@edictum/core 0.1.0

package/dist/index.d.ts

@@ -0,0 +1,1201 @@
+/** Exception classes for Edictum. */
+/** Raised when guard.run() denies a tool call in enforce mode. */
+declare class EdictumDenied extends Error {
+    readonly reason: string;
+    readonly decisionSource: string | null;
+    readonly decisionName: string | null;
+    constructor(reason: string, decisionSource?: string | null, decisionName?: string | null);
+}
+/** Raised for configuration/load-time errors (invalid YAML, schema failures, etc.). */
+declare class EdictumConfigError extends Error {
+    constructor(message: string);
+}
+/** Raised when the governed tool itself fails. */
+declare class EdictumToolError extends Error {
+    constructor(message: string);
+}
+
+/** Tool Invocation Envelope — immutable snapshot of a tool call. */
+/**
+ * Classification of tool side effects.
+ *
+ * Determines postcondition behavior and retry safety.
+ *
+ * DEFAULTS:
+ * - Unregistered tools -> IRREVERSIBLE (conservative)
+ * - Bash -> IRREVERSIBLE unless strict allowlist match
+ * - Classification errors always err toward MORE restrictive
+ */
+declare const SideEffect: {
+    readonly PURE: "pure";
+    readonly READ: "read";
+    readonly WRITE: "write";
+    readonly IRREVERSIBLE: "irreversible";
+};
+type SideEffect = (typeof SideEffect)[keyof typeof SideEffect];
+/**
+ * Identity context for audit attribution.
+ *
+ * NOTE: `claims` is a plain object. The Principal itself is frozen via
+ * `Object.freeze()`, making the reference immutable. Callers should treat
+ * claims as read-only after construction.
+ */
+interface Principal {
+    readonly userId: string | null;
+    readonly serviceId: string | null;
+    readonly orgId: string | null;
+    readonly role: string | null;
+    readonly ticketRef: string | null;
+    readonly claims: Readonly<Record<string, unknown>>;
+}
+/** Create a frozen Principal with defaults for omitted fields. */
+declare function createPrincipal(partial?: Partial<Principal>): Readonly<Principal>;
+/**
+ * Validate tool_name: reject empty, control chars, path separators.
+ *
+ * Throws EdictumConfigError for:
+ * - Empty string
+ * - Any ASCII control character (code < 0x20 or code === 0x7f)
+ * - Forward slash `/`
+ * - Backslash `\`
+ */
+declare function _validateToolName(toolName: string): void;
+/**
+ * Immutable snapshot of a tool invocation.
+ *
+ * Prefer `createEnvelope()` factory for deep-copy guarantees.
+ * Direct construction validates tool_name but does NOT deep-copy args.
+ */
+interface ToolEnvelope {
+    readonly toolName: string;
+    readonly args: Readonly<Record<string, unknown>>;
+    readonly callId: string;
+    readonly runId: string;
+    readonly callIndex: number;
+    readonly parentCallId: string | null;
+    readonly sideEffect: SideEffect;
+    readonly idempotent: boolean;
+    readonly environment: string;
+    readonly timestamp: Date;
+    readonly caller: string;
+    readonly toolUseId: string | null;
+    readonly principal: Readonly<Principal> | null;
+    readonly bashCommand: string | null;
+    readonly filePath: string | null;
+    readonly metadata: Readonly<Record<string, unknown>>;
+}
+/**
+ * Recursively freeze an object and all nested objects.
+ *
+ * Date objects are skipped — Object.freeze() cannot prevent mutation
+ * via Date prototype methods (setFullYear, setTime, etc.) because Date
+ * stores state in internal slots, not own properties.
+ */
+declare function deepFreeze<T>(obj: T): T;
+/** Maps tool names to governance properties. Unregistered tools default to IRREVERSIBLE. */
+declare class ToolRegistry {
+    private readonly _tools;
+    register(name: string, sideEffect?: SideEffect, idempotent?: boolean): void;
+    classify(toolName: string, _args: Record<string, unknown>): [SideEffect, boolean];
+}
+/**
+ * Classify bash commands by side-effect level.
+ *
+ * Default is IRREVERSIBLE. Only downgraded to READ via strict
+ * allowlist AND absence of shell operators.
+ *
+ * This is a heuristic, not a security boundary.
+ */
+declare const BashClassifier: {
+    readonly READ_ALLOWLIST: readonly ["ls", "cat", "head", "tail", "wc", "find", "grep", "rg", "git status", "git log", "git diff", "git show", "git branch", "git remote", "git tag", "echo", "pwd", "whoami", "date", "which", "file", "stat", "du", "df", "tree", "less", "more"];
+    readonly SHELL_OPERATORS: readonly ["\n", "\r", "<(", "<<", "$", "${", ">", ">>", "|", ";", "&&", "||", "$(", "`", "#{"];
+    readonly classify: (command: string) => SideEffect;
+};
+/** Options for `createEnvelope()` beyond the required positional args. */
+interface CreateEnvelopeOptions {
+    readonly runId?: string;
+    readonly callIndex?: number;
+    readonly callId?: string;
+    readonly parentCallId?: string | null;
+    readonly sideEffect?: SideEffect;
+    readonly idempotent?: boolean;
+    readonly environment?: string;
+    readonly timestamp?: Date;
+    readonly caller?: string;
+    readonly toolUseId?: string | null;
+    readonly principal?: Principal | null;
+    readonly metadata?: Record<string, unknown>;
+    readonly registry?: ToolRegistry | null;
+}
+/**
+ * Factory that enforces immutability guarantees.
+ *
+ * Prefer this factory over direct construction — it deep-copies args
+ * and metadata to ensure the envelope is a true immutable snapshot.
+ */
+declare function createEnvelope(toolName: string, toolInput: Record<string, unknown>, options?: CreateEnvelopeOptions): Readonly<ToolEnvelope>;
+
+/** StorageBackend interface + MemoryBackend implementation. */
+/**
+ * Protocol for persistent state storage.
+ *
+ * Requirements:
+ * - increment() MUST be atomic
+ * - get/set for simple key-value
+ *
+ * v0.1.0: No append() method (counters only, no list ops).
+ */
+interface StorageBackend {
+    get(key: string): Promise<string | null>;
+    set(key: string, value: string): Promise<void>;
+    delete(key: string): Promise<void>;
+    increment(key: string, amount?: number): Promise<number>;
+}
+/**
+ * In-memory storage for development and testing.
+ *
+ * WARNING: State lost on restart. Session contracts reset.
+ * Suitable for: local dev, tests, single-process scripts.
+ *
+ * Node.js is single-threaded — Map operations are atomic.
