@kya-os/mcp-i 0.1.0-alpha.2.3 → 0.1.0-alpha.2.4

package/dist/crypto.js

@@ -1,8 +1,4 @@
 "use strict";
-/**
- * Cryptographic utilities for MCP-I
- * Implements Ed25519 signing and verification for challenge-response authentication
- */
 var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
     if (k2 === undefined) k2 = k;
     var desc = Object.getOwnPropertyDescriptor(m, k);
@@ -41,57 +37,93 @@ exports.generateKeyPair = generateKeyPair;
 exports.sign = sign;
 exports.verify = verify;
 exports.generateNonce = generateNonce;
+exports.generateNonceSync = generateNonceSync;
 exports.constantTimeEqual = constantTimeEqual;
 exports.publicKeyToDid = publicKeyToDid;
-const ed25519 = __importStar(require("@noble/ed25519"));
-const crypto_1 = require("crypto");
-/**
- * Generate a new Ed25519 key pair
- */
+exports.encrypt = encrypt;
+exports.decrypt = decrypt;
+exports.clearCache = clearCache;
+let ed25519 = null;
+let cryptoModule = null;
+const signatureCache = new Map();
+const MAX_CACHE_SIZE = 100;
+async function loadEd25519() {
+    if (!ed25519) {
+        ed25519 = await Promise.resolve().then(() => __importStar(require('@noble/ed25519')));
+    }
+    return ed25519;
+}
+async function loadCrypto() {
+    if (!cryptoModule) {
+        cryptoModule = await Promise.resolve().then(() => __importStar(require('crypto')));
+    }
+    return cryptoModule;
+}
 async function generateKeyPair() {
-    const privateKey = ed25519.utils.randomPrivateKey();
-    const publicKey = await ed25519.getPublicKeyAsync(privateKey);
+    const ed = await loadEd25519();
+    const privateKeyBytes = ed.utils.randomPrivateKey();
+    const publicKeyBytes = await ed.getPublicKeyAsync(privateKeyBytes);
+    const publicKey = Buffer.from(publicKeyBytes).toString('base64');
+    const privateKey = Buffer.from(privateKeyBytes).toString('base64');
     return {
-        publicKey: Buffer.from(publicKey).toString('base64'),
-        privateKey: Buffer.from(privateKey).toString('base64')
+        publicKey,
+        privateKey,
+        publicKeyBytes,
+        privateKeyBytes
     };
 }
-/**
- * Sign a message with Ed25519
- */
 async function sign(message, privateKeyBase64) {
+    const messageStr = typeof message === 'string' ? message : message.toString('base64');
+    const cacheKey = `${privateKeyBase64}:${messageStr}`;
+    const cached = signatureCache.get(cacheKey);
+    if (cached) {
+        return cached;
+    }
+    const ed = await loadEd25519();
     const messageBuffer = typeof message === 'string'
         ? Buffer.from(message, 'utf-8')
         : message;
     const privateKey = Buffer.from(privateKeyBase64, 'base64');
-    const signature = await ed25519.signAsync(messageBuffer, privateKey);
-    return Buffer.from(signature).toString('base64');
+    const signature = await ed.signAsync(messageBuffer, privateKey);
+    const signatureBase64 = Buffer.from(signature).toString('base64');
+    if (signatureCache.size >= MAX_CACHE_SIZE) {
+        const firstKey = signatureCache.keys().next().value;
+        if (firstKey) {
+            signatureCache.delete(firstKey);
+        }
+    }
+    signatureCache.set(cacheKey, signatureBase64);
+    return signatureBase64;
 }
-/**
- * Verify an Ed25519 signature
- */
 async function verify(message, signatureBase64, publicKeyBase64) {
     try {
+        const ed = await loadEd25519();
         const messageBuffer = typeof message === 'string'
             ? Buffer.from(message, 'utf-8')
             : message;
         const signature = Buffer.from(signatureBase64, 'base64');
         const publicKey = Buffer.from(publicKeyBase64, 'base64');
-        return await ed25519.verifyAsync(signature, messageBuffer, publicKey);
+        return await ed.verifyAsync(signature, messageBuffer, publicKey);
     }
     catch {
         return false;
     }
 }
-/**
- * Generate a cryptographically secure nonce
- */
-function generateNonce(length = 32) {
