@kya-os/contracts 1.5.3-canary.10 → 1.5.3-canary.11

package/dist/audit/index.d.ts

@@ -0,0 +1,193 @@
+/**
+ * Audit Types and Schemas
+ *
+ * Types and Zod schemas for audit logging in the MCP-I framework.
+ * These types are platform-agnostic and used across all implementations.
+ */
+import { z } from "zod";
+import type { AgentIdentity } from "../config/identity.js";
+import type { SessionContext } from "../handshake.js";
+/**
+ * Audit context schema for logging audit records
+ *
+ * Contains all metadata needed to generate an audit record.
+ * Privacy Note: Only metadata is extracted from these objects.
+ * The identity's private key, session's nonce, and other sensitive
+ * fields are NEVER included in the audit log.
+ */
+export declare const AuditContextSchema: z.ZodObject<{
+    /**
+     * Agent identity
+     * Only `did` and `keyId` are logged. Private key is NEVER logged.
+     */
+    identity: z.ZodObject<{
+        did: z.ZodString;
+        kid: z.ZodString;
+    }, "passthrough", z.ZodTypeAny, z.objectOutputType<{
+        did: z.ZodString;
+        kid: z.ZodString;
+    }, z.ZodTypeAny, "passthrough">, z.objectInputType<{
+        did: z.ZodString;
+        kid: z.ZodString;
+    }, z.ZodTypeAny, "passthrough">>;
+    /**
+     * Session context
+     * Only `sessionId` and `audience` are logged. Nonce is NEVER logged.
+     */
+    session: z.ZodObject<{
+        sessionId: z.ZodString;
+        audience: z.ZodString;
+    }, "passthrough", z.ZodTypeAny, z.objectOutputType<{
+        sessionId: z.ZodString;
+        audience: z.ZodString;
+    }, z.ZodTypeAny, "passthrough">, z.objectInputType<{
+        sessionId: z.ZodString;
+        audience: z.ZodString;
+    }, z.ZodTypeAny, "passthrough">>;
+    /**
+     * Request hash (SHA-256 with `sha256:` prefix)
+     */
+    requestHash: z.ZodString;
+    /**
+     * Response hash (SHA-256 with `sha256:` prefix)
+     */
+    responseHash: z.ZodString;
+    /**
+     * Verification result
+     * - 'yes': Proof was verified successfully
+     * - 'no': Proof verification failed
+     */
+    verified: z.ZodEnum<["yes", "no"]>;
+    /**
+     * Optional scope identifier
+     * Application-level scope (e.g., 'orders.create', 'users.read').
+     * If not provided, '-' is used in the audit log.
+     */
+    scopeId: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    identity: {
+        did: string;
+        kid: string;
+    } & {
+        [k: string]: unknown;
+    };
+    session: {
+        sessionId: string;
+        audience: string;
+    } & {
+        [k: string]: unknown;
+    };
+    requestHash: string;
+    responseHash: string;
+    verified: "yes" | "no";
+    scopeId?: string | undefined;
+}, {
+    identity: {
+        did: string;
+        kid: string;
+    } & {
+        [k: string]: unknown;
+    };
+    session: {
+        sessionId: string;
