@kya-os/contracts 1.5.3-canary.16 → 1.5.3-canary.17

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (71) hide show
  1. package/.turbo/turbo-build.log +17 -0
  2. package/.turbo/turbo-test$colon$coverage.log +85 -0
  3. package/.turbo/turbo-test.log +32 -0
  4. package/coverage/coverage-final.json +38 -0
  5. package/dist/consent/schemas.d.ts +18 -0
  6. package/dist/consent/schemas.js +10 -0
  7. package/dist/dashboard-config/schemas.d.ts +1424 -220
  8. package/dist/tool-protection/index.d.ts +418 -8
  9. package/dist/tool-protection/index.js +61 -2
  10. package/package.json +35 -129
  11. package/schemas/cli/register-output/v1.0.0.json +69 -0
  12. package/schemas/identity/v1.0.0.json +46 -0
  13. package/schemas/proof/v1.0.0.json +80 -0
  14. package/schemas/registry/receipt-v1.0.0.json +60 -0
  15. package/schemas/verifier/verify-page/v1.0.0.json +94 -0
  16. package/schemas/well-known/agent/v1.0.0.json +67 -0
  17. package/schemas/well-known/did/v1.0.0.json +174 -0
  18. package/scripts/emit-schemas.js +11 -0
  19. package/src/agentshield-api/admin-schemas.ts +31 -0
  20. package/src/agentshield-api/admin-types.ts +47 -0
  21. package/src/agentshield-api/endpoints.ts +60 -0
  22. package/src/agentshield-api/index.ts +70 -0
  23. package/src/agentshield-api/schemas.ts +304 -0
  24. package/src/agentshield-api/types.ts +317 -0
  25. package/src/audit/index.ts +128 -0
  26. package/src/cli.ts +156 -0
  27. package/src/config/base.ts +107 -0
  28. package/src/config/builder.ts +97 -0
  29. package/src/config/delegation.ts +232 -0
  30. package/src/config/identity.ts +252 -0
  31. package/src/config/index.ts +78 -0
  32. package/src/config/proofing.ts +138 -0
  33. package/src/config/tool-context.ts +41 -0
  34. package/src/config/tool-protection.ts +174 -0
  35. package/src/consent/index.ts +32 -0
  36. package/src/consent/schemas.ts +334 -0
  37. package/src/consent/types.ts +199 -0
  38. package/src/dashboard-config/default-config.json +86 -0
  39. package/src/dashboard-config/default-config.ts +266 -0
  40. package/src/dashboard-config/index.ts +48 -0
  41. package/src/dashboard-config/schemas.ts +286 -0
  42. package/src/dashboard-config/types.ts +404 -0
  43. package/src/delegation/constraints.ts +267 -0
  44. package/src/delegation/index.ts +8 -0
  45. package/src/delegation/schemas.ts +595 -0
  46. package/src/did/index.ts +9 -0
  47. package/src/did/resolve-contract.ts +255 -0
  48. package/src/did/schemas.ts +190 -0
  49. package/src/did/types.ts +224 -0
  50. package/src/env/constants.ts +70 -0
  51. package/src/env/index.ts +5 -0
  52. package/src/handshake.ts +125 -0
  53. package/src/index.ts +45 -0
  54. package/src/proof/index.ts +31 -0
  55. package/src/proof/proof-record.ts +163 -0
  56. package/src/proof/signing-spec.ts +146 -0
  57. package/src/proof.ts +99 -0
  58. package/src/registry.ts +146 -0
  59. package/src/runtime/errors.ts +153 -0
  60. package/src/runtime/headers.ts +136 -0
  61. package/src/runtime/index.ts +6 -0
  62. package/src/test.ts +143 -0
  63. package/src/tlkrc/index.ts +5 -0
  64. package/src/tlkrc/rotation.ts +153 -0
  65. package/src/tool-protection/index.ts +343 -0
  66. package/src/utils/validation.ts +93 -0
  67. package/src/vc/index.ts +8 -0
  68. package/src/vc/schemas.ts +277 -0
  69. package/src/vc/statuslist.ts +279 -0
  70. package/src/verifier.ts +92 -0
  71. package/src/well-known/index.ts +237 -0
package/dist/tool-protection/index.d.ts CHANGED
@@ -8,6 +8,31 @@
8
8
  * @module @kya-os/contracts/tool-protection
9
9
  */
10
10
  import { z } from 'zod';
11
+ /**
12
+ * Authorization Requirement (Discriminated Union)
13
+ *
14
+ * Defines the type of authorization required for a tool.
