@kya-os/mcp-i-core 1.3.10-canary.clientinfo.20251126124133 → 1.3.10

package/src/services/session-registration.service.ts

@@ -109,55 +109,9 @@ export class SessionRegistrationService {
         sessionId,
         agentDid: request.agent_did,
         clientName: request.client_info.name,
-        clientVersion: request.client_info.version,
-        hasClientIdentity: !!request.client_identity,
         url,
       });
 
-      // ✅ EMPIRICAL PROOF: Prepare request headers
-      // Try Authorization: Bearer first (same as proofs endpoint)
-      // If that fails, AgentShield may need X-AgentShield-Key instead
-      const requestHeaders = {
-        "Content-Type": "application/json",
-        Authorization: `Bearer ${this.config.apiKey}`, // Use same auth as proofs endpoint
-      };
-
-      // ✅ EMPIRICAL PROOF: Log exact request details (sanitized for security)
-      const sanitizedHeaders = {
-        ...requestHeaders,
-        Authorization: `Bearer ${this.config.apiKey.slice(0, 8)}...${this.config.apiKey.slice(-4)}`, // Show first 8 and last 4 chars
-      };
-
-      const sanitizedBody = {
-        session_id: request.session_id,
-        agent_did: request.agent_did,
-        project_id: request.project_id,
-        created_at: request.created_at,
-        client_info: request.client_info,
-        client_identity: request.client_identity,
-        server_did: request.server_did,
-        ttl_minutes: request.ttl_minutes,
-      };
-
-      this.config.logger(
-        "[SessionRegistration] 🔍 EMPIRICAL DEBUG - Request details",
-        {
-          url,
-          method: "POST",
-          headers: sanitizedHeaders,
-          headerKeys: Object.keys(requestHeaders),
-          authHeaderPresent: !!requestHeaders["Authorization"],
-          authHeaderName: "Authorization",
-          authHeaderFormat: requestHeaders["Authorization"]?.startsWith(
-            "Bearer "
-          )
-            ? "Bearer"
-            : "Other",
-          body: sanitizedBody,
-          bodySize: JSON.stringify(request).length,
-        }
-      );
-
       // Make the request with timeout
       const controller = new AbortController();
       const timeoutId = setTimeout(
@@ -168,89 +122,47 @@ export class SessionRegistrationService {
       try {
         const response = await this.config.fetchProvider.fetch(url, {
           method: "POST",
-          headers: requestHeaders,
+          headers: {
+            "Content-Type": "application/json",
+            Authorization: `Bearer ${this.config.apiKey}`,
+          },
           body: JSON.stringify(request),
           signal: controller.signal,
         });
 
         clearTimeout(timeoutId);
 
-        // ✅ EMPIRICAL PROOF: Capture exact response details
-        const responseHeaders: Record<string, string> = {};
-        response.headers.forEach((value, key) => {
-          responseHeaders[key] = value;
-        });
-
-        const responseText = await response
-          .text()
-          .catch(() => "Failed to read response");
-        let responseBody: unknown;
-        try {
-          responseBody = JSON.parse(responseText);
-        } catch {
-          responseBody = responseText;
-        }
-
-        // ✅ EMPIRICAL PROOF: Log exact response details
-        this.config.logger(
-          "[SessionRegistration] 🔍 EMPIRICAL DEBUG - Response details",
-          {
-            status: response.status,
-            statusText: response.statusText,
-            ok: response.ok,
-            headers: responseHeaders,
-            body: responseBody,
-            bodyLength: responseText.length,
-            clientName: request.client_info.name,
-            // ✅ DEBUG: Include request ID from response headers for AgentShield support
-            requestId:
-              responseHeaders["x-request-id"] ||
-              responseHeaders["X-Request-ID"] ||
-              "not-provided",
-            // ✅ DEBUG: Full response text for AgentShield team
-            fullResponseText: responseText,
-          }
-        );
-
         if (!response.ok) {
           // Log error but don't throw - this is fire-and-forget
+          const errorText = await response.text().catch(() => "Unknown error");
           this.config.logger("[SessionRegistration] Registration failed", {
             sessionId,
             status: response.status,
-            error: responseText,
-            // ✅ DEBUG: EMPIRICAL: Include full response details
-            responseHeaders,
-            responseBody,
-            clientName: request.client_info.name,
-            // ✅ DEBUG: Request ID for AgentShield support ticket
-            requestId:
-              responseHeaders["x-request-id"] ||
-              responseHeaders["X-Request-ID"] ||
-              "not-provided",
-            // ✅ DEBUG: Full request body for AgentShield team
-            fullRequestBody: JSON.stringify(request, null, 2),
+            error: errorText,
           });
           return {
             success: false,
             sessionId,
-            error: `HTTP ${response.status}: ${responseText}`,
+            error: `HTTP ${response.status}: ${errorText}`,
           };
         }
 
