@datacules/agent-identity 0.2.1

package/dist/types/approval.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"approval.d.ts","sourceRoot":"","sources":["../../src/approval.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,OAAO,KAAK,EAAE,mBAAmB,EAAE,cAAc,EAAE,eAAe,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,SAAS,CAAC;AAIjH,MAAM,WAAW,aAAa;IAC5B,MAAM,CAAC,OAAO,EAAE,eAAe,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAChD,GAAG,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,GAAG,IAAI,CAAC,CAAC;IACxD,MAAM,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,cAAc,EAAE,UAAU,CAAC,EAAE,MAAM,EAAE,aAAa,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC9G,WAAW,IAAI,OAAO,CAAC,eAAe,EAAE,CAAC,CAAC;CAC3C;AAED,MAAM,WAAW,gBAAgB;IAC/B,MAAM,CAAC,OAAO,EAAE,eAAe,EAAE,MAAM,EAAE,cAAc,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACzE;AAID,qBAAa,mBAAoB,YAAW,aAAa;IACvD,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAsC;IAEtD,MAAM,CAAC,OAAO,EAAE,eAAe,GAAG,OAAO,CAAC,IAAI,CAAC;IAI/C,GAAG,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,GAAG,IAAI,CAAC;IAIvD,MAAM,CACV,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,cAAc,EACtB,UAAU,CAAC,EAAE,MAAM,EACnB,aAAa,CAAC,EAAE,MAAM,GACrB,OAAO,CAAC,IAAI,CAAC;IAYV,WAAW,IAAI,OAAO,CAAC,eAAe,EAAE,CAAC;CAGhD;AAID,qBAAa,uBAAwB,YAAW,gBAAgB;IAClD,OAAO,CAAC,QAAQ,CAAC,UAAU;IAAU,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC;gBAA5C,UAAU,EAAE,MAAM,EAAmB,MAAM,CAAC,EAAE,MAAM,YAAA;IAE3E,MAAM,CAAC,OAAO,EAAE,eAAe,EAAE,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,IAAI,CAAC;CAY/E;AAID,qBAAa,qBAAsB,YAAW,gBAAgB;IAChD,OAAO,CAAC,QAAQ,CAAC,UAAU;gBAAV,UAAU,EAAE,MAAM;IAEzC,MAAM,CAAC,OAAO,EAAE,eAAe,EAAE,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,IAAI,CAAC;CAkB/E;AAID,qBAAa,eAAe;IAExB,OAAO,CAAC,QAAQ,CAAC,KAAK;IACtB,OAAO,CAAC,QAAQ,CAAC,SAAS;IAC1B,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC;gBAFZ,KAAK,EAAE,aAAa,EACpB,SAAS,GAAE,gBAAgB,EAAO,EAClC,WAAW,CAAC,EAAE,WAAW,YAAA;IAG5C;;;;;OAKG;IACG,OAAO,CACX,GAAG,EAAE,mBAAmB,EACxB,MAAM,EAAE,cAAc,EACtB,YAAY,EAAE,MAAM,EACpB,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,cAAc,CAAC;CAkE3B"}

package/dist/types/attestation.d.ts

@@ -0,0 +1,36 @@
+/**
+ * Zero-Trust Credential Attestation — @datacules/agent-identity core
+ *
+ * Every resolve() call can sign a short-lived JWT attestation using an
+ * HMAC-SHA256 key. Downstream services verify the attestation independently
+ * without calling agent-identity again — the proof travels with the request.
+ *
+ * Uses Web Crypto API (crypto.subtle) exclusively — available in:
+ *   Node.js 18+ (global), browsers, Cloudflare Workers, Deno, Bun.
+ * No dynamic imports — compatible with both ESM and CJS builds.
+ */
+import type { AttestationSigner, AttestationPayload, ResolvedCredential, AgentRequestContext } from './types';
+export declare class HmacAttestationSigner implements AttestationSigner {
+    private readonly secret;
+    private readonly issuer;
+    private readonly ttlSeconds;
+    constructor(options: {
+        secret: string;
+        issuer?: string;
+        ttlSeconds?: number;
+    });
+    private base64url;
+    private bufToBase64url;
+    private hmacSign;
+    sign(payload: Record<string, unknown>): Promise<string>;
+    verify(token: string): Promise<Record<string, unknown> | null>;
+}
+export interface AttestationOptions {
+    signer: AttestationSigner;
+    issuer?: string;
+    ttlSeconds?: number;
+    ruleId?: string;
+}
+export declare function buildAttestation(ctx: AgentRequestContext, resolved: ResolvedCredential, options: AttestationOptions): Promise<string>;
+export declare function verifyAttestation(token: string, signer: AttestationSigner): Promise<AttestationPayload | null>;
+//# sourceMappingURL=attestation.d.ts.map

