@canonmsg/core 0.2.2

package/dist/agent-profiles.d.ts

@@ -0,0 +1,21 @@
+/**
+ * Shared agent profile management — loading, locking, and resolution.
+ * Used by both host.ts and server.ts.
+ */
+export interface AgentProfile {
+    apiKey: string;
+    agentId: string;
+    agentName: string;
+    registeredAt: string;
+}
+export declare const CANON_DIR: string;
+export declare const AGENTS_PATH: string;
+export declare const LOCKS_DIR: string;
+export declare function loadProfiles(): Record<string, AgentProfile>;
+export declare function isProcessAlive(pid: number): boolean;
+export declare function isProfileLocked(profile: string): {
+    locked: boolean;
+    pid?: number;
+};
+export declare function acquireLock(profile: string): void;
+export declare function releaseLock(profile: string): void;

package/dist/agent-profiles.js

@@ -0,0 +1,63 @@
+/**
+ * Shared agent profile management — loading, locking, and resolution.
+ * Used by both host.ts and server.ts.
+ */
+import { readFileSync, writeFileSync, unlinkSync, mkdirSync } from 'node:fs';
+import { join } from 'node:path';
+import { homedir } from 'node:os';
+// ── Paths ────────────────────────────────────────────────────────────
+export const CANON_DIR = join(homedir(), '.canon');
+export const AGENTS_PATH = join(CANON_DIR, 'agents.json');
+export const LOCKS_DIR = join(CANON_DIR, 'locks');
+// ── Profile loading ──────────────────────────────────────────────────
+export function loadProfiles() {
+    try {
+        return JSON.parse(readFileSync(AGENTS_PATH, 'utf-8'));
+    }
+    catch {
+        return {};
+    }
+}
+// ── Process locking ──────────────────────────────────────────────────
+export function isProcessAlive(pid) {
+    try {
+        process.kill(pid, 0);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+export function isProfileLocked(profile) {
+    const lockPath = join(LOCKS_DIR, `${profile}.lock`);
+    try {
+        const pid = parseInt(readFileSync(lockPath, 'utf-8').trim());
+        if (isProcessAlive(pid))
+            return { locked: true, pid };
+        // Stale lock — clean it up
+        try {
+            unlinkSync(lockPath);
+        }
+        catch { }
+    }
+    catch {
+        // No lock file
+    }
+    return { locked: false };
+}
+export function acquireLock(profile) {
+    mkdirSync(LOCKS_DIR, { recursive: true });
+    const lockPath = join(LOCKS_DIR, `${profile}.lock`);
+    const check = isProfileLocked(profile);
+    if (check.locked) {
+        throw new Error(`Agent "${profile}" is in use by another session (PID ${check.pid})`);
+    }
+    writeFileSync(lockPath, String(process.pid));
+}
+export function releaseLock(profile) {
+    const lockPath = join(LOCKS_DIR, `${profile}.lock`);
+    try {
+        unlinkSync(lockPath);
+    }
+    catch { }
+}

package/dist/agent-resolver.d.ts

@@ -0,0 +1,29 @@
+/**
+ * Unified agent resolution — resolves Canon agent credentials from
+ * environment variables or ~/.canon/agents.json profiles.
+ *
+ * Used by the Claude Code plugin (host.ts, server.ts) and available
+ * for any future agent integration.
+ *
+ * Resolution order:
+ * 1. CANON_API_KEY env var (highest priority, no lock)
+ * 2. CANON_AGENT env var (named profile with lock)
+ * 3. Auto-select from profiles (first unlocked, with lock)
+ */
+export interface ResolvedAgent {
+    apiKey: string;
+    agentId?: string;
+    profile: string | null;
+}
+/** Get the currently locked profile name (for cleanup on shutdown). */
+export declare function getActiveProfile(): string | null;
+/**
+ * Resolve Canon agent credentials.
+ *
+ * @param opts.logPrefix - Log prefix for console messages (default: '[canon]')
+ * @returns Resolved agent with API key, optional agentId, and profile name
+ * @throws Error if no agent can be resolved
+ */
+export declare function resolveCanonAgent(opts?: {
+    logPrefix?: string;
+}): ResolvedAgent;

