npm - @mcp-i/core - Versions diffs - 0.1.0 - Mend

@mcp-i/core 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (226) hide show

package/LICENSE +21 -0
package/README.md +390 -0
package/dist/auth/handshake.d.ts +104 -0
package/dist/auth/handshake.d.ts.map +1 -0
package/dist/auth/handshake.js +230 -0
package/dist/auth/handshake.js.map +1 -0
package/dist/auth/index.d.ts +3 -0
package/dist/auth/index.d.ts.map +1 -0
package/dist/auth/index.js +2 -0
package/dist/auth/index.js.map +1 -0
package/dist/auth/types.d.ts +31 -0
package/dist/auth/types.d.ts.map +1 -0
package/dist/auth/types.js +7 -0
package/dist/auth/types.js.map +1 -0
package/dist/delegation/audience-validator.d.ts +9 -0
package/dist/delegation/audience-validator.d.ts.map +1 -0
package/dist/delegation/audience-validator.js +17 -0
package/dist/delegation/audience-validator.js.map +1 -0
package/dist/delegation/bitstring.d.ts +37 -0
package/dist/delegation/bitstring.d.ts.map +1 -0
package/dist/delegation/bitstring.js +117 -0
package/dist/delegation/bitstring.js.map +1 -0
package/dist/delegation/cascading-revocation.d.ts +45 -0
package/dist/delegation/cascading-revocation.d.ts.map +1 -0
package/dist/delegation/cascading-revocation.js +148 -0
package/dist/delegation/cascading-revocation.js.map +1 -0
package/dist/delegation/delegation-graph.d.ts +49 -0
package/dist/delegation/delegation-graph.d.ts.map +1 -0
package/dist/delegation/delegation-graph.js +99 -0
package/dist/delegation/delegation-graph.js.map +1 -0
package/dist/delegation/did-key-resolver.d.ts +64 -0
package/dist/delegation/did-key-resolver.d.ts.map +1 -0
package/dist/delegation/did-key-resolver.js +154 -0
package/dist/delegation/did-key-resolver.js.map +1 -0
package/dist/delegation/did-web-resolver.d.ts +83 -0
package/dist/delegation/did-web-resolver.d.ts.map +1 -0
package/dist/delegation/did-web-resolver.js +218 -0
package/dist/delegation/did-web-resolver.js.map +1 -0
package/dist/delegation/index.d.ts +21 -0
package/dist/delegation/index.d.ts.map +1 -0
package/dist/delegation/index.js +21 -0
package/dist/delegation/index.js.map +1 -0
package/dist/delegation/outbound-headers.d.ts +81 -0
package/dist/delegation/outbound-headers.d.ts.map +1 -0
package/dist/delegation/outbound-headers.js +139 -0
package/dist/delegation/outbound-headers.js.map +1 -0
package/dist/delegation/outbound-proof.d.ts +43 -0
package/dist/delegation/outbound-proof.d.ts.map +1 -0
package/dist/delegation/outbound-proof.js +52 -0
package/dist/delegation/outbound-proof.js.map +1 -0
package/dist/delegation/statuslist-manager.d.ts +44 -0
package/dist/delegation/statuslist-manager.d.ts.map +1 -0
package/dist/delegation/statuslist-manager.js +126 -0
package/dist/delegation/statuslist-manager.js.map +1 -0
package/dist/delegation/storage/memory-graph-storage.d.ts +70 -0
package/dist/delegation/storage/memory-graph-storage.d.ts.map +1 -0
package/dist/delegation/storage/memory-graph-storage.js +145 -0
package/dist/delegation/storage/memory-graph-storage.js.map +1 -0
package/dist/delegation/storage/memory-statuslist-storage.d.ts +19 -0
package/dist/delegation/storage/memory-statuslist-storage.d.ts.map +1 -0
package/dist/delegation/storage/memory-statuslist-storage.js +33 -0
package/dist/delegation/storage/memory-statuslist-storage.js.map +1 -0
package/dist/delegation/utils.d.ts +49 -0
package/dist/delegation/utils.d.ts.map +1 -0
package/dist/delegation/utils.js +131 -0
package/dist/delegation/utils.js.map +1 -0
package/dist/delegation/vc-issuer.d.ts +56 -0
package/dist/delegation/vc-issuer.d.ts.map +1 -0
package/dist/delegation/vc-issuer.js +80 -0
package/dist/delegation/vc-issuer.js.map +1 -0
package/dist/delegation/vc-verifier.d.ts +112 -0
