npm - @kya-os/contracts - Versions diffs - 1.5.3-canary.2 → 1.5.3-canary.20 - Mend

@kya-os/contracts 1.5.3-canary.2 → 1.5.3-canary.20

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (90) hide show

package/.turbo/turbo-build.log +17 -0
package/.turbo/turbo-test$colon$coverage.log +85 -0
package/.turbo/turbo-test.log +32 -0
package/coverage/coverage-final.json +38 -0
package/dist/agentshield-api/admin-schemas.d.ts +2 -2
package/dist/agentshield-api/index.d.ts +1 -1
package/dist/agentshield-api/schemas.d.ts +150 -48
package/dist/agentshield-api/schemas.js +32 -4
package/dist/agentshield-api/types.d.ts +31 -4
package/dist/audit/index.d.ts +193 -0
package/dist/audit/index.js +100 -0
package/dist/config/identity.d.ts +205 -2
package/dist/config/identity.js +28 -0
package/dist/config/index.d.ts +2 -1
package/dist/config/tool-context.d.ts +34 -0
package/dist/config/tool-context.js +13 -0
package/dist/consent/schemas.d.ts +119 -93
package/dist/consent/schemas.js +111 -64
package/dist/dashboard-config/schemas.d.ts +1949 -693
package/dist/handshake.d.ts +14 -14
package/dist/index.d.ts +1 -0
package/dist/index.js +2 -0
package/dist/tool-protection/index.d.ts +430 -2
package/dist/tool-protection/index.js +62 -2
package/dist/verifier/index.d.ts +1 -0
package/dist/verifier/index.js +18 -0
package/dist/well-known/index.d.ts +2 -2
package/package.json +43 -122
package/schemas/cli/register-output/v1.0.0.json +69 -0
package/schemas/identity/v1.0.0.json +46 -0
package/schemas/proof/v1.0.0.json +80 -0
package/schemas/registry/receipt-v1.0.0.json +60 -0
package/schemas/verifier/verify-page/v1.0.0.json +94 -0
package/schemas/well-known/agent/v1.0.0.json +67 -0
package/schemas/well-known/did/v1.0.0.json +174 -0
package/scripts/emit-schemas.js +11 -0
package/src/agentshield-api/admin-schemas.ts +31 -0
package/src/agentshield-api/admin-types.ts +47 -0
package/src/agentshield-api/endpoints.ts +60 -0
package/src/agentshield-api/index.ts +70 -0
package/src/agentshield-api/schemas.ts +304 -0
package/src/agentshield-api/types.ts +317 -0
package/src/audit/index.ts +128 -0
package/src/cli.ts +156 -0
package/src/config/base.ts +107 -0
package/src/config/builder.ts +97 -0
package/src/config/delegation.ts +232 -0
package/src/config/identity.ts +252 -0
package/src/config/index.ts +78 -0
package/src/config/proofing.ts +138 -0
package/src/config/tool-context.ts +41 -0
package/src/config/tool-protection.ts +174 -0
package/src/consent/index.ts +32 -0
package/src/consent/schemas.ts +334 -0
package/src/consent/types.ts +199 -0
package/src/dashboard-config/default-config.json +86 -0
package/src/dashboard-config/default-config.ts +266 -0
package/src/dashboard-config/index.ts +48 -0
package/src/dashboard-config/schemas.ts +286 -0
package/src/dashboard-config/types.ts +404 -0
package/src/delegation/constraints.ts +267 -0
package/src/delegation/index.ts +8 -0
package/src/delegation/schemas.ts +595 -0
package/src/did/index.ts +9 -0
package/src/did/resolve-contract.ts +255 -0
package/src/did/schemas.ts +190 -0
package/src/did/types.ts +224 -0
package/src/env/constants.ts +70 -0
package/src/env/index.ts +5 -0
package/src/handshake.ts +125 -0
package/src/index.ts +45 -0
package/src/proof/index.ts +31 -0
package/src/proof/proof-record.ts +163 -0
package/src/proof/signing-spec.ts +146 -0
package/src/proof.ts +99 -0
package/src/registry.ts +146 -0
package/src/runtime/errors.ts +153 -0
package/src/runtime/headers.ts +136 -0
package/src/runtime/index.ts +6 -0
package/src/test.ts +143 -0
package/src/tlkrc/index.ts +5 -0
package/src/tlkrc/rotation.ts +153 -0
package/src/tool-protection/index.ts +343 -0