+        audience: string;
+    } & {
+        [k: string]: unknown;
+    };
+    requestHash: string;
+    responseHash: string;
+    verified: "yes" | "no";
+    scopeId?: string | undefined;
+}>;
+export type AuditContext = {
+    identity: AgentIdentity;
+    session: SessionContext;
+    requestHash: string;
+    responseHash: string;
+    verified: "yes" | "no";
+    scopeId?: string;
+};
+/**
+ * Event context schema for logging events that bypass session deduplication
+ *
+ * Used for consent events where multiple events occur in the same session.
+ * Unlike AuditContext, this allows multiple events per session.
+ */
+export declare const AuditEventContextSchema: z.ZodObject<{
+    /**
+     * Event type identifier
+     * @example "consent:page_viewed", "consent:approved", "runtime:initialized"
+     */
+    eventType: z.ZodString;
+    /**
+     * Agent identity
+     * Only `did` and `keyId` are logged. Private key is NEVER logged.
+     */
+    identity: z.ZodObject<{
+        did: z.ZodString;
+        kid: z.ZodString;
+    }, "passthrough", z.ZodTypeAny, z.objectOutputType<{
+        did: z.ZodString;
+        kid: z.ZodString;
+    }, z.ZodTypeAny, "passthrough">, z.objectInputType<{
+        did: z.ZodString;
+        kid: z.ZodString;
+    }, z.ZodTypeAny, "passthrough">>;
+    /**
+     * Session context
+     * Only `sessionId` and `audience` are logged. Nonce is NEVER logged.
+     */
+    session: z.ZodObject<{
+        sessionId: z.ZodString;
+        audience: z.ZodString;
+    }, "passthrough", z.ZodTypeAny, z.objectOutputType<{
+        sessionId: z.ZodString;
+        audience: z.ZodString;
+    }, z.ZodTypeAny, "passthrough">, z.objectInputType<{
+        sessionId: z.ZodString;
+        audience: z.ZodString;
+    }, z.ZodTypeAny, "passthrough">>;
+    /**
+     * Optional event-specific data
+     * Used for generating event hash. Not logged directly.
+     */
+    eventData: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+}, "strip", z.ZodTypeAny, {
+    identity: {
+        did: string;
+        kid: string;
+    } & {
+        [k: string]: unknown;
+    };
+    session: {
+        sessionId: string;
+        audience: string;
+    } & {
+        [k: string]: unknown;
+    };
+    eventType: string;
+    eventData?: Record<string, unknown> | undefined;
+}, {
+    identity: {
+        did: string;
+        kid: string;
+    } & {
+        [k: string]: unknown;
+    };
+    session: {
+        sessionId: string;
+        audience: string;
+    } & {
+        [k: string]: unknown;
+    };
+    eventType: string;
+    eventData?: Record<string, unknown> | undefined;
+}>;
+export type AuditEventContext = {
+    eventType: string;
+    identity: AgentIdentity;
+    session: SessionContext;
+    eventData?: Record<string, any>;
+};
+export type { AuditRecord } from "../proof.js";
+export { AuditRecordSchema } from "../proof.js";

