@kya-os/mcp-i-cloudflare 1.5.10-canary.8 → 1.6.0

package/dist/services/idp-token-storage.js

@@ -0,0 +1,157 @@
+/**
+ * IDP Token Storage Service
+ *
+ * Stores and retrieves IDP (Identity Provider) tokens encrypted in KV storage.
+ * Tokens are encrypted at rest using AES-GCM encryption.
+ *
+ * Storage key format: `idp_token:user:{userDid}:provider:{provider}:scopes:{scopeHash}`
+ *
+ * @package @kya-os/mcp-i-cloudflare
+ */
+/**
+ * Service for storing and retrieving IDP tokens
+ *
+ * Cloudflare Workers implementation using KV storage and AES-GCM encryption.
+ */
+export class IdpTokenStorage {
+    config;
+    constructor(config) {
+        this.config = {
+            storage: config.storage,
+            oauthSecurityService: config.oauthSecurityService,
+            logger: config.logger || (() => { }),
+        };
+    }
+    /**
+     * Store IDP tokens encrypted in KV storage
+     *
+     * @param userDid - User DID to associate tokens with
+     * @param provider - OAuth provider name (e.g., "github", "google")
+     * @param scopes - Scopes granted for these tokens
+     * @param tokens - IDP tokens to store
+     */
+    async storeToken(userDid, provider, scopes, tokens) {
+        const scopeHash = this.hashScopes(scopes);
+        const key = `idp_token:user:${userDid}:provider:${provider}:scopes:${scopeHash}`;
+        // Prepare token data for storage
+        const tokenData = {
+            access_token: tokens.access_token,
+            refresh_token: tokens.refresh_token,
+            expires_at: tokens.expires_at,
+            token_type: tokens.token_type,
+            scope: tokens.scope,
+            stored_at: Date.now(),
+        };
+        // Encrypt token data before storage
+        const encrypted = await this.config.oauthSecurityService.encryptToken(JSON.stringify(tokenData));
+        // Calculate TTL (expiration time - current time, in seconds)
+        // Default to 7 days if expires_at not available
+        const expiresAt = tokens.expires_at || Date.now() + 7 * 24 * 60 * 60 * 1000;
+        const ttl = Math.max(0, Math.floor((expiresAt - Date.now()) / 1000));
+        await this.config.storage.put(key, encrypted, {
+            expirationTtl: ttl,
+        });
+        this.config.logger("[IdpTokenStorage] Token stored", {
+            userDid: userDid.substring(0, 20) + "...",
+            provider,
+            scopes,
+            scopeHash,
+            expiresAt: new Date(expiresAt).toISOString(),
+            ttl,
+        });
+    }
+    /**
+     * Retrieve IDP tokens from KV storage
+     *
+     * @param userDid - User DID to retrieve tokens for
+     * @param provider - OAuth provider name
+     * @param scopes - Scopes to retrieve tokens for
+     * @returns IDP tokens or null if not found
+     */
+    async getToken(userDid, provider, scopes) {
+        const scopeHash = this.hashScopes(scopes);
+        const key = `idp_token:user:${userDid}:provider:${provider}:scopes:${scopeHash}`;
+        const encrypted = await this.config.storage.get(key, "text");
+        if (!encrypted) {
+            this.config.logger("[IdpTokenStorage] Token not found", {
+                userDid: userDid.substring(0, 20) + "...",
+                provider,
+                scopes,
+                scopeHash,
+            });
+            return null;
+        }
+        try {
+            // Decrypt token data
+            const decrypted = await this.config.oauthSecurityService.decryptToken(encrypted);
+            const tokenData = JSON.parse(decrypted);
+            // Reconstruct IdpTokens object
+            const tokens = {
+                access_token: tokenData.access_token,
+                refresh_token: tokenData.refresh_token,
+                expires_at: tokenData.expires_at,
+                token_type: tokenData.token_type,
+                scope: tokenData.scope,
+                expires_in: tokenData.expires_at
+                    ? Math.floor((tokenData.expires_at - Date.now()) / 1000)
+                    : undefined,
+            };
+            this.config.logger("[IdpTokenStorage] Token retrieved", {
+                userDid: userDid.substring(0, 20) + "...",
+                provider,
+                scopes,
+                expiresAt: new Date(tokens.expires_at).toISOString(),
+                isExpired: tokens.expires_at < Date.now(),
+            });
+            return tokens;
+        }
+        catch (error) {
+            this.config.logger("[IdpTokenStorage] Token decryption failed", {
+                error: error instanceof Error ? error.message : String(error),
+                userDid: userDid.substring(0, 20) + "...",
+                provider,
+            });
+            return null;
+        }
+    }
+    /**
+     * Delete IDP tokens from storage
+     *
+     * @param userDid - User DID
+     * @param provider - OAuth provider name
+     * @param scopes - Scopes
+     */
+    async deleteToken(userDid, provider, scopes) {
+        const scopeHash = this.hashScopes(scopes);
+        const key = `idp_token:user:${userDid}:provider:${provider}:scopes:${scopeHash}`;
+        await this.config.storage.delete(key);
+        this.config.logger("[IdpTokenStorage] Token deleted", {
+            userDid: userDid.substring(0, 20) + "...",
+            provider,
+            scopes,
+            scopeHash,
+        });
+    }
+    /**
+     * Hash scopes deterministically for storage key
+     *
+     * Uses sorted scopes joined with comma, then base64url encoded.
