npm - @datacules/agent-identity - Versions diffs - 0.2.1 - Mend

@datacules/agent-identity 0.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (81) hide show

package/dist/cjs/approval.js +157 -0
package/dist/cjs/approval.js.map +1 -0
package/dist/cjs/attestation.js +89 -0
package/dist/cjs/attestation.js.map +1 -0
package/dist/cjs/budget.js +110 -0
package/dist/cjs/budget.js.map +1 -0
package/dist/cjs/credentials.js +14 -0
package/dist/cjs/credentials.js.map +1 -0
package/dist/cjs/decision.js +30 -0
package/dist/cjs/decision.js.map +1 -0
package/dist/cjs/federation.js +55 -0
package/dist/cjs/federation.js.map +1 -0
package/dist/cjs/index.js +42 -0
package/dist/cjs/index.js.map +1 -0
package/dist/cjs/providers.js +97 -0
package/dist/cjs/providers.js.map +1 -0
package/dist/cjs/rotation.js +127 -0
package/dist/cjs/rotation.js.map +1 -0
package/dist/cjs/router.js +216 -0
package/dist/cjs/router.js.map +1 -0
package/dist/cjs/schemas.js +127 -0
package/dist/cjs/schemas.js.map +1 -0
package/dist/cjs/types.js +4 -0
package/dist/cjs/types.js.map +1 -0
package/dist/esm/approval.js +150 -0
package/dist/esm/approval.js.map +1 -0
package/dist/esm/attestation.js +83 -0
package/dist/esm/attestation.js.map +1 -0
package/dist/esm/budget.js +105 -0
package/dist/esm/budget.js.map +1 -0
package/dist/esm/credentials.js +11 -0
package/dist/esm/credentials.js.map +1 -0
package/dist/esm/decision.js +27 -0
package/dist/esm/decision.js.map +1 -0
package/dist/esm/federation.js +50 -0
package/dist/esm/federation.js.map +1 -0
package/dist/esm/index.js +26 -0
package/dist/esm/index.js.map +1 -0
package/dist/esm/providers.js +92 -0
package/dist/esm/providers.js.map +1 -0
package/dist/esm/react/index.js +2 -0
package/dist/esm/react/index.js.map +1 -0
package/dist/esm/react/useAgentIdentity.js +100 -0
package/dist/esm/react/useAgentIdentity.js.map +1 -0
package/dist/esm/rotation.js +123 -0
package/dist/esm/rotation.js.map +1 -0
package/dist/esm/router.js +208 -0
package/dist/esm/router.js.map +1 -0
package/dist/esm/schemas.js +124 -0
package/dist/esm/schemas.js.map +1 -0
package/dist/esm/types.js +3 -0
package/dist/esm/types.js.map +1 -0
package/dist/types/approval.d.ts +48 -0
package/dist/types/approval.d.ts.map +1 -0
package/dist/types/attestation.d.ts +36 -0
package/dist/types/attestation.d.ts.map +1 -0
package/dist/types/budget.d.ts +38 -0
package/dist/types/budget.d.ts.map +1 -0
package/dist/types/credentials.d.ts +4 -0
package/dist/types/credentials.d.ts.map +1 -0
package/dist/types/decision.d.ts +3 -0
package/dist/types/decision.d.ts.map +1 -0
package/dist/types/federation.d.ts +23 -0
package/dist/types/federation.d.ts.map +1 -0
package/dist/types/index.d.ts +26 -0
package/dist/types/index.d.ts.map +1 -0
package/dist/types/providers.d.ts +13 -0
package/dist/types/providers.d.ts.map +1 -0
package/dist/types/react/index.d.ts +3 -0
package/dist/types/react/index.d.ts.map +1 -0
package/dist/types/react/useAgentIdentity.d.ts +58 -0
package/dist/types/react/useAgentIdentity.d.ts.map +1 -0
package/dist/types/rotation.d.ts +51 -0
package/dist/types/rotation.d.ts.map +1 -0
package/dist/types/router.d.ts +48 -0
package/dist/types/router.d.ts.map +1 -0
package/dist/types/schemas.d.ts +434 -0
package/dist/types/schemas.d.ts.map +1 -0
package/dist/types/types.d.ts +263 -0
package/dist/types/types.d.ts.map +1 -0
package/package.json +59 -0

package/dist/types/schemas.d.ts ADDED Viewed

@@ -0,0 +1,434 @@
+/**
+ * @datacules/agent-identity/schemas
+ *
+ * Zod schemas mirroring every public type. Three uses simultaneously:
+ *   1. Runtime validation in route handlers (replaces manual field loops)
+ *   2. TypeScript type inference via z.infer<>
+ *   3. JSON Schema / OpenAPI generation via zod-to-json-schema
+ *
+ * Since zod is already in dependencies, this costs nothing to ship.
