@kya-os/contracts 1.8.0 → 1.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/dist/proof.d.ts CHANGED
@@ -9,6 +9,23 @@ import { z } from "zod";
9
9
  * The JWS payload contains JWT standard claims (aud, sub, iss) plus custom
10
10
  * proof claims (requestHash, responseHash, nonce, etc.).
11
11
  */
12
+ /**
13
+ * Outcome of the policy decision a proof attests to (ratified DIF decision).
14
+ *
15
+ * - `allowed` — the call was authorized and produced a response; the
16
+ * proof carries a `responseHash` over that response.
17
+ * - `denied` — the call was refused; no response was produced.
18
+ * - `step_up_required` — a step-up (re-auth / higher assurance) is required
19
+ * before the call may proceed; no response yet.
20
+ * - `needs_authorization` — explicit user authorization is required first; no
21
+ * response yet.
22
+ *
23
+ * Denial and step-up outcomes authorize no response, so their proofs omit
24
+ * `responseHash`. The field is optional on {@link ProofMetaSchema}: proofs minted
25
+ * before it existed carry no `outcome` and are treated as `allowed`.
26
+ */
27
+ export declare const ProofOutcomeSchema: z.ZodEnum<["allowed", "denied", "step_up_required", "needs_authorization"]>;
28
+ export type ProofOutcome = z.infer<typeof ProofOutcomeSchema>;
12
29
  export declare const ProofMetaSchema: z.ZodObject<{
13
30
  did: z.ZodString;
14
31
  kid: z.ZodString;
@@ -18,33 +35,36 @@ export declare const ProofMetaSchema: z.ZodObject<{
18
35
  sessionId: z.ZodString;
19
36
  requestHash: z.ZodString;
20
37
  responseHash: z.ZodString;
38
+ outcome: z.ZodOptional<z.ZodEnum<["allowed", "denied", "step_up_required", "needs_authorization"]>>;
21
39
  scopeId: z.ZodOptional<z.ZodString>;
22
40
  delegationRef: z.ZodOptional<z.ZodString>;
23
41
  clientDid: z.ZodOptional<z.ZodString>;
24
42
  }, "strip", z.ZodTypeAny, {
25
- did: string;
26
- kid: string;
27
43
  nonce: string;
28
44
  audience: string;
29
45
  sessionId: string;
30
- ts: number;
46
+ did: string;
47
+ kid: string;
31
48
  requestHash: string;
32
49
  responseHash: string;
50
+ ts: number;
33
51
  clientDid?: string | undefined;
34
- scopeId?: string | undefined;
35
52
  delegationRef?: string | undefined;
53
+ scopeId?: string | undefined;
54
+ outcome?: "allowed" | "denied" | "step_up_required" | "needs_authorization" | undefined;
36
55
  }, {
37
- did: string;
38
- kid: string;
39
56
  nonce: string;
40
57
  audience: string;
41
58
  sessionId: string;
42
- ts: number;
59
+ did: string;
60
+ kid: string;
43
61
  requestHash: string;
44
62
  responseHash: string;
63
+ ts: number;
45
64
  clientDid?: string | undefined;
46
- scopeId?: string | undefined;
47
65
  delegationRef?: string | undefined;
66
+ scopeId?: string | undefined;
67
+ outcome?: "allowed" | "denied" | "step_up_required" | "needs_authorization" | undefined;
48
68
  }>;
49
69
  export declare const DetachedProofSchema: z.ZodObject<{
50
70
  jws: z.ZodString;
@@ -57,63 +77,68 @@ export declare const DetachedProofSchema: z.ZodObject<{
57
77
  sessionId: z.ZodString;
58
78
  requestHash: z.ZodString;
59
79
  responseHash: z.ZodString;
80
+ outcome: z.ZodOptional<z.ZodEnum<["allowed", "denied", "step_up_required", "needs_authorization"]>>;
60
81
  scopeId: z.ZodOptional<z.ZodString>;
61
82
  delegationRef: z.ZodOptional<z.ZodString>;
62
83
  clientDid: z.ZodOptional<z.ZodString>;
63
84
