@lucid-fdn/plugin-policy 0.1.0

package/dist/__tests__/audit.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=audit.test.d.ts.map

package/dist/__tests__/audit.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/audit.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/audit.test.js

@@ -0,0 +1,54 @@
+import { describe, it, expect, vi } from 'vitest';
+import { AuditEmitter } from '../audit.js';
+const event = {
+    timestamp: new Date().toISOString(),
+    pluginSlug: 'lucid-seo',
+    toolName: 'research_keywords',
+    executionPath: 'embedded',
+    durationMs: 5,
+    success: true,
+};
+describe('AuditEmitter', () => {
+    it('emits events to registered handlers', () => {
+        const emitter = new AuditEmitter();
+        const handler = vi.fn();
+        emitter.on(handler);
+        emitter.emit(event);
+        expect(handler).toHaveBeenCalledWith(event);
+    });
+    it('supports multiple handlers', () => {
+        const emitter = new AuditEmitter();
+        const h1 = vi.fn();
+        const h2 = vi.fn();
+        emitter.on(h1);
+        emitter.on(h2);
+        emitter.emit(event);
+        expect(h1).toHaveBeenCalledOnce();
+        expect(h2).toHaveBeenCalledOnce();
+    });
+    it('supports unsubscribe', () => {
+        const emitter = new AuditEmitter();
+        const handler = vi.fn();
+        const unsub = emitter.on(handler);
+        unsub();
+        emitter.emit(event);
+        expect(handler).not.toHaveBeenCalled();
+    });
+    it('does not throw when handler throws (fire-and-forget)', () => {
+        const emitter = new AuditEmitter();
+        emitter.on(() => { throw new Error('boom'); });
+        const good = vi.fn();
+        emitter.on(good);
+        expect(() => emitter.emit(event)).not.toThrow();
+        expect(good).toHaveBeenCalled();
+    });
+    it('clears all handlers', () => {
+        const emitter = new AuditEmitter();
+        emitter.on(vi.fn());
+        emitter.on(vi.fn());
+        expect(emitter.handlerCount).toBe(2);
+        emitter.clear();
+        expect(emitter.handlerCount).toBe(0);
+    });
+});
+//# sourceMappingURL=audit.test.js.map

package/dist/__tests__/audit.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit.test.js","sourceRoot":"","sources":["../../src/__tests__/audit.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAA;AACjD,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAA;AAG1C,MAAM,KAAK,GAAe;IACxB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;IACnC,UAAU,EAAE,WAAW;IACvB,QAAQ,EAAE,mBAAmB;IAC7B,aAAa,EAAE,UAAU;IACzB,UAAU,EAAE,CAAC;IACb,OAAO,EAAE,IAAI;CACd,CAAA;AAED,QAAQ,CAAC,cAAc,EAAE,GAAG,EAAE;IAC5B,EAAE,CAAC,qCAAqC,EAAE,GAAG,EAAE;QAC7C,MAAM,OAAO,GAAG,IAAI,YAAY,EAAE,CAAA;QAClC,MAAM,OAAO,GAAG,EAAE,CAAC,EAAE,EAAE,CAAA;QACvB,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,CAAA;QACnB,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;QACnB,MAAM,CAAC,OAAO,CAAC,CAAC,oBAAoB,CAAC,KAAK,CAAC,CAAA;IAC7C,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,4BAA4B,EAAE,GAAG,EAAE;QACpC,MAAM,OAAO,GAAG,IAAI,YAAY,EAAE,CAAA;QAClC,MAAM,EAAE,GAAG,EAAE,CAAC,EAAE,EAAE,CAAA;QAClB,MAAM,EAAE,GAAG,EAAE,CAAC,EAAE,EAAE,CAAA;QAClB,OAAO,CAAC,EAAE,CAAC,EAAE,CAAC,CAAA;QACd,OAAO,CAAC,EAAE,CAAC,EAAE,CAAC,CAAA;QACd,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;QACnB,MAAM,CAAC,EAAE,CAAC,CAAC,oBAAoB,EAAE,CAAA;QACjC,MAAM,CAAC,EAAE,CAAC,CAAC,oBAAoB,EAAE,CAAA;IACnC,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,sBAAsB,EAAE,GAAG,EAAE;QAC9B,MAAM,OAAO,GAAG,IAAI,YAAY,EAAE,CAAA;QAClC,MAAM,OAAO,GAAG,EAAE,CAAC,EAAE,EAAE,CAAA;QACvB,MAAM,KAAK,GAAG,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,CAAA;QACjC,KAAK,EAAE,CAAA;QACP,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;QACnB,MAAM,CAAC,OAAO,CAAC,CAAC,GAAG,CAAC,gBAAgB,EAAE,CAAA;IACxC,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,sDAAsD,EAAE,GAAG,EAAE;QAC9D,MAAM,OAAO,GAAG,IAAI,YAAY,EAAE,CAAA;QAClC,OAAO,CAAC,EAAE,CAAC,GAAG,EAAE,GAAG,MAAM,IAAI,KAAK,CAAC,MAAM,CAAC,CAAA,CAAC,CAAC,CAAC,CAAA;QAC7C,MAAM,IAAI,GAAG,EAAE,CAAC,EAAE,EAAE,CAAA;QACpB,OAAO,CAAC,EAAE,CAAC,IAAI,CAAC,CAAA;QAEhB,MAAM,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,EAAE,CAAA;QAC/C,MAAM,CAAC,IAAI,CAAC,CAAC,gBAAgB,EAAE,CAAA;IACjC,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,qBAAqB,EAAE,GAAG,EAAE;QAC7B,MAAM,OAAO,GAAG,IAAI,YAAY,EAAE,CAAA;QAClC,OAAO,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAA;QACnB,OAAO,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAA;QACnB,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QACpC,OAAO,CAAC,KAAK,EAAE,CAAA;QACf,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;IACtC,CAAC,CAAC,CAAA;AACJ,CAAC,CAAC,CAAA"}

package/dist/__tests__/manifest.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=manifest.test.d.ts.map

package/dist/__tests__/manifest.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"manifest.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/manifest.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/manifest.test.js

@@ -0,0 +1,83 @@
+import { describe, it, expect } from 'vitest';
+import { normalizePluginRow } from '../manifest.js';
+describe('normalizePluginRow', () => {
+    it('transforms snake_case DB row to camelCase ActivatedPlugin', () => {
+        const row = {
+            plugin_slug: 'lucid-seo',
+            plugin_name: 'Lucid SEO',
+            tool_manifest: [{ name: 'research', description: 'Research', parameters: {} }],
+            enabled_tools: null,
+            plugin_config: { depth: 3 },
+            org_config: { orgKey: 'val' },
+            source: 'first-party',
+            mcpgate_server_id: null,
+            kind: 'plugin',
+            transport: 'embedded',
+            trust_level: 'internal',
+            execution_mode: 'in_process',
+            auth_type: 'none',
+            auth_provider: null,
+        };
+        const result = normalizePluginRow(row);
+        expect(result.slug).toBe('lucid-seo');
+        expect(result.name).toBe('Lucid SEO');
+        expect(result.tools).toHaveLength(1);
+        expect(result.config).toEqual({ orgKey: 'val', depth: 3 });
+        expect(result.kind).toBe('plugin');
+        expect(result.transport).toBe('embedded');
+        expect(result.trustLevel).toBe('internal');
+        expect(result.executionMode).toBe('in_process');
+        expect(result.authType).toBe('none');
+    });
+    it('filters tools by enabled_tools', () => {
+        const row = {
+            plugin_slug: 'lucid-seo',
+            plugin_name: 'SEO',
+            tool_manifest: [
+                { name: 'research', description: 'A', parameters: {} },
+                { name: 'analyze', description: 'B', parameters: {} },
+            ],
+            enabled_tools: ['research'],
+            plugin_config: {},
+            org_config: {},
+            source: 'first-party',
+        };
+        const result = normalizePluginRow(row);
+        expect(result.tools).toHaveLength(1);
+        expect(result.tools[0].name).toBe('research');
+    });
+    it('handles missing unified fields (old format)', () => {
+        const row = {
+            plugin_slug: 'old-plugin',
+            plugin_name: 'Old Plugin',
+            manifest_snapshot: [{ name: 'tool1', description: 'T', parameters: {} }],
+            enabled_tools: null,
+            config: { key: 'val' },
+            source: 'mcpgate',
+            mcpgate_server_id: 'server-1',
+        };
+        const result = normalizePluginRow(row);
+        expect(result.slug).toBe('old-plugin');
+        expect(result.tools).toHaveLength(1);
+        expect(result.mcpgateServerId).toBe('server-1');
+        // Missing UCA fields get safe defaults (least-privileged posture)
+        expect(result.kind).toBe('plugin');
+        expect(result.transport).toBe('remote-mcp');
+        expect(result.trustLevel).toBe('community');
+        expect(result.executionMode).toBe('gateway');
+    });
+    it('merges org config and plugin config (plugin wins)', () => {
+        const row = {
+            plugin_slug: 'test',
+            plugin_name: 'Test',
+            tool_manifest: [],
+            enabled_tools: null,
+            org_config: { shared: 'org', orgOnly: 'yes' },
+            plugin_config: { shared: 'plugin', pluginOnly: 'yes' },
+            source: 'first-party',
+        };
+        const result = normalizePluginRow(row);
+        expect(result.config).toEqual({ shared: 'plugin', orgOnly: 'yes', pluginOnly: 'yes' });
+    });
+});
+//# sourceMappingURL=manifest.test.js.map