+     * This ensures the same scopes always produce the same hash.
+     *
+     * @param scopes - Array of scope strings
+     * @returns Deterministic hash of scopes
+     */
+    hashScopes(scopes) {
+        // Sort scopes to ensure deterministic hashing
+        const sorted = scopes.sort().join(",");
+        // Simple hash: base64url encode first 16 bytes of UTF-8 encoding
+        const encoder = new TextEncoder();
+        const bytes = encoder.encode(sorted);
+        const hashBytes = bytes.slice(0, 16); // Use first 16 bytes
+        return btoa(String.fromCharCode(...hashBytes))
+            .replace(/\+/g, "-")
+            .replace(/\//g, "_")
+            .replace(/=/g, "");
+    }
+}
+//# sourceMappingURL=idp-token-storage.js.map

package/dist/services/idp-token-storage.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"idp-token-storage.js","sourceRoot":"","sources":["../../src/services/idp-token-storage.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAkBH;;;;GAIG;AACH,MAAM,OAAO,eAAe;IAClB,MAAM,CAEZ;IAEF,YAAY,MAA6B;QACvC,IAAI,CAAC,MAAM,GAAG;YACZ,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,oBAAoB,EAAE,MAAM,CAAC,oBAAoB;YACjD,MAAM,EAAE,MAAM,CAAC,MAAM,IAAI,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC;SACpC,CAAC;IACJ,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,UAAU,CACd,OAAe,EACf,QAAgB,EAChB,MAAgB,EAChB,MAAiB;QAEjB,MAAM,SAAS,GAAG,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;QAC1C,MAAM,GAAG,GAAG,kBAAkB,OAAO,aAAa,QAAQ,WAAW,SAAS,EAAE,CAAC;QAEjF,iCAAiC;QACjC,MAAM,SAAS,GAAG;YAChB,YAAY,EAAE,MAAM,CAAC,YAAY;YACjC,aAAa,EAAE,MAAM,CAAC,aAAa;YACnC,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;SACtB,CAAC;QAEF,oCAAoC;QACpC,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,oBAAoB,CAAC,YAAY,CACnE,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,CAC1B,CAAC;QAEF,6DAA6D;QAC7D,gDAAgD;QAChD,MAAM,SAAS,GAAG,MAAM,CAAC,UAAU,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;QAC5E,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAClB,CAAC,EACD,IAAI,CAAC,KAAK,CAAC,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,GAAG,IAAI,CAAC,CAC5C,CAAC;QAEF,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,SAAS,EAAE;YAC5C,aAAa,EAAE,GAAG;SACnB,CAAC,CAAC;QAEH,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,gCAAgC,EAAE;YACnD,OAAO,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,KAAK;YACzC,QAAQ;YACR,MAAM;YACN,SAAS;YACT,SAAS,EAAE,IAAI,IAAI,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE;YAC5C,GAAG;SACJ,CAAC,CAAC;IACL,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,QAAQ,CACZ,OAAe,EACf,QAAgB,EAChB,MAAgB;QAEhB,MAAM,SAAS,GAAG,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;QAC1C,MAAM,GAAG,GAAG,kBAAkB,OAAO,aAAa,QAAQ,WAAW,SAAS,EAAE,CAAC;QAEjF,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;QAC7D,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,mCAAmC,EAAE;gBACtD,OAAO,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,KAAK;gBACzC,QAAQ;gBACR,MAAM;gBACN,SAAS;aACV,CAAC,CAAC;YACH,OAAO,IAAI,CAAC;QACd,CAAC;QAED,IAAI,CAAC;YACH,qBAAqB;YACrB,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,oBAAoB,CAAC,YAAY,CACnE,SAAS,CACV,CAAC;YACF,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;YAExC,+BAA+B;YAC/B,MAAM,MAAM,GAAc;gBACxB,YAAY,EAAE,SAAS,CAAC,YAAY;gBACpC,aAAa,EAAE,SAAS,CAAC,aAAa;gBACtC,UAAU,EAAE,SAAS,CAAC,UAAU;gBAChC,UAAU,EAAE,SAAS,CAAC,UAAU;gBAChC,KAAK,EAAE,SAAS,CAAC,KAAK;gBACtB,UAAU,EAAE,SAAS,CAAC,UAAU;oBAC9B,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,GAAG,IAAI,CAAC;oBACxD,CAAC,CAAC,SAAS;aACd,CAAC;YAEF,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,mCAAmC,EAAE;gBACtD,OAAO,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,KAAK;gBACzC,QAAQ;gBACR,MAAM;gBACN,SAAS,EAAE,IAAI,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,WAAW,EAAE;gBACpD,SAAS,EAAE,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE;aAC1C,CAAC,CAAC;YAEH,OAAO,MAAM,CAAC;QAChB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,2CAA2C,EAAE;gBAC9D,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;gBAC7D,OAAO,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,KAAK;gBACzC,QAAQ;aACT,CAAC,CAAC;YACH,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,WAAW,CACf,OAAe,EACf,QAAgB,EAChB,MAAgB;QAEhB,MAAM,SAAS,GAAG,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;QAC1C,MAAM,GAAG,GAAG,kBAAkB,OAAO,aAAa,QAAQ,WAAW,SAAS,EAAE,CAAC;QAEjF,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAEtC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,iCAAiC,EAAE;YACpD,OAAO,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,KAAK;YACzC,QAAQ;YACR,MAAM;YACN,SAAS;SACV,CAAC,CAAC;IACL,CAAC;IAED;;;;;;;;OAQG;IACK,UAAU,CAAC,MAAgB;QACjC,8CAA8C;QAC9C,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAEvC,iEAAiE;QACjE,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;QAClC,MAAM,KAAK,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QACrC,MAAM,SAAS,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,qBAAqB;QAE3D,OAAO,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,GAAG,SAAS,CAAC,CAAC;aAC3C,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;aACnB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;aACnB,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;IACvB,CAAC;CACF"}

package/dist/services/oauth-service.d.ts

@@ -0,0 +1,66 @@
+/**
+ * OAuth Service
+ *
+ * Handles OAuth token exchange and refresh using PKCE (Proof Key for Code Exchange).
+ * Supports both direct PKCE exchange with OAuth providers and proxy mode via AgentShield.
+ *
+ * @package @kya-os/mcp-i-cloudflare
+ */
+import type { OAuthConfigService } from "@kya-os/mcp-i-core";
+import type { IdpTokens } from "@kya-os/contracts/config";
+export interface OAuthServiceConfig {
+    /** OAuth config service for fetching provider configurations */
+    configService: OAuthConfigService;
+    /** Project ID for fetching OAuth config */
+    projectId: string;
+    /** Optional logger callback for diagnostics */
+    logger?: (message: string, data?: unknown) => void;
+}
+/**
+ * Service for OAuth token exchange and refresh
+ */
+export declare class OAuthService {
+    private config;
+    constructor(config: OAuthServiceConfig);
+    /**
+     * Exchange authorization code for IDP tokens using PKCE
+     *
+     * For PKCE providers: Exchanges code directly with OAuth provider (no client secret)
+     * For proxy mode: Exchanges code via AgentShield API
+     *
+     * @param provider - OAuth provider name (e.g., "github", "google")
+     * @param code - Authorization code from OAuth callback
+     * @param codeVerifier - PKCE code verifier (must match code_challenge from authorization)
+     * @param redirectUri - Redirect URI used in authorization request
+     * @returns IDP tokens (access_token, refresh_token, expires_at, etc.)
+     */
+    exchangeToken(provider: string, code: string, codeVerifier: string, redirectUri: string): Promise<IdpTokens>;
+    /**
+     * Exchange token directly with OAuth provider using PKCE
+     */
+    private exchangeTokenPKCE;
+    /**
+     * Exchange token via AgentShield proxy (for providers that require proxy mode)
+     */
+    private exchangeTokenProxy;
+    /**
+     * Refresh IDP access token using refresh token
+     *
+     * For PKCE providers: Refreshes directly with OAuth provider
+     * For proxy mode: Refreshes via AgentShield API
+     *
+     * @param provider - OAuth provider name
+     * @param refreshToken - Refresh token from previous token exchange
+     * @returns New IDP tokens or null if refresh failed
+     */
+    refreshToken(provider: string, refreshToken: string): Promise<IdpTokens | null>;
+    /**
+     * Refresh token directly with OAuth provider using PKCE
+     */
+    private refreshTokenPKCE;
+    /**
+     * Refresh token via AgentShield proxy
+     */
+    private refreshTokenProxy;
+}
+//# sourceMappingURL=oauth-service.d.ts.map

package/dist/services/oauth-service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-service.d.ts","sourceRoot":"","sources":["../../src/services/oauth-service.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAC7D,OAAO,KAAK,EAAE,SAAS,EAAiB,MAAM,0BAA0B,CAAC;AAEzE,MAAM,WAAW,kBAAkB;IACjC,gEAAgE;IAChE,aAAa,EAAE,kBAAkB,CAAC;IAElC,2CAA2C;IAC3C,SAAS,EAAE,MAAM,CAAC;IAElB,+CAA+C;IAC/C,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,OAAO,KAAK,IAAI,CAAC;CACpD;AAED;;GAEG;AACH,qBAAa,YAAY;IACvB,OAAO,CAAC,MAAM,CAEZ;gBAEU,MAAM,EAAE,kBAAkB;IAQtC;;;;;;;;;;;OAWG;IACG,aAAa,CACjB,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,EACZ,YAAY,EAAE,MAAM,EACpB,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,SAAS,CAAC;IA2CrB;;OAEG;YACW,iBAAiB;IA8E/B;;OAEG;YACW,kBAAkB;IAiBhC;;;;;;;;;OASG;IACG,YAAY,CAChB,QAAQ,EAAE,MAAM,EAChB,YAAY,EAAE,MAAM,GACnB,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC;IA2B5B;;OAEG;YACW,gBAAgB;IAiE9B;;OAEG;YACW,iBAAiB;CAShC"}

package/dist/services/oauth-service.js

@@ -0,0 +1,223 @@
+/**
+ * OAuth Service
+ *
+ * Handles OAuth token exchange and refresh using PKCE (Proof Key for Code Exchange).