  }, "strip", z.ZodTypeAny, {
64
- did: string;
65
- kid: string;
66
85
  nonce: string;
67
86
  audience: string;
68
87
  sessionId: string;
69
- ts: number;
88
+ did: string;
89
+ kid: string;
70
90
  requestHash: string;
71
91
  responseHash: string;
92
+ ts: number;
72
93
  clientDid?: string | undefined;
73
- scopeId?: string | undefined;
74
94
  delegationRef?: string | undefined;
95
+ scopeId?: string | undefined;
96
+ outcome?: "allowed" | "denied" | "step_up_required" | "needs_authorization" | undefined;
75
97
  }, {
76
- did: string;
77
- kid: string;
78
98
  nonce: string;
79
99
  audience: string;
80
100
  sessionId: string;
81
- ts: number;
101
+ did: string;
102
+ kid: string;
82
103
  requestHash: string;
83
104
  responseHash: string;
105
+ ts: number;
84
106
  clientDid?: string | undefined;
85
- scopeId?: string | undefined;
86
107
  delegationRef?: string | undefined;
108
+ scopeId?: string | undefined;
109
+ outcome?: "allowed" | "denied" | "step_up_required" | "needs_authorization" | undefined;
87
110
  }>;
88
111
  }, "strip", z.ZodTypeAny, {
89
112
  jws: string;
90
113
  meta: {
91
- did: string;
92
- kid: string;
93
114
  nonce: string;
94
115
  audience: string;
95
116
  sessionId: string;
96
- ts: number;
117
+ did: string;
118
+ kid: string;
97
119
  requestHash: string;
98
120
  responseHash: string;
121
+ ts: number;
99
122
  clientDid?: string | undefined;
100
- scopeId?: string | undefined;
101
123
  delegationRef?: string | undefined;
124
+ scopeId?: string | undefined;
125
+ outcome?: "allowed" | "denied" | "step_up_required" | "needs_authorization" | undefined;
102
126
  };
103
127
  }, {
104
128
  jws: string;
105
129
  meta: {
106
- did: string;
107
- kid: string;
108
130
  nonce: string;
109
131
  audience: string;
110
132
  sessionId: string;
111
- ts: number;
133
+ did: string;
134
+ kid: string;
112
135
  requestHash: string;
113
136
  responseHash: string;
137
+ ts: number;
114
138
  clientDid?: string | undefined;
115
- scopeId?: string | undefined;
116
139
  delegationRef?: string | undefined;
140
+ scopeId?: string | undefined;
141
+ outcome?: "allowed" | "denied" | "step_up_required" | "needs_authorization" | undefined;
117
142
  };
118
143
  }>;
119
144
  export declare const CanonicalHashesSchema: z.ZodObject<{
@@ -139,25 +164,25 @@ export declare const AuditRecordSchema: z.ZodObject<{
139
164
  scope: z.ZodString;
140
165
  }, "strip", z.ZodTypeAny, {
141
166
  version: "audit.v1";
167
+ audience: string;
142
168
  did: string;
143
169
  kid: string;
144
- audience: string;
145
- ts: number;
146
170
  session: string;
171
+ verified: "yes" | "no";
172
+ ts: number;
147
173
  reqHash: string;
148
174
  resHash: string;
149
- verified: "yes" | "no";
150
175
  scope: string;
151
176
  }, {
152
177
  version: "audit.v1";
178
+ audience: string;
153
179
  did: string;
154
180
  kid: string;
155
- audience: string;
156
- ts: number;
157
181
  session: string;
182
+ verified: "yes" | "no";
183
+ ts: number;
158
184
  reqHash: string;
159
185
  resHash: string;
160
- verified: "yes" | "no";
161
186
  scope: string;
162
187
  }>;
163
188
  export type ProofMeta = z.infer<typeof ProofMetaSchema>;
@@ -181,14 +206,14 @@ export declare const ToolCallContextSchema: z.ZodObject<{
181
206
  scopeId: string;
182
207
  tool: string;
183
208
  args: Record<string, unknown>;
184
- userId?: string | undefined;
185
209
