npm - @kya-os/mcp-i-core - Versions diffs - 1.3.13 → 1.3.15 - Mend

@kya-os/mcp-i-core 1.3.13 → 1.3.15

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (255) hide show

package/dist/config/remote-config.js +9 -12
package/dist/runtime/base.d.ts +2 -1
package/dist/runtime/base.js +34 -6
package/dist/services/access-control.service.js +5 -0
package/dist/services/tool-protection.service.js +17 -8
package/package.json +2 -2
package/.turbo/turbo-build.log +0 -4
package/.turbo/turbo-test$colon$coverage.log +0 -4586
package/.turbo/turbo-test.log +0 -4631
package/COMPLIANCE_IMPROVEMENT_REPORT.md +0 -483
package/Composer 3.md +0 -615
package/GPT-5.md +0 -1169
package/OPUS-plan.md +0 -352
package/PHASE_3_AND_4.1_SUMMARY.md +0 -585
package/PHASE_3_SUMMARY.md +0 -317
package/PHASE_4.1.3_SUMMARY.md +0 -428
package/PHASE_4.1_COMPLETE.md +0 -525
package/PHASE_4_USER_DID_IDENTITY_LINKING_PLAN.md +0 -1240
package/SCHEMA_COMPLIANCE_REPORT.md +0 -275
package/TEST_PLAN.md +0 -571
package/coverage/coverage-final.json +0 -60
package/dist/cache/oauth-config-cache.d.ts.map +0 -1
package/dist/cache/oauth-config-cache.js.map +0 -1
package/dist/cache/tool-protection-cache.d.ts.map +0 -1
package/dist/cache/tool-protection-cache.js.map +0 -1
package/dist/compliance/index.d.ts.map +0 -1
package/dist/compliance/index.js.map +0 -1
package/dist/compliance/schema-registry.d.ts.map +0 -1
package/dist/compliance/schema-registry.js.map +0 -1
package/dist/compliance/schema-verifier.d.ts.map +0 -1
package/dist/compliance/schema-verifier.js.map +0 -1
package/dist/config/remote-config.d.ts.map +0 -1
package/dist/config/remote-config.js.map +0 -1
package/dist/config.d.ts.map +0 -1
package/dist/config.js.map +0 -1
package/dist/delegation/audience-validator.d.ts.map +0 -1
package/dist/delegation/audience-validator.js.map +0 -1
package/dist/delegation/bitstring.d.ts.map +0 -1
package/dist/delegation/bitstring.js.map +0 -1
package/dist/delegation/cascading-revocation.d.ts.map +0 -1
package/dist/delegation/cascading-revocation.js.map +0 -1
package/dist/delegation/delegation-graph.d.ts.map +0 -1
package/dist/delegation/delegation-graph.js.map +0 -1
package/dist/delegation/did-key-resolver.d.ts.map +0 -1
package/dist/delegation/did-key-resolver.js.map +0 -1
package/dist/delegation/index.d.ts.map +0 -1
package/dist/delegation/index.js.map +0 -1
package/dist/delegation/statuslist-manager.d.ts.map +0 -1
package/dist/delegation/statuslist-manager.js.map +0 -1
package/dist/delegation/storage/index.d.ts.map +0 -1
package/dist/delegation/storage/index.js.map +0 -1
package/dist/delegation/storage/memory-graph-storage.d.ts.map +0 -1
package/dist/delegation/storage/memory-graph-storage.js.map +0 -1
package/dist/delegation/storage/memory-statuslist-storage.d.ts.map +0 -1
package/dist/delegation/storage/memory-statuslist-storage.js.map +0 -1
package/dist/delegation/utils.d.ts.map +0 -1
package/dist/delegation/utils.js.map +0 -1
package/dist/delegation/vc-issuer.d.ts.map +0 -1
package/dist/delegation/vc-issuer.js.map +0 -1
package/dist/delegation/vc-verifier.d.ts.map +0 -1
package/dist/delegation/vc-verifier.js.map +0 -1
package/dist/identity/idp-token-resolver.d.ts.map +0 -1
package/dist/identity/idp-token-resolver.js.map +0 -1
package/dist/identity/idp-token-storage.interface.d.ts.map +0 -1
package/dist/identity/idp-token-storage.interface.js.map +0 -1
package/dist/identity/user-did-manager.d.ts.map +0 -1
package/dist/identity/user-did-manager.js.map +0 -1
package/dist/index.d.ts.map +0 -1
package/dist/index.js.map +0 -1
package/dist/providers/base.d.ts.map +0 -1
package/dist/providers/base.js.map +0 -1
package/dist/providers/memory.d.ts.map +0 -1
package/dist/providers/memory.js.map +0 -1
package/dist/runtime/audit-logger.d.ts.map +0 -1
package/dist/runtime/audit-logger.js.map +0 -1
package/dist/runtime/base.d.ts.map +0 -1
package/dist/runtime/base.js.map +0 -1
package/dist/services/access-control.service.d.ts.map +0 -1
package/dist/services/access-control.service.js.map +0 -1
package/dist/services/authorization/authorization-registry.d.ts.map +0 -1
package/dist/services/authorization/authorization-registry.js.map +0 -1
package/dist/services/authorization/types.d.ts.map +0 -1
package/dist/services/authorization/types.js.map +0 -1
package/dist/services/batch-delegation.service.d.ts.map +0 -1
package/dist/services/batch-delegation.service.js.map +0 -1
package/dist/services/crypto.service.d.ts.map +0 -1
package/dist/services/crypto.service.js.map +0 -1
package/dist/services/errors.d.ts.map +0 -1
package/dist/services/errors.js.map +0 -1
