@hol-org/rb-client 0.1.179 → 0.1.181

package/dist/index.js

@@ -916,10 +916,14 @@ var guardBucketBalanceSchema = z2.object({
 });
 var guardPrincipalSchema = z2.object({
   signedIn: z2.boolean(),
+  principalType: z2.enum(["user", "service"]).default("user"),
   userId: z2.string().optional(),
   email: z2.string().optional(),
   accountId: z2.string().optional(),
   stripeCustomerId: z2.string().optional(),
+  serviceId: z2.string().optional(),
+  workspaceId: z2.string().optional(),
+  serviceLabel: z2.string().optional(),
   roles: z2.array(z2.string())
 });
 var guardEntitlementsSchema = z2.object({
@@ -946,6 +950,65 @@ var guardBalanceResponseSchema = z2.object({
   bucketingMode: z2.enum(["shared-ledger", "product-bucketed"]),
   buckets: z2.array(guardBucketBalanceSchema)
 });
+var guardFeedItemSchema = z2.object({
+  id: z2.string(),
+  artifactType: z2.enum(["skill", "plugin"]),
+  slug: z2.string(),
+  name: z2.string(),
+  href: z2.string(),
+  ecosystem: z2.string().optional(),
+  safetyScore: z2.number().nullable().optional(),
+  trustScore: z2.number().nullable().optional(),
+  verified: z2.boolean(),
+  recommendation: z2.enum(["monitor", "review", "block"]),
+  updatedAt: z2.string()
+});
+var guardFeedSummarySchema = z2.object({
+  total: z2.number(),
+  monitorCount: z2.number(),
+  reviewCount: z2.number(),
+  blockCount: z2.number()
+});
+var guardFeedResponseSchema = z2.object({
+  generatedAt: z2.string(),
+  items: z2.array(guardFeedItemSchema),
+  summary: guardFeedSummarySchema
+});
+var guardIntegrationSchema = z2.object({
+  id: z2.enum(["openclaw", "hermes"]),
+  name: z2.string(),
+  status: z2.enum(["available", "planned"]),
+  href: z2.string().nullable(),
+  summary: z2.string()
+});
+var guardActionItemSchema = z2.object({
+  title: z2.string(),
+  description: z2.string(),
+  href: z2.string()
+});
+var guardOverviewResponseSchema = z2.object({
+  generatedAt: z2.string(),
+  principal: guardPrincipalSchema,
+  entitlements: guardEntitlementsSchema,
+  balance: z2.object({
+    accountId: z2.string(),
+    availableCredits: z2.number()
+  }).nullable(),
+  trustFeed: guardFeedResponseSchema,
+  integrations: z2.array(guardIntegrationSchema),
+  actionItems: z2.array(guardActionItemSchema)
+});
+var guardPolicySchema = z2.object({
+  mode: z2.enum(["observe", "prompt", "enforce"]),
+  defaultAction: z2.enum(["allow", "warn", "block"]),
+  unknownPublisherAction: z2.enum(["review", "block", "allow"]),
+  changedHashAction: z2.enum(["allow", "warn", "require-reapproval", "block"]),
+  newNetworkDomainAction: z2.enum(["allow", "warn", "block"]),
+  subprocessAction: z2.enum(["allow", "warn", "block"]),
+  telemetryEnabled: z2.boolean(),
+  syncEnabled: z2.boolean(),
+  updatedAt: z2.string()
+});
 var guardTrustMatchSchema = z2.object({
   artifactId: z2.string(),
   artifactName: z2.string(),
@@ -981,7 +1044,13 @@ var guardRevocationSchema = z2.object({
   artifactName: z2.string(),
   reason: z2.string(),
   severity: z2.enum(["low", "medium", "high"]),
-  publishedAt: z2.string()
+  publishedAt: z2.string(),
+  confidence: z2.number().optional(),
+  remediation: z2.string().nullable().optional(),
+  scope: z2.enum(["artifact", "publisher", "domain", "workspace", "ecosystem"]).optional(),
+  source: z2.string().optional(),
+  firstSeenAt: z2.string().optional(),
+  lastUpdatedAt: z2.string().optional()
 });
 var guardRevocationResponseSchema = z2.object({
   generatedAt: z2.string(),
@@ -1075,7 +1144,12 @@ var guardReceiptSyncResponseSchema = z2.object({
   syncedAt: z2.string(),
   receiptsStored: z2.number(),
   inventoryStored: z2.number().optional(),
-  inventoryDiff: guardInventoryDiffResponseSchema.optional()
+  inventoryDiff: guardInventoryDiffResponseSchema.optional(),
+  advisories: z2.array(guardRevocationSchema).optional(),
+  policy: guardPolicySchema.optional(),
+  alertPreferences: z2.lazy(() => guardAlertPreferencesSchema).optional(),
+  exceptions: z2.array(z2.lazy(() => guardExceptionItemSchema)).optional(),
+  teamPolicyPack: z2.lazy(() => guardTeamPolicyPackSchema).optional()
 });
