@kya-os/contracts 1.3.2 → 1.3.3

package/dist/agentshield-api/schemas.js

@@ -0,0 +1,92 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.revokeDelegationAPIResponseSchema = exports.revokeDelegationResponseSchema = exports.revokeDelegationRequestSchema = exports.createDelegationAPIResponseSchema = exports.createDelegationResponseSchema = exports.createDelegationRequestSchema = exports.toolProtectionConfigAPIResponseSchema = exports.toolProtectionConfigResponseSchema = exports.agentShieldToolProtectionSchema = exports.verifyDelegationAPIResponseSchema = exports.verifyDelegationResponseSchema = exports.verifyDelegationRequestSchema = exports.delegationCredentialSchema = exports.proofSubmissionResponseSchema = exports.proofSubmissionRequestSchema = exports.agentShieldAPIResponseSchema = exports.agentShieldAPIErrorSchema = void 0;
+const zod_1 = require("zod");
+const proof_js_1 = require("../proof.js");
+const index_js_1 = require("../delegation/index.js");
+exports.agentShieldAPIErrorSchema = zod_1.z.object({
+    code: zod_1.z.string(),
+    message: zod_1.z.string(),
+    details: zod_1.z.record(zod_1.z.unknown()).optional(),
+});
+const agentShieldAPIResponseSchema = (dataSchema) => zod_1.z.object({
+    success: zod_1.z.boolean(),
+    data: dataSchema,
+    metadata: zod_1.z.object({
+        requestId: zod_1.z.string(),
+        timestamp: zod_1.z.string(),
+    }).optional(),
+});
+exports.agentShieldAPIResponseSchema = agentShieldAPIResponseSchema;
+exports.proofSubmissionRequestSchema = zod_1.z.object({
+    delegation_id: zod_1.z.string().uuid().nullable(),
+    session_id: zod_1.z.string().uuid(),
+    proofs: zod_1.z.array(proof_js_1.DetachedProofSchema).min(1),
+});
+exports.proofSubmissionResponseSchema = zod_1.z.object({
+    success: zod_1.z.boolean(),
+    received: zod_1.z.number().int().min(0),
+    processed: zod_1.z.number().int().min(0),
+    errors: zod_1.z.array(zod_1.z.object({
+        proofId: zod_1.z.string(),
+        error: zod_1.z.string(),
+    })).optional(),
+});
+exports.delegationCredentialSchema = zod_1.z.object({
+    agent_did: zod_1.z.string(),
+    user_id: zod_1.z.string().optional(),
+    user_identifier: zod_1.z.string().optional(),
+    scopes: zod_1.z.array(zod_1.z.string()),
+    constraints: zod_1.z.record(zod_1.z.unknown()).optional(),
+    issued_at: zod_1.z.number().int().positive(),
+    created_at: zod_1.z.number().int().positive(),
+});
+exports.verifyDelegationRequestSchema = zod_1.z.object({
+    agent_did: zod_1.z.string(),
+    scopes: zod_1.z.array(zod_1.z.string()).min(1),
+    timestamp: zod_1.z.number().int().positive().optional(),
+    client_info: zod_1.z.object({
+        ip_address: zod_1.z.string().ip().optional(),
+        origin: zod_1.z.string().url().optional(),
+        user_agent: zod_1.z.string().optional(),
+    }).optional(),
+});
+exports.verifyDelegationResponseSchema = zod_1.z.object({
+    valid: zod_1.z.boolean(),
+    delegation: index_js_1.DelegationRecordSchema.optional(),
+    delegation_id: zod_1.z.string().uuid().optional(),
+    credential: exports.delegationCredentialSchema.optional(),
+    error: exports.agentShieldAPIErrorSchema.optional(),
+    reason: zod_1.z.string().optional(),
+});
+exports.verifyDelegationAPIResponseSchema = (0, exports.agentShieldAPIResponseSchema)(exports.verifyDelegationResponseSchema);
+exports.agentShieldToolProtectionSchema = zod_1.z.object({
+    scopes: zod_1.z.array(zod_1.z.string()),
+    requires_delegation: zod_1.z.boolean().optional(),
+    requiresDelegation: zod_1.z.boolean().optional(),
+    required_scopes: zod_1.z.array(zod_1.z.string()).optional(),
+}).passthrough();
+exports.toolProtectionConfigResponseSchema = zod_1.z.object({
+    agent_did: zod_1.z.string(),
+    tools: zod_1.z.record(zod_1.z.string(), exports.agentShieldToolProtectionSchema),
+    reputation_threshold: zod_1.z.number().min(0).max(1).optional(),
+    denied_agents: zod_1.z.array(zod_1.z.string()).optional(),
+});
+exports.toolProtectionConfigAPIResponseSchema = (0, exports.agentShieldAPIResponseSchema)(exports.toolProtectionConfigResponseSchema);
+exports.createDelegationRequestSchema = zod_1.z.object({
+    delegation: index_js_1.DelegationRecordSchema,
+});
+exports.createDelegationResponseSchema = zod_1.z.object({
+    delegation_id: zod_1.z.string().uuid(),
+    delegation: index_js_1.DelegationRecordSchema,
+});
+exports.createDelegationAPIResponseSchema = (0, exports.agentShieldAPIResponseSchema)(exports.createDelegationResponseSchema);
+exports.revokeDelegationRequestSchema = zod_1.z.object({
+    reason: zod_1.z.string().optional(),
+});
+exports.revokeDelegationResponseSchema = zod_1.z.object({
+    delegation_id: zod_1.z.string().uuid(),
+    revoked: zod_1.z.boolean(),
+    revoked_at: zod_1.z.number().int().positive(),
+});
+exports.revokeDelegationAPIResponseSchema = (0, exports.agentShieldAPIResponseSchema)(exports.revokeDelegationResponseSchema);

