@getstackrun/sdk 0.4.1 → 0.5.1

package/dist/index.d.ts

@@ -14,6 +14,7 @@ import { ProxyService } from './services/proxy.js';
 import { ScanService } from './services/scan.js';
 import { AuditService } from './services/audit.js';
 import { DetectorConfigService } from './services/detector-config.js';
+import { IntentsService } from './services/intents.js';
 export declare class Stack {
     private readonly client;
     readonly agents: AgentService;
@@ -31,10 +32,14 @@ export declare class Stack {
     readonly scan: ScanService;
     readonly audit: AuditService;
     readonly detectorConfig: DetectorConfigService;
+    /** Phase 2.5a Macro 2 — intent simulate / submit / approve / reject. */
+    readonly intents: IntentsService;
     constructor(options?: ClientOptions);
 }
+export type { IntentInput, SimulationCost, SimulationDiagnostics, SimulateInput, SimulateResult, SubmitInput, SubmitResult, PendingApproval, DecisionResult, DecideInput, SubmitAndWaitResult, } from './services/intents.js';
 export type { ClientOptions } from './client.js';
 export * from './types.js';
 export * from './errors.js';
 export { verifyPassportOffline, type VerifiedPassportClaims, type VerifyOfflineOptions, } from './verify-offline.js';
+export { signClaimEnvelope, type ClaimEnvelope, type SignClaimEnvelopeOptions, } from './sign-claim.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAc,KAAK,aAAa,EAAE,MAAM,aAAa,CAAC;AAC7D,OAAO,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AACpD,OAAO,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAC;AAC1D,OAAO,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAC;AACxD,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAC9D,OAAO,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAC;AACxD,OAAO,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AACpD,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AACzD,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,qBAAqB,EAAE,MAAM,gCAAgC,CAAC;AACvE,OAAO,EAAE,mBAAmB,EAAE,MAAM,6BAA6B,CAAC;AAClE,OAAO,EAAE,oBAAoB,EAAE,MAAM,+BAA+B,CAAC;AACrE,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACnD,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACnD,OAAO,EAAE,qBAAqB,EAAE,MAAM,+BAA+B,CAAC;AAEtE,qBAAa,KAAK;IAChB,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAa;IAEpC,QAAQ,CAAC,MAAM,EAAE,YAAY,CAAC;IAC9B,QAAQ,CAAC,SAAS,EAAE,eAAe,CAAC;IACpC,QAAQ,CAAC,QAAQ,EAAE,cAAc,CAAC;IAClC,QAAQ,CAAC,WAAW,EAAE,iBAAiB,CAAC;IACxC,QAAQ,CAAC,QAAQ,EAAE,cAAc,CAAC;IAClC,QAAQ,CAAC,MAAM,EAAE,YAAY,CAAC;IAC9B,QAAQ,CAAC,QAAQ,EAAE,eAAe,CAAC;IACnC,QAAQ,CAAC,IAAI,EAAE,WAAW,CAAC;IAC3B,QAAQ,CAAC,eAAe,EAAE,qBAAqB,CAAC;IAChD,QAAQ,CAAC,aAAa,EAAE,mBAAmB,CAAC;IAC5C,QAAQ,CAAC,cAAc,EAAE,oBAAoB,CAAC;IAC9C,QAAQ,CAAC,KAAK,EAAE,YAAY,CAAC;IAC7B,QAAQ,CAAC,IAAI,EAAE,WAAW,CAAC;IAC3B,QAAQ,CAAC,KAAK,EAAE,YAAY,CAAC;IAC7B,QAAQ,CAAC,cAAc,EAAE,qBAAqB,CAAC;gBAEnC,OAAO,GAAE,aAAkB;CAkBxC;AAGD,YAAY,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AACjD,cAAc,YAAY,CAAC;AAC3B,cAAc,aAAa,CAAC;AAK5B,OAAO,EACL,qBAAqB,EACrB,KAAK,sBAAsB,EAC3B,KAAK,oBAAoB,GAC1B,MAAM,qBAAqB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAc,KAAK,aAAa,EAAE,MAAM,aAAa,CAAC;AAC7D,OAAO,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AACpD,OAAO,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAC;AAC1D,OAAO,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAC;AACxD,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAC9D,OAAO,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAC;AACxD,OAAO,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AACpD,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AACzD,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,qBAAqB,EAAE,MAAM,gCAAgC,CAAC;AACvE,OAAO,EAAE,mBAAmB,EAAE,MAAM,6BAA6B,CAAC;AAClE,OAAO,EAAE,oBAAoB,EAAE,MAAM,+BAA+B,CAAC;AACrE,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACnD,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACnD,OAAO,EAAE,qBAAqB,EAAE,MAAM,+BAA+B,CAAC;AACtE,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAEvD,qBAAa,KAAK;IAChB,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAa;IAEpC,QAAQ,CAAC,MAAM,EAAE,YAAY,CAAC;IAC9B,QAAQ,CAAC,SAAS,EAAE,eAAe,CAAC;IACpC,QAAQ,CAAC,QAAQ,EAAE,cAAc,CAAC;IAClC,QAAQ,CAAC,WAAW,EAAE,iBAAiB,CAAC;IACxC,QAAQ,CAAC,QAAQ,EAAE,cAAc,CAAC;IAClC,QAAQ,CAAC,MAAM,EAAE,YAAY,CAAC;IAC9B,QAAQ,CAAC,QAAQ,EAAE,eAAe,CAAC;IACnC,QAAQ,CAAC,IAAI,EAAE,WAAW,CAAC;IAC3B,QAAQ,CAAC,eAAe,EAAE,qBAAqB,CAAC;IAChD,QAAQ,CAAC,aAAa,EAAE,mBAAmB,CAAC;IAC5C,QAAQ,CAAC,cAAc,EAAE,oBAAoB,CAAC;IAC9C,QAAQ,CAAC,KAAK,EAAE,YAAY,CAAC;IAC7B,QAAQ,CAAC,IAAI,EAAE,WAAW,CAAC;IAC3B,QAAQ,CAAC,KAAK,EAAE,YAAY,CAAC;IAC7B,QAAQ,CAAC,cAAc,EAAE,qBAAqB,CAAC;IAC/C,wEAAwE;IACxE,QAAQ,CAAC,OAAO,EAAE,cAAc,CAAC;gBAErB,OAAO,GAAE,aAAkB;CAmBxC;AAGD,YAAY,EACV,WAAW,EACX,cAAc,EACd,qBAAqB,EACrB,aAAa,EACb,cAAc,EACd,WAAW,EACX,YAAY,EACZ,eAAe,EACf,cAAc,EACd,WAAW,EACX,mBAAmB,GACpB,MAAM,uBAAuB,CAAC;AAG/B,YAAY,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AACjD,cAAc,YAAY,CAAC;AAC3B,cAAc,aAAa,CAAC;AAK5B,OAAO,EACL,qBAAqB,EACrB,KAAK,sBAAsB,EAC3B,KAAK,oBAAoB,GAC1B,MAAM,qBAAqB,CAAC;AAQ7B,OAAO,EACL,iBAAiB,EACjB,KAAK,aAAa,EAClB,KAAK,wBAAwB,GAC9B,MAAM,iBAAiB,CAAC"}

