remove verify mandate tool (#3)

* remove verify mandate tool

* add LICENSE file

* finish publish action for API MCP server

Author: mike-parkhill

.github/workflows/ci.yml

@@ -1,13 +1,19 @@
 name: CI
 
 on:
-  push:
   pull_request:
-
+  push:
+    branches:
+      - master
+      
 jobs:
   build:
     name: Build and Test
     runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
     strategy:
       matrix:
         node-version: [22.x]
@@ -41,3 +47,84 @@ jobs:
       - name: Run tests (mcp-shared)
         run: npm run test -- --run
         working-directory: packages/mcp-shared
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build truvera-api image for scanning
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ./apps/truvera-api/Dockerfile
+          load: true
+          tags: truvera-api-mcp:ci
+          build-args: |
+            BUILD_NUMBER=${{ github.run_number }}
+
+      - name: Scan truvera-api image for HIGH and CRITICAL vulnerabilities
+        id: trivy_scan
+        continue-on-error: true
+        uses: aquasecurity/trivy-action@v0.35.0
+        with:
+          image-ref: truvera-api-mcp:ci
+          format: table
+          output: trivy-results.txt
+          ignore-unfixed: true
+          severity: HIGH,CRITICAL
+          exit-code: '1'
+
+      - name: Add Trivy report to job summary
+        if: always()
+        run: |
+          {
+            echo "## Trivy Image Scan"
+            echo
+            if [ "${{ steps.trivy_scan.outcome }}" = "failure" ]; then
+              echo "**Status:** FAILED (HIGH/CRITICAL vulnerabilities found)"
+            else
+              echo "**Status:** PASSED (no HIGH/CRITICAL vulnerabilities found)"
+            fi
+            echo
+            echo "<details><summary>Full Trivy output</summary>"
+            echo
+            echo '```text'
+            cat trivy-results.txt
+            echo '```'
+            echo "</details>"
+          } >> "$GITHUB_STEP_SUMMARY"
+
+      - name: Generate Trivy SARIF report
+        if: always()
+        uses: aquasecurity/trivy-action@v0.35.0
+        with:
+          image-ref: truvera-api-mcp:ci
+          format: sarif
+          output: trivy-results.sarif
+          ignore-unfixed: true
+          severity: HIGH,CRITICAL
+          exit-code: '0'
+
+      - name: Upload Trivy SARIF to GitHub Security
+        id: trivy_sarif_upload
+        continue-on-error: true
+        if: always()
+        uses: github/codeql-action/upload-sarif@v4
+        with:
+          sarif_file: trivy-results.sarif
+          category: trivy-container-scan
+
+      - name: Add SARIF upload status to job summary
+        if: always()
+        run: |
+          if [ "${{ steps.trivy_sarif_upload.outcome }}" = "failure" ]; then
+            echo >> "$GITHUB_STEP_SUMMARY"
+            echo "## SARIF Upload" >> "$GITHUB_STEP_SUMMARY"
+            echo >> "$GITHUB_STEP_SUMMARY"
+            echo "SARIF upload was skipped or failed. GitHub code scanning may not be enabled for this repository." >> "$GITHUB_STEP_SUMMARY"
+          fi
+
+      - name: Fail job if Trivy found HIGH/CRITICAL issues
+        if: steps.trivy_scan.outcome == 'failure'
+        run: |
+          echo "Trivy detected HIGH/CRITICAL vulnerabilities. See job summary and Security tab for details."
+          exit 1

.github/workflows/docker-publish.yml

@@ -3,11 +3,12 @@ name: Build and Push Docker Images
 on:
   push:
     branches:
-      - main
+      - master
     paths:
       - 'apps/truvera-api/**'
       - 'packages/mcp-shared/**'
       - '.github/workflows/docker-publish.yml'
+      
   release:
     types: [published]
 
@@ -23,9 +24,13 @@ jobs:
   build-and-push:
     name: Build and Push truvera-api-mcp
     runs-on: ubuntu-latest
+    env:
+      SHOULD_PUSH: ${{ github.event_name != 'workflow_dispatch' || inputs.push }}
+      DOCKER_IMAGE: docknetwork/truvera-api-mcp
     permissions:
       contents: read
       packages: write
+      id-token: write
 
