@kya-os/mcp-i-core 1.3.0 → 1.3.2

package/src/services/__tests__/provider-resolver.test.ts

@@ -45,6 +45,7 @@ describe("ProviderResolver", () => {
       getAllProviders: vi.fn().mockReturnValue([]),
       getProviderNames: vi.fn().mockReturnValue([]),
       loadFromAgentShield: vi.fn().mockResolvedValue(undefined),
+      getConfiguredProvider: vi.fn().mockReturnValue(null), // New method for configuredProvider
     } as any;
 
     resolver = new ProviderResolver(mockRegistry, mockConfigService);
@@ -121,42 +122,37 @@ describe("ProviderResolver", () => {
       expect(provider).toBe("google");
     });
 
-    it("should return null for ambiguous scopes", async () => {
+    it("should fall back to configuredProvider for ambiguous scopes", async () => {
       const toolProtection: ToolProtection = {
         requiresDelegation: true,
         requiredScopes: ["github:read", "google:read"],
       };
 
-      (mockRegistry.hasProvider as any).mockReturnValue(true);
-
-      // Should fall through to Priority 3
-      (mockRegistry.getAllProviders as any).mockReturnValue([
-        { clientId: "github_client_id" },
-      ]);
-      (mockRegistry.getProviderNames as any).mockReturnValue(["github"]);
+      // Ambiguous scopes - both infer different providers
+      // Should fall through to Priority 3 (configuredProvider)
+      (mockRegistry.hasProvider as any).mockImplementation((name: string) => name === "github");
+      (mockRegistry.getConfiguredProvider as any).mockReturnValue("github");
 
       const provider = await resolver.resolveProvider(
         toolProtection,
         "test-project"
       );
 
-      // Falls back to first configured provider
+      // Falls back to configuredProvider
       expect(provider).toBe("github");
     });
   });
 
-  describe("resolveProvider - Priority 3: First configured provider", () => {
-    it("should use first configured provider as fallback", async () => {
+  describe("resolveProvider - Priority 3: Project-configured provider", () => {
+    it("should use configuredProvider as fallback", async () => {
       const toolProtection: ToolProtection = {
         requiresDelegation: true,
         requiredScopes: ["custom:scope"],
       };
 
-      (mockRegistry.hasProvider as any).mockReturnValue(false);
-      (mockRegistry.getAllProviders as any).mockReturnValue([
-        { clientId: "github_client_id" },
-      ]);
-      (mockRegistry.getProviderNames as any).mockReturnValue(["github"]);
+      // configuredProvider is github
+      (mockRegistry.hasProvider as any).mockImplementation((name: string) => name === "github");
+      (mockRegistry.getConfiguredProvider as any).mockReturnValue("github");
 
       const consoleSpy = vi.spyOn(console, "warn").mockImplementation(() => {});
 
@@ -167,30 +163,28 @@ describe("ProviderResolver", () => {
 
       expect(provider).toBe("github");
       expect(consoleSpy).toHaveBeenCalledWith(
-        expect.stringContaining("deprecated")
+        expect.stringContaining("project-configured provider")
       );
 
       consoleSpy.mockRestore();
     });
 
-    it("should log deprecation warning when using fallback", async () => {
+    it("should log warning when using configuredProvider fallback", async () => {
       const toolProtection: ToolProtection = {
         requiresDelegation: true,
         requiredScopes: [],
       };
 
-      (mockRegistry.hasProvider as any).mockReturnValue(false);
-      (mockRegistry.getAllProviders as any).mockReturnValue([
-        { clientId: "github_client_id" },
-      ]);
-      (mockRegistry.getProviderNames as any).mockReturnValue(["github"]);
+      // configuredProvider is github
+      (mockRegistry.hasProvider as any).mockImplementation((name: string) => name === "github");
+      (mockRegistry.getConfiguredProvider as any).mockReturnValue("github");
 
       const consoleSpy = vi.spyOn(console, "warn").mockImplementation(() => {});
 
       await resolver.resolveProvider(toolProtection, "test-project");
 
