@datacules/agent-identity 0.2.1

package/dist/esm/react/useAgentIdentity.js

@@ -0,0 +1,100 @@
+/**
+ * useAgentIdentity — production-safe React hook.
+ *
+ * Exported from @datacules/agent-identity/react.
+ *
+ * Unlike useCredentials (demo-only), this hook calls POST /api/resolve
+ * server-side. The raw credential never touches the browser.
+ *
+ * Features:
+ *   - Full loading / error / expiresAt lifecycle
+ *   - Auto-refresh 60s before credential expiry
+ *   - Configurable endpoint (works with custom Next.js routes or the Docker sidecar)
+ *   - onError callback for integration with error boundaries / toast systems
+ *
+ * Usage:
+ *   import { useAgentIdentity } from '@datacules/agent-identity/react';
+ *
+ *   function AiComposer({ userId }: { userId: string }) {
+ *     const ctx = {
+ *       userId,
+ *       resourceId: 'knowledge-base',
+ *       resourceKind: 'personal' as const,
+ *       provider: 'anthropic' as const,
+ *       model: 'claude-sonnet-4-20250514',
+ *       action: 'read',
+ *       traceId: crypto.randomUUID(),
+ *       requestedAt: new Date().toISOString(),
+ *     };
+ *     const { resolvedFor, loading, error, expiresAt } = useAgentIdentity(ctx);
+ *
+ *     if (loading) return <p>Resolving credentials…</p>;
+ *     if (error)   return <p>Auth error: {error.message}</p>;
+ *     return <div>Ready — acting as {resolvedFor}</div>;
+ *   }
+ */
+'use client'; // Next.js App Router compatibility
+import { useState, useCallback, useRef, useEffect } from 'react';
+export function useAgentIdentity(ctx, options = {}) {
+    const { resolveEndpoint = '/api/resolve', refreshBeforeExpirySeconds = 60, onError, disableAutoRefresh = false, } = options;
+    const [state, setState] = useState({
+        resolvedFor: null,
+        expiresAt: null,
+        loading: false,
+        error: null,
+    });
+    const refreshTimerRef = useRef(null);
+    const clearRefreshTimer = () => {
+        if (refreshTimerRef.current !== null) {
+            clearTimeout(refreshTimerRef.current);
+            refreshTimerRef.current = null;
+        }
+    };
+    const resolve = useCallback(async (context) => {
+        clearRefreshTimer();
+        setState((s) => ({ ...s, loading: true, error: null }));
+        try {
+            const res = await fetch(resolveEndpoint, {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/json' },
+                body: JSON.stringify(context),
+            });
+            if (!res.ok) {
+                const body = await res.json().catch(() => ({}));
+                throw new Error(body.error ?? `HTTP ${res.status}`);
+            }
+            const data = await res.json();
+            setState({
+                resolvedFor: data.resolvedFor,
+                expiresAt: data.expiresAt ?? null,
+                loading: false,
+                error: null,
+            });
+            // Schedule auto-refresh before credential expires
+            if (!disableAutoRefresh && data.expiresAt) {
+                const msUntilRefresh = new Date(data.expiresAt).getTime() - Date.now() - refreshBeforeExpirySeconds * 1000;
+                if (msUntilRefresh > 0) {
+                    refreshTimerRef.current = setTimeout(() => resolve(context), msUntilRefresh);
+                }
+            }
+        }
+        catch (err) {
+            const e = err instanceof Error ? err : new Error(String(err));
+            setState((s) => ({ ...s, loading: false, error: e }));
+            onError?.(e);
+        }
+    }, 
+    // eslint-disable-next-line react-hooks/exhaustive-deps
+    [resolveEndpoint, refreshBeforeExpirySeconds, disableAutoRefresh, onError]);
+    // Auto-resolve whenever ctx changes
+    useEffect(() => {
+        if (!ctx)
+            return;
+        void resolve(ctx);
+        return clearRefreshTimer;
+        // ctx is intentionally compared by reference; callers should memoize it
+        // eslint-disable-next-line react-hooks/exhaustive-deps
+    }, [ctx]);
+    return { ...state, resolve };
+}
+//# sourceMappingURL=useAgentIdentity.js.map

package/dist/esm/react/useAgentIdentity.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"useAgentIdentity.js","sourceRoot":"","sources":["../../../src/react/useAgentIdentity.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkCG;AAEH,YAAY,CAAC,CAAC,mCAAmC;AAEjD,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,OAAO,CAAC;AA0BjE,MAAM,UAAU,gBAAgB,CAC9B,GAA+B,EAC/B,UAAmC,EAAE;IAErC,MAAM,EACJ,eAAe,GAAG,cAAc,EAChC,0BAA0B,GAAG,EAAE,EAC/B,OAAO,EACP,kBAAkB,GAAG,KAAK,GAC3B,GAAG,OAAO,CAAC;IAEZ,MAAM,CAAC,KAAK,EAAE,QAAQ,CAAC,GAAG,QAAQ,CAAqB;QACrD,WAAW,EAAE,IAAI;QACjB,SAAS,EAAE,IAAI;QACf,OAAO,EAAE,KAAK;QACd,KAAK,EAAE,IAAI;KACZ,CAAC,CAAC;IAEH,MAAM,eAAe,GAAG,MAAM,CAAuC,IAAI,CAAC,CAAC;IAE3E,MAAM,iBAAiB,GAAG,GAAG,EAAE;QAC7B,IAAI,eAAe,CAAC,OAAO,KAAK,IAAI,EAAE,CAAC;YACrC,YAAY,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC;YACtC,eAAe,CAAC,OAAO,GAAG,IAAI,CAAC;QACjC,CAAC;IACH,CAAC,CAAC;IAEF,MAAM,OAAO,GAAG,WAAW,CACzB,KAAK,EAAE,OAA4B,EAAiB,EAAE;QACpD,iBAAiB,EAAE,CAAC;QACpB,QAAQ,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;QAExD,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,eAAe,EAAE;gBACvC,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;gBAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC;aAC9B,CAAC,CAAC;YAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;gBACZ,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;gBAChD,MAAM,IAAI,KAAK,CAAE,IAA2B,CAAC,KAAK,IAAI,QAAQ,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;YAC9E,CAAC;YAED,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAiD,CAAC;YAE7E,QAAQ,CAAC;gBACP,WAAW,EAAE,IAAI,CAAC,WAAW;gBAC7B,SAAS,EAAE,IAAI,CAAC,SAAS,IAAI,IAAI;gBACjC,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,IAAI;aACZ,CAAC,CAAC;YAEH,kDAAkD;YAClD,IAAI,CAAC,kBAAkB,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;gBAC1C,MAAM,cAAc,GAClB,IAAI,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,0BAA0B,GAAG,IAAI,CAAC;gBACtF,IAAI,cAAc,GAAG,CAAC,EAAE,CAAC;oBACvB,eAAe,CAAC,OAAO,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,cAAc,CAAC,CAAC;gBAC/E,CAAC;YACH,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,CAAC,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;YAC9D,QAAQ,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC;YACtD,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC;QACf,CAAC;IACH,CAAC;IACD,uDAAuD;IACvD,CAAC,eAAe,EAAE,0BAA0B,EAAE,kBAAkB,EAAE,OAAO,CAAC,CAC3E,CAAC;IAEF,oCAAoC;IACpC,SAAS,CAAC,GAAG,EAAE;QACb,IAAI,CAAC,GAAG;YAAE,OAAO;QACjB,KAAK,OAAO,CAAC,GAAG,CAAC,CAAC;QAClB,OAAO,iBAAiB,CAAC;QACzB,wEAAwE;QACxE,uDAAuD;IACzD,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAEV,OAAO,EAAE,GAAG,KAAK,EAAE,OAAO,EAAE,CAAC;AAC/B,CAAC"}

