feat(cloudflare): add @keycardai/cloudflare package #8

Merged
Larry-Osakwe merged 3 commits into main from larry/cloudflare-package
Apr 6, 2026
@Larry-Osakwe
Collaborator

Summary

  • New @keycardai/cloudflare package adapting Keycard OAuth primitives to Workers' fetch() handler model
  • Addresses security issues from Code Mode KEP (keycardlabs/keps#12): real JWT verification, per-user isolate-safe token cache, both ClientSecret and WebIdentity credential modes
  • createKeycardWorker() high-level wrapper chains metadata + auth + user handler
  • Full example in examples/cloudflare-worker/ with MCP tools and token exchange
  • 30 tests passing, builds clean, strict TypeScript

New files

  • packages/cloudflare/ — the package (auth, metadata, credentials, tokenCache, worker)
  • examples/cloudflare-worker/ — working example with README

Test plan

  • pnpm -r run build — all 4 packages build
  • pnpm --filter @keycardai/cloudflare test — 30 tests pass
  • pnpm --filter @keycardai/cloudflare typecheck — strict TS clean
  • Manual: deploy example worker to CF, verify auth flow against a Keycard zone

🤖 Generated with Claude Code

- createKeycardWorker() high-level wrapper: CORS, metadata, bearer auth, delegation
- JWT verification via @keycardai/oauth keyring (JWKS discovery + caching)
- IsolateSafeTokenCache: per-user token cache with request deduplication
- WorkersClientSecret and WorkersWebIdentity credential modes
- Extract ApplicationCredential interface to @keycardai/oauth/credentials
  so @keycardai/mcp and @keycardai/cloudflare share a single source of truth
- Full example in examples/cloudflare-worker/
- 30 tests passing, builds clean, strict TypeScript

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

@Larry-Osakwe force-pushed the larry/cloudflare-package branch from 160648c to 7b2cce1, April 2, 2026 16:16
@jerriclynsjohn self-requested a review April 6, 2026 14:29
@jerriclynsjohn jerriclynsjohn left a comment

LGTM

Larry-Osakwe and others added 2 commits April 6, 2026 11:11
- Remove dead `resource` variable in handleProtectedResourceMetadata
  (computed but never used — response already uses `baseUrl`)
- Fix audience check in verifyBearerToken to compare origin only,
  not full URL including path+query. A token scoped to
  https://example.com should validate for requests to any path
  on that origin.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@Larry-Osakwe merged commit ee87bae into main Apr 6, 2026
5 checks passed
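
The origin-only audience comparison described in the second commit message, as an added example that is not code from this pull request or from the package. The helper names `audienceOrigin` and `audienceMatchesRequest` are hypothetical, and rejecting path-scoped `aud` values (rather than widening them to their origin) is an assumption of this sketch.

```typescript
// Added example: hypothetical helpers, not the package's verifyBearerToken.
type Audience = string | string[] | undefined;

// Return the origin an `aud` entry names, or null if it is not a bare http(s) origin.
function audienceOrigin(aud: string): string | null {
  let u: URL;
  try {
    u = new URL(aud);
  } catch {
    return null; // opaque identifier, not a URL
  }
  if (u.protocol !== "https:" && u.protocol !== "http:") return null;
  // Userinfo makes "https://example.com@evil.test" look like example.com; reject it.
  if (u.username !== "" || u.password !== "") return null;
  // Assumption: path-, query- or fragment-scoped audiences are rejected, not widened to the origin.
  if (u.pathname !== "/" || u.search !== "" || u.hash !== "") return null;
  return u.origin; // lower-cased host, default port dropped
}

// True when at least one `aud` entry names the origin the request arrived on.
function audienceMatchesRequest(aud: Audience, requestUrl: string): boolean {
  if (aud === undefined) return false;
  let requestOrigin: string;
  try {
    requestOrigin = new URL(requestUrl).origin;
  } catch {
    return false;
  }
  const entries = Array.isArray(aud) ? aud : [aud];
  return entries.some((entry) => audienceOrigin(entry) === requestOrigin);
}
```

Comparing parsed origins instead of string prefixes is what keeps look-alike hosts such as `https://example.com.evil.test` from matching.
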
2 participants