@grc-claw/evidence 0.8.0

package/dist/action-ledger.d.ts

@@ -0,0 +1,56 @@
+export type ActionExecutionState = 'intent_recorded' | 'approval_required' | 'denied' | 'executing' | 'simulated' | 'recorded' | 'executed' | 'verified' | 'not_configured' | 'failed';
+export interface ActionLedgerEvent {
+    sequence: number;
+    actionId: string;
+    at: string;
+    kind: 'intent' | 'decision' | 'result';
+    tenantId: number;
+    sessionId: string;
+    tool: string;
+    idempotencyKey?: string;
+    executionState: ActionExecutionState;
+    decisionReason?: string;
+    requiresApproval?: boolean;
+    argsHash?: string;
+    argKeys?: string[];
+    outputHash?: string;
+    evidenceId?: string;
+    targetReceipt?: string;
+    previousHash: string;
+    hash: string;
+}
+/**
+ * Append-only local proof of an agent action. Payloads are represented by hashes and key names,
+ * keeping sensitive request and response content out of the operational ledger.
+ */
+export declare class ActionLedger {
+    private readonly filePath?;
+    private readonly events;
+    constructor(filePath?: string | undefined);
+    recordIntent(input: {
+        tenantId: number;
+        sessionId: string;
+        tool: string;
+        args: Record<string, unknown>;
+        idempotencyKey?: string;
+    }): ActionLedgerEvent;
+    recordDecision(intent: ActionLedgerEvent, input: {
+        allowed: boolean;
+        reason: string;
+        requiresApproval: boolean;
+    }): ActionLedgerEvent;
+    recordResult(intent: ActionLedgerEvent, input: {
+        executionState: Exclude<ActionExecutionState, 'intent_recorded' | 'approval_required' | 'denied' | 'executing'>;
+        output?: Record<string, unknown>;
+        evidenceId?: string;
+        targetReceipt?: string;
+    }): ActionLedgerEvent;
+    list(limit?: number): ActionLedgerEvent[];
+    verify(): {
+        ok: boolean;
+        checked: number;
+        error?: string;
+    };
+    private append;
+}
+//# sourceMappingURL=action-ledger.d.ts.map

package/dist/action-ledger.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"action-ledger.d.ts","sourceRoot":"","sources":["../src/action-ledger.ts"],"names":[],"mappings":"AAIA,MAAM,MAAM,oBAAoB,GAC5B,iBAAiB,GACjB,mBAAmB,GACnB,QAAQ,GACR,WAAW,GACX,WAAW,GACX,UAAU,GACV,UAAU,GACV,UAAU,GACV,gBAAgB,GAChB,QAAQ,CAAC;AAEb,MAAM,WAAW,iBAAiB;IAChC,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,QAAQ,GAAG,UAAU,GAAG,QAAQ,CAAC;IACvC,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,MAAM,CAAC;IACb,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,cAAc,EAAE,oBAAoB,CAAC;IACrC,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,YAAY,EAAE,MAAM,CAAC;IACrB,IAAI,EAAE,MAAM,CAAC;CACd;AAkCD;;;GAGG;AACH,qBAAa,YAAY;IAGX,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC;IAFtC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAA2B;gBAErB,QAAQ,CAAC,EAAE,MAAM,YAAA;IAQ9C,YAAY,CAAC,KAAK,EAAE;QAClB,QAAQ,EAAE,MAAM,CAAC;QACjB,SAAS,EAAE,MAAM,CAAC;QAClB,IAAI,EAAE,MAAM,CAAC;QACb,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QAC9B,cAAc,CAAC,EAAE,MAAM,CAAC;KACzB,GAAG,iBAAiB;IAcrB,cAAc,CACZ,MAAM,EAAE,iBAAiB,EACzB,KAAK,EAAE;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,gBAAgB,EAAE,OAAO,CAAA;KAAE,GACrE,iBAAiB;IAkBpB,YAAY,CACV,MAAM,EAAE,iBAAiB,EACzB,KAAK,EAAE;QACL,cAAc,EAAE,OAAO,CAAC,oBAAoB,EAAE,iBAAiB,GAAG,mBAAmB,GAAG,QAAQ,GAAG,WAAW,CAAC,CAAC;QAChH,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QACjC,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,aAAa,CAAC,EAAE,MAAM,CAAC;KACxB,GACA,iBAAiB;IAepB,IAAI,CAAC,KAAK,SAAM,GAAG,iBAAiB,EAAE;IAItC,MAAM,IAAI;QAAE,EAAE,EAAE,OAAO,CAAC;QAAC,OAAO,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE;IAe1D,OAAO,CAAC,MAAM;CAgBf"}

package/dist/action-ledger.js

@@ -0,0 +1,122 @@
+import { createHash, randomUUID } from 'node:crypto';
+import { appendFileSync, existsSync, mkdirSync, readFileSync } from 'node:fs';
+import { dirname } from 'node:path';
+const GENESIS_HASH = '0'.repeat(64);
+function sha256(value) {
+    return createHash('sha256').update(value).digest('hex');
+}
+function hashable(event) {
+    return JSON.stringify({
+        sequence: event.sequence,
+        actionId: event.actionId,
+        at: event.at,
+        kind: event.kind,
+        tenantId: event.tenantId,
+        sessionId: event.sessionId,
+        tool: event.tool,
+        idempotencyKey: event.idempotencyKey,
+        executionState: event.executionState,
+        decisionReason: event.decisionReason,
+        requiresApproval: event.requiresApproval,
+        argsHash: event.argsHash,
+        argKeys: event.argKeys,
+        outputHash: event.outputHash,
+        evidenceId: event.evidenceId,
+        targetReceipt: event.targetReceipt,
+        previousHash: event.previousHash,
+    });
+}
+/**
+ * Append-only local proof of an agent action. Payloads are represented by hashes and key names,
+ * keeping sensitive request and response content out of the operational ledger.
+ */
+export class ActionLedger {
+    filePath;
+    events = [];
+    constructor(filePath) {
+        this.filePath = filePath;
+        if (filePath && existsSync(filePath)) {
+            for (const line of readFileSync(filePath, 'utf8').split('\n').filter(Boolean)) {
+                this.events.push(JSON.parse(line));
+            }
+        }
+    }
+    recordIntent(input) {
+        return this.append({
+            actionId: randomUUID(),
+            kind: 'intent',
+            tenantId: input.tenantId,
+            sessionId: input.sessionId,
+            tool: input.tool,
+            idempotencyKey: input.idempotencyKey,
+            executionState: 'intent_recorded',
+            argsHash: sha256(JSON.stringify(input.args)),
+            argKeys: Object.keys(input.args).sort(),
+        });
+    }
+    recordDecision(intent, input) {
+        return this.append({
+            actionId: intent.actionId,
+            kind: 'decision',
+            tenantId: intent.tenantId,
+            sessionId: intent.sessionId,
+            tool: intent.tool,
+            idempotencyKey: intent.idempotencyKey,
+            executionState: input.allowed
+                ? 'executing'
+                : input.requiresApproval
+                    ? 'approval_required'
+                    : 'denied',
+            decisionReason: input.reason,
+            requiresApproval: input.requiresApproval,
+        });
+    }
+    recordResult(intent, input) {
+        return this.append({
+            actionId: intent.actionId,
+            kind: 'result',
+            tenantId: intent.tenantId,
+            sessionId: intent.sessionId,
+            tool: intent.tool,
+            idempotencyKey: intent.idempotencyKey,
+            executionState: input.executionState,
+            outputHash: input.output ? sha256(JSON.stringify(input.output)) : undefined,
+            evidenceId: input.evidenceId,
+            targetReceipt: input.targetReceipt,
+        });
+    }
+    list(limit = 100) {
+        return this.events.slice(-Math.max(1, Math.min(limit, 500))).reverse();
+    }
+    verify() {
+        let previousHash = GENESIS_HASH;
+        for (const event of this.events) {
+            if (event.previousHash !== previousHash) {
+                return { ok: false, checked: event.sequence - 1, error: `chain_break_at_${event.sequence}` };
+            }
+            const { hash, ...body } = event;
+            if (sha256(hashable(body)) !== hash) {
+                return { ok: false, checked: event.sequence - 1, error: `hash_mismatch_at_${event.sequence}` };
+            }
+            previousHash = event.hash;
+        }
+        return { ok: true, checked: this.events.length };
+    }
+    append(input) {
+        const previousHash = this.events.at(-1)?.hash ?? GENESIS_HASH;
+        const withoutHash = {
+            ...input,
+            sequence: this.events.length + 1,
+            at: input.at ?? new Date().toISOString(),
+            previousHash,
+        };
+        const event = { ...withoutHash, hash: sha256(hashable(withoutHash)) };
+        this.events.push(event);
+        if (this.filePath) {
+            mkdirSync(dirname(this.filePath), { recursive: true });
+            appendFileSync(this.filePath, `${JSON.stringify(event)}\n`, { mode: 0o600 });
+        }
+        return event;
+    }
+}
+//# sourceMappingURL=action-ledger.js.map

