@clawbureau/clawverify-core 0.1.0 → 0.2.0

package/dist/hashcash.js

@@ -0,0 +1,97 @@
+/**
+ * hashcash.ts — Proof-of-Work for VaaS DoS protection
+ *
+ * Red Team Fix #8: Requires unauthenticated API callers to present a
+ * valid PoW token, making volumetric DoS economically infeasible.
+ *
+ * Uses WebCrypto (crypto.subtle) for Cloudflare Workers compatibility.
+ *
+ * Challenge format: `${dateHourUTC}:${clientIdentifier}`
+ * The client must find a nonce such that SHA-256(challenge + ":" + nonce)
+ * has `difficulty` leading zero hex characters.
+ *
+ * Default difficulty: 4 (approx 65,536 attempts, ~100ms on modern hardware).
+ */
+/** Default number of leading zero hex chars required. */
+export const DEFAULT_POW_DIFFICULTY = 4;
+/**
+ * Generate the current date-hour challenge component.
+ * Format: YYYYMMDDHH (UTC).
+ */
+export function getDateHourUTC(date) {
+    const d = date ?? new Date();
+    const year = d.getUTCFullYear();
+    const month = String(d.getUTCMonth() + 1).padStart(2, '0');
+    const day = String(d.getUTCDate()).padStart(2, '0');
+    const hour = String(d.getUTCHours()).padStart(2, '0');
+    return `${year}${month}${day}${hour}`;
+}
+/**
+ * Build a challenge string from the date-hour and client identifier.
+ */
+export function buildChallenge(clientIdentifier, date) {
+    return `${getDateHourUTC(date)}:${clientIdentifier}`;
+}
+/**
+ * Compute SHA-256 of a string and return hex digest.
+ * Uses WebCrypto for CF Workers compatibility.
+ */
+async function sha256Hex(input) {
+    const data = new TextEncoder().encode(input);
+    const hashBuffer = await crypto.subtle.digest('SHA-256', data);
+    const hashArray = new Uint8Array(hashBuffer);
+    return Array.from(hashArray)
+        .map((b) => b.toString(16).padStart(2, '0'))
+        .join('');
+}
+/**
+ * Check if a hex string has the required number of leading zero characters.
+ */
+function hasLeadingZeros(hex, difficulty) {
+    if (hex.length < difficulty)
+        return false;
+    for (let i = 0; i < difficulty; i++) {
+        if (hex[i] !== '0')
+            return false;
+    }
+    return true;
+}
+/**
+ * Find a nonce such that SHA-256(challenge + ":" + nonce) has `difficulty`
+ * leading zero hex characters.
+ *
+ * @param challenge  The challenge string (e.g. "2026021223:192.168.1.1")
+ * @param difficulty Number of leading zero hex chars required (default: 4)
+ * @returns          The nonce string that satisfies the PoW
+ */
+export async function generatePoW(challenge, difficulty = DEFAULT_POW_DIFFICULTY) {
+    if (difficulty < 1 || difficulty > 16) {
+        throw new Error(`PoW difficulty must be between 1 and 16, got ${difficulty}`);
+    }
+    for (let nonce = 0;; nonce++) {
+        const candidate = `${challenge}:${nonce}`;
+        const hex = await sha256Hex(candidate);
+        if (hasLeadingZeros(hex, difficulty)) {
+            return String(nonce);
+        }
+    }
+}
+/**
+ * Verify that a nonce satisfies the PoW requirement.
