npm - @kya-os/mcp-i-cloudflare - Versions diffs - 1.6.18 → 1.6.19-canary.clientinfo.20251126124133 - Mend

@kya-os/mcp-i-cloudflare 1.6.18 → 1.6.19-canary.clientinfo.20251126124133

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (32) hide show

package/dist/__tests__/e2e/test-config.d.ts +37 -0
package/dist/__tests__/e2e/test-config.d.ts.map +1 -0
package/dist/__tests__/e2e/test-config.js +62 -0
package/dist/__tests__/e2e/test-config.js.map +1 -0
package/dist/agent.d.ts.map +1 -1
package/dist/agent.js +100 -24
package/dist/agent.js.map +1 -1
package/dist/services/kta-client-lookup.d.ts +5 -3
package/dist/services/kta-client-lookup.d.ts.map +1 -1
package/dist/services/kta-client-lookup.js +10 -34
package/dist/services/kta-client-lookup.js.map +1 -1
package/dist/utils/client-info.d.ts +69 -0
package/dist/utils/client-info.d.ts.map +1 -0
package/dist/utils/client-info.js +178 -0
package/dist/utils/client-info.js.map +1 -0
package/dist/utils/error-formatter.d.ts +103 -0
package/dist/utils/error-formatter.d.ts.map +1 -0
package/dist/utils/error-formatter.js +245 -0
package/dist/utils/error-formatter.js.map +1 -0
package/dist/utils/initialize-context.d.ts +91 -0
package/dist/utils/initialize-context.d.ts.map +1 -0
package/dist/utils/initialize-context.js +169 -0
package/dist/utils/initialize-context.js.map +1 -0
package/dist/utils/known-clients.d.ts +14 -6
package/dist/utils/known-clients.d.ts.map +1 -1
package/dist/utils/known-clients.js +28 -11
package/dist/utils/known-clients.js.map +1 -1
package/dist/utils/oauth-identity.d.ts +58 -0
package/dist/utils/oauth-identity.d.ts.map +1 -0
package/dist/utils/oauth-identity.js +215 -0
package/dist/utils/oauth-identity.js.map +1 -0
package/package.json +2 -2

package/dist/utils/oauth-identity.js ADDED Viewed

@@ -0,0 +1,215 @@
+/**
+ * OAuth Identity Utilities
+ *
+ * Handles OAuth identity extraction and validation from HTTP requests.
+ * This module consolidates OAuth-related logic that was previously in the adapter.
+ */
+/**
+ * Extract OAuth identity from request cookies
+ *
+ * @param request - HTTP Request object
+ * @returns OAuthIdentity or null if not found/invalid
+ */
+export function extractOAuthIdentityFromRequest(request) {
+    try {
+        const cookieHeader = request.headers.get("Cookie");
+        if (!cookieHeader)
+            return null;
+        const cookies = cookieHeader.split("; ").map((c) => c.trim());
+        const oauthCookie = cookies.find((c) => c.startsWith("oauth_identity="));
+        if (!oauthCookie)
+            return null;
+        // Extract cookie value properly handling cases where value contains '='
+        // Find the first '=' which separates key from value, then take everything after it
+        const equalsIndex = oauthCookie.indexOf("=");
+        if (equalsIndex === -1)
+            return null;
+        const cookieValue = oauthCookie.substring(equalsIndex + 1);
+        const parsed = JSON.parse(decodeURIComponent(cookieValue));
+        // ✅ SECURITY: Validate OAuth identity format and content
+        const validationResult = validateOAuthIdentity(parsed);
+        if (!validationResult.valid) {
+            console.warn("[OAuth] ⚠️ OAuth identity validation failed:", validationResult.reason, { parsed });
+            return null;
+        }
+        return parsed;
+    }
+    catch (error) {
+        console.warn("[OAuth] Failed to extract OAuth identity from cookies:", error);
+    }
+    return null;
+}
+/**
+ * Validate OAuth identity format and content
+ *
+ * Ensures:
+ * - Provider is non-empty string (1-50 chars)
+ * - Subject is non-empty string (1-255 chars)
+ * - Provider matches expected format (alphanumeric, hyphens, underscores)
+ * - Subject matches expected format (non-empty, reasonable length)
+ *
+ * @param identity - Parsed OAuth identity object
+ * @returns Validation result
+ */
+export function validateOAuthIdentity(identity) {
+    // Check if identity is an object
