@kya-os/contracts 1.6.3-canary.0 → 1.6.3

package/dist/dashboard-config/schemas.js

@@ -8,7 +8,7 @@
  * @package @kya-os/contracts/dashboard-config
  */
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.validateServerConfigResponseSchema = exports.validateServerConfigRequestSchema = exports.updateServerConfigResponseSchema = exports.updateServerConfigRequestSchema = exports.getMergedServerConfigResponseSchema = exports.getServerConfigResponseSchema = exports.getServerConfigRequestSchema = exports.mergedMcpIServerConfigSchema = exports.mcpIServerConfigSchema = exports.configMetadataSchema = exports.platformConfigSchema = exports.vercelPlatformConfigSchema = exports.nodePlatformConfigSchema = exports.cloudflarePlatformConfigSchema = exports.sessionConfigSchema = exports.auditConfigSchema = exports.mergedToolProtectionConfigSchema = exports.toolProtectionConfigSchema = exports.delegationConfigSchema = exports.proofingConfigSchema = exports.identityConfigSchema = void 0;
+exports.validateServerConfigResponseSchema = exports.validateServerConfigRequestSchema = exports.updateServerConfigResponseSchema = exports.updateServerConfigRequestSchema = exports.getServerConfigResponseSchema = exports.getServerConfigRequestSchema = exports.mcpIServerConfigSchema = exports.configMetadataSchema = exports.platformConfigSchema = exports.vercelPlatformConfigSchema = exports.nodePlatformConfigSchema = exports.cloudflarePlatformConfigSchema = exports.sessionConfigSchema = exports.auditConfigSchema = exports.toolProtectionConfigSchema = exports.delegationConfigSchema = exports.proofingConfigSchema = exports.identityConfigSchema = void 0;
 const zod_1 = require("zod");
 const index_js_1 = require("../tool-protection/index.js");
 /**
@@ -80,10 +80,6 @@ exports.toolProtectionConfigSchema = zod_1.z.object({
     }).optional(),
     fallback: index_js_1.ToolProtectionMapSchema.optional(),
 });
-/** Merged tool protection config with embedded tools */
-exports.mergedToolProtectionConfigSchema = exports.toolProtectionConfigSchema.extend({
-    tools: index_js_1.ToolProtectionMapSchema,
-});
 /**
  * Audit configuration schema
  */
@@ -183,10 +179,6 @@ exports.mcpIServerConfigSchema = zod_1.z.object({
     platform: exports.platformConfigSchema,
     metadata: exports.configMetadataSchema,
 });
-/** Merged MCP-I Server Configuration schema @since 1.6.0 */
-exports.mergedMcpIServerConfigSchema = exports.mcpIServerConfigSchema.extend({
-    toolProtection: exports.mergedToolProtectionConfigSchema,
-});
 /**
  * Get server config request schema
  */
@@ -206,20 +198,6 @@ exports.getServerConfigResponseSchema = zod_1.z.object({
         timestamp: zod_1.z.string().optional(),
     }).optional(),
 });
-/** Get merged server config response schema @since 1.6.0 */
-exports.getMergedServerConfigResponseSchema = zod_1.z.object({
-    success: zod_1.z.boolean(),
-    data: zod_1.z.object({
-        config: exports.mergedMcpIServerConfigSchema,
-        /** @deprecated Use config.toolProtection.tools instead */
-        toolProtections: index_js_1.ToolProtectionMapSchema.optional(),
-    }),
-    metadata: zod_1.z.object({
-        requestId: zod_1.z.string().optional(),
-        timestamp: zod_1.z.string().optional(),
-        cachedUntil: zod_1.z.string().optional(),
-    }).optional(),
-});
 /**
  * Update server config request schema
  */

