@kya-os/mcp-i 1.5.5 → 1.5.6-canary.0

package/dist/runtime/delegation-verifier-agentshield.d.ts

@@ -20,8 +20,8 @@
  * Related: PHASE_1_XMCP_I_SERVER.md Ticket 1.3
  * Related: AGENTSHIELD_DASHBOARD_PLAN.md Epic 2 (Public API)
  */
-import { DelegationRecord } from '@kya-os/contracts/delegation';
-import { DelegationVerifier, DelegationVerifierConfig, VerifyDelegationResult, VerifyDelegationOptions } from './delegation-verifier';
+import { DelegationRecord } from "@kya-os/contracts/delegation";
+import { DelegationVerifier, DelegationVerifierConfig, VerifyDelegationResult, VerifyDelegationOptions } from "./delegation-verifier";
 /**
  * AgentShield API Delegation Verifier
  *

package/dist/runtime/delegation-verifier-agentshield.js

@@ -24,6 +24,7 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.AgentShieldAPIDelegationVerifier = void 0;
 const delegation_1 = require("@kya-os/contracts/delegation");
+const agentshield_api_1 = require("@kya-os/contracts/agentshield-api");
 const delegation_verifier_1 = require("./delegation-verifier");
 /**
  * Simple in-memory cache (same as KV verifier)
@@ -62,6 +63,7 @@ class DelegationCache {
         this.cache.clear();
     }
 }
+// Use standard AgentShield API response types from contracts
 /**
  * AgentShield API Delegation Verifier
  *
@@ -75,9 +77,9 @@ class AgentShieldAPIDelegationVerifier {
     debug;
     constructor(config) {
         if (!config.agentshield?.apiUrl || !config.agentshield?.apiKey) {
-            throw new Error('AgentShieldAPIDelegationVerifier requires agentshield.apiUrl and agentshield.apiKey in config');
+            throw new Error("AgentShieldAPIDelegationVerifier requires agentshield.apiUrl and agentshield.apiKey in config");
         }
-        this.apiUrl = config.agentshield.apiUrl.replace(/\/$/, ''); // Remove trailing slash
+        this.apiUrl = config.agentshield.apiUrl.replace(/\/$/, ""); // Remove trailing slash
         this.apiKey = config.agentshield.apiKey;
         this.cache = new DelegationCache();
         this.cacheTtl = config.cacheTtl || 60_000; // Default 1 minute
@@ -87,6 +89,18 @@ class AgentShieldAPIDelegationVerifier {
      * Verify agent delegation via API
      */
     async verify(agentDid, scopes, options) {
+        // Validate inputs
+        const validation = delegation_verifier_1.VerifyDelegationInputSchema.safeParse({
+            agentDid,
+            scopes,
+            options,
+        });
+        if (!validation.success) {
+            return {
+                valid: false,
+                reason: `Invalid request: ${validation.error.errors.map((e) => `${e.path.join(".")}: ${e.message}`).join(", ")}`,
+            };
+        }
         const startTime = Date.now();
         // Build cache key
         const scopesKey = this.buildScopesKey(scopes);
@@ -106,79 +120,104 @@ class AgentShieldAPIDelegationVerifier {
             console.log(`[AgentShield] Cache MISS for ${agentDid}, calling API...`);
         }
         try {
+            // Validate request input using contracts schema
+            const requestBody = agentshield_api_1.verifyDelegationRequestSchema.parse({
+                agent_did: agentDid,
+                scopes,
+            });
             // Use the correct AgentShield bouncer API endpoint
             const response = await fetch(`${this.apiUrl}/api/v1/bouncer/delegations/verify`, {
-                method: 'POST',
+                method: "POST",
                 headers: {
-                    'Content-Type': 'application/json',
-                    'Authorization': `Bearer ${this.apiKey}`,
+                    "Content-Type": "application/json",
+                    Authorization: `Bearer ${this.apiKey}`,
                 },
-                body: JSON.stringify({
-                    agent_did: agentDid, // AgentShield uses snake_case
-                    scopes,
-                }),
+                body: JSON.stringify(requestBody),
             });
             if (!response.ok) {
-                // Handle API errors
+                // Handle API errors using standard error format
                 if (response.status === 404) {
                     const result = {
                         valid: false,
-                        reason: 'No delegation found',
+                        reason: "No delegation found",
                         cached: false,
                     };
                     this.cache.set(cacheKey, result, this.cacheTtl / 2);
                     return result;
                 }
                 if (response.status === 401 || response.status === 403) {
