npm - @mcp-i/core - Versions diffs - 1.1.0-canary.2 → 1.1.0 - Mend

@mcp-i/core 1.1.0-canary.2 → 1.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (94) hide show

package/README.md +123 -333
package/dist/auth/handshake.d.ts +19 -4
package/dist/auth/handshake.d.ts.map +1 -1
package/dist/auth/handshake.js +52 -15
package/dist/auth/handshake.js.map +1 -1
package/dist/auth/index.d.ts +1 -1
package/dist/auth/index.d.ts.map +1 -1
package/dist/auth/index.js.map +1 -1
package/dist/delegation/did-key-resolver.d.ts.map +1 -1
package/dist/delegation/did-key-resolver.js +9 -6
package/dist/delegation/did-key-resolver.js.map +1 -1
package/dist/delegation/outbound-headers.d.ts +2 -4
package/dist/delegation/outbound-headers.d.ts.map +1 -1
package/dist/delegation/outbound-headers.js +2 -3
package/dist/delegation/outbound-headers.js.map +1 -1
package/dist/delegation/statuslist-manager.d.ts.map +1 -1
package/dist/delegation/statuslist-manager.js +1 -1
package/dist/delegation/statuslist-manager.js.map +1 -1
package/dist/delegation/vc-verifier.d.ts.map +1 -1
package/dist/delegation/vc-verifier.js +2 -2
package/dist/delegation/vc-verifier.js.map +1 -1
package/dist/errors.d.ts +42 -0
package/dist/errors.d.ts.map +1 -0
package/dist/errors.js +45 -0
package/dist/errors.js.map +1 -0
package/dist/index.d.ts +3 -2
package/dist/index.d.ts.map +1 -1
package/dist/index.js +3 -1
package/dist/index.js.map +1 -1
package/dist/middleware/index.d.ts +1 -0
package/dist/middleware/index.d.ts.map +1 -1
package/dist/middleware/index.js +1 -0
package/dist/middleware/index.js.map +1 -1
package/dist/middleware/mcpi-transport.d.ts +39 -0
package/dist/middleware/mcpi-transport.d.ts.map +1 -0
package/dist/middleware/mcpi-transport.js +121 -0
package/dist/middleware/mcpi-transport.js.map +1 -0
package/dist/middleware/with-mcpi-server.d.ts +25 -9
package/dist/middleware/with-mcpi-server.d.ts.map +1 -1
package/dist/middleware/with-mcpi-server.js +62 -47
package/dist/middleware/with-mcpi-server.js.map +1 -1
package/dist/middleware/with-mcpi.d.ts +26 -5
package/dist/middleware/with-mcpi.d.ts.map +1 -1
package/dist/middleware/with-mcpi.js +108 -10
package/dist/middleware/with-mcpi.js.map +1 -1
package/dist/providers/memory.js +2 -2
package/dist/providers/memory.js.map +1 -1
package/dist/session/manager.d.ts +7 -1
package/dist/session/manager.d.ts.map +1 -1
package/dist/session/manager.js +20 -4
package/dist/session/manager.js.map +1 -1
package/dist/utils/crypto-service.d.ts.map +1 -1
package/dist/utils/crypto-service.js +11 -10
package/dist/utils/crypto-service.js.map +1 -1
package/dist/utils/did-helpers.d.ts +12 -0
package/dist/utils/did-helpers.d.ts.map +1 -1
package/dist/utils/did-helpers.js +18 -0
package/dist/utils/did-helpers.js.map +1 -1
package/package.json +3 -3
package/src/__tests__/errors.test.ts +56 -0
package/src/__tests__/integration/full-flow.test.ts +1 -1
package/src/__tests__/integration/mcp-enhance-server.test.ts +48 -5
package/src/__tests__/integration/mcp-transport-context7.test.ts +19 -15
package/src/__tests__/integration/mcp-transport.test.ts +13 -10
package/src/__tests__/providers/base.test.ts +1 -1
package/src/__tests__/providers/memory.test.ts +2 -2
package/src/__tests__/utils/mock-providers.ts +2 -2
package/src/auth/__tests__/handshake.test.ts +190 -0
package/src/auth/handshake.ts +88 -21
package/src/auth/index.ts +1 -0
package/src/delegation/__tests__/did-key-resolver.test.ts +2 -2
package/src/delegation/__tests__/outbound-headers.test.ts +16 -20
package/src/delegation/__tests__/statuslist-manager.test.ts +120 -7
package/src/delegation/__tests__/vc-verifier.test.ts +45 -3
package/src/delegation/did-key-resolver.ts +11 -6
package/src/delegation/outbound-headers.ts +1 -4
package/src/delegation/statuslist-manager.ts +3 -1
package/src/delegation/vc-verifier.ts +3 -2
package/src/errors.ts +65 -0
package/src/index.ts +10 -0
package/src/middleware/__tests__/mcpi-transport.test.ts +150 -0
package/src/middleware/__tests__/with-mcpi-server.test.ts +117 -0
package/src/middleware/__tests__/with-mcpi.test.ts +124 -6
package/src/middleware/index.ts +6 -0
package/src/middleware/mcpi-transport.ts +162 -0
package/src/middleware/with-mcpi-server.ts +83 -92
package/src/middleware/with-mcpi.ts +147 -11
package/src/proof/__tests__/errors.test.ts +79 -0
package/src/proof/__tests__/verifier.test.ts +5 -5
package/src/providers/memory.ts +2 -2
package/src/session/__tests__/session-manager.test.ts +3 -3
package/src/session/manager.ts +28 -6
package/src/utils/crypto-service.ts +11 -10
package/src/utils/did-helpers.ts +19 -0

