@kya-os/mcp-i-cloudflare 1.4.1-canary.0 → 1.4.1-canary.2

package/dist/services/consent-config.service.js

@@ -0,0 +1,157 @@
+/**
+ * Consent Config Service
+ *
+ * Fetches consent configuration from AgentShield API with caching.
+ * Falls back to sensible defaults if API is unavailable.
+ *
+ * Related Spec: MCP-I Phase 0 Implementation Plan, Task B.3
+ */
+import { DEFAULT_AGENTSHIELD_URL } from '../constants';
+import { validateConsentConfig } from '@kya-os/contracts/consent';
+/**
+ * Default consent configuration cache TTL (5 minutes)
+ */
+const CONSENT_CONFIG_CACHE_TTL = 300; // 5 minutes in seconds
+/**
+ * Consent Config Service
+ *
+ * Manages fetching and caching of consent configuration from AgentShield
+ */
+export class ConsentConfigService {
+    env;
+    constructor(env) {
+        this.env = env;
+    }
+    /**
+     * Get consent configuration for a project
+     *
+     * Fetches from AgentShield API with caching. Falls back to defaults if:
+     * - API is unavailable
+     * - API key is missing
+     * - Project not found
+     *
+     * @param projectId - Project ID from AgentShield
+     * @returns Consent configuration (always returns valid config, never throws)
+     */
+    async getConsentConfig(projectId) {
+        const cache = this.env.TOOL_PROTECTION_KV;
+        // Check cache first
+        if (cache) {
+            const cacheKey = `consent:config:${projectId}`;
+            try {
+                const cached = await cache.get(cacheKey, 'json');
+                if (cached) {
+                    // Validate cached config
+                    const validation = validateConsentConfig(cached);
+                    if (validation.success) {
+                        console.log('[ConsentConfig] ✅ Config retrieved from cache');
+                        return validation.data;
+                    }
+                    else {
+                        console.warn('[ConsentConfig] Cached config invalid, fetching fresh:', validation.error);
+                        // Cache is invalid, continue to fetch fresh
+                    }
+                }
+            }
+            catch (error) {
+                console.warn('[ConsentConfig] Cache read error, fetching fresh:', error);
+                // Continue to fetch fresh on cache error
+            }
+        }
+        // Fetch from AgentShield API
+        try {
+            const agentShieldUrl = this.env.AGENTSHIELD_API_URL || DEFAULT_AGENTSHIELD_URL;
+            const apiKey = this.env.AGENTSHIELD_API_KEY;
+            if (!apiKey) {
+                console.warn('[ConsentConfig] No API key configured, using defaults');
+                return this.getDefaultConfig();
+            }
+            const response = await fetch(`${agentShieldUrl}/api/v1/bouncer/projects/${projectId}/consent-config`, {
+                headers: {
+                    'Authorization': `Bearer ${apiKey}`,
+                    'Content-Type': 'application/json',
+                },
+            });
+            if (response.ok) {
+                const configData = await response.json();
+                // Validate response
+                const validation = validateConsentConfig(configData);
+                if (validation.success) {
+                    const config = validation.data;
+                    // Cache for 5 minutes
+                    if (cache) {
+                        try {