package/src/utils/validation.ts +93 -0
package/src/vc/index.ts +8 -0
package/src/vc/schemas.ts +277 -0
package/src/vc/statuslist.ts +279 -0
package/src/verifier/index.ts +2 -0
package/src/verifier.ts +92 -0
package/src/well-known/index.ts +237 -0

package/dist/handshake.d.ts CHANGED Viewed

@@ -12,15 +12,15 @@ export declare const MCPClientInfoSchema: z.ZodObject<{
     persistentId: z.ZodOptional<z.ZodString>;
 }, "strip", z.ZodTypeAny, {
     name: string;
-    title?: string | undefined;
     version?: string | undefined;
+    title?: string | undefined;
     platform?: string | undefined;
     vendor?: string | undefined;
     persistentId?: string | undefined;
 }, {
     name: string;
-    title?: string | undefined;
     version?: string | undefined;
+    title?: string | undefined;
     platform?: string | undefined;
     vendor?: string | undefined;
     persistentId?: string | undefined;
@@ -39,8 +39,8 @@ export declare const MCPClientSessionInfoSchema: z.ZodObject<{
 }, "strip", z.ZodTypeAny, {
     name: string;
     clientId: string;
-    title?: string | undefined;
     version?: string | undefined;
+    title?: string | undefined;
     platform?: string | undefined;
     vendor?: string | undefined;
     persistentId?: string | undefined;
@@ -49,8 +49,8 @@ export declare const MCPClientSessionInfoSchema: z.ZodObject<{
 }, {
     name: string;
     clientId: string;
-    title?: string | undefined;
     version?: string | undefined;
+    title?: string | undefined;
     platform?: string | undefined;
     vendor?: string | undefined;
     persistentId?: string | undefined;
@@ -73,16 +73,16 @@ export declare const HandshakeRequestSchema: z.ZodObject<{
         clientId: z.ZodOptional<z.ZodString>;
     }, "strip", z.ZodTypeAny, {
         name: string;
-        title?: string | undefined;
         version?: string | undefined;
+        title?: string | undefined;
         platform?: string | undefined;
         vendor?: string | undefined;
         persistentId?: string | undefined;
         clientId?: string | undefined;
     }, {
         name: string;
-        title?: string | undefined;
         version?: string | undefined;
+        title?: string | undefined;
         platform?: string | undefined;
         vendor?: string | undefined;
         persistentId?: string | undefined;
@@ -97,8 +97,8 @@ export declare const HandshakeRequestSchema: z.ZodObject<{
     agentDid?: string | undefined;
     clientInfo?: {
         name: string;
-        title?: string | undefined;
         version?: string | undefined;
+        title?: string | undefined;
         platform?: string | undefined;
         vendor?: string | undefined;
         persistentId?: string | undefined;
@@ -113,8 +113,8 @@ export declare const HandshakeRequestSchema: z.ZodObject<{
     agentDid?: string | undefined;
     clientInfo?: {
         name: string;
-        title?: string | undefined;
         version?: string | undefined;
+        title?: string | undefined;
         platform?: string | undefined;
         vendor?: string | undefined;
         persistentId?: string | undefined;
@@ -149,8 +149,8 @@ export declare const SessionContextSchema: z.ZodObject<{
     }, "strip", z.ZodTypeAny, {
         name: string;
         clientId: string;
-        title?: string | undefined;
         version?: string | undefined;
+        title?: string | undefined;
         platform?: string | undefined;
         vendor?: string | undefined;
         persistentId?: string | undefined;
@@ -159,8 +159,8 @@ export declare const SessionContextSchema: z.ZodObject<{
     }, {
         name: string;
         clientId: string;
