npm - @datacules/agent-identity-compliance - Versions diffs - 0.11.0 → 0.11.1 - Mend

@datacules/agent-identity-compliance 0.11.0 → 0.11.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/LICENSE ADDED Viewed

@@ -0,0 +1,109 @@
+Datacules Agent Identity License — Version 1.0
+Copyright (c) 2026 Datacules LLC. All rights reserved.
+─────────────────────────────────────────────────────────────────────────────
+PREAMBLE
+─────────────────────────────────────────────────────────────────────────────
+This software — Agent Identity & Auth Patterns — is developed and owned by
+Datacules LLC. It is made available to the public as open-source software
+under the permissive terms below.
+Datacules LLC retains ownership and authorship of this software while
+granting broad, royalty-free rights for anyone to use, copy, modify, and
+distribute it — in commercial or non-commercial contexts — without requiring
+that derivative works also become open source.
+─────────────────────────────────────────────────────────────────────────────
+TERMS AND CONDITIONS
+─────────────────────────────────────────────────────────────────────────────
+1. PERMISSION TO USE
+   Permission is hereby granted, free of charge, to any person or
+   organization obtaining a copy of this software and associated
+   documentation files (the "Software"), to use, copy, modify, merge,
+   publish, distribute, sublicense, and/or sell copies of the Software,
+   and to permit persons to whom the Software is furnished to do so,
+   subject to the conditions below.
+2. ATTRIBUTION
+   a. Redistributions of source code must retain this copyright notice,
+      this list of conditions, and the disclaimer below.
+   b. Redistributions in binary form or as a product must reproduce this
+      copyright notice, this list of conditions, and the disclaimer in the
+      documentation and/or other materials provided with the distribution.
+   c. Neither the name "Datacules LLC" nor the names of its contributors
+      may be used to endorse or promote products derived from this Software
+      without prior written permission from Datacules LLC.
+3. COMMERCIAL USE
+   Use of this Software in commercial products, SaaS platforms, internal
+   enterprise tools, or any revenue-generating context is explicitly
+   permitted without royalty, fee, or additional licensing agreement,
+   provided that the conditions in Section 2 (Attribution) are met.
+4. NO COPYLEFT / NO VIRAL REQUIREMENT
+   This license does NOT require that derivative works, modifications,
+   or software that uses or embeds this Software be made open source.
+   You may incorporate this Software into proprietary or closed-source
+   products under your own license terms.
+5. MODIFICATIONS
+   Modified versions of the Software may be distributed under the same
+   terms as this license or under any other permissive open-source
+   license (e.g. MIT, Apache 2.0, BSD), provided that:
+   a. The original copyright notice of Datacules LLC is preserved.
+   b. Modifications are clearly documented and distinguished from the
+      original work.
+6. COMPATIBILITY
+   This license is compatible with other permissive open-source licenses
+   such as MIT, BSD 2-Clause, BSD 3-Clause, and Apache License 2.0. It
+   is also GPL-compatible — this Software may coexist with GPL-licensed
+   code, though this Software itself is not distributed under the GPL.
+─────────────────────────────────────────────────────────────────────────────
+DISCLAIMER
+─────────────────────────────────────────────────────────────────────────────
+THIS SOFTWARE IS PROVIDED BY DATACULES LLC AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE,
+AND NON-INFRINGEMENT ARE DISCLAIMED.
+IN NO EVENT SHALL DATACULES LLC OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+─────────────────────────────────────────────────────────────────────────────
+SUMMARY (non-binding)
+─────────────────────────────────────────────────────────────────────────────
+  ✔  Use freely — commercial, proprietary, or open-source projects
+  ✔  Modify and distribute with or without changes
+  ✔  Sell products built on this Software
+  ✔  No royalties or fees
+  ✔  No requirement to open-source your own code
+  ✔  Attribution to Datacules LLC required in source and binary distributions
+  ✗  Do not use "Datacules LLC" to endorse derived products without permission
+─────────────────────────────────────────────────────────────────────────────
+CONTACT
+─────────────────────────────────────────────────────────────────────────────
+Datacules LLC
+For licensing enquiries: legal@datacules.com
+Product: https://github.com/hvrcharon1/agent-identity

package/dist/cjs/index.js ADDED Viewed

@@ -0,0 +1,292 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ChainVerifier = exports.HashChainAuditLogger = exports.ComplianceReportGenerator = exports.MemoryReportStore = void 0;
+const node_crypto_1 = require("node:crypto");
+/** In-memory store for testing — populate with entries from your audit sink */
+class MemoryReportStore {
+    constructor(entries) {
+        this.entries = entries;
+    }
+    async queryEntries(from, to) {
+        const start = new Date(from).getTime();
+        const end = new Date(to).getTime();
+        return this.entries.filter((e) => {
+            const t = new Date(e.timestamp).getTime();
+            return t >= start && t <= end;
+        });
+    }
+}
+exports.MemoryReportStore = MemoryReportStore;
+// ─── Business hours helper ───────────────────────────────────────────────────────
+function isOffHours(timestamp, startHour = 9, endHour = 18) {
+    const d = new Date(timestamp);
+    const hour = d.getUTCHours();
+    const day = d.getUTCDay(); // 0 = Sun, 6 = Sat
+    if (day === 0 || day === 6)
+        return true; // weekends
+    return hour < startHour || hour >= endHour;
+}
+class ComplianceReportGenerator {
+    constructor(config) {
+        this.config = config;
+        this.piiTags = config.piiTags ?? ['pii', 'phi', 'personal'];
+        this.bhStart = config.businessHoursStart ?? 9;
+        this.bhEnd = config.businessHoursEnd ?? 18;
+    }
+    async generate(request) {
+        const allEntries = await this.config.store.queryEntries(request.from, request.to);
+        // Filter by agent IDs if specified
+        const entries = request.agentIds?.length
+            ? allEntries.filter((e) => request.agentIds.includes(e.userId))
+            : allEntries;
+        const agentAccessSummary = this.buildAgentAccessSummary(entries);
+        const piiResourceAccess = this.findPiiAccess(entries);
+        const offHoursAccess = this.findOffHoursAccess(entries);
+        const credentialRotationHistory = this.findRotationEvents(entries);
+        const anomalyEvents = this.findAnomalyEvents(entries);
+        const report = {
+            type: request.type,
+            generatedAt: new Date().toISOString(),
+            periodFrom: request.from,
+            periodTo: request.to,
+            agentAccessSummary,
+            piiResourceAccess,
+            offHoursAccess,
+            credentialRotationHistory,
+            anomalyEvents,
+            totalEntries: entries.length,
+            summary: this.buildSummary(request.type, entries.length, piiResourceAccess.length, offHoursAccess.length, anomalyEvents.length),
+        };
+        if (request.format === 'markdown') {
+            return { ...report, summary: this.buildMarkdownReport(report) };
+        }
+        return report;
+    }
+    buildAgentAccessSummary(entries) {
+        const map = new Map();
+        for (const e of entries) {
+            if (e.action.startsWith('credential.'))