package/dist/dashboard-config/types.d.ts

@@ -6,7 +6,7 @@
  *
  * @package @kya-os/contracts/dashboard-config
  */
-import type { ToolProtection, ToolProtectionMap } from '../tool-protection/index.js';
+import type { ToolProtectionMap } from '../tool-protection/index.js';
 import type { DelegationVerifierType } from '../config/delegation.js';
 /**
  * MCP-I Server Configuration (Dashboard View Model)
@@ -256,16 +256,6 @@ export interface MCPIServerConfig {
         deploymentStatus?: 'active' | 'inactive' | 'error';
     };
 }
-/**
- * Merged MCP-I Server Configuration with embedded tool protections
- * @since 1.6.0
- */
-export interface MergedMCPIServerConfig extends MCPIServerConfig {
-    toolProtection: MCPIServerConfig['toolProtection'] & {
-        /** Embedded tool protection rules (keys are tool names) */
-        tools: Record<string, ToolProtection>;
-    };
-}
 /**
  * API Request/Response types for dashboard config endpoints
  */
@@ -289,23 +279,6 @@ export interface GetServerConfigResponse {
         timestamp?: string;
     };
 }
-/**
- * Response with merged tool protections
- * @since 1.6.0
- */
-export interface GetMergedServerConfigResponse {
-    success: boolean;
-    data: {
-        config: MergedMCPIServerConfig;
-        /** @deprecated Use config.toolProtection.tools instead */
-        toolProtections?: ToolProtectionMap;
-    };
-    metadata?: {
-        requestId?: string;
-        timestamp?: string;
-        cachedUntil?: string;
-    };
-}
 /**
  * Request to update server configuration
  * PUT /api/v1/bouncer/projects/{projectId}/config

package/dist/handshake.d.ts

@@ -2,6 +2,17 @@ import { z } from "zod";
 /**
  * Handshake and session management schemas
  */
+/**
+ * Session Identity State
+ *
+ * Tracks whether a session has been authenticated via OAuth.
+ * Phase 5: Anonymous Sessions Until OAuth
+ *
+ * - 'anonymous': No userDid assigned yet (session started without OAuth)
+ * - 'authenticated': userDid assigned via OAuth → AgentShield identity resolution
+ */
+export declare const SessionIdentityStateSchema: z.ZodEnum<["anonymous", "authenticated"]>;
+export type SessionIdentityState = z.infer<typeof SessionIdentityStateSchema>;
 declare const MCPClientCapabilitiesSchema: z.ZodRecord<z.ZodString, z.ZodUnknown>;
 export declare const MCPClientInfoSchema: z.ZodObject<{
     name: z.ZodString;
@@ -167,6 +178,31 @@ export declare const SessionContextSchema: z.ZodObject<{
         protocolVersion?: string | undefined;
         capabilities?: Record<string, unknown> | undefined;
     }>>;
+    /**
+     * Identity state of the session
+     * @default 'anonymous' - Sessions start anonymous until OAuth completes
+     */
+    identityState: z.ZodDefault<z.ZodEnum<["anonymous", "authenticated"]>>;
+    /**
+     * OAuth identity information (populated after successful OAuth)
+     * Contains provider, subject, email from OAuth provider
+     */
+    oauthIdentity: z.ZodOptional<z.ZodObject<{
+        provider: z.ZodString;
+        subject: z.ZodString;
+        email: z.ZodOptional<z.ZodString>;
+        name: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        provider: string;
+        subject: string;
+        name?: string | undefined;
+        email?: string | undefined;
+    }, {
+        provider: string;
+        subject: string;
+        name?: string | undefined;
+        email?: string | undefined;
+    }>>;
 }, "strip", z.ZodTypeAny, {
     nonce: string;
     audience: string;
@@ -175,6 +211,7 @@ export declare const SessionContextSchema: z.ZodObject<{
     createdAt: number;
     lastActivity: number;
     ttlMinutes: number;
+    identityState: "anonymous" | "authenticated";
     agentDid?: string | undefined;
     clientInfo?: {
         name: string;
@@ -190,6 +227,12 @@ export declare const SessionContextSchema: z.ZodObject<{
     serverDid?: string | undefined;
     clientDid?: string | undefined;
     userDid?: string | undefined;
+    oauthIdentity?: {
+        provider: string;
+        subject: string;
+        name?: string | undefined;
+        email?: string | undefined;
+    } | undefined;
 }, {
     nonce: string;
     audience: string;
@@ -213,6 +256,13 @@ export declare const SessionContextSchema: z.ZodObject<{
     serverDid?: string | undefined;
     clientDid?: string | undefined;
     userDid?: string | undefined;
+    identityState?: "anonymous" | "authenticated" | undefined;
+    oauthIdentity?: {
+        provider: string;
+        subject: string;
+        name?: string | undefined;
+        email?: string | undefined;
+    } | undefined;
 }>;
 export declare const NonceCacheEntrySchema: z.ZodObject<{
     sessionId: z.ZodString;

