@attested-intelligence/aga-mcp-server 2.0.0 → 2.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (70) hide show
  1. package/README.md +57 -36
  2. package/dist/adapters/openclaw.d.ts +43 -0
  3. package/dist/adapters/openclaw.d.ts.map +1 -0
  4. package/dist/adapters/openclaw.js +86 -0
  5. package/dist/adapters/openclaw.js.map +1 -0
  6. package/dist/core/types.d.ts +0 -1
  7. package/dist/core/types.d.ts.map +1 -1
  8. package/dist/crypto/hash.d.ts +1 -1
  9. package/dist/crypto/hash.d.ts.map +1 -1
  10. package/dist/crypto/hash.js +1 -1
  11. package/dist/crypto/hash.js.map +1 -1
  12. package/dist/prompts/nccoe-demo.d.ts.map +1 -1
  13. package/dist/prompts/nccoe-demo.js +1 -2
  14. package/dist/prompts/nccoe-demo.js.map +1 -1
  15. package/dist/proxy/evaluator.d.ts +14 -0
  16. package/dist/proxy/evaluator.d.ts.map +1 -0
  17. package/dist/proxy/evaluator.js +141 -0
  18. package/dist/proxy/evaluator.js.map +1 -0
  19. package/dist/proxy/index.d.ts +22 -0
  20. package/dist/proxy/index.d.ts.map +1 -0
  21. package/dist/proxy/index.js +230 -0
  22. package/dist/proxy/index.js.map +1 -0
  23. package/dist/proxy/profiles.d.ts +16 -0
  24. package/dist/proxy/profiles.d.ts.map +1 -0
  25. package/dist/proxy/profiles.js +43 -0
  26. package/dist/proxy/profiles.js.map +1 -0
  27. package/dist/proxy/server.d.ts +106 -0
  28. package/dist/proxy/server.d.ts.map +1 -0
  29. package/dist/proxy/server.js +389 -0
  30. package/dist/proxy/server.js.map +1 -0
  31. package/dist/proxy/stdio-bridge.d.ts +42 -0
  32. package/dist/proxy/stdio-bridge.d.ts.map +1 -0
  33. package/dist/proxy/stdio-bridge.js +142 -0
  34. package/dist/proxy/stdio-bridge.js.map +1 -0
  35. package/dist/proxy/types.d.ts +36 -0
  36. package/dist/proxy/types.d.ts.map +1 -0
  37. package/dist/proxy/types.js +11 -0
  38. package/dist/proxy/types.js.map +1 -0
  39. package/dist/proxy/verify.d.ts +29 -0
  40. package/dist/proxy/verify.d.ts.map +1 -0
  41. package/dist/proxy/verify.js +183 -0
  42. package/dist/proxy/verify.js.map +1 -0
  43. package/dist/resources/cosai-mapping.d.ts +24 -0
  44. package/dist/resources/cosai-mapping.d.ts.map +1 -0
  45. package/dist/resources/cosai-mapping.js +127 -0
  46. package/dist/resources/cosai-mapping.js.map +1 -0
  47. package/dist/resources/crypto-primitives.d.ts +1 -1
  48. package/dist/resources/crypto-primitives.d.ts.map +1 -1
  49. package/dist/resources/crypto-primitives.js +2 -2
  50. package/dist/resources/specification.d.ts +1 -1
  51. package/dist/resources/specification.d.ts.map +1 -1
  52. package/dist/resources/specification.js +59 -5
  53. package/dist/resources/specification.js.map +1 -1
  54. package/dist/server.d.ts +1 -2
  55. package/dist/server.d.ts.map +1 -1
  56. package/dist/server.js +14 -17
  57. package/dist/server.js.map +1 -1
  58. package/dist/tools/server-info.d.ts.map +1 -1
  59. package/dist/tools/server-info.js +0 -1
  60. package/dist/tools/server-info.js.map +1 -1
  61. package/dist/types.d.ts +0 -1
  62. package/dist/types.d.ts.map +1 -1
  63. package/dist/types.js +0 -1
  64. package/dist/types.js.map +1 -1
  65. package/package.json +9 -5
  66. package/PATENTS.md +0 -28
  67. package/dist/resources/patent-claims.d.ts +0 -3
  68. package/dist/resources/patent-claims.d.ts.map +0 -1
  69. package/dist/resources/patent-claims.js +0 -67
  70. package/dist/resources/patent-claims.js.map +0 -1
package/README.md CHANGED
@@ -1,49 +1,47 @@
1
1
  # @attested-intelligence/aga-mcp-server v2.0.0
2
2
 
3
- MCP server implementing the Attested Governance Artifact (AGA) protocol - cryptographic compliance enforcement for autonomous AI systems.
3
+ [![MCP Badge](https://lobehub.com/badge/mcp/attested-intelligence-aga-mcp-server)](https://lobehub.com/mcp/attested-intelligence-aga-mcp-server)
4
4
 
5
- **Patent Pending:** USPTO Application No. 19/433,835
6
- **Referenced in:** NIST-2025-0035, NCCoE AI Agent Identity and Authorization
5
+ MCP server implementing the Attested Governance Artifact (AGA) protocol - cryptographic compliance enforcement for autonomous AI systems.
7
6
 
8
7
  ## What It Does
9
8
 
10
9
  This server acts as a **Portal** (zero-trust Policy Enforcement Point) for AI agents. Every tool call is attested, measured against a sealed cryptographic reference, and logged to a tamper-evident continuity chain with signed receipts.
11
10
 
12
- **20 tools, 4 resources, 3 prompts, 159 tests**
11
+ **20 tools, 3 resources, 3 prompts, 159 tests**
13
12
 
14
13
  ## 20 MCP Tools
15
14
 
16
- | # | Tool | NIST/Patent Ref | Description |
17
- |---|------|-----------------|-------------|
18
- | 1 | `aga_server_info` | - | Server identity, keys, portal state, framework alignment |
19
- | 2 | `aga_init_chain` | Claim 3a | Initialize continuity chain with genesis event |
20
- | 3 | `aga_create_artifact` | Claims 1a-1d | Attest subject, generate sealed Policy Artifact |
21
- | 4 | `aga_measure_subject` | Claims 1e-1g | Measure subject, compare to sealed ref, generate receipt |
22
- | 5 | `aga_verify_artifact` | Claim 10 | Verify artifact signature against issuer key |
23
- | 6 | `aga_start_monitoring` | NIST-2025-0035 | Start/restart behavioral monitoring with baseline |
24
- | 7 | `aga_get_portal_state` | - | Current portal enforcement state and TTL |
25
- | 8 | `aga_trigger_measurement` | Claims 1e-1g | Trigger measurement with specific type |
26
- | 9 | `aga_generate_receipt` | V3 Promise | Generate signed measurement receipt manually |
27
- | 10 | `aga_export_bundle` | Claim 9 | Package artifact + receipts + Merkle proofs |
28
- | 11 | `aga_verify_bundle` | Section J | 4-step offline bundle verification |
29
- | 12 | `aga_disclose_claim` | Claim 2 | Privacy-preserving disclosure with auto-substitution |
30
- | 13 | `aga_get_chain` | Claim 3c | Get chain events with optional integrity verification |
31
- | 14 | `aga_quarantine_status` | Claim 5 | Quarantine state and forensic capture status |
32
- | 15 | `aga_revoke_artifact` | NCCoE 3b | Mid-session artifact revocation |
33
- | 16 | `aga_set_verification_tier` | - | Set verification tier (BRONZE/SILVER/GOLD) |
34
- | 17 | `aga_demonstrate_lifecycle` | All | Full lifecycle: attest, measure, checkpoint, verify |
35
- | 18 | `aga_measure_behavior` | NIST-2025-0035 | Behavioral drift detection (tool patterns) |
36
- | 19 | `aga_delegate_to_subagent` | NCCoE | Constrained sub-agent delegation (scope only diminishes) |
37
- | 20 | `aga_rotate_keys` | Claim 3 | Key rotation with chain event |
38
-
39
- ## 4 Resources
15
+ | # | Tool | Description |
16
+ | --- | --- | --- |
17
+ | 1 | `aga_server_info` | Server identity, keys, portal state, framework alignment |
18
+ | 2 | `aga_init_chain` | Initialize continuity chain with genesis event |
19
+ | 3 | `aga_create_artifact` | Attest subject, generate sealed Policy Artifact |
20
+ | 4 | `aga_measure_subject` | Measure subject, compare to sealed ref, generate receipt |
21
+ | 5 | `aga_verify_artifact` | Verify artifact signature against issuer key |
22
+ | 6 | `aga_start_monitoring` | Start/restart behavioral monitoring with baseline |
23
+ | 7 | `aga_get_portal_state` | Current portal enforcement state and TTL |
24
+ | 8 | `aga_trigger_measurement` | Trigger measurement with specific type |
25
+ | 9 | `aga_generate_receipt` | Generate signed measurement receipt manually |
26
+ | 10 | `aga_export_bundle` | Package artifact + receipts + Merkle proofs |
27
+ | 11 | `aga_verify_bundle` | 4-step offline bundle verification |
28
+ | 12 | `aga_disclose_claim` | Privacy-preserving disclosure with auto-substitution |
29
+ | 13 | `aga_get_chain` | Get chain events with optional integrity verification |
30
+ | 14 | `aga_quarantine_status` | Quarantine state and forensic capture status |
31
+ | 15 | `aga_revoke_artifact` | Mid-session artifact revocation |
32
+ | 16 | `aga_set_verification_tier` | Set verification tier (BRONZE/SILVER/GOLD) |
33
+ | 17 | `aga_demonstrate_lifecycle` | Full lifecycle: attest, measure, checkpoint, verify |
34
+ | 18 | `aga_measure_behavior` | Behavioral drift detection (tool patterns) |
35
+ | 19 | `aga_delegate_to_subagent` | Constrained sub-agent delegation (scope only diminishes) |
36
+ | 20 | `aga_rotate_keys` | Key rotation with chain event |
37
+
38
+ ## 3 Resources
40
39
 
