npm - @kya-os/mcp-i-core - Versions diffs - 1.2.3-canary.7 → 1.3.1 - Mend

@kya-os/mcp-i-core 1.2.3-canary.7 → 1.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (225) hide show

package/.claude/settings.local.json +9 -0
package/.turbo/turbo-build.log +4 -0
package/.turbo/turbo-test.log +2979 -0
package/COMPLIANCE_IMPROVEMENT_REPORT.md +483 -0
package/Composer 3.md +615 -0
package/GPT-5.md +1169 -0
package/OPUS-plan.md +352 -0
package/PHASE_3_AND_4.1_SUMMARY.md +585 -0
package/PHASE_3_SUMMARY.md +317 -0
package/PHASE_4.1.3_SUMMARY.md +428 -0
package/PHASE_4.1_COMPLETE.md +525 -0
package/PHASE_4_USER_DID_IDENTITY_LINKING_PLAN.md +1240 -0
package/SCHEMA_COMPLIANCE_REPORT.md +275 -0
package/TEST_PLAN.md +571 -0
package/coverage/coverage-final.json +57 -0
package/dist/__tests__/utils/mock-providers.d.ts +1 -2
package/dist/__tests__/utils/mock-providers.d.ts.map +1 -1
package/dist/__tests__/utils/mock-providers.js.map +1 -1
package/dist/cache/oauth-config-cache.d.ts +69 -0
package/dist/cache/oauth-config-cache.d.ts.map +1 -0
package/dist/cache/oauth-config-cache.js +76 -0
package/dist/cache/oauth-config-cache.js.map +1 -0
package/dist/identity/idp-token-resolver.d.ts +53 -0
package/dist/identity/idp-token-resolver.d.ts.map +1 -0
package/dist/identity/idp-token-resolver.js +108 -0
package/dist/identity/idp-token-resolver.js.map +1 -0
package/dist/identity/idp-token-storage.interface.d.ts +42 -0
package/dist/identity/idp-token-storage.interface.d.ts.map +1 -0
package/dist/identity/idp-token-storage.interface.js +12 -0
package/dist/identity/idp-token-storage.interface.js.map +1 -0
package/dist/identity/user-did-manager.d.ts +39 -1
package/dist/identity/user-did-manager.d.ts.map +1 -1
package/dist/identity/user-did-manager.js +69 -3
package/dist/identity/user-did-manager.js.map +1 -1
package/dist/index.d.ts +22 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.js +39 -1
package/dist/index.js.map +1 -1
package/dist/runtime/audit-logger.d.ts +37 -0
package/dist/runtime/audit-logger.d.ts.map +1 -0
package/dist/runtime/audit-logger.js +9 -0
package/dist/runtime/audit-logger.js.map +1 -0
package/dist/runtime/base.d.ts +58 -2
package/dist/runtime/base.d.ts.map +1 -1
package/dist/runtime/base.js +266 -11
package/dist/runtime/base.js.map +1 -1
package/dist/services/access-control.service.d.ts.map +1 -1
package/dist/services/access-control.service.js +200 -35
package/dist/services/access-control.service.js.map +1 -1
package/dist/services/authorization/authorization-registry.d.ts +29 -0
package/dist/services/authorization/authorization-registry.d.ts.map +1 -0
package/dist/services/authorization/authorization-registry.js +57 -0
package/dist/services/authorization/authorization-registry.js.map +1 -0
package/dist/services/authorization/types.d.ts +53 -0
package/dist/services/authorization/types.d.ts.map +1 -0
package/dist/services/authorization/types.js +10 -0
package/dist/services/authorization/types.js.map +1 -0
package/dist/services/batch-delegation.service.d.ts +53 -0
package/dist/services/batch-delegation.service.d.ts.map +1 -0
package/dist/services/batch-delegation.service.js +95 -0
package/dist/services/batch-delegation.service.js.map +1 -0
package/dist/services/oauth-config.service.d.ts +53 -0
package/dist/services/oauth-config.service.d.ts.map +1 -0
package/dist/services/oauth-config.service.js +119 -0
package/dist/services/oauth-config.service.js.map +1 -0
package/dist/services/oauth-provider-registry.d.ts +88 -0
package/dist/services/oauth-provider-registry.d.ts.map +1 -0
package/dist/services/oauth-provider-registry.js +128 -0
package/dist/services/oauth-provider-registry.js.map +1 -0
package/dist/services/oauth-service.d.ts +77 -0
package/dist/services/oauth-service.d.ts.map +1 -0
package/dist/services/oauth-service.js +348 -0
package/dist/services/oauth-service.js.map +1 -0
package/dist/services/oauth-token-retrieval.service.d.ts +49 -0
package/dist/services/oauth-token-retrieval.service.d.ts.map +1 -0
package/dist/services/oauth-token-retrieval.service.js +150 -0
package/dist/services/oauth-token-retrieval.service.js.map +1 -0
package/dist/services/provider-resolver.d.ts +48 -0
package/dist/services/provider-resolver.d.ts.map +1 -0
package/dist/services/provider-resolver.js +121 -0
package/dist/services/provider-resolver.js.map +1 -0
package/dist/services/provider-validator.d.ts +55 -0
package/dist/services/provider-validator.d.ts.map +1 -0
package/dist/services/provider-validator.js +135 -0
package/dist/services/provider-validator.js.map +1 -0
package/dist/services/tool-context-builder.d.ts +57 -0
package/dist/services/tool-context-builder.d.ts.map +1 -0
package/dist/services/tool-context-builder.js +125 -0
package/dist/services/tool-context-builder.js.map +1 -0
package/dist/services/tool-protection.service.d.ts +87 -10
package/dist/services/tool-protection.service.d.ts.map +1 -1
package/dist/services/tool-protection.service.js +282 -112
package/dist/services/tool-protection.service.js.map +1 -1
package/dist/types/oauth-required-error.d.ts +40 -0
package/dist/types/oauth-required-error.d.ts.map +1 -0
package/dist/types/oauth-required-error.js +40 -0
package/dist/types/oauth-required-error.js.map +1 -0
package/dist/utils/did-helpers.d.ts +33 -0
package/dist/utils/did-helpers.d.ts.map +1 -1
package/dist/utils/did-helpers.js +40 -0
package/dist/utils/did-helpers.js.map +1 -1
package/dist/utils/index.d.ts +1 -0
package/dist/utils/index.d.ts.map +1 -1
package/dist/utils/index.js +1 -0
package/dist/utils/index.js.map +1 -1
package/docs/API_REFERENCE.md +1362 -0
package/docs/COMPLIANCE_MATRIX.md +691 -0
package/docs/STATUSLIST2021_GUIDE.md +696 -0
package/docs/W3C_VC_DELEGATION_GUIDE.md +710 -0
package/package.json +24 -50
package/scripts/audit-compliance.ts +724 -0
package/src/__tests__/cache/tool-protection-cache.test.ts +640 -0
package/src/__tests__/config/provider-runtime-config.test.ts +309 -0
package/src/__tests__/delegation-e2e.test.ts +690 -0
