@kya-os/mcp-i 1.7.13 → 1.10.0

package/dist/runtime/mcpi-runtime.d.ts

@@ -82,6 +82,8 @@ export interface MCPIRuntimeConfig {
             kta?: {
                 apiUrl: string;
                 apiKey?: string;
+                /** API format: 'kta' (default, GET /api/v1/reputation/{did}) or 'argus' (POST /v1/reputation/{did}) */
+                apiFormat?: 'kta' | 'argus';
             };
             /** Minimum reputation score to bypass authorization (0-100) */
             minReputationScore?: number;
@@ -144,6 +146,8 @@ export declare class MCPIRuntime {
     processToolCall(request: ToolRequest, session: SessionContext, toolHandler: (request: ToolRequest) => Promise<any>, options?: {
         scopeId?: string;
         delegationRef?: string;
+        delegationChain?: string;
+        delegationScopes?: string[];
         requiresDelegation?: boolean;
         requiredScopes?: string[];
         agentDid?: string;

package/dist/runtime/mcpi-runtime.js

@@ -17,8 +17,10 @@ const debug_1 = require("./debug");
 const demo_1 = require("./demo");
 const delegation_verifier_1 = require("./delegation-verifier");
 const auth_handshake_1 = require("./auth-handshake");
+const request_context_1 = require("./request-context");
 const tool_protection_1 = require("./tool-protection");
 const tool_protection_registry_1 = require("./tool-protection-registry");
+const mcp_i_core_1 = require("@kya-os/mcp-i-core");
 /**
  * XMCP-I Runtime class
  */
@@ -195,55 +197,68 @@ class MCPIRuntime {
                 }
                 return verifyResult.authError;
             }
-            // If authorized, log the delegation ID for audit trail
+            // If authorized, capture delegation metadata for outbound header propagation
             if (verifyResult.delegation) {
                 options.delegationRef = verifyResult.delegation.id;
+                options.delegationChain = (0, mcp_i_core_1.buildChainString)(verifyResult.delegation);
+                options.delegationScopes = options.requiredScopes ?? [];
+                const identity = await this.identityManager.ensureIdentity();
+                (0, request_context_1.setDelegationContextFromIdentity)({
+                    delegationId: options.delegationRef,
+                    delegationChain: options.delegationChain,
+                    delegationScopes: options.delegationScopes,
+                    identity,
+                });
             }
         }
-        try {
-            // Execute the tool (only if delegation check passed)
-            let data = await toolHandler(request);
-            // Add identity badge if enabled
-            if (this.demoManager?.isIdentityBadgeEnabled()) {
-                data = this.demoManager.addIdentityBadgeToResponse(data);
+        // Capture before async boundary — TS narrowing doesn't survive across async callbacks
+        const cachedIdentity = this.cachedIdentity;
+        return (0, request_context_1.runWithContext)({ session: session ?? undefined }, async () => {
+            try {
+                // Execute the tool (only if delegation check passed)
+                let data = await toolHandler(request);
+                // Add identity badge if enabled
+                if (this.demoManager?.isIdentityBadgeEnabled()) {
+                    data = this.demoManager.addIdentityBadgeToResponse(data);
+                }
+                // Create response with proof
+                const proofOptions = {
+                    ...options,
+                    ...(session && session.clientDid
+                        ? { clientDid: session.clientDid }
+                        : {}),
+                };
+                const response = await (0, proof_1.createProofResponse)(request, data, cachedIdentity, session, proofOptions);
+                // Update debug state with latest proof
+                if (this.debugManager && response.meta?.proof) {
+                    this.debugManager.updateDebugState(response.meta.proof, session);
+                }
+                // Log audit record (first call per session)
+                const auditContext = {
+                    identity: cachedIdentity,
+                    session,
+                    requestHash: response.meta.proof.meta.requestHash,
+                    responseHash: response.meta.proof.meta.responseHash,
+                    verified: "yes",
+                    scopeId: options.scopeId,
+                };
+                await this.auditLogger.logAuditRecord(auditContext);
+                return response;
             }
-            // Create response with proof
-            const proofOptions = {
-                ...options,
-                ...(session && session.clientDid
-                    ? { clientDid: session.clientDid }
-                    : {}),
-            };
-            const response = await (0, proof_1.createProofResponse)(request, data, this.cachedIdentity, session, proofOptions);
-            // Update debug state with latest proof
-            if (this.debugManager && response.meta?.proof) {
-                this.debugManager.updateDebugState(response.meta.proof, session);
+            catch (error) {
+                // Log failed audit record
+                const auditContext = {
+                    identity: cachedIdentity,
+                    session,
+                    requestHash: "sha256:error",
+                    responseHash: "sha256:error",
+                    verified: "no",
+                    scopeId: options.scopeId,
+                };
+                await this.auditLogger.logAuditRecord(auditContext);
+                throw error;
             }
-            // Log audit record (first call per session)
-            const auditContext = {
-                identity: this.cachedIdentity,
-                session,
-                requestHash: response.meta.proof.meta.requestHash,
-                responseHash: response.meta.proof.meta.responseHash,
-                verified: "yes",
-                scopeId: options.scopeId,
-            };
-            await this.auditLogger.logAuditRecord(auditContext);
-            return response;
-        }
-        catch (error) {
-            // Log failed audit record
-            const auditContext = {
-                identity: this.cachedIdentity,
-                session,
-                requestHash: "sha256:error",
-                responseHash: "sha256:error",
-                verified: "no",
-                scopeId: options.scopeId,
-            };
-            await this.auditLogger.logAuditRecord(auditContext);
-            throw error;
-        }
+        }); // end runWithContext
     }
     /**
      * Get well-known endpoint handler