+                            await cache.put(`consent:config:${projectId}`, JSON.stringify(config), { expirationTtl: CONSENT_CONFIG_CACHE_TTL });
+                            console.log('[ConsentConfig] ✅ Config fetched and cached');
+                        }
+                        catch (cacheError) {
+                            console.warn('[ConsentConfig] Cache write failed (non-fatal):', cacheError);
+                        }
+                    }
+                    return config;
+                }
+                else {
+                    console.warn('[ConsentConfig] API response invalid, using defaults:', validation.error);
+                    // Don't cache invalid configs - return defaults instead
+                    return this.getDefaultConfig();
+                }
+            }
+            else if (response.status === 404) {
+                console.log('[ConsentConfig] Project not found, using defaults');
+                return this.getDefaultConfig();
+            }
+            else {
+                console.warn('[ConsentConfig] API request failed:', response.status, response.statusText);
+                return this.getDefaultConfig();
+            }
+        }
+        catch (error) {
+            console.warn('[ConsentConfig] Failed to fetch config, using defaults:', error);
+            return this.getDefaultConfig();
+        }
+    }
+    /**
+     * Get default consent configuration
+     *
+     * Returns sensible defaults when API is unavailable
+     *
+     * @returns Default consent configuration
+     */
+    getDefaultConfig() {
+        return {
+            branding: {
+                primaryColor: '#2563eb',
+                theme: 'light',
+            },
+            terms: {
+                text: 'By approving, you grant permission for this agent to perform actions on your behalf. You can revoke this permission at any time.',
+                required: true,
+            },
+            ui: {
+                theme: 'light',
+                popupEnabled: false,
+                autoClose: false,
+            },
+        };
+    }
+    /**
+     * Invalidate cached consent configuration for a project
+     *
+     * @param projectId - Project ID to invalidate
+     */
+    async invalidateCache(projectId) {
+        const cache = this.env.TOOL_PROTECTION_KV;
+        if (!cache) {
+            return;
+        }
+        try {
+            const cacheKey = `consent:config:${projectId}`;
+            await cache.delete(cacheKey);
+            console.log('[ConsentConfig] Cache invalidated for project:', projectId);
+        }
+        catch (error) {
+            console.warn('[ConsentConfig] Failed to invalidate cache:', error);
+        }
+    }
+}
+//# sourceMappingURL=consent-config.service.js.map

package/dist/services/consent-config.service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"consent-config.service.js","sourceRoot":"","sources":["../../src/services/consent-config.service.