npm - @connexum/ai-governance - Versions diffs - 1.0.0-beta.28 → 1.0.0-beta.30 - Mend

@connexum/ai-governance 1.0.0-beta.28 → 1.0.0-beta.30

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

package/dist/cli/index.d.ts CHANGED Viewed

@@ -128,6 +128,13 @@ export declare function generateConfig(packs: string[], license: LicenseInfo, li
  * the new config so they survive the rewrite regardless of step ordering.
  */
 export declare function carryForwardPerAgentIdentity(config: GovernanceJsonConfig, configPath: string): void;
+/**
+ * Best-effort check for the 'inst' (installation-scope) claim in a JWT payload.
+ * NO signature verification — used only to decide whether a more-scoped token
+ * should be preserved over a less-scoped one. Returns false on any malformed
+ * input (Invariant 2: never throws).
+ */
+export declare function tokenHasInstClaim(token: string): boolean;
 /**
  * P0 install-safety guard. Governance is a PROJECT-LOCAL install: hooks are
  * written to `<projectDir>/.claude/settings.json`. If `init` runs from the

package/dist/cli/index.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/cli/index.ts"],"names":[],"mappings":";AACA;;;;;;;;;;;;GAYG;AAMH,OAAO,KAAK,QAAQ,MAAM,UAAU,CAAC;AAIrC,OAAO,EAAsB,KAAK,aAAa,EAAE,MAAM,qBAAqB,CAAC;AA4D7E,MAAM,WAAW,wBAAwB;IACvC,EAAE,EAAE,OAAO,CAAC;IACZ,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B,uBAAuB,CAAC,EAAE,MAAM,CAAC;IACjC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,WAAW,CAAC,EAAE,OAAO,CAAC;CACvB;AAED;;;GAGG;AACH,wBAAgB,uBAAuB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAE7D;AAED;;;GAGG;AACH,wBAAsB,kBAAkB,CACtC,UAAU,EAAE,MAAM,EAClB,gBAAgB,SAA6B,GAC5C,OAAO,CAAC,wBAAwB,CAAC,CAwEnC;AAWD;;;GAGG;AACH,wBAAsB,iBAAiB,CACrC,UAAU,EAAE,MAAM,EAClB,IAAI,GAAE;IACJ,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,EAAE,CAAC,EAAE,QAAQ,CAAC,SAAS,CAAC;IACxB,gBAAgB,CAAC,EAAE,MAAM,CAAC;CACtB,GACL,OAAO,CAAC;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,QAAQ,CAAA;CAAE,GAAG,IAAI,CAAC,CA2EhF;AAED;;;GAGG;AACH,wBAAgB,uBAAuB,CAAC,UAAU,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,mBAAmB,UAAQ,GAAG,IAAI,CAsBjH;AAmDD,MAAM,MAAM,WAAW,GACnB,aAAa,GACb,QAAQ,GACR,UAAU,GACV,MAAM,GACN,OAAO,GACP,QAAQ,GACR,SAAS,GACT,OAAO,GACP,SAAS,CAAC;AAEd,wBAAgB,SAAS,CAAC,UAAU,EAAE,MAAM,GAAG,WAAW,CA2BzD;AAkBD,UAAU,WAAW;IACnB,IAAI,EAAE,MAAM,GAAG,SAAS,GAAG,cAAc,GAAG,YAAY,CAAC;IACzD,GAAG,EAAE,MAAM,CAAC;IACZ,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAyDD;;;;;;GAMG;AACH,wBAAgB,qBAAqB,CAAC,GAAG,EAAE,MAAM,GAAG,WAAW,GAAG,IAAI,CAyCrE;AAsBD,MAAM,WAAW,oBAAoB;IACnC,OAAO,EAAE,MAAM,CAAC;IAChB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,SAAS,EAAE;QACT,OAAO,EAAE,MAAM,EAAE,CAAC;QAClB,OAAO,EAAE,MAAM,EAAE,CAAC;KACnB,CAAC;IACF,KAAK,EAAE;QACL,UAAU,EAAE,MAAM,EAAE,CAAC;QACrB,WAAW,EAAE,MAAM,EAAE,CAAC;KACvB,CAAC;IACF,KAAK,EAAE;QACL,OAAO,EAAE,OAAO,CAAC;QACjB,MAAM,EAAE,MAAM,CAAC;KAChB,CAAC;IACF,UAAU