+ *
+ * @param challenge  The challenge string
+ * @param nonce      The claimed nonce
+ * @param difficulty Number of leading zero hex chars required (default: 4)
+ * @returns          true if the PoW is valid
+ */
+export async function verifyPoW(challenge, nonce, difficulty = DEFAULT_POW_DIFFICULTY) {
+    if (difficulty < 1 || difficulty > 16)
+        return false;
+    // Reject non-numeric or excessively long nonces
+    if (!/^\d{1,15}$/.test(nonce))
+        return false;
+    const candidate = `${challenge}:${nonce}`;
+    const hex = await sha256Hex(candidate);
+    return hasLeadingZeros(hex, difficulty);
+}
+//# sourceMappingURL=hashcash.js.map

package/dist/hashcash.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"hashcash.js","sourceRoot":"","sources":["../src/hashcash.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,yDAAyD;AACzD,MAAM,CAAC,MAAM,sBAAsB,GAAG,CAAC,CAAC;AAExC;;;GAGG;AACH,MAAM,UAAU,cAAc,CAAC,IAAW;IACxC,MAAM,CAAC,GAAG,IAAI,IAAI,IAAI,IAAI,EAAE,CAAC;IAC7B,MAAM,IAAI,GAAG,CAAC,CAAC,cAAc,EAAE,CAAC;IAChC,MAAM,KAAK,GAAG,MAAM,CAAC,CAAC,CAAC,WAAW,EAAE,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IAC3D,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,CAAC,UAAU,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IACpD,MAAM,IAAI,GAAG,MAAM,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IACtD,OAAO,GAAG,IAAI,GAAG,KAAK,GAAG,GAAG,GAAG,IAAI,EAAE,CAAC;AACxC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAC5B,gBAAwB,EACxB,IAAW;IAEX,OAAO,GAAG,cAAc,CAAC,IAAI,CAAC,IAAI,gBAAgB,EAAE,CAAC;AACvD,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,SAAS,CAAC,KAAa;IACpC,MAAM,IAAI,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAC7C,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;IAC/D,MAAM,SAAS,GAAG,IAAI,UAAU,CAAC,UAAU,CAAC,CAAC;IAC7C,OAAO,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC;SACzB,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;SAC3C,IAAI,CAAC,EAAE,CAAC,CAAC;AACd,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,GAAW,EAAE,UAAkB;IACtD,IAAI,GAAG,CAAC,MAAM,GAAG,UAAU;QAAE,OAAO,KAAK,CAAC;IAC1C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,UAAU,EAAE,CAAC,EAAE,EAAE,CAAC;QACpC,IAAI,GAAG,CAAC,CAAC,CAAC,KAAK,GAAG;YAAE,OAAO,KAAK,CAAC;IACnC,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,SAAiB,EACjB,aAAqB,sBAAsB;IAE3C,IAAI,UAAU,GAAG,CAAC,IAAI,UAAU,GAAG,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,KAAK,CACb,gDAAgD,UAAU,EAAE,CAC7D,CAAC;IACJ,CAAC;IAED,KAAK,IAAI,KAAK,GAAG,CAAC,GAAI,KAAK,EAAE,EAAE,CAAC;QAC9B,MAAM,SAAS,GAAG,GAAG,SAAS,IAAI,KAAK,EAAE,CAAC;QAC1C,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,SAAS,CAAC,CAAC;QACvC,IAAI,eAAe,CAAC,GAAG,EAAE,UAAU,CAAC,EAAE,CAAC;YACrC,OAAO,MAAM,CAAC,KAAK,CAAC,CAAC;QACvB,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,SAAiB,EACjB,KAAa,EACb,aAAqB,sBAAsB;IAE3C,IAAI,UAAU,GAAG,CAAC,IAAI,UAAU,GAAG,EAAE;QAAE,OAAO,KAAK,CAAC;IAEpD,gDAAgD;IAChD,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAE5C,MAAM,SAAS,GAAG,GAAG,SAAS,IAAI,KAAK,EAAE,CAAC;IAC1C,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,SAAS,CAAC,CAAC;IACvC,OAAO,eAAe,CAAC,GAAG,EAAE,UAAU,CAAC,CAAC;AAC1C,CAAC"}

package/dist/index.d.ts

@@ -24,4 +24,14 @@ export { verifyAuditResultAttestation } from './verify-audit-result-attestation.
