@hol-org/rb-client 0.1.179 → 0.1.181

package/dist/index.cjs

@@ -29,6 +29,8 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 // src/index.ts
 var src_exports = {};
 __export(src_exports, {
+  GUARD_CANONICAL_PATH_PREFIX: () => GUARD_CANONICAL_PATH_PREFIX,
+  GUARD_COMPAT_PATH_PREFIX: () => GUARD_COMPAT_PATH_PREFIX,
   HOL_CHAT_PROTOCOL_ID: () => HOL_CHAT_PROTOCOL_ID,
   RegistryBrokerClient: () => RegistryBrokerClient,
   RegistryBrokerError: () => RegistryBrokerError,
@@ -975,10 +977,14 @@ var guardBucketBalanceSchema = import_zod2.z.object({
 });
 var guardPrincipalSchema = import_zod2.z.object({
   signedIn: import_zod2.z.boolean(),
+  principalType: import_zod2.z.enum(["user", "service"]).default("user"),
   userId: import_zod2.z.string().optional(),
   email: import_zod2.z.string().optional(),
   accountId: import_zod2.z.string().optional(),
   stripeCustomerId: import_zod2.z.string().optional(),
+  serviceId: import_zod2.z.string().optional(),
+  workspaceId: import_zod2.z.string().optional(),
+  serviceLabel: import_zod2.z.string().optional(),
   roles: import_zod2.z.array(import_zod2.z.string())
 });
 var guardEntitlementsSchema = import_zod2.z.object({
@@ -1005,6 +1011,65 @@ var guardBalanceResponseSchema = import_zod2.z.object({
   bucketingMode: import_zod2.z.enum(["shared-ledger", "product-bucketed"]),
   buckets: import_zod2.z.array(guardBucketBalanceSchema)
 });
+var guardFeedItemSchema = import_zod2.z.object({
+  id: import_zod2.z.string(),
+  artifactType: import_zod2.z.enum(["skill", "plugin"]),
+  slug: import_zod2.z.string(),
+  name: import_zod2.z.string(),
+  href: import_zod2.z.string(),
+  ecosystem: import_zod2.z.string().optional(),
+  safetyScore: import_zod2.z.number().nullable().optional(),
+  trustScore: import_zod2.z.number().nullable().optional(),
+  verified: import_zod2.z.boolean(),
+  recommendation: import_zod2.z.enum(["monitor", "review", "block"]),
+  updatedAt: import_zod2.z.string()
+});
+var guardFeedSummarySchema = import_zod2.z.object({
+  total: import_zod2.z.number(),
+  monitorCount: import_zod2.z.number(),
+  reviewCount: import_zod2.z.number(),
+  blockCount: import_zod2.z.number()
+});
+var guardFeedResponseSchema = import_zod2.z.object({
+  generatedAt: import_zod2.z.string(),
+  items: import_zod2.z.array(guardFeedItemSchema),
+  summary: guardFeedSummarySchema
+});
+var guardIntegrationSchema = import_zod2.z.object({
+  id: import_zod2.z.enum(["openclaw", "hermes"]),
+  name: import_zod2.z.string(),
+  status: import_zod2.z.enum(["available", "planned"]),
+  href: import_zod2.z.string().nullable(),
+  summary: import_zod2.z.string()
+});
+var guardActionItemSchema = import_zod2.z.object({
+  title: import_zod2.z.string(),
+  description: import_zod2.z.string(),
+  href: import_zod2.z.string()
+});
+var guardOverviewResponseSchema = import_zod2.z.object({
+  generatedAt: import_zod2.z.string(),
+  principal: guardPrincipalSchema,
+  entitlements: guardEntitlementsSchema,
+  balance: import_zod2.z.object({
+    accountId: import_zod2.z.string(),
+    availableCredits: import_zod2.z.number()
+  }).nullable(),
+  trustFeed: guardFeedResponseSchema,
+  integrations: import_zod2.z.array(guardIntegrationSchema),
+  actionItems: import_zod2.z.array(guardActionItemSchema)
+});
+var guardPolicySchema = import_zod2.z.object({
+  mode: import_zod2.z.enum(["observe", "prompt", "enforce"]),
+  defaultAction: import_zod2.z.enum(["allow", "warn", "block"]),
+  unknownPublisherAction: import_zod2.z.enum(["review", "block", "allow"]),
+  changedHashAction: import_zod2.z.enum(["allow", "warn", "require-reapproval", "block"]),
+  newNetworkDomainAction: import_zod2.z.enum(["allow", "warn", "block"]),
+  subprocessAction: import_zod2.z.enum(["allow", "warn", "block"]),
+  telemetryEnabled: import_zod2.z.boolean(),
+  syncEnabled: import_zod2.z.boolean(),
+  updatedAt: import_zod2.z.string()
+});
 var guardTrustMatchSchema = import_zod2.z.object({
   artifactId: import_zod2.z.string(),
   artifactName: import_zod2.z.string(),
@@ -1040,7 +1105,13 @@ var guardRevocationSchema = import_zod2.z.object({
   artifactName: import_zod2.z.string(),
   reason: import_zod2.z.string(),
   severity: import_zod2.z.enum(["low", "medium", "high"]),
-  publishedAt: import_zod2.z.string()
+  publishedAt: import_zod2.z.string(),
+  confidence: import_zod2.z.number().optional(),
+  remediation: import_zod2.z.string().nullable().optional(),
