npm - @aporthq/aport-agent-guardrails - Versions diffs - 1.0.8 - Mend

@aporthq/aport-agent-guardrails 1.0.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (237) hide show

package/external/aport-spec/LICENSE ADDED Viewed

@@ -0,0 +1,21 @@
+MIT License
+Copyright (c) 2025 LiftRails Inc.
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/external/aport-spec/README.md ADDED Viewed

@@ -0,0 +1,168 @@
+# Open Agent Passport (OAP) v1.0 (**draft**)
+> *The runtime trust rail for AI agents*
+---
+## The Agentic Era Demands New Standards
+As AI agents become the primary interface for digital commerce, a fundamental question emerges: *How do we trust what we cannot see?*
+Traditional identity verification answers *who* built an agent. But in a world where agents complete transactions in milliseconds, we need something more: **real-time enforcement of what agents are allowed to do at the point of action.**
+The Open Agent Passport (OAP) v1.0 is the first specification designed for this new reality—a lightweight, cryptographically verifiable credential that enables **Pre-action authorization** for AI agents across any platform.
+---
+## Why OAP Matters
+### The Problem
+- **Agentic commerce** is accelerating, but trust infrastructure hasn't kept pace
+- Merchants need **instant verification** before money or data moves
+- Platforms require **sub-100ms decisions** at the point of action
+- Current solutions focus on *who* built the agent, not *what* it can do
+### The Solution
+OAP provides the **runtime trust layer** that makes agentic commerce safe and scalable:
+- **Pre-action authorization** before sensitive operations
+- **Cryptographically signed decisions** for audit trails
+- **Global suspend capabilities** for instant risk mitigation
+- **Standardized policy packs** for consistent enforcement
+---
+## Core Specification
+### 📋 The Foundation
+- **[OAP v1.0 Specification](./oap/oap-spec.md)** — Complete normative specification
+- **[Passport Schema](./oap/passport-schema.json)** — Agent identity and capabilities
+- **[Decision Schema](./oap/decision-schema.json)** — Authorization decisions
+- **[Security Model](./oap/security.md)** — Cryptographic verification
+### 🎯 Policy Framework
+- **[Capability Registry](./oap/capability-registry.md)** — Standardized capabilities and limits
+- **[Conformance Requirements](./oap/conformance.md)** — Implementation standards
+### 📝 Implementation Examples
+- **[Template Passport](./oap/examples/passport.template.v1.json)** — Agent template
+- **[Instance Passport](./oap/examples/passport.instance.v1.json)** — Deployed agent
+- **[Allow Decision](./oap/examples/decision.allow.sample.json)** — Authorization granted
+- **[Deny Decision](./oap/examples/decision.deny.sample.json)** — Authorization denied
+---
+## Verifiable Credentials Integration
+OAP objects integrate seamlessly with W3C Verifiable Credentials for maximum interoperability.
+### 🔐 VC Specifications
+- **[JSON-LD Context](./oap/vc/context-oap-v1.jsonld)** — OAP VC context definition
+- **[VC Mapping Guide](./oap/vc/vc-mapping.md)** — OAP ↔ VC conversion rules
+- **[VC Examples](./oap/vc/examples/)** — Passport and Decision as VCs
+### 🛠️ Developer Tools
+- **[CLI Tools](./oap/vc/tools/)** — Command-line conversion utilities
+- **[SDK Integration](./oap/vc/tools/INTEGRATION.md)** — Integration guide
