@axtary/actionpass 0.0.1 → 0.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +202 -0
- package/README.md +134 -21
- package/dist/caep.d.ts +89 -0
- package/dist/caep.d.ts.map +1 -0
- package/dist/caep.js +258 -0
- package/dist/caep.js.map +1 -0
- package/dist/dev-key.d.ts +50 -0
- package/dist/dev-key.d.ts.map +1 -0
- package/dist/dev-key.js +103 -0
- package/dist/dev-key.js.map +1 -0
- package/dist/explain.d.ts +12 -0
- package/dist/explain.d.ts.map +1 -0
- package/dist/explain.js +147 -0
- package/dist/explain.js.map +1 -0
- package/dist/index.d.ts +1670 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +2851 -0
- package/dist/index.js.map +1 -0
- package/dist/postgres.d.ts +21 -0
- package/dist/postgres.d.ts.map +1 -0
- package/dist/postgres.js +112 -0
- package/dist/postgres.js.map +1 -0
- package/dist/provenance.d.ts +59 -0
- package/dist/provenance.d.ts.map +1 -0
- package/dist/provenance.js +67 -0
- package/dist/provenance.js.map +1 -0
- package/dist/status-list.d.ts +158 -0
- package/dist/status-list.d.ts.map +1 -0
- package/dist/status-list.js +447 -0
- package/dist/status-list.js.map +1 -0
- package/package.json +18 -6
- package/src/index.ts +0 -552
package/dist/index.d.ts
ADDED
|
@@ -0,0 +1,1670 @@
|
|
|
1
|
+
import { type CryptoKey, type JWK, type KeyObject } from "jose";
|
|
2
|
+
import { z } from "zod";
|
|
3
|
+
import { type ActionPassStatusClaim } from "./status-list.js";
|
|
4
|
+
import { type ActionProvenance } from "./provenance.js";
|
|
5
|
+
import { type PolicyDecisionExplanation } from "./explain.js";
|
|
6
|
+
export * from "./caep.js";
|
|
7
|
+
export * from "./dev-key.js";
|
|
8
|
+
export * from "./explain.js";
|
|
9
|
+
export * from "./postgres.js";
|
|
10
|
+
export * from "./provenance.js";
|
|
11
|
+
export * from "./status-list.js";
|
|
12
|
+
export declare const ACTION_SCHEMA_VERSION = "axtary.action.v0";
|
|
13
|
+
export declare const ACTIONPASS_V0_VERSION = "axtary.actionpass.v0";
|
|
14
|
+
export declare const ACTIONPASS_V1_VERSION = "axtary.actionpass.v1";
|
|
15
|
+
export declare const ACTIONPASS_V2_VERSION = "axtary.actionpass.v2";
|
|
16
|
+
export declare const ACTIONPASS_VERSION = "axtary.actionpass.v0";
|
|
17
|
+
export declare const APPROVAL_ARTIFACT_VERSION = "axtary.approval.v0";
|
|
18
|
+
export declare const ACTIONPASS_REVOCATION_VERSION = "axtary.actionpass_revocation.v0";
|
|
19
|
+
export declare const ACTIONPASS_TRUST_STORE_VERSION = "axtary.actionpass_trust_store.v0";
|
|
20
|
+
export declare const LEDGER_SCHEMA_VERSION = "axtary.ledger.v0";
|
|
21
|
+
export declare const LEDGER_PROVIDER_EVIDENCE_VERSION = "axtary.ledger_provider_evidence.v0";
|
|
22
|
+
export declare const LEDGER_EXECUTION_OUTCOME_VERSION = "axtary.ledger_execution_outcome.v0";
|
|
23
|
+
export declare const DEFAULT_EXPIRES_IN_SECONDS = 600;
|
|
24
|
+
export declare const DEFAULT_SIGNING_ALGORITHM = "ES256";
|
|
25
|
+
export declare const DPOP_PROOF_TYP = "dpop+jwt";
|
|
26
|
+
export declare const DEFAULT_DPOP_MAX_AGE_SECONDS = 60;
|
|
27
|
+
export declare const DEFAULT_DPOP_CLOCK_SKEW_SECONDS = 5;
|
|
28
|
+
export type JsonValue = string | number | boolean | null | JsonValue[] | {
|
|
29
|
+
[key: string]: JsonValue;
|
|
30
|
+
};
|
|
31
|
+
export declare const BudgetAmountSchema: z.ZodRecord<z.ZodString, z.ZodNumber>;
|
|
32
|
+
export type BudgetAmount = z.infer<typeof BudgetAmountSchema>;
|
|
33
|
+
export declare const ActionBudgetSchema: z.ZodObject<{
|
|
34
|
+
reservationId: z.ZodString;
|
|
35
|
+
cost: z.ZodRecord<z.ZodString, z.ZodNumber>;
|
|
36
|
+
limit: z.ZodRecord<z.ZodString, z.ZodNumber>;
|
|
37
|
+
commitStatus: z.ZodEnum<{
|
|
38
|
+
pending: "pending";
|
|
39
|
+
committed: "committed";
|
|
40
|
+
rolled_back: "rolled_back";
|
|
41
|
+
}>;
|
|
42
|
+
}, z.core.$strip>;
|
|
43
|
+
export type ActionBudget = z.infer<typeof ActionBudgetSchema>;
|
|
44
|
+
export declare const AxtaryDecisionSchema: z.ZodEnum<{
|
|
45
|
+
allow: "allow";
|
|
46
|
+
deny: "deny";
|
|
47
|
+
step_up: "step_up";
|
|
48
|
+
}>;
|
|
49
|
+
export type AxtaryDecision = z.infer<typeof AxtaryDecisionSchema>;
|
|
50
|
+
export declare const NormalizedActionSchema: z.ZodObject<{
|
|
51
|
+
schemaVersion: z.ZodDefault<z.ZodLiteral<"axtary.action.v0">>;
|
|
52
|
+
actor: z.ZodObject<{
|
|
53
|
+
agentId: z.ZodString;
|
|
54
|
+
humanOwner: z.ZodString;
|
|
55
|
+
runtime: z.ZodString;
|
|
56
|
+
tenant: z.ZodOptional<z.ZodString>;
|
|
57
|
+
}, z.core.$strip>;
|
|
58
|
+
intent: z.ZodObject<{
|
|
59
|
+
taskId: z.ZodString;
|
|
60
|
+
declaredGoal: z.ZodString;
|
|
61
|
+
maxDelegationDepth: z.ZodOptional<z.ZodNumber>;
|
|
62
|
+
}, z.core.$strip>;
|
|
63
|
+
capability: z.ZodObject<{
|
|
64
|
+
tool: z.ZodString;
|
|
65
|
+
resource: z.ZodString;
|
|
66
|
+
payload: z.ZodRecord<z.ZodString, z.ZodType<JsonValue, unknown, z.core.$ZodTypeInternals<JsonValue, unknown>>>;
|
|
67
|
+
constraints: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodType<JsonValue, unknown, z.core.$ZodTypeInternals<JsonValue, unknown>>>>;
|
|
68
|
+
}, z.core.$strip>;
|
|
69
|
+
toolDefinition: z.ZodOptional<z.ZodObject<{
|
|
70
|
+
serverIdentity: z.ZodString;
|
|
71
|
+
schemaVersion: z.ZodString;
|
|
72
|
+
definitionHash: z.ZodString;
|
|
73
|
+
publisher: z.ZodOptional<z.ZodString>;
|
|
74
|
+
publisherKeyId: z.ZodOptional<z.ZodString>;
|
|
75
|
+
semver: z.ZodOptional<z.ZodString>;
|
|
76
|
+
priorDefinitionHash: z.ZodOptional<z.ZodString>;
|
|
77
|
+
}, z.core.$strip>>;
|
|
78
|
+
provenance: z.ZodOptional<z.ZodObject<{
|
|
79
|
+
schemaVersion: z.ZodDefault<z.ZodLiteral<"axtary.provenance.v0">>;
|
|
80
|
+
sources: z.ZodArray<z.ZodObject<{
|
|
81
|
+
id: z.ZodString;
|
|
82
|
+
kind: z.ZodEnum<{
|
|
83
|
+
unknown: "unknown";
|
|
84
|
+
task: "task";
|
|
85
|
+
operator: "operator";
|
|
86
|
+
document: "document";
|
|
87
|
+
tool_output: "tool_output";
|
|
88
|
+
connector: "connector";
|
|
89
|
+
}>;
|
|
90
|
+
integrity: z.ZodEnum<{
|
|
91
|
+
unknown: "unknown";
|
|
92
|
+
trusted: "trusted";
|
|
93
|
+
untrusted: "untrusted";
|
|
94
|
+
}>;
|
|
95
|
+
resource: z.ZodOptional<z.ZodString>;
|
|
96
|
+
observedAt: z.ZodOptional<z.ZodString>;
|
|
97
|
+
}, z.core.$strip>>;
|
|
98
|
+
bindings: z.ZodArray<z.ZodObject<{
|
|
99
|
+
path: z.ZodString;
|
|
100
|
+
sourceIds: z.ZodArray<z.ZodString>;
|
|
101
|
+
}, z.core.$strip>>;
|
|
102
|
+
}, z.core.$strip>>;
|
|
103
|
+
budget: z.ZodOptional<z.ZodObject<{
|
|
104
|
+
reservationId: z.ZodString;
|
|
105
|
+
cost: z.ZodRecord<z.ZodString, z.ZodNumber>;
|
|
106
|
+
limit: z.ZodRecord<z.ZodString, z.ZodNumber>;
|
|
107
|
+
commitStatus: z.ZodEnum<{
|
|
108
|
+
pending: "pending";
|
|
109
|
+
committed: "committed";
|
|
110
|
+
rolled_back: "rolled_back";
|
|
111
|
+
}>;
|
|
112
|
+
}, z.core.$strip>>;
|
|
113
|
+
}, z.core.$strip>;
|
|
114
|
+
export type NormalizedAction = z.infer<typeof NormalizedActionSchema>;
|
|
115
|
+
export declare const PolicyDecisionSchema: z.ZodObject<{
|
|
116
|
+
decision: z.ZodEnum<{
|
|
117
|
+
allow: "allow";
|
|
118
|
+
deny: "deny";
|
|
119
|
+
step_up: "step_up";
|
|
120
|
+
}>;
|
|
121
|
+
reasons: z.ZodArray<z.ZodString>;
|
|
122
|
+
policy: z.ZodObject<{
|
|
123
|
+
nativeRule: z.ZodString;
|
|
124
|
+
version: z.ZodString;
|
|
125
|
+
cedarCompatible: z.ZodBoolean;
|
|
126
|
+
opaCompatible: z.ZodBoolean;
|
|
127
|
+
}, z.core.$strip>;
|
|
128
|
+
constraints: z.ZodObject<{
|
|
129
|
+
expiresInSeconds: z.ZodNumber;
|
|
130
|
+
maxFilesChanged: z.ZodNumber;
|
|
131
|
+
blockedPaths: z.ZodArray<z.ZodString>;
|
|
132
|
+
}, z.core.$strip>;
|
|
133
|
+
rule: z.ZodOptional<z.ZodObject<{
|
|
134
|
+
id: z.ZodString;
|
|
135
|
+
matchedRuleIds: z.ZodDefault<z.ZodArray<z.ZodString>>;
|
|
136
|
+
}, z.core.$strip>>;
|
|
137
|
+
obligations: z.ZodOptional<z.ZodObject<{
|
|
138
|
+
requiredApproverRoles: z.ZodDefault<z.ZodArray<z.ZodString>>;
|
|
139
|
+
timeWindow: z.ZodOptional<z.ZodObject<{
|
|
140
|
+
startHourUtc: z.ZodNumber;
|
|
141
|
+
endHourUtc: z.ZodNumber;
|
|
142
|
+
daysOfWeek: z.ZodDefault<z.ZodArray<z.ZodNumber>>;
|
|
143
|
+
}, z.core.$strip>>;
|
|
144
|
+
rateLimit: z.ZodOptional<z.ZodObject<{
|
|
145
|
+
ruleId: z.ZodString;
|
|
146
|
+
maxActions: z.ZodNumber;
|
|
147
|
+
windowSeconds: z.ZodNumber;
|
|
148
|
+
scope: z.ZodEnum<{
|
|
149
|
+
resource: "resource";
|
|
150
|
+
actor: "actor";
|
|
151
|
+
tenant: "tenant";
|
|
152
|
+
tool: "tool";
|
|
153
|
+
}>;
|
|
154
|
+
}, z.core.$strip>>;
|
|
155
|
+
}, z.core.$strip>>;
|
|
156
|
+
}, z.core.$strip>;
|
|
157
|
+
export type PolicyDecision = z.infer<typeof PolicyDecisionSchema>;
|
|
158
|
+
export type ActionPassDecision = PolicyDecision;
|
|
159
|
+
export declare const ApprovalSchema: z.ZodObject<{
|
|
160
|
+
mode: z.ZodEnum<{
|
|
161
|
+
none: "none";
|
|
162
|
+
human: "human";
|
|
163
|
+
policy_override: "policy_override";
|
|
164
|
+
}>;
|
|
165
|
+
approvedBy: z.ZodOptional<z.ZodString>;
|
|
166
|
+
approverRoles: z.ZodOptional<z.ZodArray<z.ZodString>>;
|
|
167
|
+
approvalArtifact: z.ZodOptional<z.ZodString>;
|
|
168
|
+
approvalArtifactHash: z.ZodOptional<z.ZodString>;
|
|
169
|
+
actionHash: z.ZodOptional<z.ZodString>;
|
|
170
|
+
payloadHash: z.ZodOptional<z.ZodString>;
|
|
171
|
+
approvedAt: z.ZodOptional<z.ZodString>;
|
|
172
|
+
}, z.core.$strip>;
|
|
173
|
+
export type Approval = z.infer<typeof ApprovalSchema>;
|
|
174
|
+
export declare const ApprovalArtifactSchema: z.ZodObject<{
|
|
175
|
+
schemaVersion: z.ZodLiteral<"axtary.approval.v0">;
|
|
176
|
+
id: z.ZodString;
|
|
177
|
+
mode: z.ZodEnum<{
|
|
178
|
+
human: "human";
|
|
179
|
+
policy_override: "policy_override";
|
|
180
|
+
}>;
|
|
181
|
+
approvedBy: z.ZodString;
|
|
182
|
+