package/dist/esm/rotation.js

@@ -0,0 +1,123 @@
+// ─── CredentialRotationScheduler ─────────────────────────────────────────────
+export class CredentialRotationScheduler {
+    constructor(repository, auditLogger) {
+        this.repository = repository;
+        this.auditLogger = auditLogger;
+        this.providers = new Map();
+        this.intervalHandle = null;
+    }
+    registerProvider(provider) {
+        this.providers.set(provider.id, provider);
+    }
+    /**
+     * Check all active credentials for pending rotation and rotate them.
+     * Call this on a schedule (e.g. every hour via cron or setInterval).
+     */
+    async runOnce() {
+        const credentials = await this.repository.listActive();
+        const now = new Date();
+        for (const cred of credentials) {
+            if (!cred.rotation)
+                continue;
+            const due = this.isRotationDue(cred, cred.rotation, now);
+            if (!due) {
+                await this.maybeEmitWarning(cred, cred.rotation, now);
+                continue;
+            }
+            const provider = cred.rotation.provisioner
+                ? this.providers.get(cred.rotation.provisioner)
+                : null;
+            if (!provider) {
+                console.warn(`[RotationScheduler] No provider for credential ${cred.id} (provisioner: ${cred.rotation.provisioner ?? 'unset'})`);
+                continue;
+            }
+            try {
+                const { newRef, rotatedAt } = await provider.rotate(cred);
+                await this.repository.update(cred.id, { ref: newRef, lastRotated: rotatedAt });
+                if (this.auditLogger) {
+                    await this.auditLogger.log({
+                        timestamp: new Date().toISOString(),
+                        traceId: `rotation-${cred.id}`,
+                        userId: 'system',
+                        action: 'credential.rotated',
+                        resourceId: cred.id,
+                        resourceKind: 'shared',
+                        provider: 'local',
+                        model: 'system',
+                        credentialId: cred.id,
+                        credentialKind: cred.kind,
+                        resolvedFor: 'system',
+                    });
+                }
+            }
+            catch (err) {
+                console.error(`[RotationScheduler] Rotation failed for ${cred.id}:`, err);
+                if (this.auditLogger) {
+                    await this.auditLogger.log({
+                        timestamp: new Date().toISOString(),
+                        traceId: `rotation-${cred.id}`,
+                        userId: 'system',
+                        action: 'credential.rotation_failed',
+                        resourceId: cred.id,
+                        resourceKind: 'shared',
+                        provider: 'local',
+                        model: 'system',
+                        credentialId: cred.id,
+                        credentialKind: cred.kind,
+                        resolvedFor: 'system',
+                    });
+                }
+            }
+        }
+    }
+    /**
+     * Start a background rotation loop at the given interval.
+     * @param intervalMs Check frequency in milliseconds (default: 3600000 = 1 hour)
+     */
+    start(intervalMs = 3600000) {
+        if (this.intervalHandle !== null)
+            return;
+        this.intervalHandle = setInterval(() => {
+            this.runOnce().catch(console.error);
+        }, intervalMs);
+    }
+    stop() {
+        if (this.intervalHandle !== null) {
+            clearInterval(this.intervalHandle);
+            this.intervalHandle = null;
+        }
+    }
+    isRotationDue(cred, policy, now) {
+        if (policy.rotateAfterDays !== undefined && cred.lastRotated) {
+            const lastRotated = new Date(cred.lastRotated);
+            const daysSince = (now.getTime() - lastRotated.getTime()) / 86400000;
+            if (daysSince >= policy.rotateAfterDays)
+                return true;
+        }
+        return false;
+    }
+    async maybeEmitWarning(cred, policy, now) {
+        if (!this.auditLogger)
+            return;
+        if (policy.notifyBeforeDays !== undefined && policy.rotateAfterDays !== undefined && cred.lastRotated) {
+            const lastRotated = new Date(cred.lastRotated);
+            const daysUntilDue = policy.rotateAfterDays - (now.getTime() - lastRotated.getTime()) / 86400000;
+            if (daysUntilDue > 0 && daysUntilDue <= policy.notifyBeforeDays) {
+                await this.auditLogger.log({
+                    timestamp: new Date().toISOString(),
+                    traceId: `rotation-warning-${cred.id}`,
+                    userId: 'system',
+                    action: 'credential.rotation_due',
+                    resourceId: cred.id,
+                    resourceKind: 'shared',
+                    provider: 'local',
+                    model: 'system',
+                    credentialId: cred.id,
+                    credentialKind: cred.kind,
+                    resolvedFor: 'system',
+                });
+            }
+        }
+    }
+}
+//# sourceMappingURL=rotation.js.map