package/dist/action-ledger.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"action-ledger.js","sourceRoot":"","sources":["../src/action-ledger.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACrD,OAAO,EAAE,cAAc,EAAE,UAAU,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAC9E,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAuCpC,MAAM,YAAY,GAAG,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;AAEpC,SAAS,MAAM,CAAC,KAAa;IAC3B,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAC1D,CAAC;AAED,SAAS,QAAQ,CAAC,KAAsC;IACtD,OAAO,IAAI,CAAC,SAAS,CAAC;QACpB,QAAQ,EAAE,KAAK,CAAC,QAAQ;QACxB,QAAQ,EAAE,KAAK,CAAC,QAAQ;QACxB,EAAE,EAAE,KAAK,CAAC,EAAE;QACZ,IAAI,EAAE,KAAK,CAAC,IAAI;QAChB,QAAQ,EAAE,KAAK,CAAC,QAAQ;QACxB,SAAS,EAAE,KAAK,CAAC,SAAS;QAC1B,IAAI,EAAE,KAAK,CAAC,IAAI;QAChB,cAAc,EAAE,KAAK,CAAC,cAAc;QACpC,cAAc,EAAE,KAAK,CAAC,cAAc;QACpC,cAAc,EAAE,KAAK,CAAC,cAAc;QACpC,gBAAgB,EAAE,KAAK,CAAC,gBAAgB;QACxC,QAAQ,EAAE,KAAK,CAAC,QAAQ;QACxB,OAAO,EAAE,KAAK,CAAC,OAAO;QACtB,UAAU,EAAE,KAAK,CAAC,UAAU;QAC5B,UAAU,EAAE,KAAK,CAAC,UAAU;QAC5B,aAAa,EAAE,KAAK,CAAC,aAAa;QAClC,YAAY,EAAE,KAAK,CAAC,YAAY;KACjC,CAAC,CAAC;AACL,CAAC;AAED;;;GAGG;AACH,MAAM,OAAO,YAAY;IAGM;IAFZ,MAAM,GAAwB,EAAE,CAAC;IAElD,YAA6B,QAAiB;QAAjB,aAAQ,GAAR,QAAQ,CAAS;QAC5C,IAAI,QAAQ,IAAI,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;YACrC,KAAK,MAAM,IAAI,IAAI,YAAY,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC9E,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAsB,CAAC,CAAC;YAC1D,CAAC;QACH,CAAC;IACH,CAAC;IAED,YAAY,CAAC,KAMZ;QACC,OAAO,IAAI,CAAC,MAAM,CAAC;YACjB,QAAQ,EAAE,UAAU,EAAE;YACtB,IAAI,EAAE,QAAQ;YACd,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,IAAI,EAAE,KAAK,CAAC,IAAI;YAChB,cAAc,EAAE,KAAK,CAAC,cAAc;YACpC,cAAc,EAAE,iBAAiB;YACjC,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YAC5C,OAAO,EAAE,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE;SACxC,CAAC,CAAC;IACL,CAAC;IAED,cAAc,CACZ,MAAyB,EACzB,KAAsE;QAEtE,OAAO,IAAI,CAAC,MAAM,CAAC;YACjB,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,IAAI,EAAE,UAAU;YAChB,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,SAAS,EAAE,MAAM,CAAC,SAAS;YAC3B,IAAI,EAAE,MAAM,CAAC,IAAI;YACjB,cAAc,EAAE,MAAM,CAAC,cAAc;YACrC,cAAc,EAAE,KAAK,CAAC,OAAO;gBAC3B,CAAC,CAAC,WAAW;gBACb,CAAC,CAAC,KAAK,CAAC,gBAAgB;oBACtB,CAAC,CAAC,mBAAmB;oBACrB,CAAC,CAAC,QAAQ;YACd,cAAc,EAAE,KAAK,CAAC,MAAM;YAC5B,gBAAgB,EAAE,KAAK,CAAC,gBAAgB;SACzC,CAAC,CAAC;IACL,CAAC;IAED,YAAY,CACV,MAAyB,EACzB,KAKC;QAED,OAAO,IAAI,CAAC,MAAM,CAAC;YACjB,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,IAAI,EAAE,QAAQ;YACd,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,SAAS,EAAE,MAAM,CAAC,SAAS;YAC3B,IAAI,EAAE,MAAM,CAAC,IAAI;YACjB,cAAc,EAAE,MAAM,CAAC,cAAc;YACrC,cAAc,EAAE,KAAK,CAAC,cAAc;YACpC,UAAU,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS;YAC3E,UAAU,EAAE,KAAK,CAAC,UAAU;YAC5B,aAAa,EAAE,KAAK,CAAC,aAAa;SACnC,CAAC,CAAC;IACL,CAAC;IAED,IAAI,CAAC,KAAK,GAAG,GAAG;QACd,OAAO,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC;IACzE,CAAC;IAED,MAAM;QACJ,IAAI,YAAY,GAAG,YAAY,CAAC;QAChC,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChC,IAAI,KAAK,CAAC,YAAY,KAAK,YAAY,EAAE,CAAC;gBACxC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,CAAC,QAAQ,GAAG,CAAC,EAAE,KAAK,EAAE,kBAAkB,KAAK,CAAC,QAAQ,EAAE,EAAE,CAAC;YAC/F,CAAC;YACD,MAAM,EAAE,IAAI,EAAE,GAAG,IAAI,EAAE,GAAG,KAAK,CAAC;YAChC,IAAI,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;gBACpC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,CAAC,QAAQ,GAAG,CAAC,EAAE,KAAK,EAAE,oBAAoB,KAAK,CAAC,QAAQ,EAAE,EAAE,CAAC;YACjG,CAAC;YACD,YAAY,GAAG,KAAK,CAAC,IAAI,CAAC;QAC5B,CAAC;QACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;IACnD,CAAC;IAEO,MAAM,CAAC,KAAuB;QACpC,MAAM,YAAY,GAAG,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,IAAI,IAAI,YAAY,CAAC;QAC9D,MAAM,WAAW,GAAoC;YACnD,GAAG,KAAK;YACR,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC;YAChC,EAAE,EAAE,KAAK,CAAC,EAAE,IAAI,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACxC,YAAY;SACb,CAAC;QACF,MAAM,KAAK,GAAsB,EAAE,GAAG,WAAW,EAAE,IAAI,EAAE,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC,EAAE,CAAC;QACzF,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACxB,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAClB,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YACvD,cAAc,CAAC,IAAI,CAAC,QAAQ,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,IAAI,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QAC/E,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;CACF"}

