@kya-os/contracts 1.5.4-canary.3 → 1.6.0

package/dist/tool-protection/index.js

@@ -9,11 +9,13 @@
  * @module @kya-os/contracts/tool-protection
  */
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.DelegationRequiredErrorDataSchema = exports.ToolProtectionResponseSchema = exports.ToolProtectionMapSchema = exports.ToolProtectionSchema = void 0;
+exports.DelegationRequiredErrorDataSchema = exports.ToolProtectionResponseSchema = exports.ToolProtectionMapSchema = exports.ToolProtectionSchema = exports.AuthorizationRequirementSchema = void 0;
 exports.isToolProtection = isToolProtection;
 exports.isToolProtectionMap = isToolProtectionMap;
 exports.isToolProtectionResponse = isToolProtectionResponse;
 exports.isDelegationRequiredErrorData = isDelegationRequiredErrorData;
+exports.isAuthorizationRequirement = isAuthorizationRequirement;
+exports.hasOAuthAuthorization = hasOAuthAuthorization;
 exports.validateToolProtection = validateToolProtection;
 exports.validateToolProtectionMap = validateToolProtectionMap;
 exports.validateToolProtectionResponse = validateToolProtectionResponse;
@@ -22,14 +24,42 @@ exports.toolRequiresDelegation = toolRequiresDelegation;
 exports.getToolRequiredScopes = getToolRequiredScopes;
 exports.getToolRiskLevel = getToolRiskLevel;
 exports.createDelegationRequiredError = createDelegationRequiredError;
+exports.normalizeToolProtection = normalizeToolProtection;
 const zod_1 = require("zod");
 /**
  * Zod Schemas for Validation
  */
+exports.AuthorizationRequirementSchema = zod_1.z.discriminatedUnion('type', [
+    zod_1.z.object({
+        type: zod_1.z.literal('oauth'),
+        provider: zod_1.z.string(),
+        requiredScopes: zod_1.z.array(zod_1.z.string()).optional(),
+    }),
+    zod_1.z.object({
+        type: zod_1.z.literal('mdl'),
+        issuer: zod_1.z.string(),
+        credentialType: zod_1.z.string().optional(),
+    }),
+    zod_1.z.object({
+        type: zod_1.z.literal('idv'),
+        provider: zod_1.z.string(),
+        verificationLevel: zod_1.z.enum(['basic', 'enhanced', 'loa3']).optional(),
+    }),
+    zod_1.z.object({
+        type: zod_1.z.literal('credential'),
+        credentialType: zod_1.z.string(),
+        issuer: zod_1.z.string().optional(),
+    }),
+    zod_1.z.object({
+        type: zod_1.z.literal('none'),
+    }),
+]);
 exports.ToolProtectionSchema = zod_1.z.object({
     requiresDelegation: zod_1.z.boolean(),
     requiredScopes: zod_1.z.array(zod_1.z.string()),
-    riskLevel: zod_1.z.enum(['low', 'medium', 'high', 'critical']).optional()
+    riskLevel: zod_1.z.enum(['low', 'medium', 'high', 'critical']).optional(),
+    oauthProvider: zod_1.z.string().optional(), // Phase 2: Tool-specific OAuth provider
+    authorization: exports.AuthorizationRequirementSchema.optional(),
 });
 exports.ToolProtectionMapSchema = zod_1.z.record(zod_1.z.string(), exports.ToolProtectionSchema);
 exports.ToolProtectionResponseSchema = zod_1.z.object({
@@ -62,6 +92,18 @@ function isToolProtectionResponse(obj) {
 function isDelegationRequiredErrorData(obj) {
     return exports.DelegationRequiredErrorDataSchema.safeParse(obj).success;
 }
+/**
+ * Type guard to check if an object is a valid AuthorizationRequirement
+ */
+function isAuthorizationRequirement(obj) {
+    return exports.AuthorizationRequirementSchema.safeParse(obj).success;
+}
+/**
+ * Type guard to check if a ToolProtection has OAuth authorization
+ */
+function hasOAuthAuthorization(protection) {
+    return protection.authorization?.type === 'oauth';
+}
 /**
  * Validation Functions
  */
@@ -111,3 +153,48 @@ function createDelegationRequiredError(toolName, requiredScopes, consentUrl) {
         authorizationUrl: consentUrl // Include both for compatibility
     };
 }
+/**
+ * Normalize tool protection configuration
+ * Migrates legacy oauthProvider field to authorization object
+ *
+ * - Migrates `oauthProvider` → `authorization: { type: 'oauth', provider: ... }`
+ * - Ensures `authorization` field is present when `requiresDelegation=true`
+ * - Returns fully normalized ToolProtection object
+ *
+ * @param raw - Raw tool protection data (may have legacy fields or be partial)
+ * @returns Normalized ToolProtection object
+ *
+ * // TODO: Remove normalizeToolProtection() when all tools migrated (target: Phase 3)
+ */
+function normalizeToolProtection(raw) {
+    // Ensure we have required fields (provide defaults for partial input)
+    const normalized = {
+        requiresDelegation: raw.requiresDelegation ?? false,
+        requiredScopes: raw.requiredScopes ?? [],
+        ...(raw.riskLevel && { riskLevel: raw.riskLevel }),
+        ...(raw.oauthProvider && { oauthProvider: raw.oauthProvider }),
+    };
+    // If authorization is already present, use it
+    if (raw.authorization) {
+        normalized.authorization = raw.authorization;
+        return normalized;
+    }
+    // Migrate oauthProvider to authorization
+    if (raw.oauthProvider) {
+        normalized.authorization = {
+            type: 'oauth',
+            provider: raw.oauthProvider,
+        };
+        // Keep oauthProvider for backward compatibility until Phase 3
+        return normalized;
+    }
+    // Default for requiresDelegation=true without specific auth: type='none' (consent only)
+    // But ONLY if authorization is missing entirely
+    if (normalized.requiresDelegation && !normalized.authorization && !normalized.oauthProvider) {
+        // We don't automatically set type='none' here to allow
+        // ProviderResolver to do its scope inference fallback logic.
+        // The fallback logic will eventually be moved into an AuthorizationService.
+        return normalized;
+    }
+    return normalized;
+}