  result?: unknown;
210
+ userId?: string | undefined;
186
211
  }, {
187
212
  scopeId: string;
188
213
  tool: string;
189
214
  args: Record<string, unknown>;
190
- userId?: string | undefined;
191
215
  result?: unknown;
216
+ userId?: string | undefined;
192
217
  }>;
193
218
  /**
194
219
  * Proof submission context for AgentShield API
@@ -205,14 +230,14 @@ export declare const ProofSubmissionContextSchema: z.ZodObject<{
205
230
  scopeId: string;
206
231
  tool: string;
207
232
  args: Record<string, unknown>;
208
- userId?: string | undefined;
209
233
  result?: unknown;
234
+ userId?: string | undefined;
210
235
  }, {
211
236
  scopeId: string;
212
237
  tool: string;
213
238
  args: Record<string, unknown>;
214
- userId?: string | undefined;
215
239
  result?: unknown;
240
+ userId?: string | undefined;
216
241
  }>, "many">;
217
242
  mcpServerUrl: z.ZodOptional<z.ZodString>;
218
243
  }, "strip", z.ZodTypeAny, {
@@ -220,8 +245,8 @@ export declare const ProofSubmissionContextSchema: z.ZodObject<{
220
245
  scopeId: string;
221
246
  tool: string;
222
247
  args: Record<string, unknown>;
223
- userId?: string | undefined;
224
248
  result?: unknown;
249
+ userId?: string | undefined;
225
250
  }[];
226
251
  mcpServerUrl?: string | undefined;
227
252
  }, {
@@ -229,8 +254,8 @@ export declare const ProofSubmissionContextSchema: z.ZodObject<{
229
254
  scopeId: string;
230
255
  tool: string;
231
256
  args: Record<string, unknown>;
232
- userId?: string | undefined;
233
257
  result?: unknown;
258
+ userId?: string | undefined;
234
259
  }[];
235
260
  mcpServerUrl?: string | undefined;
236
261
  }>;
@@ -251,63 +276,68 @@ export declare const ProofSubmissionRequestSchema: z.ZodObject<{
251
276
  sessionId: z.ZodString;
252
277
  requestHash: z.ZodString;
253
278
  responseHash: z.ZodString;
279
+ outcome: z.ZodOptional<z.ZodEnum<["allowed", "denied", "step_up_required", "needs_authorization"]>>;
254
280
  scopeId: z.ZodOptional<z.ZodString>;
255
281
  delegationRef: z.ZodOptional<z.ZodString>;
256
282
  clientDid: z.ZodOptional<z.ZodString>;
257
283
  }, "strip", z.ZodTypeAny, {
258
- did: string;
259
- kid: string;
260
284
  nonce: string;
261
285
  audience: string;
262
286
  sessionId: string;
263
- ts: number;
287
+ did: string;
288
+ kid: string;
264
289
  requestHash: string;
265
290
  responseHash: string;
291
+ ts: number;
266
292
  clientDid?: string | undefined;
267
- scopeId?: string | undefined;
268
293
  delegationRef?: string | undefined;
294
+ scopeId?: string | undefined;
295
+ outcome?: "allowed" | "denied" | "step_up_required" | "needs_authorization" | undefined;
269
296
  }, {
270
- did: string;
271
- kid: string;
272
297
  nonce: string;
273
298
  audience: string;
274
299
  sessionId: string;
275
- ts: number;
300
+ did: string;
301
+ kid: string;
276
302
  requestHash: string;
277
303
  responseHash: string;
304
+ ts: number;
278
305
  clientDid?: string | undefined;
279
- scopeId?: string | undefined;
280
306
  delegationRef?: string | undefined;
307
+ scopeId?: string | undefined;
308
+ outcome?: "allowed" | "denied" | "step_up_required" | "needs_authorization" | undefined;
281
309
  }>;
282
310
  }, "strip", z.ZodTypeAny, {
283
311
  jws: string;
284
312
  meta: {
285
- did: string;
286
- kid: string;
287
313
  nonce: string;
288
314
  audience: string;
289
315
  sessionId: string;
290
- ts: number;
316