package/dist/assurance-envelope.d.ts

@@ -0,0 +1,60 @@
+import type { ActionLedgerEvent } from './action-ledger.js';
+export interface AssuranceEnvelope {
+    version: 'v1';
+    actionId: string;
+    tenantId: number;
+    sessionId: string;
+    tool: string;
+    idempotencyKey?: string;
+    createdAt: string;
+    updatedAt: string;
+    intent: {
+        argsHash?: string;
+        argKeys?: string[];
+        ledgerHash: string;
+    };
+    policy?: {
+        executionState: string;
+        allowed: boolean;
+        reason?: string;
+        requiresApproval?: boolean;
+        ledgerHash: string;
+    };
+    result?: {
+        executionState: string;
+        outputHash?: string;
+        evidenceId?: string;
+        targetReceipt?: string;
+        ledgerHash: string;
+    };
+    identity?: {
+        agentDid?: string;
+        status?: 'provisional' | 'verified';
+    };
+    assurance?: {
+        riskScore?: number;
+        blastRadiusImpact?: number;
+        controlId?: string;
+    };
+}
+export interface AssuranceEnvelopeVerification {
+    ok: boolean;
+    actionId: string;
+    envelopeHash: string;
+    checkedAt: string;
+    errors: string[];
+}
+export declare function hashAssuranceEnvelope(envelope: AssuranceEnvelope): string;
+/** Build a redacted, portable action receipt from hash-chained ledger events. */
+export declare function createAssuranceEnvelope(input: {
+    intent: ActionLedgerEvent;
+    decision?: ActionLedgerEvent;
+    result?: ActionLedgerEvent;
+    identity?: AssuranceEnvelope['identity'];
+    assurance?: AssuranceEnvelope['assurance'];
+}): AssuranceEnvelope;
+/** Verify an assurance receipt is complete enough for auditors and contains no raw payloads. */
+export declare function verifyAssuranceEnvelope(envelope: AssuranceEnvelope): AssuranceEnvelopeVerification;
+/** Return an auditor-safe receipt with only hashes, identity, policy, and assurance metadata. */
+export declare function redactAssuranceEnvelopeForSharing(envelope: AssuranceEnvelope): AssuranceEnvelope;
+//# sourceMappingURL=assurance-envelope.d.ts.map

package/dist/assurance-envelope.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"assurance-envelope.d.ts","sourceRoot":"","sources":["../src/assurance-envelope.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AAE5D,MAAM,WAAW,iBAAiB;IAChC,OAAO,EAAE,IAAI,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,MAAM,CAAC;IACb,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE;QAAE,QAAQ,CAAC,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;QAAC,UAAU,EAAE,MAAM,CAAA;KAAE,CAAC;IACtE,MAAM,CAAC,EAAE;QAAE,cAAc,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,OAAO,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,gBAAgB,CAAC,EAAE,OAAO,CAAC;QAAC,UAAU,EAAE,MAAM,CAAA;KAAE,CAAC;IACvH,MAAM,CAAC,EAAE;QACP,cAAc,EAAE,MAAM,CAAC;QACvB,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,aAAa,CAAC,EAAE,MAAM,CAAC;QACvB,UAAU,EAAE,MAAM,CAAC;KACpB,CAAC;IACF,QAAQ,CAAC,EAAE;QAAE,QAAQ,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,aAAa,GAAG,UAAU,CAAA;KAAE,CAAC;IACtE,SAAS,CAAC,EAAE;QAAE,SAAS,CAAC,EAAE,MAAM,CAAC;QAAC,iBAAiB,CAAC,EAAE,MAAM,CAAC;QAAC,SAAS,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;CACpF;AAED,MAAM,WAAW,6BAA6B;IAC5C,EAAE,EAAE,OAAO,CAAC;IACZ,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB;AAgBD,wBAAgB,qBAAqB,CAAC,QAAQ,EAAE,iBAAiB,GAAG,MAAM,CAEzE;AAED,iFAAiF;AACjF,wBAAgB,uBAAuB,CAAC,KAAK,EAAE;IAC7C,MAAM,EAAE,iBAAiB,CAAC;IAC1B,QAAQ,CAAC,EAAE,iBAAiB,CAAC;IAC7B,MAAM,CAAC,EAAE,iBAAiB,CAAC;IAC3B,QAAQ,CAAC,EAAE,iBAAiB,CAAC,UAAU,CAAC,CAAC;IACzC,SAAS,CAAC,EAAE,iBAAiB,CAAC,WAAW,CAAC,CAAC;CAC5C,GAAG,iBAAiB,CAiCpB;AAED,gGAAgG;AAChG,wBAAgB,uBAAuB,CAAC,QAAQ,EAAE,iBAAiB,GAAG,6BAA6B,CAiClG;AAED,iGAAiG;AACjG,wBAAgB,iCAAiC,CAAC,QAAQ,EAAE,iBAAiB,GAAG,iBAAiB,CAYhG"}

