npm - @openintentai/mcp-server - Versions diffs - 0.13.4 - Mend

@openintentai/mcp-server 0.13.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (27) hide show

package/README.md +123 -0
package/dist/client.d.ts +302 -0
package/dist/client.d.ts.map +1 -0
package/dist/client.js +470 -0
package/dist/client.js.map +1 -0
package/dist/config.d.ts +42 -0
package/dist/config.d.ts.map +1 -0
package/dist/config.js +106 -0
package/dist/config.js.map +1 -0
package/dist/index.d.ts +3 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +64 -0
package/dist/index.js.map +1 -0
package/dist/resources.d.ts +25 -0
package/dist/resources.d.ts.map +1 -0
package/dist/resources.js +96 -0
package/dist/resources.js.map +1 -0
package/dist/security.d.ts +75 -0
package/dist/security.d.ts.map +1 -0
package/dist/security.js +248 -0
package/dist/security.js.map +1 -0
package/dist/tools.d.ts +21 -0
package/dist/tools.d.ts.map +1 -0
package/dist/tools.js +1485 -0
package/dist/tools.js.map +1 -0
package/openintent-mcp.config.json +18 -0
package/package.json +55 -0

package/dist/index.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+#!/usr/bin/env node
+export {};
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":""}

package/dist/index.js ADDED Viewed

@@ -0,0 +1,64 @@
+#!/usr/bin/env node
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const index_js_1 = require("@modelcontextprotocol/sdk/server/index.js");
+const stdio_js_1 = require("@modelcontextprotocol/sdk/server/stdio.js");
+const types_js_1 = require("@modelcontextprotocol/sdk/types.js");
+const config_js_1 = require("./config.js");
+const security_js_1 = require("./security.js");
+const client_js_1 = require("./client.js");
+const tools_js_1 = require("./tools.js");
+const resources_js_1 = require("./resources.js");
+async function main() {
+    const config = (0, config_js_1.loadConfig)();
+    const warnings = (0, security_js_1.validateConfig)(config);
+    for (const w of warnings) {
+        process.stderr.write(`[openintent-mcp] WARNING: ${w}\n`);
+    }
+    const visibleTools = (0, security_js_1.getVisibleTools)(config);
+    const apiClient = new client_js_1.OpenIntentClient(config);
+    const server = new index_js_1.Server({
+        name: "openintent-mcp",
+        version: "0.13.2",
+    }, {
+        capabilities: {
+            tools: {},
+            resources: {},
+        },
+    });
+    server.setRequestHandler(types_js_1.ListToolsRequestSchema, async () => ({
+        tools: tools_js_1.TOOL_DEFINITIONS
+            .filter((t) => visibleTools.has(t.name))
+            .map((t) => ({
+            name: t.name,
+            description: t.description,
+            inputSchema: t.inputSchema,
+        })),
+    }));
+    server.setRequestHandler(types_js_1.CallToolRequestSchema, async (request) => {
+        const { name, arguments: args } = request.params;
+        return (0, tools_js_1.handleToolCall)(name, (args ?? {}), apiClient, config);
+    });
+    server.setRequestHandler(types_js_1.ListResourceTemplatesRequestSchema, async () => ({
+        resourceTemplates: resources_js_1.RESOURCE_TEMPLATES.map((r) => ({
+            uriTemplate: r.uriTemplate,
+            name: r.name,
+            description: r.description,
+            mimeType: r.mimeType,
+        })),
+    }));
+    server.setRequestHandler(types_js_1.ReadResourceRequestSchema, async (request) => {
+        return (0, resources_js_1.handleReadResource)(request.params.uri, apiClient);
+    });
+    const transport = new stdio_js_1.StdioServerTransport();
+    await server.connect(transport);
+    const toolCount = visibleTools.size;
+    const totalCount = tools_js_1.TOOL_DEFINITIONS.length;
+    process.stderr.write(`[openintent-mcp] Server started – role="${config.security.role}", ` +
+        `tools=${toolCount}/${totalCount}, connected to ${config.server.url}\n`);
+}
+main().catch((err) => {
+    process.stderr.write(`[openintent-mcp] Fatal error: ${err}\n`);
+    process.exit(1);
+});
+//# sourceMappingURL=index.js.map