+ * No lock needed (unlike Python's asyncio.Lock).
+ */
+declare class MemoryBackend implements StorageBackend {
+    private readonly _data;
+    private readonly _counters;
+    get(key: string): Promise<string | null>;
+    set(key: string, value: string): Promise<void>;
+    delete(key: string): Promise<void>;
+    increment(key: string, amount?: number): Promise<number>;
+    /**
+     * Retrieve multiple values in a single operation.
+     *
+     * In-memory implementation: multiple Map lookups, no network overhead.
+     */
+    batchGet(keys: readonly string[]): Promise<Record<string, string | null>>;
+}
+
+/** Session -- atomic counters backed by StorageBackend. */
+
+/**
+ * Tracks execution state via atomic counters in StorageBackend.
+ *
+ * All methods are ASYNC because StorageBackend is async.
+ *
+ * Counter semantics:
+ * - attempts: every PreToolUse, including denied (pre-execution)
+ * - execs: every PostToolUse (tool actually ran)
+ * - tool:{name}: per-tool execution count
+ * - consec_fail: resets on success, increments on failure
+ */
+declare class Session {
+    private readonly _sid;
+    private readonly _backend;
+    constructor(sessionId: string, backend: StorageBackend);
+    get sessionId(): string;
+    /** Increment attempt counter. Called in PreToolUse (before governance). */
+    incrementAttempts(): Promise<number>;
+    attemptCount(): Promise<number>;
+    /** Record a tool execution. Called in PostToolUse. */
+    recordExecution(toolName: string, success: boolean): Promise<void>;
+    executionCount(): Promise<number>;
+    toolExecutionCount(tool: string): Promise<number>;
+    consecutiveFailures(): Promise<number>;
+    /**
+     * Pre-fetch multiple session counters in a single backend call.
+     *
+     * Returns a record with keys: "attempts", "execs", and optionally
+     * "tool:{name}" if includeTool is provided.
+     *
+     * Uses batchGet() on the backend when available (single HTTP round
+     * trip for ServerBackend). Falls back to individual get() calls for
+     * backends without batchGet support.
+     */
+    batchGetCounters(options?: {
+        includeTool?: string;
+    }): Promise<Record<string, number>>;
+}
+
+/** Pre/Post Conditions — contract types for tool governance. */
+
+/** Outcome of a single contract check. */
+interface Verdict {
+    readonly passed: boolean;
+    readonly message: string | null;
+    readonly metadata: Readonly<Record<string, unknown>>;
+}
+/** Factory methods for Verdict. */
+declare const Verdict: {
+    /**
+     * Contract passed — tool call is acceptable.
+     */
+    pass_(): Verdict;
+    /**
+     * Contract failed with an actionable message (truncated to 500 chars).
+     *
+     * Make it SPECIFIC and INSTRUCTIVE — the agent uses it to self-correct.
+     */
+    fail(message: string, metadata?: Record<string, unknown>): Verdict;
+};
+/** Before execution. Safe to deny — tool hasn't run yet. */
+interface Precondition {
+    readonly contractType?: "pre";
+    readonly tool: string;
+    readonly check: (envelope: ToolEnvelope) => Verdict | Promise<Verdict>;
+    readonly when?: ((envelope: ToolEnvelope) => boolean) | null;
+}
+/**
+ * After execution. Observe-and-log.
+ *
+ * On failure for pure/read: inject context suggesting retry.
+ * On failure for write/irreversible: warn only, NO retry coaching.
+ */
+interface Postcondition {
+    readonly contractType: "post";
+    readonly tool: string;
+    readonly check: (envelope: ToolEnvelope, response: unknown) => Verdict | Promise<Verdict>;
+    readonly when?: ((envelope: ToolEnvelope) => boolean) | null;
+}
+/**
+ * Cross-turn governance using persisted atomic counters.
+ *
+ * Session methods are ASYNC. Session contract checks must be async.
+ *
+ * Example:
+ * ```typescript
+ * const maxOperations: SessionContract = {
+ *   check: async (session) => {
+ *     const count = await session.executionCount();
+ *     if (count >= 200) {
+ *       return Verdict.fail("Session limit reached.");
+ *     }
+ *     return Verdict.pass_();
+ *   },
+ * };
+ * ```
+ */
+interface SessionContract {
+    readonly check: (session: Session) => Verdict | Promise<Verdict>;
+}
+
+/** Hook interception — before/after tool execution. */
+declare const HookResult: {
+    readonly ALLOW: "allow";
+    readonly DENY: "deny";
+};
+type HookResult = (typeof HookResult)[keyof typeof HookResult];
+interface HookDecision {
+    readonly result: HookResult;
+    readonly reason: string | null;
+}
+declare const HookDecision: {
+    allow(): HookDecision;
+    deny(reason: string): HookDecision;
+};
+
+/** Operation Limits — tool call and attempt caps. */
+/**
+ * Operation limits for an agent session.
+ *
+ * Two counter types:
+ * - maxAttempts: caps ALL PreToolUse events (including denied)
+ * - maxToolCalls: caps EXECUTIONS only (PostToolUse)
+ *
+ * Both are checked. Whichever fires first wins.
+ */
+interface OperationLimits {
+    readonly maxAttempts: number;
+    readonly maxToolCalls: number;
+    readonly maxCallsPerTool: Readonly<Record<string, number>>;
+}
+declare const DEFAULT_LIMITS: OperationLimits;
+
+/** Shared types for Edictum internals. */
+type AnyFunction = (...args: any[]) => any;
+/** Registration for a hook callback. */
+interface HookRegistration {
+    readonly phase: "before" | "after";
+    readonly tool: string;
+    readonly callback: AnyFunction;
+    readonly when?: AnyFunction | null;
+}
+/** Internal tool configuration. */
+interface ToolConfig {
+    readonly name: string;
+    readonly sideEffect: string;
+    readonly idempotent: boolean;
+}
+
+/** Approval protocol for human-in-the-loop tool call authorization. */
+declare const ApprovalStatus: {
+    readonly PENDING: "pending";
+    readonly APPROVED: "approved";
+    readonly DENIED: "denied";
+    readonly TIMEOUT: "timeout";
+};
+type ApprovalStatus = (typeof ApprovalStatus)[keyof typeof ApprovalStatus];
+/** A request for human approval of a tool call. */
+interface ApprovalRequest {
+    readonly approvalId: string;
+    readonly toolName: string;
+    readonly toolArgs: Readonly<Record<string, unknown>>;
+    readonly message: string;
+    readonly timeout: number;
+    readonly timeoutEffect: string;
+    readonly principal: Readonly<Record<string, unknown>> | null;
+    readonly metadata: Readonly<Record<string, unknown>>;
+    readonly createdAt: Date;
+}
+/** The result of a human approval decision. */
+interface ApprovalDecision {
+    readonly approved: boolean;
+    readonly approver: string | null;
+    readonly reason: string | null;
+    readonly status: ApprovalStatus;
+    readonly timestamp: Date;
+}
+/** Protocol for human-in-the-loop approval providers. */
+interface ApprovalBackend {
+    requestApproval(toolName: string, toolArgs: Record<string, unknown>, message: string, options?: {
+        timeout?: number;
+        timeoutEffect?: string;
+        principal?: Record<string, unknown> | null;
+        metadata?: Record<string, unknown> | null;
+    }): Promise<ApprovalRequest>;
+    waitForDecision(approvalId: string, timeout?: number | null): Promise<ApprovalDecision>;
+}
+/**
+ * CLI-based approval backend for local testing.