approverRoles: z.ZodOptional<z.ZodArray<z.ZodString>>;
|
|
183
|
+
approvedAt: z.ZodString;
|
|
184
|
+
actionHash: z.ZodString;
|
|
185
|
+
payloadHash: z.ZodString;
|
|
186
|
+
taskId: z.ZodString;
|
|
187
|
+
tool: z.ZodString;
|
|
188
|
+
resource: z.ZodString;
|
|
189
|
+
reason: z.ZodOptional<z.ZodString>;
|
|
190
|
+
expiresAt: z.ZodOptional<z.ZodString>;
|
|
191
|
+
}, z.core.$strip>;
|
|
192
|
+
export type ApprovalArtifact = z.infer<typeof ApprovalArtifactSchema>;
|
|
193
|
+
export declare const ActionPassV0ClaimsSchema: z.ZodObject<{
|
|
194
|
+
iss: z.ZodString;
|
|
195
|
+
sub: z.ZodString;
|
|
196
|
+
aud: z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>;
|
|
197
|
+
exp: z.ZodNumber;
|
|
198
|
+
nbf: z.ZodNumber;
|
|
199
|
+
iat: z.ZodNumber;
|
|
200
|
+
jti: z.ZodString;
|
|
201
|
+
tenant: z.ZodString;
|
|
202
|
+
humanOwner: z.ZodString;
|
|
203
|
+
agentRuntime: z.ZodString;
|
|
204
|
+
intent: z.ZodObject<{
|
|
205
|
+
taskId: z.ZodString;
|
|
206
|
+
declaredGoal: z.ZodString;
|
|
207
|
+
maxDelegationDepth: z.ZodOptional<z.ZodNumber>;
|
|
208
|
+
}, z.core.$strip>;
|
|
209
|
+
capability: z.ZodObject<{
|
|
210
|
+
tool: z.ZodString;
|
|
211
|
+
resource: z.ZodString;
|
|
212
|
+
constraints: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodType<JsonValue, unknown, z.core.$ZodTypeInternals<JsonValue, unknown>>>>;
|
|
213
|
+
}, z.core.$strip>;
|
|
214
|
+
decision: z.ZodEnum<{
|
|
215
|
+
allow: "allow";
|
|
216
|
+
deny: "deny";
|
|
217
|
+
step_up: "step_up";
|
|
218
|
+
}>;
|
|
219
|
+
reasons: z.ZodArray<z.ZodString>;
|
|
220
|
+
policy: z.ZodObject<{
|
|
221
|
+
nativeRule: z.ZodString;
|
|
222
|
+
version: z.ZodString;
|
|
223
|
+
cedarCompatible: z.ZodBoolean;
|
|
224
|
+
opaCompatible: z.ZodBoolean;
|
|
225
|
+
}, z.core.$strip>;
|
|
226
|
+
payloadHash: z.ZodString;
|
|
227
|
+
provenanceHash: z.ZodOptional<z.ZodString>;
|
|
228
|
+
budget: z.ZodOptional<z.ZodObject<{
|
|
229
|
+
reservationId: z.ZodString;
|
|
230
|
+
cost: z.ZodRecord<z.ZodString, z.ZodNumber>;
|
|
231
|
+
limit: z.ZodRecord<z.ZodString, z.ZodNumber>;
|
|
232
|
+
commitStatus: z.ZodEnum<{
|
|
233
|
+
pending: "pending";
|
|
234
|
+
committed: "committed";
|
|
235
|
+
rolled_back: "rolled_back";
|
|
236
|
+
}>;
|
|
237
|
+
}, z.core.$strip>>;
|
|
238
|
+
approval: z.ZodOptional<z.ZodObject<{
|
|
239
|
+
mode: z.ZodEnum<{
|
|
240
|
+
none: "none";
|
|
241
|
+
human: "human";
|
|
242
|
+
policy_override: "policy_override";
|
|
243
|
+
}>;
|
|
244
|
+
approvedBy: z.ZodOptional<z.ZodString>;
|
|
245
|
+
approverRoles: z.ZodOptional<z.ZodArray<z.ZodString>>;
|
|
246
|
+
approvalArtifact: z.ZodOptional<z.ZodString>;
|
|
247
|
+
approvalArtifactHash: z.ZodOptional<z.ZodString>;
|
|
248
|
+
actionHash: z.ZodOptional<z.ZodString>;
|
|
249
|
+
payloadHash: z.ZodOptional<z.ZodString>;
|
|
250
|
+
approvedAt: z.ZodOptional<z.ZodString>;
|
|
251
|
+
}, z.core.$strip>>;
|
|
252
|
+
audit: z.ZodObject<{
|
|
253
|
+
traceId: z.ZodString;
|
|
254
|
+
parentPassId: z.ZodNullable<z.ZodString>;
|
|
255
|
+
ledgerHash: z.ZodNullable<z.ZodString>;
|
|
256
|
+
}, z.core.$strip>;
|
|
257
|
+
apv: z.ZodLiteral<"axtary.actionpass.v0">;
|
|
258
|
+
}, z.core.$strip>;
|
|
259
|
+
export declare const ActionPassV1ClaimsSchema: z.ZodObject<{
|
|
260
|
+
cnf: z.ZodObject<{
|
|
261
|
+
jkt: z.ZodString;
|
|
262
|
+
}, z.core.$strip>;
|
|
263
|
+
delegation: z.ZodOptional<z.ZodObject<{
|
|
264
|
+
depth: z.ZodNumber;
|
|
265
|
+
rootPassId: z.ZodString;
|
|
266
|
+
}, z.core.$strip>>;
|
|
267
|
+
iss: z.ZodString;
|
|
268
|
+
sub: z.ZodString;
|
|
269
|
+
aud: z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>;
|
|
270
|
+
exp: z.ZodNumber;
|
|
271
|
+
nbf: z.ZodNumber;
|
|
272
|
+
iat: z.ZodNumber;
|
|
273
|
+
jti: z.ZodString;
|
|
274
|
+
tenant: z.ZodString;
|
|
275
|
+
humanOwner: z.ZodString;
|
|
276
|
+
agentRuntime: z.ZodString;
|
|
277
|
+
intent: z.ZodObject<{
|
|
278
|
+
taskId: z.ZodString;
|
|
279
|
+
declaredGoal: z.ZodString;
|
|
280
|
+
maxDelegationDepth: z.ZodOptional<z.ZodNumber>;
|
|
281
|
+
}, z.core.$strip>;
|
|
282
|
+
capability: z.ZodObject<{
|
|
283
|
+
tool: z.ZodString;
|
|
284
|
+
resource: z.ZodString;
|
|
285
|
+
constraints: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodType<JsonValue, unknown, z.core.$ZodTypeInternals<JsonValue, unknown>>>>;
|
|
286
|
+
}, z.core.$strip>;
|
|
287
|
+
decision: z.ZodEnum<{
|
|
288
|
+
allow: "allow";
|
|
289
|
+
deny: "deny";
|
|
290
|
+
step_up: "step_up";
|
|
291
|
+
}>;
|
|
292
|
+
reasons: z.ZodArray<z.ZodString>;
|
|
293
|
+
policy: z.ZodObject<{
|
|
294
|
+
nativeRule: z.ZodString;
|
|
295
|
+
version: z.ZodString;
|
|
296
|
+
cedarCompatible: z.ZodBoolean;
|
|
297
|
+
opaCompatible: z.ZodBoolean;
|
|
298
|
+
}, z.core.$strip>;
|
|
299
|
+
payloadHash: z.ZodString;
|
|
300
|
+
provenanceHash: z.ZodOptional<z.ZodString>;
|
|
301
|
+
budget: z.ZodOptional<z.ZodObject<{
|
|
302
|
+
reservationId: z.ZodString;
|
|
303
|
+
cost: z.ZodRecord<z.ZodString, z.ZodNumber>;
|
|
304
|
+
limit: z.ZodRecord<z.ZodString, z.ZodNumber>;
|
|
305
|
+
commitStatus: z.ZodEnum<{
|
|
306
|
+
pending: "pending";
|
|
307
|
+
committed: "committed";
|
|
308
|
+
rolled_back: "rolled_back";
|
|
309
|
+
}>;
|
|
310
|
+
}, z.core.$strip>>;
|
|
311
|
+
approval: z.ZodOptional<z.ZodObject<{
|
|
312
|
+
mode: z.ZodEnum<{
|
|
313
|
+
none: "none";
|
|
314
|
+
human: "human";
|
|
315
|
+
policy_override: "policy_override";
|
|
316
|
+
}>;
|
|
317
|
+
approvedBy: z.ZodOptional<z.ZodString>;
|
|
318
|
+
approverRoles: z.ZodOptional<z.ZodArray<z.ZodString>>;
|
|
319
|
+
approvalArtifact: z.ZodOptional<z.ZodString>;
|
|
320
|
+
approvalArtifactHash: z.ZodOptional<z.ZodString>;
|
|
321
|
+
actionHash: z.ZodOptional<z.ZodString>;
|
|
322
|
+
payloadHash: z.ZodOptional<z.ZodString>;
|
|
323
|
+
approvedAt: z.ZodOptional<z.ZodString>;
|
|
324
|
+
}, z.core.$strip>>;
|
|
325
|
+
audit: z.ZodObject<{
|
|
326
|
+
traceId: z.ZodString;
|
|
327
|
+
parentPassId: z.ZodNullable<z.ZodString>;
|
|
328
|
+
ledgerHash: z.ZodNullable<z.ZodString>;
|
|
329
|
+
}, z.core.$strip>;
|
|
330
|
+
apv: z.ZodLiteral<"axtary.actionpass.v1">;
|
|
331
|
+
}, z.core.$strip>;
|
|
332
|
+
export declare const ActionPassV2ClaimsSchema: z.ZodObject<{
|
|
333
|
+
cnf: z.ZodObject<{
|
|
334
|
+
jkt: z.ZodString;
|
|
335
|
+
}, z.core.$strip>;
|
|
336
|
+
delegation: z.ZodOptional<z.ZodObject<{
|
|
337
|
+
depth: z.ZodNumber;
|
|
338
|
+
rootPassId: z.ZodString;
|
|
339
|
+
}, z.core.$strip>>;
|
|
340
|
+
status: z.ZodObject<{
|
|
341
|
+
status_list: z.ZodObject<{
|
|
342
|
+
idx: z.ZodNumber;
|
|
343
|
+
uri: z.ZodString;
|
|
344
|
+
}, z.core.$strip>;
|
|
345
|
+
}, z.core.$strip>;
|
|
346
|
+
iss: z.ZodString;
|
|
347
|
+
sub: z.ZodString;
|
|
348
|
+
aud: z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>;
|
|
349
|
+
exp: z.ZodNumber;
|
|
350
|
+
nbf: z.ZodNumber;
|
|
351
|
+
iat: z.ZodNumber;
|
|
352
|
+
jti: z.ZodString;
|
|
353
|
+
tenant: z.ZodString;
|
|
354
|
+
humanOwner: z.ZodString;
|
|
355
|
+
agentRuntime: z.ZodString;
|
|
356
|
+
intent: z.ZodObject<{
|
|
357
|
+
taskId: z.ZodString;
|
|
358
|
+
declaredGoal: z.ZodString;
|
|
359
|
+
maxDelegationDepth: z.ZodOptional<z.ZodNumber>;
|
|
360
|
+
}, z.core.$strip>;
|
|
361
|
+
capability: z.ZodObject<{
|
|
362
|
+
tool: z.ZodString;
|
|
363
|
+
resource: z.ZodString;
|
|
364
|
+
constraints: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodType<JsonValue, unknown, z.core.$ZodTypeInternals<JsonValue, unknown>>>>;
|
|
365
|
+
}, z.core.$strip>;
|
|
366
|
+
decision: z.ZodEnum<{
|
|
367
|
+
allow: "allow";
|
|
368
|
+
deny: "deny";
|
|
369
|
+
step_up: "step_up";
|
|
370
|
+
}>;
|
|
371
|
+
reasons: z.ZodArray<z.ZodString>;
|
|
372
|
+
policy: z.ZodObject<{
|
|
373
|
+
nativeRule: z.ZodString;
|
|
374
|
+
version: z.ZodString;
|
|
375
|
+
cedarCompatible: z.ZodBoolean;
|
|
376
|
+
opaCompatible: z.ZodBoolean;
|
|
377
|
+
}, z.core.$strip>;
|
|
378
|
+
payloadHash: z.ZodString;
|
|
379
|
+
provenanceHash: z.ZodOptional<z.ZodString>;
|
|
380
|
+
budget: z.ZodOptional<z.ZodObject<{
|
|
381
|
+
reservationId: z.ZodString;
|
|
382
|
+
cost: z.ZodRecord<z.ZodString, z.ZodNumber>;
|
|
383
|
+
limit: z.ZodRecord<z.ZodString, z.ZodNumber>;
|
|
384
|
+
commitStatus: z.ZodEnum<{
|
|
385
|
+
pending: "pending";
|
|
386
|
+
committed: "committed";
|
|
387
|
+
rolled_back: "rolled_back";
|
|
388
|
+
}>;
|
|
389
|
+
}, z.core.$strip>>;
|
|
390
|
+
approval: z.ZodOptional<z.ZodObject<{
|
|
391
|
+
mode: z.ZodEnum<{
|
|
392
|
+
none: "none";
|
|
393
|
+
human: "human";
|
|
394
|
+
policy_override: "policy_override";
|
|
395
|
+
}>;
|
|
396
|
+
approvedBy: z.ZodOptional<z.ZodString>;
|
|
397
|
+
approverRoles: z.ZodOptional<z.ZodArray<z.ZodString>>;
|
|
398
|
+
approvalArtifact: z.ZodOptional<z.ZodString>;
|
|
399
|
+
approvalArtifactHash: z.ZodOptional<z.ZodString>;
|
|
400
|
+
actionHash: z.ZodOptional<z.ZodString>;
|
|
401
|
+
payloadHash: z.ZodOptional<z.ZodString>;
|
|
402
|
+
approvedAt: z.ZodOptional<z.ZodString>;
|
|
403
|
+
}, z.core.$strip>>;
|
|
404
|
+
audit: z.ZodObject<{
|
|
405
|
+
traceId: z.ZodString;
|
|
406
|
+
parentPassId: z.ZodNullable<z.ZodString>;
|
|
407
|
+
ledgerHash: z.ZodNullable<z.ZodString>;
|
|
408
|
+
}, z.core.$strip>;
|
|
409
|
+
apv: z.ZodLiteral<"axtary.actionpass.v2">;
|
|
410
|
+
}, z.core.$strip>;
|
|
411
|
+
export declare const ActionPassClaimsSchema: z.ZodUnion<readonly [z.ZodObject<{
|
|
412
|
+
iss: z.ZodString;
|
|
413
|
+
sub: z.ZodString;
|
|
414
|
+
aud: z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>;
|
|
415
|
+
exp: z.ZodNumber;
|
|
416
|
+
nbf: z.ZodNumber;
|
|
417
|
+
iat: z.ZodNumber;
|
|
418
|
+
jti: z.ZodString;
|
|
419
|
+