package/dist/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;AAEA,wEAAmE;AACnE,wEAAiF;AACjF,iEAK4C;AAE5C,2CAAyC;AACzC,+CAAgE;AAChE,2CAA+C;AAC/C,yCAA8D;AAC9D,iDAAwE;AAExE,KAAK,UAAU,IAAI;IACjB,MAAM,MAAM,GAAG,IAAA,sBAAU,GAAE,CAAC;IAE5B,MAAM,QAAQ,GAAG,IAAA,4BAAc,EAAC,MAAM,CAAC,CAAC;IACxC,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,6BAA6B,CAAC,IAAI,CAAC,CAAC;IAC3D,CAAC;IAED,MAAM,YAAY,GAAG,IAAA,6BAAe,EAAC,MAAM,CAAC,CAAC;IAE7C,MAAM,SAAS,GAAG,IAAI,4BAAgB,CAAC,MAAM,CAAC,CAAC;IAE/C,MAAM,MAAM,GAAG,IAAI,iBAAM,CACvB;QACE,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,QAAQ;KAClB,EACD;QACE,YAAY,EAAE;YACZ,KAAK,EAAE,EAAE;YACT,SAAS,EAAE,EAAE;SACd;KACF,CACF,CAAC;IAEF,MAAM,CAAC,iBAAiB,CAAC,iCAAsB,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC;QAC5D,KAAK,EAAE,2BAAgB;aACpB,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;aACvC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YACX,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,WAAW,EAAE,CAAC,CAAC,WAAW;YAC1B,WAAW,EAAE,CAAC,CAAC,WAAW;SAC3B,CAAC,CAAC;KACN,CAAC,CAAC,CAAC;IAEJ,MAAM,CAAC,iBAAiB,CAAC,gCAAqB,EAAE,KAAK,EAAE,OAA0E,EAAE,EAAE;QACnI,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC;QACjD,OAAO,IAAA,yBAAc,EAAC,IAAI,EAAE,CAAC,IAAI,IAAI,EAAE,CAA4B,EAAE,SAAS,EAAE,MAAM,CAAC,CAAC;IAC1F,CAAC,CAAC,CAAC;IAEH,MAAM,CAAC,iBAAiB,CAAC,6CAAkC,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC;QACxE,iBAAiB,EAAE,iCAAkB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YAChD,WAAW,EAAE,CAAC,CAAC,WAAW;YAC1B,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,WAAW,EAAE,CAAC,CAAC,WAAW;YAC1B,QAAQ,EAAE,CAAC,CAAC,QAAQ;SACrB,CAAC,CAAC;KACJ,CAAC,CAAC,CAAC;IAEJ,MAAM,CAAC,iBAAiB,CAAC,oCAAyB,EAAE,KAAK,EAAE,OAAoC,EAAE,EAAE;QACjG,OAAO,IAAA,iCAAkB,EAAC,OAAO,CAAC,MAAM,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;IAC3D,CAAC,CAAC,CAAC;IAEH,MAAM,SAAS,GAAG,IAAI,+BAAoB,EAAE,CAAC;IAC7C,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAEhC,MAAM,SAAS,GAAG,YAAY,CAAC,IAAI,CAAC;IACpC,MAAM,UAAU,GAAG,2BAAgB,CAAC,MAAM,CAAC;IAC3C,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,2CAA2C,MAAM,CAAC,QAAQ,CAAC,IAAI,KAAK;QACpE,SAAS,SAAS,IAAI,UAAU,kBAAkB,MAAM,CAAC,MAAM,CAAC,GAAG,IAAI,CACxE,CAAC;AACJ,CAAC;AAED,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;IACnB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,iCAAiC,GAAG,IAAI,CAAC,CAAC;IAC/D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC"}

package/dist/resources.d.ts ADDED Viewed

@@ -0,0 +1,25 @@
+import type { OpenIntentClient } from "./client.js";
+export interface ResourceDefinition {
+    uri: string;
+    name: string;
+    description: string;
+    mimeType: string;
+}
+export interface ResourceTemplateDefinition {
+    uriTemplate: string;
+    name: string;
+    description: string;
+    mimeType: string;
+}
+export declare const RESOURCE_TEMPLATES: ResourceTemplateDefinition[];
+/**
+ * Resolve a resource URI to data by calling the OpenIntent API.
+ */
+export declare function handleReadResource(uri: string, client: OpenIntentClient): Promise<{
+    contents: Array<{
+        uri: string;
+        mimeType: string;
+        text: string;
+    }>;
+}>;
+//# sourceMappingURL=resources.d.ts.map

package/dist/resources.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"resources.d.ts","sourceRoot":"","sources":["../src/resources.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAEpD,MAAM,WAAW,kBAAkB;IACjC,GAAG,EAAE,MAAM,CAAC;IACZ,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,0BAA0B;IACzC,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,eAAO,MAAM,kBAAkB,EAAE,0BAA0B,EA+B1D,CAAC;AAEF;;GAEG;AACH,wBAAsB,kBAAkB,CACtC,GAAG,EAAE,MAAM,EACX,MAAM,EAAE,gBAAgB,GACvB,OAAO,CAAC;IAAE,QAAQ,EAAE,KAAK,CAAC;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAA;CAAE,CAAC,CA6D/E"}

package/dist/resources.js ADDED Viewed

@@ -0,0 +1,96 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RESOURCE_TEMPLATES = void 0;
+exports.handleReadResource = handleReadResource;
+exports.RESOURCE_TEMPLATES = [
+    {
+        uriTemplate: "openintent://intents",
+        name: "All Intents",
+        description: "List all intents. Append ?status=active to filter by status.",
+        mimeType: "application/json",
+    },
+    {
+        uriTemplate: "openintent://intents/{intent_id}",
+        name: "Intent Details",
+        description: "Get full details for a specific intent including status, state, and metadata.",
+        mimeType: "application/json",
+    },
+    {
+        uriTemplate: "openintent://intents/{intent_id}/events",
+        name: "Intent Events",
+        description: "Get the immutable event log for an intent.",
+        mimeType: "application/json",
+    },
+    {
+        uriTemplate: "openintent://intents/{intent_id}/state",
+        name: "Intent State",
+        description: "Get the current state key-value data for an intent.",
+        mimeType: "application/json",
+    },
+    {
+        uriTemplate: "openintent://channels/{channel_id}/messages",
+        name: "Channel Messages",
+        description: "Get messages from a messaging channel.",
+        mimeType: "application/json",
+    },
+];
+/**
+ * Resolve a resource URI to data by calling the OpenIntent API.
+ */
+async function handleReadResource(uri, client) {
+    const parsed = new URL(uri);
+    const path = parsed.hostname + parsed.pathname;
+    // openintent://intents
+    if (path === "intents" || path === "intents/") {
+        const status = parsed.searchParams.get("status") ?? undefined;
+        const data = await client.listIntents({ status });
+        return {
+            contents: [
+                { uri, mimeType: "application/json", text: JSON.stringify(data, null, 2) },
+            ],
+        };
+    }
+    // openintent://intents/{id}/events
+    const eventsMatch = path.match(/^intents\/([^/]+)\/events$/);
+    if (eventsMatch) {
+        const data = await client.getEvents({ intent_id: eventsMatch[1] });
+        return {
+            contents: [
+                { uri, mimeType: "application/json", text: JSON.stringify(data, null, 2) },
+            ],
+        };
+    }
+    // openintent://intents/{id}/state
+    const stateMatch = path.match(/^intents\/([^/]+)\/state$/);
+    if (stateMatch) {
+        const intent = (await client.getIntent(stateMatch[1]));
+        const state = intent.state ?? {};
+        return {
+            contents: [
+                { uri, mimeType: "application/json", text: JSON.stringify(state, null, 2) },
+            ],
+        };
+    }
+    // openintent://intents/{id}
+    const intentMatch = path.match(/^intents\/([^/]+)$/);
+    if (intentMatch) {
+        const data = await client.getIntent(intentMatch[1]);
+        return {
+            contents: [
+                { uri, mimeType: "application/json", text: JSON.stringify(data, null, 2) },
+            ],
+        };
+    }
+    // openintent://channels/{id}/messages
+    const channelMatch = path.match(/^channels\/([^/]+)\/messages$/);
+    if (channelMatch) {
+        const data = await client.getChannelMessages({ channel_id: channelMatch[1] });
+        return {
+            contents: [
+                { uri, mimeType: "application/json", text: JSON.stringify(data, null, 2) },
+            ],
+        };
+    }
+    throw new Error(`Unknown resource URI: ${uri}`);
+}
+//# sourceMappingURL=resources.js.map