+ *
+ * Prompts on stdout, reads from stdin. Blocks until response or timeout.
+ */
+declare class LocalApprovalBackend implements ApprovalBackend {
+    private readonly _pending;
+    requestApproval(toolName: string, toolArgs: Record<string, unknown>, message: string, options?: {
+        timeout?: number;
+        timeoutEffect?: string;
+        principal?: Record<string, unknown> | null;
+        metadata?: Record<string, unknown> | null;
+    }): Promise<ApprovalRequest>;
+    waitForDecision(approvalId: string, timeout?: number | null): Promise<ApprovalDecision>;
+    /** Read a single line from stdin with a timeout. */
+    private _readStdin;
+}
+
+/** Redaction policy for sensitive data in audit events. */
+/**
+ * Redact sensitive data from audit events.
+ *
+ * Recurses into dicts AND lists. Normalizes keys to lowercase.
+ * Caps total payload size. Detects common secret patterns in values.
+ */
+declare class RedactionPolicy {
+    static readonly DEFAULT_SENSITIVE_KEYS: ReadonlySet<string>;
+    static readonly BASH_REDACTION_PATTERNS: ReadonlyArray<readonly [string, string]>;
+    static readonly SECRET_VALUE_PATTERNS: ReadonlyArray<string>;
+    static readonly MAX_PAYLOAD_SIZE = 32768;
+    static readonly MAX_REGEX_INPUT = 10000;
+    static readonly MAX_PATTERN_LENGTH = 10000;
+    private readonly _keys;
+    private readonly _patterns;
+    private readonly _compiledPatterns;
+    private readonly _compiledSecretPatterns;
+    private readonly _detectValues;
+    constructor(sensitiveKeys?: ReadonlySet<string> | null, customPatterns?: ReadonlyArray<readonly [string, string]> | null, detectSecretValues?: boolean);
+    /** Recursively redact sensitive data from tool arguments. */
+    redactArgs(args: unknown): unknown;
+    /** Check if a key name indicates sensitive data. */
+    _isSensitiveKey(key: string): boolean;
+    /** Check if a string value looks like a known secret format. */
+    _looksLikeSecret(value: string): boolean;
+    /** Apply redaction patterns to a bash command string. */
+    redactBashCommand(command: string): string;
+    /** Apply redaction patterns and truncate a result string. */
+    redactResult(result: string, maxLength?: number): string;
+    /** Cap total serialized size of audit payload. Returns a new object if truncated. */
+    capPayload(data: Record<string, unknown>): Record<string, unknown>;
+}
+
+/** Structured Event Log with Redaction. */
+
+declare const AuditAction: {
+    readonly CALL_DENIED: "call_denied";
+    readonly CALL_WOULD_DENY: "call_would_deny";
+    readonly CALL_ALLOWED: "call_allowed";
+    readonly CALL_EXECUTED: "call_executed";
+    readonly CALL_FAILED: "call_failed";
+    readonly POSTCONDITION_WARNING: "postcondition_warning";
+    readonly CALL_APPROVAL_REQUESTED: "call_approval_requested";
+    readonly CALL_APPROVAL_GRANTED: "call_approval_granted";
+    readonly CALL_APPROVAL_DENIED: "call_approval_denied";
+    readonly CALL_APPROVAL_TIMEOUT: "call_approval_timeout";
+};
+type AuditAction = (typeof AuditAction)[keyof typeof AuditAction];
+interface AuditEvent {
+    schemaVersion: string;
+    timestamp: Date;
+    runId: string;
+    callId: string;
+    callIndex: number;
+    parentCallId: string | null;
+    toolName: string;
+    toolArgs: Record<string, unknown>;
+    sideEffect: string;
+    environment: string;
+    principal: Record<string, unknown> | null;
+    action: AuditAction;
+    decisionSource: string | null;
+    decisionName: string | null;
+    reason: string | null;
+    hooksEvaluated: Record<string, unknown>[];
+    contractsEvaluated: Record<string, unknown>[];
+    toolSuccess: boolean | null;
+    postconditionsPassed: boolean | null;
+    durationMs: number;
+    error: string | null;
+    resultSummary: string | null;
+    sessionAttemptCount: number;
+    sessionExecutionCount: number;
+    mode: string;
+    policyVersion: string | null;
+    policyError: boolean;
+}
+/** Factory with defaults matching the Python dataclass. */
+declare function createAuditEvent(f?: Partial<AuditEvent>): AuditEvent;
+interface AuditSink {
+    emit(event: AuditEvent): Promise<void>;
+}
+/** Raised when a mark references events evicted from the buffer. */
+declare class MarkEvictedError extends Error {
+    constructor(message: string);
+}
+/** Fan-out sink: emits to all sinks, raises AggregateError on failures. */
+declare class CompositeSink implements AuditSink {
+    private readonly _sinks;
+    constructor(sinks: AuditSink[]);
+    get sinks(): AuditSink[];
+    emit(event: AuditEvent): Promise<void>;
+}
+declare class StdoutAuditSink implements AuditSink {
+    private readonly _redaction;
+    constructor(redaction?: RedactionPolicy | null);
+    emit(event: AuditEvent): Promise<void>;
+}
+declare class FileAuditSink implements AuditSink {
+    private readonly _path;
+    private readonly _redaction;
+    constructor(path: string, redaction?: RedactionPolicy | null);
+    emit(event: AuditEvent): Promise<void>;
+}
+/** In-memory ring buffer sink for programmatic inspection. */
+declare class CollectingAuditSink implements AuditSink {
+    private _events;
+    private readonly _maxEvents;
+    private _totalEmitted;
+    constructor(maxEvents?: number);
+    emit(event: AuditEvent): Promise<void>;
+    get events(): AuditEvent[];
+    mark(): number;
+    sinceMark(m: number): AuditEvent[];
+    last(): AuditEvent;
+    filter(action: AuditAction): AuditEvent[];
+    clear(): void;
+}
+
+/** Evaluation result types for dry-run contract evaluation. */
+/** Result of evaluating a single contract. */
+interface ContractResult {
+    readonly contractId: string;
+    readonly contractType: string;
+    readonly passed: boolean;
+    readonly message: string | null;
+    readonly tags: readonly string[];
+    readonly observed: boolean;
+    readonly effect: string;
+    readonly policyError: boolean;
+}
+/** Create a frozen ContractResult with defaults matching the Python dataclass. */
+declare function createContractResult(fields: Pick<ContractResult, "contractId" | "contractType" | "passed"> & Partial<Omit<ContractResult, "contractId" | "contractType" | "passed">>): ContractResult;
+/** Result of dry-run evaluation of a tool call against contracts. */
+interface EvaluationResult {
+    readonly verdict: string;
+    readonly toolName: string;
+    readonly contracts: readonly ContractResult[];
+    readonly denyReasons: readonly string[];
+    readonly warnReasons: readonly string[];
+    readonly contractsEvaluated: number;
+    readonly policyError: boolean;
+}
+/** Create a frozen EvaluationResult with defaults matching the Python dataclass. */
+declare function createEvaluationResult(fields: Pick<EvaluationResult, "verdict" | "toolName"> & Partial<Omit<EvaluationResult, "verdict" | "toolName">>): EvaluationResult;
+
+/** Structured postcondition findings. */
+/**
+ * A structured finding from a postcondition evaluation.
