npm - @aigrc/core - Versions diffs - 0.1.0 → 0.2.0 - Mend

@aigrc/core 0.1.0 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (25) hide show

package/dist/air/index.d.mts +1669 -0
package/dist/air/index.d.ts +1669 -0
package/dist/air/index.js +450 -0
package/dist/air/index.js.map +1 -0
package/dist/air/index.mjs +410 -0
package/dist/air/index.mjs.map +1 -0
package/dist/governance-lock/index.d.mts +903 -0
package/dist/governance-lock/index.d.ts +903 -0
package/dist/governance-lock/index.js +444 -0
package/dist/governance-lock/index.js.map +1 -0
package/dist/governance-lock/index.mjs +389 -0
package/dist/governance-lock/index.mjs.map +1 -0
package/dist/index.d.mts +467 -4
package/dist/index.d.ts +467 -4
package/dist/index.js +2213 -3
package/dist/index.js.map +1 -1
package/dist/index.mjs +2114 -2
package/dist/index.mjs.map +1 -1
package/dist/schemas/index.d.mts +1950 -29
package/dist/schemas/index.d.ts +1950 -29
package/dist/schemas/index.js +354 -1
package/dist/schemas/index.js.map +1 -1
package/dist/schemas/index.mjs +332 -1
package/dist/schemas/index.mjs.map +1 -1
package/package.json +11 -1

package/dist/governance-lock/index.d.mts ADDED Viewed

@@ -0,0 +1,903 @@
+import { z } from 'zod';
+import { AIR } from '../air/index.mjs';
+/**
+ * governance.lock File Format
+ *
+ * The governance.lock file pins policy version to code version, similar to
+ * package-lock.json. It is generated by the Policy Compiler and verified
+ * by the Supply Chain Firewall in IDE, CI/CD, and runtime.
+ *
+ * @see I2E_Engine_Specification_v1.md Section 4.2.3
+ * @module @aigrc/core/governance-lock
+ */
+declare const GovernanceLockSignatureSchema: z.ZodObject<{
+    /** Signer identity (email or system ID) */
+    signer: z.ZodString;
+    /** Role of the signer (e.g., "CISO", "PolicyOwner", "SecurityLead") */
+    role: z.ZodOptional<z.ZodString>;
+    /** Algorithm used: RS256 (RSA-SHA256) or ES256 (ECDSA-P256) */
+    algorithm: z.ZodEnum<["RS256", "ES256"]>;
+    /** Base64-encoded signature */
+    signature: z.ZodString;
+    /** When the signature was created */
+    signed_at: z.ZodString;
+    /** Key ID for key rotation support */
+    key_id: z.ZodOptional<z.ZodString>;
+    /** Expiration of this signature (optional, separate from lock expiration) */
+    expires_at: z.ZodOptional<z.ZodString>;
+    /** Certificate chain for verification (optional) */
+    certificate_chain: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+}, "strip", z.ZodTypeAny, {
+    signature: string;
+    algorithm: "RS256" | "ES256";
+    signer: string;
+    signed_at: string;
+    role?: string | undefined;
+    expires_at?: string | undefined;
+    key_id?: string | undefined;
+    certificate_chain?: string[] | undefined;
+}, {
+    signature: string;
+    algorithm: "RS256" | "ES256";
+    signer: string;
+    signed_at: string;
+    role?: string | undefined;
+    expires_at?: string | undefined;
+    key_id?: string | undefined;
+    certificate_chain?: string[] | undefined;
+}>;
+type GovernanceLockSignature = z.infer<typeof GovernanceLockSignatureSchema>;
+declare const GovernanceLockPolicySourceSchema: z.ZodObject<{
+    /** Unique identifier for this source */
+    id: z.ZodString;
+    /** Type of source */
+    type: z.ZodEnum<["pdf", "url", "confluence", "jira", "manual"]>;
+    /** URI to the source document */
+    uri: z.ZodString;
+    /** SHA-256 hash of the source content at time of compilation */
+    content_hash: z.ZodString;
+    /** When the source was fetched */
+    fetched_at: z.ZodString;
+    /** Title of the policy document */
+    title: z.ZodOptional<z.ZodString>;
+    /** Version of the policy document */
+    version: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    type: "jira" | "url" | "pdf" | "confluence" | "manual";
+    id: string;
+    uri: string;
+    content_hash: string;
+    fetched_at: string;
+    version?: string | undefined;
+    title?: string | undefined;
+}, {
+    type: "jira" | "url" | "pdf" | "confluence" | "manual";
+    id: string;
+    uri: string;
+    content_hash: string;
+    fetched_at: string;
+    version?: string | undefined;
+    title?: string | undefined;
+}>;
+type GovernanceLockPolicySource = z.infer<typeof GovernanceLockPolicySourceSchema>;
+declare const GovernanceLockRegistryConstraintsSchema: z.ZodObject<{
+    /** List of approved vendor IDs */
+    allowed_vendor_ids: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
+    /** List of blocked vendor IDs */
+    blocked_vendor_ids: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
+    /** List of approved region codes */
+    allowed_region_codes: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
+    /** List of blocked region codes */
+    blocked_region_codes: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
+    /** List of approved model patterns */
+    allowed_model_patterns: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
+    /** List of blocked model patterns */
+    blocked_model_patterns: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
+    /** Maximum model parameters allowed */
