@agenticprimitives/tool-policy 0.1.0-alpha.2

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Agentic Trust Labs
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,50 @@
+# @agenticprimitives/tool-policy
+
+Protocol-agnostic classification, risk tiers, and exact-call policy primitives. Consumable by MCP, A2A, LangGraph, Vercel AI — any tool runtime.
+
+This package is **deliberately transport-free**: no MCP SDK, no LangChain, no Vercel imports. That's what lets a LangGraph user `pnpm add` it without buying into MCP middleware, and what lets `@agenticprimitives/mcp-runtime` use it without being the only consumer.
+
+See [`spec.md`](./spec.md) → [`specs/204-tool-policy.md`](../../specs/204-tool-policy.md).
+
+## Quick start
+
+```ts
+import { declareTool, evaluatePolicy } from '@agenticprimitives/tool-policy';
+
+const getProfileTool = declareTool(
+  { name: 'get_profile', inputSchema: { /* ... */ }, handler: /* ... */ },
+  {
+    '@sa-tool': 'delegation-verified',
+    '@sa-auth': 'session-token',
+    '@sa-validation': 'shape-check',
+    '@sa-risk-tier': 'low',
+  },
+);
+
+const decision = evaluatePolicy({
+  toolName: 'get_profile',
+  classification: getProfileTool._classification,
+  delegation,             // from @agenticprimitives/delegation
+  callerKind: 'user-session',
+});
+
+if (decision.decision === 'deny') throw new Error(decision.reason);
+if (decision.decision === 'requires-consent') /* prompt user */;
+```
+
+## Exact-call policy
+
+```ts
+import { exactCall, matchesExactCall } from '@agenticprimitives/tool-policy';
+
+const policy = exactCall(safeAddress, '0xa9059cbb', {
+  calldataHash: '0xdeadbeef...',
+  valueLimit: 0n,
+});
+
+const ok = matchesExactCall({ to, data, value }, policy);
+```
+
+## Status
+
+Pre-alpha. Spec stable.

package/dist/classification.d.ts

@@ -0,0 +1,5 @@
+import type { ToolClassification } from './types';
+export declare function declareTool<T>(def: T, classification: ToolClassification): T & {
+    _classification: ToolClassification;
+};
+//# sourceMappingURL=classification.d.ts.map

package/dist/classification.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"classification.d.ts","sourceRoot":"","sources":["../src/classification.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,SAAS,CAAC;AAElD,wBAAgB,WAAW,CAAC,CAAC,EAC3B,GAAG,EAAE,CAAC,EACN,cAAc,EAAE,kBAAkB,GACjC,CAAC,GAAG;IAAE,eAAe,EAAE,kBAAkB,CAAA;CAAE,CAI7C"}

package/dist/classification.js

@@ -0,0 +1,6 @@
+// declareTool: attach a classification at runtime so non-JSDoc consumers
+// surface the same metadata that the lint script reads from JSDoc tags.
+export function declareTool(def, classification) {
+    return Object.assign(def, { _classification: classification });
+}
+//# sourceMappingURL=classification.js.map

package/dist/classification.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"classification.js","sourceRoot":"","sources":["../src/classification.ts"],"names":[],"mappings":"AAAA,yEAAyE;AACzE,wEAAwE;AAIxE,MAAM,UAAU,WAAW,CACzB,GAAM,EACN,cAAkC;IAElC,OAAO,MAAM,CAAC,MAAM,CAAC,GAAa,EAAE,EAAE,eAAe,EAAE,cAAc,EAAE,CAEtE,CAAC;AACJ,CAAC"}

package/dist/decision.d.ts

@@ -0,0 +1,3 @@
+import type { PolicyContext, PolicyDecision } from './types';
+export declare function evaluatePolicy(ctx: PolicyContext): PolicyDecision;
+//# sourceMappingURL=decision.d.ts.map

package/dist/decision.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"decision.d.ts","sourceRoot":"","sources":["../src/decision.ts"],"names":[],"mappings":"AAeA,OAAO,KAAK,EAAE,aAAa,EAAE,cAAc,EAAsB,MAAM,SAAS,CAAC;AAsDjF,wBAAgB,cAAc,CAAC,GAAG,EAAE,aAAa,GAAG,cAAc,CA4CjE"}