package/dist/resources.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"resources.js","sourceRoot":"","sources":["../src/resources.ts"],"names":[],"mappings":";;;AAoDA,gDAgEC;AApGY,QAAA,kBAAkB,GAAiC;IAC9D;QACE,WAAW,EAAE,sBAAsB;QACnC,IAAI,EAAE,aAAa;QACnB,WAAW,EAAE,8DAA8D;QAC3E,QAAQ,EAAE,kBAAkB;KAC7B;IACD;QACE,WAAW,EAAE,kCAAkC;QAC/C,IAAI,EAAE,gBAAgB;QACtB,WAAW,EAAE,+EAA+E;QAC5F,QAAQ,EAAE,kBAAkB;KAC7B;IACD;QACE,WAAW,EAAE,yCAAyC;QACtD,IAAI,EAAE,eAAe;QACrB,WAAW,EAAE,4CAA4C;QACzD,QAAQ,EAAE,kBAAkB;KAC7B;IACD;QACE,WAAW,EAAE,wCAAwC;QACrD,IAAI,EAAE,cAAc;QACpB,WAAW,EAAE,qDAAqD;QAClE,QAAQ,EAAE,kBAAkB;KAC7B;IACD;QACE,WAAW,EAAE,6CAA6C;QAC1D,IAAI,EAAE,kBAAkB;QACxB,WAAW,EAAE,wCAAwC;QACrD,QAAQ,EAAE,kBAAkB;KAC7B;CACF,CAAC;AAEF;;GAEG;AACI,KAAK,UAAU,kBAAkB,CACtC,GAAW,EACX,MAAwB;IAExB,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;IAC5B,MAAM,IAAI,GAAG,MAAM,CAAC,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC;IAE/C,uBAAuB;IACvB,IAAI,IAAI,KAAK,SAAS,IAAI,IAAI,KAAK,UAAU,EAAE,CAAC;QAC9C,MAAM,MAAM,GAAG,MAAM,CAAC,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,SAAS,CAAC;QAC9D,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC;QAClD,OAAO;YACL,QAAQ,EAAE;gBACR,EAAE,GAAG,EAAE,QAAQ,EAAE,kBAAkB,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE;aAC3E;SACF,CAAC;IACJ,CAAC;IAED,mCAAmC;IACnC,MAAM,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,4BAA4B,CAAC,CAAC;IAC7D,IAAI,WAAW,EAAE,CAAC;QAChB,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,EAAE,SAAS,EAAE,WAAW,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;QACnE,OAAO;YACL,QAAQ,EAAE;gBACR,EAAE,GAAG,EAAE,QAAQ,EAAE,kBAAkB,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE;aAC3E;SACF,CAAC;IACJ,CAAC;IAED,kCAAkC;IAClC,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,2BAA2B,CAAC,CAAC;IAC3D,IAAI,UAAU,EAAE,CAAC;QACf,MAAM,MAAM,GAAG,CAAC,MAAM,MAAM,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAA4B,CAAC;QAClF,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,IAAI,EAAE,CAAC;QACjC,OAAO;YACL,QAAQ,EAAE;gBACR,EAAE,GAAG,EAAE,QAAQ,EAAE,kBAAkB,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE;aAC5E;SACF,CAAC;IACJ,CAAC;IAED,4BAA4B;IAC5B,MAAM,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAC;IACrD,IAAI,WAAW,EAAE,CAAC;QAChB,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,CAAC;QACpD,OAAO;YACL,QAAQ,EAAE;gBACR,EAAE,GAAG,EAAE,QAAQ,EAAE,kBAAkB,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE;aAC3E;SACF,CAAC;IACJ,CAAC;IAED,sCAAsC;IACtC,MAAM,YAAY,GAAG,IAAI,CAAC,KAAK,CAAC,+BAA+B,CAAC,CAAC;IACjE,IAAI,YAAY,EAAE,CAAC;QACjB,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,kBAAkB,CAAC,EAAE,UAAU,EAAE,YAAY,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;QAC9E,OAAO;YACL,QAAQ,EAAE;gBACR,EAAE,GAAG,EAAE,QAAQ,EAAE,kBAAkB,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE;aAC3E;SACF,CAAC;IACJ,CAAC;IAED,MAAM,IAAI,KAAK,CAAC,yBAAyB,GAAG,EAAE,CAAC,CAAC;AAClD,CAAC"}

