@datacules/agent-identity-audit 0.11.0 → 0.11.1

package/LICENSE

@@ -0,0 +1,109 @@
+Datacules Agent Identity License — Version 1.0
+Copyright (c) 2026 Datacules LLC. All rights reserved.
+
+─────────────────────────────────────────────────────────────────────────────
+PREAMBLE
+─────────────────────────────────────────────────────────────────────────────
+
+This software — Agent Identity & Auth Patterns — is developed and owned by
+Datacules LLC. It is made available to the public as open-source software
+under the permissive terms below.
+
+Datacules LLC retains ownership and authorship of this software while
+granting broad, royalty-free rights for anyone to use, copy, modify, and
+distribute it — in commercial or non-commercial contexts — without requiring
+that derivative works also become open source.
+
+─────────────────────────────────────────────────────────────────────────────
+TERMS AND CONDITIONS
+─────────────────────────────────────────────────────────────────────────────
+
+1. PERMISSION TO USE
+
+   Permission is hereby granted, free of charge, to any person or
+   organization obtaining a copy of this software and associated
+   documentation files (the "Software"), to use, copy, modify, merge,
+   publish, distribute, sublicense, and/or sell copies of the Software,
+   and to permit persons to whom the Software is furnished to do so,
+   subject to the conditions below.
+
+2. ATTRIBUTION
+
+   a. Redistributions of source code must retain this copyright notice,
+      this list of conditions, and the disclaimer below.
+
+   b. Redistributions in binary form or as a product must reproduce this
+      copyright notice, this list of conditions, and the disclaimer in the
+      documentation and/or other materials provided with the distribution.
+
+   c. Neither the name "Datacules LLC" nor the names of its contributors
+      may be used to endorse or promote products derived from this Software
+      without prior written permission from Datacules LLC.
+
+3. COMMERCIAL USE
+
+   Use of this Software in commercial products, SaaS platforms, internal
+   enterprise tools, or any revenue-generating context is explicitly
+   permitted without royalty, fee, or additional licensing agreement,
+   provided that the conditions in Section 2 (Attribution) are met.
+
+4. NO COPYLEFT / NO VIRAL REQUIREMENT
+
+   This license does NOT require that derivative works, modifications,
+   or software that uses or embeds this Software be made open source.
+   You may incorporate this Software into proprietary or closed-source
+   products under your own license terms.
+
+5. MODIFICATIONS
+
+   Modified versions of the Software may be distributed under the same
+   terms as this license or under any other permissive open-source
+   license (e.g. MIT, Apache 2.0, BSD), provided that:
+
+   a. The original copyright notice of Datacules LLC is preserved.
+   b. Modifications are clearly documented and distinguished from the
+      original work.
+
+6. COMPATIBILITY
+
+   This license is compatible with other permissive open-source licenses
+   such as MIT, BSD 2-Clause, BSD 3-Clause, and Apache License 2.0. It
+   is also GPL-compatible — this Software may coexist with GPL-licensed
+   code, though this Software itself is not distributed under the GPL.
+
+─────────────────────────────────────────────────────────────────────────────
+DISCLAIMER
+─────────────────────────────────────────────────────────────────────────────
+
+THIS SOFTWARE IS PROVIDED BY DATACULES LLC AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE,
+AND NON-INFRINGEMENT ARE DISCLAIMED.
+
+IN NO EVENT SHALL DATACULES LLC OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+─────────────────────────────────────────────────────────────────────────────
+SUMMARY (non-binding)
+─────────────────────────────────────────────────────────────────────────────
+
+  ✔  Use freely — commercial, proprietary, or open-source projects
+  ✔  Modify and distribute with or without changes
+  ✔  Sell products built on this Software
+  ✔  No royalties or fees
+  ✔  No requirement to open-source your own code
+  ✔  Attribution to Datacules LLC required in source and binary distributions
+  ✗  Do not use "Datacules LLC" to endorse derived products without permission
+
+─────────────────────────────────────────────────────────────────────────────
+CONTACT
+─────────────────────────────────────────────────────────────────────────────
+
+Datacules LLC
+For licensing enquiries: legal@datacules.com
+Product: https://github.com/hvrcharon1/agent-identity

package/dist/cjs/index.js

@@ -0,0 +1,215 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.HashChainAuditLogger = exports.S3ChainAnchor = exports.StdoutChainAnchor = exports.CompositeAuditLogger = exports.SplunkAuditLogger = exports.DatadogAuditLogger = exports.WebhookAuditLogger = exports.ConsoleAuditLogger = void 0;
+// ──────────────────────────────────────────────────────────────────────────
+// Existing sinks
+// ──────────────────────────────────────────────────────────────────────────
+class ConsoleAuditLogger {
+    async log(entry) {
+        console.log('[agent-identity audit]', JSON.stringify(entry, null, 2));
+    }
+}
+exports.ConsoleAuditLogger = ConsoleAuditLogger;
+class WebhookAuditLogger {
+    constructor(options) {
+        this.options = { secret: '', timeoutMs: 5000, silent: true, ...options };
+    }
+    async log(entry) {
+        const { url, secret, timeoutMs, silent } = this.options;
+        const headers = { 'Content-Type': 'application/json' };
+        if (secret)
+            headers['X-Webhook-Secret'] = secret;
+        const controller = new AbortController();
+        const timer = setTimeout(() => controller.abort(), timeoutMs);
+        try {
+            await fetch(url, { method: 'POST', headers, body: JSON.stringify(entry), signal: controller.signal });
+        }
+        catch (err) {
+            if (!silent)
+                throw err;
+            console.warn('[agent-identity] WebhookAuditLogger failed:', err);
+        }
+        finally {
+            clearTimeout(timer);
+        }
+    }
+}
+exports.WebhookAuditLogger = WebhookAuditLogger;
+class DatadogAuditLogger {
+    constructor(options) {
+        this.options = { service: 'agent-identity', site: 'datadoghq.com', silent: true, ...options };
+    }
+    async log(entry) {
+        const { apiKey, service, site, silent } = this.options;
+        try {
+            await fetch(`https://http-intake.logs.${site}/api/v2/logs`, {
+                method: 'POST',
+                headers: { 'DD-API-KEY': apiKey, 'Content-Type': 'application/json' },
+                body: JSON.stringify({ ddsource: 'agent-identity', service, message: JSON.stringify(entry) }),
+            });
+        }
+        catch (err) {
+            if (!silent)
+                throw err;
+            console.warn('[agent-identity] DatadogAuditLogger failed:', err);
+        }
+    }
+}
+exports.DatadogAuditLogger = DatadogAuditLogger;
+class SplunkAuditLogger {
+    constructor(options) {
+        this.options = { sourcetype: 'agent_identity', silent: true, ...options };
+    }
+    async log(entry) {
+        const { hecUrl, token, sourcetype, silent } = this.options;
+        try {
+            await fetch(hecUrl, {
+                method: 'POST',
+                headers: { Authorization: `Splunk ${token}`, 'Content-Type': 'application/json' },
+                body: JSON.stringify({ event: entry, sourcetype }),
+            });
+        }
+        catch (err) {
+            if (!silent)
+                throw err;
+            console.warn('[agent-identity] SplunkAuditLogger failed:', err);
+        }
+    }
+}
+exports.SplunkAuditLogger = SplunkAuditLogger;
+class CompositeAuditLogger {
+    constructor(loggers) {
+        this.loggers = loggers;
+    }
+    async log(entry) {
+        await Promise.allSettled(this.loggers.map((l) => l.log(entry)));
+    }
+}
+exports.CompositeAuditLogger = CompositeAuditLogger;
+/** Prints the chain root to stdout — suitable for piping to a CI artifact */
+class StdoutChainAnchor {
+    async publish(rootHash, sequence, timestamp) {
+        console.log(`[agent-identity chain-anchor] seq=${sequence} root=${rootHash} ts=${timestamp}`);
+    }
+}
+exports.StdoutChainAnchor = StdoutChainAnchor;
+class S3ChainAnchor {
+    constructor(opts) {
+        this.opts = opts;
+    }
+    async publish(rootHash, sequence, timestamp) {
+        const key = `agent-identity/chain-roots/${sequence}-${timestamp}.json`;
+        const body = JSON.stringify({ rootHash, sequence, timestamp, publishedAt: new Date().toISOString() });
+        // S3 PutObject — in production use @aws-sdk/client-s3
+        const url = `https://${this.opts.bucketName}.s3.${this.opts.region}.amazonaws.com/${key}`;
+        await fetch(url, {
+            method: 'PUT',
+            headers: { 'Content-Type': 'application/json', 'Content-Length': String(body.length) },
+            body,
+        }).catch((err) => console.warn('[S3ChainAnchor] publish failed:', err));
+    }
+}
+exports.S3ChainAnchor = S3ChainAnchor;
+/**
+ * Wraps any AuditLogger with tamper-evident SHA-256 hash chaining.
+ *
+ * Each entry is hashed together with the hash of the previous entry.
+ * Any modification to a historical entry breaks the chain from that
+ * point forward — detectable by recomputing and comparing hashes.
+ *
+ * @example
+ * const logger = new HashChainAuditLogger({
+ *   sink: new DatadogAuditLogger({ apiKey: process.env.DD_API_KEY! }),
+ *   anchor: new S3ChainAnchor({ bucketName: 'my-audit-anchors', region: 'us-east-1' }),
+ * });
+ */
+class HashChainAuditLogger {
+    constructor(opts) {
+        this.opts = opts;
+        this.sequence = 0;
+        this.previousHash = opts.seedHash ?? '0';
+        this.anchorEveryN = opts.anchorEveryN ?? 1000;
+    }
+    async log(entry) {
+        this.sequence += 1;
+        const entryHash = await this.sha256(JSON.stringify(entry));
+        const chainHash = await this.sha256(`${this.previousHash}:${entryHash}`);
+        const chained = {
+            ...entry,
+            entryHash,
+            previousHash: this.previousHash,
+            sequence: this.sequence,
+        };
+        this.previousHash = chainHash;
+        await this.opts.sink.log(chained);
+        if (this.opts.anchor && this.sequence % this.anchorEveryN === 0) {
+            await this.opts.anchor
+                .publish(chainHash, this.sequence, new Date().toISOString())
+                .catch(console.error);
+        }
+    }
+    /** Verify an ordered array of chained entries; returns result with first broken sequence if any */
+    async verify(entries) {
+        let prevHash = this.opts.seedHash ?? '0';
+        for (const entry of entries) {
+            const { entryHash, previousHash, sequence, ...data } = entry;
+            const expectedEntryHash = await this.sha256(JSON.stringify(data));
+            if (expectedEntryHash !== entryHash) {
+                return { valid: false, entriesChecked: sequence, brokenAt: sequence, error: `entry hash mismatch at sequence ${sequence}` };
+            }
+            if (previousHash !== prevHash) {
+                return { valid: false, entriesChecked: sequence, brokenAt: sequence, error: `chain break at sequence ${sequence}` };
+            }
+            prevHash = await this.sha256(`${previousHash}:${entryHash}`);
+        }
+        return {
+            valid: true,
+            entriesChecked: entries.length,
+            firstEntry: entries[0],
+            lastEntry: entries[entries.length - 1],
+        };
+    }
+    async sha256(data) {
+        if (typeof crypto !== 'undefined' && crypto.subtle) {
+            const buf = await crypto.subtle.digest('SHA-256', new TextEncoder().encode(data));
+            return Array.from(new Uint8Array(buf)).map((b) => b.toString(16).padStart(2, '0')).join('');
+        }
+        const { createHash } = await Promise.resolve().then(() => __importStar(require('crypto')));
+        return createHash('sha256').update(data).digest('hex');
+    }
+}
+exports.HashChainAuditLogger = HashChainAuditLogger;
+//# sourceMappingURL=index.js.map