 var guardInventoryResponseSchema = z2.object({
   generatedAt: z2.string(),
@@ -1161,6 +1235,59 @@ var guardWatchlistResponseSchema = z2.object({
   generatedAt: z2.string(),
   items: z2.array(guardWatchlistItemSchema)
 });
+var guardWatchlistLookupMatchSchema = z2.object({
+  artifactId: z2.string().nullable(),
+  publisher: z2.string().nullable(),
+  domain: z2.string().nullable(),
+  source: z2.enum(["watchlist", "team-policy"]),
+  reason: z2.string()
+});
+var guardWatchlistLookupResponseSchema = z2.object({
+  generatedAt: z2.string(),
+  matched: z2.boolean(),
+  scope: z2.enum(["artifact", "publisher", "domain", "none"]),
+  item: guardWatchlistLookupMatchSchema.nullable()
+});
+var guardPainSignalSchema = z2.object({
+  signalId: z2.string(),
+  signalName: z2.string(),
+  artifactId: z2.string(),
+  artifactName: z2.string(),
+  artifactType: z2.enum(["skill", "plugin"]),
+  harness: z2.string(),
+  latestSummary: z2.string(),
+  firstSeenAt: z2.string(),
+  lastSeenAt: z2.string(),
+  count: z2.number(),
+  source: z2.literal("scanner"),
+  publisher: z2.string().optional()
+});
+var guardPainSignalListResponseSchema = z2.object({
+  generatedAt: z2.string(),
+  items: z2.array(guardPainSignalSchema)
+});
+var guardPainSignalAggregateSchema = z2.object({
+  artifactId: z2.string(),
+  artifactName: z2.string(),
+  artifactType: z2.enum(["skill", "plugin"]),
+  signalName: z2.string(),
+  latestSummary: z2.string(),
+  firstSeenAt: z2.string(),
+  lastSeenAt: z2.string(),
+  totalCount: z2.number(),
+  consumerCount: z2.number(),
+  harnesses: z2.array(z2.string()),
+  publishers: z2.array(z2.string())
+});
+var guardPainSignalAggregateResponseSchema = z2.object({
+  generatedAt: z2.string(),
+  summary: z2.object({
+    totalSignals: z2.number(),
+    uniqueArtifacts: z2.number(),
+    uniqueConsumers: z2.number()
+  }),
+  items: z2.array(guardPainSignalAggregateSchema)
+});
 var guardExceptionItemSchema = z2.object({
   exceptionId: z2.string(),
   scope: z2.enum(["artifact", "publisher", "harness", "global"]),
@@ -1178,6 +1305,45 @@ var guardExceptionListResponseSchema = z2.object({
   generatedAt: z2.string(),
   items: z2.array(guardExceptionItemSchema)
 });
+var guardPreflightEvidenceSchema = z2.object({
+  category: z2.enum([
+    "policy",
+    "trust",
+    "watchlist",
+    "team-policy",
+    "exception"
+  ]),
+  source: z2.string(),
+  detail: z2.string()
+});
+var guardPreflightRequestSchema = z2.object({
+  harness: z2.string(),
+  artifactName: z2.string(),
+  artifactType: z2.enum(["skill", "plugin"]),
+  artifactId: z2.string().optional(),
+  artifactSlug: z2.string().optional(),
+  artifactHash: z2.string().optional(),
+  publisher: z2.string().optional(),
+  domain: z2.string().optional(),
+  launchSummary: z2.string().optional(),
+  capabilities: z2.array(z2.string()).optional(),
+  workspacePath: z2.string().optional()
+});
+var guardPreflightVerdictResponseSchema = z2.object({
+  generatedAt: z2.string(),
+  principal: guardPrincipalSchema,
+  decision: z2.enum(["allow", "review", "block"]),
+  recommendation: z2.enum(["monitor", "review", "block"]),
+  rationale: z2.string(),
+  category: z2.enum(["exception", "team-policy", "watchlist", "trust", "policy"]).optional(),
+  confidence: z2.number().optional(),
+  freshnessTimestamp: z2.string().optional(),
+  evidenceSources: z2.array(z2.string()).optional(),
+  scope: z2.enum(["artifact", "publisher", "domain", "policy"]),
+  matchedEvidence: z2.array(guardPreflightEvidenceSchema),
+  matchedException: guardExceptionItemSchema.nullable(),
+  trustMatch: guardTrustMatchSchema.nullable()
+});
 var guardTeamPolicyAuditItemSchema = z2.object({
   changedAt: z2.string(),
   actor: z2.string(),
@@ -1186,8 +1352,13 @@ var guardTeamPolicyAuditItemSchema = z2.object({
 });
 var guardTeamPolicyPackSchema = z2.object({
   name: z2.string(),
-  sharedHarnessDefaults: z2.record(z2.string(), z2.enum(["observe", "prompt", "enforce"])),
+  sharedHarnessDefaults: z2.record(
+    z2.string(),
+    z2.enum(["observe", "prompt", "enforce"])
+  ),
