@astrasyncai/verification-gateway 1.0.0 → 2.0.0

package/dist/git-trigger/git-hooks.mjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/git-trigger/git-hooks.ts","../../src/adapter-interface/purpose-mapping.ts"],"sourcesContent":["/**\n * Git Trigger — Enterprise git push / PR verification\n *\n * Installs git hooks that evaluate changed files against the PDLSS policy\n * before allowing pushes to remote repositories.\n *\n * Two enforcement modes (admin-configurable):\n *   - block: non-zero exit prevents the push\n *   - warn:  push proceeds but warning is printed\n */\n\nimport { existsSync, mkdirSync, writeFileSync, readFileSync, chmodSync } from 'fs';\nimport { join } from 'path';\nimport { execSync } from 'child_process';\nimport type { AstraSyncGateway } from '../gateway/gateway';\nimport { mapToolToPurpose, extractTarget, extractNetworkDomains } from '../adapter-interface/purpose-mapping';\nimport type { PDLSSContext, VerificationDecision } from '../gateway/types';\n\n// -----------------------------------------------------------------------\n// Configuration\n// -----------------------------------------------------------------------\n\nexport interface GitTriggerConfig {\n  /** Block the push or just warn (default: 'warn') */\n  enforcement: 'block' | 'warn';\n  /** Which git hooks to install (default: ['pre-push']) */\n  hooks: ('pre-push' | 'pre-commit')[];\n  /** Only enforce on these branches (default: all) */\n  protectedBranches?: string[];\n  /** Custom message for blocked pushes */\n  blockMessage?: string;\n}\n\nconst DEFAULT_CONFIG: GitTriggerConfig = {\n  enforcement: 'warn',\n  hooks: ['pre-push'],\n};\n\n// -----------------------------------------------------------------------\n// Hook script content\n// -----------------------------------------------------------------------\n\nconst HOOK_MARKER = '# AstraSync Local Guard — managed hook';\n\nfunction makeHookScript(hookType: 'pre-push' | 'pre-commit'): string {\n  return `#!/bin/sh\n${HOOK_MARKER}\n# Runs AstraSync verification on changed files before ${hookType === 'pre-push' ? 'push' : 'commit'}.\n# Installed by: astrasync guard install-hooks\n# To remove: delete this file or run astrasync guard uninstall-hooks\n\nnpx astrasync guard check --trigger=${hookType} \"$@\"\nexit $?\n`;\n}\n\n// -----------------------------------------------------------------------\n// Hook installer\n// -----------------------------------------------------------------------\n\n/**\n * Install git hooks into the repository.\n * Returns the paths of installed hooks.\n */\nexport function installGitHooks(\n  repoRoot: string,\n  config: Partial<GitTriggerConfig> = {},\n): { installed: string[]; skipped: string[] } {\n  const merged = { ...DEFAULT_CONFIG, ...config };\n  const hooksDir = join(repoRoot, '.git', 'hooks');\n  const installed: string[] = [];\n  const skipped: string[] = [];\n\n  if (!existsSync(join(repoRoot, '.git'))) {\n    throw new Error(`Not a git repository: ${repoRoot}`);\n  }\n\n  if (!existsSync(hooksDir)) {\n    mkdirSync(hooksDir, { recursive: true });\n  }\n\n  for (const hookType of merged.hooks) {\n    const hookPath = join(hooksDir, hookType);\n\n    // Don't overwrite non-AstraSync hooks\n    if (existsSync(hookPath)) {\n      const content = readFileSync(hookPath, 'utf-8');\n      if (!content.includes(HOOK_MARKER)) {\n        skipped.push(hookPath);\n        continue;\n      }\n    }\n\n    writeFileSync(hookPath, makeHookScript(hookType), 'utf-8');\n    chmodSync(hookPath, 0o755);\n    installed.push(hookPath);\n  }\n\n  return { installed, skipped };\n}\n\n/**\n * Remove AstraSync-managed git hooks.\n */\nexport function uninstallGitHooks(\n  repoRoot: string,\n  hooks: ('pre-push' | 'pre-commit')[] = ['pre-push'],\n): string[] {\n  const hooksDir = join(repoRoot, '.git', 'hooks');\n  const removed: string[] = [];\n\n  for (const hookType of hooks) {\n    const hookPath = join(hooksDir, hookType);\n    if (existsSync(hookPath)) {\n      const content = readFileSync(hookPath, 'utf-8');\n      if (content.includes(HOOK_MARKER)) {\n        const { unlinkSync } = require('fs');\n        unlinkSync(hookPath);\n        removed.push(hookPath);\n      }\n    }\n  }\n\n  return removed;\n}\n\n// -----------------------------------------------------------------------\n// Evaluation logic\n// -----------------------------------------------------------------------\n\n/**\n * Get list of changed files for the current trigger context.