npm - @kya-os/checkpoint-express - Versions diffs - 1.1.1 → 1.1.2 - Mend

@kya-os/checkpoint-express 1.1.1 → 1.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/index.mjs CHANGED Viewed

@@ -1,5 +1,6 @@
 import nodeCrypto from 'crypto';
-import { gunzipSync } from 'zlib';
+import { verifyRequest, renderDecisionAsResponse } from '@kya-os/checkpoint-wasm-runtime/orchestrator';
+import { makeSystemClock, makePolicyEvaluator, makeReputationOracle, makeStatusListCache, makeDidResolver } from '@kya-os/checkpoint-wasm-runtime/adapters';
 import { shouldEnforce, acceptsHtml, encodeVerdictCookie, classifyResponseShape, BLOCKED_PATH, VERDICT_COOKIE_NAME } from '@kya-os/checkpoint-shared';
 export { DEFAULT_POLICY, ENFORCEMENT_ACTIONS, createEvaluationContext, evaluatePolicy } from '@kya-os/checkpoint-shared';
@@ -4921,10 +4922,10 @@ var init_nodejs = __esm({
       _noTokenize;
       _noStem;
       _from;
-      constructor(noTokenize = { noTokenize: false }, noStem = { noStem: false }, from2 = { from: null }) {
+      constructor(noTokenize = { noTokenize: false }, noStem = { noStem: false }, from = { from: null }) {
         this._noTokenize = noTokenize;
         this._noStem = noStem;
-        this._from = from2;
+        this._from = from;
       }
       noTokenize() {
         return new _TextFieldBuilder({ noTokenize: true }, this._noStem, this._from);
@@ -4947,9 +4948,9 @@ var init_nodejs = __esm({
     NumericFieldBuilder = class _NumericFieldBuilder {
       type;
       _from;
-      constructor(type, from2 = { from: null }) {
+      constructor(type, from = { from: null }) {
         this.type = type;
-        this._from = from2;
+        this._from = from;
       }
       from(field) {
         return new _NumericFieldBuilder(this.type, { from: field });
@@ -4968,9 +4969,9 @@ var init_nodejs = __esm({
     BoolFieldBuilder = class _BoolFieldBuilder {
       _fast;
       _from;
-      constructor(fast = { fast: false }, from2 = { from: null }) {
+      constructor(fast = { fast: false }, from = { from: null }) {
         this._fast = fast;
-        this._from = from2;
+        this._from = from;
       }
       fast() {
         return new _BoolFieldBuilder({ fast: true }, this._from);
@@ -5006,9 +5007,9 @@ var init_nodejs = __esm({
     DateFieldBuilder = class _DateFieldBuilder {
       _fast;
       _from;
-      constructor(fast = { fast: false }, from2 = { from: null }) {
+      constructor(fast = { fast: false }, from = { from: null }) {
         this._fast = fast;
-        this._from = from2;
+        this._from = from;
       }
       fast() {
         return new _DateFieldBuilder({ fast: true }, this._from);
@@ -5191,1346 +5192,6 @@ var init_nodejs = __esm({
     };
   }
 });
-// ../checkpoint-wasm-runtime/dist/orchestrator-node.mjs
-var BLOCKED_HOSTNAMES = /* @__PURE__ */ new Set(["localhost", "metadata", "metadata.google.internal"]);
-var UnsafeOutboundUrl = class extends Error {
-  kind = "UnsafeOutboundUrl";
-};
-function assertSafeHttpsUrl(rawUrl, label = "outbound URL") {
-  let parsed;
-  try {
-    parsed = new URL(rawUrl);
-  } catch {
-    throw new UnsafeOutboundUrl(`${label} must be a valid URL: ${rawUrl}`);
-  }
-  if (parsed.protocol !== "https:") {
-    throw new UnsafeOutboundUrl(`${label} must use https: ${rawUrl}`);
-  }
-  if (parsed.username || parsed.password) {
-    throw new UnsafeOutboundUrl(`${label} must not contain credentials: ${rawUrl}`);
-  }
-  const hostname = normalizeHostname(parsed.hostname);
-  if (!hostname || isBlockedHostname(hostname)) {
-    throw new UnsafeOutboundUrl(`${label} targets a local or private host: ${rawUrl}`);
-  }
-  return rawUrl;
-}
-function normalizeHostname(hostname) {
-  let normalized = hostname.trim().toLowerCase();
-  if (normalized.startsWith("[") && normalized.endsWith("]")) {
-    normalized = normalized.slice(1, -1);
-  }
-  while (normalized.endsWith(".")) {
-    normalized = normalized.slice(0, -1);
-  }
-  return normalized;
-}
-function isBlockedHostname(hostname) {
-  if (BLOCKED_HOSTNAMES.has(hostname) || hostname.endsWith(".localhost")) {
-    return true;
-  }
-  const ipv4 = parseIpv4(hostname);
-  if (ipv4) {
-    return isBlockedIpv4(ipv4);
-  }
-  return isBlockedIpv6(hostname);
-}
-function parseIpv4(hostname) {
-  const parts = hostname.split(".");
-  if (parts.length !== 4) return null;
-  const octets = parts.map((part) => {
-    if (!/^\d{1,3}$/.test(part)) return Number.NaN;
-    const value = Number(part);
-    return value >= 0 && value <= 255 ? value : Number.NaN;
-  });
-  if (octets.some(Number.isNaN)) return null;
-  return octets;
-}
-function isBlockedIpv4([a, b]) {
-  return a === 0 || a === 10 || a === 127 || a === 100 && b >= 64 && b <= 127 || a === 169 && b === 254 || a === 172 && b >= 16 && b <= 31 || a === 192 && b === 168 || a === 198 && (b === 18 || b === 19) || a >= 224;
-}
-function isBlockedIpv6(hostname) {
-  if (!hostname.includes(":")) return false;
-  const ipv4Mapped = hostname.match(/(?:^|:)ffff:(\d{1,3}(?:\.\d{1,3}){3})$/);
-  if (ipv4Mapped) {
-    const ipv4 = parseIpv4(ipv4Mapped[1]);
-    return ipv4 ? isBlockedIpv4(ipv4) : true;
-  }
-  if (hostname === "::" || hostname === "::1" || hostname === "0:0:0:0:0:0:0:1") {
-    return true;
-  }
-  const firstSegment = Number.parseInt(hostname.split(":")[0] || "0", 16);
-  if (Number.isNaN(firstSegment)) return true;
-  return (firstSegment & 65024) === 64512 || // unique local fc00::/7
-  (firstSegment & 65472) === 65152 || // link-local fe80::/10
-  (firstSegment & 65280) === 65280;
-}
-function engineVerify(input, ctx) {
-  const result = (void 0)(input, ctx);
-  return result;
-}
-function base64UrlDecode(input) {
-  const padded = input.replace(/-/g, "+").replace(/_/g, "/");
-  const padding = padded.length % 4 === 0 ? "" : "=".repeat(4 - padded.length % 4);
