@astrasyncai/verification-gateway 1.0.0 → 2.0.0

package/dist/agent/index.mjs

@@ -0,0 +1,323 @@
+// src/transport/http.ts
+var HEADER_PREFIX = "X-Astra-";
+function setHttpHeaders(headers, credentials) {
+  const result = { ...headers };
+  result[`${HEADER_PREFIX}ID`] = credentials.agentId;
+  if (credentials.verifyUrl) {
+    result[`${HEADER_PREFIX}Verify`] = credentials.verifyUrl;
+  }
+  if (credentials.challengeUrl) {
+    result[`${HEADER_PREFIX}Challenge`] = credentials.challengeUrl;
+  }
+  if (credentials.pdlss?.purpose) {
+    const purposeValue = credentials.pdlss.purpose.action ? `${credentials.pdlss.purpose.category}:${credentials.pdlss.purpose.action}` : credentials.pdlss.purpose.category;
+    result[`${HEADER_PREFIX}Purpose`] = purposeValue;
+  }
+  if (credentials.pdlss?.duration?.maxSessionDuration) {
+    result[`${HEADER_PREFIX}Duration`] = String(credentials.pdlss.duration.maxSessionDuration);
+  }
+  if (credentials.pdlss?.scope?.jurisdiction) {
+    result[`${HEADER_PREFIX}Scope`] = credentials.pdlss.scope.jurisdiction;
+  }
+  return result;
+}
+
+// src/transport/a2a.ts
+function setA2AMetadata(task, credentials) {
+  const astrasync = {
+    agentId: credentials.agentId
+  };
+  if (credentials.verifyUrl) astrasync.verifyUrl = credentials.verifyUrl;
+  if (credentials.challengeUrl) astrasync.challengeUrl = credentials.challengeUrl;
+  if (credentials.pdlss?.purpose) astrasync.purpose = credentials.pdlss.purpose;
+  if (credentials.pdlss?.duration) astrasync.duration = credentials.pdlss.duration;
+  if (credentials.pdlss?.scope) astrasync.scope = credentials.pdlss.scope;
+  return {
+    ...task,
+    metadata: {
+      ...task.metadata,
+      astrasync
+    }
+  };
+}
+
+// src/transport/mcp.ts
+function setMcpMeta(params, credentials) {
+  const astrasync = {
+    agentId: credentials.agentId
+  };
+  if (credentials.verifyUrl) astrasync.verifyUrl = credentials.verifyUrl;
+  if (credentials.challengeUrl) astrasync.challengeUrl = credentials.challengeUrl;
+  if (credentials.pdlss?.purpose) astrasync.purpose = credentials.pdlss.purpose;
+  if (credentials.pdlss?.duration) astrasync.duration = credentials.pdlss.duration;
+  if (credentials.pdlss?.scope) astrasync.scope = credentials.pdlss.scope;
+  return {
+    ...params,
+    _meta: {
+      ...params._meta,
+      astrasync
+    }
+  };
+}
+
+// src/transport/index.ts
+function applyCredentials(protocol, target, credentials) {
+  switch (protocol) {
+    case "http":
+      return setHttpHeaders(target, credentials);
+    case "a2a":
+      return setA2AMetadata(target, credentials);
+    case "mcp":
+      return setMcpMeta(target, credentials);
+    default:
+      return target;
+  }
+}
+
+// src/agent/client.ts
+var AgentClient = class {
+  constructor(config) {
+    this.credentials = {
+      agentId: config.agentId,
+      verifyUrl: config.verifyUrl ?? "https://api.astrasync.ai/agents/verify-access",
+      challengeUrl: config.challengeUrl,
+      pdlss: config.pdlss
+    };
+  }
+  /**
+   * Make an HTTP request with AstraSync headers automatically injected.
+   */
+  async fetch(url, options) {
+    const { purpose, action, ...fetchOptions } = options ?? {};
+    const creds = { ...this.credentials };
+    if (purpose) {
+      creds.pdlss = {
+        ...creds.pdlss,
+        purpose: { category: purpose, action }
+      };
+    }
+    const existingHeaders = {};
+    if (fetchOptions.headers) {
+      if (fetchOptions.headers instanceof Headers) {
+        fetchOptions.headers.forEach((value, key) => {
+          existingHeaders[key] = value;
+        });
+      } else if (Array.isArray(fetchOptions.headers)) {
+        for (const [key, value] of fetchOptions.headers) {
+          existingHeaders[key] = value;
+        }
+      } else {
+        Object.assign(existingHeaders, fetchOptions.headers);
+      }
+    }
+    const enrichedHeaders = setHttpHeaders(existingHeaders, creds);
+    return fetch(url, {
+      ...fetchOptions,
+      headers: enrichedHeaders
+    });
+  }
+  /**
+   * Prepare A2A task metadata with AstraSync credentials.
+   */
+  prepareA2AMetadata(task, overrides) {
+    const creds = this.buildCredentials(overrides);
+    return setA2AMetadata(task, creds);
+  }
+  /**
+   * Prepare MCP params with AstraSync _meta.
+   */
+  prepareMcpMeta(params, overrides) {
+    const creds = this.buildCredentials(overrides);
+    return setMcpMeta(params, creds);
+  }
+  /**
+   * Generic: apply credentials to any protocol.
+   */
+  applyCredentials(protocol, target, overrides) {
+    const creds = this.buildCredentials(overrides);
+    return applyCredentials(protocol, target, creds);
+  }
+  buildCredentials(overrides) {
+    if (!overrides?.purpose) return this.credentials;
+    return {
+      ...this.credentials,
+      pdlss: {
+        ...this.credentials.pdlss,
+        purpose: { category: overrides.purpose, action: overrides.action }
+      }
+    };
+  }
+};
+
+// src/agent/challenge-handler.ts
+var ChallengeHandler = class {
+  constructor(config) {
+    this.pendingCounterparties = /* @__PURE__ */ new Set();
+    this.agentId = config.agentId;
+  }
+  /**
+   * Register a counterparty as pending (before initiating contact).
+   */
+  registerPending(counterpartyId) {
+    this.pendingCounterparties.add(counterpartyId);
+  }
+  /**
+   * Remove a counterparty from pending list (after interaction complete).
+   */
+  removePending(counterpartyId) {
+    this.pendingCounterparties.delete(counterpartyId);
+  }
+  /**
+   * Get current pending counterparties list.
+   */
+  getPendingList() {
+    return [...this.pendingCounterparties];
+  }
+  /**
+   * Express middleware for the challenge endpoint.
+   * Mount at: app.post('/astrasync/challenge', handler.expressMiddleware())
+   */
+  expressMiddleware() {
+    return (req, res) => {
+      const result = this.handleChallenge(req.body);
+      res.status(result.status).json(result.body);
+    };
+  }
+  /**
+   * Generic handler (framework-agnostic).
+   * Returns { status, body } for the caller to send.
