ctx.timestamp * 1000 : undefined,
+    });
+}
+// H7-B.8 (XPKG-002 / EXT-024 closure) — `withCrossDelegation` +
+// `verifyCrossDelegationForResource` were public symbols that
+// unconditionally rejected. Removed from the public surface; will land
+// behind `./experimental` per spec 100 §6 when the cross-delegation work
+// resumes. See PKG-mcp-runtime-001 in
+// docs/audits/2026-05-packages-contracts-production-readiness.md.
+//# sourceMappingURL=with-delegation.js.map

package/dist/with-delegation.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"with-delegation.js","sourceRoot":"","sources":["../src/with-delegation.ts"],"names":[],"mappings":"AAAA,yCAAyC;AACzC,EAAE;AACF,8BAA8B;AAC9B,+BAA+B;AAC/B,wEAAwE;AACxE,iEAAiE;AACjE,mEAAmE;AACnE,uBAAuB;AACvB,iEAAiE;AACjE,EAAE;AACF,wEAAwE;AACxE,gEAAgE;AAChE,6BAA6B;AAG7B,OAAO,EAAE,qBAAqB,EAAE,MAAM,+BAA+B,CAAC;AACtE,OAAO,EAAE,cAAc,EAAE,uBAAuB,EAAE,MAAM,gCAAgC,CAAC;AAEzF,OAAO,EAAE,UAAU,EAAoC,MAAM,0BAA0B,CAAC;AAGxF;;;;;;;;;GASG;AACH,SAAS,gBAAgB,CAAC,IAGzB;IACC,IAAI,IAAI,EAAE,WAAW;QAAE,OAAO,IAAI,CAAC,WAAW,CAAC;IAC/C,IAAI,IAAI,EAAE,eAAe,KAAK,IAAI;QAAE,OAAO,aAAa,CAAC;IACzD,IAAI,CAAC;QACH,IAAI,OAAO,OAAO,KAAK,WAAW,IAAI,OAAO,CAAC,GAAG,EAAE,QAAQ,EAAE,CAAC;YAC5D,OAAO,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,aAAa,CAAC;QAC9E,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,+CAA+C;IACjD,CAAC;IACD,OAAO,YAAY,CAAC;AACtB,CAAC;AA6BD,MAAM,OAAO,YAAa,SAAQ,KAAK;IAC5B,IAAI,CAAmB;IACvB,aAAa,CAAS;IAC/B,YAAY,IAAsB,EAAE,aAAqB;QACvD,KAAK,CAAC,kBAAkB,CAAC,CAAC;QAC1B,IAAI,CAAC,IAAI,GAAG,cAAc,CAAC;QAC3B,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;QACjB,IAAI,CAAC,aAAa,GAAG,aAAa,CAAC;IACrC,CAAC;CACF;AAuBD,MAAM,UAAU,cAAc,CAC5B,MAA+B,EAC/B,OAA0F,EAC1F,IAgEC;IAED,iEAAiE;IACjE,kEAAkE;IAClE,yBAAyB;IACzB,MAAM,GAAG,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC;IACnC,IAAI,GAAG,KAAK,YAAY,EAAE,CAAC;QACzB,IAAI,CAAC,IAAI,EAAE,cAAc,EAAE,CAAC;YAC1B,MAAM,IAAI,KAAK,CACb,wEAAwE;gBACtE,gFAAgF;gBAChF,2EAA2E;gBAC3E,wEAAwE,CAC3E,CAAC;QACJ,CAAC;QACD,IAAI,CAAC,IAAI,EAAE,SAAS,EAAE,CAAC;YACrB,MAAM,IAAI,KAAK,CACb,mEAAmE;gBACjE,0EAA0E;gBAC1E,sEAAsE;gBACtE,yEAAyE;gBACzE,oCAAoC,CACvC,CAAC;QACJ,CAAC;IACH,CAAC;IACD,OAAO,KAAK,EAAE,IAAI,EAAE,EAAE;QACpB,kEAAkE;QAClE,iEAAiE;QACjE,8DAA8D;QAC9D,yDAAyD;QACzD,MAAM,EAAE,KAAK,EAAE,WAAW,EAAE,GAAG,IAAI,EAAE,GACnC,IAAiH,CAAC;QACpH,MAAM,QAAQ,GAAG,IAAI,EAAE,QAAQ,IAAI,SAAS,CAAC;QAC7C,qEAAqE;QACrE,uEAAuE;QACvE,iEAAiE;QACjE,MAAM,aAAa,GACjB,IAAI,EAAE,aAAa;YACnB,MAAM,IAAI,CAAC,GAAG,