 export { verifyLogInclusionProof } from './verify-log-inclusion-proof.js';
 export { base64UrlDecode, base64UrlEncode, computeHash, extractPublicKeyFromDidKey, verifySignature, } from './crypto.js';
 export { jcsCanonicalize } from './jcs.js';
+export { mapToSOC2, mapToISO27001, mapToEUAIAct, generateComplianceReport, } from './compliance.js';
+export type { ComplianceFramework, ControlStatus, EvidenceType, ControlResult, ComplianceGap, ComplianceReport, ComplianceBundleInput, CompliancePolicyInput, } from './compliance.js';
+export { evaluatePolicy, evaluatePolicyBatch, convertV1toV2, } from './policy-evaluator.js';
+export type { WPCv1, WPCv2, WPC, PolicyStatement, PolicyConditions, ConditionMap, PolicyContext, PolicyDecision, PolicyDecisionEffect, PolicyResolver, } from './policy-evaluator.js';
+export { verifyCausalIntegrity } from './verify-causal-integrity.js';
+export type { CausalIntegrityBundleInput, CausalIntegritySeverity, CausalIntegrityFinding, CausalIntegrityResult, } from './verify-causal-integrity.js';
+export { generatePoW, verifyPoW, buildChallenge, getDateHourUTC, DEFAULT_POW_DIFFICULTY, } from './hashcash.js';
+export { computeBadgeStatus } from './badge-health.js';
+export type { BadgeColor, BadgeStats, BadgeStatus, } from './badge-health.js';
+export { compileSemanticTrace } from './trace-compiler.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,cAAc,YAAY,CAAC;AAE3B,OAAO,EAAE,iBAAiB,EAAE,MAAM,0BAA0B,CAAC;AAC7D,YAAY,EAAE,0BAA0B,EAAE,MAAM,0BAA0B,CAAC;AAE3E,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAC/D,YAAY,EAAE,yBAAyB,EAAE,MAAM,2BAA2B,CAAC;AAE3E,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,YAAY,EAAE,sBAAsB,EAAE,MAAM,qBAAqB,CAAC;AAElE,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAE3D,OAAO,EAAE,0BAA0B,EAAE,MAAM,mCAAmC,CAAC;AAC/E,OAAO,EAAE,2BAA2B,EAAE,MAAM,oCAAoC,CAAC;AACjF,OAAO,EAAE,4BAA4B,EAAE,MAAM,sCAAsC,CAAC;AACpF,OAAO,EAAE,uBAAuB,EAAE,MAAM,iCAAiC,CAAC;AAE1E,OAAO,EACL,eAAe,EACf,eAAe,EACf,WAAW,EACX,0BAA0B,EAC1B,eAAe,GAChB,MAAM,aAAa,CAAC;AAErB,OAAO,EAAE,eAAe,EAAE,MAAM,UAAU,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,cAAc,YAAY,CAAC;AAE3B,OAAO,EAAE,iBAAiB,EAAE,MAAM,0BAA0B,CAAC;AAC7D,YAAY,EAAE,0BAA0B,EAAE,MAAM,0BAA0B,CAAC;AAE3E,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAC/D,YAAY,EAAE,yBAAyB,EAAE,MAAM,2BAA2B,CAAC;AAE3E,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,YAAY,EAAE,sBAAsB,EAAE,MAAM,qBAAqB,CAAC;AAElE,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAE3D,OAAO,EAAE,0BAA0B,EAAE,MAAM,mCAAmC,CAAC;AAC/E,OAAO,EAAE,2BAA2B,EAAE,MAAM,oCAAoC,CAAC;AACjF,OAAO,EAAE,4BAA4B,EAAE,MAAM,sCAAsC,CAAC;AACpF,OAAO,EAAE,uBAAuB,EAAE,MAAM,iCAAiC,CAAC;AAE1E,OAAO,EACL,eAAe,EACf,eAAe,EACf,