@devtrack-solution/codesdd 1.2.2 → 1.2.4-rc3

package/dist/core/sdd/deepagents/model-provider.js

@@ -0,0 +1,379 @@
+const OPENAI_COMPATIBLE_ENDPOINT_ENVS = [
+    'OPENAI_COMPATIBLE_BASE_URL',
+    'OPENAI_BASE_URL',
+    'SERVICE_URL_TWO',
+    'SERVICE_URL_ONE',
+];
+export const DEEPAGENTS_MODEL_PROVIDER_PROFILES = [
+    {
+        provider: 'openai',
+        aliases: ['openai'],
+        credentialEnvCandidates: ['OPENAI_API_KEY'],
+        endpointEnvCandidates: ['OPENAI_BASE_URL'],
+        defaultDomains: ['api.openai.com'],
+        materialization: 'pass-through',
+        endpointRequired: false,
+    },
+    {
+        provider: 'anthropic',
+        aliases: ['anthropic'],
+        credentialEnvCandidates: ['ANTHROPIC_API_KEY'],
+        endpointEnvCandidates: [],
+        defaultDomains: ['api.anthropic.com'],
+        materialization: 'pass-through',
+        endpointRequired: false,
+    },
+    {
+        provider: 'google',
+        aliases: ['google'],
+        credentialEnvCandidates: ['GOOGLE_API_KEY'],
+        endpointEnvCandidates: [],
+        defaultDomains: ['generativelanguage.googleapis.com'],
+        materialization: 'pass-through',
+        endpointRequired: false,
+    },
+    {
+        provider: 'google-genai',
+        aliases: ['google-genai'],
+        credentialEnvCandidates: ['GOOGLE_API_KEY'],
+        endpointEnvCandidates: [],
+        defaultDomains: ['generativelanguage.googleapis.com'],
+        materialization: 'pass-through',
+        endpointRequired: false,
+    },
+    {
+        provider: 'openrouter',
+        aliases: ['openrouter'],
+        credentialEnvCandidates: ['OPENROUTER_API_KEY'],
+        endpointEnvCandidates: ['OPENROUTER_BASE_URL'],
+        defaultDomains: ['openrouter.ai'],
+        defaultBaseUrl: 'https://openrouter.ai/api/v1',
+        materialization: 'pass-through',
+        endpointRequired: false,
+    },
+    {
+        provider: 'fireworks',
+        aliases: ['fireworks'],
+        credentialEnvCandidates: ['FIREWORKS_API_KEY'],
+        endpointEnvCandidates: ['FIREWORKS_BASE_URL'],
+        defaultDomains: ['api.fireworks.ai'],
+        materialization: 'pass-through',
+        endpointRequired: false,
+    },
+    {
+        provider: 'baseten',
+        aliases: ['baseten', 'base-ten'],
+        credentialEnvCandidates: ['BASETEN_API_KEY'],
+        endpointEnvCandidates: ['BASETEN_BASE_URL'],
+        defaultDomains: ['api.baseten.co'],
+        materialization: 'pass-through',
+        endpointRequired: false,
+    },
+    {
+        provider: 'azure-openai',
+        aliases: ['azure', 'azure-openai', 'azure_openai'],
+        credentialEnvCandidates: ['AZURE_OPENAI_API_KEY', 'API_KEY'],
+        endpointEnvCandidates: [
+            'AZURE_OPENAI_ENDPOINT',
+            'AZURE_OPENAI_BASE_PATH',
+            'AZURE_OPENAI_API_INSTANCE_NAME',
+            'SERVICE_URL_TWO',
+            'SERVICE_URL_ONE',
+        ],
+        defaultDomains: ['openai.azure.com', 'api.cognitive.microsoft.com'],
+        materialization: 'azure-openai',
+        endpointRequired: true,
+    },
+    {
+        provider: 'azure-ai',
+        aliases: ['azure-ai', 'azure-ai-foundry', 'azure-inference'],
+        credentialEnvCandidates: ['AZURE_AI_API_KEY', 'AZURE_INFERENCE_API_KEY', 'API_KEY'],
+        endpointEnvCandidates: ['AZURE_AI_INFERENCE_ENDPOINT', 'AZURE_AI_ENDPOINT', 'SERVICE_URL_ONE'],
