@agentbouncr/core 0.1.0

package/dist/tracing/trace-context.js

@@ -0,0 +1,76 @@
+/**
+ * @agentbouncr/core — W3C Trace Context Primitives
+ *
+ * Trace-ID-Generierung und -Validierung nach W3C Trace Context Standard.
+ * https://www.w3.org/TR/trace-context/
+ *
+ * Format:
+ *   traceId:     32 hex chars (128 bit)
+ *   spanId:      16 hex chars (64 bit)
+ *   traceparent: "00-{traceId}-{spanId}-{flags}"
+ */
+import { randomBytes } from 'node:crypto';
+// --- Constants ---
+const TRACE_ID_BYTES = 16;
+const SPAN_ID_BYTES = 8;
+const TRACE_VERSION = '00';
+const TRACE_FLAGS_SAMPLED = '01';
+const TRACE_ID_REGEX = /^[0-9a-f]{32}$/;
+const SPAN_ID_REGEX = /^[0-9a-f]{16}$/;
+const TRACEPARENT_REGEX = /^([0-9a-f]{2})-([0-9a-f]{32})-([0-9a-f]{16})-([0-9a-f]{2})$/;
+const ALL_ZEROS_TRACE_ID = '0'.repeat(32);
+const ALL_ZEROS_SPAN_ID = '0'.repeat(16);
+// --- Generation ---
+export function generateTraceId() {
+    return randomBytes(TRACE_ID_BYTES).toString('hex');
+}
+export function generateSpanId() {
+    return randomBytes(SPAN_ID_BYTES).toString('hex');
+}
+// --- Validation ---
+export function isValidTraceId(traceId) {
+    return TRACE_ID_REGEX.test(traceId) && traceId !== ALL_ZEROS_TRACE_ID;
+}
+export function isValidSpanId(spanId) {
+    return SPAN_ID_REGEX.test(spanId) && spanId !== ALL_ZEROS_SPAN_ID;
+}
+// --- traceparent formatting ---
+function formatTraceparent(traceId, spanId) {
+    return `${TRACE_VERSION}-${traceId}-${spanId}-${TRACE_FLAGS_SAMPLED}`;
+}
+// --- Factory ---
+/**
+ * Create a TraceContext. Reuses valid traceId/spanId if provided,
+ * otherwise generates new ones.
+ */
+export function createTraceContext(traceId, spanId) {
+    const validTraceId = traceId && isValidTraceId(traceId) ? traceId : generateTraceId();
+    const validSpanId = spanId && isValidSpanId(spanId) ? spanId : generateSpanId();
+    return {
+        traceId: validTraceId,
+        spanId: validSpanId,
+        traceparent: formatTraceparent(validTraceId, validSpanId),
+    };
+}
+// --- Parsing ---
+/**
+ * Parse a W3C traceparent header string into a TraceContext.
+ * Returns null for invalid formats.
+ *
+ * Format: "{version}-{traceId}-{spanId}-{flags}"
+ * Example: "00-4bf92f3577b34da6a3ce929d0e0e4736-00f067aa0ba902b7-01"
+ */
+export function parseTraceparent(header) {
+    const match = header.match(TRACEPARENT_REGEX);
+    if (!match)
+        return null;
+    const [, , traceId, spanId] = match;
+    if (!isValidTraceId(traceId) || !isValidSpanId(spanId))
+        return null;
+    return {
+        traceId,
+        spanId,
+        traceparent: header,
+    };
+}
+//# sourceMappingURL=trace-context.js.map

package/dist/tracing/trace-context.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"trace-context.js","sourceRoot":"","sources":["../../src/tracing/trace-context.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAa1C,oBAAoB;AAEpB,MAAM,cAAc,GAAG,EAAE,CAAC;AAC1B,MAAM,aAAa,GAAG,CAAC,CAAC;AACxB,MAAM,aAAa,GAAG,IAAI,CAAC;AAC3B,MAAM,mBAAmB,GAAG,IAAI,CAAC;AAEjC,MAAM,cAAc,GAAG,gBAAgB,CAAC;AACxC,MAAM,aAAa,GAAG,gBAAgB,CAAC;AACvC,MAAM,iBAAiB,GAAG,6DAA6D,CAAC;AACxF,MAAM,kBAAkB,GAAG,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;AAC1C,MAAM,iBAAiB,GAAG,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;AAEzC,qBAAqB;AAErB,MAAM,UAAU,eAAe;IAC7B,OAAO,WAAW,CAAC,cAAc,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;AACrD,CAAC;AAED,MAAM,UAAU,cAAc;IAC5B,OAAO,WAAW,CAAC,aAAa,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;AACpD,CAAC;AAED,qBAAqB;AAErB,MAAM,UAAU,cAAc,CAAC,OAAe;IAC5C,OAAO,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,OAAO,KAAK,kBAAkB,CAAC;AACxE,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,MAAc;IAC1C,OAAO,aAAa,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,MAAM,KAAK,iBAAiB,CAAC;AACpE,CAAC;AAED,iCAAiC;AAEjC,SAAS,iBAAiB,CAAC,OAAe,EAAE,MAAc;IACxD,OAAO,GAAG,aAAa,IAAI,OAAO,IAAI,MAAM,IAAI,mBAAmB,EAAE,CAAC;AACxE,CAAC;AAED,kBAAkB;AAElB;;;GAGG;AACH,MAAM,UAAU,kBAAkB,CAAC,OAAgB,EAAE,MAAe;IAClE,MAAM,YAAY,GAAG,OAAO,IAAI,cAAc,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,EAAE,CAAC;IACtF,MAAM,WAAW,GAAG,MAAM,IAAI,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,cAAc,EAAE,CAAC;IAEhF,OAAO;QACL,OAAO,EAAE,YAAY;QACrB,MAAM,EAAE,WAAW;QACnB,WAAW,EAAE,iBAAiB,CAAC,YAAY,EAAE,WAAW,CAAC;KAC1D,CAAC;AACJ,CAAC;AAED,kBAAkB;AAElB;;;;;;GAMG;AACH,MAAM,UAAU,gBAAgB,CAAC,MAAc;IAC7C,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC;IAC9C,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IAExB,MAAM,CAAC,EAAE,AAAD,EAAG,OAAO,EAAE,MAAM,CAAC,GAAG,KAAK,CAAC;IAEpC,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC;QAAE,OAAO,IAAI,CAAC;IAEpE,OAAO;QACL,OAAO;QACP,MAAM;QACN,WAAW,EAAE,MAAM;KACpB,CAAC;AACJ,CAAC"}

