npm - @kya-os/mcp-i-core - Versions diffs - 1.2.3-canary.7 → 1.3.0 - Mend

@kya-os/mcp-i-core 1.2.3-canary.7 → 1.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (231) hide show

package/.claude/settings.local.json +9 -0
package/.turbo/turbo-build.log +4 -0
package/.turbo/turbo-test$colon$coverage.log +4514 -0
package/.turbo/turbo-test.log +2973 -0
package/COMPLIANCE_IMPROVEMENT_REPORT.md +483 -0
package/Composer 3.md +615 -0
package/GPT-5.md +1169 -0
package/OPUS-plan.md +352 -0
package/PHASE_3_AND_4.1_SUMMARY.md +585 -0
package/PHASE_3_SUMMARY.md +317 -0
package/PHASE_4.1.3_SUMMARY.md +428 -0
package/PHASE_4.1_COMPLETE.md +525 -0
package/PHASE_4_USER_DID_IDENTITY_LINKING_PLAN.md +1240 -0
package/SCHEMA_COMPLIANCE_REPORT.md +275 -0
package/TEST_PLAN.md +571 -0
package/coverage/coverage-final.json +57 -0
package/dist/__tests__/utils/mock-providers.d.ts +1 -2
package/dist/__tests__/utils/mock-providers.d.ts.map +1 -1
package/dist/__tests__/utils/mock-providers.js.map +1 -1
package/dist/cache/oauth-config-cache.d.ts +69 -0
package/dist/cache/oauth-config-cache.d.ts.map +1 -0
package/dist/cache/oauth-config-cache.js +76 -0
package/dist/cache/oauth-config-cache.js.map +1 -0
package/dist/identity/idp-token-resolver.d.ts +53 -0
package/dist/identity/idp-token-resolver.d.ts.map +1 -0
package/dist/identity/idp-token-resolver.js +108 -0
package/dist/identity/idp-token-resolver.js.map +1 -0
package/dist/identity/idp-token-storage.interface.d.ts +42 -0
package/dist/identity/idp-token-storage.interface.d.ts.map +1 -0
package/dist/identity/idp-token-storage.interface.js +12 -0
package/dist/identity/idp-token-storage.interface.js.map +1 -0
package/dist/identity/user-did-manager.d.ts +39 -1
package/dist/identity/user-did-manager.d.ts.map +1 -1
package/dist/identity/user-did-manager.js +69 -3
package/dist/identity/user-did-manager.js.map +1 -1
package/dist/index.d.ts +22 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.js +39 -1
package/dist/index.js.map +1 -1
package/dist/runtime/audit-logger.d.ts +37 -0
package/dist/runtime/audit-logger.d.ts.map +1 -0
package/dist/runtime/audit-logger.js +9 -0
package/dist/runtime/audit-logger.js.map +1 -0
package/dist/runtime/base.d.ts +58 -2
package/dist/runtime/base.d.ts.map +1 -1
package/dist/runtime/base.js +266 -11
package/dist/runtime/base.js.map +1 -1
package/dist/services/access-control.service.d.ts.map +1 -1
package/dist/services/access-control.service.js +200 -35
package/dist/services/access-control.service.js.map +1 -1
package/dist/services/authorization/authorization-registry.d.ts +29 -0
package/dist/services/authorization/authorization-registry.d.ts.map +1 -0
package/dist/services/authorization/authorization-registry.js +57 -0
package/dist/services/authorization/authorization-registry.js.map +1 -0
package/dist/services/authorization/types.d.ts +53 -0
package/dist/services/authorization/types.d.ts.map +1 -0
package/dist/services/authorization/types.js +10 -0
package/dist/services/authorization/types.js.map +1 -0
package/dist/services/batch-delegation.service.d.ts +53 -0
package/dist/services/batch-delegation.service.d.ts.map +1 -0
package/dist/services/batch-delegation.service.js +95 -0
package/dist/services/batch-delegation.service.js.map +1 -0
package/dist/services/oauth-config.service.d.ts +53 -0
package/dist/services/oauth-config.service.d.ts.map +1 -0
package/dist/services/oauth-config.service.js +117 -0
package/dist/services/oauth-config.service.js.map +1 -0
package/dist/services/oauth-provider-registry.d.ts +77 -0
package/dist/services/oauth-provider-registry.d.ts.map +1 -0
package/dist/services/oauth-provider-registry.js +112 -0
package/dist/services/oauth-provider-registry.js.map +1 -0
package/dist/services/oauth-service.d.ts +77 -0
package/dist/services/oauth-service.d.ts.map +1 -0
package/dist/services/oauth-service.js +348 -0
package/dist/services/oauth-service.js.map +1 -0
package/dist/services/oauth-token-retrieval.service.d.ts +49 -0
package/dist/services/oauth-token-retrieval.service.d.ts.map +1 -0
package/dist/services/oauth-token-retrieval.service.js +150 -0
package/dist/services/oauth-token-retrieval.service.js.map +1 -0