   allowedPublishers: z2.array(z2.string()),
+  blockedPublishers: z2.array(z2.string()).optional(),
+  blockedDomains: z2.array(z2.string()).optional(),
   blockedArtifacts: z2.array(z2.string()),
   alertChannel: z2.enum(["email", "slack", "teams", "webhook"]),
   updatedAt: z2.string(),
@@ -1602,13 +1773,11 @@ var skillDeprecationsResponseSchema = z2.object({
   name: z2.string(),
   items: z2.array(skillDeprecationRecordSchema)
 }).passthrough();
-var skillSecurityBreakdownFindingSchema = z2.record(jsonValueSchema);
-var skillSecurityBreakdownSummarySchema = z2.record(jsonValueSchema);
 var skillSecurityBreakdownResponseSchema = z2.object({
   jobId: z2.string(),
   score: z2.number().nullable().optional(),
-  findings: z2.array(skillSecurityBreakdownFindingSchema).optional(),
-  summary: skillSecurityBreakdownSummarySchema.optional(),
+  findings: z2.array(jsonValueSchema).optional(),
+  summary: jsonValueSchema.optional(),
   generatedAt: z2.string().nullable().optional(),
   scannerVersion: z2.string().nullable().optional()
 }).passthrough();
@@ -4064,10 +4233,98 @@ async function registerOwnedMoltbookAgent(client, uaid, request) {
 }
 
 // ../../src/services/registry-broker/client/guard.ts
+function isStatusError(error) {
+  if (error instanceof RegistryBrokerError) {
+    return true;
+  }
+  if (typeof error !== "object" || error === null || !("status" in error)) {
+    return false;
+  }
+  return typeof Reflect.get(error, "status") === "number";
+}
+function toPortalCanonicalGuardPath(path) {
+  const segments = path.split("/");
+  const findPatternStart = (size, matcher) => {
+    for (let startIndex = segments.length - size; startIndex >= 0; startIndex -= 1) {
+      if (matcher(startIndex)) {
+        return startIndex;
+      }
+    }
+    return -1;
+  };
+  const replaceAt = (startIndex, consumed) => [
+    ...segments.slice(0, startIndex),
+    "api",
+    "guard",
+    ...segments.slice(startIndex + consumed)
+  ].join("/");
+  const registryStart = findPatternStart(
+    4,
+    (startIndex) => segments[startIndex] === "registry" && segments[startIndex + 1] === "api" && /^v\d+$/.test(segments[startIndex + 2] ?? "") && segments[startIndex + 3] === "guard"
+  );
+  if (registryStart >= 0) {
+    return replaceAt(registryStart, 4);
+  }
+  const apiVersionStart = findPatternStart(
+    3,
+    (startIndex) => segments[startIndex] === "api" && /^v\d+$/.test(segments[startIndex + 1] ?? "") && segments[startIndex + 2] === "guard"
+  );
+  if (apiVersionStart >= 0) {
+    return replaceAt(apiVersionStart, 3);
+  }
+  for (let index = segments.length - 1; index >= 0; index -= 1) {
+    if (segments[index] === "guard" && segments[index - 1] !== "api") {
+      return [
+        ...segments.slice(0, index),
+        "api",
+        "guard",
+        ...segments.slice(index + 1)
+      ].join("/");
+    }
+  }
+  return path;
+}
+function buildPortalCanonicalGuardUrl(baseUrl, path) {
+  const target = new URL(path, "https://guard.local");
+  const normalizedBasePath = (() => {
+    try {
+      const base = new URL(baseUrl);
+      return base.pathname.replace(/\/+$/, "");
+    } catch {
+      return baseUrl.replace(/\/+$/, "");
+    }
+  })();
+  const requestedPath = `${normalizedBasePath}${target.pathname}`;
+  const canonicalPath = toPortalCanonicalGuardPath(requestedPath);
+  const canonicalRelativePath = `${canonicalPath}${target.search}`;
+  try {
+    const base = new URL(baseUrl);
+    return `${base.origin}${canonicalRelativePath}`;
+  } catch {
+    return canonicalRelativePath;
+  }
+}
+async function requestPortalFirstJson(client, path, init) {
+  try {
+    return await client.requestJson(path, init);
+  } catch (error) {
+    if (isStatusError(error) && (error.status === 404 || error.status === 501)) {
+      return client.requestAbsoluteJson(
+        buildPortalCanonicalGuardUrl(client.baseUrl, path),
+        init
+      );
+    }
+    throw error;
+  }
+}
 async function getGuardSession(client) {
-  const raw = await client.requestJson("/guard/auth/session", {
-    method: "GET"
-  });
+  const raw = await requestPortalFirstJson(
