@kya-os/mcp-i-core 1.4.3 → 1.4.5
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.d.ts +3 -2
- package/dist/index.js +7 -2
- package/dist/services/oauth-service.d.ts +46 -1
- package/dist/services/oauth-service.js +74 -5
- package/package.json +2 -2
package/dist/index.d.ts
CHANGED
|
@@ -21,8 +21,8 @@ export { SessionRegistrationService, createSessionRegistrationService, } from ".
|
|
|
21
21
|
export type { SessionRegistrationServiceConfig, SessionRegistrationResult, } from "./services/session-registration.service";
|
|
22
22
|
export { OAuthConfigService } from "./services/oauth-config.service";
|
|
23
23
|
export type { OAuthConfigServiceConfig } from "./services/oauth-config.service";
|
|
24
|
-
export { OAuthService } from "./services/oauth-service";
|
|
25
|
-
export type { OAuthServiceConfig } from "./services/oauth-service";
|
|
24
|
+
export { OAuthService, defaultSecretResolver } from "./services/oauth-service";
|
|
25
|
+
export type { OAuthServiceConfig, SecretResolver } from "./services/oauth-service";
|
|
26
26
|
export { ToolContextBuilder } from "./services/tool-context-builder";
|
|
27
27
|
export type { ToolContextBuilderConfig } from "./services/tool-context-builder";
|
|
28
28
|
export { OAuthProviderRegistry } from "./services/oauth-provider-registry";
|
|
@@ -68,4 +68,5 @@ export type { UserDidStorage, UserDidManagerConfig, UserKeyPair, OAuthIdentity,
|
|
|
68
68
|
export { IdpTokenResolver } from "./identity/idp-token-resolver";
|
|
69
69
|
export type { IdpTokenResolverConfig } from "./identity/idp-token-resolver";
|
|
70
70
|
export type { IIdpTokenStorage, TokenUsageMetadata, IdpTokensWithMetadata, } from "./identity/idp-token-storage.interface";
|
|
71
|
+
export { logger, createDefaultConsoleLogger, type Logger, type Level, } from "./logging";
|
|
71
72
|
//# sourceMappingURL=index.d.ts.map
|
package/dist/index.js
CHANGED
|
@@ -20,8 +20,8 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
|
|
|
20
20
|
for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
|
|
21
21
|
};
|
|
22
22
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
23
|
-
exports.
|
|
24
|
-
exports.IdpTokenResolver = exports.UserDidManager = exports.fetchRemoteConfig = exports.bytesToBase64 = exports.base64urlDecodeToString = exports.base64urlDecodeToBytes = exports.base64urlEncodeFromString = exports.base64urlEncodeFromBytes = exports.parseVCJWT = exports.completeVCJWT = exports.createUnsignedVCJWT = exports.canonicalizeJSON = exports.getSchemaStats = exports.getCriticalSchemas = exports.getSchemaById = exports.getSchemasByCategory = exports.getAllSchemas = exports.SCHEMA_REGISTRY = exports.createSchemaVerifier = exports.SchemaVerifier = exports.isValidBase58 = exports.base58Decode = exports.base58Encode = exports.resolveDidKeySync = exports.publicKeyToJwk = exports.extractPublicKeyFromDidKey = exports.isEd25519DidKey = exports.createDidKeyResolver = exports.MemoryDelegationGraphStorage = exports.MemoryStatusListStorage = exports.createCascadingRevocationManager = exports.CascadingRevocationManager = exports.createDelegationGraph = exports.DelegationGraphManager = void 0;
|
|
23
|
+
exports.BitstringManager = exports.createStatusListManager = exports.StatusList2021Manager = exports.createDelegationVerifier = exports.DelegationCredentialVerifier = exports.createDelegationIssuer = exports.DelegationCredentialIssuer = exports.createDelegationErrorFormatter = exports.DelegationErrorFormatter = exports.OAuthRequiredError = exports.DelegationRequiredError = exports.NoOpToolProtectionCache = exports.InMemoryToolProtectionCache = exports.createProofVerificationError = exports.PROOF_VERIFICATION_ERROR_CODES = exports.ProofVerificationError = exports.migrateLegacyKeys = exports.StorageKeyHelpers = exports.createStorageProviders = exports.NoOpOAuthConfigCache = exports.InMemoryOAuthConfigCache = exports.BatchDelegationService = exports.OAuthTokenRetrievalService = exports.ProviderValidationError = exports.ProviderValidator = exports.CredentialAuthModeError = exports.ConsentOnlyModeError = exports.ProviderResolver = exports.OAuthProviderRegistry = exports.ToolContextBuilder = exports.defaultSecretResolver = exports.OAuthService = exports.OAuthConfigService = exports.createSessionRegistrationService = exports.SessionRegistrationService = exports.authorizationMatches = exports.AccessControlApiService = exports.ProofVerifier = exports.CryptoService = exports.ToolProtectionService = exports.MCPIRuntimeBase = exports.MemoryIdentityProvider = exports.MemoryNonceCacheProvider = exports.MemoryStorageProvider = exports.IdentityProvider = exports.NonceCacheProvider = exports.StorageProvider = exports.FetchProvider = exports.ClockProvider = exports.CryptoProvider = void 0;
|
|
24
|
+
exports.createDefaultConsoleLogger = exports.logger = exports.IdpTokenResolver = exports.UserDidManager = exports.fetchRemoteConfig = exports.bytesToBase64 = exports.base64urlDecodeToString = exports.base64urlDecodeToBytes = exports.base64urlEncodeFromString = exports.base64urlEncodeFromBytes = exports.parseVCJWT = exports.completeVCJWT = exports.createUnsignedVCJWT = exports.canonicalizeJSON = exports.getSchemaStats = exports.getCriticalSchemas = exports.getSchemaById = exports.getSchemasByCategory = exports.getAllSchemas = exports.SCHEMA_REGISTRY = exports.createSchemaVerifier = exports.SchemaVerifier = exports.isValidBase58 = exports.base58Decode = exports.base58Encode = exports.resolveDidKeySync = exports.publicKeyToJwk = exports.extractPublicKeyFromDidKey = exports.isEd25519DidKey = exports.createDidKeyResolver = exports.MemoryDelegationGraphStorage = exports.MemoryStatusListStorage = exports.createCascadingRevocationManager = exports.CascadingRevocationManager = exports.createDelegationGraph = exports.DelegationGraphManager = exports.isIndexSet = void 0;
|
|
25
25
|
// Base providers
|
|
26
26
|
var base_1 = require("./providers/base");
|
|
27
27
|
Object.defineProperty(exports, "CryptoProvider", { enumerable: true, get: function () { return base_1.CryptoProvider; } });
|
|
@@ -63,6 +63,7 @@ Object.defineProperty(exports, "OAuthConfigService", { enumerable: true, get: fu
|
|
|
63
63
|
// OAuth Service (Phase 1)
|
|
64
64
|
var oauth_service_1 = require("./services/oauth-service");
|
|
65
65
|
Object.defineProperty(exports, "OAuthService", { enumerable: true, get: function () { return oauth_service_1.OAuthService; } });
|
|
66
|
+
Object.defineProperty(exports, "defaultSecretResolver", { enumerable: true, get: function () { return oauth_service_1.defaultSecretResolver; } });
|
|
66
67
|
// Tool Context Builder (Phase 1)
|
|
67
68
|
var tool_context_builder_1 = require("./services/tool-context-builder");
|
|
68
69
|
Object.defineProperty(exports, "ToolContextBuilder", { enumerable: true, get: function () { return tool_context_builder_1.ToolContextBuilder; } });
|
|
@@ -181,4 +182,8 @@ Object.defineProperty(exports, "UserDidManager", { enumerable: true, get: functi
|
|
|
181
182
|
// IDP Token Resolver (Phase 1 - MH-7, updated for CRED-003)
|
|
182
183
|
var idp_token_resolver_1 = require("./identity/idp-token-resolver");
|
|
183
184
|
Object.defineProperty(exports, "IdpTokenResolver", { enumerable: true, get: function () { return idp_token_resolver_1.IdpTokenResolver; } });
|
|
185
|
+
// Logger (transport-aware logging)
|
|
186
|
+
var logging_1 = require("./logging");
|
|
187
|
+
Object.defineProperty(exports, "logger", { enumerable: true, get: function () { return logging_1.logger; } });
|
|
188
|
+
Object.defineProperty(exports, "createDefaultConsoleLogger", { enumerable: true, get: function () { return logging_1.createDefaultConsoleLogger; } });
|
|
184
189
|
//# sourceMappingURL=index.js.map
|
|
@@ -4,11 +4,39 @@
|
|
|
4
4
|
* Handles OAuth token exchange and refresh using PKCE (Proof Key for Code Exchange).
