@agentguard-run/spend 0.5.0 → 0.6.1

package/dist/middleware/provider-registry.js

@@ -0,0 +1,292 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PROVIDER_REGISTRY = void 0;
+exports.isForeignOriginModel = isForeignOriginModel;
+exports.inferProviderRoute = inferProviderRoute;
+exports.inferModelIdentity = inferModelIdentity;
+exports.inferHosting = inferHosting;
+exports.inferCompliance = inferCompliance;
+exports.PROVIDER_REGISTRY = {
+    'anthropic-direct': {
+        provider: 'anthropic',
+        weights_origin_country: 'US',
+        available_jurisdictions: ['US'],
+        baa_path: 'Anthropic Enterprise Messages API with BAA eligible routing',
+        hipaa_eligible: true,
+        zdr_available: true,
+        default_retention_days: 0,
+    },
+    'aws-bedrock': {
+        provider: 'anthropic',
+        weights_origin_country: 'US',
+        available_jurisdictions: ['us-east-1', 'us-east-2', 'us-west-2', 'eu-west-1', 'eu-central-1', 'ap-northeast-1'],
+        baa_path: 'AWS BAA for Bedrock HIPAA eligible services',
+        hipaa_eligible: true,
+        zdr_available: true,
+        default_retention_days: 0,
+    },
+    'azure-openai': {
+        provider: 'openai',
+        weights_origin_country: 'US',
+        available_jurisdictions: ['eastus', 'westus', 'westeurope', 'francecentral', 'switzerlandnorth'],
+        baa_path: 'Microsoft Product Terms DPA',
+        hipaa_eligible: true,
+        zdr_available: true,
+        default_retention_days: 0,
+    },
+    'openai-direct': {
+        provider: 'openai',
+        weights_origin_country: 'US',
+        available_jurisdictions: ['US'],
+        baa_path: 'OpenAI Enterprise BAA with eligible API configuration',
+        hipaa_eligible: true,
+        zdr_available: true,
+        default_retention_days: 30,
+    },
+    'vertex-ai': {
+        provider: 'google',
+        weights_origin_country: 'US',
+        available_jurisdictions: ['us-central1', 'us-east4', 'europe-west4', 'europe-west1', 'asia-northeast1'],
+        baa_path: 'Google Cloud BAA',
+        hipaa_eligible: true,
+        zdr_available: true,
+        default_retention_days: 0,
+    },
+    fireworks: {
+        provider: 'fireworks',
+        weights_origin_country: 'unknown',
+        available_jurisdictions: ['US'],
+        baa_path: null,
+        hipaa_eligible: false,
+        zdr_available: false,
+        default_retention_days: 30,
+    },
+    baseten: {
+        provider: 'baseten',
+        weights_origin_country: 'unknown',
+        available_jurisdictions: ['US'],
+        baa_path: null,
+        hipaa_eligible: false,
+        zdr_available: false,
+        default_retention_days: 30,
+    },
+    together: {
+        provider: 'together',
+        weights_origin_country: 'unknown',
+        available_jurisdictions: ['US'],
+        baa_path: null,
+        hipaa_eligible: false,
+        zdr_available: false,
+        default_retention_days: 30,
+    },
+    'moonshot-direct': {
+        provider: 'moonshot',
+        weights_origin_country: 'CN',
+        available_jurisdictions: ['CN'],
+        baa_path: null,
+        hipaa_eligible: false,
+        zdr_available: false,
+        default_retention_days: 30,
+        foreign_origin: true,
+    },
+    'deepseek-direct': {
+        provider: 'deepseek',
+        weights_origin_country: 'CN',
+        available_jurisdictions: ['CN'],
+        baa_path: null,
+        hipaa_eligible: false,
+        zdr_available: false,
+        default_retention_days: 30,
+        foreign_origin: true,
+    },
+    'alibaba-direct': {
+        provider: 'alibaba',
+        weights_origin_country: 'CN',
+        available_jurisdictions: ['CN'],
+        baa_path: null,
+        hipaa_eligible: false,
+        zdr_available: false,
+        default_retention_days: 30,
+        foreign_origin: true,
+    },
+    'kimi-k2-on-baseten': {
+        provider: 'baseten',
+        weights_origin_country: 'CN',
+        available_jurisdictions: ['US'],
+        baa_path: null,
+        hipaa_eligible: false,
+        zdr_available: false,
+        default_retention_days: 30,
+        foreign_origin: true,
+    },
+    'deepseek-on-together': {
+        provider: 'together',
+        weights_origin_country: 'CN',
+        available_jurisdictions: ['US'],
+        baa_path: null,
+        hipaa_eligible: false,
+        zdr_available: false,
+        default_retention_days: 30,
+        foreign_origin: true,
+    },
+    'qwen-on-together': {
+        provider: 'together',
+        weights_origin_country: 'CN',
+        available_jurisdictions: ['US'],
+        baa_path: null,
+        hipaa_eligible: false,
