@grwnd/pi-governance 1.2.0

package/LICENSE

@@ -0,0 +1,190 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to the Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by the Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding any notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   Copyright 2026 Grwnd AI
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

package/README.md

@@ -0,0 +1,199 @@
+<p align="center">
+  <img src="assets/logo.png" alt="pi-governance logo" width="180" />
+</p>
+
+<h1 align="center">@grwnd/pi-governance</h1>
+
+<p align="center">
+  Governance, RBAC, audit, and human-in-the-loop for Pi-based coding agents.
+</p>
+
+<p align="center">
+  <a href="https://github.com/Grwnd-AI/pi-governance/actions/workflows/ci.yml"><img src="https://github.com/Grwnd-AI/pi-governance/actions/workflows/ci.yml/badge.svg" alt="CI" /></a>
+  <a href="https://www.npmjs.com/package/@grwnd/pi-governance"><img src="https://img.shields.io/npm/v/@grwnd/pi-governance" alt="npm" /></a>
+  <a href="https://github.com/Grwnd-AI/pi-governance/blob/main/LICENSE"><img src="https://img.shields.io/badge/license-Apache--2.0-blue" alt="License" /></a>
+  <a href="https://grwnd-ai.github.io/pi-governance/"><img src="https://img.shields.io/badge/docs-GitHub%20Pages-blue" alt="Docs" /></a>
+</p>
+
+---
+
+## What is this?
+
+`pi-governance` is a Pi extension that intercepts every tool call your AI coding agent makes and enforces policy before execution. It provides:
+
+- **Role-based access control** — define who can use which tools
+- **Bash command classification** — auto-block dangerous commands (`rm -rf`, `sudo`, `curl | sh`)
+- **Path-level file gating** — restrict read/write to scoped directories
+- **Human-in-the-loop approval** — require sign-off for sensitive operations
+- **Audit logging** — structured JSONL logs of every governance decision
+- **Prompt-level policy** — role-scoped system prompt templates
+
+It works as a drop-in shim. Install it, and your existing Pi agent gains governance controls without any code changes.
+
+## Quick Start
+
+### Install
+
+```bash
+pi install npm:@grwnd/pi-governance
+```
+
+That's it. On next session start, governance is active with sensible defaults:
+
+- All tools allowed
+- Dangerous bash commands blocked
+- Supervised mode (approval required for writes and bash)
+- Audit logged to `~/.pi/agent/audit.jsonl`
+
+### Configure
+
+Create `.pi/governance.yaml` in your project root (committed to git for team-wide policy):
+
+```yaml
+auth:
+  provider: env
+
+policy:
+  engine: yaml
+  yaml:
+    rules_file: ./governance-rules.yaml
+
+hitl:
+  default_mode: supervised
+  timeout_seconds: 300
+
+audit:
+  sinks:
+    - type: jsonl
+      path: ~/.pi/agent/audit.jsonl
+```
+
+### Define Roles
+
+Create `governance-rules.yaml`:
+
+```yaml
+roles:
+  analyst:
+    allowed_tools: [read]
+    blocked_tools: [write, edit, bash]
+    execution_mode: supervised
+    human_approval:
+      required_for: [all]
+    allowed_paths:
+      - '{{project_path}}/**'
+    blocked_paths:
+      - '**/secrets/**'
+      - '**/.env*'
+
+  project_lead:
+    allowed_tools: [read, write, edit, bash]
+    blocked_tools: []
+    execution_mode: supervised
+    human_approval:
+      required_for: [bash, write]
+      auto_approve: [read, edit]
+    allowed_paths:
+      - '{{project_path}}/**'
+    blocked_paths:
+      - '**/secrets/**'
+
+  admin:
+    allowed_tools: [all]
+    blocked_tools: []
+    execution_mode: autonomous
+    human_approval:
+      required_for: []
+    allowed_paths: ['**']
+    blocked_paths: []
+```
+
+### Set Identity
+
+Set environment variables before starting your Pi session:
+
+```bash
+export GRWND_USER=alice
+export GRWND_ROLE=project_lead
+export GRWND_ORG_UNIT=cornerstone_aec
+
+pi
+```
+
+Or use a local users file for team setups — see the [docs](https://grwnd-ai.github.io/pi-governance/).
+
+### Check Status
+
+Inside a governed Pi session:
+
+```
+/governance status
+```
+
+```
+Governance active
+  User:      alice
+  Role:      project_lead
+  Org Unit:  cornerstone_aec
+  Engine:    yaml
+  Mode:      supervised
+  Session:   3 tool calls, 0 denials
+```
+
+## Architecture
+
+```
+User message → Pi Agent Runtime
+                    │
+              ┌─────┴──────┐
+              │ onSessionStart │  ← Identity resolution
+              │  → load policy │  ← Select prompt template
+              └─────┬──────┘
+                    │
+              ┌─────┴──────────┐
+              │ onBeforeToolCall │  ← RBAC: tool allowed?
+              │  → classify bash │  ← Path check
+              │  → HITL approval │  ← Audit log
+              └─────┬──────────┘
+                    │
+               allow │ deny
+                    │    └→ Return denial message
+                    │
+              ┌─────┴──────────┐
+              │ onAfterToolCall  │  ← Audit result
+              └────────────────┘
+```
+
+## Dual Policy Engine
+
+Choose between two policy engines:
+
+| Engine             | Best for                                       | Dependency       |
+| ------------------ | ---------------------------------------------- | ---------------- |
+| **YAML** (default) | Simple setups, quick start                     | Zero — built-in  |
+| **Oso/Polar**      | Complex RBAC, relational policies, inheritance | `oso` (optional) |
+
+Switch engines in config:
+
+```yaml
+policy:
+  engine: oso
+  oso:
+    polar_files:
+      - ./policies/base.polar
+      - ./policies/tools.polar
+```
+
+## Documentation
+
+Full documentation at **[grwnd-ai.github.io/pi-governance](https://grwnd-ai.github.io/pi-governance/)**.
+
+- [Quick Start](https://grwnd-ai.github.io/pi-governance/guide/quickstart)
+- [Team Deployment](https://grwnd-ai.github.io/pi-governance/guide/team-deployment)
+- [YAML Policies](https://grwnd-ai.github.io/pi-governance/guide/yaml-policies)
+- [Bash Classifier](https://grwnd-ai.github.io/pi-governance/guide/bash-classifier)
+- [Configuration Reference](https://grwnd-ai.github.io/pi-governance/reference/config)
+
+## License
+
+[Apache-2.0](LICENSE)

