npm - @kya-os/mcp-i-core - Versions diffs - 1.3.13 → 1.3.15 - Mend

@kya-os/mcp-i-core 1.3.13 → 1.3.15

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (255) hide show

package/dist/config/remote-config.js +9 -12
package/dist/runtime/base.d.ts +2 -1
package/dist/runtime/base.js +34 -6
package/dist/services/access-control.service.js +5 -0
package/dist/services/tool-protection.service.js +17 -8
package/package.json +2 -2
package/.turbo/turbo-build.log +0 -4
package/.turbo/turbo-test$colon$coverage.log +0 -4586
package/.turbo/turbo-test.log +0 -4631
package/COMPLIANCE_IMPROVEMENT_REPORT.md +0 -483
package/Composer 3.md +0 -615
package/GPT-5.md +0 -1169
package/OPUS-plan.md +0 -352
package/PHASE_3_AND_4.1_SUMMARY.md +0 -585
package/PHASE_3_SUMMARY.md +0 -317
package/PHASE_4.1.3_SUMMARY.md +0 -428
package/PHASE_4.1_COMPLETE.md +0 -525
package/PHASE_4_USER_DID_IDENTITY_LINKING_PLAN.md +0 -1240
package/SCHEMA_COMPLIANCE_REPORT.md +0 -275
package/TEST_PLAN.md +0 -571
package/coverage/coverage-final.json +0 -60
package/dist/cache/oauth-config-cache.d.ts.map +0 -1
package/dist/cache/oauth-config-cache.js.map +0 -1
package/dist/cache/tool-protection-cache.d.ts.map +0 -1
package/dist/cache/tool-protection-cache.js.map +0 -1
package/dist/compliance/index.d.ts.map +0 -1
package/dist/compliance/index.js.map +0 -1
package/dist/compliance/schema-registry.d.ts.map +0 -1
package/dist/compliance/schema-registry.js.map +0 -1
package/dist/compliance/schema-verifier.d.ts.map +0 -1
package/dist/compliance/schema-verifier.js.map +0 -1
package/dist/config/remote-config.d.ts.map +0 -1
package/dist/config/remote-config.js.map +0 -1
package/dist/config.d.ts.map +0 -1
package/dist/config.js.map +0 -1
package/dist/delegation/audience-validator.d.ts.map +0 -1
package/dist/delegation/audience-validator.js.map +0 -1
package/dist/delegation/bitstring.d.ts.map +0 -1
package/dist/delegation/bitstring.js.map +0 -1
package/dist/delegation/cascading-revocation.d.ts.map +0 -1
package/dist/delegation/cascading-revocation.js.map +0 -1
package/dist/delegation/delegation-graph.d.ts.map +0 -1
package/dist/delegation/delegation-graph.js.map +0 -1
package/dist/delegation/did-key-resolver.d.ts.map +0 -1
package/dist/delegation/did-key-resolver.js.map +0 -1
package/dist/delegation/index.d.ts.map +0 -1
package/dist/delegation/index.js.map +0 -1
package/dist/delegation/statuslist-manager.d.ts.map +0 -1
package/dist/delegation/statuslist-manager.js.map +0 -1
package/dist/delegation/storage/index.d.ts.map +0 -1
package/dist/delegation/storage/index.js.map +0 -1
package/dist/delegation/storage/memory-graph-storage.d.ts.map +0 -1
package/dist/delegation/storage/memory-graph-storage.js.map +0 -1
package/dist/delegation/storage/memory-statuslist-storage.d.ts.map +0 -1
package/dist/delegation/storage/memory-statuslist-storage.js.map +0 -1
package/dist/delegation/utils.d.ts.map +0 -1
package/dist/delegation/utils.js.map +0 -1
package/dist/delegation/vc-issuer.d.ts.map +0 -1
package/dist/delegation/vc-issuer.js.map +0 -1
package/dist/delegation/vc-verifier.d.ts.map +0 -1
package/dist/delegation/vc-verifier.js.map +0 -1
package/dist/identity/idp-token-resolver.d.ts.map +0 -1
package/dist/identity/idp-token-resolver.js.map +0 -1
package/dist/identity/idp-token-storage.interface.d.ts.map +0 -1
package/dist/identity/idp-token-storage.interface.js.map +0 -1