+ *
+ * Produced when a postcondition warns or detects an issue.
+ * Returned to the caller via PostCallResult so they can
+ * decide how to remediate.
+ */
+interface Finding {
+    readonly type: string;
+    readonly contractId: string;
+    readonly field: string;
+    readonly message: string;
+    readonly metadata: Readonly<Record<string, unknown>>;
+}
+/** Create a frozen Finding with defaults for metadata. */
+declare function createFinding(fields: Pick<Finding, "type" | "contractId" | "field" | "message"> & Partial<Pick<Finding, "metadata">>): Finding;
+/**
+ * Result from a governed tool call, including postcondition findings.
+ *
+ * Returned by adapter's postToolCall and available via asToolWrapper.
+ *
+ * When postconditionsPassed is false, the findings list contains
+ * structured Finding objects describing what was detected. The caller
+ * can then decide how to remediate (redact, replace, log, etc.).
+ */
+interface PostCallResult {
+    readonly result: unknown;
+    readonly postconditionsPassed: boolean;
+    readonly findings: readonly Finding[];
+    readonly outputSuppressed: boolean;
+}
+/** Create a PostCallResult with defaults. */
+declare function createPostCallResult(fields: Pick<PostCallResult, "result"> & Partial<Omit<PostCallResult, "result">>): PostCallResult;
+/**
+ * Classify a postcondition finding type from contract ID and message.
+ *
+ * Returns a standard finding type string.
+ */
+declare function classifyFinding(contractId: string, verdictMessage: string): string;
+/**
+ * Structural type for the PostDecision fields consumed by buildFindings.
+ *
+ * The full PostDecision lives in pipeline.ts. This captures only the
+ * subset needed here to avoid a circular import.
+ */
+interface PostDecisionLike {
+    readonly contractsEvaluated: ReadonlyArray<{
+        readonly passed?: boolean;
+        readonly name: string;
+        readonly message?: string;
+        readonly metadata?: Record<string, unknown>;
+    }>;
+}
+/**
+ * Build Finding objects from a PostDecision's failed postconditions.
+ *
+ * The `field` value is extracted from `metadata.field` if the
+ * contract provides it (e.g. `Verdict.fail("msg", { field: "output.text" })`),
+ * otherwise defaults to `"output"` for postconditions.
+ */
+declare function buildFindings(postDecision: PostDecisionLike): Finding[];
+
+/**
+ * Internal contract representations used by GuardLike and GovernancePipeline.
+ *
+ * User-facing types (Precondition, Postcondition, SessionContract) are plain
+ * objects optimized for DX. These internal types carry the metadata the
+ * pipeline needs (name, mode, source, effect, timeout) that Python stores
+ * as _edictum_* function attributes.
+ *
+ * The Guard class converts user contracts → internal contracts at construction.
+ * The YAML compiler produces internal contracts directly.
+ */
+
+interface InternalContractBase {
+    readonly name: string;
+    readonly mode?: "enforce" | "observe";
+    readonly source?: string;
+}
+/** Internal precondition — enriched with pipeline metadata. */
+interface InternalPrecondition extends InternalContractBase {
+    readonly type: "precondition";
+    readonly tool: string;
+    readonly check: (envelope: ToolEnvelope) => Verdict | Promise<Verdict>;
+    readonly when?: ((envelope: ToolEnvelope) => boolean) | null;
+    readonly effect?: "deny" | "approve";
+    readonly timeout?: number;
+    readonly timeoutEffect?: "deny" | "allow";
+}
+/** Internal postcondition — enriched with effect and redaction info. */
+interface InternalPostcondition extends InternalContractBase {
+    readonly type: "postcondition";
+    readonly tool: string;
+    readonly check: (envelope: ToolEnvelope, response: unknown) => Verdict | Promise<Verdict>;
+    readonly when?: ((envelope: ToolEnvelope) => boolean) | null;
+    readonly effect?: "warn" | "redact" | "deny";
+    readonly redactPatterns?: readonly RegExp[];
+}
+/** Internal session contract. */
+interface InternalSessionContract extends InternalContractBase {
+    readonly type: "session_contract";
+    readonly check: (session: Session) => Verdict | Promise<Verdict>;
+}
+/** Internal sandbox contract — tool matching uses tools[] not tool. */
+interface InternalSandboxContract extends InternalContractBase {
+    readonly type: "sandbox";
+    readonly tools: readonly string[];
+    readonly check: (envelope: ToolEnvelope) => Verdict | Promise<Verdict>;
+    readonly effect?: "deny" | "approve";
+    readonly timeout?: number;
+    readonly timeoutEffect?: "deny" | "allow";
+}
+/** Union of all internal contract types. */
+type InternalContract = InternalPrecondition | InternalPostcondition | InternalSessionContract | InternalSandboxContract;
+/**
+ * Interface representing what the GovernancePipeline needs from the Guard.
+ *
+ * Decouples pipeline from concrete Guard class for testability.
+ * The real Edictum class implements this.