package/dist/delegation/vc-verifier.d.ts.map +1 -0
package/dist/delegation/vc-verifier.js +280 -0
package/dist/delegation/vc-verifier.js.map +1 -0
package/dist/index.d.ts +45 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +53 -0
package/dist/index.js.map +1 -0
package/dist/logging/index.d.ts +2 -0
package/dist/logging/index.d.ts.map +1 -0
package/dist/logging/index.js +2 -0
package/dist/logging/index.js.map +1 -0
package/dist/logging/logger.d.ts +23 -0
package/dist/logging/logger.d.ts.map +1 -0
package/dist/logging/logger.js +82 -0
package/dist/logging/logger.js.map +1 -0
package/dist/middleware/index.d.ts +7 -0
package/dist/middleware/index.d.ts.map +1 -0
package/dist/middleware/index.js +7 -0
package/dist/middleware/index.js.map +1 -0
package/dist/middleware/with-mcpi.d.ts +152 -0
package/dist/middleware/with-mcpi.d.ts.map +1 -0
package/dist/middleware/with-mcpi.js +472 -0
package/dist/middleware/with-mcpi.js.map +1 -0
package/dist/proof/errors.d.ts +49 -0
package/dist/proof/errors.d.ts.map +1 -0
package/dist/proof/errors.js +61 -0
package/dist/proof/errors.js.map +1 -0
package/dist/proof/generator.d.ts +65 -0
package/dist/proof/generator.d.ts.map +1 -0
package/dist/proof/generator.js +163 -0
package/dist/proof/generator.js.map +1 -0
package/dist/proof/index.d.ts +4 -0
package/dist/proof/index.d.ts.map +1 -0
package/dist/proof/index.js +4 -0
package/dist/proof/index.js.map +1 -0
package/dist/proof/verifier.d.ts +108 -0
package/dist/proof/verifier.d.ts.map +1 -0
package/dist/proof/verifier.js +299 -0
package/dist/proof/verifier.js.map +1 -0
package/dist/providers/base.d.ts +64 -0
package/dist/providers/base.d.ts.map +1 -0
package/dist/providers/base.js +19 -0
package/dist/providers/base.js.map +1 -0
package/dist/providers/index.d.ts +3 -0
package/dist/providers/index.d.ts.map +1 -0
package/dist/providers/index.js +3 -0
package/dist/providers/index.js.map +1 -0
package/dist/providers/memory.d.ts +33 -0
package/dist/providers/memory.d.ts.map +1 -0
package/dist/providers/memory.js +102 -0
package/dist/providers/memory.js.map +1 -0
package/dist/session/index.d.ts +2 -0
package/dist/session/index.d.ts.map +1 -0
package/dist/session/index.js +2 -0
package/dist/session/index.js.map +1 -0
package/dist/session/manager.d.ts +77 -0
package/dist/session/manager.d.ts.map +1 -0
package/dist/session/manager.js +251 -0
package/dist/session/manager.js.map +1 -0
package/dist/types/protocol.d.ts +320 -0
package/dist/types/protocol.d.ts.map +1 -0
package/dist/types/protocol.js +229 -0
package/dist/types/protocol.js.map +1 -0
package/dist/utils/base58.d.ts +31 -0
package/dist/utils/base58.d.ts.map +1 -0
package/dist/utils/base58.js +104 -0
package/dist/utils/base58.js.map +1 -0
package/dist/utils/base64.d.ts +13 -0
package/dist/utils/base64.d.ts.map +1 -0
package/dist/utils/base64.js +99 -0
package/dist/utils/base64.js.map +1 -0
package/dist/utils/crypto-service.d.ts +37 -0
package/dist/utils/crypto-service.d.ts.map +1 -0
package/dist/utils/crypto-service.js +153 -0
package/dist/utils/crypto-service.js.map +1 -0
package/dist/utils/did-helpers.d.ts +156 -0
package/dist/utils/did-helpers.d.ts.map +1 -0
package/dist/utils/did-helpers.js +193 -0
package/dist/utils/did-helpers.js.map +1 -0
package/dist/utils/ed25519-constants.d.ts +18 -0
package/dist/utils/ed25519-constants.d.ts.map +1 -0
package/dist/utils/ed25519-constants.js +21 -0
package/dist/utils/ed25519-constants.js.map +1 -0
package/dist/utils/index.d.ts +5 -0
package/dist/utils/index.d.ts.map +1 -0
package/dist/utils/index.js +5 -0
package/dist/utils/index.js.map +1 -0
package/package.json +105 -0
package/src/__tests__/integration/full-flow.test.ts +362 -0
package/src/__tests__/providers/base.test.ts +173 -0