package/dist/agent-resolver.js

@@ -0,0 +1,68 @@
+/**
+ * Unified agent resolution — resolves Canon agent credentials from
+ * environment variables or ~/.canon/agents.json profiles.
+ *
+ * Used by the Claude Code plugin (host.ts, server.ts) and available
+ * for any future agent integration.
+ *
+ * Resolution order:
+ * 1. CANON_API_KEY env var (highest priority, no lock)
+ * 2. CANON_AGENT env var (named profile with lock)
+ * 3. Auto-select from profiles (first unlocked, with lock)
+ */
+import { loadProfiles, isProfileLocked, acquireLock, } from './agent-profiles.js';
+let activeResolvedProfile = null;
+/** Get the currently locked profile name (for cleanup on shutdown). */
+export function getActiveProfile() {
+    return activeResolvedProfile;
+}
+/**
+ * Resolve Canon agent credentials.
+ *
+ * @param opts.logPrefix - Log prefix for console messages (default: '[canon]')
+ * @returns Resolved agent with API key, optional agentId, and profile name
+ * @throws Error if no agent can be resolved
+ */
+export function resolveCanonAgent(opts) {
+    const prefix = opts?.logPrefix ?? '[canon]';
+    // 1. Explicit API key (highest priority, no lock)
+    // CANON_API_KEY is set by the host wrapper or user environment.
+    // CANON_PLUGIN_API_KEY is set by plugin.json from user_config.
+    const envKey = process.env.CANON_API_KEY || process.env.CANON_PLUGIN_API_KEY;
+    if (envKey) {
+        return { apiKey: envKey, profile: null };
+    }
+    const profiles = loadProfiles();
+    const names = Object.keys(profiles);
+    // 2. Named profile via env var
+    if (process.env.CANON_AGENT) {
+        const name = process.env.CANON_AGENT;
+        const p = profiles[name];
+        if (!p) {
+            throw new Error(`${prefix} Profile "${name}" not found in ~/.canon/agents.json`);
+        }
+        acquireLock(name);
+        activeResolvedProfile = name;
+        return { apiKey: p.apiKey, agentId: p.agentId, profile: name };
+    }
+    // 3. Auto-select from profiles
+    if (names.length === 0) {
+        throw new Error(`${prefix} No agents registered. Run canon-register first.`);
+    }
+    if (names.length === 1) {
+        const name = names[0];
+        acquireLock(name);
+        activeResolvedProfile = name;
+        return { apiKey: profiles[name].apiKey, agentId: profiles[name].agentId, profile: name };
+    }
+    // Multiple agents — pick first unlocked
+    for (const name of names) {
+        if (!isProfileLocked(name).locked) {
+            acquireLock(name);
+            activeResolvedProfile = name;
+            console.error(`${prefix} Auto-selected agent "${name}" (${profiles[name].agentName})`);
+            return { apiKey: profiles[name].apiKey, agentId: profiles[name].agentId, profile: name };
+        }
+    }
+    throw new Error(`${prefix} All agents are in use by other sessions.`);
+}

package/dist/approval-format.d.ts

@@ -0,0 +1,21 @@
+import type { ApprovalRequestMetadata, ApprovalReplyMetadata, SessionRule } from './approval-types.js';
+export declare function generateApprovalId(): string;
+export declare function redactSecrets(text: string, patterns: string[]): string;
+export declare function buildApprovalRequest(approvalId: string, toolName: string, toolInput: Record<string, unknown>, opts: {
+    riskLevel?: 'normal' | 'destructive';
+    expiresAt: string;
+    redactPatterns?: string[];
+}): {
+    text: string;
+    metadata: ApprovalRequestMetadata;
+};
+export declare function buildApprovalReply(approvalId: string, decision: 'allow' | 'deny', sessionRule?: SessionRule): {
+    text: string;
+    metadata: ApprovalReplyMetadata;
+};
+export declare function buildApprovalOutcome(approvalId: string, toolName: string, toolSummary: string, decision: 'allow' | 'deny', reason: 'replied' | 'timeout' | 'session-rule'): string;
+export declare function parseTextApprovalReply(text: string): {
+    decision: 'allow' | 'deny';
+    sessionRule?: SessionRule;
+    targetApprovalId?: string;
+} | null;

