@globiguard/sdk 1.0.0 → 1.0.1

package/LICENSE

@@ -0,0 +1,128 @@
+Apache License
+Version 2.0, January 2004
+http://www.apache.org/licenses/
+
+TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+1. Definitions.
+
+"License" shall mean the terms and conditions for use, reproduction, and
+distribution as defined by Sections 1 through 9 of this document.
+
+"Licensor" shall mean the copyright owner or entity authorized by the copyright
+owner that is granting the License.
+
+"Legal Entity" shall mean the union of the acting entity and all other entities
+that control, are controlled by, or are under common control with that entity.
+For the purposes of this definition, "control" means (i) the power, direct or
+indirect, to cause the direction or management of such entity, whether by
+contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the
+outstanding shares, or (iii) beneficial ownership of such entity.
+
+"You" (or "Your") shall mean an individual or Legal Entity exercising
+permissions granted by this License.
+
+"Source" form shall mean the preferred form for making modifications, including
+but not limited to software source code, documentation source, and
+configuration files.
+
+"Object" form shall mean any form resulting from mechanical transformation or
+translation of a Source form, including but not limited to compiled object
+code, generated documentation, and conversions to other media types.
+
+"Work" shall mean the work of authorship, whether in Source or Object form,
+made available under the License, as indicated by a copyright notice that is
+included in or attached to the work.
+
+"Derivative Works" shall mean any work, whether in Source or Object form, that
+is based on (or derived from) the Work and for which the editorial revisions,
+annotations, elaborations, or other modifications represent, as a whole, an
+original work of authorship. For the purposes of this License, Derivative Works
+shall not include works that remain separable from, or merely link (or bind by
+name) to the interfaces of, the Work and Derivative Works thereof.
+
+"Contribution" shall mean any work of authorship, including the original
+version of the Work and any modifications or additions to that Work or
+Derivative Works thereof, that is intentionally submitted to Licensor for
+inclusion in the Work by the copyright owner or by an individual or Legal
+Entity authorized to submit on behalf of the copyright owner.
+
+"Contributor" shall mean Licensor and any individual or Legal Entity on behalf
+of whom a Contribution has been received by Licensor and subsequently
+incorporated within the Work.
+
+2. Grant of Copyright License.
+
+Subject to the terms and conditions of this License, each Contributor hereby
+grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free,
+irrevocable copyright license to reproduce, prepare Derivative Works of,
+publicly display, publicly perform, sublicense, and distribute the Work and
+such Derivative Works in Source or Object form.
+
+3. Grant of Patent License.
+
+Subject to the terms and conditions of this License, each Contributor hereby
+grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free,
+irrevocable patent license to make, have made, use, offer to sell, sell,
+import, and otherwise transfer the Work.
+
+4. Redistribution.
+
+You may reproduce and distribute copies of the Work or Derivative Works thereof
+in any medium, with or without modifications, and in Source or Object form,
+provided that You meet the following conditions:
+
+(a) You must give any other recipients of the Work or Derivative Works a copy
+of this License; and
+
+(b) You must cause any modified files to carry prominent notices stating that
+You changed the files; and
+
+(c) You must retain, in the Source form of any Derivative Works that You
+distribute, all copyright, patent, trademark, and attribution notices from the
+Source form of the Work, excluding those notices that do not pertain to any
+part of the Derivative Works; and
+
+(d) If the Work includes a "NOTICE" text file as part of its distribution, then
+any Derivative Works that You distribute must include a readable copy of the
+attribution notices contained within such NOTICE file, excluding those notices
+that do not pertain to any part of the Derivative Works, in at least one of the
+following places: within a NOTICE text file distributed as part of the
+Derivative Works; within the Source form or documentation, if provided along
+with the Derivative Works; or within a display generated by the Derivative
+Works, if and wherever such third-party notices normally appear.
+
+5. Submission of Contributions.
+
+Unless You explicitly state otherwise, any Contribution intentionally submitted
+for inclusion in the Work by You to the Licensor shall be under the terms and
+conditions of this License, without any additional terms or conditions.
+
+6. Trademarks.
+
+This License does not grant permission to use the trade names, trademarks,
+service marks, or product names of the Licensor, except as required for
+reasonable and customary use in describing the origin of the Work.
+
+7. Disclaimer of Warranty.
+
+Unless required by applicable law or agreed to in writing, Licensor provides
+the Work on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+either express or implied, including, without limitation, any warranties or
+conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+PARTICULAR PURPOSE.
+
+8. Limitation of Liability.
+
+In no event and under no legal theory, whether in tort (including negligence),
+contract, or otherwise, unless required by applicable law, shall any
+Contributor be liable to You for damages, including any direct, indirect,
+special, incidental, or consequential damages of any character arising as a
+result of this License or out of the use or inability to use the Work.
+
+9. Accepting Warranty or Additional Liability.
+
+While redistributing the Work or Derivative Works thereof, You may choose to
+offer, and charge a fee for, acceptance of support, warranty, indemnity, or
+other liability obligations and/or rights consistent with this License.
+

package/README.md

@@ -0,0 +1,80 @@
+# @globiguard/sdk
+
+Server-first TypeScript SDK for the GlobiGuard control plane and trusted brain
+connectivity.
+
+## Runtime expectations
+
+- Node.js **22+** for server usage
+- standards-based `fetch`, `Headers`, `FormData`, and `Blob` support
+- browser usage is supported only through the browser-safe client surface
+
+## Trust-boundary rule
+
+`createBrowserClient()` stops at the control plane.
+
+Direct brain access is reserved for `createServerClient()` in trusted runtimes
+using secret or local credentials.
+
+## Surface split
+
+- Browser-safe control-plane access: action authorization status, approval status,
+  evidence references/summaries, incident replay metadata, install
+  registration/heartbeat plus audit, policy, queue, workflow reads, and optional
+  realtime subscriptions when an explicit websocket bearer/API-key handshake is
+  provided
+- Trusted server management: governed action authorization, approval creation,
+  approval wait/polling, queue approvals, workflow management/runs, policy
+  management, org management, API-key administration, audit evidence exports,
+  incident replay lookup, and trust webhook verification through
+  `@globiguard/sdk/server`
+- Realtime subscriptions use the control-plane websocket gateway and are
+  intentionally configured separately from REST publishable/secret credentials
+  because the websocket handshake trusts bearer/API-key auth, not the browser
+  publishable-key header model
+- Audit evidence exports return a typed evidence-package artifact with requested
+  scope, control mappings, provenance references, review history, and summary
+  metadata aligned to the live control-plane export shape
+
+## Governed action quickstart
+
+Authorize actions only from a trusted runtime:
+
+```ts
+const decision = await serverClient.governedActions.authorizeAction({
+  context: {
+    actionType: "email.send",
+    destination: { type: "email", name: "customer-email" },
+    dataClasses: ["PII"],
+    payloadSummary: { topLevelKeys: ["recipient", "body"] },
+    idempotencyKey: "claim-123:email-status"
+  }
+});
+
+if (decision.decision === "ALLOW" || decision.decision === "MODIFY") {
+  // perform the real email send on the server
+}
+```
+
+Use a stable persisted idempotency key. A fresh random key per retry can
+duplicate queued/resumed business actions.
+
+Use `actionGateway: { mode: "sidecar" }` with `services.sidecar`, or `mode: "gateway"` with `services.gateway`, to route authorization through a local sidecar or governed gateway. Browser clients expose only `client.actions.getAuthorization()`, `getApproval()`, evidence reads, and incident replay metadata.
+
+## Webhook verification
+
+```ts
+import { verifyTrustWebhook } from "@globiguard/sdk/server";
+
+const verification = await verifyTrustWebhook({
+  headers,
+  rawBody,
+  signingSecret,
+  seenDelivery: async (deliveryId) => alreadyProcessed(deliveryId)
+});
+```
+
+The verifier checks signature, timestamp, event type, delivery ID, replay window,
+and optional duplicate delivery state. It fails fast in browser runtimes.
+
+Compatibility: these action contracts are beta (`2026-04-action-beta`) and intended for GlobiGuard control-plane/action gateway APIs that implement the same contract version.