+                continue; // system events
+            let s = map.get(e.userId);
+            if (!s) {
+                s = { userId: e.userId, credentialIds: [], resourceIds: [], actionCounts: {}, resolutionCount: 0, firstSeen: e.timestamp, lastSeen: e.timestamp };
+                map.set(e.userId, s);
+            }
+            if (!s.credentialIds.includes(e.credentialId))
+                s.credentialIds.push(e.credentialId);
+            if (!s.resourceIds.includes(e.resourceId))
+                s.resourceIds.push(e.resourceId);
+            s.actionCounts[e.action] = (s.actionCounts[e.action] ?? 0) + 1;
+            s.resolutionCount += 1;
+            if (e.timestamp < s.firstSeen)
+                s.firstSeen = e.timestamp;
+            if (e.timestamp > s.lastSeen)
+                s.lastSeen = e.timestamp;
+        }
+        return Array.from(map.values()).sort((a, b) => b.resolutionCount - a.resolutionCount);
+    }
+    findPiiAccess(entries) {
+        return entries.filter((e) => this.piiTags.some((tag) => e.resourceId.toLowerCase().includes(tag)));
+    }
+    findOffHoursAccess(entries) {
+        return entries
+            .filter((e) => !e.action.startsWith('credential.') && isOffHours(e.timestamp, this.bhStart, this.bhEnd))
+            .map((e) => ({ timestamp: e.timestamp, userId: e.userId, action: e.action, resourceId: e.resourceId, credentialId: e.credentialId }));
+    }
+    findRotationEvents(entries) {
+        return entries
+            .filter((e) => e.action === 'credential.rotated')
+            .map((e) => ({ credentialId: e.credentialId, rotatedAt: e.timestamp, triggeredBy: e.userId }));
+    }
+    findAnomalyEvents(entries) {
+        return entries
+            .filter((e) => e.action === 'credential.anomaly')
+            .map((e) => ({
+            timestamp: e.timestamp,
+            userId: e.userId,
+            credentialId: e.credentialId,
+            signal: e.signal ?? 'unknown',
+            severity: e.severity ?? 'unknown',
+        }));
+    }
+    buildSummary(type, total, pii, offHours, anomalies) {
+        return `${type.toUpperCase()} report: ${total} total resolutions, ${pii} PII resource accesses, ${offHours} off-hours accesses, ${anomalies} anomaly events`;
+    }
+    buildMarkdownReport(report) {
+        const lines = [
+            `# Agent Identity — ${report.type.toUpperCase()} Compliance Report`,
+            `**Period:** ${report.periodFrom} – ${report.periodTo}`,
+            `**Generated:** ${report.generatedAt}`,
+            `**Total resolutions:** ${report.totalEntries}`,
+            '',
+            '## Agent Access Summary',
+            '| Agent | Resolutions | Credentials | Resources | First Seen | Last Seen |',
+            '|-------|-------------|-------------|-----------|------------|-----------|',
+            ...report.agentAccessSummary.map((a) => `| ${a.userId} | ${a.resolutionCount} | ${a.credentialIds.length} | ${a.resourceIds.length} | ${a.firstSeen.slice(0, 10)} | ${a.lastSeen.slice(0, 10)} |`),
+            '',
+            `## PII Resource Access (${report.piiResourceAccess.length} events)`,
+            report.piiResourceAccess.length === 0 ? '_None_' : report.piiResourceAccess.map((e) => `- ${e.timestamp} | ${e.userId} | ${e.action} | ${e.resourceId}`).join('\n'),
+            '',
+            `## Off-Hours Access (${report.offHoursAccess.length} events)`,
+            report.offHoursAccess.length === 0 ? '_None_' : report.offHoursAccess.map((e) => `- ${e.timestamp} | ${e.userId} | ${e.action} | ${e.resourceId}`).join('\n'),
+            '',
+            `## Credential Rotation History (${report.credentialRotationHistory.length} rotations)`,
+            report.credentialRotationHistory.length === 0 ? '_None_' : report.credentialRotationHistory.map((r) => `- ${r.rotatedAt} | ${r.credentialId} | triggered by ${r.triggeredBy}`).join('\n'),
+            '',
+            `## Anomaly Events (${report.anomalyEvents.length} events)`,
+            report.anomalyEvents.length === 0 ? '_None_' : report.anomalyEvents.map((a) => `- ${a.timestamp} | ${a.userId} | ${a.credentialId} | ${a.signal} (${a.severity})`).join('\n'),
+        ];
+        return lines.join('\n');
+    }
+}
+exports.ComplianceReportGenerator = ComplianceReportGenerator;
+/**
+ * Computes the SHA-256 hash for a single audit log entry.
+ *
+ * The hash input is:
+ *   SHA256( JSON.stringify(coreFields) + prevHash )
+ *
+ * where coreFields are the entry's own data fields (excluding hash/prevHash
+ * themselves) sorted by key for deterministic serialisation.
+ */
+function computeEntryHash(entry, prevHash) {
+    // Exclude the chain fields from the payload so re-verification is stable
+    const { hash: _h, prevHash: _p, ...coreFields } = entry;
+    void _h;
+    void _p;
+    const sortedKeys = Object.keys(coreFields).sort();
+    const payload = {};
+    for (const k of sortedKeys) {
+        payload[k] = coreFields[k];
+    }
+    return (0, node_crypto_1.createHash)('sha256')
+        .update(JSON.stringify(payload) + prevHash)
+        .digest('hex');
+}
+/**
+ * HashChainAuditLogger wraps any existing AuditLogger and appends
+ * `hash` and `prevHash` fields to every entry before forwarding to
+ * the underlying sink.
+ *
+ * Each entry's hash covers its own data + the previous entry's hash,
+ * forming a SHA-256 linked list. Any retroactive modification to an
+ * entry breaks the chain from that point forward — detectable by
+ * ChainVerifier.verify() in O(n) time.
+ *
+ * Usage:
+ *   const base = new ConsoleAuditLogger();
+ *   const chained = new HashChainAuditLogger(base);
+ *   const router = createRouter(credentials, rules, chained);
+ *
+ * The underlying sink receives ChainedAuditLogEntry objects. If it
+ * serialises to JSONL (one JSON object per line), that file can be
+ * verified offline with:
+ *   agent-identity audit verify --file ./audit.jsonl
+ */
+class HashChainAuditLogger {
+    constructor(sink) {
+        this.sink = sink;
+        this.prevHash = '';
+    }
+    log(entry) {
+        const hash = computeEntryHash(entry, this.prevHash);
+        const chained = {
+            ...entry,
+            prevHash: this.prevHash,
+            hash,
+        };
+        this.prevHash = hash;
+        this.sink.log(chained);
+    }
+    /** Returns the hash of the most recently logged entry (the current chain tip) */
+    get currentHash() {
+        return this.prevHash;
+    }
+}
+exports.HashChainAuditLogger = HashChainAuditLogger;
+/**
+ * Verifies a sequence of ChainedAuditLogEntry objects.
+ *
+ * Replays the SHA-256 chain from the beginning. The first entry must
+ * have prevHash === '' (empty string). Every subsequent entry's hash
+ * must equal SHA256(sortedEntryData + prevEntry.hash).
+ *
+ * Any single field modification in any entry will break the chain
+ * from that entry onward.
+ */
+class ChainVerifier {
+    /**
+     * Verify an in-memory array of entries.
+     *
+     * @param entries - Array of entries parsed from an audit log
+     */
+    static verify(entries) {
+        if (entries.length === 0) {
+            return { intact: false, entryCount: 0, rootHash: null, brokenAt: null, brokenReason: 'Log is empty — nothing to verify' };
+        }
+        let prevHash = '';
+        for (let i = 0; i < entries.length; i++) {
+            const entry = entries[i];
+            // Check the recorded prevHash matches our running chain
+            if (entry.prevHash !== prevHash) {
+                return {
+                    intact: false,
+                    entryCount: entries.length,
+                    rootHash: entries[i - 1]?.hash ?? null,
+                    brokenAt: i,
+                    brokenReason: `Entry ${i}: prevHash mismatch — expected ${prevHash.slice(0, 16)}… got ${entry.prevHash.slice(0, 16)}…`,
+                };
+            }
+            // Recompute the hash and check it matches what was recorded
+            const expected = computeEntryHash(entry, prevHash);
+            if (entry.hash !== expected) {
+                return {
+                    intact: false,
+                    entryCount: entries.length,
+                    rootHash: entries[i - 1]?.hash ?? null,
+                    brokenAt: i,
+                    brokenReason: `Entry ${i}: hash mismatch — entry data appears to have been modified`,
+                };
+            }
+            prevHash = entry.hash;
+        }
+        return {
+            intact: true,
+            entryCount: entries.length,
+            rootHash: prevHash,
+            brokenAt: null,
+            brokenReason: null,
+        };
+    }
+    /**
+     * Parse a JSONL string (one JSON object per line) and verify the chain.
+     * Blank lines and lines that fail JSON.parse are skipped with a warning.
