@globiguard/sdk 1.0.0 → 1.0.1

package/dist/entitlements.node.js

@@ -0,0 +1,215 @@
+import crypto from "node:crypto";
+import { GLOBIGUARD_ENTITLEMENT_MANIFEST_TYPE, GLOBIGUARD_ENTITLEMENT_SIGNING_ALGORITHM } from "@globiguard/contracts";
+import { GlobiguardConfigError } from "./errors.js";
+const COMMERCIAL_PLANS = new Set([
+    "FREE",
+    "STARTER",
+    "GROWTH",
+    "SCALE",
+    "ENTERPRISE"
+]);
+const BILLING_STATUSES = new Set([
+    "FREE",
+    "PILOT",
+    "ACTIVE",
+    "GRACE",
+    "PAST_DUE",
+    "SUSPENDED",
+    "CANCELED"
+]);
+const OVERAGE_MODES = new Set([
+    "NONE",
+    "METERED",
+    "CONTRACT"
+]);
+const OFFLINE_DEPLOYMENT_MODES = new Set([
+    "self_hosted",
+    "sovereign"
+]);
+const MANIFEST_ENVIRONMENTS = new Set([
+    "sandbox",
+    "live"
+]);
+export function verifySignedEntitlementManifest(manifest, options) {
+    const decoded = decodeManifestToken(manifest.token);
+    if (manifest.serialization !== "jws-compact") {
+        throw new GlobiguardConfigError("Unsupported entitlement manifest serialization.");
+    }
+    if (JSON.stringify(manifest.protected) !== JSON.stringify(decoded.protected)) {
+        throw new GlobiguardConfigError("Entitlement manifest protected header does not match the signed token.");
+    }
+    if (JSON.stringify(manifest.payload) !== JSON.stringify(decoded.payload)) {
+        throw new GlobiguardConfigError("Entitlement manifest payload does not match the signed token.");
+    }
+    const rawPublicKey = options.publicKeysById[decoded.protected.kid];
+    if (!rawPublicKey) {
+        throw new GlobiguardConfigError(`Unknown entitlement manifest signing key "${decoded.protected.kid}".`);
+    }
+    const verified = crypto.verify(null, Buffer.from(decoded.signingInput, "utf8"), createEd25519PublicKey(rawPublicKey), decoded.signature);
+    if (!verified) {
+        throw new GlobiguardConfigError("Entitlement manifest signature verification failed.");
+    }
+    const now = options.now ?? new Date();
+    const issuedAt = parseIsoDate(decoded.payload.issuedAt, "issuedAt");
+    const notBefore = parseIsoDate(decoded.payload.notBefore, "notBefore");
+    const expiresAt = parseIsoDate(decoded.payload.expiresAt, "expiresAt");
+    if (!issuedAt) {
+        throw new GlobiguardConfigError("Entitlement manifest field \"issuedAt\" must be present.");
+    }
+    if (!notBefore) {
+        throw new GlobiguardConfigError("Entitlement manifest field \"notBefore\" must be present.");
+    }
+    if (!expiresAt) {
+        throw new GlobiguardConfigError("Entitlement manifest field \"expiresAt\" must be present.");
+    }
+    if (issuedAt.getTime() > expiresAt.getTime()) {
+        throw new GlobiguardConfigError("Entitlement manifest timestamps are inconsistent.");
+    }
+    if (notBefore.getTime() > now.getTime()) {
+        throw new GlobiguardConfigError("Entitlement manifest is not active yet.");
+    }
+    if (expiresAt.getTime() <= now.getTime()) {
+        throw new GlobiguardConfigError("Entitlement manifest has expired.");
+    }
+    if (options.expectedIssuer &&
+        decoded.payload.issuer !== options.expectedIssuer) {
+        throw new GlobiguardConfigError("Entitlement manifest issuer does not match the expected issuer.");
+    }
+    if (options.expectedOrgId &&
+        decoded.payload.subject.orgId !== options.expectedOrgId) {
+        throw new GlobiguardConfigError("Entitlement manifest workspace does not match the expected workspace.");
+    }
+    if (options.expectedProjectId &&
+        decoded.payload.subject.projectId !== options.expectedProjectId) {
+        throw new GlobiguardConfigError("Entitlement manifest project does not match the expected project.");
+    }
+    if (options.expectedEnvironment &&
+        decoded.payload.subject.environment !== options.expectedEnvironment) {
+        throw new GlobiguardConfigError("Entitlement manifest environment does not match the expected environment.");
+    }
+    if (options.expectedDeploymentMode &&
+        decoded.payload.subject.deploymentMode !== options.expectedDeploymentMode) {
+        throw new GlobiguardConfigError("Entitlement manifest deployment mode does not match the expected deployment mode.");
+    }
+    return decoded.payload;
+}
+function decodeManifestToken(token) {
+    const parts = token.split(".");
+    if (parts.length !== 3) {
+        throw new GlobiguardConfigError("Invalid entitlement manifest token.");
+    }
+    const [encodedHeader, encodedPayload, encodedSignature] = parts;
+    const protectedHeader = decodeJson(encodedHeader, "Invalid entitlement manifest protected header.");
+    const payload = decodeJson(encodedPayload, "Invalid entitlement manifest payload.");
+    if (protectedHeader.alg !== GLOBIGUARD_ENTITLEMENT_SIGNING_ALGORITHM ||
+        protectedHeader.typ !== GLOBIGUARD_ENTITLEMENT_MANIFEST_TYPE ||
+        !protectedHeader.kid) {
+        throw new GlobiguardConfigError("Unsupported entitlement manifest protected header.");
+    }
+    if (payload.manifestType !== GLOBIGUARD_ENTITLEMENT_MANIFEST_TYPE ||
+        payload.manifestVersion !== 1) {
+        throw new GlobiguardConfigError("Unsupported entitlement manifest payload.");
+    }
+    validateManifestPayload(payload);
+    return {
+        protected: protectedHeader,
+        payload,
+        signature: decodeBase64Url(encodedSignature),
+        signingInput: `${encodedHeader}.${encodedPayload}`
+    };
+}
+function parseIsoDate(value, fieldName) {
+    if (!value) {
+        return null;
+    }
+    const timestamp = Date.parse(value);
+    if (Number.isNaN(timestamp)) {
+        throw new GlobiguardConfigError(`Entitlement manifest field "${fieldName}" must be a valid ISO timestamp.`);
+    }
+    return new Date(timestamp);
+}
+function validateManifestPayload(payload) {
+    requireNonEmptyString(payload.manifestId, "manifestId");
+    requireNonEmptyString(payload.issuer, "issuer");
+    requireNonEmptyString(payload.issuedAt, "issuedAt");
+    requireNonEmptyString(payload.notBefore, "notBefore");
+    requireNonEmptyString(payload.expiresAt, "expiresAt");
+    validateManifestSubject(payload.subject);
+    validateCommercialState(payload.commercial);
+    validateEntitlements(payload.entitlements);
+}
+function validateManifestSubject(subject) {
+    requireNonEmptyString(subject.orgId, "subject.orgId");
+    requireNonEmptyString(subject.workspaceName, "subject.workspaceName");
+    requireNonEmptyString(subject.orgSlug, "subject.orgSlug");
+    requireNonEmptyString(subject.projectId, "subject.projectId");
+    requireNonEmptyString(subject.projectSlug, "subject.projectSlug");
+    requireRequiredEnvironment(subject.environment, "subject.environment");
+    if (!OFFLINE_DEPLOYMENT_MODES.has(subject.deploymentMode)) {
+        throw new GlobiguardConfigError("Entitlement manifest field \"subject.deploymentMode\" is invalid.");
+    }
+}
+function validateCommercialState(commercial) {
+    if (!COMMERCIAL_PLANS.has(commercial.commercialPlan)) {
+        throw new GlobiguardConfigError("Entitlement manifest field \"commercial.commercialPlan\" is invalid.");
+    }
+    if (!BILLING_STATUSES.has(commercial.billingStatus)) {
+        throw new GlobiguardConfigError("Entitlement manifest field \"commercial.billingStatus\" is invalid.");
+    }
+    if (typeof commercial.pilotActive !== "boolean") {
+        throw new GlobiguardConfigError("Entitlement manifest field \"commercial.pilotActive\" is invalid.");
+    }
+}
+function validateEntitlements(entitlements) {
+    requireNullableNonNegativeInteger(entitlements.includedQueriesPerMonth, "entitlements.includedQueriesPerMonth");
+    requireNullableNonNegativeInteger(entitlements.frameworkSlots, "entitlements.frameworkSlots");
+    if (!OVERAGE_MODES.has(entitlements.overageMode)) {
+        throw new GlobiguardConfigError("Entitlement manifest field \"entitlements.overageMode\" is invalid.");
+    }
+}
+function requireNonEmptyString(value, fieldName) {
+    if (typeof value !== "string" || value.length === 0) {
+        throw new GlobiguardConfigError(`Entitlement manifest field "${fieldName}" must be a non-empty string.`);
+    }
+}
+function requireRequiredEnvironment(value, fieldName) {
+    if (!MANIFEST_ENVIRONMENTS.has(value)) {
+        throw new GlobiguardConfigError(`Entitlement manifest field "${fieldName}" is invalid.`);
+    }
+}
+function requireNullableNonNegativeInteger(value, fieldName) {
+    if (value === null) {
+        return;
+    }
+    if (!Number.isInteger(value) || value < 0) {
+        throw new GlobiguardConfigError(`Entitlement manifest field "${fieldName}" must be a non-negative integer or null.`);
+    }
+}
+function createEd25519PublicKey(base64UrlKey) {
+    const rawKey = decodeBase64Url(base64UrlKey);
+    if (rawKey.length !== 32) {
+        throw new GlobiguardConfigError("Entitlement manifest public key must be a base64url-encoded Ed25519 key.");
+    }
+    const spkiPrefix = Buffer.from("302a300506032b6570032100", "hex");
+    return crypto.createPublicKey({
+        key: Buffer.concat([spkiPrefix, rawKey]),
+        format: "der",
+        type: "spki"
+    });
+}
+function decodeJson(value, message) {
+    try {
+        return JSON.parse(decodeBase64Url(value).toString("utf8"));
+    }
+    catch {
+        throw new GlobiguardConfigError(message);
+    }
+}
+function decodeBase64Url(value) {
+    const normalized = value.replace(/-/g, "+").replace(/_/g, "/");
+    const padding = normalized.length % 4 === 0
+        ? ""
+        : "=".repeat(4 - (normalized.length % 4));
+    return Buffer.from(normalized + padding, "base64");
+}
+//# sourceMappingURL=entitlements.node.js.map

