@kya-os/mcp-i 1.5.3-canary.0 → 1.5.4

package/dist/runtime/identity.d.ts

@@ -9,7 +9,7 @@
  */
 export interface AgentIdentity {
     did: string;
-    keyId: string;
+    kid: string;
     privateKey: string;
     publicKey: string;
     createdAt: string;
@@ -21,7 +21,7 @@ export interface AgentIdentity {
 export interface DevIdentityFile {
     version: string;
     did: string;
-    keyId: string;
+    kid: string;
     privateKey: string;
     publicKey: string;
     createdAt: string;
@@ -74,6 +74,14 @@ export declare class IdentityManager {
      * Requirements: 4.1, 4.4
      */
     private generateDevIdentity;
+    /**
+     * Generate multibase-encoded key identifier (z-prefix base58btc)
+     */
+    private generateMultibaseKid;
+    /**
+     * Simple base58 encoding (matching well-known.ts implementation)
+     */
+    private encodeBase58;
     /**
      * Save development identity to .mcpi/identity.json
      */

package/dist/runtime/identity.js

@@ -73,9 +73,31 @@ class IdentityManager {
             if ((0, fs_1.existsSync)(identityPath)) {
                 const content = await (0, promises_1.readFile)(identityPath, "utf-8");
                 const devIdentity = JSON.parse(content);
+                // Handle backward compatibility: support both 'kid' and old 'keyId' format
+                let kid = devIdentity.kid || devIdentity.keyId;
+                // If we have old keyId format, migrate to multibase format
+                if (devIdentity.keyId && !devIdentity.kid) {
+                    // Check if it's the old format (key-[hex])
+                    if (kid.startsWith('key-')) {
+                        // Generate new multibase kid from public key
+                        kid = this.generateMultibaseKid(devIdentity.publicKey);
+                        // Save migrated identity
+                        const migratedIdentity = {
+                            did: devIdentity.did,
+                            kid,
+                            privateKey: devIdentity.privateKey,
+                            publicKey: devIdentity.publicKey,
+                            createdAt: devIdentity.createdAt,
+                            lastRotated: devIdentity.lastRotated,
+                        };
+                        await this.saveDevIdentity(migratedIdentity);
+                        console.error(`✅ Migrated identity to new multibase kid format: ${kid}`);
+                        return migratedIdentity;
+                    }
+                }
                 return {
                     did: devIdentity.did,
-                    keyId: devIdentity.keyId,
+                    kid,
                     privateKey: devIdentity.privateKey,
                     publicKey: devIdentity.publicKey,
                     createdAt: devIdentity.createdAt,
@@ -83,9 +105,9 @@ class IdentityManager {
                 };
             }
         }
-        catch {
+        catch (error) {
             // If file exists but is corrupted, we'll regenerate
-            console.warn(`Warning: Could not load identity from ${identityPath}, generating new one`);
+            console.warn(`Warning: Could not load identity from ${identityPath}, generating new one`, error instanceof Error ? error.message : error);
         }
         // Generate new identity
         return await this.generateDevIdentity();
@@ -104,14 +126,16 @@ class IdentityManager {
         }
         const privateKey = Buffer.from(privateKeyJwk.d, "base64url").toString("base64");
         const publicKey = Buffer.from(privateKeyJwk.x, "base64url").toString("base64");
-        // Generate key ID (first 8 chars of public key hash)
-        const keyId = `key-${(0, crypto_1.createHash)("sha256").update(publicKey).digest("hex").substring(0, 8)}`;