|
|
5
5
|
* Supports both direct PKCE exchange with OAuth providers and proxy mode via AgentShield.
|
|
6
6
|
*
|
|
7
|
+
* MCP-I Provider Registry Model:
|
|
8
|
+
* - Client secrets are NOT sent via the API response
|
|
9
|
+
* - Agents receive metadata.clientSecretName from AgentShield
|
|
10
|
+
* - Secrets are resolved at runtime from secure storage (Cloudflare Worker env)
|
|
11
|
+
* - The SecretResolver interface enables platform-specific secret resolution
|
|
12
|
+
*
|
|
7
13
|
* @package @kya-os/mcp-i-core
|
|
8
14
|
*/
|
|
9
15
|
import type { FetchProvider } from "../providers/base.js";
|
|
10
16
|
import type { OAuthConfigService } from "./oauth-config.service.js";
|
|
11
|
-
import type { IdpTokens } from "@kya-os/contracts/config";
|
|
17
|
+
import type { IdpTokens, OAuthProvider } from "@kya-os/contracts/config";
|
|
18
|
+
/**
|
|
19
|
+
* Secret Resolver Interface
|
|
20
|
+
*
|
|
21
|
+
* Platform-specific interface for resolving secrets from secure storage.
|
|
22
|
+
* Implementations:
|
|
23
|
+
* - Cloudflare Workers: Resolves from env bindings
|
|
24
|
+
* - Node.js: Resolves from process.env
|
|
25
|
+
* - Other platforms: Custom implementations
|
|
26
|
+
*/
|
|
27
|
+
export interface SecretResolver {
|
|
28
|
+
/**
|
|
29
|
+
* Resolve a secret by its name from secure storage
|
|
30
|
+
* @param secretName - The name/key of the secret (e.g., 'KYA_PROD_MYPROJ_GITHUB_CLIENT_SECRET')
|
|
31
|
+
* @returns The secret value, or undefined if not found
|
|
32
|
+
*/
|
|
33
|
+
resolveSecret(secretName: string): Promise<string | undefined>;
|
|
34
|
+
}
|
|
35
|
+
/**
|
|
36
|
+
* Default secret resolver that uses environment variables
|
|
37
|
+
* Used when no custom resolver is provided
|
|
38
|
+
*/
|
|
39
|
+
export declare const defaultSecretResolver: SecretResolver;
|
|
12
40
|
export interface OAuthServiceConfig {
|
|
13
41
|
/** OAuth config service for fetching provider configurations */
|
|
14
42
|
configService: OAuthConfigService;
|
|
@@ -22,6 +50,12 @@ export interface OAuthServiceConfig {
|
|
|
22
50
|
projectId: string;
|
|
23
51
|
/** Optional logger callback for diagnostics */
|
|
24
52
|
logger?: (message: string, data?: unknown) => void;
|
|
53
|
+
/**
|
|
54
|
+
* Optional secret resolver for MCP-I provider-registry model
|
|
55
|
+
* Used to resolve client secrets from secure storage
|
|
56
|
+
* Default: Uses environment variables (process.env)
|
|
57
|
+
*/
|
|
58
|
+
secretResolver?: SecretResolver;
|
|
25
59
|
}
|
|
26
60
|
/**
|
|
27
61
|
* Service for OAuth token exchange and refresh
|
|
@@ -29,6 +63,17 @@ export interface OAuthServiceConfig {
|
|
|
29
63
|
export declare class OAuthService {
|
|
30
64
|
private config;
|
|
31
65
|
constructor(config: OAuthServiceConfig);
|
|
66
|
+
/**
|
|
67
|
+
* Resolve client secret for a provider using the MCP-I provider-registry model
|
|
68
|
+
*
|
|
69
|
+
* Resolution order:
|
|
70
|
+
* 1. If metadata.clientSecretName exists, resolve from secure storage
|
|
71
|
+
* 2. Fall back to clientSecret field (legacy/backward compatibility)
|
|
72
|
+
*
|
|
73
|
+
* @param providerConfig - The OAuth provider configuration
|
|
74
|
+
* @returns The resolved client secret, or undefined if not available
|
|
75
|
+
*/
|
|
76
|
+
resolveClientSecret(providerConfig: OAuthProvider): Promise<string | undefined>;
|
|
32
77
|
/**
|
|
33
78
|
* Exchange authorization code for IDP tokens using PKCE
|
|
34
79
|
*
|
|
@@ -5,10 +5,29 @@
|
|
|
5
5
|
* Handles OAuth token exchange and refresh using PKCE (Proof Key for Code Exchange).
