@kya-os/mcp-i-cloudflare 1.6.19 → 1.6.21-canary.clientinfo.20251126130107

package/dist/utils/known-clients.js

@@ -2,7 +2,7 @@
  * Known MCP Clients Registry
  *
  * Maps known MCP client names to their official Know That AI (KTA) DIDs.
- * When a known client connects, we use its pre-registered DID instead of generating one.
+ * All known clients get a did:web DID, with ktaRegistered indicating actual KTA registration.
  */
 /**
  * Registry of known MCP clients
@@ -10,6 +10,8 @@
  * Each entry maps a canonical client ID to its configuration.
  * The `names` array contains possible variations of the client name
  * that might appear in the MCP initialize message's clientInfo.name field.
+ *
+ * All known clients get a did:web DID. ktaRegistered indicates if actually on KTA.
  */
 export const KNOWN_MCP_CLIENTS = {
     // ============================================================
@@ -27,7 +29,8 @@ export const KNOWN_MCP_CLIENTS = {
             "Claude Code", // CLI/code client
             "claude-code",
         ],
-        ktaDid: "did:web:knowthat.ai:agents:claude", // https://knowthat.ai/agents/claude
+        ktaDid: "did:web:knowthat.ai:agents:claude",
+        ktaRegistered: true, // https://knowthat.ai/agents/claude
         displayName: "Claude",
         vendor: "Anthropic",
     },
@@ -39,8 +42,11 @@ export const KNOWN_MCP_CLIENTS = {
             "ChatGPT App",
             "OpenAI ChatGPT",
             "OpenAI",
+            "OpenAI-MCP", // ChatGPT MCP client name
+            "openai-mcp",
         ],
-        ktaDid: "did:web:knowthat.ai:agents:chatgpt", // https://knowthat.ai/agents/chatgpt
+        ktaDid: "did:web:knowthat.ai:agents:chatgpt",
+        ktaRegistered: true, // https://knowthat.ai/agents/chatgpt
         displayName: "ChatGPT",
         vendor: "OpenAI",
     },
@@ -52,12 +58,13 @@ export const KNOWN_MCP_CLIENTS = {
             "perplexity-ai",
             "Perplexity App",
         ],
-        ktaDid: "did:web:knowthat.ai:agents:perplexity", // https://knowthat.ai/agents/perplexity
+        ktaDid: "did:web:knowthat.ai:agents:perplexity",
+        ktaRegistered: true, // https://knowthat.ai/agents/perplexity
         displayName: "Perplexity",
         vendor: "Perplexity AI",
     },
     // ============================================================
-    // UNREGISTERED CLIENTS (no KTA DID yet - will get ephemeral DID)
+    // KNOWN BUT UNREGISTERED CLIENTS (have did:web but not yet on KTA)
     // ============================================================
     "mcp-inspector": {
         names: [
@@ -68,31 +75,36 @@ export const KNOWN_MCP_CLIENTS = {
             "Inspector",
