@kya-os/mcp-i 1.2.10 → 1.2.11

package/dist/cache/cloudflare-kv.d.ts

@@ -0,0 +1,90 @@
+/**
+ * Cloudflare KV-based nonce cache implementation for Workers
+ *
+ * This cache prevents replay attacks by tracking used nonces in Cloudflare KV.
+ * Each nonce is stored with a TTL matching the session timeout.
+ */
+import type { NonceCache } from "@kya-os/contracts/handshake";
+/**
+ * Cloudflare KV namespace interface
+ */
+export interface KVNamespace {
+    get(key: string, options?: {
+        type?: "text" | "json" | "arrayBuffer" | "stream";
+    }): Promise<any>;
+    put(key: string, value: string | ArrayBuffer | ReadableStream, options?: {
+        expiration?: number;
+        expirationTtl?: number;
+    }): Promise<void>;
+    delete(key: string): Promise<void>;
+}
+/**
+ * Configuration for Cloudflare KV nonce cache
+ */
+export interface CloudflareKVNonceCacheConfig {
+    /**
+     * KV namespace binding from Worker environment
+     */
+    namespace: KVNamespace;
+    /**
+     * TTL for nonce entries in seconds
+     * Should match or exceed session timeout
+     * @default 1800 (30 minutes)
+     */
+    ttl?: number;
+    /**
+     * Key prefix for nonce entries
+     * @default "nonce:"
+     */
+    keyPrefix?: string;
+}
+/**
+ * Cloudflare KV nonce cache for Workers
+ *
+ * Usage in Worker:
+ * ```typescript
+ * export interface Env {
+ *   NONCE_CACHE: KVNamespace;
+ * }
+ *
+ * export default {
+ *   async fetch(request: Request, env: Env): Promise<Response> {
+ *     const nonceCache = new CloudflareKVNonceCache({
+ *       namespace: env.NONCE_CACHE,
+ *       ttl: 1800, // 30 minutes
+ *     });
+ *
+ *     // Use with verifier or MCP-I runtime
+ *     const runtime = new MCPIRuntime({
+ *       nonce: { cache: nonceCache }
+ *     });
+ *   }
+ * }
+ * ```
+ */
+export declare class CloudflareKVNonceCache implements NonceCache {
+    private kv;
+    private ttl;
+    private keyPrefix;
+    constructor(config: CloudflareKVNonceCacheConfig);
+    /**
+     * Check if a nonce exists in the cache
+     *
+     * @param nonce - The nonce to check
+     * @returns Promise<boolean> - true if exists, false if not
+     */
+    has(nonce: string): Promise<boolean>;
+    /**
+     * Add a nonce to the cache with TTL
+     * Implements atomic add-if-absent semantics for replay prevention
+     *
+     * @param nonce - The nonce to add
+     * @param ttl - Time-to-live in seconds
+     */
+    add(nonce: string, ttl: number): Promise<void>;
+    /**
+     * Cleanup expired nonces
+     * Note: Cloudflare KV handles expiration automatically via TTL
+     */
+    cleanup(): Promise<void>;
+}

package/dist/cache/cloudflare-kv.js

@@ -0,0 +1,98 @@
+"use strict";
+/**
+ * Cloudflare KV-based nonce cache implementation for Workers
+ *
+ * This cache prevents replay attacks by tracking used nonces in Cloudflare KV.
+ * Each nonce is stored with a TTL matching the session timeout.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CloudflareKVNonceCache = void 0;
+/**
+ * Cloudflare KV nonce cache for Workers
+ *
+ * Usage in Worker:
+ * ```typescript
+ * export interface Env {
+ *   NONCE_CACHE: KVNamespace;
+ * }
+ *
+ * export default {
+ *   async fetch(request: Request, env: Env): Promise<Response> {
+ *     const nonceCache = new CloudflareKVNonceCache({
+ *       namespace: env.NONCE_CACHE,
+ *       ttl: 1800, // 30 minutes
+ *     });
+ *
+ *     // Use with verifier or MCP-I runtime
+ *     const runtime = new MCPIRuntime({
+ *       nonce: { cache: nonceCache }
+ *     });
+ *   }
+ * }
+ * ```
+ */
+class CloudflareKVNonceCache {
+    kv;
+    ttl;
+    keyPrefix;
+    constructor(config) {
+        this.kv = config.namespace;
+        this.ttl = config.ttl ?? 1800; // 30 minutes default
+        this.keyPrefix = config.keyPrefix ?? "nonce:";
+    }
+    /**
+     * Check if a nonce exists in the cache
+     *
+     * @param nonce - The nonce to check
+     * @returns Promise<boolean> - true if exists, false if not
+     */
+    async has(nonce) {
+        const key = this.keyPrefix + nonce;
+        try {
+            const existing = await this.kv.get(key, { type: "text" });
+            return existing !== null;
+        }
+        catch (error) {
+            console.error("CloudflareKVNonceCache.has error:", error);
+            // On error, assume nonce exists (fail closed for security)
+            return true;
+        }
+    }
+    /**
+     * Add a nonce to the cache with TTL
+     * Implements atomic add-if-absent semantics for replay prevention
+     *
+     * @param nonce - The nonce to add
+     * @param ttl - Time-to-live in seconds
+     */
+    async add(nonce, ttl) {
+        const key = this.keyPrefix + nonce;
+        try {
+            // Check if nonce already exists
+            const existing = await this.kv.get(key, { type: "text" });
+            if (existing !== null) {
+                throw new Error(`Nonce ${nonce} already exists (replay attack detected)`);
+            }
+            // Add nonce with TTL
+            await this.kv.put(key, new Date().toISOString(), {
+                expirationTtl: ttl,
+            });
+        }
+        catch (error) {
+            if (error instanceof Error && error.message.includes("already exists")) {
+                throw error;
+            }
+            console.error("CloudflareKVNonceCache.add error:", error);
+            throw new Error("Failed to add nonce to cache");
+        }
+    }
+    /**
+     * Cleanup expired nonces
+     * Note: Cloudflare KV handles expiration automatically via TTL
+     */
+    async cleanup() {
+        // KV automatically expires entries based on TTL
+        // No manual cleanup needed
+    }
+}
+exports.CloudflareKVNonceCache = CloudflareKVNonceCache;

