npm - agent-passport-system-mcp - Versions diffs - 3.0.0 → 3.1.0 - Mend

agent-passport-system-mcp 3.0.0 → 3.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -12,13 +12,13 @@ Enforcement and accountability layer for AI agents. Bring your own identity. 20
 APS_PROFILE=essential npx agent-passport-system-mcp
 ```
-`essential` is the default profile — the 20 tools 90% of integrations need. Set `APS_PROFILE=full` for all 154 tools.
+`essential` is the default profile — the 20 tools 90% of integrations need. Set `APS_PROFILE=full` for all 146 tools.
 Available profiles: essential (default), identity, governance, coordination, commerce, data, gateway, comms, minimal, full.
 > **For AI agents:** visit [aeoess.com/llms.txt](https://aeoess.com/llms.txt) for machine-readable documentation or [llms-full.txt](https://aeoess.com/llms-full.txt) for the complete technical reference. MCP discovery: [.well-known/mcp.json](https://aeoess.com/.well-known/mcp.json).
-Works with any MCP client: Claude Desktop, Claude Code, Cursor, Windsurf, and more. Full surface area under `APS_PROFILE=full`: 154 tools across 123 modules (84 core + 39 v2 constitutional governance). Independently cited by [PDR in Production (Nanook & Gerundium, UBC)](https://doi.org/10.5281/zenodo.19323172).
+Works with any MCP client: Claude Desktop, Claude Code, Cursor, Windsurf, and more. Full surface area under `APS_PROFILE=full`: 146 tools across 125 modules (84 core + 39 v2 constitutional governance). Independently cited by [PDR in Production (Nanook & Gerundium, UBC)](https://doi.org/10.5281/zenodo.19323172).
 ## Quick Start
@@ -216,8 +216,8 @@ Layer 1 — Agent Passport Protocol (Ed25519 identity)
 ## Links
-- npm SDK: [agent-passport-system](https://www.npmjs.com/package/agent-passport-system) (v2.0.0, 2326 tests)
-- Python SDK: [agent-passport-system](https://pypi.org/project/agent-passport-system/) (v0.15.0)
+- npm SDK: [agent-passport-system](https://www.npmjs.com/package/agent-passport-system) (v2.2.0, 2395 tests)
+- Python SDK: [agent-passport-system](https://pypi.org/project/agent-passport-system/) (v2.2.0)
 - Paper (Protocol): [doi.org/10.5281/zenodo.18749779](https://doi.org/10.5281/zenodo.18749779)
 - Paper (Faceted Narrowing): [doi.org/10.5281/zenodo.19260073](https://doi.org/10.5281/zenodo.19260073)
 - Paper (Behavioral Derivation Rights): [doi.org/10.5281/zenodo.19476002](https://doi.org/10.5281/zenodo.19476002)

package/build/index.js CHANGED Viewed

@@ -63,6 +63,10 @@ computeDataAxisWeights, computeComputeAxisWeights, DEFAULT_WEIGHT_PROFILE,
 // Attribution Settlement (Build C — per-period signed settlement record)
 aggregateAttributionPrimitives, buildContributorQueryResponse, signSettlementRecord, verifySettlementRecord, } from "agent-passport-system";
 // ═══════════════════════════════════════
+// Mutual Authentication v1 (SDK v2.2.0)
+// ═══════════════════════════════════════
+import { buildCertificate, signCertificate, certificateId, verifyBundle, verifyAttest, deriveSession, } from "agent-passport-system";
+// ═══════════════════════════════════════
 // State Management
 // ═══════════════════════════════════════
 const STORE_PATH = join(process.env.HOME || '.', '.agent-passport-tasks.json');
@@ -4353,6 +4357,108 @@ server.tool("aps_build_contributor_query", "Build a contributor-query response:
         return { content: [{ type: "text", text: safeError("buildContributorQuery failed", e) }], isError: true };
     }
 });
+// ═══════════════════════════════════════
+// Mutual Authentication v1 tools (SDK v2.2.0)
+// ═══════════════════════════════════════
+server.tool("mutualAuthBuildCertificate", "Build and sign a mutual-auth certificate identifying an agent or information system. Returns the signed MutualAuthCertificate object ready to carry into a handshake. The issuer's Ed25519 private key (hex) signs over the canonical (JCS) form.", {