package/dist/entitlements.node.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"entitlements.node.js","sourceRoot":"","sources":["../src/entitlements.node.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,aAAa,CAAC;AASjC,OAAO,EACL,oCAAoC,EACpC,wCAAwC,EACzC,MAAM,uBAAuB,CAAC;AAE/B,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAEpD,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC;IAC/B,MAAM;IACN,SAAS;IACT,QAAQ;IACR,OAAO;IACP,YAAY;CACJ,CAAC,CAAC;AAEZ,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC;IAC/B,MAAM;IACN,OAAO;IACP,QAAQ;IACR,OAAO;IACP,UAAU;IACV,WAAW;IACX,UAAU;CACF,CAAC,CAAC;AAEZ,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC;IAC5B,MAAM;IACN,SAAS;IACT,UAAU;CACF,CAAC,CAAC;AAEZ,MAAM,wBAAwB,GAAG,IAAI,GAAG,CAAC;IACvC,aAAa;IACb,WAAW;CACH,CAAC,CAAC;AAEZ,MAAM,qBAAqB,GAAG,IAAI,GAAG,CAAC;IACpC,SAAS;IACT,MAAM;CACE,CAAC,CAAC;AAYZ,MAAM,UAAU,+BAA+B,CAC7C,QAA6C,EAC7C,OAA+C;IAE/C,MAAM,OAAO,GAAG,mBAAmB,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IAEpD,IAAI,QAAQ,CAAC,aAAa,KAAK,aAAa,EAAE,CAAC;QAC7C,MAAM,IAAI,qBAAqB,CAC7B,iDAAiD,CAClD,CAAC;IACJ,CAAC;IACD,IAAI,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,KAAK,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,CAAC;QAC7E,MAAM,IAAI,qBAAqB,CAC7B,wEAAwE,CACzE,CAAC;IACJ,CAAC;IACD,IAAI,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QACzE,MAAM,IAAI,qBAAqB,CAC7B,+DAA+D,CAChE,CAAC;IACJ,CAAC;IAED,MAAM,YAAY,GAAG,OAAO,CAAC,cAAc,CAAC,OAAO,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;IACnE,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,MAAM,IAAI,qBAAqB,CAC7B,6CAA6C,OAAO,CAAC,SAAS,CAAC,GAAG,IAAI,CACvE,CAAC;IACJ,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,CAC5B,IAAI,EACJ,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,YAAY,EAAE,MAAM,CAAC,EACzC,sBAAsB,CAAC,YAAY,CAAC,EACpC,OAAO,CAAC,SAAS,CAClB,CAAC;IACF,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,IAAI,qBAAqB,CAC7B,qDAAqD,CACtD,CAAC;IACJ,CAAC;IAED,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,IAAI,IAAI,IAAI,EAAE,CAAC;IACtC,MAAM,QAAQ,GAAG,YAAY,CAAC,OAAO,CAAC,OAAO,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;IACpE,MAAM,SAAS,GAAG,YAAY,CAAC,OAAO,CAAC,OAAO,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC;IACvE,MAAM,SAAS,GAAG,YAAY,CAAC,OAAO,CAAC,OAAO,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC;IACvE,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,IAAI,qBAAqB,CAC7B,0DAA0D,CAC3D,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,qBAAqB,CAC7B,2DAA2D,CAC5D,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,qBAAqB,CAC7B,2DAA2D,CAC5D,CAAC;IACJ,CAAC;IACD,IAAI,QAAQ,CAAC,OAAO,EAAE,GAAG,SAAS,CAAC,OAAO,EAAE,EAAE,CAAC;QAC7C,MAAM,IAAI,qBAAqB,CAC7B,mDAAmD,CACpD,CAAC;IACJ,CAAC;IAED,IAAI,SAAS,CAAC,OAAO,EAAE,GAAG,GAAG,CAAC,OAAO,EAAE,EAAE,CAAC;QACxC,MAAM,IAAI,qBAAqB,CAC7B,yCAAyC,CAC1C,CAAC;IACJ,CAAC;IACD,IAAI,SAAS,CAAC,OAAO,EAAE,IAAI,GAAG,CAAC,OAAO,EAAE,EAAE,CAAC;QACzC,MAAM,IAAI,qBAAqB,CAAC,mCAAmC,CAAC,CAAC;IACvE,CAAC;IACD,IACE,OAAO,CAAC,cAAc;QACtB,OAAO,CAAC,OAAO,CAAC,MAAM,KAAK,OAAO,CAAC,cAAc,EACjD,CAAC;QACD,MAAM,IAAI,qBAAqB,CAC7B,iEAAiE,CAClE,CAAC;IACJ,CAAC;IACD,IACE,OAAO,CAAC,aAAa;QACrB,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,KAAK,KAAK,OAAO,CAAC,aAAa,EACvD,CAAC;QACD,MAAM,IAAI,qBAAqB,CAC7B,uEAAuE,CACxE,CAAC;IACJ,CAAC;IACD,IACE,OAAO,CAAC,iBAAiB;QACzB,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,SAAS,KAAK,OAAO,CAAC,iBAAiB,EAC/D,CAAC;QACD,MAAM,IAAI,qBAAqB,CAC7B,mEAAmE,CACpE,CAAC;IACJ,CAAC;IACD,IACE,OAAO,CAAC,mBAAmB;QAC3B,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,WAAW,KAAK,OAAO,CAAC,mBAAmB,EACnE,CAAC;QACD,MAAM,IAAI,qBAAqB,CAC7B,2EAA2E,CAC5E,CAAC;IACJ,CAAC;IACD,IACE,OAAO,CAAC,sBAAsB;QAC9B,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,cAAc,KAAK,OAAO,CAAC,sBAAsB,EACzE,CAAC;QACD,MAAM,IAAI,qBAAqB,CAC7B,mFAAmF,CACpF,CAAC;IACJ,CAAC;IAED,OAAO,OAAO,CAAC,OAAO,CAAC;AACzB,CAAC;AAED,SAAS,mBAAmB,CAAC,KAAa;IAMxC,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,qBAAqB,CAAC,qCAAqC,CAAC,CAAC;IACzE,CAAC;IAED,MAAM,CAAC,aAAa,EAAE,cAAc,EAAE,gBAAgB,CAAC,GAAG,KAAK,CAAC;IAChE,MAAM,eAAe,GAAG,UAAU,CAChC,aAAa,EACb,gDAAgD,CACjD,CAAC;IACF,MAAM,OAAO,GAAG,UAAU,CACxB,cAAc,EACd,uCAAuC,CACxC,CAAC;IAEF,IACE,eAAe,CAAC,GAAG,KAAK,wCAAwC;QAChE,eAAe,CAAC,GAAG,KAAK,oCAAoC;QAC5D,CAAC,eAAe,CAAC,GAAG,EACpB,CAAC;QACD,MAAM,IAAI,qBAAqB,CAC7B,oDAAoD,CACrD,CAAC;IACJ,CAAC;IACD,IACE,OAAO,CAAC,YAAY,KAAK,oCAAoC;QAC7D,OAAO,CAAC,eAAe,KAAK,CAAC,EAC7B,CAAC;QACD,MAAM,IAAI,qBAAqB,CAC7B,2CAA2C,CAC5C,CAAC;IACJ,CAAC;IACD,uBAAuB,CAAC,OAAO,CAAC,CAAC;IAEjC,OAAO;QACL,SAAS,EAAE,eAAe;QAC1B,OAAO;QACP,SAAS,EAAE,eAAe,CAAC,gBAAgB,CAAC;QAC5C,YAAY,EAAE,GAAG,aAAa,IAAI,cAAc,EAAE;KACnD,CAAC;AACJ,CAAC;AAED,SAAS,YAAY,CACnB,KAAyB,EACzB,SAAiB;IAEjB,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,IAAI,CAAC;IACd,CAAC;IACD,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IACpC,IAAI,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,EAAE,CAAC;QAC5B,MAAM,IAAI,qBAAqB,CAC7B,+BAA+B,SAAS,kCAAkC,CAC3E,CAAC;IACJ,CAAC;IACD,OAAO,IAAI,IAAI,CAAC,SAAS,CAAC,CAAC;AAC7B,CAAC;AAED,SAAS,uBAAuB,CAC9B,OAA6C;IAE7C,qBAAqB,CAAC,OAAO,CAAC,UAAU,EAAE,YAAY,CAAC,CAAC;IACxD,qBAAqB,CAAC,OAAO,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IAChD,qBAAqB,CAAC,OAAO,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;IACpD,qBAAqB,CAAC,OAAO,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC;IACtD,qBAAqB,CAAC,OAAO,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC;IAEtD,uBAAuB,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IACzC,uBAAuB,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IAC5C,oBAAoB,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;AAC7C,CAAC;AAED,SAAS,uBAAuB,CAC9B,OAAwD;IAExD,qBAAqB,CAAC,OAAO,CAAC,KAAK,EAAE,eAAe,CAAC,CAAC;IACtD,qBAAqB,CAAC,OAAO,CAAC,aAAa,EAAE,uBAAuB,CAAC,CAAC;IACtE,qBAAqB,CAAC,OAAO,CAAC,OAAO,EAAE,iBAAiB,CAAC,CAAC;IAC1D,qBAAqB,CAAC,OAAO,CAAC,SAAS,EAAE,mBAAmB,CAAC,CAAC;IAC9D,qBAAqB,CAAC,OAAO,CAAC,WAAW,EAAE,qBAAqB,CAAC,CAAC;IAClE,0BAA0B,CAAC,OAAO,CAAC,WAAW,EAAE,qBAAqB,CAAC,CAAC;IACvE,IAAI,CAAC,wBAAwB,CAAC,GAAG,CAAC,OAAO,CAAC,cAAc,CAAC,EAAE,CAAC;QAC1D,MAAM,IAAI,qBAAqB,CAC7B,mEAAmE,CACpE,CAAC;IACJ,CAAC;AACH,CAAC;AAED,SAAS,uBAAuB,CAC9B,UAA8D;IAE9D,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;QACrD,MAAM,IAAI,qBAAqB,CAC7B,sEAAsE,CACvE,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;QACpD,MAAM,IAAI,qBAAqB,CAC7B,qEAAqE,CACtE,CAAC;IACJ,CAAC;IACD,IAAI,OAAO,UAAU,CAAC,WAAW,KAAK,SAAS,EAAE,CAAC;QAChD,MAAM,IAAI,qBAAqB,CAC7B,mEAAmE,CACpE,CAAC;IACJ,CAAC;AACH,CAAC;AAED,SAAS,oBAAoB,CAC3B,YAAkE;IAElE,iCAAiC,CAC/B,YAAY,CAAC,uBAAuB,EACpC,sCAAsC,CACvC,CAAC;IACF,iCAAiC,CAC/B,YAAY,CAAC,cAAc,EAC3B,6BAA6B,CAC9B,CAAC;IACF,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,YAAY,CAAC,WAAW,CAAC,EAAE,CAAC;QACjD,MAAM,IAAI,qBAAqB,CAC7B,qEAAqE,CACtE,CAAC;IACJ,CAAC;AACH,CAAC;AAED,SAAS,qBAAqB,CAAC,KAAa,EAAE,SAAiB;IAC7D,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACpD,MAAM,IAAI,qBAAqB,CAC7B,+BAA+B,SAAS,+BAA+B,CACxE,CAAC;IACJ,CAAC;AACH,CAAC;AAED,SAAS,0BAA0B,CACjC,KAAa,EACb,SAAiB;IAEjB,IAAI,CAAC,qBAAqB,CAAC,GAAG,CAAC,KAA2B,CAAC,EAAE,CAAC;QAC5D,MAAM,IAAI,qBAAqB,CAC7B,+BAA+B,SAAS,eAAe,CACxD,CAAC;IACJ,CAAC;AACH,CAAC;AAED,SAAS,iCAAiC,CACxC,KAAoB,EACpB,SAAiB;IAEjB,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;QACnB,OAAO;IACT,CAAC;IACD,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,IAAI,KAAK,GAAG,CAAC,EAAE,CAAC;QAC1C,MAAM,IAAI,qBAAqB,CAC7B,+BAA+B,SAAS,2CAA2C,CACpF,CAAC;IACJ,CAAC;AACH,CAAC;AAED,SAAS,sBAAsB,CAAC,YAAoB;IAClD,MAAM,MAAM,GAAG,eAAe,CAAC,YAAY,CAAC,CAAC;IAC7C,IAAI,MAAM,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACzB,MAAM,IAAI,qBAAqB,CAC7B,0EAA0E,CAC3E,CAAC;IACJ,CAAC;IACD,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,0BAA0B,EAAE,KAAK,CAAC,CAAC;IAClE,OAAO,MAAM,CAAC,eAAe,CAAC;QAC5B,GAAG,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;QACxC,MAAM,EAAE,KAAK;QACb,IAAI,EAAE,MAAM;KACb,CAAC,CAAC;AACL,CAAC;AAED,SAAS,UAAU,CAAI,KAAa,EAAE,OAAe;IACnD,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAM,CAAC;IAClE,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,qBAAqB,CAAC,OAAO,CAAC,CAAC;IAC3C,CAAC;AACH,CAAC;AAED,SAAS,eAAe,CAAC,KAAa;IACpC,MAAM,UAAU,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IAC/D,MAAM,OAAO,GACX,UAAU,CAAC,MAAM,GAAG,CAAC,KAAK,CAAC;QACzB,CAAC,CAAC,EAAE;QACJ,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC;IAC9C,OAAO,MAAM,CAAC,IAAI,CAAC,UAAU,GAAG,OAAO,EAAE,QAAQ,CAAC,CAAC;AACrD,CAAC"}