package/dist/assurance-envelope.js

@@ -0,0 +1,109 @@
+import { createHash } from 'node:crypto';
+function stableSerialize(value) {
+    if (Array.isArray(value)) {
+        return `[${value.map((item) => stableSerialize(item)).join(',')}]`;
+    }
+    if (value && typeof value === 'object') {
+        return `{${Object.entries(value)
+            .filter(([, item]) => item !== undefined)
+            .sort(([a], [b]) => a.localeCompare(b))
+            .map(([key, item]) => `${JSON.stringify(key)}:${stableSerialize(item)}`)
+            .join(',')}}`;
+    }
+    return JSON.stringify(value);
+}
+export function hashAssuranceEnvelope(envelope) {
+    return createHash('sha256').update(stableSerialize(envelope)).digest('hex');
+}
+/** Build a redacted, portable action receipt from hash-chained ledger events. */
+export function createAssuranceEnvelope(input) {
+    const { intent, decision, result } = input;
+    return {
+        version: 'v1',
+        actionId: intent.actionId,
+        tenantId: intent.tenantId,
+        sessionId: intent.sessionId,
+        tool: intent.tool,
+        idempotencyKey: intent.idempotencyKey,
+        createdAt: intent.at,
+        updatedAt: result?.at ?? decision?.at ?? intent.at,
+        intent: { argsHash: intent.argsHash, argKeys: intent.argKeys, ledgerHash: intent.hash },
+        policy: decision
+            ? {
+                executionState: decision.executionState,
+                allowed: decision.executionState === 'executing',
+                reason: decision.decisionReason,
+                requiresApproval: decision.requiresApproval,
+                ledgerHash: decision.hash,
+            }
+            : undefined,
+        result: result
+            ? {
+                executionState: result.executionState,
+                outputHash: result.outputHash,
+                evidenceId: result.evidenceId,
+                targetReceipt: result.targetReceipt,
+                ledgerHash: result.hash,
+            }
+            : undefined,
+        identity: input.identity,
+        assurance: input.assurance,
+    };
+}
+/** Verify an assurance receipt is complete enough for auditors and contains no raw payloads. */
+export function verifyAssuranceEnvelope(envelope) {
+    const errors = [];
+    if (envelope.version !== 'v1')
+        errors.push('unsupported_version');
+    if (!envelope.actionId)
+        errors.push('missing_action_id');
+    if (!Number.isFinite(envelope.tenantId))
+        errors.push('missing_tenant_id');
+    if (!envelope.sessionId)
+        errors.push('missing_session_id');
+    if (!envelope.tool)
+        errors.push('missing_tool');
+    if (!envelope.createdAt)
+        errors.push('missing_created_at');
+    if (!envelope.updatedAt)
+        errors.push('missing_updated_at');
+    if (!envelope.intent?.ledgerHash)
+        errors.push('missing_intent_ledger_hash');
+    if (envelope.policy && !envelope.policy.ledgerHash)
+        errors.push('missing_policy_ledger_hash');
+    if (envelope.result && !envelope.result.ledgerHash)
+        errors.push('missing_result_ledger_hash');
+    const serialized = JSON.stringify({
+        idempotencyKey: envelope.idempotencyKey,
+        identity: envelope.identity,
+        assurance: envelope.assurance,
+    });
+    const rawPayloadMarkers = ['password', 'secret', 'token', 'apiKey', 'privateKey'];
+    for (const marker of rawPayloadMarkers) {
+        if (serialized.includes(`"${marker}":`)) {
+            errors.push(`raw_payload_marker_${marker}`);
+        }
+    }
+    return {
+        ok: errors.length === 0,
+        actionId: envelope.actionId,
+        envelopeHash: hashAssuranceEnvelope(envelope),
+        checkedAt: new Date().toISOString(),
+        errors,
+    };
+}
+/** Return an auditor-safe receipt with only hashes, identity, policy, and assurance metadata. */
+export function redactAssuranceEnvelopeForSharing(envelope) {
+    return {
+        ...envelope,
+        idempotencyKey: envelope.idempotencyKey ? `redacted:${hashAssuranceEnvelope(envelope).slice(0, 12)}` : undefined,
+        intent: {
+            argsHash: envelope.intent.argsHash,
+            argKeys: envelope.intent.argKeys,
+            ledgerHash: envelope.intent.ledgerHash,
+        },
+        policy: envelope.policy,
+        result: envelope.result,
+    };
+}
+//# sourceMappingURL=assurance-envelope.js.map

package/dist/assurance-envelope.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"assurance-envelope.js","sourceRoot":"","sources":["../src/assurance-envelope.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAiCzC,SAAS,eAAe,CAAC,KAAc;IACrC,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,IAAI,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;IACrE,CAAC;IACD,IAAI,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QACvC,OAAO,IAAI,MAAM,CAAC,OAAO,CAAC,KAAgC,CAAC;aACxD,MAAM,CAAC,CAAC,CAAC,EAAE,IAAI,CAAC,EAAE,EAAE,CAAC,IAAI,KAAK,SAAS,CAAC;aACxC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;aACtC,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,IAAI,CAAC,EAAE,EAAE,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,eAAe,CAAC,IAAI,CAAC,EAAE,CAAC;aACvE,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;IAClB,CAAC;IACD,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;AAC/B,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,QAA2B;IAC/D,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,eAAe,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAC9E,CAAC;AAED,iFAAiF;AACjF,MAAM,UAAU,uBAAuB,CAAC,KAMvC;IACC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,KAAK,CAAC;IAC3C,OAAO;QACL,OAAO,EAAE,IAAI;QACb,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,SAAS,EAAE,MAAM,CAAC,SAAS;QAC3B,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,cAAc,EAAE,MAAM,CAAC,cAAc;QACrC,SAAS,EAAE,MAAM,CAAC,EAAE;QACpB,SAAS,EAAE,MAAM,EAAE,EAAE,IAAI,QAAQ,EAAE,EAAE,IAAI,MAAM,CAAC,EAAE;QAClD,MAAM,EAAE,EAAE,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,OAAO,EAAE,MAAM,CAAC,OAAO,EAAE,UAAU,EAAE,MAAM,CAAC,IAAI,EAAE;QACvF,MAAM,EAAE,QAAQ;YACd,CAAC,CAAC;gBACE,cAAc,EAAE,QAAQ,CAAC,cAAc;gBACvC,OAAO,EAAE,QAAQ,CAAC,cAAc,KAAK,WAAW;gBAChD,MAAM,EAAE,QAAQ,CAAC,cAAc;gBAC/B,gBAAgB,EAAE,QAAQ,CAAC,gBAAgB;gBAC3C,UAAU,EAAE,QAAQ,CAAC,IAAI;aAC1B;YACH,CAAC,CAAC,SAAS;QACb,MAAM,EAAE,MAAM;YACZ,CAAC,CAAC;gBACE,cAAc,EAAE,MAAM,CAAC,cAAc;gBACrC,UAAU,EAAE,MAAM,CAAC,UAAU;gBAC7B,UAAU,EAAE,MAAM,CAAC,UAAU;gBAC7B,aAAa,EAAE,MAAM,CAAC,aAAa;gBACnC,UAAU,EAAE,MAAM,CAAC,IAAI;aACxB;YACH,CAAC,CAAC,SAAS;QACb,QAAQ,EAAE,KAAK,CAAC,QAAQ;QACxB,SAAS,EAAE,KAAK,CAAC,SAAS;KAC3B,CAAC;AACJ,CAAC;AAED,gGAAgG;AAChG,MAAM,UAAU,uBAAuB,CAAC,QAA2B;IACjE,MAAM,MAAM,GAAa,EAAE,CAAC;IAE5B,IAAI,QAAQ,CAAC,OAAO,KAAK,IAAI;QAAE,MAAM,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAC;IAClE,IAAI,CAAC,QAAQ,CAAC,QAAQ;QAAE,MAAM,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;IACzD,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAAE,MAAM,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;IAC1E,IAAI,CAAC,QAAQ,CAAC,SAAS;QAAE,MAAM,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;IAC3D,IAAI,CAAC,QAAQ,CAAC,IAAI;QAAE,MAAM,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;IAChD,IAAI,CAAC,QAAQ,CAAC,SAAS;QAAE,MAAM,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;IAC3D,IAAI,CAAC,QAAQ,CAAC,SAAS;QAAE,MAAM,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;IAC3D,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,UAAU;QAAE,MAAM,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC;IAC5E,IAAI,QAAQ,CAAC,MAAM,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,UAAU;QAAE,MAAM,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC;IAC9F,IAAI,QAAQ,CAAC,MAAM,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,UAAU;QAAE,MAAM,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC;IAE9F,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC;QAChC,cAAc,EAAE,QAAQ,CAAC,cAAc;QACvC,QAAQ,EAAE,QAAQ,CAAC,QAAQ;QAC3B,SAAS,EAAE,QAAQ,CAAC,SAAS;KAC9B,CAAC,CAAC;IACH,MAAM,iBAAiB,GAAG,CAAC,UAAU,EAAE,QAAQ,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,CAAC,CAAC;IAClF,KAAK,MAAM,MAAM,IAAI,iBAAiB,EAAE,CAAC;QACvC,IAAI,UAAU,CAAC,QAAQ,CAAC,IAAI,MAAM,IAAI,CAAC,EAAE,CAAC;YACxC,MAAM,CAAC,IAAI,CAAC,sBAAsB,MAAM,EAAE,CAAC,CAAC;QAC9C,CAAC;IACH,CAAC;IAED,OAAO;QACL,EAAE,EAAE,MAAM,CAAC,MAAM,KAAK,CAAC;QACvB,QAAQ,EAAE,QAAQ,CAAC,QAAQ;QAC3B,YAAY,EAAE,qBAAqB,CAAC,QAAQ,CAAC;QAC7C,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,MAAM;KACP,CAAC;AACJ,CAAC;AAED,iGAAiG;AACjG,MAAM,UAAU,iCAAiC,CAAC,QAA2B;IAC3E,OAAO;QACL,GAAG,QAAQ;QACX,cAAc,EAAE,QAAQ,CAAC,cAAc,CAAC,CAAC,CAAC,YAAY,qBAAqB,CAAC,QAAQ,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC,SAAS;QAChH,MAAM,EAAE;YACN,QAAQ,EAAE,QAAQ,CAAC,MAAM,CAAC,QAAQ;YAClC,OAAO,EAAE,QAAQ,CAAC,MAAM,CAAC,OAAO;YAChC,UAAU,EAAE,QAAQ,CAAC,MAAM,CAAC,UAAU;SACvC;QACD,MAAM,EAAE,QAAQ,CAAC,MAAM;QACvB,MAAM,EAAE,QAAQ,CAAC,MAAM;KACxB,CAAC;AACJ,CAAC"}