package/dist/cjs/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAUA,6EAA6E;AAC7E,iBAAiB;AACjB,6EAA6E;AAE7E,MAAa,kBAAkB;IAC7B,KAAK,CAAC,GAAG,CAAC,KAAoB;QAC5B,OAAO,CAAC,GAAG,CAAC,wBAAwB,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;IACxE,CAAC;CACF;AAJD,gDAIC;AASD,MAAa,kBAAkB;IAE7B,YAAY,OAAkC;QAC5C,IAAI,CAAC,OAAO,GAAG,EAAE,MAAM,EAAE,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,OAAO,EAAE,CAAC;IAC3E,CAAC;IACD,KAAK,CAAC,GAAG,CAAC,KAAoB;QAC5B,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC;QACxD,MAAM,OAAO,GAA2B,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC;QAC/E,IAAI,MAAM;YAAE,OAAO,CAAC,kBAAkB,CAAC,GAAG,MAAM,CAAC;QACjD,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;QACzC,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,SAAS,CAAC,CAAC;QAC9D,IAAI,CAAC;YACH,MAAM,KAAK,CAAC,GAAG,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,EAAE,MAAM,EAAE,UAAU,CAAC,MAAM,EAAE,CAAC,CAAC;QACxG,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,CAAC,MAAM;gBAAE,MAAM,GAAG,CAAC;YACvB,OAAO,CAAC,IAAI,CAAC,6CAA6C,EAAE,GAAG,CAAC,CAAC;QACnE,CAAC;gBAAS,CAAC;YACT,YAAY,CAAC,KAAK,CAAC,CAAC;QACtB,CAAC;IACH,CAAC;CACF;AApBD,gDAoBC;AASD,MAAa,kBAAkB;IAE7B,YAAY,OAAkC;QAC5C,IAAI,CAAC,OAAO,GAAG,EAAE,OAAO,EAAE,gBAAgB,EAAE,IAAI,EAAE,eAAe,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,OAAO,EAAE,CAAC;IAChG,CAAC;IACD,KAAK,CAAC,GAAG,CAAC,KAAoB;QAC5B,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC;QACvD,IAAI,CAAC;YACH,MAAM,KAAK,CAAC,4BAA4B,IAAI,cAAc,EAAE;gBAC1D,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,EAAE,YAAY,EAAE,MAAM,EAAE,cAAc,EAAE,kBAAkB,EAAE;gBACrE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,QAAQ,EAAE,gBAAgB,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,EAAE,CAAC;aAC9F,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,CAAC,MAAM;gBAAE,MAAM,GAAG,CAAC;YACvB,OAAO,CAAC,IAAI,CAAC,6CAA6C,EAAE,GAAG,CAAC,CAAC;QACnE,CAAC;IACH,CAAC;CACF;AAlBD,gDAkBC;AASD,MAAa,iBAAiB;IAE5B,YAAY,OAAiC;QAC3C,IAAI,CAAC,OAAO,GAAG,EAAE,UAAU,EAAE,gBAAgB,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,OAAO,EAAE,CAAC;IAC5E,CAAC;IACD,KAAK,CAAC,GAAG,CAAC,KAAoB;QAC5B,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC;QAC3D,IAAI,CAAC;YACH,MAAM,KAAK,CAAC,MAAM,EAAE;gBAClB,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,KAAK,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;gBACjF,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC;aACnD,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,CAAC,MAAM;gBAAE,MAAM,GAAG,CAAC;YACvB,OAAO,CAAC,IAAI,CAAC,4CAA4C,EAAE,GAAG,CAAC,CAAC;QAClE,CAAC;IACH,CAAC;CACF;AAlBD,8CAkBC;AAED,MAAa,oBAAoB;IAC/B,YAA6B,OAAsB;QAAtB,YAAO,GAAP,OAAO,CAAe;IAAG,CAAC;IACvD,KAAK,CAAC,GAAG,CAAC,KAAoB;QAC5B,MAAM,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAClE,CAAC;CACF;AALD,oDAKC;AA6BD,6EAA6E;AAC7E,MAAa,iBAAiB;IAC5B,KAAK,CAAC,OAAO,CAAC,QAAgB,EAAE,QAAgB,EAAE,SAAiB;QACjE,OAAO,CAAC,GAAG,CAAC,qCAAqC,QAAQ,SAAS,QAAQ,OAAO,SAAS,EAAE,CAAC,CAAC;IAChG,CAAC;CACF;AAJD,8CAIC;AAUD,MAAa,aAAa;IACxB,YAA6B,IAA0B;QAA1B,SAAI,GAAJ,IAAI,CAAsB;IAAG,CAAC;IAE3D,KAAK,CAAC,OAAO,CAAC,QAAgB,EAAE,QAAgB,EAAE,SAAiB;QACjE,MAAM,GAAG,GAAG,8BAA8B,QAAQ,IAAI,SAAS,OAAO,CAAC;QACvE,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,EAAE,QAAQ,EAAE,QAAQ,EAAE,SAAS,EAAE,WAAW,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;QACtG,sDAAsD;QACtD,MAAM,GAAG,GAAG,WAAW,IAAI,CAAC,IAAI,CAAC,UAAU,OAAO,IAAI,CAAC,IAAI,CAAC,MAAM,kBAAkB,GAAG,EAAE,CAAC;QAC1F,MAAM,KAAK,CAAC,GAAG,EAAE;YACf,MAAM,EAAE,KAAK;YACb,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,gBAAgB,EAAE,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE;YACtF,IAAI;SACL,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,iCAAiC,EAAE,GAAG,CAAC,CAAC,CAAC;IAC1E,CAAC;CACF;AAdD,sCAcC;AAeD;;;;;;;;;;;;GAYG;AACH,MAAa,oBAAoB;IAK/B,YAA6B,IAAsB;QAAtB,SAAI,GAAJ,IAAI,CAAkB;QAH3C,aAAQ,GAAG,CAAC,CAAC;QAInB,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC,QAAQ,IAAI,GAAG,CAAC;QACzC,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC,YAAY,IAAI,IAAI,CAAC;IAChD,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,KAAoB;QAC5B,IAAI,CAAC,QAAQ,IAAI,CAAC,CAAC;QACnB,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC;QAC3D,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,GAAG,IAAI,CAAC,YAAY,IAAI,SAAS,EAAE,CAAC,CAAC;QAEzE,MAAM,OAAO,GAAyB;YACpC,GAAG,KAAK;YACR,SAAS;YACT,YAAY,EAAE,IAAI,CAAC,YAAY;YAC/B,QAAQ,EAAE,IAAI,CAAC,QAAQ;SACxB,CAAC;QAEF,IAAI,CAAC,YAAY,GAAG,SAAS,CAAC;QAE9B,MAAM,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,OAAmC,CAAC,CAAC;QAE9D,IAAI,IAAI,CAAC,IAAI,CAAC,MAAM,IAAI,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,YAAY,KAAK,CAAC,EAAE,CAAC;YAChE,MAAM,IAAI,CAAC,IAAI,CAAC,MAAM;iBACnB,OAAO,CAAC,SAAS,EAAE,IAAI,CAAC,QAAQ,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;iBAC3D,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;QAC1B,CAAC;IACH,CAAC;IAED,mGAAmG;IACnG,KAAK,CAAC,MAAM,CAAC,OAA+B;QAC1C,IAAI,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,IAAI,GAAG,CAAC;QACzC,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;YAC5B,MAAM,EAAE,SAAS,EAAE,YAAY,EAAE,QAAQ,EAAE,GAAG,IAAI,EAAE,GAAG,KAAK,CAAC;YAC7D,MAAM,iBAAiB,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC;YAClE,IAAI,iBAAiB,KAAK,SAAS,EAAE,CAAC;gBACpC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,cAAc,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,KAAK,EAAE,mCAAmC,QAAQ,EAAE,EAAE,CAAC;YAC9H,CAAC;YACD,IAAI,YAAY,KAAK,QAAQ,EAAE,CAAC;gBAC9B,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,cAAc,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,KAAK,EAAE,2BAA2B,QAAQ,EAAE,EAAE,CAAC;YACtH,CAAC;YACD,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,GAAG,YAAY,IAAI,SAAS,EAAE,CAAC,CAAC;QAC/D,CAAC;QACD,OAAO;YACL,KAAK,EAAE,IAAI;YACX,cAAc,EAAE,OAAO,CAAC,MAAM;YAC9B,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC;YACtB,SAAS,EAAE,OAAO,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC;SACvC,CAAC;IACJ,CAAC;IAEO,KAAK,CAAC,MAAM,CAAC,IAAY;QAC/B,IAAI,OAAO,MAAM,KAAK,WAAW,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;YACnD,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC;YAClF,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAC9F,CAAC;QACD,MAAM,EAAE,UAAU,EAAE,GAAG,wDAAa,QAAQ,GAAC,CAAC;QAC9C,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACzD,CAAC;CACF;AA/DD,oDA+DC"}

