@kya-os/contracts 1.7.2 → 1.7.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/dashboard-config/schemas.d.ts +3179 -2262
- package/dist/handshake.d.ts +22 -22
- package/dist/tool-protection/index.d.ts +264 -36
- package/dist/tool-protection/index.js +164 -4
- package/package.json +1 -1
|
@@ -1,23 +1,27 @@
|
|
|
1
1
|
/**
|
|
2
2
|
* MCP-I Tool Protection Specification
|
|
3
3
|
*
|
|
4
|
-
*
|
|
5
|
-
*
|
|
6
|
-
*
|
|
4
|
+
* Core types for tool protection with delegation requirements.
|
|
5
|
+
*
|
|
6
|
+
* Consent Flow: type='none' → 2 screens, others → 3 screens (Auth→Consent→Success).
|
|
7
|
+
* DelegationCredential (VC) is created when user confirms on Consent Screen.
|
|
7
8
|
*
|
|
8
9
|
* @module @kya-os/contracts/tool-protection
|
|
9
10
|
*/
|
|
10
11
|
import { z } from 'zod';
|
|
11
12
|
/**
|
|
12
|
-
* Authorization Requirement
|
|
13
|
+
* Authorization Requirement - what auth is needed BEFORE consent screen.
|
|
13
14
|
*
|
|
14
|
-
*
|
|
15
|
-
*
|
|
15
|
+
* Types: none (2 screens), oauth/password/mdl/idv (3 screens), verifiable_credential (future).
|
|
16
|
+
* The VC output is always a DelegationCredential created on consent confirmation.
|
|
16
17
|
*/
|
|
17
18
|
export type AuthorizationRequirement = {
|
|
18
19
|
type: 'oauth';
|
|
19
20
|
provider: string;
|
|
20
21
|
requiredScopes?: string[];
|
|
22
|
+
} | {
|
|
23
|
+
type: 'password';
|
|
24
|
+
provider: string;
|
|
21
25
|
} | {
|
|
22
26
|
type: 'mdl';
|
|
23
27
|
issuer: string;
|
|
@@ -27,12 +31,33 @@ export type AuthorizationRequirement = {
|
|
|
27
31
|
provider: string;
|
|
28
32
|
verificationLevel?: 'basic' | 'enhanced' | 'loa3';
|
|
29
33
|
} | {
|
|
34
|
+
/** FUTURE: Require user to present an existing VC (not yet implemented) */
|
|
35
|
+
type: 'verifiable_credential';
|
|
36
|
+
credentialType: string;
|
|
37
|
+
issuer?: string;
|
|
38
|
+
} | {
|
|
39
|
+
/**
|
|
40
|
+
* @deprecated Use `verifiable_credential` instead. Kept for backward compatibility.
|
|
41
|
+
*/
|
|
30
42
|
type: 'credential';
|
|
31
43
|
credentialType: string;
|
|
32
44
|
issuer?: string;
|
|
33
45
|
} | {
|
|
34
46
|
type: 'none';
|
|
35
47
|
};
|
|
48
|
+
/** Canonical authorization type values for type safety */
|
|
49
|
+
export declare const AUTHORIZATION_TYPES: {
|
|
50
|
+
readonly OAUTH: "oauth";
|
|
51
|
+
readonly PASSWORD: "password";
|
|
52
|
+
readonly MDL: "mdl";
|
|
53
|
+
readonly IDV: "idv";
|
|
54
|
+
/** FUTURE: Not yet implemented */
|
|
55
|
+
readonly VERIFIABLE_CREDENTIAL: "verifiable_credential";
|
|
56
|
+
/** @deprecated Use VERIFIABLE_CREDENTIAL */
|
|
57
|
+
readonly CREDENTIAL: "credential";
|
|
58
|
+
readonly NONE: "none";
|
|
59
|
+
};
|
|
60
|
+
export type AuthorizationType = (typeof AUTHORIZATION_TYPES)[keyof typeof AUTHORIZATION_TYPES];
|
|
36
61
|
/**
|
|
37
62
|
* Tool Protection Definition
|
|
38
63
|
*
|
|
@@ -176,6 +201,15 @@ export declare const AuthorizationRequirementSchema: z.ZodDiscriminatedUnion<"ty
|
|
|
176
201
|
type: "oauth";
|
|
177
202
|
provider: string;
|
|
178
203
|
requiredScopes?: string[] | undefined;
|
|
204
|
+
}>, z.ZodObject<{
|
|
205
|
+
type: z.ZodLiteral<"password">;
|
|
206
|
+
provider: z.ZodString;
|
|
207
|
+
}, "strip", z.ZodTypeAny, {
|
|
208
|
+