+   */
+  handleChallenge(body) {
+    if (!body || typeof body !== "object") {
+      return {
+        status: 400,
+        body: {
+          challengeId: "",
+          acknowledged: false,
+          pendingCounterparties: [],
+          respondedAt: (/* @__PURE__ */ new Date()).toISOString(),
+          error: "Invalid challenge payload"
+        }
+      };
+    }
+    const payload = body;
+    if (!payload.challengeId || !payload.issuedAt || !payload.expiresAt) {
+      return {
+        status: 400,
+        body: {
+          challengeId: payload.challengeId ?? "",
+          acknowledged: false,
+          pendingCounterparties: [],
+          respondedAt: (/* @__PURE__ */ new Date()).toISOString(),
+          error: "Missing required challenge fields"
+        }
+      };
+    }
+    const now = /* @__PURE__ */ new Date();
+    const expiresAt = new Date(payload.expiresAt);
+    if (now > expiresAt) {
+      return {
+        status: 410,
+        body: {
+          challengeId: payload.challengeId,
+          acknowledged: false,
+          pendingCounterparties: [],
+          respondedAt: now.toISOString(),
+          error: "Challenge has expired"
+        }
+      };
+    }
+    return {
+      status: 200,
+      body: {
+        challengeId: payload.challengeId,
+        acknowledged: true,
+        pendingCounterparties: this.getPendingList(),
+        respondedAt: now.toISOString()
+      }
+    };
+  }
+};
+
+// src/agent/pdlss-formatter.ts
+function formatPDLSSForTransport(pdlss) {
+  const transport = {};
+  if (pdlss.purpose?.categories?.length) {
+    transport.purpose = {
+      category: pdlss.purpose.categories[0],
+      action: pdlss.purpose.allowedActions?.[0]
+    };
+  }
+  if (pdlss.duration) {
+    const candidates = [];
+    if (pdlss.duration.maxSessionDuration) candidates.push(pdlss.duration.maxSessionDuration);
+    if (pdlss.duration.ttl) candidates.push(pdlss.duration.ttl);
+    if (candidates.length > 0) {
+      transport.duration = { maxSessionDuration: Math.min(...candidates) };
+    }
+  }
+  if (pdlss.scope?.jurisdictions?.length) {
+    transport.scope = { jurisdiction: pdlss.scope.jurisdictions[0] };
+  }
+  return transport;
+}
+function parsePDLSSFromTransport(transport) {
+  const pdlss = {};
+  if (transport.purpose) {
+    pdlss.purpose = {
+      categories: [transport.purpose.category],
+      allowedActions: transport.purpose.action ? [transport.purpose.action] : void 0
+    };
+  }
+  if (transport.duration) {
+    pdlss.duration = {
+      maxSessionDuration: transport.duration.maxSessionDuration
+    };
+  }
+  if (transport.scope) {
+    pdlss.scope = {
+      jurisdictions: transport.scope.jurisdiction ? [transport.scope.jurisdiction] : void 0
+    };
+  }
+  return pdlss;
+}
+
+// src/agent/decision-client.ts
+async function recordDecision(config, params) {
+  const { sessionId, ...body } = params;
+  const baseUrl = config.apiBaseUrl.replace(/\/$/, "");
+  const url = `${baseUrl}/agents/verify-access/${encodeURIComponent(sessionId)}/decision`;
+  const headers = {
+    "Content-Type": "application/json"
+  };
+  if (config.apiKey) {
+    headers["Authorization"] = `Bearer ${config.apiKey}`;
+  }
+  if (config.customHeaders) {
+    Object.assign(headers, config.customHeaders);
+  }
+  const response = await fetch(url, {
+    method: "POST",
+    headers,
+    body: JSON.stringify(body)
+  });
+  if (!response.ok) {
+    const errorText = await response.text().catch(() => "Unknown error");
+    throw new Error(
+      `Failed to record decision for session ${sessionId}: ${response.status} ${errorText}`
+    );
+  }
+  const result = await response.json();
+  return {
+    recorded: result.recorded ?? true,
+    blockchainTxHash: result.blockchainTxHash
+  };
+}
+export {
+  AgentClient,
+  ChallengeHandler,
+  formatPDLSSForTransport,
+  parsePDLSSFromTransport,
+  recordDecision
+};
+//# sourceMappingURL=index.mjs.map

package/dist/agent/index.mjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/transport/http.ts","../../src/transport/a2a.ts","../../src/transport/mcp.ts","../../src/transport/index.ts","../../src/agent/client.ts","../../src/agent/challenge-handler.ts","../../src/agent/pdlss-formatter.ts","../../src/agent/decision-client.ts"],"sourcesContent":["/**\n * HTTP Transport Adapter\n *\n * Maps AstraSync credentials to/from HTTP headers (X-Astra-* convention).\n */\n\nimport type { AstraSyncCredentials } from '../types';\n\nconst HEADER_PREFIX = 'X-Astra-';\n\n/**\n * Inject AstraSync credentials into HTTP headers.\n */\nexport function setHttpHeaders(\n  headers: Record<string, string>,\n  credentials: AstraSyncCredentials,\n): Record<string, string> {\n  const result = { ...headers };\n\n  result[`${HEADER_PREFIX}ID`] = credentials.agentId;\n\n  if (credentials.verifyUrl) {\n    result[`${HEADER_PREFIX}Verify`] = credentials.verifyUrl;\n  }\n\n  if (credentials.challengeUrl) {\n    result[`${HEADER_PREFIX}Challenge`] = credentials.challengeUrl;\n  }\n\n  if (credentials.pdlss?.purpose) {\n    const purposeValue = credentials.pdlss.purpose.action\n      ? `${credentials.pdlss.purpose.category}:${credentials.pdlss.purpose.action}`\n      : credentials.pdlss.purpose.category;\n    result[`${HEADER_PREFIX}Purpose`] = purposeValue;\n  }\n\n  if (credentials.pdlss?.duration?.maxSessionDuration) {\n    result[`${HEADER_PREFIX}Duration`] = String(credentials.pdlss.duration.maxSessionDuration);\n  }\n\n  if (credentials.pdlss?.scope?.jurisdiction) {\n    result[`${HEADER_PREFIX}Scope`] = credentials.pdlss.scope.jurisdiction;\n  }\n\n  return result;\n}\n\n/**\n * Extract AstraSync credentials from HTTP headers.