WAAW,EACX,0BAA0B,EAC1B,eAAe,GAChB,MAAM,aAAa,CAAC;AAErB,OAAO,EAAE,eAAe,EAAE,MAAM,UAAU,CAAC;AAE3C,OAAO,EACL,SAAS,EACT,aAAa,EACb,YAAY,EACZ,wBAAwB,GACzB,MAAM,iBAAiB,CAAC;AACzB,YAAY,EACV,mBAAmB,EACnB,aAAa,EACb,YAAY,EACZ,aAAa,EACb,aAAa,EACb,gBAAgB,EAChB,qBAAqB,EACrB,qBAAqB,GACtB,MAAM,iBAAiB,CAAC;AAEzB,OAAO,EACL,cAAc,EACd,mBAAmB,EACnB,aAAa,GACd,MAAM,uBAAuB,CAAC;AAC/B,YAAY,EACV,KAAK,EACL,KAAK,EACL,GAAG,EACH,eAAe,EACf,gBAAgB,EAChB,YAAY,EACZ,aAAa,EACb,cAAc,EACd,oBAAoB,EACpB,cAAc,GACf,MAAM,uBAAuB,CAAC;AAG/B,OAAO,EAAE,qBAAqB,EAAE,MAAM,8BAA8B,CAAC;AACrE,YAAY,EACV,0BAA0B,EAC1B,uBAAuB,EACvB,sBAAsB,EACtB,qBAAqB,GACtB,MAAM,8BAA8B,CAAC;AAGtC,OAAO,EACL,WAAW,EACX,SAAS,EACT,cAAc,EACd,cAAc,EACd,sBAAsB,GACvB,MAAM,eAAe,CAAC;AAGvB,OAAO,EAAE,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AACvD,YAAY,EACV,UAAU,EACV,UAAU,EACV,WAAW,GACZ,MAAM,mBAAmB,CAAC;AAG3B,OAAO,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC"}

package/dist/index.js

@@ -21,4 +21,14 @@ export { verifyAuditResultAttestation } from './verify-audit-result-attestation.
 export { verifyLogInclusionProof } from './verify-log-inclusion-proof.js';
 export { base64UrlDecode, base64UrlEncode, computeHash, extractPublicKeyFromDidKey, verifySignature, } from './crypto.js';
 export { jcsCanonicalize } from './jcs.js';
+export { mapToSOC2, mapToISO27001, mapToEUAIAct, generateComplianceReport, } from './compliance.js';
+export { evaluatePolicy, evaluatePolicyBatch, convertV1toV2, } from './policy-evaluator.js';
+// Red Team Fix #11: TOCTOU causal integrity verification
+export { verifyCausalIntegrity } from './verify-causal-integrity.js';
+// Red Team Fix #8: Hashcash PoW for VaaS DoS protection
+export { generatePoW, verifyPoW, buildChallenge, getDateHourUTC, DEFAULT_POW_DIFFICULTY, } from './hashcash.js';
+// Red Team Fix #9: Heartbeat Badge status computation
+export { computeBadgeStatus } from './badge-health.js';
+// Sentinel trace compiler
+export { compileSemanticTrace } from './trace-compiler.js';
 //# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,cAAc,YAAY,CAAC;AAE3B,OAAO,EAAE,iBAAiB,EAAE,MAAM,0BAA0B,CAAC;AAG7D,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAG/D,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAGpD,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAE3D,OAAO,EAAE,0BAA0B,EAAE,MAAM,mCAAmC,CAAC;AAC/E,OAAO,EAAE,2BAA2B,EAAE,MAAM,oCAAoC,CAAC;AACjF,OAAO,EAAE,4BAA4B,EAAE,MAAM,sCAAsC,CAAC;AACpF,OAAO,EAAE,uBAAuB,EAAE,MAAM,iCAAiC,CAAC;AAE1E,OAAO,EACL,eAAe,EACf,eAAe,EACf,WAAW,EACX,0BAA0B,EAC1B,eAAe,GAChB,MAAM,aAAa,CAAC;AAErB,OAAO,EAAE,eAAe,EAAE,MAAM,UAAU,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,cAAc,YAAY,CAAC;AAE3B,OAAO,EAAE,iBAAiB,EAAE,MAAM,0BAA0B,CAAC;AAG7D,