@agentproto/governance-engine 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -0,0 +1,169 @@
1
+ import * as _agentproto_tool from '@agentproto/tool';
2
+ import { G as GovernanceConfig } from '../workspace-config-vgR1Ieoo.js';
3
+
4
+ /**
5
+ * AIP-14 contract for signing an artifact.
6
+ *
7
+ * `governanceConfig` is read from the per-call `context` (validated by
8
+ * `contextSchema`) — a single tool instance serves multiple workspaces /
9
+ * tenants without re-instantiation. Hosts that wire the tool through a
10
+ * Mastra adapter use `resolveContext` to project per-request guildId →
11
+ * config.
12
+ *
13
+ * Input fields use AIP-27 `Ref` compact strings — `artifact: "local:..."`,
14
+ * `signer: "operator:..."`. The body lives on the AIP-30 PROVIDER
15
+ * (`@agentproto/governance-engine/provider`); this file carries only
16
+ * the abstract contract per AIP-14.
17
+ */
18
+ declare const signArtifactTool: _agentproto_tool.ToolHandle<{
19
+ artifact: string;
20
+ signer: string;
21
+ signerKind: "external" | "operator" | "user" | "counterparty" | "agent";
22
+ method: "typed_name" | "agent_confirm" | "click_through" | "esign_external";
23
+ evidence: unknown;
24
+ signerEmail?: string | undefined;
25
+ expectedDocumentHash?: string | undefined;
26
+ idempotencyKey?: string | undefined;
27
+ }, {
28
+ signaturePath: string;
29
+ auditLogPath: string;
30
+ auditLineIndex: number;
31
+ documentHash: string;
32
+ }, {
33
+ governanceConfig: GovernanceConfig;
34
+ }>;
35
+
36
+ /**
37
+ * AIP-14 contract for appending an event to the workspace audit log.
38
+ *
39
+ * Reads `governanceConfig` from the per-call context (validated by
40
+ * `contextSchema`). Body lives on the AIP-30 PROVIDER
41
+ * (`@agentproto/governance-engine/provider`).
42
+ */
43
+ declare const recordAuditEventTool: _agentproto_tool.ToolHandle<{
44
+ actorKind: "operator" | "user" | "counterparty" | "agent" | "system";
45
+ actor: string | null;
46
+ entityType: string;
47
+ entity: string;
48
+ action: string;
49
+ scopeDir?: string | undefined;
50
+ payload?: Record<string, unknown> | undefined;
51
+ requestId?: string | undefined;
52
+ traceId?: string | undefined;
53
+ idempotencyKey?: string | undefined;
54
+ }, {
55
+ logPath: string;
56
+ lineIndex: number;
57
+ anchored: boolean;
58
+ signature: string;
59
+ }, {
60
+ governanceConfig: GovernanceConfig;
61
+ }>;
62
+
63
+ /**
64
+ * AIP-14 contract for registering pending signatures on an artifact.
65
+ *
66
+ * Reads `governanceConfig` from per-call context. Body lives on the
67
+ * AIP-30 PROVIDER (`@agentproto/governance-engine/provider`).
68
+ */
69
+ declare const requestSignaturesTool: _agentproto_tool.ToolHandle<{
70
+ artifact: string;
71
+ requiredSignatures: {
72
+ signer: string;
73
+ method?: "typed_name" | "agent_confirm" | "click_through" | "esign_external" | undefined;
74
+ weight?: number | undefined;
75
+ deadline?: string | undefined;
76
+ }[];
77
+ }, {
78
+ added: number;
79
+ }, {
80
+ governanceConfig: GovernanceConfig;
81
+ }>;
82
+
83
+ /**
84
+ * AIP-14 contract for the read-only query of pending signatures.
85
+ *
86
+ * Reads `governanceConfig` from per-call context. Body lives on the
87
+ * AIP-30 PROVIDER (`@agentproto/governance-engine/provider`).