+- **[JavaScript Examples](./oap/vc/tools/examples/)** — Usage examples
+---
+## Conformance Testing
+Verify your implementation meets OAP standards with our comprehensive testing suite.
+### 🧪 Test Runner
+- **[Conformance Runner](./conformance/)** — CLI tool for validation
+- **[Test Cases](./conformance/cases/)** — Standard test scenarios
+- **[Documentation](./conformance/README.md)** — Usage and certification
+### 📊 Coverage
+- **Schema Validation** — JSON Schema compliance
+- **Policy Evaluation** — Decision logic verification
+- **Signature Verification** — Ed25519 cryptographic validation
+- **Performance Testing** — Response time validation
+---
+## Quick Start
+### For Platform Builders
+1. **Understand the Problem** — Read [OAP v1.0 Specification](./oap/oap-spec.md)
+2. **See It in Action** — Review [examples](./oap/examples/) for implementation patterns
+3. **Validate Your Implementation** — Use [conformance runner](./conformance/) for testing
+4. **Integrate with VCs** — Follow [VC mapping guide](./oap/vc/vc-mapping.md)
+### For Developers
+1. **API Integration** — Use [OpenAPI spec](./api/openapi-generated.json) for client generation
+2. **SDK Implementation** — Follow [integration guides](./oap/vc/tools/INTEGRATION.md)
+3. **Policy Development** — Review [capability registry](./oap/capability-registry.md)
+---
+## The OAP Ecosystem
+### How It Works
+1. **Agent Registration** — Developers register agents with verified capabilities
+2. **Policy Evaluation** — Real-time authorization at the point of action
+3. **Decision Recording** — Cryptographically signed receipts for audit
+4. **Continuous Monitoring** — Ongoing verification and risk assessment
+### Key Benefits
+- **Instant Trust** — Sub-100ms authorization decisions
+- **Audit Trail** — Cryptographically signed decision receipts
+- **Global Control** — Instant suspend capabilities across platforms
+- **Standards Compliance** — Built for regulatory requirements
+---
+## Industry Adoption
+OAP is designed to work with existing identity frameworks:
+- **KYA (Know Your Agent)** — OAP implements KYA at runtime via policy packs
+- **W3C Verifiable Credentials** — Full VC interoperability
+- **Existing KYC/KYB** — Complements rather than replaces traditional verification
+---
+## Versioning & Updates
+- **[Version History](./oap/VERSION.md)** — OAP specification versioning
+- **[Changelog](./oap/CHANGELOG.md)** — Detailed change history
+---
+## Contributing
+We welcome contributions to the OAP specification and tooling.
+- **[Contributing Guide](./CONTRIBUTING.md)** — Development guidelines
+- **[Main Documentation](https://aport.io/docs/)** — Detailed feature documentation
+- **[Examples](./oap/examples/)** — Code examples and tutorials
+- **[Policy Packs](https://aport.io/policy-packs)** — Available policy implementations
+---
+## License
+All specifications are released under the MIT License. See [LICENSE](./LICENSE) for details.
+---
+<div align="center">
+**Open Agent Passport v1.0**
+*The runtime trust rail for AI agents*
+[![OAP Version](https://img.shields.io/badge/OAP-v1.0.0-blue.svg)](./oap/VERSION.md)
+[![Specification Status](https://img.shields.io/badge/Status-Stable-green.svg)](./oap/oap-spec.md)
+[![License](https://img.shields.io/badge/License-MIT-yellow.svg)](./LICENSE)
+</div>
+---
+**Last Updated**: 2026-02-15 18:32:09 UTC