\n */\nexport function extractHttpCredentials(\n  headers: Record<string, string | string[] | undefined>,\n): AstraSyncCredentials | null {\n  const getValue = (key: string): string | undefined => {\n    const v = headers[key] ?? headers[key.toLowerCase()];\n    return Array.isArray(v) ? v[0] : v;\n  };\n\n  const agentId = getValue(`${HEADER_PREFIX}ID`) ?? getValue('x-astra-id');\n  if (!agentId) return null;\n\n  const credentials: AstraSyncCredentials = { agentId };\n\n  const verifyUrl = getValue(`${HEADER_PREFIX}Verify`) ?? getValue('x-astra-verify');\n  if (verifyUrl) credentials.verifyUrl = verifyUrl;\n\n  const challengeUrl = getValue(`${HEADER_PREFIX}Challenge`) ?? getValue('x-astra-challenge');\n  if (challengeUrl) credentials.challengeUrl = challengeUrl;\n\n  const purpose = getValue(`${HEADER_PREFIX}Purpose`) ?? getValue('x-astra-purpose');\n  if (purpose) {\n    const [category, action] = purpose.split(':');\n    credentials.pdlss = {\n      ...credentials.pdlss,\n      purpose: { category, action },\n    };\n  }\n\n  const duration = getValue(`${HEADER_PREFIX}Duration`) ?? getValue('x-astra-duration');\n  if (duration) {\n    credentials.pdlss = {\n      ...credentials.pdlss,\n      duration: { maxSessionDuration: parseInt(duration, 10) },\n    };\n  }\n\n  const scope = getValue(`${HEADER_PREFIX}Scope`) ?? getValue('x-astra-scope');\n  if (scope) {\n    credentials.pdlss = {\n      ...credentials.pdlss,\n      scope: { jurisdiction: scope },\n    };\n  }\n\n  return credentials;\n}\n","/**\n * A2A (Agent-to-Agent) Transport Adapter\n *\n * Maps AstraSync credentials to/from A2A task metadata.astrasync block.\n */\n\nimport type { AstraSyncCredentials } from '../types';\n\ninterface A2ATask {\n  metadata?: Record<string, unknown>;\n  [key: string]: unknown;\n}\n\ninterface AstraSyncMetadata {\n  agentId: string;\n  verifyUrl?: string;\n  challengeUrl?: string;\n  purpose?: { category: string; action?: string };\n  duration?: { maxSessionDuration?: number };\n  scope?: { jurisdiction?: string };\n}\n\n/**\n * Add AstraSync credentials to an A2A task's metadata block.\n */\nexport function setA2AMetadata(\n  task: A2ATask,\n  credentials: AstraSyncCredentials,\n): A2ATask {\n  const astrasync: AstraSyncMetadata = {\n    agentId: credentials.agentId,\n  };\n\n  if (credentials.verifyUrl) astrasync.verifyUrl = credentials.verifyUrl;\n  if (credentials.challengeUrl) astrasync.challengeUrl = credentials.challengeUrl;\n  if (credentials.pdlss?.purpose) astrasync.purpose = credentials.pdlss.purpose;\n  if (credentials.pdlss?.duration) astrasync.duration = credentials.pdlss.duration;\n  if (credentials.pdlss?.scope) astrasync.scope = credentials.pdlss.scope;\n\n  return {\n    ...task,\n    metadata: {\n      ...task.metadata,\n      astrasync,\n    },\n  };\n}\n\n/**\n * Extract AstraSync credentials from an A2A task's metadata block.\n */\nexport function extractA2ACredentials(task: A2ATask): AstraSyncCredentials | null {\n  const meta = task.metadata?.astrasync as AstraSyncMetadata | undefined;\n  if (!meta?.agentId) return null;\n\n  const credentials: AstraSyncCredentials = {\n    agentId: meta.agentId,\n  };\n\n  if (meta.verifyUrl) credentials.verifyUrl = meta.verifyUrl;\n  if (meta.challengeUrl) credentials.challengeUrl = meta.challengeUrl;\n\n  if (meta.purpose || meta.duration || meta.scope) {\n    credentials.pdlss = {};\n    if (meta.purpose) credentials.pdlss.purpose = meta.purpose;\n    if (meta.duration) credentials.pdlss.duration = meta.duration;\n    if (meta.scope) credentials.pdlss.scope = meta.scope;\n  }\n\n  return credentials;\n}\n","/**\n * MCP (Model Context Protocol) Transport Adapter\n *\n * Maps AstraSync credentials to/from MCP params._meta.astrasync block.\n */\n\nimport type { AstraSyncCredentials } from '../types';\n\ninterface McpParams {\n  _meta?: Record<string, unknown>;\n  [key: string]: unknown;\n}\n\ninterface AstraSyncMeta {\n  agentId: string;\n  verifyUrl?: string;\n  challengeUrl?: string;\n  purpose?: { category: string; action?: string };\n  duration?: { maxSessionDuration?: number };\n  scope?: { jurisdiction?: string };\n}\n\n/**\n * Add AstraSync credentials to MCP params' _meta block.\n */\nexport function setMcpMeta(\n  params: McpParams,\n  credentials: AstraSyncCredentials,\n): McpParams {\n  const astrasync: AstraSyncMeta = {\n    agentId: credentials.agentId,\n  };\n\n  if (credentials.verifyUrl) astrasync.verifyUrl = credentials.verifyUrl;\n  if (credentials.challengeUrl) astrasync.challengeUrl = credentials.challengeUrl;\n  if (credentials.pdlss?.purpose) astrasync.purpose = credentials.pdlss.purpose;\n  if (credentials.pdlss?.duration) astrasync.duration = credentials.pdlss.duration;\n  if (credentials.pdlss?.scope) astrasync.scope = credentials.pdlss.scope;\n\n  return {\n    ...params,\n    _meta: {\n      ...params._meta,\n      astrasync,\n    },\n  };\n}\n\n/**\n * Extract AstraSync credentials from MCP params' _meta block.