npm - @kya-os/mcp-i-core - Versions diffs - 1.3.13 → 1.3.15 - Mend

@kya-os/mcp-i-core 1.3.13 → 1.3.15

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (255) hide show

package/dist/config/remote-config.js +9 -12
package/dist/runtime/base.d.ts +2 -1
package/dist/runtime/base.js +34 -6
package/dist/services/access-control.service.js +5 -0
package/dist/services/tool-protection.service.js +17 -8
package/package.json +2 -2
package/.turbo/turbo-build.log +0 -4
package/.turbo/turbo-test$colon$coverage.log +0 -4586
package/.turbo/turbo-test.log +0 -4631
package/COMPLIANCE_IMPROVEMENT_REPORT.md +0 -483
package/Composer 3.md +0 -615
package/GPT-5.md +0 -1169
package/OPUS-plan.md +0 -352
package/PHASE_3_AND_4.1_SUMMARY.md +0 -585
package/PHASE_3_SUMMARY.md +0 -317
package/PHASE_4.1.3_SUMMARY.md +0 -428
package/PHASE_4.1_COMPLETE.md +0 -525
package/PHASE_4_USER_DID_IDENTITY_LINKING_PLAN.md +0 -1240
package/SCHEMA_COMPLIANCE_REPORT.md +0 -275
package/TEST_PLAN.md +0 -571
package/coverage/coverage-final.json +0 -60
package/dist/cache/oauth-config-cache.d.ts.map +0 -1
package/dist/cache/oauth-config-cache.js.map +0 -1
package/dist/cache/tool-protection-cache.d.ts.map +0 -1
package/dist/cache/tool-protection-cache.js.map +0 -1
package/dist/compliance/index.d.ts.map +0 -1
package/dist/compliance/index.js.map +0 -1
package/dist/compliance/schema-registry.d.ts.map +0 -1
package/dist/compliance/schema-registry.js.map +0 -1
package/dist/compliance/schema-verifier.d.ts.map +0 -1
package/dist/compliance/schema-verifier.js.map +0 -1
package/dist/config/remote-config.d.ts.map +0 -1
package/dist/config/remote-config.js.map +0 -1
package/dist/config.d.ts.map +0 -1
package/dist/config.js.map +0 -1
package/dist/delegation/audience-validator.d.ts.map +0 -1
package/dist/delegation/audience-validator.js.map +0 -1
package/dist/delegation/bitstring.d.ts.map +0 -1
package/dist/delegation/bitstring.js.map +0 -1
package/dist/delegation/cascading-revocation.d.ts.map +0 -1
package/dist/delegation/cascading-revocation.js.map +0 -1
package/dist/delegation/delegation-graph.d.ts.map +0 -1
package/dist/delegation/delegation-graph.js.map +0 -1
package/dist/delegation/did-key-resolver.d.ts.map +0 -1
package/dist/delegation/did-key-resolver.js.map +0 -1
package/dist/delegation/index.d.ts.map +0 -1
package/dist/delegation/index.js.map +0 -1
package/dist/delegation/statuslist-manager.d.ts.map +0 -1
package/dist/delegation/statuslist-manager.js.map +0 -1
package/dist/delegation/storage/index.d.ts.map +0 -1
package/dist/delegation/storage/index.js.map +0 -1
package/dist/delegation/storage/memory-graph-storage.d.ts.map +0 -1
package/dist/delegation/storage/memory-graph-storage.js.map +0 -1
package/dist/delegation/storage/memory-statuslist-storage.d.ts.map +0 -1
package/dist/delegation/storage/memory-statuslist-storage.js.map +0 -1
package/dist/delegation/utils.d.ts.map +0 -1
package/dist/delegation/utils.js.map +0 -1
package/dist/delegation/vc-issuer.d.ts.map +0 -1
package/dist/delegation/vc-issuer.js.map +0 -1
package/dist/delegation/vc-verifier.d.ts.map +0 -1
package/dist/delegation/vc-verifier.js.map +0 -1
package/dist/identity/idp-token-resolver.d.ts.map +0 -1
package/dist/identity/idp-token-resolver.js.map +0 -1
package/dist/identity/idp-token-storage.interface.d.ts.map +0 -1
package/dist/identity/idp-token-storage.interface.js.map +0 -1
package/dist/identity/user-did-manager.d.ts.map +0 -1
