@kya-os/mcp-i-cloudflare 1.5.8-canary.1 → 1.5.8-canary.10

package/dist/services/consent-audit.service.d.ts

@@ -0,0 +1,91 @@
+/**
+ * Consent Audit Service
+ *
+ * Handles audit logging for consent-related events.
+ * These events bypass session deduplication to allow multiple events per session.
+ */
+import type { ProofService } from './proof.service';
+import type { AuditLogger } from '@kya-os/mcp-i/runtime';
+import { CloudflareProofGenerator } from '../proof-generator';
+import type { CloudflareRuntimeConfig } from '../config';
+import type { CloudflareRuntime } from '../runtime';
+export declare class ConsentAuditService {
+    private proofService;
+    private auditLogger;
+    private proofGenerator;
+    private config;
+    private runtime;
+    private logger;
+    constructor(proofService: ProofService, auditLogger: AuditLogger, proofGenerator: CloudflareProofGenerator, config: CloudflareRuntimeConfig, runtime: CloudflareRuntime);
+    /**
+     * Create a minimal SessionContext for audit logging
+     * Only sessionId and audience are used by logEvent, but TypeScript requires full SessionContext
+     */
+    private createSessionContext;
+    /**
+     * Log consent page view event
+     */
+    logConsentPageView(event: {
+        sessionId: string;
+        agentDid: string;
+        targetTools: string[];
+        scopes: string[];
+        projectId: string;
+    }): Promise<void>;
+    /**
+     * Log consent approval event
+     */
+    logConsentApproval(event: {
+        sessionId: string;
+        userDid?: string;
+        agentDid: string;
+        targetTools: string[];
+        scopes: string[];
+        delegationId: string;
+        projectId: string;
+        termsAccepted: boolean;
+        oauthIdentity?: {
+            provider: string;
+            identifier: string;
+        };
+    }): Promise<void>;
+    /**
+     * Log when user needs credentials before delegation
+     */
+    logCredentialRequired(event: {
+        sessionId: string;
+        agentDid: string;
+        targetTools: string[];
+        scopes: string[];
+        projectId: string;
+        oauthProvider?: string;
+    }): Promise<void>;
+    /**
+     * Log delegation creation
+     */
+    logDelegationCreated(event: {
+        sessionId: string;
+        delegationId: string;
+        agentDid: string;
+        userDid?: string;
+        targetTools: string[];
+        scopes: string[];
+        projectId: string;
+    }): Promise<void>;
+    /**
+     * Generate proof for consent event
+     *
+     * IMPORTANT: Consent events use synthetic canonical request/response forms
+     * since they represent system events, not actual HTTP requests. The MCP-I
+     * proof spec allows synthetic forms for system-generated events that don't
+     * correspond to actual HTTP requests.
+     *
+     * ✅ FIXED: Added nonce generation, fixed SessionContext structure
+     */
+    private generateConsentProof;
+    /**
+     * Get server's actual identity (NO FALLBACK)
+     */
+    private getServerIdentity;
+}
+//# sourceMappingURL=consent-audit.service.d.ts.map

package/dist/services/consent-audit.service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"consent-audit.service.d.ts","sourceRoot":"","sources":["../../src/services/consent-audit.service.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AACpD,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AACzD,OAAO,EAAE,wBAAwB,EAAE,MAAM,oBAAoB,CAAC;AAI9D,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,WAAW,CAAC;AACzD,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAGpD,qBAAa,mBAAmB;IAS5B,OAAO,CAAC,YAAY;IACpB,OAAO,CAAC,WAAW;IACnB,OAAO,CAAC,cAAc;IACtB,OAAO,CAAC,MAAM;IACd,OAAO,CAAC,OAAO;IAZjB,OAAO,CAAC,MAAM,CAKZ;gBAGQ,YAAY,EAAE,YAAY,EAC1B,WAAW,EAAE,WAAW,EACxB,cAAc,EAAE,wBAAwB,EACxC,MAAM,EAAE,uBAAuB,EAC/B,OAAO,EAAE,iBAAiB;IAGpC;;;OAGG;IACH,OAAO,CAAC,oBAAoB;IAe5B;;OAEG;IACG,kBAAkB,CAAC,KAAK,EAAE;QAC9B,SAAS,EAAE,MAAM,CAAC;QAClB,QAAQ,EAAE,MAAM,CAAC;QACjB,WAAW,EAAE,MAAM,EAAE,CAAC;QACtB,MAAM,EAAE,MAAM,EAAE,CAAC;QACjB,SAAS,EAAE,MAAM,CAAC;KACnB,GAAG,OAAO,CAAC,IAAI,CAAC;IA6BjB;;OAEG;IACG,kBAAkB,CAAC,KAAK,EAAE;QAC9B,SAAS,EAAE,MAAM,CAAC;QAClB,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,QAAQ,EAAE,MAAM,CAAC;QACjB,WAAW,EAAE,MAAM,EAAE,CAAC;QACtB,MAAM,EAAE,MAAM,EAAE,CAAC;QACjB,YAAY,EAAE,MAAM,CAAC;QACrB,SAAS,EAAE,MAAM,CAAC;QAClB,aAAa,EAAE,OAAO,CAAC;QACvB,aAAa,CAAC,EAAE;YAAE,QAAQ,EAAE,MAAM,CAAC;YAAC,UAAU,EAAE,MAAM,CAAA;SAAE,CAAC;KAC1D,GAAG,OAAO,CAAC,IAAI,CAAC;IAiCjB;;OAEG;IACG,qBAAqB,CAAC,KAAK,EAAE;QACjC,SAAS,EAAE,MAAM,CAAC;QAClB,QAAQ,EAAE,MAAM,CAAC;QACjB,WAAW,EAAE,MAAM,EAAE,CAAC;QACtB,MAAM,EAAE,MAAM,EAAE,CAAC;QACjB,SAAS,EAAE,MAAM,CAAC;QAClB,aAAa,CAAC,EAAE,MAAM,CAAC;KACxB,GAAG,OAAO,CAAC,IAAI,CAAC;IAkCjB;;OAEG;IACG,oBAAoB,CAAC,KAAK,EAAE;QAChC,SAAS,EAAE,MAAM,CAAC;QAClB,YAAY,EAAE,MAAM,CAAC;QACrB,QAAQ,EAAE,MAAM,CAAC;QACjB,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,WAAW,EAAE,MAAM,EAAE,CAAC;QACtB,MAAM,EAAE,MAAM,EAAE,CAAC;QACjB,SAAS,EAAE,MAAM,CAAC;KACnB,GAAG,OAAO,CAAC,IAAI,CAAC;IA+BjB;;;;;;;;;OASG;YACW,oBAAoB;IAuDlC;;OAEG;YACW,iBAAiB;CAkBhC"}

package/dist/services/consent-audit.service.js

@@ -0,0 +1,241 @@
+/**
+ * Consent Audit Service
+ *
+ * Handles audit logging for consent-related events.
+ * These events bypass session deduplication to allow multiple events per session.
+ */
+export class ConsentAuditService {
+    proofService;
+    auditLogger;
+    proofGenerator;
+    config;
+    runtime;
+    logger = {
+        error: (message, meta) => {
+            console.error(`[ConsentAuditService] ${message}`, meta);
+            // TODO: Send to error tracking service
+        }
+    };
+    constructor(proofService, auditLogger, proofGenerator, config, runtime // REQUIRED for identity
+    ) {
+        this.proofService = proofService;
+        this.auditLogger = auditLogger;
+        this.proofGenerator = proofGenerator;
+        this.config = config;
+        this.runtime = runtime;
+    }
+    /**
+     * Create a minimal SessionContext for audit logging
+     * Only sessionId and audience are used by logEvent, but TypeScript requires full SessionContext
+     */
+    createSessionContext(sessionId) {
+        const now = Math.floor(Date.now() / 1000);
+        // Audience is typically from the handshake, but for consent events we use a default
+        const audience = "https://kya.vouched.id";
+        return {
+            sessionId,
+            audience,
+            nonce: '', // Not used by logEvent, but required by type
+            timestamp: now,
+            createdAt: now,
+            lastActivity: now,
+            ttlMinutes: 30,
+        };
+    }
+    /**
+     * Log consent page view event
+     */
+    async logConsentPageView(event) {
+        const timestamp = Date.now();
+        const identity = await this.getServerIdentity();
+        // Log to audit system (bypasses session deduplication)
+        await this.auditLogger.logEvent({
+            eventType: "consent:page_viewed",
+            identity,
+            session: this.createSessionContext(event.sessionId),
+            eventData: event
+        });
+        // Generate proof for dashboard
+        const proof = await this.generateConsentProof("consent:page_viewed", event, timestamp);
+        await this.proofService.submitProof(proof, {
+            session: { id: event.sessionId },
+            consentEvent: {
+                eventType: "consent:page_viewed",
+                timestamp,
+                sessionId: event.sessionId,
+                agentDid: event.agentDid,
+                targetTools: event.targetTools,
+                scopes: event.scopes,
+                projectId: event.projectId
+            }
+        });
+    }
+    /**
+     * Log consent approval event
+     */
+    async logConsentApproval(event) {