package/dist/identity/user-did-manager.d.ts.map +0 -1
package/dist/identity/user-did-manager.js.map +0 -1
package/dist/index.d.ts.map +0 -1
package/dist/index.js.map +0 -1
package/dist/providers/base.d.ts.map +0 -1
package/dist/providers/base.js.map +0 -1
package/dist/providers/memory.d.ts.map +0 -1
package/dist/providers/memory.js.map +0 -1
package/dist/runtime/audit-logger.d.ts.map +0 -1
package/dist/runtime/audit-logger.js.map +0 -1
package/dist/runtime/base.d.ts.map +0 -1
package/dist/runtime/base.js.map +0 -1
package/dist/services/access-control.service.d.ts.map +0 -1
package/dist/services/access-control.service.js.map +0 -1
package/dist/services/authorization/authorization-registry.d.ts.map +0 -1
package/dist/services/authorization/authorization-registry.js.map +0 -1
package/dist/services/authorization/types.d.ts.map +0 -1
package/dist/services/authorization/types.js.map +0 -1
package/dist/services/batch-delegation.service.d.ts.map +0 -1
package/dist/services/batch-delegation.service.js.map +0 -1
package/dist/services/crypto.service.d.ts.map +0 -1
package/dist/services/crypto.service.js.map +0 -1
package/dist/services/errors.d.ts.map +0 -1
package/dist/services/errors.js.map +0 -1
package/dist/services/index.d.ts.map +0 -1
package/dist/services/index.js.map +0 -1
package/dist/services/oauth-config.service.d.ts.map +0 -1
package/dist/services/oauth-config.service.js.map +0 -1
package/dist/services/oauth-provider-registry.d.ts.map +0 -1
package/dist/services/oauth-provider-registry.js.map +0 -1
package/dist/services/oauth-service.d.ts.map +0 -1
package/dist/services/oauth-service.js.map +0 -1
package/dist/services/oauth-token-retrieval.service.d.ts.map +0 -1
package/dist/services/oauth-token-retrieval.service.js.map +0 -1
package/dist/services/proof-verifier.d.ts.map +0 -1
package/dist/services/proof-verifier.js.map +0 -1
package/dist/services/provider-resolver.d.ts.map +0 -1
package/dist/services/provider-resolver.js.map +0 -1
package/dist/services/provider-validator.d.ts.map +0 -1
package/dist/services/provider-validator.js.map +0 -1
package/dist/services/session-registration.service.d.ts.map +0 -1
package/dist/services/session-registration.service.js.map +0 -1
package/dist/services/storage.service.d.ts.map +0 -1
package/dist/services/storage.service.js.map +0 -1
package/dist/services/tool-context-builder.d.ts.map +0 -1
package/dist/services/tool-context-builder.js.map +0 -1
package/dist/services/tool-protection.service.d.ts.map +0 -1
package/dist/services/tool-protection.service.js.map +0 -1
package/dist/types/oauth-required-error.d.ts.map +0 -1
package/dist/types/oauth-required-error.js.map +0 -1
package/dist/types/tool-protection.d.ts.map +0 -1
package/dist/types/tool-protection.js.map +0 -1
package/dist/utils/base58.d.ts.map +0 -1
package/dist/utils/base58.js.map +0 -1
package/dist/utils/base64.d.ts.map +0 -1
package/dist/utils/base64.js.map +0 -1
package/dist/utils/cors.d.ts.map +0 -1
package/dist/utils/cors.js.map +0 -1
package/dist/utils/did-helpers.d.ts.map +0 -1
package/dist/utils/did-helpers.js.map +0 -1
package/dist/utils/index.d.ts.map +0 -1
package/dist/utils/index.js.map +0 -1
package/dist/utils/storage-keys.d.ts.map +0 -1
package/dist/utils/storage-keys.js.map +0 -1
package/docs/API_REFERENCE.md +0 -1362
package/docs/COMPLIANCE_MATRIX.md +0 -691
package/docs/STATUSLIST2021_GUIDE.md +0 -696
