@kya-os/mcp-i-cloudflare 1.0.0

package/README.md

@@ -0,0 +1,458 @@
+# @kya-os/mcp-i-cloudflare
+
+Cloudflare Workers runtime for MCP-I (Model Context Protocol with Identity). Deploy cryptographically-signed MCP servers to Cloudflare's edge network with full identity support.
+
+## Features
+
+- ✅ **Full MCP-I Support**: Cryptographic signing of all tool responses
+- ✅ **Edge-Native**: Built for Cloudflare Workers with Web Crypto API
+- ✅ **Identity Management**: DID-based identity with Ed25519 keys
+- ✅ **Session Management**: Stateless sessions with nonce protection
+- ✅ **KV Storage**: Use Workers KV for nonce cache and identity
+- ✅ **Secrets Management**: Store private keys securely with Wrangler secrets
+- ✅ **Progressive Verification**: Optimized for edge performance
+
+## Quick Start
+
+### 1. Create a new project
+
+```bash
+npx @kya-os/create-mcpi-app my-agent --platform cloudflare --mode mcp-i
+cd my-agent
+```
+
+### 2. Install dependencies
+
+```bash
+npm install
+```
+
+### 3. Configure KV Namespace
+
+```bash
+# Create KV namespace for nonce cache
+npm run kv:create
+
+# Copy the ID from output and update wrangler.toml
+```
+
+### 4. Set Identity Secrets
+
+```bash
+# Generate identity locally (for development)
+npx mcpi init
+
+# Set secrets for production
+wrangler secret put MCP_IDENTITY_PRIVATE_KEY
+wrangler secret put MCP_IDENTITY_PUBLIC_KEY
+wrangler secret put MCP_IDENTITY_DID
+```
+
+### 5. Deploy
+
+```bash
+npm run deploy
+```
+
+## Manual Setup
+
+### Installation
+
+```bash
+npm install @kya-os/mcp-i-cloudflare @modelcontextprotocol/sdk hono zod
+```
+
+### Worker Implementation
+
+```typescript
+// src/index.ts
+import { Hono } from 'hono';
+import { cors } from 'hono/cors';
+import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+import { createMCPIServer, MCPICloudflareEnv } from '@kya-os/mcp-i-cloudflare';
+import { z } from 'zod';
+
+interface Env extends MCPICloudflareEnv {
+  NONCE_CACHE: KVNamespace;
+  // Optional for development
+  IDENTITY_KV?: KVNamespace;
+}
+
+const app = new Hono<{ Bindings: Env }>();
+
+// Enable CORS
+app.use('/*', cors({
+  origin: '*',
+  allowMethods: ['GET', 'POST', 'OPTIONS'],
+  allowHeaders: ['Content-Type', 'Authorization'],
+}));
+
+// Initialize MCP-I runtime
+let mcpiRuntime: ReturnType<typeof createMCPIServer> | null = null;
+let mcpServer: McpServer | null = null;
+
+const initialize = async (env: Env) => {
+  if (!mcpiRuntime) {
+    // Create MCP-I runtime
+    mcpiRuntime = createMCPIServer(env);
+    await mcpiRuntime.initialize();
+
+    // Create MCP server
+    mcpServer = new McpServer({
+      name: 'my-agent',
+      version: '1.0.0'
+    });
+
+    // Register tools with automatic signing
+    mcpServer.tool(
+      'greet',
+      'Greet a user',
+      z.object({ name: z.string() }),
+      async (args: any) => {
+        // Get session (in production, from request headers)
+        const session = await mcpiRuntime!.getCurrentSession();
+
+        // Process with automatic proof generation
+        return mcpiRuntime!.processToolCall(
+          'greet',
+          args,
+          async ({ name }) => ({