package/dist/bootstrap.d.ts

@@ -0,0 +1,5 @@
+import type { GlobiguardBootstrapProfile, GlobiguardBuildInstallHeartbeatInput, GlobiguardBuildInstallRegistrationInput, GlobiguardInstallHeartbeatRequest, GlobiguardInstallRegistrationRequest, GlobiguardResolvedBootstrapProfile } from "@globiguard/contracts";
+export declare function resolveBootstrapProfile(profile: GlobiguardBootstrapProfile): GlobiguardResolvedBootstrapProfile;
+export declare function buildInstallRegistrationRequest(profile: GlobiguardBootstrapProfile, input: GlobiguardBuildInstallRegistrationInput): GlobiguardInstallRegistrationRequest;
+export declare function buildInstallHeartbeatRequest(profile: GlobiguardBootstrapProfile, input: GlobiguardBuildInstallHeartbeatInput): GlobiguardInstallHeartbeatRequest;
+//# sourceMappingURL=bootstrap.d.ts.map

package/dist/bootstrap.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"bootstrap.d.ts","sourceRoot":"","sources":["../src/bootstrap.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,0BAA0B,EAC1B,oCAAoC,EACpC,uCAAuC,EACvC,iCAAiC,EACjC,oCAAoC,EACpC,kCAAkC,EACnC,MAAM,uBAAuB,CAAC;AAU/B,wBAAgB,uBAAuB,CACrC,OAAO,EAAE,0BAA0B,GAClC,kCAAkC,CAqDpC;AAcD,wBAAgB,+BAA+B,CAC7C,OAAO,EAAE,0BAA0B,EACnC,KAAK,EAAE,uCAAuC,GAC7C,oCAAoC,CAiBtC;AAED,wBAAgB,4BAA4B,CAC1C,OAAO,EAAE,0BAA0B,EACnC,KAAK,EAAE,oCAAoC,GAC1C,iCAAiC,CAenC"}

package/dist/bootstrap.js

@@ -0,0 +1,67 @@
+import { GLOBIGUARD_DEPLOYMENT_MODES, GLOBIGUARD_ENVIRONMENTS, GLOBIGUARD_INSTALL_ISSUER_MODES, GLOBIGUARD_INSTALL_REPORTING_MODES } from "@globiguard/contracts";
+import { GlobiguardConfigError } from "./errors.js";
+export function resolveBootstrapProfile(profile) {
+    assertAllowedValue(profile.environment, GLOBIGUARD_ENVIRONMENTS, "environment");
+    assertAllowedValue(profile.deploymentMode, GLOBIGUARD_DEPLOYMENT_MODES, "deploymentMode");
+    assertAllowedValue(profile.issuerMode, GLOBIGUARD_INSTALL_ISSUER_MODES, "issuerMode");
+    assertAllowedValue(profile.installReporting, GLOBIGUARD_INSTALL_REPORTING_MODES, "installReporting");
+    if (profile.deploymentMode === "hosted" &&
+        profile.issuerMode !== "globiguard_issued") {
+        throw new GlobiguardConfigError("Hosted deployments must use globiguard-issued bootstrap credentials.");
+    }
+    if (profile.deploymentMode !== "hosted" &&
+        profile.issuerMode !== "customer_issued") {
+        throw new GlobiguardConfigError("Self-hosted and sovereign deployments must use customer-issued bootstrap credentials.");
+    }
+    if (profile.deploymentMode !== "hosted" &&
+        profile.installReporting === "default") {
+        throw new GlobiguardConfigError("Self-hosted and sovereign deployments must set installReporting to opt_in or disabled explicitly.");
+    }
+    return {
+        ...profile,
+        installRegistrationAllowed: profile.installReporting !== "disabled"
+    };
+}
+function assertAllowedValue(value, allowedValues, fieldName) {
+    if (!allowedValues.includes(value)) {
+        throw new GlobiguardConfigError(`${fieldName} must be one of: ${allowedValues.join(", ")}.`);
+    }
+}
+export function buildInstallRegistrationRequest(profile, input) {
+    const resolved = resolveBootstrapProfile(profile);
+    assertInstallRegistrationAllowed(resolved);
+    return {
+        packageName: input.packageName,
+        packageVersion: input.packageVersion,
+        integrationKind: input.integrationKind,
+        runtimeKind: input.runtimeKind,
+        environment: resolved.environment,
+        deploymentMode: resolved.deploymentMode,
+        issuerMode: resolved.issuerMode,
+        installReporting: resolved.installReporting,
+        installLabel: resolved.installLabel,
+        installFingerprint: resolved.installFingerprint,
+        metadata: input.metadata
+    };
+}
+export function buildInstallHeartbeatRequest(profile, input) {
+    const resolved = resolveBootstrapProfile(profile);
+    assertInstallRegistrationAllowed(resolved);
+    return {
+        packageVersion: input.packageVersion,
+        runtimeKind: input.runtimeKind,
+        environment: resolved.environment,
+        deploymentMode: resolved.deploymentMode,
+        issuerMode: resolved.issuerMode,
+        installReporting: resolved.installReporting,
+        installLabel: resolved.installLabel,
+        installFingerprint: resolved.installFingerprint,
+        metadata: input.metadata
+    };
+}
+function assertInstallRegistrationAllowed(profile) {
+    if (!profile.installRegistrationAllowed) {
+        throw new GlobiguardConfigError("Install registration and heartbeat are disabled for this bootstrap profile.");
+    }
+}
+//# sourceMappingURL=bootstrap.js.map