88
+ */
89
+ declare const listPendingSignaturesTool: _agentproto_tool.ToolHandle<{
90
+ signer: string;
91
+ }, {
92
+ pending: {
93
+ artifactPath: string;
94
+ requestedAt: string;
95
+ deadline?: string | undefined;
96
+ method?: string | undefined;
97
+ weight?: number | undefined;
98
+ }[];
99
+ }, {
100
+ governanceConfig: GovernanceConfig;
101
+ }>;
102
+
103
+ declare const governanceTools: {
104
+ readonly signArtifact: _agentproto_tool.ToolHandle<{
105
+ artifact: string;
106
+ signer: string;
107
+ signerKind: "external" | "operator" | "user" | "counterparty" | "agent";
108
+ method: "typed_name" | "agent_confirm" | "click_through" | "esign_external";
109
+ evidence: unknown;
110
+ signerEmail?: string | undefined;
111
+ expectedDocumentHash?: string | undefined;
112
+ idempotencyKey?: string | undefined;
113
+ }, {
114
+ signaturePath: string;
115
+ auditLogPath: string;
116
+ auditLineIndex: number;
117
+ documentHash: string;
118
+ }, {
119
+ governanceConfig: GovernanceConfig;
120
+ }>;
121
+ readonly recordAuditEvent: _agentproto_tool.ToolHandle<{
122
+ actorKind: "operator" | "user" | "counterparty" | "agent" | "system";
123
+ actor: string | null;
124
+ entityType: string;
125
+ entity: string;
126
+ action: string;
127
+ scopeDir?: string | undefined;
128
+ payload?: Record<string, unknown> | undefined;
129
+ requestId?: string | undefined;
130
+ traceId?: string | undefined;
131
+ idempotencyKey?: string | undefined;
132
+ }, {
133
+ logPath: string;
134
+ lineIndex: number;
135
+ anchored: boolean;
136
+ signature: string;
137
+ }, {
138
+ governanceConfig: GovernanceConfig;
139
+ }>;
140
+ readonly requestSignatures: _agentproto_tool.ToolHandle<{
141
+ artifact: string;
142
+ requiredSignatures: {
143
+ signer: string;
144
+ method?: "typed_name" | "agent_confirm" | "click_through" | "esign_external" | undefined;
145
+ weight?: number | undefined;
146
+ deadline?: string | undefined;
147
+ }[];
148
+ }, {
149
+ added: number;
150
+ }, {
151
+ governanceConfig: GovernanceConfig;
152
+ }>;
153
+ readonly listPendingSignatures: _agentproto_tool.ToolHandle<{
154
+ signer: string;
155
+ }, {
156
+ pending: {
157
+ artifactPath: string;
158
+ requestedAt: string;
159
+ deadline?: string | undefined;
160
+ method?: string | undefined;
161
+ weight?: number | undefined;
162
+ }[];
163
+ }, {
164
+ governanceConfig: GovernanceConfig;
165
+ }>;
166
+ };
167
+ type GovernanceToolBundle = typeof governanceTools;
168
+
169
+ export { type GovernanceToolBundle, governanceTools, listPendingSignaturesTool, recordAuditEventTool, requestSignaturesTool, signArtifactTool };
@@ -0,0 +1,22 @@
1
+ import { listPendingSignaturesTool, requestSignaturesTool, recordAuditEventTool, signArtifactTool } from '../chunk-NXMY54BX.mjs';
2
+ export { listPendingSignaturesTool, recordAuditEventTool, requestSignaturesTool, signArtifactTool } from '../chunk-NXMY54BX.mjs';
3
+ import '../chunk-M7I5HTGN.mjs';
4
+
5
+ /**
6
+ * @agentproto/governance-engine v0.1.0-alpha
7
+ * Reference engine for agentgovernance/v1 — audit chain + sign artifact +
8
+ * pending-signatures index, all routed through IGovernanceFilesystem so the
9
+ * same code runs against Node fs, Supabase Storage, S3, or in-memory.
10
+ */
11
+
12
+ // src/tools/index.ts
13
+ var governanceTools = {
14
+ signArtifact: signArtifactTool,
15
+ recordAuditEvent: recordAuditEventTool,
16
+ requestSignatures: requestSignaturesTool,
17
+ listPendingSignatures: listPendingSignaturesTool
18
+ };
19
+
20
+ export { governanceTools };
21
+ //# sourceMappingURL=index.mjs.map
22
+ //# sourceMappingURL=index.mjs.map
@@ -0,0 +1 @@
1
+ {"version":3,"sources":["../../src/tools/index.ts"],"names":[],"mappings":";;;;;;;;;;;;AA0BO,IAAM,eAAA,GAAkB;AAAA,EAC7B,YAAA,EAAc,gBAAA;AAAA,EACd,gBAAA,EAAkB,oBAAA;AAAA,EAClB,iBAAA,EAAmB,qBAAA;AAAA,EACnB,qBAAA,EAAuB;AACzB","file":"index.mjs","sourcesContent":["/**\n * AIP-14 governance tools — static `defineTool` handles wrapping the\n * `@agentproto/governance-engine` helpers.\n *\n * Each tool is a single global handle that reads `governanceConfig`\n * from the per-call context (validated by its `contextSchema`). One\n * handle serves any number of workspaces / tenants — adapters wire the\n * config in at invocation time via `resolveContext`.\n *\n * Adapters in `@agentproto/adapter-mastra` (and future `@agentproto/adapter-langchain`,\n * `@agentproto/adapter-a2a`) consume these handles and project them into their\n * native tool surface.\n */\n\nimport { signArtifactTool } from \"./sign-artifact.tool.js\"\nimport { recordAuditEventTool } from \"./record-audit-event.tool.js\"\nimport { requestSignaturesTool } from \"./request-signatures.tool.js\"\nimport { listPendingSignaturesTool } from \"./list-pending-signatures.tool.js\"\n\nexport {\n signArtifactTool,\n recordAuditEventTool,\n requestSignaturesTool,\n listPendingSignaturesTool,\n}\n\nexport const governanceTools = {\n signArtifact: signArtifactTool,\n recordAuditEvent: recordAuditEventTool,\n requestSignatures: requestSignaturesTool,\n listPendingSignatures: listPendingSignaturesTool,\n} as const\n\nexport type GovernanceToolBundle = typeof governanceTools\n"]}
@@ -0,0 +1,97 @@
1
+ /**
2
+ * IGovernanceFilesystem — vendor-neutral filesystem interface used by the
3
+ * governance runtime. Lets a consumer plug a non-Node backend (Supabase
4
+ * Storage, S3, in-memory) without forking the runtime.