package/dist/esm/rotation.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rotation.js","sourceRoot":"","sources":["../../src/rotation.ts"],"names":[],"mappings":"AA+BA,gFAAgF;AAEhF,MAAM,OAAO,2BAA2B;IAItC,YACmB,UAA8B,EAC9B,WAAyB;QADzB,eAAU,GAAV,UAAU,CAAoB;QAC9B,gBAAW,GAAX,WAAW,CAAc;QAL3B,cAAS,GAAG,IAAI,GAAG,EAA4B,CAAC;QACzD,mBAAc,GAA0C,IAAI,CAAC;IAKlE,CAAC;IAEJ,gBAAgB,CAAC,QAA0B;QACzC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC;IAC5C,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,OAAO;QACX,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,UAAU,EAAE,CAAC;QACvD,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;QAEvB,KAAK,MAAM,IAAI,IAAI,WAAW,EAAE,CAAC;YAC/B,IAAI,CAAC,IAAI,CAAC,QAAQ;gBAAE,SAAS;YAE7B,MAAM,GAAG,GAAG,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;YACzD,IAAI,CAAC,GAAG,EAAE,CAAC;gBACT,MAAM,IAAI,CAAC,gBAAgB,CAAC,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;gBACtD,SAAS;YACX,CAAC;YAED,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,WAAW;gBACxC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC;gBAC/C,CAAC,CAAC,IAAI,CAAC;YAET,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACd,OAAO,CAAC,IAAI,CAAC,kDAAkD,IAAI,CAAC,EAAE,kBAAkB,IAAI,CAAC,QAAQ,CAAC,WAAW,IAAI,OAAO,GAAG,CAAC,CAAC;gBACjI,SAAS;YACX,CAAC;YAED,IAAI,CAAC;gBACH,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;gBAC1D,MAAM,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,GAAG,EAAE,MAAM,EAAE,WAAW,EAAE,SAAS,EAAE,CAAC,CAAC;gBAE/E,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;oBACrB,MAAM,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC;wBACzB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;wBACnC,OAAO,EAAE,YAAY,IAAI,CAAC,EAAE,EAAE;wBAC9B,MAAM,EAAE,QAAQ;wBAChB,MAAM,EAAE,oBAAoB;wBAC5B,UAAU,EAAE,IAAI,CAAC,EAAE;wBACnB,YAAY,EAAE,QAAQ;wBACtB,QAAQ,EAAE,OAAO;wBACjB,KAAK,EAAE,QAAQ;wBACf,YAAY,EAAE,IAAI,CAAC,EAAE;wBACrB,cAAc,EAAE,IAAI,CAAC,IAAI;wBACzB,WAAW,EAAE,QAAQ;qBACtB,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,OAAO,CAAC,KAAK,CAAC,2CAA2C,IAAI,CAAC,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC;gBAC1E,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;oBACrB,MAAM,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC;wBACzB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;wBACnC,OAAO,EAAE,YAAY,IAAI,CAAC,EAAE,EAAE;wBAC9B,MAAM,EAAE,QAAQ;wBAChB,MAAM,EAAE,4BAA4B;wBACpC,UAAU,EAAE,IAAI,CAAC,EAAE;wBACnB,YAAY,EAAE,QAAQ;wBACtB,QAAQ,EAAE,OAAO;wBACjB,KAAK,EAAE,QAAQ;wBACf,YAAY,EAAE,IAAI,CAAC,EAAE;wBACrB,cAAc,EAAE,IAAI,CAAC,IAAI;wBACzB,WAAW,EAAE,QAAQ;qBACtB,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,UAAU,GAAG,OAAS;QAC1B,IAAI,IAAI,CAAC,cAAc,KAAK,IAAI;YAAE,OAAO;QACzC,IAAI,CAAC,cAAc,GAAG,WAAW,CAAC,GAAG,EAAE;YACrC,IAAI,CAAC,OAAO,EAAE,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;QACtC,CAAC,EAAE,UAAU,CAAC,CAAC;IACjB,CAAC;IAED,IAAI;QACF,IAAI,IAAI,CAAC,cAAc,KAAK,IAAI,EAAE,CAAC;YACjC,aAAa,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;YACnC,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC;QAC7B,CAAC;IACH,CAAC;IAEO,aAAa,CAAC,IAAgB,EAAE,MAAsB,EAAE,GAAS;QACvE,IAAI,MAAM,CAAC,eAAe,KAAK,SAAS,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;YAC7D,MAAM,WAAW,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YAC/C,MAAM,SAAS,GAAG,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,WAAW,CAAC,OAAO,EAAE,CAAC,GAAG,QAAU,CAAC;YACvE,IAAI,SAAS,IAAI,MAAM,CAAC,eAAe;gBAAE,OAAO,IAAI,CAAC;QACvD,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAEO,KAAK,CAAC,gBAAgB,CAAC,IAAgB,EAAE,MAAsB,EAAE,GAAS;QAChF,IAAI,CAAC,IAAI,CAAC,WAAW;YAAE,OAAO;QAC9B,IAAI,MAAM,CAAC,gBAAgB,KAAK,SAAS,IAAI,MAAM,CAAC,eAAe,KAAK,SAAS,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;YACtG,MAAM,WAAW,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YAC/C,MAAM,YAAY,GAAG,MAAM,CAAC,eAAe,GAAG,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,WAAW,CAAC,OAAO,EAAE,CAAC,GAAG,QAAU,CAAC;YACnG,IAAI,YAAY,GAAG,CAAC,IAAI,YAAY,IAAI,MAAM,CAAC,gBAAgB,EAAE,CAAC;gBAChE,MAAM,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC;oBACzB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;oBACnC,OAAO,EAAE,oBAAoB,IAAI,CAAC,EAAE,EAAE;oBACtC,MAAM,EAAE,QAAQ;oBAChB,MAAM,EAAE,yBAAyB;oBACjC,UAAU,EAAE,IAAI,CAAC,EAAE;oBACnB,YAAY,EAAE,QAAQ;oBACtB,QAAQ,EAAE,OAAO;oBACjB,KAAK,EAAE,QAAQ;oBACf,YAAY,EAAE,IAAI,CAAC,EAAE;oBACrB,cAAc,EAAE,IAAI,CAAC,IAAI;oBACzB,WAAW,EAAE,QAAQ;iBACtB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;CACF"}