package/dist/index.js

@@ -14,6 +14,7 @@ import { ProxyService } from './services/proxy.js';
 import { ScanService } from './services/scan.js';
 import { AuditService } from './services/audit.js';
 import { DetectorConfigService } from './services/detector-config.js';
+import { IntentsService } from './services/intents.js';
 export class Stack {
     client;
     agents;
@@ -31,6 +32,8 @@ export class Stack {
     scan;
     audit;
     detectorConfig;
+    /** Phase 2.5a Macro 2 — intent simulate / submit / approve / reject. */
+    intents;
     constructor(options = {}) {
         this.client = new HttpClient(options);
         this.agents = new AgentService(this.client);
@@ -48,6 +51,7 @@ export class Stack {
         this.scan = new ScanService(this.client);
         this.audit = new AuditService(this.client);
         this.detectorConfig = new DetectorConfigService(this.client);
+        this.intents = new IntentsService(this.client);
     }
 }
 export * from './types.js';
@@ -56,4 +60,11 @@ export * from './errors.js';
 // the STACK API. Pair with a cache against /v1/passports/verify if you
 // also need revocation-aware verdicts.
 export { verifyPassportOffline, } from './verify-offline.js';
+// Customer-side claim envelope signing for `customer_managed` agents
+// (Phase 2.5a Sub-chunk 1.11). Produces a COSE_Sign1 byte-identical to
+// what STACK's server-side ClaimSigner produces, so the same verify
+// path on STACK accepts both. Pair with the existing agent-auth.ts
+// enrollment flow: enroll once (POP-gated, stores pubkey), then sign
+// envelopes locally with the persisted privkey.
+export { signClaimEnvelope, } from './sign-claim.js';
 //# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAsB,MAAM,aAAa,CAAC;AAC7D,OAAO,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AACpD,OAAO,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAC;AAC1D,OAAO,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAC;AACxD,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAC9D,OAAO,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAC;AACxD,OAAO,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AACpD,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AACzD,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,qBAAqB,EAAE,MAAM,gCAAgC,CAAC;AACvE,OAAO,EAAE,mBAAmB,EAAE,MAAM,6BAA6B,CAAC;AAClE,OAAO,EAAE,oBAAoB,EAAE,MAAM,+BAA+B,CAAC;AACrE,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACnD,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACnD,OAAO,EAAE,qBAAqB,EAAE,MAAM,+BAA+B,CAAC;AAEtE,MAAM,OAAO,KAAK;IACC,MAAM,CAAa;IAE3B,MAAM,CAAe;IACrB,SAAS,CAAkB;IAC3B,QAAQ,CAAiB;IACzB,WAAW,CAAoB;IAC/B,QAAQ,CAAiB;IACzB,MAAM,CAAe;IACrB,QAAQ,CAAkB;IAC1B,IAAI,CAAc;IAClB,eAAe,CAAwB;IACvC,aAAa,CAAsB;IACnC,cAAc,CAAuB;IACrC,KAAK,CAAe;IACpB,IAAI,CAAc;IAClB,KAAK,CAAe;IACpB,cAAc,CAAwB;IAE/C,YAAY,UAAyB,EAAE;QACrC,IAAI,CAAC,MAAM,GAAG,IAAI,UAAU,CAAC,OAAO,CAAC,CAAC;QACtC,IAAI,CAAC,MAAM,GAAG,IAAI,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC5C,IAAI,CAAC,SAAS,GAAG,IAAI,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAClD,IAAI,CAAC,QAAQ,GAAG,IAAI,cAAc,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAChD,IAAI,CAAC,WAAW,GAAG,IAAI,iBAAiB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACtD,IAAI,CAAC,QAAQ,GAAG,IAAI,cAAc,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAChD,IAAI,CAAC,MAAM,GAAG,IAAI,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC5C,IAAI,CAAC,QAAQ,GAAG,IAAI,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACjD,IAAI,CAAC,IAAI,GAAG,IAAI,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACzC,IAAI,CAAC,eAAe,GAAG,IAAI,qBAAqB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC9D,IAAI,CAAC,aAAa,GAAG,IAAI,mBAAmB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC1D,IAAI,CAAC,cAAc,GAAG,IAAI,oBAAoB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC5D,IAAI,CAAC,KAAK,GAAG,IAAI,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC3C,IAAI,CAAC,IAAI,GAAG,IAAI,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACzC,IAAI,CAAC,KAAK,GAAG,IAAI,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC3C,IAAI,CAAC,cAAc,GAAG,IAAI,qBAAqB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC/D,CAAC;CACF;AAID,cAAc,YAAY,CAAC;AAC3B,cAAc,aAAa,CAAC;AAE5B,wEAAwE;AACxE,uEAAuE;AACvE,uCAAuC;AACvC,OAAO,EACL,qBAAqB,GAGtB,MAAM,qBAAqB,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAsB,MAAM,aAAa,CAAC;AAC7D,OAAO,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AACpD,OAAO,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAC;AAC1D,OAAO,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAC;AACxD,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAC9D,OAAO,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAC;AACxD,OAAO,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AACpD,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AACzD,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,qBAAqB,EAAE,MAAM,gCAAgC,CAAC;AACvE,OAAO,EAAE,mBAAmB,EAAE,MAAM,6BAA6B,CAAC;AAClE,OAAO,EAAE,oBAAoB,EAAE,MAAM,+BAA+B,CAAC;AACrE,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACnD,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACnD,OAAO,EAAE,qBAAqB,EAAE,MAAM,+BAA+B,CAAC;AACtE,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAEvD,MAAM,OAAO,KAAK;IACC,MAAM,CAAa;IAE3B,MAAM,CAAe;IACrB,SAAS,CAAkB;IAC3B,QAAQ,CAAiB;IACzB,WAAW,CAAoB;IAC/B,QAAQ,CAAiB;IACzB,MAAM,CAAe;IACrB,QAAQ,CAAkB;IAC1B,IAAI,CAAc;IAClB,eAAe,CAAwB;IACvC,aAAa,CAAsB;IACnC,cAAc,CAAuB;IACrC,KAAK,CAAe;IACpB,IAAI,CAAc;IAClB,KAAK,CAAe;IACpB,cAAc,CAAwB;IAC/C,wEAAwE;IAC/D,OAAO,CAAiB;IAEjC,YAAY,UAAyB,EAAE;QACrC,IAAI,CAAC,MAAM,GAAG,IAAI,UAAU,CAAC,OAAO,CAAC,CAAC;QACtC,IAAI,CAAC,MAAM,GAAG,IAAI,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC5C,IAAI,CAAC,SAAS,GAAG,IAAI,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAClD,IAAI,CAAC,QAAQ,GAAG,IAAI,cAAc,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAChD,IAAI,CAAC,WAAW,GAAG,IAAI,iBAAiB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACtD,IAAI,CAAC,QAAQ,GAAG,IAAI,cAAc,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAChD,IAAI,CAAC,MAAM,GAAG,IAAI,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC5C,IAAI,CAAC,QAAQ,GAAG,IAAI,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACjD,IAAI,CAAC,IAAI,GAAG,IAAI,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACzC,IAAI,CAAC,eAAe,GAAG,IAAI,qBAAqB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC9D,IAAI,CAAC,aAAa,GAAG,IAAI,mBAAmB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC1D,IAAI,CAAC,cAAc,GAAG,IAAI,oBAAoB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC5D,IAAI,CAAC,KAAK,GAAG,IAAI,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC3C,IAAI,CAAC,IAAI,GAAG,IAAI,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACzC,IAAI,CAAC,KAAK,GAAG,IAAI,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC3C,IAAI,CAAC,cAAc,GAAG,IAAI,qBAAqB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC7D,IAAI,CAAC,OAAO,GAAG,IAAI,cAAc,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACjD,CAAC;CACF;AAmBD,cAAc,YAAY,CAAC;AAC3B,cAAc,aAAa,CAAC;AAE5B,wEAAwE;AACxE,uEAAuE;AACvE,uCAAuC;AACvC,OAAO,EACL,qBAAqB,GAGtB,MAAM,qBAAqB,CAAC;AAE7B,qEAAqE;AACrE,uEAAuE;AACvE,oEAAoE;AACpE,mEAAmE;AACnE,qEAAqE;AACrE,gDAAgD;AAChD,OAAO,EACL,iBAAiB,GAGlB,MAAM,iBAAiB,CAAC"}

