@kya-os/contracts 1.6.1 → 1.6.2-canary.0

package/dist/tool-protection/index.js

@@ -9,13 +9,11 @@
  * @module @kya-os/contracts/tool-protection
  */
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.DelegationRequiredErrorDataSchema = exports.ToolProtectionResponseSchema = exports.ToolProtectionMapSchema = exports.ToolProtectionSchema = exports.AuthorizationRequirementSchema = void 0;
+exports.DelegationRequiredErrorDataSchema = exports.ToolProtectionResponseSchema = exports.ToolProtectionMapSchema = exports.ToolProtectionSchema = void 0;
 exports.isToolProtection = isToolProtection;
 exports.isToolProtectionMap = isToolProtectionMap;
 exports.isToolProtectionResponse = isToolProtectionResponse;
 exports.isDelegationRequiredErrorData = isDelegationRequiredErrorData;
-exports.isAuthorizationRequirement = isAuthorizationRequirement;
-exports.hasOAuthAuthorization = hasOAuthAuthorization;
 exports.validateToolProtection = validateToolProtection;
 exports.validateToolProtectionMap = validateToolProtectionMap;
 exports.validateToolProtectionResponse = validateToolProtectionResponse;
@@ -24,42 +22,14 @@ exports.toolRequiresDelegation = toolRequiresDelegation;
 exports.getToolRequiredScopes = getToolRequiredScopes;
 exports.getToolRiskLevel = getToolRiskLevel;
 exports.createDelegationRequiredError = createDelegationRequiredError;
-exports.normalizeToolProtection = normalizeToolProtection;
 const zod_1 = require("zod");
 /**
  * Zod Schemas for Validation
  */
-exports.AuthorizationRequirementSchema = zod_1.z.discriminatedUnion('type', [
-    zod_1.z.object({
-        type: zod_1.z.literal('oauth'),
-        provider: zod_1.z.string(),
-        requiredScopes: zod_1.z.array(zod_1.z.string()).optional(),
-    }),
-    zod_1.z.object({
-        type: zod_1.z.literal('mdl'),
-        issuer: zod_1.z.string(),
-        credentialType: zod_1.z.string().optional(),
-    }),
-    zod_1.z.object({
-        type: zod_1.z.literal('idv'),
-        provider: zod_1.z.string(),
-        verificationLevel: zod_1.z.enum(['basic', 'enhanced', 'loa3']).optional(),
-    }),
-    zod_1.z.object({
-        type: zod_1.z.literal('credential'),
-        credentialType: zod_1.z.string(),
-        issuer: zod_1.z.string().optional(),
-    }),
-    zod_1.z.object({
-        type: zod_1.z.literal('none'),
-    }),
-]);
 exports.ToolProtectionSchema = zod_1.z.object({
     requiresDelegation: zod_1.z.boolean(),
     requiredScopes: zod_1.z.array(zod_1.z.string()),
-    riskLevel: zod_1.z.enum(['low', 'medium', 'high', 'critical']).optional(),
-    oauthProvider: zod_1.z.string().optional(), // Phase 2: Tool-specific OAuth provider
-    authorization: exports.AuthorizationRequirementSchema.optional(),
+    riskLevel: zod_1.z.enum(['low', 'medium', 'high', 'critical']).optional()
 });
 exports.ToolProtectionMapSchema = zod_1.z.record(zod_1.z.string(), exports.ToolProtectionSchema);
 exports.ToolProtectionResponseSchema = zod_1.z.object({
@@ -92,18 +62,6 @@ function isToolProtectionResponse(obj) {
 function isDelegationRequiredErrorData(obj) {
     return exports.DelegationRequiredErrorDataSchema.safeParse(obj).success;
 }
-/**
- * Type guard to check if an object is a valid AuthorizationRequirement
- */
-function isAuthorizationRequirement(obj) {
-    return exports.AuthorizationRequirementSchema.safeParse(obj).success;
-}
-/**
- * Type guard to check if a ToolProtection has OAuth authorization
- */
-function hasOAuthAuthorization(protection) {
-    return protection.authorization?.type === 'oauth';
-}
 /**
  * Validation Functions
  */
@@ -153,48 +111,3 @@ function createDelegationRequiredError(toolName, requiredScopes, consentUrl) {