package/dist/esm/index.js

@@ -0,0 +1,171 @@
+// ──────────────────────────────────────────────────────────────────────────
+// Existing sinks
+// ──────────────────────────────────────────────────────────────────────────
+export class ConsoleAuditLogger {
+    async log(entry) {
+        console.log('[agent-identity audit]', JSON.stringify(entry, null, 2));
+    }
+}
+export class WebhookAuditLogger {
+    constructor(options) {
+        this.options = { secret: '', timeoutMs: 5000, silent: true, ...options };
+    }
+    async log(entry) {
+        const { url, secret, timeoutMs, silent } = this.options;
+        const headers = { 'Content-Type': 'application/json' };
+        if (secret)
+            headers['X-Webhook-Secret'] = secret;
+        const controller = new AbortController();
+        const timer = setTimeout(() => controller.abort(), timeoutMs);
+        try {
+            await fetch(url, { method: 'POST', headers, body: JSON.stringify(entry), signal: controller.signal });
+        }
+        catch (err) {
+            if (!silent)
+                throw err;
+            console.warn('[agent-identity] WebhookAuditLogger failed:', err);
+        }
+        finally {
+            clearTimeout(timer);
+        }
+    }
+}
+export class DatadogAuditLogger {
+    constructor(options) {
+        this.options = { service: 'agent-identity', site: 'datadoghq.com', silent: true, ...options };
+    }
+    async log(entry) {
+        const { apiKey, service, site, silent } = this.options;
+        try {
+            await fetch(`https://http-intake.logs.${site}/api/v2/logs`, {
+                method: 'POST',
+                headers: { 'DD-API-KEY': apiKey, 'Content-Type': 'application/json' },
+                body: JSON.stringify({ ddsource: 'agent-identity', service, message: JSON.stringify(entry) }),
+            });
+        }
+        catch (err) {
+            if (!silent)
+                throw err;
+            console.warn('[agent-identity] DatadogAuditLogger failed:', err);
+        }
+    }
+}
+export class SplunkAuditLogger {
+    constructor(options) {
+        this.options = { sourcetype: 'agent_identity', silent: true, ...options };
+    }
+    async log(entry) {
+        const { hecUrl, token, sourcetype, silent } = this.options;
+        try {
+            await fetch(hecUrl, {
+                method: 'POST',
+                headers: { Authorization: `Splunk ${token}`, 'Content-Type': 'application/json' },
+                body: JSON.stringify({ event: entry, sourcetype }),
+            });
+        }
+        catch (err) {
+            if (!silent)
+                throw err;
+            console.warn('[agent-identity] SplunkAuditLogger failed:', err);
+        }
+    }
+}
+export class CompositeAuditLogger {
+    constructor(loggers) {
+        this.loggers = loggers;
+    }
+    async log(entry) {
+        await Promise.allSettled(this.loggers.map((l) => l.log(entry)));
+    }
+}
+/** Prints the chain root to stdout — suitable for piping to a CI artifact */
+export class StdoutChainAnchor {
+    async publish(rootHash, sequence, timestamp) {
+        console.log(`[agent-identity chain-anchor] seq=${sequence} root=${rootHash} ts=${timestamp}`);
+    }
+}
+export class S3ChainAnchor {
+    constructor(opts) {
+        this.opts = opts;
+    }
+    async publish(rootHash, sequence, timestamp) {
+        const key = `agent-identity/chain-roots/${sequence}-${timestamp}.json`;
+        const body = JSON.stringify({ rootHash, sequence, timestamp, publishedAt: new Date().toISOString() });
+        // S3 PutObject — in production use @aws-sdk/client-s3
+        const url = `https://${this.opts.bucketName}.s3.${this.opts.region}.amazonaws.com/${key}`;
+        await fetch(url, {
+            method: 'PUT',
+            headers: { 'Content-Type': 'application/json', 'Content-Length': String(body.length) },
+            body,
+        }).catch((err) => console.warn('[S3ChainAnchor] publish failed:', err));
+    }
+}
+/**
+ * Wraps any AuditLogger with tamper-evident SHA-256 hash chaining.
+ *
+ * Each entry is hashed together with the hash of the previous entry.
+ * Any modification to a historical entry breaks the chain from that
+ * point forward — detectable by recomputing and comparing hashes.
+ *
+ * @example
+ * const logger = new HashChainAuditLogger({
+ *   sink: new DatadogAuditLogger({ apiKey: process.env.DD_API_KEY! }),
+ *   anchor: new S3ChainAnchor({ bucketName: 'my-audit-anchors', region: 'us-east-1' }),
+ * });
+ */
+export class HashChainAuditLogger {
+    constructor(opts) {
+        this.opts = opts;
+        this.sequence = 0;
+        this.previousHash = opts.seedHash ?? '0';
+        this.anchorEveryN = opts.anchorEveryN ?? 1000;
+    }
+    async log(entry) {
+        this.sequence += 1;
+        const entryHash = await this.sha256(JSON.stringify(entry));
+        const chainHash = await this.sha256(`${this.previousHash}:${entryHash}`);
+        const chained = {
+            ...entry,
+            entryHash,
+            previousHash: this.previousHash,
+            sequence: this.sequence,
+        };
+        this.previousHash = chainHash;
+        await this.opts.sink.log(chained);
+        if (this.opts.anchor && this.sequence % this.anchorEveryN === 0) {
+            await this.opts.anchor
+                .publish(chainHash, this.sequence, new Date().toISOString())
+                .catch(console.error);
+        }
+    }
+    /** Verify an ordered array of chained entries; returns result with first broken sequence if any */
+    async verify(entries) {
+        let prevHash = this.opts.seedHash ?? '0';
+        for (const entry of entries) {
+            const { entryHash, previousHash, sequence, ...data } = entry;
+            const expectedEntryHash = await this.sha256(JSON.stringify(data));
+            if (expectedEntryHash !== entryHash) {
+                return { valid: false, entriesChecked: sequence, brokenAt: sequence, error: `entry hash mismatch at sequence ${sequence}` };
+            }
+            if (previousHash !== prevHash) {
+                return { valid: false, entriesChecked: sequence, brokenAt: sequence, error: `chain break at sequence ${sequence}` };
+            }
+            prevHash = await this.sha256(`${previousHash}:${entryHash}`);
+        }
+        return {
+            valid: true,
+            entriesChecked: entries.length,
+            firstEntry: entries[0],
+            lastEntry: entries[entries.length - 1],
+        };
+    }
+    async sha256(data) {
+        if (typeof crypto !== 'undefined' && crypto.subtle) {
+            const buf = await crypto.subtle.digest('SHA-256', new TextEncoder().encode(data));
+            return Array.from(new Uint8Array(buf)).map((b) => b.toString(16).padStart(2, '0')).join('');
+        }
+        const { createHash } = await import('crypto');
+        return createHash('sha256').update(data).digest('hex');
+    }
+}
+//# sourceMappingURL=index.js.map