package/dist/services/index.d.ts.map +0 -1
package/dist/services/index.js.map +0 -1
package/dist/services/oauth-config.service.d.ts.map +0 -1
package/dist/services/oauth-config.service.js.map +0 -1
package/dist/services/oauth-provider-registry.d.ts.map +0 -1
package/dist/services/oauth-provider-registry.js.map +0 -1
package/dist/services/oauth-service.d.ts.map +0 -1
package/dist/services/oauth-service.js.map +0 -1
package/dist/services/oauth-token-retrieval.service.d.ts.map +0 -1
package/dist/services/oauth-token-retrieval.service.js.map +0 -1
package/dist/services/proof-verifier.d.ts.map +0 -1
package/dist/services/proof-verifier.js.map +0 -1
package/dist/services/provider-resolver.d.ts.map +0 -1
package/dist/services/provider-resolver.js.map +0 -1
package/dist/services/provider-validator.d.ts.map +0 -1
package/dist/services/provider-validator.js.map +0 -1
package/dist/services/session-registration.service.d.ts.map +0 -1
package/dist/services/session-registration.service.js.map +0 -1
package/dist/services/storage.service.d.ts.map +0 -1
package/dist/services/storage.service.js.map +0 -1
package/dist/services/tool-context-builder.d.ts.map +0 -1
package/dist/services/tool-context-builder.js.map +0 -1
package/dist/services/tool-protection.service.d.ts.map +0 -1
package/dist/services/tool-protection.service.js.map +0 -1
package/dist/types/oauth-required-error.d.ts.map +0 -1
package/dist/types/oauth-required-error.js.map +0 -1
package/dist/types/tool-protection.d.ts.map +0 -1
package/dist/types/tool-protection.js.map +0 -1
package/dist/utils/base58.d.ts.map +0 -1
package/dist/utils/base58.js.map +0 -1
package/dist/utils/base64.d.ts.map +0 -1
package/dist/utils/base64.js.map +0 -1
package/dist/utils/cors.d.ts.map +0 -1
package/dist/utils/cors.js.map +0 -1
package/dist/utils/did-helpers.d.ts.map +0 -1
package/dist/utils/did-helpers.js.map +0 -1
package/dist/utils/index.d.ts.map +0 -1
package/dist/utils/index.js.map +0 -1
package/dist/utils/storage-keys.d.ts.map +0 -1
package/dist/utils/storage-keys.js.map +0 -1
package/docs/API_REFERENCE.md +0 -1362
package/docs/COMPLIANCE_MATRIX.md +0 -691
package/docs/STATUSLIST2021_GUIDE.md +0 -696
package/docs/W3C_VC_DELEGATION_GUIDE.md +0 -710
package/src/__tests__/cache/tool-protection-cache.test.ts +0 -640
package/src/__tests__/config/provider-runtime-config.test.ts +0 -309
package/src/__tests__/delegation-e2e.test.ts +0 -690
package/src/__tests__/identity/user-did-manager.test.ts +0 -232
package/src/__tests__/index.test.ts +0 -56
package/src/__tests__/integration/full-flow.test.ts +0 -789
package/src/__tests__/integration.test.ts +0 -281
package/src/__tests__/providers/base.test.ts +0 -173
package/src/__tests__/providers/memory.test.ts +0 -319
package/src/__tests__/regression/phase2-regression.test.ts +0 -429
package/src/__tests__/runtime/audit-logger.test.ts +0 -154
package/src/__tests__/runtime/base-extensions.test.ts +0 -595
package/src/__tests__/runtime/base.test.ts +0 -869
package/src/__tests__/runtime/delegation-flow.test.ts +0 -164
package/src/__tests__/runtime/proof-client-did.test.ts +0 -376
package/src/__tests__/runtime/route-interception.test.ts +0 -686
package/src/__tests__/runtime/tool-protection-enforcement.test.ts +0 -908
package/src/__tests__/services/agentshield-integration.test.ts +0 -791
package/src/__tests__/services/cache-busting.test.ts +0 -125
package/src/__tests__/services/oauth-service-pkce.test.ts +0 -556
package/src/__tests__/services/provider-resolver-edge-cases.test.ts +0 -591
package/src/__tests__/services/tool-protection-merged-config.test.ts +0 -485
package/src/__tests__/services/tool-protection-oauth-provider.test.ts +0 -480
package/src/__tests__/services/tool-protection.service.test.ts +0 -1373
package/src/__tests__/utils/mock-providers.ts +0 -340
package/src/cache/oauth-config-cache.d.ts +0 -69
package/src/cache/oauth-config-cache.d.ts.map +0 -1
package/src/cache/oauth-config-cache.js.map +0 -1
package/src/cache/oauth-config-cache.ts +0 -123
package/src/cache/tool-protection-cache.ts +0 -171
package/src/compliance/EXAMPLE.md +0 -412
package/src/compliance/__tests__/schema-verifier.test.ts +0 -797
package/src/compliance/index.ts +0 -8
package/src/compliance/schema-registry.ts +0 -460
package/src/compliance/schema-verifier.ts +0 -708
package/src/config/__tests__/merged-config.spec.ts +0 -445
package/src/config/__tests__/remote-config.spec.ts +0 -268
package/src/config/remote-config.ts +0 -264
package/src/config.ts +0 -312
package/src/delegation/__tests__/audience-validator.test.ts +0 -112