package/dist/errors.d.ts

@@ -0,0 +1,21 @@
+import type { GlobiguardSdkErrorKind, GlobiguardSdkErrorShape } from "@globiguard/contracts";
+export type { GlobiguardSdkErrorKind, GlobiguardSdkErrorShape };
+export declare class GlobiguardAuthorityError extends Error {
+    readonly kind: GlobiguardSdkErrorKind;
+    readonly authorizationId?: string;
+    readonly queueEntryId?: string | null;
+    readonly evidencePackageId?: string;
+    readonly retryAfterSeconds?: number;
+    readonly safeDetails?: Record<string, string | number | boolean | null>;
+    constructor(shape: GlobiguardSdkErrorShape);
+    toJSON(): GlobiguardSdkErrorShape;
+}
+export declare class GlobiguardConfigError extends Error {
+    constructor(message: string);
+}
+export declare class GlobiguardHttpError extends Error {
+    readonly status: number;
+    readonly body: unknown;
+    constructor(message: string, status: number, body: unknown);
+}
+//# sourceMappingURL=errors.d.ts.map

package/dist/errors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../src/errors.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,sBAAsB,EACtB,uBAAuB,EACxB,MAAM,uBAAuB,CAAC;AAE/B,YAAY,EAAE,sBAAsB,EAAE,uBAAuB,EAAE,CAAC;AAEhE,qBAAa,wBAAyB,SAAQ,KAAK;IACjD,QAAQ,CAAC,IAAI,EAAE,sBAAsB,CAAC;IACtC,QAAQ,CAAC,eAAe,CAAC,EAAE,MAAM,CAAC;IAClC,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACtC,QAAQ,CAAC,iBAAiB,CAAC,EAAE,MAAM,CAAC;IACpC,QAAQ,CAAC,iBAAiB,CAAC,EAAE,MAAM,CAAC;IACpC,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,GAAG,IAAI,CAAC,CAAC;gBAE5D,KAAK,EAAE,uBAAuB;IAW1C,MAAM,IAAI,uBAAuB;CAWlC;AAED,qBAAa,qBAAsB,SAAQ,KAAK;gBAClC,OAAO,EAAE,MAAM;CAI5B;AAED,qBAAa,mBAAoB,SAAQ,KAAK;IAC5C,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAC;gBAEX,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO;CAM3D"}