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAG/D,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAGpD,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAE3D,OAAO,EAAE,0BAA0B,EAAE,MAAM,mCAAmC,CAAC;AAC/E,OAAO,EAAE,2BAA2B,EAAE,MAAM,oCAAoC,CAAC;AACjF,OAAO,EAAE,4BAA4B,EAAE,MAAM,sCAAsC,CAAC;AACpF,OAAO,EAAE,uBAAuB,EAAE,MAAM,iCAAiC,CAAC;AAE1E,OAAO,EACL,eAAe,EACf,eAAe,EACf,WAAW,EACX,0BAA0B,EAC1B,eAAe,GAChB,MAAM,aAAa,CAAC;AAErB,OAAO,EAAE,eAAe,EAAE,MAAM,UAAU,CAAC;AAE3C,OAAO,EACL,SAAS,EACT,aAAa,EACb,YAAY,EACZ,wBAAwB,GACzB,MAAM,iBAAiB,CAAC;AAYzB,OAAO,EACL,cAAc,EACd,mBAAmB,EACnB,aAAa,GACd,MAAM,uBAAuB,CAAC;AAc/B,yDAAyD;AACzD,OAAO,EAAE,qBAAqB,EAAE,MAAM,8BAA8B,CAAC;AAQrE,wDAAwD;AACxD,OAAO,EACL,WAAW,EACX,SAAS,EACT,cAAc,EACd,cAAc,EACd,sBAAsB,GACvB,MAAM,eAAe,CAAC;AAEvB,sDAAsD;AACtD,OAAO,EAAE,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AAOvD,0BAA0B;AAC1B,OAAO,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC"}

package/dist/policy-evaluator.d.ts

@@ -0,0 +1,119 @@
+/**
+ * WPC v2 Policy Evaluator — IAM-style policy engine.
+ *
+ * Evaluation rules (matching AWS IAM semantics):
+ * 1. Default deny: if no statement explicitly allows, the action is denied.
+ * 2. Explicit Deny always wins over Allow.
+ * 3. Strict Intersection: when `inherits` is set, parent AND child must both allow.
+ *
+ * Pure TypeScript, zero external dependencies, deterministic, offline.
+ * Designed to run in Cloudflare Workers (<5ms for 20 statements).
+ */
+/** WPC v1 schema (for backward compatibility). */
+export interface WPCv1 {
+    policy_version: '1';
+    policy_id: string;
+    issuer_did: string;
+    allowed_providers?: string[];
+    allowed_models?: string[];
+    minimum_model_identity_tier?: string;
+    egress_allowlist?: string[];
+    redaction_rules?: unknown[];
+    receipt_privacy_mode?: string;
+    required_audit_packs?: string[];
+    metadata?: Record<string, unknown>;
+}
+/** Condition operator map: context-key -> expected value. */
+export type ConditionMap = Record<string, string>;
+/** Condition operators supported by the evaluator. */
+export interface PolicyConditions {
+    StringEquals?: ConditionMap;
+    StringNotEquals?: ConditionMap;
+    StringLike?: ConditionMap;
+    StringNotLike?: ConditionMap;
+    NumericEquals?: ConditionMap;
+    NumericLessThan?: ConditionMap;
+    NumericGreaterThan?: ConditionMap;
+    Bool?: ConditionMap;
+    IpAddress?: ConditionMap;
+}
+/** A single IAM-style policy statement. */
+export interface PolicyStatement {
+    sid: string;
+    effect: 'Allow' | 'Deny';
+    actions: string[];
+    resources: string[];
+    conditions?: PolicyConditions;
+}
+/** WPC v2 schema. */
+export interface WPCv2 {