15
+ * Extensible design to support OAuth, MDL, IDV, credentials, etc.
16
+ */
17
+ export type AuthorizationRequirement = {
18
+ type: 'oauth';
19
+ provider: string;
20
+ requiredScopes?: string[];
21
+ } | {
22
+ type: 'mdl';
23
+ issuer: string;
24
+ credentialType?: string;
25
+ } | {
26
+ type: 'idv';
27
+ provider: string;
28
+ verificationLevel?: 'basic' | 'enhanced' | 'loa3';
29
+ } | {
30
+ type: 'credential';
31
+ credentialType: string;
32
+ issuer?: string;
33
+ } | {
34
+ type: 'none';
35
+ };
11
36
  /**
12
37
  * Tool Protection Definition
13
38
  *
@@ -34,8 +59,14 @@ export interface ToolProtection {
34
59
  * If specified, this tool will use the specified OAuth provider.
35
60
  * If not specified, provider will be resolved via fallback strategies.
36
61
  * @example "github", "google", "microsoft"
62
+ * @deprecated Use `authorization` field instead. Will be removed in Phase 3.
37
63
  */
38
64
  oauthProvider?: string;
65
+ /**
66
+ * Authorization requirement for this tool
67
+ * If requiresDelegation=true, authorization must be specified (or inferred from legacy fields)
68
+ */
69
+ authorization?: AuthorizationRequirement;
39
70
  }
40
71
  /**
41
72
  * Tool Protection Map
@@ -104,37 +135,278 @@ export interface DelegationRequiredErrorData {
104
135
  /**
105
136
  * Zod Schemas for Validation
106
137
  */
138
+ export declare const AuthorizationRequirementSchema: z.ZodDiscriminatedUnion<"type", [z.ZodObject<{
139
+ type: z.ZodLiteral<"oauth">;
140
+ provider: z.ZodString;
141
+ requiredScopes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
142
+ }, "strip", z.ZodTypeAny, {
143
+ type: "oauth";
144
+ provider: string;
145
+ requiredScopes?: string[] | undefined;
146
+ }, {
147
+ type: "oauth";
148
+ provider: string;
149
+ requiredScopes?: string[] | undefined;
150
+ }>, z.ZodObject<{
151
+ type: z.ZodLiteral<"mdl">;
152
+ issuer: z.ZodString;
153
+ credentialType: z.ZodOptional<z.ZodString>;
154
+ }, "strip", z.ZodTypeAny, {
155
+ type: "mdl";
156
+ issuer: string;
157
+ credentialType?: string | undefined;
158
+ }, {
159
+ type: "mdl";
160
+ issuer: string;
161
+ credentialType?: string | undefined;
162
+ }>, z.ZodObject<{
163
+ type: z.ZodLiteral<"idv">;
164
+ provider: z.ZodString;
165
+ verificationLevel: z.ZodOptional<z.ZodEnum<["basic", "enhanced", "loa3"]>>;
166
+ }, "strip", z.ZodTypeAny, {
167
+ type: "idv";
168
+ provider: string;
169
+ verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
170
+ }, {
171
+ type: "idv";
172
+ provider: string;
173
+ verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
174
+ }>, z.ZodObject<{
175
+ type: z.ZodLiteral<"credential">;
176
+ credentialType: z.ZodString;
177
+ issuer: z.ZodOptional<z.ZodString>;
178
+ }, "strip", z.ZodTypeAny, {
179
+ type: "credential";
180
+ credentialType: string;
181
+ issuer?: string | undefined;
182
+ }, {
183
+ type: "credential";
184
+ credentialType: string;
185
+ issuer?: string | undefined;
186
+ }>, z.ZodObject<{
187
+ type: z.ZodLiteral<"none">;
188
+ }, "strip", z.ZodTypeAny, {
189
+ type: "none";
190
+ }, {
191
+ type: "none";
192
+ }>]>;
107
193
  export declare const ToolProtectionSchema: z.ZodObject<{
108
194
  requiresDelegation: z.ZodBoolean;
109
195
  requiredScopes: z.ZodArray<z.ZodString, "many">;
110
196
  riskLevel: z.ZodOptional<z.ZodEnum<["low", "medium", "high", "critical"]>>;
111
197
  oauthProvider: z.ZodOptional<z.ZodString>;
198