package/dist/services/provider-resolver.d.ts +48 -0
package/dist/services/provider-resolver.d.ts.map +1 -0
package/dist/services/provider-resolver.js +120 -0
package/dist/services/provider-resolver.js.map +1 -0
package/dist/services/provider-validator.d.ts +55 -0
package/dist/services/provider-validator.d.ts.map +1 -0
package/dist/services/provider-validator.js +135 -0
package/dist/services/provider-validator.js.map +1 -0
package/dist/services/tool-context-builder.d.ts +57 -0
package/dist/services/tool-context-builder.d.ts.map +1 -0
package/dist/services/tool-context-builder.js +125 -0
package/dist/services/tool-context-builder.js.map +1 -0
package/dist/services/tool-protection.service.d.ts +87 -10
package/dist/services/tool-protection.service.d.ts.map +1 -1
package/dist/services/tool-protection.service.js +282 -112
package/dist/services/tool-protection.service.js.map +1 -1
package/dist/types/oauth-required-error.d.ts +40 -0
package/dist/types/oauth-required-error.d.ts.map +1 -0
package/dist/types/oauth-required-error.js +40 -0
package/dist/types/oauth-required-error.js.map +1 -0
package/dist/utils/did-helpers.d.ts +33 -0
package/dist/utils/did-helpers.d.ts.map +1 -1
package/dist/utils/did-helpers.js +40 -0
package/dist/utils/did-helpers.js.map +1 -1
package/dist/utils/index.d.ts +1 -0
package/dist/utils/index.d.ts.map +1 -1
package/dist/utils/index.js +1 -0
package/dist/utils/index.js.map +1 -1
package/docs/API_REFERENCE.md +1362 -0
package/docs/COMPLIANCE_MATRIX.md +691 -0
package/docs/STATUSLIST2021_GUIDE.md +696 -0
package/docs/W3C_VC_DELEGATION_GUIDE.md +710 -0
package/package.json +24 -50
package/scripts/audit-compliance.ts +724 -0
package/src/__tests__/cache/tool-protection-cache.test.ts +640 -0
package/src/__tests__/config/provider-runtime-config.test.ts +309 -0
package/src/__tests__/delegation-e2e.test.ts +690 -0
package/src/__tests__/identity/user-did-manager.test.ts +213 -0
package/src/__tests__/index.test.ts +56 -0
package/src/__tests__/integration/full-flow.test.ts +776 -0
package/src/__tests__/integration.test.ts +281 -0
package/src/__tests__/providers/base.test.ts +173 -0
package/src/__tests__/providers/memory.test.ts +319 -0
package/src/__tests__/regression/phase2-regression.test.ts +427 -0
package/src/__tests__/runtime/audit-logger.test.ts +154 -0
package/src/__tests__/runtime/base-extensions.test.ts +593 -0
package/src/__tests__/runtime/base.test.ts +869 -0
package/src/__tests__/runtime/delegation-flow.test.ts +164 -0
package/src/__tests__/runtime/proof-client-did.test.ts +375 -0
package/src/__tests__/runtime/route-interception.test.ts +686 -0
package/src/__tests__/runtime/tool-protection-enforcement.test.ts +908 -0
package/src/__tests__/services/agentshield-integration.test.ts +784 -0
package/src/__tests__/services/provider-resolver-edge-cases.test.ts +487 -0
package/src/__tests__/services/tool-protection-oauth-provider.test.ts +480 -0
package/src/__tests__/services/tool-protection.service.test.ts +1366 -0
package/src/__tests__/utils/mock-providers.ts +340 -0
package/src/cache/oauth-config-cache.d.ts +69 -0
package/src/cache/oauth-config-cache.d.ts.map +1 -0
package/src/cache/oauth-config-cache.js +71 -0
package/src/cache/oauth-config-cache.js.map +1 -0
package/src/cache/oauth-config-cache.ts +123 -0
package/src/cache/tool-protection-cache.ts +171 -0
package/src/compliance/EXAMPLE.md +412 -0
package/src/compliance/__tests__/schema-verifier.test.ts +797 -0
package/src/compliance/index.ts +8 -0
package/src/compliance/schema-registry.ts +460 -0
package/src/compliance/schema-verifier.ts +708 -0
package/src/config/__tests__/remote-config.spec.ts +268 -0
package/src/config/remote-config.ts +174 -0
package/src/config.ts +309 -0
package/src/delegation/__tests__/audience-validator.test.ts +112 -0
package/src/delegation/__tests__/bitstring.test.ts +346 -0
package/src/delegation/__tests__/cascading-revocation.test.ts +628 -0
package/src/delegation/__tests__/delegation-graph.test.ts +584 -0
package/src/delegation/__tests__/utils.test.ts +152 -0
package/src/delegation/__tests__/vc-issuer.test.ts +442 -0
package/src/delegation/__tests__/vc-verifier.test.ts +922 -0