+        zdr_available: false,
+        default_retention_days: 30,
+        foreign_origin: true,
+    },
+    'self-hosted': {
+        provider: 'self_hosted',
+        weights_origin_country: 'unknown',
+        available_jurisdictions: ['self-hosted'],
+        baa_path: null,
+        hipaa_eligible: false,
+        zdr_available: true,
+        default_retention_days: 0,
+    },
+};
+const FOREIGN_ORIGIN_PATTERNS = [/kimi/i, /deepseek/i, /qwen/i, /yi[-_ ]/i, /baichuan/i, /glm/i, /moonshot/i];
+function isForeignOriginModel(model) {
+    return FOREIGN_ORIGIN_PATTERNS.some((pattern) => pattern.test(model));
+}
+function inferProviderRoute(req) {
+    const model = String(req.model || '').toLowerCase();
+    const url = String(req.url || '').toLowerCase();
+    if ((req.providerRoute === 'baseten' || url.includes('baseten')) && /kimi/.test(model))
+        return 'kimi-k2-on-baseten';
+    if ((req.providerRoute === 'together' || url.includes('together')) && /deepseek/.test(model))
+        return 'deepseek-on-together';
+    if ((req.providerRoute === 'together' || url.includes('together')) && /qwen/.test(model))
+        return 'qwen-on-together';
+    if (req.providerRoute && exports.PROVIDER_REGISTRY[req.providerRoute])
+        return req.providerRoute;
+    if (url.includes('bedrock') || req.provider === 'bedrock')
+        return 'aws-bedrock';
+    if (url.includes('anthropic') || req.provider === 'anthropic')
+        return 'anthropic-direct';
+    if (url.includes('azure') || url.includes('openai.azure'))
+        return 'azure-openai';
+    if (url.includes('aiplatform.googleapis') || url.includes('vertex'))
+        return 'vertex-ai';
+    if (url.includes('fireworks') || req.providerRoute === 'fireworks')
+        return 'fireworks';
+    if (url.includes('baseten') || req.providerRoute === 'baseten')
+        return 'baseten';
+    if (url.includes('together') || req.providerRoute === 'together')
+        return 'together';
+    if (url.includes('moonshot') || /kimi/.test(model))
+        return 'moonshot-direct';
+    if (url.includes('deepseek') || /deepseek/.test(model))
+        return 'deepseek-direct';
+    if (url.includes('dashscope') || url.includes('alibaba') || /qwen/.test(model))
+        return 'alibaba-direct';
+    if (req.provider === 'openai')
+        return 'openai-direct';
+    if (req.provider === 'gemini')
+        return 'vertex-ai';
+    return 'self-hosted';
+}
+function inferModelIdentity(model, route) {
+    const info = exports.PROVIDER_REGISTRY[route] ?? exports.PROVIDER_REGISTRY['self-hosted'];
+    const modelId = model || 'unknown';
+    return {
+        provider: modelProvider(modelId, info.provider),
+        model_id: modelId,
+        model_version: modelVersion(modelId),
+        model_family: modelFamily(modelId),
+        weights_origin_country: isForeignOriginModel(modelId) || info.foreign_origin ? 'CN' : info.weights_origin_country,
+    };
+}
+function inferHosting(route, config = {}) {
+    const info = exports.PROVIDER_REGISTRY[route] ?? exports.PROVIDER_REGISTRY['self-hosted'];
+    const region = config.jurisdictionRegion || info.available_jurisdictions[0] || 'unknown';
+    return {
+        provider_route: route,
+        jurisdiction_country: config.jurisdictionCountry || countryFromRegion(region),
+        jurisdiction_region: region,
+    };
+}
+function inferCompliance(route, model, config = {}) {
+    const info = exports.PROVIDER_REGISTRY[route] ?? exports.PROVIDER_REGISTRY['self-hosted'];
+    const retention = config.dataRetentionDays !== undefined ? config.dataRetentionDays : info.default_retention_days;
+    return {
+        baa_in_force: config.baaInForce ?? false,
+        baa_vendor: config.baaVendor ?? info.baa_path,
+        hipaa_eligible: info.hipaa_eligible,
+        data_retention_days: retention,
+        data_residency_attested: config.dataResidencyAttested ?? false,
+        foreign_origin_weight_flag: model.weights_origin_country === 'CN' || info.foreign_origin === true,
+        foreign_origin_consent_receipt_id: config.foreignOriginConsentReceiptId ?? null,
+        inference_billing: config.inferenceBilling ?? 'customer_managed',
+        inference_billing_detail: config.inferenceBilling === 'agentguard_managed' ? config.inferenceBillingDetail ?? null : null,
+    };
+}
+function modelProvider(model, fallback) {
+    const lower = model.toLowerCase();
+    if (lower.includes('claude'))
+        return 'anthropic';
+    if (lower.includes('gpt') || lower.includes('openai'))
+        return 'openai';
+    if (lower.includes('gemini'))
+        return 'google';
+    if (lower.includes('mistral'))
+        return 'mistral';