package/dist/types/attestation.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"attestation.d.ts","sourceRoot":"","sources":["../../src/attestation.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AACH,OAAO,KAAK,EAAE,iBAAiB,EAAE,kBAAkB,EAAE,kBAAkB,EAAE,mBAAmB,EAAE,MAAM,SAAS,CAAC;AAI9G,qBAAa,qBAAsB,YAAW,iBAAiB;IAC7D,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;IAChC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;IAChC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;gBAExB,OAAO,EAAE;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,UAAU,CAAC,EAAE,MAAM,CAAA;KAAE;IAM7E,OAAO,CAAC,SAAS;IASjB,OAAO,CAAC,cAAc;YAUR,QAAQ;IAahB,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC,MAAM,CAAC;IAOvD,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;CAerE;AAID,MAAM,WAAW,kBAAkB;IACjC,MAAM,EAAE,iBAAiB,CAAC;IAC1B,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,wBAAsB,gBAAgB,CACpC,GAAG,EAAE,mBAAmB,EACxB,QAAQ,EAAE,kBAAkB,EAC5B,OAAO,EAAE,kBAAkB,GAC1B,OAAO,CAAC,MAAM,CAAC,CAejB;AAID,wBAAsB,iBAAiB,CACrC,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,iBAAiB,GACxB,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC,CAMpC"}

package/dist/types/budget.d.ts

@@ -0,0 +1,38 @@
+/**
+ * Credential Budget Management — Feature #12 from FEATURE_SUGGESTIONS.md
+ *
+ * Enforces per-credential usage budgets (hourly resolution count,
+ * concurrent sessions, daily spend) at the routing layer — before any
+ * call reaches the provider.
+ */
+import type { Credential, AuditLogger } from './types';
+export interface BudgetResult {
+    allowed: boolean;
+    reason?: 'hourly_limit' | 'session_limit' | 'daily_spend_limit';
+    retryAfter?: string;
+}
+export interface BudgetStore {
+    getHourlyCount(credentialId: string): Promise<number>;
+    incrementHourlyCount(credentialId: string): Promise<void>;
+    getConcurrentSessions(credentialId: string): Promise<number>;
+    getDailySpend(credentialId: string): Promise<number>;
+    resetHourly(credentialId: string): Promise<void>;
+    resetDaily(credentialId: string): Promise<void>;
+}
+export declare class MemoryBudgetStore implements BudgetStore {
+    private readonly hourlyCounts;
+    private readonly dailySpend;
+    getHourlyCount(credentialId: string): Promise<number>;
+    incrementHourlyCount(credentialId: string): Promise<void>;
+    getConcurrentSessions(_credentialId: string): Promise<number>;
+    getDailySpend(credentialId: string): Promise<number>;
+    resetHourly(credentialId: string): Promise<void>;
+    resetDaily(credentialId: string): Promise<void>;
+}
+export declare class BudgetEnforcer {
+    private readonly store;
+    private readonly auditLogger?;
+    constructor(store: BudgetStore, auditLogger?: AuditLogger | undefined);
+    check(credential: Credential): Promise<BudgetResult>;
+}
+//# sourceMappingURL=budget.d.ts.map