+     *
+     * @param jsonl - Full JSONL file content as a string
+     */
+    static verifyJsonl(jsonl) {
+        const entries = [];
+        const lines = jsonl.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+            const line = lines[i].trim();
+            if (!line)
+                continue;
+            try {
+                entries.push(JSON.parse(line));
+            }
+            catch {
+                // Non-JSON line — treat as a chain break
+                return {
+                    intact: false,
+                    entryCount: entries.length,
+                    rootHash: entries[entries.length - 1]?.hash ?? null,
+                    brokenAt: entries.length,
+                    brokenReason: `Line ${i + 1}: failed to parse as JSON — log file may be corrupted`,
+                };
+            }
+        }
+        return ChainVerifier.verify(entries);
+    }
+}
+exports.ChainVerifier = ChainVerifier;
+//# sourceMappingURL=index.js.map

package/dist/cjs/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";;;AAoBA,6CAAyC;AAuEzC,+EAA+E;AAC/E,MAAa,iBAAiB;IAC5B,YAA6B,OAAwB;QAAxB,YAAO,GAAP,OAAO,CAAiB;IAAG,CAAC;IAEzD,KAAK,CAAC,YAAY,CAAC,IAAY,EAAE,EAAU;QACzC,MAAM,KAAK,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,CAAC;QACvC,MAAM,GAAG,GAAG,IAAI,IAAI,CAAC,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC;QACnC,OAAO,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;YAC/B,MAAM,CAAC,GAAG,IAAI,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,CAAC;YAC1C,OAAO,CAAC,IAAI,KAAK,IAAI,CAAC,IAAI,GAAG,CAAC;QAChC,CAAC,CAAC,CAAC;IACL,CAAC;CACF;AAXD,8CAWC;AAED,oFAAoF;AAEpF,SAAS,UAAU,CAAC,SAAiB,EAAE,SAAS,GAAG,CAAC,EAAE,OAAO,GAAG,EAAE;IAChE,MAAM,CAAC,GAAG,IAAI,IAAI,CAAC,SAAS,CAAC,CAAC;IAC9B,MAAM,IAAI,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC;IAC7B,MAAM,GAAG,GAAG,CAAC,CAAC,SAAS,EAAE,CAAC,CAAC,mBAAmB;IAC9C,IAAI,GAAG,KAAK,CAAC,IAAI,GAAG,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC,CAAC,WAAW;IACpD,OAAO,IAAI,GAAG,SAAS,IAAI,IAAI,IAAI,OAAO,CAAC;AAC7C,CAAC;AAcD,MAAa,yBAAyB;IAKpC,YAA6B,MAAuC;QAAvC,WAAM,GAAN,MAAM,CAAiC;QAClE,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC,OAAO,IAAI,CAAC,KAAK,EAAE,KAAK,EAAE,UAAU,CAAC,CAAC;QAC5D,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC,kBAAkB,IAAI,CAAC,CAAC;QAC9C,IAAI,CAAC,KAAK,GAAG,MAAM,CAAC,gBAAgB,IAAI,EAAE,CAAC;IAC7C,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,OAAsB;QACnC,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,YAAY,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,EAAE,CAAC,CAAC;QAElF,mCAAmC;QACnC,MAAM,OAAO,GAAG,OAAO,CAAC,QAAQ,EAAE,MAAM;YACtC,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,QAAS,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;YAChE,CAAC,CAAC,UAAU,CAAC;QAEf,MAAM,kBAAkB,GAAG,IAAI,CAAC,uBAAuB,CAAC,OAAO,CAAC,CAAC;QACjE,MAAM,iBAAiB,GAAG,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC;QACtD,MAAM,cAAc,GAAG,IAAI,CAAC,kBAAkB,CAAC,OAAO,CAAC,CAAC;QACxD,MAAM,yBAAyB,GAAG,IAAI,CAAC,kBAAkB,CAAC,OAAO,CAAC,CAAC;QACnE,MAAM,aAAa,GAAG,IAAI,CAAC,iBAAiB,CAAC,OAAO,CAAC,CAAC;QAEtD,MAAM,MAAM,GAAqB;YAC/B,IAAI,EAAE,OAAO,CAAC,IAAI;YAClB,WAAW,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACrC,UAAU,EAAE,OAAO,CAAC,IAAI;YACxB,QAAQ,EAAE,OAAO,CAAC,EAAE;YACpB,kBAAkB;YAClB,iBAAiB;YACjB,cAAc;YACd,yBAAyB;YACzB,aAAa;YACb,YAAY,EAAE,OAAO,CAAC,MAAM;YAC5B,OAAO,EAAE,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,MAAM,EAAE,iBAAiB,CAAC,MAAM,EAAE,cAAc,CAAC,MAAM,EAAE,aAAa,CAAC,MAAM,CAAC;SAChI,CAAC;QAEF,IAAI,OAAO,CAAC,MAAM,KAAK,UAAU,EAAE,CAAC;YAClC,OAAO,EAAE,GAAG,MAAM,EAAE,OAAO,EAAE,IAAI,CAAC,mBAAmB,CAAC,MAAM,CAAC,EAAE,CAAC;QAClE,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAEO,uBAAuB,CAAC,OAAwB;QACtD,MAAM,GAAG,GAAG,IAAI,GAAG,EAA8B,CAAC;QAClD,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;YACxB,IAAI,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,aAAa,CAAC;gBAAE,SAAS,CAAC,gBAAgB;YAClE,IAAI,CAAC,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;YAC1B,IAAI,CAAC,CAAC,EAAE,CAAC;gBACP,CAAC,GAAG,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,aAAa,EAAE,EAAE,EAAE,WAAW,EAAE,EAAE,EAAE,YAAY,EAAE,EAAE,EAAE,eAAe,EAAE,CAAC,EAAE,SAAS,EAAE,CAAC,CAAC,SAAS,EAAE,QAAQ,EAAE,CAAC,CAAC,SAAS,EAAE,CAAC;gBAClJ,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;YACvB,CAAC;YACD,IAAI,CAAC,CAAC,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC,CAAC,YAAY,CAAC;gBAAE,CAAC,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC;YACpF,IAAI,CAAC,CAAC,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC,CAAC,UAAU,CAAC;gBAAE,CAAC,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC;YAC5E,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;YAC/D,CAAC,CAAC,eAAe,IAAI,CAAC,CAAC;YACvB,IAAI,CAAC,CAAC,SAAS,GAAG,CAAC,CAAC,SAAS;gBAAE,CAAC,CAAC,SAAS,GAAG,CAAC,CAAC,SAAS,CAAC;YACzD,IAAI,CAAC,CAAC,SAAS,GAAG,CAAC,CAAC,QAAQ;gBAAE,CAAC,CAAC,QAAQ,GAAG,CAAC,CAAC,SAAS,CAAC;QACzD,CAAC;QACD,OAAO,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,eAAe,GAAG,CAAC,CAAC,eAAe,CAAC,CAAC;IACxF,CAAC;IAEO,aAAa,CAAC,OAAwB;QAC5C,OAAO,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAC1B,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CACrE,CAAC;IACJ,CAAC;IAEO,kBAAkB,CAAC,OAAwB;QACjD,OAAO,OAAO;aACX,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,aAAa,CAAC,IAAI,UAAU,CAAC,CAAC,CAAC,SAAS,EAAE,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC;aACvG,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,SAAS,EAAE,CAAC,CAAC,SAAS,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,UAAU,EAAE,CAAC,CAAC,UAAU,EAAE,YAAY,EAAE,CAAC,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC;IAC1I,CAAC;IAEO,kBAAkB,CAAC,OAAwB;QACjD,OAAO,OAAO;aACX,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,oBAAoB,CAAC;aAChD,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,YAAY,EAAE,CAAC,CAAC,YAAY,EAAE,SAAS,EAAE,CAAC,CAAC,SAAS,EAAE,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;IACnG,CAAC;IAEO,iBAAiB,CAAC,OAAwB;QAChD,OAAO,OAAO;aACX,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,oBAAoB,CAAC;aAChD,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YACX,SAAS,EAAE,CAAC,CAAC,SAAS;YACtB,MAAM,EAAE,CAAC,CAAC,MAAM;YAChB,YAAY,EAAE,CAAC,CAAC,YAAY;YAC5B,MAAM,EAAG,CAAuC,CAAC,MAAM,IAAI,SAAS;YACpE,QAAQ,EAAG,CAAuC,CAAC,QAAQ,IAAI,SAAS;SACzE,CAAC,CAAC,CAAC;IACR,CAAC;IAEO,YAAY,CAAC,IAAgB,EAAE,KAAa,EAAE,GAAW,EAAE,QAAgB,EAAE,SAAiB;QACpG,OAAO,GAAG,IAAI,CAAC,WAAW,EAAE,YAAY,KAAK,uBAAuB,GAAG,2BAA2B,QAAQ,wBAAwB,SAAS,iBAAiB,CAAC;IAC/J,CAAC;IAEO,mBAAmB,CAAC,MAAwB;QAClD,MAAM,KAAK,GAAa;YACtB,sBAAsB,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,oBAAoB;YACnE,eAAe,MAAM,CAAC,UAAU,MAAM,MAAM,CAAC,QAAQ,EAAE;YACvD,kBAAkB,MAAM,CAAC,WAAW,EAAE;YACtC,0BAA0B,MAAM,CAAC,YAAY,EAAE;YAC/C,EAAE;YACF,yBAAyB;YACzB,4EAA4E;YAC5E,4EAA4E;YAC5E,GAAG,MAAM,CAAC,kBAAkB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CACrC,KAAK,CAAC,CAAC,MAAM,MAAM,CAAC,CAAC,eAAe,MAAM,CAAC,CAAC,aAAa,CAAC,MAAM,MAAM,CAAC,CAAC,WAAW,CAAC,MAAM,MAAM,CAAC,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,EAAC,EAAE,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAC,EAAE,CAAC,IAAI,CACxJ;YACD,EAAE;YACF,2BAA2B,MAAM,CAAC,iBAAiB,CAAC,MAAM,UAAU;YACpE,MAAM,CAAC,iBAAiB,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