package/src/__tests__/identity/user-did-manager.test.ts +213 -0
package/src/__tests__/index.test.ts +56 -0
package/src/__tests__/integration/full-flow.test.ts +776 -0
package/src/__tests__/integration.test.ts +281 -0
package/src/__tests__/providers/base.test.ts +173 -0
package/src/__tests__/providers/memory.test.ts +319 -0
package/src/__tests__/regression/phase2-regression.test.ts +429 -0
package/src/__tests__/runtime/audit-logger.test.ts +154 -0
package/src/__tests__/runtime/base-extensions.test.ts +593 -0
package/src/__tests__/runtime/base.test.ts +869 -0
package/src/__tests__/runtime/delegation-flow.test.ts +164 -0
package/src/__tests__/runtime/proof-client-did.test.ts +375 -0
package/src/__tests__/runtime/route-interception.test.ts +686 -0
package/src/__tests__/runtime/tool-protection-enforcement.test.ts +908 -0
package/src/__tests__/services/agentshield-integration.test.ts +784 -0
package/src/__tests__/services/provider-resolver-edge-cases.test.ts +591 -0
package/src/__tests__/services/tool-protection-oauth-provider.test.ts +480 -0
package/src/__tests__/services/tool-protection.service.test.ts +1366 -0
package/src/__tests__/utils/mock-providers.ts +340 -0
package/src/cache/oauth-config-cache.d.ts +69 -0
package/src/cache/oauth-config-cache.d.ts.map +1 -0
package/src/cache/oauth-config-cache.js.map +1 -0
package/src/cache/oauth-config-cache.ts +123 -0
package/src/cache/tool-protection-cache.ts +171 -0
package/src/compliance/EXAMPLE.md +412 -0
package/src/compliance/__tests__/schema-verifier.test.ts +797 -0
package/src/compliance/index.ts +8 -0
package/src/compliance/schema-registry.ts +460 -0
package/src/compliance/schema-verifier.ts +708 -0
package/src/config/__tests__/remote-config.spec.ts +268 -0
package/src/config/remote-config.ts +174 -0
package/src/config.ts +309 -0
package/src/delegation/__tests__/audience-validator.test.ts +112 -0
package/src/delegation/__tests__/bitstring.test.ts +346 -0
package/src/delegation/__tests__/cascading-revocation.test.ts +628 -0
package/src/delegation/__tests__/delegation-graph.test.ts +584 -0
package/src/delegation/__tests__/utils.test.ts +152 -0
package/src/delegation/__tests__/vc-issuer.test.ts +442 -0
package/src/delegation/__tests__/vc-verifier.test.ts +922 -0
package/src/delegation/audience-validator.ts +52 -0
package/src/delegation/bitstring.ts +278 -0
package/src/delegation/cascading-revocation.ts +370 -0
package/src/delegation/delegation-graph.ts +299 -0
package/src/delegation/index.ts +14 -0
package/src/delegation/statuslist-manager.ts +353 -0
package/src/delegation/storage/__tests__/memory-graph-storage.test.ts +366 -0
package/src/delegation/storage/__tests__/memory-statuslist-storage.test.ts +228 -0
package/src/delegation/storage/index.ts +9 -0
package/src/delegation/storage/memory-graph-storage.ts +178 -0
package/src/delegation/storage/memory-statuslist-storage.ts +77 -0
package/src/delegation/utils.ts +42 -0
package/src/delegation/vc-issuer.ts +232 -0
package/src/delegation/vc-verifier.ts +568 -0
package/src/identity/idp-token-resolver.ts +147 -0
package/src/identity/idp-token-storage.interface.ts +59 -0
package/src/identity/user-did-manager.ts +370 -0
package/src/index.ts +260 -0
package/src/providers/base.d.ts +91 -0
package/src/providers/base.d.ts.map +1 -0
package/src/providers/base.js.map +1 -0
package/src/providers/base.ts +96 -0
package/src/providers/memory.ts +142 -0
package/src/runtime/audit-logger.ts +39 -0
package/src/runtime/base.ts +1329 -0
package/src/services/__tests__/access-control.integration.test.ts +443 -0
package/src/services/__tests__/access-control.proof-response-validation.test.ts +578 -0
package/src/services/__tests__/access-control.service.test.ts +970 -0
package/src/services/__tests__/batch-delegation.service.test.ts +351 -0
package/src/services/__tests__/crypto.service.test.ts +531 -0
package/src/services/__tests__/oauth-provider-registry.test.ts +142 -0
package/src/services/__tests__/proof-verifier.integration.test.ts +485 -0
package/src/services/__tests__/proof-verifier.test.ts +489 -0
package/src/services/__tests__/provider-resolution.integration.test.ts +202 -0
package/src/services/__tests__/provider-resolver.test.ts +213 -0
package/src/services/__tests__/storage.service.test.ts +358 -0
package/src/services/access-control.service.ts +990 -0
package/src/services/authorization/authorization-registry.ts +66 -0
package/src/services/authorization/types.ts +71 -0
package/src/services/batch-delegation.service.ts +137 -0
package/src/services/crypto.service.ts +302 -0
package/src/services/errors.ts +76 -0
package/src/services/index.ts +9 -0
package/src/services/oauth-config.service.d.ts +53 -0
package/src/services/oauth-config.service.d.ts.map +1 -0
package/src/services/oauth-config.service.js.map +1 -0
package/src/services/oauth-config.service.ts +169 -0
package/src/services/oauth-provider-registry.d.ts +57 -0
package/src/services/oauth-provider-registry.d.ts.map +1 -0
package/src/services/oauth-provider-registry.js.map +1 -0
package/src/services/oauth-provider-registry.ts +141 -0
package/src/services/oauth-service.ts +510 -0
package/src/services/oauth-token-retrieval.service.ts +245 -0
package/src/services/proof-verifier.ts +478 -0
package/src/services/provider-resolver.d.ts +48 -0
package/src/services/provider-resolver.d.ts.map +1 -0
package/src/services/provider-resolver.js.map +1 -0
package/src/services/provider-resolver.ts +146 -0
package/src/services/provider-validator.ts +170 -0
package/src/services/storage.service.ts +566 -0
package/src/services/tool-context-builder.ts +172 -0
package/src/services/tool-protection.service.ts +958 -0
package/src/types/oauth-required-error.ts +63 -0
package/src/types/tool-protection.ts +155 -0
package/src/utils/__tests__/did-helpers.test.ts +101 -0
package/src/utils/base64.ts +148 -0
package/src/utils/cors.ts +83 -0
package/src/utils/did-helpers.ts +150 -0
package/src/utils/index.ts +8 -0
package/src/utils/storage-keys.ts +278 -0
package/tsconfig.json +21 -0
package/vitest.config.ts +56 -0