+  scope: import_zod2.z.enum(["artifact", "publisher", "domain", "workspace", "ecosystem"]).optional(),
+  source: import_zod2.z.string().optional(),
+  firstSeenAt: import_zod2.z.string().optional(),
+  lastUpdatedAt: import_zod2.z.string().optional()
 });
 var guardRevocationResponseSchema = import_zod2.z.object({
   generatedAt: import_zod2.z.string(),
@@ -1134,7 +1205,12 @@ var guardReceiptSyncResponseSchema = import_zod2.z.object({
   syncedAt: import_zod2.z.string(),
   receiptsStored: import_zod2.z.number(),
   inventoryStored: import_zod2.z.number().optional(),
-  inventoryDiff: guardInventoryDiffResponseSchema.optional()
+  inventoryDiff: guardInventoryDiffResponseSchema.optional(),
+  advisories: import_zod2.z.array(guardRevocationSchema).optional(),
+  policy: guardPolicySchema.optional(),
+  alertPreferences: import_zod2.z.lazy(() => guardAlertPreferencesSchema).optional(),
+  exceptions: import_zod2.z.array(import_zod2.z.lazy(() => guardExceptionItemSchema)).optional(),
+  teamPolicyPack: import_zod2.z.lazy(() => guardTeamPolicyPackSchema).optional()
 });
 var guardInventoryResponseSchema = import_zod2.z.object({
   generatedAt: import_zod2.z.string(),
@@ -1220,6 +1296,59 @@ var guardWatchlistResponseSchema = import_zod2.z.object({
   generatedAt: import_zod2.z.string(),
   items: import_zod2.z.array(guardWatchlistItemSchema)
 });
+var guardWatchlistLookupMatchSchema = import_zod2.z.object({
+  artifactId: import_zod2.z.string().nullable(),
+  publisher: import_zod2.z.string().nullable(),
+  domain: import_zod2.z.string().nullable(),
+  source: import_zod2.z.enum(["watchlist", "team-policy"]),
+  reason: import_zod2.z.string()
+});
+var guardWatchlistLookupResponseSchema = import_zod2.z.object({
+  generatedAt: import_zod2.z.string(),
+  matched: import_zod2.z.boolean(),
+  scope: import_zod2.z.enum(["artifact", "publisher", "domain", "none"]),
+  item: guardWatchlistLookupMatchSchema.nullable()
+});
+var guardPainSignalSchema = import_zod2.z.object({
+  signalId: import_zod2.z.string(),
+  signalName: import_zod2.z.string(),
+  artifactId: import_zod2.z.string(),
+  artifactName: import_zod2.z.string(),
+  artifactType: import_zod2.z.enum(["skill", "plugin"]),
+  harness: import_zod2.z.string(),
+  latestSummary: import_zod2.z.string(),
+  firstSeenAt: import_zod2.z.string(),
+  lastSeenAt: import_zod2.z.string(),
+  count: import_zod2.z.number(),
+  source: import_zod2.z.literal("scanner"),
+  publisher: import_zod2.z.string().optional()
+});
+var guardPainSignalListResponseSchema = import_zod2.z.object({
+  generatedAt: import_zod2.z.string(),
+  items: import_zod2.z.array(guardPainSignalSchema)
+});
+var guardPainSignalAggregateSchema = import_zod2.z.object({
+  artifactId: import_zod2.z.string(),
+  artifactName: import_zod2.z.string(),
+  artifactType: import_zod2.z.enum(["skill", "plugin"]),
+  signalName: import_zod2.z.string(),
+  latestSummary: import_zod2.z.string(),
+  firstSeenAt: import_zod2.z.string(),
+  lastSeenAt: import_zod2.z.string(),
+  totalCount: import_zod2.z.number(),
+  consumerCount: import_zod2.z.number(),
+  harnesses: import_zod2.z.array(import_zod2.z.string()),
+  publishers: import_zod2.z.array(import_zod2.z.string())
+});
+var guardPainSignalAggregateResponseSchema = import_zod2.z.object({
+  generatedAt: import_zod2.z.string(),
+  summary: import_zod2.z.object({
+    totalSignals: import_zod2.z.number(),
+    uniqueArtifacts: import_zod2.z.number(),
+    uniqueConsumers: import_zod2.z.number()
+  }),
+  items: import_zod2.z.array(guardPainSignalAggregateSchema)
+});
 var guardExceptionItemSchema = import_zod2.z.object({
   exceptionId: import_zod2.z.string(),
   scope: import_zod2.z.enum(["artifact", "publisher", "harness", "global"]),
@@ -1237,6 +1366,45 @@ var guardExceptionListResponseSchema = import_zod2.z.object({
   generatedAt: import_zod2.z.string(),
   items: import_zod2.z.array(guardExceptionItemSchema)
 });
+var guardPreflightEvidenceSchema = import_zod2.z.object({
+  category: import_zod2.z.enum([
+    "policy",
+    "trust",
+    "watchlist",
+    "team-policy",
+    "exception"
+  ]),
+  source: import_zod2.z.string(),
+  detail: import_zod2.z.string()
+});
+var guardPreflightRequestSchema = import_zod2.z.object({
+  harness: import_zod2.z.string(),
+  artifactName: import_zod2.z.string(),
+  artifactType: import_zod2.z.enum(["skill", "plugin"]),
+  artifactId: import_zod2.z.string().optional(),
+  artifactSlug: import_zod2.z.string().optional(),