+ * Supports both direct PKCE exchange with OAuth providers and proxy mode via AgentShield.
+ *
+ * @package @kya-os/mcp-i-cloudflare
+ */
+/**
+ * Service for OAuth token exchange and refresh
+ */
+export class OAuthService {
+    config;
+    constructor(config) {
+        this.config = {
+            configService: config.configService,
+            projectId: config.projectId,
+            logger: config.logger || (() => { }),
+        };
+    }
+    /**
+     * Exchange authorization code for IDP tokens using PKCE
+     *
+     * For PKCE providers: Exchanges code directly with OAuth provider (no client secret)
+     * For proxy mode: Exchanges code via AgentShield API
+     *
+     * @param provider - OAuth provider name (e.g., "github", "google")
+     * @param code - Authorization code from OAuth callback
+     * @param codeVerifier - PKCE code verifier (must match code_challenge from authorization)
+     * @param redirectUri - Redirect URI used in authorization request
+     * @returns IDP tokens (access_token, refresh_token, expires_at, etc.)
+     */
+    async exchangeToken(provider, code, codeVerifier, redirectUri) {
+        // Fetch provider config
+        const oauthConfig = await this.config.configService.getOAuthConfig(this.config.projectId);
+        const providerConfig = oauthConfig.providers[provider];
+        if (!providerConfig) {
+            throw new Error(`Provider "${provider}" not configured for project "${this.config.projectId}"`);
+        }
+        // Check if provider supports PKCE
+        if (!providerConfig.supportsPKCE) {
+            throw new Error(`Provider "${provider}" does not support PKCE. Only PKCE providers are supported in Phase 1.`);
+        }
+        // For PKCE providers, exchange directly with OAuth provider
+        if (providerConfig.supportsPKCE && !providerConfig.proxyMode) {
+            return this.exchangeTokenPKCE(providerConfig, code, codeVerifier, redirectUri);
+        }
+        // For proxy mode, exchange via AgentShield
+        if (providerConfig.proxyMode) {
+            return this.exchangeTokenProxy(providerConfig, code, codeVerifier, redirectUri);
+        }
+        throw new Error(`Provider "${provider}" configuration is invalid: must support PKCE or use proxy mode`);
+    }
+    /**
+     * Exchange token directly with OAuth provider using PKCE
+     */
+    async exchangeTokenPKCE(providerConfig, code, codeVerifier, redirectUri) {
+        this.config.logger("[OAuthService] Exchanging token with PKCE", {
+            provider: providerConfig.authorizationUrl,
+            tokenUrl: providerConfig.tokenUrl,
+        });
+        const response = await fetch(providerConfig.tokenUrl, {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/x-www-form-urlencoded",
+                Accept: "application/json",
+            },
+            body: new URLSearchParams({
+                grant_type: "authorization_code",
+                code,
+                redirect_uri: redirectUri,
+                client_id: providerConfig.clientId,
+                code_verifier: codeVerifier,
+            }),
+        });
+        if (!response.ok) {
+            const errorText = await response.text().catch(() => "Unknown error");
+            let errorData;
+            try {
+                errorData = JSON.parse(errorText);
+            }
+            catch {
+                errorData = { error: errorText };
+            }
+            const errorMessage = errorData.error_description || errorData.error || errorText;
+            this.config.logger("[OAuthService] Token exchange failed", {
+                status: response.status,
+                error: errorMessage,
+                provider: providerConfig.tokenUrl,
+            });
+            throw new Error(`Token exchange failed: ${errorMessage} (${response.status})`);
+        }
+        const tokens = await response.json();
+        // Validate required fields
+        if (!tokens.access_token) {