\n */\nexport function getChangedFiles(trigger: 'pre-push' | 'pre-commit', repoRoot: string): string[] {\n  try {\n    let output: string;\n    if (trigger === 'pre-push') {\n      // Files changed between HEAD and remote tracking branch\n      output = execSync('git diff --name-only @{push}.. 2>/dev/null || git diff --name-only HEAD~1', {\n        cwd: repoRoot,\n        encoding: 'utf-8',\n      });\n    } else {\n      // Files staged for commit\n      output = execSync('git diff --cached --name-only', {\n        cwd: repoRoot,\n        encoding: 'utf-8',\n      });\n    }\n    return output.split('\\n').filter(f => f.trim().length > 0);\n  } catch {\n    return [];\n  }\n}\n\n/**\n * Map a file change to a PDLSS context for evaluation.\n */\nexport function fileChangeToPDLSSContext(filePath: string): PDLSSContext {\n  const purpose = mapToolToPurpose('file_write');\n  const target = extractTarget('file_write', { path: filePath });\n\n  return {\n    purpose,\n    action: 'file_write',\n    target,\n    dataAccess: ['write'],\n    resourceType: 'file',\n  };\n}\n\n/**\n * Evaluate changed files against the gateway policy.\n * Returns a summary of allow/deny/review decisions.\n */\nexport async function evaluateChangedFiles(\n  gateway: AstraSyncGateway,\n  files: string[],\n  config: Partial<GitTriggerConfig> = {},\n): Promise<GitCheckResult> {\n  const merged = { ...DEFAULT_CONFIG, ...config };\n  const results: { file: string; decision: VerificationDecision }[] = [];\n  let blocked = 0;\n  let warned = 0;\n  let allowed = 0;\n\n  for (const file of files) {\n    const context = fileChangeToPDLSSContext(file);\n    const decision = await gateway.evaluate(context);\n\n    results.push({ file, decision });\n\n    if (decision.recommendation === 'DENY') {\n      blocked++;\n    } else if (decision.recommendation === 'MANUAL_REVIEW') {\n      warned++;\n    } else {\n      allowed++;\n    }\n  }\n\n  const shouldBlock = merged.enforcement === 'block' && (blocked > 0);\n\n  return {\n    allowed,\n    blocked,\n    warned,\n    total: files.length,\n    shouldBlock,\n    enforcement: merged.enforcement,\n    results,\n    blockMessage: shouldBlock\n      ? (merged.blockMessage || `AstraSync blocked push: ${blocked} file(s) denied by policy`)\n      : undefined,\n  };\n}\n\nexport interface GitCheckResult {\n  allowed: number;\n  blocked: number;\n  warned: number;\n  total: number;\n  shouldBlock: boolean;\n  enforcement: 'block' | 'warn';\n  results: { file: string; decision: VerificationDecision }[];\n  blockMessage?: string;\n}\n\n/**\n * Check if the current branch is protected.\n */\nexport function isProtectedBranch(config: Partial<GitTriggerConfig> = {}): boolean {\n  if (!config.protectedBranches || config.protectedBranches.length === 0) {\n    return true; // All branches protected by default\n  }\n\n  try {\n    const branch = execSync('git rev-parse --abbrev-ref HEAD', { encoding: 'utf-8' }).trim();\n    return config.protectedBranches.some(pattern => {\n      if (pattern === branch) return true;\n      if (pattern.endsWith('*') && branch.startsWith(pattern.slice(0, -1))) return true;\n      return false;\n    });\n  } catch {\n    return true; // Can't determine branch, assume protected\n  }\n}\n","/**\n * Shared purpose mapping utilities for Layer 4 platform adapters.\n *\n * Maps platform-native action names to PDLSS purpose categories.\n * Used by OpenClaw CLI, Cursor, browser, and future adapters.