npm - @datacules/agent-identity-mcp-client - Versions diffs - 0.10.0 → 0.11.1 - Mend

@datacules/agent-identity-mcp-client 0.10.0 → 0.11.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (25) hide show

package/LICENSE +109 -0
package/dist/cjs/caller.js +101 -0
package/dist/cjs/caller.js.map +1 -0
package/dist/cjs/index.js +52 -0
package/dist/cjs/index.js.map +1 -0
package/dist/cjs/store.js +152 -0
package/dist/cjs/store.js.map +1 -0
package/dist/esm/caller.js +97 -0
package/dist/esm/caller.js.map +1 -0
package/dist/esm/index.js +47 -0
package/dist/esm/index.js.map +1 -0
package/dist/esm/store.js +148 -0
package/dist/esm/store.js.map +1 -0
package/dist/types/caller.d.ts +58 -0
package/dist/types/caller.d.ts.map +1 -0
package/{src/index.ts → dist/types/index.d.ts} +1 -1
package/dist/types/index.d.ts.map +1 -0
package/dist/types/store.d.ts +89 -0
package/dist/types/store.d.ts.map +1 -0
package/package.json +22 -3
package/src/caller.ts +0 -150
package/src/mcp-client.test.ts +0 -201
package/src/store.ts +0 -217
package/tsconfig.build.json +0 -9
package/tsconfig.json +0 -10

