@kya-os/contracts 1.5.3-canary.2 → 1.5.3-canary.21

Files changed (90)
  1. package/.turbo/turbo-build.log +17 -0
  2. package/.turbo/turbo-test$colon$coverage.log +85 -0
  3. package/.turbo/turbo-test.log +32 -0
  4. package/coverage/coverage-final.json +38 -0
  5. package/dist/agentshield-api/admin-schemas.d.ts +2 -2
  6. package/dist/agentshield-api/index.d.ts +1 -1
  7. package/dist/agentshield-api/schemas.d.ts +150 -48
  8. package/dist/agentshield-api/schemas.js +32 -4
  9. package/dist/agentshield-api/types.d.ts +31 -4
  10. package/dist/audit/index.d.ts +193 -0
  11. package/dist/audit/index.js +100 -0
  12. package/dist/config/identity.d.ts +205 -2
  13. package/dist/config/identity.js +28 -0
  14. package/dist/config/index.d.ts +2 -1
  15. package/dist/config/tool-context.d.ts +34 -0
  16. package/dist/config/tool-context.js +13 -0
  17. package/dist/consent/schemas.d.ts +119 -93
  18. package/dist/consent/schemas.js +111 -64
  19. package/dist/dashboard-config/schemas.d.ts +2248 -992
  20. package/dist/handshake.d.ts +14 -14
  21. package/dist/index.d.ts +1 -0
  22. package/dist/index.js +2 -0
  23. package/dist/tool-protection/index.d.ts +490 -14
  24. package/dist/tool-protection/index.js +89 -2
  25. package/dist/verifier/index.d.ts +1 -0
  26. package/dist/verifier/index.js +18 -0
  27. package/dist/well-known/index.d.ts +2 -2
  28. package/package.json +43 -122
  29. package/schemas/cli/register-output/v1.0.0.json +69 -0
  30. package/schemas/identity/v1.0.0.json +46 -0
  31. package/schemas/proof/v1.0.0.json +80 -0
  32. package/schemas/registry/receipt-v1.0.0.json +60 -0
  33. package/schemas/verifier/verify-page/v1.0.0.json +94 -0
  34. package/schemas/well-known/agent/v1.0.0.json +67 -0
  35. package/schemas/well-known/did/v1.0.0.json +174 -0
  36. package/scripts/emit-schemas.js +11 -0
  37. package/src/agentshield-api/admin-schemas.ts +31 -0
  38. package/src/agentshield-api/admin-types.ts +47 -0
  39. package/src/agentshield-api/endpoints.ts +60 -0
  40. package/src/agentshield-api/index.ts +70 -0
  41. package/src/agentshield-api/schemas.ts +304 -0
  42. package/src/agentshield-api/types.ts +317 -0
  43. package/src/audit/index.ts +128 -0
  44. package/src/cli.ts +156 -0
  45. package/src/config/base.ts +107 -0
  46. package/src/config/builder.ts +97 -0
  47. package/src/config/delegation.ts +232 -0
  48. package/src/config/identity.ts +252 -0
  49. package/src/config/index.ts +78 -0
  50. package/src/config/proofing.ts +138 -0
  51. package/src/config/tool-context.ts +41 -0
  52. package/src/config/tool-protection.ts +174 -0
  53. package/src/consent/index.ts +32 -0
  54. package/src/consent/schemas.ts +334 -0
  55. package/src/consent/types.ts +199 -0
  56. package/src/dashboard-config/default-config.json +86 -0
  57. package/src/dashboard-config/default-config.ts +266 -0
  58. package/src/dashboard-config/index.ts +48 -0
  59. package/src/dashboard-config/schemas.ts +286 -0
  60. package/src/dashboard-config/types.ts +404 -0
  61. package/src/delegation/constraints.ts +267 -0
  62. package/src/delegation/index.ts +8 -0
  63. package/src/delegation/schemas.ts +595 -0
  64. package/src/did/index.ts +9 -0
  65. package/src/did/resolve-contract.ts +255 -0
  66. package/src/did/schemas.ts +190 -0
  67. package/src/did/types.ts +224 -0
  68. package/src/env/constants.ts +70 -0
  69. package/src/env/index.ts +5 -0
  70. package/src/handshake.ts +125 -0
  71. package/src/index.ts +45 -0
  72. package/src/proof/index.ts +31 -0
  73. package/src/proof/proof-record.ts +163 -0
  74. package/src/proof/signing-spec.ts +146 -0
  75. package/src/proof.ts +99 -0
  76. package/src/registry.ts +146 -0
  77. package/src/runtime/errors.ts +153 -0
  78. package/src/runtime/headers.ts +136 -0
  79. package/src/runtime/index.ts +6 -0
  80. package/src/test.ts +143 -0
  81. package/src/tlkrc/index.ts +5 -0
  82. package/src/tlkrc/rotation.ts +153 -0
  83. package/src/tool-protection/index.ts +406 -0
  84. package/src/utils/validation.ts +93 -0
  85. package/src/vc/index.ts +8 -0
  86. package/src/vc/schemas.ts +277 -0
  87. package/src/vc/statuslist.ts +279 -0
  88. package/src/verifier/index.ts +2 -0
  89. package/src/verifier.ts +92 -0
  90. package/src/well-known/index.ts +237 -0
@@ -8,6 +8,31 @@
8
8
  * @module @kya-os/contracts/tool-protection
9
9
  */
10
10
  import { z } from 'zod';
11
+ /**
12
+ * Authorization Requirement (Discriminated Union)
13
+ *
14
+ * Defines the type of authorization required for a tool.
15
+ * Extensible design to support OAuth, MDL, IDV, credentials, etc.
16
+ */
17
+ export type AuthorizationRequirement = {
18
+ type: 'oauth';
19
+ provider: string;
20
+ requiredScopes?: string[];
21
+ } | {
22
+ type: 'mdl';
23
+ issuer: string;
24
+ credentialType?: string;
25
+ } | {
26
+ type: 'idv';
27
+ provider: string;
28
+ verificationLevel?: 'basic' | 'enhanced' | 'loa3';
29
+ } | {
30
+ type: 'credential';
31
+ credentialType: string;
32
+ issuer?: string;
33
+ } | {
34
+ type: 'none';
35
+ };
11
36
  /**
12
37
  * Tool Protection Definition
13
38
  *
@@ -29,6 +54,19 @@ export interface ToolProtection {
29
54
  * Used to determine appropriate authorization flows
30
55
  */
31
56
  riskLevel?: 'low' | 'medium' | 'high' | 'critical';
57
+ /**
58
+ * OAuth provider name for this tool (Phase 2+)
59
+ * If specified, this tool will use the specified OAuth provider.
60
+ * If not specified, provider will be resolved via fallback strategies.
61
+ * @example "github", "google", "microsoft"
62
+ * @deprecated Use `authorization` field instead. Will be removed in Phase 3.
63
+ */
64
+ oauthProvider?: string;
65
+ /**
66
+ * Authorization requirement for this tool
67
+ * If requiresDelegation=true, authorization must be specified (or inferred from legacy fields)
68
+ */
69
+ authorization?: AuthorizationRequirement;
32
70
  }
33
71
  /**
34
72
  * Tool Protection Map
@@ -37,6 +75,23 @@ export interface ToolProtection {
37
75
  * This is how tool protections are typically stored and transmitted.
38
76
  */
39
77
  export type ToolProtectionMap = Record<string, ToolProtection>;
78
+ /**
79
+ * Partial tool protection for updates (all fields optional)
80
+ * Use this when accepting partial updates to tool protection settings
81
+ */
82
+ export type PartialToolProtection = Partial<ToolProtection>;
83
+ /**
84
+ * Tool protection with explicit optional fields
85
+ * Useful when TypeScript's Partial<T> doesn't preserve optional property access
86
+ * Supports explicit null values to clear fields
87
+ */
88
+ export type ToolProtectionUpdate = {
89
+ requiresDelegation?: boolean;
90
+ requiredScopes?: string[];
91
+ riskLevel?: 'low' | 'medium' | 'high' | 'critical';
92
+ oauthProvider?: string | null;
93
+ authorization?: AuthorizationRequirement | null;
94
+ };
40
95
  /**
41
96
  * Tool Protection Response
42
97
  *
@@ -94,82 +149,477 @@ export interface DelegationRequiredErrorData {
94
149
  */
95
150
  reason?: string;
96
151
  }
152
+ /**
153
+ * Legacy tool protection format (pre-authorization field)
154
+ * Used during migration period to support both old and new formats
155
+ */
156
+ export type LegacyToolProtection = Omit<ToolProtection, 'authorization'> & {
157
+ oauthProvider?: string;
158
+ };
159
+ /**
160
+ * Union type for both legacy and new formats
161
+ * Useful during migration period when accepting tool protection input
162
+ */
163
+ export type ToolProtectionInput = ToolProtection | LegacyToolProtection;
97
164
  /**
98
165
  * Zod Schemas for Validation
99
166
  */
167
+ export declare const AuthorizationRequirementSchema: z.ZodDiscriminatedUnion<"type", [z.ZodObject<{
168
+ type: z.ZodLiteral<"oauth">;
169
+ provider: z.ZodString;
170
+ requiredScopes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
171
+ }, "strip", z.ZodTypeAny, {
172
+ type: "oauth";
173
+ provider: string;
174
+ requiredScopes?: string[] | undefined;
175
+ }, {
176
+ type: "oauth";
177
+ provider: string;
178
+ requiredScopes?: string[] | undefined;
179
+ }>, z.ZodObject<{
180
+ type: z.ZodLiteral<"mdl">;
181
+ issuer: z.ZodString;
182
+ credentialType: z.ZodOptional<z.ZodString>;
183
+ }, "strip", z.ZodTypeAny, {
184
+ type: "mdl";
185
+ issuer: string;
186
+ credentialType?: string | undefined;
187
+ }, {
188
+ type: "mdl";
189
+ issuer: string;
190
+ credentialType?: string | undefined;
191
+ }>, z.ZodObject<{
192
+ type: z.ZodLiteral<"idv">;
193
+ provider: z.ZodString;
194
+ verificationLevel: z.ZodOptional<z.ZodEnum<["basic", "enhanced", "loa3"]>>;
195
+ }, "strip", z.ZodTypeAny, {
196
+ type: "idv";
197
+ provider: string;
198
+ verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
199
+ }, {
200
+ type: "idv";
201
+ provider: string;
202
+ verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
203
+ }>, z.ZodObject<{
204
+ type: z.ZodLiteral<"credential">;
205
+ credentialType: z.ZodString;
206
+ issuer: z.ZodOptional<z.ZodString>;
207
+ }, "strip", z.ZodTypeAny, {
208
+ type: "credential";
209
+ credentialType: string;
210
+ issuer?: string | undefined;
211
+ }, {
212
+ type: "credential";
213
+ credentialType: string;
214
+ issuer?: string | undefined;
215
+ }>, z.ZodObject<{
216
+ type: z.ZodLiteral<"none">;
217
+ }, "strip", z.ZodTypeAny, {
218
+ type: "none";
219
+ }, {
220
+ type: "none";
221
+ }>]>;
100
222
  export declare const ToolProtectionSchema: z.ZodObject<{
101
223
  requiresDelegation: z.ZodBoolean;
102
224
  requiredScopes: z.ZodArray<z.ZodString, "many">;
103
225
  riskLevel: z.ZodOptional<z.ZodEnum<["low", "medium", "high", "critical"]>>;
226
+ oauthProvider: z.ZodOptional<z.ZodString>;
227
+ authorization: z.ZodOptional<z.ZodDiscriminatedUnion<"type", [z.ZodObject<{
228
+ type: z.ZodLiteral<"oauth">;
229
+ provider: z.ZodString;
230
+ requiredScopes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
231
+ }, "strip", z.ZodTypeAny, {
232
+ type: "oauth";
233
+ provider: string;
234
+ requiredScopes?: string[] | undefined;
235
+ }, {
236
+ type: "oauth";
237
+ provider: string;
238
+ requiredScopes?: string[] | undefined;
239
+ }>, z.ZodObject<{
240
+ type: z.ZodLiteral<"mdl">;
241
+ issuer: z.ZodString;
242
+ credentialType: z.ZodOptional<z.ZodString>;
243
+ }, "strip", z.ZodTypeAny, {
244
+ type: "mdl";
245
+ issuer: string;
246
+ credentialType?: string | undefined;
247
+ }, {
248
+ type: "mdl";
249
+ issuer: string;
250
+ credentialType?: string | undefined;
251
+ }>, z.ZodObject<{
252
+ type: z.ZodLiteral<"idv">;
253
+ provider: z.ZodString;
254
+ verificationLevel: z.ZodOptional<z.ZodEnum<["basic", "enhanced", "loa3"]>>;
255
+ }, "strip", z.ZodTypeAny, {
256
+ type: "idv";
257
+ provider: string;
258
+ verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
259
+ }, {
260
+ type: "idv";
261
+ provider: string;
262
+ verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
263
+ }>, z.ZodObject<{
264
+ type: z.ZodLiteral<"credential">;
265
+ credentialType: z.ZodString;
266
+ issuer: z.ZodOptional<z.ZodString>;
267
+ }, "strip", z.ZodTypeAny, {
268
+ type: "credential";
269
+ credentialType: string;
270
+ issuer?: string | undefined;
271
+ }, {
272
+ type: "credential";
273
+ credentialType: string;
274
+ issuer?: string | undefined;
275
+ }>, z.ZodObject<{
276
+ type: z.ZodLiteral<"none">;
277
+ }, "strip", z.ZodTypeAny, {
278
+ type: "none";
279
+ }, {
280
+ type: "none";
281
+ }>]>>;
104
282
  }, "strip", z.ZodTypeAny, {
105
- requiresDelegation: boolean;
106
283
  requiredScopes: string[];
284
+ requiresDelegation: boolean;
107
285
  riskLevel?: "low" | "medium" | "high" | "critical" | undefined;
286
+ oauthProvider?: string | undefined;
287
+ authorization?: {
288
+ type: "oauth";
289
+ provider: string;
290
+ requiredScopes?: string[] | undefined;
291
+ } | {
292
+ type: "mdl";
293
+ issuer: string;
294
+ credentialType?: string | undefined;
295
+ } | {
296
+ type: "idv";
297
+ provider: string;
298
+ verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
299
+ } | {
300
+ type: "credential";
301
+ credentialType: string;
302
+ issuer?: string | undefined;
303
+ } | {
304
+ type: "none";
305
+ } | undefined;
108
306
  }, {
109
- requiresDelegation: boolean;
110
307
  requiredScopes: string[];
308
+ requiresDelegation: boolean;
111
309
  riskLevel?: "low" | "medium" | "high" | "critical" | undefined;
310
+ oauthProvider?: string | undefined;
311
+ authorization?: {
312
+ type: "oauth";
313
+ provider: string;
314
+ requiredScopes?: string[] | undefined;
315
+ } | {
316
+ type: "mdl";
317
+ issuer: string;
318
+ credentialType?: string | undefined;
319
+ } | {
320
+ type: "idv";
321
+ provider: string;
322
+ verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
323
+ } | {
324
+ type: "credential";
325
+ credentialType: string;
326
+ issuer?: string | undefined;
327
+ } | {
328
+ type: "none";
329
+ } | undefined;
112
330
  }>;
113
331
  export declare const ToolProtectionMapSchema: z.ZodRecord<z.ZodString, z.ZodObject<{
114
332
  requiresDelegation: z.ZodBoolean;
115
333
  requiredScopes: z.ZodArray<z.ZodString, "many">;
116
334
  riskLevel: z.ZodOptional<z.ZodEnum<["low", "medium", "high", "critical"]>>;
335
+ oauthProvider: z.ZodOptional<z.ZodString>;
336
+ authorization: z.ZodOptional<z.ZodDiscriminatedUnion<"type", [z.ZodObject<{
337
+ type: z.ZodLiteral<"oauth">;
338
+ provider: z.ZodString;
339
+ requiredScopes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
340
+ }, "strip", z.ZodTypeAny, {
341
+ type: "oauth";
342
+ provider: string;
343
+ requiredScopes?: string[] | undefined;
344
+ }, {
345
+ type: "oauth";
346
+ provider: string;
347
+ requiredScopes?: string[] | undefined;
348
+ }>, z.ZodObject<{
349
+ type: z.ZodLiteral<"mdl">;
350
+ issuer: z.ZodString;
351
+ credentialType: z.ZodOptional<z.ZodString>;
352
+ }, "strip", z.ZodTypeAny, {
353
+ type: "mdl";
354
+ issuer: string;
355
+ credentialType?: string | undefined;
356
+ }, {
357
+ type: "mdl";
358
+ issuer: string;
359
+ credentialType?: string | undefined;
360
+ }>, z.ZodObject<{
361
+ type: z.ZodLiteral<"idv">;
362
+ provider: z.ZodString;
363
+ verificationLevel: z.ZodOptional<z.ZodEnum<["basic", "enhanced", "loa3"]>>;
364
+ }, "strip", z.ZodTypeAny, {
365
+ type: "idv";
366
+ provider: string;
367
+ verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
368
+ }, {
369
+ type: "idv";
370
+ provider: string;
371
+ verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
372
+ }>, z.ZodObject<{
373
+ type: z.ZodLiteral<"credential">;
374
+ credentialType: z.ZodString;
375
+ issuer: z.ZodOptional<z.ZodString>;
376
+ }, "strip", z.ZodTypeAny, {
377
+ type: "credential";
378
+ credentialType: string;
379
+ issuer?: string | undefined;
380
+ }, {
381
+ type: "credential";
382
+ credentialType: string;
383
+ issuer?: string | undefined;
384
+ }>, z.ZodObject<{
385
+ type: z.ZodLiteral<"none">;
386
+ }, "strip", z.ZodTypeAny, {
387
+ type: "none";
388
+ }, {
389
+ type: "none";
390
+ }>]>>;
117
391
  }, "strip", z.ZodTypeAny, {
118
- requiresDelegation: boolean;
119
392
  requiredScopes: string[];
393
+ requiresDelegation: boolean;
120
394
  riskLevel?: "low" | "medium" | "high" | "critical" | undefined;
395
+ oauthProvider?: string | undefined;
396
+ authorization?: {
397
+ type: "oauth";
398
+ provider: string;
399
+ requiredScopes?: string[] | undefined;
400
+ } | {
401
+ type: "mdl";
402
+ issuer: string;
403
+ credentialType?: string | undefined;
404
+ } | {
405
+ type: "idv";
406
+ provider: string;
407
+ verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
408
+ } | {
409
+ type: "credential";
410
+ credentialType: string;
411
+ issuer?: string | undefined;
412
+ } | {
413
+ type: "none";
414
+ } | undefined;
121
415
  }, {
122
- requiresDelegation: boolean;
123
416
  requiredScopes: string[];
417
+ requiresDelegation: boolean;
124
418
  riskLevel?: "low" | "medium" | "high" | "critical" | undefined;
419
+ oauthProvider?: string | undefined;
420
+ authorization?: {
421
+ type: "oauth";
422
+ provider: string;
423
+ requiredScopes?: string[] | undefined;
424
+ } | {
425
+ type: "mdl";
426
+ issuer: string;
427
+ credentialType?: string | undefined;
428
+ } | {
429
+ type: "idv";
430
+ provider: string;
431
+ verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
432
+ } | {
433
+ type: "credential";
434
+ credentialType: string;
435
+ issuer?: string | undefined;
436
+ } | {
437
+ type: "none";
438
+ } | undefined;
125
439
  }>>;
126
440
  export declare const ToolProtectionResponseSchema: z.ZodObject<{
127
441
  toolProtections: z.ZodRecord<z.ZodString, z.ZodObject<{
128
442
  requiresDelegation: z.ZodBoolean;
129
443
  requiredScopes: z.ZodArray<z.ZodString, "many">;
130
444
  riskLevel: z.ZodOptional<z.ZodEnum<["low", "medium", "high", "critical"]>>;
445
+ oauthProvider: z.ZodOptional<z.ZodString>;
446
+ authorization: z.ZodOptional<z.ZodDiscriminatedUnion<"type", [z.ZodObject<{
447
+ type: z.ZodLiteral<"oauth">;
448
+ provider: z.ZodString;
449
+ requiredScopes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
450
+ }, "strip", z.ZodTypeAny, {
451
+ type: "oauth";
452
+ provider: string;
453
+ requiredScopes?: string[] | undefined;
454
+ }, {
455
+ type: "oauth";
456
+ provider: string;
457
+ requiredScopes?: string[] | undefined;
458
+ }>, z.ZodObject<{
459
+ type: z.ZodLiteral<"mdl">;
460
+ issuer: z.ZodString;
461
+ credentialType: z.ZodOptional<z.ZodString>;
462
+ }, "strip", z.ZodTypeAny, {
463
+ type: "mdl";
464
+ issuer: string;
465
+ credentialType?: string | undefined;
466
+ }, {
467
+ type: "mdl";
468
+ issuer: string;
469
+ credentialType?: string | undefined;
470
+ }>, z.ZodObject<{
471
+ type: z.ZodLiteral<"idv">;
472
+ provider: z.ZodString;
473
+ verificationLevel: z.ZodOptional<z.ZodEnum<["basic", "enhanced", "loa3"]>>;
474
+ }, "strip", z.ZodTypeAny, {
475
+ type: "idv";
476
+ provider: string;
477
+ verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
478
+ }, {
479
+ type: "idv";
480
+ provider: string;
481
+ verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
482
+ }>, z.ZodObject<{
483
+ type: z.ZodLiteral<"credential">;
484
+ credentialType: z.ZodString;
485
+ issuer: z.ZodOptional<z.ZodString>;
486
+ }, "strip", z.ZodTypeAny, {
487
+ type: "credential";
488
+ credentialType: string;
489
+ issuer?: string | undefined;
490
+ }, {
491
+ type: "credential";
492
+ credentialType: string;
493
+ issuer?: string | undefined;
494
+ }>, z.ZodObject<{
495
+ type: z.ZodLiteral<"none">;
496
+ }, "strip", z.ZodTypeAny, {
497
+ type: "none";
498
+ }, {
499
+ type: "none";
500
+ }>]>>;
131
501
  }, "strip", z.ZodTypeAny, {
132
- requiresDelegation: boolean;
133
502
  requiredScopes: string[];
503
+ requiresDelegation: boolean;
134
504
  riskLevel?: "low" | "medium" | "high" | "critical" | undefined;
505
+ oauthProvider?: string | undefined;
506
+ authorization?: {
507
+ type: "oauth";
508
+ provider: string;
509
+ requiredScopes?: string[] | undefined;
510
+ } | {
511
+ type: "mdl";
512
+ issuer: string;
513
+ credentialType?: string | undefined;
514
+ } | {
515
+ type: "idv";
516
+ provider: string;
517
+ verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
518
+ } | {
519
+ type: "credential";
520
+ credentialType: string;
521
+ issuer?: string | undefined;
522
+ } | {
523
+ type: "none";
524
+ } | undefined;
135
525
  }, {
136
- requiresDelegation: boolean;
137
526
  requiredScopes: string[];
527
+ requiresDelegation: boolean;
138
528
  riskLevel?: "low" | "medium" | "high" | "critical" | undefined;
529
+ oauthProvider?: string | undefined;
530
+ authorization?: {
531
+ type: "oauth";
532
+ provider: string;
533
+ requiredScopes?: string[] | undefined;
534
+ } | {
535
+ type: "mdl";
536
+ issuer: string;
537
+ credentialType?: string | undefined;
538
+ } | {
539
+ type: "idv";
540
+ provider: string;
541
+ verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
542
+ } | {
543
+ type: "credential";
544
+ credentialType: string;
545
+ issuer?: string | undefined;
546
+ } | {
547
+ type: "none";
548
+ } | undefined;
139
549
  }>>;
140
550
  metadata: z.ZodOptional<z.ZodObject<{
141
551
  lastUpdated: z.ZodOptional<z.ZodString>;
142
552
  version: z.ZodOptional<z.ZodString>;
143
553
  source: z.ZodOptional<z.ZodString>;
144
554
  }, "strip", z.ZodTypeAny, {
145
- version?: string | undefined;
146
555
  lastUpdated?: string | undefined;
556
+ version?: string | undefined;
147
557
  source?: string | undefined;
148
558
  }, {
149
- version?: string | undefined;
150
559
  lastUpdated?: string | undefined;
560
+ version?: string | undefined;
151
561
  source?: string | undefined;
152
562
  }>>;
153
563
  }, "strip", z.ZodTypeAny, {
154
564
  toolProtections: Record<string, {
155
- requiresDelegation: boolean;
156
565
  requiredScopes: string[];
566
+ requiresDelegation: boolean;
157
567
  riskLevel?: "low" | "medium" | "high" | "critical" | undefined;
568
+ oauthProvider?: string | undefined;
569
+ authorization?: {
570
+ type: "oauth";
571
+ provider: string;
572
+ requiredScopes?: string[] | undefined;
573
+ } | {
574
+ type: "mdl";
575
+ issuer: string;
576
+ credentialType?: string | undefined;
577
+ } | {
578
+ type: "idv";
579
+ provider: string;
580
+ verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
581
+ } | {
582
+ type: "credential";
583
+ credentialType: string;
584
+ issuer?: string | undefined;
585
+ } | {
586
+ type: "none";
587
+ } | undefined;
158
588
  }>;
159
589
  metadata?: {
160
- version?: string | undefined;
161
590
  lastUpdated?: string | undefined;
591
+ version?: string | undefined;
162
592
  source?: string | undefined;
163
593
  } | undefined;
164
594
  }, {
165
595
  toolProtections: Record<string, {
166
- requiresDelegation: boolean;
167
596
  requiredScopes: string[];
597
+ requiresDelegation: boolean;
168
598
  riskLevel?: "low" | "medium" | "high" | "critical" | undefined;
599
+ oauthProvider?: string | undefined;
600
+ authorization?: {
601
+ type: "oauth";
602
+ provider: string;
603
+ requiredScopes?: string[] | undefined;
604
+ } | {
605
+ type: "mdl";
606
+ issuer: string;
607
+ credentialType?: string | undefined;
608
+ } | {
609
+ type: "idv";
610
+ provider: string;
611
+ verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
612
+ } | {
613
+ type: "credential";
614
+ credentialType: string;
615
+ issuer?: string | undefined;
616
+ } | {
617
+ type: "none";
618
+ } | undefined;
169
619
  }>;
170
620
  metadata?: {
171
- version?: string | undefined;
172
621
  lastUpdated?: string | undefined;
622
+ version?: string | undefined;
173
623
  source?: string | undefined;
174
624
  } | undefined;
175
625
  }>;
@@ -182,15 +632,15 @@ export declare const DelegationRequiredErrorDataSchema: z.ZodObject<{
182
632
  }, "strip", z.ZodTypeAny, {
183
633
  requiredScopes: string[];
184
634
  toolName: string;
185
- reason?: string | undefined;
186
635
  consentUrl?: string | undefined;
187
636
  authorizationUrl?: string | undefined;
637
+ reason?: string | undefined;
188
638
  }, {
189
639
  requiredScopes: string[];
190
640
  toolName: string;
191
- reason?: string | undefined;
192
641
  consentUrl?: string | undefined;
193
642
  authorizationUrl?: string | undefined;
643
+ reason?: string | undefined;
194
644
  }>;
195
645
  /**
196
646
  * Type Guards
@@ -199,6 +649,18 @@ export declare function isToolProtection(obj: any): obj is ToolProtection;
199
649
  export declare function isToolProtectionMap(obj: any): obj is ToolProtectionMap;
200
650
  export declare function isToolProtectionResponse(obj: any): obj is ToolProtectionResponse;
201
651
  export declare function isDelegationRequiredErrorData(obj: any): obj is DelegationRequiredErrorData;
652
+ /**
653
+ * Type guard to check if an object is a valid AuthorizationRequirement
654
+ */
655
+ export declare function isAuthorizationRequirement(obj: unknown): obj is AuthorizationRequirement;
656
+ /**
657
+ * Type guard to check if a ToolProtection has OAuth authorization
658
+ */
659
+ export declare function hasOAuthAuthorization(protection: ToolProtection): protection is ToolProtection & {
660
+ authorization: {
661
+ type: 'oauth';
662
+ };
663
+ };
202
664
  /**
203
665
  * Validation Functions
204
666
  */
@@ -225,3 +687,17 @@ export declare function getToolRiskLevel(toolName: string, protections: ToolProt
225
687
  * Create a delegation required error
226
688
  */
227
689
  export declare function createDelegationRequiredError(toolName: string, requiredScopes: string[], consentUrl?: string): DelegationRequiredErrorData;
690
+ /**
691
+ * Normalize tool protection configuration
692
+ * Migrates legacy oauthProvider field to authorization object
693
+ *
694
+ * - Migrates `oauthProvider` → `authorization: { type: 'oauth', provider: ... }`
695
+ * - Ensures `authorization` field is present when `requiresDelegation=true`
696
+ * - Returns fully normalized ToolProtection object
697
+ *
698
+ * @param raw - Raw tool protection data (may have legacy fields or be partial)
699
+ * @returns Normalized ToolProtection object
700
+ *
701
+ * // TODO: Remove normalizeToolProtection() when all tools migrated (target: Phase 3)
702
+ */
703
+ export declare function normalizeToolProtection(raw: ToolProtection | PartialToolProtection): ToolProtection;
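Review bot: The comment on `ToolProtection.authorization` says authorization must be specified when `requiresDelegation=true`, but `ToolProtectionSchema` is declared as a plain `z.ZodObject` with `authorization` and `oauthProvider` both `z.ZodOptional` and no refinement wrapper, so a record with `requiresDelegation: true` and neither field appears to validate; the same shape is repeated in `ToolProtectionMapSchema` and `ToolProtectionResponseSchema`. This file is generated output, so the check belongs in `package/src/tool-protection/index.ts`, for example `.refine(p => !p.requiresDelegation || p.authorization !== undefined || p.oauthProvider !== undefined, { message: 'authorization is required when requiresDelegation is true' })`. That changes the exported schema type to `z.ZodEffects`, so a separate validating function may be preferable if callers rely on `.extend`. The comment should also state whether `{ type: 'none' }` is acceptable together with `requiresDelegation: true`. The doc on `normalizeToolProtection` does not say what is returned when a partial input omits `requiresDelegation`, or sets it to true with no `authorization` and no `oauthProvider`; its implementation is not visible here, so confirm it rejects that input rather than defaulting to an unprotected value, and document it with something like `@throws when requiresDelegation is true and no authorization can be derived`.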