package/dist/identity/user-did-manager.js.map +0 -1
package/dist/index.d.ts.map +0 -1
package/dist/index.js.map +0 -1
package/dist/providers/base.d.ts.map +0 -1
package/dist/providers/base.js.map +0 -1
package/dist/providers/memory.d.ts.map +0 -1
package/dist/providers/memory.js.map +0 -1
package/dist/runtime/audit-logger.d.ts.map +0 -1
package/dist/runtime/audit-logger.js.map +0 -1
package/dist/runtime/base.d.ts.map +0 -1
package/dist/runtime/base.js.map +0 -1
package/dist/services/access-control.service.d.ts.map +0 -1
package/dist/services/access-control.service.js.map +0 -1
package/dist/services/authorization/authorization-registry.d.ts.map +0 -1
package/dist/services/authorization/authorization-registry.js.map +0 -1
package/dist/services/authorization/types.d.ts.map +0 -1
package/dist/services/authorization/types.js.map +0 -1
package/dist/services/batch-delegation.service.d.ts.map +0 -1
package/dist/services/batch-delegation.service.js.map +0 -1
package/dist/services/crypto.service.d.ts.map +0 -1
package/dist/services/crypto.service.js.map +0 -1
package/dist/services/errors.d.ts.map +0 -1
package/dist/services/errors.js.map +0 -1
package/dist/services/index.d.ts.map +0 -1
package/dist/services/index.js.map +0 -1
package/dist/services/oauth-config.service.d.ts.map +0 -1
package/dist/services/oauth-config.service.js.map +0 -1
package/dist/services/oauth-provider-registry.d.ts.map +0 -1
package/dist/services/oauth-provider-registry.js.map +0 -1
package/dist/services/oauth-service.d.ts.map +0 -1
package/dist/services/oauth-service.js.map +0 -1
package/dist/services/oauth-token-retrieval.service.d.ts.map +0 -1
package/dist/services/oauth-token-retrieval.service.js.map +0 -1
package/dist/services/proof-verifier.d.ts.map +0 -1
package/dist/services/proof-verifier.js.map +0 -1
package/dist/services/provider-resolver.d.ts.map +0 -1
package/dist/services/provider-resolver.js.map +0 -1
package/dist/services/provider-validator.d.ts.map +0 -1
package/dist/services/provider-validator.js.map +0 -1
package/dist/services/session-registration.service.d.ts.map +0 -1
package/dist/services/session-registration.service.js.map +0 -1
package/dist/services/storage.service.d.ts.map +0 -1
package/dist/services/storage.service.js.map +0 -1
package/dist/services/tool-context-builder.d.ts.map +0 -1
package/dist/services/tool-context-builder.js.map +0 -1
package/dist/services/tool-protection.service.d.ts.map +0 -1
package/dist/services/tool-protection.service.js.map +0 -1
package/dist/types/oauth-required-error.d.ts.map +0 -1
package/dist/types/oauth-required-error.js.map +0 -1
package/dist/types/tool-protection.d.ts.map +0 -1
package/dist/types/tool-protection.js.map +0 -1
package/dist/utils/base58.d.ts.map +0 -1
package/dist/utils/base58.js.map +0 -1
package/dist/utils/base64.d.ts.map +0 -1
package/dist/utils/base64.js.map +0 -1
package/dist/utils/cors.d.ts.map +0 -1
package/dist/utils/cors.js.map +0 -1
package/dist/utils/did-helpers.d.ts.map +0 -1
package/dist/utils/did-helpers.js.map +0 -1
package/dist/utils/index.d.ts.map +0 -1
package/dist/utils/index.js.map +0 -1
package/dist/utils/storage-keys.d.ts.map +0 -1
package/dist/utils/storage-keys.js.map +0 -1
package/docs/API_REFERENCE.md +0 -1362
package/docs/COMPLIANCE_MATRIX.md +0 -691
package/docs/STATUSLIST2021_GUIDE.md +0 -696
package/docs/W3C_VC_DELEGATION_GUIDE.md +0 -710
package/src/__tests__/cache/tool-protection-cache.test.ts +0 -640
