@kya-os/contracts 1.6.2-canary.0 → 1.6.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (24) hide show
  1. package/dist/agentshield-api/endpoints.d.ts +3 -0
  2. package/dist/agentshield-api/endpoints.js +3 -0
  3. package/dist/agentshield-api/index.d.ts +2 -2
  4. package/dist/agentshield-api/index.js +7 -1
  5. package/dist/agentshield-api/schemas.d.ts +287 -122
  6. package/dist/agentshield-api/schemas.js +52 -5
  7. package/dist/agentshield-api/types.d.ts +69 -4
  8. package/dist/audit/index.d.ts +193 -0
  9. package/dist/audit/index.js +100 -0
  10. package/dist/config/identity.d.ts +214 -2
  11. package/dist/config/identity.js +29 -0
  12. package/dist/config/index.d.ts +2 -1
  13. package/dist/config/tool-context.d.ts +34 -0
  14. package/dist/config/tool-context.js +13 -0
  15. package/dist/consent/schemas.d.ts +99 -4
  16. package/dist/consent/schemas.js +39 -1
  17. package/dist/dashboard-config/schemas.d.ts +1430 -174
  18. package/dist/index.d.ts +1 -0
  19. package/dist/index.js +2 -0
  20. package/dist/tool-protection/index.d.ts +478 -2
  21. package/dist/tool-protection/index.js +89 -2
  22. package/dist/verifier/index.d.ts +1 -0
  23. package/dist/verifier/index.js +18 -0
  24. package/package.json +63 -120
package/dist/index.d.ts CHANGED
@@ -21,5 +21,6 @@ export * from "./test.js";
21
21
  export * from "./utils/validation.js";
22
22
  export * from "./vc/index.js";
23
23
  export * from "./delegation/index.js";
24
+ export * from "./audit/index.js";
24
25
  export declare const CONTRACTS_VERSION = "1.2.1";
25
26
  export declare const SUPPORTED_XMCP_I_VERSION = "^1.0.0";
package/dist/index.js CHANGED
@@ -40,6 +40,8 @@ __exportStar(require("./utils/validation.js"), exports);
40
40
  // W3C VC and Delegation exports (for mcp-i-core compatibility)
41
41
  __exportStar(require("./vc/index.js"), exports);
42
42
  __exportStar(require("./delegation/index.js"), exports);
43
+ // Audit types (platform-agnostic)
44
+ __exportStar(require("./audit/index.js"), exports);
43
45
  // Version information
44
46
  exports.CONTRACTS_VERSION = "1.2.1";
45
47
  exports.SUPPORTED_XMCP_I_VERSION = "^1.0.0";
package/dist/tool-protection/index.d.ts CHANGED
@@ -8,6 +8,31 @@
8
8
  * @module @kya-os/contracts/tool-protection
9
9
  */
10
10
  import { z } from 'zod';
11
+ /**
12
+ * Authorization Requirement (Discriminated Union)
13
+ *
14
+ * Defines the type of authorization required for a tool.
15
+ * Extensible design to support OAuth, MDL, IDV, credentials, etc.
16
+ */
17
+ export type AuthorizationRequirement = {
18
+ type: 'oauth';
19
+ provider: string;
20
+ requiredScopes?: string[];
21
+ } | {
22
+ type: 'mdl';
23
+ issuer: string;
24
+ credentialType?: string;
25
+ } | {
26
+ type: 'idv';
27
+ provider: string;
28
+ verificationLevel?: 'basic' | 'enhanced' | 'loa3';
29
+ } | {
30
+ type: 'credential';
31
+ credentialType: string;
32
+ issuer?: string;
33
+ } | {
34
+ type: 'none';
35
+ };
11
36
  /**
12
37
  * Tool Protection Definition
13
38
  *
@@ -29,6 +54,19 @@ export interface ToolProtection {
29
54
  * Used to determine appropriate authorization flows
30
55
  */
31
56
  riskLevel?: 'low' | 'medium' | 'high' | 'critical';
57
+ /**
58
+ * OAuth provider name for this tool (Phase 2+)
59
+ * If specified, this tool will use the specified OAuth provider.
60
+ * If not specified, provider will be resolved via fallback strategies.
61
+ * @example "github", "google", "microsoft"
62
+ * @deprecated Use `authorization` field instead. Will be removed in Phase 3.