package/dist/bootstrap.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"bootstrap.js","sourceRoot":"","sources":["../src/bootstrap.ts"],"names":[],"mappings":"AAQA,OAAO,EACL,2BAA2B,EAC3B,uBAAuB,EACvB,+BAA+B,EAC/B,kCAAkC,EACnC,MAAM,uBAAuB,CAAC;AAE/B,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAEpD,MAAM,UAAU,uBAAuB,CACrC,OAAmC;IAEnC,kBAAkB,CAChB,OAAO,CAAC,WAAW,EACnB,uBAAuB,EACvB,aAAa,CACd,CAAC;IACF,kBAAkB,CAChB,OAAO,CAAC,cAAc,EACtB,2BAA2B,EAC3B,gBAAgB,CACjB,CAAC;IACF,kBAAkB,CAChB,OAAO,CAAC,UAAU,EAClB,+BAA+B,EAC/B,YAAY,CACb,CAAC;IACF,kBAAkB,CAChB,OAAO,CAAC,gBAAgB,EACxB,kCAAkC,EAClC,kBAAkB,CACnB,CAAC;IAEF,IACE,OAAO,CAAC,cAAc,KAAK,QAAQ;QACnC,OAAO,CAAC,UAAU,KAAK,mBAAmB,EAC1C,CAAC;QACD,MAAM,IAAI,qBAAqB,CAC7B,sEAAsE,CACvE,CAAC;IACJ,CAAC;IAED,IACE,OAAO,CAAC,cAAc,KAAK,QAAQ;QACnC,OAAO,CAAC,UAAU,KAAK,iBAAiB,EACxC,CAAC;QACD,MAAM,IAAI,qBAAqB,CAC7B,uFAAuF,CACxF,CAAC;IACJ,CAAC;IAED,IACE,OAAO,CAAC,cAAc,KAAK,QAAQ;QACnC,OAAO,CAAC,gBAAgB,KAAK,SAAS,EACtC,CAAC;QACD,MAAM,IAAI,qBAAqB,CAC7B,mGAAmG,CACpG,CAAC;IACJ,CAAC;IAED,OAAO;QACL,GAAG,OAAO;QACV,0BAA0B,EAAE,OAAO,CAAC,gBAAgB,KAAK,UAAU;KACpE,CAAC;AACJ,CAAC;AAED,SAAS,kBAAkB,CACzB,KAAa,EACb,aAAuB,EACvB,SAAiB;IAEjB,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,KAAyB,CAAC,EAAE,CAAC;QACvD,MAAM,IAAI,qBAAqB,CAC7B,GAAG,SAAS,oBAAoB,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAC5D,CAAC;IACJ,CAAC;AACH,CAAC;AAED,MAAM,UAAU,+BAA+B,CAC7C,OAAmC,EACnC,KAA8C;IAE9C,MAAM,QAAQ,GAAG,uBAAuB,CAAC,OAAO,CAAC,CAAC;IAClD,gCAAgC,CAAC,QAAQ,CAAC,CAAC;IAE3C,OAAO;QACL,WAAW,EAAE,KAAK,CAAC,WAAW;QAC9B,cAAc,EAAE,KAAK,CAAC,cAAc;QACpC,eAAe,EAAE,KAAK,CAAC,eAAe;QACtC,WAAW,EAAE,KAAK,CAAC,WAAW;QAC9B,WAAW,EAAE,QAAQ,CAAC,WAAW;QACjC,cAAc,EAAE,QAAQ,CAAC,cAAc;QACvC,UAAU,EAAE,QAAQ,CAAC,UAAU;QAC/B,gBAAgB,EAAE,QAAQ,CAAC,gBAAgB;QAC3C,YAAY,EAAE,QAAQ,CAAC,YAAY;QACnC,kBAAkB,EAAE,QAAQ,CAAC,kBAAkB;QAC/C,QAAQ,EAAE,KAAK,CAAC,QAAQ;KACzB,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,4BAA4B,CAC1C,OAAmC,EACnC,KAA2C;IAE3C,MAAM,QAAQ,GAAG,uBAAuB,CAAC,OAAO,CAAC,CAAC;IAClD,gCAAgC,CAAC,QAAQ,CAAC,CAAC;IAE3C,OAAO;QACL,cAAc,EAAE,KAAK,CAAC,cAAc;QACpC,WAAW,EAAE,KAAK,CAAC,WAAW;QAC9B,WAAW,EAAE,QAAQ,CAAC,WAAW;QACjC,cAAc,EAAE,QAAQ,CAAC,cAAc;QACvC,UAAU,EAAE,QAAQ,CAAC,UAAU;QAC/B,gBAAgB,EAAE,QAAQ,CAAC,gBAAgB;QAC3C,YAAY,EAAE,QAAQ,CAAC,YAAY;QACnC,kBAAkB,EAAE,QAAQ,CAAC,kBAAkB;QAC/C,QAAQ,EAAE,KAAK,CAAC,QAAQ;KACzB,CAAC;AACJ,CAAC;AAED,SAAS,gCAAgC,CACvC,OAA2C;IAE3C,IAAI,CAAC,OAAO,CAAC,0BAA0B,EAAE,CAAC;QACxC,MAAM,IAAI,qBAAqB,CAC7B,6EAA6E,CAC9E,CAAC;IACJ,CAAC;AACH,CAAC"}

package/dist/client.d.ts

@@ -0,0 +1,61 @@
+import type { GlobiguardActionGatewayConfig, GlobiguardActionsClient, GlobiguardActionsReadClient, GlobiguardAuditClient, GlobiguardAuditReadClient, GlobiguardEnvironment, GlobiguardInstallsClient, GlobiguardLocalCredential, GlobiguardOrgsClient, GlobiguardPoliciesClient, GlobiguardPoliciesReadClient, GlobiguardPublishableCredential, GlobiguardQueueClient, GlobiguardQueueReadClient, GlobiguardRealtimeClient, GlobiguardResolvedActionGatewayConfig, GlobiguardSecretCredential, GlobiguardServiceTargets, GlobiguardWorkflowsReadClient, GlobiguardWorkflowsClient } from "@globiguard/contracts";
+import { type GlobiguardGovernedActionsClient } from "./governed-actions.js";
+import { type GlobiguardRequestOptions } from "./fetch.js";
+import { type GlobiguardSdkRealtimeConfig } from "./realtime.js";
+export interface GlobiguardClientBaseConfig {
+    environment: GlobiguardEnvironment;
+    services: GlobiguardServiceTargets;
+    clientName?: string;
+    fetch?: typeof fetch;
+}
+export interface GlobiguardServerClientConfig extends GlobiguardClientBaseConfig {
+    credential: GlobiguardSecretCredential | GlobiguardLocalCredential;
+    actionGateway?: GlobiguardActionGatewayConfig;
+    realtime?: GlobiguardSdkRealtimeConfig;
+}
+export interface GlobiguardBrowserClientConfig extends Omit<GlobiguardClientBaseConfig, "services"> {
+    credential: GlobiguardPublishableCredential | GlobiguardLocalCredential;
+    services: Pick<GlobiguardServiceTargets, "controlPlane">;
+    realtime?: GlobiguardSdkRealtimeConfig;
+}
+export interface GlobiguardTransport {
+    request<TResponse>(path: string, options?: GlobiguardRequestOptions): Promise<TResponse>;
+}
+export interface GlobiguardReadTransport {
+    request<TResponse>(path: string, options?: Omit<GlobiguardRequestOptions, "body"> & {
+        method?: "GET";
+        body?: never;
+    }): Promise<TResponse>;
+}
+export interface GlobiguardServerClient {
+    kind: "server";
+    environment: GlobiguardEnvironment;
+    actionGateway: GlobiguardResolvedActionGatewayConfig;
+    controlPlane: GlobiguardTransport;
+    brain?: GlobiguardTransport;
+    gateway?: GlobiguardTransport;
+    sidecar?: GlobiguardTransport;
+    actions: GlobiguardActionsClient;
+    audit: GlobiguardAuditClient;
+    installs: GlobiguardInstallsClient;
+    orgs: GlobiguardOrgsClient;
+    policies: GlobiguardPoliciesClient;
+    queue: GlobiguardQueueClient;
+    realtime?: GlobiguardRealtimeClient;
+    workflows: GlobiguardWorkflowsClient;
+    governedActions: GlobiguardGovernedActionsClient;
+}
+export interface GlobiguardBrowserClient {
+    kind: "browser";
+    environment: GlobiguardEnvironment;
+    actions: GlobiguardActionsReadClient;
+    audit: GlobiguardAuditReadClient;
+    installs: GlobiguardInstallsClient;
+    policies: GlobiguardPoliciesReadClient;
+    queue: GlobiguardQueueReadClient;
+    realtime?: GlobiguardRealtimeClient;
+    workflows: GlobiguardWorkflowsReadClient;
+}
+export declare function createServerClient(config: GlobiguardServerClientConfig): GlobiguardServerClient;
+export declare function createBrowserClient(config: GlobiguardBrowserClientConfig): GlobiguardBrowserClient;
+//# sourceMappingURL=client.d.ts.map