         authorizationUrl: consentUrl // Include both for compatibility
     };
 }
-/**
- * Normalize tool protection configuration
- * Migrates legacy oauthProvider field to authorization object
- *
- * - Migrates `oauthProvider` → `authorization: { type: 'oauth', provider: ... }`
- * - Ensures `authorization` field is present when `requiresDelegation=true`
- * - Returns fully normalized ToolProtection object
- *
- * @param raw - Raw tool protection data (may have legacy fields or be partial)
- * @returns Normalized ToolProtection object
- *
- * // TODO: Remove normalizeToolProtection() when all tools migrated (target: Phase 3)
- */
-function normalizeToolProtection(raw) {
-    // Ensure we have required fields (provide defaults for partial input)
-    const normalized = {
-        requiresDelegation: raw.requiresDelegation ?? false,
-        requiredScopes: raw.requiredScopes ?? [],
-        ...(raw.riskLevel && { riskLevel: raw.riskLevel }),
-        ...(raw.oauthProvider && { oauthProvider: raw.oauthProvider }),
-    };
-    // If authorization is already present, use it
-    if (raw.authorization) {
-        normalized.authorization = raw.authorization;
-        return normalized;
-    }
-    // Migrate oauthProvider to authorization
-    if (raw.oauthProvider) {
-        normalized.authorization = {
-            type: 'oauth',
-            provider: raw.oauthProvider,
-        };
-        // Keep oauthProvider for backward compatibility until Phase 3
-        return normalized;
-    }
-    // Default for requiresDelegation=true without specific auth: type='none' (consent only)
-    // But ONLY if authorization is missing entirely
-    if (normalized.requiresDelegation && !normalized.authorization && !normalized.oauthProvider) {
-        // We don't automatically set type='none' here to allow
-        // ProviderResolver to do its scope inference fallback logic.
-        // The fallback logic will eventually be moved into an AuthorizationService.
-        return normalized;
-    }
-    return normalized;
-}

package/package.json

@@ -1,99 +1,156 @@
 {
   "name": "@kya-os/contracts",
-  "version": "1.6.1",
-  "description": "Shared contracts, types, and schemas for MCP-I framework",
-  "main": "dist/index.js",
-  "types": "dist/index.d.ts",
+  "version": "1.6.2-canary.0",
+  "description": "Shared types and schemas for XMCP-I ecosystem",
+  "type": "commonjs",
+  "sideEffects": false,
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
   "exports": {
     ".": {
       "types": "./dist/index.d.ts",
-      "default": "./dist/index.js"
+      "import": "./dist/index.js",
+      "require": "./dist/index.js"
     },
-    "./consent": {
-      "types": "./dist/consent/index.d.ts",
-      "default": "./dist/consent/index.js"
+    "./handshake": {
+      "types": "./dist/handshake.d.ts",
+      "import": "./dist/handshake.js",
+      "require": "./dist/handshake.js"
+    },
+    "./proof": {
+      "types": "./dist/proof/index.d.ts",
+      "import": "./dist/proof/index.js",
+      "require": "./dist/proof/index.js"
+    },
+    "./verifier": {
+      "types": "./dist/verifier.d.ts",
+      "import": "./dist/verifier.js",
+      "require": "./dist/verifier.js"
+    },
+    "./registry": {
+      "types": "./dist/registry.d.ts",
+      "import": "./dist/registry.js",
+      "require": "./dist/registry.js"
+    },
+    "./cli": {
+      "types": "./dist/cli.d.ts",
+      "import": "./dist/cli.js",
+      "require": "./dist/cli.js"
+    },
+    "./test": {
+      "types": "./dist/test.d.ts",
+      "import": "./dist/test.js",
+      "require": "./dist/test.js"
+    },
+    "./did": {