package/dist/runtime/outbound-delegation.d.ts

@@ -0,0 +1,34 @@
+/**
+ * Outbound Delegation Header Injection
+ *
+ * Wraps globalThis.fetch to inject delegation proof headers on outbound
+ * HTTP requests made during delegated tool handler execution.
+ *
+ * Reads delegation context from AsyncLocalStorage (via getContext()),
+ * builds a signed Ed25519 JWT, and injects:
+ *   KYA-Delegation-Id, KYA-Delegation-Chain, KYA-Delegation-Proof, KYA-Granted-Scopes
+ *
+ * Behavior:
+ * - Skips injection for internal hostnames (localhost, *.vouched.id, Fly IPs)
+ * - On signing failure: logs warning, continues WITHOUT delegation headers
+ * - Anonymous/non-delegated calls: no headers injected
+ *
+ * Related Spec: MCP-I §2 — Outbound Delegation Propagation
+ */
+interface Logger {
+    debug: (msg: string, meta?: Record<string, unknown>) => void;
+    warn: (msg: string, meta?: Record<string, unknown>) => void;
+}
+/**
+ * Determine if a URL is an internal request that should not carry
+ * delegation headers. Matches the same guard as the compute interceptor.
+ */
+export declare function isInternalDelegationTarget(urlString: string): boolean;
+/**
+ * Install the delegation header interceptor on globalThis.fetch.
+ * Returns a teardown function that restores the original fetch.
+ *
+ * Idempotent — calling multiple times is safe.
+ */
+export declare function installDelegationInterceptor(logger?: Logger): () => void;
+export {};

