agentic-orchestrator 0.1.0

package/dist/apps/control-plane/mcp/runtime-factory.js

@@ -0,0 +1,71 @@
+import { OperationLedger } from './operation-ledger.js';
+import { KernelToolExecutor } from './kernel-tool-executor.js';
+import { McpServerAdapter } from './mcp-server-adapter.js';
+import { TokenAuthVerifier } from './token-auth-verifier.js';
+import { ToolAuthorizer } from './tool-authorizer.js';
+import { ToolContractValidator } from './tool-contract-validator.js';
+import { InProcessToolClient, McpToolClient } from './tool-client.js';
+import { ToolRegistryLoader } from './tool-registry-loader.js';
+import { ToolRuntime } from './tool-runtime.js';
+import { ToolsMarkdownGenerator } from './tools-markdown-generator.js';
+export class ToolingRuntimeComposer {
+    repoRoot;
+    kernel;
+    options;
+    constructor(repoRoot, kernel, options = {}) {
+        this.repoRoot = repoRoot;
+        this.kernel = kernel;
+        this.options = options;
+    }
+    async compose() {
+        const loader = new ToolRegistryLoader(this.repoRoot);
+        const registry = await loader.load();
+        await this.generateToolsMarkdownIfEnabled(registry.catalog);
+        const validator = await ToolContractValidator.create(loader, registry);
+        const authorizer = new ToolAuthorizer(this.kernel.getRbacPolicy(), registry);
+        const ledger = new OperationLedger(this.repoRoot);
+        const executor = new KernelToolExecutor(this.kernel);
+        const runtime = new ToolRuntime({
+            registry,
+            loader,
+            validator,
+            authorizer,
+            ledger,
+            executor
+        });
+        const authVerifier = new TokenAuthVerifier();
+        const mcpAdapter = new McpServerAdapter(runtime, authVerifier);
+        return {
+            loader,
+            registry,
+            validator,
+            authorizer,
+            ledger,
+            executor,
+            runtime,
+            authVerifier,
+            mcpAdapter,
+            inProcessClient: new InProcessToolClient(runtime),
+            mcpClient: new McpToolClient(mcpAdapter, authVerifier)
+        };
+    }
+    async generateToolsMarkdownIfEnabled(catalog) {
+        const shouldGenerateDocs = this.options.generateToolsMarkdown ?? true;
+        if (!shouldGenerateDocs) {
+            return;
+        }
+        const markdownGenerator = new ToolsMarkdownGenerator(this.repoRoot);
+        await markdownGenerator.writeFromCatalog(catalog);
+    }
+}
+export async function createToolingRuntime(repoRoot, kernel, options = {}) {
+    const composer = new ToolingRuntimeComposer(repoRoot, kernel, options);
+    return await composer.compose();
+}
+export function resolveToolClient(transport, tooling) {
+    if (transport === 'mcp') {
+        return tooling.mcpClient;
+    }
+    return tooling.inProcessClient;
+}
+//# sourceMappingURL=runtime-factory.js.map

package/dist/apps/control-plane/mcp/runtime-factory.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"runtime-factory.js","sourceRoot":"","sources":["../../../../apps/control-plane/src/mcp/runtime-factory.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AACxD,OAAO,EAAE,kBAAkB,EAAgC,MAAM,2BAA2B,CAAC;AAC7F,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC3D,OAAO,EAAE,iBAAiB,EAAE,MAAM,0BAA0B,CAAC;AAC7D,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,qBAAqB,EAAE,MAAM,8BAA8B,CAAC;AACrE,OAAO,EAAE,mBAAmB,EAAE,aAAa,EAAmB,MAAM,kBAAkB,CAAC;AACvF,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAC/D,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,sBAAsB,EAAE,MAAM,+BAA+B,CAAC;AAwBvE,MAAM,OAAO,sBAAsB;IAChB,QAAQ,CAAS;IACjB,MAAM,CAAoB;IAC1B,OAAO,CAA8B;IAEtD,YAAY,QAAgB,EAAE,MAAyB,EAAE,UAAuC,EAAE;QAChG,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QACzB,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;IACzB,CAAC;IAED,KAAK,CAAC,OAAO;QACX,MAAM,MAAM,GAAG,IAAI,kBAAkB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACrD,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,IAAI,EAAE,CAAC;QAErC,MAAM,IAAI,CAAC,8BAA8B,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QAE5D,MAAM,SAAS,GAAG,MAAM,qBAAqB,CAAC,MAAM,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QACvE,MAAM,UAAU,GAAG,IAAI,cAAc,CAAC,IAAI,CAAC,MAAM,CAAC,aAAa,EAAE,EAAE,QAAQ,CAAC,CAAC;QAC7E,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAClD,MAAM,QAAQ,GAAG,IAAI,kBAAkB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACrD,MAAM,OAAO,GAAG,IAAI,WAAW,CAAC;YAC9B,QAAQ;YACR,MAAM;YACN,SAAS;YACT,UAAU;YACV,MAAM;YACN,QAAQ;SACT,CAAC,CAAC;QACH,MAAM,YAAY,GAAG,IAAI,iBAAiB,EAAE,CAAC;QAC7C,MAAM,UAAU,GAAG,IAAI,gBAAgB,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;QAE/D,OAAO;YACL,MAAM;YACN,QAAQ;YACR,SAAS;YACT,UAAU;YACV,MAAM;YACN,QAAQ;YACR,OAAO;YACP,YAAY;YACZ,UAAU;YACV,eAAe,EAAE,IAAI,mBAAmB,CAAC,OAAO,CAAC;YACjD,SAAS,EAAE,IAAI,aAAa,CAAC,UAAU,EAAE,YAAY,CAAC;SACvD,CAAC;IACJ,CAAC;IAEO,KAAK,CAAC,8BAA8B,CAAC,OAAmE;QAC9G,MAAM,kBAAkB,GAAG,IAAI,CAAC,OAAO,CAAC,qBAAqB,IAAI,IAAI,CAAC;QACtE,IAAI,CAAC,kBAAkB,EAAE,CAAC;YACxB,OAAO;QACT,CAAC;QACD,MAAM,iBAAiB,GAAG,IAAI,sBAAsB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACpE,MAAM,iBAAiB,CAAC,gBAAgB,CAAC,OAAO,CAAC,CAAC;IACpD,CAAC;CACF;AAED,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,QAAgB,EAChB,MAAyB,EACzB,UAAuC,EAAE;IAEzC,MAAM,QAAQ,GAAG,IAAI,sBAAsB,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;IACvE,OAAO,MAAM,QAAQ,CAAC,OAAO,EAAE,CAAC;AAClC,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,SAA8B,EAAE,OAAuB;IACvF,IAAI,SAAS,KAAK,KAAK,EAAE,CAAC;QACxB,OAAO,OAAO,CAAC,SAAS,CAAC;IAC3B,CAAC;IACD,OAAO,OAAO,CAAC,eAAe,CAAC;AACjC,CAAC"}