5
+ *
6
+ * All paths are absolute (the runtime resolves root-relative paths via
7
+ * `resolveFromRoot` before calling FS methods).
8
+ *
9
+ * Default implementation: `NodeGovernanceFilesystem`, backed by `node:fs`.
10
+ * Backends MUST guarantee:
11
+ * - `writeFileAtomic` is atomic on same-volume rename (or equivalent).
12
+ * - `appendLine` is durable across process crashes (line either fully
13
+ * present or absent in the resulting file — no torn writes).
14
+ * - `readFile` returns `null` (not throws) when the file does not exist.
15
+ */
16
+ /** A single child entry returned by `listDirectory`. */
17
+ interface DirectoryEntry {
18
+ /** File or subdirectory name (relative to the parent). No leading slash. */
19
+ name: string;
20
+ /** True for subdirectories, false for files. */
21
+ isDirectory: boolean;
22
+ }
23
+ interface IGovernanceFilesystem {
24
+ /** Recursively create a directory if it does not exist. */
25
+ ensureDir(absDir: string): Promise<void>;
26
+ /** Read a UTF-8 file. Returns `null` when the file does not exist. */
27
+ readFile(absPath: string): Promise<string | null>;
28
+ /**
29
+ * Atomically write the full contents of a file. Implementations should
30
+ * write to a temp file in the same dir, then rename — or use whatever
31
+ * atomic-replace primitive the backend provides.
32
+ */
33
+ writeFileAtomic(absPath: string, content: string): Promise<void>;
34
+ /**
35
+ * Append a single line + newline. Creates the file if absent. Must be
36
+ * crash-safe: a partially-written line MUST NOT be visible to a
37
+ * concurrent reader.
38
+ */
39
+ appendLine(absPath: string, line: string): Promise<void>;
40
+ /**
41
+ * List the immediate children of a directory. Returns `[]` when the
42
+ * directory does not exist (NOT throw). Order is implementation-defined;
43
+ * callers MUST sort if they need stable order.
44
+ */
45
+ listDirectory(absDir: string): Promise<DirectoryEntry[]>;
46
+ }
47
+ declare class NodeGovernanceFilesystem implements IGovernanceFilesystem {
48
+ ensureDir(absDir: string): Promise<void>;
49
+ readFile(absPath: string): Promise<string | null>;
50
+ writeFileAtomic(absPath: string, content: string): Promise<void>;
51
+ appendLine(absPath: string, line: string): Promise<void>;
52
+ listDirectory(absDir: string): Promise<DirectoryEntry[]>;
53
+ }
54
+ /** Default singleton — Node fs. */
55
+ declare function defaultGovernanceFilesystem(): IGovernanceFilesystem;
56
+
57
+ /**
58
+ * GovernanceConfig — runtime configuration the FS-only services need.
59
+ *
60
+ * Apps resolve genesis seed + HMAC secret from a vault / secrets manager and
61
+ * pass an instance into the runtime services. The package itself does NOT
62
+ * read environment variables or secret stores — it stays portable.
63
+ */
64
+
65
+ interface GovernanceConfig {
66
+ /** Absolute path to the workspace root. */
67
+ workspaceRoot: string;
68
+ /** Hex-encoded 64-char workspace genesis seed. */
69
+ genesisSeed: string;
70
+ /** HMAC secret used for chain signatures. */
71
+ hmacSecret: string;
72
+ /**
73
+ * Filesystem adapter. Defaults to `NodeGovernanceFilesystem` (node:fs)
74
+ * when omitted. Apps with non-POSIX storage (Supabase Storage, S3,
75
+ * in-memory test fixtures) supply a custom implementation here.