package/dist/services/provider-resolver.js ADDED Viewed

@@ -0,0 +1,121 @@
+"use strict";
+/**
+ * Provider Resolver
+ *
+ * Resolves OAuth provider for tools using priority-based resolution strategy.
+ * Supports Phase 2+ tool-specific providers with backward compatibility for Phase 1.
+ *
+ * @package @kya-os/mcp-i-core
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ProviderResolver = void 0;
+/**
+ * Resolves OAuth provider for tools with priority-based fallback strategy
+ *
+ * Priority order:
+ * 1. Tool-specific oauthProvider field (Phase 2+ preferred)
+ * 2. Scope prefix inference (fallback)
+ * 3. Project-configured provider from AgentShield dashboard
+ * 4. Error if no provider can be resolved
+ */
+class ProviderResolver {
+    registry;
+    configService;
+    constructor(registry, configService) {
+        this.registry = registry;
+        this.configService = configService;
+    }
+    /**
+     * Resolve OAuth provider for a tool
+     *
+     * @param toolProtection - Tool protection configuration
+     * @param projectId - Project ID for fetching provider config
+     * @returns Provider name (never null - throws if cannot resolve)
+     * @throws Error if provider cannot be resolved
+     */
+    async resolveProvider(toolProtection, projectId) {
+        // Priority 1: Tool-specific provider (Phase 2+ preferred)
+        if (toolProtection.oauthProvider) {
+            // Ensure registry is loaded before checking
+            if (this.registry.getProviderNames().length === 0) {
+                await this.registry.loadFromAgentShield(projectId);
+            }
+            if (!this.registry.hasProvider(toolProtection.oauthProvider)) {
+                throw new Error(`Provider "${toolProtection.oauthProvider}" not configured for project "${projectId}". ` +
+                    `Add provider in project settings.`);
+            }
+            return toolProtection.oauthProvider;
+        }
+        // Priority 2: Scope prefix inference (fallback)
+        const inferredProvider = this.inferProviderFromScopes(toolProtection.requiredScopes || []);
+        if (inferredProvider) {
+            // Ensure registry is loaded before checking
+            if (this.registry.getProviderNames().length === 0) {
+                await this.registry.loadFromAgentShield(projectId);
+            }
+            if (this.registry.hasProvider(inferredProvider)) {
+                console.log(`[ProviderResolver] Inferred provider "${inferredProvider}" from scopes`);
+                return inferredProvider;
+            }
+        }
+        // Priority 3: Use explicitly configured provider from AgentShield dashboard
+        // This is the provider the user has actually configured, not just any available provider
+        await this.registry.loadFromAgentShield(projectId);
+        const configuredProvider = this.registry.getConfiguredProvider();
+        if (configuredProvider && this.registry.hasProvider(configuredProvider)) {
+            console.warn(`[ProviderResolver] Tool does not specify oauthProvider. ` +
+                `Using project-configured provider "${configuredProvider}" as fallback. ` +
+                `Consider explicitly setting oauthProvider in tool protection config.`);
+            return configuredProvider;
+        }
+        // Priority 4: Error if no provider is configured
+        // NOTE: We intentionally do NOT fall back to "first available provider" anymore
+        // because AgentShield returns ALL providers (even unconfigured ones).
+        // Only use providers explicitly configured by the user.
+        throw new Error(`Tool requires OAuth but no provider is configured for project "${projectId}". ` +
+            `Configure an OAuth provider in AgentShield dashboard.`);
+    }
+    /**
+     * Infer provider from scope prefixes
+     *
+     * Used as Priority 2 fallback when oauthProvider is not specified.
+     * Examples:
+     * - github:repo:read → github
+     * - gmail:read → google
+     * - microsoft:calendar:read → microsoft
+     *
+     * @param scopes - Required scopes for the tool
+     * @returns Provider name if uniquely inferred, null otherwise
+     */
+    inferProviderFromScopes(scopes) {
+        if (!scopes || scopes.length === 0) {
+            return null;
+        }
+        // Extract first part of scope (before first colon)
+        const scopePrefixes = scopes.map((scope) => {
+            const parts = scope.split(":");
+            return parts[0].toLowerCase();
+        });
+        // Provider mapping
+        const providerMap = {
+            github: "github",
+            google: "google",
+            gmail: "google", // gmail:read → google
+            calendar: "google", // calendar:read → google (if ambiguous, use project default)
+            microsoft: "microsoft",
+            outlook: "microsoft",
+            slack: "slack",
+            auth0: "auth0",
+            okta: "okta",
+        };
+        // Find unique provider
+        const providers = new Set(scopePrefixes.map((prefix) => providerMap[prefix]).filter(Boolean));
+        if (providers.size === 1) {
+            return Array.from(providers)[0];
+        }
+        // Ambiguous or no prefix → return null (use project-level provider)
+        return null;
+    }
+}
+exports.ProviderResolver = ProviderResolver;
+//# sourceMappingURL=provider-resolver.js.map

package/dist/services/provider-resolver.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"provider-resolver.js","sourceRoot":"","sources":["../../src/services/provider-resolver.ts"],"names":[],"mappings":";AAAA;;;;;;;GAOG;;;AAMH;;;;;;;;GAQG;AACH,MAAa,gBAAgB;IAEjB;IACA;IAFV,YACU,QAA+B,EAC/B,aAAiC;QADjC,aAAQ,GAAR,QAAQ,CAAuB;QAC/B,kBAAa,GAAb,aAAa,CAAoB;IACxC,CAAC;IAEJ;;;;;;;OAOG;IACH,KAAK,CAAC,eAAe,CACnB,cAA8B,EAC9B,SAAiB;QAEjB,0DAA0D;QAC1D,IAAI,cAAc,CAAC,aAAa,EAAE,CAAC;YACjC,4CAA4C;YAC5C,IAAI,IAAI,CAAC,QAAQ,CAAC,gBAAgB,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAClD,MAAM,IAAI,CAAC,QAAQ,CAAC,mBAAmB,CAAC,SAAS,CAAC,CAAC;YACrD,CAAC;YACD,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,cAAc,CAAC,aAAa,CAAC,EAAE,CAAC;gBAC7D,MAAM,IAAI,KAAK,CACb,aAAa,cAAc,CAAC,aAAa,iCAAiC,SAAS,KAAK;oBACtF,mCAAmC,CACtC,CAAC;YACJ,CAAC;YACD,OAAO,cAAc,CAAC,aAAa,CAAC;QACtC,CAAC;QAED,gDAAgD;QAChD,MAAM,gBAAgB,GAAG,IAAI,CAAC,uBAAuB,CACnD,cAAc,CAAC,cAAc,IAAI,EAAE,CACpC,CAAC;QACF,IAAI,gBAAgB,EAAE,CAAC;YACrB,4CAA4C;YAC5C,IAAI,IAAI,CAAC,QAAQ,CAAC,gBAAgB,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAClD,MAAM,IAAI,CAAC,QAAQ,CAAC,mBAAmB,CAAC,SAAS,CAAC,CAAC;YACrD,CAAC;YACD,IAAI,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,gBAAgB,CAAC,EAAE,CAAC;gBAChD,OAAO,CAAC,GAAG,CACT,yCAAyC,gBAAgB,eAAe,CACzE,CAAC;gBACF,OAAO,gBAAgB,CAAC;YAC1B,CAAC;QACH,CAAC;QAED,4EAA4E;QAC5E,yFAAyF;QACzF,MAAM,IAAI,CAAC,QAAQ,CAAC,mBAAmB,CAAC,SAAS,CAAC,CAAC;QACnD,MAAM,kBAAkB,GAAG,IAAI,CAAC,QAAQ,CAAC,qBAAqB,EAAE,CAAC;QAEjE,IAAI,kBAAkB,IAAI,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,kBAAkB,CAAC,EAAE,CAAC;YACxE,OAAO,CAAC,IAAI,CACV,0DAA0D;gBACxD,sCAAsC,kBAAkB,iBAAiB;gBACzE,sEAAsE,CACzE,CAAC;YACF,OAAO,kBAAkB,CAAC;QAC5B,CAAC;QAED,iDAAiD;QACjD,gFAAgF;QAChF,sEAAsE;QACtE,wDAAwD;QACxD,MAAM,IAAI,KAAK,CACb,kEAAkE,SAAS,KAAK;YAC9E,uDAAuD,CAC1D,CAAC;IACJ,CAAC;IAED;;;;;;;;;;;OAWG;IACK,uBAAuB,CAAC,MAAgB;QAC9C,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACnC,OAAO,IAAI,CAAC;QACd,CAAC;QAED,mDAAmD;QACnD,MAAM,aAAa,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE;YACzC,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC/B,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;QAChC,CAAC,CAAC,CAAC;QAEH,mBAAmB;QACnB,MAAM,WAAW,GAA2B;YAC1C,MAAM,EAAE,QAAQ;YAChB,MAAM,EAAE,QAAQ;YAChB,KAAK,EAAE,QAAQ,EAAE,sBAAsB;YACvC,QAAQ,EAAE,QAAQ,EAAE,6DAA6D;YACjF,SAAS,EAAE,WAAW;YACtB,OAAO,EAAE,WAAW;YACpB,KAAK,EAAE,OAAO;YACd,KAAK,EAAE,OAAO;YACd,IAAI,EAAE,MAAM;SACb,CAAC;QAEF,uBAAuB;QACvB,MAAM,SAAS,GAAG,IAAI,GAAG,CACvB,aAAa,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CACnE,CAAC;QAEF,IAAI,SAAS,CAAC,IAAI,KAAK,CAAC,EAAE,CAAC;YACzB,OAAO,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;QAClC,CAAC;QAED,oEAAoE;QACpE,OAAO,IAAI,CAAC;IACd,CAAC;CACF;AA1HD,4CA0HC"}