package/external/aport-spec/conformance/README.md ADDED Viewed

@@ -0,0 +1,294 @@
+# OAP Conformance Test Runner
+A CLI tool for validating **your OAP implementation** against the Open Agent Passport specification.
+## What It Does
+The conformance runner validates **your OAP implementation** by:
+- ✅ **Schema Validation**: Ensures your passports and decisions conform to OAP JSON schemas
+- ✅ **Policy Evaluation**: Tests your policy logic with various contexts and limits
+- ✅ **Signature Verification**: Validates your Ed25519 signatures over JCS-canonicalized payloads
+- ✅ **API Testing**: Tests your OAP endpoints for compliance
+- ✅ **Report Generation**: Produces detailed PASS/FAIL reports for certification
+## Quick Start
+### 1. Get the OAP Specification
+```bash
+# Clone the OAP spec repository
+git clone https://github.com/aporthq/oap-spec.git
+cd oap-spec
+```
+### 2. Install Dependencies
+```bash
+# Navigate to conformance directory
+cd spec/conformance
+# Install dependencies
+pnpm install
+```
+### 3. Test Your OAP Implementation
+```bash
+# Test your OAP API endpoint
+pnpm test --endpoint https://your-oap-api.com
+# Test with your passport file
+pnpm test --passport-file /path/to/your-passport.json
+# Test with your decision file
+pnpm test --decision-file /path/to/your-decision.json
+# Test all components
+pnpm test --endpoint https://your-oap-api.com --passport-file passport.json --decision-file decision.json
+```
+### 4. Expected Output
+```bash
+🔍 OAP Conformance Test Runner v1.0.0
+Testing your OAP implementation...
+✅ Passport validation: PASS
+✅ Decision validation: PASS
+✅ Policy evaluation: PASS
+✅ Signature verification: PASS
+✅ API compliance: PASS
+📊 Conformance Test Results
+✅ Passed: 5
+❌ Failed: 0
+📈 Success Rate: 100.0%
+🎯 Your implementation is OAP compliant!
+```
+## CLI Commands
+### Testing Your Implementation
+```bash
+# Test your OAP API endpoint
+pnpm test --endpoint https://your-oap-api.com
+# Test with your passport file
+pnpm test --passport-file /path/to/your-passport.json
+# Test with your decision file
+pnpm test --decision-file /path/to/your-decision.json
+# Test all components together
+pnpm test --endpoint https://your-oap-api.com --passport-file passport.json --decision-file decision.json
+```
+### Policy Pack Testing
+```bash
+# Test specific policy pack against your implementation
+pnpm test --endpoint https://your-oap-api.com --pack finance.payment.refund.v1
+# Test with verbose output
+pnpm test --endpoint https://your-oap-api.com --pack data.export.create.v1 --verbose
+```
+### Reporting
+```bash
+# Generate detailed JSON report
+pnpm test --endpoint https://your-oap-api.com --report
+# Verbose output for debugging
+pnpm test --endpoint https://your-oap-api.com --verbose
+```
+### Development
+```bash
+# Watch mode for development
+pnpm dev
+# Build TypeScript
+pnpm build
+# Run simple JavaScript version (fallback)
+pnpm run test:simple
+```
+## Understanding Test Results
+### What "PASS" Means
+- ✅ **PASS**: Implementation correctly enforces OAP policies
+- ✅ **PASS**: Valid operations are allowed
+- ✅ **PASS**: Invalid operations are properly denied
+### What "FAIL" Means
+- ❌ **FAIL**: Implementation incorrectly allows/denies operations
+- ❌ **FAIL**: Schema validation errors
+- ❌ **FAIL**: Policy logic errors
+### Example Output
+```bash
+🔍 OAP Conformance Test Runner v1.0.0
+✅ Loaded 5 test cases
+Running data.export.create.v1:allow_users...
+  ✅ PASS
+Running data.export.create.v1:deny_pii...
+  ❌ FAIL: Policy evaluation failed: PII export not allowed
+Running finance.payment.refund.v1:allow_50usd...
+  ✅ PASS
+Running finance.payment.refund.v1:deny_150usd...
+  ❌ FAIL: Policy evaluation failed: Amount 15000 exceeds max per transaction 5000
+Running finance.payment.refund.v1:deny_currency...
+  ✅ PASS
+📊 Test Results
+✅ Passed: 3
+❌ Failed: 2
+📈 Success Rate: 60.0%
+❌ Failed Tests:
+  • data.export.create.v1:deny_pii
+    - Policy evaluation failed: PII export not allowed
+  • finance.payment.refund.v1:deny_150usd
+    - Policy evaluation failed: Amount 15000 exceeds max per transaction 5000
+🎯 Conformance testing complete!
+```