package/dist/apps/control-plane/mcp/runtime-types.d.ts

@@ -0,0 +1,40 @@
+export interface ToolCatalogEntry {
+    name: string;
+    description: string;
+    input_schema_ref: string;
+    output_schema_ref: string;
+    supported_roles: string[];
+    handler_id: string;
+    mutating: boolean;
+    requires_operation_id: boolean;
+}
+export interface ToolCatalog {
+    version: number;
+    tools: ToolCatalogEntry[];
+}
+export interface ProtocolContract {
+    mcp_protocol_version: string;
+    sdk: {
+        package: string;
+        version: string;
+    };
+    enabled_transports: string[];
+}
+export interface LoadedToolRegistry {
+    toolsRoot: string;
+    catalogPath: string;
+    protocolPath: string;
+    catalog: ToolCatalog;
+    protocol: ProtocolContract;
+    toolsByName: Map<string, ToolCatalogEntry>;
+    toolsByHandlerId: Map<string, ToolCatalogEntry>;
+}
+export interface VerifiedActorClaims {
+    run_id: string;
+    session_id: string;
+    actor_type: string;
+    actor_id: string;
+    issued_at: string;
+    expires_at: string;
+    feature_scope?: string[];
+}

package/dist/apps/control-plane/mcp/runtime-types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=runtime-types.js.map

package/dist/apps/control-plane/mcp/runtime-types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"runtime-types.js","sourceRoot":"","sources":["../../../../apps/control-plane/src/mcp/runtime-types.ts"],"names":[],"mappings":""}

package/dist/apps/control-plane/mcp/token-auth-verifier.d.ts

@@ -0,0 +1,24 @@
+import type { VerifiedActorClaims } from './runtime-types.js';
+interface TokenAuthOptions {
+    secret?: string;
+    ttl_seconds?: number;
+    now?: () => Date;
+}
+export declare class TokenAuthVerifier {
+    readonly secret: string;
+    readonly ttlSeconds: number;
+    readonly now: () => Date;
+    private readonly tokenCodec;
+    private readonly claimsValidator;
+    constructor(options?: TokenAuthOptions);
+    issueToken(input: {
+        run_id: string;
+        session_id: string;
+        actor_type: string;
+        actor_id: string;
+        feature_scope?: string[];
+        expires_at?: string;
+    }): string;
+    verifyToken(token: string): VerifiedActorClaims;
+}
+export {};

package/dist/apps/control-plane/mcp/token-auth-verifier.js

@@ -0,0 +1,45 @@
+import { SessionTokenCodec } from './token-codec.js';
+import { TokenClaimsValidator } from './token-claims-validator.js';
+export class TokenAuthVerifier {
+    secret;
+    ttlSeconds;
+    now;
+    tokenCodec;
+    claimsValidator;
+    constructor(options = {}) {
+        this.secret = options.secret ?? process.env.AOP_MCP_HMAC_SECRET ?? 'aop-dev-secret';
+        this.ttlSeconds = options.ttl_seconds ?? 900;
+        this.now = options.now ?? (() => new Date());
+        this.tokenCodec = new SessionTokenCodec(this.secret);
+        this.claimsValidator = new TokenClaimsValidator(this.now);
+    }
+    issueToken(input) {
+        const issuedAt = this.now().toISOString();
+        const expiresAt = input.expires_at ?? new Date(this.now().getTime() + this.ttlSeconds * 1000).toISOString();
+        const claims = {
+            run_id: input.run_id,
+            session_id: input.session_id,
+            actor_type: input.actor_type,
+            actor_id: input.actor_id,
+            feature_scope: input.feature_scope,
+            issued_at: issuedAt,
+            expires_at: expiresAt
+        };
+        this.claimsValidator.validate(claims, { checkExpiry: false });
+        return this.tokenCodec.issue(claims);
+    }
+    verifyToken(token) {
+        try {
+            const claims = this.tokenCodec.decodeAndVerify(token);
+            this.claimsValidator.validate(claims);
+            return claims;
+        }
+        catch (error) {
+            if (error?.normalizedResponse) {
+                throw error;
+            }
+            this.claimsValidator.wrapCodecError(error);
+        }
+    }
+}
+//# sourceMappingURL=token-auth-verifier.js.map