-    return (0, crypto_1.randomBytes)(length).toString('hex');
+async function generateNonce(length = 32) {
+    const crypto = await loadCrypto();
+    return crypto.randomBytes(length).toString('hex');
+}
+function generateNonceSync(length = 32) {
+    if (typeof globalThis.crypto !== 'undefined' && globalThis.crypto.getRandomValues) {
+        const bytes = new Uint8Array(length);
+        globalThis.crypto.getRandomValues(bytes);
+        return Buffer.from(bytes).toString('hex');
+    }
+    else {
+        const crypto = require('crypto');
+        return crypto.randomBytes(length).toString('hex');
+    }
 }
-/**
- * Constant-time string comparison to prevent timing attacks
- */
 function constantTimeEqual(a, b) {
     if (a.length !== b.length) {
         return false;
@@ -102,16 +134,64 @@ function constantTimeEqual(a, b) {
     }
     return result === 0;
 }
-/**
- * Convert Ed25519 public key to did:key format
- */
 function publicKeyToDid(publicKeyBase64) {
     const publicKey = Buffer.from(publicKeyBase64, 'base64');
-    // Multicodec ed25519-pub header (0xed 0x01)
     const multicodec = Buffer.from([0xed, 0x01]);
     const multikey = Buffer.concat([multicodec, publicKey]);
-    // Base58 encode (simplified - in production use a proper base58 library)
-    // For now, just return a placeholder
     return `did:key:z${multikey.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '')}`;
 }
-//# sourceMappingURL=crypto.js.map
+async function encrypt(data, password) {
+    const encoder = new TextEncoder();
+    const salt = new Uint8Array(16);
+    globalThis.crypto.getRandomValues(salt);
+    const keyMaterial = await globalThis.crypto.subtle.importKey('raw', encoder.encode(password), 'PBKDF2', false, ['deriveKey']);
+    const key = await globalThis.crypto.subtle.deriveKey({
+        name: 'PBKDF2',
+        salt,
+        iterations: 100000,
+        hash: 'SHA-256'
+    }, keyMaterial, { name: 'AES-GCM', length: 256 }, false, ['encrypt']);
+    const iv = new Uint8Array(12);
+    globalThis.crypto.getRandomValues(iv);
+    const encrypted = await globalThis.crypto.subtle.encrypt({ name: 'AES-GCM', iv }, key, encoder.encode(data));
+    const combined = new Uint8Array(salt.length + iv.length + encrypted.byteLength);
+    combined.set(salt);
+    combined.set(iv, salt.length);
+    combined.set(new Uint8Array(encrypted), salt.length + iv.length);
+    return 'enc:' + Buffer.from(combined).toString('base64');
+}
+async function decrypt(encryptedData, password) {
+    let dataToDecrypt = encryptedData;
+    if (encryptedData.startsWith('enc:')) {
+        dataToDecrypt = encryptedData.slice(4);
+    }
+    if (!dataToDecrypt || dataToDecrypt.length < 44) {
+        return encryptedData;
+    }
+    const encoder = new TextEncoder();
+    const decoder = new TextDecoder();
+    try {
+        const combined = Buffer.from(dataToDecrypt, 'base64');
+        if (combined.length < 29) {
+            return encryptedData;
+        }
+        const salt = combined.slice(0, 16);
+        const iv = combined.slice(16, 28);
+        const encrypted = combined.slice(28);
+        const keyMaterial = await globalThis.crypto.subtle.importKey('raw', encoder.encode(password), 'PBKDF2', false, ['deriveKey']);
+        const key = await globalThis.crypto.subtle.deriveKey({
+            name: 'PBKDF2',
+            salt: new Uint8Array(salt),
+            iterations: 100000,
+            hash: 'SHA-256'
+        }, keyMaterial, { name: 'AES-GCM', length: 256 }, false, ['decrypt']);
+        const decrypted = await globalThis.crypto.subtle.decrypt({ name: 'AES-GCM', iv: new Uint8Array(iv) }, key, new Uint8Array(encrypted));
+        return decoder.decode(decrypted);
+    }
+    catch (error) {
+        throw new Error('Failed to decrypt data: invalid password or corrupted data');
+    }
+}
+function clearCache() {
+    signatureCache.clear();
+}

package/dist/dev-helper.d.ts

@@ -0,0 +1,3 @@
+import { MCPIdentity } from './index';
+export declare function initWithDevExperience(options?: any): Promise<MCPIdentity>;
+export declare function showAgentStatus(identity: MCPIdentity): void;

package/dist/dev-helper.js

@@ -0,0 +1,54 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.initWithDevExperience = initWithDevExperience;
+exports.showAgentStatus = showAgentStatus;
+const index_1 = require("./index");
+const logger_1 = require("./logger");
+async function initWithDevExperience(options = {}) {
+    const logger = (0, logger_1.getLogger)();
+    if (process.env.NODE_ENV === 'development' && !options.mode) {
+        options.mode = 'development';
+        logger.info('🔧 Development mode detected - agents will be created as drafts');
+    }
+    if (!options.name && !process.env.MCP_SERVER_NAME) {
+        try {
+            const pkg = require(process.cwd() + '/package.json');
+            options.name = pkg.name || 'Unnamed MCP Server';
+            options.description = pkg.description;
+            options.repository = pkg.repository?.url || pkg.repository;
+            logger.info(`📦 Auto-detected agent name: ${options.name}`);
+        }
+        catch {
+            options.name = 'Development MCP Server';
+        }
+    }
+    if (!options.storage) {
+        logger.info('💡 Tip: Use storage: "file" for persistent identity across restarts');
+    }
+    const identity = await index_1.MCPIdentity.init(options);
+    logger.info('✨ MCP Identity initialized successfully!');
+    logger.info(`🆔 DID: ${identity.did}`);
+    const { claimUrl } = await identity.requestEditAccess();
+    logger.info(`🔗 Claim your agent: ${claimUrl}`);
+    logger.info('💡 Your MCP server responses are now automatically signed with your agent identity');
+    return identity;
+}
+function showAgentStatus(identity) {
+    const logger = (0, logger_1.getLogger)();
+    const capabilities = identity.getCapabilities();
+    logger.info('📊 Agent Status:');
+    logger.info(`   DID: ${identity.did}`);
+    logger.info(`   Conformance Level: ${capabilities.conformanceLevel}`);
+    logger.info(`   Registry: ${capabilities.registry || 'knowthat.ai'}`);
+    logger.info(`   Handshake Supported: ${capabilities.handshakeSupported}`);
+    const directories = identity.getDirectories();
+    if (directories === 'none') {
+        logger.info('📋 Directories: Not listing on any directories');
+    }
+    else if (directories === 'verified') {
+        logger.info('📋 Directories: Listing on all verified directories');
+    }
+    else if (Array.isArray(directories)) {
+        logger.info(`📋 Directories: ${directories.join(', ')}`);
+    }
+}

package/dist/encrypted-storage.d.ts

@@ -0,0 +1,11 @@
+import { StorageProvider } from './storage';
+import { PersistedIdentity } from './types';
+export declare class EncryptedStorage implements StorageProvider {
+    private baseStorage;
+    private password;
+    constructor(baseStorage: StorageProvider, password: string);
+    load(): Promise<PersistedIdentity | null>;
+    save(identity: PersistedIdentity): Promise<void>;
+    exists(): Promise<boolean>;
+}
+export declare function createEncryptedStorage(baseStorage: StorageProvider, password: string): StorageProvider;

package/dist/encrypted-storage.js

@@ -0,0 +1,73 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.EncryptedStorage = void 0;
+exports.createEncryptedStorage = createEncryptedStorage;
+const crypto = __importStar(require("./crypto"));
+class EncryptedStorage {
+    constructor(baseStorage, password) {
+        this.baseStorage = baseStorage;
+        this.password = password;
+    }
+    async load() {
+        const identity = await this.baseStorage.load();
+        if (!identity) {
+            return null;
+        }
+        if (identity.privateKey.startsWith('enc:')) {
+            try {
+                identity.privateKey = await crypto.decrypt(identity.privateKey, this.password);
+            }
+            catch (error) {
+                throw new Error('Failed to decrypt stored identity - invalid password');
+            }
+        }
+        return identity;
+    }
+    async save(identity) {
+        const encryptedIdentity = { ...identity };
+        if (!encryptedIdentity.privateKey.startsWith('enc:')) {
+            encryptedIdentity.privateKey = await crypto.encrypt(encryptedIdentity.privateKey, this.password);
+        }
+        await this.baseStorage.save(encryptedIdentity);
+    }
+    async exists() {
+        return this.baseStorage.exists();
+    }
+}
+exports.EncryptedStorage = EncryptedStorage;
+function createEncryptedStorage(baseStorage, password) {
+    return new EncryptedStorage(baseStorage, password);
+}

package/dist/index.d.ts

@@ -1,29 +1,12 @@
-/**
- * @kya-os/mcp-i - Ultra-light MCP Identity auto-registration
- *
- * Enable any MCP server to get a verifiable identity with just 2 lines of code:
- *
- * ```typescript
- * import "@kya-os/mcp-i/auto";  // That's it! Your server now has identity
- * ```
- *
- * Or with configuration:
- * ```typescript
- * import { enableMCPIdentity } from "@kya-os/mcp-i";
- * await enableMCPIdentity({ name: "My Amazing Agent" });
- * ```
- *
- * Future multi-registry support:
- * ```typescript
- * await enableMCPIdentity({
- *   name: "My Agent",
- *   // Additional registries will be supported as directories adopt MCP-I
- * });
- * ```
- */
-import { MCPIdentityOptions, Challenge, ChallengeResponse, MCPICapabilities, SignedResponse, RegistryStatus, RegistryName } from './types';
+import { MCPIdentityOptions, Challenge, ChallengeResponse, MCPICapabilities, SignedResponse, MCPMiddleware, DirectoryPreference } from './types';
+import { KeyRotationResult, KeyHealth } from './rotation';
 export * from './types';
 export { RegistryFactory, REGISTRY_TIERS, resolveRegistries } from './registry';
+export { LoggerFactory, ConsoleLogger, SilentLogger } from './logger';
+export { StorageFactory, MemoryStorage, FileStorage } from './storage';
+export { TransportFactory, RuntimeDetector } from './transport';
+export { KeyRotationManager } from './rotation';
+export { initWithDevExperience, showAgentStatus } from './dev-helper';
 export declare class MCPIdentity {
     readonly did: string;
     readonly publicKey: string;
@@ -32,100 +15,40 @@ export declare class MCPIdentity {
     private enableNonceTracking;
     private usedNonces;
     private nonceCleanupInterval?;
-    readonly didHost: string;
-    private registries;
-    private registryAdapters;
+    private encryptionPassword?;
+    private decryptedPrivateKey?;
+    private directories;
+    private storage;
+    private transport;
+    private logger;
+    private rotationManager?;
+    private precomputed;
     private constructor();
-    /**
-     * Initialize MCP Identity - the main entry point
-     *
-     * IMPORTANT: This only makes API calls in these cases:
-     * 1. First time ever (no identity exists) - registers with all specified registries
-     * 2. Adding new registries to existing identity - only calls the new registries
-     *
-     * After initial registration, all subsequent calls load from disk with NO API calls.
-     */
     static init(options?: MCPIdentityOptions): Promise<MCPIdentity>;
-    /**
-     * Sync identity to additional registries
-     *
-     * RATE LIMITED: Each registry can only be synced once per minute to prevent spam.
-     * Skips registries that are already active.
-     */
-    syncToRegistries(registryNames: RegistryName[]): Promise<void>;
-    /**
-     * Add a new registry
-     */
-    addRegistry(registryName: RegistryName): Promise<void>;
-    /**
-     * Add multiple registries
-     */
-    addRegistries(registryNames: RegistryName[]): Promise<void>;
-    /**
-     * Get current registry status
-     */
-    getRegistryStatus(): RegistryStatus[];
-    /**
-     * Check if registered with a specific registry
-     */
-    isRegisteredWith(registryName: RegistryName): boolean;
-    /**
-     * Sign a message with the agent's private key using Ed25519
-     */
+    enableAutoRotation(policy?: {
+        maxAge?: number;
+        maxSignatures?: number;
+    }): Promise<void>;
+    rotateKeys(reason?: string): Promise<KeyRotationResult>;
+    checkKeyHealth(): KeyHealth | null;
+    private getPrivateKey;
     sign(message: string | Buffer): Promise<string>;
-    /**
-     * Verify a signature against a public key
-     */
+    requestEditAccess(): Promise<{
+        editUrl: string;
+        claimUrl?: string;
+    }>;
     verify(message: string | Buffer, signature: string, publicKey?: string): Promise<boolean>;
-    /**
-     * Respond to an MCP-I challenge
-     */
     respondToChallenge(challenge: Challenge): Promise<ChallengeResponse>;
-    /**
-     * Get MCP-I capabilities for advertisement
-     */
     getCapabilities(): MCPICapabilities;
-    /**
-     * Sign an MCP response with identity metadata
-     */
     signResponse<T = any>(response: T): Promise<SignedResponse<T>>;
-    /**
-     * Generate a new nonce for challenges
-     */
     static generateNonce(): string;
-    /**
-     * Request edit access to agent profile
-     * Returns a signed URL for editing the agent on the registry
-     */
-    requestEditAccess(registryName?: string): Promise<string>;
-    /**
-     * Clean up old nonces periodically to prevent memory leaks
-     */
+    getDirectories(): DirectoryPreference;
     private startNonceCleanup;
-    /**
-     * Clean up resources
-     */
     destroy(): void;
-    /**
-     * Helper to extract agent name from DID
-     */
     private extractAgentName;
-    /**
-     * Helper to extract agent ID
-     */
     private extractAgentId;
-    /**
-     * Helper to extract agent slug
-     */
     private extractAgentSlug;
-    /**
-     * Persist updated registry status
-     */
-    private persistRegistryStatus;
+    private persistIdentity;
 }
-/**
- * Enable MCP Identity for any MCP server
- * This is the main integration point that patches the MCP Server
- */
 export declare function enableMCPIdentity(options?: MCPIdentityOptions): Promise<MCPIdentity>;
-//# sourceMappingURL=index.d.ts.map
+export declare function createMCPMiddleware(identity: MCPIdentity): MCPMiddleware;