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC;QAC7E,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAC7B,MAAM,MAAM,GAAG,IAAI,EAAE,WAAW,CAAC;QAEjC,MAAM,IAAI,GAAG,KAAK,EAChB,OAAuC,EACvC,MAA0B,EAC1B,SAA8B,EAC9B,EAAE;YACF,4DAA4D;YAC5D,gEAAgE;YAChE,2DAA2D;YAC3D,uDAAuD;YACvD,IAAI,MAAM,EAAE,CAAC;gBACX,MAAM,IAAI,GAAG;oBACX,IAAI,EAAE,QAAQ;oBACd,QAAQ,EAAE,MAAM,CAAC,QAAQ,IAAI,SAAS;oBACtC,OAAO,EAAE,OAAO,KAAK,SAAS,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ;iBACrD,CAAC;gBACF,IAAI,CAAC;oBAAC,MAAM,CAAC,SAAS,CAAC,mCAAmC,EAAE,CAAC,EAAE,IAAI,CAAC,CAAC;gBAAC,CAAC;gBAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC;gBACjG,IAAI,CAAC;oBAAC,MAAM,CAAC,OAAO,CAAC,yCAAyC,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,EAAE,IAAI,CAAC,CAAC;gBAAC,CAAC;gBAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC;YAC5H,CAAC;YACD,IAAI,CAAC,IAAI,EAAE,SAAS;gBAAE,OAAO;YAC7B,IAAI,CAAC;gBACH,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,CACxB,UAAU,CAAC;oBACT,MAAM,EACJ,OAAO,KAAK,SAAS;wBACnB,CAAC,CAAC,oCAAoC;wBACtC,CAAC,CAAC,oCAAoC;oBAC1C,OAAO;oBACP,aAAa;oBACb,KAAK,EAAE,SAAS,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE;oBACxE,OAAO,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,QAAQ,EAAE;oBACvC,QAAQ,EAAE,MAAM,CAAC,QAAQ;oBACzB,OAAO,EAAE,MAAM,CAAC,OAAO;oBACvB,MAAM;oBACN,wDAAwD;oBACxD,0DAA0D;oBAC1D,OAAO,EAAE,IAAI,EAAE,WAAW,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,SAAS;iBAC3E,CAAC,CACH,CAAC;YACJ,CAAC;YAAC,MAAM,CAAC;gBACP,4DAA4D;gBAC5D,iEAAiE;YACnE,CAAC;QACH,CAAC,CAAC;QAEF,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACpD,iEAAiE;YACjE,MAAM,IAAI,CAAC,QAAQ,EAAE,eAAe,EAAE,SAAS,CAAC,CAAC;YACjD,MAAM,IAAI,YAAY,CAAC,aAAa,EAAE,aAAa,CAAC,CAAC;QACvD,CAAC;QACD,gEAAgE;QAChE,yDAAyD;QACzD,iEAAiE;QACjE,iEAAiE;QACjE,0BAA0B;QAC1B,IAAI,mBAAsD,CAAC;QAC3D,IAAI,sBAA2C,CAAC;QAChD,IAAI,IAAI,EAAE,cAAc,EAAE,CAAC;YACzB,MAAM,WAAW,GAAG,uBAAuB,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;YACjE,IAAI,WAAW,CAAC,cAAc,EAAE,CAAC;gBAC/B,IAAI,CAAC,MAAM,CAAC,cAAc,EAAE,CAAC;oBAC3B,sDAAsD;oBACtD,uDAAuD;oBACvD,uDAAuD;oBACvD,4DAA4D;oBAC5D,MAAM,MAAM,GACV,8EAA8E,CAAC;oBACjF,OAAO,CAAC,KAAK,CAAC,mCAAmC,EAAE,MAAM,CAAC,CAAC;oBAC3D,MAAM,IAAI,CAAC,QAAQ,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC;oBACxC,0DAA0D;oBAC1D,+DAA+D;oBAC/D,kCAAkC;oBAClC,MAAM,IAAI,YAAY,CAAC,oBAAoB,EAAE,aAAa,CAAC,CAAC;gBAC9D,CAAC;gBACD,mBAAmB,GAAG,EAAE,QAAQ,EAAE,MAAM,CAAC,cAAc,EAAE,CAAC;YAC5D,CAAC;YACD,IAAI,WAAW,CAAC,uBAAuB,EAAE,CAAC;gBACxC,sBAAsB,GAAG,IAAI,CAAC;YAChC,CAAC;YACD