+  artifactHash: import_zod2.z.string().optional(),
+  publisher: import_zod2.z.string().optional(),
+  domain: import_zod2.z.string().optional(),
+  launchSummary: import_zod2.z.string().optional(),
+  capabilities: import_zod2.z.array(import_zod2.z.string()).optional(),
+  workspacePath: import_zod2.z.string().optional()
+});
+var guardPreflightVerdictResponseSchema = import_zod2.z.object({
+  generatedAt: import_zod2.z.string(),
+  principal: guardPrincipalSchema,
+  decision: import_zod2.z.enum(["allow", "review", "block"]),
+  recommendation: import_zod2.z.enum(["monitor", "review", "block"]),
+  rationale: import_zod2.z.string(),
+  category: import_zod2.z.enum(["exception", "team-policy", "watchlist", "trust", "policy"]).optional(),
+  confidence: import_zod2.z.number().optional(),
+  freshnessTimestamp: import_zod2.z.string().optional(),
+  evidenceSources: import_zod2.z.array(import_zod2.z.string()).optional(),
+  scope: import_zod2.z.enum(["artifact", "publisher", "domain", "policy"]),
+  matchedEvidence: import_zod2.z.array(guardPreflightEvidenceSchema),
+  matchedException: guardExceptionItemSchema.nullable(),
+  trustMatch: guardTrustMatchSchema.nullable()
+});
 var guardTeamPolicyAuditItemSchema = import_zod2.z.object({
   changedAt: import_zod2.z.string(),
   actor: import_zod2.z.string(),
@@ -1245,8 +1413,13 @@ var guardTeamPolicyAuditItemSchema = import_zod2.z.object({
 });
 var guardTeamPolicyPackSchema = import_zod2.z.object({
   name: import_zod2.z.string(),
-  sharedHarnessDefaults: import_zod2.z.record(import_zod2.z.string(), import_zod2.z.enum(["observe", "prompt", "enforce"])),
+  sharedHarnessDefaults: import_zod2.z.record(
+    import_zod2.z.string(),
+    import_zod2.z.enum(["observe", "prompt", "enforce"])
+  ),
   allowedPublishers: import_zod2.z.array(import_zod2.z.string()),
+  blockedPublishers: import_zod2.z.array(import_zod2.z.string()).optional(),
+  blockedDomains: import_zod2.z.array(import_zod2.z.string()).optional(),
   blockedArtifacts: import_zod2.z.array(import_zod2.z.string()),
   alertChannel: import_zod2.z.enum(["email", "slack", "teams", "webhook"]),
   updatedAt: import_zod2.z.string(),
@@ -1661,13 +1834,11 @@ var skillDeprecationsResponseSchema = import_zod2.z.object({
   name: import_zod2.z.string(),
   items: import_zod2.z.array(skillDeprecationRecordSchema)
 }).passthrough();
-var skillSecurityBreakdownFindingSchema = import_zod2.z.record(jsonValueSchema);
-var skillSecurityBreakdownSummarySchema = import_zod2.z.record(jsonValueSchema);
 var skillSecurityBreakdownResponseSchema = import_zod2.z.object({
   jobId: import_zod2.z.string(),
   score: import_zod2.z.number().nullable().optional(),
-  findings: import_zod2.z.array(skillSecurityBreakdownFindingSchema).optional(),
-  summary: skillSecurityBreakdownSummarySchema.optional(),
+  findings: import_zod2.z.array(jsonValueSchema).optional(),
+  summary: jsonValueSchema.optional(),
   generatedAt: import_zod2.z.string().nullable().optional(),
   scannerVersion: import_zod2.z.string().nullable().optional()
 }).passthrough();
@@ -4124,10 +4295,98 @@ async function registerOwnedMoltbookAgent(client, uaid, request) {
 }
 
 // ../../src/services/registry-broker/client/guard.ts
+function isStatusError(error) {
+  if (error instanceof RegistryBrokerError) {
+    return true;
+  }
+  if (typeof error !== "object" || error === null || !("status" in error)) {
+    return false;
+  }
+  return typeof Reflect.get(error, "status") === "number";
+}
+function toPortalCanonicalGuardPath(path) {
+  const segments = path.split("/");
+  const findPatternStart = (size, matcher) => {
+    for (let startIndex = segments.length - size; startIndex >= 0; startIndex -= 1) {
+      if (matcher(startIndex)) {
+        return startIndex;
+      }
+    }
+    return -1;
+  };
+  const replaceAt = (startIndex, consumed) => [
+    ...segments.slice(0, startIndex),
+    "api",
+    "guard",
+    ...segments.slice(startIndex + consumed)
+  ].join("/");
+  const registryStart = findPatternStart(
+    4,
+    (startIndex) => segments[startIndex] === "registry" && segments[startIndex + 1] === "api" && /^v\d+$/.test(segments[startIndex + 2] ?? "") && segments[startIndex + 3] === "guard"
+  );
+  if (registryStart >= 0) {
+    return replaceAt(registryStart, 4);
+  }
+  const apiVersionStart = findPatternStart(
+    3,
