agent-passport-system-mcp 2.5.0 → 2.6.0

package/CODE_OF_CONDUCT.md

@@ -0,0 +1,36 @@
+# Code of Conduct
+
+## Our Pledge
+
+We are committed to making participation in this project a welcoming experience for everyone.
+
+## Standards
+
+Examples of positive behavior:
+
+- Using inclusive language
+- Being respectful of differing viewpoints
+- Accepting constructive feedback gracefully
+- Focusing on what is best for the community
+
+Examples of unacceptable behavior:
+
+- Personal attacks or derogatory comments
+- Publishing others' private information without permission
+- Other conduct which could reasonably be considered inappropriate in a professional setting
+
+## Responsibilities
+
+Project maintainers are responsible for clarifying standards of acceptable behavior and are expected to take fair corrective action in response to any instances of unacceptable behavior.
+
+## Scope
+
+This Code of Conduct applies within all project spaces, including issues, pull requests, and community discussions.
+
+## Enforcement
+
+Instances of unacceptable behavior may be reported by contacting the project maintainer. All reports will be reviewed and investigated promptly and fairly.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant](https://www.contributor-covenant.org), version 2.1.

package/CONTRIBUTING.md

@@ -0,0 +1,58 @@
+# Contributing to Agent Passport System MCP Server
+
+Thanks for your interest in contributing! This is the MCP server for the [Agent Passport System](https://github.com/aeoess/agent-passport-system) — 49 tools across 8 protocol layers for AI agent identity, trust, governance, and commerce.
+
+## Getting Started
+
+1. Fork the repository
+2. Clone your fork: `git clone https://github.com/<your-username>/agent-passport-mcp.git`
+3. Install dependencies: `npm install --include=dev`
+4. Build the project: `npm run build`
+
+## Development
+
+The MCP server is a single-file TypeScript implementation (`src/index.ts`) that wraps the Agent Passport System SDK. All protocol logic lives in the SDK; this repo provides the MCP tool interface.
+
+### Building
+
+```bash
+npm run build
+```
+
+Build must succeed with zero TypeScript errors before submitting a PR.
+
+### Code Style
+
+- TypeScript throughout
+- Single-file architecture (`src/index.ts`)
+- Each MCP tool follows the same pattern: validation, SDK call, JSON response
+- Use `zod` for input validation
+
+## Submitting Changes
+
+1. Create a feature branch from `main`
+2. Make your changes with clear, descriptive commits
+3. Ensure `npm run build` succeeds with zero errors
+4. Open a pull request with a description of what you changed and why
+
+## Reporting Issues
+
+Open an issue on GitHub with:
+
+- A clear title and description
+- Steps to reproduce (if applicable)
+- Expected vs actual behavior
+- Your environment (Node.js version, OS, MCP client)
+
+## Adding New Tools
+
+If you're adding new MCP tools, follow the existing pattern in `src/index.ts`:
+
+1. Add the SDK import
+2. Register the tool with `server.tool()` including zod schema
+3. Update the README tool table
+4. Update the tool count in the README header
+
+## License
+
+By contributing, you agree that your contributions will be licensed under the project's Apache-2.0 license.

package/README.md

@@ -8,7 +8,7 @@
 
 MCP server for the [Agent Passport System](https://github.com/aeoess/agent-passport-system) — cryptographic identity, delegation, governance, and commerce for AI agents.
 
-**49 tools** across all 8 protocol layers. Works with any MCP client: Claude Desktop, Cursor, Windsurf, and more.
+**55 tools** across all 8 protocol layers. Works with any MCP client: Claude Desktop, Cursor, Windsurf, and more.
 
 ## Quick Start
 
@@ -148,6 +148,16 @@ Add to your MCP config:
 | `create_disclosure` | Selective disclosure of principal identity (public/verified-only/minimal) |
 | `get_fleet_status` | Status of all agents endorsed by the current principal |
 