package/dist/tracing/trace-provider.d.ts

@@ -0,0 +1,43 @@
+/**
+ * @agentbouncr/core — TraceProvider
+ *
+ * DI-injectable Trace-Kontext-Management mit:
+ * - AsyncLocalStorage fuer implizite Propagation
+ * - OTel-API-Bridge (no-op wenn kein SDK registriert)
+ * - Pino child-Logger mit traceId/spanId gebunden
+ */
+import type pino from 'pino';
+import { type TraceContext } from './trace-context.js';
+export declare class TraceProvider {
+    private readonly logger;
+    private readonly storage;
+    private readonly tracer;
+    constructor(logger: pino.Logger, serviceName?: string);
+    /**
+     * Execute fn within a traced scope. TraceId is available via
+     * getTraceId()/getTraceContext() anywhere inside fn (sync or async).
+     *
+     * Priority for traceId:
+     * 1. options.traceId (caller-provided, e.g. from EvaluateRequest)
+     * 2. Active OTel span context (if SDK registered)
+     * 3. Generate new W3C-compliant trace ID
+     */
+    run<T>(fn: () => T, options?: {
+        traceId?: string;
+        spanName?: string;
+    }): T;
+    /**
+     * Get the active TraceContext. Returns undefined outside run() scope.
+     */
+    getTraceContext(): TraceContext | undefined;
+    /**
+     * Convenience: get just the traceId. Returns undefined outside run() scope.
+     */
+    getTraceId(): string | undefined;
+    /**
+     * Get the context-bound logger (with traceId/spanId fields).
+     * Falls back to the base logger outside run() scope.
+     */
+    getLogger(): pino.Logger;
+}
+//# sourceMappingURL=trace-provider.d.ts.map

package/dist/tracing/trace-provider.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"trace-provider.d.ts","sourceRoot":"","sources":["../../src/tracing/trace-provider.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAIH,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,EAGL,KAAK,YAAY,EAClB,MAAM,oBAAoB,CAAC;AAW5B,qBAAa,aAAa;IAKtB,OAAO,CAAC,QAAQ,CAAC,MAAM;IAJzB,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAuC;IAC/D,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;gBAGb,MAAM,EAAE,IAAI,CAAC,MAAM,EACpC,WAAW,GAAE,MAA4B;IAK3C;;;;;;;;OAQG;IACH,GAAG,CAAC,CAAC,EACH,EAAE,EAAE,MAAM,CAAC,EACX,OAAO,CAAC,EAAE;QAAE,OAAO,CAAC,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;KAAE,GAChD,CAAC;IAkDJ;;OAEG;IACH,eAAe,IAAI,YAAY,GAAG,SAAS;IAI3C;;OAEG;IACH,UAAU,IAAI,MAAM,GAAG,SAAS;IAIhC;;;OAGG;IACH,SAAS,IAAI,IAAI,CAAC,MAAM;CAGzB"}

