@graphrefly/graphrefly 0.41.0 → 0.43.0

package/dist/index-Ck35nA-T.d.ts

@@ -1,244 +0,0 @@
-import { A as Actor, N as Node, P as PolicyRuleData, G as GuardAction } from './node-BYInONRr.js';
-import { G as Graph, a as GraphOptions, c as GraphPersistSnapshot } from './graph-BkIkog4h.js';
-import { T as TopicGraph } from './index-40ZT4MHj.js';
-
-/**
- * Audit, policy enforcement, and compliance export (roadmap §9.2).
- *
- * Three composed factories that wrap any {@link Graph} with the harness
- * accountability layer:
- *
- * - {@link auditTrail} — reactive mutation log with by-node/by-actor/by-time
- *   queries.
- * - {@link policyGate} — reactive ABAC gate (Tier 2.3 rename of
- *   `policyEnforcer`); in `"audit"` mode records would-be denials, in
- *   `"enforce"` mode pushes guards onto target nodes so subsequent writes
- *   throw {@link GuardDenied}.
- * - {@link complianceSnapshot} — point-in-time export of graph state +
- *   audit trail + policies for regulatory archival.
- *
- * @module
- */
-
-/** A single recorded mutation/event in an {@link AuditTrailGraph}. */
-interface AuditEntry {
-    seq: number;
-    timestamp_ns: number;
-    wall_clock_ns: number;
-    path: string;
-    type: "data" | "dirty" | "resolved" | "invalidate" | "pause" | "resume" | "complete" | "error" | "teardown";
-    actor?: Actor;
-    value?: unknown;
-    error?: unknown;
-    annotation?: string;
-}
-/** Options for {@link auditTrail}. */
-interface AuditTrailOptions {
-    name?: string;
-    graph?: GraphOptions;
-    /** Ring-buffer cap for the underlying `reactiveLog`. Default: unbounded. */
-    maxSize?: number;
-    /**
-     * Which event types to record. Default: `["data", "error", "complete",
-     * "teardown"]` — the user-meaningful set. Opt in to mid-wave protocol
-     * events (`"dirty"`, `"resolved"`, `"invalidate"`, `"pause"`, `"resume"`)
-     * by listing them explicitly. Note: those tier-1/tier-2 events do not
-     * carry an `actor` (no `lastMutation` populated) — record them only for
-     * protocol-level diagnostics.
-     */
-    includeTypes?: readonly AuditEntry["type"][];
-    /** Per-event filter; return false to skip. */
-    filter?: (entry: AuditEntry) => boolean;
-}
-/**
- * Mounted audit log — `entries` exposes the reactive `AuditEntry[]`; query
- * helpers are sync convenience wrappers over the cached snapshot.
- */
-declare class AuditTrailGraph extends Graph {
-    readonly entries: Node<readonly AuditEntry[]>;
-    readonly count: Node<number>;
-    private readonly _log;
-    private readonly _target;
-    constructor(target: Graph, opts: AuditTrailOptions);
-    /** All entries currently in the ring (snapshot). */
-    all(): readonly AuditEntry[];
-    /** Entries matching `path`. Order preserved. */
-    byNode(path: string): readonly AuditEntry[];
-    /** Entries whose `actor.id` matches. Use `byActorType` for type filtering. */
-    byActor(actorId: string): readonly AuditEntry[];
-    /** Entries whose `actor.type` matches (e.g. `"llm"`, `"human"`). */
-    byActorType(type: string): readonly AuditEntry[];
-    /**
-     * Entries with `timestamp_ns` in `[start_ns, end_ns)` (end exclusive).
-     * Omit `end_ns` to query open-ended.
-     */
-    byTimeRange(start_ns: number, end_ns?: number): readonly AuditEntry[];
-    /** Reference to the audited graph (escape hatch for tooling). */
-    get target(): Graph;
-}
-/**
- * Wraps any {@link Graph} with a reactive audit trail recording every event
- * matching `includeTypes` (default: data + error + complete + teardown).
- *
- * Each entry carries `seq`, `timestamp_ns` (monotonic), `wall_clock_ns`,
- * `path`, `type`, and — when available — `actor`, `value`, `error`, and the
- * `graph.trace()` reasoning annotation for the path.