+ */
+interface GuardLike {
+    readonly limits: OperationLimits;
+    getHooks(phase: "before" | "after", envelope: ToolEnvelope): HookRegistration[];
+    getPreconditions(envelope: ToolEnvelope): InternalPrecondition[];
+    getPostconditions(envelope: ToolEnvelope): InternalPostcondition[];
+    getSessionContracts(): InternalSessionContract[];
+    getSandboxContracts(envelope: ToolEnvelope): InternalSandboxContract[];
+    getObservePreconditions(envelope: ToolEnvelope): InternalPrecondition[];
+    getObservePostconditions(envelope: ToolEnvelope): InternalPostcondition[];
+    getObserveSandboxContracts(envelope: ToolEnvelope): InternalSandboxContract[];
+    getObserveSessionContracts(): InternalSessionContract[];
+}
+
+/**
+ * _CompiledState -- frozen snapshot of compiled contracts.
+ *
+ * All contract lists are readonly arrays (frozen). The entire state is
+ * replaced atomically via a single reference assignment in reload(),
+ * ensuring concurrent evaluations never see a mix of old and new
+ * contracts.
+ */
+
+interface CompiledState {
+    readonly preconditions: readonly InternalPrecondition[];
+    readonly postconditions: readonly InternalPostcondition[];
+    readonly sessionContracts: readonly InternalSessionContract[];
+    readonly sandboxContracts: readonly InternalSandboxContract[];
+    readonly observePreconditions: readonly InternalPrecondition[];
+    readonly observePostconditions: readonly InternalPostcondition[];
+    readonly observeSessionContracts: readonly InternalSessionContract[];
+    readonly observeSandboxContracts: readonly InternalSandboxContract[];
+    readonly limits: OperationLimits;
+    readonly policyVersion: string | null;
+}
+declare function createCompiledState(partial?: Partial<CompiledState>): CompiledState;
+
+/**
+ * GovernancePipeline -- single source of governance logic.
+ *
+ * SIZE APPROVAL: This file exceeds 200 lines. It mirrors Python's pipeline.py
+ * (485 LOC). PreDecision + PostDecision types + the 5-stage pre/post engine
+ * form a single cohesive evaluation flow that would be harder to follow if split.
+ */
+
+/** Result of pre-execution governance evaluation. */
+interface PreDecision {
+    readonly action: "allow" | "deny" | "pending_approval";
+    readonly reason: string | null;
+    readonly decisionSource: string | null;
+    readonly decisionName: string | null;
+    readonly hooksEvaluated: Record<string, unknown>[];
+    readonly contractsEvaluated: Record<string, unknown>[];
+    readonly observed: boolean;
+    readonly policyError: boolean;
+    readonly observeResults: Record<string, unknown>[];
+    readonly approvalTimeout: number;
+    readonly approvalTimeoutEffect: string;
+    readonly approvalMessage: string | null;
+}
+/** Create a PreDecision with defaults for omitted fields. */
+declare function createPreDecision(partial: Partial<PreDecision> & Pick<PreDecision, "action">): PreDecision;
+/** Result of post-execution governance evaluation. */
+interface PostDecision {
+    readonly toolSuccess: boolean;
+    readonly postconditionsPassed: boolean;
+    readonly warnings: string[];
+    readonly contractsEvaluated: Record<string, unknown>[];
+    readonly policyError: boolean;
+    readonly redactedResponse: unknown;
+    readonly outputSuppressed: boolean;
+}
+/** Create a PostDecision with defaults for omitted fields. */
+declare function createPostDecision(partial: Partial<PostDecision> & Pick<PostDecision, "toolSuccess">): PostDecision;
+/**
+ * Orchestrates all governance checks.
+ *
+ * This is the single source of truth for governance logic.
+ * Adapters call preExecute() and postExecute(), then translate
+ * the structured results into framework-specific formats.
+ */
+declare class GovernancePipeline {
+    private readonly _guard;
+    constructor(guard: GuardLike);
+    preExecute(envelope: ToolEnvelope, session: Session): Promise<PreDecision>;
+    postExecute(envelope: ToolEnvelope, toolResponse: unknown, toolSuccess: boolean): Promise<PostDecision>;
+    /**
+     * Evaluate observe-mode contracts without affecting the real decision.
+     *
+     * Observe-mode contracts are identified by mode === "observe" on the
+     * internal contract. Results are returned as dicts for audit emission
+     * but never block calls.
+     */
+    private _evaluateObserveContracts;
+}
+
+/** Bundle Composer — merge multiple parsed YAML bundles into one. */
+/** Records a contract that was replaced during composition. */
+interface CompositionOverride {
+    readonly contractId: string;
+    readonly overriddenBy: string;
+    readonly originalSource: string;
+}
+/** Records a contract added as an observe-mode copy (observe_alongside). */
+interface ObserveContract {
+    readonly contractId: string;
+    readonly enforcedSource: string;
+    readonly observedSource: string;
+}
+/** Report of what happened during composition. */
+interface CompositionReport {
+    readonly overriddenContracts: readonly CompositionOverride[];
+    readonly observeContracts: readonly ObserveContract[];
+}
+/** Result of composing multiple bundles. */
+interface ComposedBundle {
+    readonly bundle: Record<string, unknown>;
+    readonly report: CompositionReport;
+}
+/**
+ * Merge multiple parsed bundle dicts left to right.
+ *
+ * Each entry is a tuple of [bundleData, sourceLabel]. Later layers
+ * have higher priority.
+ */
+declare function composeBundles(...bundles: [Record<string, unknown>, string][]): ComposedBundle;
+
+/** Built-in operators for YAML condition evaluation. */
+/** Cap regex input to prevent catastrophic backtracking DoS. */
+declare const MAX_REGEX_INPUT = 10000;
+/** All built-in operator names (including "exists" which is special-cased). */
+declare const BUILTIN_OPERATOR_NAMES: ReadonlySet<string>;
+
+/** Selector resolution — map YAML selector paths to ToolEnvelope values. */
+
+declare const BUILTIN_SELECTOR_PREFIXES: ReadonlySet<string>;
+
+/** Condition Evaluator — resolve selectors and apply operators against ToolEnvelope. */
+
+/**
+ * Sentinel indicating a type mismatch or evaluation error.
+ *
+ * Converts to `true` conceptually — errors trigger the contract (fail-closed).
+ * Callers should treat PolicyError as "condition matched" and apply
+ * deny/warn + policyError flag.
+ */
+declare class PolicyError {
+    readonly message: string;
+    constructor(message: string);
+}
+type CustomOperator = (fieldValue: unknown, opValue: unknown) => boolean;
+type CustomSelector = (envelope: ToolEnvelope) => Record<string, unknown>;
+interface EvaluateOptions$1 {
+    readonly customOperators?: Readonly<Record<string, CustomOperator>> | null;
+    readonly customSelectors?: Readonly<Record<string, CustomSelector>> | null;
+}
+/**
+ * Evaluate a boolean expression tree against an envelope.