package/dist/verifier/index.d.ts

@@ -0,0 +1 @@
+export * from "../verifier";

package/dist/verifier/index.js

@@ -0,0 +1,18 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+// Re-export everything from the main verifier file
+__exportStar(require("../verifier"), exports);

package/dist/well-known/index.d.ts

@@ -209,12 +209,12 @@ export declare const AgentDocumentSchema: z.ZodObject<{
         description?: string | undefined;
     }>>;
 }, "strip", z.ZodTypeAny, {
-    id: string;
     capabilities: {
         'mcp-i': ("handshake" | "signing" | "verification" | "delegation" | "proof-generation")[];
     } & {
         [k: string]: string[];
     };
+    id: string;
     metadata?: {
         version?: string | undefined;
         name?: string | undefined;
@@ -222,12 +222,12 @@ export declare const AgentDocumentSchema: z.ZodObject<{
         description?: string | undefined;
     } | undefined;
 }, {
-    id: string;
     capabilities: {
         'mcp-i': ("handshake" | "signing" | "verification" | "delegation" | "proof-generation")[];
     } & {
         [k: string]: string[];
     };
+    id: string;
     metadata?: {
         version?: string | undefined;
         name?: string | undefined;

package/package.json

@@ -1,156 +1,99 @@
 {
   "name": "@kya-os/contracts",
-  "version": "1.5.4-canary.3",
-  "description": "Shared types and schemas for XMCP-I ecosystem",
-  "type": "commonjs",
-  "sideEffects": false,
-  "main": "./dist/index.js",
-  "types": "./dist/index.d.ts",
+  "version": "1.6.0",
+  "description": "Shared contracts, types, and schemas for MCP-I framework",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
   "exports": {
     ".": {
       "types": "./dist/index.d.ts",
-      "import": "./dist/index.js",
-      "require": "./dist/index.js"
-    },
-    "./handshake": {
-      "types": "./dist/handshake.d.ts",
-      "import": "./dist/handshake.js",
-      "require": "./dist/handshake.js"
-    },
-    "./proof": {
-      "types": "./dist/proof/index.d.ts",
-      "import": "./dist/proof/index.js",
-      "require": "./dist/proof/index.js"
-    },
-    "./verifier": {
-      "types": "./dist/verifier.d.ts",
-      "import": "./dist/verifier.js",
-      "require": "./dist/verifier.js"
-    },
-    "./registry": {
-      "types": "./dist/registry.d.ts",
-      "import": "./dist/registry.js",
-      "require": "./dist/registry.js"
-    },
-    "./cli": {
-      "types": "./dist/cli.d.ts",
-      "import": "./dist/cli.js",
-      "require": "./dist/cli.js"
+      "default": "./dist/index.js"
     },
-    "./test": {
-      "types": "./dist/test.d.ts",
-      "import": "./dist/test.js",
-      "require": "./dist/test.js"
-    },
-    "./did": {
-      "types": "./dist/did/index.d.ts",
-      "import": "./dist/did/index.js",
-      "require": "./dist/did/index.js"
-    },
-    "./vc": {
-      "types": "./dist/vc/index.d.ts",
-      "import": "./dist/vc/index.js",
-      "require": "./dist/vc/index.js"
+    "./consent": {
+      "types": "./dist/consent/index.d.ts",
+      "default": "./dist/consent/index.js"
     },
     "./delegation": {
       "types": "./dist/delegation/index.d.ts",
-      "import": "./dist/delegation/index.js",
-      "require": "./dist/delegation/index.js"
+      "default": "./dist/delegation/index.js"
+    },
+    "./agentshield-api": {
+      "types": "./dist/agentshield-api/index.d.ts",
+      "default": "./dist/agentshield-api/index.js"
     },
     "./runtime": {
       "types": "./dist/runtime/index.d.ts",
-      "import": "./dist/runtime/index.js",
-      "require": "./dist/runtime/index.js"
-    },
-    "./tlkrc": {
-      "types": "./dist/tlkrc/index.d.ts",
-      "import": "./dist/tlkrc/index.js",
-      "require": "./dist/tlkrc/index.js"
+      "default": "./dist/runtime/index.js"
     },
-    "./env": {
-      "types": "./dist/env/index.d.ts",
-      "import": "./dist/env/index.js",