package/src/delegation/__tests__/bitstring.test.ts +0 -346
package/src/delegation/__tests__/cascading-revocation.test.ts +0 -628
package/src/delegation/__tests__/delegation-graph.test.ts +0 -584
package/src/delegation/__tests__/did-key-resolver.test.ts +0 -265
package/src/delegation/__tests__/utils.test.ts +0 -152
package/src/delegation/__tests__/vc-issuer.test.ts +0 -442
package/src/delegation/__tests__/vc-verifier.test.ts +0 -922
package/src/delegation/audience-validator.ts +0 -52
package/src/delegation/bitstring.ts +0 -278
package/src/delegation/cascading-revocation.ts +0 -370
package/src/delegation/delegation-graph.ts +0 -299
package/src/delegation/did-key-resolver.ts +0 -179
package/src/delegation/index.ts +0 -14
package/src/delegation/statuslist-manager.ts +0 -353
package/src/delegation/storage/__tests__/memory-graph-storage.test.ts +0 -366
package/src/delegation/storage/__tests__/memory-statuslist-storage.test.ts +0 -228
package/src/delegation/storage/index.ts +0 -9
package/src/delegation/storage/memory-graph-storage.ts +0 -178
package/src/delegation/storage/memory-statuslist-storage.ts +0 -77
package/src/delegation/utils.ts +0 -221
package/src/delegation/vc-issuer.ts +0 -232
package/src/delegation/vc-verifier.ts +0 -568
package/src/identity/idp-token-resolver.ts +0 -181
package/src/identity/idp-token-storage.interface.ts +0 -94
package/src/identity/user-did-manager.ts +0 -526
package/src/index.ts +0 -310
package/src/providers/base.d.ts +0 -91
package/src/providers/base.d.ts.map +0 -1
package/src/providers/base.js.map +0 -1
package/src/providers/base.ts +0 -96
package/src/providers/memory.ts +0 -142
package/src/runtime/audit-logger.ts +0 -39
package/src/runtime/base.ts +0 -1392
package/src/services/__tests__/access-control.integration.test.ts +0 -443
package/src/services/__tests__/access-control.proof-response-validation.test.ts +0 -578
package/src/services/__tests__/access-control.service.test.ts +0 -970
package/src/services/__tests__/batch-delegation.service.test.ts +0 -351
package/src/services/__tests__/crypto.service.test.ts +0 -531
package/src/services/__tests__/oauth-provider-registry.test.ts +0 -142
package/src/services/__tests__/proof-verifier.integration.test.ts +0 -485
package/src/services/__tests__/proof-verifier.test.ts +0 -489
package/src/services/__tests__/provider-resolution.integration.test.ts +0 -202
package/src/services/__tests__/provider-resolver.test.ts +0 -213
package/src/services/__tests__/storage.service.test.ts +0 -358
package/src/services/access-control.service.ts +0 -990
package/src/services/authorization/authorization-registry.ts +0 -66
package/src/services/authorization/types.ts +0 -71
package/src/services/batch-delegation.service.ts +0 -137
package/src/services/crypto.service.ts +0 -302
package/src/services/errors.ts +0 -76
package/src/services/index.ts +0 -18
package/src/services/oauth-config.service.d.ts +0 -53
package/src/services/oauth-config.service.d.ts.map +0 -1
package/src/services/oauth-config.service.js.map +0 -1
package/src/services/oauth-config.service.ts +0 -192
package/src/services/oauth-provider-registry.d.ts +0 -57
package/src/services/oauth-provider-registry.d.ts.map +0 -1
package/src/services/oauth-provider-registry.js.map +0 -1
package/src/services/oauth-provider-registry.ts +0 -141
package/src/services/oauth-service.ts +0 -544
package/src/services/oauth-token-retrieval.service.ts +0 -245
package/src/services/proof-verifier.ts +0 -478
package/src/services/provider-resolver.d.ts +0 -48
package/src/services/provider-resolver.d.ts.map +0 -1
package/src/services/provider-resolver.js.map +0 -1
package/src/services/provider-resolver.ts +0 -146
package/src/services/provider-validator.ts +0 -170
package/src/services/session-registration.service.ts +0 -251
package/src/services/storage.service.ts +0 -566
package/src/services/tool-context-builder.ts +0 -237
package/src/services/tool-protection.service.ts +0 -1070
package/src/types/oauth-required-error.ts +0 -63
package/src/types/tool-protection.ts +0 -155
package/src/utils/__tests__/did-helpers.test.ts +0 -156
package/src/utils/base58.ts +0 -109
package/src/utils/base64.ts +0 -148
package/src/utils/cors.ts +0 -83
package/src/utils/did-helpers.ts +0 -210
package/src/utils/index.ts +0 -8
package/src/utils/storage-keys.ts +0 -278
package/tsconfig.json +0 -21
package/vitest.config.ts +0 -56

package/src/services/provider-resolver.d.ts DELETED Viewed

@@ -1,48 +0,0 @@
-/**
- * Provider Resolver
- *
- * Resolves OAuth provider for tools using priority-based resolution strategy.