+ */
+import { z } from 'zod';
+export declare const SupportedProviderSchema: z.ZodEnum<["openai", "anthropic", "gemini", "mistral", "local"]>;
+export declare const ResourceKindSchema: z.ZodEnum<["shared", "personal"]>;
+export declare const CredentialKindSchema: z.ZodEnum<["fixed", "user-delegated"]>;
+export declare const CredentialStatusSchema: z.ZodEnum<["active", "pending", "revoked"]>;
+export declare const MigrationPhaseSchema: z.ZodEnum<["dry-run", "extract", "transform", "load", "verify", "rollback"]>;
+export declare const ApproverKindSchema: z.ZodEnum<["webhook", "email", "slack"]>;
+export declare const RotationPolicySchema: z.ZodObject<{
+    rotateAfterDays: z.ZodOptional<z.ZodNumber>;
+    rotateAfterUses: z.ZodOptional<z.ZodNumber>;
+    gracePeriodSeconds: z.ZodOptional<z.ZodNumber>;
+    notifyBeforeDays: z.ZodOptional<z.ZodNumber>;
+    provisioner: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    provisioner?: string | undefined;
+    rotateAfterDays?: number | undefined;
+    rotateAfterUses?: number | undefined;
+    gracePeriodSeconds?: number | undefined;
+    notifyBeforeDays?: number | undefined;
+}, {
+    provisioner?: string | undefined;
+    rotateAfterDays?: number | undefined;
+    rotateAfterUses?: number | undefined;
+    gracePeriodSeconds?: number | undefined;
+    notifyBeforeDays?: number | undefined;
+}>;
+export declare const BudgetPolicySchema: z.ZodObject<{
+    maxResolutionsPerHour: z.ZodOptional<z.ZodNumber>;
+    maxConcurrentSessions: z.ZodOptional<z.ZodNumber>;
+    maxDailySpendUsd: z.ZodOptional<z.ZodNumber>;
+    softThresholdPercent: z.ZodOptional<z.ZodNumber>;
+    resetSchedule: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    maxResolutionsPerHour?: number | undefined;
+    maxConcurrentSessions?: number | undefined;
+    maxDailySpendUsd?: number | undefined;
+    softThresholdPercent?: number | undefined;
+    resetSchedule?: string | undefined;
+}, {
+    maxResolutionsPerHour?: number | undefined;
+    maxConcurrentSessions?: number | undefined;
+    maxDailySpendUsd?: number | undefined;
+    softThresholdPercent?: number | undefined;
+    resetSchedule?: string | undefined;
+}>;
+export declare const ApproverSchema: z.ZodObject<{
+    kind: z.ZodEnum<["webhook", "email", "slack"]>;
+    target: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    kind: "webhook" | "email" | "slack";
+    target: string;
+}, {
+    kind: "webhook" | "email" | "slack";
+    target: string;
+}>;
+export declare const ApprovalPolicySchema: z.ZodObject<{
+    requiredApprovers: z.ZodNumber;
+    approvers: z.ZodArray<z.ZodObject<{
+        kind: z.ZodEnum<["webhook", "email", "slack"]>;
+        target: z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        kind: "webhook" | "email" | "slack";
+        target: string;
+    }, {
+        kind: "webhook" | "email" | "slack";
+        target: string;
+    }>, "many">;
+    timeoutSeconds: z.ZodOptional<z.ZodNumber>;
+    breakGlass: z.ZodOptional<z.ZodObject<{
+        approver: z.ZodString;
+        requireJustification: z.ZodOptional<z.ZodBoolean>;
+    }, "strip", z.ZodTypeAny, {
+        approver: string;
+        requireJustification?: boolean | undefined;
+    }, {
+        approver: string;
+        requireJustification?: boolean | undefined;
+    }>>;
+}, "strip", z.ZodTypeAny, {
+    requiredApprovers: number;
+    approvers: {
+        kind: "webhook" | "email" | "slack";
+        target: string;
+    }[];
+    timeoutSeconds?: number | undefined;
+    breakGlass?: {
+        approver: string;
+        requireJustification?: boolean | undefined;
+    } | undefined;
+}, {
+    requiredApprovers: number;
+    approvers: {
+        kind: "webhook" | "email" | "slack";
+        target: string;
+    }[];
+    timeoutSeconds?: number | undefined;
