@datacules/agent-identity 0.2.1

package/dist/cjs/approval.js

@@ -0,0 +1,157 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ApprovalManager = exports.SlackApprovalNotifier = exports.WebhookApprovalNotifier = exports.MemoryApprovalStore = void 0;
+// ─── MemoryApprovalStore ──────────────────────────────────────────────────────
+class MemoryApprovalStore {
+    constructor() {
+        this.store = new Map();
+    }
+    async create(request) {
+        this.store.set(request.requestId, { ...request });
+    }
+    async get(requestId) {
+        return this.store.get(requestId) ?? null;
+    }
+    async update(requestId, status, resolvedBy, justification) {
+        const existing = this.store.get(requestId);
+        if (!existing)
+            return;
+        this.store.set(requestId, {
+            ...existing,
+            status,
+            resolvedAt: new Date().toISOString(),
+            resolvedBy,
+            justification,
+        });
+    }
+    async listPending() {
+        return Array.from(this.store.values()).filter((r) => r.status === 'pending');
+    }
+}
+exports.MemoryApprovalStore = MemoryApprovalStore;
+// ─── WebhookApprovalNotifier ──────────────────────────────────────────────────
+class WebhookApprovalNotifier {
+    constructor(webhookUrl, secret) {
+        this.webhookUrl = webhookUrl;
+        this.secret = secret;
+    }
+    async notify(request, _policy) {
+        const body = JSON.stringify(request);
+        const headers = { 'Content-Type': 'application/json' };
+        if (this.secret) {
+            headers['X-Agent-Identity-Signature'] = this.secret;
+        }
+        try {
+            await fetch(this.webhookUrl, { method: 'POST', headers, body });
+        }
+        catch {
+            // Notification failure is non-fatal — approval still waits
+        }
+    }
+}
+exports.WebhookApprovalNotifier = WebhookApprovalNotifier;
+// ─── SlackApprovalNotifier ────────────────────────────────────────────────────
+class SlackApprovalNotifier {
+    constructor(webhookUrl) {
+        this.webhookUrl = webhookUrl;
+    }
+    async notify(request, _policy) {
+        const text = [
+            `*Approval required* — request \`${request.requestId}\``,
+            `User: ${request.context.userId}`,
+            `Action: ${request.context.action} on ${request.context.resourceId}`,
+            `Credential: ${request.credentialId}`,
+            `Expires: ${request.expiresAt}`,
+        ].join('\n');
+        try {
+            await fetch(this.webhookUrl, {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/json' },
+                body: JSON.stringify({ text }),
+            });
+        }
+        catch {
+            // Notification failure is non-fatal
+        }
+    }
+}
+exports.SlackApprovalNotifier = SlackApprovalNotifier;
+// ─── ApprovalManager ─────────────────────────────────────────────────────────
+class ApprovalManager {
+    constructor(store, notifiers = [], auditLogger) {
+        this.store = store;
+        this.notifiers = notifiers;
+        this.auditLogger = auditLogger;
+    }
+    /**
+     * Gate a resolve() call behind an approval policy.
+     * Returns 'approved' / 'break_glass' if the request was already
+     * approved, otherwise creates a new approval request, notifies approvers,
+     * and returns 'pending' (the router returns null — caller should retry).
+     */
+    async request(ctx, policy, credentialId, ruleId) {
+        // Generate deterministic request ID for idempotency within the same trace
+        const requestId = `approval-${ctx.traceId}-${ruleId}`;
+        const existing = await this.store.get(requestId);
+        if (existing) {
+            if (existing.status === 'approved' || existing.status === 'break_glass') {
+                return existing.status;
+            }
+            if (existing.status === 'rejected')
+                return 'rejected';
+            // Check timeout
+            if (new Date(existing.expiresAt) < new Date()) {
+                await this.store.update(requestId, 'timeout');
+                if (this.auditLogger) {
+                    await this.auditLogger.log({
+                        timestamp: new Date().toISOString(),
+                        traceId: ctx.traceId,
+                        userId: ctx.userId,
+                        action: 'credential.approval_timeout',
+                        resourceId: ctx.resourceId,
+                        resourceKind: ctx.resourceKind,
+                        provider: ctx.provider,
+                        model: ctx.model,
+                        credentialId,
+                        credentialKind: 'fixed',
+                        resolvedFor: ctx.userId,
+                    });
+                }
+                return 'timeout';
+            }
+            return 'pending';
+        }
+        // Create new request
+        const timeoutSeconds = policy.timeoutSeconds ?? 300;
+        const newRequest = {
+            requestId,
+            credentialId,
+            ruleId,
+            context: ctx,
+            status: 'pending',
+            requestedAt: new Date().toISOString(),
+            expiresAt: new Date(Date.now() + timeoutSeconds * 1000).toISOString(),
+        };
+        await this.store.create(newRequest);
+        // Notify all approvers
+        await Promise.allSettled(this.notifiers.map((n) => n.notify(newRequest, policy)));
+        if (this.auditLogger) {
+            await this.auditLogger.log({
+                timestamp: new Date().toISOString(),
+                traceId: ctx.traceId,
+                userId: ctx.userId,
+                action: 'credential.approval_requested',
+                resourceId: ctx.resourceId,
+                resourceKind: ctx.resourceKind,
+                provider: ctx.provider,
+                model: ctx.model,
+                credentialId,
+                credentialKind: 'fixed',
+                resolvedFor: ctx.userId,
+            });
+        }
+        return 'pending';
+    }
+}
+exports.ApprovalManager = ApprovalManager;
+//# sourceMappingURL=approval.js.map

