@kya-os/mcp-i 1.2.2 → 1.2.3

package/dist/compiler/get-webpack-config/get-externals.js

@@ -70,8 +70,8 @@ function getExternals() {
                 }
                 let pathRequest = request;
                 /**
-                 * Paths are relative to the .xmcp/nextjs-adapter folder,
-                 * but we are building in .xmcp/adapter/index.js, so we need to go up 2 levels
+                 * Paths are relative to the .mcpi/nextjs-adapter folder,
+                 * but we are building in .mcpi/adapter/index.js, so we need to go up 2 levels
                  */
                 if (request.startsWith("../")) {
                     // Only replace the import if it hasn't been replaced yet

package/dist/compiler/get-webpack-config/plugins.js

@@ -12,7 +12,6 @@ const compiler_context_1 = require("../compiler-context");
 const getDefaultRuntimeFiles = () => {
     const path = require("path");
     const fs = require("fs");
-    console.log("getDefaultRuntimeFiles: Starting from __dirname:", __dirname);
     // Try multiple possible locations for the mcp-i runtime dist directory
     const possiblePaths = [
         // When running from compiled dist
@@ -27,17 +26,14 @@ const getDefaultRuntimeFiles = () => {
     ];
     let mcpDistPath = "";
     for (const possiblePath of possiblePaths) {
-        console.log("getDefaultRuntimeFiles: Checking path:", possiblePath);
         if (fs.existsSync(possiblePath) &&
             fs.existsSync(path.join(possiblePath, "http.js"))) {
             mcpDistPath = possiblePath;
-            console.log("getDefaultRuntimeFiles: Found valid dist path:", mcpDistPath);
             break;
         }
     }
     const runtimeFiles = {};
     if (mcpDistPath) {
-        console.log("getDefaultRuntimeFiles: Loading runtime files from:", mcpDistPath);
         // Add known runtime files
         const knownFiles = [
             "http.js",
@@ -48,17 +44,11 @@ const getDefaultRuntimeFiles = () => {
         ];
         for (const file of knownFiles) {
             const filePath = path.join(mcpDistPath, file);
-            console.log("getDefaultRuntimeFiles: Checking for file:", filePath);
             if (fs.existsSync(filePath)) {
-                console.log("getDefaultRuntimeFiles: Found file:", file);
                 runtimeFiles[file] = fs.readFileSync(filePath, "utf8");
             }
         }
     }
-    else {
-        console.log("getDefaultRuntimeFiles: No valid dist path found");
-    }
-    console.log("getDefaultRuntimeFiles: Final runtime files:", Object.keys(runtimeFiles));
     return runtimeFiles;
 };
 exports.runtimeFiles = (typeof RUNTIME_FILES !== "undefined"
@@ -71,10 +61,8 @@ class InjectRuntimePlugin {
             if (hasRun)
                 return;
             hasRun = true;
-            console.log("InjectRuntimePlugin: Found runtime files:", Object.keys(exports.runtimeFiles));
             for (const [fileName, fileContent] of Object.entries(exports.runtimeFiles)) {
                 const targetPath = path_1.default.join(constants_1.runtimeFolderPath, fileName);
-                console.log(`InjectRuntimePlugin: Writing ${fileName} to ${targetPath}`);
                 fs_extra_1.default.writeFileSync(targetPath, fileContent);
             }
         });
@@ -114,7 +102,7 @@ class CreateTypeDefinitionPlugin {
                 return;
             hasRun = true;
             const xmcpConfig = (0, compiler_context_1.getXmcpConfig)();
-            // Manually type the .xmcp/adapter/index.js file using a .xmcp/adapter/index.d.ts file
+            // Manually type the .mcpi/adapter/index.js file using a .mcpi/adapter/index.d.ts file
             // TO DO add withAuth to the type definition & AuthConfig
             if (xmcpConfig.experimental?.adapter) {
                 let typeDefinitionContent = "";

