@datacules/agent-identity-mcp-client 0.11.0 → 0.11.1

package/dist/esm/store.js

@@ -0,0 +1,148 @@
+/**
+ * McpCredentialStore — CredentialStore implementation that fetches
+ * credentials from an external MCP server.
+ *
+ * Implements the full CredentialStore interface from @datacules/agent-identity
+ * so it can be dropped into any CredentialRouter without any other changes:
+ *
+ *   import { McpCredentialStore } from '@datacules/agent-identity-mcp-client';
+ *   import { createRouterFromStore } from '@datacules/agent-identity';
+ *
+ *   const store = new McpCredentialStore({
+ *     serverUrl: 'http://localhost:3002',
+ *     authToken: process.env.MCP_AUTH_TOKEN,
+ *   });
+ *   const router = createRouterFromStore(store, rules, logger);
+ *
+ * The MCP server this client connects to MUST expose a `list_credentials`
+ * tool (i.e. another @datacules/agent-identity-mcp instance, a Vault MCP
+ * server, a 1Password MCP server, or any custom server following the same
+ * tool contract).
+ *
+ * Transport:
+ *   - For a remote HTTP+SSE server: provide serverUrl
+ *   - For an in-process stdio server (test / monorepo): provide serverProcess
+ */
+import { Client } from '@modelcontextprotocol/sdk/client/index.js';
+import { SSEClientTransport } from '@modelcontextprotocol/sdk/client/sse.js';
+import { StdioClientTransport } from '@modelcontextprotocol/sdk/client/stdio.js';
+// ─── McpCredentialStore ─────────────────────────────────────────────────────────
+/**
+ * CredentialStore implementation that pulls credentials from an external
+ * MCP server by calling its `list_credentials` tool.
+ *
+ * Credentials are cached in-memory for `cacheTtlMs` (default 60s) to avoid
+ * a round-trip on every router.resolve() call. Call invalidateCache() to
+ * force a fresh fetch on the next operation.
+ *
+ * The MCP client connection is lazy — the first store operation connects
+ * and caches the connection. Call disconnect() when the store is no longer
+ * needed (e.g. on process shutdown).
+ */
+export class McpCredentialStore {
+    constructor(options) {
+        this.client = null;
+        this.cache = null;
+        this.connectPromise = null;
+        this.options = options;
+        this.cacheTtlMs = options.cacheTtlMs ?? 60000;
+    }
+    // ── Public CredentialStore interface ────────────────────────────────────────
+    async findByRef(ref) {
+        const all = await this.listActive();
+        return all.find((c) => c.ref === ref && c.status === 'active') ?? null;
+    }
+    async listActive() {
+        const cached = this.getFromCache();
+        if (cached)
+            return cached.filter((c) => c.status === 'active');
+        const fresh = await this.fetchFromServer();
+        return fresh.filter((c) => c.status === 'active');
+    }
+    async listByKind(kind) {
+        const all = await this.listActive();
+        return all.filter((c) => c.kind === kind);
+    }
+    // ── Cache management ──────────────────────────────────────────────────────
+    /** Force the next store operation to fetch fresh credentials from the server */
