@kya-os/contracts 1.5.2-canary.4 → 1.5.2-canary.5

package/dist/proof.d.ts

@@ -0,0 +1,414 @@
+import { z } from "zod";
+/**
+ * Proof and signature schemas for MCP-I
+ *
+ * Note: The type name "DetachedProof" is maintained for backward compatibility,
+ * but the JWS format is actually FULL compact JWS (header.payload.signature),
+ * not detached format (header..signature).
+ *
+ * The JWS payload contains JWT standard claims (aud, sub, iss) plus custom
+ * proof claims (requestHash, responseHash, nonce, etc.).
+ */
+export declare const ProofMetaSchema: z.ZodObject<{
+    did: z.ZodString;
+    kid: z.ZodString;
+    ts: z.ZodNumber;
+    nonce: z.ZodString;
+    audience: z.ZodString;
+    sessionId: z.ZodString;
+    requestHash: z.ZodString;
+    responseHash: z.ZodString;
+    scopeId: z.ZodOptional<z.ZodString>;
+    delegationRef: z.ZodOptional<z.ZodString>;
+    clientDid: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    did: string;
+    kid: string;
+    nonce: string;
+    audience: string;
+    sessionId: string;
+    ts: number;
+    requestHash: string;
+    responseHash: string;
+    clientDid?: string | undefined;
+    scopeId?: string | undefined;
+    delegationRef?: string | undefined;
+}, {
+    did: string;
+    kid: string;
+    nonce: string;
+    audience: string;
+    sessionId: string;
+    ts: number;
+    requestHash: string;
+    responseHash: string;
+    clientDid?: string | undefined;
+    scopeId?: string | undefined;
+    delegationRef?: string | undefined;
+}>;
+export declare const DetachedProofSchema: z.ZodObject<{
+    jws: z.ZodString;
+    meta: z.ZodObject<{
+        did: z.ZodString;
+        kid: z.ZodString;
+        ts: z.ZodNumber;
+        nonce: z.ZodString;
+        audience: z.ZodString;
+        sessionId: z.ZodString;
+        requestHash: z.ZodString;
+        responseHash: z.ZodString;
+        scopeId: z.ZodOptional<z.ZodString>;
+        delegationRef: z.ZodOptional<z.ZodString>;
+        clientDid: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        did: string;
+        kid: string;
+        nonce: string;
+        audience: string;
+        sessionId: string;
+        ts: number;
+        requestHash: string;
+        responseHash: string;
+        clientDid?: string | undefined;
+        scopeId?: string | undefined;
+        delegationRef?: string | undefined;
+    }, {
+        did: string;
+        kid: string;
+        nonce: string;
+        audience: string;
+        sessionId: string;
+        ts: number;
+        requestHash: string;
+        responseHash: string;
+        clientDid?: string | undefined;
+        scopeId?: string | undefined;
+        delegationRef?: string | undefined;
+    }>;
+}, "strip", z.ZodTypeAny, {
+    jws: string;
+    meta: {
+        did: string;
+        kid: string;
+        nonce: string;
+        audience: string;
+        sessionId: string;
+        ts: number;
+        requestHash: string;
+        responseHash: string;
+        clientDid?: string | undefined;
+        scopeId?: string | undefined;
+        delegationRef?: string | undefined;
+    };
+}, {
+    jws: string;
+    meta: {
+        did: string;
+        kid: string;
+        nonce: string;
+        audience: string;
+        sessionId: string;
+        ts: number;
+        requestHash: string;
+        responseHash: string;
+        clientDid?: string | undefined;
+        scopeId?: string | undefined;
+        delegationRef?: string | undefined;
+    };
+}>;
+export declare const CanonicalHashesSchema: z.ZodObject<{
+    requestHash: z.ZodString;
+    responseHash: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    requestHash: string;
+    responseHash: string;
+}, {
+    requestHash: string;
+    responseHash: string;
+}>;
+export declare const AuditRecordSchema: z.ZodObject<{
+    version: z.ZodLiteral<"audit.v1">;
+    ts: z.ZodNumber;
+    session: z.ZodString;
+    audience: z.ZodString;
+    did: z.ZodString;
+    kid: z.ZodString;
+    reqHash: z.ZodString;
+    resHash: z.ZodString;
+    verified: z.ZodEnum<["yes", "no"]>;
+    scope: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    version: "audit.v1";
+    did: string;
+    kid: string;
+    audience: string;
+    ts: number;
+    session: string;
+    reqHash: string;
+    resHash: string;
+    verified: "yes" | "no";
+    scope: string;
+}, {
+    version: "audit.v1";
+    did: string;
+    kid: string;
+    audience: string;
+    ts: number;