package/dist/security.d.ts ADDED Viewed

@@ -0,0 +1,75 @@
+import type { MCPConfig, MCPRole } from "./config.js";
+export interface AuditEntry {
+    timestamp: string;
+    operation: string;
+    params: Record<string, unknown>;
+    result: "success" | "error";
+    duration_ms: number;
+    agent_id: string;
+}
+/**
+ * Tool permission tiers.
+ *
+ * Each tool belongs to exactly one tier. Tiers are cumulative — higher roles
+ * inherit all tools from lower tiers.
+ *
+ *   read   — Observe protocol state without side effects.
+ *   write  — Progress work within an intent (create content, send messages).
+ *   admin  — Lifecycle control, coordination primitives, structural changes.
+ */
+export type ToolTier = "read" | "write" | "admin";
+export declare const TOOL_TIERS: Record<string, ToolTier>;
+/**
+ * Map each role to the set of tiers it grants access to.
+ *
+ *   reader   → read
+ *   operator → read + write
+ *   admin    → read + write + admin
+ */
+export declare const ROLE_TIERS: Record<MCPRole, Set<ToolTier>>;
+export declare function getToolTier(toolName: string): ToolTier | undefined;
+export declare function getTiersForRole(role: MCPRole): Set<ToolTier>;
+export declare function getToolsForRole(role: MCPRole): string[];
+/**
+ * Check whether a tool is permitted by the configured role.
+ * Returns `true` if the tool's tier is within the role's granted tiers.
+ * Unknown tools are denied by default.
+ */
+export declare function checkToolAllowedByRole(toolName: string, config: MCPConfig): boolean;
+/**
+ * Check whether a tool name is permitted by the explicit allowlist.
+ * Returns `true` if the tool is allowed, `false` otherwise.
+ */
+export declare function checkToolAllowed(toolName: string, config: MCPConfig): boolean;
+/**
+ * Combined check: a tool must pass BOTH the role gate AND the allowlist.
+ * Returns an object with allowed status and a reason string for denials.
+ */
+export declare function isToolPermitted(toolName: string, config: MCPConfig): {
+    allowed: boolean;
+    reason?: string;
+};
+/**
+ * Return the list of tool names visible to the current configuration.
+ * A tool is visible only if it passes both the role gate and the allowlist.
+ */
+export declare function getVisibleTools(config: MCPConfig): Set<string>;
+/**
+ * Validate the loaded configuration, emitting warnings to stderr for
+ * potentially dangerous settings (e.g. TLS not required on a non-localhost URL).
+ */
+export declare function validateConfig(config: MCPConfig): string[];
+/**
+ * Remove sensitive fields from a params object before writing to audit logs.
+ */
+export declare function sanitizeForAudit(operation: string, params: Record<string, unknown>): Record<string, unknown>;
+/**
+ * Enforce TLS transport requirements. Throws if a non-HTTPS URL is used
+ * when `tls_required` is enabled.
+ */
+export declare function enforceTransport(url: string, config: MCPConfig): void;
+/**
+ * Build a structured audit log entry.
+ */
+export declare function createAuditEntry(operation: string, params: Record<string, unknown>, result: "success" | "error", duration: number, agentId: string): AuditEntry;
+//# sourceMappingURL=security.d.ts.map

package/dist/security.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"security.d.ts","sourceRoot":"","sources":["../src/security.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAGtD,MAAM,WAAW,UAAU;IACzB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAChC,MAAM,EAAE,SAAS,GAAG,OAAO,CAAC;IAC5B,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAID;;;;;;;;;GASG;AACH,MAAM,MAAM,QAAQ,GAAG,MAAM,GAAG,OAAO,GAAG,OAAO,CAAC;AAElD,eAAO,MAAM,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,QAAQ,CAgG/C,CAAC;AAIF;;;;;;GAMG;AACH,eAAO,MAAM,UAAU,EAAE,MAAM,CAAC,OAAO,EAAE,GAAG,CAAC,QAAQ,CAAC,CAIrD,CAAC;AAEF,wBAAgB,WAAW,CAAC,QAAQ,EAAE,MAAM,GAAG,QAAQ,GAAG,SAAS,CAElE;AAED,wBAAgB,eAAe,CAAC,IAAI,EAAE,OAAO,GAAG,GAAG,CAAC,QAAQ,CAAC,CAE5D;AAED,wBAAgB,eAAe,CAAC,IAAI,EAAE,OAAO,GAAG,MAAM,EAAE,CAKvD;AAED;;;;GAIG;AACH,wBAAgB,sBAAsB,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,SAAS,GAAG,OAAO,CAKnF;AAED;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,SAAS,GAAG,OAAO,CAK7E;AAED;;;GAGG;AACH,wBAAgB,eAAe,CAC7B,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,SAAS,GAChB;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,CAmBvC;AAED;;;GAGG;AACH,wBAAgB,eAAe,CAAC,MAAM,EAAE,SAAS,GAAG,GAAG,CAAC,MAAM,CAAC,CAO9D;AAED;;;GAGG;AACH,wBAAgB,cAAc,CAAC,MAAM,EAAE,SAAS,GAAG,MAAM,EAAE,CAqC1D;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAC9B,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC9B,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAYzB;AAED;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,EAAE,SAAS,GAAG,IAAI,CAOrE;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAC9B,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC/B,MAAM,EAAE,SAAS,GAAG,OAAO,EAC3B,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,MAAM,GACd,UAAU,CASZ"}

