@kya-os/mcp-i-core 1.3.10 → 1.3.11

package/src/services/tool-protection.service.ts

@@ -266,7 +266,10 @@ export class ToolProtectionService {
           projectId: this.config.projectId || "none",
           toolCount: Object.keys(cached.toolProtections).length,
           protectedTools: Object.entries(cached.toolProtections)
-            .filter(([_, config]: [string, ToolProtection]) => config.requiresDelegation)
+            .filter(
+              ([_, config]: [string, ToolProtection]) =>
+                config.requiresDelegation
+            )
             .map(([name]) => name),
           cacheTtlMs: ttl,
           cachedUntil,
@@ -369,13 +372,13 @@ export class ToolProtectionService {
             (toolConfig as any).required_scopes ??
             (toolConfig as any).scopes ??
             [];
-          
+
           // NEW: Parse oauthProvider (camelCase and snake_case support)
           const oauthProvider =
             (toolConfig as any).oauthProvider ??
             (toolConfig as any).oauth_provider ??
             undefined;
-          
+
           const riskLevel =
             (toolConfig as any).riskLevel ??
             (toolConfig as any).risk_level ??
@@ -414,17 +417,15 @@ export class ToolProtectionService {
               (tool as any).required_scopes ??
               (tool as any).scopes ??
               [];
-            
+
             // NEW: Parse oauthProvider
             const oauthProvider =
               (tool as any).oauthProvider ??
               (tool as any).oauth_provider ??
               undefined;
-            
+
             const riskLevel =
-              (tool as any).riskLevel ??
-              (tool as any).risk_level ??
-              undefined;
+              (tool as any).riskLevel ?? (tool as any).risk_level ?? undefined;
 
             toolProtections[toolName] = {
               requiresDelegation,
@@ -448,13 +449,13 @@ export class ToolProtectionService {
               (toolConfig as any).required_scopes ??
               (toolConfig as any).scopes ??
               [];
-            
+
             // NEW: Parse oauthProvider
             const oauthProvider =
               (toolConfig as any).oauthProvider ??
               (toolConfig as any).oauth_provider ??
               undefined;
-            
+
             const riskLevel =
               (toolConfig as any).riskLevel ??
               (toolConfig as any).risk_level ??
@@ -480,7 +481,11 @@ export class ToolProtectionService {
         )) {
           // Skip if localConfig is empty or not a valid ToolProtection object
           // This prevents empty objects from corrupting the merged config
-          if (!localConfig || typeof localConfig !== 'object' || Object.keys(localConfig).length === 0) {
+          if (
+            !localConfig ||
+            typeof localConfig !== "object" ||
+            Object.keys(localConfig).length === 0
+          ) {
             if (this.config.debug) {
               console.log(
                 "[ToolProtectionService] Skipping empty/invalid fallback config entry",
@@ -489,13 +494,14 @@ export class ToolProtectionService {
             }
             continue;
           }
-          
+
           // Ensure requiredScopes exists (default to empty array if missing)
           const validConfig: ToolProtection = {
-            requiresDelegation: (localConfig as any).requiresDelegation ?? false,
+            requiresDelegation:
+              (localConfig as any).requiresDelegation ?? false,
             requiredScopes: (localConfig as any).requiredScopes ?? [],
           };
-          
+
           // Local config overrides API config for this tool
           mergedToolProtections[toolName] = validConfig;
           if (this.config.debug) {
@@ -524,8 +530,10 @@ export class ToolProtectionService {
       console.log("[ToolProtectionService] Config loaded from API", {
         source: "api",
         toolCount: Object.keys(mergedToolProtections).length,
-          protectedTools: Object.entries(mergedToolProtections)
-          .filter(([_, config]: [string, ToolProtection]) => config.requiresDelegation)
+        protectedTools: Object.entries(mergedToolProtections)
+          .filter(
+            ([_, config]: [string, ToolProtection]) => config.requiresDelegation
+          )
           .map(([name]) => name),
         agentDid: agentDid.slice(0, 20) + "...",
         projectId: this.config.projectId || "none",
@@ -885,28 +893,28 @@ export class ToolProtectionService {
 