+ authorization: z.ZodOptional<z.ZodDiscriminatedUnion<"type", [z.ZodObject<{
199
+ type: z.ZodLiteral<"oauth">;
200
+ provider: z.ZodString;
201
+ requiredScopes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
202
+ }, "strip", z.ZodTypeAny, {
203
+ type: "oauth";
204
+ provider: string;
205
+ requiredScopes?: string[] | undefined;
206
+ }, {
207
+ type: "oauth";
208
+ provider: string;
209
+ requiredScopes?: string[] | undefined;
210
+ }>, z.ZodObject<{
211
+ type: z.ZodLiteral<"mdl">;
212
+ issuer: z.ZodString;
213
+ credentialType: z.ZodOptional<z.ZodString>;
214
+ }, "strip", z.ZodTypeAny, {
215
+ type: "mdl";
216
+ issuer: string;
217
+ credentialType?: string | undefined;
218
+ }, {
219
+ type: "mdl";
220
+ issuer: string;
221
+ credentialType?: string | undefined;
222
+ }>, z.ZodObject<{
223
+ type: z.ZodLiteral<"idv">;
224
+ provider: z.ZodString;
225
+ verificationLevel: z.ZodOptional<z.ZodEnum<["basic", "enhanced", "loa3"]>>;
226
+ }, "strip", z.ZodTypeAny, {
227
+ type: "idv";
228
+ provider: string;
229
+ verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
230
+ }, {
231
+ type: "idv";
232
+ provider: string;
233
+ verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
234
+ }>, z.ZodObject<{
235
+ type: z.ZodLiteral<"credential">;
236
+ credentialType: z.ZodString;
237
+ issuer: z.ZodOptional<z.ZodString>;
238
+ }, "strip", z.ZodTypeAny, {
239
+ type: "credential";
240
+ credentialType: string;
241
+ issuer?: string | undefined;
242
+ }, {
243
+ type: "credential";
244
+ credentialType: string;
245
+ issuer?: string | undefined;
246
+ }>, z.ZodObject<{
247
+ type: z.ZodLiteral<"none">;
248
+ }, "strip", z.ZodTypeAny, {
249
+ type: "none";
250
+ }, {
251
+ type: "none";
252
+ }>]>>;
112
253
  }, "strip", z.ZodTypeAny, {
113
- requiresDelegation: boolean;
114
254
  requiredScopes: string[];
255
+ requiresDelegation: boolean;
115
256
  riskLevel?: "low" | "medium" | "high" | "critical" | undefined;
116
257
  oauthProvider?: string | undefined;
258
+ authorization?: {
259
+ type: "oauth";
260
+ provider: string;
261
+ requiredScopes?: string[] | undefined;
262
+ } | {
263
+ type: "mdl";
264
+ issuer: string;
265
+ credentialType?: string | undefined;
266
+ } | {
267
+ type: "idv";
268
+ provider: string;
269
+ verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
270
+ } | {
271
+ type: "credential";
272
+ credentialType: string;
273
+ issuer?: string | undefined;
274
+ } | {
275
+ type: "none";
276
+ } | undefined;
117
277
  }, {
118
- requiresDelegation: boolean;
119
278
  requiredScopes: string[];
279
+ requiresDelegation: boolean;
120
280
  riskLevel?: "low" | "medium" | "high" | "critical" | undefined;
121
281
  oauthProvider?: string | undefined;
282
+ authorization?: {
283
+ type: "oauth";
284
+ provider: string;
285
+ requiredScopes?: string[] | undefined;
286
+ } | {
287
+ type: "mdl";
288
+ issuer: string;
289
+ credentialType?: string | undefined;
290
+ } | {
291
+ type: "idv";
292
+ provider: string;
293
+ verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
294
+ } | {
295
+ type: "credential";
296
+ credentialType: string;
297
+ issuer?: string | undefined;
298
+ } | {
299
+ type: "none";
300
+ } | undefined;
122
301
  }>;
123
302
  export declare const ToolProtectionMapSchema: z.ZodRecord<z.ZodString, z.ZodObject<{
124
303
  requiresDelegation: z.ZodBoolean;
125
304
  requiredScopes: z.ZodArray<z.ZodString, "many">;
126
305
