@mcp-i/core 1.1.1 → 1.2.0

package/src/delegation/outbound-headers.ts

@@ -5,10 +5,10 @@
  * delegation context to downstream services.
  *
  * Headers (MCP-I §7):
- * - X-Agent-DID: the original agent's DID
- * - X-Delegation-Chain: the delegation chain ID (vcId of the root delegation)
- * - X-Session-ID: the current session ID
- * - X-Delegation-Proof: a signed JWT proving the delegation is being forwarded
+ * - KYA-Agent-DID: the original agent's DID
+ * - KYA-Delegation-Chain: the delegation chain ID (vcId of the root delegation)
+ * - KYA-Session-Id: the current session ID
+ * - KYA-Delegation-Proof: a signed JWT proving the delegation is being forwarded
  *
  * Related Spec: MCP-I §7 — Outbound Delegation Propagation
  */
@@ -23,10 +23,10 @@ import { logger } from '../logging/index.js';
  * Header names for outbound delegation propagation
  */
 export const OUTBOUND_HEADER_NAMES = {
-  AGENT_DID: 'X-Agent-DID',
-  DELEGATION_CHAIN: 'X-Delegation-Chain',
-  SESSION_ID: 'X-Session-ID',
-  DELEGATION_PROOF: 'X-Delegation-Proof',
+  AGENT_DID: 'KYA-Agent-DID',
+  DELEGATION_CHAIN: 'KYA-Delegation-Chain',
+  SESSION_ID: 'KYA-Session-Id',
+  DELEGATION_PROOF: 'KYA-Delegation-Proof',
 } as const;
 
 /**
@@ -51,10 +51,10 @@ export interface OutboundDelegationContext {
  * Outbound delegation headers to attach to downstream requests
  */
 export interface OutboundDelegationHeaders {
-  'X-Agent-DID': string;
-  'X-Delegation-Chain': string;
-  'X-Session-ID': string;
-  'X-Delegation-Proof': string;
+  'KYA-Agent-DID': string;
+  'KYA-Delegation-Chain': string;
+  'KYA-Session-Id': string;
+  'KYA-Delegation-Proof': string;
 }
 
 /**
@@ -182,9 +182,9 @@ export async function buildOutboundDelegationHeaders(
   });
 
   return {
-    'X-Agent-DID': session.agentDid,
-    'X-Delegation-Chain': delegation.vcId,
-    'X-Session-ID': session.sessionId,
-    'X-Delegation-Proof': jwt,
+    'KYA-Agent-DID': session.agentDid,
+    'KYA-Delegation-Chain': delegation.vcId,
+    'KYA-Session-Id': session.sessionId,
+    'KYA-Delegation-Proof': jwt,
   };
 }

package/src/delegation/outbound-proof.ts

@@ -5,7 +5,7 @@
  * Enables downstream services to independently verify the delegation chain.
  *
  * Wire format: signed compact EdDSA JWT (60s TTL, per-call jti)
- * Header injection: X-Delegation-Id, X-Delegation-Chain, X-Delegation-Proof, X-Scopes
+ * Header injection: KYA-Delegation-Id, KYA-Delegation-Chain, KYA-Delegation-Proof, KYA-Granted-Scopes
  *
  * Related Spec: MCP-I §2 — Outbound Delegation Propagation
  */

package/src/delegation/statuslist-manager.ts

@@ -28,6 +28,8 @@ export interface StatusListIdentityProvider {
 export class StatusList2021Manager {
   private statusListBaseUrl: string;
   private defaultListSize: number;
+  /** Per-status-list mutex to serialize updateStatus calls and prevent race conditions. */
+  private updateLocks = new Map<string, Promise<void>>();
 
   constructor(
     private storage: StatusListStorageProvider,
@@ -63,6 +65,21 @@ export class StatusList2021Manager {
   }
 
   async updateStatus(credentialStatus: CredentialStatus, revoked: boolean): Promise<void> {
+    const { statusListCredential } = credentialStatus;
+
+    // Serialize updates per status list to prevent concurrent read-modify-write races.
+    // Each call chains on the previous operation for the same list.
+    const previous = this.updateLocks.get(statusListCredential) ?? Promise.resolve();
+    const operation = previous.then(() => this.doUpdateStatus(credentialStatus, revoked));
+
+    // Store a non-rejecting version so the chain continues even if one update fails
+    this.updateLocks.set(statusListCredential, operation.catch(() => {}));
+
+    // Propagate the actual error to the caller
+    await operation;
+  }
+
+  private async doUpdateStatus(credentialStatus: CredentialStatus, revoked: boolean): Promise<void> {
     const { statusListCredential, statusListIndex } = credentialStatus;
 
     const statusList = await this.storage.getStatusList(statusListCredential);

package/src/middleware/with-mcpi-server.ts

@@ -71,11 +71,7 @@ export async function generateIdentity(
  */
 interface McpServerLike {
   connect(transport: Transport): Promise<unknown>;
-  registerTool(
-    name: string,
-    config: Record<string, unknown>,
-    handler: (args: unknown) => Promise<unknown>,
-  ): void;
+  registerTool(...args: unknown[]): void;
 }
 
