@kya-os/contracts 1.6.3 → 1.6.5

package/dist/audit/index.d.ts

@@ -72,8 +72,8 @@ export declare const AuditContextSchema: z.ZodObject<{
         [k: string]: unknown;
     };
     session: {
-        audience: string;
         sessionId: string;
+        audience: string;
     } & {
         [k: string]: unknown;
     };
@@ -89,8 +89,8 @@ export declare const AuditContextSchema: z.ZodObject<{
         [k: string]: unknown;
     };
     session: {
-        audience: string;
         sessionId: string;
+        audience: string;
     } & {
         [k: string]: unknown;
     };
@@ -160,8 +160,8 @@ export declare const AuditEventContextSchema: z.ZodObject<{
         [k: string]: unknown;
     };
     session: {
-        audience: string;
         sessionId: string;
+        audience: string;
     } & {
         [k: string]: unknown;
     };
@@ -175,8 +175,8 @@ export declare const AuditEventContextSchema: z.ZodObject<{
         [k: string]: unknown;
     };
     session: {
-        audience: string;
         sessionId: string;
+        audience: string;
     } & {
         [k: string]: unknown;
     };

package/dist/config/identity.d.ts

@@ -74,6 +74,219 @@ export interface RuntimeIdentityConfig {
      */
     userDidStorage?: "ephemeral" | "persistent";
 }
+/**
+ * Auth Provider Type
+ *
+ * Discriminator for provider configuration types.
+ */
+export type AuthProviderType = "oauth2" | "credential";
+/**
+ * Base Provider Configuration
+ *
+ * Common fields shared by all provider types.
+ */
+export interface BaseProviderConfig {
+    /** Provider type discriminator */
+    type: AuthProviderType;
+    /** Human-readable display name for the provider */
+    displayName?: string;
+}
+/**
+ * Credential Provider Configuration
+ *
+ * Configuration for credential-based authentication (email/password).
+ * Used for customers who don't use OAuth and want direct login.
+ */
+export interface CredentialProviderConfig extends BaseProviderConfig {
+    type: "credential";
+    /** Authentication endpoint URL to POST credentials */
+    authEndpoint: string;
+    /**
+     * Request body template mapping form fields to API fields
+     * Use {{fieldName}} placeholders that will be replaced with form values
+     * @example { email: "{{email}}", password: "{{password}}" }
+     */
+    requestBodyTemplate: Record<string, string>;
+    /**
+     * Response field mappings to extract data from auth response
+     */
+    responseFields: {
+        /** JSON path to session token, or "cookie" to extract from Set-Cookie header */
+        sessionToken: string;
+        /** JSON path to user ID (optional) */
+        userId?: string;
+        /** JSON path to user email (optional) */
+        userEmail?: string;
+        /** JSON path to user display name (optional) */
+        userDisplayName?: string;
+        /** JSON path to token expiration in seconds (optional) */
+        expiresIn?: string;
+    };
+    /**
+     * Success validation configuration
+     * Checks if a field in the response matches an expected value
+     */
+    successCheck?: {
+        /** JSON path to check in response */
+        path: string;
+        /** Expected value (string, boolean, or number) */
+        expectedValue: string | boolean | number;
+    };
+    /** Custom headers to include in auth request */
+    headers?: Record<string, string>;
+    /**
+     * How to use the token for subsequent API calls
+     * - "cookie": Send as Cookie header
+     * - "bearer": Send as Authorization: Bearer xxx
+     * - "header": Send as custom header (specify tokenHeader)
+     * @default "cookie"
+     */
+    tokenUsage?: "cookie" | "bearer" | "header";
+    /** Custom header name when tokenUsage is "header" */
+    tokenHeader?: string;
+    /**
+     * Cookie format template when tokenUsage is "cookie"
+     * Use {{token}} placeholder for the token value
+     * @example "CIX={{token}}; customerCookie={{token}}"
+     */
+    cookieFormat?: string;
+    /** Additional headers to include in subsequent API calls */
+    apiHeaders?: Record<string, string>;
+    /**
+     * Consent page customization overrides
+     */
+    consentOverrides?: {
+        branding?: Record<string, unknown>;
+        formTitle?: string;
+        formDescription?: string;
+        identityFieldLabel?: string;
+        passwordFieldLabel?: string;
+        submitButtonText?: string;
+    };
+}
+/**
+ * Zod schema for CredentialProviderConfig validation
+ */
+export declare const CredentialProviderConfigSchema: z.ZodObject<{
+    type: z.ZodLiteral<"credential">;
+    displayName: z.ZodOptional<z.ZodString>;
+    authEndpoint: z.ZodString;
+    requestBodyTemplate: z.ZodRecord<z.ZodString, z.ZodString>;
+    responseFields: z.ZodObject<{
+        sessionToken: z.ZodString;
+        userId: z.ZodOptional<z.ZodString>;
+        userEmail: z.ZodOptional<z.ZodString>;
+        userDisplayName: z.ZodOptional<z.ZodString>;
+        expiresIn: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        sessionToken: string;
+        userId?: string | undefined;
+        userEmail?: string | undefined;
+        userDisplayName?: string | undefined;
+        expiresIn?: string | undefined;
+    }, {
+        sessionToken: string;
+        userId?: string | undefined;
+        userEmail?: string | undefined;
+        userDisplayName?: string | undefined;
+        expiresIn?: string | undefined;
+    }>;
+    successCheck: z.ZodOptional<z.ZodObject<{
+        path: z.ZodString;
+        expectedValue: z.ZodUnion<[z.ZodString, z.ZodBoolean, z.ZodNumber]>;
+    }, "strip", z.ZodTypeAny, {
+        path: string;
+        expectedValue: string | number | boolean;
+    }, {
+        path: string;
+        expectedValue: string | number | boolean;
+    }>>;
+    headers: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
+    tokenUsage: z.ZodOptional<z.ZodEnum<["cookie", "bearer", "header"]>>;
+    tokenHeader: z.ZodOptional<z.ZodString>;
+    cookieFormat: z.ZodOptional<z.ZodString>;
+    apiHeaders: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
+    consentOverrides: z.ZodOptional<z.ZodObject<{
+        branding: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+        formTitle: z.ZodOptional<z.ZodString>;
+        formDescription: z.ZodOptional<z.ZodString>;
+        identityFieldLabel: z.ZodOptional<z.ZodString>;
+        passwordFieldLabel: z.ZodOptional<z.ZodString>;
+        submitButtonText: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        branding?: Record<string, unknown> | undefined;
+        formTitle?: string | undefined;
+        formDescription?: string | undefined;
+        identityFieldLabel?: string | undefined;
+        passwordFieldLabel?: string | undefined;
+        submitButtonText?: string | undefined;
+    }, {
+        branding?: Record<string, unknown> | undefined;
+        formTitle?: string | undefined;
+        formDescription?: string | undefined;
+        identityFieldLabel?: string | undefined;
+        passwordFieldLabel?: string | undefined;
+        submitButtonText?: string | undefined;
+    }>>;
+}, "strip", z.ZodTypeAny, {
+    type: "credential";
+    authEndpoint: string;
+    requestBodyTemplate: Record<string, string>;
+    responseFields: {
+        sessionToken: string;
+        userId?: string | undefined;
+        userEmail?: string | undefined;
+        userDisplayName?: string | undefined;
+        expiresIn?: string | undefined;
+    };
+    displayName?: string | undefined;
+    successCheck?: {
+        path: string;
+        expectedValue: string | number | boolean;
+    } | undefined;
+    headers?: Record<string, string> | undefined;
+    tokenUsage?: "cookie" | "bearer" | "header" | undefined;
+    tokenHeader?: string | undefined;
+    cookieFormat?: string | undefined;
+    apiHeaders?: Record<string, string> | undefined;
+    consentOverrides?: {
+        branding?: Record<string, unknown> | undefined;
+        formTitle?: string | undefined;
+        formDescription?: string | undefined;
+        identityFieldLabel?: string | undefined;
+        passwordFieldLabel?: string | undefined;
+        submitButtonText?: string | undefined;
+    } | undefined;
+}, {
+    type: "credential";
+    authEndpoint: string;
+    requestBodyTemplate: Record<string, string>;
+    responseFields: {
+        sessionToken: string;
+        userId?: string | undefined;
+        userEmail?: string | undefined;
+        userDisplayName?: string | undefined;
+        expiresIn?: string | undefined;
+    };
+    displayName?: string | undefined;
+    successCheck?: {
+        path: string;
+        expectedValue: string | number | boolean;
+    } | undefined;
+    headers?: Record<string, string> | undefined;
+    tokenUsage?: "cookie" | "bearer" | "header" | undefined;
+    tokenHeader?: string | undefined;
+    cookieFormat?: string | undefined;
+    apiHeaders?: Record<string, string> | undefined;
+    consentOverrides?: {
+        branding?: Record<string, unknown> | undefined;
+        formTitle?: string | undefined;
+        formDescription?: string | undefined;
+        identityFieldLabel?: string | undefined;
+        passwordFieldLabel?: string | undefined;
+        submitButtonText?: string | undefined;
+    } | undefined;
+}>;
 /**
  * OAuth Provider Configuration
  *
@@ -155,9 +368,9 @@ export declare const OAuthProviderSchema: z.ZodObject<{
     requiresClientSecret: boolean;
     responseType: string;
     grantType: string;
-    scopes?: string[] | undefined;
     clientSecret?: string | null | undefined;
     userInfoUrl?: string | undefined;
+    scopes?: string[] | undefined;
     defaultScopes?: string[] | undefined;
     proxyMode?: boolean | undefined;
     customParams?: Record<string, string> | undefined;
@@ -168,9 +381,9 @@ export declare const OAuthProviderSchema: z.ZodObject<{
     tokenUrl: string;
     supportsPKCE: boolean;
     requiresClientSecret: boolean;
-    scopes?: string[] | undefined;
     clientSecret?: string | null | undefined;
     userInfoUrl?: string | undefined;
+    scopes?: string[] | undefined;
     defaultScopes?: string[] | undefined;
     proxyMode?: boolean | undefined;
     customParams?: Record<string, string> | undefined;
@@ -205,9 +418,9 @@ export declare const OAuthConfigSchema: z.ZodObject<{
         requiresClientSecret: boolean;
         responseType: string;
         grantType: string;
-        scopes?: string[] | undefined;
         clientSecret?: string | null | undefined;
         userInfoUrl?: string | undefined;
+        scopes?: string[] | undefined;
         defaultScopes?: string[] | undefined;
         proxyMode?: boolean | undefined;
         customParams?: Record<string, string> | undefined;
@@ -218,9 +431,9 @@ export declare const OAuthConfigSchema: z.ZodObject<{
         tokenUrl: string;
         supportsPKCE: boolean;
         requiresClientSecret: boolean;
-        scopes?: string[] | undefined;
         clientSecret?: string | null | undefined;
         userInfoUrl?: string | undefined;
+        scopes?: string[] | undefined;
         defaultScopes?: string[] | undefined;
         proxyMode?: boolean | undefined;
         customParams?: Record<string, string> | undefined;
@@ -238,9 +451,9 @@ export declare const OAuthConfigSchema: z.ZodObject<{
         requiresClientSecret: boolean;
         responseType: string;
         grantType: string;
-        scopes?: string[] | undefined;
         clientSecret?: string | null | undefined;
         userInfoUrl?: string | undefined;
+        scopes?: string[] | undefined;
         defaultScopes?: string[] | undefined;
         proxyMode?: boolean | undefined;
         customParams?: Record<string, string> | undefined;
@@ -254,9 +467,9 @@ export declare const OAuthConfigSchema: z.ZodObject<{
         tokenUrl: string;
         supportsPKCE: boolean;
         requiresClientSecret: boolean;
-        scopes?: string[] | undefined;
         clientSecret?: string | null | undefined;
         userInfoUrl?: string | undefined;
+        scopes?: string[] | undefined;
         defaultScopes?: string[] | undefined;
         proxyMode?: boolean | undefined;
         customParams?: Record<string, string> | undefined;
@@ -266,6 +479,264 @@ export declare const OAuthConfigSchema: z.ZodObject<{
     }>;
     configuredProvider?: string | null | undefined;
 }>;
+/**
+ * OAuth2 Provider Configuration (explicit type for discriminated union)
+ *
+ * Wrapper around OAuthProvider with explicit type discriminator.
+ */
+export interface OAuth2ProviderConfig extends BaseProviderConfig {
+    type: "oauth2";
+    clientId: string;
+    clientSecret?: string | null;
+    authorizationUrl: string;
+    tokenUrl: string;
+    userInfoUrl?: string;
+    supportsPKCE: boolean;
+    requiresClientSecret: boolean;
+    scopes?: string[];
+    defaultScopes?: string[];
+    proxyMode?: boolean;
+    customParams?: Record<string, string>;
+    tokenEndpointAuthMethod?: "client_secret_post" | "client_secret_basic";
+    responseType?: string;
+    grantType?: string;
+}
+/**
+ * Zod schema for OAuth2ProviderConfig validation
+ */
+export declare const OAuth2ProviderConfigSchema: z.ZodObject<{
+    type: z.ZodLiteral<"oauth2">;
+    displayName: z.ZodOptional<z.ZodString>;
+    clientId: z.ZodString;
+    clientSecret: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+    authorizationUrl: z.ZodString;
+    tokenUrl: z.ZodString;
+    userInfoUrl: z.ZodOptional<z.ZodString>;
+    supportsPKCE: z.ZodBoolean;
+    requiresClientSecret: z.ZodBoolean;
+    scopes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    defaultScopes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    proxyMode: z.ZodOptional<z.ZodBoolean>;
+    customParams: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
+    tokenEndpointAuthMethod: z.ZodOptional<z.ZodEnum<["client_secret_post", "client_secret_basic"]>>;
+    responseType: z.ZodDefault<z.ZodOptional<z.ZodString>>;
+    grantType: z.ZodDefault<z.ZodOptional<z.ZodString>>;
+}, "strip", z.ZodTypeAny, {
+    type: "oauth2";
+    clientId: string;
+    authorizationUrl: string;
+    tokenUrl: string;
+    supportsPKCE: boolean;
+    requiresClientSecret: boolean;
+    responseType: string;
+    grantType: string;
+    displayName?: string | undefined;
+    clientSecret?: string | null | undefined;
+    userInfoUrl?: string | undefined;
+    scopes?: string[] | undefined;
+    defaultScopes?: string[] | undefined;
+    proxyMode?: boolean | undefined;
+    customParams?: Record<string, string> | undefined;
+    tokenEndpointAuthMethod?: "client_secret_post" | "client_secret_basic" | undefined;
+}, {
+    type: "oauth2";
+    clientId: string;
+    authorizationUrl: string;
+    tokenUrl: string;
+    supportsPKCE: boolean;
+    requiresClientSecret: boolean;
+    displayName?: string | undefined;
+    clientSecret?: string | null | undefined;
+    userInfoUrl?: string | undefined;
+    scopes?: string[] | undefined;
+    defaultScopes?: string[] | undefined;
+    proxyMode?: boolean | undefined;
+    customParams?: Record<string, string> | undefined;
+    tokenEndpointAuthMethod?: "client_secret_post" | "client_secret_basic" | undefined;
+    responseType?: string | undefined;
+    grantType?: string | undefined;
+}>;
+/**
+ * Unified Auth Provider Type
+ *
+ * Discriminated union of all supported authentication provider types.
+ * Use `type` field to determine which configuration shape to expect.
+ */
+export type AuthProvider = OAuth2ProviderConfig | CredentialProviderConfig;
+/**
+ * Zod schema for AuthProvider validation (discriminated union)
+ */
+export declare const AuthProviderSchema: z.ZodDiscriminatedUnion<"type", [z.ZodObject<{
+    type: z.ZodLiteral<"oauth2">;
+    displayName: z.ZodOptional<z.ZodString>;
+    clientId: z.ZodString;
+    clientSecret: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+    authorizationUrl: z.ZodString;
+    tokenUrl: z.ZodString;
+    userInfoUrl: z.ZodOptional<z.ZodString>;
+    supportsPKCE: z.ZodBoolean;
+    requiresClientSecret: z.ZodBoolean;
+    scopes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    defaultScopes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    proxyMode: z.ZodOptional<z.ZodBoolean>;
+    customParams: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
+    tokenEndpointAuthMethod: z.ZodOptional<z.ZodEnum<["client_secret_post", "client_secret_basic"]>>;
+    responseType: z.ZodDefault<z.ZodOptional<z.ZodString>>;
+    grantType: z.ZodDefault<z.ZodOptional<z.ZodString>>;
+}, "strip", z.ZodTypeAny, {
+    type: "oauth2";
+    clientId: string;
+    authorizationUrl: string;
+    tokenUrl: string;
+    supportsPKCE: boolean;
+    requiresClientSecret: boolean;
+    responseType: string;
+    grantType: string;
+    displayName?: string | undefined;
+    clientSecret?: string | null | undefined;
+    userInfoUrl?: string | undefined;
+    scopes?: string[] | undefined;
+    defaultScopes?: string[] | undefined;
+    proxyMode?: boolean | undefined;
+    customParams?: Record<string, string> | undefined;
+    tokenEndpointAuthMethod?: "client_secret_post" | "client_secret_basic" | undefined;
+}, {
+    type: "oauth2";
+    clientId: string;
+    authorizationUrl: string;
+    tokenUrl: string;
+    supportsPKCE: boolean;
+    requiresClientSecret: boolean;
+    displayName?: string | undefined;
+    clientSecret?: string | null | undefined;
+    userInfoUrl?: string | undefined;
+    scopes?: string[] | undefined;
+    defaultScopes?: string[] | undefined;
+    proxyMode?: boolean | undefined;
+    customParams?: Record<string, string> | undefined;
+    tokenEndpointAuthMethod?: "client_secret_post" | "client_secret_basic" | undefined;
+    responseType?: string | undefined;
+    grantType?: string | undefined;
+}>, z.ZodObject<{
+    type: z.ZodLiteral<"credential">;
+    displayName: z.ZodOptional<z.ZodString>;
+    authEndpoint: z.ZodString;
+    requestBodyTemplate: z.ZodRecord<z.ZodString, z.ZodString>;
+    responseFields: z.ZodObject<{
+        sessionToken: z.ZodString;
+        userId: z.ZodOptional<z.ZodString>;
+        userEmail: z.ZodOptional<z.ZodString>;
+        userDisplayName: z.ZodOptional<z.ZodString>;
+        expiresIn: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        sessionToken: string;
+        userId?: string | undefined;
+        userEmail?: string | undefined;
+        userDisplayName?: string | undefined;
+        expiresIn?: string | undefined;
+    }, {
+        sessionToken: string;
+        userId?: string | undefined;
+        userEmail?: string | undefined;
+        userDisplayName?: string | undefined;
+        expiresIn?: string | undefined;
+    }>;
+    successCheck: z.ZodOptional<z.ZodObject<{
+        path: z.ZodString;
+        expectedValue: z.ZodUnion<[z.ZodString, z.ZodBoolean, z.ZodNumber]>;
+    }, "strip", z.ZodTypeAny, {
+        path: string;
+        expectedValue: string | number | boolean;
+    }, {
+        path: string;
+        expectedValue: string | number | boolean;
+    }>>;
+    headers: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
+    tokenUsage: z.ZodOptional<z.ZodEnum<["cookie", "bearer", "header"]>>;
+    tokenHeader: z.ZodOptional<z.ZodString>;
+    cookieFormat: z.ZodOptional<z.ZodString>;
+    apiHeaders: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
+    consentOverrides: z.ZodOptional<z.ZodObject<{
+        branding: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+        formTitle: z.ZodOptional<z.ZodString>;
+        formDescription: z.ZodOptional<z.ZodString>;