package/docs/W3C_VC_DELEGATION_GUIDE.md +0 -710
package/src/__tests__/cache/tool-protection-cache.test.ts +0 -640
package/src/__tests__/config/provider-runtime-config.test.ts +0 -309
package/src/__tests__/delegation-e2e.test.ts +0 -690
package/src/__tests__/identity/user-did-manager.test.ts +0 -232
package/src/__tests__/index.test.ts +0 -56
package/src/__tests__/integration/full-flow.test.ts +0 -789
package/src/__tests__/integration.test.ts +0 -281
package/src/__tests__/providers/base.test.ts +0 -173
package/src/__tests__/providers/memory.test.ts +0 -319
package/src/__tests__/regression/phase2-regression.test.ts +0 -429
package/src/__tests__/runtime/audit-logger.test.ts +0 -154
package/src/__tests__/runtime/base-extensions.test.ts +0 -595
package/src/__tests__/runtime/base.test.ts +0 -869
package/src/__tests__/runtime/delegation-flow.test.ts +0 -164
package/src/__tests__/runtime/proof-client-did.test.ts +0 -376
package/src/__tests__/runtime/route-interception.test.ts +0 -686
package/src/__tests__/runtime/tool-protection-enforcement.test.ts +0 -908
package/src/__tests__/services/agentshield-integration.test.ts +0 -791
package/src/__tests__/services/cache-busting.test.ts +0 -125
package/src/__tests__/services/oauth-service-pkce.test.ts +0 -556
package/src/__tests__/services/provider-resolver-edge-cases.test.ts +0 -591
package/src/__tests__/services/tool-protection-merged-config.test.ts +0 -485
package/src/__tests__/services/tool-protection-oauth-provider.test.ts +0 -480
package/src/__tests__/services/tool-protection.service.test.ts +0 -1373
package/src/__tests__/utils/mock-providers.ts +0 -340
package/src/cache/oauth-config-cache.d.ts +0 -69
package/src/cache/oauth-config-cache.d.ts.map +0 -1
package/src/cache/oauth-config-cache.js.map +0 -1
package/src/cache/oauth-config-cache.ts +0 -123
package/src/cache/tool-protection-cache.ts +0 -171
package/src/compliance/EXAMPLE.md +0 -412
package/src/compliance/__tests__/schema-verifier.test.ts +0 -797
package/src/compliance/index.ts +0 -8
package/src/compliance/schema-registry.ts +0 -460
package/src/compliance/schema-verifier.ts +0 -708
package/src/config/__tests__/merged-config.spec.ts +0 -445
package/src/config/__tests__/remote-config.spec.ts +0 -268
package/src/config/remote-config.ts +0 -264
package/src/config.ts +0 -312
package/src/delegation/__tests__/audience-validator.test.ts +0 -112
package/src/delegation/__tests__/bitstring.test.ts +0 -346
package/src/delegation/__tests__/cascading-revocation.test.ts +0 -628
package/src/delegation/__tests__/delegation-graph.test.ts +0 -584
package/src/delegation/__tests__/did-key-resolver.test.ts +0 -265
package/src/delegation/__tests__/utils.test.ts +0 -152
package/src/delegation/__tests__/vc-issuer.test.ts +0 -442
package/src/delegation/__tests__/vc-verifier.test.ts +0 -922
package/src/delegation/audience-validator.ts +0 -52
package/src/delegation/bitstring.ts +0 -278
package/src/delegation/cascading-revocation.ts +0 -370
package/src/delegation/delegation-graph.ts +0 -299
package/src/delegation/did-key-resolver.ts +0 -179
package/src/delegation/index.ts +0 -14
package/src/delegation/statuslist-manager.ts +0 -353
package/src/delegation/storage/__tests__/memory-graph-storage.test.ts +0 -366
package/src/delegation/storage/__tests__/memory-statuslist-storage.test.ts +0 -228
package/src/delegation/storage/index.ts +0 -9