package/src/delegation/audience-validator.ts +52 -0
package/src/delegation/bitstring.ts +278 -0
package/src/delegation/cascading-revocation.ts +370 -0
package/src/delegation/delegation-graph.ts +299 -0
package/src/delegation/index.ts +14 -0
package/src/delegation/statuslist-manager.ts +353 -0
package/src/delegation/storage/__tests__/memory-graph-storage.test.ts +366 -0
package/src/delegation/storage/__tests__/memory-statuslist-storage.test.ts +228 -0
package/src/delegation/storage/index.ts +9 -0
package/src/delegation/storage/memory-graph-storage.ts +178 -0
package/src/delegation/storage/memory-statuslist-storage.ts +77 -0
package/src/delegation/utils.ts +42 -0
package/src/delegation/vc-issuer.ts +232 -0
package/src/delegation/vc-verifier.ts +568 -0
package/src/identity/idp-token-resolver.ts +147 -0
package/src/identity/idp-token-storage.interface.ts +59 -0
package/src/identity/user-did-manager.ts +370 -0
package/src/index.ts +260 -0
package/src/providers/base.d.ts +91 -0
package/src/providers/base.d.ts.map +1 -0
package/src/providers/base.js +38 -0
package/src/providers/base.js.map +1 -0
package/src/providers/base.ts +96 -0
package/src/providers/memory.ts +142 -0
package/src/runtime/audit-logger.ts +39 -0
package/src/runtime/base.ts +1329 -0
package/src/services/__tests__/access-control.integration.test.ts +443 -0
package/src/services/__tests__/access-control.proof-response-validation.test.ts +578 -0
package/src/services/__tests__/access-control.service.test.ts +970 -0
package/src/services/__tests__/batch-delegation.service.test.ts +351 -0
package/src/services/__tests__/crypto.service.test.ts +531 -0
package/src/services/__tests__/oauth-provider-registry.test.ts +142 -0
package/src/services/__tests__/proof-verifier.integration.test.ts +485 -0
package/src/services/__tests__/proof-verifier.test.ts +489 -0
package/src/services/__tests__/provider-resolution.integration.test.ts +198 -0
package/src/services/__tests__/provider-resolver.test.ts +217 -0
package/src/services/__tests__/storage.service.test.ts +358 -0
package/src/services/access-control.service.ts +990 -0
package/src/services/authorization/authorization-registry.ts +66 -0
package/src/services/authorization/types.ts +71 -0
package/src/services/batch-delegation.service.ts +137 -0
package/src/services/crypto.service.ts +302 -0
package/src/services/errors.ts +76 -0
package/src/services/index.ts +9 -0
package/src/services/oauth-config.service.d.ts +53 -0
package/src/services/oauth-config.service.d.ts.map +1 -0
package/src/services/oauth-config.service.js +113 -0
package/src/services/oauth-config.service.js.map +1 -0
package/src/services/oauth-config.service.ts +166 -0
package/src/services/oauth-provider-registry.d.ts +57 -0
package/src/services/oauth-provider-registry.d.ts.map +1 -0
package/src/services/oauth-provider-registry.js +73 -0
package/src/services/oauth-provider-registry.js.map +1 -0
package/src/services/oauth-provider-registry.ts +123 -0
package/src/services/oauth-service.ts +510 -0
package/src/services/oauth-token-retrieval.service.ts +245 -0
package/src/services/proof-verifier.ts +478 -0
package/src/services/provider-resolver.d.ts +48 -0
package/src/services/provider-resolver.d.ts.map +1 -0
package/src/services/provider-resolver.js +106 -0
package/src/services/provider-resolver.js.map +1 -0
package/src/services/provider-resolver.ts +144 -0
package/src/services/provider-validator.ts +170 -0
package/src/services/storage.service.ts +566 -0
package/src/services/tool-context-builder.ts +172 -0
package/src/services/tool-protection.service.ts +958 -0
package/src/types/oauth-required-error.ts +63 -0
package/src/types/tool-protection.ts +155 -0
package/src/utils/__tests__/did-helpers.test.ts +101 -0
package/src/utils/base64.ts +148 -0
package/src/utils/cors.ts +83 -0
package/src/utils/did-helpers.ts +150 -0
package/src/utils/index.ts +8 -0
package/src/utils/storage-keys.ts +278 -0
package/tsconfig.json +21 -0
package/vitest.config.ts +56 -0

package/src/services/provider-resolver.d.ts ADDED Viewed

@@ -0,0 +1,48 @@
+/**
+ * Provider Resolver
+ *
+ * Resolves OAuth provider for tools using priority-based resolution strategy.