+    client,
+    "/guard/auth/session",
+    {
+      method: "GET"
+    }
+  );
   return client.parseWithSchema(
     raw,
     guardSessionResponseSchema,
@@ -4075,9 +4332,13 @@ async function getGuardSession(client) {
   );
 }
 async function getGuardEntitlements(client) {
-  const raw = await client.requestJson("/guard/entitlements", {
-    method: "GET"
-  });
+  const raw = await requestPortalFirstJson(
+    client,
+    "/guard/entitlements",
+    {
+      method: "GET"
+    }
+  );
   return client.parseWithSchema(
     raw,
     guardSessionResponseSchema,
@@ -4085,21 +4346,60 @@ async function getGuardEntitlements(client) {
   );
 }
 async function getGuardBillingBalance(client) {
-  const raw = await client.requestJson("/guard/billing/balance", {
-    method: "GET"
-  });
+  const raw = await requestPortalFirstJson(
+    client,
+    "/guard/billing/balance",
+    {
+      method: "GET"
+    }
+  );
   return client.parseWithSchema(
     raw,
     guardBalanceResponseSchema,
     "guard billing balance response"
   );
 }
+async function getGuardFeed(client, limit) {
+  const params = new URLSearchParams();
+  if (typeof limit === "number" && Number.isFinite(limit) && Math.trunc(limit) > 0) {
+    params.set("limit", String(Math.trunc(limit)));
+  }
+  const query = params.toString();
+  const suffix = query ? `?${query}` : "";
+  const raw = await requestPortalFirstJson(
+    client,
+    `/guard/feed${suffix}`,
+    {
+      method: "GET"
+    }
+  );
+  return client.parseWithSchema(
+    raw,
+    guardFeedResponseSchema,
+    "guard feed response"
+  );
+}
+async function getGuardOverview(client) {
+  const raw = await requestPortalFirstJson(
+    client,
+    "/guard/overview",
+    {
+      method: "GET"
+    }
+  );
+  return client.parseWithSchema(
+    raw,
+    guardOverviewResponseSchema,
+    "guard overview response"
+  );
+}
 async function getGuardTrustByHash(client, sha256) {
   const normalizedHash = sha256.trim();
   if (!normalizedHash) {
     throw new Error("sha256 is required");
   }
-  const raw = await client.requestJson(
+  const raw = await requestPortalFirstJson(
+    client,
     `/guard/trust/by-hash/${encodeURIComponent(normalizedHash)}`,
     { method: "GET" }
   );
@@ -4121,7 +4421,8 @@ async function resolveGuardTrust(client, query) {
     params.set("version", query.version.trim());
   }
   const suffix = params.size > 0 ? `?${params.toString()}` : "";
-  const raw = await client.requestJson(
+  const raw = await requestPortalFirstJson(
+    client,
     `/guard/trust/resolve${suffix}`,
     { method: "GET" }
   );
@@ -4132,19 +4433,55 @@ async function resolveGuardTrust(client, query) {
   );
 }
 async function getGuardRevocations(client) {
-  const raw = await client.requestJson("/guard/revocations", {
-    method: "GET"
-  });
+  const raw = await requestPortalFirstJson(
+    client,
+    "/guard/revocations",
+    {
+      method: "GET"
+    }
+  );
   return client.parseWithSchema(
     raw,
     guardRevocationResponseSchema,
     "guard revocations response"
   );
 }
+async function fetchGuardAdvisories(client) {
+  const raw = await requestPortalFirstJson(
+    client,
+    "/guard/advisories",
+    {
+      method: "GET"
+    }
+  );
+  return client.parseWithSchema(
+    raw,
+    guardRevocationResponseSchema,
+    "guard advisories response"
+  );
+}
+async function fetchGuardPolicy(client) {
+  const raw = await requestPortalFirstJson(
+    client,
+    "/guard/policy/fetch",
+    {
+      method: "GET"
+    }
+  );
+  return client.parseWithSchema(
+    raw,
+    guardPolicySchema,
+    "guard policy response"
+  );
+}
 async function getGuardInventory(client) {
-  const raw = await client.requestJson("/guard/inventory", {
-    method: "GET"
-  });
+  const raw = await requestPortalFirstJson(
+    client,
+    "/guard/inventory",
+    {
+      method: "GET"
+    }
+  );
   return client.parseWithSchema(
     raw,
     guardInventoryResponseSchema,
@@ -4152,9 +4489,13 @@ async function getGuardInventory(client) {
   );
 }
 async function getGuardReceiptHistory(client) {