+    breakGlass?: {
+        approver: string;
+        requireJustification?: boolean | undefined;
+    } | undefined;
+}>;
+export declare const CredentialSchema: z.ZodObject<{
+    id: z.ZodString;
+    kind: z.ZodEnum<["fixed", "user-delegated"]>;
+    name: z.ZodString;
+    scope: z.ZodString;
+    status: z.ZodEnum<["active", "pending", "revoked"]>;
+    provider: z.ZodOptional<z.ZodString>;
+    ref: z.ZodString;
+    expiresAt: z.ZodOptional<z.ZodString>;
+    lastRotated: z.ZodOptional<z.ZodString>;
+    refreshTokenRef: z.ZodOptional<z.ZodString>;
+    rotationIntervalDays: z.ZodOptional<z.ZodNumber>;
+    rotation: z.ZodOptional<z.ZodObject<{
+        rotateAfterDays: z.ZodOptional<z.ZodNumber>;
+        rotateAfterUses: z.ZodOptional<z.ZodNumber>;
+        gracePeriodSeconds: z.ZodOptional<z.ZodNumber>;
+        notifyBeforeDays: z.ZodOptional<z.ZodNumber>;
+        provisioner: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        provisioner?: string | undefined;
+        rotateAfterDays?: number | undefined;
+        rotateAfterUses?: number | undefined;
+        gracePeriodSeconds?: number | undefined;
+        notifyBeforeDays?: number | undefined;
+    }, {
+        provisioner?: string | undefined;
+        rotateAfterDays?: number | undefined;
+        rotateAfterUses?: number | undefined;
+        gracePeriodSeconds?: number | undefined;
+        notifyBeforeDays?: number | undefined;
+    }>>;
+    budget: z.ZodOptional<z.ZodObject<{
+        maxResolutionsPerHour: z.ZodOptional<z.ZodNumber>;
+        maxConcurrentSessions: z.ZodOptional<z.ZodNumber>;
+        maxDailySpendUsd: z.ZodOptional<z.ZodNumber>;
+        softThresholdPercent: z.ZodOptional<z.ZodNumber>;
+        resetSchedule: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        maxResolutionsPerHour?: number | undefined;
+        maxConcurrentSessions?: number | undefined;
+        maxDailySpendUsd?: number | undefined;
+        softThresholdPercent?: number | undefined;
+        resetSchedule?: string | undefined;
+    }, {
+        maxResolutionsPerHour?: number | undefined;
+        maxConcurrentSessions?: number | undefined;
+        maxDailySpendUsd?: number | undefined;
+        softThresholdPercent?: number | undefined;
+        resetSchedule?: string | undefined;
+    }>>;
+    tags: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+}, "strip", z.ZodTypeAny, {
+    status: "active" | "pending" | "revoked";
+    name: string;
+    kind: "user-delegated" | "fixed";
+    id: string;
+    scope: string;
+    ref: string;
+    expiresAt?: string | undefined;
+    provider?: string | undefined;
+    lastRotated?: string | undefined;
+    refreshTokenRef?: string | undefined;
+    rotationIntervalDays?: number | undefined;
+    rotation?: {
+        provisioner?: string | undefined;
+        rotateAfterDays?: number | undefined;
+        rotateAfterUses?: number | undefined;
+        gracePeriodSeconds?: number | undefined;
+        notifyBeforeDays?: number | undefined;
+    } | undefined;
+    budget?: {
+        maxResolutionsPerHour?: number | undefined;
+        maxConcurrentSessions?: number | undefined;
+        maxDailySpendUsd?: number | undefined;
+        softThresholdPercent?: number | undefined;
+        resetSchedule?: string | undefined;
+    } | undefined;
+    tags?: string[] | undefined;
+}, {
+    status: "active" | "pending" | "revoked";
+    name: string;
+    kind: "user-delegated" | "fixed";
+    id: string;
+    scope: string;
+    ref: string;
+    expiresAt?: string | undefined;
+    provider?: string | undefined;
+    lastRotated?: string | undefined;
+    refreshTokenRef?: string | undefined;
+    rotationIntervalDays?: number | undefined;
+    rotation?: {
+        provisioner?: string | undefined;
+        rotateAfterDays?: number | undefined;