+    max_model_parameters: z.ZodOptional<z.ZodNumber>;
+}, "strip", z.ZodTypeAny, {
+    allowed_vendor_ids: string[];
+    blocked_vendor_ids: string[];
+    allowed_region_codes: string[];
+    blocked_region_codes: string[];
+    allowed_model_patterns: string[];
+    blocked_model_patterns: string[];
+    max_model_parameters?: number | undefined;
+}, {
+    max_model_parameters?: number | undefined;
+    allowed_vendor_ids?: string[] | undefined;
+    blocked_vendor_ids?: string[] | undefined;
+    allowed_region_codes?: string[] | undefined;
+    blocked_region_codes?: string[] | undefined;
+    allowed_model_patterns?: string[] | undefined;
+    blocked_model_patterns?: string[] | undefined;
+}>;
+type GovernanceLockRegistryConstraints = z.infer<typeof GovernanceLockRegistryConstraintsSchema>;
+declare const GovernanceLockRuntimeConstraintsSchema: z.ZodObject<{
+    /** Whether PII filtering is required */
+    pii_filter_enabled: z.ZodDefault<z.ZodBoolean>;
+    /** PII filter action */
+    pii_filter_action: z.ZodOptional<z.ZodEnum<["redact", "block", "warn", "audit"]>>;
+    /** Whether toxicity filtering is required */
+    toxicity_filter_enabled: z.ZodDefault<z.ZodBoolean>;
+    /** Toxicity threshold */
+    toxicity_threshold: z.ZodOptional<z.ZodNumber>;
+    /** Data retention period in days */
+    data_retention_days: z.ZodDefault<z.ZodNumber>;
+    /** Whether watermarking is required */
+    watermark_enabled: z.ZodDefault<z.ZodBoolean>;
+    /** Logging level */
+    logging_level: z.ZodDefault<z.ZodEnum<["none", "errors", "all"]>>;
+    /** Maximum tokens per request */
+    max_tokens_per_request: z.ZodOptional<z.ZodNumber>;
+    /** Maximum cost per day in USD */
+    max_cost_per_day_usd: z.ZodOptional<z.ZodNumber>;
+    /** Kill switch enabled */
+    kill_switch_enabled: z.ZodDefault<z.ZodBoolean>;
+}, "strip", z.ZodTypeAny, {
+    data_retention_days: number;
+    watermark_enabled: boolean;
+    logging_level: "errors" | "none" | "all";
+    pii_filter_enabled: boolean;
+    toxicity_filter_enabled: boolean;
+    kill_switch_enabled: boolean;
+    max_tokens_per_request?: number | undefined;
+    max_cost_per_day_usd?: number | undefined;
+    pii_filter_action?: "audit" | "block" | "redact" | "warn" | undefined;
+    toxicity_threshold?: number | undefined;
+}, {
+    data_retention_days?: number | undefined;
+    watermark_enabled?: boolean | undefined;
+    logging_level?: "errors" | "none" | "all" | undefined;
+    max_tokens_per_request?: number | undefined;
+    max_cost_per_day_usd?: number | undefined;
+    pii_filter_enabled?: boolean | undefined;
+    pii_filter_action?: "audit" | "block" | "redact" | "warn" | undefined;
+    toxicity_filter_enabled?: boolean | undefined;
+    toxicity_threshold?: number | undefined;
+    kill_switch_enabled?: boolean | undefined;
+}>;
+type GovernanceLockRuntimeConstraints = z.infer<typeof GovernanceLockRuntimeConstraintsSchema>;
+declare const GovernanceLockBuildConstraintsSchema: z.ZodObject<{
+    /** Require Golden Thread linkage */
+    require_golden_thread: z.ZodDefault<z.ZodBoolean>;
+    /** Require asset card */
+    require_asset_card: z.ZodDefault<z.ZodBoolean>;
+    /** Require risk classification */
+    require_risk_classification: z.ZodDefault<z.ZodBoolean>;
+    /** Require model card */
+    require_model_card: z.ZodDefault<z.ZodBoolean>;
+    /** Require security review for high risk */
+    require_security_review: z.ZodDefault<z.ZodBoolean>;
+    /** Block merge on validation failure */
+    block_on_failure: z.ZodDefault<z.ZodBoolean>;
+    /** Generate SARIF report */
+    generate_sarif: z.ZodDefault<z.ZodBoolean>;
+    /** Allowed environments */
+    allowed_environments: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
+}, "strip", z.ZodTypeAny, {
+    require_golden_thread: boolean;
+    require_asset_card: boolean;
+    require_risk_classification: boolean;
+    require_model_card: boolean;
+    require_security_review: boolean;
+    block_on_failure: boolean;
+    generate_sarif: boolean;
+    allowed_environments: string[];
+}, {
+    require_golden_thread?: boolean | undefined;
+    require_asset_card?: boolean | undefined;
+    require_risk_classification?: boolean | undefined;
+    require_model_card?: boolean | undefined;
+    require_security_review?: boolean | undefined;
+    block_on_failure?: boolean | undefined;
+    generate_sarif?: boolean | undefined;
+    allowed_environments?: string[] | undefined;
+}>;
+type GovernanceLockBuildConstraints = z.infer<typeof GovernanceLockBuildConstraintsSchema>;
+declare const GovernanceLockConstraintsSchema: z.ZodObject<{
+    /** Registry constraints (vendor/model/region) */
+    registry: z.ZodDefault<z.ZodObject<{
+        /** List of approved vendor IDs */
+        allowed_vendor_ids: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
+        /** List of blocked vendor IDs */
+        blocked_vendor_ids: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
+        /** List of approved region codes */
