npm - @kya-os/mcp-i-cloudflare - Versions diffs - 1.2.3-canary.0 → 1.2.3-canary.10 - Mend

@kya-os/mcp-i-cloudflare 1.2.3-canary.0 → 1.2.3-canary.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (25) hide show

package/dist/adapter.d.ts +4 -5
package/dist/adapter.d.ts.map +1 -1
package/dist/adapter.js +54 -17
package/dist/adapter.js.map +1 -1
package/dist/cache/kv-tool-protection-cache.d.ts +46 -0
package/dist/cache/kv-tool-protection-cache.d.ts.map +1 -0
package/dist/cache/kv-tool-protection-cache.js +88 -0
package/dist/cache/kv-tool-protection-cache.js.map +1 -0
package/dist/index.d.ts +9 -3
package/dist/index.d.ts.map +1 -1
package/dist/index.js +22 -5
package/dist/index.js.map +1 -1
package/dist/proof-generator.d.ts +120 -0
package/dist/proof-generator.d.ts.map +1 -0
package/dist/proof-generator.js +238 -0
package/dist/proof-generator.js.map +1 -0
package/dist/providers/storage.d.ts +1 -1
package/dist/providers/storage.d.ts.map +1 -1
package/dist/providers/storage.js +8 -22
package/dist/providers/storage.js.map +1 -1
package/dist/runtime.d.ts +103 -0
package/dist/runtime.d.ts.map +1 -0
package/dist/runtime.js +185 -0
package/dist/runtime.js.map +1 -0
package/package.json +4 -3

package/dist/runtime.js ADDED Viewed

@@ -0,0 +1,185 @@
+/**
+ * CloudflareRuntime - Extended runtime with CloudflareProofGenerator
+ *
+ * Extends MCPIRuntimeBase with Cloudflare-specific proof generation
+ * using Web Crypto API instead of Node.js crypto.
+ *
+ * This runtime automatically uses CloudflareProofGenerator for all proof generation,
+ * producing full JWS compact format (header.payload.signature) compatible with
+ * AgentShield and the MCP-I proof specification.
+ */
+import { MCPIRuntimeBase, ToolProtectionService } from '@kya-os/mcp-i-core';
+import { CloudflareProofGenerator } from './proof-generator';
+import { KVToolProtectionCache } from './cache/kv-tool-protection-cache';
+export class CloudflareRuntime extends MCPIRuntimeBase {
+    proofGenerator;
+    lastDetachedProof;
+    lastToolCallContext;
+    constructor(config) {
+        super(config);
+    }
+    /**
+     * Initialize runtime and proof generator
+     */
+    async initialize() {
+        await super.initialize();
+        // Initialize CloudflareProofGenerator with identity
+        const identity = await this.getIdentity();
+        this.proofGenerator = new CloudflareProofGenerator(identity);
+        if (this.config.audit?.enabled) {
+            console.log('[MCP-I] CloudflareRuntime initialized with CloudflareProofGenerator');
+            console.log('[MCP-I] DID:', identity.did);
+        }
+    }
+    /**
+     * Override createProof to use CloudflareProofGenerator
+     *
+     * This returns a DetachedProof with full JWS format:
+     * - jws: Full compact JWS (header.payload.signature)
+     * - meta: ProofMeta with all required fields
+     *
+     * The proof is compatible with AgentShield and follows MCP-I specification.