+**Note**: The "failures" above are actually **correct behavior** - the system is properly denying operations that should be denied!
+## Certification Process
+### For OAP Implementers
+1. **Test Your Implementation**: Run `pnpm test --endpoint https://your-oap-api.com`
+2. **Validate All Components**: Test passports, decisions, and API endpoints
+3. **Achieve 100% Pass Rate**: All tests must pass for certification
+4. **Review Detailed Report**: Use `--report` flag for comprehensive results
+5. **Document Compliance**: Use results for OAP certification claims
+### What Gets Tested
+The conformance runner tests your implementation against:
+- **Passport Creation**: Does your API create valid OAP passports?
+- **Decision Making**: Does your policy engine make correct allow/deny decisions?
+- **Schema Compliance**: Do your JSON responses match OAP schemas?
+- **Signature Generation**: Do you generate valid Ed25519 signatures?
+- **Error Handling**: Do you return proper OAP error codes?
+- **API Endpoints**: Do your endpoints follow OAP patterns?
+### Integration with CI/CD
+```yaml
+# Example GitHub Actions workflow
+name: OAP Conformance Tests
+on: [push, pull_request]
+jobs:
+  conformance:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-node@v3
+        with:
+          node-version: '18'
+      - name: Install pnpm
+        run: npm install -g pnpm
+      - name: Run OAP Conformance Tests
+        run: |
+          cd spec/conformance
+          pnpm install
+          pnpm test --report
+```
+## Test Structure
+```
+spec/conformance/
+├── README.md              # This file
+├── package.json           # Dependencies and scripts
+├── tsconfig.json          # TypeScript configuration
+├── test-runner.js         # Simple JavaScript fallback
+├── src/                   # TypeScript source code
+│   ├── runner.ts          # Main test runner
+│   ├── validators.ts      # Schema and signature validators
+│   ├── jcs.ts            # JCS canonicalization
+│   ├── ed25519.ts        # Ed25519 signature verification
+│   └── cases.ts          # Test case definitions
+├── cases/                 # Test cases by policy pack
+│   ├── finance.payment.refund.v1/       # Refunds policy pack tests
+│   │   ├── passports/     # Test passport templates
+│   │   ├── contexts/      # Test contexts
+│   │   └── expected/      # Expected decisions
+│   ├── data.export.create.v1/   # Data export policy pack tests
+│   └── repo.release.publish.v1/ # Repository release tests
+└── reports/              # Generated test reports
+```
+## Test Cases
+Each policy pack includes:
+- `passports/` - Passport examples (template and instance)
+- `contexts/` - Policy evaluation contexts
+- `expected/` - Expected decision outputs
+- `receipts/` - Decision receipts for signature verification
+## What Gets Tested
+### 1. Passport Validation
+- Required fields present
+- Correct data types
+- Valid UUIDs and timestamps
+- Proper assurance levels (L0-L4FIN)
+- Valid capability structures
+### 2. Policy Evaluation
+- **Refunds**: Amount limits, currency support, reason codes
+- **Data Export**: PII restrictions, collection limits, row limits
+- **Repository Release**: Branch restrictions, artifact signing
+### 3. Decision Validation
+- Correct allow/deny logic
+- Proper reason codes
+- Valid signatures and digests
+- Correct TTL handling
+### 4. Signature Verification
+- Ed25519 signature format validation
+- JCS canonicalization verification
+- Key resolution and validation
+## Reports
+Test results are saved to `reports/` with:
+- `conformance-{timestamp}.json` - Complete test results
+- Summary statistics and detailed per-case results
+- Signature verification results
+## Troubleshooting
+### Common Issues
+**"spawn /bin/zsh ENOENT"**
+```bash
+# Use the simple JavaScript version
+pnpm run test:simple
+```
+**TypeScript compilation errors**
+```bash
+# Install dependencies first
+pnpm install
+# Then run tests
+pnpm test
+```
+**Permission denied**
+```bash
+# Make sure the test runner is executable
+chmod +x test-runner.js
+```
+### Getting Help
+- Check the [OAP Specification](../../oap/oap-spec.md) for detailed requirements
+- Review test cases in the `cases/` directory
+- Use `--verbose` flag for detailed debugging output