package/dist/services/provider-validator.d.ts ADDED Viewed

@@ -0,0 +1,55 @@
+/**
+ * Provider Validator
+ *
+ * Validates OAuth provider configurations for custom IDP support.
+ * Ensures provider configurations are valid before registration.
+ *
+ * @package @kya-os/mcp-i-core
+ */
+import type { OAuthProvider } from "@kya-os/contracts/config";
+/**
+ * Validation error for provider configuration issues
+ */
+export declare class ProviderValidationError extends Error {
+    readonly field?: string | undefined;
+    constructor(message: string, field?: string | undefined);
+}
+/**
+ * Service for validating OAuth provider configurations
+ */
+export declare class ProviderValidator {
+    /**
+     * Validate provider configuration
+     *
+     * @param provider - Provider configuration to validate
+     * @param name - Provider name (for error messages)
+     * @throws ProviderValidationError if validation fails
+     */
+    validate(provider: OAuthProvider, name: string): void;
+    /**
+     * Validate URL format
+     *
+     * @param url - URL to validate
+     * @param providerName - Provider name (for error messages)
+     * @param fieldName - Field name (for error messages)
+     * @throws ProviderValidationError if URL is invalid
+     */
+    private validateUrl;
+    /**
+     * Validate custom parameters don't override reserved OAuth parameters
+     *
+     * @param customParams - Custom parameters to validate
+     * @param providerName - Provider name (for error messages)
+     * @throws ProviderValidationError if reserved parameter is overridden
+     */
+    private validateCustomParams;
+    /**
+     * Test provider endpoint reachability (optional)
+     *
+     * @param provider - Provider configuration
+     * @param fetchProvider - Fetch implementation
+     * @returns True if endpoint is reachable, false otherwise
+     */
+    testProvider(provider: OAuthProvider, fetchProvider: typeof fetch): Promise<boolean>;
+}
+//# sourceMappingURL=provider-validator.d.ts.map

package/dist/services/provider-validator.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"provider-validator.d.ts","sourceRoot":"","sources":["../../src/services/provider-validator.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAC;AAe9D;;GAEG;AACH,qBAAa,uBAAwB,SAAQ,KAAK;aACH,KAAK,CAAC,EAAE,MAAM;gBAA/C,OAAO,EAAE,MAAM,EAAkB,KAAK,CAAC,EAAE,MAAM,YAAA;CAI5D;AAED;;GAEG;AACH,qBAAa,iBAAiB;IAC5B;;;;;;OAMG;IACH,QAAQ,CAAC,QAAQ,EAAE,aAAa,EAAE,IAAI,EAAE,MAAM,GAAG,IAAI;IA6CrD;;;;;;;OAOG;IACH,OAAO,CAAC,WAAW;IAoBnB;;;;;;OAMG;IACH,OAAO,CAAC,oBAAoB;IAqB5B;;;;;;OAMG;IACG,YAAY,CAChB,QAAQ,EAAE,aAAa,EACvB,aAAa,EAAE,OAAO,KAAK,GAC1B,OAAO,CAAC,OAAO,CAAC;CAYpB"}