+    if (lower.includes('llama'))
+        return 'meta';
+    if (lower.includes('command'))
+        return 'cohere';
+    if (lower.includes('deepseek'))
+        return 'deepseek';
+    if (lower.includes('kimi') || lower.includes('moonshot'))
+        return 'moonshot';
+    if (lower.includes('qwen') || lower.includes('yi') || lower.includes('baichuan') || lower.includes('glm'))
+        return 'alibaba';
+    return fallback;
+}
+function modelVersion(model) {
+    const match = model.match(/(?:^|[-_])(20\d{6}|\d{8})(?:$|[-_])/);
+    return match?.[1] ?? 'unknown';
+}
+function modelFamily(model) {
+    const lower = model.toLowerCase();
+    if (lower.includes('claude'))
+        return 'claude';
+    if (lower.includes('gpt'))
+        return 'gpt';
+    if (lower.includes('gemini'))
+        return 'gemini';
+    if (lower.includes('llama-4') || lower.includes('llama4'))
+        return 'llama-4';
+    if (lower.includes('mistral'))
+        return 'mistral';
+    if (lower.includes('kimi'))
+        return 'kimi';
+    if (lower.includes('deepseek'))
+        return 'deepseek';
+    if (lower.includes('qwen'))
+        return 'qwen';
+    return lower.split(/[/:_]/).pop()?.split('-').slice(0, 2).join('-') || 'unknown';
+}
+function countryFromRegion(region) {
+    const lower = region.toLowerCase();
+    if (lower.startsWith('us') || lower.includes('eastus') || lower.includes('westus'))
+        return 'US';
+    if (lower.startsWith('eu') || lower.includes('europe') || lower.includes('france') || lower.includes('switzerland'))
+        return 'EU';
+    if (lower.startsWith('uk'))
+        return 'UK';
+    if (lower.startsWith('ca'))
+        return 'CA';
+    if (lower.startsWith('cn'))
+        return 'CN';
+    if (lower.startsWith('ap-northeast') || lower.includes('tokyo') || lower.includes('japan'))
+        return 'JP';
+    if (lower.startsWith('ap-southeast-2') || lower.includes('australia'))
+        return 'AU';
+    return 'unknown';
+}
+//# sourceMappingURL=provider-registry.js.map

package/dist/middleware/provider-registry.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"provider-registry.js","sourceRoot":"","sources":["../../src/middleware/provider-registry.ts"],"names":[],"mappings":";;;AA0LA,oDAEC;AAED,gDAoBC;AAED,gDAUC;AAED,oCAQC;AAED,0CAcC;AAhNY,QAAA,iBAAiB,GAAsC;IAClE,kBAAkB,EAAE;QAClB,QAAQ,EAAE,WAAW;QACrB,sBAAsB,EAAE,IAAI;QAC5B,uBAAuB,EAAE,CAAC,IAAI,CAAC;QAC/B,QAAQ,EAAE,6DAA6D;QACvE,cAAc,EAAE,IAAI;QACpB,aAAa,EAAE,IAAI;QACnB,sBAAsB,EAAE,CAAC;KAC1B;IACD,aAAa,EAAE;QACb,QAAQ,EAAE,WAAW;QACrB,sBAAsB,EAAE,IAAI;QAC5B,uBAAuB,EAAE,CAAC,WAAW,EAAE,WAAW,EAAE,WAAW,EAAE,WAAW,EAAE,cAAc,EAAE,gBAAgB,CAAC;QAC/G,QAAQ,EAAE,6CAA6C;QACvD,cAAc,EAAE,IAAI;QACpB,aAAa,EAAE,IAAI;QACnB,sBAAsB,EAAE,CAAC;KAC1B;IACD,cAAc,EAAE;QACd,QAAQ,EAAE,QAAQ;QAClB,sBAAsB,EAAE,IAAI;QAC5B,uBAAuB,EAAE,CAAC,QAAQ,EAAE,QAAQ,EAAE,YAAY,EAAE,eAAe,EAAE,kBAAkB,CAAC;QAChG,QAAQ,EAAE,6BAA6B;QACvC,cAAc,EAAE,IAAI;QACpB,aAAa,EAAE,IAAI;QACnB,sBAAsB,EAAE,CAAC;KAC1B;IACD,eAAe,EAAE;QACf,QAAQ,EAAE,QAAQ;QAClB,sBAAsB,EAAE,IAAI;QAC5B,uBAAuB,EAAE,CAAC,IAAI,CAAC;QAC/B,QAAQ,EAAE,uDAAuD;QACjE,cAAc,EAAE,IAAI;QACpB,aAAa,EAAE,IAAI;QACnB,sBAAsB,EAAE,EAAE;KAC3B;IACD,WAAW,EAAE;QACX,QAAQ,EAAE,QAAQ;QAClB,sBAAsB,EAAE,IAAI;QAC5B,uBAAuB,EAAE,CAAC,aAAa,EAAE,UAAU,EAAE,cAAc,EAAE,cAAc,EAAE,iBAAiB,CAAC;QACvG,QAAQ,EAAE,kBAAkB;QAC5B,cAAc,EAAE,IAAI;QACpB,aAAa,EAAE,IAAI;QACnB,sBAAsB,EAAE,CAAC;KAC1B;IACD,SAAS,EAAE;QACT,QAAQ,EAAE,WAAW;QACrB,sBAAsB,EAAE,SAAS;QACjC,uBAAuB,EAAE,CAAC,IAAI,CAAC;QAC/B,QAAQ,EAAE,IAAI;QACd,cAAc,EAAE,KAAK;QACrB,aAAa,EAAE,KAAK;QACpB,sBAAsB,EAAE,EAAE;KAC3B;IACD,OAAO,EAAE;QACP,QAAQ,EAAE,SAAS;QACnB,sBAAsB,EAAE,SAAS;QACjC,uBAAuB,EAAE,CAAC,IAAI,CAAC;QAC/B,QAAQ,EAAE,IAAI;QACd,cAAc,EAAE,KAAK;QACrB,aAAa,EAAE,KAAK;QACpB,sBAAsB,EAAE,EAAE;KAC3B;IACD,QAAQ,EAAE;QACR,QAAQ,EAAE,UAAU;QACpB,sBAAsB,EAAE,SAAS;QACjC,uBAAuB,EAAE,CAAC,IAAI,CAAC;QAC/B,QAAQ,EAAE,IAAI;QACd,cAAc,EAAE,KAAK;QACrB,aAAa,EAAE,KAAK;QACpB,sBAAsB,EAAE,EAAE;KAC3B;IACD,iBAAiB,EAAE;QACjB,QAAQ,EAAE,UAAU;QACpB,sBAAsB,EAAE,IAAI;QAC5B,uBAAuB,EAAE,CAAC,IAAI,CAAC;QAC/B,QAAQ,EAAE,IAAI;QACd,cAAc,EAAE,KAAK;QACrB,aAAa,EAAE,KAAK;QACpB,sBAAsB,EAAE,EAAE;QAC1B,cAAc,EAAE,IAAI;KACrB;IACD,iBAAiB,EAAE;QACjB,QAAQ,EAAE,UAAU;QACpB,sBAAsB,EAAE,IAAI;QAC5B,uBAAuB,EAAE,CAAC,IAAI,CAAC;QAC/B,QAAQ,EAAE,IAAI;QACd,cAAc,EAAE,KAAK;QACrB,aAAa,EAAE,KAAK;QACpB,sBAAsB,EAAE,EAAE;QAC1B,cAAc,EAAE,IAAI;KACrB;IACD,gBAAgB,EAAE;QAChB,QAAQ,EAAE,SAAS;QACnB,sBAAsB,EAAE,IAAI;QAC5B,uBAAuB,EAAE,CAAC,IAAI,CAAC;QAC/B,QAAQ,EAAE,IAAI;QACd,cAAc,EAAE,KAAK;QACrB,aAAa,EAAE,KAAK;QACpB,sBAAsB,EAAE,EAAE;QAC1B,cAAc,EAAE,IAAI;KACrB;IACD,oBAAoB,EAAE;QACpB,QAAQ,EAAE,SAAS;QACnB,sBAAsB,EAAE,IAAI;QAC5B,uBAAuB,EAAE,CAAC,IAAI,CAAC;QAC/B,QAAQ,EAAE,IAAI;QACd,cAAc,EAAE,KAAK;QACrB,aAAa,EAAE,KAAK;QACpB,sBAAsB,EAAE,EAAE;QAC1B,cAAc,EAAE,IAAI;KACrB;IACD,sBAAsB,EAAE;QACtB,QAAQ,EAAE,UAAU;QACpB,sBAAsB,EAAE,IAAI;QAC5B,uBAAuB,EAAE,CAAC,IAAI,CAAC;QAC/B,QAAQ,EAAE,IAAI;QACd,cAAc,EAAE,KAAK;QACrB,aAAa,EAAE,KAAK;QACpB,sBAAsB,EAAE,EAAE;QAC1B,cAAc,EAAE,IAAI;KACrB;IACD,kBAAkB,EAAE;QAClB,QAAQ,EAAE,UAAU;QACpB,sBAAsB,EAAE,IAAI;QAC5B,uBAAuB,EAAE,CAAC,IAAI,CAAC;QAC/B,QAAQ,EAAE,IAAI;QACd,cAAc,EAAE,KAAK;QACrB,aAAa,EAAE,KAAK;QACpB,sBAAsB,EAAE,EAAE;QAC1B,cAAc,EAAE,IAAI;KACrB;IACD,aAAa,EAAE;QACb,QAAQ,EAAE,aAAa;QACvB,sBAAsB,EAAE,SAAS;QACjC,uBAAuB,EAAE,CAAC,aAAa,CAAC;QACxC,QAAQ,EAAE,IAAI;QACd,cAAc,EAAE,KAAK;QACrB,aAAa,EAAE,IAAI;QACnB,sBAAsB,EAAE,CAAC;KAC1B;CACF,CAAC;AAEF,MAAM,uBAAuB,GAAG,CAAC,OAAO,EAAE,WAAW,EAAE,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,EAAE,WAAW,CAAC,CAAC;AAE9G,SAAgB,oBAAoB,CAAC,KAAa;IAChD,OAAO,uBAAuB,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;AACxE,CAAC;AAED,SAAgB,kBAAkB,CAAC,GAA4B;IAC7D,MAAM,KAAK,GAAG,MAAM,CAAC,GAAG,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;IACpD,MAAM,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC,GAAG,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;IAChD,IAAI,CAAC,GAAG,CAAC,aAAa,KAAK,SAAS,IAAI,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,IAAI,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,oBAAoB,CAAC;IACpH,IAAI,CAAC,GAAG,CAAC,aAAa,KAAK,UAAU,IAAI,GAAG,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,IAAI,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,sBAAsB,CAAC;IAC5H,IAAI,CAAC,GAAG,CAAC,aAAa,KAAK,UAAU,IAAI,GAAG,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,IAAI,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,kBAAkB,CAAC;IACpH,IAAI,GAAG,CAAC,aAAa,IAAI,yBAAiB,CAAC,GAAG,CAAC,aAAa,CAAC;QAAE,OAAO,GAAG,CAAC,aAAa,CAAC;IACxF,IAAI,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,GAAG,CAAC,QAAQ,KAAK,SAAS;QAAE,OAAO,aAAa,CAAC;IAChF,IAAI,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,GAAG,CAAC,QAAQ,KAAK,WAAW;QAAE,OAAO,kBAAkB,CAAC;IACzF,IAAI,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,cAAc,CAAC;QAAE,OAAO,cAAc,CAAC;IACjF,IAAI,GAAG,CAAC,QAAQ,CAAC,uBAAuB,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAAE,OAAO,WAAW,CAAC;IACxF,IAAI,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,GAAG,CAAC,aAAa,KAAK,WAAW;QAAE,OAAO,WAAW,CAAC;IACvF,IAAI,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,GAAG,CAAC,aAAa,KAAK,SAAS;QAAE,OAAO,SAAS,CAAC;IACjF,IAAI,GAAG,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,GAAG,CAAC,aAAa,KAAK,UAAU;QAAE,OAAO,UAAU,CAAC;IACpF,IAAI,GAAG,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,iBAAiB,CAAC;IAC7E,IAAI,GAAG,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,iBAAiB,CAAC;IACjF,IAAI,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,gBAAgB,CAAC;IACxG,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ;QAAE,OAAO,eAAe,CAAC;IACtD,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ;QAAE,OAAO,WAAW,CAAC;IAClD,OAAO,aAAa,CAAC;AACvB,CAAC;AAED,SAAgB,kBAAkB,CAAC,KAAa,EAAE,KAAa;IAC7D,MAAM,IAAI,GAAG,yBAAiB,CAAC,KAAK,CAAC,IAAI,yBAAiB,CAAC,aAAa,CAAC,CAAC;IAC1E,MAAM,OAAO,GAAG,KAAK,IAAI,SAAS,CAAC;IACnC,OAAO;QACL,QAAQ,EAAE,aAAa,CAAC,OAAO,EAAE,IAAI,CAAC,QAAQ,CAAC;QAC/C,QAAQ,EAAE,OAAO;QACjB,aAAa,EAAE,YAAY,CAAC,OAAO,CAAC;QACpC,YAAY,EAAE,WAAW,CAAC,OAAO,CAAC;QAClC,sBAAsB,EAAE,oBAAoB,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,cAAc,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,sBAAsB;KAClH,CAAC;AACJ,CAAC;AAED,SAAgB,YAAY,CAAC,KAAa,EAAE,SAAiC,EAAE;IAC7E,MAAM,IAAI,GAAG,yBAAiB,CAAC,KAAK,CAAC,IAAI,yBAAiB,CAAC,aAAa,CAAC,CAAC;IAC1E,MAAM,MAAM,GAAG,MAAM,CAAC,kBAAkB,IAAI,IAAI,CAAC,uBAAuB,CAAC,CAAC,CAAC,IAAI,SAAS,CAAC;IACzF,OAAO;QACL,cAAc,EAAE,KAAK;QACrB,oBAAoB,EAAE,MAAM,CAAC,mBAAmB,IAAI,iBAAiB,CAAC,MAAM,CAAC;QAC7E,mBAAmB,EAAE,MAAM;KAC5B,CAAC;AACJ,CAAC;AAED,SAAgB,eAAe,CAAC,KAAa,EAAE,KAAoB,EAAE,SAAiC,EAAE;IACtG,MAAM,IAAI,GAAG,yBAAiB,CAAC,KAAK,CAAC,IAAI,yBAAiB,CAAC,aAAa,CAAC,CAAC;IAC1E,MAAM,SAAS,GAAG,MAAM,CAAC,iBAAiB,KAAK,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC,CAAC,IAAI,CAAC,sBAAsB,CAAC;IAClH,OAAO;QACL,YAAY,EAAE,MAAM,CAAC,UAAU,IAAI,KAAK;QACxC,UAAU,EAAE,MAAM,CAAC,SAAS,IAAI,IAAI,CAAC,QAAQ;QAC7C,cAAc,EAAE,IAAI,CAAC,cAAc;QACnC,mBAAmB,EAAE,SAAS;QAC9B,uBAAuB,EAAE,MAAM,CAAC,qBAAqB,IAAI,KAAK;QAC9D,0BAA0B,EAAE,KAAK,CAAC,sBAAsB,KAAK,IAAI,IAAI,IAAI,CAAC,cAAc,KAAK,IAAI;QACjG,iCAAiC,EAAE,MAAM,CAAC,6BAA6B,IAAI,IAAI;QAC/E,iBAAiB,EAAE,MAAM,CAAC,gBAAgB,IAAI,kBAAkB;QAChE,wBAAwB,EAAE,MAAM,CAAC,gBAAgB,KAAK,oBAAoB,CAAC,CAAC,CAAC,MAAM,CAAC,sBAAsB,IAAI,IAAI,CAAC,CAAC,CAAC,IAAI;KAC1H,CAAC;AACJ,CAAC;AAED,SAAS,aAAa,CAAC,KAAa,EAAE,QAA4B;IAChE,MAAM,KAAK,GAAG,KAAK,CAAC,WAAW,EAAE,CAAC;IAClC,IAAI,KAAK,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAAE,OAAO,WAAW,CAAC;IACjD,IAAI,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAAE,OAAO,QAAQ,CAAC;IACvE,IAAI,KAAK,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAAE,OAAO,QAAQ,CAAC;IAC9C,IAAI,KAAK,CAAC,QAAQ,CAAC,SAAS,CAAC;QAAE,OAAO,SAAS,CAAC;IAChD,IAAI,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC;QAAE,OAAO,MAAM,CAAC;IAC3C,IAAI,KAAK,CAAC,QAAQ,CAAC,SAAS,CAAC;QAAE,OAAO,QAAQ,CAAC;IAC/C,IAAI,KAAK,CAAC,QAAQ,CAAC,UAAU,CAAC;QAAE,OAAO,UAAU,CAAC;IAClD,IAAI,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,UAAU,CAAC;QAAE,OAAO,UAAU,CAAC;IAC5E,IAAI,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC;QAAE,OAAO,SAAS,CAAC;IAC5H,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,YAAY,CAAC,KAAa;IACjC,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,qCAAqC,CAAC,CAAC;IACjE,OAAO,KAAK,EAAE,CAAC,CAAC,CAAC,IAAI,SAAS,CAAC;AACjC,CAAC;AAED,SAAS,WAAW,CAAC,KAAa;IAChC,MAAM,KAAK,GAAG,KAAK,CAAC,WAAW,EAAE,CAAC;IAClC,IAAI,KAAK,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAAE,OAAO,QAAQ,CAAC;IAC9C,IAAI,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACxC,IAAI,KAAK,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAAE,OAAO,QAAQ,CAAC;IAC9C,IAAI,KAAK,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAAE,OAAO,SAAS,CAAC;IAC5E,IAAI,KAAK,CAAC,QAAQ,CAAC,SAAS,CAAC;QAAE,OAAO,SAAS,CAAC;IAChD,IAAI,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC;QAAE,OAAO,MAAM,CAAC;IAC1C,IAAI,KAAK,CAAC,QAAQ,CAAC,UAAU,CAAC;QAAE,OAAO,UAAU,CAAC;IAClD,IAAI,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC;QAAE,OAAO,MAAM,CAAC;IAC1C,OAAO,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,GAAG,EAAE,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,SAAS,CAAC;AACnF,CAAC;AAED,SAAS,iBAAiB,CAAC,MAAc;IACvC,MAAM,KAAK,GAAG,MAAM,CAAC,WAAW,EAAE,CAAC;IACnC,IAAI,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAAE,OAAO,IAAI,CAAC;IAChG,IAAI,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,aAAa,CAAC;QAAE,OAAO,IAAI,CAAC;IACjI,IAAI,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IACxC,IAAI,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IACxC,IAAI,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IACxC,IAAI,KAAK,CAAC,UAAU,CAAC,cAAc,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAC;IACxG,IAAI,KAAK,CAAC,UAAU,CAAC,gBAAgB,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,WAAW,CAAC;QAAE,OAAO,IAAI,CAAC;IACnF,OAAO,SAAS,CAAC;AACnB,CAAC"}

package/dist/openrouter/key-fetch.d.ts

@@ -0,0 +1,28 @@
+/**
+ * AgentGuard(TM) Spend: server-runtime OpenRouter managed-key fetcher.
+ *
+ * This never proxies inference traffic. It fetches a short-lived managed key
+ * for Pro tiers, then the customer's server runtime calls OpenRouter directly.
+ */
+export interface ManagedOpenRouterKey {
+    key: string;
+    expiresAtMs: number;
+    tier?: string;
+    inferenceBilling?: 'agentguard_managed' | 'customer_managed';
+}
+export interface ManagedOpenRouterKeyOptions {
+    endpointBaseUrl?: string;
+    nowMs?: number;
+    home?: string;
+    machineFingerprint?: string;
+    processId?: string;
+    runtime?: 'server' | 'browser';
+    getJson?: (url: string, headers: Record<string, string>) => Promise<{
+        status: number;
+        body: unknown;
+    }>;
+}
+export declare function fetchManagedOpenRouterKey(licenseKey: string | null | undefined, opts?: ManagedOpenRouterKeyOptions): Promise<ManagedOpenRouterKey | null>;
+export declare function clearManagedOpenRouterKeyCache(): void;
+export declare function isOpenRouterHost(urlOrHost: string | undefined | null, configuredBaseUrl?: string): boolean;
+//# sourceMappingURL=key-fetch.d.ts.map

package/dist/openrouter/key-fetch.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"key-fetch.d.ts","sourceRoot":"","sources":["../../src/openrouter/key-fetch.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAMH,MAAM,WAAW,oBAAoB;IACnC,GAAG,EAAE,MAAM,CAAC;IACZ,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,gBAAgB,CAAC,EAAE,oBAAoB,GAAG,kBAAkB,CAAC;CAC9D;AAED,MAAM,WAAW,2BAA2B;IAC1C,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,OAAO,CAAC,EAAE,QAAQ,GAAG,SAAS,CAAC;IAC/B,OAAO,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,OAAO,CAAC;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,OAAO,CAAA;KAAE,CAAC,CAAC;CACxG;AAMD,wBAAsB,yBAAyB,CAC7C,UAAU,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,EACrC,IAAI,GAAE,2BAAgC,GACrC,OAAO,CAAC,oBAAoB,GAAG,IAAI,CAAC,CAkCtC;AAED,wBAAgB,8BAA8B,IAAI,IAAI,CAErD;AAED,wBAAgB,gBAAgB,CAAC,SAAS,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,EAAE,iBAAiB,CAAC,EAAE,MAAM,GAAG,OAAO,CAM1G"}

package/dist/openrouter/key-fetch.js

@@ -0,0 +1,146 @@
+"use strict";
+/**
+ * AgentGuard(TM) Spend: server-runtime OpenRouter managed-key fetcher.