package/dist/tracing/trace-provider.js

@@ -0,0 +1,89 @@
+/**
+ * @agentbouncr/core — TraceProvider
+ *
+ * DI-injectable Trace-Kontext-Management mit:
+ * - AsyncLocalStorage fuer implizite Propagation
+ * - OTel-API-Bridge (no-op wenn kein SDK registriert)
+ * - Pino child-Logger mit traceId/spanId gebunden
+ */
+import { AsyncLocalStorage } from 'node:async_hooks';
+import { trace, SpanKind } from '@opentelemetry/api';
+import { createTraceContext, generateSpanId, } from './trace-context.js';
+// --- TraceProvider ---
+export class TraceProvider {
+    logger;
+    storage = new AsyncLocalStorage();
+    tracer;
+    constructor(logger, serviceName = '@agentbouncr/core') {
+        this.logger = logger;
+        this.tracer = trace.getTracer(serviceName);
+    }
+    /**
+     * Execute fn within a traced scope. TraceId is available via
+     * getTraceId()/getTraceContext() anywhere inside fn (sync or async).
+     *
+     * Priority for traceId:
+     * 1. options.traceId (caller-provided, e.g. from EvaluateRequest)
+     * 2. Active OTel span context (if SDK registered)
+     * 3. Generate new W3C-compliant trace ID
+     */
+    run(fn, options) {
+        // Determine trace context
+        let traceCtx;
+        if (options?.traceId) {
+            traceCtx = createTraceContext(options.traceId);
+        }
+        else {
+            const activeSpan = trace.getActiveSpan();
+            if (activeSpan) {
+                const spanCtx = activeSpan.spanContext();
+                traceCtx = createTraceContext(spanCtx.traceId, generateSpanId());
+            }
+            else {
+                traceCtx = createTraceContext();
+            }
+        }
+        const childLogger = this.logger.child({
+            traceId: traceCtx.traceId,
+            spanId: traceCtx.spanId,
+        });
+        const store = { traceContext: traceCtx, logger: childLogger };
+        const spanName = options?.spanName ?? 'governance.operation';
+        return this.tracer.startActiveSpan(spanName, { kind: SpanKind.INTERNAL }, (span) => {
+            return this.storage.run(store, () => {
+                try {
+                    const result = fn();
+                    if (result instanceof Promise) {
+                        return result.then((val) => { span.end(); return val; }, (err) => { span.end(); throw err; });
+                    }
+                    span.end();
+                    return result;
+                }
+                catch (err) {
+                    span.end();
+                    throw err;
+                }
+            });
+        });
+    }
+    /**
+     * Get the active TraceContext. Returns undefined outside run() scope.
+     */
+    getTraceContext() {
+        return this.storage.getStore()?.traceContext;
+    }
+    /**
+     * Convenience: get just the traceId. Returns undefined outside run() scope.
+     */
+    getTraceId() {
+        return this.storage.getStore()?.traceContext.traceId;
+    }
+    /**
+     * Get the context-bound logger (with traceId/spanId fields).
+     * Falls back to the base logger outside run() scope.
+     */
+    getLogger() {
+        return this.storage.getStore()?.logger ?? this.logger;
+    }
+}
+//# sourceMappingURL=trace-provider.js.map

package/dist/tracing/trace-provider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"trace-provider.js","sourceRoot":"","sources":["../../src/tracing/trace-provider.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,EAAE,KAAK,EAA0B,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAE7E,OAAO,EACL,kBAAkB,EAClB,cAAc,GAEf,MAAM,oBAAoB,CAAC;AAS5B,wBAAwB;AAExB,MAAM,OAAO,aAAa;IAKL;IAJF,OAAO,GAAG,IAAI,iBAAiB,EAAc,CAAC;IAC9C,MAAM,CAAS;IAEhC,YACmB,MAAmB,EACpC,cAAsB,mBAAmB;QADxB,WAAM,GAAN,MAAM,CAAa;QAGpC,IAAI,CAAC,MAAM,GAAG,KAAK,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;IAC7C,CAAC;IAED;;;;;;;;OAQG;IACH,GAAG,CACD,EAAW,EACX,OAAiD;QAEjD,0BAA0B;QAC1B,IAAI,QAAsB,CAAC;QAE3B,IAAI,OAAO,EAAE,OAAO,EAAE,CAAC;YACrB,QAAQ,GAAG,kBAAkB,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QACjD,CAAC;aAAM,CAAC;YACN,MAAM,UAAU,GAAG,KAAK,CAAC,aAAa,EAAE,CAAC;YACzC,IAAI,UAAU,EAAE,CAAC;gBACf,MAAM,OAAO,GAAG,UAAU,CAAC,WAAW,EAAE,CAAC;gBACzC,QAAQ,GAAG,kBAAkB,CAAC,OAAO,CAAC,OAAO,EAAE,cAAc,EAAE,CAAC,CAAC;YACnE,CAAC;iBAAM,CAAC;gBACN,QAAQ,GAAG,kBAAkB,EAAE,CAAC;YAClC,CAAC;QACH,CAAC;QAED,MAAM,WAAW,GAAG,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC;YACpC,OAAO,EAAE,QAAQ,CAAC,OAAO;YACzB,MAAM,EAAE,QAAQ,CAAC,MAAM;SACxB,CAAC,CAAC;QAEH,MAAM,KAAK,GAAe,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;QAC1E,MAAM,QAAQ,GAAG,OAAO,EAAE,QAAQ,IAAI,sBAAsB,CAAC;QAE7D,OAAO,IAAI,CAAC,MAAM,CAAC,eAAe,CAChC,QAAQ,EACR,EAAE,IAAI,EAAE,QAAQ,CAAC,QAAQ,EAAE,EAC3B,CAAC,IAAU,EAAE,EAAE;YACb,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,EAAE,GAAG,EAAE;gBAClC,IAAI,CAAC;oBACH,MAAM,MAAM,GAAG,EAAE,EAAE,CAAC;oBAEpB,IAAI,MAAM,YAAY,OAAO,EAAE,CAAC;wBAC9B,OAAQ,MAA2B,CAAC,IAAI,CACtC,CAAC,GAAG,EAAE,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,OAAO,GAAG,CAAC,CAAC,CAAC,EACpC,CAAC,GAAY,EAAE,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CACxC,CAAC;oBACT,CAAC;oBAED,IAAI,CAAC,GAAG,EAAE,CAAC;oBACX,OAAO,MAAM,CAAC;gBAChB,CAAC;gBAAC,OAAO,GAAY,EAAE,CAAC;oBACtB,IAAI,CAAC,GAAG,EAAE,CAAC;oBACX,MAAM,GAAG,CAAC;gBACZ,CAAC;YACH,CAAC,CAAC,CAAC;QACL,CAAC,CACF,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,eAAe;QACb,OAAO,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,YAAY,CAAC;IAC/C,CAAC;IAED;;OAEG;IACH,UAAU;QACR,OAAO,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,YAAY,CAAC,OAAO,CAAC;IACvD,CAAC;IAED;;;OAGG;IACH,SAAS;QACP,OAAO,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,MAAM,IAAI,IAAI,CAAC,MAAM,CAAC;IACxD,CAAC;CACF"}