package/dist/handshake.js

@@ -1,10 +1,21 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.NONCE_LENGTH_BYTES = exports.DEFAULT_TIMESTAMP_SKEW_SECONDS = exports.DEFAULT_SESSION_TTL_MINUTES = exports.NonceCacheConfigSchema = exports.NonceCacheEntrySchema = exports.SessionContextSchema = exports.HandshakeRequestSchema = exports.MCPClientSessionInfoSchema = exports.MCPClientInfoSchema = void 0;
+exports.NONCE_LENGTH_BYTES = exports.DEFAULT_TIMESTAMP_SKEW_SECONDS = exports.DEFAULT_SESSION_TTL_MINUTES = exports.NonceCacheConfigSchema = exports.NonceCacheEntrySchema = exports.SessionContextSchema = exports.HandshakeRequestSchema = exports.MCPClientSessionInfoSchema = exports.MCPClientInfoSchema = exports.SessionIdentityStateSchema = void 0;
 const zod_1 = require("zod");
+const schemas_1 = require("./consent/schemas");
 /**
  * Handshake and session management schemas
  */
+/**
+ * Session Identity State
+ *
+ * Tracks whether a session has been authenticated via OAuth.
+ * Phase 5: Anonymous Sessions Until OAuth
+ *
+ * - 'anonymous': No userDid assigned yet (session started without OAuth)
+ * - 'authenticated': userDid assigned via OAuth → AgentShield identity resolution
+ */
+exports.SessionIdentityStateSchema = zod_1.z.enum(["anonymous", "authenticated"]);
 const MCPClientCapabilitiesSchema = zod_1.z.record(zod_1.z.string(), zod_1.z.unknown());
 exports.MCPClientInfoSchema = zod_1.z.object({
     name: zod_1.z.string().min(1), // e.g., "Claude Desktop"
@@ -44,6 +55,17 @@ exports.SessionContextSchema = zod_1.z.object({
     clientDid: zod_1.z.string().optional(), // Client app DID (if different from agent)
     userDid: zod_1.z.string().optional(), // User DID (delegator)
     clientInfo: exports.MCPClientSessionInfoSchema.optional(), // MCP client information with negotiated metadata
+    // Phase 5: Anonymous Sessions Until OAuth
+    /**
+     * Identity state of the session
+     * @default 'anonymous' - Sessions start anonymous until OAuth completes
+     */
+    identityState: exports.SessionIdentityStateSchema.default("anonymous"),
+    /**
+     * OAuth identity information (populated after successful OAuth)
+     * Contains provider, subject, email from OAuth provider
+     */
+    oauthIdentity: schemas_1.oauthIdentitySchema.optional(),
 });
 exports.NonceCacheEntrySchema = zod_1.z.object({
     sessionId: zod_1.z.string().min(1),

package/dist/identity/index.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Identity Module
+ *
+ * Exports for OAuth identity → persistent user DID resolution.
+ * Part of Phase 5: Identity Resolution Integration
+ */
+export * from "./schemas.js";

package/dist/identity/index.js

@@ -0,0 +1,23 @@
+"use strict";
+/**
+ * Identity Module
+ *
+ * Exports for OAuth identity → persistent user DID resolution.
+ * Part of Phase 5: Identity Resolution Integration
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./schemas.js"), exports);

