idprova-mcp 0.1.1

IDProva MCP auth middleware — drop-in identity verification for MCP servers
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220

//! Multi-agent delegation chain example.
//!
//! Demonstrates a 4-agent delegation chain with progressive scope narrowing:
//!
//! 1. **Operator** issues DAT to Agent A with `mcp:tool:*:*` (all tools)
//! 2. **Agent A** re-delegates to Agent B with `mcp:tool:filesystem:*` (filesystem only)
//! 3. **Agent B** re-delegates to Agent C with `mcp:tool:filesystem:read` (read only)
//! 4. **Agent C** tries `filesystem:read` (succeeds) then `filesystem:write` (blocked)
//!
//! Full receipt chain is printed at the end.

use chrono::{Duration, Utc};
use idprova_core::crypto::KeyPair;
use idprova_core::dat::Dat;
use idprova_mcp::{McpAuth, McpReceiptLog};

/// Represents an agent in the delegation chain.
struct Agent {
    did: String,
    keypair: KeyPair,
}

impl Agent {
    fn new(name: &str) -> Self {
        Self {
            did: format!("did:aid:example.com:{name}"),
            keypair: KeyPair::generate(),
        }
    }
}

fn main() {
    println!("=== IDProva Multi-Agent Delegation Chain ===\n");

    // --- Create 4 agents ---
    let operator = Agent::new("operator");
    let agent_a = Agent::new("agent-a");
    let agent_b = Agent::new("agent-b");
    let agent_c = Agent::new("agent-c");

    let auth = McpAuth::offline();
    let mut receipts = McpReceiptLog::new();

    // --- Level 1: Operator -> Agent A (all MCP tools) ---
    println!("Level 1: {} -> {}", operator.did, agent_a.did);
    println!("  Scope: mcp:tool:*:*\n");

    let dat_a = Dat::issue(
        &operator.did,
        &agent_a.did,
        vec!["mcp:tool:*:*".to_string()],
        Utc::now() + Duration::hours(1),
        None,
        None,
        &operator.keypair,
    )
    .expect("failed to issue DAT for Agent A");
    let token_a = dat_a.to_compact().unwrap();

    // Verify Agent A can use any tool
    let verified_a = auth
        .verify_request(
            &token_a,
            "mcp:tool:search:execute",
            &operator.keypair.public_key_bytes(),
        )
        .expect("Agent A should have full tool access");
    println!(
        "  Agent A verified: aid={}, scope={:?}",
        verified_a.aid, verified_a.scope
    );
    receipts.log_tool_call(
        &verified_a.aid,
        &verified_a.jti,
        "search:execute",
        "blake3:search_input",
        Some("blake3:search_output"),
    );

    // --- Level 2: Agent A -> Agent B (filesystem only) ---
    println!("\nLevel 2: {} -> {}", agent_a.did, agent_b.did);
    println!("  Scope: mcp:tool:filesystem:* (narrowed from mcp:tool:*:*)\n");

    let dat_b = Dat::issue(
        &agent_a.did,
        &agent_b.did,
        vec!["mcp:tool:filesystem:*".to_string()],
        Utc::now() + Duration::hours(1),
        None,
        None,
        &agent_a.keypair,
    )
    .expect("failed to issue DAT for Agent B");
    let token_b = dat_b.to_compact().unwrap();

    // Verify Agent B can use filesystem tools
    let verified_b = auth
        .verify_request(
            &token_b,
            "mcp:tool:filesystem:read",
            &agent_a.keypair.public_key_bytes(),
        )
        .expect("Agent B should have filesystem access");
    println!(
        "  Agent B verified: aid={}, scope={:?}",
        verified_b.aid, verified_b.scope
    );
    receipts.log_tool_call(
        &verified_b.aid,
        &verified_b.jti,
        "filesystem:read",
        "blake3:fs_read_input",
        Some("blake3:fs_read_output"),
    );

    // --- Level 3: Agent B -> Agent C (filesystem read only) ---
    println!("\nLevel 3: {} -> {}", agent_b.did, agent_c.did);
    println!("  Scope: mcp:tool:filesystem:read (narrowed from mcp:tool:filesystem:*)\n");

    let dat_c = Dat::issue(
        &agent_b.did,
        &agent_c.did,
        vec!["mcp:tool:filesystem:read".to_string()],
        Utc::now() + Duration::hours(1),
        None,
        None,
        &agent_b.keypair,
    )
    .expect("failed to issue DAT for Agent C");
    let token_c = dat_c.to_compact().unwrap();
    let jti_c = dat_c.claims.jti.clone();

    // --- Agent C: filesystem:read (should succeed) ---
    println!("--- Agent C attempts: filesystem:read ---");
    match auth.verify_request(
        &token_c,
        "mcp:tool:filesystem:read",
        &agent_b.keypair.public_key_bytes(),
    ) {
        Ok(agent) => {
            println!("  ALLOWED: {}", agent.aid);
            receipts.log_tool_call(
                &agent.aid,
                &agent.jti,
                "filesystem:read",
                "blake3:c_read_input",
                Some("blake3:c_read_output"),
            );
        }
        Err(e) => {
            println!("  DENIED: {e}");
            receipts.log_denial(&agent_c.did, &jti_c, "filesystem:read", &e.to_string());
        }
    }

    // --- Agent C: filesystem:write (should FAIL — scope exceeded) ---
    println!("\n--- Agent C attempts: filesystem:write (exceeds scope) ---");
    match auth.verify_request(
        &token_c,
        "mcp:tool:filesystem:write",
        &agent_b.keypair.public_key_bytes(),
    ) {
        Ok(agent) => {
            println!("  ALLOWED: {} (unexpected!)", agent.aid);
            receipts.log_tool_call(
                &agent.aid,
                &agent.jti,
                "filesystem:write",
                "blake3:c_write_input",
                None,
            );
        }
        Err(e) => {
            println!("  BLOCKED: {e}");
            receipts.log_denial(&agent_c.did, &jti_c, "filesystem:write", &e.to_string());
        }
    }

    // --- Agent C: search:execute (should FAIL — not in scope at all) ---
    println!("\n--- Agent C attempts: search:execute (not in scope) ---");
    match auth.verify_request(
        &token_c,
        "mcp:tool:search:execute",
        &agent_b.keypair.public_key_bytes(),
    ) {
        Ok(agent) => {
            println!("  ALLOWED: {} (unexpected!)", agent.aid);
        }
        Err(e) => {
            println!("  BLOCKED: {e}");
            receipts.log_denial(&agent_c.did, &jti_c, "search:execute", &e.to_string());
        }
    }

    // --- Print full receipt chain ---
    println!(
        "\n=== Full Receipt Chain ({} entries) ===\n",
        receipts.len()
    );
    for (i, entry) in receipts.entries().iter().enumerate() {
        println!(
            "#{i} | agent={} | tool={} | status={}",
            entry.agent,
            entry.action.tool.as_deref().unwrap_or("n/a"),
            entry.action.status,
        );
    }

    println!();
    match receipts.verify_integrity() {
        Ok(()) => println!("Chain integrity: VALID"),
        Err(e) => println!("Chain integrity: BROKEN ({e})"),
    }

    println!("\n=== Delegation Summary ===");
    println!("Operator -> A: mcp:tool:*:*");
    println!("       A -> B: mcp:tool:filesystem:*");
    println!("       B -> C: mcp:tool:filesystem:read");
    println!("C tried write -> BLOCKED (scope narrowing enforced)");
}