\n */\nexport function extractMcpCredentials(params: McpParams): AstraSyncCredentials | null {\n  const meta = params._meta?.astrasync as AstraSyncMeta | undefined;\n  if (!meta?.agentId) return null;\n\n  const credentials: AstraSyncCredentials = {\n    agentId: meta.agentId,\n  };\n\n  if (meta.verifyUrl) credentials.verifyUrl = meta.verifyUrl;\n  if (meta.challengeUrl) credentials.challengeUrl = meta.challengeUrl;\n\n  if (meta.purpose || meta.duration || meta.scope) {\n    credentials.pdlss = {};\n    if (meta.purpose) credentials.pdlss.purpose = meta.purpose;\n    if (meta.duration) credentials.pdlss.duration = meta.duration;\n    if (meta.scope) credentials.pdlss.scope = meta.scope;\n  }\n\n  return credentials;\n}\n","/**\n * Cross-Protocol Transport Module\n *\n * Provides adapters for injecting/extracting AstraSync credentials\n * across HTTP, A2A, and MCP protocols.\n */\n\nimport type { AstraSyncCredentials, ProtocolTransport } from '../types';\nimport { setHttpHeaders, extractHttpCredentials } from './http';\nimport { setA2AMetadata, extractA2ACredentials } from './a2a';\nimport { setMcpMeta, extractMcpCredentials } from './mcp';\n\nexport { setHttpHeaders, extractHttpCredentials } from './http';\nexport { setA2AMetadata, extractA2ACredentials } from './a2a';\nexport { setMcpMeta, extractMcpCredentials } from './mcp';\n\n/**\n * Auto-detect protocol from request/context shape.\n */\nexport function detectProtocol(context: Record<string, unknown>): ProtocolTransport {\n  // A2A: has metadata block with task-like structure\n  if (context.metadata && typeof context.metadata === 'object') {\n    return 'a2a';\n  }\n\n  // MCP: has _meta block (MCP convention)\n  if (context._meta && typeof context._meta === 'object') {\n    return 'mcp';\n  }\n\n  // Default to HTTP\n  return 'http';\n}\n\n/**\n * Apply credentials to any protocol target.\n */\nexport function applyCredentials(\n  protocol: ProtocolTransport,\n  target: Record<string, unknown>,\n  credentials: AstraSyncCredentials,\n): Record<string, unknown> {\n  switch (protocol) {\n    case 'http':\n      return setHttpHeaders(target as Record<string, string>, credentials);\n    case 'a2a':\n      return setA2AMetadata(target, credentials);\n    case 'mcp':\n      return setMcpMeta(target, credentials);\n    default:\n      return target;\n  }\n}\n\n/**\n * Extract credentials from any protocol context.\n */\nexport function extractCredentialsFromProtocol(\n  protocol: ProtocolTransport,\n  context: Record<string, unknown>,\n): AstraSyncCredentials | null {\n  switch (protocol) {\n    case 'http':\n      return extractHttpCredentials(context as Record<string, string | string[] | undefined>);\n    case 'a2a':\n      return extractA2ACredentials(context);\n    case 'mcp':\n      return extractMcpCredentials(context);\n    default:\n      return null;\n  }\n}\n","/**\n * AgentClient — Credential Presentation\n *\n * Agent-side SDK for automatically injecting AstraSync credentials\n * into outgoing requests across all supported protocols.\n */\n\nimport type { AstraSyncCredentials, ProtocolTransport } from '../types';\nimport { setHttpHeaders } from '../transport/http';\nimport { setA2AMetadata } from '../transport/a2a';\nimport { setMcpMeta } from '../transport/mcp';\nimport { applyCredentials } from '../transport';\n\ninterface AgentClientConfig {\n  agentId: string;\n  verifyUrl?: string;\n  challengeUrl?: string;\n  pdlss?: AstraSyncCredentials['pdlss'];\n}\n\ninterface FetchOptions extends RequestInit {\n  purpose?: string;\n  action?: string;\n}\n\nexport class AgentClient {\n  private credentials: AstraSyncCredentials;\n\n  constructor(config: AgentClientConfig) {\n    this.credentials = {\n      agentId: config.agentId,\n      verifyUrl: config.verifyUrl ?? 'https://api.astrasync.ai/agents/verify-access',\n      challengeUrl: config.challengeUrl,\n      pdlss: config.pdlss,\n    };\n  }\n\n  /**\n   * Make an HTTP request with AstraSync headers automatically injected.\n   */\n  async fetch(url: string, options?: FetchOptions): Promise<Response> {\n    const { purpose, action, ...fetchOptions } = options ?? {};\n\n    // Build credentials with optional overrides\n    const creds: AstraSyncCredentials = { ...this.credentials };\n    if (purpose) {\n      creds.pdlss = {\n        ...creds.pdlss,\n        purpose: { category: purpose, action },\n      };\n    }\n\n    // Inject AstraSync headers\n    const existingHeaders: Record<string, string> = {};\n    if (fetchOptions.headers) {\n      if (fetchOptions.headers instanceof Headers) {\n        fetchOptions.headers.forEach((value, key) => {\n          existingHeaders[key] = value;\n        });\n      } else if (Array.isArray(fetchOptions.headers)) {\n        for (const [key, value] of fetchOptions.headers) {\n          existingHeaders[key] = value;\n        }\n      } else {\n        Object.assign(existingHeaders, fetchOptions.headers);\n      }\n    }\n\n    const enrichedHeaders = setHttpHeaders(existingHeaders, creds);\n\n    return fetch(url, {\n      ...fetchOptions,\n      headers: enrichedHeaders,\n    });\n  }\n\n  /**\n   * Prepare A2A task metadata with AstraSync credentials.\n   */\n  prepareA2AMetadata(\n    task: Record<string, unknown>,\n    overrides?: { purpose?: string; action?: string },\n  ): Record<string, unknown> {\n    const creds = this.buildCredentials(overrides);\n    return setA2AMetadata(task, creds);\n  }\n\n  /**\n   * Prepare MCP params with AstraSync _meta.\n   */\n  prepareMcpMeta(\n    params: Record<string, unknown>,\n    overrides?: { purpose?: string; action?: string },\n  ): Record<string, unknown> {\n    const creds = this.buildCredentials(overrides);\n    return setMcpMeta(params, creds);\n  }\n\n  /**\n   * Generic: apply credentials to any protocol.