package/external/aport-spec/conformance/cases/data.export.v1/contexts/allow_users.json ADDED Viewed

@@ -0,0 +1,6 @@
+{
+  "collection": "users",
+  "estimated_rows": 50000,
+  "include_pii": false,
+  "region": "US"
+}

package/external/aport-spec/conformance/cases/data.export.v1/contexts/deny_pii.json ADDED Viewed

@@ -0,0 +1,6 @@
+{
+  "collection": "users",
+  "estimated_rows": 1000,
+  "include_pii": true,
+  "region": "US"
+}

package/external/aport-spec/conformance/cases/data.export.v1/expected/allow_users.decision.json ADDED Viewed

@@ -0,0 +1,19 @@
+{
+  "decision_id": "550e8400-e29b-41d4-a716-446655440005",
+  "policy_id": "data.export.create.v1",
+  "agent_id": "550e8400-e29b-41d4-a716-446655440001",
+  "owner_id": "org_12345678",
+  "assurance_level": "L1",
+  "allow": true,
+  "reasons": [
+    {
+      "code": "oap.allowed",
+      "message": "Export within limits and policy requirements"
+    }
+  ],
+  "created_at": "2024-01-15T10:30:00Z",
+  "expires_in": 3600,
+  "passport_digest": "sha256:1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef",
+  "signature": "ed25519:bcde2345fghi6789jklm0123nopq4567rstu9012vwxy3456zabc7890defg==",
+  "kid": "oap:registry:key-2025-01"
+}

package/external/aport-spec/conformance/cases/data.export.v1/expected/deny_pii.decision.json ADDED Viewed

@@ -0,0 +1,19 @@
+{
+  "decision_id": "550e8400-e29b-41d4-a716-446655440006",
+  "policy_id": "data.export.create.v1",
+  "agent_id": "550e8400-e29b-41d4-a716-446655440001",
+  "owner_id": "org_12345678",
+  "assurance_level": "L1",
+  "allow": false,
+  "reasons": [
+    {
+      "code": "oap.pii_blocked",
+      "message": "PII export not allowed for this passport"
+    }
+  ],
+  "created_at": "2024-01-15T10:30:00Z",
+  "expires_in": 3600,
+  "passport_digest": "sha256:1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef",
+  "signature": "ed25519:fghi6789jklm0123nopq4567rstu9012vwxy3456zabc7890defgbcde2345==",
+  "kid": "oap:registry:key-2025-01"
+}

package/external/aport-spec/conformance/cases/data.export.v1/passports/template.json ADDED Viewed

@@ -0,0 +1,29 @@
+{
+  "passport_id": "550e8400-e29b-41d4-a716-446655440001",
+  "kind": "template",
+  "spec_version": "oap/1.0",
+  "owner_id": "org_12345678",
+  "owner_type": "org",
+  "assurance_level": "L1",
+  "status": "active",
+  "capabilities": [
+    {
+      "id": "data.export"
+    }
+  ],
+  "limits": {
+    "data.export": {
+      "max_rows": 100000,
+      "allow_pii": false,
+      "allowed_collections": ["users", "orders", "products", "analytics"]
+    }
+  },
+  "regions": ["US", "CA", "EU"],
+  "metadata": {
+    "name": "Data Analytics AI",
+    "description": "AI agent for data analytics operations"
+  },
+  "created_at": "2024-01-01T00:00:00Z",
+  "updated_at": "2024-01-15T10:30:00Z",
+  "version": "1.0.0"
+}

package/external/aport-spec/conformance/cases/payments.refunds.v1/contexts/allow_50usd.json ADDED Viewed