41
40
  | Resource | URI | Description |
42
- |----------|-----|-------------|
41
+ | --- | --- | --- |
43
42
  | Protocol Spec | `aga://specification/protocol-v2` | Full protocol specification with SPIFFE alignment |
44
43
  | Sample Bundle | `aga://resources/sample-bundle` | Sample evidence bundle documentation |
45
44
  | Crypto Primitives | `aga://resources/crypto-primitives` | Cryptographic primitives documentation |
46
- | Patent Claims | `aga://resources/patent-claims` | 20 patent claims mapped to tools |
47
45
 
48
46
  ## 3 Prompts
49
47
 
@@ -53,20 +51,43 @@ This server acts as a **Portal** (zero-trust Policy Enforcement Point) for AI ag
53
51
  | `governance-report` | Session governance summary report |
54
52
  | `drift-analysis` | Drift event analysis and remediation |
55
53
 
54
+ ## CoSAI MCP Security Threat Coverage
55
+
56
+ The AGA MCP Server addresses all 12 threat categories identified in the
57
+ [CoSAI MCP Security whitepaper](https://github.com/cosai-oasis/ws4-secure-design-agentic-systems/blob/main/model-context-protocol-security.md)
58
+ (Coalition for Secure AI / OASIS, January 2026).
59
+
60
+ | CoSAI Category | Threat Domain | AGA Governance Mechanism |
61
+ |---|---|---|
62
+ | T1: Improper Authentication | Identity & Access | Ed25519 artifact signatures, pinned issuer keys, TTL re-attestation, key rotation chain events |
63
+ | T2: Missing Access Control | Identity & Access | Portal as mandatory enforcement boundary, sealed constraints, delegation with scope diminishment |
64
+ | T3: Input Validation Failures | Input Handling | Runtime measurement against sealed reference, behavioral drift detection |
65
+ | T4: Data/Control Boundary Failures | Input Handling | Behavioral baseline (permitted tools, forbidden sequences, rate limits), phantom execution forensics |
66
+ | T5: Inadequate Data Protection | Data & Code | Salted commitments, privacy-preserving disclosure with substitution, inference risk prevention |
67
+ | T6: Missing Integrity Controls | Data & Code | Content-addressable hash binding, 10 measurement embodiments, continuous runtime verification |
68
+ | T7: Session/Transport Security | Network & Transport | TTL-based artifact expiration, fail-closed on expiry, mid-session revocation, Ed25519 signed receipts |
69
+ | T8: Network Isolation Failures | Network & Transport | Two-process architecture, agent holds no credentials, NETWORK_ISOLATE enforcement action |
70
+ | T9: Trust Boundary Failures | Trust & Design | Enforcement pre-committed by human authorities in sealed artifact, not delegated to LLM |
71
+ | T10: Resource Management | Trust & Design | Per-tool rate limits in behavioral baseline, configurable measurement cadence (10ms to 3600s) |
72
+ | T11: Supply Chain Failures | Operational | Content-addressable hashing at attestation, runtime hash comparison blocks modified components |
73
+ | T12: Insufficient Observability | Operational | Signed receipts, tamper-evident continuity chain, Merkle anchoring, offline evidence bundles |
74
+
75
+ Full mapping details available via the `aga://specification` resource.
76
+
56
77
  ## Quick Start
57
78
 
58
79
  ```bash
59
80
  npm install && npm run build && npm test
60
81
  ```
61
82
 
62
- ## Connect to Claude Desktop
83
+ ## Connect to an MCP Client
63
84
 
64
- Add to `%APPDATA%\Claude\claude_desktop_config.json`:
85
+ Add to your MCP client config:
65
86
 
66
87
  ```json
67
88
  {
68
89
  "mcpServers": {
69
- "aga": { "command": "node", "args": ["C:/Users/neuro/AIH/aga-mcp-server/dist/index.js"] }
90
+ "aga": { "command": "node", "args": ["/path/to/aga-mcp-server/dist/index.js"] }
70
91
  }
71
92
  }
72
93
  ```
@@ -74,17 +95,17 @@ Add to `%APPDATA%\Claude\claude_desktop_config.json`:
74
95
  ## Architecture
75
96
 
76
97
  ```
77
- MCP Client (Claude Desktop)
98
+ MCP Client
78
99
  │ JSON-RPC over stdio
79
100
 
80
- src/server.ts - 20 tools + 4 resources + 3 prompts
101
+ src/server.ts - 20 tools + 3 resources + 3 prompts
81
102
 
82
103
  ├── src/tools/ 20 individual tool handlers
83
104
  ├── src/core/ Protocol logic (artifact, chain, portal, etc.)
84
105
  ├── src/crypto/ Ed25519 + SHA-256 + Merkle + canonical JSON
85
106
  ├── src/middleware/ Zero-trust governance PEP
86
107
  ├── src/storage/ In-memory + optional SQLite
87
- ├── src/resources/ Protocol docs + patent claims
108
+ ├── src/resources/ Protocol docs + crypto primitives
88
109
  └── src/prompts/ Demo + report + analysis prompts
89
110
  ```
90
111
 