+        // Generate multibase-encoded key ID
+        const kid = this.generateMultibaseKid(publicKey);
         // Generate DID (for dev, use localhost)
-        const did = `did:web:localhost:3000:agents:${keyId}`;
+        // Extract a short identifier for the DID path (first 8 chars of hash for readability)
+        const shortId = (0, crypto_1.createHash)("sha256").update(publicKey).digest("hex").substring(0, 8);
+        const did = `did:web:localhost:3000:agents:${shortId}`;
         const now = new Date().toISOString();
         const identity = {
             did,
-            keyId,
+            kid: kid, // Using kid but keeping field name for now for compatibility
             privateKey,
             publicKey,
             createdAt: now,
@@ -120,6 +144,38 @@ class IdentityManager {
         await this.saveDevIdentity(identity);
         return identity;
     }
+    /**
+     * Generate multibase-encoded key identifier (z-prefix base58btc)
+     */
+    generateMultibaseKid(base64PublicKey) {
+        const publicKeyBytes = Buffer.from(base64PublicKey, "base64");
+        // Ed25519 public key prefix (0xed01) + key bytes
+        const prefixedKey = Buffer.concat([
+            Buffer.from([0xed, 0x01]), // Ed25519 multicodec prefix
+            publicKeyBytes,
+        ]);
+        // Convert to base58btc
+        const base58 = this.encodeBase58(prefixedKey);
+        return `z${base58}`; // 'z' prefix indicates base58btc
+    }
+    /**
+     * Simple base58 encoding (matching well-known.ts implementation)
+     */
+    encodeBase58(buffer) {
+        const alphabet = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
+        let num = BigInt("0x" + buffer.toString("hex"));
+        let result = "";
+        while (num > 0n) {
+            const remainder = num % 58n;
+            result = alphabet[Number(remainder)] + result;
+            num = num / 58n;
+        }
+        // Handle leading zeros
+        for (let i = 0; i < buffer.length && buffer[i] === 0; i++) {
+            result = "1" + result;
+        }
+        return result;
+    }
     /**
      * Save development identity to .mcpi/identity.json
      */
@@ -127,10 +183,11 @@ class IdentityManager {
         const identityPath = this.config.devIdentityPath;
         // Ensure directory exists
         await (0, promises_1.mkdir)((0, path_1.dirname)(identityPath), { recursive: true });
+        // Use 'kid' in the saved file (conforming to new schema)
         const devIdentity = {
             version: "1.0",
             did: identity.did,
-            keyId: identity.keyId,
+            kid: identity.kid, // Save as 'kid' in file
             privateKey: identity.privateKey,
             publicKey: identity.publicKey,
             createdAt: identity.createdAt,
@@ -141,7 +198,7 @@ class IdentityManager {
         });
         console.error(`✅ Identity saved to ${identityPath}`);
         console.error(`   DID: ${identity.did}`);
-        console.error(`   Key ID: ${identity.keyId}`);
+        console.error(`   Key ID: ${identity.kid}`);
     }
     /**
      * Load production identity from environment variables
@@ -185,7 +242,7 @@ class IdentityManager {
             .digest("base64");
         return {
             did: env.AGENT_DID,
-            keyId: env.AGENT_KEY_ID,
+            kid: env.AGENT_KEY_ID,
             privateKey: env.AGENT_PRIVATE_KEY,
             publicKey,
             createdAt: new Date().toISOString(), // We don't have creation time in prod
@@ -198,7 +255,7 @@ class IdentityManager {
         try {
             // Basic validation
             if (!identity.did ||
-                !identity.keyId ||
+                !identity.kid ||
                 !identity.privateKey ||
                 !identity.publicKey) {
                 return false;

