@datacules/agent-identity-mcp 0.11.0 → 0.11.1

package/src/tools.ts

@@ -1,217 +0,0 @@
-/**
- * MCP tool handler implementations for @datacules/agent-identity.
- *
- * Each exported function corresponds to one MCP tool:
- *   resolve_credential        — resolves credential for AgentRequestContext
- *   resolve_migration_credential — resolves source+target pair for MigrationContext
- *   list_credentials          — lists active credentials (safe metadata, no raw refs)
- *   list_rules                — lists routing rules
- *   health                    — liveness check
- *
- * Tool schemas use Zod and are exported as McpToolSchema objects so the
- * server index can register them with a single loop.
- */
-
-import { z } from 'zod';
-import { createRouterFromStore, MemoryCredentialStore } from '@datacules/agent-identity';
-import type {
-  AuditLogger,
-  Credential,
-  CredentialStore,
-  RoutingRule,
-} from '@datacules/agent-identity';
-
-// ─── Shared Zod schemas ───────────────────────────────────────────────────────
-
-const SupportedProviderSchema = z.enum(['openai', 'anthropic', 'gemini', 'mistral', 'local']);
-const ResourceKindSchema = z.enum(['shared', 'personal']);
-const MigrationPhaseSchema = z.enum(['dry-run', 'extract', 'transform', 'load', 'verify', 'rollback']);
-
-const BaseContextSchema = z.object({
-  userId: z.string().min(1),
-  resourceId: z.string().min(1),
-  resourceKind: ResourceKindSchema,
-  provider: SupportedProviderSchema,
-  model: z.string().min(1),
-  action: z.string().min(1),
-  traceId: z.string().min(1),
-  sessionId: z.string().optional(),
-  requestedAt: z.string().optional(),
-  parentTraceId: z.string().optional(),
-  mcpSessionId: z.string().optional(),
-  mcpClientId: z.string().optional(),
-});
-
-const ResolveCredentialSchema = BaseContextSchema;
-
-const ResolveMigrationSchema = BaseContextSchema.extend({
-  migrationId: z.string().min(1),
-  phase: MigrationPhaseSchema,
-  sourceResourceId: z.string().min(1),
-  targetResourceId: z.string().min(1),
-  batchIndex: z.number().int().nonnegative().optional(),
-  totalBatches: z.number().int().positive().optional(),
-  dryRun: z.boolean(),
-});
-
-// ─── Tool descriptor type ─────────────────────────────────────────────────────
-
-export interface McpToolDefinition {
-  name: string;
-  description: string;
-  inputSchema: z.ZodTypeAny;
-  handler: (input: unknown, deps: ToolDeps) => Promise<McpToolResult>;
-}
-
-export interface McpToolResult {
-  content: Array<{ type: 'text'; text: string }>;
-  isError?: boolean;
-}
-
-export interface ToolDeps {
-  store: CredentialStore;
-  rules: RoutingRule[];
-  logger?: AuditLogger;
-}
-
-// ─── Helper ───────────────────────────────────────────────────────────────────
-
-function ok(data: unknown): McpToolResult {
-  return { content: [{ type: 'text', text: JSON.stringify(data, null, 2) }] };
-}
-
-function err(message: string): McpToolResult {
-  return { content: [{ type: 'text', text: JSON.stringify({ error: message }) }], isError: true };
-}
-
-// ─── resolve_credential ───────────────────────────────────────────────────────
-
-const resolveCredentialTool: McpToolDefinition = {
-  name: 'resolve_credential',
-  description:
-    'Resolve the correct credential for an agent request. ' +
-    'Provide the full AgentRequestContext (userId, resourceId, resourceKind, provider, model, action, traceId). ' +
-    'Returns the resolved credential metadata — never the raw secret.',
-  inputSchema: ResolveCredentialSchema,
-  async handler(input, { store, rules, logger }) {
-    const parsed = ResolveCredentialSchema.safeParse(input);
-    if (!parsed.success) return err(`Validation error: ${parsed.error.message}`);
-
-    const ctx = {
-      ...parsed.data,
-      requestedAt: parsed.data.requestedAt ?? new Date().toISOString(),
-    };
-
-    const router = createRouterFromStore(store, rules, logger);
-    const resolved = router.resolve(ctx);
-    if (!resolved) return err('No credential resolved — no routing rule matched this context.');
-
-    return ok({
-      ok: true,
-      credentialId: resolved.credentialId,