package/dist/esm/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAUA,6EAA6E;AAC7E,iBAAiB;AACjB,6EAA6E;AAE7E,MAAM,OAAO,kBAAkB;IAC7B,KAAK,CAAC,GAAG,CAAC,KAAoB;QAC5B,OAAO,CAAC,GAAG,CAAC,wBAAwB,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;IACxE,CAAC;CACF;AASD,MAAM,OAAO,kBAAkB;IAE7B,YAAY,OAAkC;QAC5C,IAAI,CAAC,OAAO,GAAG,EAAE,MAAM,EAAE,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,OAAO,EAAE,CAAC;IAC3E,CAAC;IACD,KAAK,CAAC,GAAG,CAAC,KAAoB;QAC5B,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC;QACxD,MAAM,OAAO,GAA2B,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC;QAC/E,IAAI,MAAM;YAAE,OAAO,CAAC,kBAAkB,CAAC,GAAG,MAAM,CAAC;QACjD,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;QACzC,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,SAAS,CAAC,CAAC;QAC9D,IAAI,CAAC;YACH,MAAM,KAAK,CAAC,GAAG,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,EAAE,MAAM,EAAE,UAAU,CAAC,MAAM,EAAE,CAAC,CAAC;QACxG,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,CAAC,MAAM;gBAAE,MAAM,GAAG,CAAC;YACvB,OAAO,CAAC,IAAI,CAAC,6CAA6C,EAAE,GAAG,CAAC,CAAC;QACnE,CAAC;gBAAS,CAAC;YACT,YAAY,CAAC,KAAK,CAAC,CAAC;QACtB,CAAC;IACH,CAAC;CACF;AASD,MAAM,OAAO,kBAAkB;IAE7B,YAAY,OAAkC;QAC5C,IAAI,CAAC,OAAO,GAAG,EAAE,OAAO,EAAE,gBAAgB,EAAE,IAAI,EAAE,eAAe,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,OAAO,EAAE,CAAC;IAChG,CAAC;IACD,KAAK,CAAC,GAAG,CAAC,KAAoB;QAC5B,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC;QACvD,IAAI,CAAC;YACH,MAAM,KAAK,CAAC,4BAA4B,IAAI,cAAc,EAAE;gBAC1D,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,EAAE,YAAY,EAAE,MAAM,EAAE,cAAc,EAAE,kBAAkB,EAAE;gBACrE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,QAAQ,EAAE,gBAAgB,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,EAAE,CAAC;aAC9F,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,CAAC,MAAM;gBAAE,MAAM,GAAG,CAAC;YACvB,OAAO,CAAC,IAAI,CAAC,6CAA6C,EAAE,GAAG,CAAC,CAAC;QACnE,CAAC;IACH,CAAC;CACF;AASD,MAAM,OAAO,iBAAiB;IAE5B,YAAY,OAAiC;QAC3C,IAAI,CAAC,OAAO,GAAG,EAAE,UAAU,EAAE,gBAAgB,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,OAAO,EAAE,CAAC;IAC5E,CAAC;IACD,KAAK,CAAC,GAAG,CAAC,KAAoB;QAC5B,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC;QAC3D,IAAI,CAAC;YACH,MAAM,KAAK,CAAC,MAAM,EAAE;gBAClB,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,KAAK,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;gBACjF,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC;aACnD,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,CAAC,MAAM;gBAAE,MAAM,GAAG,CAAC;YACvB,OAAO,CAAC,IAAI,CAAC,4CAA4C,EAAE,GAAG,CAAC,CAAC;QAClE,CAAC;IACH,CAAC;CACF;AAED,MAAM,OAAO,oBAAoB;IAC/B,YAA6B,OAAsB;QAAtB,YAAO,GAAP,OAAO,CAAe;IAAG,CAAC;IACvD,KAAK,CAAC,GAAG,CAAC,KAAoB;QAC5B,MAAM,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAClE,CAAC;CACF;AA6BD,6EAA6E;AAC7E,MAAM,OAAO,iBAAiB;IAC5B,KAAK,CAAC,OAAO,CAAC,QAAgB,EAAE,QAAgB,EAAE,SAAiB;QACjE,OAAO,CAAC,GAAG,CAAC,qCAAqC,QAAQ,SAAS,QAAQ,OAAO,SAAS,EAAE,CAAC,CAAC;IAChG,CAAC;CACF;AAUD,MAAM,OAAO,aAAa;IACxB,YAA6B,IAA0B;QAA1B,SAAI,GAAJ,IAAI,CAAsB;IAAG,CAAC;IAE3D,KAAK,CAAC,OAAO,CAAC,QAAgB,EAAE,QAAgB,EAAE,SAAiB;QACjE,MAAM,GAAG,GAAG,8BAA8B,QAAQ,IAAI,SAAS,OAAO,CAAC;QACvE,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,EAAE,QAAQ,EAAE,QAAQ,EAAE,SAAS,EAAE,WAAW,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;QACtG,sDAAsD;QACtD,MAAM,GAAG,GAAG,WAAW,IAAI,CAAC,IAAI,CAAC,UAAU,OAAO,IAAI,CAAC,IAAI,CAAC,MAAM,kBAAkB,GAAG,EAAE,CAAC;QAC1F,MAAM,KAAK,CAAC,GAAG,EAAE;YACf,MAAM,EAAE,KAAK;YACb,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,gBAAgB,EAAE,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE;YACtF,IAAI;SACL,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,iCAAiC,EAAE,GAAG,CAAC,CAAC,CAAC;IAC1E,CAAC;CACF;AAeD;;;;;;;;;;;;GAYG;AACH,MAAM,OAAO,oBAAoB;IAK/B,YAA6B,IAAsB;QAAtB,SAAI,GAAJ,IAAI,CAAkB;QAH3C,aAAQ,GAAG,CAAC,CAAC;QAInB,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC,QAAQ,IAAI,GAAG,CAAC;QACzC,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC,YAAY,IAAI,IAAI,CAAC;IAChD,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,KAAoB;QAC5B,IAAI,CAAC,QAAQ,IAAI,CAAC,CAAC;QACnB,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC;QAC3D,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,GAAG,IAAI,CAAC,YAAY,IAAI,SAAS,EAAE,CAAC,CAAC;QAEzE,MAAM,OAAO,GAAyB;YACpC,GAAG,KAAK;YACR,SAAS;YACT,YAAY,EAAE,IAAI,CAAC,YAAY;YAC/B,QAAQ,EAAE,IAAI,CAAC,QAAQ;SACxB,CAAC;QAEF,IAAI,CAAC,YAAY,GAAG,SAAS,CAAC;QAE9B,MAAM,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,OAAmC,CAAC,CAAC;QAE9D,IAAI,IAAI,CAAC,IAAI,CAAC,MAAM,IAAI,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,YAAY,KAAK,CAAC,EAAE,CAAC;YAChE,MAAM,IAAI,CAAC,IAAI,CAAC,MAAM;iBACnB,OAAO,CAAC,SAAS,EAAE,IAAI,CAAC,QAAQ,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;iBAC3D,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;QAC1B,CAAC;IACH,CAAC;IAED,mGAAmG;IACnG,KAAK,CAAC,MAAM,CAAC,OAA+B;QAC1C,IAAI,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,IAAI,GAAG,CAAC;QACzC,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;YAC5B,MAAM,EAAE,SAAS,EAAE,YAAY,EAAE,QAAQ,EAAE,GAAG,IAAI,EAAE,GAAG,KAAK,CAAC;YAC7D,MAAM,iBAAiB,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC;YAClE,IAAI,iBAAiB,KAAK,SAAS,EAAE,CAAC;gBACpC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,cAAc,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,KAAK,EAAE,mCAAmC,QAAQ,EAAE,EAAE,CAAC;YAC9H,CAAC;YACD,IAAI,YAAY,KAAK,QAAQ,EAAE,CAAC;gBAC9B,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,cAAc,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,KAAK,EAAE,2BAA2B,QAAQ,EAAE,EAAE,CAAC;YACtH,CAAC;YACD,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,GAAG,YAAY,IAAI,SAAS,EAAE,CAAC,CAAC;QAC/D,CAAC;QACD,OAAO;YACL,KAAK,EAAE,IAAI;YACX,cAAc,EAAE,OAAO,CAAC,MAAM;YAC9B,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC;YACtB,SAAS,EAAE,OAAO,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC;SACvC,CAAC;IACJ,CAAC;IAEO,KAAK,CAAC,MAAM,CAAC,IAAY;QAC/B,IAAI,OAAO,MAAM,KAAK,WAAW,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;YACnD,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC;YAClF,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAC9F,CAAC;QACD,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,MAAM,CAAC,QAAQ,CAAC,CAAC;QAC9C,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACzD,CAAC;CACF"}