package/dist/cjs/approval.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"approval.js","sourceRoot":"","sources":["../../src/approval.ts"],"names":[],"mappings":";;;AAqBA,iFAAiF;AAEjF,MAAa,mBAAmB;IAAhC;QACmB,UAAK,GAAG,IAAI,GAAG,EAA2B,CAAC;IA8B9D,CAAC;IA5BC,KAAK,CAAC,MAAM,CAAC,OAAwB;QACnC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,GAAG,OAAO,EAAE,CAAC,CAAC;IACpD,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,SAAiB;QACzB,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,IAAI,CAAC;IAC3C,CAAC;IAED,KAAK,CAAC,MAAM,CACV,SAAiB,EACjB,MAAsB,EACtB,UAAmB,EACnB,aAAsB;QAEtB,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAC3C,IAAI,CAAC,QAAQ;YAAE,OAAO;QACtB,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,EAAE;YACxB,GAAG,QAAQ;YACX,MAAM;YACN,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACpC,UAAU;YACV,aAAa;SACd,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,WAAW;QACf,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC;IAC/E,CAAC;CACF;AA/BD,kDA+BC;AAED,iFAAiF;AAEjF,MAAa,uBAAuB;IAClC,YAA6B,UAAkB,EAAmB,MAAe;QAApD,eAAU,GAAV,UAAU,CAAQ;QAAmB,WAAM,GAAN,MAAM,CAAS;IAAG,CAAC;IAErF,KAAK,CAAC,MAAM,CAAC,OAAwB,EAAE,OAAuB;QAC5D,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QACrC,MAAM,OAAO,GAA2B,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC;QAC/E,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,OAAO,CAAC,4BAA4B,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC;QACtD,CAAC;QACD,IAAI,CAAC;YACH,MAAM,KAAK,CAAC,IAAI,CAAC,UAAU,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC;QAClE,CAAC;QAAC,MAAM,CAAC;YACP,2DAA2D;QAC7D,CAAC;IACH,CAAC;CACF;AAfD,0DAeC;AAED,iFAAiF;AAEjF,MAAa,qBAAqB;IAChC,YAA6B,UAAkB;QAAlB,eAAU,GAAV,UAAU,CAAQ;IAAG,CAAC;IAEnD,KAAK,CAAC,MAAM,CAAC,OAAwB,EAAE,OAAuB;QAC5D,MAAM,IAAI,GAAG;YACX,mCAAmC,OAAO,CAAC,SAAS,IAAI;YACxD,SAAS,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE;YACjC,WAAW,OAAO,CAAC,OAAO,CAAC,MAAM,OAAO,OAAO,CAAC,OAAO,CAAC,UAAU,EAAE;YACpE,eAAe,OAAO,CAAC,YAAY,EAAE;YACrC,YAAY,OAAO,CAAC,SAAS,EAAE;SAChC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACb,IAAI,CAAC;YACH,MAAM,KAAK,CAAC,IAAI,CAAC,UAAU,EAAE;gBAC3B,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;gBAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,IAAI,EAAE,CAAC;aAC/B,CAAC,CAAC;QACL,CAAC;QAAC,MAAM,CAAC;YACP,oCAAoC;QACtC,CAAC;IACH,CAAC;CACF;AArBD,sDAqBC;AAED,gFAAgF;AAEhF,MAAa,eAAe;IAC1B,YACmB,KAAoB,EACpB,YAAgC,EAAE,EAClC,WAAyB;QAFzB,UAAK,GAAL,KAAK,CAAe;QACpB,cAAS,GAAT,SAAS,CAAyB;QAClC,gBAAW,GAAX,WAAW,CAAc;IACzC,CAAC;IAEJ;;;;;OAKG;IACH,KAAK,CAAC,OAAO,CACX,GAAwB,EACxB,MAAsB,EACtB,YAAoB,EACpB,MAAc;QAEd,0EAA0E;QAC1E,MAAM,SAAS,GAAG,YAAY,GAAG,CAAC,OAAO,IAAI,MAAM,EAAE,CAAC;QACtD,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QACjD,IAAI,QAAQ,EAAE,CAAC;YACb,IAAI,QAAQ,CAAC,MAAM,KAAK,UAAU,IAAI,QAAQ,CAAC,MAAM,KAAK,aAAa,EAAE,CAAC;gBACxE,OAAO,QAAQ,CAAC,MAAM,CAAC;YACzB,CAAC;YACD,IAAI,QAAQ,CAAC,MAAM,KAAK,UAAU;gBAAE,OAAO,UAAU,CAAC;YACtD,gBAAgB;YAChB,IAAI,IAAI,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,GAAG,IAAI,IAAI,EAAE,EAAE,CAAC;gBAC9C,MAAM,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;gBAC9C,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;oBACrB,MAAM,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC;wBACzB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;wBACnC,OAAO,EAAE,GAAG,CAAC,OAAO;wBACpB,MAAM,EAAE,GAAG,CAAC,MAAM;wBAClB,MAAM,EAAE,6BAA6B;wBACrC,UAAU,EAAE,GAAG,CAAC,UAAU;wBAC1B,YAAY,EAAE,GAAG,CAAC,YAAY;wBAC9B,QAAQ,EAAE,GAAG,CAAC,QAAQ;wBACtB,KAAK,EAAE,GAAG,CAAC,KAAK;wBAChB,YAAY;wBACZ,cAAc,EAAE,OAAO;wBACvB,WAAW,EAAE,GAAG,CAAC,MAAM;qBACxB,CAAC,CAAC;gBACL,CAAC;gBACD,OAAO,SAAS,CAAC;YACnB,CAAC;YACD,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,qBAAqB;QACrB,MAAM,cAAc,GAAG,MAAM,CAAC,cAAc,IAAI,GAAG,CAAC;QACpD,MAAM,UAAU,GAAoB;YAClC,SAAS;YACT,YAAY;YACZ,MAAM;YACN,OAAO,EAAE,GAAG;YACZ,MAAM,EAAE,SAAS;YACjB,WAAW,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACrC,SAAS,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,cAAc,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE;SACtE,CAAC;QACF,MAAM,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;QAEpC,uBAAuB;QACvB,MAAM,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC;QAElF,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;YACrB,MAAM,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC;gBACzB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;gBACnC,OAAO,EAAE,GAAG,CAAC,OAAO;gBACpB,MAAM,EAAE,GAAG,CAAC,MAAM;gBAClB,MAAM,EAAE,+BAA+B;gBACvC,UAAU,EAAE,GAAG,CAAC,UAAU;gBAC1B,YAAY,EAAE,GAAG,CAAC,YAAY;gBAC9B,QAAQ,EAAE,GAAG,CAAC,QAAQ;gBACtB,KAAK,EAAE,GAAG,CAAC,KAAK;gBAChB,YAAY;gBACZ,cAAc,EAAE,OAAO;gBACvB,WAAW,EAAE,GAAG,CAAC,MAAM;aACxB,CAAC,CAAC;QACL,CAAC;QAED,OAAO,SAAS,CAAC;IACnB,CAAC;CACF;AApFD,0CAoFC"}