package/dist/decision.js

@@ -0,0 +1,103 @@
+// evaluatePolicy — pure decision engine, no I/O, no clocks.
+// Deterministic; same context → same decision. Fail-CLOSED on any
+// unrecognised classification metadata (audit P0-1).
+//
+// Order of operations (fail-closed first):
+//   0. Classification shape: every required tag present + value in
+//      the closed enum set → reject otherwise.
+//   1. classification['@sa-auth'] === 'none' AND caller != 'service' → deny
+//   2. classification['@sa-tool'] === 'service-only' AND caller != 'service' → deny
+//   3. classification['@sa-tool'] === 'bootstrap' AND caller != 'service' → deny
+//   4. classification['@sa-tool'] === 'dev-only' → deny (env gate required)
+//   5. classification['@sa-tool'] === 'delegation-verified' AND no delegation → deny
+//   6. classification['@sa-risk-tier'] === 'critical' → requires-consent
+//   7. else → allow
+// Closed enum sets — keep in lockstep with `types.ts ToolClassification`.
+// Any value outside these sets is treated as unknown → deny. This is
+// the wire-format security boundary; loosening any of these requires
+// a coordinated change to the type, the enum here, and (likely) the
+// production preflight that audits classification coverage.
+const KNOWN_TOOL_KINDS = new Set([
+    'delegation-verified',
+    'service-only',
+    'bootstrap',
+    'dev-only',
+]);
+const KNOWN_AUTH_KINDS = new Set([
+    'session-token',
+    'service-hmac',
+    'none',
+    'none-with-csrf',
+]);
+const KNOWN_RISK_TIERS = new Set(['low', 'medium', 'high', 'critical']);
+/**
+ * Validate the *shape* of a classification. Returns null when the
+ * classification is well-formed, or a deny-reason string otherwise.
+ *
+ * Spec invariant: `@sa-tool` AND `@sa-auth` are REQUIRED; `@sa-risk-tier`
+ * is required for everything except `service-only` / `bootstrap` /
+ * `none-with-csrf` (which have no human risk dimension). Unknown values
+ * in ANY of the three tags is unrecoverable — the package can't infer
+ * an interpretation it doesn't know.
+ */
+function validateClassificationShape(cls) {
+    const tool = cls['@sa-tool'];
+    if (typeof tool !== 'string' || !KNOWN_TOOL_KINDS.has(tool)) {
+        return `classification: @sa-tool="${tool}" not in known set ${[...KNOWN_TOOL_KINDS].join('|')}`;
+    }
+    const auth = cls['@sa-auth'];
+    if (typeof auth !== 'string' || !KNOWN_AUTH_KINDS.has(auth)) {
+        return `classification: @sa-auth="${auth}" not in known set ${[...KNOWN_AUTH_KINDS].join('|')}`;
+    }
+    // Risk tier is REQUIRED for user-facing tool kinds.
+    const userFacing = tool === 'delegation-verified' || tool === 'dev-only';
+    const tier = cls['@sa-risk-tier'];
+    if (userFacing) {
+        if (typeof tier !== 'string' || !KNOWN_RISK_TIERS.has(tier)) {
+            return `classification: @sa-risk-tier="${tier}" required for tool=${tool} but not in known set ${[...KNOWN_RISK_TIERS].join('|')}`;
+        }
+    }
+    else if (tier !== undefined && !KNOWN_RISK_TIERS.has(tier)) {
+        // Set but with an unknown value → deny (no silent acceptance).
+        return `classification: @sa-risk-tier="${tier}" not in known set ${[...KNOWN_RISK_TIERS].join('|')}`;
+    }
+    return null;
+}
+export function evaluatePolicy(ctx) {
+    const cls = ctx.classification;
+    // 0. SHAPE GATE (fail-closed default). Unknown/missing classification
+    //    metadata is the most common cause of mis-configured tools
+    //    silently being accepted. Reject here before any rule fires.
+    const shapeErr = validateClassificationShape(cls);
+    if (shapeErr) {
+        return { decision: 'deny', reason: shapeErr };
+    }
+    if (cls['@sa-auth'] === 'none' && ctx.callerKind !== 'service') {
+        return { decision: 'deny', reason: 'tool is @sa-auth:none; only service callers permitted' };
+    }
+    if (cls['@sa-tool'] === 'service-only' && ctx.callerKind !== 'service') {
+        return { decision: 'deny', reason: 'tool is @sa-tool:service-only; user/agent calls rejected' };
+    }
+    if (cls['@sa-tool'] === 'bootstrap' && ctx.callerKind !== 'service') {
+        return { decision: 'deny', reason: 'tool is @sa-tool:bootstrap; only service callers permitted' };
+    }
+    if (cls['@sa-tool'] === 'dev-only') {
+        // Dev-only tools must be gated by environment; we don't read env here
+        // (purity), so we deny unless explicitly classified differently by
+        // the consumer's runtime. Consumers wanting "allow in dev" should
+        // re-declare the tool as service-only with @sa-prod-gate:disabled.
+        return { decision: 'deny', reason: 'tool is @sa-tool:dev-only; explicit env gate required' };
+    }
+    if (cls['@sa-tool'] === 'delegation-verified' && !ctx.delegation) {
+        return { decision: 'deny', reason: 'tool requires delegation but none presented' };
+    }
+    if (cls['@sa-risk-tier'] === 'critical') {
+        return {
+            decision: 'requires-consent',
+            promptId: `consent:critical:${ctx.toolName}`,
+            risk: 'critical',
+        };
+    }
+    return { decision: 'allow' };
+}
+//# sourceMappingURL=decision.js.map

package/dist/decision.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"decision.js","sourceRoot":"","sources":["../src/decision.ts"],"names":[],"mappings":"AAAA,4DAA4D;AAC5D,kEAAkE;AAClE,qDAAqD;AACrD,EAAE;AACF,2CAA2C;AAC3C,mEAAmE;AACnE,+CAA+C;AAC/C,4EAA4E;AAC5E,oFAAoF;AACpF,iFAAiF;AACjF,4EAA4E;AAC5E,qFAAqF;AACrF,yEAAyE;AACzE,oBAAoB;AAIpB,0EAA0E;AAC1E,qEAAqE;AACrE,qEAAqE;AACrE,oEAAoE;AACpE,4DAA4D;AAC5D,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC;IAC/B,qBAAqB;IACrB,cAAc;IACd,WAAW;IACX,UAAU;CACX,CAAC,CAAC;AACH,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC;IAC/B,eAAe;IACf,cAAc;IACd,MAAM;IACN,gBAAgB;CACjB,CAAC,CAAC;AACH,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC,CAAC,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,CAAC,CAAC,CAAC;AAExE;;;;;;;;;GASG;AACH,SAAS,2BAA2B,CAAC,GAAuB;IAC1D,MAAM,IAAI,GAAG,GAAG,CAAC,UAAU,CAAC,CAAC;IAC7B,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;QAC5D,OAAO,6BAA6B,IAAI,sBAAsB,CAAC,GAAG,gBAAgB,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;IAClG,CAAC;IACD,MAAM,IAAI,GAAG,GAAG,CAAC,UAAU,CAAC,CAAC;IAC7B,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;QAC5D,OAAO,6BAA6B,IAAI,sBAAsB,CAAC,GAAG,gBAAgB,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;IAClG,CAAC;IACD,oDAAoD;IACpD,MAAM,UAAU,GAAG,IAAI,KAAK,qBAAqB,IAAI,IAAI,KAAK,UAAU,CAAC;IACzE,MAAM,IAAI,GAAG,GAAG,CAAC,eAAe,CAAC,CAAC;IAClC,IAAI,UAAU,EAAE,CAAC;QACf,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;YAC5D,OAAO,kCAAkC,IAAI,uBAAuB,IAAI,yBAAyB,CAAC,GAAG,gBAAgB,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QACrI,CAAC;IACH,CAAC;SAAM,IAAI,IAAI,KAAK,SAAS,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;QAC7D,+DAA+D;QAC/D,OAAO,kCAAkC,IAAI,sBAAsB,CAAC,GAAG,gBAAgB,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;IACvG,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,GAAkB;IAC/C,MAAM,GAAG,GAAG,GAAG,CAAC,cAAc,CAAC;IAE/B,sEAAsE;IACtE,+DAA+D;IAC/D,iEAAiE;IACjE,MAAM,QAAQ,GAAG,2BAA2B,CAAC,GAAG,CAAC,CAAC;IAClD,IAAI,QAAQ,EAAE,CAAC;QACb,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC;IAChD,CAAC;IAED,IAAI,GAAG,CAAC,UAAU,CAAC,KAAK,MAAM,IAAI,GAAG,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;QAC/D,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,uDAAuD,EAAE,CAAC;IAC/F,CAAC;IAED,IAAI,GAAG,CAAC,UAAU,CAAC,KAAK,cAAc,IAAI,GAAG,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;QACvE,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,0DAA0D,EAAE,CAAC;IAClG,CAAC;IAED,IAAI,GAAG,CAAC,UAAU,CAAC,KAAK,WAAW,IAAI,GAAG,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;QACpE,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,4DAA4D,EAAE,CAAC;IACpG,CAAC;IAED,IAAI,GAAG,CAAC,UAAU,CAAC,KAAK,UAAU,EAAE,CAAC;QACnC,sEAAsE;QACtE,mEAAmE;QACnE,kEAAkE;QAClE,mEAAmE;QACnE,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,uDAAuD,EAAE,CAAC;IAC/F,CAAC;IAED,IAAI,GAAG,CAAC,UAAU,CAAC,KAAK,qBAAqB,IAAI,CAAC,GAAG,CAAC,UAAU,EAAE,CAAC;QACjE,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,6CAA6C,EAAE,CAAC;IACrF,CAAC;IAED,IAAI,GAAG,CAAC,eAAe,CAAC,KAAK,UAAU,EAAE,CAAC;QACxC,OAAO;YACL,QAAQ,EAAE,kBAAkB;YAC5B,QAAQ,EAAE,oBAAoB,GAAG,CAAC,QAAQ,EAAE;YAC5C,IAAI,EAAE,UAAU;SACjB,CAAC;IACJ,CAAC;IAED,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC;AAC/B,CAAC"}