-        title?: string | undefined;
         version?: string | undefined;
+        title?: string | undefined;
         platform?: string | undefined;
         vendor?: string | undefined;
         persistentId?: string | undefined;
@@ -168,19 +168,19 @@ export declare const SessionContextSchema: z.ZodObject<{
         capabilities?: Record<string, unknown> | undefined;
     }>>;
 }, "strip", z.ZodTypeAny, {
+    createdAt: number;
     nonce: string;
     audience: string;
     timestamp: number;
     sessionId: string;
-    createdAt: number;
     lastActivity: number;
     ttlMinutes: number;
     agentDid?: string | undefined;
     clientInfo?: {
         name: string;
         clientId: string;
-        title?: string | undefined;
         version?: string | undefined;
+        title?: string | undefined;
         platform?: string | undefined;
         vendor?: string | undefined;
         persistentId?: string | undefined;
@@ -191,18 +191,18 @@ export declare const SessionContextSchema: z.ZodObject<{
     clientDid?: string | undefined;
     userDid?: string | undefined;
 }, {
+    createdAt: number;
     nonce: string;
     audience: string;
     timestamp: number;
     sessionId: string;
-    createdAt: number;
     lastActivity: number;
     agentDid?: string | undefined;
     clientInfo?: {
         name: string;
         clientId: string;
-        title?: string | undefined;
         version?: string | undefined;
+        title?: string | undefined;
         platform?: string | undefined;
         vendor?: string | undefined;
         persistentId?: string | undefined;

package/dist/index.d.ts CHANGED Viewed

@@ -21,5 +21,6 @@ export * from "./test.js";
 export * from "./utils/validation.js";
 export * from "./vc/index.js";
 export * from "./delegation/index.js";
+export * from "./audit/index.js";
 export declare const CONTRACTS_VERSION = "1.2.1";
 export declare const SUPPORTED_XMCP_I_VERSION = "^1.0.0";

package/dist/index.js CHANGED Viewed

@@ -40,6 +40,8 @@ __exportStar(require("./utils/validation.js"), exports);
 // W3C VC and Delegation exports (for mcp-i-core compatibility)
 __exportStar(require("./vc/index.js"), exports);
 __exportStar(require("./delegation/index.js"), exports);
+// Audit types (platform-agnostic)
+__exportStar(require("./audit/index.js"), exports);
 // Version information
 exports.CONTRACTS_VERSION = "1.2.1";
 exports.SUPPORTED_XMCP_I_VERSION = "^1.0.0";

package/dist/tool-protection/index.d.ts CHANGED Viewed

@@ -8,6 +8,31 @@
  * @module @kya-os/contracts/tool-protection
  */
 import { z } from 'zod';
+/**
+ * Authorization Requirement (Discriminated Union)
+ *
+ * Defines the type of authorization required for a tool.
+ * Extensible design to support OAuth, MDL, IDV, credentials, etc.
+ */
+export type AuthorizationRequirement = {
+    type: 'oauth';
+    provider: string;
+    requiredScopes?: string[];
+} | {
+    type: 'mdl';
+    issuer: string;
+    credentialType?: string;
+} | {
+    type: 'idv';
+    provider: string;
+    verificationLevel?: 'basic' | 'enhanced' | 'loa3';
+} | {
+    type: 'credential';
+    credentialType: string;
+    issuer?: string;
+} | {
+    type: 'none';
+};
 /**
  * Tool Protection Definition
  *
@@ -29,6 +54,19 @@ export interface ToolProtection {
      * Used to determine appropriate authorization flows
      */
     riskLevel?: 'low' | 'medium' | 'high' | 'critical';
+    /**
+     * OAuth provider name for this tool (Phase 2+)
+     * If specified, this tool will use the specified OAuth provider.
+     * If not specified, provider will be resolved via fallback strategies.