package/dist/identity/schemas.d.ts

@@ -0,0 +1,250 @@
+/**
+ * Identity Resolution Schemas
+ *
+ * Types and schemas for OAuth identity → persistent user DID resolution.
+ * Used by xmcp-i to call AgentShield's identity resolution endpoint.
+ *
+ * Part of Phase 5: Identity Resolution Integration
+ *
+ * @see ACCOUNT_CENTRIC_IDENTITY_AND_VC_IMPLEMENTATION.md
+ */
+import { z } from "zod";
+/**
+ * OAuth result from identity provider
+ *
+ * Contains user information from OAuth authentication flow.
+ */
+export declare const OAuthResultSchema: z.ZodObject<{
+    /** OAuth provider name (e.g., 'google', 'github', 'microsoft') */
+    provider: z.ZodString;
+    /** OAuth subject claim (unique per provider) */
+    sub: z.ZodString;
+    /** User's email from OAuth provider */
+    email: z.ZodOptional<z.ZodString>;
+    /** Whether email was verified by provider */
+    email_verified: z.ZodOptional<z.ZodBoolean>;
+    /** Display name from OAuth provider */
+    name: z.ZodOptional<z.ZodString>;
+    /** Avatar URL from OAuth provider */
+    picture: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    provider: string;
+    sub: string;
+    email?: string | undefined;
+    email_verified?: boolean | undefined;
+    name?: string | undefined;
+    picture?: string | undefined;
+}, {
+    provider: string;
+    sub: string;
+    email?: string | undefined;
+    email_verified?: boolean | undefined;
+    name?: string | undefined;
+    picture?: string | undefined;
+}>;
+export type OAuthResult = z.infer<typeof OAuthResultSchema>;
+/**
+ * Identity resolution request
+ *
+ * POST /api/v1/bouncer/identity/resolve
+ */
+export declare const IdentityResolveRequestSchema: z.ZodObject<{
+    /** Project UUID */
+    project_id: z.ZodString;
+    /** OAuth authentication result */
+    oauth_result: z.ZodObject<{
+        /** OAuth provider name (e.g., 'google', 'github', 'microsoft') */
+        provider: z.ZodString;
+        /** OAuth subject claim (unique per provider) */
+        sub: z.ZodString;
+        /** User's email from OAuth provider */
+        email: z.ZodOptional<z.ZodString>;
+        /** Whether email was verified by provider */
+        email_verified: z.ZodOptional<z.ZodBoolean>;
+        /** Display name from OAuth provider */
+        name: z.ZodOptional<z.ZodString>;
+        /** Avatar URL from OAuth provider */
+        picture: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        provider: string;
+        sub: string;
+        email?: string | undefined;
+        email_verified?: boolean | undefined;
+        name?: string | undefined;
+        picture?: string | undefined;
+    }, {
+        provider: string;
+        sub: string;
+        email?: string | undefined;
+        email_verified?: boolean | undefined;
+        name?: string | undefined;
+        picture?: string | undefined;
+    }>;
+}, "strip", z.ZodTypeAny, {
+    project_id: string;
+    oauth_result: {
+        provider: string;
+        sub: string;
+        email?: string | undefined;
+        email_verified?: boolean | undefined;
+        name?: string | undefined;
+        picture?: string | undefined;
+    };
+}, {
+    project_id: string;
+    oauth_result: {
+        provider: string;
+        sub: string;
+        email?: string | undefined;
+        email_verified?: boolean | undefined;
+        name?: string | undefined;
+        picture?: string | undefined;
+    };
+}>;
+export type IdentityResolveRequest = z.infer<typeof IdentityResolveRequestSchema>;
+/**
+ * Identity resolution response
+ *
+ * Returns the persistent user DID and account information.
+ */
+export declare const IdentityResolveResponseSchema: z.ZodObject<{
+    success: z.ZodLiteral<true>;
+    data: z.ZodObject<{
+        /** Persistent user DID (did:key:z6Mk...) */
+        user_did: z.ZodString;
+        /** User account UUID */
+        user_account_id: z.ZodString;
+        /** Whether a new account was created */
+        is_new_account: z.ZodBoolean;
+        /** Whether identity was auto-linked by email */
+        auto_linked: z.ZodBoolean;
+    }, "strip", z.ZodTypeAny, {
+        user_did: string;
+        user_account_id: string;
+        is_new_account: boolean;
+        auto_linked: boolean;
+    }, {
+        user_did: string;
+        user_account_id: string;
+        is_new_account: boolean;
+        auto_linked: boolean;
+    }>;
+    metadata: z.ZodOptional<z.ZodObject<{
+        requestId: z.ZodOptional<z.ZodString>;
+        timestamp: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        requestId?: string | undefined;
+        timestamp?: string | undefined;
+    }, {
+        requestId?: string | undefined;
+        timestamp?: string | undefined;
+    }>>;
+}, "strip", z.ZodTypeAny, {
+    success: true;
+    data: {
+        user_did: string;
+        user_account_id: string;
+        is_new_account: boolean;
+        auto_linked: boolean;
+    };
+    metadata?: {
+        requestId?: string | undefined;
+        timestamp?: string | undefined;
+    } | undefined;
+}, {
+    success: true;
+    data: {
+        user_did: string;
+        user_account_id: string;
+        is_new_account: boolean;
+        auto_linked: boolean;
+    };
+    metadata?: {
+        requestId?: string | undefined;
+        timestamp?: string | undefined;
+    } | undefined;
+}>;
+export type IdentityResolveResponse = z.infer<typeof IdentityResolveResponseSchema>;
+/**
+ * Identity resolution error response
+ */
+export declare const IdentityResolveErrorSchema: z.ZodObject<{
+    success: z.ZodLiteral<false>;
+    error: z.ZodObject<{
+        code: z.ZodString;
+        message: z.ZodString;
+        details: z.ZodOptional<z.ZodArray<z.ZodObject<{
+            path: z.ZodString;
+            message: z.ZodString;
+        }, "strip", z.ZodTypeAny, {
+            path: string;
+            message: string;
+        }, {
+            path: string;
+            message: string;
+        }>, "many">>;
+    }, "strip", z.ZodTypeAny, {
+        code: string;
+        message: string;
+        details?: {
+            path: string;
+            message: string;
+        }[] | undefined;
+    }, {
+        code: string;
+        message: string;
+        details?: {
+            path: string;
+            message: string;
+        }[] | undefined;
+    }>;
+}, "strip", z.ZodTypeAny, {
+    success: false;
+    error: {
+        code: string;
+        message: string;
+        details?: {
+            path: string;
+            message: string;
+        }[] | undefined;
+    };
+}, {
+    success: false;
+    error: {
+        code: string;
+        message: string;
+        details?: {
+            path: string;
+            message: string;
+        }[] | undefined;
+    };
+}>;
+export type IdentityResolveError = z.infer<typeof IdentityResolveErrorSchema>;
+/**
+ * Parse and validate identity resolution request
+ */
+export declare function parseIdentityResolveRequest(data: unknown): IdentityResolveRequest;
+/**
+ * Safely validate identity resolution request
+ */
+export declare function safeParseIdentityResolveRequest(data: unknown): {
+    success: true;
+    data: IdentityResolveRequest;
+} | {
+    success: false;
+    error: z.ZodError;
+};
+/**
+ * Parse and validate identity resolution response
+ */
+export declare function parseIdentityResolveResponse(data: unknown): IdentityResolveResponse;
+/**
+ * Safely validate identity resolution response
+ */
+export declare function safeParseIdentityResolveResponse(data: unknown): {
+    success: true;
+    data: IdentityResolveResponse;
+} | {
+    success: false;
+    error: z.ZodError;
+};