+    policy_version: '2';
+    policy_id: string;
+    issuer_did: string;
+    inherits?: string;
+    statements: PolicyStatement[];
+    metadata?: Record<string, unknown>;
+}
+/** Union type for any WPC version. */
+export type WPC = WPCv1 | WPCv2;
+/** Context keys available during policy evaluation. */
+export interface PolicyContext {
+    /** Agent's DID (Agent:DID) */
+    'Agent:DID'?: string;
+    /** Model provider (Model:Provider) */
+    'Model:Provider'?: string;
+    /** Model name (Model:Name) */
+    'Model:Name'?: string;
+    /** Proof tier from receipt (Receipt:ProofTier) */
+    'Receipt:ProofTier'?: string;
+    /** Whether human approval was obtained (Request:HasHumanApproval) */
+    'Request:HasHumanApproval'?: string;
+    /** Target domain for network egress (SideEffect:TargetDomain) */
+    'SideEffect:TargetDomain'?: string;
+    /** Tool name being invoked (Tool:Name) */
+    'Tool:Name'?: string;
+    /** Hour of day 0-23 (Context:Hour) */
+    'Context:Hour'?: string;
+    /** Allow additional context keys. */
+    [key: string]: string | undefined;
+}
+export type PolicyDecisionEffect = 'ALLOW' | 'DENY';
+/** Result of evaluating a policy against an action + context. */
+export interface PolicyDecision {
+    effect: PolicyDecisionEffect;
+    /** Human-readable reason for the decision. */
+    reason: string;
+    /** Statement IDs that contributed to the decision. */
+    matched_statements: string[];
+}
+/** Resolver for parent policies (used in Strict Intersection). */
+export type PolicyResolver = (policyId: string) => WPCv2 | WPC | null;
+/**
+ * Convert a WPC v1 to v2 statements for evaluation.
+ * This mirrors the logic in the migration helper but is kept inline
+ * to avoid circular deps.
+ */
+export declare function convertV1toV2(v1: WPCv1): WPCv2;
+/**
+ * Evaluate a WPC policy against an action, resource, and context.
+ *
+ * Supports both WPC v1 (auto-converted) and v2 policies.
+ * When `inherits` is set and a `resolver` is provided, performs
+ * Strict Intersection (parent AND child must both allow).
+ *
+ * @param policy - The WPC policy (v1 or v2)
+ * @param action - The action being requested (e.g., "model:invoke")
+ * @param resource - The resource being acted upon (e.g., "src/index.ts")
+ * @param context - Context keys from the proof bundle / runtime
+ * @param resolver - Optional resolver for parent policies (Strict Intersection)
+ */
+export declare function evaluatePolicy(policy: WPC, action: string, resource: string, context: PolicyContext, resolver?: PolicyResolver): PolicyDecision;
+/**
+ * Convenience: evaluate multiple actions against a policy.
+ * Returns a map of action -> PolicyDecision.