- *
- * The returned graph mounts an `entries` node + `count` derived. Query
- * helpers (`byNode`, `byActor`, `byTimeRange`) operate on the cached
- * snapshot synchronously.
- */
-declare function auditTrail(target: Graph, opts?: AuditTrailOptions): AuditTrailGraph;
-/** A single policy denial recorded by {@link PolicyGateGraph}. */
-interface PolicyViolation {
-    timestamp_ns: number;
-    wall_clock_ns: number;
-    path: string;
-    actor: Actor;
-    action: GuardAction;
-    mode: "audit" | "enforce";
-    /** `"observed"` (audit mode after-the-fact) or `"blocked"` (enforce mode pre-write). */
-    result: "observed" | "blocked";
-}
-/** Options for {@link policyGate}. */
-interface PolicyGateOptions {
-    name?: string;
-    graph?: GraphOptions;
-    /**
-     * `"audit"` (default) — observe events and record would-be denials;
-     * does not block writes. Audit mode requires `lastMutation` attribution
-     * on the audited node — anonymous/internal writes (no `actor` passed,
-     * unguarded node) are skipped silently because the policy cannot be
-     * evaluated without an actor.
-     *
-     * `"enforce"` — push guards onto target nodes so disallowed writes
-     * throw {@link GuardDenied}. Reverted on dispose.
-     */
-    mode?: "audit" | "enforce";
-    /**
-     * Restrict enforcement to specific node paths (qualified). When omitted,
-     * applies to every node visible in `target.describe()` at construction
-     * time (subgraphs are walked transitively) AND subscribes to the full
-     * topology tree via {@link watchTopologyTree}, so nodes added to
-     * `target` OR any transitively-mounted subgraph after construction are
-     * guarded automatically (enforce mode only).
-     *
-     * Accepts a static `readonly string[]` or a reactive
-     * `Node<readonly string[]>` (Tier 3.4 — F.9 reactive primitive carve-out).
-     * When a `Node` is passed, the enforcer rebinds the guarded path set on
-     * every emission: paths added to the new set get wrapped, paths removed
-     * from the new set get released, and the audit-mode allow-list filter
-     * uses the latest cached value. Static-array callers retain the current
-     * "caller owns the path set" semantics.
-     *
-     * **Cost:** unrestricted mode runs `describe({detail:"minimal"})` once
-     * at construction (O(N) over the graph tree) plus one topology
-     * subscription per graph instance in the mount tree. Restricted mode
-     * (static or reactive) skips both and disables `watchTopologyTree`
-     * dynamic coverage — for reactive callers, the path-set Node is the
-     * single source of truth for which paths are guarded.
-     */
-    paths?: readonly string[] | Node<readonly string[]>;
-    /**
-     * Ring-buffer cap for the violations topic. Default: 1000. Static
-     * number only — reactive form is deferred pending TopicGraph reactive
-     * `retainedLimit` support (see Tier 10.8 design follow-up in
-     * `docs/optimizations.md`).
-     */
-    violationsLimit?: number;
-}
-/**
- * Reactive ABAC enforcement layer. Policies are reactive — pass a
- * `Node<readonly PolicyRuleData[]>` to allow LLMs (or any reactive source)
- * to update them at runtime; the enforcer rebinds its internal
- * {@link NodeGuard} on every push.
- */
-declare class PolicyGateGraph extends Graph {
-    readonly policies: Node<readonly PolicyRuleData[]>;
-    readonly violations: TopicGraph<PolicyViolation>;
-    readonly violationCount: Node<number>;
-    private readonly _target;
-    private readonly _mode;
-    private _currentGuard;
-    constructor(target: Graph, policies: readonly PolicyRuleData[] | Node<readonly PolicyRuleData[]>, opts: PolicyGateOptions);
-    private _publishViolation;
-    /** Snapshot of recorded violations. */
-    all(): readonly PolicyViolation[];
-    get mode(): "audit" | "enforce";
-    get target(): Graph;
-}
-/**
- * Wraps a {@link Graph} with reactive policy enforcement. Pass either a
- * static rule list or a {@link Node} of rules (LLM-updatable). Records
- * `PolicyViolation` entries to `violations` topic; in `"enforce"` mode also
- * pushes guards onto target nodes so disallowed writes throw.