+    if (!identity || typeof identity !== "object") {
+        return { valid: false, reason: "OAuth identity must be an object" };
+    }
+    const oauth = identity;
+    // Validate provider
+    if (!oauth.provider || typeof oauth.provider !== "string") {
+        return {
+            valid: false,
+            reason: "OAuth provider is required and must be a string",
+        };
+    }
+    const provider = oauth.provider.trim();
+    if (provider.length === 0) {
+        return { valid: false, reason: "OAuth provider cannot be empty" };
+    }
+    if (provider.length > 50) {
+        return {
+            valid: false,
+            reason: "OAuth provider must be 50 characters or less",
+        };
+    }
+    // Provider format: alphanumeric, hyphens, underscores, dots (e.g., "google", "microsoft", "github", "custom-provider")
+    const providerPattern = /^[a-zA-Z0-9._-]+$/;
+    if (!providerPattern.test(provider)) {
+        return {
+            valid: false,
+            reason: `OAuth provider must match pattern [a-zA-Z0-9._-]: "${provider}"`,
+        };
+    }
+    // Validate subject
+    if (!oauth.subject || typeof oauth.subject !== "string") {
+        return {
+            valid: false,
+            reason: "OAuth subject is required and must be a string",
+        };
+    }
+    const subject = oauth.subject.trim();
+    if (subject.length === 0) {
+        return { valid: false, reason: "OAuth subject cannot be empty" };
+    }
+    if (subject.length > 255) {
+        return {
+            valid: false,
+            reason: "OAuth subject must be 255 characters or less",
+        };
+    }
+    // Subject format: non-empty, reasonable characters (allows most Unicode, but prevents control chars)
+    // OAuth subjects can be numeric IDs, email-like strings, or other identifiers
+    const subjectPattern = /^[\S]+$/; // At least one non-whitespace character
+    if (!subjectPattern.test(subject)) {
+        return {
+            valid: false,
+            reason: `OAuth subject contains invalid characters: "${subject.substring(0, 20)}..."`,
+        };
+    }
+    // Validate optional email if present
+    if (oauth.email !== undefined) {
+        if (typeof oauth.email !== "string") {
+            return {
+                valid: false,
+                reason: "OAuth email must be a string if provided",
+            };
+        }
+        const email = oauth.email.trim();
+        if (email.length > 0) {
+            // Basic email format validation
+            const emailPattern = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+            if (!emailPattern.test(email)) {
+                return {
+                    valid: false,
+                    reason: `OAuth email format invalid: "${email}"`,
+                };
+            }
+            if (email.length > 255) {
+                return {
+                    valid: false,
+                    reason: "OAuth email must be 255 characters or less",
+                };
+            }
+        }
+    }
+    // Validate optional name if present
+    if (oauth.name !== undefined) {
+        if (typeof oauth.name !== "string") {
+            return {
+                valid: false,
+                reason: "OAuth name must be a string if provided",
+            };
+        }
+        if (oauth.name.length > 255) {
+            return {
+                valid: false,
+                reason: "OAuth name must be 255 characters or less",
+            };
+        }
+    }
+    return { valid: true };
+}
+/**
+ * Lookup User DID from OAuth identity mapping
+ *
+ * @param oauthIdentity OAuth identity to lookup
+ * @param delegationStorage KV namespace for storage
+ * @returns User DID or null if not found
+ */
+export async function lookupUserDidFromOAuth(oauthIdentity, delegationStorage) {
+    if (!delegationStorage || !oauthIdentity?.provider || !oauthIdentity?.subject) {
+        return null;
+    }
+    try {