package/dist/types/index.d.ts

@@ -0,0 +1,248 @@
+/**
+ * @agentbouncr/core — Shared Types
+ *
+ * GovernanceError, Failure Categories, and shared interfaces
+ * used across all governance modules.
+ */
+import type { GovernanceTool, RiskLevel } from '../schema/tool-schema.js';
+export type FailureCategory = 'tool_error' | 'policy_denial' | 'provider_timeout' | 'provider_error' | 'injection_alert' | 'config_error' | 'rate_limit' | 'approval_timeout';
+export declare class GovernanceError extends Error {
+    readonly code: string;
+    readonly category: FailureCategory;
+    readonly context?: Record<string, unknown> | undefined;
+    readonly name = "GovernanceError";
+    constructor(message: string, code: string, category: FailureCategory, context?: Record<string, unknown> | undefined);
+}
+export interface InjectionDetectionResult {
+    detected: boolean;
+    patterns: string[];
+    text: string;
+}
+export interface KillSwitchResult {
+    triggered: boolean;
+    command: string | null;
+}
+export interface PermissionResult {
+    allowed: boolean;
+    reason?: string;
+    toolName: string;
+    agentId: string;
+}
+export interface EvaluateRequest {
+    agentId: string;
+    tool: string;
+    params?: Record<string, unknown>;
+    traceId?: string;
+}
+export interface EvaluateResult {
+    allowed: boolean;
+    traceId: string;
+    reason?: string;
+    appliedRules: AppliedRule[];
+    requiresApproval?: boolean;
+    approvalId?: string;
+    deadline?: string;
+}
+export interface AppliedRule {
+    policyName: string;
+    ruleName?: string;
+    effect: 'allow' | 'deny';
+    requireApproval?: boolean;
+}
+export interface ToolResult {
+    success: boolean;
+    data?: unknown;
+    error?: string;
+}
+export interface ToolExecutionContext {
+    agentId: string;
+    traceId: string;
+    [key: string]: unknown;
+}
+export interface AuditEvent {
+    id?: number;
+    traceId: string;
+    timestamp: string;
+    agentId: string;
+    tool: string;
+    params?: Record<string, unknown>;
+    result: 'allowed' | 'denied' | 'error';
+    reason?: string;
+    durationMs: number;
+    failureCategory?: FailureCategory;
+    previousHash: string | null;
+    hash: string;
+}
+export type AuditEventInput = Omit<AuditEvent, 'id' | 'previousHash' | 'hash'>;
+export interface AuditFilter {
+    agentId?: string;
+    tool?: string;
+    result?: 'allowed' | 'denied' | 'error';
+    traceId?: string;
+    fromTimestamp?: string;
+    toTimestamp?: string;
+    failureCategory?: FailureCategory;
+    search?: string;
+    limit?: number;
+    offset?: number;
+}
+export interface AuditChainVerificationResult {
+    valid: boolean;
+    brokenAt?: number;
+    totalEvents: number;
+    verifiedEvents: number;
+}
+export type ConditionOperator = 'equals' | 'notEquals' | 'startsWith' | 'endsWith' | 'contains' | 'gt' | 'lt' | 'gte' | 'lte' | 'in' | 'matches';
+/**
+ * Policy condition: maps parameter names to operator-value pairs.
+ * Example: { "path": { "startsWith": "/etc/" }, "amount": { "gt": 1000 } }
+ * All conditions are AND-combined (conjunctive).
+ */
+export type PolicyCondition = Record<string, Partial<Record<ConditionOperator, unknown>>>;
+export interface Policy {
+    name: string;
+    version: string;
+    agentId?: string;
+    rules: PolicyRule[];
+    createdAt: string;
+    updatedAt: string;
+}
+export interface PolicyRule {
+    name?: string;
+    tool: string;
+    effect: 'allow' | 'deny';
+    condition?: PolicyCondition;
+    reason?: string;
+    rateLimit?: {
+        maxPerMinute: number;
+    };
+    requireApproval?: boolean;
+}
+export type AgentRunStatus = 'registered' | 'running' | 'stopped' | 'error';
+export interface AgentConfig {
+    agentId: string;
+    name: string;
+    description?: string;
+    allowedTools: string[];
+    policyName?: string;
+    metadata?: Record<string, unknown>;
+}
+export interface AgentStatus {
+    agentId: string;
+    name: string;
+    status: AgentRunStatus;
+    registeredAt: string;
+    lastActiveAt?: string;
+}
+export interface PolicyVersion {
+    id: number;