package/dist/approval-format.js

@@ -0,0 +1,148 @@
+// ── ID generation ───────────────────────────────────────────────────
+let seq = 0;
+export function generateApprovalId() {
+    const ts = Date.now().toString(36);
+    const r = Math.random().toString(36).slice(2, 6);
+    return `apr_${ts}${r}${++seq}`;
+}
+// ── Tool input summarisation ────────────────────────────────────────
+function summarizeToolInput(toolName, toolInput) {
+    // Bash: show the command
+    if (toolName === 'Bash' && typeof toolInput.command === 'string') {
+        return toolInput.command;
+    }
+    // Edit/Write: show the file path
+    if ((toolName === 'Edit' || toolName === 'Write') && typeof toolInput.file_path === 'string') {
+        return toolInput.file_path;
+    }
+    // Generic: compact JSON, truncated
+    const json = JSON.stringify(toolInput);
+    return json.length > 200 ? json.slice(0, 200) + '...' : json;
+}
+// ── Redaction ───────────────────────────────────────────────────────
+export function redactSecrets(text, patterns) {
+    let result = text;
+    for (const pat of patterns) {
+        result = result.replace(new RegExp(pat, 'gi'), '[REDACTED]');
+    }
+    return result;
+}
+// ── Build approval request message ──────────────────────────────────
+export function buildApprovalRequest(approvalId, toolName, toolInput, opts) {
+    let summary = summarizeToolInput(toolName, toolInput);
+    if (opts.redactPatterns?.length) {
+        summary = redactSecrets(summary, opts.redactPatterns);
+    }
+    const timeoutMin = Math.round((new Date(opts.expiresAt).getTime() - Date.now()) / 60_000);
+    const lines = [
+        `Tool Approval Required [${approvalId}]`,
+        '',
+        `Tool: ${toolName}`,
+        summary,
+        '',
+    ];
+    if (opts.riskLevel === 'destructive') {
+        lines.push('This is a destructive operation');
+        lines.push('');
+    }
+    lines.push(`Reply "approve" or "deny" (expires in ${timeoutMin}m)`);
+    const metadata = {
+        type: 'approval_request',
+        approvalId,
+        toolName,
+        toolSummary: summary,
+        riskLevel: opts.riskLevel ?? 'normal',
+        expiresAt: opts.expiresAt,
+    };
+    return { text: lines.join('\n'), metadata };
+}
+// ── Build approval reply message (used by app) ─────────────────────
+export function buildApprovalReply(approvalId, decision, sessionRule) {
+    const label = decision === 'allow' ? 'Approved' : 'Denied';
+    return {
+        text: label,
+        metadata: {
+            type: 'approval_reply',
+            approvalId,
+            decision,
+            ...(sessionRule ? { sessionRule } : {}),
+        },
+    };
+}
+// ── Build outcome confirmation message ──────────────────────────────
+export function buildApprovalOutcome(approvalId, toolName, toolSummary, decision, reason) {
+    const icon = decision === 'allow' ? 'Approved' : 'Denied';
+    const short = toolSummary.length > 60 ? toolSummary.slice(0, 60) + '...' : toolSummary;
+    if (reason === 'timeout') {
+        return `Expired [${approvalId}] -- ${toolName}: ${short} (auto-denied)`;
+    }
+    if (reason === 'session-rule') {
+        return `Auto-approved (session rule) -- ${toolName}: ${short}`;
+    }
+    return `${icon} [${approvalId}] -- ${toolName}: ${short}`;
+}
+// ── Parse text-based approval reply (fallback for non-card UIs) ─────
+const ALLOW_WORDS = new Set([
+    'approve', 'approved', 'allow', 'yes', 'y', 'ok', 'go', 'do it', 'go ahead',
+]);
+const DENY_WORDS = new Set([
+    'deny', 'denied', 'reject', 'no', 'n', 'nope', 'stop', "don't",
+]);
+export function parseTextApprovalReply(text) {
+    const trimmed = text.trim().toLowerCase();
+    if (!trimmed)
+        return null;
+    // "approve apr_xxxxx" or "deny apr_xxxxx" — target specific approval
+    const idMatch = trimmed.match(/^(approve|deny|allow|reject)\s+(apr_\w+)$/);
+    if (idMatch) {
+        const decision = idMatch[1] === 'deny' || idMatch[1] === 'reject' ? 'deny' : 'allow';
+        return { decision, targetApprovalId: idMatch[2] };
+    }
+    // "approve all for Xm" — time-limited blanket
+    const timeMatch = trimmed.match(/^approve\s+all\s+for\s+(\d+)\s*m(?:in(?:utes?)?)?$/);
+    if (timeMatch) {
+        const minutes = parseInt(timeMatch[1], 10);
+        return {
+            decision: 'allow',
+            sessionRule: {
+                type: 'approve-all',
+                expiresAt: new Date(Date.now() + minutes * 60_000).toISOString(),
+            },
+        };
+    }
+    // "approve all <ToolName>" — per-tool blanket
+    const toolMatch = trimmed.match(/^approve\s+all\s+(\w+)$/);
+    if (toolMatch && toolMatch[1] !== 'for') {
+        return {
+            decision: 'allow',
+            sessionRule: {
+                type: 'approve-tool',
+                toolPattern: toolMatch[1],
+            },
+        };
+    }
+    // "deny all <ToolName>"
+    const denyToolMatch = trimmed.match(/^deny\s+all\s+(\w+)$/);
+    if (denyToolMatch) {
+        return {
+            decision: 'deny',
+            sessionRule: {
+                type: 'deny-tool',
+                toolPattern: denyToolMatch[1],
+            },
+        };
+    }
+    // "approve all" — session blanket
+    if (trimmed === 'approve all' || trimmed === 'allow all') {
+        return {
+            decision: 'allow',
+            sessionRule: { type: 'approve-all' },
+        };
+    }
+    // Simple allow/deny words
+    if (ALLOW_WORDS.has(trimmed))
+        return { decision: 'allow' };
+    if (DENY_WORDS.has(trimmed))
+        return { decision: 'deny' };
+    return null;
+}