     steps:
       - name: Checkout repository
@@ -34,15 +39,21 @@ jobs:
       - name: Read build number
         id: build_number
         run: |
-          BUILD_NUM=$(cat apps/truvera-api/.buildnumber)
+          if [ -f apps/truvera-api/.buildnumber ]; then
+            BUILD_NUM=$(cat apps/truvera-api/.buildnumber)
+            echo "Using apps/truvera-api/.buildnumber"
+          else
+            BUILD_NUM="${{ github.run_number }}"
+            echo "apps/truvera-api/.buildnumber not found; using GitHub run number"
+          fi
           echo "build_number=$BUILD_NUM" >> $GITHUB_OUTPUT
           echo "Build number: $BUILD_NUM"
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
       - name: Log in to DockerHub
-        if: github.event_name != 'pull_request'
+        if: ${{ env.SHOULD_PUSH == 'true' }}
         uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKER_HUB_USERNAME }}
@@ -53,27 +64,34 @@ jobs:
         uses: docker/metadata-action@v5
         with:
           images: |
-            ${{ secrets.DOCKER_HUB_USERNAME }}/truvera-api-mcp
+            ${{ env.DOCKER_IMAGE }}
           tags: |
             type=raw,value=latest,enable={{is_default_branch}}
             type=raw,value=${{ steps.build_number.outputs.build_number }}
-            type=semver,pattern={{version}}
-            type=semver,pattern={{major}}.{{minor}}
-            type=sha,prefix={{branch}}-
+          labels: |
+            org.opencontainers.image.licenses=LicenseRef-DL-NPL
 
-      - name: Build and push Docker image
-        uses: docker/build-push-action@v5
+      - name: Build and push API Docker image
+        id: docker_build
+        uses: docker/build-push-action@v6
         with:
           context: .
           file: ./apps/truvera-api/Dockerfile
-          push: ${{ github.event_name != 'pull_request' && (github.event.inputs.push == 'true' || github.event.inputs.push == null) }}
+          push: ${{ env.SHOULD_PUSH == 'true' }}
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+          sbom: ${{ env.SHOULD_PUSH == 'true' }}
+          provenance: ${{ env.SHOULD_PUSH == 'true' }}
           build-args: |
             BUILD_NUMBER=${{ steps.build_number.outputs.build_number }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
           platforms: linux/amd64,linux/arm64
 
       - name: Image digest
+        if: ${{ env.SHOULD_PUSH == 'true' }}
         run: echo "Image pushed with digest ${{ steps.docker_build.outputs.digest }}"
+
+      - name: Image build only
+        if: ${{ env.SHOULD_PUSH != 'true' }}
+        run: echo "Image built without push because workflow_dispatch input 'push' was false"

LICENSE

@@ -0,0 +1,39 @@
+The Dock Labs Non-Production License (the “DL-NPL”)
+Copyright (c) 2024 Dock Labs AG.
+
+This software and associated documentation files (the "Software") may only be
+used in production, if you (and any entity that you represent) have agreed to,
+and are in compliance with, the Dock Labs Subscription Master Services Agreement
+(MSA), available at https://www.dock.io/master-services-agreement (the “Dock
+Terms”), or other agreement governing the use of the Software, as agreed by you
+and Dock Labs, and otherwise have a valid Dock Labs subscription that is being
+utilized as intended and for its designated purposes. 
+
+Subject to the foregoing sentence, you are free to modify this Software and
+publish patches to the Software. You agree that Dock Labs and/or its licensors
+(as applicable) retain all right, title and interest in and to all such
+modifications and/or patches, and all such modifications and/or patches may only
+be used, copied, modified, displayed, distributed, or otherwise exploited with a
+valid Dock Labs subscription that is being utilized as intended and for its
+designated purposes. Notwithstanding the foregoing, you may copy and modify the
+Software without obtaining a subscription only for non-production development
+and testing purposes. For the avoidance of doubt, non-production use solely
+consists of internal use of this software within a non-production development or
+test environment which uses fictitious data in non-durable identity credentials.
+You are not granted any other rights beyond what is expressly stated herein.
+Subject to the foregoing, it is forbidden to copy, merge, publish, distribute,
+sublicense, and/or sell the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+For all third party components incorporated into the Dock Labs Software, those
+components are licensed under the original license provided by the owner of the
+applicable component.
+
+If you have any questions or need further assistance, please contact
+support@dock.io.

apps/truvera-api/Dockerfile

@@ -1,7 +1,7 @@
 # Multi-stage build for Truvera MCP Service
 ARG BUILD_NUMBER=1
 
-FROM node:22-alpine3.21 AS builder
+FROM node:22-alpine3.23 AS builder
 
 ARG BUILD_NUMBER
 
@@ -11,9 +11,6 @@ WORKDIR /app
 RUN apk update && apk upgrade --no-cache && \
     apk add --no-cache openssl
 
-# Upgrade npm
-RUN npm install -g npm@11.6.4 --no-fund --no-audit
-
 # Copy root package files for workspace
 COPY package*.json ./
 