@@ -0,0 +1,43 @@
1
+ /**
2
+ * OpenClaw Config Adapter
3
+ * Detects and patches openclaw.json to route MCP servers through the AGA governance proxy.
4
+ *
5
+ * All OpenClaw assumptions are documented inline. When a real OpenClaw instance
6
+ * becomes available, validate each assumption.
7
+ *
8
+ * Patent: USPTO App. No. 19/433,835
9
+ * Copyright (c) 2026 Attested Intelligence Holdings LLC
10
+ * SPDX-License-Identifier: MIT
11
+ */
12
+ export interface McpServerConfig {
13
+ name: string;
14
+ command?: string;
15
+ args?: string[];
16
+ url?: string;
17
+ env?: Record<string, string>;
18
+ [key: string]: unknown;
19
+ }
20
+ export interface AgentConfigAdapter {
21
+ detect(configPath?: string): Promise<{
22
+ found: boolean;
23
+ path: string;
24
+ version?: string;
25
+ }>;
26
+ readMcpServers(): Promise<McpServerConfig[]>;
27
+ patchMcpServers(proxyPort: number, originals: McpServerConfig[]): Promise<void>;
28
+ restore(): Promise<void>;
29
+ }
30
+ export declare class OpenClawAdapter implements AgentConfigAdapter {
31
+ private configPath;
32
+ private backupPath;
33
+ private getDefaultPath;
34
+ detect(configPath?: string): Promise<{
35
+ found: boolean;
36
+ path: string;
37
+ version?: string;
38
+ }>;
39
+ readMcpServers(): Promise<McpServerConfig[]>;
40
+ patchMcpServers(proxyPort: number, originals: McpServerConfig[]): Promise<void>;
41
+ restore(): Promise<void>;
42
+ }
43
+ //# sourceMappingURL=openclaw.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"openclaw.d.ts","sourceRoot":"","sources":["../../src/adapters/openclaw.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAmBH,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;IAChB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC7B,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED,MAAM,WAAW,kBAAkB;IACjC,MAAM,CAAC,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC;QAAE,KAAK,EAAE,OAAO,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACzF,cAAc,IAAI,OAAO,CAAC,eAAe,EAAE,CAAC,CAAC;IAC7C,eAAe,CAAC,SAAS,EAAE,MAAM,EAAE,SAAS,EAAE,eAAe,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAChF,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;CAC1B;AAED,qBAAa,eAAgB,YAAW,kBAAkB;IACxD,OAAO,CAAC,UAAU,CAAuB;IACzC,OAAO,CAAC,UAAU,CAAuB;IAEzC,OAAO,CAAC,cAAc;IAIhB,MAAM,CAAC,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC;QAAE,KAAK,EAAE,OAAO,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IAqBxF,cAAc,IAAI,OAAO,CAAC,eAAe,EAAE,CAAC;IAW5C,eAAe,CAAC,SAAS,EAAE,MAAM,EAAE,SAAS,EAAE,eAAe,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC;IA6B/E,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;CAU/B"}
@@ -0,0 +1,86 @@
1
+ /**
2
+ * OpenClaw Config Adapter
3
+ * Detects and patches openclaw.json to route MCP servers through the AGA governance proxy.
4
+ *
5
+ * All OpenClaw assumptions are documented inline. When a real OpenClaw instance
6
+ * becomes available, validate each assumption.
7
+ *
8
+ * Patent: USPTO App. No. 19/433,835
9
+ * Copyright (c) 2026 Attested Intelligence Holdings LLC
10
+ * SPDX-License-Identifier: MIT
11
+ */
12
+ import * as fs from 'node:fs';
13
+ import * as path from 'node:path';
14
+ import * as os from 'node:os';
15
+ export class OpenClawAdapter {
16
+ configPath = null;
17
+ backupPath = null;
18
+ getDefaultPath() {
19
+ return path.join(os.homedir(), '.openclaw', 'openclaw.json');
20
+ }
21
+ async detect(configPath) {
22
+ const p = configPath ?? this.getDefaultPath();
23
+ this.configPath = p;
24
+ this.backupPath = p + '.aga-backup';
25
+ if (!fs.existsSync(p)) {
26
+ return { found: false, path: p };
27
+ }
28
+ try {
29
+ const config = JSON.parse(fs.readFileSync(p, 'utf-8'));
30
+ return {
31
+ found: true,
32
+ path: p,
33
+ version: config.version ?? config.openclaw_version ?? undefined,
34
+ };
35
+ }
36
+ catch {
37
+ return { found: false, path: p };
38
+ }
39
+ }
40
+ async readMcpServers() {
41
+ if (!this.configPath)
42
+ throw new Error('Call detect() first');
43
+ const config = JSON.parse(fs.readFileSync(this.configPath, 'utf-8'));
44
+ const servers = config.mcpServers ?? {};
45
+ return Object.entries(servers).map(([name, entry]) => ({
46
+ name,
47
+ ...entry,
48
+ }));
49
+ }
50
+ async patchMcpServers(proxyPort, originals) {
51
+ if (!this.configPath || !this.backupPath)
52
+ throw new Error('Call detect() first');
53
+ // Backup original
54
+ const originalContent = fs.readFileSync(this.configPath, 'utf-8');
55
+ fs.writeFileSync(this.backupPath, originalContent);
56
+ const config = JSON.parse(originalContent);
57
+ // Rewrite each MCP server entry to point at the proxy
58
+ // The proxy will forward to the original command/URL
59
+ for (const server of originals) {
60
+ if (config.mcpServers?.[server.name]) {
61
+ const original = config.mcpServers[server.name];
62
+ // Store original config for the proxy to use
63
+ config.mcpServers[server.name] = {
64
+ // Point at proxy instead
65
+ url: `http://127.0.0.1:${proxyPort}`,
66
+ // Preserve metadata
67
+ _aga_original: original,
68
+ _aga_governed: true,
69
+ };
70
+ }
71
+ }
72
+ fs.writeFileSync(this.configPath, JSON.stringify(config, null, 2));
73
+ }
74
+ async restore() {
75
+ if (!this.configPath || !this.backupPath)
76
+ throw new Error('Call detect() first');
77
+ if (fs.existsSync(this.backupPath)) {
78
+ fs.copyFileSync(this.backupPath, this.configPath);
79
+ fs.unlinkSync(this.backupPath);
80
+ }
81
+ else {
82
+ throw new Error('No backup found - cannot restore');
83
+ }
84
+ }
85
+ }
86