-                    throw new Error(`AgentShield API authentication failed: ${response.status}`);
+                    const error = {
+                        error: "authentication_failed",
+                        message: `AgentShield API authentication failed: ${response.status}`,
+                        httpStatus: response.status,
+                    };
+                    throw new agentshield_api_1.AgentShieldAPIError(error.error, error.message, error.details);
                 }
-                throw new Error(`AgentShield API error: ${response.status} ${response.statusText}`);
-            }
-            // AgentShield wraps response in success/data structure
-            const response_body = await response.json();
-            const data = response_body.data || response_body;
-            // AgentShield returns either valid with credential or error
-            let result;
-            if (data.valid && data.credential) {
-                // For valid delegations, we only need to return that it's valid
-                // The delegation details are not needed for the verification flow
-                result = {
-                    valid: true,
-                    // Only return delegation if it's in the correct format
-                    delegation: data.delegation, // This will be undefined if not provided
-                    reason: undefined,
-                    cached: false,
-                };
-            }
-            else if (data.error) {
-                result = {
-                    valid: false,
-                    reason: data.error.message || data.error.code || 'Delegation not valid',
-                    cached: false,
+                const error = {
+                    error: "api_error",
+                    message: `AgentShield API error: ${response.status} ${response.statusText}`,
+                    httpStatus: response.status,
                 };
+                throw new agentshield_api_1.AgentShieldAPIError(error.error, error.message, error.details);
             }
-            else {
-                result = {
-                    valid: data.valid || false,
+            // Validate response using standard AgentShield API response schema
+            const responseBody = await response.json();
+            const parsedResponse = agentshield_api_1.verifyDelegationAPIResponseSchema.safeParse(responseBody);
+            if (!parsedResponse.success) {
+                // If response doesn't match standard wrapper, try direct data format
+                const directData = agentshield_api_1.verifyDelegationResponseSchema.safeParse(responseBody);
+                if (!directData.success) {
+                    throw new agentshield_api_1.AgentShieldAPIError("invalid_response", "AgentShield API returned invalid response format", { validationErrors: parsedResponse.error.errors });
+                }
+                // Use direct data format (backward compatibility)
+                const data = directData.data;
+                const result = {
+                    valid: data.valid,
                     delegation: data.delegation,
-                    reason: data.reason || 'Unknown error',
+                    reason: data.reason,
                     cached: false,
                 };
+                const ttl = data.valid ? this.cacheTtl : this.cacheTtl / 2;
+                this.cache.set(cacheKey, result, ttl);
+                return result;
             }
+            // Standard wrapped response format
+            const wrappedResponse = parsedResponse.data;
+            const data = wrappedResponse.data;
+            // Build result from validated response
+            const result = {
+                valid: data.valid,
+                delegation: data.delegation,
+                reason: data.error ? data.error.message : data.reason,
+                cached: false,
+            };
             // Cache result
             const ttl = data.valid ? this.cacheTtl : this.cacheTtl / 2;
             this.cache.set(cacheKey, result, ttl);
             if (this.debug) {
-                console.log(`[AgentShield] Delegation ${data.valid ? 'verified' : 'rejected'} (${Date.now() - startTime}ms)`);
+                console.log(`[AgentShield] Delegation ${data.valid ? "verified" : "rejected"} (${Date.now() - startTime}ms)`);
             }
             return result;
         }
         catch (error) {
-            console.error('[AgentShield] API call failed:', error);
+            console.error("[AgentShield] API call failed:", error);
             // Return negative result on error (don't cache failures)
+            // Use standard error format