  riskLevel: z.ZodOptional<z.ZodEnum<["low", "medium", "high", "critical"]>>;
127
306
  oauthProvider: z.ZodOptional<z.ZodString>;
307
+ authorization: z.ZodOptional<z.ZodDiscriminatedUnion<"type", [z.ZodObject<{
308
+ type: z.ZodLiteral<"oauth">;
309
+ provider: z.ZodString;
310
+ requiredScopes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
311
+ }, "strip", z.ZodTypeAny, {
312
+ type: "oauth";
313
+ provider: string;
314
+ requiredScopes?: string[] | undefined;
315
+ }, {
316
+ type: "oauth";
317
+ provider: string;
318
+ requiredScopes?: string[] | undefined;
319
+ }>, z.ZodObject<{
320
+ type: z.ZodLiteral<"mdl">;
321
+ issuer: z.ZodString;
322
+ credentialType: z.ZodOptional<z.ZodString>;
323
+ }, "strip", z.ZodTypeAny, {
324
+ type: "mdl";
325
+ issuer: string;
326
+ credentialType?: string | undefined;
327
+ }, {
328
+ type: "mdl";
329
+ issuer: string;
330
+ credentialType?: string | undefined;
331
+ }>, z.ZodObject<{
332
+ type: z.ZodLiteral<"idv">;
333
+ provider: z.ZodString;
334
+ verificationLevel: z.ZodOptional<z.ZodEnum<["basic", "enhanced", "loa3"]>>;
335
+ }, "strip", z.ZodTypeAny, {
336
+ type: "idv";
337
+ provider: string;
338
+ verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
339
+ }, {
340
+ type: "idv";
341
+ provider: string;
342
+ verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
343
+ }>, z.ZodObject<{
344
+ type: z.ZodLiteral<"credential">;
345
+ credentialType: z.ZodString;
346
+ issuer: z.ZodOptional<z.ZodString>;
347
+ }, "strip", z.ZodTypeAny, {
348
+ type: "credential";
349
+ credentialType: string;
350
+ issuer?: string | undefined;
351
+ }, {
352
+ type: "credential";
353
+ credentialType: string;
354
+ issuer?: string | undefined;
355
+ }>, z.ZodObject<{
356
+ type: z.ZodLiteral<"none">;
357
+ }, "strip", z.ZodTypeAny, {
358
+ type: "none";
359
+ }, {
360
+ type: "none";
361
+ }>]>>;
128
362
  }, "strip", z.ZodTypeAny, {
129
- requiresDelegation: boolean;
130
363
  requiredScopes: string[];
364
+ requiresDelegation: boolean;
131
365
  riskLevel?: "low" | "medium" | "high" | "critical" | undefined;
132
366
  oauthProvider?: string | undefined;
367
+ authorization?: {
368
+ type: "oauth";
369
+ provider: string;
370
+ requiredScopes?: string[] | undefined;
371
+ } | {
372
+ type: "mdl";
373
+ issuer: string;
374
+ credentialType?: string | undefined;
375
+ } | {
376
+ type: "idv";
377
+ provider: string;
378
+ verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
379
+ } | {
380
+ type: "credential";
381
+ credentialType: string;
382
+ issuer?: string | undefined;
383
+ } | {
384
+ type: "none";
385
+ } | undefined;
133
386
  }, {
134
- requiresDelegation: boolean;
135
387
  requiredScopes: string[];
388
+ requiresDelegation: boolean;
136
389
  riskLevel?: "low" | "medium" | "high" | "critical" | undefined;
137
390
  oauthProvider?: string | undefined;
391
+ authorization?: {
392
+ type: "oauth";
393
+ provider: string;
394
+ requiredScopes?: string[] | undefined;
395
+ } | {
396
+ type: "mdl";
397
+ issuer: string;
398
+ credentialType?: string | undefined;
399
+ } | {
400
+ type: "idv";
401
+ provider: string;
402
+ verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
403
+ } | {
404
+ type: "credential";
405
+ credentialType: string;
406
+ issuer?: string | undefined;
407
+ } | {
408
+ type: "none";
409
+ } | undefined;
138
410
  }>>;
139
411
  export declare const ToolProtectionResponseSchema: z.ZodObject<{