+ *
+ * Returns `true` if the expression matches, `false` if not.
+ * Returns a `PolicyError` if a type mismatch or evaluation error occurs
+ * (caller should treat as deny/warn + policyError).
+ *
+ * Missing fields always evaluate to `false` (contract doesn't fire).
+ */
+declare function evaluateExpression(expr: Record<string, unknown>, envelope: ToolEnvelope, outputText?: string | null, options?: EvaluateOptions$1): boolean | PolicyError;
+
+/**
+ * Factory functions for creating Edictum instances from YAML bundles.
+ *
+ * Ports Python's _factory.py: fromYaml, fromYamlString, reload.
+ *
+ * SIZE APPROVAL: This file exceeds 200 lines. It mirrors Python's _factory.py
+ * (384 LOC). The three factory functions share option types and helper logic
+ * that would create unnecessary coupling if split.
+ *
+ * Guard.ts delegates to these via dynamic import to avoid circular deps.
+ */
+
+/** Options shared by fromYaml and fromYamlString. */
+interface YamlFactoryOptions {
+    readonly mode?: "enforce" | "observe";
+    readonly tools?: Record<string, {
+        side_effect?: string;
+        idempotent?: boolean;
+    }>;
+    readonly auditSink?: AuditSink | AuditSink[];
+    readonly redaction?: RedactionPolicy;
+    readonly backend?: StorageBackend;
+    readonly environment?: string;
+    readonly onDeny?: (envelope: ToolEnvelope, reason: string, source: string | null) => void;
+    readonly onAllow?: (envelope: ToolEnvelope) => void;
+    readonly customOperators?: Record<string, CustomOperator>;
+    readonly customSelectors?: Record<string, CustomSelector>;
+    readonly successCheck?: (toolName: string, result: unknown) => boolean;
+    readonly principal?: Principal;
+    readonly principalResolver?: (toolName: string, toolInput: Record<string, unknown>) => Principal;
+    readonly approvalBackend?: ApprovalBackend;
+}
+/** Options for fromYaml, extending base with returnReport. */
+interface FromYamlOptions extends YamlFactoryOptions {
+    readonly returnReport?: boolean;
+}
+/**
+ * Create an Edictum instance from one or more YAML contract bundle paths.
+ *
+ * When multiple paths are given, bundles are composed left-to-right
+ * (later layers override earlier ones).
+ *
+ * EXCEPTION TO "ALL ASYNC" RULE: This factory is intentionally synchronous,
+ * matching Python's from_yaml(). File I/O uses Node's readFileSync and YAML
+ * parsing is CPU-bound — neither benefits from async. The returned Edictum
+ * instance's run()/evaluate()/evaluateBatch() methods are fully async.
+ * Making this async would force all callers to await at module init time
+ * for no concurrency benefit.
+ */
+declare function fromYaml(...args: [...string[], FromYamlOptions] | string[]): Edictum | [Edictum, CompositionReport];
+/**
+ * Create an Edictum instance from a YAML string or Uint8Array.
+ *
+ * Like fromYaml but accepts YAML content directly instead of a file path.
+ *
+ * EXCEPTION TO "ALL ASYNC" RULE: Synchronous by design — see fromYaml docs.
+ */
+declare function fromYamlString(content: string | Uint8Array, options?: YamlFactoryOptions): Edictum;
+/** Options for reload(). */
+interface ReloadOptions {
+    readonly customOperators?: Record<string, CustomOperator>;
+    readonly customSelectors?: Record<string, CustomSelector>;
+}
+/**
+ * Atomically replace a guard's contracts from a YAML string.
+ *
+ * Builds a new CompiledState from the YAML content and swaps the
+ * guard's internal state reference. Concurrent evaluations that
+ * started before reload() see the old state; evaluations after
+ * see the new state.
+ */
+declare function reload(guard: Edictum, yamlContent: string, options?: ReloadOptions): void;
+
+/**
+ * Core Edictum class -- construction, contract registry, and accessor methods.
+ *
+ * SIZE APPROVAL: This file exceeds 200 lines. It mirrors Python's _guard.py
+ * (314 LOC) which is already the decomposed version of the original god class.
+ * The contract classification + accessor methods form a cohesive unit.
+ *
+ * Minimum viable guard: constructor + contract classification + accessors.
+ * run(), from_yaml(), from_server() are delegated methods added later.
+ */
+
+/** Constructor options for the Edictum guard. */
+interface EdictumOptions {
+    readonly environment?: string;
+    readonly mode?: "enforce" | "observe";
+    readonly limits?: OperationLimits;
+    readonly tools?: Record<string, {
+        side_effect?: string;
+        idempotent?: boolean;
+    }>;
+    readonly contracts?: ReadonlyArray<Precondition | Postcondition | SessionContract>;
+    readonly hooks?: ReadonlyArray<HookRegistration>;
+    readonly auditSink?: AuditSink | AuditSink[];
+    readonly redaction?: RedactionPolicy;
+    readonly backend?: StorageBackend;
+    readonly policyVersion?: string;
+    readonly onDeny?: (envelope: ToolEnvelope, reason: string, source: string | null) => void;
+    readonly onAllow?: (envelope: ToolEnvelope) => void;
+    readonly successCheck?: (toolName: string, result: unknown) => boolean;
+    readonly principal?: Principal;
+    readonly principalResolver?: (toolName: string, toolInput: Record<string, unknown>) => Principal;
+    readonly approvalBackend?: ApprovalBackend;
+}
+/**
+ * Main configuration and entrypoint.
+ *
+ * Two usage modes:
+ * 1. With framework adapter: use the appropriate adapter
+ * 2. Framework-agnostic: use guard.run() directly
+ */
+declare class Edictum implements GuardLike {
+    readonly environment: string;
+    readonly mode: "enforce" | "observe";
+    readonly backend: StorageBackend;
+    readonly redaction: RedactionPolicy;
+    readonly toolRegistry: ToolRegistry;
+    readonly auditSink: AuditSink;
+    private readonly _localSink;
+    private _state;
+    private readonly _beforeHooks;
+    private readonly _afterHooks;
+    private readonly _sessionId;
+    /** @internal */ readonly _onDeny: ((envelope: ToolEnvelope, reason: string, source: string | null) => void) | null;
+    /** @internal */ readonly _onAllow: ((envelope: ToolEnvelope) => void) | null;
+    /** @internal */ readonly _successCheck: ((toolName: string, result: unknown) => boolean) | null;
+    private _principal;
+    private readonly _principalResolver;
+    /** @internal */ readonly _approvalBackend: ApprovalBackend | null;
+    constructor(options?: EdictumOptions);
+    /** The local in-memory audit event collector. Always present. */
+    get localSink(): CollectingAuditSink;
+    /** Operation limits for the current contract set. */
+    get limits(): OperationLimits;
+    /** Update operation limits (replaces compiled state atomically). */
+    set limits(value: OperationLimits);
+    /** SHA256 hash identifying the active contract bundle. */
+    get policyVersion(): string | null;
+    /**
+     * Replace the compiled state atomically.