+ //# sourceMappingURL=openclaw.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"openclaw.js","sourceRoot":"","sources":["../../src/adapters/openclaw.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AA+B9B,MAAM,OAAO,eAAe;IAClB,UAAU,GAAkB,IAAI,CAAC;IACjC,UAAU,GAAkB,IAAI,CAAC;IAEjC,cAAc;QACpB,OAAO,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,WAAW,EAAE,eAAe,CAAC,CAAC;IAC/D,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,UAAmB;QAC9B,MAAM,CAAC,GAAG,UAAU,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;QAC9C,IAAI,CAAC,UAAU,GAAG,CAAC,CAAC;QACpB,IAAI,CAAC,UAAU,GAAG,CAAC,GAAG,aAAa,CAAC;QAEpC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC;YACtB,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;QACnC,CAAC;QAED,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC,CAAC;YACvD,OAAO;gBACL,KAAK,EAAE,IAAI;gBACX,IAAI,EAAE,CAAC;gBACP,OAAO,EAAE,MAAM,CAAC,OAAO,IAAI,MAAM,CAAC,gBAAgB,IAAI,SAAS;aAChE,CAAC;QACJ,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;QACnC,CAAC;IACH,CAAC;IAED,KAAK,CAAC,cAAc;QAClB,IAAI,CAAC,IAAI,CAAC,UAAU;YAAE,MAAM,IAAI,KAAK,CAAC,qBAAqB,CAAC,CAAC;QAE7D,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC;QACrE,MAAM,OAAO,GAAG,MAAM,CAAC,UAAU,IAAI,EAAE,CAAC;QACxC,OAAO,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,CAAC;YACrD,IAAI;YACJ,GAAI,KAAiC;SACtC,CAAC,CAAC,CAAC;IACN,CAAC;IAED,KAAK,CAAC,eAAe,CAAC,SAAiB,EAAE,SAA4B;QACnE,IAAI,CAAC,IAAI,CAAC,UAAU,IAAI,CAAC,IAAI,CAAC,UAAU;YAAE,MAAM,IAAI,KAAK,CAAC,qBAAqB,CAAC,CAAC;QAEjF,kBAAkB;QAClB,MAAM,eAAe,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;QAClE,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,UAAU,EAAE,eAAe,CAAC,CAAC;QAEnD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC;QAE3C,sDAAsD;QACtD,qDAAqD;QACrD,KAAK,MAAM,MAAM,IAAI,SAAS,EAAE,CAAC;YAC/B,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;gBACrC,MAAM,QAAQ,GAAG,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;gBAEhD,6CAA6C;gBAC7C,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG;oBAC/B,yBAAyB;oBACzB,GAAG,EAAE,oBAAoB,SAAS,EAAE;oBACpC,oBAAoB;oBACpB,aAAa,EAAE,QAAQ;oBACvB,aAAa,EAAE,IAAI;iBACpB,CAAC;YACJ,CAAC;QACH,CAAC;QAED,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;IACrE,CAAC;IAED,KAAK,CAAC,OAAO;QACX,IAAI,CAAC,IAAI,CAAC,UAAU,IAAI,CAAC,IAAI,CAAC,UAAU;YAAE,MAAM,IAAI,KAAK,CAAC,qBAAqB,CAAC,CAAC;QAEjF,IAAI,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC;YACnC,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;YAClD,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACjC,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;QACtD,CAAC;IACH,CAAC;CACF"}
@@ -1,6 +1,5 @@
1
1
  /**
2
2
  * V3: Aligned with NIST-2025-0035 and NCCoE AI Agent Identity filings.
3
- * Every interface annotated with patent reference numeral.
4
3
  */
5
4
  import type { HashHex, SignatureBase64, SaltHex, MerkleInclusionProof } from '../crypto/types.js';
6
5
  export interface SubjectIdentifier {
@@ -1 +1 @@
1
- {"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/core/types.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,OAAO,KAAK,EAAE,OAAO,EAAE,eAAe,EAAE,OAAO,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AAIlG,MAAM,WAAW,iBAAiB;IAChC,UAAU,EAAE,OAAO,CAAC;IACpB,aAAa,EAAE,OAAO,CAAC;CACxB;AAED,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAID,MAAM,MAAM,iBAAiB,GACzB,WAAW,GACX,YAAY,GACZ,iBAAiB,GACjB,YAAY,GACZ,YAAY,GACZ,kBAAkB,GAClB,qBAAqB,GACrB,YAAY,CAAC;AAEjB,MAAM,MAAM,eAAe,GACvB,kBAAkB,GAAG,gBAAgB,GAAG,iBAAiB,GACzD,iBAAiB,GAAI,MAAM,GAAa,WAAW,GACnD,gBAAgB,GAAK,cAAc,GAAK,mBAAmB,GAC3D,gBAAgB,CAAC;AAErB,MAAM,WAAW,iBAAiB;IAChC,sBAAsB,EAAE,MAAM,CAAC;IAC/B,WAAW,EAAE,MAAM,CAAC;IACpB,oBAAoB,EAAE,iBAAiB,EAAE,CAAC;IAC1C,uBAAuB,EAAE,OAAO,CAAC;IACjC,iBAAiB,EAAE,eAAe,EAAE,CAAC;CACtC;AAID,MAAM,MAAM,WAAW,GAAG,QAAQ,GAAG,aAAa,GAAG,SAAS,GAAG,aAAa,CAAC;AAC/E,MAAM,MAAM,cAAc,GAAG,YAAY,GAAG,YAAY,GAAG,aAAa,CAAC;AAEzE,MAAM,WAAW,WAAW;IAC1B,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,WAAW,CAAC;IACzB,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,eAAe,EAAE,cAAc,EAAE,CAAC;CACnC;AAED,MAAM,WAAW,gBAAgB;IAC/B,iBAAiB,EAAE,MAAM,CAAC;IAC1B,mBAAmB,EAAE,MAAM,CAAC;IAC5B,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACrC;AAED,MAAM,WAAW,gBAAgB;IAC/B,eAAe,EAAE,WAAW,EAAE,CAAC;IAC/B,kBAAkB,EAAE,gBAAgB,EAAE,CAAC;CACxC;AAID,MAAM,WAAW,wBAAwB;IACvC,UAAU,EAAE,OAAO,CAAC;IACpB,IAAI,EAAE,OAAO,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;CACf;AAID,MAAM,WAAW,cAAc;IAC7B,cAAc,EAAE,MAAM,CAAC;IACvB,gBAAgB,EAAE,MAAM,CAAC;IACzB,kBAAkB,EAAE,iBAAiB,CAAC;IACtC,gBAAgB,EAAE,OAAO,CAAC;IAC1B,cAAc,EAAE,MAAM,CAAC;IACvB,WAAW,EAAE,OAAO,CAAC;IACrB,SAAS,EAAE,OAAO,CAAC;IACnB,gBAAgB,EAAE,MAAM,CAAC;IACzB,mBAAmB,EAAE,MAAM,CAAC;IAC5B,oBAAoB,EAAE,MAAM,GAAG,IAAI,CAAC;IACpC,iBAAiB,EAAE,MAAM,CAAC;IAC1B,sBAAsB,EAAE,iBAAiB,CAAC;IAC1C,iBAAiB,EAAE,gBAAgB,CAAC;IACpC,oBAAoB,EAAE,wBAAwB,EAAE,CAAC;IACjD,SAAS,EAAE,eAAe,CAAC;CAC5B;AAMD,MAAM,WAAW,aAAa;IAC5B,UAAU,EAAE,MAAM,CAAC;IACnB,kBAAkB,EAAE,iBAAiB,CAAC;IACtC,kBAAkB,EAAE,OAAO,CAAC;IAC5B,YAAY,EAAE,MAAM,CAAC;IACrB,WAAW,EAAE,MAAM,CAAC;IACpB,cAAc,EAAE,OAAO,CAAC;IACxB,iBAAiB,EAAE,MAAM,GAAG,IAAI,CAAC;IACjC,kBAAkB,EAAE,iBAAiB,GAAG,IAAI,CAAC;IAC7C,gBAAgB,EAAE,MAAM,CAAC;IACzB,SAAS,EAAE,MAAM,CAAC;IAClB,eAAe,EAAE,MAAM,CAAC;IACxB,kBAAkB,EAAE,OAAO,GAAG,IAAI,CAAC;IACnC,gBAAgB,EAAE,eAAe,CAAC;CACnC;AAID,MAAM,MAAM,SAAS,GACjB,SAAS,GACT,iBAAiB,GACjB,qBAAqB,GACrB,YAAY,GACZ,aAAa,GACb,cAAc,GACd,YAAY,GACZ,cAAc,GACd,cAAc,GACd,kBAAkB,GAClB,YAAY,GACZ,gBAAgB,CAAC;AAErB,MAAM,WAAW,cAAc;IAC7B,gBAAgB,EAAE,MAAM,CAAC;IACzB,gBAAgB,EAAE,MAAM,CAAC;IACzB,gBAAgB,EAAE,MAAM,CAAC;IACzB,kBAAkB,EAAE,OAAO,CAAC;IAC5B,MAAM,EAAE,SAAS,CAAC;CACnB;AAED,MAAM,WAAW,eAAe;IAC9B,cAAc,EAAE,MAAM,CAAC;IACvB,gBAAgB,EAAE,MAAM,CAAC;IACzB,UAAU,EAAE,SAAS,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,eAAe,EAAE,MAAM,CAAC;IACxB,SAAS,EAAE,MAAM,CAAC;IAClB,kBAAkB,EAAE,OAAO,GAAG,IAAI,CAAC;IACnC,SAAS,EAAE,OAAO,CAAC;IACnB,OAAO,EAAE,OAAO,CAAC;IACjB,YAAY,EAAE,OAAO,CAAC;IACtB,eAAe,EAAE,eAAe,CAAC;CAClC;AAED,MAAM,WAAW,kBAAkB;IACjC,cAAc,EAAE,MAAM,CAAC;IACvB,gBAAgB,EAAE,MAAM,CAAC;IACzB,UAAU,EAAE,SAAS,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,eAAe,EAAE,MAAM,CAAC;IACxB,SAAS,EAAE,MAAM,CAAC;IAClB,kBAAkB,EAAE,OAAO,GAAG,IAAI,CAAC;CACpC;AAID,MAAM,WAAW,mBAAmB;IAClC,WAAW,EAAE,OAAO,CAAC;IACrB,oBAAoB,EAAE,MAAM,CAAC;IAC7B,kBAAkB,EAAE,MAAM,CAAC;IAC3B,cAAc,EAAE,MAAM,CAAC;IACvB,cAAc,EAAE,MAAM,CAAC;IACvB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,kBAAkB;IACjC,oBAAoB,EAAE,mBAAmB,CAAC;IAC1C,UAAU,EAAE,MAAM,CAAC;CACpB;AAID,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,cAAc,CAAC;IACzB,QAAQ,EAAE,aAAa,EAAE,CAAC;IAC1B,aAAa,EAAE,oBAAoB,EAAE,CAAC;IACtC,oBAAoB,EAAE,mBAAmB,CAAC;IAC1C,UAAU,EAAE,MAAM,CAAC;IACnB,gBAAgB,EAAE,eAAe,CAAC;CACnC;AAID,MAAM,WAAW,iBAAiB;IAChC,kBAAkB,EAAE,MAAM,CAAC;IAC3B,YAAY,EAAE,MAAM,CAAC;IACrB,IAAI,EAAE,cAAc,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,mBAAmB;IAClC,UAAU,EAAE,MAAM,CAAC;IACnB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,mBAAmB,EAAE,MAAM,GAAG,IAAI,CAAC;IACnC,cAAc,EAAE,MAAM,CAAC;IACvB,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,SAAS,EAAE,eAAe,CAAC;CAC5B;AAID,MAAM,MAAM,WAAW,GACnB,gBAAgB,GAChB,uBAAuB,GACvB,mBAAmB,GACnB,gBAAgB,GAChB,oBAAoB,GACpB,YAAY,GACZ,YAAY,CAAC;AAEjB,MAAM,MAAM,gBAAgB,GAAG,QAAQ,GAAG,QAAQ,GAAG,MAAM,CAAC;AAM5D,MAAM,WAAW,gBAAgB;IAC/B,oBAAoB,EAAE,OAAO,CAAC;IAC9B,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;CACnB;AAID,MAAM,WAAW,eAAe;IAC9B,MAAM,EAAE,OAAO,CAAC;IAChB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,eAAe,EAAE,MAAM,CAAC;IACxB,eAAe,EAAE,OAAO,CAAC;IACzB,eAAe,EAAE,KAAK,CAAC;QAAE,SAAS,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,OAAO,CAAA;KAAE,CAAC,CAAC;CAC5E"}
1
+ {"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/core/types.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,OAAO,KAAK,EAAE,OAAO,EAAE,eAAe,EAAE,OAAO,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AAIlG,MAAM,WAAW,iBAAiB;IAChC,UAAU,EAAE,OAAO,CAAC;IACpB,aAAa,EAAE,OAAO,CAAC;CACxB;AAED,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAID,MAAM,MAAM,iBAAiB,GACzB,WAAW,GACX,YAAY,GACZ,iBAAiB,GACjB,YAAY,GACZ,YAAY,GACZ,kBAAkB,GAClB,qBAAqB,GACrB,YAAY,CAAC;AAEjB,MAAM,MAAM,eAAe,GACvB,kBAAkB,GAAG,gBAAgB,GAAG,iBAAiB,GACzD,iBAAiB,GAAI,MAAM,GAAa,WAAW,GACnD,gBAAgB,GAAK,cAAc,GAAK,mBAAmB,GAC3D,gBAAgB,CAAC;AAErB,MAAM,WAAW,iBAAiB;IAChC,sBAAsB,EAAE,MAAM,CAAC;IAC/B,WAAW,EAAE,MAAM,CAAC;IACpB,oBAAoB,EAAE,iBAAiB,EAAE,CAAC;IAC1C,uBAAuB,EAAE,OAAO,CAAC;IACjC,iBAAiB,EAAE,eAAe,EAAE,CAAC;CACtC;AAID,MAAM,MAAM,WAAW,GAAG,QAAQ,GAAG,aAAa,GAAG,SAAS,GAAG,aAAa,CAAC;AAC/E,MAAM,MAAM,cAAc,GAAG,YAAY,GAAG,YAAY,GAAG,aAAa,CAAC;AAEzE,MAAM,WAAW,WAAW;IAC1B,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,WAAW,CAAC;IACzB,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,eAAe,EAAE,cAAc,EAAE,CAAC;CACnC;AAED,MAAM,WAAW,gBAAgB;IAC/B,iBAAiB,EAAE,MAAM,CAAC;IAC1B,mBAAmB,EAAE,MAAM,CAAC;IAC5B,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACrC;AAED,MAAM,WAAW,gBAAgB;IAC/B,eAAe,EAAE,WAAW,EAAE,CAAC;IAC/B,kBAAkB,EAAE,gBAAgB,EAAE,CAAC;CACxC;AAID,MAAM,WAAW,wBAAwB;IACvC,UAAU,EAAE,OAAO,CAAC;IACpB,IAAI,EAAE,OAAO,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;CACf;AAID,MAAM,WAAW,cAAc;IAC7B,cAAc,EAAE,MAAM,CAAC;IACvB,gBAAgB,EAAE,MAAM,CAAC;IACzB,kBAAkB,EAAE,iBAAiB,CAAC;IACtC,gBAAgB,EAAE,OAAO,CAAC;IAC1B,cAAc,EAAE,MAAM,CAAC;IACvB,WAAW,EAAE,OAAO,CAAC;IACrB,SAAS,EAAE,OAAO,CAAC;IACnB,gBAAgB,EAAE,MAAM,CAAC;IACzB,mBAAmB,EAAE,MAAM,CAAC;IAC5B,oBAAoB,EAAE,MAAM,GAAG,IAAI,CAAC;IACpC,iBAAiB,EAAE,MAAM,CAAC;IAC1B,sBAAsB,EAAE,iBAAiB,CAAC;IAC1C,iBAAiB,EAAE,gBAAgB,CAAC;IACpC,oBAAoB,EAAE,wBAAwB,EAAE,CAAC;IACjD,SAAS,EAAE,eAAe,CAAC;CAC5B;AAMD,MAAM,WAAW,aAAa;IAC5B,UAAU,EAAE,MAAM,CAAC;IACnB,kBAAkB,EAAE,iBAAiB,CAAC;IACtC,kBAAkB,EAAE,OAAO,CAAC;IAC5B,YAAY,EAAE,MAAM,CAAC;IACrB,WAAW,EAAE,MAAM,CAAC;IACpB,cAAc,EAAE,OAAO,CAAC;IACxB,iBAAiB,EAAE,MAAM,GAAG,IAAI,CAAC;IACjC,kBAAkB,EAAE,iBAAiB,GAAG,IAAI,CAAC;IAC7C,gBAAgB,EAAE,MAAM,CAAC;IACzB,SAAS,EAAE,MAAM,CAAC;IAClB,eAAe,EAAE,MAAM,CAAC;IACxB,kBAAkB,EAAE,OAAO,GAAG,IAAI,CAAC;IACnC,gBAAgB,EAAE,eAAe,CAAC;CACnC;AAID,MAAM,MAAM,SAAS,GACjB,SAAS,GACT,iBAAiB,GACjB,qBAAqB,GACrB,YAAY,GACZ,aAAa,GACb,cAAc,GACd,YAAY,GACZ,cAAc,GACd,cAAc,GACd,kBAAkB,GAClB,YAAY,GACZ,gBAAgB,CAAC;AAErB,MAAM,WAAW,cAAc;IAC7B,gBAAgB,EAAE,MAAM,CAAC;IACzB,gBAAgB,EAAE,MAAM,CAAC;IACzB,gBAAgB,EAAE,MAAM,CAAC;IACzB,kBAAkB,EAAE,OAAO,CAAC;IAC5B,MAAM,EAAE,SAAS,CAAC;CACnB;AAED,MAAM,WAAW,eAAe;IAC9B,cAAc,EAAE,MAAM,CAAC;IACvB,gBAAgB,EAAE,MAAM,CAAC;IACzB,UAAU,EAAE,SAAS,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,eAAe,EAAE,MAAM,CAAC;IACxB,SAAS,EAAE,MAAM,CAAC;IAClB,kBAAkB,EAAE,OAAO,GAAG,IAAI,CAAC;IACnC,SAAS,EAAE,OAAO,CAAC;IACnB,OAAO,EAAE,OAAO,CAAC;IACjB,YAAY,EAAE,OAAO,CAAC;IACtB,eAAe,EAAE,eAAe,CAAC;CAClC;AAED,MAAM,WAAW,kBAAkB;IACjC,cAAc,EAAE,MAAM,CAAC;IACvB,gBAAgB,EAAE,MAAM,CAAC;IACzB,UAAU,EAAE,SAAS,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,eAAe,EAAE,MAAM,CAAC;IACxB,SAAS,EAAE,MAAM,CAAC;IAClB,kBAAkB,EAAE,OAAO,GAAG,IAAI,CAAC;CACpC;AAID,MAAM,WAAW,mBAAmB;IAClC,WAAW,EAAE,OAAO,CAAC;IACrB,oBAAoB,EAAE,MAAM,CAAC;IAC7B,kBAAkB,EAAE,MAAM,CAAC;IAC3B,cAAc,EAAE,MAAM,CAAC;IACvB,cAAc,EAAE,MAAM,CAAC;IACvB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,kBAAkB;IACjC,oBAAoB,EAAE,mBAAmB,CAAC;IAC1C,UAAU,EAAE,MAAM,CAAC;CACpB;AAID,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,cAAc,CAAC;IACzB,QAAQ,EAAE,aAAa,EAAE,CAAC;IAC1B,aAAa,EAAE,oBAAoB,EAAE,CAAC;IACtC,oBAAoB,EAAE,mBAAmB,CAAC;IAC1C,UAAU,EAAE,MAAM,CAAC;IACnB,gBAAgB,EAAE,eAAe,CAAC;CACnC;AAID,MAAM,WAAW,iBAAiB;IAChC,kBAAkB,EAAE,MAAM,CAAC;IAC3B,YAAY,EAAE,MAAM,CAAC;IACrB,IAAI,EAAE,cAAc,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,mBAAmB;IAClC,UAAU,EAAE,MAAM,CAAC;IACnB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,mBAAmB,EAAE,MAAM,GAAG,IAAI,CAAC;IACnC,cAAc,EAAE,MAAM,CAAC;IACvB,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,SAAS,EAAE,eAAe,CAAC;CAC5B;AAID,MAAM,MAAM,WAAW,GACnB,gBAAgB,GAChB,uBAAuB,GACvB,mBAAmB,GACnB,gBAAgB,GAChB,oBAAoB,GACpB,YAAY,GACZ,YAAY,CAAC;AAEjB,MAAM,MAAM,gBAAgB,GAAG,QAAQ,GAAG,QAAQ,GAAG,MAAM,CAAC;AAM5D,MAAM,WAAW,gBAAgB;IAC/B,oBAAoB,EAAE,OAAO,CAAC;IAC9B,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;CACnB;AAID,MAAM,WAAW,eAAe;IAC9B,MAAM,EAAE,OAAO,CAAC;IAChB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,eAAe,EAAE,MAAM,CAAC;IACxB,eAAe,EAAE,OAAO,CAAC;IACzB,eAAe,EAAE,KAAK,CAAC;QAAE,SAAS,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,OAAO,CAAA;KAAE,CAAC,CAAC;CAC5E"}