140
412
  toolProtections: z.ZodRecord<z.ZodString, z.ZodObject<{
@@ -142,16 +414,109 @@ export declare const ToolProtectionResponseSchema: z.ZodObject<{
142
414
  requiredScopes: z.ZodArray<z.ZodString, "many">;
143
415
  riskLevel: z.ZodOptional<z.ZodEnum<["low", "medium", "high", "critical"]>>;
144
416
  oauthProvider: z.ZodOptional<z.ZodString>;
417
+ authorization: z.ZodOptional<z.ZodDiscriminatedUnion<"type", [z.ZodObject<{
418
+ type: z.ZodLiteral<"oauth">;
419
+ provider: z.ZodString;
420
+ requiredScopes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
421
+ }, "strip", z.ZodTypeAny, {
422
+ type: "oauth";
423
+ provider: string;
424
+ requiredScopes?: string[] | undefined;
425
+ }, {
426
+ type: "oauth";
427
+ provider: string;
428
+ requiredScopes?: string[] | undefined;
429
+ }>, z.ZodObject<{
430
+ type: z.ZodLiteral<"mdl">;
431
+ issuer: z.ZodString;
432
+ credentialType: z.ZodOptional<z.ZodString>;
433
+ }, "strip", z.ZodTypeAny, {
434
+ type: "mdl";
435
+ issuer: string;
436
+ credentialType?: string | undefined;
437
+ }, {
438
+ type: "mdl";
439
+ issuer: string;
440
+ credentialType?: string | undefined;
441
+ }>, z.ZodObject<{
442
+ type: z.ZodLiteral<"idv">;
443
+ provider: z.ZodString;
444
+ verificationLevel: z.ZodOptional<z.ZodEnum<["basic", "enhanced", "loa3"]>>;
445
+ }, "strip", z.ZodTypeAny, {
446
+ type: "idv";
447
+ provider: string;
448
+ verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
449
+ }, {
450
+ type: "idv";
451
+ provider: string;
452
+ verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
453
+ }>, z.ZodObject<{
454
+ type: z.ZodLiteral<"credential">;
455
+ credentialType: z.ZodString;
456
+ issuer: z.ZodOptional<z.ZodString>;
457
+ }, "strip", z.ZodTypeAny, {
458
+ type: "credential";
459
+ credentialType: string;
460
+ issuer?: string | undefined;
461
+ }, {
462
+ type: "credential";
463
+ credentialType: string;
464
+ issuer?: string | undefined;
465
+ }>, z.ZodObject<{
466
+ type: z.ZodLiteral<"none">;
467
+ }, "strip", z.ZodTypeAny, {
468
+ type: "none";
469
+ }, {
470
+ type: "none";
471
+ }>]>>;
145
472
  }, "strip", z.ZodTypeAny, {
146
- requiresDelegation: boolean;
147
473
  requiredScopes: string[];
474
+ requiresDelegation: boolean;
148
475
  riskLevel?: "low" | "medium" | "high" | "critical" | undefined;
149
476
  oauthProvider?: string | undefined;
477
+ authorization?: {
478
+ type: "oauth";
479
+ provider: string;
480
+ requiredScopes?: string[] | undefined;
481
+ } | {
482
+ type: "mdl";
483
+ issuer: string;
484
+ credentialType?: string | undefined;
485
+ } | {
486
+ type: "idv";
487
+ provider: string;
488
+ verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
489
+ } | {
490
+ type: "credential";
491
+ credentialType: string;
492
+ issuer?: string | undefined;
493
+ } | {
494
+ type: "none";
495
+ } | undefined;
150
496
  }, {
151
- requiresDelegation: boolean;
152
497
  requiredScopes: string[];
498
+ requiresDelegation: boolean;
153
499
  riskLevel?: "low" | "medium" | "high" | "critical" | undefined;
154
500
  oauthProvider?: string | undefined;
501
+ authorization?: {
502
+ type: "oauth";
503
+ provider: string;
504
+ requiredScopes?: string[] | undefined;
505
+ } | {
506
+ type: "mdl";
507
+ issuer: string;
508
+ credentialType?: string | undefined;
509
+ } | {
510
+ type: "idv";
511
+ provider: string;
512
+ verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
513
+ } | {
514
