@kya-os/mcp-i-core 1.3.22 → 1.3.24

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/dist/runtime/base.js +73 -0
  2. package/package.json +2 -2
package/dist/runtime/base.js CHANGED
@@ -10,6 +10,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
10
10
  exports.MCPIRuntimeBase = void 0;
11
11
  const tool_protection_js_1 = require("../types/tool-protection.js");
12
12
  const crypto_service_js_1 = require("../services/crypto.service.js");
13
+ const access_control_service_js_1 = require("../services/access-control.service.js");
13
14
  const agentshield_api_1 = require("@kya-os/contracts/agentshield-api");
14
15
  const user_did_manager_1 = require("../identity/user-did-manager");
15
16
  class MCPIRuntimeBase {
@@ -466,6 +467,78 @@ class MCPIRuntimeBase {
466
467
  });
467
468
  }
468
469
  }
470
+ // ✅ SECURITY: Validate authorization method matches tool requirements
471
+ // This prevents stale delegations from working after tool auth method changes
472
+ // NOTE: Authorization validation only applies when credential is present (AgentShield API verifier).
473
+ // KV/Memory verifiers don't return credential data, so we skip auth method validation for them.
474
+ const toolAuth = protection.authorization;
475
+ const delegationAuth = credential?.authorization;
476
+ // Only validate when:
477
+ // 1. Tool has authorization requirement defined
478
+ // 2. Credential is present (AgentShield API verifier)
479
+ if (toolAuth && credential) {
480
+ // If tool requires authorization but credential doesn't have auth data, reject
481
+ // This prevents bypassing auth checks with incomplete credential data
482
+ if (!delegationAuth) {
483
+ if (this.config.audit?.enabled) {
484
+ console.error("[MCP-I] ❌ Tool requires authorization but credential missing auth data", {
485
+ tool: toolName,
486
+ agentDid: identity.did.slice(0, 20) + "...",
487
+ toolAuth,
488
+ note: "Credential exists but missing authorization metadata - rejecting for security",
489
+ });
490
+ }
491
+ // Throw DelegationRequiredError to force re-authorization
492
+ const interceptedCall = {
493
+ toolName,
494
+ args,
495
+ sessionId: session?.id || "unknown",
496
+ timestamp: this.clock.now(),
497
+ expiresAt: this.clock.calculateExpiry(1800),
498
+ };
499
+ const resumeToken = this.generateResumeToken(interceptedCall);
500
+ const consentUrl = this.buildConsentUrl(toolName, protection.requiredScopes, session, resumeToken, undefined, protection.oauthProvider);
501
+ this.interceptedCalls.set(resumeToken, interceptedCall);
502
+ this.cleanupExpiredInterceptedCalls();
503
+ throw new tool_protection_js_1.DelegationRequiredError(toolName, protection.requiredScopes, consentUrl, interceptedCall, resumeToken);
504
+ }
505
+ // Both tool and delegation have authorization - compare them
506
+ if (!(0, access_control_service_js_1.authorizationMatches)(delegationAuth, toolAuth)) {
507
+ const authMismatchReason = `Authorization method mismatch: delegation has ${delegationAuth.type}${delegationAuth.provider ? `:${delegationAuth.provider}` : ""}${delegationAuth.credentialType ? `:${delegationAuth.credentialType}` : ""} but tool requires ${toolAuth.type}${toolAuth.provider ? `:${toolAuth.provider}` : ""}${toolAuth.credentialType ? `:${toolAuth.credentialType}` : ""}`;
508
+ if (this.config.audit?.enabled) {
509
+ console.error("[MCP-I] ❌ Authorization method validation FAILED", {
510
+ tool: toolName,
511
+ agentDid: identity.did.slice(0, 20) + "...",
512
+ reason: authMismatchReason,
513
+ delegationAuth,
514
+ toolAuth,
515
+ });
516
+ }
517
+ // Throw DelegationRequiredError to force re-authorization with correct method
518
+ const interceptedCall = {
519
+ toolName,
520
+ args,
521
+ sessionId: session?.id || "unknown",
522
+ timestamp: this.clock.now(),
523
+ expiresAt: this.clock.calculateExpiry(1800),
524
+ };
525
+ const resumeToken = this.generateResumeToken(interceptedCall);
526
+ const consentUrl = this.buildConsentUrl(toolName, protection.requiredScopes, session, resumeToken, undefined, protection.oauthProvider);
527
+ this.interceptedCalls.set(resumeToken, interceptedCall);
528
+ this.cleanupExpiredInterceptedCalls();
529
+ throw new tool_protection_js_1.DelegationRequiredError(toolName, protection.requiredScopes, consentUrl, interceptedCall, resumeToken);
530
+ }
531
+ // Authorization method validation passed
532
+ if (this.config.audit?.enabled) {
533
+ console.log("[MCP-I] ✅ Authorization method validation PASSED", {
534
+ tool: toolName,
535
+ agentDid: identity.did.slice(0, 20) + "...",
536
+ authType: delegationAuth.type,
537
+ provider: delegationAuth.provider || "N/A",
538
+ });
539
+ }
540
+ }
541
+ // If credential is missing entirely (KV/Memory verifiers), skip validation for backward compatibility
469
542
  // Verification succeeded
470
543
  if (this.config.audit?.enabled) {
471
544
  console.log("[MCP-I] ✅ Delegation verification SUCCEEDED", {
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@kya-os/mcp-i-core",
3
- "version": "1.3.22",
3
+ "version": "1.3.24",
4
4
  "description": "Core runtime and types for MCP-I framework",
5
5
  "main": "dist/index.js",
6
6
  "types": "dist/index.d.ts",
@@ -28,7 +28,7 @@
28
28
  "prepublishOnly": "npm run build && node ../create-mcpi-app/scripts/validate-no-workspace.js"
29
29
  },
30
30
  "dependencies": {
31
- "@kya-os/contracts": "^1.6.15",
31
+ "@kya-os/contracts": "^1.6.17",
32
32
  "jose": "^5.6.3",
33
33
  "json-canonicalize": "^2.0.0",
34
34
  "zod": "^3.25.76"