@kya-os/mcp-i-core 1.3.0 → 1.3.1

package/src/cache/oauth-config-cache.js

@@ -1,71 +0,0 @@
-/**
- * Platform-agnostic cache interface for OAuth provider configurations
- *
- * This interface allows different runtime adapters to provide their own
- * caching implementations (e.g., in-memory for Node.js, KV for Cloudflare)
- *
- * @package @kya-os/mcp-i-core
- */
-/**
- * In-memory cache implementation
- *
- * Suitable for:
- * - Node.js runtimes
- * - Development/testing
- * - Single-instance deployments
- *
- * NOT suitable for:
- * - Multi-instance deployments (cache not shared)
- * - Serverless environments (state not persisted)
- */
-export class InMemoryOAuthConfigCache {
-    cache = new Map();
-    async get(key) {
-        const entry = this.cache.get(key);
-        if (!entry) {
-            return null;
-        }
-        // Check if expired
-        if (Date.now() > entry.expiresAt) {
-            this.cache.delete(key);
-            return null;
-        }
-        return entry.value;
-    }
-    async set(key, value, ttl) {
-        // If TTL is <= 0, don't store (entry would be immediately expired)
-        if (ttl <= 0) {
-            return;
-        }
-        const expiresAt = Date.now() + ttl;
-        this.cache.set(key, { value, expiresAt });
-    }
-    async clear() {
-        this.cache.clear();
-    }
-    async delete(key) {
-        this.cache.delete(key);
-    }
-}
-/**
- * No-op cache implementation (disables caching)
- *
- * Use when:
- * - You want to disable caching entirely
- * - Testing scenarios that require fresh data
- */
-export class NoOpOAuthConfigCache {
-    async get(_key) {
-        return null;
-    }
-    async set(_key, _value, _ttl) {
-        // No-op
-    }
-    async clear() {
-        // No-op
-    }
-    async delete(_key) {
-        // No-op
-    }
-}
-//# sourceMappingURL=oauth-config-cache.js.map

package/src/providers/base.js

@@ -1,38 +0,0 @@
-/**
- * Base Provider Classes
- *
- * Abstract classes that define the provider interfaces for
- * platform-specific implementations.
- */
-/**
- * Cryptographic operations provider
- */
-export class CryptoProvider {
-}
-/**
- * Clock/timing operations provider
- */
-export class ClockProvider {
-}
-/**
- * Network fetch operations provider
- */
-export class FetchProvider {
-}
-/**
- * Storage operations provider
- */
-export class StorageProvider {
-}
-/**
- * Nonce cache provider
- * Handles replay prevention
- *
- * Nonces should be scoped per agent to prevent cross-agent replay attacks.
- * When agentDid is provided, implementations should use agent-scoped keys.
- */
-export class NonceCacheProvider {
-}
-export class IdentityProvider {
-}
-//# sourceMappingURL=base.js.map