             "inspector-client", // Name sent by inspector CLI
         ],
-        ktaDid: null, // Not yet registered on knowthat.ai
+        ktaDid: "did:web:knowthat.ai:agents:mcp-inspector",
+        ktaRegistered: false, // Pending registration on knowthat.ai
         displayName: "MCP Inspector",
         vendor: "Anthropic",
     },
     "cursor": {
         names: ["Cursor", "cursor", "cursor-ai", "Cursor AI", "Cursor IDE"],
-        ktaDid: null, // Not yet registered on knowthat.ai
+        ktaDid: "did:web:knowthat.ai:agents:cursor",
+        ktaRegistered: false, // Pending registration on knowthat.ai
         displayName: "Cursor",
         vendor: "Cursor Inc",
     },
     "windsurf": {
         names: ["Windsurf", "windsurf", "Codeium Windsurf"],
-        ktaDid: null, // Not yet registered on knowthat.ai
+        ktaDid: "did:web:knowthat.ai:agents:windsurf",
+        ktaRegistered: false, // Pending registration on knowthat.ai
         displayName: "Windsurf",
         vendor: "Codeium",
     },
     "cline": {
         names: ["Cline", "cline", "VS Code Cline", "vscode-cline"],
-        ktaDid: null, // Not yet registered on knowthat.ai
+        ktaDid: "did:web:knowthat.ai:agents:cline",
+        ktaRegistered: false, // Pending registration on knowthat.ai
         displayName: "Cline",
         vendor: "Cline",
     },
     "zed": {
         names: ["Zed", "zed", "Zed Editor", "zed-editor"],
-        ktaDid: null, // Not yet registered on knowthat.ai
+        ktaDid: "did:web:knowthat.ai:agents:zed",
+        ktaRegistered: false, // Pending registration on knowthat.ai
         displayName: "Zed",
         vendor: "Zed Industries",
     },
@@ -123,12 +135,19 @@ export function isKnownClient(clientName) {
     return findKnownClient(clientName) !== undefined;
 }
 /**
- * Get the DID for a known client, if registered
+ * Get the DID for a known client
  */
 export function getKnownClientDid(clientName) {
     const known = findKnownClient(clientName);
     return known?.ktaDid ?? null;
 }
+/**
+ * Check if a known client is registered on KTA
+ */
+export function isKnownClientRegistered(clientName) {
+    const known = findKnownClient(clientName);
+    return known?.ktaRegistered ?? false;
+}
 /**
  * Get all known client IDs
  */

package/dist/utils/known-clients.js.map

@@ -1 +1 @@