\n */\n\n// -----------------------------------------------------------------------\n// Tool → Purpose mapping\n// -----------------------------------------------------------------------\n\n/** Standard tool name → PDLSS purpose mapping used by all adapters */\nconst TOOL_PURPOSE_MAP: Record<string, string> = {\n  // Shell\n  shell_exec: 'shell.exec',\n  run_command: 'shell.exec',\n  execute: 'shell.exec',\n  terminal_exec: 'shell.exec',\n  run_terminal_command: 'shell.exec',\n\n  // File read\n  file_read: 'file.read',\n  read_file: 'file.read',\n\n  // File write\n  file_write: 'file.write',\n  write_file: 'file.write',\n  create_file: 'file.write',\n  edit_file: 'file.write',\n\n  // File delete\n  file_delete: 'file.delete',\n  delete_file: 'file.delete',\n\n  // Network\n  http_request: 'network.request',\n  fetch: 'network.request',\n  web_request: 'network.request',\n\n  // Email\n  send_email: 'email.send',\n  read_email: 'email.read',\n\n  // Calendar\n  create_event: 'calendar.create',\n\n  // Database\n  query_database: 'database.query',\n  write_database: 'database.write',\n\n  // Payment\n  payment_execute: 'payment.execute',\n};\n\n/**\n * Map a tool/action name to a PDLSS purpose category.\n * Returns `tool.<name>` for unmapped tools (denied by default).\n */\nexport function mapToolToPurpose(toolName: string): string {\n  return TOOL_PURPOSE_MAP[toolName] || `tool.${toolName}`;\n}\n\n/**\n * Register additional tool → purpose mappings (e.g. from a platform adapter).\n * Does not overwrite existing mappings.\n */\nexport function registerToolMappings(mappings: Record<string, string>): void {\n  for (const [tool, purpose] of Object.entries(mappings)) {\n    if (!(tool in TOOL_PURPOSE_MAP)) {\n      TOOL_PURPOSE_MAP[tool] = purpose;\n    }\n  }\n}\n\n// -----------------------------------------------------------------------\n// Target extraction\n// -----------------------------------------------------------------------\n\n/**\n * Extract the meaningful target string from tool arguments.\n * Uses the purpose category to determine which argument field is relevant.\n */\nexport function extractTarget(toolName: string, args: Record<string, unknown>): string {\n  const purpose = mapToolToPurpose(toolName);\n\n  if (purpose.startsWith('shell.')) {\n    return String(args.command || args.cmd || args.script || '');\n  }\n\n  if (purpose.startsWith('file.')) {\n    return String(args.path || args.file || args.filename || args.file_path || '');\n  }\n\n  if (purpose.startsWith('network.')) {\n    return String(args.url || args.endpoint || args.uri || '');\n  }\n\n  if (purpose.startsWith('email.')) {\n    return String(args.to || args.recipient || args.address || '');\n  }\n\n  if (purpose.startsWith('database.')) {\n    return String(args.query || args.table || '');\n  }\n\n  if (purpose.startsWith('payment.')) {\n    return String(args.description || args.merchant || args.amount || '');\n  }\n\n  // Fallback: try common field names\n  if (args.command) return String(args.command);\n  if (args.path) return String(args.path);\n  if (args.url) return String(args.url);\n\n  // Default: use first non-empty string argument or tool name\n  for (const val of Object.values(args)) {\n    if (typeof val === 'string' && val.length > 0) return val;\n  }\n  return toolName;\n}\n\n// -----------------------------------------------------------------------\n// Network domain extraction\n// -----------------------------------------------------------------------\n\n/**\n * Extract network domains from a URL target.\n * Returns undefined if the target is not a URL.\n */\nexport function extractNetworkDomains(target: string): string[] | undefined {\n  try {\n    if (target.startsWith('http://') || target.startsWith('https://')) {\n      const url = new URL(target);\n      return [url.hostname];\n    }\n  } catch {\n    // Not a URL\n  }\n  return