+        const timestamp = Date.now();
+        const identity = await this.getServerIdentity();
+        // Log to audit system
+        await this.auditLogger.logEvent({
+            eventType: "consent:approved",
+            identity,
+            session: this.createSessionContext(event.sessionId),
+            eventData: event
+        });
+        // Generate proof
+        const proof = await this.generateConsentProof("consent:approved", event, timestamp);
+        await this.proofService.submitProof(proof, {
+            session: { id: event.sessionId },
+            consentEvent: {
+                eventType: "consent:approved",
+                timestamp,
+                sessionId: event.sessionId,
+                userDid: event.userDid,
+                agentDid: event.agentDid,
+                targetTools: event.targetTools,
+                scopes: event.scopes,
+                delegationId: event.delegationId,
+                projectId: event.projectId,
+                termsAccepted: event.termsAccepted,
+                oauthIdentity: event.oauthIdentity
+            }
+        });
+    }
+    /**
+     * Log when user needs credentials before delegation
+     */
+    async logCredentialRequired(event) {
+        const timestamp = Date.now();
+        const identity = await this.getServerIdentity();
+        // Log to audit system
+        await this.auditLogger.logEvent({
+            eventType: "consent:credential_required",
+            identity,
+            session: this.createSessionContext(event.sessionId),
+            eventData: event
+        });
+        // Generate proof
+        const proof = await this.generateConsentProof("consent:credential_required", event, timestamp);
+        await this.proofService.submitProof(proof, {
+            session: { id: event.sessionId },
+            consentEvent: {
+                eventType: "consent:credential_required",
+                timestamp,
+                sessionId: event.sessionId,
+                agentDid: event.agentDid,
+                targetTools: event.targetTools,
+                scopes: event.scopes,
+                projectId: event.projectId,
+                credentialStatus: "required",
+                oauthIdentity: event.oauthProvider ? {
+                    provider: event.oauthProvider,
+                    identifier: ""
+                } : undefined
+            }
+        });
+    }
+    /**
+     * Log delegation creation
+     */
+    async logDelegationCreated(event) {
+        const timestamp = Date.now();
+        const identity = await this.getServerIdentity();
+        // Log to audit system
+        await this.auditLogger.logEvent({
+            eventType: "consent:delegation_created",
+            identity,
+            session: this.createSessionContext(event.sessionId),
+            eventData: event
+        });
+        // Generate proof
+        const proof = await this.generateConsentProof("consent:delegation_created", event, timestamp);
+        await this.proofService.submitProof(proof, {
+            session: { id: event.sessionId },
+            consentEvent: {
+                eventType: "consent:delegation_created",
+                timestamp,
+                sessionId: event.sessionId,
+                delegationId: event.delegationId,
+                agentDid: event.agentDid,
+                userDid: event.userDid,
+                targetTools: event.targetTools,
+                scopes: event.scopes,
+                projectId: event.projectId
+            }
+        });
+    }
+    /**
+     * Generate proof for consent event
+     *
+     * IMPORTANT: Consent events use synthetic canonical request/response forms
+     * since they represent system events, not actual HTTP requests. The MCP-I
+     * proof spec allows synthetic forms for system-generated events that don't
+     * correspond to actual HTTP requests.