+     * @example "github", "google", "microsoft"
+     * @deprecated Use `authorization` field instead. Will be removed in Phase 3.
+     */
+    oauthProvider?: string;
+    /**
+     * Authorization requirement for this tool
+     * If requiresDelegation=true, authorization must be specified (or inferred from legacy fields)
+     */
+    authorization?: AuthorizationRequirement;
 }
 /**
  * Tool Protection Map
@@ -97,45 +135,388 @@ export interface DelegationRequiredErrorData {
 /**
  * Zod Schemas for Validation
  */
+export declare const AuthorizationRequirementSchema: z.ZodDiscriminatedUnion<"type", [z.ZodObject<{
+    type: z.ZodLiteral<"oauth">;
+    provider: z.ZodString;
+    requiredScopes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+}, "strip", z.ZodTypeAny, {
+    type: "oauth";
+    provider: string;
+    requiredScopes?: string[] | undefined;
+}, {
+    type: "oauth";
+    provider: string;
+    requiredScopes?: string[] | undefined;
+}>, z.ZodObject<{
+    type: z.ZodLiteral<"mdl">;
+    issuer: z.ZodString;
+    credentialType: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    type: "mdl";
+    issuer: string;
+    credentialType?: string | undefined;
+}, {
+    type: "mdl";
+    issuer: string;
+    credentialType?: string | undefined;
+}>, z.ZodObject<{
+    type: z.ZodLiteral<"idv">;
+    provider: z.ZodString;
+    verificationLevel: z.ZodOptional<z.ZodEnum<["basic", "enhanced", "loa3"]>>;
+}, "strip", z.ZodTypeAny, {
+    type: "idv";
+    provider: string;
+    verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
+}, {
+    type: "idv";
+    provider: string;
+    verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
+}>, z.ZodObject<{
+    type: z.ZodLiteral<"credential">;
+    credentialType: z.ZodString;
+    issuer: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    type: "credential";
+    credentialType: string;
+    issuer?: string | undefined;
+}, {
+    type: "credential";
+    credentialType: string;
+    issuer?: string | undefined;
+}>, z.ZodObject<{
+    type: z.ZodLiteral<"none">;
+}, "strip", z.ZodTypeAny, {
+    type: "none";
+}, {
+    type: "none";
+}>]>;
 export declare const ToolProtectionSchema: z.ZodObject<{
     requiresDelegation: z.ZodBoolean;
     requiredScopes: z.ZodArray<z.ZodString, "many">;
     riskLevel: z.ZodOptional<z.ZodEnum<["low", "medium", "high", "critical"]>>;
+    oauthProvider: z.ZodOptional<z.ZodString>;
+    authorization: z.ZodOptional<z.ZodDiscriminatedUnion<"type", [z.ZodObject<{
+        type: z.ZodLiteral<"oauth">;
+        provider: z.ZodString;
+        requiredScopes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    }, "strip", z.ZodTypeAny, {
+        type: "oauth";
+        provider: string;
+        requiredScopes?: string[] | undefined;
+    }, {
+        type: "oauth";
+        provider: string;
+        requiredScopes?: string[] | undefined;
+    }>, z.ZodObject<{
+        type: z.ZodLiteral<"mdl">;
+        issuer: z.ZodString;
+        credentialType: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        type: "mdl";
+        issuer: string;
+        credentialType?: string | undefined;
+    }, {
+        type: "mdl";
+        issuer: string;
+        credentialType?: string | undefined;
+    }>, z.ZodObject<{
+        type: z.ZodLiteral<"idv">;
+        provider: z.ZodString;
+        verificationLevel: z.ZodOptional<z.ZodEnum<["basic", "enhanced", "loa3"]>>;
+    }, "strip", z.ZodTypeAny, {
+        type: "idv";
+        provider: string;
+        verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
+    }, {
+        type: "idv";
+        provider: string;
+        verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
+    }>, z.ZodObject<{
+        type: z.ZodLiteral<"credential">;
+        credentialType: z.ZodString;
+        issuer: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        type: "credential";
+        credentialType: string;
+        issuer?: string | undefined;
+    }, {
+        type: "credential";
+        credentialType: string;
+        issuer?: string | undefined;