package/dist/types/budget.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"budget.d.ts","sourceRoot":"","sources":["../../src/budget.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AACH,OAAO,KAAK,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,SAAS,CAAC;AAIvD,MAAM,WAAW,YAAY;IAC3B,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,CAAC,EAAE,cAAc,GAAG,eAAe,GAAG,mBAAmB,CAAC;IAChE,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,WAAW;IAC1B,cAAc,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IACtD,oBAAoB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC1D,qBAAqB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAC7D,aAAa,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IACrD,WAAW,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACjD,UAAU,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACjD;AAID,qBAAa,iBAAkB,YAAW,WAAW;IACnD,OAAO,CAAC,QAAQ,CAAC,YAAY,CAA6D;IAC1F,OAAO,CAAC,QAAQ,CAAC,UAAU,CAA6B;IAElD,cAAc,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAWrD,oBAAoB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAUzD,qBAAqB,CAAC,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAK7D,aAAa,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAIpD,WAAW,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIhD,UAAU,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAGtD;AAID,qBAAa,cAAc;IAEvB,OAAO,CAAC,QAAQ,CAAC,KAAK;IACtB,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC;gBADZ,KAAK,EAAE,WAAW,EAClB,WAAW,CAAC,EAAE,WAAW,YAAA;IAGtC,KAAK,CAAC,UAAU,EAAE,UAAU,GAAG,OAAO,CAAC,YAAY,CAAC;CA4D3D"}

package/dist/types/credentials.d.ts

@@ -0,0 +1,4 @@
+import type { Credential, RoutingRule } from './types';
+export declare const DEFAULT_CREDENTIALS: Credential[];
+export declare const DEFAULT_ROUTING_RULES: RoutingRule[];
+//# sourceMappingURL=credentials.d.ts.map

package/dist/types/credentials.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"credentials.d.ts","sourceRoot":"","sources":["../../src/credentials.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,SAAS,CAAC;AAEvD,eAAO,MAAM,mBAAmB,EAAE,UAAU,EAK3C,CAAC;AAEF,eAAO,MAAM,qBAAqB,EAAE,WAAW,EAG9C,CAAC"}

package/dist/types/decision.d.ts

@@ -0,0 +1,3 @@
+import type { DecisionAnswers, DecisionResult } from './types';
+export declare function computeDecision(answers: DecisionAnswers): DecisionResult | null;
+//# sourceMappingURL=decision.d.ts.map

package/dist/types/decision.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"decision.d.ts","sourceRoot":"","sources":["../../src/decision.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAE/D,wBAAgB,eAAe,CAAC,OAAO,EAAE,eAAe,GAAG,cAAc,GAAG,IAAI,CAyB/E"}

package/dist/types/federation.d.ts

@@ -0,0 +1,23 @@
+/**
+ * Agent Federation — Cross-Org Identity Chains — Feature #11
+ *
+ * Carries a signed IdentityChain token across trust boundaries so that
+ * the full principal history is verifiable at every hop.
+ *
+ * Uses only standard Web APIs — no dynamic imports, CJS + ESM compatible.
+ */
+import type { FederationConfig, IdentityChainEntry, AgentRequestContext } from './types';
+export declare class FederationVerifier {
+    private readonly config;
+    constructor(config: FederationConfig);
+    verify(chain: IdentityChainEntry[]): boolean;
+}
+export declare class FederationIssuer {
+    private readonly trustDomain;
+    private readonly agentId;
+    constructor(trustDomain: string, agentId: string);
+    issueEntry(ctx: AgentRequestContext): IdentityChainEntry;
+    issueChain(ctx: AgentRequestContext): IdentityChainEntry[];
+    extendChain(chain: IdentityChainEntry[], ctx: AgentRequestContext): IdentityChainEntry[];
+}
+//# sourceMappingURL=federation.d.ts.map

package/dist/types/federation.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"federation.d.ts","sourceRoot":"","sources":["../../src/federation.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AACH,OAAO,KAAK,EAAE,gBAAgB,EAAE,kBAAkB,EAAE,mBAAmB,EAAE,MAAM,SAAS,CAAC;AAIzF,qBAAa,kBAAkB;IACjB,OAAO,CAAC,QAAQ,CAAC,MAAM;gBAAN,MAAM,EAAE,gBAAgB;IAErD,MAAM,CAAC,KAAK,EAAE,kBAAkB,EAAE,GAAG,OAAO;CAS7C;AAID,qBAAa,gBAAgB;IAEzB,OAAO,CAAC,QAAQ,CAAC,WAAW;IAC5B,OAAO,CAAC,QAAQ,CAAC,OAAO;gBADP,WAAW,EAAE,MAAM,EACnB,OAAO,EAAE,MAAM;IAGlC,UAAU,CAAC,GAAG,EAAE,mBAAmB,GAAG,kBAAkB;IAoBxD,UAAU,CAAC,GAAG,EAAE,mBAAmB,GAAG,kBAAkB,EAAE;IAI1D,WAAW,CAAC,KAAK,EAAE,kBAAkB,EAAE,EAAE,GAAG,EAAE,mBAAmB,GAAG,kBAAkB,EAAE;CAGzF"}