+ * Supports Phase 2+ tool-specific providers with backward compatibility for Phase 1.
+ *
+ * @package @kya-os/mcp-i-core
+ */
+import type { ToolProtection } from "@kya-os/contracts/tool-protection";
+import type { OAuthProviderRegistry } from "./oauth-provider-registry.js";
+import type { OAuthConfigService } from "./oauth-config.service.js";
+/**
+ * Resolves OAuth provider for tools with priority-based fallback strategy
+ *
+ * Priority order:
+ * 1. Tool-specific oauthProvider field (Phase 2+ preferred)
+ * 2. Scope prefix inference (fallback)
+ * 3. First configured provider (Phase 1 compatibility fallback)
+ * 4. Error if no provider can be resolved
+ */
+export declare class ProviderResolver {
+    private registry;
+    private configService;
+    constructor(registry: OAuthProviderRegistry, configService: OAuthConfigService);
+    /**
+     * Resolve OAuth provider for a tool
+     *
+     * @param toolProtection - Tool protection configuration
+     * @param projectId - Project ID for fetching provider config
+     * @returns Provider name (never null - throws if cannot resolve)
+     * @throws Error if provider cannot be resolved
+     */
+    resolveProvider(toolProtection: ToolProtection, projectId: string): Promise<string>;
+    /**
+     * Infer provider from scope prefixes
+     *
+     * Used as Priority 2 fallback when oauthProvider is not specified.
+     * Examples:
+     * - github:repo:read → github
+     * - gmail:read → google
+     * - microsoft:calendar:read → microsoft
+     *
+     * @param scopes - Required scopes for the tool
+     * @returns Provider name if uniquely inferred, null otherwise
+     */
+    private inferProviderFromScopes;
+}
+//# sourceMappingURL=provider-resolver.d.ts.map

package/src/services/provider-resolver.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"provider-resolver.d.ts","sourceRoot":"","sources":["provider-resolver.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,mCAAmC,CAAC;AACxE,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,8BAA8B,CAAC;AAC1E,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAEpE;;;;;;;;GAQG;AACH,qBAAa,gBAAgB;IAEzB,OAAO,CAAC,QAAQ;IAChB,OAAO,CAAC,aAAa;gBADb,QAAQ,EAAE,qBAAqB,EAC/B,aAAa,EAAE,kBAAkB;IAG3C;;;;;;;OAOG;IACG,eAAe,CACnB,cAAc,EAAE,cAAc,EAC9B,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,MAAM,CAAC;IA6ClB;;;;;;;;;;;OAWG;IACH,OAAO,CAAC,uBAAuB;CAoChC"}

package/src/services/provider-resolver.js ADDED Viewed

@@ -0,0 +1,106 @@
+/**
+ * Provider Resolver
+ *
+ * Resolves OAuth provider for tools using priority-based resolution strategy.
+ * Supports Phase 2+ tool-specific providers with backward compatibility for Phase 1.