package/dist/esm/router.js

@@ -0,0 +1,208 @@
+/**
+ * Credential Router — core of @datacules/agent-identity.
+ *
+ * Key features added in this version:
+ * - Canary routing: canaryRef + canaryWeight on RoutingRule
+ * - Attestation: optional AttestationSigner on router config
+ * - Budget enforcement: BudgetEnforcer check before resolving
+ * - Approval gate: ApprovalManager integration on rules with approval policy
+ */
+import { buildAttestation } from './attestation';
+function isSyncCapable(store) {
+    return typeof store.findByRefSync === 'function';
+}
+export class MemoryCredentialStore {
+    constructor(credentials) {
+        this.reservations = new Map();
+        this.creds = credentials;
+    }
+    findByRefSync(ref) {
+        return this.creds.find((c) => c.ref === ref && c.status === 'active') ?? null;
+    }
+    async findByRef(ref) {
+        return this.findByRefSync(ref);
+    }
+    async listActive() {
+        return this.creds.filter((c) => c.status === 'active');
+    }
+    async listByKind(kind) {
+        return this.creds.filter((c) => c.kind === kind);
+    }
+    async reserve(ref, migrationId, ttlSeconds) {
+        const existing = this.reservations.get(ref);
+        const now = Date.now();
+        if (existing && existing.migrationId !== migrationId && existing.expiresAt > now)
+            return false;
+        this.reservations.set(ref, { migrationId, expiresAt: now + ttlSeconds * 1000 });
+        return true;
+    }
+    async release(ref, migrationId) {
+        const existing = this.reservations.get(ref);
+        if (existing?.migrationId === migrationId)
+            this.reservations.delete(ref);
+    }
+}
+export class CredentialRouter {
+    constructor(config) {
+        this.config = config;
+    }
+    // ─── Sync resolve (requires SyncCapable store) ────────────────────────────
+    resolve(ctx) {
+        const { store, rules } = this.config;
+        const matching = rules
+            .filter((r) => this.ruleMatches(r, ctx))
+            .sort((a, b) => b.priority - a.priority);
+        const rule = matching[0];
+        if (!rule)
+            return null;
+        if (!isSyncCapable(store)) {
+            console.warn('[CredentialRouter] resolve() requires findByRefSync(). Use resolveAsync() for async stores.');
+            return null;
+        }
+        // Canary selection
+        const ref = this.selectRef(rule);
+        const isCanary = ref === rule.canaryRef;
+        const cred = store.findByRefSync(ref);
+        if (!cred)
+            return null;
+        if (cred.expiresAt && new Date(cred.expiresAt) < new Date())
+            return null;
+        if (rule.readOnly && !cred.scope.toLowerCase().includes('read'))
+            return null;
+        const resolved = {
+            credentialId: cred.id,
+            kind: cred.kind,
+            ref: cred.ref,
+            resolvedFor: cred.kind === 'user-delegated' ? ctx.userId : 'service',
+            expiresAt: cred.expiresAt,
+            isCanary,
+        };
+        if (this.config.logger) {
+            this.config.logger.log(this.buildAuditEntry(ctx, resolved, rule, isCanary)).catch(console.error);
+        }
+        return resolved;
+    }
+    // ─── Async resolve (all stores; supports approval + budget + attestation) ─
+    async resolveAsync(ctx) {
+        const { store, rules, approvalManager, budgetEnforcer, attestationSigner } = this.config;
+        const matching = rules
+            .filter((r) => this.ruleMatches(r, ctx))
+            .sort((a, b) => b.priority - a.priority);
+        const rule = matching[0];
+        if (!rule)
+            return null;
+        // Approval gate
+        if (rule.approval && approvalManager) {
+            const status = await approvalManager.request(ctx, rule.approval, rule.credentialRef, rule.id);
+            if (status !== 'approved' && status !== 'break_glass')
+                return null;
+        }
+        const ref = this.selectRef(rule);
+        const isCanary = ref === rule.canaryRef;
+        const cred = await store.findByRef(ref);
+        if (!cred)
+            return null;
+        if (cred.expiresAt && new Date(cred.expiresAt) < new Date())
+            return null;
+        if (rule.readOnly && !cred.scope.toLowerCase().includes('read'))
+            return null;
+        // Budget check
+        if (budgetEnforcer) {
+            const budget = await budgetEnforcer.check(cred);
+            if (!budget.allowed)
+                return null;
+        }
+        const resolved = {
+            credentialId: cred.id,
+            kind: cred.kind,
+            ref: cred.ref,
+            resolvedFor: cred.kind === 'user-delegated' ? ctx.userId : 'service',
+            expiresAt: cred.expiresAt,
+            isCanary,
+        };
+        // Attestation
+        if (attestationSigner) {
+            resolved.credentialAttestation = await buildAttestation(ctx, resolved, {
+                signer: attestationSigner,
+                ruleId: rule.id,
+            });
+        }
+        if (this.config.logger) {
+            await this.config.logger.log(this.buildAuditEntry(ctx, resolved, rule, isCanary));
+        }
+        return resolved;
+    }
+    // ─── Pair resolve for migration ───────────────────────────────────────────
+    resolvePair(ctx) {
+        const sourceCtx = { ...ctx, resourceId: ctx.sourceResourceId, action: 'read' };
+        const targetCtx = { ...ctx, resourceId: ctx.targetResourceId, action: ctx.dryRun ? 'read' : ctx.action };
+        const source = this.resolve(sourceCtx);
+        const target = this.resolve(targetCtx);
+        if (!source || !target)
+            return null;
+        return { source, target, migrationId: ctx.migrationId };
+    }
+    // ─── Canary selection ─────────────────────────────────────────────────────
+    selectRef(rule) {
+        if (rule.canaryRef && rule.canaryWeight && rule.canaryWeight > 0) {
+            const roll = Math.random() * 100;
+            if (roll < rule.canaryWeight)
+                return rule.canaryRef;
+        }
+        return rule.credentialRef;
+    }
+    // ─── Rule matching ────────────────────────────────────────────────────────
+    ruleMatches(rule, ctx) {
+        if (rule.matchResourceKind && rule.matchResourceKind !== ctx.resourceKind)
+            return false;
+        if (rule.matchProvider && rule.matchProvider !== ctx.provider)
+            return false;
+        if (rule.matchUserId && rule.matchUserId !== ctx.userId)
+            return false;
+        if (rule.matchSpiffeId && ctx.spiffeId !== rule.matchSpiffeId)
+            return false;
+        if (rule.matchAction) {
+            const actions = Array.isArray(rule.matchAction) ? rule.matchAction : [rule.matchAction];
+            if (!actions.includes(ctx.action))
+                return false;
+        }
+        if (rule.matchPhase) {
+            const migCtx = ctx;
+            if (!migCtx.phase)
+                return false;
+            const phases = Array.isArray(rule.matchPhase) ? rule.matchPhase : [rule.matchPhase];
+            if (!phases.includes(migCtx.phase))
+                return false;
+        }
+        return true;
+    }
+    // ─── Audit entry builder ─────────────────────────────────────────────────
+    buildAuditEntry(ctx, resolved, rule, isCanary) {
+        return {
+            timestamp: new Date().toISOString(),
+            traceId: ctx.traceId,
+            userId: ctx.userId,
+            action: ctx.action,
+            resourceId: ctx.resourceId,
+            resourceKind: ctx.resourceKind,
+            provider: ctx.provider,
+            model: ctx.model,
+            credentialId: resolved.credentialId,
+            credentialKind: resolved.kind,
+            resolvedFor: resolved.resolvedFor,
+            isCanary,
+            spiffeId: ctx.spiffeId,
+        };
+    }
+}
+// ─── Factory functions ────────────────────────────────────────────────────────
+export function createRouter(credentials, rules, logger) {
+    return new CredentialRouter({ store: new MemoryCredentialStore(credentials), rules, logger });
+}
+export function createRouterFromStore(store, rules, logger) {
+    return new CredentialRouter({ store, rules, logger });
+}
+export function createRouterWithConfig(config) {
+    return new CredentialRouter(config);
+}
+//# sourceMappingURL=router.js.map