+    }>, z.ZodObject<{
+        type: z.ZodLiteral<"none">;
+    }, "strip", z.ZodTypeAny, {
+        type: "none";
+    }, {
+        type: "none";
+    }>]>>;
 }, "strip", z.ZodTypeAny, {
     requiresDelegation: boolean;
     requiredScopes: string[];
     riskLevel?: "low" | "medium" | "high" | "critical" | undefined;
+    oauthProvider?: string | undefined;
+    authorization?: {
+        type: "oauth";
+        provider: string;
+        requiredScopes?: string[] | undefined;
+    } | {
+        type: "mdl";
+        issuer: string;
+        credentialType?: string | undefined;
+    } | {
+        type: "idv";
+        provider: string;
+        verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
+    } | {
+        type: "credential";
+        credentialType: string;
+        issuer?: string | undefined;
+    } | {
+        type: "none";
+    } | undefined;
 }, {
     requiresDelegation: boolean;
     requiredScopes: string[];
     riskLevel?: "low" | "medium" | "high" | "critical" | undefined;
+    oauthProvider?: string | undefined;
+    authorization?: {
+        type: "oauth";
+        provider: string;
+        requiredScopes?: string[] | undefined;
+    } | {
+        type: "mdl";
+        issuer: string;
+        credentialType?: string | undefined;
+    } | {
+        type: "idv";
+        provider: string;
+        verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
+    } | {
+        type: "credential";
+        credentialType: string;
+        issuer?: string | undefined;
+    } | {
+        type: "none";
+    } | undefined;
 }>;
 export declare const ToolProtectionMapSchema: z.ZodRecord<z.ZodString, z.ZodObject<{
     requiresDelegation: z.ZodBoolean;
     requiredScopes: z.ZodArray<z.ZodString, "many">;
     riskLevel: z.ZodOptional<z.ZodEnum<["low", "medium", "high", "critical"]>>;
+    oauthProvider: z.ZodOptional<z.ZodString>;
+    authorization: z.ZodOptional<z.ZodDiscriminatedUnion<"type", [z.ZodObject<{
+        type: z.ZodLiteral<"oauth">;
+        provider: z.ZodString;
+        requiredScopes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    }, "strip", z.ZodTypeAny, {
+        type: "oauth";
+        provider: string;
+        requiredScopes?: string[] | undefined;
+    }, {
+        type: "oauth";
+        provider: string;
+        requiredScopes?: string[] | undefined;
+    }>, z.ZodObject<{
+        type: z.ZodLiteral<"mdl">;
+        issuer: z.ZodString;
+        credentialType: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        type: "mdl";
+        issuer: string;
+        credentialType?: string | undefined;
+    }, {
+        type: "mdl";
+        issuer: string;
+        credentialType?: string | undefined;
+    }>, z.ZodObject<{
+        type: z.ZodLiteral<"idv">;
+        provider: z.ZodString;
+        verificationLevel: z.ZodOptional<z.ZodEnum<["basic", "enhanced", "loa3"]>>;
+    }, "strip", z.ZodTypeAny, {
+        type: "idv";
+        provider: string;
+        verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
+    }, {
+        type: "idv";
+        provider: string;
+        verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
+    }>, z.ZodObject<{
+        type: z.ZodLiteral<"credential">;
+        credentialType: z.ZodString;
+        issuer: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        type: "credential";
+        credentialType: string;
+        issuer?: string | undefined;
+    }, {
+        type: "credential";
+        credentialType: string;
+        issuer?: string | undefined;
+    }>, z.ZodObject<{
+        type: z.ZodLiteral<"none">;
+    }, "strip", z.ZodTypeAny, {
+        type: "none";
+    }, {
+        type: "none";
+    }>]>>;
 }, "strip", z.ZodTypeAny, {
     requiresDelegation: boolean;
     requiredScopes: string[];
     riskLevel?: "low" | "medium" | "high" | "critical" | undefined;
+    oauthProvider?: string | undefined;
+    authorization?: {
+        type: "oauth";
+        provider: string;
+        requiredScopes?: string[] | undefined;
+    } | {
+        type: "mdl";
+        issuer: string;