+      "types": "./dist/did/index.d.ts",
+      "import": "./dist/did/index.js",
+      "require": "./dist/did/index.js"
+    },
+    "./vc": {
+      "types": "./dist/vc/index.d.ts",
+      "import": "./dist/vc/index.js",
+      "require": "./dist/vc/index.js"
     },
     "./delegation": {
       "types": "./dist/delegation/index.d.ts",
-      "default": "./dist/delegation/index.js"
-    },
-    "./agentshield-api": {
-      "types": "./dist/agentshield-api/index.d.ts",
-      "default": "./dist/agentshield-api/index.js"
+      "import": "./dist/delegation/index.js",
+      "require": "./dist/delegation/index.js"
     },
     "./runtime": {
       "types": "./dist/runtime/index.d.ts",
-      "default": "./dist/runtime/index.js"
+      "import": "./dist/runtime/index.js",
+      "require": "./dist/runtime/index.js"
     },
-    "./proof": {
-      "types": "./dist/proof/index.d.ts",
-      "default": "./dist/proof/index.js"
+    "./tlkrc": {
+      "types": "./dist/tlkrc/index.d.ts",
+      "import": "./dist/tlkrc/index.js",
+      "require": "./dist/tlkrc/index.js"
     },
-    "./tool-protection": {
-      "types": "./dist/tool-protection/index.d.ts",
-      "default": "./dist/tool-protection/index.js"
+    "./env": {
+      "types": "./dist/env/index.d.ts",
+      "import": "./dist/env/index.js",
+      "require": "./dist/env/index.js"
     },
-    "./config": {
-      "types": "./dist/config/index.d.ts",
-      "default": "./dist/config/index.js"
-    },
-    "./audit": {
-      "types": "./dist/audit/index.d.ts",
-      "default": "./dist/audit/index.js"
-    },
-    "./verifier": {
-      "types": "./dist/verifier/index.d.ts",
-      "default": "./dist/verifier/index.js"
+    "./agentshield-api": {
+      "types": "./dist/agentshield-api/index.d.ts",
+      "import": "./dist/agentshield-api/index.js",
+      "require": "./dist/agentshield-api/index.js"
     },
-    "./handshake": {
-      "types": "./dist/handshake.d.ts",
-      "default": "./dist/handshake.js"
+    "./tool-protection": {
+      "types": "./dist/tool-protection/index.d.ts",
+      "import": "./dist/tool-protection/index.js",
+      "require": "./dist/tool-protection/index.js"
     },
     "./well-known": {
       "types": "./dist/well-known/index.d.ts",
-      "default": "./dist/well-known/index.js"
+      "import": "./dist/well-known/index.js",
+      "require": "./dist/well-known/index.js"
     },
-    "./cli": {
-      "types": "./dist/cli.d.ts",
-      "default": "./dist/cli.js"
+    "./config": {
+      "types": "./dist/config/index.d.ts",
+      "import": "./dist/config/index.js",
+      "require": "./dist/config/index.js"
     },
-    "./test": {
-      "types": "./dist/test.d.ts",
-      "default": "./dist/test.js"
+    "./dashboard-config": {
+      "types": "./dist/dashboard-config/index.d.ts",
+      "import": "./dist/dashboard-config/index.js",
+      "require": "./dist/dashboard-config/index.js"
     },
-    "./registry": {
-      "types": "./dist/registry.d.ts",
-      "default": "./dist/registry.js"
+    "./consent": {
+      "types": "./dist/consent/index.d.ts",
+      "import": "./dist/consent/index.js",
+      "require": "./dist/consent/index.js"
     }
   },
+  "files": [
+    "dist/**/*.js",
+    "dist/**/*.d.ts",
+    "!dist/**/*.map",
+    "!dist/**/__tests__/**",
+    "!dist/**/__fixtures__/**",
+    "!dist/**/*.spec.*",
+    "!dist/**/*.test.*",
+    "!README.md",
+    "!*.md",
+    "!CHANGELOG.md"
+  ],
   "scripts": {
     "build": "tsc -p tsconfig.build.json && npm run emit-schemas",
     "emit-schemas": "node scripts/emit-schemas.js",
+    "clean": "rm -rf dist && rm -f *.tsbuildinfo",