+        allowed_region_codes: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
+        /** List of blocked region codes */
+        blocked_region_codes: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
+        /** List of approved model patterns */
+        allowed_model_patterns: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
+        /** List of blocked model patterns */
+        blocked_model_patterns: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
+        /** Maximum model parameters allowed */
+        max_model_parameters: z.ZodOptional<z.ZodNumber>;
+    }, "strip", z.ZodTypeAny, {
+        allowed_vendor_ids: string[];
+        blocked_vendor_ids: string[];
+        allowed_region_codes: string[];
+        blocked_region_codes: string[];
+        allowed_model_patterns: string[];
+        blocked_model_patterns: string[];
+        max_model_parameters?: number | undefined;
+    }, {
+        max_model_parameters?: number | undefined;
+        allowed_vendor_ids?: string[] | undefined;
+        blocked_vendor_ids?: string[] | undefined;
+        allowed_region_codes?: string[] | undefined;
+        blocked_region_codes?: string[] | undefined;
+        allowed_model_patterns?: string[] | undefined;
+        blocked_model_patterns?: string[] | undefined;
+    }>>;
+    /** Runtime constraints */
+    runtime: z.ZodDefault<z.ZodObject<{
+        /** Whether PII filtering is required */
+        pii_filter_enabled: z.ZodDefault<z.ZodBoolean>;
+        /** PII filter action */
+        pii_filter_action: z.ZodOptional<z.ZodEnum<["redact", "block", "warn", "audit"]>>;
+        /** Whether toxicity filtering is required */
+        toxicity_filter_enabled: z.ZodDefault<z.ZodBoolean>;
+        /** Toxicity threshold */
+        toxicity_threshold: z.ZodOptional<z.ZodNumber>;
+        /** Data retention period in days */
+        data_retention_days: z.ZodDefault<z.ZodNumber>;
+        /** Whether watermarking is required */
+        watermark_enabled: z.ZodDefault<z.ZodBoolean>;
+        /** Logging level */
+        logging_level: z.ZodDefault<z.ZodEnum<["none", "errors", "all"]>>;
+        /** Maximum tokens per request */
+        max_tokens_per_request: z.ZodOptional<z.ZodNumber>;
+        /** Maximum cost per day in USD */
+        max_cost_per_day_usd: z.ZodOptional<z.ZodNumber>;
+        /** Kill switch enabled */
+        kill_switch_enabled: z.ZodDefault<z.ZodBoolean>;
+    }, "strip", z.ZodTypeAny, {
+        data_retention_days: number;
+        watermark_enabled: boolean;
+        logging_level: "errors" | "none" | "all";
+        pii_filter_enabled: boolean;
+        toxicity_filter_enabled: boolean;
+        kill_switch_enabled: boolean;
+        max_tokens_per_request?: number | undefined;
+        max_cost_per_day_usd?: number | undefined;
+        pii_filter_action?: "audit" | "block" | "redact" | "warn" | undefined;
+        toxicity_threshold?: number | undefined;
+    }, {
+        data_retention_days?: number | undefined;
+        watermark_enabled?: boolean | undefined;
+        logging_level?: "errors" | "none" | "all" | undefined;
+        max_tokens_per_request?: number | undefined;
+        max_cost_per_day_usd?: number | undefined;
+        pii_filter_enabled?: boolean | undefined;
+        pii_filter_action?: "audit" | "block" | "redact" | "warn" | undefined;
+        toxicity_filter_enabled?: boolean | undefined;
+        toxicity_threshold?: number | undefined;
+        kill_switch_enabled?: boolean | undefined;
+    }>>;
+    /** Build constraints */
+    build: z.ZodDefault<z.ZodObject<{
+        /** Require Golden Thread linkage */
+        require_golden_thread: z.ZodDefault<z.ZodBoolean>;
+        /** Require asset card */
+        require_asset_card: z.ZodDefault<z.ZodBoolean>;
+        /** Require risk classification */
+        require_risk_classification: z.ZodDefault<z.ZodBoolean>;
+        /** Require model card */
+        require_model_card: z.ZodDefault<z.ZodBoolean>;
+        /** Require security review for high risk */
+        require_security_review: z.ZodDefault<z.ZodBoolean>;
+        /** Block merge on validation failure */
+        block_on_failure: z.ZodDefault<z.ZodBoolean>;
+        /** Generate SARIF report */
+        generate_sarif: z.ZodDefault<z.ZodBoolean>;
+        /** Allowed environments */
+        allowed_environments: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
+    }, "strip", z.ZodTypeAny, {
+        require_golden_thread: boolean;
+        require_asset_card: boolean;
+        require_risk_classification: boolean;
+        require_model_card: boolean;
+        require_security_review: boolean;
+        block_on_failure: boolean;
+        generate_sarif: boolean;
+        allowed_environments: string[];
+    }, {
+        require_golden_thread?: boolean | undefined;
+        require_asset_card?: boolean | undefined;
+        require_risk_classification?: boolean | undefined;
+        require_model_card?: boolean | undefined;
+        require_security_review?: boolean | undefined;
+        block_on_failure?: boolean | undefined;
+        generate_sarif?: boolean | undefined;
