@kya-os/mcp-i 1.7.9 → 1.7.11
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/runtime/adapter-express.js +3 -3
- package/dist/runtime/adapter-nextjs.js +3 -3
- package/dist/runtime/delegation/vc-verifier.js +32 -17
- package/dist/runtime/http.js +3 -3
- package/dist/runtime/stdio.js +3 -3
- package/dist/runtime/tool-protection.d.ts +3 -10
- package/dist/runtime/utils/tools.js +21 -9
- package/package.json +1 -1
|
@@ -9,6 +9,7 @@
|
|
|
9
9
|
* 2. Local file (tool-protections.json) - for development
|
|
10
10
|
* 3. AgentShield API - for production (NOT IMPLEMENTED YET)
|
|
11
11
|
*/
|
|
12
|
+
import type { AuthorizationRequirement } from '@kya-os/contracts/tool-protection';
|
|
12
13
|
/**
|
|
13
14
|
* Protection configuration for a single tool
|
|
14
15
|
*/
|
|
@@ -21,16 +22,8 @@ export interface ToolProtectionConfig {
|
|
|
21
22
|
riskLevel?: 'low' | 'medium' | 'high' | 'critical';
|
|
22
23
|
/** Optional custom authorization URL for this specific tool */
|
|
23
24
|
authorizationUrl?: string;
|
|
24
|
-
/** Authorization method required for this tool */
|
|
25
|
-
authorization?:
|
|
26
|
-
type: 'oauth' | 'oauth2' | 'password' | 'credential' | 'webauthn' | 'siwe' | 'none';
|
|
27
|
-
provider?: string;
|
|
28
|
-
credentialType?: string;
|
|
29
|
-
rpId?: string;
|
|
30
|
-
userVerification?: 'required' | 'preferred' | 'discouraged';
|
|
31
|
-
chainId?: number;
|
|
32
|
-
domain?: string;
|
|
33
|
-
};
|
|
25
|
+
/** Authorization method required for this tool (uses contracts type) */
|
|
26
|
+
authorization?: AuthorizationRequirement;
|
|
34
27
|
}
|
|
35
28
|
/**
|
|
36
29
|
* Map of tool names to their protection configurations
|
|
@@ -10,6 +10,24 @@ const session_1 = require("../session");
|
|
|
10
10
|
const request_context_1 = require("../request-context");
|
|
11
11
|
const proof_batch_queue_1 = require("../proof-batch-queue");
|
|
12
12
|
const mcp_i_core_1 = require("@kya-os/mcp-i-core");
|
|
13
|
+
/**
|
|
14
|
+
* Format authorization info for error messages.
|
|
15
|
+
* Safely handles discriminated union types by checking for property existence.
|
|
16
|
+
* Supports: provider (oauth/password), issuer (mdl/vc), credentialType (vc/mdl)
|
|
17
|
+
*/
|
|
18
|
+
function formatAuthInfo(auth) {
|
|
19
|
+
let result = auth.type;
|
|
20
|
+
if ('provider' in auth && auth.provider) {
|
|
21
|
+
result += `:${auth.provider}`;
|
|
22
|
+
}
|
|
23
|
+
if ('issuer' in auth && auth.issuer) {
|
|
24
|
+
result += `:${auth.issuer}`;
|
|
25
|
+
}
|
|
26
|
+
if ('credentialType' in auth && auth.credentialType) {
|
|
27
|
+
result += `:${auth.credentialType}`;
|
|
28
|
+
}
|
|
29
|
+
return result;
|
|
30
|
+
}
|
|
13
31
|
const rawRuntimeConfigPath = typeof RUNTIME_CONFIG_PATH !== "undefined" ? RUNTIME_CONFIG_PATH : undefined;
|
|
14
32
|
// Single-parse to match single-stringify from webpack DefinePlugin
|
|
15
33
|
const runtimeConfigPath = rawRuntimeConfigPath
|
|
@@ -553,9 +571,7 @@ async function addToolsToServer(server, toolModules, identityConfig, clientMessa
|
|
|
553
571
|
type: "text",
|
|
554
572
|
text: JSON.stringify({
|
|
555
573
|
error: "authorization_data_missing",
|
|
556
|
-
message: `Tool "${name}" requires authorization
|
|
557
|
-
`${toolAuth.provider ? `:${toolAuth.provider}` : ""}` +
|
|
558
|
-
`${toolAuth.credentialType ? `:${toolAuth.credentialType}` : ""} ` +
|
|
574
|
+
message: `Tool "${name}" requires authorization ${formatAuthInfo(toolAuth)} ` +
|
|
559
575
|
`but delegation credential does not contain authorization data. Please re-authorize.`,
|
|
560
576
|
authorizationUrl: authUrl.toString(),
|
|
561
577
|
scopes: toolProtection.requiredScopes || [],
|
|
@@ -583,12 +599,8 @@ async function addToolsToServer(server, toolModules, identityConfig, clientMessa
|
|
|
583
599
|
text: JSON.stringify({
|
|
584
600
|
error: "authorization_method_mismatch",
|
|
585
601
|
message: `Tool "${name}" requires re-authorization. ` +
|
|
586
|
-
`Delegation was created with ${delegationAuth
|
|
587
|
-
|
|
588
|
-
`${delegationAuth.credentialType ? `:${delegationAuth.credentialType}` : ""} ` +
|
|
589
|
-
`but tool now requires ${toolAuth.type}` +
|
|
590
|
-
`${toolAuth.provider ? `:${toolAuth.provider}` : ""}` +
|
|
591
|
-
`${toolAuth.credentialType ? `:${toolAuth.credentialType}` : ""}.`,
|
|
602
|
+
`Delegation was created with ${formatAuthInfo(delegationAuth)} ` +
|
|
603
|
+
`but tool now requires ${formatAuthInfo(toolAuth)}.`,
|
|
592
604
|
authorizationUrl: authUrl.toString(),
|
|
593
605
|
scopes: toolProtection.requiredScopes || [],
|
|
594
606
|
currentAuth: delegationAuth,
|