63
+ */
64
+ oauthProvider?: string;
65
+ /**
66
+ * Authorization requirement for this tool
67
+ * If requiresDelegation=true, authorization must be specified (or inferred from legacy fields)
68
+ */
69
+ authorization?: AuthorizationRequirement;
32
70
  }
33
71
  /**
34
72
  * Tool Protection Map
@@ -37,6 +75,23 @@ export interface ToolProtection {
37
75
  * This is how tool protections are typically stored and transmitted.
38
76
  */
39
77
  export type ToolProtectionMap = Record<string, ToolProtection>;
78
+ /**
79
+ * Partial tool protection for updates (all fields optional)
80
+ * Use this when accepting partial updates to tool protection settings
81
+ */
82
+ export type PartialToolProtection = Partial<ToolProtection>;
83
+ /**
84
+ * Tool protection with explicit optional fields
85
+ * Useful when TypeScript's Partial<T> doesn't preserve optional property access
86
+ * Supports explicit null values to clear fields
87
+ */
88
+ export type ToolProtectionUpdate = {
89
+ requiresDelegation?: boolean;
90
+ requiredScopes?: string[];
91
+ riskLevel?: 'low' | 'medium' | 'high' | 'critical';
92
+ oauthProvider?: string | null;
93
+ authorization?: AuthorizationRequirement | null;
94
+ };
40
95
  /**
41
96
  * Tool Protection Response
42
97
  *
@@ -94,48 +149,403 @@ export interface DelegationRequiredErrorData {
94
149
  */
95
150
  reason?: string;
96
151
  }
152
+ /**
153
+ * Legacy tool protection format (pre-authorization field)
154
+ * Used during migration period to support both old and new formats
155
+ */
156
+ export type LegacyToolProtection = Omit<ToolProtection, 'authorization'> & {
157
+ oauthProvider?: string;
158
+ };
159
+ /**
160
+ * Union type for both legacy and new formats
161
+ * Useful during migration period when accepting tool protection input
162
+ */
163
+ export type ToolProtectionInput = ToolProtection | LegacyToolProtection;
97
164
  /**
98
165
  * Zod Schemas for Validation
99
166
  */
167
+ export declare const AuthorizationRequirementSchema: z.ZodDiscriminatedUnion<"type", [z.ZodObject<{
168
+ type: z.ZodLiteral<"oauth">;
169
+ provider: z.ZodString;
170
+ requiredScopes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
171
+ }, "strip", z.ZodTypeAny, {
172
+ type: "oauth";
173
+ provider: string;
174
+ requiredScopes?: string[] | undefined;
175
+ }, {
176
+ type: "oauth";
177
+ provider: string;
178
+ requiredScopes?: string[] | undefined;
179
+ }>, z.ZodObject<{
180
+ type: z.ZodLiteral<"mdl">;
181
+ issuer: z.ZodString;
182
+ credentialType: z.ZodOptional<z.ZodString>;
183
+ }, "strip", z.ZodTypeAny, {
184
+ type: "mdl";
185
+ issuer: string;
186
+ credentialType?: string | undefined;
187
+ }, {
188
+ type: "mdl";
189
+ issuer: string;
190
+ credentialType?: string | undefined;
191
+ }>, z.ZodObject<{
192
+ type: z.ZodLiteral<"idv">;
193
+ provider: z.ZodString;
194
+ verificationLevel: z.ZodOptional<z.ZodEnum<["basic", "enhanced", "loa3"]>>;
195
+ }, "strip", z.ZodTypeAny, {
196
+ type: "idv";
197
+ provider: string;
198
+ verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
199
+ }, {
200
+ type: "idv";
201
+ provider: string;
202
+ verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
203
+ }>, z.ZodObject<{
204
+ type: z.ZodLiteral<"credential">;
205
+ credentialType: z.ZodString;
206
+ issuer: z.ZodOptional<z.ZodString>;
207
+ }, "strip", z.ZodTypeAny, {
208
+ type: "credential";
209
+ credentialType: string;
210
+ issuer?: string | undefined;
211
+ }, {
212
+ type: "credential";
213
+ credentialType: string;
214
+ issuer?: string | undefined;
215
+ }>, z.ZodObject<{
216
+ type: z.ZodLiteral<"none">;
217
+ }, "strip", z.ZodTypeAny, {
218
+ type: "none";
219
+ }, {
220
+ type: "none";
221
+ }>]>;