package/src/__tests__/providers/memory.test.ts +332 -0
package/src/__tests__/utils/mock-providers.ts +319 -0
package/src/__tests__/utils/node-crypto-provider.ts +93 -0
package/src/auth/handshake.ts +411 -0
package/src/auth/index.ts +11 -0
package/src/auth/types.ts +40 -0
package/src/delegation/__tests__/audience-validator.test.ts +110 -0
package/src/delegation/__tests__/bitstring.test.ts +346 -0
package/src/delegation/__tests__/cascading-revocation.test.ts +624 -0
package/src/delegation/__tests__/delegation-graph.test.ts +623 -0
package/src/delegation/__tests__/did-key-resolver.test.ts +265 -0
package/src/delegation/__tests__/did-web-resolver.test.ts +467 -0
package/src/delegation/__tests__/outbound-headers.test.ts +230 -0
package/src/delegation/__tests__/outbound-proof.test.ts +179 -0
package/src/delegation/__tests__/statuslist-manager.test.ts +515 -0
package/src/delegation/__tests__/utils.test.ts +185 -0
package/src/delegation/__tests__/vc-issuer.test.ts +487 -0
package/src/delegation/__tests__/vc-verifier.test.ts +1029 -0
package/src/delegation/audience-validator.ts +24 -0
package/src/delegation/bitstring.ts +160 -0
package/src/delegation/cascading-revocation.ts +224 -0
package/src/delegation/delegation-graph.ts +143 -0
package/src/delegation/did-key-resolver.ts +181 -0
package/src/delegation/did-web-resolver.ts +270 -0
package/src/delegation/index.ts +33 -0
package/src/delegation/outbound-headers.ts +193 -0
package/src/delegation/outbound-proof.ts +90 -0
package/src/delegation/statuslist-manager.ts +219 -0
package/src/delegation/storage/__tests__/memory-graph-storage.test.ts +366 -0
package/src/delegation/storage/__tests__/memory-statuslist-storage.test.ts +228 -0
package/src/delegation/storage/memory-graph-storage.ts +178 -0
package/src/delegation/storage/memory-statuslist-storage.ts +42 -0
package/src/delegation/utils.ts +189 -0
package/src/delegation/vc-issuer.ts +137 -0
package/src/delegation/vc-verifier.ts +440 -0
package/src/index.ts +264 -0
package/src/logging/__tests__/logger.test.ts +366 -0
package/src/logging/index.ts +6 -0
package/src/logging/logger.ts +91 -0
package/src/middleware/__tests__/with-mcpi.test.ts +504 -0
package/src/middleware/index.ts +16 -0
package/src/middleware/with-mcpi.ts +766 -0
package/src/proof/__tests__/proof-generator.test.ts +483 -0
package/src/proof/__tests__/verifier.test.ts +488 -0
package/src/proof/errors.ts +75 -0
package/src/proof/generator.ts +255 -0
package/src/proof/index.ts +22 -0
package/src/proof/verifier.ts +449 -0
package/src/providers/base.ts +68 -0
package/src/providers/index.ts +15 -0
package/src/providers/memory.ts +130 -0
package/src/session/__tests__/session-manager.test.ts +342 -0
package/src/session/index.ts +7 -0
package/src/session/manager.ts +332 -0
package/src/types/protocol.ts +596 -0
package/src/utils/__tests__/base58.test.ts +281 -0
package/src/utils/__tests__/base64.test.ts +239 -0
package/src/utils/__tests__/crypto-service.test.ts +530 -0
package/src/utils/__tests__/did-helpers.test.ts +156 -0
package/src/utils/base58.ts +115 -0
package/src/utils/base64.ts +116 -0
package/src/utils/crypto-service.ts +209 -0
package/src/utils/did-helpers.ts +210 -0
package/src/utils/ed25519-constants.ts +23 -0
package/src/utils/index.ts +9 -0

package/src/proof/generator.ts ADDED Viewed

@@ -0,0 +1,255 @@
+/**
+ * Proof Generation — Platform-agnostic Protocol Reference
+ *
+ * Handles JCS canonicalization, SHA-256 digest generation, and Ed25519 JWS
+ * signing (compact format) according to MCP-I requirements 5.1, 5.2, 5.3, 5.6.
+ *
+ * This module is the authoritative proof implementation. All platform adapters
+ * (Node.js, Cloudflare Workers) inject a CryptoProvider and delegate here.