-{"version":3,"file":"known-clients.js","sourceRoot":"","sources":["../../src/utils/known-clients.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAaH;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,iBAAiB,GAAsC;IAClE,+DAA+D;IAC/D,+DAA+D;IAC/D,+DAA+D;IAC/D,QAAQ,EAAE;QACR,KAAK,EAAE;YACL,gBAAgB;YAChB,gBAAgB;YAChB,QAAQ;YACR,QAAQ;YACR,kBAAkB;YAClB,oBAAoB,EAAE,yBAAyB;YAC/C,UAAU;YACV,aAAa,EAAE,kBAAkB;YACjC,aAAa;SACd;QACD,MAAM,EAAE,mCAAmC,EAAE,oCAAoC;QACjF,WAAW,EAAE,QAAQ;QACrB,MAAM,EAAE,WAAW;KACpB;IACD,SAAS,EAAE;QACT,KAAK,EAAE;YACL,SAAS;YACT,SAAS;YACT,aAAa;YACb,aAAa;YACb,gBAAgB;YAChB,QAAQ;SACT;QACD,MAAM,EAAE,oCAAoC,EAAE,qCAAqC;QACnF,WAAW,EAAE,SAAS;QACtB,MAAM,EAAE,QAAQ;KACjB;IACD,YAAY,EAAE;QACZ,KAAK,EAAE;YACL,YAAY;YACZ,YAAY;YACZ,eAAe;YACf,eAAe;YACf,gBAAgB;SACjB;QACD,MAAM,EAAE,uCAAuC,EAAE,wCAAwC;QACzF,WAAW,EAAE,YAAY;QACzB,MAAM,EAAE,eAAe;KACxB;IAED,+DAA+D;IAC/D,iEAAiE;IACjE,+DAA+D;IAC/D,eAAe,EAAE;QACf,KAAK,EAAE;YACL,eAAe;YACf,eAAe;YACf,0BAA0B;YAC1B,iCAAiC;YACjC,WAAW;YACX,kBAAkB,EAAE,6BAA6B;SAClD;QACD,MAAM,EAAE,IAAI,EAAE,oCAAoC;QAClD,WAAW,EAAE,eAAe;QAC5B,MAAM,EAAE,WAAW;KACpB;IACD,QAAQ,EAAE;QACR,KAAK,EAAE,CAAC,QAAQ,EAAE,QAAQ,EAAE,WAAW,EAAE,WAAW,EAAE,YAAY,CAAC;QACnE,MAAM,EAAE,IAAI,EAAE,oCAAoC;QAClD,WAAW,EAAE,QAAQ;QACrB,MAAM,EAAE,YAAY;KACrB;IACD,UAAU,EAAE;QACV,KAAK,EAAE,CAAC,UAAU,EAAE,UAAU,EAAE,kBAAkB,CAAC;QACnD,MAAM,EAAE,IAAI,EAAE,oCAAoC;QAClD,WAAW,EAAE,UAAU;QACvB,MAAM,EAAE,SAAS;KAClB;IACD,OAAO,EAAE;QACP,KAAK,EAAE,CAAC,OAAO,EAAE,OAAO,EAAE,eAAe,EAAE,cAAc,CAAC;QAC1D,MAAM,EAAE,IAAI,EAAE,oCAAoC;QAClD,WAAW,EAAE,OAAO;QACpB,MAAM,EAAE,OAAO;KAChB;IACD,KAAK,EAAE;QACL,KAAK,EAAE,CAAC,KAAK,EAAE,KAAK,EAAE,YAAY,EAAE,YAAY,CAAC;QACjD,MAAM,EAAE,IAAI,EAAE,oCAAoC;QAClD,WAAW,EAAE,KAAK;QAClB,MAAM,EAAE,gBAAgB;KACzB;CACF,CAAC;AAEF;;;;;GAKG;AACH,MAAM,UAAU,eAAe,CAC7B,UAA8B;IAE9B,IAAI,CAAC,UAAU;QAAE,OAAO,SAAS,CAAC;IAElC,MAAM,cAAc,GAAG,UAAU,CAAC,WAAW,EAAE,CAAC,IAAI,EAAE,CAAC;IAEvD,KAAK,MAAM,CAAC,EAAE,EAAE,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,iBAAiB,CAAC,EAAE,CAAC;QAC7D,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;YAChC,IAAI,IAAI,CAAC,WAAW,EAAE,KAAK,cAAc,EAAE,CAAC;gBAC1C,OAAO,EAAE,GAAG,MAAM,EAAE,EAAE,EAAE,CAAC;YAC3B,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,aAAa,CAAC,UAA8B;IAC1D,OAAO,eAAe,CAAC,UAAU,CAAC,KAAK,SAAS,CAAC;AACnD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAC/B,UAA8B;IAE9B,MAAM,KAAK,GAAG,eAAe,CAAC,UAAU,CAAC,CAAC;IAC1C,OAAO,KAAK,EAAE,MAAM,IAAI,IAAI,CAAC;AAC/B,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB;IAC/B,OAAO,MAAM,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;AACxC,CAAC"}
+{"version":3,"file":"known-clients.js","sourceRoot":"","sources":["../../src/utils/known-clients.