package/dist/services/intents.d.ts

@@ -0,0 +1,176 @@
+import type { HttpClient } from '../client.js';
+/** Subset of the IntentClaim payload — kept loose so SDK consumers
+ *  can ship through whatever they've assembled without us shipping
+ *  the entire Zod schema as a peer dependency. */
+export interface IntentInput {
+    type: 'intent_claim';
+    intent_type: 'http_call' | 'mcp_tool' | 'skill_invocation' | 'onchain_tx' | 'task_complete';
+    agent_id: string;
+    named_intent: string;
+    target: string;
+    action: string;
+    parameters: Record<string, unknown>;
+    estimated_cost: {
+        wallet_cents: number | null;
+        tokens: number | null;
+        gas_gwei: number | null;
+    };
+    accountability: 'enforced' | 'logged' | 'standard';
+    reason: string | null;
+    requires: string[];
+    user_subject: string | null;
+    mission_ref: string | null;
+    submitted_at: number;
+}
+export interface SimulationCost {
+    wallet_cents: number | null;
+    tokens: number | null;
+    gas_gwei: number | null;
+}
+export interface SimulationDiagnostics {
+    failed_constraint?: {
+        path: string;
+        op: string;
+    };
+    scope_missing_service?: string;
+    accountability_passport?: 'enforced' | 'logged' | 'standard';
+    accountability_intent?: 'enforced' | 'logged' | 'standard';
+    tier_limit?: {
+        meter: string;
+        cap: number | null;
+        used: number;
+        wallet_balance_cents: number;
+        overage_price_cents: number;
+    };
+}
+export interface SimulateInput {
+    intent: IntentInput;
+    intent_claim_ref?: string;
+    persist?: boolean;
+}
+export interface SimulateResult {
+    allowed: boolean;
+    denial_reasons: string[];
+    simulated_cost: SimulationCost;
+    predicted_detector_fires: Array<{
+        detector_key: string;
+        severity: string;
+    }>;
+    simulated_at: number;
+    claim_id?: string;
+    diagnostics: SimulationDiagnostics;
+}
+export interface SubmitInput {
+    intent: IntentInput;
+    expires_in_seconds?: number;
+    skip_simulation?: boolean;
+}
+export interface SubmitResult {
+    approval_id: string;
+    intent_claim_id: string;
+    simulated_claim_id?: string;
+    status: 'pending';
+    expires_at: string;
+    simulation?: SimulateResult;
+}
+export interface PendingApproval {
+    id: string;
+    operator_id: string;
+    agent_id: string;
+    passport_jti: string;
+    intent_claim_id: string;
+    simulated_claim_id: string | null;
+    status: 'pending' | 'approved' | 'rejected' | 'expired';
+    requested_at: string;
+    expires_at: string;
+    decided_at: string | null;
+    decided_by_member_id: string | null;
+    notes: string | null;
+    block_future: boolean;
+}
+export interface DecisionResult {
+    approval_id: string;
+    status: 'approved' | 'rejected';
+    decided_at: string;
+}
+export interface DecideInput {
+    notes?: string;
+    block_future?: boolean;
+}
+/**
+ * Result of `submitAndWait` — either the row reached a terminal status
+ * within the deadline (`status` is one of approved / rejected /
+ * expired) or polling timed out (`timed_out: true`).
+ */
+export type SubmitAndWaitResult = {
+    timed_out: false;
+    row: PendingApproval;
+    initial: SubmitResult;
+} | {
+    timed_out: true;
+    row: PendingApproval;
+    initial: SubmitResult;
+};
+export declare class IntentsService {
+    private client;
+    constructor(client: HttpClient);
+    /**
+     * Dry-run an Intent against a passport WITHOUT registering an
+     * approval. Sub-chunk 2.1 surface.
+     */
+    simulate(input: SimulateInput, options: {
+        passportToken: string;
+    }): Promise<SimulateResult>;
+    /**
+     * Submit an Intent for pre-execution operator approval. Registers
+     * the intent_claim, runs simulation (unless `skip_simulation=true`),
+     * persists a pending intent_approvals row, and notifies the operator
+     * via their configured channels. Returns the approval id; callers
+     * poll `/v1/intents/:id` (via `listPending` + custom filter, or via
+     * `submitAndWait`) until status leaves 'pending'.
+     */
+    submit(input: SubmitInput, options: {
+        passportToken: string;
+    }): Promise<SubmitResult>;
+    /**
+     * Convenience: submit + poll. Polls the operator's pending list at
+     * `intervalMs` until either the approval reaches a terminal status
+     * or `timeoutMs` elapses. The poll uses listPending which is
+     * operator-scope — the SDK caller must be authenticated as the
+     * operator (or a member with role=admin) for this to work end-to-end.
+     *
+     * Practical use: in batch / CI scripts where the agent and operator
+     * are the same identity. For agent-runtime mode where the operator
+     * approves async via dashboard, callers should subscribe to
+     * notifications or poll `listPending` themselves.
+     */
+    submitAndWait(input: SubmitInput, options: {
+        passportToken: string;
+        timeoutMs?: number;
+        intervalMs?: number;
+    }): Promise<SubmitAndWaitResult>;
+    /**
+     * Fetch a single approval row by id, regardless of status. Returns
+     * the full row when the calling operator owns it; 404s when the row
+     * doesn't exist OR belongs to a different operator (existence is
+     * hidden cross-tenant). Used by `submitAndWait` to distinguish
+     * approved from rejected reliably.
+     */
+    get(approvalId: string): Promise<PendingApproval>;
+    /** List pending approvals scoped to the calling operator. */
+    listPending(opts?: {
+        page?: number;
+        limit?: number;
+    }): Promise<{
+        items: PendingApproval[];
+        total: number;
+    }>;
+    /** Transition a pending approval → approved. */
+    approve(approvalId: string, input?: DecideInput): Promise<DecisionResult>;
+    /**
+     * Transition a pending approval → rejected. Auto-revokes the
+     * passport; `block_future=true` additionally suspends the agent.
+     */
+    reject(approvalId: string, input?: DecideInput): Promise<DecisionResult>;
+}
+//# sourceMappingURL=intents.d.ts.map

package/dist/services/intents.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"intents.d.ts","sourceRoot":"","sources":["../../src/services/intents.ts"],"names":[],"mappings":"AAcA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAI/C;;kDAEkD;AAClD,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,cAAc,CAAC;IACrB,WAAW,EAAE,WAAW,GAAG,UAAU,GAAG,kBAAkB,GAAG,YAAY,GAAG,eAAe,CAAC;IAC5F,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC;IACrB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACpC,cAAc,EAAE;QAAE,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;QAAC,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;QAAC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAA;KAAE,CAAC;IAChG,cAAc,EAAE,UAAU,GAAG,QAAQ,GAAG,UAAU,CAAC;IACnD,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,YAAY,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,cAAc;IAC7B,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;CACzB;AAED,MAAM,WAAW,qBAAqB;IACpC,iBAAiB,CAAC,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,EAAE,EAAE,MAAM,CAAA;KAAE,CAAC;IACjD,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,uBAAuB,CAAC,EAAE,UAAU,GAAG,QAAQ,GAAG,UAAU,CAAC;IAC7D,qBAAqB,CAAC,EAAE,UAAU,GAAG,QAAQ,GAAG,UAAU,CAAC;IAC3D,UAAU,CAAC,EAAE;QACX,KAAK,EAAE,MAAM,CAAC;QACd,GAAG,EAAE,MAAM,GAAG,IAAI,CAAC;QACnB,IAAI,EAAE,MAAM,CAAC;QACb,oBAAoB,EAAE,MAAM,CAAC;QAC7B,mBAAmB,EAAE,MAAM,CAAC;KAC7B,CAAC;CACH;AAID,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,WAAW,CAAC;IACpB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,OAAO,CAAC;IACjB,cAAc,EAAE,MAAM,EAAE,CAAC;IACzB,cAAc,EAAE,cAAc,CAAC;IAC/B,wBAAwB,EAAE,KAAK,CAAC;QAAE,YAAY,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAC5E,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,qBAAqB,CAAC;CACpC;AAID,MAAM,WAAW,WAAW;IAC1B,MAAM,EAAE,WAAW,CAAC;IACpB,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,eAAe,CAAC,EAAE,OAAO,CAAC;CAC3B;AAED,MAAM,WAAW,YAAY;IAC3B,WAAW,EAAE,MAAM,CAAC;IACpB,eAAe,EAAE,MAAM,CAAC;IACxB,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,MAAM,EAAE,SAAS,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,cAAc,CAAC;CAC7B;AAED,MAAM,WAAW,eAAe;IAC9B,EAAE,EAAE,MAAM,CAAC;IACX,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC;IACrB,eAAe,EAAE,MAAM,CAAC;IACxB,kBAAkB,EAAE,MAAM,GAAG,IAAI,CAAC;IAClC,MAAM,EAAE,SAAS,GAAG,UAAU,GAAG,UAAU,GAAG,SAAS,CAAC;IACxD,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,oBAAoB,EAAE,MAAM,GAAG,IAAI,CAAC;IACpC,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,YAAY,EAAE,OAAO,CAAC;CACvB;AAED,MAAM,WAAW,cAAc;IAC7B,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,UAAU,GAAG,UAAU,CAAC;IAChC,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,WAAW;IAC1B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,YAAY,CAAC,EAAE,OAAO,CAAC;CACxB;AAED;;;;GAIG;AACH,MAAM,MAAM,mBAAmB,GAC3B;IAAE,SAAS,EAAE,KAAK,CAAC;IAAC,GAAG,EAAE,eAAe,CAAC;IAAC,OAAO,EAAE,YAAY,CAAA;CAAE,GACjE;IAAE,SAAS,EAAE,IAAI,CAAC;IAAC,GAAG,EAAE,eAAe,CAAC;IAAC,OAAO,EAAE,YAAY,CAAA;CAAE,CAAC;AAErE,qBAAa,cAAc;IACb,OAAO,CAAC,MAAM;gBAAN,MAAM,EAAE,UAAU;IAEtC;;;OAGG;IACG,QAAQ,CAAC,KAAK,EAAE,aAAa,EAAE,OAAO,EAAE;QAAE,aAAa,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,cAAc,CAAC;IAMjG;;;;;;;OAOG;IACG,MAAM,CAAC,KAAK,EAAE,WAAW,EAAE,OAAO,EAAE;QAAE,aAAa,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,YAAY,CAAC;IAM3F;;;;;;;;;;;OAWG;IACG,aAAa,CACjB,KAAK,EAAE,WAAW,EAClB,OAAO,EAAE;QAAE,aAAa,EAAE,MAAM,CAAC;QAAC,SAAS,CAAC,EAAE,MAAM,CAAC;QAAC,UAAU,CAAC,EAAE,MAAM,CAAA;KAAE,GAC1E,OAAO,CAAC,mBAAmB,CAAC;IAyB/B;;;;;;OAMG;IACG,GAAG,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,CAAC;IAIvD,6DAA6D;IACvD,WAAW,CAAC,IAAI,CAAC,EAAE;QAAE,IAAI,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC;QAAE,KAAK,EAAE,eAAe,EAAE,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC;IAOjH,gDAAgD;IAC1C,OAAO,CAAC,UAAU,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC,cAAc,CAAC;IAI/E;;;OAGG;IACG,MAAM,CAAC,UAAU,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC,cAAc,CAAC;CAG/E"}