\n   */\n  applyCredentials(\n    protocol: ProtocolTransport,\n    target: Record<string, unknown>,\n    overrides?: { purpose?: string; action?: string },\n  ): Record<string, unknown> {\n    const creds = this.buildCredentials(overrides);\n    return applyCredentials(protocol, target, creds);\n  }\n\n  private buildCredentials(overrides?: { purpose?: string; action?: string }): AstraSyncCredentials {\n    if (!overrides?.purpose) return this.credentials;\n\n    return {\n      ...this.credentials,\n      pdlss: {\n        ...this.credentials.pdlss,\n        purpose: { category: overrides.purpose, action: overrides.action },\n      },\n    };\n  }\n}\n","/**\n * ChallengeHandler — Agent-Side Runtime Challenge Responder\n *\n * Handles incoming runtime challenges from AstraSync's verification service.\n * Agents register pending counterparties before initiating contact,\n * then this handler validates and responds to challenges.\n */\n\ninterface ChallengePayload {\n  challengeId: string;\n  type: string;\n  counterpartyId?: string | null;\n  counterpartyUrl?: string | null;\n  question?: string;\n  issuedAt: string;\n  expiresAt: string;\n}\n\ninterface ChallengeResponse {\n  status: number;\n  body: {\n    challengeId: string;\n    acknowledged: boolean;\n    pendingCounterparties: string[];\n    respondedAt: string;\n    error?: string;\n  };\n}\n\ninterface ChallengeHandlerConfig {\n  agentId: string;\n}\n\nexport class ChallengeHandler {\n  private agentId: string;\n  private pendingCounterparties: Set<string> = new Set();\n\n  constructor(config: ChallengeHandlerConfig) {\n    this.agentId = config.agentId;\n  }\n\n  /**\n   * Register a counterparty as pending (before initiating contact).\n   */\n  registerPending(counterpartyId: string): void {\n    this.pendingCounterparties.add(counterpartyId);\n  }\n\n  /**\n   * Remove a counterparty from pending list (after interaction complete).\n   */\n  removePending(counterpartyId: string): void {\n    this.pendingCounterparties.delete(counterpartyId);\n  }\n\n  /**\n   * Get current pending counterparties list.\n   */\n  getPendingList(): string[] {\n    return [...this.pendingCounterparties];\n  }\n\n  /**\n   * Express middleware for the challenge endpoint.\n   * Mount at: app.post('/astrasync/challenge', handler.expressMiddleware())\n   */\n  expressMiddleware(): (req: { body: unknown }, res: { status: (code: number) => { json: (body: unknown) => void } }) => void {\n    return (req, res) => {\n      const result = this.handleChallenge(req.body);\n      res.status(result.status).json(result.body);\n    };\n  }\n\n  /**\n   * Generic handler (framework-agnostic).\n   * Returns { status, body } for the caller to send.\n   */\n  handleChallenge(body: unknown): ChallengeResponse {\n    // Validate payload shape\n    if (!body || typeof body !== 'object') {\n      return {\n        status: 400,\n        body: {\n          challengeId: '',\n          acknowledged: false,\n          pendingCounterparties: [],\n          respondedAt: new Date().toISOString(),\n          error: 'Invalid challenge payload',\n        },\n      };\n    }\n\n    const payload = body as ChallengePayload;\n\n    if (!payload.challengeId || !payload.issuedAt || !payload.expiresAt) {\n      return {\n        status: 400,\n        body: {\n          challengeId: payload.challengeId ?? '',\n          acknowledged: false,\n          pendingCounterparties: [],\n          respondedAt: new Date().toISOString(),\n          error: 'Missing required challenge fields',\n        },\n      };\n    }\n\n    // Check if challenge has expired\n    const now = new Date();\n    const expiresAt = new Date(payload.expiresAt);\n    if (now > expiresAt) {\n      return {\n        status: 410,\n        body: {\n          challengeId: payload.challengeId,\n          acknowledged: false,\n          pendingCounterparties: [],\n          respondedAt: now.toISOString(),\n          error: 'Challenge has expired',\n        },\n      };\n    }\n\n    // Respond with current pending list\n    return {\n      status: 200,\n      body: {\n        challengeId: payload.challengeId,\n        acknowledged: true,\n        pendingCounterparties: this.getPendingList(),\n        respondedAt: now.toISOString(),\n      },\n    };\n  }\n}\n","/**\n * PDLSS Formatter — Transport Format Conversion\n *\n * Converts between full PDLSS boundaries and compact transport format\n * used in HTTP headers, A2A metadata, and MCP _meta blocks.\n */\n\nimport type { AstraSyncCredentials } from '../types';\n\n/**\n * Full PDLSS configuration (as returned by the backend).\n */\nexport interface PDLSSConfig {\n  purpose?: {\n    categories?: string[];\n    allowedActions?: string[];\n    deniedActions?: string[];\n  };\n  duration?: {\n    maxSessionDuration?: number;\n    ttl?: number;\n    allowedDays?: number[];\n    allowedHours?: { start: number; end: number };\n  };\n  limits?: {\n    autonomousThreshold?: number;\n    stepUpThreshold?: number;\n    approvalThreshold?: number;\n    currency?: string;\n  };\n  scope?: {\n    jurisdictions?: string[];\n    resources?: string[];\n    resourceTypes?: string[];\n  };\n  selfInstantiation?: {\n    allowed: boolean;\n    maxDepth?: number;\n    maxSubAgents?: number;\n  };\n}\n\n/**\n * Compact transport format (embedded in headers/metadata).