+     *
+     * ✅ FIXED: Added nonce generation, fixed SessionContext structure
+     */
+    async generateConsentProof(eventType, event, timestamp) {
+        const identity = await this.getServerIdentity();
+        // ✅ CRITICAL: Generate nonce for this session (REQUIRED by SessionContext)
+        const nonce = await this.runtime.issueNonce(event.sessionId);
+        // Synthetic canonical forms for consent events
+        // Use ToolRequest/ToolResponse format expected by CloudflareProofGenerator
+        const canonicalRequest = {
+            method: "POST",
+            params: {
+                eventType,
+                timestamp,
+                ...event
+            }
+        };
+        const canonicalResponse = {
+            data: {
+                success: true,
+                eventType,
+                timestamp,
+                serverDid: identity.did
+            }
+        };
+        // ✅ FIXED: Build SessionContext with all required fields
+        // ✅ FIXED: Remove agentDid and clientDid from SessionContext (not part of spec)
+        // ✅ FIXED: Move clientDid to ProofOptions
+        const now = Math.floor(Date.now() / 1000);
+        const sessionContext = {
+            sessionId: event.sessionId,
+            nonce, // ✅ REQUIRED - was missing!
+            audience: "https://kya.vouched.id",
+            timestamp: now,
+            createdAt: now,
+            lastActivity: now,
+            ttlMinutes: 30,
+        };
+        return await this.proofGenerator.generateProof(canonicalRequest, canonicalResponse, sessionContext, // Only nonce, audience, sessionId
+        {
+            scopeId: eventType,
+            clientDid: event.userDid // ✅ clientDid belongs in options, not session
+        });
+    }
+    /**
+     * Get server's actual identity (NO FALLBACK)
+     */
+    async getServerIdentity() {
+        if (!this.runtime) {
+            throw new Error("Runtime required for consent audit - cannot use fallback identity");
+        }
+        try {
+            const identity = await this.runtime.getIdentity();
+            if (!identity) {
+                throw new Error("No active identity available");
+            }
+            return identity;
+        }
+        catch (error) {
+            this.logger.error("Failed to get server identity", {
+                error: error instanceof Error ? error.message : String(error)
+            });
+            throw new Error("Server identity required for consent audit logging");
+        }
+    }
+}
+//# sourceMappingURL=consent-audit.service.js.map

package/dist/services/consent-audit.service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"consent-audit.service.js","sourceRoot":"","sources":["../../src/services/consent-audit.service.