@kya-os/mcp-i-core 1.3.7-canary.clientinfo.20251126041014 → 1.3.8-canary.0

package/src/services/session-registration.service.ts

@@ -112,43 +112,6 @@ export class SessionRegistrationService {
         url,
       });
 
-      // ✅ EMPIRICAL PROOF: Prepare request headers with correct auth format
-      const requestHeaders = {
-        "Content-Type": "application/json",
-        "X-AgentShield-Key": this.config.apiKey, // Fixed: Use X-AgentShield-Key instead of Authorization: Bearer
-      };
-
-      // ✅ EMPIRICAL PROOF: Log exact request details (sanitized for security)
-      const sanitizedHeaders = {
-        ...requestHeaders,
-        "X-AgentShield-Key": `${this.config.apiKey.slice(0, 8)}...${this.config.apiKey.slice(-4)}`, // Show first 8 and last 4 chars
-      };
-
-      const sanitizedBody = {
-        session_id: request.session_id,
-        agent_did: request.agent_did,
-        project_id: request.project_id,
-        created_at: request.created_at,
-        client_info: request.client_info,
-        client_identity: request.client_identity,
-        server_did: request.server_did,
-        ttl_minutes: request.ttl_minutes,
-      };
-
-      this.config.logger(
-        "[SessionRegistration] 🔍 EMPIRICAL DEBUG - Request details",
-        {
-          url,
-          method: "POST",
-          headers: sanitizedHeaders,
-          headerKeys: Object.keys(requestHeaders),
-          authHeaderPresent: !!requestHeaders["X-AgentShield-Key"],
-          authHeaderName: "X-AgentShield-Key",
-          body: sanitizedBody,
-          bodySize: JSON.stringify(request).length,
-        }
-      );
-
       // Make the request with timeout
       const controller = new AbortController();
       const timeoutId = setTimeout(
@@ -159,75 +122,47 @@ export class SessionRegistrationService {
       try {
         const response = await this.config.fetchProvider.fetch(url, {
           method: "POST",
-          headers: requestHeaders,
+          headers: {
+            "Content-Type": "application/json",
+            Authorization: `Bearer ${this.config.apiKey}`,
+          },
           body: JSON.stringify(request),
           signal: controller.signal,
         });
 
         clearTimeout(timeoutId);
 
-        // ✅ EMPIRICAL PROOF: Capture exact response details
-        const responseHeaders: Record<string, string> = {};
-        response.headers.forEach((value, key) => {
-          responseHeaders[key] = value;
-        });
-
-        const responseText = await response
-          .text()
-          .catch(() => "Failed to read response");
-        let responseBody: unknown;
-        try {
-          responseBody = JSON.parse(responseText);
-        } catch {
-          responseBody = responseText;
-        }
-
-        // ✅ EMPIRICAL PROOF: Log exact response details
-        this.config.logger(
-          "[SessionRegistration] 🔍 EMPIRICAL DEBUG - Response details",
-          {
-            status: response.status,
-            statusText: response.statusText,
-            ok: response.ok,
-            headers: responseHeaders,
-            body: responseBody,
-            bodyLength: responseText.length,
-            clientName: request.client_info.name,
-          }
-        );
-
         if (!response.ok) {
           // Log error but don't throw - this is fire-and-forget
+          const errorText = await response.text().catch(() => "Unknown error");
           this.config.logger("[SessionRegistration] Registration failed", {
             sessionId,
             status: response.status,
-            error: responseText,
-            // ✅ EMPIRICAL PROOF: Include full response details
-            responseHeaders,
-            responseBody,
-            clientName: request.client_info.name,
+            error: errorText,
           });
           return {
             success: false,
             sessionId,
-            error: `HTTP ${response.status}: ${responseText}`,
+            error: `HTTP ${response.status}: ${errorText}`,
           };
         }
 
-        // Parse response (using already-captured responseBody)
-        const responseData = responseBody as
-          | { data?: RegisterSessionResponse }
-          | RegisterSessionResponse;
+        // Parse response
+        const responseData = (await response.json()) as {
+          data?: RegisterSessionResponse;
+        } & RegisterSessionResponse;
         const parseResult = registerSessionResponseSchema.safeParse(
-          (responseData as { data?: RegisterSessionResponse }).data ||
-            responseData
+          responseData.data || responseData
         );
 
         if (!parseResult.success) {
-          this.config.logger("[SessionRegistration] Invalid response format", {
-            sessionId,
-            response: responseData,
-          });
+          this.config.logger(
+            "[SessionRegistration] Invalid response format",
+            {
+              sessionId,
+              response: responseData,
+            }
+          );
           // Still consider it a success if we got a 200 OK
           return { success: true, sessionId };
         }
@@ -252,7 +187,8 @@ export class SessionRegistrationService {
       }
 