+            if (error instanceof agentshield_api_1.AgentShieldAPIError) {
+                return {
+                    valid: false,
+                    reason: error.message,
+                    cached: false,
+                };
+            }
+            const runtimeError = {
+                error: "api_error",
+                message: error instanceof Error ? error.message : "Unknown error",
+                httpStatus: 500,
+            };
             return {
                 valid: false,
-                reason: `API error: ${error instanceof Error ? error.message : 'Unknown error'}`,
+                reason: runtimeError.message,
                 cached: false,
             };
         }
@@ -187,16 +226,12 @@ class AgentShieldAPIDelegationVerifier {
      * Get delegation by ID via API
      */
     async get(delegationId) {
-        const cacheKey = `delegation:${delegationId}`;
-        // Check cache
-        const cached = this.cache.get(cacheKey);
-        if (cached)
-            return cached;
+        // Fetch from API (no caching - cache is for verification results only)
         try {
             const response = await fetch(`${this.apiUrl}/api/v1/bouncer/delegations/${delegationId}`, {
-                method: 'GET',
+                method: "GET",
                 headers: {
-                    'Authorization': `Bearer ${this.apiKey}`,
+                    Authorization: `Bearer ${this.apiKey}`,
                 },
             });
             if (!response.ok) {
@@ -207,16 +242,13 @@ class AgentShieldAPIDelegationVerifier {
             const data = await response.json();
             const parsed = delegation_1.DelegationRecordSchema.safeParse(data);
             if (!parsed.success) {
-                console.error('[AgentShield] Invalid delegation in API response:', parsed.error);
+                console.error("[AgentShield] Invalid delegation in API response:", parsed.error);
                 return null;
             }
-            const delegation = parsed.data;
-            // Cache it
-            this.cache.set(cacheKey, delegation, this.cacheTtl);
-            return delegation;
+            return parsed.data;
         }
         catch (error) {
-            console.error('[AgentShield] Failed to get delegation:', error);
+            console.error("[AgentShield] Failed to get delegation:", error);
             return null;
         }
     }
@@ -234,10 +266,10 @@ class AgentShieldAPIDelegationVerifier {
         }
         try {
             const response = await fetch(`${this.apiUrl}/api/v1/bouncer/delegations`, {
-                method: 'POST',
+                method: "POST",
                 headers: {
-                    'Content-Type': 'application/json',
-                    'Authorization': `Bearer ${this.apiKey}`,
+                    "Content-Type": "application/json",
+                    Authorization: `Bearer ${this.apiKey}`,
                 },
                 body: JSON.stringify(delegation),
             });
@@ -254,7 +286,7 @@ class AgentShieldAPIDelegationVerifier {
             }
         }
         catch (error) {
-            console.error('[AgentShield] Failed to store delegation:', error);
+            console.error("[AgentShield] Failed to store delegation:", error);
             throw error;
         }
     }
@@ -264,10 +296,10 @@ class AgentShieldAPIDelegationVerifier {
     async revoke(delegationId, reason) {
         try {
             const response = await fetch(`${this.apiUrl}/api/v1/bouncer/delegations/${delegationId}/revoke`, {
-                method: 'POST',
+                method: "POST",
                 headers: {
-                    'Content-Type': 'application/json',
-                    'Authorization': `Bearer ${this.apiKey}`,
+                    "Content-Type": "application/json",
+                    Authorization: `Bearer ${this.apiKey}`,
                 },
                 body: JSON.stringify({ reason }),
             });
@@ -281,7 +313,7 @@ class AgentShieldAPIDelegationVerifier {
             }
         }
         catch (error) {
-            console.error('[AgentShield] Failed to revoke delegation:', error);
+            console.error("[AgentShield] Failed to revoke delegation:", error);
             throw error;
         }
     }
@@ -296,7 +328,7 @@ class AgentShieldAPIDelegationVerifier {
      */
     buildScopesKey(scopes) {
         const sorted = [...scopes].sort();
-        const str = sorted.join(',');
+        const str = sorted.join(",");
         let hash = 0;
         for (let i = 0; i < str.length; i++) {
             const char = str.charCodeAt(i);