package/dist/esm/router.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"router.js","sourceRoot":"","sources":["../../src/router.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAcH,OAAO,EAAE,gBAAgB,EAAE,MAAM,eAAe,CAAC;AAQjD,SAAS,aAAa,CAAC,KAAsB;IAC3C,OAAO,OAAQ,KAA0B,CAAC,aAAa,KAAK,UAAU,CAAC;AACzE,CAAC;AAcD,MAAM,OAAO,qBAAqB;IAIhC,YAAY,WAAyB;QAFpB,iBAAY,GAAG,IAAI,GAAG,EAAsD,CAAC;QAG5F,IAAI,CAAC,KAAK,GAAG,WAAW,CAAC;IAC3B,CAAC;IAED,aAAa,CAAC,GAAW;QACvB,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,KAAK,GAAG,IAAI,CAAC,CAAC,MAAM,KAAK,QAAQ,CAAC,IAAI,IAAI,CAAC;IAChF,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,GAAW;QACzB,OAAO,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC;IACjC,CAAC;IAED,KAAK,CAAC,UAAU;QACd,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC;IACzD,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,IAAwB;QACvC,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,CAAC;IACnD,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,GAAW,EAAE,WAAmB,EAAE,UAAkB;QAChE,MAAM,QAAQ,GAAG,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAC5C,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,IAAI,QAAQ,IAAI,QAAQ,CAAC,WAAW,KAAK,WAAW,IAAI,QAAQ,CAAC,SAAS,GAAG,GAAG;YAAE,OAAO,KAAK,CAAC;QAC/F,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,WAAW,EAAE,SAAS,EAAE,GAAG,GAAG,UAAU,GAAG,IAAI,EAAE,CAAC,CAAC;QAChF,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,GAAW,EAAE,WAAmB;QAC5C,MAAM,QAAQ,GAAG,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAC5C,IAAI,QAAQ,EAAE,WAAW,KAAK,WAAW;YAAE,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IAC3E,CAAC;CACF;AAED,MAAM,OAAO,gBAAgB;IAC3B,YAA6B,MAAoB;QAApB,WAAM,GAAN,MAAM,CAAc;IAAG,CAAC;IAErD,6EAA6E;IAE7E,OAAO,CAAC,GAAwB;QAC9B,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,IAAI,CAAC,MAAM,CAAC;QACrC,MAAM,QAAQ,GAAG,KAAK;aACnB,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;aACvC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,GAAG,CAAC,CAAC,QAAQ,CAAC,CAAC;QAE3C,MAAM,IAAI,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC;QACzB,IAAI,CAAC,IAAI;YAAE,OAAO,IAAI,CAAC;QAEvB,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,EAAE,CAAC;YAC1B,OAAO,CAAC,IAAI,CAAC,6FAA6F,CAAC,CAAC;YAC5G,OAAO,IAAI,CAAC;QACd,CAAC;QAED,mBAAmB;QACnB,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;QACjC,MAAM,QAAQ,GAAG,GAAG,KAAK,IAAI,CAAC,SAAS,CAAC;QAExC,MAAM,IAAI,GAAG,KAAK,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC;QACtC,IAAI,CAAC,IAAI;YAAE,OAAO,IAAI,CAAC;QACvB,IAAI,IAAI,CAAC,SAAS,IAAI,IAAI,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,IAAI,IAAI,EAAE;YAAE,OAAO,IAAI,CAAC;QACzE,IAAI,IAAI,CAAC,QAAQ,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC;YAAE,OAAO,IAAI,CAAC;QAE7E,MAAM,QAAQ,GAAuB;YACnC,YAAY,EAAE,IAAI,CAAC,EAAE;YACrB,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,GAAG,EAAE,IAAI,CAAC,GAAG;YACb,WAAW,EAAE,IAAI,CAAC,IAAI,KAAK,gBAAgB,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS;YACpE,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,QAAQ;SACT,CAAC;QAEF,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;YACvB,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,eAAe,CAAC,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;QACnG,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,6EAA6E;IAE7E,KAAK,CAAC,YAAY,CAAC,GAAwB;QACzC,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,eAAe,EAAE,cAAc,EAAE,iBAAiB,EAAE,GAAG,IAAI,CAAC,MAAM,CAAC;QACzF,MAAM,QAAQ,GAAG,KAAK;aACnB,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;aACvC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,GAAG,CAAC,CAAC,QAAQ,CAAC,CAAC;QAE3C,MAAM,IAAI,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC;QACzB,IAAI,CAAC,IAAI;YAAE,OAAO,IAAI,CAAC;QAEvB,gBAAgB;QAChB,IAAI,IAAI,CAAC,QAAQ,IAAI,eAAe,EAAE,CAAC;YACrC,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,OAAO,CAAC,GAAG,EAAE,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,aAAa,EAAE,IAAI,CAAC,EAAE,CAAC,CAAC;YAC9F,IAAI,MAAM,KAAK,UAAU,IAAI,MAAM,KAAK,aAAa;gBAAE,OAAO,IAAI,CAAC;QACrE,CAAC;QAED,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;QACjC