package/dist/agentshield-api/types.d.ts

@@ -0,0 +1,92 @@
+import type { DetachedProof } from '../proof.js';
+import type { DelegationRecord } from '../delegation/index.js';
+export interface AgentShieldAPIResponse<T> {
+    success: boolean;
+    data: T;
+    metadata?: {
+        requestId: string;
+        timestamp: string;
+    };
+}
+export interface AgentShieldAPIErrorResponse {
+    code: string;
+    message: string;
+    details?: Record<string, unknown>;
+}
+export interface ProofSubmissionRequest {
+    delegation_id: string | null;
+    session_id: string;
+    proofs: DetachedProof[];
+}
+export interface ProofSubmissionResponse {
+    success: boolean;
+    received: number;
+    processed: number;
+    errors?: Array<{
+        proofId: string;
+        error: string;
+    }>;
+}
+export interface VerifyDelegationRequest {
+    agent_did: string;
+    scopes: string[];
+    timestamp?: number;
+    client_info?: {
+        ip_address?: string;
+        origin?: string;
+        user_agent?: string;
+    };
+}
+export interface DelegationCredential {
+    agent_did: string;
+    user_id?: string;
+    user_identifier?: string;
+    scopes: string[];
+    constraints?: Record<string, unknown>;
+    issued_at: number;
+    created_at: number;
+}
+export interface VerifyDelegationResponse {
+    valid: boolean;
+    delegation?: DelegationRecord;
+    delegation_id?: string;
+    credential?: DelegationCredential;
+    error?: AgentShieldAPIErrorResponse;
+    reason?: string;
+}
+export type VerifyDelegationAPIResponse = AgentShieldAPIResponse<VerifyDelegationResponse>;
+export interface AgentShieldToolProtection {
+    scopes: string[];
+    requires_delegation?: boolean;
+    requiresDelegation?: boolean;
+    required_scopes?: string[];
+}
+export interface ToolProtectionConfigResponse {
+    agent_did: string;
+    tools: Record<string, AgentShieldToolProtection>;
+    reputation_threshold?: number;
+    denied_agents?: string[];
+}
+export type ToolProtectionConfigAPIResponse = AgentShieldAPIResponse<ToolProtectionConfigResponse>;
+export interface CreateDelegationRequest {
+    delegation: DelegationRecord;
+}
+export interface CreateDelegationResponse {
+    delegation_id: string;
+    delegation: DelegationRecord;
+}
+export type CreateDelegationAPIResponse = AgentShieldAPIResponse<CreateDelegationResponse>;
+export interface RevokeDelegationRequest {
+    reason?: string;
+}
+export interface RevokeDelegationResponse {
+    delegation_id: string;
+    revoked: boolean;
+    revoked_at: number;
+}
+export type RevokeDelegationAPIResponse = AgentShieldAPIResponse<RevokeDelegationResponse>;
+export declare class AgentShieldAPIError extends Error {
+    readonly code: string;
+    readonly details?: Record<string, unknown> | undefined;
+    constructor(code: string, message: string, details?: Record<string, unknown> | undefined);
+}