package/src/mcp-client.test.ts DELETED Viewed

@@ -1,201 +0,0 @@
-import { describe, it, expect, vi, beforeEach } from 'vitest';
-// Mock MCP SDK modules — the lazy-connect pattern means these are only imported
-// at the module level but never called at runtime if we inject mock clients directly.
-vi.mock('@modelcontextprotocol/sdk/client/index.js', () => ({
-  Client: vi.fn(() => ({ callTool: vi.fn(), close: vi.fn(), connect: vi.fn() })),
-}));
-vi.mock('@modelcontextprotocol/sdk/client/sse.js', () => ({
-  SSEClientTransport: vi.fn(),
-}));
-vi.mock('@modelcontextprotocol/sdk/client/stdio.js', () => ({
-  StdioClientTransport: vi.fn(),
-}));
-import { McpCredentialStore } from './store.js';
-import { McpToolCaller } from './caller.js';
-import type { Credential } from '@datacules/agent-identity';
-const makeCred = (overrides: Partial<Credential> = {}): Credential => ({
-  id: 'cred-openai',
-  kind: 'fixed',
-  name: 'OpenAI Key',
-  scope: 'global',
-  status: 'active',
-  provider: 'openai',
-  ref: 'openai-prod-slot',
-  ...overrides,
-});
-/** Build the content array shape that McpCredentialStore / McpToolCaller expect from callTool() */
-const makeToolResult = (data: unknown) => ({
-  content: [{ type: 'text', text: JSON.stringify(data) }],
-});
-// ─── McpCredentialStore ──────────────────────────────────────────────────────
-describe('McpCredentialStore', () => {
-  let store: McpCredentialStore;
-  let mockCallTool: ReturnType<typeof vi.fn>;
-  let mockClose: ReturnType<typeof vi.fn>;
-  beforeEach(() => {
-    vi.clearAllMocks();
-    mockCallTool = vi.fn();
-    mockClose = vi.fn();
-    store = new McpCredentialStore({ transport: 'http', serverUrl: 'http://localhost:3002' });
-    // Inject a mock client — ensureConnected() checks `this.client` first, so _connect() is never called.
-    (store as any).client = { callTool: mockCallTool, close: mockClose };
-  });
-  describe('listActive()', () => {
-    it('returns only active credentials from the MCP server list_credentials response', async () => {
-      const active = makeCred({ id: 'cred-active', ref: 'active-slot' });
-      const pending = makeCred({ id: 'cred-pending', ref: 'pending-slot', status: 'pending' });
-      mockCallTool.mockResolvedValue(makeToolResult({ credentials: [active, pending] }));
-      const results = await store.listActive();
-      expect(results).toHaveLength(1);
-      expect(results[0]).toEqual(active);
-    });
-    it('caches results — calls list_credentials tool only once for two listActive() calls', async () => {
-      const cred = makeCred();
-      mockCallTool.mockResolvedValue(makeToolResult({ credentials: [cred] }));
-      await store.listActive();
-      await store.listActive();
-      // Second call hits cache; callTool should be called exactly once.
-      expect(mockCallTool).toHaveBeenCalledTimes(1);
-    });
-    it('invalidateCache() forces a fresh fetch on the next listActive() call', async () => {
-      const cred = makeCred();
-      mockCallTool.mockResolvedValue(makeToolResult({ credentials: [cred] }));
-      await store.listActive();
-      store.invalidateCache();
-      await store.listActive();
-      // Cache was cleared; callTool should have been called twice.
-      expect(mockCallTool).toHaveBeenCalledTimes(2);
-    });
-    it('throws with a non-JSON message when the server returns unparseable text', async () => {
-      mockCallTool.mockResolvedValue({ content: [{ type: 'text', text: 'not-json-at-all' }] });
-      await expect(store.listActive()).rejects.toThrow('non-JSON response');
-    });
-    it('throws with a missing-credentials-array message when the response has no credentials field', async () => {
-      mockCallTool.mockResolvedValue(makeToolResult({ data: [] }));
-      await expect(store.listActive()).rejects.toThrow('missing credentials array');
-    });
-  });
-  describe('findByRef()', () => {
-    it('returns the matching active credential by ref', async () => {
-      const cred = makeCred({ ref: 'openai-prod-slot' });
-      mockCallTool.mockResolvedValue(makeToolResult({ credentials: [cred] }));
-      expect(await store.findByRef('openai-prod-slot')).toEqual(cred);
-    });
-    it('returns null when the ref is not present in the server credential list', async () => {