,MAAM,QAAQ,GAAG,GAAG,KAAK,IAAI,CAAC,SAAS,CAAC;QAExC,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;QACxC,IAAI,CAAC,IAAI;YAAE,OAAO,IAAI,CAAC;QACvB,IAAI,IAAI,CAAC,SAAS,IAAI,IAAI,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,IAAI,IAAI,EAAE;YAAE,OAAO,IAAI,CAAC;QACzE,IAAI,IAAI,CAAC,QAAQ,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC;YAAE,OAAO,IAAI,CAAC;QAE7E,eAAe;QACf,IAAI,cAAc,EAAE,CAAC;YACnB,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YAChD,IAAI,CAAC,MAAM,CAAC,OAAO;gBAAE,OAAO,IAAI,CAAC;QACnC,CAAC;QAED,MAAM,QAAQ,GAAuB;YACnC,YAAY,EAAE,IAAI,CAAC,EAAE;YACrB,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,GAAG,EAAE,IAAI,CAAC,GAAG;YACb,WAAW,EAAE,IAAI,CAAC,IAAI,KAAK,gBAAgB,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS;YACpE,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,QAAQ;SACT,CAAC;QAEF,cAAc;QACd,IAAI,iBAAiB,EAAE,CAAC;YACtB,QAAQ,CAAC,qBAAqB,GAAG,MAAM,gBAAgB,CAAC,GAAG,EAAE,QAAQ,EAAE;gBACrE,MAAM,EAAE,iBAAiB;gBACzB,MAAM,EAAE,IAAI,CAAC,EAAE;aAChB,CAAC,CAAC;QACL,CAAC;QAED,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;YACvB,MAAM,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,eAAe,CAAC,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,QAAQ,CAAC,CAAC,CAAC;QACpF,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,6EAA6E;IAE7E,WAAW,CAAC,GAAqB;QAC/B,MAAM,SAAS,GAAwB,EAAE,GAAG,GAAG,EAAE,UAAU,EAAE,GAAG,CAAC,gBAAgB,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC;QACpG,MAAM,SAAS,GAAwB,EAAE,GAAG,GAAG,EAAE,UAAU,EAAE,GAAG,CAAC,gBAAgB,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC;QAE9H,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QACvC,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QACvC,IAAI,CAAC,MAAM,IAAI,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC;QAEpC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,GAAG,CAAC,WAAW,EAAE,CAAC;IAC1D,CAAC;IAED,6EAA6E;IAErE,SAAS,CAAC,IAAiB;QACjC,IAAI,IAAI,CAAC,SAAS,IAAI,IAAI,CAAC,YAAY,IAAI,IAAI,CAAC,YAAY,GAAG,CAAC,EAAE,CAAC;YACjE,MAAM,IAAI,GAAG,IAAI,CAAC,MAAM,EAAE,GAAG,GAAG,CAAC;YACjC,IAAI,IAAI,GAAG,IAAI,CAAC,YAAY;gBAAE,OAAO,IAAI,CAAC,SAAS,CAAC;QACtD,CAAC;QACD,OAAO,IAAI,CAAC,aAAa,CAAC;IAC5B,CAAC;IAED,6EAA6E;IAErE,WAAW,CAAC,IAAiB,EAAE,GAAwB;QAC7D,IAAI,IAAI,CAAC,iBAAiB,IAAI,IAAI,CAAC,iBAAiB,KAAK,GAAG,CAAC,YAAY;YAAE,OAAO,KAAK,CAAC;QACxF,IAAI,IAAI,CAAC,aAAa,IAAI,IAAI,CAAC,aAAa,KAAK,GAAG,CAAC,QAAQ;YAAE,OAAO,KAAK,CAAC;QAC5E,IAAI,IAAI,CAAC,WAAW,IAAI,IAAI,CAAC,WAAW,KAAK,GAAG,CAAC,MAAM;YAAE,OAAO,KAAK,CAAC;QACtE,IAAI,IAAI,CAAC,aAAa,IAAI,GAAG,CAAC,QAAQ,KAAK,IAAI,CAAC,aAAa;YAAE,OAAO,KAAK,CAAC;QAC5E,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;YACrB,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YACxF,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC;gBAAE,OAAO,KAAK,CAAC;QAClD,CAAC;QACD,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YACpB,MAAM,MAAM,GAAG,GAAuB,CAAC;YACvC,IAAI,CAAC,MAAM,CAAC,KAAK;gBAAE,OAAO,KAAK,CAAC;YAChC,MAAM,MAAM,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;YACpF,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,KAAK,CAAC;gBAAE,OAAO,KAAK,CAAC;QACnD,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,4EAA4E;IAEpE,eAAe,CACrB,GAAwB,EACxB,QAA4B,EAC5B,IAAiB,EACjB,QAAiB;QAEjB,OAAO;YACL,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,OAAO,EAAE,GAAG,CAAC,OAAO;YACpB,MAAM,EAAE,GAAG,CAAC,MAAM;YAClB,MAAM,EAAE,GAAG,CAAC,MAAM;YAClB,UAAU,EAAE,GAAG,CAAC,UAAU;YAC1B,YAAY,EAAE,GAAG,CAAC,YAAY;YAC9B,QAAQ,EAAE,GAAG,CAAC,QAAQ;YACtB,KAAK,EAAE,GAAG,CAAC,KAAK;YAChB,YAAY,EAAE,QAAQ,CAAC,YAAY;YACnC,cAAc,EAAE,QAAQ,CAAC,IAAI;YAC7B,WAAW,EAAE,QAAQ,CAAC,WAAW;YACjC,QAAQ;YACR,QAAQ,EAAE,GAAG,CAAC,QAAQ;SACvB,CAAC;IACJ,CAAC;CACF;AAED,iFAAiF;AAEjF,MAAM,UAAU,YAAY,CAC1B,WAAyB,EACzB,KAAoB,EACpB,MAAoB;IAEpB,OAAO,IAAI,gBAAgB,CAAC,EAAE,KAAK,EAAE,IAAI,qBAAqB,CAAC,WAAW,CAAC,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;AAChG,CAAC;AAED,MAAM,UAAU,qBAAqB,CACnC,KAAsB,EACtB,KAAoB,EACpB,MAAoB;IAEpB,OAAO,IAAI,gBAAgB,CAAC,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;AACxD,CAAC;AAED,MAAM,UAAU,sBAAsB,CAAC,MAAoB;IACzD,OAAO,IAAI,gBAAgB,CAAC,MAAM,CAAC,CAAC;AACtC,CAAC"}