package/dist/approval-manager.d.ts

@@ -0,0 +1,51 @@
+import type { CanonClient } from './client.js';
+import type { ApprovalConfig, ApprovalResult, SessionRule } from './approval-types.js';
+/**
+ * Platform-agnostic approval protocol for Canon.
+ *
+ * Manages the lifecycle of tool approval requests:
+ * send request → wait for reply → resolve with decision.
+ *
+ * Session rules allow the owner to blanket-approve categories of tools.
+ */
+export declare class ApprovalManager {
+    private client;
+    private agentId;
+    private ownerId;
+    private config;
+    /** Pending approvals keyed by approvalId */
+    private pending;
+    /** Active session rules */
+    private rules;
+    constructor(client: CanonClient, agentId: string, ownerId: string, config?: Partial<ApprovalConfig>);
+    /**
+     * Request approval for a tool call.
+     *
+     * 1. Checks session rules — may resolve immediately.
+     * 2. Sends a message with approval card metadata.
+     * 3. Waits for the owner's reply (or timeout).
+     */
+    requestApproval(conversationId: string, toolName: string, toolInput: Record<string, unknown>, opts?: {
+        riskLevel?: 'normal' | 'destructive';
+    }): Promise<ApprovalResult>;
+    /**
+     * Feed an inbound message to the approval manager.
+     * Returns true if the message was consumed as an approval reply.
+     */
+    handleMessage(conversationId: string, message: {
+        senderId: string;
+        text?: string;
+        metadata?: Record<string, unknown>;
+    }): boolean;
+    /** Check if a tool would be auto-resolved by a session rule */
+    checkSessionRules(toolName: string): SessionRule | null;
+    getSessionRules(): SessionRule[];
+    clearSessionRules(): void;
+    get pendingCount(): number;
+    dispose(): void;
+    private resolveApproval;
+    private findMostRecentPending;
+    private pruneExpiredRules;
+    private summarizeTool;
+    private describeRule;
+}