package/dist/services/provider-validator.js ADDED Viewed

@@ -0,0 +1,135 @@
+"use strict";
+/**
+ * Provider Validator
+ *
+ * Validates OAuth provider configurations for custom IDP support.
+ * Ensures provider configurations are valid before registration.
+ *
+ * @package @kya-os/mcp-i-core
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ProviderValidator = exports.ProviderValidationError = void 0;
+/**
+ * Reserved OAuth parameters that cannot be overridden by custom parameters
+ */
+const RESERVED_PARAMETERS = [
+    "response_type",
+    "client_id",
+    "redirect_uri",
+    "scope",
+    "state",
+    "code_challenge",
+    "code_challenge_method",
+];
+/**
+ * Validation error for provider configuration issues
+ */
+class ProviderValidationError extends Error {
+    field;
+    constructor(message, field) {
+        super(message);
+        this.field = field;
+        this.name = "ProviderValidationError";
+    }
+}
+exports.ProviderValidationError = ProviderValidationError;
+/**
+ * Service for validating OAuth provider configurations
+ */
+class ProviderValidator {
+    /**
+     * Validate provider configuration
+     *
+     * @param provider - Provider configuration to validate
+     * @param name - Provider name (for error messages)
+     * @throws ProviderValidationError if validation fails
+     */
+    validate(provider, name) {
+        // Validate required fields
+        if (!provider.clientId || provider.clientId.trim().length === 0) {
+            throw new ProviderValidationError(`Provider "${name}" must have a clientId`, "clientId");
+        }
+        if (!provider.authorizationUrl || provider.authorizationUrl.trim().length === 0) {
+            throw new ProviderValidationError(`Provider "${name}" must have an authorizationUrl`, "authorizationUrl");
+        }
+        if (!provider.tokenUrl || provider.tokenUrl.trim().length === 0) {
+            throw new ProviderValidationError(`Provider "${name}" must have a tokenUrl`, "tokenUrl");
+        }
+        // Validate URL formats
+        this.validateUrl(provider.authorizationUrl, name, "authorizationUrl");
+        this.validateUrl(provider.tokenUrl, name, "tokenUrl");
+        if (provider.userInfoUrl) {
+            this.validateUrl(provider.userInfoUrl, name, "userInfoUrl");
+        }
+        // Validate proxy mode requirements
+        if (provider.proxyMode && !provider.requiresClientSecret) {
+            throw new ProviderValidationError(`Provider "${name}" with proxyMode=true must have requiresClientSecret=true`, "proxyMode");
+        }
+        // Validate custom parameters don't conflict with reserved parameters
+        if (provider.customParams) {
+            this.validateCustomParams(provider.customParams, name);
+        }
+    }
+    /**
+     * Validate URL format
+     *
+     * @param url - URL to validate
+     * @param providerName - Provider name (for error messages)
+     * @param fieldName - Field name (for error messages)
+     * @throws ProviderValidationError if URL is invalid
+     */
+    validateUrl(url, providerName, fieldName) {
+        try {
+            const parsedUrl = new URL(url);
+            if (parsedUrl.protocol !== "http:" && parsedUrl.protocol !== "https:") {
+                throw new ProviderValidationError(`Provider "${providerName}" ${fieldName} must use HTTP or HTTPS protocol`, fieldName);
+            }
+        }
+        catch (error) {
+            if (error instanceof ProviderValidationError) {
+                throw error;
+            }
+            throw new ProviderValidationError(`Provider "${providerName}" ${fieldName} is not a valid URL: ${error instanceof Error ? error.message : String(error)}`, fieldName);
+        }
+    }
+    /**
+     * Validate custom parameters don't override reserved OAuth parameters
+     *
+     * @param customParams - Custom parameters to validate
+     * @param providerName - Provider name (for error messages)
+     * @throws ProviderValidationError if reserved parameter is overridden
+     */
+    validateCustomParams(customParams, providerName) {
+        for (const [key, value] of Object.entries(customParams)) {
+            const normalizedKey = key.toLowerCase();
+            if (RESERVED_PARAMETERS.includes(normalizedKey)) {
+                throw new ProviderValidationError(`Provider "${providerName}" custom parameter "${key}" conflicts with reserved OAuth parameter. Reserved parameters: ${RESERVED_PARAMETERS.join(", ")}`, `customParams.${key}`);
+            }
+            if (!value || value.trim().length === 0) {
+                throw new ProviderValidationError(`Provider "${providerName}" custom parameter "${key}" has empty value`, `customParams.${key}`);
+            }
+        }
+    }
+    /**
+     * Test provider endpoint reachability (optional)
+     *
+     * @param provider - Provider configuration
+     * @param fetchProvider - Fetch implementation
+     * @returns True if endpoint is reachable, false otherwise
+     */
+    async testProvider(provider, fetchProvider) {
+        try {
+            // Test authorization URL (HEAD request to avoid triggering OAuth flow)
+            const authResponse = await fetchProvider(provider.authorizationUrl, {
+                method: "HEAD",
+                signal: AbortSignal.timeout(5000), // 5 second timeout
+            });
+            return authResponse.ok || authResponse.status === 405; // 405 Method Not Allowed is OK
+        }
+        catch (error) {
+            return false;
+        }
+    }
+}
+exports.ProviderValidator = ProviderValidator;
+//# sourceMappingURL=provider-validator.js.map

package/dist/services/provider-validator.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"provider-validator.js","sourceRoot":"","sources":["../../src/services/provider-validator.ts"],"names":[],"mappings":";AAAA;;;;;;;GAOG;;;AAIH;;GAEG;AACH,MAAM,mBAAmB,GAAG;IAC1B,eAAe;IACf,WAAW;IACX,cAAc;IACd,OAAO;IACP,OAAO;IACP,gBAAgB;IAChB,uBAAuB;CACf,CAAC;AAEX;;GAEG;AACH,MAAa,uBAAwB,SAAQ,KAAK;IACH;IAA7C,YAAY,OAAe,EAAkB,KAAc;QACzD,KAAK,CAAC,OAAO,CAAC,CAAC;QAD4B,UAAK,GAAL,KAAK,CAAS;QAEzD,IAAI,CAAC,IAAI,GAAG,yBAAyB,CAAC;IACxC,CAAC;CACF;AALD,0DAKC;AAED;;GAEG;AACH,MAAa,iBAAiB;IAC5B;;;;;;OAMG;IACH,QAAQ,CAAC,QAAuB,EAAE,IAAY;QAC5C,2BAA2B;QAC3B,IAAI,CAAC,QAAQ,CAAC,QAAQ,IAAI,QAAQ,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAChE,MAAM,IAAI,uBAAuB,CAC/B,aAAa,IAAI,wBAAwB,EACzC,UAAU,CACX,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,QAAQ,CAAC,gBAAgB,IAAI,QAAQ,CAAC,gBAAgB,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAChF,MAAM,IAAI,uBAAuB,CAC/B,aAAa,IAAI,iCAAiC,EAClD,kBAAkB,CACnB,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,QAAQ,CAAC,QAAQ,IAAI,QAAQ,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAChE,MAAM,IAAI,uBAAuB,CAC/B,aAAa,IAAI,wBAAwB,EACzC,UAAU,CACX,CAAC;QACJ,CAAC;QAED,uBAAuB;QACvB,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,gBAAgB,EAAE,IAAI,EAAE,kBAAkB,CAAC,CAAC;QACtE,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,QAAQ,EAAE,IAAI,EAAE,UAAU,CAAC,CAAC;QAEtD,IAAI,QAAQ,CAAC,WAAW,EAAE,CAAC;YACzB,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,WAAW,EAAE,IAAI,EAAE,aAAa,CAAC,CAAC;QAC9D,CAAC;QAED,mCAAmC;QACnC,IAAI,QAAQ,CAAC,SAAS,IAAI,CAAC,QAAQ,CAAC,oBAAoB,EAAE,CAAC;YACzD,MAAM,IAAI,uBAAuB,CAC/B,aAAa,IAAI,2DAA2D,EAC5E,WAAW,CACZ,CAAC;QACJ,CAAC;QAED,qEAAqE;QACrE,IAAI,QAAQ,CAAC,YAAY,EAAE,CAAC;YAC1B,IAAI,CAAC,oBAAoB,CAAC,QAAQ,CAAC,YAAY,EAAE,IAAI,CAAC,CAAC;QACzD,CAAC;IACH,CAAC;IAED;;;;;;;OAOG;IACK,WAAW,CAAC,GAAW,EAAE,YAAoB,EAAE,SAAiB;QACtE,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;YAC/B,IAAI,SAAS,CAAC,QAAQ,KAAK,OAAO,IAAI,SAAS,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;gBACtE,MAAM,IAAI,uBAAuB,CAC/B,aAAa,YAAY,KAAK,SAAS,kCAAkC,EACzE,SAAS,CACV,CAAC;YACJ,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,uBAAuB,EAAE,CAAC;gBAC7C,MAAM,KAAK,CAAC;YACd,CAAC;YACD,MAAM,IAAI,uBAAuB,CAC/B,aAAa,YAAY,KAAK,SAAS,wBAAwB,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,EACvH,SAAS,CACV,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;;;;;OAMG;IACK,oBAAoB,CAC1B,YAAoC,EACpC,YAAoB;QAEpB,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,CAAC;YACxD,MAAM,aAAa,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;YACxC,IAAI,mBAAmB,CAAC,QAAQ,CAAC,aAAoB,CAAC,EAAE,CAAC;gBACvD,MAAM,IAAI,uBAAuB,CAC/B,aAAa,YAAY,uBAAuB,GAAG,mEAAmE,mBAAmB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,EACtJ,gBAAgB,GAAG,EAAE,CACtB,CAAC;YACJ,CAAC;YACD,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACxC,MAAM,IAAI,uBAAuB,CAC/B,aAAa,YAAY,uBAAuB,GAAG,mBAAmB,EACtE,gBAAgB,GAAG,EAAE,CACtB,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,YAAY,CAChB,QAAuB,EACvB,aAA2B;QAE3B,IAAI,CAAC;YACH,uEAAuE;YACvE,MAAM,YAAY,GAAG,MAAM,aAAa,CAAC,QAAQ,CAAC,gBAAgB,EAAE;gBAClE,MAAM,EAAE,MAAM;gBACd,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,mBAAmB;aACvD,CAAC,CAAC;YACH,OAAO,YAAY,CAAC,EAAE,IAAI,YAAY,CAAC,MAAM,KAAK,GAAG,CAAC,CAAC,+BAA+B;QACxF,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;CACF;AAnID,8CAmIC"}