+ *
+ * @package @kya-os/mcp-i-core
+ */
+/**
+ * Resolves OAuth provider for tools with priority-based fallback strategy
+ *
+ * Priority order:
+ * 1. Tool-specific oauthProvider field (Phase 2+ preferred)
+ * 2. Scope prefix inference (fallback)
+ * 3. First configured provider (Phase 1 compatibility fallback)
+ * 4. Error if no provider can be resolved
+ */
+export class ProviderResolver {
+    registry;
+    configService;
+    constructor(registry, configService) {
+        this.registry = registry;
+        this.configService = configService;
+    }
+    /**
+     * Resolve OAuth provider for a tool
+     *
+     * @param toolProtection - Tool protection configuration
+     * @param projectId - Project ID for fetching provider config
+     * @returns Provider name (never null - throws if cannot resolve)
+     * @throws Error if provider cannot be resolved
+     */
+    async resolveProvider(toolProtection, projectId) {
+        // Priority 1: Tool-specific provider (Phase 2+ preferred)
+        if (toolProtection.oauthProvider) {
+            if (!this.registry.hasProvider(toolProtection.oauthProvider)) {
+                throw new Error(`Provider "${toolProtection.oauthProvider}" not configured for project "${projectId}". ` +
+                    `Add provider in project settings.`);
+            }
+            return toolProtection.oauthProvider;
+        }
+        // Priority 2: Scope prefix inference (fallback)
+        const inferredProvider = this.inferProviderFromScopes(toolProtection.requiredScopes || []);
+        if (inferredProvider && this.registry.hasProvider(inferredProvider)) {
+            console.log(`[ProviderResolver] Inferred provider "${inferredProvider}" from scopes`);
+            return inferredProvider;
+        }
+        // Priority 3: First configured provider (Phase 1 compatibility fallback)
+        // Ensure registry is loaded
+        await this.registry.loadFromAgentShield(projectId);
+        const providers = this.registry.getAllProviders();
+        if (providers.length > 0) {
+            // Log deprecation warning for Phase 1 tools
+            const firstProviderName = this.registry.getProviderNames()[0];
+            console.warn(`[ProviderResolver] Tool does not specify oauthProvider. ` +
+                `Using first configured provider "${firstProviderName}" as fallback. ` +
+                `This is deprecated - configure oauthProvider in AgentShield dashboard for Phase 2+.`);
+            return firstProviderName;
+        }
+        // Priority 4: Error if no provider can be resolved
+        throw new Error(`Tool requires OAuth but no provider could be resolved. ` +
+            `Either specify oauthProvider in tool protection config, or configure at least one provider for project "${projectId}".`);
+    }
+    /**
+     * Infer provider from scope prefixes
+     *
+     * Used as Priority 2 fallback when oauthProvider is not specified.
+     * Examples:
+     * - github:repo:read → github
+     * - gmail:read → google
+     * - microsoft:calendar:read → microsoft
+     *
+     * @param scopes - Required scopes for the tool
+     * @returns Provider name if uniquely inferred, null otherwise
+     */
+    inferProviderFromScopes(scopes) {
+        if (!scopes || scopes.length === 0) {
+            return null;
+        }
+        // Extract first part of scope (before first colon)
+        const scopePrefixes = scopes.map((scope) => {
+            const parts = scope.split(":");