+            throw new Error("Token response missing access_token");
+        }
+        // Calculate expiration timestamp
+        const expiresIn = tokens.expires_in || 3600; // Default 1 hour
+        const expiresAt = Date.now() + expiresIn * 1000;
+        const idpTokens = {
+            access_token: tokens.access_token,
+            refresh_token: tokens.refresh_token,
+            expires_in: expiresIn,
+            expires_at: expiresAt,
+            token_type: tokens.token_type || "Bearer",
+            scope: tokens.scope,
+        };
+        this.config.logger("[OAuthService] Token exchange successful", {
+            provider: providerConfig.tokenUrl,
+            expiresAt: new Date(expiresAt).toISOString(),
+            hasRefreshToken: !!idpTokens.refresh_token,
+        });
+        return idpTokens;
+    }
+    /**
+     * Exchange token via AgentShield proxy (for providers that require proxy mode)
+     */
+    async exchangeTokenProxy(providerConfig, code, codeVerifier, redirectUri) {
+        // Get AgentShield API URL from config service
+        const oauthConfig = await this.config.configService.getOAuthConfig(this.config.projectId);
+        // Note: We need access to baseUrl and apiKey from configService
+        // For now, this is a placeholder - will need to pass these through config
+        throw new Error("Proxy mode token exchange not yet implemented. Use PKCE mode for Phase 1.");
+    }
+    /**
+     * Refresh IDP access token using refresh token
+     *
+     * For PKCE providers: Refreshes directly with OAuth provider
+     * For proxy mode: Refreshes via AgentShield API
+     *
+     * @param provider - OAuth provider name
+     * @param refreshToken - Refresh token from previous token exchange
+     * @returns New IDP tokens or null if refresh failed
+     */
+    async refreshToken(provider, refreshToken) {
+        // Fetch provider config
+        const oauthConfig = await this.config.configService.getOAuthConfig(this.config.projectId);
+        const providerConfig = oauthConfig.providers[provider];
+        if (!providerConfig) {
+            this.config.logger("[OAuthService] Provider not found for refresh", {
+                provider,
+            });
+            return null;
+        }
+        // For PKCE providers, refresh directly with OAuth provider
+        if (providerConfig.supportsPKCE && !providerConfig.proxyMode) {
+            return this.refreshTokenPKCE(providerConfig, refreshToken);
+        }
+        // For proxy mode, refresh via AgentShield
+        if (providerConfig.proxyMode) {
+            return this.refreshTokenProxy(providerConfig, refreshToken);
+        }
+        return null;
+    }
+    /**
+     * Refresh token directly with OAuth provider using PKCE
+     */
+    async refreshTokenPKCE(providerConfig, refreshToken) {
+        this.config.logger("[OAuthService] Refreshing token with PKCE", {
+            provider: providerConfig.tokenUrl,
+        });
+        try {
+            const response = await fetch(providerConfig.tokenUrl, {
+                method: "POST",
+                headers: {
+                    "Content-Type": "application/x-www-form-urlencoded",
+                    Accept: "application/json",
+                },
+                body: new URLSearchParams({
+                    grant_type: "refresh_token",
+                    refresh_token: refreshToken,
+                    client_id: providerConfig.clientId,
+                }),
+            });
+            if (!response.ok) {
+                this.config.logger("[OAuthService] Token refresh failed", {
+                    status: response.status,
+                    provider: providerConfig.tokenUrl,
+                });
+                return null;
+            }
+            const tokens = await response.json();
+            if (!tokens.access_token) {
+                this.config.logger("[OAuthService] Token refresh response missing access_token");
+                return null;