package/dist/runtime/outbound-delegation.js

@@ -0,0 +1,134 @@
+"use strict";
+/**
+ * Outbound Delegation Header Injection
+ *
+ * Wraps globalThis.fetch to inject delegation proof headers on outbound
+ * HTTP requests made during delegated tool handler execution.
+ *
+ * Reads delegation context from AsyncLocalStorage (via getContext()),
+ * builds a signed Ed25519 JWT, and injects:
+ *   KYA-Delegation-Id, KYA-Delegation-Chain, KYA-Delegation-Proof, KYA-Granted-Scopes
+ *
+ * Behavior:
+ * - Skips injection for internal hostnames (localhost, *.vouched.id, Fly IPs)
+ * - On signing failure: logs warning, continues WITHOUT delegation headers
+ * - Anonymous/non-delegated calls: no headers injected
+ *
+ * Related Spec: MCP-I §2 — Outbound Delegation Propagation
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isInternalDelegationTarget = isInternalDelegationTarget;
+exports.installDelegationInterceptor = installDelegationInterceptor;
+const mcp_i_core_1 = require("@kya-os/mcp-i-core");
+const request_context_js_1 = require("./request-context.js");
+// Flag to avoid double-installing
+const DELEGATION_INTERCEPTED_FLAG = "__kyaDelegationIntercepted";
+/**
+ * Determine if a URL is an internal request that should not carry
+ * delegation headers. Matches the same guard as the compute interceptor.
+ */
+function isInternalDelegationTarget(urlString) {
+    let url;
+    try {
+        url = new URL(urlString);
+    }
+    catch {
+        return false;
+    }
+    const hostname = url.hostname.toLowerCase();
+    if (hostname === "localhost" ||
+        hostname === "127.0.0.1" ||
+        hostname === "[::1]" ||
+        hostname === "::1" ||
+        hostname === "0.0.0.0") {
+        return true;
+    }
+    if (hostname.endsWith(".vouched.id") ||
+        hostname === "vouched.id") {
+        return true;
+    }
+    // Internal hostnames (*.internal, bare "internal")
+    if (hostname.endsWith(".internal") || hostname === "internal") {
+        return true;
+    }
+    // AWS EC2 metadata service
+    if (hostname === "169.254.169.254") {
+        return true;
+    }
+    // Fly.io private network ranges (fdaa:*, fd10::*)
+    if (hostname.startsWith("fdaa:") || hostname.startsWith("fd10:")) {
+        return true;
+    }
+    return false;
+}
+/**
+ * Install the delegation header interceptor on globalThis.fetch.
+ * Returns a teardown function that restores the original fetch.
+ *
+ * Idempotent — calling multiple times is safe.
+ */
+function installDelegationInterceptor(logger) {
+    if (globalThis.fetch[DELEGATION_INTERCEPTED_FLAG]) {
+        logger?.debug("Delegation interceptor already installed, skipping");
+        return () => { };
+    }
+    const originalFetch = globalThis.fetch;
+    const delegationFetch = async function (input, init) {
+        const urlString = typeof input === "string"
+            ? input
+            : input instanceof URL
+                ? input.toString()
+                : input.url;
+        if (isInternalDelegationTarget(urlString)) {
+            return originalFetch(input, init);
+        }
+        const baseHeaders = input instanceof Request ? input.headers : undefined;
+        const headers = new Headers(init?.headers ?? baseHeaders);
+        // Only inject if we have a delegation context and haven't already injected
+        if (!headers.has("KYA-Delegation-Proof")) {
+            const ctx = (0, request_context_js_1.getContext)();
+            if (ctx?.delegationRef &&
+                ctx.delegationPrivateKeyJwk &&
+                ctx.delegationAgentKid) {
+                try {
+                    let targetHostname = "";
+                    try {
+                        targetHostname = new URL(urlString).hostname;
+                    }
+                    catch {
+                        // malformed URL — leave aud empty
+                    }
+                    const proof = await (0, mcp_i_core_1.buildDelegationProofJWT)({
+                        agentDid: ctx.session?.serverDid ?? "",
+                        userDid: ctx.session?.userDid ?? "",
+                        delegationId: ctx.delegationRef,
+                        delegationChain: ctx.delegationChain ?? ctx.delegationRef,
+                        scopes: ctx.delegationScopes ?? [],
+                        privateKeyJwk: ctx.delegationPrivateKeyJwk,
+                        kid: ctx.delegationAgentKid,
+                        targetHostname,
+                    });
+                    headers.set("KYA-Delegation-Id", ctx.delegationRef);
+                    headers.set("KYA-Delegation-Chain", ctx.delegationChain ?? ctx.delegationRef);
+                    headers.set("KYA-Delegation-Proof", proof);
+                    headers.set("KYA-Granted-Scopes", (ctx.delegationScopes ?? []).join(","));
+                    logger?.debug("Delegation headers injected", {
+                        delegationRef: ctx.delegationRef,
+                        targetHostname,
+                    });
+                }
+                catch (error) {
+                    logger?.warn(`Failed to build delegation proof, continuing without delegation headers: ${error.message}`);
+                }
+            }
+        }
+        return originalFetch(input, { ...init, headers });
+    };
+    delegationFetch[DELEGATION_INTERCEPTED_FLAG] = true;
+    globalThis.fetch = delegationFetch;
+    return () => {
+        if (globalThis.fetch === delegationFetch) {
+            globalThis.fetch = originalFetch;
+        }
+    };
+}

