@arbiterhq/sdk 0.2.0

package/CHANGELOG.md

@@ -0,0 +1,25 @@
+# Changelog
+
+## 0.2.0 — 2026-06-28
+
+First public npm release under **`@arbiterhq/sdk`**. The product name remains **Arbiter**; only the npm scope changed from the previously planned `@arbiter` org.
+
+### Added
+
+- `ArbiterRuntime` — connect, heartbeat, disconnect, evaluate, pollApproval, consumeRelease, getReceipt
+- `ArbiterAdmin` — registry, credentials, manifest plan/sync/drift, human approve/reject
+- **Discovery bootstrap** — workspace API key (`arb_test_*`) + `runtime.connect()` discovers unknown agents
+- **Permission discovery** — `runtime.evaluate()` discovers unknown actions (requires adopted agent)
+- **Runtime dual-auth** — backend accepts workspace API key or agent credential on runtime routes
+- Manifest validation, plan, sync, drift, state signature
+
+### Migration
+
+- Use `ArbiterAdmin` instead of deprecated `Arbiter` for control-plane operations
+- Use `ArbiterRuntime` with `arb_agent_*` for production runtime loops
+- Discovery-first onboarding: `ArbiterRuntime({ credential: ARBITER_API_KEY })` then adopt in dashboard
+- Set `ARBITER_AGENT` (or `connect({ agent })`) in production for stable identity across redeployments
+
+### Breaking changes
+
+- None for new installs. Deprecated `Arbiter` class remains exported with runtime warning.

package/README.md

@@ -0,0 +1,563 @@
+# @arbiterhq/sdk
+
+Official TypeScript SDK for the Arbiter AI governance API.
+
+Two clients align with W7.3 runtime identity:
+
+- **`ArbiterRuntime`** — autonomous agent execution. Accepts **`arb_agent_*`** (production) or **`arb_test_*`** (discovery bootstrap).
+- **`ArbiterAdmin`** — control plane (`arb_test_*`) including manifest plan/drift
+
+### Runtime authentication model
+
+```
+Discovery bootstrap (first connect)
+  Workspace API Key (arb_test_*)
+        ↓
+  runtime.connect()
+        ↓
+  Automatic Agent Discovery
+        ↓
+  Adopt Agent (dashboard)
+        ↓
+  Issue Agent Credential
+        ↓
+Production runtime
+  arb_agent_*  →  runtime.connect() / evaluate() / heartbeat()
+```
+
+For production deployments, set **`ARBITER_AGENT`** (or pass `connect({ agent })`) to guarantee a stable runtime identity across redeployments. Package name and hostname fallbacks exist for local development convenience only — do not rely on them in production.
+
+## Requirements
+
+- Node.js 18+
+- A running Arbiter backend instance
+
+## Install
+
+```bash
+npm install @arbiterhq/sdk
+```
+
+**Discovery-first prerequisite:** Enable **Runtime Discovery** in workspace settings before using a workspace API key with `runtime.connect()`.
+
+## Base URL
+
+The SDK resolves the API base URL in this order:
+
+1. `baseUrl` passed to the client constructor
+2. `ARBITER_BASE_URL` environment variable
+3. Production default: `https://api.arbitertrust.com`
+
+**Production** — omit `baseUrl` or set `ARBITER_BASE_URL=https://api.arbitertrust.com`.
+
+**Local development** — set `ARBITER_BASE_URL=http://localhost:3001` or pass `baseUrl: 'http://localhost:3001'` explicitly.
+
+## Credentials
+
+| Variable | Used by | Purpose |
+|----------|---------|---------|
+| `ARBITER_AGENT_CREDENTIAL` | `ArbiterRuntime` | Agent runtime auth (`arb_agent_*`) |
+| `ARBITER_AGENT` | `ArbiterRuntime` | Stable agent externalId for discovery bootstrap with workspace API key |
+| `ARBITER_API_KEY` | `ArbiterAdmin`, discovery-first `ArbiterRuntime` | Workspace control plane (`arb_test_*`) |
+| `ARBITER_HUMAN_TOKEN` | `ArbiterAdmin.approve()` / `reject()` | Human session token for authorization actions |
+| `ARBITER_BASE_URL` | Both clients | Override API endpoint |
+
+## Onboarding paths
+
+There are two onboarding paths:
+
+1. **Discovery-first** — use a workspace API key with `ArbiterRuntime`, call `runtime.connect()` to discover the agent, adopt in the Discovery Inbox, then call `runtime.evaluate()` to discover permissions.