+    policyName: string;
+    version: string;
+    agentId?: string;
+    rules: PolicyRule[];
+    author: string;
+    createdAt: string;
+}
+export interface GovernanceEventRecord {
+    id?: number;
+    agentId: string;
+    eventType: string;
+    timestamp: string;
+    traceId?: string;
+    data?: Record<string, unknown>;
+    receivedAt?: string;
+}
+export interface GovernanceEventFilter {
+    agentId?: string;
+    eventType?: string;
+    fromTimestamp?: string;
+    toTimestamp?: string;
+    limit?: number;
+    offset?: number;
+}
+export type ApprovalStatus = 'pending' | 'approved' | 'rejected' | 'timeout';
+export interface ApprovalRequest {
+    id: string;
+    agentId: string;
+    tool: string;
+    params?: Record<string, unknown>;
+    traceId: string;
+    policyName: string;
+    ruleName?: string;
+    status: ApprovalStatus;
+    deadline: string;
+    approver?: string;
+    comment?: string;
+    createdAt: string;
+    resolvedAt?: string;
+    tenantId: string;
+}
+export interface ApprovalRequestInput {
+    agentId: string;
+    tool: string;
+    params?: Record<string, unknown>;
+    traceId: string;
+    policyName: string;
+    ruleName?: string;
+    deadline: string;
+}
+export interface ApprovalFilter {
+    agentId?: string;
+    status?: ApprovalStatus;
+    tool?: string;
+    limit?: number;
+    offset?: number;
+}
+export interface ApprovalResolution {
+    status: 'approved' | 'rejected' | 'timeout';
+    approver?: string;
+    comment?: string;
+}
+export interface ToolFilter {
+    source?: 'manual' | 'import' | 'mcp';
+    riskLevel?: RiskLevel;
+    category?: string;
+    /** Search in tool name and description */
+    search?: string;
+}
+export interface TransactionClient {
+    run(sql: string, params?: unknown[]): void;
+    get<T>(sql: string, params?: unknown[]): T | undefined;
+    all<T>(sql: string, params?: unknown[]): T[];
+}
+export interface DatabaseAdapter {
+    writeAuditEvent(event: AuditEventInput): Promise<void>;
+    queryAuditEvents(filter: AuditFilter): Promise<AuditEvent[]>;
+    getLatestAuditHash(): Promise<string | null>;
+    verifyAuditChain(): Promise<AuditChainVerificationResult>;
+    exportAuditEvents(filter: AuditFilter, stream: NodeJS.WritableStream): Promise<void>;
+    writePolicy(policy: Policy): Promise<void>;
+    getActivePolicy(agentId: string): Promise<Policy | null>;
+    listPolicies(): Promise<Policy[]>;
+    getPolicyByName(name: string): Promise<Policy | null>;
+    deletePolicy(name: string): Promise<boolean>;
+    writePolicyVersion(policyName: string, policy: Policy, author: string): Promise<void>;
+    getPolicyHistory(policyName: string): Promise<PolicyVersion[]>;
+    getPolicyVersion(policyName: string, versionId: number): Promise<PolicyVersion | null>;
+    registerAgent(config: AgentConfig): Promise<string>;
+    getAgentStatus(agentId: string): Promise<AgentStatus | null>;
+    updateAgentStatus(agentId: string, status: AgentRunStatus): Promise<void>;
+    listAgents(): Promise<AgentStatus[]>;
+    deleteAgent(agentId: string): Promise<boolean>;
+    writeTool(tool: GovernanceTool): Promise<void>;
+    getTool(name: string): Promise<GovernanceTool | null>;
+    listTools(filter?: ToolFilter): Promise<GovernanceTool[]>;
+    deleteTool(name: string): Promise<boolean>;
+    writeGovernanceEvent(event: GovernanceEventRecord): Promise<void>;
+    queryGovernanceEvents(filter: GovernanceEventFilter): Promise<GovernanceEventRecord[]>;
+    runMigrations(): Promise<void>;
+    getSchemaVersion(): Promise<number>;
+    transaction<T>(fn: (tx: TransactionClient) => Promise<T>): Promise<T>;
+    createApprovalRequest?(request: ApprovalRequestInput): Promise<ApprovalRequest>;
+    getApprovalRequest?(id: string): Promise<ApprovalRequest | null>;
+    listApprovalRequests?(filter?: ApprovalFilter): Promise<ApprovalRequest[]>;
+    resolveApprovalRequest?(id: string, resolution: ApprovalResolution): Promise<boolean>;
+    forTenant?(tenantId: string): DatabaseAdapter;
+    close(): Promise<void>;
+}
+//# sourceMappingURL=index.d.ts.map