,8DAA8D;YAC9D,iEAAiE;YACjE,gEAAgE;YAChE,yDAAyD;YACzD,oDAAoD;YACpD,kCAAkC;QACpC,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,qBAAqB,CAAC,KAAK,EAAE;YAChD,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,iBAAiB,EAAE,MAAM,CAAC,iBAAiB;YAC3C,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,QAAQ,EAAE,IAAI,EAAE,QAAQ;YACxB,eAAe,EAAE,MAAM,CAAC,eAAe;YACvC,4DAA4D;YAC5D,+DAA+D;YAC/D,yDAAyD;YACzD,SAAS,EAAE,IAAI,EAAE,SAAS;YAC1B,aAAa;YACb,gEAAgE;YAChE,4DAA4D;YAC5D,kCAAkC;YAClC,mBAAmB;YACnB,sBAAsB;YACtB,iEAAiE;YACjE,+DAA+D;YAC/D,kEAAkE;YAClE,gEAAgE;YAChE,oBAAoB;YACpB,WAAW;SACZ,CAAC,CAAC;QACH,IAAI,OAAO,IAAI,MAAM,EAAE,CAAC;YACtB,gEAAgE;YAChE,8DAA8D;YAC9D,oEAAoE;YACpE,gDAAgD;YAChD,OAAO,CAAC,KAAK,CAAC,4BAA4B,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;YAC1D,MAAM,IAAI,CAAC,QAAQ,EAAE,MAAM,CAAC,KAAK,EAAE,SAAS,CAAC,CAAC;YAC9C,MAAM,IAAI,YAAY,CAAC,aAAa,EAAE,aAAa,CAAC,CAAC;QACvD,CAAC;QAED,yEAAyE;QACzE,IAAI,IAAI,EAAE,cAAc,EAAE,CAAC;YACzB,MAAM,QAAQ,GAAG,cAAc,CAAC;gBAC9B,QAAQ;gBACR,cAAc,EAAE,IAAI,CAAC,cAAc;gBACnC,UAAU,EAAE,cAAc;gBAC1B,UAAU,EAAE;oBACV,SAAS,EAAE,MAAM,CAAC,SAAS;oBAC3B,QAAQ,EAAE,MAAM,CAAC,SAAS;oBAC1B,OAAO,EAAE,EAAE;iBACZ;aACF,CAAC,CAAC;YACH,IAAI,QAAQ,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;gBAClC,iEAAiE;gBACjE,gEAAgE;gBAChE,gEAAgE;gBAChE,6DAA6D;gBAC7D,8DAA8D;gBAC9D,6DAA6D;gBAC7D,0DAA0D;gBAC1D,sDAAsD;gBACtD,MAAM,MAAM,GAAG,uBAAuB,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;gBAC5D,MAAM,0BAA0B,GAC9B,QAAQ,CAAC,QAAQ,KAAK,kBAAkB,IAAI,MAAM,CAAC,uBAAuB,CAAC;gBAC7E,IAAI,CAAC,0BAA0B,EAAE,CAAC;oBAChC,MAAM,MAAM,GACV,QAAQ,CAAC,QAAQ,KAAK,MAAM;wBAC1B,CAAC,CAAC,gBAAgB,QAAQ,CAAC,MAAM,EAAE;wBACnC,CAAC,CAAC,4BAA4B,QAAQ,CAAC,QAAQ,uCAAuC,CAAC;oBAC3F,OAAO,CAAC,KAAK,CAAC,4BAA4B,EAAE,MAAM,CAAC,CAAC;oBACpD,MAAM,IAAI,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC;oBAC/C,mDAAmD;oBACnD,MAAM,IAAI,YAAY,CAAC,aAAa,EAAE,aAAa,CAAC,CAAC;gBACvD,CAAC;YACH,CAAC;QACH,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,IAAI,CACV,+DAA+D;gBAC7D,wEAAwE,CAC3E,CAAC;QACJ,CAAC;QAED,MAAM,IAAI,CAAC,SAAS,EAAE,SAAS,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC;QACnD,OAAO,OAAO,CAAC,EAAE,GAAI,IAAqB,EAAE,SAAS,EAAE,MAAM,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;IACpG,CAAC,CAAC;AACJ,CAAC;AAMD,MAAM,CAAC,KAAK,UAAU,2BAA2B,CAC/C,KAAa,EACb,MAA+B,EAC/B,GAA+C;IAE/C,OAAO,qBAAqB,CAAC,KAAK,EAAE;QAClC,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,OAAO,EAAE,MAAM,CAAC,OAAO;QACvB,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,iBAAiB,EAAE,MAAM,CAAC,iBAAiB;QAC3C,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,QAAQ,EAAE,GAAG,EAAE,QAAQ;QACvB,eAAe,EAAE,MAAM,CAAC,eAAe;QACvC,GAAG,EAAE,GAAG,EAAE,SAAS,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,SAAU,GAAG,IAAI,CAAC,CAAC,CAAC,SAAS;KAC9D,CAAC,CAAC;AACL,CAAC;AAED,gEAAgE;AAChE,8DAA8D;AAC9D,uEAAuE;AACvE,yEAAyE;AACzE,sCAAsC;AACtC,kEAAkE"}

package/package.json

@@ -0,0 +1,70 @@
+{
+  "name": "@agenticprimitives/mcp-runtime",
+  "version": "0.1.0-alpha.2",
+  "description": "Delegation-aware authorization middleware around the official MCP TypeScript SDK. The decision layer, not the SDK.",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/agentictrustlabs/agenticprimitives.git",
+    "directory": "packages/mcp-runtime"
+  },
+  "homepage": "https://github.com/agentictrustlabs/agenticprimitives/tree/master/packages/mcp-runtime",
+  "bugs": {
+    "url": "https://github.com/agentictrustlabs/agenticprimitives/issues"
+  },
+  "type": "module",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    },
+    "./testing": {
+      "types": "./dist/testing.d.ts",
+      "import": "./dist/testing.js"
+    },
+    "./lint": {
+      "types": "./dist/lint.d.ts",
+      "import": "./dist/lint.js"
+    }
+  },
+  "files": [
+    "LICENSE",
+    "dist",
+    "spec.md",
+    "README.md"
+  ],
+  "scripts": {
+    "build": "tsc -p tsconfig.build.json",
+    "typecheck": "tsc -p tsconfig.json --noEmit",
+    "test": "vitest run",
+    "test:unit": "vitest run test/unit",
+    "test:integration": "vitest run test/integration --passWithNoTests",
+    "test:watch": "vitest",
+    "clean": "rm -rf dist"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "peerDependencies": {
+    "@agenticprimitives/audit": "workspace:*",
+    "@agenticprimitives/delegation": "workspace:*",
+    "@agenticprimitives/key-custody": "workspace:*",
+    "@agenticprimitives/tool-policy": "workspace:*",
+    "@agenticprimitives/types": "workspace:*",
+    "@modelcontextprotocol/sdk": ">=1.29.0 <2",
+    "viem": "^2.50.0"
+  },
+  "devDependencies": {
+    "@types/node": "^22.7.0",
+    "vitest": "^2.1.0"
+  },
+  "keywords": [
+    "mcp",
+    "model-context-protocol",
+    "delegation",
+    "authorization",
+    "agentic"
+  ]
+}

package/spec.md

@@ -0,0 +1,6 @@
+# @agenticprimitives/mcp-runtime — spec
+
+The authoritative specification lives at:
+**[`../../specs/205-mcp-runtime.md`](../../specs/205-mcp-runtime.md)**
+
+Do not edit a divergent copy here.