,EAAE;QACV,OAAO,EAAE,OAAO,CAAC;QACjB,SAAS,EAAE,MAAM,CAAC;KACnB,CAAC;IACF,kFAAkF;IAClF,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B;;;;;;;;OAQG;IACH,OAAO,CAAC,EAAE;QACR,YAAY,EAAE,MAAM,CAAC;QACrB,KAAK,EAAE,MAAM,CAAC;QACd,OAAO,EAAE,MAAM,CAAC;QAChB,yEAAyE;QACzE,YAAY,EAAE,MAAM,CAAC;KACtB,CAAC;IACF,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;;GAGG;AACH,wBAAgB,oBAAoB,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,CAS/D;AAED,wBAAgB,cAAc,CAC5B,KAAK,EAAE,MAAM,EAAE,EACf,OAAO,EAAE,WAAW,EACpB,gBAAgB,CAAC,EAAE,MAAM,EACzB,OAAO,CAAC,EAAE,oBAAoB,CAAC,SAAS,CAAC,GACxC,oBAAoB,CA8BtB;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,4BAA4B,CAC1C,MAAM,EAAE,oBAAoB,EAC5B,UAAU,EAAE,MAAM,GACjB,IAAI,~~CAgBN~~;AAID;;;;;;;;;;;;GAYG;AACH,wBAAgB,oBAAoB,CAAC,UAAU,EAAE,MAAM,GAAG,IAAI,CAgC7D;AAED,wBAAgB,YAAY,CAAC,UAAU,EAAE,MAAM,EAAE,MAAM,EAAE,oBAAoB,GAAG;IAAE,SAAS,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,EAAE,CAAA;CAAE,CA2EtH;AAsFD;;;;;;;;;;;;;;GAcG;AAEH;;;;;;;GAOG;AACH,wBAAgB,qBAAqB,CACnC,OAAO,EAAE,MAAM,EACf,EAAE,EAAE,CAAC,CAAC,EAAE,MAAM,KAAK,IAAI,EACvB,QAAQ,SAAI,GACX,IAAI,CAuBN;AAED,wBAAgB,mBAAmB,CACjC,UAAU,EAAE,MAAM,EAClB,IAAI,GAAE;IAAE,KAAK,CAAC,EAAE,OAAO,CAAA;CAAO,GAC7B;IAAE,YAAY,EAAE,MAAM,CAAC;IAAC,YAAY,EAAE,MAAM,EAAE,CAAC;IAAC,cAAc,EAAE,MAAM,GAAG,IAAI,CAAA;CAAE,CAiLjF;AAmmBD,6EAA6E;AAC7E,MAAM,WAAW,oBAAoB;IACnC,UAAU,EAAE;QACV,aAAa,EAAE,MAAM,EAAE,CAAC;QACxB,QAAQ,EAAE,MAAM,CAAC;QACjB,QAAQ,EAAE,MAAM,CAAC;KAClB,CAAC;IACF,MAAM,EAAE;QAAE,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC;IAC1B,QAAQ,EAAE;QAAE,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC;IAC7B,cAAc,EAAE,MAAM,CAAC;IACvB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,oFAAoF;AACpF,wBAAgB,wBAAwB,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,EAAE,CAwFrE;AAED,8FAA8F;AAC9F,wBAAgB,2BAA2B,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,CAmEtE;AAED;;;GAGG;AACH,wBAAgB,0BAA0B,CAAC,UAAU,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,MAAM,CA4CtF;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,CAqC9D;AAED,0EAA0E;AAC1E,wBAAgB,yBAAyB,CAAC,UAAU,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,IAAI,CA0DnF;AAED;;;GAGG;AACH,wBAAgB,yBAAyB,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,MAAM,CAkCvF;AAMD;;;;GAIG;AACH,MAAM,WAAW,qBAAqB;IACpC,oEAAoE;IACpE,OAAO,EAAE,MAAM,CAAC;IAChB,kCAAkC;IAClC,OAAO,EAAE,MAAM,CAAC;IAChB,mFAAmF;IACnF,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B;;;OAGG;IACH,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,mEAAmE;IACnE,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;GAGG;AACH,MAAM,WAAW,4BAA4B;IAC3C,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;CAC7B;AAED;;;GAGG;AACH,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAmCG;AACH,wBAAgB,uBAAuB,CACrC,UAAU,EAAE,MAAM,EAClB,UAAU,EAAE,4BAA4B,EAAE,EAC1C,WAAW,EAAE,aAAa,EAAE,EAC5B,IAAI,GAAE;IACJ;;;;;;;OAOG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