-  return new Uint8Array(Buffer.from(padded + padding, "base64"));
-}
-function buildAgentRequest(req, opts = {}) {
-  const mcpI = tryBuildMcpIFromBody(req);
-  if (mcpI) {
-    return { protocol: "McpI", request: mcpI };
-  }
-  if (opts.legacyEnvelopeFallback) {
-    const legacyMcpI = tryBuildMcpIFromLegacyHeader(req);
-    if (legacyMcpI) {
-      return { protocol: "McpI", request: legacyMcpI };
-    }
-  }
-  if (getHeader(req, "signature-input")) {
-    return { protocol: "HttpSigned", request: buildHttpSigned(req) };
-  }
-  return { protocol: "PlainHttp", request: buildPlainHttp(req) };
-}
-function hasMalformedJwsBody(req) {
-  const parsed = parseBodyAsObject(req.body);
-  if (!parsed || typeof parsed !== "object") return false;
-  const meta = parsed._meta;
-  if (!meta || typeof meta !== "object") return false;
-  const proof = meta.proof;
-  if (!proof || typeof proof !== "object") return false;
-  const jws = proof.jws;
-  if (typeof jws !== "string" || jws.length === 0) return false;
-  const raw = Array.from(Buffer.from(jws, "utf8"));
-  return parseJwsPayloadStruct(raw) === null;
-}
-function extractIssuer(request) {
-  if (request.protocol === "McpI") return request.request.payload.iss || null;
-  return null;
-}
-function extractAgentDid(request) {
-  if (request.protocol === "McpI") return request.request.payload.sub || null;
-  return null;
-}
-function extractCredentialStatusUrl(request) {
-  if (request.protocol !== "McpI") return null;
-  const raw = decodeJwsPayloadJson(request.request.raw);
-  if (!raw) return null;
-  const vc = raw.vc;
-  if (!vc || typeof vc !== "object") return null;
-  const credentialStatus = vc.credentialStatus;
-  if (!credentialStatus || typeof credentialStatus !== "object") return null;
-  const id = credentialStatus.id;
-  return typeof id === "string" ? id : null;
-}
-function tryBuildMcpIFromBody(req) {
-  const parsed = parseBodyAsObject(req.body);
-  if (!parsed) return null;
-  const meta = parsed._meta;
-  if (!meta || typeof meta !== "object") return null;
-  const proof = meta.proof;
-  if (!proof || typeof proof !== "object") return null;
-  const jws = proof.jws;
-  if (typeof jws !== "string" || jws.length === 0) return null;
-  const raw = Array.from(Buffer.from(jws, "utf8"));
-  const payload = parseJwsPayloadStruct(raw);
-  if (!payload) return null;
-  return { raw, payload };
-}
-function parseBodyAsObject(body) {
-  if (!body) return null;
-  if (Buffer.isBuffer(body)) {
-    try {
-      return JSON.parse(body.toString("utf8"));
-    } catch {
-      return null;
-    }
-  }
-  if (typeof body === "string") {
-    try {
-      return JSON.parse(body);
-    } catch {
-      return null;
-    }
-  }
-  if (typeof body === "object") return body;
-  return null;
-}
-function tryBuildMcpIFromLegacyHeader(req) {
-  const header = getHeader(req, "kya-delegation");
-  if (!header) return null;
-  let parsed;
-  try {
-    parsed = JSON.parse(header);
-  } catch {
-    return null;
-  }
-  if (!parsed || typeof parsed !== "object") return null;
-  const obj = parsed;
-  const protectedSeg = obj.protected;
-  const payloadSeg = obj.payload;
-  const signatureSeg = obj.signature;
-  if (typeof protectedSeg !== "string" || typeof payloadSeg !== "string" || typeof signatureSeg !== "string") {
-    return null;
-  }
-  const compact = `${protectedSeg}.${payloadSeg}.${signatureSeg}`;
-  const raw = Array.from(Buffer.from(compact, "utf8"));
-  const payload = parseJwsPayloadStruct(raw);
-  if (!payload) return null;
-  return { raw, payload };
-}
-function parseJwsPayloadStruct(rawBytes) {
-  const json = decodeJwsPayloadJson(rawBytes);
-  if (!json || typeof json !== "object") return null;
-  return projectMcpIPayload(json);
-}
-function decodeJwsPayloadJson(rawBytes) {
-  const text = Buffer.from(rawBytes).toString("utf8");
-  const segments = text.split(".");
-  if (segments.length !== 3) return null;
-  let decoded;
-  try {
-    decoded = base64UrlDecode(segments[1]);
-  } catch {
-    return null;
-  }
-  try {
-    return JSON.parse(Buffer.from(decoded).toString("utf8"));
-  } catch {
-    return null;
-  }
-}
-function projectMcpIPayload(raw) {
-  const aud = raw.aud;
-  const iss = raw.iss;
-  const sub = raw.sub;
-  const nonce = raw.nonce;
-  const sessionId = raw.sessionId;
-  const ts = raw.ts;
-  const requestHash = raw.requestHash;
-  const responseHash = raw.responseHash;
-  if (typeof aud !== "string" || typeof iss !== "string" || typeof sub !== "string" || typeof nonce !== "string" || typeof sessionId !== "string" || typeof ts !== "number" || typeof requestHash !== "string" || typeof responseHash !== "string") {
-    return null;
-  }
-  return { aud, iss, sub, nonce, sessionId, ts, requestHash, responseHash };
-}
-function buildHttpSigned(req) {
-  return {
-    raw: bodyAsBytes(req.body),
-    method: req.method,
-    path: req.url,
-    headers: flattenHeaders(req.headers)
-  };
-}
-function buildPlainHttp(req) {
-  return {
-    raw: bodyAsBytes(req.body),
-    method: req.method,
-    path: req.url,
-    headers: flattenHeaders(req.headers),
-    userAgent: getHeader(req, "user-agent") ?? null,
-    remoteIp: req.remoteAddress ?? null
-  };
-}
-function getHeader(req, name) {
-  const lowered = name.toLowerCase();
-  for (const [key, value] of Object.entries(req.headers)) {
-    if (key.toLowerCase() !== lowered) continue;
-    if (Array.isArray(value)) return value[0] ?? null;
-    if (typeof value === "string") return value;
-  }
-  return null;
-}
-function flattenHeaders(headers) {
-  const out = [];
-  for (const [key, value] of Object.entries(headers)) {
-    if (value === void 0) continue;
-    if (Array.isArray(value)) {
-      for (const v of value) out.push([key, v]);
-    } else {
-      out.push([key, value]);
-    }
-  }