type: "password";
|
|
209
|
+
provider: string;
|
|
210
|
+
}, {
|
|
211
|
+
type: "password";
|
|
212
|
+
provider: string;
|
|
179
213
|
}>, z.ZodObject<{
|
|
180
214
|
type: z.ZodLiteral<"mdl">;
|
|
181
215
|
issuer: z.ZodString;
|
|
@@ -200,6 +234,18 @@ export declare const AuthorizationRequirementSchema: z.ZodDiscriminatedUnion<"ty
|
|
|
200
234
|
type: "idv";
|
|
201
235
|
provider: string;
|
|
202
236
|
verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
|
|
237
|
+
}>, z.ZodObject<{
|
|
238
|
+
type: z.ZodLiteral<"verifiable_credential">;
|
|
239
|
+
credentialType: z.ZodString;
|
|
240
|
+
issuer: z.ZodOptional<z.ZodString>;
|
|
241
|
+
}, "strip", z.ZodTypeAny, {
|
|
242
|
+
type: "verifiable_credential";
|
|
243
|
+
credentialType: string;
|
|
244
|
+
issuer?: string | undefined;
|
|
245
|
+
}, {
|
|
246
|
+
type: "verifiable_credential";
|
|
247
|
+
credentialType: string;
|
|
248
|
+
issuer?: string | undefined;
|
|
203
249
|
}>, z.ZodObject<{
|
|
204
250
|
type: z.ZodLiteral<"credential">;
|
|
205
251
|
credentialType: z.ZodString;
|
|
@@ -236,6 +282,15 @@ export declare const ToolProtectionSchema: z.ZodObject<{
|
|
|
236
282
|
type: "oauth";
|
|
237
283
|
provider: string;
|
|
238
284
|
requiredScopes?: string[] | undefined;
|
|
285
|
+
}>, z.ZodObject<{
|
|
286
|
+
type: z.ZodLiteral<"password">;
|
|
287
|
+
provider: z.ZodString;
|
|
288
|
+
}, "strip", z.ZodTypeAny, {
|
|
289
|
+
type: "password";
|
|
290
|
+
provider: string;
|
|
291
|
+
}, {
|
|
292
|
+
type: "password";
|
|
293
|
+
provider: string;
|
|
239
294
|
}>, z.ZodObject<{
|
|
240
295
|
type: z.ZodLiteral<"mdl">;
|
|
241
296
|
issuer: z.ZodString;
|
|
@@ -260,6 +315,18 @@ export declare const ToolProtectionSchema: z.ZodObject<{
|
|
|
260
315
|
type: "idv";
|
|
261
316
|
provider: string;
|
|
262
317
|
verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
|
|
318
|
+
}>, z.ZodObject<{
|
|
319
|
+
type: z.ZodLiteral<"verifiable_credential">;
|
|
320
|
+
credentialType: z.ZodString;
|
|
321
|
+
issuer: z.ZodOptional<z.ZodString>;
|
|
322
|
+
}, "strip", z.ZodTypeAny, {
|
|
323
|
+
type: "verifiable_credential";
|
|
324
|
+
credentialType: string;
|
|
325
|
+
issuer?: string | undefined;
|
|
326
|
+
}, {
|
|
327
|
+
type: "verifiable_credential";
|
|
328
|
+
credentialType: string;
|
|
329
|
+
issuer?: string | undefined;
|
|
263
330
|
}>, z.ZodObject<{
|
|
264
331
|
type: z.ZodLiteral<"credential">;
|
|
265
332
|
credentialType: z.ZodString;
|
|
@@ -280,12 +347,17 @@ export declare const ToolProtectionSchema: z.ZodObject<{
|
|
|
280
347
|
type: "none";
|
|
281
348
|
}>]>>;
|
|
282
349
|
}, "strip", z.ZodTypeAny, {
|
|
283
|
-
requiresDelegation: boolean;
|
|
284
350
|
requiredScopes: string[];
|
|
351
|
+
requiresDelegation: boolean;
|
|
352
|
+
riskLevel?: "low" | "medium" | "high" | "critical" | undefined;
|
|
353
|
+
oauthProvider?: string | undefined;
|
|
285
354
|
authorization?: {
|
|
286
355
|
type: "oauth";
|
|
287
356
|
provider: string;
|
|
288
357
|
requiredScopes?: string[] | undefined;
|
|
358
|
+
} | {
|
|
359
|
+
type: "password";
|
|
360
|
+
provider: string;
|
|
289
361
|
} | {
|
|
290
362
|
type: "mdl";
|
|
291
363
|
issuer: string;
|
|
@@ -294,6 +366,10 @@ export declare const ToolProtectionSchema: z.ZodObject<{