package/dist/runtime/delegation-verifier-kv.js

@@ -20,6 +20,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.CloudflareKVDelegationVerifier = void 0;
 const delegation_1 = require("@kya-os/contracts/delegation");
 const delegation_verifier_1 = require("./delegation-verifier");
+const delegation_verifier_2 = require("./delegation-verifier");
 /**
  * Simple in-memory LRU cache for delegation lookups
  */
@@ -65,7 +66,7 @@ class DelegationCache {
  * Self-hosted mode: Stores delegations in local Cloudflare KV namespace
  */
 class CloudflareKVDelegationVerifier {
-    kv; // KVNamespace from @cloudflare/workers-types
+    kv;
     cache;
     cacheTtl;
     debug;
@@ -82,6 +83,14 @@ class CloudflareKVDelegationVerifier {
      * Verify agent delegation
      */
     async verify(agentDid, scopes, options) {
+        // Validate inputs
+        const validation = delegation_verifier_2.VerifyDelegationInputSchema.safeParse({ agentDid, scopes, options });
+        if (!validation.success) {
+            return {
+                valid: false,
+                reason: `Invalid request: ${validation.error.errors.map(e => `${e.path.join('.')}: ${e.message}`).join(', ')}`,
+            };
+        }
         const startTime = Date.now();
         // Build cache key from agent DID + sorted scopes
         const scopesKey = this.buildScopesKey(scopes);
@@ -118,7 +127,7 @@ class CloudflareKVDelegationVerifier {
         // Try each delegation to find one that matches the requested scopes
         let matchingDelegation = null;
         for (const key of listResult.keys) {
-            const delegationId = await this.kv.get(key.name, 'text');
+            const delegationId = await this.kv.get(key.name);
             if (!delegationId)
                 continue;
             const delegation = await this.get(delegationId);
@@ -147,12 +156,12 @@ class CloudflareKVDelegationVerifier {
         }
         const delegation = matchingDelegation;
         // Validate delegation
-        const validation = (0, delegation_verifier_1.validateDelegation)(delegation);
-        if (!validation.valid) {
+        const delegationValidation = (0, delegation_verifier_1.validateDelegation)(delegation);
+        if (!delegationValidation.valid) {
             const result = {
                 valid: false,
                 delegation,
-                reason: validation.reason,
+                reason: delegationValidation.reason,
                 cached: false,
             };
             this.cache.set(cacheKey, result, this.cacheTtl / 2);
@@ -188,14 +197,9 @@ class CloudflareKVDelegationVerifier {
      * Get delegation by ID
      */
     async get(delegationId) {
-        const cacheKey = `delegation:${delegationId}`;
-        // Check cache
-        const cached = this.cache.get(cacheKey);
-        if (cached)
-            return cached;
-        // Fetch from KV
+        // Fetch from KV (no caching - cache is for verification results only)
         const kvKey = `delegation:${delegationId}`;
-        const raw = await this.kv.get(kvKey, 'text');
+        const raw = await this.kv.get(kvKey);
         if (!raw)
             return null;
         try {
@@ -205,10 +209,7 @@ class CloudflareKVDelegationVerifier {
                 console.error('[KV] Invalid delegation record:', parsed.error);
                 return null;
             }
-            const delegation = parsed.data;
-            // Cache it
-            this.cache.set(cacheKey, delegation, this.cacheTtl);
-            return delegation;
+            return parsed.data;
         }
         catch (error) {
             console.error('[KV] Failed to parse delegation:', error);

package/dist/runtime/delegation-verifier-memory.js

@@ -32,6 +32,14 @@ class MemoryDelegationVerifier {
      * Verify agent delegation
      */
     async verify(agentDid, scopes, _options) {
+        // Validate inputs
+        const validation = delegation_verifier_1.VerifyDelegationInputSchema.safeParse({ agentDid, scopes, options: _options });
+        if (!validation.success) {
+            return {
+                valid: false,
+                reason: `Invalid request: ${validation.error.errors.map(e => `${e.path.join('.')}: ${e.message}`).join(', ')}`,
+            };
+        }
         // Find all delegations for this agent
         const delegationIds = this.agentIndex.get(agentDid);
         if (!delegationIds || delegationIds.size === 0) {

package/dist/runtime/delegation-verifier.d.ts

@@ -12,6 +12,7 @@
  * Related: PHASE_1_XMCP_I_SERVER.md Epic 1 (Delegation Storage Layer)
  */
 import { DelegationRecord } from '@kya-os/contracts/delegation';
+import { z } from 'zod';
 /**
  * Result of delegation verification
  */
@@ -103,6 +104,37 @@ export declare function validateDelegation(delegation: DelegationRecord): {
     valid: boolean;
     reason?: string;
 };
+/**
+ * Validation schema for verify method inputs
+ */
+export declare const VerifyDelegationInputSchema: z.ZodObject<{
+    agentDid: z.ZodString;
+    scopes: z.ZodArray<z.ZodString, "many">;
+    options: z.ZodOptional<z.ZodObject<{
+        skipCache: z.ZodOptional<z.ZodBoolean>;
+        maxCacheAge: z.ZodOptional<z.ZodNumber>;
+    }, "strip", z.ZodTypeAny, {
+        skipCache?: boolean | undefined;
+        maxCacheAge?: number | undefined;
+    }, {
+        skipCache?: boolean | undefined;
+        maxCacheAge?: number | undefined;
+    }>>;
+}, "strip", z.ZodTypeAny, {
+    scopes: string[];
+    agentDid: string;
+    options?: {
+        skipCache?: boolean | undefined;
+        maxCacheAge?: number | undefined;
+    } | undefined;
+}, {
+    scopes: string[];
+    agentDid: string;
+    options?: {
+        skipCache?: boolean | undefined;
+        maxCacheAge?: number | undefined;
+    } | undefined;
+}>;
 /**
  * Configuration for delegation verifiers
  */
@@ -110,7 +142,18 @@ export interface DelegationVerifierConfig {
     /** Verifier type */
     type: 'cloudflare-kv' | 'agentshield-api' | 'memory';
     /** Cloudflare KV namespace (for cloudflare-kv type) */
-    kvNamespace?: any;
+    kvNamespace?: {
+        get(key: string): Promise<string | null>;
+        put(key: string, value: string): Promise<void>;
+        delete(key: string): Promise<void>;
+        list(options?: {
+            prefix?: string;
+        }): Promise<{
+            keys: Array<{
+                name: string;
+            }>;
+        }>;
+    };
     /** AgentShield API configuration (for agentshield-api type) */
     agentshield?: {
         apiUrl: string;
@@ -127,6 +170,11 @@ export interface DelegationVerifierConfig {
  * Note: We import all adapters statically for better compatibility.
  * Tree-shaking will remove unused adapters in production builds.
  *
+ * Note: AgentShield API responses use standard wrapper format
+ * { success: boolean, data: {...}, metadata?: {...} } as defined in
+ * @kya-os/contracts/agentshield-api. This is handled in the
+ * AgentShieldAPIDelegationVerifier implementation.
+ *
  * @param config - Verifier configuration
  * @returns DelegationVerifier instance
  */