package/dist/types/index.d.ts

@@ -0,0 +1,26 @@
+/**
+ * @datacules/agent-identity — public API
+ *
+ * Provider-agnostic credential routing and identity management for AI agents.
+ * The model/LLM layer never receives raw credentials.
+ *
+ * @example
+ * ```typescript
+ * import { createRouter } from '@datacules/agent-identity';
+ * import type { AgentRequestContext } from '@datacules/agent-identity';
+ *
+ * const router = createRouter(credentials, rules, logger);
+ * const resolved = await router.resolveAsync(ctx);
+ * ```
+ */
+export type * from './types';
+export * from './router';
+export * from './providers';
+export * from './credentials';
+export * from './decision';
+export * from './rotation';
+export * from './attestation';
+export * from './approval';
+export * from './budget';
+export * from './federation';
+//# sourceMappingURL=index.d.ts.map

package/dist/types/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAKH,mBAAmB,SAAS,CAAC;AAG7B,cAAc,UAAU,CAAC;AACzB,cAAc,aAAa,CAAC;AAC5B,cAAc,eAAe,CAAC;AAC9B,cAAc,YAAY,CAAC;AAC3B,cAAc,YAAY,CAAC;AAC3B,cAAc,eAAe,CAAC;AAC9B,cAAc,YAAY,CAAC;AAC3B,cAAc,UAAU,CAAC;AACzB,cAAc,cAAc,CAAC"}

package/dist/types/providers.d.ts

@@ -0,0 +1,13 @@
+import type { ProviderAdapter, SupportedProvider } from './types';
+export declare const PROVIDER_ADAPTERS: Record<SupportedProvider, ProviderAdapter>;
+export declare function getAdapter(provider: SupportedProvider): ProviderAdapter;
+/**
+ * Registry pattern — register a custom provider adapter without forking core.
+ * Registered adapters are available via getAdapter() immediately.
+ *
+ * Example:
+ *   import { registerProvider } from '@datacules/agent-identity';
+ *   registerProvider({ id: 'cohere' as SupportedProvider, label: 'Cohere', injectCredential: ... });
+ */
+export declare function registerProvider(adapter: ProviderAdapter): void;
+//# sourceMappingURL=providers.d.ts.map

package/dist/types/providers.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"providers.d.ts","sourceRoot":"","sources":["../../src/providers.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAkB,eAAe,EAAsB,iBAAiB,EAAE,MAAM,SAAS,CAAC;AAwEtG,eAAO,MAAM,iBAAiB,EAAE,MAAM,CAAC,iBAAiB,EAAE,eAAe,CAMxE,CAAC;AAEF,wBAAgB,UAAU,CAAC,QAAQ,EAAE,iBAAiB,GAAG,eAAe,CAEvE;AAED;;;;;;;GAOG;AACH,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,eAAe,GAAG,IAAI,CAE/D"}

package/dist/types/react/index.d.ts

@@ -0,0 +1,3 @@
+export { useAgentIdentity } from './useAgentIdentity';
+export type { UseAgentIdentityOptions, UseAgentIdentityReturn, AgentIdentityState } from './useAgentIdentity';
+//# sourceMappingURL=index.d.ts.map

package/dist/types/react/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/react/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AACtD,YAAY,EAAE,uBAAuB,EAAE,sBAAsB,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC"}