package/dist/client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,6BAA6B,EAC7B,uBAAuB,EACvB,2BAA2B,EAC3B,qBAAqB,EACrB,yBAAyB,EACzB,qBAAqB,EACrB,wBAAwB,EACxB,yBAAyB,EACzB,oBAAoB,EACpB,wBAAwB,EACxB,4BAA4B,EAC5B,+BAA+B,EAC/B,qBAAqB,EACrB,yBAAyB,EACzB,wBAAwB,EACxB,qCAAqC,EACrC,0BAA0B,EAC1B,wBAAwB,EACxB,6BAA6B,EAC7B,yBAAyB,EAC1B,MAAM,uBAAuB,CAAC;AAG/B,OAAO,EAEL,KAAK,+BAA+B,EACrC,MAAM,uBAAuB,CAAC;AAE/B,OAAO,EAAe,KAAK,wBAAwB,EAAE,MAAM,YAAY,CAAC;AACxE,OAAO,EAAwB,KAAK,2BAA2B,EAAE,MAAM,eAAe,CAAC;AAWvF,MAAM,WAAW,0BAA0B;IACzC,WAAW,EAAE,qBAAqB,CAAC;IACnC,QAAQ,EAAE,wBAAwB,CAAC;IACnC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,KAAK,CAAC,EAAE,OAAO,KAAK,CAAC;CACtB;AAED,MAAM,WAAW,4BAA6B,SAAQ,0BAA0B;IAC9E,UAAU,EAAE,0BAA0B,GAAG,yBAAyB,CAAC;IACnE,aAAa,CAAC,EAAE,6BAA6B,CAAC;IAC9C,QAAQ,CAAC,EAAE,2BAA2B,CAAC;CACxC;AAED,MAAM,WAAW,6BACf,SAAQ,IAAI,CAAC,0BAA0B,EAAE,UAAU,CAAC;IACpD,UAAU,EAAE,+BAA+B,GAAG,yBAAyB,CAAC;IACxE,QAAQ,EAAE,IAAI,CAAC,wBAAwB,EAAE,cAAc,CAAC,CAAC;IACzD,QAAQ,CAAC,EAAE,2BAA2B,CAAC;CACxC;AAED,MAAM,WAAW,mBAAmB;IAClC,OAAO,CAAC,SAAS,EACf,IAAI,EAAE,MAAM,EACZ,OAAO,CAAC,EAAE,wBAAwB,GACjC,OAAO,CAAC,SAAS,CAAC,CAAC;CACvB;AAED,MAAM,WAAW,uBAAuB;IACtC,OAAO,CAAC,SAAS,EACf,IAAI,EAAE,MAAM,EACZ,OAAO,CAAC,EAAE,IAAI,CAAC,wBAAwB,EAAE,MAAM,CAAC,GAAG;QACjD,MAAM,CAAC,EAAE,KAAK,CAAC;QACf,IAAI,CAAC,EAAE,KAAK,CAAC;KACd,GACA,OAAO,CAAC,SAAS,CAAC,CAAC;CACvB;AAED,MAAM,WAAW,sBAAsB;IACrC,IAAI,EAAE,QAAQ,CAAC;IACf,WAAW,EAAE,qBAAqB,CAAC;IACnC,aAAa,EAAE,qCAAqC,CAAC;IACrD,YAAY,EAAE,mBAAmB,CAAC;IAClC,KAAK,CAAC,EAAE,mBAAmB,CAAC;IAC5B,OAAO,CAAC,EAAE,mBAAmB,CAAC;IAC9B,OAAO,CAAC,EAAE,mBAAmB,CAAC;IAC9B,OAAO,EAAE,uBAAuB,CAAC;IACjC,KAAK,EAAE,qBAAqB,CAAC;IAC7B,QAAQ,EAAE,wBAAwB,CAAC;IACnC,IAAI,EAAE,oBAAoB,CAAC;IAC3B,QAAQ,EAAE,wBAAwB,CAAC;IACnC,KAAK,EAAE,qBAAqB,CAAC;IAC7B,QAAQ,CAAC,EAAE,wBAAwB,CAAC;IACpC,SAAS,EAAE,yBAAyB,CAAC;IACrC,eAAe,EAAE,+BAA+B,CAAC;CAClD;AAED,MAAM,WAAW,uBAAuB;IACtC,IAAI,EAAE,SAAS,CAAC;IAChB,WAAW,EAAE,qBAAqB,CAAC;IACnC,OAAO,EAAE,2BAA2B,CAAC;IACrC,KAAK,EAAE,yBAAyB,CAAC;IACjC,QAAQ,EAAE,wBAAwB,CAAC;IACnC,QAAQ,EAAE,4BAA4B,CAAC;IACvC,KAAK,EAAE,yBAAyB,CAAC;IACjC,QAAQ,CAAC,EAAE,wBAAwB,CAAC;IACpC,SAAS,EAAE,6BAA6B,CAAC;CAC1C;AAiLD,wBAAgB,kBAAkB,CAChC,MAAM,EAAE,4BAA4B,GACnC,sBAAsB,CA6JxB;AAED,wBAAgB,mBAAmB,CACjC,MAAM,EAAE,6BAA6B,GACpC,uBAAuB,CA2DzB"}

package/dist/client.js

@@ -0,0 +1,260 @@
+import { GlobiguardConfigError } from "./errors.js";
+import { createGovernedActionsClient } from "./governed-actions.js";
+import { createActionsClient, createActionsReadClient } from "./resources/actions.js";
+import { requestJson } from "./fetch.js";
+import { createRealtimeClient } from "./realtime.js";
+import { createAuditClient, createAuditReadClient } from "./resources/audit.js";
+import { createInstallsClient } from "./resources/installs.js";
+import { createOrgsClient } from "./resources/orgs.js";
+import { createPoliciesClient, createPoliciesReadClient } from "./resources/policies.js";
+import { createQueueClient, createQueueReadClient } from "./resources/queue.js";
+import { createWorkflowsClient, createWorkflowsReadClient } from "./resources/workflows.js";
+function isNonEmptyString(value) {
+    return typeof value === "string" && value.trim().length > 0;
+}
+function assertSecretCredentialShape(credential) {
+    if (!isNonEmptyString(credential.token) || !isNonEmptyString(credential.projectId)) {
+        throw new GlobiguardConfigError("Secret credentials require non-empty projectId and token values.");
+    }
+}
+function assertPublishableCredentialShape(credential) {
+    if (!isNonEmptyString(credential.token) || !isNonEmptyString(credential.projectId)) {
+        throw new GlobiguardConfigError("Publishable credentials require non-empty projectId and token values.");
+    }
+}
+function assertServiceUrl(serviceName, serviceUrl, environment, requireLocalHost = false) {
+    let parsedUrl;
+    try {
+        parsedUrl = new URL(serviceUrl);
+    }
+    catch {
+        throw new GlobiguardConfigError(`${serviceName} service URL must be a valid URL.`);
+    }
+    if (environment !== "local" && parsedUrl.protocol !== "https:") {
+        throw new GlobiguardConfigError(`${serviceName} service URL must use HTTPS outside the local environment.`);
+    }
+    if (parsedUrl.pathname !== "/" && parsedUrl.pathname !== "") {
+        throw new GlobiguardConfigError(`${serviceName} service URL must be a service origin, not a versioned API path.`);
+    }
+    if (requireLocalHost &&
+        parsedUrl.hostname !== "localhost" &&
+        parsedUrl.hostname !== "127.0.0.1" &&
+        parsedUrl.hostname !== "::1" &&
+        !parsedUrl.hostname.endsWith(".localhost")) {
+        throw new GlobiguardConfigError(`${serviceName} service URL must use a localhost or loopback host with local credentials.`);
+    }
+}
+function getFetch(fetchImpl) {
+    if (fetchImpl) {
+        return fetchImpl;
+    }
+    if (typeof fetch !== "function") {
+        throw new GlobiguardConfigError("A fetch implementation is required in this runtime.");
+    }
+    return fetch;
+}
+function createTransport(config) {
+    return {
+        request(path, options) {
+            return requestJson({
+                baseUrl: config.baseUrl,
+                clientName: config.clientName,
+                credential: config.credential,
+                environment: config.environment,
+                fetchImpl: config.fetchImpl,
+                path,
+                options
+            });
+        }
+    };
+}
+function createReadTransport(transport) {
+    return {
+        request(path, options) {
+            if (options?.method && options.method !== "GET") {
+                throw new GlobiguardConfigError("Browser control-plane transport only supports GET requests.");
+            }
+            if (options?.body !== undefined) {
+                throw new GlobiguardConfigError("Browser control-plane transport does not accept request bodies.");
+            }
+            return transport.request(path, {
+                ...options,
+                method: "GET"
+            });
+        }
+    };
+}
+function resolveActionGatewayConfig(actionGateway, services) {
+    const config = actionGateway ?? { mode: "control_plane" };
+    switch (config.mode) {
+        case "control_plane":
+            return {
+                ...config,
+                baseUrl: services.controlPlane
+            };
+        case "sidecar":
+            if (!services.sidecar) {
+                throw new GlobiguardConfigError("Action gateway mode 'sidecar' requires services.sidecar.");
+            }
+            return {
+                ...config,
+                baseUrl: services.sidecar
+            };
+        case "gateway":
+            if (!services.gateway) {
+                throw new GlobiguardConfigError("Action gateway mode 'gateway' requires services.gateway.");
+            }
+            return {
+                ...config,
+                baseUrl: services.gateway
+            };
+        default:
+            throw new GlobiguardConfigError("Action gateway mode must be control_plane, sidecar, or gateway.");
+    }
+}
+export function createServerClient(config) {
+    const fetchImpl = getFetch(config.fetch);
+    const clientName = config.clientName ?? "@globiguard/sdk";
+    const credentialKind = config.credential.kind;
+    if (!config.services.controlPlane) {
+        throw new GlobiguardConfigError("controlPlane service URL is required.");
+    }
+    assertServiceUrl("controlPlane", config.services.controlPlane, config.environment, credentialKind === "local");
+    if (credentialKind === "publishable") {
+        throw new GlobiguardConfigError("Server clients require secret or local credentials.");
+    }
+    if (credentialKind !== "secret" && credentialKind !== "local") {
+        throw new GlobiguardConfigError("Server clients require a recognized secret or local credential kind.");
+    }
+    if (config.credential.kind === "local" && config.environment !== "local") {
+        throw new GlobiguardConfigError("Local credentials may only be used with the local environment.");
+    }
+    if (credentialKind === "secret") {
+        assertSecretCredentialShape(config.credential);
+    }
+    if (config.credential.kind === "secret" &&
+        config.credential.environment !== config.environment) {
+        throw new GlobiguardConfigError("Secret credential environment must match the client environment.");
+    }
+    const controlPlane = createTransport({
+        baseUrl: config.services.controlPlane,
+        clientName,
+        credential: config.credential,
+        environment: config.environment,
+        fetchImpl
+    });
+    const brain = config.services.brain
+        ? createTransport({
+            baseUrl: config.services.brain,
+            clientName,
+            credential: config.credential,
+            environment: config.environment,
+            fetchImpl
+        })
+        : undefined;
+    const gateway = config.services.gateway
+        ? createTransport({
+            baseUrl: config.services.gateway,
+            clientName,
+            credential: config.credential,
+            environment: config.environment,
+            fetchImpl
+        })
+        : undefined;
+    const sidecar = config.services.sidecar
+        ? createTransport({
+            baseUrl: config.services.sidecar,
+            clientName,
+            credential: config.credential,
+            environment: config.environment,
+            fetchImpl
+        })
+        : undefined;
+    if (config.services.brain) {
+        assertServiceUrl("brain", config.services.brain, config.environment, credentialKind === "local");
+    }
+    if (config.services.gateway) {
+        assertServiceUrl("gateway", config.services.gateway, config.environment, credentialKind === "local");
+    }
+    if (config.services.sidecar) {
+        assertServiceUrl("sidecar", config.services.sidecar, config.environment, credentialKind === "local");
+    }
+    const actionGateway = resolveActionGatewayConfig(config.actionGateway, config.services);
+    const actionTransport = actionGateway.mode === "sidecar"
+        ? sidecar
+        : actionGateway.mode === "gateway"
+            ? gateway
+            : controlPlane;
+    if (!actionTransport) {
+        throw new GlobiguardConfigError("Action gateway transport could not be resolved.");
+    }
+    const actions = createActionsClient(actionTransport);
+    const audit = createAuditClient(controlPlane);
+    const queue = createQueueClient(controlPlane);
+    return {
+        kind: "server",
+        environment: config.environment,
+        actionGateway,
+        controlPlane,
+        brain,
+        gateway,
+        sidecar,
+        actions,
+        audit,
+        installs: createInstallsClient(controlPlane),
+        orgs: createOrgsClient(controlPlane),
+        policies: createPoliciesClient(controlPlane),
+        queue,
+        realtime: config.realtime
+            ? createRealtimeClient(config.services.controlPlane, config.realtime)
+            : undefined,
+        workflows: createWorkflowsClient(controlPlane),
+        governedActions: createGovernedActionsClient({
+            actions,
+            audit,
+            queue
+        })
+    };
+}
+export function createBrowserClient(config) {
+    const fetchImpl = getFetch(config.fetch);
+    const clientName = config.clientName ?? "@globiguard/sdk";
+    const credentialKind = config.credential.kind;
+    if (!config.services.controlPlane) {
+        throw new GlobiguardConfigError("controlPlane service URL is required.");
+    }
+    assertServiceUrl("controlPlane", config.services.controlPlane, config.environment, credentialKind === "local");
+    if (credentialKind === "secret") {
+        throw new GlobiguardConfigError("Browser clients require publishable or local credentials.");
+    }
+    if (credentialKind !== "publishable" && credentialKind !== "local") {
+        throw new GlobiguardConfigError("Browser clients require a recognized publishable or local credential kind.");
+    }
+    if (config.credential.kind === "local" && config.environment !== "local") {
+        throw new GlobiguardConfigError("Local credentials may only be used with the local environment.");
+    }
+    if (credentialKind === "publishable") {
+        assertPublishableCredentialShape(config.credential);
+    }
+    const controlPlane = createTransport({
+        baseUrl: config.services.controlPlane,
+        clientName,
+        credential: config.credential,
+        environment: config.environment,
+        fetchImpl
+    });
+    return {
+        kind: "browser",
+        environment: config.environment,
+        actions: createActionsReadClient(controlPlane),
+        audit: createAuditReadClient(controlPlane),
+        installs: createInstallsClient(controlPlane),
+        policies: createPoliciesReadClient(controlPlane),
+        queue: createQueueReadClient(controlPlane),
+        realtime: config.realtime
+            ? createRealtimeClient(config.services.controlPlane, config.realtime)
+            : undefined,
+        workflows: createWorkflowsReadClient(controlPlane)
+    };
+}
+//# sourceMappingURL=client.js.map