+2. **Registry-first** — register agents and permissions with `ArbiterAdmin`, issue an agent credential, then connect with `ARBITER_AGENT_CREDENTIAL`.
+
+Both paths converge on the same governed runtime loop after adoption.
+
+## Automatic Discovery
+
+Discovery is fully automatic — there are no `discoverAgent()` or `discoverPermission()` APIs.
+
+### Agent discovery (at connect)
+
+```
+Workspace API Key
+      ↓
+runtime.connect()
+      ↓
+Agent Discovery
+      ↓
+Discovery Inbox
+      ↓
+Adopt
+      ↓
+Registry
+      ↓
+(Optional) Agent Credential issued for production
+```
+
+When `ArbiterRuntime` is constructed with a workspace API key (`arb_test_*`), `runtime.connect()` sends the agent identity to the backend. If the agent is unknown and workspace discovery is enabled, it appears in the Discovery Inbox as `pending_review`.
+
+### Permission discovery (at evaluate)
+
+```
+Known active agent
+      ↓
+runtime.evaluate()
+      ↓
+Unknown Permission
+      ↓
+Automatic Permission Discovery
+      ↓
+Discovery Inbox
+      ↓
+Adopt
+      ↓
+Permission becomes available
+```
+
+Permission discovery requires an active runtime identity. Unknown actions discovered during `runtime.evaluate()` appear in the Discovery Inbox for operator adoption.
+
+### Production identity (`ARBITER_AGENT`)
+
+Production deployments should set **`ARBITER_AGENT`** to maintain a stable runtime identity across restarts and replicas.
+
+When using a workspace API key, the SDK resolves the agent externalId in this order:
+
+1. `connect({ agent })` — explicit argument
+2. `ARBITER_AGENT` environment variable
+3. `ARBITER_AGENT_EXTERNAL_ID` environment variable
+4. `npm_package_name` from `package.json`
+5. Hostname (development convenience only)
+
+Fallbacks (package name / hostname) exist for local development convenience. Do not rely on them in production — set `ARBITER_AGENT` explicitly.
+
+### Discovery-first quickstart
+
+```typescript
+import { ArbiterRuntime, SDK_VERSION } from '@arbiterhq/sdk';
+
+// Workspace API key — discovery bootstrap (not production runtime auth)
+const runtime = new ArbiterRuntime({
+  credential: process.env.ARBITER_API_KEY!,
+});
+
+// Set ARBITER_AGENT in production for stable identity
+await runtime.connect({
+  agent: process.env.ARBITER_AGENT ?? 'my-agent',
+  framework: 'custom',
+  runtimeType: 'node',
+  runtimeVersion: process.version,
+  sdkVersion: SDK_VERSION,
+});
+
+// Agent appears in Discovery Inbox → adopt in dashboard
+// After adoption, evaluate discovers unknown permissions:
+const decision = await runtime.evaluate({ action: 'send_payment', amount: 500 });
+// Permission appears in Discovery Inbox → adopt → governance applies
+```
+
+See [`../../examples/discovery-first/`](../../examples/discovery-first/) for the canonical onboarding script.
+
+## Complete runtime flow
+
+End-to-end governed execution: connect → heartbeat → evaluate → approval → poll → consume release → receipt.