package/dist/types/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/types/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,SAAS,EAAE,MAAM,0BAA0B,CAAC;AAI1E,MAAM,MAAM,eAAe,GACvB,YAAY,GACZ,eAAe,GACf,kBAAkB,GAClB,gBAAgB,GAChB,iBAAiB,GACjB,cAAc,GACd,YAAY,GACZ,kBAAkB,CAAC;AAIvB,qBAAa,eAAgB,SAAQ,KAAK;aAKtB,IAAI,EAAE,MAAM;aACZ,QAAQ,EAAE,eAAe;aACzB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;IANnD,SAAyB,IAAI,qBAAqB;gBAGhD,OAAO,EAAE,MAAM,EACC,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,eAAe,EACzB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,YAAA;CAIpD;AAID,MAAM,WAAW,wBAAwB;IACvC,QAAQ,EAAE,OAAO,CAAC;IAClB,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,IAAI,EAAE,MAAM,CAAC;CACd;AAID,MAAM,WAAW,gBAAgB;IAC/B,SAAS,EAAE,OAAO,CAAC;IACnB,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;CACxB;AAID,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;CACjB;AAID,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACjC,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,OAAO,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,YAAY,EAAE,WAAW,EAAE,CAAC;IAC5B,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,WAAW;IAC1B,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,OAAO,GAAG,MAAM,CAAC;IACzB,eAAe,CAAC,EAAE,OAAO,CAAC;CAC3B;AAID,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,OAAO,CAAC;IACjB,IAAI,CAAC,EAAE,OAAO,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,oBAAoB;IACnC,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAID,MAAM,WAAW,UAAU;IACzB,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACjC,MAAM,EAAE,SAAS,GAAG,QAAQ,GAAG,OAAO,CAAC;IACvC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;IACnB,eAAe,CAAC,EAAE,eAAe,CAAC;IAClC,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,IAAI,EAAE,MAAM,CAAC;CACd;AAED,MAAM,MAAM,eAAe,GAAG,IAAI,CAAC,UAAU,EAAE,IAAI,GAAG,cAAc,GAAG,MAAM,CAAC,CAAC;AAE/E,MAAM,WAAW,WAAW;IAC1B,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,SAAS,GAAG,QAAQ,GAAG,OAAO,CAAC;IACxC,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,eAAe,CAAC,EAAE,eAAe,CAAC;IAClC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,4BAA4B;IAC3C,KAAK,EAAE,OAAO,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,cAAc,EAAE,MAAM,CAAC;CACxB;AAID,MAAM,MAAM,iBAAiB,GACzB,QAAQ,GACR,WAAW,GACX,YAAY,GACZ,UAAU,GACV,UAAU,GACV,IAAI,GACJ,IAAI,GACJ,KAAK,GACL,KAAK,GACL,IAAI,GACJ,SAAS,CAAC;AAEd;;;;GAIG;AACH,MAAM,MAAM,eAAe,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,MAAM,CAAC,iBAAiB,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC;AAE1F,MAAM,WAAW,MAAM;IACrB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,UAAU,EAAE,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,UAAU;IACzB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,OAAO,GAAG,MAAM,CAAC;IACzB,SAAS,CAAC,EAAE,eAAe,CAAC;IAC5B,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE;QAAE,YAAY,EAAE,MAAM,CAAA;KAAE,CAAC;IACrC,eAAe,CAAC,EAAE,OAAO,CAAC;CAC3B;AAID,MAAM,MAAM,cAAc,GAAG,YAAY,GAAG,SAAS,GAAG,SAAS,GAAG,OAAO,CAAC;AAE5E,MAAM,WAAW,WAAW;IAC1B,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACpC;AAED,MAAM,WAAW,WAAW;IAC1B,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,cAAc,CAAC;IACvB,YAAY,EAAE,MAAM,CAAC;IACrB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAID,MAAM,WAAW,aAAa;IAC5B,EAAE,EAAE,MAAM,CAAC;IACX,UAAU,EAAE,MAAM,CAAC;IACnB,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,UAAU,EAAE,CAAC;IACpB,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;CACnB;AAID,MAAM,WAAW,qBAAqB;IACpC,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC/B,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,qBAAqB;IACpC,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAID,MAAM,MAAM,cAAc,GAAG,SAAS,GAAG,UAAU,GAAG,UAAU,GAAG,SAAS,CAAC;AAE7E,MAAM,WAAW,eAAe;