+        const { STORAGE_KEYS } = await import("../constants/storage-keys");
+        const oauthKey = STORAGE_KEYS.oauthIdentity(oauthIdentity.provider, oauthIdentity.subject);
+        const userDid = await delegationStorage.get(oauthKey, "text");
+        if (userDid) {
+            console.log("[OAuth] ✅ Retrieved persistent userDid from OAuth mapping:", {
+                provider: oauthIdentity.provider,
+                userDid: userDid.slice(0, 20) + "...",
+            });
+        }
+        return userDid;
+    }
+    catch (error) {
+        console.warn("[OAuth] Failed to lookup userDid from OAuth mapping:", error);
+        return null;
+    }
+}
+/**
+ * Create a redacted OAuth identity for storage (PII protection)
+ *
+ * @param oauthIdentity Original OAuth identity
+ * @returns Redacted identity safe for storage
+ */
+export function redactOAuthIdentityForStorage(oauthIdentity) {
+    if (!oauthIdentity) {
+        return undefined;
+    }
+    return {
+        provider: oauthIdentity.provider,
+        subjectHash: oauthIdentity.subject.substring(0, 8), // Redact full subject
+        // Don't store email, name, or full subject for PII protection
+    };
+}
+/**
+ * Test if an OAuth cookie value is valid
+ * Helper function for testing and debugging
+ *
+ * @param cookieValue Encoded cookie value
+ * @returns true if valid OAuth identity, false otherwise
+ */
+export function isValidOAuthCookie(cookieValue) {
+    try {
+        const parsed = JSON.parse(decodeURIComponent(cookieValue));
+        const result = validateOAuthIdentity(parsed);
+        return result.valid;
+    }
+    catch {
+        return false;
+    }
+}
+//# sourceMappingURL=oauth-identity.js.map

package/dist/utils/oauth-identity.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"oauth-identity.js","sourceRoot":"","sources":["../../src/utils/oauth-identity.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAYH;;;;;GAKG;AACH,MAAM,UAAU,+BAA+B,CAAC,OAAgB;IAC9D,IAAI,CAAC;QACH,MAAM,YAAY,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QACnD,IAAI,CAAC,YAAY;YAAE,OAAO,IAAI,CAAC;QAE/B,MAAM,OAAO,GAAG,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;QAC9D,MAAM,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,iBAAiB,CAAC,CAAC,CAAC;QACzE,IAAI,CAAC,WAAW;YAAE,OAAO,IAAI,CAAC;QAE9B,wEAAwE;QACxE,mFAAmF;QACnF,MAAM,WAAW,GAAG,WAAW,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAC7C,IAAI,WAAW,KAAK,CAAC,CAAC;YAAE,OAAO,IAAI,CAAC;QACpC,MAAM,WAAW,GAAG,WAAW,CAAC,SAAS,CAAC,WAAW,GAAG,CAAC,CAAC,CAAC;QAC3D,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC,WAAW,CAAC,CAAC,CAAC;QAE3D,yDAAyD;QACzD,MAAM,gBAAgB,GAAG,qBAAqB,CAAC,MAAM,CAAC,CAAC;QACvD,IAAI,CAAC,gBAAgB,CAAC,KAAK,EAAE,CAAC;YAC5B,OAAO,CAAC,IAAI,CACV,8CAA8C,EAC9C,gBAAgB,CAAC,MAAM,EACvB,EAAE,MAAM,EAAE,CACX,CAAC;YACF,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,MAAuB,CAAC;IACjC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,IAAI,CACV,wDAAwD,EACxD,KAAK,CACN,CAAC;IACJ,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,qBAAqB,CAAC,QAAiB;IACrD,iCAAiC;IACjC,IAAI,CAAC,QAAQ,IAAI,OAAO,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC9C,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,kCAAkC,EAAE,CAAC;IACtE,CAAC;IAED,MAAM,KAAK,GAAG,QAAmC,CAAC;IAElD,oBAAoB;IACpB,IAAI,CAAC,KAAK,CAAC,QAAQ,IAAI,OAAO,KAAK,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC1D,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,MAAM,EAAE,iDAAiD;SAC1D,CAAC;IACJ,CAAC;IAED,MAAM,QAAQ,GAAG,KAAK,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;IACvC,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1B,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,gCAAgC,EAAE,CAAC;IACpE,CAAC;IAED,IAAI,QAAQ,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QACzB,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,MAAM,EAAE,8CAA8C;SACvD,CAAC;IACJ,CAAC;IAED,uHAAuH;IACvH,MAAM,eAAe,GAAG,mBAAmB,CAAC;IAC5C,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;QACpC,