-  return out;
-}
-function bodyAsBytes(body) {
-  if (!body) return [];
-  if (Buffer.isBuffer(body)) return Array.from(body);
-  if (typeof body === "string") return Array.from(Buffer.from(body, "utf8"));
-  if (typeof body === "object") return Array.from(Buffer.from(JSON.stringify(body), "utf8"));
-  return [];
-}
-var DEFAULT_REPUTATION_BASELINE = 1;
-async function verifyRequest(req, opts) {
-  return verifyRequest_internal(req, opts);
-}
-async function verifyRequest_internal(req, opts) {
-  if (hasMalformedJwsBody(req)) {
-    return blockWithParseError("malformed JWS body", opts.enforcementMode);
-  }
-  const agentRequest = buildAgentRequest(req, {
-    legacyEnvelopeFallback: opts.legacyEnvelopeFallback
-  });
-  const issuer = extractIssuer(agentRequest);
-  const agentDid = extractAgentDid(agentRequest);
-  const credentialStatusUrl = extractCredentialStatusUrl(agentRequest);
-  const baseline = opts.reputationBaseline ?? DEFAULT_REPUTATION_BASELINE;
-  const [didResult, statusResult, repResult] = await Promise.allSettled([
-    issuer ? opts.didResolver.resolve(issuer) : Promise.resolve(null),
-    credentialStatusUrl ? fetchCredentialStatus(credentialStatusUrl, opts.statusListCache) : Promise.resolve(null),
-    agentDid ? opts.reputationOracle.score(agentDid) : Promise.resolve(baseline)
-  ]);
-  if (didResult.status === "rejected") {
-    if (isDidResolverError(didResult.reason)) {
-      return blockWithParseError(
-        didResult.reason instanceof Error ? didResult.reason.message : String(didResult.reason),
-        opts.enforcementMode
-      );
-    }
-    throw didResult.reason;
-  }
-  if (statusResult.status === "rejected") {
-    if (statusResult.reason instanceof UnsafeOutboundUrl) {
-      return blockWithParseError(statusResult.reason.message, opts.enforcementMode);
-    }
-    throw statusResult.reason;
-  }
-  if (repResult.status === "rejected") {
-    throw repResult.reason;
-  }
-  const didDoc = didResult.value;
-  const revokedIndices = statusResult.value;
-  const repScore = repResult.value;
-  const tenantDecision = await opts.policyEvaluator.evaluate({
-    tenantHost: opts.tenantHost,
-    reputation: repScore
-  });
-  const ctx = {
-    didDocs: didDoc && issuer ? { [issuer]: didDoc } : {},
-    revoked: revokedIndices !== null && credentialStatusUrl ? { [credentialStatusUrl]: revokedIndices } : {},
-    reputation: agentDid ? { [agentDid]: repScore } : {},
-    tenantDecision,
-    nowUnix: opts.clock.nowUnix(),
-    enforcementMode: opts.enforcementMode
-  };
-  return engineVerify(agentRequest, ctx);
-}
-async function fetchCredentialStatus(credentialStatusUrl, statusListCache) {
-  assertSafeHttpsUrl(credentialStatusUrl, "credential status URL");
-  return statusListCache.fetch(credentialStatusUrl);
-}
-function isDidResolverError(err) {
-  if (!(err instanceof Error)) return false;
-  const kind = err.kind;
-  return kind === "DidNotFound" || kind === "DidResolverTimeout" || kind === "DidResolverError" || kind === "MalformedDid" || kind === "UnsupportedKeyType" || kind === "UnsupportedDidMethod";
-}
-function blockWithParseError(detail, enforcementMode) {
-  return {
-    decision: {
-      kind: "Block",
-      reason: {
-        kind: "ParseError",
-        detail
-      }
-    },
-    enforcementMode,
-    engineInfo: {
-      name: "checkpoint-engine-wasm",
-      version: "0.0.0-host-synth",
-      rulesetHash: "sha256:host-synthesized",
-      rulesetVersion: "0.0.0-host-synth",
-      extras: { synthesized: true }
-    }
-  };
-}
-function renderDecisionAsResponse(result) {
-  const baseHeaders = buildBaseHeaders(result);
-  if (result.enforcementMode === "observe") {
-    return {
-      status: null,
-      headers: {
-        ...baseHeaders,
-        "X-Checkpoint-Mode": "observe",
-        "X-Checkpoint-Would-Have-Been": result.decision.kind,
-        ...wouldHaveBeenReasonHeader(result)
-      }
-    };
-  }
-  switch (result.decision.kind) {
-    case "Permit":
-      return {
-        status: null,
-        headers: { ...baseHeaders, "X-Checkpoint-Decision": "permit" }
-      };
-    case "Block": {
-      const reason = result.decision.reason;
-      return {
-        status: httpStatusForBlockReason(reason),
-        headers: {
-          ...baseHeaders,
-          ...blockHeaders(reason),
-          "X-Checkpoint-Decision": "block",
-          "X-Checkpoint-Reason": reason.kind
-        },
-        body: blockResponseBody(reason)
-      };
-    }
-    case "Challenge": {
-      const params = result.decision.params;
-      return {
-        status: 401,
-        headers: {
-          ...baseHeaders,
-          "X-Checkpoint-Decision": "challenge",
-          "X-Checkpoint-Challenge": params.nonce
-        },
-        body: {
-          challenge: params
-        }
-      };
-    }
-    case "Redirect": {
-      const target = result.decision.target;
-      return {
-        status: 302,
-        headers: {
-          ...baseHeaders,
-          "X-Checkpoint-Decision": "redirect",
-          Location: target.url,
-          "X-Checkpoint-Redirect-Reason": target.reason
-        }
-      };
-    }
-    case "Instruct": {
-      const payload = result.decision.payload;
-      return {
-        status: 422,
-        headers: {
-          ...baseHeaders,
-          "X-Checkpoint-Decision": "instruct",
-          "Content-Type": "application/problem+json"
-        },
-        body: {
-          type: payload.problem,
-          title: payload.title,
-          suggestedActions: payload.suggestedActions
-        }
-      };
-    }
-  }
-}
-function buildBaseHeaders(result) {
-  const headers = {
-    "X-Checkpoint-Engine": result.engineInfo.name,
-    "X-Checkpoint-Engine-Version": result.engineInfo.version
-  };
-  if (result.engineInfo.rulesetHash) {