IAC9B,EAAE,EAAE,MAAM,CAAC;IACX,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACjC,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,cAAc,CAAC;IACvB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,oBAAoB;IACnC,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACjC,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,cAAc;IAC7B,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,MAAM,CAAC,EAAE,cAAc,CAAC;IACxB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,kBAAkB;IACjC,MAAM,EAAE,UAAU,GAAG,UAAU,GAAG,SAAS,CAAC;IAC5C,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAID,MAAM,WAAW,UAAU;IACzB,MAAM,CAAC,EAAE,QAAQ,GAAG,QAAQ,GAAG,KAAK,CAAC;IACrC,SAAS,CAAC,EAAE,SAAS,CAAC;IACtB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,0CAA0C;IAC1C,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAID,MAAM,WAAW,iBAAiB;IAChC,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC;IAC3C,GAAG,CAAC,CAAC,EAAE,GAAG,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,OAAO,EAAE,GAAG,CAAC,GAAG,SAAS,CAAC;IACvD,GAAG,CAAC,CAAC,EAAE,GAAG,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,OAAO,EAAE,GAAG,CAAC,EAAE,CAAC;CAC9C;AAED,MAAM,WAAW,eAAe;IAE9B,eAAe,CAAC,KAAK,EAAE,eAAe,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACvD,gBAAgB,CAAC,MAAM,EAAE,WAAW,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC,CAAC;IAC7D,kBAAkB,IAAI,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IAC7C,gBAAgB,IAAI,OAAO,CAAC,4BAA4B,CAAC,CAAC;IAC1D,iBAAiB,CAAC,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,MAAM,CAAC,cAAc,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAGrF,WAAW,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC3C,eAAe,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IACzD,YAAY,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IAClC,eAAe,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IACtD,YAAY,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAG7C,kBAAkB,CAAC,UAAU,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACtF,gBAAgB,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,EAAE,CAAC,CAAC;IAC/D,gBAAgB,CAAC,UAAU,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC,CAAC;IAGvF,aAAa,CAAC,MAAM,EAAE,WAAW,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IACpD,cAAc,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;IAC7D,iBAAiB,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,cAAc,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC1E,UAAU,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC,CAAC;IACrC,WAAW,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAG/C,SAAS,CAAC,IAAI,EAAE,cAAc,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC/C,OAAO,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC,CAAC;IACtD,SAAS,CAAC,MAAM,CAAC,EAAE,UAAU,GAAG,OAAO,CAAC,cAAc,EAAE,CAAC,CAAC;IAC1D,UAAU,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAG3C,oBAAoB,CAAC,KAAK,EAAE,qBAAqB,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAClE,qBAAqB,CAAC,MAAM,EAAE,qBAAqB,GAAG,OAAO,CAAC,qBAAqB,EAAE,CAAC,CAAC;IAGvF,aAAa,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IAC/B,gBAAgB,IAAI,OAAO,CAAC,MAAM,CAAC,CAAC;IAGpC,WAAW,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,EAAE,iBAAiB,KAAK,OAAO,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;IAGtE,qBAAqB,CAAC,CAAC,OAAO,EAAE,oBAAoB,GAAG,OAAO,CAAC,eAAe,CAAC,CAAC;IAChF,kBAAkB,CAAC,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,GAAG,IAAI,CAAC,CAAC;IACjE,oBAAoB,CAAC,CAAC,MAAM,CAAC,EAAE,cAAc,GAAG,OAAO,CAAC,eAAe,EAAE,CAAC,CAAC;IAC3E,sBAAsB,CAAC,CAAC,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,kBAAkB,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAGtF,SAAS,CAAC,CAAC,QAAQ,EAAE,MAAM,GAAG,eAAe,CAAC;IAG9C,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;CACxB"}

