@kya-os/mcp-i 1.5.9-canary.8 → 1.5.9-canary.9

package/dist/runtime/audit.d.ts

@@ -257,6 +257,38 @@ export interface AuditContext {
      */
     scopeId?: string;
 }
+/**
+ * Event context for logging events that bypass session deduplication
+ *
+ * Used for consent events where multiple events occur in the same session.
+ * Unlike AuditContext, this allows multiple events per session.
+ */
+export interface AuditEventContext {
+    /**
+     * Event type identifier
+     *
+     * @example "consent:page_viewed", "consent:approved", "runtime:initialized"
+     */
+    eventType: string;
+    /**
+     * Agent identity
+     *
+     * Only `did` and `keyId` are logged. Private key is NEVER logged.
+     */
+    identity: AgentIdentity;
+    /**
+     * Session context
+     *
+     * Only `sessionId` and `audience` are logged. Nonce is NEVER logged.
+     */
+    session: SessionContext;
+    /**
+     * Optional event-specific data
+     *
+     * Used for generating event hash. Not logged directly.
+     */
+    eventData?: Record<string, any>;
+}
 /**
  * Audit logger class with event-driven rotation support
  *
@@ -291,6 +323,23 @@ export declare class AuditLogger {
      * 4. Triggers rotation hooks if threshold met
      */
     logAuditRecord(context: AuditContext): Promise<void>;
+    /**
+     * Log an event using the frozen audit format WITHOUT session deduplication.
+     *
+     * Unlike logAuditRecord(), this method ALWAYS logs the event, regardless
+     * of whether an event has already been logged for this session. This is
+     * necessary for consent events where multiple events occur in the same session.
+     *
+     * The event still uses the frozen audit.v1 format for consistency, but
+     * bypasses the "once per session" constraint.
+     *
+     * @param context - Event context including eventType, identity, session, and eventData
+     */
+    logEvent(context: AuditEventContext): Promise<void>;
+    /**
+     * Generate deterministic hash for event
+     */
+    private hashEvent;
     /**
      * Format audit record as frozen audit line
      * Format: audit.v1 ts=<unix> session=<id> audience=<host> did=<did> kid=<kid> reqHash=<sha256:..> resHash=<sha256:..> verified=yes|no scope=<scopeId|->

package/dist/runtime/audit.js

@@ -47,6 +47,7 @@ exports.logKeyRotationAudit = logKeyRotationAudit;
 exports.parseAuditLine = parseAuditLine;
 exports.validateAuditRecord = validateAuditRecord;
 const time_1 = require("./utils/time");
+const crypto_1 = require("crypto");
 /**
  * Audit logger class with event-driven rotation support
  *
@@ -133,6 +134,63 @@ class AuditLogger {
         // Check if rotation is needed (event-driven)
         await this.checkRotation();
     }
+    /**
+     * Log an event using the frozen audit format WITHOUT session deduplication.
+     *
+     * Unlike logAuditRecord(), this method ALWAYS logs the event, regardless
+     * of whether an event has already been logged for this session. This is
+     * necessary for consent events where multiple events occur in the same session.
+     *
+     * The event still uses the frozen audit.v1 format for consistency, but
+     * bypasses the "once per session" constraint.
+     *
+     * @param context - Event context including eventType, identity, session, and eventData
+     */
+    async logEvent(context) {
+        if (this.destroyed) {
+            throw new Error("AuditLogger has been destroyed");
+        }
+        if (!this.config.enabled) {
+            return;
+        }
+        // Generate event hash
+        const eventHash = this.hashEvent(context.eventType, context.eventData);
+        // Create audit record (same format as regular audit logs)
+        const auditRecord = {
+            version: "audit.v1",
+            ts: Math.floor(Date.now() / 1000),
+            session: context.session.sessionId,
+            audience: context.session.audience,
+            did: context.identity.did,
+            kid: context.identity.kid,
+            reqHash: `sha256:${eventHash}`,
+            resHash: `sha256:${eventHash}`, // Same hash for events
+            verified: "yes",
+            scope: context.eventType, // Use eventType as scope
+        };
+        // Format and log (NO session deduplication check)
+        const auditLine = this.formatAuditLine(auditRecord);
+        // Track size and count
+        const sizeBytes = Buffer.byteLength(auditLine, "utf8");
+        this.currentLogSize += sizeBytes;
+        this.totalRecordsLogged++;
+        // Emit audit record
+        this.config.logFunction(auditLine);
+        // Check rotation
+        await this.checkRotation();
+    }
+    /**
+     * Generate deterministic hash for event
+     */
+    hashEvent(type, data) {
+        const content = JSON.stringify({
+            type,
+            data,
+            ts: Date.now(),
+            nonce: (0, crypto_1.randomBytes)(16).toString('hex')
+        });
+        return (0, crypto_1.createHash)('sha256').update(content).digest('hex');
+    }
     /**
      * Format audit record as frozen audit line
      * Format: audit.v1 ts=<unix> session=<id> audience=<host> did=<did> kid=<kid> reqHash=<sha256:..> resHash=<sha256:..> verified=yes|no scope=<scopeId|->