package/dist/cache/index.d.ts

@@ -12,5 +12,5 @@ export { SessionContextSchema, HandshakeRequestSchema, NonceCacheEntrySchema, No
 export { MemoryNonceCache } from "./memory-nonce-cache";
 export { RedisNonceCache } from "./redis-nonce-cache";
 export { DynamoNonceCache } from "./dynamodb-nonce-cache";
-export { CloudflareKVNonceCache } from "./cloudflare-kv-nonce-cache";
+export { CloudflareKVNonceCache, type KVNamespace, type CloudflareKVNonceCacheConfig } from "./cloudflare-kv";
 export { createNonceCache, createNonceCacheWithConfig, detectCacheType, type NonceCacheOptions, } from "./nonce-cache-factory";

package/dist/cache/index.js

@@ -23,8 +23,8 @@ var redis_nonce_cache_1 = require("./redis-nonce-cache");
 Object.defineProperty(exports, "RedisNonceCache", { enumerable: true, get: function () { return redis_nonce_cache_1.RedisNonceCache; } });
 var dynamodb_nonce_cache_1 = require("./dynamodb-nonce-cache");
 Object.defineProperty(exports, "DynamoNonceCache", { enumerable: true, get: function () { return dynamodb_nonce_cache_1.DynamoNonceCache; } });
-var cloudflare_kv_nonce_cache_1 = require("./cloudflare-kv-nonce-cache");
-Object.defineProperty(exports, "CloudflareKVNonceCache", { enumerable: true, get: function () { return cloudflare_kv_nonce_cache_1.CloudflareKVNonceCache; } });
+var cloudflare_kv_1 = require("./cloudflare-kv");
+Object.defineProperty(exports, "CloudflareKVNonceCache", { enumerable: true, get: function () { return cloudflare_kv_1.CloudflareKVNonceCache; } });
 // Factory and auto-detection
 var nonce_cache_factory_1 = require("./nonce-cache-factory");
 Object.defineProperty(exports, "createNonceCache", { enumerable: true, get: function () { return nonce_cache_factory_1.createNonceCache; } });

package/dist/compiler/get-webpack-config/get-entries.js

@@ -4,25 +4,29 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.getEntries = getEntries;
-const constants_1 = require("../../utils/constants");
 const path_1 = __importDefault(require("path"));
 /** Get what packages are gonna be built by xmcp */
 function getEntries(xmcpConfig) {
     const entries = {};
+    // Point to SOURCE files in the mcp-i package, not pre-built runtime files
+    // This allows webpack to compile them directly without double-wrapping
+    // Cache bust: Updated adapter paths to correct locations (2025-10-09)
+    const mcpiPackageRoot = path_1.default.resolve(__dirname, "../../..");
+    const runtimeSourcePath = path_1.default.join(mcpiPackageRoot, "src/runtime");
     if (xmcpConfig.stdio) {
-        entries.stdio = path_1.default.join(constants_1.runtimeFolderPath, "stdio.js");
+        entries.stdio = path_1.default.join(runtimeSourcePath, "transports/stdio/index.ts");
     }
     if (xmcpConfig["http"]) {
         // non adapter mode
         if (!xmcpConfig.experimental?.adapter) {
-            entries["http"] = path_1.default.join(constants_1.runtimeFolderPath, "http.js");
+            entries["http"] = path_1.default.join(runtimeSourcePath, "transports/http/index.ts");
         }
         // adapter mode enabled
         if (xmcpConfig.experimental?.adapter === "express") {
-            entries["adapter"] = path_1.default.join(constants_1.runtimeFolderPath, "adapter-express.js");
+            entries["adapter"] = path_1.default.join(runtimeSourcePath, "adapters/express/index.ts");
         }
         if (xmcpConfig.experimental?.adapter === "nextjs") {
-            entries["adapter"] = path_1.default.join(constants_1.runtimeFolderPath, "adapter-nextjs.js");
+            entries["adapter"] = path_1.default.join(runtimeSourcePath, "adapters/nextjs/index.ts");
         }
     }
     return entries;