package/dist/assurance-envelope.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=assurance-envelope.test.d.ts.map

package/dist/assurance-envelope.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"assurance-envelope.test.d.ts","sourceRoot":"","sources":["../src/assurance-envelope.test.ts"],"names":[],"mappings":""}

package/dist/assurance-envelope.test.js

@@ -0,0 +1,60 @@
+import assert from 'node:assert/strict';
+import { describe, it } from 'node:test';
+import { ActionLedger, createAssuranceEnvelope, hashAssuranceEnvelope, redactAssuranceEnvelopeForSharing, verifyAssuranceEnvelope, } from './index.js';
+describe('assurance envelopes', () => {
+    it('creates deterministic, auditor-safe receipts without raw invocation payloads', () => {
+        const ledger = new ActionLedger();
+        const intent = ledger.recordIntent({
+            tenantId: 42,
+            sessionId: 'agentic-assurance-test',
+            tool: 'evidence.attach',
+            args: { controlId: 'CMMC-AC.L1-3.1.1', secret: 'do-not-leak' },
+            idempotencyKey: 'receipt-test-key',
+        });
+        const decision = ledger.recordDecision(intent, {
+            allowed: true,
+            reason: 'within_policy',
+            requiresApproval: false,
+        });
+        const result = ledger.recordResult(intent, {
+            executionState: 'recorded',
+            evidenceId: 'ev-test',
+            output: { token: 'also-do-not-leak' },
+        });
+        const envelope = createAssuranceEnvelope({
+            intent,
+            decision,
+            result,
+            identity: { agentDid: 'did:grc:test-agent', status: 'verified' },
+            assurance: { riskScore: 4, blastRadiusImpact: 2, controlId: 'CMMC-AC.L1-3.1.1' },
+        });
+        const serialized = JSON.stringify(envelope);
+        assert.equal(serialized.includes('do-not-leak'), false);
+        assert.equal(serialized.includes('also-do-not-leak'), false);
+        assert.equal(envelope.intent.argKeys?.includes('secret'), true);
+        const verification = verifyAssuranceEnvelope(envelope);
+        assert.equal(verification.ok, true);
+        assert.equal(verification.errors.length, 0);
+        assert.equal(verification.envelopeHash, hashAssuranceEnvelope(envelope));
+        const shared = redactAssuranceEnvelopeForSharing(envelope);
+        assert.match(shared.idempotencyKey ?? '', /^redacted:/);
+        assert.equal(hashAssuranceEnvelope(envelope), hashAssuranceEnvelope(envelope));
+    });
+    it('flags structurally incomplete receipts', () => {
+        const incomplete = {
+            version: 'v1',
+            actionId: '',
+            tenantId: Number.NaN,
+            sessionId: '',
+            tool: '',
+            createdAt: '',
+            updatedAt: '',
+            intent: { ledgerHash: '' },
+        };
+        const verification = verifyAssuranceEnvelope(incomplete);
+        assert.equal(verification.ok, false);
+        assert.ok(verification.errors.includes('missing_action_id'));
+        assert.ok(verification.errors.includes('missing_intent_ledger_hash'));
+    });
+});
+//# sourceMappingURL=assurance-envelope.test.js.map

