@kya-os/mcp-i 0.1.0 → 1.2.1

package/dist/runtime/adapter-nextjs.js.LICENSE.txt

@@ -0,0 +1,53 @@
+/*!
+ * bytes
+ * Copyright(c) 2012-2014 TJ Holowaychuk
+ * Copyright(c) 2015 Jed Watson
+ * MIT Licensed
+ */
+
+/*!
+ * content-type
+ * Copyright(c) 2015 Douglas Christopher Wilson
+ * MIT Licensed
+ */
+
+/*!
+ * depd
+ * Copyright(c) 2014-2018 Douglas Christopher Wilson
+ * MIT Licensed
+ */
+
+/*!
+ * http-errors
+ * Copyright(c) 2014 Jonathan Ong
+ * Copyright(c) 2016 Douglas Christopher Wilson
+ * MIT Licensed
+ */
+
+/*!
+ * raw-body
+ * Copyright(c) 2013-2014 Jonathan Ong
+ * Copyright(c) 2014-2022 Douglas Christopher Wilson
+ * MIT Licensed
+ */
+
+/*!
+ * statuses
+ * Copyright(c) 2014 Jonathan Ong
+ * Copyright(c) 2016 Douglas Christopher Wilson
+ * MIT Licensed
+ */
+
+/*!
+ * toidentifier
+ * Copyright(c) 2016 Douglas Christopher Wilson
+ * MIT Licensed
+ */
+
+/*!
+ * unpipe
+ * Copyright(c) 2015 Douglas Christopher Wilson
+ * MIT Licensed
+ */
+
+/** @license URI.js v4.4.1 (c) 2011 Gary Court. License: http://github.com/garycourt/uri-js */

package/dist/runtime/adapters/express/index.d.ts

@@ -0,0 +1,2 @@
+import { Request, Response } from "express";
+export declare function xmcpHandler(req: Request, res: Response): Promise<unknown>;

package/dist/runtime/adapters/express/index.js

@@ -0,0 +1,48 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.xmcpHandler = xmcpHandler;
+const server_1 = require("../../utils/server");
+const stateless_streamable_http_1 = require("../../transports/http/stateless-streamable-http");
+const setup_cors_1 = require("../../transports/http/setup-cors");
+const http_context_1 = require("../../transports/http/http-context");
+const node_crypto_1 = require("node:crypto");
+// HTTP config injected by compiler
+// @ts-expect-error: injected by compiler
+const httpConfig = HTTP_CONFIG;
+// CORS config injected by compiler
+// @ts-expect-error: injected by compiler
+const corsConfig = HTTP_CORS_CONFIG;
+async function xmcpHandler(req, res) {
+    return new Promise((resolve) => {
+        const id = (0, node_crypto_1.randomUUID)();
+        (0, http_context_1.httpContextProvider)({ id, headers: req.headers }, async () => {
+            try {
+                (0, setup_cors_1.setResponseCorsHeaders)(corsConfig, res);
+                const server = await (0, server_1.createServer)();
+                const transport = new stateless_streamable_http_1.StatelessHttpServerTransport(httpConfig.debug, httpConfig.bodySizeLimit || "10mb");
+                // cleanup when request/connection closes
+                res.on("close", () => {
+                    transport.close();
+                    server.close();
+                });
+                await server.connect(transport);
+                await transport.handleRequest(req, res, req.body).then(() => {
+                    resolve(res);
+                });
+            }
+            catch (error) {
+                console.error("[HTTP-server] Error handling MCP request:", error);
+                if (!res.headersSent) {
+                    res.status(500).json({
+                        jsonrpc: "2.0",
+                        error: {
+                            code: -32603,
+                            message: "Internal server error",
+                        },
+                        id: null,
+                    });
+                }
+            }
+        });
+    });
+}

package/dist/runtime/adapters/nextjs/index.d.ts

@@ -0,0 +1,8 @@
+import { experimental_withMcpAuth as withMcpAuth } from "@vercel/mcp-adapter";
+export declare function xmcpHandler(request: Request): Promise<Response>;
+export type VerifyToken = Parameters<typeof withMcpAuth>[1];
+export type Options = Parameters<typeof withMcpAuth>[2];
+export type AuthConfig = Options & {
+    verifyToken: VerifyToken;
+};
+export declare function withAuth(handler: (request: Request) => Promise<Response>, config: AuthConfig): (request: Request) => Promise<Response>;

package/dist/runtime/adapters/nextjs/index.js

@@ -0,0 +1,18 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.xmcpHandler = xmcpHandler;
+exports.withAuth = withAuth;
+const mcp_adapter_1 = require("@vercel/mcp-adapter");
+const server_1 = require("../../utils/server");
+async function xmcpHandler(request) {
+    const [toolPromises, toolModules] = (0, server_1.loadTools)();
+    await Promise.all(toolPromises);
+    const requestHandler = (0, mcp_adapter_1.createMcpHandler)((server) => {
+        (0, server_1.configureServer)(server, toolModules);
+    }, server_1.INJECTED_CONFIG);
+    return requestHandler(request);
+}
+function withAuth(handler, config) {
+    const { verifyToken, ...options } = config;
+    return (0, mcp_adapter_1.experimental_withMcpAuth)(handler, verifyToken, options);
+}

package/dist/runtime/audit.d.ts

@@ -0,0 +1,93 @@
+/**
+ * Audit Logging System for XMCP-I Runtime
+ *
+ * Handles audit record generation and logging with frozen format
+ * according to requirements 5.4, 5.5.
+ */
+import { AuditRecord } from "@kya-os/contracts/proof";
+import { SessionContext } from "@kya-os/contracts/handshake";
+import { AgentIdentity } from "./identity";
+/**
+ * Audit logging configuration
+ */
+export interface AuditConfig {
+    enabled?: boolean;
+    logFunction?: (record: string) => void;
+    includePayloads?: boolean;
+}
+/**
+ * Audit context for logging
+ */
+export interface AuditContext {
+    identity: AgentIdentity;
+    session: SessionContext;
+    requestHash: string;
+    responseHash: string;
+    verified: "yes" | "no";
+    scopeId?: string;
+}
+/**
+ * Audit logger class
+ */
+export declare class AuditLogger {
+    private config;
+    private sessionAuditLog;
+    constructor(config?: AuditConfig);
+    /**
+     * Emit audit record on first call per session
+     * Requirements: 5.4, 5.5
+     */
+    logAuditRecord(context: AuditContext): Promise<void>;
+    /**
+     * Format audit record as frozen audit line
+     * Format: audit.v1 ts=<unix> session=<id> audience=<host> did=<did> kid=<kid> reqHash=<sha256:..> resHash=<sha256:..> verified=yes|no scope=<scopeId|->
+     */
+    private formatAuditLine;
+    /**
+     * Clear session audit log (useful for testing)
+     */
+    clearSessionLog(): void;
+    /**
+     * Get audit statistics
+     */
+    getStats(): {
+        enabled: boolean;
+        sessionsLogged: number;
+        includePayloads: boolean;
+    };
+    /**
+     * Update configuration
+     */
+    updateConfig(config: Partial<AuditConfig>): void;
+}
+/**
+ * Key rotation audit logging
+ */
+export interface KeyRotationAuditContext {
+    identity: AgentIdentity;
+    oldKeyId: string;
+    newKeyId: string;
+    mode: "dev" | "prod";
+    delegated: "yes" | "no";
+    force: "yes" | "no";
+}
+/**
+ * Log key rotation audit record
+ * Format: keys.rotate.v1 ts=<unix> did=<did> oldKid=<kid> newKid=<kid> mode=dev|prod delegated=yes|no force=yes|no
+ */
+export declare function logKeyRotationAudit(context: KeyRotationAuditContext, logFunction?: (record: string) => void): void;
+/**
+ * Default audit logger instance
+ */
+export declare const defaultAuditLogger: AuditLogger;
+/**
+ * Utility functions
+ */
+/**
+ * Parse audit line back to record (for testing/analysis)
+ */
+export declare function parseAuditLine(line: string): AuditRecord | null;
+/**
+ * Validate audit record format
+ */
+export declare function validateAuditRecord(record: any): record is AuditRecord;

package/dist/runtime/audit.js

@@ -0,0 +1,212 @@
+"use strict";
+/**
+ * Audit Logging System for XMCP-I Runtime
+ *
+ * Handles audit record generation and logging with frozen format
+ * according to requirements 5.4, 5.5.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.defaultAuditLogger = exports.AuditLogger = void 0;
+exports.logKeyRotationAudit = logKeyRotationAudit;
+exports.parseAuditLine = parseAuditLine;
+exports.validateAuditRecord = validateAuditRecord;
+/**
+ * Audit logger class
+ */
+class AuditLogger {
+    config;
+    sessionAuditLog = new Set(); // Track first call per session
+    constructor(config = {}) {
+        this.config = {
+            enabled: true,
+            logFunction: console.log,
+            includePayloads: false, // Keep identity/proof data out by default
+            ...config,
+        };
+    }
+    /**
+     * Emit audit record on first call per session
+     * Requirements: 5.4, 5.5
+     */
+    async logAuditRecord(context) {
+        if (!this.config.enabled) {
+            return;
+        }
+        // Check if this is the first call for this session
+        const sessionKey = `${context.session.sessionId}:${context.session.audience}`;
+        if (this.sessionAuditLog.has(sessionKey)) {
+            return; // Already logged for this session
+        }
+        // Mark session as logged
+        this.sessionAuditLog.add(sessionKey);
+        // Create audit record
+        const auditRecord = {
+            version: "audit.v1",
+            ts: Math.floor(Date.now() / 1000),
+            session: context.session.sessionId,
+            audience: context.session.audience,
+            did: context.identity.did,
+            kid: context.identity.keyId,
+            reqHash: context.requestHash,
+            resHash: context.responseHash,
+            verified: context.verified,
+            scope: context.scopeId || "-", // Use "-" for no scope
+        };
+        // Format as frozen audit line
+        const auditLine = this.formatAuditLine(auditRecord);
+        // Emit audit record
+        this.config.logFunction(auditLine);
+    }
+    /**
+     * Format audit record as frozen audit line
+     * Format: audit.v1 ts=<unix> session=<id> audience=<host> did=<did> kid=<kid> reqHash=<sha256:..> resHash=<sha256:..> verified=yes|no scope=<scopeId|->
+     */
+    formatAuditLine(record) {
+        const fields = [
+            `${record.version}`,
+            `ts=${record.ts}`,
+            `session=${record.session}`,
+            `audience=${record.audience}`,
+            `did=${record.did}`,
+            `kid=${record.kid}`,
+            `reqHash=${record.reqHash}`,
+            `resHash=${record.resHash}`,
+            `verified=${record.verified}`,
+            `scope=${record.scope}`,
+        ];
+        return fields.join(" ");
+    }
+    /**
+     * Clear session audit log (useful for testing)
+     */
+    clearSessionLog() {
+        this.sessionAuditLog.clear();
+    }
+    /**
+     * Get audit statistics
+     */
+    getStats() {
+        return {
+            enabled: this.config.enabled,
+            sessionsLogged: this.sessionAuditLog.size,
+            includePayloads: this.config.includePayloads,
+        };
+    }
+    /**
+     * Update configuration
+     */
+    updateConfig(config) {
+        this.config = { ...this.config, ...config };
+    }
+}
+exports.AuditLogger = AuditLogger;
+/**
+ * Log key rotation audit record
+ * Format: keys.rotate.v1 ts=<unix> did=<did> oldKid=<kid> newKid=<kid> mode=dev|prod delegated=yes|no force=yes|no
+ */
+function logKeyRotationAudit(context, logFunction = console.log) {
+    const fields = [
+        "keys.rotate.v1",
+        `ts=${Math.floor(Date.now() / 1000)}`,
+        `did=${context.identity.did}`,
+        `oldKid=${context.oldKeyId}`,
+        `newKid=${context.newKeyId}`,
+        `mode=${context.mode}`,
+        `delegated=${context.delegated}`,
+        `force=${context.force}`,
+    ];
+    const auditLine = fields.join(" ");
+    logFunction(auditLine);
+}
+/**
+ * Default audit logger instance
+ */
+exports.defaultAuditLogger = new AuditLogger();
+/**
+ * Utility functions
+ */
+/**
+ * Parse audit line back to record (for testing/analysis)
+ */
+function parseAuditLine(line) {
+    try {
+        const parts = line.split(" ");
+        if (parts.length < 10 || !parts[0].startsWith("audit.v")) {
+            return null;
+        }
+        const record = {
+            version: parts[0],
+        };
+        // Parse key=value pairs
+        for (let i = 1; i < parts.length; i++) {
+            const [key, value] = parts[i].split("=", 2);
+            if (!key || value === undefined)
+                continue;
+            switch (key) {
+                case "ts":
+                    record.ts = parseInt(value, 10);
+                    break;
+                case "session":
+                    record.session = value;
+                    break;
+                case "audience":
+                    record.audience = value;
+                    break;
+                case "did":
+                    record.did = value;
+                    break;
+                case "kid":
+                    record.kid = value;
+                    break;
+                case "reqHash":
+                    record.reqHash = value;
+                    break;
+                case "resHash":
+                    record.resHash = value;
+                    break;
+                case "verified":
+                    record.verified = value;
+                    break;
+                case "scope":
+                    record.scope = value;
+                    break;
+            }
+        }
+        // Validate required fields
+        if (record.version &&
+            record.ts &&
+            record.session &&
+            record.audience &&
+            record.did &&
+            record.kid &&
+            record.reqHash &&
+            record.resHash &&
+            record.verified &&
+            record.scope !== undefined) {
+            return record;
+        }
+        return null;
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Validate audit record format
+ */
+function validateAuditRecord(record) {
+    return (typeof record === "object" &&
+        record !== null &&
+        record.version === "audit.v1" &&
+        typeof record.ts === "number" &&
+        typeof record.session === "string" &&
+        typeof record.audience === "string" &&
+        typeof record.did === "string" &&
+        typeof record.kid === "string" &&
+        typeof record.reqHash === "string" &&
+        record.reqHash.startsWith("sha256:") &&
+        typeof record.resHash === "string" &&
+        record.resHash.startsWith("sha256:") &&
+        (record.verified === "yes" || record.verified === "no") &&
+        typeof record.scope === "string");
+}

package/dist/runtime/debug.d.ts

@@ -0,0 +1,118 @@
+/**
+ * XMCP-I Debug Tools - Development-only debug endpoints
+ *
+ * Provides /verify endpoint for proof inspection and debugging
+ * in development environments only.
+ */
+import { AgentIdentity } from "./identity";
+import { SessionContext } from "@kya-os/contracts/handshake";
+import { DetachedProof, ProofMeta } from "@kya-os/contracts/proof";
+import { DIDDocument, AgentDocument } from "./well-known";
+/**
+ * Debug verification result
+ */
+export interface DebugVerificationResult {
+    success: boolean;
+    signature: {
+        valid: boolean;
+        algorithm: string;
+        keyId: string;
+    };
+    proof: {
+        valid: boolean;
+        timestamp: {
+            valid: boolean;
+            skew: number;
+            remediation?: string;
+        };
+        hashes: {
+            requestValid: boolean;
+            responseValid: boolean;
+        };
+    };
+    session: {
+        valid: boolean;
+        expired: boolean;
+        ttl: number;
+    };
+    errors?: string[];
+}
+/**
+ * Debug page data structure
+ */
+export interface DebugPageData {
+    identity: {
+        did: string;
+        keyId: string;
+        didDocumentUrl: string;
+    };
+    registry: {
+        ktaUrl: string;
+        mcpMirrorStatus: "pending" | "success" | "error" | "unknown";
+        mcpMirrorUrl?: string;
+    };
+    capabilities: {
+        protocol: string[];
+        identity: string[];
+        source: "well-known" | "handshake";
+    };
+    proof?: {
+        jws: string;
+        meta: ProofMeta;
+        canonicalHashes: {
+            requestHash: string;
+            responseHash: string;
+        };
+    };
+    verification?: DebugVerificationResult;
+    logRoot?: string;
+    timestamp: number;
+    environment: "development" | "production";
+}
+/**
+ * Debug endpoint manager
+ */
+export declare class DebugManager {
+    private identity;
+    private environment;
+    private lastProof?;
+    private lastSession?;
+    private logRoot?;
+    constructor(identity: AgentIdentity, environment?: "development" | "production");
+    /**
+     * Update debug state with latest proof and session
+     */
+    updateDebugState(proof: DetachedProof, session: SessionContext): void;
+    /**
+     * Set log root for receipt verification
+     */
+    setLogRoot(logRoot: string): void;
+    /**
+     * Generate debug page data
+     */
+    generateDebugPageData(_didDocument?: DIDDocument, agentDocument?: AgentDocument, logRoot?: string): Promise<DebugPageData>;
+    /**
+     * Create debug endpoint handler
+     */
+    createDebugHandler(): (_request: any) => Promise<Response>;
+    /**
+     * Perform local verification of proof
+     */
+    private performLocalVerification;
+    /**
+     * Generate DID document URL
+     */
+    private generateDIDDocumentUrl;
+    /**
+     * Generate KTA URL
+     */
+    private generateKTAUrl;
+    /**
+     * Generate debug HTML page
+     */
+    private generateDebugHTML;
+}
+/**
+ * Create debug endpoint handler for development
+ */
+export declare function createDebugEndpoint(identity: AgentIdentity, environment?: "development" | "production"): DebugManager;