package/dist/apps/control-plane/mcp/token-auth-verifier.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-auth-verifier.js","sourceRoot":"","sources":["../../../../apps/control-plane/src/mcp/token-auth-verifier.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,EAAE,oBAAoB,EAAE,MAAM,6BAA6B,CAAC;AAQnE,MAAM,OAAO,iBAAiB;IACnB,MAAM,CAAS;IACf,UAAU,CAAS;IACnB,GAAG,CAAa;IACR,UAAU,CAAoB;IAC9B,eAAe,CAAuB;IAEvD,YAAY,UAA4B,EAAE;QACxC,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,GAAG,CAAC,mBAAmB,IAAI,gBAAgB,CAAC;QACpF,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,WAAW,IAAI,GAAG,CAAC;QAC7C,IAAI,CAAC,GAAG,GAAG,OAAO,CAAC,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC;QAC7C,IAAI,CAAC,UAAU,GAAG,IAAI,iBAAiB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACrD,IAAI,CAAC,eAAe,GAAG,IAAI,oBAAoB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC5D,CAAC;IAED,UAAU,CAAC,KAOV;QACC,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,WAAW,EAAE,CAAC;QAC1C,MAAM,SAAS,GAAG,KAAK,CAAC,UAAU,IAAI,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;QAE5G,MAAM,MAAM,GAAwB;YAClC,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,UAAU,EAAE,KAAK,CAAC,UAAU;YAC5B,UAAU,EAAE,KAAK,CAAC,UAAU;YAC5B,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,aAAa,EAAE,KAAK,CAAC,aAAa;YAClC,SAAS,EAAE,QAAQ;YACnB,UAAU,EAAE,SAAS;SACtB,CAAC;QAEF,IAAI,CAAC,eAAe,CAAC,QAAQ,CAAC,MAAM,EAAE,EAAE,WAAW,EAAE,KAAK,EAAE,CAAC,CAAC;QAC9D,OAAO,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IACvC,CAAC;IAED,WAAW,CAAC,KAAa;QACvB,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;YACtD,IAAI,CAAC,eAAe,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;YACtC,OAAO,MAAM,CAAC;QAChB,CAAC;QAAC,OAAO,KAAc,EAAE,CAAC;YACxB,IAAK,KAA0C,EAAE,kBAAkB,EAAE,CAAC;gBACpE,MAAM,KAAK,CAAC;YACd,CAAC;YACD,IAAI,CAAC,eAAe,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC;QAC7C,CAAC;IACH,CAAC;CACF"}

package/dist/apps/control-plane/mcp/token-claims-validator.d.ts

@@ -0,0 +1,9 @@
+import type { VerifiedActorClaims } from './runtime-types.js';
+export declare class TokenClaimsValidator {
+    private readonly now;
+    constructor(now: () => Date);
+    validate(claims: VerifiedActorClaims, options?: {
+        checkExpiry?: boolean;
+    }): void;
+    wrapCodecError(error: unknown): never;
+}

package/dist/apps/control-plane/mcp/token-claims-validator.js

@@ -0,0 +1,62 @@
+import { ERROR_CODES } from '../core/error-codes.js';
+import { fail } from '../core/response.js';
+function isValidIsoDate(value) {
+    const parsed = new Date(value);
+    return !Number.isNaN(parsed.getTime()) && parsed.toISOString() === value;
+}
+function claimsValidationError(message) {
+    return {
+        normalizedResponse: fail(ERROR_CODES.UNAUTHENTICATED, message, {
+            retryable: false,
+            requires_human: true
+        })
+    };
+}
+export class TokenClaimsValidator {
+    now;
+    constructor(now) {
+        this.now = now;
+    }
+    validate(claims, options = {}) {
+        const checkExpiry = options.checkExpiry ?? true;
+        const requiredStringFields = [
+            'run_id',
+            'session_id',
+            'actor_type',
+            'actor_id',
+            'issued_at',
+            'expires_at'
+        ];
+        for (const field of requiredStringFields) {
+            if (!claims[field] || typeof claims[field] !== 'string') {
+                throw claimsValidationError(`missing_claim_${field}`);
+            }
+        }
+        if (!isValidIsoDate(claims.issued_at) || !isValidIsoDate(claims.expires_at)) {
+            throw claimsValidationError('invalid_claim_timestamp');
+        }
+        if (claims.actor_type === 'system' && !claims.session_id.startsWith('bootstrap:')) {
+            throw {
+                normalizedResponse: fail(ERROR_CODES.FORBIDDEN_TOOL_FOR_ROLE, 'system_role_requires_bootstrap_session', {
+                    retryable: false,
+                    requires_human: true
+                })
+            };
+        }
+        if (claims.feature_scope != null && !Array.isArray(claims.feature_scope)) {
+            throw claimsValidationError('invalid_feature_scope_claim');
+        }
+        if (checkExpiry) {
+            const nowMs = this.now().getTime();
+            const expiresAtMs = new Date(claims.expires_at).getTime();
+            if (expiresAtMs < nowMs) {
+                throw claimsValidationError('session_token_expired');
+            }
+        }
+    }
+    wrapCodecError(error) {
+        const message = error instanceof Error ? error.message : String(error);
+        throw claimsValidationError(message);
+    }
+}
+//# sourceMappingURL=token-claims-validator.js.map