package/dist/runtime/proof.d.ts

@@ -1,93 +1,18 @@
 /**
- * Proof Generation for XMCP-I Runtime
+ * Proof Generation for XMCP-I Runtime — Node.js adapter
  *
- * Handles JCS canonicalization, SHA-256 digest generation, and Ed25519 JWS signing (compact format)
- * according to requirements 5.1, 5.2, 5.3, 5.6.
+ * Re-exports ProofGenerator from @kya-os/mcp-i-core and wires in
+ * NodeCryptoProvider as the default. All existing call sites remain
+ * compatible: `new ProofGenerator(identity)` continues to work.
+ *
+ * Requirements: 5.1, 5.2, 5.3, 5.6
  */
-import { DetachedProof } from "@kya-os/contracts/proof";
+import { ProofGenerator as CoreProofGenerator, type ProofAgentIdentity, type ToolRequest, type ToolResponse, type ProofOptions, extractCanonicalData } from "@kya-os/mcp-i-core";
+import { CryptoProvider } from "@kya-os/mcp-i-core";
 import { SessionContext } from "@kya-os/contracts/handshake";
-import { AgentIdentity } from "./identity";
-/**
- * Tool request structure for proof generation
- */
-export interface ToolRequest {
-    method: string;
-    params?: any;
-}
-/**
- * Tool response structure for proof generation
- */
-export interface ToolResponse {
-    data: any;
-    meta?: {
-        proof?: DetachedProof;
-        [key: string]: any;
-    };
-}
-/**
- * Proof generation options
- */
-export interface ProofOptions {
-    scopeId?: string;
-    delegationRef?: string;
-    clientDid?: string;
+export declare class ProofGenerator extends CoreProofGenerator {
+    constructor(identity: ProofAgentIdentity, cryptoProvider?: CryptoProvider);
 }
-/**
- * Proof generator class
- */
-export declare class ProofGenerator {
-    private identity;
-    constructor(identity: AgentIdentity);
-    /**
-     * Generate proof for tool request/response
-     * Requirements: 5.1, 5.2, 5.3, 5.6
-     */
-    generateProof(request: ToolRequest, response: ToolResponse, session: SessionContext, options?: ProofOptions): Promise<DetachedProof>;
-    /**
-     * Generate canonical hashes for request and response
-     * Requirement: 5.1
-     */
-    private generateCanonicalHashes;
-    /**
-     * Generate SHA-256 hash with JCS canonicalization
-     * Requirement: 5.2
-     */
-    private generateSHA256Hash;
-    /**
-     * JCS canonicalization implementation (RFC 8785)
-     */
-    private canonicalizeJSON;
-    /**
-     * Generate Ed25519 JWS in compact format (header.payload.signature)
-     * Requirement: 5.3
-     *
-     * Uses standard JWT claims (aud, sub, iss) in addition to custom claims
-     */
-    private generateJWS;
-    /**
-     * Format base64 private key as PKCS#8 PEM for JOSE library
-     */
-    private formatPrivateKeyAsPEM;
-    /**
-     * Verify a proof (for testing/validation)
-     */
-    verifyProof(proof: DetachedProof, request: ToolRequest, response: ToolResponse): Promise<boolean>;
-    /**
-     * Convert base64 public key to Ed25519 JWK format
-     */
-    private base64PublicKeyToJWK;
-}
-/**
- * Utility functions
- */
-/**
- * Create a tool response with proof
- */
-export declare function createProofResponse(request: ToolRequest, data: any, identity: AgentIdentity, session: SessionContext, options?: ProofOptions): Promise<ToolResponse>;
-/**
- * Extract canonical data for hashing (utility for testing)
- */
-export declare function extractCanonicalData(request: ToolRequest, response: ToolResponse): {
-    request: any;
-    response: any;
-};
+export type { ProofAgentIdentity, ToolRequest, ToolResponse, ProofOptions };
+export { extractCanonicalData };
+export declare function createProofResponse(request: ToolRequest, data: unknown, identity: ProofAgentIdentity, session: SessionContext, options?: ProofOptions): Promise<ToolResponse>;