tenant: z.ZodString;
|
|
420
|
+
humanOwner: z.ZodString;
|
|
421
|
+
agentRuntime: z.ZodString;
|
|
422
|
+
intent: z.ZodObject<{
|
|
423
|
+
taskId: z.ZodString;
|
|
424
|
+
declaredGoal: z.ZodString;
|
|
425
|
+
maxDelegationDepth: z.ZodOptional<z.ZodNumber>;
|
|
426
|
+
}, z.core.$strip>;
|
|
427
|
+
capability: z.ZodObject<{
|
|
428
|
+
tool: z.ZodString;
|
|
429
|
+
resource: z.ZodString;
|
|
430
|
+
constraints: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodType<JsonValue, unknown, z.core.$ZodTypeInternals<JsonValue, unknown>>>>;
|
|
431
|
+
}, z.core.$strip>;
|
|
432
|
+
decision: z.ZodEnum<{
|
|
433
|
+
allow: "allow";
|
|
434
|
+
deny: "deny";
|
|
435
|
+
step_up: "step_up";
|
|
436
|
+
}>;
|
|
437
|
+
reasons: z.ZodArray<z.ZodString>;
|
|
438
|
+
policy: z.ZodObject<{
|
|
439
|
+
nativeRule: z.ZodString;
|
|
440
|
+
version: z.ZodString;
|
|
441
|
+
cedarCompatible: z.ZodBoolean;
|
|
442
|
+
opaCompatible: z.ZodBoolean;
|
|
443
|
+
}, z.core.$strip>;
|
|
444
|
+
payloadHash: z.ZodString;
|
|
445
|
+
provenanceHash: z.ZodOptional<z.ZodString>;
|
|
446
|
+
budget: z.ZodOptional<z.ZodObject<{
|
|
447
|
+
reservationId: z.ZodString;
|
|
448
|
+
cost: z.ZodRecord<z.ZodString, z.ZodNumber>;
|
|
449
|
+
limit: z.ZodRecord<z.ZodString, z.ZodNumber>;
|
|
450
|
+
commitStatus: z.ZodEnum<{
|
|
451
|
+
pending: "pending";
|
|
452
|
+
committed: "committed";
|
|
453
|
+
rolled_back: "rolled_back";
|
|
454
|
+
}>;
|
|
455
|
+
}, z.core.$strip>>;
|
|
456
|
+
approval: z.ZodOptional<z.ZodObject<{
|
|
457
|
+
mode: z.ZodEnum<{
|
|
458
|
+
none: "none";
|
|
459
|
+
human: "human";
|
|
460
|
+
policy_override: "policy_override";
|
|
461
|
+
}>;
|
|
462
|
+
approvedBy: z.ZodOptional<z.ZodString>;
|
|
463
|
+
approverRoles: z.ZodOptional<z.ZodArray<z.ZodString>>;
|
|
464
|
+
approvalArtifact: z.ZodOptional<z.ZodString>;
|
|
465
|
+
approvalArtifactHash: z.ZodOptional<z.ZodString>;
|
|
466
|
+
actionHash: z.ZodOptional<z.ZodString>;
|
|
467
|
+
payloadHash: z.ZodOptional<z.ZodString>;
|
|
468
|
+
approvedAt: z.ZodOptional<z.ZodString>;
|
|
469
|
+
}, z.core.$strip>>;
|
|
470
|
+
audit: z.ZodObject<{
|
|
471
|
+
traceId: z.ZodString;
|
|
472
|
+
parentPassId: z.ZodNullable<z.ZodString>;
|
|
473
|
+
ledgerHash: z.ZodNullable<z.ZodString>;
|
|
474
|
+
}, z.core.$strip>;
|
|
475
|
+
apv: z.ZodLiteral<"axtary.actionpass.v0">;
|
|
476
|
+
}, z.core.$strip>, z.ZodObject<{
|
|
477
|
+
cnf: z.ZodObject<{
|
|
478
|
+
jkt: z.ZodString;
|
|
479
|
+
}, z.core.$strip>;
|
|
480
|
+
delegation: z.ZodOptional<z.ZodObject<{
|
|
481
|
+
depth: z.ZodNumber;
|
|
482
|
+
rootPassId: z.ZodString;
|
|
483
|
+
}, z.core.$strip>>;
|
|
484
|
+
iss: z.ZodString;
|
|
485
|
+
sub: z.ZodString;
|
|
486
|
+
aud: z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>;
|
|
487
|
+
exp: z.ZodNumber;
|
|
488
|
+
nbf: z.ZodNumber;
|
|
489
|
+
iat: z.ZodNumber;
|
|
490
|
+
jti: z.ZodString;
|
|
491
|
+
tenant: z.ZodString;
|
|
492
|
+
humanOwner: z.ZodString;
|
|
493
|
+
agentRuntime: z.ZodString;
|
|
494
|
+
intent: z.ZodObject<{
|
|
495
|
+
taskId: z.ZodString;
|
|
496
|
+
declaredGoal: z.ZodString;
|
|
497
|
+
maxDelegationDepth: z.ZodOptional<z.ZodNumber>;
|
|
498
|
+
}, z.core.$strip>;
|
|
499
|
+
capability: z.ZodObject<{
|
|
500
|
+
tool: z.ZodString;
|
|
501
|
+
resource: z.ZodString;
|
|
502
|
+
constraints: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodType<JsonValue, unknown, z.core.$ZodTypeInternals<JsonValue, unknown>>>>;
|
|
503
|
+
}, z.core.$strip>;
|
|
504
|
+
decision: z.ZodEnum<{
|
|
505
|
+
allow: "allow";
|
|
506
|
+
deny: "deny";
|
|
507
|
+
step_up: "step_up";
|
|
508
|
+
}>;
|
|
509
|
+
reasons: z.ZodArray<z.ZodString>;
|
|
510
|
+
policy: z.ZodObject<{
|
|
511
|
+
nativeRule: z.ZodString;
|
|
512
|
+
version: z.ZodString;
|
|
513
|
+
cedarCompatible: z.ZodBoolean;
|
|
514
|
+
opaCompatible: z.ZodBoolean;
|
|
515
|
+
}, z.core.$strip>;
|
|
516
|
+
payloadHash: z.ZodString;
|
|
517
|
+
provenanceHash: z.ZodOptional<z.ZodString>;
|
|
518
|
+
budget: z.ZodOptional<z.ZodObject<{
|
|
519
|
+
reservationId: z.ZodString;
|
|
520
|
+
cost: z.ZodRecord<z.ZodString, z.ZodNumber>;
|
|
521
|
+
limit: z.ZodRecord<z.ZodString, z.ZodNumber>;
|
|
522
|
+
commitStatus: z.ZodEnum<{
|
|
523
|
+
pending: "pending";
|
|
524
|
+
committed: "committed";
|
|
525
|
+
rolled_back: "rolled_back";
|
|
526
|
+
}>;
|
|
527
|
+
}, z.core.$strip>>;
|
|
528
|
+
approval: z.ZodOptional<z.ZodObject<{
|
|
529
|
+
mode: z.ZodEnum<{
|
|
530
|
+
none: "none";
|
|
531
|
+
human: "human";
|
|
532
|
+
policy_override: "policy_override";
|
|
533
|
+
}>;
|
|
534
|
+
approvedBy: z.ZodOptional<z.ZodString>;
|
|
535
|
+
approverRoles: z.ZodOptional<z.ZodArray<z.ZodString>>;
|
|
536
|
+
approvalArtifact: z.ZodOptional<z.ZodString>;
|
|
537
|
+
approvalArtifactHash: z.ZodOptional<z.ZodString>;
|
|
538
|
+
actionHash: z.ZodOptional<z.ZodString>;
|
|
539
|
+
payloadHash: z.ZodOptional<z.ZodString>;
|
|
540
|
+
approvedAt: z.ZodOptional<z.ZodString>;
|
|
541
|
+
}, z.core.$strip>>;
|
|
542
|
+
audit: z.ZodObject<{
|
|
543
|
+
traceId: z.ZodString;
|
|
544
|
+
parentPassId: z.ZodNullable<z.ZodString>;
|
|
545
|
+
ledgerHash: z.ZodNullable<z.ZodString>;
|
|
546
|
+
}, z.core.$strip>;
|
|
547
|
+
apv: z.ZodLiteral<"axtary.actionpass.v1">;
|
|
548
|
+
}, z.core.$strip>, z.ZodObject<{
|
|
549
|
+
cnf: z.ZodObject<{
|
|
550
|
+
jkt: z.ZodString;
|
|
551
|
+
}, z.core.$strip>;
|
|
552
|
+
delegation: z.ZodOptional<z.ZodObject<{
|
|
553
|
+
depth: z.ZodNumber;
|
|
554
|
+
rootPassId: z.ZodString;
|
|
555
|
+
}, z.core.$strip>>;
|
|
556
|
+
status: z.ZodObject<{
|
|
557
|
+
status_list: z.ZodObject<{
|
|
558
|
+
idx: z.ZodNumber;
|
|
559
|
+
uri: z.ZodString;
|
|
560
|
+
}, z.core.$strip>;
|
|
561
|
+
}, z.core.$strip>;
|
|
562
|
+
iss: z.ZodString;
|
|
563
|
+
sub: z.ZodString;
|
|
564
|
+
aud: z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>;
|
|
565
|
+
exp: z.ZodNumber;
|
|
566
|
+
nbf: z.ZodNumber;
|
|
567
|
+
iat: z.ZodNumber;
|
|
568
|
+
jti: z.ZodString;
|
|
569
|
+
tenant: z.ZodString;
|
|
570
|
+
humanOwner: z.ZodString;
|
|
571
|
+
agentRuntime: z.ZodString;
|
|
572
|
+
intent: z.ZodObject<{
|
|
573
|
+
taskId: z.ZodString;
|
|
574
|
+
declaredGoal: z.ZodString;
|
|
575
|
+
maxDelegationDepth: z.ZodOptional<z.ZodNumber>;
|
|
576
|
+
}, z.core.$strip>;
|
|
577
|
+
capability: z.ZodObject<{
|
|
578
|
+
tool: z.ZodString;
|
|
579
|
+
resource: z.ZodString;
|
|
580
|
+
constraints: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodType<JsonValue, unknown, z.core.$ZodTypeInternals<JsonValue, unknown>>>>;
|
|
581
|
+
}, z.core.$strip>;
|
|
582
|
+
decision: z.ZodEnum<{
|
|
583
|
+
allow: "allow";
|
|
584
|
+
deny: "deny";
|
|
585
|
+
step_up: "step_up";
|
|
586
|
+
}>;
|
|
587
|
+
reasons: z.ZodArray<z.ZodString>;
|
|
588
|
+
policy: z.ZodObject<{
|
|
589
|
+
nativeRule: z.ZodString;
|
|
590
|
+
version: z.ZodString;
|
|
591
|
+
cedarCompatible: z.ZodBoolean;
|
|
592
|
+
opaCompatible: z.ZodBoolean;
|
|
593
|
+
}, z.core.$strip>;
|
|
594
|
+
payloadHash: z.ZodString;
|
|
595
|
+
provenanceHash: z.ZodOptional<z.ZodString>;
|
|
596
|
+
budget: z.ZodOptional<z.ZodObject<{
|
|
597
|
+
reservationId: z.ZodString;
|
|
598
|
+
cost: z.ZodRecord<z.ZodString, z.ZodNumber>;
|
|
599
|
+
limit: z.ZodRecord<z.ZodString, z.ZodNumber>;
|
|
600
|
+
commitStatus: z.ZodEnum<{
|
|
601
|
+
pending: "pending";
|
|
602
|
+
committed: "committed";
|
|
603
|
+
rolled_back: "rolled_back";
|
|
604
|
+
}>;
|
|
605
|
+
}, z.core.$strip>>;
|
|
606
|
+
approval: z.ZodOptional<z.ZodObject<{
|
|
607
|
+
mode: z.ZodEnum<{
|
|
608
|
+
none: "none";
|
|
609
|
+
human: "human";
|
|
610
|
+
policy_override: "policy_override";
|
|
611
|
+
}>;
|
|
612
|
+
approvedBy: z.ZodOptional<z.ZodString>;
|
|
613
|
+
approverRoles: z.ZodOptional<z.ZodArray<z.ZodString>>;
|
|
614
|
+
approvalArtifact: z.ZodOptional<z.ZodString>;
|
|
615
|
+
approvalArtifactHash: z.ZodOptional<z.ZodString>;
|
|
616
|
+
actionHash: z.ZodOptional<z.ZodString>;
|
|
617
|
+
payloadHash: z.ZodOptional<z.ZodString>;
|
|
618
|
+
approvedAt: z.ZodOptional<z.ZodString>;
|
|
619
|
+
}, z.core.$strip>>;
|
|
620
|
+
audit: z.ZodObject<{
|
|
621
|
+
traceId: z.ZodString;
|
|
622
|
+
parentPassId: z.ZodNullable<z.ZodString>;
|
|
623
|
+
ledgerHash: z.ZodNullable<z.ZodString>;
|
|
624
|
+
}, z.core.$strip>;
|
|
625
|
+
apv: z.ZodLiteral<"axtary.actionpass.v2">;
|
|
626
|
+
}, z.core.$strip>]>;
|
|
627
|
+
export type ActionPassClaims = z.infer<typeof ActionPassClaimsSchema>;
|
|
628
|
+
export type ActionPassV1Claims = z.infer<typeof ActionPassV1ClaimsSchema>;
|
|
629
|
+
export type ActionPassV2Claims = z.infer<typeof ActionPassV2ClaimsSchema>;
|
|
630
|
+
export declare const DpopProofClaimsSchema: z.ZodObject<{
|
|
631
|
+
htm: z.ZodString;
|
|
632
|
+
htu: z.ZodString;
|
|
633
|
+
iat: z.ZodNumber;
|
|
634
|
+
jti: z.ZodString;
|
|
635
|
+
ath: z.ZodString;
|
|
636
|
+
nonce: z.ZodOptional<z.ZodString>;
|
|
637
|
+
}, z.core.$strip>;
|
|
638
|
+
export type DpopProofClaims = z.infer<typeof DpopProofClaimsSchema>;
|
|
639
|
+
export declare const ActionPassRevocationSchema: z.ZodObject<{
|
|
640
|
+
schemaVersion: z.ZodLiteral<"axtary.actionpass_revocation.v0">;
|
|
641
|
+
passId: z.ZodString;
|
|
642
|
+
revokedAt: z.ZodString;
|
|
643
|
+
revokedBy: z.ZodOptional<z.ZodString>;
|
|
644
|
+
reason: z.ZodOptional<z.ZodString>;
|
|
645
|
+
}, z.core.$strip>;
|
|
646
|
+
export type ActionPassRevocation = z.infer<typeof ActionPassRevocationSchema>;
|
|
647
|
+
export declare const ActionPassVerificationKeyRecordSchema: z.ZodObject<{
|
|
648
|
+
kid: z.ZodString;
|
|
649
|
+
publicJwk: z.ZodRecord<z.ZodString, z.ZodType<JsonValue, unknown, z.core.$ZodTypeInternals<JsonValue, unknown>>>;