package/dist/apps/control-plane/mcp/token-claims-validator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-claims-validator.js","sourceRoot":"","sources":["../../../../apps/control-plane/src/mcp/token-claims-validator.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AACrD,OAAO,EAAE,IAAI,EAAE,MAAM,qBAAqB,CAAC;AAG3C,SAAS,cAAc,CAAC,KAAa;IACnC,MAAM,MAAM,GAAG,IAAI,IAAI,CAAC,KAAK,CAAC,CAAC;IAC/B,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC,IAAI,MAAM,CAAC,WAAW,EAAE,KAAK,KAAK,CAAC;AAC3E,CAAC;AAED,SAAS,qBAAqB,CAAC,OAAe;IAC5C,OAAO;QACL,kBAAkB,EAAE,IAAI,CAAC,WAAW,CAAC,eAAe,EAAE,OAAO,EAAE;YAC7D,SAAS,EAAE,KAAK;YAChB,cAAc,EAAE,IAAI;SACrB,CAAC;KACH,CAAC;AACJ,CAAC;AAED,MAAM,OAAO,oBAAoB;IACd,GAAG,CAAa;IAEjC,YAAY,GAAe;QACzB,IAAI,CAAC,GAAG,GAAG,GAAG,CAAC;IACjB,CAAC;IAED,QAAQ,CAAC,MAA2B,EAAE,UAAqC,EAAE;QAC3E,MAAM,WAAW,GAAG,OAAO,CAAC,WAAW,IAAI,IAAI,CAAC;QAChD,MAAM,oBAAoB,GAAqC;YAC7D,QAAQ;YACR,YAAY;YACZ,YAAY;YACZ,UAAU;YACV,WAAW;YACX,YAAY;SACb,CAAC;QACF,KAAK,MAAM,KAAK,IAAI,oBAAoB,EAAE,CAAC;YACzC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,OAAO,MAAM,CAAC,KAAK,CAAC,KAAK,QAAQ,EAAE,CAAC;gBACxD,MAAM,qBAAqB,CAAC,iBAAiB,KAAK,EAAE,CAAC,CAAC;YACxD,CAAC;QACH,CAAC;QAED,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,SAAS,CAAC,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,CAAC;YAC5E,MAAM,qBAAqB,CAAC,yBAAyB,CAAC,CAAC;QACzD,CAAC;QAED,IAAI,MAAM,CAAC,UAAU,KAAK,QAAQ,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;YAClF,MAAM;gBACJ,kBAAkB,EAAE,IAAI,CAAC,WAAW,CAAC,uBAAuB,EAAE,wCAAwC,EAAE;oBACtG,SAAS,EAAE,KAAK;oBAChB,cAAc,EAAE,IAAI;iBACrB,CAAC;aACH,CAAC;QACJ,CAAC;QAED,IAAI,MAAM,CAAC,aAAa,IAAI,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,aAAa,CAAC,EAAE,CAAC;YACzE,MAAM,qBAAqB,CAAC,6BAA6B,CAAC,CAAC;QAC7D,CAAC;QAED,IAAI,WAAW,EAAE,CAAC;YAChB,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC;YACnC,MAAM,WAAW,GAAG,IAAI,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,OAAO,EAAE,CAAC;YAC1D,IAAI,WAAW,GAAG,KAAK,EAAE,CAAC;gBACxB,MAAM,qBAAqB,CAAC,uBAAuB,CAAC,CAAC;YACvD,CAAC;QACH,CAAC;IACH,CAAC;IAED,cAAc,CAAC,KAAc;QAC3B,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACvE,MAAM,qBAAqB,CAAC,OAAO,CAAC,CAAC;IACvC,CAAC;CACF"}

package/dist/apps/control-plane/mcp/token-codec.d.ts

@@ -0,0 +1,11 @@
+import type { VerifiedActorClaims } from './runtime-types.js';
+export interface TokenHeader {
+    alg: 'HS256';
+    typ: 'JWT';
+}
+export declare class SessionTokenCodec {
+    private readonly secret;
+    constructor(secret: string);
+    issue(claims: VerifiedActorClaims): string;
+    decodeAndVerify(token: string): VerifiedActorClaims;
+}