;CACd,GACL,IAAI,CAmEN;AAGD,wBAAsB,kBAAkB,CACtC,UAAU,EAAE,MAAM,EAClB,IAAI,EAAE;IACJ,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,OAAO,CAAC,EAAE,oBAAoB,CAAC,SAAS,CAAC,CAAC;IAC1C,+EAA+E;IAC/E,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,GACA,OAAO,CAAC,IAAI,CAAC,~~CAmEf~~;AAuED;;;;;;;;;;;GAWG;AACH;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,MAAM,WAAW,oBAAoB;IACnC,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,MAAM,EAAE,OAAO,CAAC;IAChB,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;IACtB,aAAa,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,SAAS,GAAG,UAAU,GAAG,cAAc,CAAA;KAAE,CAAC,CAAC;IACzG,MAAM,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CAChD;AAED,wBAAgB,cAAc,CAAC,IAAI,EAAE;IACnC,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,MAAM,EAAE,OAAO,CAAC;IAChB,GAAG,CAAC,EAAE,IAAI,CAAC;CACZ,GAAG,oBAAoB,CA0DvB;AAED,wBAAgB,WAAW,CAAC,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,GAAG,IAAI,CA6QrE;AA6JD;;;;;;;;;;GAUG;AACH,wBAAgB,yBAAyB,CACvC,QAAQ,EAAE,MAAM,EAChB,cAAc,EAAE,aAAa,EAAE,EAC/B,UAAU,EAAE,MAAM,GACjB,IAAI,CA0GN"}
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/cli/index.ts"],"names":[],"mappings":";AACA;;;;;;;;;;;;GAYG;AAMH,OAAO,KAAK,QAAQ,MAAM,UAAU,CAAC;AAIrC,OAAO,EAAsB,KAAK,aAAa,EAAE,MAAM,qBAAqB,CAAC;AA4D7E,MAAM,WAAW,wBAAwB;IACvC,EAAE,EAAE,OAAO,CAAC;IACZ,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B,uBAAuB,CAAC,EAAE,MAAM,CAAC;IACjC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,WAAW,CAAC,EAAE,OAAO,CAAC;CACvB;AAED;;;GAGG;AACH,wBAAgB,uBAAuB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAE7D;AAED;;;GAGG;AACH,wBAAsB,kBAAkB,CACtC,UAAU,EAAE,MAAM,EAClB,gBAAgB,SAA6B,GAC5C,OAAO,CAAC,wBAAwB,CAAC,CAwEnC;AAWD;;;GAGG;AACH,wBAAsB,iBAAiB,CACrC,UAAU,EAAE,MAAM,EAClB,IAAI,GAAE;IACJ,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,EAAE,CAAC,EAAE,QAAQ,CAAC,SAAS,CAAC;IACxB,gBAAgB,CAAC,EAAE,MAAM,CAAC;CACtB,GACL,OAAO,CAAC;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,QAAQ,CAAA;CAAE,GAAG,IAAI,CAAC,CA2EhF;AAED;;;GAGG;AACH,wBAAgB,uBAAuB,CAAC,UAAU,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,mBAAmB,UAAQ,GAAG,IAAI,CAsBjH;AAmDD,MAAM,MAAM,WAAW,GACnB,aAAa,GACb,QAAQ,GACR,UAAU,GACV,MAAM,GACN,OAAO,GACP,QAAQ,GACR,SAAS,GACT,OAAO,GACP,SAAS,CAAC;AAEd,wBAAgB,SAAS,CAAC,UAAU,EAAE,MAAM,GAAG,WAAW,CA2BzD;AAkBD,UAAU,WAAW;IACnB,IAAI,EAAE,MAAM,GAAG,SAAS,GAAG,cAAc,GAAG,YAAY,CAAC;IACzD,GAAG,EAAE,MAAM,CAAC;IACZ,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAyDD;;;;;;GAMG;AACH,wBAAgB,qBAAqB,CAAC,GAAG,EAAE,MAAM,GAAG,WAAW,GAAG,IAAI,CAyCrE;AAsBD,MAAM,WAAW,oBAAoB;IACnC,OAAO,EAAE,MAAM,CAAC;IAChB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,SAAS,EAAE;QACT,OAAO,EAAE,MAAM,EAAE,CAAC;QAClB,OAAO,EAAE,MAAM,EAAE,CAAC;KACnB,CAAC;IACF,KAAK,EAAE;QACL,UAAU,EAAE,MAAM,EAAE,CAAC;QACrB,WAAW,EAAE,MAAM,EAAE,CAAC;KACvB,CAAC;IACF,KAAK,EAAE;QACL,OAAO,EAAE,OAAO,CAAC;QACjB,MAAM,EAAE,MAAM,CAAC;KAChB,CAAC;IACF,UAAU,EAAE;QACV,OAAO,EAAE,OAAO,CAAC;QACjB,SAAS,EAAE,MAAM,CAAC;KACnB,CAAC;IACF,kFAAkF;IAClF,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B;;;;;;;;OAQG;IACH,OAAO,CAAC,EAAE;QACR,YAAY,EAAE,MAAM,CAAC;QACrB,KAAK,EAAE,MAAM,CAAC;QACd,OAAO,EAAE,MAAM,CAAC;QAChB,yEAAyE;QACzE,YAAY,EAAE,MAAM,CAAC;KACtB,CAAC;IACF,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;;GAGG;AACH,wBAAgB,oBAAoB,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,CAS/D;AAED,wBAAgB,cAAc,CAC5B,KAAK,EAAE,MAAM,EAAE,EACf,OAAO,EAAE,WAAW,EACpB,gBAAgB,CAAC,EAAE,MAAM,EACzB,OAAO,CAAC,EAAE,oBAAoB,CAAC,SAAS,CAAC,GACxC,oBAAoB,CA8BtB;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,4BAA4B,CAC1C,MAAM,EAAE,oBAAoB,EAC5B,UAAU,EAAE,MAAM,GACjB,IAAI,CAqCN;AAED;;;;;GAKG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAWxD;AAID;;;;;;;;;;;;GAYG;AACH,wBAAgB,oBAAoB,CAAC,UAAU,EAAE,MAAM,GAAG,IAAI,CAgC7D;AAED,wBAAgB,YAAY,CAAC,UAAU,EAAE,MAAM,EAAE,MAAM,EAAE,oBAAoB,GAAG;IAAE,SAAS,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,EAAE,CAAA;CAAE,CA2EtH;AAsFD;;;;;;;;;;;;;;GAcG;AAEH;;;;;;;GAOG;AACH,wBAAgB,qBAAqB,CACnC,OAAO,EAAE,MAAM,EACf,EAAE,EAAE,CAAC,CAAC,EAAE,MAAM,KAAK,IAAI,EACvB,QAAQ,SAAI,GACX,IAAI,CAuBN;AAED,wBAAgB,mBAAmB,CACjC,UAAU,EAAE,MAAM,EAClB,IAAI,GAAE;IAAE,KAAK,CAAC,EAAE,OAAO,CAAA;CAAO,GAC7B;IAAE,YAAY,EAAE,MAAM,CAAC;IAAC,YAAY,EAAE,MAAM,EAAE,CAAC;IAAC,cAAc,EAAE,MAAM,GAAG,IAAI,CAAA;CAAE,CAiLjF;AAmmBD,6EAA6E;AAC7E,MAAM,WAAW,oBAAoB;IACnC,UAAU,EAAE;QACV,aAAa,EAAE,MAAM,EAAE,CAAC;QACxB,QAAQ,EAAE,MAAM,CAAC;QACjB,QAAQ,EAAE,MAAM,CAAC;KAClB,CAAC;IACF,MAAM,EAAE;QAAE,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC;IAC1B,QAAQ,EAAE;QAAE,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC;IAC7B,cAAc,EAAE,MAAM,CAAC;IACvB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,oFAAoF;AACpF,wBAAgB,wBAAwB,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,EAAE,CAwFrE;AAED,8FAA8F;AAC9F,wBAAgB,2BAA2B,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,CAmEtE;AAED;;;GAGG;AACH,wBAAgB,0BAA0B,CAAC,UAAU,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,MAAM,CA4CtF;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,CAqC9D;AAED,0EAA0E;AAC1E,wBAAgB,yBAAyB,CAAC,UAAU,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,IAAI,CA0DnF;AAED;;;GAGG;AACH,wBAAgB,yBAAyB,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,MAAM,CAkCvF;AAMD;;;;GAIG;AACH,MAAM,WAAW,qBAAqB;IACpC,oEAAoE;IACpE,OAAO,EAAE,MAAM,CAAC;IAChB,kCAAkC;IAClC,OAAO,EAAE,MAAM,CAAC;IAChB,mFAAmF;IACnF,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B;;;OAGG;IACH,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,mEAAmE;IACnE,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;GAGG;AACH,MAAM,WAAW,4BAA4B;IAC3C,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;CAC7B;AAED;;;GAGG;AACH,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAmCG;AACH,wBAAgB,uBAAuB,CACrC,UAAU,EAAE,MAAM,EAClB,UAAU,EAAE,4BAA4B,EAAE