+ did: string;
317
+ kid: string;
291
318
  requestHash: string;
292
319
  responseHash: string;
320
+ ts: number;
293
321
  clientDid?: string | undefined;
294
- scopeId?: string | undefined;
295
322
  delegationRef?: string | undefined;
323
+ scopeId?: string | undefined;
324
+ outcome?: "allowed" | "denied" | "step_up_required" | "needs_authorization" | undefined;
296
325
  };
297
326
  }, {
298
327
  jws: string;
299
328
  meta: {
300
- did: string;
301
- kid: string;
302
329
  nonce: string;
303
330
  audience: string;
304
331
  sessionId: string;
305
- ts: number;
332
+ did: string;
333
+ kid: string;
306
334
  requestHash: string;
307
335
  responseHash: string;
336
+ ts: number;
308
337
  clientDid?: string | undefined;
309
- scopeId?: string | undefined;
310
338
  delegationRef?: string | undefined;
339
+ scopeId?: string | undefined;
340
+ outcome?: "allowed" | "denied" | "step_up_required" | "needs_authorization" | undefined;
311
341
  };
312
342
  }>, "many">;
313
343
  context: z.ZodOptional<z.ZodObject<{
@@ -321,14 +351,14 @@ export declare const ProofSubmissionRequestSchema: z.ZodObject<{
321
351
  scopeId: string;
322
352
  tool: string;
323
353
  args: Record<string, unknown>;
324
- userId?: string | undefined;
325
354
  result?: unknown;
355
+ userId?: string | undefined;
326
356
  }, {
327
357
  scopeId: string;
328
358
  tool: string;
329
359
  args: Record<string, unknown>;
330
- userId?: string | undefined;
331
360
  result?: unknown;
361
+ userId?: string | undefined;
332
362
  }>, "many">;
333
363
  mcpServerUrl: z.ZodOptional<z.ZodString>;
334
364
  }, "strip", z.ZodTypeAny, {
@@ -336,8 +366,8 @@ export declare const ProofSubmissionRequestSchema: z.ZodObject<{
336
366
  scopeId: string;
337
367
  tool: string;
338
368
  args: Record<string, unknown>;
339
- userId?: string | undefined;
340
369
  result?: unknown;
370
+ userId?: string | undefined;
341
371
  }[];
342
372
  mcpServerUrl?: string | undefined;
343
373
  }, {
@@ -345,8 +375,8 @@ export declare const ProofSubmissionRequestSchema: z.ZodObject<{
345
375
  scopeId: string;
346
376
  tool: string;
347
377
  args: Record<string, unknown>;
348
- userId?: string | undefined;
349
378
  result?: unknown;
379
+ userId?: string | undefined;
350
380
  }[];
351
381
  mcpServerUrl?: string | undefined;
352
382
  }>>;
@@ -355,17 +385,18 @@ export declare const ProofSubmissionRequestSchema: z.ZodObject<{
355
385
  proofs: {
356
386
  jws: string;
357
387
  meta: {
358
- did: string;
359
- kid: string;
360
388
  nonce: string;
361
389
  audience: string;
362
390
  sessionId: string;
363
- ts: number;
391
+ did: string;
392
+ kid: string;
364
393
  requestHash: string;
365
394
  responseHash: string;
395
+ ts: number;
366
396
  clientDid?: string | undefined;
367
- scopeId?: string | undefined;
368
397
  delegationRef?: string | undefined;
398
+ scopeId?: string | undefined;
399
+ outcome?: "allowed" | "denied" | "step_up_required" | "needs_authorization" | undefined;
369
400
  };
370
401
  }[];
371
402
  delegation_id?: string | null | undefined;
@@ -374,8 +405,8 @@ export declare const ProofSubmissionRequestSchema: z.ZodObject<{
374
405
  scopeId: string;
375
406
  tool: string;
376
407
  args: Record<string, unknown>;
377
- userId?: string | undefined;
378
408
  result?: unknown;
409
+ userId?: string | undefined;
379
410
  }[];
380
411
  mcpServerUrl?: string | undefined;
