@kya-os/mcp-i-cloudflare 1.3.9 → 1.4.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +132 -255
- package/dist/adapter.js.map +1 -1
- package/dist/agent.d.ts +88 -0
- package/dist/agent.d.ts.map +1 -0
- package/dist/agent.js +157 -0
- package/dist/agent.js.map +1 -0
- package/dist/app.d.ts +52 -0
- package/dist/app.d.ts.map +1 -0
- package/dist/app.js +115 -0
- package/dist/app.js.map +1 -0
- package/dist/config.d.ts +26 -0
- package/dist/config.d.ts.map +1 -1
- package/dist/config.js +83 -0
- package/dist/config.js.map +1 -1
- package/dist/constants.d.ts +32 -0
- package/dist/constants.d.ts.map +1 -0
- package/dist/constants.js +32 -0
- package/dist/constants.js.map +1 -0
- package/dist/helpers/env-mapper.d.ts +23 -0
- package/dist/helpers/env-mapper.d.ts.map +1 -0
- package/dist/helpers/env-mapper.js +39 -0
- package/dist/helpers/env-mapper.js.map +1 -0
- package/dist/index.d.ts +28 -31
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +51 -37
- package/dist/index.js.map +1 -1
- package/dist/runtime.d.ts.map +1 -1
- package/dist/runtime.js +3 -2
- package/dist/runtime.js.map +1 -1
- package/dist/server.d.ts +58 -0
- package/dist/server.d.ts.map +1 -0
- package/dist/server.js +125 -0
- package/dist/server.js.map +1 -0
- package/dist/services/admin.service.d.ts +22 -0
- package/dist/services/admin.service.d.ts.map +1 -0
- package/dist/services/admin.service.js +151 -0
- package/dist/services/admin.service.js.map +1 -0
- package/dist/services/consent.service.d.ts +25 -0
- package/dist/services/consent.service.d.ts.map +1 -0
- package/dist/services/consent.service.js +48 -0
- package/dist/services/consent.service.js.map +1 -0
- package/dist/services/delegation.service.d.ts +33 -0
- package/dist/services/delegation.service.d.ts.map +1 -0
- package/dist/services/delegation.service.js +168 -0
- package/dist/services/delegation.service.js.map +1 -0
- package/dist/services/proof.service.d.ts +32 -0
- package/dist/services/proof.service.d.ts.map +1 -0
- package/dist/services/proof.service.js +95 -0
- package/dist/services/proof.service.js.map +1 -0
- package/dist/types.d.ts +27 -0
- package/dist/types.d.ts.map +1 -0
- package/dist/types.js +7 -0
- package/dist/types.js.map +1 -0
- package/package.json +7 -3
|
@@ -0,0 +1,151 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Admin Service
|
|
3
|
+
*
|
|
4
|
+
* Handles admin endpoints for cache management and debugging.
|
|
5
|
+
* Only enabled when config.admin.enabled === true
|
|
6
|
+
*/
|
|
7
|
+
import { DEFAULT_AGENTSHIELD_URL } from "../constants";
|
|
8
|
+
export class AdminService {
|
|
9
|
+
env;
|
|
10
|
+
constructor(env) {
|
|
11
|
+
this.env = env;
|
|
12
|
+
}
|
|
13
|
+
/**
|
|
14
|
+
* Handle admin requests
|
|
15
|
+
* @param request - Incoming request
|
|
16
|
+
* @returns Response
|
|
17
|
+
*/
|
|
18
|
+
async handle(request) {
|
|
19
|
+
const url = new URL(request.url);
|
|
20
|
+
// Only POST /admin/clear-cache is supported
|
|
21
|
+
if (url.pathname === "/admin/clear-cache") {
|
|
22
|
+
if (request.method !== "POST") {
|
|
23
|
+
return new Response(JSON.stringify({
|
|
24
|
+
success: false,
|
|
25
|
+
error: "Method not allowed. Use POST.",
|
|
26
|
+
}), {
|
|
27
|
+
status: 405,
|
|
28
|
+
headers: { "Content-Type": "application/json" },
|
|
29
|
+
});
|
|
30
|
+
}
|
|
31
|
+
return this.handleClearCache(request);
|
|
32
|
+
}
|
|
33
|
+
return new Response(JSON.stringify({
|
|
34
|
+
success: false,
|
|
35
|
+
error: "Not found",
|
|
36
|
+
}), {
|
|
37
|
+
status: 404,
|
|
38
|
+
headers: { "Content-Type": "application/json" },
|
|
39
|
+
});
|
|
40
|
+
}
|
|
41
|
+
/**
|
|
42
|
+
* Handle cache clearing request
|
|
43
|
+
*/
|
|
44
|
+
async handleClearCache(request) {
|
|
45
|
+
try {
|
|
46
|
+
// Parse request body
|
|
47
|
+
const body = (await request.json().catch(() => ({})));
|
|
48
|
+
const agentDid = body.agent_did;
|
|
49
|
+
if (!agentDid || typeof agentDid !== "string") {
|
|
50
|
+
return new Response(JSON.stringify({
|
|
51
|
+
success: false,
|
|
52
|
+
error: "Bad Request - agent_did required in body",
|
|
53
|
+
}), {
|
|
54
|
+
status: 400,
|
|
55
|
+
headers: { "Content-Type": "application/json" },
|
|
56
|
+
});
|
|
57
|
+
}
|
|
58
|
+
// Extract API key from Authorization header
|
|
59
|
+
const authHeader = request.headers.get("Authorization");
|
|
60
|
+
if (!authHeader || !authHeader.startsWith("Bearer ")) {
|
|
61
|
+
return new Response(JSON.stringify({
|
|
62
|
+
success: false,
|
|
63
|
+
error: "Unauthorized - Missing or invalid Authorization header",
|
|
64
|
+
}), {
|
|
65
|
+
status: 401,
|
|
66
|
+
headers: { "Content-Type": "application/json" },
|
|
67
|
+
});
|
|
68
|
+
}
|
|
69
|
+
const apiKey = authHeader.slice(7); // Remove "Bearer " prefix
|
|
70
|
+
// Validate API key by making a test call to AgentShield
|
|
71
|
+
const agentShieldUrl = this.env.AGENTSHIELD_API_URL || DEFAULT_AGENTSHIELD_URL;
|
|
72
|
+
const validationUrl = `${agentShieldUrl}/api/v1/bouncer/config?agent_did=${encodeURIComponent(agentDid)}`;
|
|
73
|
+
try {
|
|
74
|
+
const validationResponse = await fetch(validationUrl, {
|
|
75
|
+
method: "GET",
|
|
76
|
+
headers: {
|
|
77
|
+
"Content-Type": "application/json",
|
|
78
|
+
Authorization: `Bearer ${apiKey}`,
|
|
79
|
+
},
|
|
80
|
+
});
|
|
81
|
+
if (!validationResponse.ok) {
|
|
82
|
+
console.warn("[Admin] API key validation failed:", validationResponse.status);
|
|
83
|
+
return new Response(JSON.stringify({
|
|
84
|
+
success: false,
|
|
85
|
+
error: "Unauthorized - Invalid API key",
|
|
86
|
+
}), {
|
|
87
|
+
status: 401,
|
|
88
|
+