@@ -39,26 +36,31 @@ COPY apps/truvera-api/tsconfig.json ./apps/truvera-api/
 RUN BUILD_NUMBER=$BUILD_NUMBER npm run build --workspace=apps/truvera-api
 
 # Runtime stage
-FROM node:22-alpine3.21
+FROM node:22-alpine3.23
 
 WORKDIR /app
 
 # Upgrade system packages to fix security vulnerabilities
 RUN apk update && apk upgrade --no-cache && \
     apk add --no-cache openssl
 
-# Upgrade npm in the runtime image too (keeps logs consistent)
-RUN npm install -g npm@11.6.4 --no-fund --no-audit
-
 # Copy root package files
 COPY package*.json ./
 
+# Include repository license in the published runtime image
+COPY LICENSE /licenses/LICENSE
+
 # Copy workspace package.json files
 COPY packages/mcp-shared/package*.json ./packages/mcp-shared/
 COPY apps/truvera-api/package*.json ./apps/truvera-api/
 
 # Install production dependencies only
-RUN npm ci --workspaces --only=production
+RUN npm ci --workspaces --omit=dev
+
+# Runtime image does not need package managers; remove them to reduce attack surface
+# and avoid scanner findings from npm's bundled transitive dependencies.
+RUN rm -rf /usr/local/lib/node_modules/npm \
+  && rm -f /usr/local/bin/npm /usr/local/bin/npx
 
 # Copy built shared package from builder
 COPY --from=builder /app/packages/mcp-shared/dist ./packages/mcp-shared/dist

apps/truvera-api/README.md

@@ -162,7 +162,6 @@ The server exposes 31 tools across these areas:
 - `issue_cart_mandate` — issue a Cart Mandate for human-present transactions
 - `issue_intent_mandate` — issue an Intent Mandate for human-not-present transactions
 - `issue_payment_mandate` — issue a Payment Mandate for payment network visibility
-- `verify_mandate` — verify any AP2 mandate credential
 
 See [src/features/ap2/README.md](src/features/ap2/README.md) for full AP2 documentation.
 

apps/truvera-api/src/build-info.ts

@@ -1,6 +1,6 @@
 // Auto-generated build information
 export const BUILD_INFO = {
-  timestamp: '2026-03-25T20:03:44.614Z',
-  buildNumber: 38,
-  version: '1.0.0-build.38',
+  timestamp: '2026-04-02T20:53:22.032Z',
+  buildNumber: 40,
+  version: '1.0.0-build.40',
 };

apps/truvera-api/src/features/ap2/README.md

@@ -150,12 +150,6 @@ Note: This tool currently emits the repository's bundled Payment Mandate profile
 - `refund_period_days`: Refund eligibility period
 - `user_authorization`: Optional user authorization signature/token. If omitted, the server currently inserts a placeholder string so the credential matches the published Payment Mandate schema.
 
-### `verify_mandate`
-Verify an AP2 mandate credential.
-
-**Required Parameters:**
-- `credential_id`: ID of the mandate credential to verify
-
 ## Architecture
 
 ### Features
@@ -185,7 +179,6 @@ ap2/
 2. **Tool Registration**: AP2 tools are registered with dynamic descriptions including schema URLs
 3. **Issuance**: When a tool is called, AP2Client constructs the mandate structure and issues it as a VC via Truvera API
 4. **Storage**: The issued VC (mandate) can be stored in wallet-server like any other credential
-5. **Verification**: Mandates can be verified using the `verify_mandate` tool
 
 ## Testing
 

apps/truvera-api/src/features/ap2/client.ts

@@ -450,16 +450,4 @@ export class AP2Client {
     return this.routeIssuance(credentialData, request.subject_did);
   }
 
-  /**
-   * Verify a mandate credential
-   * @param credential - The full W3C Verifiable Credential document (not just the ID)
-   */
-  async verifyMandate(credential: unknown) {
-    // Verify the credential directly
-    return this.truveraClient.request({
-      method: "POST",
-      endpoint: "/verify",
-      body: credential,
-    });
-  }
 }

apps/truvera-api/src/features/ap2/schemas.ts

@@ -225,20 +225,6 @@ export const components = {
       ],
     },
 
-    /**
-     * Verify Mandate Request
-     */
-    VerifyMandateRequest: {
-      type: "object",
-      description: "Verify an AP2 mandate credential using the Truvera API",
-      properties: {
-        credential_id: {
-          type: "string",
-          description: "ID of the mandate credential to verify",
-        },
-      },
-      required: ["credential_id"],
-    },
   },
 };