+
+```typescript
+import { ArbiterAdmin, ArbiterRuntime, SDK_VERSION } from '@arbiterhq/sdk';
+
+// Production: omit baseUrl. Local dev: baseUrl: 'http://localhost:3001'
+const admin = new ArbiterAdmin({
+  apiKey: process.env.ARBITER_API_KEY!,
+});
+
+const runtime = new ArbiterRuntime({
+  credential: process.env.ARBITER_AGENT_CREDENTIAL!,
+  environment: 'production',
+});
+
+await runtime.connect({
+  framework: 'custom',
+  runtimeType: 'node',
+  runtimeVersion: process.version,
+  sdkVersion: SDK_VERSION,
+});
+
+await runtime.heartbeat();
+
+const evaluationPayload = {
+  action: 'send_payment',
+  amount: 5000,
+} as const;
+
+const decision = await runtime.evaluate(evaluationPayload);
+
+if (decision.decision === 'hold' && decision.approvalRequestId) {
+  // Human operator approves via admin + session token
+  await admin.approve(decision.approvalRequestId, {
+    humanToken: process.env.ARBITER_HUMAN_TOKEN!,
+  });
+
+  const approval = await runtime.pollApproval(decision.approvalRequestId);
+
+  if (approval.status === 'approved') {
+    const release = await runtime.consumeRelease({
+      approvalRequestId: decision.approvalRequestId,
+      originalPayload: evaluationPayload,
+    });
+
+    const receipt = await runtime.getReceipt(release.evaluationId);
+    console.log(receipt.receiptHash);
+  }
+}
+```
+
+Obtain `ARBITER_HUMAN_TOKEN` from a workspace session (`POST /auth/session` or dashboard login). Obtain `ARBITER_AGENT_CREDENTIAL` via `createAgentCredentialByExternalId()` or the dashboard.
+
+## Runtime Quickstart
+
+```typescript
+import { ArbiterRuntime, SDK_VERSION } from '@arbiterhq/sdk';
+
+const runtime = new ArbiterRuntime({
+  credential: process.env.ARBITER_AGENT_CREDENTIAL!,
+});
+
+await runtime.connect({
+  framework: 'langgraph',
+  runtimeType: 'node',
+  runtimeVersion: process.version,
+  sdkVersion: SDK_VERSION,
+  environment: 'production',
+});
+
+const result = await runtime.evaluate({
+  action: 'send_payment',
+  amount: 5000,
+});
+
+console.log(result.decision, result.evaluationId);
+```
+
+### Local development
+
+```typescript
+const runtime = new ArbiterRuntime({
+  credential: process.env.ARBITER_AGENT_CREDENTIAL!,
+  baseUrl: 'http://localhost:3001',
+});
+```
+
+## Admin Quickstart
+
+```typescript
+import { ArbiterAdmin } from '@arbiterhq/sdk';
+
+const admin = new ArbiterAdmin({
+  apiKey: process.env.ARBITER_API_KEY!,
+});
+
+await admin.registerAgent({ externalId: 'finance-agent' });
+await admin.registerPermission({ action: 'send_payment' });
+await admin.grantPermission({ agent: 'finance-agent', action: 'send_payment' });
+
+const { credential } = await admin.createAgentCredentialByExternalId({
+  externalId: 'finance-agent',
+  name: 'Runtime credential',
+  createdByUserId: 'owner-user-id',
+});
+```
+
+### Local development
+
+```typescript
+const admin = new ArbiterAdmin({
+  apiKey: process.env.ARBITER_API_KEY!,
+  baseUrl: 'http://localhost:3001',
+});
+```
+
+## Manifest lifecycle
+
+Manifest SDK methods accept a typed **`ManifestWorkspace`** object — not a YAML string, file path, or full `arbiter.yaml` document.
+
+```
+arbiter.yaml
+    ↓
+parse YAML
+    ↓
+doc.spec
+    ↓
+ManifestWorkspace
+    ↓
+plan()
+    ↓
+syncRegistryManifest()
+```
+
+The SDK does **not** read files. The CLI reads and parses `arbiter.yaml` for you. When using the SDK directly, parse the file, extract `doc.spec`, and optionally validate with `validateManifestWorkspace()`.
+
+```typescript
+interface ManifestWorkspace {
+  agents: ManifestAgent[];
+  permissions: ManifestPermission[];
+  policies: ManifestPolicy[];
+}
+```
+
+Use `validateManifestWorkspace(manifest)` before calling SDK methods to get actionable validation errors that mirror the backend contract.