package/dist/__tests__/manifest.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"manifest.test.js","sourceRoot":"","sources":["../../src/__tests__/manifest.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAA;AAC7C,OAAO,EAAE,kBAAkB,EAAE,MAAM,gBAAgB,CAAA;AAEnD,QAAQ,CAAC,oBAAoB,EAAE,GAAG,EAAE;IAClC,EAAE,CAAC,2DAA2D,EAAE,GAAG,EAAE;QACnE,MAAM,GAAG,GAAG;YACV,WAAW,EAAE,WAAW;YACxB,WAAW,EAAE,WAAW;YACxB,aAAa,EAAE,CAAC,EAAE,IAAI,EAAE,UAAU,EAAE,WAAW,EAAE,UAAU,EAAE,UAAU,EAAE,EAAE,EAAE,CAAC;YAC9E,aAAa,EAAE,IAAI;YACnB,aAAa,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE;YAC3B,UAAU,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE;YAC7B,MAAM,EAAE,aAAa;YACrB,iBAAiB,EAAE,IAAI;YACvB,IAAI,EAAE,QAAQ;YACd,SAAS,EAAE,UAAU;YACrB,WAAW,EAAE,UAAU;YACvB,cAAc,EAAE,YAAY;YAC5B,SAAS,EAAE,MAAM;YACjB,aAAa,EAAE,IAAI;SACpB,CAAA;QAED,MAAM,MAAM,GAAG,kBAAkB,CAAC,GAAG,CAAC,CAAA;QACtC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAA;QACrC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAA;QACrC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAA;QACpC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC,CAAA;QAC1D,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;QAClC,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAA;QACzC,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAA;QAC1C,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAA;QAC/C,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAA;IACtC,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,gCAAgC,EAAE,GAAG,EAAE;QACxC,MAAM,GAAG,GAAG;YACV,WAAW,EAAE,WAAW;YACxB,WAAW,EAAE,KAAK;YAClB,aAAa,EAAE;gBACb,EAAE,IAAI,EAAE,UAAU,EAAE,WAAW,EAAE,GAAG,EAAE,UAAU,EAAE,EAAE,EAAE;gBACtD,EAAE,IAAI,EAAE,SAAS,EAAE,WAAW,EAAE,GAAG,EAAE,UAAU,EAAE,EAAE,EAAE;aACtD;YACD,aAAa,EAAE,CAAC,UAAU,CAAC;YAC3B,aAAa,EAAE,EAAE;YACjB,UAAU,EAAE,EAAE;YACd,MAAM,EAAE,aAAa;SACtB,CAAA;QAED,MAAM,MAAM,GAAG,kBAAkB,CAAC,GAAG,CAAC,CAAA;QACtC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAA;QACpC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAA;IAC/C,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,6CAA6C,EAAE,GAAG,EAAE;QACrD,MAAM,GAAG,GAAG;YACV,WAAW,EAAE,YAAY;YACzB,WAAW,EAAE,YAAY;YACzB,iBAAiB,EAAE,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,WAAW,EAAE,GAAG,EAAE,UAAU,EAAE,EAAE,EAAE,CAAC;YACxE,aAAa,EAAE,IAAI;YACnB,MAAM,EAAE,EAAE,GAAG,EAAE,KAAK,EAAE;YACtB,MAAM,EAAE,SAAS;YACjB,iBAAiB,EAAE,UAAU;SAC9B,CAAA;QAED,MAAM,MAAM,GAAG,kBAAkB,CAAC,GAAG,CAAC,CAAA;QACtC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAA;QACtC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAA;QACpC,MAAM,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAA;QAC/C,kEAAkE;QAClE,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;QAClC,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAA;QAC3C,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAA;QAC3C,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;IAC9C,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,mDAAmD,EAAE,GAAG,EAAE;QAC3D,MAAM,GAAG,GAAG;YACV,WAAW,EAAE,MAAM;YACnB,WAAW,EAAE,MAAM;YACnB,aAAa,EAAE,EAAE;YACjB,aAAa,EAAE,IAAI;YACnB,UAAU,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE;YAC7C,aAAa,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE;YACtD,MAAM,EAAE,aAAa;SACtB,CAAA;QAED,MAAM,MAAM,GAAG,kBAAkB,CAAC,GAAG,CAAC,CAAA;QACtC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,EAAE,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,KAAK,EAAE,CAAC,CAAA;IACxF,CAAC,CAAC,CAAA;AACJ,CAAC,CAAC,CAAA"}

package/dist/__tests__/policy.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=policy.test.d.ts.map

package/dist/__tests__/policy.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/policy.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/policy.test.js

@@ -0,0 +1,71 @@
+import { describe, it, expect } from 'vitest';
+import { resolvePolicy } from '../policy.js';
+describe('resolvePolicy', () => {
+    it('blocks plugins on the admin blocklist', () => {
+        const result = resolvePolicy({ slug: 'bad-plugin', trustLevel: 'internal', executionMode: 'in_process' }, { blockedPlugins: ['bad-plugin'] });
+        expect(result.decision).toBe('block');
+        expect(result.reason).toContain('blocklist');
+    });
+    it('forces gateway when forceGateway is set', () => {
+        const result = resolvePolicy({ slug: 'lucid-seo', trustLevel: 'internal', executionMode: 'in_process' }, { forceGateway: true });
+        expect(result.decision).toBe('allow_gateway');
+        expect(result.effectiveMode).toBe('gateway');
+    });
+    it('allows internal plugins in-process', () => {
+        const result = resolvePolicy({
+            slug: 'lucid-seo',
+            trustLevel: 'internal',
+            executionMode: 'in_process',
+        });
+        expect(result.decision).toBe('allow_in_process');
+        expect(result.effectiveMode).toBe('in_process');
+    });
+    it('allows verified plugins in-process', () => {
+        const result = resolvePolicy({
+            slug: 'partner-plugin',
+            trustLevel: 'verified',
+            executionMode: 'in_process',
+        });
+        expect(result.decision).toBe('allow_in_process');
+        expect(result.effectiveMode).toBe('in_process');
+    });
+    it('forces community plugins to gateway even if in_process requested', () => {
+        const result = resolvePolicy({
+            slug: 'community-plugin',
+            trustLevel: 'community',
+            executionMode: 'in_process',
+        });
+        expect(result.decision).toBe('allow_gateway');
+        expect(result.effectiveMode).toBe('gateway');
+        expect(result.reason).toContain('gateway-only');
+    });
+    it('allows community plugins in gateway mode', () => {
+        const result = resolvePolicy({
+            slug: 'community-plugin',
+            trustLevel: 'community',
+            executionMode: 'gateway',
+        });
+        expect(result.decision).toBe('allow_gateway');
+        expect(result.effectiveMode).toBe('gateway');
+    });
+    it('allows internal plugins in gateway mode when requested', () => {
+        const result = resolvePolicy({
+            slug: 'lucid-seo',
+            trustLevel: 'internal',
+            executionMode: 'gateway',
+        });
+        expect(result.decision).toBe('allow_gateway');
+        expect(result.effectiveMode).toBe('gateway');
+    });
+    it('defaults undefined trustLevel to community (safe default)', () => {
+        const result = resolvePolicy({
+            slug: 'old-plugin',
+            trustLevel: undefined,
+            executionMode: undefined,
+        });
+        expect(result.decision).toBe('allow_gateway');
+        expect(result.effectiveMode).toBe('gateway');
+        expect(result.reason).toContain('gateway-only');
+    });
+});
+//# sourceMappingURL=policy.test.js.map