undefined;\n}\n"],"mappings":";;;;;;;;AAWA,SAAS,YAAY,WAAW,eAAe,cAAc,iBAAiB;AAC9E,SAAS,YAAY;AACrB,SAAS,gBAAgB;;;ACDzB,IAAM,mBAA2C;AAAA;AAAA,EAE/C,YAAY;AAAA,EACZ,aAAa;AAAA,EACb,SAAS;AAAA,EACT,eAAe;AAAA,EACf,sBAAsB;AAAA;AAAA,EAGtB,WAAW;AAAA,EACX,WAAW;AAAA;AAAA,EAGX,YAAY;AAAA,EACZ,YAAY;AAAA,EACZ,aAAa;AAAA,EACb,WAAW;AAAA;AAAA,EAGX,aAAa;AAAA,EACb,aAAa;AAAA;AAAA,EAGb,cAAc;AAAA,EACd,OAAO;AAAA,EACP,aAAa;AAAA;AAAA,EAGb,YAAY;AAAA,EACZ,YAAY;AAAA;AAAA,EAGZ,cAAc;AAAA;AAAA,EAGd,gBAAgB;AAAA,EAChB,gBAAgB;AAAA;AAAA,EAGhB,iBAAiB;AACnB;AAMO,SAAS,iBAAiB,UAA0B;AACzD,SAAO,iBAAiB,QAAQ,KAAK,QAAQ,QAAQ;AACvD;AAsBO,SAAS,cAAc,UAAkB,MAAuC;AACrF,QAAM,UAAU,iBAAiB,QAAQ;AAEzC,MAAI,QAAQ,WAAW,QAAQ,GAAG;AAChC,WAAO,OAAO,KAAK,WAAW,KAAK,OAAO,KAAK,UAAU,EAAE;AAAA,EAC7D;AAEA,MAAI,QAAQ,WAAW,OAAO,GAAG;AAC/B,WAAO,OAAO,KAAK,QAAQ,KAAK,QAAQ,KAAK,YAAY,KAAK,aAAa,EAAE;AAAA,EAC/E;AAEA,MAAI,QAAQ,WAAW,UAAU,GAAG;AAClC,WAAO,OAAO,KAAK,OAAO,KAAK,YAAY,KAAK,OAAO,EAAE;AAAA,EAC3D;AAEA,MAAI,QAAQ,WAAW,QAAQ,GAAG;AAChC,WAAO,OAAO,KAAK,MAAM,KAAK,aAAa,KAAK,WAAW,EAAE;AAAA,EAC/D;AAEA,MAAI,QAAQ,WAAW,WAAW,GAAG;AACnC,WAAO,OAAO,KAAK,SAAS,KAAK,SAAS,EAAE;AAAA,EAC9C;AAEA,MAAI,QAAQ,WAAW,UAAU,GAAG;AAClC,WAAO,OAAO,KAAK,eAAe,KAAK,YAAY,KAAK,UAAU,EAAE;AAAA,EACtE;AAGA,MAAI,KAAK,QAAS,QAAO,OAAO,KAAK,OAAO;AAC5C,MAAI,KAAK,KAAM,QAAO,OAAO,KAAK,IAAI;AACtC,MAAI,KAAK,IAAK,QAAO,OAAO,KAAK,GAAG;AAGpC,aAAW,OAAO,OAAO,OAAO,IAAI,GAAG;AACrC,QAAI,OAAO,QAAQ,YAAY,IAAI,SAAS,EAAG,QAAO;AAAA,EACxD;AACA,SAAO;AACT;;;ADtFA,IAAM,iBAAmC;AAAA,EACvC,aAAa;AAAA,EACb,OAAO,CAAC,UAAU;AACpB;AAMA,IAAM,cAAc;AAEpB,SAAS,eAAe,UAA6C;AACnE,SAAO;AAAA,EACP,WAAW;AAAA,wDAC2C,aAAa,aAAa,SAAS,QAAQ;AAAA;AAAA;AAAA;AAAA,sCAI7D,QAAQ;AAAA;AAAA;AAG9C;AAUO,SAAS,gBACd,UACA,SAAoC,CAAC,GACO;AAC5C,QAAM,SAAS,EAAE,GAAG,gBAAgB,GAAG,OAAO;AAC9C,QAAM,WAAW,KAAK,UAAU,QAAQ,OAAO;AAC/C,QAAM,YAAsB,CAAC;AAC7B,QAAM,UAAoB,CAAC;AAE3B,MAAI,CAAC,WAAW,KAAK,UAAU,MAAM,CAAC,GAAG;AACvC,UAAM,IAAI,MAAM,yBAAyB,QAAQ,EAAE;AAAA,EACrD;AAEA,MAAI,CAAC,WAAW,QAAQ,GAAG;AACzB,cAAU,UAAU,EAAE,WAAW,KAAK,CAAC;AAAA,EACzC;AAEA,aAAW,YAAY,OAAO,OAAO;AACnC,UAAM,WAAW,KAAK,UAAU,QAAQ;AAGxC,QAAI,WAAW,QAAQ,GAAG;AACxB,YAAM,UAAU,aAAa,UAAU,OAAO;AAC9C,UAAI,CAAC,QAAQ,SAAS,WAAW,GAAG;AAClC,gBAAQ,KAAK,QAAQ;AACrB;AAAA,MACF;AAAA,IACF;AAEA,kBAAc,UAAU,eAAe,QAAQ,GAAG,OAAO;AACzD,cAAU,UAAU,GAAK;AACzB,cAAU,KAAK,QAAQ;AAAA,EACzB;AAEA,SAAO,EAAE,WAAW,QAAQ;AAC9B;AAKO,SAAS,kBACd,UACA,QAAuC,CAAC,UAAU,GACxC;AACV,QAAM,WAAW,KAAK,UAAU,QAAQ,OAAO;AAC/C,QAAM,UAAoB,CAAC;AAE3B,aAAW,YAAY,OAAO;AAC5B,UAAM,WAAW,KAAK,UAAU,QAAQ;AACxC,QAAI,WAAW,QAAQ,GAAG;AACxB,YAAM,UAAU,aAAa,UAAU,OAAO;AAC9C,UAAI,QAAQ,SAAS,WAAW,GAAG;AACjC,cAAM,EAAE,WAAW,IAAI,UAAQ,IAAI;AACnC,mBAAW,QAAQ;AACnB,gBAAQ,KAAK,QAAQ;AAAA,MACvB;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AACT;AASO,SAAS,gBAAgB,SAAoC,UAA4B;AAC9F,MAAI;AACF,QAAI;AACJ,QAAI,YAAY,YAAY;AAE1B,eAAS,SAAS,6EAA6E;AAAA,QAC7F,KAAK;AAAA,QACL,UAAU;AAAA,MACZ,CAAC;AAAA,IACH,OAAO;AAEL,eAAS,SAAS,iCAAiC;AAAA,QACjD,KAAK;AAAA,QACL,UAAU;AAAA,MACZ,CAAC;AAAA,IACH;AACA,WAAO,OAAO,MAAM,IAAI,EAAE,OAAO,OAAK,EAAE,KAAK,EAAE,SAAS,CAAC;AAAA,EAC3D,QAAQ;AACN,WAAO,CAAC;AAAA,EACV;AACF;AAKO,SAAS,yBAAyB,UAAgC;AACvE,QAAM,UAAU,iBAAiB,YAAY;AAC7C,QAAM,SAAS,cAAc,cAAc,EAAE,MAAM,SAAS,CAAC;AAE7D,SAAO;AAAA,IACL;AAAA,IACA,QAAQ;AAAA,IACR;AAAA,IACA,YAAY,CAAC,OAAO;AAAA,IACpB,cAAc;AAAA,EAChB;AACF;AAMA,eAAsB,qBACpB,SACA,OACA,SAAoC,CAAC,GACZ;AACzB,QAAM,SAAS,EAAE,GAAG,gBAAgB,GAAG,OAAO;AAC9C,QAAM,UAA8D,CAAC;AACrE,MAAI,UAAU;AACd,MAAI,SAAS;AACb,MAAI,UAAU;AAEd,aAAW,QAAQ,OAAO;AACxB,UAAM,UAAU,yBAAyB,IAAI;AAC7C,UAAM,WAAW,MAAM,QAAQ,SAAS,OAAO;AAE/C,YAAQ,KAAK,EAAE,MAAM,SAAS,CAAC;AAE/B,QAAI,SAAS,mBAAmB,QAAQ;AACtC;AAAA,IACF,WAAW,SAAS,mBAAmB,iBAAiB;AACtD;AAAA,IACF,OAAO;AACL;AAAA,IACF;AAAA,EACF;AAEA,QAAM,cAAc,OAAO,gBAAgB,WAAY,UAAU;AAEjE,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,IACA,OAAO,MAAM;AAAA,IACb;AAAA,IACA,aAAa,OAAO;AAAA,IACpB;AAAA,IACA,cAAc,cACT,OAAO,gBAAgB,2BAA2B,OAAO,8BAC1D;AAAA,EACN;AACF;AAgBO,SAAS,kBAAkB,SAAoC,CAAC,GAAY;AACjF,MAAI,CAAC,OAAO,qBAAqB,OAAO,kBAAkB,WAAW,GAAG;AACtE,WAAO;AAAA,EACT;AAEA,MAAI;AACF,UAAM,SAAS,SAAS,mCAAmC,EAAE,UAAU,QAAQ,CAAC,EAAE,KAAK;AACvF,WAAO,OAAO,kBAAkB,KAAK,aAAW;AAC9C,UAAI,YAAY,OAAQ,QAAO;AAC/B,UAAI,QAAQ,SAAS,GAAG,KAAK,OAAO,WAAW,QAAQ,MAAM,GAAG,EAAE,CAAC,EAAG,QAAO;AAC7E,aAAO;AAAA,IACT,CAAC;AAAA,EACH,QAAQ;AACN,WAAO;AAAA,EACT;AACF;","names":[]}

package/dist/index-BhTbGU-o.d.mts

@@ -0,0 +1,206 @@
+import { c as AstraSyncCredentials, g as ProtocolTransport, G as GatewayConfig } from './types-Bf8pML07.mjs';
+
+/**
+ * AgentClient — Credential Presentation
+ *
+ * Agent-side SDK for automatically injecting AstraSync credentials
+ * into outgoing requests across all supported protocols.