+        allowed_environments?: string[] | undefined;
+    }>>;
+}, "strip", z.ZodTypeAny, {
+    runtime: {
+        data_retention_days: number;
+        watermark_enabled: boolean;
+        logging_level: "errors" | "none" | "all";
+        pii_filter_enabled: boolean;
+        toxicity_filter_enabled: boolean;
+        kill_switch_enabled: boolean;
+        max_tokens_per_request?: number | undefined;
+        max_cost_per_day_usd?: number | undefined;
+        pii_filter_action?: "audit" | "block" | "redact" | "warn" | undefined;
+        toxicity_threshold?: number | undefined;
+    };
+    build: {
+        require_golden_thread: boolean;
+        require_asset_card: boolean;
+        require_risk_classification: boolean;
+        require_model_card: boolean;
+        require_security_review: boolean;
+        block_on_failure: boolean;
+        generate_sarif: boolean;
+        allowed_environments: string[];
+    };
+    registry: {
+        allowed_vendor_ids: string[];
+        blocked_vendor_ids: string[];
+        allowed_region_codes: string[];
+        blocked_region_codes: string[];
+        allowed_model_patterns: string[];
+        blocked_model_patterns: string[];
+        max_model_parameters?: number | undefined;
+    };
+}, {
+    runtime?: {
+        data_retention_days?: number | undefined;
+        watermark_enabled?: boolean | undefined;
+        logging_level?: "errors" | "none" | "all" | undefined;
+        max_tokens_per_request?: number | undefined;
+        max_cost_per_day_usd?: number | undefined;
+        pii_filter_enabled?: boolean | undefined;
+        pii_filter_action?: "audit" | "block" | "redact" | "warn" | undefined;
+        toxicity_filter_enabled?: boolean | undefined;
+        toxicity_threshold?: number | undefined;
+        kill_switch_enabled?: boolean | undefined;
+    } | undefined;
+    build?: {
+        require_golden_thread?: boolean | undefined;
+        require_asset_card?: boolean | undefined;
+        require_risk_classification?: boolean | undefined;
+        require_model_card?: boolean | undefined;
+        require_security_review?: boolean | undefined;
+        block_on_failure?: boolean | undefined;
+        generate_sarif?: boolean | undefined;
+        allowed_environments?: string[] | undefined;
+    } | undefined;
+    registry?: {
+        max_model_parameters?: number | undefined;
+        allowed_vendor_ids?: string[] | undefined;
+        blocked_vendor_ids?: string[] | undefined;
+        allowed_region_codes?: string[] | undefined;
+        blocked_region_codes?: string[] | undefined;
+        allowed_model_patterns?: string[] | undefined;
+        blocked_model_patterns?: string[] | undefined;
+    } | undefined;
+}>;
+type GovernanceLockConstraints = z.infer<typeof GovernanceLockConstraintsSchema>;
+declare const GovernanceLockSchema: z.ZodObject<{
+    /** Schema version for forward compatibility */
+    version: z.ZodLiteral<"1.0">;
+    /** When this lock file was generated */
+    generated_at: z.ZodString;
+    /** SHA-256 hash of the compiled policy (AIR) */
+    policy_hash: z.ZodString;
+    /** Name of this policy lock */
+    name: z.ZodOptional<z.ZodString>;
+    /** Description of this lock file */
+    description: z.ZodOptional<z.ZodString>;
+    /** Policy sources that contributed to this lock */
+    policy_sources: z.ZodDefault<z.ZodArray<z.ZodObject<{
+        /** Unique identifier for this source */
+        id: z.ZodString;
+        /** Type of source */
+        type: z.ZodEnum<["pdf", "url", "confluence", "jira", "manual"]>;
+        /** URI to the source document */
+        uri: z.ZodString;
+        /** SHA-256 hash of the source content at time of compilation */
+        content_hash: z.ZodString;
+        /** When the source was fetched */
+        fetched_at: z.ZodString;
+        /** Title of the policy document */
+        title: z.ZodOptional<z.ZodString>;
+        /** Version of the policy document */
+        version: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        type: "jira" | "url" | "pdf" | "confluence" | "manual";
+        id: string;
+        uri: string;
+        content_hash: string;
+        fetched_at: string;
+        version?: string | undefined;
+        title?: string | undefined;
+    }, {
+        type: "jira" | "url" | "pdf" | "confluence" | "manual";
+        id: string;
+        uri: string;
+        content_hash: string;
+        fetched_at: string;
+        version?: string | undefined;
+        title?: string | undefined;
+    }>, "many">>;
+    /** Compiled constraints (subset of AIR) */
+    constraints: z.ZodDefault<z.ZodObject<{
+        /** Registry constraints (vendor/model/region) */
+        registry: z.ZodDefault<z.ZodObject<{
+            /** List of approved vendor IDs */
+            allowed_vendor_ids: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
+            /** List of blocked vendor IDs */
+            blocked_vendor_ids: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
+            /** List of approved region codes */