   /**
    * Clear cache and immediately fetch fresh config from API
-   * 
+   *
    * This method is designed for Cloudflare Workers where KV has edge caching.
    * After clearing the KV entry, it fetches fresh data from the API and writes
    * it back to KV. This ensures:
    * 1. The global KV entry is deleted
    * 2. Fresh data is fetched from API (with CDN cache bypass!)
    * 3. New data is written to KV (updating edge cache)
-   * 
+   *
    * The next request from the same edge location will get the fresh data.
-   * 
+   *
    * IMPORTANT: This method uses bypassCDNCache to ensure we get fresh data
    * from AgentShield's origin server, not stale CDN-cached data. This is
    * critical for instant cache invalidation when tool protection settings
    * are changed in the AgentShield dashboard.
-   * 
+   *
    * @param agentDid DID of the agent (used for cache key)
    * @returns The fresh tool protection config from API
    */
   async clearAndRefresh(agentDid: string): Promise<{
     config: ToolProtectionConfig;
     cacheKey: string;
-    source: 'api' | 'fallback';
+    source: "api" | "fallback";
   }> {
     const cacheKey = this.config.projectId
       ? `config:tool-protections:${this.config.projectId}`
@@ -926,7 +934,9 @@ export class ToolProtectionService {
     // 2. Fetch fresh config from API with CDN cache bypass
     // This ensures we get fresh data from origin, not stale CDN data
     try {
-      const response = await this.fetchFromApi(agentDid, { bypassCDNCache: true });
+      const response = await this.fetchFromApi(agentDid, {
+        bypassCDNCache: true,
+      });
 
       // Transform API response to internal format (same logic as getToolProtectionConfig)
       const toolProtections: Record<string, ToolProtection> = {};
@@ -966,15 +976,20 @@ export class ToolProtectionService {
             const toolName = (tool as any).name;
             if (!toolName) continue;
             const requiresDelegation =
-              (tool as any).requiresDelegation ?? (tool as any).requires_delegation ?? false;
+              (tool as any).requiresDelegation ??
+              (tool as any).requires_delegation ??
+              false;
             const requiredScopes =
               (tool as any).requiredScopes ??
               (tool as any).required_scopes ??
               (tool as any).scopes ??
               [];
             const oauthProvider =
-              (tool as any).oauthProvider ?? (tool as any).oauth_provider ?? undefined;
-            const riskLevel = (tool as any).riskLevel ?? (tool as any).risk_level ?? undefined;
+              (tool as any).oauthProvider ??
+              (tool as any).oauth_provider ??
+              undefined;
+            const riskLevel =
+              (tool as any).riskLevel ?? (tool as any).risk_level ?? undefined;
 
             toolProtections[toolName] = {
               requiresDelegation,
@@ -1033,19 +1048,23 @@ export class ToolProtectionService {
         source: "api",
       });
 
-      return { config: freshConfig, cacheKey, source: 'api' };
+      return { config: freshConfig, cacheKey, source: "api" };
     } catch (error) {
-      console.warn("[ToolProtectionService] API fetch failed during refresh, using fallback", {
-        error: error instanceof Error ? error.message : String(error),
-        cacheKey,
-      });
+      console.warn(
+        "[ToolProtectionService] API fetch failed during refresh, using fallback",
+        {
+          error: error instanceof Error ? error.message : String(error),
+          cacheKey,
+        }
+      );
 
       // Use fallback config if API fails
-      const fallbackConfig: ToolProtectionConfig = this.config.fallbackConfig || {
+      const fallbackConfig: ToolProtectionConfig = this.config
+        .fallbackConfig || {
         toolProtections: {},
       };
 
-      return { config: fallbackConfig, cacheKey, source: 'fallback' };
+      return { config: fallbackConfig, cacheKey, source: "fallback" };
     }
   }
 }

package/src/utils/__tests__/did-helpers.test.ts

@@ -11,6 +11,8 @@ import {
   normalizeDid,
   compareDids,
   getServerDid,
+  generateDidKeyFromBytes,
+  generateDidKeyFromBase64,
 } from "../did-helpers";
 