+     */
+    async createProof(data, session) {
+        if (!this.proofGenerator) {
+            throw new Error('CloudflareProofGenerator not initialized. Call initialize() first.');
+        }
+        if (!session) {
+            throw new Error('Session required for proof generation');
+        }
+        // Ensure we have a nonce (generate one if not provided)
+        let nonce = session.nonce;
+        if (!nonce) {
+            nonce = await this.issueNonce(session.id);
+            // Store nonce back to session for consistency
+            session.nonce = nonce;
+        }
+        // Build ToolRequest from session data
+        // The processToolCall method should pass toolName in the session
+        const request = {
+            method: session.toolName || 'unknown',
+            params: session.toolParams || session.args || {},
+        };
+        // Build ToolResponse
+        const response = {
+            data,
+        };
+        // Build SessionContext for CloudflareProofGenerator
+        const sessionContext = {
+            nonce,
+            audience: session.audience || 'mcp-client',
+            sessionId: session.id,
+        };
+        // ✅ NEW: Determine scopeId from session or runtime config
+        let scopeId;
+        // Option 1: Get from session (if adapter passes it)
+        if (session?.scopeId) {
+            scopeId = session.scopeId;
+        }
+        // Option 2: Generate fallback from toolName
+        else if (session?.toolName) {
+            scopeId = `${session.toolName}:execute`;
+        }
+        if (this.config.audit?.enabled && scopeId) {
+            console.log(`[MCP-I] Proof scopeId for tool "${session.toolName}": ${scopeId}`);
+        }
+        // ✅ Generate full JWS proof WITH scopeId using CloudflareProofGenerator
+        const detachedProof = await this.proofGenerator.generateProof(request, response, sessionContext, { scopeId } // ← ADDED: Pass scopeId for tool auto-discovery
+        );
+        // Store the proof for getLastProof() retrieval
+        this.lastDetachedProof = detachedProof;
+        // ✅ Store tool call context for AgentShield dashboard
+        this.lastToolCallContext = {
+            tool: session.toolName || 'unknown',
+            args: session.toolParams || session.args || {},
+            result: data,
+            scopeId: scopeId || 'unknown',
+            userId: session.userId, // Optional user identifier
+        };
+        if (this.config.audit?.enabled) {
+            console.log('[MCP-I] Proof generated:', {
+                did: detachedProof.meta.did,
+                sessionId: detachedProof.meta.sessionId,
+                requestHash: detachedProof.meta.requestHash.substring(0, 20) + '...',
+                responseHash: detachedProof.meta.responseHash.substring(0, 20) + '...',
+                scopeId: detachedProof.meta.scopeId, // ← ADDED: Log scopeId
+                jwsFormat: detachedProof.jws.split('.').length === 3 ? 'valid (3 parts)' : 'invalid',
+            });
+        }
+        return detachedProof;
+    }
+    /**
+     * Override processToolCall to pass tool metadata through session
+     *
+     * This ensures that CloudflareProofGenerator has access to the tool name
+     * and parameters for generating accurate request hashes.
+     */
+    async processToolCall(toolName, args, handler, session) {
+        // Enhance session with tool metadata for proof generation
+        const enhancedSession = session ? {
+            ...session,
+            toolName,
+            toolParams: args,
+        } : undefined;
+        // Call parent implementation with enhanced session
+        return await super.processToolCall(toolName, args, handler, enhancedSession);
+    }
+    /**
+     * Get the CloudflareProofGenerator instance (for advanced usage)
+     */
+    getProofGenerator() {
+        return this.proofGenerator;
+    }
+    /**
+     * Override getLastProof to return DetachedProof format
+     *
+     * This ensures compatibility with applications expecting the full JWS proof format.
+     */
+    getLastProof() {
+        return this.lastDetachedProof;
+    }
+    /**
+     * Get the last tool call context
+     *
+     * Returns plaintext tool execution data for AgentShield dashboard integration.
+     * This context can be submitted alongside proofs for enhanced UX.
+     */
+    getLastToolCallContext() {
+        return this.lastToolCallContext;
+    }
+    /**
+     * Create a ToolProtectionService with CloudFlare KV cache
+     *
+     * The service fetches tool protection config from AgentShield by agent DID.
+     * Config is cached in KV for 5 minutes to minimize API calls.