- * Supports Phase 2+ tool-specific providers with backward compatibility for Phase 1.
- *
- * @package @kya-os/mcp-i-core
- */
-import type { ToolProtection } from "@kya-os/contracts/tool-protection";
-import type { OAuthProviderRegistry } from "./oauth-provider-registry.js";
-import type { OAuthConfigService } from "./oauth-config.service.js";
-/**
- * Resolves OAuth provider for tools with priority-based fallback strategy
- *
- * Priority order:
- * 1. Tool-specific oauthProvider field (Phase 2+ preferred)
- * 2. Scope prefix inference (fallback)
- * 3. First configured provider (Phase 1 compatibility fallback)
- * 4. Error if no provider can be resolved
- */
-export declare class ProviderResolver {
-    private registry;
-    private configService;
-    constructor(registry: OAuthProviderRegistry, configService: OAuthConfigService);
-    /**
-     * Resolve OAuth provider for a tool
-     *
-     * @param toolProtection - Tool protection configuration
-     * @param projectId - Project ID for fetching provider config
-     * @returns Provider name (never null - throws if cannot resolve)
-     * @throws Error if provider cannot be resolved
-     */
-    resolveProvider(toolProtection: ToolProtection, projectId: string): Promise<string>;
-    /**
-     * Infer provider from scope prefixes
-     *
-     * Used as Priority 2 fallback when oauthProvider is not specified.
-     * Examples:
-     * - github:repo:read → github
-     * - gmail:read → google
-     * - microsoft:calendar:read → microsoft
-     *
-     * @param scopes - Required scopes for the tool
-     * @returns Provider name if uniquely inferred, null otherwise
-     */
-    private inferProviderFromScopes;
-}
-//# sourceMappingURL=provider-resolver.d.ts.map

package/src/services/provider-resolver.d.ts.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"provider-resolver.d.ts","sourceRoot":"","sources":["provider-resolver.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,mCAAmC,CAAC;AACxE,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,8BAA8B,CAAC;AAC1E,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAEpE;;;;;;;;GAQG;AACH,qBAAa,gBAAgB;IAEzB,OAAO,CAAC,QAAQ;IAChB,OAAO,CAAC,aAAa;gBADb,QAAQ,EAAE,qBAAqB,EAC/B,aAAa,EAAE,kBAAkB;IAG3C;;;;;;;OAOG;IACG,eAAe,CACnB,cAAc,EAAE,cAAc,EAC9B,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,MAAM,CAAC;IA6ClB;;;;;;;;;;;OAWG;IACH,OAAO,CAAC,uBAAuB;CAoChC"}

package/src/services/provider-resolver.js.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"provider-resolver.js","sourceRoot":"","sources":["provider-resolver.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAMH;;;;;;;;GAQG;AACH,MAAM,OAAO,gBAAgB;IAEjB;IACA;IAFV,YACU,QAA+B,EAC/B,aAAiC;QADjC,aAAQ,GAAR,QAAQ,CAAuB;QAC/B,kBAAa,GAAb,aAAa,CAAoB;IACxC,CAAC;IAEJ;;;;;;;OAOG;IACH,KAAK,CAAC,eAAe,CACnB,cAA8B,EAC9B,SAAiB;QAEjB,0DAA0D;QAC1D,IAAI,cAAc,CAAC,aAAa,EAAE,CAAC;YACjC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,cAAc,CAAC,aAAa,CAAC,EAAE,CAAC;gBAC7D,MAAM,IAAI,KAAK,CACb,aAAa,cAAc,CAAC,aAAa,iCAAiC,SAAS,KAAK;oBACtF,mCAAmC,CACtC,CAAC;YACJ,CAAC;YACD,OAAO,cAAc,CAAC,aAAa,CAAC;QACtC,CAAC;QAED,gDAAgD;QAChD,MAAM,gBAAgB,GAAG,IAAI,CAAC,uBAAuB,CACnD,cAAc,CAAC,cAAc,IAAI,EAAE,CACpC,CAAC;QACF,IAAI,gBAAgB,IAAI,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,gBAAgB,CAAC,EAAE,CAAC;YACpE,OAAO,CAAC,GAAG,CACT,yCAAyC,gBAAgB,eAAe,CACzE,CAAC;YACF,OAAO,gBAAgB,CAAC;QAC1B,CAAC;QAED,yEAAyE;QACzE,4BAA4B;QAC5B,MAAM,IAAI,CAAC,QAAQ,CAAC,mBAAmB,CAAC,SAAS,CAAC,CAAC;QACnD,MAAM,SAAS,GAAG,IAAI,CAAC,QAAQ,CAAC,eAAe,EAAE,CAAC;QAClD,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACzB,4CAA4C;YAC5C,MAAM,iBAAiB,GAAG,IAAI,CAAC,QAAQ,CAAC,gBAAgB,EAAE,CAAC,CAAC,CAAC,CAAC;YAC9D,OAAO,CAAC,IAAI,CACV,0DAA0D;gBACxD,oCAAoC,iBAAiB,iBAAiB;gBACtE,qFAAqF,CACxF,CAAC;YACF,OAAO,iBAAiB,CAAC;QAC3B,CAAC;QAED,mDAAmD;QACnD,MAAM,IAAI,KAAK,CACb,yDAAyD;YACvD,2GAA2G,SAAS,IAAI,CAC3H,CAAC;IACJ,CAAC;IAED;;;;;;;;;;;OAWG;IACK,uBAAuB,CAAC,MAAgB;QAC9C,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACnC,OAAO,IAAI,CAAC;QACd,CAAC;QAED,mDAAmD;QACnD,MAAM,aAAa,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE;YACzC,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC/B,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;QAChC,CAAC,CAAC,CAAC;QAEH,mBAAmB;QACnB,MAAM,WAAW,GAA2B;YAC1C,MAAM,EAAE,QAAQ;YAChB,MAAM,EAAE,QAAQ;YAChB,KAAK,EAAE,QAAQ,EAAE,sBAAsB;YACvC,QAAQ,EAAE,QAAQ,EAAE,6DAA6D;YACjF,SAAS,EAAE,WAAW;YACtB,OAAO,EAAE,WAAW;YACpB,KAAK,EAAE,OAAO;YACd,KAAK,EAAE,OAAO;YACd,IAAI,EAAE,MAAM;SACb,CAAC;QAEF,uBAAuB;QACvB,MAAM,SAAS,GAAG,IAAI,GAAG,CACvB,aAAa,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CACnE,CAAC;QAEF,IAAI,SAAS,CAAC,IAAI,KAAK,CAAC,EAAE,CAAC;YACzB,OAAO,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;QAClC,CAAC;QAED,oEAAoE;QACpE,OAAO,IAAI,CAAC;IACd,CAAC;CACF"}