package/dist/agentshield-api/types.js

@@ -0,0 +1,12 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AgentShieldAPIError = void 0;
+class AgentShieldAPIError extends Error {
+    constructor(code, message, details) {
+        super(message);
+        this.code = code;
+        this.details = details;
+        this.name = 'AgentShieldAPIError';
+    }
+}
+exports.AgentShieldAPIError = AgentShieldAPIError;

package/dist/cli.d.ts

@@ -1,8 +1,5 @@
 import { z } from "zod";
-/**
- * CLI command schemas and results
- */
-export declare const IdentityConfigSchema: z.ZodEffects<z.ZodEffects<z.ZodObject<{
+export declare const CLIIdentityFileSchema: z.ZodEffects<z.ZodEffects<z.ZodObject<{
     version: z.ZodLiteral<"1.0">;
     did: z.ZodString;
     kid: z.ZodOptional<z.ZodString>;
@@ -342,7 +339,7 @@ export declare const ScaffolderResultSchema: z.ZodObject<{
     identityEnabled: boolean;
     warnings?: string[] | undefined;
 }>;
-export type IdentityConfig = z.infer<typeof IdentityConfigSchema>;
+export type CLIIdentityFile = z.infer<typeof CLIIdentityFileSchema>;
 export type KeyRotationResult = z.infer<typeof KeyRotationResultSchema>;
 export type StatusReport = z.infer<typeof StatusReportSchema>;
 export type PackageInfo = z.infer<typeof PackageInfoSchema>;
@@ -353,6 +350,7 @@ export type CacheInfo = z.infer<typeof CacheInfoSchema>;
 export type DoctorResult = z.infer<typeof DoctorResultSchema>;
 export type ScaffolderOptions = z.infer<typeof ScaffolderOptionsSchema>;
 export type ScaffolderResult = z.infer<typeof ScaffolderResultSchema>;
+export type IdentityConfig = CLIIdentityFile;
 export declare const ERROR_CODES: {
     readonly XMCP_I_EBADPROOF: "XMCP_I_EBADPROOF";
     readonly XMCP_I_ENOIDENTITY: "XMCP_I_ENOIDENTITY";
@@ -375,4 +373,3 @@ export declare const CLI_EXIT_CODES: {
     readonly CONFIG: 25;
     readonly RUNTIME: 26;
 };
-//# sourceMappingURL=cli.d.ts.map