+    "dev": "tsc -p tsconfig.build.json --watch",
+    "type-check": "tsc --noEmit",
     "test": "vitest run",
-    "test:coverage": "vitest run --coverage",
     "test:watch": "vitest",
-    "lint": "eslint .",
-    "format": "prettier --write \"src/**/*.{ts,tsx}\"",
-    "clean": "rm -rf dist .turbo node_modules",
-    "prepublishOnly": "npm run build && node ../create-mcpi-app/scripts/validate-no-workspace.js"
-  },
-  "sideEffects": false,
-  "dependencies": {
-    "zod": "^3.23.8"
+    "test:coverage": "vitest run --coverage",
+    "prepublishOnly": "npm run build && node ../create-mcpi-app/scripts/validate-dependencies.js"
   },
   "devDependencies": {
-    "@types/node": "^20.14.9",
+    "@types/node": "^20.0.0",
     "@vitest/coverage-v8": "^4.0.5",
-    "eslint": "^8.57.0",
-    "typescript": "^5.5.3",
-    "vitest": "^4.0.5"
+    "ajv": "^8.12.0",
+    "ajv-formats": "^2.1.1",
+    "fast-check": "^3.15.0",
+    "typescript": "^5.0.0",
+    "vitest": "^4.0.5",
+    "zod-to-json-schema": "^3.22.0"
   },
-  "files": [
-    "dist",
-    "package.json",
-    "README.md"
+  "dependencies": {
+    "zod": "^3.22.0"
+  },
+  "keywords": [
+    "xmcp",
+    "mcp",
+    "identity",
+    "types",
+    "contracts"
   ],
-  "publishConfig": {
-    "access": "public"
+  "author": "KYA OS",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/kya-os/xmcp-i.git",
+    "directory": "packages/contracts"
   }
 }

package/dist/audit/index.d.ts

@@ -1,193 +0,0 @@
-/**
- * Audit Types and Schemas
- *
- * Types and Zod schemas for audit logging in the MCP-I framework.
- * These types are platform-agnostic and used across all implementations.
- */
-import { z } from "zod";
-import type { AgentIdentity } from "../config/identity.js";
-import type { SessionContext } from "../handshake.js";
-/**
- * Audit context schema for logging audit records
- *
- * Contains all metadata needed to generate an audit record.
- * Privacy Note: Only metadata is extracted from these objects.
- * The identity's private key, session's nonce, and other sensitive
- * fields are NEVER included in the audit log.
- */
-export declare const AuditContextSchema: z.ZodObject<{
-    /**
-     * Agent identity
-     * Only `did` and `keyId` are logged. Private key is NEVER logged.
-     */
-    identity: z.ZodObject<{
-        did: z.ZodString;
-        kid: z.ZodString;
-    }, "passthrough", z.ZodTypeAny, z.objectOutputType<{
-        did: z.ZodString;
-        kid: z.ZodString;
-    }, z.ZodTypeAny, "passthrough">, z.objectInputType<{
-        did: z.ZodString;
-        kid: z.ZodString;
-    }, z.ZodTypeAny, "passthrough">>;
-    /**
-     * Session context
-     * Only `sessionId` and `audience` are logged. Nonce is NEVER logged.
-     */
-    session: z.ZodObject<{
-        sessionId: z.ZodString;
-        audience: z.ZodString;
-    }, "passthrough", z.ZodTypeAny, z.objectOutputType<{
-        sessionId: z.ZodString;
-        audience: z.ZodString;
-    }, z.ZodTypeAny, "passthrough">, z.objectInputType<{
-        sessionId: z.ZodString;
-        audience: z.ZodString;
-    }, z.ZodTypeAny, "passthrough">>;
-    /**
-     * Request hash (SHA-256 with `sha256:` prefix)
-     */
-    requestHash: z.ZodString;
-    /**
-     * Response hash (SHA-256 with `sha256:` prefix)
-     */
-    responseHash: z.ZodString;
-    /**
-     * Verification result
-     * - 'yes': Proof was verified successfully
-     * - 'no': Proof verification failed
-     */
-    verified: z.ZodEnum<["yes", "no"]>;
-    /**
-     * Optional scope identifier
-     * Application-level scope (e.g., 'orders.create', 'users.read').
-     * If not provided, '-' is used in the audit log.