+            content: [{
+              type: 'text',
+              text: `Hello, ${name}!`
+            }]
+          }),
+          session
+        );
+      }
+    );
+  }
+  return { mcpiRuntime, mcpServer };
+};
+
+// Health check
+app.get('/health', (c) => {
+  return c.json({
+    status: 'healthy',
+    timestamp: new Date().toISOString()
+  });
+});
+
+// Identity endpoint
+app.get('/.well-known/mcp-identity', async (c) => {
+  const { mcpiRuntime } = await initialize(c.env);
+  const identity = await mcpiRuntime!.getIdentity();
+
+  return c.json({
+    did: identity.did,
+    keyId: identity.keyId,
+    publicKey: identity.publicKey
+  });
+});
+
+// MCP endpoint
+app.post('/mcp', async (c) => {
+  const { mcpServer } = await initialize(c.env);
+  const request = await c.req.json();
+
+  // Process MCP request
+  const response = await mcpServer!.handleRequest(request);
+
+  return c.json(response);
+});
+
+export default app;
+```
+
+### wrangler.toml Configuration
+
+```toml
+name = "my-mcp-agent"
+main = "src/index.ts"
+compatibility_date = "2025-01-01"
+compatibility_flags = ["nodejs_compat"]
+
+# KV Namespace for nonce cache (required)
+[[kv_namespaces]]
+binding = "NONCE_CACHE"
+id = "your-kv-namespace-id"
+
+# Optional: KV for identity storage (development)
+# [[kv_namespaces]]
+# binding = "IDENTITY_KV"
+# id = "your-identity-kv-id"
+
+# Environment variables
+[vars]
+XMCP_I_TS_SKEW_SEC = "120"
+XMCP_I_SESSION_TTL = "1800"
+
+# Production environment
+[env.production]
+name = "my-mcp-agent-production"
+
+[[env.production.kv_namespaces]]
+binding = "NONCE_CACHE"
+id = "your-production-kv-id"
+```
+
+## Identity Management
+
+### Development
+
+For development, you can store identity in KV:
+
+```typescript
+// Identity stored in IDENTITY_KV namespace
+const env = {
+  IDENTITY_KV: kvNamespace,
+  NONCE_CACHE: nonceNamespace
+};
+```
+
+### Production
+
+For production, use Wrangler secrets:
+
+```bash
+# Generate identity locally
+npx mcpi init
+
+# Copy values from .mcpi/identity.json
+wrangler secret put MCP_IDENTITY_PRIVATE_KEY
+wrangler secret put MCP_IDENTITY_PUBLIC_KEY
+wrangler secret put MCP_IDENTITY_DID
+wrangler secret put MCP_IDENTITY_KEY_ID
+```
+
+## Tool Development
+
+Tools have the same format as Node.js MCP-I:
+
+```typescript
+// src/tools/weather.ts
+import { z } from 'zod';
+
+export const weatherTool = {
+  name: 'get_weather',
+  description: 'Get weather for a location',
+  inputSchema: z.object({
+    location: z.string(),
+    units: z.enum(['celsius', 'fahrenheit']).optional()
+  }),
+  handler: async ({ location, units = 'celsius' }) => {
+    // Tool implementation
+    const weather = await fetchWeather(location, units);
+
+    return {
+      content: [{
+        type: 'text',
+        text: `Weather in ${location}: ${weather.temp}°${units[0].toUpperCase()}`
+      }]
+    };
+  }
+};
+```
+
+## Verification Endpoints
+
+The runtime provides built-in verification endpoints:
+
+### Identity Verification
+```bash
+GET /.well-known/mcp-identity
+
+Response:
+{
+  "did": "did:key:z6MkhaXgBZD...",
+  "keyId": "did:key:z6MkhaXgBZD...#key-1",
+  "publicKey": "base64..."