       expect(consoleSpy).toHaveBeenCalledWith(
-        expect.stringContaining("deprecated")
+        expect.stringContaining("Consider explicitly setting oauthProvider")
       );
 
       consoleSpy.mockRestore();
@@ -198,19 +192,21 @@ describe("ProviderResolver", () => {
   });
 
   describe("resolveProvider - Priority 4: Error if no provider", () => {
-    it("should throw error if no provider can be resolved", async () => {
+    it("should throw error if no provider is configured", async () => {
       const toolProtection: ToolProtection = {
         requiresDelegation: true,
         requiredScopes: [],
       };
 
+      // No configuredProvider set
       (mockRegistry.hasProvider as any).mockReturnValue(false);
+      (mockRegistry.getConfiguredProvider as any).mockReturnValue(null);
       (mockRegistry.getAllProviders as any).mockReturnValue([]);
       (mockRegistry.getProviderNames as any).mockReturnValue([]);
 
       await expect(
         resolver.resolveProvider(toolProtection, "test-project")
-      ).rejects.toThrow(/no provider could be resolved/);
+      ).rejects.toThrow(/no provider is configured/);
     });
   });
 });

package/src/services/oauth-config.service.ts

@@ -99,6 +99,7 @@ export class OAuthConfigService {
         success: boolean;
         data?: {
           providers?: Record<string, unknown>;
+          configuredProvider?: string | null;
         };
       };
 
@@ -116,11 +117,12 @@ export class OAuthConfigService {
       }
 
       // Build OAuthConfig object
-      // Note: API does NOT return defaultProvider field (Phase 1 architecture)
-      // Phase 1 uses configured provider as temporary fallback
-      // Phase 2+ requires tools to explicitly specify oauthProvider
+      // Extract configuredProvider from API response - this indicates which provider
+      // the user has actually configured in AgentShield dashboard
+      const configuredProvider = result.data.configuredProvider || null;
       const config: OAuthConfig = {
         providers: providers as Record<string, OAuthProvider>,
+        configuredProvider,
       };
 
       // Cache config
@@ -130,6 +132,7 @@ export class OAuthConfigService {
         projectId,
         providerCount: Object.keys(providers).length,
         providers: Object.keys(providers),
+        configuredProvider,
         expiresAt: new Date(
           Date.now() + this.config.cacheTtl
         ).toISOString(),

package/src/services/oauth-provider-registry.ts

@@ -19,6 +19,7 @@ import type { ProviderValidator } from "./provider-validator.js";
  */
 export class OAuthProviderRegistry {
   private providers: Map<string, OAuthProvider> = new Map();
+  private _configuredProvider: string | null = null;
 
   constructor(
     private configService: OAuthConfigService,
@@ -30,6 +31,7 @@ export class OAuthProviderRegistry {
    *
    * Fetches OAuth configuration and caches providers in memory.
    * Clears existing providers before loading new ones.
+   * Also stores the configured provider from the API response.
    *
    * @param projectId - Project ID to load providers for
    */
@@ -39,12 +41,28 @@ export class OAuthProviderRegistry {
     // Clear existing providers
     this.providers.clear();
 
+    // Store the configured provider from API response
+    // This is the provider the user has explicitly configured in AgentShield dashboard
+    this._configuredProvider = config.configuredProvider || null;
+
     // Register all providers from config
     for (const [name, providerConfig] of Object.entries(config.providers)) {
       this.providers.set(name, providerConfig);
     }
   }
 
+  /**
+   * Get the explicitly configured provider for this project
+   *
+   * Returns the provider that the user has configured in AgentShield dashboard.
+   * Used by ProviderResolver as fallback when tool doesn't specify oauthProvider.
+   *
+   * @returns Configured provider name, or null if no provider is configured
+   */
+  getConfiguredProvider(): string | null {
+    return this._configuredProvider;
+  }
+
   /**
    * Get provider by name
    *

package/src/services/provider-resolver.ts

@@ -17,7 +17,7 @@ import type { OAuthConfigService } from "./oauth-config.service.js";
  * Priority order:
  * 1. Tool-specific oauthProvider field (Phase 2+ preferred)
  * 2. Scope prefix inference (fallback)
- * 3. First configured provider (Phase 1 compatibility fallback)
+ * 3. Project-configured provider from AgentShield dashboard
  * 4. Error if no provider can be resolved
  */
 export class ProviderResolver {
@@ -70,25 +70,27 @@ export class ProviderResolver {
       }
     }
 