,EAC1C,WAAW,EAAE,aAAa,EAAE,EAC5B,IAAI,GAAE;IACJ;;;;;;;OAOG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;CACd,GACL,IAAI,CAmEN;AAGD,wBAAsB,kBAAkB,CACtC,UAAU,EAAE,MAAM,EAClB,IAAI,EAAE;IACJ,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,OAAO,CAAC,EAAE,oBAAoB,CAAC,SAAS,CAAC,CAAC;IAC1C,+EAA+E;IAC/E,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,GACA,OAAO,CAAC,IAAI,CAAC,CA4Ef;AAuED;;;;;;;;;;;GAWG;AACH;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,MAAM,WAAW,oBAAoB;IACnC,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,MAAM,EAAE,OAAO,CAAC;IAChB,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;IACtB,aAAa,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,SAAS,GAAG,UAAU,GAAG,cAAc,CAAA;KAAE,CAAC,CAAC;IACzG,MAAM,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CAChD;AAED,wBAAgB,cAAc,CAAC,IAAI,EAAE;IACnC,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,MAAM,EAAE,OAAO,CAAC;IAChB,GAAG,CAAC,EAAE,IAAI,CAAC;CACZ,GAAG,oBAAoB,CA0DvB;AAED,wBAAgB,WAAW,CAAC,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,GAAG,IAAI,CA6QrE;AA6JD;;;;;;;;;;GAUG;AACH,wBAAgB,yBAAyB,CACvC,QAAQ,EAAE,MAAM,EAChB,cAAc,EAAE,aAAa,EAAE,EAC/B,UAAU,EAAE,MAAM,GACjB,IAAI,CA0GN"}

package/dist/cli/index.js CHANGED Viewed

@@ -56,6 +56,7 @@ exports.validateLegacyLicense = validateLegacyLicense;
 exports.readLicenseServerUrl = readLicenseServerUrl;
 exports.generateConfig = generateConfig;
 exports.carryForwardPerAgentIdentity = carryForwardPerAgentIdentity;
+exports.tokenHasInstClaim = tokenHasInstClaim;
 exports.assertSafeInstallDir = assertSafeInstallDir;
 exports.installHooks = installHooks;
 exports.removePerAgentRuntime = removePerAgentRuntime;
@@ -573,10 +574,51 @@ function carryForwardPerAgentIdentity(config, configPath) {
     if (Array.isArray(prior.agents) && prior.agents.length > 0) {
         cfgRec['agents'] = prior.agents;
     }
+    // F3-2: preserve the pinned org public key across a config rewrite. The pin
+    // is a one-time trusted exchange (init-time TLS); a fresh generateConfig
+    // object has no orgPublicKey, so writing it verbatim would DROP the key and
+    // every subsequent `sync` would fail-closed ("cannot verify authenticity").
+    if (typeof prior.orgPublicKey === 'string' && prior.orgPublicKey.length > 0) {
+        cfgRec['orgPublicKey'] = prior.orgPublicKey;
+    }
     const priorAgentDir = prior.runtime?.agentDir;
     if (typeof priorAgentDir === 'string' && config.runtime) {
         config.runtime['agentDir'] = priorAgentDir;
     }
+    // F3-3: preserve a prior inst-bearing runtime.serviceToken when the fresh
+    // config's runtime token lacks the 'inst' claim. sync persists an
+    // inst-bearing token into runtime.serviceToken (so /cli/agent-governance
+    // stops 400-ing); a later init/generateConfig rewrite with the original
+    // org-scoped token would undo that. Keep the more-scoped token.