+        rotateAfterUses?: number | undefined;
+        gracePeriodSeconds?: number | undefined;
+        notifyBeforeDays?: number | undefined;
+    } | undefined;
+    budget?: {
+        maxResolutionsPerHour?: number | undefined;
+        maxConcurrentSessions?: number | undefined;
+        maxDailySpendUsd?: number | undefined;
+        softThresholdPercent?: number | undefined;
+        resetSchedule?: string | undefined;
+    } | undefined;
+    tags?: string[] | undefined;
+}>;
+export declare const RoutingRuleSchema: z.ZodObject<{
+    id: z.ZodString;
+    description: z.ZodString;
+    credentialRef: z.ZodString;
+    credentialKind: z.ZodEnum<["fixed", "user-delegated"]>;
+    priority: z.ZodNumber;
+    matchResourceKind: z.ZodOptional<z.ZodEnum<["shared", "personal"]>>;
+    matchAction: z.ZodOptional<z.ZodUnion<[z.ZodString, z.ZodArray<z.ZodString, "many">]>>;
+    matchProvider: z.ZodOptional<z.ZodEnum<["openai", "anthropic", "gemini", "mistral", "local"]>>;
+    matchUserId: z.ZodOptional<z.ZodString>;
+    matchPhase: z.ZodOptional<z.ZodUnion<[z.ZodEnum<["dry-run", "extract", "transform", "load", "verify", "rollback"]>, z.ZodArray<z.ZodEnum<["dry-run", "extract", "transform", "load", "verify", "rollback"]>, "many">]>>;
+    matchSpiffeId: z.ZodOptional<z.ZodString>;
+    readOnly: z.ZodOptional<z.ZodBoolean>;
+    canaryRef: z.ZodOptional<z.ZodString>;
+    canaryWeight: z.ZodOptional<z.ZodNumber>;
+    approval: z.ZodOptional<z.ZodObject<{
+        requiredApprovers: z.ZodNumber;
+        approvers: z.ZodArray<z.ZodObject<{
+            kind: z.ZodEnum<["webhook", "email", "slack"]>;
+            target: z.ZodString;
+        }, "strip", z.ZodTypeAny, {
+            kind: "webhook" | "email" | "slack";
+            target: string;
+        }, {
+            kind: "webhook" | "email" | "slack";
+            target: string;
+        }>, "many">;
+        timeoutSeconds: z.ZodOptional<z.ZodNumber>;
+        breakGlass: z.ZodOptional<z.ZodObject<{
+            approver: z.ZodString;
+            requireJustification: z.ZodOptional<z.ZodBoolean>;
+        }, "strip", z.ZodTypeAny, {
+            approver: string;
+            requireJustification?: boolean | undefined;
+        }, {
+            approver: string;
+            requireJustification?: boolean | undefined;
+        }>>;
+    }, "strip", z.ZodTypeAny, {
+        requiredApprovers: number;
+        approvers: {
+            kind: "webhook" | "email" | "slack";
+            target: string;
+        }[];
+        timeoutSeconds?: number | undefined;
+        breakGlass?: {
+            approver: string;
+            requireJustification?: boolean | undefined;
+        } | undefined;
+    }, {
+        requiredApprovers: number;
+        approvers: {
+            kind: "webhook" | "email" | "slack";
+            target: string;
+        }[];
+        timeoutSeconds?: number | undefined;
+        breakGlass?: {
+            approver: string;
+            requireJustification?: boolean | undefined;
+        } | undefined;
+    }>>;
+}, "strip", z.ZodTypeAny, {
+    id: string;
+    description: string;
+    credentialRef: string;
+    credentialKind: "user-delegated" | "fixed";
+    priority: number;
+    matchResourceKind?: "shared" | "personal" | undefined;
+    matchAction?: string | string[] | undefined;
+    matchProvider?: "openai" | "anthropic" | "gemini" | "mistral" | "local" | undefined;
+    matchUserId?: string | undefined;
+    matchPhase?: "dry-run" | "extract" | "transform" | "load" | "verify" | "rollback" | ("dry-run" | "extract" | "transform" | "load" | "verify" | "rollback")[] | undefined;
+    matchSpiffeId?: string | undefined;
+    readOnly?: boolean | undefined;
+    canaryRef?: string | undefined;
+    canaryWeight?: number | undefined;
+    approval?: {