-    // Priority 3: First configured provider (Phase 1 compatibility fallback)
-    // Ensure registry is loaded
+    // Priority 3: Use explicitly configured provider from AgentShield dashboard
+    // This is the provider the user has actually configured, not just any available provider
     await this.registry.loadFromAgentShield(projectId);
-    const providers = this.registry.getAllProviders();
-    if (providers.length > 0) {
-      // Log deprecation warning for Phase 1 tools
-      const firstProviderName = this.registry.getProviderNames()[0];
+    const configuredProvider = this.registry.getConfiguredProvider();
+
+    if (configuredProvider && this.registry.hasProvider(configuredProvider)) {
       console.warn(
         `[ProviderResolver] Tool does not specify oauthProvider. ` +
-          `Using first configured provider "${firstProviderName}" as fallback. ` +
-          `This is deprecated - configure oauthProvider in AgentShield dashboard for Phase 2+.`
+          `Using project-configured provider "${configuredProvider}" as fallback. ` +
+          `Consider explicitly setting oauthProvider in tool protection config.`
       );
-      return firstProviderName;
+      return configuredProvider;
     }
 
-    // Priority 4: Error if no provider can be resolved
+    // Priority 4: Error if no provider is configured
+    // NOTE: We intentionally do NOT fall back to "first available provider" anymore
+    // because AgentShield returns ALL providers (even unconfigured ones).
+    // Only use providers explicitly configured by the user.
     throw new Error(
-      `Tool requires OAuth but no provider could be resolved. ` +
-        `Either specify oauthProvider in tool protection config, or configure at least one provider for project "${projectId}".`
+      `Tool requires OAuth but no provider is configured for project "${projectId}". ` +
+        `Configure an OAuth provider in AgentShield dashboard.`
     );
   }
 

package/src/services/tool-protection.service.ts

@@ -797,162 +797,51 @@ export class ToolProtectionService {
   }
 
   /**
-   * Clear cache and immediately fetch fresh config from API
+   * Clear cache WITHOUT warming
    * 
-   * This method is designed for Cloudflare Workers where KV has edge caching.
-   * After clearing the KV entry, it fetches fresh data from the API and writes
-   * it back to KV. This ensures:
-   * 1. The global KV entry is deleted
-   * 2. Fresh data is fetched from API
-   * 3. New data is written to KV (updating edge cache)
+   * IMPORTANT: This method intentionally does NOT fetch fresh data after clearing.
    * 
-   * The next request from the same edge location will get the fresh data.
+   * Why no cache warming?
+   * - Upstream APIs (AgentShield) may have their own CDN/cache layers
+   * - Immediately fetching after clear would get stale CDN data
+   * - Storing stale data defeats the purpose of cache invalidation
+   * - The next actual tool call will fetch fresh data (with natural delay)
+   * 
+   * This was the behavior in mcp-i-cloudflare@1.6.3 that worked perfectly.
+   * Cache warming was added as an "optimization" that backfired when upstream
+   * APIs have their own caching.
    * 
    * @param agentDid DID of the agent (used for cache key)
-   * @returns The fresh tool protection config from API
+   * @returns Cache key that was cleared
    */
   async clearAndRefresh(agentDid: string): Promise<{
     config: ToolProtectionConfig;
     cacheKey: string;
-    source: 'api' | 'fallback';
+    source: 'cleared';
   }> {
     const cacheKey = this.config.projectId
       ? `config:tool-protections:${this.config.projectId}`
       : `agent:${agentDid}`;
 