+
+## Manifest fields
+
+### Agent (`agents[]`)
+
+| Field | Required | Description |
+|-------|----------|-------------|
+| `externalId` | For sync/plan | Stable agent identifier used by sync and plan |
+| `name` | Yes | Display name |
+| `description` | No | Human-readable summary |
+| `source` | No | Provenance: `dashboard`, `sdk`, `discovered` |
+| `management` | No | Ownership mode: `dashboard`, `sdk`, `manifest`, `discovered` |
+| `owner` | No | Structured owner `{ slug, type }` where `type` is `user`, `team`, or `service_account` |
+| `ownerSlug` | No | Owner slug when not using the `owner` object |
+| `ownerType` | No | Owner type when using `ownerSlug` |
+| `riskTier` | No | `low`, `medium`, `high`, or `critical` |
+| `status` | No | `pending_review`, `active`, `disabled`, `expired`, or `archived` |
+| `expiresAt` | No | ISO 8601 datetime |
+| `approvedBy` | No | Approver identity for governed onboarding |
+| `grants` | No | Permission grants to apply with the agent (see Grants) |
+
+### Permission (`permissions[]`)
+
+| Field | Required | Description |
+|-------|----------|-------------|
+| `action` | Yes | Snake_case action identifier |
+| `description` | No | Human-readable summary |
+| `status` | No | `pending_review`, `allowed`, `denied`, or `approval_required` |
+| `source` | No | Provenance: `dashboard`, `sdk`, `discovered` |
+| `management` | No | Ownership mode: `dashboard`, `sdk`, `manifest`, `discovered` |
+| `assignedAgents` | No | Agent `externalId` values assigned to this permission |
+| `displayName` | No | UI-friendly label |
+| `category` | No | Grouping label (for example Financial) |
+| `documentation` | No | Documentation URL |
+| `tags` | No | String tags for discovery and filtering |
+| `metadata` | No | Arbitrary key/value metadata object |
+
+### Policy (`policies[]`)
+
+| Field | Required | Description |
+|-------|----------|-------------|
+| `id` | For sync/plan | Stable policy slug |
+| `action` | Yes | Snake_case action this policy governs |
+| `field` | Legacy style | Field path for single-condition policies |
+| `operator` | Legacy style | Comparison operator |
+| `value` | Legacy style | Scalar or array value |
+| `conditions` | Modern style | Array of `{ field, operator, value?, type? }` |
+| `conditionOperator` | Modern style | `AND` or `OR` when using multiple `conditions` |
+| `priority` | No | Integer priority (lower runs first) |
+| `displayName` | No | UI-friendly label |
+| `decision` | Yes | `allow`, `deny`, or `hold` |
+| `source` | No | Provenance: `dashboard`, `sdk`, `discovered` |
+| `management` | No | Ownership mode: `dashboard`, `sdk`, `manifest`, `discovered` |
+
+Every policy must declare **either** legacy `field` + `operator` + `value` **or** a non-empty `conditions[]` array.
+
+#### Legacy policy style
+
+Use a single field comparison when the rule is simple:
+
+```yaml
+- id: payment-amount-hold
+  action: send_payment
+  field: amount
+  operator: '>'
+  value: 1000
+  decision: hold
+```
+
+#### Modern policy style
+
+Use `conditions[]` when you need multiple predicates or richer operators:
+
+```yaml
+- id: payment-region-deny
+  action: send_payment
+  conditions:
+    - field: region
+      operator: in
+      value: [sanctioned, blocked]
+    - field: amount
+      operator: '>='
+      value: 100
+  conditionOperator: AND
+  decision: deny
+```
+
+Prefer legacy style for single comparisons. Prefer modern style for compound rules or operator sets like `in`, `between`, and valueless operators (`exists`, `is_null`, etc.).
+
+### Grants
+
+`grants` on an agent replace that agent's permission grants during sync:
+
+```yaml
+grants:
+  - action: send_payment
+    grantedBy: platform-ops
+    grantedReason: Baseline finance automation access
+```
+
+Each grant requires `action` (snake_case). Optional `grantedBy` and `grantedReason` document provenance.