+    (startIndex) => segments[startIndex] === "api" && /^v\d+$/.test(segments[startIndex + 1] ?? "") && segments[startIndex + 2] === "guard"
+  );
+  if (apiVersionStart >= 0) {
+    return replaceAt(apiVersionStart, 3);
+  }
+  for (let index = segments.length - 1; index >= 0; index -= 1) {
+    if (segments[index] === "guard" && segments[index - 1] !== "api") {
+      return [
+        ...segments.slice(0, index),
+        "api",
+        "guard",
+        ...segments.slice(index + 1)
+      ].join("/");
+    }
+  }
+  return path;
+}
+function buildPortalCanonicalGuardUrl(baseUrl, path) {
+  const target = new URL(path, "https://guard.local");
+  const normalizedBasePath = (() => {
+    try {
+      const base = new URL(baseUrl);
+      return base.pathname.replace(/\/+$/, "");
+    } catch {
+      return baseUrl.replace(/\/+$/, "");
+    }
+  })();
+  const requestedPath = `${normalizedBasePath}${target.pathname}`;
+  const canonicalPath = toPortalCanonicalGuardPath(requestedPath);
+  const canonicalRelativePath = `${canonicalPath}${target.search}`;
+  try {
+    const base = new URL(baseUrl);
+    return `${base.origin}${canonicalRelativePath}`;
+  } catch {
+    return canonicalRelativePath;
+  }
+}
+async function requestPortalFirstJson(client, path, init) {
+  try {
+    return await client.requestJson(path, init);
+  } catch (error) {
+    if (isStatusError(error) && (error.status === 404 || error.status === 501)) {
+      return client.requestAbsoluteJson(
+        buildPortalCanonicalGuardUrl(client.baseUrl, path),
+        init
+      );
+    }
+    throw error;
+  }
+}
 async function getGuardSession(client) {
-  const raw = await client.requestJson("/guard/auth/session", {
-    method: "GET"
-  });
+  const raw = await requestPortalFirstJson(
+    client,
+    "/guard/auth/session",
+    {
+      method: "GET"
+    }
+  );
   return client.parseWithSchema(
     raw,
     guardSessionResponseSchema,
@@ -4135,9 +4394,13 @@ async function getGuardSession(client) {
   );
 }
 async function getGuardEntitlements(client) {
-  const raw = await client.requestJson("/guard/entitlements", {
-    method: "GET"
-  });
+  const raw = await requestPortalFirstJson(
+    client,
+    "/guard/entitlements",
+    {
+      method: "GET"
+    }
+  );
   return client.parseWithSchema(
     raw,
     guardSessionResponseSchema,
@@ -4145,21 +4408,60 @@ async function getGuardEntitlements(client) {
   );
 }
 async function getGuardBillingBalance(client) {
-  const raw = await client.requestJson("/guard/billing/balance", {
-    method: "GET"
-  });
+  const raw = await requestPortalFirstJson(
+    client,
+    "/guard/billing/balance",
+    {
+      method: "GET"
+    }
+  );
   return client.parseWithSchema(
     raw,
     guardBalanceResponseSchema,
     "guard billing balance response"
   );
 }
+async function getGuardFeed(client, limit) {
+  const params = new URLSearchParams();
+  if (typeof limit === "number" && Number.isFinite(limit) && Math.trunc(limit) > 0) {
+    params.set("limit", String(Math.trunc(limit)));
+  }
+  const query = params.toString();
+  const suffix = query ? `?${query}` : "";
+  const raw = await requestPortalFirstJson(
+    client,
+    `/guard/feed${suffix}`,
+    {
+      method: "GET"
+    }
+  );
+  return client.parseWithSchema(
+    raw,
+    guardFeedResponseSchema,
+    "guard feed response"
+  );
+}
+async function getGuardOverview(client) {
+  const raw = await requestPortalFirstJson(
+    client,
+    "/guard/overview",
+    {
+      method: "GET"
+    }
+  );
+  return client.parseWithSchema(
+    raw,
+    guardOverviewResponseSchema,
+    "guard overview response"
+  );
+}
 async function getGuardTrustByHash(client, sha256) {
   const normalizedHash = sha256.trim();
   if (!normalizedHash) {
     throw new Error("sha256 is required");
   }
-  const raw = await client.requestJson(
+  const raw = await requestPortalFirstJson(
+    client,
     `/guard/trust/by-hash/${encodeURIComponent(normalizedHash)}`,
     { method: "GET" }
   );
@@ -4181,7 +4483,8 @@ async function resolveGuardTrust(client, query) {
     params.set("version", query.version.trim());
   }
   const suffix = params.size > 0 ? `?${params.toString()}` : "";
-  const raw = await client.requestJson(
+  const raw = await requestPortalFirstJson(
+    client,
     `/guard/trust/resolve${suffix}`,
     { method: "GET" }
   );
@@ -4192,19 +4495,55 @@ async function resolveGuardTrust(client, query) {
   );
 }
 async function getGuardRevocations(client) {