-    headers["X-Checkpoint-Ruleset-Hash"] = result.engineInfo.rulesetHash;
-  }
-  return headers;
-}
-function httpStatusForBlockReason(reason) {
-  switch (reason.kind) {
-    case "Unauthenticated":
-    case "Expired":
-      return 401;
-    case "ParseError":
-      return 400;
-    case "InvalidSignature":
-    case "Revoked":
-    case "OutOfScope":
-    case "LowReputation":
-    case "PolicyDenied":
-      return 403;
-  }
-}
-function blockHeaders(reason) {
-  if (reason.kind === "Unauthenticated") {
-    return { "WWW-Authenticate": 'KyaProof realm="checkpoint"' };
-  }
-  return {};
-}
-function blockResponseBody(reason) {
-  switch (reason.kind) {
-    case "Revoked":
-    case "InvalidSignature":
-    case "Unauthenticated":
-    case "Expired":
-      return { error: humanError(reason.kind), reason: reason.kind };
-    case "OutOfScope":
-      return {
-        error: "requested scope is not granted",
-        reason: "OutOfScope",
-        requested: reason.requested,
-        granted: reason.granted
-      };
-    case "LowReputation":
-      return {
-        error: "agent reputation below tenant threshold",
-        reason: "LowReputation",
-        score: reason.score,
-        threshold: reason.threshold
-      };
-    case "PolicyDenied":
-      return {
-        error: "tenant policy denied the request",
-        reason: "PolicyDenied",
-        detail: reason.detail
-      };
-    case "ParseError":
-      return {
-        error: "request envelope could not be parsed",
-        reason: "ParseError",
-        detail: reason.detail
-      };
-  }
-}
-function humanError(kind) {
-  switch (kind) {
-    case "Revoked":
-      return "credential has been revoked";
-    case "InvalidSignature":
-      return "request signature failed verification";
-    case "Unauthenticated":
-      return "authentication required";
-    case "Expired":
-      return "credential is expired";
-  }
-}
-function wouldHaveBeenReasonHeader(result) {
-  if (result.decision.kind === "Block") {
-    return { "X-Checkpoint-Would-Have-Been-Reason": result.decision.reason.kind };
-  }
-  return {};
-}
-function coerce(o) {
-  if (o instanceof Uint8Array && o.constructor.name === "Uint8Array") {
-    return o;
-  }
-  if (o instanceof ArrayBuffer) {
-    return new Uint8Array(o);
-  }
-  if (ArrayBuffer.isView(o)) {
-    return new Uint8Array(o.buffer, o.byteOffset, o.byteLength);
-  }
-  throw new Error("Unknown type, must be binary type");
-}
-// ../../node_modules/.pnpm/multiformats@13.4.2/node_modules/multiformats/dist/src/vendor/base-x.js
-function base(ALPHABET, name) {
-  if (ALPHABET.length >= 255) {
-    throw new TypeError("Alphabet too long");
-  }
-  var BASE_MAP = new Uint8Array(256);
-  for (var j = 0; j < BASE_MAP.length; j++) {
-    BASE_MAP[j] = 255;
-  }
-  for (var i = 0; i < ALPHABET.length; i++) {
-    var x = ALPHABET.charAt(i);
-    var xc = x.charCodeAt(0);
-    if (BASE_MAP[xc] !== 255) {
-      throw new TypeError(x + " is ambiguous");
-    }
-    BASE_MAP[xc] = i;
-  }
-  var BASE = ALPHABET.length;
-  var LEADER = ALPHABET.charAt(0);
-  var FACTOR = Math.log(BASE) / Math.log(256);
-  var iFACTOR = Math.log(256) / Math.log(BASE);
-  function encode(source) {
-    if (source instanceof Uint8Array)
-      ;
-    else if (ArrayBuffer.isView(source)) {
-      source = new Uint8Array(source.buffer, source.byteOffset, source.byteLength);
-    } else if (Array.isArray(source)) {
-      source = Uint8Array.from(source);
-    }
-    if (!(source instanceof Uint8Array)) {
-      throw new TypeError("Expected Uint8Array");
-    }
-    if (source.length === 0) {
-      return "";
-    }
-    var zeroes = 0;
-    var length = 0;
-    var pbegin = 0;
-    var pend = source.length;
-    while (pbegin !== pend && source[pbegin] === 0) {
-      pbegin++;
-      zeroes++;
-    }
-    var size = (pend - pbegin) * iFACTOR + 1 >>> 0;
-    var b58 = new Uint8Array(size);
-    while (pbegin !== pend) {
-      var carry = source[pbegin];
-      var i2 = 0;
-      for (var it1 = size - 1; (carry !== 0 || i2 < length) && it1 !== -1; it1--, i2++) {
-        carry += 256 * b58[it1] >>> 0;
-        b58[it1] = carry % BASE >>> 0;
-        carry = carry / BASE >>> 0;
-      }
-      if (carry !== 0) {
-        throw new Error("Non-zero carry");
-      }
-      length = i2;
-      pbegin++;
-    }
-    var it2 = size - length;
-    while (it2 !== size && b58[it2] === 0) {
-      it2++;
-    }
-    var str = LEADER.repeat(zeroes);
-    for (; it2 < size; ++it2) {
-      str += ALPHABET.charAt(b58[it2]);
-    }
-    return str;
-  }
-  function decodeUnsafe(source) {
-    if (typeof source !== "string") {
-      throw new TypeError("Expected String");
-    }
-    if (source.length === 0) {
-      return new Uint8Array();
-    }
-    var psz = 0;
-    if (source[psz] === " ") {
-      return;
-    }
-    var zeroes = 0;
-    var length = 0;
-    while (source[psz] === LEADER) {
-      zeroes++;
-      psz++;
-    }
-    var size = (source.length - psz) * FACTOR + 1 >>> 0;
-    var b256 = new Uint8Array(size);
-    while (source[psz]) {
-      var carry = BASE_MAP[source.charCodeAt(psz)];
-      if (carry === 255) {
-        return;
-      }
-      var i2 = 0;
-      for (var it3 = size - 1; (carry !== 0 || i2 < length) && it3 !== -1; it3--, i2++) {
-        carry += BASE * b256[it3] >>> 0;
-        b256[it3] = carry % 256 >>> 0;
-        carry = carry / 256 >>> 0;
-      }
-      if (carry !== 0) {
-        throw new Error("Non-zero carry");
-      }
-      length = i2;
-      psz++;
-    }
-    if (source[psz] === " ") {
-      return;
-    }
-    var it4 = size - length;
-    while (it4 !== size && b256[it4] === 0) {
-      it4++;
-    }
-    var vch = new Uint8Array(zeroes + (size - it4));
-    var j2 = zeroes;
-    while (it4 !== size) {
-      vch[j2++] = b256[it4++];