package/src/__tests__/config/provider-runtime-config.test.ts +0 -309
package/src/__tests__/delegation-e2e.test.ts +0 -690
package/src/__tests__/identity/user-did-manager.test.ts +0 -232
package/src/__tests__/index.test.ts +0 -56
package/src/__tests__/integration/full-flow.test.ts +0 -789
package/src/__tests__/integration.test.ts +0 -281
package/src/__tests__/providers/base.test.ts +0 -173
package/src/__tests__/providers/memory.test.ts +0 -319
package/src/__tests__/regression/phase2-regression.test.ts +0 -429
package/src/__tests__/runtime/audit-logger.test.ts +0 -154
package/src/__tests__/runtime/base-extensions.test.ts +0 -595
package/src/__tests__/runtime/base.test.ts +0 -869
package/src/__tests__/runtime/delegation-flow.test.ts +0 -164
package/src/__tests__/runtime/proof-client-did.test.ts +0 -376
package/src/__tests__/runtime/route-interception.test.ts +0 -686
package/src/__tests__/runtime/tool-protection-enforcement.test.ts +0 -908
package/src/__tests__/services/agentshield-integration.test.ts +0 -791
package/src/__tests__/services/cache-busting.test.ts +0 -125
package/src/__tests__/services/oauth-service-pkce.test.ts +0 -556
package/src/__tests__/services/provider-resolver-edge-cases.test.ts +0 -591
package/src/__tests__/services/tool-protection-merged-config.test.ts +0 -485
package/src/__tests__/services/tool-protection-oauth-provider.test.ts +0 -480
package/src/__tests__/services/tool-protection.service.test.ts +0 -1373
package/src/__tests__/utils/mock-providers.ts +0 -340
package/src/cache/oauth-config-cache.d.ts +0 -69
package/src/cache/oauth-config-cache.d.ts.map +0 -1
package/src/cache/oauth-config-cache.js.map +0 -1
package/src/cache/oauth-config-cache.ts +0 -123
package/src/cache/tool-protection-cache.ts +0 -171
package/src/compliance/EXAMPLE.md +0 -412
package/src/compliance/__tests__/schema-verifier.test.ts +0 -797
package/src/compliance/index.ts +0 -8
package/src/compliance/schema-registry.ts +0 -460
package/src/compliance/schema-verifier.ts +0 -708
package/src/config/__tests__/merged-config.spec.ts +0 -445
package/src/config/__tests__/remote-config.spec.ts +0 -268
package/src/config/remote-config.ts +0 -264
package/src/config.ts +0 -312
package/src/delegation/__tests__/audience-validator.test.ts +0 -112
package/src/delegation/__tests__/bitstring.test.ts +0 -346
package/src/delegation/__tests__/cascading-revocation.test.ts +0 -628
package/src/delegation/__tests__/delegation-graph.test.ts +0 -584
package/src/delegation/__tests__/did-key-resolver.test.ts +0 -265
package/src/delegation/__tests__/utils.test.ts +0 -152
package/src/delegation/__tests__/vc-issuer.test.ts +0 -442
package/src/delegation/__tests__/vc-verifier.test.ts +0 -922
package/src/delegation/audience-validator.ts +0 -52
package/src/delegation/bitstring.ts +0 -278
package/src/delegation/cascading-revocation.ts +0 -370
package/src/delegation/delegation-graph.ts +0 -299
package/src/delegation/did-key-resolver.ts +0 -179
package/src/delegation/index.ts +0 -14
package/src/delegation/statuslist-manager.ts +0 -353
package/src/delegation/storage/__tests__/memory-graph-storage.test.ts +0 -366
package/src/delegation/storage/__tests__/memory-statuslist-storage.test.ts +0 -228
package/src/delegation/storage/index.ts +0 -9
package/src/delegation/storage/memory-graph-storage.ts +0 -178
package/src/delegation/storage/memory-statuslist-storage.ts +0 -77
package/src/delegation/utils.ts +0 -221
package/src/delegation/vc-issuer.ts +0 -232