package/dist/index.cjs

@@ -0,0 +1,195 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  ConfigValidationError: () => ConfigValidationError,
+  loadConfig: () => loadConfig
+});
+module.exports = __toCommonJS(index_exports);
+
+// src/lib/config/loader.ts
+var import_fs = require("fs");
+var import_yaml = require("yaml");
+var import_value = require("@sinclair/typebox/value");
+
+// src/lib/config/schema.ts
+var import_typebox = require("@sinclair/typebox");
+var AuthEnvConfig = import_typebox.Type.Object({
+  user_var: import_typebox.Type.String({ default: "GRWND_USER" }),
+  role_var: import_typebox.Type.String({ default: "GRWND_ROLE" }),
+  org_unit_var: import_typebox.Type.String({ default: "GRWND_ORG_UNIT" })
+});
+var AuthLocalConfig = import_typebox.Type.Object({
+  users_file: import_typebox.Type.String({ default: "./users.yaml" })
+});
+var AuthConfig = import_typebox.Type.Object({
+  provider: import_typebox.Type.Union([import_typebox.Type.Literal("env"), import_typebox.Type.Literal("local"), import_typebox.Type.Literal("oidc")], {
+    default: "env"
+  }),
+  env: import_typebox.Type.Optional(AuthEnvConfig),
+  local: import_typebox.Type.Optional(AuthLocalConfig)
+});
+var YamlPolicyConfig = import_typebox.Type.Object({
+  rules_file: import_typebox.Type.String({ default: "./governance-rules.yaml" })
+});
+var OsoPolicyConfig = import_typebox.Type.Object({
+  polar_files: import_typebox.Type.Array(import_typebox.Type.String(), {
+    default: ["./policies/base.polar", "./policies/tools.polar"]
+  })
+});
+var PolicyConfig = import_typebox.Type.Object({
+  engine: import_typebox.Type.Union([import_typebox.Type.Literal("yaml"), import_typebox.Type.Literal("oso")], { default: "yaml" }),
+  yaml: import_typebox.Type.Optional(YamlPolicyConfig),
+  oso: import_typebox.Type.Optional(OsoPolicyConfig)
+});
+var TemplatesConfig = import_typebox.Type.Object({
+  directory: import_typebox.Type.String({ default: "./templates/" }),
+  default: import_typebox.Type.String({ default: "project-lead" })
+});
+var HitlWebhookConfig = import_typebox.Type.Object({
+  url: import_typebox.Type.String()
+});
+var HitlConfig = import_typebox.Type.Object({
+  default_mode: import_typebox.Type.Union(
+    [import_typebox.Type.Literal("autonomous"), import_typebox.Type.Literal("supervised"), import_typebox.Type.Literal("dry_run")],
+    { default: "supervised" }
+  ),
+  approval_channel: import_typebox.Type.Union([import_typebox.Type.Literal("cli"), import_typebox.Type.Literal("webhook")], { default: "cli" }),
+  timeout_seconds: import_typebox.Type.Number({ default: 300, minimum: 10, maximum: 3600 }),
+  webhook: import_typebox.Type.Optional(HitlWebhookConfig)
+});
+var JsonlSinkConfig = import_typebox.Type.Object({
+  type: import_typebox.Type.Literal("jsonl"),
+  path: import_typebox.Type.String({ default: "~/.pi/agent/audit.jsonl" })
+});
+var WebhookSinkConfig = import_typebox.Type.Object({
+  type: import_typebox.Type.Literal("webhook"),
+  url: import_typebox.Type.String()
+});
+var PostgresSinkConfig = import_typebox.Type.Object({
+  type: import_typebox.Type.Literal("postgres"),
+  connection: import_typebox.Type.String()
+});
+var AuditSinkConfig = import_typebox.Type.Union([JsonlSinkConfig, WebhookSinkConfig, PostgresSinkConfig]);
+var AuditConfig = import_typebox.Type.Object({
+  sinks: import_typebox.Type.Array(AuditSinkConfig, {
+    default: [{ type: "jsonl", path: "~/.pi/agent/audit.jsonl" }]
+  })
+});
+var OrgUnitOverride = import_typebox.Type.Object({
+  hitl: import_typebox.Type.Optional(import_typebox.Type.Partial(HitlConfig)),
+  policy: import_typebox.Type.Optional(
+    import_typebox.Type.Object({
+      extra_polar: import_typebox.Type.Optional(import_typebox.Type.String()),
+      extra_rules: import_typebox.Type.Optional(import_typebox.Type.String())
+    })
+  )
+});
+var GovernanceConfigSchema = import_typebox.Type.Object({
+  auth: import_typebox.Type.Optional(AuthConfig),
+  policy: import_typebox.Type.Optional(PolicyConfig),
+  templates: import_typebox.Type.Optional(TemplatesConfig),
+  hitl: import_typebox.Type.Optional(HitlConfig),
+  audit: import_typebox.Type.Optional(AuditConfig),
+  org_units: import_typebox.Type.Optional(import_typebox.Type.Record(import_typebox.Type.String(), OrgUnitOverride))
+});
+
+// src/lib/config/defaults.ts
+var DEFAULTS = {
+  auth: {
+    provider: "env",
+    env: {
+      user_var: "GRWND_USER",
+      role_var: "GRWND_ROLE",
+      org_unit_var: "GRWND_ORG_UNIT"
+    }
+  },
+  policy: {
+    engine: "yaml",
+    yaml: {
+      rules_file: "./governance-rules.yaml"
+    }
+  },
+  templates: {
+    directory: "./templates/",
+    default: "project-lead"
+  },
+  hitl: {
+    default_mode: "supervised",
+    approval_channel: "cli",
+    timeout_seconds: 300
+  },
+  audit: {
+    sinks: [{ type: "jsonl", path: "~/.pi/agent/audit.jsonl" }]
+  }
+};
+
+// src/lib/config/loader.ts
+var CONFIG_PATHS = [
+  process.env.GRWND_GOVERNANCE_CONFIG,
+  ".pi/governance.yaml",
+  `${process.env.HOME}/.pi/agent/governance.yaml`
+];
+function loadConfig() {
+  for (const path of CONFIG_PATHS) {
+    if (path && (0, import_fs.existsSync)(path)) {
+      const raw = (0, import_fs.readFileSync)(path, "utf-8");
+      const parsed = (0, import_yaml.parse)(raw);
+      const resolved = resolveEnvVars(parsed);
+      const errors = [...import_value.Value.Errors(GovernanceConfigSchema, resolved)];
+      if (errors.length > 0) {
+        throw new ConfigValidationError(
+          path,
+          errors.map((e) => ({ path: e.path, message: e.message }))
+        );
+      }
+      const config = import_value.Value.Default(GovernanceConfigSchema, resolved);
+      return { config, source: path };
+    }
+  }
+  return { config: DEFAULTS, source: "built-in" };
+}
+function resolveEnvVars(obj) {
+  if (typeof obj === "string") {
+    return obj.replace(/\$\{(\w+)\}/g, (_, name) => process.env[name] ?? "");
+  }
+  if (Array.isArray(obj)) return obj.map(resolveEnvVars);
+  if (obj && typeof obj === "object") {
+    return Object.fromEntries(
+      Object.entries(obj).map(([k, v]) => [k, resolveEnvVars(v)])
+    );
+  }
+  return obj;
+}
+var ConfigValidationError = class extends Error {
+  constructor(path, errors) {
+    const details = errors.map((e) => `  ${e.path}: ${e.message}`).join("\n");
+    super(`Invalid governance config at ${path}:
+${details}`);
+    this.name = "ConfigValidationError";
+  }
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  ConfigValidationError,
+  loadConfig
+});
+//# sourceMappingURL=index.cjs.map