+            allowed_region_codes: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
+            /** List of blocked region codes */
+            blocked_region_codes: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
+            /** List of approved model patterns */
+            allowed_model_patterns: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
+            /** List of blocked model patterns */
+            blocked_model_patterns: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
+            /** Maximum model parameters allowed */
+            max_model_parameters: z.ZodOptional<z.ZodNumber>;
+        }, "strip", z.ZodTypeAny, {
+            allowed_vendor_ids: string[];
+            blocked_vendor_ids: string[];
+            allowed_region_codes: string[];
+            blocked_region_codes: string[];
+            allowed_model_patterns: string[];
+            blocked_model_patterns: string[];
+            max_model_parameters?: number | undefined;
+        }, {
+            max_model_parameters?: number | undefined;
+            allowed_vendor_ids?: string[] | undefined;
+            blocked_vendor_ids?: string[] | undefined;
+            allowed_region_codes?: string[] | undefined;
+            blocked_region_codes?: string[] | undefined;
+            allowed_model_patterns?: string[] | undefined;
+            blocked_model_patterns?: string[] | undefined;
+        }>>;
+        /** Runtime constraints */
+        runtime: z.ZodDefault<z.ZodObject<{
+            /** Whether PII filtering is required */
+            pii_filter_enabled: z.ZodDefault<z.ZodBoolean>;
+            /** PII filter action */
+            pii_filter_action: z.ZodOptional<z.ZodEnum<["redact", "block", "warn", "audit"]>>;
+            /** Whether toxicity filtering is required */
+            toxicity_filter_enabled: z.ZodDefault<z.ZodBoolean>;
+            /** Toxicity threshold */
+            toxicity_threshold: z.ZodOptional<z.ZodNumber>;
+            /** Data retention period in days */
+            data_retention_days: z.ZodDefault<z.ZodNumber>;
+            /** Whether watermarking is required */
+            watermark_enabled: z.ZodDefault<z.ZodBoolean>;
+            /** Logging level */
+            logging_level: z.ZodDefault<z.ZodEnum<["none", "errors", "all"]>>;
+            /** Maximum tokens per request */
+            max_tokens_per_request: z.ZodOptional<z.ZodNumber>;
+            /** Maximum cost per day in USD */
+            max_cost_per_day_usd: z.ZodOptional<z.ZodNumber>;
+            /** Kill switch enabled */
+            kill_switch_enabled: z.ZodDefault<z.ZodBoolean>;
+        }, "strip", z.ZodTypeAny, {
+            data_retention_days: number;
+            watermark_enabled: boolean;
+            logging_level: "errors" | "none" | "all";
+            pii_filter_enabled: boolean;
+            toxicity_filter_enabled: boolean;
+            kill_switch_enabled: boolean;
+            max_tokens_per_request?: number | undefined;
+            max_cost_per_day_usd?: number | undefined;
+            pii_filter_action?: "audit" | "block" | "redact" | "warn" | undefined;
+            toxicity_threshold?: number | undefined;
+        }, {
+            data_retention_days?: number | undefined;
+            watermark_enabled?: boolean | undefined;
+            logging_level?: "errors" | "none" | "all" | undefined;
+            max_tokens_per_request?: number | undefined;
+            max_cost_per_day_usd?: number | undefined;
+            pii_filter_enabled?: boolean | undefined;
+            pii_filter_action?: "audit" | "block" | "redact" | "warn" | undefined;
+            toxicity_filter_enabled?: boolean | undefined;
+            toxicity_threshold?: number | undefined;
+            kill_switch_enabled?: boolean | undefined;
+        }>>;
+        /** Build constraints */
+        build: z.ZodDefault<z.ZodObject<{
+            /** Require Golden Thread linkage */
+            require_golden_thread: z.ZodDefault<z.ZodBoolean>;
+            /** Require asset card */
+            require_asset_card: z.ZodDefault<z.ZodBoolean>;
+            /** Require risk classification */
+            require_risk_classification: z.ZodDefault<z.ZodBoolean>;
+            /** Require model card */
+            require_model_card: z.ZodDefault<z.ZodBoolean>;
+            /** Require security review for high risk */
+            require_security_review: z.ZodDefault<z.ZodBoolean>;
+            /** Block merge on validation failure */
+            block_on_failure: z.ZodDefault<z.ZodBoolean>;
+            /** Generate SARIF report */
+            generate_sarif: z.ZodDefault<z.ZodBoolean>;
+            /** Allowed environments */
+            allowed_environments: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
+        }, "strip", z.ZodTypeAny, {
+            require_golden_thread: boolean;
+            require_asset_card: boolean;
+            require_risk_classification: boolean;
+            require_model_card: boolean;
+            require_security_review: boolean;
+            block_on_failure: boolean;