package/dist/approval-manager.js

@@ -0,0 +1,225 @@
+import { DEFAULT_APPROVAL_CONFIG } from './approval-types.js';
+import { generateApprovalId, buildApprovalRequest, buildApprovalOutcome, parseTextApprovalReply, } from './approval-format.js';
+// ── ApprovalManager ─────────────────────────────────────────────────
+/**
+ * Platform-agnostic approval protocol for Canon.
+ *
+ * Manages the lifecycle of tool approval requests:
+ * send request → wait for reply → resolve with decision.
+ *
+ * Session rules allow the owner to blanket-approve categories of tools.
+ */
+export class ApprovalManager {
+    client;
+    agentId;
+    ownerId;
+    config;
+    /** Pending approvals keyed by approvalId */
+    pending = new Map();
+    /** Active session rules */
+    rules = [];
+    constructor(client, agentId, ownerId, config) {
+        this.client = client;
+        this.agentId = agentId;
+        this.ownerId = ownerId;
+        this.config = { ...DEFAULT_APPROVAL_CONFIG, ...config };
+    }
+    // ── Public API ────────────────────────────────────────────────────
+    /**
+     * Request approval for a tool call.
+     *
+     * 1. Checks session rules — may resolve immediately.
+     * 2. Sends a message with approval card metadata.
+     * 3. Waits for the owner's reply (or timeout).
+     */
+    async requestApproval(conversationId, toolName, toolInput, opts) {
+        // Check session rules first
+        const matchingRule = this.checkSessionRules(toolName);
+        if (matchingRule) {
+            const decision = matchingRule.type === 'deny-tool' ? 'deny' : 'allow';
+            // Send silent log (fire-and-forget)
+            const summary = this.summarizeTool(toolName, toolInput);
+            const logMsg = buildApprovalOutcome('', toolName, summary, decision, 'session-rule');
+            this.client.sendMessage(conversationId, logMsg, {
+                metadata: { type: 'approval_outcome' },
+            }).catch(() => { });
+            return { decision };
+        }
+        const approvalId = generateApprovalId();
+        const expiresAt = new Date(Date.now() + this.config.timeoutSeconds * 1000).toISOString();
+        const { text, metadata } = buildApprovalRequest(approvalId, toolName, toolInput, {
+            riskLevel: opts?.riskLevel,
+            expiresAt,
+            redactPatterns: this.config.redactPatterns,
+        });
+        // Send the approval request message with metadata
+        // Spread to satisfy Record<string, unknown> without double cast
+        await this.client.sendMessage(conversationId, text, {
+            metadata: { ...metadata },
+        });
+        // Wait for reply or timeout
+        return new Promise((resolve) => {
+            const timer = setTimeout(() => {
+                this.pending.delete(approvalId);
+                const summary = this.summarizeTool(toolName, toolInput);
+                const msg = buildApprovalOutcome(approvalId, toolName, summary, 'deny', 'timeout');
+                this.client.sendMessage(conversationId, msg, {
+                    metadata: { type: 'approval_outcome' },
+                }).catch(() => { });
+                resolve({ decision: 'deny' });
+            }, this.config.timeoutSeconds * 1000);
+            this.pending.set(approvalId, {
+                approvalId,
+                conversationId,
+                toolName,
+                toolSummary: this.summarizeTool(toolName, toolInput),
+                resolve,
+                timer,
+            });
+        });
+    }
+    /**
+     * Feed an inbound message to the approval manager.
+     * Returns true if the message was consumed as an approval reply.
+     */
+    handleMessage(conversationId, message) {
+        // Only accept messages from the owner
+        if (message.senderId !== this.ownerId)
+            return false;
+        if (this.pending.size === 0)
+            return false;
+        // Try structured metadata first (from card UI)
+        if (message.metadata?.type === 'approval_reply') {
+            const m = message.metadata;
+            const approvalId = m.approvalId;
+            const decision = m.decision;
+            const sessionRule = m.sessionRule;
+            return this.resolveApproval(approvalId, decision, sessionRule, conversationId);
+        }
+        // Fall back to text parsing
+        if (message.text) {
+            const parsed = parseTextApprovalReply(message.text);
+            if (!parsed)
+                return false;
+            // If the user targeted a specific approval ID
+            if (parsed.targetApprovalId) {
+                return this.resolveApproval(parsed.targetApprovalId, parsed.decision, parsed.sessionRule, conversationId);
+            }
+            // Otherwise match the most recent pending in this conversation
+            const pending = this.findMostRecentPending(conversationId);
+            if (!pending)
+                return false;
+            return this.resolveApproval(pending.approvalId, parsed.decision, parsed.sessionRule, conversationId);
+        }
+        return false;
+    }
+    /** Check if a tool would be auto-resolved by a session rule */
+    checkSessionRules(toolName) {
+        this.pruneExpiredRules();
+        for (const rule of this.rules) {
+            if (rule.type === 'approve-all')
+                return rule;
+            if ((rule.type === 'approve-tool' || rule.type === 'deny-tool') &&
+                rule.toolPattern) {
+                const re = new RegExp(`^${rule.toolPattern}$`, 'i');
+                if (re.test(toolName))
+                    return rule;
+            }
+        }
+        return null;
+    }
+    getSessionRules() {
+        this.pruneExpiredRules();
+        return [...this.rules];
+    }
+    clearSessionRules() {
+        this.rules = [];
+    }
+    get pendingCount() {
+        return this.pending.size;
+    }
+    dispose() {
+        for (const p of this.pending.values()) {
+            clearTimeout(p.timer);
+        }
+        this.pending.clear();
+        this.rules = [];
+    }
+    // ── Private helpers ───────────────────────────────────────────────
+    resolveApproval(approvalId, decision, sessionRule, conversationId) {
+        const entry = this.pending.get(approvalId);
+        if (!entry) {
+            // No exact match — try most recent
+            if (approvalId && this.pending.size > 0) {
+                return false;
+            }
+            return false;
+        }
+        clearTimeout(entry.timer);
+        this.pending.delete(approvalId);
+        // Store session rule if provided
+        if (sessionRule) {
+            this.rules.push(sessionRule);
+        }
+        // Send confirmation (fire-and-forget)
+        const msg = buildApprovalOutcome(approvalId, entry.toolName, entry.toolSummary, decision, 'replied');
+        this.client.sendMessage(conversationId, msg, {
+            metadata: { type: 'approval_outcome' },
+        }).catch(() => { });
+        // If session rule was set, log that too
+        if (sessionRule) {
+            const ruleDesc = this.describeRule(sessionRule);
+            this.client
+                .sendMessage(conversationId, `Session rule set: ${ruleDesc}`, {
+                metadata: { type: 'approval_outcome' },
+            })
+                .catch(() => { });
+        }
+        entry.resolve({ decision, sessionRule });
+        return true;
+    }
+    findMostRecentPending(conversationId) {
+        let latest = null;
+        for (const p of this.pending.values()) {
+            if (p.conversationId === conversationId) {
+                latest = p; // Map iterates in insertion order, so last = most recent
+            }
+        }
+        return latest;
+    }
+    pruneExpiredRules() {
+        const now = Date.now();
+        this.rules = this.rules.filter((r) => {
+            if (!r.expiresAt)
+                return true;
+            return new Date(r.expiresAt).getTime() > now;
+        });
+    }
+    summarizeTool(toolName, toolInput) {
+        if (toolName === 'Bash' && typeof toolInput.command === 'string') {
+            return toolInput.command;
+        }
+        if ((toolName === 'Edit' || toolName === 'Write') &&
+            typeof toolInput.file_path === 'string') {
+            return toolInput.file_path;
+        }
+        const json = JSON.stringify(toolInput);
+        return json.length > 100 ? json.slice(0, 100) + '...' : json;
+    }
+    describeRule(rule) {
+        if (rule.type === 'approve-all') {
+            if (rule.expiresAt) {
+                const min = Math.round((new Date(rule.expiresAt).getTime() - Date.now()) / 60_000);
+                return `auto-approving all tools for ${min}m`;
+            }
+            return 'auto-approving all tools for this session';
+        }
+        if (rule.type === 'approve-tool') {
+            return `auto-approving all ${rule.toolPattern} commands`;
+        }
+        if (rule.type === 'deny-tool') {
+            return `auto-denying all ${rule.toolPattern} commands`;
+        }
+        return 'unknown rule';
+    }
+}