+            }
+            // Calculate expiration timestamp
+            const expiresIn = tokens.expires_in || 3600; // Default 1 hour
+            const expiresAt = Date.now() + expiresIn * 1000;
+            const idpTokens = {
+                access_token: tokens.access_token,
+                refresh_token: tokens.refresh_token || refreshToken, // Use new refresh token if provided, otherwise keep old one
+                expires_in: expiresIn,
+                expires_at: expiresAt,
+                token_type: tokens.token_type || "Bearer",
+                scope: tokens.scope,
+            };
+            this.config.logger("[OAuthService] Token refresh successful", {
+                provider: providerConfig.tokenUrl,
+                expiresAt: new Date(expiresAt).toISOString(),
+            });
+            return idpTokens;
+        }
+        catch (error) {
+            this.config.logger("[OAuthService] Token refresh error", {
+                error: error instanceof Error ? error.message : String(error),
+                provider: providerConfig.tokenUrl,
+            });
+            return null;
+        }
+    }
+    /**
+     * Refresh token via AgentShield proxy
+     */
+    async refreshTokenProxy(providerConfig, refreshToken) {
+        // Placeholder for proxy mode refresh
+        // Will need access to AgentShield API URL and key
+        this.config.logger("[OAuthService] Proxy mode refresh not yet implemented");
+        return null;
+    }
+}
+//# sourceMappingURL=oauth-service.js.map

package/dist/services/oauth-service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-service.js","sourceRoot":"","sources":["../../src/services/oauth-service.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAgBH;;GAEG;AACH,MAAM,OAAO,YAAY;IACf,MAAM,CAEZ;IAEF,YAAY,MAA0B;QACpC,IAAI,CAAC,MAAM,GAAG;YACZ,aAAa,EAAE,MAAM,CAAC,aAAa;YACnC,SAAS,EAAE,MAAM,CAAC,SAAS;YAC3B,MAAM,EAAE,MAAM,CAAC,MAAM,IAAI,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC;SACpC,CAAC;IACJ,CAAC;IAED;;;;;;;;;;;OAWG;IACH,KAAK,CAAC,aAAa,CACjB,QAAgB,EAChB,IAAY,EACZ,YAAoB,EACpB,WAAmB;QAEnB,wBAAwB;QACxB,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,cAAc,CAChE,IAAI,CAAC,MAAM,CAAC,SAAS,CACtB,CAAC;QACF,MAAM,cAAc,GAAG,WAAW,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;QAEvD,IAAI,CAAC,cAAc,EAAE,CAAC;YACpB,MAAM,IAAI,KAAK,CAAC,aAAa,QAAQ,iCAAiC,IAAI,CAAC,MAAM,CAAC,SAAS,GAAG,CAAC,CAAC;QAClG,CAAC;QAED,kCAAkC;QAClC,IAAI,CAAC,cAAc,CAAC,YAAY,EAAE,CAAC;YACjC,MAAM,IAAI,KAAK,CACb,aAAa,QAAQ,wEAAwE,CAC9F,CAAC;QACJ,CAAC;QAED,4DAA4D;QAC5D,IAAI,cAAc,CAAC,YAAY,IAAI,CAAC,cAAc,CAAC,SAAS,EAAE,CAAC;YAC7D,OAAO,IAAI,CAAC,iBAAiB,CAC3B,cAAc,EACd,IAAI,EACJ,YAAY,EACZ,WAAW,CACZ,CAAC;QACJ,CAAC;QAED,2CAA2C;QAC3C,IAAI,cAAc,CAAC,SAAS,EAAE,CAAC;YAC7B,OAAO,IAAI,CAAC,kBAAkB,CAC5B,cAAc,EACd,IAAI,EACJ,YAAY,EACZ,WAAW,CACZ,CAAC;QACJ,CAAC;QAED,MAAM,IAAI,KAAK,CACb,aAAa,QAAQ,iEAAiE,CACvF,CAAC;IACJ,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,iBAAiB,CAC7B,cAA6B,EAC7B,IAAY,EACZ,YAAoB,EACpB,WAAmB;QAEnB,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,2CAA2C,EAAE;YAC9D,QAAQ,EAAE,cAAc,CAAC,gBAAgB;YACzC,QAAQ,EAAE,cAAc,CAAC,QAAQ;SAClC,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,cAAc,CAAC,QAAQ,EAAE;YACpD,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,mCAAmC;gBACnD,MAAM,EAAE,kBAAkB;aAC3B;YACD,IAAI,EAAE,IAAI,eAAe,CAAC;gBACxB,UAAU,EAAE,oBAAoB;gBAChC,IAAI;gBACJ,YAAY,EAAE,WAAW;gBACzB,SAAS,EAAE,cAAc,CAAC,QAAQ;gBAClC,aAAa,EAAE,YAAY;aAC5B,CAAC;SACH,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,eAAe,CAAC,CAAC;YACrE,IAAI,SAAc,CAAC;YACnB,IAAI,CAAC;gBACH,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;YACpC,CAAC;YAAC,MAAM,CAAC;gBACP,SAAS,GAAG,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC;YACnC,CAAC;YAED,MAAM,YAAY,GAChB,SAAS,CAAC,iBAAiB,IAAI,SAAS,CAAC,KAAK,IAAI,SAAS,CAAC;YAE9D,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,sCAAsC,EAAE;gBACzD,MAAM,EAAE,QAAQ,CAAC,MAAM;gBACvB,KAAK,EAAE,YAAY;gBACnB,QAAQ,EAAE,cAAc,CAAC,QAAQ;aAClC,CAAC,CAAC;YAEH,MAAM,IAAI,KAAK,CACb,0BAA0B,YAAY,KAAK,QAAQ,CAAC,MAAM,GAAG,CAC9D,CAAC;QACJ,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QAErC,2BAA2B;QAC3B,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,CAAC;YACzB,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;QACzD,CAAC;QAED,iCAAiC;QACjC,MAAM,SAAS,GAAG,MAAM,CAAC,UAAU,IAAI,IAAI,CAAC,CAAC,iBAAiB;QAC9D,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,GAAG,IAAI,CAAC;QAEhD,MAAM,SAAS,GAAc;YAC3B,YAAY,EAAE,MAAM,CAAC,YAAY;YACjC,aAAa,EAAE,MAAM,CAAC,aAAa;YACnC,UAAU,EAAE,SAAS;YACrB,UAAU,EAAE,SAAS;YACrB,UAAU,EAAE,MAAM,CAAC,UAAU,IAAI,QAAQ;YACzC,KAAK,EAAE,MAAM,CAAC,KAAK;SACpB,CAAC;QAEF,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,0CAA0C,EAAE;YAC7D,QAAQ,EAAE,cAAc,CAAC,QAAQ;YACjC,SAAS,EAAE,IAAI,IAAI,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE;YAC5C,eAAe,EAAE,CAAC,CAAC,SAAS,CAAC,aAAa;SAC3C,CAAC,CAAC;QAEH,OAAO,SAAS,CAAC;IACnB,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,kBAAkB,CAC9B,cAA6B,EAC7B,IAAY,EACZ,YAAoB,EACpB,WAAmB;QAEnB,8CAA8C;QAC9C,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,cAAc,CAChE,IAAI,CAAC,MAAM,CAAC,SAAS,CACtB,CAAC;QACF,gEAAgE;QAChE,0EAA0E;QAC1E,MAAM,IAAI,KAAK,CACb,2EAA2E,CAC5E,CAAC;IACJ,CAAC;IAED;;;;;;;;;OASG;IACH,KAAK,CAAC,YAAY,CAChB,QAAgB,EAChB,YAAoB;QAEpB,wBAAwB;QACxB,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,cAAc,CAChE,IAAI,CAAC,MAAM,CAAC,SAAS,CACtB,CAAC;QACF,MAAM,cAAc,GAAG,WAAW,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;QAEvD,IAAI,CAAC,cAAc,EAAE,CAAC;YACpB,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,+CAA+C,EAAE;gBAClE,QAAQ;aACT,CAAC,CAAC;YACH,OAAO,IAAI,CAAC;QACd,CAAC;QAED,2DAA2D;QAC3D,IAAI,cAAc,CAAC,YAAY,IAAI,CAAC,cAAc,CAAC,SAAS,EAAE,CAAC;YAC7D,OAAO,IAAI,CAAC,gBAAgB,CAAC,cAAc,EAAE,YAAY,CAAC,CAAC;QAC7D,CAAC;QAED,0CAA0C;QAC1C,IAAI,cAAc,CAAC,SAAS,EAAE,CAAC;YAC7B,OAAO,IAAI,CAAC,iBAAiB,CAAC,cAAc,EAAE,YAAY,CAAC,CAAC;QAC9D,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,gBAAgB,CAC5B,cAA6B,EAC7B,YAAoB;QAEpB,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,2CAA2C,EAAE;YAC9D,QAAQ,EAAE,cAAc,CAAC,QAAQ;SAClC,CAAC,CAAC;QAEH,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,cAAc,CAAC,QAAQ,EAAE;gBACpD,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE;oBACP,cAAc,EAAE,mCAAmC;oBACnD,MAAM,EAAE,kBAAkB;iBAC3B;gBACD,IAAI,EAAE,IAAI,eAAe,CAAC;oBACxB,UAAU,EAAE,eAAe;oBAC3B,aAAa,EAAE,YAAY;oBAC3B,SAAS,EAAE,cAAc,CAAC,QAAQ;iBACnC,CAAC;aACH,CAAC,CAAC;YAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,qCAAqC,EAAE;oBACxD,MAAM,EAAE,QAAQ,CAAC,MAAM;oBACvB,QAAQ,EAAE,cAAc,CAAC,QAAQ;iBAClC,CAAC,CAAC;gBACH,OAAO,IAAI,CAAC;YACd,CAAC;YAED,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;YAErC,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,CAAC;gBACzB,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,4DAA4D,CAAC,CAAC;gBACjF,OAAO,IAAI,CAAC;YACd,CAAC;YAED,iCAAiC;YACjC,MAAM,SAAS,GAAG,MAAM,CAAC,UAAU,IAAI,IAAI,CAAC,CAAC,iBAAiB;YAC9D,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,GAAG,IAAI,CAAC;YAEhD,MAAM,SAAS,GAAc;gBAC3B,YAAY,EAAE,MAAM,CAAC,YAAY;gBACjC,aAAa,EAAE,MAAM,CAAC,aAAa,IAAI,YAAY,EAAE,4DAA4D;gBACjH,UAAU,EAAE,SAAS;gBACrB,UAAU,EAAE,SAAS;gBACrB,UAAU,EAAE,MAAM,CAAC,UAAU,IAAI,QAAQ;gBACzC,KAAK,EAAE,MAAM,CAAC,KAAK;aACpB,CAAC;YAEF,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,yCAAyC,EAAE;gBAC5D,QAAQ,EAAE,cAAc,CAAC,QAAQ;gBACjC,SAAS,EAAE,IAAI,IAAI,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE;aAC7C,CAAC,CAAC;YAEH,OAAO,SAAS,CAAC;QACnB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,oCAAoC,EAAE;gBACvD,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;gBAC7D,QAAQ,EAAE,cAAc,CAAC,QAAQ;aAClC,CAAC,CAAC;YACH,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,iBAAiB,CAC7B,cAA6B,EAC7B,YAAoB;QAEpB,qCAAqC;QACrC,kDAAkD;QAClD,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,uDAAuD,CAAC,CAAC;QAC5E,OAAO,IAAI,CAAC;IACd,CAAC;CACF"}

package/dist/services/proof.service.d.ts

@@ -6,16 +6,18 @@
  *
  * Supports both direct submission and batch queue submission.