package/src/services/oauth-config.service.js

@@ -1,113 +0,0 @@
-/**
- * OAuth Config Service
- *
- * Fetches and caches OAuth provider configurations from AgentShield API.
- * Provides caching with TTL to reduce API calls.
- *
- * @package @kya-os/mcp-i-core
- */
-import { InMemoryOAuthConfigCache } from "../cache/oauth-config-cache.js";
-/**
- * Service for fetching OAuth provider configurations from AgentShield API
- */
-export class OAuthConfigService {
-    config;
-    constructor(config) {
-        this.config = {
-            baseUrl: config.baseUrl,
-            apiKey: config.apiKey,
-            fetchProvider: config.fetchProvider,
-            cacheTtl: config.cacheTtl ?? 5 * 60 * 1000, // Default 5 minutes
-            logger: config.logger || (() => { }),
-            cache: config.cache || new InMemoryOAuthConfigCache(),
-        };
-    }
-    /**
-     * Get OAuth configuration for a project
-     *
-     * Fetches from AgentShield API: GET /api/v1/bouncer/projects/{projectId}/providers
-     * Caches responses with TTL to reduce API calls.
-     *
-     * @param projectId - Project ID to fetch config for
-     * @returns OAuth configuration with providers object
-     */
-    async getOAuthConfig(projectId) {
-        // Check cache
-        const cached = await this.config.cache.get(projectId);
-        if (cached) {
-            this.config.logger("[OAuthConfigService] Cache hit", {
-                projectId,
-            });
-            return cached;
-        }
-        // Fetch from AgentShield API
-        const url = `${this.config.baseUrl}/api/v1/bouncer/projects/${encodeURIComponent(projectId)}/providers`;
-        this.config.logger("[OAuthConfigService] Fetching config from API", {
-            projectId,
-            url,
-        });
-        try {
-            const response = await this.config.fetchProvider.fetch(url, {
-                method: "GET",
-                headers: {
-                    Authorization: `Bearer ${this.config.apiKey}`,
-                    "Content-Type": "application/json",
-                },
-            });
-            if (!response.ok) {
-                const errorText = await response.text().catch(() => "Unknown error");
-                throw new Error(`Failed to fetch OAuth config: ${response.status} ${response.statusText} - ${errorText}`);
-            }
-            const result = await response.json();
-            // Validate response structure
-            if (!result.success || !result.data) {
-                throw new Error("Invalid API response: missing success or data field");
-            }
-            // Parse providers object
-            const providers = result.data.providers || {};
-            if (typeof providers !== "object" || Array.isArray(providers)) {
-                throw new Error("Invalid API response: providers must be an object, not an array");
-            }
-            // Build OAuthConfig object
-            // Note: API does NOT return defaultProvider field (Phase 1 architecture)
-            // Phase 1 uses configured provider as temporary fallback
-            // Phase 2+ requires tools to explicitly specify oauthProvider
-            const config = {
-                providers: providers,
-            };
-            // Cache config
-            await this.config.cache.set(projectId, config, this.config.cacheTtl);
-            this.config.logger("[OAuthConfigService] Config fetched and cached", {
-                projectId,
-                providerCount: Object.keys(providers).length,
-                providers: Object.keys(providers),
-                expiresAt: new Date(Date.now() + this.config.cacheTtl).toISOString(),
-            });
-            return config;
-        }
-        catch (error) {
-            this.config.logger("[OAuthConfigService] API fetch failed", {
-                projectId,
-                error: error instanceof Error ? error.message : String(error),
-            });
-            throw error;
-        }
-    }
-    /**
-     * Clear cached config for a project
-     *
-     * @param projectId - Project ID to clear cache for
-     */
-    async clearCache(projectId) {
-        await this.config.cache.delete(projectId);
-        this.config.logger("[OAuthConfigService] Cache cleared", { projectId });
-    }
-    /**
-     * Clear all cached configs
-     */
-    async clearAllCache() {
-        await this.config.cache.clear();
-        this.config.logger("[OAuthConfigService] All cache cleared");
-    }
-}
-//# sourceMappingURL=oauth-config.service.js.map

package/src/services/oauth-provider-registry.js

@@ -1,73 +0,0 @@
-/**
- * OAuth Provider Registry
- *
- * Manages OAuth provider configurations loaded from AgentShield API.
- * Provides efficient lookup and caching of provider configurations.
- *
- * @package @kya-os/mcp-i-core
- */
-/**
- * Registry for OAuth providers
- *
- * Wraps OAuthConfigService to provide a simple lookup interface
- * for provider configurations.
- */
-export class OAuthProviderRegistry {
-    configService;
-    providers = new Map();
-    constructor(configService) {
-        this.configService = configService;
-    }
-    /**
-     * Load providers from AgentShield API
-     *
-     * Fetches OAuth configuration and caches providers in memory.
-     * Clears existing providers before loading new ones.
-     *
-     * @param projectId - Project ID to load providers for
-     */
-    async loadFromAgentShield(projectId) {
-        const config = await this.configService.getOAuthConfig(projectId);
-        // Clear existing providers
-        this.providers.clear();
-        // Register all providers from config
-        for (const [name, providerConfig] of Object.entries(config.providers)) {
-            this.providers.set(name, providerConfig);
-        }
-    }
-    /**
-     * Get provider by name
-     *
-     * @param name - Provider name (e.g., "github", "google")
-     * @returns Provider configuration or null if not found
-     */
-    getProvider(name) {
-        return this.providers.get(name) || null;
-    }
-    /**
-     * Get all providers
-     *
-     * @returns Array of all registered provider configurations
-     */
-    getAllProviders() {
-        return Array.from(this.providers.values());
-    }
-    /**
-     * Check if provider exists
-     *
-     * @param name - Provider name to check
-     * @returns True if provider is registered, false otherwise
-     */
-    hasProvider(name) {
-        return this.providers.has(name);
-    }
-    /**
-     * Get all provider names
-     *
-     * @returns Array of provider names
-     */
-    getProviderNames() {
-        return Array.from(this.providers.keys());
-    }
-}
-//# sourceMappingURL=oauth-provider-registry.js.map