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAeH;;;;;;;;GAQG;AACH,MAAM,CAAC,MAAM,iBAAiB,GAAsC;IAClE,+DAA+D;IAC/D,+DAA+D;IAC/D,+DAA+D;IAC/D,QAAQ,EAAE;QACR,KAAK,EAAE;YACL,gBAAgB;YAChB,gBAAgB;YAChB,QAAQ;YACR,QAAQ;YACR,kBAAkB;YAClB,oBAAoB,EAAE,yBAAyB;YAC/C,UAAU;YACV,aAAa,EAAE,kBAAkB;YACjC,aAAa;SACd;QACD,MAAM,EAAE,mCAAmC;QAC3C,aAAa,EAAE,IAAI,EAAE,oCAAoC;QACzD,WAAW,EAAE,QAAQ;QACrB,MAAM,EAAE,WAAW;KACpB;IACD,SAAS,EAAE;QACT,KAAK,EAAE;YACL,SAAS;YACT,SAAS;YACT,aAAa;YACb,aAAa;YACb,gBAAgB;YAChB,QAAQ;YACR,YAAY,EAAE,0BAA0B;YACxC,YAAY;SACb;QACD,MAAM,EAAE,oCAAoC;QAC5C,aAAa,EAAE,IAAI,EAAE,qCAAqC;QAC1D,WAAW,EAAE,SAAS;QACtB,MAAM,EAAE,QAAQ;KACjB;IACD,YAAY,EAAE;QACZ,KAAK,EAAE;YACL,YAAY;YACZ,YAAY;YACZ,eAAe;YACf,eAAe;YACf,gBAAgB;SACjB;QACD,MAAM,EAAE,uCAAuC;QAC/C,aAAa,EAAE,IAAI,EAAE,wCAAwC;QAC7D,WAAW,EAAE,YAAY;QACzB,MAAM,EAAE,eAAe;KACxB;IAED,+DAA+D;IAC/D,mEAAmE;IACnE,+DAA+D;IAC/D,eAAe,EAAE;QACf,KAAK,EAAE;YACL,eAAe;YACf,eAAe;YACf,0BAA0B;YAC1B,iCAAiC;YACjC,WAAW;YACX,kBAAkB,EAAE,6BAA6B;SAClD;QACD,MAAM,EAAE,0CAA0C;QAClD,aAAa,EAAE,KAAK,EAAE,sCAAsC;QAC5D,WAAW,EAAE,eAAe;QAC5B,MAAM,EAAE,WAAW;KACpB;IACD,QAAQ,EAAE;QACR,KAAK,EAAE,CAAC,QAAQ,EAAE,QAAQ,EAAE,WAAW,EAAE,WAAW,EAAE,YAAY,CAAC;QACnE,MAAM,EAAE,mCAAmC;QAC3C,aAAa,EAAE,KAAK,EAAE,sCAAsC;QAC5D,WAAW,EAAE,QAAQ;QACrB,MAAM,EAAE,YAAY;KACrB;IACD,UAAU,EAAE;QACV,KAAK,EAAE,CAAC,UAAU,EAAE,UAAU,EAAE,kBAAkB,CAAC;QACnD,MAAM,EAAE,qCAAqC;QAC7C,aAAa,EAAE,KAAK,EAAE,sCAAsC;QAC5D,WAAW,EAAE,UAAU;QACvB,MAAM,EAAE,SAAS;KAClB;IACD,OAAO,EAAE;QACP,KAAK,EAAE,CAAC,OAAO,EAAE,OAAO,EAAE,eAAe,EAAE,cAAc,CAAC;QAC1D,MAAM,EAAE,kCAAkC;QAC1C,aAAa,EAAE,KAAK,EAAE,sCAAsC;QAC5D,WAAW,EAAE,OAAO;QACpB,MAAM,EAAE,OAAO;KAChB;IACD,KAAK,EAAE;QACL,KAAK,EAAE,CAAC,KAAK,EAAE,KAAK,EAAE,YAAY,EAAE,YAAY,CAAC;QACjD,MAAM,EAAE,gCAAgC;QACxC,aAAa,EAAE,KAAK,EAAE,sCAAsC;QAC5D,WAAW,EAAE,KAAK;QAClB,MAAM,EAAE,gBAAgB;KACzB;CACF,CAAC;AAEF;;;;;GAKG;AACH,MAAM,UAAU,eAAe,CAC7B,UAA8B;IAE9B,IAAI,CAAC,UAAU;QAAE,OAAO,SAAS,CAAC;IAElC,MAAM,cAAc,GAAG,UAAU,CAAC,WAAW,EAAE,CAAC,IAAI,EAAE,CAAC;IAEvD,KAAK,MAAM,CAAC,EAAE,EAAE,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,iBAAiB,CAAC,EAAE,CAAC;QAC7D,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;YAChC,IAAI,IAAI,CAAC,WAAW,EAAE,KAAK,cAAc,EAAE,CAAC;gBAC1C,OAAO,EAAE,GAAG,MAAM,EAAE,EAAE,EAAE,CAAC;YAC3B,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,aAAa,CAAC,UAA8B;IAC1D,OAAO,eAAe,CAAC,UAAU,CAAC,KAAK,SAAS,CAAC;AACnD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAC/B,UAA8B;IAE9B,MAAM,KAAK,GAAG,eAAe,CAAC,UAAU,CAAC,CAAC;IAC1C,OAAO,KAAK,EAAE,MAAM,IAAI,IAAI,CAAC;AAC/B,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,uBAAuB,CACrC,UAA8B;IAE9B,MAAM,KAAK,GAAG,eAAe,CAAC,UAAU,CAAC,CAAC;IAC1C,OAAO,KAAK,EAAE,aAAa,IAAI,KAAK,CAAC;AACvC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB;IAC/B,OAAO,MAAM,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;AACxC,CAAC"}

package/dist/utils/oauth-identity.d.ts

@@ -0,0 +1,58 @@
+/**
+ * OAuth Identity Utilities
+ *
+ * Handles OAuth identity extraction and validation from HTTP requests.
+ * This module consolidates OAuth-related logic that was previously in the adapter.
