@kya-os/contracts 1.7.16 → 1.7.17

@@ -4680,6 +4680,9 @@ export declare const DELEGATION_CREDENTIAL_CONTEXT: "https://schemas.kya-os.ai/x
4680
4680
  *
4681
4681
  * Per Python POC (Delegation-Service.md:136-146), delegations are issued AS
4682
4682
  * W3C VCs, with the delegation data embedded in the credentialSubject.
4683
+ *
4684
+ * Phase 7 Update: Added userDid, userIdentifier, sessionId, and scopes
4685
+ * to support Agent Shield VC-JWT tokens and MCP session tracking.
4683
4686
  */
4684
4687
  export declare const DelegationCredentialSubjectSchema: z.ZodObject<{
4685
4688
  /** Subject DID (delegatee) */
@@ -4692,6 +4695,38 @@ export declare const DelegationCredentialSubjectSchema: z.ZodObject<{
4692
4695
  issuerDid: z.ZodString;
4693
4696
  /** DID of the delegatee (subject, e.g., agent) */
4694
4697
  subjectDid: z.ZodString;
4698
+ /**
4699
+ * DID of the user who granted the delegation.
4700
+ *
4701
+ * This is the authorizing user's identity. In simple cases, this equals
4702
+ * issuerDid. In delegated scenarios (e.g., AgentShield issuing on behalf
4703
+ * of a user), userDid identifies the actual user who consented.
4704
+ *
4705
+ * Required by Agent Shield API for user-scoped delegations.
4706
+ * @see delegationCredentialSchema in agentshield-api/schemas.ts
4707
+ */
4708
+ userDid: z.ZodOptional<z.ZodString>;
4709
+ /**
4710
+ * Human-readable identifier for the user (e.g., email, OAuth subject).
4711
+ *
4712
+ * Used for backward compatibility and display purposes.
4713
+ * Should not be used for cryptographic identity verification.
4714
+ */
4715
+ userIdentifier: z.ZodOptional<z.ZodString>;
4716
+ /**
4717
+ * MCP session ID for session tracking and integration.
4718
+ *
4719
+ * Links the delegation to a specific MCP session, enabling
4720
+ * session-scoped token caching and audit trails.
4721
+ */
4722
+ sessionId: z.ZodOptional<z.ZodString>;
4723
+ /**
4724
+ * Authorized scopes for this delegation.
4725
+ *
4726
+ * Array of scope strings (e.g., ['tool:execute', 'resource:read']).
4727
+ * When present, defines what actions the delegatee is authorized to perform.
4728
+ */
4729
+ scopes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
4695
4730
  /** Optional controller (user account ID or DID) */
4696
4731
  controller: z.ZodOptional<z.ZodString>;
4697
4732
  /** Optional parent delegation ID for chain tracking */
@@ -5158,8 +5193,12 @@ export declare const DelegationCredentialSubjectSchema: z.ZodObject<{
5158
5193
  };
5159
5194
  controller?: string | undefined;
5160
5195
  parentId?: string | undefined;
5196
+ scopes?: string[] | undefined;
5161
5197
  createdAt?: number | undefined;
5162
5198
  metadata?: Record<string, any> | undefined;
5199
+ userDid?: string | undefined;
5200
+ userIdentifier?: string | undefined;
5201
+ sessionId?: string | undefined;
5163
5202
  }, {
5164
5203
  id: string;
5165
5204
  issuerDid: string;
@@ -5218,8 +5257,12 @@ export declare const DelegationCredentialSubjectSchema: z.ZodObject<{
5218
5257
  controller?: string | undefined;
5219
5258
  parentId?: string | undefined;
5220
5259
  status?: "active" | "revoked" | "expired" | undefined;
5260
+ scopes?: string[] | undefined;
5221
5261
  createdAt?: number | undefined;
5222
5262
  metadata?: Record<string, any> | undefined;
5263
+ userDid?: string | undefined;
5264
+ userIdentifier?: string | undefined;
5265
+ sessionId?: string | undefined;
5223
5266
  }>;
5224
5267
  }, "strip", z.ZodTypeAny, {
5225
5268
  id: string;
@@ -5281,8 +5324,12 @@ export declare const DelegationCredentialSubjectSchema: z.ZodObject<{
5281
5324
  };
5282
5325
  controller?: string | undefined;
5283
5326
  parentId?: string | undefined;
5327
+ scopes?: string[] | undefined;
5284
5328
  createdAt?: number | undefined;
5285
5329
  metadata?: Record<string, any> | undefined;
5330
+ userDid?: string | undefined;
5331
+ userIdentifier?: string | undefined;
5332
+ sessionId?: string | undefined;
5286
5333
  };
5287
5334
  }, {
5288
5335
  id: string;
@@ -5344,8 +5391,12 @@ export declare const DelegationCredentialSubjectSchema: z.ZodObject<{
5344
5391
  controller?: string | undefined;
5345
5392
  parentId?: string | undefined;
5346
5393
  status?: "active" | "revoked" | "expired" | undefined;
5394
+ scopes?: string[] | undefined;
5347
5395
  createdAt?: number | undefined;
5348
5396
  metadata?: Record<string, any> | undefined;
5397
+ userDid?: string | undefined;
5398
+ userIdentifier?: string | undefined;
5399
+ sessionId?: string | undefined;
5349
5400
  };
5350
5401
  }>;
5351
5402
  export type DelegationCredentialSubject = z.infer<typeof DelegationCredentialSubjectSchema>;
@@ -5397,6 +5448,38 @@ export declare const DelegationCredentialSchema: z.ZodObject<{
5397
5448
  issuerDid: z.ZodString;
5398
5449
  /** DID of the delegatee (subject, e.g., agent) */
5399
5450
  subjectDid: z.ZodString;
5451
+ /**
5452
+ * DID of the user who granted the delegation.
5453
+ *
5454
+ * This is the authorizing user's identity. In simple cases, this equals
5455
+ * issuerDid. In delegated scenarios (e.g., AgentShield issuing on behalf
5456
+ * of a user), userDid identifies the actual user who consented.
5457
+ *
5458
+ * Required by Agent Shield API for user-scoped delegations.
5459
+ * @see delegationCredentialSchema in agentshield-api/schemas.ts
5460
+ */
5461
+ userDid: z.ZodOptional<z.ZodString>;
5462
+ /**
5463
+ * Human-readable identifier for the user (e.g., email, OAuth subject).
5464
+ *
5465
+ * Used for backward compatibility and display purposes.
5466
+ * Should not be used for cryptographic identity verification.
5467
+ */
5468
+ userIdentifier: z.ZodOptional<z.ZodString>;
5469
+ /**
5470
+ * MCP session ID for session tracking and integration.
5471
+ *
5472
+ * Links the delegation to a specific MCP session, enabling
5473
+ * session-scoped token caching and audit trails.
5474
+ */
5475
+ sessionId: z.ZodOptional<z.ZodString>;
5476
+ /**
5477
+ * Authorized scopes for this delegation.
5478
+ *
5479
+ * Array of scope strings (e.g., ['tool:execute', 'resource:read']).
5480
+ * When present, defines what actions the delegatee is authorized to perform.
5481
+ */
5482
+ scopes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
5400
5483
  /** Optional controller (user account ID or DID) */
5401
5484
  controller: z.ZodOptional<z.ZodString>;
5402
5485
  /** Optional parent delegation ID for chain tracking */
@@ -5863,8 +5946,12 @@ export declare const DelegationCredentialSchema: z.ZodObject<{
5863
5946
  };
5864
5947
  controller?: string | undefined;
5865
5948
  parentId?: string | undefined;
5949
+ scopes?: string[] | undefined;
5866
5950
  createdAt?: number | undefined;
5867
5951
  metadata?: Record<string, any> | undefined;
5952
+ userDid?: string | undefined;
5953
+ userIdentifier?: string | undefined;
5954
+ sessionId?: string | undefined;
5868
5955
  }, {
5869
5956
  id: string;
5870
5957
  issuerDid: string;
@@ -5923,8 +6010,12 @@ export declare const DelegationCredentialSchema: z.ZodObject<{
5923
6010
  controller?: string | undefined;
5924
6011
  parentId?: string | undefined;
5925
6012
  status?: "active" | "revoked" | "expired" | undefined;
6013
+ scopes?: string[] | undefined;
5926
6014
  createdAt?: number | undefined;
5927
6015
  metadata?: Record<string, any> | undefined;
6016
+ userDid?: string | undefined;
6017
+ userIdentifier?: string | undefined;
6018
+ sessionId?: string | undefined;
5928
6019
  }>;
5929
6020
  }, "strip", z.ZodTypeAny, {
5930
6021
  id: string;
@@ -5986,8 +6077,12 @@ export declare const DelegationCredentialSchema: z.ZodObject<{
5986
6077
  };
5987
6078
  controller?: string | undefined;
5988
6079
  parentId?: string | undefined;
6080
+ scopes?: string[] | undefined;
5989
6081
  createdAt?: number | undefined;
5990
6082
  metadata?: Record<string, any> | undefined;
6083
+ userDid?: string | undefined;
6084
+ userIdentifier?: string | undefined;
6085
+ sessionId?: string | undefined;
5991
6086
  };
5992
6087
  }, {
5993
6088
  id: string;
@@ -6049,8 +6144,12 @@ export declare const DelegationCredentialSchema: z.ZodObject<{
6049
6144
  controller?: string | undefined;
6050
6145
  parentId?: string | undefined;
6051
6146
  status?: "active" | "revoked" | "expired" | undefined;
6147
+ scopes?: string[] | undefined;
6052
6148
  createdAt?: number | undefined;
6053
6149
  metadata?: Record<string, any> | undefined;
6150
+ userDid?: string | undefined;
6151
+ userIdentifier?: string | undefined;
6152
+ sessionId?: string | undefined;
6054
6153
  };
6055
6154
  }>;
6056
6155
  credentialStatus: z.ZodOptional<z.ZodObject<{
@@ -6113,6 +6212,38 @@ export declare const DelegationCredentialSchema: z.ZodObject<{
6113
6212
  issuerDid: z.ZodString;
6114
6213
  /** DID of the delegatee (subject, e.g., agent) */
6115
6214
  subjectDid: z.ZodString;
6215
+ /**
6216
+ * DID of the user who granted the delegation.
6217
+ *
6218
+ * This is the authorizing user's identity. In simple cases, this equals
6219
+ * issuerDid. In delegated scenarios (e.g., AgentShield issuing on behalf
6220
+ * of a user), userDid identifies the actual user who consented.
6221
+ *
6222
+ * Required by Agent Shield API for user-scoped delegations.
6223
+ * @see delegationCredentialSchema in agentshield-api/schemas.ts
6224
+ */
6225
+ userDid: z.ZodOptional<z.ZodString>;
6226
+ /**
6227
+ * Human-readable identifier for the user (e.g., email, OAuth subject).
6228
+ *
6229
+ * Used for backward compatibility and display purposes.
6230
+ * Should not be used for cryptographic identity verification.
6231
+ */
6232
+ userIdentifier: z.ZodOptional<z.ZodString>;
6233
+ /**
6234
+ * MCP session ID for session tracking and integration.
6235
+ *
6236
+ * Links the delegation to a specific MCP session, enabling
6237
+ * session-scoped token caching and audit trails.
6238
+ */
6239
+ sessionId: z.ZodOptional<z.ZodString>;
6240
+ /**
6241
+ * Authorized scopes for this delegation.
6242
+ *
6243
+ * Array of scope strings (e.g., ['tool:execute', 'resource:read']).
6244
+ * When present, defines what actions the delegatee is authorized to perform.
6245
+ */
6246
+ scopes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
6116
6247
  /** Optional controller (user account ID or DID) */
6117
6248
  controller: z.ZodOptional<z.ZodString>;
6118
6249
  /** Optional parent delegation ID for chain tracking */
@@ -6579,8 +6710,12 @@ export declare const DelegationCredentialSchema: z.ZodObject<{
6579
6710
  };
6580
6711
  controller?: string | undefined;
6581
6712
  parentId?: string | undefined;
6713
+ scopes?: string[] | undefined;
6582
6714
  createdAt?: number | undefined;
6583
6715
  metadata?: Record<string, any> | undefined;
6716
+ userDid?: string | undefined;
6717
+ userIdentifier?: string | undefined;
6718
+ sessionId?: string | undefined;
6584
6719
  }, {
6585
6720
  id: string;
6586
6721
  issuerDid: string;
@@ -6639,8 +6774,12 @@ export declare const DelegationCredentialSchema: z.ZodObject<{
6639
6774
  controller?: string | undefined;
6640
6775
  parentId?: string | undefined;
6641
6776
  status?: "active" | "revoked" | "expired" | undefined;
6777
+ scopes?: string[] | undefined;
6642
6778
  createdAt?: number | undefined;
6643
6779
  metadata?: Record<string, any> | undefined;
6780
+ userDid?: string | undefined;
6781
+ userIdentifier?: string | undefined;
6782
+ sessionId?: string | undefined;
6644
6783
  }>;
6645
6784
  }, "strip", z.ZodTypeAny, {
6646
6785
  id: string;
@@ -6702,8 +6841,12 @@ export declare const DelegationCredentialSchema: z.ZodObject<{
6702
6841
  };
6703
6842
  controller?: string | undefined;
6704
6843
  parentId?: string | undefined;
6844
+ scopes?: string[] | undefined;
6705
6845
  createdAt?: number | undefined;
6706
6846
  metadata?: Record<string, any> | undefined;
6847
+ userDid?: string | undefined;
6848
+ userIdentifier?: string | undefined;
6849
+ sessionId?: string | undefined;
6707
6850
  };
6708
6851
  }, {
6709
6852
  id: string;
@@ -6765,8 +6908,12 @@ export declare const DelegationCredentialSchema: z.ZodObject<{
6765
6908
  controller?: string | undefined;
6766
6909
  parentId?: string | undefined;
6767
6910
  status?: "active" | "revoked" | "expired" | undefined;
6911
+ scopes?: string[] | undefined;
6768
6912
  createdAt?: number | undefined;
6769
6913
  metadata?: Record<string, any> | undefined;
6914
+ userDid?: string | undefined;
6915
+ userIdentifier?: string | undefined;
6916
+ sessionId?: string | undefined;
6770
6917
  };
6771
6918
  }>;
6772
6919
  credentialStatus: z.ZodOptional<z.ZodObject<{
@@ -6829,6 +6976,38 @@ export declare const DelegationCredentialSchema: z.ZodObject<{
6829
6976
  issuerDid: z.ZodString;
6830
6977
  /** DID of the delegatee (subject, e.g., agent) */
6831
6978
  subjectDid: z.ZodString;
6979
+ /**
6980
+ * DID of the user who granted the delegation.
6981
+ *
6982
+ * This is the authorizing user's identity. In simple cases, this equals
6983
+ * issuerDid. In delegated scenarios (e.g., AgentShield issuing on behalf
6984
+ * of a user), userDid identifies the actual user who consented.
6985
+ *
6986
+ * Required by Agent Shield API for user-scoped delegations.
6987
+ * @see delegationCredentialSchema in agentshield-api/schemas.ts
6988
+ */
6989
+ userDid: z.ZodOptional<z.ZodString>;
6990
+ /**
6991
+ * Human-readable identifier for the user (e.g., email, OAuth subject).
6992
+ *
6993
+ * Used for backward compatibility and display purposes.
6994
+ * Should not be used for cryptographic identity verification.
6995
+ */
6996
+ userIdentifier: z.ZodOptional<z.ZodString>;
6997
+ /**
6998
+ * MCP session ID for session tracking and integration.
6999
+ *
7000
+ * Links the delegation to a specific MCP session, enabling
7001
+ * session-scoped token caching and audit trails.
7002
+ */
7003
+ sessionId: z.ZodOptional<z.ZodString>;
7004
+ /**
7005
+ * Authorized scopes for this delegation.
7006
+ *
7007
+ * Array of scope strings (e.g., ['tool:execute', 'resource:read']).
7008
+ * When present, defines what actions the delegatee is authorized to perform.
7009
+ */
7010
+ scopes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
6832
7011
  /** Optional controller (user account ID or DID) */
6833
7012
  controller: z.ZodOptional<z.ZodString>;
6834
7013
  /** Optional parent delegation ID for chain tracking */
@@ -7295,8 +7474,12 @@ export declare const DelegationCredentialSchema: z.ZodObject<{
7295
7474
  };
7296
7475
  controller?: string | undefined;
7297
7476
  parentId?: string | undefined;
7477
+ scopes?: string[] | undefined;
7298
7478
  createdAt?: number | undefined;
7299
7479
  metadata?: Record<string, any> | undefined;
7480
+ userDid?: string | undefined;
7481
+ userIdentifier?: string | undefined;
7482
+ sessionId?: string | undefined;
7300
7483
  }, {
7301
7484
  id: string;
7302
7485
  issuerDid: string;
@@ -7355,8 +7538,12 @@ export declare const DelegationCredentialSchema: z.ZodObject<{
7355
7538
  controller?: string | undefined;
7356
7539
  parentId?: string | undefined;
7357
7540
  status?: "active" | "revoked" | "expired" | undefined;
7541
+ scopes?: string[] | undefined;
7358
7542
  createdAt?: number | undefined;
7359
7543
  metadata?: Record<string, any> | undefined;
7544
+ userDid?: string | undefined;
7545
+ userIdentifier?: string | undefined;
7546
+ sessionId?: string | undefined;
7360
7547
  }>;
7361
7548
  }, "strip", z.ZodTypeAny, {
7362
7549
  id: string;
@@ -7418,8 +7605,12 @@ export declare const DelegationCredentialSchema: z.ZodObject<{
7418
7605
  };
7419
7606
  controller?: string | undefined;
7420
7607
  parentId?: string | undefined;
7608
+ scopes?: string[] | undefined;
7421
7609
  createdAt?: number | undefined;
7422
7610
  metadata?: Record<string, any> | undefined;
7611
+ userDid?: string | undefined;
7612
+ userIdentifier?: string | undefined;
7613
+ sessionId?: string | undefined;
7423
7614
  };
7424
7615
  }, {
7425
7616
  id: string;
@@ -7481,8 +7672,12 @@ export declare const DelegationCredentialSchema: z.ZodObject<{
7481
7672
  controller?: string | undefined;
7482
7673
  parentId?: string | undefined;
7483
7674
  status?: "active" | "revoked" | "expired" | undefined;
7675
+ scopes?: string[] | undefined;
7484
7676
  createdAt?: number | undefined;
7485
7677
  metadata?: Record<string, any> | undefined;
7678
+ userDid?: string | undefined;
7679
+ userIdentifier?: string | undefined;
7680
+ sessionId?: string | undefined;
7486
7681
  };
7487
7682
  }>;
7488
7683
  credentialStatus: z.ZodOptional<z.ZodObject<{
@@ -7553,6 +7748,38 @@ export declare function validateDelegationCredential(credential: unknown): z.Saf
7553
7748
  issuerDid: z.ZodString;
7554
7749
  /** DID of the delegatee (subject, e.g., agent) */
7555
7750
  subjectDid: z.ZodString;
7751
+ /**
7752
+ * DID of the user who granted the delegation.
7753
+ *
7754
+ * This is the authorizing user's identity. In simple cases, this equals
7755
+ * issuerDid. In delegated scenarios (e.g., AgentShield issuing on behalf
7756
+ * of a user), userDid identifies the actual user who consented.
7757
+ *
7758
+ * Required by Agent Shield API for user-scoped delegations.
7759
+ * @see delegationCredentialSchema in agentshield-api/schemas.ts
7760
+ */
7761
+ userDid: z.ZodOptional<z.ZodString>;
7762
+ /**
7763
+ * Human-readable identifier for the user (e.g., email, OAuth subject).
7764
+ *
7765
+ * Used for backward compatibility and display purposes.
7766
+ * Should not be used for cryptographic identity verification.
7767
+ */
7768
+ userIdentifier: z.ZodOptional<z.ZodString>;
7769
+ /**
7770
+ * MCP session ID for session tracking and integration.
7771
+ *
7772
+ * Links the delegation to a specific MCP session, enabling
7773
+ * session-scoped token caching and audit trails.
7774
+ */
7775
+ sessionId: z.ZodOptional<z.ZodString>;
7776
+ /**
7777
+ * Authorized scopes for this delegation.
7778
+ *
7779
+ * Array of scope strings (e.g., ['tool:execute', 'resource:read']).
7780
+ * When present, defines what actions the delegatee is authorized to perform.
7781
+ */
7782
+ scopes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
7556
7783
  /** Optional controller (user account ID or DID) */
7557
7784
  controller: z.ZodOptional<z.ZodString>;
7558
7785
  /** Optional parent delegation ID for chain tracking */
@@ -8019,8 +8246,12 @@ export declare function validateDelegationCredential(credential: unknown): z.Saf
8019
8246
  };
8020
8247
  controller?: string | undefined;
8021
8248
  parentId?: string | undefined;
8249
+ scopes?: string[] | undefined;
8022
8250
  createdAt?: number | undefined;
8023
8251
  metadata?: Record<string, any> | undefined;
8252
+ userDid?: string | undefined;
8253
+ userIdentifier?: string | undefined;
8254
+ sessionId?: string | undefined;
8024
8255
  }, {
8025
8256
  id: string;
8026
8257
  issuerDid: string;
@@ -8079,8 +8310,12 @@ export declare function validateDelegationCredential(credential: unknown): z.Saf
8079
8310
  controller?: string | undefined;
8080
8311
  parentId?: string | undefined;
8081
8312
  status?: "active" | "revoked" | "expired" | undefined;
8313
+ scopes?: string[] | undefined;
8082
8314
  createdAt?: number | undefined;
8083
8315
  metadata?: Record<string, any> | undefined;
8316
+ userDid?: string | undefined;
8317
+ userIdentifier?: string | undefined;
8318
+ sessionId?: string | undefined;
8084
8319
  }>;
8085
8320
  }, "strip", z.ZodTypeAny, {
8086
8321
  id: string;
@@ -8142,8 +8377,12 @@ export declare function validateDelegationCredential(credential: unknown): z.Saf
8142
8377
  };
8143
8378
  controller?: string | undefined;
8144
8379
  parentId?: string | undefined;
8380
+ scopes?: string[] | undefined;
8145
8381
  createdAt?: number | undefined;
8146
8382
  metadata?: Record<string, any> | undefined;
8383
+ userDid?: string | undefined;
8384
+ userIdentifier?: string | undefined;
8385
+ sessionId?: string | undefined;
8147
8386
  };
8148
8387
  }, {
8149
8388
  id: string;
@@ -8205,8 +8444,12 @@ export declare function validateDelegationCredential(credential: unknown): z.Saf
8205
8444
  controller?: string | undefined;
8206
8445
  parentId?: string | undefined;
8207
8446
  status?: "active" | "revoked" | "expired" | undefined;
8447
+ scopes?: string[] | undefined;
8208
8448
  createdAt?: number | undefined;
8209
8449
  metadata?: Record<string, any> | undefined;
8450
+ userDid?: string | undefined;
8451
+ userIdentifier?: string | undefined;
8452
+ sessionId?: string | undefined;
8210
8453
  };
8211
8454
  }>;
8212
8455
  credentialStatus: z.ZodOptional<z.ZodObject<{
@@ -8269,6 +8512,38 @@ export declare function validateDelegationCredential(credential: unknown): z.Saf
8269
8512
  issuerDid: z.ZodString;
8270
8513
  /** DID of the delegatee (subject, e.g., agent) */
8271
8514
  subjectDid: z.ZodString;
8515
+ /**
8516
+ * DID of the user who granted the delegation.
8517
+ *
8518
+ * This is the authorizing user's identity. In simple cases, this equals
8519
+ * issuerDid. In delegated scenarios (e.g., AgentShield issuing on behalf
8520
+ * of a user), userDid identifies the actual user who consented.
8521
+ *
8522
+ * Required by Agent Shield API for user-scoped delegations.
8523
+ * @see delegationCredentialSchema in agentshield-api/schemas.ts
8524
+ */
8525
+ userDid: z.ZodOptional<z.ZodString>;
8526
+ /**
8527
+ * Human-readable identifier for the user (e.g., email, OAuth subject).
8528
+ *
8529
+ * Used for backward compatibility and display purposes.
8530
+ * Should not be used for cryptographic identity verification.
8531
+ */
8532
+ userIdentifier: z.ZodOptional<z.ZodString>;
8533
+ /**
8534
+ * MCP session ID for session tracking and integration.
8535
+ *
8536
+ * Links the delegation to a specific MCP session, enabling
8537
+ * session-scoped token caching and audit trails.
8538
+ */
8539
+ sessionId: z.ZodOptional<z.ZodString>;
8540
+ /**
8541
+ * Authorized scopes for this delegation.
8542
+ *
8543
+ * Array of scope strings (e.g., ['tool:execute', 'resource:read']).
8544
+ * When present, defines what actions the delegatee is authorized to perform.
8545
+ */
8546
+ scopes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
8272
8547
  /** Optional controller (user account ID or DID) */
8273
8548
  controller: z.ZodOptional<z.ZodString>;
8274
8549
  /** Optional parent delegation ID for chain tracking */
@@ -8735,8 +9010,12 @@ export declare function validateDelegationCredential(credential: unknown): z.Saf
8735
9010
  };
8736
9011
  controller?: string | undefined;
8737
9012
  parentId?: string | undefined;
9013
+ scopes?: string[] | undefined;
8738
9014
  createdAt?: number | undefined;
8739
9015
  metadata?: Record<string, any> | undefined;
9016
+ userDid?: string | undefined;
9017
+ userIdentifier?: string | undefined;
9018
+ sessionId?: string | undefined;
8740
9019
  }, {
8741
9020
  id: string;
8742
9021
  issuerDid: string;
@@ -8795,8 +9074,12 @@ export declare function validateDelegationCredential(credential: unknown): z.Saf
8795
9074
  controller?: string | undefined;
8796
9075
  parentId?: string | undefined;
8797
9076
  status?: "active" | "revoked" | "expired" | undefined;
9077
+ scopes?: string[] | undefined;
8798
9078
  createdAt?: number | undefined;
8799
9079
  metadata?: Record<string, any> | undefined;
9080
+ userDid?: string | undefined;
9081
+ userIdentifier?: string | undefined;
9082
+ sessionId?: string | undefined;
8800
9083
  }>;
8801
9084
  }, "strip", z.ZodTypeAny, {
8802
9085
  id: string;
@@ -8858,8 +9141,12 @@ export declare function validateDelegationCredential(credential: unknown): z.Saf
8858
9141
  };
8859
9142
  controller?: string | undefined;
8860
9143
  parentId?: string | undefined;
9144
+ scopes?: string[] | undefined;
8861
9145
  createdAt?: number | undefined;
8862
9146
  metadata?: Record<string, any> | undefined;
9147
+ userDid?: string | undefined;
9148
+ userIdentifier?: string | undefined;
9149
+ sessionId?: string | undefined;
8863
9150
  };
8864
9151
  }, {
8865
9152
  id: string;
@@ -8921,8 +9208,12 @@ export declare function validateDelegationCredential(credential: unknown): z.Saf
8921
9208
  controller?: string | undefined;
8922
9209
  parentId?: string | undefined;
8923
9210
  status?: "active" | "revoked" | "expired" | undefined;
9211
+ scopes?: string[] | undefined;
8924
9212
  createdAt?: number | undefined;
8925
9213
  metadata?: Record<string, any> | undefined;
9214
+ userDid?: string | undefined;
9215
+ userIdentifier?: string | undefined;
9216
+ sessionId?: string | undefined;
8926
9217
  };
8927
9218
  }>;
8928
9219
  credentialStatus: z.ZodOptional<z.ZodObject<{
@@ -8978,7 +9269,7 @@ export declare function extractDelegationFromVC(vc: DelegationCredential): Deleg
8978
9269
  * The caller must sign this to create a valid DelegationCredential.
8979
9270
  *
8980
9271
  * @param delegation - The delegation record
8981
- * @param options - Optional VC options (id, issuanceDate, etc.)
9272
+ * @param options - Optional VC options (id, issuanceDate, userDid, sessionId, etc.)
8982
9273
  * @returns Unsigned DelegationCredential
8983
9274
  */
8984
9275
  export declare function wrapDelegationAsVC(delegation: DelegationRecord, options?: {
@@ -8986,6 +9277,14 @@ export declare function wrapDelegationAsVC(delegation: DelegationRecord, options
8986
9277
  issuanceDate?: string;
8987
9278
  expirationDate?: string;
8988
9279
  credentialStatus?: z.infer<typeof CredentialStatusSchema>;
9280
+ /** User DID who granted the delegation (if different from issuer) */
9281
+ userDid?: string;
9282
+ /** Human-readable user identifier */
9283
+ userIdentifier?: string;
9284
+ /** MCP session ID for session tracking */
9285
+ sessionId?: string;
9286
+ /** Authorized scopes */
9287
+ scopes?: string[];
8989
9288
  }): Omit<DelegationCredential, 'proof'>;
8990
9289
  /**
8991
9290
  * Check if a delegation credential is expired
@@ -322,6 +322,9 @@ exports.DELEGATION_CREDENTIAL_CONTEXT = 'https://schemas.kya-os.ai/xmcp-i/creden
322
322
  *
323
323
  * Per Python POC (Delegation-Service.md:136-146), delegations are issued AS
324
324
  * W3C VCs, with the delegation data embedded in the credentialSubject.
325
+ *
326
+ * Phase 7 Update: Added userDid, userIdentifier, sessionId, and scopes
327
+ * to support Agent Shield VC-JWT tokens and MCP session tracking.
325
328
  */
326
329
  exports.DelegationCredentialSubjectSchema = zod_1.z.object({
327
330
  /** Subject DID (delegatee) */
@@ -334,6 +337,38 @@ exports.DelegationCredentialSubjectSchema = zod_1.z.object({
334
337
  issuerDid: zod_1.z.string().min(1),
335
338
  /** DID of the delegatee (subject, e.g., agent) */
336
339
  subjectDid: zod_1.z.string().min(1),
340
+ /**
341
+ * DID of the user who granted the delegation.
342
+ *
343
+ * This is the authorizing user's identity. In simple cases, this equals
344
+ * issuerDid. In delegated scenarios (e.g., AgentShield issuing on behalf
345
+ * of a user), userDid identifies the actual user who consented.
346
+ *
347
+ * Required by Agent Shield API for user-scoped delegations.
348
+ * @see delegationCredentialSchema in agentshield-api/schemas.ts
349
+ */
350
+ userDid: zod_1.z.string().optional(),
351
+ /**
352
+ * Human-readable identifier for the user (e.g., email, OAuth subject).
353
+ *
354
+ * Used for backward compatibility and display purposes.
355
+ * Should not be used for cryptographic identity verification.
356
+ */
357
+ userIdentifier: zod_1.z.string().optional(),
358
+ /**
359
+ * MCP session ID for session tracking and integration.
360
+ *
361
+ * Links the delegation to a specific MCP session, enabling
362
+ * session-scoped token caching and audit trails.
363
+ */
364
+ sessionId: zod_1.z.string().optional(),
365
+ /**
366
+ * Authorized scopes for this delegation.
367
+ *
368
+ * Array of scope strings (e.g., ['tool:execute', 'resource:read']).
369
+ * When present, defines what actions the delegatee is authorized to perform.
370
+ */
371
+ scopes: zod_1.z.array(zod_1.z.string()).optional(),
337
372
  /** Optional controller (user account ID or DID) */
338
373
  controller: zod_1.z.string().optional(),
339
374
  /** Optional parent delegation ID for chain tracking */
@@ -456,7 +491,7 @@ function extractDelegationFromVC(vc) {
456
491
  * The caller must sign this to create a valid DelegationCredential.
457
492
  *
458
493
  * @param delegation - The delegation record
459
- * @param options - Optional VC options (id, issuanceDate, etc.)
494
+ * @param options - Optional VC options (id, issuanceDate, userDid, sessionId, etc.)
460
495
  * @returns Unsigned DelegationCredential
461
496
  */
462
497
  function wrapDelegationAsVC(delegation, options) {
@@ -469,6 +504,8 @@ function wrapDelegationAsVC(delegation, options) {
469
504
  if (!options?.issuanceDate && delegation.createdAt) {
470
505
  issuanceDate = new Date(delegation.createdAt).toISOString();
471
506
  }
507
+ // Extract scopes from constraints if not provided
508
+ const scopes = options?.scopes || delegation.constraints.scopes;
472
509
  return {
473
510
  '@context': [
474
511
  'https://www.w3.org/2018/credentials/v1',
@@ -485,6 +522,14 @@ function wrapDelegationAsVC(delegation, options) {
485
522
  id: delegation.id,
486
523
  issuerDid: delegation.issuerDid,
487
524
  subjectDid: delegation.subjectDid,
525
+ // Include userDid if provided or fallback to controller
526
+ ...(options?.userDid && { userDid: options.userDid }),
527
+ // Include userIdentifier if provided
528
+ ...(options?.userIdentifier && { userIdentifier: options.userIdentifier }),
529
+ // Include sessionId if provided
530
+ ...(options?.sessionId && { sessionId: options.sessionId }),
531
+ // Include scopes if available
532
+ ...(scopes && scopes.length > 0 && { scopes }),
488
533
  controller: delegation.controller,
489
534
  parentId: delegation.parentId,
490
535
  constraints: delegation.constraints,
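Review bot: Caller-supplied `options.scopes` replaces `delegation.constraints.scopes` at the `const scopes` line with no check that it is a subset, so the unsigned VC assembled here can assert broader authority than the delegation record it wraps; the `||` there also makes an explicit empty array fall back to the constraint scopes, and the `scopes.length > 0` guard then omits the field entirely, which a verifier may read as unrestricted given the schema's "when present" wording (inferred from the doc comment in the earlier hunk). I would switch to `??`, reject scopes outside the constraint set before the `return`, and spread `scopes` whenever it is defined, as sketched below. The comment `// Include userDid if provided or fallback to controller` does not match the code, which never reads `delegation.controller` for this field; either add the fallback or change it to `// Include userDid only when provided`. Relatedly, the schema hunk above declares `userDid`, `userIdentifier` and `sessionId` as `zod_1.z.string().optional()` without the `.min(1)` that `issuerDid`/`subjectDid` carry, so empty strings validate. wrapDelegationAsVC begins in the previous hunk and its body continues past this one.

```javascript
// Extract scopes from constraints if not provided; never widen beyond them
const scopes = options?.scopes ?? delegation.constraints.scopes;
const allowed = delegation.constraints.scopes;
if (Array.isArray(allowed) && Array.isArray(scopes) && scopes.some((s) => !allowed.includes(s))) {
    throw new Error('scopes exceed delegation constraints');
}
// … unchanged: return object through subjectDid, userDid, userIdentifier, sessionId …
// Include scopes whenever defined (an explicit empty array is preserved)
...(scopes && { scopes }),
```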