,iBAAiB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC,SAAS,MAAM,CAAC,CAAC,MAAM,MAAM,CAAC,CAAC,MAAM,MAAM,CAAC,CAAC,UAAU,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC;YACnK,EAAE;YACF,wBAAwB,MAAM,CAAC,cAAc,CAAC,MAAM,UAAU;YAC9D,MAAM,CAAC,cAAc,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC,SAAS,MAAM,CAAC,CAAC,MAAM,MAAM,CAAC,CAAC,MAAM,MAAM,CAAC,CAAC,UAAU,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC;YAC7J,EAAE;YACF,mCAAmC,MAAM,CAAC,yBAAyB,CAAC,MAAM,aAAa;YACvF,MAAM,CAAC,yBAAyB,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,yBAAyB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC,SAAS,MAAM,CAAC,CAAC,YAAY,mBAAmB,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC;YACzL,EAAE;YACF,sBAAsB,MAAM,CAAC,aAAa,CAAC,MAAM,UAAU;YAC3D,MAAM,CAAC,aAAa,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC,SAAS,MAAM,CAAC,CAAC,MAAM,MAAM,CAAC,CAAC,YAAY,MAAM,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,QAAQ,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC;SAC9K,CAAC;QACF,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC1B,CAAC;CACF;AA/HD,8DA+HC;AA+BD;;;;;;;;GAQG;AACH,SAAS,gBAAgB,CAAC,KAAoB,EAAE,QAAgB;IAC9D,yEAAyE;IACzE,MAAM,EAAE,IAAI,EAAE,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE,GAAG,UAAU,EAAE,GAAG,KAA6B,CAAC;IAChF,KAAK,EAAE,CAAC;IAAC,KAAK,EAAE,CAAC;IACjB,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,IAAI,EAAE,CAAC;IAClD,MAAM,OAAO,GAA4B,EAAE,CAAC;IAC5C,KAAK,MAAM,CAAC,IAAI,UAAU,EAAE,CAAC;QAC3B,OAAO,CAAC,CAAC,CAAC,GAAI,UAAsC,CAAC,CAAC,CAAC,CAAC;IAC1D,CAAC;IACD,OAAO,IAAA,wBAAU,EAAC,QAAQ,CAAC;SACxB,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,GAAG,QAAQ,CAAC;SAC1C,MAAM,CAAC,KAAK,CAAC,CAAC;AACnB,CAAC;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAa,oBAAoB;IAG/B,YAA6B,IAAiB;QAAjB,SAAI,GAAJ,IAAI,CAAa;QAFtC,aAAQ,GAAG,EAAE,CAAC;IAE2B,CAAC;IAElD,GAAG,CAAC,KAAoB;QACtB,MAAM,IAAI,GAAG,gBAAgB,CAAC,KAAK,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC;QACpD,MAAM,OAAO,GAAyB;YACpC,GAAG,KAAK;YACR,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,IAAI;SACL,CAAC;QACF,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC;QACrB,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,OAAmC,CAAC,CAAC;IACrD,CAAC;IAED,iFAAiF;IACjF,IAAI,WAAW;QACb,OAAO,IAAI,CAAC,QAAQ,CAAC;IACvB,CAAC;CACF;AApBD,oDAoBC;AAED;;;;;;;;;GASG;AACH,MAAa,aAAa;IACxB;;;;OAIG;IACH,MAAM,CAAC,MAAM,CAAC,OAA+B;QAC3C,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACzB,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,YAAY,EAAE,kCAAkC,EAAE,CAAC;QAC5H,CAAC;QAED,IAAI,QAAQ,GAAG,EAAE,CAAC;QAElB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACxC,MAAM,KAAK,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;YAEzB,wDAAwD;YACxD,IAAI,KAAK,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;gBAChC,OAAO;oBACL,MAAM,EAAE,KAAK;oBACb,UAAU,EAAE,OAAO,CAAC,MAAM;oBAC1B,QAAQ,EAAE,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,IAAI,IAAI;oBACtC,QAAQ,EAAE,CAAC;oBACX,YAAY,EAAE,SAAS,CAAC,kCAAkC,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,SAAS,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG;iBACvH,CAAC;YACJ,CAAC;YAED,4DAA4D;YAC5D,MAAM,QAAQ,GAAG,gBAAgB,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;YACnD,IAAI,KAAK,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;gBAC5B,OAAO;oBACL,MAAM,EAAE,KAAK;oBACb,UAAU,EAAE,OAAO,CAAC,MAAM;oBAC1B,QAAQ,EAAE,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,IAAI,IAAI;oBACtC,QAAQ,EAAE,CAAC;oBACX,YAAY,EAAE,SAAS,CAAC,4DAA4D;iBACrF,CAAC;YACJ,CAAC;YAED,QAAQ,GAAG,KAAK,CAAC,IAAI,CAAC;QACxB,CAAC;QAED,OAAO;YACL,MAAM,EAAE,IAAI;YACZ,UAAU,EAAE,OAAO,CAAC,MAAM;YAC1B,QAAQ,EAAE,QAAQ;YAClB,QAAQ,EAAE,IAAI;YACd,YAAY,EAAE,IAAI;SACnB,CAAC;IACJ,CAAC;IAED;;;;;OAKG;IACH,MAAM,CAAC,WAAW,CAAC,KAAa;QAC9B,MAAM,OAAO,GAA2B,EAAE,CAAC;QAC3C,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAChC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YAC7B,IAAI,CAAC,IAAI;gBAAE,SAAS;YACpB,IAAI,CAAC;gBACH,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAyB,CAAC,CAAC;YACzD,CAAC;YAAC,MAAM,CAAC;gBACP,yCAAyC;gBACzC,OAAO;oBACL,MAAM,EAAE,KAAK;oBACb,UAAU,EAAE,OAAO,CAAC,MAAM;oBAC1B,QAAQ,EAAE,OAAO,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,EAAE,IAAI,IAAI,IAAI;oBACnD,QAAQ,EAAE,OAAO,CAAC,MAAM;oBACxB,YAAY,EAAE,QAAQ,CAAC,GAAG,CAAC,uDAAuD;iBACnF,CAAC;YACJ,CAAC;QACH,CAAC;QACD,OAAO,aAAa,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IACvC,CAAC;CACF;AA9ED,sCA8EC"}

package/dist/esm/index.js ADDED Viewed

@@ -0,0 +1,285 @@
+import { createHash } from 'node:crypto';
+/** In-memory store for testing — populate with entries from your audit sink */
+export class MemoryReportStore {
+    constructor(entries) {
+        this.entries = entries;
+    }
+    async queryEntries(from, to) {
+        const start = new Date(from).getTime();
+        const end = new Date(to).getTime();
+        return this.entries.filter((e) => {
+            const t = new Date(e.timestamp).getTime();
+            return t >= start && t <= end;
+        });
+    }
+}
+// ─── Business hours helper ───────────────────────────────────────────────────────
+function isOffHours(timestamp, startHour = 9, endHour = 18) {
+    const d = new Date(timestamp);
+    const hour = d.getUTCHours();
+    const day = d.getUTCDay(); // 0 = Sun, 6 = Sat
+    if (day === 0 || day === 6)
+        return true; // weekends
+    return hour < startHour || hour >= endHour;
+}
+export class ComplianceReportGenerator {
+    constructor(config) {
+        this.config = config;
+        this.piiTags = config.piiTags ?? ['pii', 'phi', 'personal'];
+        this.bhStart = config.businessHoursStart ?? 9;
+        this.bhEnd = config.businessHoursEnd ?? 18;
+    }
+    async generate(request) {
+        const allEntries = await this.config.store.queryEntries(request.from, request.to);
+        // Filter by agent IDs if specified
+        const entries = request.agentIds?.length
+            ? allEntries.filter((e) => request.agentIds.includes(e.userId))
+            : allEntries;
+        const agentAccessSummary = this.buildAgentAccessSummary(entries);
+        const piiResourceAccess = this.findPiiAccess(entries);
+        const offHoursAccess = this.findOffHoursAccess(entries);
+        const credentialRotationHistory = this.findRotationEvents(entries);
+        const anomalyEvents = this.findAnomalyEvents(entries);
+        const report = {
+            type: request.type,
+            generatedAt: new Date().toISOString(),
+            periodFrom: request.from,
+            periodTo: request.to,
+            agentAccessSummary,
+            piiResourceAccess,
+            offHoursAccess,
+            credentialRotationHistory,
+            anomalyEvents,
+            totalEntries: entries.length,
+            summary: this.buildSummary(request.type, entries.length, piiResourceAccess.length, offHoursAccess.length, anomalyEvents.length),
+        };
+        if (request.format === 'markdown') {
+            return { ...report, summary: this.buildMarkdownReport(report) };
+        }
+        return report;
+    }
+    buildAgentAccessSummary(entries) {
+        const map = new Map();
+        for (const e of entries) {
+            if (e.action.startsWith('credential.'))