+ */
+
+interface AgentClientConfig {
+    agentId: string;
+    verifyUrl?: string;
+    challengeUrl?: string;
+    pdlss?: AstraSyncCredentials['pdlss'];
+}
+interface FetchOptions extends RequestInit {
+    purpose?: string;
+    action?: string;
+}
+declare class AgentClient {
+    private credentials;
+    constructor(config: AgentClientConfig);
+    /**
+     * Make an HTTP request with AstraSync headers automatically injected.
+     */
+    fetch(url: string, options?: FetchOptions): Promise<Response>;
+    /**
+     * Prepare A2A task metadata with AstraSync credentials.
+     */
+    prepareA2AMetadata(task: Record<string, unknown>, overrides?: {
+        purpose?: string;
+        action?: string;
+    }): Record<string, unknown>;
+    /**
+     * Prepare MCP params with AstraSync _meta.
+     */
+    prepareMcpMeta(params: Record<string, unknown>, overrides?: {
+        purpose?: string;
+        action?: string;
+    }): Record<string, unknown>;
+    /**
+     * Generic: apply credentials to any protocol.
+     */
+    applyCredentials(protocol: ProtocolTransport, target: Record<string, unknown>, overrides?: {
+        purpose?: string;
+        action?: string;
+    }): Record<string, unknown>;
+    private buildCredentials;
+}
+
+/**
+ * ChallengeHandler — Agent-Side Runtime Challenge Responder
+ *
+ * Handles incoming runtime challenges from AstraSync's verification service.
+ * Agents register pending counterparties before initiating contact,
+ * then this handler validates and responds to challenges.
+ */
+interface ChallengeResponse {
+    status: number;
+    body: {
+        challengeId: string;
+        acknowledged: boolean;
+        pendingCounterparties: string[];
+        respondedAt: string;
+        error?: string;
+    };
+}
+interface ChallengeHandlerConfig {
+    agentId: string;
+}
+declare class ChallengeHandler {
+    private agentId;
+    private pendingCounterparties;
+    constructor(config: ChallengeHandlerConfig);
+    /**
+     * Register a counterparty as pending (before initiating contact).
+     */
+    registerPending(counterpartyId: string): void;
+    /**
+     * Remove a counterparty from pending list (after interaction complete).
+     */
+    removePending(counterpartyId: string): void;
+    /**
+     * Get current pending counterparties list.
+     */
+    getPendingList(): string[];
+    /**
+     * Express middleware for the challenge endpoint.
+     * Mount at: app.post('/astrasync/challenge', handler.expressMiddleware())
+     */
+    expressMiddleware(): (req: {
+        body: unknown;
+    }, res: {
+        status: (code: number) => {
+            json: (body: unknown) => void;
+        };
+    }) => void;
+    /**
+     * Generic handler (framework-agnostic).
+     * Returns { status, body } for the caller to send.
+     */
+    handleChallenge(body: unknown): ChallengeResponse;
+}
+
+/**
+ * PDLSS Formatter — Transport Format Conversion
+ *
+ * Converts between full PDLSS boundaries and compact transport format
+ * used in HTTP headers, A2A metadata, and MCP _meta blocks.
+ */
+
+/**
+ * Full PDLSS configuration (as returned by the backend).
+ */
+interface PDLSSConfig {
+    purpose?: {
+        categories?: string[];
+        allowedActions?: string[];
+        deniedActions?: string[];
+    };
+    duration?: {
+        maxSessionDuration?: number;
+        ttl?: number;
+        allowedDays?: number[];
+        allowedHours?: {
+            start: number;
+            end: number;
+        };
+    };
+    limits?: {
+        autonomousThreshold?: number;
+        stepUpThreshold?: number;
+        approvalThreshold?: number;
+        currency?: string;
+    };
+    scope?: {
+        jurisdictions?: string[];
+        resources?: string[];
+        resourceTypes?: string[];
+    };
+    selfInstantiation?: {
+        allowed: boolean;
+        maxDepth?: number;
+        maxSubAgents?: number;
+    };
+}
+/**
+ * Compact transport format (embedded in headers/metadata).
+ */
+type TransportPDLSS = NonNullable<AstraSyncCredentials['pdlss']>;
+/**
+ * Convert full PDLSS boundaries into compact transport format.
+ * Used by AgentClient when building credential headers/metadata.
+ */
+declare function formatPDLSSForTransport(pdlss: PDLSSConfig): TransportPDLSS;
+/**
+ * Parse transport format back into full PDLSS config.
+ * Used by counterparty-side when receiving credentials.
+ */
+declare function parsePDLSSFromTransport(transport: TransportPDLSS): PDLSSConfig;
+
+/**
+ * Decision Client — Counterparty-Side Decision Recording
+ *
+ * Helper for counterparties to record their grant/deny decisions
+ * back to AstraSync after receiving a verification result.
+ */
+
+interface RecordDecisionParams {
+    sessionId: string;
+    decision: 'granted' | 'denied';
+    reason?: string;
+    tokenIssued?: boolean;
+    auditId?: string;
+}
+interface RecordDecisionResult {
+    recorded: boolean;
+    blockchainTxHash?: string;
+}
+/**
+ * Record a counterparty's grant/deny decision for a verification session.
+ * POST to /agents/verify-access/:sessionId/decision
+ */
+declare function recordDecision(config: GatewayConfig, params: RecordDecisionParams): Promise<RecordDecisionResult>;
+
+/**
+ * Agent-Side SDK Module
+ *
+ * Tools for AI agents to present credentials, handle challenges,
+ * and interact with the AstraSync verification protocol.