package/dist/cjs/attestation.js

@@ -0,0 +1,89 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.HmacAttestationSigner = void 0;
+exports.buildAttestation = buildAttestation;
+exports.verifyAttestation = verifyAttestation;
+// ─── HMAC Signer (built-in, zero deps) ──────────────────────────────────────
+class HmacAttestationSigner {
+    constructor(options) {
+        this.secret = options.secret;
+        this.issuer = options.issuer ?? 'agent-identity';
+        this.ttlSeconds = options.ttlSeconds ?? 300;
+    }
+    base64url(input) {
+        // Works in both browser and Node 18+ (Buffer is global in Node)
+        if (typeof Buffer !== 'undefined') {
+            return Buffer.from(input).toString('base64url');
+        }
+        // Browser fallback via btoa
+        return btoa(input).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+    }
+    bufToBase64url(buf) {
+        if (typeof Buffer !== 'undefined') {
+            return Buffer.from(buf).toString('base64url');
+        }
+        const bytes = new Uint8Array(buf);
+        let binary = '';
+        for (let i = 0; i < bytes.byteLength; i++)
+            binary += String.fromCharCode(bytes[i]);
+        return btoa(binary).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+    }
+    async hmacSign(data) {
+        const enc = new TextEncoder();
+        const key = await crypto.subtle.importKey('raw', enc.encode(this.secret), { name: 'HMAC', hash: 'SHA-256' }, false, ['sign']);
+        const sig = await crypto.subtle.sign('HMAC', key, enc.encode(data));
+        return this.bufToBase64url(sig);
+    }
+    async sign(payload) {
+        const header = this.base64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
+        const body = this.base64url(JSON.stringify(payload));
+        const sig = await this.hmacSign(`${header}.${body}`);
+        return `${header}.${body}.${sig}`;
+    }
+    async verify(token) {
+        try {
+            const [header, body, sig] = token.split('.');
+            if (!header || !body || !sig)
+                return null;
+            const expected = await this.hmacSign(`${header}.${body}`);
+            if (expected !== sig)
+                return null;
+            // Decode body: Node uses Buffer, browsers use atob
+            const decoded = typeof Buffer !== 'undefined'
+                ? Buffer.from(body, 'base64url').toString('utf8')
+                : atob(body.replace(/-/g, '+').replace(/_/g, '/'));
+            return JSON.parse(decoded);
+        }
+        catch {
+            return null;
+        }
+    }
+}
+exports.HmacAttestationSigner = HmacAttestationSigner;
+async function buildAttestation(ctx, resolved, options) {
+    const now = Math.floor(Date.now() / 1000);
+    const payload = {
+        iss: options.issuer ?? 'agent-identity',
+        sub: ctx.userId,
+        credentialId: resolved.credentialId,
+        resolvedFor: resolved.resolvedFor,
+        action: ctx.action,
+        resourceId: ctx.resourceId,
+        traceId: ctx.traceId,
+        ruleId: options.ruleId,
+        iat: now,
+        exp: now + (options.ttlSeconds ?? 300),
+    };
+    return options.signer.sign(payload);
+}
+// ─── Standalone verifyAttestation helper ────────────────────────────────────
+async function verifyAttestation(token, signer) {
+    const raw = await signer.verify(token);
+    if (!raw)
+        return null;
+    const now = Math.floor(Date.now() / 1000);
+    if (typeof raw.exp === 'number' && raw.exp < now)
+        return null;
+    return raw;
+}
+//# sourceMappingURL=attestation.js.map

package/dist/cjs/attestation.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"attestation.js","sourceRoot":"","sources":["../../src/attestation.ts"],"names":[],"mappings":";;;AA2FA,4CAmBC;AAID,8CASC;AA9GD,+EAA+E;AAE/E,MAAa,qBAAqB;IAKhC,YAAY,OAAiE;QAC3E,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;QAC7B,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,gBAAgB,CAAC;QACjD,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,GAAG,CAAC;IAC9C,CAAC;IAEO,SAAS,CAAC,KAAa;QAC7B,gEAAgE;QAChE,IAAI,OAAO,MAAM,KAAK,WAAW,EAAE,CAAC;YAClC,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QAClD,CAAC;QACD,4BAA4B;QAC5B,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;IAC/E,CAAC;IAEO,cAAc,CAAC,GAAgB;QACrC,IAAI,OAAO,MAAM,KAAK,WAAW,EAAE,CAAC;YAClC,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QAChD,CAAC;QACD,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,GAAG,CAAC,CAAC;QAClC,IAAI,MAAM,GAAG,EAAE,CAAC;QAChB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,UAAU,EAAE,CAAC,EAAE;YAAE,MAAM,IAAI,MAAM,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;QACnF,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;IAChF,CAAC;IAEO,KAAK,CAAC,QAAQ,CAAC,IAAY;QACjC,MAAM,GAAG,GAAG,IAAI,WAAW,EAAE,CAAC;QAC9B,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CACvC,KAAK,EACL,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,EACvB,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,EACjC,KAAK,EACL,CAAC,MAAM,CAAC,CACT,CAAC;QACF,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC;QACpE,OAAO,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC;IAClC,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,OAAgC;QACzC,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC;QAC5E,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC;QACrD,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,GAAG,MAAM,IAAI,IAAI,EAAE,CAAC,CAAC;QACrD,OAAO,GAAG,MAAM,IAAI,IAAI,IAAI,GAAG,EAAE,CAAC;IACpC,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa;QACxB,IAAI,CAAC;YACH,MAAM,CAAC,MAAM,EAAE,IAAI,EAAE,GAAG,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC7C,IAAI,CAAC,MAAM,IAAI,CAAC,IAAI,IAAI,CAAC,GAAG;gBAAE,OAAO,IAAI,CAAC;YAC1C,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,GAAG,MAAM,IAAI,IAAI,EAAE,CAAC,CAAC;YAC1D,IAAI,QAAQ,KAAK,GAAG;gBAAE,OAAO,IAAI,CAAC;YAClC,mDAAmD;YACnD,MAAM,OAAO,GAAG,OAAO,MAAM,KAAK,WAAW;gBAC3C,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC;gBACjD,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,CAAC;YACrD,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAC7B,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;CACF;AAjED,sDAiEC;AAWM,KAAK,UAAU,gBAAgB,CACpC,GAAwB,EACxB,QAA4B,EAC5B,OAA2B;IAE3B,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,MAAM,OAAO,GAAuB;QAClC,GAAG,EAAE,OAAO,CAAC,MAAM,IAAI,gBAAgB;QACvC,GAAG,EAAE,GAAG,CAAC,MAAM;QACf,YAAY,EAAE,QAAQ,CAAC,YAAY;QACnC,WAAW,EAAE,QAAQ,CAAC,WAAW;QACjC,MAAM,EAAE,GAAG,CAAC,MAAM;QAClB,UAAU,EAAE,GAAG,CAAC,UAAU;QAC1B,OAAO,EAAE,GAAG,CAAC,OAAO;QACpB,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,GAAG,EAAE,GAAG;QACR,GAAG,EAAE,GAAG,GAAG,CAAC,OAAO,CAAC,UAAU,IAAI,GAAG,CAAC;KACvC,CAAC;IACF,OAAO,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,OAA6C,CAAC,CAAC;AAC5E,CAAC;AAED,+EAA+E;AAExE,KAAK,UAAU,iBAAiB,CACrC,KAAa,EACb,MAAyB;IAEzB,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACvC,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IACtB,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,IAAI,OAAO,GAAG,CAAC,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,GAAG,GAAG,GAAG;QAAE,OAAO,IAAI,CAAC;IAC9D,OAAO,GAAoC,CAAC;AAC9C,CAAC"}