package/dist/services/tool-context-builder.d.ts ADDED Viewed

@@ -0,0 +1,57 @@
+/**
+ * Tool Context Builder
+ *
+ * Builds ToolExecutionContext for tool handlers by resolving IDP tokens
+ * based on tool protection configuration and user identity.
+ *
+ * @package @kya-os/mcp-i-core
+ */
+import type { ToolExecutionContext } from "@kya-os/contracts/config";
+import type { IdpTokenResolver } from "../identity/idp-token-resolver.js";
+import type { ToolProtection } from "../types/tool-protection.js";
+import type { OAuthConfigService } from "./oauth-config.service.js";
+import type { ProviderResolver } from "./provider-resolver.js";
+export interface ToolContextBuilderConfig {
+    /** IDP token resolver for resolving tokens from User DID */
+    tokenResolver: IdpTokenResolver;
+    /** OAuth config service for fetching provider configurations */
+    configService: OAuthConfigService;
+    /** Provider resolver for resolving OAuth providers for tools */
+    providerResolver: ProviderResolver;
+    /** Project ID for fetching OAuth config */
+    projectId: string;
+    /** Optional logger callback for diagnostics */
+    logger?: (message: string, data?: unknown) => void;
+}
+/**
+ * Builder for tool execution context
+ *
+ * Resolves IDP tokens and builds context for tool handlers.
+ * Phase 1: Uses configured provider as temporary fallback.
+ * Phase 2+: Requires explicit oauthProvider on tool protection.
+ */
+export declare class ToolContextBuilder {
+    private config;
+    constructor(config: ToolContextBuilderConfig);
+    /**
+     * Build tool execution context
+     *
+     * @param toolName - Name of the tool being executed
+     * @param userDid - User DID (optional, required for OAuth)
+     * @param sessionId - Session ID (optional)
+     * @param delegationToken - Delegation token (optional)
+     * @param toolProtection - Tool protection configuration (optional)
+     * @returns Tool execution context or undefined if not needed
+     */
+    buildContext(toolName: string, userDid: string | undefined, sessionId: string | undefined, delegationToken: string | undefined, toolProtection: ToolProtection | null): Promise<ToolExecutionContext | undefined>;
+    /**
+     * Resolve OAuth provider for a tool
+     *
+     * Phase 2: Uses ProviderResolver with priority-based resolution
+     *
+     * @param toolProtection - Tool protection configuration
+     * @returns Provider name or throws error if not found
+     */
+    private resolveProvider;
+}
+//# sourceMappingURL=tool-context-builder.d.ts.map

package/dist/services/tool-context-builder.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"tool-context-builder.d.ts","sourceRoot":"","sources":["../../src/services/tool-context-builder.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,0BAA0B,CAAC;AACrE,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,mCAAmC,CAAC;AAC1E,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,6BAA6B,CAAC;AAClE,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AACpE,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAG/D,MAAM,WAAW,wBAAwB;IACvC,4DAA4D;IAC5D,aAAa,EAAE,gBAAgB,CAAC;IAEhC,gEAAgE;IAChE,aAAa,EAAE,kBAAkB,CAAC;IAElC,gEAAgE;IAChE,gBAAgB,EAAE,gBAAgB,CAAC;IAEnC,2CAA2C;IAC3C,SAAS,EAAE,MAAM,CAAC;IAElB,+CAA+C;IAC/C,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,OAAO,KAAK,IAAI,CAAC;CACpD;AAED;;;;;;GAMG;AACH,qBAAa,kBAAkB;IAC7B,OAAO,CAAC,MAAM,CAEZ;gBAEU,MAAM,EAAE,wBAAwB;IAU5C;;;;;;;;;OASG;IACG,YAAY,CAChB,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,MAAM,GAAG,SAAS,EAC3B,SAAS,EAAE,MAAM,GAAG,SAAS,EAC7B,eAAe,EAAE,MAAM,GAAG,SAAS,EACnC,cAAc,EAAE,cAAc,GAAG,IAAI,GACpC,OAAO,CAAC,oBAAoB,GAAG,SAAS,CAAC;IAqE5C;;;;;;;OAOG;YACW,eAAe;CAsB9B"}

package/dist/services/tool-context-builder.js ADDED Viewed

@@ -0,0 +1,125 @@
+"use strict";
+/**
+ * Tool Context Builder
+ *
+ * Builds ToolExecutionContext for tool handlers by resolving IDP tokens
+ * based on tool protection configuration and user identity.
+ *
+ * @package @kya-os/mcp-i-core
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ToolContextBuilder = void 0;
+const oauth_required_error_js_1 = require("../types/oauth-required-error.js");
+/**
+ * Builder for tool execution context
+ *
+ * Resolves IDP tokens and builds context for tool handlers.
+ * Phase 1: Uses configured provider as temporary fallback.
+ * Phase 2+: Requires explicit oauthProvider on tool protection.
+ */
+class ToolContextBuilder {
+    config;
+    constructor(config) {
+        this.config = {
+            tokenResolver: config.tokenResolver,
+            configService: config.configService,
+            providerResolver: config.providerResolver,
+            projectId: config.projectId,
+            logger: config.logger || (() => { }),
+        };
+    }
+    /**
+     * Build tool execution context
+     *
+     * @param toolName - Name of the tool being executed
+     * @param userDid - User DID (optional, required for OAuth)
+     * @param sessionId - Session ID (optional)
+     * @param delegationToken - Delegation token (optional)
+     * @param toolProtection - Tool protection configuration (optional)
+     * @returns Tool execution context or undefined if not needed
+     */
+    async buildContext(toolName, userDid, sessionId, delegationToken, toolProtection) {
+        // Only build context if tool requires OAuth
+        if (!toolProtection?.requiredScopes?.length || !userDid) {
+            return undefined;
+        }
+        // Phase 2: Resolve provider using ProviderResolver
+        // ProviderResolver handles priority-based resolution with fallbacks
+        let provider;
+        try {
+            provider = await this.resolveProvider(toolProtection);
+        }
+        catch (error) {
+            // Provider resolution failed - cannot build context
+            this.config.logger("[ToolContextBuilder] Provider not resolved", {
+                toolName,
+                userDid: userDid.substring(0, 20) + "...",
+                error: error instanceof Error ? error.message : String(error),
+            });
+            return undefined;
+        }
+        // Resolve IDP token
+        const idpToken = await this.config.tokenResolver.resolveTokenFromDid(userDid, provider, toolProtection.requiredScopes);
+        if (!idpToken) {
+            // Token not available - throw OAuthRequiredError to trigger OAuth flow
+            this.config.logger("[ToolContextBuilder] Token not available, throwing OAuthRequiredError", {
+                toolName,
+                userDid: userDid.substring(0, 20) + "...",
+                provider,
+                scopes: toolProtection.requiredScopes,
+            });
+            // Throw error with provider and scopes info
+            // OAuth URL will be built by the Cloudflare layer (agent.ts)
+            throw new oauth_required_error_js_1.OAuthRequiredError({
+                toolName,
+                requiredScopes: toolProtection.requiredScopes,
+                provider,
+                oauthUrl: "", // Will be populated by Cloudflare layer
+                userDid,
+                sessionId,
+            });
+        }
+        // Build context with token
+        const context = {
+            idpToken,
+            provider,
+            scopes: toolProtection.requiredScopes,
+            userDid,
+            sessionId,
+            delegationToken,
+        };
+        this.config.logger("[ToolContextBuilder] Context built successfully", {
+            toolName,
+            userDid: userDid.substring(0, 20) + "...",
+            provider,
+            hasToken: !!idpToken,
+        });
+        return context;
+    }
+    /**
+     * Resolve OAuth provider for a tool
+     *
+     * Phase 2: Uses ProviderResolver with priority-based resolution
+     *
+     * @param toolProtection - Tool protection configuration
+     * @returns Provider name or throws error if not found
+     */
+    async resolveProvider(toolProtection) {
+        try {
+            const provider = await this.config.providerResolver.resolveProvider(toolProtection, this.config.projectId);
+            this.config.logger("[ToolContextBuilder] Provider resolved", {
+                provider,
+            });
+            return provider;
+        }
+        catch (error) {
+            this.config.logger("[ToolContextBuilder] Provider resolution failed", {
+                error: error instanceof Error ? error.message : String(error),
+                projectId: this.config.projectId,
+            });
+            throw error; // Re-throw to let caller handle
+        }
+    }
+}
+exports.ToolContextBuilder = ToolContextBuilder;
+//# sourceMappingURL=tool-context-builder.js.map