package/dist/types/react/useAgentIdentity.d.ts

@@ -0,0 +1,58 @@
+/**
+ * useAgentIdentity — production-safe React hook.
+ *
+ * Exported from @datacules/agent-identity/react.
+ *
+ * Unlike useCredentials (demo-only), this hook calls POST /api/resolve
+ * server-side. The raw credential never touches the browser.
+ *
+ * Features:
+ *   - Full loading / error / expiresAt lifecycle
+ *   - Auto-refresh 60s before credential expiry
+ *   - Configurable endpoint (works with custom Next.js routes or the Docker sidecar)
+ *   - onError callback for integration with error boundaries / toast systems
+ *
+ * Usage:
+ *   import { useAgentIdentity } from '@datacules/agent-identity/react';
+ *
+ *   function AiComposer({ userId }: { userId: string }) {
+ *     const ctx = {
+ *       userId,
+ *       resourceId: 'knowledge-base',
+ *       resourceKind: 'personal' as const,
+ *       provider: 'anthropic' as const,
+ *       model: 'claude-sonnet-4-20250514',
+ *       action: 'read',
+ *       traceId: crypto.randomUUID(),
+ *       requestedAt: new Date().toISOString(),
+ *     };
+ *     const { resolvedFor, loading, error, expiresAt } = useAgentIdentity(ctx);
+ *
+ *     if (loading) return <p>Resolving credentials…</p>;
+ *     if (error)   return <p>Auth error: {error.message}</p>;
+ *     return <div>Ready — acting as {resolvedFor}</div>;
+ *   }
+ */
+import type { AgentRequestContext } from '../types';
+export interface UseAgentIdentityOptions {
+    /** Defaults to '/api/resolve' */
+    resolveEndpoint?: string;
+    /** Re-resolve this many seconds before the credential expires (default: 60) */
+    refreshBeforeExpirySeconds?: number;
+    /** Called on every error; use for toast / error boundary integration */
+    onError?: (err: Error) => void;
+    /** Disable auto-refresh on expiry (default: false) */
+    disableAutoRefresh?: boolean;
+}
+export interface AgentIdentityState {
+    resolvedFor: string | null;
+    expiresAt: string | null;
+    loading: boolean;
+    error: Error | null;
+}
+export interface UseAgentIdentityReturn extends AgentIdentityState {
+    /** Manually trigger a resolve (called automatically when ctx changes) */
+    resolve: (ctx: AgentRequestContext) => Promise<void>;
+}
+export declare function useAgentIdentity(ctx: AgentRequestContext | null, options?: UseAgentIdentityOptions): UseAgentIdentityReturn;
+//# sourceMappingURL=useAgentIdentity.d.ts.map

package/dist/types/react/useAgentIdentity.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"useAgentIdentity.d.ts","sourceRoot":"","sources":["../../../src/react/useAgentIdentity.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkCG;AAKH,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,UAAU,CAAC;AAEpD,MAAM,WAAW,uBAAuB;IACtC,iCAAiC;IACjC,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,+EAA+E;IAC/E,0BAA0B,CAAC,EAAE,MAAM,CAAC;IACpC,wEAAwE;IACxE,OAAO,CAAC,EAAE,CAAC,GAAG,EAAE,KAAK,KAAK,IAAI,CAAC;IAC/B,sDAAsD;IACtD,kBAAkB,CAAC,EAAE,OAAO,CAAC;CAC9B;AAED,MAAM,WAAW,kBAAkB;IACjC,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,EAAE,KAAK,GAAG,IAAI,CAAC;CACrB;AAED,MAAM,WAAW,sBAAuB,SAAQ,kBAAkB;IAChE,yEAAyE;IACzE,OAAO,EAAE,CAAC,GAAG,EAAE,mBAAmB,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CACtD;AAED,wBAAgB,gBAAgB,CAC9B,GAAG,EAAE,mBAAmB,GAAG,IAAI,EAC/B,OAAO,GAAE,uBAA4B,GACpC,sBAAsB,CA8ExB"}

