@kya-os/contracts 1.7.16 → 1.7.18
- package/dist/agentshield-api/schemas.d.ts +132 -132
- package/dist/consent/schemas.d.ts +30 -8
- package/dist/consent/schemas.js +20 -0
- package/dist/dashboard-config/schemas.d.ts +1919 -1919
- package/dist/delegation/schemas.d.ts +601 -302
- package/dist/delegation/schemas.js +46 -1
- package/dist/handshake.js +11 -2
- package/dist/tool-protection/index.d.ts +6 -6
- package/dist/tool-protection/index.js +10 -7
- package/dist/verifier.d.ts +6 -6
- package/package.json +2 -2
|
@@ -322,6 +322,9 @@ exports.DELEGATION_CREDENTIAL_CONTEXT = 'https://schemas.kya-os.ai/xmcp-i/creden
|
|
|
322
322
|
*
|
|
323
323
|
* Per Python POC (Delegation-Service.md:136-146), delegations are issued AS
|
|
324
324
|
* W3C VCs, with the delegation data embedded in the credentialSubject.
|
|
325
|
+
*
|
|
326
|
+
* Phase 7 Update: Added userDid, userIdentifier, sessionId, and scopes
|
|
327
|
+
* to support Agent Shield VC-JWT tokens and MCP session tracking.
|
|
325
328
|
*/
|
|
326
329
|
exports.DelegationCredentialSubjectSchema = zod_1.z.object({
|
|
327
330
|
/** Subject DID (delegatee) */
|
|
@@ -334,6 +337,38 @@ exports.DelegationCredentialSubjectSchema = zod_1.z.object({
|
|
|
334
337
|
issuerDid: zod_1.z.string().min(1),
|
|
335
338
|
/** DID of the delegatee (subject, e.g., agent) */
|
|
336
339
|
subjectDid: zod_1.z.string().min(1),
|
|
340
|
+
/**
|
|
341
|
+
* DID of the user who granted the delegation.
|
|
342
|
+
*
|
|
343
|
+
* This is the authorizing user's identity. In simple cases, this equals
|
|
344
|
+
* issuerDid. In delegated scenarios (e.g., AgentShield issuing on behalf
|
|
345
|
+
* of a user), userDid identifies the actual user who consented.
|
|
346
|
+
*
|
|
347
|
+
* Required by Agent Shield API for user-scoped delegations.
|
|
348
|
+
* @see delegationCredentialSchema in agentshield-api/schemas.ts
|
|
349
|
+
*/
|
|
350
|
+
userDid: zod_1.z.string().optional(),
|
|
351
|
+
/**
|
|
352
|
+
* Human-readable identifier for the user (e.g., email, OAuth subject).
|
|
353
|
+
*
|
|
354
|
+
* Used for backward compatibility and display purposes.
|
|
355
|
+
* Should not be used for cryptographic identity verification.
|
|
356
|
+
*/
|
|
357
|
+
userIdentifier: zod_1.z.string().optional(),
|
|
358
|
+
/**
|
|
359
|
+
* MCP session ID for session tracking and integration.
|
|
360
|
+
*
|
|
361
|
+
* Links the delegation to a specific MCP session, enabling
|
|
362
|
+
* session-scoped token caching and audit trails.
|
|
363
|
+
*/
|
|
364
|
+
sessionId: zod_1.z.string().optional(),
|
|
365
|
+
/**
|
|
366
|
+
* Authorized scopes for this delegation.
|
|
367
|
+
*
|
|
368
|
+
* Array of scope strings (e.g., ['tool:execute', 'resource:read']).
|
|
369
|
+
* When present, defines what actions the delegatee is authorized to perform.
|
|
370
|
+
*/
|
|
371
|
+
scopes: zod_1.z.array(zod_1.z.string()).optional(),
|
|
337
372
|
/** Optional controller (user account ID or DID) */
|
|
338
373
|
controller: zod_1.z.string().optional(),
|
|
339
374
|
/** Optional parent delegation ID for chain tracking */
|
|
@@ -456,7 +491,7 @@ function extractDelegationFromVC(vc) {
|
|
|
456
491
|
* The caller must sign this to create a valid DelegationCredential.
|
|
457
492
|
*
|
|
458
493
|
* @param delegation - The delegation record
|
|
459
|
-
* @param options - Optional VC options (id, issuanceDate, etc.)
|
|
494
|
+
* @param options - Optional VC options (id, issuanceDate, userDid, sessionId, etc.)
|
|
460
495
|
* @returns Unsigned DelegationCredential
|
|
461
496
|
*/
|
|
462
497
|
function wrapDelegationAsVC(delegation, options) {
|
|
@@ -469,6 +504,8 @@ function wrapDelegationAsVC(delegation, options) {
|
|
|
469
504
|
if (!options?.issuanceDate && delegation.createdAt) {
|
|
470
505
|
issuanceDate = new Date(delegation.createdAt).toISOString();
|
|
471
506
|
}
|
|
507
|
+
// Extract scopes from constraints if not provided
|
|
508
|
+
const scopes = options?.scopes || delegation.constraints.scopes;
|
|
472
509
|
return {
|
|
473
510
|
'@context': [
|
|
474
511
|
'https://www.w3.org/2018/credentials/v1',
|
|
@@ -485,6 +522,14 @@ function wrapDelegationAsVC(delegation, options) {
|
|
|
485
522
|
id: delegation.id,
|
|
486
523
|
issuerDid: delegation.issuerDid,
|
|
487
524
|
subjectDid: delegation.subjectDid,
|
|
525
|
+
// Include userDid if provided or fallback to controller
|
|
526
|
+
...(options?.userDid && { userDid: options.userDid }),
|
|
527
|
+
// Include userIdentifier if provided
|
|
528
|
+
...(options?.userIdentifier && { userIdentifier: options.userIdentifier }),
|
|
529
|
+
// Include sessionId if provided
|
|
530
|
+
...(options?.sessionId && { sessionId: options.sessionId }),
|
|
531
|
+
// Include scopes if available
|
|
532
|
+
...(scopes && scopes.length > 0 && { scopes }),
|
|
488
533
|
controller: delegation.controller,
|
|
489
534
|
parentId: delegation.parentId,
|
|
490
535
|
constraints: delegation.constraints,
|
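Review bot: In `wrapDelegationAsVC`, `const scopes = options?.scopes || delegation.constraints.scopes;` lets a caller-supplied `options.scopes` replace the scopes recorded in the delegation, while `constraints: delegation.constraints` is still embedded unchanged, so the credential subject can carry a top-level `scopes` array that disagrees with, or is broader than, `constraints.scopes`. If a verifier authorizes from the top-level `scopes`, that widens the grant; consider rejecting option scopes that are not a subset of the constraint scopes before building the subject. The same line now dereferences `delegation.constraints` directly and throws when it is absent; `delegation.constraints?.scopes` would avoid that, assuming the record type allows a missing constraints object. Separately, the comment `// Include userDid if provided or fallback to controller` describes a fallback that the spread on the next line does not perform, so either the comment or the code should change. The function body starts and ends outside these hunks.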
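--- a/package/dist/handshake.js
+++ b/package/dist/handshake.js
@@ -2,7 +2,16 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.NONCE_LENGTH_BYTES = exports.DEFAULT_TIMESTAMP_SKEW_SECONDS = exports.DEFAULT_SESSION_TTL_MINUTES = exports.NonceCacheConfigSchema = exports.NonceCacheEntrySchema = exports.SessionContextSchema = exports.HandshakeRequestSchema = exports.MCPClientSessionInfoSchema = exports.MCPClientInfoSchema = exports.SessionIdentityStateSchema = void 0;
 const zod_1 = require("zod");
-
+/**
+* OAuth Identity schema (inlined to avoid ESM/CJS boundary issues with @kya-os/consent)
+* This is a copy of OAuthIdentitySchema from @kya-os/consent for use in handshake types.
+*/
+const oauthIdentitySchema = zod_1.z.object({
+provider: zod_1.z.string().min(1).max(50),
+subject: zod_1.z.string().min(1).max(255),
+email: zod_1.z.string().email().max(255).optional(),
+name: zod_1.z.string().max(255).optional(),
+});
 /**
 * Handshake and session management schemas
 */
@@ -65,7 +74,7 @@ exports.SessionContextSchema = zod_1.z.object({
 * OAuth identity information (populated after successful OAuth)
 * Contains provider, subject, email from OAuth provider
 */
-oauthIdentity:
+oauthIdentity: oauthIdentitySchema.optional(),
 });
 exports.NonceCacheEntrySchema = zod_1.z.object({
 sessionId: zod_1.z.string().min(1),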
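Review bot: `oauthIdentitySchema` is a hand-copied duplicate of `OAuthIdentitySchema` from `@kya-os/consent`, so the limits enforced here (`provider` max 50, `subject` max 255, optional `email` and `name`) can drift from the source package without anyone noticing. After such drift `SessionContextSchema.oauthIdentity` could accept identity data the consent package would reject, or the reverse. The doc comment should record which release the copy was taken from, e.g. `* Copied from @kya-os/consent <VERSION>; update both together.`, and a unit test that compares the two schemas' shapes would catch divergence. `provider` and `subject` are only length-checked here; if they later feed cache keys or log lines, a character allow-list would be worth adding.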
@@ -943,12 +943,12 @@ export declare const ToolProtectionResponseSchema: z.ZodObject<{
|
|
|
943
943
|
source: z.ZodOptional<z.ZodString>;
|
|
944
944
|
}, "strip", z.ZodTypeAny, {
|
|
945
945
|
version?: string | undefined;
|
|
946
|
-
source?: string | undefined;
|
|
947
946
|
lastUpdated?: string | undefined;
|
|
947
|
+
source?: string | undefined;
|
|
948
948
|
}, {
|
|
949
949
|
version?: string | undefined;
|
|
950
|
-
source?: string | undefined;
|
|
951
950
|
lastUpdated?: string | undefined;
|
|
951
|
+
source?: string | undefined;
|
|
952
952
|
}>>;
|
|
953
953
|
}, "strip", z.ZodTypeAny, {
|
|
954
954
|
toolProtections: Record<string, {
|
|
@@ -997,8 +997,8 @@ export declare const ToolProtectionResponseSchema: z.ZodObject<{
|
|
|
997
997
|
}>;
|
|
998
998
|
metadata?: {
|
|
999
999
|
version?: string | undefined;
|
|
1000
|
-
source?: string | undefined;
|
|
1001
1000
|
lastUpdated?: string | undefined;
|
|
1001
|
+
source?: string | undefined;
|
|
1002
1002
|
} | undefined;
|
|
1003
1003
|
}, {
|
|
1004
1004
|
toolProtections: Record<string, {
|
|
@@ -1047,8 +1047,8 @@ export declare const ToolProtectionResponseSchema: z.ZodObject<{
|
|
|
1047
1047
|
}>;
|
|
1048
1048
|
metadata?: {
|
|
1049
1049
|
version?: string | undefined;
|
|
1050
|
-
source?: string | undefined;
|
|
1051
1050
|
lastUpdated?: string | undefined;
|
|
1051
|
+
source?: string | undefined;
|
|
1052
1052
|
} | undefined;
|
|
1053
1053
|
}>;
|
|
1054
1054
|
export declare const DelegationRequiredErrorDataSchema: z.ZodObject<{
|
|
@@ -1060,15 +1060,15 @@ export declare const DelegationRequiredErrorDataSchema: z.ZodObject<{
|
|
|
1060
1060
|
}, "strip", z.ZodTypeAny, {
|
|
1061
1061
|
requiredScopes: string[];
|
|
1062
1062
|
toolName: string;
|
|
1063
|
+
authorizationUrl?: string | undefined;
|
|
1063
1064
|
reason?: string | undefined;
|
|
1064
1065
|
consentUrl?: string | undefined;
|
|
1065
|
-
authorizationUrl?: string | undefined;
|
|
1066
1066
|
}, {
|
|
1067
1067
|
requiredScopes: string[];
|
|
1068
1068
|
toolName: string;
|
|
1069
|
+
authorizationUrl?: string | undefined;
|
|
1069
1070
|
reason?: string | undefined;
|
|
1070
1071
|
consentUrl?: string | undefined;
|
|
1071
|
-
authorizationUrl?: string | undefined;
|
|
1072
1072
|
}>;
|
|
1073
1073
|
/**
|
|
1074
1074
|
* Type Guards
|
|
@@ -352,20 +352,23 @@ function getAuthorizationTypeKey(auth) {
|
|
|
352
352
|
switch (auth.type) {
|
|
353
353
|
case 'oauth':
|
|
354
354
|
// Keep original key format for backward compatibility with existing cache entries
|
|
355
|
-
|
|
355
|
+
// Handle undefined provider gracefully (may come from loose API response types)
|
|
356
|
+
return auth.provider ? `oauth:${auth.provider}` : 'oauth';
|
|
356
357
|
case 'oauth2':
|
|
357
|
-
return `oauth2:${auth.provider}
|
|
358
|
+
return auth.provider ? `oauth2:${auth.provider}` : 'oauth2';
|
|
358
359
|
case 'password':
|
|
359
|
-
return `password:${auth.provider}
|
|
360
|
+
return auth.provider ? `password:${auth.provider}` : 'password';
|
|
360
361
|
case 'mdl':
|
|
361
|
-
|
|
362
|
+
// Keep trailing colon for backward compatibility with existing cache entries
|
|
363
|
+
return `mdl:${auth.issuer || 'unknown'}:${auth.credentialType || ''}`;
|
|
362
364
|
case 'idv':
|
|
363
|
-
|
|
365
|
+
// Keep trailing colon for backward compatibility with existing cache entries
|
|
366
|
+
return `idv:${auth.provider || 'unknown'}:${auth.verificationLevel || ''}`;
|
|
364
367
|
case 'verifiable_credential':
|
|
365
|
-
return `vc:${auth.issuer || 'any'}:${auth.credentialType}`;
|
|
368
|
+
return `vc:${auth.issuer || 'any'}:${auth.credentialType || 'unknown'}`;
|
|
366
369
|
case 'credential':
|
|
367
370
|
// Deprecated: treat as verifiable_credential
|
|
368
|
-
return `vc:${auth.issuer || 'any'}:${auth.credentialType}`;
|
|
371
|
+
return `vc:${auth.issuer || 'any'}:${auth.credentialType || 'unknown'}`;
|
|
369
372
|
case 'webauthn':
|
|
370
373
|
return `webauthn:${auth.rpId || 'default'}`;
|
|
371
374
|
case 'siwe':
|
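Review bot: The new fallbacks in `getAuthorizationTypeKey` give every `oauth`, `oauth2` or `password` requirement with a missing provider the same key (`'oauth'`, `'oauth2'`, `'password'`), and map missing `mdl`, `idv` and `verifiable_credential` fields to `unknown`. The comments say these keys index existing cache entries; if that cache holds authorization state, requirements that differ only in a missing field now resolve to one entry, so a missing field should fail closed or at least be logged rather than be keyed like a normal value. The checks are truthiness tests, so an empty-string provider takes the same path as `undefined`. Field values are also interpolated unescaped, so a value containing `:` could yield a key identical to another type and provider pair; this is hedged because validation of `auth` is not visible in the hunk. The function starts and ends outside the hunk.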
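--- a/package/dist/verifier.d.ts
+++ b/package/dist/verifier.d.ts
@@ -20,8 +20,8 @@ export declare const AgentContextSchema: z.ZodObject<{
 confidence: "verified";
 registry: string;
 verifiedAt: number;
-delegationRef?: string | undefined;
 subject?: string | undefined;
+delegationRef?: string | undefined;
 }, {
 did: string;
 kid: string;
@@ -30,8 +30,8 @@ export declare const AgentContextSchema: z.ZodObject<{
 registry: string;
 verifiedAt: number;
 scopes?: string[] | undefined;
-delegationRef?: string | undefined;
 subject?: string | undefined;
+delegationRef?: string | undefined;
 }>;
 export declare const VerifierResultSchema: z.ZodObject<{
 success: z.ZodBoolean;
@@ -54,8 +54,8 @@ export declare const VerifierResultSchema: z.ZodObject<{
 confidence: "verified";
 registry: string;
 verifiedAt: number;
-delegationRef?: string | undefined;
 subject?: string | undefined;
+delegationRef?: string | undefined;
 }, {
 did: string;
 kid: string;
@@ -64,8 +64,8 @@ export declare const VerifierResultSchema: z.ZodObject<{
 registry: string;
 verifiedAt: number;
 scopes?: string[] | undefined;
-delegationRef?: string | undefined;
 subject?: string | undefined;
+delegationRef?: string | undefined;
 }>>;
 error: z.ZodOptional<z.ZodObject<{
 code: z.ZodString;
@@ -100,8 +100,8 @@ export declare const VerifierResultSchema: z.ZodObject<{
 confidence: "verified";
 registry: string;
 verifiedAt: number;
-delegationRef?: string | undefined;
 subject?: string | undefined;
+delegationRef?: string | undefined;
 } | undefined;
 }, {
 success: boolean;
@@ -120,8 +120,8 @@ export declare const VerifierResultSchema: z.ZodObject<{
 registry: string;
 verifiedAt: number;
 scopes?: string[] | undefined;
-delegationRef?: string | undefined;
 subject?: string | undefined;
+delegationRef?: string | undefined;
 } | undefined;
 }>;
 export declare const StructuredErrorSchema: z.ZodObject<{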
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@kya-os/contracts",
|
|
3
|
-
"version": "1.7.
|
|
3
|
+
"version": "1.7.18",
|
|
4
4
|
"description": "Shared contracts, types, and schemas for MCP-I framework",
|
|
5
5
|
"main": "dist/index.js",
|
|
6
6
|
"types": "dist/index.d.ts",
|
|
@@ -95,7 +95,7 @@
|
|
|
95
95
|
},
|
|
96
96
|
"sideEffects": false,
|
|
97
97
|
"dependencies": {
|
|
98
|
-
"@kya-os/consent": "^0.1.
|
|
98
|
+
"@kya-os/consent": "^0.1.20",
|
|
99
99
|
"zod": "^3.25.76"
|
|
100
100
|
},
|
|
101
101
|
"devDependencies": {
|