package/src/delegation/storage/memory-graph-storage.ts +0 -178
package/src/delegation/storage/memory-statuslist-storage.ts +0 -77
package/src/delegation/utils.ts +0 -221
package/src/delegation/vc-issuer.ts +0 -232
package/src/delegation/vc-verifier.ts +0 -568
package/src/identity/idp-token-resolver.ts +0 -181
package/src/identity/idp-token-storage.interface.ts +0 -94
package/src/identity/user-did-manager.ts +0 -526
package/src/index.ts +0 -310
package/src/providers/base.d.ts +0 -91
package/src/providers/base.d.ts.map +0 -1
package/src/providers/base.js.map +0 -1
package/src/providers/base.ts +0 -96
package/src/providers/memory.ts +0 -142
package/src/runtime/audit-logger.ts +0 -39
package/src/runtime/base.ts +0 -1392
package/src/services/__tests__/access-control.integration.test.ts +0 -443
package/src/services/__tests__/access-control.proof-response-validation.test.ts +0 -578
package/src/services/__tests__/access-control.service.test.ts +0 -970
package/src/services/__tests__/batch-delegation.service.test.ts +0 -351
package/src/services/__tests__/crypto.service.test.ts +0 -531
package/src/services/__tests__/oauth-provider-registry.test.ts +0 -142
package/src/services/__tests__/proof-verifier.integration.test.ts +0 -485
package/src/services/__tests__/proof-verifier.test.ts +0 -489
package/src/services/__tests__/provider-resolution.integration.test.ts +0 -202
package/src/services/__tests__/provider-resolver.test.ts +0 -213
package/src/services/__tests__/storage.service.test.ts +0 -358
package/src/services/access-control.service.ts +0 -990
package/src/services/authorization/authorization-registry.ts +0 -66
package/src/services/authorization/types.ts +0 -71
package/src/services/batch-delegation.service.ts +0 -137
package/src/services/crypto.service.ts +0 -302
package/src/services/errors.ts +0 -76
package/src/services/index.ts +0 -18
package/src/services/oauth-config.service.d.ts +0 -53
package/src/services/oauth-config.service.d.ts.map +0 -1
package/src/services/oauth-config.service.js.map +0 -1
package/src/services/oauth-config.service.ts +0 -192
package/src/services/oauth-provider-registry.d.ts +0 -57
package/src/services/oauth-provider-registry.d.ts.map +0 -1
package/src/services/oauth-provider-registry.js.map +0 -1
package/src/services/oauth-provider-registry.ts +0 -141
package/src/services/oauth-service.ts +0 -544
package/src/services/oauth-token-retrieval.service.ts +0 -245
package/src/services/proof-verifier.ts +0 -478
package/src/services/provider-resolver.d.ts +0 -48
package/src/services/provider-resolver.d.ts.map +0 -1
package/src/services/provider-resolver.js.map +0 -1
package/src/services/provider-resolver.ts +0 -146
package/src/services/provider-validator.ts +0 -170
package/src/services/session-registration.service.ts +0 -251
package/src/services/storage.service.ts +0 -566
package/src/services/tool-context-builder.ts +0 -237
package/src/services/tool-protection.service.ts +0 -1070
package/src/types/oauth-required-error.ts +0 -63
package/src/types/tool-protection.ts +0 -155
package/src/utils/__tests__/did-helpers.test.ts +0 -156
package/src/utils/base58.ts +0 -109
package/src/utils/base64.ts +0 -148
package/src/utils/cors.ts +0 -83
package/src/utils/did-helpers.ts +0 -210
package/src/utils/index.ts +0 -8
package/src/utils/storage-keys.ts +0 -278
package/tsconfig.json +0 -21
package/vitest.config.ts +0 -56