-      const cred = makeCred({ ref: 'other-slot' });
-      mockCallTool.mockResolvedValue(makeToolResult({ credentials: [cred] }));
-      expect(await store.findByRef('missing-ref')).toBeNull();
-    });
-  });
-  describe('listByKind()', () => {
-    it('returns only credentials matching the requested kind', async () => {
-      const fixed = makeCred({ kind: 'fixed', id: 'cred-f', ref: 'fixed-slot' });
-      const delegated = makeCred({ kind: 'user-delegated', id: 'cred-u', ref: 'user-slot' });
-      mockCallTool.mockResolvedValue(makeToolResult({ credentials: [fixed, delegated] }));
-      const result = await store.listByKind('fixed');
-      expect(result).toHaveLength(1);
-      expect(result[0].kind).toBe('fixed');
-    });
-  });
-  describe('disconnect()', () => {
-    it('calls close() on the injected client and sets this.client to null', async () => {
-      await store.disconnect();
-      expect(mockClose).toHaveBeenCalled();
-      expect((store as any).client).toBeNull();
-    });
-  });
-});
-// ─── McpToolCaller ────────────────────────────────────────────────────────────
-describe('McpToolCaller', () => {
-  let caller: McpToolCaller;
-  let mockCallTool: ReturnType<typeof vi.fn>;
-  let mockClose: ReturnType<typeof vi.fn>;
-  beforeEach(() => {
-    vi.clearAllMocks();
-    mockCallTool = vi.fn();
-    mockClose = vi.fn();
-    caller = new McpToolCaller({ transport: 'http', serverUrl: 'http://localhost:3002' });
-    // Inject a mock client — ensureConnected() short-circuits on this.client
-    (caller as any).client = { callTool: mockCallTool, close: mockClose };
-  });
-  it('resolveCredential() calls the resolve_credential tool with forwarded args and returns parsed result', async () => {
-    const expected = { ok: true, credentialId: 'cred-1', kind: 'fixed', resolvedFor: 'service' };
-    mockCallTool.mockResolvedValue(makeToolResult(expected));
-    const result = await caller.resolveCredential({ userId: 'u1', provider: 'openai' });
-    expect(result).toEqual(expected);
-    expect(mockCallTool).toHaveBeenCalledWith({
-      name: 'resolve_credential',
-      arguments: { userId: 'u1', provider: 'openai' },
-    });
-  });
-  it('resolveMigrationCredential() calls the resolve_migration_credential tool and returns pair', async () => {
-    const expected = {
-      ok: true,
-      migrationId: 'mig-1',
-      source: { credentialId: 'src' },
-      target: { credentialId: 'tgt' },
-      expiresAt: null,
-    };
-    mockCallTool.mockResolvedValue(makeToolResult(expected));
-    const result = await caller.resolveMigrationCredential({ migrationId: 'mig-1' });
-    expect(result.migrationId).toBe('mig-1');
-    expect(mockCallTool).toHaveBeenCalledWith(
-      expect.objectContaining({ name: 'resolve_migration_credential' })
-    );
-  });
-  it('health() calls the health tool and returns the status object', async () => {
-    const expected = {
-      status: 'ok',
-      credentialsLoaded: 5,
-      rulesLoaded: 3,
-      timestamp: new Date().toISOString(),
-    };
-    mockCallTool.mockResolvedValue(makeToolResult(expected));
-    const result = await caller.health();
-    expect(result.status).toBe('ok');
-    expect(mockCallTool).toHaveBeenCalledWith({ name: 'health', arguments: {} });
-  });
-  it('callTool() generic escape hatch returns the parsed result for any tool', async () => {
-    mockCallTool.mockResolvedValue(makeToolResult({ foo: 'bar', count: 42 }));
-    const result = await caller.callTool('my_custom_tool', { arg: 1 });
-    expect(result).toEqual({ foo: 'bar', count: 42 });
-  });
-  it('throws with a non-JSON error when the tool returns unparseable text', async () => {
-    mockCallTool.mockResolvedValue({ content: [{ type: 'text', text: 'NOT JSON!' }] });
-    await expect(caller.callTool('my_tool', {})).rejects.toThrow('non-JSON');
-  });
-  it('throws with the tool error message when the parsed result contains an error field', async () => {
-    mockCallTool.mockResolvedValue(makeToolResult({ error: 'credential not found' }));
-    await expect(caller.callTool('resolve_credential', {})).rejects.toThrow('credential not found');
-  });
-  it('disconnect() calls close() on the injected client', async () => {
-    await caller.disconnect();
-    expect(mockClose).toHaveBeenCalled();
-  });
-});