package/dist/__tests__/policy.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy.test.js","sourceRoot":"","sources":["../../src/__tests__/policy.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAA;AAC7C,OAAO,EAAE,aAAa,EAAE,MAAM,cAAc,CAAA;AAE5C,QAAQ,CAAC,eAAe,EAAE,GAAG,EAAE;IAC7B,EAAE,CAAC,uCAAuC,EAAE,GAAG,EAAE;QAC/C,MAAM,MAAM,GAAG,aAAa,CAC1B,EAAE,IAAI,EAAE,YAAY,EAAE,UAAU,EAAE,UAAU,EAAE,aAAa,EAAE,YAAY,EAAE,EAC3E,EAAE,cAAc,EAAE,CAAC,YAAY,CAAC,EAAE,CACnC,CAAA;QACD,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;QACrC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,WAAW,CAAC,CAAA;IAC9C,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,yCAAyC,EAAE,GAAG,EAAE;QACjD,MAAM,MAAM,GAAG,aAAa,CAC1B,EAAE,IAAI,EAAE,WAAW,EAAE,UAAU,EAAE,UAAU,EAAE,aAAa,EAAE,YAAY,EAAE,EAC1E,EAAE,YAAY,EAAE,IAAI,EAAE,CACvB,CAAA;QACD,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,CAAA;QAC7C,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;IAC9C,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,oCAAoC,EAAE,GAAG,EAAE;QAC5C,MAAM,MAAM,GAAG,aAAa,CAAC;YAC3B,IAAI,EAAE,WAAW;YACjB,UAAU,EAAE,UAAU;YACtB,aAAa,EAAE,YAAY;SAC5B,CAAC,CAAA;QACF,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAA;QAChD,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAA;IACjD,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,oCAAoC,EAAE,GAAG,EAAE;QAC5C,MAAM,MAAM,GAAG,aAAa,CAAC;YAC3B,IAAI,EAAE,gBAAgB;YACtB,UAAU,EAAE,UAAU;YACtB,aAAa,EAAE,YAAY;SAC5B,CAAC,CAAA;QACF,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAA;QAChD,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAA;IACjD,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,kEAAkE,EAAE,GAAG,EAAE;QAC1E,MAAM,MAAM,GAAG,aAAa,CAAC;YAC3B,IAAI,EAAE,kBAAkB;YACxB,UAAU,EAAE,WAAW;YACvB,aAAa,EAAE,YAAY;SAC5B,CAAC,CAAA;QACF,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,CAAA;QAC7C,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;QAC5C,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,cAAc,CAAC,CAAA;IACjD,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,0CAA0C,EAAE,GAAG,EAAE;QAClD,MAAM,MAAM,GAAG,aAAa,CAAC;YAC3B,IAAI,EAAE,kBAAkB;YACxB,UAAU,EAAE,WAAW;YACvB,aAAa,EAAE,SAAS;SACzB,CAAC,CAAA;QACF,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,CAAA;QAC7C,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;IAC9C,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,wDAAwD,EAAE,GAAG,EAAE;QAChE,MAAM,MAAM,GAAG,aAAa,CAAC;YAC3B,IAAI,EAAE,WAAW;YACjB,UAAU,EAAE,UAAU;YACtB,aAAa,EAAE,SAAS;SACzB,CAAC,CAAA;QACF,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,CAAA;QAC7C,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;IAC9C,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,2DAA2D,EAAE,GAAG,EAAE;QACnE,MAAM,MAAM,GAAG,aAAa,CAAC;YAC3B,IAAI,EAAE,YAAY;YAClB,UAAU,EAAE,SAAmC;YAC/C,aAAa,EAAE,SAAiC;SACjD,CAAC,CAAA;QACF,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,CAAA;QAC7C,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;QAC5C,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,cAAc,CAAC,CAAA;IACjD,CAAC,CAAC,CAAA;AACJ,CAAC,CAAC,CAAA"}

package/dist/__tests__/registry.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=registry.test.d.ts.map

package/dist/__tests__/registry.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"registry.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/registry.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/registry.test.js

@@ -0,0 +1,65 @@
+import { describe, it, expect } from 'vitest';
+import { PluginRegistry } from '../registry.js';
+const seoPlugin = {
+    slug: 'lucid-seo',
+    name: 'Lucid SEO',
+    tools: [
+        { name: 'research_keywords', description: 'Research keywords', parameters: {} },
+        { name: 'analyze_serp', description: 'Analyze SERP', parameters: {} },
+    ],
+    config: {},
+    kind: 'plugin',
+    transport: 'embedded',
+    trustLevel: 'internal',
+    executionMode: 'in_process',
+    authType: 'none',
+    authProvider: null,
+};
+const slackPlugin = {
+    slug: 'slack',
+    name: 'Slack',
+    tools: [{ name: 'send_message', description: 'Send a Slack message', parameters: {} }],
+    config: {},
+    kind: 'integration',
+    transport: 'remote-mcp',
+    trustLevel: 'community',
+    executionMode: 'gateway',
+    authType: 'oauth2',
+    authProvider: 'slack',
+};
+describe('PluginRegistry', () => {
+    it('registers and retrieves plugins', () => {
+        const reg = new PluginRegistry([seoPlugin]);
+        expect(reg.get('lucid-seo')).toEqual(seoPlugin);
+        expect(reg.has('lucid-seo')).toBe(true);
+        expect(reg.has('missing')).toBe(false);
+    });
+    it('returns all plugins', () => {
+        const reg = new PluginRegistry([seoPlugin, slackPlugin]);
+        expect(reg.getAll()).toHaveLength(2);
+        expect(reg.size).toBe(2);
+    });
+    it('resolves wire tool names with double underscore', () => {
+        const reg = new PluginRegistry([seoPlugin]);
+        const resolved = reg.resolveWireToolName('lucid-seo__research_keywords');
+        expect(resolved?.plugin.slug).toBe('lucid-seo');
+        expect(resolved?.tool.name).toBe('research_keywords');
+    });
+    it('resolves wire tool names with underscore slug (sanitized)', () => {
+        const reg = new PluginRegistry([seoPlugin]);
+        // Wire names replace hyphens with underscores
+        const resolved = reg.resolveWireToolName('lucid_seo__research_keywords');
+        expect(resolved?.plugin.slug).toBe('lucid-seo');
+        expect(resolved?.tool.name).toBe('research_keywords');
+    });
+    it('returns null for unknown wire tool names', () => {
+        const reg = new PluginRegistry([seoPlugin]);
+        expect(reg.resolveWireToolName('unknown__tool')).toBeNull();
+        expect(reg.resolveWireToolName('no-separator')).toBeNull();
+    });
+    it('returns null for known plugin but unknown tool', () => {
+        const reg = new PluginRegistry([seoPlugin]);
+        expect(reg.resolveWireToolName('lucid-seo__nonexistent_tool')).toBeNull();
+    });
+});
+//# sourceMappingURL=registry.test.js.map

package/dist/__tests__/registry.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"registry.test.js","sourceRoot":"","sources":["../../src/__tests__/registry.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAA;AAC7C,OAAO,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAA;AAG/C,MAAM,SAAS,GAAoB;IACjC,IAAI,EAAE,WAAW;IACjB,IAAI,EAAE,WAAW;IACjB,KAAK,EAAE;QACL,EAAE,IAAI,EAAE,mBAAmB,EAAE,WAAW,EAAE,mBAAmB,EAAE,UAAU,EAAE,EAAE,EAAE;QAC/E,EAAE,IAAI,EAAE,cAAc,EAAE,WAAW,EAAE,cAAc,EAAE,UAAU,EAAE,EAAE,EAAE;KACtE;IACD,MAAM,EAAE,EAAE;IACV,IAAI,EAAE,QAAQ;IACd,SAAS,EAAE,UAAU;IACrB,UAAU,EAAE,UAAU;IACtB,aAAa,EAAE,YAAY;IAC3B,QAAQ,EAAE,MAAM;IAChB,YAAY,EAAE,IAAI;CACnB,CAAA;AAED,MAAM,WAAW,GAAoB;IACnC,IAAI,EAAE,OAAO;IACb,IAAI,EAAE,OAAO;IACb,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,cAAc,EAAE,WAAW,EAAE,sBAAsB,EAAE,UAAU,EAAE,EAAE,EAAE,CAAC;IACtF,MAAM,EAAE,EAAE;IACV,IAAI,EAAE,aAAa;IACnB,SAAS,EAAE,YAAY;IACvB,UAAU,EAAE,WAAW;IACvB,aAAa,EAAE,SAAS;IACxB,QAAQ,EAAE,QAAQ;IAClB,YAAY,EAAE,OAAO;CACtB,CAAA;AAED,QAAQ,CAAC,gBAAgB,EAAE,GAAG,EAAE;IAC9B,EAAE,CAAC,iCAAiC,EAAE,GAAG,EAAE;QACzC,MAAM,GAAG,GAAG,IAAI,cAAc,CAAC,CAAC,SAAS,CAAC,CAAC,CAAA;QAC3C,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC,CAAA;QAC/C,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QACvC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;IACxC,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,qBAAqB,EAAE,GAAG,EAAE;QAC7B,MAAM,GAAG,GAAG,IAAI,cAAc,CAAC,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC,CAAA;QACxD,MAAM,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAA;QACpC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;IAC1B,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,iDAAiD,EAAE,GAAG,EAAE;QACzD,MAAM,GAAG,GAAG,IAAI,cAAc,CAAC,CAAC,SAAS,CAAC,CAAC,CAAA;QAC3C,MAAM,QAAQ,GAAG,GAAG,CAAC,mBAAmB,CAAC,8BAA8B,CAAC,CAAA;QACxE,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAA;QAC/C,MAAM,CAAC,QAAQ,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAA;IACvD,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,2DAA2D,EAAE,GAAG,EAAE;QACnE,MAAM,GAAG,GAAG,IAAI,cAAc,CAAC,CAAC,SAAS,CAAC,CAAC,CAAA;QAC3C,8CAA8C;QAC9C,MAAM,QAAQ,GAAG,GAAG,CAAC,mBAAmB,CAAC,8BAA8B,CAAC,CAAA;QACxE,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAA;QAC/C,MAAM,CAAC,QAAQ,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAA;IACvD,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,0CAA0C,EAAE,GAAG,EAAE;QAClD,MAAM,GAAG,GAAG,IAAI,cAAc,CAAC,CAAC,SAAS,CAAC,CAAC,CAAA;QAC3C,MAAM,CAAC,GAAG,CAAC,mBAAmB,CAAC,eAAe,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAA;QAC3D,MAAM,CAAC,GAAG,CAAC,mBAAmB,CAAC,cAAc,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAA;IAC5D,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,gDAAgD,EAAE,GAAG,EAAE;QACxD,MAAM,GAAG,GAAG,IAAI,cAAc,CAAC,CAAC,SAAS,CAAC,CAAC,CAAA;QAC3C,MAAM,CAAC,GAAG,CAAC,mBAAmB,CAAC,6BAA6B,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAA;IAC3E,CAAC,CAAC,CAAA;AACJ,CAAC,CAAC,CAAA"}

package/dist/__tests__/router.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=router.test.d.ts.map

package/dist/__tests__/router.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"router.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/router.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/router.test.js