+ *
+ * This never proxies inference traffic. It fetches a short-lived managed key
+ * for Pro tiers, then the customer's server runtime calls OpenRouter directly.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.fetchManagedOpenRouterKey = fetchManagedOpenRouterKey;
+exports.clearManagedOpenRouterKeyCache = clearManagedOpenRouterKeyCache;
+exports.isOpenRouterHost = isOpenRouterHost;
+const http = __importStar(require("http"));
+const https = __importStar(require("https"));
+const license_1 = require("../license");
+const DEFAULT_ENDPOINT = 'https://agentguard.run';
+const DEFAULT_TTL_MS = 15 * 60 * 1000;
+const cache = new Map();
+async function fetchManagedOpenRouterKey(licenseKey, opts = {}) {
+    const key = licenseKey?.trim();
+    if (!key)
+        return null;
+    if (opts.runtime === 'browser' || isBrowserRuntime())
+        return null;
+    const now = opts.nowMs ?? Date.now();
+    const cached = cache.get(key);
+    if (cached && cached.expiresAtMs > now)
+        return cached;
+    const base = (opts.endpointBaseUrl || process.env.AGENTGUARD_LICENSE_ENDPOINT || DEFAULT_ENDPOINT).replace(/\/$/, '');
+    const machineFingerprint = opts.machineFingerprint || (0, license_1.anonymousMachineFingerprint)(opts.home);
+    const processId = opts.processId || (0, license_1.processUuid)(opts.home);
+    const headers = {
+        authorization: `Bearer ${key}`,
+        'x-agentguard-runtime': 'server',
+        'x-agentguard-machine-fingerprint': machineFingerprint,
+        'x-agentguard-process-id': processId,
+        'user-agent': 'agentguard-spend/managed-openrouter-key',
+    };
+    const result = await (opts.getJson ?? getJson)(`${base}/api/tenant/openrouter-key`, headers);
+    if (result.status === 404)
+        return null;
+    if (result.status >= 400)
+        throw new Error(`managed OpenRouter key fetch failed: ${result.status}`);
+    const body = result.body && typeof result.body === 'object' ? result.body : {};
+    if (typeof body.key !== 'string' || !body.key)
+        return null;
+    const ttlSeconds = typeof body.expires_in_seconds === 'number' && Number.isFinite(body.expires_in_seconds)
+        ? Math.max(30, Math.min(900, body.expires_in_seconds))
+        : 900;
+    const value = {
+        key: body.key,
+        expiresAtMs: now + Math.min(DEFAULT_TTL_MS, ttlSeconds * 1000),
+        tier: typeof body.tier === 'string' ? body.tier : undefined,
+        inferenceBilling: body.inference_billing === 'agentguard_managed' ? 'agentguard_managed' : undefined,
+    };
+    cache.set(key, value);
+    return value;
+}
+function clearManagedOpenRouterKeyCache() {
+    cache.clear();
+}
+function isOpenRouterHost(urlOrHost, configuredBaseUrl) {
+    const configuredHost = hostOf(configuredBaseUrl);
+    const host = hostOf(urlOrHost) || String(urlOrHost || '').toLowerCase();
+    if (!host)
+        return false;
+    if (configuredHost && host === configuredHost)
+        return true;
+    return host === 'openrouter.ai' || host === 'www.openrouter.ai';
+}
+function hostOf(value) {
+    if (!value)
+        return null;
+    try {
+        if (/^https?:\/\//i.test(value))
+            return new URL(value).hostname.toLowerCase();
+        return new URL(`https://${value}`).hostname.toLowerCase();
+    }
+    catch {
+        return null;
+    }
+}
+function isBrowserRuntime() {
+    return typeof globalThis === 'object'
+        && typeof globalThis.window !== 'undefined'
+        && typeof process === 'undefined';
+}
+function getJson(url, headers) {
+    if (url.startsWith('mock://'))
+        return Promise.resolve({ status: 404, body: {} });
+    return new Promise((resolve, reject) => {
+        const parsed = new URL(url);
+        const client = parsed.protocol === 'http:' ? http : https;
+        const req = client.request({ method: 'GET', hostname: parsed.hostname, port: parsed.port, path: parsed.pathname + parsed.search, headers, timeout: 5000 }, (res) => {
+            const chunks = [];
+            res.on('data', (chunk) => chunks.push(chunk));
+            res.on('end', () => {
+                const text = Buffer.concat(chunks).toString('utf8');
+                let body = {};
+                try {
+                    body = text ? JSON.parse(text) : {};
+                }
+                catch {
+                    body = {};
+                }
+                resolve({ status: res.statusCode ?? 0, body });
+            });
+        });
+        req.on('error', reject);
+        req.on('timeout', () => req.destroy(new Error('managed OpenRouter key endpoint timed out')));
+        req.end();
+    });
+}
+//# sourceMappingURL=key-fetch.js.map

package/dist/openrouter/key-fetch.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"key-fetch.js","sourceRoot":"","sources":["../../src/openrouter/key-fetch.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA2BH,8DAqCC;AAED,wEAEC;AAED,4CAMC;AA1ED,2CAA6B;AAC7B,6CAA+B;AAC/B,wCAAsE;AAmBtE,MAAM,gBAAgB,GAAG,wBAAwB,CAAC;AAClD,MAAM,cAAc,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;AACtC,MAAM,KAAK,GAAG,IAAI,GAAG,EAAgC,CAAC;AAE/C,KAAK,UAAU,yBAAyB,CAC7C,UAAqC,EACrC,OAAoC,EAAE;IAEtC,MAAM,GAAG,GAAG,UAAU,EAAE,IAAI,EAAE,CAAC;IAC/B,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IACtB,IAAI,IAAI,CAAC,OAAO,KAAK,SAAS,IAAI,gBAAgB,EAAE;QAAE,OAAO,IAAI,CAAC;IAClE,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,GAAG,EAAE,CAAC;IACrC,MAAM,MAAM,GAAG,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAC9B,IAAI,MAAM,IAAI,MAAM,CAAC,WAAW,GAAG,GAAG;QAAE,OAAO,MAAM,CAAC;IAEtD,MAAM,IAAI,GAAG,CAAC,IAAI,CAAC,eAAe,IAAI,OAAO,CAAC,GAAG,CAAC,2BAA2B,IAAI,gBAAgB,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IACtH,MAAM,kBAAkB,GAAG,IAAI,CAAC,kBAAkB,IAAI,IAAA,qCAA2B,EAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC7F,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,IAAA,qBAAW,EAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC3D,MAAM,OAAO,GAAG;QACd,aAAa,EAAE,UAAU,GAAG,EAAE;QAC9B,sBAAsB,EAAE,QAAQ;QAChC,kCAAkC,EAAE,kBAAkB