381
412
  } | undefined;
@@ -384,17 +415,18 @@ export declare const ProofSubmissionRequestSchema: z.ZodObject<{
384
415
  proofs: {
385
416
  jws: string;
386
417
  meta: {
387
- did: string;
388
- kid: string;
389
418
  nonce: string;
390
419
  audience: string;
391
420
  sessionId: string;
392
- ts: number;
421
+ did: string;
422
+ kid: string;
393
423
  requestHash: string;
394
424
  responseHash: string;
425
+ ts: number;
395
426
  clientDid?: string | undefined;
396
- scopeId?: string | undefined;
397
427
  delegationRef?: string | undefined;
428
+ scopeId?: string | undefined;
429
+ outcome?: "allowed" | "denied" | "step_up_required" | "needs_authorization" | undefined;
398
430
  };
399
431
  }[];
400
432
  delegation_id?: string | null | undefined;
@@ -403,8 +435,8 @@ export declare const ProofSubmissionRequestSchema: z.ZodObject<{
403
435
  scopeId: string;
404
436
  tool: string;
405
437
  args: Record<string, unknown>;
406
- userId?: string | undefined;
407
438
  result?: unknown;
439
+ userId?: string | undefined;
408
440
  }[];
409
441
  mcpServerUrl?: string | undefined;
410
442
  } | undefined;
@@ -412,4 +444,3 @@ export declare const ProofSubmissionRequestSchema: z.ZodObject<{
412
444
  export type ToolCallContext = z.infer<typeof ToolCallContextSchema>;
413
445
  export type ProofSubmissionContext = z.infer<typeof ProofSubmissionContextSchema>;
414
446
  export type ProofSubmissionRequest = z.infer<typeof ProofSubmissionRequestSchema>;
415
- //# sourceMappingURL=proof.d.ts.map
package/dist/proof.js CHANGED
@@ -1,6 +1,6 @@
1
1
  "use strict";
2
2
  Object.defineProperty(exports, "__esModule", { value: true });
3
- exports.ProofSubmissionRequestSchema = exports.ProofSubmissionContextSchema = exports.ToolCallContextSchema = exports.AUDIT_VERSION = exports.HASH_ALGORITHM = exports.JWS_ALGORITHM = exports.AuditRecordSchema = exports.CanonicalHashesSchema = exports.DetachedProofSchema = exports.ProofMetaSchema = void 0;
3
+ exports.ProofSubmissionRequestSchema = exports.ProofSubmissionContextSchema = exports.ToolCallContextSchema = exports.AUDIT_VERSION = exports.HASH_ALGORITHM = exports.JWS_ALGORITHM = exports.AuditRecordSchema = exports.CanonicalHashesSchema = exports.DetachedProofSchema = exports.ProofMetaSchema = exports.ProofOutcomeSchema = void 0;
4
4
  const zod_1 = require("zod");
5
5
  /**
6
6
  * Proof and signature schemas for MCP-I
@@ -12,6 +12,27 @@ const zod_1 = require("zod");
12
12
  * The JWS payload contains JWT standard claims (aud, sub, iss) plus custom
13
13
  * proof claims (requestHash, responseHash, nonce, etc.).
14
14
  */
15
+ /**
16
+ * Outcome of the policy decision a proof attests to (ratified DIF decision).
17
+ *
18
+ * - `allowed` — the call was authorized and produced a response; the
19
+ * proof carries a `responseHash` over that response.
20
+ * - `denied` — the call was refused; no response was produced.
21
+ * - `step_up_required` — a step-up (re-auth / higher assurance) is required
22
+ * before the call may proceed; no response yet.
23
+ * - `needs_authorization` — explicit user authorization is required first; no
24
+ * response yet.
25
+ *
26
+ * Denial and step-up outcomes authorize no response, so their proofs omit
27
+ * `responseHash`. The field is optional on {@link ProofMetaSchema}: proofs minted
28
+ * before it existed carry no `outcome` and are treated as `allowed`.