package/dist/cli.js

@@ -1,14 +1,10 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.CLI_EXIT_CODES = exports.ERROR_CODES = exports.ScaffolderResultSchema = exports.ScaffolderOptionsSchema = exports.DoctorResultSchema = exports.CacheInfoSchema = exports.KTAInfoSchema = exports.EnvironmentInfoSchema = exports.XMCPUpstreamInfoSchema = exports.PackageInfoSchema = exports.StatusReportSchema = exports.KeyRotationResultSchema = exports.IdentityConfigSchema = void 0;
+exports.CLI_EXIT_CODES = exports.ERROR_CODES = exports.ScaffolderResultSchema = exports.ScaffolderOptionsSchema = exports.DoctorResultSchema = exports.CacheInfoSchema = exports.KTAInfoSchema = exports.EnvironmentInfoSchema = exports.XMCPUpstreamInfoSchema = exports.PackageInfoSchema = exports.StatusReportSchema = exports.KeyRotationResultSchema = exports.CLIIdentityFileSchema = void 0;
 const zod_1 = require("zod");
-/**
- * CLI command schemas and results
- */
-exports.IdentityConfigSchema = zod_1.z.object({
+exports.CLIIdentityFileSchema = zod_1.z.object({
     version: zod_1.z.literal("1.0"),
     did: zod_1.z.string().min(1),
-    // Accept both kid and keyId for backward compatibility with pre-1.3 identity files
     kid: zod_1.z.string().min(1).optional(),
     keyId: zod_1.z.string().min(1).optional(),
     privateKey: zod_1.z.string().regex(/^[A-Za-z0-9+/]{43}=$/, "Must be a valid base64-encoded Ed25519 private key (44 characters)"),
@@ -38,7 +34,7 @@ exports.KeyRotationResultSchema = zod_1.z.object({
 });
 exports.StatusReportSchema = zod_1.z.object({
     did: zod_1.z.string().min(1),
-    kid: zod_1.z.string().min(1), // Changed from keyId to kid for spec compliance
+    kid: zod_1.z.string().min(1),
     ktaURL: zod_1.z.string().url(),
     mirrorStatus: zod_1.z.enum(["pending", "success", "error"]),
     lastHandshake: zod_1.z.number().int().positive().optional(),
@@ -90,7 +86,6 @@ exports.ScaffolderResultSchema = zod_1.z.object({
     identityEnabled: zod_1.z.boolean(),
     warnings: zod_1.z.array(zod_1.z.string()).optional(),
 });
-// Error codes as string literal union
 exports.ERROR_CODES = {
     XMCP_I_EBADPROOF: "XMCP_I_EBADPROOF",
     XMCP_I_ENOIDENTITY: "XMCP_I_ENOIDENTITY",
@@ -101,7 +96,6 @@ exports.ERROR_CODES = {
     XMCP_I_ECONFIG: "XMCP_I_ECONFIG",
     XMCP_I_ERUNTIME: "XMCP_I_ERUNTIME",
 };
-// CLI exit codes
 exports.CLI_EXIT_CODES = {
     SUCCESS: 0,
     GENERAL_ERROR: 1,
@@ -113,4 +107,3 @@ exports.CLI_EXIT_CODES = {
     CONFIG: 25,
     RUNTIME: 26,
 };
-//# sourceMappingURL=cli.js.map

package/dist/config/base.d.ts

@@ -0,0 +1,19 @@
+export interface MCPIBaseConfig {
+    environment: 'development' | 'production';
+    session?: {
+        timestampSkewSeconds?: number;
+        ttlMinutes?: number;
+        absoluteLifetime?: number;
+    };
+    audit?: {
+        enabled: boolean;
+        includeProofHashes?: boolean;
+        includePayloads?: boolean;
+        logFunction?: (record: string) => void;
+    };
+    wellKnown?: {
+        enabled: boolean;
+        serviceName?: string;
+        serviceEndpoint?: string;
+    };
+}

package/dist/config/base.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/config/delegation.d.ts

@@ -0,0 +1,46 @@
+export type DelegationVerifierType = 'agentshield' | 'kta' | 'memory' | 'cloudflare-kv' | 'redis' | 'dynamodb' | 'custom';
+export interface DelegationVerifierConfig {
+    type: DelegationVerifierType;
+    apiUrl?: string;
+    apiKey?: string;
+    cacheTtl?: number;
+    customVerifier?: {
+        verify: (agentDid: string, scopes: string[]) => Promise<boolean>;
+        invalidate?: (agentDid: string) => Promise<void>;
+    };
+    options?: Record<string, unknown>;
+}
+export interface AuthorizationConfig {
+    authorizationUrl?: string;
+    kta?: {
+        apiUrl: string;
+        apiKey?: string;
+    };
+    minReputationScore?: number;
+    resumeTokenTtl?: number;
+    requireAuthForUnknown?: boolean;
+    buildAuthUrl?: (toolName: string, scopes: string[], context: any) => string;
+}
+export interface DelegationConfig {
+    enabled: boolean;
+    enforceDelegations?: boolean;
+    verifier: DelegationVerifierConfig;
+    authorization?: AuthorizationConfig;
+    debug?: boolean;
+}
+export interface DelegationRecord {
+    id: string;
+    userId: string;
+    agentDid: string;
+    scopes: string[];
+    createdAt: string;
+    expiresAt?: string;
+    revoked?: boolean;
+    constraints?: {
+        allowedIps?: string[];
+        allowedOrigins?: string[];
+        maxUses?: number;
+        currentUses?: number;
+        [key: string]: unknown;
+    };
+}

package/dist/config/delegation.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/config/identity.d.ts

@@ -0,0 +1,22 @@
+export interface RuntimeIdentityConfig {
+    enabled: boolean;
+    environment: 'development' | 'production';
+    production?: {
+        privateKeyEnv?: string;
+        publicKeyEnv?: string;
+        didEnv?: string;
+    };
+    privacyMode?: boolean;
+    debug?: boolean;
+}
+export interface AgentIdentity {
+    did: string;
+    publicKey: string;
+    privateKey: string;
+    createdAt: string;
+    metadata?: {
+        name?: string;
+        version?: string;
+        [key: string]: unknown;
+    };
+}

package/dist/config/identity.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/config/index.d.ts