+
+### Ownership and risk
+
+- **`owner`** — structured `{ slug, type }` for accountable ownership
+- **`ownerSlug` / `ownerType`** — flat alternative to the `owner` object
+- **`riskTier`** — classifies agent blast radius: `low`, `medium`, `high`, `critical`
+
+### Source and management semantics
+
+- **`source`** — where the record originated (`dashboard`, `sdk`, `discovered`)
+- **`management`** — who may mutate the record (`dashboard`, `sdk`, `manifest`, `discovered`)
+
+Manifest-managed resources typically use `management: manifest` so the CLI/SDK owns changes and the dashboard stays read-only for those records.
+
+## Manifest SDK workflow
+
+Install a YAML parser in your project:
+
+```bash
+npm install yaml
+```
+
+### Plan
+
+```javascript
+import fs from 'node:fs';
+import { parse as parseYaml } from 'yaml';
+import { ArbiterAdmin, validateManifestWorkspace } from '@arbiterhq/sdk';
+
+const admin = new ArbiterAdmin({
+  apiKey: process.env.ARBITER_API_KEY,
+});
+
+const doc = parseYaml(fs.readFileSync('./arbiter.yaml', 'utf8'));
+const manifest = validateManifestWorkspace(doc.spec);
+
+const plan = await admin.plan(manifest);
+console.log(JSON.stringify(plan, null, 2));
+```
+
+### Sync (apply manifest)
+
+High-level API — pass a parsed `ManifestWorkspace`:
+
+```javascript
+import fs from 'node:fs';
+import { parse as parseYaml } from 'yaml';
+import { ArbiterAdmin, validateManifestWorkspace } from '@arbiterhq/sdk';
+
+const admin = new ArbiterAdmin({
+  apiKey: process.env.ARBITER_API_KEY,
+});
+
+const doc = parseYaml(fs.readFileSync('./arbiter.yaml', 'utf8'));
+const manifest = validateManifestWorkspace(doc.spec);
+
+const applied = await admin.syncRegistryManifest(manifest);
+console.log(JSON.stringify(applied, null, 2));
+```
+
+### Drift
+
+Drift is workspace-scoped — no manifest input:
+
+```javascript
+import { ArbiterAdmin } from '@arbiterhq/sdk';
+
+const admin = new ArbiterAdmin({
+  apiKey: process.env.ARBITER_API_KEY,
+});
+
+const drift = await admin.getDrift();
+console.log(JSON.stringify(drift, null, 2));
+```
+
+### State signature
+
+```javascript
+import { ArbiterAdmin } from '@arbiterhq/sdk';
+
+const admin = new ArbiterAdmin({
+  apiKey: process.env.ARBITER_API_KEY,
+});
+
+const signature = await admin.getStateSignature();
+console.log(signature.stateSignature);
+```
+
+## Manifest API surface
+
+| API | Level | Input | Use when |
+|-----|-------|-------|----------|
+| `plan(manifest)` | High-level | `ManifestWorkspace` | Preview changes from parsed manifest |
+| `syncRegistryManifest(manifest)` | High-level | `ManifestWorkspace` | Apply parsed manifest to workspace |
+| `getDrift()` | High-level | none | Compare live workspace drift |
+| `getStateSignature()` | High-level | none | Read workspace governance fingerprint |
+| `syncRegistry(input)` | Low-level transport | `SyncRegistryInput` | You already built the typed sync payload |
+
+Prefer **`syncRegistryManifest()`** for manifest-driven workflows. Use **`syncRegistry()`** only when you construct the transport payload yourself.
+
+## Runnable examples
+
+See [`../../examples/discovery-first/`](../../examples/discovery-first/) for the canonical discovery-first onboarding flow.