+    role: z.enum(["agent", "information_system"]).describe("Role of the subject this cert identifies"),
+    subject_id: z.string().describe("Stable subject identifier (e.g., agent DID, IS endpoint URL)"),
+    subject_pubkey_hex: z.string().describe("Ed25519 public key (hex) of the subject"),
+    issuer_id: z.string().describe("Issuer identifier"),
+    issuer_role: z.enum(["agent", "information_system", "trust_anchor"]).describe("Role of the issuer"),
+    issuer_pubkey_hex: z.string().describe("Ed25519 public key (hex) of the issuer"),
+    issuer_privkey_hex: z.string().describe("Ed25519 private key (hex) of the issuer — used to sign"),
+    binding: z.string().describe("For an agent: the APS agent_id. For an IS: the resource domain (e.g., mcp://api.bank.com)"),
+    not_before: z.number().describe("Earliest valid time (unix ms)"),
+    not_after: z.number().describe("Latest valid time (unix ms)"),
+    supported_versions: z.array(z.string()).describe("Protocol versions supported, highest first (e.g., ['1.0'])"),
+    attestation_grade: z.union([z.literal(0), z.literal(1), z.literal(2), z.literal(3)]).optional().describe("For agents: APS attestation grade 0-3"),
+    capabilities: z.array(z.string()).optional().describe("Optional capability tags"),
+}, async (args) => {
+    try {
+        const unsigned = buildCertificate({
+            role: args.role,
+            subject_id: args.subject_id,
+            subject_pubkey_hex: args.subject_pubkey_hex,
+            issuer_id: args.issuer_id,
+            issuer_role: args.issuer_role,
+            binding: args.binding,
+            not_before: args.not_before,
+            not_after: args.not_after,
+            supported_versions: args.supported_versions,
+            attestation_grade: args.attestation_grade,
+            capabilities: args.capabilities,
+        }, args.issuer_pubkey_hex);
+        const cert = signCertificate(unsigned, args.issuer_privkey_hex);
+        return {
+            content: [{ type: "text", text: JSON.stringify({
+                        certificate: cert,
+                        certificate_id: certificateId(cert),
+                    }, null, 2) }],
+        };
+    }
+    catch (e) {
+        return { content: [{ type: "text", text: safeError("mutualAuthBuildCertificate failed", e) }], isError: true };
+    }
+});
+server.tool("mutualAuthVerifyAttest", "Verify a MutualAuthAttest against policy and trust anchors. Runs all 10 verification checks: signature, version negotiation, nonce match, timestamp freshness, certificate validity, issuer anchor check, binding constraints, downgrade detection, attestation grade policy, capability policy. Returns ok:true on success or a failure reason on rejection.", {
+    attest: z.any().describe("MutualAuthAttest to verify"),
+    expected_peer_nonce_b64: z.string().describe("The nonce the peer sent in their prior hello or attest"),
+    expected_own_nonce_b64: z.string().describe("The nonce we sent in our own prior hello or attest"),
+    policy: z.any().describe("MutualAuthPolicy (accepted_versions, min_agent_grade, required_capabilities, max_clock_skew_ms, max_session_ms)"),
+    trust_anchors: z.array(z.any()).describe("TrustAnchor[] — local trusted roots"),
+    revoked_anchor_ids: z.array(z.string()).optional().describe("IDs of anchors revoked since the bundle was issued"),
+    now_ms: z.number().optional().describe("Current unix ms — defaults to Date.now()"),
+}, async (args) => {
+    try {
+        const res = verifyAttest({
+            attest: args.attest,
+            expected_peer_nonce_b64: args.expected_peer_nonce_b64,
+            expected_own_nonce_b64: args.expected_own_nonce_b64,
+            policy: args.policy,
+            trust_anchors: args.trust_anchors,
+            revoked_anchor_ids: args.revoked_anchor_ids,
+            now_ms: args.now_ms ?? Date.now(),
+        });
+        return {