|
|
650
|
+
algorithm: z.ZodOptional<z.ZodString>;
|
|
651
|
+
status: z.ZodDefault<z.ZodEnum<{
|
|
652
|
+
active: "active";
|
|
653
|
+
retired: "retired";
|
|
654
|
+
revoked: "revoked";
|
|
655
|
+
}>>;
|
|
656
|
+
notBefore: z.ZodOptional<z.ZodString>;
|
|
657
|
+
expiresAt: z.ZodOptional<z.ZodString>;
|
|
658
|
+
}, z.core.$strip>;
|
|
659
|
+
export type ActionPassVerificationKeyRecord = z.infer<typeof ActionPassVerificationKeyRecordSchema>;
|
|
660
|
+
export type ActionPassVerificationKeyRecordInput = Omit<z.input<typeof ActionPassVerificationKeyRecordSchema>, "publicJwk"> & {
|
|
661
|
+
publicJwk: Record<string, JsonValue> | JWK;
|
|
662
|
+
};
|
|
663
|
+
export declare const ActionPassTrustStoreSchema: z.ZodObject<{
|
|
664
|
+
schemaVersion: z.ZodLiteral<"axtary.actionpass_trust_store.v0">;
|
|
665
|
+
keys: z.ZodDefault<z.ZodArray<z.ZodObject<{
|
|
666
|
+
kid: z.ZodString;
|
|
667
|
+
publicJwk: z.ZodRecord<z.ZodString, z.ZodType<JsonValue, unknown, z.core.$ZodTypeInternals<JsonValue, unknown>>>;
|
|
668
|
+
algorithm: z.ZodOptional<z.ZodString>;
|
|
669
|
+
status: z.ZodDefault<z.ZodEnum<{
|
|
670
|
+
active: "active";
|
|
671
|
+
retired: "retired";
|
|
672
|
+
revoked: "revoked";
|
|
673
|
+
}>>;
|
|
674
|
+
notBefore: z.ZodOptional<z.ZodString>;
|
|
675
|
+
expiresAt: z.ZodOptional<z.ZodString>;
|
|
676
|
+
}, z.core.$strip>>>;
|
|
677
|
+
revocations: z.ZodDefault<z.ZodArray<z.ZodObject<{
|
|
678
|
+
schemaVersion: z.ZodLiteral<"axtary.actionpass_revocation.v0">;
|
|
679
|
+
passId: z.ZodString;
|
|
680
|
+
revokedAt: z.ZodString;
|
|
681
|
+
revokedBy: z.ZodOptional<z.ZodString>;
|
|
682
|
+
reason: z.ZodOptional<z.ZodString>;
|
|
683
|
+
}, z.core.$strip>>>;
|
|
684
|
+
}, z.core.$strip>;
|
|
685
|
+
export type ActionPassTrustStoreData = z.infer<typeof ActionPassTrustStoreSchema>;
|
|
686
|
+
export declare const LedgerProviderEvidenceDiffLineSchema: z.ZodObject<{
|
|
687
|
+
type: z.ZodEnum<{
|
|
688
|
+
context: "context";
|
|
689
|
+
addition: "addition";
|
|
690
|
+
deletion: "deletion";
|
|
691
|
+
}>;
|
|
692
|
+
content: z.ZodString;
|
|
693
|
+
oldLine: z.ZodOptional<z.ZodNumber>;
|
|
694
|
+
newLine: z.ZodOptional<z.ZodNumber>;
|
|
695
|
+
}, z.core.$strip>;
|
|
696
|
+
export type LedgerProviderEvidenceDiffLine = z.infer<typeof LedgerProviderEvidenceDiffLineSchema>;
|
|
697
|
+
export declare const LedgerProviderEvidenceDiffFileSchema: z.ZodObject<{
|
|
698
|
+
path: z.ZodString;
|
|
699
|
+
oldPath: z.ZodOptional<z.ZodString>;
|
|
700
|
+
status: z.ZodEnum<{
|
|
701
|
+
added: "added";
|
|
702
|
+
modified: "modified";
|
|
703
|
+
deleted: "deleted";
|
|
704
|
+
renamed: "renamed";
|
|
705
|
+
}>;
|
|
706
|
+
additions: z.ZodDefault<z.ZodNumber>;
|
|
707
|
+
deletions: z.ZodDefault<z.ZodNumber>;
|
|
708
|
+
hunks: z.ZodDefault<z.ZodArray<z.ZodObject<{
|
|
709
|
+
header: z.ZodString;
|
|
710
|
+
lines: z.ZodArray<z.ZodObject<{
|
|
711
|
+
type: z.ZodEnum<{
|
|
712
|
+
context: "context";
|
|
713
|
+
addition: "addition";
|
|
714
|
+
deletion: "deletion";
|
|
715
|
+
}>;
|
|
716
|
+
content: z.ZodString;
|
|
717
|
+
oldLine: z.ZodOptional<z.ZodNumber>;
|
|
718
|
+
newLine: z.ZodOptional<z.ZodNumber>;
|
|
719
|
+
}, z.core.$strip>>;
|
|
720
|
+
}, z.core.$strip>>>;
|
|
721
|
+
}, z.core.$strip>;
|
|
722
|
+
export type LedgerProviderEvidenceDiffFile = z.infer<typeof LedgerProviderEvidenceDiffFileSchema>;
|
|
723
|
+
export declare const LedgerProviderSchema: z.ZodEnum<{
|
|
724
|
+
github: "github";
|
|
725
|
+
slack: "slack";
|
|
726
|
+
linear: "linear";
|
|
727
|
+
docs: "docs";
|
|
728
|
+
drive: "drive";
|
|
729
|
+
mcp: "mcp";
|
|
730
|
+
aws: "aws";
|
|
731
|
+
gcp: "gcp";
|
|
732
|
+
jira: "jira";
|
|
733
|
+
postgres: "postgres";
|
|
734
|
+
}>;
|
|
735
|
+
export type LedgerProvider = z.infer<typeof LedgerProviderSchema>;
|
|
736
|
+
export declare const LedgerProviderEvidenceDiffSchema: z.ZodObject<{
|
|
737
|
+
provider: z.ZodEnum<{
|
|
738
|
+
github: "github";
|
|
739
|
+
slack: "slack";
|
|
740
|
+
linear: "linear";
|
|
741
|
+
docs: "docs";
|
|
742
|
+
drive: "drive";
|
|
743
|
+
mcp: "mcp";
|
|
744
|
+
aws: "aws";
|
|
745
|
+
gcp: "gcp";
|
|
746
|
+
jira: "jira";
|
|
747
|
+
postgres: "postgres";
|
|
748
|
+
}>;
|
|
749
|
+
summary: z.ZodOptional<z.ZodString>;
|
|
750
|
+
files: z.ZodDefault<z.ZodArray<z.ZodObject<{
|
|
751
|
+
path: z.ZodString;
|
|
752
|
+
oldPath: z.ZodOptional<z.ZodString>;
|
|
753
|
+
status: z.ZodEnum<{
|
|
754
|
+
added: "added";
|
|
755
|
+
modified: "modified";
|
|
756
|
+
deleted: "deleted";
|
|
757
|
+
renamed: "renamed";
|
|
758
|
+
}>;
|
|
759
|
+
additions: z.ZodDefault<z.ZodNumber>;
|
|
760
|
+
deletions: z.ZodDefault<z.ZodNumber>;
|
|
761
|
+
hunks: z.ZodDefault<z.ZodArray<z.ZodObject<{
|
|
762
|
+
header: z.ZodString;
|
|
763
|
+
lines: z.ZodArray<z.ZodObject<{
|
|
764
|
+
type: z.ZodEnum<{
|
|
765
|
+
context: "context";
|
|
766
|
+
addition: "addition";
|
|
767
|
+
deletion: "deletion";
|
|
768
|
+
}>;
|
|
769
|
+
content: z.ZodString;
|
|
770
|
+
oldLine: z.ZodOptional<z.ZodNumber>;
|
|
771
|
+
newLine: z.ZodOptional<z.ZodNumber>;
|
|
772
|
+
}, z.core.$strip>>;
|
|
773
|
+
}, z.core.$strip>>>;
|
|
774
|
+
}, z.core.$strip>>>;
|
|
775
|
+
}, z.core.$strip>;
|
|
776
|
+
export type LedgerProviderEvidenceDiff = z.infer<typeof LedgerProviderEvidenceDiffSchema>;
|
|
777
|
+
export declare const LedgerProviderEvidenceFieldChangeSchema: z.ZodObject<{
|
|
778
|
+
field: z.ZodString;
|
|
779
|
+
before: z.ZodOptional<z.ZodType<JsonValue, unknown, z.core.$ZodTypeInternals<JsonValue, unknown>>>;
|
|
780
|
+
after: z.ZodOptional<z.ZodType<JsonValue, unknown, z.core.$ZodTypeInternals<JsonValue, unknown>>>;
|
|
781
|
+
}, z.core.$strip>;
|
|
782
|
+
export type LedgerProviderEvidenceFieldChange = z.infer<typeof LedgerProviderEvidenceFieldChangeSchema>;
|
|
783
|
+
export declare const LedgerProviderEvidenceSchema: z.ZodObject<{
|
|
784
|
+
schemaVersion: z.ZodLiteral<"axtary.ledger_provider_evidence.v0">;
|
|
785
|
+
provider: z.ZodEnum<{
|
|
786
|
+
github: "github";
|
|
787
|
+
slack: "slack";
|
|
788
|
+
linear: "linear";
|
|
789
|
+
docs: "docs";
|
|
790
|
+
drive: "drive";
|
|
791
|
+
mcp: "mcp";
|
|
792
|
+
aws: "aws";
|
|
793
|
+
gcp: "gcp";
|
|
794
|
+
jira: "jira";
|
|
795
|
+
postgres: "postgres";
|
|
796
|
+
}>;
|
|
797
|
+
tool: z.ZodString;
|
|
798
|
+
operation: z.ZodString;
|
|
799
|
+
resource: z.ZodObject<{
|
|
800
|
+
provider: z.ZodEnum<{
|
|
801
|
+
github: "github";
|
|
802
|
+
slack: "slack";
|
|
803
|
+
linear: "linear";
|
|
804
|
+
docs: "docs";
|
|
805
|
+
drive: "drive";
|
|
806
|
+
mcp: "mcp";
|
|
807
|
+
aws: "aws";
|
|
808
|
+
gcp: "gcp";
|
|
809
|
+
jira: "jira";
|
|
810
|
+
postgres: "postgres";
|
|
811
|
+
}>;
|
|
812
|
+
kind: z.ZodString;
|
|
813
|
+
id: z.ZodString;
|
|
814
|
+
label: z.ZodOptional<z.ZodString>;
|
|
815
|
+
url: z.ZodOptional<z.ZodString>;
|
|
816
|
+
}, z.core.$strict>;
|
|
817
|
+
normalized: z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodType<JsonValue, unknown, z.core.$ZodTypeInternals<JsonValue, unknown>>>>;
|
|
818
|
+
fieldChanges: z.ZodDefault<z.ZodArray<z.ZodObject<{
|
|
819
|
+
field: z.ZodString;
|
|
820
|
+
before: z.ZodOptional<z.ZodType<JsonValue, unknown, z.core.$ZodTypeInternals<JsonValue, unknown>>>;
|
|
821
|
+
after: z.ZodOptional<z.ZodType<JsonValue, unknown, z.core.$ZodTypeInternals<JsonValue, unknown>>>;
|
|
822
|
+
}, z.core.$strip>>>;
|
|
823
|
+
diff: z.ZodOptional<z.ZodObject<{
|
|
824
|
+
provider: z.ZodEnum<{
|
|
825
|
+
github: "github";
|
|
826
|
+
slack: "slack";
|
|
827
|
+
linear: "linear";
|
|
828
|
+
docs: "docs";
|
|
829
|
+
drive: "drive";
|
|
830
|
+
mcp: "mcp";
|
|
831
|
+
aws: "aws";
|
|
832
|
+
gcp: "gcp";
|
|
833
|
+
jira: "jira";
|
|
834
|
+
postgres: "postgres";
|
|
835
|
+
}>;
|
|
836
|
+
summary: z.ZodOptional<z.ZodString>;
|
|
837
|
+
files: z.ZodDefault<z.ZodArray<z.ZodObject<{
|
|
838
|
+
path: z.ZodString;
|
|
839
|
+
oldPath: z.ZodOptional<z.ZodString>;
|
|
840
|
+
status: z.ZodEnum<{
|
|
841
|
+
added: "added";
|
|
842
|
+
modified: "modified";
|
|
843
|
+
deleted: "deleted";
|
|
844
|
+
renamed: "renamed";
|
|
845
|
+
}>;
|
|
846
|
+
additions: z.ZodDefault<z.ZodNumber>;
|
|
847
|
+
deletions: z.ZodDefault<z.ZodNumber>;
|
|
848
|
+
hunks: z.ZodDefault<z.ZodArray<z.ZodObject<{
|
|
849
|
+
header: z.ZodString;
|
|
850
|
+
lines: z.ZodArray<z.ZodObject<{
|
|
851
|
+
type: z.ZodEnum<{
|
|
852
|
+
context: "context";
|
|
853
|
+
addition: "addition";
|
|
854
|
+
deletion: "deletion";
|
|
855
|
+
}>;
|
|
856
|
+
content: z.ZodString;
|
|
857
|
+
oldLine: z.ZodOptional<z.ZodNumber>;
|
|
858
|
+
newLine: z.ZodOptional<z.ZodNumber>;
|
|
859
|
+
}, z.core.$strip>>;
|
|
860
|
+
}, z.core.$strip>>>;
|
|
861
|
+
}, z.core.$strip>>>;
|
|
862
|
+
}, z.core.$strip>>;
|
|
863
|
+
}, z.core.$strip>;
|
|
864
|
+
export type LedgerProviderEvidence = z.infer<typeof LedgerProviderEvidenceSchema>;
|
|
865
|
+
export type ConnectorProvider = "github" | "slack" | "linear" | "jira" | "aws" | "gcp" | "mcp" | "docs" | "drive" | "postgres";
|
|
866
|
+
export type ConnectorCapabilityOperation = "read" | "write" | "external_message" | "identity_read" | "identity_mutation";
|
|
867
|
+
export type ConnectorCapabilityStatus = "supported" | "demo_only" | "planned";
|
|
868
|
+
export type ConnectorCapability = {
|
|
869
|
+
id: string;
|
|
870
|
+
provider: ConnectorProvider;
|
|
871
|
+
connector: string;
|
|
872
|
+
label: string;
|
|
873
|
+
tool: string;
|
|
874
|
+
operation: ConnectorCapabilityOperation;
|
|
875
|
+
status: ConnectorCapabilityStatus;
|
|
876
|
+
supportedModes: string[];
|
|
877
|
+
requiresActionPass: boolean;
|
|
878
|
+
