@kya-os/consent 0.1.38 → 0.1.39

package/dist/bundle/inline.js.map

@@ -1 +1 @@
-{"version":3,"file":"inline.js","sourceRoot":"","sources":["../../src/bundle/inline.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH;;;GAGG;AACH,MAAM,CAAC,MAAM,cAAc,GAAW,q08NAAq08N,CAAC;AAE528N;;GAEG;AACH,MAAM,CAAC,MAAM,mBAAmB,GAAW,MAAM,CAAC"}
+{"version":3,"file":"inline.js","sourceRoot":"","sources":["../../src/bundle/inline.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH;;;GAGG;AACH,MAAM,CAAC,MAAM,cAAc,GAAW,u68PAAu68P,CAAC;AAE988P;;GAEG;AACH,MAAM,CAAC,MAAM,mBAAmB,GAAW,MAAM,CAAC"}

package/dist/bundle/shell.d.ts

@@ -43,6 +43,8 @@ export interface ConsentShellOptions {
     nonce?: string;
     /** Authentication mode (consent-only, credentials, oauth, magic-link, otp) */
     authMode?: string;
+    /** Human-readable agent name for display */
+    agentName?: string;
     /** Provider name for credentials/oauth flows */
     provider?: string;
     /** CSRF token for form security (required for credential auth) */
@@ -91,6 +93,27 @@ export interface ConsentShellOptions {
      * Used for display and delegation metadata
      */
     oauthProviderName?: string;
+    /**
+     * Operator-authored capability groups. When present, the new humanized
+     * consent layout renders instead of the legacy raw scope list.
+     */
+    capabilities?: import('../types/capabilities.types.js').CapabilityGroup[];
+    /** Resolved agent identity tile (logo, vendor, surface, verified). */
+    agentMetadata?: import('../types/capabilities.types.js').AgentMetadata;
+    /** Theme override (`light` / `dark`). Defaults to `light`. */
+    consentTheme?: import('../types/capabilities.types.js').ConsentTheme;
+    /** Org name shown in the headline + revocation footer. */
+    orgName?: string;
+    /** Operator-set headline verb (e.g., 'use', 'shop'). */
+    headlineVerb?: string;
+    /** Path the user can visit to revoke (footer notice). */
+    revocationPath?: string;
+    /** Days of inactivity before auto-revocation (footer notice). */
+    inactivityDays?: number;
+    /** Optional URL backing the "How does this work?" link. */
+    howItWorksUrl?: string;
+    /** Cedar template context bound at render time for "View policy" disclosures. */
+    cedarContext?: import('../types/capabilities.types.js').CedarTemplateContext;
 }
 /**
  * Generate the consent page HTML shell

package/dist/bundle/shell.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"shell.d.ts","sourceRoot":"","sources":["../../src/bundle/shell.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAGH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAC;AAC9D,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AAE3D;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,kEAAkE;IAClE,MAAM,EAAE,aAAa,CAAC;IACtB,2BAA2B;IAC3B,IAAI,EAAE,MAAM,CAAC;IACb,kCAAkC;IAClC,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,kBAAkB;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,yBAAyB;IACzB,SAAS,EAAE,MAAM,CAAC;IAClB,yBAAyB;IACzB,SAAS,EAAE,MAAM,CAAC;IAClB,qCAAqC;IACrC,SAAS,EAAE,MAAM,CAAC;IAClB,8CAA8C;IAC9C,aAAa,CAAC,EAAE,aAAa,CAAC;IAC9B,4DAA4D;IAC5D,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,wBAAwB;IACxB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,0CAA0C;IAC1C,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,8EAA8E;IAC9E,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,gDAAgD;IAChD,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,kEAAkE;IAClE,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,wEAAwE;IACxE,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,wEAAwE;IACxE,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;;OAGG;IACH,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B;;;OAGG;IACH,wBAAwB,CAAC,EAAE,MAAM,CAAC;IAClC;;;;;OAKG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB;;;;;OAKG;IACH,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAE3B;;;;OAIG;IACH,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAE3B;;;OAGG;IACH,iBAAiB,CAAC,EAAE,MAAM,CAAC;CAC5B;AAED;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,mBAAmB,GAAG,MAAM,CA2NzE;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAgB,0BAA0B,CACxC,OAAO,EAAE,IAAI,CAAC,mBAAmB,EAAE,YAAY,CAAC,EAChD,YAAY,EAAE,MAAM,GACnB,MAAM,CAsDR"}
+{"version":3,"file":"shell.d.ts","sourceRoot":"","sources":["../../src/bundle/shell.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAGH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAC;AAC9D,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AAE3D;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,kEAAkE;IAClE,MAAM,EAAE,aAAa,CAAC;IACtB,2BAA2B;IAC3B,IAAI,EAAE,MAAM,CAAC;IACb,kCAAkC;IAClC,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,kBAAkB;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,yBAAyB;IACzB,SAAS,EAAE,MAAM,CAAC;IAClB,yBAAyB;IACzB,SAAS,EAAE,MAAM,CAAC;IAClB,qCAAqC;IACrC,SAAS,EAAE,MAAM,CAAC;IAClB,8CAA8C;IAC9C,aAAa,CAAC,EAAE,aAAa,CAAC;IAC9B,4DAA4D;IAC5D,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,wBAAwB;IACxB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,0CAA0C;IAC1C,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,8EAA8E;IAC9E,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,4CAA4C;IAC5C,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,gDAAgD;IAChD,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,kEAAkE;IAClE,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,wEAAwE;IACxE,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,wEAAwE;IACxE,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;;OAGG;IACH,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B;;;OAGG;IACH,wBAAwB,CAAC,EAAE,MAAM,CAAC;IAClC;;;;;OAKG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB;;;;;OAKG;IACH,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAE3B;;;;OAIG;IACH,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAE3B;;;OAGG;IACH,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAE3B;;;OAGG;IACH,YAAY,CAAC,EAAE,OAAO,gCAAgC,EAAE,eAAe,EAAE,CAAC;IAE1E,sEAAsE;IACtE,aAAa,CAAC,EAAE,OAAO,gCAAgC,EAAE,aAAa,CAAC;IAEvE,8DAA8D;IAC9D,YAAY,CAAC,EAAE,OAAO,gCAAgC,EAAE,YAAY,CAAC;IAErE,0DAA0D;IAC1D,OAAO,CAAC,EAAE,MAAM,CAAC;IAEjB,wDAAwD;IACxD,YAAY,CAAC,EAAE,MAAM,CAAC;IAEtB,yDAAyD;IACzD,cAAc,CAAC,EAAE,MAAM,CAAC;IAExB,iEAAiE;IACjE,cAAc,CAAC,EAAE,MAAM,CAAC;IAExB,2DAA2D;IAC3D,aAAa,CAAC,EAAE,MAAM,CAAC;IAEvB,iFAAiF;IACjF,YAAY,CAAC,EAAE,OAAO,gCAAgC,EAAE,oBAAoB,CAAC;CAC9E;AAED;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,mBAAmB,GAAG,MAAM,CAqPzE;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAgB,0BAA0B,CACxC,OAAO,EAAE,IAAI,CAAC,mBAAmB,EAAE,YAAY,CAAC,EAChD,YAAY,EAAE,MAAM,GACnB,MAAM,CAsDR"}

package/dist/bundle/shell.js

@@ -41,18 +41,32 @@ import { escapeHtml, escapeAttr } from '../security/escape.js';
  * ```
  */
 export function generateConsentShell(options) {
-    const { config, tool, scopes, agentDid, sessionId, projectId, serverUrl, oauthIdentity, bundlePath = '/consent.js', pageTitle = 'Permission Request', nonce, authMode, provider, csrfToken, credentialProviderType, credentialProvider, userDid, // CRITICAL: Bypasses KV consistency issues
+    const { config, tool, scopes, agentDid, sessionId, projectId, serverUrl, oauthIdentity, bundlePath = '/consent.js', pageTitle = 'Permission Request', nonce, authMode, agentName, provider, csrfToken, credentialProviderType, credentialProvider, userDid, // CRITICAL: Bypasses KV consistency issues
     credentialUserEmail, // User email from credential provider
     credentialProviderUserId, // Provider's user ID (e.g., customer ID)
     oauthUrl, // Pre-built OAuth authorization URL
     authorizationType, // Dynamic authorization type from tool protection
     oauthProviderType, // OAuth provider type from prior OAuth auth step
     oauthProviderName, // OAuth provider name (e.g., 'custom', 'github')
+    capabilities, // Operator-authored capability groups (humanized layout)
+    agentMetadata, // Resolved agent identity tile
+    consentTheme, // Theme override (`light`/`dark`)
+    orgName, // Org name for headline + footer
+    headlineVerb, // Operator-set headline verb
+    revocationPath, // Path the user can visit to revoke
+    inactivityDays, // Days of inactivity before auto-revocation
+    howItWorksUrl, // URL backing "How does this work?"