@@ -2,7 +2,7 @@ import type { HashHex } from './types.js';
2
2
  export declare function sha256Bytes(data: Uint8Array): HashHex;
3
3
  export declare function sha256Str(data: string): HashHex;
4
4
  export declare function blake2b256(data: Uint8Array): HashHex;
5
- /** Concatenate inputs (NO delimiter) and SHA-256. Patent Section D: "no delimiters." */
5
+ /** Concatenate inputs (NO delimiter) and SHA-256. No delimiters per protocol spec. */
6
6
  export declare function sha256Cat(...parts: (Uint8Array | string)[]): HashHex;
7
7
  /** Concatenate hex strings as text (no decode) and hash. For sealed_hash computation. */
8
8
  export declare function sha256HexCat(...hexes: string[]): HashHex;
@@ -1 +1 @@
1
- {"version":3,"file":"hash.d.ts","sourceRoot":"","sources":["../../src/crypto/hash.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,YAAY,CAAC;AAI1C,wBAAgB,WAAW,CAAC,IAAI,EAAE,UAAU,GAAG,OAAO,CAErD;AAED,wBAAgB,SAAS,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAE/C;AAED,wBAAgB,UAAU,CAAC,IAAI,EAAE,UAAU,GAAG,OAAO,CAEpD;AAED,wFAAwF;AACxF,wBAAgB,SAAS,CAAC,GAAG,KAAK,EAAE,CAAC,UAAU,GAAG,MAAM,CAAC,EAAE,GAAG,OAAO,CAOpE;AAED,yFAAyF;AACzF,wBAAgB,YAAY,CAAC,GAAG,KAAK,EAAE,MAAM,EAAE,GAAG,OAAO,CAExD"}
1
+ {"version":3,"file":"hash.d.ts","sourceRoot":"","sources":["../../src/crypto/hash.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,YAAY,CAAC;AAI1C,wBAAgB,WAAW,CAAC,IAAI,EAAE,UAAU,GAAG,OAAO,CAErD;AAED,wBAAgB,SAAS,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAE/C;AAED,wBAAgB,UAAU,CAAC,IAAI,EAAE,UAAU,GAAG,OAAO,CAEpD;AAED,sFAAsF;AACtF,wBAAgB,SAAS,CAAC,GAAG,KAAK,EAAE,CAAC,UAAU,GAAG,MAAM,CAAC,EAAE,GAAG,OAAO,CAOpE;AAED,yFAAyF;AACzF,wBAAgB,YAAY,CAAC,GAAG,KAAK,EAAE,MAAM,EAAE,GAAG,OAAO,CAExD"}
@@ -11,7 +11,7 @@ export function sha256Str(data) {
11
11
  export function blake2b256(data) {
12
12
  return bytesToHex(blake2b(data, { dkLen: 32 }));
13
13
  }
14
- /** Concatenate inputs (NO delimiter) and SHA-256. Patent Section D: "no delimiters." */
14
+ /** Concatenate inputs (NO delimiter) and SHA-256. No delimiters per protocol spec. */
15
15
  export function sha256Cat(...parts) {
16
16
  const bufs = parts.map(p => typeof p === 'string' ? enc.encode(p) : p);
17
17
  const total = bufs.reduce((n, b) => n + b.length, 0);
@@ -1 +1 @@
1
- {"version":3,"file":"hash.js","sourceRoot":"","sources":["../../src/crypto/hash.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAC;AAC9C,OAAO,EAAE,OAAO,EAAE,MAAM,uBAAuB,CAAC;AAChD,OAAO,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AAGjD,MAAM,GAAG,GAAG,IAAI,WAAW,EAAE,CAAC;AAE9B,MAAM,UAAU,WAAW,CAAC,IAAgB;IAC1C,OAAO,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC;AAClC,CAAC;AAED,MAAM,UAAU,SAAS,CAAC,IAAY;IACpC,OAAO,WAAW,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC;AACvC,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,IAAgB;IACzC,OAAO,UAAU,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC;AAClD,CAAC;AAED,wFAAwF;AACxF,MAAM,UAAU,SAAS,CAAC,GAAG,KAA8B;IACzD,MAAM,IAAI,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACvE,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;IACrD,MAAM,QAAQ,GAAG,IAAI,UAAU,CAAC,KAAK,CAAC,CAAC;IACvC,IAAI,GAAG,GAAG,CAAC,CAAC;IACZ,KAAK,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;QAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;QAAC,GAAG,IAAI,CAAC,CAAC,MAAM,CAAC;IAAC,CAAC;IAChE,OAAO,WAAW,CAAC,QAAQ,CAAC,CAAC;AAC/B,CAAC;AAED,yFAAyF;AACzF,MAAM,UAAU,YAAY,CAAC,GAAG,KAAe;IAC7C,OAAO,SAAS,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC;AACnC,CAAC"}
1
+ {"version":3,"file":"hash.js","sourceRoot":"","sources":["../../src/crypto/hash.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAC;AAC9C,OAAO,EAAE,OAAO,EAAE,MAAM,uBAAuB,CAAC;AAChD,OAAO,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AAGjD,MAAM,GAAG,GAAG,IAAI,WAAW,EAAE,CAAC;AAE9B,MAAM,UAAU,WAAW,CAAC,IAAgB;IAC1C,OAAO,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC;AAClC,CAAC;AAED,MAAM,UAAU,SAAS,CAAC,IAAY;IACpC,OAAO,WAAW,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC;AACvC,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,IAAgB;IACzC,OAAO,UAAU,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC;AAClD,CAAC;AAED,sFAAsF;AACtF,MAAM,UAAU,SAAS,CAAC,GAAG,KAA8B;IACzD,MAAM,IAAI,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACvE,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;IACrD,MAAM,QAAQ,GAAG,IAAI,UAAU,CAAC,KAAK,CAAC,CAAC;IACvC,IAAI,GAAG,GAAG,CAAC,CAAC;IACZ,KAAK,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;QAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;QAAC,GAAG,IAAI,CAAC,CAAC,MAAM,CAAC;IAAC,CAAC;IAChE,OAAO,WAAW,CAAC,QAAQ,CAAC,CAAC;AAC/B,CAAC;AAED,yFAAyF;AACzF,MAAM,UAAU,YAAY,CAAC,GAAG,KAAe;IAC7C,OAAO,SAAS,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC;AACnC,CAAC"}
@@ -1 +1 @@
1
- {"version":3,"file":"nccoe-demo.d.ts","sourceRoot":"","sources":["../../src/prompts/nccoe-demo.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,iBAAiB;;;;;;;;qBAOX;QAAE,UAAU,CAAC,EAAE,MAAM,CAAC;QAAC,kBAAkB,CAAC,EAAE,MAAM,CAAA;KAAE;CAuCtE,CAAC"}
1
+ {"version":3,"file":"nccoe-demo.d.ts","sourceRoot":"","sources":["../../src/prompts/nccoe-demo.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,iBAAiB;;;;;;;;qBAOX;QAAE,UAAU,CAAC,EAAE,MAAM,CAAC;QAAC,kBAAkB,CAAC,EAAE,MAAM,CAAA;KAAE;CAsCtE,CAAC"}
@@ -42,7 +42,6 @@ ${args.include_behavioral === 'true' ? '14' : '12'}. Call \`aga_get_chain\` with
42
42
  ${args.include_behavioral === 'true' ? '15' : '13'}. Call \`aga_export_bundle\` to generate evidence bundle (need checkpoint first)
43
43
  ${args.include_behavioral === 'true' ? '16' : '14'}. Call \`aga_verify_bundle\` with the bundle and issuer public key
44
44
 