76
+ */
77
+ filesystem?: IGovernanceFilesystem;
78
+ /** Optional: invoked when an audit-log line crosses an anchor threshold. */
79
+ anchorSink?: AnchorSink;
80
+ /** Anchor every N lines (default 1000). */
81
+ anchorEveryLines?: number;
82
+ }
83
+ interface AnchorPayload {
84
+ /** Audit-log file path (workspace-relative). */
85
+ logPath: string;
86
+ /** 0-based line index that triggered the anchor (the line that crossed the threshold). */
87
+ lineIndex: number;
88
+ /** The signature at that line — what gets anchored. */
89
+ signature: string;
90
+ /** ISO timestamp when the anchor was emitted. */
91
+ emittedAt: string;
92
+ }
93
+ type AnchorSink = (payload: AnchorPayload) => Promise<void>;
94
+ /** Default anchor cadence. */
95
+ declare const DEFAULT_ANCHOR_EVERY_LINES = 1000;
96
+
97
+ export { type AnchorPayload as A, DEFAULT_ANCHOR_EVERY_LINES as D, type GovernanceConfig as G, type IGovernanceFilesystem as I, NodeGovernanceFilesystem as N, type AnchorSink as a, type DirectoryEntry as b, defaultGovernanceFilesystem as d };
package/package.json ADDED
@@ -0,0 +1,78 @@
1
+ {
2
+ "name": "@agentproto/governance-engine",
3
+ "version": "0.1.0",
4
+ "description": "agentgovernance/v1 reference engine — record audit events, sign artifacts, maintain pending-signatures index. Vendor-neutral via the IGovernanceFilesystem interface (Node fs default, plug Supabase / S3 / in-memory adapters via the same interface). Pairs with @agentproto/governance for doctype types and validators.",
5
+ "keywords": [
6
+ "agentgovernance",
7
+ "governance",
8
+ "audit-log",
9
+ "hash-chain",
10
+ "signature",
11
+ "filesystem-adapter",
12
+ "engine",
13
+ "open-standard",
14
+ "agentic"
15
+ ],
16
+ "homepage": "https://agentproto.sh/docs/gov-1",
17
+ "repository": {
18
+ "type": "git",
19
+ "url": "https://github.com/agentproto/ts",
20
+ "directory": "packages/governance/engine"
21
+ },
22
+ "bugs": {
23
+ "url": "https://github.com/agentproto/ts/issues"
24
+ },
25
+ "license": "MIT",
26
+ "type": "module",
27
+ "main": "dist/index.mjs",
28
+ "module": "dist/index.mjs",
29
+ "types": "dist/index.d.ts",
30
+ "exports": {
31
+ ".": {
32
+ "types": "./dist/index.d.ts",
33
+ "import": "./dist/index.mjs",
34
+ "default": "./dist/index.mjs"
35
+ },
36
+ "./tools": {
37
+ "types": "./dist/tools/index.d.ts",
38
+ "import": "./dist/tools/index.mjs",
39
+ "default": "./dist/tools/index.mjs"
40
+ },
41
+ "./provider": {
42
+ "types": "./dist/provider/index.d.ts",
43
+ "import": "./dist/provider/index.mjs",
44
+ "default": "./dist/provider/index.mjs"
45
+ },
46
+ "./package.json": "./package.json"
47
+ },
48
+ "files": [
49
+ "dist",
50
+ "README.md",
51
+ "LICENSE"
52
+ ],
53
+ "publishConfig": {
54
+ "access": "public"
55
+ },
56
+ "dependencies": {
57
+ "zod": "^4.4.3",
58
+ "@agentproto/driver": "0.1.0",
59
+ "@agentproto/governance": "0.1.0-alpha.0",
60
+ "@agentproto/ref": "0.1.0-alpha.0",
61
+ "@agentproto/tool": "0.1.0"
62
+ },
63
+ "devDependencies": {
64
+ "@types/node": "^25.6.2",
65
+ "tsup": "^8.5.1",
66
+ "typescript": "^5.9.3",
67
+ "vitest": "^3.2.4",
68
+ "@agentproto/tooling": "0.1.0-alpha.0"
69
+ },
70
+ "scripts": {
71
+ "dev": "tsup --watch",
72
+ "build": "tsup",
73
+ "clean": "rm -rf dist",
74
+ "check-types": "tsc --noEmit",
75
+ "test": "vitest run",
76
+ "test:watch": "vitest"
77
+ }
78
+ }