defaultPolicy: "allow" | "deny" | "step_up" | "deny_until_scoped";
|
|
879
|
+
payloadFields: string[];
|
|
880
|
+
approvalTriggers: string[];
|
|
881
|
+
credentialBoundary: string;
|
|
882
|
+
smokeCheck: string | null;
|
|
883
|
+
};
|
|
884
|
+
export type ConnectorProviderMode = "fake" | "rest" | "app" | "web" | "graphql" | "local" | "local-wrapper" | "postgres" | "off" | "planned";
|
|
885
|
+
export declare const GitHubNativeConnectorConfigSchema: z.ZodObject<{
|
|
886
|
+
mode: z.ZodDefault<z.ZodEnum<{
|
|
887
|
+
fake: "fake";
|
|
888
|
+
rest: "rest";
|
|
889
|
+
app: "app";
|
|
890
|
+
}>>;
|
|
891
|
+
tokenEnv: z.ZodDefault<z.ZodString>;
|
|
892
|
+
apiBaseUrl: z.ZodDefault<z.ZodString>;
|
|
893
|
+
userAgent: z.ZodDefault<z.ZodString>;
|
|
894
|
+
appId: z.ZodOptional<z.ZodString>;
|
|
895
|
+
appIdEnv: z.ZodDefault<z.ZodString>;
|
|
896
|
+
installationId: z.ZodOptional<z.ZodString>;
|
|
897
|
+
installationIdEnv: z.ZodDefault<z.ZodString>;
|
|
898
|
+
privateKeyEnv: z.ZodDefault<z.ZodString>;
|
|
899
|
+
}, z.core.$strip>;
|
|
900
|
+
export type GitHubNativeConnectorConfig = z.infer<typeof GitHubNativeConnectorConfigSchema>;
|
|
901
|
+
export declare const DEFAULT_GITHUB_NATIVE_CONNECTOR_CONFIG: GitHubNativeConnectorConfig;
|
|
902
|
+
export declare const LinearNativeConnectorConfigSchema: z.ZodObject<{
|
|
903
|
+
mode: z.ZodDefault<z.ZodEnum<{
|
|
904
|
+
fake: "fake";
|
|
905
|
+
graphql: "graphql";
|
|
906
|
+
}>>;
|
|
907
|
+
tokenEnv: z.ZodDefault<z.ZodString>;
|
|
908
|
+
apiUrl: z.ZodDefault<z.ZodString>;
|
|
909
|
+
}, z.core.$strip>;
|
|
910
|
+
export type LinearNativeConnectorConfig = z.infer<typeof LinearNativeConnectorConfigSchema>;
|
|
911
|
+
export declare const DEFAULT_LINEAR_NATIVE_CONNECTOR_CONFIG: LinearNativeConnectorConfig;
|
|
912
|
+
export declare const JiraNativeConnectorConfigSchema: z.ZodObject<{
|
|
913
|
+
mode: z.ZodDefault<z.ZodEnum<{
|
|
914
|
+
fake: "fake";
|
|
915
|
+
rest: "rest";
|
|
916
|
+
}>>;
|
|
917
|
+
auth: z.ZodDefault<z.ZodEnum<{
|
|
918
|
+
api_token: "api_token";
|
|
919
|
+
oauth: "oauth";
|
|
920
|
+
}>>;
|
|
921
|
+
tokenEnv: z.ZodDefault<z.ZodString>;
|
|
922
|
+
emailEnv: z.ZodDefault<z.ZodString>;
|
|
923
|
+
siteUrl: z.ZodDefault<z.ZodString>;
|
|
924
|
+
cloudId: z.ZodOptional<z.ZodString>;
|
|
925
|
+
cloudIdEnv: z.ZodDefault<z.ZodString>;
|
|
926
|
+
}, z.core.$strip>;
|
|
927
|
+
export type JiraNativeConnectorConfig = z.infer<typeof JiraNativeConnectorConfigSchema>;
|
|
928
|
+
export declare const DEFAULT_JIRA_NATIVE_CONNECTOR_CONFIG: JiraNativeConnectorConfig;
|
|
929
|
+
export declare const PostgresNativeConnectorConfigSchema: z.ZodObject<{
|
|
930
|
+
mode: z.ZodDefault<z.ZodEnum<{
|
|
931
|
+
postgres: "postgres";
|
|
932
|
+
off: "off";
|
|
933
|
+
}>>;
|
|
934
|
+
dsnEnv: z.ZodDefault<z.ZodString>;
|
|
935
|
+
allowedTables: z.ZodDefault<z.ZodArray<z.ZodString>>;
|
|
936
|
+
allowedFunctions: z.ZodDefault<z.ZodArray<z.ZodString>>;
|
|
937
|
+
requireRls: z.ZodDefault<z.ZodBoolean>;
|
|
938
|
+
maxRows: z.ZodDefault<z.ZodNumber>;
|
|
939
|
+
statementTimeoutMs: z.ZodDefault<z.ZodNumber>;
|
|
940
|
+
lockTimeoutMs: z.ZodDefault<z.ZodNumber>;
|
|
941
|
+
idleTransactionTimeoutMs: z.ZodDefault<z.ZodNumber>;
|
|
942
|
+
}, z.core.$strip>;
|
|
943
|
+
export type PostgresNativeConnectorConfig = z.infer<typeof PostgresNativeConnectorConfigSchema>;
|
|
944
|
+
export declare const DEFAULT_POSTGRES_NATIVE_CONNECTOR_CONFIG: PostgresNativeConnectorConfig;
|
|
945
|
+
export declare const DriveNativeConnectorConfigSchema: z.ZodObject<{
|
|
946
|
+
mode: z.ZodDefault<z.ZodEnum<{
|
|
947
|
+
rest: "rest";
|
|
948
|
+
off: "off";
|
|
949
|
+
}>>;
|
|
950
|
+
tokenEnv: z.ZodDefault<z.ZodString>;
|
|
951
|
+
selectedFileId: z.ZodOptional<z.ZodString>;
|
|
952
|
+
apiBaseUrl: z.ZodDefault<z.ZodString>;
|
|
953
|
+
allowedMimeTypes: z.ZodDefault<z.ZodArray<z.ZodString>>;
|
|
954
|
+
maxReadBytes: z.ZodDefault<z.ZodNumber>;
|
|
955
|
+
}, z.core.$strip>;
|
|
956
|
+
export type DriveNativeConnectorConfig = z.infer<typeof DriveNativeConnectorConfigSchema>;
|
|
957
|
+
export declare const DEFAULT_DRIVE_NATIVE_CONNECTOR_CONFIG: DriveNativeConnectorConfig;
|
|
958
|
+
export type NativeConnectorToolDescriptor = {
|
|
959
|
+
capability: ConnectorCapability;
|
|
960
|
+
normalizeEvidence: (action: NormalizedAction, payload: Record<string, JsonValue>) => LedgerProviderEvidence;
|
|
961
|
+
};
|
|
962
|
+
export type NativeConnectorGovernanceDescriptor<TConfig> = {
|
|
963
|
+
provider: ConnectorProvider;
|
|
964
|
+
connector: string;
|
|
965
|
+
mode: ConnectorProviderMode;
|
|
966
|
+
configSchema: z.ZodType<TConfig>;
|
|
967
|
+
defaultConfig: TConfig;
|
|
968
|
+
requiredScopes: readonly string[];
|
|
969
|
+
smokeCheck: string;
|
|
970
|
+
tools: readonly NativeConnectorToolDescriptor[];
|
|
971
|
+
};
|
|
972
|
+
export declare const LedgerExecutionOutcomeSchema: z.ZodObject<{
|
|
973
|
+
schemaVersion: z.ZodLiteral<"axtary.ledger_execution_outcome.v0">;
|
|
974
|
+
status: z.ZodEnum<{
|
|
975
|
+
succeeded: "succeeded";
|
|
976
|
+
failed: "failed";
|
|
977
|
+
}>;
|
|
978
|
+
provider: z.ZodOptional<z.ZodEnum<{
|
|
979
|
+
github: "github";
|
|
980
|
+
slack: "slack";
|
|
981
|
+
linear: "linear";
|
|
982
|
+
docs: "docs";
|
|
983
|
+
drive: "drive";
|
|
984
|
+
mcp: "mcp";
|
|
985
|
+
aws: "aws";
|
|
986
|
+
gcp: "gcp";
|
|
987
|
+
jira: "jira";
|
|
988
|
+
postgres: "postgres";
|
|
989
|
+
}>>;
|
|
990
|
+
resultId: z.ZodOptional<z.ZodString>;
|
|
991
|
+
resultUrl: z.ZodOptional<z.ZodString>;
|
|
992
|
+
resourceId: z.ZodOptional<z.ZodString>;
|
|
993
|
+
resourceLabel: z.ZodOptional<z.ZodString>;
|
|
994
|
+
failureReason: z.ZodOptional<z.ZodString>;
|
|
995
|
+
errorClass: z.ZodOptional<z.ZodString>;
|
|
996
|
+
sideEffectProof: z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodType<JsonValue, unknown, z.core.$ZodTypeInternals<JsonValue, unknown>>>>;
|
|
997
|
+
}, z.core.$strict>;
|
|
998
|
+
export type LedgerExecutionOutcome = z.infer<typeof LedgerExecutionOutcomeSchema>;
|
|
999
|
+
export declare const DelegationLedgerEdgeSchema: z.ZodObject<{
|
|
1000
|
+
parentPassId: z.ZodString;
|
|
1001
|
+
childPassId: z.ZodString;
|
|
1002
|
+
depth: z.ZodNumber;
|
|
1003
|
+
rootPassId: z.ZodString;
|
|
1004
|
+
}, z.core.$strip>;
|
|
1005
|
+
export type DelegationLedgerEdge = z.infer<typeof DelegationLedgerEdgeSchema>;
|
|
1006
|
+
export declare const BudgetLedgerEventSchema: z.ZodObject<{
|
|
1007
|
+
reservationId: z.ZodNullable<z.ZodString>;
|
|
1008
|
+
scope: z.ZodString;
|
|
1009
|
+
status: z.ZodEnum<{
|
|
1010
|
+
pending: "pending";
|
|
1011
|
+
committed: "committed";
|
|
1012
|
+
rolled_back: "rolled_back";
|
|
1013
|
+
denied: "denied";
|
|
1014
|
+
}>;
|
|
1015
|
+
expiresAt: z.ZodNullable<z.ZodString>;
|
|
1016
|
+
cost: z.ZodRecord<z.ZodString, z.ZodNumber>;
|
|
1017
|
+
limit: z.ZodRecord<z.ZodString, z.ZodNumber>;
|
|
1018
|
+
committedBefore: z.ZodRecord<z.ZodString, z.ZodNumber>;
|
|
1019
|
+
committedAfter: z.ZodRecord<z.ZodString, z.ZodNumber>;
|
|
1020
|
+
reservedAfter: z.ZodRecord<z.ZodString, z.ZodNumber>;
|
|
1021
|
+
}, z.core.$strip>;
|
|
1022
|
+
export type BudgetLedgerEvent = z.infer<typeof BudgetLedgerEventSchema>;
|
|
1023
|
+
export declare const LedgerAuditContextSchema: z.ZodObject<{
|
|
1024
|
+
tenant: z.ZodNullable<z.ZodString>;
|
|
1025
|
+
agentId: z.ZodString;
|
|
1026
|
+
humanOwner: z.ZodString;
|
|
1027
|
+
taskId: z.ZodString;
|
|
1028
|
+
tool: z.ZodString;
|
|
1029
|
+
resource: z.ZodString;
|
|
1030
|
+
}, z.core.$strip>;
|
|
1031
|
+
export type LedgerAuditContext = z.infer<typeof LedgerAuditContextSchema>;
|
|
1032
|
+
export declare const LedgerRecordSchema: z.ZodObject<{
|
|
1033
|
+
schemaVersion: z.ZodLiteral<"axtary.ledger.v0">;
|
|
1034
|
+
id: z.ZodString;
|
|
1035
|
+
occurredAt: z.ZodString;
|
|
1036
|
+
auditContext: z.ZodOptional<z.ZodObject<{
|
|
1037
|
+
tenant: z.ZodNullable<z.ZodString>;
|
|
1038
|
+
agentId: z.ZodString;
|
|
1039
|
+
humanOwner: z.ZodString;
|
|
1040
|
+
taskId: z.ZodString;
|
|
1041
|
+
tool: z.ZodString;
|
|
1042
|
+
resource: z.ZodString;
|
|
1043
|
+
}, z.core.$strip>>;
|
|
1044
|
+
actionHash: z.ZodString;
|
|
1045
|
+
payloadHash: z.ZodString;
|
|
1046
|
+
provenanceHash: z.ZodOptional<z.ZodString>;
|
|
1047
|
+
decision: z.ZodEnum<{
|
|
1048
|
+
allow: "allow";
|
|
1049
|
+
deny: "deny";
|
|
1050
|
+
step_up: "step_up";
|
|
1051
|
+
}>;
|
|
1052
|
+
reasons: z.ZodArray<z.ZodString>;
|
|
1053
|
+
policy: z.ZodObject<{
|
|
1054
|
+
nativeRule: z.ZodString;
|
|
1055
|
+
version: z.ZodString;
|
|
1056
|
+
cedarCompatible: z.ZodBoolean;
|
|
1057
|
+
opaCompatible: z.ZodBoolean;
|
|
1058
|
+
}, z.core.$strip>;
|
|
1059
|
+
providerEvidence: z.ZodOptional<z.ZodObject<{
|
|
1060
|
+
schemaVersion: z.ZodLiteral<"axtary.ledger_provider_evidence.v0">;
|
|
1061
|
+
provider: z.ZodEnum<{
|
|
1062
|
+
github: "github";
|
|
1063
|
+
slack: "slack";
|
|
1064
|
+
linear: "linear";
|
|
1065
|
+
docs: "docs";
|
|
1066
|
+
drive: "drive";
|
|
1067
|
+
mcp: "mcp";
|
|
1068
|
+
aws: "aws";
|
|
1069
|
+
gcp: "gcp";
|
|
1070
|
+
jira: "jira";
|
|
1071
|
+
postgres: "postgres";
|
|
1072
|
+
}>;
|
|
1073
|
+
tool: z.ZodString;
|
|
1074
|
+
operation: z.ZodString;
|
|
1075
|
+
resource: z.ZodObject<{
|
|
1076
|
+
provider: z.ZodEnum<{
|
|
1077
|
+
github: "github";
|
|
1078
|
+
slack: "slack";
|
|
1079
|
+
linear: "linear";
|
|
1080
|
+
docs: "docs";
|
|
1081
|
+
drive: "drive";
|
|
1082
|
+
mcp: "mcp";
|
|
1083
|
+
aws: "aws";
|
|
1084
|
+
gcp: "gcp";
|
|
1085
|
+
jira: "jira";
|
|
1086
|
+
postgres: "postgres";
|
|
1087
|
+
}>;
|
|
1088
|
+
kind: z.ZodString;
|
|
1089
|
+
id: z.ZodString;
|
|
1090
|
+