@@ -0,0 +1,80 @@
+import { describe, it, expect } from 'vitest';
+import { routePlugin } from '../router.js';
+function makePlugin(overrides = {}) {
+    return {
+        slug: 'test-plugin',
+        name: 'Test Plugin',
+        tools: [],
+        config: {},
+        kind: 'plugin',
+        transport: 'embedded',
+        trustLevel: 'internal',
+        executionMode: 'in_process',
+        authType: 'none',
+        authProvider: null,
+        ...overrides,
+    };
+}
+describe('routePlugin', () => {
+    it('routes embedded + internal to embedded path', () => {
+        const result = routePlugin(makePlugin({
+            transport: 'embedded',
+            trustLevel: 'internal',
+            executionMode: 'in_process',
+        }));
+        expect(result.path).toBe('embedded');
+    });
+    it('routes embedded + community to gateway-mcp (policy override)', () => {
+        const result = routePlugin(makePlugin({
+            transport: 'embedded',
+            trustLevel: 'community',
+            executionMode: 'in_process',
+        }));
+        expect(result.path).toBe('gateway-mcp');
+        expect(result.policy.reason).toContain('gateway-only');
+    });
+    it('routes remote-mcp to gateway-mcp', () => {
+        const result = routePlugin(makePlugin({
+            transport: 'remote-mcp',
+            trustLevel: 'verified',
+            executionMode: 'gateway',
+            mcpgateServerId: 'server-xyz',
+        }));
+        expect(result.path).toBe('gateway-mcp');
+        expect(result.target).toBe('server-xyz');
+    });
+    it('routes rest transport to gateway-rest with endpointUrl as target', () => {
+        const result = routePlugin(makePlugin({
+            transport: 'rest',
+            trustLevel: 'verified',
+            executionMode: 'gateway',
+            endpointUrl: 'https://api.weather.com/v1',
+        }));
+        expect(result.path).toBe('gateway-rest');
+        expect(result.target).toBe('https://api.weather.com/v1');
+    });
+    it('blocks plugins on admin blocklist', () => {
+        const result = routePlugin(makePlugin({ slug: 'bad-plugin', transport: 'embedded', trustLevel: 'internal' }), { policy: { blockedPlugins: ['bad-plugin'] } });
+        expect(result.path).toBe('blocked');
+    });
+    it('defaults unknown fields to safe values', () => {
+        // Plugin with no unified fields (old format) — cast to bypass required fields
+        const result = routePlugin(makePlugin({
+            transport: undefined,
+            trustLevel: undefined,
+            executionMode: undefined,
+        }));
+        // Defaults: transport=remote-mcp, trustLevel=community, executionMode=gateway
+        expect(result.path).toBe('gateway-mcp');
+        expect(result.policy.effectiveMode).toBe('gateway');
+    });
+    it('uses builtin: prefix for fallback server ID', () => {
+        const result = routePlugin(makePlugin({
+            slug: 'lucid-seo',
+            transport: 'remote-mcp',
+            mcpgateServerId: undefined,
+        }));
+        expect(result.target).toBe('builtin:lucid-seo');
+    });
+});
+//# sourceMappingURL=router.test.js.map

package/dist/__tests__/router.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"router.test.js","sourceRoot":"","sources":["../../src/__tests__/router.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAA;AAC7C,OAAO,EAAE,WAAW,EAAE,MAAM,cAAc,CAAA;AAG1C,SAAS,UAAU,CAAC,YAAsC,EAAE;IAC1D,OAAO;QACL,IAAI,EAAE,aAAa;QACnB,IAAI,EAAE,aAAa;QACnB,KAAK,EAAE,EAAE;QACT,MAAM,EAAE,EAAE;QACV,IAAI,EAAE,QAAQ;QACd,SAAS,EAAE,UAAU;QACrB,UAAU,EAAE,UAAU;QACtB,aAAa,EAAE,YAAY;QAC3B,QAAQ,EAAE,MAAM;QAChB,YAAY,EAAE,IAAI;QAClB,GAAG,SAAS;KACb,CAAA;AACH,CAAC;AAED,QAAQ,CAAC,aAAa,EAAE,GAAG,EAAE;IAC3B,EAAE,CAAC,6CAA6C,EAAE,GAAG,EAAE;QACrD,MAAM,MAAM,GAAG,WAAW,CAAC,UAAU,CAAC;YACpC,SAAS,EAAE,UAAU;YACrB,UAAU,EAAE,UAAU;YACtB,aAAa,EAAE,YAAY;SAC5B,CAAC,CAAC,CAAA;QACH,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAA;IACtC,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,8DAA8D,EAAE,GAAG,EAAE;QACtE,MAAM,MAAM,GAAG,WAAW,CAAC,UAAU,CAAC;YACpC,SAAS,EAAE,UAAU;YACrB,UAAU,EAAE,WAAW;YACvB,aAAa,EAAE,YAAY;SAC5B,CAAC,CAAC,CAAA;QACH,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAA;QACvC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,cAAc,CAAC,CAAA;IACxD,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,kCAAkC,EAAE,GAAG,EAAE;QAC1C,MAAM,MAAM,GAAG,WAAW,CAAC,UAAU,CAAC;YACpC,SAAS,EAAE,YAAY;YACvB,UAAU,EAAE,UAAU;YACtB,aAAa,EAAE,SAAS;YACxB,eAAe,EAAE,YAAY;SAC9B,CAAC,CAAC,CAAA;QACH,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAA;QACvC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAA;IAC1C,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,kEAAkE,EAAE,GAAG,EAAE;QAC1E,MAAM,MAAM,GAAG,WAAW,CAAC,UAAU,CAAC;YACpC,SAAS,EAAE,MAAM;YACjB,UAAU,EAAE,UAAU;YACtB,aAAa,EAAE,SAAS;YACxB,WAAW,EAAE,4BAA4B;SAC1C,CAAC,CAAC,CAAA;QACH,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,CAAA;QACxC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAA;IAC1D,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,mCAAmC,EAAE,GAAG,EAAE;QAC3C,MAAM,MAAM,GAAG,WAAW,CACxB,UAAU,CAAC,EAAE,IAAI,EAAE,YAAY,EAAE,SAAS,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,CAAC,EACjF,EAAE,MAAM,EAAE,EAAE,cAAc,EAAE,CAAC,YAAY,CAAC,EAAE,EAAE,CAC/C,CAAA;QACD,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;IACrC,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,wCAAwC,EAAE,GAAG,EAAE;QAChD,8EAA8E;QAC9E,MAAM,MAAM,GAAG,WAAW,CAAC,UAAU,CAAC;YACpC,SAAS,EAAE,SAAgB;YAC3B,UAAU,EAAE,SAAgB;YAC5B,aAAa,EAAE,SAAgB;SAChC,CAAC,CAAC,CAAA;QACH,8EAA8E;QAC9E,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAA;QACvC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;IACrD,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,6CAA6C,EAAE,GAAG,EAAE;QACrD,MAAM,MAAM,GAAG,WAAW,CAAC,UAAU,CAAC;YACpC,IAAI,EAAE,WAAW;YACjB,SAAS,EAAE,YAAY;YACvB,eAAe,EAAE,SAAS;SAC3B,CAAC,CAAC,CAAA;QACH,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAA;IACjD,CAAC,CAAC,CAAA;AACJ,CAAC,CAAC,CAAA"}

package/dist/audit.d.ts

@@ -0,0 +1,20 @@
+/**
+ * Capability Core — Audit Hooks
+ *
+ * Pluggable audit system for plugin tool executions.
+ * Consumers register handlers; the audit emitter fires after each tool call.
+ *
+ * Handlers are fire-and-forget — audit failures never block tool execution.
+ */
+import type { AuditEvent, AuditHandler } from './types.js';
+export declare class AuditEmitter {
+    private readonly handlers;
+    /** Register an audit handler. Returns unsubscribe function. */
+    on(handler: AuditHandler): () => void;
+    /** Emit an audit event to all registered handlers (fire-and-forget). */
+    emit(event: AuditEvent): void;
+    /** Remove all handlers. */
+    clear(): void;
+    get handlerCount(): number;
+}
+//# sourceMappingURL=audit.d.ts.map

package/dist/audit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit.d.ts","sourceRoot":"","sources":["../src/audit.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,YAAY,CAAA;AAE1D,qBAAa,YAAY;IACvB,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAqB;IAE9C,+DAA+D;IAC/D,EAAE,CAAC,OAAO,EAAE,YAAY,GAAG,MAAM,IAAI;IAQrC,wEAAwE;IACxE,IAAI,CAAC,KAAK,EAAE,UAAU,GAAG,IAAI;IAgB7B,2BAA2B;IAC3B,KAAK,IAAI,IAAI;IAIb,IAAI,YAAY,IAAI,MAAM,CAEzB;CACF"}