\n */\nexport type TransportPDLSS = NonNullable<AstraSyncCredentials['pdlss']>;\n\n/**\n * Convert full PDLSS boundaries into compact transport format.\n * Used by AgentClient when building credential headers/metadata.\n */\nexport function formatPDLSSForTransport(pdlss: PDLSSConfig): TransportPDLSS {\n  const transport: TransportPDLSS = {};\n\n  // Purpose: pick the primary category and first allowed action\n  if (pdlss.purpose?.categories?.length) {\n    transport.purpose = {\n      category: pdlss.purpose.categories[0],\n      action: pdlss.purpose.allowedActions?.[0],\n    };\n  }\n\n  // Duration: use the shorter of maxSessionDuration and ttl\n  if (pdlss.duration) {\n    const candidates: number[] = [];\n    if (pdlss.duration.maxSessionDuration) candidates.push(pdlss.duration.maxSessionDuration);\n    if (pdlss.duration.ttl) candidates.push(pdlss.duration.ttl);\n    if (candidates.length > 0) {\n      transport.duration = { maxSessionDuration: Math.min(...candidates) };\n    }\n  }\n\n  // Scope: use the primary jurisdiction\n  if (pdlss.scope?.jurisdictions?.length) {\n    transport.scope = { jurisdiction: pdlss.scope.jurisdictions[0] };\n  }\n\n  return transport;\n}\n\n/**\n * Parse transport format back into full PDLSS config.\n * Used by counterparty-side when receiving credentials.\n */\nexport function parsePDLSSFromTransport(transport: TransportPDLSS): PDLSSConfig {\n  const pdlss: PDLSSConfig = {};\n\n  if (transport.purpose) {\n    pdlss.purpose = {\n      categories: [transport.purpose.category],\n      allowedActions: transport.purpose.action ? [transport.purpose.action] : undefined,\n    };\n  }\n\n  if (transport.duration) {\n    pdlss.duration = {\n      maxSessionDuration: transport.duration.maxSessionDuration,\n    };\n  }\n\n  if (transport.scope) {\n    pdlss.scope = {\n      jurisdictions: transport.scope.jurisdiction ? [transport.scope.jurisdiction] : undefined,\n    };\n  }\n\n  return pdlss;\n}\n","/**\n * Decision Client — Counterparty-Side Decision Recording\n *\n * Helper for counterparties to record their grant/deny decisions\n * back to AstraSync after receiving a verification result.\n */\n\nimport type { GatewayConfig } from '../types';\n\ninterface RecordDecisionParams {\n  sessionId: string;\n  decision: 'granted' | 'denied';\n  reason?: string;\n  tokenIssued?: boolean;\n  auditId?: string;\n}\n\ninterface RecordDecisionResult {\n  recorded: boolean;\n  blockchainTxHash?: string;\n}\n\n/**\n * Record a counterparty's grant/deny decision for a verification session.\n * POST to /agents/verify-access/:sessionId/decision\n */\nexport async function recordDecision(\n  config: GatewayConfig,\n  params: RecordDecisionParams,\n): Promise<RecordDecisionResult> {\n  const { sessionId, ...body } = params;\n  const baseUrl = config.apiBaseUrl.replace(/\\/$/, '');\n  const url = `${baseUrl}/agents/verify-access/${encodeURIComponent(sessionId)}/decision`;\n\n  const headers: Record<string, string> = {\n    'Content-Type': 'application/json',\n  };\n\n  if (config.apiKey) {\n    headers['Authorization'] = `Bearer ${config.apiKey}`;\n  }\n\n  if (config.customHeaders) {\n    Object.assign(headers, config.customHeaders);\n  }\n\n  const response = await fetch(url, {\n    method: 'POST',\n    headers,\n    body: JSON.stringify(body),\n  });\n\n  if (!response.ok) {\n    const errorText = await response.text().catch(() => 'Unknown error');\n    throw new Error(\n      `Failed to record decision for session ${sessionId}: ${response.status} ${errorText}`,\n    );\n  }\n\n  const result = await response.json();\n\n  return {\n    recorded: result.recorded ?? true,\n    blockchainTxHash: result.blockchainTxHash,\n  };\n}\n"],"mappings":";AAQA,IAAM,gBAAgB;AAKf,SAAS,eACd,SACA,aACwB;AACxB,QAAM,SAAS,EAAE,GAAG,QAAQ;AAE5B,SAAO,GAAG,aAAa,IAAI,IAAI,YAAY;AAE3C,MAAI,YAAY,WAAW;AACzB,WAAO,GAAG,aAAa,QAAQ,IAAI,YAAY;AAAA,EACjD;AAEA,MAAI,YAAY,cAAc;AAC5B,WAAO,GAAG,aAAa,WAAW,IAAI,YAAY;AAAA,EACpD;AAEA,MAAI,YAAY,OAAO,SAAS;AAC9B,UAAM,eAAe,YAAY,MAAM,QAAQ,SAC3C,GAAG,YAAY,MAAM,QAAQ,QAAQ,IAAI,YAAY,MAAM,QAAQ,MAAM,KACzE,YAAY,MAAM,QAAQ;AAC9B,WAAO,GAAG,aAAa,SAAS,IAAI;AAAA,EACtC;AAEA,MAAI,YAAY,OAAO,UAAU,oBAAoB;AACnD,WAAO,GAAG,aAAa,UAAU,IAAI,OAAO,YAAY,MAAM,SAAS,kBAAkB;AAAA,EAC3F;AAEA,MAAI,YAAY,OAAO,OAAO,cAAc;AAC1C,WAAO,GAAG,aAAa,OAAO,IAAI,YAAY,MAAM,MAAM;AAAA,EAC5D;AAEA,SAAO;AACT;;;ACpBO,SAAS,eACd,MACA,aACS;AACT,QAAM,YAA+B;AAAA,IACnC,SAAS,YAAY;AAAA,EACvB;AAEA,MAAI,YAAY,UAAW,WAAU,YAAY,YAAY;AAC7D,MAAI,YAAY,aAAc,WAAU,eAAe,YAAY;AACnE,MAAI,YAAY,OAAO,QAAS,WAAU,UAAU,YAAY,MAAM;AACtE,MAAI,YAAY,OAAO,SAAU,WAAU,WAAW,YAAY,MAAM;AACxE,MAAI,YAAY,OAAO,MAAO,WAAU,QAAQ,YAAY,MAAM;AAElE,SAAO;AAAA,IACL,GAAG;AAAA,IACH,UAAU;AAAA,MACR,GAAG,KAAK;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACF;;;ACrBO,SAAS,WACd,QACA,aACW;AACX,QAAM,YAA2B;AAAA,IAC/B,SAAS,YAAY;AAAA,EACvB;AAEA,MAAI,YAAY,UAAW,WAAU,YAAY,YAAY;AAC7D,MAAI,YAAY,aAAc,WAAU,eAAe,YAAY;AACnE,MAAI,YAAY,OAAO,QAAS,WAAU,UAAU,YAAY,MAAM;AACtE,MAAI,YAAY,OAAO,SAAU,WAAU,WAAW,YAAY,MAAM;AACxE,MAAI,YAAY,OAAO,MAAO,WAAU,QAAQ,YAAY,MAAM;AAElE,SAAO;AAAA,IACL,GAAG;AAAA,IACH,OAAO;AAAA,MACL,GAAG,OAAO;AAAA,MACV;AAAA,IACF;AAAA,EACF;AACF;;;ACTO,SAAS,iBACd,UACA,QACA,aACyB;AACzB,UAAQ,UAAU;AAAA,IAChB,KAAK;AACH,aAAO,eAAe,QAAkC,WAAW;AAAA,IACrE,KAAK;AACH,aAAO,eAAe,QAAQ,WAAW;AAAA,IAC3C,KAAK;AACH,aAAO,WAAW,QAAQ,WAAW;AAAA,IACvC;AACE,aAAO;AAAA,EACX;AACF;;;AC3BO,IAAM,cAAN,MAAkB;AAAA,EAGvB,YAAY,QAA2B;AACrC