-        // Parse response (using already-captured responseBody)
-        const responseData = responseBody as
-          | { data?: RegisterSessionResponse }
-          | RegisterSessionResponse;
+        // Parse response
+        const responseData = (await response.json()) as {
+          data?: RegisterSessionResponse;
+        } & RegisterSessionResponse;
         const parseResult = registerSessionResponseSchema.safeParse(
-          (responseData as { data?: RegisterSessionResponse }).data ||
-            responseData
+          responseData.data || responseData
         );
 
         if (!parseResult.success) {
-          this.config.logger("[SessionRegistration] Invalid response format", {
-            sessionId,
-            response: responseData,
-          });
+          this.config.logger(
+            "[SessionRegistration] Invalid response format",
+            {
+              sessionId,
+              response: responseData,
+            }
+          );
           // Still consider it a success if we got a 200 OK
           return { success: true, sessionId };
         }
@@ -258,12 +170,6 @@ export class SessionRegistrationService {
         this.config.logger("[SessionRegistration] Session registered", {
           sessionId,
           registered: parseResult.data.registered,
-          // ✅ DEBUG: Include full response for AgentShield debugging
-          responseData: parseResult.data,
-          requestId:
-            responseHeaders["x-request-id"] ||
-            responseHeaders["X-Request-ID"] ||
-            "not-provided",
         });
 
         return { success: true, sessionId };
@@ -281,7 +187,8 @@ export class SessionRegistrationService {
       }
 
       // Log any other error
-      const errorMsg = error instanceof Error ? error.message : "Unknown error";
+      const errorMsg =
+        error instanceof Error ? error.message : "Unknown error";
       this.config.logger("[SessionRegistration] Unexpected error", {
         sessionId,
         error: errorMsg,
@@ -303,13 +210,10 @@ export class SessionRegistrationService {
     this.registerSession(request).catch((error) => {
       // This should never happen since registerSession catches all errors,
       // but just in case
-      this.config.logger(
-        "[SessionRegistration] Background registration failed",
-        {
-          sessionId: request.session_id,
-          error: error instanceof Error ? error.message : "Unknown error",
-        }
-      );
+      this.config.logger("[SessionRegistration] Background registration failed", {
+        sessionId: request.session_id,
+        error: error instanceof Error ? error.message : "Unknown error",
+      });
     });
   }
 }
@@ -344,3 +248,4 @@ export function createSessionRegistrationService(options: {
     logger: options.logger,
   });
 }
+

package/src/services/tool-protection.service.ts

@@ -46,7 +46,7 @@
  * If tool not discovered:
  * - Tool won't appear in dashboard
  * - Protection settings can't be configured
- * - GET /tool-protections returns empty object
+ * - GET /config returns empty toolProtection.tools object
  *
  * DEBUGGING:
  * ----------
@@ -87,34 +87,56 @@ import type {
 import type { ToolProtectionCache } from "../cache/tool-protection-cache.js";
 import { InMemoryToolProtectionCache } from "../cache/tool-protection-cache.js";
 