+        requiredApprovers: number;
+        approvers: {
+            kind: "webhook" | "email" | "slack";
+            target: string;
+        }[];
+        timeoutSeconds?: number | undefined;
+        breakGlass?: {
+            approver: string;
+            requireJustification?: boolean | undefined;
+        } | undefined;
+    } | undefined;
+}, {
+    id: string;
+    description: string;
+    credentialRef: string;
+    credentialKind: "user-delegated" | "fixed";
+    priority: number;
+    matchResourceKind?: "shared" | "personal" | undefined;
+    matchAction?: string | string[] | undefined;
+    matchProvider?: "openai" | "anthropic" | "gemini" | "mistral" | "local" | undefined;
+    matchUserId?: string | undefined;
+    matchPhase?: "dry-run" | "extract" | "transform" | "load" | "verify" | "rollback" | ("dry-run" | "extract" | "transform" | "load" | "verify" | "rollback")[] | undefined;
+    matchSpiffeId?: string | undefined;
+    readOnly?: boolean | undefined;
+    canaryRef?: string | undefined;
+    canaryWeight?: number | undefined;
+    approval?: {
+        requiredApprovers: number;
+        approvers: {
+            kind: "webhook" | "email" | "slack";
+            target: string;
+        }[];
+        timeoutSeconds?: number | undefined;
+        breakGlass?: {
+            approver: string;
+            requireJustification?: boolean | undefined;
+        } | undefined;
+    } | undefined;
+}>;
+export declare const AgentRequestContextSchema: z.ZodObject<{
+    userId: z.ZodString;
+    resourceId: z.ZodString;
+    resourceKind: z.ZodEnum<["shared", "personal"]>;
+    provider: z.ZodEnum<["openai", "anthropic", "gemini", "mistral", "local"]>;
+    model: z.ZodString;
+    action: z.ZodString;
+    traceId: z.ZodString;
+    sessionId: z.ZodOptional<z.ZodString>;
+    requestedAt: z.ZodString;
+    parentTraceId: z.ZodOptional<z.ZodString>;
+    spiffeId: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    model: string;
+    provider: "openai" | "anthropic" | "gemini" | "mistral" | "local";
+    userId: string;
+    resourceId: string;
+    resourceKind: "shared" | "personal";
+    action: string;
+    traceId: string;
+    requestedAt: string;
+    sessionId?: string | undefined;
+    parentTraceId?: string | undefined;
+    spiffeId?: string | undefined;
+}, {
+    model: string;
+    provider: "openai" | "anthropic" | "gemini" | "mistral" | "local";
+    userId: string;
+    resourceId: string;
+    resourceKind: "shared" | "personal";
+    action: string;
+    traceId: string;
+    requestedAt: string;
+    sessionId?: string | undefined;
+    parentTraceId?: string | undefined;
+    spiffeId?: string | undefined;
+}>;
+export declare const MigrationContextSchema: z.ZodObject<{
+    userId: z.ZodString;
+    resourceId: z.ZodString;
+    resourceKind: z.ZodEnum<["shared", "personal"]>;
+    provider: z.ZodEnum<["openai", "anthropic", "gemini", "mistral", "local"]>;
+    model: z.ZodString;
+    action: z.ZodString;
+    traceId: z.ZodString;
+    sessionId: z.ZodOptional<z.ZodString>;
+    requestedAt: z.ZodString;
+    parentTraceId: z.ZodOptional<z.ZodString>;
+    spiffeId: z.ZodOptional<z.ZodString>;
+} & {
+    migrationId: z.ZodString;
+    phase: z.ZodEnum<["dry-run", "extract", "transform", "load", "verify", "rollback"]>;
+    sourceResourceId: z.ZodString;
+    targetResourceId: z.ZodString;
+    dryRun: z.ZodBoolean;
+    batchIndex: z.ZodOptional<z.ZodNumber>;
+    totalBatches: z.ZodOptional<z.ZodNumber>;
+}, "strip", z.ZodTypeAny, {
+    migrationId: string;
+    model: string;
+    provider: "openai" | "anthropic" | "gemini" | "mistral" | "local";
+    userId: string;
+    resourceId: string;
+    resourceKind: "shared" | "personal";
+    action: string;
+    traceId: string;
+    requestedAt: string;
