npm - @kya-os/mcp-i - Versions diffs - 1.5.0 → 1.5.2 - Mend

@kya-os/mcp-i 1.5.0 → 1.5.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/runtime/auth-handshake.d.ts +2 -0
package/dist/runtime/auth-handshake.js +6 -4
package/dist/runtime/delegation-verifier-kv.js +27 -8
package/dist/runtime/mcpi-runtime.d.ts +1 -0
package/dist/runtime/mcpi-runtime.js +8 -0
package/package.json +1 -1

package/dist/runtime/auth-handshake.d.ts CHANGED Viewed

@@ -42,6 +42,8 @@ export interface AgentReputation {
 export interface AuthHandshakeConfig {
     /** Delegation verifier instance */
     delegationVerifier: DelegationVerifier;
+    /** Resume token store (REQUIRED to persist tokens across calls) */
+    resumeTokenStore: ResumeTokenStore;
     /** KTA API configuration (optional, for reputation checks) */
     kta?: {
         apiUrl: string;

package/dist/runtime/auth-handshake.js CHANGED Viewed

@@ -120,9 +120,12 @@ async function verifyOrHints(agentDid, scopes, config, resumeToken) {
     }
     catch (error) {
         console.error('[AuthHandshake] Delegation verification failed:', error);
+        const errorMessage = `Delegation verification error: ${error instanceof Error ? error.message : 'Unknown error'}`;
+        const authError = await buildNeedsAuthorizationError(agentDid, scopes, config, errorMessage);
         return {
             authorized: false,
-            reason: `Delegation verification error: ${error instanceof Error ? error.message : 'Unknown error'}`,
+            authError,
+            reason: errorMessage,
         };
     }
     // Step 3: If delegation exists and valid, authorize immediately
@@ -202,9 +205,8 @@ async function fetchAgentReputation(agentDid, ktaConfig) {
  * @returns NeedsAuthorizationError
  */
 async function buildNeedsAuthorizationError(agentDid, scopes, config, message) {
-    // Generate resume token (simple implementation - use proper store in production)
-    const resumeTokenStore = new MemoryResumeTokenStore(config.bouncer.resumeTokenTtl || 600_000);
-    const resumeToken = await resumeTokenStore.create(agentDid, scopes, {
+    // Use the persistent resume token store from config
+    const resumeToken = await config.resumeTokenStore.create(agentDid, scopes, {
         requestedAt: Date.now(),
     });
     const expiresAt = Date.now() + (config.bouncer.resumeTokenTtl || 600_000);

package/dist/runtime/delegation-verifier-kv.js CHANGED Viewed

@@ -100,10 +100,9 @@ class CloudflareKVDelegationVerifier {
         if (this.debug) {
             console.log(`[KV] Cache MISS for ${agentDid}, querying KV...`);
         }
-        // Try to find delegation by agent DID lookup key
-        const lookupKey = `agent:${agentDid}:scopes:${scopesKey}`;
-        const delegationId = await this.kv.get(lookupKey, 'text');
-        if (!delegationId) {
+        // List all delegations for this agent (to support subset scope matching)
+        const listResult = await this.kv.list({ prefix: `agent:${agentDid}:scopes:` });
+        if (!listResult.keys || listResult.keys.length === 0) {
             const result = {
                 valid: false,
                 reason: 'No delegation found for agent',
@@ -116,17 +115,37 @@ class CloudflareKVDelegationVerifier {
             }
             return result;
         }
-        // Fetch full delegation record
-        const delegation = await this.get(delegationId);
-        if (!delegation) {
+        // Try each delegation to find one that matches the requested scopes
+        let matchingDelegation = null;
+        for (const key of listResult.keys) {
+            const delegationId = await this.kv.get(key.name, 'text');
+            if (!delegationId)
+                continue;
+            const delegation = await this.get(delegationId);
+            if (!delegation)
+                continue;
+            // Check if this delegation has the required scopes
+            const delegationScopes = (0, delegation_verifier_1.extractScopes)(delegation);
+            const scopesMatch = (0, delegation_verifier_1.checkScopes)(delegationScopes, scopes);
+            if (scopesMatch) {
+                // Found a matching delegation!
+                matchingDelegation = delegation;
+                break;
+            }
+        }
+        if (!matchingDelegation) {
             const result = {
                 valid: false,
-                reason: 'Delegation not found',
+                reason: 'No delegation found with required scopes',
                 cached: false,
             };
             this.cache.set(cacheKey, result, this.cacheTtl / 2);
+            if (this.debug) {
+                console.log(`[KV] No matching delegation found (${Date.now() - startTime}ms)`);
+            }
             return result;
         }
+        const delegation = matchingDelegation;
         // Validate delegation
         const validation = (0, delegation_verifier_1.validateDelegation)(delegation);
         if (!validation.valid) {

package/dist/runtime/mcpi-runtime.d.ts CHANGED Viewed

@@ -82,6 +82,7 @@ export declare class MCPIRuntime {
     private debugManager?;
     private demoManager?;
     private delegationVerifier?;
+    private resumeTokenStore;
     private config;
     private cachedIdentity?;
     constructor(config?: MCPIRuntimeConfig);

package/dist/runtime/mcpi-runtime.js CHANGED Viewed

@@ -28,6 +28,7 @@ class MCPIRuntime {
     debugManager;
     demoManager;
     delegationVerifier; // NEW - Phase 1
+    resumeTokenStore; // NEW - Phase 1
     config;
     cachedIdentity;
     constructor(config = {}) {
@@ -41,6 +42,9 @@ class MCPIRuntime {
         this.sessionManager = new session_1.SessionManager(config.session);
         // Initialize audit logger
         this.auditLogger = new audit_1.AuditLogger(config.audit);
+        // Initialize resume token store (NEW - Phase 1)
+        // Use in-memory store by default (sufficient for most use cases)
+        this.resumeTokenStore = new auth_handshake_1.MemoryResumeTokenStore(config.delegation?.authorization?.resumeTokenTtl || 600_000);
         // Initialize delegation verifier (NEW - Phase 1)
         if (config.delegation?.enabled && config.delegation?.verifier) {
             this.delegationVerifier = (0, delegation_verifier_1.createDelegationVerifier)(config.delegation.verifier);
@@ -113,6 +117,7 @@ class MCPIRuntime {
             // Build auth handshake config
             const authConfig = {
                 delegationVerifier: this.delegationVerifier,
+                resumeTokenStore: this.resumeTokenStore,
                 kta: this.config.delegation.authorization?.kta,
                 bouncer: {
                     authorizationUrl: this.config.delegation.authorization?.authorizationUrl ||
@@ -127,6 +132,9 @@ class MCPIRuntime {
             const verifyResult = await (0, auth_handshake_1.verifyOrHints)(options.agentDid, requiredScopes, authConfig);
             // If not authorized, return needs_authorization error
             if (!verifyResult.authorized) {
+                if (!verifyResult.authError) {
+                    throw new Error('Authorization failed but no authError was provided');
+                }
                 return verifyResult.authError;
             }
             // If authorized, log the delegation ID for audit trail

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@kya-os/mcp-i",
-  "version": "1.5.0",
+  "version": "1.5.2",
   "description": "The TypeScript MCP framework with identity features built-in",
   "type": "commonjs",
   "main": "dist/index.js",