45
- All operations should produce signed receipts and chain events.
46
- Each step maps to specific patent claims (see aga://resources/patent-claims).`,
45
+ All operations should produce signed receipts and chain events.`,
47
46
  };
48
47
  //# sourceMappingURL=nccoe-demo.js.map
@@ -1 +1 @@
1
- {"version":3,"file":"nccoe-demo.js","sourceRoot":"","sources":["../../src/prompts/nccoe-demo.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,iBAAiB,GAAG;IAC/B,IAAI,EAAE,YAAY;IAClB,WAAW,EAAE,+FAA+F;IAC5G,SAAS,EAAE;QACT,EAAE,IAAI,EAAE,YAAY,EAAE,WAAW,EAAE,iCAAiC,EAAE,QAAQ,EAAE,KAAK,EAAE;QACvF,EAAE,IAAI,EAAE,oBAAoB,EAAE,WAAW,EAAE,0CAA0C,EAAE,QAAQ,EAAE,KAAK,EAAE;KACzG;IACD,QAAQ,EAAE,CAAC,IAA0D,EAAE,EAAE,CAAC;;;;;;yDAMnB,IAAI,CAAC,UAAU,IAAI,0CAA0C;;EAEpH,IAAI,CAAC,kBAAkB,KAAK,MAAM,CAAC,CAAC,CAAC,+MAA+M,CAAC,CAAC,CAAC,EAAE;;;;;;;;;;;;;;;;;;;EAmBzP,IAAI,CAAC,kBAAkB,KAAK,MAAM,CAAC,CAAC,CAAC;;;CAGtC,CAAC,CAAC,CAAC,EAAE;;;EAGJ,IAAI,CAAC,kBAAkB,KAAK,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI;EAChD,IAAI,CAAC,kBAAkB,KAAK,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI;EAChD,IAAI,CAAC,kBAAkB,KAAK,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI;;;8EAG4B;CAC7E,CAAC"}
1
+ {"version":3,"file":"nccoe-demo.js","sourceRoot":"","sources":["../../src/prompts/nccoe-demo.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,iBAAiB,GAAG;IAC/B,IAAI,EAAE,YAAY;IAClB,WAAW,EAAE,+FAA+F;IAC5G,SAAS,EAAE;QACT,EAAE,IAAI,EAAE,YAAY,EAAE,WAAW,EAAE,iCAAiC,EAAE,QAAQ,EAAE,KAAK,EAAE;QACvF,EAAE,IAAI,EAAE,oBAAoB,EAAE,WAAW,EAAE,0CAA0C,EAAE,QAAQ,EAAE,KAAK,EAAE;KACzG;IACD,QAAQ,EAAE,CAAC,IAA0D,EAAE,EAAE,CAAC;;;;;;yDAMnB,IAAI,CAAC,UAAU,IAAI,0CAA0C;;EAEpH,IAAI,CAAC,kBAAkB,KAAK,MAAM,CAAC,CAAC,CAAC,+MAA+M,CAAC,CAAC,CAAC,EAAE;;;;;;;;;;;;;;;;;;;EAmBzP,IAAI,CAAC,kBAAkB,KAAK,MAAM,CAAC,CAAC,CAAC;;;CAGtC,CAAC,CAAC,CAAC,EAAE;;;EAGJ,IAAI,CAAC,kBAAkB,KAAK,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI;EAChD,IAAI,CAAC,kBAAkB,KAAK,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI;EAChD,IAAI,CAAC,kBAAkB,KAAK,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI;;gEAEc;CAC/D,CAAC"}
@@ -0,0 +1,14 @@
1
+ /**
2
+ * AGA Governance Proxy - Tool Policy Evaluator
3
+ * Ported from aga-mcp-gateway/src/governance/policy.ts with rate limiting.
4
+ *
5
+ * Patent: USPTO App. No. 19/433,835
6
+ * Copyright (c) 2026 Attested Intelligence Holdings LLC
7
+ * SPDX-License-Identifier: MIT
8
+ */
9
+ import type { ToolPolicy, ToolCallDecision } from './types.js';
10
+ export declare function resetRateLimits(): void;
11
+ export declare function cleanPath(p: string): string;
12
+ export declare function matchesPrefix(prefix: string, candidate: string): boolean;
13
+ export declare function evaluate(policy: ToolPolicy, toolName: string, args?: Record<string, unknown>): ToolCallDecision;
14
+ //# sourceMappingURL=evaluator.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"evaluator.d.ts","sourceRoot":"","sources":["../../src/proxy/evaluator.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AA6B/D,wBAAgB,eAAe,IAAI,IAAI,CAEtC;AAID,wBAAgB,SAAS,CAAC,CAAC,EAAE,MAAM,GAAG,MAAM,CAwB3C;AAED,wBAAgB,aAAa,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAOxE;AAyCD,wBAAgB,QAAQ,CACtB,MAAM,EAAE,UAAU,EAClB,QAAQ,EAAE,MAAM,EAChB,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC7B,gBAAgB,CAqDlB"}
@@ -0,0 +1,141 @@
1
+ /**
2
+ * AGA Governance Proxy - Tool Policy Evaluator
3
+ * Ported from aga-mcp-gateway/src/governance/policy.ts with rate limiting.
4
+ *
5
+ * Patent: USPTO App. No. 19/433,835
6
+ * Copyright (c) 2026 Attested Intelligence Holdings LLC
7
+ * SPDX-License-Identifier: MIT
8
+ */
9
+ const rateLimits = new Map();
10
+ function checkRateLimit(toolName, maxPerMinute) {
11
+ const now = Date.now();
12
+ const cutoff = now - 60_000;
13
+ let window = rateLimits.get(toolName);
14
+ if (!window) {
15
+ window = { timestamps: [] };
16
+ rateLimits.set(toolName, window);
17
+ }
18
+ // Prune expired entries
19
+ window.timestamps = window.timestamps.filter(t => t > cutoff);
20
+ if (window.timestamps.length >= maxPerMinute)
21
+ return false;
22
+ window.timestamps.push(now);
23
+ return true;
24
+ }
25
+ export function resetRateLimits() {
26
+ rateLimits.clear();
27
+ }
28
+ // ── Path Utilities (from aga-mcp-gateway) ───────────────────
29
+ export function cleanPath(p) {
30
+ p = p.replace(/\\/g, '/');
31
+ p = p.replace(/\/+/g, '/');
32
+ const segments = p.split('/');
33
+ const resolved = [];
34
+ const absolute = segments[0] === '';
35
+ for (const seg of segments) {
36
+ if (seg === '' || seg === '.')
37
+ continue;
38
+ if (seg === '..') {
39
+ if (resolved.length > 0 && resolved[resolved.length - 1] !== '..') {
40
+ resolved.pop();
41
+ }
42
+ else if (!absolute) {
43
+ resolved.push('..');
44
+ }
45
+ }
46
+ else {
47
+ resolved.push(seg);
48
+ }
49
+ }
50
+ let result = (absolute ? '/' : '') + resolved.join('/');
51
+ if (result === '')
52
+ result = '.';
53
+ return result;
54
+ }
55
+ export function matchesPrefix(prefix, candidate) {
56
+ const cleanPrefix = cleanPath(prefix);
57
+ const cleanCandidate = cleanPath(candidate);
58
+ if (cleanCandidate === cleanPrefix)
59
+ return true;
60
+ const prefixWithSlash = cleanPrefix.endsWith('/') ? cleanPrefix : cleanPrefix + '/';
61
+ return cleanCandidate.startsWith(prefixWithSlash);
62
+ }
63
+ function checkPathConstraints(constraint, args) {
64
+ if (!constraint.path_prefix)
65
+ return null;
66
+ const keys = constraint.path_keys?.length ? constraint.path_keys : ['path'];
67
+ if (!args)
68
+ return null;
69
+ for (const key of keys) {
70
+ const val = args[key];
71
+ if (typeof val === 'string') {
72
+ if (!matchesPrefix(constraint.path_prefix, val)) {
73
+ return `path "${val}" outside allowed prefix "${constraint.path_prefix}"`;
74
+ }
75
+ }
76
+ }
77
+ return null;
78
+ }
79
+ function checkDeniedPatterns(constraint, args) {
80
+ if (!constraint.denied_patterns?.length)
81
+ return null;
82
+ if (!args)
83
+ return null;
84
+ for (const [, val] of Object.entries(args)) {
85
+ if (typeof val !== 'string')
86
+ continue;
87
+ for (const pattern of constraint.denied_patterns) {
88
+ if (val.includes(pattern)) {
89
+ return `argument value matches denied pattern "${pattern}"`;
90
+ }
91
+ }
92
+ }
93
+ return null;
94
+ }
95
+ // ── Main Evaluator ──────────────────────────────────────────
96
+ export function evaluate(policy, toolName, args) {
97
+ const base = { tool_name: toolName, policy_mode: policy.mode };
98
+ // Audit-only mode: always permit
99
+ if (policy.mode === 'audit_only') {
100
+ return { ...base, allowed: true, reason: 'audit_only: all calls permitted' };
101
+ }
102
+ if (policy.mode !== 'allowlist' && policy.mode !== 'denylist') {
103
+ return { ...base, allowed: false, reason: `unknown policy mode: ${policy.mode}` };
104
+ }
105
+ const constraint = policy.constraints[toolName];
106
+ if (policy.mode === 'allowlist') {
107
+ if (!constraint) {
108
+ return { ...base, allowed: false, reason: 'tool not in allowlist' };
109
+ }
110
+ if (!constraint.allowed) {
111
+ return { ...base, allowed: false, reason: 'tool explicitly disallowed' };
112
+ }
113
+ // Rate limit check
114
+ if (constraint.max_calls_per_minute) {
115
+ if (!checkRateLimit(toolName, constraint.max_calls_per_minute)) {
116
+ return { ...base, allowed: false, reason: `rate limit exceeded: ${constraint.max_calls_per_minute}/min` };
117
+ }
118
+ }
119
+ const pathResult = checkPathConstraints(constraint, args);
120
+ if (pathResult !== null) {
121
+ return { ...base, allowed: false, reason: pathResult };
122
+ }
123