package/dist/index.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/index.ts","../src/lib/config/loader.ts","../src/lib/config/schema.ts","../src/lib/config/defaults.ts"],"sourcesContent":["export { type GovernanceConfig } from './lib/config/schema.js';\nexport { loadConfig, ConfigValidationError } from './lib/config/loader.js';\nexport {\n  type PolicyEngine,\n  type PolicyDecision,\n  type PathOperation,\n  type ExecutionMode,\n  type BashOverrides,\n} from './lib/policy/engine.js';\nexport { type IdentityProvider, type ResolvedIdentity } from './lib/identity/provider.js';\nexport { type FactStore, type RoleBinding, type Relation } from './lib/facts/store.js';\nexport { type BashClassification } from './lib/bash/classifier.js';\nexport { type AuditSink } from './lib/audit/sinks/sink.js';\n","import { existsSync, readFileSync } from 'fs';\nimport { parse as parseYaml } from 'yaml';\nimport { Value } from '@sinclair/typebox/value';\nimport { GovernanceConfigSchema, type GovernanceConfig } from './schema.js';\nimport { DEFAULTS } from './defaults.js';\n\nconst CONFIG_PATHS = [\n  process.env.GRWND_GOVERNANCE_CONFIG,\n  '.pi/governance.yaml',\n  `${process.env.HOME}/.pi/agent/governance.yaml`,\n];\n\nexport function loadConfig(): { config: GovernanceConfig; source: string } {\n  for (const path of CONFIG_PATHS) {\n    if (path && existsSync(path)) {\n      const raw = readFileSync(path, 'utf-8');\n      const parsed = parseYaml(raw);\n\n      const resolved = resolveEnvVars(parsed);\n\n      const errors = [...Value.Errors(GovernanceConfigSchema, resolved)];\n      if (errors.length > 0) {\n        throw new ConfigValidationError(\n          path,\n          errors.map((e) => ({ path: e.path, message: e.message })),\n        );\n      }\n\n      const config = Value.Default(GovernanceConfigSchema, resolved) as GovernanceConfig;\n      return { config, source: path };\n    }\n  }\n\n  return { config: DEFAULTS, source: 'built-in' };\n}\n\nfunction resolveEnvVars(obj: unknown): unknown {\n  if (typeof obj === 'string') {\n    return obj.replace(/\\$\\{(\\w+)\\}/g, (_, name: string) => process.env[name] ?? '');\n  }\n  if (Array.isArray(obj)) return obj.map(resolveEnvVars);\n  if (obj && typeof obj === 'object') {\n    return Object.fromEntries(\n      Object.entries(obj as Record<string, unknown>).map(([k, v]) => [k, resolveEnvVars(v)]),\n    );\n  }\n  return obj;\n}\n\nexport class ConfigValidationError extends Error {\n  constructor(path: string, errors: Array<{ path: string; message: string }>) {\n    const details = errors.map((e) => `  ${e.path}: ${e.message}`).join('\\n');\n    super(`Invalid governance config at ${path}:\\n${details}`);\n    this.name = 'ConfigValidationError';\n  }\n}\n","import { Type, type Static } from '@sinclair/typebox';\n\nconst AuthEnvConfig = Type.Object({\n  user_var: Type.String({ default: 'GRWND_USER' }),\n  role_var: Type.String({ default: 'GRWND_ROLE' }),\n  org_unit_var: Type.String({ default: 'GRWND_ORG_UNIT' }),\n});\n\nconst AuthLocalConfig = Type.Object({\n  users_file: Type.String({ default: './users.yaml' }),\n});\n\nconst AuthConfig = Type.Object({\n  provider: Type.Union([Type.Literal('env'), Type.Literal('local'), Type.Literal('oidc')], {\n    default: 'env',\n  }),\n  env: Type.Optional(AuthEnvConfig),\n  local: Type.Optional(AuthLocalConfig),\n});\n\nexport type AuthConfigType = Static<typeof AuthConfig>;\n\nconst YamlPolicyConfig = Type.Object({\n  rules_file: Type.String({ default: './governance-rules.yaml' }),\n});\n\nconst OsoPolicyConfig = Type.Object({\n  polar_files: Type.Array(Type.String(), {\n    default: ['./policies/base.polar', './policies/tools.polar'],\n  }),\n});\n\nconst PolicyConfig = Type.Object({\n  engine: Type.Union([Type.Literal('yaml'), Type.Literal('oso')], { default: 'yaml' }),\n  yaml: Type.Optional(YamlPolicyConfig),\n  oso: Type.Optional(OsoPolicyConfig),\n});\n\nconst TemplatesConfig = Type.Object({\n  directory: Type.String({ default: './templates/' }),\n  default: Type.String({ default: 'project-lead' }),\n});\n\nconst HitlWebhookConfig = Type.Object({\n  url: Type.String(),\n});\n\nconst HitlConfig = Type.Object({\n  default_mode: Type.Union(\n    [Type.Literal('autonomous'), Type.Literal('supervised'), Type.Literal('dry_run')],\n    { default: 'supervised' },\n  ),\n  approval_channel: Type.Union([Type.Literal('cli'), Type.Literal('webhook')], { default: 'cli' }),\n  timeout_seconds: Type.Number({ default: 300, minimum: 10, maximum: 3600 }),\n  webhook: Type.Optional(HitlWebhookConfig),\n});\n\nconst JsonlSinkConfig = Type.Object({\n  type: Type.Literal('jsonl'),\n  path: Type.String({ default: '~/.pi/agent/audit.jsonl' }),\n});\n\nconst WebhookSinkConfig = Type.Object({\n  type: Type.Literal('webhook'),\n  url: Type.String(),\n});\n\nconst PostgresSinkConfig = Type.Object({\n  type: Type.Literal('postgres'),\n  connection: Type.String(),\n});\n\nconst AuditSinkConfig = Type.Union([JsonlSinkConfig, WebhookSinkConfig, PostgresSinkConfig]);\n\nconst AuditConfig = Type.Object({\n  sinks: Type.Array(AuditSinkConfig, {\n    default: [{ type: 'jsonl', path: '~/.pi/agent/audit.jsonl' }],\n  }),\n});\n\nconst OrgUnitOverride = Type.Object({\n  hitl: Type.Optional(Type.Partial(HitlConfig)),\n  policy: Type.Optional(\n    Type.Object({\n      extra_polar: Type.Optional(Type.String()),\n      extra_rules: Type.Optional(Type.String()),\n    }),\n  ),\n});\n\nexport const GovernanceConfigSchema = Type.Object({\n  auth: Type.Optional(AuthConfig),\n  policy: Type.Optional(PolicyConfig),\n  templates: Type.Optional(TemplatesConfig),\n  hitl: Type.Optional(HitlConfig),\n  audit: Type.Optional(AuditConfig),\n  org_units: Type.Optional(Type.Record(Type.String(), OrgUnitOverride)),\n});\n\nexport type GovernanceConfig = Static<typeof GovernanceConfigSchema>;\n","import type { GovernanceConfig } from './schema.js';\n\nexport const DEFAULTS: GovernanceConfig = {\n  auth: {\n    provider: 'env',\n    env: {\n      user_var: 'GRWND_USER',\n      role_var: 'GRWND_ROLE',\n      org_unit_var: 'GRWND_ORG_UNIT',\n    },\n  },\n  policy: {\n    engine: 'yaml',\n    yaml: {\n      rules_file: './governance-rules.yaml',\n    },\n  },\n  templates: {\n    directory: './templates/',\n    default: 'project-lead',\n  },\n  hitl: {\n    default_mode: 'supervised',\n    approval_channel: 'cli',\n    timeout_seconds: 300,\n  },\n  audit: {\n    sinks: [{ type: 'jsonl', path: '~/.pi/agent/audit.jsonl' }],\n  },\n};\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAA,gBAAyC;AACzC,kBAAmC;AACnC,mBAAsB;;;ACFtB,qBAAkC;AAElC,IAAM,gBAAgB,oBAAK,OAAO;AAAA,EAChC,UAAU,oBAAK,OAAO,EAAE,SAAS,aAAa,CAAC;AAAA,EAC/C,UAAU,oBAAK,OAAO,EAAE,SAAS,aAAa,CAAC;AAAA,EAC/C,cAAc,oBAAK,OAAO,EAAE,SAAS,iBAAiB,CAAC;AACzD,CAAC;AAED,IAAM,kBAAkB,oBAAK,OAAO;AAAA,EAClC,YAAY,oBAAK,OAAO,EAAE,SAAS,eAAe,CAAC;AACrD,CAAC;AAED,IAAM,aAAa,oBAAK,OAAO;AAAA,EAC7B,UAAU,oBAAK,MAAM,CAAC,oBAAK,QAAQ,KAAK,GAAG,oBAAK,QAAQ,OAAO,GAAG,oBAAK,QAAQ,MAAM,CAAC,GAAG;AAAA,IACvF,SAAS;AAAA,EACX,CAAC;AAAA,EACD,KAAK,oBAAK,SAAS,aAAa;AAAA,EAChC,OAAO,oBAAK,SAAS,eAAe;AACtC,CAAC;AAID,IAAM,mBAAmB,oBAAK,OAAO;AAAA,EACnC,YAAY,oBAAK,OAAO,EAAE,SAAS,0BAA0B,CAAC;AAChE,CAAC;AAED,IAAM,kBAAkB,oBAAK,OAAO;AAAA,EAClC,aAAa,oBAAK,MAAM,oBAAK,OAAO,GAAG;AAAA,IACrC,SAAS,CAAC,yBAAyB,wBAAwB;AAAA,EAC7D,CAAC;AACH,CAAC;AAED,IAAM,eAAe,oBAAK,OAAO;AAAA,EAC/B,QAAQ,oBAAK,MAAM,CAAC,oBAAK,QAAQ,MAAM,GAAG,oBAAK,QAAQ,KAAK,CAAC,GAAG,EAAE,SAAS,OAAO,CAAC;AAAA,EACnF,MAAM,oBAAK,SAAS,gBAAgB;AAAA,EACpC,KAAK,oBAAK,SAAS,eAAe;AACpC,CAAC;AAED,IAAM,kBAAkB,oBAAK,OAAO;AAAA,EAClC,WAAW,oBAAK,OAAO,EAAE,SAAS,eAAe,CAAC;AAAA,EAClD,SAAS,oBAAK,OAAO,EAAE,SAAS,eAAe,CAAC;AAClD,CAAC;AAED,IAAM,oBAAoB,oBAAK,OAAO;AAAA,EACpC,KAAK,oBAAK,OAAO;AACnB,CAAC;AAED,IAAM,aAAa,oBAAK,OAAO;AAAA,EAC7B,cAAc,oBAAK;AAAA,IACjB,CAAC,oBAAK,QAAQ,YAAY,GAAG,oBAAK,QAAQ,YAAY,GAAG,oBAAK,QAAQ,SAAS,CAAC;AAAA,IAChF,EAAE,SAAS,aAAa;AAAA,EAC1B;AAAA,EACA,kBAAkB,oBAAK,MAAM,CAAC,oBAAK,QAAQ,KAAK,GAAG,oBAAK,QAAQ,SAAS,CAAC,GAAG,EAAE,SAAS,MAAM,CAAC;AAAA,EAC/F,iBAAiB,oBAAK,OAAO,EAAE,SAAS,KAAK,SAAS,IAAI,SAAS,KAAK,CAAC;AAAA,EACzE,SAAS,oBAAK,SAAS,iBAAiB;AAC1C,CAAC;AAED,IAAM,kBAAkB,oBAAK,OAAO;AAAA,EAClC,MAAM,oBAAK,QAAQ,OAAO;AAAA,EAC1B,MAAM,oBAAK,OAAO,EAAE,SAAS,0BAA0B,CAAC;AAC1D,CAAC;AAED,IAAM,oBAAoB,oBAAK,OAAO;AAAA,EACpC,MAAM,oBAAK,QAAQ,SAAS;AAAA,EAC5B,KAAK,oBAAK,OAAO;AACnB,CAAC;AAED,IAAM,qBAAqB,oBAAK,OAAO;AAAA,EACrC,MAAM,oBAAK,QAAQ,UAAU;AAAA,EAC7B,YAAY,oBAAK,OAAO;AAC1B,CAAC;AAED,IAAM,kBAAkB,oBAAK,MAAM,CAAC,iBAAiB,mBAAmB,kBAAkB,CAAC;AAE3F,IAAM,cAAc,oBAAK,OAAO;AAAA,EAC9B,OAAO,oBAAK,MAAM,iBAAiB;AAAA,IACjC,SAAS,CAAC,EAAE,MAAM,SAAS,MAAM,0BAA0B,CAAC;AAAA,EAC9D,CAAC;AACH,CAAC;AAED,IAAM,kBAAkB,oBAAK,OAAO;AAAA,EAClC,MAAM,oBAAK,SAAS,oBAAK,QAAQ,UAAU,CAAC;AAAA,EAC5C,QAAQ,oBAAK;AAAA,IACX,oBAAK,OAAO;AAAA,MACV,aAAa,oBAAK,SAAS,oBAAK,OAAO,CAAC;AAAA,MACxC,aAAa,oBAAK,SAAS,oBAAK,OAAO,CAAC;AAAA,IAC1C,CAAC;AAAA,EACH;AACF,CAAC;AAEM,IAAM,yBAAyB,oBAAK,OAAO;AAAA,EAChD,MAAM,oBAAK,SAAS,UAAU;AAAA,EAC9B,QAAQ,oBAAK,SAAS,YAAY;AAAA,EAClC,WAAW,oBAAK,SAAS,eAAe;AAAA,EACxC,MAAM,oBAAK,SAAS,UAAU;AAAA,EAC9B,OAAO,oBAAK,SAAS,WAAW;AAAA,EAChC,WAAW,oBAAK,SAAS,oBAAK,OAAO,oBAAK,OAAO,GAAG,eAAe,CAAC;AACtE,CAAC;;;AC/FM,IAAM,WAA6B;AAAA,EACxC,MAAM;AAAA,IACJ,UAAU;AAAA,IACV,KAAK;AAAA,MACH,UAAU;AAAA,MACV,UAAU;AAAA,MACV,cAAc;AAAA,IAChB;AAAA,EACF;AAAA,EACA,QAAQ;AAAA,IACN,QAAQ;AAAA,IACR,MAAM;AAAA,MACJ,YAAY;AAAA,IACd;AAAA,EACF;AAAA,EACA,WAAW;AAAA,IACT,WAAW;AAAA,IACX,SAAS;AAAA,EACX;AAAA,EACA,MAAM;AAAA,IACJ,cAAc;AAAA,IACd,kBAAkB;AAAA,IAClB,iBAAiB;AAAA,EACnB;AAAA,EACA,OAAO;AAAA,IACL,OAAO,CAAC,EAAE,MAAM,SAAS,MAAM,0BAA0B,CAAC;AAAA,EAC5D;AACF;;;AFvBA,IAAM,eAAe;AAAA,EACnB,QAAQ,IAAI;AAAA,EACZ;AAAA,EACA,GAAG,QAAQ,IAAI,IAAI;AACrB;AAEO,SAAS,aAA2D;AACzE,aAAW,QAAQ,cAAc;AAC/B,QAAI,YAAQ,sBAAW,IAAI,GAAG;AAC5B,YAAM,UAAM,wBAAa,MAAM,OAAO;AACtC,YAAM,aAAS,YAAAA,OAAU,GAAG;AAE5B,YAAM,WAAW,eAAe,MAAM;AAEtC,YAAM,SAAS,CAAC,GAAG,mBAAM,OAAO,wBAAwB,QAAQ,CAAC;AACjE,UAAI,OAAO,SAAS,GAAG;AACrB,cAAM,IAAI;AAAA,UACR;AAAA,UACA,OAAO,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,EAAE,QAAQ,EAAE;AAAA,QAC1D;AAAA,MACF;AAEA,YAAM,SAAS,mBAAM,QAAQ,wBAAwB,QAAQ;AAC7D,aAAO,EAAE,QAAQ,QAAQ,KAAK;AAAA,IAChC;AAAA,EACF;AAEA,SAAO,EAAE,QAAQ,UAAU,QAAQ,WAAW;AAChD;AAEA,SAAS,eAAe,KAAuB;AAC7C,MAAI,OAAO,QAAQ,UAAU;AAC3B,WAAO,IAAI,QAAQ,gBAAgB,CAAC,GAAG,SAAiB,QAAQ,IAAI,IAAI,KAAK,EAAE;AAAA,EACjF;AACA,MAAI,MAAM,QAAQ,GAAG,EAAG,QAAO,IAAI,IAAI,cAAc;AACrD,MAAI,OAAO,OAAO,QAAQ,UAAU;AAClC,WAAO,OAAO;AAAA,MACZ,OAAO,QAAQ,GAA8B,EAAE,IAAI,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,eAAe,CAAC,CAAC,CAAC;AAAA,IACvF;AAAA,EACF;AACA,SAAO;AACT;AAEO,IAAM,wBAAN,cAAoC,MAAM;AAAA,EAC/C,YAAY,MAAc,QAAkD;AAC1E,UAAM,UAAU,OAAO,IAAI,CAAC,MAAM,KAAK,EAAE,IAAI,KAAK,EAAE,OAAO,EAAE,EAAE,KAAK,IAAI;AACxE,UAAM,gCAAgC,IAAI;AAAA,EAAM,OAAO,EAAE;AACzD,SAAK,OAAO;AAAA,EACd;AACF;","names":["parseYaml"]}