+}
+```
+
+### Proof Verification
+```bash
+POST /verify
+
+Request:
+{
+  "data": { ... },
+  "proof": { ... }
+}
+
+Response:
+{
+  "valid": true,
+  "metadata": { ... }
+}
+```
+
+## Performance Optimization
+
+### Edge Caching
+
+Use KV with TTL for efficient caching:
+
+```typescript
+// Cache DID documents
+await env.CACHE_KV.put(
+  `did:${did}`,
+  JSON.stringify(document),
+  { expirationTtl: 3600 } // 1 hour
+);
+```
+
+### Progressive Verification
+
+The runtime supports progressive verification for optimal edge performance:
+
+```typescript
+// Stage-1: Quick offline checks (no network)
+const quickCheck = await runtime.verifyOffline(data);
+
+// Stage-2: Full verification (may use network)
+if (quickCheck.valid) {
+  const fullCheck = await runtime.verifyOnline(data);
+}
+```
+
+## Monitoring
+
+### Metrics
+
+Track MCP-I operations:
+
+```typescript
+// In your worker
+app.use('*', async (c, next) => {
+  const start = Date.now();
+  await next();
+
+  // Log to Analytics Engine or Workers Analytics
+  c.env.ANALYTICS.writeDataPoint({
+    endpoint: c.req.path,
+    duration: Date.now() - start,
+    status: c.res.status
+  });
+});
+```
+
+### Audit Logging
+
+Enable audit logging for security:
+
+```typescript
+const runtime = createMCPIServer({
+  ...env,
+  audit: {
+    enabled: true,
+    logFunction: (record) => {
+      // Send to Logflare, Datadog, etc.
+      env.LOGGER.log(record);
+    }
+  }
+});
+```
+
+## Deployment
+
+### Local Development
+
+```bash
+# Start local dev server
+npm run dev
+
+# Test endpoints
+curl http://localhost:8787/health
+curl http://localhost:8787/.well-known/mcp-identity
+```
+
+### Production Deployment
+
+```bash
+# Deploy to Cloudflare
+npm run deploy
+
+# Deploy to specific environment
+npm run deploy -- --env production
+
+# Check deployment
+wrangler tail
+```
+
+## Security Best Practices
+
+1. **Never commit private keys** - Use Wrangler secrets
+2. **Rotate keys regularly** - Use `mcpi rotate` command
+3. **Limit KV access** - Use least privilege bindings
+4. **Enable audit logging** - Track all operations
+5. **Use CORS properly** - Restrict origins in production
+6. **Monitor rate limits** - Implement request throttling
+
+## Troubleshooting
+
+### Common Issues
+
+**Error: No identity found**
+- Ensure secrets are set: `wrangler secret list`
+- Check KV binding in wrangler.toml
+
+**Error: Nonce already used**
+- Check KV namespace is configured
+- Verify TTL settings
+
+**Error: Timestamp outside window**
+- Check clock skew settings
+- Ensure client/server time sync
+
+## API Reference
+
+### MCPICloudflareRuntime
+
+```typescript
+class MCPICloudflareRuntime {
+  constructor(env: MCPICloudflareEnv);
+
+  async initialize(): Promise<void>;
+  async getIdentity(): Promise<AgentIdentity>;
+  async handleHandshake(request: HandshakeRequest): Promise<HandshakeResponse>;
+  async processToolCall(
+    toolName: string,
+    args: any,
+    handler: Function,
+    session: SessionContext
+  ): Promise<any>;
+  async verifyProof(data: any, proof: any): Promise<boolean>;
+}
+```
+
+### Environment Types
+
+```typescript
+interface MCPICloudflareEnv {
+  // Required
+  NONCE_CACHE: KVNamespace;
+
+  // Identity (use secrets in production)
+  MCP_IDENTITY_DID?: string;
+  MCP_IDENTITY_KEY_ID?: string;
+  MCP_IDENTITY_PRIVATE_KEY?: string;
+  MCP_IDENTITY_PUBLIC_KEY?: string;
+
+  // Optional
+  IDENTITY_KV?: KVNamespace;
+  STORAGE_KV?: KVNamespace;
+
+  // Configuration
+  XMCP_I_TS_SKEW_SEC?: string;
+  XMCP_I_SESSION_TTL?: string;
+}
+```
+
+## Examples
+
+See the [examples](../../examples/cloudflare-mcpi) directory for complete working examples.