 describe("DID Helpers", () => {
@@ -97,5 +99,58 @@ describe("DID Helpers", () => {
       expect(() => getServerDid(config)).toThrow("Server DID not configured");
     });
   });
+
+  describe("generateDidKeyFromBytes", () => {
+    it("should generate valid did:key from 32-byte Ed25519 public key", () => {
+      // Use a known test key (32 bytes)
+      const publicKeyBytes = new Uint8Array(32).fill(0xab);
+      const did = generateDidKeyFromBytes(publicKeyBytes);
+
+      expect(did).toMatch(/^did:key:z6Mk/);
+      expect(isValidDid(did)).toBe(true);
+      expect(getDidMethod(did)).toBe("key");
+    });
+
+    it("should generate consistent did:key for same input", () => {
+      const publicKeyBytes = new Uint8Array(32).fill(0x42);
+      const did1 = generateDidKeyFromBytes(publicKeyBytes);
+      const did2 = generateDidKeyFromBytes(publicKeyBytes);
+
+      expect(did1).toBe(did2);
+    });
+
+    it("should generate different did:key for different inputs", () => {
+      const key1 = new Uint8Array(32).fill(0x11);
+      const key2 = new Uint8Array(32).fill(0x22);
+
+      const did1 = generateDidKeyFromBytes(key1);
+      const did2 = generateDidKeyFromBytes(key2);
+
+      expect(did1).not.toBe(did2);
+    });
+  });
+
+  describe("generateDidKeyFromBase64", () => {
+    it("should generate valid did:key from base64-encoded public key", () => {
+      // Base64 encode a 32-byte key
+      const publicKeyBytes = new Uint8Array(32).fill(0xcd);
+      const publicKeyBase64 = btoa(String.fromCharCode(...publicKeyBytes));
+
+      const did = generateDidKeyFromBase64(publicKeyBase64);
+
+      expect(did).toMatch(/^did:key:z6Mk/);
+      expect(isValidDid(did)).toBe(true);
+    });
+
+    it("should produce same result as generateDidKeyFromBytes", () => {
+      const publicKeyBytes = new Uint8Array(32).fill(0xef);
+      const publicKeyBase64 = btoa(String.fromCharCode(...publicKeyBytes));
+
+      const didFromBytes = generateDidKeyFromBytes(publicKeyBytes);
+      const didFromBase64 = generateDidKeyFromBase64(publicKeyBase64);
+
+      expect(didFromBytes).toBe(didFromBase64);
+    });
+  });
 });
 

package/src/utils/did-helpers.ts

@@ -7,6 +7,8 @@
  * @package @kya-os/mcp-i-core/utils
  */
 
+import { base58Encode } from "./base58";
+
 /**
  * Check if a string is a valid DID format
  *
@@ -148,3 +150,61 @@ export function extractAgentSlug(did: string): string {
   return extractAgentId(did);
 }
 
+/**
+ * Ed25519 multicodec prefix for did:key encoding
+ * As per https://w3c-ccg.github.io/did-method-key/
+ */
+const ED25519_MULTICODEC_PREFIX = new Uint8Array([0xed, 0x01]);
+
+/**
+ * Generate a did:key from Ed25519 public key bytes
+ *
+ * Following spec: https://w3c-ccg.github.io/did-method-key/
+ * Format: did:key:z<multibase-base58btc(<multicodec-ed25519-pub><publicKey>)>
+ *
+ * @param publicKeyBytes - Ed25519 public key as Uint8Array (32 bytes)
+ * @returns did:key string
+ *
+ * @example
+ * ```typescript
+ * const publicKey = new Uint8Array(32); // 32-byte Ed25519 public key
+ * const did = generateDidKeyFromBytes(publicKey);
+ * // did = "did:key:z6Mk..."
+ * ```
+ */
+export function generateDidKeyFromBytes(publicKeyBytes: Uint8Array): string {
+  // Combine multicodec prefix + public key
+  const multicodecKey = new Uint8Array(
+    ED25519_MULTICODEC_PREFIX.length + publicKeyBytes.length
+  );
+  multicodecKey.set(ED25519_MULTICODEC_PREFIX);
+  multicodecKey.set(publicKeyBytes, ED25519_MULTICODEC_PREFIX.length);
+
+  // Base58-btc encode and add multibase prefix 'z'
+  const base58Encoded = base58Encode(multicodecKey);
+  return `did:key:z${base58Encoded}`;
+}
+
+/**
+ * Generate a did:key from base64-encoded Ed25519 public key
+ *
+ * Convenience wrapper around generateDidKeyFromBytes for base64-encoded keys.
+ *
+ * @param publicKeyBase64 - Ed25519 public key as base64 string
+ * @returns did:key string
+ *
+ * @example
+ * ```typescript
+ * const publicKeyBase64 = "...base64 encoded key...";
+ * const did = generateDidKeyFromBase64(publicKeyBase64);
+ * // did = "did:key:z6Mk..."
+ * ```
+ */
+export function generateDidKeyFromBase64(publicKeyBase64: string): string {
+  // Decode base64 to bytes
+  const publicKeyBytes = Uint8Array.from(atob(publicKeyBase64), (c) =>
+    c.charCodeAt(0)
+  );
+  return generateDidKeyFromBytes(publicKeyBytes);
+}
+