headers: { "Content-Type": "application/json" },
|
|
89
|
+
});
|
|
90
|
+
}
|
|
91
|
+
// API key is valid, proceed to clear cache
|
|
92
|
+
console.log("[Admin] API key validated successfully");
|
|
93
|
+
}
|
|
94
|
+
catch (error) {
|
|
95
|
+
console.error("[Admin] API key validation error:", error);
|
|
96
|
+
return new Response(JSON.stringify({
|
|
97
|
+
success: false,
|
|
98
|
+
error: "Failed to validate API key with AgentShield",
|
|
99
|
+
}), {
|
|
100
|
+
status: 500,
|
|
101
|
+
headers: { "Content-Type": "application/json" },
|
|
102
|
+
});
|
|
103
|
+
}
|
|
104
|
+
// Clear cache from KV
|
|
105
|
+
// Cache key format: KVToolProtectionCache uses 'tool-protection:' prefix + agentDid
|
|
106
|
+
const cacheKey = `tool-protection:${agentDid}`;
|
|
107
|
+
const kvNamespace = this.env.TOOL_PROTECTION_KV;
|
|
108
|
+
if (!kvNamespace) {
|
|
109
|
+
return new Response(JSON.stringify({
|
|
110
|
+
success: false,
|
|
111
|
+
error: "Tool protection KV namespace not configured",
|
|
112
|
+
}), {
|
|
113
|
+
status: 500,
|
|
114
|
+
headers: { "Content-Type": "application/json" },
|
|
115
|
+
});
|
|
116
|
+
}
|
|
117
|
+
// Log before and after for debugging
|
|
118
|
+
const before = await kvNamespace.get(cacheKey);
|
|
119
|
+
await kvNamespace.delete(cacheKey);
|
|
120
|
+
const after = await kvNamespace.get(cacheKey);
|
|
121
|
+
console.log("[Admin] Cache clear operation", {
|
|
122
|
+
agentDid: agentDid.slice(0, 20) + "...",
|
|
123
|
+
cacheKey,
|
|
124
|
+
hadValue: !!before,
|
|
125
|
+
cleared: !after,
|
|
126
|
+
});
|
|
127
|
+
return new Response(JSON.stringify({
|
|
128
|
+
success: true,
|
|
129
|
+
message: "Cache cleared successfully. Next tool call will fetch fresh config from AgentShield.",
|
|
130
|
+
agent_did: agentDid,
|
|
131
|
+
cache_key: cacheKey,
|
|
132
|
+
had_value: !!before,
|
|
133
|
+
}), {
|
|
134
|
+
status: 200,
|
|
135
|
+
headers: { "Content-Type": "application/json" },
|
|
136
|
+
});
|
|
137
|
+
}
|
|
138
|
+
catch (error) {
|
|
139
|
+
console.error("[Admin] Failed to clear cache:", error);
|
|
140
|
+
return new Response(JSON.stringify({
|
|
141
|
+
success: false,
|
|
142
|
+
error: "Internal error clearing cache",
|
|
143
|
+
details: error instanceof Error ? error.message : String(error),
|
|
144
|
+
}), {
|
|
145
|
+
status: 500,
|
|
146
|
+
headers: { "Content-Type": "application/json" },
|
|
147
|
+
});
|
|
148
|
+
}
|
|
149
|
+
}
|
|
150
|
+
}
|
|
151
|
+
//# sourceMappingURL=admin.service.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"admin.service.js","sourceRoot":"","sources":["../../src/services/admin.service.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,EAAE,uBAAuB,EAAE,MAAM,cAAc,CAAC;AAEvD,MAAM,OAAO,YAAY;IACf,GAAG,CAAgB;IAE3B,YAAY,GAAkB;QAC5B,IAAI,CAAC,GAAG,GAAG,GAAG,CAAC;IACjB,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,MAAM,CAAC,OAAgB;QAC3B,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAEjC,4CAA4C;QAC5C,IAAI,GAAG,CAAC,QAAQ,KAAK,oBAAoB,EAAE,CAAC;YAC1C,IAAI,OAAO,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;gBAC9B,OAAO,IAAI,QAAQ,CACjB,IAAI,CAAC,SAAS,CAAC;oBACb,OAAO,EAAE,KAAK;oBACd,KAAK,EAAE,+BAA+B;iBACvC,CAAC,EACF;oBACE,MAAM,EAAE,GAAG;oBACX,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;iBAChD,CACF,CAAC;YACJ,CAAC;YAED,OAAO,IAAI,CAAC,gBAAgB,CAAC,OAAO,CAAC,CAAC;QACxC,CAAC;QAED,OAAO,IAAI,QAAQ,CACjB,IAAI,CAAC,SAAS,CAAC;YACb,OAAO,EAAE,KAAK;YACd,KAAK,EAAE,WAAW;SACnB,CAAC,EACF;YACE,MAAM,EAAE,GAAG;YACX,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;SAChD,CACF,CAAC;IACJ,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,gBAAgB,CAAC,OAAgB;QAC7C,IAAI,CAAC;YACH,qBAAqB;YACrB,MAAM,IAAI,GAAG,CAAC,MAAM,OAAO,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAEnD,CAAC;YACF,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC;YAEhC,IAAI,CAAC,QAAQ,IAAI,OAAO,QAAQ,KAAK,QAAQ,EAAE,CAAC;gBAC9C,OAAO,IAAI,QAAQ,CACjB,IAAI,CAAC,SAAS,CAAC;oBACb,OAAO,EAAE,KAAK;oBACd,KAAK,EAAE,0CAA0C;iBAClD,CAAC,EACF;oBACE,MAAM,EAAE,GAAG;oBACX,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;iBAChD,CACF,CAAC;YACJ,CAAC;YAED,4CAA4C;YAC5C,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;YACxD,IAAI,CAAC,UAAU,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;gBACrD,OAAO,IAAI,QAAQ,CACjB,IAAI,CAAC,SAAS,CAAC;oBACb,OAAO,EAAE,KAAK;oBACd,KAAK,EAAE,wDAAwD;iBAChE,CAAC,EACF;oBACE,MAAM,EAAE,GAAG;oBACX,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;iBAChD,CACF,CAAC;YACJ,CAAC;YAED,MAAM,MAAM,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,0BAA0B;YAE9D,wDAAwD;YACxD,MAAM,cAAc,GAClB,IAAI,CAAC,GAAG,CAAC,mBAAmB,IAAI,uBAAuB,CAAC;YAC1D,MAAM,aAAa,GAAG,GAAG,cAAc,oCAAoC,kBAAkB,CAAC,QAAQ,CAAC,EAAE,CAAC;YAE1G,IAAI,CAAC;gBACH,MAAM,kBAAkB,GAAG,MAAM,KAAK,CAAC,aAAa,EAAE;oBACpD,MAAM,EAAE,KAAK;oBACb,OAAO,EAAE;wBACP,cAAc,EAAE,kBAAkB;wBAClC,aAAa,EAAE,UAAU,MAAM,EAAE;qBAClC;iBACF,CAAC,CAAC;gBAEH,IAAI,CAAC,kBAAkB,CAAC,EAAE,EAAE,CAAC;oBAC3B,OAAO,CAAC,IAAI,CACV,oCAAoC,EACpC,kBAAkB,CAAC,MAAM,CAC1B,CAAC;oBACF,OAAO,IAAI,QAAQ,CACjB,IAAI,CAAC,SAAS,CAAC;wBACb,OAAO,EAAE,KAAK;wBACd,KAAK,EAAE,gCAAgC;qBACxC,CAAC,EACF;wBACE,MAAM,EAAE,GAAG;wBACX,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;qBAChD,CACF,CAAC;gBACJ,CAAC;gBAED,2CAA2C;gBAC3C,OAAO,CAAC,GAAG,CAAC,wCAAwC,CAAC,CAAC;YACxD,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,OAAO,CAAC,KAAK,CAAC,mCAAmC,EAAE,KAAK,CAAC,CAAC;gBAC1D,OAAO,IAAI,QAAQ,CACjB,IAAI,CAAC,SAAS,CAAC;oBACb,OAAO,EAAE,KAAK;oBACd,KAAK,EAAE,6CAA6C;iBACrD,CAAC,EACF;oBACE,MAAM,EAAE,GAAG;oBACX,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;iBAChD,CACF,CAAC;YACJ,CAAC;YAED,sBAAsB;YACtB,oFAAoF;YACpF,MAAM,QAAQ,GAAG,mBAAmB,QAAQ,EAAE,CAAC;YAC/C,MAAM,WAAW,GAAG,IAAI,CAAC,GAAG,CAAC,kBAAkB,CAAC;YAEhD,IAAI,CAAC,WAAW,EAAE,CAAC;gBACjB,OAAO,IAAI,QAAQ,CACjB,IAAI,CAAC,SAAS,CAAC;oBACb,OAAO,EAAE,KAAK;oBACd,KAAK,EAAE,6CAA6C;iBACrD,CAAC,EACF;oBACE,MAAM,EAAE,GAAG;oBACX,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;iBAChD,CACF,CAAC;YACJ,CAAC;YAED,qCAAqC;YACrC,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;YAC/C,MAAM,WAAW,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;YACnC,MAAM,KAAK,GAAG,MAAM,WAAW,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;YAE9C,OAAO,CAAC,GAAG,CAAC,+BAA+B,EAAE;gBAC3C,QAAQ,EAAE,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,KAAK;gBACvC,QAAQ;gBACR,QAAQ,EAAE,CAAC,CAAC,MAAM;gBAClB,OAAO,EAAE,CAAC,KAAK;aAChB,CAAC,CAAC;YAEH,OAAO,IAAI,QAAQ,CACjB,IAAI,CAAC,SAAS,CAAC;gBACb,OAAO,EAAE,IAAI;gBACb,OAAO,EACL,sFAAsF;gBACxF,SAAS,EAAE,QAAQ;gBACnB,SAAS,EAAE,QAAQ;gBACnB,SAAS,EAAE,CAAC,CAAC,MAAM;aACpB,CAAC,EACF;gBACE,MAAM,EAAE,GAAG;gBACX,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;aAChD,CACF,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,gCAAgC,EAAE,KAAK,CAAC,CAAC;YACvD,OAAO,IAAI,QAAQ,CACjB,IAAI,CAAC,SAAS,CAAC;gBACb,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,+BAA+B;gBACtC,OAAO,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;aAChE,CAAC,EACF;gBACE,MAAM,EAAE,GAAG;gBACX,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;aAChD,CACF,CAAC;QACJ,CAAC;IACH,CAAC;CACF"}
|
|
@@ -0,0 +1,25 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Consent Service
|
|
3
|
+
*
|
|
4
|
+
* Handles consent page rendering and approval handling.
|
|
5
|
+
* Structure only - full implementation in Phase 0.
|
|
6
|
+
*/
|
|
7
|
+
export declare class ConsentService {
|
|
8
|
+
/**
|
|
9
|
+
* Handle consent requests
|
|
10
|
+
* @param request - Incoming request
|
|
11
|
+
* @returns Response
|
|
12
|
+
*/
|
|
13
|
+
handle(request: Request): Promise<Response>;
|
|
14
|
+
/**
|
|
15
|
+
* Render consent page
|
|
16
|
+
* TODO: Implement in Phase 0
|
|
17
|
+
*/
|
|
18
|
+
private renderConsentPage;
|
|
19
|
+
/**
|
|
20
|
+
* Handle consent approval
|
|
21
|
+
* TODO: Implement in Phase 0
|
|
22
|
+
*/
|
|
23
|
+
private handleApproval;
|
|
24
|
+
}
|
|
25
|
+
//# sourceMappingURL=consent.service.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"consent.service.d.ts","sourceRoot":"","sources":["../../src/services/consent.service.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,qBAAa,cAAc;IACzB;;;;OAIG;IACG,MAAM,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,QAAQ,CAAC;IAgBjD;;;OAGG;YACW,iBAAiB;IAQ/B;;;OAGG;YACW,cAAc;CAO7B"}
|
|
@@ -0,0 +1,48 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Consent Service
|
|
3
|
+
*
|
|
4
|
+
* Handles consent page rendering and approval handling.
|
|
5
|
+
* Structure only - full implementation in Phase 0.
|
|
6
|
+
*/
|
|
7
|
+
export class ConsentService {
|
|
8
|
+
/**
|
|
9
|
+
* Handle consent requests
|
|
10
|
+
* @param request - Incoming request
|
|
11
|
+
* @returns Response
|
|
12
|
+
*/
|
|
13
|
+
async handle(request) {
|
|
14
|
+
const url = new URL(request.url);
|
|
15
|
+
if (request.method === 'GET') {
|
|
16
|
+
// Render consent page
|
|
17
|
+
return this.renderConsentPage(url.searchParams);
|
|
18
|
+
}
|
|
19
|
+
if (request.method === 'POST') {
|
|
20
|
+
// Handle approval
|
|
21
|
+
return this.handleApproval(request);
|
|
22
|
+
}
|
|
23
|
+
return new Response('Method not allowed', { status: 405 });
|
|
24
|
+
}
|
|
25
|
+
/**
|
|
26
|
+
* Render consent page
|
|
27
|
+
* TODO: Implement in Phase 0
|
|
28
|
+
*/
|
|
29
|
+
async renderConsentPage(params) {
|
|
30
|
+
// Placeholder - will be implemented in Phase 0
|
|
31
|
+
return new Response('Consent page - Phase 0 implementation', {
|
|
32
|
+
status: 501,
|
|
33
|
+
headers: { 'Content-Type': 'text/plain' }
|
|
34
|
+
});
|
|
35
|
+
}
|
|
36
|
+
/**
|
|
37
|
+
* Handle consent approval
|
|
38
|
+
* TODO: Implement in Phase 0
|
|
39
|
+
*/
|
|
40
|
+
async handleApproval(request) {
|
|
41
|
+
// Placeholder - will be implemented in Phase 0
|
|
42
|
+
return new Response('Consent approval - Phase 0 implementation', {
|
|
43
|
+
status: 501,
|
|
44
|
+
headers: { 'Content-Type': 'text/plain' }
|
|
45
|
+
});
|
|
46
|
+
}
|
|
47
|
+
}
|
|
48
|
+
//# sourceMappingURL=consent.service.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"consent.service.js","sourceRoot":"","sources":["../../src/services/consent.service.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,MAAM,OAAO,cAAc;IACzB;;;;OAIG;IACH,KAAK,CAAC,MAAM,CAAC,OAAgB;QAC3B,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAEjC,IAAI,OAAO,CAAC,MAAM,KAAK,KAAK,EAAE,CAAC;YAC7B,sBAAsB;YACtB,OAAO,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QAClD,CAAC;QAED,IAAI,OAAO,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;YAC9B,kBAAkB;YAClB,OAAO,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC;QACtC,CAAC;QAED,OAAO,IAAI,QAAQ,CAAC,oBAAoB,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;IAC7D,CAAC;IAED;;;OAGG;IACK,KAAK,CAAC,iBAAiB,CAAC,MAAuB;QACrD,+CAA+C;QAC/C,OAAO,IAAI,QAAQ,CAAC,uCAAuC,EAAE;YAC3D,MAAM,EAAE,GAAG;YACX,OAAO,EAAE,EAAE,cAAc,EAAE,YAAY,EAAE;SAC1C,CAAC,CAAC;IACL,CAAC;IAED;;;OAGG;IACK,KAAK,CAAC,cAAc,CAAC,OAAgB;QAC3C,+CAA+C;QAC/C,OAAO,IAAI,QAAQ,CAAC,2CAA2C,EAAE;YAC/D,MAAM,EAAE,GAAG;YACX,OAAO,EAAE,EAAE,cAAc,EAAE,YAAY,EAAE;SAC1C,CAAC,CAAC;IACL,CAAC;CACF"}
|
|
@@ -0,0 +1,33 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Delegation Service
|
|
3
|
+
*
|
|
4
|
+
* Handles delegation token retrieval, verification, and cache management
|
|
5
|
+
* for MCP-I Cloudflare servers.