package/src/services/provider-resolver.js

@@ -1,106 +0,0 @@
-/**
- * Provider Resolver
- *
- * Resolves OAuth provider for tools using priority-based resolution strategy.
- * Supports Phase 2+ tool-specific providers with backward compatibility for Phase 1.
- *
- * @package @kya-os/mcp-i-core
- */
-/**
- * Resolves OAuth provider for tools with priority-based fallback strategy
- *
- * Priority order:
- * 1. Tool-specific oauthProvider field (Phase 2+ preferred)
- * 2. Scope prefix inference (fallback)
- * 3. First configured provider (Phase 1 compatibility fallback)
- * 4. Error if no provider can be resolved
- */
-export class ProviderResolver {
-    registry;
-    configService;
-    constructor(registry, configService) {
-        this.registry = registry;
-        this.configService = configService;
-    }
-    /**
-     * Resolve OAuth provider for a tool
-     *
-     * @param toolProtection - Tool protection configuration
-     * @param projectId - Project ID for fetching provider config
-     * @returns Provider name (never null - throws if cannot resolve)
-     * @throws Error if provider cannot be resolved
-     */
-    async resolveProvider(toolProtection, projectId) {
-        // Priority 1: Tool-specific provider (Phase 2+ preferred)
-        if (toolProtection.oauthProvider) {
-            if (!this.registry.hasProvider(toolProtection.oauthProvider)) {
-                throw new Error(`Provider "${toolProtection.oauthProvider}" not configured for project "${projectId}". ` +
-                    `Add provider in project settings.`);
-            }
-            return toolProtection.oauthProvider;
-        }
-        // Priority 2: Scope prefix inference (fallback)
-        const inferredProvider = this.inferProviderFromScopes(toolProtection.requiredScopes || []);
-        if (inferredProvider && this.registry.hasProvider(inferredProvider)) {
-            console.log(`[ProviderResolver] Inferred provider "${inferredProvider}" from scopes`);
-            return inferredProvider;
-        }
-        // Priority 3: First configured provider (Phase 1 compatibility fallback)
-        // Ensure registry is loaded
-        await this.registry.loadFromAgentShield(projectId);
-        const providers = this.registry.getAllProviders();
-        if (providers.length > 0) {
-            // Log deprecation warning for Phase 1 tools
-            const firstProviderName = this.registry.getProviderNames()[0];
-            console.warn(`[ProviderResolver] Tool does not specify oauthProvider. ` +
-                `Using first configured provider "${firstProviderName}" as fallback. ` +
-                `This is deprecated - configure oauthProvider in AgentShield dashboard for Phase 2+.`);
-            return firstProviderName;
-        }
-        // Priority 4: Error if no provider can be resolved
-        throw new Error(`Tool requires OAuth but no provider could be resolved. ` +
-            `Either specify oauthProvider in tool protection config, or configure at least one provider for project "${projectId}".`);
-    }
-    /**
-     * Infer provider from scope prefixes
-     *
-     * Used as Priority 2 fallback when oauthProvider is not specified.
-     * Examples:
-     * - github:repo:read → github
-     * - gmail:read → google
-     * - microsoft:calendar:read → microsoft
-     *
-     * @param scopes - Required scopes for the tool
-     * @returns Provider name if uniquely inferred, null otherwise
-     */
-    inferProviderFromScopes(scopes) {
-        if (!scopes || scopes.length === 0) {
-            return null;
-        }
-        // Extract first part of scope (before first colon)
-        const scopePrefixes = scopes.map((scope) => {
-            const parts = scope.split(":");
-            return parts[0].toLowerCase();
-        });
-        // Provider mapping
-        const providerMap = {
-            github: "github",
-            google: "google",
-            gmail: "google", // gmail:read → google
-            calendar: "google", // calendar:read → google (if ambiguous, use project default)
-            microsoft: "microsoft",
-            outlook: "microsoft",
-            slack: "slack",
-            auth0: "auth0",
-            okta: "okta",
-        };
-        // Find unique provider
-        const providers = new Set(scopePrefixes.map((prefix) => providerMap[prefix]).filter(Boolean));
-        if (providers.size === 1) {
-            return Array.from(providers)[0];
-        }
-        // Ambiguous or no prefix → return null (use project-level provider)
-        return null;
-    }
-}
-//# sourceMappingURL=provider-resolver.js.map