package/dist/runtime/mcpi-runtime.d.ts

@@ -41,6 +41,30 @@ export interface MCPIRuntimeConfig {
         logFunction?: (record: string) => void;
         includePayloads?: boolean;
     };
+    proofing?: {
+        /** Enable proof generation and submission */
+        enabled?: boolean;
+        /** Proof batch queue configuration */
+        batchQueue?: {
+            /** Proof submission destinations (AgentShield, KTA, etc.) */
+            destinations?: Array<{
+                /** Destination type */
+                type: "agentshield" | "kta";
+                /** API base URL */
+                apiUrl: string;
+                /** API key for authentication */
+                apiKey?: string;
+            }>;
+            /** Maximum batch size before auto-flush (default: 10) */
+            maxBatchSize?: number;
+            /** Flush interval in milliseconds (default: 5000) */
+            flushIntervalMs?: number;
+            /** Maximum retries per batch (default: 3) */
+            maxRetries?: number;
+            /** Enable debug logging */
+            debug?: boolean;
+        };
+    };
     wellKnown?: WellKnownConfig;
     delegation?: {
         /** Enable delegation checks (default: false for backward compatibility) */
@@ -139,7 +163,7 @@ export declare class MCPIRuntime {
     getStats(): {
         identity: {
             did: string | undefined;
-            keyId: string | undefined;
+            kid: string | undefined;
             environment: "development" | "production";
         };
         session: {
@@ -155,6 +179,9 @@ export declare class MCPIRuntime {
             enabled: boolean;
             sessionsLogged: number;
             includePayloads: boolean;
+            totalRecordsLogged: number;
+            currentLogSize: number;
+            lastRotationTime: number;
         };
         runtime: {
             initialized: boolean;

package/dist/runtime/mcpi-runtime.js

@@ -93,7 +93,7 @@ class MCPIRuntime {
         });
         console.error(`✅ XMCP-I Runtime initialized`);
         console.error(`   DID: ${this.cachedIdentity.did}`);
-        console.error(`   Key ID: ${this.cachedIdentity.keyId}`);
+        console.error(`   Key ID: ${this.cachedIdentity.kid}`);
         // Show verify link in development (default true)
         const showVerifyLink = this.config.runtime?.showVerifyLink !== false;
         demo_1.DemoConsole.printVerifyLink(showVerifyLink, this.config.identity?.environment || "development");
@@ -281,7 +281,7 @@ class MCPIRuntime {
         return {
             identity: {
                 did: this.cachedIdentity?.did,
-                keyId: this.cachedIdentity?.keyId,
+                kid: this.cachedIdentity?.kid,
                 environment: this.config.identity?.environment || "development",
             },
             session: this.sessionManager.getStats(),

package/dist/runtime/migrate-identity.d.ts

@@ -0,0 +1,16 @@
+/**
+ * Identity Migration Utility
+ *
+ * Migrates old identity files from keyId format to kid multibase format
+ */
+/**
+ * Migrate an identity file from old keyId format to new kid format
+ * @param identityPath Path to the identity file
+ * @returns true if migration was performed, false if already migrated
+ */
+export declare function migrateIdentityFile(identityPath: string): Promise<boolean>;
+/**
+ * Generate multibase-encoded key identifier (z-prefix base58btc)
+ */
+declare function generateMultibaseKid(base64PublicKey: string): string;
+export { generateMultibaseKid };