package/src/store.ts DELETED Viewed

@@ -1,217 +0,0 @@
-/**
- * McpCredentialStore — CredentialStore implementation that fetches
- * credentials from an external MCP server.
- *
- * Implements the full CredentialStore interface from @datacules/agent-identity
- * so it can be dropped into any CredentialRouter without any other changes:
- *
- *   import { McpCredentialStore } from '@datacules/agent-identity-mcp-client';
- *   import { createRouterFromStore } from '@datacules/agent-identity';
- *
- *   const store = new McpCredentialStore({
- *     serverUrl: 'http://localhost:3002',
- *     authToken: process.env.MCP_AUTH_TOKEN,
- *   });
- *   const router = createRouterFromStore(store, rules, logger);
- *
- * The MCP server this client connects to MUST expose a `list_credentials`
- * tool (i.e. another @datacules/agent-identity-mcp instance, a Vault MCP
- * server, a 1Password MCP server, or any custom server following the same
- * tool contract).
- *
- * Transport:
- *   - For a remote HTTP+SSE server: provide serverUrl
- *   - For an in-process stdio server (test / monorepo): provide serverProcess
- */
-import { Client } from '@modelcontextprotocol/sdk/client/index.js';
-import { SSEClientTransport } from '@modelcontextprotocol/sdk/client/sse.js';
-import { StdioClientTransport } from '@modelcontextprotocol/sdk/client/stdio.js';
-import type { Credential, CredentialStore } from '@datacules/agent-identity';
-// ─── Options ───────────────────────────────────────────────────────────────────
-export interface McpCredentialStoreHttpOptions {
-  transport: 'http';
-  /**
-   * Base URL of the remote agent-identity MCP server.
-   * The SSE endpoint is expected at GET <serverUrl>/sse
-   * and messages at POST <serverUrl>/messages.
-   */
-  serverUrl: string;
-  /** Bearer token if the remote server requires auth */
-  authToken?: string;
-  /** Client name sent during MCP handshake (default: 'agent-identity-mcp-client') */
-  clientName?: string;
-  /** Client version (default: '0.1.0') */
-  clientVersion?: string;
-  /** TTL of the in-memory credential cache in ms (default: 60_000) */
-  cacheTtlMs?: number;
-}
-export interface McpCredentialStoreStdioOptions {
-  transport: 'stdio';
-  /** Command to spawn the MCP server process */
-  command: string;
-  /** Arguments passed to the spawned process */
-  args?: string[];
-  /** Environment variables for the spawned process */
-  env?: Record<string, string>;
-  clientName?: string;
-  clientVersion?: string;
-  cacheTtlMs?: number;
-}
-export type McpCredentialStoreOptions =
-  | McpCredentialStoreHttpOptions
-  | McpCredentialStoreStdioOptions;
-// ─── Cache entry ────────────────────────────────────────────────────────────
-interface CacheEntry {
-  credentials: Credential[];
-  expiresAt: number;
-}
-// ─── McpCredentialStore ─────────────────────────────────────────────────────────
-/**
- * CredentialStore implementation that pulls credentials from an external
- * MCP server by calling its `list_credentials` tool.
- *
- * Credentials are cached in-memory for `cacheTtlMs` (default 60s) to avoid
- * a round-trip on every router.resolve() call. Call invalidateCache() to
- * force a fresh fetch on the next operation.
- *
- * The MCP client connection is lazy — the first store operation connects
- * and caches the connection. Call disconnect() when the store is no longer
- * needed (e.g. on process shutdown).
- */
-export class McpCredentialStore implements CredentialStore {
-  private client: Client | null = null;
-  private cache: CacheEntry | null = null;
-  private readonly cacheTtlMs: number;
-  private readonly options: McpCredentialStoreOptions;
-  private connectPromise: Promise<void> | null = null;
-  constructor(options: McpCredentialStoreOptions) {
-    this.options = options;
-    this.cacheTtlMs = options.cacheTtlMs ?? 60_000;
-  }
-  // ── Public CredentialStore interface ────────────────────────────────────────
-  async findByRef(ref: string): Promise<Credential | null> {
-    const all = await this.listActive();
-    return all.find((c) => c.ref === ref && c.status === 'active') ?? null;
-  }
-  async listActive(): Promise<Credential[]> {
-    const cached = this.getFromCache();
-    if (cached) return cached.filter((c) => c.status === 'active');
-    const fresh = await this.fetchFromServer();
-    return fresh.filter((c) => c.status === 'active');
-  }
-  async listByKind(kind: Credential['kind']): Promise<Credential[]> {
-    const all = await this.listActive();
-    return all.filter((c) => c.kind === kind);
-  }
-  // ── Cache management ──────────────────────────────────────────────────────
-  /** Force the next store operation to fetch fresh credentials from the server */
-  invalidateCache(): void {
-    this.cache = null;
-  }
-  private getFromCache(): Credential[] | null {
-    if (!this.cache) return null;
-    if (Date.now() > this.cache.expiresAt) { this.cache = null; return null; }
-    return this.cache.credentials;
-  }
-  private setCache(credentials: Credential[]): void {
-    this.cache = { credentials, expiresAt: Date.now() + this.cacheTtlMs };
-  }
-  // ── MCP client lifecycle ─────────────────────────────────────────────────
-  private async ensureConnected(): Promise<void> {
-    if (this.client) return;
-    // Serialize concurrent callers so we only connect once
-    if (!this.connectPromise) this.connectPromise = this._connect();
-    await this.connectPromise;
-    this.connectPromise = null;
-  }
-  private async _connect(): Promise<void> {
-    const opts = this.options;
-    const clientName = opts.clientName ?? 'agent-identity-mcp-client';
-    const clientVersion = opts.clientVersion ?? '0.1.0';
-    this.client = new Client(
-      { name: clientName, version: clientVersion },
-      { capabilities: {} }
-    );
-    if (opts.transport === 'http') {
-      const sseUrl = new URL('/sse', opts.serverUrl);
-      const headers: Record<string, string> = {};
-      if (opts.authToken) headers['Authorization'] = `Bearer ${opts.authToken}`;
-      const transport = new SSEClientTransport(sseUrl, { headers });
-      await this.client.connect(transport);
-    } else {
-      const transport = new StdioClientTransport({
-        command: opts.command,
-        args: opts.args ?? [],
-        env: opts.env,
-      });
-      await this.client.connect(transport);
-    }
-  }
-  /** Disconnect the MCP client and clear the cache. Call on process shutdown. */
-  async disconnect(): Promise<void> {
-    this.invalidateCache();
-    if (this.client) {
-      await this.client.close();
-      this.client = null;
-    }
-  }
-  // ── Remote fetch ───────────────────────────────────────────────────────────
-  private async fetchFromServer(): Promise<Credential[]> {
-    await this.ensureConnected();
-    const result = await this.client!.callTool({
-      name: 'list_credentials',
-      arguments: {},
-    });
-    const text = (result.content as Array<{ type: string; text: string }>)
-      .filter((c) => c.type === 'text')
-      .map((c) => c.text)
-      .join('');
-    let parsed: { credentials?: Credential[] };
-    try {
-      parsed = JSON.parse(text);
-    } catch {
-      throw new Error(
-        `[McpCredentialStore] MCP server returned non-JSON response from list_credentials: ${text.slice(0, 200)}`
-      );
-    }
-    if (!Array.isArray(parsed.credentials)) {
-      throw new Error(
-        '[McpCredentialStore] MCP server list_credentials response missing credentials array'
-      );
-    }
-    this.setCache(parsed.credentials);
-    return parsed.credentials;
-  }
-}

package/tsconfig.build.json DELETED Viewed

@@ -1,9 +0,0 @@
-{
-  "extends": "./tsconfig.json",
-  "compilerOptions": {
-    "declarationOnly": false,
-    "outDir": "dist/esm",
-    "module": "ESNext",
-    "moduleResolution": "Bundler"
-  }
-}

package/tsconfig.json DELETED Viewed

@@ -1,10 +0,0 @@
-{
-  "extends": "../../../tsconfig.json",
-  "compilerOptions": {
-    "rootDir": "src",
-    "outDir": "dist/types",
-    "declaration": true,
-    "declarationOnly": true
-  },
-  "include": ["src"]
-}