package/dist/exact-call.d.ts

@@ -0,0 +1,12 @@
+import type { Address, Hex } from '@agenticprimitives/types';
+import type { ExactCallPolicy } from './types';
+export declare function exactCall(target: Address, selector: Hex, opts?: {
+    calldataHash?: Hex;
+    valueLimit?: bigint;
+}): ExactCallPolicy;
+export declare function matchesExactCall(call: {
+    to: Address;
+    data: Hex;
+    value: bigint;
+}, policy: ExactCallPolicy): boolean;
+//# sourceMappingURL=exact-call.d.ts.map

package/dist/exact-call.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"exact-call.d.ts","sourceRoot":"","sources":["../src/exact-call.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAE,OAAO,EAAE,GAAG,EAAE,MAAM,0BAA0B,CAAC;AAC7D,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,SAAS,CAAC;AAY/C,wBAAgB,SAAS,CACvB,MAAM,EAAE,OAAO,EACf,QAAQ,EAAE,GAAG,EACb,IAAI,CAAC,EAAE;IAAE,YAAY,CAAC,EAAE,GAAG,CAAC;IAAC,UAAU,CAAC,EAAE,MAAM,CAAA;CAAE,GACjD,eAAe,CAajB;AAED,wBAAgB,gBAAgB,CAC9B,IAAI,EAAE;IAAE,EAAE,EAAE,OAAO,CAAC;IAAC,IAAI,EAAE,GAAG,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,EAC/C,MAAM,EAAE,eAAe,GACtB,OAAO,CAeT"}

package/dist/exact-call.js

@@ -0,0 +1,49 @@
+// Exact-call DSL: a delegation can authorize EXACTLY one call
+// (target + selector + optional calldata hash + optional value cap).
+//
+// Used for critical-tier operations where the user should authorize the
+// exact intent and nothing else.
+import { keccak_256 } from '@noble/hashes/sha3';
+function keccak256OfHex(hex) {
+    const cleaned = hex.startsWith('0x') ? hex.slice(2) : hex;
+    const bytes = new Uint8Array(cleaned.length / 2);
+    for (let i = 0; i < bytes.length; i++)
+        bytes[i] = parseInt(cleaned.slice(i * 2, i * 2 + 2), 16);
+    const out = keccak_256(bytes);
+    let s = '0x';
+    for (const b of out)
+        s += b.toString(16).padStart(2, '0');
+    return s;
+}
+export function exactCall(target, selector, opts) {
+    if (!/^0x[0-9a-fA-F]{8}$/.test(selector)) {
+        throw new Error(`exactCall: selector must be 4 bytes (0x + 8 hex chars); got "${selector}"`);
+    }
+    if (opts?.calldataHash && !/^0x[0-9a-fA-F]{64}$/.test(opts.calldataHash)) {
+        throw new Error(`exactCall: calldataHash must be 32 bytes (0x + 64 hex chars); got "${opts.calldataHash}"`);
+    }
+    return {
+        target,
+        selector,
+        calldataHash: opts?.calldataHash,
+        valueLimit: opts?.valueLimit,
+    };
+}
+export function matchesExactCall(call, policy) {
+    if (call.to.toLowerCase() !== policy.target.toLowerCase())
+        return false;
+    if (!call.data.startsWith('0x') || call.data.length < 10)
+        return false;
+    const callSelector = call.data.slice(0, 10).toLowerCase();
+    if (callSelector !== policy.selector.toLowerCase())
+        return false;
+    if (policy.calldataHash) {
+        const computed = keccak256OfHex(call.data);
+        if (computed.toLowerCase() !== policy.calldataHash.toLowerCase())
+            return false;
+    }
+    if (policy.valueLimit !== undefined && call.value > policy.valueLimit)
+        return false;
+    return true;
+}
+//# sourceMappingURL=exact-call.js.map