package/dist/runtime/session.js

@@ -25,8 +25,10 @@ class SessionManager {
             nonceCache: new memory_nonce_cache_1.MemoryNonceCache(),
             ...config,
         };
-        // Warn about multi-instance deployments with memory cache
-        if (this.config.nonceCache instanceof memory_nonce_cache_1.MemoryNonceCache) {
+        // Warn about multi-instance deployments with memory cache (only in production or if explicitly enabled)
+        if (this.config.nonceCache instanceof memory_nonce_cache_1.MemoryNonceCache &&
+            (process.env.NODE_ENV === "production" ||
+                process.env.MCPI_WARN_MEMORY_CACHE === "true")) {
             console.warn("Warning: Using MemoryNonceCache - not suitable for multi-instance deployments. " +
                 "Consider using Redis, DynamoDB, or Cloudflare KV for production.");
         }

package/dist/storage/encryption.d.ts

@@ -0,0 +1,61 @@
+/**
+ * Encryption utilities for ktaEncrypted storage mode
+ */
+export interface EncryptionResult {
+    ciphertext: string;
+    nonce: string;
+    publicKey: string;
+}
+export interface DecryptionParams {
+    ciphertext: string;
+    nonce: string;
+    publicKey: string;
+    privateKey: string;
+}
+/**
+ * Audience-key encryption for ktaEncrypted mode
+ * Uses X25519 key exchange + ChaCha20-Poly1305 AEAD
+ */
+export declare class AudienceKeyEncryption {
+    /**
+     * Generate a new key pair for encryption
+     */
+    static generateKeyPair(): Promise<CryptoKeyPair>;
+    /**
+     * Encrypt data for a specific audience public key
+     */
+    static encrypt(data: string, audiencePublicKey: string): Promise<EncryptionResult>;
+    /**
+     * Decrypt data using private key
+     */
+    static decrypt(params: DecryptionParams): Promise<string>;
+    /**
+     * Import public key from base64 string
+     */
+    private static importPublicKey;
+    /**
+     * Import private key from base64 string
+     */
+    private static importPrivateKey;
+    /**
+     * Export public key to base64 string
+     */
+    private static exportPublicKey;
+    /**
+     * Export private key to base64 string
+     */
+    static exportPrivateKey(privateKey: CryptoKey): Promise<string>;
+}
+/**
+ * Simple symmetric encryption for testing
+ */
+export declare class SimpleEncryption {
+    /**
+     * Encrypt data with a password (for testing only)
+     */
+    static encrypt(data: string, password: string): Promise<string>;
+    /**
+     * Decrypt data with a password (for testing only)
+     */
+    static decrypt(encryptedData: string, password: string): Promise<string>;
+}