package/dist/cjs/budget.js

@@ -0,0 +1,110 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.BudgetEnforcer = exports.MemoryBudgetStore = void 0;
+// ─── MemoryBudgetStore ────────────────────────────────────────────────────────
+class MemoryBudgetStore {
+    constructor() {
+        this.hourlyCounts = new Map();
+        this.dailySpend = new Map();
+    }
+    async getHourlyCount(credentialId) {
+        const entry = this.hourlyCounts.get(credentialId);
+        if (!entry)
+            return 0;
+        const hourMs = 3600000;
+        if (Date.now() - entry.windowStart > hourMs) {
+            this.hourlyCounts.delete(credentialId);
+            return 0;
+        }
+        return entry.count;
+    }
+    async incrementHourlyCount(credentialId) {
+        const existing = this.hourlyCounts.get(credentialId);
+        const hourMs = 3600000;
+        if (!existing || Date.now() - existing.windowStart > hourMs) {
+            this.hourlyCounts.set(credentialId, { count: 1, windowStart: Date.now() });
+        }
+        else {
+            existing.count++;
+        }
+    }
+    async getConcurrentSessions(_credentialId) {
+        // Placeholder — real impl tracks open sessions with TTL
+        return 0;
+    }
+    async getDailySpend(credentialId) {
+        return this.dailySpend.get(credentialId) ?? 0;
+    }
+    async resetHourly(credentialId) {
+        this.hourlyCounts.delete(credentialId);
+    }
+    async resetDaily(credentialId) {
+        this.dailySpend.delete(credentialId);
+    }
+}
+exports.MemoryBudgetStore = MemoryBudgetStore;
+// ─── BudgetEnforcer ──────────────────────────────────────────────────────────
+class BudgetEnforcer {
+    constructor(store, auditLogger) {
+        this.store = store;
+        this.auditLogger = auditLogger;
+    }
+    async check(credential) {
+        const policy = credential.budget;
+        if (!policy)
+            return { allowed: true };
+        // Hourly resolution limit
+        if (policy.maxResolutionsPerHour !== undefined) {
+            const count = await this.store.getHourlyCount(credential.id);
+            const soft = policy.softThresholdPercent ?? 80;
+            const softLimit = Math.floor((policy.maxResolutionsPerHour * soft) / 100);
+            if (count >= policy.maxResolutionsPerHour) {
+                const retryAfter = new Date(Date.now() + 3600000).toISOString();
+                if (this.auditLogger) {
+                    // Fire-and-forget — budget exceeded audit event
+                    void this.auditLogger.log({
+                        timestamp: new Date().toISOString(),
+                        traceId: 'budget-enforcer',
+                        userId: 'system',
+                        action: 'credential.budget_exceeded',
+                        resourceId: credential.id,
+                        resourceKind: 'shared',
+                        provider: 'local',
+                        model: 'system',
+                        credentialId: credential.id,
+                        credentialKind: credential.kind,
+                        resolvedFor: 'system',
+                    });
+                }
+                return { allowed: false, reason: 'hourly_limit', retryAfter };
+            }
+            if (count >= softLimit && this.auditLogger) {
+                void this.auditLogger.log({
+                    timestamp: new Date().toISOString(),
+                    traceId: 'budget-enforcer',
+                    userId: 'system',
+                    action: 'credential.budget_warning',
+                    resourceId: credential.id,
+                    resourceKind: 'shared',
+                    provider: 'local',
+                    model: 'system',
+                    credentialId: credential.id,
+                    credentialKind: credential.kind,
+                    resolvedFor: 'system',
+                });
+            }
+        }
+        // Concurrent sessions limit
+        if (policy.maxConcurrentSessions !== undefined) {
+            const sessions = await this.store.getConcurrentSessions(credential.id);
+            if (sessions >= policy.maxConcurrentSessions) {
+                return { allowed: false, reason: 'session_limit' };
+            }
+        }
+        // Record the resolution
+        await this.store.incrementHourlyCount(credential.id);
+        return { allowed: true };
+    }
+}
+exports.BudgetEnforcer = BudgetEnforcer;
+//# sourceMappingURL=budget.js.map