-  const raw = await client.requestJson("/guard/revocations", {
-    method: "GET"
-  });
+  const raw = await requestPortalFirstJson(
+    client,
+    "/guard/revocations",
+    {
+      method: "GET"
+    }
+  );
   return client.parseWithSchema(
     raw,
     guardRevocationResponseSchema,
     "guard revocations response"
   );
 }
+async function fetchGuardAdvisories(client) {
+  const raw = await requestPortalFirstJson(
+    client,
+    "/guard/advisories",
+    {
+      method: "GET"
+    }
+  );
+  return client.parseWithSchema(
+    raw,
+    guardRevocationResponseSchema,
+    "guard advisories response"
+  );
+}
+async function fetchGuardPolicy(client) {
+  const raw = await requestPortalFirstJson(
+    client,
+    "/guard/policy/fetch",
+    {
+      method: "GET"
+    }
+  );
+  return client.parseWithSchema(
+    raw,
+    guardPolicySchema,
+    "guard policy response"
+  );
+}
 async function getGuardInventory(client) {
-  const raw = await client.requestJson("/guard/inventory", {
-    method: "GET"
-  });
+  const raw = await requestPortalFirstJson(
+    client,
+    "/guard/inventory",
+    {
+      method: "GET"
+    }
+  );
   return client.parseWithSchema(
     raw,
     guardInventoryResponseSchema,
@@ -4212,9 +4551,13 @@ async function getGuardInventory(client) {
   );
 }
 async function getGuardReceiptHistory(client) {
-  const raw = await client.requestJson("/guard/history", {
-    method: "GET"
-  });
+  const raw = await requestPortalFirstJson(
+    client,
+    "/guard/history",
+    {
+      method: "GET"
+    }
+  );
   return client.parseWithSchema(
     raw,
     guardReceiptHistoryResponseSchema,
@@ -4226,7 +4569,8 @@ async function getGuardArtifactTimeline(client, artifactId) {
   if (!normalizedArtifactId) {
     throw new Error("artifactId is required");
   }
-  const raw = await client.requestJson(
+  const raw = await requestPortalFirstJson(
+    client,
     `/guard/history/${encodeURIComponent(normalizedArtifactId)}`,
     { method: "GET" }
   );
@@ -4237,7 +4581,7 @@ async function getGuardArtifactTimeline(client, artifactId) {
   );
 }
 async function exportGuardAbom(client) {
-  const raw = await client.requestJson("/guard/abom", {
+  const raw = await requestPortalFirstJson(client, "/guard/abom", {
     method: "GET"
   });
   return client.parseWithSchema(
@@ -4246,10 +4590,30 @@ async function exportGuardAbom(client) {
     "guard abom response"
   );
 }
+async function exportGuardArtifactAbom(client, artifactId) {
+  const normalizedArtifactId = artifactId.trim();
+  if (!normalizedArtifactId) {
+    throw new Error("artifactId is required");
+  }
+  const raw = await requestPortalFirstJson(
+    client,
+    `/guard/abom/${encodeURIComponent(normalizedArtifactId)}`,
+    { method: "GET" }
+  );
+  return client.parseWithSchema(
+    raw,
+    guardAbomResponseSchema,
+    "guard artifact abom response"
+  );
+}
 async function exportGuardReceipts(client) {
-  const raw = await client.requestJson("/guard/receipts/export", {
-    method: "GET"
-  });
+  const raw = await requestPortalFirstJson(
+    client,
+    "/guard/receipts/export",
+    {
+      method: "GET"
+    }
+  );
   return client.parseWithSchema(
     raw,
     guardReceiptExportResponseSchema,
@@ -4257,9 +4621,13 @@ async function exportGuardReceipts(client) {
   );
 }
 async function getGuardInventoryDiff(client) {
-  const raw = await client.requestJson("/guard/inventory/diff", {
-    method: "GET"
-  });
+  const raw = await requestPortalFirstJson(
+    client,
+    "/guard/inventory/diff",
+    {
+      method: "GET"
+    }
+  );
   return client.parseWithSchema(
     raw,
     guardInventoryDiffResponseSchema,
@@ -4267,9 +4635,13 @@ async function getGuardInventoryDiff(client) {
   );
 }
 async function getGuardDevices(client) {
-  const raw = await client.requestJson("/guard/devices", {
-    method: "GET"
-  });
+  const raw = await requestPortalFirstJson(
+    client,
+    "/guard/devices",
+    {
+      method: "GET"
+    }
+  );
   return client.parseWithSchema(
     raw,
     guardDeviceListResponseSchema,
@@ -4277,9 +4649,13 @@ async function getGuardDevices(client) {
   );
 }
 async function getGuardAlertPreferences(client) {
-  const raw = await client.requestJson("/guard/alerts/preferences", {
-    method: "GET"
-  });
+  const raw = await requestPortalFirstJson(
+    client,
+    "/guard/alerts/preferences",
+    {
+      method: "GET"
