@kya-os/contracts 1.8.0 → 1.9.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/agentshield-api/index.js +0 -1
- package/dist/agentshield-api/schemas.d.ts +193 -187
- package/dist/agentshield-api/schemas.js +0 -1
- package/dist/agentshield-api/types.js +0 -1
- package/dist/compute.d.ts +47 -17
- package/dist/compute.js +23 -1
- package/dist/consent/index.d.ts +2 -3
- package/dist/consent/index.js +14 -3
- package/dist/handshake.d.ts +4 -3
- package/dist/handshake.js +4 -3
- package/dist/proof/index.d.ts +3 -4
- package/dist/proof/index.js +2 -2
- package/dist/proof.d.ts +98 -67
- package/dist/proof.js +29 -2
- package/dist/runtime/headers.d.ts +16 -12
- package/dist/runtime/headers.js +16 -12
- package/dist/verifier.d.ts +28 -17
- package/dist/verifier.js +20 -9
- package/package.json +2 -1
- package/parity-vectors/delegation-conformance.json +265 -0
- package/parity-vectors/did-key.json +134 -0
- package/parity-vectors/index.ts +253 -0
- package/parity-vectors/scope-matching.json +330 -0
- package/parity-vectors/vc-jwt.json +210 -0
package/dist/proof.d.ts
CHANGED
|
@@ -9,6 +9,23 @@ import { z } from "zod";
|
|
|
9
9
|
* The JWS payload contains JWT standard claims (aud, sub, iss) plus custom
|
|
10
10
|
* proof claims (requestHash, responseHash, nonce, etc.).
|
|
11
11
|
*/
|
|
12
|
+
/**
|
|
13
|
+
* Outcome of the policy decision a proof attests to (ratified DIF decision).
|
|
14
|
+
*
|
|
15
|
+
* - `allowed` — the call was authorized and produced a response; the
|
|
16
|
+
* proof carries a `responseHash` over that response.
|
|
17
|
+
* - `denied` — the call was refused; no response was produced.
|
|
18
|
+
* - `step_up_required` — a step-up (re-auth / higher assurance) is required
|
|
19
|
+
* before the call may proceed; no response yet.
|
|
20
|
+
* - `needs_authorization` — explicit user authorization is required first; no
|
|
21
|
+
* response yet.
|
|
22
|
+
*
|
|
23
|
+
* Denial and step-up outcomes authorize no response, so their proofs omit
|
|
24
|
+
* `responseHash`. The field is optional on {@link ProofMetaSchema}: proofs minted
|
|
25
|
+
* before it existed carry no `outcome` and are treated as `allowed`.
|
|
26
|
+
*/
|
|
27
|
+
export declare const ProofOutcomeSchema: z.ZodEnum<["allowed", "denied", "step_up_required", "needs_authorization"]>;
|
|
28
|
+
export type ProofOutcome = z.infer<typeof ProofOutcomeSchema>;
|
|
12
29
|
export declare const ProofMetaSchema: z.ZodObject<{
|
|
13
30
|
did: z.ZodString;
|
|
14
31
|
kid: z.ZodString;
|
|
@@ -18,33 +35,36 @@ export declare const ProofMetaSchema: z.ZodObject<{
|
|
|
18
35
|
sessionId: z.ZodString;
|
|
19
36
|
requestHash: z.ZodString;
|
|
20
37
|
responseHash: z.ZodString;
|
|
38
|
+
outcome: z.ZodOptional<z.ZodEnum<["allowed", "denied", "step_up_required", "needs_authorization"]>>;
|
|
21
39
|
scopeId: z.ZodOptional<z.ZodString>;
|
|
22
40
|
delegationRef: z.ZodOptional<z.ZodString>;
|
|
23
41
|
clientDid: z.ZodOptional<z.ZodString>;
|
|
24
42
|
}, "strip", z.ZodTypeAny, {
|
|
25
|
-
did: string;
|
|
26
|
-
kid: string;
|
|
27
43
|
nonce: string;
|
|
28
44
|
audience: string;
|
|
29
45
|
sessionId: string;
|
|
30
|
-
|
|
46
|
+
did: string;
|
|
47
|
+
kid: string;
|
|
31
48
|
requestHash: string;
|
|
32
49
|
responseHash: string;
|
|
50
|
+
ts: number;
|
|
33
51
|
clientDid?: string | undefined;
|
|
34