  */
-import type { DetachedProof } from '@kya-os/contracts/proof';
-import type { CloudflareRuntimeConfig } from '../config';
-import type { CloudflareRuntime } from '../runtime';
+import type { DetachedProof } from "@kya-os/contracts/proof";
+import type { ConsentEventContext } from "@kya-os/contracts/agentshield-api";
+import type { CloudflareRuntimeConfig } from "../config";
+import type { CloudflareRuntime } from "../runtime";
 export interface ProofSubmissionContext {
     session: {
         id: string;
     };
-    toolName: string;
-    args: Record<string, unknown>;
-    result: unknown;
+    toolName?: string;
+    args?: Record<string, unknown>;
+    result?: unknown;
+    consentEvent?: ConsentEventContext;
     mcpServerUrl?: string;
 }
 export declare class ProofService {

package/dist/services/proof.service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"proof.service.d.ts","sourceRoot":"","sources":["../../src/services/proof.service.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,yBAAyB,CAAC;AAE7D,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,WAAW,CAAC;AACzD,OAAO,KAAK,EAAE,iBAAiB,EAAmB,MAAM,YAAY,CAAC;AAIrE,MAAM,WAAW,sBAAsB;IACrC,OAAO,EAAE;QAAE,EAAE,EAAE,MAAM,CAAA;KAAE,CAAC;IACxB,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC9B,MAAM,EAAE,OAAO,CAAC;IAChB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,qBAAa,YAAY;IACvB,OAAO,CAAC,MAAM,CAA0B;IACxC,OAAO,CAAC,OAAO,CAAC,CAAoB;IACpC,OAAO,CAAC,UAAU,CAAC,CAAkB;IACrC,OAAO,CAAC,mBAAmB,CAAS;gBAExB,MAAM,EAAE,uBAAuB,EAAE,OAAO,CAAC,EAAE,iBAAiB;IAqFxE;;;;;;;;;OASG;IACG,WAAW,CACf,KAAK,EAAE,aAAa,EACpB,OAAO,EAAE,sBAAsB,GAC9B,OAAO,CAAC,IAAI,CAAC;IA0ChB;;OAEG;YACW,iBAAiB;IA2M/B;;;;;;;;;;;;;;;;;;;;;;;;OAwBG;IACG,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;CAQ7B"}
+{"version":3,"file":"proof.service.d.ts","sourceRoot":"","sources":["../../src/services/proof.service.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,yBAAyB,CAAC;AAC7D,OAAO,KAAK,EAEV,mBAAmB,EACpB,MAAM,mCAAmC,CAAC;AAC3C,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,WAAW,CAAC;AACzD,OAAO,KAAK,EAAE,iBAAiB,EAAmB,MAAM,YAAY,CAAC;AAQrE,MAAM,WAAW,sBAAsB;IACrC,OAAO,EAAE;QAAE,EAAE,EAAE,MAAM,CAAA;KAAE,CAAC;IAGxB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC/B,MAAM,CAAC,EAAE,OAAO,CAAC;IAEjB,YAAY,CAAC,EAAE,mBAAmB,CAAC;IAEnC,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,qBAAa,YAAY;IACvB,OAAO,CAAC,MAAM,CAA0B;IACxC,OAAO,CAAC,OAAO,CAAC,CAAoB;IACpC,OAAO,CAAC,UAAU,CAAC,CAAkB;IACrC,OAAO,CAAC,mBAAmB,CAAS;gBAExB,MAAM,EAAE,uBAAuB,EAAE,OAAO,CAAC,EAAE,iBAAiB;IAmHxE;;;;;;;;;OASG;IACG,WAAW,CACf,KAAK,EAAE,aAAa,EACpB,OAAO,EAAE,sBAAsB,GAC9B,OAAO,CAAC,IAAI,CAAC;IAiDhB;;OAEG;YACW,iBAAiB;IAkS/B;;;;;;;;;;;;;;;;;;;;;;;;OAwBG;IACG,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;CAQ7B"}