+    }
+  );
   return client.parseWithSchema(
     raw,
     guardAlertPreferencesSchema,
@@ -4287,10 +4663,14 @@ async function getGuardAlertPreferences(client) {
   );
 }
 async function updateGuardAlertPreferences(client, payload) {
-  const raw = await client.requestJson("/guard/alerts/preferences", {
-    method: "PUT",
-    body: payload
-  });
+  const raw = await requestPortalFirstJson(
+    client,
+    "/guard/alerts/preferences",
+    {
+      method: "PUT",
+      body: payload
+    }
+  );
   return client.parseWithSchema(
     raw,
     guardAlertPreferencesSchema,
@@ -4298,9 +4678,13 @@ async function updateGuardAlertPreferences(client, payload) {
   );
 }
 async function getGuardExceptions(client) {
-  const raw = await client.requestJson("/guard/exceptions", {
-    method: "GET"
-  });
+  const raw = await requestPortalFirstJson(
+    client,
+    "/guard/exceptions",
+    {
+      method: "GET"
+    }
+  );
   return client.parseWithSchema(
     raw,
     guardExceptionListResponseSchema,
@@ -4308,20 +4692,126 @@ async function getGuardExceptions(client) {
   );
 }
 async function getGuardWatchlist(client) {
-  const raw = await client.requestJson("/guard/watchlist", {
-    method: "GET"
-  });
+  const raw = await requestPortalFirstJson(
+    client,
+    "/guard/watchlist",
+    {
+      method: "GET"
+    }
+  );
   return client.parseWithSchema(
     raw,
     guardWatchlistResponseSchema,
     "guard watchlist response"
   );
 }
-async function addGuardWatchlistItem(client, payload) {
-  const raw = await client.requestJson("/guard/watchlist", {
+async function lookupGuardWatchlist(client, payload) {
+  const raw = await requestPortalFirstJson(
+    client,
+    "/guard/watchlist/lookup",
+    {
+      method: "POST",
+      body: payload
+    }
+  );
+  return client.parseWithSchema(
+    raw,
+    guardWatchlistLookupResponseSchema,
+    "guard watchlist lookup response"
+  );
+}
+async function getGuardPainSignals(client) {
+  const raw = await requestPortalFirstJson(
+    client,
+    "/guard/signals/pain",
+    {
+      method: "GET"
+    }
+  );
+  return client.parseWithSchema(
+    raw,
+    guardPainSignalListResponseSchema,
+    "guard pain signals response"
+  );
+}
+async function getGuardAggregatedPainSignals(client) {
+  const raw = await requestPortalFirstJson(
+    client,
+    "/guard/signals/pain/aggregate",
+    {
+      method: "GET"
+    }
+  );
+  return client.parseWithSchema(
+    raw,
+    guardPainSignalAggregateResponseSchema,
+    "guard aggregated pain signals response"
+  );
+}
+async function getGuardPreflightVerdict(client, path, payload) {
+  const raw = await requestPortalFirstJson(client, path, {
     method: "POST",
     body: payload
   });
+  return client.parseWithSchema(
+    raw,
+    guardPreflightVerdictResponseSchema,
+    "guard preflight verdict response"
+  );
+}
+async function getGuardPreInstallVerdict(client, payload) {
+  return getGuardPreflightVerdict(
+    client,
+    "/guard/verdict/pre-install",
+    payload
+  );
+}
+async function getGuardPreExecutionVerdict(client, payload) {
+  return getGuardPreflightVerdict(
+    client,
+    "/guard/verdict/pre-execution",
+    payload
+  );
+}
+async function ingestGuardPainSignals(client, items) {
+  const raw = await requestPortalFirstJson(
+    client,
+    "/guard/signals/pain",
+    {
+      method: "POST",
+      body: { items }
+    }
+  );
+  return client.parseWithSchema(
+    raw,
+    guardPainSignalListResponseSchema,
+    "guard pain signals response"
+  );
+}
+async function submitGuardReceipts(client, payload) {
+  const raw = await requestPortalFirstJson(
+    client,
+    "/guard/receipts/submit",
+    {
+      method: "POST",
+      body: payload
+    }
+  );
+  return client.parseWithSchema(
+    raw,
+    guardReceiptSyncResponseSchema,
+    "guard receipt submit response"
+  );
+}
+async function addGuardWatchlistItem(client, payload) {
+  const raw = await requestPortalFirstJson(
+    client,
+    "/guard/watchlist",
+    {
+      method: "POST",
+      body: payload
+    }
+  );
   return client.parseWithSchema(
     raw,
     guardWatchlistResponseSchema,
@@ -4333,7 +4823,8 @@ async function removeGuardWatchlistItem(client, artifactId) {
   if (!normalizedArtifactId) {
     throw new Error("artifactId is required");
   }
-  const raw = await client.requestJson(
+  const raw = await requestPortalFirstJson(
+    client,