package/dist/cjs/budget.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"budget.js","sourceRoot":"","sources":["../../src/budget.ts"],"names":[],"mappings":";;;AA0BA,iFAAiF;AAEjF,MAAa,iBAAiB;IAA9B;QACmB,iBAAY,GAAG,IAAI,GAAG,EAAkD,CAAC;QACzE,eAAU,GAAG,IAAI,GAAG,EAAkB,CAAC;IAuC1D,CAAC;IArCC,KAAK,CAAC,cAAc,CAAC,YAAoB;QACvC,MAAM,KAAK,GAAG,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QAClD,IAAI,CAAC,KAAK;YAAE,OAAO,CAAC,CAAC;QACrB,MAAM,MAAM,GAAG,OAAQ,CAAC;QACxB,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC,WAAW,GAAG,MAAM,EAAE,CAAC;YAC5C,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;YACvC,OAAO,CAAC,CAAC;QACX,CAAC;QACD,OAAO,KAAK,CAAC,KAAK,CAAC;IACrB,CAAC;IAED,KAAK,CAAC,oBAAoB,CAAC,YAAoB;QAC7C,MAAM,QAAQ,GAAG,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QACrD,MAAM,MAAM,GAAG,OAAQ,CAAC;QACxB,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ,CAAC,WAAW,GAAG,MAAM,EAAE,CAAC;YAC5D,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,YAAY,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,WAAW,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QAC7E,CAAC;aAAM,CAAC;YACN,QAAQ,CAAC,KAAK,EAAE,CAAC;QACnB,CAAC;IACH,CAAC;IAED,KAAK,CAAC,qBAAqB,CAAC,aAAqB;QAC/C,wDAAwD;QACxD,OAAO,CAAC,CAAC;IACX,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,YAAoB;QACtC,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC;IAChD,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,YAAoB;QACpC,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;IACzC,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,YAAoB;QACnC,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;IACvC,CAAC;CACF;AAzCD,8CAyCC;AAED,gFAAgF;AAEhF,MAAa,cAAc;IACzB,YACmB,KAAkB,EAClB,WAAyB;QADzB,UAAK,GAAL,KAAK,CAAa;QAClB,gBAAW,GAAX,WAAW,CAAc;IACzC,CAAC;IAEJ,KAAK,CAAC,KAAK,CAAC,UAAsB;QAChC,MAAM,MAAM,GAAG,UAAU,CAAC,MAAM,CAAC;QACjC,IAAI,CAAC,MAAM;YAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;QAEtC,0BAA0B;QAC1B,IAAI,MAAM,CAAC,qBAAqB,KAAK,SAAS,EAAE,CAAC;YAC/C,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC;YAC7D,MAAM,IAAI,GAAG,MAAM,CAAC,oBAAoB,IAAI,EAAE,CAAC;YAC/C,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,qBAAqB,GAAG,IAAI,CAAC,GAAG,GAAG,CAAC,CAAC;YAE1E,IAAI,KAAK,IAAI,MAAM,CAAC,qBAAqB,EAAE,CAAC;gBAC1C,MAAM,UAAU,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,OAAQ,CAAC,CAAC,WAAW,EAAE,CAAC;gBACjE,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;oBACrB,gDAAgD;oBAChD,KAAK,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC;wBACxB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;wBACnC,OAAO,EAAE,iBAAiB;wBAC1B,MAAM,EAAE,QAAQ;wBAChB,MAAM,EAAE,4BAA4B;wBACpC,UAAU,EAAE,UAAU,CAAC,EAAE;wBACzB,YAAY,EAAE,QAAQ;wBACtB,QAAQ,EAAE,OAAO;wBACjB,KAAK,EAAE,QAAQ;wBACf,YAAY,EAAE,UAAU,CAAC,EAAE;wBAC3B,cAAc,EAAE,UAAU,CAAC,IAAI;wBAC/B,WAAW,EAAE,QAAQ;qBACtB,CAAC,CAAC;gBACL,CAAC;gBACD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,cAAc,EAAE,UAAU,EAAE,CAAC;YAChE,CAAC;YAED,IAAI,KAAK,IAAI,SAAS,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;gBAC3C,KAAK,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC;oBACxB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;oBACnC,OAAO,EAAE,iBAAiB;oBAC1B,MAAM,EAAE,QAAQ;oBAChB,MAAM,EAAE,2BAA2B;oBACnC,UAAU,EAAE,UAAU,CAAC,EAAE;oBACzB,YAAY,EAAE,QAAQ;oBACtB,QAAQ,EAAE,OAAO;oBACjB,KAAK,EAAE,QAAQ;oBACf,YAAY,EAAE,UAAU,CAAC,EAAE;oBAC3B,cAAc,EAAE,UAAU,CAAC,IAAI;oBAC/B,WAAW,EAAE,QAAQ;iBACtB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,4BAA4B;QAC5B,IAAI,MAAM,CAAC,qBAAqB,KAAK,SAAS,EAAE,CAAC;YAC/C,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,qBAAqB,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC;YACvE,IAAI,QAAQ,IAAI,MAAM,CAAC,qBAAqB,EAAE,CAAC;gBAC7C,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;YACrD,CAAC;QACH,CAAC;QAED,wBAAwB;QACxB,MAAM,IAAI,CAAC,KAAK,CAAC,oBAAoB,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC;QACrD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC3B,CAAC;CACF;AAlED,wCAkEC"}