package/dist/identity/schemas.js

@@ -0,0 +1,115 @@
+"use strict";
+/**
+ * Identity Resolution Schemas
+ *
+ * Types and schemas for OAuth identity → persistent user DID resolution.
+ * Used by xmcp-i to call AgentShield's identity resolution endpoint.
+ *
+ * Part of Phase 5: Identity Resolution Integration
+ *
+ * @see ACCOUNT_CENTRIC_IDENTITY_AND_VC_IMPLEMENTATION.md
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.IdentityResolveErrorSchema = exports.IdentityResolveResponseSchema = exports.IdentityResolveRequestSchema = exports.OAuthResultSchema = void 0;
+exports.parseIdentityResolveRequest = parseIdentityResolveRequest;
+exports.safeParseIdentityResolveRequest = safeParseIdentityResolveRequest;
+exports.parseIdentityResolveResponse = parseIdentityResolveResponse;
+exports.safeParseIdentityResolveResponse = safeParseIdentityResolveResponse;
+const zod_1 = require("zod");
+/**
+ * OAuth result from identity provider
+ *
+ * Contains user information from OAuth authentication flow.
+ */
+exports.OAuthResultSchema = zod_1.z.object({
+    /** OAuth provider name (e.g., 'google', 'github', 'microsoft') */
+    provider: zod_1.z.string().min(1, "Provider is required"),
+    /** OAuth subject claim (unique per provider) */
+    sub: zod_1.z.string().min(1, "Subject claim is required"),
+    /** User's email from OAuth provider */
+    email: zod_1.z.string().email().optional(),
+    /** Whether email was verified by provider */
+    email_verified: zod_1.z.boolean().optional(),
+    /** Display name from OAuth provider */
+    name: zod_1.z.string().optional(),
+    /** Avatar URL from OAuth provider */
+    picture: zod_1.z.string().url().optional(),
+});
+/**
+ * Identity resolution request
+ *
+ * POST /api/v1/bouncer/identity/resolve
+ */
+exports.IdentityResolveRequestSchema = zod_1.z.object({
+    /** Project UUID */
+    project_id: zod_1.z.string().uuid("Invalid project ID format"),
+    /** OAuth authentication result */
+    oauth_result: exports.OAuthResultSchema,
+});
+/**
+ * Identity resolution response
+ *
+ * Returns the persistent user DID and account information.
+ */
+exports.IdentityResolveResponseSchema = zod_1.z.object({
+    success: zod_1.z.literal(true),
+    data: zod_1.z.object({
+        /** Persistent user DID (did:key:z6Mk...) */
+        user_did: zod_1.z.string().regex(/^did:(key|web):.+$/, "Invalid user DID format"),
+        /** User account UUID */
+        user_account_id: zod_1.z.string().uuid(),
+        /** Whether a new account was created */
+        is_new_account: zod_1.z.boolean(),
+        /** Whether identity was auto-linked by email */
+        auto_linked: zod_1.z.boolean(),
+    }),
+    metadata: zod_1.z
+        .object({
+        requestId: zod_1.z.string().optional(),
+        timestamp: zod_1.z.string().datetime().optional(),
+    })
+        .optional(),
+});
+/**
+ * Identity resolution error response
+ */
+exports.IdentityResolveErrorSchema = zod_1.z.object({
+    success: zod_1.z.literal(false),
+    error: zod_1.z.object({
+        code: zod_1.z.string(),
+        message: zod_1.z.string(),
+        details: zod_1.z.array(zod_1.z.object({ path: zod_1.z.string(), message: zod_1.z.string() })).optional(),
+    }),
+});
+/**
+ * Parse and validate identity resolution request
+ */
+function parseIdentityResolveRequest(data) {
+    return exports.IdentityResolveRequestSchema.parse(data);
+}
+/**
+ * Safely validate identity resolution request
+ */
+function safeParseIdentityResolveRequest(data) {
+    const result = exports.IdentityResolveRequestSchema.safeParse(data);
+    if (result.success) {
+        return { success: true, data: result.data };
+    }
+    return { success: false, error: result.error };
+}
+/**
+ * Parse and validate identity resolution response
+ */
+function parseIdentityResolveResponse(data) {
+    return exports.IdentityResolveResponseSchema.parse(data);
+}
+/**
+ * Safely validate identity resolution response
+ */
+function safeParseIdentityResolveResponse(data) {
+    const result = exports.IdentityResolveResponseSchema.safeParse(data);
+    if (result.success) {
+        return { success: true, data: result.data };
+    }
+    return { success: false, error: result.error };
+}