package/dist/security.js ADDED Viewed

@@ -0,0 +1,248 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ROLE_TIERS = exports.TOOL_TIERS = void 0;
+exports.getToolTier = getToolTier;
+exports.getTiersForRole = getTiersForRole;
+exports.getToolsForRole = getToolsForRole;
+exports.checkToolAllowedByRole = checkToolAllowedByRole;
+exports.checkToolAllowed = checkToolAllowed;
+exports.isToolPermitted = isToolPermitted;
+exports.getVisibleTools = getVisibleTools;
+exports.validateConfig = validateConfig;
+exports.sanitizeForAudit = sanitizeForAudit;
+exports.enforceTransport = enforceTransport;
+exports.createAuditEntry = createAuditEntry;
+const config_js_1 = require("./config.js");
+const SENSITIVE_KEYS = new Set(["api_key", "password", "secret", "token", "authorization"]);
+exports.TOOL_TIERS = {
+    // ── Participation Tools (16) ──────────────────────────────────────
+    openintent_get_intent: "read",
+    openintent_list_intents: "read",
+    openintent_get_events: "read",
+    openintent_get_messages: "read",
+    openintent_create_intent: "write",
+    openintent_update_state: "write",
+    openintent_log_event: "write",
+    openintent_send_message: "write",
+    openintent_ask: "write",
+    openintent_broadcast: "write",
+    openintent_set_status: "admin",
+    openintent_acquire_lease: "admin",
+    openintent_release_lease: "admin",
+    openintent_assign_agent: "admin",
+    openintent_unassign_agent: "admin",
+    openintent_create_channel: "admin",
+    // ── Advanced Tools (46) ───────────────────────────────────────────
+    // Workflows (RFC-0011)
+    openintent_get_workflow: "read",
+    openintent_list_workflows: "read",
+    openintent_create_workflow: "write",
+    openintent_trigger_workflow: "admin",
+    // Plans & Task Decomposition (RFC-0012)
+    openintent_get_plan: "read",
+    openintent_create_plan: "write",
+    openintent_decompose_task: "write",
+    // Coordinator Governance (RFC-0013)
+    openintent_get_arbitration: "read",
+    openintent_set_coordinator: "admin",
+    openintent_record_decision: "admin",
+    // Governance Enforcement (RFC-0013)
+    openintent_set_governance_policy: "admin",
+    openintent_get_governance_policy: "read",
+    openintent_approve_approval: "admin",
+    openintent_deny_approval: "admin",
+    // Human Escalation (RFC-0013)
+    openintent_escalate_to_human: "write",
+    openintent_list_escalations: "read",
+    openintent_resolve_escalation: "admin",
+    openintent_request_approval: "write",
+    openintent_get_approval_status: "read",
+    // Portfolios (RFC-0004)
+    openintent_get_portfolio: "read",
+    openintent_create_portfolio: "write",
+    openintent_add_to_portfolio: "write",
+    // Access Control (RFC-0011)
+    openintent_get_permissions: "read",
+    openintent_set_permissions: "admin",
+    openintent_grant_access: "admin",
+    // Credential Vaults (RFC-0014)
+    openintent_store_credential: "admin",
+    openintent_get_credential: "admin",
+    openintent_grant_tool: "admin",
+    // Agent Memory (RFC-0015)
+    openintent_memory_get: "read",
+    openintent_memory_list: "read",
+    openintent_memory_set: "write",
+    // Agent Lifecycle (RFC-0016)
+    openintent_get_health: "read",
+    openintent_heartbeat: "write",
+    openintent_set_agent_status: "admin",
+    // Triggers (RFC-0017)
+    openintent_list_triggers: "read",
+    openintent_create_trigger: "admin",
+    openintent_delete_trigger: "admin",
+    // Cryptographic Identity (RFC-0018)
+    openintent_register_identity: "admin",
+    openintent_verify_challenge: "admin",
+    openintent_rotate_key: "admin",
+    // Verifiable Event Logs (RFC-0019)
+    openintent_get_hash_chain: "read",
+    openintent_verify_inclusion: "read",
+    openintent_get_checkpoint: "read",
+    // Distributed Tracing (RFC-0020)
+    openintent_get_trace: "read",
+    openintent_start_trace: "write",
+    openintent_link_spans: "write",
+};
+const TIER_ORDER = ["read", "write", "admin"];
+/**
+ * Map each role to the set of tiers it grants access to.
+ *
+ *   reader   → read
+ *   operator → read + write
+ *   admin    → read + write + admin
+ */
+exports.ROLE_TIERS = {
+    reader: new Set(["read"]),
+    operator: new Set(["read", "write"]),
+    admin: new Set(["read", "write", "admin"]),
+};
+function getToolTier(toolName) {
+    return exports.TOOL_TIERS[toolName];
+}
+function getTiersForRole(role) {
+    return exports.ROLE_TIERS[role] ?? exports.ROLE_TIERS["reader"];
+}
+function getToolsForRole(role) {
+    const allowedTiers = getTiersForRole(role);
+    return Object.entries(exports.TOOL_TIERS)
+        .filter(([, tier]) => allowedTiers.has(tier))
+        .map(([name]) => name);
+}
+/**
+ * Check whether a tool is permitted by the configured role.
+ * Returns `true` if the tool's tier is within the role's granted tiers.
+ * Unknown tools are denied by default.
+ */
+function checkToolAllowedByRole(toolName, config) {
+    const tier = getToolTier(toolName);
+    if (!tier)
+        return false;
+    const allowedTiers = getTiersForRole(config.security.role);
+    return allowedTiers.has(tier);
+}
+/**
+ * Check whether a tool name is permitted by the explicit allowlist.
+ * Returns `true` if the tool is allowed, `false` otherwise.
+ */
+function checkToolAllowed(toolName, config) {
+    if (config.security.allowed_tools === null) {
+        return true;
+    }
+    return config.security.allowed_tools.includes(toolName);
+}
+/**
+ * Combined check: a tool must pass BOTH the role gate AND the allowlist.
+ * Returns an object with allowed status and a reason string for denials.
+ */
+function isToolPermitted(toolName, config) {
+    if (!checkToolAllowedByRole(toolName, config)) {
+        const tier = getToolTier(toolName) ?? "unknown";
+        return {
+            allowed: false,
+            reason: `Tool "${toolName}" requires "${tier}" permission but the current role ` +
+                `"${config.security.role}" does not grant it. ` +
+                `Upgrade to a role that includes the "${tier}" tier ` +
+                `(${TIER_ORDER.filter((t) => TIER_ORDER.indexOf(t) >= TIER_ORDER.indexOf(tier)).join(", ")}).`,
+        };
+    }
+    if (!checkToolAllowed(toolName, config)) {
+        return {
+            allowed: false,
+            reason: `Tool "${toolName}" is not in the allowed_tools list.`,
+        };
+    }
+    return { allowed: true };
+}
+/**
+ * Return the list of tool names visible to the current configuration.
+ * A tool is visible only if it passes both the role gate and the allowlist.
+ */
+function getVisibleTools(config) {
+    const roleTools = getToolsForRole(config.security.role);
+    if (config.security.allowed_tools === null) {
+        return new Set(roleTools);
+    }
+    const allowSet = new Set(config.security.allowed_tools);
+    return new Set(roleTools.filter((t) => allowSet.has(t)));
+}
+/**
+ * Validate the loaded configuration, emitting warnings to stderr for
+ * potentially dangerous settings (e.g. TLS not required on a non-localhost URL).
+ */
+function validateConfig(config) {
+    const warnings = [];
+    if (!config.server.api_key) {
+        warnings.push("OPENINTENT_API_KEY is not set – requests will fail authentication.");
+    }
+    const url = config.server.url;
+    const isLocal = url.includes("localhost") || url.includes("127.0.0.1");
+    if (!config.security.tls_required && !isLocal) {
+        warnings.push(`TLS is not required but server URL "${url}" is not localhost. ` +
+            "Set security.tls_required = true for production deployments.");
+    }
+    if (config.security.max_timeout > 300) {
+        warnings.push(`max_timeout is ${config.security.max_timeout}s which exceeds the recommended 300s limit.`);
+    }
+    if (!config_js_1.VALID_ROLES.includes(config.security.role)) {
+        warnings.push(`Unknown role "${config.security.role}". Valid roles: ${config_js_1.VALID_ROLES.join(", ")}. Falling back to "reader".`);
+        config.security.role = "reader";
+    }
+    if (config.security.role === "admin") {
+        warnings.push('Role is set to "admin" which grants access to all tools including lifecycle ' +
+            "and coordination primitives. Use this only for trusted orchestrators.");
+    }
+    return warnings;
+}
+/**
+ * Remove sensitive fields from a params object before writing to audit logs.
+ */
+function sanitizeForAudit(operation, params) {
+    const sanitized = { _operation: operation };
+    for (const [key, value] of Object.entries(params)) {
+        if (SENSITIVE_KEYS.has(key.toLowerCase())) {
+            sanitized[key] = "[REDACTED]";
+        }
+        else if (typeof value === "object" && value !== null && !Array.isArray(value)) {
+            sanitized[key] = sanitizeForAudit("", value);
+        }
+        else {
+            sanitized[key] = value;
+        }
+    }
+    return sanitized;
+}
+/**
+ * Enforce TLS transport requirements. Throws if a non-HTTPS URL is used
+ * when `tls_required` is enabled.
+ */
+function enforceTransport(url, config) {
+    if (config.security.tls_required && !url.startsWith("https://")) {
+        throw new Error(`TLS is required but the server URL "${url}" does not use HTTPS. ` +
+            "Set security.tls_required to false or use an HTTPS endpoint.");
+    }
+}
+/**
+ * Build a structured audit log entry.
+ */
+function createAuditEntry(operation, params, result, duration, agentId) {
+    return {
+        timestamp: new Date().toISOString(),
+        operation,
+        params: sanitizeForAudit(operation, params),
+        result,
+        duration_ms: Math.round(duration),
+        agent_id: agentId,
+    };
+}
+//# sourceMappingURL=security.js.map