package/dist/errors.js

@@ -0,0 +1,46 @@
+export class GlobiguardAuthorityError extends Error {
+    kind;
+    authorizationId;
+    queueEntryId;
+    evidencePackageId;
+    retryAfterSeconds;
+    safeDetails;
+    constructor(shape) {
+        super(shape.message);
+        this.name = "GlobiguardAuthorityError";
+        this.kind = shape.kind;
+        this.authorizationId = shape.authorizationId;
+        this.queueEntryId = shape.queueEntryId;
+        this.evidencePackageId = shape.evidencePackageId;
+        this.retryAfterSeconds = shape.retryAfterSeconds;
+        this.safeDetails = shape.safeDetails;
+    }
+    toJSON() {
+        return {
+            kind: this.kind,
+            message: this.message,
+            authorizationId: this.authorizationId,
+            queueEntryId: this.queueEntryId,
+            evidencePackageId: this.evidencePackageId,
+            retryAfterSeconds: this.retryAfterSeconds,
+            safeDetails: this.safeDetails
+        };
+    }
+}
+export class GlobiguardConfigError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = "GlobiguardConfigError";
+    }
+}
+export class GlobiguardHttpError extends Error {
+    status;
+    body;
+    constructor(message, status, body) {
+        super(message);
+        this.name = "GlobiguardHttpError";
+        this.status = status;
+        this.body = body;
+    }
+}
+//# sourceMappingURL=errors.js.map

package/dist/errors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.js","sourceRoot":"","sources":["../src/errors.ts"],"names":[],"mappings":"AAOA,MAAM,OAAO,wBAAyB,SAAQ,KAAK;IACxC,IAAI,CAAyB;IAC7B,eAAe,CAAU;IACzB,YAAY,CAAiB;IAC7B,iBAAiB,CAAU;IAC3B,iBAAiB,CAAU;IAC3B,WAAW,CAAoD;IAExE,YAAY,KAA8B;QACxC,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACrB,IAAI,CAAC,IAAI,GAAG,0BAA0B,CAAC;QACvC,IAAI,CAAC,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC;QACvB,IAAI,CAAC,eAAe,GAAG,KAAK,CAAC,eAAe,CAAC;QAC7C,IAAI,CAAC,YAAY,GAAG,KAAK,CAAC,YAAY,CAAC;QACvC,IAAI,CAAC,iBAAiB,GAAG,KAAK,CAAC,iBAAiB,CAAC;QACjD,IAAI,CAAC,iBAAiB,GAAG,KAAK,CAAC,iBAAiB,CAAC;QACjD,IAAI,CAAC,WAAW,GAAG,KAAK,CAAC,WAAW,CAAC;IACvC,CAAC;IAED,MAAM;QACJ,OAAO;YACL,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,eAAe,EAAE,IAAI,CAAC,eAAe;YACrC,YAAY,EAAE,IAAI,CAAC,YAAY;YAC/B,iBAAiB,EAAE,IAAI,CAAC,iBAAiB;YACzC,iBAAiB,EAAE,IAAI,CAAC,iBAAiB;YACzC,WAAW,EAAE,IAAI,CAAC,WAAW;SAC9B,CAAC;IACJ,CAAC;CACF;AAED,MAAM,OAAO,qBAAsB,SAAQ,KAAK;IAC9C,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,uBAAuB,CAAC;IACtC,CAAC;CACF;AAED,MAAM,OAAO,mBAAoB,SAAQ,KAAK;IACnC,MAAM,CAAS;IACf,IAAI,CAAU;IAEvB,YAAY,OAAe,EAAE,MAAc,EAAE,IAAa;QACxD,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,qBAAqB,CAAC;QAClC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;IACnB,CAAC;CACF"}

package/dist/fetch.d.ts

@@ -0,0 +1,21 @@
+import type { GlobiguardCredential, GlobiguardEnvironment } from "@globiguard/contracts";
+type QueryValue = string | number | boolean | null | undefined;
+export interface GlobiguardRequestOptions {
+    method?: string;
+    headers?: HeadersInit;
+    query?: Record<string, QueryValue>;
+    body?: unknown;
+    signal?: AbortSignal;
+}
+interface RequestJsonArgs {
+    baseUrl: string;
+    clientName: string;
+    credential: GlobiguardCredential;
+    environment: GlobiguardEnvironment;
+    fetchImpl: typeof fetch;
+    path: string;
+    options?: GlobiguardRequestOptions;
+}
+export declare function requestJson<TResponse>({ baseUrl, clientName, credential, environment, fetchImpl, path, options }: RequestJsonArgs): Promise<TResponse>;
+export {};
+//# sourceMappingURL=fetch.d.ts.map

package/dist/fetch.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"fetch.d.ts","sourceRoot":"","sources":["../src/fetch.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,oBAAoB,EACpB,qBAAqB,EACtB,MAAM,uBAAuB,CAAC;AAI/B,KAAK,UAAU,GAAG,MAAM,GAAG,MAAM,GAAG,OAAO,GAAG,IAAI,GAAG,SAAS,CAAC;AAE/D,MAAM,WAAW,wBAAwB;IACvC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,WAAW,CAAC;IACtB,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;IACnC,IAAI,CAAC,EAAE,OAAO,CAAC;IACf,MAAM,CAAC,EAAE,WAAW,CAAC;CACtB;AAED,UAAU,eAAe;IACvB,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,oBAAoB,CAAC;IACjC,WAAW,EAAE,qBAAqB,CAAC;IACnC,SAAS,EAAE,OAAO,KAAK,CAAC;IACxB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,CAAC,EAAE,wBAAwB,CAAC;CACpC;AAuKD,wBAAsB,WAAW,CAAC,SAAS,EAAE,EAC3C,OAAO,EACP,UAAU,EACV,UAAU,EACV,WAAW,EACX,SAAS,EACT,IAAI,EACJ,OAAO,EACR,EAAE,eAAe,GAAG,OAAO,CAAC,SAAS,CAAC,CAqDtC"}