package/dist/__tests__/utils/mock-providers.d.ts

@@ -1,104 +0,0 @@
-/**
- * Mock Providers for Testing
- *
- * These mock implementations allow controlled testing of the runtime
- * and other components that depend on providers.
- */
-import { vi } from 'vitest';
-import { CryptoProvider, ClockProvider, FetchProvider, StorageProvider, NonceCacheProvider, IdentityProvider, AgentIdentity } from '../../providers/base';
-/**
- * Mock Crypto Provider
- */
-export declare class MockCryptoProvider extends CryptoProvider {
-    sign(data: Uint8Array, privateKey: string): Promise<Uint8Array>;
-    verify(data: Uint8Array, signature: Uint8Array, publicKey: string): Promise<boolean>;
-    generateKeyPair(): Promise<{
-        privateKey: string;
-        publicKey: string;
-    }>;
-    hash(data: Uint8Array): Promise<Uint8Array>;
-    randomBytes(length: number): Promise<Uint8Array>;
-}
-/**
- * Mock Clock Provider
- */
-export declare class MockClockProvider extends ClockProvider {
-    private currentTime;
-    setTime(timestamp: number): void;
-    now(): number;
-    isWithinSkew(timestamp: number, skewSeconds: number): boolean;
-    hasExpired(expiresAt: number): boolean;
-    calculateExpiry(ttlSeconds: number): number;
-    format(timestamp: number): string;
-}
-/**
- * Mock Fetch Provider
- */
-export declare class MockFetchProvider extends FetchProvider {
-    private didDocuments;
-    private statusLists;
-    private delegationChains;
-    fetch: ReturnType<typeof vi.fn>;
-    constructor();
-    setDIDDocument(did: string, doc: any): void;
-    setStatusList(url: string, list: any): void;
-    setDelegationChain(id: string, chain: any[]): void;
-    resolveDID(did: string): Promise<any>;
-    fetchStatusList(url: string): Promise<any>;
-    fetchDelegationChain(id: string): Promise<any[]>;
-}
-/**
- * Mock Storage Provider
- */
-export declare class MockStorageProvider extends StorageProvider {
-    private store;
-    get(key: string): Promise<string | null>;
-    set(key: string, value: string): Promise<void>;
-    delete(key: string): Promise<void>;
-    exists(key: string): Promise<boolean>;
-    list(prefix?: string): Promise<string[]>;
-    clear(): void;
-}
-/**
- * Mock Nonce Cache Provider
- */
-export declare class MockNonceCacheProvider extends NonceCacheProvider {
-    private nonces;
-    cleanupCalled: boolean;
-    destroyCalled: boolean;
-    private clock?;
-    setClock(clock: ClockProvider): void;
-    has(nonce: string, agentDid?: string): Promise<boolean>;
-    add(nonce: string, ttlSeconds: number, agentDid?: string): Promise<void>;
-    cleanup(): Promise<void>;
-    destroy(): Promise<void>;
-    clear(): void;
-    size(): number;
-}
-/**
- * Mock Identity Provider
- */
-export declare class MockIdentityProvider extends IdentityProvider {
-    private identity?;
-    rotateKeysCalled: boolean;
-    deleteIdentityCalled: boolean;
-    private rotateCount;
-    constructor(identity?: AgentIdentity);
-    getIdentity(): Promise<AgentIdentity>;
-    saveIdentity(identity: AgentIdentity): Promise<void>;
-    rotateKeys(): Promise<AgentIdentity>;
-    deleteIdentity(): Promise<void>;
-    setIdentity(identity: AgentIdentity): void;
-}
-/**
- * Create a full set of mock providers for testing
- */
-export declare function createMockProviders(): {
-    cryptoProvider: MockCryptoProvider;
-    clockProvider: MockClockProvider;
-    fetchProvider: MockFetchProvider;
-    storageProvider: MockStorageProvider;
-    nonceCacheProvider: MockNonceCacheProvider;
-    identityProvider: MockIdentityProvider;
-};
-//# sourceMappingURL=mock-providers.d.ts.map