package/dist/types/index.d.ts

@@ -0,0 +1,121 @@
+/**
+ * @datacules/agent-identity-audit — extended with hash-chain tamper-evident logging
+ *
+ * New in this version:
+ *   HashChainAuditLogger — wraps any existing AuditLogger and appends a SHA-256
+ *   hash chain to every entry. Detects tampering by recomputing the chain.
+ *   ChainAnchor interface + built-in S3 and stdout anchors.
+ */
+import type { AuditLogEntry, AuditLogger } from '@datacules/agent-identity';
+export declare class ConsoleAuditLogger implements AuditLogger {
+    log(entry: AuditLogEntry): Promise<void>;
+}
+export interface WebhookAuditLoggerOptions {
+    url: string;
+    secret?: string;
+    timeoutMs?: number;
+    silent?: boolean;
+}
+export declare class WebhookAuditLogger implements AuditLogger {
+    private readonly options;
+    constructor(options: WebhookAuditLoggerOptions);
+    log(entry: AuditLogEntry): Promise<void>;
+}
+export interface DatadogAuditLoggerOptions {
+    apiKey: string;
+    service?: string;
+    site?: string;
+    silent?: boolean;
+}
+export declare class DatadogAuditLogger implements AuditLogger {
+    private readonly options;
+    constructor(options: DatadogAuditLoggerOptions);
+    log(entry: AuditLogEntry): Promise<void>;
+}
+export interface SplunkAuditLoggerOptions {
+    hecUrl: string;
+    token: string;
+    sourcetype?: string;
+    silent?: boolean;
+}
+export declare class SplunkAuditLogger implements AuditLogger {
+    private readonly options;
+    constructor(options: SplunkAuditLoggerOptions);
+    log(entry: AuditLogEntry): Promise<void>;
+}
+export declare class CompositeAuditLogger implements AuditLogger {
+    private readonly loggers;
+    constructor(loggers: AuditLogger[]);
+    log(entry: AuditLogEntry): Promise<void>;
+}
+export interface ChainedAuditLogEntry extends AuditLogEntry {
+    /** SHA-256 hash of this entry's data fields */
+    entryHash: string;
+    /** SHA-256 hash of the previous entry (or '0' for the first entry) */
+    previousHash: string;
+    /** Sequential position in the chain */
+    sequence: number;
+}
+export interface ChainVerificationResult {
+    valid: boolean;
+    entriesChecked: number;
+    firstEntry?: ChainedAuditLogEntry;
+    lastEntry?: ChainedAuditLogEntry;
+    brokenAt?: number;
+    error?: string;
+}
+export interface ChainAnchor {
+    /** Publish the chain root hash to an immutable external location */
+    publish(rootHash: string, sequence: number, timestamp: string): Promise<void>;
+}
+/** Prints the chain root to stdout — suitable for piping to a CI artifact */
+export declare class StdoutChainAnchor implements ChainAnchor {
+    publish(rootHash: string, sequence: number, timestamp: string): Promise<void>;
+}
+/** Publishes the chain root hash to an S3 object with Object Lock enabled */
+export interface S3ChainAnchorOptions {
+    bucketName: string;
+    region: string;
+    /** AWS credentials or SDK client — omit to use default credential chain */
+    credentialsJson?: string;
+}
+export declare class S3ChainAnchor implements ChainAnchor {
+    private readonly opts;
+    constructor(opts: S3ChainAnchorOptions);
+    publish(rootHash: string, sequence: number, timestamp: string): Promise<void>;
+}
+export interface HashChainOptions {
+    /** Downstream sink that receives chained entries */
+    sink: AuditLogger;
+    /** Publish chain root every N entries (default: 1000) */
+    anchorEveryN?: number;
+    /** Optional anchor to publish roots externally */
+    anchor?: ChainAnchor;
+    /** Seed hash for the first entry (default: '0') */
+    seedHash?: string;
+}
+/**
+ * Wraps any AuditLogger with tamper-evident SHA-256 hash chaining.
+ *
+ * Each entry is hashed together with the hash of the previous entry.
+ * Any modification to a historical entry breaks the chain from that
+ * point forward — detectable by recomputing and comparing hashes.
+ *
+ * @example
+ * const logger = new HashChainAuditLogger({
+ *   sink: new DatadogAuditLogger({ apiKey: process.env.DD_API_KEY! }),
+ *   anchor: new S3ChainAnchor({ bucketName: 'my-audit-anchors', region: 'us-east-1' }),
+ * });
+ */
+export declare class HashChainAuditLogger implements AuditLogger {
+    private readonly opts;
+    private previousHash;
+    private sequence;
+    private readonly anchorEveryN;
+    constructor(opts: HashChainOptions);
+    log(entry: AuditLogEntry): Promise<void>;
+    /** Verify an ordered array of chained entries; returns result with first broken sequence if any */
+    verify(entries: ChainedAuditLogEntry[]): Promise<ChainVerificationResult>;
+    private sha256;
+}
+//# sourceMappingURL=index.d.ts.map