-    }
-    return vch;
-  }
-  function decode2(string) {
-    var buffer = decodeUnsafe(string);
-    if (buffer) {
-      return buffer;
-    }
-    throw new Error(`Non-${name} character`);
-  }
-  return {
-    encode,
-    decodeUnsafe,
-    decode: decode2
-  };
-}
-var src = base;
-var _brrp__multiformats_scope_baseX = src;
-var base_x_default = _brrp__multiformats_scope_baseX;
-// ../../node_modules/.pnpm/multiformats@13.4.2/node_modules/multiformats/dist/src/bases/base.js
-var Encoder = class {
-  name;
-  prefix;
-  baseEncode;
-  constructor(name, prefix, baseEncode) {
-    this.name = name;
-    this.prefix = prefix;
-    this.baseEncode = baseEncode;
-  }
-  encode(bytes) {
-    if (bytes instanceof Uint8Array) {
-      return `${this.prefix}${this.baseEncode(bytes)}`;
-    } else {
-      throw Error("Unknown type, must be binary type");
-    }
-  }
-};
-var Decoder = class {
-  name;
-  prefix;
-  baseDecode;
-  prefixCodePoint;
-  constructor(name, prefix, baseDecode) {
-    this.name = name;
-    this.prefix = prefix;
-    const prefixCodePoint = prefix.codePointAt(0);
-    if (prefixCodePoint === void 0) {
-      throw new Error("Invalid prefix character");
-    }
-    this.prefixCodePoint = prefixCodePoint;
-    this.baseDecode = baseDecode;
-  }
-  decode(text) {
-    if (typeof text === "string") {
-      if (text.codePointAt(0) !== this.prefixCodePoint) {
-        throw Error(`Unable to decode multibase string ${JSON.stringify(text)}, ${this.name} decoder only supports inputs prefixed with ${this.prefix}`);
-      }
-      return this.baseDecode(text.slice(this.prefix.length));
-    } else {
-      throw Error("Can only multibase decode strings");
-    }
-  }
-  or(decoder) {
-    return or(this, decoder);
-  }
-};
-var ComposedDecoder = class {
-  decoders;
-  constructor(decoders) {
-    this.decoders = decoders;
-  }
-  or(decoder) {
-    return or(this, decoder);
-  }
-  decode(input) {
-    const prefix = input[0];
-    const decoder = this.decoders[prefix];
-    if (decoder != null) {
-      return decoder.decode(input);
-    } else {
-      throw RangeError(`Unable to decode multibase string ${JSON.stringify(input)}, only inputs prefixed with ${Object.keys(this.decoders)} are supported`);
-    }
-  }
-};
-function or(left, right) {
-  return new ComposedDecoder({
-    ...left.decoders ?? { [left.prefix]: left },
-    ...right.decoders ?? { [right.prefix]: right }
-  });
-}
-var Codec = class {
-  name;
-  prefix;
-  baseEncode;
-  baseDecode;
-  encoder;
-  decoder;
-  constructor(name, prefix, baseEncode, baseDecode) {
-    this.name = name;
-    this.prefix = prefix;
-    this.baseEncode = baseEncode;
-    this.baseDecode = baseDecode;
-    this.encoder = new Encoder(name, prefix, baseEncode);
-    this.decoder = new Decoder(name, prefix, baseDecode);
-  }
-  encode(input) {
-    return this.encoder.encode(input);
-  }
-  decode(input) {
-    return this.decoder.decode(input);
-  }
-};
-function from({ name, prefix, encode, decode: decode2 }) {
-  return new Codec(name, prefix, encode, decode2);
-}
-function baseX({ name, prefix, alphabet }) {
-  const { encode, decode: decode2 } = base_x_default(alphabet, name);
-  return from({
-    prefix,
-    name,
-    encode,
-    decode: (text) => coerce(decode2(text))
-  });
-}
-// ../../node_modules/.pnpm/multiformats@13.4.2/node_modules/multiformats/dist/src/bases/base58.js
-var base58btc = baseX({
-  name: "base58btc",
-  prefix: "z",
-  alphabet: "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
-});
-baseX({
-  name: "base58flickr",
-  prefix: "Z",
-  alphabet: "123456789abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ"
-});
-var BLOCKED_HOSTNAMES2 = /* @__PURE__ */ new Set(["localhost", "metadata", "metadata.google.internal"]);
-var UnsafeOutboundUrl2 = class extends Error {
-  kind = "UnsafeOutboundUrl";
-};
-function assertSafeHttpsUrl2(rawUrl, label = "outbound URL") {
-  let parsed;
-  try {
-    parsed = new URL(rawUrl);
-  } catch {
-    throw new UnsafeOutboundUrl2(`${label} must be a valid URL: ${rawUrl}`);
-  }
-  if (parsed.protocol !== "https:") {
-    throw new UnsafeOutboundUrl2(`${label} must use https: ${rawUrl}`);
-  }
-  if (parsed.username || parsed.password) {
-    throw new UnsafeOutboundUrl2(`${label} must not contain credentials: ${rawUrl}`);
-  }
-  const hostname = normalizeHostname2(parsed.hostname);
-  if (!hostname || isBlockedHostname2(hostname)) {
-    throw new UnsafeOutboundUrl2(`${label} targets a local or private host: ${rawUrl}`);
-  }
-  return rawUrl;
-}
-function normalizeHostname2(hostname) {
-  let normalized = hostname.trim().toLowerCase();
-  if (normalized.startsWith("[") && normalized.endsWith("]")) {
-    normalized = normalized.slice(1, -1);
-  }
-  while (normalized.endsWith(".")) {
-    normalized = normalized.slice(0, -1);
-  }
-  return normalized;
-}
-function isBlockedHostname2(hostname) {
-  if (BLOCKED_HOSTNAMES2.has(hostname) || hostname.endsWith(".localhost")) {
-    return true;
-  }
-  const ipv4 = parseIpv42(hostname);
-  if (ipv4) {
-    return isBlockedIpv42(ipv4);
-  }
-  return isBlockedIpv62(hostname);
-}
-function parseIpv42(hostname) {
-  const parts = hostname.split(".");
-  if (parts.length !== 4) return null;
-  const octets = parts.map((part) => {
-    if (!/^\d{1,3}$/.test(part)) return Number.NaN;
-    const value = Number(part);
-    return value >= 0 && value <= 255 ? value : Number.NaN;
-  });
-  if (octets.some(Number.isNaN)) return null;
-  return octets;
-}
-function isBlockedIpv42([a, b]) {
-  return a === 0 || a === 10 || a === 127 || a === 100 && b >= 64 && b <= 127 || a === 169 && b === 254 || a === 172 && b >= 16 && b <= 31 || a === 192 && b === 168 || a === 198 && (b === 18 || b === 19) || a >= 224;
-}
-function isBlockedIpv62(hostname) {