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAYH,MAAM,OAAO,mBAAmB;IASpB;IACA;IACA;IACA;IACA;IAZF,MAAM,GAAG;QACf,KAAK,EAAE,CAAC,OAAe,EAAE,IAAyB,EAAE,EAAE;YACpD,OAAO,CAAC,KAAK,CAAC,yBAAyB,OAAO,EAAE,EAAE,IAAI,CAAC,CAAC;YACxD,uCAAuC;QACzC,CAAC;KACF,CAAC;IAEF,YACU,YAA0B,EAC1B,WAAwB,EACxB,cAAwC,EACxC,MAA+B,EAC/B,OAA0B,CAAC,wBAAwB;;QAJnD,iBAAY,GAAZ,YAAY,CAAc;QAC1B,gBAAW,GAAX,WAAW,CAAa;QACxB,mBAAc,GAAd,cAAc,CAA0B;QACxC,WAAM,GAAN,MAAM,CAAyB;QAC/B,YAAO,GAAP,OAAO,CAAmB;IACjC,CAAC;IAEJ;;;OAGG;IACK,oBAAoB,CAAC,SAAiB;QAC5C,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,oFAAoF;QACpF,MAAM,QAAQ,GAAG,wBAAwB,CAAC;QAC1C,OAAO;YACL,SAAS;YACT,QAAQ;YACR,KAAK,EAAE,EAAE,EAAE,6CAA6C;YACxD,SAAS,EAAE,GAAG;YACd,SAAS,EAAE,GAAG;YACd,YAAY,EAAE,GAAG;YACjB,UAAU,EAAE,EAAE;SACf,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,kBAAkB,CAAC,KAMxB;QACC,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAC7B,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAEhD,uDAAuD;QACvD,MAAM,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC;YAC9B,SAAS,EAAE,qBAAqB;YAChC,QAAQ;YACR,OAAO,EAAE,IAAI,CAAC,oBAAoB,CAAC,KAAK,CAAC,SAAS,CAAC;YACnD,SAAS,EAAE,KAAK;SACjB,CAAC,CAAC;QAEH,+BAA+B;QAC/B,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,oBAAoB,CAAC,qBAAqB,EAAE,KAAK,EAAE,SAAS,CAAC,CAAC;QAEvF,MAAM,IAAI,CAAC,YAAY,CAAC,WAAW,CAAC,KAAK,EAAE;YACzC,OAAO,EAAE,EAAE,EAAE,EAAE,KAAK,CAAC,SAAS,EAAE;YAChC,YAAY,EAAE;gBACZ,SAAS,EAAE,qBAAqB;gBAChC,SAAS;gBACT,SAAS,EAAE,KAAK,CAAC,SAAS;gBAC1B,QAAQ,EAAE,KAAK,CAAC,QAAQ;gBACxB,WAAW,EAAE,KAAK,CAAC,WAAW;gBAC9B,MAAM,EAAE,KAAK,CAAC,MAAM;gBACpB,SAAS,EAAE,KAAK,CAAC,SAAS;aAC3B;SACF,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,kBAAkB,CAAC,KAUxB;QACC,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAC7B,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAEhD,sBAAsB;QACtB,MAAM,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC;YAC9B,SAAS,EAAE,kBAAkB;YAC7B,QAAQ;YACR,OAAO,EAAE,IAAI,CAAC,oBAAoB,CAAC,KAAK,CAAC,SAAS,CAAC;YACnD,SAAS,EAAE,KAAK;SACjB,CAAC,CAAC;QAEH,iBAAiB;QACjB,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,oBAAoB,CAAC,kBAAkB,EAAE,KAAK,EAAE,SAAS,CAAC,CAAC;QAEpF,MAAM,IAAI,CAAC,YAAY,CAAC,WAAW,CAAC,KAAK,EAAE;YACzC,OAAO,EAAE,EAAE,EAAE,EAAE,KAAK,CAAC,SAAS,EAAE;YAChC,YAAY,EAAE;gBACZ,SAAS,EAAE,kBAAkB;gBAC7B,SAAS;gBACT,SAAS,EAAE,KAAK,CAAC,SAAS;gBAC1B,OAAO,EAAE,KAAK,CAAC,OAAO;gBACtB,QAAQ,EAAE,KAAK,CAAC,QAAQ;gBACxB,WAAW,EAAE,KAAK,CAAC,WAAW;gBAC9B,MAAM,EAAE,KAAK,CAAC,MAAM;gBACpB,YAAY,EAAE,KAAK,CAAC,YAAY;gBAChC,SAAS,EAAE,KAAK,CAAC,SAAS;gBAC1B,aAAa,EAAE,KAAK,CAAC,aAAa;gBAClC,aAAa,EAAE,KAAK,CAAC,aAAa;aACnC;SACF,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,qBAAqB,CAAC,KAO3B;QACC,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAC7B,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAEhD,sBAAsB;QACtB,MAAM,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC;YAC9B,SAAS,EAAE,6BAA6B;YACxC,QAAQ;YACR,OAAO,EAAE,IAAI,CAAC,oBAAoB,CAAC,KAAK,CAAC,SAAS,CAAC;YACnD,SAAS,EAAE,KAAK;SACjB,CAAC,CAAC;QAEH,iBAAiB;QACjB,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,oBAAoB,CAAC,6BAA6B,EAAE,KAAK,EAAE,SAAS,CAAC,CAAC;QAE/F,MAAM,IAAI,CAAC,YAAY,CAAC,WAAW,CAAC,KAAK,EAAE;YACzC,OAAO,EAAE,EAAE,EAAE,EAAE,KAAK,CAAC,SAAS,EAAE;YAChC,YAAY,EAAE;gBACZ,SAAS,EAAE,6BAA6B;gBACxC,SAAS;gBACT,SAAS,EAAE,KAAK,CAAC,SAAS;gBAC1B,QAAQ,EAAE,KAAK,CAAC,QAAQ;gBACxB,WAAW,EAAE,KAAK,CAAC,WAAW;gBAC9B,MAAM,EAAE,KAAK,CAAC,MAAM;gBACpB,SAAS,EAAE,KAAK,CAAC,SAAS;gBAC1B,gBAAgB,EAAE,UAAU;gBAC5B,aAAa,EAAE,KAAK,CAAC,aAAa,CAAC,CAAC,