package/dist/config/remote-config.js CHANGED Viewed

@@ -54,20 +54,17 @@ async function fetchRemoteConfig(options, cache) {
     }
     // Fetch from API
     try {
-        // Build API URL
-        let url;
-        if (projectId) {
-            // Use project-scoped endpoint (preferred)
-            url = `${apiUrl}${agentshield_api_1.AGENTSHIELD_ENDPOINTS.CONFIG(projectId)}`;
-        }
-        else if (agentDid) {
-            // Use agent-scoped endpoint
-            url = `${apiUrl}/api/v1/bouncer/config?agent_did=${encodeURIComponent(agentDid)}`;
-        }
-        else {
-            console.warn('[RemoteConfig] Neither projectId nor agentDid provided');
+        // ❌ REMOVED: Legacy agent-scoped endpoint fallback
+        // Agent-only scoping causes cross-user delegation leakage (Priority 3 fallback issue)
+        // projectId is now REQUIRED for proper user isolation
+        if (!projectId) {
+            console.error('[RemoteConfig] projectId is required for user-scoped delegation. ' +
+                'Agent-only scoping has been deprecated due to security concerns (cross-user delegation leakage). ' +
+                'Please configure AGENTSHIELD_PROJECT_ID environment variable.');
             return null;
         }
+        // ✅ PROJECT-SCOPED ENDPOINT: Ensures delegations are properly scoped to user+agent
+        const url = `${apiUrl}${agentshield_api_1.AGENTSHIELD_ENDPOINTS.CONFIG(projectId)}`;
         const response = await fetchProvider(url, {
             headers: {
                 'Authorization': `Bearer ${apiKey}`,

package/dist/runtime/base.d.ts CHANGED Viewed

@@ -122,9 +122,10 @@ export declare class MCPIRuntimeBase {
      * @param session - Current session context
      * @param resumeToken - Token to resume after delegation
      * @param projectId - Project ID for AgentShield API
+     * @param provider - Provider name (e.g., "github", "credentials") to select specific auth method
      * @returns Full consent URL with snake_case parameters
      */
-    protected buildConsentUrl(toolName: string, scopes: string[], session?: any, resumeToken?: string, projectId?: string): string;
+    protected buildConsentUrl(toolName: string, scopes: string[], session?: any, resumeToken?: string, projectId?: string, provider?: string): string;
     /**
      * Issue a new nonce and register it in the cache
      * Use this to get a nonce for the session context before calling processToolCall