+/**
+ * Tool protection data structure in API responses
+ */
+interface ToolProtectionData {
+  requiresDelegation?: boolean;
+  requires_delegation?: boolean;
+  requiredScopes?: string[];
+  required_scopes?: string[];
+  scopes?: string[];
+  riskLevel?: string;
+  risk_level?: string;
+  oauthProvider?: string;
+  oauth_provider?: string;
+  authorization?: {
+    type: string;
+    provider?: string;
+    issuer?: string;
+    credentialType?: string;
+  };
+}
+
 /**
  * Response from AgentShield API bouncer endpoints
  *
  * Supports multiple endpoint formats:
- * 1. New endpoint (/projects/{projectId}/tool-protections): { data: { toolProtections: { [toolName]: {...} } } } }
- * 2. Old endpoint (/config?agent_did=...): { data: { tools: [{ name: string, ... }] } }
- * 3. Legacy format: { data: { tools: { [toolName]: {...} } } }
+ * 1. Merged config (/projects/{projectId}/config): { data: { config: { toolProtection: { tools: {...} } } } }
+ * 2. Legacy tool-protections endpoint: { data: { toolProtections: { [toolName]: {...} } } }
+ * 3. Old config endpoint (/config?agent_did=...): { data: { tools: [{ name: string, ... }] } }
+ * 4. Legacy format: { data: { tools: { [toolName]: {...} } } }
  */
 interface BouncerConfigApiResponse {
   success: boolean;
   data: {
     agent_did?: string;
-    // New endpoint format: toolProtections object
-    toolProtections?: Record<
-      string,
-      {
-        requiresDelegation?: boolean;
-        requires_delegation?: boolean;
-        requiredScopes?: string[];
-        required_scopes?: string[];
-        scopes?: string[];
-        riskLevel?: string;
-        risk_level?: string;
-        oauthProvider?: string; // Phase 2: Tool-specific OAuth provider
-        oauth_provider?: string; // Phase 2: snake_case variant
-      }
-    >;
-    // Old endpoint format: tools array or object
+    
+    // NEW: Merged config format (v1.6.0+) - preferred format
+    // The entire config is returned with tools embedded at config.toolProtection.tools
+    config?: {
+      toolProtection?: {
+        source?: string;
+        tools?: Record<string, ToolProtectionData>;
+      };
+      // Other config fields we don't need to parse
+      [key: string]: unknown;
+    };
+    
+    // DEPRECATED: Top-level toolProtections (backward compatibility during transition)
+    toolProtections?: Record<string, ToolProtectionData>;
+    
+    // Legacy endpoint formats
     tools?:
       | Array<{
           name: string;
@@ -122,20 +144,10 @@ interface BouncerConfigApiResponse {
           requires_delegation?: boolean;
           scopes?: string[];
           required_scopes?: string[];
-          oauthProvider?: string; // Phase 2: Tool-specific OAuth provider
-          oauth_provider?: string; // Phase 2: snake_case variant
+          oauthProvider?: string;
+          oauth_provider?: string;
         }>
-      | Record<
-          string,
-          {
-            requiresDelegation?: boolean;
-            requires_delegation?: boolean;
-            scopes?: string[];
-            required_scopes?: string[];
-            oauthProvider?: string; // Phase 2: Tool-specific OAuth provider
-            oauth_provider?: string; // Phase 2: snake_case variant
-          }
-        >;
+      | Record<string, ToolProtectionData>;
     reputation_threshold?: number;
     denied_agents?: string[];
   };
@@ -271,7 +283,7 @@ export class ToolProtectionService {
         projectId: this.config.projectId || "none",
         apiUrl: this.config.apiUrl,
         endpoint: this.config.projectId
-          ? `/api/v1/bouncer/projects/${this.config.projectId}/tool-protections`
+          ? `/api/v1/bouncer/projects/${this.config.projectId}/config`
           : `/api/v1/bouncer/config?agent_did=${agentDid}`,
       });
     }
@@ -287,6 +299,8 @@ export class ToolProtectionService {
           projectId: this.config.projectId || "none",
           responseKeys: Object.keys(response),
           dataKeys: response.data ? Object.keys(response.data) : [],
+          rawConfig: response.data?.config || null,
+          rawConfigToolProtection: response.data?.config?.toolProtection || null,
           rawToolProtections: response.data?.toolProtections || null,
           rawTools: response.data?.tools || null,
           responseMetadata: response.metadata || null,
@@ -294,15 +308,54 @@ export class ToolProtectionService {
       }
 
       // Transform API response format to internal format
-      // Supports multiple response formats:
-      // 1. New endpoint: { data: { toolProtections: { greet: { requiresDelegation: true, ... } } } }
-      // 2. Old endpoint (array): { data: { tools: [{ name: "greet", requiresDelegation: true, ... }] } }
-      // 3. Old endpoint (object): { data: { tools: { greet: { requiresDelegation: true, ... } } } }
+      // Supports multiple response formats (in priority order):
+      // 1. Merged config endpoint: { data: { config: { toolProtection: { tools: {...} } } } }
+      // 2. Legacy toolProtections: { data: { toolProtections: { greet: { requiresDelegation: true, ... } } } }
+      // 3. Old endpoint (array): { data: { tools: [{ name: "greet", requiresDelegation: true, ... }] } }
+      // 4. Old endpoint (object): { data: { tools: { greet: { requiresDelegation: true, ... } } } }
       const toolProtections: Record<string, ToolProtection> = {};
 