package/dist/exact-call.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"exact-call.js","sourceRoot":"","sources":["../src/exact-call.ts"],"names":[],"mappings":"AAAA,8DAA8D;AAC9D,qEAAqE;AACrE,EAAE;AACF,wEAAwE;AACxE,iCAAiC;AAEjC,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAIhD,SAAS,cAAc,CAAC,GAAQ;IAC9B,MAAM,OAAO,GAAG,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;IAC1D,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IACjD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE;QAAE,KAAK,CAAC,CAAC,CAAC,GAAG,QAAQ,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAChG,MAAM,GAAG,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC;IAC9B,IAAI,CAAC,GAAG,IAAI,CAAC;IACb,KAAK,MAAM,CAAC,IAAI,GAAG;QAAE,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IAC1D,OAAO,CAAQ,CAAC;AAClB,CAAC;AAED,MAAM,UAAU,SAAS,CACvB,MAAe,EACf,QAAa,EACb,IAAkD;IAElD,IAAI,CAAC,oBAAoB,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;QACzC,MAAM,IAAI,KAAK,CAAC,gEAAgE,QAAQ,GAAG,CAAC,CAAC;IAC/F,CAAC;IACD,IAAI,IAAI,EAAE,YAAY,IAAI,CAAC,qBAAqB,CAAC,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC,EAAE,CAAC;QACzE,MAAM,IAAI,KAAK,CAAC,sEAAsE,IAAI,CAAC,YAAY,GAAG,CAAC,CAAC;IAC9G,CAAC;IACD,OAAO;QACL,MAAM;QACN,QAAQ;QACR,YAAY,EAAE,IAAI,EAAE,YAAY;QAChC,UAAU,EAAE,IAAI,EAAE,UAAU;KAC7B,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,gBAAgB,CAC9B,IAA+C,EAC/C,MAAuB;IAEvB,IAAI,IAAI,CAAC,EAAE,CAAC,WAAW,EAAE,KAAK,MAAM,CAAC,MAAM,CAAC,WAAW,EAAE;QAAE,OAAO,KAAK,CAAC;IAExE,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,MAAM,GAAG,EAAE;QAAE,OAAO,KAAK,CAAC;IACvE,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;IAC1D,IAAI,YAAY,KAAK,MAAM,CAAC,QAAQ,CAAC,WAAW,EAAE;QAAE,OAAO,KAAK,CAAC;IAEjE,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;QACxB,MAAM,QAAQ,GAAG,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC3C,IAAI,QAAQ,CAAC,WAAW,EAAE,KAAK,MAAM,CAAC,YAAY,CAAC,WAAW,EAAE;YAAE,OAAO,KAAK,CAAC;IACjF,CAAC;IAED,IAAI,MAAM,CAAC,UAAU,KAAK,SAAS,IAAI,IAAI,CAAC,KAAK,GAAG,MAAM,CAAC,UAAU;QAAE,OAAO,KAAK,CAAC;IAEpF,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,8 @@
+export { declareTool } from './classification';
+export { exactCall, matchesExactCall } from './exact-call';
+export { evaluatePolicy } from './decision';
+export { clampTtlForRiskTier, requiredCaveatsForRiskTier, evaluateThresholdPolicy, RISK_TIER_REQUIREMENTS, } from './risk-tier';
+export { lintClassification } from './lint';
+export { ThresholdTier } from './types';
+export type { Address, Hex, RiskTier, ToolClassification, ExactCallPolicy, CaveatLike, DelegationLike, CaveatContext, PolicyContext, PolicyDecision, ThresholdPolicyDecision, LintResult, } from './types';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AASA,OAAO,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAC/C,OAAO,EAAE,SAAS,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAC3D,OAAO,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAC5C,OAAO,EACL,mBAAmB,EACnB,0BAA0B,EAC1B,uBAAuB,EACvB,sBAAsB,GACvB,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,kBAAkB,EAAE,MAAM,QAAQ,CAAC;AAE5C,OAAO,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAExC,YAAY,EACV,OAAO,EACP,GAAG,EACH,QAAQ,EACR,kBAAkB,EAClB,eAAe,EACf,UAAU,EACV,cAAc,EACd,aAAa,EACb,aAAa,EACb,cAAc,EACd,uBAAuB,EACvB,UAAU,GACX,MAAM,SAAS,CAAC"}

package/dist/index.js

@@ -0,0 +1,16 @@
+// @agenticprimitives/tool-policy — public API
+//
+// See ../../specs/204-tool-policy.md for the full contract.
+//
+// CRITICAL: This package is protocol-agnostic. It MUST NOT import from any
+// transport SDK (see capability.manifest.json:forbiddenImports for the full
+// list and docs/architecture/decisions/0003-tool-policy-protocol-agnostic.md
+// for why).
+export { declareTool } from './classification';
+export { exactCall, matchesExactCall } from './exact-call';
+export { evaluatePolicy } from './decision';
+export { clampTtlForRiskTier, requiredCaveatsForRiskTier, evaluateThresholdPolicy, RISK_TIER_REQUIREMENTS, } from './risk-tier';
+export { lintClassification } from './lint';
+// ThresholdTier is an enum (value export, not type-only).
+export { ThresholdTier } from './types';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,8CAA8C;AAC9C,EAAE;AACF,4DAA4D;AAC5D,EAAE;AACF,2EAA2E;AAC3E,4EAA4E;AAC5E,6EAA6E;AAC7E,YAAY;AAEZ,OAAO,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAC/C,OAAO,EAAE,SAAS,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAC3D,OAAO,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAC5C,OAAO,EACL,mBAAmB,EACnB,0BAA0B,EAC1B,uBAAuB,EACvB,sBAAsB,GACvB,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,kBAAkB,EAAE,MAAM,QAAQ,CAAC;AAC5C,0DAA0D;AAC1D,OAAO,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC"}

package/dist/lint.d.ts

@@ -0,0 +1,10 @@
+import type { LintResult } from './types';
+interface LintOpts {
+    srcDir: string;
+    requiredTags: string[];
+    optionalTags?: string[];
+    tagBlockPattern?: RegExp;
+}
+export declare function lintClassification(opts: LintOpts): Promise<LintResult>;
+export {};
+//# sourceMappingURL=lint.d.ts.map

package/dist/lint.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"lint.d.ts","sourceRoot":"","sources":["../src/lint.ts"],"names":[],"mappings":"AASA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAK1C,UAAU,QAAQ;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAgBD,wBAAsB,kBAAkB,CAAC,IAAI,EAAE,QAAQ,GAAG,OAAO,CAAC,UAAU,CAAC,CA4B5E"}

