@kya-os/contracts 1.5.3-canary.15 → 1.5.3-canary.17

package/dist/config/identity.d.ts

@@ -6,6 +6,7 @@
  *
  * @module @kya-os/contracts/config
  */
+import { z } from "zod";
 /**
  * Runtime Identity Configuration
  *
@@ -25,7 +26,7 @@ export interface RuntimeIdentityConfig {
      * Runtime environment for identity
      * Determines where keys come from and how they're managed
      */
-    environment: 'development' | 'production';
+    environment: "development" | "production";
     /**
      * Production identity configuration
      * Used when environment is 'production'
@@ -71,7 +72,7 @@ export interface RuntimeIdentityConfig {
      * - 'persistent': User DIDs are persisted in storage (requires did:web setup)
      * @default 'ephemeral'
      */
-    userDidStorage?: 'ephemeral' | 'persistent';
+    userDidStorage?: "ephemeral" | "persistent";
 }
 /**
  * OAuth Provider Configuration
@@ -102,7 +103,7 @@ export interface OAuthProvider {
     /** Custom OAuth parameters to include in authorization URL (e.g., audience, acr_values) */
     customParams?: Record<string, string>;
     /** Token endpoint authentication method */
-    tokenEndpointAuthMethod?: 'client_secret_post' | 'client_secret_basic';
+    tokenEndpointAuthMethod?: "client_secret_post" | "client_secret_basic";
     /** OAuth response type (default: "code") */
     responseType?: string;
     /** OAuth grant type (default: "authorization_code") */
@@ -122,6 +123,140 @@ export interface OAuthConfig {
     /** Map of provider names to provider configurations */
     providers: Record<string, OAuthProvider>;
 }
+/**
+ * Zod schema for OAuthProvider validation
+ */
+export declare const OAuthProviderSchema: z.ZodObject<{
+    clientId: z.ZodString;
+    clientSecret: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+    authorizationUrl: z.ZodString;
+    tokenUrl: z.ZodString;
+    userInfoUrl: z.ZodOptional<z.ZodString>;
+    supportsPKCE: z.ZodBoolean;
+    requiresClientSecret: z.ZodBoolean;
+    scopes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    defaultScopes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    proxyMode: z.ZodOptional<z.ZodBoolean>;
+    customParams: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
+    tokenEndpointAuthMethod: z.ZodOptional<z.ZodEnum<["client_secret_post", "client_secret_basic"]>>;
+    responseType: z.ZodDefault<z.ZodOptional<z.ZodString>>;
+    grantType: z.ZodDefault<z.ZodOptional<z.ZodString>>;
+}, "strip", z.ZodTypeAny, {
+    clientId: string;
+    authorizationUrl: string;
+    tokenUrl: string;
+    supportsPKCE: boolean;
+    requiresClientSecret: boolean;
+    responseType: string;
+    grantType: string;
+    clientSecret?: string | null | undefined;
+    userInfoUrl?: string | undefined;
+    scopes?: string[] | undefined;
+    defaultScopes?: string[] | undefined;
+    proxyMode?: boolean | undefined;
+    customParams?: Record<string, string> | undefined;
+    tokenEndpointAuthMethod?: "client_secret_post" | "client_secret_basic" | undefined;
+}, {
+    clientId: string;
+    authorizationUrl: string;
+    tokenUrl: string;
+    supportsPKCE: boolean;
+    requiresClientSecret: boolean;
+    clientSecret?: string | null | undefined;
+    userInfoUrl?: string | undefined;
+    scopes?: string[] | undefined;
+    defaultScopes?: string[] | undefined;
+    proxyMode?: boolean | undefined;
+    customParams?: Record<string, string> | undefined;
+    tokenEndpointAuthMethod?: "client_secret_post" | "client_secret_basic" | undefined;
+    responseType?: string | undefined;
+    grantType?: string | undefined;