package/dist/__tests__/utils/mock-providers.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"mock-providers.d.ts","sourceRoot":"","sources":["../../../src/__tests__/utils/mock-providers.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAC5B,OAAO,EACL,cAAc,EACd,aAAa,EACb,aAAa,EACb,eAAe,EACf,kBAAkB,EAClB,gBAAgB,EAChB,aAAa,EACd,MAAM,sBAAsB,CAAC;AAE9B;;GAEG;AACH,qBAAa,kBAAmB,SAAQ,cAAc;IAC9C,IAAI,CAAC,IAAI,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;IAK/D,MAAM,CAAC,IAAI,EAAE,UAAU,EAAE,SAAS,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAMpF,eAAe,IAAI,OAAO,CAAC;QAAE,UAAU,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAA;KAAE,CAAC;IAwBrE,IAAI,CAAC,IAAI,EAAE,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;IAK3C,WAAW,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;CAOvD;AAED;;GAEG;AACH,qBAAa,iBAAkB,SAAQ,aAAa;IAClD,OAAO,CAAC,WAAW,CAAsB;IAEzC,OAAO,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI;IAIhC,GAAG,IAAI,MAAM;IAIb,YAAY,CAAC,SAAS,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO;IAK7D,UAAU,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO;IAItC,eAAe,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM;IAI3C,MAAM,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM;CAGlC;AAED;;GAEG;AACH,qBAAa,iBAAkB,SAAQ,aAAa;IAClD,OAAO,CAAC,YAAY,CAA+B;IACnD,OAAO,CAAC,WAAW,CAA+B;IAClD,OAAO,CAAC,gBAAgB,CAAiC;IAClD,KAAK,EAAE,UAAU,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC,CAAC;;IAevC,cAAc,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,GAAG,GAAG,IAAI;IAI3C,aAAa,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,GAAG,IAAI;IAI3C,kBAAkB,CAAC,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,IAAI;IAI5C,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC;IAQrC,eAAe,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC;IAQ1C,oBAAoB,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC;CAOvD;AAED;;GAEG;AACH,qBAAa,mBAAoB,SAAQ,eAAe;IACtD,OAAO,CAAC,KAAK,CAAkC;IAEzC,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAIxC,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAI9C,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIlC,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAIrC,IAAI,CAAC,MAAM,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAS9C,KAAK,IAAI,IAAI;CAGd;AAED;;GAEG;AACH,qBAAa,sBAAuB,SAAQ,kBAAkB;IAC5D,OAAO,CAAC,MAAM,CAAkC;IACzC,aAAa,UAAS;IACtB,aAAa,UAAS;IAC7B,OAAO,CAAC,KAAK,CAAC,CAAgB;IAE9B,QAAQ,CAAC,KAAK,EAAE,aAAa,GAAG,IAAI;IAI9B,GAAG,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAcvD,GAAG,CAAC,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAQxE,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;IAUxB,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;IAM9B,KAAK,IAAI,IAAI;IAIb,IAAI,IAAI,MAAM;CAGf;AAED;;GAEG;AACH,qBAAa,oBAAqB,SAAQ,gBAAgB;IACxD,OAAO,CAAC,QAAQ,CAAC,CAAgB;IAC1B,gBAAgB,UAAS;IACzB,oBAAoB,UAAS;IACpC,OAAO,CAAC,WAAW,CAAK;gBAEZ,QAAQ,CAAC,EAAE,aAAa;IAK9B,WAAW,IAAI,OAAO,CAAC,aAAa,CAAC;IAerC,YAAY,CAAC,QAAQ,EAAE,aAAa,GAAG,OAAO,CAAC,IAAI,CAAC;IAIpD,UAAU,IAAI,OAAO,CAAC,aAAa,CAAC;IAepC,cAAc,IAAI,OAAO,CAAC,IAAI,CAAC;IAMrC,WAAW,CAAC,QAAQ,EAAE,aAAa,GAAG,IAAI;CAG3C;AAED;;GAEG;AACH,wBAAgB,mBAAmB;;;;;;;EAmBlC"}