-      "require": "./dist/env/index.js"
-    },
-    "./agentshield-api": {
-      "types": "./dist/agentshield-api/index.d.ts",
-      "import": "./dist/agentshield-api/index.js",
-      "require": "./dist/agentshield-api/index.js"
+    "./proof": {
+      "types": "./dist/proof/index.d.ts",
+      "default": "./dist/proof/index.js"
     },
     "./tool-protection": {
       "types": "./dist/tool-protection/index.d.ts",
-      "import": "./dist/tool-protection/index.js",
-      "require": "./dist/tool-protection/index.js"
+      "default": "./dist/tool-protection/index.js"
+    },
+    "./config": {
+      "types": "./dist/config/index.d.ts",
+      "default": "./dist/config/index.js"
+    },
+    "./audit": {
+      "types": "./dist/audit/index.d.ts",
+      "default": "./dist/audit/index.js"
+    },
+    "./verifier": {
+      "types": "./dist/verifier/index.d.ts",
+      "default": "./dist/verifier/index.js"
+    },
+    "./handshake": {
+      "types": "./dist/handshake.d.ts",
+      "default": "./dist/handshake.js"
     },
     "./well-known": {
       "types": "./dist/well-known/index.d.ts",
-      "import": "./dist/well-known/index.js",
-      "require": "./dist/well-known/index.js"
+      "default": "./dist/well-known/index.js"
     },
-    "./config": {
-      "types": "./dist/config/index.d.ts",
-      "import": "./dist/config/index.js",
-      "require": "./dist/config/index.js"
+    "./cli": {
+      "types": "./dist/cli.d.ts",
+      "default": "./dist/cli.js"
     },
-    "./dashboard-config": {
-      "types": "./dist/dashboard-config/index.d.ts",
-      "import": "./dist/dashboard-config/index.js",
-      "require": "./dist/dashboard-config/index.js"
+    "./test": {
+      "types": "./dist/test.d.ts",
+      "default": "./dist/test.js"
     },
-    "./consent": {
-      "types": "./dist/consent/index.d.ts",
-      "import": "./dist/consent/index.js",
-      "require": "./dist/consent/index.js"
+    "./registry": {
+      "types": "./dist/registry.d.ts",
+      "default": "./dist/registry.js"
     }
   },
-  "files": [
-    "dist/**/*.js",
-    "dist/**/*.d.ts",
-    "!dist/**/*.map",
-    "!dist/**/__tests__/**",
-    "!dist/**/__fixtures__/**",
-    "!dist/**/*.spec.*",
-    "!dist/**/*.test.*",
-    "!README.md",
-    "!*.md",
-    "!CHANGELOG.md"
-  ],
   "scripts": {
     "build": "tsc -p tsconfig.build.json && npm run emit-schemas",
     "emit-schemas": "node scripts/emit-schemas.js",
-    "clean": "rm -rf dist && rm -f *.tsbuildinfo",
-    "dev": "tsc -p tsconfig.build.json --watch",
-    "type-check": "tsc --noEmit",
     "test": "vitest run",
-    "test:watch": "vitest",
     "test:coverage": "vitest run --coverage",
-    "prepublishOnly": "npm run build && node ../create-mcpi-app/scripts/validate-dependencies.js"
+    "test:watch": "vitest",
+    "lint": "eslint .",
+    "format": "prettier --write \"src/**/*.{ts,tsx}\"",
+    "clean": "rm -rf dist .turbo node_modules",
+    "prepublishOnly": "npm run build && node ../create-mcpi-app/scripts/validate-no-workspace.js"
+  },
+  "sideEffects": false,
+  "dependencies": {
+    "zod": "^3.23.8"
   },
   "devDependencies": {
-    "@types/node": "^20.0.0",
+    "@types/node": "^20.14.9",
     "@vitest/coverage-v8": "^4.0.5",
-    "ajv": "^8.12.0",
-    "ajv-formats": "^2.1.1",
-    "fast-check": "^3.15.0",
-    "typescript": "^5.0.0",
-    "vitest": "^4.0.5",
-    "zod-to-json-schema": "^3.22.0"
+    "eslint": "^8.57.0",
+    "typescript": "^5.5.3",
+    "vitest": "^4.0.5"
   },
-  "dependencies": {
-    "zod": "^3.22.0"
-  },
-  "keywords": [
-    "xmcp",
-    "mcp",
-    "identity",
-    "types",
-    "contracts"
+  "files": [
+    "dist",
+    "package.json",
+    "README.md"
   ],
-  "author": "KYA OS",
-  "license": "MIT",
-  "repository": {
-    "type": "git",
-    "url": "https://github.com/kya-os/xmcp-i.git",
-    "directory": "packages/contracts"
+  "publishConfig": {
+    "access": "public"
   }
 }