package/src/proof/__tests__/errors.test.ts ADDED Viewed

@@ -0,0 +1,79 @@
+import { describe, it, expect } from "vitest";
+import {
+  PROOF_VERIFICATION_ERROR_CODES,
+  ProofVerificationError,
+  createProofVerificationError,
+} from "../errors.js";
+describe("PROOF_VERIFICATION_ERROR_CODES", () => {
+  it("should define all expected error code categories", () => {
+    const codes = PROOF_VERIFICATION_ERROR_CODES;
+    // Proof structure
+    expect(codes.INVALID_PROOF_STRUCTURE).toBeDefined();
+    expect(codes.MISSING_REQUIRED_FIELD).toBeDefined();
+    // Security
+    expect(codes.NONCE_REPLAY_DETECTED).toBeDefined();
+    expect(codes.TIMESTAMP_SKEW_EXCEEDED).toBeDefined();
+    // JWS
+    expect(codes.INVALID_JWS_SIGNATURE).toBeDefined();
+    expect(codes.INVALID_JWS_FORMAT).toBeDefined();
+    // JWK
+    expect(codes.INVALID_JWK_FORMAT).toBeDefined();
+    // DID
+    expect(codes.DID_RESOLUTION_FAILED).toBeDefined();
+    expect(codes.DID_DOCUMENT_NOT_FOUND).toBeDefined();
+  });
+});
+describe("ProofVerificationError", () => {
+  it("should extend Error", () => {
+    const err = new ProofVerificationError(
+      PROOF_VERIFICATION_ERROR_CODES.NONCE_REPLAY_DETECTED,
+      "Nonce reused",
+    );
+    expect(err).toBeInstanceOf(Error);
+    expect(err.name).toBe("ProofVerificationError");
+    expect(err.message).toBe("Nonce reused");
+    expect(err.code).toBe("NONCE_REPLAY_DETECTED");
+  });
+  it("should include optional details", () => {
+    const err = new ProofVerificationError(
+      PROOF_VERIFICATION_ERROR_CODES.DID_DOCUMENT_NOT_FOUND,
+      "DID not found",
+      { did: "did:key:z6MkTest" },
+    );
+    expect(err.details).toEqual({ did: "did:key:z6MkTest" });
+  });
+  it("should have undefined details when not provided", () => {
+    const err = new ProofVerificationError(
+      PROOF_VERIFICATION_ERROR_CODES.INVALID_JWS_FORMAT,
+      "Bad format",
+    );
+    expect(err.details).toBeUndefined();
+  });
+});
+describe("createProofVerificationError", () => {
+  it("should create a ProofVerificationError instance", () => {
+    const err = createProofVerificationError(
+      PROOF_VERIFICATION_ERROR_CODES.TIMESTAMP_SKEW_EXCEEDED,
+      "Clock skew too large",
+      { skew: 300 },
+    );
+    expect(err).toBeInstanceOf(ProofVerificationError);
+    expect(err.code).toBe("TIMESTAMP_SKEW_EXCEEDED");
+    expect(err.message).toBe("Clock skew too large");
+    expect(err.details).toEqual({ skew: 300 });
+  });
+});