+        defaultDomains: ['services.ai.azure.com', 'models.inference.ai.azure.com'],
+        materialization: 'openai-compatible',
+        endpointRequired: true,
+    },
+    {
+        provider: 'openai-compatible',
+        aliases: ['openai-compatible', 'compatible', 'custom-openai'],
+        credentialEnvCandidates: ['OPENAI_COMPATIBLE_API_KEY', 'API_KEY'],
+        endpointEnvCandidates: OPENAI_COMPATIBLE_ENDPOINT_ENVS,
+        defaultDomains: [],
+        materialization: 'openai-compatible',
+        endpointRequired: true,
+    },
+    {
+        provider: 'xai',
+        aliases: ['xai'],
+        credentialEnvCandidates: ['XAI_API_KEY', 'GROK_API_KEY'],
+        endpointEnvCandidates: ['XAI_BASE_URL', 'GROK_BASE_URL'],
+        defaultDomains: ['api.x.ai'],
+        defaultBaseUrl: 'https://api.x.ai/v1',
+        materialization: 'openai-compatible',
+        endpointRequired: false,
+    },
+    {
+        provider: 'grok',
+        aliases: ['grok'],
+        credentialEnvCandidates: ['GROK_API_KEY', 'XAI_API_KEY'],
+        endpointEnvCandidates: ['GROK_BASE_URL', 'XAI_BASE_URL'],
+        defaultDomains: ['api.x.ai'],
+        defaultBaseUrl: 'https://api.x.ai/v1',
+        materialization: 'openai-compatible',
+        endpointRequired: false,
+    },
+    {
+        provider: 'moonshot',
+        aliases: ['moonshot'],
+        credentialEnvCandidates: ['MOONSHOT_API_KEY', 'KIMI_API_KEY'],
+        endpointEnvCandidates: ['MOONSHOT_BASE_URL', 'KIMI_BASE_URL'],
+        defaultDomains: ['api.moonshot.ai'],
+        defaultBaseUrl: 'https://api.moonshot.ai/v1',
+        materialization: 'openai-compatible',
+        endpointRequired: false,
+    },
+    {
+        provider: 'kimi',
+        aliases: ['kimi'],
+        credentialEnvCandidates: ['KIMI_API_KEY', 'MOONSHOT_API_KEY'],
+        endpointEnvCandidates: ['KIMI_BASE_URL', 'MOONSHOT_BASE_URL'],
+        defaultDomains: ['api.moonshot.ai'],
+        defaultBaseUrl: 'https://api.moonshot.ai/v1',
+        materialization: 'openai-compatible',
+        endpointRequired: false,
+    },
+    {
+        provider: 'cohere',
+        aliases: ['cohere', 'coyers'],
+        credentialEnvCandidates: ['COHERE_API_KEY'],
+        endpointEnvCandidates: ['COHERE_BASE_URL'],
+        defaultDomains: ['api.cohere.com'],
+        materialization: 'pass-through',
+        endpointRequired: false,
+    },
+];
+export function parseDeepAgentsModelRef(model) {
+    const raw = safeTrim(model);
+    if (!raw) {
+        return undefined;
+    }
+    const separatorIndex = raw.indexOf(':');
+    if (separatorIndex > 0) {
+        return {
+            raw,
+            provider: raw.slice(0, separatorIndex).trim().toLowerCase(),
+            model: raw.slice(separatorIndex + 1).trim(),
+        };
+    }
+    return {
+        raw,
+        provider: inferProviderForBareModel(raw),
+        model: raw,
+    };
+}
+export function resolveDeepAgentsModelProvider(model, env = process.env) {
+    const modelRef = parseDeepAgentsModelRef(model);
+    const profile = modelRef ? findDeepAgentsModelProviderProfile(modelRef.provider) : undefined;
+    const credential = resolveCredential(profile, env);
+    const endpoint = resolveEndpoint(profile, env);
+    const deploymentResolution = resolveAzureDeployment(profile, modelRef, env);
+    const reasons = [];
+    if (modelRef && !profile) {
+        reasons.push(`No launcher credential mapping is defined for model provider ${modelRef.provider}.`);