+    cedarContext, // Cedar template context for "View policy" disclosures
      } = options;
     // Safely serialize config as JSON for attribute
     const configJson = JSON.stringify(config);
     const scopesJson = JSON.stringify(scopes);
     const oauthJson = oauthIdentity ? JSON.stringify(oauthIdentity) : null;
+    const capabilitiesJson = capabilities && capabilities.length > 0 ? JSON.stringify(capabilities) : null;
+    const agentMetadataJson = agentMetadata
+        ? JSON.stringify(agentMetadata)
+        : null;
+    const cedarContextJson = cedarContext ? JSON.stringify(cedarContext) : null;
     // Build nonce attribute if provided
     const nonceAttr = nonce ? ` nonce="${escapeAttr(nonce)}"` : '';
     return `<!DOCTYPE html>
@@ -192,6 +206,7 @@ export function generateConsentShell(options) {
     server-url="${escapeAttr(serverUrl)}"
     ${oauthJson ? `oauth-identity='${escapeAttr(oauthJson)}'` : ''}
     ${authMode ? `auth-mode="${escapeAttr(authMode)}"` : ''}
+    ${agentName ? `agent-name="${escapeAttr(agentName)}"` : ''}
     ${provider ? `provider="${escapeAttr(provider)}"` : ''}
     ${csrfToken ? `csrf-token="${escapeAttr(csrfToken)}"` : ''}
     ${credentialProviderType ? `credential-provider-type="${escapeAttr(credentialProviderType)}"` : ''}
@@ -203,6 +218,15 @@ export function generateConsentShell(options) {
     ${authorizationType ? `authorization-type="${escapeAttr(authorizationType)}"` : ''}
     ${oauthProviderType ? `oauth-provider-type="${escapeAttr(oauthProviderType)}"` : ''}
     ${oauthProviderName ? `oauth-provider="${escapeAttr(oauthProviderName)}"` : ''}
+    ${capabilitiesJson ? `capabilities='${escapeAttr(capabilitiesJson)}'` : ''}
+    ${agentMetadataJson ? `agent-metadata='${escapeAttr(agentMetadataJson)}'` : ''}
+    ${cedarContextJson ? `cedar-context='${escapeAttr(cedarContextJson)}'` : ''}
+    ${consentTheme ? `consent-theme="${escapeAttr(consentTheme)}"` : ''}
+    ${orgName ? `org-name="${escapeAttr(orgName)}"` : ''}
+    ${headlineVerb ? `headline-verb="${escapeAttr(headlineVerb)}"` : ''}
+    ${revocationPath ? `revocation-path="${escapeAttr(revocationPath)}"` : ''}
+    ${typeof inactivityDays === 'number' ? `inactivity-days="${escapeAttr(String(inactivityDays))}"` : ''}
+    ${howItWorksUrl ? `how-it-works-url="${escapeAttr(howItWorksUrl)}"` : ''}
   ></mcp-consent>
 
   <!-- Loading skeleton (hidden once component is defined) -->

package/dist/bundle/shell.js.map

@@ -1 +1 @@
-{"version":3,"file":"shell.js","sourceRoot":"","sources":["../../src/bundle/shell.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AAqF/D;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,MAAM,UAAU,oBAAoB,CAAC,OAA4B;IAC/D,MAAM,EACJ,MAAM,EACN,IAAI,EACJ,MAAM,EACN,QAAQ,EACR,SAAS,EACT,SAAS,EACT,SAAS,EACT,aAAa,EACb,UAAU,GAAG,aAAa,EAC1B,SAAS,GAAG,oBAAoB,EAChC,KAAK,EACL,QAAQ,EACR,QAAQ,EACR,SAAS,EACT,sBAAsB,EACtB,kBAAkB,EAClB,OAAO,EAAE,2CAA2C;IACpD,mBAAmB,EAAE,sCAAsC;IAC3D,wBAAwB,EAAE,yCAAyC;IACnE,QAAQ,EAAE,oCAAoC;IAC9C,iBAAiB,EAAE,kDAAkD;IACrE,iBAAiB,EAAE,iDAAiD;IACpE,iBAAiB,EAAE,iDAAiD;MACrE,GAAG,OAAO,CAAC;IAEZ,gDAAgD;IAChD,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IAC1C,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IAC1C,MAAM,SAAS,GAAG,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAEvE,oCAAoC;IACpC,MAAM,SAAS,GAAG,KAAK,CAAC,CAAC,CAAC,WAAW,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;IAE/D,OAAO;;;;;;WAME,UAAU,CAAC,SAAS,CAAC;;;8BAGF,UAAU,CAAC,UAAU,CAAC;;;+BAGrB,UAAU,CAAC,UAAU,CAAC,IAAI,SAAS;;UAExD,SAAS;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;cAkHL,UAAU,CAAC,UAAU,CAAC;YACxB,UAAU,CAAC,IAAI,CAAC;cACd,UAAU,CAAC,UAAU,CAAC;iBACnB,UAAU,CAAC,QAAQ,CAAC;kBACnB,UAAU,CAAC,SAAS,CAAC;kBACrB,UAAU,CAAC,SAAS,CAAC;kBACrB,UAAU,CAAC,SAAS,CAAC;MACjC,SAAS,CAAC,CAAC,CAAC,mBAAmB,UAAU,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE;MAC5D,QAAQ,CAAC,CAAC,CAAC,cAAc,UAAU,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE;MACrD,QAAQ,CAAC,CAAC,CAAC,aAAa,UAAU,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE;MACpD,SAAS,CAAC,CAAC,CAAC,eAAe,UAAU,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE;MACxD,sBAAsB,CAAC,CAAC,CAAC,6BAA6B,UAAU,CAAC,sBAAsB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE;MAChG,kBAAkB,CAAC,CAAC,CAAC,wBAAwB,UAAU,CAAC,kBAAkB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE;MACnF,OAAO,CAAC,CAAC,CAAC,aAAa,UAAU,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE;MAClD,mBAAmB,CAAC,CAAC,CAAC,0BAA0B,UAAU,CAAC,mBAAmB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE;MACvF,wBAAwB,CAAC,CAAC,CAAC,gCAAgC,UAAU,CAAC,wBAAwB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE;MACvG,QAAQ,CAAC,CAAC,CAAC,cAAc,UAAU,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE;MACrD,iBAAiB,CAAC,CAAC,CAAC,uBAAuB,UAAU,CAAC,iBAAiB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE;MAChF,iBAAiB,CAAC,CAAC,CAAC,wBAAwB,UAAU,CAAC,iBAAiB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE;MACjF,iBAAiB,CAAC,CAAC,CAAC,mBAAmB,UAAU,CAAC,iBAAiB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE;;;;;;;;;;;;;;;;;;;;wDAoB1B,UAAU,CAAC,SAAS,CAAC;;;;gDAI7B,UAAU,CAAC,IAAI,CAAC;kDACd,UAAU,CAAC,UAAU,CAAC;qDACnB,UAAU,CAAC,QAAQ,CAAC;sDACnB,UAAU,CAAC,SAAS,CAAC;sDACrB,UAAU,CAAC,SAAS,CAAC;;;;;;;;QAQnE,CAAC;AACT,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,0BAA0B,CACxC,OAAgD,EAChD,YAAoB;IAEpB,MAAM,EACJ,MAAM,EACN,IAAI,EACJ,MAAM,EACN,QAAQ,EACR,SAAS,EACT,SAAS,EACT,SAAS,EACT,aAAa,EACb,SAAS,GAAG,oBAAoB,EAChC,KAAK,GACN,GAAG,OAAO,CAAC;IAEZ,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IAC1C,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IAC1C,MAAM,SAAS,GAAG,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IACvE,MAAM,SAAS,GAAG,KAAK,CAAC,CAAC,CAAC,WAAW,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;IAE/D,OAAO;;;;;WAKE,UAAU,CAAC,SAAS,CAAC;yBACP,SAAS;EAChC,YAAY;;UAEJ,SAAS;;;;;;;;;;;;;;;cAeL,UAAU,CAAC,UAAU,CAAC;YACxB,UAAU,CAAC,IAAI,CAAC;cACd,UAAU,CAAC,UAAU,CAAC;iBACnB,UAAU,CAAC,QAAQ,CAAC;kBACnB,UAAU,CAAC,SAAS,CAAC;kBACrB,UAAU,CAAC,SAAS,CAAC;kBACrB,UAAU,CAAC,SAAS,CAAC;MACjC,SAAS,CAAC,CAAC,CAAC,mBAAmB,UAAU,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE;;;QAG1D,CAAC;AACT,CAAC"}
+{"version":3,"file":"shell.js","sourceRoot":"","sources":["../../src/bundle/shell.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AAqH/D;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,MAAM,UAAU,oBAAoB,CAAC,OAA4B;IAC/D,MAAM,EACJ,MAAM,EACN,IAAI,EACJ,MAAM,EACN,QAAQ,EACR,SAAS,EACT,SAAS,EACT,SAAS,EACT,aAAa,EACb,UAAU,GAAG,aAAa,EAC1B,SAAS,GAAG,oBAAoB,EAChC,KAAK,EACL,QAAQ,EACR,SAAS,EACT,QAAQ,EACR,SAAS,EACT,sBAAsB,EACtB,kBAAkB,EAClB,OAAO,EAAE,2CAA2C;IACpD,mBAAmB,EAAE,sCAAsC;IAC3D,wBAAwB,EAAE,yCAAyC;IACnE,QAAQ,EAAE,oCAAoC;IAC9C,iBAAiB,EAAE,kDAAkD;IACrE,iBAAiB,EAAE,iDAAiD;IACpE,iBAAiB,EAAE,iDAAiD;IACpE,YAAY,EAAE,yDAAyD;IACvE,aAAa,EAAE,+BAA+B;IAC9C,YAAY,EAAE,kCAAkC;IAChD,OAAO,EAAE,iCAAiC;IAC1C,YAAY,EAAE,6BAA6B;IAC3C,cAAc,EAAE,oCAAoC;IACpD,cAAc,EAAE,4CAA4C;IAC5D,aAAa,EAAE,oCAAoC;IACnD,YAAY,EAAE,uDAAuD;MACtE,GAAG,OAAO,CAAC;IAEZ,gDAAgD;IAChD,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IAC1C,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IAC1C,MAAM,SAAS,GAAG,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IACvE,MAAM,gBAAgB,GACpB,YAAY,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAChF,MAAM,iBAAiB,GAAG,aAAa;QACrC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,aAAa,CAAC;QAC/B,CAAC,CAAC,IAAI,CAAC;IACT,MAAM,gBAAgB,GAAG,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAE5E,oCAAoC;IACpC,MAAM,SAAS,GAAG,KAAK,CAAC,CAAC,CAAC,WAAW,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;IAE/D,OAAO;;;;;;WAME,UAAU,CAAC,SAAS,CAAC;;;8BAGF,UAAU,CAAC,UAAU,CAAC;;;+BAGrB,UAAU,CAAC,UAAU,CAAC,IAAI,SAAS;;UAExD,SAAS;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;cAkHL,UAAU,CAAC,UAAU,CAAC;YACxB,UAAU,CAAC,IAAI,CAAC;cACd,UAAU,CAAC,UAAU,CAAC;iBACnB,UAAU,CAAC,QAAQ,CAAC;kBACnB,UAAU,CAAC,SAAS,CAAC;kBACrB,UAAU,CAAC,SAAS,CAAC;kBACrB,UAAU,CAAC,SAAS,CAAC;MACjC,SAAS,CAAC,CAAC,CAAC,mBAAmB,UAAU,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE;MAC5D,QAAQ,CAAC,CAAC,CAAC,cAAc,UAAU,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE;MACrD,SAAS,CAAC,CAAC,CAAC,eAAe,UAAU,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE;MACxD,QAAQ,CAAC,CAAC,CAAC,aAAa,UAAU,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE;MACpD,SAAS,CAAC,CAAC,CAAC,eAAe,UAAU,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE;MACxD,sBAAsB,CAAC,CAAC,CAAC,6BAA6B,UAAU,CAAC,sBAAsB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE;MAChG,kBAAkB,CAAC,CAAC,CAAC,wBAAwB,UAAU,CAAC,kBAAkB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE;MACnF,OAAO,CAAC,CAAC,CAAC,aAAa,UAAU,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE;MAClD,mBAAmB,CAAC,CAAC,CAAC,0BAA0B,UAAU,CAAC,mBAAmB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE;MACvF,wBAAwB,CAAC,CAAC,CAAC,gCAAgC,UAAU,CAAC,wBAAwB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE;MACvG,QAAQ,CAAC,CAAC,CAAC,cAAc,UAAU,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE;MACrD,iBAAiB,CAAC,CAAC,CAAC,uBAAuB,UAAU,CAAC,iBAAiB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE;MAChF,iBAAiB,CAAC,CAAC,CAAC,wBAAwB,UAAU,CAAC,iBAAiB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE;MACjF,iBAAiB,CAAC,CAAC,CAAC,mBAAmB,UAAU,CAAC,iBAAiB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE;MAC5E,gBAAgB,CAAC,CAAC,CAAC,iBAAiB,UAAU,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE;MACxE,iBAAiB,CAAC,CAAC,CAAC,mBAAmB,UAAU,CAAC,iBAAiB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE;MAC5E,gBAAgB,CAAC,CAAC,CAAC,kBAAkB,UAAU,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE;MACzE,YAAY,CAAC,CAAC,CAAC,kBAAkB,UAAU,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE;MACjE,OAAO,CAAC,CAAC,CAAC,aAAa,UAAU,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE;MAClD,YAAY,CAAC,CAAC,CAAC,kBAAkB,UAAU,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE;MACjE,cAAc,CAAC,CAAC,CAAC,oBAAoB,UAAU,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE;MACvE,OAAO,cAAc,KAAK,QAAQ,CAAC,CAAC,CAAC,oBAAoB,UAAU,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE;MACnG,aAAa,CAAC,CAAC,CAAC,qBAAqB,UAAU,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE;;;;;;;;;;;;;;;;;;;;wDAoBpB,UAAU,CAAC,SAAS,CAAC;;;;gDAI7B,UAAU,CAAC,IAAI,CAAC;kDACd,UAAU,CAAC,UAAU,CAAC;qDACnB,UAAU,CAAC,QAAQ,CAAC;sDACnB,UAAU,CAAC,SAAS,CAAC;sDACrB,UAAU,CAAC,SAAS,CAAC;;;;;;;;QAQnE,CAAC;AACT,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,0BAA0B,CACxC,OAAgD,EAChD,YAAoB;IAEpB,MAAM,EACJ,MAAM,EACN,IAAI,EACJ,MAAM,EACN,QAAQ,EACR,SAAS,EACT,SAAS,EACT,SAAS,EACT,aAAa,EACb,SAAS,GAAG,oBAAoB,EAChC,KAAK,GACN,GAAG,OAAO,CAAC;IAEZ,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IAC1C,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IAC1C,MAAM,SAAS,GAAG,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IACvE,MAAM,SAAS,GAAG,KAAK,CAAC,CAAC,CAAC,WAAW,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;IAE/D,OAAO;;;;;WAKE,UAAU,CAAC,SAAS,CAAC;yBACP,SAAS;EAChC,YAAY;;UAEJ,SAAS;;;;;;;;;;;;;;;cAeL,UAAU,CAAC,UAAU,CAAC;YACxB,UAAU,CAAC,IAAI,CAAC;cACd,UAAU,CAAC,UAAU,CAAC;iBACnB,UAAU,CAAC,QAAQ,CAAC;kBACnB,UAAU,CAAC,SAAS,CAAC;kBACrB,UAAU,CAAC,SAAS,CAAC;kBACrB,UAAU,CAAC,SAAS,CAAC;MACjC,SAAS,CAAC,CAAC,CAAC,mBAAmB,UAAU,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE;;;QAG1D,CAAC;AACT,CAAC"}

package/dist/capabilities/index.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Capability registry exports.
+ *
+ * @module @kya-os/consent/capabilities
+ */
+export { DEFAULT_CAPABILITIES, resolveCapabilitiesForScopes } from "./registry.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/capabilities/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/capabilities/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,oBAAoB,EAAE,4BAA4B,EAAE,MAAM,eAAe,CAAC"}

package/dist/capabilities/index.js

@@ -0,0 +1,7 @@
+/**
+ * Capability registry exports.
+ *
+ * @module @kya-os/consent/capabilities
+ */
+export { DEFAULT_CAPABILITIES, resolveCapabilitiesForScopes } from "./registry.js";
+//# sourceMappingURL=index.js.map

package/dist/capabilities/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/capabilities/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,oBAAoB,EAAE,4BAA4B,EAAE,MAAM,eAAe,CAAC"}

package/dist/capabilities/registry.d.ts

@@ -0,0 +1,29 @@
+/**
+ * Default Capability Registry
+ *
+ * Built-in capability definitions for common scopes. Operators override these
+ * via the WYSIWYG editor; the registry is the seed and the fallback when no
+ * override is present.
+ *
+ * Each default capability ships with an operator-authored Cedar fragment that
+ * uses templated placeholders ({{agent_did}}, {{user_did}}, {{org}},
+ * {{deployment}}). Placeholders are bound at compile time via
+ * `compileSingleCapability` / `compileCapabilitiesToCedar`.
+ *
+ * @module @kya-os/consent/capabilities/registry
+ */
+import type { Capability } from "../types/capabilities.types.js";
+/**
+ * Default capabilities keyed by capability id. Each entry is a complete
+ * `Capability` record, ready to render or to use as a template the operator
+ * customizes in the WYSIWYG.
+ */
+export declare const DEFAULT_CAPABILITIES: Record<string, Capability>;
+/**
+ * Resolve a list of scopes to capability records. Operator overrides win over
+ * the default registry; scopes that match no capability fall through as
+ * "unknown" capabilities so the consent screen can still render them as raw
+ * permission rows.
+ */
+export declare function resolveCapabilitiesForScopes(scopes: string[], overrides?: Capability[]): Capability[];
+//# sourceMappingURL=registry.d.ts.map

package/dist/capabilities/registry.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"registry.d.ts","sourceRoot":"","sources":["../../src/capabilities/registry.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,gCAAgC,CAAC;AAEjE;;;;GAIG;AACH,eAAO,MAAM,oBAAoB,EAAE,MAAM,CAAC,MAAM,EAAE,UAAU,CAqG3D,CAAC;AAEF;;;;;GAKG;AACH,wBAAgB,4BAA4B,CAC1C,MAAM,EAAE,MAAM,EAAE,EAChB,SAAS,GAAE,UAAU,EAAO,GAC3B,UAAU,EAAE,CAsCd"}

package/dist/capabilities/registry.js

@@ -0,0 +1,178 @@
+/**
+ * Default Capability Registry
+ *
+ * Built-in capability definitions for common scopes. Operators override these
+ * via the WYSIWYG editor; the registry is the seed and the fallback when no
+ * override is present.