-    console.log("[ToolProtectionService] clearAndRefresh starting", {
+    console.log("[ToolProtectionService] clearCache (no warming)", {
       cacheKey,
       projectId: this.config.projectId || "none",
       agentDid: agentDid.slice(0, 20) + "...",
     });
 
-    // 1. Delete the cache entry
+    // Delete the cache entry - that's it, no warming
     await this.cache.delete(cacheKey);
 
-    console.log("[ToolProtectionService] Cache entry deleted", { cacheKey });
-
-    // 2. Fetch fresh config from API
-    try {
-      const response = await this.fetchFromApi(agentDid);
-
-      // Transform API response to internal format (same logic as getToolProtectionConfig)
-      const toolProtections: Record<string, ToolProtection> = {};
-
-      if (response.data.toolProtections) {
-        for (const [toolName, toolConfig] of Object.entries(
-          response.data.toolProtections
-        )) {
-          const requiresDelegation =
-            (toolConfig as any).requiresDelegation ??
-            (toolConfig as any).requires_delegation ??
-            false;
-          const requiredScopes =
-            (toolConfig as any).requiredScopes ??
-            (toolConfig as any).required_scopes ??
-            (toolConfig as any).scopes ??
-            [];
-          const oauthProvider =
-            (toolConfig as any).oauthProvider ??
-            (toolConfig as any).oauth_provider ??
-            undefined;
-          const riskLevel =
-            (toolConfig as any).riskLevel ??
-            (toolConfig as any).risk_level ??
-            undefined;
-
-          toolProtections[toolName] = {
-            requiresDelegation,
-            requiredScopes,
-            ...(oauthProvider && { oauthProvider }),
-            ...(riskLevel && { riskLevel }),
-          };
-        }
-      } else if (response.data.tools) {
-        if (Array.isArray(response.data.tools)) {
-          for (const tool of response.data.tools) {
-            const toolName = (tool as any).name;
-            if (!toolName) continue;
-            const requiresDelegation =
-              (tool as any).requiresDelegation ?? (tool as any).requires_delegation ?? false;
-            const requiredScopes =
-              (tool as any).requiredScopes ??
-              (tool as any).required_scopes ??
-              (tool as any).scopes ??
-              [];
-            const oauthProvider =
-              (tool as any).oauthProvider ?? (tool as any).oauth_provider ?? undefined;
-            const riskLevel = (tool as any).riskLevel ?? (tool as any).risk_level ?? undefined;
-
-            toolProtections[toolName] = {
-              requiresDelegation,
-              requiredScopes,
-              ...(oauthProvider && { oauthProvider }),
-              ...(riskLevel && { riskLevel }),
-            };
-          }
-        } else {
-          for (const [toolName, toolConfig] of Object.entries(
-            response.data.tools
-          )) {
-            const requiresDelegation =
-              (toolConfig as any).requiresDelegation ??
-              (toolConfig as any).requires_delegation ??
-              false;
-            const requiredScopes =
-              (toolConfig as any).requiredScopes ??
-              (toolConfig as any).required_scopes ??
-              (toolConfig as any).scopes ??
-              [];
-            const oauthProvider =
-              (toolConfig as any).oauthProvider ??
-              (toolConfig as any).oauth_provider ??
-              undefined;
-            const riskLevel =
-              (toolConfig as any).riskLevel ??
-              (toolConfig as any).risk_level ??
-              undefined;
-
-            toolProtections[toolName] = {
-              requiresDelegation,
-              requiredScopes,
-              ...(oauthProvider && { oauthProvider }),
-              ...(riskLevel && { riskLevel }),
-            };
-          }
-        }
-      }
-
-      // Construct fresh config (ToolProtectionConfig type)
-      const freshConfig: ToolProtectionConfig = {
-        toolProtections,
-      };
-
-      // 3. Write fresh config to cache
-      const ttl = this.config.cacheTtl ?? 300000;
-      await this.cache.set(cacheKey, freshConfig, ttl);
-
-      console.log("[ToolProtectionService] Fresh config fetched and cached", {
-        cacheKey,
-        toolCount: Object.keys(toolProtections).length,
-        protectedTools: Object.entries(toolProtections)
-          .filter(([_, cfg]) => cfg.requiresDelegation)
-          .map(([name]) => name),
-        source: "api",
-      });
-
-      return { config: freshConfig, cacheKey, source: 'api' };
-    } catch (error) {
-      console.warn("[ToolProtectionService] API fetch failed during refresh, using fallback", {
-        error: error instanceof Error ? error.message : String(error),
-        cacheKey,
-      });
-
-      // Use fallback config if API fails
-      const fallbackConfig: ToolProtectionConfig = this.config.fallbackConfig || {
-        toolProtections: {},
-      };
+    console.log("[ToolProtectionService] Cache entry deleted (next call will fetch fresh)", { 
+      cacheKey,
+      note: "No cache warming - upstream APIs may have CDN caching",
+    });
 