+    }
+    if (profile && !credential.credentialEnv) {
+        reasons.push(`No launcher credential mapping is defined for model provider ${profile.provider}.`);
+    }
+    if (credential.credentialEnv && !credential.credentialPresent) {
+        reasons.push(`${credential.credentialEnv} is required by model provider ${profile?.provider ?? modelRef?.provider}.`);
+    }
+    if (profile?.endpointRequired && !endpoint.endpointPresent) {
+        reasons.push(`${profile.provider} requires one of ${endpoint.candidates.join(', ')} to resolve an approved endpoint.`);
+    }
+    if (profile?.endpointRequired && endpoint.endpointPresent && !endpoint.endpointValid) {
+        reasons.push(`${endpoint.endpointEnv ?? 'configured endpoint'} must be a valid http(s) URL for provider ${profile.provider}.`);
+    }
+    if (deploymentResolution.conflict) {
+        reasons.push(`Azure deployment aliases conflict: ${deploymentResolution.conflict.leftEnv}=${deploymentResolution.conflict.leftValue} differs from ${deploymentResolution.conflict.rightEnv}=${deploymentResolution.conflict.rightValue}.`);
+    }
+    return {
+        modelRef,
+        profile,
+        credential,
+        endpoint,
+        deploymentName: deploymentResolution.deploymentName,
+        defaultDomains: resolveDefaultDomains(profile, endpoint),
+        reasons,
+    };
+}
+export function requiredCredentialEnvForModel(model, env = process.env) {
+    return resolveDeepAgentsModelProvider(model, env).credential.credentialEnv;
+}
+export function inferNetworkDomainsForModel(model, env = process.env) {
+    if (!model) {
+        return [];
+    }
+    return resolveDeepAgentsModelProvider(model, env).defaultDomains;
+}
+export async function materializeDeepAgentsModel(model, env = process.env, importer = importOpenAiRuntime) {
+    const resolution = resolveDeepAgentsModelProvider(model, env);
+    if (!resolution.modelRef || !resolution.profile) {
+        return model;
+    }
+    if (resolution.profile.materialization === 'pass-through') {
+        return resolution.modelRef.raw;
+    }
+    const credentialEnv = resolution.credential.credentialEnv;
+    const apiKey = credentialEnv ? safeTrim(env[credentialEnv]) : undefined;
+    if (!apiKey) {
+        return resolution.modelRef.raw;
+    }
+    const endpoint = resolveEndpointValue(resolution.profile, env);
+    const openAi = await importer();
+    if (resolution.profile.materialization === 'azure-openai' && endpoint && !isOpenAiV1Endpoint(endpoint)) {
+        return new openAi.AzureChatOpenAI({
+            model: resolution.modelRef.model,
+            azureOpenAIApiKey: apiKey,
+            azureOpenAIEndpoint: endpoint,
+            azureOpenAIApiDeploymentName: resolution.deploymentName ?? resolution.modelRef.model,
+            azureOpenAIApiVersion: safeTrim(env.AZURE_OPENAI_API_VERSION) ?? safeTrim(env.CODESDD_DEEPAGENTS_AZURE_API_VERSION) ?? '2024-10-21',
+        });
+    }
+    return new openAi.ChatOpenAI({
+        model: resolution.modelRef.model,
+        apiKey,
+        configuration: {
+            baseURL: endpoint ?? resolution.profile.defaultBaseUrl,
+        },
+    });
+}
+export function findDeepAgentsModelProviderProfile(provider) {
+    const normalized = provider.trim().toLowerCase();
+    return DEEPAGENTS_MODEL_PROVIDER_PROFILES.find((profile) => profile.provider === normalized || profile.aliases.includes(normalized));
