@irisrun/auth 0.1.0 → 0.2.0

package/README.md

@@ -0,0 +1,27 @@
+# @irisrun/auth
+
+**A journaled, replayable approval audit you own.** Identity, a declarative
+who-may-approve policy on the existing human-in-the-loop gate, and every approval
+decision recorded in the *same* event log as model calls and tool effects — not a
+side log — so the approval trail replays and verifies straight from the journal.
+
+## What it is
+
+Pure governance over the existing approval gate (**zero kernel change**): it
+enriches the journaled `signal_recv` approval value. `authorize` evaluates the
+who-may-approve policy; `createApprovalInbox` + `makeGovernedApprovalPerformer`
+answer a gated tool call from that decision; `approvalAudit` / `auditApprovals` /
+`renderApprovalAudit` derive the queryable, replay-verified trail. Depends on
+`@irisrun/core` + `@irisrun/inspect` only.
+
+## Use it
+
+```sh
+iris serve ./image --policy ./policy.json    # turn on governed approvals
+```
+
+`iris chat` resolves the same gate inline. See **[docs/Governance &
+audit](../../docs/governance.md)**.
+
+---
+Part of [Iris](../../README.md) — own, portable, verifiable state.

package/dist/audit.js

@@ -1,4 +1,4 @@
-// The journaled approval audit trail (roadmap P1-5, done-when #2). Pure read over a
+// The journaled approval audit trail. Pure read over a
 // recorded session: every governed (or legacy) approval is already a journaled
 // `signal_recv` effect result, so the audit is a projection of the journal — nothing
 // new is stored.

package/dist/index.js

@@ -1,14 +1,14 @@
-// @irisrun/auth — the governance layer (roadmap P1-5). Identity + a declarative
+// @irisrun/auth — the governance layer. Identity + a declarative
 // who-may-approve authorization policy on the existing HITL approval gate, plus a
 // journaled, queryable approval audit trail. Pure: the governed decision rides the
 // existing journaled `signal_recv` effect result (the kernel's `foldApproval` reads
 // only `approved===true`), so governance enriches that value with ZERO kernel change.
 export const PACKAGE = "@irisrun/auth";
-// policy.ts — who-may-approve authorization (done-when #1)
+// policy.ts — who-may-approve authorization
 export { authorize } from "./policy.js";
 // approval.ts — combine human intent + policy into the journaled value
 export { decideApproval } from "./approval.js";
 // performer.ts — the first real governed signal_recv performer + the approval inbox
 export { createApprovalInbox, makeGovernedApprovalPerformer } from "./performer.js";
-// audit.ts — the journaled, queryable approval trail (done-when #2)
+// audit.ts — the journaled, queryable approval trail
 export { approvalAudit, auditApprovals, renderApprovalAudit } from "./audit.js";

package/package.json

@@ -1,8 +1,8 @@
 {
   "name": "@irisrun/auth",
-  "version": "0.1.0",
+  "version": "0.2.0",
   "type": "module",
-  "description": "Iris governance layer — identity + a declarative who-may-approve authorization policy on the existing HITL gate, plus a journaled, queryable approval audit trail. Pure: enriches the journaled signal_recv approval value (zero kernel change). Deps @irisrun/core + @irisrun/inspect only.",
+  "description": "Journaled, replayable approval audit you own — identity + a declarative who-may-approve policy on the existing HITL gate, where every approval decision is recorded in the same event log as model calls and tool effects (not a side log), so the approval trail replays and verifies from the journal. Pure: enriches the journaled signal_recv approval value (zero kernel change). Deps @irisrun/core + @irisrun/inspect only.",
   "exports": {
     ".": {
       "iris-src": "./src/index.ts",
@@ -11,8 +11,8 @@
     }
   },
   "dependencies": {
-    "@irisrun/core": "^0.1.0",
-    "@irisrun/inspect": "^0.1.0"
+    "@irisrun/core": "^0.2.0",
+    "@irisrun/inspect": "^0.2.0"
   },
   "license": "MIT",
   "engines": {