,SAAK,cAAc;AAAA,MACjB,SAAS,OAAO;AAAA,MAChB,WAAW,OAAO,aAAa;AAAA,MAC/B,cAAc,OAAO;AAAA,MACrB,OAAO,OAAO;AAAA,IAChB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,MAAM,KAAa,SAA2C;AAClE,UAAM,EAAE,SAAS,QAAQ,GAAG,aAAa,IAAI,WAAW,CAAC;AAGzD,UAAM,QAA8B,EAAE,GAAG,KAAK,YAAY;AAC1D,QAAI,SAAS;AACX,YAAM,QAAQ;AAAA,QACZ,GAAG,MAAM;AAAA,QACT,SAAS,EAAE,UAAU,SAAS,OAAO;AAAA,MACvC;AAAA,IACF;AAGA,UAAM,kBAA0C,CAAC;AACjD,QAAI,aAAa,SAAS;AACxB,UAAI,aAAa,mBAAmB,SAAS;AAC3C,qBAAa,QAAQ,QAAQ,CAAC,OAAO,QAAQ;AAC3C,0BAAgB,GAAG,IAAI;AAAA,QACzB,CAAC;AAAA,MACH,WAAW,MAAM,QAAQ,aAAa,OAAO,GAAG;AAC9C,mBAAW,CAAC,KAAK,KAAK,KAAK,aAAa,SAAS;AAC/C,0BAAgB,GAAG,IAAI;AAAA,QACzB;AAAA,MACF,OAAO;AACL,eAAO,OAAO,iBAAiB,aAAa,OAAO;AAAA,MACrD;AAAA,IACF;AAEA,UAAM,kBAAkB,eAAe,iBAAiB,KAAK;AAE7D,WAAO,MAAM,KAAK;AAAA,MAChB,GAAG;AAAA,MACH,SAAS;AAAA,IACX,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA,EAKA,mBACE,MACA,WACyB;AACzB,UAAM,QAAQ,KAAK,iBAAiB,SAAS;AAC7C,WAAO,eAAe,MAAM,KAAK;AAAA,EACnC;AAAA;AAAA;AAAA;AAAA,EAKA,eACE,QACA,WACyB;AACzB,UAAM,QAAQ,KAAK,iBAAiB,SAAS;AAC7C,WAAO,WAAW,QAAQ,KAAK;AAAA,EACjC;AAAA;AAAA;AAAA;AAAA,EAKA,iBACE,UACA,QACA,WACyB;AACzB,UAAM,QAAQ,KAAK,iBAAiB,SAAS;AAC7C,WAAO,iBAAiB,UAAU,QAAQ,KAAK;AAAA,EACjD;AAAA,EAEQ,iBAAiB,WAAyE;AAChG,QAAI,CAAC,WAAW,QAAS,QAAO,KAAK;AAErC,WAAO;AAAA,MACL,GAAG,KAAK;AAAA,MACR,OAAO;AAAA,QACL,GAAG,KAAK,YAAY;AAAA,QACpB,SAAS,EAAE,UAAU,UAAU,SAAS,QAAQ,UAAU,OAAO;AAAA,MACnE;AAAA,IACF;AAAA,EACF;AACF;;;ACxFO,IAAM,mBAAN,MAAuB;AAAA,EAI5B,YAAY,QAAgC;AAF5C,SAAQ,wBAAqC,oBAAI,IAAI;AAGnD,SAAK,UAAU,OAAO;AAAA,EACxB;AAAA;AAAA;AAAA;AAAA,EAKA,gBAAgB,gBAA8B;AAC5C,SAAK,sBAAsB,IAAI,cAAc;AAAA,EAC/C;AAAA;AAAA;AAAA;AAAA,EAKA,cAAc,gBAA8B;AAC1C,SAAK,sBAAsB,OAAO,cAAc;AAAA,EAClD;AAAA;AAAA;AAAA;AAAA,EAKA,iBAA2B;AACzB,WAAO,CAAC,GAAG,KAAK,qBAAqB;AAAA,EACvC;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,oBAA4H;AAC1H,WAAO,CAAC,KAAK,QAAQ;AACnB,YAAM,SAAS,KAAK,gBAAgB,IAAI,IAAI;AAC5C,UAAI,OAAO,OAAO,MAAM,EAAE,KAAK,OAAO,IAAI;AAAA,IAC5C;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,gBAAgB,MAAkC;AAEhD,QAAI,CAAC,QAAQ,OAAO,SAAS,UAAU;AACrC,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,MAAM;AAAA,UACJ,aAAa;AAAA,UACb,cAAc;AAAA,UACd,uBAAuB,CAAC;AAAA,UACxB,cAAa,oBAAI,KAAK,GAAE,YAAY;AAAA,UACpC,OAAO;AAAA,QACT;AAAA,MACF;AAAA,IACF;AAEA,UAAM,UAAU;AAEhB,QAAI,CAAC,QAAQ,eAAe,CAAC,QAAQ,YAAY,CAAC,QAAQ,WAAW;AACnE,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,MAAM;AAAA,UACJ,aAAa,QAAQ,eAAe;AAAA,UACpC,cAAc;AAAA,UACd,uBAAuB,CAAC;AAAA,UACxB,cAAa,oBAAI,KAAK,GAAE,YAAY;AAAA,UACpC,OAAO;AAAA,QACT;AAAA,MACF;AAAA,IACF;AAGA,UAAM,MAAM,oBAAI,KAAK;AACrB,UAAM,YAAY,IAAI,KAAK,QAAQ,SAAS;AAC5C,QAAI,MAAM,WAAW;AACnB,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,MAAM;AAAA,UACJ,aAAa,QAAQ;AAAA,UACrB,cAAc;AAAA,UACd,uBAAuB,CAAC;AAAA,UACxB,aAAa,IAAI,YAAY;AAAA,UAC7B,OAAO;AAAA,QACT;AAAA,MACF;AAAA,IACF;AAGA,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,MAAM;AAAA,QACJ,aAAa,QAAQ;AAAA,QACrB,cAAc;AAAA,QACd,uBAAuB,KAAK,eAAe;AAAA,QAC3C,aAAa,IAAI,YAAY;AAAA,MAC/B;AAAA,IACF;AAAA,EACF;AACF;;;ACnFO,SAAS,wBAAwB,OAAoC;AAC1E,QAAM,YAA4B,CAAC;AAGnC,MAAI,MAAM,SAAS,YAAY,QAAQ;AACrC,cAAU,UAAU;AAAA,MAClB,UAAU,MAAM,QAAQ,WAAW,CAAC;AAAA,MACpC,QAAQ,MAAM,QAAQ,iBAAiB,CAAC;AAAA,IAC1C;AAAA,EACF;AAGA,MAAI,MAAM,UAAU;AAClB,UAAM,aAAuB,CAAC;AAC9B,QAAI,MAAM,SAAS,mBAAoB,YAAW,KAAK,MAAM,SAAS,kBAAkB;AACxF,QAAI,MAAM,SAAS,IAAK,YAAW,KAAK,MAAM,SAAS,GAAG;AAC1D,QAAI,WAAW,SAAS,GAAG;AACzB,gBAAU,WAAW,EAAE,oBAAoB,KAAK,IAAI,GAAG,UAAU,EAAE;AAAA,IACrE;AAAA,EACF;AAGA,MAAI,MAAM,OAAO,eAAe,QAAQ;AACtC,cAAU,QAAQ,EAAE,cAAc,MAAM,MAAM,cAAc,CAAC,EAAE;AAAA,EACjE;AAEA,SAAO;AACT;AAMO,SAAS,wBAAwB,WAAwC;AAC9E,QAAM,QAAqB,CAAC;AAE5B,MAAI,UAAU,SAAS;AACrB,UAAM,UAAU;AAAA,MACd,YAAY,CAAC,UAAU,QAAQ,QAAQ;AAAA,MACvC,gBAAgB,UAAU,QAAQ,SAAS,CAAC,UAAU,QAAQ,MAAM,IAAI;AAAA,IAC1E;AAAA,EACF;AAEA,MAAI,UAAU,UAAU;AACtB,UAAM,WAAW;AAAA,MACf,oBAAoB,UAAU,SAAS;AAAA,IACzC;AAAA,EACF;AAEA,MAAI,UAAU,OAAO;AACnB,UAAM,QAAQ;AAAA,MACZ,eAAe,UAAU,MAAM,eAAe,CAAC,UAAU,MAAM,YAAY,IAAI;AAAA,IACjF;AAAA,EACF;AAEA,SAAO;AACT;;;ACjFA,eAAsB,eACpB,QACA,QAC+B;AAC/B,QAAM,EAAE,WAAW,GAAG,KAAK,IAAI;AAC/B,QAAM,UAAU,OAAO,WAAW,QAAQ,OAAO,EAAE;AACnD,QAAM,MAAM,GAAG,OAAO,yBAAyB,mBAAmB,SAAS,CAAC;AAE5E,QAAM,UAAkC;AAAA,IACtC,gBAAgB;AAAA,EAClB;AAEA,MAAI,OAAO,QAAQ;AACjB,YAAQ,eAAe,IAAI,UAAU,OAAO,MAAM;AAAA,EACpD;AAEA,MAAI,OAAO,eAAe;AACxB,WAAO,OAAO,SAAS,OAAO,aAAa;AAAA,EAC7C;AAEA,QAAM,WAAW,MAAM,MAAM,KAAK;AAAA,IAChC,QAAQ;AAAA,IACR;AAAA,IACA,MAAM,KAAK,UAAU,IAAI;AAAA,EAC3B,CAAC;AAED,MAAI,CAAC,SAAS,IAAI;AAChB,UAAM,YAAY,MAAM,SAAS,KAAK,EAAE,MAAM,MAAM,eAAe;AACnE,UAAM,IAAI;AAAA,MACR,yCAAyC,SAAS,KAAK,SAAS,MAAM,IAAI,SAAS;AAAA,IACrF;AAAA,EACF;AAEA,QAAM,SAAS,MAAM,SAAS,KAAK;AAEnC,SAAO;AAAA,IACL,UAAU,OAAO,YAAY;AAAA,IAC7B,kBAAkB,OAAO;AAAA,EAC3B;AACF;","names":[]}

package/dist/browser/browser-adapter.d.mts

@@ -0,0 +1,106 @@
+import { PlatformAdapter, AdapterConfig } from '../adapter-interface/interface.mjs';
+import { P as PDLSSContext, V as VerificationDecision, A as AgentAction, I as InterceptResult } from '../types-BvpGdsv1.mjs';
+import '../gateway/gateway.mjs';
+import '../types-Bf8pML07.mjs';
+
+/**
+ * @astrasyncai/adapter-openclaw-browser
+ *
+ * Layer 4 adapter for browser-based AI agents (e.g. OpenClaw browser extension).
+ * Intercepts page navigation, form submissions, and network requests
+ * made by the agent in the browser DOM.
+ *
+ * The adapter does NOT depend on chrome types. The browser extension
+ * passes the chrome/browser API via a minimal interface at initialize() time.
+ *
+ * ~300 lines — thin, disposable, platform-specific.