100
222
  export declare const ToolProtectionSchema: z.ZodObject<{
101
223
  requiresDelegation: z.ZodBoolean;
102
224
  requiredScopes: z.ZodArray<z.ZodString, "many">;
103
225
  riskLevel: z.ZodOptional<z.ZodEnum<["low", "medium", "high", "critical"]>>;
226
+ oauthProvider: z.ZodOptional<z.ZodString>;
227
+ authorization: z.ZodOptional<z.ZodDiscriminatedUnion<"type", [z.ZodObject<{
228
+ type: z.ZodLiteral<"oauth">;
229
+ provider: z.ZodString;
230
+ requiredScopes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
231
+ }, "strip", z.ZodTypeAny, {
232
+ type: "oauth";
233
+ provider: string;
234
+ requiredScopes?: string[] | undefined;
235
+ }, {
236
+ type: "oauth";
237
+ provider: string;
238
+ requiredScopes?: string[] | undefined;
239
+ }>, z.ZodObject<{
240
+ type: z.ZodLiteral<"mdl">;
241
+ issuer: z.ZodString;
242
+ credentialType: z.ZodOptional<z.ZodString>;
243
+ }, "strip", z.ZodTypeAny, {
244
+ type: "mdl";
245
+ issuer: string;
246
+ credentialType?: string | undefined;
247
+ }, {
248
+ type: "mdl";
249
+ issuer: string;
250
+ credentialType?: string | undefined;
251
+ }>, z.ZodObject<{
252
+ type: z.ZodLiteral<"idv">;
253
+ provider: z.ZodString;
254
+ verificationLevel: z.ZodOptional<z.ZodEnum<["basic", "enhanced", "loa3"]>>;
255
+ }, "strip", z.ZodTypeAny, {
256
+ type: "idv";
257
+ provider: string;
258
+ verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
259
+ }, {
260
+ type: "idv";
261
+ provider: string;
262
+ verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
263
+ }>, z.ZodObject<{
264
+ type: z.ZodLiteral<"credential">;
265
+ credentialType: z.ZodString;
266
+ issuer: z.ZodOptional<z.ZodString>;
267
+ }, "strip", z.ZodTypeAny, {
268
+ type: "credential";
269
+ credentialType: string;
270
+ issuer?: string | undefined;
271
+ }, {
272
+ type: "credential";
273
+ credentialType: string;
274
+ issuer?: string | undefined;
275
+ }>, z.ZodObject<{
276
+ type: z.ZodLiteral<"none">;
277
+ }, "strip", z.ZodTypeAny, {
278
+ type: "none";
279
+ }, {
280
+ type: "none";
281
+ }>]>>;
104
282
  }, "strip", z.ZodTypeAny, {
105
283
  requiresDelegation: boolean;
106
284
  requiredScopes: string[];
107
285
  riskLevel?: "low" | "medium" | "high" | "critical" | undefined;
286
+ oauthProvider?: string | undefined;
287
+ authorization?: {
288
+ type: "oauth";
289
+ provider: string;
290
+ requiredScopes?: string[] | undefined;
291
+ } | {
292
+ type: "mdl";
293
+ issuer: string;
294
+ credentialType?: string | undefined;
295
+ } | {
296
+ type: "idv";
297
+ provider: string;
298
+ verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
299
+ } | {
300
+ type: "credential";
301
+ credentialType: string;
302
+ issuer?: string | undefined;
303
+ } | {
304
+ type: "none";
305
+ } | undefined;
108
306
  }, {
109
307
  requiresDelegation: boolean;
110
308
  requiredScopes: string[];
111
309
  riskLevel?: "low" | "medium" | "high" | "critical" | undefined;
310
+ oauthProvider?: string | undefined;
311
+ authorization?: {
312
+ type: "oauth";
313
+ provider: string;
314
+ requiredScopes?: string[] | undefined;
315
+ } | {
316
+ type: "mdl";
317
+ issuer: string;
318
+ credentialType?: string | undefined;
319
+ } | {
320
+ type: "idv";
321
+ provider: string;
322
+ verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
323
+ } | {
324
+ type: "credential";
325
+ credentialType: string;
326
+ issuer?: string | undefined;
327
+ } | {
328
+ type: "none";
329
+ } | undefined;
112
330
  }>;
113
331
  export declare const ToolProtectionMapSchema: z.ZodRecord<z.ZodString, z.ZodObject<{
114
332
  requiresDelegation: z.ZodBoolean;
115
333
  requiredScopes: z.ZodArray<z.ZodString, "many">;
116
334
  riskLevel: z.ZodOptional<z.ZodEnum<["low", "medium", "high", "critical"]>>;