       // Log any other error
-      const errorMsg = error instanceof Error ? error.message : "Unknown error";
+      const errorMsg =
+        error instanceof Error ? error.message : "Unknown error";
       this.config.logger("[SessionRegistration] Unexpected error", {
         sessionId,
         error: errorMsg,
@@ -274,13 +210,10 @@ export class SessionRegistrationService {
     this.registerSession(request).catch((error) => {
       // This should never happen since registerSession catches all errors,
       // but just in case
-      this.config.logger(
-        "[SessionRegistration] Background registration failed",
-        {
-          sessionId: request.session_id,
-          error: error instanceof Error ? error.message : "Unknown error",
-        }
-      );
+      this.config.logger("[SessionRegistration] Background registration failed", {
+        sessionId: request.session_id,
+        error: error instanceof Error ? error.message : "Unknown error",
+      });
     });
   }
 }
@@ -315,3 +248,4 @@ export function createSessionRegistrationService(options: {
     logger: options.logger,
   });
 }
+

package/src/services/tool-protection.service.ts

@@ -87,34 +87,56 @@ import type {
 import type { ToolProtectionCache } from "../cache/tool-protection-cache.js";
 import { InMemoryToolProtectionCache } from "../cache/tool-protection-cache.js";
 
+/**
+ * Tool protection data structure in API responses
+ */
+interface ToolProtectionData {
+  requiresDelegation?: boolean;
+  requires_delegation?: boolean;
+  requiredScopes?: string[];
+  required_scopes?: string[];
+  scopes?: string[];
+  riskLevel?: string;
+  risk_level?: string;
+  oauthProvider?: string;
+  oauth_provider?: string;
+  authorization?: {
+    type: string;
+    provider?: string;
+    issuer?: string;
+    credentialType?: string;
+  };
+}
+
 /**
  * Response from AgentShield API bouncer endpoints
  *
  * Supports multiple endpoint formats:
- * 1. New endpoint (/projects/{projectId}/tool-protections): { data: { toolProtections: { [toolName]: {...} } } } }
- * 2. Old endpoint (/config?agent_did=...): { data: { tools: [{ name: string, ... }] } }
- * 3. Legacy format: { data: { tools: { [toolName]: {...} } } }
+ * 1. Merged config (/projects/{projectId}/config): { data: { config: { toolProtection: { tools: {...} } } } }
+ * 2. Legacy tool-protections endpoint: { data: { toolProtections: { [toolName]: {...} } } }
+ * 3. Old config endpoint (/config?agent_did=...): { data: { tools: [{ name: string, ... }] } }
+ * 4. Legacy format: { data: { tools: { [toolName]: {...} } } }
  */
 interface BouncerConfigApiResponse {
   success: boolean;
   data: {
     agent_did?: string;
-    // New endpoint format: toolProtections object
-    toolProtections?: Record<
-      string,
-      {
-        requiresDelegation?: boolean;
-        requires_delegation?: boolean;
-        requiredScopes?: string[];
-        required_scopes?: string[];
-        scopes?: string[];
-        riskLevel?: string;
-        risk_level?: string;
-        oauthProvider?: string; // Phase 2: Tool-specific OAuth provider
-        oauth_provider?: string; // Phase 2: snake_case variant
-      }
-    >;
-    // Old endpoint format: tools array or object
+    
+    // NEW: Merged config format (v1.6.0+) - preferred format
+    // The entire config is returned with tools embedded at config.toolProtection.tools
+    config?: {
+      toolProtection?: {
+        source?: string;
+        tools?: Record<string, ToolProtectionData>;
+      };
+      // Other config fields we don't need to parse
+      [key: string]: unknown;
+    };
+    
+    // DEPRECATED: Top-level toolProtections (backward compatibility during transition)
+    toolProtections?: Record<string, ToolProtectionData>;
+    
+    // Legacy endpoint formats
     tools?:
       | Array<{
           name: string;
@@ -122,20 +144,10 @@ interface BouncerConfigApiResponse {
           requires_delegation?: boolean;
           scopes?: string[];
           required_scopes?: string[];
-          oauthProvider?: string; // Phase 2: Tool-specific OAuth provider
-          oauth_provider?: string; // Phase 2: snake_case variant
+          oauthProvider?: string;
+          oauth_provider?: string;
         }>
-      | Record<
-          string,
-          {
-            requiresDelegation?: boolean;
-            requires_delegation?: boolean;
-            scopes?: string[];
-            required_scopes?: string[];
-            oauthProvider?: string; // Phase 2: Tool-specific OAuth provider
-            oauth_provider?: string; // Phase 2: snake_case variant
-          }
-        >;
+      | Record<string, ToolProtectionData>;
     reputation_threshold?: number;
     denied_agents?: string[];
   };
@@ -271,7 +283,7 @@ export class ToolProtectionService {
         projectId: this.config.projectId || "none",
         apiUrl: this.config.apiUrl,
         endpoint: this.config.projectId
-          ? `/api/v1/bouncer/projects/${this.config.projectId}/tool-protections`
+          ? `/api/v1/bouncer/projects/${this.config.projectId}/config`
           : `/api/v1/bouncer/config?agent_did=${agentDid}`,
       });
     }
@@ -665,7 +677,10 @@ export class ToolProtectionService {
 