package/dist/audit.js

@@ -0,0 +1,46 @@
+/**
+ * Capability Core — Audit Hooks
+ *
+ * Pluggable audit system for plugin tool executions.
+ * Consumers register handlers; the audit emitter fires after each tool call.
+ *
+ * Handlers are fire-and-forget — audit failures never block tool execution.
+ */
+export class AuditEmitter {
+    handlers = [];
+    /** Register an audit handler. Returns unsubscribe function. */
+    on(handler) {
+        this.handlers.push(handler);
+        return () => {
+            const idx = this.handlers.indexOf(handler);
+            if (idx >= 0)
+                this.handlers.splice(idx, 1);
+        };
+    }
+    /** Emit an audit event to all registered handlers (fire-and-forget). */
+    emit(event) {
+        for (const handler of this.handlers) {
+            try {
+                const result = handler(event);
+                // If handler returns a promise, catch errors silently
+                if (result && typeof result === 'object' && 'catch' in result) {
+                    ;
+                    result.catch((err) => {
+                        console.error('[plugin-policy:audit] Handler error:', err);
+                    });
+                }
+            }
+            catch (err) {
+                console.error('[plugin-policy:audit] Handler error:', err);
+            }
+        }
+    }
+    /** Remove all handlers. */
+    clear() {
+        this.handlers.length = 0;
+    }
+    get handlerCount() {
+        return this.handlers.length;
+    }
+}
+//# sourceMappingURL=audit.js.map

package/dist/audit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit.js","sourceRoot":"","sources":["../src/audit.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAIH,MAAM,OAAO,YAAY;IACN,QAAQ,GAAmB,EAAE,CAAA;IAE9C,+DAA+D;IAC/D,EAAE,CAAC,OAAqB;QACtB,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;QAC3B,OAAO,GAAG,EAAE;YACV,MAAM,GAAG,GAAG,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,CAAA;YAC1C,IAAI,GAAG,IAAI,CAAC;gBAAE,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC,CAAA;QAC5C,CAAC,CAAA;IACH,CAAC;IAED,wEAAwE;IACxE,IAAI,CAAC,KAAiB;QACpB,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YACpC,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,OAAO,CAAC,KAAK,CAAC,CAAA;gBAC7B,sDAAsD;gBACtD,IAAI,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,OAAO,IAAI,MAAM,EAAE,CAAC;oBAC9D,CAAC;oBAAC,MAAwB,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;wBACvC,OAAO,CAAC,KAAK,CAAC,sCAAsC,EAAE,GAAG,CAAC,CAAA;oBAC5D,CAAC,CAAC,CAAA;gBACJ,CAAC;YACH,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,OAAO,CAAC,KAAK,CAAC,sCAAsC,EAAE,GAAG,CAAC,CAAA;YAC5D,CAAC;QACH,CAAC;IACH,CAAC;IAED,2BAA2B;IAC3B,KAAK;QACH,IAAI,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAA;IAC1B,CAAC;IAED,IAAI,YAAY;QACd,OAAO,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAA;IAC7B,CAAC;CACF"}

package/dist/index.d.ts

@@ -0,0 +1,17 @@
+/**
+ * @lucid/plugin-policy
+ *
+ * Unified capability registry, router, policy engine, and audit hooks.
+ * Shared between the worker (in-process execution) and MCPGate (gateway execution).
+ *
+ * Usage:
+ *   import { PluginRegistry, routePlugin, resolvePolicy, AuditEmitter } from '@lucid/plugin-policy'
+ */
+export type { PluginCatalogEntry, ToolDef, ActivatedPlugin, PolicyDecision, PolicyResult, PolicyConfig, ExecutionPath, RouteResult, AuditEvent, AuditHandler, } from './types.js';
+export { PluginRegistry } from './registry.js';
+export { resolvePolicy } from './policy.js';
+export { routePlugin } from './router.js';
+export type { RouterConfig } from './router.js';
+export { AuditEmitter } from './audit.js';
+export { normalizePluginRow } from './manifest.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAGH,YAAY,EACV,kBAAkB,EAClB,OAAO,EACP,eAAe,EACf,cAAc,EACd,YAAY,EACZ,YAAY,EACZ,aAAa,EACb,WAAW,EACX,UAAU,EACV,YAAY,GACb,MAAM,YAAY,CAAA;AAGnB,OAAO,EAAE,cAAc,EAAE,MAAM,eAAe,CAAA;AAG9C,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAA;AAG3C,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAA;AACzC,YAAY,EAAE,YAAY,EAAE,MAAM,aAAa,CAAA;AAG/C,OAAO,EAAE,YAAY,EAAE,MAAM,YAAY,CAAA;AAGzC,OAAO,EAAE,kBAAkB,EAAE,MAAM,eAAe,CAAA"}

package/dist/index.js

@@ -0,0 +1,20 @@
+/**
+ * @lucid/plugin-policy
+ *
+ * Unified capability registry, router, policy engine, and audit hooks.
+ * Shared between the worker (in-process execution) and MCPGate (gateway execution).
+ *
+ * Usage:
+ *   import { PluginRegistry, routePlugin, resolvePolicy, AuditEmitter } from '@lucid/plugin-policy'
+ */
+// Registry
+export { PluginRegistry } from './registry.js';
+// Policy
+export { resolvePolicy } from './policy.js';
+// Router
+export { routePlugin } from './router.js';
+// Audit
+export { AuditEmitter } from './audit.js';
+// Manifest normalization
+export { normalizePluginRow } from './manifest.js';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAgBH,WAAW;AACX,OAAO,EAAE,cAAc,EAAE,MAAM,eAAe,CAAA;AAE9C,SAAS;AACT,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAA;AAE3C,SAAS;AACT,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAA;AAGzC,QAAQ;AACR,OAAO,EAAE,YAAY,EAAE,MAAM,YAAY,CAAA;AAEzC,yBAAyB;AACzB,OAAO,EAAE,kBAAkB,EAAE,MAAM,eAAe,CAAA"}

package/dist/manifest.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Capability Core — Manifest Normalization
+ *
+ * Normalizes DB rows (snake_case) into the internal ActivatedPlugin format (camelCase).
+ * Used by the worker when transforming RPC results.
+ */
+import type { ActivatedPlugin } from './types.js';
+/**
+ * Transform a raw DB row from get_assistant_active_plugins RPC into an ActivatedPlugin.
+ * Handles both old (source/mcpgate_server_id only) and new (unified fields) formats.
+ */
+export declare function normalizePluginRow(row: Record<string, unknown>): ActivatedPlugin;
+//# sourceMappingURL=manifest.d.ts.map

package/dist/manifest.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"manifest.d.ts","sourceRoot":"","sources":["../src/manifest.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,YAAY,CAAA;AAEjD;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,eAAe,CAiDhF"}

package/dist/manifest.js

@@ -0,0 +1,56 @@
+/**
+ * Capability Core — Manifest Normalization
+ *
+ * Normalizes DB rows (snake_case) into the internal ActivatedPlugin format (camelCase).
+ * Used by the worker when transforming RPC results.
+ */
+/**
+ * Transform a raw DB row from get_assistant_active_plugins RPC into an ActivatedPlugin.
+ * Handles both old (source/mcpgate_server_id only) and new (unified fields) formats.
+ */
+export function normalizePluginRow(row) {
+    // Tool manifest: may be JSONB array or stringified
+    let tools = [];
+    const rawManifest = row.tool_manifest ?? row.manifest_snapshot;
+    if (Array.isArray(rawManifest)) {
+        tools = rawManifest;
+    }
+    else if (typeof rawManifest === 'string') {
+        try {
+            tools = JSON.parse(rawManifest);
+        }
+        catch {
+            tools = [];
+        }
+    }
+    // Filter tools by enabled_tools if present
+    const enabledTools = row.enabled_tools;
+    if (enabledTools && Array.isArray(enabledTools)) {
+        tools = tools.filter((t) => enabledTools.includes(t.name ?? ''));
+    }
+    // Merge org config + plugin config (plugin config takes precedence)
+    const orgConfig = (row.org_config ?? {});
+    const pluginConfig = (row.plugin_config ?? row.config ?? {});
+    const config = { ...orgConfig, ...pluginConfig };
+    return {
+        slug: row.plugin_slug,
+        name: row.plugin_name,
+        tools,
+        config,
+        // UCA dimensions (required — safe defaults match DB column defaults)
+        kind: (row.kind ?? 'plugin'),
+        transport: (row.transport ?? 'remote-mcp'),
+        trustLevel: (row.trust_level ?? 'community'),
+        executionMode: (row.execution_mode ?? 'gateway'),
+        authType: (row.auth_type ?? 'none'),
+        authProvider: row.auth_provider ?? null,
+        // Routing targets
+        mcpgateServerId: row.mcpgate_server_id ?? undefined,
+        endpointUrl: row.endpoint_url ?? undefined,
+        // Fallback policy
+        fallbackMode: (row.fallback_mode ?? null),
+        // Deprecated (kept for wire compat)
+        source: row.source ?? undefined,
+    };
+}
+//# sourceMappingURL=manifest.js.map