package/dist/client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAuBA,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AACpD,OAAO,EACL,2BAA2B,EAE5B,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,mBAAmB,EAAE,uBAAuB,EAAE,MAAM,wBAAwB,CAAC;AACtF,OAAO,EAAE,WAAW,EAAiC,MAAM,YAAY,CAAC;AACxE,OAAO,EAAE,oBAAoB,EAAoC,MAAM,eAAe,CAAC;AACvF,OAAO,EAAE,iBAAiB,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAChF,OAAO,EAAE,oBAAoB,EAAE,MAAM,yBAAyB,CAAC;AAC/D,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AACvD,OAAO,EAAE,oBAAoB,EAAE,wBAAwB,EAAE,MAAM,yBAAyB,CAAC;AACzF,OAAO,EAAE,iBAAiB,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAChF,OAAO,EACL,qBAAqB,EACrB,yBAAyB,EAC1B,MAAM,0BAA0B,CAAC;AAsElC,SAAS,gBAAgB,CAAC,KAAc;IACtC,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,CAAC;AAC9D,CAAC;AAED,SAAS,2BAA2B,CAClC,UAAoD;IAEpD,IAAI,CAAC,gBAAgB,CAAC,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,gBAAgB,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QACnF,MAAM,IAAI,qBAAqB,CAC7B,kEAAkE,CACnE,CAAC;IACJ,CAAC;AACH,CAAC;AAED,SAAS,gCAAgC,CACvC,UAAoD;IAEpD,IAAI,CAAC,gBAAgB,CAAC,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,gBAAgB,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QACnF,MAAM,IAAI,qBAAqB,CAC7B,uEAAuE,CACxE,CAAC;IACJ,CAAC;AACH,CAAC;AAED,SAAS,gBAAgB,CACvB,WAAmB,EACnB,UAAkB,EAClB,WAAkC,EAClC,gBAAgB,GAAG,KAAK;IAExB,IAAI,SAAc,CAAC;IAEnB,IAAI,CAAC;QACH,SAAS,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,CAAC;IAClC,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,qBAAqB,CAAC,GAAG,WAAW,mCAAmC,CAAC,CAAC;IACrF,CAAC;IAED,IAAI,WAAW,KAAK,OAAO,IAAI,SAAS,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC/D,MAAM,IAAI,qBAAqB,CAC7B,GAAG,WAAW,4DAA4D,CAC3E,CAAC;IACJ,CAAC;IAED,IAAI,SAAS,CAAC,QAAQ,KAAK,GAAG,IAAI,SAAS,CAAC,QAAQ,KAAK,EAAE,EAAE,CAAC;QAC5D,MAAM,IAAI,qBAAqB,CAC7B,GAAG,WAAW,kEAAkE,CACjF,CAAC;IACJ,CAAC;IAED,IACE,gBAAgB;QAChB,SAAS,CAAC,QAAQ,KAAK,WAAW;QAClC,SAAS,CAAC,QAAQ,KAAK,WAAW;QAClC,SAAS,CAAC,QAAQ,KAAK,KAAK;QAC5B,CAAC,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,YAAY,CAAC,EAC1C,CAAC;QACD,MAAM,IAAI,qBAAqB,CAC7B,GAAG,WAAW,4EAA4E,CAC3F,CAAC;IACJ,CAAC;AACH,CAAC;AAED,SAAS,QAAQ,CAAC,SAAwB;IACxC,IAAI,SAAS,EAAE,CAAC;QACd,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,IAAI,OAAO,KAAK,KAAK,UAAU,EAAE,CAAC;QAChC,MAAM,IAAI,qBAAqB,CAC7B,qDAAqD,CACtD,CAAC;IACJ,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,eAAe,CAAC,MASxB;IACC,OAAO;QACL,OAAO,CAAY,IAAY,EAAE,OAAkC;YACjE,OAAO,WAAW,CAAY;gBAC5B,OAAO,EAAE,MAAM,CAAC,OAAO;gBACvB,UAAU,EAAE,MAAM,CAAC,UAAU;gBAC7B,UAAU,EAAE,MAAM,CAAC,UAAU;gBAC7B,WAAW,EAAE,MAAM,CAAC,WAAW;gBAC/B,SAAS,EAAE,MAAM,CAAC,SAAS;gBAC3B,IAAI;gBACJ,OAAO;aACR,CAAC,CAAC;QACL,CAAC;KACF,CAAC;AACJ,CAAC;AAED,SAAS,mBAAmB,CAC1B,SAA8B;IAE9B,OAAO;QACL,OAAO,CACL,IAAY,EACZ,OAGC;YAED,IAAI,OAAO,EAAE,MAAM,IAAI,OAAO,CAAC,MAAM,KAAK,KAAK,EAAE,CAAC;gBAChD,MAAM,IAAI,qBAAqB,CAC7B,6DAA6D,CAC9D,CAAC;YACJ,CAAC;YAED,IAAI,OAAO,EAAE,IAAI,KAAK,SAAS,EAAE,CAAC;gBAChC,MAAM,IAAI,qBAAqB,CAC7B,iEAAiE,CAClE,CAAC;YACJ,CAAC;YAED,OAAO,SAAS,CAAC,OAAO,CAAY,IAAI,EAAE;gBACxC,GAAG,OAAO;gBACV,MAAM,EAAE,KAAK;aACd,CAAC,CAAC;QACL,CAAC;KACF,CAAC;AACJ,CAAC;AAED,SAAS,0BAA0B,CACjC,aAAwD,EACxD,QAAkC;IAElC,MAAM,MAAM,GAAG,aAAa,IAAI,EAAE,IAAI,EAAE,eAAwB,EAAE,CAAC;IAEnE,QAAQ,MAAM,CAAC,IAAI,EAAE,CAAC;QACpB,KAAK,eAAe;YAClB,OAAO;gBACL,GAAG,MAAM;gBACT,OAAO,EAAE,QAAQ,CAAC,YAAY;aAC/B,CAAC;QACJ,KAAK,SAAS;YACZ,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC;gBACtB,MAAM,IAAI,qBAAqB,CAC7B,0DAA0D,CAC3D,CAAC;YACJ,CAAC;YAED,OAAO;gBACL,GAAG,MAAM;gBACT,OAAO,EAAE,QAAQ,CAAC,OAAO;aAC1B,CAAC;QACJ,KAAK,SAAS;YACZ,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC;gBACtB,MAAM,IAAI,qBAAqB,CAC7B,0DAA0D,CAC3D,CAAC;YACJ,CAAC;YAED,OAAO;gBACL,GAAG,MAAM;gBACT,OAAO,EAAE,QAAQ,CAAC,OAAO;aAC1B,CAAC;QACJ;YACE,MAAM,IAAI,qBAAqB,CAC7B,iEAAiE,CAClE,CAAC;IACN,CAAC;AACH,CAAC;AAGD,MAAM,UAAU,kBAAkB,CAChC,MAAoC;IAEpC,MAAM,SAAS,GAAG,QAAQ,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACzC,MAAM,UAAU,GAAG,MAAM,CAAC,UAAU,IAAI,iBAAiB,CAAC;IAC1D,MAAM,cAAc,GAAI,MAAM,CAAC,UAA+B,CAAC,IAAI,CAAC;IAEpE,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,YAAY,EAAE,CAAC;QAClC,MAAM,IAAI,qBAAqB,CAAC,uCAAuC,CAAC,CAAC;IAC3E,CAAC;IAED,gBAAgB,CACd,cAAc,EACd,MAAM,CAAC,QAAQ,CAAC,YAAY,EAC5B,MAAM,CAAC,WAAW,EAClB,cAAc,KAAK,OAAO,CAC3B,CAAC;IAEF,IAAI,cAAc,KAAK,aAAa,EAAE,CAAC;QACrC,MAAM,IAAI,qBAAqB,CAC7B,qDAAqD,CACtD,CAAC;IACJ,CAAC;IAED,IAAI,cAAc,KAAK,QAAQ,IAAI,cAAc,KAAK,OAAO,EAAE,CAAC;QAC9D,MAAM,IAAI,qBAAqB,CAC7B,sEAAsE,CACvE,CAAC;IACJ,CAAC;IAED,IAAI,MAAM,CAAC,UAAU,CAAC,IAAI,KAAK,OAAO,IAAI,MAAM,CAAC,WAAW,KAAK,OAAO,EAAE,CAAC;QACzE,MAAM,IAAI,qBAAqB,CAC7B,gEAAgE,CACjE,CAAC;IACJ,CAAC;IAED,IAAI,cAAc,KAAK,QAAQ,EAAE,CAAC;QAChC,2BAA2B,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IACjD,CAAC;IAED,IACE,MAAM,CAAC,UAAU,CAAC,IAAI,KAAK,QAAQ;QACnC,MAAM,CAAC,UAAU,CAAC,WAAW,KAAK,MAAM,CAAC,WAAW,EACpD,CAAC;QACD,MAAM,IAAI,qBAAqB,CAC7B,kEAAkE,CACnE,CAAC;IACJ,CAAC;IAED,MAAM,YAAY,GAAG,eAAe,CAAC;QACnC,OAAO,EAAE,MAAM,CAAC,QAAQ,CAAC,YAAY;QACrC,UAAU;QACV,UAAU,EAAE,MAAM,CAAC,UAAU;QAC7B,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,SAAS;KACV,CAAC,CAAC;IAEH,MAAM,KAAK,GAAG,MAAM,CAAC,QAAQ,CAAC,KAAK;QACjC,CAAC,CAAC,eAAe,CAAC;YACd,OAAO,EAAE,MAAM,CAAC,QAAQ,CAAC,KAAK;YAC9B,UAAU;YACV,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,SAAS;SACV,CAAC;QACJ,CAAC,CAAC,SAAS,CAAC;IAEd,MAAM,OAAO,GAAG,MAAM,CAAC,QAAQ,CAAC,OAAO;QACrC,CAAC,CAAC,eAAe,CAAC;YACd,OAAO,EAAE,MAAM,CAAC,QAAQ,CAAC,OAAO;YAChC,UAAU;YACV,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,SAAS;SACV,CAAC;QACJ,CAAC,CAAC,SAAS,CAAC;IAEd,MAAM,OAAO,GAAG,MAAM,CAAC,QAAQ,CAAC,OAAO;QACrC,CAAC,CAAC,eAAe,CAAC;YACd,OAAO,EAAE,MAAM,CAAC,QAAQ,CAAC,OAAO;YAChC,UAAU;YACV,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,SAAS;SACV,CAAC;QACJ,CAAC,CAAC,SAAS,CAAC;IAEd,IAAI,MAAM,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAC;QAC1B,gBAAgB,CACd,OAAO,EACP,MAAM,CAAC,QAAQ,CAAC,KAAK,EACrB,MAAM,CAAC,WAAW,EAClB,cAAc,KAAK,OAAO,CAC3B,CAAC;IACJ,CAAC;IAED,IAAI,MAAM,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC;QAC5B,gBAAgB,CACd,SAAS,EACT,MAAM,CAAC,QAAQ,CAAC,OAAO,EACvB,MAAM,CAAC,WAAW,EAClB,cAAc,KAAK,OAAO,CAC3B,CAAC;IACJ,CAAC;IAED,IAAI,MAAM,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC;QAC5B,gBAAgB,CACd,SAAS,EACT,MAAM,CAAC,QAAQ,CAAC,OAAO,EACvB,MAAM,CAAC,WAAW,EAClB,cAAc,KAAK,OAAO,CAC3B,CAAC;IACJ,CAAC;IAED,MAAM,aAAa,GAAG,0BAA0B,CAC9C,MAAM,CAAC,aAAa,EACpB,MAAM,CAAC,QAAQ,CAChB,CAAC;IACF,MAAM,eAAe,GACnB,aAAa,CAAC,IAAI,KAAK,SAAS;QAC9B,CAAC,CAAC,OAAO;QACT,CAAC,CAAC,aAAa,CAAC,IAAI,KAAK,SAAS;YAChC,CAAC,CAAC,OAAO;YACT,CAAC,CAAC,YAAY,CAAC;IAErB,IAAI,CAAC,eAAe,EAAE,CAAC;QACrB,MAAM,IAAI,qBAAqB,CAC7B,iDAAiD,CAClD,CAAC;IACJ,CAAC;IAED,MAAM,OAAO,GAAG,mBAAmB,CAAC,eAAe,CAAC,CAAC;IACrD,MAAM,KAAK,GAAG,iBAAiB,CAAC,YAAY,CAAC,CAAC;IAC9C,MAAM,KAAK,GAAG,iBAAiB,CAAC,YAAY,CAAC,CAAC;IAE9C,OAAO;QACL,IAAI,EAAE,QAAQ;QACd,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,aAAa;QACb,YAAY;QACZ,KAAK;QACL,OAAO;QACP,OAAO;QACP,OAAO;QACP,KAAK;QACL,QAAQ,EAAE,oBAAoB,CAAC,YAAY,CAAC;QAC5C,IAAI,EAAE,gBAAgB,CAAC,YAAY,CAAC;QACpC,QAAQ,EAAE,oBAAoB,CAAC,YAAY,CAAC;QAC5C,KAAK;QACL,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACvB,CAAC,CAAC,oBAAoB,CAAC,MAAM,CAAC,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC,QAAQ,CAAC;YACrE,CAAC,CAAC,SAAS;QACb,SAAS,EAAE,qBAAqB,CAAC,YAAY,CAAC;QAC9C,eAAe,EAAE,2BAA2B,CAAC;YAC3C,OAAO;YACP,KAAK;YACL,KAAK;SACN,CAAC;KACH,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,mBAAmB,CACjC,MAAqC;IAErC,MAAM,SAAS,GAAG,QAAQ,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACzC,MAAM,UAAU,GAAG,MAAM,CAAC,UAAU,IAAI,iBAAiB,CAAC;IAC1D,MAAM,cAAc,GAAI,MAAM,CAAC,UAA+B,CAAC,IAAI,CAAC;IAEpE,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,YAAY,EAAE,CAAC;QAClC,MAAM,IAAI,qBAAqB,CAAC,uCAAuC,CAAC,CAAC;IAC3E,CAAC;IAED,gBAAgB,CACd,cAAc,EACd,MAAM,CAAC,QAAQ,CAAC,YAAY,EAC5B,MAAM,CAAC,WAAW,EAClB,cAAc,KAAK,OAAO,CAC3B,CAAC;IAEF,IAAI,cAAc,KAAK,QAAQ,EAAE,CAAC;QAChC,MAAM,IAAI,qBAAqB,CAC7B,2DAA2D,CAC5D,CAAC;IACJ,CAAC;IAED,IAAI,cAAc,KAAK,aAAa,IAAI,cAAc,KAAK,OAAO,EAAE,CAAC;QACnE,MAAM,IAAI,qBAAqB,CAC7B,4EAA4E,CAC7E,CAAC;IACJ,CAAC;IAED,IAAI,MAAM,CAAC,UAAU,CAAC,IAAI,KAAK,OAAO,IAAI,MAAM,CAAC,WAAW,KAAK,OAAO,EAAE,CAAC;QACzE,MAAM,IAAI,qBAAqB,CAC7B,gEAAgE,CACjE,CAAC;IACJ,CAAC;IAED,IAAI,cAAc,KAAK,aAAa,EAAE,CAAC;QACrC,gCAAgC,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IACtD,CAAC;IAED,MAAM,YAAY,GAAG,eAAe,CAAC;QACnC,OAAO,EAAE,MAAM,CAAC,QAAQ,CAAC,YAAY;QACrC,UAAU;QACV,UAAU,EAAE,MAAM,CAAC,UAAU;QAC7B,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,SAAS;KACV,CAAC,CAAC;IAEH,OAAO;QACL,IAAI,EAAE,SAAS;QACf,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,OAAO,EAAE,uBAAuB,CAAC,YAAY,CAAC;QAC9C,KAAK,EAAE,qBAAqB,CAAC,YAAY,CAAC;QAC1C,QAAQ,EAAE,oBAAoB,CAAC,YAAY,CAAC;QAC5C,QAAQ,EAAE,wBAAwB,CAAC,YAAY,CAAC;QAChD,KAAK,EAAE,qBAAqB,CAAC,YAAY,CAAC;QAC1C,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACvB,CAAC,CAAC,oBAAoB,CAAC,MAAM,CAAC,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC,QAAQ,CAAC;YACrE,CAAC,CAAC,SAAS;QACb,SAAS,EAAE,yBAAyB,CAAC,YAAY,CAAC;KACnD,CAAC;AACJ,CAAC"}