package/src/services/provider-resolver.ts DELETED Viewed

@@ -1,146 +0,0 @@
-/**
- * Provider Resolver
- *
- * Resolves OAuth provider for tools using priority-based resolution strategy.
- * Supports Phase 2+ tool-specific providers with backward compatibility for Phase 1.
- *
- * @package @kya-os/mcp-i-core
- */
-import type { ToolProtection } from "@kya-os/contracts/tool-protection";
-import type { OAuthProviderRegistry } from "./oauth-provider-registry.js";
-import type { OAuthConfigService } from "./oauth-config.service.js";
-/**
- * Resolves OAuth provider for tools with priority-based fallback strategy
- *
- * Priority order:
- * 1. Tool-specific oauthProvider field (Phase 2+ preferred)
- * 2. Scope prefix inference (fallback)
- * 3. Project-configured provider from AgentShield dashboard
- * 4. Error if no provider can be resolved
- */
-export class ProviderResolver {
-  constructor(
-    private registry: OAuthProviderRegistry,
-    private configService: OAuthConfigService
-  ) {}
-  /**
-   * Resolve OAuth provider for a tool
-   *
-   * @param toolProtection - Tool protection configuration
-   * @param projectId - Project ID for fetching provider config
-   * @returns Provider name (never null - throws if cannot resolve)
-   * @throws Error if provider cannot be resolved
-   */
-  async resolveProvider(
-    toolProtection: ToolProtection,
-    projectId: string
-  ): Promise<string> {
-    // Priority 1: Tool-specific provider (Phase 2+ preferred)
-    if (toolProtection.oauthProvider) {
-      // Ensure registry is loaded before checking
-      if (this.registry.getProviderNames().length === 0) {
-        await this.registry.loadFromAgentShield(projectId);
-      }
-      if (!this.registry.hasProvider(toolProtection.oauthProvider)) {
-        throw new Error(
-          `Provider "${toolProtection.oauthProvider}" not configured for project "${projectId}". ` +
-            `Add provider in project settings.`
-        );
-      }
-      return toolProtection.oauthProvider;
-    }
-    // Priority 2: Scope prefix inference (fallback)
-    const inferredProvider = this.inferProviderFromScopes(
-      toolProtection.requiredScopes || []
-    );
-    if (inferredProvider) {
-      // Ensure registry is loaded before checking
-      if (this.registry.getProviderNames().length === 0) {
-        await this.registry.loadFromAgentShield(projectId);
-      }
-      if (this.registry.hasProvider(inferredProvider)) {
-        console.log(
-          `[ProviderResolver] Inferred provider "${inferredProvider}" from scopes`
-        );
-        return inferredProvider;
-      }
-    }
-    // Priority 3: Use explicitly configured provider from AgentShield dashboard
-    // This is the provider the user has actually configured, not just any available provider
-    await this.registry.loadFromAgentShield(projectId);
-    const configuredProvider = this.registry.getConfiguredProvider();
-    if (configuredProvider && this.registry.hasProvider(configuredProvider)) {
-      console.warn(
-        `[ProviderResolver] Tool does not specify oauthProvider. ` +
-          `Using project-configured provider "${configuredProvider}" as fallback. ` +
-          `Consider explicitly setting oauthProvider in tool protection config.`
-      );
-      return configuredProvider;
-    }
-    // Priority 4: Error if no provider is configured
-    // NOTE: We intentionally do NOT fall back to "first available provider" anymore
-    // because AgentShield returns ALL providers (even unconfigured ones).