+ */
+import { CompactSign, importPKCS8 } from 'jose';
+import { canonicalize } from 'json-canonicalize';
+import type {
+  DetachedProof,
+  ProofMeta,
+  CanonicalHashes,
+  SessionContext,
+} from '../types/protocol.js';
+import type { CryptoProvider } from '../providers/base.js';
+import { CryptoService, type Ed25519JWK } from '../utils/crypto-service.js';
+import { base64ToBytes, base64urlEncodeFromBytes, bytesToBase64 } from '../utils/base64.js';
+import { ED25519_PKCS8_DER_HEADER, ED25519_KEY_SIZE } from '../utils/ed25519-constants.js';
+export interface ProofAgentIdentity {
+  did: string;
+  kid: string;
+  privateKey: string;
+  publicKey: string;
+}
+export interface ToolRequest {
+  method: string;
+  params?: unknown;
+}
+export interface ToolResponse {
+  data: unknown;
+  meta?: {
+    proof?: DetachedProof;
+    [key: string]: unknown;
+  };
+}
+export interface ProofOptions {
+  scopeId?: string;
+  delegationRef?: string;
+  clientDid?: string;
+}
+export class ProofGenerator {
+  private identity: ProofAgentIdentity;
+  private cryptoProvider: CryptoProvider;
+  constructor(identity: ProofAgentIdentity, cryptoProvider: CryptoProvider) {
+    this.identity = identity;
+    this.cryptoProvider = cryptoProvider;
+  }
+  /**
+   * Generate a detached proof for an MCP tool call.
+   *
+   * Creates a JWS (JSON Web Signature) that binds the tool request and response
+   * to the agent's identity and current session context.
+   *
+   * @param request - The MCP tool request (method + params)
+   * @param response - The tool response data
+   * @param session - The current session context from handshake
+   * @param options - Optional proof metadata (scopeId, delegationRef, clientDid)
+   * @returns Detached proof containing JWS and proof metadata
+   * @throws {Error} If JWS generation fails (invalid key, crypto error)
+   */
+  async generateProof(
+    request: ToolRequest,
+    response: ToolResponse,
+    session: SessionContext,
+    options: ProofOptions = {}
+  ): Promise<DetachedProof> {
+    const hashes = await this.generateCanonicalHashes(request, response);
+    const meta: ProofMeta = {
+      did: this.identity.did,
+      kid: this.identity.kid,
+      ts: Math.floor(Date.now() / 1000),
+      nonce: session.nonce,
+      audience: session.audience,
+      sessionId: session.sessionId,
+      requestHash: hashes.requestHash,
+      responseHash: hashes.responseHash,
+      ...options,
+    };
+    const jws = await this.generateJWS(meta);
+    return { jws, meta };
+  }
+  private async generateCanonicalHashes(
+    request: ToolRequest,
+    response: ToolResponse
+  ): Promise<CanonicalHashes> {
+    const canonicalRequest = {
+      method: request.method,
+      ...(request.params ? { params: request.params } : {}),
+    };
+    const canonicalResponse = response.data;
+    const requestHash = await this.generateSHA256Hash(canonicalRequest);
+    const responseHash = await this.generateSHA256Hash(canonicalResponse);
+    return { requestHash, responseHash };
+  }
+  private async generateSHA256Hash(data: unknown): Promise<string> {
+    const canonicalJson = this.canonicalizeJSON(data);
+    const encoded = new TextEncoder().encode(canonicalJson);
+    return this.cryptoProvider.hash(encoded);
+  }
+  private canonicalizeJSON(obj: unknown): string {
+    return canonicalize(obj as Parameters<typeof canonicalize>[0]);
+  }
+  private async generateJWS(meta: ProofMeta): Promise<string> {
+    try {
+      const privateKeyPem = this.formatPrivateKeyAsPEM(this.identity.privateKey);
+      const privateKey = await importPKCS8(privateKeyPem, 'EdDSA');
+      const payload = {
+        aud: meta.audience,
+        sub: meta.did,
+        iss: meta.did,
+        requestHash: meta.requestHash,
+        responseHash: meta.responseHash,
+        ts: meta.ts,
+        nonce: meta.nonce,
+        sessionId: meta.sessionId,
+        ...(meta.scopeId && { scopeId: meta.scopeId }),
+        ...(meta.delegationRef && { delegationRef: meta.delegationRef }),
+        ...(meta.clientDid && { clientDid: meta.clientDid }),
+      };
+      // Use canonicalized JSON (RFC 8785) for deterministic payload serialization.