package/dist/approval-types.d.ts

@@ -0,0 +1,33 @@
+export interface ApprovalRequestMetadata {
+    type: 'approval_request';
+    approvalId: string;
+    toolName: string;
+    /** Pre-computed, redacted summary — raw toolInput is never stored */
+    toolSummary: string;
+    riskLevel?: 'normal' | 'destructive';
+    expiresAt: string;
+}
+export interface ApprovalReplyMetadata {
+    type: 'approval_reply';
+    approvalId: string;
+    decision: 'allow' | 'deny';
+    sessionRule?: SessionRule;
+}
+export interface SessionRule {
+    type: 'approve-all' | 'approve-tool' | 'deny-tool';
+    /** Tool name pattern (regex) — only for approve-tool/deny-tool */
+    toolPattern?: string;
+    /** When this rule expires (ISO 8601), null = session lifetime */
+    expiresAt?: string | null;
+}
+export interface ApprovalResult {
+    decision: 'allow' | 'deny';
+    sessionRule?: SessionRule;
+}
+export interface ApprovalConfig {
+    enabled: boolean;
+    timeoutSeconds: number;
+    defaultOnTimeout: 'deny' | 'ask';
+    redactPatterns: string[];
+}
+export declare const DEFAULT_APPROVAL_CONFIG: ApprovalConfig;

package/dist/approval-types.js

@@ -0,0 +1,9 @@
+// ── Approval request metadata (attached to agent's message) ─────────
+export const DEFAULT_APPROVAL_CONFIG = {
+    enabled: true,
+    timeoutSeconds: 300,
+    defaultOnTimeout: 'deny',
+    redactPatterns: [
+        '(?:api[_-]?key|token|secret|password)\\s*[:=]\\s*\\S+',
+    ],
+};