-      kind: resolved.kind,
-      resolvedFor: resolved.resolvedFor,
-      // ref is intentionally omitted — never surface raw refs over MCP
-    });
-  },
-};
-
-// ─── resolve_migration_credential ─────────────────────────────────────────────
-
-const resolveMigrationCredentialTool: McpToolDefinition = {
-  name: 'resolve_migration_credential',
-  description:
-    'Resolve source and target credentials for a data migration workflow. ' +
-    'Requires a full MigrationContext including migrationId, phase, sourceResourceId, targetResourceId, and dryRun flag. ' +
-    'Returns both resolved credential metadata objects — never raw secrets.',
-  inputSchema: ResolveMigrationSchema,
-  async handler(input, { store, rules, logger }) {
-    const parsed = ResolveMigrationSchema.safeParse(input);
-    if (!parsed.success) return err(`Validation error: ${parsed.error.message}`);
-
-    const ctx = {
-      ...parsed.data,
-      requestedAt: parsed.data.requestedAt ?? new Date().toISOString(),
-    };
-
-    const router = createRouterFromStore(store, rules, logger);
-    const pair = router.resolvePair(ctx);
-    if (!pair) return err('No credential pair resolved — check that routing rules cover both sourceResourceId and targetResourceId.');
-
-    return ok({
-      ok: true,
-      migrationId: pair.migrationId,
-      source: { credentialId: pair.source.credentialId, kind: pair.source.kind, resolvedFor: pair.source.resolvedFor },
-      target: { credentialId: pair.target.credentialId, kind: pair.target.kind, resolvedFor: pair.target.resolvedFor },
-      expiresAt: pair.expiresAt ?? null,
-    });
-  },
-};
-
-// ─── list_credentials ─────────────────────────────────────────────────────────
-
-const listCredentialsTool: McpToolDefinition = {
-  name: 'list_credentials',
-  description:
-    'List all active credentials registered with this agent-identity server. ' +
-    'Returns safe metadata only (id, kind, name, scope, status, expiresAt). ' +
-    'Raw refs and secrets are never included.',
-  inputSchema: z.object({
-    kind: z.enum(['fixed', 'user-delegated']).optional().describe('Filter by credential kind'),
-  }),
-  async handler(input, { store }) {
-    const parsed = z.object({ kind: z.enum(['fixed', 'user-delegated']).optional() }).safeParse(input);
-    if (!parsed.success) return err(`Validation error: ${parsed.error.message}`);
-
-    const creds = parsed.data.kind
-      ? await store.listByKind(parsed.data.kind)
-      : await store.listActive();
-
-    const safe = creds.map(({ id, kind, name, scope, status, expiresAt }) => ({
-      id, kind, name, scope, status, expiresAt: expiresAt ?? null,
-    }));
-
-    return ok({ count: safe.length, credentials: safe });
-  },
-};
-
-// ─── list_rules ───────────────────────────────────────────────────────────────
-
-const listRulesTool: McpToolDefinition = {
-  name: 'list_rules',
-  description:
-    'List all routing rules registered with this agent-identity server, ' +
-    'ordered by priority (highest first). Useful for debugging credential routing.',
-  inputSchema: z.object({}),
-  async handler(_input, { rules }) {
-    const sorted = [...rules].sort((a, b) => b.priority - a.priority);
-    return ok({ count: sorted.length, rules: sorted });
-  },
-};
-
-// ─── health ───────────────────────────────────────────────────────────────────
-
-const healthTool: McpToolDefinition = {
-  name: 'health',
-  description: 'Check whether the agent-identity MCP server is healthy and how many credentials/rules are loaded.',
-  inputSchema: z.object({}),
-  async handler(_input, { store, rules }) {
-    const active = await store.listActive();
-    return ok({
-      status: 'ok',
-      credentialsLoaded: active.length,
-      rulesLoaded: rules.length,
-      timestamp: new Date().toISOString(),
-    });
-  },
-};
-
-// ─── Export all tools ─────────────────────────────────────────────────────────
-
-export const ALL_TOOLS: McpToolDefinition[] = [
-  resolveCredentialTool,
-  resolveMigrationCredentialTool,
-  listCredentialsTool,
-  listRulesTool,
-  healthTool,
-];