+      // This ensures signature verification succeeds regardless of JSON key ordering.
+      const canonicalPayload = canonicalize(payload as Parameters<typeof canonicalize>[0]);
+      const payloadBytes = new TextEncoder().encode(canonicalPayload);
+      const jws = await new CompactSign(payloadBytes)
+        .setProtectedHeader({
+          alg: 'EdDSA',
+          kid: this.identity.kid,
+        })
+        .sign(privateKey);
+      return jws;
+    } catch (error) {
+      throw new Error(
+        `Failed to generate JWS: ${error instanceof Error ? error.message : 'Unknown error'}`
+      );
+    }
+  }
+  private formatPrivateKeyAsPEM(base64PrivateKey: string): string {
+    const keyData = base64ToBytes(base64PrivateKey);
+    // Extract raw 32-byte seed
+    const rawKey = keyData.subarray(0, ED25519_KEY_SIZE);
+    // Build full PKCS#8 key: header + raw key
+    const fullKey = new Uint8Array(ED25519_PKCS8_DER_HEADER.length + rawKey.length);
+    fullKey.set(ED25519_PKCS8_DER_HEADER);
+    fullKey.set(rawKey, ED25519_PKCS8_DER_HEADER.length);
+    const base64Key = bytesToBase64(fullKey);
+    const formattedKey = base64Key.match(/.{1,64}/g)?.join('\n') ?? base64Key;
+    return (
+      '-----BEGIN PRIVATE KEY-----\n' +
+      formattedKey +
+      '\n-----END PRIVATE KEY-----'
+    );
+  }
+  async verifyProof(
+    proof: DetachedProof,
+    request: ToolRequest,
+    response: ToolResponse
+  ): Promise<boolean> {
+    try {
+      const expectedHashes = await this.generateCanonicalHashes(request, response);
+      if (
+        proof.meta.requestHash !== expectedHashes.requestHash ||
+        proof.meta.responseHash !== expectedHashes.responseHash
+      ) {
+        return false;
+      }
+      const publicKeyJwk = this.base64PublicKeyToJWK(this.identity.publicKey);
+      const cryptoService = new CryptoService(this.cryptoProvider);
+      return cryptoService.verifyJWS(proof.jws, publicKeyJwk, {
+        expectedKid: this.identity.kid,
+        alg: 'EdDSA',
+      });
+    } catch {
+      return false;
+    }
+  }
+  private base64PublicKeyToJWK(publicKeyBase64: string): Ed25519JWK {
+    const publicKeyBytes = base64ToBytes(publicKeyBase64);
+    if (publicKeyBytes.length !== ED25519_KEY_SIZE) {
+      throw new Error(`Invalid Ed25519 public key length: ${publicKeyBytes.length}`);
+    }
+    return {
+      kty: 'OKP',
+      crv: 'Ed25519',
+      x: base64urlEncodeFromBytes(publicKeyBytes),
+      kid: this.identity.kid,
+    };
+  }
+}
+export async function createProofResponse(
+  request: ToolRequest,
+  data: unknown,
+  identity: ProofAgentIdentity,
+  session: SessionContext,
+  cryptoProvider: CryptoProvider,
+  options: ProofOptions = {}
+): Promise<ToolResponse> {
+  const response: ToolResponse = { data };
+  const proofGenerator = new ProofGenerator(identity, cryptoProvider);
+  const proof = await proofGenerator.generateProof(request, response, session, options);
+  response.meta = { proof };
+  return response;
+}
+export function extractCanonicalData(
+  request: ToolRequest,
+  response: ToolResponse
+): {
+  request: unknown;
+  response: unknown;
+} {
+  return {
+    request: {
+      method: request.method,
+      ...(request.params ? { params: request.params } : {}),
+    },
+    response: response.data,
+  };
+}

package/src/proof/index.ts ADDED Viewed

@@ -0,0 +1,22 @@
+export {
+  ProofGenerator,
+  createProofResponse,
+  extractCanonicalData,
+  type ProofAgentIdentity,
+  type ToolRequest,
+  type ToolResponse,
+  type ProofOptions,
+} from './generator.js';
+export {
+  ProofVerifier,
+  type ProofVerifierConfig,
+  type ProofVerificationResult,
+} from './verifier.js';
+export {
+  ProofVerificationError,
+  PROOF_VERIFICATION_ERROR_CODES,
+  createProofVerificationError,
+  type ProofVerificationErrorCode,
+} from './errors.js';