CAAC;oBACnC,QAAQ,EAAE,KAAK,CAAC,aAAa;oBAC7B,UAAU,EAAE,EAAE;iBACf,CAAC,CAAC,CAAC,SAAS;aACd;SACF,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,oBAAoB,CAAC,KAQ1B;QACC,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAC7B,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAEhD,sBAAsB;QACtB,MAAM,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC;YAC9B,SAAS,EAAE,4BAA4B;YACvC,QAAQ;YACR,OAAO,EAAE,IAAI,CAAC,oBAAoB,CAAC,KAAK,CAAC,SAAS,CAAC;YACnD,SAAS,EAAE,KAAK;SACjB,CAAC,CAAC;QAEH,iBAAiB;QACjB,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,oBAAoB,CAAC,4BAA4B,EAAE,KAAK,EAAE,SAAS,CAAC,CAAC;QAE9F,MAAM,IAAI,CAAC,YAAY,CAAC,WAAW,CAAC,KAAK,EAAE;YACzC,OAAO,EAAE,EAAE,EAAE,EAAE,KAAK,CAAC,SAAS,EAAE;YAChC,YAAY,EAAE;gBACZ,SAAS,EAAE,4BAA4B;gBACvC,SAAS;gBACT,SAAS,EAAE,KAAK,CAAC,SAAS;gBAC1B,YAAY,EAAE,KAAK,CAAC,YAAY;gBAChC,QAAQ,EAAE,KAAK,CAAC,QAAQ;gBACxB,OAAO,EAAE,KAAK,CAAC,OAAO;gBACtB,WAAW,EAAE,KAAK,CAAC,WAAW;gBAC9B,MAAM,EAAE,KAAK,CAAC,MAAM;gBACpB,SAAS,EAAE,KAAK,CAAC,SAAS;aAC3B;SACF,CAAC,CAAC;IACL,CAAC;IAED;;;;;;;;;OASG;IACK,KAAK,CAAC,oBAAoB,CAChC,SAAiB,EACjB,KAAU,EACV,SAAiB;QAEjB,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAEhD,2EAA2E;QAC3E,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;QAE7D,+CAA+C;QAC/C,2EAA2E;QAC3E,MAAM,gBAAgB,GAAG;YACvB,MAAM,EAAE,MAAM;YACd,MAAM,EAAE;gBACN,SAAS;gBACT,SAAS;gBACT,GAAG,KAAK;aACT;SACF,CAAC;QAEF,MAAM,iBAAiB,GAAG;YACxB,IAAI,EAAE;gBACJ,OAAO,EAAE,IAAI;gBACb,SAAS;gBACT,SAAS;gBACT,SAAS,EAAE,QAAQ,CAAC,GAAG;aACxB;SACF,CAAC;QAEF,yDAAyD;QACzD,gFAAgF;QAChF,0CAA0C;QAC1C,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,MAAM,cAAc,GAAmB;YACrC,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,KAAK,EAAE,4BAA4B;YACnC,QAAQ,EAAE,wBAAwB;YAClC,SAAS,EAAE,GAAG;YACd,SAAS,EAAE,GAAG;YACd,YAAY,EAAE,GAAG;YACjB,UAAU,EAAE,EAAE;SACf,CAAC;QAEF,OAAO,MAAM,IAAI,CAAC,cAAc,CAAC,aAAa,CAC5C,gBAAgB,EAChB,iBAAiB,EACjB,cAAc,EAAE,kCAAkC;QAClD;YACE,OAAO,EAAE,SAAS;YAClB,SAAS,EAAE,KAAK,CAAC,OAAO,CAAC,8CAA8C;SACxE,CACF,CAAC;IACJ,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,iBAAiB;QAC7B,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;YAClB,MAAM,IAAI,KAAK,CAAC,mEAAmE,CAAC,CAAC;QACvF,CAAC;QAED,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC;YAClD,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACd,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC;YAClD,CAAC;YACD,OAAO,QAAQ,CAAC;QAClB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,+BAA+B,EAAE;gBACjD,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;aAC9D,CAAC,CAAC;YACH,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAC;QACxE,CAAC;IACH,CAAC;CACF"}

package/dist/services/consent.service.d.ts

@@ -15,7 +15,40 @@ export declare class ConsentService {
     private env;
     private runtime?;
     private userDidManager?;
+    private auditService?;
+    private auditInitPromise?;
+    /**
+     * ✅ FIXED: Constructor takes env: CloudflareEnv, not config
+     */
     constructor(env: CloudflareEnv, runtime?: CloudflareRuntime);
+    /**
+     * Get or initialize audit service (lazy initialization)
+     *
+     * Fetches config from remote API when projectId is available.