package/dist/assurance-envelope.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"assurance-envelope.test.js","sourceRoot":"","sources":["../src/assurance-envelope.test.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,oBAAoB,CAAC;AACxC,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,WAAW,CAAC;AACzC,OAAO,EACL,YAAY,EACZ,uBAAuB,EACvB,qBAAqB,EACrB,iCAAiC,EACjC,uBAAuB,GACxB,MAAM,YAAY,CAAC;AAEpB,QAAQ,CAAC,qBAAqB,EAAE,GAAG,EAAE;IACnC,EAAE,CAAC,8EAA8E,EAAE,GAAG,EAAE;QACtF,MAAM,MAAM,GAAG,IAAI,YAAY,EAAE,CAAC;QAClC,MAAM,MAAM,GAAG,MAAM,CAAC,YAAY,CAAC;YACjC,QAAQ,EAAE,EAAE;YACZ,SAAS,EAAE,wBAAwB;YACnC,IAAI,EAAE,iBAAiB;YACvB,IAAI,EAAE,EAAE,SAAS,EAAE,kBAAkB,EAAE,MAAM,EAAE,aAAa,EAAE;YAC9D,cAAc,EAAE,kBAAkB;SACnC,CAAC,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,CAAC,cAAc,CAAC,MAAM,EAAE;YAC7C,OAAO,EAAE,IAAI;YACb,MAAM,EAAE,eAAe;YACvB,gBAAgB,EAAE,KAAK;SACxB,CAAC,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,CAAC,YAAY,CAAC,MAAM,EAAE;YACzC,cAAc,EAAE,UAAU;YAC1B,UAAU,EAAE,SAAS;YACrB,MAAM,EAAE,EAAE,KAAK,EAAE,kBAAkB,EAAE;SACtC,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,uBAAuB,CAAC;YACvC,MAAM;YACN,QAAQ;YACR,MAAM;YACN,QAAQ,EAAE,EAAE,QAAQ,EAAE,oBAAoB,EAAE,MAAM,EAAE,UAAU,EAAE;YAChE,SAAS,EAAE,EAAE,SAAS,EAAE,CAAC,EAAE,iBAAiB,EAAE,CAAC,EAAE,SAAS,EAAE,kBAAkB,EAAE;SACjF,CAAC,CAAC;QAEH,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;QAC5C,MAAM,CAAC,KAAK,CAAC,UAAU,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,KAAK,CAAC,CAAC;QACxD,MAAM,CAAC,KAAK,CAAC,UAAU,CAAC,QAAQ,CAAC,kBAAkB,CAAC,EAAE,KAAK,CAAC,CAAC;QAC7D,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,OAAO,EAAE,QAAQ,CAAC,QAAQ,CAAC,EAAE,IAAI,CAAC,CAAC;QAEhE,MAAM,YAAY,GAAG,uBAAuB,CAAC,QAAQ,CAAC,CAAC;QACvD,MAAM,CAAC,KAAK,CAAC,YAAY,CAAC,EAAE,EAAE,IAAI,CAAC,CAAC;QACpC,MAAM,CAAC,KAAK,CAAC,YAAY,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;QAC5C,MAAM,CAAC,KAAK,CAAC,YAAY,CAAC,YAAY,EAAE,qBAAqB,CAAC,QAAQ,CAAC,CAAC,CAAC;QAEzE,MAAM,MAAM,GAAG,iCAAiC,CAAC,QAAQ,CAAC,CAAC;QAC3D,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,cAAc,IAAI,EAAE,EAAE,YAAY,CAAC,CAAC;QACxD,MAAM,CAAC,KAAK,CAAC,qBAAqB,CAAC,QAAQ,CAAC,EAAE,qBAAqB,CAAC,QAAQ,CAAC,CAAC,CAAC;IACjF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wCAAwC,EAAE,GAAG,EAAE;QAChD,MAAM,UAAU,GAAG;YACjB,OAAO,EAAE,IAAI;YACb,QAAQ,EAAE,EAAE;YACZ,QAAQ,EAAE,MAAM,CAAC,GAAG;YACpB,SAAS,EAAE,EAAE;YACb,IAAI,EAAE,EAAE;YACR,SAAS,EAAE,EAAE;YACb,SAAS,EAAE,EAAE;YACb,MAAM,EAAE,EAAE,UAAU,EAAE,EAAE,EAAE;SACpB,CAAC;QAET,MAAM,YAAY,GAAG,uBAAuB,CAAC,UAAU,CAAC,CAAC;QACzD,MAAM,CAAC,KAAK,CAAC,YAAY,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC;QACrC,MAAM,CAAC,EAAE,CAAC,YAAY,CAAC,MAAM,CAAC,QAAQ,CAAC,mBAAmB,CAAC,CAAC,CAAC;QAC7D,MAAM,CAAC,EAAE,CAAC,YAAY,CAAC,MAAM,CAAC,QAAQ,CAAC,4BAA4B,CAAC,CAAC,CAAC;IACxE,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,43 @@
+export * from './action-ledger.js';
+export * from './assurance-envelope.js';
+export interface EvidenceRecord {
+    id: string;
+    controlId: string;
+    tenantId: number;
+    sha256: string;
+    uri: string;
+    collectedAt: string;
+    lineage: {
+        parentHash?: string;
+        source: string;
+    };
+}
+export interface EvidenceDatabase {
+    query<T = Record<string, unknown>>(sql: string, params?: unknown[]): Promise<{
+        rows: T[];
+        rowCount: number;
+    }>;
+    execute(sql: string, params?: unknown[]): Promise<void>;
+}
+export declare class EvidenceStore {
+    private readonly records;
+    private readonly db?;
+    private pendingWrites;
+    constructor(database?: EvidenceDatabase);
+    static hashContent(buffer: Buffer | string): string;
+    private writeToDbWithRetry;
+    attach(input: Omit<EvidenceRecord, 'id' | 'sha256'> & {
+        content?: Buffer | string;
+    }): EvidenceRecord;
+    get(id: string): EvidenceRecord | undefined;
+    /** Read a single evidence record from PostgreSQL (primary) with in-memory fallback */
+    getFromDb(id: string): Promise<EvidenceRecord | undefined>;
+    /** Synchronous read from in-memory write-through cache */
+    listByControl(controlId: string): EvidenceRecord[];
+    /** Read evidence for a control from PostgreSQL (primary) with in-memory fallback */
+    listByControlFromDb(controlId: string): Promise<EvidenceRecord[]>;
+    /** Flush all pending PostgreSQL writes */
+    flush(): Promise<void>;
+    loadFromDatabase(): Promise<void>;
+}
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAEA,cAAc,oBAAoB,CAAC;AACnC,cAAc,yBAAyB,CAAC;AAExC,MAAM,WAAW,cAAc;IAC7B,EAAE,EAAE,MAAM,CAAC;IACX,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,GAAG,EAAE,MAAM,CAAC;IACZ,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE;QAAE,UAAU,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC;CAClD;AAED,MAAM,WAAW,gBAAgB;IAC/B,KAAK,CAAC,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,GAAG,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,OAAO,EAAE,GAAG,OAAO,CAAC;QAAE,IAAI,EAAE,CAAC,EAAE,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAC9G,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,OAAO,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACzD;AASD,qBAAa,aAAa;IACxB,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAqC;IAC7D,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAmB;IACvC,OAAO,CAAC,aAAa,CAAuB;gBAEhC,QAAQ,CAAC,EAAE,gBAAgB;IAIvC,MAAM,CAAC,WAAW,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,MAAM;YAIrC,kBAAkB;IAkChC,MAAM,CAAC,KAAK,EAAE,IAAI,CAAC,cAAc,EAAE,IAAI,GAAG,QAAQ,CAAC,GAAG;QAAE,OAAO,CAAC,EAAE,MAAM,GAAG,MAAM,CAAA;KAAE,GAAG,cAAc;IAkBpG,GAAG,CAAC,EAAE,EAAE,MAAM,GAAG,cAAc,GAAG,SAAS;IAI3C,sFAAsF;IAChF,SAAS,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,GAAG,SAAS,CAAC;IAoChE,0DAA0D;IAC1D,aAAa,CAAC,SAAS,EAAE,MAAM,GAAG,cAAc,EAAE;IAIlD,oFAAoF;IAC9E,mBAAmB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,EAAE,CAAC;IAsCvE,0CAA0C;IACpC,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAMtB,gBAAgB,IAAI,OAAO,CAAC,IAAI,CAAC;CA8BxC"}