package/dist/lint.js

@@ -0,0 +1,56 @@
+// lintClassification — scan a source tree for tool definitions and verify
+// each carries the required JSDoc @sa-* tags.
+//
+// v0 implementation: regex-based scan of the source tree. JSDoc parsing
+// proper happens in v0.1; for the demo we focus on tag presence on
+// function/object definitions that look like tools.
+import { readdirSync, readFileSync, statSync } from 'node:fs';
+import { join, extname } from 'node:path';
+const DEFAULT_PATTERN = /\/\*\*([\s\S]*?)\*\//g;
+const TOOL_HEURISTIC = /(?:export\s+(?:const|function)\s+\w+Tool|name:\s*['"`])/;
+function* walk(dir) {
+    for (const entry of readdirSync(dir)) {
+        if (entry.startsWith('.'))
+            continue;
+        if (entry === 'node_modules' || entry === 'dist' || entry === 'coverage')
+            continue;
+        const p = join(dir, entry);
+        const st = statSync(p);
+        if (st.isDirectory()) {
+            yield* walk(p);
+        }
+        else if (['.ts', '.tsx', '.js', '.jsx'].includes(extname(entry))) {
+            yield p;
+        }
+    }
+}
+export async function lintClassification(opts) {
+    const required = new Set(opts.requiredTags);
+    const result = { passed: true, errors: [] };
+    const blockRe = opts.tagBlockPattern ?? DEFAULT_PATTERN;
+    for (const file of walk(opts.srcDir)) {
+        const text = readFileSync(file, 'utf8');
+        blockRe.lastIndex = 0;
+        let m;
+        while ((m = blockRe.exec(text)) !== null) {
+            const block = m[0];
+            const after = text.slice(m.index + block.length, m.index + block.length + 200);
+            if (!TOOL_HEURISTIC.test(after))
+                continue;
+            const present = new Set();
+            for (const tag of [...required, ...(opts.optionalTags ?? [])]) {
+                const tagRe = new RegExp(`@${tag.replace(/^@/, '').replace(/[.+^${}()|[\]\\]/g, '\\$&')}\\b`);
+                if (tagRe.test(block))
+                    present.add(tag);
+            }
+            const missing = [...required].filter((t) => !present.has(t));
+            if (missing.length > 0) {
+                const line = text.slice(0, m.index).split('\n').length;
+                result.passed = false;
+                result.errors.push({ file, line, missing });
+            }
+        }
+    }
+    return result;
+}
+//# sourceMappingURL=lint.js.map

package/dist/lint.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"lint.js","sourceRoot":"","sources":["../src/lint.ts"],"names":[],"mappings":"AAAA,0EAA0E;AAC1E,8CAA8C;AAC9C,EAAE;AACF,wEAAwE;AACxE,mEAAmE;AACnE,oDAAoD;AAEpD,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAC9D,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAG1C,MAAM,eAAe,GAAG,uBAAuB,CAAC;AAChD,MAAM,cAAc,GAAG,yDAAyD,CAAC;AASjF,QAAQ,CAAC,CAAC,IAAI,CAAC,GAAW;IACxB,KAAK,MAAM,KAAK,IAAI,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC;QACrC,IAAI,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,SAAS;QACpC,IAAI,KAAK,KAAK,cAAc,IAAI,KAAK,KAAK,MAAM,IAAI,KAAK,KAAK,UAAU;YAAE,SAAS;QACnF,MAAM,CAAC,GAAG,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QAC3B,MAAM,EAAE,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC;QACvB,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,CAAC;YACrB,KAAK,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACjB,CAAC;aAAM,IAAI,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC;YACnE,MAAM,CAAC,CAAC;QACV,CAAC;IACH,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,IAAc;IACrD,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IAC5C,MAAM,MAAM,GAAe,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC;IACxD,MAAM,OAAO,GAAG,IAAI,CAAC,eAAe,IAAI,eAAe,CAAC;IAExD,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;QACrC,MAAM,IAAI,GAAG,YAAY,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QACxC,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;QACtB,IAAI,CAAyB,CAAC;QAC9B,OAAO,CAAC,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YACzC,MAAM,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;YACnB,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC,KAAK,GAAG,KAAK,CAAC,MAAM,GAAG,GAAG,CAAC,CAAC;YAC/E,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,KAAK,CAAC;gBAAE,SAAS;YAE1C,MAAM,OAAO,GAAG,IAAI,GAAG,EAAU,CAAC;YAClC,KAAK,MAAM,GAAG,IAAI,CAAC,GAAG,QAAQ,EAAE,GAAG,CAAC,IAAI,CAAC,YAAY,IAAI,EAAE,CAAC,CAAC,EAAE,CAAC;gBAC9D,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,IAAI,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,mBAAmB,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;gBAC9F,IAAI,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC;oBAAE,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YAC1C,CAAC;YACD,MAAM,OAAO,GAAG,CAAC,GAAG,QAAQ,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;YAC7D,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACvB,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC;gBACvD,MAAM,CAAC,MAAM,GAAG,KAAK,CAAC;gBACtB,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;YAC9C,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/risk-tier.d.ts

@@ -0,0 +1,16 @@
+import type { RiskTier, ToolClassification, ThresholdPolicyDecision } from './types';
+export declare function clampTtlForRiskTier(requestedTtlSec: number, risk: RiskTier): number;
+export declare function requiredCaveatsForRiskTier(risk: RiskTier): string[];
+export declare const RISK_TIER_REQUIREMENTS: Record<RiskTier, ThresholdPolicyDecision>;
+/**
+ * Map a tool classification to the spec-207 threshold-policy decision.
+ *
+ * Defaults to `low` (T1 Read) when `@sa-risk-tier` is unset, matching
+ * the existing `evaluatePolicy` permissive default for unclassified
+ * tools. Callers should run `lintClassification` to catch unset risk
+ * tiers as a separate concern; this function intentionally doesn't
+ * fail closed on missing classification (that's `evaluatePolicy`'s
+ * job).
+ */
+export declare function evaluateThresholdPolicy(classification: ToolClassification): ThresholdPolicyDecision;
+//# sourceMappingURL=risk-tier.d.ts.map

package/dist/risk-tier.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"risk-tier.d.ts","sourceRoot":"","sources":["../src/risk-tier.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EACV,QAAQ,EACR,kBAAkB,EAClB,uBAAuB,EACxB,MAAM,SAAS,CAAC;AAiBjB,wBAAgB,mBAAmB,CAAC,eAAe,EAAE,MAAM,EAAE,IAAI,EAAE,QAAQ,GAAG,MAAM,CAMnF;AAED,wBAAgB,0BAA0B,CAAC,IAAI,EAAE,QAAQ,GAAG,MAAM,EAAE,CAEnE;AAqBD,eAAO,MAAM,sBAAsB,EAAE,MAAM,CAAC,QAAQ,EAAE,uBAAuB,CAyB5E,CAAC;AAEF;;;;;;;;;GASG;AACH,wBAAgB,uBAAuB,CACrC,cAAc,EAAE,kBAAkB,GACjC,uBAAuB,CAGzB"}