- *
- * Self-tags via `g.tagFactory("policyGate", placeholderArgs(opts))` so
- * `graph.describe()` surfaces `factory: "policyGate"` provenance (Phase 2.5
- * DT5 ride-along, locked with the Tier 2.3 rename).
- */
-declare function policyGate(target: Graph, policies: readonly PolicyRuleData[] | Node<readonly PolicyRuleData[]>, opts?: PolicyGateOptions): PolicyGateGraph;
-/** Options for {@link complianceSnapshot}. */
-interface ComplianceSnapshotOptions {
-    audit?: AuditTrailGraph;
-    policies?: PolicyGateGraph;
-    /** Actor recorded as the snapshot taker. */
-    actor?: Actor;
-}
-/** Output of {@link complianceSnapshot}. JSON-serializable. */
-interface ComplianceSnapshotResult {
-    format_version: 1;
-    timestamp_ns: number;
-    wall_clock_ns: number;
-    actor?: Actor;
-    graph: GraphPersistSnapshot;
-    audit?: {
-        count: number;
-        entries: AuditEntry[];
-    };
-    policies?: {
-        mode: "audit" | "enforce";
-        rules: readonly PolicyRuleData[];
-        violations: readonly PolicyViolation[];
-    };
-    /**
-     * Truncated SHA-256 hex (16 chars / ~64 bits) over a canonical encoding
-     * of every field above (excluding `fingerprint` itself). Deterministic
-     * across runs given identical inputs. Suitable for casual tamper-evidence
-     * and content-addressed dedup; for full cryptographic strength, hash the
-     * canonical JSON externally with Web Crypto / Node `crypto`.
-     */
-    fingerprint: string;
-}
-/**
- * One-shot point-in-time export of a {@link Graph}'s state plus optional
- * audit + policy bundles. Returns a JSON-serializable object with a
- * deterministic truncated-SHA-256 {@link ComplianceSnapshotResult.fingerprint}
- * over the canonical payload for tamper-evidence in regulatory archival.
- *
- * **Cryptographic strength:** the fingerprint is truncated to 64 bits for
- * compact archival. Collision-resistant for casual integrity checks but NOT
- * sufficient for adversarial tamper-evidence — pair with a full SHA-256
- * (or stronger) over the canonical JSON when regulatory requirements demand
- * collision resistance.
- */
-declare function complianceSnapshot(target: Graph, opts?: ComplianceSnapshotOptions): ComplianceSnapshotResult;
-
-type index_AuditEntry = AuditEntry;
-type index_AuditTrailGraph = AuditTrailGraph;
-declare const index_AuditTrailGraph: typeof AuditTrailGraph;
-type index_AuditTrailOptions = AuditTrailOptions;
-type index_ComplianceSnapshotOptions = ComplianceSnapshotOptions;
-type index_ComplianceSnapshotResult = ComplianceSnapshotResult;
-type index_PolicyGateGraph = PolicyGateGraph;
-declare const index_PolicyGateGraph: typeof PolicyGateGraph;
-type index_PolicyGateOptions = PolicyGateOptions;
-type index_PolicyViolation = PolicyViolation;
-declare const index_auditTrail: typeof auditTrail;
-declare const index_complianceSnapshot: typeof complianceSnapshot;
-declare const index_policyGate: typeof policyGate;
-declare namespace index {
-  export { type index_AuditEntry as AuditEntry, index_AuditTrailGraph as AuditTrailGraph, type index_AuditTrailOptions as AuditTrailOptions, type index_ComplianceSnapshotOptions as ComplianceSnapshotOptions, type index_ComplianceSnapshotResult as ComplianceSnapshotResult, index_PolicyGateGraph as PolicyGateGraph, type index_PolicyGateOptions as PolicyGateOptions, type index_PolicyViolation as PolicyViolation, index_auditTrail as auditTrail, index_complianceSnapshot as complianceSnapshot, index_policyGate as policyGate };
-}
-
-export { type AuditEntry as A, type ComplianceSnapshotOptions as C, PolicyGateGraph as P, type PolicyViolation as a, AuditTrailGraph as b, type AuditTrailOptions as c, type ComplianceSnapshotResult as d, type PolicyGateOptions as e, auditTrail as f, complianceSnapshot as g, index as i, policyGate as p };

package/dist/index-CuPUehFa.d.cts

@@ -1,218 +0,0 @@
-import { N as Node, A as Actor, P as PolicyRuleData } from './node-BYInONRr.cjs';
-import { G as Graph, b as GraphDescribeOutput, a as GraphOptions, d as GraphDescribeOptions, D as DescribeFilter } from './graph-E6likq7w.cjs';
-import { P as PolicyGateGraph, a as PolicyViolation } from './index-BmSQLAZo.cjs';
-import { T as TopicGraph } from './index-Cnr1WrlX.cjs';
-
-/**
- * Composable safety layer (roadmap §9.0b — Tier 5.1 Wave-B rebuild).