package/dist/cjs/credentials.js

@@ -0,0 +1,14 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DEFAULT_ROUTING_RULES = exports.DEFAULT_CREDENTIALS = void 0;
+exports.DEFAULT_CREDENTIALS = [
+    { id: 'cred-linear', kind: 'fixed', name: 'Linear service account', scope: 'All projects - read/write', status: 'active', provider: 'Linear', ref: 'linear-service-account-slot', rotationIntervalDays: 90 },
+    { id: 'cred-analytics-db', kind: 'fixed', name: 'Shared analytics DB', scope: 'Read-only replica', status: 'active', provider: 'PostgreSQL', ref: 'analytics-db-readonly-slot', rotationIntervalDays: 180 },
+    { id: 'cred-knowledge-base', kind: 'user-delegated', name: 'Company knowledge base', scope: 'Variable - resolved per user at call time', status: 'active', provider: 'Notion', ref: 'knowledge-base-user-slot', rotationIntervalDays: 0 },
+    { id: 'cred-gmail', kind: 'user-delegated', name: 'Gmail / inbox access', scope: "User's mailbox - OAuth 2.0", status: 'active', provider: 'Google', ref: 'gmail-oauth-user-slot', rotationIntervalDays: 0 },
+];
+exports.DEFAULT_ROUTING_RULES = [
+    { id: 'rule-shared-tools', description: 'Shared tools → fixed service account', matchResourceKind: 'shared', credentialKind: 'fixed', credentialRef: 'linear-service-account-slot', priority: 10 },
+    { id: 'rule-personal-resources', description: 'Personal resources → user-delegated token', matchResourceKind: 'personal', credentialKind: 'user-delegated', credentialRef: 'knowledge-base-user-slot', priority: 10 },
+];
+//# sourceMappingURL=credentials.js.map

package/dist/cjs/credentials.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"credentials.js","sourceRoot":"","sources":["../../src/credentials.ts"],"names":[],"mappings":";;;AAEa,QAAA,mBAAmB,GAAiB;IAC/C,EAAE,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,wBAAwB,EAAE,KAAK,EAAE,2BAA2B,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,GAAG,EAAE,6BAA6B,EAAE,oBAAoB,EAAE,EAAE,EAAE;IAC5M,EAAE,EAAE,EAAE,mBAAmB,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,qBAAqB,EAAE,KAAK,EAAE,mBAAmB,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,YAAY,EAAE,GAAG,EAAE,4BAA4B,EAAE,oBAAoB,EAAE,GAAG,EAAE;IAC3M,EAAE,EAAE,EAAE,qBAAqB,EAAE,IAAI,EAAE,gBAAgB,EAAE,IAAI,EAAE,wBAAwB,EAAE,KAAK,EAAE,2CAA2C,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,GAAG,EAAE,0BAA0B,EAAE,oBAAoB,EAAE,CAAC,EAAE;IACzO,EAAE,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,gBAAgB,EAAE,IAAI,EAAE,sBAAsB,EAAE,KAAK,EAAE,4BAA4B,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,GAAG,EAAE,uBAAuB,EAAE,oBAAoB,EAAE,CAAC,EAAE;CAC7M,CAAC;AAEW,QAAA,qBAAqB,GAAkB;IAClD,EAAE,EAAE,EAAE,mBAAmB,EAAE,WAAW,EAAE,sCAAsC,EAAE,iBAAiB,EAAE,QAAQ,EAAE,cAAc,EAAE,OAAO,EAAE,aAAa,EAAE,6BAA6B,EAAE,QAAQ,EAAE,EAAE,EAAE;IAClM,EAAE,EAAE,EAAE,yBAAyB,EAAE,WAAW,EAAE,2CAA2C,EAAE,iBAAiB,EAAE,UAAU,EAAE,cAAc,EAAE,gBAAgB,EAAE,aAAa,EAAE,0BAA0B,EAAE,QAAQ,EAAE,EAAE,EAAE;CACtN,CAAC"}

package/dist/cjs/decision.js

@@ -0,0 +1,30 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.computeDecision = computeDecision;
+function computeDecision(answers) {
+    const { variableAccess, mixedResources, auditRequired, longTermTokenStorage } = answers;
+    if (variableAccess === null || mixedResources === null || auditRequired === null)
+        return null;
+    if (variableAccess && longTermTokenStorage === null)
+        return null;
+    if (variableAccess && mixedResources) {
+        return { pattern: 'context-switched', label: 'Hybrid (context-switched)', explanation: 'Your agent needs both fixed credentials for shared resources and user-delegated tokens for personal data. Set explicit routing rules so the agent always knows which to use.' };
+    }
+    if (variableAccess && !mixedResources) {
+        if (!longTermTokenStorage) {
+            return { pattern: 'token-exchange', label: 'Token exchange / impersonation', explanation: 'You need per-user access but cannot store tokens long-term. Use OAuth token exchange or STS assume-role to get scoped user tokens at request time, without persisting them.' };
+        }
+        return { pattern: 'individual-user-auth', label: 'Individual user auth', explanation: "Users have different access levels, so each request must carry that user's own token. The agent passes it through; the downstream resource enforces the ACL." };
+    }
+    if (!variableAccess && mixedResources) {
+        return { pattern: 'fixed-credential', label: 'Fixed credential with resource-type awareness', explanation: 'All users are equal but the agent accesses different resource types. A single fixed credential works — ensure its scope covers both resource types your agent needs.' };
+    }
+    if (!variableAccess && !auditRequired) {
+        return { pattern: 'fixed-credential', label: 'Fixed credential', explanation: "All users are equal and audit trail isn't critical. A single service account keeps setup simple. Store the key encrypted; never pass it to the model layer." };
+    }
+    if (!variableAccess && auditRequired) {
+        return { pattern: 'fixed-credential', label: 'Fixed credential + request tagging', explanation: "Use a shared service account, but tag each request with the calling user's ID in your own logs. Gives you the simplicity of a fixed credential with an audit trail layer above it." };
+    }
+    return null;
+}
+//# sourceMappingURL=decision.js.map