package/dist/index.js

@@ -0,0 +1,151 @@
+import { createHash } from 'node:crypto';
+export * from './action-ledger.js';
+export * from './assurance-envelope.js';
+const MAX_RETRIES = 3;
+const BASE_BACKOFF_MS = 100;
+async function sleep(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+}
+export class EvidenceStore {
+    records = new Map();
+    db;
+    pendingWrites = [];
+    constructor(database) {
+        this.db = database;
+    }
+    static hashContent(buffer) {
+        return createHash('sha256').update(buffer).digest('hex');
+    }
+    async writeToDbWithRetry(record) {
+        if (!this.db)
+            return;
+        let lastError;
+        for (let attempt = 0; attempt < MAX_RETRIES; attempt++) {
+            try {
+                await this.db.execute(`INSERT INTO evidence (id, tenant_id, control_id, sha256, uri, metadata, lineage, collected_at, created_at)
+           VALUES ($1, $2, $3, $4, $5, $6, $7, $8, NOW())
+           ON CONFLICT (id) DO NOTHING`, [
+                    record.id,
+                    String(record.tenantId),
+                    record.controlId,
+                    record.sha256,
+                    record.uri,
+                    JSON.stringify({}),
+                    JSON.stringify(record.lineage),
+                    record.collectedAt,
+                ]);
+                return;
+            }
+            catch (err) {
+                lastError = err instanceof Error ? err : new Error(String(err));
+                if (attempt < MAX_RETRIES - 1) {
+                    await sleep(BASE_BACKOFF_MS * Math.pow(2, attempt));
+                }
+            }
+        }
+        console.warn(`[EVIDENCE] PostgreSQL write failed after ${MAX_RETRIES} retries for ${record.id}:`, lastError?.message);
+    }
+    attach(input) {
+        const sha256 = input.content !== undefined
+            ? EvidenceStore.hashContent(input.content)
+            : EvidenceStore.hashContent(`${input.uri}|${input.collectedAt}`);
+        const id = `ev-${sha256.slice(0, 16)}`;
+        const record = { ...input, id, sha256 };
+        // Write to PostgreSQL first, then update in-memory cache
+        const writePromise = this.writeToDbWithRetry(record);
+        this.pendingWrites.push(writePromise);
+        // Update in-memory cache immediately for fast reads
+        this.records.set(id, record);
+        return record;
+    }
+    get(id) {
+        return this.records.get(id);
+    }
+    /** Read a single evidence record from PostgreSQL (primary) with in-memory fallback */
+    async getFromDb(id) {
+        if (this.db) {
+            try {
+                const { rows } = await this.db.query(`SELECT id, control_id, tenant_id, sha256, uri, collected_at, lineage FROM evidence WHERE id = $1`, [id]);
+                if (rows.length > 0) {
+                    const row = rows[0];
+                    const record = {
+                        id: row.id,
+                        controlId: row.control_id,
+                        tenantId: Number(row.tenant_id),
+                        sha256: row.sha256,
+                        uri: row.uri,
+                        collectedAt: row.collected_at,
+                        lineage: row.lineage,
+                    };
+                    this.records.set(id, record);
+                    return record;
+                }
+            }
+            catch {
+                // fall back to in-memory
+            }
+        }
+        return this.records.get(id);
+    }
+    /** Synchronous read from in-memory write-through cache */
+    listByControl(controlId) {
+        return [...this.records.values()].filter((r) => r.controlId === controlId);
+    }
+    /** Read evidence for a control from PostgreSQL (primary) with in-memory fallback */
+    async listByControlFromDb(controlId) {
+        if (this.db) {
+            try {
+                const { rows } = await this.db.query(`SELECT id, control_id, tenant_id, sha256, uri, collected_at, lineage FROM evidence WHERE control_id = $1`, [controlId]);
+                if (rows.length > 0) {
+                    const results = rows.map((row) => ({
+                        id: row.id,
+                        controlId: row.control_id,
+                        tenantId: Number(row.tenant_id),
+                        sha256: row.sha256,
+                        uri: row.uri,
+                        collectedAt: row.collected_at,
+                        lineage: row.lineage,
+                    }));
+                    // Update cache with DB results
+                    for (const r of results) {
+                        this.records.set(r.id, r);
+                    }
+                    return results;
+                }
+            }
+            catch {
+                // fall back to in-memory
+            }
+        }
+        return [...this.records.values()].filter((r) => r.controlId === controlId);
+    }
+    /** Flush all pending PostgreSQL writes */
+    async flush() {
+        const pending = [...this.pendingWrites];
+        this.pendingWrites = [];
+        await Promise.allSettled(pending);
+    }
+    async loadFromDatabase() {
+        if (!this.db)
+            return;
+        try {
+            const { rows } = await this.db.query(`SELECT id, control_id, tenant_id, sha256, uri, collected_at, lineage FROM evidence`);
+            for (const row of rows) {
+                const record = {
+                    id: row.id,
+                    controlId: row.control_id,
+                    tenantId: Number(row.tenant_id),
+                    sha256: row.sha256,
+                    uri: row.uri,
+                    collectedAt: row.collected_at,
+                    lineage: row.lineage,
+                };
+                this.records.set(record.id, record);