+     * Uses promise caching to prevent race conditions.
+     *
+     * @param projectId - Project ID from consent request (required for config fetch)
+     */
+    private getAuditService;
+    /**
+     * Initialize audit service - fetches config from remote API
+     *
+     * ⚠️ CRITICAL: Fetches config from remote API using fetchRemoteConfig()
+     * This is the ONLY way to get CloudflareRuntimeConfig per requirement.
+     */
+    private initializeAuditService;
+    /**
+     * Fetch CloudflareRuntimeConfig from remote API (AgentShield)
+     *
+     * ⚠️ CRITICAL: Config MUST be fetched from remote API, not constructed from env.
+     *
+     * Uses existing `fetchRemoteConfig()` from `@kya-os/mcp-i-core/config/remote-config`
+     * which handles caching, error handling, and API communication.
+     *
+     * @param projectId - Project ID from consent request
+     * @returns Runtime config or undefined if unavailable
+     */
+    private getConfigFromRemoteAPI;
     /**
      * Get or generate User DID for a session
      *
@@ -94,6 +127,16 @@ export declare class ConsentService {
      * @returns HTML response
      */
     private renderConsentPage;
+    /**
+     * Parse request body from JSON or FormData
+     *
+     * Handles both JSON and FormData/multipart requests, converting
+     * FormData fields to the correct format for ConsentApprovalRequest.
+     *
+     * @param request - Request to parse
+     * @returns Parsed body object
+     */
+    private parseRequestBody;
     /**
      * Handle consent approval
      *
@@ -152,6 +195,13 @@ export declare class ConsentService {
     private isValidUUID;
     /**
      * Build simplified format request with proper field name
+     *
+     * CRITICAL: This method MUST NOT include session_id or project_id in the request body.
+     * These fields are NOT part of AgentShield's createDelegationSchema:
+     * - project_id is extracted from API key context by AgentShield middleware
+     * - session_id is not needed for delegation creation
+     *
+     * Including these fields will cause validation errors (400 Bad Request).
      */
     private buildSimplifiedFormatRequest;
     /**
@@ -160,6 +210,9 @@ export declare class ConsentService {
     private tryAPICall;
     /**
      * Make API call and parse response
+     *
+     * CRITICAL: This method ensures session_id and project_id are never sent to AgentShield.
+     * These fields are NOT part of the createDelegationSchema and will cause validation errors.
      */
     private makeAPICall;
     /**