+            return parts[0].toLowerCase();
+        });
+        // Provider mapping
+        const providerMap = {
+            github: "github",
+            google: "google",
+            gmail: "google", // gmail:read → google
+            calendar: "google", // calendar:read → google (if ambiguous, use project default)
+            microsoft: "microsoft",
+            outlook: "microsoft",
+            slack: "slack",
+            auth0: "auth0",
+            okta: "okta",
+        };
+        // Find unique provider
+        const providers = new Set(scopePrefixes.map((prefix) => providerMap[prefix]).filter(Boolean));
+        if (providers.size === 1) {
+            return Array.from(providers)[0];
+        }
+        // Ambiguous or no prefix → return null (use project-level provider)
+        return null;
+    }
+}
+//# sourceMappingURL=provider-resolver.js.map

package/src/services/provider-resolver.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"provider-resolver.js","sourceRoot":"","sources":["provider-resolver.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAMH;;;;;;;;GAQG;AACH,MAAM,OAAO,gBAAgB;IAEjB;IACA;IAFV,YACU,QAA+B,EAC/B,aAAiC;QADjC,aAAQ,GAAR,QAAQ,CAAuB;QAC/B,kBAAa,GAAb,aAAa,CAAoB;IACxC,CAAC;IAEJ;;;;;;;OAOG;IACH,KAAK,CAAC,eAAe,CACnB,cAA8B,EAC9B,SAAiB;QAEjB,0DAA0D;QAC1D,IAAI,cAAc,CAAC,aAAa,EAAE,CAAC;YACjC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,cAAc,CAAC,aAAa,CAAC,EAAE,CAAC;gBAC7D,MAAM,IAAI,KAAK,CACb,aAAa,cAAc,CAAC,aAAa,iCAAiC,SAAS,KAAK;oBACtF,mCAAmC,CACtC,CAAC;YACJ,CAAC;YACD,OAAO,cAAc,CAAC,aAAa,CAAC;QACtC,CAAC;QAED,gDAAgD;QAChD,MAAM,gBAAgB,GAAG,IAAI,CAAC,uBAAuB,CACnD,cAAc,CAAC,cAAc,IAAI,EAAE,CACpC,CAAC;QACF,IAAI,gBAAgB,IAAI,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,gBAAgB,CAAC,EAAE,CAAC;YACpE,OAAO,CAAC,GAAG,CACT,yCAAyC,gBAAgB,eAAe,CACzE,CAAC;YACF,OAAO,gBAAgB,CAAC;QAC1B,CAAC;QAED,yEAAyE;QACzE,4BAA4B;QAC5B,MAAM,IAAI,CAAC,QAAQ,CAAC,mBAAmB,CAAC,SAAS,CAAC,CAAC;QACnD,MAAM,SAAS,GAAG,IAAI,CAAC,QAAQ,CAAC,eAAe,EAAE,CAAC;QAClD,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACzB,4CAA4C;YAC5C,MAAM,iBAAiB,GAAG,IAAI,CAAC,QAAQ,CAAC,gBAAgB,EAAE,CAAC,CAAC,CAAC,CAAC;YAC9D,OAAO,CAAC,IAAI,CACV,0DAA0D;gBACxD,oCAAoC,iBAAiB,iBAAiB;gBACtE,qFAAqF,CACxF,CAAC;YACF,OAAO,iBAAiB,CAAC;QAC3B,CAAC;QAED,mDAAmD;QACnD,MAAM,IAAI,KAAK,CACb,yDAAyD;YACvD,2GAA2G,SAAS,IAAI,CAC3H,CAAC;IACJ,CAAC;IAED;;;;;;;;;;;OAWG;IACK,uBAAuB,CAAC,MAAgB;QAC9C,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACnC,OAAO,IAAI,CAAC;QACd,CAAC;QAED,mDAAmD;QACnD,MAAM,aAAa,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE;YACzC,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC/B,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;QAChC,CAAC,CAAC,CAAC;QAEH,mBAAmB;QACnB,MAAM,WAAW,GAA2B;YAC1C,MAAM,EAAE,QAAQ;YAChB,MAAM,EAAE,QAAQ;YAChB,KAAK,EAAE,QAAQ,EAAE,sBAAsB;YACvC,QAAQ,EAAE,QAAQ,EAAE,6DAA6D;YACjF,SAAS,EAAE,WAAW;YACtB,OAAO,EAAE,WAAW;YACpB,KAAK,EAAE,OAAO;YACd,KAAK,EAAE,OAAO;YACd,IAAI,EAAE,MAAM;SACb,CAAC;QAEF,uBAAuB;QACvB,MAAM,SAAS,GAAG,IAAI,GAAG,CACvB,aAAa,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CACnE,CAAC;QAEF,IAAI,SAAS,CAAC,IAAI,KAAK,CAAC,EAAE,CAAC;YACzB,OAAO,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;QAClC,CAAC;QAED,oEAAoE;QACpE,OAAO,IAAI,CAAC;IACd,CAAC;CACF"}

package/src/services/provider-resolver.ts ADDED Viewed

@@ -0,0 +1,144 @@
+/**
+ * Provider Resolver
+ *
+ * Resolves OAuth provider for tools using priority-based resolution strategy.
+ * Supports Phase 2+ tool-specific providers with backward compatibility for Phase 1.