+
+## License
+
+MIT

package/dist/index.d.ts

@@ -0,0 +1,40 @@
+/**
+ * @kya-os/mcp-i-cloudflare
+ *
+ * Cloudflare Workers implementation of MCP-I framework.
+ * Provides Web Crypto and KV-based providers for edge runtime.
+ */
+import { MCPIRuntimeBase } from '@kya-os/mcp-i-core';
+import { WebCryptoProvider } from './providers/crypto';
+import { KVStorageProvider, KVNonceCacheProvider, WorkersClockProvider, WorkersFetchProvider, WorkersIdentityProvider } from './providers/storage';
+export { WebCryptoProvider, KVStorageProvider, KVNonceCacheProvider, WorkersClockProvider, WorkersFetchProvider, WorkersIdentityProvider };
+export type { AgentIdentity } from '@kya-os/mcp-i-core';
+export interface CloudflareEnv {
+    NONCE_CACHE: KVNamespace;
+    IDENTITY_STORAGE?: KVNamespace;
+    MCP_IDENTITY_PRIVATE_KEY?: string;
+    MCP_IDENTITY_PUBLIC_KEY?: string;
+    MCP_IDENTITY_AGENT_DID?: string;
+}
+export interface MCPICloudflareConfig {
+    env: CloudflareEnv;
+    environment?: 'development' | 'production';
+    timestampSkewSeconds?: number;
+    sessionTtlMinutes?: number;
+    audit?: {
+        enabled: boolean;
+        logFunction?: (record: string) => void;
+    };
+}
+/**
+ * Create MCP-I runtime for Cloudflare Workers
+ */
+export declare function createCloudflareRuntime(config: MCPICloudflareConfig): MCPIRuntimeBase;
+/**
+ * MCP-I handler for Cloudflare Workers
+ */
+export declare function createMCPIHandler(config: MCPICloudflareConfig): {
+    fetch(request: Request): Promise<Response>;
+};
+export { MCPIRuntimeBase as CloudflareRuntime } from '@kya-os/mcp-i-core';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,eAAe,EAAwC,MAAM,oBAAoB,CAAC;AAC3F,OAAO,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AACvD,OAAO,EACL,iBAAiB,EACjB,oBAAoB,EACpB,oBAAoB,EACpB,oBAAoB,EACpB,uBAAuB,EACxB,MAAM,qBAAqB,CAAC;AAG7B,OAAO,EACL,iBAAiB,EACjB,iBAAiB,EACjB,oBAAoB,EACpB,oBAAoB,EACpB,oBAAoB,EACpB,uBAAuB,EACxB,CAAC;AAGF,YAAY,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAExD,MAAM,WAAW,aAAa;IAC5B,WAAW,EAAE,WAAW,CAAC;IACzB,gBAAgB,CAAC,EAAE,WAAW,CAAC;IAC/B,wBAAwB,CAAC,EAAE,MAAM,CAAC;IAClC,uBAAuB,CAAC,EAAE,MAAM,CAAC;IACjC,sBAAsB,CAAC,EAAE,MAAM,CAAC;CACjC;AAED,MAAM,WAAW,oBAAoB;IACnC,GAAG,EAAE,aAAa,CAAC;IACnB,WAAW,CAAC,EAAE,aAAa,GAAG,YAAY,CAAC;IAC3C,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,KAAK,CAAC,EAAE;QACN,OAAO,EAAE,OAAO,CAAC;QACjB,WAAW,CAAC,EAAE,CAAC,MAAM,EAAE,MAAM,KAAK,IAAI,CAAC;KACxC,CAAC;CACH;AAED;;GAEG;AACH,wBAAgB,uBAAuB,CAAC,MAAM,EAAE,oBAAoB,GAAG,eAAe,CAwBrF;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,oBAAoB;mBAIrC,OAAO,GAAG,OAAO,CAAC,QAAQ,CAAC;EAiEnD;AAGD,OAAO,EAAE,eAAe,IAAI,iBAAiB,EAAE,MAAM,oBAAoB,CAAC"}

package/dist/index.js

@@ -0,0 +1,103 @@
+/**
+ * @kya-os/mcp-i-cloudflare
+ *
+ * Cloudflare Workers implementation of MCP-I framework.