+    invalidateCache() {
+        this.cache = null;
+    }
+    getFromCache() {
+        if (!this.cache)
+            return null;
+        if (Date.now() > this.cache.expiresAt) {
+            this.cache = null;
+            return null;
+        }
+        return this.cache.credentials;
+    }
+    setCache(credentials) {
+        this.cache = { credentials, expiresAt: Date.now() + this.cacheTtlMs };
+    }
+    // ── MCP client lifecycle ─────────────────────────────────────────────────
+    async ensureConnected() {
+        if (this.client)
+            return;
+        // Serialize concurrent callers so we only connect once
+        if (!this.connectPromise)
+            this.connectPromise = this._connect();
+        await this.connectPromise;
+        this.connectPromise = null;
+    }
+    async _connect() {
+        const opts = this.options;
+        const clientName = opts.clientName ?? 'agent-identity-mcp-client';
+        const clientVersion = opts.clientVersion ?? '0.1.0';
+        this.client = new Client({ name: clientName, version: clientVersion }, { capabilities: {} });
+        if (opts.transport === 'http') {
+            const sseUrl = new URL('/sse', opts.serverUrl);
+            const headers = {};
+            if (opts.authToken)
+                headers['Authorization'] = `Bearer ${opts.authToken}`;
+            const transport = new SSEClientTransport(sseUrl, { requestInit: { headers } });
+            await this.client.connect(transport);
+        }
+        else {
+            const transport = new StdioClientTransport({
+                command: opts.command,
+                args: opts.args ?? [],
+                env: opts.env,
+            });
+            await this.client.connect(transport);
+        }
+    }
+    /** Disconnect the MCP client and clear the cache. Call on process shutdown. */
+    async disconnect() {
+        this.invalidateCache();
+        if (this.client) {
+            await this.client.close();
+            this.client = null;
+        }
+    }
+    // ── Remote fetch ───────────────────────────────────────────────────────────
+    async fetchFromServer() {
+        await this.ensureConnected();
+        const result = await this.client.callTool({
+            name: 'list_credentials',
+            arguments: {},
+        });
+        const text = result.content
+            .filter((c) => c.type === 'text')
+            .map((c) => c.text)
+            .join('');
+        let parsed;
+        try {
+            parsed = JSON.parse(text);
+        }
+        catch {
+            throw new Error(`[McpCredentialStore] MCP server returned non-JSON response from list_credentials: ${text.slice(0, 200)}`);
+        }
+        if (!Array.isArray(parsed.credentials)) {
+            throw new Error('[McpCredentialStore] MCP server list_credentials response missing credentials array');
+        }
+        this.setCache(parsed.credentials);
+        return parsed.credentials;
+    }
+}
+//# sourceMappingURL=store.js.map