+}>;
+/**
+ * Zod schema for OAuthConfig validation
+ */
+export declare const OAuthConfigSchema: z.ZodObject<{
+    providers: z.ZodRecord<z.ZodString, z.ZodObject<{
+        clientId: z.ZodString;
+        clientSecret: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+        authorizationUrl: z.ZodString;
+        tokenUrl: z.ZodString;
+        userInfoUrl: z.ZodOptional<z.ZodString>;
+        supportsPKCE: z.ZodBoolean;
+        requiresClientSecret: z.ZodBoolean;
+        scopes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        defaultScopes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        proxyMode: z.ZodOptional<z.ZodBoolean>;
+        customParams: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
+        tokenEndpointAuthMethod: z.ZodOptional<z.ZodEnum<["client_secret_post", "client_secret_basic"]>>;
+        responseType: z.ZodDefault<z.ZodOptional<z.ZodString>>;
+        grantType: z.ZodDefault<z.ZodOptional<z.ZodString>>;
+    }, "strip", z.ZodTypeAny, {
+        clientId: string;
+        authorizationUrl: string;
+        tokenUrl: string;
+        supportsPKCE: boolean;
+        requiresClientSecret: boolean;
+        responseType: string;
+        grantType: string;
+        clientSecret?: string | null | undefined;
+        userInfoUrl?: string | undefined;
+        scopes?: string[] | undefined;
+        defaultScopes?: string[] | undefined;
+        proxyMode?: boolean | undefined;
+        customParams?: Record<string, string> | undefined;
+        tokenEndpointAuthMethod?: "client_secret_post" | "client_secret_basic" | undefined;
+    }, {
+        clientId: string;
+        authorizationUrl: string;
+        tokenUrl: string;
+        supportsPKCE: boolean;
+        requiresClientSecret: boolean;
+        clientSecret?: string | null | undefined;
+        userInfoUrl?: string | undefined;
+        scopes?: string[] | undefined;
+        defaultScopes?: string[] | undefined;
+        proxyMode?: boolean | undefined;
+        customParams?: Record<string, string> | undefined;
+        tokenEndpointAuthMethod?: "client_secret_post" | "client_secret_basic" | undefined;
+        responseType?: string | undefined;
+        grantType?: string | undefined;
+    }>>;
+}, "strip", z.ZodTypeAny, {
+    providers: Record<string, {
+        clientId: string;
+        authorizationUrl: string;
+        tokenUrl: string;
+        supportsPKCE: boolean;
+        requiresClientSecret: boolean;
+        responseType: string;
+        grantType: string;
+        clientSecret?: string | null | undefined;
+        userInfoUrl?: string | undefined;
+        scopes?: string[] | undefined;
+        defaultScopes?: string[] | undefined;
+        proxyMode?: boolean | undefined;
+        customParams?: Record<string, string> | undefined;
+        tokenEndpointAuthMethod?: "client_secret_post" | "client_secret_basic" | undefined;
+    }>;
+}, {
+    providers: Record<string, {
+        clientId: string;
+        authorizationUrl: string;
+        tokenUrl: string;
+        supportsPKCE: boolean;
+        requiresClientSecret: boolean;
+        clientSecret?: string | null | undefined;
+        userInfoUrl?: string | undefined;
+        scopes?: string[] | undefined;
+        defaultScopes?: string[] | undefined;
+        proxyMode?: boolean | undefined;
+        customParams?: Record<string, string> | undefined;
+        tokenEndpointAuthMethod?: "client_secret_post" | "client_secret_basic" | undefined;
+        responseType?: string | undefined;
+        grantType?: string | undefined;
+    }>;
+}>;
 /**
  * IDP Tokens
  *