package/dist/cjs/decision.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"decision.js","sourceRoot":"","sources":["../../src/decision.ts"],"names":[],"mappings":";;AAEA,0CAyBC;AAzBD,SAAgB,eAAe,CAAC,OAAwB;IACtD,MAAM,EAAE,cAAc,EAAE,cAAc,EAAE,aAAa,EAAE,oBAAoB,EAAE,GAAG,OAAO,CAAC;IAExF,IAAI,cAAc,KAAK,IAAI,IAAI,cAAc,KAAK,IAAI,IAAI,aAAa,KAAK,IAAI;QAAE,OAAO,IAAI,CAAC;IAC9F,IAAI,cAAc,IAAI,oBAAoB,KAAK,IAAI;QAAE,OAAO,IAAI,CAAC;IAEjE,IAAI,cAAc,IAAI,cAAc,EAAE,CAAC;QACrC,OAAO,EAAE,OAAO,EAAE,kBAAkB,EAAE,KAAK,EAAE,2BAA2B,EAAE,WAAW,EAAE,8KAA8K,EAAE,CAAC;IAC1Q,CAAC;IACD,IAAI,cAAc,IAAI,CAAC,cAAc,EAAE,CAAC;QACtC,IAAI,CAAC,oBAAoB,EAAE,CAAC;YAC1B,OAAO,EAAE,OAAO,EAAE,gBAAgB,EAAE,KAAK,EAAE,gCAAgC,EAAE,WAAW,EAAE,6KAA6K,EAAE,CAAC;QAC5Q,CAAC;QACD,OAAO,EAAE,OAAO,EAAE,sBAAsB,EAAE,KAAK,EAAE,sBAAsB,EAAE,WAAW,EAAE,8JAA8J,EAAE,CAAC;IACzP,CAAC;IACD,IAAI,CAAC,cAAc,IAAI,cAAc,EAAE,CAAC;QACtC,OAAO,EAAE,OAAO,EAAE,kBAAkB,EAAE,KAAK,EAAE,+CAA+C,EAAE,WAAW,EAAE,sKAAsK,EAAE,CAAC;IACtR,CAAC;IACD,IAAI,CAAC,cAAc,IAAI,CAAC,aAAa,EAAE,CAAC;QACtC,OAAO,EAAE,OAAO,EAAE,kBAAkB,EAAE,KAAK,EAAE,kBAAkB,EAAE,WAAW,EAAE,6JAA6J,EAAE,CAAC;IAChP,CAAC;IACD,IAAI,CAAC,cAAc,IAAI,aAAa,EAAE,CAAC;QACrC,OAAO,EAAE,OAAO,EAAE,kBAAkB,EAAE,KAAK,EAAE,oCAAoC,EAAE,WAAW,EAAE,oLAAoL,EAAE,CAAC;IACzR,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/cjs/federation.js

@@ -0,0 +1,55 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.FederationIssuer = exports.FederationVerifier = void 0;
+// ─── FederationVerifier ──────────────────────────────────────────────────────
+class FederationVerifier {
+    constructor(config) {
+        this.config = config;
+    }
+    verify(chain) {
+        if (!chain || chain.length === 0)
+            return false;
+        for (const entry of chain) {
+            const trustedKey = this.config.trustedDomains[entry.org];
+            if (!trustedKey)
+                return false;
+            if (!entry.signature || entry.signature.length === 0)
+                return false;
+        }
+        return true;
+    }
+}
+exports.FederationVerifier = FederationVerifier;
+// ─── FederationIssuer ────────────────────────────────────────────────────────
+class FederationIssuer {
+    constructor(trustDomain, agentId) {
+        this.trustDomain = trustDomain;
+        this.agentId = agentId;
+    }
+    issueEntry(ctx) {
+        const payload = JSON.stringify({
+            org: this.trustDomain,
+            userId: ctx.userId,
+            agentId: this.agentId,
+        });
+        // Placeholder signature — replace with Ed25519 in production
+        const signature = typeof Buffer !== 'undefined'
+            ? Buffer.from(payload).toString('base64')
+            : btoa(payload);
+        return {
+            org: this.trustDomain,
+            userId: ctx.userId,
+            agentId: this.agentId,
+            issuedAt: new Date().toISOString(),
+            signature,
+        };
+    }
+    issueChain(ctx) {
+        return [this.issueEntry(ctx)];
+    }
+    extendChain(chain, ctx) {
+        return [...chain, this.issueEntry(ctx)];
+    }
+}
+exports.FederationIssuer = FederationIssuer;
+//# sourceMappingURL=federation.js.map

package/dist/cjs/federation.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"federation.js","sourceRoot":"","sources":["../../src/federation.ts"],"names":[],"mappings":";;;AAUA,gFAAgF;AAEhF,MAAa,kBAAkB;IAC7B,YAA6B,MAAwB;QAAxB,WAAM,GAAN,MAAM,CAAkB;IAAG,CAAC;IAEzD,MAAM,CAAC,KAA2B;QAChC,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC;QAC/C,KAAK,MAAM,KAAK,IAAI,KAAK,EAAE,CAAC;YAC1B,MAAM,UAAU,GAAG,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YACzD,IAAI,CAAC,UAAU;gBAAE,OAAO,KAAK,CAAC;YAC9B,IAAI,CAAC,KAAK,CAAC,SAAS,IAAI,KAAK,CAAC,SAAS,CAAC,MAAM,KAAK,CAAC;gBAAE,OAAO,KAAK,CAAC;QACrE,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;CACF;AAZD,gDAYC;AAED,gFAAgF;AAEhF,MAAa,gBAAgB;IAC3B,YACmB,WAAmB,EACnB,OAAe;QADf,gBAAW,GAAX,WAAW,CAAQ;QACnB,YAAO,GAAP,OAAO,CAAQ;IAC/B,CAAC;IAEJ,UAAU,CAAC,GAAwB;QACjC,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC;YAC7B,GAAG,EAAE,IAAI,CAAC,WAAW;YACrB,MAAM,EAAE,GAAG,CAAC,MAAM;YAClB,OAAO,EAAE,IAAI,CAAC,OAAO;SACtB,CAAC,CAAC;QACH,6DAA6D;QAC7D,MAAM,SAAS,GAAG,OAAO,MAAM,KAAK,WAAW;YAC7C,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;YACzC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAElB,OAAO;YACL,GAAG,EAAE,IAAI,CAAC,WAAW;YACrB,MAAM,EAAE,GAAG,CAAC,MAAM;YAClB,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,QAAQ,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YAClC,SAAS;SACV,CAAC;IACJ,CAAC;IAED,UAAU,CAAC,GAAwB;QACjC,OAAO,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC;IAChC,CAAC;IAED,WAAW,CAAC,KAA2B,EAAE,GAAwB;QAC/D,OAAO,CAAC,GAAG,KAAK,EAAE,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC;IAC1C,CAAC;CACF;AAjCD,4CAiCC"}