package/dist/runtime/base.js CHANGED Viewed

@@ -271,7 +271,10 @@ class MCPIRuntimeBase {
                     const resumeToken = this.generateResumeToken(interceptedCall);
                     // Build consent URL with resume token
                     // Note: projectId is not available in base class - subclasses should override buildConsentUrl
-                    const consentUrl = this.buildConsentUrl(toolName, protection.requiredScopes, session, resumeToken);
+                    // Pass oauthProvider to ensure correct auth method is selected (e.g., "credentials" vs "github")
+                    const consentUrl = this.buildConsentUrl(toolName, protection.requiredScopes, session, resumeToken, undefined, // projectId - handled by subclass override
+                    protection.oauthProvider // Provider from tool config
+                    );
                     // Create error with intercepted call context and pre-generated resume token
                     const error = new tool_protection_js_1.DelegationRequiredError(toolName, protection.requiredScopes, consentUrl, interceptedCall, resumeToken);
                     // Store intercepted call for resumption
@@ -321,6 +324,17 @@ class MCPIRuntimeBase {
                             agent_did: identity.did,
                             scopes: protection.requiredScopes,
                         };
+                        // ✅ CRITICAL: Include user_did for user-scoped delegation verification
+                        // This prevents cross-user delegation leakage (Priority 3 fallback issue)
+                        // Without user_did, AgentShield cannot validate user isolation
+                        if (session?.userDid) {
+                            verifyRequest.user_did = session.userDid;
+                            if (this.config.audit?.enabled) {
+                                console.log("[MCP-I] 🔐 Including user_did in verification request", {
+                                    userDid: session.userDid.slice(0, 20) + "...",
+                                });
+                            }
+                        }
                         // Add delegation token if available (preferred over consent proof)
                         if (delegationToken) {
                             verifyRequest.delegation_token = delegationToken;
@@ -368,7 +382,9 @@ class MCPIRuntimeBase {
                                 expiresAt: this.clock.calculateExpiry(1800), // 30 minutes
                             };
                             const resumeToken = this.generateResumeToken(interceptedCall);
-                            const consentUrl = this.buildConsentUrl(toolName, protection.requiredScopes, session, resumeToken);
+                            const consentUrl = this.buildConsentUrl(toolName, protection.requiredScopes, session, resumeToken, undefined, // projectId - handled by subclass override
+                            protection.oauthProvider // Provider from tool config
+                            );
                             this.interceptedCalls.set(resumeToken, interceptedCall);
                             this.cleanupExpiredInterceptedCalls();
                             throw new tool_protection_js_1.DelegationRequiredError(toolName, protection.requiredScopes, consentUrl, interceptedCall, resumeToken);
@@ -402,7 +418,9 @@ class MCPIRuntimeBase {
                                     expiresAt: this.clock.calculateExpiry(1800), // 30 minutes
                                 };
                                 const resumeToken = this.generateResumeToken(interceptedCall);
-                                const consentUrl = this.buildConsentUrl(toolName, protection.requiredScopes, session, resumeToken);
+                                const consentUrl = this.buildConsentUrl(toolName, protection.requiredScopes, session, resumeToken, undefined, // projectId - handled by subclass override
+                                protection.oauthProvider // Provider from tool config
+                                );
                                 this.interceptedCalls.set(resumeToken, interceptedCall);
                                 this.cleanupExpiredInterceptedCalls();
                                 throw new tool_protection_js_1.DelegationRequiredError(toolName, protection.requiredScopes, consentUrl, interceptedCall, resumeToken);
@@ -466,7 +484,9 @@ class MCPIRuntimeBase {
                                 expiresAt: this.clock.calculateExpiry(1800),
                             };
                             const resumeToken = this.generateResumeToken(interceptedCall);
-                            const consentUrl = this.buildConsentUrl(toolName, protection.requiredScopes, session, resumeToken);
+                            const consentUrl = this.buildConsentUrl(toolName, protection.requiredScopes, session, resumeToken, undefined, // projectId - handled by subclass override
+                            protection.oauthProvider // Provider from tool config
+                            );
                             this.interceptedCalls.set(resumeToken, interceptedCall);
                             this.cleanupExpiredInterceptedCalls();
                             throw new tool_protection_js_1.DelegationRequiredError(toolName, protection.requiredScopes, consentUrl, interceptedCall, resumeToken);
@@ -489,7 +509,9 @@ class MCPIRuntimeBase {
                             expiresAt: this.clock.calculateExpiry(1800),
                         };
                         const resumeToken = this.generateResumeToken(interceptedCall);
-                        const consentUrl = this.buildConsentUrl(toolName, protection.requiredScopes, session, resumeToken);
+                        const consentUrl = this.buildConsentUrl(toolName, protection.requiredScopes, session, resumeToken, undefined, // projectId - handled by subclass override
+                        protection.oauthProvider // Provider from tool config
+                        );
                         this.interceptedCalls.set(resumeToken, interceptedCall);
                         this.cleanupExpiredInterceptedCalls();
                         throw new tool_protection_js_1.DelegationRequiredError(toolName, protection.requiredScopes, consentUrl, interceptedCall, resumeToken);
@@ -605,9 +627,10 @@ class MCPIRuntimeBase {
      * @param session - Current session context
      * @param resumeToken - Token to resume after delegation
      * @param projectId - Project ID for AgentShield API
+     * @param provider - Provider name (e.g., "github", "credentials") to select specific auth method
      * @returns Full consent URL with snake_case parameters
      */
-    buildConsentUrl(toolName, scopes, session, resumeToken, projectId) {
+    buildConsentUrl(toolName, scopes, session, resumeToken, projectId, provider) {
         // Default implementation - override in subclasses
         // This URL should point to AgentShield's consent page
         // Parameter names use snake_case for AgentShield API compatibility
@@ -625,6 +648,11 @@ class MCPIRuntimeBase {
         if (resumeToken) {
             params.set("resume_token", resumeToken);
         }
+        // Add provider if specified (allows selecting specific auth method like "credentials" or "github")
+        // This is critical when multiple providers are configured for a project
+        if (provider) {
+            params.set("provider", provider);
+        }
         // Use AgentShield consent endpoint
         return `https://kya.vouched.id/bouncer/consent?${params.toString()}`;
     }