package/dist/index.d.cts

@@ -0,0 +1,129 @@
+import * as _sinclair_typebox from '@sinclair/typebox';
+import { Static } from '@sinclair/typebox';
+
+declare const GovernanceConfigSchema: _sinclair_typebox.TObject<{
+    auth: _sinclair_typebox.TOptional<_sinclair_typebox.TObject<{
+        provider: _sinclair_typebox.TUnion<[_sinclair_typebox.TLiteral<"env">, _sinclair_typebox.TLiteral<"local">, _sinclair_typebox.TLiteral<"oidc">]>;
+        env: _sinclair_typebox.TOptional<_sinclair_typebox.TObject<{
+            user_var: _sinclair_typebox.TString;
+            role_var: _sinclair_typebox.TString;
+            org_unit_var: _sinclair_typebox.TString;
+        }>>;
+        local: _sinclair_typebox.TOptional<_sinclair_typebox.TObject<{
+            users_file: _sinclair_typebox.TString;
+        }>>;
+    }>>;
+    policy: _sinclair_typebox.TOptional<_sinclair_typebox.TObject<{
+        engine: _sinclair_typebox.TUnion<[_sinclair_typebox.TLiteral<"yaml">, _sinclair_typebox.TLiteral<"oso">]>;
+        yaml: _sinclair_typebox.TOptional<_sinclair_typebox.TObject<{
+            rules_file: _sinclair_typebox.TString;
+        }>>;
+        oso: _sinclair_typebox.TOptional<_sinclair_typebox.TObject<{
+            polar_files: _sinclair_typebox.TArray<_sinclair_typebox.TString>;
+        }>>;
+    }>>;
+    templates: _sinclair_typebox.TOptional<_sinclair_typebox.TObject<{
+        directory: _sinclair_typebox.TString;
+        default: _sinclair_typebox.TString;
+    }>>;
+    hitl: _sinclair_typebox.TOptional<_sinclair_typebox.TObject<{
+        default_mode: _sinclair_typebox.TUnion<[_sinclair_typebox.TLiteral<"autonomous">, _sinclair_typebox.TLiteral<"supervised">, _sinclair_typebox.TLiteral<"dry_run">]>;
+        approval_channel: _sinclair_typebox.TUnion<[_sinclair_typebox.TLiteral<"cli">, _sinclair_typebox.TLiteral<"webhook">]>;
+        timeout_seconds: _sinclair_typebox.TNumber;
+        webhook: _sinclair_typebox.TOptional<_sinclair_typebox.TObject<{
+            url: _sinclair_typebox.TString;
+        }>>;
+    }>>;
+    audit: _sinclair_typebox.TOptional<_sinclair_typebox.TObject<{
+        sinks: _sinclair_typebox.TArray<_sinclair_typebox.TUnion<[_sinclair_typebox.TObject<{
+            type: _sinclair_typebox.TLiteral<"jsonl">;
+            path: _sinclair_typebox.TString;
+        }>, _sinclair_typebox.TObject<{
+            type: _sinclair_typebox.TLiteral<"webhook">;
+            url: _sinclair_typebox.TString;
+        }>, _sinclair_typebox.TObject<{
+            type: _sinclair_typebox.TLiteral<"postgres">;
+            connection: _sinclair_typebox.TString;
+        }>]>>;
+    }>>;
+    org_units: _sinclair_typebox.TOptional<_sinclair_typebox.TRecord<_sinclair_typebox.TString, _sinclair_typebox.TObject<{
+        hitl: _sinclair_typebox.TOptional<_sinclair_typebox.TObject<{
+            default_mode: _sinclair_typebox.TOptional<_sinclair_typebox.TUnion<[_sinclair_typebox.TLiteral<"autonomous">, _sinclair_typebox.TLiteral<"supervised">, _sinclair_typebox.TLiteral<"dry_run">]>>;
+            approval_channel: _sinclair_typebox.TOptional<_sinclair_typebox.TUnion<[_sinclair_typebox.TLiteral<"cli">, _sinclair_typebox.TLiteral<"webhook">]>>;
+            timeout_seconds: _sinclair_typebox.TOptional<_sinclair_typebox.TNumber>;
+            webhook: _sinclair_typebox.TOptional<_sinclair_typebox.TObject<{
+                url: _sinclair_typebox.TString;
+            }>>;
+        }>>;
+        policy: _sinclair_typebox.TOptional<_sinclair_typebox.TObject<{
+            extra_polar: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+            extra_rules: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+        }>>;
+    }>>>;
+}>;
+type GovernanceConfig = Static<typeof GovernanceConfigSchema>;
+
+declare function loadConfig(): {
+    config: GovernanceConfig;
+    source: string;
+};
+declare class ConfigValidationError extends Error {
+    constructor(path: string, errors: Array<{
+        path: string;
+        message: string;
+    }>);
+}
+
+type PolicyDecision = 'allow' | 'deny' | 'needs_approval';
+type PathOperation = 'read' | 'write';
+type ExecutionMode = 'autonomous' | 'supervised' | 'dry_run';
+interface BashOverrides {
+    additionalBlocked?: RegExp[];
+    additionalAllowed?: RegExp[];
+}
+interface PolicyEngine {
+    evaluateTool(role: string, tool: string): PolicyDecision;
+    evaluatePath(role: string, orgUnit: string, operation: PathOperation, path: string): PolicyDecision;
+    requiresApproval(role: string, tool: string): boolean;
+    getExecutionMode(role: string): ExecutionMode;
+    getTemplateName(role: string): string;
+    getBashOverrides(role: string): BashOverrides;
+    getTokenBudget(role: string): number;
+}
+
+interface ResolvedIdentity {
+    userId: string;
+    role: string;
+    orgUnit: string;
+    source: string;
+}
+interface IdentityProvider {
+    name: string;
+    resolve(): Promise<ResolvedIdentity | null>;
+}
+
+interface RoleBinding {
+    userId: string;
+    role: string;
+    orgUnit: string;
+    config?: Record<string, unknown>;
+}
+interface Relation {
+    subject: string;
+    predicate: string;
+    object: string;
+}
+interface FactStore {
+    getRoles(userId: string): Promise<RoleBinding[]>;
+    getAllRoleBindings(): Promise<RoleBinding[]>;
+    getRelations(subject: string, predicate: string): Promise<Relation[]>;
+}
+
+type BashClassification = 'safe' | 'dangerous' | 'needs_review';
+
+interface AuditSink {
+    write(record: Record<string, unknown>): Promise<void>;
+    flush(): Promise<void>;
+}
+
+export { type AuditSink, type BashClassification, type BashOverrides, ConfigValidationError, type ExecutionMode, type FactStore, type GovernanceConfig, type IdentityProvider, type PathOperation, type PolicyDecision, type PolicyEngine, type Relation, type ResolvedIdentity, type RoleBinding, loadConfig };