-  const raw = await client.requestJson("/guard/history", {
-    method: "GET"
-  });
+  const raw = await requestPortalFirstJson(
+    client,
+    "/guard/history",
+    {
+      method: "GET"
+    }
+  );
   return client.parseWithSchema(
     raw,
     guardReceiptHistoryResponseSchema,
@@ -4166,7 +4507,8 @@ async function getGuardArtifactTimeline(client, artifactId) {
   if (!normalizedArtifactId) {
     throw new Error("artifactId is required");
   }
-  const raw = await client.requestJson(
+  const raw = await requestPortalFirstJson(
+    client,
     `/guard/history/${encodeURIComponent(normalizedArtifactId)}`,
     { method: "GET" }
   );
@@ -4177,7 +4519,7 @@ async function getGuardArtifactTimeline(client, artifactId) {
   );
 }
 async function exportGuardAbom(client) {
-  const raw = await client.requestJson("/guard/abom", {
+  const raw = await requestPortalFirstJson(client, "/guard/abom", {
     method: "GET"
   });
   return client.parseWithSchema(
@@ -4186,10 +4528,30 @@ async function exportGuardAbom(client) {
     "guard abom response"
   );
 }
+async function exportGuardArtifactAbom(client, artifactId) {
+  const normalizedArtifactId = artifactId.trim();
+  if (!normalizedArtifactId) {
+    throw new Error("artifactId is required");
+  }
+  const raw = await requestPortalFirstJson(
+    client,
+    `/guard/abom/${encodeURIComponent(normalizedArtifactId)}`,
+    { method: "GET" }
+  );
+  return client.parseWithSchema(
+    raw,
+    guardAbomResponseSchema,
+    "guard artifact abom response"
+  );
+}
 async function exportGuardReceipts(client) {
-  const raw = await client.requestJson("/guard/receipts/export", {
-    method: "GET"
-  });
+  const raw = await requestPortalFirstJson(
+    client,
+    "/guard/receipts/export",
+    {
+      method: "GET"
+    }
+  );
   return client.parseWithSchema(
     raw,
     guardReceiptExportResponseSchema,
@@ -4197,9 +4559,13 @@ async function exportGuardReceipts(client) {
   );
 }
 async function getGuardInventoryDiff(client) {
-  const raw = await client.requestJson("/guard/inventory/diff", {
-    method: "GET"
-  });
+  const raw = await requestPortalFirstJson(
+    client,
+    "/guard/inventory/diff",
+    {
+      method: "GET"
+    }
+  );
   return client.parseWithSchema(
     raw,
     guardInventoryDiffResponseSchema,
@@ -4207,9 +4573,13 @@ async function getGuardInventoryDiff(client) {
   );
 }
 async function getGuardDevices(client) {
-  const raw = await client.requestJson("/guard/devices", {
-    method: "GET"
-  });
+  const raw = await requestPortalFirstJson(
+    client,
+    "/guard/devices",
+    {
+      method: "GET"
+    }
+  );
   return client.parseWithSchema(
     raw,
     guardDeviceListResponseSchema,
@@ -4217,9 +4587,13 @@ async function getGuardDevices(client) {
   );
 }
 async function getGuardAlertPreferences(client) {
-  const raw = await client.requestJson("/guard/alerts/preferences", {
-    method: "GET"
-  });
+  const raw = await requestPortalFirstJson(
+    client,
+    "/guard/alerts/preferences",
+    {
+      method: "GET"
+    }
+  );
   return client.parseWithSchema(
     raw,
     guardAlertPreferencesSchema,
@@ -4227,10 +4601,14 @@ async function getGuardAlertPreferences(client) {
   );
 }
 async function updateGuardAlertPreferences(client, payload) {
-  const raw = await client.requestJson("/guard/alerts/preferences", {
-    method: "PUT",
-    body: payload
-  });
+  const raw = await requestPortalFirstJson(
+    client,
+    "/guard/alerts/preferences",
+    {
+      method: "PUT",
+      body: payload
+    }
+  );
   return client.parseWithSchema(
     raw,
     guardAlertPreferencesSchema,
@@ -4238,9 +4616,13 @@ async function updateGuardAlertPreferences(client, payload) {
   );
 }
 async function getGuardExceptions(client) {
-  const raw = await client.requestJson("/guard/exceptions", {
-    method: "GET"
-  });
+  const raw = await requestPortalFirstJson(
+    client,
+    "/guard/exceptions",
+    {
+      method: "GET"
+    }
+  );
   return client.parseWithSchema(
     raw,
     guardExceptionListResponseSchema,