label: z.ZodOptional<z.ZodString>;
|
|
1091
|
+
url: z.ZodOptional<z.ZodString>;
|
|
1092
|
+
}, z.core.$strict>;
|
|
1093
|
+
normalized: z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodType<JsonValue, unknown, z.core.$ZodTypeInternals<JsonValue, unknown>>>>;
|
|
1094
|
+
fieldChanges: z.ZodDefault<z.ZodArray<z.ZodObject<{
|
|
1095
|
+
field: z.ZodString;
|
|
1096
|
+
before: z.ZodOptional<z.ZodType<JsonValue, unknown, z.core.$ZodTypeInternals<JsonValue, unknown>>>;
|
|
1097
|
+
after: z.ZodOptional<z.ZodType<JsonValue, unknown, z.core.$ZodTypeInternals<JsonValue, unknown>>>;
|
|
1098
|
+
}, z.core.$strip>>>;
|
|
1099
|
+
diff: z.ZodOptional<z.ZodObject<{
|
|
1100
|
+
provider: z.ZodEnum<{
|
|
1101
|
+
github: "github";
|
|
1102
|
+
slack: "slack";
|
|
1103
|
+
linear: "linear";
|
|
1104
|
+
docs: "docs";
|
|
1105
|
+
drive: "drive";
|
|
1106
|
+
mcp: "mcp";
|
|
1107
|
+
aws: "aws";
|
|
1108
|
+
gcp: "gcp";
|
|
1109
|
+
jira: "jira";
|
|
1110
|
+
postgres: "postgres";
|
|
1111
|
+
}>;
|
|
1112
|
+
summary: z.ZodOptional<z.ZodString>;
|
|
1113
|
+
files: z.ZodDefault<z.ZodArray<z.ZodObject<{
|
|
1114
|
+
path: z.ZodString;
|
|
1115
|
+
oldPath: z.ZodOptional<z.ZodString>;
|
|
1116
|
+
status: z.ZodEnum<{
|
|
1117
|
+
added: "added";
|
|
1118
|
+
modified: "modified";
|
|
1119
|
+
deleted: "deleted";
|
|
1120
|
+
renamed: "renamed";
|
|
1121
|
+
}>;
|
|
1122
|
+
additions: z.ZodDefault<z.ZodNumber>;
|
|
1123
|
+
deletions: z.ZodDefault<z.ZodNumber>;
|
|
1124
|
+
hunks: z.ZodDefault<z.ZodArray<z.ZodObject<{
|
|
1125
|
+
header: z.ZodString;
|
|
1126
|
+
lines: z.ZodArray<z.ZodObject<{
|
|
1127
|
+
type: z.ZodEnum<{
|
|
1128
|
+
context: "context";
|
|
1129
|
+
addition: "addition";
|
|
1130
|
+
deletion: "deletion";
|
|
1131
|
+
}>;
|
|
1132
|
+
content: z.ZodString;
|
|
1133
|
+
oldLine: z.ZodOptional<z.ZodNumber>;
|
|
1134
|
+
newLine: z.ZodOptional<z.ZodNumber>;
|
|
1135
|
+
}, z.core.$strip>>;
|
|
1136
|
+
}, z.core.$strip>>>;
|
|
1137
|
+
}, z.core.$strip>>>;
|
|
1138
|
+
}, z.core.$strip>>;
|
|
1139
|
+
}, z.core.$strip>>;
|
|
1140
|
+
executionOutcome: z.ZodOptional<z.ZodObject<{
|
|
1141
|
+
schemaVersion: z.ZodLiteral<"axtary.ledger_execution_outcome.v0">;
|
|
1142
|
+
status: z.ZodEnum<{
|
|
1143
|
+
succeeded: "succeeded";
|
|
1144
|
+
failed: "failed";
|
|
1145
|
+
}>;
|
|
1146
|
+
provider: z.ZodOptional<z.ZodEnum<{
|
|
1147
|
+
github: "github";
|
|
1148
|
+
slack: "slack";
|
|
1149
|
+
linear: "linear";
|
|
1150
|
+
docs: "docs";
|
|
1151
|
+
drive: "drive";
|
|
1152
|
+
mcp: "mcp";
|
|
1153
|
+
aws: "aws";
|
|
1154
|
+
gcp: "gcp";
|
|
1155
|
+
jira: "jira";
|
|
1156
|
+
postgres: "postgres";
|
|
1157
|
+
}>>;
|
|
1158
|
+
resultId: z.ZodOptional<z.ZodString>;
|
|
1159
|
+
resultUrl: z.ZodOptional<z.ZodString>;
|
|
1160
|
+
resourceId: z.ZodOptional<z.ZodString>;
|
|
1161
|
+
resourceLabel: z.ZodOptional<z.ZodString>;
|
|
1162
|
+
failureReason: z.ZodOptional<z.ZodString>;
|
|
1163
|
+
errorClass: z.ZodOptional<z.ZodString>;
|
|
1164
|
+
sideEffectProof: z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodType<JsonValue, unknown, z.core.$ZodTypeInternals<JsonValue, unknown>>>>;
|
|
1165
|
+
}, z.core.$strict>>;
|
|
1166
|
+
traceId: z.ZodOptional<z.ZodString>;
|
|
1167
|
+
actionPassId: z.ZodNullable<z.ZodString>;
|
|
1168
|
+
delegation: z.ZodOptional<z.ZodObject<{
|
|
1169
|
+
parentPassId: z.ZodString;
|
|
1170
|
+
childPassId: z.ZodString;
|
|
1171
|
+
depth: z.ZodNumber;
|
|
1172
|
+
rootPassId: z.ZodString;
|
|
1173
|
+
}, z.core.$strip>>;
|
|
1174
|
+
budget: z.ZodOptional<z.ZodObject<{
|
|
1175
|
+
reservationId: z.ZodNullable<z.ZodString>;
|
|
1176
|
+
scope: z.ZodString;
|
|
1177
|
+
status: z.ZodEnum<{
|
|
1178
|
+
pending: "pending";
|
|
1179
|
+
committed: "committed";
|
|
1180
|
+
rolled_back: "rolled_back";
|
|
1181
|
+
denied: "denied";
|
|
1182
|
+
}>;
|
|
1183
|
+
expiresAt: z.ZodNullable<z.ZodString>;
|
|
1184
|
+
cost: z.ZodRecord<z.ZodString, z.ZodNumber>;
|
|
1185
|
+
limit: z.ZodRecord<z.ZodString, z.ZodNumber>;
|
|
1186
|
+
committedBefore: z.ZodRecord<z.ZodString, z.ZodNumber>;
|
|
1187
|
+
committedAfter: z.ZodRecord<z.ZodString, z.ZodNumber>;
|
|
1188
|
+
reservedAfter: z.ZodRecord<z.ZodString, z.ZodNumber>;
|
|
1189
|
+
}, z.core.$strip>>;
|
|
1190
|
+
correlationId: z.ZodOptional<z.ZodString>;
|
|
1191
|
+
previousLedgerHash: z.ZodNullable<z.ZodString>;
|
|
1192
|
+
ledgerHash: z.ZodString;
|
|
1193
|
+
}, z.core.$strip>;
|
|
1194
|
+
export type LedgerRecord = z.infer<typeof LedgerRecordSchema>;
|
|
1195
|
+
export type SigningKey = CryptoKey | KeyObject | JWK | Uint8Array;
|
|
1196
|
+
export type VerificationKey = CryptoKey | KeyObject | JWK | Uint8Array;
|
|
1197
|
+
export type VerificationKeySet = Readonly<Record<string, VerificationKey>>;
|
|
1198
|
+
export type VerificationKeyResolver = (keyId: string | undefined) => VerificationKey | undefined | Promise<VerificationKey | undefined>;
|
|
1199
|
+
export type SigningAlgorithm = "ES256" | "EdDSA";
|
|
1200
|
+
export type PolicyOptions = {
|
|
1201
|
+
allowedTool?: string;
|
|
1202
|
+
requiredBaseBranch?: string;
|
|
1203
|
+
maxFilesChanged?: number;
|
|
1204
|
+
blockedPathPrefixes?: string[];
|
|
1205
|
+
policyVersion?: string;
|
|
1206
|
+
};
|
|
1207
|
+
export type IssueActionPassInput = {
|
|
1208
|
+
action: unknown;
|
|
1209
|
+
decision: PolicyDecision;
|
|
1210
|
+
issuer: string;
|
|
1211
|
+
tenant: string;
|
|
1212
|
+
signingKey: SigningKey;
|
|
1213
|
+
keyId?: string;
|
|
1214
|
+
algorithm?: SigningAlgorithm;
|
|
1215
|
+
now?: Date;
|
|
1216
|
+
expiresInSeconds?: number;
|
|
1217
|
+
approval?: Approval;
|
|
1218
|
+
approvalArtifact?: ApprovalArtifact;
|
|
1219
|
+
parentPassId?: string | null;
|
|
1220
|
+
ledgerHash?: string | null;
|
|
1221
|
+
traceId?: string;
|
|
1222
|
+
passId?: string;
|
|
1223
|
+
};
|
|
1224
|
+
export type IssueActionPassV1Input = IssueActionPassInput & {
|
|
1225
|
+
holderPublicJwk: JWK;
|
|
1226
|
+
delegation?: {
|
|
1227
|
+
depth: number;
|
|
1228
|
+
rootPassId: string;
|
|
1229
|
+
};
|
|
1230
|
+
};
|
|
1231
|
+
export type IssueActionPassV2Input = IssueActionPassV1Input & {
|
|
1232
|
+
status: ActionPassStatusClaim;
|
|
1233
|
+
};
|
|
1234
|
+
export type IssueActionPassResult = {
|
|
1235
|
+
token: string;
|
|
1236
|
+
claims: ActionPassClaims;
|
|
1237
|
+
};
|
|
1238
|
+
export type IssueActionPassV1Result = {
|
|
1239
|
+
token: string;
|
|
1240
|
+
claims: ActionPassV1Claims;
|
|
1241
|
+
};
|
|
1242
|
+
export type IssueActionPassV2Result = {
|
|
1243
|
+
token: string;
|
|
1244
|
+
claims: ActionPassV2Claims;
|
|
1245
|
+
};
|
|
1246
|
+
export type AuthorizeInput = {
|
|
1247
|
+
action: unknown;
|
|
1248
|
+
issuer: string;
|
|
1249
|
+
tenant: string;
|
|
1250
|
+
signingKey: SigningKey;
|
|
1251
|
+
keyId?: string;
|
|
1252
|
+
algorithm?: SigningAlgorithm;
|
|
1253
|
+
now?: Date;
|
|
1254
|
+
policy?: PolicyOptions;
|
|
1255
|
+
approval?: Approval;
|
|
1256
|
+
approvalArtifact?: ApprovalArtifact;
|
|
1257
|
+
previousLedgerHash?: string | null;
|
|
1258
|
+
traceId?: string;
|
|
1259
|
+
};
|
|
1260
|
+
export type AuthorizeResult = {
|
|
1261
|
+
action: NormalizedAction;
|
|
1262
|
+
decision: PolicyDecision;
|
|
1263
|
+
payloadHash: string;
|
|
1264
|
+
actionPass: IssueActionPassResult | null;
|
|
1265
|
+
ledger: LedgerRecord;
|
|
1266
|
+
};
|
|
1267
|
+
export type VerifyActionPassInput = {
|
|
1268
|
+
token: string;
|
|
1269
|
+
action: unknown;
|
|
1270
|
+
verificationKey?: VerificationKey;
|
|
1271
|
+
verificationKeys?: VerificationKeySet | VerificationKeyResolver;
|
|
1272
|
+
issuer?: string;
|
|
1273
|
+
audience?: string | string[];
|
|
1274
|
+
algorithms?: SigningAlgorithm[];
|
|
1275
|
+
clockTolerance?: string | number;
|
|
1276
|
+
currentDate?: Date;
|
|
1277
|
+
dpopProof?: string;
|
|
1278
|
+
dpopMethod?: string;
|
|
1279
|
+
dpopUri?: string;
|
|
1280
|
+
dpopNonce?: string;
|
|
1281
|
+
dpopAlgorithms?: SigningAlgorithm[];
|
|
1282
|
+
dpopMaxAgeSeconds?: number;
|
|
1283
|
+
dpopClockSkewSeconds?: number;
|
|
1284
|
+
dpopReplayStore?: DpopReplayStore;
|
|
1285
|
+
revokedPassIds?: Iterable<string>;
|
|
1286
|
+
revocations?: Iterable<ActionPassRevocation>;
|
|
1287
|
+
isRevoked?: (claims: ActionPassClaims) => boolean | string | Promise<boolean | string>;
|
|
1288
|
+
getStatus?: (claims: ActionPassV2Claims) => number | string | Promise<number | string>;
|
|
1289
|
+
};
|
|
1290
|
+
export type ActionPassRevocationSource = Pick<VerifyActionPassInput, "revokedPassIds" | "revocations" | "isRevoked" | "getStatus">;
|
|
1291
|
+
export type CreateDpopProofInput = {
|
|
1292
|
+
actionPass: string;
|
|
1293
|
+
method: string;
|
|
1294
|
+
uri: string;
|
|
1295
|
+
signingKey: SigningKey;
|
|
1296
|
+
publicJwk: JWK;
|
|
1297
|
+
algorithm?: SigningAlgorithm;
|
|
1298
|
+
now?: Date;
|
|
1299
|
+
proofId?: string;
|
|
1300
|
+
nonce?: string;
|
|
1301
|
+
};
|
|
1302
|
+
export type CreateDpopProofResult = {
|
|
1303
|
+
proof: string;
|
|
1304
|
+
claims: DpopProofClaims;
|
|
1305
|
+
jkt: string;
|
|
1306
|
+
};
|
|
1307
|
+
export type DpopReplayStore = {
|
|
1308
|
+
consume(proofId: string, expiresAt: Date, now?: Date): boolean | Promise<boolean>;
|
|
1309
|
+
};
|
|
1310
|
+
export type VerifyActionPassResult = {
|
|
1311
|
+
valid: true;
|
|
1312
|
+
claims: ActionPassClaims;
|
|
1313
|
+
payloadHash: string;
|
|
1314
|
+
} | {
|
|
1315
|
+
valid: false;
|
|
1316
|
+
reason: string;
|
|
1317
|
+
};
|
|
1318
|
+
export type VerifyDelegationChainInput = {
|
|
1319
|
+
/**
|
|
1320
|
+
* Root-to-leaf chain. Every entry is signature/content verified; the leaf
|
|
1321
|
+
* entry must additionally carry a fresh DPoP proof.