+
+See [`../../examples/manifest/`](../../examples/manifest/) for complete manifest scripts:
+
+- `plan.mjs` — preview manifest changes
+- `sync.mjs` — apply manifest changes
+- `drift.mjs` — inspect workspace drift
+- `state-signature.mjs` — read workspace governance fingerprint
+- `loadManifest.mjs` — shared YAML loader with SDK validation
+- `arbiter.yaml` — canonical manifest demonstrating supported fields
+
+```bash
+cd examples/manifest
+npm install
+export ARBITER_API_KEY=your_key
+npm run plan
+npm run sync
+npm run drift
+npm run state-signature
+```
+
+## API Reference
+
+### `ArbiterRuntime`
+
+| Method | Description |
+|--------|-------------|
+| `connect(input?)` | `POST /runtime/connect` — agent discovery with workspace API key |
+| `heartbeat()` | `POST /runtime/heartbeat` |
+| `evaluate(input)` | `POST /evaluate` — permission discovery for unknown actions |
+| `getApproval(id)` | `GET /approvals/:id` |
+| `pollApproval(id, options?)` | Poll until approved/rejected/expired |
+| `consumeRelease(input)` | `POST /releases/consume` |
+| `getReceipt(evaluationId)` | `GET /evaluations/:id/receipt` |
+
+### `ArbiterAdmin`
+
+| Method | Description |
+|--------|-------------|
+| `registerAgent` | `POST /sdk/register-agent` |
+| `registerPermission` | `POST /sdk/register-permission` |
+| `grantPermission` | `POST /sdk/register-agent-permission` |
+| `registerPolicy` | `POST /sdk/register-policy` |
+| `plan(manifest)` | `POST /sdk/plan` — requires `ManifestWorkspace` |
+| `syncRegistryManifest(manifest)` | `POST /sdk/sync-registry` — requires `ManifestWorkspace` |
+| `syncRegistry(input)` | `POST /sdk/sync-registry` — low-level typed payload |
+| `getDrift()` | `GET /manifest/drift` |
+| `getStateSignature()` | `GET /state-signature` |
+| `createAgentCredential` | `POST /agents/:id/credentials` |
+| `createAgentCredentialByExternalId` | Resolve agent + create credential |
+| `approve` / `reject` | Human session required |
+
+## License
+
+ISC

package/dist/approvalMapping.d.ts

@@ -0,0 +1,26 @@
+import type { ApprovalResult, EvaluateResult } from './types.js';
+export interface ApprovalApiResponse {
+    id: string;
+    status: string;
+    evaluationId: string;
+    requestedAt: string;
+    approvedAt: string | null;
+    rejectedAt: string | null;
+    evaluation: {
+        agent: string;
+        action: string;
+        decision: EvaluateResult['decision'];
+        amount: number | null;
+    };
+    executionRelease: {
+        id: string;
+        status: string;
+        issuedAt: string;
+        expiresAt: string;
+        consumedAt: string | null;
+    } | null;
+}
+export declare function mapApproval(response: ApprovalApiResponse): ApprovalResult;
+export declare function isTerminalApprovalStatus(status: string): boolean;
+export declare function resolveTerminalApprovalStatus(approval: ApprovalResult): string;
+//# sourceMappingURL=approvalMapping.d.ts.map