package/dist/storage/encryption.js

@@ -0,0 +1,151 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SimpleEncryption = exports.AudienceKeyEncryption = void 0;
+const crypto_1 = require("crypto");
+/**
+ * Audience-key encryption for ktaEncrypted mode
+ * Uses X25519 key exchange + ChaCha20-Poly1305 AEAD
+ */
+class AudienceKeyEncryption {
+    /**
+     * Generate a new key pair for encryption
+     */
+    static async generateKeyPair() {
+        const keyPair = await crypto_1.webcrypto.subtle.generateKey({
+            name: "X25519",
+        }, true, // extractable
+        ["deriveKey"]);
+        // Type assertion since we know X25519 returns a CryptoKeyPair
+        return keyPair;
+    }
+    /**
+     * Encrypt data for a specific audience public key
+     */
+    static async encrypt(data, audiencePublicKey) {
+        // Generate ephemeral key pair
+        const ephemeralKeyPair = await this.generateKeyPair();
+        // Import audience public key
+        const audiencePubKey = await this.importPublicKey(audiencePublicKey);
+        // Derive shared secret
+        const sharedSecret = await crypto_1.webcrypto.subtle.deriveKey({
+            name: "X25519",
+            public: audiencePubKey,
+        }, ephemeralKeyPair.privateKey, {
+            name: "ChaCha20-Poly1305",
+            length: 256,
+        }, false, // not extractable
+        ["encrypt"]);
+        // Generate random nonce
+        const nonce = crypto_1.webcrypto.getRandomValues(new Uint8Array(12));
+        // Encrypt the data
+        const encoder = new TextEncoder();
+        const dataBytes = encoder.encode(data);
+        const ciphertext = await crypto_1.webcrypto.subtle.encrypt({
+            name: "ChaCha20-Poly1305",
+            iv: nonce,
+        }, sharedSecret, dataBytes);
+        // Export ephemeral public key
+        const ephemeralPublicKey = await this.exportPublicKey(ephemeralKeyPair.publicKey);
+        return {
+            ciphertext: Buffer.from(ciphertext).toString("base64"),
+            nonce: Buffer.from(nonce).toString("base64"),
+            publicKey: ephemeralPublicKey,
+        };
+    }
+    /**
+     * Decrypt data using private key
+     */
+    static async decrypt(params) {
+        // Import keys
+        const ephemeralPublicKey = await this.importPublicKey(params.publicKey);
+        const privateKey = await this.importPrivateKey(params.privateKey);
+        // Derive shared secret
+        const sharedSecret = await crypto_1.webcrypto.subtle.deriveKey({
+            name: "X25519",
+            public: ephemeralPublicKey,
+        }, privateKey, {
+            name: "ChaCha20-Poly1305",
+            length: 256,
+        }, false, // not extractable
+        ["decrypt"]);
+        // Decrypt the data
+        const ciphertext = Buffer.from(params.ciphertext, "base64");
+        const nonce = Buffer.from(params.nonce, "base64");
+        const decrypted = await crypto_1.webcrypto.subtle.decrypt({
+            name: "ChaCha20-Poly1305",
+            iv: nonce,
+        }, sharedSecret, ciphertext);
+        const decoder = new TextDecoder();
+        return decoder.decode(decrypted);
+    }
+    /**
+     * Import public key from base64 string
+     */
+    static async importPublicKey(publicKey) {
+        const keyBytes = Buffer.from(publicKey, "base64");
+        return await crypto_1.webcrypto.subtle.importKey("raw", keyBytes, {
+            name: "X25519",
+        }, false, []);
+    }
+    /**
+     * Import private key from base64 string
+     */
+    static async importPrivateKey(privateKey) {
+        const keyBytes = Buffer.from(privateKey, "base64");
+        return await crypto_1.webcrypto.subtle.importKey("raw", keyBytes, {
+            name: "X25519",
+        }, false, ["deriveKey"]);
+    }
+    /**
+     * Export public key to base64 string
+     */
+    static async exportPublicKey(publicKey) {
+        const keyBytes = await crypto_1.webcrypto.subtle.exportKey("raw", publicKey);
+        return Buffer.from(keyBytes).toString("base64");
+    }
+    /**
+     * Export private key to base64 string
+     */
+    static async exportPrivateKey(privateKey) {
+        const keyBytes = await crypto_1.webcrypto.subtle.exportKey("raw", privateKey);
+        return Buffer.from(keyBytes).toString("base64");
+    }
+}
+exports.AudienceKeyEncryption = AudienceKeyEncryption;
+/**
+ * Simple symmetric encryption for testing
+ */
+class SimpleEncryption {
+    /**
+     * Encrypt data with a password (for testing only)
+     */
+    static async encrypt(data, password) {
+        // This is a simple implementation for testing
+        // In production, use proper key derivation and authenticated encryption
+        const encoder = new TextEncoder();
+        const dataBytes = encoder.encode(data);
+        const passwordBytes = encoder.encode(password);
+        // Simple XOR encryption (NOT secure, for testing only)
+        const encrypted = new Uint8Array(dataBytes.length);
+        for (let i = 0; i < dataBytes.length; i++) {
+            encrypted[i] = dataBytes[i] ^ passwordBytes[i % passwordBytes.length];
+        }
+        return Buffer.from(encrypted).toString("base64");
+    }
+    /**
+     * Decrypt data with a password (for testing only)
+     */
+    static async decrypt(encryptedData, password) {
+        const encrypted = Buffer.from(encryptedData, "base64");
+        const encoder = new TextEncoder();
+        const passwordBytes = encoder.encode(password);
+        // Simple XOR decryption (NOT secure, for testing only)
+        const decrypted = new Uint8Array(encrypted.length);
+        for (let i = 0; i < encrypted.length; i++) {
+            decrypted[i] = encrypted[i] ^ passwordBytes[i % passwordBytes.length];
+        }
+        const decoder = new TextDecoder();
+        return decoder.decode(decrypted);
+    }
+}
+exports.SimpleEncryption = SimpleEncryption;