package/dist/services/tool-context-builder.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"tool-context-builder.js","sourceRoot":"","sources":["../../src/services/tool-context-builder.ts"],"names":[],"mappings":";AAAA;;;;;;;GAOG;;;AAOH,8EAAsE;AAmBtE;;;;;;GAMG;AACH,MAAa,kBAAkB;IACrB,MAAM,CAEZ;IAEF,YAAY,MAAgC;QAC1C,IAAI,CAAC,MAAM,GAAG;YACZ,aAAa,EAAE,MAAM,CAAC,aAAa;YACnC,aAAa,EAAE,MAAM,CAAC,aAAa;YACnC,gBAAgB,EAAE,MAAM,CAAC,gBAAgB;YACzC,SAAS,EAAE,MAAM,CAAC,SAAS;YAC3B,MAAM,EAAE,MAAM,CAAC,MAAM,IAAI,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC;SACpC,CAAC;IACJ,CAAC;IAED;;;;;;;;;OASG;IACH,KAAK,CAAC,YAAY,CAChB,QAAgB,EAChB,OAA2B,EAC3B,SAA6B,EAC7B,eAAmC,EACnC,cAAqC;QAErC,4CAA4C;QAC5C,IAAI,CAAC,cAAc,EAAE,cAAc,EAAE,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;YACxD,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,mDAAmD;QACnD,oEAAoE;QACpE,IAAI,QAAgB,CAAC;QACrB,IAAI,CAAC;YACH,QAAQ,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,cAAc,CAAC,CAAC;QACxD,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,oDAAoD;YACpD,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,4CAA4C,EAAE;gBAC/D,QAAQ;gBACR,OAAO,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,KAAK;gBACzC,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;aAC9D,CAAC,CAAC;YACH,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,oBAAoB;QACpB,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,mBAAmB,CAClE,OAAO,EACP,QAAQ,EACR,cAAc,CAAC,cAAc,CAC9B,CAAC;QAEF,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,uEAAuE;YACvE,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,uEAAuE,EAAE;gBAC1F,QAAQ;gBACR,OAAO,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,KAAK;gBACzC,QAAQ;gBACR,MAAM,EAAE,cAAc,CAAC,cAAc;aACtC,CAAC,CAAC;YAEH,4CAA4C;YAC5C,6DAA6D;YAC7D,MAAM,IAAI,4CAAkB,CAAC;gBAC3B,QAAQ;gBACR,cAAc,EAAE,cAAc,CAAC,cAAc;gBAC7C,QAAQ;gBACR,QAAQ,EAAE,EAAE,EAAE,wCAAwC;gBACtD,OAAO;gBACP,SAAS;aACV,CAAC,CAAC;QACL,CAAC;QAED,2BAA2B;QAC3B,MAAM,OAAO,GAAyB;YACpC,QAAQ;YACR,QAAQ;YACR,MAAM,EAAE,cAAc,CAAC,cAAc;YACrC,OAAO;YACP,SAAS;YACT,eAAe;SAChB,CAAC;QAEF,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,iDAAiD,EAAE;YACpE,QAAQ;YACR,OAAO,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,KAAK;YACzC,QAAQ;YACR,QAAQ,EAAE,CAAC,CAAC,QAAQ;SACrB,CAAC,CAAC;QAEH,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;;;;;;OAOG;IACK,KAAK,CAAC,eAAe,CAC3B,cAA8B;QAE9B,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,gBAAgB,CAAC,eAAe,CACjE,cAAc,EACd,IAAI,CAAC,MAAM,CAAC,SAAS,CACtB,CAAC;YAEF,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,wCAAwC,EAAE;gBAC3D,QAAQ;aACT,CAAC,CAAC;YAEH,OAAO,QAAQ,CAAC;QAClB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,iDAAiD,EAAE;gBACpE,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;gBAC7D,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,SAAS;aACjC,CAAC,CAAC;YACH,MAAM,KAAK,CAAC,CAAC,gCAAgC;QAC/C,CAAC;IACH,CAAC;CACF;AAlID,gDAkIC"}