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,EAAE,uBAAuB,EAAE,MAAM,cAAc,CAAC;AAEvD,OAAO,EAAuB,qBAAqB,EAAE,MAAM,2BAA2B,CAAC;AAEvF;;GAEG;AACH,MAAM,wBAAwB,GAAG,GAAG,CAAC,CAAC,uBAAuB;AAE7D;;;;GAIG;AACH,MAAM,OAAO,oBAAoB;IACvB,GAAG,CAAgB;IAE3B,YAAY,GAAkB;QAC5B,IAAI,CAAC,GAAG,GAAG,GAAG,CAAC;IACjB,CAAC;IAED;;;;;;;;;;OAUG;IACH,KAAK,CAAC,gBAAgB,CAAC,SAAiB;QACtC,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,kBAAkB,CAAC;QAE1C,oBAAoB;QACpB,IAAI,KAAK,EAAE,CAAC;YACV,MAAM,QAAQ,GAAG,kBAAkB,SAAS,EAAE,CAAC;YAC/C,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;gBACjD,IAAI,MAAM,EAAE,CAAC;oBACX,yBAAyB;oBACzB,MAAM,UAAU,GAAG,qBAAqB,CAAC,MAAM,CAAC,CAAC;oBACjD,IAAI,UAAU,CAAC,OAAO,EAAE,CAAC;wBACvB,OAAO,CAAC,GAAG,CAAC,+CAA+C,CAAC,CAAC;wBAC7D,OAAO,UAAU,CAAC,IAAI,CAAC;oBACzB,CAAC;yBAAM,CAAC;wBACN,OAAO,CAAC,IAAI,CAAC,wDAAwD,EAAE,UAAU,CAAC,KAAK,CAAC,CAAC;wBACzF,4CAA4C;oBAC9C,CAAC;gBACH,CAAC;YACH,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,OAAO,CAAC,IAAI,CAAC,mDAAmD,EAAE,KAAK,CAAC,CAAC;gBACzE,yCAAyC;YAC3C,CAAC;QACH,CAAC;QAED,6BAA6B;QAC7B,IAAI,CAAC;YACH,MAAM,cAAc,GAAG,IAAI,CAAC,GAAG,CAAC,mBAAmB,IAAI,uBAAuB,CAAC;YAC/E,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC,mBAAmB,CAAC;YAE5C,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,OAAO,CAAC,IAAI,CAAC,uDAAuD,CAAC,CAAC;gBACtE,OAAO,IAAI,CAAC,gBAAgB,EAAE,CAAC;YACjC,CAAC;YAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAC1B,GAAG,cAAc,4BAA4B,SAAS,iBAAiB,EACvE;gBACE,OAAO,EAAE;oBACP,eAAe,EAAE,UAAU,MAAM,EAAE;oBACnC,cAAc,EAAE,kBAAkB;iBACnC;aACF,CACF,CAAC;YAEF,IAAI,QAAQ,CAAC,EAAE,EAAE,CAAC;gBAChB,MAAM,UAAU,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;gBAEzC,oBAAoB;gBACpB,MAAM,UAAU,GAAG,qBAAqB,CAAC,UAAU,CAAC,CAAC;gBACrD,IAAI,UAAU,CAAC,OAAO,EAAE,CAAC;oBACvB,MAAM,MAAM,GAAG,UAAU,CAAC,IAAI,CAAC;oBAE/B,sBAAsB;oBACtB,IAAI,KAAK,EAAE,CAAC;wBACV,IAAI,CAAC;4BACH,MAAM,KAAK,CAAC,GAAG,CACb,kBAAkB,SAAS,EAAE,EAC7B,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,EACtB,EAAE,aAAa,EAAE,wBAAwB,EAAE,CAC5C,CAAC;4BACF,OAAO,CAAC,GAAG,CAAC,6CAA6C,CAAC,CAAC;wBAC7D,CAAC;wBAAC,OAAO,UAAU,EAAE,CAAC;4BACpB,OAAO,CAAC,IAAI,CAAC,iDAAiD,EAAE,UAAU,CAAC,CAAC;wBAC9E,CAAC;oBACH,CAAC;oBAED,OAAO,MAAM,CAAC;gBAChB,CAAC;qBAAM,CAAC;oBACN,OAAO,CAAC,IAAI,CAAC,uDAAuD,EAAE,UAAU,CAAC,KAAK,CAAC,CAAC;oBACxF,wDAAwD;oBACxD,OAAO,IAAI,CAAC,gBAAgB,EAAE,CAAC;gBACjC,CAAC;YACH,CAAC;iBAAM,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBACnC,OAAO,CAAC,GAAG,CAAC,mDAAmD,CAAC,CAAC;gBACjE,OAAO,IAAI,CAAC,gBAAgB,EAAE,CAAC;YACjC,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,IAAI,CAAC,qCAAqC,EAAE,QAAQ,CAAC,MAAM,EAAE,QAAQ,CAAC,UAAU,CAAC,CAAC;gBAC1F,OAAO,IAAI,CAAC,gBAAgB,EAAE,CAAC;YACjC,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,IAAI,CAAC,yDAAyD,EAAE,KAAK,CAAC,CAAC;YAC/E,OAAO,IAAI,CAAC,gBAAgB,EAAE,CAAC;QACjC,CAAC;IACH,CAAC;IAED;;;;;;OAMG;IACK,gBAAgB;QACtB,OAAO;YACL,QAAQ,EAAE;gBACR,YAAY,EAAE,SAAS;gBACvB,KAAK,EAAE,OAAO;aACf;YACD,KAAK,EAAE;gBACL,IAAI,EAAE,kIAAkI;gBACxI,QAAQ,EAAE,IAAI;aACf;YACD,EAAE,EAAE;gBACF,KAAK,EAAE,OAAO;gBACd,YAAY,EAAE,KAAK;gBACnB,SAAS,EAAE,KAAK;aACjB;SACF,CAAC;IACJ,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,eAAe,CAAC,SAAiB;QACrC,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,kBAAkB,CAAC;QAC1C,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO;QACT,CAAC;QAED,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,kBAAkB,SAAS,EAAE,CAAC;YAC/C,MAAM,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;YAC7B,OAAO,CAAC,GAAG,CAAC,gDAAgD,EAAE,SAAS,CAAC,CAAC;QAC3E,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,IAAI,CAAC,6CAA6C,EAAE,KAAK,CAAC,CAAC;QACrE,CAAC;IACH,CAAC;CACF"}

package/dist/services/consent-page-renderer.d.ts

@@ -0,0 +1,137 @@
+/**
+ * Consent Page Renderer
+ *
+ * Renders secure consent pages with comprehensive XSS prevention.
+ * All user input is sanitized and escaped before rendering.