package/dist/risk-tier.js

@@ -0,0 +1,84 @@
+// Risk-tier helpers. The taxonomy is the binding contract — these helpers
+// surface "what should issuance demand for this tier."
+import { ThresholdTier } from './types';
+const TTL_CLAMP_SECONDS = {
+    low: 7 * 24 * 60 * 60, // 7 days
+    medium: 7 * 24 * 60 * 60, // 7 days
+    high: 24 * 60 * 60, // 1 day
+    critical: 60 * 60, // 1 hour
+};
+const REQUIRED_CAVEATS = {
+    low: ['timestamp'],
+    medium: ['timestamp', 'mcp-tool-scope'],
+    high: ['timestamp', 'mcp-tool-scope', 'value', 'data-scope'],
+    critical: ['timestamp', 'exact-call'],
+};
+export function clampTtlForRiskTier(requestedTtlSec, risk) {
+    if (!Number.isFinite(requestedTtlSec) || requestedTtlSec <= 0) {
+        throw new Error('clampTtlForRiskTier: requestedTtlSec must be a positive number');
+    }
+    const max = TTL_CLAMP_SECONDS[risk];
+    return Math.min(requestedTtlSec, max);
+}
+export function requiredCaveatsForRiskTier(risk) {
+    return [...REQUIRED_CAVEATS[risk]];
+}
+// ─── Spec 207 threshold-policy mapping ────────────────────────────────
+//
+// `@sa-risk-tier` (string) → `ThresholdPolicyDecision` (the shape
+// `mcp-runtime.withDelegation` consumes when gating delegation
+// verification). T1-T3 are tool-call tiers (the only tiers
+// `evaluateThresholdPolicy` returns); T4-T6 are account-level admin
+// tiers and live entirely in `agent-account`.
+//
+// V0 calibration:
+//   - low → T1 Read: 1-of-N, no UV gate, no on-chain blessing.
+//   - medium → T2 Write: 1-of-N + passkey UV (hybrid mode).
+//   - high → T3 Value: quorum caveat required + passkey UV.
+//   - critical → T3 Value + on-chain `acceptSessionDelegation` blessing.
+//
+// Future refinements: argument-level caveats (spec 208) will let
+// individual tool arguments shift the tier (e.g. `target` in a known
+// allowlist drops the on-chain blessing requirement). Until then this
+// flat mapping is the single source of truth.
+export const RISK_TIER_REQUIREMENTS = {
+    low: {
+        tier: ThresholdTier.Read,
+        requiresQuorum: false,
+        requiresUv: false,
+        requiresAcceptedOnChain: false,
+    },
+    medium: {
+        tier: ThresholdTier.Write,
+        requiresQuorum: false,
+        requiresUv: true,
+        requiresAcceptedOnChain: false,
+    },
+    high: {
+        tier: ThresholdTier.Value,
+        requiresQuorum: true,
+        requiresUv: true,
+        requiresAcceptedOnChain: false,
+    },
+    critical: {
+        tier: ThresholdTier.Value,
+        requiresQuorum: true,
+        requiresUv: true,
+        requiresAcceptedOnChain: true,
+    },
+};
+/**
+ * Map a tool classification to the spec-207 threshold-policy decision.
+ *
+ * Defaults to `low` (T1 Read) when `@sa-risk-tier` is unset, matching
+ * the existing `evaluatePolicy` permissive default for unclassified
+ * tools. Callers should run `lintClassification` to catch unset risk
+ * tiers as a separate concern; this function intentionally doesn't
+ * fail closed on missing classification (that's `evaluatePolicy`'s
+ * job).
+ */
+export function evaluateThresholdPolicy(classification) {
+    const risk = classification['@sa-risk-tier'] ?? 'low';
+    return RISK_TIER_REQUIREMENTS[risk];
+}
+//# sourceMappingURL=risk-tier.js.map

package/dist/risk-tier.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"risk-tier.js","sourceRoot":"","sources":["../src/risk-tier.ts"],"names":[],"mappings":"AAAA,0EAA0E;AAC1E,uDAAuD;AAOvD,OAAO,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAExC,MAAM,iBAAiB,GAA6B;IAClD,GAAG,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,EAAS,SAAS;IACvC,MAAM,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,EAAM,SAAS;IACvC,IAAI,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE,EAAY,QAAQ;IACtC,QAAQ,EAAE,EAAE,GAAG,EAAE,EAAa,SAAS;CACxC,CAAC;AAEF,MAAM,gBAAgB,GAA+B;IACnD,GAAG,EAAE,CAAC,WAAW,CAAC;IAClB,MAAM,EAAE,CAAC,WAAW,EAAE,gBAAgB,CAAC;IACvC,IAAI,EAAE,CAAC,WAAW,EAAE,gBAAgB,EAAE,OAAO,EAAE,YAAY,CAAC;IAC5D,QAAQ,EAAE,CAAC,WAAW,EAAE,YAAY,CAAC;CACtC,CAAC;AAEF,MAAM,UAAU,mBAAmB,CAAC,eAAuB,EAAE,IAAc;IACzE,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,eAAe,CAAC,IAAI,eAAe,IAAI,CAAC,EAAE,CAAC;QAC9D,MAAM,IAAI,KAAK,CAAC,gEAAgE,CAAC,CAAC;IACpF,CAAC;IACD,MAAM,GAAG,GAAG,iBAAiB,CAAC,IAAI,CAAC,CAAC;IACpC,OAAO,IAAI,CAAC,GAAG,CAAC,eAAe,EAAE,GAAG,CAAC,CAAC;AACxC,CAAC;AAED,MAAM,UAAU,0BAA0B,CAAC,IAAc;IACvD,OAAO,CAAC,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC;AACrC,CAAC;AAED,yEAAyE;AACzE,EAAE;AACF,kEAAkE;AAClE,+DAA+D;AAC/D,2DAA2D;AAC3D,oEAAoE;AACpE,8CAA8C;AAC9C,EAAE;AACF,kBAAkB;AAClB,+DAA+D;AAC/D,4DAA4D;AAC5D,4DAA4D;AAC5D,yEAAyE;AACzE,EAAE;AACF,iEAAiE;AACjE,qEAAqE;AACrE,sEAAsE;AACtE,8CAA8C;AAE9C,MAAM,CAAC,MAAM,sBAAsB,GAA8C;IAC/E,GAAG,EAAE;QACH,IAAI,EAAE,aAAa,CAAC,IAAI;QACxB,cAAc,EAAE,KAAK;QACrB,UAAU,EAAE,KAAK;QACjB,uBAAuB,EAAE,KAAK;KAC/B;IACD,MAAM,EAAE;QACN,IAAI,EAAE,aAAa,CAAC,KAAK;QACzB,cAAc,EAAE,KAAK;QACrB,UAAU,EAAE,IAAI;QAChB,uBAAuB,EAAE,KAAK;KAC/B;IACD,IAAI,EAAE;QACJ,IAAI,EAAE,aAAa,CAAC,KAAK;QACzB,cAAc,EAAE,IAAI;QACpB,UAAU,EAAE,IAAI;QAChB,uBAAuB,EAAE,KAAK;KAC/B;IACD,QAAQ,EAAE;QACR,IAAI,EAAE,aAAa,CAAC,KAAK;QACzB,cAAc,EAAE,IAAI;QACpB,UAAU,EAAE,IAAI;QAChB,uBAAuB,EAAE,IAAI;KAC9B;CACF,CAAC;AAEF;;;;;;;;;GASG;AACH,MAAM,UAAU,uBAAuB,CACrC,cAAkC;IAElC,MAAM,IAAI,GAAG,cAAc,CAAC,eAAe,CAAC,IAAI,KAAK,CAAC;IACtD,OAAO,sBAAsB,CAAC,IAAI,CAAC,CAAC;AACtC,CAAC"}