package/dist/esm/schemas.js

@@ -0,0 +1,124 @@
+/**
+ * @datacules/agent-identity/schemas
+ *
+ * Zod schemas mirroring every public type. Three uses simultaneously:
+ *   1. Runtime validation in route handlers (replaces manual field loops)
+ *   2. TypeScript type inference via z.infer<>
+ *   3. JSON Schema / OpenAPI generation via zod-to-json-schema
+ *
+ * Since zod is already in dependencies, this costs nothing to ship.
+ */
+import { z } from 'zod';
+// ─── Primitives ───────────────────────────────────────────────────────────────
+export const SupportedProviderSchema = z.enum([
+    'openai',
+    'anthropic',
+    'gemini',
+    'mistral',
+    'local',
+]);
+export const ResourceKindSchema = z.enum(['shared', 'personal']);
+export const CredentialKindSchema = z.enum(['fixed', 'user-delegated']);
+export const CredentialStatusSchema = z.enum(['active', 'pending', 'revoked']);
+export const MigrationPhaseSchema = z.enum([
+    'dry-run',
+    'extract',
+    'transform',
+    'load',
+    'verify',
+    'rollback',
+]);
+export const ApproverKindSchema = z.enum(['webhook', 'email', 'slack']);
+// ─── Rotation Policy ─────────────────────────────────────────────────────────
+export const RotationPolicySchema = z.object({
+    rotateAfterDays: z.number().int().positive().optional(),
+    rotateAfterUses: z.number().int().positive().optional(),
+    gracePeriodSeconds: z.number().int().nonnegative().optional(),
+    notifyBeforeDays: z.number().int().positive().optional(),
+    provisioner: z.string().optional(),
+});
+// ─── Budget Policy ────────────────────────────────────────────────────────────
+export const BudgetPolicySchema = z.object({
+    maxResolutionsPerHour: z.number().int().positive().optional(),
+    maxConcurrentSessions: z.number().int().positive().optional(),
+    maxDailySpendUsd: z.number().positive().optional(),
+    softThresholdPercent: z.number().min(0).max(100).optional(),
+    resetSchedule: z.string().optional(),
+});
+// ─── Approval Policy ─────────────────────────────────────────────────────────
+export const ApproverSchema = z.object({
+    kind: ApproverKindSchema,
+    target: z.string().min(1),
+});
+export const ApprovalPolicySchema = z.object({
+    requiredApprovers: z.number().int().positive(),
+    approvers: z.array(ApproverSchema),
+    timeoutSeconds: z.number().int().positive().optional(),
+    breakGlass: z
+        .object({
+        approver: z.string().min(1),
+        requireJustification: z.boolean().optional(),
+    })
+        .optional(),
+});
+// ─── Credential ─────────────────────────────────────────────────────────────
+export const CredentialSchema = z.object({
+    id: z.string().min(1),
+    kind: CredentialKindSchema,
+    name: z.string().min(1),
+    scope: z.string(),
+    status: CredentialStatusSchema,
+    provider: z.string().optional(),
+    ref: z.string().min(1),
+    expiresAt: z.string().datetime().optional(),
+    lastRotated: z.string().datetime().optional(),
+    refreshTokenRef: z.string().optional(),
+    rotationIntervalDays: z.number().int().nonnegative().optional(),
+    rotation: RotationPolicySchema.optional(),
+    budget: BudgetPolicySchema.optional(),
+    tags: z.array(z.string()).optional(),
+});
+// ─── Routing Rule ──────────────────────────────────────────────────────────
+export const RoutingRuleSchema = z.object({
+    id: z.string().min(1),
+    description: z.string(),
+    credentialRef: z.string().min(1),
+    credentialKind: CredentialKindSchema,
+    priority: z.number().int(),
+    matchResourceKind: ResourceKindSchema.optional(),
+    matchAction: z.union([z.string(), z.array(z.string())]).optional(),
+    matchProvider: SupportedProviderSchema.optional(),
+    matchUserId: z.string().optional(),
+    matchPhase: z
+        .union([MigrationPhaseSchema, z.array(MigrationPhaseSchema)])
+        .optional(),
+    matchSpiffeId: z.string().optional(),
+    readOnly: z.boolean().optional(),
+    canaryRef: z.string().optional(),
+    canaryWeight: z.number().int().min(0).max(100).optional(),
+    approval: ApprovalPolicySchema.optional(),
+});
+// ─── Agent Request Context ───────────────────────────────────────────────
+export const AgentRequestContextSchema = z.object({
+    userId: z.string().min(1),
+    resourceId: z.string().min(1),
+    resourceKind: ResourceKindSchema,
+    provider: SupportedProviderSchema,
+    model: z.string().min(1),
+    action: z.string().min(1),
+    traceId: z.string().min(1),
+    sessionId: z.string().optional(),
+    requestedAt: z.string().datetime(),
+    parentTraceId: z.string().optional(),
+    spiffeId: z.string().optional(),
+});
+export const MigrationContextSchema = AgentRequestContextSchema.extend({
+    migrationId: z.string().min(1),
+    phase: MigrationPhaseSchema,
+    sourceResourceId: z.string().min(1),
+    targetResourceId: z.string().min(1),
+    dryRun: z.boolean(),
+    batchIndex: z.number().int().nonnegative().optional(),
+    totalBatches: z.number().int().positive().optional(),
+});
+//# sourceMappingURL=schemas.js.map