+    phase: "dry-run" | "extract" | "transform" | "load" | "verify" | "rollback";
+    sourceResourceId: string;
+    targetResourceId: string;
+    dryRun: boolean;
+    sessionId?: string | undefined;
+    parentTraceId?: string | undefined;
+    spiffeId?: string | undefined;
+    batchIndex?: number | undefined;
+    totalBatches?: number | undefined;
+}, {
+    migrationId: string;
+    model: string;
+    provider: "openai" | "anthropic" | "gemini" | "mistral" | "local";
+    userId: string;
+    resourceId: string;
+    resourceKind: "shared" | "personal";
+    action: string;
+    traceId: string;
+    requestedAt: string;
+    phase: "dry-run" | "extract" | "transform" | "load" | "verify" | "rollback";
+    sourceResourceId: string;
+    targetResourceId: string;
+    dryRun: boolean;
+    sessionId?: string | undefined;
+    parentTraceId?: string | undefined;
+    spiffeId?: string | undefined;
+    batchIndex?: number | undefined;
+    totalBatches?: number | undefined;
+}>;
+export type AgentRequestContextInput = z.infer<typeof AgentRequestContextSchema>;
+export type MigrationContextInput = z.infer<typeof MigrationContextSchema>;
+export type RoutingRuleInput = z.infer<typeof RoutingRuleSchema>;
+export type CredentialInput = z.infer<typeof CredentialSchema>;
+//# sourceMappingURL=schemas.d.ts.map

package/dist/types/schemas.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"schemas.d.ts","sourceRoot":"","sources":["../../src/schemas.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AACH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAIxB,eAAO,MAAM,uBAAuB,kEAMlC,CAAC;AAEH,eAAO,MAAM,kBAAkB,mCAAiC,CAAC;AAEjE,eAAO,MAAM,oBAAoB,wCAAsC,CAAC;AAExE,eAAO,MAAM,sBAAsB,6CAA2C,CAAC;AAE/E,eAAO,MAAM,oBAAoB,8EAO/B,CAAC;AAEH,eAAO,MAAM,kBAAkB,0CAAwC,CAAC;AAIxE,eAAO,MAAM,oBAAoB;;;;;;;;;;;;;;;;;;EAM/B,CAAC;AAIH,eAAO,MAAM,kBAAkB;;;;;;;;;;;;;;;;;;EAM7B,CAAC;AAIH,eAAO,MAAM,cAAc;;;;;;;;;EAGzB,CAAC;AAEH,eAAO,MAAM,oBAAoB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAU/B,CAAC;AAIH,eAAO,MAAM,gBAAgB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAe3B,CAAC;AAIH,eAAO,MAAM,iBAAiB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAkB5B,CAAC;AAIH,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAYpC,CAAC;AAEH,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAQjC,CAAC;AAKH,MAAM,MAAM,wBAAwB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AACjF,MAAM,MAAM,qBAAqB,GAAM,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAC9E,MAAM,MAAM,gBAAgB,GAAW,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AACzE,MAAM,MAAM,eAAe,GAAY,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC"}

package/dist/types/types.d.ts ADDED Viewed

@@ -0,0 +1,263 @@
+export type IdentityType = 'user-delegated' | 'fixed-service' | 'hybrid' | 'agent-as-service';
+export interface Identity {
+    id: string;
+    type: IdentityType;
+    name: string;
+    description: string;
+    tags: string[];
+}
+export type AuthPatternType = 'individual-user-auth' | 'fixed-credential' | 'context-switched' | 'token-exchange';
+export interface AuthPattern {
+    id: AuthPatternType;
+    name: string;
+    description: string;
+    badgeLabel: string;
+    recommended?: boolean;
+    flowNodes: FlowNode[];
+}
+export interface FlowNode {
+    label: string;
+    sublabel: string;
+    variant: 'default' | 'blue' | 'red' | 'green' | 'amber';
+}
+export interface RotationPolicy {
+    rotateAfterDays?: number;
+    rotateAfterUses?: number;
+    gracePeriodSeconds?: number;
+    notifyBeforeDays?: number;
+    /** Matches a registered RotationProvider.id */
+    provisioner?: string;
+}
+export interface BudgetPolicy {
+    maxResolutionsPerHour?: number;
+    maxConcurrentSessions?: number;
+    maxDailySpendUsd?: number;
+    /** Percentage of any limit at which to emit a budget_warning event (default: 80) */