package/dist/fetch.js

@@ -0,0 +1,151 @@
+import { GlobiguardConfigError, GlobiguardHttpError } from "./errors.js";
+function joinUrl(baseUrl, path) {
+    if (/^[a-zA-Z][a-zA-Z\d+\-.]*:/.test(path) || path.startsWith("//")) {
+        throw new GlobiguardConfigError("Request paths must be relative to the configured GlobiGuard service.");
+    }
+    if (!path.startsWith("/")) {
+        throw new GlobiguardConfigError("Request paths must start with '/'.");
+    }
+    if (path.includes("?") || path.includes("#")) {
+        throw new GlobiguardConfigError("Request paths must not include query strings or fragments.");
+    }
+    if (path.includes("\\")) {
+        throw new GlobiguardConfigError("Request paths must not contain backslashes.");
+    }
+    const normalizedBase = baseUrl.endsWith("/") ? baseUrl : `${baseUrl}/`;
+    const base = new URL(normalizedBase);
+    const trimmedPath = path.startsWith("/") ? path.slice(1) : path;
+    const segments = trimmedPath.split("/").filter(Boolean);
+    for (const segment of segments) {
+        let decodedSegment;
+        try {
+            decodedSegment = decodeURIComponent(segment);
+        }
+        catch {
+            throw new GlobiguardConfigError("Request paths must contain valid percent-encoding.");
+        }
+        if (decodedSegment === "." || decodedSegment === "..") {
+            throw new GlobiguardConfigError("Request paths must not contain dot segments.");
+        }
+    }
+    const url = new URL(trimmedPath, base);
+    if (url.origin !== base.origin) {
+        throw new GlobiguardConfigError("Resolved request URL must stay on the configured GlobiGuard origin.");
+    }
+    if (!url.pathname.startsWith(base.pathname)) {
+        throw new GlobiguardConfigError("Resolved request URL must stay under the configured GlobiGuard base path.");
+    }
+    return url;
+}
+function applyQuery(url, query) {
+    if (!query) {
+        return;
+    }
+    for (const [key, value] of Object.entries(query)) {
+        if (value === undefined || value === null) {
+            continue;
+        }
+        url.searchParams.set(key, String(value));
+    }
+}
+function buildCredentialHeaders(credential) {
+    const headers = new Headers();
+    if (credential.projectId) {
+        headers.set("x-globiguard-project-id", credential.projectId);
+    }
+    switch (credential.kind) {
+        case "publishable":
+            headers.set("x-globiguard-publishable-key", credential.token);
+            break;
+        case "secret":
+            headers.set("x-globiguard-secret-key", credential.token);
+            break;
+        case "local":
+            headers.set("x-globiguard-local-mode", "true");
+            if (credential.token) {
+                headers.set("x-globiguard-local-token", credential.token);
+            }
+            break;
+        default:
+            throw new GlobiguardConfigError("Unrecognized GlobiGuard credential kind.");
+    }
+    return headers;
+}
+function isReservedHeader(name) {
+    const normalized = name.toLowerCase();
+    return (normalized === "x-globiguard-client" ||
+        normalized === "x-globiguard-environment" ||
+        normalized === "x-globiguard-project-id" ||
+        normalized === "x-globiguard-publishable-key" ||
+        normalized === "x-globiguard-secret-key" ||
+        normalized === "x-globiguard-local-mode" ||
+        normalized === "x-globiguard-local-token");
+}
+function buildBody(body) {
+    if (body === undefined) {
+        return {
+            body: undefined,
+            setJsonContentType: false
+        };
+    }
+    if (ArrayBuffer.isView(body)) {
+        const bytes = new Uint8Array(body.buffer, body.byteOffset, body.byteLength);
+        return {
+            body: bytes.buffer.slice(bytes.byteOffset, bytes.byteOffset + bytes.byteLength),
+            setJsonContentType: false
+        };
+    }
+    if (typeof body === "string" ||
+        body instanceof Blob ||
+        body instanceof FormData ||
+        body instanceof URLSearchParams ||
+        body instanceof ArrayBuffer) {
+        return {
+            body,
+            setJsonContentType: false
+        };
+    }
+    return {
+        body: JSON.stringify(body),
+        setJsonContentType: true
+    };
+}
+export async function requestJson({ baseUrl, clientName, credential, environment, fetchImpl, path, options }) {
+    const url = joinUrl(baseUrl, path);
+    applyQuery(url, options?.query);
+    const callerHeaders = new Headers(options?.headers);
+    const headers = buildCredentialHeaders(credential);
+    callerHeaders.forEach((value, key) => {
+        if (!isReservedHeader(key)) {
+            headers.set(key, value);
+        }
+    });
+    headers.set("x-globiguard-client", clientName);
+    headers.set("x-globiguard-environment", environment);
+    const requestBody = buildBody(options?.body);
+    if (requestBody.setJsonContentType &&
+        !headers.has("content-type") &&
+        !(requestBody.body instanceof FormData)) {
+        headers.set("content-type", "application/json");
+    }
+    const response = await fetchImpl(url, {
+        method: options?.method ?? "GET",
+        headers,
+        body: requestBody.body,
+        signal: options?.signal
+    });
+    const hasNoContent = response.status === 204 ||
+        response.status === 205 ||
+        response.headers.get("content-length") === "0";
+    const contentType = response.headers.get("content-type") ?? "";
+    const responseBody = hasNoContent
+        ? undefined
+        : contentType.includes("application/json")
+            ? await response.json()
+            : await response.text();
+    if (!response.ok) {
+        throw new GlobiguardHttpError(`GlobiGuard request failed with status ${response.status}.`, response.status, responseBody);
+    }
+    return responseBody;
+}
+//# sourceMappingURL=fetch.js.map

