@datacules/agent-identity-mcp-client 0.10.0 → 0.11.1

package/LICENSE

@@ -0,0 +1,109 @@
+Datacules Agent Identity License — Version 1.0
+Copyright (c) 2026 Datacules LLC. All rights reserved.
+
+─────────────────────────────────────────────────────────────────────────────
+PREAMBLE
+─────────────────────────────────────────────────────────────────────────────
+
+This software — Agent Identity & Auth Patterns — is developed and owned by
+Datacules LLC. It is made available to the public as open-source software
+under the permissive terms below.
+
+Datacules LLC retains ownership and authorship of this software while
+granting broad, royalty-free rights for anyone to use, copy, modify, and
+distribute it — in commercial or non-commercial contexts — without requiring
+that derivative works also become open source.
+
+─────────────────────────────────────────────────────────────────────────────
+TERMS AND CONDITIONS
+─────────────────────────────────────────────────────────────────────────────
+
+1. PERMISSION TO USE
+
+   Permission is hereby granted, free of charge, to any person or
+   organization obtaining a copy of this software and associated
+   documentation files (the "Software"), to use, copy, modify, merge,
+   publish, distribute, sublicense, and/or sell copies of the Software,
+   and to permit persons to whom the Software is furnished to do so,
+   subject to the conditions below.
+
+2. ATTRIBUTION
+
+   a. Redistributions of source code must retain this copyright notice,
+      this list of conditions, and the disclaimer below.
+
+   b. Redistributions in binary form or as a product must reproduce this
+      copyright notice, this list of conditions, and the disclaimer in the
+      documentation and/or other materials provided with the distribution.
+
+   c. Neither the name "Datacules LLC" nor the names of its contributors
+      may be used to endorse or promote products derived from this Software
+      without prior written permission from Datacules LLC.
+
+3. COMMERCIAL USE
+
+   Use of this Software in commercial products, SaaS platforms, internal
+   enterprise tools, or any revenue-generating context is explicitly
+   permitted without royalty, fee, or additional licensing agreement,
+   provided that the conditions in Section 2 (Attribution) are met.
+
+4. NO COPYLEFT / NO VIRAL REQUIREMENT
+
+   This license does NOT require that derivative works, modifications,
+   or software that uses or embeds this Software be made open source.
+   You may incorporate this Software into proprietary or closed-source
+   products under your own license terms.
+
+5. MODIFICATIONS
+
+   Modified versions of the Software may be distributed under the same
+   terms as this license or under any other permissive open-source
+   license (e.g. MIT, Apache 2.0, BSD), provided that:
+
+   a. The original copyright notice of Datacules LLC is preserved.
+   b. Modifications are clearly documented and distinguished from the
+      original work.
+
+6. COMPATIBILITY
+
+   This license is compatible with other permissive open-source licenses
+   such as MIT, BSD 2-Clause, BSD 3-Clause, and Apache License 2.0. It
+   is also GPL-compatible — this Software may coexist with GPL-licensed
+   code, though this Software itself is not distributed under the GPL.
+
+─────────────────────────────────────────────────────────────────────────────
+DISCLAIMER
+─────────────────────────────────────────────────────────────────────────────
+
+THIS SOFTWARE IS PROVIDED BY DATACULES LLC AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE,
+AND NON-INFRINGEMENT ARE DISCLAIMED.
+
+IN NO EVENT SHALL DATACULES LLC OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+─────────────────────────────────────────────────────────────────────────────
+SUMMARY (non-binding)
+─────────────────────────────────────────────────────────────────────────────
+
+  ✔  Use freely — commercial, proprietary, or open-source projects
+  ✔  Modify and distribute with or without changes
+  ✔  Sell products built on this Software
+  ✔  No royalties or fees
+  ✔  No requirement to open-source your own code
+  ✔  Attribution to Datacules LLC required in source and binary distributions
+  ✗  Do not use "Datacules LLC" to endorse derived products without permission
+
+─────────────────────────────────────────────────────────────────────────────
+CONTACT
+─────────────────────────────────────────────────────────────────────────────
+
+Datacules LLC
+For licensing enquiries: legal@datacules.com
+Product: https://github.com/hvrcharon1/agent-identity