+}
+function resolveCredential(profile, env) {
+    const override = safeTrim(env.CODESDD_DEEPAGENTS_CREDENTIAL_ENV);
+    const candidates = normalizeEnvNames([
+        ...(override ? [override] : []),
+        ...(profile?.credentialEnvCandidates ?? []),
+    ]);
+    const credentialEnv = candidates.find((candidate) => Boolean(safeTrim(env[candidate]))) ?? candidates[0];
+    return {
+        candidates,
+        credentialEnv,
+        credentialPresent: Boolean(credentialEnv && safeTrim(env[credentialEnv])),
+        overrideUsed: Boolean(override),
+    };
+}
+function resolveEndpoint(profile, env) {
+    const candidates = endpointCandidates(profile, env);
+    const endpointEnv = candidates.find((candidate) => Boolean(resolveEndpointValueForEnv(candidate, env)));
+    const endpointValue = endpointEnv ? resolveEndpointValueForEnv(endpointEnv, env) : undefined;
+    const endpointDomain = endpointValue ? domainFromEndpoint(endpointValue) : undefined;
+    return {
+        candidates,
+        endpointEnv,
+        endpointPresent: Boolean(endpointValue),
+        endpointValid: endpointValue ? isEndpointValueValid(endpointValue) : false,
+        endpointDomain,
+        endpointRequired: Boolean(profile?.endpointRequired),
+    };
+}
+function endpointCandidates(profile, env) {
+    const override = safeTrim(env.CODESDD_DEEPAGENTS_ENDPOINT_ENV);
+    return normalizeEnvNames([...(override ? [override] : []), ...(profile?.endpointEnvCandidates ?? [])]);
+}
+function resolveEndpointValue(profile, env) {
+    for (const candidate of endpointCandidates(profile, env)) {
+        const value = resolveEndpointValueForEnv(candidate, env);
+        if (value) {
+            return value;
+        }
+    }
+    return profile.defaultBaseUrl;
+}
+function resolveEndpointValueForEnv(envName, env) {
+    if (envName === 'AZURE_OPENAI_API_INSTANCE_NAME') {
+        const instanceName = safeTrim(env[envName]);
+        return instanceName ? `https://${instanceName}.openai.azure.com/` : undefined;
+    }
+    return safeTrim(env[envName]);
+}
+function resolveAzureDeployment(profile, modelRef, env) {
+    if (!profile || profile.provider !== 'azure-openai') {
+        return { deploymentName: modelRef?.model };
+    }
+    const canonical = safeTrim(env.AZURE_OPENAI_DEPLOYMENT_NAME);
+    const alias = safeTrim(env.AZURE_OPENAI_DEPLOYMENT);
+    const legacy = safeTrim(env.AZURE_OPENAI_API_DEPLOYMENT_NAME);
+    const deploymentName = canonical ?? alias ?? legacy ?? modelRef?.model;
+    if (canonical && alias && canonical !== alias) {
+        return {
+            deploymentName,
+            conflict: {
+                leftEnv: 'AZURE_OPENAI_DEPLOYMENT_NAME',
+                leftValue: canonical,
+                rightEnv: 'AZURE_OPENAI_DEPLOYMENT',
+                rightValue: alias,
+            },
+        };
+    }
+    return { deploymentName };
+}
+function resolveDefaultDomains(profile, endpoint) {
+    if (endpoint.endpointDomain) {
+        return [endpoint.endpointDomain];
+    }
+    return [...new Set(profile?.defaultDomains ?? [])].sort();
+}
+function inferProviderForBareModel(model) {
+    const normalized = model.trim().toLowerCase();
+    if (normalized.startsWith('gpt-') || normalized.startsWith('o1') || normalized.startsWith('o3')) {
+        return 'openai';
+    }
+    if (normalized.includes('claude')) {
+        return 'anthropic';
+    }
+    if (normalized.includes('kimi')) {