package/dist/types/rotation.d.ts

@@ -0,0 +1,51 @@
+/**
+ * Automated Credential Rotation — Feature #4 from FEATURE_SUGGESTIONS.md
+ *
+ * RotationPolicy on Credential + CredentialRotationScheduler that detects
+ * expiring/due credentials and calls registered RotationProvider instances
+ * to mint new secrets.
+ */
+import type { Credential, AuditLogger } from './types';
+/**
+ * A RotationProvider mints a new secret for a credential and updates the
+ * store. Built-in providers: VaultRotationProvider, AwsRotationProvider.
+ * Custom providers implement this interface.
+ */
+export interface RotationProvider {
+    id: string;
+    rotate(credential: Credential): Promise<{
+        newRef: string;
+        rotatedAt: string;
+    }>;
+}
+/**
+ * CredentialRepository is a minimal interface over any CredentialStore that
+ * supports mutation — listing and updating credentials. The core store
+ * interface is read-only for callers; rotation needs write access.
+ */
+export interface RotationRepository {
+    listActive(): Promise<Credential[]>;
+    update(id: string, patch: Partial<Credential>): Promise<void>;
+}
+export declare class CredentialRotationScheduler {
+    private readonly repository;
+    private readonly auditLogger?;
+    private readonly providers;
+    private intervalHandle;
+    constructor(repository: RotationRepository, auditLogger?: AuditLogger | undefined);
+    registerProvider(provider: RotationProvider): void;
+    /**
+     * Check all active credentials for pending rotation and rotate them.
+     * Call this on a schedule (e.g. every hour via cron or setInterval).
+     */
+    runOnce(): Promise<void>;
+    /**
+     * Start a background rotation loop at the given interval.
+     * @param intervalMs Check frequency in milliseconds (default: 3600000 = 1 hour)
+     */
+    start(intervalMs?: number): void;
+    stop(): void;
+    private isRotationDue;
+    private maybeEmitWarning;
+}
+//# sourceMappingURL=rotation.d.ts.map

package/dist/types/rotation.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rotation.d.ts","sourceRoot":"","sources":["../../src/rotation.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AACH,OAAO,KAAK,EAAE,UAAU,EAAE,WAAW,EAAkB,MAAM,SAAS,CAAC;AAIvE;;;;GAIG;AACH,MAAM,WAAW,gBAAgB;IAC/B,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,CAAC,UAAU,EAAE,UAAU,GAAG,OAAO,CAAC;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CAChF;AAED;;;;GAIG;AACH,MAAM,WAAW,kBAAkB;IACjC,UAAU,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC,CAAC;IACpC,MAAM,CAAC,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,CAAC,UAAU,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CAC/D;AAID,qBAAa,2BAA2B;IAKpC,OAAO,CAAC,QAAQ,CAAC,UAAU;IAC3B,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC;IAL/B,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAuC;IACjE,OAAO,CAAC,cAAc,CAA+C;gBAGlD,UAAU,EAAE,kBAAkB,EAC9B,WAAW,CAAC,EAAE,WAAW,YAAA;IAG5C,gBAAgB,CAAC,QAAQ,EAAE,gBAAgB,GAAG,IAAI;IAIlD;;;OAGG;IACG,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;IA8D9B;;;OAGG;IACH,KAAK,CAAC,UAAU,SAAY,GAAG,IAAI;IAOnC,IAAI,IAAI,IAAI;IAOZ,OAAO,CAAC,aAAa;YASP,gBAAgB;CAsB/B"}

package/dist/types/router.d.ts

@@ -0,0 +1,48 @@
+/**
+ * Credential Router — core of @datacules/agent-identity.
+ *
+ * Key features added in this version:
+ * - Canary routing: canaryRef + canaryWeight on RoutingRule
+ * - Attestation: optional AttestationSigner on router config
+ * - Budget enforcement: BudgetEnforcer check before resolving
+ * - Approval gate: ApprovalManager integration on rules with approval policy
+ */
+import type { AgentRequestContext, AuditLogger, Credential, CredentialStore, MigrationContext, ResolvedCredential, ResolvedCredentialPair, RoutingRule, AttestationSigner } from './types';
+import type { BudgetEnforcer } from './budget';
+import type { ApprovalManager } from './approval';
+export interface RouterConfig {
+    store: CredentialStore;
+    rules: RoutingRule[];
+    logger?: AuditLogger;
+    /** Sign a JWT attestation and attach it to every ResolvedCredential */
+    attestationSigner?: AttestationSigner;
+    /** Enforce per-credential budget limits */
+    budgetEnforcer?: BudgetEnforcer;
+    /** Gate high-risk resolutions behind human approval */
+    approvalManager?: ApprovalManager;
+}
+export declare class MemoryCredentialStore implements CredentialStore {
+    private readonly creds;
+    private readonly reservations;
+    constructor(credentials: Credential[]);
+    findByRefSync(ref: string): Credential | null;
+    findByRef(ref: string): Promise<Credential | null>;
+    listActive(): Promise<Credential[]>;
+    listByKind(kind: Credential['kind']): Promise<Credential[]>;
+    reserve(ref: string, migrationId: string, ttlSeconds: number): Promise<boolean>;
+    release(ref: string, migrationId: string): Promise<void>;
+}
+export declare class CredentialRouter {
+    private readonly config;
+    constructor(config: RouterConfig);
+    resolve(ctx: AgentRequestContext): ResolvedCredential | null;
+    resolveAsync(ctx: AgentRequestContext): Promise<ResolvedCredential | null>;
+    resolvePair(ctx: MigrationContext): ResolvedCredentialPair | null;
+    private selectRef;
+    private ruleMatches;
+    private buildAuditEntry;
+}
+export declare function createRouter(credentials: Credential[], rules: RoutingRule[], logger?: AuditLogger): CredentialRouter;
+export declare function createRouterFromStore(store: CredentialStore, rules: RoutingRule[], logger?: AuditLogger): CredentialRouter;
+export declare function createRouterWithConfig(config: RouterConfig): CredentialRouter;
+//# sourceMappingURL=router.d.ts.map