package/dist/fetch.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"fetch.js","sourceRoot":"","sources":["../src/fetch.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,qBAAqB,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAsBzE,SAAS,OAAO,CAAC,OAAe,EAAE,IAAY;IAC5C,IAAI,2BAA2B,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QACpE,MAAM,IAAI,qBAAqB,CAC7B,sEAAsE,CACvE,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QAC1B,MAAM,IAAI,qBAAqB,CAAC,oCAAoC,CAAC,CAAC;IACxE,CAAC;IAED,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QAC7C,MAAM,IAAI,qBAAqB,CAC7B,4DAA4D,CAC7D,CAAC;IACJ,CAAC;IAED,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QACxB,MAAM,IAAI,qBAAqB,CAC7B,6CAA6C,CAC9C,CAAC;IACJ,CAAC;IAED,MAAM,cAAc,GAAG,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,OAAO,GAAG,CAAC;IACvE,MAAM,IAAI,GAAG,IAAI,GAAG,CAAC,cAAc,CAAC,CAAC;IACrC,MAAM,WAAW,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAChE,MAAM,QAAQ,GAAG,WAAW,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAExD,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,IAAI,cAAsB,CAAC;QAC3B,IAAI,CAAC;YACH,cAAc,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAC;QAC/C,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,qBAAqB,CAC7B,oDAAoD,CACrD,CAAC;QACJ,CAAC;QAED,IAAI,cAAc,KAAK,GAAG,IAAI,cAAc,KAAK,IAAI,EAAE,CAAC;YACtD,MAAM,IAAI,qBAAqB,CAC7B,8CAA8C,CAC/C,CAAC;QACJ,CAAC;IACH,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,WAAW,EAAE,IAAI,CAAC,CAAC;IAEvC,IAAI,GAAG,CAAC,MAAM,KAAK,IAAI,CAAC,MAAM,EAAE,CAAC;QAC/B,MAAM,IAAI,qBAAqB,CAC7B,qEAAqE,CACtE,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC5C,MAAM,IAAI,qBAAqB,CAC7B,2EAA2E,CAC5E,CAAC;IACJ,CAAC;IAED,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,UAAU,CAAC,GAAQ,EAAE,KAAkC;IAC9D,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO;IACT,CAAC;IAED,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACjD,IAAI,KAAK,KAAK,SAAS,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;YAC1C,SAAS;QACX,CAAC;QAED,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,GAAG,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;IAC3C,CAAC;AACH,CAAC;AAED,SAAS,sBAAsB,CAAC,UAAgC;IAC9D,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAC;IAE9B,IAAI,UAAU,CAAC,SAAS,EAAE,CAAC;QACzB,OAAO,CAAC,GAAG,CAAC,yBAAyB,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC;IAC/D,CAAC;IAED,QAAQ,UAAU,CAAC,IAAI,EAAE,CAAC;QACxB,KAAK,aAAa;YAChB,OAAO,CAAC,GAAG,CAAC,8BAA8B,EAAE,UAAU,CAAC,KAAK,CAAC,CAAC;YAC9D,MAAM;QACR,KAAK,QAAQ;YACX,OAAO,CAAC,GAAG,CAAC,yBAAyB,EAAE,UAAU,CAAC,KAAK,CAAC,CAAC;YACzD,MAAM;QACR,KAAK,OAAO;YACV,OAAO,CAAC,GAAG,CAAC,yBAAyB,EAAE,MAAM,CAAC,CAAC;YAC/C,IAAI,UAAU,CAAC,KAAK,EAAE,CAAC;gBACrB,OAAO,CAAC,GAAG,CAAC,0BAA0B,EAAE,UAAU,CAAC,KAAK,CAAC,CAAC;YAC5D,CAAC;YACD,MAAM;QACR;YACE,MAAM,IAAI,qBAAqB,CAC7B,0CAA0C,CAC3C,CAAC;IACN,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,gBAAgB,CAAC,IAAY;IACpC,MAAM,UAAU,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;IAEtC,OAAO,CACL,UAAU,KAAK,qBAAqB;QACpC,UAAU,KAAK,0BAA0B;QACzC,UAAU,KAAK,yBAAyB;QACxC,UAAU,KAAK,8BAA8B;QAC7C,UAAU,KAAK,yBAAyB;QACxC,UAAU,KAAK,yBAAyB;QACxC,UAAU,KAAK,0BAA0B,CAC1C,CAAC;AACJ,CAAC;AAED,SAAS,SAAS,CAAC,IAAa;IAI9B,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;QACvB,OAAO;YACL,IAAI,EAAE,SAAS;YACf,kBAAkB,EAAE,KAAK;SAC1B,CAAC;IACJ,CAAC;IAED,IAAI,WAAW,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;QAC7B,MAAM,KAAK,GAAG,IAAI,UAAU,CAC1B,IAAI,CAAC,MAAqB,EAC1B,IAAI,CAAC,UAAU,EACf,IAAI,CAAC,UAAU,CAChB,CAAC;QAEF,OAAO;YACL,IAAI,EAAE,KAAK,CAAC,MAAM,CAAC,KAAK,CACtB,KAAK,CAAC,UAAU,EAChB,KAAK,CAAC,UAAU,GAAG,KAAK,CAAC,UAAU,CACpC;YACD,kBAAkB,EAAE,KAAK;SAC1B,CAAC;IACJ,CAAC;IAED,IACE,OAAO,IAAI,KAAK,QAAQ;QACxB,IAAI,YAAY,IAAI;QACpB,IAAI,YAAY,QAAQ;QACxB,IAAI,YAAY,eAAe;QAC/B,IAAI,YAAY,WAAW,EAC3B,CAAC;QACD,OAAO;YACL,IAAI;YACJ,kBAAkB,EAAE,KAAK;SAC1B,CAAC;IACJ,CAAC;IAED,OAAO;QACL,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC;QAC1B,kBAAkB,EAAE,IAAI;KACzB,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,WAAW,CAAY,EAC3C,OAAO,EACP,UAAU,EACV,UAAU,EACV,WAAW,EACX,SAAS,EACT,IAAI,EACJ,OAAO,EACS;IAChB,MAAM,GAAG,GAAG,OAAO,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;IACnC,UAAU,CAAC,GAAG,EAAE,OAAO,EAAE,KAAK,CAAC,CAAC;IAEhC,MAAM,aAAa,GAAG,IAAI,OAAO,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IACpD,MAAM,OAAO,GAAG,sBAAsB,CAAC,UAAU,CAAC,CAAC;IAEnD,aAAa,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;QACnC,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,EAAE,CAAC;YAC3B,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QAC1B,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,CAAC,GAAG,CAAC,qBAAqB,EAAE,UAAU,CAAC,CAAC;IAC/C,OAAO,CAAC,GAAG,CAAC,0BAA0B,EAAE,WAAW,CAAC,CAAC;IAErD,MAAM,WAAW,GAAG,SAAS,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;IAC7C,IACE,WAAW,CAAC,kBAAkB;QAC9B,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC;QAC5B,CAAC,CAAC,WAAW,CAAC,IAAI,YAAY,QAAQ,CAAC,EACvC,CAAC;QACD,OAAO,CAAC,GAAG,CAAC,cAAc,EAAE,kBAAkB,CAAC,CAAC;IAClD,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,SAAS,CAAC,GAAG,EAAE;QACpC,MAAM,EAAE,OAAO,EAAE,MAAM,IAAI,KAAK;QAChC,OAAO;QACP,IAAI,EAAE,WAAW,CAAC,IAAI;QACtB,MAAM,EAAE,OAAO,EAAE,MAAM;KACxB,CAAC,CAAC;IAEH,MAAM,YAAY,GAChB,QAAQ,CAAC,MAAM,KAAK,GAAG;QACvB,QAAQ,CAAC,MAAM,KAAK,GAAG;QACvB,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,KAAK,GAAG,CAAC;IAEjD,MAAM,WAAW,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,EAAE,CAAC;IAC/D,MAAM,YAAY,GAAG,YAAY;QAC/B,CAAC,CAAC,SAAS;QACX,CAAC,CAAC,WAAW,CAAC,QAAQ,CAAC,kBAAkB,CAAC;YACxC,CAAC,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE;YACvB,CAAC,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IAE5B,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,mBAAmB,CAC3B,yCAAyC,QAAQ,CAAC,MAAM,GAAG,EAC3D,QAAQ,CAAC,MAAM,EACf,YAAY,CACb,CAAC;IACJ,CAAC;IAED,OAAO,YAAyB,CAAC;AACnC,CAAC"}