|
|
6
|
+
*/
|
|
7
|
+
import type { CloudflareEnv } from '../types';
|
|
8
|
+
import type { CloudflareRuntime } from '../runtime';
|
|
9
|
+
export declare class DelegationService {
|
|
10
|
+
private env;
|
|
11
|
+
private runtime?;
|
|
12
|
+
constructor(env: CloudflareEnv, runtime?: CloudflareRuntime);
|
|
13
|
+
/**
|
|
14
|
+
* Get delegation token from cache or storage
|
|
15
|
+
* @param sessionId - Optional session ID for session-based lookup
|
|
16
|
+
* @returns Delegation token or null if not found
|
|
17
|
+
*/
|
|
18
|
+
getDelegationToken(sessionId?: string): Promise<string | null>;
|
|
19
|
+
/**
|
|
20
|
+
* Verify delegation token with AgentShield API
|
|
21
|
+
* @param token - Delegation token to verify
|
|
22
|
+
* @returns True if token is valid, false otherwise
|
|
23
|
+
*/
|
|
24
|
+
verifyDelegation(token: string): Promise<boolean>;
|
|
25
|
+
/**
|
|
26
|
+
* Invalidate delegation token in all caches
|
|
27
|
+
* @param sessionId - Session ID to clear
|
|
28
|
+
* @param token - Token to invalidate
|
|
29
|
+
* @param agentDid - Agent DID to clear
|
|
30
|
+
*/
|
|
31
|
+
invalidateCache(sessionId?: string, token?: string, agentDid?: string): Promise<void>;
|
|
32
|
+
}
|
|
33
|
+
//# sourceMappingURL=delegation.service.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"delegation.service.d.ts","sourceRoot":"","sources":["../../src/services/delegation.service.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAE9C,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAEpD,qBAAa,iBAAiB;IAC5B,OAAO,CAAC,GAAG,CAAgB;IAC3B,OAAO,CAAC,OAAO,CAAC,CAAoB;gBAExB,GAAG,EAAE,aAAa,EAAE,OAAO,CAAC,EAAE,iBAAiB;IAK3D;;;;OAIG;IACG,kBAAkB,CAAC,SAAS,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAoEpE;;;;OAIG;IACG,gBAAgB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAyDvD;;;;;OAKG;IACG,eAAe,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CA6B5F"}
|
|
@@ -0,0 +1,168 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Delegation Service
|
|
3
|
+
*
|
|
4
|
+
* Handles delegation token retrieval, verification, and cache management
|
|
5
|
+
* for MCP-I Cloudflare servers.
|
|
6
|
+
*/
|
|
7
|
+
import { DEFAULT_AGENTSHIELD_URL, DEFAULT_VERIFICATION_CACHE_TTL, DEFAULT_SESSION_CACHE_TTL } from '../constants';
|
|
8
|
+
export class DelegationService {
|
|
9
|
+
env;
|
|
10
|
+
runtime;
|
|
11
|
+
constructor(env, runtime) {
|
|
12
|
+
this.env = env;
|
|
13
|
+
this.runtime = runtime;
|
|
14
|
+
}
|
|
15
|
+
/**
|
|
16
|
+
* Get delegation token from cache or storage
|
|
17
|
+
* @param sessionId - Optional session ID for session-based lookup
|
|
18
|
+
* @returns Delegation token or null if not found
|
|
19
|
+
*/
|
|
20
|
+
async getDelegationToken(sessionId) {
|
|
21
|
+
const delegationStorage = this.env.DELEGATION_STORAGE;
|
|
22
|
+
if (!delegationStorage) {
|
|
23
|
+
console.log('[Delegation] No delegation storage configured');
|
|
24
|
+
return null;
|
|
25
|
+
}
|
|
26
|
+
try {
|
|
27
|
+
// Fast path: Try session cache first
|
|
28
|
+
if (sessionId) {
|
|
29
|
+
const sessionKey = `session:${sessionId}`;
|
|
30
|
+
const sessionToken = await delegationStorage.get(sessionKey);
|
|
31
|
+
if (sessionToken) {
|
|
32
|
+
// Verify token is still valid before returning
|
|
33
|
+
const isValid = await this.verifyDelegation(sessionToken);
|
|
34
|
+
if (isValid) {
|
|
35
|
+
console.log('[Delegation] ✅ Token retrieved from session cache and verified');
|
|
36
|
+
return sessionToken;
|
|
37
|
+
}
|
|
38
|
+
else {
|
|
39
|
+
// Token invalid, remove from cache
|
|
40
|
+
await this.invalidateCache(sessionId, sessionToken);
|
|
41
|
+
console.log('[Delegation] ⚠️ Cached token was invalid, removed from cache');
|
|
42
|
+
}
|
|
43
|
+
}
|
|
44
|
+
}
|
|
45
|
+
// Fallback: Try agent DID (stable across session changes)
|
|
46
|
+
if (this.runtime) {
|
|
47
|
+
const identity = await this.runtime.getIdentity();
|
|
48
|
+
if (identity?.did) {
|
|
49
|
+
const agentKey = `agent:${identity.did}:delegation`;
|
|
50
|
+
const agentToken = await delegationStorage.get(agentKey);
|
|
51
|
+
if (agentToken) {
|
|
52
|
+
// Verify token is still valid before returning
|
|
53
|
+
const isValid = await this.verifyDelegation(agentToken);
|
|
54
|
+
if (isValid) {
|
|
55
|
+
console.log('[Delegation] ✅ Token retrieved using agent DID and verified');
|
|
56
|
+
// Re-cache for current session (performance optimization)
|
|
57
|
+
if (sessionId) {
|
|
58
|
+
const sessionCacheKey = `session:${sessionId}`;
|
|
59
|
+
await delegationStorage.put(sessionCacheKey, agentToken, {
|
|
60
|
+
expirationTtl: DEFAULT_SESSION_CACHE_TTL
|
|
61
|
+
});
|
|
62
|
+
console.log('[Delegation] Token cached for session with 5-minute TTL:', sessionId);
|
|
63
|
+
}
|
|
64
|
+
return agentToken;
|
|
65
|
+
}
|
|
66
|
+
else {
|
|
67
|
+
// Token invalid, remove from cache
|
|
68
|
+
await this.invalidateCache(sessionId, agentToken, identity.did);
|
|
69
|
+
console.log('[Delegation] ⚠️ Agent token was invalid, removed from cache');
|
|
70
|
+
}
|
|
71
|
+
}
|
|
72
|
+
}
|
|
73
|
+
}
|
|
74
|
+
console.log('[Delegation] No delegation token found');
|
|
75