+                continue; // system events
+            let s = map.get(e.userId);
+            if (!s) {
+                s = { userId: e.userId, credentialIds: [], resourceIds: [], actionCounts: {}, resolutionCount: 0, firstSeen: e.timestamp, lastSeen: e.timestamp };
+                map.set(e.userId, s);
+            }
+            if (!s.credentialIds.includes(e.credentialId))
+                s.credentialIds.push(e.credentialId);
+            if (!s.resourceIds.includes(e.resourceId))
+                s.resourceIds.push(e.resourceId);
+            s.actionCounts[e.action] = (s.actionCounts[e.action] ?? 0) + 1;
+            s.resolutionCount += 1;
+            if (e.timestamp < s.firstSeen)
+                s.firstSeen = e.timestamp;
+            if (e.timestamp > s.lastSeen)
+                s.lastSeen = e.timestamp;
+        }
+        return Array.from(map.values()).sort((a, b) => b.resolutionCount - a.resolutionCount);
+    }
+    findPiiAccess(entries) {
+        return entries.filter((e) => this.piiTags.some((tag) => e.resourceId.toLowerCase().includes(tag)));
+    }
+    findOffHoursAccess(entries) {
+        return entries
+            .filter((e) => !e.action.startsWith('credential.') && isOffHours(e.timestamp, this.bhStart, this.bhEnd))
+            .map((e) => ({ timestamp: e.timestamp, userId: e.userId, action: e.action, resourceId: e.resourceId, credentialId: e.credentialId }));
+    }
+    findRotationEvents(entries) {
+        return entries
+            .filter((e) => e.action === 'credential.rotated')
+            .map((e) => ({ credentialId: e.credentialId, rotatedAt: e.timestamp, triggeredBy: e.userId }));
+    }
+    findAnomalyEvents(entries) {
+        return entries
+            .filter((e) => e.action === 'credential.anomaly')
+            .map((e) => ({
+            timestamp: e.timestamp,
+            userId: e.userId,
+            credentialId: e.credentialId,
+            signal: e.signal ?? 'unknown',
+            severity: e.severity ?? 'unknown',
+        }));
+    }
+    buildSummary(type, total, pii, offHours, anomalies) {
+        return `${type.toUpperCase()} report: ${total} total resolutions, ${pii} PII resource accesses, ${offHours} off-hours accesses, ${anomalies} anomaly events`;
+    }
+    buildMarkdownReport(report) {
+        const lines = [
+            `# Agent Identity — ${report.type.toUpperCase()} Compliance Report`,
+            `**Period:** ${report.periodFrom} – ${report.periodTo}`,
+            `**Generated:** ${report.generatedAt}`,
+            `**Total resolutions:** ${report.totalEntries}`,
+            '',
+            '## Agent Access Summary',
+            '| Agent | Resolutions | Credentials | Resources | First Seen | Last Seen |',
+            '|-------|-------------|-------------|-----------|------------|-----------|',
+            ...report.agentAccessSummary.map((a) => `| ${a.userId} | ${a.resolutionCount} | ${a.credentialIds.length} | ${a.resourceIds.length} | ${a.firstSeen.slice(0, 10)} | ${a.lastSeen.slice(0, 10)} |`),
+            '',
+            `## PII Resource Access (${report.piiResourceAccess.length} events)`,
+            report.piiResourceAccess.length === 0 ? '_None_' : report.piiResourceAccess.map((e) => `- ${e.timestamp} | ${e.userId} | ${e.action} | ${e.resourceId}`).join('\n'),
+            '',
+            `## Off-Hours Access (${report.offHoursAccess.length} events)`,
+            report.offHoursAccess.length === 0 ? '_None_' : report.offHoursAccess.map((e) => `- ${e.timestamp} | ${e.userId} | ${e.action} | ${e.resourceId}`).join('\n'),
+            '',
+            `## Credential Rotation History (${report.credentialRotationHistory.length} rotations)`,
+            report.credentialRotationHistory.length === 0 ? '_None_' : report.credentialRotationHistory.map((r) => `- ${r.rotatedAt} | ${r.credentialId} | triggered by ${r.triggeredBy}`).join('\n'),
+            '',
+            `## Anomaly Events (${report.anomalyEvents.length} events)`,
+            report.anomalyEvents.length === 0 ? '_None_' : report.anomalyEvents.map((a) => `- ${a.timestamp} | ${a.userId} | ${a.credentialId} | ${a.signal} (${a.severity})`).join('\n'),
+        ];
+        return lines.join('\n');
+    }
+}
+/**
+ * Computes the SHA-256 hash for a single audit log entry.
+ *
+ * The hash input is:
+ *   SHA256( JSON.stringify(coreFields) + prevHash )
+ *
+ * where coreFields are the entry's own data fields (excluding hash/prevHash
+ * themselves) sorted by key for deterministic serialisation.
+ */
+function computeEntryHash(entry, prevHash) {
+    // Exclude the chain fields from the payload so re-verification is stable
+    const { hash: _h, prevHash: _p, ...coreFields } = entry;
+    void _h;
+    void _p;
+    const sortedKeys = Object.keys(coreFields).sort();
+    const payload = {};
+    for (const k of sortedKeys) {
+        payload[k] = coreFields[k];
+    }
+    return createHash('sha256')
+        .update(JSON.stringify(payload) + prevHash)
+        .digest('hex');
+}
+/**
+ * HashChainAuditLogger wraps any existing AuditLogger and appends
+ * `hash` and `prevHash` fields to every entry before forwarding to
+ * the underlying sink.
+ *
+ * Each entry's hash covers its own data + the previous entry's hash,
+ * forming a SHA-256 linked list. Any retroactive modification to an
+ * entry breaks the chain from that point forward — detectable by
+ * ChainVerifier.verify() in O(n) time.
+ *
+ * Usage:
+ *   const base = new ConsoleAuditLogger();
+ *   const chained = new HashChainAuditLogger(base);
+ *   const router = createRouter(credentials, rules, chained);
+ *
+ * The underlying sink receives ChainedAuditLogEntry objects. If it
+ * serialises to JSONL (one JSON object per line), that file can be
+ * verified offline with:
+ *   agent-identity audit verify --file ./audit.jsonl
+ */
+export class HashChainAuditLogger {
+    constructor(sink) {
+        this.sink = sink;
+        this.prevHash = '';
+    }
+    log(entry) {
+        const hash = computeEntryHash(entry, this.prevHash);
+        const chained = {
+            ...entry,
+            prevHash: this.prevHash,
+            hash,
+        };
+        this.prevHash = hash;
+        this.sink.log(chained);
+    }
+    /** Returns the hash of the most recently logged entry (the current chain tip) */
+    get currentHash() {
+        return this.prevHash;
+    }
+}
+/**
+ * Verifies a sequence of ChainedAuditLogEntry objects.
+ *
+ * Replays the SHA-256 chain from the beginning. The first entry must
+ * have prevHash === '' (empty string). Every subsequent entry's hash
+ * must equal SHA256(sortedEntryData + prevEntry.hash).
+ *
+ * Any single field modification in any entry will break the chain
+ * from that entry onward.
+ */
+export class ChainVerifier {
+    /**
+     * Verify an in-memory array of entries.
+     *
+     * @param entries - Array of entries parsed from an audit log
+     */
+    static verify(entries) {
+        if (entries.length === 0) {
+            return { intact: false, entryCount: 0, rootHash: null, brokenAt: null, brokenReason: 'Log is empty — nothing to verify' };
+        }
+        let prevHash = '';
+        for (let i = 0; i < entries.length; i++) {
+            const entry = entries[i];
+            // Check the recorded prevHash matches our running chain
+            if (entry.prevHash !== prevHash) {
+                return {
+                    intact: false,
+                    entryCount: entries.length,
+                    rootHash: entries[i - 1]?.hash ?? null,
+                    brokenAt: i,
+                    brokenReason: `Entry ${i}: prevHash mismatch — expected ${prevHash.slice(0, 16)}… got ${entry.prevHash.slice(0, 16)}…`,
+                };
+            }
+            // Recompute the hash and check it matches what was recorded
+            const expected = computeEntryHash(entry, prevHash);
+            if (entry.hash !== expected) {
+                return {
+                    intact: false,
+                    entryCount: entries.length,
+                    rootHash: entries[i - 1]?.hash ?? null,
+                    brokenAt: i,
+                    brokenReason: `Entry ${i}: hash mismatch — entry data appears to have been modified`,
+                };
+            }
+            prevHash = entry.hash;
+        }
+        return {
+            intact: true,
+            entryCount: entries.length,
+            rootHash: prevHash,
+            brokenAt: null,
+            brokenReason: null,
+        };
+    }
+    /**
+     * Parse a JSONL string (one JSON object per line) and verify the chain.
+     * Blank lines and lines that fail JSON.parse are skipped with a warning.