|
|
1322
|
+
*/
|
|
1323
|
+
chain: VerifyActionPassInput[];
|
|
1324
|
+
currentDate?: Date;
|
|
1325
|
+
/**
|
|
1326
|
+
* One authority-owned source applied to every root-to-leaf member. This is
|
|
1327
|
+
* what makes revoking any ancestor invalidate all descendant presentations.
|
|
1328
|
+
*/
|
|
1329
|
+
revocation?: ActionPassRevocationSource;
|
|
1330
|
+
};
|
|
1331
|
+
export type VerifyDelegationChainResult = {
|
|
1332
|
+
valid: true;
|
|
1333
|
+
claims: Array<ActionPassV1Claims | ActionPassV2Claims>;
|
|
1334
|
+
actions: NormalizedAction[];
|
|
1335
|
+
} | {
|
|
1336
|
+
valid: false;
|
|
1337
|
+
reason: string;
|
|
1338
|
+
};
|
|
1339
|
+
export type DelegateActionPassV1Input = Omit<IssueActionPassV1Input, "action" | "decision" | "holderPublicJwk" | "parentPassId" | "delegation"> & {
|
|
1340
|
+
parentChain: VerifyActionPassInput[];
|
|
1341
|
+
childAction: unknown;
|
|
1342
|
+
childDecision: PolicyDecision;
|
|
1343
|
+
childHolderPublicJwk: JWK;
|
|
1344
|
+
revocation?: ActionPassRevocationSource;
|
|
1345
|
+
};
|
|
1346
|
+
export type DelegateActionPassV1Result = IssueActionPassV1Result & {
|
|
1347
|
+
delegation: DelegationLedgerEdge;
|
|
1348
|
+
};
|
|
1349
|
+
export type DelegateActionPassV2Input = Omit<IssueActionPassV2Input, "action" | "decision" | "holderPublicJwk" | "parentPassId" | "delegation" | "status"> & {
|
|
1350
|
+
parentChain: VerifyActionPassInput[];
|
|
1351
|
+
childAction: unknown;
|
|
1352
|
+
childDecision: PolicyDecision;
|
|
1353
|
+
childHolderPublicJwk: JWK;
|
|
1354
|
+
childStatus: ActionPassStatusClaim;
|
|
1355
|
+
revocation?: ActionPassRevocationSource;
|
|
1356
|
+
};
|
|
1357
|
+
export type DelegateActionPassV2Result = IssueActionPassV2Result & {
|
|
1358
|
+
delegation: DelegationLedgerEdge;
|
|
1359
|
+
};
|
|
1360
|
+
export type CreateApprovalArtifactInput = {
|
|
1361
|
+
action: unknown;
|
|
1362
|
+
mode: "human" | "policy_override";
|
|
1363
|
+
approvedBy: string;
|
|
1364
|
+
approverRoles?: string[];
|
|
1365
|
+
approvedAt?: Date;
|
|
1366
|
+
reason?: string;
|
|
1367
|
+
expiresAt?: Date;
|
|
1368
|
+
id?: string;
|
|
1369
|
+
};
|
|
1370
|
+
export type CreateApprovalArtifactResult = {
|
|
1371
|
+
artifact: ApprovalArtifact;
|
|
1372
|
+
artifactHash: string;
|
|
1373
|
+
approval: Approval;
|
|
1374
|
+
};
|
|
1375
|
+
export type RevokeActionPassInput = {
|
|
1376
|
+
passId: string;
|
|
1377
|
+
revokedAt?: Date;
|
|
1378
|
+
revokedBy?: string;
|
|
1379
|
+
reason?: string;
|
|
1380
|
+
};
|
|
1381
|
+
export type ActionPassTrustStore = {
|
|
1382
|
+
getVerificationKey: (keyId: string | undefined) => VerificationKey | undefined | Promise<VerificationKey | undefined>;
|
|
1383
|
+
isPassRevoked: (passId: string) => boolean | string | Promise<boolean | string>;
|
|
1384
|
+
};
|
|
1385
|
+
export type VerifyActionPassWithTrustStoreInput = Omit<VerifyActionPassInput, "verificationKey" | "verificationKeys" | "revokedPassIds" | "revocations" | "isRevoked"> & {
|
|
1386
|
+
trustStore: ActionPassTrustStore | string;
|
|
1387
|
+
};
|
|
1388
|
+
export declare const demoAction: NormalizedAction;
|
|
1389
|
+
export declare function parseNormalizedAction(action: unknown): NormalizedAction;
|
|
1390
|
+
export declare function evaluateAction(actionInput: unknown, options?: PolicyOptions): PolicyDecision;
|
|
1391
|
+
export declare function authorize(input: AuthorizeInput): Promise<AuthorizeResult>;
|
|
1392
|
+
export declare function createApprovalArtifact(input: CreateApprovalArtifactInput): CreateApprovalArtifactResult;
|
|
1393
|
+
export declare function issueActionPass(input: IssueActionPassInput): Promise<IssueActionPassResult>;
|
|
1394
|
+
export declare function issueActionPassV1(input: IssueActionPassV1Input): Promise<IssueActionPassV1Result>;
|
|
1395
|
+
export declare function issueActionPassV2(input: IssueActionPassV2Input): Promise<IssueActionPassV2Result>;
|
|
1396
|
+
export declare function delegateActionPassV1(input: DelegateActionPassV1Input): Promise<DelegateActionPassV1Result>;
|
|
1397
|
+
export declare function delegateActionPassV2(input: DelegateActionPassV2Input): Promise<DelegateActionPassV2Result>;
|
|
1398
|
+
export declare function createDpopProof(input: CreateDpopProofInput): Promise<CreateDpopProofResult>;
|
|
1399
|
+
export declare class InMemoryDpopReplayStore implements DpopReplayStore {
|
|
1400
|
+
private readonly entries;
|
|
1401
|
+
consume(proofId: string, expiresAt: Date, currentDate?: Date): boolean;
|
|
1402
|
+
}
|
|
1403
|
+
export type FileDpopReplayStoreOptions = {
|
|
1404
|
+
lock?: {
|
|
1405
|
+
staleMs?: number;
|
|
1406
|
+
updateMs?: number;
|
|
1407
|
+
retries?: number;
|
|
1408
|
+
minTimeoutMs?: number;
|
|
1409
|
+
maxTimeoutMs?: number;
|
|
1410
|
+
};
|
|
1411
|
+
};
|
|
1412
|
+
/**
|
|
1413
|
+
* Durable, inter-process replay store for DPoP proof `jti`s. A proof captured
|
|
1414
|
+
* before a restart stays rejected after restart, for as long as it remains
|
|
1415
|
+
* inside its own time window. Entries live only until their proof expires, so
|
|
1416
|
+
* the on-disk set stays bounded to the in-flight window rather than growing
|
|
1417
|
+
* unboundedly.
|
|
1418
|
+
*
|
|
1419
|
+
* This is a single-file local store, not a cross-host distributed one: it
|
|
1420
|
+
* defends one machine's verifiers (shared across handlers/processes on that
|
|
1421
|
+
* host). Authenticated cross-host distribution is out of scope here.
|
|
1422
|
+
*
|
|
1423
|
+
* Durability mirrors the local ledger: a `proper-lockfile` lease serializes the
|
|
1424
|
+
* read-modify-write so `consume` is atomic across processes, appended lines are
|
|
1425
|
+
* `fsync`ed before the lease releases, and the file is compacted in place once
|
|
1426
|
+
* expired lines outnumber live ones so it cannot grow without bound.
|
|
1427
|
+
*/
|
|
1428
|
+
export declare class FileDpopReplayStore implements DpopReplayStore {
|
|
1429
|
+
readonly filePath: string;
|
|
1430
|
+
private readonly options;
|
|
1431
|
+
constructor(filePath: string, options?: FileDpopReplayStoreOptions);
|
|
1432
|
+
consume(proofId: string, expiresAt: Date, currentDate?: Date): Promise<boolean>;
|
|
1433
|
+
private acquireLock;
|
|
1434
|
+
private readLiveEntries;
|
|
1435
|
+
private append;
|
|
1436
|
+
private compact;
|
|
1437
|
+
}
|
|
1438
|
+
export declare function verifyActionPass(input: VerifyActionPassInput): Promise<VerifyActionPassResult>;
|
|
1439
|
+
export declare function verifyDelegationChain(input: VerifyDelegationChainInput): Promise<VerifyDelegationChainResult>;
|
|
1440
|
+
export declare function revokeActionPass(input: RevokeActionPassInput): ActionPassRevocation;
|
|
1441
|
+
export declare class LocalActionPassTrustStore implements ActionPassTrustStore {
|
|
1442
|
+
readonly filePath: string;
|
|
1443
|
+
constructor(filePath: string);
|
|
1444
|
+
read(): Promise<ActionPassTrustStoreData>;
|
|
1445
|
+
write(dataInput: Partial<ActionPassTrustStoreData>): Promise<ActionPassTrustStoreData>;
|
|
1446
|
+
putVerificationKey(keyInput: ActionPassVerificationKeyRecordInput): Promise<ActionPassVerificationKeyRecord>;
|
|
1447
|
+
revokeActionPass(input: RevokeActionPassInput | ActionPassRevocation): Promise<ActionPassRevocation>;
|
|
1448
|
+
getVerificationKey(keyId: string | undefined, now?: Date): Promise<VerificationKey | undefined>;
|
|
1449
|
+
isPassRevoked(passId: string): Promise<boolean>;
|
|
1450
|
+
}
|
|
1451
|
+
export declare function verifyActionPassWithTrustStore(input: VerifyActionPassWithTrustStoreInput): Promise<VerifyActionPassResult>;
|
|
1452
|
+
export declare function recordDecision(input: {
|
|
1453
|
+
action: unknown;
|
|
1454
|
+
decision: PolicyDecision;
|
|
1455
|
+
actionPassId?: string | null;
|
|
1456
|
+
delegation?: DelegationLedgerEdge;
|
|
1457
|
+
budget?: BudgetLedgerEvent;
|
|
1458
|
+
previousLedgerHash?: string | null;
|
|
1459
|
+
occurredAt?: Date;
|
|
1460
|
+
traceId?: string;
|
|
1461
|
+
providerEvidence?: LedgerProviderEvidence;
|
|
1462
|
+
executionOutcome?: LedgerExecutionOutcome;
|
|
1463
|
+
correlationId?: string | null;
|
|
1464
|
+
}): LedgerRecord;
|
|
1465
|
+
/**
|
|
1466
|
+
* Canonical reason token marking a ledger record as the tamper-evident
|
|
1467
|
+
* revocation event for its pass. Matches the forensics `cascade_containment`
|
|
1468
|
+
* convention (spec §9.5) and the trust-store revocation authority (spec §7).