+ */
+
+type index_AgentClient = AgentClient;
+declare const index_AgentClient: typeof AgentClient;
+type index_ChallengeHandler = ChallengeHandler;
+declare const index_ChallengeHandler: typeof ChallengeHandler;
+type index_PDLSSConfig = PDLSSConfig;
+type index_TransportPDLSS = TransportPDLSS;
+declare const index_formatPDLSSForTransport: typeof formatPDLSSForTransport;
+declare const index_parsePDLSSFromTransport: typeof parsePDLSSFromTransport;
+declare const index_recordDecision: typeof recordDecision;
+declare namespace index {
+  export { index_AgentClient as AgentClient, index_ChallengeHandler as ChallengeHandler, type index_PDLSSConfig as PDLSSConfig, type index_TransportPDLSS as TransportPDLSS, index_formatPDLSSForTransport as formatPDLSSForTransport, index_parsePDLSSFromTransport as parsePDLSSFromTransport, index_recordDecision as recordDecision };
+}
+
+export { AgentClient as A, ChallengeHandler as C, type PDLSSConfig as P, type TransportPDLSS as T, formatPDLSSForTransport as f, index as i, parsePDLSSFromTransport as p, recordDecision as r };

package/dist/index-Bhfxq9xI.d.ts

@@ -0,0 +1,206 @@
+import { c as AstraSyncCredentials, g as ProtocolTransport, G as GatewayConfig } from './types-Bf8pML07.js';
+
+/**
+ * AgentClient — Credential Presentation
+ *
+ * Agent-side SDK for automatically injecting AstraSync credentials
+ * into outgoing requests across all supported protocols.
+ */
+
+interface AgentClientConfig {
+    agentId: string;
+    verifyUrl?: string;
+    challengeUrl?: string;
+    pdlss?: AstraSyncCredentials['pdlss'];
+}
+interface FetchOptions extends RequestInit {
+    purpose?: string;
+    action?: string;
+}
+declare class AgentClient {
+    private credentials;
+    constructor(config: AgentClientConfig);
+    /**
+     * Make an HTTP request with AstraSync headers automatically injected.
+     */
+    fetch(url: string, options?: FetchOptions): Promise<Response>;
+    /**
+     * Prepare A2A task metadata with AstraSync credentials.
+     */
+    prepareA2AMetadata(task: Record<string, unknown>, overrides?: {
+        purpose?: string;
+        action?: string;
+    }): Record<string, unknown>;
+    /**
+     * Prepare MCP params with AstraSync _meta.
+     */
+    prepareMcpMeta(params: Record<string, unknown>, overrides?: {
+        purpose?: string;
+        action?: string;
+    }): Record<string, unknown>;
+    /**
+     * Generic: apply credentials to any protocol.
+     */
+    applyCredentials(protocol: ProtocolTransport, target: Record<string, unknown>, overrides?: {
+        purpose?: string;
+        action?: string;
+    }): Record<string, unknown>;
+    private buildCredentials;
+}
+
+/**
+ * ChallengeHandler — Agent-Side Runtime Challenge Responder
+ *
+ * Handles incoming runtime challenges from AstraSync's verification service.
+ * Agents register pending counterparties before initiating contact,
+ * then this handler validates and responds to challenges.
+ */
+interface ChallengeResponse {
+    status: number;
+    body: {
+        challengeId: string;
+        acknowledged: boolean;
+        pendingCounterparties: string[];
+        respondedAt: string;
+        error?: string;
+    };
+}
+interface ChallengeHandlerConfig {
+    agentId: string;
+}
+declare class ChallengeHandler {
+    private agentId;
+    private pendingCounterparties;
+    constructor(config: ChallengeHandlerConfig);
+    /**
+     * Register a counterparty as pending (before initiating contact).
+     */
+    registerPending(counterpartyId: string): void;
+    /**
+     * Remove a counterparty from pending list (after interaction complete).
+     */
+    removePending(counterpartyId: string): void;
+    /**
+     * Get current pending counterparties list.
+     */
+    getPendingList(): string[];
+    /**
+     * Express middleware for the challenge endpoint.
+     * Mount at: app.post('/astrasync/challenge', handler.expressMiddleware())
+     */
+    expressMiddleware(): (req: {
+        body: unknown;
+    }, res: {
+        status: (code: number) => {
+            json: (body: unknown) => void;
+        };
+    }) => void;
+    /**
+     * Generic handler (framework-agnostic).
+     * Returns { status, body } for the caller to send.
+     */
+    handleChallenge(body: unknown): ChallengeResponse;
+}
+
+/**
+ * PDLSS Formatter — Transport Format Conversion
+ *
+ * Converts between full PDLSS boundaries and compact transport format
+ * used in HTTP headers, A2A metadata, and MCP _meta blocks.
+ */
+
+/**
+ * Full PDLSS configuration (as returned by the backend).
+ */
+interface PDLSSConfig {
+    purpose?: {
+        categories?: string[];
+        allowedActions?: string[];
+        deniedActions?: string[];
+    };
+    duration?: {
+        maxSessionDuration?: number;
+        ttl?: number;
+        allowedDays?: number[];
+        allowedHours?: {
+            start: number;
+            end: number;
+        };
+    };
+    limits?: {
+        autonomousThreshold?: number;
+        stepUpThreshold?: number;
+        approvalThreshold?: number;
+        currency?: string;
+    };
+    scope?: {
+        jurisdictions?: string[];
+        resources?: string[];
+        resourceTypes?: string[];
+    };
+    selfInstantiation?: {
+        allowed: boolean;
+        maxDepth?: number;
+        maxSubAgents?: number;
+    };
+}
+/**
+ * Compact transport format (embedded in headers/metadata).