-    // Only use providers explicitly configured by the user.
-    throw new Error(
-      `Tool requires OAuth but no provider is configured for project "${projectId}". ` +
-        `Configure an OAuth provider in AgentShield dashboard.`
-    );
-  }
-  /**
-   * Infer provider from scope prefixes
-   *
-   * Used as Priority 2 fallback when oauthProvider is not specified.
-   * Examples:
-   * - github:repo:read → github
-   * - gmail:read → google
-   * - microsoft:calendar:read → microsoft
-   *
-   * @param scopes - Required scopes for the tool
-   * @returns Provider name if uniquely inferred, null otherwise
-   */
-  private inferProviderFromScopes(scopes: string[]): string | null {
-    if (!scopes || scopes.length === 0) {
-      return null;
-    }
-    // Extract first part of scope (before first colon)
-    const scopePrefixes = scopes.map((scope) => {
-      const parts = scope.split(":");
-      return parts[0].toLowerCase();
-    });
-    // Provider mapping
-    const providerMap: Record<string, string> = {
-      github: "github",
-      google: "google",
-      gmail: "google", // gmail:read → google
-      calendar: "google", // calendar:read → google (if ambiguous, use project default)
-      microsoft: "microsoft",
-      outlook: "microsoft",
-      slack: "slack",
-      auth0: "auth0",
-      okta: "okta",
-    };
-    // Find unique provider
-    const providers = new Set(
-      scopePrefixes.map((prefix) => providerMap[prefix]).filter(Boolean)
-    );
-    if (providers.size === 1) {
-      return Array.from(providers)[0];
-    }
-    // Ambiguous or no prefix → return null (use project-level provider)
-    return null;
-  }
-}

package/src/services/provider-validator.ts DELETED Viewed

@@ -1,170 +0,0 @@
-/**
- * Provider Validator
- *
- * Validates OAuth provider configurations for custom IDP support.
- * Ensures provider configurations are valid before registration.
- *
- * @package @kya-os/mcp-i-core
- */
-import type { OAuthProvider } from "@kya-os/contracts/config";
-/**
- * Reserved OAuth parameters that cannot be overridden by custom parameters
- */
-const RESERVED_PARAMETERS = [
-  "response_type",
-  "client_id",
-  "redirect_uri",
-  "scope",
-  "state",
-  "code_challenge",
-  "code_challenge_method",
-] as const;
-/**
- * Validation error for provider configuration issues
- */
-export class ProviderValidationError extends Error {
-  constructor(message: string, public readonly field?: string) {
-    super(message);
-    this.name = "ProviderValidationError";
-  }
-}
-/**
- * Service for validating OAuth provider configurations
- */
-export class ProviderValidator {
-  /**
-   * Validate provider configuration
-   *
-   * @param provider - Provider configuration to validate
-   * @param name - Provider name (for error messages)
-   * @throws ProviderValidationError if validation fails
-   */
-  validate(provider: OAuthProvider, name: string): void {
-    // Validate required fields
-    if (!provider.clientId || provider.clientId.trim().length === 0) {
-      throw new ProviderValidationError(
-        `Provider "${name}" must have a clientId`,
-        "clientId"
-      );
-    }
-    if (!provider.authorizationUrl || provider.authorizationUrl.trim().length === 0) {
-      throw new ProviderValidationError(
-        `Provider "${name}" must have an authorizationUrl`,
-        "authorizationUrl"
-      );
-    }
-    if (!provider.tokenUrl || provider.tokenUrl.trim().length === 0) {
-      throw new ProviderValidationError(
-        `Provider "${name}" must have a tokenUrl`,
-        "tokenUrl"
-      );
-    }
-    // Validate URL formats
-    this.validateUrl(provider.authorizationUrl, name, "authorizationUrl");
-    this.validateUrl(provider.tokenUrl, name, "tokenUrl");
-    if (provider.userInfoUrl) {
-      this.validateUrl(provider.userInfoUrl, name, "userInfoUrl");
-    }
-    // Validate proxy mode requirements
-    if (provider.proxyMode && !provider.requiresClientSecret) {
-      throw new ProviderValidationError(
-        `Provider "${name}" with proxyMode=true must have requiresClientSecret=true`,
-        "proxyMode"
-      );
-    }
-    // Validate custom parameters don't conflict with reserved parameters
-    if (provider.customParams) {
-      this.validateCustomParams(provider.customParams, name);
-    }
-  }
-  /**
-   * Validate URL format
-   *
-   * @param url - URL to validate
-   * @param providerName - Provider name (for error messages)
-   * @param fieldName - Field name (for error messages)
-   * @throws ProviderValidationError if URL is invalid
-   */
-  private validateUrl(url: string, providerName: string, fieldName: string): void {
-    try {
-      const parsedUrl = new URL(url);
-      if (parsedUrl.protocol !== "http:" && parsedUrl.protocol !== "https:") {