+ *
+ * Security Requirements:
+ * - All user input escaped with escapeHtml()
+ * - URLs validated before use
+ * - CSS colors validated
+ * - CSP headers enforced
+ * - No eval() or innerHTML with user data
+ *
+ * Related Spec: MCP-I Phase 0 Implementation Plan, Task B.4
+ */
+import type { ConsentPageConfig } from "@kya-os/contracts/consent";
+/**
+ * Consent Page Renderer
+ *
+ * Renders HTML consent pages with security-first approach
+ */
+export declare class ConsentPageRenderer {
+    /**
+     * Render consent page HTML
+     *
+     * @param config - Consent page configuration (will be sanitized)
+     * @returns HTML string
+     */
+    render(config: ConsentPageConfig): string;
+    /**
+     * Render success page HTML
+     *
+     * @param config - Success page configuration
+     * @returns HTML string
+     */
+    renderSuccess(config: {
+        delegationId: string;
+        autoClose?: boolean;
+    }): string;
+    /**
+     * Escape HTML special characters
+     *
+     * Prevents XSS by escaping characters that have special meaning in HTML
+     *
+     * @param text - Text to escape
+     * @returns Escaped text
+     */
+    private escapeHtml;
+    /**
+     * Validate and sanitize URL
+     *
+     * @param url - URL to validate
+     * @returns Sanitized URL or original if invalid (for fallback)
+     */
+    private validateUrl;
+    /**
+     * Validate CSS color (hex format)
+     *
+     * @param color - Color to validate
+     * @returns Validated color or default
+     */
+    private validateColor;
+    /**
+     * Sanitize consent page configuration
+     *
+     * Deep sanitization of all user input fields
+     * Note: serverUrl is validated but not escaped (needed for JavaScript)
+     *
+     * @param config - Configuration to sanitize
+     * @returns Sanitized configuration
+     */
+    private sanitizeConfig;
+    /**
+     * Sanitize branding configuration
+     *
+     * @param branding - Branding to sanitize
+     * @returns Sanitized branding
+     */
+    private sanitizeBranding;
+    /**
+     * Sanitize terms configuration
+     *
+     * @param terms - Terms to sanitize
+     * @returns Sanitized terms
+     */
+    private sanitizeTerms;
+    /**
+     * Sanitize custom field
+     *
+     * @param field - Field to sanitize
+     * @returns Sanitized field
+     */
+    private sanitizeCustomField;
+    /**
+     * Render page header
+     *
+     * @param config - Sanitized configuration
+     * @returns HTML string
+     */
+    private renderHeader;
+    /**
+     * Render scopes list
+     *
+     * @param scopes - Sanitized scopes
+     * @returns HTML string
+     */
+    private renderScopes;
+    /**
+     * Render terms section
+     *
+     * @param terms - Sanitized terms
+     * @returns HTML string
+     */
+    private renderTerms;
+    /**
+     * Render custom fields
+     *
+     * @param fields - Sanitized custom fields
+     * @returns HTML string
+     */
+    private renderCustomFields;
+    /**
+     * Render form
+     *
+     * @param config - Sanitized configuration
+     * @returns HTML string
+     */
+    private renderForm;
+    /**
+     * Render JavaScript for form handling
+     *
+     * @param config - Sanitized configuration
+     * @returns HTML string
+     */
+    private renderScript;
+}
+//# sourceMappingURL=consent-page-renderer.d.ts.map

package/dist/services/consent-page-renderer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"consent-page-renderer.d.ts","sourceRoot":"","sources":["../../src/services/consent-page-renderer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,KAAK,EACV,iBAAiB,EAIlB,MAAM,2BAA2B,CAAC;AAEnC;;;;GAIG;AACH,qBAAa,mBAAmB;IAC9B;;;;;OAKG;IACH,MAAM,CAAC,MAAM,EAAE,iBAAiB,GAAG,MAAM;IAyBzC;;;;;OAKG;IACH,aAAa,CAAC,MAAM,EAAE;QAAE,YAAY,EAAE,MAAM,CAAC;QAAC,SAAS,CAAC,EAAE,OAAO,CAAA;KAAE,GAAG,MAAM;IA6B5E;;;;;;;OAOG;IACH,OAAO,CAAC,UAAU;IAYlB;;;;;OAKG;IACH,OAAO,CAAC,WAAW;IAanB;;;;;OAKG;IACH,OAAO,CAAC,aAAa;IASrB;;;;;;;;OAQG;IACH,OAAO,CAAC,cAAc;IAwBtB;;;;;OAKG;IACH,OAAO,CAAC,gBAAgB;IAkCxB;;;;;OAKG;IACH,OAAO,CAAC,aAAa;IASrB;;;;;OAKG;IACH,OAAO,CAAC,mBAAmB;IAkB3B;;;;;OAKG;IACH,OAAO,CAAC,YAAY;IAmBpB;;;;;OAKG;IACH,OAAO,CAAC,YAAY;IA0BpB;;;;;OAKG;IACH,OAAO,CAAC,WAAW;IAmBnB;;;;;OAKG;IACH,OAAO,CAAC,kBAAkB;IA4D1B;;;;;OAKG;IACH,OAAO,CAAC,UAAU;IAwClB;;;;;OAKG;IACH,OAAO,CAAC,YAAY;CAiErB"}