package/dist/cjs/caller.js

@@ -0,0 +1,101 @@
+"use strict";
+/**
+ * McpToolCaller — utility for calling arbitrary tools on a connected
+ * agent-identity MCP server from application code.
+ *
+ * While McpCredentialStore handles the CredentialStore contract,
+ * McpToolCaller lets you call any tool (resolve_credential,
+ * resolve_migration_credential, health, etc.) directly — useful
+ * when you want the MCP server to perform the resolution and return
+ * the result without going through a local CredentialRouter.
+ *
+ * Example:
+ *   const caller = new McpToolCaller({ transport: 'http', serverUrl: 'http://localhost:3002' });
+ *   const result = await caller.resolveCredential({ userId: 'u1', ... });
+ *   await caller.disconnect();
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.McpToolCaller = void 0;
+const index_js_1 = require("@modelcontextprotocol/sdk/client/index.js");
+const sse_js_1 = require("@modelcontextprotocol/sdk/client/sse.js");
+const stdio_js_1 = require("@modelcontextprotocol/sdk/client/stdio.js");
+/**
+ * Thin wrapper around the MCP SDK Client for calling agent-identity
+ * MCP tools directly. Connection is lazy and cached after first call.
+ */
+class McpToolCaller {
+    constructor(options) {
+        this.client = null;
+        this.connectPromise = null;
+        this.options = options;
+    }
+    // ── High-level helpers ─────────────────────────────────────────────────────
+    /** Resolve a credential via the remote MCP server */
+    async resolveCredential(ctx) {
+        return this.callTool('resolve_credential', ctx);
+    }
+    /** Resolve a migration credential pair via the remote MCP server */
+    async resolveMigrationCredential(ctx) {
+        return this.callTool('resolve_migration_credential', ctx);
+    }
+    /** Check the health of the remote agent-identity MCP server */
+    async health() {
+        return this.callTool('health', {});
+    }
+    // ── Generic tool call ────────────────────────────────────────────────────────
+    async callTool(toolName, args) {
+        await this.ensureConnected();
+        const result = await this.client.callTool({ name: toolName, arguments: args });
+        const text = result.content
+            .filter((c) => c.type === 'text')
+            .map((c) => c.text)
+            .join('');
+        let parsed;
+        try {
+            parsed = JSON.parse(text);
+        }
+        catch {
+            throw new Error(`[McpToolCaller] Tool "${toolName}" returned non-JSON: ${text.slice(0, 200)}`);
+        }
+        if (parsed?.error) {
+            throw new Error(`[McpToolCaller] Tool "${toolName}" error: ${parsed.error}`);
+        }
+        return parsed;
+    }
+    /** Disconnect from the remote MCP server */
+    async disconnect() {
+        if (this.client) {
+            await this.client.close();
+            this.client = null;
+        }
+    }
+    // ── Connection lifecycle ─────────────────────────────────────────────────
+    async ensureConnected() {
+        if (this.client)
+            return;
+        if (!this.connectPromise)
+            this.connectPromise = this._connect();
+        await this.connectPromise;
+        this.connectPromise = null;
+    }
+    async _connect() {
+        const opts = this.options;
+        this.client = new index_js_1.Client({ name: opts.clientName ?? 'agent-identity-mcp-caller', version: opts.clientVersion ?? '0.1.0' }, { capabilities: {} });
+        if (opts.transport === 'http') {
+            const sseUrl = new URL('/sse', opts.serverUrl);
+            const headers = {};
+            if (opts.authToken)
+                headers['Authorization'] = `Bearer ${opts.authToken}`;
+            await this.client.connect(new sse_js_1.SSEClientTransport(sseUrl, { requestInit: { headers } }));
+        }
+        else {
+            await this.client.connect(new stdio_js_1.StdioClientTransport({
+                command: opts.command,
+                args: opts.args ?? [],
+                env: opts.env,
+            }));
+        }
+    }
+}
+exports.McpToolCaller = McpToolCaller;
+//# sourceMappingURL=caller.js.map