package/dist/approvalMapping.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"approvalMapping.d.ts","sourceRoot":"","sources":["../src/approvalMapping.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAEjE,MAAM,WAAW,mBAAmB;IAClC,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,MAAM,CAAC;IACf,YAAY,EAAE,MAAM,CAAC;IACrB,WAAW,EAAE,MAAM,CAAC;IACpB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,UAAU,EAAE;QACV,KAAK,EAAE,MAAM,CAAC;QACd,MAAM,EAAE,MAAM,CAAC;QACf,QAAQ,EAAE,cAAc,CAAC,UAAU,CAAC,CAAC;QACrC,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;KACvB,CAAC;IACF,gBAAgB,EAAE;QAChB,EAAE,EAAE,MAAM,CAAC;QACX,MAAM,EAAE,MAAM,CAAC;QACf,QAAQ,EAAE,MAAM,CAAC;QACjB,SAAS,EAAE,MAAM,CAAC;QAClB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;KAC3B,GAAG,IAAI,CAAC;CACV;AAED,wBAAgB,WAAW,CAAC,QAAQ,EAAE,mBAAmB,GAAG,cAAc,CAgBzE;AAED,wBAAgB,wBAAwB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAEhE;AAED,wBAAgB,6BAA6B,CAAC,QAAQ,EAAE,cAAc,GAAG,MAAM,CAM9E"}

package/dist/approvalMapping.js

@@ -0,0 +1,27 @@
+export function mapApproval(response) {
+    return {
+        id: response.id,
+        status: response.status,
+        evaluationId: response.evaluationId,
+        requestedAt: response.requestedAt,
+        approvedAt: response.approvedAt,
+        rejectedAt: response.rejectedAt,
+        evaluation: {
+            agent: response.evaluation.agent,
+            action: response.evaluation.action,
+            decision: response.evaluation.decision,
+            amount: response.evaluation.amount,
+        },
+        executionRelease: response.executionRelease,
+    };
+}
+export function isTerminalApprovalStatus(status) {
+    return status === 'approved' || status === 'rejected' || status === 'expired';
+}
+export function resolveTerminalApprovalStatus(approval) {
+    if (approval.executionRelease?.status === 'expired') {
+        return 'expired';
+    }
+    return approval.status;
+}
+//# sourceMappingURL=approvalMapping.js.map

package/dist/approvalMapping.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"approvalMapping.js","sourceRoot":"","sources":["../src/approvalMapping.ts"],"names":[],"mappings":"AAwBA,MAAM,UAAU,WAAW,CAAC,QAA6B;IACvD,OAAO;QACL,EAAE,EAAE,QAAQ,CAAC,EAAE;QACf,MAAM,EAAE,QAAQ,CAAC,MAAM;QACvB,YAAY,EAAE,QAAQ,CAAC,YAAY;QACnC,WAAW,EAAE,QAAQ,CAAC,WAAW;QACjC,UAAU,EAAE,QAAQ,CAAC,UAAU;QAC/B,UAAU,EAAE,QAAQ,CAAC,UAAU;QAC/B,UAAU,EAAE;YACV,KAAK,EAAE,QAAQ,CAAC,UAAU,CAAC,KAAK;YAChC,MAAM,EAAE,QAAQ,CAAC,UAAU,CAAC,MAAM;YAClC,QAAQ,EAAE,QAAQ,CAAC,UAAU,CAAC,QAAQ;YACtC,MAAM,EAAE,QAAQ,CAAC,UAAU,CAAC,MAAM;SACnC;QACD,gBAAgB,EAAE,QAAQ,CAAC,gBAAgB;KAC5C,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,wBAAwB,CAAC,MAAc;IACrD,OAAO,MAAM,KAAK,UAAU,IAAI,MAAM,KAAK,UAAU,IAAI,MAAM,KAAK,SAAS,CAAC;AAChF,CAAC;AAED,MAAM,UAAU,6BAA6B,CAAC,QAAwB;IACpE,IAAI,QAAQ,CAAC,gBAAgB,EAAE,MAAM,KAAK,SAAS,EAAE,CAAC;QACpD,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,OAAO,QAAQ,CAAC,MAAM,CAAC;AACzB,CAAC"}

package/dist/arbiter.d.ts

@@ -0,0 +1,23 @@
+import type { ApprovalResult, ArbiterOptions, ConsumeReleaseInput, ConsumeReleaseResult, DriftResult, EvaluateInput, EvaluateResult, GrantPermissionInput, GrantPermissionResult, HumanActionOptions, ListApprovalsOptions, ManifestWorkspace, PlanResult, RegisterAgentInput, RegisterAgentResult, RegisterPermissionInput, RegisterPermissionResult, RegisterPolicyInput, RegisterPolicyResult, RejectApprovalOptions, StateSignatureResult, SyncRegistryResult } from './types.js';
+/**
+ * @deprecated Use {@link ArbiterAdmin} for control-plane operations and {@link ArbiterRuntime} for autonomous agent execution.