@@ -0,0 +1,17 @@
+import type { MCPIBaseConfig } from './base.js';
+import type { RuntimeIdentityConfig } from './identity.js';
+import type { ProofingConfig } from './proofing.js';
+import type { DelegationConfig } from './delegation.js';
+import type { ToolProtectionSourceConfig } from './tool-protection.js';
+export { MCPIBaseConfig } from './base.js';
+export { RuntimeIdentityConfig, AgentIdentity } from './identity.js';
+export type IdentityConfig = RuntimeIdentityConfig;
+export { ProofingConfig, ProofBatchQueueConfig, ProofDestination, ProofDestinationType } from './proofing.js';
+export { DelegationConfig, DelegationVerifierConfig, DelegationVerifierType, AuthorizationConfig, DelegationRecord } from './delegation.js';
+export { ToolProtection, ToolProtectionMap, ToolProtectionSourceConfig, ToolProtectionSourceType, ToolProtectionServiceConfig, DelegationRequiredErrorData, ToolProtectionResponse } from './tool-protection.js';
+export interface MCPIConfig extends MCPIBaseConfig {
+    identity?: RuntimeIdentityConfig;
+    proofing?: ProofingConfig;
+    delegation?: DelegationConfig;
+    toolProtection?: ToolProtectionSourceConfig;
+}

package/dist/config/index.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/config/proofing.d.ts

@@ -0,0 +1,26 @@
+export type ProofDestinationType = 'agentshield' | 'kta' | 'custom';
+export interface ProofDestination {
+    type: ProofDestinationType;
+    apiUrl?: string;
+    apiKey?: string;
+    submit?: (proofs: any[]) => Promise<void>;
+    options?: Record<string, unknown>;
+}
+export interface ProofBatchQueueConfig {
+    destinations: ProofDestination[];
+    maxBatchSize?: number;
+    flushIntervalMs?: number;
+    maxRetries?: number;
+    retryBackoff?: number;
+    debug?: boolean;
+}
+export interface ProofingConfig {
+    enabled: boolean;
+    batchQueue?: ProofBatchQueueConfig;
+    includeMetadata?: boolean;
+    options?: {
+        includeTimestamp?: boolean;
+        includeSession?: boolean;
+        customFields?: Record<string, unknown>;
+    };
+}

package/dist/config/proofing.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/config/tool-protection.d.ts

@@ -0,0 +1,36 @@
+import type { ToolProtection as BaseToolProtection, ToolProtectionMap as BaseToolProtectionMap, DelegationRequiredErrorData as BaseDelegationRequiredErrorData, ToolProtectionResponse as BaseToolProtectionResponse } from '../tool-protection/index.js';
+export type ToolProtection = BaseToolProtection;
+export type ToolProtectionMap = BaseToolProtectionMap;
+export type DelegationRequiredErrorData = BaseDelegationRequiredErrorData;
+export type ToolProtectionResponse = BaseToolProtectionResponse;
+export type ToolProtectionSourceType = 'inline' | 'local' | 'agentshield' | 'kta' | 'multi';
+export interface ToolProtectionSourceConfig {
+    source: ToolProtectionSourceType;
+    inline?: BaseToolProtectionMap;
+    localFile?: string;
+    agentShield?: {
+        apiUrl: string;
+        apiKey?: string;
+        projectId?: string;
+        cacheTtl?: number;
+    };
+    kta?: {
+        apiUrl: string;
+        apiKey?: string;
+    };
+    sources?: Array<{
+        config: Omit<ToolProtectionSourceConfig, 'source' | 'sources'>;
+        priority?: number;
+        exclusive?: boolean;
+    }>;
+    fallback?: BaseToolProtectionMap;
+    debug?: boolean;
+}
+export interface ToolProtectionServiceConfig {
+    apiUrl: string;
+    apiKey: string;
+    projectId?: string;
+    cacheTtl?: number;
+    fallbackConfig?: BaseToolProtectionMap;
+    debug?: boolean;
+}

package/dist/config/tool-protection.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });