@kya-os/contracts 1.6.7 → 1.6.9

package/dist/agentshield-api/schemas.d.ts

@@ -464,6 +464,7 @@ export declare const verifyDelegationRequestSchema: z.ZodObject<{
     scopes: z.ZodOptional<z.ZodOptional<z.ZodArray<z.ZodString, "many">>>;
     timestamp: z.ZodOptional<z.ZodNumber>;
     agent_did: z.ZodString;
+    user_did: z.ZodOptional<z.ZodString>;
     credential_jwt: z.ZodOptional<z.ZodString>;
     delegation_token: z.ZodOptional<z.ZodString>;
     client_info: z.ZodOptional<z.ZodObject<{
@@ -483,6 +484,7 @@ export declare const verifyDelegationRequestSchema: z.ZodObject<{
     agent_did: string;
     scopes?: string[] | undefined;
     timestamp?: number | undefined;
+    user_did?: string | undefined;
     credential_jwt?: string | undefined;
     delegation_token?: string | undefined;
     client_info?: {
@@ -494,6 +496,7 @@ export declare const verifyDelegationRequestSchema: z.ZodObject<{
     agent_did: string;
     scopes?: string[] | undefined;
     timestamp?: number | undefined;
+    user_did?: string | undefined;
     credential_jwt?: string | undefined;
     delegation_token?: string | undefined;
     client_info?: {

package/dist/agentshield-api/schemas.js

@@ -129,6 +129,9 @@ exports.delegationCredentialSchema = zod_1.z.object({
  */
 exports.verifyDelegationRequestSchema = zod_1.z.object({
     agent_did: zod_1.z.string(),
+    // User DID for user-scoped delegation verification (RECOMMENDED)
+    // Prevents cross-user delegation leakage where User B could use User A's delegation
+    user_did: zod_1.z.string().optional(),
     credential_jwt: zod_1.z.string().optional(), // Optional, omit (don't set to empty string) when not available for OAuth flow
     delegation_token: zod_1.z.string().optional(), // Optional, for stateless MCP servers
     scopes: zod_1.z.array(zod_1.z.string()).optional(), // Optional, can be empty array

package/dist/agentshield-api/types.d.ts

@@ -111,6 +111,16 @@ export interface ProofSubmissionResponse {
 export interface VerifyDelegationRequest {
     /** Agent DID to verify */
     agent_did: string;
+    /**
+     * User DID for user-scoped delegation verification (RECOMMENDED)
+     *
+     * When provided, AgentShield validates that the delegation belongs to this specific user.
+     * This prevents cross-user delegation leakage where User B could use User A's delegation.
+     *
+     * Without user_did, verification relies on delegation_token alone which may not provide
+     * user-level isolation in all scenarios (e.g., legacy agent-only delegations).
+     */
+    user_did?: string;
     /** Credential JWT (optional, defaults to empty string for OAuth flow) */
     credential_jwt?: string;
     /** Delegation token from OAuth flow (optional, for stateless MCP servers) */

package/dist/config/identity.d.ts

@@ -160,6 +160,12 @@ export interface CredentialProviderConfig extends BaseProviderConfig {
         formTitle?: string;
         formDescription?: string;
         identityFieldLabel?: string;
+        /**
+         * Input type for the identity/username field
+         * Use "text" for username-based authentication, "email" for email-based
+         * @default Automatically detected from field name (email -> "email", otherwise "text")
+         */
+        identityFieldType?: "text" | "email" | "tel";
         passwordFieldLabel?: string;
         submitButtonText?: string;
     };
@@ -211,6 +217,7 @@ export declare const CredentialProviderConfigSchema: z.ZodObject<{
         formTitle: z.ZodOptional<z.ZodString>;
         formDescription: z.ZodOptional<z.ZodString>;
         identityFieldLabel: z.ZodOptional<z.ZodString>;
+        identityFieldType: z.ZodOptional<z.ZodEnum<["text", "email", "tel"]>>;
         passwordFieldLabel: z.ZodOptional<z.ZodString>;
         submitButtonText: z.ZodOptional<z.ZodString>;
     }, "strip", z.ZodTypeAny, {
@@ -218,6 +225,7 @@ export declare const CredentialProviderConfigSchema: z.ZodObject<{
         formTitle?: string | undefined;
         formDescription?: string | undefined;
         identityFieldLabel?: string | undefined;
+        identityFieldType?: "text" | "email" | "tel" | undefined;
         passwordFieldLabel?: string | undefined;
         submitButtonText?: string | undefined;
     }, {
@@ -225,6 +233,7 @@ export declare const CredentialProviderConfigSchema: z.ZodObject<{
         formTitle?: string | undefined;
         formDescription?: string | undefined;
         identityFieldLabel?: string | undefined;
+        identityFieldType?: "text" | "email" | "tel" | undefined;
         passwordFieldLabel?: string | undefined;
         submitButtonText?: string | undefined;
     }>>;
@@ -254,6 +263,7 @@ export declare const CredentialProviderConfigSchema: z.ZodObject<{
         formTitle?: string | undefined;
         formDescription?: string | undefined;
         identityFieldLabel?: string | undefined;
+        identityFieldType?: "text" | "email" | "tel" | undefined;
         passwordFieldLabel?: string | undefined;
         submitButtonText?: string | undefined;
     } | undefined;
@@ -283,6 +293,7 @@ export declare const CredentialProviderConfigSchema: z.ZodObject<{
         formTitle?: string | undefined;
         formDescription?: string | undefined;
         identityFieldLabel?: string | undefined;
+        identityFieldType?: "text" | "email" | "tel" | undefined;
         passwordFieldLabel?: string | undefined;
         submitButtonText?: string | undefined;
     } | undefined;
@@ -661,6 +672,7 @@ export declare const AuthProviderSchema: z.ZodDiscriminatedUnion<"type", [z.ZodO
         formTitle: z.ZodOptional<z.ZodString>;
         formDescription: z.ZodOptional<z.ZodString>;
         identityFieldLabel: z.ZodOptional<z.ZodString>;
+        identityFieldType: z.ZodOptional<z.ZodEnum<["text", "email", "tel"]>>;
         passwordFieldLabel: z.ZodOptional<z.ZodString>;
         submitButtonText: z.ZodOptional<z.ZodString>;
     }, "strip", z.ZodTypeAny, {
@@ -668,6 +680,7 @@ export declare const AuthProviderSchema: z.ZodDiscriminatedUnion<"type", [z.ZodO
         formTitle?: string | undefined;
         formDescription?: string | undefined;
         identityFieldLabel?: string | undefined;
+        identityFieldType?: "text" | "email" | "tel" | undefined;
         passwordFieldLabel?: string | undefined;
         submitButtonText?: string | undefined;
     }, {
@@ -675,6 +688,7 @@ export declare const AuthProviderSchema: z.ZodDiscriminatedUnion<"type", [z.ZodO
         formTitle?: string | undefined;
         formDescription?: string | undefined;
         identityFieldLabel?: string | undefined;
+        identityFieldType?: "text" | "email" | "tel" | undefined;
         passwordFieldLabel?: string | undefined;
         submitButtonText?: string | undefined;
     }>>;
@@ -704,6 +718,7 @@ export declare const AuthProviderSchema: z.ZodDiscriminatedUnion<"type", [z.ZodO
         formTitle?: string | undefined;
         formDescription?: string | undefined;
         identityFieldLabel?: string | undefined;
+        identityFieldType?: "text" | "email" | "tel" | undefined;
         passwordFieldLabel?: string | undefined;
         submitButtonText?: string | undefined;
     } | undefined;
@@ -733,6 +748,7 @@ export declare const AuthProviderSchema: z.ZodDiscriminatedUnion<"type", [z.ZodO
         formTitle?: string | undefined;
         formDescription?: string | undefined;
         identityFieldLabel?: string | undefined;
+        identityFieldType?: "text" | "email" | "tel" | undefined;
         passwordFieldLabel?: string | undefined;
         submitButtonText?: string | undefined;
     } | undefined;

package/dist/config/identity.js

@@ -42,6 +42,7 @@ exports.CredentialProviderConfigSchema = zod_1.z.object({
         formTitle: zod_1.z.string().optional(),
         formDescription: zod_1.z.string().optional(),
         identityFieldLabel: zod_1.z.string().optional(),
+        identityFieldType: zod_1.z.enum(["text", "email", "tel"]).optional(),
         passwordFieldLabel: zod_1.z.string().optional(),
         submitButtonText: zod_1.z.string().optional(),
     })

package/dist/config/tool-context.d.ts

@@ -43,4 +43,15 @@ export interface ToolExecutionContext {
     sessionId?: string;
     /** Delegation token (MCP-I internal authorization) */
     delegationToken?: string;
+    /**
+     * User ID from credential provider (CRED-003)
+     *
+     * For credential providers, this is the userId extracted from the
+     * authentication response via responseFields.userId configuration.
+     * This allows tool handlers to access the external system's user ID
+     * (e.g., customer ID for an e-commerce API).
+     *
+     * For OAuth providers, this is typically not set (use userDid instead).
+     */
+    userId?: string;
 }

package/dist/identity/schemas.d.ts

@@ -1,7 +1,7 @@
 /**
  * Identity Resolution Schemas
  *
- * Types and schemas for OAuth/credential identity → persistent user DID resolution.
+ * Types and schemas for OAuth identity → persistent user DID resolution.
  * Used by xmcp-i to call AgentShield's identity resolution endpoint.
  *
  * Part of Phase 5: Identity Resolution Integration
@@ -31,58 +31,28 @@ export declare const OAuthResultSchema: z.ZodObject<{
     provider: string;
     sub: string;
     email?: string | undefined;
-    email_verified?: boolean | undefined;
     name?: string | undefined;
+    email_verified?: boolean | undefined;
     picture?: string | undefined;
 }, {
     provider: string;
     sub: string;
     email?: string | undefined;
-    email_verified?: boolean | undefined;
     name?: string | undefined;
+    email_verified?: boolean | undefined;
     picture?: string | undefined;
 }>;
 export type OAuthResult = z.infer<typeof OAuthResultSchema>;
-/**
- * Credential result from credential-based authentication
- *
- * Contains user information from username/password or custom credential flows.
- * Used for third-party authentication systems (e.g., 'hardwareworld').
- */
-export declare const CredentialResultSchema: z.ZodObject<{
-    /** Credential provider name (e.g., 'hardwareworld') */
-    provider: z.ZodString;
-    /** User ID from credential authentication */
-    user_id: z.ZodString;
-    /** User's email (optional) */
-    email: z.ZodOptional<z.ZodString>;
-    /** User's display name (optional) */
-    name: z.ZodOptional<z.ZodString>;
-}, "strip", z.ZodTypeAny, {
-    provider: string;
-    user_id: string;
-    email?: string | undefined;
-    name?: string | undefined;
-}, {
-    provider: string;
-    user_id: string;
-    email?: string | undefined;
-    name?: string | undefined;
-}>;
-export type CredentialResult = z.infer<typeof CredentialResultSchema>;
 /**
  * Identity resolution request
  *
  * POST /api/v1/bouncer/identity/resolve
- *
- * Accepts EITHER oauth_result OR credential_result (XOR - exactly one required).
- * This supports both OAuth-based and credential-based authentication flows.
  */
-export declare const IdentityResolveRequestSchema: z.ZodEffects<z.ZodObject<{
-    /** Project UUID or friendly ID */
+export declare const IdentityResolveRequestSchema: z.ZodObject<{
+    /** Project UUID */
     project_id: z.ZodString;
-    /** OAuth authentication result (mutually exclusive with credential_result) */
-    oauth_result: z.ZodOptional<z.ZodObject<{
+    /** OAuth authentication result */
+    oauth_result: z.ZodObject<{
         /** OAuth provider name (e.g., 'google', 'github', 'microsoft') */
         provider: z.ZodString;
         /** OAuth subject claim (unique per provider) */
@@ -99,102 +69,37 @@ export declare const IdentityResolveRequestSchema: z.ZodEffects<z.ZodObject<{
         provider: string;
         sub: string;
         email?: string | undefined;
-        email_verified?: boolean | undefined;
         name?: string | undefined;
-        picture?: string | undefined;
-    }, {
-        provider: string;
-        sub: string;
-        email?: string | undefined;
         email_verified?: boolean | undefined;
-        name?: string | undefined;
         picture?: string | undefined;
-    }>>;
-    /** Credential authentication result (mutually exclusive with oauth_result) */
-    credential_result: z.ZodOptional<z.ZodObject<{
-        /** Credential provider name (e.g., 'hardwareworld') */
-        provider: z.ZodString;
-        /** User ID from credential authentication */
-        user_id: z.ZodString;
-        /** User's email (optional) */
-        email: z.ZodOptional<z.ZodString>;
-        /** User's display name (optional) */
-        name: z.ZodOptional<z.ZodString>;
-    }, "strip", z.ZodTypeAny, {
-        provider: string;
-        user_id: string;
-        email?: string | undefined;
-        name?: string | undefined;
     }, {
-        provider: string;
-        user_id: string;
-        email?: string | undefined;
-        name?: string | undefined;
-    }>>;
-}, "strip", z.ZodTypeAny, {
-    project_id: string;
-    oauth_result?: {
         provider: string;
         sub: string;
         email?: string | undefined;
-        email_verified?: boolean | undefined;
         name?: string | undefined;
-        picture?: string | undefined;
-    } | undefined;
-    credential_result?: {
-        provider: string;
-        user_id: string;
-        email?: string | undefined;
-        name?: string | undefined;
-    } | undefined;
-}, {
-    project_id: string;
-    oauth_result?: {
-        provider: string;
-        sub: string;
-        email?: string | undefined;
         email_verified?: boolean | undefined;
-        name?: string | undefined;
         picture?: string | undefined;
-    } | undefined;
-    credential_result?: {
-        provider: string;
-        user_id: string;
-        email?: string | undefined;
-        name?: string | undefined;
-    } | undefined;
-}>, {
+    }>;
+}, "strip", z.ZodTypeAny, {
     project_id: string;
-    oauth_result?: {
+    oauth_result: {
         provider: string;
         sub: string;
         email?: string | undefined;
-        email_verified?: boolean | undefined;
         name?: string | undefined;
+        email_verified?: boolean | undefined;
         picture?: string | undefined;
-    } | undefined;
-    credential_result?: {
-        provider: string;
-        user_id: string;
-        email?: string | undefined;
-        name?: string | undefined;
-    } | undefined;
+    };
 }, {
     project_id: string;
-    oauth_result?: {
+    oauth_result: {
         provider: string;
         sub: string;
         email?: string | undefined;
-        email_verified?: boolean | undefined;
         name?: string | undefined;
+        email_verified?: boolean | undefined;
         picture?: string | undefined;
-    } | undefined;
-    credential_result?: {
-        provider: string;
-        user_id: string;
-        email?: string | undefined;
-        name?: string | undefined;
-    } | undefined;
+    };
 }>;
 export type IdentityResolveRequest = z.infer<typeof IdentityResolveRequestSchema>;
 /**
@@ -228,11 +133,11 @@ export declare const IdentityResolveResponseSchema: z.ZodObject<{
         requestId: z.ZodOptional<z.ZodString>;
         timestamp: z.ZodOptional<z.ZodString>;
     }, "strip", z.ZodTypeAny, {
-        requestId?: string | undefined;
         timestamp?: string | undefined;
-    }, {
         requestId?: string | undefined;
+    }, {
         timestamp?: string | undefined;
+        requestId?: string | undefined;
     }>>;
 }, "strip", z.ZodTypeAny, {
     success: true;
@@ -243,8 +148,8 @@ export declare const IdentityResolveResponseSchema: z.ZodObject<{
         auto_linked: boolean;
     };
     metadata?: {
-        requestId?: string | undefined;
         timestamp?: string | undefined;
+        requestId?: string | undefined;
     } | undefined;
 }, {
     success: true;
@@ -255,8 +160,8 @@ export declare const IdentityResolveResponseSchema: z.ZodObject<{
         auto_linked: boolean;
     };
     metadata?: {
-        requestId?: string | undefined;
         timestamp?: string | undefined;
+        requestId?: string | undefined;
     } | undefined;
 }>;
 export type IdentityResolveResponse = z.infer<typeof IdentityResolveResponseSchema>;

package/dist/identity/schemas.js

@@ -2,7 +2,7 @@
 /**
  * Identity Resolution Schemas
  *
- * Types and schemas for OAuth/credential identity → persistent user DID resolution.
+ * Types and schemas for OAuth identity → persistent user DID resolution.
  * Used by xmcp-i to call AgentShield's identity resolution endpoint.
  *
  * Part of Phase 5: Identity Resolution Integration
@@ -10,7 +10,7 @@
  * @see ACCOUNT_CENTRIC_IDENTITY_AND_VC_IMPLEMENTATION.md
  */
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.IdentityResolveErrorSchema = exports.IdentityResolveResponseSchema = exports.IdentityResolveRequestSchema = exports.CredentialResultSchema = exports.OAuthResultSchema = void 0;
+exports.IdentityResolveErrorSchema = exports.IdentityResolveResponseSchema = exports.IdentityResolveRequestSchema = exports.OAuthResultSchema = void 0;
 exports.parseIdentityResolveRequest = parseIdentityResolveRequest;
 exports.safeParseIdentityResolveRequest = safeParseIdentityResolveRequest;
 exports.parseIdentityResolveResponse = parseIdentityResolveResponse;
@@ -35,45 +35,16 @@ exports.OAuthResultSchema = zod_1.z.object({
     /** Avatar URL from OAuth provider */
     picture: zod_1.z.string().url().optional(),
 });
-/**
- * Credential result from credential-based authentication
- *
- * Contains user information from username/password or custom credential flows.
- * Used for third-party authentication systems (e.g., 'hardwareworld').
- */
-exports.CredentialResultSchema = zod_1.z.object({
-    /** Credential provider name (e.g., 'hardwareworld') */
-    provider: zod_1.z.string().min(1, "Provider is required"),
-    /** User ID from credential authentication */
-    user_id: zod_1.z.string().min(1, "User ID is required"),
-    /** User's email (optional) */
-    email: zod_1.z.string().email().optional(),
-    /** User's display name (optional) */
-    name: zod_1.z.string().optional(),
-});
 /**
  * Identity resolution request
  *
  * POST /api/v1/bouncer/identity/resolve
- *
- * Accepts EITHER oauth_result OR credential_result (XOR - exactly one required).
- * This supports both OAuth-based and credential-based authentication flows.
  */
-exports.IdentityResolveRequestSchema = zod_1.z
-    .object({
-    /** Project UUID or friendly ID */
-    project_id: zod_1.z.string().min(1, "Project ID is required"),
-    /** OAuth authentication result (mutually exclusive with credential_result) */
-    oauth_result: exports.OAuthResultSchema.optional(),
-    /** Credential authentication result (mutually exclusive with oauth_result) */
-    credential_result: exports.CredentialResultSchema.optional(),
-})
-    .refine((data) => {
-    const hasOAuth = !!data.oauth_result;
-    const hasCredential = !!data.credential_result;
-    return (hasOAuth && !hasCredential) || (!hasOAuth && hasCredential);
-}, {
-    message: "Exactly one of oauth_result or credential_result must be provided",
+exports.IdentityResolveRequestSchema = zod_1.z.object({
+    /** Project UUID */
+    project_id: zod_1.z.string().uuid("Invalid project ID format"),
+    /** OAuth authentication result */
+    oauth_result: exports.OAuthResultSchema,
 });
 /**
  * Identity resolution response

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@kya-os/contracts",
-  "version": "1.6.7",
+  "version": "1.6.9",
   "description": "Shared contracts, types, and schemas for MCP-I framework",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",