-        throw new ProviderValidationError(
-          `Provider "${providerName}" ${fieldName} must use HTTP or HTTPS protocol`,
-          fieldName
-        );
-      }
-    } catch (error) {
-      if (error instanceof ProviderValidationError) {
-        throw error;
-      }
-      throw new ProviderValidationError(
-        `Provider "${providerName}" ${fieldName} is not a valid URL: ${error instanceof Error ? error.message : String(error)}`,
-        fieldName
-      );
-    }
-  }
-  /**
-   * Validate custom parameters don't override reserved OAuth parameters
-   *
-   * @param customParams - Custom parameters to validate
-   * @param providerName - Provider name (for error messages)
-   * @throws ProviderValidationError if reserved parameter is overridden
-   */
-  private validateCustomParams(
-    customParams: Record<string, string>,
-    providerName: string
-  ): void {
-    for (const [key, value] of Object.entries(customParams)) {
-      const normalizedKey = key.toLowerCase();
-      if (RESERVED_PARAMETERS.includes(normalizedKey as any)) {
-        throw new ProviderValidationError(
-          `Provider "${providerName}" custom parameter "${key}" conflicts with reserved OAuth parameter. Reserved parameters: ${RESERVED_PARAMETERS.join(", ")}`,
-          `customParams.${key}`
-        );
-      }
-      if (!value || value.trim().length === 0) {
-        throw new ProviderValidationError(
-          `Provider "${providerName}" custom parameter "${key}" has empty value`,
-          `customParams.${key}`
-        );
-      }
-    }
-  }
-  /**
-   * Test provider endpoint reachability (optional)
-   *
-   * @param provider - Provider configuration
-   * @param fetchProvider - Fetch implementation
-   * @returns True if endpoint is reachable, false otherwise
-   */
-  async testProvider(
-    provider: OAuthProvider,
-    fetchProvider: typeof fetch
-  ): Promise<boolean> {
-    try {
-      // Test authorization URL (HEAD request to avoid triggering OAuth flow)
-      const authResponse = await fetchProvider(provider.authorizationUrl, {
-        method: "HEAD",
-        signal: AbortSignal.timeout(5000), // 5 second timeout
-      });
-      return authResponse.ok || authResponse.status === 405; // 405 Method Not Allowed is OK
-    } catch (error) {
-      return false;
-    }
-  }
-}

package/src/services/session-registration.service.ts DELETED Viewed

@@ -1,251 +0,0 @@
-/**
- * Session Registration Service
- *
- * Registers MCP sessions with the AgentShield dashboard, enabling
- * visibility into which MCP clients are connecting to agents.
- *
- * This is a fire-and-forget service - session registration should not
- * block tool execution or affect the user experience.
- *
- * @package @kya-os/mcp-i-core
- */
-import type {
-  RegisterSessionRequest,
-  RegisterSessionResponse,
-} from "@kya-os/contracts/agentshield-api";
-import {
-  registerSessionRequestSchema,
-  registerSessionResponseSchema,
-  AGENTSHIELD_ENDPOINTS,
-} from "@kya-os/contracts/agentshield-api";
-import type { FetchProvider } from "../providers/base.js";
-/**
- * Configuration for the session registration service
- */
-export interface SessionRegistrationServiceConfig {
-  /** Base URL for the AgentShield API (e.g., "https://kya.vouched.id") */
-  baseUrl: string;
-  /** API key for authentication */
-  apiKey: string;
-  /** Fetch provider for making HTTP requests (platform-agnostic) */
-  fetchProvider: FetchProvider;
-  /** Optional logger callback for diagnostics */
-  logger?: (message: string, data?: unknown) => void;
-  /** Timeout in milliseconds for the registration request (default: 5000) */
-  timeoutMs?: number;
-}
-/**
- * Result of a session registration attempt
- */
-export interface SessionRegistrationResult {
-  /** Whether registration was successful */
-  success: boolean;
-  /** Session ID that was registered */
-  sessionId: string;
-  /** Error message if registration failed */
-  error?: string;
-}
-/**
- * Session Registration Service
- *
- * Registers MCP sessions with AgentShield for dashboard visibility.
- * Designed to be non-blocking - failures are logged but don't throw.
- */
-export class SessionRegistrationService {
-  private config: Required<
-    Omit<SessionRegistrationServiceConfig, "logger" | "timeoutMs">
-  > & {
-    logger: NonNullable<SessionRegistrationServiceConfig["logger"]>;
-    timeoutMs: number;
-  };
-  constructor(config: SessionRegistrationServiceConfig) {
-    this.config = {
-      baseUrl: config.baseUrl,
-      apiKey: config.apiKey,
-      fetchProvider: config.fetchProvider,
-      logger: config.logger || (() => {}),
-      timeoutMs: config.timeoutMs ?? 5000,
-    };
-  }
-  /**
-   * Register a session with AgentShield
-   *
-   * This is a fire-and-forget operation. Failures are logged but don't throw.