package/dist/services/intents.js

@@ -0,0 +1,111 @@
+// Phase 2.5a Macro 2 Sub-chunk 2.2 — IntentsService TS SDK wrapper.
+//
+// Three groupings:
+//   1. simulate()    Sub-chunk 2.1 dry-run dispatcher.
+//   2. submit()      Sub-chunk 2.2 pre-execution gate. Registers the
+//                    intent_claim, runs simulation, persists a pending
+//                    intent_approvals row, returns an approval id.
+//      submitAndWait() Polls /v1/intents/:id until status leaves
+//                      'pending' or the deadline passes.
+//   3. listPending() / approve() / reject() — operator-side surface.
+//
+// Every shape stays a plain interface mirroring the wire JSON so
+// consumers can compose without TypeScript reaching for our internals.
+export class IntentsService {
+    client;
+    constructor(client) {
+        this.client = client;
+    }
+    /**
+     * Dry-run an Intent against a passport WITHOUT registering an
+     * approval. Sub-chunk 2.1 surface.
+     */
+    async simulate(input, options) {
+        return this.client.post('/v1/intents/simulate', input, {
+            headers: { 'X-Passport-Token': options.passportToken },
+        });
+    }
+    /**
+     * Submit an Intent for pre-execution operator approval. Registers
+     * the intent_claim, runs simulation (unless `skip_simulation=true`),
+     * persists a pending intent_approvals row, and notifies the operator
+     * via their configured channels. Returns the approval id; callers
+     * poll `/v1/intents/:id` (via `listPending` + custom filter, or via
+     * `submitAndWait`) until status leaves 'pending'.
+     */
+    async submit(input, options) {
+        return this.client.post('/v1/intents/submit', input, {
+            headers: { 'X-Passport-Token': options.passportToken },
+        });
+    }
+    /**
+     * Convenience: submit + poll. Polls the operator's pending list at
+     * `intervalMs` until either the approval reaches a terminal status
+     * or `timeoutMs` elapses. The poll uses listPending which is
+     * operator-scope — the SDK caller must be authenticated as the
+     * operator (or a member with role=admin) for this to work end-to-end.
+     *
+     * Practical use: in batch / CI scripts where the agent and operator
+     * are the same identity. For agent-runtime mode where the operator
+     * approves async via dashboard, callers should subscribe to
+     * notifications or poll `listPending` themselves.
+     */
+    async submitAndWait(input, options) {
+        const initial = await this.submit(input, options);
+        const timeoutMs = options.timeoutMs ?? 60_000;
+        const intervalMs = options.intervalMs ?? 1_000;
+        const deadline = Date.now() + timeoutMs;
+        let last = null;
+        // Poll the per-id endpoint so we can read the actual terminal
+        // status (approved | rejected | expired) — listPending alone can't
+        // distinguish "no longer pending" from "approved", which made the
+        // 0.5.0 implementation silently treat rejections as approvals.
+        while (Date.now() < deadline) {
+            const row = await this.get(initial.approval_id);
+            last = row;
+            if (row.status !== 'pending') {
+                return { timed_out: false, row, initial };
+            }
+            await sleep(intervalMs);
+        }
+        return {
+            timed_out: true,
+            row: last ?? { id: initial.approval_id, status: 'pending' },
+            initial,
+        };
+    }
+    /**
+     * Fetch a single approval row by id, regardless of status. Returns
+     * the full row when the calling operator owns it; 404s when the row
+     * doesn't exist OR belongs to a different operator (existence is
+     * hidden cross-tenant). Used by `submitAndWait` to distinguish
+     * approved from rejected reliably.
+     */
+    async get(approvalId) {
+        return this.client.get(`/v1/intents/${encodeURIComponent(approvalId)}`);
+    }
+    /** List pending approvals scoped to the calling operator. */
+    async listPending(opts) {
+        const query = {};
+        if (opts?.page !== undefined)
+            query['page'] = String(opts.page);
+        if (opts?.limit !== undefined)
+            query['limit'] = String(opts.limit);
+        return this.client.get('/v1/intents/pending', query);
+    }
+    /** Transition a pending approval → approved. */
+    async approve(approvalId, input) {
+        return this.client.post(`/v1/intents/${encodeURIComponent(approvalId)}/approve`, input ?? {});
+    }
+    /**
+     * Transition a pending approval → rejected. Auto-revokes the
+     * passport; `block_future=true` additionally suspends the agent.
+     */
+    async reject(approvalId, input) {
+        return this.client.post(`/v1/intents/${encodeURIComponent(approvalId)}/reject`, input ?? {});
+    }
+}
+function sleep(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+}
+//# sourceMappingURL=intents.js.map