-      // Check for new endpoint format first (toolProtections)
-      if (response.data.toolProtections) {
-        // New endpoint format: object with tool names as keys
+      // Check for merged config format first (data.config.toolProtection.tools)
+      if (response.data.config?.toolProtection?.tools) {
+        // Merged config endpoint format: object with tool names as keys
+        if (this.config.debug) {
+          console.log("[ToolProtectionService] Using merged config format (data.config.toolProtection.tools)");
+        }
+        for (const [toolName, toolConfig] of Object.entries(
+          response.data.config.toolProtection.tools
+        )) {
+          const requiresDelegation =
+            (toolConfig as any).requiresDelegation ??
+            (toolConfig as any).requires_delegation ??
+            false;
+          const requiredScopes =
+            (toolConfig as any).requiredScopes ??
+            (toolConfig as any).required_scopes ??
+            (toolConfig as any).scopes ??
+            [];
+          
+          const oauthProvider =
+            (toolConfig as any).oauthProvider ??
+            (toolConfig as any).oauth_provider ??
+            undefined;
+          
+          const riskLevel =
+            (toolConfig as any).riskLevel ??
+            (toolConfig as any).risk_level ??
+            undefined;
+
+          toolProtections[toolName] = {
+            requiresDelegation,
+            requiredScopes,
+            ...(oauthProvider && { oauthProvider }),
+            ...(riskLevel && { riskLevel }),
+          };
+        }
+      } else if (response.data.toolProtections) {
+        // Legacy toolProtections format: object with tool names as keys
+        if (this.config.debug) {
+          console.log("[ToolProtectionService] Using legacy toolProtections format (data.toolProtections)");
+        }
         // Prefer camelCase over snake_case when both present
         for (const [toolName, toolConfig] of Object.entries(
           response.data.toolProtections
@@ -665,7 +718,10 @@ export class ToolProtectionService {
 
   /**
    * Fetch tool protection config from AgentShield API
-   * Uses projectId endpoint if available (preferred, project-scoped), otherwise falls back to agent_did query param
+   * 
+   * Uses the merged /config endpoint which returns tool protections embedded
+   * at config.toolProtection.tools. Falls back to legacy formats for backward
+   * compatibility.
    *
    * @param agentDid DID of the agent to fetch config for
    * @param options Optional fetch options
@@ -675,17 +731,17 @@ export class ToolProtectionService {
     agentDid: string,
     options?: { bypassCDNCache?: boolean }
   ): Promise<BouncerConfigApiResponse> {
-    // Prefer new project-scoped endpoint: /api/v1/bouncer/projects/{projectId}/tool-protections
-    // Falls back to old endpoint: /api/v1/bouncer/config?agent_did={did} for backward compatibility
+    // Use the merged /config endpoint which includes embedded tool protections
+    // This endpoint returns config.toolProtection.tools with all tool rules
     let url: string;
-    let useNewEndpoint = false;
+    let useMergedEndpoint = false;
 
     if (this.config.projectId) {
-      // ✅ NEW ENDPOINT: Project-scoped, returns toolProtections object
-      url = `${this.config.apiUrl}/api/v1/bouncer/projects/${encodeURIComponent(this.config.projectId)}/tool-protections`;
-      useNewEndpoint = true;
+      // ✅ MERGED CONFIG ENDPOINT: Returns config with embedded toolProtection.tools
+      url = `${this.config.apiUrl}/api/v1/bouncer/projects/${encodeURIComponent(this.config.projectId)}/config`;
+      useMergedEndpoint = true;
     } else {
-      // ⚠️ OLD ENDPOINT: Agent-scoped, returns tools array (backward compatibility)
+      // ⚠️ LEGACY ENDPOINT: Agent-scoped, returns tools array (backward compatibility)
       url = `${this.config.apiUrl}/api/v1/bouncer/config?agent_did=${encodeURIComponent(agentDid)}`;
     }
 
@@ -712,9 +768,9 @@ export class ToolProtectionService {
 
     if (this.config.debug) {
       console.log("[ToolProtectionService] Fetching from API:", url, {
-        method: useNewEndpoint
-          ? "projects/{projectId}/tool-protections (new)"
-          : "config?agent_did (old)",
+        method: useMergedEndpoint
+          ? "projects/{projectId}/config (merged)"
+          : "config?agent_did (legacy)",
         projectId: this.config.projectId || "none",
         apiKeyPresent: !!this.config.apiKey,
         apiKeyLength,
@@ -736,19 +792,19 @@ export class ToolProtectionService {
       );
     }
 
-    // Build headers - new endpoint uses X-API-Key, old endpoint uses Authorization Bearer
+    // Build headers - merged endpoint uses X-API-Key, legacy uses Authorization Bearer
     const headers: Record<string, string> = {
       "Content-Type": "application/json",
     };
 
