@kya-os/contracts 1.6.2 → 1.6.3

@@ -65,38 +65,38 @@ export declare const AuditContextSchema: z.ZodObject<{
65
65
  */
66
66
  scopeId: z.ZodOptional<z.ZodString>;
67
67
  }, "strip", z.ZodTypeAny, {
68
- requestHash: string;
69
- responseHash: string;
68
+ identity: {
69
+ did: string;
70
+ kid: string;
71
+ } & {
72
+ [k: string]: unknown;
73
+ };
70
74
  session: {
71
75
  audience: string;
72
76
  sessionId: string;
73
77
  } & {
74
78
  [k: string]: unknown;
75
79
  };
80
+ requestHash: string;
81
+ responseHash: string;
76
82
  verified: "yes" | "no";
83
+ scopeId?: string | undefined;
84
+ }, {
77
85
  identity: {
78
86
  did: string;
79
87
  kid: string;
80
88
  } & {
81
89
  [k: string]: unknown;
82
90
  };
83
- scopeId?: string | undefined;
84
- }, {
85
- requestHash: string;
86
- responseHash: string;
87
91
  session: {
88
92
  audience: string;
89
93
  sessionId: string;
90
94
  } & {
91
95
  [k: string]: unknown;
92
96
  };
97
+ requestHash: string;
98
+ responseHash: string;
93
99
  verified: "yes" | "no";
94
- identity: {
95
- did: string;
96
- kid: string;
97
- } & {
98
- [k: string]: unknown;
99
- };
100
100
  scopeId?: string | undefined;
101
101
  }>;
102
102
  export type AuditContext = {
@@ -153,33 +153,33 @@ export declare const AuditEventContextSchema: z.ZodObject<{
153
153
  */
154
154
  eventData: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
155
155
  }, "strip", z.ZodTypeAny, {
156
- session: {
157
- audience: string;
158
- sessionId: string;
159
- } & {
160
- [k: string]: unknown;
161
- };
162
156
  identity: {
163
157
  did: string;
164
158
  kid: string;
165
159
  } & {
166
160
  [k: string]: unknown;
167
161
  };
168
- eventType: string;
169
- eventData?: Record<string, unknown> | undefined;
170
- }, {
171
162
  session: {
172
163
  audience: string;
173
164
  sessionId: string;
174
165
  } & {
175
166
  [k: string]: unknown;
176
167
  };
168
+ eventType: string;
169
+ eventData?: Record<string, unknown> | undefined;
170
+ }, {
177
171
  identity: {
178
172
  did: string;
179
173
  kid: string;
180
174
  } & {
181
175
  [k: string]: unknown;
182
176
  };
177
+ session: {
178
+ audience: string;
179
+ sessionId: string;
180
+ } & {
181
+ [k: string]: unknown;
182
+ };
183
183
  eventType: string;
184
184
  eventData?: Record<string, unknown> | undefined;
185
185
  }>;
@@ -2,6 +2,17 @@ import { z } from "zod";
2
2
  /**
3
3
  * Handshake and session management schemas
4
4
  */
5
+ /**
6
+ * Session Identity State
7
+ *
8
+ * Tracks whether a session has been authenticated via OAuth.
9
+ * Phase 5: Anonymous Sessions Until OAuth
10
+ *
11
+ * - 'anonymous': No userDid assigned yet (session started without OAuth)
12
+ * - 'authenticated': userDid assigned via OAuth → AgentShield identity resolution
13
+ */
14
+ export declare const SessionIdentityStateSchema: z.ZodEnum<["anonymous", "authenticated"]>;
15
+ export type SessionIdentityState = z.infer<typeof SessionIdentityStateSchema>;
5
16
  declare const MCPClientCapabilitiesSchema: z.ZodRecord<z.ZodString, z.ZodUnknown>;
6
17
  export declare const MCPClientInfoSchema: z.ZodObject<{
7
18
  name: z.ZodString;
@@ -12,15 +23,15 @@ export declare const MCPClientInfoSchema: z.ZodObject<{
12
23
  persistentId: z.ZodOptional<z.ZodString>;
13
24
  }, "strip", z.ZodTypeAny, {
14
25
  name: string;
15
- version?: string | undefined;
16
26
  title?: string | undefined;
27
+ version?: string | undefined;
17
28
  platform?: string | undefined;
18
29
  vendor?: string | undefined;
19
30
  persistentId?: string | undefined;
20
31
  }, {
21
32
  name: string;
22
- version?: string | undefined;
23
33
  title?: string | undefined;
34
+ version?: string | undefined;
24
35
  platform?: string | undefined;
25
36
  vendor?: string | undefined;
26
37
  persistentId?: string | undefined;
@@ -39,8 +50,8 @@ export declare const MCPClientSessionInfoSchema: z.ZodObject<{
39
50
  }, "strip", z.ZodTypeAny, {
40
51
  name: string;
41
52
  clientId: string;
42
- version?: string | undefined;
43
53
  title?: string | undefined;
54
+ version?: string | undefined;
44
55
  platform?: string | undefined;
45
56
  vendor?: string | undefined;
46
57
  persistentId?: string | undefined;
@@ -49,8 +60,8 @@ export declare const MCPClientSessionInfoSchema: z.ZodObject<{
49
60
  }, {
50
61
  name: string;
51
62
  clientId: string;
52
- version?: string | undefined;
53
63
  title?: string | undefined;
64
+ version?: string | undefined;
54
65
  platform?: string | undefined;
55
66
  vendor?: string | undefined;
56
67
  persistentId?: string | undefined;
@@ -73,16 +84,16 @@ export declare const HandshakeRequestSchema: z.ZodObject<{
73
84
  clientId: z.ZodOptional<z.ZodString>;
74
85
  }, "strip", z.ZodTypeAny, {
75
86
  name: string;
76
- version?: string | undefined;
77
87
  title?: string | undefined;
88
+ version?: string | undefined;
78
89
  platform?: string | undefined;
79
90
  vendor?: string | undefined;
80
91
  persistentId?: string | undefined;
81
92
  clientId?: string | undefined;
82
93
  }, {
83
94
  name: string;
84
- version?: string | undefined;
85
95
  title?: string | undefined;
96
+ version?: string | undefined;
86
97
  platform?: string | undefined;
87
98
  vendor?: string | undefined;
88
99
  persistentId?: string | undefined;
@@ -97,8 +108,8 @@ export declare const HandshakeRequestSchema: z.ZodObject<{
97
108
  agentDid?: string | undefined;
98
109
  clientInfo?: {
99
110
  name: string;
100
- version?: string | undefined;
101
111
  title?: string | undefined;
112
+ version?: string | undefined;
102
113
  platform?: string | undefined;
103
114
  vendor?: string | undefined;
104
115
  persistentId?: string | undefined;
@@ -113,8 +124,8 @@ export declare const HandshakeRequestSchema: z.ZodObject<{
113
124
  agentDid?: string | undefined;
114
125
  clientInfo?: {
115
126
  name: string;
116
- version?: string | undefined;
117
127
  title?: string | undefined;
128
+ version?: string | undefined;
118
129
  platform?: string | undefined;
119
130
  vendor?: string | undefined;
120
131
  persistentId?: string | undefined;
@@ -149,8 +160,8 @@ export declare const SessionContextSchema: z.ZodObject<{
149
160
  }, "strip", z.ZodTypeAny, {
150
161
  name: string;
151
162
  clientId: string;
152
- version?: string | undefined;
153
163
  title?: string | undefined;
164
+ version?: string | undefined;
154
165
  platform?: string | undefined;
155
166
  vendor?: string | undefined;
156
167
  persistentId?: string | undefined;
@@ -159,28 +170,54 @@ export declare const SessionContextSchema: z.ZodObject<{
159
170
  }, {
160
171
  name: string;
161
172
  clientId: string;
162
- version?: string | undefined;
163
173
  title?: string | undefined;
174
+ version?: string | undefined;
164
175
  platform?: string | undefined;
165
176
  vendor?: string | undefined;
166
177
  persistentId?: string | undefined;
167
178
  protocolVersion?: string | undefined;
168
179
  capabilities?: Record<string, unknown> | undefined;
169
180
  }>>;
181
+ /**
182
+ * Identity state of the session
183
+ * @default 'anonymous' - Sessions start anonymous until OAuth completes
184
+ */
185
+ identityState: z.ZodDefault<z.ZodEnum<["anonymous", "authenticated"]>>;
186
+ /**
187
+ * OAuth identity information (populated after successful OAuth)
188
+ * Contains provider, subject, email from OAuth provider
189
+ */
190
+ oauthIdentity: z.ZodOptional<z.ZodObject<{
191
+ provider: z.ZodString;
192
+ subject: z.ZodString;
193
+ email: z.ZodOptional<z.ZodString>;
194
+ name: z.ZodOptional<z.ZodString>;
195
+ }, "strip", z.ZodTypeAny, {
196
+ provider: string;
197
+ subject: string;
198
+ name?: string | undefined;
199
+ email?: string | undefined;
200
+ }, {
201
+ provider: string;
202
+ subject: string;
203
+ name?: string | undefined;
204
+ email?: string | undefined;
205
+ }>>;
170
206
  }, "strip", z.ZodTypeAny, {
171
- createdAt: number;
172
207
  nonce: string;
173
208
  audience: string;
174
209
  timestamp: number;
175
210
  sessionId: string;
211
+ createdAt: number;
176
212
  lastActivity: number;
177
213
  ttlMinutes: number;
214
+ identityState: "anonymous" | "authenticated";
178
215
  agentDid?: string | undefined;
179
216
  clientInfo?: {
180
217
  name: string;
181
218
  clientId: string;
182
- version?: string | undefined;
183
219
  title?: string | undefined;
220
+ version?: string | undefined;
184
221
  platform?: string | undefined;
185
222
  vendor?: string | undefined;
186
223
  persistentId?: string | undefined;
@@ -190,19 +227,25 @@ export declare const SessionContextSchema: z.ZodObject<{
190
227
  serverDid?: string | undefined;
191
228
  clientDid?: string | undefined;
192
229
  userDid?: string | undefined;
230
+ oauthIdentity?: {
231
+ provider: string;
232
+ subject: string;
233
+ name?: string | undefined;
234
+ email?: string | undefined;
235
+ } | undefined;
193
236
  }, {
194
- createdAt: number;
195
237
  nonce: string;
196
238
  audience: string;
197
239
  timestamp: number;
198
240
  sessionId: string;
241
+ createdAt: number;
199
242
  lastActivity: number;
200
243
  agentDid?: string | undefined;
201
244
  clientInfo?: {
202
245
  name: string;
203
246
  clientId: string;
204
- version?: string | undefined;
205
247
  title?: string | undefined;
248
+ version?: string | undefined;
206
249
  platform?: string | undefined;
207
250
  vendor?: string | undefined;
208
251
  persistentId?: string | undefined;
@@ -213,6 +256,13 @@ export declare const SessionContextSchema: z.ZodObject<{
213
256
  serverDid?: string | undefined;
214
257
  clientDid?: string | undefined;
215
258
  userDid?: string | undefined;
259
+ identityState?: "anonymous" | "authenticated" | undefined;
260
+ oauthIdentity?: {
261
+ provider: string;
262
+ subject: string;
263
+ name?: string | undefined;
264
+ email?: string | undefined;
265
+ } | undefined;
216
266
  }>;
217
267
  export declare const NonceCacheEntrySchema: z.ZodObject<{
218
268
  sessionId: z.ZodString;
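--- a/package/dist/handshake.js
+++ b/package/dist/handshake.js
@@ -1,10 +1,21 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.NONCE_LENGTH_BYTES = exports.DEFAULT_TIMESTAMP_SKEW_SECONDS = exports.DEFAULT_SESSION_TTL_MINUTES = exports.NonceCacheConfigSchema = exports.NonceCacheEntrySchema = exports.SessionContextSchema = exports.HandshakeRequestSchema = exports.MCPClientSessionInfoSchema = exports.MCPClientInfoSchema = void 0;
+exports.NONCE_LENGTH_BYTES = exports.DEFAULT_TIMESTAMP_SKEW_SECONDS = exports.DEFAULT_SESSION_TTL_MINUTES = exports.NonceCacheConfigSchema = exports.NonceCacheEntrySchema = exports.SessionContextSchema = exports.HandshakeRequestSchema = exports.MCPClientSessionInfoSchema = exports.MCPClientInfoSchema = exports.SessionIdentityStateSchema = void 0;
 const zod_1 = require("zod");
+const schemas_1 = require("./consent/schemas");
 /**
 * Handshake and session management schemas
 */
+/**
+* Session Identity State
+*
+* Tracks whether a session has been authenticated via OAuth.
+* Phase 5: Anonymous Sessions Until OAuth
+*
+* - 'anonymous': No userDid assigned yet (session started without OAuth)
+* - 'authenticated': userDid assigned via OAuth → AgentShield identity resolution
+*/
+exports.SessionIdentityStateSchema = zod_1.z.enum(["anonymous", "authenticated"]);
 const MCPClientCapabilitiesSchema = zod_1.z.record(zod_1.z.string(), zod_1.z.unknown());
 exports.MCPClientInfoSchema = zod_1.z.object({
 name: zod_1.z.string().min(1), // e.g., "Claude Desktop"
@@ -44,6 +55,17 @@ exports.SessionContextSchema = zod_1.z.object({
 clientDid: zod_1.z.string().optional(), // Client app DID (if different from agent)
 userDid: zod_1.z.string().optional(), // User DID (delegator)
 clientInfo: exports.MCPClientSessionInfoSchema.optional(), // MCP client information with negotiated metadata
+// Phase 5: Anonymous Sessions Until OAuth
+/**
+* Identity state of the session
+* @default 'anonymous' - Sessions start anonymous until OAuth completes
+*/
+identityState: exports.SessionIdentityStateSchema.default("anonymous"),
+/**
+* OAuth identity information (populated after successful OAuth)
+* Contains provider, subject, email from OAuth provider
+*/
+oauthIdentity: schemas_1.oauthIdentitySchema.optional(),
 });
 exports.NonceCacheEntrySchema = zod_1.z.object({
 sessionId: zod_1.z.string().min(1),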
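Review bot: In the `SessionContextSchema` hunk, `identityState` and `oauthIdentity` are added as independent fields next to the already optional `userDid`, so an object with `identityState: "authenticated"` and neither `userDid` nor `oauthIdentity` validates, and so does an `"anonymous"` one that carries a `userDid`. Any consumer that gates on `identityState` alone would then accept a session whose identity was never resolved. Consider enforcing the invariant with a check such as `.refine((s) => s.identityState !== "authenticated" || (!!s.userDid && !!s.oauthIdentity), { message: "authenticated session requires userDid and oauthIdentity" })`, exported as a separate validated schema if the `ZodObject` type must stay as is. The field comment should also state that `identityState` is set by the server after identity resolution and is never taken from a client-supplied session object. The `z.object({` call opens above the hunk, so fields outside it were not reviewed.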
@@ -0,0 +1,7 @@
1
+ /**
2
+ * Identity Module
3
+ *
4
+ * Exports for OAuth identity → persistent user DID resolution.
5
+ * Part of Phase 5: Identity Resolution Integration
6
+ */
7
+ export * from "./schemas.js";
@@ -0,0 +1,23 @@
1
+ "use strict";
2
+ /**
3
+ * Identity Module
4
+ *
5
+ * Exports for OAuth identity → persistent user DID resolution.
6
+ * Part of Phase 5: Identity Resolution Integration
7
+ */
8
+ var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
9
+ if (k2 === undefined) k2 = k;
10
+ var desc = Object.getOwnPropertyDescriptor(m, k);
11
+ if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
12
+ desc = { enumerable: true, get: function() { return m[k]; } };
13
+ }
14
+ Object.defineProperty(o, k2, desc);
15
+ }) : (function(o, m, k, k2) {
16
+ if (k2 === undefined) k2 = k;
17
+ o[k2] = m[k];
18
+ }));
19
+ var __exportStar = (this && this.__exportStar) || function(m, exports) {
20
+ for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
21
+ };
22
+ Object.defineProperty(exports, "__esModule", { value: true });
23
+ __exportStar(require("./schemas.js"), exports);
@@ -0,0 +1,250 @@
1
+ /**
2
+ * Identity Resolution Schemas
3
+ *
4
+ * Types and schemas for OAuth identity → persistent user DID resolution.
5
+ * Used by xmcp-i to call AgentShield's identity resolution endpoint.
6
+ *
7
+ * Part of Phase 5: Identity Resolution Integration
8
+ *
9
+ * @see ACCOUNT_CENTRIC_IDENTITY_AND_VC_IMPLEMENTATION.md
10
+ */
11
+ import { z } from "zod";
12
+ /**
13
+ * OAuth result from identity provider
14
+ *
15
+ * Contains user information from OAuth authentication flow.
16
+ */
17
+ export declare const OAuthResultSchema: z.ZodObject<{
18
+ /** OAuth provider name (e.g., 'google', 'github', 'microsoft') */
19
+ provider: z.ZodString;
20
+ /** OAuth subject claim (unique per provider) */
21
+ sub: z.ZodString;
22
+ /** User's email from OAuth provider */
23
+ email: z.ZodOptional<z.ZodString>;
24
+ /** Whether email was verified by provider */
25
+ email_verified: z.ZodOptional<z.ZodBoolean>;
26
+ /** Display name from OAuth provider */
27
+ name: z.ZodOptional<z.ZodString>;
28
+ /** Avatar URL from OAuth provider */
29
+ picture: z.ZodOptional<z.ZodString>;
30
+ }, "strip", z.ZodTypeAny, {
31
+ provider: string;
32
+ sub: string;
33
+ email?: string | undefined;
34
+ email_verified?: boolean | undefined;
35
+ name?: string | undefined;
36
+ picture?: string | undefined;
37
+ }, {
38
+ provider: string;
39
+ sub: string;
40
+ email?: string | undefined;
41
+ email_verified?: boolean | undefined;
42
+ name?: string | undefined;
43
+ picture?: string | undefined;
44
+ }>;
45
+ export type OAuthResult = z.infer<typeof OAuthResultSchema>;
46
+ /**
47
+ * Identity resolution request
48
+ *
49
+ * POST /api/v1/bouncer/identity/resolve
50
+ */
51
+ export declare const IdentityResolveRequestSchema: z.ZodObject<{
52
+ /** Project UUID */
53
+ project_id: z.ZodString;
54
+ /** OAuth authentication result */
55
+ oauth_result: z.ZodObject<{
56
+ /** OAuth provider name (e.g., 'google', 'github', 'microsoft') */
57
+ provider: z.ZodString;
58
+ /** OAuth subject claim (unique per provider) */
59
+ sub: z.ZodString;
60
+ /** User's email from OAuth provider */
61
+ email: z.ZodOptional<z.ZodString>;
62
+ /** Whether email was verified by provider */
63
+ email_verified: z.ZodOptional<z.ZodBoolean>;
64
+ /** Display name from OAuth provider */
65
+ name: z.ZodOptional<z.ZodString>;
66
+ /** Avatar URL from OAuth provider */
67
+ picture: z.ZodOptional<z.ZodString>;
68
+ }, "strip", z.ZodTypeAny, {
69
+ provider: string;
70
+ sub: string;
71
+ email?: string | undefined;
72
+ email_verified?: boolean | undefined;
73
+ name?: string | undefined;
74
+ picture?: string | undefined;
75
+ }, {
76
+ provider: string;
77
+ sub: string;
78
+ email?: string | undefined;
79
+ email_verified?: boolean | undefined;
80
+ name?: string | undefined;
81
+ picture?: string | undefined;
82
+ }>;
83
+ }, "strip", z.ZodTypeAny, {
84
+ project_id: string;
85
+ oauth_result: {
86
+ provider: string;
87
+ sub: string;
88
+ email?: string | undefined;
89
+ email_verified?: boolean | undefined;
90
+ name?: string | undefined;
91
+ picture?: string | undefined;
92
+ };
93
+ }, {
94
+ project_id: string;
95
+ oauth_result: {
96
+ provider: string;
97
+ sub: string;
98
+ email?: string | undefined;
99
+ email_verified?: boolean | undefined;
100
+ name?: string | undefined;
101
+ picture?: string | undefined;
102
+ };
103
+ }>;
104
+ export type IdentityResolveRequest = z.infer<typeof IdentityResolveRequestSchema>;
105
+ /**
106
+ * Identity resolution response
107
+ *
108
+ * Returns the persistent user DID and account information.
109
+ */
110
+ export declare const IdentityResolveResponseSchema: z.ZodObject<{
111
+ success: z.ZodLiteral<true>;
112
+ data: z.ZodObject<{
113
+ /** Persistent user DID (did:key:z6Mk...) */
114
+ user_did: z.ZodString;
115
+ /** User account UUID */
116
+ user_account_id: z.ZodString;
117
+ /** Whether a new account was created */
118
+ is_new_account: z.ZodBoolean;
119
+ /** Whether identity was auto-linked by email */
120
+ auto_linked: z.ZodBoolean;
121
+ }, "strip", z.ZodTypeAny, {
122
+ user_did: string;
123
+ user_account_id: string;
124
+ is_new_account: boolean;
125
+ auto_linked: boolean;
126
+ }, {
127
+ user_did: string;
128
+ user_account_id: string;
129
+ is_new_account: boolean;
130
+ auto_linked: boolean;
131
+ }>;
132
+ metadata: z.ZodOptional<z.ZodObject<{
133
+ requestId: z.ZodOptional<z.ZodString>;
134
+ timestamp: z.ZodOptional<z.ZodString>;
135
+ }, "strip", z.ZodTypeAny, {
136
+ requestId?: string | undefined;
137
+ timestamp?: string | undefined;
138
+ }, {
139
+ requestId?: string | undefined;
140
+ timestamp?: string | undefined;
141
+ }>>;
142
+ }, "strip", z.ZodTypeAny, {
143
+ success: true;
144
+ data: {
145
+ user_did: string;
146
+ user_account_id: string;
147
+ is_new_account: boolean;
148
+ auto_linked: boolean;
149
+ };
150
+ metadata?: {
151
+ requestId?: string | undefined;
152
+ timestamp?: string | undefined;
153
+ } | undefined;
154
+ }, {
155
+ success: true;
156
+ data: {
157
+ user_did: string;
158
+ user_account_id: string;
159
+ is_new_account: boolean;
160
+ auto_linked: boolean;
161
+ };
162
+ metadata?: {
163
+ requestId?: string | undefined;
164
+ timestamp?: string | undefined;
165
+ } | undefined;
166
+ }>;
167
+ export type IdentityResolveResponse = z.infer<typeof IdentityResolveResponseSchema>;
168
+ /**
169
+ * Identity resolution error response
170
+ */
171
+ export declare const IdentityResolveErrorSchema: z.ZodObject<{
172
+ success: z.ZodLiteral<false>;
173
+ error: z.ZodObject<{
174
+ code: z.ZodString;
175
+ message: z.ZodString;
176
+ details: z.ZodOptional<z.ZodArray<z.ZodObject<{
177
+ path: z.ZodString;
178
+ message: z.ZodString;
179
+ }, "strip", z.ZodTypeAny, {
180
+ path: string;
181
+ message: string;
182
+ }, {
183
+ path: string;
184
+ message: string;
185
+ }>, "many">>;
186
+ }, "strip", z.ZodTypeAny, {
187
+ code: string;
188
+ message: string;
189
+ details?: {
190
+ path: string;
191
+ message: string;
192
+ }[] | undefined;
193
+ }, {
194
+ code: string;
195
+ message: string;
196
+ details?: {
197
+ path: string;
198
+ message: string;
199
+ }[] | undefined;
200
+ }>;
201
+ }, "strip", z.ZodTypeAny, {
202
+ success: false;
203
+ error: {
204
+ code: string;
205
+ message: string;
206
+ details?: {
207
+ path: string;
208
+ message: string;
209
+ }[] | undefined;
210
+ };
211
+ }, {
212
+ success: false;
213
+ error: {
214
+ code: string;
215
+ message: string;
216
+ details?: {
217
+ path: string;
218
+ message: string;
219
+ }[] | undefined;
220
+ };
221
+ }>;
222
+ export type IdentityResolveError = z.infer<typeof IdentityResolveErrorSchema>;
223
+ /**
224
+ * Parse and validate identity resolution request
225
+ */
226
+ export declare function parseIdentityResolveRequest(data: unknown): IdentityResolveRequest;
227
+ /**
228
+ * Safely validate identity resolution request
229
+ */
230
+ export declare function safeParseIdentityResolveRequest(data: unknown): {
231
+ success: true;
232
+ data: IdentityResolveRequest;
233
+ } | {
234
+ success: false;
235
+ error: z.ZodError;
236
+ };
237
+ /**
238
+ * Parse and validate identity resolution response
239
+ */
240
+ export declare function parseIdentityResolveResponse(data: unknown): IdentityResolveResponse;
241
+ /**
242
+ * Safely validate identity resolution response
243
+ */
244
+ export declare function safeParseIdentityResolveResponse(data: unknown): {
245
+ success: true;
246
+ data: IdentityResolveResponse;
247
+ } | {
248
+ success: false;
249
+ error: z.ZodError;
250
+ };
@@ -0,0 +1,115 @@
1
+ "use strict";
2
+ /**
3
+ * Identity Resolution Schemas
4
+ *
5
+ * Types and schemas for OAuth identity → persistent user DID resolution.
6
+ * Used by xmcp-i to call AgentShield's identity resolution endpoint.
7
+ *
8
+ * Part of Phase 5: Identity Resolution Integration
9
+ *
10
+ * @see ACCOUNT_CENTRIC_IDENTITY_AND_VC_IMPLEMENTATION.md
11
+ */
12
+ Object.defineProperty(exports, "__esModule", { value: true });
13
+ exports.IdentityResolveErrorSchema = exports.IdentityResolveResponseSchema = exports.IdentityResolveRequestSchema = exports.OAuthResultSchema = void 0;
14
+ exports.parseIdentityResolveRequest = parseIdentityResolveRequest;
15
+ exports.safeParseIdentityResolveRequest = safeParseIdentityResolveRequest;
16
+ exports.parseIdentityResolveResponse = parseIdentityResolveResponse;
17
+ exports.safeParseIdentityResolveResponse = safeParseIdentityResolveResponse;
18
+ const zod_1 = require("zod");
19
+ /**
20
+ * OAuth result from identity provider
21
+ *
22
+ * Contains user information from OAuth authentication flow.
23
+ */
24
+ exports.OAuthResultSchema = zod_1.z.object({
25
+ /** OAuth provider name (e.g., 'google', 'github', 'microsoft') */
26
+ provider: zod_1.z.string().min(1, "Provider is required"),
27
+ /** OAuth subject claim (unique per provider) */
28
+ sub: zod_1.z.string().min(1, "Subject claim is required"),
29
+ /** User's email from OAuth provider */
30
+ email: zod_1.z.string().email().optional(),
31
+ /** Whether email was verified by provider */
32
+ email_verified: zod_1.z.boolean().optional(),
33
+ /** Display name from OAuth provider */
34
+ name: zod_1.z.string().optional(),
35
+ /** Avatar URL from OAuth provider */
36
+ picture: zod_1.z.string().url().optional(),
37
+ });
38
+ /**
39
+ * Identity resolution request
40
+ *
41
+ * POST /api/v1/bouncer/identity/resolve
42
+ */
43
+ exports.IdentityResolveRequestSchema = zod_1.z.object({
44
+ /** Project UUID */
45
+ project_id: zod_1.z.string().uuid("Invalid project ID format"),
46
+ /** OAuth authentication result */
47
+ oauth_result: exports.OAuthResultSchema,
48
+ });
49
+ /**
50
+ * Identity resolution response
51
+ *
52
+ * Returns the persistent user DID and account information.
53
+ */
54
+ exports.IdentityResolveResponseSchema = zod_1.z.object({
55
+ success: zod_1.z.literal(true),
56
+ data: zod_1.z.object({
57
+ /** Persistent user DID (did:key:z6Mk...) */
58
+ user_did: zod_1.z.string().regex(/^did:(key|web):.+$/, "Invalid user DID format"),
59
+ /** User account UUID */
60
+ user_account_id: zod_1.z.string().uuid(),
61
+ /** Whether a new account was created */
62
+ is_new_account: zod_1.z.boolean(),
63
+ /** Whether identity was auto-linked by email */
64
+ auto_linked: zod_1.z.boolean(),
65
+ }),
66
+ metadata: zod_1.z
67
+ .object({
68
+ requestId: zod_1.z.string().optional(),
69
+ timestamp: zod_1.z.string().datetime().optional(),
70
+ })
71
+ .optional(),
72
+ });
73
+ /**
74
+ * Identity resolution error response
75
+ */
76
+ exports.IdentityResolveErrorSchema = zod_1.z.object({
77
+ success: zod_1.z.literal(false),
78
+ error: zod_1.z.object({
79
+ code: zod_1.z.string(),
80
+ message: zod_1.z.string(),
81
+ details: zod_1.z.array(zod_1.z.object({ path: zod_1.z.string(), message: zod_1.z.string() })).optional(),
82
+ }),
83
+ });
84
+ /**
85
+ * Parse and validate identity resolution request
86
+ */
87
+ function parseIdentityResolveRequest(data) {
88
+ return exports.IdentityResolveRequestSchema.parse(data);
89
+ }
90
+ /**
91
+ * Safely validate identity resolution request
92
+ */
93
+ function safeParseIdentityResolveRequest(data) {
94
+ const result = exports.IdentityResolveRequestSchema.safeParse(data);
95
+ if (result.success) {
96
+ return { success: true, data: result.data };
97
+ }
98
+ return { success: false, error: result.error };
99
+ }
100
+ /**
101
+ * Parse and validate identity resolution response
102
+ */
103
+ function parseIdentityResolveResponse(data) {
104
+ return exports.IdentityResolveResponseSchema.parse(data);
105
+ }
106
+ /**
107
+ * Safely validate identity resolution response
108
+ */
109
+ function safeParseIdentityResolveResponse(data) {
110
+ const result = exports.IdentityResolveResponseSchema.safeParse(data);
111
+ if (result.success) {
112
+ return { success: true, data: result.data };
113
+ }
114
+ return { success: false, error: result.error };
115
+ }
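Review bot: `OAuthResultSchema` leaves `email_verified` optional while the response reports `auto_linked` ("auto-linked by email"), so a request carrying an `email` with no `email_verified` validates, and nothing in the contract says such an email must not be used for linking. Linking an existing account on an unverified provider email is a well-known account-takeover path; whether the resolver guards against it is not visible here, so the contract should say it, for example `/** Whether email was verified by provider; absent is treated as false and is never used for auto-linking */`. Separately, `user_did` is checked with `/^did:(key|web):.+$/`, which accepts any characters after the method prefix although the comment describes `did:key:z6Mk...`. A pattern limited to DID identifier characters, such as `/^did:(key|web):[A-Za-z0-9._:%-]+$/`, keeps whitespace and control characters out of a value that presumably becomes the session's `userDid`.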
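--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -55,3 +55,4 @@ exports.SUPPORTED_XMCP_I_VERSION = "^1.0.0";
 // import { ... } from '@kya-os/contracts/agentshield-api'
 // import { ... } from '@kya-os/contracts/tool-protection'
 // import { ... } from '@kya-os/contracts/well-known'
+// import { ... } from '@kya-os/contracts/identity' // Phase 5: Identity resolution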
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@kya-os/contracts",
3
- "version": "1.6.2",
3
+ "version": "1.6.3",
4
4
  "description": "Shared contracts, types, and schemas for MCP-I framework",
5
5
  "main": "dist/index.js",
6
6
  "types": "dist/index.d.ts",
@@ -64,6 +64,10 @@
64
64
  "./registry": {
65
65
  "types": "./dist/registry.d.ts",
66
66
  "default": "./dist/registry.js"
67
+ },
68
+ "./identity": {
69
+ "types": "./dist/identity/index.d.ts",
70
+ "default": "./dist/identity/index.js"
67
71
  }
68
72
  },
69
73
  "scripts": {
@@ -79,7 +83,7 @@
79
83
  },
80
84
  "sideEffects": false,
81
85
  "dependencies": {
82
- "zod": "^3.23.8"
86
+ "zod": "^3.25.76"
83
87
  },
84
88
  "devDependencies": {
85
89
  "@types/node": "^20.14.9",