29
+ */
30
+ exports.ProofOutcomeSchema = zod_1.z.enum([
31
+ "allowed",
32
+ "denied",
33
+ "step_up_required",
34
+ "needs_authorization",
35
+ ]);
15
36
  exports.ProofMetaSchema = zod_1.z.object({
16
37
  did: zod_1.z.string().min(1),
17
38
  kid: zod_1.z.string().min(1),
@@ -21,6 +42,13 @@ exports.ProofMetaSchema = zod_1.z.object({
21
42
  sessionId: zod_1.z.string().min(1),
22
43
  requestHash: zod_1.z.string().regex(/^sha256:[a-f0-9]{64}$/),
23
44
  responseHash: zod_1.z.string().regex(/^sha256:[a-f0-9]{64}$/),
45
+ // Policy outcome this proof attests to (ratified DIF decision); absent on
46
+ // legacy proofs, which consumers treat as "allowed". Per the ratified schema
47
+ // `responseHash` is present only for the "allowed" outcome — the verifier
48
+ // enforces that outcome-conditionally. `responseHash` stays required-typed
49
+ // here to avoid a repo-wide `string | undefined` ripple; making it
50
+ // conditionally optional is a deferred schema refinement.
51
+ outcome: exports.ProofOutcomeSchema.optional(),
24
52
  scopeId: zod_1.z.string().optional(),
25
53
  delegationRef: zod_1.z.string().optional(),
26
54
  clientDid: zod_1.z.string().optional(), // Optional for backward compatibility
@@ -80,4 +108,3 @@ exports.ProofSubmissionRequestSchema = zod_1.z.object({
80
108
  })),
81
109
  context: exports.ProofSubmissionContextSchema.optional(),
82
110
  });
83
- //# sourceMappingURL=proof.js.map
@@ -13,31 +13,34 @@
13
13
  */
14
14
  export interface DownstreamHeaders {
15
15
  /** DID of the verified agent */
16
- 'KYA-Agent-DID': string;
17
- /** Optional delegation ID */
18
- 'KYA-Delegation-Id'?: string;
16
+ 'KYA-OS-Agent-DID': string;
19
17
  /** Optional delegation chain (format: vc_id>del_id>...) */
20
- 'KYA-Delegation-Chain'?: string;
18
+ 'KYA-OS-Delegation-Chain'?: string;
19
+ /** Optional Layer 2 delegation proof (signed JWT) */
20
+ 'KYA-OS-Delegation-Proof'?: string;
21
+ /** Optional JWS-compact DelegationCredential VC */
22
+ 'KYA-OS-Delegation-Credential'?: string;
21
23
  /** Proof ID for audit trail */
22
24
  'KYA-Proof-Id': string;
23
25
  /** Optional CRISP spend info (JSON string: {unit, delta, remaining}) */
24
26
  'KYA-CRISP-Spend'?: string;
25
27
  /** Optional session ID */
26
- 'KYA-Session-Id'?: string;
28
+ 'KYA-OS-Session-Id'?: string;
27
29
  /** Optional scopes */
28
- 'KYA-Granted-Scopes'?: string;
30
+ 'KYA-OS-Granted-Scopes'?: string;
29
31
  }
30
32
  /**
31
33
  * Header names as constants for type safety
32
34
  */
33
35
  export declare const DOWNSTREAM_HEADER_NAMES: Readonly<{
34
- readonly AGENT_DID: "KYA-Agent-DID";
35
- readonly DELEGATION_ID: "KYA-Delegation-Id";
36
- readonly DELEGATION_CHAIN: "KYA-Delegation-Chain";
36
+ readonly AGENT_DID: "KYA-OS-Agent-DID";
37
+ readonly DELEGATION_CHAIN: "KYA-OS-Delegation-Chain";
38
+ readonly DELEGATION_PROOF: "KYA-OS-Delegation-Proof";
39