+        credentialType?: string | undefined;
+    } | {
+        type: "idv";
+        provider: string;
+        verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
+    } | {
+        type: "credential";
+        credentialType: string;
+        issuer?: string | undefined;
+    } | {
+        type: "none";
+    } | undefined;
 }, {
     requiresDelegation: boolean;
     requiredScopes: string[];
     riskLevel?: "low" | "medium" | "high" | "critical" | undefined;
+    oauthProvider?: string | undefined;
+    authorization?: {
+        type: "oauth";
+        provider: string;
+        requiredScopes?: string[] | undefined;
+    } | {
+        type: "mdl";
+        issuer: string;
+        credentialType?: string | undefined;
+    } | {
+        type: "idv";
+        provider: string;
+        verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
+    } | {
+        type: "credential";
+        credentialType: string;
+        issuer?: string | undefined;
+    } | {
+        type: "none";
+    } | undefined;
 }>>;
 export declare const ToolProtectionResponseSchema: z.ZodObject<{
     toolProtections: z.ZodRecord<z.ZodString, z.ZodObject<{
         requiresDelegation: z.ZodBoolean;
         requiredScopes: z.ZodArray<z.ZodString, "many">;
         riskLevel: z.ZodOptional<z.ZodEnum<["low", "medium", "high", "critical"]>>;
+        oauthProvider: z.ZodOptional<z.ZodString>;
+        authorization: z.ZodOptional<z.ZodDiscriminatedUnion<"type", [z.ZodObject<{
+            type: z.ZodLiteral<"oauth">;
+            provider: z.ZodString;
+            requiredScopes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        }, "strip", z.ZodTypeAny, {
+            type: "oauth";
+            provider: string;
+            requiredScopes?: string[] | undefined;
+        }, {
+            type: "oauth";
+            provider: string;
+            requiredScopes?: string[] | undefined;
+        }>, z.ZodObject<{
+            type: z.ZodLiteral<"mdl">;
+            issuer: z.ZodString;
+            credentialType: z.ZodOptional<z.ZodString>;
+        }, "strip", z.ZodTypeAny, {
+            type: "mdl";
+            issuer: string;
+            credentialType?: string | undefined;
+        }, {
+            type: "mdl";
+            issuer: string;
+            credentialType?: string | undefined;
+        }>, z.ZodObject<{
+            type: z.ZodLiteral<"idv">;
+            provider: z.ZodString;
+            verificationLevel: z.ZodOptional<z.ZodEnum<["basic", "enhanced", "loa3"]>>;
+        }, "strip", z.ZodTypeAny, {
+            type: "idv";
+            provider: string;
+            verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
+        }, {
+            type: "idv";
+            provider: string;
+            verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
+        }>, z.ZodObject<{
+            type: z.ZodLiteral<"credential">;
+            credentialType: z.ZodString;
+            issuer: z.ZodOptional<z.ZodString>;
+        }, "strip", z.ZodTypeAny, {
+            type: "credential";
+            credentialType: string;
+            issuer?: string | undefined;
+        }, {
+            type: "credential";
+            credentialType: string;
+            issuer?: string | undefined;
+        }>, z.ZodObject<{
+            type: z.ZodLiteral<"none">;
+        }, "strip", z.ZodTypeAny, {
+            type: "none";
+        }, {
+            type: "none";
+        }>]>>;
     }, "strip", z.ZodTypeAny, {
         requiresDelegation: boolean;
         requiredScopes: string[];
         riskLevel?: "low" | "medium" | "high" | "critical" | undefined;
+        oauthProvider?: string | undefined;
+        authorization?: {
+            type: "oauth";
+            provider: string;
+            requiredScopes?: string[] | undefined;
+        } | {
+            type: "mdl";
+            issuer: string;
+            credentialType?: string | undefined;
+        } | {
+            type: "idv";
+            provider: string;
+            verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
