@kya-os/checkpoint-wasm-runtime 1.5.1 → 1.6.0
- package/CHANGELOG.md +127 -0
- package/dist/engine-edge.d.mts +52 -16
- package/dist/engine-edge.d.ts +52 -16
- package/dist/engine-edge.js +11 -4
- package/dist/engine-edge.mjs +11 -4
- package/dist/index.d.mts +118 -1
- package/dist/index.d.ts +118 -1
- package/dist/orchestrator-edge.js +29 -13
- package/dist/orchestrator-edge.mjs +29 -13
- package/dist/orchestrator-node.js +18 -9
- package/dist/orchestrator-node.mjs +18 -9
- package/dist/orchestrator.d.mts +52 -16
- package/dist/orchestrator.d.ts +52 -16
- package/dist/orchestrator.js +29 -13
- package/dist/orchestrator.mjs +29 -13
- package/dist/policy.d.mts +148 -0
- package/dist/policy.d.ts +148 -0
- package/dist/policy.js +52 -0
- package/dist/policy.mjs +53 -0
- package/dist/reporter.d.mts +102 -0
- package/dist/reporter.d.ts +102 -0
- package/dist/reporter.js +125 -0
- package/dist/reporter.mjs +122 -0
- package/package.json +15 -5
- package/wasm/kya-os-engine/kya_os_engine_bg.wasm +0 -0
- package/wasm/kya-os-engine-bundler/kya_os_engine_bg.wasm +0 -0
- package/wasm/kya-os-engine-cedar/README.md +26 -0
- package/wasm/kya-os-engine-cedar/kya_os_engine.d.ts +77 -0
- package/wasm/kya-os-engine-cedar/kya_os_engine.js +636 -0
- package/wasm/kya-os-engine-cedar/kya_os_engine_bg.wasm +0 -0
- package/wasm/kya-os-engine-cedar/kya_os_engine_bg.wasm.d.ts +11 -0
- package/wasm/kya-os-engine-cedar/package.json +29 -0
- package/wasm/kya-os-engine-cedar-web/README.md +26 -0
- package/wasm/kya-os-engine-cedar-web/kya_os_engine.d.ts +117 -0
- package/wasm/kya-os-engine-cedar-web/kya_os_engine.js +694 -0
- package/wasm/kya-os-engine-cedar-web/kya_os_engine_bg.wasm +0 -0
- package/wasm/kya-os-engine-cedar-web/kya_os_engine_bg.wasm.d.ts +11 -0
- package/wasm/kya-os-engine-cedar-web/package.json +31 -0
- package/wasm/kya-os-engine-web/kya_os_engine_bg.wasm +0 -0
- package/wasm/agentshield_wasm.d.ts +0 -485
- package/wasm/agentshield_wasm.js +0 -1551
- package/wasm/agentshield_wasm_bg.wasm +0 -0
- package/wasm/agentshield_wasm_bg.wasm.d.ts +0 -97
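--- a/package/wasm/kya-os-engine-cedar-web/kya_os_engine.d.ts
+++ b/package/wasm/kya-os-engine-cedar-web/kya_os_engine.d.ts
@@ -0,0 +1,117 @@
+/* tslint:disable */
+/* eslint-disable */
+/**
+* Cross-boundary `verify` wrapper. The JS host calls `engine.verify(input,
+* ctxSpec)`; on success it gets a [`VerifyResult`] JSON object; on
+* infrastructure failure (or malformed input) it gets a thrown JS error
+* whose message names the failure mode.
+*
+* **Error semantics**:
+*
+* - Verification *verdicts* (Block/Challenge/etc.) surface inside the
+* returned `VerifyResult` — they are not thrown.
+* - Engine [`VerifyError`][crate::error::VerifyError] (resolver / cache /
+* reputation / policy infra failures) surface as thrown JS errors.
+* - Serde deserialisation failures (malformed JS input) surface as thrown
+* JS errors too, mirroring the typed-vs-thrown split.
+*
+* # JS signature
+*
+* ```ts
+* function verify(input: AgentRequest, ctx: ContextSpec): VerifyResult;
+* ```
+*/
+export function verify(input_js: any, ctx_js: any): any;
+/**
+* Cross-boundary handle to a compiled Cedar policy bundle.
+*
+* Wraps a [`CedarPolicyEvaluator`] so a JS host can compile a tenant
+* policy once and authorize many requests against it. Construction
+* compiles the bundle; each [`authorize`][Self::authorize] call evaluates
+* a single owned request and never re-parses policy text.
+*/
+export class PolicyEvaluator {
+free(): void;
+[Symbol.dispose](): void;
+/**
+* Compile `policy_text` into a reusable evaluator.
+*
+* The Cedar policy bundle is parsed and compiled exactly once here;
+* the resulting evaluator is held for the lifetime of the handle and
+* reused by every [`authorize`][Self::authorize] call.
+*
+* # Errors
+*
+* Returns a thrown JS error whose message names the failure when
+* `policy_text` is not syntactically valid Cedar
+* ([`PolicyEvaluationError::Malformed`][crate::error::PolicyEvaluationError::Malformed]).
+* A malformed bundle is an infrastructure fault surfaced at
+* construction, never as a per-request deny.
+*/
+constructor(policy_text: string);
+/**
+* Authorize one owned request against the compiled policy bundle.
+*
+* The JS host calls `evaluator.authorize(input)` with an
+* [`AuthorizeInput`]-shaped object (camelCase keys); it gets back a
+* [`Decision`][crate::types::Decision] JSON object. The evaluator owns
+* the fail-closed posture — a request it cannot marshal, or one
+* matching no `permit`, comes back as a
+* [`Decision::Block`][crate::types::Decision::Block], not a thrown
+* error.
+*
+* # Errors
+*
+* Returns a thrown JS error only for boundary faults: a malformed
+* `input_js` that fails [`AuthorizeInput`] deserialisation, or a
+* failure serialising the resulting `Decision`. Authorization
+* *verdicts* never throw — they surface inside the returned value.
+*
+* # JS signature
+*
+* ```ts
+* authorize(input: AuthorizeInput): Decision;
+* ```
+*/
+authorize(input_js: any): any;
+}
+
+export type InitInput = RequestInfo | URL | Response | BufferSource | WebAssembly.Module;
+
+export interface InitOutput {
+readonly memory: WebAssembly.Memory;
+readonly __wbg_policyevaluator_free: (a: number, b: number) => void;
+readonly policyevaluator_authorize: (a: number, b: number, c: number) => void;
+readonly policyevaluator_new: (a: number, b: number, c: number) => void;
+readonly verify: (a: number, b: number, c: number) => void;
+readonly __wbindgen_export: (a: number, b: number) => number;
+readonly __wbindgen_export2: (a: number, b: number, c: number, d: number) => number;
+readonly __wbindgen_export3: (a: number) => void;
+readonly __wbindgen_add_to_stack_pointer: (a: number) => number;
+}
+
+export type SyncInitInput = BufferSource | WebAssembly.Module;
+/**
+* Instantiates the given `module`, which can either be bytes or
+* a precompiled `WebAssembly.Module`.
+*
+* @param {{ module: SyncInitInput }} module - Passing `SyncInitInput` directly is deprecated.
+*
+* @returns {InitOutput}
+*/
+export function initSync(module: { module: SyncInitInput } | SyncInitInput): InitOutput;
+
+/**
+* If `module_or_path` is {RequestInfo} or {URL}, makes a request and
+* for everything else, calls `WebAssembly.instantiate` directly.
+*
+* @param {{ module_or_path: InitInput | Promise<InitInput> }} module_or_path - Passing `InitInput` directly is deprecated.
+*
+* @returns {Promise<InitOutput>}
+*/
+export default function __wbg_init(
+module_or_path?:
+| { module_or_path: InitInput | Promise<InitInput> }
+| InitInput
+| Promise<InitInput>
+): Promise<InitOutput>;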
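Review bot: The doc comments on `verify` (new line 24) and `PolicyEvaluator.authorize` (new line 76) separate returned verdicts from thrown errors but never say what the host must do with a throw, so a caller that catches the error and lets the request continue would fail open on exactly the resolver, cache, policy and malformed-input faults the comments list. I would add one sentence to both comments, for example `Callers must treat a thrown error as a deny for the request.` Both entry points are also declared `any` in and `any` out even though the comments name `AgentRequest`, `ContextSpec`, `VerifyResult`, `AuthorizeInput` and `Decision`, so a misread verdict field on the host side is not caught at compile time; exporting those shapes and using them in the signatures would close that gap. The file looks like wasm-bindgen output (the `__wbindgen_*` exports), so both changes presumably belong in the Rust source that generates it rather than in this declaration file.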