package/dist/security.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"security.js","sourceRoot":"","sources":["../src/security.ts"],"names":[],"mappings":";;;AA2IA,kCAEC;AAED,0CAEC;AAED,0CAKC;AAOD,wDAKC;AAMD,4CAKC;AAMD,0CAsBC;AAMD,0CAOC;AAMD,wCAqCC;AAKD,4CAeC;AAMD,4CAOC;AAKD,4CAeC;AAvTD,2CAA0C;AAW1C,MAAM,cAAc,GAAG,IAAI,GAAG,CAAC,CAAC,SAAS,EAAE,UAAU,EAAE,QAAQ,EAAE,OAAO,EAAE,eAAe,CAAC,CAAC,CAAC;AAc/E,QAAA,UAAU,GAA6B;IAClD,qEAAqE;IACrE,qBAAqB,EAAK,MAAM;IAChC,uBAAuB,EAAG,MAAM;IAChC,qBAAqB,EAAK,MAAM;IAChC,uBAAuB,EAAG,MAAM;IAEhC,wBAAwB,EAAE,OAAO;IACjC,uBAAuB,EAAG,OAAO;IACjC,oBAAoB,EAAM,OAAO;IACjC,uBAAuB,EAAG,OAAO;IACjC,cAAc,EAAY,OAAO;IACjC,oBAAoB,EAAM,OAAO;IAEjC,qBAAqB,EAAO,OAAO;IACnC,wBAAwB,EAAI,OAAO;IACnC,wBAAwB,EAAI,OAAO;IACnC,uBAAuB,EAAK,OAAO;IACnC,yBAAyB,EAAG,OAAO;IACnC,yBAAyB,EAAG,OAAO;IAEnC,qEAAqE;IAErE,uBAAuB;IACvB,uBAAuB,EAAM,MAAM;IACnC,yBAAyB,EAAI,MAAM;IACnC,0BAA0B,EAAG,OAAO;IACpC,2BAA2B,EAAE,OAAO;IAEpC,wCAAwC;IACxC,mBAAmB,EAAU,MAAM;IACnC,sBAAsB,EAAO,OAAO;IACpC,yBAAyB,EAAI,OAAO;IAEpC,oCAAoC;IACpC,0BAA0B,EAAG,MAAM;IACnC,0BAA0B,EAAG,OAAO;IACpC,0BAA0B,EAAG,OAAO;IAEpC,oCAAoC;IACpC,gCAAgC,EAAE,OAAO;IACzC,gCAAgC,EAAE,MAAM;IACxC,2BAA2B,EAAO,OAAO;IACzC,wBAAwB,EAAU,OAAO;IAEzC,8BAA8B;IAC9B,4BAA4B,EAAG,OAAO;IACtC,2BAA2B,EAAI,MAAM;IACrC,6BAA6B,EAAE,OAAO;IACtC,2BAA2B,EAAI,OAAO;IACtC,8BAA8B,EAAE,MAAM;IAEtC,wBAAwB;IACxB,wBAAwB,EAAO,MAAM;IACrC,2BAA2B,EAAI,OAAO;IACtC,2BAA2B,EAAI,OAAO;IAEtC,4BAA4B;IAC5B,0BAA0B,EAAG,MAAM;IACnC,0BAA0B,EAAG,OAAO;IACpC,uBAAuB,EAAM,OAAO;IAEpC,+BAA+B;IAC/B,2BAA2B,EAAE,OAAO;IACpC,yBAAyB,EAAI,OAAO;IACpC,qBAAqB,EAAQ,OAAO;IAEpC,0BAA0B;IAC1B,qBAAqB,EAAG,MAAM;IAC9B,sBAAsB,EAAE,MAAM;IAC9B,qBAAqB,EAAG,OAAO;IAE/B,6BAA6B;IAC7B,qBAAqB,EAAS,MAAM;IACpC,oBAAoB,EAAU,OAAO;IACrC,2BAA2B,EAAG,OAAO;IAErC,sBAAsB;IACtB,wBAAwB,EAAI,MAAM;IAClC,yBAAyB,EAAG,OAAO;IACnC,yBAAyB,EAAG,OAAO;IAEnC,oCAAoC;IACpC,4BAA4B,EAAG,OAAO;IACtC,2BAA2B,EAAI,OAAO;IACtC,qBAAqB,EAAU,OAAO;IAEtC,mCAAmC;IACnC,yBAAyB,EAAM,MAAM;IACrC,2BAA2B,EAAI,MAAM;IACrC,yBAAyB,EAAM,MAAM;IAErC,iCAAiC;IACjC,oBAAoB,EAAK,MAAM;IAC/B,sBAAsB,EAAG,OAAO;IAChC,qBAAqB,EAAI,OAAO;CACjC,CAAC;AAEF,MAAM,UAAU,GAAe,CAAC,MAAM,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;AAE1D;;;;;;GAMG;AACU,QAAA,UAAU,GAAmC;IACxD,MAAM,EAAI,IAAI,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC;IAC3B,QAAQ,EAAE,IAAI,GAAG,CAAC,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACpC,KAAK,EAAK,IAAI,GAAG,CAAC,CAAC,MAAM,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;CAC9C,CAAC;AAEF,SAAgB,WAAW,CAAC,QAAgB;IAC1C,OAAO,kBAAU,CAAC,QAAQ,CAAC,CAAC;AAC9B,CAAC;AAED,SAAgB,eAAe,CAAC,IAAa;IAC3C,OAAO,kBAAU,CAAC,IAAI,CAAC,IAAI,kBAAU,CAAC,QAAQ,CAAC,CAAC;AAClD,CAAC;AAED,SAAgB,eAAe,CAAC,IAAa;IAC3C,MAAM,YAAY,GAAG,eAAe,CAAC,IAAI,CAAC,CAAC;IAC3C,OAAO,MAAM,CAAC,OAAO,CAAC,kBAAU,CAAC;SAC9B,MAAM,CAAC,CAAC,CAAC,EAAE,IAAI,CAAC,EAAE,EAAE,CAAC,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;SAC5C,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC;AAC3B,CAAC;AAED;;;;GAIG;AACH,SAAgB,sBAAsB,CAAC,QAAgB,EAAE,MAAiB;IACxE,MAAM,IAAI,GAAG,WAAW,CAAC,QAAQ,CAAC,CAAC;IACnC,IAAI,CAAC,IAAI;QAAE,OAAO,KAAK,CAAC;IACxB,MAAM,YAAY,GAAG,eAAe,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;IAC3D,OAAO,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;AAChC,CAAC;AAED;;;GAGG;AACH,SAAgB,gBAAgB,CAAC,QAAgB,EAAE,MAAiB;IAClE,IAAI,MAAM,CAAC,QAAQ,CAAC,aAAa,KAAK,IAAI,EAAE,CAAC;QAC3C,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,MAAM,CAAC,QAAQ,CAAC,aAAa