@@ -0,0 +1,9 @@
+{
+  "amount": 5000,
+  "currency": "USD",
+  "order_id": "order_123456789",
+  "customer_id": "cust_987654321",
+  "reason_code": "customer_request",
+  "region": "US",
+  "idempotency_key": "refund_20240115_001"
+}

package/external/aport-spec/conformance/cases/payments.refunds.v1/contexts/deny_150usd.json ADDED Viewed

@@ -0,0 +1,9 @@
+{
+  "amount": 15000,
+  "currency": "USD",
+  "order_id": "order_123456790",
+  "customer_id": "cust_987654322",
+  "reason_code": "customer_request",
+  "region": "US",
+  "idempotency_key": "refund_20240115_002"
+}

package/external/aport-spec/conformance/cases/payments.refunds.v1/contexts/deny_currency.json ADDED Viewed

@@ -0,0 +1,9 @@
+{
+  "amount": 1000,
+  "currency": "JPY",
+  "order_id": "order_123456791",
+  "customer_id": "cust_987654323",
+  "reason_code": "customer_request",
+  "region": "US",
+  "idempotency_key": "refund_20240115_003"
+}

package/external/aport-spec/conformance/cases/payments.refunds.v1/expected/allow_50usd.decision.json ADDED Viewed

@@ -0,0 +1,19 @@
+{
+  "decision_id": "550e8400-e29b-41d4-a716-446655440002",
+  "policy_id": "finance.payment.refund.v1",
+  "agent_id": "550e8400-e29b-41d4-a716-446655440000",
+  "owner_id": "org_12345678",
+  "assurance_level": "L2",
+  "allow": true,
+  "reasons": [
+    {
+      "code": "oap.allowed",
+      "message": "Transaction within limits and policy requirements"
+    }
+  ],
+  "created_at": "2024-01-15T10:30:00Z",
+  "expires_in": 3600,
+  "passport_digest": "sha256:1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef",
+  "signature": "ed25519:abcd1234efgh5678ijkl9012mnop3456qrst7890uvwx1234yzab5678cdef==",
+  "kid": "oap:registry:key-2025-01"
+}

package/external/aport-spec/conformance/cases/payments.refunds.v1/expected/deny_150usd.decision.json ADDED Viewed

@@ -0,0 +1,19 @@
+{
+  "decision_id": "550e8400-e29b-41d4-a716-446655440003",
+  "policy_id": "finance.payment.refund.v1",
+  "agent_id": "550e8400-e29b-41d4-a716-446655440000",
+  "owner_id": "org_12345678",
+  "assurance_level": "L2",
+  "allow": false,
+  "reasons": [
+    {
+      "code": "oap.limit_exceeded",
+      "message": "Transaction amount exceeds maximum per transaction limit"
+    }
+  ],
+  "created_at": "2024-01-15T10:30:00Z",
+  "expires_in": 3600,
+  "passport_digest": "sha256:1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef",
+  "signature": "ed25519:efgh5678ijkl9012mnop3456qrst7890uvwx1234yzab5678cdefabcd1234==",
+  "kid": "oap:registry:key-2025-01"
+}

package/external/aport-spec/conformance/cases/payments.refunds.v1/expected/deny_currency.decision.json ADDED Viewed

@@ -0,0 +1,19 @@
+{
+  "decision_id": "550e8400-e29b-41d4-a716-446655440004",
+  "policy_id": "finance.payment.refund.v1",
+  "agent_id": "550e8400-e29b-41d4-a716-446655440000",
+  "owner_id": "org_12345678",
+  "assurance_level": "L2",
+  "allow": false,
+  "reasons": [
+    {
+      "code": "oap.currency_unsupported",
+      "message": "Currency JPY not supported for this passport"
+    }
+  ],
+  "created_at": "2024-01-15T10:30:00Z",
+  "expires_in": 3600,
+  "passport_digest": "sha256:1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef",
+  "signature": "ed25519:ijkl9012mnop3456qrst7890uvwx1234yzab5678cdefabcd1234efgh5678==",
+  "kid": "oap:registry:key-2025-01"
+}