- *
- * {@link guardedExecution} wraps any {@link Graph} with:
- *
- * - {@link policyGate} — reactive ABAC (Tier 2.3 rename of `policyEnforcer`),
- *   policies stored as a `Node` so LLMs / humans can update them at runtime.
- *   Full transitive dynamic coverage via `watchTopologyTree`.
- * - Reactive {@link GuardedExecutionGraph.scopedDescribeNode} — a thin
- *   delegate over `target.describe({ reactive: true, actor })` that re-derives
- *   on every settle (topology change, error transition, actor swap).
- * - The enforcer's `violations` topic is republished as `violations` on
- *   the wrapper, composable with {@link graphLens}'s `health`.
- * - The wrapper-level `lints` topic surfaces non-policy diagnostic warnings
- *   (`empty-policies` / `audit-no-effect` / `no-actor`) so misconfigurations
- *   are caught reactively rather than via thrown errors at scattered call sites.
- * - The `scope` derived publishes the current configuration tuple
- *   (`{actor, mode, policiesCount}`) for dashboards.
- *
- * V1 scope: policies + actor + reactive scoped describe + lints + scope.
- * Budget-as-option is NOT in V1 — it requires a cost-tracking design that
- * hasn't landed yet. Callers who need a budget limit today append a
- * budget-aware {@link PolicyRuleData} to the policies list (check current
- * cost and `deny` when exhausted).
- *
- * @module
- */
-
-/** Diagnostic warning published on {@link GuardedExecutionGraph.lints}. */
-interface GuardedExecutionLint {
-    /**
-     * - `"empty-policies"` — `policies` Node emitted an empty array in
-     *   `mode: "enforce"`. Static empty arrays throw at construction; this
-     *   covers the reactive case.
-     * - `"audit-no-effect"` — `mode: "audit"` plus the target has no per-node
-     *   guards, so `scopedDescribeNode` filters by per-node guards only and
-     *   policies will never gate visibility (they still populate `violations`
-     *   on writes).
-     * - `"no-actor"` — neither a wrapper-configured nor per-call actor was
-     *   supplied. `scopedDescribeNode` falls back to "describe everything"
-     *   for the corresponding subscription.
-     */
-    kind: "empty-policies" | "audit-no-effect" | "no-actor";
-    message: string;
-    timestamp_ns: number;
-}
-/** Configuration tuple published on {@link GuardedExecutionGraph.scope}. */
-interface GuardedScope {
-    /** The wrapper-configured default actor, or `null` when none configured. */
-    actor: Actor | null;
-    mode: "audit" | "enforce";
-    /** Current policy count (reactive — re-emits on `policies` Node updates). */
-    policiesCount: number;
-}
-/** Options for {@link guardedExecution}. */
-interface GuardedExecutionOptions {
-    /**
-     * Policies enforced against every guarded write. Static list or a live
-     * `Node<readonly PolicyRuleData[]>` (LLM-updatable).
-     *
-     * **Empty-policies handling:**
-     * - Static empty array + `mode: "enforce"` throws `RangeError` at
-     *   construction (deny-by-default is almost certainly a misconfiguration).