|
|
|
294
366
|
type: "idv";
|
|
295
367
|
provider: string;
|
|
296
368
|
verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
|
|
369
|
+
} | {
|
|
370
|
+
type: "verifiable_credential";
|
|
371
|
+
credentialType: string;
|
|
372
|
+
issuer?: string | undefined;
|
|
297
373
|
} | {
|
|
298
374
|
type: "credential";
|
|
299
375
|
credentialType: string;
|
|
@@ -301,15 +377,18 @@ export declare const ToolProtectionSchema: z.ZodObject<{
|
|
|
301
377
|
} | {
|
|
302
378
|
type: "none";
|
|
303
379
|
} | undefined;
|
|
304
|
-
riskLevel?: "low" | "medium" | "high" | "critical" | undefined;
|
|
305
|
-
oauthProvider?: string | undefined;
|
|
306
380
|
}, {
|
|
307
|
-
requiresDelegation: boolean;
|
|
308
381
|
requiredScopes: string[];
|
|
382
|
+
requiresDelegation: boolean;
|
|
383
|
+
riskLevel?: "low" | "medium" | "high" | "critical" | undefined;
|
|
384
|
+
oauthProvider?: string | undefined;
|
|
309
385
|
authorization?: {
|
|
310
386
|
type: "oauth";
|
|
311
387
|
provider: string;
|
|
312
388
|
requiredScopes?: string[] | undefined;
|
|
389
|
+
} | {
|
|
390
|
+
type: "password";
|
|
391
|
+
provider: string;
|
|
313
392
|
} | {
|
|
314
393
|
type: "mdl";
|
|
315
394
|
issuer: string;
|
|
@@ -318,6 +397,10 @@ export declare const ToolProtectionSchema: z.ZodObject<{
|
|
|
318
397
|
type: "idv";
|
|
319
398
|
provider: string;
|
|
320
399
|
verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
|
|
400
|
+
} | {
|
|
401
|
+
type: "verifiable_credential";
|
|
402
|
+
credentialType: string;
|
|
403
|
+
issuer?: string | undefined;
|
|
321
404
|
} | {
|
|
322
405
|
type: "credential";
|
|
323
406
|
credentialType: string;
|
|
@@ -325,8 +408,6 @@ export declare const ToolProtectionSchema: z.ZodObject<{
|
|
|
325
408
|
} | {
|
|
326
409
|
type: "none";
|
|
327
410
|
} | undefined;
|
|
328
|
-
riskLevel?: "low" | "medium" | "high" | "critical" | undefined;
|
|
329
|
-
oauthProvider?: string | undefined;
|
|
330
411
|
}>;
|
|
331
412
|
export declare const ToolProtectionMapSchema: z.ZodRecord<z.ZodString, z.ZodObject<{
|
|
332
413
|
requiresDelegation: z.ZodBoolean;
|
|
@@ -345,6 +426,15 @@ export declare const ToolProtectionMapSchema: z.ZodRecord<z.ZodString, z.ZodObje
|
|
|
345
426
|
type: "oauth";
|
|
346
427
|
provider: string;
|
|
347
428
|
requiredScopes?: string[] | undefined;
|
|
429
|
+
}>, z.ZodObject<{
|
|
430
|
+
type: z.ZodLiteral<"password">;
|
|
431
|
+
provider: z.ZodString;
|
|
432
|
+
}, "strip", z.ZodTypeAny, {
|
|
433
|
+
type: "password";
|
|
434
|
+
provider: string;
|
|
435
|
+
}, {
|
|
436
|
+
type: "password";
|
|
437
|
+
provider: string;
|
|
348
438
|
}>, z.ZodObject<{
|
|
349
439
|
type: z.ZodLiteral<"mdl">;
|
|
350
440
|
issuer: z.ZodString;
|
|
@@ -369,6 +459,18 @@ export declare const ToolProtectionMapSchema: z.ZodRecord<z.ZodString, z.ZodObje
|
|
|
369
459
|
type: "idv";
|
|
370
460
|
provider: string;
|
|
371
461
|
verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
|
|
462
|
+
}>, z.ZodObject<{
|
|
463
|
+
type: z.ZodLiteral<"verifiable_credential">;
|
|
464
|
+
credentialType: z.ZodString;
|
|
465
|
+
issuer: z.ZodOptional<z.ZodString>;
|
|
466
|
+
}, "strip", z.ZodTypeAny, {
|
|
467
|
+
type: "verifiable_credential";
|
|
468
|
+
credentialType: string;