+ const patternResult = checkDeniedPatterns(constraint, args);
124
+ if (patternResult !== null) {
125
+ return { ...base, allowed: false, reason: patternResult };
126
+ }
127
+ return { ...base, allowed: true, reason: 'tool permitted by allowlist' };
128
+ }
129
+ // Denylist mode
130
+ if (constraint && !constraint.allowed) {
131
+ return { ...base, allowed: false, reason: 'tool denied by denylist' };
132
+ }
133
+ // Rate limit check for denylist mode (tool not explicitly denied)
134
+ if (constraint?.max_calls_per_minute) {
135
+ if (!checkRateLimit(toolName, constraint.max_calls_per_minute)) {
136
+ return { ...base, allowed: false, reason: `rate limit exceeded: ${constraint.max_calls_per_minute}/min` };
137
+ }
138
+ }
139
+ return { ...base, allowed: true, reason: 'tool not denied' };
140
+ }
141
+ //# sourceMappingURL=evaluator.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"evaluator.js","sourceRoot":"","sources":["../../src/proxy/evaluator.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAUH,MAAM,UAAU,GAAG,IAAI,GAAG,EAAsB,CAAC;AAEjD,SAAS,cAAc,CAAC,QAAgB,EAAE,YAAoB;IAC5D,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,MAAM,MAAM,GAAG,GAAG,GAAG,MAAM,CAAC;IAE5B,IAAI,MAAM,GAAG,UAAU,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IACtC,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,GAAG,EAAE,UAAU,EAAE,EAAE,EAAE,CAAC;QAC5B,UAAU,CAAC,GAAG,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IACnC,CAAC;IAED,wBAAwB;IACxB,MAAM,CAAC,UAAU,GAAG,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,MAAM,CAAC,CAAC;IAE9D,IAAI,MAAM,CAAC,UAAU,CAAC,MAAM,IAAI,YAAY;QAAE,OAAO,KAAK,CAAC;IAE3D,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC5B,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,UAAU,eAAe;IAC7B,UAAU,CAAC,KAAK,EAAE,CAAC;AACrB,CAAC;AAED,+DAA+D;AAE/D,MAAM,UAAU,SAAS,CAAC,CAAS;IACjC,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IAC1B,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAE3B,MAAM,QAAQ,GAAG,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC9B,MAAM,QAAQ,GAAa,EAAE,CAAC;IAC9B,MAAM,QAAQ,GAAG,QAAQ,CAAC,CAAC,CAAC,KAAK,EAAE,CAAC;IAEpC,KAAK,MAAM,GAAG,IAAI,QAAQ,EAAE,CAAC;QAC3B,IAAI,GAAG,KAAK,EAAE,IAAI,GAAG,KAAK,GAAG;YAAE,SAAS;QACxC,IAAI,GAAG,KAAK,IAAI,EAAE,CAAC;YACjB,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;gBAClE,QAAQ,CAAC,GAAG,EAAE,CAAC;YACjB,CAAC;iBAAM,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACrB,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACtB,CAAC;QACH,CAAC;aAAM,CAAC;YACN,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACrB,CAAC;IACH,CAAC;IAED,IAAI,MAAM,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACxD,IAAI,MAAM,KAAK,EAAE;QAAE,MAAM,GAAG,GAAG,CAAC;IAChC,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,MAAc,EAAE,SAAiB;IAC7D,MAAM,WAAW,GAAG,SAAS,CAAC,MAAM,CAAC,CAAC;IACtC,MAAM,cAAc,GAAG,SAAS,CAAC,SAAS,CAAC,CAAC;IAE5C,IAAI,cAAc,KAAK,WAAW;QAAE,OAAO,IAAI,CAAC;IAChD,MAAM,eAAe,GAAG,WAAW,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,WAAW,GAAG,GAAG,CAAC;IACpF,OAAO,cAAc,CAAC,UAAU,CAAC,eAAe,CAAC,CAAC;AACpD,CAAC;AAED,SAAS,oBAAoB,CAC3B,UAA0D,EAC1D,IAA8B;IAE9B,IAAI,CAAC,UAAU,CAAC,WAAW;QAAE,OAAO,IAAI,CAAC;IACzC,MAAM,IAAI,GAAG,UAAU,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;IAC5E,IAAI,CAAC,IAAI;QAAE,OAAO,IAAI,CAAC;IAEvB,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC;QACtB,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;YAC5B,IAAI,CAAC,aAAa,CAAC,UAAU,CAAC,WAAW,EAAE,GAAG,CAAC,EAAE,CAAC;gBAChD,OAAO,SAAS,GAAG,6BAA6B,UAAU,CAAC,WAAW,GAAG,CAAC;YAC5E,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,mBAAmB,CAC1B,UAA0C,EAC1C,IAA8B;IAE9B,IAAI,CAAC,UAAU,CAAC,eAAe,EAAE,MAAM;QAAE,OAAO,IAAI,CAAC;IACrD,IAAI,CAAC,IAAI;QAAE,OAAO,IAAI,CAAC;IAEvB,KAAK,MAAM,CAAC,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QAC3C,IAAI,OAAO,GAAG,KAAK,QAAQ;YAAE,SAAS;QACtC,KAAK,MAAM,OAAO,IAAI,UAAU,CAAC,eAAe,EAAE,CAAC;YACjD,IAAI,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC1B,OAAO,0CAA0C,OAAO,GAAG,CAAC;YAC9D,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,+DAA+D;AAE/D,MAAM,UAAU,QAAQ,CACtB,MAAkB,EAClB,QAAgB,EAChB,IAA8B;IAE9B,MAAM,IAAI,GAAG,EAAE,SAAS,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,CAAC,IAAI,EAAE,CAAC;IAE/D,iCAAiC;IACjC,IAAI,MAAM,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;QACjC,OAAO,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,iCAAiC,EAAE,CAAC;IAC/E,CAAC;IAED,IAAI,MAAM,CAAC,IAAI,KAAK,WAAW,IAAI,MAAM,CAAC,IAAI,KAAK,UAAU,EAAE,CAAC;QAC9D,OAAO,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,wBAAwB,MAAM,CAAC,IAAI,EAAE,EAAE,CAAC;IACpF,CAAC;IAED,MAAM,UAAU,GAAG,MAAM,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC;IAEhD,IAAI,MAAM,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;QAChC,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,OAAO,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,uBAAuB,EAAE,CAAC;QACtE,CAAC;QACD,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC;YACxB,OAAO,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,4BAA4B,EAAE,CAAC;QAC3E,CAAC;QAED,mBAAmB;QACnB,IAAI,UAAU,CAAC,oBAAoB,EAAE,CAAC;YACpC,IAAI,CAAC,cAAc,CAAC,QAAQ,EAAE,UAAU,CAAC,oBAAoB,CAAC,EAAE,CAAC;gBAC/D,OAAO,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,wBAAwB,UAAU,CAAC,oBAAoB,MAAM,EAAE,CAAC;YAC5G,CAAC;QACH,CAAC;QAED,MAAM,UAAU,GAAG,oBAAoB,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC;QAC1D,IAAI,UAAU,KAAK,IAAI,EAAE,CAAC;YACxB,OAAO,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC;QACzD,CAAC;QACD,MAAM,aAAa,GAAG,mBAAmB,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC;QAC5D,IAAI,aAAa,KAAK,IAAI,EAAE,CAAC;YAC3B,OAAO,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,aAAa,EAAE,CAAC;QAC5D,CAAC;QACD,OAAO,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,6BAA6B,EAAE,CAAC;IAC3E,CAAC;IAED,gBAAgB;IAChB,IAAI,UAAU,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC;QACtC,OAAO,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,yBAAyB,EAAE,CAAC;IACxE,CAAC;IAED,kEAAkE;IAClE,IAAI,UAAU,EAAE,oBAAoB,EAAE,CAAC;QACrC,IAAI,CAAC,cAAc,CAAC,QAAQ,EAAE,UAAU,CAAC,oBAAoB,CAAC,EAAE,CAAC;YAC/D,OAAO,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,wBAAwB,UAAU,CAAC,oBAAoB,MAAM,EAAE,CAAC;QAC5G,CAAC;IACH,CAAC;IAED,OAAO,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,iBAAiB,EAAE,CAAC;AAC/D,CAAC"}
@@ -0,0 +1,22 @@
1
+ #!/usr/bin/env node
2
+ /**
3
+ * AGA Governance Proxy - CLI Entry Point
4
+ *
5
+ * Usage:
6
+ * aga-proxy start --upstream "node server.js" # stdio upstream
7
+ * aga-proxy start --upstream-url http://host:port # HTTP upstream
8
+ * aga-proxy start --profile standard # policy profile
9
+ * aga-proxy stop
10
+ * aga-proxy status
11
+ * aga-proxy export --output bundle.json
12
+ * aga-proxy verify bundle.json
13
+ *
14
+ * Patent: USPTO App. No. 19/433,835
15
+ * Copyright (c) 2026 Attested Intelligence Holdings LLC
16
+ * SPDX-License-Identifier: MIT
17
+ */
18
+ export { GovernanceProxy } from './server.js';
19
+ export { evaluate, resetRateLimits } from './evaluator.js';
20
+ export { PROFILES, PERMISSIVE, STANDARD, RESTRICTIVE } from './profiles.js';
21
+ export type { ToolPolicy, ToolConstraint, ToolCallDecision, ProxyConfig } from './types.js';
22
+ //# sourceMappingURL=index.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/proxy/index.ts"],"names":[],"mappings":";AACA;;;;;;;;;;;;;;;GAeG;AAsOH,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAC9C,OAAO,EAAE,QAAQ,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AAC3D,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAC5E,YAAY,EAAE,UAAU,EAAE,cAAc,EAAE,gBAAgB,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC"}