 /**

package/src/middleware/with-mcpi.ts

@@ -85,6 +85,20 @@ export interface MCPIDelegationConfig {
   resolveDelegationChain?: (
     leafCredential: DelegationCredential,
   ) => Promise<DelegationCredential[]>;
+  /**
+   * When true, re-delegations (credentials with a `parentId`) MUST include
+   * an `audience` constraint binding them to the verifying server's DID.
+   *
+   * This prevents confused-deputy attacks where a delegated credential is
+   * forwarded to an unintended server. Without audience binding, any server
+   * that receives the credential will accept it.
+   *
+   * Recommended for production. See: Alan Karp's transitive access analysis
+   * and MCP-I §11.6 (Confused Deputy Attacks).
+   *
+   * Default is false for backward compatibility.
+   */
+  requireAudienceOnRedelegation?: boolean;
   /**
    * Compatibility mode for legacy integrations that cannot yet provide
    * full delegation-chain and status-list resolvers.
@@ -789,6 +803,21 @@ export function createMCPIMiddleware(
           };
         }
 
+        // When requireAudienceOnRedelegation is enabled, every non-root
+        // credential in the chain MUST have an audience constraint.
+        // This prevents confused-deputy attacks where re-delegated
+        // credentials are forwarded to unintended servers.
+        if (
+          delegationConfig?.requireAudienceOnRedelegation &&
+          delegation.parentId &&
+          !delegation.constraints.audience
+        ) {
+          return {
+            valid: false,
+            reason: `Delegation ${delegation.id} is a re-delegation (parentId: ${delegation.parentId}) but has no audience constraint. Re-delegations must include an audience when requireAudienceOnRedelegation is enabled`,
+          };
+        }
+
         if (!previousDelegation || !previousCredential) {
           if (delegation.parentId) {
             return {