-      return { config: fallbackConfig, cacheKey, source: 'fallback' };
-    }
+    // Return empty config - next tool call will fetch fresh from API
+    return { 
+      config: { toolProtections: {} }, 
+      cacheKey, 
+      source: 'cleared' 
+    };
   }
 }

package/src/cache/oauth-config-cache.js

@@ -1,71 +0,0 @@
-/**
- * Platform-agnostic cache interface for OAuth provider configurations
- *
- * This interface allows different runtime adapters to provide their own
- * caching implementations (e.g., in-memory for Node.js, KV for Cloudflare)
- *
- * @package @kya-os/mcp-i-core
- */
-/**
- * In-memory cache implementation
- *
- * Suitable for:
- * - Node.js runtimes
- * - Development/testing
- * - Single-instance deployments
- *
- * NOT suitable for:
- * - Multi-instance deployments (cache not shared)
- * - Serverless environments (state not persisted)
- */
-export class InMemoryOAuthConfigCache {
-    cache = new Map();
-    async get(key) {
-        const entry = this.cache.get(key);
-        if (!entry) {
-            return null;
-        }
-        // Check if expired
-        if (Date.now() > entry.expiresAt) {
-            this.cache.delete(key);
-            return null;
-        }
-        return entry.value;
-    }
-    async set(key, value, ttl) {
-        // If TTL is <= 0, don't store (entry would be immediately expired)
-        if (ttl <= 0) {
-            return;
-        }
-        const expiresAt = Date.now() + ttl;
-        this.cache.set(key, { value, expiresAt });
-    }
-    async clear() {
-        this.cache.clear();
-    }
-    async delete(key) {
-        this.cache.delete(key);
-    }
-}
-/**
- * No-op cache implementation (disables caching)
- *
- * Use when:
- * - You want to disable caching entirely
- * - Testing scenarios that require fresh data
- */
-export class NoOpOAuthConfigCache {
-    async get(_key) {
-        return null;
-    }
-    async set(_key, _value, _ttl) {
-        // No-op
-    }
-    async clear() {
-        // No-op
-    }
-    async delete(_key) {
-        // No-op
-    }
-}
-//# sourceMappingURL=oauth-config-cache.js.map

package/src/providers/base.js

@@ -1,38 +0,0 @@
-/**
- * Base Provider Classes
- *
- * Abstract classes that define the provider interfaces for
- * platform-specific implementations.
- */
-/**
- * Cryptographic operations provider
- */
-export class CryptoProvider {
-}
-/**
- * Clock/timing operations provider
- */
-export class ClockProvider {
-}
-/**
- * Network fetch operations provider
- */
-export class FetchProvider {
-}
-/**
- * Storage operations provider
- */
-export class StorageProvider {
-}
-/**
- * Nonce cache provider
- * Handles replay prevention
- *
- * Nonces should be scoped per agent to prevent cross-agent replay attacks.
- * When agentDid is provided, implementations should use agent-scoped keys.
- */
-export class NonceCacheProvider {
-}
-export class IdentityProvider {
-}
-//# sourceMappingURL=base.js.map