package/dist/index.d.ts

@@ -0,0 +1,129 @@
+import * as _sinclair_typebox from '@sinclair/typebox';
+import { Static } from '@sinclair/typebox';
+
+declare const GovernanceConfigSchema: _sinclair_typebox.TObject<{
+    auth: _sinclair_typebox.TOptional<_sinclair_typebox.TObject<{
+        provider: _sinclair_typebox.TUnion<[_sinclair_typebox.TLiteral<"env">, _sinclair_typebox.TLiteral<"local">, _sinclair_typebox.TLiteral<"oidc">]>;
+        env: _sinclair_typebox.TOptional<_sinclair_typebox.TObject<{
+            user_var: _sinclair_typebox.TString;
+            role_var: _sinclair_typebox.TString;
+            org_unit_var: _sinclair_typebox.TString;
+        }>>;
+        local: _sinclair_typebox.TOptional<_sinclair_typebox.TObject<{
+            users_file: _sinclair_typebox.TString;
+        }>>;
+    }>>;
+    policy: _sinclair_typebox.TOptional<_sinclair_typebox.TObject<{
+        engine: _sinclair_typebox.TUnion<[_sinclair_typebox.TLiteral<"yaml">, _sinclair_typebox.TLiteral<"oso">]>;
+        yaml: _sinclair_typebox.TOptional<_sinclair_typebox.TObject<{
+            rules_file: _sinclair_typebox.TString;
+        }>>;
+        oso: _sinclair_typebox.TOptional<_sinclair_typebox.TObject<{
+            polar_files: _sinclair_typebox.TArray<_sinclair_typebox.TString>;
+        }>>;
+    }>>;
+    templates: _sinclair_typebox.TOptional<_sinclair_typebox.TObject<{
+        directory: _sinclair_typebox.TString;
+        default: _sinclair_typebox.TString;
+    }>>;
+    hitl: _sinclair_typebox.TOptional<_sinclair_typebox.TObject<{
+        default_mode: _sinclair_typebox.TUnion<[_sinclair_typebox.TLiteral<"autonomous">, _sinclair_typebox.TLiteral<"supervised">, _sinclair_typebox.TLiteral<"dry_run">]>;
+        approval_channel: _sinclair_typebox.TUnion<[_sinclair_typebox.TLiteral<"cli">, _sinclair_typebox.TLiteral<"webhook">]>;
+        timeout_seconds: _sinclair_typebox.TNumber;
+        webhook: _sinclair_typebox.TOptional<_sinclair_typebox.TObject<{
+            url: _sinclair_typebox.TString;
+        }>>;
+    }>>;
+    audit: _sinclair_typebox.TOptional<_sinclair_typebox.TObject<{
+        sinks: _sinclair_typebox.TArray<_sinclair_typebox.TUnion<[_sinclair_typebox.TObject<{
+            type: _sinclair_typebox.TLiteral<"jsonl">;
+            path: _sinclair_typebox.TString;
+        }>, _sinclair_typebox.TObject<{
+            type: _sinclair_typebox.TLiteral<"webhook">;
+            url: _sinclair_typebox.TString;
+        }>, _sinclair_typebox.TObject<{
+            type: _sinclair_typebox.TLiteral<"postgres">;
+            connection: _sinclair_typebox.TString;
+        }>]>>;
+    }>>;
+    org_units: _sinclair_typebox.TOptional<_sinclair_typebox.TRecord<_sinclair_typebox.TString, _sinclair_typebox.TObject<{
+        hitl: _sinclair_typebox.TOptional<_sinclair_typebox.TObject<{
+            default_mode: _sinclair_typebox.TOptional<_sinclair_typebox.TUnion<[_sinclair_typebox.TLiteral<"autonomous">, _sinclair_typebox.TLiteral<"supervised">, _sinclair_typebox.TLiteral<"dry_run">]>>;
+            approval_channel: _sinclair_typebox.TOptional<_sinclair_typebox.TUnion<[_sinclair_typebox.TLiteral<"cli">, _sinclair_typebox.TLiteral<"webhook">]>>;
+            timeout_seconds: _sinclair_typebox.TOptional<_sinclair_typebox.TNumber>;
+            webhook: _sinclair_typebox.TOptional<_sinclair_typebox.TObject<{
+                url: _sinclair_typebox.TString;
+            }>>;
+        }>>;
+        policy: _sinclair_typebox.TOptional<_sinclair_typebox.TObject<{
+            extra_polar: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+            extra_rules: _sinclair_typebox.TOptional<_sinclair_typebox.TString>;
+        }>>;
+    }>>>;
+}>;
+type GovernanceConfig = Static<typeof GovernanceConfigSchema>;
+
+declare function loadConfig(): {
+    config: GovernanceConfig;
+    source: string;
+};
+declare class ConfigValidationError extends Error {
+    constructor(path: string, errors: Array<{
+        path: string;
+        message: string;
+    }>);
+}
+
+type PolicyDecision = 'allow' | 'deny' | 'needs_approval';
+type PathOperation = 'read' | 'write';
+type ExecutionMode = 'autonomous' | 'supervised' | 'dry_run';
+interface BashOverrides {
+    additionalBlocked?: RegExp[];
+    additionalAllowed?: RegExp[];
+}
+interface PolicyEngine {
+    evaluateTool(role: string, tool: string): PolicyDecision;
+    evaluatePath(role: string, orgUnit: string, operation: PathOperation, path: string): PolicyDecision;
+    requiresApproval(role: string, tool: string): boolean;
+    getExecutionMode(role: string): ExecutionMode;
+    getTemplateName(role: string): string;
+    getBashOverrides(role: string): BashOverrides;
+    getTokenBudget(role: string): number;
+}
+
+interface ResolvedIdentity {
+    userId: string;
+    role: string;
+    orgUnit: string;
+    source: string;
+}
+interface IdentityProvider {
+    name: string;
+    resolve(): Promise<ResolvedIdentity | null>;
+}
+
+interface RoleBinding {
+    userId: string;
+    role: string;
+    orgUnit: string;
+    config?: Record<string, unknown>;
+}
+interface Relation {
+    subject: string;
+    predicate: string;
+    object: string;
+}
+interface FactStore {
+    getRoles(userId: string): Promise<RoleBinding[]>;
+    getAllRoleBindings(): Promise<RoleBinding[]>;
+    getRelations(subject: string, predicate: string): Promise<Relation[]>;
+}
+
+type BashClassification = 'safe' | 'dangerous' | 'needs_review';
+
+interface AuditSink {
+    write(record: Record<string, unknown>): Promise<void>;
+    flush(): Promise<void>;
+}
+
+export { type AuditSink, type BashClassification, type BashOverrides, ConfigValidationError, type ExecutionMode, type FactStore, type GovernanceConfig, type IdentityProvider, type PathOperation, type PolicyDecision, type PolicyEngine, type Relation, type ResolvedIdentity, type RoleBinding, loadConfig };