package/dist/apps/control-plane/mcp/token-codec.js

@@ -0,0 +1,46 @@
+import crypto from 'node:crypto';
+function base64urlEncode(input) {
+    return Buffer.from(input, 'utf8').toString('base64url');
+}
+function base64urlDecode(input) {
+    return Buffer.from(input, 'base64url').toString('utf8');
+}
+function sign(secret, payload) {
+    return crypto.createHmac('sha256', secret).update(payload).digest('base64url');
+}
+export class SessionTokenCodec {
+    secret;
+    constructor(secret) {
+        this.secret = secret;
+    }
+    issue(claims) {
+        const header = { alg: 'HS256', typ: 'JWT' };
+        const encodedHeader = base64urlEncode(JSON.stringify(header));
+        const encodedClaims = base64urlEncode(JSON.stringify(claims));
+        const signature = sign(this.secret, `${encodedHeader}.${encodedClaims}`);
+        return `${encodedHeader}.${encodedClaims}.${signature}`;
+    }
+    decodeAndVerify(token) {
+        if (!token || typeof token !== 'string') {
+            throw new Error('missing_session_token');
+        }
+        const parts = token.split('.');
+        if (parts.length !== 3) {
+            throw new Error('invalid_session_token_format');
+        }
+        const [encodedHeader, encodedPayload, receivedSignature] = parts;
+        const expectedSignature = sign(this.secret, `${encodedHeader}.${encodedPayload}`);
+        if (expectedSignature.length !== receivedSignature.length) {
+            throw new Error('invalid_session_signature');
+        }
+        if (!crypto.timingSafeEqual(Buffer.from(expectedSignature), Buffer.from(receivedSignature))) {
+            throw new Error('invalid_session_signature');
+        }
+        const header = JSON.parse(base64urlDecode(encodedHeader));
+        if (header.alg !== 'HS256' || header.typ !== 'JWT') {
+            throw new Error('invalid_session_header');
+        }
+        return JSON.parse(base64urlDecode(encodedPayload));
+    }
+}
+//# sourceMappingURL=token-codec.js.map

package/dist/apps/control-plane/mcp/token-codec.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-codec.js","sourceRoot":"","sources":["../../../../apps/control-plane/src/mcp/token-codec.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,aAAa,CAAC;AAQjC,SAAS,eAAe,CAAC,KAAa;IACpC,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AAC1D,CAAC;AAED,SAAS,eAAe,CAAC,KAAa;IACpC,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;AAC1D,CAAC;AAED,SAAS,IAAI,CAAC,MAAc,EAAE,OAAe;IAC3C,OAAO,MAAM,CAAC,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;AACjF,CAAC;AAED,MAAM,OAAO,iBAAiB;IACX,MAAM,CAAS;IAEhC,YAAY,MAAc;QACxB,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACvB,CAAC;IAED,KAAK,CAAC,MAA2B;QAC/B,MAAM,MAAM,GAAgB,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC;QACzD,MAAM,aAAa,GAAG,eAAe,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC;QAC9D,MAAM,aAAa,GAAG,eAAe,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC;QAC9D,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,aAAa,IAAI,aAAa,EAAE,CAAC,CAAC;QACzE,OAAO,GAAG,aAAa,IAAI,aAAa,IAAI,SAAS,EAAE,CAAC;IAC1D,CAAC;IAED,eAAe,CAAC,KAAa;QAC3B,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YACxC,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;QAC3C,CAAC;QAED,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC;QAClD,CAAC;QAED,MAAM,CAAC,aAAa,EAAE,cAAc,EAAE,iBAAiB,CAAC,GAAG,KAAK,CAAC;QACjE,MAAM,iBAAiB,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,aAAa,IAAI,cAAc,EAAE,CAAC,CAAC;QAClF,IAAI,iBAAiB,CAAC,MAAM,KAAK,iBAAiB,CAAC,MAAM,EAAE,CAAC;YAC1D,MAAM,IAAI,KAAK,CAAC,2BAA2B,CAAC,CAAC;QAC/C,CAAC;QACD,IAAI,CAAC,MAAM,CAAC,eAAe,CAAC,MAAM,CAAC,IAAI,CAAC,iBAAiB,CAAC,EAAE,MAAM,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC,EAAE,CAAC;YAC5F,MAAM,IAAI,KAAK,CAAC,2BAA2B,CAAC,CAAC;QAC/C,CAAC;QAED,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,aAAa,CAAC,CAAgB,CAAC;QACzE,IAAI,MAAM,CAAC,GAAG,KAAK,OAAO,IAAI,MAAM,CAAC,GAAG,KAAK,KAAK,EAAE,CAAC;YACnD,MAAM,IAAI,KAAK,CAAC,wBAAwB,CAAC,CAAC;QAC5C,CAAC;QAED,OAAO,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,cAAc,CAAC,CAAwB,CAAC;IAC5E,CAAC;CACF"}

package/dist/apps/control-plane/mcp/tool-authorizer.d.ts

@@ -0,0 +1,8 @@
+import type { LoadedToolRegistry } from './runtime-types.js';
+export declare class ToolAuthorizer {
+    readonly policyRbac: Record<string, string[]>;
+    readonly registry: LoadedToolRegistry;
+    constructor(policyRbac: Record<string, string[]>, registry: LoadedToolRegistry);
+    isAuthorized(actorType: string, toolName: string): boolean;
+    private assertPolicyIntersectionIsValid;
+}

package/dist/apps/control-plane/mcp/tool-authorizer.js

@@ -0,0 +1,36 @@
+export class ToolAuthorizer {
+    policyRbac;
+    registry;
+    constructor(policyRbac = {}, registry) {
+        this.policyRbac = policyRbac;
+        this.registry = registry;
+        this.assertPolicyIntersectionIsValid();
+    }
+    isAuthorized(actorType, toolName) {
+        const tool = this.registry.toolsByName.get(toolName);
+        if (!tool) {
+            return false;
+        }
+        const policyAllowlist = this.policyRbac[actorType] ?? [];
+        const policyAllows = policyAllowlist.includes('*') || policyAllowlist.includes(toolName);
+        const registryAllows = tool.supported_roles.includes(actorType);
+        return policyAllows && registryAllows;
+    }
+    assertPolicyIntersectionIsValid() {
+        for (const [role, allowlist] of Object.entries(this.policyRbac)) {
+            const effective = allowlist.includes('*')
+                ? [...this.registry.toolsByName.keys()]
+                : allowlist;
+            for (const toolName of effective) {
+                const tool = this.registry.toolsByName.get(toolName);
+                if (!tool) {
+                    throw new Error(`policy_references_unknown_tool:${role}:${toolName}`);
+                }
+                if (!tool.supported_roles.includes(role)) {
+                    throw new Error(`policy_role_outside_supported_roles:${role}:${toolName}`);
+                }
+            }
+        }
+    }
+}
+//# sourceMappingURL=tool-authorizer.js.map