   /**
    * Fetch tool protection config from AgentShield API
-   * Uses projectId endpoint if available (preferred, project-scoped), otherwise falls back to agent_did query param
+   * 
+   * Uses the merged /config endpoint which returns tool protections embedded
+   * at config.toolProtection.tools. Falls back to legacy formats for backward
+   * compatibility.
    *
    * @param agentDid DID of the agent to fetch config for
    * @param options Optional fetch options
@@ -675,17 +690,17 @@ export class ToolProtectionService {
     agentDid: string,
     options?: { bypassCDNCache?: boolean }
   ): Promise<BouncerConfigApiResponse> {
-    // Prefer new project-scoped endpoint: /api/v1/bouncer/projects/{projectId}/tool-protections
-    // Falls back to old endpoint: /api/v1/bouncer/config?agent_did={did} for backward compatibility
+    // Use the merged /config endpoint which includes embedded tool protections
+    // This endpoint returns config.toolProtection.tools with all tool rules
     let url: string;
-    let useNewEndpoint = false;
+    let useMergedEndpoint = false;
 
     if (this.config.projectId) {
-      // ✅ NEW ENDPOINT: Project-scoped, returns toolProtections object
-      url = `${this.config.apiUrl}/api/v1/bouncer/projects/${encodeURIComponent(this.config.projectId)}/tool-protections`;
-      useNewEndpoint = true;
+      // ✅ MERGED CONFIG ENDPOINT: Returns config with embedded toolProtection.tools
+      url = `${this.config.apiUrl}/api/v1/bouncer/projects/${encodeURIComponent(this.config.projectId)}/config`;
+      useMergedEndpoint = true;
     } else {
-      // ⚠️ OLD ENDPOINT: Agent-scoped, returns tools array (backward compatibility)
+      // ⚠️ LEGACY ENDPOINT: Agent-scoped, returns tools array (backward compatibility)
       url = `${this.config.apiUrl}/api/v1/bouncer/config?agent_did=${encodeURIComponent(agentDid)}`;
     }
 
@@ -712,9 +727,9 @@ export class ToolProtectionService {
 
     if (this.config.debug) {
       console.log("[ToolProtectionService] Fetching from API:", url, {
-        method: useNewEndpoint
-          ? "projects/{projectId}/tool-protections (new)"
-          : "config?agent_did (old)",
+        method: useMergedEndpoint
+          ? "projects/{projectId}/config (merged)"
+          : "config?agent_did (legacy)",
         projectId: this.config.projectId || "none",
         apiKeyPresent: !!this.config.apiKey,
         apiKeyLength,
@@ -736,19 +751,19 @@ export class ToolProtectionService {
       );
     }
 
-    // Build headers - new endpoint uses X-API-Key, old endpoint uses Authorization Bearer
+    // Build headers - merged endpoint uses X-API-Key, legacy uses Authorization Bearer
     const headers: Record<string, string> = {
       "Content-Type": "application/json",
     };
 
-    if (useNewEndpoint) {
-      // ✅ New endpoint headers
+    if (useMergedEndpoint) {
+      // ✅ Merged config endpoint headers
       headers["X-API-Key"] = this.config.apiKey;
       if (this.config.projectId) {
         headers["X-Project-Id"] = this.config.projectId;
       }
     } else {
-      // ⚠️ Old endpoint headers (backward compatibility)
+      // ⚠️ Legacy endpoint headers (backward compatibility)
       headers["Authorization"] = `Bearer ${this.config.apiKey}`;
     }
 
@@ -786,6 +801,19 @@ export class ToolProtectionService {
       throw new Error("API returned success: false");
     }
 
+    // Transform merged config format to normalized format
+    // If response contains config.toolProtection.tools, extract them to data.toolProtections
+    if (useMergedEndpoint && data.data.config?.toolProtection?.tools) {
+      // Extract embedded tools to the standard toolProtections field
+      data.data.toolProtections = data.data.config.toolProtection.tools;
+      if (this.config.debug) {
+        console.log("[ToolProtectionService] Extracted tools from merged config", {
+          toolCount: Object.keys(data.data.toolProtections).length,
+          tools: Object.keys(data.data.toolProtections),
+        });
+      }
+    }
+
     return data;
   }