@kya-os/contracts 1.7.4 → 1.7.7

@@ -72,8 +72,8 @@ export declare const AuditContextSchema: z.ZodObject<{
72
72
  [k: string]: unknown;
73
73
  };
74
74
  session: {
75
- audience: string;
76
75
  sessionId: string;
76
+ audience: string;
77
77
  } & {
78
78
  [k: string]: unknown;
79
79
  };
@@ -89,8 +89,8 @@ export declare const AuditContextSchema: z.ZodObject<{
89
89
  [k: string]: unknown;
90
90
  };
91
91
  session: {
92
- audience: string;
93
92
  sessionId: string;
93
+ audience: string;
94
94
  } & {
95
95
  [k: string]: unknown;
96
96
  };
@@ -160,8 +160,8 @@ export declare const AuditEventContextSchema: z.ZodObject<{
160
160
  [k: string]: unknown;
161
161
  };
162
162
  session: {
163
- audience: string;
164
163
  sessionId: string;
164
+ audience: string;
165
165
  } & {
166
166
  [k: string]: unknown;
167
167
  };
@@ -175,8 +175,8 @@ export declare const AuditEventContextSchema: z.ZodObject<{
175
175
  [k: string]: unknown;
176
176
  };
177
177
  session: {
178
- audience: string;
179
178
  sessionId: string;
179
+ audience: string;
180
180
  } & {
181
181
  [k: string]: unknown;
182
182
  };
package/dist/cli.d.ts CHANGED
@@ -37,11 +37,11 @@ export declare const CLIIdentityFileSchema: z.ZodEffects<z.ZodEffects<z.ZodObjec
37
37
  claimUrl: string | null;
38
38
  }>>;
39
39
  }, "strip", z.ZodTypeAny, {
40
- version: "1.0";
41
40
  did: string;
42
41
  publicKey: string;
43
42
  privateKey: string;
44
43
  createdAt: string;
44
+ version: "1.0";
45
45
  kta?: {
46
46
  registered: boolean;
47
47
  registeredAt: string;
@@ -51,11 +51,11 @@ export declare const CLIIdentityFileSchema: z.ZodEffects<z.ZodEffects<z.ZodObjec
51
51
  keyId?: string | undefined;
52
52
  lastRotated?: string | undefined;
53
53
  }, {
54
- version: "1.0";
55
54
  did: string;
56
55
  publicKey: string;
57
56
  privateKey: string;
58
57
  createdAt: string;
58
+ version: "1.0";
59
59
  kta?: {
60
60
  registered: boolean;
61
61
  registeredAt: string;
@@ -65,11 +65,11 @@ export declare const CLIIdentityFileSchema: z.ZodEffects<z.ZodEffects<z.ZodObjec
65
65
  keyId?: string | undefined;
66
66
  lastRotated?: string | undefined;
67
67
  }>, {
68
- version: "1.0";
69
68
  did: string;
70
69
  publicKey: string;
71
70
  privateKey: string;
72
71
  createdAt: string;
72
+ version: "1.0";
73
73
  kta?: {
74
74
  registered: boolean;
75
75
  registeredAt: string;
@@ -79,11 +79,11 @@ export declare const CLIIdentityFileSchema: z.ZodEffects<z.ZodEffects<z.ZodObjec
79
79
  keyId?: string | undefined;
80
80
  lastRotated?: string | undefined;
81
81
  }, {
82
- version: "1.0";
83
82
  did: string;
84
83
  publicKey: string;
85
84
  privateKey: string;
86
85
  createdAt: string;
86
+ version: "1.0";
87
87
  kta?: {
88
88
  registered: boolean;
89
89
  registeredAt: string;
@@ -102,11 +102,11 @@ export declare const CLIIdentityFileSchema: z.ZodEffects<z.ZodEffects<z.ZodObjec
102
102
  lastRotated?: string;
103
103
  kta?: z.infer<typeof KTARegistrationSchema>;
104
104
  }, {
105
- version: "1.0";
106
105
  did: string;
107
106
  publicKey: string;
108
107
  privateKey: string;
109
108
  createdAt: string;
109
+ version: "1.0";
110
110
  kta?: {
111
111
  registered: boolean;
112
112
  registeredAt: string;
@@ -298,6 +298,41 @@ export declare const CredentialProviderConfigSchema: z.ZodObject<{
298
298
  submitButtonText?: string | undefined;
299
299
  } | undefined;
300
300
  }>;
301
+ /**
302
+ * OAuth Provider Secret Metadata
303
+ *
304
+ * Metadata for runtime secret resolution from secure storage.
305
+ * Part of the MCP-I provider-registry model where agents resolve
306
+ * secrets by name from Cloudflare Worker env bindings.
307
+ */
308
+ export interface OAuthProviderSecretMetadata {
309
+ /**
310
+ * Secret name for client secret in secure storage
311
+ * Used by agents to resolve the actual secret value at runtime
312
+ * @example 'KYA_PROD_MYPROJ_GITHUB_CLIENT_SECRET'
313
+ */
314
+ clientSecretName?: string;
315
+ /**
316
+ * Secret name for client ID in secure storage (optional)
317
+ * @example 'KYA_PROD_MYPROJ_GITHUB_CLIENT_ID'
318
+ */
319
+ clientIdSecretName?: string;
320
+ /**
321
+ * Secret name for API key in secure storage (for non-OAuth providers)
322
+ * @example 'KYA_PROD_MYPROJ_CUSTOM_API_KEY'
323
+ */
324
+ apiKeySecretName?: string;
325
+ /**
326
+ * Version number of the client secret for rotation tracking
327
+ * Incremented on each rotation
328
+ */
329
+ clientSecretVersion?: number;
330
+ /**
331
+ * ISO 8601 timestamp of when the secret was last rotated
332
+ * @example '2025-12-01T00:00:00Z'
333
+ */
334
+ lastRotatedAt?: string;
335
+ }
301
336
  /**
302
337
  * OAuth Provider Configuration
303
338
  *
@@ -332,6 +367,17 @@ export interface OAuthProvider {
332
367
  responseType?: string;
333
368
  /** OAuth grant type (default: "authorization_code") */
334
369
  grantType?: string;
370
+ /**
371
+ * Whether provider has a client secret configured
372
+ * Boolean flag indicating secret availability without exposing the value
373
+ */
374
+ hasClientSecret?: boolean;
375
+ /**
376
+ * Secret resolution metadata for MCP-I provider-registry model
377
+ * Contains secret names (not values) for runtime resolution from secure storage
378
+ * Agents use these names to look up actual secrets from Cloudflare Worker env
379
+ */
380
+ metadata?: OAuthProviderSecretMetadata;
335
381
  }
336
382
  /**
337
383
  * OAuth Configuration
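Review bot: `hasClientSecret` and `metadata.clientSecretName` on `OAuthProvider` are independent optional fields, so a record can report a secret as configured while naming none (or the reverse), and the added comments do not say which field a consumer should rely on. If the flag is meant only as a display hint, the `hasClientSecret` comment could say so, for example `* Informational only; the secret itself is resolved through metadata.clientSecretName`. The `metadata` comment should also state whether secret names may be logged or returned to clients, since the documented examples show they encode environment and project names. The interface opens above this hunk, and the same pair of fields is added to `OAuth2ProviderConfig` in a later hunk with shorter comments.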
@@ -353,6 +399,28 @@ export interface OAuthConfig {
353
399
  */
354
400
  configuredProvider?: string | null;
355
401
  }
402
+ /**
403
+ * Zod schema for OAuthProviderSecretMetadata validation
404
+ */
405
+ export declare const OAuthProviderSecretMetadataSchema: z.ZodObject<{
406
+ clientSecretName: z.ZodOptional<z.ZodString>;
407
+ clientIdSecretName: z.ZodOptional<z.ZodString>;
408
+ apiKeySecretName: z.ZodOptional<z.ZodString>;
409
+ clientSecretVersion: z.ZodOptional<z.ZodNumber>;
410
+ lastRotatedAt: z.ZodOptional<z.ZodString>;
411
+ }, "strip", z.ZodTypeAny, {
412
+ clientSecretName?: string | undefined;
413
+ clientIdSecretName?: string | undefined;
414
+ apiKeySecretName?: string | undefined;
415
+ clientSecretVersion?: number | undefined;
416
+ lastRotatedAt?: string | undefined;
417
+ }, {
418
+ clientSecretName?: string | undefined;
419
+ clientIdSecretName?: string | undefined;
420
+ apiKeySecretName?: string | undefined;
421
+ clientSecretVersion?: number | undefined;
422
+ lastRotatedAt?: string | undefined;
423
+ }>;
356
424
  /**
357
425
  * Zod schema for OAuthProvider validation
358
426
  */
@@ -371,6 +439,26 @@ export declare const OAuthProviderSchema: z.ZodObject<{
371
439
  tokenEndpointAuthMethod: z.ZodOptional<z.ZodEnum<["client_secret_post", "client_secret_basic"]>>;
372
440
  responseType: z.ZodDefault<z.ZodOptional<z.ZodString>>;
373
441
  grantType: z.ZodDefault<z.ZodOptional<z.ZodString>>;
442
+ hasClientSecret: z.ZodOptional<z.ZodBoolean>;
443
+ metadata: z.ZodOptional<z.ZodObject<{
444
+ clientSecretName: z.ZodOptional<z.ZodString>;
445
+ clientIdSecretName: z.ZodOptional<z.ZodString>;
446
+ apiKeySecretName: z.ZodOptional<z.ZodString>;
447
+ clientSecretVersion: z.ZodOptional<z.ZodNumber>;
448
+ lastRotatedAt: z.ZodOptional<z.ZodString>;
449
+ }, "strip", z.ZodTypeAny, {
450
+ clientSecretName?: string | undefined;
451
+ clientIdSecretName?: string | undefined;
452
+ apiKeySecretName?: string | undefined;
453
+ clientSecretVersion?: number | undefined;
454
+ lastRotatedAt?: string | undefined;
455
+ }, {
456
+ clientSecretName?: string | undefined;
457
+ clientIdSecretName?: string | undefined;
458
+ apiKeySecretName?: string | undefined;
459
+ clientSecretVersion?: number | undefined;
460
+ lastRotatedAt?: string | undefined;
461
+ }>>;
374
462
  }, "strip", z.ZodTypeAny, {
375
463
  clientId: string;
376
464
  authorizationUrl: string;
@@ -386,6 +474,14 @@ export declare const OAuthProviderSchema: z.ZodObject<{
386
474
  proxyMode?: boolean | undefined;
387
475
  customParams?: Record<string, string> | undefined;
388
476
  tokenEndpointAuthMethod?: "client_secret_post" | "client_secret_basic" | undefined;
477
+ hasClientSecret?: boolean | undefined;
478
+ metadata?: {
479
+ clientSecretName?: string | undefined;
480
+ clientIdSecretName?: string | undefined;
481
+ apiKeySecretName?: string | undefined;
482
+ clientSecretVersion?: number | undefined;
483
+ lastRotatedAt?: string | undefined;
484
+ } | undefined;
389
485
  }, {
390
486
  clientId: string;
391
487
  authorizationUrl: string;
@@ -401,6 +497,14 @@ export declare const OAuthProviderSchema: z.ZodObject<{
401
497
  tokenEndpointAuthMethod?: "client_secret_post" | "client_secret_basic" | undefined;
402
498
  responseType?: string | undefined;
403
499
  grantType?: string | undefined;
500
+ hasClientSecret?: boolean | undefined;
501
+ metadata?: {
502
+ clientSecretName?: string | undefined;
503
+ clientIdSecretName?: string | undefined;
504
+ apiKeySecretName?: string | undefined;
505
+ clientSecretVersion?: number | undefined;
506
+ lastRotatedAt?: string | undefined;
507
+ } | undefined;
404
508
  }>;
405
509
  /**
406
510
  * Zod schema for OAuthConfig validation
@@ -421,6 +525,26 @@ export declare const OAuthConfigSchema: z.ZodObject<{
421
525
  tokenEndpointAuthMethod: z.ZodOptional<z.ZodEnum<["client_secret_post", "client_secret_basic"]>>;
422
526
  responseType: z.ZodDefault<z.ZodOptional<z.ZodString>>;
423
527
  grantType: z.ZodDefault<z.ZodOptional<z.ZodString>>;
528
+ hasClientSecret: z.ZodOptional<z.ZodBoolean>;
529
+ metadata: z.ZodOptional<z.ZodObject<{
530
+ clientSecretName: z.ZodOptional<z.ZodString>;
531
+ clientIdSecretName: z.ZodOptional<z.ZodString>;
532
+ apiKeySecretName: z.ZodOptional<z.ZodString>;
533
+ clientSecretVersion: z.ZodOptional<z.ZodNumber>;
534
+ lastRotatedAt: z.ZodOptional<z.ZodString>;
535
+ }, "strip", z.ZodTypeAny, {
536
+ clientSecretName?: string | undefined;
537
+ clientIdSecretName?: string | undefined;
538
+ apiKeySecretName?: string | undefined;
539
+ clientSecretVersion?: number | undefined;
540
+ lastRotatedAt?: string | undefined;
541
+ }, {
542
+ clientSecretName?: string | undefined;
543
+ clientIdSecretName?: string | undefined;
544
+ apiKeySecretName?: string | undefined;
545
+ clientSecretVersion?: number | undefined;
546
+ lastRotatedAt?: string | undefined;
547
+ }>>;
424
548
  }, "strip", z.ZodTypeAny, {
425
549
  clientId: string;
426
550
  authorizationUrl: string;
@@ -436,6 +560,14 @@ export declare const OAuthConfigSchema: z.ZodObject<{
436
560
  proxyMode?: boolean | undefined;
437
561
  customParams?: Record<string, string> | undefined;
438
562
  tokenEndpointAuthMethod?: "client_secret_post" | "client_secret_basic" | undefined;
563
+ hasClientSecret?: boolean | undefined;
564
+ metadata?: {
565
+ clientSecretName?: string | undefined;
566
+ clientIdSecretName?: string | undefined;
567
+ apiKeySecretName?: string | undefined;
568
+ clientSecretVersion?: number | undefined;
569
+ lastRotatedAt?: string | undefined;
570
+ } | undefined;
439
571
  }, {
440
572
  clientId: string;
441
573
  authorizationUrl: string;
@@ -451,6 +583,14 @@ export declare const OAuthConfigSchema: z.ZodObject<{
451
583
  tokenEndpointAuthMethod?: "client_secret_post" | "client_secret_basic" | undefined;
452
584
  responseType?: string | undefined;
453
585
  grantType?: string | undefined;
586
+ hasClientSecret?: boolean | undefined;
587
+ metadata?: {
588
+ clientSecretName?: string | undefined;
589
+ clientIdSecretName?: string | undefined;
590
+ apiKeySecretName?: string | undefined;
591
+ clientSecretVersion?: number | undefined;
592
+ lastRotatedAt?: string | undefined;
593
+ } | undefined;
454
594
  }>>;
455
595
  configuredProvider: z.ZodOptional<z.ZodNullable<z.ZodString>>;
456
596
  }, "strip", z.ZodTypeAny, {
@@ -469,6 +609,14 @@ export declare const OAuthConfigSchema: z.ZodObject<{
469
609
  proxyMode?: boolean | undefined;
470
610
  customParams?: Record<string, string> | undefined;
471
611
  tokenEndpointAuthMethod?: "client_secret_post" | "client_secret_basic" | undefined;
612
+ hasClientSecret?: boolean | undefined;
613
+ metadata?: {
614
+ clientSecretName?: string | undefined;
615
+ clientIdSecretName?: string | undefined;
616
+ apiKeySecretName?: string | undefined;
617
+ clientSecretVersion?: number | undefined;
618
+ lastRotatedAt?: string | undefined;
619
+ } | undefined;
472
620
  }>;
473
621
  configuredProvider?: string | null | undefined;
474
622
  }, {
@@ -487,6 +635,14 @@ export declare const OAuthConfigSchema: z.ZodObject<{
487
635
  tokenEndpointAuthMethod?: "client_secret_post" | "client_secret_basic" | undefined;
488
636
  responseType?: string | undefined;
489
637
  grantType?: string | undefined;
638
+ hasClientSecret?: boolean | undefined;
639
+ metadata?: {
640
+ clientSecretName?: string | undefined;
641
+ clientIdSecretName?: string | undefined;
642
+ apiKeySecretName?: string | undefined;
643
+ clientSecretVersion?: number | undefined;
644
+ lastRotatedAt?: string | undefined;
645
+ } | undefined;
490
646
  }>;
491
647
  configuredProvider?: string | null | undefined;
492
648
  }>;
@@ -511,6 +667,10 @@ export interface OAuth2ProviderConfig extends BaseProviderConfig {
511
667
  tokenEndpointAuthMethod?: "client_secret_post" | "client_secret_basic";
512
668
  responseType?: string;
513
669
  grantType?: string;
670
+ /** Whether provider has a client secret configured */
671
+ hasClientSecret?: boolean;
672
+ /** Secret resolution metadata for MCP-I provider-registry model */
673
+ metadata?: OAuthProviderSecretMetadata;
514
674
  }
515
675
  /**
516
676
  * Zod schema for OAuth2ProviderConfig validation
@@ -532,6 +692,26 @@ export declare const OAuth2ProviderConfigSchema: z.ZodObject<{
532
692
  tokenEndpointAuthMethod: z.ZodOptional<z.ZodEnum<["client_secret_post", "client_secret_basic"]>>;
533
693
  responseType: z.ZodDefault<z.ZodOptional<z.ZodString>>;
534
694
  grantType: z.ZodDefault<z.ZodOptional<z.ZodString>>;
695
+ hasClientSecret: z.ZodOptional<z.ZodBoolean>;
696
+ metadata: z.ZodOptional<z.ZodObject<{
697
+ clientSecretName: z.ZodOptional<z.ZodString>;
698
+ clientIdSecretName: z.ZodOptional<z.ZodString>;
699
+ apiKeySecretName: z.ZodOptional<z.ZodString>;
700
+ clientSecretVersion: z.ZodOptional<z.ZodNumber>;
701
+ lastRotatedAt: z.ZodOptional<z.ZodString>;
702
+ }, "strip", z.ZodTypeAny, {
703
+ clientSecretName?: string | undefined;
704
+ clientIdSecretName?: string | undefined;
705
+ apiKeySecretName?: string | undefined;
706
+ clientSecretVersion?: number | undefined;
707
+ lastRotatedAt?: string | undefined;
708
+ }, {
709
+ clientSecretName?: string | undefined;
710
+ clientIdSecretName?: string | undefined;
711
+ apiKeySecretName?: string | undefined;
712
+ clientSecretVersion?: number | undefined;
713
+ lastRotatedAt?: string | undefined;
714
+ }>>;
535
715
  }, "strip", z.ZodTypeAny, {
536
716
  type: "oauth2";
537
717
  clientId: string;
@@ -549,6 +729,14 @@ export declare const OAuth2ProviderConfigSchema: z.ZodObject<{
549
729
  proxyMode?: boolean | undefined;
550
730
  customParams?: Record<string, string> | undefined;
551
731
  tokenEndpointAuthMethod?: "client_secret_post" | "client_secret_basic" | undefined;
732
+ hasClientSecret?: boolean | undefined;
733
+ metadata?: {
734
+ clientSecretName?: string | undefined;
735
+ clientIdSecretName?: string | undefined;
736
+ apiKeySecretName?: string | undefined;
737
+ clientSecretVersion?: number | undefined;
738
+ lastRotatedAt?: string | undefined;
739
+ } | undefined;
552
740
  }, {
553
741
  type: "oauth2";
554
742
  clientId: string;
@@ -566,6 +754,14 @@ export declare const OAuth2ProviderConfigSchema: z.ZodObject<{
566
754
  tokenEndpointAuthMethod?: "client_secret_post" | "client_secret_basic" | undefined;
567
755
  responseType?: string | undefined;
568
756
  grantType?: string | undefined;
757
+ hasClientSecret?: boolean | undefined;
758
+ metadata?: {
759
+ clientSecretName?: string | undefined;
760
+ clientIdSecretName?: string | undefined;
761
+ apiKeySecretName?: string | undefined;
762
+ clientSecretVersion?: number | undefined;
763
+ lastRotatedAt?: string | undefined;
764
+ } | undefined;
569
765
  }>;
570
766
  /**
571
767
  * Unified Auth Provider Type
@@ -594,6 +790,26 @@ export declare const AuthProviderSchema: z.ZodDiscriminatedUnion<"type", [z.ZodO
594
790
  tokenEndpointAuthMethod: z.ZodOptional<z.ZodEnum<["client_secret_post", "client_secret_basic"]>>;
595
791
  responseType: z.ZodDefault<z.ZodOptional<z.ZodString>>;
596
792
  grantType: z.ZodDefault<z.ZodOptional<z.ZodString>>;
793
+ hasClientSecret: z.ZodOptional<z.ZodBoolean>;
794
+ metadata: z.ZodOptional<z.ZodObject<{
795
+ clientSecretName: z.ZodOptional<z.ZodString>;
796
+ clientIdSecretName: z.ZodOptional<z.ZodString>;
797
+ apiKeySecretName: z.ZodOptional<z.ZodString>;
798
+ clientSecretVersion: z.ZodOptional<z.ZodNumber>;
799
+ lastRotatedAt: z.ZodOptional<z.ZodString>;
800
+ }, "strip", z.ZodTypeAny, {
801
+ clientSecretName?: string | undefined;
802
+ clientIdSecretName?: string | undefined;
803
+ apiKeySecretName?: string | undefined;
804
+ clientSecretVersion?: number | undefined;
805
+ lastRotatedAt?: string | undefined;
806
+ }, {
807
+ clientSecretName?: string | undefined;
808
+ clientIdSecretName?: string | undefined;
809
+ apiKeySecretName?: string | undefined;
810
+ clientSecretVersion?: number | undefined;
811
+ lastRotatedAt?: string | undefined;
812
+ }>>;
597
813
  }, "strip", z.ZodTypeAny, {
598
814
  type: "oauth2";
599
815
  clientId: string;
@@ -611,6 +827,14 @@ export declare const AuthProviderSchema: z.ZodDiscriminatedUnion<"type", [z.ZodO
611
827
  proxyMode?: boolean | undefined;
612
828
  customParams?: Record<string, string> | undefined;
613
829
  tokenEndpointAuthMethod?: "client_secret_post" | "client_secret_basic" | undefined;
830
+ hasClientSecret?: boolean | undefined;
831
+ metadata?: {
832
+ clientSecretName?: string | undefined;
833
+ clientIdSecretName?: string | undefined;
834
+ apiKeySecretName?: string | undefined;
835
+ clientSecretVersion?: number | undefined;
836
+ lastRotatedAt?: string | undefined;
837
+ } | undefined;
614
838
  }, {
615
839
  type: "oauth2";
616
840
  clientId: string;
@@ -628,6 +852,14 @@ export declare const AuthProviderSchema: z.ZodDiscriminatedUnion<"type", [z.ZodO
628
852
  tokenEndpointAuthMethod?: "client_secret_post" | "client_secret_basic" | undefined;
629
853
  responseType?: string | undefined;
630
854
  grantType?: string | undefined;
855
+ hasClientSecret?: boolean | undefined;
856
+ metadata?: {
857
+ clientSecretName?: string | undefined;
858
+ clientIdSecretName?: string | undefined;
859
+ apiKeySecretName?: string | undefined;
860
+ clientSecretVersion?: number | undefined;
861
+ lastRotatedAt?: string | undefined;
862
+ } | undefined;
631
863
  }>, z.ZodObject<{
632
864
  type: z.ZodLiteral<"credential">;
633
865
  displayName: z.ZodOptional<z.ZodString>;
@@ -906,27 +1138,27 @@ export declare const AgentIdentitySchema: z.ZodObject<{
906
1138
  publicKey: string;
907
1139
  privateKey: string;
908
1140
  createdAt: string;
1141
+ metadata?: z.objectOutputType<{
1142
+ name: z.ZodOptional<z.ZodString>;
1143
+ version: z.ZodOptional<z.ZodString>;
1144
+ }, z.ZodTypeAny, "passthrough"> | undefined;
909
1145
  kta?: {
910
1146
  registered: boolean;
911
1147
  registeredAt: string;
912
1148
  claimUrl: string | null;
913
1149
  } | undefined;
914
- metadata?: z.objectOutputType<{
915
- name: z.ZodOptional<z.ZodString>;
916
- version: z.ZodOptional<z.ZodString>;
917
- }, z.ZodTypeAny, "passthrough"> | undefined;
918
1150
  }, {
919
1151
  did: string;
920
1152
  publicKey: string;
921
1153
  privateKey: string;
922
1154
  createdAt: string;
1155
+ metadata?: z.objectInputType<{
1156
+ name: z.ZodOptional<z.ZodString>;
1157
+ version: z.ZodOptional<z.ZodString>;
1158
+ }, z.ZodTypeAny, "passthrough"> | undefined;
923
1159
  kta?: {
924
1160
  registered: boolean;
925
1161
  registeredAt: string;
926
1162
  claimUrl: string | null;
927
1163
  } | undefined;
928
- metadata?: z.objectInputType<{
929
- name: z.ZodOptional<z.ZodString>;
930
- version: z.ZodOptional<z.ZodString>;
931
- }, z.ZodTypeAny, "passthrough"> | undefined;
932
1164
  }>;
@@ -8,7 +8,7 @@
8
8
  * @module @kya-os/contracts/config
9
9
  */
10
10
  Object.defineProperty(exports, "__esModule", { value: true });
11
- exports.AgentIdentitySchema = exports.KTARegistrationSchema = exports.AuthProviderSchema = exports.OAuth2ProviderConfigSchema = exports.OAuthConfigSchema = exports.OAuthProviderSchema = exports.CredentialProviderConfigSchema = void 0;
11
+ exports.AgentIdentitySchema = exports.KTARegistrationSchema = exports.AuthProviderSchema = exports.OAuth2ProviderConfigSchema = exports.OAuthConfigSchema = exports.OAuthProviderSchema = exports.OAuthProviderSecretMetadataSchema = exports.CredentialProviderConfigSchema = void 0;
12
12
  const zod_1 = require("zod");
13
13
  /**
14
14
  * Zod schema for CredentialProviderConfig validation
@@ -48,6 +48,16 @@ exports.CredentialProviderConfigSchema = zod_1.z.object({
48
48
  })
49
49
  .optional(),
50
50
  });
51
+ /**
52
+ * Zod schema for OAuthProviderSecretMetadata validation
53
+ */
54
+ exports.OAuthProviderSecretMetadataSchema = zod_1.z.object({
55
+ clientSecretName: zod_1.z.string().optional(),
56
+ clientIdSecretName: zod_1.z.string().optional(),
57
+ apiKeySecretName: zod_1.z.string().optional(),
58
+ clientSecretVersion: zod_1.z.number().optional(),
59
+ lastRotatedAt: zod_1.z.string().optional(),
60
+ });
51
61
  /**
52
62
  * Zod schema for OAuthProvider validation
53
63
  */
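Review bot: The three `*SecretName` fields in `OAuthProviderSecretMetadataSchema` accept any string, yet the declaration comments say agents use these names to look up values in Cloudflare Worker env bindings, so a provider record from a less-trusted source could presumably point the lookup at any binding the Worker holds. Constraining the names at the schema would narrow that, for example `clientSecretName: zod_1.z.string().regex(/^[A-Z][A-Z0-9_]*$/).optional()` (an illustrative pattern modelled on the `KYA_PROD_…` examples; a project-specific prefix would be tighter), and the resolver should still check the name against an allow-list. `clientSecretVersion` could be `zod_1.z.number().int().nonnegative().optional()` and `lastRotatedAt` could be `zod_1.z.string().datetime().optional()` if the pinned zod version provides `datetime()`. This file is compiled output, so the change belongs in the TypeScript source; the same schema is reused by `OAuthProviderSchema` and `OAuth2ProviderConfigSchema` in the later hunks.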
@@ -69,6 +79,9 @@ exports.OAuthProviderSchema = zod_1.z.object({
69
79
  .optional(),
70
80
  responseType: zod_1.z.string().optional().default("code"),
71
81
  grantType: zod_1.z.string().optional().default("authorization_code"),
82
+ // MCP-I Provider Registry
83
+ hasClientSecret: zod_1.z.boolean().optional(),
84
+ metadata: exports.OAuthProviderSecretMetadataSchema.optional(),
72
85
  });
73
86
  /**
74
87
  * Zod schema for OAuthConfig validation
@@ -99,6 +112,9 @@ exports.OAuth2ProviderConfigSchema = zod_1.z.object({
99
112
  .optional(),
100
113
  responseType: zod_1.z.string().optional().default("code"),
101
114
  grantType: zod_1.z.string().optional().default("authorization_code"),
115
+ // MCP-I Provider Registry
116
+ hasClientSecret: zod_1.z.boolean().optional(),
117
+ metadata: exports.OAuthProviderSecretMetadataSchema.optional(),
102
118
  });
103
119
  /**
104
120
  * Zod schema for AuthProvider validation (discriminated union)
@@ -13,7 +13,7 @@ import type { DelegationConfig } from "./delegation.js";
13
13
  import type { ToolProtectionSourceConfig } from "./tool-protection.js";
14
14
  import type { ClientMessagesConfig } from "./client-messages.js";
15
15
  export { MCPIBaseConfig } from "./base.js";
16
- export { RuntimeIdentityConfig, AgentIdentity, OAuthProvider, OAuthConfig, IdpTokens, AuthProviderType, BaseProviderConfig, CredentialProviderConfig, CredentialProviderConfigSchema, OAuth2ProviderConfig, OAuth2ProviderConfigSchema, AuthProvider, AuthProviderSchema, } from "./identity.js";
16
+ export { RuntimeIdentityConfig, AgentIdentity, OAuthProvider, OAuthConfig, IdpTokens, AuthProviderType, BaseProviderConfig, CredentialProviderConfig, CredentialProviderConfigSchema, OAuth2ProviderConfig, OAuth2ProviderConfigSchema, AuthProvider, AuthProviderSchema, OAuthProviderSecretMetadata, OAuthProviderSecretMetadataSchema, OAuthProviderSchema, OAuthConfigSchema, } from "./identity.js";
17
17
  export type { ToolExecutionContext } from "./tool-context.js";
18
18
  /**
19
19
  * @deprecated Use RuntimeIdentityConfig instead
@@ -8,12 +8,15 @@
8
8
  * @module @kya-os/contracts/config
9
9
  */
10
10
  Object.defineProperty(exports, "__esModule", { value: true });
11
- exports.validateClientMessagesConfig = exports.validateClientMessageTemplate = exports.isClientMessagesConfig = exports.isClientMessageTemplate = exports.ClientMessagesConfigSchema = exports.ClientMessageTemplateSchema = exports.buildBaseConfig = exports.AuthProviderSchema = exports.OAuth2ProviderConfigSchema = exports.CredentialProviderConfigSchema = void 0;
11
+ exports.validateClientMessagesConfig = exports.validateClientMessageTemplate = exports.isClientMessagesConfig = exports.isClientMessageTemplate = exports.ClientMessagesConfigSchema = exports.ClientMessageTemplateSchema = exports.buildBaseConfig = exports.OAuthConfigSchema = exports.OAuthProviderSchema = exports.OAuthProviderSecretMetadataSchema = exports.AuthProviderSchema = exports.OAuth2ProviderConfigSchema = exports.CredentialProviderConfigSchema = void 0;
12
12
  // Identity configuration
13
13
  var identity_js_1 = require("./identity.js");
14
14
  Object.defineProperty(exports, "CredentialProviderConfigSchema", { enumerable: true, get: function () { return identity_js_1.CredentialProviderConfigSchema; } });
15
15
  Object.defineProperty(exports, "OAuth2ProviderConfigSchema", { enumerable: true, get: function () { return identity_js_1.OAuth2ProviderConfigSchema; } });
16
16
  Object.defineProperty(exports, "AuthProviderSchema", { enumerable: true, get: function () { return identity_js_1.AuthProviderSchema; } });
17
+ Object.defineProperty(exports, "OAuthProviderSecretMetadataSchema", { enumerable: true, get: function () { return identity_js_1.OAuthProviderSecretMetadataSchema; } });
18
+ Object.defineProperty(exports, "OAuthProviderSchema", { enumerable: true, get: function () { return identity_js_1.OAuthProviderSchema; } });
19
+ Object.defineProperty(exports, "OAuthConfigSchema", { enumerable: true, get: function () { return identity_js_1.OAuthConfigSchema; } });
17
20
  // Configuration builder utilities
18
21
  var builder_js_1 = require("./builder.js");
19
22
  Object.defineProperty(exports, "buildBaseConfig", { enumerable: true, get: function () { return builder_js_1.buildBaseConfig; } });