package/dist/config/identity.js

@@ -8,3 +8,31 @@
  * @module @kya-os/contracts/config
  */
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.OAuthConfigSchema = exports.OAuthProviderSchema = void 0;
+const zod_1 = require("zod");
+/**
+ * Zod schema for OAuthProvider validation
+ */
+exports.OAuthProviderSchema = zod_1.z.object({
+    clientId: zod_1.z.string().min(1),
+    clientSecret: zod_1.z.string().nullable().optional(),
+    authorizationUrl: zod_1.z.string().url(),
+    tokenUrl: zod_1.z.string().url(),
+    userInfoUrl: zod_1.z.string().url().optional(),
+    supportsPKCE: zod_1.z.boolean(),
+    requiresClientSecret: zod_1.z.boolean(),
+    scopes: zod_1.z.array(zod_1.z.string()).optional(),
+    defaultScopes: zod_1.z.array(zod_1.z.string()).optional(),
+    proxyMode: zod_1.z.boolean().optional(),
+    // Phase 3: Custom IDP Support
+    customParams: zod_1.z.record(zod_1.z.string()).optional(),
+    tokenEndpointAuthMethod: zod_1.z.enum(["client_secret_post", "client_secret_basic"]).optional(),
+    responseType: zod_1.z.string().optional().default("code"),
+    grantType: zod_1.z.string().optional().default("authorization_code"),
+});
+/**
+ * Zod schema for OAuthConfig validation
+ */
+exports.OAuthConfigSchema = zod_1.z.object({
+    providers: zod_1.z.record(zod_1.z.string(), exports.OAuthProviderSchema),
+});

package/dist/consent/schemas.d.ts

@@ -269,6 +269,16 @@ export declare const consentPageConfigSchema: z.ZodObject<{
     }>, "many">>;
     serverUrl: z.ZodString;
     autoClose: z.ZodOptional<z.ZodBoolean>;
+    /**
+     * Whether OAuth authorization is required immediately
+     * If true, the consent page will act as a landing page before redirecting
+     */
+    oauthRequired: z.ZodOptional<z.ZodBoolean>;
+    /**
+     * The OAuth authorization URL to redirect to
+     * Required if oauthRequired is true
+     */
+    oauthUrl: z.ZodOptional<z.ZodString>;
 }, "strip", z.ZodTypeAny, {
     agentDid: string;
     serverUrl: string;
@@ -303,6 +313,8 @@ export declare const consentPageConfigSchema: z.ZodObject<{
         pattern?: string | undefined;
     }[] | undefined;
     autoClose?: boolean | undefined;
+    oauthRequired?: boolean | undefined;
+    oauthUrl?: string | undefined;
 }, {
     agentDid: string;
     serverUrl: string;
@@ -337,6 +349,8 @@ export declare const consentPageConfigSchema: z.ZodObject<{
         pattern?: string | undefined;
     }[] | undefined;
     autoClose?: boolean | undefined;
+    oauthRequired?: boolean | undefined;
+    oauthUrl?: string | undefined;
 }>;
 export type ConsentPageConfig = z.infer<typeof consentPageConfigSchema>;
 /**
@@ -689,6 +703,8 @@ export declare function validateConsentPageConfig(config: unknown): z.SafeParseR
         pattern?: string | undefined;
     }[] | undefined;
     autoClose?: boolean | undefined;
+    oauthRequired?: boolean | undefined;
+    oauthUrl?: string | undefined;
 }, {
     agentDid: string;
     serverUrl: string;
@@ -723,6 +739,8 @@ export declare function validateConsentPageConfig(config: unknown): z.SafeParseR
         pattern?: string | undefined;
     }[] | undefined;
     autoClose?: boolean | undefined;
+    oauthRequired?: boolean | undefined;
+    oauthUrl?: string | undefined;
 }>;
 /**
  * Validate a consent approval request

package/dist/consent/schemas.js

@@ -150,6 +150,16 @@ exports.consentPageConfigSchema = zod_1.z.object({
         .optional(),
     serverUrl: zod_1.z.string().url("Server URL must be a valid URL"),
     autoClose: zod_1.z.boolean().optional(),
+    /**
+     * Whether OAuth authorization is required immediately
+     * If true, the consent page will act as a landing page before redirecting
+     */
+    oauthRequired: zod_1.z.boolean().optional(),
+    /**
+     * The OAuth authorization URL to redirect to
+     * Required if oauthRequired is true
+     */
+    oauthUrl: zod_1.z.string().url().optional(),
 });
 /**
  * Consent Approval Request Schema