package/dist/services/intents.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"intents.js","sourceRoot":"","sources":["../../src/services/intents.ts"],"names":[],"mappings":"AAAA,oEAAoE;AACpE,EAAE;AACF,mBAAmB;AACnB,uDAAuD;AACvD,qEAAqE;AACrE,uEAAuE;AACvE,mEAAmE;AACnE,iEAAiE;AACjE,yDAAyD;AACzD,qEAAqE;AACrE,EAAE;AACF,iEAAiE;AACjE,uEAAuE;AAqHvE,MAAM,OAAO,cAAc;IACL;IAApB,YAAoB,MAAkB;QAAlB,WAAM,GAAN,MAAM,CAAY;IAAG,CAAC;IAE1C;;;OAGG;IACH,KAAK,CAAC,QAAQ,CAAC,KAAoB,EAAE,OAAkC;QACrE,OAAO,IAAI,CAAC,MAAM,CAAC,IAAI,CAAiB,sBAAsB,EAAE,KAAK,EAAE;YACrE,OAAO,EAAE,EAAE,kBAAkB,EAAE,OAAO,CAAC,aAAa,EAAE;SACvD,CAAC,CAAC;IACL,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,MAAM,CAAC,KAAkB,EAAE,OAAkC;QACjE,OAAO,IAAI,CAAC,MAAM,CAAC,IAAI,CAAe,oBAAoB,EAAE,KAAK,EAAE;YACjE,OAAO,EAAE,EAAE,kBAAkB,EAAE,OAAO,CAAC,aAAa,EAAE;SACvD,CAAC,CAAC;IACL,CAAC;IAED;;;;;;;;;;;OAWG;IACH,KAAK,CAAC,aAAa,CACjB,KAAkB,EAClB,OAA2E;QAE3E,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;QAClD,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,MAAM,CAAC;QAC9C,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,KAAK,CAAC;QAC/C,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;QACxC,IAAI,IAAI,GAA2B,IAAI,CAAC;QACxC,8DAA8D;QAC9D,mEAAmE;QACnE,kEAAkE;QAClE,+DAA+D;QAC/D,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ,EAAE,CAAC;YAC7B,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;YAChD,IAAI,GAAG,GAAG,CAAC;YACX,IAAI,GAAG,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;gBAC7B,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC;YAC5C,CAAC;YACD,MAAM,KAAK,CAAC,UAAU,CAAC,CAAC;QAC1B,CAAC;QACD,OAAO;YACL,SAAS,EAAE,IAAI;YACf,GAAG,EAAE,IAAI,IAAK,EAAE,EAAE,EAAE,OAAO,CAAC,WAAW,EAAE,MAAM,EAAE,SAAS,EAAsB;YAChF,OAAO;SACR,CAAC;IACJ,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,GAAG,CAAC,UAAkB;QAC1B,OAAO,IAAI,CAAC,MAAM,CAAC,GAAG,CAAkB,eAAe,kBAAkB,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC;IAC3F,CAAC;IAED,6DAA6D;IAC7D,KAAK,CAAC,WAAW,CAAC,IAAwC;QACxD,MAAM,KAAK,GAAuC,EAAE,CAAC;QACrD,IAAI,IAAI,EAAE,IAAI,KAAK,SAAS;YAAE,KAAK,CAAC,MAAM,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAChE,IAAI,IAAI,EAAE,KAAK,KAAK,SAAS;YAAE,KAAK,CAAC,OAAO,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACnE,OAAO,IAAI,CAAC,MAAM,CAAC,GAAG,CAA8C,qBAAqB,EAAE,KAAK,CAAC,CAAC;IACpG,CAAC;IAED,gDAAgD;IAChD,KAAK,CAAC,OAAO,CAAC,UAAkB,EAAE,KAAmB;QACnD,OAAO,IAAI,CAAC,MAAM,CAAC,IAAI,CAAiB,eAAe,kBAAkB,CAAC,UAAU,CAAC,UAAU,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC;IAChH,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,MAAM,CAAC,UAAkB,EAAE,KAAmB;QAClD,OAAO,IAAI,CAAC,MAAM,CAAC,IAAI,CAAiB,eAAe,kBAAkB,CAAC,UAAU,CAAC,SAAS,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC;IAC/G,CAAC;CACF;AAED,SAAS,KAAK,CAAC,EAAU;IACvB,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC;AAC3D,CAAC"}

package/dist/sign-claim.d.ts

@@ -0,0 +1,64 @@
+import type { JWK } from 'jose';
+/**
+ * Shape of the STACK claim envelope. Mirrors the server-side
+ * `ClaimEnvelope` Zod schema (see `@stack/shared` schemas/passport-
+ * claims/envelope.ts) at the field level. Re-declared here so the SDK
+ * does not have to import the shared package's full schema graph for
+ * one type.
+ *
+ * `claim_type` discriminates the payload shape. The signer treats the
+ * envelope as opaque CBOR-encodable JSON — it does NOT validate the
+ * payload against the per-claim-type Zod schema. The customer is
+ * responsible for producing a well-formed envelope; STACK validates
+ * shape on the receive side.
+ */
+export interface ClaimEnvelope {
+    envelope_version: 1;
+    issuer: string;
+    subject: string;
+    issued_at: number;
+    claim_type: string;
+    claim_version: number;
+    payload: unknown;
+    receipt: unknown | null;
+    co_signatures: unknown[];
+    [extra: string]: unknown;
+}
+export interface SignClaimEnvelopeOptions {
+    /**
+     * The agent's local private key, in JWK form. For customers using the
+     * SDK's built-in enrollment, the keypair is persisted at
+     * `~/.stack/agents/<agent_id>.json` by `agent-auth.ts`; pass
+     * `storedKey.privateKey` into this option. For customers managing
+     * their own key material, pass the JWK directly.
+     */
+    privateKey: JWK;
+    /**
+     * The agent id this signature speaks for. The COSE protected header's
+     * `kid` is set to `agent:<id>:v1`. STACK's verifyPreSigned path uses
+     * the kid to look up the enrolled pubkey; a mismatch fails
+     * verification.
+     */
+    agentId: string;
+    /**
+     * Defaults to 'EdDSA'. ML-DSA-65 is reserved but not yet implemented
+     * (waiting on the JOSE/COSE post-quantum draft).
+     */
+    alg?: 'EdDSA' | 'ML-DSA-65';
+}
+/**
+ * Sign a STACK claim envelope locally and produce a base64url-encoded
+ * COSE_Sign1 message. The output is the wire-format string the customer
+ * submits to STACK in the body of the eventual `POST /v1/claims`
+ * endpoint (lands with the producer migrations in Sub-chunks 1.16-1.20).
+ *
+ * The function is synchronous-friendly (no awaits beyond what cbor-x
+ * needs). Throws on unsupported algorithm or malformed JWK.
+ *
+ * Wire-format compatibility: byte-identical output to
+ * `@stack/vault`'s `ClaimSigner.sign` over the same envelope + kid +
+ * key material. Verified by the vault-side test
+ * `AgentSigner.verifyPreSigned` consuming the SDK's output unmodified.
+ */
+export declare function signClaimEnvelope(envelope: ClaimEnvelope, opts: SignClaimEnvelopeOptions): string;
+//# sourceMappingURL=sign-claim.d.ts.map

package/dist/sign-claim.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sign-claim.d.ts","sourceRoot":"","sources":["../src/sign-claim.ts"],"names":[],"mappings":"AA2BA,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,MAAM,CAAC;AAsBhC;;;;;;;;;;;;GAYG;AACH,MAAM,WAAW,aAAa;IAC5B,gBAAgB,EAAE,CAAC,CAAC;IACpB,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,aAAa,EAAE,MAAM,CAAC;IACtB,OAAO,EAAE,OAAO,CAAC;IACjB,OAAO,EAAE,OAAO,GAAG,IAAI,CAAC;IACxB,aAAa,EAAE,OAAO,EAAE,CAAC;IACzB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC;CAC1B;AAED,MAAM,WAAW,wBAAwB;IACvC;;;;;;OAMG;IACH,UAAU,EAAE,GAAG,CAAC;IAChB;;;;;OAKG;IACH,OAAO,EAAE,MAAM,CAAC;IAChB;;;OAGG;IACH,GAAG,CAAC,EAAE,OAAO,GAAG,WAAW,CAAC;CAC7B;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAgB,iBAAiB,CAC/B,QAAQ,EAAE,aAAa,EACvB,IAAI,EAAE,wBAAwB,GAC7B,MAAM,CAiDR"}