+ */
+type TransportPDLSS = NonNullable<AstraSyncCredentials['pdlss']>;
+/**
+ * Convert full PDLSS boundaries into compact transport format.
+ * Used by AgentClient when building credential headers/metadata.
+ */
+declare function formatPDLSSForTransport(pdlss: PDLSSConfig): TransportPDLSS;
+/**
+ * Parse transport format back into full PDLSS config.
+ * Used by counterparty-side when receiving credentials.
+ */
+declare function parsePDLSSFromTransport(transport: TransportPDLSS): PDLSSConfig;
+
+/**
+ * Decision Client — Counterparty-Side Decision Recording
+ *
+ * Helper for counterparties to record their grant/deny decisions
+ * back to AstraSync after receiving a verification result.
+ */
+
+interface RecordDecisionParams {
+    sessionId: string;
+    decision: 'granted' | 'denied';
+    reason?: string;
+    tokenIssued?: boolean;
+    auditId?: string;
+}
+interface RecordDecisionResult {
+    recorded: boolean;
+    blockchainTxHash?: string;
+}
+/**
+ * Record a counterparty's grant/deny decision for a verification session.
+ * POST to /agents/verify-access/:sessionId/decision
+ */
+declare function recordDecision(config: GatewayConfig, params: RecordDecisionParams): Promise<RecordDecisionResult>;
+
+/**
+ * Agent-Side SDK Module
+ *
+ * Tools for AI agents to present credentials, handle challenges,
+ * and interact with the AstraSync verification protocol.
+ */
+
+type index_AgentClient = AgentClient;
+declare const index_AgentClient: typeof AgentClient;
+type index_ChallengeHandler = ChallengeHandler;
+declare const index_ChallengeHandler: typeof ChallengeHandler;
+type index_PDLSSConfig = PDLSSConfig;
+type index_TransportPDLSS = TransportPDLSS;
+declare const index_formatPDLSSForTransport: typeof formatPDLSSForTransport;
+declare const index_parsePDLSSFromTransport: typeof parsePDLSSFromTransport;
+declare const index_recordDecision: typeof recordDecision;
+declare namespace index {
+  export { index_AgentClient as AgentClient, index_ChallengeHandler as ChallengeHandler, type index_PDLSSConfig as PDLSSConfig, type index_TransportPDLSS as TransportPDLSS, index_formatPDLSSForTransport as formatPDLSSForTransport, index_parsePDLSSFromTransport as parsePDLSSFromTransport, index_recordDecision as recordDecision };
+}
+
+export { AgentClient as A, ChallengeHandler as C, type PDLSSConfig as P, type TransportPDLSS as T, formatPDLSSForTransport as f, index as i, parsePDLSSFromTransport as p, recordDecision as r };

package/dist/index-CNkmHmpi.d.ts

@@ -0,0 +1,89 @@
+import { c as AstraSyncCredentials, g as ProtocolTransport } from './types-Bf8pML07.js';
+
+/**
+ * HTTP Transport Adapter
+ *
+ * Maps AstraSync credentials to/from HTTP headers (X-Astra-* convention).
+ */
+
+/**
+ * Inject AstraSync credentials into HTTP headers.
+ */
+declare function setHttpHeaders(headers: Record<string, string>, credentials: AstraSyncCredentials): Record<string, string>;
+/**
+ * Extract AstraSync credentials from HTTP headers.
+ */
+declare function extractHttpCredentials(headers: Record<string, string | string[] | undefined>): AstraSyncCredentials | null;
+
+/**
+ * A2A (Agent-to-Agent) Transport Adapter
+ *
+ * Maps AstraSync credentials to/from A2A task metadata.astrasync block.
+ */
+
+interface A2ATask {
+    metadata?: Record<string, unknown>;
+    [key: string]: unknown;
+}
+/**
+ * Add AstraSync credentials to an A2A task's metadata block.
+ */
+declare function setA2AMetadata(task: A2ATask, credentials: AstraSyncCredentials): A2ATask;
+/**
+ * Extract AstraSync credentials from an A2A task's metadata block.
+ */
+declare function extractA2ACredentials(task: A2ATask): AstraSyncCredentials | null;
+
+/**
+ * MCP (Model Context Protocol) Transport Adapter
+ *
+ * Maps AstraSync credentials to/from MCP params._meta.astrasync block.
+ */
+
+interface McpParams {
+    _meta?: Record<string, unknown>;
+    [key: string]: unknown;
+}
+/**
+ * Add AstraSync credentials to MCP params' _meta block.
+ */
+declare function setMcpMeta(params: McpParams, credentials: AstraSyncCredentials): McpParams;
+/**
+ * Extract AstraSync credentials from MCP params' _meta block.
+ */
+declare function extractMcpCredentials(params: McpParams): AstraSyncCredentials | null;
+
+/**
+ * Cross-Protocol Transport Module
+ *
+ * Provides adapters for injecting/extracting AstraSync credentials
+ * across HTTP, A2A, and MCP protocols.
+ */
+
+/**
+ * Auto-detect protocol from request/context shape.
+ */
+declare function detectProtocol(context: Record<string, unknown>): ProtocolTransport;
+/**
+ * Apply credentials to any protocol target.
+ */
+declare function applyCredentials(protocol: ProtocolTransport, target: Record<string, unknown>, credentials: AstraSyncCredentials): Record<string, unknown>;
+/**
+ * Extract credentials from any protocol context.