|
|
1469
|
+
*/
|
|
1470
|
+
export declare const REVOCATION_LEDGER_REASON = "actionpass_revoked";
|
|
1471
|
+
/**
|
|
1472
|
+
* Build a tamper-evident revocation event for a previously recorded pass. The
|
|
1473
|
+
* event is a `deny` record naming the pass with `actionpass_revoked`, reusing
|
|
1474
|
+
* the revoked record's action/payload hashes, policy, and audit context so the
|
|
1475
|
+
* revocation is bound to the exact action it cancels. It carries no delegation
|
|
1476
|
+
* edge or budget event (those describe the original action, not the
|
|
1477
|
+
* revocation). The durable enforcement authority remains the trust store (§7);
|
|
1478
|
+
* this record is the auditable logbook entry, not the enforcement source.
|
|
1479
|
+
*/
|
|
1480
|
+
export declare function recordActionPassRevocationEvent(input: {
|
|
1481
|
+
revokedRecord: LedgerRecord;
|
|
1482
|
+
revokedBy?: string;
|
|
1483
|
+
reason?: string;
|
|
1484
|
+
occurredAt?: Date;
|
|
1485
|
+
previousLedgerHash?: string | null;
|
|
1486
|
+
}): LedgerRecord;
|
|
1487
|
+
export declare function hashPayload(payload: unknown): string;
|
|
1488
|
+
export declare function hashProvenance(provenance: ActionProvenance): string;
|
|
1489
|
+
export declare function hashAction(action: unknown): string;
|
|
1490
|
+
export declare const GITHUB_NATIVE_CONNECTOR_GOVERNANCE: NativeConnectorGovernanceDescriptor<GitHubNativeConnectorConfig>;
|
|
1491
|
+
export declare const LINEAR_NATIVE_CONNECTOR_GOVERNANCE: NativeConnectorGovernanceDescriptor<LinearNativeConnectorConfig>;
|
|
1492
|
+
export declare const JIRA_NATIVE_CONNECTOR_GOVERNANCE: NativeConnectorGovernanceDescriptor<JiraNativeConnectorConfig>;
|
|
1493
|
+
export declare const POSTGRES_NATIVE_CONNECTOR_GOVERNANCE: NativeConnectorGovernanceDescriptor<PostgresNativeConnectorConfig>;
|
|
1494
|
+
export declare const DRIVE_NATIVE_CONNECTOR_GOVERNANCE: NativeConnectorGovernanceDescriptor<DriveNativeConnectorConfig>;
|
|
1495
|
+
export declare const NATIVE_CONNECTOR_GOVERNANCE_REGISTRY: readonly [NativeConnectorGovernanceDescriptor<{
|
|
1496
|
+
mode: "fake" | "rest" | "app";
|
|
1497
|
+
tokenEnv: string;
|
|
1498
|
+
apiBaseUrl: string;
|
|
1499
|
+
userAgent: string;
|
|
1500
|
+
appIdEnv: string;
|
|
1501
|
+
installationIdEnv: string;
|
|
1502
|
+
privateKeyEnv: string;
|
|
1503
|
+
appId?: string | undefined;
|
|
1504
|
+
installationId?: string | undefined;
|
|
1505
|
+
}>, NativeConnectorGovernanceDescriptor<{
|
|
1506
|
+
mode: "fake" | "graphql";
|
|
1507
|
+
tokenEnv: string;
|
|
1508
|
+
apiUrl: string;
|
|
1509
|
+
}>, NativeConnectorGovernanceDescriptor<{
|
|
1510
|
+
mode: "fake" | "rest";
|
|
1511
|
+
auth: "api_token" | "oauth";
|
|
1512
|
+
tokenEnv: string;
|
|
1513
|
+
emailEnv: string;
|
|
1514
|
+
siteUrl: string;
|
|
1515
|
+
cloudIdEnv: string;
|
|
1516
|
+
cloudId?: string | undefined;
|
|
1517
|
+
}>, NativeConnectorGovernanceDescriptor<{
|
|
1518
|
+
mode: "postgres" | "off";
|
|
1519
|
+
dsnEnv: string;
|
|
1520
|
+
allowedTables: string[];
|
|
1521
|
+
allowedFunctions: string[];
|
|
1522
|
+
requireRls: boolean;
|
|
1523
|
+
maxRows: number;
|
|
1524
|
+
statementTimeoutMs: number;
|
|
1525
|
+
lockTimeoutMs: number;
|
|
1526
|
+
idleTransactionTimeoutMs: number;
|
|
1527
|
+
}>, NativeConnectorGovernanceDescriptor<{
|
|
1528
|
+
mode: "rest" | "off";
|
|
1529
|
+
tokenEnv: string;
|
|
1530
|
+
apiBaseUrl: string;
|
|
1531
|
+
allowedMimeTypes: string[];
|
|
1532
|
+
maxReadBytes: number;
|
|
1533
|
+
selectedFileId?: string | undefined;
|
|
1534
|
+
}>];
|
|
1535
|
+
export declare function providerEvidenceForAction(actionInput: unknown): LedgerProviderEvidence | undefined;
|
|
1536
|
+
export declare function hashJson(value: unknown): string;
|
|
1537
|
+
export declare function stableStringify(value: unknown): string;
|
|
1538
|
+
export declare function computeDpopAccessTokenHash(token: string): string;
|
|
1539
|
+
export declare function normalizeDpopMethod(method: string): string;
|
|
1540
|
+
export declare function normalizeDpopUri(uri: string): string;
|
|
1541
|
+
export declare function actionPassDpopTarget(actionInput: unknown): {
|
|
1542
|
+
method: "POST";
|
|
1543
|
+
uri: string;
|
|
1544
|
+
};
|
|
1545
|
+
export declare function validateApprovalArtifact(artifactInput: unknown, actionInput: unknown, now?: Date): string | null;
|
|
1546
|
+
export declare const AXTARY_DEFAULT_ISSUER = "axtary-dev";
|
|
1547
|
+
export declare const AXTARY_DEFAULT_TENANT = "local";
|
|
1548
|
+
export declare const AXTARY_DEFAULT_RUNTIME = "sdk";
|
|
1549
|
+
/** Flat authorization request — the shape from PRD §8.2. */
|
|
1550
|
+
export type AxtaryAuthorizeRequest = {
|
|
1551
|
+
agent: string;
|
|
1552
|
+
human: string;
|
|
1553
|
+
intent: string;
|
|
1554
|
+
tool: string;
|
|
1555
|
+
resource: string;
|
|
1556
|
+
payload?: Record<string, JsonValue>;
|
|
1557
|
+
/** Agent runtime label; defaults to the instance runtime ("sdk"). */
|
|
1558
|
+
runtime?: string;
|
|
1559
|
+
/** Stable task id for ledger correlation; generated when omitted. */
|
|
1560
|
+
task?: string;
|
|
1561
|
+
/** Tenant; defaults to the instance tenant. */
|
|
1562
|
+
tenant?: string;
|
|
1563
|
+
constraints?: Record<string, JsonValue>;
|
|
1564
|
+
budget?: ActionBudget;
|
|
1565
|
+
toolDefinition?: NormalizedAction["toolDefinition"];
|
|
1566
|
+
provenance?: ActionProvenance;
|
|
1567
|
+
maxDelegationDepth?: number;
|
|
1568
|
+
};
|
|
1569
|
+
export type AxtaryPass = IssueActionPassResult;
|
|
1570
|
+
export type AxtaryAuthorizeResult = {
|
|
1571
|
+
/** Alias of `decision.decision` so `result.status === "allow"` reads cleanly. */
|
|
1572
|
+
status: AxtaryDecision;
|
|
1573
|
+
decision: PolicyDecision;
|
|
1574
|
+
reasons: string[];
|
|
1575
|
+
explanation: PolicyDecisionExplanation;
|
|
1576
|
+
payloadHash: string;
|
|
1577
|
+
action: NormalizedAction;
|
|
1578
|
+
pass: AxtaryPass | null;
|
|
1579
|
+
ledger: LedgerRecord;
|
|
1580
|
+
};
|
|
1581
|
+
export type AxtaryAuthorizeOptions = {
|
|
1582
|
+
policy?: PolicyOptions;
|
|
1583
|
+
approval?: Approval;
|
|
1584
|
+
approvalArtifact?: ApprovalArtifact;
|
|
1585
|
+
now?: Date;
|
|
1586
|
+
};
|
|
1587
|
+
export type AxtaryExecutionOutcome = Omit<LedgerExecutionOutcome, "schemaVersion" | "sideEffectProof"> & {
|
|
1588
|
+
sideEffectProof?: Record<string, JsonValue>;
|
|
1589
|
+
};
|
|
1590
|
+
export type AxtaryRecordInput = {
|
|
1591
|
+
action: AxtaryAuthorizeRequest | NormalizedAction;
|
|
1592
|
+
decision: PolicyDecision;
|
|
1593
|
+
pass?: AxtaryPass | string | null;
|
|
1594
|
+
outcome?: AxtaryExecutionOutcome;
|
|
1595
|
+
correlationId?: string | null;
|
|
1596
|
+
previousLedgerHash?: string | null;
|
|
1597
|
+
};
|
|
1598
|
+
export type AxtaryRevokeOptions = {
|
|
1599
|
+
revokedBy?: string;
|
|
1600
|
+
reason?: string;
|
|
1601
|
+
revokedAt?: Date;
|
|
1602
|
+
};
|
|
1603
|
+
export type AxtaryConfig = {
|
|
1604
|
+
issuer?: string;
|
|
1605
|
+
tenant?: string;
|
|
1606
|
+
runtime?: string;
|
|
1607
|
+
/** Issuer signing key. Omit to use a persistent local dev key (see devKeypair). */
|
|
1608
|
+
signingKey?: SigningKey;
|
|
1609
|
+
signingKeyId?: string;
|
|
1610
|
+
/** Public verification key matching `signingKey`; required for `verify`. */
|
|
1611
|
+
verificationKey?: VerificationKey;
|
|
1612
|
+
algorithm?: SigningAlgorithm;
|
|
1613
|
+
/** Default policy options applied to every authorize call. */
|
|
1614
|
+
policy?: PolicyOptions;
|
|
1615
|
+
/** Override the dev keyring file path used when no signing key is configured. */
|
|
1616
|
+
keyPath?: string;
|
|
1617
|
+
/** Suppress the one-time dev-key warning. */
|
|
1618
|
+
quiet?: boolean;
|
|
1619
|
+
};
|
|
1620
|
+
export declare class Axtary {
|
|
1621
|
+
readonly issuer: string;
|
|
1622
|
+
readonly tenant: string;
|
|
1623
|
+
readonly runtime: string;
|
|
1624
|
+
private readonly defaultPolicy?;
|
|
1625
|
+
private readonly algorithm;
|
|
1626
|
+
private readonly quiet;
|
|
1627
|
+
private readonly configuredSigningKey?;
|
|
1628
|
+
private readonly configuredKeyId?;
|
|
1629
|
+
private readonly configuredVerificationKey?;
|
|
1630
|
+
private readonly keyPath?;
|
|
1631
|
+
private signerPromise?;
|
|
1632
|
+
private ledgerHead;
|
|
1633
|
+
private readonly revocations;
|
|
1634
|
+
constructor(config?: AxtaryConfig);
|
|
1635
|
+
/** Current local ledger head (hash of the last record this instance wrote). */
|
|
1636
|
+
get ledgerHash(): string | null;
|
|
1637
|
+
private resolveSigner;
|
|
1638
|
+
private toNormalizedAction;
|
|
1639
|
+
/**
|
|
1640
|
+
* Decide an action and, for an allow, issue an ActionPass. Always returns a
|
|
1641
|
+
* decision (the policy evaluation is keyless); a deny/step-up returns
|
|
1642
|
+
* `pass: null`. Threads the local ledger head so successive calls chain.
|
|
1643
|
+
*/
|
|
1644
|
+
authorize(request: AxtaryAuthorizeRequest | NormalizedAction, options?: AxtaryAuthorizeOptions): Promise<AxtaryAuthorizeResult>;
|
|
1645
|
+
/**
|
|
1646
|
+
* Verify a previously issued pass against an action. Accepts an authorize
|
|
1647
|
+
* result, a pass object, or a raw token; the action defaults to the result's
|
|
1648
|
+
* action when one is supplied. Fails closed for a pass this instance revoked.
|
|
1649
|
+
*/
|
|
1650
|
+
verify(pass: AxtaryAuthorizeResult | AxtaryPass | string, action?: AxtaryAuthorizeRequest | NormalizedAction): Promise<VerifyActionPassResult>;
|
|
1651
|
+
/**
|
|
1652
|
+
* Append an execution result to the local ledger, chained after the decision
|
|
1653
|
+
* record from `authorize`. Returns the tamper-evident record; durable
|
|
1654
|
+
* persistence is the proxy/CLI's responsibility.
|
|
1655
|
+
*/
|
|
1656
|
+
record(input: AxtaryRecordInput): LedgerRecord;
|
|
1657
|
+
/**
|
|
1658
|
+
* Revoke a pass by id. The revocation is held in this instance so a later
|
|
1659
|
+
* `verify` of that pass fails closed. Durable cross-process revocation is the
|
|
1660
|
+
* CLI/trust-store path (`axtary revoke`).
|
|
1661
|
+
*/
|
|
1662
|
+
revoke(passId: string, options?: AxtaryRevokeOptions): ActionPassRevocation;
|
|
1663
|
+
/** Deterministic, human-readable explanation of a decision (no model call). */
|
|
1664
|
+
explain(decision: PolicyDecision | AxtaryAuthorizeResult): PolicyDecisionExplanation;
|
|
1665
|
+
}
|
|
1666
|
+
/** Create an Axtary SDK instance. */
|
|
1667
|
+
export declare function createAxtary(config?: AxtaryConfig): Axtary;
|
|
1668
|
+
/** Default Axtary SDK instance (PRD §8.2 `import { axtary }`). */
|
|
1669
|
+
export declare const axtary: Axtary;
|
|
1670
|
+
//# sourceMappingURL=index.d.ts.map
|