-  if (!hostname.includes(":")) return false;
-  const ipv4Mapped = hostname.match(/(?:^|:)ffff:(\d{1,3}(?:\.\d{1,3}){3})$/);
-  if (ipv4Mapped) {
-    const ipv4 = parseIpv42(ipv4Mapped[1]);
-    return ipv4 ? isBlockedIpv42(ipv4) : true;
-  }
-  if (hostname === "::" || hostname === "::1" || hostname === "0:0:0:0:0:0:0:1") {
-    return true;
-  }
-  const firstSegment = Number.parseInt(hostname.split(":")[0] || "0", 16);
-  if (Number.isNaN(firstSegment)) return true;
-  return (firstSegment & 65024) === 64512 || // unique local fc00::/7
-  (firstSegment & 65472) === 65152 || // link-local fe80::/10
-  (firstSegment & 65280) === 65280;
-}
-function base64UrlDecode2(input) {
-  const padded = input.replace(/-/g, "+").replace(/_/g, "/");
-  const padding = padded.length % 4 === 0 ? "" : "=".repeat(4 - padded.length % 4);
-  return new Uint8Array(Buffer.from(padded + padding, "base64"));
-}
-var ED25519_PUBLIC_KEY_LENGTH = 32;
-var MalformedDid = class extends Error {
-  kind = "MalformedDid";
-};
-var UnsupportedKeyType = class extends Error {
-  kind = "UnsupportedKeyType";
-};
-var DidNotFound = class extends Error {
-  kind = "DidNotFound";
-};
-var DidResolverTimeout = class extends Error {
-  kind = "DidResolverTimeout";
-};
-var DidResolverError = class extends Error {
-  kind = "DidResolverError";
-};
-var UnsupportedDidMethod = class extends Error {
-  kind = "UnsupportedDidMethod";
-};
-var ED25519_MULTICODEC_PREFIX = [237, 1];
-var DEFAULT_FETCH_TIMEOUT_MS = 3e3;
-var DEFAULT_TTL_MS = 5 * 6e4;
-function makeDidResolver(opts = {}) {
-  const timeoutMs = opts.fetchTimeoutMs ?? DEFAULT_FETCH_TIMEOUT_MS;
-  const ttlMs = opts.ttlMs ?? DEFAULT_TTL_MS;
-  const fetchImpl = opts.fetch ?? fetch;
-  const cache = opts.cache ?? /* @__PURE__ */ new Map();
-  const now = opts.now ?? (() => Date.now());
-  return {
-    async resolve(did) {
-      const cached = cache.get(did);
-      if (cached && now() - cached.fetchedAt < ttlMs) {
-        return cached.value;
-      }
-      if (did.startsWith("did:key:")) {
-        const doc = decodeDidKey(did);
-        cache.set(did, { value: doc, fetchedAt: now() });
-        return doc;
-      }
-      if (did.startsWith("did:web:")) {
-        const doc = await resolveDidWeb(did, fetchImpl, timeoutMs);
-        cache.set(did, { value: doc, fetchedAt: now() });
-        return doc;
-      }
-      throw new UnsupportedDidMethod(`Phase 1 supports did:key and did:web only; got: ${did}`);
-    }
-  };
-}
-function decodeDidKey(did) {
-  if (!did.startsWith("did:key:")) {
-    throw new MalformedDid(`expected did:key prefix, got: ${did}`);
-  }
-  const multibaseValue = did.slice("did:key:".length);
-  if (!multibaseValue.startsWith("z")) {
-    throw new MalformedDid(
-      `did:key expects base58btc (multibase 'z' prefix); got: ${multibaseValue[0] ?? "<empty>"}`
-    );
-  }
-  let decoded;
-  try {
-    decoded = base58btc.decode(multibaseValue);
-  } catch (cause) {
-    throw new MalformedDid(`did:key multibase decode failed: ${String(cause)}`);
-  }
-  if (decoded.length < 2 || decoded[0] !== ED25519_MULTICODEC_PREFIX[0] || decoded[1] !== ED25519_MULTICODEC_PREFIX[1]) {
-    const prefixHex = decoded.length >= 2 ? `0x${decoded[0].toString(16).padStart(2, "0")}${decoded[1].toString(16).padStart(2, "0")}` : "<too short>";
-    throw new UnsupportedKeyType(
-      `did:key expects Ed25519 multicodec 0xed01; got ${prefixHex} (only Ed25519 supported in Phase 1)`
-    );
-  }
-  const publicKey = decoded.slice(2);
-  if (publicKey.length !== 32) {
-    throw new MalformedDid(`did:key Ed25519 public key must be 32 bytes; got ${publicKey.length}`);
-  }
-  const vm = {
-    id: `${did}#${multibaseValue}`,
-    // multibase as fragment — mcp-i-core PR #16
-    keyType: "Ed25519",
-    publicKeyBytes: Array.from(publicKey)
-  };
-  return {
-    id: did,
-    verificationMethods: [vm]
-  };
-}
-async function resolveDidWeb(did, fetchImpl, timeoutMs) {
-  const transformedUrl = didWebToUrl(did);
-  let url;
-  try {
-    url = assertSafeHttpsUrl2(transformedUrl, "did:web resolution URL");
-  } catch (cause) {
-    if (cause instanceof UnsafeOutboundUrl2) {
-      throw new DidResolverError(cause.message);
-    }
-    throw cause;
-  }
-  const controller = new AbortController();
-  const timer = setTimeout(() => controller.abort(), timeoutMs);
-  let response;
-  try {
-    response = await fetchImpl(url, { signal: controller.signal });
-  } catch (cause) {
-    if (cause instanceof Error && cause.name === "AbortError") {
-      throw new DidResolverTimeout(`did:web fetch timed out after ${timeoutMs}ms: ${url}`);
-    }
-    throw new DidResolverError(`did:web fetch failed: ${url}: ${String(cause)}`);
-  } finally {
-    clearTimeout(timer);
-  }
-  if (response.status === 404) {
-    throw new DidNotFound(`no DID document at ${url}`);
-  }
-  if (!response.ok) {
-    throw new DidResolverError(`did:web HTTP ${response.status} at ${url}`);
-  }
-  let raw;
-  try {
-    raw = await response.json();
-  } catch (cause) {
-    throw new DidResolverError(`did:web response not valid JSON at ${url}: ${String(cause)}`);
-  }
-  return mapW3CDocToEngineShape(raw, did);
-}
-function didWebToUrl(did) {
-  const path = did.slice("did:web:".length);
-  if (!path) {
-    throw new MalformedDid(`did:web with empty path: ${did}`);
-  }
-  const parts = path.split(":").map((segment) => {
-    try {
-      return decodeURIComponent(segment);
-    } catch {
-      throw new MalformedDid(`did:web segment contains invalid percent-encoding: ${segment}`);
-    }
-  });
-  if (parts.length === 1) {
-    return `https://${parts[0]}/.well-known/did.json`;
-  }
-  return `https://${parts[0]}/${parts.slice(1).join("/")}/did.json`;
-}
-function mapW3CDocToEngineShape(raw, requestedDid) {
-  if (raw === null || typeof raw !== "object") {