|
|
469
|
+
issuer?: string | undefined;
|
|
470
|
+
}, {
|
|
471
|
+
type: "verifiable_credential";
|
|
472
|
+
credentialType: string;
|
|
473
|
+
issuer?: string | undefined;
|
|
372
474
|
}>, z.ZodObject<{
|
|
373
475
|
type: z.ZodLiteral<"credential">;
|
|
374
476
|
credentialType: z.ZodString;
|
|
@@ -389,12 +491,17 @@ export declare const ToolProtectionMapSchema: z.ZodRecord<z.ZodString, z.ZodObje
|
|
|
389
491
|
type: "none";
|
|
390
492
|
}>]>>;
|
|
391
493
|
}, "strip", z.ZodTypeAny, {
|
|
392
|
-
requiresDelegation: boolean;
|
|
393
494
|
requiredScopes: string[];
|
|
495
|
+
requiresDelegation: boolean;
|
|
496
|
+
riskLevel?: "low" | "medium" | "high" | "critical" | undefined;
|
|
497
|
+
oauthProvider?: string | undefined;
|
|
394
498
|
authorization?: {
|
|
395
499
|
type: "oauth";
|
|
396
500
|
provider: string;
|
|
397
501
|
requiredScopes?: string[] | undefined;
|
|
502
|
+
} | {
|
|
503
|
+
type: "password";
|
|
504
|
+
provider: string;
|
|
398
505
|
} | {
|
|
399
506
|
type: "mdl";
|
|
400
507
|
issuer: string;
|
|
@@ -403,6 +510,10 @@ export declare const ToolProtectionMapSchema: z.ZodRecord<z.ZodString, z.ZodObje
|
|
|
403
510
|
type: "idv";
|
|
404
511
|
provider: string;
|
|
405
512
|
verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
|
|
513
|
+
} | {
|
|
514
|
+
type: "verifiable_credential";
|
|
515
|
+
credentialType: string;
|
|
516
|
+
issuer?: string | undefined;
|
|
406
517
|
} | {
|
|
407
518
|
type: "credential";
|
|
408
519
|
credentialType: string;
|
|
@@ -410,15 +521,18 @@ export declare const ToolProtectionMapSchema: z.ZodRecord<z.ZodString, z.ZodObje
|
|
|
410
521
|
} | {
|
|
411
522
|
type: "none";
|
|
412
523
|
} | undefined;
|
|
413
|
-
riskLevel?: "low" | "medium" | "high" | "critical" | undefined;
|
|
414
|
-
oauthProvider?: string | undefined;
|
|
415
524
|
}, {
|
|
416
|
-
requiresDelegation: boolean;
|
|
417
525
|
requiredScopes: string[];
|
|
526
|
+
requiresDelegation: boolean;
|
|
527
|
+
riskLevel?: "low" | "medium" | "high" | "critical" | undefined;
|
|
528
|
+
oauthProvider?: string | undefined;
|
|
418
529
|
authorization?: {
|
|
419
530
|
type: "oauth";
|
|
420
531
|
provider: string;
|
|
421
532
|
requiredScopes?: string[] | undefined;
|
|
533
|
+
} | {
|
|
534
|
+
type: "password";
|
|
535
|
+
provider: string;
|
|
422
536
|
} | {
|
|
423
537
|
type: "mdl";
|
|
424
538
|
issuer: string;
|
|
@@ -427,6 +541,10 @@ export declare const ToolProtectionMapSchema: z.ZodRecord<z.ZodString, z.ZodObje
|
|
|
427
541
|
type: "idv";
|
|
428
542
|
provider: string;
|
|
429
543
|
verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
|
|
544
|
+
} | {
|
|
545
|
+
type: "verifiable_credential";
|
|
546
|
+
credentialType: string;
|
|
547
|
+
issuer?: string | undefined;
|
|
430
548
|
} | {
|
|
431
549
|
type: "credential";
|
|
432
550
|
credentialType: string;
|
|
@@ -434,8 +552,6 @@ export declare const ToolProtectionMapSchema: z.ZodRecord<z.ZodString, z.ZodObje
|
|
|
434
552
|
} | {
|
|
435
553
|
type: "none";
|
|
436
554
|
} | undefined;
|
|
437
|
-
riskLevel?: "low" | "medium" | "high" | "critical" | undefined;
|
|
438
|
-
oauthProvider?: string | undefined;
|
|
439
555
|
}>>;
|
|
440
556
|
export declare const ToolProtectionResponseSchema: z.ZodObject<{