@@ -4248,20 +4630,126 @@ async function getGuardExceptions(client) {
   );
 }
 async function getGuardWatchlist(client) {
-  const raw = await client.requestJson("/guard/watchlist", {
-    method: "GET"
-  });
+  const raw = await requestPortalFirstJson(
+    client,
+    "/guard/watchlist",
+    {
+      method: "GET"
+    }
+  );
   return client.parseWithSchema(
     raw,
     guardWatchlistResponseSchema,
     "guard watchlist response"
   );
 }
-async function addGuardWatchlistItem(client, payload) {
-  const raw = await client.requestJson("/guard/watchlist", {
+async function lookupGuardWatchlist(client, payload) {
+  const raw = await requestPortalFirstJson(
+    client,
+    "/guard/watchlist/lookup",
+    {
+      method: "POST",
+      body: payload
+    }
+  );
+  return client.parseWithSchema(
+    raw,
+    guardWatchlistLookupResponseSchema,
+    "guard watchlist lookup response"
+  );
+}
+async function getGuardPainSignals(client) {
+  const raw = await requestPortalFirstJson(
+    client,
+    "/guard/signals/pain",
+    {
+      method: "GET"
+    }
+  );
+  return client.parseWithSchema(
+    raw,
+    guardPainSignalListResponseSchema,
+    "guard pain signals response"
+  );
+}
+async function getGuardAggregatedPainSignals(client) {
+  const raw = await requestPortalFirstJson(
+    client,
+    "/guard/signals/pain/aggregate",
+    {
+      method: "GET"
+    }
+  );
+  return client.parseWithSchema(
+    raw,
+    guardPainSignalAggregateResponseSchema,
+    "guard aggregated pain signals response"
+  );
+}
+async function getGuardPreflightVerdict(client, path, payload) {
+  const raw = await requestPortalFirstJson(client, path, {
     method: "POST",
     body: payload
   });
+  return client.parseWithSchema(
+    raw,
+    guardPreflightVerdictResponseSchema,
+    "guard preflight verdict response"
+  );
+}
+async function getGuardPreInstallVerdict(client, payload) {
+  return getGuardPreflightVerdict(
+    client,
+    "/guard/verdict/pre-install",
+    payload
+  );
+}
+async function getGuardPreExecutionVerdict(client, payload) {
+  return getGuardPreflightVerdict(
+    client,
+    "/guard/verdict/pre-execution",
+    payload
+  );
+}
+async function ingestGuardPainSignals(client, items) {
+  const raw = await requestPortalFirstJson(
+    client,
+    "/guard/signals/pain",
+    {
+      method: "POST",
+      body: { items }
+    }
+  );
+  return client.parseWithSchema(
+    raw,
+    guardPainSignalListResponseSchema,
+    "guard pain signals response"
+  );
+}
+async function submitGuardReceipts(client, payload) {
+  const raw = await requestPortalFirstJson(
+    client,
+    "/guard/receipts/submit",
+    {
+      method: "POST",
+      body: payload
+    }
+  );
+  return client.parseWithSchema(
+    raw,
+    guardReceiptSyncResponseSchema,
+    "guard receipt submit response"
+  );
+}
+async function addGuardWatchlistItem(client, payload) {
+  const raw = await requestPortalFirstJson(
+    client,
+    "/guard/watchlist",
+    {
+      method: "POST",
+      body: payload
+    }
+  );
   return client.parseWithSchema(
     raw,
     guardWatchlistResponseSchema,
@@ -4273,7 +4761,8 @@ async function removeGuardWatchlistItem(client, artifactId) {
   if (!normalizedArtifactId) {
     throw new Error("artifactId is required");
   }
-  const raw = await client.requestJson(
+  const raw = await requestPortalFirstJson(
+    client,
     `/guard/watchlist/${encodeURIComponent(normalizedArtifactId)}`,
     { method: "DELETE" }
   );
@@ -4284,22 +4773,57 @@ async function removeGuardWatchlistItem(client, artifactId) {
   );
 }
 async function addGuardException(client, payload) {
-  const raw = await client.requestJson("/guard/exceptions", {
-    method: "POST",
-    body: payload
-  });
+  const raw = await requestPortalFirstJson(
+    client,
+    "/guard/exceptions",
+    {
+      method: "POST",
+      body: payload
+    }
+  );
   return client.parseWithSchema(
     raw,
     guardExceptionListResponseSchema,
     "guard exceptions response"
   );
 }
+async function requestGuardException(client, payload) {