-    throw new DidResolverError(`did:web response must be a JSON object`);
-  }
-  const doc = raw;
-  const id = typeof doc.id === "string" ? doc.id : requestedDid;
-  const w3cMethods = Array.isArray(doc.verificationMethod) ? doc.verificationMethod : [];
-  const verificationMethods = [];
-  for (const entry of w3cMethods) {
-    if (entry === null || typeof entry !== "object") continue;
-    const vm = entry;
-    if (!isEd25519Type(vm.type)) continue;
-    const vmId = typeof vm.id === "string" ? vm.id : void 0;
-    if (!vmId) continue;
-    const pubKey = extractEd25519PublicKey(vm);
-    if (!pubKey) continue;
-    verificationMethods.push({
-      id: vmId,
-      keyType: "Ed25519",
-      publicKeyBytes: Array.from(pubKey)
-    });
-  }
-  return { id, verificationMethods };
-}
-function isEd25519Type(type) {
-  return type === "Ed25519VerificationKey2020" || type === "Ed25519VerificationKey2018";
-}
-function extractEd25519PublicKey(vm) {
-  if (typeof vm.publicKeyMultibase === "string") {
-    const mb = vm.publicKeyMultibase;
-    if (!mb.startsWith("z")) return null;
-    try {
-      const decoded = base58btc.decode(mb);
-      if (decoded.length === 34 && decoded[0] === ED25519_MULTICODEC_PREFIX[0] && decoded[1] === ED25519_MULTICODEC_PREFIX[1]) {
-        return decoded.slice(2);
-      }
-      if (decoded.length === 32) return decoded;
-    } catch {
-      return null;
-    }
-    return null;
-  }
-  if (vm.publicKeyJwk && typeof vm.publicKeyJwk === "object") {
-    const jwk = vm.publicKeyJwk;
-    if (jwk.kty !== "OKP" || jwk.crv !== "Ed25519") return null;
-    if (typeof jwk.x !== "string") return null;
-    let decoded;
-    try {
-      decoded = base64UrlDecode2(jwk.x);
-    } catch {
-      return null;
-    }
-    if (decoded.length !== ED25519_PUBLIC_KEY_LENGTH) {
-      return null;
-    }
-    return decoded;
-  }
-  return null;
-}
-var StatusListUnavailable = class extends Error {
-  kind = "StatusListUnavailable";
-};
-var MalformedStatusList = class extends Error {
-  kind = "MalformedStatusList";
-};
-var StatusListTimeout = class extends Error {
-  kind = "StatusListTimeout";
-};
-var DEFAULT_FETCH_TIMEOUT_MS2 = 3e3;
-var DEFAULT_TTL_MS2 = 3e4;
-function makeStatusListCache(opts = {}) {
-  const timeoutMs = opts.fetchTimeoutMs ?? DEFAULT_FETCH_TIMEOUT_MS2;
-  const ttlMs = opts.ttlMs ?? DEFAULT_TTL_MS2;
-  const fetchImpl = opts.fetch ?? fetch;
-  const cache = opts.cache ?? /* @__PURE__ */ new Map();
-  const now = opts.now ?? (() => Date.now());
-  return {
-    async fetch(url) {
-      const cached = cache.get(url);
-      if (cached && now() - cached.fetchedAt < ttlMs) {
-        return cached.indices;
-      }
-      const indices = await fetchAndDecode(url, fetchImpl, timeoutMs);
-      cache.set(url, { indices, fetchedAt: now() });
-      return indices;
-    }
-  };
-}
-async function fetchAndDecode(url, fetchImpl, timeoutMs) {
-  let safeUrl;
-  try {
-    safeUrl = assertSafeHttpsUrl2(url, "status list URL");
-  } catch (cause) {
-    if (cause instanceof UnsafeOutboundUrl2) {
-      throw new StatusListUnavailable(cause.message);
-    }
-    throw cause;
-  }
-  const controller = new AbortController();
-  const timer = setTimeout(() => controller.abort(), timeoutMs);
-  let response;
-  try {
-    response = await fetchImpl(safeUrl, { signal: controller.signal });
-  } catch (cause) {
-    if (cause instanceof Error && cause.name === "AbortError") {
-      throw new StatusListTimeout(`status list fetch timed out after ${timeoutMs}ms: ${url}`);
-    }
-    throw new StatusListUnavailable(`status list fetch failed: ${url}: ${String(cause)}`);
-  } finally {
-    clearTimeout(timer);
-  }
-  if (!response.ok) {
-    throw new StatusListUnavailable(`status list HTTP ${response.status} at ${url}`);
-  }
-  let vc;
-  try {
-    vc = await response.json();
-  } catch (cause) {
-    throw new MalformedStatusList(
-      `status list response not valid JSON at ${url}: ${String(cause)}`
-    );
-  }
-  const encoded = extractEncodedList(vc);
-  return enumerateRevokedIndices(encoded);
-}
-function extractEncodedList(vc) {
-  if (vc === null || typeof vc !== "object") {
-    throw new MalformedStatusList("status list VC must be a JSON object");
-  }
-  const obj = vc;
-  const subject = obj.credentialSubject;
-  if (subject === null || typeof subject !== "object") {
-    throw new MalformedStatusList("status list VC missing credentialSubject");
-  }
-  const encoded = subject.encodedList;
-  if (typeof encoded !== "string") {
-    throw new MalformedStatusList("status list VC missing credentialSubject.encodedList string");
-  }
-  return encoded;
-}
-function enumerateRevokedIndices(encodedList) {
-  let bytes;
-  try {
-    const compressed = base64UrlDecode2(encodedList);
-    bytes = new Uint8Array(gunzipSync(compressed));
-  } catch (cause) {
-    throw new MalformedStatusList(`status list bitstring decode failed: ${String(cause)}`);
-  }
-  const indices = [];
-  for (let byteIndex = 0; byteIndex < bytes.length; byteIndex += 1) {
-    const byte = bytes[byteIndex];
-    if (byte === 0) continue;
-    for (let bit = 0; bit < 8; bit += 1) {
-      const mask = 1 << 7 - bit;
-      if ((byte & mask) !== 0) {
-        indices.push(byteIndex * 8 + bit);
-      }
-    }
-  }
-  return indices;
-}
-var DEFAULT_FETCH_TIMEOUT_MS3 = 1500;
-var DEFAULT_TTL_MS3 = 1e4;
-var DEFAULT_BASELINE = 1;
-function makeReputationOracle(opts = {}) {
-  const argusUrl = opts.argusUrl;
-  const timeoutMs = opts.fetchTimeoutMs ?? DEFAULT_FETCH_TIMEOUT_MS3;
-  const ttlMs = opts.ttlMs ?? DEFAULT_TTL_MS3;
-  const fetchImpl = opts.fetch ?? fetch;
-  const baseline = opts.baselineWhenUnreachable ?? DEFAULT_BASELINE;
-  const cache = opts.cache ?? /* @__PURE__ */ new Map();
-  const now = opts.now ?? (() => Date.now());