|
|
441
557
|
toolProtections: z.ZodRecord<z.ZodString, z.ZodObject<{
|
|
@@ -455,6 +571,15 @@ export declare const ToolProtectionResponseSchema: z.ZodObject<{
|
|
|
455
571
|
type: "oauth";
|
|
456
572
|
provider: string;
|
|
457
573
|
requiredScopes?: string[] | undefined;
|
|
574
|
+
}>, z.ZodObject<{
|
|
575
|
+
type: z.ZodLiteral<"password">;
|
|
576
|
+
provider: z.ZodString;
|
|
577
|
+
}, "strip", z.ZodTypeAny, {
|
|
578
|
+
type: "password";
|
|
579
|
+
provider: string;
|
|
580
|
+
}, {
|
|
581
|
+
type: "password";
|
|
582
|
+
provider: string;
|
|
458
583
|
}>, z.ZodObject<{
|
|
459
584
|
type: z.ZodLiteral<"mdl">;
|
|
460
585
|
issuer: z.ZodString;
|
|
@@ -479,6 +604,18 @@ export declare const ToolProtectionResponseSchema: z.ZodObject<{
|
|
|
479
604
|
type: "idv";
|
|
480
605
|
provider: string;
|
|
481
606
|
verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
|
|
607
|
+
}>, z.ZodObject<{
|
|
608
|
+
type: z.ZodLiteral<"verifiable_credential">;
|
|
609
|
+
credentialType: z.ZodString;
|
|
610
|
+
issuer: z.ZodOptional<z.ZodString>;
|
|
611
|
+
}, "strip", z.ZodTypeAny, {
|
|
612
|
+
type: "verifiable_credential";
|
|
613
|
+
credentialType: string;
|
|
614
|
+
issuer?: string | undefined;
|
|
615
|
+
}, {
|
|
616
|
+
type: "verifiable_credential";
|
|
617
|
+
credentialType: string;
|
|
618
|
+
issuer?: string | undefined;
|
|
482
619
|
}>, z.ZodObject<{
|
|
483
620
|
type: z.ZodLiteral<"credential">;
|
|
484
621
|
credentialType: z.ZodString;
|
|
@@ -499,12 +636,17 @@ export declare const ToolProtectionResponseSchema: z.ZodObject<{
|
|
|
499
636
|
type: "none";
|
|
500
637
|
}>]>>;
|
|
501
638
|
}, "strip", z.ZodTypeAny, {
|
|
502
|
-
requiresDelegation: boolean;
|
|
503
639
|
requiredScopes: string[];
|
|
640
|
+
requiresDelegation: boolean;
|
|
641
|
+
riskLevel?: "low" | "medium" | "high" | "critical" | undefined;
|
|
642
|
+
oauthProvider?: string | undefined;
|
|
504
643
|
authorization?: {
|
|
505
644
|
type: "oauth";
|
|
506
645
|
provider: string;
|
|
507
646
|
requiredScopes?: string[] | undefined;
|
|
647
|
+
} | {
|
|
648
|
+
type: "password";
|
|
649
|
+
provider: string;
|
|
508
650
|
} | {
|
|
509
651
|
type: "mdl";
|
|
510
652
|
issuer: string;
|
|
@@ -513,6 +655,10 @@ export declare const ToolProtectionResponseSchema: z.ZodObject<{
|
|
|
513
655
|
type: "idv";
|
|
514
656
|
provider: string;
|
|
515
657
|
verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
|
|
658
|
+
} | {
|
|
659
|
+
type: "verifiable_credential";
|
|
660
|
+
credentialType: string;
|
|
661
|
+
issuer?: string | undefined;
|
|
516
662
|
} | {
|
|
517
663
|
type: "credential";
|
|
518
664
|
credentialType: string;
|
|
@@ -520,15 +666,18 @@ export declare const ToolProtectionResponseSchema: z.ZodObject<{
|
|
|
520
666
|
} | {
|
|
521
667
|
type: "none";
|
|
522
668
|
} | undefined;
|
|
523
|
-
riskLevel?: "low" | "medium" | "high" | "critical" | undefined;
|
|
524
|
-
oauthProvider?: string | undefined;
|
|
525
669
|
}, {
|
|
526
|
-
requiresDelegation: boolean;
|
|
527
670
|
requiredScopes: string[];
|
|
671
|
+
requiresDelegation: boolean;
|
|
672
|
+
riskLevel?: "low" | "medium" | "high" | "critical" | undefined;
|
|
673
|
+
oauthProvider?: string | undefined;
|
|
528
674