package/dist/index.js

@@ -0,0 +1,167 @@
+// src/lib/config/loader.ts
+import { existsSync, readFileSync } from "fs";
+import { parse as parseYaml } from "yaml";
+import { Value } from "@sinclair/typebox/value";
+
+// src/lib/config/schema.ts
+import { Type } from "@sinclair/typebox";
+var AuthEnvConfig = Type.Object({
+  user_var: Type.String({ default: "GRWND_USER" }),
+  role_var: Type.String({ default: "GRWND_ROLE" }),
+  org_unit_var: Type.String({ default: "GRWND_ORG_UNIT" })
+});
+var AuthLocalConfig = Type.Object({
+  users_file: Type.String({ default: "./users.yaml" })
+});
+var AuthConfig = Type.Object({
+  provider: Type.Union([Type.Literal("env"), Type.Literal("local"), Type.Literal("oidc")], {
+    default: "env"
+  }),
+  env: Type.Optional(AuthEnvConfig),
+  local: Type.Optional(AuthLocalConfig)
+});
+var YamlPolicyConfig = Type.Object({
+  rules_file: Type.String({ default: "./governance-rules.yaml" })
+});
+var OsoPolicyConfig = Type.Object({
+  polar_files: Type.Array(Type.String(), {
+    default: ["./policies/base.polar", "./policies/tools.polar"]
+  })
+});
+var PolicyConfig = Type.Object({
+  engine: Type.Union([Type.Literal("yaml"), Type.Literal("oso")], { default: "yaml" }),
+  yaml: Type.Optional(YamlPolicyConfig),
+  oso: Type.Optional(OsoPolicyConfig)
+});
+var TemplatesConfig = Type.Object({
+  directory: Type.String({ default: "./templates/" }),
+  default: Type.String({ default: "project-lead" })
+});
+var HitlWebhookConfig = Type.Object({
+  url: Type.String()
+});
+var HitlConfig = Type.Object({
+  default_mode: Type.Union(
+    [Type.Literal("autonomous"), Type.Literal("supervised"), Type.Literal("dry_run")],
+    { default: "supervised" }
+  ),
+  approval_channel: Type.Union([Type.Literal("cli"), Type.Literal("webhook")], { default: "cli" }),
+  timeout_seconds: Type.Number({ default: 300, minimum: 10, maximum: 3600 }),
+  webhook: Type.Optional(HitlWebhookConfig)
+});
+var JsonlSinkConfig = Type.Object({
+  type: Type.Literal("jsonl"),
+  path: Type.String({ default: "~/.pi/agent/audit.jsonl" })
+});
+var WebhookSinkConfig = Type.Object({
+  type: Type.Literal("webhook"),
+  url: Type.String()
+});
+var PostgresSinkConfig = Type.Object({
+  type: Type.Literal("postgres"),
+  connection: Type.String()
+});
+var AuditSinkConfig = Type.Union([JsonlSinkConfig, WebhookSinkConfig, PostgresSinkConfig]);
+var AuditConfig = Type.Object({
+  sinks: Type.Array(AuditSinkConfig, {
+    default: [{ type: "jsonl", path: "~/.pi/agent/audit.jsonl" }]
+  })
+});
+var OrgUnitOverride = Type.Object({
+  hitl: Type.Optional(Type.Partial(HitlConfig)),
+  policy: Type.Optional(
+    Type.Object({
+      extra_polar: Type.Optional(Type.String()),
+      extra_rules: Type.Optional(Type.String())
+    })
+  )
+});
+var GovernanceConfigSchema = Type.Object({
+  auth: Type.Optional(AuthConfig),
+  policy: Type.Optional(PolicyConfig),
+  templates: Type.Optional(TemplatesConfig),
+  hitl: Type.Optional(HitlConfig),
+  audit: Type.Optional(AuditConfig),
+  org_units: Type.Optional(Type.Record(Type.String(), OrgUnitOverride))
+});
+
+// src/lib/config/defaults.ts
+var DEFAULTS = {
+  auth: {
+    provider: "env",
+    env: {
+      user_var: "GRWND_USER",
+      role_var: "GRWND_ROLE",
+      org_unit_var: "GRWND_ORG_UNIT"
+    }
+  },
+  policy: {
+    engine: "yaml",
+    yaml: {
+      rules_file: "./governance-rules.yaml"
+    }
+  },
+  templates: {
+    directory: "./templates/",
+    default: "project-lead"
+  },
+  hitl: {
+    default_mode: "supervised",
+    approval_channel: "cli",
+    timeout_seconds: 300
+  },
+  audit: {
+    sinks: [{ type: "jsonl", path: "~/.pi/agent/audit.jsonl" }]
+  }
+};
+
+// src/lib/config/loader.ts
+var CONFIG_PATHS = [
+  process.env.GRWND_GOVERNANCE_CONFIG,
+  ".pi/governance.yaml",
+  `${process.env.HOME}/.pi/agent/governance.yaml`
+];
+function loadConfig() {
+  for (const path of CONFIG_PATHS) {
+    if (path && existsSync(path)) {
+      const raw = readFileSync(path, "utf-8");
+      const parsed = parseYaml(raw);
+      const resolved = resolveEnvVars(parsed);
+      const errors = [...Value.Errors(GovernanceConfigSchema, resolved)];
+      if (errors.length > 0) {
+        throw new ConfigValidationError(
+          path,
+          errors.map((e) => ({ path: e.path, message: e.message }))
+        );
+      }
+      const config = Value.Default(GovernanceConfigSchema, resolved);
+      return { config, source: path };
+    }
+  }
+  return { config: DEFAULTS, source: "built-in" };
+}
+function resolveEnvVars(obj) {
+  if (typeof obj === "string") {
+    return obj.replace(/\$\{(\w+)\}/g, (_, name) => process.env[name] ?? "");
+  }
+  if (Array.isArray(obj)) return obj.map(resolveEnvVars);
+  if (obj && typeof obj === "object") {
+    return Object.fromEntries(
+      Object.entries(obj).map(([k, v]) => [k, resolveEnvVars(v)])
+    );
+  }
+  return obj;
+}
+var ConfigValidationError = class extends Error {
+  constructor(path, errors) {
+    const details = errors.map((e) => `  ${e.path}: ${e.message}`).join("\n");
+    super(`Invalid governance config at ${path}:
+${details}`);
+    this.name = "ConfigValidationError";
+  }
+};
+export {
+  ConfigValidationError,
+  loadConfig
+};
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/lib/config/loader.ts","../src/lib/config/schema.ts","../src/lib/config/defaults.ts"],"sourcesContent":["import { existsSync, readFileSync } from 'fs';\nimport { parse as parseYaml } from 'yaml';\nimport { Value } from '@sinclair/typebox/value';\nimport { GovernanceConfigSchema, type GovernanceConfig } from './schema.js';\nimport { DEFAULTS } from './defaults.js';\n\nconst CONFIG_PATHS = [\n  process.env.GRWND_GOVERNANCE_CONFIG,\n  '.pi/governance.yaml',\n  `${process.env.HOME}/.pi/agent/governance.yaml`,\n];\n\nexport function loadConfig(): { config: GovernanceConfig; source: string } {\n  for (const path of CONFIG_PATHS) {\n    if (path && existsSync(path)) {\n      const raw = readFileSync(path, 'utf-8');\n      const parsed = parseYaml(raw);\n\n      const resolved = resolveEnvVars(parsed);\n\n      const errors = [...Value.Errors(GovernanceConfigSchema, resolved)];\n      if (errors.length > 0) {\n        throw new ConfigValidationError(\n          path,\n          errors.map((e) => ({ path: e.path, message: e.message })),\n        );\n      }\n\n      const config = Value.Default(GovernanceConfigSchema, resolved) as GovernanceConfig;\n      return { config, source: path };\n    }\n  }\n\n  return { config: DEFAULTS, source: 'built-in' };\n}\n\nfunction resolveEnvVars(obj: unknown): unknown {\n  if (typeof obj === 'string') {\n    return obj.replace(/\\$\\{(\\w+)\\}/g, (_, name: string) => process.env[name] ?? '');\n  }\n  if (Array.isArray(obj)) return obj.map(resolveEnvVars);\n  if (obj && typeof obj === 'object') {\n    return Object.fromEntries(\n      Object.entries(obj as Record<string, unknown>).map(([k, v]) => [k, resolveEnvVars(v)]),\n    );\n  }\n  return obj;\n}\n\nexport class ConfigValidationError extends Error {\n  constructor(path: string, errors: Array<{ path: string; message: string }>) {\n    const details = errors.map((e) => `  ${e.path}: ${e.message}`).join('\\n');\n    super(`Invalid governance config at ${path}:\\n${details}`);\n    this.name = 'ConfigValidationError';\n  }\n}\n","import { Type, type Static } from '@sinclair/typebox';\n\nconst AuthEnvConfig = Type.Object({\n  user_var: Type.String({ default: 'GRWND_USER' }),\n  role_var: Type.String({ default: 'GRWND_ROLE' }),\n  org_unit_var: Type.String({ default: 'GRWND_ORG_UNIT' }),\n});\n\nconst