package/dist/storage/index.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Storage and receipts module for XMCP-I
+ *
+ * This module provides storage mode configuration, receipt handling,
+ * delegation management, and encryption utilities for verifiable credentials.
+ */
+export * from "./config";
+export * from "./delegation";
+export * from "./encryption";
+export * from "./merkle-verifier";
+export type { StorageMode, StorageConfig, Receipt, Delegation, DelegationRequest, DelegationResponse, } from "@kya-os/contracts/registry";

package/dist/storage/index.js

@@ -0,0 +1,26 @@
+"use strict";
+/**
+ * Storage and receipts module for XMCP-I
+ *
+ * This module provides storage mode configuration, receipt handling,
+ * delegation management, and encryption utilities for verifiable credentials.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./config"), exports);
+__exportStar(require("./delegation"), exports);
+__exportStar(require("./encryption"), exports);
+__exportStar(require("./merkle-verifier"), exports);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@kya-os/mcp-i",
-  "version": "1.2.2",
+  "version": "1.2.3",
   "description": "The TypeScript MCP framework with identity features built-in",
   "type": "commonjs",
   "main": "dist/index.js",
@@ -46,7 +46,7 @@
     "model-context-protocol"
   ],
   "dependencies": {
-    "@kya-os/contracts": "^1.2.0",
+    "@kya-os/contracts": "workspace:*",
     "@modelcontextprotocol/inspector": "^0.16.6",
     "@modelcontextprotocol/sdk": "^1.11.4",
     "@swc/core": "^1.11.24",

package/dist/cache/__tests__/cloudflare-kv-nonce-cache.test.d.ts

@@ -1,4 +0,0 @@
-/**
- * Tests for Cloudflare KV Nonce Cache
- */
-export {};