     `/guard/watchlist/${encodeURIComponent(normalizedArtifactId)}`,
     { method: "DELETE" }
   );
@@ -4344,22 +4835,57 @@ async function removeGuardWatchlistItem(client, artifactId) {
   );
 }
 async function addGuardException(client, payload) {
-  const raw = await client.requestJson("/guard/exceptions", {
-    method: "POST",
-    body: payload
-  });
+  const raw = await requestPortalFirstJson(
+    client,
+    "/guard/exceptions",
+    {
+      method: "POST",
+      body: payload
+    }
+  );
   return client.parseWithSchema(
     raw,
     guardExceptionListResponseSchema,
     "guard exceptions response"
   );
 }
+async function requestGuardException(client, payload) {
+  const raw = await requestPortalFirstJson(
+    client,
+    "/guard/exceptions/request",
+    {
+      method: "POST",
+      body: payload
+    }
+  );
+  return client.parseWithSchema(
+    raw,
+    guardExceptionListResponseSchema,
+    "guard exception request response"
+  );
+}
+async function syncGuardInventory(client, payload) {
+  const raw = await requestPortalFirstJson(
+    client,
+    "/guard/inventory/sync",
+    {
+      method: "POST",
+      body: payload
+    }
+  );
+  return client.parseWithSchema(
+    raw,
+    guardReceiptSyncResponseSchema,
+    "guard inventory sync response"
+  );
+}
 async function removeGuardException(client, exceptionId) {
   const normalizedExceptionId = exceptionId.trim();
   if (!normalizedExceptionId) {
     throw new Error("exceptionId is required");
   }
-  const raw = await client.requestJson(
+  const raw = await requestPortalFirstJson(
+    client,
     `/guard/exceptions/${encodeURIComponent(normalizedExceptionId)}`,
     { method: "DELETE" }
   );
@@ -4370,9 +4896,13 @@ async function removeGuardException(client, exceptionId) {
   );
 }
 async function getGuardTeamPolicyPack(client) {
-  const raw = await client.requestJson("/guard/team/policy-pack", {
-    method: "GET"
-  });
+  const raw = await requestPortalFirstJson(
+    client,
+    "/guard/team/policy-pack",
+    {
+      method: "GET"
+    }
+  );
   return client.parseWithSchema(
     raw,
     guardTeamPolicyPackSchema,
@@ -4380,10 +4910,14 @@ async function getGuardTeamPolicyPack(client) {
   );
 }
 async function updateGuardTeamPolicyPack(client, payload) {
-  const raw = await client.requestJson("/guard/team/policy-pack", {
-    method: "PUT",
-    body: payload
-  });
+  const raw = await requestPortalFirstJson(
+    client,
+    "/guard/team/policy-pack",
+    {
+      method: "PUT",
+      body: payload
+    }
+  );
   return client.parseWithSchema(
     raw,
     guardTeamPolicyPackSchema,
@@ -4391,10 +4925,14 @@ async function updateGuardTeamPolicyPack(client, payload) {
   );
 }
 async function syncGuardReceipts(client, payload) {
-  const raw = await client.requestJson("/guard/receipts/sync", {
-    method: "POST",
-    body: payload
-  });
+  const raw = await requestPortalFirstJson(
+    client,
+    "/guard/receipts/sync",
+    {
+      method: "POST",
+      body: payload
+    }
+  );
   return client.parseWithSchema(
     raw,
     guardReceiptSyncResponseSchema,
@@ -5730,7 +6268,7 @@ var RegistryBrokerClient = class _RegistryBrokerClient {
     const normalisedPath = path.startsWith("/") ? path : `/${path}`;
     return `${this.baseUrl}${normalisedPath}`;
   }
-  async request(path, config) {
+  buildRequestInit(config) {
     const headers = new Headers();
     Object.entries(this.defaultHeaders).forEach(([key, value]) => {
       headers.set(key, value);
@@ -5756,6 +6294,10 @@ var RegistryBrokerClient = class _RegistryBrokerClient {
         headers.set("content-type", "application/json");
       }
     }
+    return init;
+  }
+  async request(path, config) {
+    const init = this.buildRequestInit(config);
     const response = await this.fetchImpl(this.buildUrl(path), init);
     if (response.ok) {
       return response;
@@ -5767,6 +6309,19 @@ var RegistryBrokerClient = class _RegistryBrokerClient {
       body: errorBody
     });
   }
+  async requestAbsolute(url, config) {
+    const init = this.buildRequestInit(config);
+    const response = await this.fetchImpl(url, init);
+    if (response.ok) {
+      return response;
+    }
+    const errorBody = await this.extractErrorBody(response);
+    throw new RegistryBrokerError("Registry broker request failed", {
+      status: response.status,
+      statusText: response.statusText,
+      body: errorBody