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,MAAM,EAAE,sDAAsD,QAAQ,GAAG;SAC1E,CAAC;IACJ,CAAC;IAED,mBAAmB;IACnB,IAAI,CAAC,KAAK,CAAC,OAAO,IAAI,OAAO,KAAK,CAAC,OAAO,KAAK,QAAQ,EAAE,CAAC;QACxD,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,MAAM,EAAE,gDAAgD;SACzD,CAAC;IACJ,CAAC;IAED,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;IACrC,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,+BAA+B,EAAE,CAAC;IACnE,CAAC;IAED,IAAI,OAAO,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;QACzB,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,MAAM,EAAE,8CAA8C;SACvD,CAAC;IACJ,CAAC;IAED,qGAAqG;IACrG,8EAA8E;IAC9E,MAAM,cAAc,GAAG,SAAS,CAAC,CAAC,wCAAwC;IAC1E,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;QAClC,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,MAAM,EAAE,+CAA+C,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM;SACtF,CAAC;IACJ,CAAC;IAED,qCAAqC;IACrC,IAAI,KAAK,CAAC,KAAK,KAAK,SAAS,EAAE,CAAC;QAC9B,IAAI,OAAO,KAAK,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;YACpC,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,0CAA0C;aACnD,CAAC;QACJ,CAAC;QAED,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;QACjC,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACrB,gCAAgC;YAChC,MAAM,YAAY,GAAG,4BAA4B,CAAC;YAClD,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC9B,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,MAAM,EAAE,gCAAgC,KAAK,GAAG;iBACjD,CAAC;YACJ,CAAC;YAED,IAAI,KAAK,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;gBACvB,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,MAAM,EAAE,4CAA4C;iBACrD,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAED,oCAAoC;IACpC,IAAI,KAAK,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAC7B,IAAI,OAAO,KAAK,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YACnC,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,yCAAyC;aAClD,CAAC;QACJ,CAAC;QAED,IAAI,KAAK,CAAC,IAAI,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;YAC5B,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,2CAA2C;aACpD,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;AACzB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,aAA4B,EAC5B,iBAAsB;IAEtB,IAAI,CAAC,iBAAiB,IAAI,CAAC,aAAa,EAAE,QAAQ,IAAI,CAAC,aAAa,EAAE,OAAO,EAAE,CAAC;QAC9E,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,CAAC;QACH,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,MAAM,CAAC,2BAA2B,CAAC,CAAC;QACnE,MAAM,QAAQ,GAAG,YAAY,CAAC,aAAa,CACzC,aAAa,CAAC,QAAQ,EACtB,aAAa,CAAC,OAAO,CACtB,CAAC;QACF,MAAM,OAAO,GAAG,MAAM,iBAAiB,CAAC,GAAG,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QAE9D,IAAI,OAAO,EAAE,CAAC;YACZ,OAAO,CAAC,GAAG,CACT,4DAA4D,EAC5D;gBACE,QAAQ,EAAE,aAAa,CAAC,QAAQ;gBAChC,OAAO,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,KAAK;aACtC,CACF,CAAC;QACJ,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,IAAI,CACV,sDAAsD,EACtD,KAAK,CACN,CAAC;QACF,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,6BAA6B,CAAC,aAAmC;IAC/E,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,OAAO;QACL,QAAQ,EAAE,aAAa,CAAC,QAAQ;QAChC,WAAW,EAAE,aAAa,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,sBAAsB;QAC1E,8DAA8D;KAC/D,CAAC;AACJ,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,kBAAkB,CAAC,WAAmB;IACpD,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC,WAAW,CAAC,CAAC,CAAC;QAC3D,MAAM,MAAM,GAAG,qBAAqB,CAAC,MAAM,CAAC,CAAC;QAC7C,OAAO,MAAM,CAAC,KAAK,CAAC;IACtB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC"}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@kya-os/mcp-i-cloudflare",
-  "version": "1.6.18",
+  "version": "1.6.19-canary.clientinfo.20251126124133",
   "description": "Cloudflare Workers adapter for MCP-I framework",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -18,7 +18,7 @@
   },
   "dependencies": {
     "@kya-os/contracts": "^1.6.1",
-    "@kya-os/mcp-i-core": "^1.3.6",
+    "@kya-os/mcp-i-core": "canary-clientinfo",
     "@modelcontextprotocol/sdk": "^1.19.1",
     "agents": "^0.2.21",
     "base-x": "^5.0.0",