package/src/proof/__tests__/verifier.test.ts CHANGED Viewed

@@ -35,7 +35,7 @@ describe('ProofVerifier Security', () => {
     kty: 'OKP',
     crv: 'Ed25519',
     x: 'VCpo2LMLhn6iWku8MKvSLg2ZAoC-nlOyPVQaO3FxVeQ',
-    kid: 'did:key:z123#keys-1',
+    kid: 'did:key:z123#z123',
   };
   const createValidProof = (): DetachedProof => {
@@ -64,7 +64,7 @@ describe('ProofVerifier Security', () => {
       jws,
       meta: {
         did: 'did:key:z123',
-        kid: 'did:key:z123#keys-1',
+        kid: 'did:key:z123#z123',
         ts: Math.floor(Date.now() / 1000),
         nonce: 'nonce123',
         audience: 'test-audience',
@@ -104,7 +104,7 @@ describe('ProofVerifier Security', () => {
     mockFetchProvider = {
       resolveDID: vi.fn().mockResolvedValue({
         verificationMethod: [{
-          id: 'did:key:z123#keys-1',
+          id: 'did:key:z123#z123',
           publicKeyJwk: validJwk,
         }],
       }),
@@ -417,7 +417,7 @@ describe('ProofVerifier Security', () => {
   describe('fetchPublicKeyFromDID', () => {
     it('should fetch public key from DID document', async () => {
-      const jwk = await proofVerifier.fetchPublicKeyFromDID('did:key:z123', 'keys-1');
+      const jwk = await proofVerifier.fetchPublicKeyFromDID('did:key:z123', 'z123');
       expect(jwk).toEqual(validJwk);
       expect(mockFetchProvider.resolveDID).toHaveBeenCalledWith('did:key:z123');
@@ -462,7 +462,7 @@ describe('ProofVerifier Security', () => {
     it('should throw ProofVerificationError if JWK is not Ed25519', async () => {
       mockFetchProvider.resolveDID = vi.fn().mockResolvedValue({
         verificationMethod: [{
-          id: 'did:key:z123#keys-1',
+          id: 'did:key:z123#z123',
           publicKeyJwk: {
             kty: 'RSA',
             crv: 'RS256',

package/src/providers/memory.ts CHANGED Viewed

@@ -11,7 +11,7 @@ import {
   IdentityProvider,
   type AgentIdentity,
 } from './base.js';
-import { generateDidKeyFromBase64 } from '../utils/did-helpers.js';
+import { generateDidKeyFromBase64, didKeyFragment } from '../utils/did-helpers.js';
 export class MemoryStorageProvider extends StorageProvider {
   private store: Map<string, string> = new Map();
@@ -116,7 +116,7 @@ export class MemoryIdentityProvider extends IdentityProvider {
     return {
       did,
-      kid: `${did}#keys-1`,
+      kid: `${did}#${didKeyFragment(did)}`,
       privateKey: keyPair.privateKey,
       publicKey: keyPair.publicKey,
       createdAt: new Date().toISOString(),

package/src/session/__tests__/session-manager.test.ts CHANGED Viewed

@@ -88,7 +88,7 @@ describe("SessionManager", () => {
       const result = await manager.validateHandshake(request);
       expect(result.success).toBe(false);
-      expect(result.error?.code).toBe("XMCP_I_EHANDSHAKE");
+      expect(result.error?.code).toBe("handshake_failed");
     });
     it("should accept request within timestamp skew", async () => {
@@ -106,7 +106,7 @@ describe("SessionManager", () => {
       // Same request again (same nonce)
       const second = await manager.validateHandshake(request);
       expect(second.success).toBe(false);
-      expect(second.error?.code).toBe("XMCP_I_EHANDSHAKE");
+      expect(second.error?.code).toBe("handshake_failed");
     });
     it("should accept different nonces in succession", async () => {
@@ -261,7 +261,7 @@ describe("SessionManager", () => {
       const result = await sm.validateHandshake(request);
       expect(result.success).toBe(false);
-      expect(result.error?.code).toBe("MCPI_AUDIENCE_MISMATCH");
+      expect(result.error?.code).toBe("handshake_failed");
       expect(result.error?.message).toContain("Audience mismatch");
     });