+### Reputation-Gated Authority — 5 tools
+
+| Tool | Description |
+|------|-------------|
+| `resolve_authority` | Compute effective reputation score and authority tier for an agent |
+| `check_tier` | Check if agent's earned tier permits action at given autonomy/spend |
+| `review_promotion` | Create signed promotion review (earned-only reviewers, no self-promotion) |
+| `update_reputation` | Bayesian (mu, sigma) updates from task results |
+| `get_promotion_history` | List all promotion reviews this session |
+
 ## Architecture
 
 ```
@@ -163,7 +173,7 @@ Layer 1 — Agent Passport Protocol (Ed25519 identity)
 
 ## Links
 
-- npm SDK: [agent-passport-system](https://www.npmjs.com/package/agent-passport-system) (v1.11.0, 470 tests)
+- npm SDK: [agent-passport-system](https://www.npmjs.com/package/agent-passport-system) (v1.12.0, 511 tests)
 - Python SDK: [agent-passport-system](https://pypi.org/project/agent-passport-system/) (v0.4.0, 86 tests)
 - Paper: [doi.org/10.5281/zenodo.18749779](https://doi.org/10.5281/zenodo.18749779)
 - Docs: [aeoess.com/llms-full.txt](https://aeoess.com/llms-full.txt)

package/build/index.js

@@ -33,7 +33,7 @@ commercePreflight, createCommerceDelegation, getSpendSummary, requestHumanApprov
 // Principal Identity
 createPrincipalIdentity, endorseAgent, verifyEndorsement, revokeEndorsement, createDisclosure, createFleet, addToFleet, getFleetStatus, revokeFromFleet, 
 // Reputation-Gated Authority (Layer 9)
-computeEffectiveScore, createScopedReputation, resolveAuthorityTier, checkTierForIntent, advisoryTierPrecheck, createPromotionReview, updateReputationFromResult, DEFAULT_TIERS, } from "agent-passport-system";
+computeEffectiveScore, createScopedReputation, resolveAuthorityTier, checkTierForIntent, advisoryTierPrecheck, createPromotionReview, updateReputationFromResult, DEFAULT_TIERS, createProxyGateway, } from "agent-passport-system";
 // ═══════════════════════════════════════
 // State Management
 // ═══════════════════════════════════════
@@ -64,6 +64,8 @@ const state = {
     fleet: null,
     reputations: new Map(),
     promotionHistory: [],
+    gateway: null,
+    gatewayKeys: null,
 };
 // Load persisted task state
 function loadTasks() {
@@ -2112,6 +2114,216 @@ server.tool("get_promotion_history", "Get the promotion review history for this
     };
 });
 // ═══════════════════════════════════════
+// Proxy Gateway (Enforcement Boundary)
+// ═══════════════════════════════════════
+server.tool("create_gateway", "Create a ProxyGateway enforcement boundary. The gateway validates identity, delegation scope, policy compliance, and provides replay protection for every tool call. Returns gateway ID and public key.", {
+    gatewayId: z.string().optional().describe("Custom gateway ID (auto-generated if omitted)"),
+    approvalTTLSeconds: z.number().optional().describe("Two-phase approval timeout in seconds (default: 300)"),
+    maxPendingPerAgent: z.number().optional().describe("Max pending approvals per agent (default: 10)"),
+}, async ({ gatewayId, approvalTTLSeconds, maxPendingPerAgent }) => {
+    const keys = generateKeyPair();
+    const id = gatewayId || `gateway-${Date.now().toString(36)}`;
+    if (!state.floor) {
+        return { content: [{ type: "text", text: "Error: Load a Values Floor first (load_values_floor)" }] };
+    }
+    const config = {
+        gatewayId: id,
+        gatewayPublicKey: keys.publicKey,
+        gatewayPrivateKey: keys.privateKey,
+        floor: state.floor,
+        approvalTTLSeconds: approvalTTLSeconds ?? 300,
+        maxPendingPerAgent: maxPendingPerAgent ?? 10,
+        recheckRevocationOnExecute: true,
+    };
+    // Default executor echoes tool calls — real execution is done by MCP client
+    const executor = async (tool, params) => {
+        return { success: true, result: { tool, params, executedVia: 'mcp-gateway' } };
+    };
+    state.gateway = createProxyGateway(config, executor);
+    state.gatewayKeys = keys;
+    return {
+        content: [{
+                type: "text",
+                text: JSON.stringify({
+                    created: true,
+                    gatewayId: id,
+                    publicKey: keys.publicKey,
+                    approvalTTLSeconds: config.approvalTTLSeconds,
+                    maxPendingPerAgent: config.maxPendingPerAgent,
+                    note: "Gateway ready. Register agents with register_gateway_agent, then process calls with gateway_process_tool_call.",
+                }, null, 2),
+            }],
+    };
+});
+server.tool("register_gateway_agent", "Register an agent with the gateway. The agent must have a valid passport and floor attestation. Delegations define what scopes the agent can use through the gateway.", {