+        return 'kimi';
+    }
+    if (normalized.includes('grok')) {
+        return 'grok';
+    }
+    return 'openai';
+}
+function domainFromEndpoint(endpoint) {
+    try {
+        return new URL(endpoint).hostname.toLowerCase();
+    }
+    catch {
+        return endpoint
+            .replace(/^https?:\/\//u, '')
+            .replace(/\/.*$/u, '')
+            .trim()
+            .toLowerCase() || undefined;
+    }
+}
+function isOpenAiV1Endpoint(endpoint) {
+    return /\/openai\/v1\/?$/u.test(endpoint) || /\/v1\/?$/u.test(endpoint);
+}
+function isEndpointValueValid(endpoint) {
+    try {
+        const url = new URL(endpoint);
+        return url.protocol === 'http:' || url.protocol === 'https:';
+    }
+    catch {
+        return false;
+    }
+}
+function normalizeEnvNames(values) {
+    return [...new Set(values.map((value) => value.trim().toUpperCase()).filter(Boolean))];
+}
+function safeTrim(value) {
+    const trimmed = (value || '').trim();
+    return trimmed || undefined;
+}
+async function importOpenAiRuntime() {
+    return import('@langchain/openai');
+}
+//# sourceMappingURL=model-provider.js.map

package/dist/core/sdd/deepagents/policy-enforcement.d.ts

@@ -0,0 +1,30 @@
+import { type DeepAgentsAccessDecision, type DeepAgentsExecutionMode, type DeepAgentsTrustTier } from './backend.js';
+import { evaluateEnvPassThrough, evaluateNetworkAccess, type DeepAgentsOperation, type DeepAgentsPolicySnapshot } from './policy.js';
+export interface DeepAgentsRuntimePolicyRequest {
+    projectRoot?: string;
+    mode: DeepAgentsExecutionMode;
+    trustTier?: DeepAgentsTrustTier;
+    writeScope?: string[];
+    plannedWrites?: string[];
+    requestedEnv?: string[];
+    networkDomains?: string[];
+    operations?: DeepAgentsOperation[];
+    approvalGrants?: string[];
+    env?: NodeJS.ProcessEnv;
+}
+export interface DeepAgentsRuntimePolicyDecision {
+    status: 'allowed' | 'blocked';
+    fail_closed: true;
+    direct_state_write_allowed: false;
+    reasons: string[];
+    env: ReturnType<typeof evaluateEnvPassThrough>;
+    network: ReturnType<typeof evaluateNetworkAccess>;
+    writes: DeepAgentsAccessDecision[];
+    hitl: {
+        required_operations: DeepAgentsOperation[];
+        missing_approvals: DeepAgentsOperation[];
+        granted: string[];
+    };
+}
+export declare function evaluateDeepAgentsRuntimePolicyEnforcement(snapshot: DeepAgentsPolicySnapshot, request: DeepAgentsRuntimePolicyRequest): DeepAgentsRuntimePolicyDecision;
+//# sourceMappingURL=policy-enforcement.d.ts.map

package/dist/core/sdd/deepagents/policy-enforcement.js

@@ -0,0 +1,90 @@
+import { DeepAgentsSandboxBackend, InMemoryStateBackend, InMemoryStoreBackend, VirtualFilesystemBackend, } from './backend.js';
+import { evaluateEnvPassThrough, evaluateNetworkAccess, inferNetworkDomainsForModel, requiresHumanApproval, } from './policy.js';
+export function evaluateDeepAgentsRuntimePolicyEnforcement(snapshot, request) {
+    const plannedWrites = request.plannedWrites ?? [];
+    const requestedEnv = request.requestedEnv ?? [];
+    const networkDomains = normalizeNetworkDomains([
+        ...(request.networkDomains ?? []),
+        ...inferRuntimeNetworkDomains(snapshot, request.env),
+    ]);
+    const operations = normalizeOperations([
+        ...(request.operations ?? ['read']),
+        ...(networkDomains.length > 0 ? ['network'] : []),
+    ]);
+    const approvalGrants = normalizeApprovalGrants(request.approvalGrants ?? []);
+    const env = evaluateEnvPassThrough(requestedEnv, snapshot.envAllowlist);
+    const network = evaluateNetworkAccess(networkDomains, snapshot.networkPolicy, snapshot.allowedDomains);
+    const writes = evaluatePlannedWrites(snapshot, request, plannedWrites);
+    const requiredOperations = operations.filter((operation) => requiresHumanApproval(request.mode, operation, snapshot.requireHitl));
+    const missingApprovals = requiredOperations.filter((operation) => !approvalGrants.includes(operation) && !approvalGrants.includes('all'));
+    const reasons = [
+        ...env.blocked.map((entry) => `Environment variable ${entry.env} blocked by ${entry.reason}.`),
+        ...network.blocked.map((domain) => `Network domain ${domain} blocked by ${network.policy} policy.`),
+        ...writes
+            .filter((decision) => !decision.allowed)
+            .map((decision) => `Write ${decision.relativePath ?? decision.absolutePath ?? 'unknown'} blocked by ${decision.code}.`),
+        ...missingApprovals.map((operation) => `Operation ${operation} requires HITL approval.`),
+    ];
+    return {
+        status: reasons.length > 0 ? 'blocked' : 'allowed',
+        fail_closed: true,
+        direct_state_write_allowed: false,
+        reasons,
+        env,
+        network,
+        writes,
+        hitl: {
+            required_operations: requiredOperations,
+            missing_approvals: missingApprovals,
+            granted: approvalGrants,
+        },
+    };
+}
+function evaluatePlannedWrites(snapshot, request, plannedWrites) {
+    if (plannedWrites.length === 0) {
+        return [];
+    }
+    if (!request.projectRoot) {
+        return plannedWrites.map((relativePath) => ({
+            allowed: false,
+            code: 'OUTSIDE_PROJECT_ROOT',
+            message: 'Planned writes require a projectRoot for sandbox policy evaluation.',
+            relativePath,
+        }));
+    }
+    const backend = new DeepAgentsSandboxBackend({
+        projectRoot: request.projectRoot,
+        mode: request.mode,
+        trustTier: request.trustTier ?? 'enterprise-approved',
+        writeScope: request.writeScope ?? snapshot.writeScope,
+    }, new VirtualFilesystemBackend(), new InMemoryStateBackend(), new InMemoryStoreBackend());
+    return plannedWrites.map((relativePath) => backend.authorizeWrite(relativePath));
+}
+function normalizeOperations(operations) {
+    return [...new Set(operations)].sort();
+}
+function normalizeNetworkDomains(domains) {
+    return [...new Set(domains.map((domain) => domain.trim().toLowerCase()).filter(Boolean))].sort();
+}
+function inferRuntimeNetworkDomains(snapshot, env = process.env) {
+    if (!snapshot.enabled || snapshot.runtime !== 'deepagents-js' || !snapshot.model) {
+        return [];
+    }
+    return inferNetworkDomainsForModel(snapshot.model, env);
+}
+function normalizeApprovalGrants(grants) {
+    return [
+        ...new Set(grants
+            .map((grant) => grant.trim().toLowerCase())
+            .filter((grant) => grant === 'all' ||
+            grant === 'read' ||
+            grant === 'write' ||
+            grant === 'execute' ||
+            grant === 'network' ||
+            grant === 'plugin-apply' ||
+            grant === 'finalize' ||
+            grant === 'dependency-change' ||
+            grant === 'process-spawn')),
+    ].sort();
+}