+ */
+
+interface WebRequestDetails {
+    requestId: string;
+    url: string;
+    method: string;
+    type: string;
+    tabId: number;
+    initiator?: string;
+    documentUrl?: string;
+}
+interface BlockingResponse {
+    cancel?: boolean;
+    redirectUrl?: string;
+}
+interface RequestFilter {
+    urls: string[];
+    types?: string[];
+}
+interface BrowserExtensionAPI {
+    webRequest: {
+        onBeforeRequest: {
+            addListener(callback: (details: WebRequestDetails) => BlockingResponse | void, filter: RequestFilter, extraInfoSpec?: string[]): void;
+            removeListener(callback: (details: WebRequestDetails) => BlockingResponse | void): void;
+        };
+    };
+    webNavigation: {
+        onBeforeNavigate: {
+            addListener(callback: (details: NavigationDetails) => void): void;
+            removeListener(callback: (details: NavigationDetails) => void): void;
+        };
+    };
+    runtime: {
+        sendMessage(message: unknown): Promise<unknown>;
+        onMessage: {
+            addListener(callback: (message: unknown, sender: unknown, sendResponse: (response: unknown) => void) => boolean | void): void;
+            removeListener(callback: (...args: unknown[]) => void): void;
+        };
+    };
+    notifications?: {
+        create(id: string, options: {
+            type: string;
+            title: string;
+            message: string;
+            iconUrl?: string;
+        }): void;
+    };
+}
+interface NavigationDetails {
+    tabId: number;
+    url: string;
+    frameId: number;
+}
+interface BrowserAdapterOptions {
+    /** The browser extension API object (chrome or browser) */
+    browserAPI: BrowserExtensionAPI;
+    /** URL patterns to intercept (default: ['<all_urls>']) */
+    urlPatterns?: string[];
+    /** Request types to intercept (default: main_frame, xmlhttprequest, sub_frame) */
+    requestTypes?: string[];
+    /** Callback for MANUAL_REVIEW decisions */
+    onApprovalRequired?: (context: PDLSSContext, decision: VerificationDecision) => Promise<boolean>;
+}
+declare class BrowserAdapter implements PlatformAdapter {
+    readonly interfaceVersion = 1;
+    private gateway;
+    private browserAPI;
+    private options;
+    private requestListener;
+    private navigationListener;
+    private messageListener;
+    private _isRunning;
+    constructor(options?: Partial<BrowserAdapterOptions>);
+    get isRunning(): boolean;
+    initialize(config: AdapterConfig): Promise<void>;
+    shutdown(): Promise<void>;
+    interceptAction(action: AgentAction): Promise<InterceptResult>;
+    extractContext(action: AgentAction): PDLSSContext;
+    enforceDecision(decision: VerificationDecision): Promise<void>;
+    private handleWebRequest;
+    private handleNavigation;
+    private handleContentScriptAction;
+    /**
+     * Synchronous evaluation using the gateway's local evaluator.
+     * Falls back to ALLOW if async-only (online mode).
+     */
+    private evaluateSync;
+}
+
+export { type BlockingResponse, BrowserAdapter, type BrowserAdapterOptions, type BrowserExtensionAPI, type NavigationDetails, type RequestFilter, type WebRequestDetails };

package/dist/browser/browser-adapter.d.ts

@@ -0,0 +1,106 @@
+import { PlatformAdapter, AdapterConfig } from '../adapter-interface/interface.js';
+import { P as PDLSSContext, V as VerificationDecision, A as AgentAction, I as InterceptResult } from '../types-Ce2mFJkO.js';
+import '../gateway/gateway.js';
+import '../types-Bf8pML07.js';
+
+/**
+ * @astrasyncai/adapter-openclaw-browser
+ *
+ * Layer 4 adapter for browser-based AI agents (e.g. OpenClaw browser extension).
+ * Intercepts page navigation, form submissions, and network requests
+ * made by the agent in the browser DOM.
+ *
+ * The adapter does NOT depend on chrome types. The browser extension
+ * passes the chrome/browser API via a minimal interface at initialize() time.
+ *
+ * ~300 lines — thin, disposable, platform-specific.
+ */
+
+interface WebRequestDetails {
+    requestId: string;
+    url: string;
+    method: string;
+    type: string;
+    tabId: number;
+    initiator?: string;
+    documentUrl?: string;
+}
+interface BlockingResponse {
+    cancel?: boolean;
+    redirectUrl?: string;
+}
+interface RequestFilter {
+    urls: string[];
+    types?: string[];
+}
+interface BrowserExtensionAPI {
+    webRequest: {
+        onBeforeRequest: {
+            addListener(callback: (details: WebRequestDetails) => BlockingResponse | void, filter: RequestFilter, extraInfoSpec?: string[]): void;
+            removeListener(callback: (details: WebRequestDetails) => BlockingResponse | void): void;
+        };
+    };
+    webNavigation: {
+        onBeforeNavigate: {
+            addListener(callback: (details: NavigationDetails) => void): void;
+            removeListener(callback: (details: NavigationDetails) => void): void;
+        };
+    };
+    runtime: {
+        sendMessage(message: unknown): Promise<unknown>;
+        onMessage: {
+            addListener(callback: (message: unknown, sender: unknown, sendResponse: (response: unknown) => void) => boolean | void): void;
+            removeListener(callback: (...args: unknown[]) => void): void;
+        };
+    };
+    notifications?: {
+        create(id: string, options: {
+            type: string;
+            title: string;
+            message: string;
+            iconUrl?: string;
+        }): void;
+    };
+}
+interface NavigationDetails {
+    tabId: number;
+    url: string;
+    frameId: number;
+}
+interface BrowserAdapterOptions {
+    /** The browser extension API object (chrome or browser) */
+    browserAPI: BrowserExtensionAPI;
+    /** URL patterns to intercept (default: ['<all_urls>']) */
+    urlPatterns?: string[];
+    /** Request types to intercept (default: main_frame, xmlhttprequest, sub_frame) */
+    requestTypes?: string[];
+    /** Callback for MANUAL_REVIEW decisions */
+    onApprovalRequired?: (context: PDLSSContext, decision: VerificationDecision) => Promise<boolean>;
+}
+declare class BrowserAdapter implements PlatformAdapter {
+    readonly interfaceVersion = 1;
+    private gateway;
+    private browserAPI;
+    private options;
+    private requestListener;
+    private navigationListener;
+    private messageListener;
+    private _isRunning;
+    constructor(options?: Partial<BrowserAdapterOptions>);
+    get isRunning(): boolean;
+    initialize(config: AdapterConfig): Promise<void>;
+    shutdown(): Promise<void>;
+    interceptAction(action: AgentAction): Promise<InterceptResult>;
+    extractContext(action: AgentAction): PDLSSContext;
+    enforceDecision(decision: VerificationDecision): Promise<void>;
+    private handleWebRequest;
+    private handleNavigation;
+    private handleContentScriptAction;
+    /**
+     * Synchronous evaluation using the gateway's local evaluator.
+     * Falls back to ALLOW if async-only (online mode).
+     */
+    private evaluateSync;
+}
+
+export { type BlockingResponse, BrowserAdapter, type BrowserAdapterOptions, type BrowserExtensionAPI, type NavigationDetails, type RequestFilter, type WebRequestDetails };