package/src/services/oauth-config.service.js

@@ -1,113 +0,0 @@
-/**
- * OAuth Config Service
- *
- * Fetches and caches OAuth provider configurations from AgentShield API.
- * Provides caching with TTL to reduce API calls.
- *
- * @package @kya-os/mcp-i-core
- */
-import { InMemoryOAuthConfigCache } from "../cache/oauth-config-cache.js";
-/**
- * Service for fetching OAuth provider configurations from AgentShield API
- */
-export class OAuthConfigService {
-    config;
-    constructor(config) {
-        this.config = {
-            baseUrl: config.baseUrl,
-            apiKey: config.apiKey,
-            fetchProvider: config.fetchProvider,
-            cacheTtl: config.cacheTtl ?? 5 * 60 * 1000, // Default 5 minutes
-            logger: config.logger || (() => { }),
-            cache: config.cache || new InMemoryOAuthConfigCache(),
-        };
-    }
-    /**
-     * Get OAuth configuration for a project
-     *
-     * Fetches from AgentShield API: GET /api/v1/bouncer/projects/{projectId}/providers
-     * Caches responses with TTL to reduce API calls.
-     *
-     * @param projectId - Project ID to fetch config for
-     * @returns OAuth configuration with providers object
-     */
-    async getOAuthConfig(projectId) {
-        // Check cache
-        const cached = await this.config.cache.get(projectId);
-        if (cached) {
-            this.config.logger("[OAuthConfigService] Cache hit", {
-                projectId,
-            });
-            return cached;
-        }
-        // Fetch from AgentShield API
-        const url = `${this.config.baseUrl}/api/v1/bouncer/projects/${encodeURIComponent(projectId)}/providers`;
-        this.config.logger("[OAuthConfigService] Fetching config from API", {
-            projectId,
-            url,
-        });
-        try {
-            const response = await this.config.fetchProvider.fetch(url, {
-                method: "GET",
-                headers: {
-                    Authorization: `Bearer ${this.config.apiKey}`,
-                    "Content-Type": "application/json",
-                },
-            });
-            if (!response.ok) {
-                const errorText = await response.text().catch(() => "Unknown error");
-                throw new Error(`Failed to fetch OAuth config: ${response.status} ${response.statusText} - ${errorText}`);
-            }
-            const result = await response.json();
-            // Validate response structure
-            if (!result.success || !result.data) {
-                throw new Error("Invalid API response: missing success or data field");
-            }
-            // Parse providers object
-            const providers = result.data.providers || {};
-            if (typeof providers !== "object" || Array.isArray(providers)) {
-                throw new Error("Invalid API response: providers must be an object, not an array");
-            }
-            // Build OAuthConfig object
-            // Note: API does NOT return defaultProvider field (Phase 1 architecture)
-            // Phase 1 uses configured provider as temporary fallback
-            // Phase 2+ requires tools to explicitly specify oauthProvider
-            const config = {
-                providers: providers,
-            };
-            // Cache config
-            await this.config.cache.set(projectId, config, this.config.cacheTtl);
-            this.config.logger("[OAuthConfigService] Config fetched and cached", {
-                projectId,
-                providerCount: Object.keys(providers).length,
-                providers: Object.keys(providers),
-                expiresAt: new Date(Date.now() + this.config.cacheTtl).toISOString(),
-            });
-            return config;
-        }
-        catch (error) {
-            this.config.logger("[OAuthConfigService] API fetch failed", {
-                projectId,
-                error: error instanceof Error ? error.message : String(error),
-            });
-            throw error;
-        }
-    }
-    /**
-     * Clear cached config for a project
-     *
-     * @param projectId - Project ID to clear cache for
-     */
-    async clearCache(projectId) {
-        await this.config.cache.delete(projectId);
-        this.config.logger("[OAuthConfigService] Cache cleared", { projectId });
-    }
-    /**
-     * Clear all cached configs
-     */
-    async clearAllCache() {
-        await this.config.cache.clear();
-        this.config.logger("[OAuthConfigService] All cache cleared");
-    }
-}
-//# sourceMappingURL=oauth-config.service.js.map