+        identityFieldLabel: z.ZodOptional<z.ZodString>;
+        passwordFieldLabel: z.ZodOptional<z.ZodString>;
+        submitButtonText: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        branding?: Record<string, unknown> | undefined;
+        formTitle?: string | undefined;
+        formDescription?: string | undefined;
+        identityFieldLabel?: string | undefined;
+        passwordFieldLabel?: string | undefined;
+        submitButtonText?: string | undefined;
+    }, {
+        branding?: Record<string, unknown> | undefined;
+        formTitle?: string | undefined;
+        formDescription?: string | undefined;
+        identityFieldLabel?: string | undefined;
+        passwordFieldLabel?: string | undefined;
+        submitButtonText?: string | undefined;
+    }>>;
+}, "strip", z.ZodTypeAny, {
+    type: "credential";
+    authEndpoint: string;
+    requestBodyTemplate: Record<string, string>;
+    responseFields: {
+        sessionToken: string;
+        userId?: string | undefined;
+        userEmail?: string | undefined;
+        userDisplayName?: string | undefined;
+        expiresIn?: string | undefined;
+    };
+    displayName?: string | undefined;
+    successCheck?: {
+        path: string;
+        expectedValue: string | number | boolean;
+    } | undefined;
+    headers?: Record<string, string> | undefined;
+    tokenUsage?: "cookie" | "bearer" | "header" | undefined;
+    tokenHeader?: string | undefined;
+    cookieFormat?: string | undefined;
+    apiHeaders?: Record<string, string> | undefined;
+    consentOverrides?: {
+        branding?: Record<string, unknown> | undefined;
+        formTitle?: string | undefined;
+        formDescription?: string | undefined;
+        identityFieldLabel?: string | undefined;
+        passwordFieldLabel?: string | undefined;
+        submitButtonText?: string | undefined;
+    } | undefined;
+}, {
+    type: "credential";
+    authEndpoint: string;
+    requestBodyTemplate: Record<string, string>;
+    responseFields: {
+        sessionToken: string;
+        userId?: string | undefined;
+        userEmail?: string | undefined;
+        userDisplayName?: string | undefined;
+        expiresIn?: string | undefined;
+    };
+    displayName?: string | undefined;
+    successCheck?: {
+        path: string;
+        expectedValue: string | number | boolean;
+    } | undefined;
+    headers?: Record<string, string> | undefined;
+    tokenUsage?: "cookie" | "bearer" | "header" | undefined;
+    tokenHeader?: string | undefined;
+    cookieFormat?: string | undefined;
+    apiHeaders?: Record<string, string> | undefined;
+    consentOverrides?: {
+        branding?: Record<string, unknown> | undefined;
+        formTitle?: string | undefined;
+        formDescription?: string | undefined;
+        identityFieldLabel?: string | undefined;
+        passwordFieldLabel?: string | undefined;
+        submitButtonText?: string | undefined;
+    } | undefined;
+}>]>;
 /**
  * IDP Tokens
  *

package/dist/config/identity.js

@@ -8,8 +8,45 @@
  * @module @kya-os/contracts/config
  */
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.OAuthConfigSchema = exports.OAuthProviderSchema = void 0;
+exports.AuthProviderSchema = exports.OAuth2ProviderConfigSchema = exports.OAuthConfigSchema = exports.OAuthProviderSchema = exports.CredentialProviderConfigSchema = void 0;
 const zod_1 = require("zod");
+/**
+ * Zod schema for CredentialProviderConfig validation
+ */
+exports.CredentialProviderConfigSchema = zod_1.z.object({
+    type: zod_1.z.literal("credential"),
+    displayName: zod_1.z.string().optional(),
+    authEndpoint: zod_1.z.string().url(),
+    requestBodyTemplate: zod_1.z.record(zod_1.z.string()),
+    responseFields: zod_1.z.object({
+        sessionToken: zod_1.z.string(),
+        userId: zod_1.z.string().optional(),
+        userEmail: zod_1.z.string().optional(),
+        userDisplayName: zod_1.z.string().optional(),
+        expiresIn: zod_1.z.string().optional(),
+    }),
+    successCheck: zod_1.z
+        .object({
+        path: zod_1.z.string(),
+        expectedValue: zod_1.z.union([zod_1.z.string(), zod_1.z.boolean(), zod_1.z.number()]),