-     */
-    scopeId: z.ZodOptional<z.ZodString>;
-}, "strip", z.ZodTypeAny, {
-    requestHash: string;
-    responseHash: string;
-    session: {
-        audience: string;
-        sessionId: string;
-    } & {
-        [k: string]: unknown;
-    };
-    verified: "yes" | "no";
-    identity: {
-        did: string;
-        kid: string;
-    } & {
-        [k: string]: unknown;
-    };
-    scopeId?: string | undefined;
-}, {
-    requestHash: string;
-    responseHash: string;
-    session: {
-        audience: string;
-        sessionId: string;
-    } & {
-        [k: string]: unknown;
-    };
-    verified: "yes" | "no";
-    identity: {
-        did: string;
-        kid: string;
-    } & {
-        [k: string]: unknown;
-    };
-    scopeId?: string | undefined;
-}>;
-export type AuditContext = {
-    identity: AgentIdentity;
-    session: SessionContext;
-    requestHash: string;
-    responseHash: string;
-    verified: "yes" | "no";
-    scopeId?: string;
-};
-/**
- * Event context schema for logging events that bypass session deduplication
- *
- * Used for consent events where multiple events occur in the same session.
- * Unlike AuditContext, this allows multiple events per session.
- */
-export declare const AuditEventContextSchema: z.ZodObject<{
-    /**
-     * Event type identifier
-     * @example "consent:page_viewed", "consent:approved", "runtime:initialized"
-     */
-    eventType: z.ZodString;
-    /**
-     * Agent identity
-     * Only `did` and `keyId` are logged. Private key is NEVER logged.
-     */
-    identity: z.ZodObject<{
-        did: z.ZodString;
-        kid: z.ZodString;
-    }, "passthrough", z.ZodTypeAny, z.objectOutputType<{
-        did: z.ZodString;
-        kid: z.ZodString;
-    }, z.ZodTypeAny, "passthrough">, z.objectInputType<{
-        did: z.ZodString;
-        kid: z.ZodString;
-    }, z.ZodTypeAny, "passthrough">>;
-    /**
-     * Session context
-     * Only `sessionId` and `audience` are logged. Nonce is NEVER logged.
-     */
-    session: z.ZodObject<{
-        sessionId: z.ZodString;
-        audience: z.ZodString;
-    }, "passthrough", z.ZodTypeAny, z.objectOutputType<{
-        sessionId: z.ZodString;
-        audience: z.ZodString;
-    }, z.ZodTypeAny, "passthrough">, z.objectInputType<{
-        sessionId: z.ZodString;
-        audience: z.ZodString;
-    }, z.ZodTypeAny, "passthrough">>;
-    /**
-     * Optional event-specific data
-     * Used for generating event hash. Not logged directly.
-     */
-    eventData: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
-}, "strip", z.ZodTypeAny, {
-    session: {
-        audience: string;
-        sessionId: string;
-    } & {
-        [k: string]: unknown;
-    };
-    identity: {
-        did: string;
-        kid: string;
-    } & {
-        [k: string]: unknown;
-    };
-    eventType: string;
-    eventData?: Record<string, unknown> | undefined;
-}, {
-    session: {
-        audience: string;
-        sessionId: string;
-    } & {
-        [k: string]: unknown;
-    };
-    identity: {
-        did: string;
-        kid: string;
-    } & {
-        [k: string]: unknown;
-    };
-    eventType: string;
-    eventData?: Record<string, unknown> | undefined;
-}>;
-export type AuditEventContext = {
-    eventType: string;
-    identity: AgentIdentity;
-    session: SessionContext;
-    eventData?: Record<string, any>;
-};
-export type { AuditRecord } from "../proof.js";
-export { AuditRecordSchema } from "../proof.js";

package/dist/audit/index.js

@@ -1,100 +0,0 @@
-"use strict";
-/**
- * Audit Types and Schemas
- *
- * Types and Zod schemas for audit logging in the MCP-I framework.
- * These types are platform-agnostic and used across all implementations.
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.AuditRecordSchema = exports.AuditEventContextSchema = exports.AuditContextSchema = void 0;
-const zod_1 = require("zod");
-/**
- * Audit context schema for logging audit records
- *
- * Contains all metadata needed to generate an audit record.
- * Privacy Note: Only metadata is extracted from these objects.
- * The identity's private key, session's nonce, and other sensitive
- * fields are NEVER included in the audit log.