|
+
return null;
|
|
76
|
+
}
|
|
77
|
+
catch (error) {
|
|
78
|
+
console.error('[Delegation] Failed to retrieve token:', error);
|
|
79
|
+
return null;
|
|
80
|
+
}
|
|
81
|
+
}
|
|
82
|
+
/**
|
|
83
|
+
* Verify delegation token with AgentShield API
|
|
84
|
+
* @param token - Delegation token to verify
|
|
85
|
+
* @returns True if token is valid, false otherwise
|
|
86
|
+
*/
|
|
87
|
+
async verifyDelegation(token) {
|
|
88
|
+
// Check verification cache first
|
|
89
|
+
const verificationCache = this.env.TOOL_PROTECTION_KV;
|
|
90
|
+
if (verificationCache) {
|
|
91
|
+
const cacheKey = `verified:${token.substring(0, 16)}`; // Use prefix to avoid key size issues
|
|
92
|
+
const cached = await verificationCache.get(cacheKey);
|
|
93
|
+
if (cached === '1') {
|
|
94
|
+
console.log('[Delegation] Token verification cached as valid');
|
|
95
|
+
return true;
|
|
96
|
+
}
|
|
97
|
+
}
|
|
98
|
+
try {
|
|
99
|
+
const agentShieldUrl = this.env.AGENTSHIELD_API_URL || DEFAULT_AGENTSHIELD_URL;
|
|
100
|
+
const apiKey = this.env.AGENTSHIELD_API_KEY;
|
|
101
|
+
if (!apiKey) {
|
|
102
|
+
console.warn('[Delegation] No AgentShield API key configured, skipping verification');
|
|
103
|
+
return true; // Allow in development without API key
|
|
104
|
+
}
|
|
105
|
+
// Verify with AgentShield API
|
|
106
|
+
const response = await fetch(`${agentShieldUrl}/api/v1/bouncer/delegations/verify`, {
|
|
107
|
+
method: 'POST',
|
|
108
|
+
headers: {
|
|
109
|
+
'Authorization': `Bearer ${apiKey}`,
|
|
110
|
+
'Content-Type': 'application/json'
|
|
111
|
+
},
|
|
112
|
+
body: JSON.stringify({ token })
|
|
113
|
+
});
|
|
114
|
+
if (response.ok) {
|
|
115
|
+
// Cache successful verification
|
|
116
|
+
if (verificationCache) {
|
|
117
|
+
const cacheKey = `verified:${token.substring(0, 16)}`;
|
|
118
|
+
await verificationCache.put(cacheKey, '1', {
|
|
119
|
+
expirationTtl: DEFAULT_VERIFICATION_CACHE_TTL
|
|
120
|
+
});
|
|
121
|
+
}
|
|
122
|
+
console.log('[Delegation] Token verified successfully with AgentShield');
|
|
123
|
+
return true;
|
|
124
|
+
}
|
|
125
|
+
if (response.status === 401 || response.status === 403) {
|
|
126
|
+
console.log('[Delegation] Token verification failed: unauthorized');
|
|
127
|
+
return false;
|
|
128
|
+
}
|
|
129
|
+
console.warn('[Delegation] Token verification returned unexpected status:', response.status);
|
|
130
|
+
return false; // Fail closed for security
|
|
131
|
+
}
|
|
132
|
+
catch (error) {
|
|
133
|
+
console.error('[Delegation] Error verifying token with AgentShield:', error);
|
|
134
|
+
return false; // Fail closed on errors
|
|
135
|
+
}
|
|
136
|
+
}
|
|
137
|
+
/**
|
|
138
|
+
* Invalidate delegation token in all caches
|
|
139
|
+
* @param sessionId - Session ID to clear
|
|
140
|
+
* @param token - Token to invalidate
|
|
141
|
+
* @param agentDid - Agent DID to clear
|
|
142
|
+
*/
|
|
143
|
+
async invalidateCache(sessionId, token, agentDid) {
|
|
144
|
+
const delegationStorage = this.env.DELEGATION_STORAGE;
|
|
145
|
+
const verificationCache = this.env.TOOL_PROTECTION_KV;
|
|
146
|
+
if (!delegationStorage)
|
|
147
|
+
return;
|
|
148
|
+
const deletions = [];
|
|
149
|
+
// Clear session cache
|
|
150
|
+
if (sessionId) {
|
|
151
|
+
const sessionKey = `session:${sessionId}`;
|
|
152
|
+
deletions.push(delegationStorage.delete(sessionKey));
|
|
153
|
+
}
|
|
154
|
+
// Clear agent cache
|
|
155
|
+
if (agentDid) {
|
|
156
|
+
const agentKey = `agent:${agentDid}:delegation`;
|
|
157
|
+
deletions.push(delegationStorage.delete(agentKey));
|
|
158
|
+
}
|
|
159
|
+
// Clear verification cache
|
|
160
|
+
if (token && verificationCache) {
|
|
161
|
+
const cacheKey = `verified:${token.substring(0, 16)}`;
|
|
162
|
+
deletions.push(verificationCache.delete(cacheKey));
|
|
163
|
+
}
|
|
164
|
+
await Promise.all(deletions);
|
|
165
|
+
console.log('[Delegation] Cache invalidated for revoked/invalid token');
|
|
166
|
+
}
|
|
167
|
+
}
|
|
168
|
+
//# sourceMappingURL=delegation.service.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"delegation.service.js","sourceRoot":"","sources":["../../src/services/delegation.service.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,EAAE,uBAAuB,EAAE,8BAA8B,EAAE,yBAAyB,EAAE,MAAM,cAAc,CAAC;AAGlH,MAAM,OAAO,iBAAiB;IACpB,GAAG,CAAgB;IACnB,OAAO,CAAqB;IAEpC,YAAY,GAAkB,EAAE,OAA2B;QACzD,IAAI,CAAC,GAAG,GAAG,GAAG,CAAC;QACf,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;IACzB,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,kBAAkB,CAAC,SAAkB;QACzC,MAAM,iBAAiB,GAAG,IAAI,CAAC,GAAG,CAAC,kBAAkB,CAAC;QAEtD,IAAI,CAAC,iBAAiB,EAAE,CAAC;YACvB,OAAO,CAAC,GAAG,CAAC,+CAA+C,CAAC,CAAC;YAC7D,OAAO,IAAI,CAAC;QACd,CAAC;QAED,IAAI,CAAC;YACH,qCAAqC;YACrC,IAAI,SAAS,EAAE,CAAC;gBACd,MAAM,UAAU,GAAG,WAAW,SAAS,EAAE,CAAC;gBAC1C,MAAM,YAAY,GAAG,MAAM,iBAAiB,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;gBAE7D,IAAI,YAAY,EAAE,CAAC;oBACjB,+CAA+C;oBAC/C,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,YAAY,CAAC,CAAC;oBAC1D,IAAI,OAAO,EAAE,CAAC;wBACZ,OAAO,CAAC,GAAG,CAAC,gEAAgE,CAAC,CAAC;wBAC9E,OAAO,YAAY,CAAC;oBACtB,CAAC;yBAAM,CAAC;wBACN,mCAAmC;wBACnC,MAAM,IAAI,CAAC,eAAe,