-     * - Node-supplied empty array + `mode: "enforce"` emits a one-time
-     *   `"empty-policies"` lint on first such emission (the wrapper can't
-     *   throw mid-run — surface the warning reactively).
-     * - `mode: "audit"` tolerates empty policies (no guards stacked; policies
-     *   only feed the `violations` channel on writes).
-     */
-    policies: readonly PolicyRuleData[] | Node<readonly PolicyRuleData[]>;
-    /**
-     * Default actor used when the caller invokes
-     * {@link GuardedExecutionGraph.scopedDescribeNode} without an override.
-     * Accepts a static {@link Actor} or a `Node<Actor>` — when a Node is
-     * supplied, the reactive describe re-derives on every actor emission so
-     * harnesses binding a per-turn actor get a single live describe Node
-     * instead of re-creating one per turn.
-     *
-     * Omit to scope per-call only. A `"no-actor"` lint fires once per instance
-     * if neither a configured nor per-call actor is ever supplied (the
-     * resulting describe is unscoped — full visibility).
-     */
-    actor?: Actor | Node<Actor>;
-    /**
-     * `"enforce"` (default) — push guards onto target nodes so disallowed
-     * writes throw {@link GuardDenied}.
-     * `"audit"` — record would-be denials to the `violations` topic without
-     * blocking writes.
-     */
-    mode?: "audit" | "enforce";
-    /** Ring-buffer cap for the `violations` topic. Default 1000 (inherited from policyGate). */
-    violationsLimit?: number;
-    /** Ring-buffer cap for the `lints` topic. Default 64 — each lint kind fires at most once per instance. */
-    lintsLimit?: number;
-    /** Wrapper graph name. Default `${target.name}_guarded`. */
-    name?: string;
-    /** Wrapper graph options. */
-    graph?: GraphOptions;
-}
-/**
- * Wrapper over a target {@link Graph} providing reactive ABAC + reactive
- * scoped describe + diagnostic lints. Mounts a {@link PolicyGateGraph} under
- * `enforcer`, a {@link TopicGraph} of {@link GuardedExecutionLint} under
- * `lints`, and a `scope` derived publishing `{actor, mode, policiesCount}`.
- *
- * @category patterns
- */
-declare class GuardedExecutionGraph extends Graph {
-    readonly enforcer: PolicyGateGraph;
-    readonly violations: TopicGraph<PolicyViolation>;
-    readonly lints: TopicGraph<GuardedExecutionLint>;
-    readonly scope: Node<GuardedScope>;
-    /**
-     * Canonical reactive describe scoped to the wrapper's configured `actor`.
-     * Subscribes ONCE at construction; lifecycle owned by the wrapper (disposed
-     * on `wrapper.destroy()`). Use this property for the common case
-     * (long-lived consumer wanting "describe scoped to my actor"); use
-     * {@link scopedDescribeNode} only when a per-call actor override or
-     * different `detail`/`fields` is required.
-     *
-     * Re-derives on every settle of the target graph: structural changes,
-     * status transitions (errors flip nodes into `"errored"`), and actor
-     * emissions (when a `Node<Actor>` is bound, including the SENTINEL bridge
-     * applied internally — see qa G1B).
-     */
-    readonly scopedDescribe: Node<GraphDescribeOutput>;
-    private readonly _target;
-    private readonly _actorNode;
-    private readonly _mode;
-    private readonly _firedLintKinds;
-    constructor(target: Graph, opts: GuardedExecutionOptions);
-    private _fireLint;
-    /**
-     * **Per-call escape hatch.** Prefer {@link scopedDescribe} (the mounted
-     * property) for the common case of "describe scoped to my actor." Use
-     * this method ONLY when you need a per-call actor override or different
-     * `detail`/`fields`/`filter`.
-     *
-     * Returns a live `Node<GraphDescribeOutput>` scoped to the supplied (or
-     * configured) actor, plus an explicit `dispose` for caller-controlled
-     * lifecycle. Re-derives on every settle of the target graph: structural
-     * changes, status transitions, and actor emissions (when a `Node<Actor>`
-     * is bound).