package/src/session/manager.ts CHANGED Viewed

@@ -9,6 +9,7 @@
  * Cloudflare Workers) to remain synchronous without platform-specific imports.
  */
+import { MCPI_ERROR_CODES, type MCPIErrorCode } from "../errors.js";
 import type {
   HandshakeRequest,
   SessionContext,
@@ -24,28 +25,33 @@ export interface SessionConfig {
   absoluteSessionLifetime?: number;
   nonceCache?: NonceCache;
   serverDid?: string;
+  /** Maximum number of concurrent sessions. Oldest sessions are evicted when exceeded. Default: 10000 */
+  maxSessions?: number;
 }
 export interface HandshakeResult {
   success: boolean;
   session?: SessionContext;
   error?: {
-    code: string;
+    code: MCPIErrorCode;
     message: string;
     remediation?: string;
   };
 }
 export class SessionManager {
-  private config: Required<Omit<SessionConfig, 'absoluteSessionLifetime' | 'serverDid'>> & {
+  private config: Required<Omit<SessionConfig, 'absoluteSessionLifetime' | 'serverDid' | 'maxSessions'>> & {
     absoluteSessionLifetime?: number;
     serverDid?: string;
   };
   private cryptoProvider: CryptoProvider;
   private sessions = new Map<string, SessionContext>();
+  private sessionInsertionOrder: string[] = [];
+  private maxSessions: number;
   constructor(cryptoProvider: CryptoProvider, config: SessionConfig = {}) {
     this.cryptoProvider = cryptoProvider;
+    this.maxSessions = config.maxSessions ?? 10_000;
     this.config = {
       timestampSkewSeconds: config.timestampSkewSeconds ?? 120,
       sessionTtlMinutes: config.sessionTtlMinutes ?? 30,
@@ -89,7 +95,7 @@ export class SessionManager {
         return {
           success: false,
           error: {
-            code: 'XMCP_I_EHANDSHAKE',
+            code: MCPI_ERROR_CODES.handshake_failed,
             message: `Timestamp outside acceptable range (±${this.config.timestampSkewSeconds}s)`,
             remediation: `Check NTP sync on client and server. Current server time: ${now}, received: ${request.timestamp}, diff: ${timeDiff}s. Adjust timestampSkewSeconds if needed.`,
           },
@@ -101,7 +107,7 @@ export class SessionManager {
         return {
           success: false,
           error: {
-            code: 'MCPI_AUDIENCE_MISMATCH',
+            code: MCPI_ERROR_CODES.handshake_failed,
             message: `Audience mismatch: expected ${this.config.serverDid}, got ${request.audience}`,
           },
         };
@@ -115,7 +121,7 @@ export class SessionManager {
         return {
           success: false,
           error: {
-            code: 'XMCP_I_EHANDSHAKE',
+            code: MCPI_ERROR_CODES.handshake_failed,
             message: 'Nonce already used (replay attack prevention)',
             remediation: 'Generate a new unique nonce for each request',
           },
@@ -146,14 +152,16 @@ export class SessionManager {
         ...(clientInfo && { clientInfo }),
       };
+      this.evictIfNeeded();
       this.sessions.set(sessionId, session);
+      this.sessionInsertionOrder.push(sessionId);
       return { success: true, session };
     } catch (error) {
       return {
         success: false,
         error: {
-          code: 'XMCP_I_EHANDSHAKE',
+          code: MCPI_ERROR_CODES.handshake_failed,
           message: `Handshake validation failed: ${error instanceof Error ? error.message : 'Unknown error'}`,
         },
       };
@@ -262,6 +270,15 @@ export class SessionManager {
       .replace(/=/g, '');
   }
+  private evictIfNeeded(): void {
+    while (this.sessions.size >= this.maxSessions && this.sessionInsertionOrder.length > 0) {
+      const oldest = this.sessionInsertionOrder.shift();
+      if (oldest) {
+        this.sessions.delete(oldest);
+      }
+    }
+  }
   async cleanup(): Promise<void> {
     const now = Math.floor(Date.now() / 1000);
@@ -281,6 +298,10 @@ export class SessionManager {
       }
     }
+    this.sessionInsertionOrder = this.sessionInsertionOrder.filter(
+      id => this.sessions.has(id)
+    );
     await this.config.nonceCache.cleanup();
   }
@@ -306,6 +327,7 @@ export class SessionManager {
   clearSessions(): void {
     this.sessions.clear();
+    this.sessionInsertionOrder = [];
   }
 }