package/dist/runtime/proof.js

@@ -1,227 +1,25 @@
 "use strict";
 /**
- * Proof Generation for XMCP-I Runtime
+ * Proof Generation for XMCP-I Runtime — Node.js adapter
  *
- * Handles JCS canonicalization, SHA-256 digest generation, and Ed25519 JWS signing (compact format)
- * according to requirements 5.1, 5.2, 5.3, 5.6.
+ * Re-exports ProofGenerator from @kya-os/mcp-i-core and wires in
+ * NodeCryptoProvider as the default. All existing call sites remain
+ * compatible: `new ProofGenerator(identity)` continues to work.
+ *
+ * Requirements: 5.1, 5.2, 5.3, 5.6
  */
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.ProofGenerator = void 0;
+exports.extractCanonicalData = exports.ProofGenerator = void 0;
 exports.createProofResponse = createProofResponse;
-exports.extractCanonicalData = extractCanonicalData;
-const crypto_1 = require("crypto");
-const jose_1 = require("jose");
-const json_canonicalize_1 = require("json-canonicalize");
 const mcp_i_core_1 = require("@kya-os/mcp-i-core");
+Object.defineProperty(exports, "extractCanonicalData", { enumerable: true, get: function () { return mcp_i_core_1.extractCanonicalData; } });
 const node_providers_1 = require("../providers/node-providers");
-/**
- * Proof generator class
- */
-class ProofGenerator {
-    identity;
-    constructor(identity) {
-        this.identity = identity;
-    }
-    /**
-     * Generate proof for tool request/response
-     * Requirements: 5.1, 5.2, 5.3, 5.6
-     */
-    async generateProof(request, response, session, options = {}) {
-        // Generate canonical hashes
-        const hashes = this.generateCanonicalHashes(request, response);
-        // Create proof metadata
-        const meta = {
-            did: this.identity.did,
-            kid: this.identity.kid,
-            ts: Math.floor(Date.now() / 1000),
-            nonce: session.nonce,
-            audience: session.audience,
-            sessionId: session.sessionId,
-            requestHash: hashes.requestHash,
-            responseHash: hashes.responseHash,
-            ...options, // Include scopeId, delegationRef, and clientDid if provided
-        };
-        // Generate JWS (compact format)
-        const jws = await this.generateJWS(meta);
-        return {
-            jws,
-            meta,
-        };
-    }
-    /**
-     * Generate canonical hashes for request and response
-     * Requirement: 5.1
-     */
-    generateCanonicalHashes(request, response) {
-        // Canonicalize request (exclude transport metadata, include method and params)
-        const canonicalRequest = {
-            method: request.method,
-            ...(request.params && { params: request.params }),
-        };
-        // Canonicalize response (only the data part, exclude meta)
-        const canonicalResponse = response.data;
-        // Generate SHA-256 hashes with JCS canonicalization
-        const requestHash = this.generateSHA256Hash(canonicalRequest);
-        const responseHash = this.generateSHA256Hash(canonicalResponse);
-        return {
-            requestHash,
-            responseHash,
-        };
-    }
-    /**
-     * Generate SHA-256 hash with JCS canonicalization
-     * Requirement: 5.2
-     */
-    generateSHA256Hash(data) {
-        // JCS (JSON Canonicalization Scheme) canonicalization
-        const canonicalJson = this.canonicalizeJSON(data);
-        // Generate SHA-256 hash
-        const hash = (0, crypto_1.createHash)("sha256")
-            .update(canonicalJson, "utf8")
-            .digest("hex");
-        return `sha256:${hash}`;
-    }
-    /**
-     * JCS canonicalization implementation (RFC 8785)
-     */
-    canonicalizeJSON(obj) {
-        return (0, json_canonicalize_1.canonicalize)(obj);
-    }
-    /**
-     * Generate Ed25519 JWS in compact format (header.payload.signature)
-     * Requirement: 5.3
-     *
-     * Uses standard JWT claims (aud, sub, iss) in addition to custom claims
-     */
-    async generateJWS(meta) {
-        try {
-            // Import the private key
-            const privateKeyPem = this.formatPrivateKeyAsPEM(this.identity.privateKey);
-            const privateKey = await (0, jose_1.importPKCS8)(privateKeyPem, "EdDSA");
-            // Create JWT payload with standard claims + custom proof data
-            // Standard JWT claims: aud (audience), sub (subject), iss (issuer)
-            // Custom claims: requestHash, responseHash, nonce, sessionId, etc.
-            const payload = {
-                // Standard JWT claims (RFC 7519)
-                aud: meta.audience, // Audience (who the token is for)
-                sub: meta.did, // Subject (agent DID)
-                iss: meta.did, // Issuer (agent DID - self-issued)
-                // Custom MCP-I proof claims
-                requestHash: meta.requestHash,
-                responseHash: meta.responseHash,
-                ts: meta.ts,
-                nonce: meta.nonce,
-                sessionId: meta.sessionId,
-                // Optional claims