|
-
scopeId?: string | undefined;
|
|
35
52
|
delegationRef?: string | undefined;
|
|
53
|
+
scopeId?: string | undefined;
|
|
54
|
+
outcome?: "allowed" | "denied" | "step_up_required" | "needs_authorization" | undefined;
|
|
36
55
|
}, {
|
|
37
|
-
did: string;
|
|
38
|
-
kid: string;
|
|
39
56
|
nonce: string;
|
|
40
57
|
audience: string;
|
|
41
58
|
sessionId: string;
|
|
42
|
-
|
|
59
|
+
did: string;
|
|
60
|
+
kid: string;
|
|
43
61
|
requestHash: string;
|
|
44
62
|
responseHash: string;
|
|
63
|
+
ts: number;
|
|
45
64
|
clientDid?: string | undefined;
|
|
46
|
-
scopeId?: string | undefined;
|
|
47
65
|
delegationRef?: string | undefined;
|
|
66
|
+
scopeId?: string | undefined;
|
|
67
|
+
outcome?: "allowed" | "denied" | "step_up_required" | "needs_authorization" | undefined;
|
|
48
68
|
}>;
|
|
49
69
|
export declare const DetachedProofSchema: z.ZodObject<{
|
|
50
70
|
jws: z.ZodString;
|
|
@@ -57,63 +77,68 @@ export declare const DetachedProofSchema: z.ZodObject<{
|
|
|
57
77
|
sessionId: z.ZodString;
|
|
58
78
|
requestHash: z.ZodString;
|
|
59
79
|
responseHash: z.ZodString;
|
|
80
|
+
outcome: z.ZodOptional<z.ZodEnum<["allowed", "denied", "step_up_required", "needs_authorization"]>>;
|
|
60
81
|
scopeId: z.ZodOptional<z.ZodString>;
|
|
61
82
|
delegationRef: z.ZodOptional<z.ZodString>;
|
|
62
83
|
clientDid: z.ZodOptional<z.ZodString>;
|
|
63
84
|
}, "strip", z.ZodTypeAny, {
|
|
64
|
-
did: string;
|
|
65
|
-
kid: string;
|
|
66
85
|
nonce: string;
|
|
67
86
|
audience: string;
|
|
68
87
|
sessionId: string;
|
|
69
|
-
|
|
88
|
+
did: string;
|
|
89
|
+
kid: string;
|
|
70
90
|
requestHash: string;
|
|
71
91
|
responseHash: string;
|
|
92
|
+
ts: number;
|
|
72
93
|
clientDid?: string | undefined;
|
|
73
|
-
scopeId?: string | undefined;
|
|
74
94
|
delegationRef?: string | undefined;
|
|
95
|
+
scopeId?: string | undefined;
|
|
96
|
+
outcome?: "allowed" | "denied" | "step_up_required" | "needs_authorization" | undefined;
|
|
75
97
|
}, {
|
|
76
|
-
did: string;
|
|
77
|
-
kid: string;
|
|
78
98
|
nonce: string;
|
|
79
99
|
audience: string;
|
|
80
100
|
sessionId: string;
|
|
81
|
-
|
|
101
|
+
did: string;
|
|
102
|
+
kid: string;
|
|
82
103
|
requestHash: string;
|
|
83
104
|
responseHash: string;
|
|
105
|
+
ts: number;
|
|
84
106
|
clientDid?: string | undefined;
|
|
85
|
-
scopeId?: string | undefined;
|
|
86
107
|
delegationRef?: string | undefined;
|
|
108
|
+
scopeId?: string | undefined;
|
|
109
|
+
outcome?: "allowed" | "denied" | "step_up_required" | "needs_authorization" | undefined;
|
|
87
110
|
}>;
|
|
88
111
|
}, "strip", z.ZodTypeAny, {
|
|
89
112
|
jws: string;
|
|
90
113
|
meta: {
|
|
91
|
-
did: string;
|
|
92
|
-
kid: string;
|
|
93
114
|
nonce: string;
|
|
94
115
|
audience: string;
|
|
95
116
|
sessionId: string;
|
|
96
|
-
|
|
117
|
+
did: string;
|
|
118
|
+
kid: string;
|
|
97
119
|
requestHash: string;
|
|
98
120
|
responseHash: string;
|
|
121
|
+
ts: number;
|
|
99
122
|
clientDid?: string | undefined;
|
|
100
|
-
scopeId?: string | undefined;
|
|
101
123
|
delegationRef?: string | undefined;
|
|
124
|
+
scopeId?: string | undefined;
|
|
125
|
+
outcome?: "allowed" | "denied" | "step_up_required" | "needs_authorization" | undefined;
|
|
102
126
|
};
|
|
103
127
|
}, {
|
|
104
128
|
jws: string;
|
|
105
129
|
meta: {
|
|
106
|
-