|
authorization?: {
|
|
529
675
|
type: "oauth";
|
|
530
676
|
provider: string;
|
|
531
677
|
requiredScopes?: string[] | undefined;
|
|
678
|
+
} | {
|
|
679
|
+
type: "password";
|
|
680
|
+
provider: string;
|
|
532
681
|
} | {
|
|
533
682
|
type: "mdl";
|
|
534
683
|
issuer: string;
|
|
@@ -537,6 +686,10 @@ export declare const ToolProtectionResponseSchema: z.ZodObject<{
|
|
|
537
686
|
type: "idv";
|
|
538
687
|
provider: string;
|
|
539
688
|
verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
|
|
689
|
+
} | {
|
|
690
|
+
type: "verifiable_credential";
|
|
691
|
+
credentialType: string;
|
|
692
|
+
issuer?: string | undefined;
|
|
540
693
|
} | {
|
|
541
694
|
type: "credential";
|
|
542
695
|
credentialType: string;
|
|
@@ -544,30 +697,33 @@ export declare const ToolProtectionResponseSchema: z.ZodObject<{
|
|
|
544
697
|
} | {
|
|
545
698
|
type: "none";
|
|
546
699
|
} | undefined;
|
|
547
|
-
riskLevel?: "low" | "medium" | "high" | "critical" | undefined;
|
|
548
|
-
oauthProvider?: string | undefined;
|
|
549
700
|
}>>;
|
|
550
701
|
metadata: z.ZodOptional<z.ZodObject<{
|
|
551
702
|
lastUpdated: z.ZodOptional<z.ZodString>;
|
|
552
703
|
version: z.ZodOptional<z.ZodString>;
|
|
553
704
|
source: z.ZodOptional<z.ZodString>;
|
|
554
705
|
}, "strip", z.ZodTypeAny, {
|
|
555
|
-
version?: string | undefined;
|
|
556
706
|
lastUpdated?: string | undefined;
|
|
707
|
+
version?: string | undefined;
|
|
557
708
|
source?: string | undefined;
|
|
558
709
|
}, {
|
|
559
|
-
version?: string | undefined;
|
|
560
710
|
lastUpdated?: string | undefined;
|
|
711
|
+
version?: string | undefined;
|
|
561
712
|
source?: string | undefined;
|
|
562
713
|
}>>;
|
|
563
714
|
}, "strip", z.ZodTypeAny, {
|
|
564
715
|
toolProtections: Record<string, {
|
|
565
|
-
requiresDelegation: boolean;
|
|
566
716
|
requiredScopes: string[];
|
|
717
|
+
requiresDelegation: boolean;
|
|
718
|
+
riskLevel?: "low" | "medium" | "high" | "critical" | undefined;
|
|
719
|
+
oauthProvider?: string | undefined;
|
|
567
720
|
authorization?: {
|
|
568
721
|
type: "oauth";
|
|
569
722
|
provider: string;
|
|
570
723
|
requiredScopes?: string[] | undefined;
|
|
724
|
+
} | {
|
|
725
|
+
type: "password";
|
|
726
|
+
provider: string;
|
|
571
727
|
} | {
|
|
572
728
|
type: "mdl";
|
|
573
729
|
issuer: string;
|
|
@@ -576,6 +732,10 @@ export declare const ToolProtectionResponseSchema: z.ZodObject<{
|
|
|
576
732
|
type: "idv";
|
|
577
733
|
provider: string;
|
|
578
734
|
verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
|
|
735
|
+
} | {
|
|
736
|
+
type: "verifiable_credential";
|
|
737
|
+
credentialType: string;
|
|
738
|
+
issuer?: string | undefined;
|
|
579
739
|
} | {
|
|
580
740
|
type: "credential";
|
|
581
741
|
credentialType: string;
|
|
@@ -583,22 +743,25 @@ export declare const ToolProtectionResponseSchema: z.ZodObject<{
|
|
|
583
743
|
} | {
|
|
584
744
|
type: "none";
|
|
585
745
|
} | undefined;
|
|
586
|
-
riskLevel?: "low" | "medium" | "high" | "critical" | undefined;
|
|
587
|
-
oauthProvider?: string | undefined;
|
|
588
746
|
}>;
|
|
589
747
|
metadata?: {
|
|
590
|
-
version?: string | undefined;
|
|
591
748
|
lastUpdated?: string | undefined;
|
|
749
|
+
version?: string | undefined;
|
|
592