package/src/utils/crypto-service.ts CHANGED Viewed

@@ -6,6 +6,7 @@
  */
 import { CryptoProvider } from '../providers/base.js';
+import { logger } from '../logging/index.js';
 import {
   base64urlDecodeToString,
   base64urlDecodeToBytes,
@@ -43,7 +44,7 @@ export class CryptoService {
       const result = await this.cryptoProvider.verify(data, signature, publicKey);
       return result === true;
     } catch (error) {
-      console.error('[CryptoService] Ed25519 verification error:', error);
+      logger.error('[CryptoService] Ed25519 verification error:', error);
       return false;
     }
   }
@@ -101,12 +102,12 @@ export class CryptoService {
   ): Promise<boolean> {
     try {
       if (!this.isValidEd25519JWK(publicKeyJwk)) {
-        console.error('[CryptoService] Invalid Ed25519 JWK format');
+        logger.error('[CryptoService] Invalid Ed25519 JWK format');
         return false;
       }
       if (options?.expectedKid && publicKeyJwk.kid !== options.expectedKid) {
-        console.error('[CryptoService] Key ID mismatch');
+        logger.error('[CryptoService] Key ID mismatch');
         return false;
       }
@@ -126,22 +127,22 @@ export class CryptoService {
               const signatureBytes = base64urlDecodeToBytes(signatureB64);
               parsed = { header, payload: undefined, signatureBytes, signingInput: '' };
             } catch {
-              console.error('[CryptoService] Invalid detached JWS format');
+              logger.error('[CryptoService] Invalid detached JWS format');
               return false;
             }
           } else {
-            console.error('[CryptoService] Invalid JWS format:', error);
+            logger.error('[CryptoService] Invalid JWS format:', error);
             return false;
           }
         } else {
-          console.error('[CryptoService] Invalid JWS format:', error);
+          logger.error('[CryptoService] Invalid JWS format:', error);
           return false;
         }
       }
       const expectedAlg = options?.alg || 'EdDSA';
       if (parsed.header['alg'] !== expectedAlg) {
-        console.error(
+        logger.error(
           `[CryptoService] Unsupported algorithm: ${parsed.header['alg']}, expected ${expectedAlg}`
         );
         return false;
@@ -164,7 +165,7 @@ export class CryptoService {
         signingInputBytes = new TextEncoder().encode(`${headerB64}.${payloadB64}`);
       } else {
         if (!parsed.signingInput) {
-          console.error('[CryptoService] Missing signing input for compact JWS');
+          logger.error('[CryptoService] Missing signing input for compact JWS');
           return false;
         }
         signingInputBytes = new TextEncoder().encode(parsed.signingInput);
@@ -174,13 +175,13 @@ export class CryptoService {
       try {
         publicKeyBase64 = this.jwkToBase64PublicKey(publicKeyJwk);
       } catch (error) {
-        console.error('[CryptoService] Failed to extract public key:', error);
+        logger.error('[CryptoService] Failed to extract public key:', error);
         return false;
       }
       return await this.verifyEd25519(signingInputBytes, parsed.signatureBytes, publicKeyBase64);
     } catch (error) {
-      console.error('[CryptoService] JWS verification error:', error);
+      logger.error('[CryptoService] JWS verification error:', error);
       return false;
     }
   }

package/src/utils/did-helpers.ts CHANGED Viewed

@@ -208,3 +208,22 @@ export function generateDidKeyFromBase64(publicKeyBase64: string): string {
   );
   return generateDidKeyFromBytes(publicKeyBytes);
 }
+/**
+ * Get the spec-compliant fragment identifier for a did:key DID.
+ *
+ * Per the did:key spec (W3C CCG), the fragment equals the multibase-encoded
+ * public key value (the DID-specific-id). For example:
+ *   did:key:z6MkABC... → z6MkABC...
+ *
+ * @see https://w3c-ccg.github.io/did-key-spec/#document-creation-algorithm
+ * @param did - A did:key DID string
+ * @returns The fragment identifier (multibase value), or 'keys-1' as fallback for non-did:key
+ */
+export function didKeyFragment(did: string): string {
+  if (did.startsWith('did:key:')) {
+    return did.slice('did:key:'.length);
+  }
+  // Fallback for non-did:key methods
+  return 'keys-1';
+}