did: string;
|
|
107
|
-
kid: string;
|
|
108
130
|
nonce: string;
|
|
109
131
|
audience: string;
|
|
110
132
|
sessionId: string;
|
|
111
|
-
|
|
133
|
+
did: string;
|
|
134
|
+
kid: string;
|
|
112
135
|
requestHash: string;
|
|
113
136
|
responseHash: string;
|
|
137
|
+
ts: number;
|
|
114
138
|
clientDid?: string | undefined;
|
|
115
|
-
scopeId?: string | undefined;
|
|
116
139
|
delegationRef?: string | undefined;
|
|
140
|
+
scopeId?: string | undefined;
|
|
141
|
+
outcome?: "allowed" | "denied" | "step_up_required" | "needs_authorization" | undefined;
|
|
117
142
|
};
|
|
118
143
|
}>;
|
|
119
144
|
export declare const CanonicalHashesSchema: z.ZodObject<{
|
|
@@ -139,25 +164,25 @@ export declare const AuditRecordSchema: z.ZodObject<{
|
|
|
139
164
|
scope: z.ZodString;
|
|
140
165
|
}, "strip", z.ZodTypeAny, {
|
|
141
166
|
version: "audit.v1";
|
|
167
|
+
audience: string;
|
|
142
168
|
did: string;
|
|
143
169
|
kid: string;
|
|
144
|
-
audience: string;
|
|
145
|
-
ts: number;
|
|
146
170
|
session: string;
|
|
171
|
+
verified: "yes" | "no";
|
|
172
|
+
ts: number;
|
|
147
173
|
reqHash: string;
|
|
148
174
|
resHash: string;
|
|
149
|
-
verified: "yes" | "no";
|
|
150
175
|
scope: string;
|
|
151
176
|
}, {
|
|
152
177
|
version: "audit.v1";
|
|
178
|
+
audience: string;
|
|
153
179
|
did: string;
|
|
154
180
|
kid: string;
|
|
155
|
-
audience: string;
|
|
156
|
-
ts: number;
|
|
157
181
|
session: string;
|
|
182
|
+
verified: "yes" | "no";
|
|
183
|
+
ts: number;
|
|
158
184
|
reqHash: string;
|
|
159
185
|
resHash: string;
|
|
160
|
-
verified: "yes" | "no";
|
|
161
186
|
scope: string;
|
|
162
187
|
}>;
|
|
163
188
|
export type ProofMeta = z.infer<typeof ProofMetaSchema>;
|
|
@@ -181,14 +206,14 @@ export declare const ToolCallContextSchema: z.ZodObject<{
|
|
|
181
206
|
scopeId: string;
|
|
182
207
|
tool: string;
|
|
183
208
|
args: Record<string, unknown>;
|
|
184
|
-
userId?: string | undefined;
|
|
185
209
|
result?: unknown;
|
|
210
|
+
userId?: string | undefined;
|
|
186
211
|
}, {
|
|
187
212
|
scopeId: string;
|
|
188
213
|
tool: string;
|
|
189
214
|
args: Record<string, unknown>;
|
|
190
|
-
userId?: string | undefined;
|
|
191
215
|
result?: unknown;
|
|
216
|
+
userId?: string | undefined;
|
|
192
217
|
}>;
|
|
193
218
|
/**
|
|
194
219
|
* Proof submission context for AgentShield API
|
|
@@ -205,14 +230,14 @@ export declare const ProofSubmissionContextSchema: z.ZodObject<{
|
|
|
205
230
|
scopeId: string;
|
|
206
231
|
tool: string;
|
|
207
232
|
args: Record<string, unknown>;
|
|
208
|
-
userId?: string | undefined;
|
|
209
233
|
result?: unknown;
|
|
234
|
+
userId?: string | undefined;
|
|
210
235
|
}, {
|
|
211
236
|
scopeId: string;
|
|
212
237
|
tool: string;
|
|
213
238
|
args: Record<string, unknown>;
|
|
214
|
-
userId?: string | undefined;
|
|
215
239
|
result?: unknown;
|
|
240
|
+
userId?: string | undefined;
|
|
216
241
|
}>, "many">;
|
|
217
242
|
mcpServerUrl: z.ZodOptional<z.ZodString>;
|
|
218
243
|
}, "strip", z.ZodTypeAny, {
|
|
@@ -220,8 +245,8 @@ export declare const ProofSubmissionContextSchema: z.ZodObject<{
|
|
|
220
245
|
scopeId: string;
|
|
221
246
|
tool: string;
|
|
222
247
|
args: Record<string, unknown>;
|
|
223
|
-
userId?: string | undefined;
|
|
224
248
|
result?: unknown;
|
|
249
|
+
userId?: string | undefined;
|