package/dist/esm/store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"store.js","sourceRoot":"","sources":["../../src/store.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAEH,OAAO,EAAE,MAAM,EAAE,MAAM,2CAA2C,CAAC;AACnE,OAAO,EAAE,kBAAkB,EAAE,MAAM,yCAAyC,CAAC;AAC7E,OAAO,EAAE,oBAAoB,EAAE,MAAM,2CAA2C,CAAC;AA+CjF,mFAAmF;AAEnF;;;;;;;;;;;GAWG;AACH,MAAM,OAAO,kBAAkB;IAO7B,YAAY,OAAkC;QANtC,WAAM,GAAkB,IAAI,CAAC;QAC7B,UAAK,GAAsB,IAAI,CAAC;QAGhC,mBAAc,GAAyB,IAAI,CAAC;QAGlD,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;QACvB,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,KAAM,CAAC;IACjD,CAAC;IAED,+EAA+E;IAE/E,KAAK,CAAC,SAAS,CAAC,GAAW;QACzB,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;QACpC,OAAO,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,KAAK,GAAG,IAAI,CAAC,CAAC,MAAM,KAAK,QAAQ,CAAC,IAAI,IAAI,CAAC;IACzE,CAAC;IAED,KAAK,CAAC,UAAU;QACd,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,EAAE,CAAC;QACnC,IAAI,MAAM;YAAE,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC;QAC/D,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,eAAe,EAAE,CAAC;QAC3C,OAAO,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC;IACpD,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,IAAwB;QACvC,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;QACpC,OAAO,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,CAAC;IAC5C,CAAC;IAED,6EAA6E;IAE7E,gFAAgF;IAChF,eAAe;QACb,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC;IACpB,CAAC;IAEO,YAAY;QAClB,IAAI,CAAC,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAC;QAC7B,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,EAAE,CAAC;YAAC,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC;YAAC,OAAO,IAAI,CAAC;QAAC,CAAC;QAC1E,OAAO,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC;IAChC,CAAC;IAEO,QAAQ,CAAC,WAAyB;QACxC,IAAI,CAAC,KAAK,GAAG,EAAE,WAAW,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;IACxE,CAAC;IAED,4EAA4E;IAEpE,KAAK,CAAC,eAAe;QAC3B,IAAI,IAAI,CAAC,MAAM;YAAE,OAAO;QACxB,uDAAuD;QACvD,IAAI,CAAC,IAAI,CAAC,cAAc;YAAE,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC;QAChE,MAAM,IAAI,CAAC,cAAc,CAAC;QAC1B,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC;IAC7B,CAAC;IAEO,KAAK,CAAC,QAAQ;QACpB,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC;QAC1B,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,IAAI,2BAA2B,CAAC;QAClE,MAAM,aAAa,GAAG,IAAI,CAAC,aAAa,IAAI,OAAO,CAAC;QAEpD,IAAI,CAAC,MAAM,GAAG,IAAI,MAAM,CACtB,EAAE,IAAI,EAAE,UAAU,EAAE,OAAO,EAAE,aAAa,EAAE,EAC5C,EAAE,YAAY,EAAE,EAAE,EAAE,CACrB,CAAC;QAEF,IAAI,IAAI,CAAC,SAAS,KAAK,MAAM,EAAE,CAAC;YAC9B,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC;YAC/C,MAAM,OAAO,GAA2B,EAAE,CAAC;YAC3C,IAAI,IAAI,CAAC,SAAS;gBAAE,OAAO,CAAC,eAAe,CAAC,GAAG,UAAU,IAAI,CAAC,SAAS,EAAE,CAAC;YAE1E,MAAM,SAAS,GAAG,IAAI,kBAAkB,CAAC,MAAM,EAAE,EAAE,WAAW,EAAE,EAAE,OAAO,EAAE,EAAE,CAAC,CAAC;YAC/E,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QACvC,CAAC;aAAM,CAAC;YACN,MAAM,SAAS,GAAG,IAAI,oBAAoB,CAAC;gBACzC,OAAO,EAAE,IAAI,CAAC,OAAO;gBACrB,IAAI,EAAE,IAAI,CAAC,IAAI,IAAI,EAAE;gBACrB,GAAG,EAAE,IAAI,CAAC,GAAG;aACd,CAAC,CAAC;YACH,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QACvC,CAAC;IACH,CAAC;IAED,+EAA+E;IAC/E,KAAK,CAAC,UAAU;QACd,IAAI,CAAC,eAAe,EAAE,CAAC;QACvB,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,MAAM,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;YAC1B,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC;QACrB,CAAC;IACH,CAAC;IAED,8EAA8E;IAEtE,KAAK,CAAC,eAAe;QAC3B,MAAM,IAAI,CAAC,eAAe,EAAE,CAAC;QAE7B,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAO,CAAC,QAAQ,CAAC;YACzC,IAAI,EAAE,kBAAkB;YACxB,SAAS,EAAE,EAAE;SACd,CAAC,CAAC;QAEH,MAAM,IAAI,GAAI,MAAM,CAAC,OAAiD;aACnE,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,MAAM,CAAC;aAChC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;aAClB,IAAI,CAAC,EAAE,CAAC,CAAC;QAEZ,IAAI,MAAsC,CAAC;QAC3C,IAAI,CAAC;YACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAC5B,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,KAAK,CACb,qFAAqF,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAC1G,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC;YACvC,MAAM,IAAI,KAAK,CACb,qFAAqF,CACtF,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;QAClC,OAAO,MAAM,CAAC,WAAW,CAAC;IAC5B,CAAC;CACF"}