package/dist/cjs/caller.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"caller.js","sourceRoot":"","sources":["../../src/caller.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;GAcG;;;AAEH,wEAAmE;AACnE,oEAA6E;AAC7E,wEAAiF;AA2BjF;;;GAGG;AACH,MAAa,aAAa;IAKxB,YAAY,OAA6B;QAJjC,WAAM,GAAkB,IAAI,CAAC;QAC7B,mBAAc,GAAyB,IAAI,CAAC;QAIlD,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;IACzB,CAAC;IAED,8EAA8E;IAE9E,qDAAqD;IACrD,KAAK,CAAC,iBAAiB,CACrB,GAA4B;QAE5B,OAAO,IAAI,CAAC,QAAQ,CAA2B,oBAAoB,EAAE,GAAG,CAAC,CAAC;IAC5E,CAAC;IAED,oEAAoE;IACpE,KAAK,CAAC,0BAA0B,CAC9B,GAA4B;QAE5B,OAAO,IAAI,CAAC,QAAQ,CAA0B,8BAA8B,EAAE,GAAG,CAAC,CAAC;IACrF,CAAC;IAED,+DAA+D;IAC/D,KAAK,CAAC,MAAM;QACV,OAAO,IAAI,CAAC,QAAQ,CAAe,QAAQ,EAAE,EAAE,CAAC,CAAC;IACnD,CAAC;IAED,gFAAgF;IAEhF,KAAK,CAAC,QAAQ,CACZ,QAAgB,EAChB,IAA6B;QAE7B,MAAM,IAAI,CAAC,eAAe,EAAE,CAAC;QAE7B,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAO,CAAC,QAAQ,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAEhF,MAAM,IAAI,GAAI,MAAM,CAAC,OAAiD;aACnE,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,MAAM,CAAC;aAChC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;aAClB,IAAI,CAAC,EAAE,CAAC,CAAC;QAEZ,IAAI,MAAS,CAAC;QACd,IAAI,CAAC;YACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAM,CAAC;QACjC,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,KAAK,CACb,yBAAyB,QAAQ,wBAAwB,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAC9E,CAAC;QACJ,CAAC;QAED,IAAK,MAAc,EAAE,KAAK,EAAE,CAAC;YAC3B,MAAM,IAAI,KAAK,CAAC,yBAAyB,QAAQ,YAAa,MAAc,CAAC,KAAK,EAAE,CAAC,CAAC;QACxF,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,4CAA4C;IAC5C,KAAK,CAAC,UAAU;QACd,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,MAAM,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;YAC1B,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC;QACrB,CAAC;IACH,CAAC;IAED,4EAA4E;IAEpE,KAAK,CAAC,eAAe;QAC3B,IAAI,IAAI,CAAC,MAAM;YAAE,OAAO;QACxB,IAAI,CAAC,IAAI,CAAC,cAAc;YAAE,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC;QAChE,MAAM,IAAI,CAAC,cAAc,CAAC;QAC1B,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC;IAC7B,CAAC;IAEO,KAAK,CAAC,QAAQ;QACpB,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC;QAC1B,IAAI,CAAC,MAAM,GAAG,IAAI,iBAAM,CACtB,EAAE,IAAI,EAAE,IAAI,CAAC,UAAU,IAAI,2BAA2B,EAAE,OAAO,EAAE,IAAI,CAAC,aAAa,IAAI,OAAO,EAAE,EAChG,EAAE,YAAY,EAAE,EAAE,EAAE,CACrB,CAAC;QAEF,IAAI,IAAI,CAAC,SAAS,KAAK,MAAM,EAAE,CAAC;YAC9B,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC;YAC/C,MAAM,OAAO,GAA2B,EAAE,CAAC;YAC3C,IAAI,IAAI,CAAC,SAAS;gBAAE,OAAO,CAAC,eAAe,CAAC,GAAG,UAAU,IAAI,CAAC,SAAS,EAAE,CAAC;YAC1E,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,2BAAkB,CAAC,MAAM,EAAE,EAAE,WAAW,EAAE,EAAE,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC;QAC1F,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,CACvB,IAAI,+BAAoB,CAAC;gBACvB,OAAO,EAAE,IAAI,CAAC,OAAO;gBACrB,IAAI,EAAE,IAAI,CAAC,IAAI,IAAI,EAAE;gBACrB,GAAG,EAAE,IAAI,CAAC,GAAG;aACd,CAAC,CACH,CAAC;QACJ,CAAC;IACH,CAAC;CACF;AApGD,sCAoGC"}