|
225
250
|
}[];
|
|
226
251
|
mcpServerUrl?: string | undefined;
|
|
227
252
|
}, {
|
|
@@ -229,8 +254,8 @@ export declare const ProofSubmissionContextSchema: z.ZodObject<{
|
|
|
229
254
|
scopeId: string;
|
|
230
255
|
tool: string;
|
|
231
256
|
args: Record<string, unknown>;
|
|
232
|
-
userId?: string | undefined;
|
|
233
257
|
result?: unknown;
|
|
258
|
+
userId?: string | undefined;
|
|
234
259
|
}[];
|
|
235
260
|
mcpServerUrl?: string | undefined;
|
|
236
261
|
}>;
|
|
@@ -251,63 +276,68 @@ export declare const ProofSubmissionRequestSchema: z.ZodObject<{
|
|
|
251
276
|
sessionId: z.ZodString;
|
|
252
277
|
requestHash: z.ZodString;
|
|
253
278
|
responseHash: z.ZodString;
|
|
279
|
+
outcome: z.ZodOptional<z.ZodEnum<["allowed", "denied", "step_up_required", "needs_authorization"]>>;
|
|
254
280
|
scopeId: z.ZodOptional<z.ZodString>;
|
|
255
281
|
delegationRef: z.ZodOptional<z.ZodString>;
|
|
256
282
|
clientDid: z.ZodOptional<z.ZodString>;
|
|
257
283
|
}, "strip", z.ZodTypeAny, {
|
|
258
|
-
did: string;
|
|
259
|
-
kid: string;
|
|
260
284
|
nonce: string;
|
|
261
285
|
audience: string;
|
|
262
286
|
sessionId: string;
|
|
263
|
-
|
|
287
|
+
did: string;
|
|
288
|
+
kid: string;
|
|
264
289
|
requestHash: string;
|
|
265
290
|
responseHash: string;
|
|
291
|
+
ts: number;
|
|
266
292
|
clientDid?: string | undefined;
|
|
267
|
-
scopeId?: string | undefined;
|
|
268
293
|
delegationRef?: string | undefined;
|
|
294
|
+
scopeId?: string | undefined;
|
|
295
|
+
outcome?: "allowed" | "denied" | "step_up_required" | "needs_authorization" | undefined;
|
|
269
296
|
}, {
|
|
270
|
-
did: string;
|
|
271
|
-
kid: string;
|
|
272
297
|
nonce: string;
|
|
273
298
|
audience: string;
|
|
274
299
|
sessionId: string;
|
|
275
|
-
|
|
300
|
+
did: string;
|
|
301
|
+
kid: string;
|
|
276
302
|
requestHash: string;
|
|
277
303
|
responseHash: string;
|
|
304
|
+
ts: number;
|
|
278
305
|
clientDid?: string | undefined;
|
|
279
|
-
scopeId?: string | undefined;
|
|
280
306
|
delegationRef?: string | undefined;
|
|
307
|
+
scopeId?: string | undefined;
|
|
308
|
+
outcome?: "allowed" | "denied" | "step_up_required" | "needs_authorization" | undefined;
|
|
281
309
|
}>;
|
|
282
310
|
}, "strip", z.ZodTypeAny, {
|
|
283
311
|
jws: string;
|
|
284
312
|
meta: {
|
|
285
|
-
did: string;
|
|
286
|
-
kid: string;
|
|
287
313
|
nonce: string;
|
|
288
314
|
audience: string;
|
|
289
315
|
sessionId: string;
|
|
290
|
-
|
|
316
|
+
did: string;
|
|
317
|
+
kid: string;
|
|
291
318
|
requestHash: string;
|
|
292
319
|
responseHash: string;
|
|
320
|
+
ts: number;
|
|
293
321
|
clientDid?: string | undefined;
|
|
294
|
-
scopeId?: string | undefined;
|
|
295
322
|
delegationRef?: string | undefined;
|
|
323
|
+
scopeId?: string | undefined;
|
|
324
|
+
outcome?: "allowed" | "denied" | "step_up_required" | "needs_authorization" | undefined;
|
|
296
325
|
};
|
|
297
326
|
}, {
|
|
298
327
|
jws: string;
|
|
299
328
|
meta: {
|
|
300
|
-
did: string;
|
|
301
|
-
kid: string;
|
|
302
329
|
nonce: string;
|
|
303
330
|
audience: string;
|
|
304
331
|
sessionId: string;
|
|
305
|
-
|
|
332
|
+
did: string;
|
|
333
|
+
kid: string;
|
|
306
334
|
requestHash: string;
|
|
307
335
|
responseHash: string;
|
|
336
|
+
ts: number;
|
|
308
337
|
clientDid?: string | undefined;
|
|
309
|
-
scopeId?: string | undefined;