+  const raw = await requestPortalFirstJson(
+    client,
+    "/guard/exceptions/request",
+    {
+      method: "POST",
+      body: payload
+    }
+  );
+  return client.parseWithSchema(
+    raw,
+    guardExceptionListResponseSchema,
+    "guard exception request response"
+  );
+}
+async function syncGuardInventory(client, payload) {
+  const raw = await requestPortalFirstJson(
+    client,
+    "/guard/inventory/sync",
+    {
+      method: "POST",
+      body: payload
+    }
+  );
+  return client.parseWithSchema(
+    raw,
+    guardReceiptSyncResponseSchema,
+    "guard inventory sync response"
+  );
+}
 async function removeGuardException(client, exceptionId) {
   const normalizedExceptionId = exceptionId.trim();
   if (!normalizedExceptionId) {
     throw new Error("exceptionId is required");
   }
-  const raw = await client.requestJson(
+  const raw = await requestPortalFirstJson(
+    client,
     `/guard/exceptions/${encodeURIComponent(normalizedExceptionId)}`,
     { method: "DELETE" }
   );
@@ -4310,9 +4834,13 @@ async function removeGuardException(client, exceptionId) {
   );
 }
 async function getGuardTeamPolicyPack(client) {
-  const raw = await client.requestJson("/guard/team/policy-pack", {
-    method: "GET"
-  });
+  const raw = await requestPortalFirstJson(
+    client,
+    "/guard/team/policy-pack",
+    {
+      method: "GET"
+    }
+  );
   return client.parseWithSchema(
     raw,
     guardTeamPolicyPackSchema,
@@ -4320,10 +4848,14 @@ async function getGuardTeamPolicyPack(client) {
   );
 }
 async function updateGuardTeamPolicyPack(client, payload) {
-  const raw = await client.requestJson("/guard/team/policy-pack", {
-    method: "PUT",
-    body: payload
-  });
+  const raw = await requestPortalFirstJson(
+    client,
+    "/guard/team/policy-pack",
+    {
+      method: "PUT",
+      body: payload
+    }
+  );
   return client.parseWithSchema(
     raw,
     guardTeamPolicyPackSchema,
@@ -4331,10 +4863,14 @@ async function updateGuardTeamPolicyPack(client, payload) {
   );
 }
 async function syncGuardReceipts(client, payload) {
-  const raw = await client.requestJson("/guard/receipts/sync", {
-    method: "POST",
-    body: payload
-  });
+  const raw = await requestPortalFirstJson(
+    client,
+    "/guard/receipts/sync",
+    {
+      method: "POST",
+      body: payload
+    }
+  );
   return client.parseWithSchema(
     raw,
     guardReceiptSyncResponseSchema,
@@ -5670,7 +6206,7 @@ var RegistryBrokerClient = class _RegistryBrokerClient {
     const normalisedPath = path.startsWith("/") ? path : `/${path}`;
     return `${this.baseUrl}${normalisedPath}`;
   }
-  async request(path, config) {
+  buildRequestInit(config) {
     const headers = new Headers();
     Object.entries(this.defaultHeaders).forEach(([key, value]) => {
       headers.set(key, value);
@@ -5696,6 +6232,10 @@ var RegistryBrokerClient = class _RegistryBrokerClient {
         headers.set("content-type", "application/json");
       }
     }
+    return init;
+  }
+  async request(path, config) {
+    const init = this.buildRequestInit(config);
     const response = await this.fetchImpl(this.buildUrl(path), init);
     if (response.ok) {
       return response;
@@ -5707,6 +6247,19 @@ var RegistryBrokerClient = class _RegistryBrokerClient {
       body: errorBody
     });
   }
+  async requestAbsolute(url, config) {
+    const init = this.buildRequestInit(config);
+    const response = await this.fetchImpl(url, init);
+    if (response.ok) {
+      return response;
+    }
+    const errorBody = await this.extractErrorBody(response);
+    throw new RegistryBrokerError("Registry broker request failed", {
+      status: response.status,
+      statusText: response.statusText,
+      body: errorBody
+    });
+  }
   async requestJson(path, config) {
     const response = await this.request(path, config);
     const contentType = response.headers?.get("content-type") ?? "";
@@ -5719,6 +6272,18 @@ var RegistryBrokerClient = class _RegistryBrokerClient {
     }
     return await response.json();
   }
+  async requestAbsoluteJson(url, config) {