+ *
+ * @package @kya-os/mcp-i-core
+ */
+import type { ToolProtection } from "@kya-os/contracts/tool-protection";
+import type { OAuthProviderRegistry } from "./oauth-provider-registry.js";
+import type { OAuthConfigService } from "./oauth-config.service.js";
+/**
+ * Resolves OAuth provider for tools with priority-based fallback strategy
+ *
+ * Priority order:
+ * 1. Tool-specific oauthProvider field (Phase 2+ preferred)
+ * 2. Scope prefix inference (fallback)
+ * 3. First configured provider (Phase 1 compatibility fallback)
+ * 4. Error if no provider can be resolved
+ */
+export class ProviderResolver {
+  constructor(
+    private registry: OAuthProviderRegistry,
+    private configService: OAuthConfigService
+  ) {}
+  /**
+   * Resolve OAuth provider for a tool
+   *
+   * @param toolProtection - Tool protection configuration
+   * @param projectId - Project ID for fetching provider config
+   * @returns Provider name (never null - throws if cannot resolve)
+   * @throws Error if provider cannot be resolved
+   */
+  async resolveProvider(
+    toolProtection: ToolProtection,
+    projectId: string
+  ): Promise<string> {
+    // Priority 1: Tool-specific provider (Phase 2+ preferred)
+    if (toolProtection.oauthProvider) {
+      // Ensure registry is loaded before checking
+      if (this.registry.getProviderNames().length === 0) {
+        await this.registry.loadFromAgentShield(projectId);
+      }
+      if (!this.registry.hasProvider(toolProtection.oauthProvider)) {
+        throw new Error(
+          `Provider "${toolProtection.oauthProvider}" not configured for project "${projectId}". ` +
+            `Add provider in project settings.`
+        );
+      }
+      return toolProtection.oauthProvider;
+    }
+    // Priority 2: Scope prefix inference (fallback)
+    const inferredProvider = this.inferProviderFromScopes(
+      toolProtection.requiredScopes || []
+    );
+    if (inferredProvider) {
+      // Ensure registry is loaded before checking
+      if (this.registry.getProviderNames().length === 0) {
+        await this.registry.loadFromAgentShield(projectId);
+      }
+      if (this.registry.hasProvider(inferredProvider)) {
+        console.log(
+          `[ProviderResolver] Inferred provider "${inferredProvider}" from scopes`
+        );
+        return inferredProvider;
+      }
+    }
+    // Priority 3: First configured provider (Phase 1 compatibility fallback)
+    // Ensure registry is loaded
+    await this.registry.loadFromAgentShield(projectId);
+    const providers = this.registry.getAllProviders();
+    if (providers.length > 0) {
+      // Log deprecation warning for Phase 1 tools
+      const firstProviderName = this.registry.getProviderNames()[0];
+      console.warn(
+        `[ProviderResolver] Tool does not specify oauthProvider. ` +
+          `Using first configured provider "${firstProviderName}" as fallback. ` +
+          `This is deprecated - configure oauthProvider in AgentShield dashboard for Phase 2+.`
+      );
+      return firstProviderName;
+    }
+    // Priority 4: Error if no provider can be resolved
+    throw new Error(
+      `Tool requires OAuth but no provider could be resolved. ` +
+        `Either specify oauthProvider in tool protection config, or configure at least one provider for project "${projectId}".`
+    );
+  }
+  /**
+   * Infer provider from scope prefixes
+   *
+   * Used as Priority 2 fallback when oauthProvider is not specified.
+   * Examples:
+   * - github:repo:read → github
+   * - gmail:read → google
+   * - microsoft:calendar:read → microsoft
+   *
+   * @param scopes - Required scopes for the tool
+   * @returns Provider name if uniquely inferred, null otherwise
+   */
+  private inferProviderFromScopes(scopes: string[]): string | null {
+    if (!scopes || scopes.length === 0) {
+      return null;
+    }
+    // Extract first part of scope (before first colon)
+    const scopePrefixes = scopes.map((scope) => {
+      const parts = scope.split(":");
+      return parts[0].toLowerCase();
+    });
+    // Provider mapping
+    const providerMap: Record<string, string> = {
+      github: "github",
+      google: "google",
+      gmail: "google", // gmail:read → google
+      calendar: "google", // calendar:read → google (if ambiguous, use project default)
+      microsoft: "microsoft",
+      outlook: "microsoft",
+      slack: "slack",
+      auth0: "auth0",
+      okta: "okta",
+    };
+    // Find unique provider
+    const providers = new Set(
+      scopePrefixes.map((prefix) => providerMap[prefix]).filter(Boolean)
+    );
+    if (providers.size === 1) {
+      return Array.from(providers)[0];
+    }
+    // Ambiguous or no prefix → return null (use project-level provider)
+    return null;
+  }
+}

package/src/services/provider-validator.ts ADDED Viewed

@@ -0,0 +1,170 @@
+/**
+ * Provider Validator
+ *
+ * Validates OAuth provider configurations for custom IDP support.
+ * Ensures provider configurations are valid before registration.