+    agentId: z.string().describe("Agent ID to register"),
+}, async ({ agentId }) => {
+    if (!state.gateway) {
+        return { content: [{ type: "text", text: "Error: Create gateway first (create_gateway)" }] };
+    }
+    const agent = state.agents.get(agentId);
+    if (!agent) {
+        return { content: [{ type: "text", text: `Error: Agent "${agentId}" not found in session. Join social contract first.` }] };
+    }
+    const agentDelegations = Array.from(state.delegations.values()).filter(d => d.delegatedTo === agent.publicKey);
+    if (agentDelegations.length === 0) {
+        return { content: [{ type: "text", text: `Error: No delegations found for agent "${agentId}". Create a delegation first.` }] };
+    }
+    if (!agent.attestation) {
+        return { content: [{ type: "text", text: `Error: Agent "${agentId}" has no floor attestation. Attest to floor first.` }] };
+    }
+    state.gateway.registerAgent(agent.passport, agent.attestation, agentDelegations);
+    return {
+        content: [{
+                type: "text",
+                text: JSON.stringify({
+                    registered: true,
+                    agentId,
+                    delegationCount: agentDelegations.length,
+                    scopes: agentDelegations.flatMap(d => d.scope),
+                }, null, 2),
+            }],
+    };
+});
+server.tool("gateway_process_tool_call", "Process a tool call through the gateway enforcement boundary. Validates identity, delegation, policy, and replay protection in a single atomic operation. Returns execution result with full 3-signature proof chain.", {
+    agentId: z.string().describe("ID of the requesting agent"),
+    tool: z.string().describe("Tool name to execute"),
+    params: z.record(z.unknown()).optional().describe("Tool parameters"),
+    scopeRequired: z.string().describe("Delegation scope needed for this tool"),
+    spendAmount: z.number().optional().describe("Spend amount if commerce action"),
+    spendCurrency: z.string().optional().describe("Currency code (e.g. USD)"),
+    context: z.string().optional().describe("Human-readable context for audit"),
+}, async ({ agentId, tool, params, scopeRequired, spendAmount, spendCurrency, context }) => {
+    if (!state.gateway) {
+        return { content: [{ type: "text", text: "Error: Create gateway first (create_gateway)" }] };
+    }
+    const agent = state.agents.get(agentId);
+    if (!agent) {
+        return { content: [{ type: "text", text: `Error: Agent "${agentId}" not found in session.` }] };
+    }
+    const { canonicalize } = await import("agent-passport-system");
+    const requestId = `mcp-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
+    const payload = canonicalize({ requestId, agentId, tool, params: params || {}, scopeRequired, spend: spendAmount ? { amount: spendAmount, currency: spendCurrency || 'USD' } : undefined });
+    const request = {
+        requestId,
+        agentId,
+        agentPublicKey: agent.publicKey,
+        signature: sign(payload, agent.keyPair.privateKey),
+        tool,
+        params: params || {},
+        scopeRequired,
+        spend: spendAmount ? { amount: spendAmount, currency: spendCurrency || 'USD' } : undefined,
+        context,
+    };
+    const result = await state.gateway.processToolCall(request);
+    return {
+        content: [{
+                type: "text",
+                text: JSON.stringify({
+                    executed: result.executed,
+                    requestId: result.requestId,
+                    result: result.result ?? undefined,
+                    denialReason: result.denialReason ?? undefined,
+                    toolError: result.toolError ?? undefined,
+                    ...(result.decision && { verdict: result.decision.verdict, reason: result.decision.reason }),
+                    ...(result.proof && {
+                        proof: {
+                            hasRequestSignature: !!result.proof.requestSignature,
+                            hasDecisionSignature: !!result.proof.decisionSignature,
+                            hasReceiptSignature: !!result.proof.receiptSignature,
+                            policyReceiptId: result.proof.policyReceipt?.policyReceiptId,
+                        },
+                    }),
+                    ...(result.receipt && {
+                        receipt: {
+                            receiptId: result.receipt.receiptId,
+                            agentId: result.receipt.agentId,
+                            action: result.receipt.action,
+                        },
+                    }),
+                }, null, 2),
+            }],
+    };
+});