+    const response = await this.requestAbsolute(url, config);
+    const contentType = response.headers?.get("content-type") ?? "";
+    if (!JSON_CONTENT_TYPE.test(contentType)) {
+      const body = await response.text();
+      throw new RegistryBrokerParseError(
+        "Expected JSON response from registry broker",
+        body
+      );
+    }
+    return await response.json();
+  }
   async getAgentFeedback(uaid, options = {}) {
     const normalized = uaid.trim();
     if (!normalized) {
@@ -6157,6 +6722,12 @@ var RegistryBrokerClient = class _RegistryBrokerClient {
   async getGuardBillingBalance() {
     return getGuardBillingBalance(this);
   }
+  async getGuardFeed(limit) {
+    return getGuardFeed(this, limit);
+  }
+  async getGuardOverview() {
+    return getGuardOverview(this);
+  }
   async getGuardTrustByHash(sha256) {
     return getGuardTrustByHash(this, sha256);
   }
@@ -6166,6 +6737,12 @@ var RegistryBrokerClient = class _RegistryBrokerClient {
   async getGuardRevocations() {
     return getGuardRevocations(this);
   }
+  async fetchGuardAdvisories() {
+    return fetchGuardAdvisories(this);
+  }
+  async fetchGuardPolicy() {
+    return fetchGuardPolicy(this);
+  }
   async getGuardInventory() {
     return getGuardInventory(this);
   }
@@ -6181,6 +6758,9 @@ var RegistryBrokerClient = class _RegistryBrokerClient {
   async exportGuardAbom() {
     return exportGuardAbom(this);
   }
+  async exportGuardArtifactAbom(artifactId) {
+    return exportGuardArtifactAbom(this, artifactId);
+  }
   async exportGuardReceipts() {
     return exportGuardReceipts(this);
   }
@@ -6199,6 +6779,21 @@ var RegistryBrokerClient = class _RegistryBrokerClient {
   async getGuardWatchlist() {
     return getGuardWatchlist(this);
   }
+  async lookupGuardWatchlist(payload) {
+    return lookupGuardWatchlist(this, payload);
+  }
+  async getGuardPainSignals() {
+    return getGuardPainSignals(this);
+  }
+  async getGuardAggregatedPainSignals() {
+    return getGuardAggregatedPainSignals(this);
+  }
+  async getGuardPreInstallVerdict(payload) {
+    return getGuardPreInstallVerdict(this, payload);
+  }
+  async getGuardPreExecutionVerdict(payload) {
+    return getGuardPreExecutionVerdict(this, payload);
+  }
   async addGuardWatchlistItem(payload) {
     return addGuardWatchlistItem(this, payload);
   }
@@ -6208,12 +6803,24 @@ var RegistryBrokerClient = class _RegistryBrokerClient {
   async addGuardException(payload) {
     return addGuardException(this, payload);
   }
+  async requestGuardException(payload) {
+    return requestGuardException(this, payload);
+  }
   async removeGuardException(exceptionId) {
     return removeGuardException(this, exceptionId);
   }
+  async ingestGuardPainSignals(items) {
+    return ingestGuardPainSignals(this, items);
+  }
   async syncGuardReceipts(payload) {
     return syncGuardReceipts(this, payload);
   }
+  async syncGuardInventory(payload) {
+    return syncGuardInventory(this, payload);
+  }
+  async submitGuardReceipts(payload) {
+    return submitGuardReceipts(this, payload);
+  }
   async getGuardTeamPolicyPack() {
     return getGuardTeamPolicyPack(this);
   }
@@ -6602,6 +7209,10 @@ var isPendingRegisterAgentResponse = (response) => response.status === "pending"
 var isPartialRegisterAgentResponse = (response) => response.status === "partial" && response.success === false;
 var isSuccessRegisterAgentResponse = (response) => response.success === true && response.status !== "pending";
 
+// ../../src/services/registry-broker/types.ts
+var GUARD_CANONICAL_PATH_PREFIX = "/api/guard";
+var GUARD_COMPAT_PATH_PREFIX = "/guard";
+
 // ../../src/services/registry-broker/hol-chat-ops.ts
 var HOL_CHAT_PROTOCOL_ID = "hol-chat";
 var isRecord = (value) => Boolean(value) && typeof value === "object" && !Array.isArray(value);
@@ -6658,6 +7269,8 @@ var buildJobStatusMessage = (input) => JSON.stringify({
   data: { job_id: input.jobId }
 });
 export {
+  GUARD_CANONICAL_PATH_PREFIX,
+  GUARD_COMPAT_PATH_PREFIX,
   HOL_CHAT_PROTOCOL_ID,
   RegistryBrokerClient,
   RegistryBrokerError,