package/dist/manifest.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"manifest.js","sourceRoot":"","sources":["../src/manifest.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH;;;GAGG;AACH,MAAM,UAAU,kBAAkB,CAAC,GAA4B;IAC7D,mDAAmD;IACnD,IAAI,KAAK,GAAG,EAAE,CAAA;IACd,MAAM,WAAW,GAAG,GAAG,CAAC,aAAa,IAAI,GAAG,CAAC,iBAAiB,CAAA;IAC9D,IAAI,KAAK,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,CAAC;QAC/B,KAAK,GAAG,WAAW,CAAA;IACrB,CAAC;SAAM,IAAI,OAAO,WAAW,KAAK,QAAQ,EAAE,CAAC;QAC3C,IAAI,CAAC;YACH,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,CAAA;QACjC,CAAC;QAAC,MAAM,CAAC;YACP,KAAK,GAAG,EAAE,CAAA;QACZ,CAAC;IACH,CAAC;IAED,2CAA2C;IAC3C,MAAM,YAAY,GAAG,GAAG,CAAC,aAAgC,CAAA;IACzD,IAAI,YAAY,IAAI,KAAK,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,CAAC;QAChD,KAAK,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAoB,EAAE,EAAE,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC,CAAA;IACrF,CAAC;IAED,oEAAoE;IACpE,MAAM,SAAS,GAAG,CAAC,GAAG,CAAC,UAAU,IAAI,EAAE,CAA4B,CAAA;IACnE,MAAM,YAAY,GAAG,CAAC,GAAG,CAAC,aAAa,IAAI,GAAG,CAAC,MAAM,IAAI,EAAE,CAA4B,CAAA;IACvF,MAAM,MAAM,GAAG,EAAE,GAAG,SAAS,EAAE,GAAG,YAAY,EAAE,CAAA;IAEhD,OAAO;QACL,IAAI,EAAE,GAAG,CAAC,WAAqB;QAC/B,IAAI,EAAE,GAAG,CAAC,WAAqB;QAC/B,KAAK;QACL,MAAM;QAEN,qEAAqE;QACrE,IAAI,EAAE,CAAE,GAAG,CAAC,IAAe,IAAI,QAAQ,CAA4B;QACnE,SAAS,EAAE,CAAE,GAAG,CAAC,SAAoB,IAAI,YAAY,CAAiC;QACtF,UAAU,EAAE,CAAE,GAAG,CAAC,WAAsB,IAAI,WAAW,CAAkC;QACzF,aAAa,EAAE,CAAE,GAAG,CAAC,cAAyB,IAAI,SAAS,CAAqC;QAChG,QAAQ,EAAE,CAAE,GAAG,CAAC,SAAoB,IAAI,MAAM,CAAgC;QAC9E,YAAY,EAAG,GAAG,CAAC,aAAwB,IAAI,IAAI;QAEnD,kBAAkB;QAClB,eAAe,EAAG,GAAG,CAAC,iBAA4B,IAAI,SAAS;QAC/D,WAAW,EAAG,GAAG,CAAC,YAAuB,IAAI,SAAS;QAEtD,kBAAkB;QAClB,YAAY,EAAE,CAAE,GAAG,CAAC,aAAwB,IAAI,IAAI,CAAoC;QAExF,oCAAoC;QACpC,MAAM,EAAG,GAAG,CAAC,MAAoC,IAAI,SAAS;KAC/D,CAAA;AACH,CAAC"}

package/dist/policy.d.ts

@@ -0,0 +1,23 @@
+/**
+ * Capability Core — Policy Engine
+ *
+ * Resolves the effective execution mode for a plugin based on:
+ *   1. Admin blocklist
+ *   2. Trust level → execution mode matrix
+ *   3. Environment overrides (e.g., force gateway in staging)
+ *
+ * Policy matrix (RFC Section 4.2):
+ *   internal  + in_process → allow_in_process
+ *   internal  + gateway    → allow_gateway
+ *   verified  + in_process → allow_in_process
+ *   verified  + gateway    → allow_gateway
+ *   community + in_process → allow_gateway (OVERRIDE — community never runs in-process)
+ *   community + gateway    → allow_gateway
+ */
+import type { PluginCatalogEntry, PolicyConfig, PolicyResult } from './types.js';
+/**
+ * Resolve the execution policy for a plugin.
+ * Takes the full catalog entry so policy can inspect any field.
+ */
+export declare function resolvePolicy(plugin: Pick<PluginCatalogEntry, 'slug' | 'trustLevel' | 'executionMode'>, config?: PolicyConfig): PolicyResult;
+//# sourceMappingURL=policy.d.ts.map

package/dist/policy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy.d.ts","sourceRoot":"","sources":["../src/policy.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,KAAK,EAAE,kBAAkB,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,YAAY,CAAA;AAEhF;;;GAGG;AACH,wBAAgB,aAAa,CAC3B,MAAM,EAAE,IAAI,CAAC,kBAAkB,EAAE,MAAM,GAAG,YAAY,GAAG,eAAe,CAAC,EACzE,MAAM,CAAC,EAAE,YAAY,GACpB,YAAY,CAgDd"}

package/dist/policy.js

@@ -0,0 +1,65 @@
+/**
+ * Capability Core — Policy Engine
+ *
+ * Resolves the effective execution mode for a plugin based on:
+ *   1. Admin blocklist
+ *   2. Trust level → execution mode matrix
+ *   3. Environment overrides (e.g., force gateway in staging)
+ *
+ * Policy matrix (RFC Section 4.2):
+ *   internal  + in_process → allow_in_process
+ *   internal  + gateway    → allow_gateway
+ *   verified  + in_process → allow_in_process
+ *   verified  + gateway    → allow_gateway
+ *   community + in_process → allow_gateway (OVERRIDE — community never runs in-process)
+ *   community + gateway    → allow_gateway
+ */
+/**
+ * Resolve the execution policy for a plugin.
+ * Takes the full catalog entry so policy can inspect any field.
+ */
+export function resolvePolicy(plugin, config) {
+    // 1. Admin blocklist
+    if (config?.blockedPlugins?.includes(plugin.slug)) {
+        return {
+            decision: 'block',
+            reason: `Plugin "${plugin.slug}" is on the admin blocklist`,
+            effectiveMode: 'gateway',
+        };
+    }
+    // 2. Environment override — force everything through gateway
+    if (config?.forceGateway) {
+        return {
+            decision: 'allow_gateway',
+            reason: 'Environment forces gateway mode',
+            effectiveMode: 'gateway',
+        };
+    }
+    // 3. Trust level → execution mode matrix
+    // Default undefined to safest posture (community + gateway) — matches DB column defaults.
+    // Without this, an old DB row missing these fields would fall through to allow_in_process.
+    const trustLevel = plugin.trustLevel ?? 'community';
+    const executionMode = plugin.executionMode ?? 'gateway';
+    // Community plugins: NEVER in-process, regardless of requested mode
+    if (trustLevel === 'community') {
+        return {
+            decision: 'allow_gateway',
+            reason: 'Community plugins are gateway-only (policy enforced)',
+            effectiveMode: 'gateway',
+        };
+    }
+    // Internal or verified: respect the requested execution mode
+    if (executionMode === 'in_process') {
+        return {
+            decision: 'allow_in_process',
+            reason: `${trustLevel} plugin allowed in-process`,
+            effectiveMode: 'in_process',
+        };
+    }
+    return {
+        decision: 'allow_gateway',
+        reason: `${trustLevel} plugin requested gateway mode`,
+        effectiveMode: 'gateway',
+    };
+}
+//# sourceMappingURL=policy.js.map

package/dist/policy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy.js","sourceRoot":"","sources":["../src/policy.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAIH;;;GAGG;AACH,MAAM,UAAU,aAAa,CAC3B,MAAyE,EACzE,MAAqB;IAErB,qBAAqB;IACrB,IAAI,MAAM,EAAE,cAAc,EAAE,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;QAClD,OAAO;YACL,QAAQ,EAAE,OAAO;YACjB,MAAM,EAAE,WAAW,MAAM,CAAC,IAAI,6BAA6B;YAC3D,aAAa,EAAE,SAAS;SACzB,CAAA;IACH,CAAC;IAED,6DAA6D;IAC7D,IAAI,MAAM,EAAE,YAAY,EAAE,CAAC;QACzB,OAAO;YACL,QAAQ,EAAE,eAAe;YACzB,MAAM,EAAE,iCAAiC;YACzC,aAAa,EAAE,SAAS;SACzB,CAAA;IACH,CAAC;IAED,yCAAyC;IACzC,0FAA0F;IAC1F,2FAA2F;IAC3F,MAAM,UAAU,GAAG,MAAM,CAAC,UAAU,IAAI,WAAW,CAAA;IACnD,MAAM,aAAa,GAAG,MAAM,CAAC,aAAa,IAAI,SAAS,CAAA;IAEvD,oEAAoE;IACpE,IAAI,UAAU,KAAK,WAAW,EAAE,CAAC;QAC/B,OAAO;YACL,QAAQ,EAAE,eAAe;YACzB,MAAM,EAAE,sDAAsD;YAC9D,aAAa,EAAE,SAAS;SACzB,CAAA;IACH,CAAC;IAED,6DAA6D;IAC7D,IAAI,aAAa,KAAK,YAAY,EAAE,CAAC;QACnC,OAAO;YACL,QAAQ,EAAE,kBAAkB;YAC5B,MAAM,EAAE,GAAG,UAAU,4BAA4B;YACjD,aAAa,EAAE,YAAY;SAC5B,CAAA;IACH,CAAC;IAED,OAAO;QACL,QAAQ,EAAE,eAAe;QACzB,MAAM,EAAE,GAAG,UAAU,gCAAgC;QACrD,aAAa,EAAE,SAAS;KACzB,CAAA;AACH,CAAC"}