-    if (useNewEndpoint) {
-      // ✅ New endpoint headers
+    if (useMergedEndpoint) {
+      // ✅ Merged config endpoint headers
       headers["X-API-Key"] = this.config.apiKey;
       if (this.config.projectId) {
         headers["X-Project-Id"] = this.config.projectId;
       }
     } else {
-      // ⚠️ Old endpoint headers (backward compatibility)
+      // ⚠️ Legacy endpoint headers (backward compatibility)
       headers["Authorization"] = `Bearer ${this.config.apiKey}`;
     }
 
@@ -786,6 +842,19 @@ export class ToolProtectionService {
       throw new Error("API returned success: false");
     }
 
+    // Transform merged config format to normalized format
+    // If response contains config.toolProtection.tools, extract them to data.toolProtections
+    if (useMergedEndpoint && data.data.config?.toolProtection?.tools) {
+      // Extract embedded tools to the standard toolProtections field
+      data.data.toolProtections = data.data.config.toolProtection.tools;
+      if (this.config.debug) {
+        console.log("[ToolProtectionService] Extracted tools from merged config", {
+          toolCount: Object.keys(data.data.toolProtections).length,
+          tools: Object.keys(data.data.toolProtections),
+        });
+      }
+    }
+
     return data;
   }
 

package/src/utils/base58.ts

@@ -0,0 +1,109 @@
+/**
+ * Base58 Utilities (Bitcoin alphabet)
+ *
+ * Encoding and decoding utilities for Base58 (Bitcoin alphabet).
+ * Used for did:key multibase encoding (with 'z' prefix for base58btc).
+ *
+ * The Bitcoin alphabet excludes ambiguous characters (0, O, I, l).
+ */
+
+const ALPHABET = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz';
+const ALPHABET_MAP = new Map<string, number>();
+
+// Build reverse lookup map
+for (let i = 0; i < ALPHABET.length; i++) {
+  ALPHABET_MAP.set(ALPHABET[i], i);
+}
+
+/**
+ * Encode bytes to Base58 (Bitcoin alphabet)
+ *
+ * @param bytes - Bytes to encode
+ * @returns Base58-encoded string
+ */
+export function base58Encode(bytes: Uint8Array): string {
+  if (bytes.length === 0) return '';
+
+  // Convert bytes to big integer
+  let num = BigInt(0);
+  for (let i = 0; i < bytes.length; i++) {
+    num = num * BigInt(256) + BigInt(bytes[i]);
+  }
+
+  // Convert to base58
+  let result = '';
+  while (num > 0) {
+    result = ALPHABET[Number(num % BigInt(58))] + result;
+    num = num / BigInt(58);
+  }
+
+  // Add leading zeros (encoded as '1' in base58)
+  for (let i = 0; i < bytes.length && bytes[i] === 0; i++) {
+    result = '1' + result;
+  }
+
+  return result;
+}
+
+/**
+ * Decode Base58 (Bitcoin alphabet) to bytes
+ *
+ * @param encoded - Base58-encoded string
+ * @returns Decoded bytes
+ * @throws Error if input contains invalid characters
+ */
+export function base58Decode(encoded: string): Uint8Array {
+  if (encoded.length === 0) return new Uint8Array(0);
+
+  // Convert base58 to big integer
+  let num = BigInt(0);
+  for (const char of encoded) {
+    const value = ALPHABET_MAP.get(char);
+    if (value === undefined) {
+      throw new Error(`Invalid base58 character: ${char}`);
+    }
+    num = num * BigInt(58) + BigInt(value);
+  }
+
+  // Convert big integer to bytes
+  const bytes: number[] = [];
+  while (num > 0) {
+    bytes.unshift(Number(num % BigInt(256)));
+    num = num / BigInt(256);
+  }
+
+  // Count leading zeros in input (encoded as '1')
+  let leadingZeros = 0;
+  for (const char of encoded) {
+    if (char === '1') {
+      leadingZeros++;
+    } else {
+      break;
+    }
+  }
+
+  // Prepend leading zero bytes
+  const result = new Uint8Array(leadingZeros + bytes.length);
+  // Leading zeros are already 0 in Uint8Array
+  result.set(bytes, leadingZeros);
+
+  return result;
+}
+
+/**
+ * Validate a Base58 string
+ *
+ * @param encoded - String to validate
+ * @returns true if valid Base58, false otherwise
+ */
+export function isValidBase58(encoded: string): boolean {
+  if (encoded.length === 0) return true;
+
+  for (const char of encoded) {
+    if (!ALPHABET_MAP.has(char)) {
+      return false;
+    }
+  }
+
+  return true;
+}