+ */
+import type { OAuthIdentity } from "@kya-os/contracts/consent";
+/**
+ * OAuth identity validation result
+ */
+export interface OAuthValidationResult {
+    valid: boolean;
+    reason?: string;
+}
+/**
+ * Extract OAuth identity from request cookies
+ *
+ * @param request - HTTP Request object
+ * @returns OAuthIdentity or null if not found/invalid
+ */
+export declare function extractOAuthIdentityFromRequest(request: Request): OAuthIdentity | null;
+/**
+ * Validate OAuth identity format and content
+ *
+ * Ensures:
+ * - Provider is non-empty string (1-50 chars)
+ * - Subject is non-empty string (1-255 chars)
+ * - Provider matches expected format (alphanumeric, hyphens, underscores)
+ * - Subject matches expected format (non-empty, reasonable length)
+ *
+ * @param identity - Parsed OAuth identity object
+ * @returns Validation result
+ */
+export declare function validateOAuthIdentity(identity: unknown): OAuthValidationResult;
+/**
+ * Lookup User DID from OAuth identity mapping
+ *
+ * @param oauthIdentity OAuth identity to lookup
+ * @param delegationStorage KV namespace for storage
+ * @returns User DID or null if not found
+ */
+export declare function lookupUserDidFromOAuth(oauthIdentity: OAuthIdentity, delegationStorage: any): Promise<string | null>;
+/**
+ * Create a redacted OAuth identity for storage (PII protection)
+ *
+ * @param oauthIdentity Original OAuth identity
+ * @returns Redacted identity safe for storage
+ */
+export declare function redactOAuthIdentityForStorage(oauthIdentity: OAuthIdentity | null): any;
+/**
+ * Test if an OAuth cookie value is valid
+ * Helper function for testing and debugging
+ *
+ * @param cookieValue Encoded cookie value
+ * @returns true if valid OAuth identity, false otherwise
+ */
+export declare function isValidOAuthCookie(cookieValue: string): boolean;
+//# sourceMappingURL=oauth-identity.d.ts.map

package/dist/utils/oauth-identity.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-identity.d.ts","sourceRoot":"","sources":["../../src/utils/oauth-identity.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,2BAA2B,CAAC;AAE/D;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;;;;GAKG;AACH,wBAAgB,+BAA+B,CAAC,OAAO,EAAE,OAAO,GAAG,aAAa,GAAG,IAAI,CAoCtF;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,qBAAqB,CAAC,QAAQ,EAAE,OAAO,GAAG,qBAAqB,CAkH9E;AAED;;;;;;GAMG;AACH,wBAAsB,sBAAsB,CAC1C,aAAa,EAAE,aAAa,EAC5B,iBAAiB,EAAE,GAAG,GACrB,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CA+BxB;AAED;;;;;GAKG;AACH,wBAAgB,6BAA6B,CAAC,aAAa,EAAE,aAAa,GAAG,IAAI,GAAG,GAAG,CAUtF;AAED;;;;;;GAMG;AACH,wBAAgB,kBAAkB,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAQ/D"}

package/dist/utils/oauth-identity.js

@@ -0,0 +1,215 @@
+/**
+ * OAuth Identity Utilities
+ *
+ * Handles OAuth identity extraction and validation from HTTP requests.
+ * This module consolidates OAuth-related logic that was previously in the adapter.
+ */
+/**
+ * Extract OAuth identity from request cookies
+ *
+ * @param request - HTTP Request object
+ * @returns OAuthIdentity or null if not found/invalid
+ */
+export function extractOAuthIdentityFromRequest(request) {
+    try {
+        const cookieHeader = request.headers.get("Cookie");
+        if (!cookieHeader)
+            return null;
+        const cookies = cookieHeader.split("; ").map((c) => c.trim());
+        const oauthCookie = cookies.find((c) => c.startsWith("oauth_identity="));
+        if (!oauthCookie)
+            return null;
+        // Extract cookie value properly handling cases where value contains '='
+        // Find the first '=' which separates key from value, then take everything after it
+        const equalsIndex = oauthCookie.indexOf("=");
+        if (equalsIndex === -1)
+            return null;
+        const cookieValue = oauthCookie.substring(equalsIndex + 1);
+        const parsed = JSON.parse(decodeURIComponent(cookieValue));
+        // ✅ SECURITY: Validate OAuth identity format and content
+        const validationResult = validateOAuthIdentity(parsed);
+        if (!validationResult.valid) {
+            console.warn("[OAuth] ⚠️ OAuth identity validation failed:", validationResult.reason, { parsed });