-     *
-     * **Lifecycle (qa G1A — EC1 fix).** Each call instantiates a fresh
-     * `target.describe({reactive: true})` handle (with its own version state,
-     * observe handle, transitive topology subscriptions, derived + keepalive).
-     * The caller MUST invoke the returned `dispose()` when finished to release
-     * these resources. Disposers ARE also tracked on the wrapper graph so
-     * `wrapper.destroy()` cleans up any handles the caller forgot — but a
-     * long-lived wrapper with heavy per-call usage will leak until destroy
-     * unless `dispose()` is called explicitly.
-     *
-     * @param actorOverride - Optional per-call override. Static {@link Actor}
-     *   or `Node<Actor>`. Omit to use the wrapper-configured default.
-     * @param opts - Standard {@link GraphDescribeOptions} fields (`detail`,
-     *   `fields`, `filter`). `actor` / `reactive` / `reactiveName` are
-     *   controlled by the wrapper.
-     * @returns `{node, dispose}` — `node` is the live describe Node; `dispose`
-     *   tears down the underlying reactive describe subscription idempotently.
-     */
-    scopedDescribeNode(actorOverride?: Actor | Node<Actor>, opts?: Omit<GraphDescribeOptions, "actor" | "reactive" | "reactiveName">): {
-        node: Node<GraphDescribeOutput>;
-        dispose: () => void;
-    };
-    /** The wrapped graph (escape hatch for tooling). */
-    get target(): Graph;
-}
-/**
- * Wrap a {@link Graph} with {@link policyGate} plus a reactive scoped describe
- * lens. Returns a {@link GuardedExecutionGraph} that can be mounted, diffed,
- * or composed with {@link graphLens}.
- *
- * @param target - The graph to guard.
- * @param opts - See {@link GuardedExecutionOptions}.
- *
- * @example
- * ```ts
- * const guarded = guardedExecution(app, {
- *   actor: state<Actor>({ type: "human", id: "alice" }), // reactive — re-derive on swap
- *   policies: [
- *     { effect: "allow", action: "read", actorType: "human" },
- *     { effect: "deny", action: "write", pathPattern: "system::*" },
- *   ],
- *   mode: "enforce",
- * });
- *
- * // Canonical: subscribe to the mounted reactive describe (no per-call leak).
- * guarded.scopedDescribe.subscribe((msgs) => { /* live describe per actor / topology change *\/ });
- * // Per-call escape hatch (different actor / detail) — caller manages dispose.
- * const detailed = guarded.scopedDescribeNode(undefined, { detail: "standard" });
- * try { detailed.node.subscribe(/* … *\/); } finally { detailed.dispose(); }
- * guarded.violations.events.subscribe(msgs => console.log("violations:", msgs));
- * guarded.lints.events.subscribe(msgs => console.warn("lints:", msgs));
- * guarded.scope.subscribe(msgs => console.log("scope:", msgs));
- * ```
- *
- * @category patterns
- */
-declare function guardedExecution(target: Graph, opts: GuardedExecutionOptions): GuardedExecutionGraph;
-
-declare const index_DescribeFilter: typeof DescribeFilter;
-type index_GuardedExecutionGraph = GuardedExecutionGraph;
-declare const index_GuardedExecutionGraph: typeof GuardedExecutionGraph;
-type index_GuardedExecutionLint = GuardedExecutionLint;
-type index_GuardedExecutionOptions = GuardedExecutionOptions;
-type index_GuardedScope = GuardedScope;
-declare const index_guardedExecution: typeof guardedExecution;
-declare namespace index {
-  export { index_DescribeFilter as DescribeFilter, index_GuardedExecutionGraph as GuardedExecutionGraph, type index_GuardedExecutionLint as GuardedExecutionLint, type index_GuardedExecutionOptions as GuardedExecutionOptions, type index_GuardedScope as GuardedScope, index_guardedExecution as guardedExecution };
-}
-
-export { GuardedExecutionGraph as G, type GuardedExecutionLint as a, type GuardedExecutionOptions as b, type GuardedScope as c, guardedExecution as g, index as i };