+     *
+     * @param jsonl - Full JSONL file content as a string
+     */
+    static verifyJsonl(jsonl) {
+        const entries = [];
+        const lines = jsonl.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+            const line = lines[i].trim();
+            if (!line)
+                continue;
+            try {
+                entries.push(JSON.parse(line));
+            }
+            catch {
+                // Non-JSON line — treat as a chain break
+                return {
+                    intact: false,
+                    entryCount: entries.length,
+                    rootHash: entries[entries.length - 1]?.hash ?? null,
+                    brokenAt: entries.length,
+                    brokenReason: `Line ${i + 1}: failed to parse as JSON — log file may be corrupted`,
+                };
+            }
+        }
+        return ChainVerifier.verify(entries);
+    }
+}
+//# sourceMappingURL=index.js.map

package/dist/esm/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAoBA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAuEzC,+EAA+E;AAC/E,MAAM,OAAO,iBAAiB;IAC5B,YAA6B,OAAwB;QAAxB,YAAO,GAAP,OAAO,CAAiB;IAAG,CAAC;IAEzD,KAAK,CAAC,YAAY,CAAC,IAAY,EAAE,EAAU;QACzC,MAAM,KAAK,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,CAAC;QACvC,MAAM,GAAG,GAAG,IAAI,IAAI,CAAC,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC;QACnC,OAAO,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;YAC/B,MAAM,CAAC,GAAG,IAAI,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,CAAC;YAC1C,OAAO,CAAC,IAAI,KAAK,IAAI,CAAC,IAAI,GAAG,CAAC;QAChC,CAAC,CAAC,CAAC;IACL,CAAC;CACF;AAED,oFAAoF;AAEpF,SAAS,UAAU,CAAC,SAAiB,EAAE,SAAS,GAAG,CAAC,EAAE,OAAO,GAAG,EAAE;IAChE,MAAM,CAAC,GAAG,IAAI,IAAI,CAAC,SAAS,CAAC,CAAC;IAC9B,MAAM,IAAI,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC;IAC7B,MAAM,GAAG,GAAG,CAAC,CAAC,SAAS,EAAE,CAAC,CAAC,mBAAmB;IAC9C,IAAI,GAAG,KAAK,CAAC,IAAI,GAAG,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC,CAAC,WAAW;IACpD,OAAO,IAAI,GAAG,SAAS,IAAI,IAAI,IAAI,OAAO,CAAC;AAC7C,CAAC;AAcD,MAAM,OAAO,yBAAyB;IAKpC,YAA6B,MAAuC;QAAvC,WAAM,GAAN,MAAM,CAAiC;QAClE,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC,OAAO,IAAI,CAAC,KAAK,EAAE,KAAK,EAAE,UAAU,CAAC,CAAC;QAC5D,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC,kBAAkB,IAAI,CAAC,CAAC;QAC9C,IAAI,CAAC,KAAK,GAAG,MAAM,CAAC,gBAAgB,IAAI,EAAE,CAAC;IAC7C,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,OAAsB;QACnC,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,YAAY,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,EAAE,CAAC,CAAC;QAElF,mCAAmC;QACnC,MAAM,OAAO,GAAG,OAAO,CAAC,QAAQ,EAAE,MAAM;YACtC,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,QAAS,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;YAChE,CAAC,CAAC,UAAU,CAAC;QAEf,MAAM,kBAAkB,GAAG,IAAI,CAAC,uBAAuB,CAAC,OAAO,CAAC,CAAC;QACjE,MAAM,iBAAiB,GAAG,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC;QACtD,MAAM,cAAc,GAAG,IAAI,CAAC,kBAAkB,CAAC,OAAO,CAAC,CAAC;QACxD,MAAM,yBAAyB,GAAG,IAAI,CAAC,kBAAkB,CAAC,OAAO,CAAC,CAAC;QACnE,MAAM,aAAa,GAAG,IAAI,CAAC,iBAAiB,CAAC,OAAO,CAAC,CAAC;QAEtD,MAAM,MAAM,GAAqB;YAC/B,IAAI,EAAE,OAAO,CAAC,IAAI;YAClB,WAAW,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACrC,UAAU,EAAE,OAAO,CAAC,IAAI;YACxB,QAAQ,EAAE,OAAO,CAAC,EAAE;YACpB,kBAAkB;YAClB,iBAAiB;YACjB,cAAc;YACd,yBAAyB;YACzB,aAAa;YACb,YAAY,EAAE,OAAO,CAAC,MAAM;YAC5B,OAAO,EAAE,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,MAAM,EAAE,iBAAiB,CAAC,MAAM,EAAE,cAAc,CAAC,MAAM,EAAE,aAAa,CAAC,MAAM,CAAC;SAChI,CAAC;QAEF,IAAI,OAAO,CAAC,MAAM,KAAK,UAAU,EAAE,CAAC;YAClC,OAAO,EAAE,GAAG,MAAM,EAAE,OAAO,EAAE,IAAI,CAAC,mBAAmB,CAAC,MAAM,CAAC,EAAE,CAAC;QAClE,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAEO,uBAAuB,CAAC,OAAwB;QACtD,MAAM,GAAG,GAAG,IAAI,GAAG,EAA8B,CAAC;QAClD,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;YACxB,IAAI,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,aAAa,CAAC;gBAAE,SAAS,CAAC,gBAAgB;YAClE,IAAI,CAAC,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;YAC1B,IAAI,CAAC,CAAC,EAAE,CAAC;gBACP,CAAC,GAAG,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,aAAa,EAAE,EAAE,EAAE,WAAW,EAAE,EAAE,EAAE,YAAY,EAAE,EAAE,EAAE,eAAe,EAAE,CAAC,EAAE,SAAS,EAAE,CAAC,CAAC,SAAS,EAAE,QAAQ,EAAE,CAAC,CAAC,SAAS,EAAE,CAAC;gBAClJ,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;YACvB,CAAC;YACD,IAAI,CAAC,CAAC,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC,CAAC,YAAY,CAAC;gBAAE,CAAC,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC;YACpF,IAAI,CAAC,CAAC,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC,CAAC,UAAU,CAAC;gBAAE,CAAC,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC;YAC5E,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;YAC/D,CAAC,CAAC,eAAe,IAAI,CAAC,CAAC;YACvB,IAAI,CAAC,CAAC,SAAS,GAAG,CAAC,CAAC,SAAS;gBAAE,CAAC,CAAC,SAAS,GAAG,CAAC,CAAC,SAAS,CAAC;YACzD,IAAI,CAAC,CAAC,SAAS,GAAG,CAAC,CAAC,QAAQ;gBAAE,CAAC,CAAC,QAAQ,GAAG,CAAC,CAAC,SAAS,CAAC;QACzD,CAAC;QACD,OAAO,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,eAAe,GAAG,CAAC,CAAC,eAAe,CAAC,CAAC;IACxF,CAAC;IAEO,aAAa,CAAC,OAAwB;QAC5C,OAAO,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAC1B,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CACrE,CAAC;IACJ,CAAC;IAEO,kBAAkB,CAAC,OAAwB;QACjD,OAAO,OAAO;aACX,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,aAAa,CAAC,IAAI,UAAU,CAAC,CAAC,CAAC,SAAS,EAAE,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC;aACvG,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,SAAS,EAAE,CAAC,CAAC,SAAS,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,UAAU,EAAE,CAAC,CAAC,UAAU,EAAE,YAAY,EAAE,CAAC,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC;IAC1I,CAAC;IAEO,kBAAkB,CAAC,OAAwB;QACjD,OAAO,OAAO;aACX,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,oBAAoB,CAAC;aAChD,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,YAAY,EAAE,CAAC,CAAC,YAAY,EAAE,SAAS,EAAE,CAAC,CAAC,SAAS,EAAE,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;IACnG,CAAC;IAEO,iBAAiB,CAAC,OAAwB;QAChD,OAAO,OAAO;aACX,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,oBAAoB,CAAC;aAChD,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YACX,SAAS,EAAE,CAAC,CAAC,SAAS;YACtB,MAAM,EAAE,CAAC,CAAC,MAAM;YAChB,YAAY,EAAE,CAAC,CAAC,YAAY;YAC5B,MAAM,EAAG,CAAuC,CAAC,MAAM,IAAI,SAAS;YACpE,QAAQ,EAAG,CAAuC,CAAC,QAAQ,IAAI,SAAS;SACzE,CAAC,CAAC,CAAC;IACR,CAAC;IAEO,YAAY,CAAC,IAAgB,EAAE,KAAa,EAAE,GAAW,EAAE,QAAgB,EAAE,SAAiB;QACpG,OAAO,GAAG,IAAI,CAAC,WAAW,EAAE,YAAY,KAAK,uBAAuB,GAAG,2BAA2B,QAAQ,wBAAwB,SAAS,iBAAiB,CAAC;IAC/J,CAAC;IAEO,mBAAmB,CAAC,MAAwB;QAClD,MAAM,KAAK,GAAa;YACtB,sBAAsB,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,oBAAoB;YACnE,eAAe,MAAM,CAAC,UAAU,MAAM,MAAM,CAAC,QAAQ,EAAE;YACvD,kBAAkB,MAAM,CAAC,WAAW,EAAE;YACtC,0BAA0B,MAAM,CAAC,YAAY,EAAE;YAC/C,EAAE;YACF,yBAAyB;YACzB,4EAA4E;YAC5E,4EAA4E;YAC5E,GAAG,MAAM,CAAC,kBAAkB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CACrC,KAAK,CAAC,CAAC,MAAM,MAAM,CAAC,CAAC,eAAe,MAAM,CAAC,CAAC,aAAa,CAAC,MAAM,MAAM,CAAC,CAAC,WAAW,CAAC,MAAM,MAAM,CAAC,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,EAAC,EAAE,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAC,EAAE,CAAC,IAAI,CACxJ;YACD,EAAE;YACF,2BAA2B,MAAM,CAAC,iBAAiB,CAAC,MAAM,UAAU;YACpE,MAAM,CAAC,iBAAiB,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,iBAAiB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC,SAAS,MAAM,CAAC,CAAC,MAAM,MAAM,CAAC,CAAC,MAAM,MAAM,CAAC,CAAC,UAAU,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC;YACnK,EAAE;YACF,wBAAwB,MAAM,CAAC,cAAc,CAAC,MAAM,UAAU;YAC9D,MAAM,CAAC,cAAc,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC,SAAS,MAAM,CAAC,CAAC,MAAM,MAAM,CAAC,CAAC,MAAM,MAAM,CAAC,CAAC,UAAU,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC;YAC7J,EAAE;YACF,mCAAmC,MAAM,CAAC,yBAAyB,CAAC,MAAM,aAAa;YACvF,MAAM,CAAC,yBAAyB,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,yBAAyB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC,SAAS,MAAM,CAAC,CAAC,YAAY,mBAAmB,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC;YACzL,EAAE;YACF,sBAAsB,MAAM,CAAC,aAAa,CAAC,MAAM,UAAU;YAC3D,MAAM,CAAC,aAAa,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC,SAAS,MAAM,CAAC,CAAC,MAAM,MAAM,CAAC,CAAC,YAAY,MAAM,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,QAAQ,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC;SAC9K,CAAC;QACF,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC1B,CAAC;CACF;AA+BD;;;;;;;;GAQG;AACH,SAAS,gBAAgB,CAAC,KAAoB,EAAE,QAAgB;IAC9D,yEAAyE;IACzE,MAAM,EAAE,IAAI,EAAE,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE,GAAG,UAAU,EAAE,GAAG,KAA6B,CAAC;IAChF,KAAK,EAAE,CAAC;IAAC,KAAK,EAAE,CAAC;IACjB,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,IAAI,EAAE,CAAC;IAClD,MAAM,OAAO,GAA4B,EAAE,CAAC;IAC5C,KAAK,MAAM,CAAC,IAAI,UAAU,EAAE,CAAC;QAC3B,OAAO,CAAC,CAAC,CAAC,GAAI,UAAsC,CAAC,CAAC,CAAC,CAAC;IAC1D,CAAC;IACD,OAAO,UAAU,CAAC,QAAQ,CAAC;SACxB,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,GAAG,QAAQ,CAAC;SAC1C,MAAM,CAAC,KAAK,CAAC,CAAC;AACnB,CAAC;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,OAAO,oBAAoB;IAG/B,YAA6B,IAAiB;QAAjB,SAAI,GAAJ,IAAI,CAAa;QAFtC,aAAQ,GAAG,EAAE,CAAC;IAE2B,CAAC;IAElD,GAAG,CAAC,KAAoB;QACtB,MAAM,IAAI,GAAG,gBAAgB,CAAC,KAAK,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC;QACpD,MAAM,OAAO,GAAyB;YACpC,GAAG,KAAK;YACR,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,IAAI;SACL,CAAC;QACF,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC;QACrB,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,OAAmC,CAAC,CAAC;IACrD,CAAC;IAED,iFAAiF;IACjF,IAAI,WAAW;QACb,OAAO,IAAI,CAAC,QAAQ,CAAC;IACvB,CAAC;CACF;AAED;;;;;;;;;GASG;AACH,MAAM,OAAO,aAAa;IACxB;;;;OAIG;IACH,MAAM,CAAC,MAAM,CAAC,OAA+B;QAC3C,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACzB,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,YAAY,EAAE,kCAAkC,EAAE,CAAC;QAC5H,CAAC;QAED,IAAI,QAAQ,GAAG,EAAE,CAAC;QAElB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACxC,MAAM,KAAK,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;YAEzB,wDAAwD;YACxD,IAAI,KAAK,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;gBAChC,OAAO;oBACL,MAAM,EAAE,KAAK;oBACb,UAAU,EAAE,OAAO,CAAC,MAAM;oBAC1B,QAAQ,EAAE,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,IAAI,IAAI;oBACtC,QAAQ,EAAE,CAAC;oBACX,YAAY,EAAE,SAAS,CAAC,kCAAkC,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,SAAS,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG;iBACvH,CAAC;YACJ,CAAC;YAED,4DAA4D;YAC5D,MAAM,QAAQ,GAAG,gBAAgB,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;YACnD,IAAI,KAAK,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;gBAC5B,OAAO;oBACL,MAAM,EAAE,KAAK;oBACb,UAAU,EAAE,OAAO,CAAC,MAAM;oBAC1B,QAAQ,EAAE,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,IAAI,IAAI;oBACtC,QAAQ,EAAE,CAAC;oBACX,YAAY,EAAE,SAAS,CAAC,4DAA4D;iBACrF,CAAC;YACJ,CAAC;YAED,QAAQ,GAAG,KAAK,CAAC,IAAI,CAAC;QACxB,CAAC;QAED,OAAO;YACL,MAAM,EAAE,IAAI;YACZ,UAAU,EAAE,OAAO,CAAC,MAAM;YAC1B,QAAQ,EAAE,QAAQ;YAClB,QAAQ,EAAE,IAAI;YACd,YAAY,EAAE,IAAI;SACnB,CAAC;IACJ,CAAC;IAED;;;;;OAKG;IACH,MAAM,CAAC,WAAW,CAAC,KAAa;QAC9B,MAAM,OAAO,GAA2B,EAAE,CAAC;QAC3C,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAChC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YAC7B,IAAI,CAAC,IAAI;gBAAE,SAAS;YACpB,IAAI,CAAC;gBACH,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAyB,CAAC,CAAC;YACzD,CAAC;YAAC,MAAM,CAAC;gBACP,yCAAyC;gBACzC,OAAO;oBACL,MAAM,EAAE,KAAK;oBACb,UAAU,EAAE,OAAO,CAAC,MAAM;oBAC1B,QAAQ,EAAE,OAAO,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,EAAE,IAAI,IAAI,IAAI;oBACnD,QAAQ,EAAE,OAAO,CAAC,MAAM;oBACxB,YAAY,EAAE,QAAQ,CAAC,GAAG,CAAC,uDAAuD;iBACnF,CAAC;YACJ,CAAC;QACH,CAAC;QACD,OAAO,aAAa,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IACvC,CAAC;CACF"}

package/dist/types/index.d.ts ADDED Viewed

@@ -0,0 +1,186 @@
+/**
+ * @datacules/agent-identity-compliance
+ *
+ * Automated compliance report generation from agent-identity audit logs.
+ * Answers regulatory questions directly — no custom queries needed.
+ *
+ * Supported report types:
+ *   soc2   — SOC 2 CC6 Logical and Physical Access Controls
+ *   gdpr   — GDPR Article 30 Records of Processing Activities
+ *   hipaa  — HIPAA §164.312 Access Controls
+ *
+ * Usage:
+ *   const generator = new ComplianceReportGenerator({ store });
+ *   const report = await generator.generate({
+ *     type: 'soc2',
+ *     from: '2026-01-01T00:00:00Z',
+ *     to: '2026-03-31T23:59:59Z',
+ *   });
+ */
+import type { AuditLogEntry, AuditLogger } from '@datacules/agent-identity';
+export type ReportType = 'soc2' | 'gdpr' | 'hipaa' | 'custom';
+export interface ReportRequest {
+    type: ReportType;
+    /** ISO 8601 start of the reporting period */
+    from: string;
+    /** ISO 8601 end of the reporting period */
+    to: string;
+    /** Only include entries for these agent IDs (optional — all agents if omitted) */
+    agentIds?: string[];
+    /** Only include entries where resourceId tags include these tags (optional) */
+    resourceTags?: string[];
+    format?: 'json' | 'markdown';
+}
+export interface AgentAccessSummary {
+    userId: string;
+    credentialIds: string[];
+    resourceIds: string[];
+    actionCounts: Record<string, number>;
+    resolutionCount: number;
+    firstSeen: string;
+    lastSeen: string;
+}
+export interface CredentialRotationEntry {
+    credentialId: string;
+    rotatedAt: string;
+    triggeredBy: string;
+}
+export interface AnomalyEventEntry {
+    timestamp: string;
+    userId: string;
+    credentialId: string;
+    signal: string;
+    severity: string;
+}
+export interface OffHoursEntry {
+    timestamp: string;
+    userId: string;
+    action: string;
+    resourceId: string;
+    credentialId: string;
+}
+export interface ComplianceReport {
+    type: ReportType;
+    generatedAt: string;
+    periodFrom: string;
+    periodTo: string;
+    agentAccessSummary: AgentAccessSummary[];
+    piiResourceAccess: AuditLogEntry[];
+    offHoursAccess: OffHoursEntry[];
+    credentialRotationHistory: CredentialRotationEntry[];
+    anomalyEvents: AnomalyEventEntry[];
+    totalEntries: number;
+    summary: string;
+}
+export interface ReportStore {
+    queryEntries(from: string, to: string): Promise<AuditLogEntry[]>;
+}
+/** In-memory store for testing — populate with entries from your audit sink */
+export declare class MemoryReportStore implements ReportStore {
+    private readonly entries;
+    constructor(entries: AuditLogEntry[]);
+    queryEntries(from: string, to: string): Promise<AuditLogEntry[]>;
+}
+export interface ComplianceReportGeneratorConfig {
+    store: ReportStore;
+    /** Tags that identify PII resources (default: ['pii', 'phi', 'personal']) */
+    piiTags?: string[];
+    /** Business hours start (UTC, default: 9) */
+    businessHoursStart?: number;
+    /** Business hours end (UTC, default: 18) */
+    businessHoursEnd?: number;
+}
+export declare class ComplianceReportGenerator {
+    private readonly config;
+    private readonly piiTags;
+    private readonly bhStart;
+    private readonly bhEnd;
+    constructor(config: ComplianceReportGeneratorConfig);
+    generate(request: ReportRequest): Promise<ComplianceReport>;
+    private buildAgentAccessSummary;
+    private findPiiAccess;
+    private findOffHoursAccess;
+    private findRotationEvents;
+    private findAnomalyEvents;
+    private buildSummary;
+    private buildMarkdownReport;
+}
+/**
+ * A chained audit log entry — extends the base AuditLogEntry with two
+ * additional fields that form the tamper-evident SHA-256 chain.