package/dist/types.d.ts

@@ -0,0 +1,95 @@
+import type { Address, Hex } from '@agenticprimitives/types';
+export type { Address, Hex };
+export type RiskTier = 'low' | 'medium' | 'high' | 'critical';
+export interface ToolClassification {
+    '@sa-tool': 'delegation-verified' | 'service-only' | 'bootstrap' | 'dev-only';
+    '@sa-auth': 'session-token' | 'service-hmac' | 'none' | 'none-with-csrf';
+    '@sa-validation'?: 'shape-check' | 'json-schema' | 'none-no-body' | 'none-path-params' | 'wallet-action-canonical';
+    '@sa-risk-tier'?: RiskTier;
+    '@sa-owner'?: string;
+    '@sa-rate-limit'?: string;
+    '@sa-prod-gate'?: 'enabled' | 'disabled';
+}
+export interface ExactCallPolicy {
+    target: Address;
+    selector: Hex;
+    calldataHash?: Hex;
+    valueLimit?: bigint;
+}
+export interface CaveatLike {
+    enforcer: Address;
+    terms: Hex;
+}
+export interface DelegationLike {
+    delegator: Address;
+    delegate: Address;
+    caveats: CaveatLike[];
+}
+export interface CaveatContext {
+    timestamp: number;
+    mcpTool?: string;
+    target?: Address;
+    selector?: Hex;
+    value?: bigint;
+    principal?: Address;
+}
+export interface PolicyContext {
+    toolName: string;
+    classification: ToolClassification;
+    delegation?: DelegationLike;
+    caveatContext?: CaveatContext;
+    callerKind: 'user-session' | 'agent-session' | 'service';
+    callDetails?: {
+        to: Address;
+        data: Hex;
+        value: bigint;
+    };
+}
+export type PolicyDecision = {
+    decision: 'allow';
+} | {
+    decision: 'deny';
+    reason: string;
+} | {
+    decision: 'requires-consent';
+    promptId: string;
+    risk: RiskTier;
+};
+export interface LintResult {
+    passed: boolean;
+    errors: Array<{
+        file: string;
+        line: number;
+        missing: string[];
+    }>;
+}
+export declare enum ThresholdTier {
+    Read = 1,// T1 — view-shape MCP delegation, no on-chain mutation
+    Write = 2,// T2 — mutates state but no value transfer above T3 ceiling
+    Value = 3,// T3 — token / native value transfer; requires quorum + (high-value) on-chain blessing
+    Admin = 4,// T4 — owner / passkey / guardian / mode mutation; account-level (not exposed by evaluateThresholdPolicy)
+    Critical = 5,// T5 — impl upgrade / DM change / paymaster change; account-level + timelock
+    Recovery = 6
+}
+/**
+ * Decision returned by `evaluateThresholdPolicy(classification)` —
+ * the shape mcp-runtime's withDelegation threads into
+ * `verifyDelegationToken` so the verify path knows what to enforce.
+ *
+ * - `tier`: which spec 207 § 5 tier the tool falls into. T1-T3 only;
+ *   T4-T6 are account-level admin tiers, not tool-call tiers.
+ * - `requiresQuorum`: the delegation MUST carry a QuorumEnforcer caveat.
+ *   True for T3+ (per spec § 5 multisig/org rows).
+ * - `requiresUv`: at least one signer must have presented a passkey UV
+ *   (user-verification) flag. True for T2+ (per spec § 5 hybrid rows).
+ * - `requiresAcceptedOnChain`: the account must have called
+ *   `acceptSessionDelegation(hash)` for this delegation. True for the
+ *   high-value T3 path (per spec § 6 + § 5 critical-risk-tier).
+ */
+export interface ThresholdPolicyDecision {
+    tier: ThresholdTier;
+    requiresQuorum: boolean;
+    requiresUv: boolean;
+    requiresAcceptedOnChain: boolean;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,GAAG,EAAE,MAAM,0BAA0B,CAAC;AAE7D,YAAY,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC;AAE7B,MAAM,MAAM,QAAQ,GAAG,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,UAAU,CAAC;AAE9D,MAAM,WAAW,kBAAkB;IACjC,UAAU,EAAE,qBAAqB,GAAG,cAAc,GAAG,WAAW,GAAG,UAAU,CAAC;IAC9E,UAAU,EAAE,eAAe,GAAG,cAAc,GAAG,MAAM,GAAG,gBAAgB,CAAC;IACzE,gBAAgB,CAAC,EAAE,aAAa,GAAG,aAAa,GAAG,cAAc,GAAG,kBAAkB,GAAG,yBAAyB,CAAC;IACnH,eAAe,CAAC,EAAE,QAAQ,CAAC;IAC3B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,eAAe,CAAC,EAAE,SAAS,GAAG,UAAU,CAAC;CAC1C;AAED,MAAM,WAAW,eAAe;IAC9B,MAAM,EAAE,OAAO,CAAC;IAChB,QAAQ,EAAE,GAAG,CAAC;IACd,YAAY,CAAC,EAAE,GAAG,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAGD,MAAM,WAAW,UAAU;IACzB,QAAQ,EAAE,OAAO,CAAC;IAClB,KAAK,EAAE,GAAG,CAAC;CACZ;AAED,MAAM,WAAW,cAAc;IAC7B,SAAS,EAAE,OAAO,CAAC;IACnB,QAAQ,EAAE,OAAO,CAAC;IAClB,OAAO,EAAE,UAAU,EAAE,CAAC;CACvB;AAED,MAAM,WAAW,aAAa;IAC5B,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,QAAQ,CAAC,EAAE,GAAG,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,SAAS,CAAC,EAAE,OAAO,CAAC;CACrB;AAED,MAAM,WAAW,aAAa;IAC5B,QAAQ,EAAE,MAAM,CAAC;IACjB,cAAc,EAAE,kBAAkB,CAAC;IACnC,UAAU,CAAC,EAAE,cAAc,CAAC;IAC5B,aAAa,CAAC,EAAE,aAAa,CAAC;IAC9B,UAAU,EAAE,cAAc,GAAG,eAAe,GAAG,SAAS,CAAC;IACzD,WAAW,CAAC,EAAE;QAAE,EAAE,EAAE,OAAO,CAAC;QAAC,IAAI,EAAE,GAAG,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC;CACzD;AAED,MAAM,MAAM,cAAc,GACtB;IAAE,QAAQ,EAAE,OAAO,CAAA;CAAE,GACrB;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,GACpC;IAAE,QAAQ,EAAE,kBAAkB,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,QAAQ,CAAA;CAAE,CAAC;AAEvE,MAAM,WAAW,UAAU;IACzB,MAAM,EAAE,OAAO,CAAC;IAChB,MAAM,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC,CAAC;CAClE;AAWD,oBAAY,aAAa;IACvB,IAAI,IAAI,CAAO,uDAAuD;IACtE,KAAK,IAAI,CAAM,4DAA4D;IAC3E,KAAK,IAAI,CAAM,uFAAuF;IACtG,KAAK,IAAI,CAAM,0GAA0G;IACzH,QAAQ,IAAI,CAAG,6EAA6E;IAC5F,QAAQ,IAAI;CACb;AAED;;;;;;;;;;;;;;GAcG;AACH,MAAM,WAAW,uBAAuB;IACtC,IAAI,EAAE,aAAa,CAAC;IACpB,cAAc,EAAE,OAAO,CAAC;IACxB,UAAU,EAAE,OAAO,CAAC;IACpB,uBAAuB,EAAE,OAAO,CAAC;CAClC"}