+            return null;
+        }
+        return parsed;
+    }
+    catch (error) {
+        console.warn("[OAuth] Failed to extract OAuth identity from cookies:", error);
+    }
+    return null;
+}
+/**
+ * Validate OAuth identity format and content
+ *
+ * Ensures:
+ * - Provider is non-empty string (1-50 chars)
+ * - Subject is non-empty string (1-255 chars)
+ * - Provider matches expected format (alphanumeric, hyphens, underscores)
+ * - Subject matches expected format (non-empty, reasonable length)
+ *
+ * @param identity - Parsed OAuth identity object
+ * @returns Validation result
+ */
+export function validateOAuthIdentity(identity) {
+    // Check if identity is an object
+    if (!identity || typeof identity !== "object") {
+        return { valid: false, reason: "OAuth identity must be an object" };
+    }
+    const oauth = identity;
+    // Validate provider
+    if (!oauth.provider || typeof oauth.provider !== "string") {
+        return {
+            valid: false,
+            reason: "OAuth provider is required and must be a string",
+        };
+    }
+    const provider = oauth.provider.trim();
+    if (provider.length === 0) {
+        return { valid: false, reason: "OAuth provider cannot be empty" };
+    }
+    if (provider.length > 50) {
+        return {
+            valid: false,
+            reason: "OAuth provider must be 50 characters or less",
+        };
+    }
+    // Provider format: alphanumeric, hyphens, underscores, dots (e.g., "google", "microsoft", "github", "custom-provider")
+    const providerPattern = /^[a-zA-Z0-9._-]+$/;
+    if (!providerPattern.test(provider)) {
+        return {
+            valid: false,
+            reason: `OAuth provider must match pattern [a-zA-Z0-9._-]: "${provider}"`,
+        };
+    }
+    // Validate subject
+    if (!oauth.subject || typeof oauth.subject !== "string") {
+        return {
+            valid: false,
+            reason: "OAuth subject is required and must be a string",
+        };
+    }
+    const subject = oauth.subject.trim();
+    if (subject.length === 0) {
+        return { valid: false, reason: "OAuth subject cannot be empty" };
+    }
+    if (subject.length > 255) {
+        return {
+            valid: false,
+            reason: "OAuth subject must be 255 characters or less",
+        };
+    }
+    // Subject format: non-empty, reasonable characters (allows most Unicode, but prevents control chars)
+    // OAuth subjects can be numeric IDs, email-like strings, or other identifiers
+    const subjectPattern = /^[\S]+$/; // At least one non-whitespace character
+    if (!subjectPattern.test(subject)) {
+        return {
+            valid: false,
+            reason: `OAuth subject contains invalid characters: "${subject.substring(0, 20)}..."`,
+        };
+    }
+    // Validate optional email if present
+    if (oauth.email !== undefined) {
+        if (typeof oauth.email !== "string") {
+            return {
+                valid: false,
+                reason: "OAuth email must be a string if provided",
+            };
+        }
+        const email = oauth.email.trim();
+        if (email.length > 0) {
+            // Basic email format validation
+            const emailPattern = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+            if (!emailPattern.test(email)) {
+                return {
+                    valid: false,
+                    reason: `OAuth email format invalid: "${email}"`,
+                };
+            }
+            if (email.length > 255) {
+                return {
+                    valid: false,
+                    reason: "OAuth email must be 255 characters or less",
+                };
+            }
+        }
+    }
+    // Validate optional name if present
+    if (oauth.name !== undefined) {
+        if (typeof oauth.name !== "string") {
+            return {
+                valid: false,
+                reason: "OAuth name must be a string if provided",
+            };
+        }
+        if (oauth.name.length > 255) {
+            return {
+                valid: false,
+                reason: "OAuth name must be 255 characters or less",
+            };
+        }
+    }
+    return { valid: true };
+}
+/**
+ * Lookup User DID from OAuth identity mapping
+ *
+ * @param oauthIdentity OAuth identity to lookup
+ * @param delegationStorage KV namespace for storage
+ * @returns User DID or null if not found
+ */
+export async function lookupUserDidFromOAuth(oauthIdentity, delegationStorage) {
+    if (!delegationStorage || !oauthIdentity?.provider || !oauthIdentity?.subject) {
+        return null;
+    }
+    try {
+        const { STORAGE_KEYS } = await import("../constants/storage-keys");
+        const oauthKey = STORAGE_KEYS.oauthIdentity(oauthIdentity.provider, oauthIdentity.subject);
+        const userDid = await delegationStorage.get(oauthKey, "text");
+        if (userDid) {
+            console.log("[OAuth] ✅ Retrieved persistent userDid from OAuth mapping:", {
+                provider: oauthIdentity.provider,
+                userDid: userDid.slice(0, 20) + "...",
+            });
+        }
+        return userDid;
+    }
+    catch (error) {
+        console.warn("[OAuth] Failed to lookup userDid from OAuth mapping:", error);
+        return null;
+    }
+}
+/**
+ * Create a redacted OAuth identity for storage (PII protection)
+ *
+ * @param oauthIdentity Original OAuth identity
+ * @returns Redacted identity safe for storage
+ */
+export function redactOAuthIdentityForStorage(oauthIdentity) {
+    if (!oauthIdentity) {
+        return undefined;
+    }
+    return {
+        provider: oauthIdentity.provider,
+        subjectHash: oauthIdentity.subject.substring(0, 8), // Redact full subject
+        // Don't store email, name, or full subject for PII protection
+    };
+}
+/**
+ * Test if an OAuth cookie value is valid
+ * Helper function for testing and debugging
+ *
+ * @param cookieValue Encoded cookie value
+ * @returns true if valid OAuth identity, false otherwise
+ */
+export function isValidOAuthCookie(cookieValue) {
+    try {
+        const parsed = JSON.parse(decodeURIComponent(cookieValue));
+        const result = validateOAuthIdentity(parsed);
+        return result.valid;
+    }
+    catch {
+        return false;
+    }
+}
+//# sourceMappingURL=oauth-identity.js.map

package/dist/utils/oauth-identity.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-identity.js","sourceRoot":"","sources":["../../src/utils/oauth-identity.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAYH;;;;;GAKG;AACH,MAAM,UAAU,+BAA+B,CAAC,OAAgB;IAC9D,IAAI,CAAC;QACH,MAAM,YAAY,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QACnD,IAAI,CAAC,YAAY;YAAE,OAAO,IAAI,CAAC;QAE/B,MAAM,OAAO,GAAG,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;QAC9D,MAAM,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,iBAAiB,CAAC,CAAC,CAAC;QACzE,IAAI,CAAC,WAAW;YAAE,OAAO,IAAI,CAAC;QAE9B,wEAAwE;QACxE,mFAAmF;QACnF,MAAM,WAAW,GAAG,WAAW,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAC7C,IAAI,WAAW,KAAK,CAAC,CAAC;YAAE,OAAO,IAAI,CAAC;QACpC,MAAM,WAAW,GAAG,WAAW,CAAC,SAAS,CAAC,WAAW,GAAG,CAAC,CAAC,CAAC;QAC3D,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC,WAAW,CAAC,CAAC,CAAC;QAE3D,yDAAyD;QACzD,MAAM,gBAAgB,GAAG,qBAAqB,CAAC,MAAM,CAAC,CAAC;QACvD,IAAI,CAAC,gBAAgB,CAAC,KAAK,EAAE,CAAC;YAC5B,OAAO,CAAC,IAAI,CACV,8CAA8C,EAC9C,gBAAgB,CAAC,MAAM,EACvB,EAAE,MAAM,EAAE,CACX,CAAC;YACF,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,MAAuB,CAAC;IACjC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,IAAI,CACV,wDAAwD,EACxD,KAAK,CACN,CAAC;IACJ,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,qBAAqB,CAAC,QAAiB;IACrD,iCAAiC;IACjC,IAAI,CAAC,QAAQ,IAAI,OAAO,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC9C,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,kCAAkC,EAAE,CAAC;IACtE,CAAC;IAED,MAAM,KAAK,GAAG,QAAmC,CAAC;IAElD,oBAAoB;IACpB,IAAI,CAAC,KAAK,CAAC,QAAQ,IAAI,OAAO,KAAK,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC1D,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,MAAM,EAAE,iDAAiD;SAC1D,CAAC;IACJ,CAAC;IAED,MAAM,QAAQ,GAAG,KAAK,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;IACvC,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1B,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,gCAAgC,EAAE,CAAC;IACpE,CAAC;IAED,IAAI,QAAQ,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QACzB,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,MAAM,EAAE,8CAA8C;SACvD,CAAC;IACJ,CAAC;IAED,uHAAuH;IACvH,MAAM,eAAe,GAAG,mBAAmB,CAAC;IAC5C,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;QACpC,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,MAAM,EAAE,sDAAsD,QAAQ,GAAG;SAC1E,CAAC;IACJ,CAAC;IAED,mBAAmB;IACnB,IAAI,CAAC,KAAK,CAAC,OAAO,IAAI,OAAO,KAAK,CAAC,OAAO,KAAK,QAAQ,EAAE,CAAC;QACxD,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,MAAM,EAAE,gDAAgD;SACzD,CAAC;IACJ,CAAC;IAED,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;IACrC,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,+BAA+B,EAAE,CAAC;IACnE,CAAC;IAED,IAAI,OAAO,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;QACzB,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,MAAM,EAAE,8CAA8C;SACvD,CAAC;IACJ,CAAC;IAED,qGAAqG;IACrG,8EAA8E;IAC9E,MAAM,cAAc,GAAG,SAAS,CAAC,CAAC,wCAAwC;IAC1E,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;QAClC,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,MAAM,EAAE,+CAA+C,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM;SACtF,CAAC;IACJ,CAAC;IAED,qCAAqC;IACrC,IAAI,KAAK,CAAC,KAAK,KAAK,SAAS,EAAE,CAAC;QAC9B,IAAI,OAAO,KAAK,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;YACpC,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,0CAA0C;aACnD,CAAC;QACJ,CAAC;QAED,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;QACjC,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACrB,gCAAgC;YAChC,MAAM,YAAY,GAAG,4BAA4B,CAAC;YAClD,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC9B,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,MAAM,EAAE,gCAAgC,KAAK,GAAG;iBACjD,CAAC;YACJ,CAAC;YAED,IAAI,KAAK,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;gBACvB,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,MAAM,EAAE,4CAA4C;iBACrD,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAED,oCAAoC;IACpC,IAAI,KAAK,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAC7B,IAAI,OAAO,KAAK,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YACnC,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,yCAAyC;aAClD,CAAC;QACJ,CAAC;QAED,IAAI,KAAK,CAAC,IAAI,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;YAC5B,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,2CAA2C;aACpD,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;AACzB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,aAA4B,EAC5B,iBAAsB;IAEtB,IAAI,CAAC,iBAAiB,IAAI,CAAC,aAAa,EAAE,QAAQ,IAAI,CAAC,aAAa,EAAE,OAAO,EAAE,CAAC;QAC9E,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,CAAC;QACH,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,MAAM,CAAC,2BAA2B,CAAC,CAAC;QACnE,MAAM,QAAQ,GAAG,YAAY,CAAC,aAAa,CACzC,aAAa,CAAC,QAAQ,EACtB,aAAa,CAAC,OAAO,CACtB,CAAC;QACF,MAAM,OAAO,GAAG,MAAM,iBAAiB,CAAC,GAAG,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QAE9D,IAAI,OAAO,EAAE,CAAC;YACZ,OAAO,CAAC,GAAG,CACT,4DAA4D,EAC5D;gBACE,QAAQ,EAAE,aAAa,CAAC,QAAQ;gBAChC,OAAO,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,KAAK;aACtC,CACF,CAAC;QACJ,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,IAAI,CACV,sDAAsD,EACtD,KAAK,CACN,CAAC;QACF,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,6BAA6B,CAAC,aAAmC;IAC/E,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,OAAO;QACL,QAAQ,EAAE,aAAa,CAAC,QAAQ;QAChC,WAAW,EAAE,aAAa,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,sBAAsB;QAC1E,8DAA8D;KAC/D,CAAC;AACJ,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,kBAAkB,CAAC,WAAmB;IACpD,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC,WAAW,CAAC,CAAC,CAAC;QAC3D,MAAM,MAAM,GAAG,qBAAqB,CAAC,MAAM,CAAC,CAAC;QAC7C,OAAO,MAAM,CAAC,KAAK,CAAC;IACtB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@kya-os/mcp-i-cloudflare",
-  "version": "1.6.19",
+  "version": "1.6.21-canary.clientinfo.20251126130107",
   "description": "Cloudflare Workers adapter for MCP-I framework",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -18,7 +18,7 @@
   },
   "dependencies": {
     "@kya-os/contracts": "^1.6.1",
-    "@kya-os/mcp-i-core": "^1.3.6",
+    "@kya-os/mcp-i-core": "canary-clientinfo",
     "@modelcontextprotocol/sdk": "^1.19.1",
     "agents": "^0.2.21",
     "base-x": "^5.0.0",