package/dist/cjs/index.js

@@ -0,0 +1,52 @@
+"use strict";
+/**
+ * @datacules/agent-identity-mcp-client
+ *
+ * Consumes external MCP servers as CredentialStores — the outbound direction
+ * of the agent-identity MCP integration.
+ *
+ * Exports:
+ *   McpCredentialStore   — CredentialStore impl that fetches credentials from
+ *                          any MCP server exposing a list_credentials tool
+ *   McpToolCaller        — thin client for calling any agent-identity MCP tool
+ *                          directly (resolve_credential, health, etc.)
+ *
+ * Both classes support two transports:
+ *   http   — SSE to a running HTTP+SSE agent-identity-mcp server
+ *   stdio  — spawns an MCP server process and communicates over stdio
+ *
+ * Example — plug McpCredentialStore into a CredentialRouter:
+ *
+ *   import { McpCredentialStore } from '@datacules/agent-identity-mcp-client';
+ *   import { createRouterFromStore } from '@datacules/agent-identity';
+ *
+ *   const store = new McpCredentialStore({
+ *     transport: 'http',
+ *     serverUrl: 'http://vault-mcp.internal:3002',
+ *     authToken: process.env.MCP_AUTH_TOKEN,
+ *   });
+ *
+ *   const router = createRouterFromStore(store, rules, logger);
+ *   const resolved = await router.resolveAsync(ctx);   // async path via store
+ *
+ *   // Clean up when done
+ *   process.on('SIGTERM', () => store.disconnect());
+ *
+ * Example — call the MCP server directly (no local router):
+ *
+ *   import { McpToolCaller } from '@datacules/agent-identity-mcp-client';
+ *
+ *   const caller = new McpToolCaller({
+ *     transport: 'http',
+ *     serverUrl: 'http://localhost:3002',
+ *   });
+ *   const result = await caller.resolveCredential({ userId: 'u1', ... });
+ *   await caller.disconnect();
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.McpToolCaller = exports.McpCredentialStore = void 0;
+var store_js_1 = require("./store.js");
+Object.defineProperty(exports, "McpCredentialStore", { enumerable: true, get: function () { return store_js_1.McpCredentialStore; } });
+var caller_js_1 = require("./caller.js");
+Object.defineProperty(exports, "McpToolCaller", { enumerable: true, get: function () { return caller_js_1.McpToolCaller; } });
+//# sourceMappingURL=index.js.map