+            generate_sarif: boolean;
+            allowed_environments: string[];
+        }, {
+            require_golden_thread?: boolean | undefined;
+            require_asset_card?: boolean | undefined;
+            require_risk_classification?: boolean | undefined;
+            require_model_card?: boolean | undefined;
+            require_security_review?: boolean | undefined;
+            block_on_failure?: boolean | undefined;
+            generate_sarif?: boolean | undefined;
+            allowed_environments?: string[] | undefined;
+        }>>;
+    }, "strip", z.ZodTypeAny, {
+        runtime: {
+            data_retention_days: number;
+            watermark_enabled: boolean;
+            logging_level: "errors" | "none" | "all";
+            pii_filter_enabled: boolean;
+            toxicity_filter_enabled: boolean;
+            kill_switch_enabled: boolean;
+            max_tokens_per_request?: number | undefined;
+            max_cost_per_day_usd?: number | undefined;
+            pii_filter_action?: "audit" | "block" | "redact" | "warn" | undefined;
+            toxicity_threshold?: number | undefined;
+        };
+        build: {
+            require_golden_thread: boolean;
+            require_asset_card: boolean;
+            require_risk_classification: boolean;
+            require_model_card: boolean;
+            require_security_review: boolean;
+            block_on_failure: boolean;
+            generate_sarif: boolean;
+            allowed_environments: string[];
+        };
+        registry: {
+            allowed_vendor_ids: string[];
+            blocked_vendor_ids: string[];
+            allowed_region_codes: string[];
+            blocked_region_codes: string[];
+            allowed_model_patterns: string[];
+            blocked_model_patterns: string[];
+            max_model_parameters?: number | undefined;
+        };
+    }, {
+        runtime?: {
+            data_retention_days?: number | undefined;
+            watermark_enabled?: boolean | undefined;
+            logging_level?: "errors" | "none" | "all" | undefined;
+            max_tokens_per_request?: number | undefined;
+            max_cost_per_day_usd?: number | undefined;
+            pii_filter_enabled?: boolean | undefined;
+            pii_filter_action?: "audit" | "block" | "redact" | "warn" | undefined;
+            toxicity_filter_enabled?: boolean | undefined;
+            toxicity_threshold?: number | undefined;
+            kill_switch_enabled?: boolean | undefined;
+        } | undefined;
+        build?: {
+            require_golden_thread?: boolean | undefined;
+            require_asset_card?: boolean | undefined;
+            require_risk_classification?: boolean | undefined;
+            require_model_card?: boolean | undefined;
+            require_security_review?: boolean | undefined;
+            block_on_failure?: boolean | undefined;
+            generate_sarif?: boolean | undefined;
+            allowed_environments?: string[] | undefined;
+        } | undefined;
+        registry?: {
+            max_model_parameters?: number | undefined;
+            allowed_vendor_ids?: string[] | undefined;
+            blocked_vendor_ids?: string[] | undefined;
+            allowed_region_codes?: string[] | undefined;
+            blocked_region_codes?: string[] | undefined;
+            allowed_model_patterns?: string[] | undefined;
+            blocked_model_patterns?: string[] | undefined;
+        } | undefined;
+    }>>;
+    /** Digital signatures from policy owners */
+    signatures: z.ZodDefault<z.ZodArray<z.ZodObject<{
+        /** Signer identity (email or system ID) */
+        signer: z.ZodString;
+        /** Role of the signer (e.g., "CISO", "PolicyOwner", "SecurityLead") */
+        role: z.ZodOptional<z.ZodString>;
+        /** Algorithm used: RS256 (RSA-SHA256) or ES256 (ECDSA-P256) */
+        algorithm: z.ZodEnum<["RS256", "ES256"]>;
+        /** Base64-encoded signature */
+        signature: z.ZodString;
+        /** When the signature was created */
+        signed_at: z.ZodString;
+        /** Key ID for key rotation support */
+        key_id: z.ZodOptional<z.ZodString>;
+        /** Expiration of this signature (optional, separate from lock expiration) */
+        expires_at: z.ZodOptional<z.ZodString>;
+        /** Certificate chain for verification (optional) */
+        certificate_chain: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    }, "strip", z.ZodTypeAny, {
+        signature: string;
+        algorithm: "RS256" | "ES256";
+        signer: string;
+        signed_at: string;
+        role?: string | undefined;
+        expires_at?: string | undefined;
+        key_id?: string | undefined;
+        certificate_chain?: string[] | undefined;
+    }, {
+        signature: string;
+        algorithm: "RS256" | "ES256";
+        signer: string;
+        signed_at: string;
+        role?: string | undefined;
+        expires_at?: string | undefined;
+        key_id?: string | undefined;
+        certificate_chain?: string[] | undefined;
+    }>, "many">>;