750
|
source?: string | undefined;
|
|
593
751
|
} | undefined;
|
|
594
752
|
}, {
|
|
595
753
|
toolProtections: Record<string, {
|
|
596
|
-
requiresDelegation: boolean;
|
|
597
754
|
requiredScopes: string[];
|
|
755
|
+
requiresDelegation: boolean;
|
|
756
|
+
riskLevel?: "low" | "medium" | "high" | "critical" | undefined;
|
|
757
|
+
oauthProvider?: string | undefined;
|
|
598
758
|
authorization?: {
|
|
599
759
|
type: "oauth";
|
|
600
760
|
provider: string;
|
|
601
761
|
requiredScopes?: string[] | undefined;
|
|
762
|
+
} | {
|
|
763
|
+
type: "password";
|
|
764
|
+
provider: string;
|
|
602
765
|
} | {
|
|
603
766
|
type: "mdl";
|
|
604
767
|
issuer: string;
|
|
@@ -607,6 +770,10 @@ export declare const ToolProtectionResponseSchema: z.ZodObject<{
|
|
|
607
770
|
type: "idv";
|
|
608
771
|
provider: string;
|
|
609
772
|
verificationLevel?: "basic" | "enhanced" | "loa3" | undefined;
|
|
773
|
+
} | {
|
|
774
|
+
type: "verifiable_credential";
|
|
775
|
+
credentialType: string;
|
|
776
|
+
issuer?: string | undefined;
|
|
610
777
|
} | {
|
|
611
778
|
type: "credential";
|
|
612
779
|
credentialType: string;
|
|
@@ -614,12 +781,10 @@ export declare const ToolProtectionResponseSchema: z.ZodObject<{
|
|
|
614
781
|
} | {
|
|
615
782
|
type: "none";
|
|
616
783
|
} | undefined;
|
|
617
|
-
riskLevel?: "low" | "medium" | "high" | "critical" | undefined;
|
|
618
|
-
oauthProvider?: string | undefined;
|
|
619
784
|
}>;
|
|
620
785
|
metadata?: {
|
|
621
|
-
version?: string | undefined;
|
|
622
786
|
lastUpdated?: string | undefined;
|
|
787
|
+
version?: string | undefined;
|
|
623
788
|
source?: string | undefined;
|
|
624
789
|
} | undefined;
|
|
625
790
|
}>;
|
|
@@ -632,15 +797,15 @@ export declare const DelegationRequiredErrorDataSchema: z.ZodObject<{
|
|
|
632
797
|
}, "strip", z.ZodTypeAny, {
|
|
633
798
|
requiredScopes: string[];
|
|
634
799
|
toolName: string;
|
|
800
|
+
consentUrl?: string | undefined;
|
|
635
801
|
authorizationUrl?: string | undefined;
|
|
636
802
|
reason?: string | undefined;
|
|
637
|
-
consentUrl?: string | undefined;
|
|
638
803
|
}, {
|
|
639
804
|
requiredScopes: string[];
|
|
640
805
|
toolName: string;
|
|
806
|
+
consentUrl?: string | undefined;
|
|
641
807
|
authorizationUrl?: string | undefined;
|
|
642
808
|
reason?: string | undefined;
|
|
643
|
-
consentUrl?: string | undefined;
|
|
644
809
|
}>;
|
|
645
810
|
/**
|
|
646
811
|
* Type Guards
|
|
@@ -661,6 +826,23 @@ export declare function hasOAuthAuthorization(protection: ToolProtection): prote
|
|
|
661
826
|
type: 'oauth';
|
|
662
827
|
};
|
|
663
828
|
};
|
|
829
|
+
/**
|
|
830
|
+
* Type guard to check if a ToolProtection has password authorization
|
|
831
|
+
*/
|
|
832
|
+
export declare function hasPasswordAuthorization(protection: ToolProtection): protection is ToolProtection & {
|
|
833
|
+
authorization: {
|
|
834
|
+
type: 'password';
|
|
835
|
+
};
|
|
836
|
+
};
|
|
837
|
+
/**
|
|
838
|
+
* Type guard to check if a ToolProtection requires a Verifiable Credential
|
|
839
|
+
* Handles both 'verifiable_credential' and legacy 'credential' types
|
|
840
|
+
*/
|
|
841
|
+
export declare function hasVerifiableCredentialAuthorization(protection: ToolProtection): protection is ToolProtection & {