package/dist/services/tool-protection.service.d.ts CHANGED Viewed

@@ -1,12 +1,80 @@
 /**
  * ToolProtectionService - Fetches and caches tool protection configurations
  *
- * This service:
+ * This service manages tool protection configuration from AgentShield API with
+ * efficient caching and automatic synchronization support.
+ *
+ * CORE FUNCTIONALITY:
+ * -------------------
  * 1. Fetches tool protection config from AgentShield API
- * 2. Caches responses to reduce API calls
+ * 2. Caches responses with configurable TTL (default 5 minutes)
  * 3. Falls back to local config if API unavailable
- * 4. Provides delegation checking logic
+ * 4. Provides delegation requirement checking before tool execution
+ *
+ * SYNCHRONIZATION WITH AGENTSHIELD:
+ * ----------------------------------
+ * When you update tool protection settings in the AgentShield dashboard:
+ *
+ * 1. Dashboard sends PATCH /api/internal/bouncer/tools/{projectId}/{toolName}
+ * 2. AgentShield updates the database immediately (PostgreSQL JSONB column)
+ * 3. Dashboard sends POST /admin/clear-cache to this service (automatic)
+ * 4. This service clears the cached config from KV storage
+ * 5. Next tool call fetches fresh config from AgentShield API
+ * 6. New config is cached for the configured TTL period
+ *
+ * CACHE INVALIDATION:
+ * -------------------
+ * Cache is invalidated via POST /admin/clear-cache endpoint:
+ * - Triggered automatically by AgentShield dashboard when tool protection changes
+ * - Can be triggered manually for testing/debugging
+ * - Requires API key authentication for security
+ *
+ * If cache is NOT cleared:
+ * - Stale config is served until TTL expires (default 5 minutes)
+ * - Configure shorter TTL via TOOL_PROTECTION_CACHE_TTL env var for faster updates
+ * - Set to 0 for no cache (not recommended for production)
+ *
+ * TOOL DISCOVERY PREREQUISITE:
+ * ----------------------------
+ * IMPORTANT: Tools must be discovered before they can be protected!
+ *
+ * Discovery happens when:
+ * - Agent makes first tool call with proof submission
+ * - AgentShield extracts tool info from cryptographic proof
+ * - Tool is added to bouncerConfigs.discoveredTools in database
  *
+ * If tool not discovered:
+ * - Tool won't appear in dashboard
+ * - Protection settings can't be configured
+ * - GET /tool-protections returns empty object
+ *
+ * DEBUGGING:
+ * ----------
+ * Enable debug logging with:
+ *   toolProtection: { debug: true }
+ *
+ * Debug logs show:
+ * - Cache hits vs API fetches
+ * - Full API responses
+ * - Tool protection status for each tool
+ * - Cache TTL and expiration times
+ * - Source of config data (cache, api, or fallback)
+ *
+ * TROUBLESHOOTING:
+ * ----------------
+ * Problem: Dashboard shows protection but tool still executes
+ * Cause: Stale cache not invalidated
+ * Solution: POST /admin/clear-cache or wait for TTL expiration
+ *
+ * Problem: Empty toolProtections returned from API
+ * Cause: Tool not discovered yet (no proof submissions)
+ * Solution: Make at least one tool call to trigger discovery
+ *
+ * Problem: Updates take 5+ minutes to apply
+ * Cause: Long cache TTL and cache clear failed
+ * Solution: Configure MCP server URL in AgentShield for auto cache clear
+ *
+ * @see https://github.com/modelcontextprotocol-identity/agent-shield/docs/bouncer/tool-protection-sync.md
  * @package @kya-os/mcp-i-core
  */
 import type { ToolProtection, ToolProtectionConfig, ToolProtectionServiceConfig } from "../types/tool-protection.js";
@@ -58,7 +126,6 @@ export declare class ToolProtectionService {
      * Uses projectId endpoint if available (preferred, project-scoped), otherwise falls back to agent_did query param
      *
      * @param agentDid DID of the agent to fetch config for
-     * @param bypassCache If true, adds Cache-Control header to bypass AgentShield's cache
      */
     private fetchFromApi;
     /**
@@ -71,14 +138,24 @@ export declare class ToolProtectionService {
      */
     clearCache(agentDid: string): Promise<void>;
     /**
-     * Refresh cache immediately from API, bypassing both local and AgentShield cache
+     * Clear cache and immediately fetch fresh config from API
+     *
+     * This method is designed for Cloudflare Workers where KV has edge caching.
+     * After clearing the KV entry, it fetches fresh data from the API and writes
+     * it back to KV. This ensures:
+     * 1. The global KV entry is deleted
+     * 2. Fresh data is fetched from API
+     * 3. New data is written to KV (updating edge cache)
      *
-     * This method clears the local cache and fetches fresh config from the API
-     * with Cache-Control headers to bypass AgentShield's 5-minute cache.
+     * The next request from the same edge location will get the fresh data.
      *
-     * @param agentDid DID of the agent to refresh config for
-     * @returns Fresh tool protection config
+     * @param agentDid DID of the agent (used for cache key)
+     * @returns The fresh tool protection config from API
      */
-    refreshCache(agentDid: string): Promise<ToolProtectionConfig>;
+    clearAndRefresh(agentDid: string): Promise<{
+        config: ToolProtectionConfig;
+        cacheKey: string;
+        source: 'api' | 'fallback';
+    }>;
 }
 //# sourceMappingURL=tool-protection.service.d.ts.map

package/dist/services/tool-protection.service.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"tool-protection.service.d.ts","sourceRoot":"","sources":["../../src/services/tool-protection.service.ts"],"names":[],"mappings":"AAAA~~;;;;;;;;;;GAUG~~;AAEH,OAAO,KAAK,EACV,cAAc,EACd,oBAAoB,EACpB,2BAA2B,EAE5B,MAAM,6BAA6B,CAAC;AACrC,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,mCAAmC,CAAC;~~AAwD7E~~;;GAEG;AACH,qBAAa,qBAAqB;IAChC,OAAO,CAAC,MAAM,CAA8B;IAC5C,OAAO,CAAC,KAAK,CAAsB;gBAEvB,MAAM,EAAE,2BAA2B,EAAE,KAAK,EAAE,mBAAmB;IAK3E;;;OAGG;IACH,YAAY,IAAI,MAAM,GAAG,SAAS;IAIlC;;;;;;;;OAQG;YACW,aAAa;IA4C3B;;;;;;;;;;OAUG;IACG,uBAAuB,CAC3B,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,oBAAoB,CAAC;~~IAgRhC~~;;;;;;OAMG;IACG,mBAAmB,CACvB,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC;IA8BjC~~;;;;;;OAMG~~;YACW,YAAY;~~IA+H1B~~;;;;;;;OAOG;IACG,UAAU,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAiBjD~~;;;;;;;;OAQG~~;IACG,~~YAAY~~,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,oBAAoB,CAAC;~~CAuGpE~~"}
1	+ {"version":3,"file":"tool-protection.service.d.ts","sourceRoot":"","sources":["../../src/services/tool-protection.service.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8EG;AAEH,OAAO,KAAK,EACV,cAAc,EACd,oBAAoB,EACpB,2BAA2B,EAE5B,MAAM,6BAA6B,CAAC;AACrC,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,mCAAmC,CAAC;AA8D7E;;GAEG;AACH,qBAAa,qBAAqB;IAChC,OAAO,CAAC,MAAM,CAA8B;IAC5C,OAAO,CAAC,KAAK,CAAsB;gBAEvB,MAAM,EAAE,2BAA2B,EAAE,KAAK,EAAE,mBAAmB;IAK3E;;;OAGG;IACH,YAAY,IAAI,MAAM,GAAG,SAAS;IAIlC;;;;;;;;OAQG;YACW,aAAa;IA4C3B;;;;;;;;;;OAUG;IACG,uBAAuB,CAC3B,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,oBAAoB,CAAC;IAuYhC;;;;;;OAMG;IACG,mBAAmB,CACvB,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC;IA8BjC;;;;;OAKG;YACW,YAAY;IAsG1B;;;;;;;OAOG;IACG,UAAU,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAiBjD;;;;;;;;;;;;;;OAcG;IACG,eAAe,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC;QAC/C,MAAM,EAAE,oBAAoB,CAAC;QAC7B,QAAQ,EAAE,MAAM,CAAC;QACjB,MAAM,EAAE,KAAK,GAAG,UAAU,CAAC;KAC5B,CAAC;CA4IH"}