package/dist/types/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AACH,OAAO,KAAK,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,2BAA2B,CAAC;AAM5E,qBAAa,kBAAmB,YAAW,WAAW;IAC9C,GAAG,CAAC,KAAK,EAAE,aAAa,GAAG,OAAO,CAAC,IAAI,CAAC;CAG/C;AAED,MAAM,WAAW,yBAAyB;IACxC,GAAG,EAAE,MAAM,CAAC;IACZ,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,MAAM,CAAC,EAAE,OAAO,CAAC;CAClB;AAED,qBAAa,kBAAmB,YAAW,WAAW;IACpD,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAsC;gBAClD,OAAO,EAAE,yBAAyB;IAGxC,GAAG,CAAC,KAAK,EAAE,aAAa,GAAG,OAAO,CAAC,IAAI,CAAC;CAe/C;AAED,MAAM,WAAW,yBAAyB;IACxC,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,OAAO,CAAC;CAClB;AAED,qBAAa,kBAAmB,YAAW,WAAW;IACpD,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAsC;gBAClD,OAAO,EAAE,yBAAyB;IAGxC,GAAG,CAAC,KAAK,EAAE,aAAa,GAAG,OAAO,CAAC,IAAI,CAAC;CAa/C;AAED,MAAM,WAAW,wBAAwB;IACvC,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,MAAM,CAAC,EAAE,OAAO,CAAC;CAClB;AAED,qBAAa,iBAAkB,YAAW,WAAW;IACnD,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAqC;gBACjD,OAAO,EAAE,wBAAwB;IAGvC,GAAG,CAAC,KAAK,EAAE,aAAa,GAAG,OAAO,CAAC,IAAI,CAAC;CAa/C;AAED,qBAAa,oBAAqB,YAAW,WAAW;IAC1C,OAAO,CAAC,QAAQ,CAAC,OAAO;gBAAP,OAAO,EAAE,WAAW,EAAE;IAC7C,GAAG,CAAC,KAAK,EAAE,aAAa,GAAG,OAAO,CAAC,IAAI,CAAC;CAG/C;AAID,MAAM,WAAW,oBAAqB,SAAQ,aAAa;IACzD,+CAA+C;IAC/C,SAAS,EAAE,MAAM,CAAC;IAClB,sEAAsE;IACtE,YAAY,EAAE,MAAM,CAAC;IACrB,uCAAuC;IACvC,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,uBAAuB;IACtC,KAAK,EAAE,OAAO,CAAC;IACf,cAAc,EAAE,MAAM,CAAC;IACvB,UAAU,CAAC,EAAE,oBAAoB,CAAC;IAClC,SAAS,CAAC,EAAE,oBAAoB,CAAC;IACjC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAID,MAAM,WAAW,WAAW;IAC1B,oEAAoE;IACpE,OAAO,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CAC/E;AAED,6EAA6E;AAC7E,qBAAa,iBAAkB,YAAW,WAAW;IAC7C,OAAO,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAGpF;AAED,6EAA6E;AAC7E,MAAM,WAAW,oBAAoB;IACnC,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,MAAM,CAAC;IACf,2EAA2E;IAC3E,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED,qBAAa,aAAc,YAAW,WAAW;IACnC,OAAO,CAAC,QAAQ,CAAC,IAAI;gBAAJ,IAAI,EAAE,oBAAoB;IAEjD,OAAO,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAWpF;AAID,MAAM,WAAW,gBAAgB;IAC/B,oDAAoD;IACpD,IAAI,EAAE,WAAW,CAAC;IAClB,yDAAyD;IACzD,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,kDAAkD;IAClD,MAAM,CAAC,EAAE,WAAW,CAAC;IACrB,mDAAmD;IACnD,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;;;;;;;GAYG;AACH,qBAAa,oBAAqB,YAAW,WAAW;IAK1C,OAAO,CAAC,QAAQ,CAAC,IAAI;IAJjC,OAAO,CAAC,YAAY,CAAS;IAC7B,OAAO,CAAC,QAAQ,CAAK;IACrB,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAS;gBAET,IAAI,EAAE,gBAAgB;IAK7C,GAAG,CAAC,KAAK,EAAE,aAAa,GAAG,OAAO,CAAC,IAAI,CAAC;IAuB9C,mGAAmG;IAC7F,MAAM,CAAC,OAAO,EAAE,oBAAoB,EAAE,GAAG,OAAO,CAAC,uBAAuB,CAAC;YAqBjE,MAAM;CAQrB"}

package/package.json

@@ -1,18 +1,47 @@
 {
   "name": "@datacules/agent-identity-audit",
-  "version": "0.11.0",
+  "version": "0.11.1",
   "private": false,
   "description": "Pre-built audit logger sinks for @datacules/agent-identity (Console, Webhook, Datadog, Splunk)",
+  "author": "Datacules LLC",
+  "license": "SEE LICENSE IN LICENSE",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/hvrcharon1/agent-identity.git",
+    "directory": "packages/audit"
+  },
+  "keywords": [
+    "agent-identity",
+    "audit",
+    "logging",
+    "datadog",
+    "splunk",
+    "webhook",
+    "ai-agents",
+    "datacules"
+  ],
   "main": "./dist/cjs/index.js",
   "module": "./dist/esm/index.js",
   "types": "./dist/types/index.d.ts",
+  "exports": {
+    ".": {
+      "import": "./dist/esm/index.js",
+      "require": "./dist/cjs/index.js",
+      "types": "./dist/types/index.d.ts"
+    }
+  },
+  "files": [
+    "dist",
+    "LICENSE",
+    "README.md"
+  ],
   "scripts": {
-    "build": "tsc -p tsconfig.build.json",
+    "build": "tsc -p tsconfig.build.json && tsc -p tsconfig.cjs.json",
     "test": "vitest run",
     "type-check": "tsc --noEmit"
   },
   "peerDependencies": {
-    "@datacules/agent-identity": "^0.8.0"
+    "@datacules/agent-identity": "^0.11.1"
   },
   "devDependencies": {
     "@datacules/agent-identity": "*",