package/dist/registry.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Capability Core — Registry
+ *
+ * In-memory registry of activated plugins for a given context (e.g., assistant run).
+ * Provides lookup by slug and wire tool name parsing.
+ *
+ * Not a singleton — each agent run creates its own registry from the DB result.
+ */
+import type { ActivatedPlugin, ToolDef } from './types.js';
+export declare class PluginRegistry {
+    private readonly plugins;
+    constructor(plugins?: ActivatedPlugin[]);
+    register(plugin: ActivatedPlugin): void;
+    get(slug: string): ActivatedPlugin | undefined;
+    has(slug: string): boolean;
+    getAll(): ActivatedPlugin[];
+    /** Resolve a wire tool name (e.g., 'lucid_seo__research_keywords') to plugin + tool. */
+    resolveWireToolName(wireName: string): {
+        plugin: ActivatedPlugin;
+        tool: ToolDef;
+    } | null;
+    get size(): number;
+}
+//# sourceMappingURL=registry.d.ts.map

package/dist/registry.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"registry.d.ts","sourceRoot":"","sources":["../src/registry.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,OAAO,EAAE,MAAM,YAAY,CAAA;AAK1D,qBAAa,cAAc;IACzB,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAqC;gBAEjD,OAAO,CAAC,EAAE,eAAe,EAAE;IAQvC,QAAQ,CAAC,MAAM,EAAE,eAAe,GAAG,IAAI;IAIvC,GAAG,CAAC,IAAI,EAAE,MAAM,GAAG,eAAe,GAAG,SAAS;IAI9C,GAAG,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO;IAI1B,MAAM,IAAI,eAAe,EAAE;IAI3B,wFAAwF;IACxF,mBAAmB,CAAC,QAAQ,EAAE,MAAM,GAAG;QAAE,MAAM,EAAE,eAAe,CAAC;QAAC,IAAI,EAAE,OAAO,CAAA;KAAE,GAAG,IAAI;IAiBxF,IAAI,IAAI,IAAI,MAAM,CAEjB;CACF"}

package/dist/registry.js

@@ -0,0 +1,52 @@
+/**
+ * Capability Core — Registry
+ *
+ * In-memory registry of activated plugins for a given context (e.g., assistant run).
+ * Provides lookup by slug and wire tool name parsing.
+ *
+ * Not a singleton — each agent run creates its own registry from the DB result.
+ */
+/** Wire tool name format: {pluginSlug}__{toolName} (double underscore separator). */
+const WIRE_SEPARATOR = '__';
+export class PluginRegistry {
+    plugins = new Map();
+    constructor(plugins) {
+        if (plugins) {
+            for (const p of plugins) {
+                this.register(p);
+            }
+        }
+    }
+    register(plugin) {
+        this.plugins.set(plugin.slug, plugin);
+    }
+    get(slug) {
+        return this.plugins.get(slug);
+    }
+    has(slug) {
+        return this.plugins.has(slug);
+    }
+    getAll() {
+        return Array.from(this.plugins.values());
+    }
+    /** Resolve a wire tool name (e.g., 'lucid_seo__research_keywords') to plugin + tool. */
+    resolveWireToolName(wireName) {
+        const idx = wireName.indexOf(WIRE_SEPARATOR);
+        if (idx === -1)
+            return null;
+        const slugPart = wireName.slice(0, idx);
+        const toolName = wireName.slice(idx + WIRE_SEPARATOR.length);
+        // Wire names sanitize hyphens to underscores, so try both
+        const plugin = this.plugins.get(slugPart) ?? this.plugins.get(slugPart.replace(/_/g, '-'));
+        if (!plugin)
+            return null;
+        const tool = plugin.tools.find((t) => t.name === toolName);
+        if (!tool)
+            return null;
+        return { plugin, tool };
+    }
+    get size() {
+        return this.plugins.size;
+    }
+}
+//# sourceMappingURL=registry.js.map

package/dist/registry.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"registry.js","sourceRoot":"","sources":["../src/registry.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAIH,qFAAqF;AACrF,MAAM,cAAc,GAAG,IAAI,CAAA;AAE3B,MAAM,OAAO,cAAc;IACR,OAAO,GAAG,IAAI,GAAG,EAA2B,CAAA;IAE7D,YAAY,OAA2B;QACrC,IAAI,OAAO,EAAE,CAAC;YACZ,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;gBACxB,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAA;YAClB,CAAC;QACH,CAAC;IACH,CAAC;IAED,QAAQ,CAAC,MAAuB;QAC9B,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,CAAA;IACvC,CAAC;IAED,GAAG,CAAC,IAAY;QACd,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAA;IAC/B,CAAC;IAED,GAAG,CAAC,IAAY;QACd,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAA;IAC/B,CAAC;IAED,MAAM;QACJ,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAA;IAC1C,CAAC;IAED,wFAAwF;IACxF,mBAAmB,CAAC,QAAgB;QAClC,MAAM,GAAG,GAAG,QAAQ,CAAC,OAAO,CAAC,cAAc,CAAC,CAAA;QAC5C,IAAI,GAAG,KAAK,CAAC,CAAC;YAAE,OAAO,IAAI,CAAA;QAE3B,MAAM,QAAQ,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAA;QACvC,MAAM,QAAQ,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,GAAG,cAAc,CAAC,MAAM,CAAC,CAAA;QAE5D,0DAA0D;QAC1D,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,CAAA;QAC1F,IAAI,CAAC,MAAM;YAAE,OAAO,IAAI,CAAA;QAExB,MAAM,IAAI,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAA;QAC1D,IAAI,CAAC,IAAI;YAAE,OAAO,IAAI,CAAA;QAEtB,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,CAAA;IACzB,CAAC;IAED,IAAI,IAAI;QACN,OAAO,IAAI,CAAC,OAAO,CAAC,IAAI,CAAA;IAC1B,CAAC;CACF"}

package/dist/router.d.ts

@@ -0,0 +1,28 @@
+/**
+ * Capability Core — Router
+ *
+ * Determines the execution path for a plugin tool call:
+ *   embedded      → in-process MCP via InMemoryTransport
+ *   gateway-mcp   → HTTP call to MCPGate (remote MCP)
+ *   gateway-rest   → HTTP call to REST API endpoint
+ *   blocked        → execution denied by policy
+ *
+ * Decision table (RFC Section 3.2):
+ *   transport=embedded   + policy=in_process → embedded
+ *   transport=embedded   + policy=gateway    → gateway-mcp (fallback)
+ *   transport=remote-mcp + any               → gateway-mcp
+ *   transport=rest       + any               → gateway-rest
+ *   policy=block                             → blocked
+ */
+import type { ActivatedPlugin, PolicyConfig, RouteResult } from './types.js';
+export interface RouterConfig {
+    /** MCPGate gateway URL (from MCPGATE_URL env). */
+    mcpgateUrl?: string;
+    /** Policy configuration. */
+    policy?: PolicyConfig;
+}
+/**
+ * Route a plugin to its execution path.
+ */
+export declare function routePlugin(plugin: ActivatedPlugin, config?: RouterConfig): RouteResult;
+//# sourceMappingURL=router.d.ts.map

package/dist/router.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"router.d.ts","sourceRoot":"","sources":["../src/router.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,YAAY,CAAA;AAG5E,MAAM,WAAW,YAAY;IAC3B,kDAAkD;IAClD,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB,4BAA4B;IAC5B,MAAM,CAAC,EAAE,YAAY,CAAA;CACtB;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,MAAM,EAAE,eAAe,EAAE,MAAM,CAAC,EAAE,YAAY,GAAG,WAAW,CAuDvF"}

package/dist/router.js

@@ -0,0 +1,68 @@
+/**
+ * Capability Core — Router
+ *
+ * Determines the execution path for a plugin tool call:
+ *   embedded      → in-process MCP via InMemoryTransport
+ *   gateway-mcp   → HTTP call to MCPGate (remote MCP)
+ *   gateway-rest   → HTTP call to REST API endpoint
+ *   blocked        → execution denied by policy
+ *
+ * Decision table (RFC Section 3.2):
+ *   transport=embedded   + policy=in_process → embedded
+ *   transport=embedded   + policy=gateway    → gateway-mcp (fallback)
+ *   transport=remote-mcp + any               → gateway-mcp
+ *   transport=rest       + any               → gateway-rest
+ *   policy=block                             → blocked
+ */
+import { resolvePolicy } from './policy.js';
+/**
+ * Route a plugin to its execution path.
+ */
+export function routePlugin(plugin, config) {
+    const trustLevel = plugin.trustLevel ?? 'community';
+    const executionMode = plugin.executionMode ?? 'gateway';
+    const transport = plugin.transport ?? 'remote-mcp';
+    // Resolve policy
+    const policy = resolvePolicy({ slug: plugin.slug, trustLevel, executionMode }, config?.policy);
+    // Blocked by policy
+    if (policy.decision === 'block') {
+        return { path: 'blocked', policy };
+    }
+    // Route based on transport + effective mode
+    switch (transport) {
+        case 'embedded': {
+            if (policy.effectiveMode === 'in_process') {
+                return { path: 'embedded', policy };
+            }
+            // Embedded plugin forced to gateway by policy → route through MCPGate
+            return {
+                path: 'gateway-mcp',
+                target: plugin.mcpgateServerId ?? `builtin:${plugin.slug}`,
+                policy,
+            };
+        }
+        case 'remote-mcp': {
+            return {
+                path: 'gateway-mcp',
+                target: plugin.mcpgateServerId ?? `builtin:${plugin.slug}`,
+                policy,
+            };
+        }
+        case 'rest': {
+            return {
+                path: 'gateway-rest',
+                target: plugin.endpointUrl ?? plugin.slug,
+                policy,
+            };
+        }
+        default: {
+            // Unknown transport → gateway as safe default
+            return {
+                path: 'gateway-mcp',
+                target: plugin.mcpgateServerId ?? `builtin:${plugin.slug}`,
+                policy,
+            };
+        }
+    }
+}
+//# sourceMappingURL=router.js.map