package/dist/index.js

@@ -55,3 +55,4 @@ exports.SUPPORTED_XMCP_I_VERSION = "^1.0.0";
 // import { ... } from '@kya-os/contracts/agentshield-api'
 // import { ... } from '@kya-os/contracts/tool-protection'
 // import { ... } from '@kya-os/contracts/well-known'
+// import { ... } from '@kya-os/contracts/identity'  // Phase 5: Identity resolution

package/dist/tool-protection/index.d.ts

@@ -553,12 +553,12 @@ export declare const ToolProtectionResponseSchema: z.ZodObject<{
         source: z.ZodOptional<z.ZodString>;
     }, "strip", z.ZodTypeAny, {
         version?: string | undefined;
-        source?: string | undefined;
         lastUpdated?: string | undefined;
+        source?: string | undefined;
     }, {
         version?: string | undefined;
-        source?: string | undefined;
         lastUpdated?: string | undefined;
+        source?: string | undefined;
     }>>;
 }, "strip", z.ZodTypeAny, {
     toolProtections: Record<string, {
@@ -588,8 +588,8 @@ export declare const ToolProtectionResponseSchema: z.ZodObject<{
     }>;
     metadata?: {
         version?: string | undefined;
-        source?: string | undefined;
         lastUpdated?: string | undefined;
+        source?: string | undefined;
     } | undefined;
 }, {
     toolProtections: Record<string, {
@@ -619,8 +619,8 @@ export declare const ToolProtectionResponseSchema: z.ZodObject<{
     }>;
     metadata?: {
         version?: string | undefined;
-        source?: string | undefined;
         lastUpdated?: string | undefined;
+        source?: string | undefined;
     } | undefined;
 }>;
 export declare const DelegationRequiredErrorDataSchema: z.ZodObject<{
@@ -632,14 +632,14 @@ export declare const DelegationRequiredErrorDataSchema: z.ZodObject<{
 }, "strip", z.ZodTypeAny, {
     requiredScopes: string[];
     toolName: string;
-    authorizationUrl?: string | undefined;
     reason?: string | undefined;
+    authorizationUrl?: string | undefined;
     consentUrl?: string | undefined;
 }, {
     requiredScopes: string[];
     toolName: string;
-    authorizationUrl?: string | undefined;
     reason?: string | undefined;
+    authorizationUrl?: string | undefined;
     consentUrl?: string | undefined;
 }>;
 /**