package/dist/runtime/index.d.ts

@@ -10,7 +10,7 @@ export { RuntimeFactory, RUNTIME_ERRORS, type MCPIRuntimeConfig, type RuntimeEnv
 export { IdentityManager, defaultIdentityManager, ensureIdentity, IDENTITY_ERRORS, type AgentIdentity, type DevIdentityFile, type ProdEnvironment, type RuntimeIdentityManagerConfig, } from "./identity";
 export { SessionManager, defaultSessionManager, createHandshakeRequest, validateHandshakeFormat, type SessionConfig, type HandshakeResult, } from "./session";
 export { ProofGenerator, createProofResponse, extractCanonicalData, type ToolRequest, type ToolResponse, type ProofOptions, } from "./proof";
-export { AuditLogger, defaultAuditLogger, logKeyRotationAudit, parseAuditLine, validateAuditRecord, type AuditConfig, type AuditContext, type KeyRotationAuditContext, } from "./audit";
+export { AuditLogger, defaultAuditLogger, logKeyRotationAudit, parseAuditLine, validateAuditRecord, type AuditConfig, type AuditContext, type AuditEventContext, type KeyRotationAuditContext, } from "./audit";
 export { WellKnownManager, createWellKnownHandler, validateDIDDocument, validateAgentDocument, extractDIDFromPath, type DIDDocument, type VerificationMethod, type ServiceEndpoint, type AgentDocument, type WellKnownConfig, type WellKnownHandler, } from "./well-known";
 export { DebugManager, createDebugEndpoint, type DebugVerificationResult, type DebugPageData, } from "./debug";
 export { DemoManager, createDemoManager, DemoConsole, formatVerifyLink, type DemoConfig, } from "./demo";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@kya-os/mcp-i",
-  "version": "1.5.9-canary.8",
+  "version": "1.5.9-canary.9",
   "description": "The TypeScript MCP framework with identity features built-in",
   "type": "commonjs",
   "main": "dist/index.js",
@@ -35,6 +35,11 @@
       "require": "./dist/config.js",
       "import": "./dist/config.js",
       "types": "./dist/config.d.ts"
+    },
+    "./runtime": {
+      "require": "./dist/runtime/index.js",
+      "import": "./dist/runtime/index.js",
+      "types": "./dist/runtime/index.d.ts"
     }
   },
   "files": [
@@ -58,8 +63,8 @@
     "model-context-protocol"
   ],
   "dependencies": {
-    "@kya-os/contracts": "^1.5.3-canary.5",
-    "@kya-os/mcp-i-core": "^1.2.2-canary.6",
+    "@kya-os/contracts": "^1.5.3-canary.6",
+    "@kya-os/mcp-i-core": "^1.2.2-canary.7",
     "@modelcontextprotocol/sdk": "^1.11.4",
     "@swc/core": "^1.11.24",
     "@types/express": "^5.0.1",