+ */
+declare function extractCredentialsFromProtocol(protocol: ProtocolTransport, context: Record<string, unknown>): AstraSyncCredentials | null;
+
+declare const index_applyCredentials: typeof applyCredentials;
+declare const index_detectProtocol: typeof detectProtocol;
+declare const index_extractA2ACredentials: typeof extractA2ACredentials;
+declare const index_extractCredentialsFromProtocol: typeof extractCredentialsFromProtocol;
+declare const index_extractHttpCredentials: typeof extractHttpCredentials;
+declare const index_extractMcpCredentials: typeof extractMcpCredentials;
+declare const index_setA2AMetadata: typeof setA2AMetadata;
+declare const index_setHttpHeaders: typeof setHttpHeaders;
+declare const index_setMcpMeta: typeof setMcpMeta;
+declare namespace index {
+  export { index_applyCredentials as applyCredentials, index_detectProtocol as detectProtocol, index_extractA2ACredentials as extractA2ACredentials, index_extractCredentialsFromProtocol as extractCredentialsFromProtocol, index_extractHttpCredentials as extractHttpCredentials, index_extractMcpCredentials as extractMcpCredentials, index_setA2AMetadata as setA2AMetadata, index_setHttpHeaders as setHttpHeaders, index_setMcpMeta as setMcpMeta };
+}
+
+export { applyCredentials as a, extractCredentialsFromProtocol as b, extractHttpCredentials as c, detectProtocol as d, extractA2ACredentials as e, extractMcpCredentials as f, setHttpHeaders as g, setMcpMeta as h, index as i, setA2AMetadata as s };

package/dist/index-CoLebmwv.d.mts

@@ -0,0 +1,89 @@
+import { c as AstraSyncCredentials, g as ProtocolTransport } from './types-Bf8pML07.mjs';
+
+/**
+ * HTTP Transport Adapter
+ *
+ * Maps AstraSync credentials to/from HTTP headers (X-Astra-* convention).
+ */
+
+/**
+ * Inject AstraSync credentials into HTTP headers.
+ */
+declare function setHttpHeaders(headers: Record<string, string>, credentials: AstraSyncCredentials): Record<string, string>;
+/**
+ * Extract AstraSync credentials from HTTP headers.
+ */
+declare function extractHttpCredentials(headers: Record<string, string | string[] | undefined>): AstraSyncCredentials | null;
+
+/**
+ * A2A (Agent-to-Agent) Transport Adapter
+ *
+ * Maps AstraSync credentials to/from A2A task metadata.astrasync block.
+ */
+
+interface A2ATask {
+    metadata?: Record<string, unknown>;
+    [key: string]: unknown;
+}
+/**
+ * Add AstraSync credentials to an A2A task's metadata block.
+ */
+declare function setA2AMetadata(task: A2ATask, credentials: AstraSyncCredentials): A2ATask;
+/**
+ * Extract AstraSync credentials from an A2A task's metadata block.
+ */
+declare function extractA2ACredentials(task: A2ATask): AstraSyncCredentials | null;
+
+/**
+ * MCP (Model Context Protocol) Transport Adapter
+ *
+ * Maps AstraSync credentials to/from MCP params._meta.astrasync block.
+ */
+
+interface McpParams {
+    _meta?: Record<string, unknown>;
+    [key: string]: unknown;
+}
+/**
+ * Add AstraSync credentials to MCP params' _meta block.
+ */
+declare function setMcpMeta(params: McpParams, credentials: AstraSyncCredentials): McpParams;
+/**
+ * Extract AstraSync credentials from MCP params' _meta block.
+ */
+declare function extractMcpCredentials(params: McpParams): AstraSyncCredentials | null;
+
+/**
+ * Cross-Protocol Transport Module
+ *
+ * Provides adapters for injecting/extracting AstraSync credentials
+ * across HTTP, A2A, and MCP protocols.
+ */
+
+/**
+ * Auto-detect protocol from request/context shape.
+ */
+declare function detectProtocol(context: Record<string, unknown>): ProtocolTransport;
+/**
+ * Apply credentials to any protocol target.
+ */
+declare function applyCredentials(protocol: ProtocolTransport, target: Record<string, unknown>, credentials: AstraSyncCredentials): Record<string, unknown>;
+/**
+ * Extract credentials from any protocol context.
+ */
+declare function extractCredentialsFromProtocol(protocol: ProtocolTransport, context: Record<string, unknown>): AstraSyncCredentials | null;
+
+declare const index_applyCredentials: typeof applyCredentials;
+declare const index_detectProtocol: typeof detectProtocol;
+declare const index_extractA2ACredentials: typeof extractA2ACredentials;
+declare const index_extractCredentialsFromProtocol: typeof extractCredentialsFromProtocol;
+declare const index_extractHttpCredentials: typeof extractHttpCredentials;
+declare const index_extractMcpCredentials: typeof extractMcpCredentials;
+declare const index_setA2AMetadata: typeof setA2AMetadata;
+declare const index_setHttpHeaders: typeof setHttpHeaders;
+declare const index_setMcpMeta: typeof setMcpMeta;
+declare namespace index {
+  export { index_applyCredentials as applyCredentials, index_detectProtocol as detectProtocol, index_extractA2ACredentials as extractA2ACredentials, index_extractCredentialsFromProtocol as extractCredentialsFromProtocol, index_extractHttpCredentials as extractHttpCredentials, index_extractMcpCredentials as extractMcpCredentials, index_setA2AMetadata as setA2AMetadata, index_setHttpHeaders as setHttpHeaders, index_setMcpMeta as setMcpMeta };
+}
+
+export { applyCredentials as a, extractCredentialsFromProtocol as b, extractHttpCredentials as c, detectProtocol as d, extractA2ACredentials as e, extractMcpCredentials as f, setHttpHeaders as g, setMcpMeta as h, index as i, setA2AMetadata as s };