+     *
+     * @internal — used by factory.ts reload(). Not part of the public API.
+     */
+    _replaceState(newState: CompiledState): void;
+    /**
+     * Read the current compiled state.
+     *
+     * @internal — used by factory.ts reload(). Not part of the public API.
+     */
+    _getState(): CompiledState;
+    /** Update policy version (replaces compiled state atomically). */
+    set policyVersion(value: string | null);
+    /** The persistent session ID for this guard instance. */
+    get sessionId(): string;
+    /** Update the principal used for subsequent tool calls. */
+    setPrincipal(principal: Principal): void;
+    /** Resolve the principal for a tool call. */
+    _resolvePrincipal(toolName: string, toolInput: Record<string, unknown>): Principal | null;
+    private _registerHook;
+    getHooks(phase: "before" | "after", envelope: ToolEnvelope): HookRegistration[];
+    getPreconditions(envelope: ToolEnvelope): InternalPrecondition[];
+    getPostconditions(envelope: ToolEnvelope): InternalPostcondition[];
+    getSessionContracts(): InternalSessionContract[];
+    getSandboxContracts(envelope: ToolEnvelope): InternalSandboxContract[];
+    getObservePreconditions(envelope: ToolEnvelope): InternalPrecondition[];
+    getObservePostconditions(envelope: ToolEnvelope): InternalPostcondition[];
+    getObserveSessionContracts(): InternalSessionContract[];
+    getObserveSandboxContracts(envelope: ToolEnvelope): InternalSandboxContract[];
+    /**
+     * Classify user-facing and internal contracts into enforce/observe lists.
+     *
+     * User-facing contracts (Precondition, Postcondition, SessionContract)
+     * are converted to internal representations. Internal contracts (from
+     * YAML compiler) carry _edictum_* metadata and are classified by their
+     * _edictum_observe flag (Python uses _edictum_shadow — wire-format parity).
+     */
+    private static _classifyContracts;
+    /** Route an internal contract to the appropriate enforce/observe list. */
+    private static _classifyInternal;
+    /** Filter contracts by tool pattern and optional `when` guard. */
+    private static _filterByTool;
+    /** Filter sandbox contracts by tool patterns array. */
+    private static _filterSandbox;
+    /** Execute a tool call with full governance pipeline. */
+    run(toolName: string, args: Record<string, unknown>, toolCallable: (args: Record<string, unknown>) => unknown | Promise<unknown>, options?: {
+        sessionId?: string;
+        environment?: string;
+        principal?: Principal;
+    }): Promise<unknown>;
+    /**
+     * Dry-run evaluation of a tool call against all matching contracts.
+     *
+     * Never executes the tool. Evaluates exhaustively (no short-circuit).
+     * Session contracts are skipped.
+     */
+    evaluate(toolName: string, args: Record<string, unknown>, options?: {
+        principal?: Principal;
+        output?: string;
+        environment?: string;
+    }): Promise<EvaluationResult>;
+    /** Evaluate a batch of tool calls. Thin wrapper over evaluate(). */
+    evaluateBatch(calls: Array<{
+        tool: string;
+        args?: Record<string, unknown>;
+        principal?: Record<string, unknown>;
+        output?: string | Record<string, unknown>;
+        environment?: string;
+    }>): Promise<EvaluationResult[]>;
+    /**
+     * Create an Edictum instance from one or more YAML contract bundle paths.
+     *
+     * When multiple paths are given, bundles are composed left-to-right
+     * (later layers override earlier ones).
+     *
+     * When the trailing options object has `returnReport: true`, returns
+     * a tuple of [Edictum, CompositionReport].
+     */
+    static fromYaml(...args: [...string[], FromYamlOptions & {
+        returnReport: true;
+    }]): [Edictum, CompositionReport];
+    static fromYaml(...args: [...string[], FromYamlOptions] | string[]): Edictum;
+    /**
+     * Create an Edictum instance from a YAML string or Uint8Array.
+     */
+    static fromYamlString(content: string | Uint8Array, options?: YamlFactoryOptions): Edictum;
+    /**
+     * Atomically replace this guard's contracts from a YAML string.
+     *
+     * Pass customOperators/customSelectors if the new YAML uses custom
+     * operators or selectors that were passed to fromYaml/fromYamlString.
+     */
+    reload(yamlContent: string, options?: ReloadOptions): void;
+}
+
+/**
+ * Execution logic for Edictum.run() -- governance pipeline with tool execution.
+ *
+ * Ports Python's _runner.py. Governance pipeline + tool callable execution.
+ *
+ * SIZE APPROVAL: This file exceeds 200 lines. It mirrors Python's _runner.py
+ * (350 LOC). The full run() flow (pre-execute → approval → execute → post-execute
+ * → audit) is a single cohesive transaction that would be harder to follow if split.
+ */
+
+/**
+ * Default heuristic for tool success detection.
+ *
+ * Matches the heuristic used by all framework adapters:
+ * - null/undefined is success
+ * - object with is_error truthy is failure
+ * - string starting with "error:" or "fatal:" (case-insensitive) is failure
+ * - everything else is success
+ */
+declare function defaultSuccessCheck(_toolName: string, result: unknown): boolean;
+/** Options for the run() function beyond the required positional args. */
+interface RunOptions {
+    readonly sessionId?: string;
+    readonly environment?: string;
+    readonly principal?: Principal;
+}
+/**
+ * Framework-agnostic entrypoint for governed tool execution.
+ *
+ * Creates session, pipeline, envelope. Runs pre-execute governance,
+ * handles approval flow, executes the tool, runs post-execute governance,
+ * emits audit events, and returns the (potentially redacted) result.
+ */
+declare function run(guard: Edictum, toolName: string, args: Record<string, unknown>, toolCallable: (args: Record<string, unknown>) => unknown | Promise<unknown>, options?: RunOptions): Promise<unknown>;
+
+/**
+ * Dry-run evaluation logic for Edictum.evaluate() and evaluateBatch().
