@kya-os/contracts 1.7.3 → 1.7.4
- package/dist/handshake.d.ts +22 -22
- package/dist/tool-protection/index.d.ts +12 -41
- package/dist/tool-protection/index.js +9 -29
- package/package.json +1 -1
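--- a/package/dist/handshake.d.ts
+++ b/package/dist/handshake.d.ts
@@ -23,16 +23,16 @@ export declare const MCPClientInfoSchema: z.ZodObject<{
 persistentId: z.ZodOptional<z.ZodString>;
 }, "strip", z.ZodTypeAny, {
 name: string;
-title?: string | undefined;
 version?: string | undefined;
 platform?: string | undefined;
+title?: string | undefined;
 vendor?: string | undefined;
 persistentId?: string | undefined;
 }, {
 name: string;
-title?: string | undefined;
 version?: string | undefined;
 platform?: string | undefined;
+title?: string | undefined;
 vendor?: string | undefined;
 persistentId?: string | undefined;
 }>;
@@ -50,9 +50,9 @@ export declare const MCPClientSessionInfoSchema: z.ZodObject<{
 }, "strip", z.ZodTypeAny, {
 name: string;
 clientId: string;
-title?: string | undefined;
 version?: string | undefined;
 platform?: string | undefined;
+title?: string | undefined;
 vendor?: string | undefined;
 persistentId?: string | undefined;
 protocolVersion?: string | undefined;
@@ -60,9 +60,9 @@ export declare const MCPClientSessionInfoSchema: z.ZodObject<{
 }, {
 name: string;
 clientId: string;
-title?: string | undefined;
 version?: string | undefined;
 platform?: string | undefined;
+title?: string | undefined;
 vendor?: string | undefined;
 persistentId?: string | undefined;
 protocolVersion?: string | undefined;
@@ -84,17 +84,17 @@ export declare const HandshakeRequestSchema: z.ZodObject<{
 clientId: z.ZodOptional<z.ZodString>;
 }, "strip", z.ZodTypeAny, {
 name: string;
-title?: string | undefined;
 version?: string | undefined;
 platform?: string | undefined;
+title?: string | undefined;
 vendor?: string | undefined;
 persistentId?: string | undefined;
 clientId?: string | undefined;
 }, {
 name: string;
-title?: string | undefined;
 version?: string | undefined;
 platform?: string | undefined;
+title?: string | undefined;
 vendor?: string | undefined;
 persistentId?: string | undefined;
 clientId?: string | undefined;
@@ -102,15 +102,15 @@ export declare const HandshakeRequestSchema: z.ZodObject<{
 clientProtocolVersion: z.ZodOptional<z.ZodString>;
 clientCapabilities: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
 }, "strip", z.ZodTypeAny, {
+timestamp: number;
 nonce: string;
 audience: string;
-timestamp: number;
 agentDid?: string | undefined;
 clientInfo?: {
 name: string;
-title?: string | undefined;
 version?: string | undefined;
 platform?: string | undefined;
+title?: string | undefined;
 vendor?: string | undefined;
 persistentId?: string | undefined;
 clientId?: string | undefined;
@@ -118,15 +118,15 @@ export declare const HandshakeRequestSchema: z.ZodObject<{
 clientProtocolVersion?: string | undefined;
 clientCapabilities?: Record<string, unknown> | undefined;
 }, {
+timestamp: number;
 nonce: string;
 audience: string;
-timestamp: number;
 agentDid?: string | undefined;
 clientInfo?: {
 name: string;
-title?: string | undefined;
 version?: string | undefined;
 platform?: string | undefined;
+title?: string | undefined;
 vendor?: string | undefined;
 persistentId?: string | undefined;
 clientId?: string | undefined;
@@ -160,9 +160,9 @@ export declare const SessionContextSchema: z.ZodObject<{
 }, "strip", z.ZodTypeAny, {
 name: string;
 clientId: string;
-title?: string | undefined;
 version?: string | undefined;
 platform?: string | undefined;
+title?: string | undefined;
 vendor?: string | undefined;
 persistentId?: string | undefined;
 protocolVersion?: string | undefined;
@@ -170,9 +170,9 @@ export declare const SessionContextSchema: z.ZodObject<{
 }, {
 name: string;
 clientId: string;
-title?: string | undefined;
 version?: string | undefined;
 platform?: string | undefined;
+title?: string | undefined;
 vendor?: string | undefined;
 persistentId?: string | undefined;
 protocolVersion?: string | undefined;
@@ -204,27 +204,27 @@ export declare const SessionContextSchema: z.ZodObject<{
 name?: string | undefined;
 }>>;
 }, "strip", z.ZodTypeAny, {
+ttlMinutes: number;
+timestamp: number;
 nonce: string;
 audience: string;
-timestamp: number;
 sessionId: string;
 createdAt: number;
 lastActivity: number;
-ttlMinutes: number;
 identityState: "anonymous" | "authenticated";
 agentDid?: string | undefined;
+serverDid?: string | undefined;
 clientInfo?: {
 name: string;
 clientId: string;
-title?: string | undefined;
 version?: string | undefined;
 platform?: string | undefined;
+title?: string | undefined;
 vendor?: string | undefined;
 persistentId?: string | undefined;
 protocolVersion?: string | undefined;
 capabilities?: Record<string, unknown> | undefined;
 } | undefined;
-serverDid?: string | undefined;
 clientDid?: string | undefined;
 userDid?: string | undefined;
 oauthIdentity?: {
@@ -234,26 +234,26 @@ export declare const SessionContextSchema: z.ZodObject<{
 name?: string | undefined;
 } | undefined;
 }, {
+timestamp: number;
 nonce: string;
 audience: string;
-timestamp: number;
 sessionId: string;
 createdAt: number;
 lastActivity: number;
 agentDid?: string | undefined;
+serverDid?: string | undefined;
+ttlMinutes?: number | undefined;
 clientInfo?: {
 name: string;
 clientId: string;
-title?: string | undefined;
 version?: string | undefined;
 platform?: string | undefined;
+title?: string | undefined;
 vendor?: string | undefined;
 persistentId?: string | undefined;
 protocolVersion?: string | undefined;
 capabilities?: Record<string, unknown> | undefined;
 } | undefined;
-ttlMinutes?: number | undefined;
-serverDid?: string | undefined;
 clientDid?: string | undefined;
 userDid?: string | undefined;
 identityState?: "anonymous" | "authenticated" | undefined;
@@ -346,7 +346,7 @@ export declare const NonceCacheConfigSchema: z.ZodObject<{
 keyPrefix?: string | undefined;
 }>>;
 }, "strip", z.ZodTypeAny, {
-type?: "
+type?: "cloudflare-kv" | "memory" | "redis" | "dynamodb" | undefined;
 redis?: {
 url: string;
 keyPrefix: string;
@@ -362,7 +362,7 @@ export declare const NonceCacheConfigSchema: z.ZodObject<{
 namespace: string;
 } | undefined;
 }, {
-type?: "
+type?: "cloudflare-kv" | "memory" | "redis" | "dynamodb" | undefined;
 redis?: {
 url: string;
 keyPrefix?: string | undefined;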
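--- a/package/dist/tool-protection/index.d.ts
+++ b/package/dist/tool-protection/index.d.ts
@@ -1,28 +1,19 @@
 /**
 * MCP-I Tool Protection Specification
 *
-*
-*
-*
+* Core types for tool protection with delegation requirements.
+*
+* Consent Flow: type='none' → 2 screens, others → 3 screens (Auth→Consent→Success).
+* DelegationCredential (VC) is created when user confirms on Consent Screen.
 *
 * @module @kya-os/contracts/tool-protection
 */
 import { z } from 'zod';
 /**
-* Authorization Requirement
-*
-* Defines the type of authorization required for a tool.
-* Extensible design to support OAuth, password auth, MDL, IDV, verifiable credentials, etc.
-*
-* ## Type Naming Clarification
+* Authorization Requirement - what auth is needed BEFORE consent screen.
 *
-*
-*
-* - `verifiable_credential` - W3C Verifiable Credential requirement (preferred)
-* - `credential` - **DEPRECATED** alias for `verifiable_credential` (for backward compatibility)
-* - `mdl` - Mobile Driver's License (ISO 18013-5)
-* - `idv` - Identity Verification provider (Stripe, Onfido, etc.)
-* - `none` - Consent-only (clickwrap agreement, no authentication)
+* Types: none (2 screens), oauth/password/mdl/idv (3 screens), verifiable_credential (future).
+* The VC output is always a DelegationCredential created on consent confirmation.
 */
 export type AuthorizationRequirement = {
 type: 'oauth';
@@ -40,6 +31,7 @@ export type AuthorizationRequirement = {
 provider: string;
 verificationLevel?: 'basic' | 'enhanced' | 'loa3';
 } | {
+/** FUTURE: Require user to present an existing VC (not yet implemented) */
 type: 'verifiable_credential';
 credentialType: string;
 issuer?: string;
@@ -53,24 +45,16 @@ export type AuthorizationRequirement = {
 } | {
 type: 'none';
 };
-/**
-* Canonical authorization type values
-* Use these constants instead of string literals for type safety
-*/
+/** Canonical authorization type values for type safety */
 export declare const AUTHORIZATION_TYPES: {
-/** OAuth 2.0 provider authentication */
 readonly OAUTH: "oauth";
-/** Username/password or API key authentication */
 readonly PASSWORD: "password";
-/** Mobile Driver's License (ISO 18013-5) */
 readonly MDL: "mdl";
-/** Identity Verification provider */
 readonly IDV: "idv";
-/**
+/** FUTURE: Not yet implemented */
 readonly VERIFIABLE_CREDENTIAL: "verifiable_credential";
-/** @deprecated Use VERIFIABLE_CREDENTIAL
+/** @deprecated Use VERIFIABLE_CREDENTIAL */
 readonly CREDENTIAL: "credential";
-/** Consent-only (clickwrap agreement) */
 readonly NONE: "none";
 };
 export type AuthorizationType = (typeof AUTHORIZATION_TYPES)[keyof typeof AUTHORIZATION_TYPES];
@@ -899,20 +883,7 @@ export declare function createDelegationRequiredError(toolName: string, required
 * // TODO: Remove normalizeToolProtection() when all tools migrated (target: Phase 3)
 */
 export declare function normalizeToolProtection(raw: ToolProtection | PartialToolProtection): ToolProtection;
-/**
-* Consent Provider Types
-*
-* These constants define the authentication method used during consent:
-* - NONE: Consent-only mode (clickwrap) - user agrees without authentication
-* - OAUTH2: OAuth provider authentication (GitHub, Google, etc.)
-* - PASSWORD: Password-based authentication (email/password, username/password)
-* - CREDENTIAL: Alias for PASSWORD (legacy compatibility)
-* - MAGIC_LINK: Email magic link authentication
-* - OTP: One-time password authentication
-*
-* NOTE: This is distinct from AUTHORIZATION_TYPES which define what a TOOL requires.
-* CONSENT_PROVIDER_TYPES define what authentication method the USER used.
-*/
+/** Consent provider types - stored in delegation metadata to track auth method used */
 export declare const CONSENT_PROVIDER_TYPES: {
 /** Consent-only mode - no authentication, just clickwrap agreement */
 readonly NONE: "none";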
@@ -2,9 +2,10 @@
|
|
|
2
2
|
/**
|
|
3
3
|
* MCP-I Tool Protection Specification
|
|
4
4
|
*
|
|
5
|
-
*
|
|
6
|
-
*
|
|
7
|
-
*
|
|
5
|
+
* Core types for tool protection with delegation requirements.
|
|
6
|
+
*
|
|
7
|
+
* Consent Flow: type='none' → 2 screens, others → 3 screens (Auth→Consent→Success).
|
|
8
|
+
* DelegationCredential (VC) is created when user confirms on Consent Screen.
|
|
8
9
|
*
|
|
9
10
|
* @module @kya-os/contracts/tool-protection
|
|
10
11
|
*/
|
|
@@ -32,24 +33,16 @@ exports.normalizeAuthorizationType = normalizeAuthorizationType;
|
|
|
32
33
|
exports.getAuthorizationTypeLabel = getAuthorizationTypeLabel;
|
|
33
34
|
exports.getAuthorizationTypeKey = getAuthorizationTypeKey;
|
|
34
35
|
const zod_1 = require("zod");
|
|
35
|
-
/**
|
|
36
|
-
* Canonical authorization type values
|
|
37
|
-
* Use these constants instead of string literals for type safety
|
|
38
|
-
*/
|
|
36
|
+
/** Canonical authorization type values for type safety */
|
|
39
37
|
exports.AUTHORIZATION_TYPES = {
|
|
40
|
-
/** OAuth 2.0 provider authentication */
|
|
41
38
|
OAUTH: 'oauth',
|
|
42
|
-
/** Username/password or API key authentication */
|
|
43
39
|
PASSWORD: 'password',
|
|
44
|
-
/** Mobile Driver's License (ISO 18013-5) */
|
|
45
40
|
MDL: 'mdl',
|
|
46
|
-
/** Identity Verification provider */
|
|
47
41
|
IDV: 'idv',
|
|
48
|
-
/**
|
|
42
|
+
/** FUTURE: Not yet implemented */
|
|
49
43
|
VERIFIABLE_CREDENTIAL: 'verifiable_credential',
|
|
50
|
-
/** @deprecated Use VERIFIABLE_CREDENTIAL
|
|
44
|
+
/** @deprecated Use VERIFIABLE_CREDENTIAL */
|
|
51
45
|
CREDENTIAL: 'credential',
|
|
52
|
-
/** Consent-only (clickwrap agreement) */
|
|
53
46
|
NONE: 'none',
|
|
54
47
|
};
|
|
55
48
|
/**
|
|
@@ -249,22 +242,9 @@ function normalizeToolProtection(raw) {
|
|
|
249
242
|
return normalized;
|
|
250
243
|
}
|
|
251
244
|
// =============================================================================
|
|
252
|
-
// CONSENT PROVIDER TYPES
|
|
245
|
+
// CONSENT PROVIDER TYPES - Records what auth method was USED (not required)
|
|
253
246
|
// =============================================================================
|
|
254
|
-
/**
|
|
255
|
-
* Consent Provider Types
|
|
256
|
-
*
|
|
257
|
-
* These constants define the authentication method used during consent:
|
|
258
|
-
* - NONE: Consent-only mode (clickwrap) - user agrees without authentication
|
|
259
|
-
* - OAUTH2: OAuth provider authentication (GitHub, Google, etc.)
|
|
260
|
-
* - PASSWORD: Password-based authentication (email/password, username/password)
|
|
261
|
-
* - CREDENTIAL: Alias for PASSWORD (legacy compatibility)
|
|
262
|
-
* - MAGIC_LINK: Email magic link authentication
|
|
263
|
-
* - OTP: One-time password authentication
|
|
264
|
-
*
|
|
265
|
-
* NOTE: This is distinct from AUTHORIZATION_TYPES which define what a TOOL requires.
|
|
266
|
-
* CONSENT_PROVIDER_TYPES define what authentication method the USER used.
|
|
267
|
-
*/
|
|
247
|
+
/** Consent provider types - stored in delegation metadata to track auth method used */
|
|
268
248
|
exports.CONSENT_PROVIDER_TYPES = {
|
|
269
249
|
/** Consent-only mode - no authentication, just clickwrap agreement */
|
|
270
250
|
NONE: 'none',
|