-  const log = opts.logger ?? (() => {
-  });
-  return {
-    async score(agentDid) {
-      const cached = cache.get(agentDid);
-      if (cached && now() - cached.fetchedAt < ttlMs) {
-        return cached.value;
-      }
-      if (!argusUrl) {
-        return baseline;
-      }
-      const value = await fetchAndValidate(argusUrl, agentDid, fetchImpl, timeoutMs, baseline, log);
-      cache.set(agentDid, { value, fetchedAt: now() });
-      return value;
-    }
-  };
-}
-async function fetchAndValidate(argusUrl, agentDid, fetchImpl, timeoutMs, baseline, log) {
-  const url = `${argusUrl.replace(/\/$/, "")}/v1/reputation?agent=${encodeURIComponent(agentDid)}`;
-  const controller = new AbortController();
-  const timer = setTimeout(() => controller.abort(), timeoutMs);
-  let response;
-  try {
-    response = await fetchImpl(url, { signal: controller.signal });
-  } catch (cause) {
-    if (cause instanceof Error && cause.name === "AbortError") {
-      log(
-        `[reputation-oracle] Argus timed out after ${timeoutMs}ms (${agentDid}); using baseline ${baseline}`
-      );
-    } else {
-      log(
-        `[reputation-oracle] Argus fetch failed (${agentDid}): ${String(cause)}; using baseline ${baseline}`
-      );
-    }
-    return baseline;
-  } finally {
-    clearTimeout(timer);
-  }
-  if (!response.ok) {
-    log(
-      `[reputation-oracle] Argus HTTP ${response.status} (${agentDid}); using baseline ${baseline}`
-    );
-    return baseline;
-  }
-  let body;
-  try {
-    body = await response.json();
-  } catch (cause) {
-    log(
-      `[reputation-oracle] Argus response not JSON (${agentDid}): ${String(cause)}; using baseline ${baseline}`
-    );
-    return baseline;
-  }
-  if (body === null || typeof body !== "object") {
-    log(
-      `[reputation-oracle] Argus response not an object (${agentDid}); using baseline ${baseline}`
-    );
-    return baseline;
-  }
-  const score = body.score;
-  if (typeof score !== "number" || !Number.isFinite(score)) {
-    log(
-      `[reputation-oracle] Argus score not a finite number (${agentDid}): ${String(score)}; using baseline ${baseline}`
-    );
-    return baseline;
-  }
-  if (score < 0 || score > 1) {
-    log(
-      `[reputation-oracle] Argus score out of range (${agentDid}): ${score}; using baseline ${baseline}`
-    );
-    return baseline;
-  }
-  return score;
-}
-var DEFAULT_FETCH_TIMEOUT_MS4 = 2e3;
-var DEFAULT_TTL_MS4 = 6e4;
-var PERMIT_BY_DEFAULT_POLICY = { reputationThreshold: 0 };
-function makePolicyEvaluator(opts = {}) {
-  const dashboardUrl = opts.dashboardUrl;
-  const timeoutMs = opts.fetchTimeoutMs ?? DEFAULT_FETCH_TIMEOUT_MS4;
-  const ttlMs = opts.ttlMs ?? DEFAULT_TTL_MS4;
-  const fetchImpl = opts.fetch ?? fetch;
-  const fallbackPolicy = opts.defaultPolicy ?? PERMIT_BY_DEFAULT_POLICY;
-  const cache = opts.cache ?? /* @__PURE__ */ new Map();
-  const now = opts.now ?? (() => Date.now());
-  const log = opts.logger ?? (() => {
-  });
-  return {
-    async evaluate(input) {
-      const policy = await getOrFetchPolicy(
-        input.tenantHost,
-        dashboardUrl,
-        fetchImpl,
-        timeoutMs,
-        fallbackPolicy,
-        cache,
-        ttlMs,
-        now,
-        log
-      );
-      return computeDecision(policy, input);
-    }
-  };
-}
-function computeDecision(policy, input) {
-  if (input.reputation < policy.reputationThreshold) {
-    return {
-      kind: "Block",
-      reason: {
-        kind: "LowReputation",
-        score: input.reputation,
-        threshold: policy.reputationThreshold
-      }
-    };
-  }
-  return { kind: "Permit" };
-}
-async function getOrFetchPolicy(tenantHost, dashboardUrl, fetchImpl, timeoutMs, fallbackPolicy, cache, ttlMs, now, log) {
-  const cached = cache.get(tenantHost);
-  if (cached && now() - cached.fetchedAt < ttlMs) {
-    return cached.policy;
-  }
-  const cacheFallback = () => {
-    cache.set(tenantHost, { policy: fallbackPolicy, fetchedAt: now() });
-    return fallbackPolicy;
-  };
-  if (!dashboardUrl) {
-    return cacheFallback();
-  }
-  const url = `${dashboardUrl.replace(/\/$/, "")}/api/policy?tenant=${encodeURIComponent(tenantHost)}`;
-  const controller = new AbortController();
-  const timer = setTimeout(() => controller.abort(), timeoutMs);
-  let response;
-  try {
-    response = await fetchImpl(url, { signal: controller.signal });
-  } catch (cause) {
-    log(`[policy-evaluator] fetch failed (${tenantHost}): ${String(cause)}; using fallback`);
-    return cacheFallback();
-  } finally {
-    clearTimeout(timer);
-  }
-  if (!response.ok) {
-    log(`[policy-evaluator] dashboard HTTP ${response.status} (${tenantHost}); using fallback`);
-    return cacheFallback();
-  }
-  let body;
-  try {
-    body = await response.json();
-  } catch (cause) {
-    log(
-      `[policy-evaluator] dashboard response not JSON (${tenantHost}): ${String(cause)}; using fallback`
-    );
-    return cacheFallback();
-  }
-  const parsed = parseTenantPolicy(body);
-  if (!parsed) {
-    log(`[policy-evaluator] dashboard response malformed (${tenantHost}); using fallback`);
-    return cacheFallback();
-  }
-  cache.set(tenantHost, { policy: parsed, fetchedAt: now() });
-  return parsed;
-}
-function parseTenantPolicy(raw) {
-  if (raw === null || typeof raw !== "object") return null;
-  const threshold = raw.reputationThreshold;
-  if (typeof threshold !== "number" || !Number.isFinite(threshold) || threshold < 0 || threshold > 1) {
-    return null;
-  }
-  return { reputationThreshold: threshold };
-}
-function makeSystemClock() {
-  return { nowUnix: () => Math.floor(Date.now() / 1e3) };
-}
 function adaptToExpressResponse(rendered, req, res, next) {
   const clientAcceptsHtml = acceptsHtml(req.headers);
   const verdictCookie = encodeVerdictCookie(rendered);