+ */
+export interface ChainedAuditLogEntry extends AuditLogEntry {
+    /** SHA-256 hash of (serialised entry data + prevHash) */
+    hash: string;
+    /** Hash of the immediately preceding entry, or '' for the first entry */
+    prevHash: string;
+}
+/**
+ * Result returned by ChainVerifier.verify()
+ */
+export interface VerificationResult {
+    /** true only if every entry's hash recomputes correctly */
+    intact: boolean;
+    /** Number of entries verified */
+    entryCount: number;
+    /** SHA-256 hash of the last valid entry (the chain root for anchoring) */
+    rootHash: string | null;
+    /** Index of the first broken link (null if intact) */
+    brokenAt: number | null;
+    /** Human-readable reason for breakage (null if intact) */
+    brokenReason: string | null;
+}
+/**
+ * HashChainAuditLogger wraps any existing AuditLogger and appends
+ * `hash` and `prevHash` fields to every entry before forwarding to
+ * the underlying sink.
+ *
+ * Each entry's hash covers its own data + the previous entry's hash,
+ * forming a SHA-256 linked list. Any retroactive modification to an
+ * entry breaks the chain from that point forward — detectable by
+ * ChainVerifier.verify() in O(n) time.
+ *
+ * Usage:
+ *   const base = new ConsoleAuditLogger();
+ *   const chained = new HashChainAuditLogger(base);
+ *   const router = createRouter(credentials, rules, chained);
+ *
+ * The underlying sink receives ChainedAuditLogEntry objects. If it
+ * serialises to JSONL (one JSON object per line), that file can be
+ * verified offline with:
+ *   agent-identity audit verify --file ./audit.jsonl
+ */
+export declare class HashChainAuditLogger implements AuditLogger {
+    private readonly sink;
+    private prevHash;
+    constructor(sink: AuditLogger);
+    log(entry: AuditLogEntry): void;
+    /** Returns the hash of the most recently logged entry (the current chain tip) */
+    get currentHash(): string;
+}
+/**
+ * Verifies a sequence of ChainedAuditLogEntry objects.
+ *
+ * Replays the SHA-256 chain from the beginning. The first entry must
+ * have prevHash === '' (empty string). Every subsequent entry's hash
+ * must equal SHA256(sortedEntryData + prevEntry.hash).
+ *
+ * Any single field modification in any entry will break the chain
+ * from that entry onward.
+ */
+export declare class ChainVerifier {
+    /**
+     * Verify an in-memory array of entries.
+     *
+     * @param entries - Array of entries parsed from an audit log
+     */
+    static verify(entries: ChainedAuditLogEntry[]): VerificationResult;
+    /**
+     * Parse a JSONL string (one JSON object per line) and verify the chain.
+     * Blank lines and lines that fail JSON.parse are skipped with a warning.
+     *
+     * @param jsonl - Full JSONL file content as a string
+     */
+    static verifyJsonl(jsonl: string): VerificationResult;
+}
+//# sourceMappingURL=index.d.ts.map

package/dist/types/index.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AACH,OAAO,KAAK,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,2BAA2B,CAAC;AAK5E,MAAM,MAAM,UAAU,GAAG,MAAM,GAAG,MAAM,GAAG,OAAO,GAAG,QAAQ,CAAC;AAE9D,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,UAAU,CAAC;IACjB,6CAA6C;IAC7C,IAAI,EAAE,MAAM,CAAC;IACb,2CAA2C;IAC3C,EAAE,EAAE,MAAM,CAAC;IACX,kFAAkF;IAClF,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,+EAA+E;IAC/E,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,MAAM,CAAC,EAAE,MAAM,GAAG,UAAU,CAAC;CAC9B;AAED,MAAM,WAAW,kBAAkB;IACjC,MAAM,EAAE,MAAM,CAAC;IACf,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACrC,eAAe,EAAE,MAAM,CAAC;IACxB,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,uBAAuB;IACtC,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,iBAAiB;IAChC,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;IACf,YAAY,EAAE,MAAM,CAAC;IACrB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,aAAa;IAC5B,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE,UAAU,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,kBAAkB,EAAE,kBAAkB,EAAE,CAAC;IACzC,iBAAiB,EAAE,aAAa,EAAE,CAAC;IACnC,cAAc,EAAE,aAAa,EAAE,CAAC;IAChC,yBAAyB,EAAE,uBAAuB,EAAE,CAAC;IACrD,aAAa,EAAE,iBAAiB,EAAE,CAAC;IACnC,YAAY,EAAE,MAAM,CAAC;IACrB,OAAO,EAAE,MAAM,CAAC;CACjB;AAID,MAAM,WAAW,WAAW;IAC1B,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,EAAE,CAAC,CAAC;CAClE;AAED,+EAA+E;AAC/E,qBAAa,iBAAkB,YAAW,WAAW;IACvC,OAAO,CAAC,QAAQ,CAAC,OAAO;gBAAP,OAAO,EAAE,aAAa,EAAE;IAE/C,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,EAAE,CAAC;CAQvE;AAcD,MAAM,WAAW,+BAA+B;IAC9C,KAAK,EAAE,WAAW,CAAC;IACnB,6EAA6E;IAC7E,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,6CAA6C;IAC7C,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,4CAA4C;IAC5C,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B;AAED,qBAAa,yBAAyB;IAKxB,OAAO,CAAC,QAAQ,CAAC,MAAM;IAJnC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAW;IACnC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IACjC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAS;gBAEF,MAAM,EAAE,+BAA+B;IAM9D,QAAQ,CAAC,OAAO,EAAE,aAAa,GAAG,OAAO,CAAC,gBAAgB,CAAC;IAmCjE,OAAO,CAAC,uBAAuB;IAmB/B,OAAO,CAAC,aAAa;IAMrB,OAAO,CAAC,kBAAkB;IAM1B,OAAO,CAAC,kBAAkB;IAM1B,OAAO,CAAC,iBAAiB;IAYzB,OAAO,CAAC,YAAY;IAIpB,OAAO,CAAC,mBAAmB;CA4B5B;AAID;;;GAGG;AACH,MAAM,WAAW,oBAAqB,SAAQ,aAAa;IACzD,yDAAyD;IACzD,IAAI,EAAE,MAAM,CAAC;IACb,yEAAyE;IACzE,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,2DAA2D;IAC3D,MAAM,EAAE,OAAO,CAAC;IAChB,iCAAiC;IACjC,UAAU,EAAE,MAAM,CAAC;IACnB,0EAA0E;IAC1E,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,sDAAsD;IACtD,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,0DAA0D;IAC1D,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;CAC7B;AAyBD;;;;;;;;;;;;;;;;;;;GAmBG;AACH,qBAAa,oBAAqB,YAAW,WAAW;IAG1C,OAAO,CAAC,QAAQ,CAAC,IAAI;IAFjC,OAAO,CAAC,QAAQ,CAAM;gBAEO,IAAI,EAAE,WAAW;IAE9C,GAAG,CAAC,KAAK,EAAE,aAAa,GAAG,IAAI;IAW/B,iFAAiF;IACjF,IAAI,WAAW,IAAI,MAAM,CAExB;CACF;AAED;;;;;;;;;GASG;AACH,qBAAa,aAAa;IACxB;;;;OAIG;IACH,MAAM,CAAC,MAAM,CAAC,OAAO,EAAE,oBAAoB,EAAE,GAAG,kBAAkB;IA6ClE;;;;;OAKG;IACH,MAAM,CAAC,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,kBAAkB;CAqBtD"}

package/package.json CHANGED Viewed

@@ -1,10 +1,10 @@
 {
   "name": "@datacules/agent-identity-compliance",
-  "version": "0.11.0",
+  "version": "0.11.1",
   "private": false,
   "description": "Compliance report generator + tamper-evident audit log for @datacules/agent-identity — SOC 2, GDPR, HIPAA reports, SHA-256 chain verification CLI",
   "author": "Datacules LLC",
-  "license": "MIT",
+  "license": "SEE LICENSE IN LICENSE",
   "repository": {
     "type": "git",
     "url": "https://github.com/hvrcharon1/agent-identity.git",
@@ -26,10 +26,11 @@
   "files": [
     "dist",
     "bin",
-    "README.md"
+    "README.md",
+    "LICENSE"
   ],
   "scripts": {
-    "build": "tsc -p tsconfig.build.json",
+    "build": "tsc -p tsconfig.build.json && tsc -p tsconfig.cjs.json",
     "type-check": "tsc --noEmit",
     "lint": "eslint src --ext .ts"
   },
@@ -38,6 +39,17 @@
     "typescript": "^5"
   },
   "peerDependencies": {
-    "@datacules/agent-identity": "^0.8.0"
-  }
+    "@datacules/agent-identity": "^0.11.1"
+  },
+  "keywords": [
+    "agent-identity",
+    "compliance",
+    "soc2",
+    "gdpr",
+    "hipaa",
+    "audit",
+    "hash-chain",
+    "ai-agents",
+    "datacules"
+  ]
 }