+ type: "credential";
515
+ credentialType: string;
516
+ issuer?: string | undefined;
517
+ } | {
518
+ type: "none";
519
+ } | undefined;
155
520
  }>>;
156
521
  metadata: z.ZodOptional<z.ZodObject<{
157
522
  lastUpdated: z.ZodOptional<z.ZodString>;
@@ -168,10 +533,29 @@ export declare const ToolProtectionResponseSchema: z.ZodObject<{
168
533
  }>>;
169
534
  }, "strip", z.ZodTypeAny, {
170
535
  toolProtections: Record<string, {
171
- requiresDelegation: boolean;
172
536
  requiredScopes: string[];
537
+ requiresDelegation: boolean;
173
538
  riskLevel?: "low" | "medium" | "high" | "critical" | undefined;
174
539
  oauthProvider?: string | undefined;
540
+ authorization?: {
541
+ type: "oauth";
542
+ provider: string;
543
+ requiredScopes?: string[] | undefined;
544
+ } | {
545
+ type: "mdl";
546
+ issuer: string;
547
+ credentialType?: string | undefined;
548
+ } | {
549
+ type: "idv";
550
+ provider: string;
551
+ verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
552
+ } | {
553
+ type: "credential";
554
+ credentialType: string;
555
+ issuer?: string | undefined;
556
+ } | {
557
+ type: "none";
558
+ } | undefined;
175
559
  }>;
176
560
  metadata?: {
177
561
  lastUpdated?: string | undefined;
@@ -180,10 +564,29 @@ export declare const ToolProtectionResponseSchema: z.ZodObject<{
180
564
  } | undefined;
181
565
  }, {
182
566
  toolProtections: Record<string, {
183
- requiresDelegation: boolean;
184
567
  requiredScopes: string[];
568
+ requiresDelegation: boolean;
185
569
  riskLevel?: "low" | "medium" | "high" | "critical" | undefined;
186
570
  oauthProvider?: string | undefined;
571
+ authorization?: {
572
+ type: "oauth";
573
+ provider: string;
574
+ requiredScopes?: string[] | undefined;
575
+ } | {
576
+ type: "mdl";
577
+ issuer: string;
578
+ credentialType?: string | undefined;
579
+ } | {
580
+ type: "idv";
581
+ provider: string;
582
+ verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
583
+ } | {
584
+ type: "credential";
585
+ credentialType: string;
586
+ issuer?: string | undefined;
587
+ } | {
588
+ type: "none";
589
+ } | undefined;
187
590
  }>;
188
591
  metadata?: {
189
592
  lastUpdated?: string | undefined;
@@ -243,3 +646,10 @@ export declare function getToolRiskLevel(toolName: string, protections: ToolProt
243
646
  * Create a delegation required error
244
647
  */
245
648
  export declare function createDelegationRequiredError(toolName: string, requiredScopes: string[], consentUrl?: string): DelegationRequiredErrorData;
649
+ /**
650
+ * Normalize tool protection configuration
651
+ * Migrates legacy oauthProvider field to authorization object
652
+ *
653
+ * // TODO: Remove normalizeToolProtection() when all tools migrated (target: Phase 3)
654
+ */
655
+ export declare function normalizeToolProtection(raw: ToolProtection): ToolProtection;
package/dist/tool-protection/index.js CHANGED
@@ -9,7 +9,7 @@
9
9
  * @module @kya-os/contracts/tool-protection
10
10
  */
11
11
  Object.defineProperty(exports, "__esModule", { value: true });
12
- exports.DelegationRequiredErrorDataSchema = exports.ToolProtectionResponseSchema = exports.ToolProtectionMapSchema = exports.ToolProtectionSchema = void 0;
12
+ exports.DelegationRequiredErrorDataSchema = exports.ToolProtectionResponseSchema = exports.ToolProtectionMapSchema = exports.ToolProtectionSchema = exports.AuthorizationRequirementSchema = void 0;
13
13
  exports.isToolProtection = isToolProtection;