package/dist/services/access-control.service.js CHANGED Viewed

@@ -113,6 +113,11 @@ class AccessControlApiService {
             if (request.scopes !== undefined) {
                 requestBody.scopes = request.scopes;
             }
+            // ✅ CRITICAL: Include user_did for user-scoped delegation verification
+            // This prevents cross-user delegation leakage (Priority 3 fallback issue)
+            if (request.user_did !== undefined) {
+                requestBody.user_did = request.user_did;
+            }
             // Handle credential_jwt: prefer request, fallback to context
             if (request.credential_jwt !== undefined) {
                 requestBody.credential_jwt = request.credential_jwt;

package/dist/services/tool-protection.service.js CHANGED Viewed

@@ -409,6 +409,10 @@ class ToolProtectionService {
             if (errorMessage.includes("API key is missing or empty")) {
                 throw error;
             }
+            // Re-throw projectId required errors (security fix - don't fallback)
+            if (errorMessage.includes("projectId is required")) {
+                throw error;
+            }
             // Re-throw HTTP errors (4xx, 5xx) - these indicate API issues, not network failures
             // Exception: 429 (rate limit) should fallback if fallback config is available
             if (errorMessage.includes("Failed to fetch bouncer config:")) {
@@ -541,15 +545,20 @@ class ToolProtectionService {
         // This endpoint returns config.toolProtection.tools with all tool rules
         let url;
         let useMergedEndpoint = false;
-        if (this.config.projectId) {
-            // ✅ MERGED CONFIG ENDPOINT: Returns config with embedded toolProtection.tools
-            url = `${this.config.apiUrl}/api/v1/bouncer/projects/${encodeURIComponent(this.config.projectId)}/config`;
-            useMergedEndpoint = true;
-        }
-        else {
-            // ⚠️ LEGACY ENDPOINT: Agent-scoped, returns tools array (backward compatibility)
-            url = `${this.config.apiUrl}/api/v1/bouncer/config?agent_did=${encodeURIComponent(agentDid)}`;
+        // ❌ REMOVED: Legacy agent-scoped endpoint fallback
+        // Agent-only scoping causes cross-user delegation leakage (Priority 3 fallback issue)
+        // projectId is now REQUIRED for proper user isolation
+        if (!this.config.projectId) {
+            const error = new Error("[ToolProtectionService] projectId is required for user-scoped delegation. " +
+                "Agent-only scoping has been deprecated due to security concerns (cross-user delegation leakage). " +
+                "Please configure AGENTSHIELD_PROJECT_ID environment variable.");
+            console.error("[ToolProtectionService]", error.message);
+            throw error;
         }
+        // ✅ PROJECT-SCOPED ENDPOINT: Returns config with embedded toolProtection.tools
+        // This endpoint ensures delegations are properly scoped to user+agent
+        url = `${this.config.apiUrl}/api/v1/bouncer/projects/${encodeURIComponent(this.config.projectId)}/config`;
+        useMergedEndpoint = true;
         // Add cache-busting query param when bypassing CDN cache
         // This is used during cache invalidation (clearAndRefresh) to ensure we get fresh data
         // from the origin server, not stale CDN-cached data

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@kya-os/mcp-i-core",
-  "version": "1.3.13",
+  "version": "1.3.15",
   "description": "Core runtime and types for MCP-I framework",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -28,7 +28,7 @@
     "prepublishOnly": "npm run build && node ../create-mcpi-app/scripts/validate-no-workspace.js"
   },
   "dependencies": {
-    "@kya-os/contracts": "^1.6.5",
+    "@kya-os/contracts": "^1.6.8",
     "jose": "^5.6.3",
     "json-canonicalize": "^2.0.0",
     "zod": "^3.25.76"

package/.turbo/turbo-build.log DELETED Viewed

@@ -1,4 +0,0 @@
-> @kya-os/mcp-i-core@1.3.12 build /Users/dylanhobbs/Documents/@kya-os/xmcp-i/packages/mcp-i-core
-> tsc