+ *
+ * Each default capability ships with an operator-authored Cedar fragment that
+ * uses templated placeholders ({{agent_did}}, {{user_did}}, {{org}},
+ * {{deployment}}). Placeholders are bound at compile time via
+ * `compileSingleCapability` / `compileCapabilitiesToCedar`.
+ *
+ * @module @kya-os/consent/capabilities/registry
+ */
+/**
+ * Default capabilities keyed by capability id. Each entry is a complete
+ * `Capability` record, ready to render or to use as a template the operator
+ * customizes in the WYSIWYG.
+ */
+export const DEFAULT_CAPABILITIES = {
+    "cart.browse": {
+        id: "cart.browse",
+        label: "Browse products and check prices",
+        description: "Look at what's for sale, see what's in stock, and compare options.",
+        icon: "search",
+        riskLevel: "low",
+        defaultOn: true,
+        cedar: [
+            "permit (",
+            '  principal == Agent::"{{agent_did}}",',
+            "  action in [",
+            '    Action::"get-products:execute",',
+            '    Action::"get-cart:execute",',
+            '    Action::"get-brands:execute",',
+            '    Action::"get-brand:execute"',
+            "  ],",
+            '  resource in Org::"{{org}}"::Catalog::"*"',
+            ");",
+        ].join("\n"),
+        scopes: [
+            "get-products:execute",
+            "get-cart:execute",
+            "get-brands:execute",
+            "get-brand:execute",
+        ],
+        category: "Browse",
+    },
+    "cart.add": {
+        id: "cart.add",
+        label: "Add items to your cart",
+        description: "Put things in your shopping cart so you can review before buying.",
+        icon: "cart",
+        riskLevel: "medium",
+        defaultOn: true,
+        cedar: [
+            "permit (",
+            '  principal == Agent::"{{agent_did}}",',
+            '  action == Action::"add-to-cart:execute",',
+            '  resource in Org::"{{org}}"::Cart::"*"',
+            ");",
+        ].join("\n"),
+        scopes: ["add-to-cart:execute"],
+        category: "Cart",
+    },
+    "payment.use-saved": {
+        id: "payment.use-saved",
+        label: "Use your saved payment methods",
+        description: "Pay with cards already on your account. The agent never sees the card numbers.",
+        icon: "card",
+        riskLevel: "high",
+        defaultOn: true,
+        cedar: [
+            "permit (",
+            '  principal == Agent::"{{agent_did}}",',
+            '  action == Action::"payment:use-saved",',
+            '  resource in User::"{{user_did}}"::PaymentMethod::"saved"',
+            ");",
+        ].join("\n"),
+        scopes: ["payment:use-saved"],
+        category: "Checkout",
+    },
+    "shipping.use-saved": {
+        id: "shipping.use-saved",
+        label: "Ship to your saved addresses",
+        description: "Send orders only to addresses already on file — your home, your office, etc.",
+        icon: "pin",
+        riskLevel: "medium",
+        defaultOn: true,
+        cedar: [
+            "permit (",
+            '  principal == Agent::"{{agent_did}}",',
+            '  action == Action::"shipping:use-saved",',
+            '  resource in User::"{{user_did}}"::Address::"saved"',
+            ");",
+        ].join("\n"),
+        scopes: ["shipping:use-saved"],
+        category: "Checkout",
+    },
+    "shipping.new": {
+        id: "shipping.new",
+        label: "Ship to new addresses",
+        description: "Send orders to places you've never shipped to before. Off by default — turn on only if you want the agent to ship gifts or deliver to new locations.",
+        icon: "pin-new",
+        riskLevel: "high",
+        defaultOn: false,
+        cedar: [
+            "permit (",
+            '  principal == Agent::"{{agent_did}}",',
+            '  action == Action::"shipping:ship-new",',
+            '  resource in User::"{{user_did}}"::Address::"new"',
+            ");",
+        ].join("\n"),
+        scopes: ["shipping:ship-new"],
+        category: "Checkout",
+    },
+};
+/**
+ * Resolve a list of scopes to capability records. Operator overrides win over
+ * the default registry; scopes that match no capability fall through as
+ * "unknown" capabilities so the consent screen can still render them as raw
+ * permission rows.
+ */
+export function resolveCapabilitiesForScopes(scopes, overrides = []) {
+    const indexedOverrides = new Map();
+    for (const override of overrides) {
+        indexedOverrides.set(override.id, override);
+        for (const scope of override.scopes) {
+            indexedOverrides.set(`scope:${scope}`, override);
+        }
+    }
+    const matched = new Map();
+    const unmatchedScopes = [];
+    for (const scope of scopes) {
+        const overrideMatch = indexedOverrides.get(`scope:${scope}`);
+        if (overrideMatch) {
+            matched.set(overrideMatch.id, overrideMatch);
+            continue;
+        }
+        const defaultMatch = Object.values(DEFAULT_CAPABILITIES).find((c) => c.scopes.includes(scope));
+        if (defaultMatch) {
+            const override = indexedOverrides.get(defaultMatch.id);
+            matched.set(defaultMatch.id, override ?? defaultMatch);
+            continue;
+        }
+        unmatchedScopes.push(scope);
+    }
+    const resolved = Array.from(matched.values());
+    for (const scope of unmatchedScopes) {
+        resolved.push(buildUnknownCapability(scope));
+    }
+    return resolved;
+}
+/**
+ * Build a placeholder capability for a scope we don't recognize. Keeps the
+ * consent screen renderable for never-before-seen scopes without crashing.