+    session: string;
+    reqHash: string;
+    resHash: string;
+    verified: "yes" | "no";
+    scope: string;
+}>;
+export type ProofMeta = z.infer<typeof ProofMetaSchema>;
+export type DetachedProof = z.infer<typeof DetachedProofSchema>;
+export type CanonicalHashes = z.infer<typeof CanonicalHashesSchema>;
+export type AuditRecord = z.infer<typeof AuditRecordSchema>;
+export declare const JWS_ALGORITHM = "EdDSA";
+export declare const HASH_ALGORITHM = "sha256";
+export declare const AUDIT_VERSION = "audit.v1";
+/**
+ * Tool call context for AgentShield dashboard integration
+ * Provides plaintext tool execution data alongside cryptographic proofs
+ */
+export declare const ToolCallContextSchema: z.ZodObject<{
+    tool: z.ZodString;
+    args: z.ZodRecord<z.ZodString, z.ZodUnknown>;
+    result: z.ZodOptional<z.ZodUnknown>;
+    scopeId: z.ZodString;
+    userId: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    scopeId: string;
+    tool: string;
+    args: Record<string, unknown>;
+    result?: unknown;
+    userId?: string | undefined;
+}, {
+    scopeId: string;
+    tool: string;
+    args: Record<string, unknown>;
+    result?: unknown;
+    userId?: string | undefined;
+}>;
+/**
+ * Proof submission context for AgentShield API
+ * Includes tool calls and optional MCP server URL for tool discovery
+ */
+export declare const ProofSubmissionContextSchema: z.ZodObject<{
+    toolCalls: z.ZodArray<z.ZodObject<{
+        tool: z.ZodString;
+        args: z.ZodRecord<z.ZodString, z.ZodUnknown>;
+        result: z.ZodOptional<z.ZodUnknown>;
+        scopeId: z.ZodString;
+        userId: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        scopeId: string;
+        tool: string;
+        args: Record<string, unknown>;
+        result?: unknown;
+        userId?: string | undefined;
+    }, {
+        scopeId: string;
+        tool: string;
+        args: Record<string, unknown>;
+        result?: unknown;
+        userId?: string | undefined;
+    }>, "many">;
+    mcpServerUrl: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    toolCalls: {
+        scopeId: string;
+        tool: string;
+        args: Record<string, unknown>;
+        result?: unknown;
+        userId?: string | undefined;
+    }[];
+    mcpServerUrl?: string | undefined;
+}, {
+    toolCalls: {
+        scopeId: string;
+        tool: string;
+        args: Record<string, unknown>;
+        result?: unknown;
+        userId?: string | undefined;
+    }[];
+    mcpServerUrl?: string | undefined;
+}>;
+/**
+ * Complete proof submission request to AgentShield
+ */
+export declare const ProofSubmissionRequestSchema: z.ZodObject<{
+    session_id: z.ZodString;
+    delegation_id: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+    proofs: z.ZodArray<z.ZodObject<{
+        jws: z.ZodString;
+        meta: z.ZodObject<{
+            did: z.ZodString;
+            kid: z.ZodString;
+            ts: z.ZodNumber;
+            nonce: z.ZodString;
+            audience: z.ZodString;
+            sessionId: z.ZodString;
+            requestHash: z.ZodString;
+            responseHash: z.ZodString;
+            scopeId: z.ZodOptional<z.ZodString>;
+            delegationRef: z.ZodOptional<z.ZodString>;
+            clientDid: z.ZodOptional<z.ZodString>;
+        }, "strip", z.ZodTypeAny, {
+            did: string;
+            kid: string;
+            nonce: string;
+            audience: string;
+            sessionId: string;
+            ts: number;
+            requestHash: string;
+            responseHash: string;
+            clientDid?: string | undefined;
+            scopeId?: string | undefined;
+            delegationRef?: string | undefined;
+        }, {
+            did: string;
+            kid: string;
+            nonce: string;
+            audience: string;
+            sessionId: string;
+            ts: number;
+            requestHash: string;
+            responseHash: string;
+            clientDid?: string | undefined;
+            scopeId?: string | undefined;
+            delegationRef?: string | undefined;
+        }>;
+    }, "strip", z.ZodTypeAny, {
+        jws: string;
+        meta: {
+            did: string;
+            kid: string;
+            nonce: string;
+            audience: string;
+            sessionId: string;
+            ts: number;
+            requestHash: string;
+            responseHash: string;
+            clientDid?: string | undefined;