package/dist/cjs/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2CG;;;AAEH,uCAAgD;AAAvC,8GAAA,kBAAkB,OAAA;AAE3B,yCAA4C;AAAnC,0GAAA,aAAa,OAAA"}

package/dist/cjs/store.js

@@ -0,0 +1,152 @@
+"use strict";
+/**
+ * McpCredentialStore — CredentialStore implementation that fetches
+ * credentials from an external MCP server.
+ *
+ * Implements the full CredentialStore interface from @datacules/agent-identity
+ * so it can be dropped into any CredentialRouter without any other changes:
+ *
+ *   import { McpCredentialStore } from '@datacules/agent-identity-mcp-client';
+ *   import { createRouterFromStore } from '@datacules/agent-identity';
+ *
+ *   const store = new McpCredentialStore({
+ *     serverUrl: 'http://localhost:3002',
+ *     authToken: process.env.MCP_AUTH_TOKEN,
+ *   });
+ *   const router = createRouterFromStore(store, rules, logger);
+ *
+ * The MCP server this client connects to MUST expose a `list_credentials`
+ * tool (i.e. another @datacules/agent-identity-mcp instance, a Vault MCP
+ * server, a 1Password MCP server, or any custom server following the same
+ * tool contract).
+ *
+ * Transport:
+ *   - For a remote HTTP+SSE server: provide serverUrl
+ *   - For an in-process stdio server (test / monorepo): provide serverProcess
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.McpCredentialStore = void 0;
+const index_js_1 = require("@modelcontextprotocol/sdk/client/index.js");
+const sse_js_1 = require("@modelcontextprotocol/sdk/client/sse.js");
+const stdio_js_1 = require("@modelcontextprotocol/sdk/client/stdio.js");
+// ─── McpCredentialStore ─────────────────────────────────────────────────────────
+/**
+ * CredentialStore implementation that pulls credentials from an external
+ * MCP server by calling its `list_credentials` tool.
+ *
+ * Credentials are cached in-memory for `cacheTtlMs` (default 60s) to avoid
+ * a round-trip on every router.resolve() call. Call invalidateCache() to
+ * force a fresh fetch on the next operation.
+ *
+ * The MCP client connection is lazy — the first store operation connects
+ * and caches the connection. Call disconnect() when the store is no longer
+ * needed (e.g. on process shutdown).
+ */
+class McpCredentialStore {
+    constructor(options) {
+        this.client = null;
+        this.cache = null;
+        this.connectPromise = null;
+        this.options = options;
+        this.cacheTtlMs = options.cacheTtlMs ?? 60000;
+    }
+    // ── Public CredentialStore interface ────────────────────────────────────────
+    async findByRef(ref) {
+        const all = await this.listActive();
+        return all.find((c) => c.ref === ref && c.status === 'active') ?? null;
+    }
+    async listActive() {
+        const cached = this.getFromCache();
+        if (cached)
+            return cached.filter((c) => c.status === 'active');
+        const fresh = await this.fetchFromServer();
+        return fresh.filter((c) => c.status === 'active');
+    }
+    async listByKind(kind) {
+        const all = await this.listActive();
+        return all.filter((c) => c.kind === kind);
+    }
+    // ── Cache management ──────────────────────────────────────────────────────
+    /** Force the next store operation to fetch fresh credentials from the server */
+    invalidateCache() {
+        this.cache = null;
+    }
+    getFromCache() {
+        if (!this.cache)
+            return null;
+        if (Date.now() > this.cache.expiresAt) {
+            this.cache = null;
+            return null;
+        }
+        return this.cache.credentials;
+    }
+    setCache(credentials) {
+        this.cache = { credentials, expiresAt: Date.now() + this.cacheTtlMs };
+    }
+    // ── MCP client lifecycle ─────────────────────────────────────────────────
+    async ensureConnected() {
+        if (this.client)
+            return;
+        // Serialize concurrent callers so we only connect once
+        if (!this.connectPromise)
+            this.connectPromise = this._connect();
+        await this.connectPromise;
+        this.connectPromise = null;
+    }
+    async _connect() {
+        const opts = this.options;
+        const clientName = opts.clientName ?? 'agent-identity-mcp-client';
+        const clientVersion = opts.clientVersion ?? '0.1.0';
+        this.client = new index_js_1.Client({ name: clientName, version: clientVersion }, { capabilities: {} });
+        if (opts.transport === 'http') {
+            const sseUrl = new URL('/sse', opts.serverUrl);
+            const headers = {};
+            if (opts.authToken)
+                headers['Authorization'] = `Bearer ${opts.authToken}`;
+            const transport = new sse_js_1.SSEClientTransport(sseUrl, { requestInit: { headers } });
+            await this.client.connect(transport);
+        }
+        else {
+            const transport = new stdio_js_1.StdioClientTransport({
+                command: opts.command,
+                args: opts.args ?? [],
+                env: opts.env,
+            });
+            await this.client.connect(transport);
+        }
+    }
+    /** Disconnect the MCP client and clear the cache. Call on process shutdown. */
+    async disconnect() {
+        this.invalidateCache();
+        if (this.client) {
+            await this.client.close();
+            this.client = null;
+        }
+    }
+    // ── Remote fetch ───────────────────────────────────────────────────────────
+    async fetchFromServer() {
+        await this.ensureConnected();
+        const result = await this.client.callTool({
+            name: 'list_credentials',
+            arguments: {},
+        });
+        const text = result.content
+            .filter((c) => c.type === 'text')
+            .map((c) => c.text)
+            .join('');
+        let parsed;
+        try {
+            parsed = JSON.parse(text);
+        }
+        catch {
+            throw new Error(`[McpCredentialStore] MCP server returned non-JSON response from list_credentials: ${text.slice(0, 200)}`);
+        }
+        if (!Array.isArray(parsed.credentials)) {
+            throw new Error('[McpCredentialStore] MCP server list_credentials response missing credentials array');
+        }
+        this.setCache(parsed.credentials);
+        return parsed.credentials;
+    }
+}
+exports.McpCredentialStore = McpCredentialStore;
+//# sourceMappingURL=store.js.map