package/dist/types/caller.d.ts

@@ -0,0 +1,58 @@
+/**
+ * McpToolCaller — utility for calling arbitrary tools on a connected
+ * agent-identity MCP server from application code.
+ *
+ * While McpCredentialStore handles the CredentialStore contract,
+ * McpToolCaller lets you call any tool (resolve_credential,
+ * resolve_migration_credential, health, etc.) directly — useful
+ * when you want the MCP server to perform the resolution and return
+ * the result without going through a local CredentialRouter.
+ *
+ * Example:
+ *   const caller = new McpToolCaller({ transport: 'http', serverUrl: 'http://localhost:3002' });
+ *   const result = await caller.resolveCredential({ userId: 'u1', ... });
+ *   await caller.disconnect();
+ */
+import type { McpCredentialStoreOptions } from './store.js';
+export type McpToolCallerOptions = McpCredentialStoreOptions;
+export interface ResolvedCredentialResult {
+    ok: boolean;
+    credentialId: string;
+    kind: 'fixed' | 'user-delegated';
+    resolvedFor: string;
+}
+export interface ResolvedMigrationResult {
+    ok: boolean;
+    migrationId: string;
+    source: ResolvedCredentialResult;
+    target: ResolvedCredentialResult;
+    expiresAt: string | null;
+}
+export interface HealthResult {
+    status: 'ok' | 'error';
+    credentialsLoaded: number;
+    rulesLoaded: number;
+    timestamp: string;
+}
+/**
+ * Thin wrapper around the MCP SDK Client for calling agent-identity
+ * MCP tools directly. Connection is lazy and cached after first call.
+ */
+export declare class McpToolCaller {
+    private client;
+    private connectPromise;
+    private readonly options;
+    constructor(options: McpToolCallerOptions);
+    /** Resolve a credential via the remote MCP server */
+    resolveCredential(ctx: Record<string, unknown>): Promise<ResolvedCredentialResult>;
+    /** Resolve a migration credential pair via the remote MCP server */
+    resolveMigrationCredential(ctx: Record<string, unknown>): Promise<ResolvedMigrationResult>;
+    /** Check the health of the remote agent-identity MCP server */
+    health(): Promise<HealthResult>;
+    callTool<T = unknown>(toolName: string, args: Record<string, unknown>): Promise<T>;
+    /** Disconnect from the remote MCP server */
+    disconnect(): Promise<void>;
+    private ensureConnected;
+    private _connect;
+}
+//# sourceMappingURL=caller.d.ts.map

package/dist/types/caller.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"caller.d.ts","sourceRoot":"","sources":["../../src/caller.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAKH,OAAO,KAAK,EAAE,yBAAyB,EAAE,MAAM,YAAY,CAAC;AAE5D,MAAM,MAAM,oBAAoB,GAAG,yBAAyB,CAAC;AAE7D,MAAM,WAAW,wBAAwB;IACvC,EAAE,EAAE,OAAO,CAAC;IACZ,YAAY,EAAE,MAAM,CAAC;IACrB,IAAI,EAAE,OAAO,GAAG,gBAAgB,CAAC;IACjC,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,uBAAuB;IACtC,EAAE,EAAE,OAAO,CAAC;IACZ,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,wBAAwB,CAAC;IACjC,MAAM,EAAE,wBAAwB,CAAC;IACjC,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;CAC1B;AAED,MAAM,WAAW,YAAY;IAC3B,MAAM,EAAE,IAAI,GAAG,OAAO,CAAC;IACvB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;;GAGG;AACH,qBAAa,aAAa;IACxB,OAAO,CAAC,MAAM,CAAuB;IACrC,OAAO,CAAC,cAAc,CAA8B;IACpD,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAuB;gBAEnC,OAAO,EAAE,oBAAoB;IAMzC,qDAAqD;IAC/C,iBAAiB,CACrB,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC3B,OAAO,CAAC,wBAAwB,CAAC;IAIpC,oEAAoE;IAC9D,0BAA0B,CAC9B,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC3B,OAAO,CAAC,uBAAuB,CAAC;IAInC,+DAA+D;IACzD,MAAM,IAAI,OAAO,CAAC,YAAY,CAAC;IAM/B,QAAQ,CAAC,CAAC,GAAG,OAAO,EACxB,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC5B,OAAO,CAAC,CAAC,CAAC;IA0Bb,4CAA4C;IACtC,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;YASnB,eAAe;YAOf,QAAQ;CAsBvB"}

package/{src/index.ts → dist/types/index.d.ts}

@@ -42,8 +42,8 @@
  *   const result = await caller.resolveCredential({ userId: 'u1', ... });
  *   await caller.disconnect();
  */
-
 export { McpCredentialStore } from './store.js';
 export type { McpCredentialStoreOptions, McpCredentialStoreHttpOptions, McpCredentialStoreStdioOptions } from './store.js';
 export { McpToolCaller } from './caller.js';
 export type { McpToolCallerOptions, ResolvedCredentialResult, ResolvedMigrationResult, HealthResult } from './caller.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/types/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2CG;AAEH,OAAO,EAAE,kBAAkB,EAAE,MAAM,YAAY,CAAC;AAChD,YAAY,EAAE,yBAAyB,EAAE,6BAA6B,EAAE,8BAA8B,EAAE,MAAM,YAAY,CAAC;AAC3H,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAC5C,YAAY,EAAE,oBAAoB,EAAE,wBAAwB,EAAE,uBAAuB,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC"}

package/dist/types/store.d.ts

@@ -0,0 +1,89 @@
+/**
+ * McpCredentialStore — CredentialStore implementation that fetches
+ * credentials from an external MCP server.
+ *
+ * Implements the full CredentialStore interface from @datacules/agent-identity
+ * so it can be dropped into any CredentialRouter without any other changes:
+ *
+ *   import { McpCredentialStore } from '@datacules/agent-identity-mcp-client';
+ *   import { createRouterFromStore } from '@datacules/agent-identity';
+ *
+ *   const store = new McpCredentialStore({
+ *     serverUrl: 'http://localhost:3002',
+ *     authToken: process.env.MCP_AUTH_TOKEN,
+ *   });
+ *   const router = createRouterFromStore(store, rules, logger);
+ *
+ * The MCP server this client connects to MUST expose a `list_credentials`
+ * tool (i.e. another @datacules/agent-identity-mcp instance, a Vault MCP
+ * server, a 1Password MCP server, or any custom server following the same
+ * tool contract).
+ *
+ * Transport:
+ *   - For a remote HTTP+SSE server: provide serverUrl
+ *   - For an in-process stdio server (test / monorepo): provide serverProcess
+ */
+import type { Credential, CredentialStore } from '@datacules/agent-identity';
+export interface McpCredentialStoreHttpOptions {
+    transport: 'http';
+    /**
+     * Base URL of the remote agent-identity MCP server.
+     * The SSE endpoint is expected at GET <serverUrl>/sse
+     * and messages at POST <serverUrl>/messages.
+     */
+    serverUrl: string;
+    /** Bearer token if the remote server requires auth */
+    authToken?: string;
+    /** Client name sent during MCP handshake (default: 'agent-identity-mcp-client') */
+    clientName?: string;
+    /** Client version (default: '0.1.0') */
+    clientVersion?: string;
+    /** TTL of the in-memory credential cache in ms (default: 60_000) */
+    cacheTtlMs?: number;
+}
+export interface McpCredentialStoreStdioOptions {
+    transport: 'stdio';
+    /** Command to spawn the MCP server process */
+    command: string;
+    /** Arguments passed to the spawned process */
+    args?: string[];
+    /** Environment variables for the spawned process */
+    env?: Record<string, string>;
+    clientName?: string;
+    clientVersion?: string;
+    cacheTtlMs?: number;
+}
+export type McpCredentialStoreOptions = McpCredentialStoreHttpOptions | McpCredentialStoreStdioOptions;
+/**
+ * CredentialStore implementation that pulls credentials from an external
+ * MCP server by calling its `list_credentials` tool.
+ *
+ * Credentials are cached in-memory for `cacheTtlMs` (default 60s) to avoid
+ * a round-trip on every router.resolve() call. Call invalidateCache() to
+ * force a fresh fetch on the next operation.
+ *
+ * The MCP client connection is lazy — the first store operation connects
+ * and caches the connection. Call disconnect() when the store is no longer
+ * needed (e.g. on process shutdown).
+ */
+export declare class McpCredentialStore implements CredentialStore {
+    private client;
+    private cache;
+    private readonly cacheTtlMs;
+    private readonly options;
+    private connectPromise;
+    constructor(options: McpCredentialStoreOptions);
+    findByRef(ref: string): Promise<Credential | null>;
+    listActive(): Promise<Credential[]>;
+    listByKind(kind: Credential['kind']): Promise<Credential[]>;
+    /** Force the next store operation to fetch fresh credentials from the server */
+    invalidateCache(): void;
+    private getFromCache;
+    private setCache;
+    private ensureConnected;
+    private _connect;
+    /** Disconnect the MCP client and clear the cache. Call on process shutdown. */
+    disconnect(): Promise<void>;
+    private fetchFromServer;
+}
+//# sourceMappingURL=store.d.ts.map

package/dist/types/store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"store.d.ts","sourceRoot":"","sources":["../../src/store.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAKH,OAAO,KAAK,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAC;AAI7E,MAAM,WAAW,6BAA6B;IAC5C,SAAS,EAAE,MAAM,CAAC;IAClB;;;;OAIG;IACH,SAAS,EAAE,MAAM,CAAC;IAClB,sDAAsD;IACtD,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,mFAAmF;IACnF,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,wCAAwC;IACxC,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,oEAAoE;IACpE,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,8BAA8B;IAC7C,SAAS,EAAE,OAAO,CAAC;IACnB,8CAA8C;IAC9C,OAAO,EAAE,MAAM,CAAC;IAChB,8CAA8C;IAC9C,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;IAChB,oDAAoD;IACpD,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC7B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,MAAM,yBAAyB,GACjC,6BAA6B,GAC7B,8BAA8B,CAAC;AAWnC;;;;;;;;;;;GAWG;AACH,qBAAa,kBAAmB,YAAW,eAAe;IACxD,OAAO,CAAC,MAAM,CAAuB;IACrC,OAAO,CAAC,KAAK,CAA2B;IACxC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;IACpC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAA4B;IACpD,OAAO,CAAC,cAAc,CAA8B;gBAExC,OAAO,EAAE,yBAAyB;IAOxC,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC;IAKlD,UAAU,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;IAOnC,UAAU,CAAC,IAAI,EAAE,UAAU,CAAC,MAAM,CAAC,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC;IAOjE,gFAAgF;IAChF,eAAe,IAAI,IAAI;IAIvB,OAAO,CAAC,YAAY;IAMpB,OAAO,CAAC,QAAQ;YAMF,eAAe;YAQf,QAAQ;IA2BtB,+EAA+E;IACzE,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;YAUnB,eAAe;CA+B9B"}

package/package.json

@@ -1,17 +1,36 @@
 {
   "name": "@datacules/agent-identity-mcp-client",
-  "version": "0.11.0",
+  "version": "0.11.1",
   "private": false,
   "description": "MCP client adapter for @datacules/agent-identity — consume external MCP servers as CredentialStores",
+  "author": "Datacules LLC",
+  "license": "SEE LICENSE IN LICENSE",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/hvrcharon1/agent-identity.git",
+    "directory": "packages/integrations/mcp-client"
+  },
   "main": "./dist/cjs/index.js",
   "module": "./dist/esm/index.js",
   "types": "./dist/types/index.d.ts",
+  "exports": {
+    ".": {
+      "import": "./dist/esm/index.js",
+      "require": "./dist/cjs/index.js",
+      "types": "./dist/types/index.d.ts"
+    }
+  },
+  "files": [
+    "dist",
+    "LICENSE",
+    "README.md"
+  ],
   "scripts": {
-    "build": "tsc -p tsconfig.build.json",
+    "build": "tsc -p tsconfig.build.json && tsc -p tsconfig.cjs.json",
     "type-check": "tsc --noEmit"
   },
   "peerDependencies": {
-    "@datacules/agent-identity": "^0.6.0"
+    "@datacules/agent-identity": "^0.11.1"
   },
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.10.0"