package/dist/cache/__tests__/cloudflare-kv-nonce-cache.test.js

@@ -1,176 +0,0 @@
-"use strict";
-/**
- * Tests for Cloudflare KV Nonce Cache
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-const vitest_1 = require("vitest");
-const cloudflare_kv_nonce_cache_js_1 = require("../cloudflare-kv-nonce-cache.js");
-// Mock Cloudflare KV namespace
-const mockKV = {
-    get: vitest_1.vi.fn(),
-    getWithMetadata: vitest_1.vi.fn(),
-    put: vitest_1.vi.fn(),
-    delete: vitest_1.vi.fn(),
-};
-(0, vitest_1.describe)("CloudflareKVNonceCache", () => {
-    let cache;
-    (0, vitest_1.beforeEach)(() => {
-        vitest_1.vi.clearAllMocks();
-        cache = new cloudflare_kv_nonce_cache_js_1.CloudflareKVNonceCache(mockKV, "test:");
-    });
-    (0, vitest_1.describe)("Basic Operations", () => {
-        (0, vitest_1.it)("should add and check nonce existence", async () => {
-            const nonce = "test-nonce-123";
-            // Mock KV responses
-            mockKV.get.mockResolvedValue(null); // doesn't exist initially
-            mockKV.put.mockResolvedValue(undefined); // successful put
-            // Initially should not exist
-            (0, vitest_1.expect)(await cache.has(nonce)).toBe(false);
-            (0, vitest_1.expect)(mockKV.get).toHaveBeenCalledWith("test:test-nonce-123");
-            // Mock getWithMetadata for add operation
-            mockKV.getWithMetadata.mockResolvedValue({ value: null, metadata: null });
-            // Add nonce
-            await cache.add(nonce, 60);
-            (0, vitest_1.expect)(mockKV.put).toHaveBeenCalledWith("test:test-nonce-123", vitest_1.expect.stringContaining('"nonce":"test-nonce-123"'), { expirationTtl: 60 });
-            // Mock that it now exists and is valid
-            const futureTime = Date.now() + 50000;
-            mockKV.get.mockResolvedValue(JSON.stringify({
-                nonce,
-                expiresAt: futureTime,
-                createdAt: Date.now(),
-            }));
-            (0, vitest_1.expect)(await cache.has(nonce)).toBe(true);
-        });
-        (0, vitest_1.it)("should handle expired nonces correctly", async () => {
-            const nonce = "expired-nonce";
-            // Mock expired nonce data
-            const pastTime = Date.now() - 10000;
-            mockKV.get.mockResolvedValue(JSON.stringify({
-                nonce,
-                expiresAt: pastTime,
-                createdAt: Date.now() - 20000,
-            }));
-            mockKV.delete.mockResolvedValue(undefined);
-            // Should return false and clean up expired entry
-            (0, vitest_1.expect)(await cache.has(nonce)).toBe(false);
-            (0, vitest_1.expect)(mockKV.delete).toHaveBeenCalledWith("test:expired-nonce");
-        });
-        (0, vitest_1.it)("should handle corrupted data gracefully", async () => {
-            const nonce = "corrupted-nonce";
-            // Mock corrupted JSON data
-            mockKV.get.mockResolvedValue("invalid-json");
-            mockKV.delete.mockResolvedValue(undefined);
-            // Should return false and clean up corrupted entry
-            (0, vitest_1.expect)(await cache.has(nonce)).toBe(false);
-            (0, vitest_1.expect)(mockKV.delete).toHaveBeenCalledWith("test:corrupted-nonce");
-        });
-    });
-    (0, vitest_1.describe)("Atomic Operations with getWithMetadata", () => {
-        (0, vitest_1.it)("should use getWithMetadata for better atomicity when available", async () => {
-            const nonce = "atomic-test-nonce";
-            // Mock getWithMetadata returning no existing value
-            mockKV.getWithMetadata.mockResolvedValue({ value: null, metadata: null });
-            mockKV.put.mockResolvedValue(undefined);
-            await cache.add(nonce, 60);
-            (0, vitest_1.expect)(mockKV.getWithMetadata).toHaveBeenCalledWith("test:atomic-test-nonce");
-            (0, vitest_1.expect)(mockKV.put).toHaveBeenCalled();
-        });
-        (0, vitest_1.it)("should prevent duplicate addition with getWithMetadata", async () => {
-            const nonce = "duplicate-nonce";
-            // Mock existing valid nonce
-            const futureTime = Date.now() + 50000;
-            mockKV.getWithMetadata.mockResolvedValue({
-                value: JSON.stringify({
-                    nonce,
-                    expiresAt: futureTime,
-                    createdAt: Date.now(),
-                }),
-                metadata: null,
-            });
-            await (0, vitest_1.expect)(cache.add(nonce, 60)).rejects.toThrow("Nonce duplicate-nonce already exists - potential replay attack");
-        });
-        (0, vitest_1.it)("should allow overwrite of expired nonce with getWithMetadata", async () => {