;QACtD,yBAAyB,EAAE,SAAS;QACpC,YAAY,EAAE,yCAAyC;KACxD,CAAC;IACF,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,CAAC,GAAG,IAAI,4BAA4B,EAAE,OAAO,CAAC,CAAC;IAC7F,IAAI,MAAM,CAAC,MAAM,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC;IACvC,IAAI,MAAM,CAAC,MAAM,IAAI,GAAG;QAAE,MAAM,IAAI,KAAK,CAAC,wCAAwC,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;IACnG,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,IAAI,OAAO,MAAM,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,IAA+B,CAAC,CAAC,CAAC,EAAE,CAAC;IAC1G,IAAI,OAAO,IAAI,CAAC,GAAG,KAAK,QAAQ,IAAI,CAAC,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IAC3D,MAAM,UAAU,GAAG,OAAO,IAAI,CAAC,kBAAkB,KAAK,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,kBAAkB,CAAC;QACxG,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,kBAAkB,CAAC,CAAC;QACtD,CAAC,CAAC,GAAG,CAAC;IACR,MAAM,KAAK,GAAyB;QAClC,GAAG,EAAE,IAAI,CAAC,GAAG;QACb,WAAW,EAAE,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,cAAc,EAAE,UAAU,GAAG,IAAI,CAAC;QAC9D,IAAI,EAAE,OAAO,IAAI,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS;QAC3D,gBAAgB,EAAE,IAAI,CAAC,iBAAiB,KAAK,oBAAoB,CAAC,CAAC,CAAC,oBAAoB,CAAC,CAAC,CAAC,SAAS;KACrG,CAAC;IACF,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;IACtB,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAgB,8BAA8B;IAC5C,KAAK,CAAC,KAAK,EAAE,CAAC;AAChB,CAAC;AAED,SAAgB,gBAAgB,CAAC,SAAoC,EAAE,iBAA0B;IAC/F,MAAM,cAAc,GAAG,MAAM,CAAC,iBAAiB,CAAC,CAAC;IACjD,MAAM,IAAI,GAAG,MAAM,CAAC,SAAS,CAAC,IAAI,MAAM,CAAC,SAAS,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;IACxE,IAAI,CAAC,IAAI;QAAE,OAAO,KAAK,CAAC;IACxB,IAAI,cAAc,IAAI,IAAI,KAAK,cAAc;QAAE,OAAO,IAAI,CAAC;IAC3D,OAAO,IAAI,KAAK,eAAe,IAAI,IAAI,KAAK,mBAAmB,CAAC;AAClE,CAAC;AAED,SAAS,MAAM,CAAC,KAAgC;IAC9C,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IACxB,IAAI,CAAC;QACH,IAAI,eAAe,CAAC,IAAI,CAAC,KAAK,CAAC;YAAE,OAAO,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;QAC9E,OAAO,IAAI,GAAG,CAAC,WAAW,KAAK,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;IAC5D,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,gBAAgB;IACvB,OAAO,OAAO,UAAU,KAAK,QAAQ;WAChC,OAAQ,UAAmC,CAAC,MAAM,KAAK,WAAW;WAClE,OAAO,OAAO,KAAK,WAAW,CAAC;AACtC,CAAC;AAED,SAAS,OAAO,CAAC,GAAW,EAAE,OAA+B;IAC3D,IAAI,GAAG,CAAC,UAAU,CAAC,SAAS,CAAC;QAAE,OAAO,OAAO,CAAC,OAAO,CAAC,EAAE,MAAM,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC;IACjF,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;QAC5B,MAAM,MAAM,GAAG,MAAM,CAAC,QAAQ,KAAK,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC;QAC1D,MAAM,GAAG,GAAG,MAAM,CAAC,OAAO,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,MAAM,CAAC,QAAQ,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,EAAE,CAAC,GAAG,EAAE,EAAE;YACjK,MAAM,MAAM,GAAa,EAAE,CAAC;YAC5B,GAAG,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;YACtD,GAAG,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE;gBACjB,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;gBACpD,IAAI,IAAI,GAAY,EAAE,CAAC;gBACvB,IAAI,CAAC;oBAAC,IAAI,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;gBAAC,CAAC;gBAAC,MAAM,CAAC;oBAAC,IAAI,GAAG,EAAE,CAAC;gBAAC,CAAC;gBACjE,OAAO,CAAC,EAAE,MAAM,EAAE,GAAG,CAAC,UAAU,IAAI,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC;YACjD,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QACH,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QACxB,GAAG,CAAC,EAAE,CAAC,SAAS,EAAE,GAAG,EAAE,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC,CAAC,CAAC;QAC7F,GAAG,CAAC,GAAG,EAAE,CAAC;IACZ,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/posture/enforce.d.ts

@@ -0,0 +1,19 @@
+import type { ProvenanceBlock } from '../receipts/schema';
+export type GovernancePosture = 'velocity' | 'standard' | 'compliance';
+export interface ComplianceEnforcementConfig {
+    posture?: GovernancePosture;
+    foreignOriginConsentReceiptId?: string | null;
+    consentEndpointBaseUrl?: string;
+    consentGetJson?: (url: string) => Promise<unknown>;
+}
+export declare class AgentGuardComplianceError extends Error {
+    code: string;
+    constructor(message: string);
+}
+export declare class AgentGuardConsentRequiredError extends Error {
+    code: string;
+    constructor(message: string);
+}
+export declare function enforceCompliance(provenance: ProvenanceBlock, config?: ComplianceEnforcementConfig): Promise<void>;
+export declare function verifyConsentReceipt(consentId: string, config?: ComplianceEnforcementConfig): Promise<boolean>;
+//# sourceMappingURL=enforce.d.ts.map

package/dist/posture/enforce.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"enforce.d.ts","sourceRoot":"","sources":["../../src/posture/enforce.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AAE1D,MAAM,MAAM,iBAAiB,GAAG,UAAU,GAAG,UAAU,GAAG,YAAY,CAAC;AAEvE,MAAM,WAAW,2BAA2B;IAC1C,OAAO,CAAC,EAAE,iBAAiB,CAAC;IAC5B,6BAA6B,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9C,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,cAAc,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC;CACpD;AAED,qBAAa,yBAA0B,SAAQ,KAAK;IAClD,IAAI,SAAiC;gBACzB,OAAO,EAAE,MAAM;CAI5B;AAED,qBAAa,8BAA+B,SAAQ,KAAK;IACvD,IAAI,SAAiC;gBACzB,OAAO,EAAE,MAAM;CAI5B;AAID,wBAAsB,iBAAiB,CACrC,UAAU,EAAE,eAAe,EAC3B,MAAM,GAAE,2BAAgC,GACvC,OAAO,CAAC,IAAI,CAAC,CAmBf;AAED,wBAAsB,oBAAoB,CACxC,SAAS,EAAE,MAAM,EACjB,MAAM,GAAE,2BAAgC,GACvC,OAAO,CAAC,OAAO,CAAC,CAKlB"}

package/dist/posture/enforce.js

@@ -0,0 +1,109 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AgentGuardConsentRequiredError = exports.AgentGuardComplianceError = void 0;
+exports.enforceCompliance = enforceCompliance;
+exports.verifyConsentReceipt = verifyConsentReceipt;
+const http = __importStar(require("http"));
+const https = __importStar(require("https"));
+class AgentGuardComplianceError extends Error {
+    code = 'AGENTGUARD_COMPLIANCE_BLOCK';
+    constructor(message) {
+        super(message);
+        this.name = 'AgentGuardComplianceError';
+    }
+}
+exports.AgentGuardComplianceError = AgentGuardComplianceError;
+class AgentGuardConsentRequiredError extends Error {
+    code = 'AGENTGUARD_CONSENT_REQUIRED';