package/src/caller.ts

@@ -1,150 +0,0 @@
-/**
- * McpToolCaller — utility for calling arbitrary tools on a connected
- * agent-identity MCP server from application code.
- *
- * While McpCredentialStore handles the CredentialStore contract,
- * McpToolCaller lets you call any tool (resolve_credential,
- * resolve_migration_credential, health, etc.) directly — useful
- * when you want the MCP server to perform the resolution and return
- * the result without going through a local CredentialRouter.
- *
- * Example:
- *   const caller = new McpToolCaller({ transport: 'http', serverUrl: 'http://localhost:3002' });
- *   const result = await caller.resolveCredential({ userId: 'u1', ... });
- *   await caller.disconnect();
- */
-
-import { Client } from '@modelcontextprotocol/sdk/client/index.js';
-import { SSEClientTransport } from '@modelcontextprotocol/sdk/client/sse.js';
-import { StdioClientTransport } from '@modelcontextprotocol/sdk/client/stdio.js';
-import type { McpCredentialStoreOptions } from './store.js';
-
-export type McpToolCallerOptions = McpCredentialStoreOptions;
-
-export interface ResolvedCredentialResult {
-  ok: boolean;
-  credentialId: string;
-  kind: 'fixed' | 'user-delegated';
-  resolvedFor: string;
-}
-
-export interface ResolvedMigrationResult {
-  ok: boolean;
-  migrationId: string;
-  source: ResolvedCredentialResult;
-  target: ResolvedCredentialResult;
-  expiresAt: string | null;
-}
-
-export interface HealthResult {
-  status: 'ok' | 'error';
-  credentialsLoaded: number;
-  rulesLoaded: number;
-  timestamp: string;
-}
-
-/**
- * Thin wrapper around the MCP SDK Client for calling agent-identity
- * MCP tools directly. Connection is lazy and cached after first call.
- */
-export class McpToolCaller {
-  private client: Client | null = null;
-  private connectPromise: Promise<void> | null = null;
-  private readonly options: McpToolCallerOptions;
-
-  constructor(options: McpToolCallerOptions) {
-    this.options = options;
-  }
-
-  // ── High-level helpers ─────────────────────────────────────────────────────
-
-  /** Resolve a credential via the remote MCP server */
-  async resolveCredential(
-    ctx: Record<string, unknown>
-  ): Promise<ResolvedCredentialResult> {
-    return this.callTool<ResolvedCredentialResult>('resolve_credential', ctx);
-  }
-
-  /** Resolve a migration credential pair via the remote MCP server */
-  async resolveMigrationCredential(
-    ctx: Record<string, unknown>
-  ): Promise<ResolvedMigrationResult> {
-    return this.callTool<ResolvedMigrationResult>('resolve_migration_credential', ctx);
-  }
-
-  /** Check the health of the remote agent-identity MCP server */
-  async health(): Promise<HealthResult> {
-    return this.callTool<HealthResult>('health', {});
-  }
-
-  // ── Generic tool call ────────────────────────────────────────────────────────
-
-  async callTool<T = unknown>(
-    toolName: string,
-    args: Record<string, unknown>
-  ): Promise<T> {
-    await this.ensureConnected();
-
-    const result = await this.client!.callTool({ name: toolName, arguments: args });
-
-    const text = (result.content as Array<{ type: string; text: string }>)
-      .filter((c) => c.type === 'text')
-      .map((c) => c.text)
-      .join('');
-
-    let parsed: T;
-    try {
-      parsed = JSON.parse(text) as T;
-    } catch {
-      throw new Error(
-        `[McpToolCaller] Tool "${toolName}" returned non-JSON: ${text.slice(0, 200)}`
-      );
-    }
-
-    if ((parsed as any)?.error) {
-      throw new Error(`[McpToolCaller] Tool "${toolName}" error: ${(parsed as any).error}`);
-    }
-
-    return parsed;
-  }
-
-  /** Disconnect from the remote MCP server */
-  async disconnect(): Promise<void> {
-    if (this.client) {
-      await this.client.close();
-      this.client = null;
-    }
-  }
-
-  // ── Connection lifecycle ─────────────────────────────────────────────────
-
-  private async ensureConnected(): Promise<void> {
-    if (this.client) return;
-    if (!this.connectPromise) this.connectPromise = this._connect();
-    await this.connectPromise;
-    this.connectPromise = null;
-  }
-
-  private async _connect(): Promise<void> {
-    const opts = this.options;
-    this.client = new Client(
-      { name: opts.clientName ?? 'agent-identity-mcp-caller', version: opts.clientVersion ?? '0.1.0' },
-      { capabilities: {} }
-    );
-
-    if (opts.transport === 'http') {
-      const sseUrl = new URL('/sse', opts.serverUrl);
-      const headers: Record<string, string> = {};
-      if (opts.authToken) headers['Authorization'] = `Bearer ${opts.authToken}`;
-      await this.client.connect(new SSEClientTransport(sseUrl, { headers }));
-    } else {
-      await this.client.connect(
-        new StdioClientTransport({
-          command: opts.command,
-          args: opts.args ?? [],
-          env: opts.env,
-        })
-      );
-    }
-  }
-}