,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;AAC1D,CAAC;AAED;;;GAGG;AACH,SAAgB,eAAe,CAC7B,QAAgB,EAChB,MAAiB;IAEjB,IAAI,CAAC,sBAAsB,CAAC,QAAQ,EAAE,MAAM,CAAC,EAAE,CAAC;QAC9C,MAAM,IAAI,GAAG,WAAW,CAAC,QAAQ,CAAC,IAAI,SAAS,CAAC;QAChD,OAAO;YACL,OAAO,EAAE,KAAK;YACd,MAAM,EACJ,SAAS,QAAQ,eAAe,IAAI,oCAAoC;gBACxE,IAAI,MAAM,CAAC,QAAQ,CAAC,IAAI,uBAAuB;gBAC/C,wCAAwC,IAAI,SAAS;gBACrD,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,UAAU,CAAC,OAAO,CAAC,IAAgB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI;SAC7G,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,gBAAgB,CAAC,QAAQ,EAAE,MAAM,CAAC,EAAE,CAAC;QACxC,OAAO;YACL,OAAO,EAAE,KAAK;YACd,MAAM,EAAE,SAAS,QAAQ,qCAAqC;SAC/D,CAAC;IACJ,CAAC;IACD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;AAC3B,CAAC;AAED;;;GAGG;AACH,SAAgB,eAAe,CAAC,MAAiB;IAC/C,MAAM,SAAS,GAAG,eAAe,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;IACxD,IAAI,MAAM,CAAC,QAAQ,CAAC,aAAa,KAAK,IAAI,EAAE,CAAC;QAC3C,OAAO,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;IAC5B,CAAC;IACD,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;IACxD,OAAO,IAAI,GAAG,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AAC3D,CAAC;AAED;;;GAGG;AACH,SAAgB,cAAc,CAAC,MAAiB;IAC9C,MAAM,QAAQ,GAAa,EAAE,CAAC;IAE9B,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QAC3B,QAAQ,CAAC,IAAI,CAAC,oEAAoE,CAAC,CAAC;IACtF,CAAC;IAED,MAAM,GAAG,GAAG,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC;IAC9B,MAAM,OAAO,GAAG,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IACvE,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,YAAY,IAAI,CAAC,OAAO,EAAE,CAAC;QAC9C,QAAQ,CAAC,IAAI,CACX,uCAAuC,GAAG,sBAAsB;YAC9D,8DAA8D,CACjE,CAAC;IACJ,CAAC;IAED,IAAI,MAAM,CAAC,QAAQ,CAAC,WAAW,GAAG,GAAG,EAAE,CAAC;QACtC,QAAQ,CAAC,IAAI,CACX,kBAAkB,MAAM,CAAC,QAAQ,CAAC,WAAW,6CAA6C,CAC3F,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,uBAAW,CAAC,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QAChD,QAAQ,CAAC,IAAI,CACX,iBAAiB,MAAM,CAAC,QAAQ,CAAC,IAAI,mBAAmB,uBAAW,CAAC,IAAI,CAAC,IAAI,CAAC,6BAA6B,CAC5G,CAAC;QACF,MAAM,CAAC,QAAQ,CAAC,IAAI,GAAG,QAAQ,CAAC;IAClC,CAAC;IAED,IAAI,MAAM,CAAC,QAAQ,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;QACrC,QAAQ,CAAC,IAAI,CACX,8EAA8E;YAC5E,uEAAuE,CAC1E,CAAC;IACJ,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;GAEG;AACH,SAAgB,gBAAgB,CAC9B,SAAiB,EACjB,MAA+B;IAE/B,MAAM,SAAS,GAA4B,EAAE,UAAU,EAAE,SAAS,EAAE,CAAC;IACrE,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAClD,IAAI,cAAc,CAAC,GAAG,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;YAC1C,SAAS,CAAC,GAAG,CAAC,GAAG,YAAY,CAAC;QAChC,CAAC;aAAM,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YAChF,SAAS,CAAC,GAAG,CAAC,GAAG,gBAAgB,CAAC,EAAE,EAAE,KAAgC,CAAC,CAAC;QAC1E,CAAC;aAAM,CAAC;YACN,SAAS,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;QACzB,CAAC;IACH,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;GAGG;AACH,SAAgB,gBAAgB,CAAC,GAAW,EAAE,MAAiB;IAC7D,IAAI,MAAM,CAAC,QAAQ,CAAC,YAAY,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAChE,MAAM,IAAI,KAAK,CACb,uCAAuC,GAAG,wBAAwB;YAChE,8DAA8D,CACjE,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAgB,gBAAgB,CAC9B,SAAiB,EACjB,MAA+B,EAC/B,MAA2B,EAC3B,QAAgB,EAChB,OAAe;IAEf,OAAO;QACL,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,SAAS;QACT,MAAM,EAAE,gBAAgB,CAAC,SAAS,EAAE,MAAM,CAAC;QAC3C,MAAM;QACN,WAAW,EAAE,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC;QACjC,QAAQ,EAAE,OAAO;KAClB,CAAC;AACJ,CAAC"}