+ *
+ * @package @kya-os/mcp-i-core
+ */
+import type { OAuthProvider } from "@kya-os/contracts/config";
+/**
+ * Reserved OAuth parameters that cannot be overridden by custom parameters
+ */
+const RESERVED_PARAMETERS = [
+  "response_type",
+  "client_id",
+  "redirect_uri",
+  "scope",
+  "state",
+  "code_challenge",
+  "code_challenge_method",
+] as const;
+/**
+ * Validation error for provider configuration issues
+ */
+export class ProviderValidationError extends Error {
+  constructor(message: string, public readonly field?: string) {
+    super(message);
+    this.name = "ProviderValidationError";
+  }
+}
+/**
+ * Service for validating OAuth provider configurations
+ */
+export class ProviderValidator {
+  /**
+   * Validate provider configuration
+   *
+   * @param provider - Provider configuration to validate
+   * @param name - Provider name (for error messages)
+   * @throws ProviderValidationError if validation fails
+   */
+  validate(provider: OAuthProvider, name: string): void {
+    // Validate required fields
+    if (!provider.clientId || provider.clientId.trim().length === 0) {
+      throw new ProviderValidationError(
+        `Provider "${name}" must have a clientId`,
+        "clientId"
+      );
+    }
+    if (!provider.authorizationUrl || provider.authorizationUrl.trim().length === 0) {
+      throw new ProviderValidationError(
+        `Provider "${name}" must have an authorizationUrl`,
+        "authorizationUrl"
+      );
+    }
+    if (!provider.tokenUrl || provider.tokenUrl.trim().length === 0) {
+      throw new ProviderValidationError(
+        `Provider "${name}" must have a tokenUrl`,
+        "tokenUrl"
+      );
+    }
+    // Validate URL formats
+    this.validateUrl(provider.authorizationUrl, name, "authorizationUrl");
+    this.validateUrl(provider.tokenUrl, name, "tokenUrl");
+    if (provider.userInfoUrl) {
+      this.validateUrl(provider.userInfoUrl, name, "userInfoUrl");
+    }
+    // Validate proxy mode requirements
+    if (provider.proxyMode && !provider.requiresClientSecret) {
+      throw new ProviderValidationError(
+        `Provider "${name}" with proxyMode=true must have requiresClientSecret=true`,
+        "proxyMode"
+      );
+    }
+    // Validate custom parameters don't conflict with reserved parameters
+    if (provider.customParams) {
+      this.validateCustomParams(provider.customParams, name);
+    }
+  }
+  /**
+   * Validate URL format
+   *
+   * @param url - URL to validate
+   * @param providerName - Provider name (for error messages)
+   * @param fieldName - Field name (for error messages)
+   * @throws ProviderValidationError if URL is invalid
+   */
+  private validateUrl(url: string, providerName: string, fieldName: string): void {
+    try {
+      const parsedUrl = new URL(url);
+      if (parsedUrl.protocol !== "http:" && parsedUrl.protocol !== "https:") {
+        throw new ProviderValidationError(
+          `Provider "${providerName}" ${fieldName} must use HTTP or HTTPS protocol`,
+          fieldName
+        );
+      }
+    } catch (error) {
+      if (error instanceof ProviderValidationError) {
+        throw error;
+      }
+      throw new ProviderValidationError(
+        `Provider "${providerName}" ${fieldName} is not a valid URL: ${error instanceof Error ? error.message : String(error)}`,
+        fieldName
+      );
+    }
+  }
+  /**
+   * Validate custom parameters don't override reserved OAuth parameters
+   *
+   * @param customParams - Custom parameters to validate
+   * @param providerName - Provider name (for error messages)
+   * @throws ProviderValidationError if reserved parameter is overridden
+   */
+  private validateCustomParams(
+    customParams: Record<string, string>,
+    providerName: string
+  ): void {
+    for (const [key, value] of Object.entries(customParams)) {
+      const normalizedKey = key.toLowerCase();
+      if (RESERVED_PARAMETERS.includes(normalizedKey as any)) {
+        throw new ProviderValidationError(
+          `Provider "${providerName}" custom parameter "${key}" conflicts with reserved OAuth parameter. Reserved parameters: ${RESERVED_PARAMETERS.join(", ")}`,
+          `customParams.${key}`
+        );
+      }
+      if (!value || value.trim().length === 0) {
+        throw new ProviderValidationError(
+          `Provider "${providerName}" custom parameter "${key}" has empty value`,
+          `customParams.${key}`
+        );
+      }
+    }
+  }
+  /**
+   * Test provider endpoint reachability (optional)
+   *
+   * @param provider - Provider configuration
+   * @param fetchProvider - Fetch implementation
+   * @returns True if endpoint is reachable, false otherwise
+   */
+  async testProvider(
+    provider: OAuthProvider,
+    fetchProvider: typeof fetch
+  ): Promise<boolean> {
+    try {
+      // Test authorization URL (HEAD request to avoid triggering OAuth flow)
+      const authResponse = await fetchProvider(provider.authorizationUrl, {
+        method: "HEAD",
+        signal: AbortSignal.timeout(5000), // 5 second timeout
+      });
+      return authResponse.ok || authResponse.status === 405; // 405 Method Not Allowed is OK
+    } catch (error) {
+      return false;
+    }
+  }
+}