package/dist/runtime/migrate-identity.js

@@ -0,0 +1,118 @@
+"use strict";
+/**
+ * Identity Migration Utility
+ *
+ * Migrates old identity files from keyId format to kid multibase format
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.migrateIdentityFile = migrateIdentityFile;
+exports.generateMultibaseKid = generateMultibaseKid;
+const promises_1 = require("fs/promises");
+const fs_1 = require("fs");
+/**
+ * Migrate an identity file from old keyId format to new kid format
+ * @param identityPath Path to the identity file
+ * @returns true if migration was performed, false if already migrated
+ */
+async function migrateIdentityFile(identityPath) {
+    if (!(0, fs_1.existsSync)(identityPath)) {
+        throw new Error(`Identity file not found: ${identityPath}`);
+    }
+    const content = await (0, promises_1.readFile)(identityPath, "utf-8");
+    const identity = JSON.parse(content);
+    // Check if already migrated (has kid field)
+    if (identity.kid) {
+        console.log("Identity file already migrated to kid format");
+        return false;
+    }
+    // Check if has old format keyId
+    if (!identity.keyId) {
+        throw new Error("Identity file has neither kid nor keyId field");
+    }
+    // Check if it's the old format (key-[hex])
+    if (identity.keyId.startsWith('key-')) {
+        // Generate multibase kid from public key
+        const kid = generateMultibaseKid(identity.publicKey);
+        // Create migrated identity
+        const migratedIdentity = {
+            version: identity.version || "1.0",
+            did: identity.did,
+            kid, // New field
+            privateKey: identity.privateKey,
+            publicKey: identity.publicKey,
+            createdAt: identity.createdAt,
+            lastRotated: identity.lastRotated || new Date().toISOString(),
+        };
+        // Save migrated identity
+        await (0, promises_1.writeFile)(identityPath, JSON.stringify(migratedIdentity, null, 2), {
+            mode: 0o600,
+        });
+        console.log(`✅ Migrated identity file to new multibase kid format`);
+        console.log(`   Old keyId: ${identity.keyId}`);
+        console.log(`   New kid: ${kid}`);
+        return true;
+    }
+    // Already in multibase format, just rename field
+    const renamedIdentity = {
+        version: identity.version || "1.0",
+        did: identity.did,
+        kid: identity.keyId, // Rename field from keyId to kid
+        privateKey: identity.privateKey,
+        publicKey: identity.publicKey,
+        createdAt: identity.createdAt,
+        lastRotated: identity.lastRotated,
+    };
+    await (0, promises_1.writeFile)(identityPath, JSON.stringify(renamedIdentity, null, 2), {
+        mode: 0o600,
+    });
+    console.log(`✅ Renamed keyId field to kid`);
+    return true;
+}
+/**
+ * Generate multibase-encoded key identifier (z-prefix base58btc)
+ */
+function generateMultibaseKid(base64PublicKey) {
+    const publicKeyBytes = Buffer.from(base64PublicKey, "base64");
+    // Ed25519 public key prefix (0xed01) + key bytes
+    const prefixedKey = Buffer.concat([
+        Buffer.from([0xed, 0x01]), // Ed25519 multicodec prefix
+        publicKeyBytes,
+    ]);
+    // Convert to base58btc
+    const base58 = encodeBase58(prefixedKey);
+    return `z${base58}`; // 'z' prefix indicates base58btc
+}
+/**
+ * Simple base58 encoding
+ */
+function encodeBase58(buffer) {
+    const alphabet = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
+    let num = BigInt("0x" + buffer.toString("hex"));
+    let result = "";
+    while (num > 0n) {
+        const remainder = num % 58n;
+        result = alphabet[Number(remainder)] + result;
+        num = num / 58n;
+    }
+    // Handle leading zeros
+    for (let i = 0; i < buffer.length && buffer[i] === 0; i++) {
+        result = "1" + result;
+    }
+    return result;
+}
+// CLI usage
+if (require.main === module) {
+    const args = process.argv.slice(2);
+    if (args.length !== 1) {
+        console.error("Usage: ts-node migrate-identity.ts <path-to-identity.json>");
+        process.exit(1);
+    }
+    migrateIdentityFile(args[0])
+        .then((migrated) => {
+        process.exit(migrated ? 0 : 1);
+    })
+        .catch((error) => {
+        console.error("Migration failed:", error.message);
+        process.exit(1);
+    });
+}

package/dist/runtime/proof.js

@@ -30,7 +30,7 @@ class ProofGenerator {
         // Create proof metadata
         const meta = {
             did: this.identity.did,
-            kid: this.identity.keyId,
+            kid: this.identity.kid,
             ts: Math.floor(Date.now() / 1000),
             nonce: session.nonce,
             audience: session.audience,
@@ -118,7 +118,7 @@ class ProofGenerator {
             const jwt = await new jose_1.SignJWT(payload)
                 .setProtectedHeader({
                 alg: "EdDSA",
-                kid: this.identity.keyId,
+                kid: this.identity.kid,
             })
                 .sign(privateKey);
             // Return full compact JWS (NOT detached)