package/src/proof/__tests__/verifier.integration.test.ts

@@ -0,0 +1,181 @@
+/**
+ * ProofVerifier Integration Tests (Real Crypto)
+ *
+ * Companion to verifier.test.ts — these tests use real Ed25519 signing,
+ * real nonce caching, and real clock providers instead of mocking.
+ *
+ * The mocked unit tests verify pipeline logic and error code propagation.
+ * These integration tests verify that real proofs are correctly verified
+ * and that security properties hold with actual cryptographic operations.
+ */
+
+import { describe, it, expect, beforeAll, beforeEach } from 'vitest';
+import { ProofGenerator } from '../generator.js';
+import { ProofVerifier } from '../verifier.js';
+import type { AgentIdentity } from '../../providers/base.js';
+import { extractPublicKeyFromDidKey, publicKeyToJwk } from '../../delegation/did-key-resolver.js';
+import type { Ed25519JWK } from '../../utils/crypto-service.js';
+import {
+  createRealCryptoProvider,
+  createRealIdentity,
+  RealClockProvider,
+  RealFetchProvider,
+  MemoryNonceCacheProvider,
+} from '../../__tests__/audit/helpers/crypto-helpers.js';
+import { NodeCryptoProvider } from '../../__tests__/utils/node-crypto-provider.js';
+
+describe('ProofVerifier (real crypto)', () => {
+  let crypto: NodeCryptoProvider;
+  let agent: AgentIdentity;
+  let otherAgent: AgentIdentity;
+
+  beforeAll(async () => {
+    crypto = createRealCryptoProvider();
+    agent = await createRealIdentity(crypto);
+    otherAgent = await createRealIdentity(crypto);
+  });
+
+  function makeVerifier(): { verifier: ProofVerifier; nonceCache: MemoryNonceCacheProvider } {
+    const nonceCache = new MemoryNonceCacheProvider();
+    const verifier = new ProofVerifier({
+      cryptoProvider: crypto,
+      clockProvider: new RealClockProvider(),
+      nonceCacheProvider: nonceCache,
+      fetchProvider: new RealFetchProvider(),
+      timestampSkewSeconds: 300,
+    });
+    return { verifier, nonceCache };
+  }
+
+  function getJwk(identity: AgentIdentity): Ed25519JWK {
+    const raw = extractPublicKeyFromDidKey(identity.did);
+    const jwk = publicKeyToJwk(raw!);
+    jwk.kid = identity.kid;
+    return jwk as Ed25519JWK;
+  }
+
+  async function generateProof(identity: AgentIdentity) {
+    const gen = new ProofGenerator(
+      { did: identity.did, kid: identity.kid, privateKey: identity.privateKey, publicKey: identity.publicKey },
+      crypto
+    );
+    return gen.generateProof(
+      { method: 'tools/call', params: { name: 'test-tool' } },
+      { data: { output: 'result' } },
+      {
+        sessionId: 'sess_integration',
+        audience: 'did:web:server.example.com',
+        nonce: `nonce-${Date.now()}-${Math.random().toString(36).slice(2)}`,
+        timestamp: Math.floor(Date.now() / 1000),
+        createdAt: Math.floor(Date.now() / 1000),
+        lastActivity: Math.floor(Date.now() / 1000),
+        ttlMinutes: 30,
+        identityState: 'anonymous',
+      }
+    );
+  }
+
+  // ── Core Verification ─────────────────────────────────────────
+
+  it('should verify a valid proof with real Ed25519 signature', async () => {
+    const { verifier } = makeVerifier();
+    const proof = await generateProof(agent);
+    const jwk = getJwk(agent);
+
+    const result = await verifier.verifyProof(proof, jwk);
+
+    expect(result.valid).toBe(true);
+  });
+
+  it('should reject proof signed by a different key', async () => {
+    const { verifier } = makeVerifier();
+    const proof = await generateProof(agent);
+    const wrongJwk = getJwk(otherAgent);
+
+    const result = await verifier.verifyProof(proof, wrongJwk);
+
+    expect(result.valid).toBe(false);
+  });
+
+  // ── Nonce Replay (real cache) ─────────────────────────────────
+
+  it('should prevent nonce replay with real MemoryNonceCacheProvider', async () => {
+    const { verifier } = makeVerifier();
+    const proof = await generateProof(agent);
+    const jwk = getJwk(agent);
+
+    const first = await verifier.verifyProof(proof, jwk);
+    expect(first.valid).toBe(true);
+
+    const replay = await verifier.verifyProof(proof, jwk);
+    expect(replay.valid).toBe(false);
+    expect(replay.reason).toContain('replay');
+  });
+
+  it('should scope nonces per agent DID', async () => {
+    const { verifier } = makeVerifier();
+
+    const proofA = await generateProof(agent);
+    const proofB = await generateProof(otherAgent);
+    const jwkA = getJwk(agent);
+    const jwkB = getJwk(otherAgent);
+
+    const resultA = await verifier.verifyProof(proofA, jwkA);
+    const resultB = await verifier.verifyProof(proofB, jwkB);
+
+    expect(resultA.valid).toBe(true);
+    expect(resultB.valid).toBe(true);
+  });
+
+  // ── Detached Verification ─────────────────────────────────────
+
+  it('should verify proof via verifyProofDetached with string payload', async () => {
+    const { verifier } = makeVerifier();
+    const proof = await generateProof(agent);
+    const jwk = getJwk(agent);
+    const canonical = verifier.buildCanonicalPayload(proof.meta);
+
+    const result = await verifier.verifyProofDetached(proof, canonical, jwk);
+
+    expect(result.valid).toBe(true);
+  });
+
+  it('should verify proof via verifyProofDetached with Uint8Array payload', async () => {
+    const { verifier } = makeVerifier();
+    const proof = await generateProof(agent);
+    const jwk = getJwk(agent);
+    const canonical = new TextEncoder().encode(verifier.buildCanonicalPayload(proof.meta));
+
+    const result = await verifier.verifyProofDetached(proof, canonical, jwk);
+
+    expect(result.valid).toBe(true);
+  });
+
+  // ── Proof Structure Rejection ─────────────────────────────────
+
+  it('should reject malformed proof structure', async () => {
+    const { verifier } = makeVerifier();
+    const jwk = getJwk(agent);
+
+    const result = await verifier.verifyProof(
+      { jws: 'not-valid', meta: { did: 'x' } } as any,
+      jwk
+    );
+
+    expect(result.valid).toBe(false);
+    expect(result.reason).toContain('Invalid proof structure');
+  });
+
+  // ── fetchPublicKeyFromDID (real DID resolution) ───────────────
+
+  it('should resolve a real did:key to a valid Ed25519 JWK', async () => {
+    const { verifier } = makeVerifier();
+
+    const jwk = await verifier.fetchPublicKeyFromDID(agent.did);
+
+    expect(jwk).toBeDefined();
+    expect(jwk!.kty).toBe('OKP');
+    expect(jwk!.crv).toBe('Ed25519');
+    expect(jwk!.x).toBeTruthy();
+  });
+});