+    softThresholdPercent?: number;
+    /** Cron expression for reset schedule (default: daily midnight UTC) */
+    resetSchedule?: string;
+}
+export type CredentialKind = 'fixed' | 'user-delegated';
+export type CredentialStatus = 'active' | 'pending' | 'revoked';
+export interface Credential {
+    id: string;
+    kind: CredentialKind;
+    name: string;
+    scope: string;
+    status: CredentialStatus;
+    provider?: string;
+    /** Never the raw secret — a reference/slot identifier */
+    ref: string;
+    /** ISO 8601 — undefined means does not expire */
+    expiresAt?: string;
+    lastRotated?: string;
+    refreshTokenRef?: string;
+    rotationIntervalDays?: number;
+    /** Automated rotation policy — undefined means manual rotation only */
+    rotation?: RotationPolicy;
+    /** Usage budget enforcement policy */
+    budget?: BudgetPolicy;
+    /** Arbitrary tags e.g. ['pii', 'financial', 'prod'] — used by compliance reports */
+    tags?: string[];
+}
+export type ApproverKind = 'webhook' | 'email' | 'slack';
+export interface Approver {
+    kind: ApproverKind;
+    /** Webhook URL, email address, or Slack channel ID */
+    target: string;
+}
+export interface ApprovalPolicy {
+    requiredApprovers: number;
+    approvers: Approver[];
+    /** Seconds before auto-reject (default: 300) */
+    timeoutSeconds?: number;
+    breakGlass?: {
+        /** User ID of the emergency approver */
+        approver: string;
+        /** Whether to require a written justification */
+        requireJustification?: boolean;
+    };
+}
+export type ResourceKind = 'shared' | 'personal';
+export interface RoutingRule {
+    id: string;
+    description: string;
+    credentialRef: string;
+    credentialKind: CredentialKind;
+    priority: number;
+    matchResourceKind?: ResourceKind;
+    matchAction?: string | string[];
+    matchProvider?: SupportedProvider;
+    matchUserId?: string;
+    matchPhase?: MigrationPhase | MigrationPhase[];
+    matchSpiffeId?: string;
+    readOnly?: boolean;
+    /** Secondary credential ref receiving canaryWeight % of traffic */
+    canaryRef?: string;
+    /** 0–100 — percentage of traffic routed to canaryRef (default: 0) */
+    canaryWeight?: number;
+    /** Approval required before credential resolves */
+    approval?: ApprovalPolicy;
+}
+export interface AgentRequestContext {
+    userId: string;
+    resourceId: string;
+    resourceKind: ResourceKind;
+    provider: SupportedProvider;
+    model: string;
+    action: string;
+    traceId: string;
+    sessionId?: string;
+    requestedAt: string;
+    parentTraceId?: string;
+    /** SPIFFE SVID of the calling workload (set by SpiffeCredentialStore) */
+    spiffeId?: string;
+}
+export interface ResolvedCredential {
+    credentialId: string;
+    kind: CredentialKind;
+    ref: string;
+    resolvedFor: string;
+    /** ISO 8601 expiry of this resolved credential */
+    expiresAt?: string;
+    /** Signed JWT attestation — present when AttestationSigner is configured */
+    credentialAttestation?: string;
+    /** True when this resolution was routed to the canary ref */
+    isCanary?: boolean;
+}
+export type MigrationPhase = 'dry-run' | 'extract' | 'transform' | 'load' | 'verify' | 'rollback';
+export interface MigrationContext extends AgentRequestContext {
+    migrationId: string;
+    phase: MigrationPhase;
+    sourceResourceId: string;
+    targetResourceId: string;
+    batchIndex?: number;
+    totalBatches?: number;
+    dryRun: boolean;
+}
+export interface ResolvedCredentialPair {
+    source: ResolvedCredential;
+    target: ResolvedCredential;
+    migrationId: string;
+    expiresAt?: string;
+}
+export type SupportedProvider = 'openai' | 'anthropic' | 'gemini' | 'mistral' | 'local';
+export interface ProviderAdapter {
+    id: SupportedProvider;