+    /** When this lock file expires (forces re-compilation) */
+    expires_at: z.ZodString;
+    /** Tool/system that generated this lock */
+    generated_by: z.ZodDefault<z.ZodString>;
+    /** Version of the generator */
+    generator_version: z.ZodDefault<z.ZodString>;
+    /** Organization this lock belongs to */
+    organization: z.ZodOptional<z.ZodString>;
+    /** Environment this lock is for */
+    environment: z.ZodOptional<z.ZodString>;
+    /** Reference to the full AIR document (optional) */
+    air_reference: z.ZodOptional<z.ZodObject<{
+        /** AIR document ID */
+        id: z.ZodString;
+        /** AIR document location (URI) */
+        location: z.ZodOptional<z.ZodString>;
+        /** AIR document hash */
+        hash: z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        hash: string;
+        id: string;
+        location?: string | undefined;
+    }, {
+        hash: string;
+        id: string;
+        location?: string | undefined;
+    }>>;
+    /** Custom metadata fields */
+    metadata: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+}, "strip", z.ZodTypeAny, {
+    version: "1.0";
+    constraints: {
+        runtime: {
+            data_retention_days: number;
+            watermark_enabled: boolean;
+            logging_level: "errors" | "none" | "all";
+            pii_filter_enabled: boolean;
+            toxicity_filter_enabled: boolean;
+            kill_switch_enabled: boolean;
+            max_tokens_per_request?: number | undefined;
+            max_cost_per_day_usd?: number | undefined;
+            pii_filter_action?: "audit" | "block" | "redact" | "warn" | undefined;
+            toxicity_threshold?: number | undefined;
+        };
+        build: {
+            require_golden_thread: boolean;
+            require_asset_card: boolean;
+            require_risk_classification: boolean;
+            require_model_card: boolean;
+            require_security_review: boolean;
+            block_on_failure: boolean;
+            generate_sarif: boolean;
+            allowed_environments: string[];
+        };
+        registry: {
+            allowed_vendor_ids: string[];
+            blocked_vendor_ids: string[];
+            allowed_region_codes: string[];
+            blocked_region_codes: string[];
+            allowed_model_patterns: string[];
+            blocked_model_patterns: string[];
+            max_model_parameters?: number | undefined;
+        };
+    };
+    expires_at: string;
+    generated_at: string;
+    generated_by: string;
+    policy_sources: {
+        type: "jira" | "url" | "pdf" | "confluence" | "manual";
+        id: string;
+        uri: string;
+        content_hash: string;
+        fetched_at: string;
+        version?: string | undefined;
+        title?: string | undefined;
+    }[];
+    signatures: {
+        signature: string;
+        algorithm: "RS256" | "ES256";
+        signer: string;
+        signed_at: string;
+        role?: string | undefined;
+        expires_at?: string | undefined;
+        key_id?: string | undefined;
+        certificate_chain?: string[] | undefined;
+    }[];
+    policy_hash: string;
+    generator_version: string;
+    name?: string | undefined;
+    organization?: string | undefined;
+    description?: string | undefined;
+    metadata?: Record<string, unknown> | undefined;
+    environment?: string | undefined;
+    air_reference?: {
+        hash: string;
+        id: string;
+        location?: string | undefined;
+    } | undefined;
+}, {
+    version: "1.0";
+    expires_at: string;
+    generated_at: string;
+    policy_hash: string;
+    name?: string | undefined;
+    organization?: string | undefined;
+    description?: string | undefined;
+    metadata?: Record<string, unknown> | undefined;
+    constraints?: {
+        runtime?: {
+            data_retention_days?: number | undefined;
+            watermark_enabled?: boolean | undefined;
+            logging_level?: "errors" | "none" | "all" | undefined;
+            max_tokens_per_request?: number | undefined;
+            max_cost_per_day_usd?: number | undefined;
+            pii_filter_enabled?: boolean | undefined;
+            pii_filter_action?: "audit" | "block" | "redact" | "warn" | undefined;
+            toxicity_filter_enabled?: boolean | undefined;
+            toxicity_threshold?: number | undefined;
+            kill_switch_enabled?: boolean | undefined;
+        } | undefined;
+        build?: {
+            require_golden_thread?: boolean | undefined;
+            require_asset_card?: boolean | undefined;
+            require_risk_classification?: boolean | undefined;
+            require_model_card?: boolean | undefined;
+            require_security_review?: boolean | undefined;
+            block_on_failure?: boolean | undefined;
+            generate_sarif?: boolean | undefined;
+            allowed_environments?: string[] | undefined;
+        } | undefined;
+        registry?: {
+            max_model_parameters?: number | undefined;
+            allowed_vendor_ids?: string[] | undefined;