CAAC,SAAS,EAAE,YAAY,CAAC,CAAC;wBACpD,OAAO,CAAC,GAAG,CAAC,8DAA8D,CAAC,CAAC;oBAC9E,CAAC;gBACH,CAAC;YACH,CAAC;YAED,0DAA0D;YAC1D,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;gBACjB,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC;gBAClD,IAAI,QAAQ,EAAE,GAAG,EAAE,CAAC;oBAClB,MAAM,QAAQ,GAAG,SAAS,QAAQ,CAAC,GAAG,aAAa,CAAC;oBACpD,MAAM,UAAU,GAAG,MAAM,iBAAiB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;oBAEzD,IAAI,UAAU,EAAE,CAAC;wBACf,+CAA+C;wBAC/C,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,UAAU,CAAC,CAAC;wBACxD,IAAI,OAAO,EAAE,CAAC;4BACZ,OAAO,CAAC,GAAG,CAAC,6DAA6D,CAAC,CAAC;4BAE3E,0DAA0D;4BAC1D,IAAI,SAAS,EAAE,CAAC;gCACd,MAAM,eAAe,GAAG,WAAW,SAAS,EAAE,CAAC;gCAC/C,MAAM,iBAAiB,CAAC,GAAG,CAAC,eAAe,EAAE,UAAU,EAAE;oCACvD,aAAa,EAAE,yBAAyB;iCACzC,CAAC,CAAC;gCACH,OAAO,CAAC,GAAG,CAAC,0DAA0D,EAAE,SAAS,CAAC,CAAC;4BACrF,CAAC;4BAED,OAAO,UAAU,CAAC;wBACpB,CAAC;6BAAM,CAAC;4BACN,mCAAmC;4BACnC,MAAM,IAAI,CAAC,eAAe,CAAC,SAAS,EAAE,UAAU,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAC;4BAChE,OAAO,CAAC,GAAG,CAAC,6DAA6D,CAAC,CAAC;wBAC7E,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;YAED,OAAO,CAAC,GAAG,CAAC,wCAAwC,CAAC,CAAC;YACtD,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,wCAAwC,EAAE,KAAK,CAAC,CAAC;YAC/D,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,gBAAgB,CAAC,KAAa;QAClC,iCAAiC;QACjC,MAAM,iBAAiB,GAAG,IAAI,CAAC,GAAG,CAAC,kBAAkB,CAAC;QACtD,IAAI,iBAAiB,EAAE,CAAC;YACtB,MAAM,QAAQ,GAAG,YAAY,KAAK,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC,CAAC,sCAAsC;YAC7F,MAAM,MAAM,GAAG,MAAM,iBAAiB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;YACrD,IAAI,MAAM,KAAK,GAAG,EAAE,CAAC;gBACnB,OAAO,CAAC,GAAG,CAAC,iDAAiD,CAAC,CAAC;gBAC/D,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;QAED,IAAI,CAAC;YACH,MAAM,cAAc,GAAG,IAAI,CAAC,GAAG,CAAC,mBAAmB,IAAI,uBAAuB,CAAC;YAC/E,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC,mBAAmB,CAAC;YAE5C,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,OAAO,CAAC,IAAI,CAAC,uEAAuE,CAAC,CAAC;gBACtF,OAAO,IAAI,CAAC,CAAC,uCAAuC;YACtD,CAAC;YAED,8BAA8B;YAC9B,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,cAAc,oCAAoC,EAAE;gBAClF,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE;oBACP,eAAe,EAAE,UAAU,MAAM,EAAE;oBACnC,cAAc,EAAE,kBAAkB;iBACnC;gBACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,CAAC;aAChC,CAAC,CAAC;YAEH,IAAI,QAAQ,CAAC,EAAE,EAAE,CAAC;gBAChB,gCAAgC;gBAChC,IAAI,iBAAiB,EAAE,CAAC;oBACtB,MAAM,QAAQ,GAAG,YAAY,KAAK,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC;oBACtD,MAAM,iBAAiB,CAAC,GAAG,CAAC,QAAQ,EAAE,GAAG,EAAE;wBACzC,aAAa,EAAE,8BAA8B;qBAC9C,CAAC,CAAC;gBACL,CAAC;gBACD,OAAO,CAAC,GAAG,CAAC,2DAA2D,CAAC,CAAC;gBACzE,OAAO,IAAI,CAAC;YACd,CAAC;YAED,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBACvD,OAAO,CAAC,GAAG,CAAC,sDAAsD,CAAC,CAAC;gBACpE,OAAO,KAAK,CAAC;YACf,CAAC;YAED,OAAO,CAAC,IAAI,CAAC,6DAA6D,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC;YAC7F,OAAO,KAAK,CAAC,CAAC,2BAA2B;QAE3C,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,sDAAsD,EAAE,KAAK,CAAC,CAAC;YAC7E,OAAO,KAAK,CAAC,CAAC,wBAAwB;QACxC,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,eAAe,CAAC,SAAkB,EAAE,KAAc,EAAE,QAAiB;QACzE,MAAM,iBAAiB,GAAG,IAAI,CAAC,GAAG,CAAC,kBAAkB,CAAC;QACtD,MAAM,iBAAiB,GAAG,IAAI,CAAC,GAAG,CAAC,kBAAkB,CAAC;QAEtD,IAAI,CAAC,iBAAiB;YAAE,OAAO;QAE/B,MAAM,SAAS,GAAoB,EAAE,CAAC;QAEtC,sBAAsB;QACtB,IAAI,SAAS,EAAE,CAAC;YACd,MAAM,UAAU,GAAG,WAAW,SAAS,EAAE,CAAC;YAC1C,SAAS,CAAC,IAAI,CAAC,iBAAiB,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC;QACvD,CAAC;QAED,oBAAoB;QACpB,IAAI,QAAQ,EAAE,CAAC;YACb,MAAM,QAAQ,GAAG,SAAS,QAAQ,aAAa,CAAC;YAChD,SAAS,CAAC,IAAI,CAAC,iBAAiB,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC;QACrD,CAAC;QAED,2BAA2B;QAC3B,IAAI,KAAK,IAAI,iBAAiB,EAAE,CAAC;YAC/B,MAAM,QAAQ,GAAG,YAAY,KAAK,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC;YACtD,SAAS,CAAC,IAAI,CAAC,iBAAiB,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC;QACrD,CAAC;QAED,MAAM,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAC7B,OAAO,CAAC,GAAG,CAAC,0DAA0D,CAAC,CAAC;IAC1E,CAAC;CACF"}
|
|
@@ -0,0 +1,32 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Proof Service
|
|
3
|
+
*
|
|
4
|
+
* Handles proof submission to AgentShield API with optional context
|
|
5
|
+
* for dashboard integration.
|
|
6
|
+
*/
|
|
7
|
+
import type { DetachedProof } from '@kya-os/contracts/proof';
|
|
8
|
+
import type { CloudflareRuntimeConfig } from '../config';
|
|
9
|
+
import type { CloudflareRuntime } from '../runtime';
|
|
10
|
+
export interface ProofSubmissionContext {
|
|
11
|
+
session: {
|
|
12
|
+
id: string;
|
|
13
|
+
};
|
|
14
|
+
toolName: string;
|
|
15
|
+
args: Record<string, unknown>;
|
|
16
|
+
result: unknown;
|
|
17
|
+
mcpServerUrl?: string;
|
|
18
|
+
}
|
|
19
|
+
export declare class ProofService {
|
|
20
|
+
private config;
|
|
21
|
+
private runtime?;
|
|
22
|
+
constructor(config: CloudflareRuntimeConfig, runtime?: CloudflareRuntime);
|
|
23
|
+
/**
|
|
24
|
+
* Submit proof to AgentShield API
|
|
25
|
+
* Uses the proof.jws directly (full JWS format from CloudflareRuntime)
|
|
26
|
+
*
|
|
27
|
+
* Also submits optional context for AgentShield dashboard integration.