|
|
6
6
|
* Supports both direct PKCE exchange with OAuth providers and proxy mode via AgentShield.
|
|
7
7
|
*
|
|
8
|
+
* MCP-I Provider Registry Model:
|
|
9
|
+
* - Client secrets are NOT sent via the API response
|
|
10
|
+
* - Agents receive metadata.clientSecretName from AgentShield
|
|
11
|
+
* - Secrets are resolved at runtime from secure storage (Cloudflare Worker env)
|
|
12
|
+
* - The SecretResolver interface enables platform-specific secret resolution
|
|
13
|
+
*
|
|
8
14
|
* @package @kya-os/mcp-i-core
|
|
9
15
|
*/
|
|
10
16
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
11
|
-
exports.OAuthService = void 0;
|
|
17
|
+
exports.OAuthService = exports.defaultSecretResolver = void 0;
|
|
18
|
+
/**
|
|
19
|
+
* Default secret resolver that uses environment variables
|
|
20
|
+
* Used when no custom resolver is provided
|
|
21
|
+
*/
|
|
22
|
+
exports.defaultSecretResolver = {
|
|
23
|
+
async resolveSecret(secretName) {
|
|
24
|
+
// For Node.js environments, check process.env
|
|
25
|
+
if (typeof process !== "undefined" && process.env) {
|
|
26
|
+
return process.env[secretName];
|
|
27
|
+
}
|
|
28
|
+
return undefined;
|
|
29
|
+
},
|
|
30
|
+
};
|
|
12
31
|
/**
|
|
13
32
|
* Service for OAuth token exchange and refresh
|
|
14
33
|
*/
|
|
@@ -22,8 +41,55 @@ class OAuthService {
|
|
|
22
41
|
agentShieldApiKey: config.agentShieldApiKey,
|
|
23
42
|
projectId: config.projectId,
|
|
24
43
|
logger: config.logger || (() => { }),
|
|
44
|
+
secretResolver: config.secretResolver || exports.defaultSecretResolver,
|
|
25
45
|
};
|
|
26
46
|
}
|
|
47
|
+
/**
|
|
48
|
+
* Resolve client secret for a provider using the MCP-I provider-registry model
|
|
49
|
+
*
|
|
50
|
+
* Resolution order:
|
|
51
|
+
* 1. If metadata.clientSecretName exists, resolve from secure storage
|
|
52
|
+
* 2. Fall back to clientSecret field (legacy/backward compatibility)
|
|
53
|
+
*
|
|
54
|
+
* @param providerConfig - The OAuth provider configuration
|
|
55
|
+
* @returns The resolved client secret, or undefined if not available
|
|
56
|
+
*/
|
|
57
|
+
async resolveClientSecret(providerConfig) {
|
|
58
|
+
// MCP-I Provider Registry model: resolve secret by name
|
|
59
|
+
if (providerConfig.metadata?.clientSecretName) {
|
|
60
|
+
const secretName = providerConfig.metadata.clientSecretName;
|
|
61
|
+
this.config.logger("[OAuthService] Resolving client secret by name", {
|
|
62
|
+
secretName,
|
|
63
|
+
version: providerConfig.metadata.clientSecretVersion,
|
|
64
|
+
});
|
|
65
|
+
const secret = await this.config.secretResolver.resolveSecret(secretName);
|
|
66
|
+
if (secret) {
|
|
67
|
+
this.config.logger("[OAuthService] Client secret resolved successfully", {
|
|
68
|
+
secretName,
|
|
69
|
+
});
|
|
70
|
+
return secret;
|
|
71
|
+
}
|
|
72
|
+
this.config.logger("[OAuthService] Client secret not found in secure storage", {
|
|
73
|
+
secretName,
|
|
74
|
+
});
|
|
75
|
+
// Fall through to try clientSecret field
|
|
76
|
+
}
|
|
77
|
+