+ */
+export declare function evaluatePolicyBatch(policy: WPC, requests: Array<{
+    action: string;
+    resource: string;
+}>, context: PolicyContext, resolver?: PolicyResolver): Map<string, PolicyDecision>;
+//# sourceMappingURL=policy-evaluator.d.ts.map

package/dist/policy-evaluator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy-evaluator.d.ts","sourceRoot":"","sources":["../src/policy-evaluator.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAMH,kDAAkD;AAClD,MAAM,WAAW,KAAK;IACpB,cAAc,EAAE,GAAG,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,iBAAiB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC7B,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,2BAA2B,CAAC,EAAE,MAAM,CAAC;IACrC,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B,eAAe,CAAC,EAAE,OAAO,EAAE,CAAC;IAC5B,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,oBAAoB,CAAC,EAAE,MAAM,EAAE,CAAC;IAChC,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACpC;AAED,6DAA6D;AAC7D,MAAM,MAAM,YAAY,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;AAElD,sDAAsD;AACtD,MAAM,WAAW,gBAAgB;IAC/B,YAAY,CAAC,EAAE,YAAY,CAAC;IAC5B,eAAe,CAAC,EAAE,YAAY,CAAC;IAC/B,UAAU,CAAC,EAAE,YAAY,CAAC;IAC1B,aAAa,CAAC,EAAE,YAAY,CAAC;IAC7B,aAAa,CAAC,EAAE,YAAY,CAAC;IAC7B,eAAe,CAAC,EAAE,YAAY,CAAC;IAC/B,kBAAkB,CAAC,EAAE,YAAY,CAAC;IAClC,IAAI,CAAC,EAAE,YAAY,CAAC;IACpB,SAAS,CAAC,EAAE,YAAY,CAAC;CAC1B;AAED,2CAA2C;AAC3C,MAAM,WAAW,eAAe;IAC9B,GAAG,EAAE,MAAM,CAAC;IACZ,MAAM,EAAE,OAAO,GAAG,MAAM,CAAC;IACzB,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,SAAS,EAAE,MAAM,EAAE,CAAC;IACpB,UAAU,CAAC,EAAE,gBAAgB,CAAC;CAC/B;AAED,qBAAqB;AACrB,MAAM,WAAW,KAAK;IACpB,cAAc,EAAE,GAAG,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,eAAe,EAAE,CAAC;IAC9B,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACpC;AAED,sCAAsC;AACtC,MAAM,MAAM,GAAG,GAAG,KAAK,GAAG,KAAK,CAAC;AAEhC,uDAAuD;AACvD,MAAM,WAAW,aAAa;IAC5B,8BAA8B;IAC9B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,sCAAsC;IACtC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,8BAA8B;IAC9B,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,kDAAkD;IAClD,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,qEAAqE;IACrE,0BAA0B,CAAC,EAAE,MAAM,CAAC;IACpC,iEAAiE;IACjE,yBAAyB,CAAC,EAAE,MAAM,CAAC;IACnC,0CAA0C;IAC1C,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,sCAAsC;IACtC,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,qCAAqC;IACrC,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAAC;CACnC;AAED,MAAM,MAAM,oBAAoB,GAAG,OAAO,GAAG,MAAM,CAAC;AAEpD,iEAAiE;AACjE,MAAM,WAAW,cAAc;IAC7B,MAAM,EAAE,oBAAoB,CAAC;IAC7B,8CAA8C;IAC9C,MAAM,EAAE,MAAM,CAAC;IACf,sDAAsD;IACtD,kBAAkB,EAAE,MAAM,EAAE,CAAC;CAC9B;AAED,kEAAkE;AAClE,MAAM,MAAM,cAAc,GAAG,CAAC,QAAQ,EAAE,MAAM,KAAK,KAAK,GAAG,GAAG,GAAG,IAAI,CAAC;AA6LtE;;;;GAIG;AACH,wBAAgB,aAAa,CAAC,EAAE,EAAE,KAAK,GAAG,KAAK,CA0H9C;AAmED;;;;;;;;;;;;GAYG;AACH,wBAAgB,cAAc,CAC5B,MAAM,EAAE,GAAG,EACX,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,aAAa,EACtB,QAAQ,CAAC,EAAE,cAAc,GACxB,cAAc,CA8DhB;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,CACjC,MAAM,EAAE,GAAG,EACX,QAAQ,EAAE,KAAK,CAAC;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,CAAC,EACrD,OAAO,EAAE,aAAa,EACtB,QAAQ,CAAC,EAAE,cAAc,GACxB,GAAG,CAAC,MAAM,EAAE,cAAc,CAAC,CAO7B"}