-            const nonce = "expired-overwrite-nonce";
-            // Mock existing expired nonce
-            const pastTime = Date.now() - 10000;
-            mockKV.getWithMetadata.mockResolvedValue({
-                value: JSON.stringify({
-                    nonce,
-                    expiresAt: pastTime,
-                    createdAt: Date.now() - 20000,
-                }),
-                metadata: null,
-            });
-            mockKV.put.mockResolvedValue(undefined);
-            // Should succeed in overwriting expired nonce
-            await (0, vitest_1.expect)(cache.add(nonce, 60)).resolves.not.toThrow();
-            (0, vitest_1.expect)(mockKV.put).toHaveBeenCalled();
-        });
-    });
-    (0, vitest_1.describe)("Fallback to Basic Operations", () => {
-        (0, vitest_1.it)("should fall back to basic operations when getWithMetadata fails", async () => {
-            const nonce = "fallback-nonce";
-            // Mock getWithMetadata throwing error
-            const getWithMetadataError = new Error("getWithMetadata is not available");
-            mockKV.getWithMetadata.mockRejectedValue(getWithMetadataError);
-            // Mock basic operations
-            mockKV.get.mockResolvedValue(null);
-            mockKV.put.mockResolvedValue(undefined);
-            await cache.add(nonce, 60);
-            // Should have fallen back to basic has() check
-            (0, vitest_1.expect)(mockKV.get).toHaveBeenCalledWith("test:fallback-nonce");
-            (0, vitest_1.expect)(mockKV.put).toHaveBeenCalled();
-        });
-        (0, vitest_1.it)("should prevent duplicate addition in fallback mode", async () => {
-            const nonce = "fallback-duplicate-nonce";
-            // Mock getWithMetadata not available
-            const getWithMetadataError = new Error("getWithMetadata is not available");
-            mockKV.getWithMetadata.mockRejectedValue(getWithMetadataError);
-            // Mock existing nonce in basic mode
-            const futureTime = Date.now() + 50000;
-            mockKV.get.mockResolvedValue(JSON.stringify({
-                nonce,
-                expiresAt: futureTime,
-                createdAt: Date.now(),
-            }));
-            await (0, vitest_1.expect)(cache.add(nonce, 60)).rejects.toThrow("Nonce fallback-duplicate-nonce already exists - potential replay attack");
-        });
-    });
-    (0, vitest_1.describe)("Error Handling", () => {
-        (0, vitest_1.it)("should propagate unexpected errors", async () => {
-            const nonce = "error-nonce";
-            const unexpectedError = new Error("Network error");
-            mockKV.getWithMetadata.mockRejectedValue(unexpectedError);
-            await (0, vitest_1.expect)(cache.add(nonce, 60)).rejects.toThrow("Network error");
-        });
-        (0, vitest_1.it)("should handle KV operation failures gracefully", async () => {
-            const nonce = "kv-error-nonce";
-            mockKV.get.mockRejectedValue(new Error("KV service unavailable"));
-            // has() should handle KV errors gracefully
-            await (0, vitest_1.expect)(cache.has(nonce)).rejects.toThrow("KV service unavailable");
-        });
-    });
-    (0, vitest_1.describe)("Cleanup", () => {
-        (0, vitest_1.it)("should be a no-op since KV handles expiry", async () => {
-            // cleanup() should not call any KV methods
-            await cache.cleanup();
-            (0, vitest_1.expect)(mockKV.get).not.toHaveBeenCalled();
-            (0, vitest_1.expect)(mockKV.put).not.toHaveBeenCalled();
-            (0, vitest_1.expect)(mockKV.delete).not.toHaveBeenCalled();
-        });
-    });
-    (0, vitest_1.describe)("Key Prefix", () => {
-        (0, vitest_1.it)("should use custom key prefix", async () => {
-            const customCache = new cloudflare_kv_nonce_cache_js_1.CloudflareKVNonceCache(mockKV, "custom:");
-            mockKV.get.mockResolvedValue(null);
-            await customCache.has("test-nonce");
-            (0, vitest_1.expect)(mockKV.get).toHaveBeenCalledWith("custom:test-nonce");
-        });
-        (0, vitest_1.it)("should use default key prefix", async () => {
-            const defaultCache = new cloudflare_kv_nonce_cache_js_1.CloudflareKVNonceCache(mockKV);
-            mockKV.get.mockResolvedValue(null);
-            await defaultCache.has("test-nonce");
-            (0, vitest_1.expect)(mockKV.get).toHaveBeenCalledWith("nonce:test-nonce");
-        });
-    });
-});

package/dist/cache/__tests__/concurrency.test.d.ts

@@ -1,5 +0,0 @@
-/**
- * Concurrency tests for nonce cache implementations
- * Tests multi-instance replay prevention and atomic operations
- */
-export {};