package/dist/entitlements.node.d.ts

@@ -0,0 +1,12 @@
+import type { GlobiguardEntitlementManifestEnvironment, GlobiguardOfflineDeploymentMode, GlobiguardSignedEntitlementManifest, GlobiguardEntitlementManifestPayload } from "@globiguard/contracts";
+export interface VerifySignedEntitlementManifestOptions {
+    publicKeysById: Record<string, string>;
+    expectedIssuer?: string;
+    expectedOrgId?: string;
+    expectedProjectId?: string;
+    expectedEnvironment?: GlobiguardEntitlementManifestEnvironment;
+    expectedDeploymentMode?: GlobiguardOfflineDeploymentMode;
+    now?: Date;
+}
+export declare function verifySignedEntitlementManifest(manifest: GlobiguardSignedEntitlementManifest, options: VerifySignedEntitlementManifestOptions): GlobiguardEntitlementManifestPayload;
+//# sourceMappingURL=entitlements.node.d.ts.map

package/dist/entitlements.node.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"entitlements.node.d.ts","sourceRoot":"","sources":["../src/entitlements.node.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EACV,wCAAwC,EACxC,+BAA+B,EAC/B,mCAAmC,EAEnC,oCAAoC,EACrC,MAAM,uBAAuB,CAAC;AA0C/B,MAAM,WAAW,sCAAsC;IACrD,cAAc,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACvC,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,mBAAmB,CAAC,EAAE,wCAAwC,CAAC;IAC/D,sBAAsB,CAAC,EAAE,+BAA+B,CAAC;IACzD,GAAG,CAAC,EAAE,IAAI,CAAC;CACZ;AAED,wBAAgB,+BAA+B,CAC7C,QAAQ,EAAE,mCAAmC,EAC7C,OAAO,EAAE,sCAAsC,GAC9C,oCAAoC,CAiHtC"}