+    })
+        .optional(),
+    headers: zod_1.z.record(zod_1.z.string()).optional(),
+    tokenUsage: zod_1.z.enum(["cookie", "bearer", "header"]).optional(),
+    tokenHeader: zod_1.z.string().optional(),
+    cookieFormat: zod_1.z.string().optional(),
+    apiHeaders: zod_1.z.record(zod_1.z.string()).optional(),
+    consentOverrides: zod_1.z
+        .object({
+        branding: zod_1.z.record(zod_1.z.unknown()).optional(),
+        formTitle: zod_1.z.string().optional(),
+        formDescription: zod_1.z.string().optional(),
+        identityFieldLabel: zod_1.z.string().optional(),
+        passwordFieldLabel: zod_1.z.string().optional(),
+        submitButtonText: zod_1.z.string().optional(),
+    })
+        .optional(),
+});
 /**
  * Zod schema for OAuthProvider validation
  */
@@ -37,3 +74,33 @@ exports.OAuthConfigSchema = zod_1.z.object({
     providers: zod_1.z.record(zod_1.z.string(), exports.OAuthProviderSchema),
     configuredProvider: zod_1.z.string().nullable().optional(),
 });
+/**
+ * Zod schema for OAuth2ProviderConfig validation
+ */
+exports.OAuth2ProviderConfigSchema = zod_1.z.object({
+    type: zod_1.z.literal("oauth2"),
+    displayName: zod_1.z.string().optional(),
+    clientId: zod_1.z.string().min(1),
+    clientSecret: zod_1.z.string().nullable().optional(),
+    authorizationUrl: zod_1.z.string().url(),
+    tokenUrl: zod_1.z.string().url(),
+    userInfoUrl: zod_1.z.string().url().optional(),
+    supportsPKCE: zod_1.z.boolean(),
+    requiresClientSecret: zod_1.z.boolean(),
+    scopes: zod_1.z.array(zod_1.z.string()).optional(),
+    defaultScopes: zod_1.z.array(zod_1.z.string()).optional(),
+    proxyMode: zod_1.z.boolean().optional(),
+    customParams: zod_1.z.record(zod_1.z.string()).optional(),
+    tokenEndpointAuthMethod: zod_1.z
+        .enum(["client_secret_post", "client_secret_basic"])
+        .optional(),
+    responseType: zod_1.z.string().optional().default("code"),
+    grantType: zod_1.z.string().optional().default("authorization_code"),
+});
+/**
+ * Zod schema for AuthProvider validation (discriminated union)
+ */
+exports.AuthProviderSchema = zod_1.z.discriminatedUnion("type", [
+    exports.OAuth2ProviderConfigSchema,
+    exports.CredentialProviderConfigSchema,
+]);

package/dist/config/index.d.ts

@@ -12,7 +12,7 @@ import type { ProofingConfig } from "./proofing.js";
 import type { DelegationConfig } from "./delegation.js";
 import type { ToolProtectionSourceConfig } from "./tool-protection.js";
 export { MCPIBaseConfig } from "./base.js";
-export { RuntimeIdentityConfig, AgentIdentity, OAuthProvider, OAuthConfig, IdpTokens, } from "./identity.js";
+export { RuntimeIdentityConfig, AgentIdentity, OAuthProvider, OAuthConfig, IdpTokens, AuthProviderType, BaseProviderConfig, CredentialProviderConfig, CredentialProviderConfigSchema, OAuth2ProviderConfig, OAuth2ProviderConfigSchema, AuthProvider, AuthProviderSchema, } from "./identity.js";
 export type { ToolExecutionContext } from "./tool-context.js";
 /**
  * @deprecated Use RuntimeIdentityConfig instead

package/dist/config/index.js

@@ -8,7 +8,12 @@
  * @module @kya-os/contracts/config
  */
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.buildBaseConfig = void 0;
+exports.buildBaseConfig = exports.AuthProviderSchema = exports.OAuth2ProviderConfigSchema = exports.CredentialProviderConfigSchema = void 0;
+// Identity configuration
+var identity_js_1 = require("./identity.js");
+Object.defineProperty(exports, "CredentialProviderConfigSchema", { enumerable: true, get: function () { return identity_js_1.CredentialProviderConfigSchema; } });
+Object.defineProperty(exports, "OAuth2ProviderConfigSchema", { enumerable: true, get: function () { return identity_js_1.OAuth2ProviderConfigSchema; } });
+Object.defineProperty(exports, "AuthProviderSchema", { enumerable: true, get: function () { return identity_js_1.AuthProviderSchema; } });
 // Configuration builder utilities
 var builder_js_1 = require("./builder.js");
 Object.defineProperty(exports, "buildBaseConfig", { enumerable: true, get: function () { return builder_js_1.buildBaseConfig; } });