package/dist/governed-actions.d.ts

@@ -0,0 +1,34 @@
+import type { GlobiguardActionAuthorizationRequest, GlobiguardActionAuthorizationResponse, GlobiguardActionsClient, GlobiguardApproval, GlobiguardApprovalCreateRequest, GlobiguardAuditClient, GlobiguardEvidenceListRequest, GlobiguardEvidencePackageSummary, GlobiguardEvidenceRef, GlobiguardIncidentReplay, GlobiguardIncidentReplayLookupRequest, GlobiguardQueueEntry, GlobiguardQueueReadClient } from "@globiguard/contracts";
+export interface GlobiguardGovernedActionRuntimeConfig {
+    actions: GlobiguardActionsClient;
+    audit: GlobiguardAuditClient;
+    queue: GlobiguardQueueReadClient;
+}
+export interface GlobiguardWaitForApprovalOptions {
+    queueEntryId: string;
+    signal?: AbortSignal;
+    maxAttempts?: number;
+    intervalMs?: number;
+}
+export interface GlobiguardIdempotencyKeyInput {
+    stableSeed: string;
+    actionType: string;
+    actorId?: string;
+    payloadSha256?: string;
+    windowBucket?: string;
+}
+export interface GlobiguardGovernedActionsClient {
+    authorizeAction(request: GlobiguardActionAuthorizationRequest): Promise<GlobiguardActionAuthorizationResponse>;
+    authorizeActionOrThrow(request: GlobiguardActionAuthorizationRequest): Promise<GlobiguardActionAuthorizationResponse>;
+    requestApproval(request: GlobiguardApprovalCreateRequest): Promise<GlobiguardApproval>;
+    getApprovalStatus(approvalId: string): Promise<GlobiguardApproval>;
+    getEvidenceReferences(request?: GlobiguardEvidenceListRequest): Promise<GlobiguardEvidenceRef[]>;
+    exportEvidencePackage(request?: Parameters<GlobiguardAuditClient["export"]>[0]): ReturnType<GlobiguardAuditClient["export"]>;
+    getEvidencePackageSummary(evidencePackageId: string): Promise<GlobiguardEvidencePackageSummary>;
+    getIncidentReplay(request: GlobiguardIncidentReplayLookupRequest): Promise<GlobiguardIncidentReplay>;
+    waitForApproval(options: GlobiguardWaitForApprovalOptions): Promise<GlobiguardQueueEntry>;
+}
+export declare function createGovernedActionsClient(config: GlobiguardGovernedActionRuntimeConfig): GlobiguardGovernedActionsClient;
+export declare function deriveActionIdempotencyKey(input: GlobiguardIdempotencyKeyInput): Promise<string>;
+export declare function generateCorrelationId(): string;
+//# sourceMappingURL=governed-actions.d.ts.map

package/dist/governed-actions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"governed-actions.d.ts","sourceRoot":"","sources":["../src/governed-actions.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,oCAAoC,EACpC,qCAAqC,EACrC,uBAAuB,EACvB,kBAAkB,EAClB,+BAA+B,EAC/B,qBAAqB,EACrB,6BAA6B,EAC7B,gCAAgC,EAChC,qBAAqB,EACrB,wBAAwB,EACxB,qCAAqC,EACrC,oBAAoB,EACpB,yBAAyB,EAC1B,MAAM,uBAAuB,CAAC;AAI/B,MAAM,WAAW,qCAAqC;IACpD,OAAO,EAAE,uBAAuB,CAAC;IACjC,KAAK,EAAE,qBAAqB,CAAC;IAC7B,KAAK,EAAE,yBAAyB,CAAC;CAClC;AAED,MAAM,WAAW,gCAAgC;IAC/C,YAAY,EAAE,MAAM,CAAC;IACrB,MAAM,CAAC,EAAE,WAAW,CAAC;IACrB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,6BAA6B;IAC5C,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,+BAA+B;IAC9C,eAAe,CACb,OAAO,EAAE,oCAAoC,GAC5C,OAAO,CAAC,qCAAqC,CAAC,CAAC;IAClD,sBAAsB,CACpB,OAAO,EAAE,oCAAoC,GAC5C,OAAO,CAAC,qCAAqC,CAAC,CAAC;IAClD,eAAe,CAAC,OAAO,EAAE,+BAA+B,GAAG,OAAO,CAAC,kBAAkB,CAAC,CAAC;IACvF,iBAAiB,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,CAAC,CAAC;IACnE,qBAAqB,CACnB,OAAO,CAAC,EAAE,6BAA6B,GACtC,OAAO,CAAC,qBAAqB,EAAE,CAAC,CAAC;IACpC,qBAAqB,CACnB,OAAO,CAAC,EAAE,UAAU,CAAC,qBAAqB,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,GACvD,UAAU,CAAC,qBAAqB,CAAC,QAAQ,CAAC,CAAC,CAAC;IAC/C,yBAAyB,CACvB,iBAAiB,EAAE,MAAM,GACxB,OAAO,CAAC,gCAAgC,CAAC,CAAC;IAC7C,iBAAiB,CACf,OAAO,EAAE,qCAAqC,GAC7C,OAAO,CAAC,wBAAwB,CAAC,CAAC;IACrC,eAAe,CAAC,OAAO,EAAE,gCAAgC,GAAG,OAAO,CAAC,oBAAoB,CAAC,CAAC;CAC3F;AAED,wBAAgB,2BAA2B,CACzC,MAAM,EAAE,qCAAqC,GAC5C,+BAA+B,CAkEjC;AAED,wBAAsB,0BAA0B,CAC9C,KAAK,EAAE,6BAA6B,GACnC,OAAO,CAAC,MAAM,CAAC,CAcjB;AAED,wBAAgB,qBAAqB,IAAI,MAAM,CAY9C"}