|
|
28
|
+
* Context provides plaintext tool/args data while proof provides cryptographic verification.
|
|
29
|
+
*/
|
|
30
|
+
submitProof(proof: DetachedProof, context: ProofSubmissionContext): Promise<void>;
|
|
31
|
+
}
|
|
32
|
+
//# sourceMappingURL=proof.service.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"proof.service.d.ts","sourceRoot":"","sources":["../../src/services/proof.service.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,yBAAyB,CAAC;AAC7D,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,WAAW,CAAC;AACzD,OAAO,KAAK,EAAE,iBAAiB,EAAmB,MAAM,YAAY,CAAC;AAGrE,MAAM,WAAW,sBAAsB;IACrC,OAAO,EAAE;QAAE,EAAE,EAAE,MAAM,CAAA;KAAE,CAAC;IACxB,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC9B,MAAM,EAAE,OAAO,CAAC;IAChB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,qBAAa,YAAY;IACvB,OAAO,CAAC,MAAM,CAA0B;IACxC,OAAO,CAAC,OAAO,CAAC,CAAoB;gBAExB,MAAM,EAAE,uBAAuB,EAAE,OAAO,CAAC,EAAE,iBAAiB;IAKxE;;;;;;OAMG;IACG,WAAW,CACf,KAAK,EAAE,aAAa,EACpB,OAAO,EAAE,sBAAsB,GAC9B,OAAO,CAAC,IAAI,CAAC;CA6FjB"}
|
|
@@ -0,0 +1,95 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Proof Service
|
|
3
|
+
*
|
|
4
|
+
* Handles proof submission to AgentShield API with optional context
|
|
5
|
+
* for dashboard integration.
|
|
6
|
+
*/
|
|
7
|
+
export class ProofService {
|
|
8
|
+
config;
|
|
9
|
+
runtime;
|
|
10
|
+
constructor(config, runtime) {
|
|
11
|
+
this.config = config;
|
|
12
|
+
this.runtime = runtime;
|
|
13
|
+
}
|
|
14
|
+
/**
|
|
15
|
+
* Submit proof to AgentShield API
|
|
16
|
+
* Uses the proof.jws directly (full JWS format from CloudflareRuntime)
|
|
17
|
+
*
|
|
18
|
+
* Also submits optional context for AgentShield dashboard integration.
|
|
19
|
+
* Context provides plaintext tool/args data while proof provides cryptographic verification.
|
|
20
|
+
*/
|
|
21
|
+
async submitProof(proof, context) {
|
|
22
|
+
if (!proof.jws || !proof.meta) {
|
|
23
|
+
console.warn('[ProofService] Proof missing jws or meta, skipping submission');
|
|
24
|
+
return;
|
|
25
|
+
}
|
|
26
|
+
// Get AgentShield config from proofing config
|
|
27
|
+
const proofingConfig = this.config.proofing;
|
|
28
|
+
if (!proofingConfig?.enabled || !proofingConfig.batchQueue?.destinations) {
|
|
29
|
+
console.log('[ProofService] Proof submission disabled or no destinations configured');
|
|
30
|
+
return;
|
|
31
|
+
}
|
|
32
|
+
// Find AgentShield destination
|
|
33
|
+
const agentShieldDest = proofingConfig.batchQueue.destinations.find((dest) => dest.type === 'agentshield' && dest.apiKey);
|
|
34
|
+
if (!agentShieldDest || !agentShieldDest.apiKey || !agentShieldDest.apiUrl) {
|
|
35
|
+
console.log('[ProofService] No AgentShield destination configured');
|
|
36
|
+
return;
|
|
37
|
+
}
|
|
38
|
+
const apiUrl = agentShieldDest.apiUrl;
|
|
39
|
+
const apiKey = agentShieldDest.apiKey;
|
|
40
|
+
// Get tool call context from runtime (if available)
|
|
41
|
+
const toolCallContext = this.runtime?.getLastToolCallContext();
|
|
42
|
+
// Proof already has correct format from CloudflareRuntime
|
|
43
|
+
// Adding optional context for AgentShield dashboard (Option A architecture)
|
|
44
|
+
const requestBody = {
|
|
45
|
+
session_id: context.session.id,
|
|
46
|
+
delegation_id: null,
|
|
47
|
+
proofs: [{
|
|
48
|
+
jws: proof.jws, // Already in full JWS format
|
|
49
|
+
meta: proof.meta // Already has all required fields
|
|
50
|
+
}],
|
|
51
|
+
// Optional context for dashboard integration
|
|
52
|
+
context: {
|
|
53
|
+
toolCalls: toolCallContext ? [toolCallContext] : [{
|
|
54
|
+
// Fallback if context not available from runtime
|
|
55
|
+
tool: context.toolName,
|
|
56
|
+
args: context.args,
|
|
57
|
+
result: context.result,
|
|
58
|
+
scopeId: proof.meta.scopeId || `${context.toolName}:execute`
|
|
59
|
+
}],
|
|
60
|
+
// MCP server URL for tool discovery (optional, only needed once)
|
|
61
|
+
mcpServerUrl: context.mcpServerUrl
|
|
62
|
+
}
|
|
63
|
+
};
|
|
64
|
+
console.log('[ProofService] Submitting proof with context:', {
|
|
65
|
+
did: proof.meta.did,
|
|
66
|
+
sessionId: proof.meta.sessionId,
|
|
67
|
+
jwsFormat: proof.jws.split('.').length === 3 ? 'valid (3 parts)' : 'invalid',
|
|
68
|
+
contextTool: requestBody.context.toolCalls[0]?.tool,
|
|
69
|
+
contextScopeId: requestBody.context.toolCalls[0]?.scopeId,
|
|
70
|
+
mcpServerUrl: requestBody.context.mcpServerUrl || 'not-set'
|
|
71
|
+
});
|
|
72
|
+
const response = await fetch(`${apiUrl}/api/v1/bouncer/proofs`, {
|
|
73
|
+
method: 'POST',
|
|
74
|
+
headers: {
|
|
75
|
+
'Content-Type': 'application/json',
|
|
76
|
+
'Authorization': `Bearer ${apiKey}`
|
|
77
|
+
},
|
|
78
|
+
body: JSON.stringify(requestBody)
|
|
79
|
+
});
|
|
80
|
+
if (!response.ok) {
|
|
81
|
+
const errorText = await response.text();
|
|
82
|
+
console.error('[ProofService] Submission failed:', response.status, errorText);
|
|
83
|
+
throw new Error(`AgentShield error: ${response.status}`);
|
|
84
|
+
}
|
|
85
|
+
const responseData = await response.json();
|
|
86
|
+
console.log('[ProofService] Response:', responseData);
|
|
87
|
+
if (responseData.accepted) {
|