335
+ oauthProvider: z.ZodOptional<z.ZodString>;
336
+ authorization: z.ZodOptional<z.ZodDiscriminatedUnion<"type", [z.ZodObject<{
337
+ type: z.ZodLiteral<"oauth">;
338
+ provider: z.ZodString;
339
+ requiredScopes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
340
+ }, "strip", z.ZodTypeAny, {
341
+ type: "oauth";
342
+ provider: string;
343
+ requiredScopes?: string[] | undefined;
344
+ }, {
345
+ type: "oauth";
346
+ provider: string;
347
+ requiredScopes?: string[] | undefined;
348
+ }>, z.ZodObject<{
349
+ type: z.ZodLiteral<"mdl">;
350
+ issuer: z.ZodString;
351
+ credentialType: z.ZodOptional<z.ZodString>;
352
+ }, "strip", z.ZodTypeAny, {
353
+ type: "mdl";
354
+ issuer: string;
355
+ credentialType?: string | undefined;
356
+ }, {
357
+ type: "mdl";
358
+ issuer: string;
359
+ credentialType?: string | undefined;
360
+ }>, z.ZodObject<{
361
+ type: z.ZodLiteral<"idv">;
362
+ provider: z.ZodString;
363
+ verificationLevel: z.ZodOptional<z.ZodEnum<["basic", "enhanced", "loa3"]>>;
364
+ }, "strip", z.ZodTypeAny, {
365
+ type: "idv";
366
+ provider: string;
367
+ verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
368
+ }, {
369
+ type: "idv";
370
+ provider: string;
371
+ verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
372
+ }>, z.ZodObject<{
373
+ type: z.ZodLiteral<"credential">;
374
+ credentialType: z.ZodString;
375
+ issuer: z.ZodOptional<z.ZodString>;
376
+ }, "strip", z.ZodTypeAny, {
377
+ type: "credential";
378
+ credentialType: string;
379
+ issuer?: string | undefined;
380
+ }, {
381
+ type: "credential";
382
+ credentialType: string;
383
+ issuer?: string | undefined;
384
+ }>, z.ZodObject<{
385
+ type: z.ZodLiteral<"none">;
386
+ }, "strip", z.ZodTypeAny, {
387
+ type: "none";
388
+ }, {
389
+ type: "none";
390
+ }>]>>;
117
391
  }, "strip", z.ZodTypeAny, {
118
392
  requiresDelegation: boolean;
119
393
  requiredScopes: string[];
120
394
  riskLevel?: "low" | "medium" | "high" | "critical" | undefined;
395
+ oauthProvider?: string | undefined;
396
+ authorization?: {
397
+ type: "oauth";
398
+ provider: string;
399
+ requiredScopes?: string[] | undefined;
400
+ } | {
401
+ type: "mdl";
402
+ issuer: string;
403
+ credentialType?: string | undefined;
404
+ } | {
405
+ type: "idv";
406
+ provider: string;
407
+ verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
408
+ } | {
409
+ type: "credential";
410
+ credentialType: string;
411
+ issuer?: string | undefined;
412
+ } | {
413
+ type: "none";
414
+ } | undefined;
121
415
  }, {
122
416
  requiresDelegation: boolean;
123
417
  requiredScopes: string[];
124
418
  riskLevel?: "low" | "medium" | "high" | "critical" | undefined;
419
+ oauthProvider?: string | undefined;
420
+ authorization?: {
421
+ type: "oauth";
422
+ provider: string;
423
+ requiredScopes?: string[] | undefined;
424
+ } | {
425
+ type: "mdl";
426
+ issuer: string;
427
+ credentialType?: string | undefined;
428
+ } | {
429
+ type: "idv";
430
+ provider: string;
431
+ verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
432
+ } | {
433
+ type: "credential";
434
+ credentialType: string;
435
+ issuer?: string | undefined;
436
+ } | {
437
+ type: "none";
438
+ } | undefined;
125
439
  }>>;
126
440
  export declare const ToolProtectionResponseSchema: z.ZodObject<{
127
441
  toolProtections: z.ZodRecord<z.ZodString, z.ZodObject<{
128
442
  requiresDelegation: z.ZodBoolean;
129
443
  requiredScopes: z.ZodArray<z.ZodString, "many">;
130
444
  riskLevel: z.ZodOptional<z.ZodEnum<["low", "medium", "high", "critical"]>>;
445
+ oauthProvider: z.ZodOptional<z.ZodString>;
446
+ authorization: z.ZodOptional<z.ZodDiscriminatedUnion<"type", [z.ZodObject<{
447