package/dist/apps/control-plane/mcp/tool-authorizer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tool-authorizer.js","sourceRoot":"","sources":["../../../../apps/control-plane/src/mcp/tool-authorizer.ts"],"names":[],"mappings":"AAEA,MAAM,OAAO,cAAc;IAChB,UAAU,CAA2B;IACrC,QAAQ,CAAqB;IAEtC,YAAY,aAAuC,EAAE,EAAE,QAA4B;QACjF,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC;QAC7B,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QACzB,IAAI,CAAC,+BAA+B,EAAE,CAAC;IACzC,CAAC;IAED,YAAY,CAAC,SAAiB,EAAE,QAAgB;QAC9C,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QACrD,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,OAAO,KAAK,CAAC;QACf,CAAC;QAED,MAAM,eAAe,GAAG,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC;QACzD,MAAM,YAAY,GAAG,eAAe,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,eAAe,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QACzF,MAAM,cAAc,GAAG,IAAI,CAAC,eAAe,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;QAChE,OAAO,YAAY,IAAI,cAAc,CAAC;IACxC,CAAC;IAEO,+BAA+B;QACrC,KAAK,MAAM,CAAC,IAAI,EAAE,SAAS,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC;YAChE,MAAM,SAAS,GAAG,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC;gBACvC,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,EAAE,CAAC;gBACvC,CAAC,CAAC,SAAS,CAAC;YAEd,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;gBACjC,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;gBACrD,IAAI,CAAC,IAAI,EAAE,CAAC;oBACV,MAAM,IAAI,KAAK,CAAC,kCAAkC,IAAI,IAAI,QAAQ,EAAE,CAAC,CAAC;gBACxE,CAAC;gBAED,IAAI,CAAC,IAAI,CAAC,eAAe,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;oBACzC,MAAM,IAAI,KAAK,CAAC,uCAAuC,IAAI,IAAI,QAAQ,EAAE,CAAC,CAAC;gBAC7E,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;CACF"}

package/dist/apps/control-plane/mcp/tool-client.d.ts

@@ -0,0 +1,30 @@
+import type { ToolResponse } from '../core/response.js';
+import type { ToolDescriptor } from './transport-types.js';
+import { type McpServerAdapter } from './mcp-server-adapter.js';
+import { type TokenAuthVerifier } from './token-auth-verifier.js';
+import { type ToolRuntime } from './tool-runtime.js';
+export interface ToolClientIdentity {
+    run_id: string;
+    session_id: string;
+    actor_type: string;
+    actor_id: string;
+    feature_scope?: string[];
+}
+export interface ToolClient {
+    listTools(): Promise<ToolDescriptor[]>;
+    call(toolName: string, args: Record<string, unknown>, identity: ToolClientIdentity): Promise<ToolResponse>;
+}
+export declare class InProcessToolClient implements ToolClient {
+    readonly runtime: ToolRuntime;
+    constructor(runtime: ToolRuntime);
+    listTools(): Promise<ToolDescriptor[]>;
+    call(toolName: string, args: Record<string, unknown>, identity: ToolClientIdentity): Promise<ToolResponse>;
+}
+export declare class McpToolClient implements ToolClient {
+    readonly adapter: McpServerAdapter;
+    readonly authVerifier: TokenAuthVerifier;
+    constructor(adapter: McpServerAdapter, authVerifier: TokenAuthVerifier);
+    listTools(): Promise<ToolDescriptor[]>;
+    call(toolName: string, args: Record<string, unknown>, identity: ToolClientIdentity): Promise<ToolResponse>;
+}
+export declare function createOperationId(toolName: string, featureId?: string): string;

package/dist/apps/control-plane/mcp/tool-client.js

@@ -0,0 +1,50 @@
+import crypto from 'node:crypto';
+function toVerifiedClaims(identity) {
+    const now = new Date();
+    return {
+        ...identity,
+        issued_at: now.toISOString(),
+        expires_at: new Date(now.getTime() + 15 * 60 * 1000).toISOString()
+    };
+}
+export class InProcessToolClient {
+    runtime;
+    constructor(runtime) {
+        this.runtime = runtime;
+    }
+    async listTools() {
+        return await this.runtime.listTools();
+    }
+    async call(toolName, args, identity) {
+        return await this.runtime.callTool(toolName, args, toVerifiedClaims(identity));
+    }
+}
+export class McpToolClient {
+    adapter;
+    authVerifier;
+    constructor(adapter, authVerifier) {
+        this.adapter = adapter;
+        this.authVerifier = authVerifier;
+    }
+    async listTools() {
+        const response = await this.adapter.toolsList();
+        return response.tools;
+    }
+    async call(toolName, args, identity) {
+        const token = this.authVerifier.issueToken(identity);
+        return await this.adapter.toolsCall({
+            name: toolName,
+            arguments: args,
+            session_token: token
+        });
+    }
+}
+export function createOperationId(toolName, featureId) {
+    const parts = [toolName.replace(/[^a-zA-Z0-9]/g, '_')];
+    if (featureId) {
+        parts.push(featureId.replace(/[^a-zA-Z0-9_-]/g, '_'));
+    }
+    parts.push(crypto.randomUUID());
+    return parts.join('__');
+}
+//# sourceMappingURL=tool-client.js.map