package/dist/cjs/store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"store.js","sourceRoot":"","sources":["../../src/store.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;;;AAEH,wEAAmE;AACnE,oEAA6E;AAC7E,wEAAiF;AA+CjF,mFAAmF;AAEnF;;;;;;;;;;;GAWG;AACH,MAAa,kBAAkB;IAO7B,YAAY,OAAkC;QANtC,WAAM,GAAkB,IAAI,CAAC;QAC7B,UAAK,GAAsB,IAAI,CAAC;QAGhC,mBAAc,GAAyB,IAAI,CAAC;QAGlD,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;QACvB,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,KAAM,CAAC;IACjD,CAAC;IAED,+EAA+E;IAE/E,KAAK,CAAC,SAAS,CAAC,GAAW;QACzB,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;QACpC,OAAO,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,KAAK,GAAG,IAAI,CAAC,CAAC,MAAM,KAAK,QAAQ,CAAC,IAAI,IAAI,CAAC;IACzE,CAAC;IAED,KAAK,CAAC,UAAU;QACd,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,EAAE,CAAC;QACnC,IAAI,MAAM;YAAE,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC;QAC/D,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,eAAe,EAAE,CAAC;QAC3C,OAAO,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC;IACpD,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,IAAwB;QACvC,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;QACpC,OAAO,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,CAAC;IAC5C,CAAC;IAED,6EAA6E;IAE7E,gFAAgF;IAChF,eAAe;QACb,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC;IACpB,CAAC;IAEO,YAAY;QAClB,IAAI,CAAC,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAC;QAC7B,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,EAAE,CAAC;YAAC,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC;YAAC,OAAO,IAAI,CAAC;QAAC,CAAC;QAC1E,OAAO,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC;IAChC,CAAC;IAEO,QAAQ,CAAC,WAAyB;QACxC,IAAI,CAAC,KAAK,GAAG,EAAE,WAAW,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;IACxE,CAAC;IAED,4EAA4E;IAEpE,KAAK,CAAC,eAAe;QAC3B,IAAI,IAAI,CAAC,MAAM;YAAE,OAAO;QACxB,uDAAuD;QACvD,IAAI,CAAC,IAAI,CAAC,cAAc;YAAE,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC;QAChE,MAAM,IAAI,CAAC,cAAc,CAAC;QAC1B,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC;IAC7B,CAAC;IAEO,KAAK,CAAC,QAAQ;QACpB,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC;QAC1B,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,IAAI,2BAA2B,CAAC;QAClE,MAAM,aAAa,GAAG,IAAI,CAAC,aAAa,IAAI,OAAO,CAAC;QAEpD,IAAI,CAAC,MAAM,GAAG,IAAI,iBAAM,CACtB,EAAE,IAAI,EAAE,UAAU,EAAE,OAAO,EAAE,aAAa,EAAE,EAC5C,EAAE,YAAY,EAAE,EAAE,EAAE,CACrB,CAAC;QAEF,IAAI,IAAI,CAAC,SAAS,KAAK,MAAM,EAAE,CAAC;YAC9B,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC;YAC/C,MAAM,OAAO,GAA2B,EAAE,CAAC;YAC3C,IAAI,IAAI,CAAC,SAAS;gBAAE,OAAO,CAAC,eAAe,CAAC,GAAG,UAAU,IAAI,CAAC,SAAS,EAAE,CAAC;YAE1E,MAAM,SAAS,GAAG,IAAI,2BAAkB,CAAC,MAAM,EAAE,EAAE,WAAW,EAAE,EAAE,OAAO,EAAE,EAAE,CAAC,CAAC;YAC/E,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QACvC,CAAC;aAAM,CAAC;YACN,MAAM,SAAS,GAAG,IAAI,+BAAoB,CAAC;gBACzC,OAAO,EAAE,IAAI,CAAC,OAAO;gBACrB,IAAI,EAAE,IAAI,CAAC,IAAI,IAAI,EAAE;gBACrB,GAAG,EAAE,IAAI,CAAC,GAAG;aACd,CAAC,CAAC;YACH,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QACvC,CAAC;IACH,CAAC;IAED,+EAA+E;IAC/E,KAAK,CAAC,UAAU;QACd,IAAI,CAAC,eAAe,EAAE,CAAC;QACvB,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,MAAM,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;YAC1B,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC;QACrB,CAAC;IACH,CAAC;IAED,8EAA8E;IAEtE,KAAK,CAAC,eAAe;QAC3B,MAAM,IAAI,CAAC,eAAe,EAAE,CAAC;QAE7B,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAO,CAAC,QAAQ,CAAC;YACzC,IAAI,EAAE,kBAAkB;YACxB,SAAS,EAAE,EAAE;SACd,CAAC,CAAC;QAEH,MAAM,IAAI,GAAI,MAAM,CAAC,OAAiD;aACnE,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,MAAM,CAAC;aAChC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;aAClB,IAAI,CAAC,EAAE,CAAC,CAAC;QAEZ,IAAI,MAAsC,CAAC;QAC3C,IAAI,CAAC;YACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAC5B,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,KAAK,CACb,qFAAqF,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAC1G,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC;YACvC,MAAM,IAAI,KAAK,CACb,qFAAqF,CACtF,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;QAClC,OAAO,MAAM,CAAC,WAAW,CAAC;IAC5B,CAAC;CACF;AA/HD,gDA+HC"}