AuthLocalConfig = Type.Object({\n  users_file: Type.String({ default: './users.yaml' }),\n});\n\nconst AuthConfig = Type.Object({\n  provider: Type.Union([Type.Literal('env'), Type.Literal('local'), Type.Literal('oidc')], {\n    default: 'env',\n  }),\n  env: Type.Optional(AuthEnvConfig),\n  local: Type.Optional(AuthLocalConfig),\n});\n\nexport type AuthConfigType = Static<typeof AuthConfig>;\n\nconst YamlPolicyConfig = Type.Object({\n  rules_file: Type.String({ default: './governance-rules.yaml' }),\n});\n\nconst OsoPolicyConfig = Type.Object({\n  polar_files: Type.Array(Type.String(), {\n    default: ['./policies/base.polar', './policies/tools.polar'],\n  }),\n});\n\nconst PolicyConfig = Type.Object({\n  engine: Type.Union([Type.Literal('yaml'), Type.Literal('oso')], { default: 'yaml' }),\n  yaml: Type.Optional(YamlPolicyConfig),\n  oso: Type.Optional(OsoPolicyConfig),\n});\n\nconst TemplatesConfig = Type.Object({\n  directory: Type.String({ default: './templates/' }),\n  default: Type.String({ default: 'project-lead' }),\n});\n\nconst HitlWebhookConfig = Type.Object({\n  url: Type.String(),\n});\n\nconst HitlConfig = Type.Object({\n  default_mode: Type.Union(\n    [Type.Literal('autonomous'), Type.Literal('supervised'), Type.Literal('dry_run')],\n    { default: 'supervised' },\n  ),\n  approval_channel: Type.Union([Type.Literal('cli'), Type.Literal('webhook')], { default: 'cli' }),\n  timeout_seconds: Type.Number({ default: 300, minimum: 10, maximum: 3600 }),\n  webhook: Type.Optional(HitlWebhookConfig),\n});\n\nconst JsonlSinkConfig = Type.Object({\n  type: Type.Literal('jsonl'),\n  path: Type.String({ default: '~/.pi/agent/audit.jsonl' }),\n});\n\nconst WebhookSinkConfig = Type.Object({\n  type: Type.Literal('webhook'),\n  url: Type.String(),\n});\n\nconst PostgresSinkConfig = Type.Object({\n  type: Type.Literal('postgres'),\n  connection: Type.String(),\n});\n\nconst AuditSinkConfig = Type.Union([JsonlSinkConfig, WebhookSinkConfig, PostgresSinkConfig]);\n\nconst AuditConfig = Type.Object({\n  sinks: Type.Array(AuditSinkConfig, {\n    default: [{ type: 'jsonl', path: '~/.pi/agent/audit.jsonl' }],\n  }),\n});\n\nconst OrgUnitOverride = Type.Object({\n  hitl: Type.Optional(Type.Partial(HitlConfig)),\n  policy: Type.Optional(\n    Type.Object({\n      extra_polar: Type.Optional(Type.String()),\n      extra_rules: Type.Optional(Type.String()),\n    }),\n  ),\n});\n\nexport const GovernanceConfigSchema = Type.Object({\n  auth: Type.Optional(AuthConfig),\n  policy: Type.Optional(PolicyConfig),\n  templates: Type.Optional(TemplatesConfig),\n  hitl: Type.Optional(HitlConfig),\n  audit: Type.Optional(AuditConfig),\n  org_units: Type.Optional(Type.Record(Type.String(), OrgUnitOverride)),\n});\n\nexport type GovernanceConfig = Static<typeof GovernanceConfigSchema>;\n","import type { GovernanceConfig } from './schema.js';\n\nexport const DEFAULTS: GovernanceConfig = {\n  auth: {\n    provider: 'env',\n    env: {\n      user_var: 'GRWND_USER',\n      role_var: 'GRWND_ROLE',\n      org_unit_var: 'GRWND_ORG_UNIT',\n    },\n  },\n  policy: {\n    engine: 'yaml',\n    yaml: {\n      rules_file: './governance-rules.yaml',\n    },\n  },\n  templates: {\n    directory: './templates/',\n    default: 'project-lead',\n  },\n  hitl: {\n    default_mode: 'supervised',\n    approval_channel: 'cli',\n    timeout_seconds: 300,\n  },\n  audit: {\n    sinks: [{ type: 'jsonl', path: '~/.pi/agent/audit.jsonl' }],\n  },\n};\n"],"mappings":";AAAA,SAAS,YAAY,oBAAoB;AACzC,SAAS,SAAS,iBAAiB;AACnC,SAAS,aAAa;;;ACFtB,SAAS,YAAyB;AAElC,IAAM,gBAAgB,KAAK,OAAO;AAAA,EAChC,UAAU,KAAK,OAAO,EAAE,SAAS,aAAa,CAAC;AAAA,EAC/C,UAAU,KAAK,OAAO,EAAE,SAAS,aAAa,CAAC;AAAA,EAC/C,cAAc,KAAK,OAAO,EAAE,SAAS,iBAAiB,CAAC;AACzD,CAAC;AAED,IAAM,kBAAkB,KAAK,OAAO;AAAA,EAClC,YAAY,KAAK,OAAO,EAAE,SAAS,eAAe,CAAC;AACrD,CAAC;AAED,IAAM,aAAa,KAAK,OAAO;AAAA,EAC7B,UAAU,KAAK,MAAM,CAAC,KAAK,QAAQ,KAAK,GAAG,KAAK,QAAQ,OAAO,GAAG,KAAK,QAAQ,MAAM,CAAC,GAAG;AAAA,IACvF,SAAS;AAAA,EACX,CAAC;AAAA,EACD,KAAK,KAAK,SAAS,aAAa;AAAA,EAChC,OAAO,KAAK,SAAS,eAAe;AACtC,CAAC;AAID,IAAM,mBAAmB,KAAK,OAAO;AAAA,EACnC,YAAY,KAAK,OAAO,EAAE,SAAS,0BAA0B,CAAC;AAChE,CAAC;AAED,IAAM,kBAAkB,KAAK,OAAO;AAAA,EAClC,aAAa,KAAK,MAAM,KAAK,OAAO,GAAG;AAAA,IACrC,SAAS,CAAC,yBAAyB,wBAAwB;AAAA,EAC7D,CAAC;AACH,CAAC;AAED,IAAM,eAAe,KAAK,OAAO;AAAA,EAC/B,QAAQ,KAAK,MAAM,CAAC,KAAK,QAAQ,MAAM,GAAG,KAAK,QAAQ,KAAK,CAAC,GAAG,EAAE,SAAS,OAAO,CAAC;AAAA,EACnF,MAAM,KAAK,SAAS,gBAAgB;AAAA,EACpC,KAAK,KAAK,SAAS,eAAe;AACpC,CAAC;AAED,IAAM,kBAAkB,KAAK,OAAO;AAAA,EAClC,WAAW,KAAK,OAAO,EAAE,SAAS,eAAe,CAAC;AAAA,EAClD,SAAS,KAAK,OAAO,EAAE,SAAS,eAAe,CAAC;AAClD,CAAC;AAED,IAAM,oBAAoB,KAAK,OAAO;AAAA,EACpC,KAAK,KAAK,OAAO;AACnB,CAAC;AAED,IAAM,aAAa,KAAK,OAAO;AAAA,EAC7B,cAAc,KAAK;AAAA,IACjB,CAAC,KAAK,QAAQ,YAAY,GAAG,KAAK,QAAQ,YAAY,GAAG,KAAK,QAAQ,SAAS,CAAC;AAAA,IAChF,EAAE,SAAS,aAAa;AAAA,EAC1B;AAAA,EACA,kBAAkB,KAAK,MAAM,CAAC,KAAK,QAAQ,KAAK,GAAG,KAAK,QAAQ,SAAS,CAAC,GAAG,EAAE,SAAS,MAAM,CAAC;AAAA,EAC/F,iBAAiB,KAAK,OAAO,EAAE,SAAS,KAAK,SAAS,IAAI,SAAS,KAAK,CAAC;AAAA,EACzE,SAAS,KAAK,SAAS,iBAAiB;AAC1C,CAAC;AAED,IAAM,kBAAkB,KAAK,OAAO;AAAA,EAClC,MAAM,KAAK,QAAQ,OAAO;AAAA,EAC1B,MAAM,KAAK,OAAO,EAAE,SAAS,0BAA0B,CAAC;AAC1D,CAAC;AAED,IAAM,oBAAoB,KAAK,OAAO;AAAA,EACpC,MAAM,KAAK,QAAQ,SAAS;AAAA,EAC5B,KAAK,KAAK,OAAO;AACnB,CAAC;AAED,IAAM,qBAAqB,KAAK,OAAO;AAAA,EACrC,MAAM,KAAK,QAAQ,UAAU;AAAA,EAC7B,YAAY,KAAK,OAAO;AAC1B,CAAC;AAED,IAAM,kBAAkB,KAAK,MAAM,CAAC,iBAAiB,mBAAmB,kBAAkB,CAAC;AAE3F,IAAM,cAAc,KAAK,OAAO;AAAA,EAC9B,OAAO,KAAK,MAAM,iBAAiB;AAAA,IACjC,SAAS,CAAC,EAAE,MAAM,SAAS,MAAM,0BAA0B,CAAC;AAAA,EAC9D,CAAC;AACH,CAAC;AAED,IAAM,kBAAkB,KAAK,OAAO;AAAA,EAClC,MAAM,KAAK,SAAS,KAAK,QAAQ,UAAU,CAAC;AAAA,EAC5C,QAAQ,KAAK;AAAA,IACX,KAAK,OAAO;AAAA,MACV,aAAa,KAAK,SAAS,KAAK,OAAO,CAAC;AAAA,MACxC,aAAa,KAAK,SAAS,KAAK,OAAO,CAAC;AAAA,IAC1C,CAAC;AAAA,EACH;AACF,CAAC;AAEM,IAAM,yBAAyB,KAAK,OAAO;AAAA,EAChD,MAAM,KAAK,SAAS,UAAU;AAAA,EAC9B,QAAQ,KAAK,SAAS,YAAY;AAAA,EAClC,WAAW,KAAK,SAAS,eAAe;AAAA,EACxC,MAAM,KAAK,SAAS,UAAU;AAAA,EAC9B,OAAO,KAAK,SAAS,WAAW;AAAA,EAChC,WAAW,KAAK,SAAS,KAAK,OAAO,KAAK,OAAO,GAAG,eAAe,CAAC;AACtE,CAAC;;;AC/FM,IAAM,WAA6B;AAAA,EACxC,MAAM;AAAA,IACJ,UAAU;AAAA,IACV,KAAK;AAAA,MACH,UAAU;AAAA,MACV,UAAU;AAAA,MACV,cAAc;AAAA,IAChB;AAAA,EACF;AAAA,EACA,QAAQ;AAAA,IACN,QAAQ;AAAA,IACR,MAAM;AAAA,MACJ,YAAY;AAAA,IACd;AAAA,EACF;AAAA,EACA,WAAW;AAAA,IACT,WAAW;AAAA,IACX,SAAS;AAAA,EACX;AAAA,EACA,MAAM;AAAA,IACJ,cAAc;AAAA,IACd,kBAAkB;AAAA,IAClB,iBAAiB;AAAA,EACnB;AAAA,EACA,OAAO;AAAA,IACL,OAAO,CAAC,EAAE,MAAM,SAAS,MAAM,0BAA0B,CAAC;AAAA,EAC5D;AACF;;;AFvBA,IAAM,eAAe;AAAA,EACnB,QAAQ,IAAI;AAAA,EACZ;AAAA,EACA,GAAG,QAAQ,IAAI,IAAI;AACrB;AAEO,SAAS,aAA2D;AACzE,aAAW,QAAQ,cAAc;AAC/B,QAAI,QAAQ,WAAW,IAAI,GAAG;AAC5B,YAAM,MAAM,aAAa,MAAM,OAAO;AACtC,YAAM,SAAS,UAAU,GAAG;AAE5B,YAAM,WAAW,eAAe,MAAM;AAEtC,YAAM,SAAS,CAAC,GAAG,MAAM,OAAO,wBAAwB,QAAQ,CAAC;AACjE,UAAI,OAAO,SAAS,GAAG;AACrB,cAAM,IAAI;AAAA,UACR;AAAA,UACA,OAAO,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,EAAE,QAAQ,EAAE;AAAA,QAC1D;AAAA,MACF;AAEA,YAAM,SAAS,MAAM,QAAQ,wBAAwB,QAAQ;AAC7D,aAAO,EAAE,QAAQ,QAAQ,KAAK;AAAA,IAChC;AAAA,EACF;AAEA,SAAO,EAAE,QAAQ,UAAU,QAAQ,WAAW;AAChD;AAEA,SAAS,eAAe,KAAuB;AAC7C,MAAI,OAAO,QAAQ,UAAU;AAC3B,WAAO,IAAI,QAAQ,gBAAgB,CAAC,GAAG,SAAiB,QAAQ,IAAI,IAAI,KAAK,EAAE;AAAA,EACjF;AACA,MAAI,MAAM,QAAQ,GAAG,EAAG,QAAO,IAAI,IAAI,cAAc;AACrD,MAAI,OAAO,OAAO,QAAQ,UAAU;AAClC,WAAO,OAAO;AAAA,MACZ,OAAO,QAAQ,GAA8B,EAAE,IAAI,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,eAAe,CAAC,CAAC,CAAC;AAAA,IACvF;AAAA,EACF;AACA,SAAO;AACT;AAEO,IAAM,wBAAN,cAAoC,MAAM;AAAA,EAC/C,YAAY,MAAc,QAAkD;AAC1E,UAAM,UAAU,OAAO,IAAI,CAAC,MAAM,KAAK,EAAE,IAAI,KAAK,EAAE,OAAO,EAAE,EAAE,KAAK,IAAI;AACxE,UAAM,gCAAgC,IAAI;AAAA,EAAM,OAAO,EAAE;AACzD,SAAK,OAAO;AAAA,EACd;AACF;","names":[]}