+            content: [{ type: "text", text: JSON.stringify(res, null, 2) }],
+        };
+    }
+    catch (e) {
+        return { content: [{ type: "text", text: safeError("mutualAuthVerifyAttest failed", e) }], isError: true };
+    }
+});
+server.tool("mutualAuthDeriveSession", "Derive the shared mutual-auth session record from both sides' Attests. Both parties MUST compute identical session_id given identical inputs (canonical JCS + sha256 of chosen_version, both cert ids, both nonces). Returns a MutualAuthSession with session_id + both certificates + expiry bounds, or failure reason.", {
+    agent_attest: z.any().describe("The agent's MutualAuthAttest"),
+    is_attest: z.any().describe("The information system's MutualAuthAttest"),
+    policy: z.any().describe("MutualAuthPolicy"),
+    now_ms: z.number().optional().describe("Current unix ms — defaults to Date.now()"),
+}, async (args) => {
+    try {
+        const res = deriveSession(args.agent_attest, args.is_attest, args.policy, args.now_ms ?? Date.now());
+        return {
+            content: [{ type: "text", text: JSON.stringify(res, null, 2) }],
+        };
+    }
+    catch (e) {
+        return { content: [{ type: "text", text: safeError("mutualAuthDeriveSession failed", e) }], isError: true };
+    }
+});
+server.tool("mutualAuthVerifyTrustBundle", "Verify a TrustAnchorBundle signature and freshness. Caller supplies the list of trusted publisher public keys (root configuration). Returns ok:true on success or failure reason (untrusted_publisher, signature_invalid, bundle_expired, not_yet_valid).", {
+    bundle: z.any().describe("TrustAnchorBundle to verify"),
+    trusted_publisher_pubkeys_hex: z.array(z.string()).describe("List of Ed25519 pubkeys (hex) authorized to publish bundles"),
+    now_ms: z.number().optional().describe("Current unix ms — defaults to Date.now()"),
+}, async (args) => {
+    try {
+        const res = verifyBundle(args.bundle, args.trusted_publisher_pubkeys_hex, args.now_ms ?? Date.now());
+        return {
+            content: [{ type: "text", text: JSON.stringify(res, null, 2) }],
+        };
+    }
+    catch (e) {
+        return { content: [{ type: "text", text: safeError("mutualAuthVerifyTrustBundle failed", e) }], isError: true };
+    }
+});
 server.prompt("coordination_role", "Get instructions for your assigned coordination role", {}, async () => {
     const role = state.agentRole || 'default';
     const instructions = ROLE_PROMPTS[role] || ROLE_PROMPTS['default'];

package/package.json CHANGED Viewed

@@ -1,8 +1,8 @@
 {
   "name": "agent-passport-system-mcp",
-  "version": "3.0.0",
+  "version": "3.1.0",
   "mcpName": "io.github.aeoess/agent-passport-mcp",
-  "description": "MCP server for the Agent Passport System — protocol-layer tools only. 142 tools (132 protocol + 10 gateway deprecation stubs). Identity, delegation, reputation, attestation, coordination, commerce, attribution primitive, attribution settlement. Tracks SDK v2.0.0. For gateway-runtime tools (ProxyGateway, AgentContext, DataEnforcementGate), use gateway.aeoess.com REST API or pin to v2.27.0.",
+  "description": "MCP server for the Agent Passport System — protocol-layer tools only. 146 tools (132 protocol + 10 gateway deprecation stubs). Identity, delegation, reputation, attestation, coordination, commerce, attribution primitive, attribution settlement. Tracks SDK v2.2.0. For gateway-runtime tools (ProxyGateway, AgentContext, DataEnforcementGate), use gateway.aeoess.com REST API or pin to v3.1.0.",
   "type": "module",
   "bin": {
     "agent-passport-system-mcp": "./build/bin.js",
@@ -50,7 +50,7 @@
   "homepage": "https://github.com/aeoess/agent-passport-mcp",
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.27.1",
-    "agent-passport-system": "^2.0.0-beta.0",
+    "agent-passport-system": "^2.2.0",
     "zod": "^3.25.76"
   },
   "devDependencies": {