|
|
310
338
|
delegationRef?: string | undefined;
|
|
339
|
+
scopeId?: string | undefined;
|
|
340
|
+
outcome?: "allowed" | "denied" | "step_up_required" | "needs_authorization" | undefined;
|
|
311
341
|
};
|
|
312
342
|
}>, "many">;
|
|
313
343
|
context: z.ZodOptional<z.ZodObject<{
|
|
@@ -321,14 +351,14 @@ export declare const ProofSubmissionRequestSchema: z.ZodObject<{
|
|
|
321
351
|
scopeId: string;
|
|
322
352
|
tool: string;
|
|
323
353
|
args: Record<string, unknown>;
|
|
324
|
-
userId?: string | undefined;
|
|
325
354
|
result?: unknown;
|
|
355
|
+
userId?: string | undefined;
|
|
326
356
|
}, {
|
|
327
357
|
scopeId: string;
|
|
328
358
|
tool: string;
|
|
329
359
|
args: Record<string, unknown>;
|
|
330
|
-
userId?: string | undefined;
|
|
331
360
|
result?: unknown;
|
|
361
|
+
userId?: string | undefined;
|
|
332
362
|
}>, "many">;
|
|
333
363
|
mcpServerUrl: z.ZodOptional<z.ZodString>;
|
|
334
364
|
}, "strip", z.ZodTypeAny, {
|
|
@@ -336,8 +366,8 @@ export declare const ProofSubmissionRequestSchema: z.ZodObject<{
|
|
|
336
366
|
scopeId: string;
|
|
337
367
|
tool: string;
|
|
338
368
|
args: Record<string, unknown>;
|
|
339
|
-
userId?: string | undefined;
|
|
340
369
|
result?: unknown;
|
|
370
|
+
userId?: string | undefined;
|
|
341
371
|
}[];
|
|
342
372
|
mcpServerUrl?: string | undefined;
|
|
343
373
|
}, {
|
|
@@ -345,8 +375,8 @@ export declare const ProofSubmissionRequestSchema: z.ZodObject<{
|
|
|
345
375
|
scopeId: string;
|
|
346
376
|
tool: string;
|
|
347
377
|
args: Record<string, unknown>;
|
|
348
|
-
userId?: string | undefined;
|
|
349
378
|
result?: unknown;
|
|
379
|
+
userId?: string | undefined;
|
|
350
380
|
}[];
|
|
351
381
|
mcpServerUrl?: string | undefined;
|
|
352
382
|
}>>;
|
|
@@ -355,17 +385,18 @@ export declare const ProofSubmissionRequestSchema: z.ZodObject<{
|
|
|
355
385
|
proofs: {
|
|
356
386
|
jws: string;
|
|
357
387
|
meta: {
|
|
358
|
-
did: string;
|
|
359
|
-
kid: string;
|
|
360
388
|
nonce: string;
|
|
361
389
|
audience: string;
|
|
362
390
|
sessionId: string;
|
|
363
|
-
|
|
391
|
+
did: string;
|
|
392
|
+
kid: string;
|
|
364
393
|
requestHash: string;
|
|
365
394
|
responseHash: string;
|
|
395
|
+
ts: number;
|
|
366
396
|
clientDid?: string | undefined;
|
|
367
|
-
scopeId?: string | undefined;
|
|
368
397
|
delegationRef?: string | undefined;
|
|
398
|
+
scopeId?: string | undefined;
|
|
399
|
+
outcome?: "allowed" | "denied" | "step_up_required" | "needs_authorization" | undefined;
|
|
369
400
|
};
|
|
370
401
|
}[];
|
|
371
402
|
delegation_id?: string | null | undefined;
|
|
@@ -374,8 +405,8 @@ export declare const ProofSubmissionRequestSchema: z.ZodObject<{
|
|
|
374
405
|
scopeId: string;
|
|
375
406
|
tool: string;
|
|
376
407
|
args: Record<string, unknown>;
|
|
377
|
-
userId?: string | undefined;
|
|
378
408
|
result?: unknown;
|
|
409
|
+
userId?: string | undefined;
|
|
379
410
|
}[];
|
|
380
411
|
mcpServerUrl?: string | undefined;
|
|
381
412
|
} | undefined;
|
|
@@ -384,17 +415,18 @@ export declare const ProofSubmissionRequestSchema: z.ZodObject<{
|
|
|
384
415
|
proofs: {
|
|
385
416
|
jws: string;
|
|
386
417
|
meta: {
|
|
387
|
-
did: string;
|
|
388
|
-
kid: string;
|
|
389
418
|
nonce: string;
|
|
390
419
|
audience: string;
|
|
391
420
|
sessionId: string;
|
|
392
|
-
|
|