package/src/delegation/vc-verifier.ts +0 -568
package/src/identity/idp-token-resolver.ts +0 -181
package/src/identity/idp-token-storage.interface.ts +0 -94
package/src/identity/user-did-manager.ts +0 -526
package/src/index.ts +0 -310
package/src/providers/base.d.ts +0 -91
package/src/providers/base.d.ts.map +0 -1
package/src/providers/base.js.map +0 -1
package/src/providers/base.ts +0 -96
package/src/providers/memory.ts +0 -142
package/src/runtime/audit-logger.ts +0 -39
package/src/runtime/base.ts +0 -1392
package/src/services/__tests__/access-control.integration.test.ts +0 -443
package/src/services/__tests__/access-control.proof-response-validation.test.ts +0 -578
package/src/services/__tests__/access-control.service.test.ts +0 -970
package/src/services/__tests__/batch-delegation.service.test.ts +0 -351
package/src/services/__tests__/crypto.service.test.ts +0 -531
package/src/services/__tests__/oauth-provider-registry.test.ts +0 -142
package/src/services/__tests__/proof-verifier.integration.test.ts +0 -485
package/src/services/__tests__/proof-verifier.test.ts +0 -489
package/src/services/__tests__/provider-resolution.integration.test.ts +0 -202
package/src/services/__tests__/provider-resolver.test.ts +0 -213
package/src/services/__tests__/storage.service.test.ts +0 -358
package/src/services/access-control.service.ts +0 -990
package/src/services/authorization/authorization-registry.ts +0 -66
package/src/services/authorization/types.ts +0 -71
package/src/services/batch-delegation.service.ts +0 -137
package/src/services/crypto.service.ts +0 -302
package/src/services/errors.ts +0 -76
package/src/services/index.ts +0 -18
package/src/services/oauth-config.service.d.ts +0 -53
package/src/services/oauth-config.service.d.ts.map +0 -1
package/src/services/oauth-config.service.js.map +0 -1
package/src/services/oauth-config.service.ts +0 -192
package/src/services/oauth-provider-registry.d.ts +0 -57
package/src/services/oauth-provider-registry.d.ts.map +0 -1
package/src/services/oauth-provider-registry.js.map +0 -1
package/src/services/oauth-provider-registry.ts +0 -141
package/src/services/oauth-service.ts +0 -544
package/src/services/oauth-token-retrieval.service.ts +0 -245
package/src/services/proof-verifier.ts +0 -478
package/src/services/provider-resolver.d.ts +0 -48
package/src/services/provider-resolver.d.ts.map +0 -1
package/src/services/provider-resolver.js.map +0 -1
package/src/services/provider-resolver.ts +0 -146
package/src/services/provider-validator.ts +0 -170
package/src/services/session-registration.service.ts +0 -251
package/src/services/storage.service.ts +0 -566
package/src/services/tool-context-builder.ts +0 -237
package/src/services/tool-protection.service.ts +0 -1070
package/src/types/oauth-required-error.ts +0 -63
package/src/types/tool-protection.ts +0 -155
package/src/utils/__tests__/did-helpers.test.ts +0 -156
package/src/utils/base58.ts +0 -109
package/src/utils/base64.ts +0 -148
package/src/utils/cors.ts +0 -83
package/src/utils/did-helpers.ts +0 -210
package/src/utils/index.ts +0 -8
package/src/utils/storage-keys.ts +0 -278
package/tsconfig.json +0 -21
package/vitest.config.ts +0 -56

package/src/services/tool-context-builder.ts DELETED Viewed

@@ -1,237 +0,0 @@
-/**
- * Tool Context Builder
- *
- * Builds ToolExecutionContext for tool handlers by resolving IDP tokens
- * based on tool protection configuration and user identity.
