@kya-os/contracts 1.7.4 → 1.7.7
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/audit/index.d.ts +4 -4
- package/dist/cli.d.ts +5 -5
- package/dist/config/identity.d.ts +240 -8
- package/dist/config/identity.js +17 -1
- package/dist/config/index.d.ts +1 -1
- package/dist/config/index.js +4 -1
- package/dist/deploy/schemas.d.ts +80 -80
- package/dist/tool-protection/index.d.ts +30 -16
- package/dist/tool-protection/index.js +51 -31
- package/package.json +2 -2
|
@@ -29,9 +29,9 @@ exports.getToolRiskLevel = getToolRiskLevel;
|
|
|
29
29
|
exports.createDelegationRequiredError = createDelegationRequiredError;
|
|
30
30
|
exports.normalizeToolProtection = normalizeToolProtection;
|
|
31
31
|
exports.determineConsentProviderType = determineConsentProviderType;
|
|
32
|
-
exports.normalizeAuthorizationType = normalizeAuthorizationType;
|
|
33
32
|
exports.getAuthorizationTypeLabel = getAuthorizationTypeLabel;
|
|
34
33
|
exports.getAuthorizationTypeKey = getAuthorizationTypeKey;
|
|
34
|
+
exports.normalizeAuthorizationType = normalizeAuthorizationType;
|
|
35
35
|
const zod_1 = require("zod");
|
|
36
36
|
/** Canonical authorization type values for type safety */
|
|
37
37
|
exports.AUTHORIZATION_TYPES = {
|
|
@@ -39,10 +39,7 @@ exports.AUTHORIZATION_TYPES = {
|
|
|
39
39
|
PASSWORD: 'password',
|
|
40
40
|
MDL: 'mdl',
|
|
41
41
|
IDV: 'idv',
|
|
42
|
-
/** FUTURE: Not yet implemented */
|
|
43
42
|
VERIFIABLE_CREDENTIAL: 'verifiable_credential',
|
|
44
|
-
/** @deprecated Use VERIFIABLE_CREDENTIAL */
|
|
45
|
-
CREDENTIAL: 'credential',
|
|
46
43
|
NONE: 'none',
|
|
47
44
|
};
|
|
48
45
|
/**
|
|
@@ -73,7 +70,8 @@ exports.AuthorizationRequirementSchema = zod_1.z.discriminatedUnion('type', [
|
|
|
73
70
|
credentialType: zod_1.z.string(),
|
|
74
71
|
issuer: zod_1.z.string().optional(),
|
|
75
72
|
}),
|
|
76
|
-
//
|
|
73
|
+
// Deprecated: 'credential' is an alias for 'verifiable_credential'
|
|
74
|
+
// Will be removed in v2.0.0. Use 'verifiable_credential' instead.
|
|
77
75
|
zod_1.z.object({
|
|
78
76
|
type: zod_1.z.literal('credential'),
|
|
79
77
|
credentialType: zod_1.z.string(),
|
|
@@ -141,11 +139,12 @@ function hasPasswordAuthorization(protection) {
|
|
|
141
139
|
}
|
|
142
140
|
/**
|
|
143
141
|
* Type guard to check if a ToolProtection requires a Verifiable Credential
|
|
144
|
-
*
|
|
142
|
+
*
|
|
143
|
+
* Note: Also returns true for deprecated 'credential' type (normalized to verifiable_credential)
|
|
145
144
|
*/
|
|
146
145
|
function hasVerifiableCredentialAuthorization(protection) {
|
|
147
|
-
|
|
148
|
-
|
|
146
|
+
return (protection.authorization?.type === 'verifiable_credential' ||
|
|
147
|
+
protection.authorization?.type === 'credential');
|
|
149
148
|
}
|
|
150
149
|
/**
|
|
151
150
|
* Validation Functions
|
|
@@ -285,29 +284,6 @@ function determineConsentProviderType(hasOAuthIdentity, isPasswordFlow = false,
|
|
|
285
284
|
}
|
|
286
285
|
return exports.CONSENT_PROVIDER_TYPES.NONE;
|
|
287
286
|
}
|
|
288
|
-
// =============================================================================
|
|
289
|
-
// AUTHORIZATION TYPE NORMALIZATION
|
|
290
|
-
// =============================================================================
|
|
291
|
-
/**
|
|
292
|
-
* Normalize authorization requirement to use canonical type names
|
|
293
|
-
*
|
|
294
|
-
* Migrates legacy 'credential' type to 'verifiable_credential'
|
|
295
|
-
* This ensures consistent type usage across the codebase.