|
|
842
|
+
authorization: {
|
|
843
|
+
type: 'verifiable_credential' | 'credential';
|
|
844
|
+
};
|
|
845
|
+
};
|
|
664
846
|
/**
|
|
665
847
|
* Validation Functions
|
|
666
848
|
*/
|
|
@@ -701,3 +883,49 @@ export declare function createDelegationRequiredError(toolName: string, required
|
|
|
701
883
|
* // TODO: Remove normalizeToolProtection() when all tools migrated (target: Phase 3)
|
|
702
884
|
*/
|
|
703
885
|
export declare function normalizeToolProtection(raw: ToolProtection | PartialToolProtection): ToolProtection;
|
|
886
|
+
/** Consent provider types - stored in delegation metadata to track auth method used */
|
|
887
|
+
export declare const CONSENT_PROVIDER_TYPES: {
|
|
888
|
+
/** Consent-only mode - no authentication, just clickwrap agreement */
|
|
889
|
+
readonly NONE: "none";
|
|
890
|
+
/** OAuth2 provider authentication */
|
|
891
|
+
readonly OAUTH2: "oauth2";
|
|
892
|
+
/** Password-based authentication (email/password, username/password) */
|
|
893
|
+
readonly PASSWORD: "password";
|
|
894
|
+
/** @deprecated Use PASSWORD instead. Alias for backward compatibility */
|
|
895
|
+
readonly CREDENTIAL: "credential";
|
|
896
|
+
/** Email magic link authentication */
|
|
897
|
+
readonly MAGIC_LINK: "magic_link";
|
|
898
|
+
/** One-time password (SMS/email code) */
|
|
899
|
+
readonly OTP: "otp";
|
|
900
|
+
};
|
|
901
|
+
export type ConsentProviderType = (typeof CONSENT_PROVIDER_TYPES)[keyof typeof CONSENT_PROVIDER_TYPES];
|
|
902
|
+
/**
|
|
903
|
+
* Determine consent provider type based on available identity information
|
|
904
|
+
*
|
|
905
|
+
* This is the single source of truth for consent provider type determination.
|
|
906
|
+
*
|
|
907
|
+
* @param hasOAuthIdentity - Whether OAuth identity is available
|
|
908
|
+
* @param isPasswordFlow - Whether this is a password/credential flow
|
|
909
|
+
* @param isMagicLinkFlow - Whether this is a magic link flow
|
|
910
|
+
* @param isOtpFlow - Whether this is an OTP flow
|
|
911
|
+
* @returns The consent provider type
|
|
912
|
+
*/
|
|
913
|
+
export declare function determineConsentProviderType(hasOAuthIdentity: boolean, isPasswordFlow?: boolean, isMagicLinkFlow?: boolean, isOtpFlow?: boolean): ConsentProviderType;
|
|
914
|
+
/**
|
|
915
|
+
* Normalize authorization requirement to use canonical type names
|
|
916
|
+
*
|
|
917
|
+
* Migrates legacy 'credential' type to 'verifiable_credential'
|
|
918
|
+
* This ensures consistent type usage across the codebase.
|
|
919
|
+
*
|
|
920
|
+
* @param auth - The authorization requirement (may have legacy type)
|
|
921
|
+
* @returns Normalized authorization requirement with canonical type
|
|
922
|
+
*/
|
|
923
|
+
export declare function normalizeAuthorizationType(auth: AuthorizationRequirement): AuthorizationRequirement;
|
|
924
|
+
/**
|
|
925
|
+
* Get a human-readable label for an authorization requirement type
|
|
926
|
+
*/
|
|
927
|
+
export declare function getAuthorizationTypeLabel(auth: AuthorizationRequirement): string;
|
|
928
|
+
/**
|
|
929
|
+
* Get a unique key for an authorization requirement (for React keys, caching, etc.)
|
|
930
|
+
*/
|
|
931
|
+
export declare function getAuthorizationTypeKey(auth: AuthorizationRequirement): string;
|