+    constructor(message) {
+        super(message);
+        this.name = 'AgentGuardConsentRequiredError';
+    }
+}
+exports.AgentGuardConsentRequiredError = AgentGuardConsentRequiredError;
+const DEFAULT_CONSENT_BASE_URL = 'https://agentguard.run';
+async function enforceCompliance(provenance, config = {}) {
+    if (!provenance.compliance.foreign_origin_weight_flag)
+        return;
+    const posture = config.posture ?? 'standard';
+    if (posture === 'compliance') {
+        throw new AgentGuardComplianceError('Foreign origin weights are blocked in compliance posture. Set posture to standard and provide foreign_origin_consent_receipt_id to use this model.');
+    }
+    if (posture !== 'standard')
+        return;
+    const consentId = config.foreignOriginConsentReceiptId || provenance.compliance.foreign_origin_consent_receipt_id;
+    if (!consentId) {
+        throw new AgentGuardConsentRequiredError('This call uses foreign origin weights. Generate a consent receipt at https://agentguard.run/dashboard/consent/foreign-origin-weights before using this model.');
+    }
+    const verified = await verifyConsentReceipt(consentId, config);
+    if (!verified) {
+        throw new AgentGuardConsentRequiredError(`Foreign origin consent receipt ${consentId} is invalid or expired.`);
+    }
+}
+async function verifyConsentReceipt(consentId, config = {}) {
+    if (!/^ag_consent_[A-Za-z0-9_-]+$/.test(consentId))
+        return false;
+    const base = (config.consentEndpointBaseUrl || DEFAULT_CONSENT_BASE_URL).replace(/\/$/, '');
+    const raw = await (config.consentGetJson ?? getJson)(`${base}/api/consent/verify/${encodeURIComponent(consentId)}`);
+    return Boolean(raw && typeof raw === 'object' && raw.valid === true);
+}
+function getJson(url) {
+    if (url.startsWith('mock://'))
+        return Promise.resolve({ valid: true });
+    return new Promise((resolve, reject) => {
+        const parsed = new URL(url);
+        const client = parsed.protocol === 'http:' ? http : https;
+        const req = client.request({ method: 'GET', hostname: parsed.hostname, port: parsed.port, path: parsed.pathname + parsed.search, timeout: 5000 }, (res) => {
+            const chunks = [];
+            res.on('data', (chunk) => chunks.push(chunk));
+            res.on('end', () => {
+                const text = Buffer.concat(chunks).toString('utf8');
+                if ((res.statusCode ?? 0) >= 400)
+                    return reject(new Error(`consent endpoint failed: ${res.statusCode}`));
+                try {
+                    resolve(text ? JSON.parse(text) : {});
+                }
+                catch {
+                    resolve({});
+                }
+            });
+        });
+        req.on('error', reject);
+        req.on('timeout', () => req.destroy(new Error('consent endpoint timed out')));
+        req.end();
+    });
+}
+//# sourceMappingURL=enforce.js.map

package/dist/posture/enforce.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"enforce.js","sourceRoot":"","sources":["../../src/posture/enforce.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA+BA,8CAsBC;AAED,oDAQC;AA/DD,2CAA6B;AAC7B,6CAA+B;AAY/B,MAAa,yBAA0B,SAAQ,KAAK;IAClD,IAAI,GAAG,6BAA6B,CAAC;IACrC,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,2BAA2B,CAAC;IAC1C,CAAC;CACF;AAND,8DAMC;AAED,MAAa,8BAA+B,SAAQ,KAAK;IACvD,IAAI,GAAG,6BAA6B,CAAC;IACrC,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,gCAAgC,CAAC;IAC/C,CAAC;CACF;AAND,wEAMC;AAED,MAAM,wBAAwB,GAAG,wBAAwB,CAAC;AAEnD,KAAK,UAAU,iBAAiB,CACrC,UAA2B,EAC3B,SAAsC,EAAE;IAExC,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,0BAA0B;QAAE,OAAO;IAC9D,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,IAAI,UAAU,CAAC;IAC7C,IAAI,OAAO,KAAK,YAAY,EAAE,CAAC;QAC7B,MAAM,IAAI,yBAAyB,CACjC,oJAAoJ,CACrJ,CAAC;IACJ,CAAC;IACD,IAAI,OAAO,KAAK,UAAU;QAAE,OAAO;IACnC,MAAM,SAAS,GAAG,MAAM,CAAC,6BAA6B,IAAI,UAAU,CAAC,UAAU,CAAC,iCAAiC,CAAC;IAClH,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,8BAA8B,CACtC,+JAA+J,CAChK,CAAC;IACJ,CAAC;IACD,MAAM,QAAQ,GAAG,MAAM,oBAAoB,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;IAC/D,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,IAAI,8BAA8B,CAAC,kCAAkC,SAAS,yBAAyB,CAAC,CAAC;IACjH,CAAC;AACH,CAAC;AAEM,KAAK,UAAU,oBAAoB,CACxC,SAAiB,EACjB,SAAsC,EAAE;IAExC,IAAI,CAAC,6BAA6B,CAAC,IAAI,CAAC,SAAS,CAAC;QAAE,OAAO,KAAK,CAAC;IACjE,MAAM,IAAI,GAAG,CAAC,MAAM,CAAC,sBAAsB,IAAI,wBAAwB,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IAC5F,MAAM,GAAG,GAAG,MAAM,CAAC,MAAM,CAAC,cAAc,IAAI,OAAO,CAAC,CAAC,GAAG,IAAI,uBAAuB,kBAAkB,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;IACpH,OAAO,OAAO,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAK,GAA2B,CAAC,KAAK,KAAK,IAAI,CAAC,CAAC;AAChG,CAAC;AAED,SAAS,OAAO,CAAC,GAAW;IAC1B,IAAI,GAAG,CAAC,UAAU,CAAC,SAAS,CAAC;QAAE,OAAO,OAAO,CAAC,OAAO,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IACvE,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;QAC5B,MAAM,MAAM,GAAG,MAAM,CAAC,QAAQ,KAAK,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC;QAC1D,MAAM,GAAG,GAAG,MAAM,CAAC,OAAO,CACxB,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,MAAM,CAAC,QAAQ,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,EACrH,CAAC,GAAG,EAAE,EAAE;YACN,MAAM,MAAM,GAAa,EAAE,CAAC;YAC5B,GAAG,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;YACtD,GAAG,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE;gBACjB,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;gBACpD,IAAI,CAAC,GAAG,CAAC,UAAU,IAAI,CAAC,CAAC,IAAI,GAAG;oBAAE,OAAO,MAAM,CAAC,IAAI,KAAK,CAAC,4BAA4B,GAAG,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC;gBACzG,IAAI,CAAC;oBAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;gBAAC,CAAC;gBAAC,MAAM,CAAC;oBAAC,OAAO,CAAC,EAAE,CAAC,CAAC;gBAAC,CAAC;YACvE,CAAC,CAAC,CAAC;QACL,CAAC,CACF,CAAC;QACF,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QACxB,GAAG,CAAC,EAAE,CAAC,SAAS,EAAE,GAAG,EAAE,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC,CAAC,CAAC;QAC9E,GAAG,CAAC,GAAG,EAAE,CAAC;IACZ,CAAC,CAAC,CAAC;AACL,CAAC"}