package/dist/types/index.js

@@ -0,0 +1,20 @@
+/**
+ * @agentbouncr/core — Shared Types
+ *
+ * GovernanceError, Failure Categories, and shared interfaces
+ * used across all governance modules.
+ */
+// --- GovernanceError ---
+export class GovernanceError extends Error {
+    code;
+    category;
+    context;
+    name = 'GovernanceError';
+    constructor(message, code, category, context) {
+        super(message);
+        this.code = code;
+        this.category = category;
+        this.context = context;
+    }
+}
+//# sourceMappingURL=index.js.map

package/dist/types/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/types/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAgBH,0BAA0B;AAE1B,MAAM,OAAO,eAAgB,SAAQ,KAAK;IAKtB;IACA;IACA;IANO,IAAI,GAAG,iBAAiB,CAAC;IAElD,YACE,OAAe,EACC,IAAY,EACZ,QAAyB,EACzB,OAAiC;QAEjD,KAAK,CAAC,OAAO,CAAC,CAAC;QAJC,SAAI,GAAJ,IAAI,CAAQ;QACZ,aAAQ,GAAR,QAAQ,CAAiB;QACzB,YAAO,GAAP,OAAO,CAA0B;IAGnD,CAAC;CACF"}

package/dist/utils/external-content.d.ts

@@ -0,0 +1,9 @@
+/**
+ * External content wrapper for untrusted data entering the LLM context.
+ * Used for web search results, memory entries with treat_as_external, etc.
+ * Prevents injection by clearly marking boundaries of untrusted content.
+ */
+export declare const INJECTION_WARNING_START = "[EXTERNAL CONTENT - NICHT VERTRAUENSWUERDIG]";
+export declare const INJECTION_WARNING_END = "[ENDE EXTERNAL CONTENT]";
+export declare function wrapExternalContent(content: string): string;
+//# sourceMappingURL=external-content.d.ts.map

package/dist/utils/external-content.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"external-content.d.ts","sourceRoot":"","sources":["../../src/utils/external-content.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,eAAO,MAAM,uBAAuB,iDAAiD,CAAC;AACtF,eAAO,MAAM,qBAAqB,4BAA4B,CAAC;AAE/D,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAE3D"}

package/dist/utils/external-content.js

@@ -0,0 +1,11 @@
+/**
+ * External content wrapper for untrusted data entering the LLM context.
+ * Used for web search results, memory entries with treat_as_external, etc.
+ * Prevents injection by clearly marking boundaries of untrusted content.
+ */
+export const INJECTION_WARNING_START = '[EXTERNAL CONTENT - NICHT VERTRAUENSWUERDIG]';
+export const INJECTION_WARNING_END = '[ENDE EXTERNAL CONTENT]';
+export function wrapExternalContent(content) {
+    return `${INJECTION_WARNING_START}\n${content}\n${INJECTION_WARNING_END}`;
+}
+//# sourceMappingURL=external-content.js.map

package/dist/utils/external-content.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"external-content.js","sourceRoot":"","sources":["../../src/utils/external-content.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,MAAM,CAAC,MAAM,uBAAuB,GAAG,8CAA8C,CAAC;AACtF,MAAM,CAAC,MAAM,qBAAqB,GAAG,yBAAyB,CAAC;AAE/D,MAAM,UAAU,mBAAmB,CAAC,OAAe;IACjD,OAAO,GAAG,uBAAuB,KAAK,OAAO,KAAK,qBAAqB,EAAE,CAAC;AAC5E,CAAC"}

package/dist/utils/logger.d.ts

@@ -0,0 +1,4 @@
+import pino from 'pino';
+export declare const logger: pino.Logger<never, boolean>;
+export declare const securityLogger: pino.Logger<never, boolean>;
+//# sourceMappingURL=logger.d.ts.map

package/dist/utils/logger.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"logger.d.ts","sourceRoot":"","sources":["../../src/utils/logger.ts"],"names":[],"mappings":"AAAA,OAAO,IAAI,MAAM,MAAM,CAAC;AAIxB,eAAO,MAAM,MAAM,6BAQjB,CAAC;AAEH,eAAO,MAAM,cAAc,6BAAwC,CAAC"}

package/dist/utils/logger.js

@@ -0,0 +1,13 @@
+import pino from 'pino';
+const level = process.env.LOG_LEVEL || 'info';
+export const logger = pino({
+    level,
+    timestamp: pino.stdTimeFunctions.isoTime,
+    formatters: {
+        level(label) {
+            return { level: label };
+        },
+    },
+});
+export const securityLogger = logger.child({ context: 'security' });
+//# sourceMappingURL=logger.js.map

package/dist/utils/logger.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"logger.js","sourceRoot":"","sources":["../../src/utils/logger.ts"],"names":[],"mappings":"AAAA,OAAO,IAAI,MAAM,MAAM,CAAC;AAExB,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,SAAS,IAAI,MAAM,CAAC;AAE9C,MAAM,CAAC,MAAM,MAAM,GAAG,IAAI,CAAC;IACzB,KAAK;IACL,SAAS,EAAE,IAAI,CAAC,gBAAgB,CAAC,OAAO;IACxC,UAAU,EAAE;QACV,KAAK,CAAC,KAAK;YACT,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC;QAC1B,CAAC;KACF;CACF,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,cAAc,GAAG,MAAM,CAAC,KAAK,CAAC,EAAE,OAAO,EAAE,UAAU,EAAE,CAAC,CAAC"}

package/package.json

@@ -0,0 +1,45 @@
+{
+  "name": "@agentbouncr/core",
+  "version": "0.1.0",
+  "type": "module",
+  "license": "Elastic-2.0",
+  "description": "Agent Governance Framework — Core Engine (Permission Layer, Policy Engine, Audit Trail)",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/agentbouncr/agentbouncr.git",
+    "directory": "packages/core"
+  },
+  "publishConfig": {
+    "registry": "https://registry.npmjs.org",
+    "access": "public"
+  },
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    }
+  },
+  "files": [
+    "dist",
+    "README.md",
+    "LICENSE"
+  ],
+  "scripts": {
+    "build": "tsc",
+    "clean": "rm -rf dist"
+  },
+  "engines": {
+    "node": ">=20.0.0"
+  },
+  "dependencies": {
+    "@opentelemetry/api": "^1.9.0",
+    "pino": "^10.3.1",
+    "safe-regex2": "^5.0.0",
+    "zod": "^4.3.6"
+  },
+  "devDependencies": {
+    "@types/node": "^25.2.3"
+  }
+}