+            blocked_vendor_ids?: string[] | undefined;
+            allowed_region_codes?: string[] | undefined;
+            blocked_region_codes?: string[] | undefined;
+            allowed_model_patterns?: string[] | undefined;
+            blocked_model_patterns?: string[] | undefined;
+        } | undefined;
+    } | undefined;
+    generated_by?: string | undefined;
+    environment?: string | undefined;
+    policy_sources?: {
+        type: "jira" | "url" | "pdf" | "confluence" | "manual";
+        id: string;
+        uri: string;
+        content_hash: string;
+        fetched_at: string;
+        version?: string | undefined;
+        title?: string | undefined;
+    }[] | undefined;
+    signatures?: {
+        signature: string;
+        algorithm: "RS256" | "ES256";
+        signer: string;
+        signed_at: string;
+        role?: string | undefined;
+        expires_at?: string | undefined;
+        key_id?: string | undefined;
+        certificate_chain?: string[] | undefined;
+    }[] | undefined;
+    generator_version?: string | undefined;
+    air_reference?: {
+        hash: string;
+        id: string;
+        location?: string | undefined;
+    } | undefined;
+}>;
+type GovernanceLock = z.infer<typeof GovernanceLockSchema>;
+interface GovernanceLockValidationResult {
+    /** Whether the lock file is valid */
+    valid: boolean;
+    /** Validation errors */
+    errors: string[];
+    /** Validation warnings */
+    warnings: string[];
+    /** Whether the lock file has expired */
+    expired: boolean;
+    /** Days until expiration (negative if expired) */
+    daysUntilExpiration: number;
+    /** Whether signatures are present */
+    signed: boolean;
+    /** Number of valid signatures */
+    validSignatureCount: number;
+    /** Whether policy hash is valid */
+    policyHashValid: boolean;
+}
+/**
+ * Computes SHA-256 hash of a string
+ */
+declare function computeHash(data: string): Promise<string>;
+/**
+ * Creates a governance.lock from an AIR document
+ */
+declare function createGovernanceLock(air: AIR, options?: {
+    expiresInDays?: number;
+    name?: string;
+    description?: string;
+    organization?: string;
+    environment?: string;
+}): Promise<GovernanceLock>;
+/**
+ * Validates a governance.lock file
+ */
+declare function validateGovernanceLock(lock: unknown, options?: {
+    /** Whether to check expiration */
+    checkExpiration?: boolean;
+    /** Whether to require signatures */
+    requireSignatures?: boolean;
+    /** Expected policy hash (for integrity check) */
+    expectedPolicyHash?: string;
+}): GovernanceLockValidationResult;
+/**
+ * Parses a governance.lock file from YAML string
+ */
+declare function parseGovernanceLockYAML(content: string): GovernanceLock;
+/**
+ * Parses a governance.lock file from JSON string
+ */
+declare function parseGovernanceLockJSON(content: string): GovernanceLock;
+/**
+ * Serializes a governance.lock to YAML
+ */
+declare function serializeGovernanceLockYAML(lock: GovernanceLock): string;
+/**
+ * Serializes a governance.lock to JSON
+ */
+declare function serializeGovernanceLockJSON(lock: GovernanceLock, pretty?: boolean): string;
+/**
+ * Checks if a governance.lock file is expired
+ */
+declare function isGovernanceLockExpired(lock: GovernanceLock): boolean;
+/**
+ * Gets the number of days until a governance.lock expires
+ */
+declare function getDaysUntilExpiration(lock: GovernanceLock): number;
+/**
+ * Checks if a vendor is allowed by the governance.lock
+ */
+declare function isVendorAllowedByLock(vendorId: string, lock: GovernanceLock): boolean;
+/**
+ * Checks if a model is allowed by the governance.lock
+ */
+declare function isModelAllowedByLock(modelId: string, lock: GovernanceLock): boolean;
+/**
+ * Checks if a region is allowed by the governance.lock
+ */
+declare function isRegionAllowedByLock(regionCode: string, lock: GovernanceLock): boolean;
+/**
+ * Creates a canonical string for signing
+ */
+declare function createSigningPayload(lock: GovernanceLock): string;
+/**
+ * Adds a signature to a governance.lock
+ * Note: Actual cryptographic signing is delegated to external libraries
+ */
+declare function addSignature(lock: GovernanceLock, signature: GovernanceLockSignature): GovernanceLock;
+export { type GovernanceLock, type GovernanceLockBuildConstraints, GovernanceLockBuildConstraintsSchema, type GovernanceLockConstraints, GovernanceLockConstraintsSchema, type GovernanceLockPolicySource, GovernanceLockPolicySourceSchema, type GovernanceLockRegistryConstraints, GovernanceLockRegistryConstraintsSchema, type GovernanceLockRuntimeConstraints, GovernanceLockRuntimeConstraintsSchema, GovernanceLockSchema, type GovernanceLockSignature, GovernanceLockSignatureSchema, type GovernanceLockValidationResult, addSignature, computeHash, createGovernanceLock, createSigningPayload, getDaysUntilExpiration, isGovernanceLockExpired, isModelAllowedByLock, isRegionAllowedByLock, isVendorAllowedByLock, parseGovernanceLockJSON, parseGovernanceLockYAML, serializeGovernanceLockJSON, serializeGovernanceLockYAML, validateGovernanceLock };