package/dist/sign-claim.js

@@ -0,0 +1,97 @@
+/**
+ * Customer-side COSE_Sign1 signer for `customer_managed` agents.
+ *
+ * Phase 2.5a Macro 1 Sub-chunk 1.11 of the Signed Primitive epic.
+ *
+ * `customer_managed` mode (ADR Design Decision 10) keeps the agent's
+ * private key on customer infrastructure. STACK only stores the pubkey
+ * (registered via the proof-of-possession dance at `POST /v1/agents/:id
+ * /enroll`). When the customer's agent produces a STACK claim envelope
+ * (intent_claim, intent_outcome, detector_signal, intent_denial,
+ * intent_simulation), the envelope is signed locally with this helper
+ * and submitted pre-signed.
+ *
+ * The wire format is byte-identical to what `@stack/vault`'s
+ * `ClaimSigner.sign` produces server-side, so the same `ClaimSigner
+ * .verify` path on STACK accepts both. We do NOT depend on
+ * `@stack/vault` here — that's a server package, not published, and
+ * we don't want a transitive `@aws-sdk/client-kms` blob landing in
+ * customer apps. The encoding logic is small (~50 lines) and trivially
+ * duplicated.
+ *
+ * Defaults to EdDSA / Ed25519. Algorithm is pluggable from day one so
+ * the same call site picks up ML-DSA-65 when the JOSE/COSE post-quantum
+ * draft hits RFC.
+ */
+import { encode as cborEncode } from 'cbor-x';
+import { createPrivateKey, sign as cryptoSign } from 'node:crypto';
+// ─── COSE constants per RFC 9052 / 9053 ─────────────────────────────
+/** Algorithm identifier for EdDSA (Ed25519) — RFC 9053 §2.2. */
+const COSE_ALG_EDDSA = -8;
+/** Protected header label for `alg` — RFC 9052 §3.1. */
+const COSE_HEADER_ALG = 1;
+/** Protected header label for `kid`. */
+const COSE_HEADER_KID = 4;
+/** Protected header label for `typ` (content type). */
+const COSE_HEADER_TYP = 16;
+/** Stable media-type label for a STACK claim envelope. */
+const STACK_CLAIM_TYP = 'stack/claim+cose';
+/** Sig_structure1 context string — RFC 9052 §4.4. */
+const SIG_STRUCTURE_CONTEXT = 'Signature1';
+/**
+ * Sign a STACK claim envelope locally and produce a base64url-encoded
+ * COSE_Sign1 message. The output is the wire-format string the customer
+ * submits to STACK in the body of the eventual `POST /v1/claims`
+ * endpoint (lands with the producer migrations in Sub-chunks 1.16-1.20).
+ *
+ * The function is synchronous-friendly (no awaits beyond what cbor-x
+ * needs). Throws on unsupported algorithm or malformed JWK.
+ *
+ * Wire-format compatibility: byte-identical output to
+ * `@stack/vault`'s `ClaimSigner.sign` over the same envelope + kid +
+ * key material. Verified by the vault-side test
+ * `AgentSigner.verifyPreSigned` consuming the SDK's output unmodified.
+ */
+export function signClaimEnvelope(envelope, opts) {
+    const alg = opts.alg ?? 'EdDSA';
+    if (alg !== 'EdDSA') {
+        throw new Error(`signClaimEnvelope: algorithm '${alg}' is reserved but not yet ` +
+            `implemented. Only 'EdDSA' is supported in v1. ML-DSA-65 ships ` +
+            `when the JOSE/COSE post-quantum draft (draft-ietf-cose-dilithium) ` +
+            `lands at RFC.`);
+    }
+    const kid = `agent:${opts.agentId}:v1`;
+    const privateKey = createPrivateKey({
+        key: opts.privateKey,
+        format: 'jwk',
+    });
+    // Payload bytes — CBOR-encoded envelope. Deterministic given the
+    // input (cbor-x stable iteration order for plain objects).
+    const payloadBytes = cborEncode(envelope);
+    // Protected header — kid + alg + typ. Order is fixed for byte-
+    // identical output across SDK + vault.
+    const protectedHeader = new Map([
+        [COSE_HEADER_ALG, COSE_ALG_EDDSA],
+        [COSE_HEADER_KID, Buffer.from(kid, 'utf8')],
+        [COSE_HEADER_TYP, STACK_CLAIM_TYP],
+    ]);
+    const protectedBytes = cborEncode(protectedHeader);
+    // Sig_structure1 per RFC 9052 §4.4. The signer signs this whole
+    // structure, not the envelope or payload alone. external_aad is
+    // empty (we don't use AAD on STACK claims).
+    const sigStructure = [
+        SIG_STRUCTURE_CONTEXT,
+        protectedBytes,
+        Buffer.alloc(0),
+        payloadBytes,
+    ];
+    const sigStructureBytes = cborEncode(sigStructure);
+    // Ed25519: pass null as digest — algorithm has its own internal
+    // hashing per RFC 8032.
+    const signature = cryptoSign(null, sigStructureBytes, privateKey);
+    // COSE_Sign1 = [protected, unprotected, payload, signature]
+    const coseSign1 = [protectedBytes, new Map(), payloadBytes, signature];
+    const coseBytes = cborEncode(coseSign1);
+    return Buffer.from(coseBytes).toString('base64url');
+}
+//# sourceMappingURL=sign-claim.js.map

package/dist/sign-claim.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sign-claim.js","sourceRoot":"","sources":["../src/sign-claim.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,OAAO,EAAE,MAAM,IAAI,UAAU,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAE,gBAAgB,EAAE,IAAI,IAAI,UAAU,EAAmB,MAAM,aAAa,CAAC;AAGpF,uEAAuE;AAEvE,gEAAgE;AAChE,MAAM,cAAc,GAAG,CAAC,CAAC,CAAC;AAE1B,wDAAwD;AACxD,MAAM,eAAe,GAAG,CAAC,CAAC;AAC1B,wCAAwC;AACxC,MAAM,eAAe,GAAG,CAAC,CAAC;AAC1B,uDAAuD;AACvD,MAAM,eAAe,GAAG,EAAE,CAAC;AAE3B,0DAA0D;AAC1D,MAAM,eAAe,GAAG,kBAAkB,CAAC;AAE3C,qDAAqD;AACrD,MAAM,qBAAqB,GAAG,YAAY,CAAC;AAqD3C;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,iBAAiB,CAC/B,QAAuB,EACvB,IAA8B;IAE9B,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,IAAI,OAAO,CAAC;IAChC,IAAI,GAAG,KAAK,OAAO,EAAE,CAAC;QACpB,MAAM,IAAI,KAAK,CACb,iCAAiC,GAAG,4BAA4B;YAC9D,gEAAgE;YAChE,oEAAoE;YACpE,eAAe,CAClB,CAAC;IACJ,CAAC;IAED,MAAM,GAAG,GAAG,SAAS,IAAI,CAAC,OAAO,KAAK,CAAC;IACvC,MAAM,UAAU,GAAG,gBAAgB,CAAC;QAClC,GAAG,EAAE,IAAI,CAAC,UAAwB;QAClC,MAAM,EAAE,KAAK;KACd,CAAC,CAAC;IAEH,iEAAiE;IACjE,2DAA2D;IAC3D,MAAM,YAAY,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC;IAE1C,+DAA+D;IAC/D,uCAAuC;IACvC,MAAM,eAAe,GAAG,IAAI,GAAG,CAAkB;QAC/C,CAAC,eAAe,EAAE,cAAc,CAAC;QACjC,CAAC,eAAe,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;QAC3C,CAAC,eAAe,EAAE,eAAe,CAAC;KACnC,CAAC,CAAC;IACH,MAAM,cAAc,GAAG,UAAU,CAAC,eAAe,CAAC,CAAC;IAEnD,gEAAgE;IAChE,gEAAgE;IAChE,4CAA4C;IAC5C,MAAM,YAAY,GAAG;QACnB,qBAAqB;QACrB,cAAc;QACd,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;QACf,YAAY;KACb,CAAC;IACF,MAAM,iBAAiB,GAAG,UAAU,CAAC,YAAY,CAAC,CAAC;IAEnD,gEAAgE;IAChE,wBAAwB;IACxB,MAAM,SAAS,GAAG,UAAU,CAAC,IAAI,EAAE,iBAAiB,EAAE,UAAU,CAAC,CAAC;IAElE,4DAA4D;IAC5D,MAAM,SAAS,GAAG,CAAC,cAAc,EAAE,IAAI,GAAG,EAAE,EAAE,YAAY,EAAE,SAAS,CAAC,CAAC;IACvE,MAAM,SAAS,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC;IACxC,OAAO,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AACtD,CAAC"}

package/dist/sign-claim.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=sign-claim.test.d.ts.map

package/dist/sign-claim.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sign-claim.test.d.ts","sourceRoot":"","sources":["../src/sign-claim.test.ts"],"names":[],"mappings":""}