+            }
+        }
+        catch {
+            // fall back to empty in-memory state
+        }
+    }
+}
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAEzC,cAAc,oBAAoB,CAAC;AACnC,cAAc,yBAAyB,CAAC;AAiBxC,MAAM,WAAW,GAAG,CAAC,CAAC;AACtB,MAAM,eAAe,GAAG,GAAG,CAAC;AAE5B,KAAK,UAAU,KAAK,CAAC,EAAU;IAC7B,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC;AAC3D,CAAC;AAED,MAAM,OAAO,aAAa;IACP,OAAO,GAAG,IAAI,GAAG,EAA0B,CAAC;IAC5C,EAAE,CAAoB;IAC/B,aAAa,GAAoB,EAAE,CAAC;IAE5C,YAAY,QAA2B;QACrC,IAAI,CAAC,EAAE,GAAG,QAAQ,CAAC;IACrB,CAAC;IAED,MAAM,CAAC,WAAW,CAAC,MAAuB;QACxC,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAC3D,CAAC;IAEO,KAAK,CAAC,kBAAkB,CAAC,MAAsB;QACrD,IAAI,CAAC,IAAI,CAAC,EAAE;YAAE,OAAO;QACrB,IAAI,SAA4B,CAAC;QACjC,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,WAAW,EAAE,OAAO,EAAE,EAAE,CAAC;YACvD,IAAI,CAAC;gBACH,MAAM,IAAI,CAAC,EAAE,CAAC,OAAO,CACnB;;uCAE6B,EAC7B;oBACE,MAAM,CAAC,EAAE;oBACT,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC;oBACvB,MAAM,CAAC,SAAS;oBAChB,MAAM,CAAC,MAAM;oBACb,MAAM,CAAC,GAAG;oBACV,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;oBAClB,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,OAAO,CAAC;oBAC9B,MAAM,CAAC,WAAW;iBACnB,CACF,CAAC;gBACF,OAAO;YACT,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,SAAS,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;gBAChE,IAAI,OAAO,GAAG,WAAW,GAAG,CAAC,EAAE,CAAC;oBAC9B,MAAM,KAAK,CAAC,eAAe,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC,CAAC;gBACtD,CAAC;YACH,CAAC;QACH,CAAC;QACD,OAAO,CAAC,IAAI,CACV,4CAA4C,WAAW,gBAAgB,MAAM,CAAC,EAAE,GAAG,EACnF,SAAS,EAAE,OAAO,CACnB,CAAC;IACJ,CAAC;IAED,MAAM,CAAC,KAA4E;QACjF,MAAM,MAAM,GACV,KAAK,CAAC,OAAO,KAAK,SAAS;YACzB,CAAC,CAAC,aAAa,CAAC,WAAW,CAAC,KAAK,CAAC,OAAO,CAAC;YAC1C,CAAC,CAAC,aAAa,CAAC,WAAW,CAAC,GAAG,KAAK,CAAC,GAAG,IAAI,KAAK,CAAC,WAAW,EAAE,CAAC,CAAC;QACrE,MAAM,EAAE,GAAG,MAAM,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC;QACvC,MAAM,MAAM,GAAmB,EAAE,GAAG,KAAK,EAAE,EAAE,EAAE,MAAM,EAAE,CAAC;QAExD,yDAAyD;QACzD,MAAM,YAAY,GAAG,IAAI,CAAC,kBAAkB,CAAC,MAAM,CAAC,CAAC;QACrD,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QAEtC,oDAAoD;QACpD,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC;QAE7B,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,GAAG,CAAC,EAAU;QACZ,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAC9B,CAAC;IAED,sFAAsF;IACtF,KAAK,CAAC,SAAS,CAAC,EAAU;QACxB,IAAI,IAAI,CAAC,EAAE,EAAE,CAAC;YACZ,IAAI,CAAC;gBACH,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,IAAI,CAAC,EAAE,CAAC,KAAK,CASlC,kGAAkG,EAClG,CAAC,EAAE,CAAC,CACL,CAAC;gBACF,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBACpB,MAAM,GAAG,GAAG,IAAI,CAAC,CAAC,CAAE,CAAC;oBACrB,MAAM,MAAM,GAAmB;wBAC7B,EAAE,EAAE,GAAG,CAAC,EAAE;wBACV,SAAS,EAAE,GAAG,CAAC,UAAU;wBACzB,QAAQ,EAAE,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC;wBAC/B,MAAM,EAAE,GAAG,CAAC,MAAM;wBAClB,GAAG,EAAE,GAAG,CAAC,GAAG;wBACZ,WAAW,EAAE,GAAG,CAAC,YAAY;wBAC7B,OAAO,EAAE,GAAG,CAAC,OAAO;qBACrB,CAAC;oBACF,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC;oBAC7B,OAAO,MAAM,CAAC;gBAChB,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,yBAAyB;YAC3B,CAAC;QACH,CAAC;QACD,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAC9B,CAAC;IAED,0DAA0D;IAC1D,aAAa,CAAC,SAAiB;QAC7B,OAAO,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,KAAK,SAAS,CAAC,CAAC;IAC7E,CAAC;IAED,oFAAoF;IACpF,KAAK,CAAC,mBAAmB,CAAC,SAAiB;QACzC,IAAI,IAAI,CAAC,EAAE,EAAE,CAAC;YACZ,IAAI,CAAC;gBACH,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,IAAI,CAAC,EAAE,CAAC,KAAK,CASlC,0GAA0G,EAC1G,CAAC,SAAS,CAAC,CACZ,CAAC;gBACF,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBACpB,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;wBACjC,EAAE,EAAE,GAAG,CAAC,EAAE;wBACV,SAAS,EAAE,GAAG,CAAC,UAAU;wBACzB,QAAQ,EAAE,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC;wBAC/B,MAAM,EAAE,GAAG,CAAC,MAAM;wBAClB,GAAG,EAAE,GAAG,CAAC,GAAG;wBACZ,WAAW,EAAE,GAAG,CAAC,YAAY;wBAC7B,OAAO,EAAE,GAAG,CAAC,OAAO;qBACrB,CAAC,CAAC,CAAC;oBACJ,+BAA+B;oBAC/B,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;wBACxB,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;oBAC5B,CAAC;oBACD,OAAO,OAAO,CAAC;gBACjB,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,yBAAyB;YAC3B,CAAC;QACH,CAAC;QACD,OAAO,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,KAAK,SAAS,CAAC,CAAC;IAC7E,CAAC;IAED,0CAA0C;IAC1C,KAAK,CAAC,KAAK;QACT,MAAM,OAAO,GAAG,CAAC,GAAG,IAAI,CAAC,aAAa,CAAC,CAAC;QACxC,IAAI,CAAC,aAAa,GAAG,EAAE,CAAC;QACxB,MAAM,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;IACpC,CAAC;IAED,KAAK,CAAC,gBAAgB;QACpB,IAAI,CAAC,IAAI,CAAC,EAAE;YAAE,OAAO;QACrB,IAAI,CAAC;YACH,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,IAAI,CAAC,EAAE,CAAC,KAAK,CASlC,oFAAoF,CACrF,CAAC;YACF,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;gBACvB,MAAM,MAAM,GAAmB;oBAC7B,EAAE,EAAE,GAAG,CAAC,EAAE;oBACV,SAAS,EAAE,GAAG,CAAC,UAAU;oBACzB,QAAQ,EAAE,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC;oBAC/B,MAAM,EAAE,GAAG,CAAC,MAAM;oBAClB,GAAG,EAAE,GAAG,CAAC,GAAG;oBACZ,WAAW,EAAE,GAAG,CAAC,YAAY;oBAC7B,OAAO,EAAE,GAAG,CAAC,OAAO;iBACrB,CAAC;gBACF,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC;YACtC,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,qCAAqC;QACvC,CAAC;IACH,CAAC;CACF"}

package/package.json

@@ -0,0 +1,35 @@
+{
+  "name": "@grc-claw/evidence",
+  "version": "0.8.0",
+  "license": "MIT",
+  "type": "module",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    }
+  },
+  "scripts": {
+    "build": "tsc -p tsconfig.json",
+    "test": "node --import tsx --test src/**/*.test.ts"
+  },
+  "dependencies": {
+    "@grc-claw/core": "*"
+  },
+  "devDependencies": {
+    "tsx": "^4.19.0",
+    "typescript": "^5.7.0"
+  },
+  "files": [
+    "dist"
+  ],
+  "publishConfig": {
+    "access": "public"
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/AAH20/GRC_Claw"
+  }
+}