+    });
+  }
   async requestJson(path, config) {
     const response = await this.request(path, config);
     const contentType = response.headers?.get("content-type") ?? "";
@@ -5779,6 +6334,18 @@ var RegistryBrokerClient = class _RegistryBrokerClient {
     }
     return await response.json();
   }
+  async requestAbsoluteJson(url, config) {
+    const response = await this.requestAbsolute(url, config);
+    const contentType = response.headers?.get("content-type") ?? "";
+    if (!JSON_CONTENT_TYPE.test(contentType)) {
+      const body = await response.text();
+      throw new RegistryBrokerParseError(
+        "Expected JSON response from registry broker",
+        body
+      );
+    }
+    return await response.json();
+  }
   async getAgentFeedback(uaid, options = {}) {
     const normalized = uaid.trim();
     if (!normalized) {
@@ -6217,6 +6784,12 @@ var RegistryBrokerClient = class _RegistryBrokerClient {
   async getGuardBillingBalance() {
     return getGuardBillingBalance(this);
   }
+  async getGuardFeed(limit) {
+    return getGuardFeed(this, limit);
+  }
+  async getGuardOverview() {
+    return getGuardOverview(this);
+  }
   async getGuardTrustByHash(sha256) {
     return getGuardTrustByHash(this, sha256);
   }
@@ -6226,6 +6799,12 @@ var RegistryBrokerClient = class _RegistryBrokerClient {
   async getGuardRevocations() {
     return getGuardRevocations(this);
   }
+  async fetchGuardAdvisories() {
+    return fetchGuardAdvisories(this);
+  }
+  async fetchGuardPolicy() {
+    return fetchGuardPolicy(this);
+  }
   async getGuardInventory() {
     return getGuardInventory(this);
   }
@@ -6241,6 +6820,9 @@ var RegistryBrokerClient = class _RegistryBrokerClient {
   async exportGuardAbom() {
     return exportGuardAbom(this);
   }
+  async exportGuardArtifactAbom(artifactId) {
+    return exportGuardArtifactAbom(this, artifactId);
+  }
   async exportGuardReceipts() {
     return exportGuardReceipts(this);
   }
@@ -6259,6 +6841,21 @@ var RegistryBrokerClient = class _RegistryBrokerClient {
   async getGuardWatchlist() {
     return getGuardWatchlist(this);
   }
+  async lookupGuardWatchlist(payload) {
+    return lookupGuardWatchlist(this, payload);
+  }
+  async getGuardPainSignals() {
+    return getGuardPainSignals(this);
+  }
+  async getGuardAggregatedPainSignals() {
+    return getGuardAggregatedPainSignals(this);
+  }
+  async getGuardPreInstallVerdict(payload) {
+    return getGuardPreInstallVerdict(this, payload);
+  }
+  async getGuardPreExecutionVerdict(payload) {
+    return getGuardPreExecutionVerdict(this, payload);
+  }
   async addGuardWatchlistItem(payload) {
     return addGuardWatchlistItem(this, payload);
   }
@@ -6268,12 +6865,24 @@ var RegistryBrokerClient = class _RegistryBrokerClient {
   async addGuardException(payload) {
     return addGuardException(this, payload);
   }
+  async requestGuardException(payload) {
+    return requestGuardException(this, payload);
+  }
   async removeGuardException(exceptionId) {
     return removeGuardException(this, exceptionId);
   }
+  async ingestGuardPainSignals(items) {
+    return ingestGuardPainSignals(this, items);
+  }
   async syncGuardReceipts(payload) {
     return syncGuardReceipts(this, payload);
   }
+  async syncGuardInventory(payload) {
+    return syncGuardInventory(this, payload);
+  }
+  async submitGuardReceipts(payload) {
+    return submitGuardReceipts(this, payload);
+  }
   async getGuardTeamPolicyPack() {
     return getGuardTeamPolicyPack(this);
   }
@@ -6662,6 +7271,10 @@ var isPendingRegisterAgentResponse = (response) => response.status === "pending"
 var isPartialRegisterAgentResponse = (response) => response.status === "partial" && response.success === false;
 var isSuccessRegisterAgentResponse = (response) => response.success === true && response.status !== "pending";
 
+// ../../src/services/registry-broker/types.ts
+var GUARD_CANONICAL_PATH_PREFIX = "/api/guard";
+var GUARD_COMPAT_PATH_PREFIX = "/guard";
+
 // ../../src/services/registry-broker/hol-chat-ops.ts
 var HOL_CHAT_PROTOCOL_ID = "hol-chat";
 var isRecord = (value) => Boolean(value) && typeof value === "object" && !Array.isArray(value);
@@ -6719,6 +7332,8 @@ var buildJobStatusMessage = (input) => JSON.stringify({
 });
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
+  GUARD_CANONICAL_PATH_PREFIX,
+  GUARD_COMPAT_PATH_PREFIX,
   HOL_CHAT_PROTOCOL_ID,
   RegistryBrokerClient,
   RegistryBrokerError,