-   * The method returns quickly and doesn't block the caller.
-   *
-   * @param request - Session registration request data
-   * @returns Result indicating success or failure
-   */
-  async registerSession(
-    request: RegisterSessionRequest
-  ): Promise<SessionRegistrationResult> {
-    const sessionId = request.session_id;
-    try {
-      // Validate request
-      const validationResult = registerSessionRequestSchema.safeParse(request);
-      if (!validationResult.success) {
-        const errorMsg = `Invalid session registration request: ${validationResult.error.message}`;
-        this.config.logger("[SessionRegistration] Validation failed", {
-          sessionId,
-          error: errorMsg,
-        });
-        return { success: false, sessionId, error: errorMsg };
-      }
-      const url = `${this.config.baseUrl}${AGENTSHIELD_ENDPOINTS.SESSIONS}`;
-      this.config.logger("[SessionRegistration] Registering session", {
-        sessionId,
-        agentDid: request.agent_did,
-        clientName: request.client_info.name,
-        url,
-      });
-      // Make the request with timeout
-      const controller = new AbortController();
-      const timeoutId = setTimeout(
-        () => controller.abort(),
-        this.config.timeoutMs
-      );
-      try {
-        const response = await this.config.fetchProvider.fetch(url, {
-          method: "POST",
-          headers: {
-            "Content-Type": "application/json",
-            Authorization: `Bearer ${this.config.apiKey}`,
-          },
-          body: JSON.stringify(request),
-          signal: controller.signal,
-        });
-        clearTimeout(timeoutId);
-        if (!response.ok) {
-          // Log error but don't throw - this is fire-and-forget
-          const errorText = await response.text().catch(() => "Unknown error");
-          this.config.logger("[SessionRegistration] Registration failed", {
-            sessionId,
-            status: response.status,
-            error: errorText,
-          });
-          return {
-            success: false,
-            sessionId,
-            error: `HTTP ${response.status}: ${errorText}`,
-          };
-        }
-        // Parse response
-        const responseData = (await response.json()) as {
-          data?: RegisterSessionResponse;
-        } & RegisterSessionResponse;
-        const parseResult = registerSessionResponseSchema.safeParse(
-          responseData.data || responseData
-        );
-        if (!parseResult.success) {
-          this.config.logger(
-            "[SessionRegistration] Invalid response format",
-            {
-              sessionId,
-              response: responseData,
-            }
-          );
-          // Still consider it a success if we got a 200 OK
-          return { success: true, sessionId };
-        }
-        this.config.logger("[SessionRegistration] Session registered", {
-          sessionId,
-          registered: parseResult.data.registered,
-        });
-        return { success: true, sessionId };
-      } finally {
-        clearTimeout(timeoutId);
-      }
-    } catch (error) {
-      // Handle abort/timeout
-      if (error instanceof Error && error.name === "AbortError") {
-        this.config.logger("[SessionRegistration] Request timed out", {
-          sessionId,
-          timeoutMs: this.config.timeoutMs,
-        });
-        return { success: false, sessionId, error: "Request timed out" };
-      }
-      // Log any other error
-      const errorMsg =
-        error instanceof Error ? error.message : "Unknown error";
-      this.config.logger("[SessionRegistration] Unexpected error", {
-        sessionId,
-        error: errorMsg,
-      });
-      return { success: false, sessionId, error: errorMsg };
-    }
-  }
-  /**
-   * Fire-and-forget session registration
-   *
-   * Starts registration in the background without waiting for completion.
-   * Useful when you want to register a session but not delay the response.
-   *
-   * @param request - Session registration request data
-   */
-  registerSessionAsync(request: RegisterSessionRequest): void {
-    // Start registration in background - don't await
-    this.registerSession(request).catch((error) => {
-      // This should never happen since registerSession catches all errors,
-      // but just in case
-      this.config.logger("[SessionRegistration] Background registration failed", {
-        sessionId: request.session_id,
-        error: error instanceof Error ? error.message : "Unknown error",
-      });
-    });
-  }
-}
-/**
- * Create a session registration service from common runtime config
- *
- * Helper function to create the service from typical environment config.
- */
-export function createSessionRegistrationService(options: {
-  apiUrl: string;
-  apiKey: string;
-  fetchProvider: FetchProvider;
-  logger?: (message: string, data?: unknown) => void;
-}): SessionRegistrationService | null {
-  // Validate required config
-  if (!options.apiUrl || !options.apiKey) {
-    options.logger?.(
-      "[SessionRegistration] Missing required config - session registration disabled",
-      {
-        hasApiUrl: !!options.apiUrl,
-        hasApiKey: !!options.apiKey,
-      }
-    );
-    return null;
-  }
-  return new SessionRegistrationService({
-    baseUrl: options.apiUrl,
-    apiKey: options.apiKey,
-    fetchProvider: options.fetchProvider,
-    logger: options.logger,
-  });
-}