+server.tool("gateway_approve", "Two-phase execution: approve a tool call without executing it. Returns an approval ID that can be executed later with gateway_execute_approval. Useful for human-in-the-loop workflows.", {
+    agentId: z.string().describe("ID of the requesting agent"),
+    tool: z.string().describe("Tool name to approve"),
+    params: z.record(z.unknown()).optional().describe("Tool parameters"),
+    scopeRequired: z.string().describe("Delegation scope needed"),
+    context: z.string().optional().describe("Human-readable context"),
+}, async ({ agentId, tool, params, scopeRequired, context }) => {
+    if (!state.gateway) {
+        return { content: [{ type: "text", text: "Error: Create gateway first (create_gateway)" }] };
+    }
+    const agent = state.agents.get(agentId);
+    if (!agent) {
+        return { content: [{ type: "text", text: `Error: Agent "${agentId}" not found in session.` }] };
+    }
+    const { canonicalize } = await import("agent-passport-system");
+    const requestId = `mcp-approve-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
+    const payload = canonicalize({ requestId, agentId, tool, params: params || {}, scopeRequired, spend: undefined });
+    const request = {
+        requestId,
+        agentId,
+        agentPublicKey: agent.publicKey,
+        signature: sign(payload, agent.keyPair.privateKey),
+        tool,
+        params: params || {},
+        scopeRequired,
+        context,
+    };
+    const result = state.gateway.approve(request);
+    return {
+        content: [{
+                type: "text",
+                text: JSON.stringify({
+                    approved: result.approved,
+                    ...(result.approval && {
+                        approvalId: result.approval.approvalId,
+                        expiresAt: result.approval.expiresAt,
+                        nonce: result.approval.nonce,
+                    }),
+                    ...(result.denial && { denial: result.denial }),
+                }, null, 2),
+            }],
+    };
+});
+server.tool("gateway_execute_approval", "Execute a previously approved tool call. Rechecks delegation validity before execution — if delegation was revoked since approval, execution is denied.", {
+    approvalId: z.string().describe("Approval ID from gateway_approve"),
+}, async ({ approvalId }) => {
+    if (!state.gateway) {
+        return { content: [{ type: "text", text: "Error: Create gateway first (create_gateway)" }] };
+    }
+    const result = await state.gateway.executeApproval(approvalId);
+    return {
+        content: [{
+                type: "text",
+                text: JSON.stringify({
+                    executed: result.executed,
+                    requestId: result.requestId,
+                    result: result.result ?? undefined,
+                    denialReason: result.denialReason ?? undefined,
+                    ...(result.proof && {
+                        proof: {
+                            policyReceiptId: result.proof.policyReceipt?.policyReceiptId,
+                        },
+                    }),
+                }, null, 2),
+            }],
+    };
+});
+server.tool("gateway_stats", "Get gateway statistics: total requests, permits, denials, replay attempts blocked, active agents, and pending approvals.", {}, async () => {
+    if (!state.gateway) {
+        return { content: [{ type: "text", text: "Error: Create gateway first (create_gateway)" }] };
+    }
+    return {
+        content: [{
+                type: "text",
+                text: JSON.stringify(state.gateway.getStats(), null, 2),
+            }],
+    };
+});
+// ═══════════════════════════════════════
 // MCP Prompts — Role-Specific
 // ═══════════════════════════════════════
 server.prompt("coordination_role", "Get instructions for your assigned coordination role", {}, async () => {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agent-passport-system-mcp",
-  "version": "2.5.0",
+  "version": "2.6.0",
   "mcpName": "io.github.aeoess/agent-passport-mcp",
   "description": "MCP server for Agent Passport System — cryptographic identity, delegation, governance, and deliberation for AI agents",
   "type": "module",
@@ -8,7 +8,9 @@
     "agent-passport-system-mcp": "build/index.js"
   },
   "files": [
-    "build"
+    "build",
+    "CONTRIBUTING.md",
+    "CODE_OF_CONDUCT.md"
   ],
   "scripts": {
     "build": "tsc && chmod 755 build/index.js",
@@ -45,7 +47,7 @@
   "homepage": "https://github.com/aeoess/agent-passport-mcp",
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.12.0",
-    "agent-passport-system": "file:../agent-passport-system/agent-passport-system-1.11.0.tgz",
+    "agent-passport-system": "file:../agent-passport-system/agent-passport-system-1.12.0.tgz",
     "zod": "^3.25.0"
   },
   "devDependencies": {