package/src/audit.test.ts

@@ -1,213 +0,0 @@
-import { describe, it, expect, vi, beforeEach } from 'vitest';
-import {
-  ConsoleAuditLogger,
-  WebhookAuditLogger,
-  DatadogAuditLogger,
-  SplunkAuditLogger,
-  CompositeAuditLogger,
-} from './index';
-import type { AuditLogEntry } from '@datacules/agent-identity';
-
-// All HTTP calls are mocked via vi.stubGlobal('fetch', ...).
-// No live webhook, Datadog, or Splunk endpoint is needed.
-const mockFetch = vi.fn();
-vi.stubGlobal('fetch', mockFetch);
-
-const ENTRY: AuditLogEntry = {
-  userId: 'user-alice',
-  resourceId: 'knowledge-base',
-  resourceKind: 'shared',
-  provider: 'openai',
-  action: 'read',
-  credentialId: 'cred-openai-prod',
-  credentialKind: 'fixed',
-  resolvedFor: 'service',
-  traceId: 'trace-abc123',
-  sessionId: 'sess-xyz',
-  requestedAt: '2026-05-30T12:00:00.000Z',
-  model: 'gpt-4o',
-};
-
-// ── ConsoleAuditLogger ─────────────────────────────────────────────────────
-
-describe('ConsoleAuditLogger', () => {
-  it('calls console.log with the [agent-identity audit] prefix and JSON entry', async () => {
-    const spy = vi.spyOn(console, 'log').mockImplementation(() => {});
-    const logger = new ConsoleAuditLogger();
-    await logger.log(ENTRY);
-    expect(spy).toHaveBeenCalledOnce();
-    const [prefix, json] = spy.mock.calls[0] as [string, string];
-    expect(prefix).toBe('[agent-identity audit]');
-    expect(json).toContain('cred-openai-prod');
-    spy.mockRestore();
-  });
-
-  it('resolves without throwing on any valid AuditLogEntry', async () => {
-    vi.spyOn(console, 'log').mockImplementation(() => {});
-    const logger = new ConsoleAuditLogger();
-    await expect(logger.log(ENTRY)).resolves.not.toThrow();
-    vi.restoreAllMocks();
-  });
-});
-
-// ── WebhookAuditLogger ─────────────────────────────────────────────────────
-
-describe('WebhookAuditLogger', () => {
-  beforeEach(() => vi.clearAllMocks());
-
-  it('POSTs the entry as JSON to the configured webhook URL', async () => {
-    mockFetch.mockResolvedValueOnce({ ok: true } as Response);
-    const logger = new WebhookAuditLogger({ url: 'https://hooks.example.com/agent-identity' });
-    await logger.log(ENTRY);
-    expect(mockFetch).toHaveBeenCalledWith(
-      'https://hooks.example.com/agent-identity',
-      expect.objectContaining({
-        method: 'POST',
-        headers: expect.objectContaining({ 'Content-Type': 'application/json' }),
-        body: expect.stringContaining('cred-openai-prod'),
-      })
-    );
-  });
-
-  it('adds the X-Webhook-Secret header when a secret is configured', async () => {
-    mockFetch.mockResolvedValueOnce({ ok: true } as Response);
-    const logger = new WebhookAuditLogger({
-      url: 'https://hooks.example.com/ai',
-      secret: 'hmac-secret-xyz',
-    });
-    await logger.log(ENTRY);
-    expect(mockFetch).toHaveBeenCalledWith(
-      expect.any(String),
-      expect.objectContaining({
-        headers: expect.objectContaining({ 'X-Webhook-Secret': 'hmac-secret-xyz' }),
-      })
-    );
-  });
-
-  it('resolves without throwing when fetch fails and silent=true (default)', async () => {
-    mockFetch.mockRejectedValueOnce(new Error('Network unreachable'));
-    vi.spyOn(console, 'warn').mockImplementation(() => {});
-    const logger = new WebhookAuditLogger({ url: 'https://hooks.example.com/agent-identity' });
-    await expect(logger.log(ENTRY)).resolves.not.toThrow();
-    vi.restoreAllMocks();
-  });
-
-  it('throws when fetch fails and silent=false', async () => {
-    mockFetch.mockRejectedValueOnce(new Error('Connection refused'));
-    const logger = new WebhookAuditLogger({
-      url: 'https://hooks.example.com/ai',
-      silent: false,
-    });
-    await expect(logger.log(ENTRY)).rejects.toThrow('Connection refused');
-  });
-});
-
-// ── DatadogAuditLogger ─────────────────────────────────────────────────────
-
-describe('DatadogAuditLogger', () => {
-  beforeEach(() => vi.clearAllMocks());
-
-  it('POSTs to the Datadog log intake URL with the DD-API-KEY header', async () => {
-    mockFetch.mockResolvedValueOnce({ ok: true } as Response);
-    const logger = new DatadogAuditLogger({ apiKey: 'dd-api-key-test-123' });
-    await logger.log(ENTRY);
-    expect(mockFetch).toHaveBeenCalledWith(
-      expect.stringContaining('https://http-intake.logs.datadoghq.com/api/v2/logs'),
-      expect.objectContaining({
-        headers: expect.objectContaining({ 'DD-API-KEY': 'dd-api-key-test-123' }),
-      })
-    );
-  });
-
-  it('uses a custom Datadog site when the site option is specified', async () => {
-    mockFetch.mockResolvedValueOnce({ ok: true } as Response);
-    const logger = new DatadogAuditLogger({ apiKey: 'key', site: 'datadoghq.eu' });
-    await logger.log(ENTRY);
-    const [url] = mockFetch.mock.calls[0] as [string];
-    expect(url).toContain('datadoghq.eu');
-  });
-
-  it('is silent by default when fetch fails (resolves without throwing)', async () => {
-    mockFetch.mockRejectedValueOnce(new Error('Datadog unreachable'));
-    vi.spyOn(console, 'warn').mockImplementation(() => {});
-    const logger = new DatadogAuditLogger({ apiKey: 'key' });
-    await expect(logger.log(ENTRY)).resolves.not.toThrow();
-    vi.restoreAllMocks();
-  });
-});
-
-// ── SplunkAuditLogger ─────────────────────────────────────────────────────
-
-describe('SplunkAuditLogger', () => {
-  beforeEach(() => vi.clearAllMocks());
-
-  it('POSTs to the HEC URL with a Splunk token Authorization header', async () => {
-    mockFetch.mockResolvedValueOnce({ ok: true } as Response);
-    const logger = new SplunkAuditLogger({
-      hecUrl: 'https://splunk.example.com:8088/services/collector',
-      token: 'splunk-token-abc',
-    });
-    await logger.log(ENTRY);
-    expect(mockFetch).toHaveBeenCalledWith(
-      'https://splunk.example.com:8088/services/collector',
-      expect.objectContaining({
-        headers: expect.objectContaining({ Authorization: 'Splunk splunk-token-abc' }),
-      })
-    );
-  });
-
-  it('includes the audit entry inside the Splunk event payload', async () => {
-    mockFetch.mockResolvedValueOnce({ ok: true } as Response);
-    const logger = new SplunkAuditLogger({
-      hecUrl: 'https://splunk.example.com/collector',
-      token: 'tok',
-    });
-    await logger.log(ENTRY);
-    const body = JSON.parse(
-      (mockFetch.mock.calls[0][1] as RequestInit).body as string
-    ) as { event: AuditLogEntry; sourcetype: string };
-    expect(body.event).toMatchObject({ credentialId: 'cred-openai-prod' });
-    expect(body.sourcetype).toBe('agent_identity');
-  });
-
-  it('is silent by default when fetch fails (resolves without throwing)', async () => {
-    mockFetch.mockRejectedValueOnce(new Error('HEC unreachable'));
-    vi.spyOn(console, 'warn').mockImplementation(() => {});
-    const logger = new SplunkAuditLogger({
-      hecUrl: 'https://splunk.example.com/collector',
-      token: 'tok',
-    });
-    await expect(logger.log(ENTRY)).resolves.not.toThrow();
-    vi.restoreAllMocks();
-  });
-});
-
-// ── CompositeAuditLogger ───────────────────────────────────────────────────
-
-describe('CompositeAuditLogger', () => {
-  beforeEach(() => vi.clearAllMocks());
-
-  it('forwards the entry to all registered loggers', async () => {
-    const logA = { log: vi.fn<[AuditLogEntry], Promise<void>>().mockResolvedValue(undefined) };
-    const logB = { log: vi.fn<[AuditLogEntry], Promise<void>>().mockResolvedValue(undefined) };
-    const composite = new CompositeAuditLogger([logA, logB]);
-    await composite.log(ENTRY);
-    expect(logA.log).toHaveBeenCalledWith(ENTRY);
-    expect(logB.log).toHaveBeenCalledWith(ENTRY);
-  });
-
-  it('continues via Promise.allSettled even when one logger rejects', async () => {
-    const logA = { log: vi.fn<[AuditLogEntry], Promise<void>>().mockRejectedValue(new Error('Sink A failed')) };
-    const logB = { log: vi.fn<[AuditLogEntry], Promise<void>>().mockResolvedValue(undefined) };
-    const composite = new CompositeAuditLogger([logA, logB]);
-    await expect(composite.log(ENTRY)).resolves.not.toThrow();
-    expect(logB.log).toHaveBeenCalledWith(ENTRY);
-  });
-
-  it('works correctly with a single logger', async () => {
-    const logA = { log: vi.fn<[AuditLogEntry], Promise<void>>().mockResolvedValue(undefined) };
-    const composite = new CompositeAuditLogger([logA]);
-    await composite.log(ENTRY);
-    expect(logA.log).toHaveBeenCalledOnce();
-  });
-});