package/dist/runtime/delegation-verifier.js

@@ -13,11 +13,13 @@
  * Related: PHASE_1_XMCP_I_SERVER.md Epic 1 (Delegation Storage Layer)
  */
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.VerifyDelegationInputSchema = void 0;
 exports.extractScopes = extractScopes;
 exports.checkScopes = checkScopes;
 exports.validateDelegation = validateDelegation;
 exports.createDelegationVerifier = createDelegationVerifier;
 const delegation_1 = require("@kya-os/contracts/delegation");
+const zod_1 = require("zod");
 /**
  * Helper: Extract scopes from delegation (handles both simple and CRISP formats)
  *
@@ -76,32 +78,56 @@ function validateDelegation(delegation) {
     }
     return { valid: true };
 }
+/**
+ * Validation schema for verify method inputs
+ */
+exports.VerifyDelegationInputSchema = zod_1.z.object({
+    agentDid: zod_1.z.string().min(1),
+    scopes: zod_1.z.array(zod_1.z.string()).min(1),
+    options: zod_1.z.object({
+        skipCache: zod_1.z.boolean().optional(),
+        maxCacheAge: zod_1.z.number().int().positive().optional(),
+    }).optional(),
+});
 /**
  * Factory: Create delegation verifier based on config
  *
  * Note: We import all adapters statically for better compatibility.
  * Tree-shaking will remove unused adapters in production builds.
  *
+ * Note: AgentShield API responses use standard wrapper format
+ * { success: boolean, data: {...}, metadata?: {...} } as defined in
+ * @kya-os/contracts/agentshield-api. This is handled in the
+ * AgentShieldAPIDelegationVerifier implementation.
+ *
  * @param config - Verifier configuration
  * @returns DelegationVerifier instance
  */
 function createDelegationVerifier(config) {
-    // Import adapters dynamically to avoid circular dependencies
-    // but keep them in the same file scope
-    let CloudflareKVDelegationVerifier;
-    let AgentShieldAPIDelegationVerifier;
-    let MemoryDelegationVerifier;
     switch (config.type) {
-        case 'cloudflare-kv':
-            CloudflareKVDelegationVerifier = require('./delegation-verifier-kv').CloudflareKVDelegationVerifier;
+        case 'cloudflare-kv': {
+            const CloudflareKVDelegationVerifier = require('./delegation-verifier-kv').CloudflareKVDelegationVerifier;
             return new CloudflareKVDelegationVerifier(config);
-        case 'agentshield-api':
-            AgentShieldAPIDelegationVerifier = require('./delegation-verifier-agentshield').AgentShieldAPIDelegationVerifier;
+        }
+        case 'agentshield-api': {
+            const AgentShieldAPIDelegationVerifier = require('./delegation-verifier-agentshield').AgentShieldAPIDelegationVerifier;
             return new AgentShieldAPIDelegationVerifier(config);
-        case 'memory':
-            MemoryDelegationVerifier = require('./delegation-verifier-memory').MemoryDelegationVerifier;
+        }
+        case 'memory': {
+            const MemoryDelegationVerifier = require('./delegation-verifier-memory').MemoryDelegationVerifier;
             return new MemoryDelegationVerifier(config);
+        }
         default:
-            throw new Error(`Unknown delegation verifier type: ${config.type}`);
+            const configType = 'type' in config ? config.type : 'unknown';
+            // Use RuntimeError format from @kya-os/contracts/runtime/errors
+            const runtimeError = {
+                error: 'invalid_config',
+                message: `Unknown delegation verifier type: ${configType}`,
+                httpStatus: 500,
+            };
+            // Create Error object that can be checked with RuntimeErrorSchema
+            const error = new Error(runtimeError.message);
+            Object.assign(error, runtimeError);
+            throw error;
     }
 }