421
|
+
did: string;
|
|
422
|
+
kid: string;
|
|
393
423
|
requestHash: string;
|
|
394
424
|
responseHash: string;
|
|
425
|
+
ts: number;
|
|
395
426
|
clientDid?: string | undefined;
|
|
396
|
-
scopeId?: string | undefined;
|
|
397
427
|
delegationRef?: string | undefined;
|
|
428
|
+
scopeId?: string | undefined;
|
|
429
|
+
outcome?: "allowed" | "denied" | "step_up_required" | "needs_authorization" | undefined;
|
|
398
430
|
};
|
|
399
431
|
}[];
|
|
400
432
|
delegation_id?: string | null | undefined;
|
|
@@ -403,8 +435,8 @@ export declare const ProofSubmissionRequestSchema: z.ZodObject<{
|
|
|
403
435
|
scopeId: string;
|
|
404
436
|
tool: string;
|
|
405
437
|
args: Record<string, unknown>;
|
|
406
|
-
userId?: string | undefined;
|
|
407
438
|
result?: unknown;
|
|
439
|
+
userId?: string | undefined;
|
|
408
440
|
}[];
|
|
409
441
|
mcpServerUrl?: string | undefined;
|
|
410
442
|
} | undefined;
|
|
@@ -412,4 +444,3 @@ export declare const ProofSubmissionRequestSchema: z.ZodObject<{
|
|
|
412
444
|
export type ToolCallContext = z.infer<typeof ToolCallContextSchema>;
|
|
413
445
|
export type ProofSubmissionContext = z.infer<typeof ProofSubmissionContextSchema>;
|
|
414
446
|
export type ProofSubmissionRequest = z.infer<typeof ProofSubmissionRequestSchema>;
|
|
415
|
-
//# sourceMappingURL=proof.d.ts.map
|
package/dist/proof.js
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
"use strict";
|
|
2
2
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
-
exports.ProofSubmissionRequestSchema = exports.ProofSubmissionContextSchema = exports.ToolCallContextSchema = exports.AUDIT_VERSION = exports.HASH_ALGORITHM = exports.JWS_ALGORITHM = exports.AuditRecordSchema = exports.CanonicalHashesSchema = exports.DetachedProofSchema = exports.ProofMetaSchema = void 0;
|
|
3
|
+
exports.ProofSubmissionRequestSchema = exports.ProofSubmissionContextSchema = exports.ToolCallContextSchema = exports.AUDIT_VERSION = exports.HASH_ALGORITHM = exports.JWS_ALGORITHM = exports.AuditRecordSchema = exports.CanonicalHashesSchema = exports.DetachedProofSchema = exports.ProofMetaSchema = exports.ProofOutcomeSchema = void 0;
|
|
4
4
|
const zod_1 = require("zod");
|
|
5
5
|
/**
|
|
6
6
|
* Proof and signature schemas for MCP-I
|
|
@@ -12,6 +12,27 @@ const zod_1 = require("zod");
|
|
|
12
12
|
* The JWS payload contains JWT standard claims (aud, sub, iss) plus custom
|
|
13
13
|
* proof claims (requestHash, responseHash, nonce, etc.).
|
|
14
14
|
*/
|
|
15
|
+
/**
|
|
16
|
+
* Outcome of the policy decision a proof attests to (ratified DIF decision).
|
|
17
|
+
*
|
|
18
|
+
* - `allowed` — the call was authorized and produced a response; the
|
|
19
|
+
* proof carries a `responseHash` over that response.
|
|
20
|
+
* - `denied` — the call was refused; no response was produced.
|
|
21
|
+
* - `step_up_required` — a step-up (re-auth / higher assurance) is required
|
|
22
|
+
* before the call may proceed; no response yet.
|
|
23
|
+
* - `needs_authorization` — explicit user authorization is required first; no
|
|
24
|
+
* response yet.
|
|
25
|
+
*
|
|
26
|
+
* Denial and step-up outcomes authorize no response, so their proofs omit
|
|
27
|
+
* `responseHash`. The field is optional on {@link ProofMetaSchema}: proofs minted
|
|
28
|
+
* before it existed carry no `outcome` and are treated as `allowed`.