+ */
+function buildUnknownCapability(scope) {
+    const label = scope
+        .replace(/[_:.-]/g, " ")
+        .replace(/\b\w/g, (c) => c.toUpperCase());
+    return {
+        id: `unknown.${scope.replace(/[^a-z0-9]/gi, "-").toLowerCase()}`,
+        label,
+        description: `Permission required by the ${scope} scope.`,
+        icon: "neutral",
+        riskLevel: "medium",
+        defaultOn: false,
+        cedar: [
+            "permit (",
+            '  principal == Agent::"{{agent_did}}",',
+            `  action == Action::"${scope}",`,
+            '  resource in Org::"{{org}}"::Resource::"*"',
+            ");",
+        ].join("\n"),
+        scopes: [scope],
+    };
+}
+//# sourceMappingURL=registry.js.map

package/dist/capabilities/registry.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"registry.js","sourceRoot":"","sources":["../../src/capabilities/registry.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAIH;;;;GAIG;AACH,MAAM,CAAC,MAAM,oBAAoB,GAA+B;IAC9D,aAAa,EAAE;QACb,EAAE,EAAE,aAAa;QACjB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,oEAAoE;QACtE,IAAI,EAAE,QAAQ;QACd,SAAS,EAAE,KAAK;QAChB,SAAS,EAAE,IAAI;QACf,KAAK,EAAE;YACL,UAAU;YACV,wCAAwC;YACxC,eAAe;YACf,qCAAqC;YACrC,iCAAiC;YACjC,mCAAmC;YACnC,iCAAiC;YACjC,MAAM;YACN,4CAA4C;YAC5C,IAAI;SACL,CAAC,IAAI,CAAC,IAAI,CAAC;QACZ,MAAM,EAAE;YACN,sBAAsB;YACtB,kBAAkB;YAClB,oBAAoB;YACpB,mBAAmB;SACpB;QACD,QAAQ,EAAE,QAAQ;KACnB;IACD,UAAU,EAAE;QACV,EAAE,EAAE,UAAU;QACd,KAAK,EAAE,wBAAwB;QAC/B,WAAW,EACT,mEAAmE;QACrE,IAAI,EAAE,MAAM;QACZ,SAAS,EAAE,QAAQ;QACnB,SAAS,EAAE,IAAI;QACf,KAAK,EAAE;YACL,UAAU;YACV,wCAAwC;YACxC,4CAA4C;YAC5C,yCAAyC;YACzC,IAAI;SACL,CAAC,IAAI,CAAC,IAAI,CAAC;QACZ,MAAM,EAAE,CAAC,qBAAqB,CAAC;QAC/B,QAAQ,EAAE,MAAM;KACjB;IACD,mBAAmB,EAAE;QACnB,EAAE,EAAE,mBAAmB;QACvB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,gFAAgF;QAClF,IAAI,EAAE,MAAM;QACZ,SAAS,EAAE,MAAM;QACjB,SAAS,EAAE,IAAI;QACf,KAAK,EAAE;YACL,UAAU;YACV,wCAAwC;YACxC,0CAA0C;YAC1C,4DAA4D;YAC5D,IAAI;SACL,CAAC,IAAI,CAAC,IAAI,CAAC;QACZ,MAAM,EAAE,CAAC,mBAAmB,CAAC;QAC7B,QAAQ,EAAE,UAAU;KACrB;IACD,oBAAoB,EAAE;QACpB,EAAE,EAAE,oBAAoB;QACxB,KAAK,EAAE,8BAA8B;QACrC,WAAW,EACT,8EAA8E;QAChF,IAAI,EAAE,KAAK;QACX,SAAS,EAAE,QAAQ;QACnB,SAAS,EAAE,IAAI;QACf,KAAK,EAAE;YACL,UAAU;YACV,wCAAwC;YACxC,2CAA2C;YAC3C,sDAAsD;YACtD,IAAI;SACL,CAAC,IAAI,CAAC,IAAI,CAAC;QACZ,MAAM,EAAE,CAAC,oBAAoB,CAAC;QAC9B,QAAQ,EAAE,UAAU;KACrB;IACD,cAAc,EAAE;QACd,EAAE,EAAE,cAAc;QAClB,KAAK,EAAE,uBAAuB;QAC9B,WAAW,EACT,sJAAsJ;QACxJ,IAAI,EAAE,SAAS;QACf,SAAS,EAAE,MAAM;QACjB,SAAS,EAAE,KAAK;QAChB,KAAK,EAAE;YACL,UAAU;YACV,wCAAwC;YACxC,0CAA0C;YAC1C,oDAAoD;YACpD,IAAI;SACL,CAAC,IAAI,CAAC,IAAI,CAAC;QACZ,MAAM,EAAE,CAAC,mBAAmB,CAAC;QAC7B,QAAQ,EAAE,UAAU;KACrB;CACF,CAAC;AAEF;;;;;GAKG;AACH,MAAM,UAAU,4BAA4B,CAC1C,MAAgB,EAChB,YAA0B,EAAE;IAE5B,MAAM,gBAAgB,GAAG,IAAI,GAAG,EAAsB,CAAC;IACvD,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;QACjC,gBAAgB,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC;QAC5C,KAAK,MAAM,KAAK,IAAI,QAAQ,CAAC,MAAM,EAAE,CAAC;YACpC,gBAAgB,CAAC,GAAG,CAAC,SAAS,KAAK,EAAE,EAAE,QAAQ,CAAC,CAAC;QACnD,CAAC;IACH,CAAC;IAED,MAAM,OAAO,GAAG,IAAI,GAAG,EAAsB,CAAC;IAC9C,MAAM,eAAe,GAAa,EAAE,CAAC;IAErC,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,MAAM,aAAa,GAAG,gBAAgB,CAAC,GAAG,CAAC,SAAS,KAAK,EAAE,CAAC,CAAC;QAC7D,IAAI,aAAa,EAAE,CAAC;YAClB,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,EAAE,EAAE,aAAa,CAAC,CAAC;YAC7C,SAAS;QACX,CAAC;QAED,MAAM,YAAY,GAAG,MAAM,CAAC,MAAM,CAAC,oBAAoB,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAClE,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CACzB,CAAC;QACF,IAAI,YAAY,EAAE,CAAC;YACjB,MAAM,QAAQ,GAAG,gBAAgB,CAAC,GAAG,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC;YACvD,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,EAAE,EAAE,QAAQ,IAAI,YAAY,CAAC,CAAC;YACvD,SAAS;QACX,CAAC;QAED,eAAe,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC9B,CAAC;IAED,MAAM,QAAQ,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IAE9C,KAAK,MAAM,KAAK,IAAI,eAAe,EAAE,CAAC;QACpC,QAAQ,CAAC,IAAI,CAAC,sBAAsB,CAAC,KAAK,CAAC,CAAC,CAAC;IAC/C,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;;GAGG;AACH,SAAS,sBAAsB,CAAC,KAAa;IAC3C,MAAM,KAAK,GAAG,KAAK;SAChB,OAAO,CAAC,SAAS,EAAE,GAAG,CAAC;SACvB,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;IAC5C,OAAO;QACL,EAAE,EAAE,WAAW,KAAK,CAAC,OAAO,CAAC,aAAa,EAAE,GAAG,CAAC,CAAC,WAAW,EAAE,EAAE;QAChE,KAAK;QACL,WAAW,EAAE,8BAA8B,KAAK,SAAS;QACzD,IAAI,EAAE,SAAS;QACf,SAAS,EAAE,QAAQ;QACnB,SAAS,EAAE,KAAK;QAChB,KAAK,EAAE;YACL,UAAU;YACV,wCAAwC;YACxC,wBAAwB,KAAK,IAAI;YACjC,6CAA6C;YAC7C,IAAI;SACL,CAAC,IAAI,CAAC,IAAI,CAAC;QACZ,MAAM,EAAE,CAAC,KAAK,CAAC;KAChB,CAAC;AACJ,CAAC"}

package/dist/cedar/compile.d.ts

@@ -0,0 +1,30 @@
+/**
+ * Cedar Policy Compilation
+ *
+ * Pure-string composition of Cedar policy fragments. We compile the granted
+ * `Capability[]` into one Cedar policy (a) attached as `cedarPolicy` claim on
+ * the delegation VC, (b) shown in the success-screen "View policy" disclosure.
+ *
+ * No `@cedar-policy/cedar-wasm` dependency — this module only emits Cedar
+ * source text. Runtime evaluation, if ever added, lives elsewhere.
+ *
+ * @module @kya-os/consent/cedar/compile
+ */
+import type { Capability, CedarTemplateContext } from "../types/capabilities.types.js";
+/**
+ * Compile a single capability's Cedar fragment by binding placeholders to the
+ * given template context. Used by the per-row "View policy" disclosure so the
+ * end user sees the same exact Cedar source that lands on the VC.