+    const priorRuntimeToken = prior.runtime?.serviceToken;
+    if (typeof priorRuntimeToken === 'string' && priorRuntimeToken.length > 0 && config.runtime) {
+        const freshToken = config.runtime['serviceToken'];
+        const priorHasInst = tokenHasInstClaim(priorRuntimeToken);
+        const freshHasInst = typeof freshToken === 'string' ? tokenHasInstClaim(freshToken) : false;
+        if (priorHasInst && !freshHasInst) {
+            config.runtime['serviceToken'] = priorRuntimeToken;
+        }
+    }
+}
+/**
+ * Best-effort check for the 'inst' (installation-scope) claim in a JWT payload.
+ * NO signature verification — used only to decide whether a more-scoped token
+ * should be preserved over a less-scoped one. Returns false on any malformed
+ * input (Invariant 2: never throws).
+ */
+function tokenHasInstClaim(token) {
+    try {
+        const parts = token.split('.');
+        if (parts.length !== 3)
+            return false;
+        const parsed = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
+        return !!parsed && typeof parsed === 'object' && !Array.isArray(parsed)
+            && typeof parsed['inst'] === 'string'
+            && parsed['inst'].length > 0;
+    }
+    catch {
+        return false;
+    }
 }
 // --- Hook installation ---
 /**
@@ -1955,7 +1997,19 @@ async function nonInteractiveInit(projectDir, opts) {
     }
     const config = generateConfig(validPacks, license, opts.licenseServerUrl, opts.runtime);
     const configPath = path.join(projectDir, '.governance.json');
-    fs.writeFileSync(configPath, JSON.stringify(config, null, 2));
+    // PRESERVE per-agent identity data on rewrite (Thomas 2026-06-12, F3-1): the
+    // --agent-dir IIFE's writePerAgentIdentities() landed agents[] + runtime.agentDir
+    // (and possibly a pinned orgPublicKey + inst-bearing runtime token) into this
+    // SAME file. generateConfig builds a FRESH object that has NONE of them, so
+    // writing it verbatim here clobbers the reconciled fleet — leaving sync --apply
+    // with only the single runtime.agentId (1 of N agents). carryForwardPerAgentIdentity
+    // re-merges those fields regardless of which path wrote first (ordering-robust).
+    carryForwardPerAgentIdentity(config, configPath);
+    fs.writeFileSync(configPath, JSON.stringify(config, null, 2), { mode: 0o600 });
+    try {
+        fs.chmodSync(configPath, 0o600);
+    }
+    catch { /* best-effort on Windows */ }
     const { installed, errors } = installHooks(projectDir, config);
     // Create directories
     const govDir = path.join(projectDir, '.governance');
@@ -3177,6 +3231,67 @@ if (isDirectRun) {
                                             });
                                             process.stdout.write(`[CLI] per-agent identities written to .governance.json ` +
                                                 `(${safeRegistered.length} agent(s)).\n`);
+                                            // F3-2 + F3-4: pin the org public key AND adopt an
+                                            // inst-bearing runtime token straight from THIS register-fleet
+                                            // response — INSIDE the IIFE, before the early process.exit(0)
+                                            // below can terminate the run. Two reasons this must happen here:
+                                            //   (1) the --agent-dir IIFE may process.exit(0) at the bottom
+                                            //       before the synchronous nonInteractiveInit's pin runs, so
+                                            //       pinning only there would leave .governance.json with no
+                                            //       orgPublicKey → every later `sync` bundle REJECTED.
+                                            //   (2) the runtime token from exchange-install-link is
+                                            //       org-scoped (no 'inst' claim); if the server returns an
+                                            //       inst-bearing installToken, persist it so GET
+                                            //       /cli/agent-governance stops 400-ing at sync time.
+                                            // Both come from the SAME trusted TLS exchange that registered
+                                            // the fleet — no extra unauthenticated fetch. Non-fatal: a
+                                            // missing field falls back to the post-init pin path (Invariant 2).
+                                            try {
+                                                const cfgPath = path.join(projectDir, '.governance.json');
+                                                let cfg = {};
+                                                if (fs.existsSync(cfgPath)) {
+                                                    try {
+                                                        cfg = JSON.parse(fs.readFileSync(cfgPath, 'utf-8'));
+                                                    }
+                                                    catch { /* fresh */ }
+                                                }
+                                                let dirty = false;
+                                                if (typeof resp.orgPublicKey === 'string' && resp.orgPublicKey.length > 0) {
+                                                    // Sanity: must decode to a 32-byte Ed25519 raw key before pinning.