package/dist/sign-claim.test.js

@@ -0,0 +1,164 @@
+import { describe, it, expect } from 'vitest';
+import { generateKeyPair, exportJWK } from 'jose';
+import { encode as cborEncode, decode as cborDecode } from 'cbor-x';
+import { createPublicKey, verify as cryptoVerify } from 'node:crypto';
+import { signClaimEnvelope } from './sign-claim.js';
+/**
+ * The SDK's signClaimEnvelope produces a COSE_Sign1 wire format that
+ * @stack/vault's ClaimSigner.verify accepts unmodified (Sub-chunk
+ * 1.11 wire-compat guarantee). We can't import vault here (it's a
+ * server-side package), so this test inlines the verification logic
+ * using the same primitives (cbor-x + node:crypto). The vault-side
+ * test `agent-signer.test.ts > verifyPreSigned` covers the same
+ * round-trip in the opposite direction — together they pin the wire
+ * format on both sides.
+ */
+// COSE constants — must match sign-claim.ts.
+const COSE_ALG_EDDSA = -8;
+const COSE_HEADER_ALG = 1;
+const COSE_HEADER_KID = 4;
+const COSE_HEADER_TYP = 16;
+const STACK_CLAIM_TYP = 'stack/claim+cose';
+async function newEd25519KeyPair() {
+    const { privateKey, publicKey } = await generateKeyPair('EdDSA', {
+        crv: 'Ed25519',
+        extractable: true,
+    });
+    return {
+        privateJwk: await exportJWK(privateKey),
+        publicJwk: await exportJWK(publicKey),
+    };
+}
+function makeEnvelope() {
+    return {
+        envelope_version: 1,
+        issuer: 'op_cust',
+        subject: 'stack://operator/op_cust/passport/ppt_abc',
+        issued_at: 1778600000000,
+        claim_type: 'intent_claim',
+        claim_version: 1,
+        payload: { intent_type: 'http_call', target: 'https://api.example.com' },
+        receipt: null,
+        co_signatures: [],
+    };
+}
+/**
+ * Inline COSE_Sign1 verify — mirrors what @stack/vault's
+ * ClaimSigner.verify does, with the kid pinned to the agent's kid.
+ * Returns { valid, kid, envelope } or { valid: false, error }.
+ */
+function verifyCose(base64Cose, pubkey) {
+    try {
+        const coseBytes = Buffer.from(base64Cose, 'base64url');
+        const cose = cborDecode(coseBytes);
+        if (!Array.isArray(cose) || cose.length !== 4) {
+            return { valid: false, error: 'not a 4-element COSE_Sign1 array' };
+        }
+        const [protectedBytes, , payloadBytes, signatureBytes] = cose;
+        const protectedMap = cborDecode(protectedBytes);
+        if (!(protectedMap instanceof Map)) {
+            return { valid: false, error: 'protected header is not a CBOR map' };
+        }
+        const alg = protectedMap.get(COSE_HEADER_ALG);
+        if (alg !== COSE_ALG_EDDSA) {
+            return { valid: false, error: `unsupported alg ${alg}` };
+        }
+        const typ = protectedMap.get(COSE_HEADER_TYP);
+        if (typ !== STACK_CLAIM_TYP) {
+            return { valid: false, error: `unexpected typ ${typ}` };
+        }
+        const kidRaw = protectedMap.get(COSE_HEADER_KID);
+        const kid = kidRaw instanceof Uint8Array
+            ? Buffer.from(kidRaw).toString('utf8')
+            : typeof kidRaw === 'string'
+                ? kidRaw
+                : null;
+        if (!kid)
+            return { valid: false, error: 'kid missing' };
+        const publicKey = createPublicKey({
+            key: pubkey,
+            format: 'jwk',
+        });
+        const sigStructure = [
+            'Signature1',
+            protectedBytes,
+            Buffer.alloc(0),
+            payloadBytes,
+        ];
+        const sigStructureBytes = cborEncode(sigStructure);
+        const valid = cryptoVerify(null, sigStructureBytes, publicKey, signatureBytes);
+        if (!valid)
+            return { valid: false, kid, error: 'signature verification failed' };
+        const envelope = cborDecode(payloadBytes);
+        return { valid: true, kid, envelope };
+    }
+    catch (err) {
+        return { valid: false, error: err.message };
+    }
+}
+describe('signClaimEnvelope (customer-managed claim signing)', () => {
+    it('produces a COSE_Sign1 that round-trips under the customer pubkey', async () => {
+        const { privateJwk, publicJwk } = await newEd25519KeyPair();
+        const envelope = makeEnvelope();
+        const cose = signClaimEnvelope(envelope, {
+            privateKey: privateJwk,
+            agentId: 'ag_cust',
+        });
+        expect(cose).toMatch(/^[A-Za-z0-9_-]+$/);
+        const result = verifyCose(cose, publicJwk);
+        expect(result.valid).toBe(true);
+        expect(result.kid).toBe('agent:ag_cust:v1');
+        expect(result.envelope?.claim_type).toBe('intent_claim');
+        expect(result.envelope?.payload?.intent_type).toBe('http_call');
+    });
+    it('signs every standard claim_type variant', async () => {
+        const { privateJwk, publicJwk } = await newEd25519KeyPair();
+        const claimTypes = [
+            'intent_claim',
+            'intent_outcome',
+            'detector_signal',
+            'intent_denial',
+            'intent_simulation',
+        ];
+        for (const claim_type of claimTypes) {
+            const cose = signClaimEnvelope({ ...makeEnvelope(), claim_type }, { privateKey: privateJwk, agentId: 'ag_cust' });
+            const result = verifyCose(cose, publicJwk);
+            expect(result.valid, `claim_type=${claim_type}`).toBe(true);
+            expect(result.envelope?.claim_type).toBe(claim_type);
+        }
+    });
+    it('does not verify under a different keypair', async () => {
+        const { privateJwk } = await newEd25519KeyPair();
+        const { publicJwk: otherPubkey } = await newEd25519KeyPair();
+        const cose = signClaimEnvelope(makeEnvelope(), {
+            privateKey: privateJwk,
+            agentId: 'ag_cust',
+        });
+        const result = verifyCose(cose, otherPubkey);
+        expect(result.valid).toBe(false);
+        expect(result.error).toBe('signature verification failed');
+    });
+    it('throws on unsupported algorithm', async () => {
+        const { privateJwk } = await newEd25519KeyPair();
+        expect(() => signClaimEnvelope(makeEnvelope(), {
+            privateKey: privateJwk,
+            agentId: 'ag_cust',
+            alg: 'ML-DSA-65',
+        })).toThrow(/reserved but not yet implemented/);
+    });
+    it("embeds kid 'agent:<id>:v1' in the protected header", async () => {
+        const { privateJwk } = await newEd25519KeyPair();
+        const cose = signClaimEnvelope(makeEnvelope(), {
+            privateKey: privateJwk,
+            agentId: 'ag_xyz_2',
+        });
+        // Decode just to inspect the kid — verification uses pubkey above.
+        const buf = Buffer.from(cose, 'base64url');
+        const cosePieces = cborDecode(buf);
+        const headerMap = cborDecode(cosePieces[0]);
+        const kidRaw = headerMap.get(COSE_HEADER_KID);
+        const kid = kidRaw instanceof Uint8Array ? Buffer.from(kidRaw).toString('utf8') : kidRaw;
+        expect(kid).toBe('agent:ag_xyz_2:v1');
+    });
+});
+//# sourceMappingURL=sign-claim.test.js.map