+     *
+     * Usage in CloudFlare Worker:
+     * ```typescript
+     * const toolProtectionService = CloudflareRuntime.createToolProtectionService(
+     *   env.TOOL_PROTECTION_KV, // KV namespace from wrangler.toml
+     *   {
+     *     apiUrl: env.AGENTSHIELD_API_URL || 'https://kya.vouched.id',
+     *     apiKey: env.AGENTSHIELD_API_KEY,
+     *     cacheTtl: 300000, // 5 minutes (default)
+     *     debug: env.MCPI_ENV === 'development',
+     *     fallbackConfig: {
+     *       toolProtections: {
+     *         greet: { requiresDelegation: false, requiredScopes: ['greet:execute'] }
+     *       }
+     *     }
+     *   }
+     * );
+     *
+     * // Pass to runtime config
+     * const runtime = new CloudflareRuntime({
+     *   ...providers,
+     *   toolProtectionService,
+     * });
+     * ```
+     */
+    static createToolProtectionService(kv, config) {
+        const cache = new KVToolProtectionCache(kv);
+        return new ToolProtectionService(config, cache);
+    }
+}
+//# sourceMappingURL=runtime.js.map

package/dist/runtime.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"runtime.js","sourceRoot":"","sources":["../src/runtime.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EACL,eAAe,EAEf,qBAAqB,EAEtB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,wBAAwB,EAAE,MAAM,mBAAmB,CAAC;AAE7D,OAAO,EAAE,qBAAqB,EAAoB,MAAM,kCAAkC,CAAC;AAgB3F,MAAM,OAAO,iBAAkB,SAAQ,eAAe;IAC5C,cAAc,CAA4B;IAC1C,iBAAiB,CAAiB;IAClC,mBAAmB,CAAmB;IAE9C,YAAY,MAAyB;QACnC,KAAK,CAAC,MAAM,CAAC,CAAC;IAChB,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,UAAU;QACd,MAAM,KAAK,CAAC,UAAU,EAAE,CAAC;QAEzB,oDAAoD;QACpD,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,WAAW,EAAE,CAAC;QAC1C,IAAI,CAAC,cAAc,GAAG,IAAI,wBAAwB,CAAC,QAAQ,CAAC,CAAC;QAE7D,IAAI,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,OAAO,EAAE,CAAC;YAC/B,OAAO,CAAC,GAAG,CAAC,qEAAqE,CAAC,CAAC;YACnF,OAAO,CAAC,GAAG,CAAC,cAAc,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAC;QAC5C,CAAC;IACH,CAAC;IAED;;;;;;;;OAQG;IACH,KAAK,CAAC,WAAW,CAAC,IAAS,EAAE,OAAa;QACxC,IAAI,CAAC,IAAI,CAAC,cAAc,EAAE,CAAC;YACzB,MAAM,IAAI,KAAK,CAAC,oEAAoE,CAAC,CAAC;QACxF,CAAC;QAED,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;QAC3D,CAAC;QAED,wDAAwD;QACxD,IAAI,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;QAC1B,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,KAAK,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;YAC1C,8CAA8C;YAC9C,OAAO,CAAC,KAAK,GAAG,KAAK,CAAC;QACxB,CAAC;QAED,sCAAsC;QACtC,iEAAiE;QACjE,MAAM,OAAO,GAAG;YACd,MAAM,EAAE,OAAO,CAAC,QAAQ,IAAI,SAAS;YACrC,MAAM,EAAE,OAAO,CAAC,UAAU,IAAI,OAAO,CAAC,IAAI,IAAI,EAAE;SACjD,CAAC;QAEF,qBAAqB;QACrB,MAAM,QAAQ,GAAG;YACf,IAAI;SACL,CAAC;QAEF,oDAAoD;QACpD,MAAM,cAAc,GAAG;YACrB,KAAK;YACL,QAAQ,EAAE,OAAO,CAAC,QAAQ,IAAI,YAAY;YAC1C,SAAS,EAAE,OAAO,CAAC,EAAE;SACtB,CAAC;QAEF,0DAA0D;QAC1D,IAAI,OAA2B