package/dist/cjs/index.js

@@ -0,0 +1,42 @@
+"use strict";
+/**
+ * @datacules/agent-identity — public API
+ *
+ * Provider-agnostic credential routing and identity management for AI agents.
+ * The model/LLM layer never receives raw credentials.
+ *
+ * @example
+ * ```typescript
+ * import { createRouter } from '@datacules/agent-identity';
+ * import type { AgentRequestContext } from '@datacules/agent-identity';
+ *
+ * const router = createRouter(credentials, rules, logger);
+ * const resolved = await router.resolveAsync(ctx);
+ * ```
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+// ─── Runtime modules (classes, functions, const) ─────────────────────────────
+__exportStar(require("./router"), exports);
+__exportStar(require("./providers"), exports);
+__exportStar(require("./credentials"), exports);
+__exportStar(require("./decision"), exports);
+__exportStar(require("./rotation"), exports);
+__exportStar(require("./attestation"), exports);
+__exportStar(require("./approval"), exports);
+__exportStar(require("./budget"), exports);
+__exportStar(require("./federation"), exports);
+//# sourceMappingURL=index.js.map

package/dist/cjs/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;GAcG;;;;;;;;;;;;;;;;AAOH,gFAAgF;AAChF,2CAAyB;AACzB,8CAA4B;AAC5B,gDAA8B;AAC9B,6CAA2B;AAC3B,6CAA2B;AAC3B,gDAA8B;AAC9B,6CAA2B;AAC3B,2CAAyB;AACzB,+CAA6B"}

package/dist/cjs/providers.js

@@ -0,0 +1,97 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PROVIDER_ADAPTERS = void 0;
+exports.getAdapter = getAdapter;
+exports.registerProvider = registerProvider;
+function assertMigrationScope(credential, phase, adapterId) {
+    const writePhases = ['load', 'rollback'];
+    const readOnlyRef = credential.ref.includes('readonly') || credential.ref.endsWith('-ro');
+    if (writePhases.includes(phase) && readOnlyRef) {
+        throw new Error(`[${adapterId}] Migration phase "${phase}" requires a write-scoped credential, but ref "${credential.ref}" appears read-only.`);
+    }
+    if (phase === 'dry-run' && !readOnlyRef) {
+        console.warn(`[${adapterId}] dry-run received potentially write-capable ref "${credential.ref}". Ensure dryRun:true is enforced.`);
+    }
+}
+const openaiAdapter = {
+    id: 'openai',
+    label: 'OpenAI',
+    injectCredential(request, credential) {
+        return { ...request, user: credential.resolvedFor, _agentIdentityMeta: { credentialRef: credential.ref, resolvedFor: credential.resolvedFor, injectionPoint: 'Authorization: Bearer header (server-side)' } };
+    },
+    validate(request) {
+        if (!request.model)
+            throw new Error('[openai] request.model is required');
+    },
+    validateForMigration(credential, phase) { assertMigrationScope(credential, phase, 'openai'); },
+};
+const anthropicAdapter = {
+    id: 'anthropic',
+    label: 'Anthropic',
+    injectCredential(request, credential) {
+        return { ...request, metadata: { ...request.metadata, user_id: credential.resolvedFor, _agentIdentityMeta: { credentialRef: credential.ref, injectionPoint: 'x-api-key header (server-side)' } } };
+    },
+    validate(request) {
+        if (!request.model)
+            throw new Error('[anthropic] request.model is required');
+        if (!request.messages)
+            throw new Error('[anthropic] request.messages is required');
+    },
+    validateForMigration(credential, phase) { assertMigrationScope(credential, phase, 'anthropic'); },
+};
+const geminiAdapter = {
+    id: 'gemini',
+    label: 'Gemini',
+    injectCredential(request, credential) {
+        return { ...request, labels: { ...request.labels, user_id: credential.resolvedFor }, _agentIdentityMeta: { credentialRef: credential.ref, resolvedFor: credential.resolvedFor, injectionPoint: 'x-goog-api-key header (server-side)' } };
+    },
+    validate(request) {
+        if (!request.contents)
+            throw new Error('[gemini] request.contents is required');
+    },
+    validateForMigration(credential, phase) { assertMigrationScope(credential, phase, 'gemini'); },
+};
+const mistralAdapter = {
+    id: 'mistral',
+    label: 'Mistral',
+    injectCredential(request, credential) {
+        return { ...request, _agentIdentityMeta: { credentialRef: credential.ref, resolvedFor: credential.resolvedFor, injectionPoint: 'Authorization: Bearer header (server-side)' } };
+    },
+    validate(request) {
+        if (!request.model)
+            throw new Error('[mistral] request.model is required');
+        if (!request.messages)
+            throw new Error('[mistral] request.messages is required');
+    },
+    validateForMigration(credential, phase) { assertMigrationScope(credential, phase, 'mistral'); },
+};
+const localAdapter = {
+    id: 'local',
+    label: 'Local / self-hosted',
+    injectCredential(request, credential) {
+        return { ...request, _agentIdentityMeta: { credentialRef: credential.ref, resolvedFor: credential.resolvedFor, injectionPoint: 'varies by runtime' } };
+    },
+    validateForMigration(credential, phase) { assertMigrationScope(credential, phase, 'local'); },
+};
+exports.PROVIDER_ADAPTERS = {
+    openai: openaiAdapter,
+    anthropic: anthropicAdapter,
+    gemini: geminiAdapter,
+    mistral: mistralAdapter,
+    local: localAdapter,
+};
+function getAdapter(provider) {
+    return exports.PROVIDER_ADAPTERS[provider];
+}
+/**
+ * Registry pattern — register a custom provider adapter without forking core.
+ * Registered adapters are available via getAdapter() immediately.
+ *
+ * Example:
+ *   import { registerProvider } from '@datacules/agent-identity';
+ *   registerProvider({ id: 'cohere' as SupportedProvider, label: 'Cohere', injectCredential: ... });
+ */
+function registerProvider(adapter) {
+    exports.PROVIDER_ADAPTERS[adapter.id] = adapter;
+}
+//# sourceMappingURL=providers.js.map