package/dist/services/consent.service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"consent.service.d.ts","sourceRoot":"","sources":["../../src/services/consent.service.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAC9C,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAWpD,OAAO,KAAK,EAIV,aAAa,EACd,MAAM,2BAA2B,CAAC;AAenC,qBAAa,cAAc;IACzB,OAAO,CAAC,aAAa,CAAuB;IAC5C,OAAO,CAAC,QAAQ,CAAsB;IACtC,OAAO,CAAC,GAAG,CAAgB;IAC3B,OAAO,CAAC,OAAO,CAAC,CAAoB;IACpC,OAAO,CAAC,cAAc,CAAC,CAAiB;gBAE5B,GAAG,EAAE,aAAa,EAAE,OAAO,CAAC,EAAE,iBAAiB;IAO3D;;;;;;;;;OASG;YACW,oBAAoB;IA4GlC;;;;;;;;;;;OAWG;IACG,eAAe,CACnB,SAAS,EAAE,MAAM,EACjB,aAAa,CAAC,EAAE,aAAa,GAC5B,OAAO,CAAC,OAAO,CAAC;IA+CnB;;;;;;;;;;;;OAYG;IACH,aAAa,CACX,SAAS,EAAE,MAAM,EACjB,QAAQ,EAAE,MAAM,EAChB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EAAE,EAChB,SAAS,EAAE,MAAM,GAChB,MAAM;IA8BT;;;;;;;;;;;OAWG;IACG,kBAAkB,CACtB,aAAa,EAAE,aAAa,EAC5B,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,MAAM,CAAC;IAuElB;;;;;;;;;;OAUG;IACG,MAAM,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,QAAQ,CAAC;IAqBjD;;;;;;;;;;;;;OAaG;YACW,iBAAiB;IAqL/B;;;;;;;;OAQG;YACW,cAAc;IA8F5B;;;;;OAKG;YACW,gBAAgB;IAyL9B;;;;;;;;;OASG;YACW,oBAAoB;IAgFlC;;;;;OAKG;YACW,iBAAiB;IAmC/B;;;;OAIG;YACW,sBAAsB;IA+EpC;;OAEG;YACW,sBAAsB;IAuBpC;;;;;;;;;OASG;IACH,OAAO,CAAC,WAAW;IAMnB;;OAEG;IACH,OAAO,CAAC,4BAA4B;IAuDpC;;OAEG;YACW,UAAU;IAqDxB;;OAEG;YACW,WAAW;IAoFzB;;OAEG;YACW,qBAAqB;CAyBpC"}
+{"version":3,"file":"consent.service.d.ts","sourceRoot":"","sources":["../../src/services/consent.service.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAC9C,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAWpD,OAAO,KAAK,EAIV,aAAa,EACd,MAAM,2BAA2B,CAAC;AAqBnC,qBAAa,cAAc;IACzB,OAAO,CAAC,aAAa,CAAuB;IAC5C,OAAO,CAAC,QAAQ,CAAsB;IACtC,OAAO,CAAC,GAAG,CAAgB;IAC3B,OAAO,CAAC,OAAO,CAAC,CAAoB;IACpC,OAAO,CAAC,cAAc,CAAC,CAAiB;IAGxC,OAAO,CAAC,YAAY,CAAC,CAAsB;IAC3C,OAAO,CAAC,gBAAgB,CAAC,CAAgB;IAEzC;;OAEG;gBACS,GAAG,EAAE,aAAa,EAAE,OAAO,CAAC,EAAE,iBAAiB;IAQ3D;;;;;;;OAOG;YACW,eAAe;IAmC7B;;;;;OAKG;YACW,sBAAsB;IA8CpC;;;;;;;;;;OAUG;YACW,sBAAsB;IA6CpC;;;;;;;;;OASG;YACW,oBAAoB;IA4HlC;;;;;;;;;;;OAWG;IACG,eAAe,CACnB,SAAS,EAAE,MAAM,EACjB,aAAa,CAAC,EAAE,aAAa,GAC5B,OAAO,CAAC,OAAO,CAAC;IA+CnB;;;;;;;;;;;;OAYG;IACH,aAAa,CACX,SAAS,EAAE,MAAM,EACjB,QAAQ,EAAE,MAAM,EAChB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EAAE,EAChB,SAAS,EAAE,MAAM,GAChB,MAAM;IA8BT;;;;;;;;;;;OAWG;IACG,kBAAkB,CACtB,aAAa,EAAE,aAAa,EAC5B,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,MAAM,CAAC;IAuElB;;;;;;;;;;OAUG;IACG,MAAM,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,QAAQ,CAAC;IAqBjD;;;;;;;;;;;;;OAaG;YACW,iBAAiB;IA8M/B;;;;;;;;OAQG;YACW,gBAAgB;IA8lC9B;;;;;;;;OAQG;YACW,cAAc;IAiN5B;;;;;OAKG;YACW,gBAAgB;IA2M9B;;;;;;;;;OASG;YACW,oBAAoB;IAgFlC;;;;;OAKG;YACW,iBAAiB;IAmC/B;;;;OAIG;YACW,sBAAsB;IA+EpC;;OAEG;YACW,sBAAsB;IAyBpC;;;;;;;;;OASG;IACH,OAAO,CAAC,WAAW;IAMnB;;;;;;;;;OASG;IACH,OAAO,CAAC,4BAA4B;IA2DpC;;OAEG;YACW,UAAU;IAqDxB;;;;;OAKG;YACW,WAAW;IA0GzB;;OAEG;YACW,qBAAqB;CAyBpC"}