// Legacy model: use clientSecret directly (if provided)
|
|
78
|
+
// DEPRECATED: This path is for backward compatibility only
|
|
79
|
+
// New deployments should use metadata.clientSecretName with secure storage
|
|
80
|
+
if (providerConfig.clientSecret) {
|
|
81
|
+
this.config.logger("[OAuthService] DEPRECATED: Using legacy clientSecret field - " +
|
|
82
|
+
"migrate to metadata.clientSecretName for better security", {
|
|
83
|
+
telemetry: {
|
|
84
|
+
event: "oauth.deprecated_client_secret_used",
|
|
85
|
+
hasMetadata: !!providerConfig.metadata,
|
|
86
|
+
hasSecretName: !!providerConfig.metadata?.clientSecretName,
|
|
87
|
+
},
|
|
88
|
+
});
|
|
89
|
+
return providerConfig.clientSecret;
|
|
90
|
+
}
|
|
91
|
+
return undefined;
|
|
92
|
+
}
|
|
27
93
|
/**
|
|
28
94
|
* Exchange authorization code for IDP tokens using PKCE
|
|
29
95
|
*
|
|
@@ -60,10 +126,13 @@ class OAuthService {
|
|
|
60
126
|
* Exchange token directly with OAuth provider using PKCE
|
|
61
127
|
*/
|
|
62
128
|
async exchangeTokenPKCE(providerConfig, code, codeVerifier, redirectUri) {
|
|
129
|
+
// Resolve client secret using MCP-I provider-registry model
|
|
130
|
+
const clientSecret = await this.resolveClientSecret(providerConfig);
|
|
63
131
|
this.config.logger("[OAuthService] Exchanging token with PKCE", {
|
|
64
132
|
provider: providerConfig.authorizationUrl,
|
|
65
133
|
tokenUrl: providerConfig.tokenUrl,
|
|
66
|
-
hasClientSecret: !!
|
|
134
|
+
hasClientSecret: !!clientSecret,
|
|
135
|
+
resolvedViaSecretName: !!providerConfig.metadata?.clientSecretName,
|
|
67
136
|
});
|
|
68
137
|
// Build token exchange parameters
|
|
69
138
|
// Note: GitHub OAuth Apps require client_secret even with PKCE
|
|
@@ -75,10 +144,10 @@ class OAuthService {
|
|
|
75
144
|
client_id: providerConfig.clientId,
|
|
76
145
|
code_verifier: codeVerifier,
|
|
77
146
|
};
|
|
78
|
-
// Include client_secret if
|
|
147
|
+
// Include client_secret if resolved (either from secure storage or legacy field)
|
|
79
148
|
// This is required for GitHub OAuth Apps and other providers that need it
|
|
80
|
-
if (
|
|
81
|
-
params.client_secret =
|
|
149
|
+
if (clientSecret) {
|
|
150
|
+
params.client_secret = clientSecret;
|
|
82
151
|
}
|
|
83
152
|
const response = await this.config.fetchProvider.fetch(providerConfig.tokenUrl, {
|
|
84
153
|
method: "POST",
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@kya-os/mcp-i-core",
|
|
3
|
-
"version": "1.4.
|
|
3
|
+
"version": "1.4.5",
|
|
4
4
|
"description": "Core runtime and types for MCP-I framework",
|
|
5
5
|
"main": "dist/index.js",
|
|
6
6
|
"types": "dist/index.d.ts",
|
|
@@ -28,7 +28,7 @@
|
|
|
28
28
|
"prepublishOnly": "npm run build && node ../create-mcpi-app/scripts/validate-no-workspace.js"
|
|
29
29
|
},
|
|
30
30
|
"dependencies": {
|
|
31
|
-
"@kya-os/contracts": "^1.7.
|
|
31
|
+
"@kya-os/contracts": "^1.7.8",
|
|
32
32
|
"jose": "^5.6.3",
|
|
33
33
|
"json-canonicalize": "^2.0.0",
|
|
34
34
|
"zod": "^3.25.76"
|