package/dist/types.js

@@ -0,0 +1,18 @@
+// ─── Spec 207 threshold-policy tiers ──────────────────────────────────
+//
+// Coexists with the string `RiskTier` above. `RiskTier` is a *tool
+// classification* concept (how risky is this tool?); `ThresholdTier` is
+// the *delegation-time gating* tier from spec 207 § 5 (what kind of
+// authorization does this tier demand?). The two map cleanly via
+// `RISK_TIER_REQUIREMENTS` below, but they serve different layers and
+// stay distinct in the type system.
+export var ThresholdTier;
+(function (ThresholdTier) {
+    ThresholdTier[ThresholdTier["Read"] = 1] = "Read";
+    ThresholdTier[ThresholdTier["Write"] = 2] = "Write";
+    ThresholdTier[ThresholdTier["Value"] = 3] = "Value";
+    ThresholdTier[ThresholdTier["Admin"] = 4] = "Admin";
+    ThresholdTier[ThresholdTier["Critical"] = 5] = "Critical";
+    ThresholdTier[ThresholdTier["Recovery"] = 6] = "Recovery";
+})(ThresholdTier || (ThresholdTier = {}));
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AA+DA,yEAAyE;AACzE,EAAE;AACF,mEAAmE;AACnE,wEAAwE;AACxE,oEAAoE;AACpE,iEAAiE;AACjE,sEAAsE;AACtE,oCAAoC;AAEpC,MAAM,CAAN,IAAY,aAOX;AAPD,WAAY,aAAa;IACvB,iDAAQ,CAAA;IACR,mDAAS,CAAA;IACT,mDAAS,CAAA;IACT,mDAAS,CAAA;IACT,yDAAY,CAAA;IACZ,yDAAY,CAAA;AACd,CAAC,EAPW,aAAa,KAAb,aAAa,QAOxB"}

package/package.json

@@ -0,0 +1,64 @@
+{
+  "name": "@agenticprimitives/tool-policy",
+  "version": "0.1.0-alpha.2",
+  "description": "Protocol-agnostic classification, risk tiers, and exact-call policy. Consumable by MCP, A2A, LangGraph, and Vercel AI tool runtimes.",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/agentictrustlabs/agenticprimitives.git",
+    "directory": "packages/tool-policy"
+  },
+  "homepage": "https://github.com/agentictrustlabs/agenticprimitives/tree/master/packages/tool-policy",
+  "bugs": {
+    "url": "https://github.com/agentictrustlabs/agenticprimitives/issues"
+  },
+  "type": "module",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    },
+    "./lint": {
+      "types": "./dist/lint.d.ts",
+      "import": "./dist/lint.js"
+    }
+  },
+  "files": [
+    "LICENSE",
+    "dist",
+    "spec.md",
+    "README.md"
+  ],
+  "scripts": {
+    "build": "tsc -p tsconfig.build.json",
+    "typecheck": "tsc -p tsconfig.json --noEmit",
+    "test": "vitest run",
+    "test:unit": "vitest run test/unit",
+    "test:integration": "vitest run test/integration --passWithNoTests",
+    "test:watch": "vitest",
+    "clean": "rm -rf dist"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "dependencies": {
+    "@noble/hashes": "^1.5.0"
+  },
+  "peerDependencies": {
+    "@agenticprimitives/types": "workspace:*"
+  },
+  "devDependencies": {
+    "@types/node": "^22.7.0",
+    "vitest": "^2.1.0"
+  },
+  "keywords": [
+    "policy",
+    "classification",
+    "risk-tier",
+    "exact-call",
+    "agentic",
+    "tool-policy"
+  ]
+}

package/spec.md

@@ -0,0 +1,6 @@
+# @agenticprimitives/tool-policy — spec
+
+The authoritative specification lives at:
+**[`../../specs/204-tool-policy.md`](../../specs/204-tool-policy.md)**
+
+Do not edit a divergent copy here.