|
|
296
|
-
*
|
|
297
|
-
* @param auth - The authorization requirement (may have legacy type)
|
|
298
|
-
* @returns Normalized authorization requirement with canonical type
|
|
299
|
-
*/
|
|
300
|
-
function normalizeAuthorizationType(auth) {
|
|
301
|
-
// Migrate legacy 'credential' to 'verifiable_credential'
|
|
302
|
-
if (auth.type === 'credential') {
|
|
303
|
-
return {
|
|
304
|
-
type: 'verifiable_credential',
|
|
305
|
-
credentialType: auth.credentialType,
|
|
306
|
-
issuer: auth.issuer,
|
|
307
|
-
};
|
|
308
|
-
}
|
|
309
|
-
return auth;
|
|
310
|
-
}
|
|
311
287
|
/**
|
|
312
288
|
* Get a human-readable label for an authorization requirement type
|
|
313
289
|
*/
|
|
@@ -324,7 +300,9 @@ function getAuthorizationTypeLabel(auth) {
|
|
|
324
300
|
case 'idv':
|
|
325
301
|
return 'Identity Verification';
|
|
326
302
|
case 'verifiable_credential':
|
|
303
|
+
return auth.credentialType || 'Verifiable Credential';
|
|
327
304
|
case 'credential':
|
|
305
|
+
// Deprecated: treat as verifiable_credential
|
|
328
306
|
return auth.credentialType || 'Verifiable Credential';
|
|
329
307
|
case 'none':
|
|
330
308
|
return 'Consent Only';
|
|
@@ -348,7 +326,9 @@ function getAuthorizationTypeKey(auth) {
|
|
|
348
326
|
case 'idv':
|
|
349
327
|
return `idv:${auth.provider}:${auth.verificationLevel || ''}`;
|
|
350
328
|
case 'verifiable_credential':
|
|
329
|
+
return `vc:${auth.issuer || 'any'}:${auth.credentialType}`;
|
|
351
330
|
case 'credential':
|
|
331
|
+
// Deprecated: treat as verifiable_credential
|
|
352
332
|
return `vc:${auth.issuer || 'any'}:${auth.credentialType}`;
|
|
353
333
|
case 'none':
|
|
354
334
|
return 'none';
|
|
@@ -358,3 +338,43 @@ function getAuthorizationTypeKey(auth) {
|
|
|
358
338
|
return 'unknown';
|
|
359
339
|
}
|
|
360
340
|
}
|
|
341
|
+
/**
|
|
342
|
+
* Normalize authorization requirement type
|
|
343
|
+
*
|
|
344
|
+
* Normalizes deprecated 'credential' type to 'verifiable_credential' and emits
|
|
345
|
+
* deprecation warnings. This function should be called at runtime boundaries
|
|
346
|
+
* when processing authorization requirements.
|
|
347
|
+
*
|
|
348
|
+
* @param auth - Authorization requirement (may contain deprecated 'credential' type)
|
|
349
|
+
* @param options - Normalization options
|
|
350
|
+
* @returns Normalized authorization requirement
|
|
351
|
+
*
|
|
352
|
+
* @example
|
|
353
|
+
* ```typescript
|
|
354
|
+
* const normalized = normalizeAuthorizationType(
|
|
355
|
+
* { type: 'credential', credentialType: 'delegation' },
|
|
356
|
+
* { warn: true }
|
|
357
|
+
* );
|
|
358
|
+
* // Returns: { type: 'verifiable_credential', credentialType: 'delegation' }
|
|
359
|
+
* // Logs: DEPRECATION warning
|
|
360
|
+
* ```
|
|
361
|
+
*/
|
|
362
|
+
function normalizeAuthorizationType(auth, options = {}) {
|
|
363
|
+
const { warn = true, logger = console.warn } = options;
|
|
364
|
+
if (auth.type === 'credential') {
|
|
365
|
+
if (warn) {
|
|
366
|
+
logger(`DEPRECATION: Authorization type 'credential' is deprecated and will be removed in v2.0.0. ` +
|
|
367
|
+
`Please update to 'verifiable_credential'. ` +
|
|
368
|
+
`See https://github.com/modelcontextprotocol-identity/xmcp-i/blob/main/docs/migrations/credential-to-verifiable_credential.md`);
|
|
369
|
+
}
|
|
370
|
+
// Normalize to verifiable_credential
|
|
371
|
+
const normalized = {
|
|
372
|
+
type: 'verifiable_credential',
|
|
373
|
+
credentialType: auth.credentialType,
|
|
374
|
+
...(auth.issuer !== undefined && { issuer: auth.issuer }),
|
|
375
|
+
};
|
|
376
|
+
return normalized;
|
|
377
|
+
}
|
|
378
|
+
// No normalization needed
|
|
379
|
+
return auth;
|
|
380
|
+
}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@kya-os/contracts",
|
|
3
|
-
"version": "1.7.
|
|
3
|
+
"version": "1.7.7",
|
|
4
4
|
"description": "Shared contracts, types, and schemas for MCP-I framework",
|
|
5
5
|
"main": "dist/index.js",
|
|
6
6
|
"types": "dist/index.d.ts",
|
|
@@ -95,7 +95,7 @@
|
|
|
95
95
|
},
|
|
96
96
|
"sideEffects": false,
|
|
97
97
|
"dependencies": {
|
|
98
|
-
"@kya-os/consent": "^0.1.
|
|
98
|
+
"@kya-os/consent": "^0.1.5",
|
|
99
99
|
"zod": "^3.25.76"
|
|
100
100
|
},
|
|
101
101
|
"devDependencies": {
|