+ * Provides Web Crypto and KV-based providers for edge runtime.
+ */
+import { MCPIRuntimeBase } from '@kya-os/mcp-i-core';
+import { WebCryptoProvider } from './providers/crypto';
+import { KVStorageProvider, KVNonceCacheProvider, WorkersClockProvider, WorkersFetchProvider, WorkersIdentityProvider } from './providers/storage';
+// Re-export providers
+export { WebCryptoProvider, KVStorageProvider, KVNonceCacheProvider, WorkersClockProvider, WorkersFetchProvider, WorkersIdentityProvider };
+/**
+ * Create MCP-I runtime for Cloudflare Workers
+ */
+export function createCloudflareRuntime(config) {
+    const cryptoProvider = new WebCryptoProvider();
+    const clockProvider = new WorkersClockProvider();
+    const fetchProvider = new WorkersFetchProvider();
+    const storageProvider = new KVStorageProvider(config.env.IDENTITY_STORAGE || config.env.NONCE_CACHE);
+    const nonceCacheProvider = new KVNonceCacheProvider(config.env.NONCE_CACHE);
+    const identityProvider = new WorkersIdentityProvider(config.env, cryptoProvider);
+    const runtimeConfig = {
+        cryptoProvider,
+        clockProvider,
+        fetchProvider,
+        storageProvider,
+        nonceCacheProvider,
+        identityProvider,
+        environment: config.environment || 'production',
+        timestampSkewSeconds: config.timestampSkewSeconds || 120,
+        sessionTtlMinutes: config.sessionTtlMinutes || 30,
+        audit: config.audit
+    };
+    return new MCPIRuntimeBase(runtimeConfig);
+}
+/**
+ * MCP-I handler for Cloudflare Workers
+ */
+export function createMCPIHandler(config) {
+    const runtime = createCloudflareRuntime(config);
+    return {
+        async fetch(request) {
+            // Initialize runtime on first request
+            if (!runtime.getIdentity) {
+                await runtime.initialize();
+            }
+            const url = new URL(request.url);
+            // Handle well-known endpoints
+            if (url.pathname.startsWith('/.well-known/')) {
+                const handler = runtime.createWellKnownHandler();
+                const result = await handler(url.pathname);
+                if (result) {
+                    return new Response(JSON.stringify(result), {
+                        headers: {
+                            'Content-Type': 'application/json',
+                            'Access-Control-Allow-Origin': '*'
+                        }
+                    });
+                }
+            }
+            // Handle MCP requests
+            if (request.method === 'POST') {
+                try {
+                    const body = await request.json();
+                    // Handle handshake
+                    if (body.method === 'handshake') {
+                        const result = await runtime.handleHandshake(body.params);
+                        return new Response(JSON.stringify(result), {
+                            headers: { 'Content-Type': 'application/json' }
+                        });
+                    }
+                    // Handle tool calls
+                    if (body.method === 'tools/call') {
+                        // This would integrate with actual MCP SDK