package/dist/esm/caller.js

@@ -0,0 +1,97 @@
+/**
+ * McpToolCaller — utility for calling arbitrary tools on a connected
+ * agent-identity MCP server from application code.
+ *
+ * While McpCredentialStore handles the CredentialStore contract,
+ * McpToolCaller lets you call any tool (resolve_credential,
+ * resolve_migration_credential, health, etc.) directly — useful
+ * when you want the MCP server to perform the resolution and return
+ * the result without going through a local CredentialRouter.
+ *
+ * Example:
+ *   const caller = new McpToolCaller({ transport: 'http', serverUrl: 'http://localhost:3002' });
+ *   const result = await caller.resolveCredential({ userId: 'u1', ... });
+ *   await caller.disconnect();
+ */
+import { Client } from '@modelcontextprotocol/sdk/client/index.js';
+import { SSEClientTransport } from '@modelcontextprotocol/sdk/client/sse.js';
+import { StdioClientTransport } from '@modelcontextprotocol/sdk/client/stdio.js';
+/**
+ * Thin wrapper around the MCP SDK Client for calling agent-identity
+ * MCP tools directly. Connection is lazy and cached after first call.
+ */
+export class McpToolCaller {
+    constructor(options) {
+        this.client = null;
+        this.connectPromise = null;
+        this.options = options;
+    }
+    // ── High-level helpers ─────────────────────────────────────────────────────
+    /** Resolve a credential via the remote MCP server */
+    async resolveCredential(ctx) {
+        return this.callTool('resolve_credential', ctx);
+    }
+    /** Resolve a migration credential pair via the remote MCP server */
+    async resolveMigrationCredential(ctx) {
+        return this.callTool('resolve_migration_credential', ctx);
+    }
+    /** Check the health of the remote agent-identity MCP server */
+    async health() {
+        return this.callTool('health', {});
+    }
+    // ── Generic tool call ────────────────────────────────────────────────────────
+    async callTool(toolName, args) {
+        await this.ensureConnected();
+        const result = await this.client.callTool({ name: toolName, arguments: args });
+        const text = result.content
+            .filter((c) => c.type === 'text')
+            .map((c) => c.text)
+            .join('');
+        let parsed;
+        try {
+            parsed = JSON.parse(text);
+        }
+        catch {
+            throw new Error(`[McpToolCaller] Tool "${toolName}" returned non-JSON: ${text.slice(0, 200)}`);
+        }
+        if (parsed?.error) {
+            throw new Error(`[McpToolCaller] Tool "${toolName}" error: ${parsed.error}`);
+        }
+        return parsed;
+    }
+    /** Disconnect from the remote MCP server */
+    async disconnect() {
+        if (this.client) {
+            await this.client.close();
+            this.client = null;
+        }
+    }
+    // ── Connection lifecycle ─────────────────────────────────────────────────
+    async ensureConnected() {
+        if (this.client)
+            return;
+        if (!this.connectPromise)
+            this.connectPromise = this._connect();
+        await this.connectPromise;
+        this.connectPromise = null;
+    }
+    async _connect() {
+        const opts = this.options;
+        this.client = new Client({ name: opts.clientName ?? 'agent-identity-mcp-caller', version: opts.clientVersion ?? '0.1.0' }, { capabilities: {} });
+        if (opts.transport === 'http') {
+            const sseUrl = new URL('/sse', opts.serverUrl);
+            const headers = {};
+            if (opts.authToken)
+                headers['Authorization'] = `Bearer ${opts.authToken}`;
+            await this.client.connect(new SSEClientTransport(sseUrl, { requestInit: { headers } }));
+        }
+        else {
+            await this.client.connect(new StdioClientTransport({
+                command: opts.command,
+                args: opts.args ?? [],
+                env: opts.env,
+            }));
+        }
+    }
+}
+//# sourceMappingURL=caller.js.map