- *
- * Updated for CRED-003: Builds idpHeaders based on tokenUsage metadata
- * to support credential providers with custom token usage patterns.
- *
- * @package @kya-os/mcp-i-core
- */
-import type { ToolExecutionContext } from "@kya-os/contracts/config";
-import type { IdpTokenResolver } from "../identity/idp-token-resolver.js";
-import type { IdpTokensWithMetadata } from "../identity/idp-token-storage.interface.js";
-import type { ToolProtection } from "../types/tool-protection.js";
-import type { OAuthConfigService } from "./oauth-config.service.js";
-import type { ProviderResolver } from "./provider-resolver.js";
-import { OAuthRequiredError } from "../types/oauth-required-error.js";
-export interface ToolContextBuilderConfig {
-  /** IDP token resolver for resolving tokens from User DID */
-  tokenResolver: IdpTokenResolver;
-  /** OAuth config service for fetching provider configurations */
-  configService: OAuthConfigService;
-  /** Provider resolver for resolving OAuth providers for tools */
-  providerResolver: ProviderResolver;
-  /** Project ID for fetching OAuth config */
-  projectId: string;
-  /** Optional logger callback for diagnostics */
-  logger?: (message: string, data?: unknown) => void;
-}
-/**
- * Builder for tool execution context
- *
- * Resolves IDP tokens and builds context for tool handlers.
- * Phase 1: Uses configured provider as temporary fallback.
- * Phase 2+: Requires explicit oauthProvider on tool protection.
- */
-export class ToolContextBuilder {
-  private config: Required<Omit<ToolContextBuilderConfig, "logger">> & {
-    logger: (message: string, data?: unknown) => void;
-  };
-  constructor(config: ToolContextBuilderConfig) {
-    this.config = {
-      tokenResolver: config.tokenResolver,
-      configService: config.configService,
-      providerResolver: config.providerResolver,
-      projectId: config.projectId,
-      logger: config.logger || (() => {}),
-    };
-  }
-  /**
-   * Build tool execution context
-   *
-   * @param toolName - Name of the tool being executed
-   * @param userDid - User DID (optional, required for OAuth/credentials)
-   * @param sessionId - Session ID (optional)
-   * @param delegationToken - Delegation token (optional)
-   * @param toolProtection - Tool protection configuration (optional)
-   * @returns Tool execution context or undefined if not needed
-   */
-  async buildContext(
-    toolName: string,
-    userDid: string | undefined,
-    sessionId: string | undefined,
-    delegationToken: string | undefined,
-    toolProtection: ToolProtection | null
-  ): Promise<ToolExecutionContext | undefined> {
-    // Only build context if tool requires OAuth/credentials
-    if (!toolProtection?.requiredScopes?.length || !userDid) {
-      return undefined;
-    }
-    // Phase 2: Resolve provider using ProviderResolver
-    // ProviderResolver handles priority-based resolution with fallbacks
-    let provider: string;
-    try {
-      provider = await this.resolveProvider(toolProtection);
-    } catch (error) {
-      // Provider resolution failed - cannot build context
-      this.config.logger("[ToolContextBuilder] Provider not resolved", {
-        toolName,
-        userDid: userDid.substring(0, 20) + "...",
-        error: error instanceof Error ? error.message : String(error),
-      });
-      return undefined;
-    }
-    // CRED-003: Resolve full token data (not just access_token)
-    // This includes tokenUsage, cookieFormat, apiHeaders for credential providers
-    const tokenData = await this.config.tokenResolver.resolveTokenDataFromDid(
-      userDid,
-      provider,
-      toolProtection.requiredScopes
-    );
-    if (!tokenData) {
-      // Token not available - throw OAuthRequiredError to trigger auth flow
-      this.config.logger("[ToolContextBuilder] Token not available, throwing OAuthRequiredError", {