+ *
+ * Ports Python's _dry_run.py. Exhaustive contract evaluation without
+ * tool execution. Session contracts are skipped (no session state).
+ *
+ * SIZE APPROVAL: This file exceeds 200 lines. It mirrors Python's
+ * _dry_run.py (205 LOC). evaluate() + evaluateBatch() are a cohesive unit.
+ */
+
+/** Options for the evaluate() function. */
+interface EvaluateOptions {
+    readonly principal?: Principal;
+    readonly output?: string;
+    readonly environment?: string;
+}
+/** A single call in an evaluateBatch() batch. */
+interface BatchCall {
+    readonly tool: string;
+    readonly args?: Record<string, unknown>;
+    readonly principal?: Record<string, unknown>;
+    readonly output?: string | Record<string, unknown>;
+    readonly environment?: string;
+}
+
+/**
+ * Minimal Python fnmatch.fnmatch() port for glob pattern matching.
+ *
+ * Used by Edictum for contract tool filtering and hook registration.
+ */
+/**
+ * Match a name against a glob pattern (fnmatch-style).
+ *
+ * Supports: `*` (any sequence), `?` (any single char), literal match.
+ * Does NOT support `[...]` character classes (not used by edictum contracts).
+ *
+ * Input capped at 10,000 characters to prevent regex DoS.
+ */
+declare function fnmatch(name: string, pattern: string): boolean;
+
+/** Compiler — convert parsed YAML contracts into contract objects and OperationLimits. */
+
+/** Result of compiling a YAML contract bundle. */
+interface CompiledBundle {
+    readonly preconditions: readonly unknown[];
+    readonly postconditions: readonly unknown[];
+    readonly sessionContracts: readonly unknown[];
+    readonly sandboxContracts: readonly unknown[];
+    readonly limits: OperationLimits;
+    readonly defaultMode: string;
+    readonly tools: Readonly<Record<string, Record<string, unknown>>>;
+}
+interface CompileOptions {
+    readonly customOperators?: Readonly<Record<string, CustomOperator>> | null;
+    readonly customSelectors?: Readonly<Record<string, CustomSelector>> | null;
+}
+/**
+ * Compile a validated YAML bundle into contract objects.
+ *
+ * @param bundle - A validated bundle dict (output of loadBundle).
+ * @param options - Optional custom operators and selectors.
+ * @returns CompiledBundle with preconditions, postconditions, sessionContracts,
+ *          and merged OperationLimits.
+ */
+declare function compileContracts(bundle: Record<string, unknown>, options?: CompileOptions): CompiledBundle;
+
+/** Compiler utilities — validation, regex precompilation, message expansion. */
+
+/**
+ * Expand {placeholder} tokens in a message template.
+ *
+ * Missing placeholders are kept as-is. Each expansion is capped at 200 chars.
+ * Values that look like secrets are redacted.
+ */
+declare function expandMessage(template: string, envelope: ToolEnvelope, outputText?: string | null, customSelectors?: Readonly<Record<string, CustomSelector>> | null): string;
+/** Validate that all operators used in the bundle are known (built-in or custom). */
+declare function validateOperators(bundle: Record<string, unknown>, customOperators: Readonly<Record<string, unknown>> | null): void;
+
+/** YAML Bundle Loader — parse, validate, compute bundle hash. */
+
+/** Maximum bundle file size in bytes (1 MB). */
+declare const MAX_BUNDLE_SIZE = 1048576;
+/** SHA256 hash of raw YAML bytes, used as policy_version. */
+interface BundleHash {
+    readonly hex: string;
+}
+/** Compute SHA256 hash of raw YAML bytes. */
+declare function computeHash(rawBytes: Uint8Array): BundleHash;
+/**
+ * Load and validate a YAML contract bundle from a file path.
+ *
+ * @returns Tuple of [parsed bundle dict, bundle hash].
+ * @throws EdictumConfigError on validation failure.
+ * @throws Error if the file does not exist.
+ */
+declare function loadBundle(source: string): [Record<string, unknown>, BundleHash];
+/**
+ * Load and validate a YAML contract bundle from a string or bytes.
+ *
+ * Like {@link loadBundle} but accepts YAML content directly instead of
+ * a file path. Useful when YAML is generated programmatically or fetched
+ * from an API.
+ *
+ * @returns Tuple of [parsed bundle dict, bundle hash].
+ * @throws EdictumConfigError on validation failure.
+ */
+declare function loadBundleString(content: string | Uint8Array): [Record<string, unknown>, BundleHash];
+
+/** Edictum — Runtime contract enforcement for AI agent tool calls. */
+declare const VERSION = "0.1.0";
+
+export { type ApprovalBackend, type ApprovalDecision, type ApprovalRequest, ApprovalStatus, AuditAction, type AuditEvent, type AuditSink, BUILTIN_OPERATOR_NAMES, BUILTIN_SELECTOR_PREFIXES, BashClassifier, type BatchCall, type BundleHash, CollectingAuditSink, type CompileOptions, type CompiledBundle, type CompiledState, type ComposedBundle, CompositeSink, type CompositionReport, type ContractResult, type CreateEnvelopeOptions, type CustomOperator, type CustomSelector, DEFAULT_LIMITS, Edictum, EdictumConfigError, EdictumDenied, type EdictumOptions, EdictumToolError, type EvaluateOptions, type EvaluationResult, FileAuditSink, type Finding, type FromYamlOptions, GovernancePipeline, type GuardLike, HookDecision, type HookRegistration, HookResult, type InternalContract, type InternalPostcondition, type InternalPrecondition, type InternalSandboxContract, type InternalSessionContract, LocalApprovalBackend, MAX_BUNDLE_SIZE, MAX_REGEX_INPUT, MarkEvictedError, MemoryBackend, type OperationLimits, PolicyError, type PostCallResult, type PostDecision, type PostDecisionLike, type Postcondition, type PreDecision, type Precondition, type Principal, RedactionPolicy, type ReloadOptions, type RunOptions, Session, type SessionContract, SideEffect, StdoutAuditSink, type StorageBackend, type ToolConfig, type ToolEnvelope, ToolRegistry, VERSION, Verdict, type YamlFactoryOptions, _validateToolName, buildFindings, classifyFinding, compileContracts, composeBundles, computeHash, createAuditEvent, createCompiledState, createContractResult, createEnvelope, createEvaluationResult, createFinding, createPostCallResult, createPostDecision, createPreDecision, createPrincipal, deepFreeze, defaultSuccessCheck, evaluateExpression, expandMessage, fnmatch, fromYaml, fromYamlString, loadBundle, loadBundleString, reload, run, validateOperators };