+ */
+export declare class Arbiter {
+    private readonly admin;
+    constructor(options: ArbiterOptions);
+    registerAgent(input: RegisterAgentInput): Promise<RegisterAgentResult>;
+    registerPermission(input: RegisterPermissionInput): Promise<RegisterPermissionResult>;
+    grantPermission(input: GrantPermissionInput): Promise<GrantPermissionResult>;
+    registerPolicy(input: RegisterPolicyInput): Promise<RegisterPolicyResult>;
+    evaluate(input: EvaluateInput): Promise<EvaluateResult>;
+    getApproval(id: string): Promise<ApprovalResult>;
+    listApprovals(options?: ListApprovalsOptions): Promise<ApprovalResult[]>;
+    approve(approvalRequestId: string, options: HumanActionOptions): Promise<ApprovalResult>;
+    reject(approvalRequestId: string, options: RejectApprovalOptions): Promise<ApprovalResult>;
+    consumeRelease(input: ConsumeReleaseInput): Promise<ConsumeReleaseResult>;
+    syncRegistry(manifest: ManifestWorkspace): Promise<SyncRegistryResult>;
+    plan(manifest: ManifestWorkspace): Promise<PlanResult>;
+    getDrift(): Promise<DriftResult>;
+    getStateSignature(): Promise<StateSignatureResult>;
+}
+//# sourceMappingURL=arbiter.d.ts.map

package/dist/arbiter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"arbiter.d.ts","sourceRoot":"","sources":["../src/arbiter.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EACV,cAAc,EACd,cAAc,EACd,mBAAmB,EACnB,oBAAoB,EACpB,WAAW,EACX,aAAa,EACb,cAAc,EACd,oBAAoB,EACpB,qBAAqB,EACrB,kBAAkB,EAClB,oBAAoB,EACpB,iBAAiB,EACjB,UAAU,EACV,kBAAkB,EAClB,mBAAmB,EACnB,uBAAuB,EACvB,wBAAwB,EACxB,mBAAmB,EACnB,oBAAoB,EACpB,qBAAqB,EACrB,oBAAoB,EACpB,kBAAkB,EACnB,MAAM,YAAY,CAAC;AAIpB;;GAEG;AACH,qBAAa,OAAO;IAClB,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAe;gBAElB,OAAO,EAAE,cAAc;IAW7B,aAAa,CAAC,KAAK,EAAE,kBAAkB,GAAG,OAAO,CAAC,mBAAmB,CAAC;IAItE,kBAAkB,CAC7B,KAAK,EAAE,uBAAuB,GAC7B,OAAO,CAAC,wBAAwB,CAAC;IAIvB,eAAe,CAAC,KAAK,EAAE,oBAAoB,GAAG,OAAO,CAAC,qBAAqB,CAAC;IAI5E,cAAc,CAAC,KAAK,EAAE,mBAAmB,GAAG,OAAO,CAAC,oBAAoB,CAAC;IAIzE,QAAQ,CAAC,KAAK,EAAE,aAAa,GAAG,OAAO,CAAC,cAAc,CAAC;IAIvD,WAAW,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,CAAC;IAIhD,aAAa,CACxB,OAAO,GAAE,oBAAyB,GACjC,OAAO,CAAC,cAAc,EAAE,CAAC;IAIf,OAAO,CAClB,iBAAiB,EAAE,MAAM,EACzB,OAAO,EAAE,kBAAkB,GAC1B,OAAO,CAAC,cAAc,CAAC;IAIb,MAAM,CACjB,iBAAiB,EAAE,MAAM,EACzB,OAAO,EAAE,qBAAqB,GAC7B,OAAO,CAAC,cAAc,CAAC;IAIb,cAAc,CAAC,KAAK,EAAE,mBAAmB,GAAG,OAAO,CAAC,oBAAoB,CAAC;IAIzE,YAAY,CAAC,QAAQ,EAAE,iBAAiB,GAAG,OAAO,CAAC,kBAAkB,CAAC;IAItE,IAAI,CAAC,QAAQ,EAAE,iBAAiB,GAAG,OAAO,CAAC,UAAU,CAAC;IAItD,QAAQ,IAAI,OAAO,CAAC,WAAW,CAAC;IAIhC,iBAAiB,IAAI,OAAO,CAAC,oBAAoB,CAAC;CAGhE"}