+ *
+ * Throws when the fragment references an unknown placeholder or when the
+ * compiled output is empty.
+ */
+export declare function compileSingleCapability(capability: Capability, context: CedarTemplateContext): string;
+/**
+ * Compile the granted capability set into one Cedar policy ready to attach to
+ * a delegation VC. Each capability's fragment is bound and concatenated with
+ * a comment header that records the capability id and label, so reviewers can
+ * map a `permit (...)` block back to the row the user clicked.
+ */
+export declare function compileCapabilitiesToCedar(grants: Capability[], context: CedarTemplateContext): string;
+//# sourceMappingURL=compile.d.ts.map

package/dist/cedar/compile.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"compile.d.ts","sourceRoot":"","sources":["../../src/cedar/compile.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EACV,UAAU,EACV,oBAAoB,EACrB,MAAM,gCAAgC,CAAC;AAIxC;;;;;;;GAOG;AACH,wBAAgB,uBAAuB,CACrC,UAAU,EAAE,UAAU,EACtB,OAAO,EAAE,oBAAoB,GAC5B,MAAM,CAkBR;AAED;;;;;GAKG;AACH,wBAAgB,0BAA0B,CACxC,MAAM,EAAE,UAAU,EAAE,EACpB,OAAO,EAAE,oBAAoB,GAC5B,MAAM,CAeR"}

package/dist/cedar/compile.js

@@ -0,0 +1,55 @@
+/**
+ * Cedar Policy Compilation
+ *
+ * Pure-string composition of Cedar policy fragments. We compile the granted
+ * `Capability[]` into one Cedar policy (a) attached as `cedarPolicy` claim on
+ * the delegation VC, (b) shown in the success-screen "View policy" disclosure.
+ *
+ * No `@cedar-policy/cedar-wasm` dependency — this module only emits Cedar
+ * source text. Runtime evaluation, if ever added, lives elsewhere.
+ *
+ * @module @kya-os/consent/cedar/compile
+ */
+const PLACEHOLDER_PATTERN = /\{\{\s*(agent_did|user_did|org|deployment)\s*\}\}/g;
+/**
+ * Compile a single capability's Cedar fragment by binding placeholders to the
+ * given template context. Used by the per-row "View policy" disclosure so the
+ * end user sees the same exact Cedar source that lands on the VC.
+ *
+ * Throws when the fragment references an unknown placeholder or when the
+ * compiled output is empty.
+ */
+export function compileSingleCapability(capability, context) {
+    const compiled = capability.cedar.replace(PLACEHOLDER_PATTERN, (_, key) => {
+        const value = context[key];
+        if (typeof value !== "string" || value.length === 0) {
+            throw new Error(`Cedar template context missing required value for placeholder \`${key}\``);
+        }
+        return value;
+    });
+    if (compiled.trim().length === 0) {
+        throw new Error(`Cedar fragment for capability \`${capability.id}\` is empty after compilation`);
+    }
+    return compiled;
+}
+/**
+ * Compile the granted capability set into one Cedar policy ready to attach to
+ * a delegation VC. Each capability's fragment is bound and concatenated with
+ * a comment header that records the capability id and label, so reviewers can
+ * map a `permit (...)` block back to the row the user clicked.
+ */
+export function compileCapabilitiesToCedar(grants, context) {
+    if (grants.length === 0) {
+        return "";
+    }
+    const blocks = grants.map((grant) => {
+        const compiled = compileSingleCapability(grant, context);
+        return [
+            `// capability: ${grant.id} — ${grant.label}`,
+            `// risk: ${grant.riskLevel}; default-on: ${String(grant.defaultOn)}`,
+            compiled.trim(),
+        ].join("\n");
+    });
+    return blocks.join("\n\n");
+}
+//# sourceMappingURL=compile.js.map

package/dist/cedar/compile.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"compile.js","sourceRoot":"","sources":["../../src/cedar/compile.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAOH,MAAM,mBAAmB,GAAG,oDAAoD,CAAC;AAEjF;;;;;;;GAOG;AACH,MAAM,UAAU,uBAAuB,CACrC,UAAsB,EACtB,OAA6B;IAE7B,MAAM,QAAQ,GAAG,UAAU,CAAC,KAAK,CAAC,OAAO,CAAC,mBAAmB,EAAE,CAAC,CAAC,EAAE,GAAW,EAAE,EAAE;QAChF,MAAM,KAAK,GAAG,OAAO,CAAC,GAAiC,CAAC,CAAC;QACzD,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACpD,MAAM,IAAI,KAAK,CACb,mEAAmE,GAAG,IAAI,CAC3E,CAAC;QACJ,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC,CAAC;IAEH,IAAI,QAAQ,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACjC,MAAM,IAAI,KAAK,CACb,mCAAmC,UAAU,CAAC,EAAE,+BAA+B,CAChF,CAAC;IACJ,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,0BAA0B,CACxC,MAAoB,EACpB,OAA6B;IAE7B,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACxB,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE;QAClC,MAAM,QAAQ,GAAG,uBAAuB,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;QACzD,OAAO;YACL,kBAAkB,KAAK,CAAC,EAAE,MAAM,KAAK,CAAC,KAAK,EAAE;YAC7C,YAAY,KAAK,CAAC,SAAS,iBAAiB,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,EAAE;YACrE,QAAQ,CAAC,IAAI,EAAE;SAChB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACf,CAAC,CAAC,CAAC;IAEH,OAAO,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;AAC7B,CAAC"}

package/dist/cedar/explain.d.ts

@@ -0,0 +1,22 @@
+/**
+ * Cedar Policy Plain-Language Gloss
+ *
+ * Extracts a human-readable summary from a Cedar fragment so the per-row
+ * "View policy" disclosure can display both the raw Cedar and a sentence the
+ * end user can parse without knowing Cedar.
+ *
+ * The implementation is intentionally regex-based and tolerant. We never
+ * promise to gloss every Cedar feature — we promise the gloss is *useful*
+ * for the fragments we ship and authors typically write, and that the
+ * function never throws on novel input (it returns best-effort fields).
+ *
+ * @module @kya-os/consent/cedar/explain
+ */
+import type { CedarExplanation } from "../types/capabilities.types.js";
+/**
+ * Extract actions, resource expression, and condition clauses from a Cedar
+ * fragment. Returns best-effort fields; missing elements come back empty
+ * rather than throwing.
+ */
+export declare function explainCedarFragment(cedar: string): CedarExplanation;
+//# sourceMappingURL=explain.d.ts.map

package/dist/cedar/explain.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"explain.d.ts","sourceRoot":"","sources":["../../src/cedar/explain.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,gCAAgC,CAAC;AASvE;;;;GAIG;AACH,wBAAgB,oBAAoB,CAAC,KAAK,EAAE,MAAM,GAAG,gBAAgB,CAMpE"}

package/dist/cedar/explain.js

@@ -0,0 +1,72 @@
+/**
+ * Cedar Policy Plain-Language Gloss
+ *
+ * Extracts a human-readable summary from a Cedar fragment so the per-row
+ * "View policy" disclosure can display both the raw Cedar and a sentence the
+ * end user can parse without knowing Cedar.