|
|
29
|
+
*/
|
|
30
|
+
exports.ProofOutcomeSchema = zod_1.z.enum([
|
|
31
|
+
"allowed",
|
|
32
|
+
"denied",
|
|
33
|
+
"step_up_required",
|
|
34
|
+
"needs_authorization",
|
|
35
|
+
]);
|
|
15
36
|
exports.ProofMetaSchema = zod_1.z.object({
|
|
16
37
|
did: zod_1.z.string().min(1),
|
|
17
38
|
kid: zod_1.z.string().min(1),
|
|
@@ -21,6 +42,13 @@ exports.ProofMetaSchema = zod_1.z.object({
|
|
|
21
42
|
sessionId: zod_1.z.string().min(1),
|
|
22
43
|
requestHash: zod_1.z.string().regex(/^sha256:[a-f0-9]{64}$/),
|
|
23
44
|
responseHash: zod_1.z.string().regex(/^sha256:[a-f0-9]{64}$/),
|
|
45
|
+
// Policy outcome this proof attests to (ratified DIF decision); absent on
|
|
46
|
+
// legacy proofs, which consumers treat as "allowed". Per the ratified schema
|
|
47
|
+
// `responseHash` is present only for the "allowed" outcome — the verifier
|
|
48
|
+
// enforces that outcome-conditionally. `responseHash` stays required-typed
|
|
49
|
+
// here to avoid a repo-wide `string | undefined` ripple; making it
|
|
50
|
+
// conditionally optional is a deferred schema refinement.
|
|
51
|
+
outcome: exports.ProofOutcomeSchema.optional(),
|
|
24
52
|
scopeId: zod_1.z.string().optional(),
|
|
25
53
|
delegationRef: zod_1.z.string().optional(),
|
|
26
54
|
clientDid: zod_1.z.string().optional(), // Optional for backward compatibility
|
|
@@ -80,4 +108,3 @@ exports.ProofSubmissionRequestSchema = zod_1.z.object({
|
|
|
80
108
|
})),
|
|
81
109
|
context: exports.ProofSubmissionContextSchema.optional(),
|
|
82
110
|
});
|
|
83
|
-
//# sourceMappingURL=proof.js.map
|
|
@@ -13,31 +13,34 @@
|
|
|
13
13
|
*/
|
|
14
14
|
export interface DownstreamHeaders {
|
|
15
15
|
/** DID of the verified agent */
|
|
16
|
-
'KYA-Agent-DID': string;
|
|
17
|
-
/** Optional delegation ID */
|
|
18
|
-
'KYA-Delegation-Id'?: string;
|
|
16
|
+
'KYA-OS-Agent-DID': string;
|
|
19
17
|
/** Optional delegation chain (format: vc_id>del_id>...) */
|
|
20
|
-
'KYA-Delegation-Chain'?: string;
|
|
18
|
+
'KYA-OS-Delegation-Chain'?: string;
|
|
19
|
+
/** Optional Layer 2 delegation proof (signed JWT) */
|
|
20
|
+
'KYA-OS-Delegation-Proof'?: string;
|
|
21
|
+
/** Optional JWS-compact DelegationCredential VC */
|
|
22
|
+
'KYA-OS-Delegation-Credential'?: string;
|
|
21
23
|
/** Proof ID for audit trail */
|
|
22
24
|
'KYA-Proof-Id': string;
|
|
23
25
|
/** Optional CRISP spend info (JSON string: {unit, delta, remaining}) */
|
|
24
26
|
'KYA-CRISP-Spend'?: string;
|
|
25
27
|
/** Optional session ID */
|
|
26
|
-
'KYA-Session-Id'?: string;
|
|
28
|
+
'KYA-OS-Session-Id'?: string;
|
|
27
29
|
/** Optional scopes */
|
|
28
|
-
'KYA-Granted-Scopes'?: string;
|
|
30
|
+
'KYA-OS-Granted-Scopes'?: string;
|
|
29
31
|
}
|
|
30
32
|
/**
|
|
31
33
|
* Header names as constants for type safety
|
|
32
34
|
*/
|
|
33
35
|
export declare const DOWNSTREAM_HEADER_NAMES: Readonly<{
|
|
34
|
-
readonly AGENT_DID: "KYA-Agent-DID";
|
|
35
|
-
readonly
|
|
36
|
-
readonly
|
|
36
|
+
readonly AGENT_DID: "KYA-OS-Agent-DID";
|
|
37
|
+
readonly DELEGATION_CHAIN: "KYA-OS-Delegation-Chain";
|
|
38
|
+
readonly DELEGATION_PROOF: "KYA-OS-Delegation-Proof";
|
|
39
|
+
readonly DELEGATION_CREDENTIAL: "KYA-OS-Delegation-Credential";