+//# sourceMappingURL=policy-enforcement.js.map

package/dist/core/sdd/deepagents/policy.d.ts

@@ -0,0 +1,75 @@
+import type { DeepAgentsExecutionMode } from './backend.js';
+import { inferNetworkDomainsForModel, requiredCredentialEnvForModel, resolveDeepAgentsModelProvider } from './model-provider.js';
+export type DeepAgentsNetworkPolicy = 'disabled' | 'restricted' | 'enabled';
+export type DeepAgentsRuntimeMode = 'disabled' | 'fake' | 'deepagents-js';
+export type DeepAgentsOperation = 'read' | 'write' | 'execute' | 'network' | 'plugin-apply' | 'finalize' | 'dependency-change' | 'process-spawn';
+export interface DeepAgentsPolicySnapshot {
+    provider: string;
+    enabled: boolean;
+    runtime: DeepAgentsRuntimeMode;
+    defaultMode: DeepAgentsExecutionMode;
+    requireHitl: boolean;
+    networkPolicy: DeepAgentsNetworkPolicy;
+    envAllowlist: string[];
+    allowedDomains: string[];
+    writeScope: string[];
+    model?: string;
+    plannerModel?: string;
+    reviewerModel?: string;
+    coderModel?: string;
+    maxIterations?: number;
+    maxSubagents?: number;
+    maxParallel?: number;
+    sandboxRoot?: string;
+    worktreeRoot?: string;
+    configFingerprint: string;
+}
+export interface DeepAgentsRuntimeReadiness {
+    status: 'disabled' | 'ready' | 'blocked';
+    runtime: DeepAgentsRuntimeMode;
+    model?: string;
+    provider?: string;
+    credentialEnv?: string;
+    credentialPresent: boolean;
+    endpointEnv?: string;
+    endpointPresent?: boolean;
+    reasons: string[];
+}
+export interface DeepAgentsPreflightCheck {
+    id: 'provider' | 'runtime' | 'model' | 'credential' | 'endpoint' | 'network';
+    status: 'pass' | 'fail' | 'skip';
+    message: string;
+}
+export interface DeepAgentsOperationalPreflight {
+    status: 'disabled' | 'ready' | 'blocked';
+    provider: string;
+    runtime: DeepAgentsRuntimeMode;
+    model?: string;
+    reasons: string[];
+    checks: DeepAgentsPreflightCheck[];
+    required_env: string[];
+    missing_env: string[];
+    allowed_domains: string[];
+    inferred_domains: string[];
+}
+export interface EnvPassThroughDecision {
+    allowed: string[];
+    blocked: Array<{
+        env: string;
+        reason: 'SECRET_ENV_BLOCKED' | 'ENV_NOT_ALLOWLISTED';
+    }>;
+}
+export interface NetworkDecision {
+    allowed: string[];
+    blocked: string[];
+    policy: DeepAgentsNetworkPolicy;
+}
+export declare function createDeepAgentsPolicySnapshot(env?: NodeJS.ProcessEnv): DeepAgentsPolicySnapshot;
+export declare function evaluateDeepAgentsRuntimeReadiness(snapshot: DeepAgentsPolicySnapshot, env?: NodeJS.ProcessEnv): DeepAgentsRuntimeReadiness;
+export declare function buildDeepAgentsOperationalPreflight(snapshot: DeepAgentsPolicySnapshot, env?: NodeJS.ProcessEnv): DeepAgentsOperationalPreflight;
+export declare function evaluateEnvPassThrough(requestedEnv: string[], allowlist: string[]): EnvPassThroughDecision;
+export declare function evaluateNetworkAccess(requestedDomains: string[], policy: DeepAgentsNetworkPolicy, allowlist: string[]): NetworkDecision;
+export declare function requiresHumanApproval(mode: DeepAgentsExecutionMode, operation: DeepAgentsOperation, requireHitl: boolean): boolean;
+export declare function buildDeepAgentsConfigFingerprint(config: Record<string, unknown>): string;
+export { inferNetworkDomainsForModel, requiredCredentialEnvForModel, resolveDeepAgentsModelProvider };
+//# sourceMappingURL=policy.d.ts.map