+                        return new Response(JSON.stringify({
+                            result: 'Tool call handled'
+                        }), {
+                            headers: { 'Content-Type': 'application/json' }
+                        });
+                    }
+                    return new Response(JSON.stringify({
+                        error: 'Unknown method'
+                    }), {
+                        status: 400,
+                        headers: { 'Content-Type': 'application/json' }
+                    });
+                }
+                catch (error) {
+                    return new Response(JSON.stringify({
+                        error: error.message || 'Internal error'
+                    }), {
+                        status: 500,
+                        headers: { 'Content-Type': 'application/json' }
+                    });
+                }
+            }
+            return new Response('Method not allowed', { status: 405 });
+        }
+    };
+}
+// Export the runtime class for advanced usage
+export { MCPIRuntimeBase as CloudflareRuntime } from '@kya-os/mcp-i-core';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,eAAe,EAAwC,MAAM,oBAAoB,CAAC;AAC3F,OAAO,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AACvD,OAAO,EACL,iBAAiB,EACjB,oBAAoB,EACpB,oBAAoB,EACpB,oBAAoB,EACpB,uBAAuB,EACxB,MAAM,qBAAqB,CAAC;AAE7B,sBAAsB;AACtB,OAAO,EACL,iBAAiB,EACjB,iBAAiB,EACjB,oBAAoB,EACpB,oBAAoB,EACpB,oBAAoB,EACpB,uBAAuB,EACxB,CAAC;AAwBF;;GAEG;AACH,MAAM,UAAU,uBAAuB,CAAC,MAA4B;IAClE,MAAM,cAAc,GAAG,IAAI,iBAAiB,EAAE,CAAC;IAC/C,MAAM,aAAa,GAAG,IAAI,oBAAoB,EAAE,CAAC;IACjD,MAAM,aAAa,GAAG,IAAI,oBAAoB,EAAE,CAAC;IACjD,MAAM,eAAe,GAAG,IAAI,iBAAiB,CAC3C,MAAM,CAAC,GAAG,CAAC,gBAAgB,IAAI,MAAM,CAAC,GAAG,CAAC,WAAW,CACtD,CAAC;IACF,MAAM,kBAAkB,GAAG,IAAI,oBAAoB,CAAC,MAAM,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IAC5E,MAAM,gBAAgB,GAAG,IAAI,uBAAuB,CAAC,MAAM,CAAC,GAAG,EAAE,cAAc,CAAC,CAAC;IAEjF,MAAM,aAAa,GAAe;QAChC,cAAc;QACd,aAAa;QACb,aAAa;QACb,eAAe;QACf,kBAAkB;QAClB,gBAAgB;QAChB,WAAW,EAAE,MAAM,CAAC,WAAW,IAAI,YAAY;QAC/C,oBAAoB,EAAE,MAAM,CAAC,oBAAoB,IAAI,GAAG;QACxD,iBAAiB,EAAE,MAAM,CAAC,iBAAiB,IAAI,EAAE;QACjD,KAAK,EAAE,MAAM,CAAC,KAAK;KACpB,CAAC;IAEF,OAAO,IAAI,eAAe,CAAC,aAAa,CAAC,CAAC;AAC5C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAAC,MAA4B;IAC5D,MAAM,OAAO,GAAG,uBAAuB,CAAC,MAAM,CAAC,CAAC;IAEhD,OAAO;QACL,KAAK,CAAC,KAAK,CAAC,OAAgB;YAC1B,sCAAsC;YACtC,IAAI,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC;gBACzB,MAAM,OAAO,CAAC,UAAU,EAAE,CAAC;YAC7B,CAAC;YAED,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;YAEjC,8BAA8B;YAC9B,IAAI,GAAG,CAAC,QAAQ,CAAC,UAAU,CAAC,eAAe,CAAC,EAAE,CAAC;gBAC7C,MAAM,OAAO,GAAG,OAAO,CAAC,sBAAsB,EAAE,CAAC;gBACjD,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;gBAE3C,IAAI,MAAM,EAAE,CAAC;oBACX,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE;wBAC1C,OAAO,EAAE;4BACP,cAAc,EAAE,kBAAkB;4BAClC,6BAA6B,EAAE,GAAG;yBACnC;qBACF,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YAED,sBAAsB;YACtB,IAAI,OAAO,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;gBAC9B,IAAI,CAAC;oBACH,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,IAAI,EAAS,CAAC;oBAEzC,mBAAmB;oBACnB,IAAI,IAAI,CAAC