|
|
37
40
|
readonly PROOF_ID: "KYA-Proof-Id";
|
|
38
41
|
readonly CRISP_SPEND: "KYA-CRISP-Spend";
|
|
39
|
-
readonly SESSION_ID: "KYA-Session-Id";
|
|
40
|
-
readonly SCOPES: "KYA-Granted-Scopes";
|
|
42
|
+
readonly SESSION_ID: "KYA-OS-Session-Id";
|
|
43
|
+
readonly SCOPES: "KYA-OS-Granted-Scopes";
|
|
41
44
|
}>;
|
|
42
45
|
/**
|
|
43
46
|
* CRISP Spend Info
|
|
@@ -75,8 +78,9 @@ export declare function parseCrispSpend(headerValue: string): CrispSpendInfo | n
|
|
|
75
78
|
export declare function createDownstreamHeaders(config: {
|
|
76
79
|
agentDid: string;
|
|
77
80
|
proofId: string;
|
|
78
|
-
delegationId?: string;
|
|
79
81
|
delegationChain?: string;
|
|
82
|
+
delegationProof?: string;
|
|
83
|
+
delegationCredential?: string;
|
|
80
84
|
crispSpend?: CrispSpendInfo;
|
|
81
85
|
sessionId?: string;
|
|
82
86
|
scopes?: string[];
|
package/dist/runtime/headers.js
CHANGED
|
@@ -16,13 +16,14 @@ exports.createDownstreamHeaders = createDownstreamHeaders;
|
|
|
16
16
|
* Header names as constants for type safety
|
|
17
17
|
*/
|
|
18
18
|
exports.DOWNSTREAM_HEADER_NAMES = Object.freeze({
|
|
19
|
-
AGENT_DID: 'KYA-Agent-DID',
|
|
20
|
-
|
|
21
|
-
|
|
19
|
+
AGENT_DID: 'KYA-OS-Agent-DID',
|
|
20
|
+
DELEGATION_CHAIN: 'KYA-OS-Delegation-Chain',
|
|
21
|
+
DELEGATION_PROOF: 'KYA-OS-Delegation-Proof',
|
|
22
|
+
DELEGATION_CREDENTIAL: 'KYA-OS-Delegation-Credential',
|
|
22
23
|
PROOF_ID: 'KYA-Proof-Id',
|
|
23
24
|
CRISP_SPEND: 'KYA-CRISP-Spend',
|
|
24
|
-
SESSION_ID: 'KYA-Session-Id',
|
|
25
|
-
SCOPES: 'KYA-Granted-Scopes',
|
|
25
|
+
SESSION_ID: 'KYA-OS-Session-Id',
|
|
26
|
+
SCOPES: 'KYA-OS-Granted-Scopes',
|
|
26
27
|
});
|
|
27
28
|
/**
|
|
28
29
|
* Helper to serialize CRISP spend info to header value
|
|
@@ -59,23 +60,26 @@ function parseCrispSpend(headerValue) {
|
|
|
59
60
|
*/
|
|
60
61
|
function createDownstreamHeaders(config) {
|
|
61
62
|
const headers = {
|
|
62
|
-
'KYA-Agent-DID': config.agentDid,
|
|
63
|
+
'KYA-OS-Agent-DID': config.agentDid,
|
|
63
64
|
'KYA-Proof-Id': config.proofId,
|
|
64
65
|
};
|
|
65
|
-
if (config.delegationId) {
|
|
66
|
-
headers['KYA-Delegation-Id'] = config.delegationId;
|
|
67
|
-
}
|
|
68
66
|
if (config.delegationChain) {
|
|
69
|
-
headers['KYA-Delegation-Chain'] = config.delegationChain;
|
|
67
|
+
headers['KYA-OS-Delegation-Chain'] = config.delegationChain;
|
|
68
|
+
}
|
|
69
|
+
if (config.delegationProof) {
|
|
70
|
+
headers['KYA-OS-Delegation-Proof'] = config.delegationProof;
|
|
71
|
+
}
|
|
72
|
+
if (config.delegationCredential) {
|
|
73
|
+
headers['KYA-OS-Delegation-Credential'] = config.delegationCredential;
|
|
70
74
|
}
|
|
71
75
|
if (config.crispSpend) {
|
|
72
76
|
headers['KYA-CRISP-Spend'] = serializeCrispSpend(config.crispSpend);
|
|
73
77
|
}
|
|
74
78
|
if (config.sessionId) {
|
|
75
|
-
headers['KYA-Session-Id'] = config.sessionId;
|
|
79
|
+
headers['KYA-OS-Session-Id'] = config.sessionId;
|
|
76
80
|
}
|
|
77
81
|
if (config.scopes && config.scopes.length > 0) {
|
|
78
|
-
headers['KYA-Granted-Scopes'] = config.scopes.join(',');
|
|
82
|
+
headers['KYA-OS-Granted-Scopes'] = config.scopes.join(',');
|
|
79
83
|
}
|
|
80
84
|
return headers;
|
|
81
85
|
}
|