+ *
+ * The implementation is intentionally regex-based and tolerant. We never
+ * promise to gloss every Cedar feature — we promise the gloss is *useful*
+ * for the fragments we ship and authors typically write, and that the
+ * function never throws on novel input (it returns best-effort fields).
+ *
+ * @module @kya-os/consent/cedar/explain
+ */
+const ACTION_SINGLE = /action\s*==\s*Action::"([^"]+)"/g;
+const ACTION_LIST = /action\s+in\s*\[([^\]]+)\]/g;
+const ACTION_STRING_IN_LIST = /Action::"([^"]+)"/g;
+const RESOURCE_IN = /resource\s+in\s+([^,)\n]+)/i;
+const RESOURCE_EQ = /resource\s*==\s*([^,)\n]+)/i;
+const CONDITION_BLOCK = /(when|unless)\s*\{([^}]+)\}/g;
+/**
+ * Extract actions, resource expression, and condition clauses from a Cedar
+ * fragment. Returns best-effort fields; missing elements come back empty
+ * rather than throwing.
+ */
+export function explainCedarFragment(cedar) {
+    return {
+        actions: extractActions(cedar),
+        resource: extractResource(cedar),
+        conditions: extractConditions(cedar),
+    };
+}
+function extractActions(cedar) {
+    const actions = new Set();
+    for (const match of cedar.matchAll(ACTION_SINGLE)) {
+        if (match[1])
+            actions.add(match[1]);
+    }
+    for (const listMatch of cedar.matchAll(ACTION_LIST)) {
+        const inner = listMatch[1];
+        if (!inner)
+            continue;
+        for (const stringMatch of inner.matchAll(ACTION_STRING_IN_LIST)) {
+            if (stringMatch[1])
+                actions.add(stringMatch[1]);
+        }
+    }
+    return Array.from(actions);
+}
+function extractResource(cedar) {
+    const inMatch = RESOURCE_IN.exec(cedar);
+    if (inMatch && inMatch[1]) {
+        return inMatch[1].trim();
+    }
+    const eqMatch = RESOURCE_EQ.exec(cedar);
+    if (eqMatch && eqMatch[1]) {
+        return eqMatch[1].trim();
+    }
+    return "";
+}
+function extractConditions(cedar) {
+    const conditions = [];
+    for (const match of cedar.matchAll(CONDITION_BLOCK)) {
+        const keyword = match[1];
+        const body = match[2];
+        if (!keyword || !body)
+            continue;
+        conditions.push(`${keyword} ${body.trim().replace(/\s+/g, " ")}`);
+    }
+    return conditions;
+}
+//# sourceMappingURL=explain.js.map

package/dist/cedar/explain.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"explain.js","sourceRoot":"","sources":["../../src/cedar/explain.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAIH,MAAM,aAAa,GAAG,kCAAkC,CAAC;AACzD,MAAM,WAAW,GAAG,6BAA6B,CAAC;AAClD,MAAM,qBAAqB,GAAG,oBAAoB,CAAC;AACnD,MAAM,WAAW,GAAG,6BAA6B,CAAC;AAClD,MAAM,WAAW,GAAG,6BAA6B,CAAC;AAClD,MAAM,eAAe,GAAG,8BAA8B,CAAC;AAEvD;;;;GAIG;AACH,MAAM,UAAU,oBAAoB,CAAC,KAAa;IAChD,OAAO;QACL,OAAO,EAAE,cAAc,CAAC,KAAK,CAAC;QAC9B,QAAQ,EAAE,eAAe,CAAC,KAAK,CAAC;QAChC,UAAU,EAAE,iBAAiB,CAAC,KAAK,CAAC;KACrC,CAAC;AACJ,CAAC;AAED,SAAS,cAAc,CAAC,KAAa;IACnC,MAAM,OAAO,GAAG,IAAI,GAAG,EAAU,CAAC;IAElC,KAAK,MAAM,KAAK,IAAI,KAAK,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;QAClD,IAAI,KAAK,CAAC,CAAC,CAAC;YAAE,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IACtC,CAAC;IAED,KAAK,MAAM,SAAS,IAAI,KAAK,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;QACpD,MAAM,KAAK,GAAG,SAAS,CAAC,CAAC,CAAC,CAAC;QAC3B,IAAI,CAAC,KAAK;YAAE,SAAS;QACrB,KAAK,MAAM,WAAW,IAAI,KAAK,CAAC,QAAQ,CAAC,qBAAqB,CAAC,EAAE,CAAC;YAChE,IAAI,WAAW,CAAC,CAAC,CAAC;gBAAE,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,CAAC;QAClD,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;AAC7B,CAAC;AAED,SAAS,eAAe,CAAC,KAAa;IACpC,MAAM,OAAO,GAAG,WAAW,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACxC,IAAI,OAAO,IAAI,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC;QAC1B,OAAO,OAAO,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IAC3B,CAAC;IAED,MAAM,OAAO,GAAG,WAAW,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACxC,IAAI,OAAO,IAAI,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC;QAC1B,OAAO,OAAO,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IAC3B,CAAC;IAED,OAAO,EAAE,CAAC;AACZ,CAAC;AAED,SAAS,iBAAiB,CAAC,KAAa;IACtC,MAAM,UAAU,GAAa,EAAE,CAAC;IAChC,KAAK,MAAM,KAAK,IAAI,KAAK,CAAC,QAAQ,CAAC,eAAe,CAAC,EAAE,CAAC;QACpD,MAAM,OAAO,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACzB,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACtB,IAAI,CAAC,OAAO,IAAI,CAAC,IAAI;YAAE,SAAS;QAChC,UAAU,CAAC,IAAI,CAAC,GAAG,OAAO,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC;IACpE,CAAC;IACD,OAAO,UAAU,CAAC;AACpB,CAAC"}

package/dist/cedar/index.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Cedar policy compilation + plain-language gloss exports.
+ *
+ * @module @kya-os/consent/cedar
+ */
+export { compileSingleCapability, compileCapabilitiesToCedar, } from "./compile.js";
+export { explainCedarFragment } from "./explain.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/cedar/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/cedar/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EACL,uBAAuB,EACvB,0BAA0B,GAC3B,MAAM,cAAc,CAAC;AACtB,OAAO,EAAE,oBAAoB,EAAE,MAAM,cAAc,CAAC"}

package/dist/cedar/index.js

@@ -0,0 +1,8 @@
+/**
+ * Cedar policy compilation + plain-language gloss exports.
+ *
+ * @module @kya-os/consent/cedar
+ */
+export { compileSingleCapability, compileCapabilitiesToCedar, } from "./compile.js";
+export { explainCedarFragment } from "./explain.js";
+//# sourceMappingURL=index.js.map

package/dist/cedar/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/cedar/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EACL,uBAAuB,EACvB,0BAA0B,GAC3B,MAAM,cAAc,CAAC;AACtB,OAAO,EAAE,oBAAoB,EAAE,MAAM,cAAc,CAAC"}