package/dist/esm/schemas.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"schemas.js","sourceRoot":"","sources":["../../src/schemas.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AACH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,iFAAiF;AAEjF,MAAM,CAAC,MAAM,uBAAuB,GAAG,CAAC,CAAC,IAAI,CAAC;IAC5C,QAAQ;IACR,WAAW;IACX,QAAQ;IACR,SAAS;IACT,OAAO;CACR,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,kBAAkB,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC,CAAC;AAEjE,MAAM,CAAC,MAAM,oBAAoB,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,gBAAgB,CAAC,CAAC,CAAC;AAExE,MAAM,CAAC,MAAM,sBAAsB,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC,CAAC;AAE/E,MAAM,CAAC,MAAM,oBAAoB,GAAG,CAAC,CAAC,IAAI,CAAC;IACzC,SAAS;IACT,SAAS;IACT,WAAW;IACX,MAAM;IACN,QAAQ;IACR,UAAU;CACX,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,kBAAkB,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC;AAExE,gFAAgF;AAEhF,MAAM,CAAC,MAAM,oBAAoB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC3C,eAAe,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;IACvD,eAAe,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;IACvD,kBAAkB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,WAAW,EAAE,CAAC,QAAQ,EAAE;IAC7D,gBAAgB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;IACxD,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CACnC,CAAC,CAAC;AAEH,iFAAiF;AAEjF,MAAM,CAAC,MAAM,kBAAkB,GAAG,CAAC,CAAC,MAAM,CAAC;IACzC,qBAAqB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;IAC7D,qBAAqB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;IAC7D,gBAAgB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;IAClD,oBAAoB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE;IAC3D,aAAa,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CACrC,CAAC,CAAC;AAEH,gFAAgF;AAEhF,MAAM,CAAC,MAAM,cAAc,GAAG,CAAC,CAAC,MAAM,CAAC;IACrC,IAAI,EAAE,kBAAkB;IACxB,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;CAC1B,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,oBAAoB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC3C,iBAAiB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAC9C,SAAS,EAAE,CAAC,CAAC,KAAK,CAAC,cAAc,CAAC;IAClC,cAAc,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;IACtD,UAAU,EAAE,CAAC;SACV,MAAM,CAAC;QACN,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;QAC3B,oBAAoB,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;KAC7C,CAAC;SACD,QAAQ,EAAE;CACd,CAAC,CAAC;AAEH,+EAA+E;AAE/E,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC,CAAC,MAAM,CAAC;IACvC,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACrB,IAAI,EAAE,oBAAoB;IAC1B,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACvB,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE;IACjB,MAAM,EAAE,sBAAsB;IAC9B,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC/B,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACtB,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;IAC3C,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;IAC7C,eAAe,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACtC,oBAAoB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,WAAW,EAAE,CAAC,QAAQ,EAAE;IAC/D,QAAQ,EAAE,oBAAoB,CAAC,QAAQ,EAAE;IACzC,MAAM,EAAE,kBAAkB,CAAC,QAAQ,EAAE;IACrC,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;CACrC,CAAC,CAAC;AAEH,8EAA8E;AAE9E,MAAM,CAAC,MAAM,iBAAiB,GAAG,CAAC,CAAC,MAAM,CAAC;IACxC,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACrB,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE;IACvB,aAAa,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAChC,cAAc,EAAE,oBAAoB;IACpC,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE;IAC1B,iBAAiB,EAAE,kBAAkB,CAAC,QAAQ,EAAE;IAChD,WAAW,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;IAClE,aAAa,EAAE,uBAAuB,CAAC,QAAQ,EAAE;IACjD,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAClC,UAAU,EAAE,CAAC;SACV,KAAK,CAAC,CAAC,oBAAoB,EAAE,CAAC,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAC,CAAC;SAC5D,QAAQ,EAAE;IACb,aAAa,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACpC,QAAQ,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IAChC,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAChC,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE;IACzD,QAAQ,EAAE,oBAAoB,CAAC,QAAQ,EAAE;CAC1C,CAAC,CAAC;AAEH,4EAA4E;AAE5E,MAAM,CAAC,MAAM,yBAAyB,GAAG,CAAC,CAAC,MAAM,CAAC;IAChD,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACzB,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC7B,YAAY,EAAE,kBAAkB;IAChC,QAAQ,EAAE,uBAAuB;IACjC,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACxB,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACzB,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC1B,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAChC,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAClC,aAAa,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACpC,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CAChC,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,sBAAsB,GAAG,yBAAyB,CAAC,MAAM,CAAC;IACrE,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC9B,KAAK,EAAE,oBAAoB;IAC3B,gBAAgB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACnC,gBAAgB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACnC,MAAM,EAAE,CAAC,CAAC,OAAO,EAAE;IACnB,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,WAAW,EAAE,CAAC,QAAQ,EAAE;IACrD,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;CACrD,CAAC,CAAC"}

package/dist/esm/types.js

@@ -0,0 +1,3 @@
+// ─── Identity Types ───────────────────────────────────────────────────────────
+export {};
+//# sourceMappingURL=types.js.map

package/dist/esm/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/types.ts"],"names":[],"mappings":"AAAA,iFAAiF"}

package/dist/types/approval.d.ts

@@ -0,0 +1,48 @@
+/**
+ * Multi-Party Approval Workflows — Feature #5 from FEATURE_SUGGESTIONS.md
+ *
+ * Intercepts resolve() when a RoutingRule has an ApprovalPolicy, holds
+ * resolution pending human sign-off, and fires notifiers.
+ */
+import type { AgentRequestContext, ApprovalPolicy, ApprovalRequest, ApprovalStatus, AuditLogger } from './types';
+export interface ApprovalStore {
+    create(request: ApprovalRequest): Promise<void>;
+    get(requestId: string): Promise<ApprovalRequest | null>;
+    update(requestId: string, status: ApprovalStatus, resolvedBy?: string, justification?: string): Promise<void>;
+    listPending(): Promise<ApprovalRequest[]>;
+}
+export interface ApprovalNotifier {
+    notify(request: ApprovalRequest, policy: ApprovalPolicy): Promise<void>;
+}
+export declare class MemoryApprovalStore implements ApprovalStore {
+    private readonly store;
+    create(request: ApprovalRequest): Promise<void>;
+    get(requestId: string): Promise<ApprovalRequest | null>;
+    update(requestId: string, status: ApprovalStatus, resolvedBy?: string, justification?: string): Promise<void>;
+    listPending(): Promise<ApprovalRequest[]>;
+}
+export declare class WebhookApprovalNotifier implements ApprovalNotifier {
+    private readonly webhookUrl;
+    private readonly secret?;
+    constructor(webhookUrl: string, secret?: string | undefined);
+    notify(request: ApprovalRequest, _policy: ApprovalPolicy): Promise<void>;
+}
+export declare class SlackApprovalNotifier implements ApprovalNotifier {
+    private readonly webhookUrl;
+    constructor(webhookUrl: string);
+    notify(request: ApprovalRequest, _policy: ApprovalPolicy): Promise<void>;
+}
+export declare class ApprovalManager {
+    private readonly store;
+    private readonly notifiers;
+    private readonly auditLogger?;
+    constructor(store: ApprovalStore, notifiers?: ApprovalNotifier[], auditLogger?: AuditLogger | undefined);
+    /**
+     * Gate a resolve() call behind an approval policy.
+     * Returns 'approved' / 'break_glass' if the request was already
+     * approved, otherwise creates a new approval request, notifies approvers,
+     * and returns 'pending' (the router returns null — caller should retry).
+     */
+    request(ctx: AgentRequestContext, policy: ApprovalPolicy, credentialId: string, ruleId: string): Promise<ApprovalStatus>;
+}
+//# sourceMappingURL=approval.d.ts.map