,CAAC;QAEhC,oDAAoD;QACpD,IAAI,OAAO,EAAE,OAAO,EAAE,CAAC;YACrB,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;QAC5B,CAAC;QACD,4CAA4C;aACvC,IAAI,OAAO,EAAE,QAAQ,EAAE,CAAC;YAC3B,OAAO,GAAG,GAAG,OAAO,CAAC,QAAQ,UAAU,CAAC;QAC1C,CAAC;QAED,IAAI,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,OAAO,IAAI,OAAO,EAAE,CAAC;YAC1C,OAAO,CAAC,GAAG,CAAC,mCAAmC,OAAO,CAAC,QAAQ,MAAM,OAAO,EAAE,CAAC,CAAC;QAClF,CAAC;QAED,wEAAwE;QACxE,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,aAAa,CAC3D,OAAO,EACP,QAAQ,EACR,cAAc,EACd,EAAE,OAAO,EAAE,CAAE,gDAAgD;SAC9D,CAAC;QAEF,+CAA+C;QAC/C,IAAI,CAAC,iBAAiB,GAAG,aAAa,CAAC;QAEvC,sDAAsD;QACtD,IAAI,CAAC,mBAAmB,GAAG;YACzB,IAAI,EAAE,OAAO,CAAC,QAAQ,IAAI,SAAS;YACnC,IAAI,EAAE,OAAO,CAAC,UAAU,IAAI,OAAO,CAAC,IAAI,IAAI,EAAE;YAC9C,MAAM,EAAE,IAAI;YACZ,OAAO,EAAE,OAAO,IAAI,SAAS;YAC7B,MAAM,EAAE,OAAO,CAAC,MAAM,EAAG,2BAA2B;SACrD,CAAC;QAEF,IAAI,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,OAAO,EAAE,CAAC;YAC/B,OAAO,CAAC,GAAG,CAAC,0BAA0B,EAAE;gBACtC,GAAG,EAAE,aAAa,CAAC,IAAI,CAAC,GAAG;gBAC3B,SAAS,EAAE,aAAa,CAAC,IAAI,CAAC,SAAS;gBACvC,WAAW,EAAE,aAAa,CAAC,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,KAAK;gBACpE,YAAY,EAAE,aAAa,CAAC,IAAI,CAAC,YAAY,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,KAAK;gBACtE,OAAO,EAAE,aAAa,CAAC,IAAI,CAAC,OAAO,EAAG,uBAAuB;gBAC7D,SAAS,EAAE,aAAa,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC,SAAS;aACrF,CAAC,CAAC;QACL,CAAC;QAED,OAAO,aAAa,CAAC;IACvB,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,eAAe,CACnB,QAAgB,EAChB,IAAS,EACT,OAAoC,EACpC,OAAa;QAEb,0DAA0D;QAC1D,MAAM,eAAe,GAAG,OAAO,CAAC,CAAC,CAAC;YAChC,GAAG,OAAO;YACV,QAAQ;YACR,UAAU,EAAE,IAAI;SACjB,CAAC,CAAC,CAAC,SAAS,CAAC;QAEd,mDAAmD;QACnD,OAAO,MAAM,KAAK,CAAC,eAAe,CAAC,QAAQ,EAAE,IAAI,EAAE,OAAO,EAAE,eAAe,CAAC,CAAC;IAC/E,CAAC;IAED;;OAEG;IACH,iBAAiB;QACf,OAAO,IAAI,CAAC,cAAc,CAAC;IAC7B,CAAC;IAED;;;;OAIG;IACH,YAAY;QACV,OAAO,IAAI,CAAC,iBAAiB,CAAC;IAChC,CAAC;IAED;;;;;OAKG;IACH,sBAAsB;QACpB,OAAO,IAAI,CAAC,mBAAmB,CAAC;IAClC,CAAC;IAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA6BG;IACH,MAAM,CAAC,2BAA2B,CAChC,EAAe,EACf,MAAmC;QAEnC,MAAM,KAAK,GAAG,IAAI,qBAAqB,CAAC,EAAE,CAAC,CAAC;QAC5C,OAAO,IAAI,qBAAqB,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;IAClD,CAAC;CACF"}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@kya-os/mcp-i-cloudflare",
-  "version": "1.2.3-canary.0",
+  "version": "1.2.3-canary.10",
   "description": "Cloudflare Workers implementation of MCP-I framework",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -33,9 +33,10 @@
     "edge"
   ],
   "dependencies": {
-    "@kya-os/mcp-i-core": "^1.1.0",
     "@kya-os/contracts": "^1.3.0",
-    "@modelcontextprotocol/sdk": "^1.11.4"
+    "@kya-os/mcp-i-core": "^1.1.1-canary.0",
+    "@modelcontextprotocol/sdk": "^1.11.4",
+    "base-x": "^5.0.1"
   },
   "devDependencies": {
     "@cloudflare/workers-types": "^4.0.0",