package/dist/tools.d.ts ADDED Viewed

@@ -0,0 +1,21 @@
+import type { OpenIntentClient } from "./client.js";
+import type { MCPConfig } from "./config.js";
+import type { ToolTier } from "./security.js";
+export interface ToolDefinition {
+    name: string;
+    description: string;
+    inputSchema: Record<string, unknown>;
+    tier: ToolTier;
+}
+export declare const TOOL_DEFINITIONS: ToolDefinition[];
+/**
+ * Route an incoming tool call to the appropriate client method.
+ * The tool must pass both the role gate and the allowlist before execution.
+ */
+export declare function handleToolCall(name: string, args: Record<string, unknown>, client: OpenIntentClient, config: MCPConfig): Promise<{
+    content: {
+        type: "text";
+        text: string;
+    }[];
+}>;
+//# sourceMappingURL=tools.d.ts.map

package/dist/tools.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"tools.d.ts","sourceRoot":"","sources":["../src/tools.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AACpD,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAC7C,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AAG9C,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACrC,IAAI,EAAE,QAAQ,CAAC;CAChB;AAeD,eAAO,MAAM,gBAAgB,EAAE,cAAc,EAslC5C,CAAC;AAEF;;;GAGG;AACH,wBAAsB,cAAc,CAClC,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC7B,MAAM,EAAE,gBAAgB,EACxB,MAAM,EAAE,SAAS;;;;;GA4dlB"}