-        toolName,
-        userDid: userDid.substring(0, 20) + "...",
-        provider,
-        scopes: toolProtection.requiredScopes,
-      });
-      // Throw error with provider and scopes info
-      // Auth URL will be built by the Cloudflare layer (agent.ts)
-      throw new OAuthRequiredError({
-        toolName,
-        requiredScopes: toolProtection.requiredScopes,
-        provider,
-        oauthUrl: "", // Will be populated by Cloudflare layer
-        userDid,
-        sessionId,
-      });
-    }
-    // CRED-003: Build headers based on tokenUsage
-    const idpHeaders = this.buildAuthHeaders(tokenData);
-    // Build context with token and headers
-    const context: ToolExecutionContext = {
-      idpToken: tokenData.access_token,
-      idpHeaders,
-      provider,
-      scopes: toolProtection.requiredScopes,
-      userDid,
-      sessionId,
-      delegationToken,
-    };
-    this.config.logger("[ToolContextBuilder] Context built successfully", {
-      toolName,
-      userDid: userDid.substring(0, 20) + "...",
-      provider,
-      hasToken: !!tokenData.access_token,
-      tokenUsage: tokenData.tokenUsage,
-      headerKeys: Object.keys(idpHeaders),
-    });
-    return context;
-  }
-  /**
-   * Build authentication headers based on token usage metadata (CRED-003)
-   *
-   * Supports three modes:
-   * - "cookie": Cookie header (with optional cookieFormat template)
-   * - "bearer": Authorization: Bearer xxx
-   * - "header": Custom header name
-   *
-   * Also includes any apiHeaders from provider config.
-   *
-   * @param tokenData - Token data with usage metadata
-   * @returns Headers object for API calls
-   */
-  private buildAuthHeaders(tokenData: IdpTokensWithMetadata): Record<string, string> {
-    const authHeaders: Record<string, string> = {};
-    const tokenUsage = tokenData.tokenUsage || "bearer"; // Default to bearer for OAuth
-    const token = tokenData.access_token;
-    switch (tokenUsage) {
-      case "cookie":
-        // Use cookieFormat if specified, otherwise send raw token
-        if (tokenData.cookieFormat) {
-          authHeaders["Cookie"] = tokenData.cookieFormat.replace(
-            /\{\{token\}\}/g,
-            token
-          );
-        } else {
-          authHeaders["Cookie"] = token;
-        }
-        break;
-      case "bearer":
-        authHeaders["Authorization"] = `Bearer ${token}`;
-        break;
-      case "header":
-        const headerName = tokenData.tokenHeader || "X-Session-Token";
-        authHeaders[headerName] = token;
-        break;
-      default:
-        // Unknown usage - default to bearer
-        authHeaders["Authorization"] = `Bearer ${token}`;
-    }
-    // Add any additional API headers from provider config
-    if (tokenData.apiHeaders) {
-      Object.assign(authHeaders, tokenData.apiHeaders);
-    }
-    return authHeaders;
-  }
-  /**
-   * Resolve OAuth provider for a tool
-   *
-   * Phase 2: Uses ProviderResolver with priority-based resolution
-   *
-   * @param toolProtection - Tool protection configuration
-   * @returns Provider name or throws error if not found
-   */
-  private async resolveProvider(
-    toolProtection: ToolProtection
-  ): Promise<string> {
-    try {
-      const provider = await this.config.providerResolver.resolveProvider(
-        toolProtection,
-        this.config.projectId
-      );
-      this.config.logger("[ToolContextBuilder] Provider resolved", {
-        provider,
-      });
-      return provider;
-    } catch (error) {
-      this.config.logger("[ToolContextBuilder] Provider resolution failed", {
-        error: error instanceof Error ? error.message : String(error),
-        projectId: this.config.projectId,
-      });
-      throw error; // Re-throw to let caller handle
-    }
-  }
-}