package/src/index.ts

@@ -1,258 +0,0 @@
-/**
- * @datacules/agent-identity-audit — extended with hash-chain tamper-evident logging
- *
- * New in this version:
- *   HashChainAuditLogger — wraps any existing AuditLogger and appends a SHA-256
- *   hash chain to every entry. Detects tampering by recomputing the chain.
- *   ChainAnchor interface + built-in S3 and stdout anchors.
- */
-import type { AuditLogEntry, AuditLogger } from '@datacules/agent-identity';
-
-// ──────────────────────────────────────────────────────────────────────────
-// Existing sinks
-// ──────────────────────────────────────────────────────────────────────────
-
-export class ConsoleAuditLogger implements AuditLogger {
-  async log(entry: AuditLogEntry): Promise<void> {
-    console.log('[agent-identity audit]', JSON.stringify(entry, null, 2));
-  }
-}
-
-export interface WebhookAuditLoggerOptions {
-  url: string;
-  secret?: string;
-  timeoutMs?: number;
-  silent?: boolean;
-}
-
-export class WebhookAuditLogger implements AuditLogger {
-  private readonly options: Required<WebhookAuditLoggerOptions>;
-  constructor(options: WebhookAuditLoggerOptions) {
-    this.options = { secret: '', timeoutMs: 5000, silent: true, ...options };
-  }
-  async log(entry: AuditLogEntry): Promise<void> {
-    const { url, secret, timeoutMs, silent } = this.options;
-    const headers: Record<string, string> = { 'Content-Type': 'application/json' };
-    if (secret) headers['X-Webhook-Secret'] = secret;
-    const controller = new AbortController();
-    const timer = setTimeout(() => controller.abort(), timeoutMs);
-    try {
-      await fetch(url, { method: 'POST', headers, body: JSON.stringify(entry), signal: controller.signal });
-    } catch (err) {
-      if (!silent) throw err;
-      console.warn('[agent-identity] WebhookAuditLogger failed:', err);
-    } finally {
-      clearTimeout(timer);
-    }
-  }
-}
-
-export interface DatadogAuditLoggerOptions {
-  apiKey: string;
-  service?: string;
-  site?: string;
-  silent?: boolean;
-}
-
-export class DatadogAuditLogger implements AuditLogger {
-  private readonly options: Required<DatadogAuditLoggerOptions>;
-  constructor(options: DatadogAuditLoggerOptions) {
-    this.options = { service: 'agent-identity', site: 'datadoghq.com', silent: true, ...options };
-  }
-  async log(entry: AuditLogEntry): Promise<void> {
-    const { apiKey, service, site, silent } = this.options;
-    try {
-      await fetch(`https://http-intake.logs.${site}/api/v2/logs`, {
-        method: 'POST',
-        headers: { 'DD-API-KEY': apiKey, 'Content-Type': 'application/json' },
-        body: JSON.stringify({ ddsource: 'agent-identity', service, message: JSON.stringify(entry) }),
-      });
-    } catch (err) {
-      if (!silent) throw err;
-      console.warn('[agent-identity] DatadogAuditLogger failed:', err);
-    }
-  }
-}
-
-export interface SplunkAuditLoggerOptions {
-  hecUrl: string;
-  token: string;
-  sourcetype?: string;
-  silent?: boolean;
-}
-
-export class SplunkAuditLogger implements AuditLogger {
-  private readonly options: Required<SplunkAuditLoggerOptions>;
-  constructor(options: SplunkAuditLoggerOptions) {
-    this.options = { sourcetype: 'agent_identity', silent: true, ...options };
-  }
-  async log(entry: AuditLogEntry): Promise<void> {
-    const { hecUrl, token, sourcetype, silent } = this.options;
-    try {
-      await fetch(hecUrl, {
-        method: 'POST',
-        headers: { Authorization: `Splunk ${token}`, 'Content-Type': 'application/json' },
-        body: JSON.stringify({ event: entry, sourcetype }),
-      });
-    } catch (err) {
-      if (!silent) throw err;
-      console.warn('[agent-identity] SplunkAuditLogger failed:', err);
-    }
-  }
-}
-
-export class CompositeAuditLogger implements AuditLogger {
-  constructor(private readonly loggers: AuditLogger[]) {}
-  async log(entry: AuditLogEntry): Promise<void> {
-    await Promise.allSettled(this.loggers.map((l) => l.log(entry)));
-  }
-}
-
-// ─── Hash chain types ────────────────────────────────────────────────────────────
-
-export interface ChainedAuditLogEntry extends AuditLogEntry {
-  /** SHA-256 hash of this entry's data fields */
-  entryHash: string;
-  /** SHA-256 hash of the previous entry (or '0' for the first entry) */
-  previousHash: string;
-  /** Sequential position in the chain */
-  sequence: number;
-}
-
-export interface ChainVerificationResult {
-  valid: boolean;
-  entriesChecked: number;
-  firstEntry?: ChainedAuditLogEntry;
-  lastEntry?: ChainedAuditLogEntry;
-  brokenAt?: number; // sequence number where chain breaks
-  error?: string;
-}
-
-// ─── Chain Anchor ────────────────────────────────────────────────────────────────
-
-export interface ChainAnchor {
-  /** Publish the chain root hash to an immutable external location */
-  publish(rootHash: string, sequence: number, timestamp: string): Promise<void>;
-}
-
-/** Prints the chain root to stdout — suitable for piping to a CI artifact */
-export class StdoutChainAnchor implements ChainAnchor {
-  async publish(rootHash: string, sequence: number, timestamp: string): Promise<void> {
-    console.log(`[agent-identity chain-anchor] seq=${sequence} root=${rootHash} ts=${timestamp}`);
-  }
-}
-
-/** Publishes the chain root hash to an S3 object with Object Lock enabled */
-export interface S3ChainAnchorOptions {
-  bucketName: string;
-  region: string;
-  /** AWS credentials or SDK client — omit to use default credential chain */
-  credentialsJson?: string;
-}
-
-export class S3ChainAnchor implements ChainAnchor {
-  constructor(private readonly opts: S3ChainAnchorOptions) {}
-
-  async publish(rootHash: string, sequence: number, timestamp: string): Promise<void> {
-    const key = `agent-identity/chain-roots/${sequence}-${timestamp}.json`;
-    const body = JSON.stringify({ rootHash, sequence, timestamp, publishedAt: new Date().toISOString() });
-    // S3 PutObject — in production use @aws-sdk/client-s3
-    const url = `https://${this.opts.bucketName}.s3.${this.opts.region}.amazonaws.com/${key}`;
-    await fetch(url, {
-      method: 'PUT',
-      headers: { 'Content-Type': 'application/json', 'Content-Length': String(body.length) },
-      body,
-    }).catch((err) => console.warn('[S3ChainAnchor] publish failed:', err));
-  }
-}
-
-// ─── HashChainAuditLogger ──────────────────────────────────────────────────────
-
-export interface HashChainOptions {
-  /** Downstream sink that receives chained entries */
-  sink: AuditLogger;
-  /** Publish chain root every N entries (default: 1000) */
-  anchorEveryN?: number;
-  /** Optional anchor to publish roots externally */
-  anchor?: ChainAnchor;
-  /** Seed hash for the first entry (default: '0') */
-  seedHash?: string;
-}
-
-/**
- * Wraps any AuditLogger with tamper-evident SHA-256 hash chaining.
- *
- * Each entry is hashed together with the hash of the previous entry.
- * Any modification to a historical entry breaks the chain from that
- * point forward — detectable by recomputing and comparing hashes.
- *
- * @example
- * const logger = new HashChainAuditLogger({
- *   sink: new DatadogAuditLogger({ apiKey: process.env.DD_API_KEY! }),
- *   anchor: new S3ChainAnchor({ bucketName: 'my-audit-anchors', region: 'us-east-1' }),
- * });
- */
-export class HashChainAuditLogger implements AuditLogger {
-  private previousHash: string;
-  private sequence = 0;
-  private readonly anchorEveryN: number;
-
-  constructor(private readonly opts: HashChainOptions) {
-    this.previousHash = opts.seedHash ?? '0';
-    this.anchorEveryN = opts.anchorEveryN ?? 1000;
-  }
-
-  async log(entry: AuditLogEntry): Promise<void> {
-    this.sequence += 1;
-    const entryHash = await this.sha256(JSON.stringify(entry));
-    const chainHash = await this.sha256(`${this.previousHash}:${entryHash}`);
-
-    const chained: ChainedAuditLogEntry = {
-      ...entry,
-      entryHash,
-      previousHash: this.previousHash,
-      sequence: this.sequence,
-    };
-
-    this.previousHash = chainHash;
-
-    await this.opts.sink.log(chained as unknown as AuditLogEntry);
-
-    if (this.opts.anchor && this.sequence % this.anchorEveryN === 0) {
-      await this.opts.anchor
-        .publish(chainHash, this.sequence, new Date().toISOString())
-        .catch(console.error);
-    }
-  }
-
-  /** Verify an ordered array of chained entries; returns result with first broken sequence if any */
-  async verify(entries: ChainedAuditLogEntry[]): Promise<ChainVerificationResult> {
-    let prevHash = this.opts.seedHash ?? '0';
-    for (const entry of entries) {
-      const { entryHash, previousHash, sequence, ...data } = entry;
-      const expectedEntryHash = await this.sha256(JSON.stringify(data));
-      if (expectedEntryHash !== entryHash) {
-        return { valid: false, entriesChecked: sequence, brokenAt: sequence, error: `entry hash mismatch at sequence ${sequence}` };
-      }
-      if (previousHash !== prevHash) {
-        return { valid: false, entriesChecked: sequence, brokenAt: sequence, error: `chain break at sequence ${sequence}` };
-      }
-      prevHash = await this.sha256(`${previousHash}:${entryHash}`);
-    }
-    return {
-      valid: true,
-      entriesChecked: entries.length,
-      firstEntry: entries[0],
-      lastEntry: entries[entries.length - 1],
-    };
-  }
-
-  private async sha256(data: string): Promise<string> {
-    if (typeof crypto !== 'undefined' && crypto.subtle) {
-      const buf = await crypto.subtle.digest('SHA-256', new TextEncoder().encode(data));
-      return Array.from(new Uint8Array(buf)).map((b) => b.toString(16).padStart(2, '0')).join('');
-    }
-    const { createHash } = await import('crypto');
-    return createHash('sha256').update(data).digest('hex');
-  }
-}