-                ...(meta.scopeId && { scopeId: meta.scopeId }),
-                ...(meta.delegationRef && { delegationRef: meta.delegationRef }),
-                ...(meta.clientDid && { clientDid: meta.clientDid }),
-            };
-            // Create and sign JWT (compact format: header.payload.signature)
-            const jwt = await new jose_1.SignJWT(payload)
-                .setProtectedHeader({
-                alg: "EdDSA",
-                kid: this.identity.kid,
-            })
-                .sign(privateKey);
-            // Return full compact JWS (NOT detached)
-            return jwt;
-        }
-        catch (error) {
-            throw new Error(`Failed to generate JWS: ${error instanceof Error ? error.message : "Unknown error"}`);
-        }
-    }
-    /**
-     * Format base64 private key as PKCS#8 PEM for JOSE library
-     */
-    formatPrivateKeyAsPEM(base64PrivateKey) {
-        const keyData = Buffer.from(base64PrivateKey, "base64");
-        // Ed25519 PKCS#8 header and footer
-        const header = "-----BEGIN PRIVATE KEY-----\n";
-        const footer = "\n-----END PRIVATE KEY-----";
-        // Wrap Ed25519 raw key in PKCS#8 structure (ASN.1 encoding)
-        const pkcs8Header = Buffer.from([
-            0x30,
-            0x2e, // SEQUENCE, length 46
-            0x02,
-            0x01,
-            0x00, // INTEGER version 0
-            0x30,
-            0x05, // SEQUENCE, length 5
-            0x06,
-            0x03,
-            0x2b,
-            0x65,
-            0x70, // OID for Ed25519
-            0x04,
-            0x22, // OCTET STRING, length 34
-            0x04,
-            0x20, // OCTET STRING, length 32 (the actual key)
-        ]);
-        const fullKey = Buffer.concat([pkcs8Header, keyData.subarray(0, 32)]);
-        const base64Key = fullKey.toString("base64");
-        // Format as PEM with line breaks every 64 characters
-        const formattedKey = base64Key.match(/.{1,64}/g)?.join("\n") || base64Key;
-        return header + formattedKey + footer;
-    }
-    /**
-     * Verify a proof (for testing/validation)
-     */
-    async verifyProof(proof, request, response) {
-        try {
-            // Regenerate hashes
-            const expectedHashes = this.generateCanonicalHashes(request, response);
-            // Check if hashes match
-            if (proof.meta.requestHash !== expectedHashes.requestHash ||
-                proof.meta.responseHash !== expectedHashes.responseHash) {
-                return false;
-            }
-            // Verify JWS signature using CryptoService
-            const publicKeyJwk = this.base64PublicKeyToJWK(this.identity.publicKey);
-            const cryptoProvider = new node_providers_1.NodeCryptoProvider();
-            const cryptoService = new mcp_i_core_1.CryptoService(cryptoProvider);
-            const isValid = await cryptoService.verifyJWS(proof.jws, publicKeyJwk, {
-                expectedKid: this.identity.kid,
-                alg: "EdDSA",
-            });
-            return isValid;
-        }
-        catch (error) {
-            console.error("[ProofGenerator] Proof verification error:", error);
-            return false;
-        }
-    }
-    /**
-     * Convert base64 public key to Ed25519 JWK format
-     */
-    base64PublicKeyToJWK(publicKeyBase64) {
-        // Decode base64 to bytes
-        const publicKeyBytes = Buffer.from(publicKeyBase64, "base64");
-        // Verify key length (Ed25519 public keys are 32 bytes)
-        if (publicKeyBytes.length !== 32) {
-            throw new Error(`Invalid Ed25519 public key length: ${publicKeyBytes.length}`);
-        }
-        // Convert to base64url encoding
-        const base64url = Buffer.from(publicKeyBytes)
-            .toString("base64")
-            .replace(/\+/g, "-")
-            .replace(/\//g, "_")
-            .replace(/=/g, "");
-        return {
-            kty: "OKP",
-            crv: "Ed25519",
-            x: base64url,
-            kid: this.identity.kid,
-        };
+class ProofGenerator extends mcp_i_core_1.ProofGenerator {
+    constructor(identity, cryptoProvider = new node_providers_1.NodeCryptoProvider()) {
+        super(identity, cryptoProvider);
     }
 }
 exports.ProofGenerator = ProofGenerator;
-/**
- * Utility functions
- */
-/**
- * Create a tool response with proof
- */
 async function createProofResponse(request, data, identity, session, options = {}) {
     const response = { data };
     const proofGenerator = new ProofGenerator(identity);
@@ -229,15 +27,3 @@ async function createProofResponse(request, data, identity, session, options = {
     response.meta = { proof };
     return response;
 }
-/**
- * Extract canonical data for hashing (utility for testing)
- */
-function extractCanonicalData(request, response) {
-    return {
-        request: {
-            method: request.method,
-            ...(request.params && { params: request.params }),
-        },
-        response: response.data,
-    };
-}