+        } | {
+            type: "credential";
+            credentialType: string;
+            issuer?: string | undefined;
+        } | {
+            type: "none";
+        } | undefined;
     }, {
         requiresDelegation: boolean;
         requiredScopes: string[];
         riskLevel?: "low" | "medium" | "high" | "critical" | undefined;
+        oauthProvider?: string | undefined;
+        authorization?: {
+            type: "oauth";
+            provider: string;
+            requiredScopes?: string[] | undefined;
+        } | {
+            type: "mdl";
+            issuer: string;
+            credentialType?: string | undefined;
+        } | {
+            type: "idv";
+            provider: string;
+            verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
+        } | {
+            type: "credential";
+            credentialType: string;
+            issuer?: string | undefined;
+        } | {
+            type: "none";
+        } | undefined;
     }>>;
     metadata: z.ZodOptional<z.ZodObject<{
         lastUpdated: z.ZodOptional<z.ZodString>;
@@ -155,6 +536,26 @@ export declare const ToolProtectionResponseSchema: z.ZodObject<{
         requiresDelegation: boolean;
         requiredScopes: string[];
         riskLevel?: "low" | "medium" | "high" | "critical" | undefined;
+        oauthProvider?: string | undefined;
+        authorization?: {
+            type: "oauth";
+            provider: string;
+            requiredScopes?: string[] | undefined;
+        } | {
+            type: "mdl";
+            issuer: string;
+            credentialType?: string | undefined;
+        } | {
+            type: "idv";
+            provider: string;
+            verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
+        } | {
+            type: "credential";
+            credentialType: string;
+            issuer?: string | undefined;
+        } | {
+            type: "none";
+        } | undefined;
     }>;
     metadata?: {
         version?: string | undefined;
@@ -166,6 +567,26 @@ export declare const ToolProtectionResponseSchema: z.ZodObject<{
         requiresDelegation: boolean;
         requiredScopes: string[];
         riskLevel?: "low" | "medium" | "high" | "critical" | undefined;
+        oauthProvider?: string | undefined;
+        authorization?: {
+            type: "oauth";
+            provider: string;
+            requiredScopes?: string[] | undefined;
+        } | {
+            type: "mdl";
+            issuer: string;
+            credentialType?: string | undefined;
+        } | {
+            type: "idv";
+            provider: string;
+            verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
+        } | {
+            type: "credential";
+            credentialType: string;
+            issuer?: string | undefined;
+        } | {
+            type: "none";
+        } | undefined;
     }>;
     metadata?: {
         version?: string | undefined;
@@ -183,14 +604,14 @@ export declare const DelegationRequiredErrorDataSchema: z.ZodObject<{
     requiredScopes: string[];
     toolName: string;
     reason?: string | undefined;
-    consentUrl?: string | undefined;
     authorizationUrl?: string | undefined;
+    consentUrl?: string | undefined;
 }, {
     requiredScopes: string[];
     toolName: string;
     reason?: string | undefined;
-    consentUrl?: string | undefined;
     authorizationUrl?: string | undefined;
+    consentUrl?: string | undefined;
 }>;
 /**
  * Type Guards
@@ -225,3 +646,10 @@ export declare function getToolRiskLevel(toolName: string, protections: ToolProt
  * Create a delegation required error
  */
 export declare function createDelegationRequiredError(toolName: string, requiredScopes: string[], consentUrl?: string): DelegationRequiredErrorData;
+/**
+ * Normalize tool protection configuration
+ * Migrates legacy oauthProvider field to authorization object
+ *
+ * // TODO: Remove normalizeToolProtection() when all tools migrated (target: Phase 3)
+ */
+export declare function normalizeToolProtection(raw: ToolProtection): ToolProtection;