14
14
  exports.isToolProtectionMap = isToolProtectionMap;
15
15
  exports.isToolProtectionResponse = isToolProtectionResponse;
@@ -22,15 +22,42 @@ exports.toolRequiresDelegation = toolRequiresDelegation;
22
22
  exports.getToolRequiredScopes = getToolRequiredScopes;
23
23
  exports.getToolRiskLevel = getToolRiskLevel;
24
24
  exports.createDelegationRequiredError = createDelegationRequiredError;
25
+ exports.normalizeToolProtection = normalizeToolProtection;
25
26
  const zod_1 = require("zod");
26
27
  /**
27
28
  * Zod Schemas for Validation
28
29
  */
30
+ exports.AuthorizationRequirementSchema = zod_1.z.discriminatedUnion('type', [
31
+ zod_1.z.object({
32
+ type: zod_1.z.literal('oauth'),
33
+ provider: zod_1.z.string(),
34
+ requiredScopes: zod_1.z.array(zod_1.z.string()).optional(),
35
+ }),
36
+ zod_1.z.object({
37
+ type: zod_1.z.literal('mdl'),
38
+ issuer: zod_1.z.string(),
39
+ credentialType: zod_1.z.string().optional(),
40
+ }),
41
+ zod_1.z.object({
42
+ type: zod_1.z.literal('idv'),
43
+ provider: zod_1.z.string(),
44
+ verificationLevel: zod_1.z.enum(['basic', 'enhanced', 'loa3']).optional(),
45
+ }),
46
+ zod_1.z.object({
47
+ type: zod_1.z.literal('credential'),
48
+ credentialType: zod_1.z.string(),
49
+ issuer: zod_1.z.string().optional(),
50
+ }),
51
+ zod_1.z.object({
52
+ type: zod_1.z.literal('none'),
53
+ }),
54
+ ]);
29
55
  exports.ToolProtectionSchema = zod_1.z.object({
30
56
  requiresDelegation: zod_1.z.boolean(),
31
57
  requiredScopes: zod_1.z.array(zod_1.z.string()),
32
58
  riskLevel: zod_1.z.enum(['low', 'medium', 'high', 'critical']).optional(),
33
- oauthProvider: zod_1.z.string().optional() // Phase 2: Tool-specific OAuth provider
59
+ oauthProvider: zod_1.z.string().optional(), // Phase 2: Tool-specific OAuth provider
60
+ authorization: exports.AuthorizationRequirementSchema.optional(),
34
61
  });
35
62
  exports.ToolProtectionMapSchema = zod_1.z.record(zod_1.z.string(), exports.ToolProtectionSchema);
36
63
  exports.ToolProtectionResponseSchema = zod_1.z.object({
@@ -112,3 +139,35 @@ function createDelegationRequiredError(toolName, requiredScopes, consentUrl) {
112
139
  authorizationUrl: consentUrl // Include both for compatibility
113
140
  };
114
141
  }
142
+ /**
143
+ * Normalize tool protection configuration
144
+ * Migrates legacy oauthProvider field to authorization object
145
+ *
146
+ * // TODO: Remove normalizeToolProtection() when all tools migrated (target: Phase 3)
147
+ */
148
+ function normalizeToolProtection(raw) {
149
+ // If authorization is already present, return as is
150
+ if (raw.authorization) {
151
+ return raw;
152
+ }
153
+ // Migrate oauthProvider to authorization
154
+ if (raw.oauthProvider) {
155
+ return {
156
+ ...raw,
157
+ authorization: {
158
+ type: 'oauth',
159
+ provider: raw.oauthProvider,
160
+ },
161
+ // Keep oauthProvider for backward compatibility until Phase 3
162
+ };
163
+ }
164
+ // Default for requiresDelegation=true without specific auth: type='none' (consent only)
165
+ // But ONLY if authorization is missing entirely
166
+ if (raw.requiresDelegation && !raw.authorization && !raw.oauthProvider) {
167
+ // We don't automatically set type='none' here to allow
168
+ // ProviderResolver to do its scope inference fallback logic.
169
+ // The fallback logic will eventually be moved into an AuthorizationService.
170
+ return raw;
171
+ }
172
+ return raw;
173
+ }