|
88
|
+
console.log('[ProofService] ✅ Proofs accepted:', responseData.accepted);
|
|
89
|
+
}
|
|
90
|
+
if (responseData.rejected) {
|
|
91
|
+
console.log('[ProofService] ❌ Proofs rejected:', responseData.rejected);
|
|
92
|
+
}
|
|
93
|
+
}
|
|
94
|
+
}
|
|
95
|
+
//# sourceMappingURL=proof.service.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"proof.service.js","sourceRoot":"","sources":["../../src/services/proof.service.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAeH,MAAM,OAAO,YAAY;IACf,MAAM,CAA0B;IAChC,OAAO,CAAqB;IAEpC,YAAY,MAA+B,EAAE,OAA2B;QACtE,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;IACzB,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,WAAW,CACf,KAAoB,EACpB,OAA+B;QAE/B,IAAI,CAAC,KAAK,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;YAC9B,OAAO,CAAC,IAAI,CAAC,+DAA+D,CAAC,CAAC;YAC9E,OAAO;QACT,CAAC;QAED,8CAA8C;QAC9C,MAAM,cAAc,GAAG,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC;QAC5C,IAAI,CAAC,cAAc,EAAE,OAAO,IAAI,CAAC,cAAc,CAAC,UAAU,EAAE,YAAY,EAAE,CAAC;YACzE,OAAO,CAAC,GAAG,CAAC,wEAAwE,CAAC,CAAC;YACtF,OAAO;QACT,CAAC;QAED,+BAA+B;QAC/B,MAAM,eAAe,GAAG,cAAc,CAAC,UAAU,CAAC,YAAY,CAAC,IAAI,CACjE,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,IAAI,KAAK,aAAa,IAAI,IAAI,CAAC,MAAM,CACrD,CAAC;QAEF,IAAI,CAAC,eAAe,IAAI,CAAC,eAAe,CAAC,MAAM,IAAI,CAAC,eAAe,CAAC,MAAM,EAAE,CAAC;YAC3E,OAAO,CAAC,GAAG,CAAC,sDAAsD,CAAC,CAAC;YACpE,OAAO;QACT,CAAC;QAED,MAAM,MAAM,GAAG,eAAe,CAAC,MAAM,CAAC;QACtC,MAAM,MAAM,GAAG,eAAe,CAAC,MAAM,CAAC;QAEtC,oDAAoD;QACpD,MAAM,eAAe,GAAG,IAAI,CAAC,OAAO,EAAE,sBAAsB,EAAE,CAAC;QAE/D,0DAA0D;QAC1D,4EAA4E;QAC5E,MAAM,WAAW,GAAG;YAClB,UAAU,EAAE,OAAO,CAAC,OAAO,CAAC,EAAE;YAC9B,aAAa,EAAE,IAAI;YACnB,MAAM,EAAE,CAAC;oBACP,GAAG,EAAE,KAAK,CAAC,GAAG,EAAG,6BAA6B;oBAC9C,IAAI,EAAE,KAAK,CAAC,IAAI,CAAE,kCAAkC;iBACrD,CAAC;YACF,6CAA6C;YAC7C,OAAO,EAAE;gBACP,SAAS,EAAE,eAAe,CAAC,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,CAAC;wBAChD,iDAAiD;wBACjD,IAAI,EAAE,OAAO,CAAC,QAAQ;wBACtB,IAAI,EAAE,OAAO,CAAC,IAAI;wBAClB,MAAM,EAAE,OAAO,CAAC,MAAM;wBACtB,OAAO,EAAE,KAAK,CAAC,IAAI,CAAC,OAAO,IAAI,GAAG,OAAO,CAAC,QAAQ,UAAU;qBAC7D,CAAC;gBACF,iEAAiE;gBACjE,YAAY,EAAE,OAAO,CAAC,YAAY;aACnC;SACF,CAAC;QAEF,OAAO,CAAC,GAAG,CAAC,+CAA+C,EAAE;YAC3D,GAAG,EAAE,KAAK,CAAC,IAAI,CAAC,GAAG;YACnB,SAAS,EAAE,KAAK,CAAC,IAAI,CAAC,SAAS;YAC/B,SAAS,EAAE,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC,SAAS;YAC5E,WAAW,EAAE,WAAW,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,IAAI;YACnD,cAAc,EAAE,WAAW,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,OAAO;YACzD,YAAY,EAAE,WAAW,CAAC,OAAO,CAAC,YAAY,IAAI,SAAS;SAC5D,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,MAAM,wBAAwB,EAAE;YAC9D,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,kBAAkB;gBAClC,eAAe,EAAE,UAAU,MAAM,EAAE;aACpC;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC;SAClC,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;YACxC,OAAO,CAAC,KAAK,CAAC,mCAAmC,EAAE,QAAQ,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;YAC/E,MAAM,IAAI,KAAK,CAAC,sBAAsB,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;QAC3D,CAAC;QAED,MAAM,YAAY,GAAG,MAAM,QAAQ,CAAC,IAAI,EAOvC,CAAC;QACF,OAAO,CAAC,GAAG,CAAC,0BAA0B,EAAE,YAAY,CAAC,CAAC;QAEtD,IAAI,YAAY,CAAC,QAAQ,EAAE,CAAC;YAC1B,OAAO,CAAC,GAAG,CAAC,mCAAmC,EAAE,YAAY,CAAC,QAAQ,CAAC,CAAC;QAC1E,CAAC;QACD,IAAI,YAAY,CAAC,QAAQ,EAAE,CAAC;YAC1B,OAAO,CAAC,GAAG,CAAC,mCAAmC,EAAE,YAAY,CAAC,QAAQ,CAAC,CAAC;QAC1E,CAAC;IACH,CAAC;CACF"}
|
package/dist/types.d.ts
ADDED
|
@@ -0,0 +1,27 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Shared type definitions for @kya-os/mcp-i-cloudflare
|
|
3
|
+
*
|
|
4
|
+
* These types are separated to avoid circular dependencies.
|
|
5
|
+
*/
|
|
6
|
+
import type { KVNamespace, DurableObjectState } from '@cloudflare/workers-types';
|
|
7
|
+
/**
|
|
8
|
+
* Cloudflare environment bindings for MCP-I
|
|
9
|
+
*/
|
|
10
|
+
export interface CloudflareEnv {
|
|
11
|
+
NONCE_CACHE: KVNamespace;
|
|
12
|
+
PROOF_ARCHIVE?: KVNamespace;
|
|
13
|
+
IDENTITY_STORAGE?: KVNamespace;
|
|
14
|
+
TOOL_PROTECTION_KV?: KVNamespace;
|
|
15
|
+
DELEGATION_STORAGE?: KVNamespace;
|
|
16
|
+
MCP_IDENTITY_PRIVATE_KEY?: string;
|
|
17
|
+
MCP_IDENTITY_PUBLIC_KEY?: string;
|
|
18
|
+
MCP_IDENTITY_AGENT_DID?: string;
|
|
19
|
+
MCP_SERVER_URL?: string;
|
|
20
|
+
AGENTSHIELD_API_URL?: string;
|
|
21
|
+
AGENTSHIELD_API_KEY?: string;
|
|
22
|
+
AGENTSHIELD_PROJECT_ID?: string;
|
|
23
|
+
MCPI_ENV?: string;
|
|
24
|
+
ENVIRONMENT?: string;
|
|
25
|
+
_durableObjectState?: DurableObjectState;
|
|
26
|
+
}
|
|
27
|
+
//# sourceMappingURL=types.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,WAAW,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAEjF;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,WAAW,EAAE,WAAW,CAAC;IACzB,aAAa,CAAC,EAAE,WAAW,CAAC;IAC5B,gBAAgB,CAAC,EAAE,WAAW,CAAC;IAC/B,kBAAkB,CAAC,EAAE,WAAW,CAAC;IACjC,kBAAkB,CAAC,EAAE,WAAW,CAAC;IACjC,wBAAwB,CAAC,EAAE,MAAM,CAAC;IAClC,uBAAuB,CAAC,EAAE,MAAM,CAAC;IACjC,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB,mBAAmB,CAAC,EAAE,kBAAkB,CAAC;CAC1C"}
|
package/dist/types.js
ADDED
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;;;GAIG"}
|