,MAAM,KAAK,WAAW,EAAE,CAAC;wBAChC,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;wBAC1D,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE;4BAC1C,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;yBAChD,CAAC,CAAC;oBACL,CAAC;oBAED,oBAAoB;oBACpB,IAAI,IAAI,CAAC,MAAM,KAAK,YAAY,EAAE,CAAC;wBACjC,2CAA2C;wBAC3C,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC;4BACjC,MAAM,EAAE,mBAAmB;yBAC5B,CAAC,EAAE;4BACF,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;yBAChD,CAAC,CAAC;oBACL,CAAC;oBAED,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC;wBACjC,KAAK,EAAE,gBAAgB;qBACxB,CAAC,EAAE;wBACF,MAAM,EAAE,GAAG;wBACX,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;qBAChD,CAAC,CAAC;gBACL,CAAC;gBAAC,OAAO,KAAU,EAAE,CAAC;oBACpB,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC;wBACjC,KAAK,EAAE,KAAK,CAAC,OAAO,IAAI,gBAAgB;qBACzC,CAAC,EAAE;wBACF,MAAM,EAAE,GAAG;wBACX,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;qBAChD,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YAED,OAAO,IAAI,QAAQ,CAAC,oBAAoB,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;QAC7D,CAAC;KACF,CAAC;AACJ,CAAC;AAED,8CAA8C;AAC9C,OAAO,EAAE,eAAe,IAAI,iBAAiB,EAAE,MAAM,oBAAoB,CAAC"}

package/dist/providers/crypto.d.ts

@@ -0,0 +1,38 @@
+/**
+ * Web Crypto Provider for Cloudflare Workers
+ *
+ * Implements CryptoProvider using the Web Crypto API available in Workers.
+ */
+import { CryptoProvider } from '@kya-os/mcp-i-core';
+export declare class WebCryptoProvider extends CryptoProvider {
+    /**
+     * Sign data using Ed25519
+     */
+    sign(data: Uint8Array, privateKeyBase64: string): Promise<Uint8Array>;
+    /**
+     * Verify Ed25519 signature
+     */
+    verify(data: Uint8Array, signature: Uint8Array, publicKeyBase64: string): Promise<boolean>;
+    /**
+     * Generate Ed25519 key pair
+     */
+    generateKeyPair(): Promise<{
+        privateKey: string;
+        publicKey: string;
+    }>;
+    /**
+     * Calculate SHA-256 hash
+     */
+    hash(data: Uint8Array): Promise<Uint8Array>;
+    /**
+     * Generate random bytes
+     */
+    randomBytes(length: number): Promise<Uint8Array>;
+    private wrapPrivateKeyPKCS8;
+    private wrapPublicKeySPKI;
+    private extractRawPrivateKey;
+    private extractRawPublicKey;
+    private base64ToBytes;
+    private bytesToBase64;
+}
+//# sourceMappingURL=crypto.d.ts.map

package/dist/providers/crypto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../../src/providers/crypto.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AAEpD,qBAAa,iBAAkB,SAAQ,cAAc;IACnD;;OAEG;IACG,IAAI,CAAC,IAAI,EAAE,UAAU,EAAE,gBAAgB,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;IA0B3E;;OAEG;IACG,MAAM,CACV,IAAI,EAAE,UAAU,EAChB,SAAS,EAAE,UAAU,EACrB,eAAe,EAAE,MAAM,GACtB,OAAO,CAAC,OAAO,CAAC;IA6BnB;;OAEG;IACG,eAAe,IAAI,OAAO,CAAC;QAAE,UAAU,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAA;KAAE,CAAC;IAwB3E;;OAEG;IACG,IAAI,CAAC,IAAI,EAAE,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;IAKjD;;OAEG;IACG,WAAW,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;IAQtD,OAAO,CAAC,mBAAmB;IAoB3B,OAAO,CAAC,iBAAiB;IAgBzB,OAAO,CAAC,oBAAoB;IAM5B,OAAO,CAAC,mBAAmB;IAM3B,OAAO,CAAC,aAAa;IASrB,OAAO,CAAC,aAAa;CAOtB"}