package/dist/audit/index.js

@@ -0,0 +1,92 @@
+"use strict";
+/**
+ * Audit Types and Schemas
+ *
+ * Types and Zod schemas for audit logging in the MCP-I framework.
+ * These types are platform-agnostic and used across all implementations.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuditRecordSchema = exports.AuditEventContextSchema = exports.AuditContextSchema = void 0;
+const zod_1 = require("zod");
+/**
+ * Audit context schema for logging audit records
+ *
+ * Contains all metadata needed to generate an audit record.
+ * Privacy Note: Only metadata is extracted from these objects.
+ * The identity's private key, session's nonce, and other sensitive
+ * fields are NEVER included in the audit log.
+ */
+exports.AuditContextSchema = zod_1.z.object({
+    /**
+     * Agent identity
+     * Only `did` and `keyId` are logged. Private key is NEVER logged.
+     */
+    identity: zod_1.z.object({
+        did: zod_1.z.string().min(1),
+        kid: zod_1.z.string().min(1),
+    }).passthrough(), // Allow additional fields but only did/kid are used
+    /**
+     * Session context
+     * Only `sessionId` and `audience` are logged. Nonce is NEVER logged.
+     */
+    session: zod_1.z.object({
+        sessionId: zod_1.z.string().min(1),
+        audience: zod_1.z.string().min(1),
+    }).passthrough(), // Allow additional fields but only sessionId/audience are used
+    /**
+     * Request hash (SHA-256 with `sha256:` prefix)
+     */
+    requestHash: zod_1.z.string().regex(/^sha256:[a-f0-9]{64}$/),
+    /**
+     * Response hash (SHA-256 with `sha256:` prefix)
+     */
+    responseHash: zod_1.z.string().regex(/^sha256:[a-f0-9]{64}$/),
+    /**
+     * Verification result
+     * - 'yes': Proof was verified successfully
+     * - 'no': Proof verification failed
+     */
+    verified: zod_1.z.enum(["yes", "no"]),
+    /**
+     * Optional scope identifier
+     * Application-level scope (e.g., 'orders.create', 'users.read').
+     * If not provided, '-' is used in the audit log.
+     */
+    scopeId: zod_1.z.string().optional(),
+});
+/**
+ * Event context schema for logging events that bypass session deduplication
+ *
+ * Used for consent events where multiple events occur in the same session.
+ * Unlike AuditContext, this allows multiple events per session.
+ */
+exports.AuditEventContextSchema = zod_1.z.object({
+    /**
+     * Event type identifier
+     * @example "consent:page_viewed", "consent:approved", "runtime:initialized"
+     */
+    eventType: zod_1.z.string().min(1),
+    /**
+     * Agent identity
+     * Only `did` and `keyId` are logged. Private key is NEVER logged.
+     */
+    identity: zod_1.z.object({
+        did: zod_1.z.string().min(1),
+        kid: zod_1.z.string().min(1),
+    }).passthrough(), // Allow additional fields but only did/kid are used
+    /**
+     * Session context
+     * Only `sessionId` and `audience` are logged. Nonce is NEVER logged.
+     */
+    session: zod_1.z.object({
+        sessionId: zod_1.z.string().min(1),
+        audience: zod_1.z.string().min(1),
+    }).passthrough(), // Allow additional fields but only sessionId/audience are used
+    /**
+     * Optional event-specific data
+     * Used for generating event hash. Not logged directly.
+     */
+    eventData: zod_1.z.record(zod_1.z.unknown()).optional(),
+});
+var proof_js_1 = require("../proof.js");
+Object.defineProperty(exports, "AuditRecordSchema", { enumerable: true, get: function () { return proof_js_1.AuditRecordSchema; } });

package/dist/index.d.ts

@@ -21,5 +21,6 @@ export * from "./test.js";
 export * from "./utils/validation.js";
 export * from "./vc/index.js";
 export * from "./delegation/index.js";
+export * from "./audit/index.js";
 export declare const CONTRACTS_VERSION = "1.2.1";
 export declare const SUPPORTED_XMCP_I_VERSION = "^1.0.0";

package/dist/index.js

@@ -40,6 +40,8 @@ __exportStar(require("./utils/validation.js"), exports);
 // W3C VC and Delegation exports (for mcp-i-core compatibility)
 __exportStar(require("./vc/index.js"), exports);
 __exportStar(require("./delegation/index.js"), exports);
+// Audit types (platform-agnostic)
+__exportStar(require("./audit/index.js"), exports);
 // Version information
 exports.CONTRACTS_VERSION = "1.2.1";
 exports.SUPPORTED_XMCP_I_VERSION = "^1.0.0";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@kya-os/contracts",
-  "version": "1.5.3-canary.10",
+  "version": "1.5.3-canary.11",
   "description": "Shared types and schemas for XMCP-I ecosystem",
   "type": "commonjs",
   "sideEffects": false,
@@ -77,6 +77,11 @@
       "import": "./dist/agentshield-api/index.js",
       "require": "./dist/agentshield-api/index.js"
     },
+    "./audit": {
+      "types": "./dist/audit/index.d.ts",
+      "import": "./dist/audit/index.js",
+      "require": "./dist/audit/index.js"
+    },
     "./tool-protection": {
       "types": "./dist/tool-protection/index.d.ts",
       "import": "./dist/tool-protection/index.js",