+    label: string;
+    injectCredential(request: Record<string, unknown>, credential: ResolvedCredential): Record<string, unknown>;
+    validate?(request: Record<string, unknown>): void;
+    validateForMigration?(credential: ResolvedCredential, phase: MigrationPhase): void;
+}
+export interface CredentialStore {
+    findByRef(ref: string): Promise<Credential | null>;
+    listActive(): Promise<Credential[]>;
+    listByKind(kind: CredentialKind): Promise<Credential[]>;
+    reserve?(ref: string, migrationId: string, ttlSeconds: number): Promise<boolean>;
+    release?(ref: string, migrationId: string): Promise<void>;
+}
+export interface AuditLogEntry {
+    timestamp: string;
+    traceId: string;
+    userId: string;
+    action: string;
+    resourceId: string;
+    resourceKind: ResourceKind;
+    provider: SupportedProvider;
+    model: string;
+    credentialId: string;
+    credentialKind: CredentialKind;
+    resolvedFor: string;
+    /** True when this entry was routed via canary */
+    isCanary?: boolean;
+    /** Identity chain for federated agent calls */
+    identityChain?: IdentityChainEntry[];
+    /** SPIFFE ID of the calling workload */
+    spiffeId?: string;
+}
+export interface MigrationAuditLogEntry extends AuditLogEntry {
+    migrationId: string;
+    phase: MigrationPhase;
+    rowsRead?: number;
+    rowsWritten?: number;
+    rowsFailed?: number;
+    dryRun: boolean;
+    sourceCredentialId: string;
+    targetCredentialId: string;
+    errorSummary?: string;
+}
+export interface AuditLogger {
+    log(entry: AuditLogEntry): Promise<void>;
+}
+export interface MigrationAuditLogger extends AuditLogger {
+    summarize(migrationId: string): Promise<MigrationSummary>;
+}
+export interface MigrationSummary {
+    migrationId: string;
+    phases: MigrationPhase[];
+    totalRowsRead: number;
+    totalRowsWritten: number;
+    totalRowsFailed: number;
+    startedAt: string;
+    completedAt?: string;
+    errors: string[];
+}
+export interface DecisionAnswers {
+    variableAccess: boolean | null;
+    mixedResources: boolean | null;
+    auditRequired: boolean | null;
+    longTermTokenStorage: boolean | null;
+}
+export interface DecisionResult {
+    pattern: AuthPatternType;
+    label: string;
+    explanation: string;
+}
+export interface AttestationSigner {
+    /** Sign a payload and return a compact JWT string */
+    sign(payload: Record<string, unknown>): Promise<string>;
+    /** Verify a compact JWT string; returns the payload or null if invalid */
+    verify(token: string): Promise<Record<string, unknown> | null>;
+}
+export interface AttestationPayload {
+    iss: string;
+    sub: string;
+    credentialId: string;
+    resolvedFor: string;
+    action: string;
+    resourceId: string;
+    traceId: string;
+    ruleId?: string;
+    iat: number;
+    exp: number;
+}
+export type ApprovalStatus = 'pending' | 'approved' | 'rejected' | 'timeout' | 'break_glass';
+export interface ApprovalRequest {
+    requestId: string;
+    credentialId: string;
+    ruleId: string;
+    context: AgentRequestContext;
+    status: ApprovalStatus;
+    requestedAt: string;
+    resolvedAt?: string;
+    resolvedBy?: string;
+    justification?: string;
+    expiresAt: string;
+}
+export interface IdentityChainEntry {
+    /** Trust domain e.g. 'acme.com' */
+    org: string;
+    userId: string;
+    agentId: string;
+    /** ISO 8601 timestamp when this entry was issued */
+    issuedAt: string;
+    /** Ed25519 signature over the canonical entry JSON */
+    signature: string;
+}
+export interface FederationConfig {
+    /** The local org's trust domain */
+    trustDomain: string;
+    /** Map of trustDomain → base64 public key for verification */
+    trustedDomains: Record<string, string>;
+}
+//# sourceMappingURL=types.d.ts.map