+ readonly DELEGATION_CREDENTIAL: "KYA-OS-Delegation-Credential";
37
40
  readonly PROOF_ID: "KYA-Proof-Id";
38
41
  readonly CRISP_SPEND: "KYA-CRISP-Spend";
39
- readonly SESSION_ID: "KYA-Session-Id";
40
- readonly SCOPES: "KYA-Granted-Scopes";
42
+ readonly SESSION_ID: "KYA-OS-Session-Id";
43
+ readonly SCOPES: "KYA-OS-Granted-Scopes";
41
44
  }>;
42
45
  /**
43
46
  * CRISP Spend Info
@@ -75,8 +78,9 @@ export declare function parseCrispSpend(headerValue: string): CrispSpendInfo | n
75
78
  export declare function createDownstreamHeaders(config: {
76
79
  agentDid: string;
77
80
  proofId: string;
78
- delegationId?: string;
79
81
  delegationChain?: string;
82
+ delegationProof?: string;
83
+ delegationCredential?: string;
80
84
  crispSpend?: CrispSpendInfo;
81
85
  sessionId?: string;
82
86
  scopes?: string[];
@@ -16,13 +16,14 @@ exports.createDownstreamHeaders = createDownstreamHeaders;
16
16
  * Header names as constants for type safety
17
17
  */
18
18
  exports.DOWNSTREAM_HEADER_NAMES = Object.freeze({
19
- AGENT_DID: 'KYA-Agent-DID',
20
- DELEGATION_ID: 'KYA-Delegation-Id',
21
- DELEGATION_CHAIN: 'KYA-Delegation-Chain',
19
+ AGENT_DID: 'KYA-OS-Agent-DID',
20
+ DELEGATION_CHAIN: 'KYA-OS-Delegation-Chain',
21
+ DELEGATION_PROOF: 'KYA-OS-Delegation-Proof',
22
+ DELEGATION_CREDENTIAL: 'KYA-OS-Delegation-Credential',
22
23
  PROOF_ID: 'KYA-Proof-Id',
23
24
  CRISP_SPEND: 'KYA-CRISP-Spend',
24
- SESSION_ID: 'KYA-Session-Id',
25
- SCOPES: 'KYA-Granted-Scopes',
25
+ SESSION_ID: 'KYA-OS-Session-Id',
26
+ SCOPES: 'KYA-OS-Granted-Scopes',
26
27
  });
27
28
  /**
28
29
  * Helper to serialize CRISP spend info to header value
@@ -59,23 +60,26 @@ function parseCrispSpend(headerValue) {
59
60
  */
60
61
  function createDownstreamHeaders(config) {
61
62
  const headers = {
62
- 'KYA-Agent-DID': config.agentDid,
63
+ 'KYA-OS-Agent-DID': config.agentDid,
63
64
  'KYA-Proof-Id': config.proofId,
64
65
  };
65
- if (config.delegationId) {
66
- headers['KYA-Delegation-Id'] = config.delegationId;
67
- }
68
66
  if (config.delegationChain) {
69
- headers['KYA-Delegation-Chain'] = config.delegationChain;
67
+ headers['KYA-OS-Delegation-Chain'] = config.delegationChain;
68
+ }
69
+ if (config.delegationProof) {
70
+ headers['KYA-OS-Delegation-Proof'] = config.delegationProof;
71
+ }
72
+ if (config.delegationCredential) {
73
+ headers['KYA-OS-Delegation-Credential'] = config.delegationCredential;
70
74
  }
71
75
  if (config.crispSpend) {
72
76
  headers['KYA-CRISP-Spend'] = serializeCrispSpend(config.crispSpend);
73
77
  }
74
78
  if (config.sessionId) {
75
- headers['KYA-Session-Id'] = config.sessionId;
79
+ headers['KYA-OS-Session-Id'] = config.sessionId;
76
80
  }
77
81
  if (config.scopes && config.scopes.length > 0) {
78
- headers['KYA-Granted-Scopes'] = config.scopes.join(',');
82
+ headers['KYA-OS-Granted-Scopes'] = config.scopes.join(',');
79
83
  }
80
84
  return headers;
81
85
  }