+                                                    let okKey = false;
+                                                    try {
+                                                        okKey = Buffer.from(resp.orgPublicKey, 'base64url').length === 32;
+                                                    }
+                                                    catch {
+                                                        okKey = false;
+                                                    }
+                                                    if (okKey && cfg['orgPublicKey'] !== resp.orgPublicKey) {
+                                                        cfg['orgPublicKey'] = resp.orgPublicKey;
+                                                        dirty = true;
+                                                        process.stderr.write(`[CLI] org public key pinned from register-fleet (${resp.orgPublicKey.slice(0, 8)}...).\n`);
+                                                    }
+                                                }
+                                                if (typeof resp.installToken === 'string' && tokenHasInstClaim(resp.installToken)) {
+                                                    const rt = cfg['runtime'] ?? {};
+                                                    const cur = rt['serviceToken'];
+                                                    if (typeof cur !== 'string' || !tokenHasInstClaim(cur)) {
+                                                        rt['serviceToken'] = resp.installToken;
+                                                        cfg['runtime'] = rt;
+                                                        dirty = true;
+                                                        process.stderr.write('[CLI] runtime token upgraded to installation scope (inst claim) from register-fleet.\n');
+                                                    }
+                                                }
+                                                if (dirty) {
+                                                    fs.writeFileSync(cfgPath, JSON.stringify(cfg, null, 2), { mode: 0o600 });
+                                                    try {
+                                                        fs.chmodSync(cfgPath, 0o600);
+                                                    }
+                                                    catch { /* best-effort on Windows */ }
+                                                }
+                                            }
+                                            catch (pinErr) {
+                                                process.stderr.write(`[CLI] org-key/inst-token pin from register-fleet skipped (non-fatal): ${pinErr.message}\n`);
+                                            }
                                             // Identity RFC B1 (Pass 1): land each agent's identity in
                                             // ITS OWN folder — <agent>/.connexum/identity.json. No
                                             // secret at this pass (tokens are minted at payment
@@ -3286,6 +3401,41 @@ if (isDirectRun) {
                 else if (skipPreflight) {
                     process.stdout.write('\nPreflight skipped (--skip-preflight).\n');
                 }
+                // F3-2 FALLBACK: if register-fleet did NOT carry the org public key in
+                // its response (older server, or option B not chosen), pin it here via
+                // the dedicated public-key endpoint — still BEFORE the early exit below,
+                // so a pure --agent-dir --link run never leaves .governance.json without
+                // a pinned key. Idempotent with the in-IIFE pin above (skips if already
+                // pinned). Non-fatal (Invariant 2): a failed fetch leaves sync to
+                // fail-closed until the operator re-runs init when the server is reachable.
+                if (runtimeConfig?.govServerUrl && runtimeConfig?.orgId) {
+                    try {
+                        const cfgPath = path.join(projectDir, '.governance.json');
+                        let alreadyPinned = false;
+                        if (fs.existsSync(cfgPath)) {
+                            try {
+                                const cur = JSON.parse(fs.readFileSync(cfgPath, 'utf-8'));
+                                alreadyPinned = typeof cur['orgPublicKey'] === 'string' && cur['orgPublicKey'].length > 0;
+                            }
+                            catch { /* fresh */ }
+                        }
+                        if (!alreadyPinned) {
+                            const { fetchAndPinOrgPublicKey } = require('./sync.js');
+                            const pinned = fetchAndPinOrgPublicKey(runtimeConfig.govServerUrl, runtimeConfig.orgId, cfgPath);
+                            if (pinned) {
+                                process.stderr.write(`[CLI] org public key pinned to .governance.json (${pinned.slice(0, 8)}...).\n`);
+                            }
+                            else {
+                                process.stderr.write('[CLI] WARNING: could not fetch org public key for pinning. ' +
+                                    '`ai-governance sync` will fail closed until the key is pinned. ' +
+                                    'Re-run `ai-governance init` when the server is reachable to pin the key.\n');
+                            }
+                        }
+                    }
+                    catch (e) {
+                        process.stderr.write(`[CLI] org public key pin (fallback) skipped (non-fatal): ${e.message}\n`);
+                    }
+                }
                 // --agent-dir is a standalone operation — do not fall through to interactive init
                 // unless --ci or interactive flow flags are also explicitly set.
                 if (!ciMode && !vendorCodeFlag && !offlineFlag) {