- */
-exports.AuditContextSchema = zod_1.z.object({
-    /**
-     * Agent identity
-     * Only `did` and `keyId` are logged. Private key is NEVER logged.
-     */
-    identity: zod_1.z
-        .object({
-        did: zod_1.z.string().min(1),
-        kid: zod_1.z.string().min(1),
-    })
-        .passthrough(), // Allow additional fields but only did/kid are used
-    /**
-     * Session context
-     * Only `sessionId` and `audience` are logged. Nonce is NEVER logged.
-     */
-    session: zod_1.z
-        .object({
-        sessionId: zod_1.z.string().min(1),
-        audience: zod_1.z.string().min(1),
-    })
-        .passthrough(), // Allow additional fields but only sessionId/audience are used
-    /**
-     * Request hash (SHA-256 with `sha256:` prefix)
-     */
-    requestHash: zod_1.z.string().regex(/^sha256:[a-f0-9]{64}$/),
-    /**
-     * Response hash (SHA-256 with `sha256:` prefix)
-     */
-    responseHash: zod_1.z.string().regex(/^sha256:[a-f0-9]{64}$/),
-    /**
-     * Verification result
-     * - 'yes': Proof was verified successfully
-     * - 'no': Proof verification failed
-     */
-    verified: zod_1.z.enum(["yes", "no"]),
-    /**
-     * Optional scope identifier
-     * Application-level scope (e.g., 'orders.create', 'users.read').
-     * If not provided, '-' is used in the audit log.
-     */
-    scopeId: zod_1.z.string().optional(),
-});
-/**
- * Event context schema for logging events that bypass session deduplication
- *
- * Used for consent events where multiple events occur in the same session.
- * Unlike AuditContext, this allows multiple events per session.
- */
-exports.AuditEventContextSchema = zod_1.z.object({
-    /**
-     * Event type identifier
-     * @example "consent:page_viewed", "consent:approved", "runtime:initialized"
-     */
-    eventType: zod_1.z.string().min(1),
-    /**
-     * Agent identity
-     * Only `did` and `keyId` are logged. Private key is NEVER logged.
-     */
-    identity: zod_1.z
-        .object({
-        did: zod_1.z.string().min(1),
-        kid: zod_1.z.string().min(1),
-    })
-        .passthrough(), // Allow additional fields but only did/kid are used
-    /**
-     * Session context
-     * Only `sessionId` and `audience` are logged. Nonce is NEVER logged.
-     */
-    session: zod_1.z
-        .object({
-        sessionId: zod_1.z.string().min(1),
-        audience: zod_1.z.string().min(1),
-    })
-        .passthrough(), // Allow additional fields but only sessionId/audience are used
-    /**
-     * Optional event-specific data
-     * Used for generating event hash. Not logged directly.
-     */
-    eventData: zod_1.z.record(zod_1.z.unknown()).optional(),
-});
-var proof_js_1 = require("../proof.js");
-Object.defineProperty(exports, "AuditRecordSchema", { enumerable: true, get: function () { return proof_js_1.AuditRecordSchema; } });

package/dist/config/tool-context.d.ts

@@ -1,34 +0,0 @@
-/**
- * Tool Execution Context
- *
- * Execution context passed to tool handlers, enabling tools to access
- * IDP tokens for external API calls (GitHub, Google, etc.).
- *
- * All fields are optional for backward compatibility - tools that don't
- * require OAuth will receive undefined context.
- *
- * @package @kya-os/contracts
- */
-/**
- * Execution context passed to tool handlers
- *
- * Enables tools to access IDP tokens for external API calls.
- * Context is only provided when:
- * - Tool requires OAuth (has requiredScopes)
- * - User DID is available
- * - IDP token is successfully resolved
- */
-export interface ToolExecutionContext {
-    /** IDP access token for external API calls (e.g., GitHub, Google) */
-    idpToken?: string;
-    /** OAuth provider name (e.g., "github", "google") */
-    provider?: string;
-    /** Scopes granted for this token */
-    scopes?: string[];
-    /** User DID associated with this token */
-    userDid?: string;
-    /** Session ID */
-    sessionId?: string;
-    /** Delegation token (MCP-I internal authorization) */
-    delegationToken?: string;
-}