package/dist/apps/control-plane/mcp/tool-client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tool-client.js","sourceRoot":"","sources":["../../../../apps/control-plane/src/mcp/tool-client.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,aAAa,CAAC;AAqBjC,SAAS,gBAAgB,CAAC,QAA4B;IACpD,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;IACvB,OAAO;QACL,GAAG,QAAQ;QACX,SAAS,EAAE,GAAG,CAAC,WAAW,EAAE;QAC5B,UAAU,EAAE,IAAI,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE;KACnE,CAAC;AACJ,CAAC;AAED,MAAM,OAAO,mBAAmB;IACrB,OAAO,CAAc;IAE9B,YAAY,OAAoB;QAC9B,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;IACzB,CAAC;IAED,KAAK,CAAC,SAAS;QACb,OAAO,MAAM,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,CAAC;IACxC,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,QAAgB,EAAE,IAA6B,EAAE,QAA4B;QACtF,OAAO,MAAM,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,EAAE,IAAI,EAAE,gBAAgB,CAAC,QAAQ,CAAC,CAAC,CAAC;IACjF,CAAC;CACF;AAED,MAAM,OAAO,aAAa;IACf,OAAO,CAAmB;IAC1B,YAAY,CAAoB;IAEzC,YAAY,OAAyB,EAAE,YAA+B;QACpE,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;QACvB,IAAI,CAAC,YAAY,GAAG,YAAY,CAAC;IACnC,CAAC;IAED,KAAK,CAAC,SAAS;QACb,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,CAAC;QAChD,OAAO,QAAQ,CAAC,KAAK,CAAC;IACxB,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,QAAgB,EAAE,IAA6B,EAAE,QAA4B;QACtF,MAAM,KAAK,GAAG,IAAI,CAAC,YAAY,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;QACrD,OAAO,MAAM,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC;YAClC,IAAI,EAAE,QAAQ;YACd,SAAS,EAAE,IAAI;YACf,aAAa,EAAE,KAAK;SACrB,CAAC,CAAC;IACL,CAAC;CACF;AAED,MAAM,UAAU,iBAAiB,CAAC,QAAgB,EAAE,SAAkB;IACpE,MAAM,KAAK,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,eAAe,EAAE,GAAG,CAAC,CAAC,CAAC;IACvD,IAAI,SAAS,EAAE,CAAC;QACd,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,iBAAiB,EAAE,GAAG,CAAC,CAAC,CAAC;IACxD,CAAC;IACD,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,UAAU,EAAE,CAAC,CAAC;IAChC,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC"}

package/dist/apps/control-plane/mcp/tool-contract-validator.d.ts

@@ -0,0 +1,29 @@
+import type { ErrorObject, ValidateFunction } from 'ajv';
+import type { LoadedToolRegistry, ToolCatalogEntry } from './runtime-types.js';
+import { type ToolRegistryLoader } from './tool-registry-loader.js';
+interface AjvInstance {
+    compile(schema: Record<string, unknown>): ValidateFunction;
+}
+export declare class ToolContractValidator {
+    readonly loader: ToolRegistryLoader;
+    readonly registry: LoadedToolRegistry;
+    readonly ajv: AjvInstance;
+    readonly validators: Map<string, ValidateFunction>;
+    readonly errorsValidator: ValidateFunction;
+    private constructor();
+    static create(loader: ToolRegistryLoader, registry: LoadedToolRegistry): Promise<ToolContractValidator>;
+    validateInput(tool: ToolCatalogEntry, payload: unknown): Promise<{
+        valid: boolean;
+        errors: ErrorObject[];
+    }>;
+    validateOutput(tool: ToolCatalogEntry, payload: unknown): Promise<{
+        valid: boolean;
+        errors: ErrorObject[];
+    }>;
+    validateErrorEnvelope(response: unknown): {
+        valid: boolean;
+        errors: ErrorObject[];
+    };
+    private getOrCompile;
+}
+export {};