package/dist/types/router.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"router.d.ts","sourceRoot":"","sources":["../../src/router.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EACV,mBAAmB,EAEnB,WAAW,EACX,UAAU,EACV,eAAe,EACf,gBAAgB,EAChB,kBAAkB,EAClB,sBAAsB,EACtB,WAAW,EACX,iBAAiB,EAClB,MAAM,SAAS,CAAC;AAEjB,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,UAAU,CAAC;AAC/C,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAUlD,MAAM,WAAW,YAAY;IAC3B,KAAK,EAAE,eAAe,CAAC;IACvB,KAAK,EAAE,WAAW,EAAE,CAAC;IACrB,MAAM,CAAC,EAAE,WAAW,CAAC;IACrB,uEAAuE;IACvE,iBAAiB,CAAC,EAAE,iBAAiB,CAAC;IACtC,2CAA2C;IAC3C,cAAc,CAAC,EAAE,cAAc,CAAC;IAChC,uDAAuD;IACvD,eAAe,CAAC,EAAE,eAAe,CAAC;CACnC;AAED,qBAAa,qBAAsB,YAAW,eAAe;IAC3D,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAe;IACrC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAiE;gBAElF,WAAW,EAAE,UAAU,EAAE;IAIrC,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,UAAU,GAAG,IAAI;IAIvC,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC;IAIlD,UAAU,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;IAInC,UAAU,CAAC,IAAI,EAAE,UAAU,CAAC,MAAM,CAAC,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC;IAI3D,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAQ/E,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAI/D;AAED,qBAAa,gBAAgB;IACf,OAAO,CAAC,QAAQ,CAAC,MAAM;gBAAN,MAAM,EAAE,YAAY;IAIjD,OAAO,CAAC,GAAG,EAAE,mBAAmB,GAAG,kBAAkB,GAAG,IAAI;IAyCtD,YAAY,CAAC,GAAG,EAAE,mBAAmB,GAAG,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC;IAuDhF,WAAW,CAAC,GAAG,EAAE,gBAAgB,GAAG,sBAAsB,GAAG,IAAI;IAajE,OAAO,CAAC,SAAS;IAUjB,OAAO,CAAC,WAAW;IAoBnB,OAAO,CAAC,eAAe;CAsBxB;AAID,wBAAgB,YAAY,CAC1B,WAAW,EAAE,UAAU,EAAE,EACzB,KAAK,EAAE,WAAW,EAAE,EACpB,MAAM,CAAC,EAAE,WAAW,GACnB,gBAAgB,CAElB;AAED,wBAAgB,qBAAqB,CACnC,KAAK,EAAE,eAAe,EACtB,KAAK,EAAE,WAAW,EAAE,EACpB,MAAM,CAAC,EAAE,WAAW,GACnB,gBAAgB,CAElB;AAED,wBAAgB,sBAAsB,CAAC,MAAM,EAAE,YAAY,GAAG,gBAAgB,CAE7E"}