package/dist/sign-claim.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sign-claim.test.js","sourceRoot":"","sources":["../src/sign-claim.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAE,eAAe,EAAE,SAAS,EAAY,MAAM,MAAM,CAAC;AAC5D,OAAO,EAAE,MAAM,IAAI,UAAU,EAAE,MAAM,IAAI,UAAU,EAAE,MAAM,QAAQ,CAAC;AACpE,OAAO,EAAE,eAAe,EAAE,MAAM,IAAI,YAAY,EAAmB,MAAM,aAAa,CAAC;AACvF,OAAO,EAAE,iBAAiB,EAAsB,MAAM,iBAAiB,CAAC;AAExE;;;;;;;;;GASG;AAEH,6CAA6C;AAC7C,MAAM,cAAc,GAAG,CAAC,CAAC,CAAC;AAC1B,MAAM,eAAe,GAAG,CAAC,CAAC;AAC1B,MAAM,eAAe,GAAG,CAAC,CAAC;AAC1B,MAAM,eAAe,GAAG,EAAE,CAAC;AAC3B,MAAM,eAAe,GAAG,kBAAkB,CAAC;AAE3C,KAAK,UAAU,iBAAiB;IAC9B,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,GAAG,MAAM,eAAe,CAAC,OAAO,EAAE;QAC/D,GAAG,EAAE,SAAS;QACd,WAAW,EAAE,IAAI;KAClB,CAAC,CAAC;IACH,OAAO;QACL,UAAU,EAAE,MAAM,SAAS,CAAC,UAAU,CAAC;QACvC,SAAS,EAAE,MAAM,SAAS,CAAC,SAAS,CAAC;KACtC,CAAC;AACJ,CAAC;AAED,SAAS,YAAY;IACnB,OAAO;QACL,gBAAgB,EAAE,CAAC;QACnB,MAAM,EAAE,SAAS;QACjB,OAAO,EAAE,2CAA2C;QACpD,SAAS,EAAE,aAAa;QACxB,UAAU,EAAE,cAAc;QAC1B,aAAa,EAAE,CAAC;QAChB,OAAO,EAAE,EAAE,WAAW,EAAE,WAAW,EAAE,MAAM,EAAE,yBAAyB,EAAE;QACxE,OAAO,EAAE,IAAI;QACb,aAAa,EAAE,EAAE;KAClB,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,SAAS,UAAU,CAAC,UAAkB,EAAE,MAAW;IAMjD,IAAI,CAAC;QACH,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC;QACvD,MAAM,IAAI,GAAG,UAAU,CAAC,SAAS,CAAc,CAAC;QAChD,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC9C,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,kCAAkC,EAAE,CAAC;QACrE,CAAC;QACD,MAAM,CAAC,cAAc,EAAE,AAAD,EAAG,YAAY,EAAE,cAAc,CAAC,GAAG,IAKxD,CAAC;QACF,MAAM,YAAY,GAAG,UAAU,CAAC,cAAc,CAAyB,CAAC;QACxE,IAAI,CAAC,CAAC,YAAY,YAAY,GAAG,CAAC,EAAE,CAAC;YACnC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,oCAAoC,EAAE,CAAC;QACvE,CAAC;QACD,MAAM,GAAG,GAAG,YAAY,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;QAC9C,IAAI,GAAG,KAAK,cAAc,EAAE,CAAC;YAC3B,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,mBAAmB,GAAa,EAAE,EAAE,CAAC;QACrE,CAAC;QACD,MAAM,GAAG,GAAG,YAAY,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;QAC9C,IAAI,GAAG,KAAK,eAAe,EAAE,CAAC;YAC5B,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,kBAAkB,GAAa,EAAE,EAAE,CAAC;QACpE,CAAC;QACD,MAAM,MAAM,GAAG,YAAY,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;QACjD,MAAM,GAAG,GACP,MAAM,YAAY,UAAU;YAC1B,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC;YACtC,CAAC,CAAC,OAAO,MAAM,KAAK,QAAQ;gBAC1B,CAAC,CAAC,MAAM;gBACR,CAAC,CAAC,IAAI,CAAC;QACb,IAAI,CAAC,GAAG;YAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,aAAa,EAAE,CAAC;QAExD,MAAM,SAAS,GAAG,eAAe,CAAC;YAChC,GAAG,EAAE,MAAoB;YACzB,MAAM,EAAE,KAAK;SACd,CAAC,CAAC;QACH,MAAM,YAAY,GAAG;YACnB,YAAY;YACZ,cAAc;YACd,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;YACf,YAAY;SACb,CAAC;QACF,MAAM,iBAAiB,GAAG,UAAU,CAAC,YAAY,CAAC,CAAC;QACnD,MAAM,KAAK,GAAG,YAAY,CAAC,IAAI,EAAE,iBAAiB,EAAE,SAAS,EAAE,cAAc,CAAC,CAAC;QAC/E,IAAI,CAAC,KAAK;YAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,EAAE,KAAK,EAAE,+BAA+B,EAAE,CAAC;QAEjF,MAAM,QAAQ,GAAG,UAAU,CAAC,YAAY,CAAkB,CAAC;QAC3D,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,GAAG,EAAE,QAAQ,EAAE,CAAC;IACxC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAG,GAAa,CAAC,OAAO,EAAE,CAAC;IACzD,CAAC;AACH,CAAC;AAED,QAAQ,CAAC,oDAAoD,EAAE,GAAG,EAAE;IAClE,EAAE,CAAC,kEAAkE,EAAE,KAAK,IAAI,EAAE;QAChF,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,GAAG,MAAM,iBAAiB,EAAE,CAAC;QAC5D,MAAM,QAAQ,GAAG,YAAY,EAAE,CAAC;QAEhC,MAAM,IAAI,GAAG,iBAAiB,CAAC,QAAQ,EAAE;YACvC,UAAU,EAAE,UAAU;YACtB,OAAO,EAAE,SAAS;SACnB,CAAC,CAAC;QAEH,MAAM,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,kBAAkB,CAAC,CAAC;QAEzC,MAAM,MAAM,GAAG,UAAU,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC;QAC3C,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAChC,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;QAC5C,MAAM,CAAC,MAAM,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;QACzD,MAAM,CAAE,MAAM,CAAC,QAAQ,EAAE,OAAmC,EAAE,WAAW,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IAC/F,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yCAAyC,EAAE,KAAK,IAAI,EAAE;QACvD,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,GAAG,MAAM,iBAAiB,EAAE,CAAC;QAC5D,MAAM,UAAU,GAAG;YACjB,cAAc;YACd,gBAAgB;YAChB,iBAAiB;YACjB,eAAe;YACf,mBAAmB;SACpB,CAAC;QAEF,KAAK,MAAM,UAAU,IAAI,UAAU,EAAE,CAAC;YACpC,MAAM,IAAI,GAAG,iBAAiB,CAC5B,EAAE,GAAG,YAAY,EAAE,EAAE,UAAU,EAAE,EACjC,EAAE,UAAU,EAAE,UAAU,EAAE,OAAO,EAAE,SAAS,EAAE,CAC/C,CAAC;YACF,MAAM,MAAM,GAAG,UAAU,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC;YAC3C,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE,cAAc,UAAU,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC5D,MAAM,CAAC,MAAM,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACvD,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2CAA2C,EAAE,KAAK,IAAI,EAAE;QACzD,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,iBAAiB,EAAE,CAAC;QACjD,MAAM,EAAE,SAAS,EAAE,WAAW,EAAE,GAAG,MAAM,iBAAiB,EAAE,CAAC;QAE7D,MAAM,IAAI,GAAG,iBAAiB,CAAC,YAAY,EAAE,EAAE;YAC7C,UAAU,EAAE,UAAU;YACtB,OAAO,EAAE,SAAS;SACnB,CAAC,CAAC;QAEH,MAAM,MAAM,GAAG,UAAU,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC;QAC7C,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACjC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,+BAA+B,CAAC,CAAC;IAC7D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iCAAiC,EAAE,KAAK,IAAI,EAAE;QAC/C,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,iBAAiB,EAAE,CAAC;QACjD,MAAM,CAAC,GAAG,EAAE,CACV,iBAAiB,CAAC,YAAY,EAAE,EAAE;YAChC,UAAU,EAAE,UAAU;YACtB,OAAO,EAAE,SAAS;YAClB,GAAG,EAAE,WAAW;SACjB,CAAC,CACH,CAAC,OAAO,CAAC,kCAAkC,CAAC,CAAC;IAChD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oDAAoD,EAAE,KAAK,IAAI,EAAE;QAClE,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,iBAAiB,EAAE,CAAC;QACjD,MAAM,IAAI,GAAG,iBAAiB,CAAC,YAAY,EAAE,EAAE;YAC7C,UAAU,EAAE,UAAU;YACtB,OAAO,EAAE,UAAU;SACpB,CAAC,CAAC;QAEH,mEAAmE;QACnE,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC;QAC3C,MAAM,UAAU,GAAG,UAAU,CAAC,GAAG,CAAiB,CAAC;QACnD,MAAM,SAAS,GAAG,UAAU,CAAC,UAAU,CAAC,CAAC,CAAE,CAAyB,CAAC;QACrE,MAAM,MAAM,GAAG,SAAS,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;QAC9C,MAAM,GAAG,GAAG,MAAM,YAAY,UAAU,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;QACzF,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;IACxC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@getstackrun/sdk",
-  "version": "0.4.1",
+  "version": "0.5.1",
   "description": "Official JavaScript/TypeScript SDK for STACK - the runtime control plane for AI agents",
   "type": "module",
   "exports": {
@@ -19,6 +19,7 @@
   "scripts": {
     "build": "tsc",
     "dev": "tsc --watch",
+    "test": "vitest run",
     "typecheck": "tsc --noEmit",
     "clean": "node -e \"const fs=require('fs');fs.rmSync('dist',{recursive:true,force:true});fs.rmSync('.turbo',{recursive:true,force:true})\"",
     "prepublishOnly": "npm run clean && npm run build"
@@ -55,9 +56,11 @@
     "access": "public"
   },
   "dependencies": {
+    "cbor-x": "^1.6.4",
     "jose": "^6.2.2"
   },
   "devDependencies": {
-    "typescript": "^5.8.0"
+    "typescript": "^5.8.0",
+    "vitest": "^3.1.0"
   }
 }