+            scopeId?: string | undefined;
+            delegationRef?: string | undefined;
+        };
+    }, {
+        jws: string;
+        meta: {
+            did: string;
+            kid: string;
+            nonce: string;
+            audience: string;
+            sessionId: string;
+            ts: number;
+            requestHash: string;
+            responseHash: string;
+            clientDid?: string | undefined;
+            scopeId?: string | undefined;
+            delegationRef?: string | undefined;
+        };
+    }>, "many">;
+    context: z.ZodOptional<z.ZodObject<{
+        toolCalls: z.ZodArray<z.ZodObject<{
+            tool: z.ZodString;
+            args: z.ZodRecord<z.ZodString, z.ZodUnknown>;
+            result: z.ZodOptional<z.ZodUnknown>;
+            scopeId: z.ZodString;
+            userId: z.ZodOptional<z.ZodString>;
+        }, "strip", z.ZodTypeAny, {
+            scopeId: string;
+            tool: string;
+            args: Record<string, unknown>;
+            result?: unknown;
+            userId?: string | undefined;
+        }, {
+            scopeId: string;
+            tool: string;
+            args: Record<string, unknown>;
+            result?: unknown;
+            userId?: string | undefined;
+        }>, "many">;
+        mcpServerUrl: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        toolCalls: {
+            scopeId: string;
+            tool: string;
+            args: Record<string, unknown>;
+            result?: unknown;
+            userId?: string | undefined;
+        }[];
+        mcpServerUrl?: string | undefined;
+    }, {
+        toolCalls: {
+            scopeId: string;
+            tool: string;
+            args: Record<string, unknown>;
+            result?: unknown;
+            userId?: string | undefined;
+        }[];
+        mcpServerUrl?: string | undefined;
+    }>>;
+}, "strip", z.ZodTypeAny, {
+    session_id: string;
+    proofs: {
+        jws: string;
+        meta: {
+            did: string;
+            kid: string;
+            nonce: string;
+            audience: string;
+            sessionId: string;
+            ts: number;
+            requestHash: string;
+            responseHash: string;
+            clientDid?: string | undefined;
+            scopeId?: string | undefined;
+            delegationRef?: string | undefined;
+        };
+    }[];
+    delegation_id?: string | null | undefined;
+    context?: {
+        toolCalls: {
+            scopeId: string;
+            tool: string;
+            args: Record<string, unknown>;
+            result?: unknown;
+            userId?: string | undefined;
+        }[];
+        mcpServerUrl?: string | undefined;
+    } | undefined;
+}, {
+    session_id: string;
+    proofs: {
+        jws: string;
+        meta: {
+            did: string;
+            kid: string;
+            nonce: string;
+            audience: string;
+            sessionId: string;
+            ts: number;
+            requestHash: string;
+            responseHash: string;
+            clientDid?: string | undefined;
+            scopeId?: string | undefined;
+            delegationRef?: string | undefined;
+        };
+    }[];
+    delegation_id?: string | null | undefined;
+    context?: {
+        toolCalls: {
+            scopeId: string;
+            tool: string;
+            args: Record<string, unknown>;
+            result?: unknown;
+            userId?: string | undefined;
+        }[];
+        mcpServerUrl?: string | undefined;
+    } | undefined;
+}>;
+export type ToolCallContext = z.infer<typeof ToolCallContextSchema>;
+export type ProofSubmissionContext = z.infer<typeof ProofSubmissionContextSchema>;
+export type ProofSubmissionRequest = z.infer<typeof ProofSubmissionRequestSchema>;

package/dist/proof.js

@@ -0,0 +1,82 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ProofSubmissionRequestSchema = exports.ProofSubmissionContextSchema = exports.ToolCallContextSchema = exports.AUDIT_VERSION = exports.HASH_ALGORITHM = exports.JWS_ALGORITHM = exports.AuditRecordSchema = exports.CanonicalHashesSchema = exports.DetachedProofSchema = exports.ProofMetaSchema = void 0;
+const zod_1 = require("zod");
+/**
+ * Proof and signature schemas for MCP-I
+ *
+ * Note: The type name "DetachedProof" is maintained for backward compatibility,
+ * but the JWS format is actually FULL compact JWS (header.payload.signature),
+ * not detached format (header..signature).