package/src/transports.ts

@@ -1,118 +0,0 @@
-/**
- * Transport helpers for @datacules/agent-identity-mcp.
- *
- * Provides two transports:
- *   - StdioServerTransport  : stdin/stdout, for Claude Desktop / Claude Code / Cursor config
- *   - createHttpMcpTransport: HTTP + SSE, for hosted / networked deployments
- *
- * The HTTP transport adds optional bearer-token auth. The SSE endpoint at
- * GET /sse initialises a session; the message endpoint at POST /messages
- * receives client tool calls and posts responses back over the SSE stream.
- */
-
-import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
-import { SSEServerTransport } from '@modelcontextprotocol/sdk/server/sse.js';
-import type { Server } from '@modelcontextprotocol/sdk/server/index.js';
-import type { IncomingMessage, ServerResponse } from 'node:http';
-
-export { StdioServerTransport };
-
-// ─── HTTP + SSE Transport ─────────────────────────────────────────────────────
-
-export interface HttpMcpTransportOptions {
-  /** MCP Server instance to connect the transport to */
-  server: Server;
-  /** TCP port to listen on (default: 3002) */
-  port?: number;
-  /** Bind address (default: '127.0.0.1') */
-  host?: string;
-  /**
-   * Optional static bearer token.
-   * Requests without a matching Authorization: Bearer <token> header are
-   * rejected with 401. Omit to allow unauthenticated connections (only
-   * appropriate on a private network / localhost).
-   */
-  authToken?: string;
-}
-
-/**
- * Start an HTTP + SSE MCP transport.
- *
- * Session lifecycle:
- *   1. Client opens GET /sse — transport creates an SSEServerTransport,
- *      connects it to the MCP Server, and starts streaming.
- *   2. Client POSTs tool calls to POST /messages?sessionId=<id>.
- *   3. Transport routes each message to the correct session and replies
- *      via the open SSE stream.
- *
- * Returns a cleanup function that closes the HTTP server.
- */
-export async function startHttpMcpTransport(options: HttpMcpTransportOptions): Promise<() => void> {
-  const { server, port = 3002, host = '127.0.0.1', authToken } = options;
-
-  // Session registry: sessionId → active SSEServerTransport
-  const sessions = new Map<string, SSEServerTransport>();
-
-  const http = await import('node:http');
-
-  function authenticate(req: IncomingMessage, res: ServerResponse): boolean {
-    if (!authToken) return true;
-    const header = req.headers['authorization'] ?? '';
-    if (header === `Bearer ${authToken}`) return true;
-    res.writeHead(401, { 'Content-Type': 'application/json' });
-    res.end(JSON.stringify({ error: 'Unauthorized — valid Bearer token required' }));
-    return false;
-  }
-
-  const httpServer = http.createServer(async (req: IncomingMessage, res: ServerResponse) => {
-    const url = new URL(req.url ?? '/', `http://${host}:${port}`);
-
-    // CORS for browser-based MCP clients
-    res.setHeader('Access-Control-Allow-Origin', '*');
-    res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
-    res.setHeader('Access-Control-Allow-Headers', 'Authorization, Content-Type');
-    if (req.method === 'OPTIONS') { res.writeHead(204); res.end(); return; }
-
-    if (!authenticate(req, res)) return;
-
-    // ── SSE session init ──────────────────────────────────────────────────
-    if (req.method === 'GET' && url.pathname === '/sse') {
-      const transport = new SSEServerTransport('/messages', res);
-      sessions.set(transport.sessionId, transport);
-
-      req.on('close', () => sessions.delete(transport.sessionId));
-
-      await server.connect(transport);
-      return;
-    }
-
-    // ── Incoming tool call message ────────────────────────────────────────
-    if (req.method === 'POST' && url.pathname === '/messages') {
-      const sessionId = url.searchParams.get('sessionId') ?? '';
-      const transport = sessions.get(sessionId);
-
-      if (!transport) {
-        res.writeHead(404, { 'Content-Type': 'application/json' });
-        res.end(JSON.stringify({ error: `Session ${sessionId} not found or expired` }));
-        return;
-      }
-
-      await transport.handlePostMessage(req, res);
-      return;
-    }
-
-    // ── Health probe (GET /) ──────────────────────────────────────────────
-    if (req.method === 'GET' && url.pathname === '/') {
-      res.writeHead(200, { 'Content-Type': 'application/json' });
-      res.end(JSON.stringify({ ok: true, sessions: sessions.size, transport: 'http+sse' }));
-      return;
-    }
-
-    res.writeHead(404); res.end();
-  });
-
-  await new Promise<void>((resolve) => httpServer.listen(port, host, resolve));
-  console.error(`[agent-identity-mcp] HTTP+SSE transport listening on http://${host}:${port}`);
-
-  return () => httpServer.close();
-}