+ type: z.ZodLiteral<"oauth">;
448
+ provider: z.ZodString;
449
+ requiredScopes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
450
+ }, "strip", z.ZodTypeAny, {
451
+ type: "oauth";
452
+ provider: string;
453
+ requiredScopes?: string[] | undefined;
454
+ }, {
455
+ type: "oauth";
456
+ provider: string;
457
+ requiredScopes?: string[] | undefined;
458
+ }>, z.ZodObject<{
459
+ type: z.ZodLiteral<"mdl">;
460
+ issuer: z.ZodString;
461
+ credentialType: z.ZodOptional<z.ZodString>;
462
+ }, "strip", z.ZodTypeAny, {
463
+ type: "mdl";
464
+ issuer: string;
465
+ credentialType?: string | undefined;
466
+ }, {
467
+ type: "mdl";
468
+ issuer: string;
469
+ credentialType?: string | undefined;
470
+ }>, z.ZodObject<{
471
+ type: z.ZodLiteral<"idv">;
472
+ provider: z.ZodString;
473
+ verificationLevel: z.ZodOptional<z.ZodEnum<["basic", "enhanced", "loa3"]>>;
474
+ }, "strip", z.ZodTypeAny, {
475
+ type: "idv";
476
+ provider: string;
477
+ verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
478
+ }, {
479
+ type: "idv";
480
+ provider: string;
481
+ verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
482
+ }>, z.ZodObject<{
483
+ type: z.ZodLiteral<"credential">;
484
+ credentialType: z.ZodString;
485
+ issuer: z.ZodOptional<z.ZodString>;
486
+ }, "strip", z.ZodTypeAny, {
487
+ type: "credential";
488
+ credentialType: string;
489
+ issuer?: string | undefined;
490
+ }, {
491
+ type: "credential";
492
+ credentialType: string;
493
+ issuer?: string | undefined;
494
+ }>, z.ZodObject<{
495
+ type: z.ZodLiteral<"none">;
496
+ }, "strip", z.ZodTypeAny, {
497
+ type: "none";
498
+ }, {
499
+ type: "none";
500
+ }>]>>;
131
501
  }, "strip", z.ZodTypeAny, {
132
502
  requiresDelegation: boolean;
133
503
  requiredScopes: string[];
134
504
  riskLevel?: "low" | "medium" | "high" | "critical" | undefined;
505
+ oauthProvider?: string | undefined;
506
+ authorization?: {
507
+ type: "oauth";
508
+ provider: string;
509
+ requiredScopes?: string[] | undefined;
510
+ } | {
511
+ type: "mdl";
512
+ issuer: string;
513
+ credentialType?: string | undefined;
514
+ } | {
515
+ type: "idv";
516
+ provider: string;
517
+ verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
518
+ } | {
519
+ type: "credential";
520
+ credentialType: string;
521
+ issuer?: string | undefined;
522
+ } | {
523
+ type: "none";
524
+ } | undefined;
135
525
  }, {
136
526
  requiresDelegation: boolean;
137
527
  requiredScopes: string[];
138
528
  riskLevel?: "low" | "medium" | "high" | "critical" | undefined;
529
+ oauthProvider?: string | undefined;
530
+ authorization?: {
531
+ type: "oauth";
532
+ provider: string;
533
+ requiredScopes?: string[] | undefined;
534
+ } | {
535
+ type: "mdl";
536
+ issuer: string;
537
+ credentialType?: string | undefined;
538
+ } | {
539
+ type: "idv";
540
+ provider: string;
541
+ verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
542
+ } | {
543
+ type: "credential";
544
+ credentialType: string;
545
+ issuer?: string | undefined;
546
+ } | {
547
+ type: "none";
548
+ } | undefined;
139
549
  }>>;
140
550
  metadata: z.ZodOptional<z.ZodObject<{
141
551
  lastUpdated: z.ZodOptional<z.ZodString>;
@@ -155,6 +565,26 @@ export declare const ToolProtectionResponseSchema: z.ZodObject<{
155
565
  requiresDelegation: boolean;
156
566
  requiredScopes: string[];
157
567
  riskLevel?: "low" | "medium" | "high" | "critical" | undefined;
568
+ oauthProvider?: string | undefined;
569
+ authorization?: {
570
+ type: "oauth";
571
+ provider: string;
572
+ requiredScopes?: string[] | undefined;
573
+ } | {
574
+ type: "mdl";
575
+ issuer: string;
576
+ credentialType?: string | undefined;
577
+ } | {
578
+ type: "idv";
579
+ provider: string;
580
+ verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
581
+ } | {
582
+ type: "credential";
583
+ credentialType: string;
584
+ issuer?: string | undefined;
585
+ } | {
586
+ type: "none";
587
+ } | undefined;
158
588
  }>;
159
589
  metadata?: {
160
590
  version?: string | undefined;
@@ -166,6 +596,26 @@ export declare const ToolProtectionResponseSchema: z.ZodObject<{
166
596
  requiresDelegation: boolean;
167
597
  requiredScopes: string[];
168
598
  riskLevel?: "low" | "medium" | "high" | "critical" | undefined;
599
+ oauthProvider?: string | undefined;
600
+ authorization?: {
601
+ type: "oauth";
602
+ provider: string;
603
+ requiredScopes?: string[] | undefined;
604
+ } | {
605
+ type: "mdl";
606
+ issuer: string;
607
+ credentialType?: string | undefined;
608
+ } | {
609
+ type: "idv";
610
+ provider: string;
611
+ verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
612
+ } | {
613
+ type: "credential";
614
+ credentialType: string;
615
+ issuer?: string | undefined;
616
+ } | {
617
+ type: "none";
618
+ } | undefined;
169
619
  }>;
170
620
  metadata?: {
171
621
  version?: string | undefined;
@@ -183,14 +633,14 @@ export declare const DelegationRequiredErrorDataSchema: z.ZodObject<{
183
633
  requiredScopes: string[];
184
634
  toolName: string;
185
635
  reason?: string | undefined;
186
- consentUrl?: string | undefined;
187
636
  authorizationUrl?: string | undefined;
637
+ consentUrl?: string | undefined;
188
638
  }, {
189
639
  requiredScopes: string[];
190
640
  toolName: string;
191
641
  reason?: string | undefined;
192
- consentUrl?: string | undefined;
193
642
  authorizationUrl?: string | undefined;
643
+ consentUrl?: string | undefined;
194
644
  }>;
195
645
  /**
196
646
  * Type Guards
@@ -199,6 +649,18 @@ export declare function isToolProtection(obj: any): obj is ToolProtection;
199
649
  export declare function isToolProtectionMap(obj: any): obj is ToolProtectionMap;
200
650
  export declare function isToolProtectionResponse(obj: any): obj is ToolProtectionResponse;
201
651
  export declare function isDelegationRequiredErrorData(obj: any): obj is DelegationRequiredErrorData;
652
+ /**
653
+ * Type guard to check if an object is a valid AuthorizationRequirement
654
+ */
655
+ export declare function isAuthorizationRequirement(obj: unknown): obj is AuthorizationRequirement;
656
+ /**
657
+ * Type guard to check if a ToolProtection has OAuth authorization
658
+ */
659
+ export declare function hasOAuthAuthorization(protection: ToolProtection): protection is ToolProtection & {
660
+ authorization: {
661
+ type: 'oauth';
662
+ };
663
+ };
202
664
  /**
203
665
  * Validation Functions
204
666
  */
@@ -225,3 +687,17 @@ export declare function getToolRiskLevel(toolName: string, protections: ToolProt
225
687
  * Create a delegation required error
226
688
  */
227
689
  export declare function createDelegationRequiredError(toolName: string, requiredScopes: string[], consentUrl?: string): DelegationRequiredErrorData;
690
+ /**
691
+ * Normalize tool protection configuration
692
+ * Migrates legacy oauthProvider field to authorization object
693
+ *
694
+ * - Migrates `oauthProvider` → `authorization: { type: 'oauth', provider: ... }`
695
+ * - Ensures `authorization` field is present when `requiresDelegation=true`
696
+ * - Returns fully normalized ToolProtection object
697
+ *
698
+ * @param raw - Raw tool protection data (may have legacy fields or be partial)
699
+ * @returns Normalized ToolProtection object
700
+ *
701
+ * // TODO: Remove normalizeToolProtection() when all tools migrated (target: Phase 3)
702
+ */
703
+ export declare function normalizeToolProtection(raw: ToolProtection | PartialToolProtection): ToolProtection;