+ *
+ * The JWS payload contains JWT standard claims (aud, sub, iss) plus custom
+ * proof claims (requestHash, responseHash, nonce, etc.).
+ */
+exports.ProofMetaSchema = zod_1.z.object({
+    did: zod_1.z.string().min(1),
+    kid: zod_1.z.string().min(1),
+    ts: zod_1.z.number().int().positive(),
+    nonce: zod_1.z.string().min(1),
+    audience: zod_1.z.string().min(1),
+    sessionId: zod_1.z.string().min(1),
+    requestHash: zod_1.z.string().regex(/^sha256:[a-f0-9]{64}$/),
+    responseHash: zod_1.z.string().regex(/^sha256:[a-f0-9]{64}$/),
+    scopeId: zod_1.z.string().optional(),
+    delegationRef: zod_1.z.string().optional(),
+    clientDid: zod_1.z.string().optional(), // Optional for backward compatibility
+});
+exports.DetachedProofSchema = zod_1.z.object({
+    jws: zod_1.z.string().min(1), // Full compact JWS format (header.payload.signature)
+    meta: exports.ProofMetaSchema, // Convenience metadata (duplicates signed payload data)
+});
+exports.CanonicalHashesSchema = zod_1.z.object({
+    requestHash: zod_1.z.string().regex(/^sha256:[a-f0-9]{64}$/),
+    responseHash: zod_1.z.string().regex(/^sha256:[a-f0-9]{64}$/),
+});
+exports.AuditRecordSchema = zod_1.z.object({
+    version: zod_1.z.literal("audit.v1"),
+    ts: zod_1.z.number().int().positive(),
+    session: zod_1.z.string().min(1),
+    audience: zod_1.z.string().min(1),
+    did: zod_1.z.string().min(1),
+    kid: zod_1.z.string().min(1),
+    reqHash: zod_1.z.string().regex(/^sha256:[a-f0-9]{64}$/),
+    resHash: zod_1.z.string().regex(/^sha256:[a-f0-9]{64}$/),
+    verified: zod_1.z.enum(["yes", "no"]),
+    scope: zod_1.z.string().min(1), // "-" for no scope
+});
+// Constants
+exports.JWS_ALGORITHM = "EdDSA";
+exports.HASH_ALGORITHM = "sha256";
+exports.AUDIT_VERSION = "audit.v1";
+/**
+ * Tool call context for AgentShield dashboard integration
+ * Provides plaintext tool execution data alongside cryptographic proofs
+ */
+exports.ToolCallContextSchema = zod_1.z.object({
+    tool: zod_1.z.string().min(1),
+    args: zod_1.z.record(zod_1.z.unknown()),
+    result: zod_1.z.unknown().optional(),
+    scopeId: zod_1.z.string(),
+    userId: zod_1.z.string().optional(),
+});
+/**
+ * Proof submission context for AgentShield API
+ * Includes tool calls and optional MCP server URL for tool discovery
+ */
+exports.ProofSubmissionContextSchema = zod_1.z.object({
+    toolCalls: zod_1.z.array(exports.ToolCallContextSchema),
+    mcpServerUrl: zod_1.z.string().url().optional(),
+});
+/**
+ * Complete proof submission request to AgentShield
+ */
+exports.ProofSubmissionRequestSchema = zod_1.z.object({
+    session_id: zod_1.z.string().min(1),
+    delegation_id: zod_1.z.string().nullable().optional(),
+    proofs: zod_1.z.array(zod_1.z.object({
+        jws: zod_1.z.string().min(1),
+        meta: exports.ProofMetaSchema,
+    })),
+    context: exports.ProofSubmissionContextSchema.optional(),
+});