package/dist/compiler/get-webpack-config/get-externals.d.ts

@@ -1,7 +1,9 @@
 import { Configuration } from "webpack";
 /**
- * This function will decide is a file is bundled by xmcp compiler or not.
- * We want to avoid building node modules.
- * When using Next.js, we want to avoid building tools/*, since the nexjs compiler will handle that code.
+ * This function will decide if a file is bundled by xmcp compiler or not.
+ * - Built-in Node modules: externalized
+ * - npm packages: externalized
+ * - User code (tools, etc): bundled
+ * For adapters, tool files must be bundled so they're available at runtime.
  */
 export declare function getExternals(): Configuration["externals"];

package/dist/compiler/get-webpack-config/get-externals.js

@@ -5,13 +5,14 @@ const compiler_context_1 = require("../compiler-context");
 const module_1 = require("module");
 const plugins_1 = require("./plugins");
 /**
- * This function will decide is a file is bundled by xmcp compiler or not.
- * We want to avoid building node modules.
- * When using Next.js, we want to avoid building tools/*, since the nexjs compiler will handle that code.
+ * This function will decide if a file is bundled by xmcp compiler or not.
+ * - Built-in Node modules: externalized
+ * - npm packages: externalized
+ * - User code (tools, etc): bundled
+ * For adapters, tool files must be bundled so they're available at runtime.
  */
 function getExternals() {
     const xmcpConfig = (0, compiler_context_1.getXmcpConfig)();
-    const replacedImports = new Set();
     return [
         function (data, callback) {
             const { request } = data;
@@ -60,27 +61,19 @@ function getExternals() {
                 }
             }
             /**
-             * When using Next.js, we want them to bundle the code for the tool file,
-             * so just keep the reference for the import as external
+             * For adapters (Next.js, Express), bundle tool files into the adapter
+             * so they're available when the adapter runs at runtime.
+             * Only externalize npm packages - let webpack bundle user code.
              */
-            if (xmcpConfig.experimental?.adapter === "nextjs") {
-                // Bundle imports from the same folder
-                if (request.startsWith("./")) {
+            if (xmcpConfig.experimental?.adapter) {
+                // Bundle local/relative imports (tool files, etc)
+                if (request.startsWith("./") || request.startsWith("../")) {
                     return callback();
                 }
-                let pathRequest = request;
-                /**
-                 * Paths are relative to the .mcpi/nextjs-adapter folder,
-                 * but we are building in .mcpi/adapter/index.js, so we need to go up 2 levels
-                 */
-                if (request.startsWith("../")) {
-                    // Only replace the import if it hasn't been replaced yet
-                    if (!replacedImports.has(request)) {
-                        pathRequest = pathRequest.replace("../", "../../");
-                        replacedImports.add(pathRequest);
-                    }
+                // Externalize npm packages only
+                if (!request.startsWith(".") && !request.startsWith("/")) {
+                    return callback(null, `commonjs ${request}`);
                 }
-                return callback(null, `commonjs ${pathRequest}`);
             }
             callback();
         },

package/dist/compiler/get-webpack-config/plugins.js

@@ -61,9 +61,13 @@ class InjectRuntimePlugin {
             if (hasRun)
                 return;
             hasRun = true;
+            // Only copy headers.js - transport files are now compiled from source
+            // to avoid double-wrapping issues with webpack
             for (const [fileName, fileContent] of Object.entries(exports.runtimeFiles)) {
-                const targetPath = path_1.default.join(constants_1.runtimeFolderPath, fileName);
-                fs_extra_1.default.writeFileSync(targetPath, fileContent);
+                if (fileName === "headers.js") {
+                    const targetPath = path_1.default.join(constants_1.runtimeFolderPath, fileName);
+                    fs_extra_1.default.writeFileSync(targetPath, fileContent);
+                }
             }
         });
     }
@@ -102,16 +106,10 @@ class CreateTypeDefinitionPlugin {
                 return;
             hasRun = true;
             const xmcpConfig = (0, compiler_context_1.getXmcpConfig)();
-            // Manually type the .mcpi/adapter/index.js file using a .mcpi/adapter/index.d.ts file
-            // TO DO add withAuth to the type definition & AuthConfig
-            if (xmcpConfig.experimental?.adapter) {
-                let typeDefinitionContent = "";
-                if (xmcpConfig.experimental?.adapter == "nextjs") {
-                    typeDefinitionContent = nextJsTypeDefinition;
-                }
-                else if (xmcpConfig.experimental?.adapter == "express") {
-                    typeDefinitionContent = expressTypeDefinition;
-                }
+            // For Express adapters, create type definitions
+            // Next.js doesn't need .d.ts files as it causes webpack conflicts
+            if (xmcpConfig.experimental?.adapter === "express") {
+                const typeDefinitionContent = expressTypeDefinition;
                 fs_extra_1.default.writeFileSync(path_1.default.join(constants_1.adapterOutputPath, "index.d.ts"), typeDefinitionContent);
             }
         });