package/dist/esm/caller.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"caller.js","sourceRoot":"","sources":["../../src/caller.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EAAE,MAAM,EAAE,MAAM,2CAA2C,CAAC;AACnE,OAAO,EAAE,kBAAkB,EAAE,MAAM,yCAAyC,CAAC;AAC7E,OAAO,EAAE,oBAAoB,EAAE,MAAM,2CAA2C,CAAC;AA2BjF;;;GAGG;AACH,MAAM,OAAO,aAAa;IAKxB,YAAY,OAA6B;QAJjC,WAAM,GAAkB,IAAI,CAAC;QAC7B,mBAAc,GAAyB,IAAI,CAAC;QAIlD,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;IACzB,CAAC;IAED,8EAA8E;IAE9E,qDAAqD;IACrD,KAAK,CAAC,iBAAiB,CACrB,GAA4B;QAE5B,OAAO,IAAI,CAAC,QAAQ,CAA2B,oBAAoB,EAAE,GAAG,CAAC,CAAC;IAC5E,CAAC;IAED,oEAAoE;IACpE,KAAK,CAAC,0BAA0B,CAC9B,GAA4B;QAE5B,OAAO,IAAI,CAAC,QAAQ,CAA0B,8BAA8B,EAAE,GAAG,CAAC,CAAC;IACrF,CAAC;IAED,+DAA+D;IAC/D,KAAK,CAAC,MAAM;QACV,OAAO,IAAI,CAAC,QAAQ,CAAe,QAAQ,EAAE,EAAE,CAAC,CAAC;IACnD,CAAC;IAED,gFAAgF;IAEhF,KAAK,CAAC,QAAQ,CACZ,QAAgB,EAChB,IAA6B;QAE7B,MAAM,IAAI,CAAC,eAAe,EAAE,CAAC;QAE7B,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAO,CAAC,QAAQ,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAEhF,MAAM,IAAI,GAAI,MAAM,CAAC,OAAiD;aACnE,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,MAAM,CAAC;aAChC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;aAClB,IAAI,CAAC,EAAE,CAAC,CAAC;QAEZ,IAAI,MAAS,CAAC;QACd,IAAI,CAAC;YACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAM,CAAC;QACjC,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,KAAK,CACb,yBAAyB,QAAQ,wBAAwB,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAC9E,CAAC;QACJ,CAAC;QAED,IAAK,MAAc,EAAE,KAAK,EAAE,CAAC;YAC3B,MAAM,IAAI,KAAK,CAAC,yBAAyB,QAAQ,YAAa,MAAc,CAAC,KAAK,EAAE,CAAC,CAAC;QACxF,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,4CAA4C;IAC5C,KAAK,CAAC,UAAU;QACd,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,MAAM,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;YAC1B,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC;QACrB,CAAC;IACH,CAAC;IAED,4EAA4E;IAEpE,KAAK,CAAC,eAAe;QAC3B,IAAI,IAAI,CAAC,MAAM;YAAE,OAAO;QACxB,IAAI,CAAC,IAAI,CAAC,cAAc;YAAE,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC;QAChE,MAAM,IAAI,CAAC,cAAc,CAAC;QAC1B,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC;IAC7B,CAAC;IAEO,KAAK,CAAC,QAAQ;QACpB,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC;QAC1B,IAAI,CAAC,MAAM,GAAG,IAAI,MAAM,CACtB,EAAE,IAAI,EAAE,IAAI,CAAC,UAAU,IAAI,2BAA2B,EAAE,OAAO,EAAE,IAAI,CAAC,aAAa,IAAI,OAAO,EAAE,EAChG,EAAE,YAAY,EAAE,EAAE,EAAE,CACrB,CAAC;QAEF,IAAI,IAAI,CAAC,SAAS,KAAK,MAAM,EAAE,CAAC;YAC9B,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC;YAC/C,MAAM,OAAO,GAA2B,EAAE,CAAC;YAC3C,IAAI,IAAI,CAAC,SAAS;gBAAE,OAAO,CAAC,eAAe,CAAC,GAAG,UAAU,IAAI,CAAC,SAAS,EAAE,CAAC;YAC1E,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,kBAAkB,CAAC,MAAM,EAAE,EAAE,WAAW,EAAE,EAAE,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC;QAC1F,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,CACvB,IAAI,oBAAoB,CAAC;gBACvB,OAAO,EAAE,IAAI,CAAC,OAAO;gBACrB,IAAI,EAAE,IAAI,CAAC,IAAI,IAAI,EAAE;gBACrB,GAAG,EAAE,IAAI,CAAC,GAAG;aACd,CAAC,CACH,CAAC;QACJ,CAAC;IACH,CAAC;CACF"}

package/dist/esm/index.js

@@ -0,0 +1,47 @@
+/**
+ * @datacules/agent-identity-mcp-client
+ *
+ * Consumes external MCP servers as CredentialStores — the outbound direction
+ * of the agent-identity MCP integration.
+ *
+ * Exports:
+ *   McpCredentialStore   — CredentialStore impl that fetches credentials from
+ *                          any MCP server exposing a list_credentials tool
+ *   McpToolCaller        — thin client for calling any agent-identity MCP tool
+ *                          directly (resolve_credential, health, etc.)
+ *
+ * Both classes support two transports:
+ *   http   — SSE to a running HTTP+SSE agent-identity-mcp server
+ *   stdio  — spawns an MCP server process and communicates over stdio
+ *
+ * Example — plug McpCredentialStore into a CredentialRouter:
+ *
+ *   import { McpCredentialStore } from '@datacules/agent-identity-mcp-client';
+ *   import { createRouterFromStore } from '@datacules/agent-identity';
+ *
+ *   const store = new McpCredentialStore({
+ *     transport: 'http',
+ *     serverUrl: 'http://vault-mcp.internal:3002',
+ *     authToken: process.env.MCP_AUTH_TOKEN,
+ *   });
+ *
+ *   const router = createRouterFromStore(store, rules, logger);
+ *   const resolved = await router.resolveAsync(ctx);   // async path via store
+ *
+ *   // Clean up when done
+ *   process.on('SIGTERM', () => store.disconnect());
+ *
+ * Example — call the MCP server directly (no local router):
+ *
+ *   import { McpToolCaller } from '@datacules/agent-identity-mcp-client';
+ *
+ *   const caller = new McpToolCaller({
+ *     transport: 'http',
+ *     serverUrl: 'http://localhost:3002',
+ *   });
+ *   const result = await caller.resolveCredential({ userId: 'u1', ... });
+ *   await caller.disconnect();
+ */
+export { McpCredentialStore } from './store.js';
+export { McpToolCaller } from './caller.js';
+//# sourceMappingURL=index.js.map

package/dist/esm/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2CG;AAEH,OAAO,EAAE,kBAAkB,EAAE,MAAM,YAAY,CAAC;AAEhD,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC"}