package/dist/apps/control-plane/mcp/tool-contract-validator.js

@@ -0,0 +1,61 @@
+import path from 'node:path';
+import Ajv2020Import from 'ajv/dist/2020.js';
+function createAjvInstance() {
+    const Ajv2020Ctor = Ajv2020Import;
+    return new Ajv2020Ctor({ allErrors: true, strict: false });
+}
+export class ToolContractValidator {
+    loader;
+    registry;
+    ajv;
+    validators;
+    errorsValidator;
+    constructor(loader, registry, ajv, errorsValidator) {
+        this.loader = loader;
+        this.registry = registry;
+        this.ajv = ajv;
+        this.validators = new Map();
+        this.errorsValidator = errorsValidator;
+    }
+    static async create(loader, registry) {
+        const ajv = createAjvInstance();
+        const errorsSchema = await loader.readErrorsSchema();
+        const errorsValidator = ajv.compile(errorsSchema);
+        return new ToolContractValidator(loader, registry, ajv, errorsValidator);
+    }
+    async validateInput(tool, payload) {
+        const validator = await this.getOrCompile(tool.input_schema_ref);
+        const valid = validator(payload);
+        return {
+            valid: Boolean(valid),
+            errors: valid ? [] : ((validator.errors ?? []))
+        };
+    }
+    async validateOutput(tool, payload) {
+        const validator = await this.getOrCompile(tool.output_schema_ref);
+        const valid = validator(payload);
+        return {
+            valid: Boolean(valid),
+            errors: valid ? [] : ((validator.errors ?? []))
+        };
+    }
+    validateErrorEnvelope(response) {
+        const valid = this.errorsValidator(response);
+        return {
+            valid: Boolean(valid),
+            errors: valid ? [] : ((this.errorsValidator.errors ?? []))
+        };
+    }
+    async getOrCompile(schemaRef) {
+        const absolute = path.resolve(this.registry.toolsRoot, schemaRef);
+        const existing = this.validators.get(absolute);
+        if (existing) {
+            return existing;
+        }
+        const schema = await this.loader.readSchemaByRef(schemaRef);
+        const validator = this.ajv.compile(schema);
+        this.validators.set(absolute, validator);
+        return validator;
+    }
+}
+//# sourceMappingURL=tool-contract-validator.js.map

package/dist/apps/control-plane/mcp/tool-contract-validator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tool-contract-validator.js","sourceRoot":"","sources":["../../../../apps/control-plane/src/mcp/tool-contract-validator.ts"],"names":[],"mappings":"AAAA,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,aAAa,MAAM,kBAAkB,CAAC;AAS7C,SAAS,iBAAiB;IACxB,MAAM,WAAW,GAAG,aAEJ,CAAC;IACjB,OAAO,IAAI,WAAW,CAAC,EAAE,SAAS,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;AAC7D,CAAC;AAED,MAAM,OAAO,qBAAqB;IACvB,MAAM,CAAqB;IAC3B,QAAQ,CAAqB;IAC7B,GAAG,CAAc;IACjB,UAAU,CAAgC;IAC1C,eAAe,CAAmB;IAE3C,YACE,MAA0B,EAC1B,QAA4B,EAC5B,GAAgB,EAChB,eAAiC;QAEjC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QACzB,IAAI,CAAC,GAAG,GAAG,GAAG,CAAC;QACf,IAAI,CAAC,UAAU,GAAG,IAAI,GAAG,EAAE,CAAC;QAC5B,IAAI,CAAC,eAAe,GAAG,eAAe,CAAC;IACzC,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,MAA0B,EAAE,QAA4B;QAC1E,MAAM,GAAG,GAAG,iBAAiB,EAAE,CAAC;QAChC,MAAM,YAAY,GAAG,MAAM,MAAM,CAAC,gBAAgB,EAAE,CAAC;QACrD,MAAM,eAAe,GAAG,GAAG,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;QAClD,OAAO,IAAI,qBAAqB,CAAC,MAAM,EAAE,QAAQ,EAAE,GAAG,EAAE,eAAe,CAAC,CAAC;IAC3E,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,IAAsB,EAAE,OAAgB;QAC1D,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;QACjE,MAAM,KAAK,GAAG,SAAS,CAAC,OAAO,CAAC,CAAC;QACjC,OAAO;YACL,KAAK,EAAE,OAAO,CAAC,KAAK,CAAC;YACrB,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC;SAChD,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,cAAc,CAAC,IAAsB,EAAE,OAAgB;QAC3D,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;QAClE,MAAM,KAAK,GAAG,SAAS,CAAC,OAAO,CAAC,CAAC;QACjC,OAAO;YACL,KAAK,EAAE,OAAO,CAAC,KAAK,CAAC;YACrB,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC;SAChD,CAAC;IACJ,CAAC;IAED,qBAAqB,CAAC,QAAiB;QACrC,MAAM,KAAK,GAAG,IAAI,CAAC,eAAe,CAAC,QAAQ,CAAC,CAAC;QAC7C,OAAO;YACL,KAAK,EAAE,OAAO,CAAC,KAAK,CAAC;YACrB,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC;SAC3D,CAAC;IACJ,CAAC;IAEO,KAAK,CAAC,YAAY,CAAC,SAAiB;QAC1C,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;QAClE,MAAM,QAAQ,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC/C,IAAI,QAAQ,EAAE,CAAC;YACb,OAAO,QAAQ,CAAC;QAClB,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,eAAe,CAAC,SAAS,CAAC,CAAC;QAC5D,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAC3C,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;QACzC,OAAO,SAAS,CAAC;IACnB,CAAC;CACF"}

package/dist/apps/control-plane/mcp/tool-registry-loader.d.ts

@@ -0,0 +1,15 @@
+import type { LoadedToolRegistry } from './runtime-types.js';
+export declare class ToolRegistryLoader {
+    readonly repoRoot: string;
+    constructor(repoRoot: string);
+    get toolsRoot(): string;
+    get catalogPath(): string;
+    get protocolPath(): string;
+    get errorsSchemaPath(): string;
+    resolveSchemaPath(schemaRef: string): string;
+    load(): Promise<LoadedToolRegistry>;
+    readSchemaByRef(schemaRef: string): Promise<Record<string, unknown>>;
+    readErrorsSchema(): Promise<Record<string, unknown>>;
+    private readCatalog;
+    private readProtocol;
+}