package/src/types.ts

@@ -1,99 +0,0 @@
-/**
- * MCP-specific type extensions for @datacules/agent-identity.
- *
- * McpRequestContext extends AgentRequestContext with the MCP session and
- * client identifiers so audit logs can trace a credential resolution back
- * to the exact MCP session that triggered it.
- */
-
-import type { AgentRequestContext, MigrationContext } from '@datacules/agent-identity';
-
-// ─── MCP Request Context ──────────────────────────────────────────────────────
-
-/**
- * AgentRequestContext enriched with MCP session metadata.
- * Pass this to AgentIdentityMcpServer.resolve() for full audit trail.
- */
-export interface McpRequestContext extends AgentRequestContext {
-  /** MCP session ID from the active transport session */
-  mcpSessionId: string;
-  /** MCP client identifier (e.g. 'claude-desktop', 'cursor', 'windsurf') */
-  mcpClientId?: string;
-  /** MCP protocol version negotiated during handshake */
-  mcpProtocolVersion?: string;
-}
-
-/**
- * MigrationContext enriched with MCP session metadata.
- */
-export interface McpMigrationContext extends MigrationContext {
-  mcpSessionId: string;
-  mcpClientId?: string;
-  mcpProtocolVersion?: string;
-}
-
-// ─── Tool I/O shapes (validated by Zod in tools.ts) ──────────────────────────
-
-export interface ResolveCredentialInput {
-  userId: string;
-  resourceId: string;
-  resourceKind: 'shared' | 'personal';
-  provider: 'openai' | 'anthropic' | 'gemini' | 'mistral' | 'local';
-  model: string;
-  action: string;
-  traceId: string;
-  sessionId?: string;
-  requestedAt?: string;
-  parentTraceId?: string;
-  // MCP extensions
-  mcpSessionId?: string;
-  mcpClientId?: string;
-}
-
-export interface ResolveMigrationInput {
-  userId: string;
-  resourceId: string;
-  resourceKind: 'shared' | 'personal';
-  provider: 'openai' | 'anthropic' | 'gemini' | 'mistral' | 'local';
-  model: string;
-  action: string;
-  traceId: string;
-  migrationId: string;
-  phase: 'dry-run' | 'extract' | 'transform' | 'load' | 'verify' | 'rollback';
-  sourceResourceId: string;
-  targetResourceId: string;
-  batchIndex?: number;
-  totalBatches?: number;
-  dryRun: boolean;
-  requestedAt?: string;
-  mcpSessionId?: string;
-  mcpClientId?: string;
-}
-
-// ─── MCP Server Options ───────────────────────────────────────────────────────
-
-export interface AgentIdentityMcpServerOptions {
-  /**
-   * Server name sent during MCP handshake.
-   * Appears in the client's tool list as the server label.
-   */
-  name?: string;
-  /** Semantic version string reported during handshake */
-  version?: string;
-  /**
-   * Transport mode.
-   * - 'stdio'    : reads from stdin / writes to stdout (default; use for
-   *               Claude Desktop, Claude Code, Cursor, Windsurf configs)
-   * - 'http'     : HTTP + SSE transport on the specified port
-   */
-  transport?: 'stdio' | 'http';
-  /** Port for HTTP+SSE transport (default: 3002) */
-  httpPort?: number;
-  /** Host for HTTP+SSE transport (default: '127.0.0.1') */
-  httpHost?: string;
-  /**
-   * Optional bearer token required in MCP HTTP requests.
-   * Ignored for stdio transport.
-   */
-  httpAuthToken?: string;
-}

package/tsconfig.build.json

@@ -1,9 +0,0 @@
-{
-  "extends": "./tsconfig.json",
-  "compilerOptions": {
-    "declarationOnly": false,
-    "outDir": "dist/esm",
-    "module": "ESNext",
-    "moduleResolution": "Bundler"
-  }
-}

package/tsconfig.json

@@ -1,10 +0,0 @@
-{
-  "extends": "../../../tsconfig.json",
-  "compilerOptions": {
-    "rootDir": "src",
-    "outDir": "dist/types",
-    "declaration": true,
-    "declarationOnly": true
-  },
-  "include": ["src"]
-}