package/package.json

@@ -0,0 +1,112 @@
+{
+  "name": "@grwnd/pi-governance",
+  "version": "1.2.0",
+  "description": "Governance, RBAC, audit, and HITL for Pi-based coding agents",
+  "keywords": [
+    "pi-package",
+    "governance",
+    "rbac",
+    "audit",
+    "hitl"
+  ],
+  "license": "Apache-2.0",
+  "author": "Grwnd AI",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/Grwnd-AI/pi-governance.git"
+  },
+  "type": "module",
+  "main": "./dist/index.cjs",
+  "module": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "import": {
+        "types": "./dist/index.d.ts",
+        "default": "./dist/index.js"
+      },
+      "require": {
+        "types": "./dist/index.d.cts",
+        "default": "./dist/index.cjs"
+      }
+    }
+  },
+  "files": [
+    "dist",
+    "prompts",
+    "policies",
+    "skills"
+  ],
+  "pi": {
+    "extensions": [
+      "./dist/extensions"
+    ],
+    "skills": [
+      "./skills"
+    ],
+    "prompts": [
+      "./prompts"
+    ]
+  },
+  "scripts": {
+    "build": "tsup",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "test:coverage": "vitest run --coverage",
+    "lint": "eslint .",
+    "format": "prettier --write .",
+    "format:check": "prettier --check .",
+    "typecheck": "tsc --noEmit",
+    "docs:dev": "vitepress dev docs",
+    "docs:build": "vitepress build docs",
+    "docs:preview": "vitepress preview docs",
+    "prepare": "husky"
+  },
+  "peerDependencies": {
+    "@mariozechner/pi-coding-agent": ">=0.50.0"
+  },
+  "peerDependenciesMeta": {
+    "@mariozechner/pi-coding-agent": {
+      "optional": true
+    }
+  },
+  "dependencies": {
+    "@sinclair/typebox": "^0.33.0",
+    "minimatch": "^9.0.0",
+    "yaml": "^2.0.0"
+  },
+  "optionalDependencies": {
+    "oso": "^0.27.0"
+  },
+  "devDependencies": {
+    "@semantic-release/changelog": "^6.0.0",
+    "@semantic-release/git": "^10.0.0",
+    "@types/node": "^25.3.3",
+    "@typescript-eslint/eslint-plugin": "^8.0.0",
+    "@typescript-eslint/parser": "^8.0.0",
+    "@vitest/coverage-v8": "^3.0.0",
+    "eslint": "^9.0.0",
+    "husky": "^9.0.0",
+    "lint-staged": "^15.0.0",
+    "prettier": "^3.3.0",
+    "semantic-release": "^24.0.0",
+    "tsup": "^8.0.0",
+    "typescript": "^5.5.0",
+    "typescript-eslint": "^8.0.0",
+    "vitepress": "^1.6.0",
+    "vitest": "^3.0.0"
+  },
+  "lint-staged": {
+    "*.{ts,tsx}": [
+      "eslint --fix",
+      "prettier --write"
+    ],
+    "*.{json,md,yaml,yml}": [
+      "prettier --write"
+    ]
+  },
+  "packageManager": "pnpm@10.30.3",
+  "engines": {
+    "node": ">=20"
+  }
+}