package/dist/router.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"router.js","sourceRoot":"","sources":["../src/router.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAGH,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAA;AAS3C;;GAEG;AACH,MAAM,UAAU,WAAW,CAAC,MAAuB,EAAE,MAAqB;IACxE,MAAM,UAAU,GAAG,MAAM,CAAC,UAAU,IAAI,WAAW,CAAA;IACnD,MAAM,aAAa,GAAG,MAAM,CAAC,aAAa,IAAI,SAAS,CAAA;IACvD,MAAM,SAAS,GAAG,MAAM,CAAC,SAAS,IAAI,YAAY,CAAA;IAElD,iBAAiB;IACjB,MAAM,MAAM,GAAG,aAAa,CAC1B,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,UAAU,EAAE,aAAa,EAAE,EAChD,MAAM,EAAE,MAAM,CACf,CAAA;IAED,oBAAoB;IACpB,IAAI,MAAM,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;QAChC,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,CAAA;IACpC,CAAC;IAED,4CAA4C;IAC5C,QAAQ,SAAS,EAAE,CAAC;QAClB,KAAK,UAAU,CAAC,CAAC,CAAC;YAChB,IAAI,MAAM,CAAC,aAAa,KAAK,YAAY,EAAE,CAAC;gBAC1C,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,CAAA;YACrC,CAAC;YACD,sEAAsE;YACtE,OAAO;gBACL,IAAI,EAAE,aAAa;gBACnB,MAAM,EAAE,MAAM,CAAC,eAAe,IAAI,WAAW,MAAM,CAAC,IAAI,EAAE;gBAC1D,MAAM;aACP,CAAA;QACH,CAAC;QAED,KAAK,YAAY,CAAC,CAAC,CAAC;YAClB,OAAO;gBACL,IAAI,EAAE,aAAa;gBACnB,MAAM,EAAE,MAAM,CAAC,eAAe,IAAI,WAAW,MAAM,CAAC,IAAI,EAAE;gBAC1D,MAAM;aACP,CAAA;QACH,CAAC;QAED,KAAK,MAAM,CAAC,CAAC,CAAC;YACZ,OAAO;gBACL,IAAI,EAAE,cAAc;gBACpB,MAAM,EAAE,MAAM,CAAC,WAAW,IAAI,MAAM,CAAC,IAAI;gBACzC,MAAM;aACP,CAAA;QACH,CAAC;QAED,OAAO,CAAC,CAAC,CAAC;YACR,8CAA8C;YAC9C,OAAO;gBACL,IAAI,EAAE,aAAa;gBACnB,MAAM,EAAE,MAAM,CAAC,eAAe,IAAI,WAAW,MAAM,CAAC,IAAI,EAAE;gBAC1D,MAAM;aACP,CAAA;QACH,CAAC;IACH,CAAC;AACH,CAAC"}

package/dist/types.d.ts

@@ -0,0 +1,82 @@
+/**
+ * Capability Core — Types
+ *
+ * Canonical types for the unified capability architecture.
+ * These mirror contracts/plugin.ts but are framework-independent.
+ */
+export interface PluginCatalogEntry {
+    id: string;
+    slug: string;
+    name: string;
+    description: string | null;
+    version: string;
+    source: 'first-party' | 'mcpgate' | 'community';
+    kind: 'plugin' | 'integration';
+    transport: 'embedded' | 'remote-mcp' | 'rest';
+    trustLevel: 'internal' | 'verified' | 'community';
+    executionMode: 'in_process' | 'gateway';
+    authType: 'none' | 'oauth2' | 'api-key' | 'env-var';
+    authProvider: string | null;
+    toolManifest: ToolDef[];
+    mcpgateServerId?: string | null;
+    riskLevel: 'read' | 'write' | 'destructive';
+    verified: boolean;
+    isPublished: boolean;
+    maxTools: number;
+}
+export interface ToolDef {
+    name: string;
+    description: string;
+    parameters: Record<string, unknown>;
+}
+export interface ActivatedPlugin {
+    slug: string;
+    name: string;
+    tools: ToolDef[];
+    config: Record<string, unknown>;
+    kind: 'plugin' | 'integration';
+    transport: 'embedded' | 'remote-mcp' | 'rest';
+    trustLevel: 'internal' | 'verified' | 'community';
+    executionMode: 'in_process' | 'gateway';
+    authType: 'none' | 'oauth2' | 'api-key' | 'env-var';
+    authProvider: string | null;
+    mcpgateServerId?: string;
+    endpointUrl?: string;
+    fallbackMode?: 'gateway' | null;
+    /** @deprecated Use trustLevel + transport instead. Kept for DB wire compat. */
+    source?: 'first-party' | 'mcpgate' | 'community';
+}
+export type PolicyDecision = 'allow_in_process' | 'allow_gateway' | 'block';
+export interface PolicyResult {
+    decision: PolicyDecision;
+    reason: string;
+    /** Effective execution mode after policy resolution. */
+    effectiveMode: 'in_process' | 'gateway';
+}
+export interface PolicyConfig {
+    /** Admin blocklist — slugs that are blocked regardless of trust. */
+    blockedPlugins?: string[];
+    /** Environment override (e.g., force gateway in staging). */
+    forceGateway?: boolean;
+}
+export type ExecutionPath = 'embedded' | 'gateway-mcp' | 'gateway-rest' | 'blocked';
+export interface RouteResult {
+    path: ExecutionPath;
+    /** The target URL or server ID for gateway paths. */
+    target?: string;
+    /** Policy result that determined this route. */
+    policy: PolicyResult;
+}
+export interface AuditEvent {
+    timestamp: string;
+    pluginSlug: string;
+    toolName: string;
+    executionPath: ExecutionPath;
+    durationMs: number;
+    success: boolean;
+    error?: string;
+    /** Who triggered it (assistant ID, org ID). */
+    context?: Record<string, unknown>;
+}
+export type AuditHandler = (event: AuditEvent) => void | Promise<void>;
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAMH,MAAM,WAAW,kBAAkB;IACjC,EAAE,EAAE,MAAM,CAAA;IACV,IAAI,EAAE,MAAM,CAAA;IACZ,IAAI,EAAE,MAAM,CAAA;IACZ,WAAW,EAAE,MAAM,GAAG,IAAI,CAAA;IAC1B,OAAO,EAAE,MAAM,CAAA;IACf,MAAM,EAAE,aAAa,GAAG,SAAS,GAAG,WAAW,CAAA;IAG/C,IAAI,EAAE,QAAQ,GAAG,aAAa,CAAA;IAC9B,SAAS,EAAE,UAAU,GAAG,YAAY,GAAG,MAAM,CAAA;IAC7C,UAAU,EAAE,UAAU,GAAG,UAAU,GAAG,WAAW,CAAA;IACjD,aAAa,EAAE,YAAY,GAAG,SAAS,CAAA;IACvC,QAAQ,EAAE,MAAM,GAAG,QAAQ,GAAG,SAAS,GAAG,SAAS,CAAA;IACnD,YAAY,EAAE,MAAM,GAAG,IAAI,CAAA;IAG3B,YAAY,EAAE,OAAO,EAAE,CAAA;IAGvB,eAAe,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;IAG/B,SAAS,EAAE,MAAM,GAAG,OAAO,GAAG,aAAa,CAAA;IAC3C,QAAQ,EAAE,OAAO,CAAA;IACjB,WAAW,EAAE,OAAO,CAAA;IACpB,QAAQ,EAAE,MAAM,CAAA;CACjB;AAED,MAAM,WAAW,OAAO;IACtB,IAAI,EAAE,MAAM,CAAA;IACZ,WAAW,EAAE,MAAM,CAAA;IACnB,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CACpC;AAMD,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,MAAM,CAAA;IACZ,IAAI,EAAE,MAAM,CAAA;IACZ,KAAK,EAAE,OAAO,EAAE,CAAA;IAChB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;IAG/B,IAAI,EAAE,QAAQ,GAAG,aAAa,CAAA;IAC9B,SAAS,EAAE,UAAU,GAAG,YAAY,GAAG,MAAM,CAAA;IAC7C,UAAU,EAAE,UAAU,GAAG,UAAU,GAAG,WAAW,CAAA;IACjD,aAAa,EAAE,YAAY,GAAG,SAAS,CAAA;IACvC,QAAQ,EAAE,MAAM,GAAG,QAAQ,GAAG,SAAS,GAAG,SAAS,CAAA;IACnD,YAAY,EAAE,MAAM,GAAG,IAAI,CAAA;IAG3B,eAAe,CAAC,EAAE,MAAM,CAAA;IACxB,WAAW,CAAC,EAAE,MAAM,CAAA;IAGpB,YAAY,CAAC,EAAE,SAAS,GAAG,IAAI,CAAA;IAE/B,+EAA+E;IAC/E,MAAM,CAAC,EAAE,aAAa,GAAG,SAAS,GAAG,WAAW,CAAA;CACjD;AAMD,MAAM,MAAM,cAAc,GAAG,kBAAkB,GAAG,eAAe,GAAG,OAAO,CAAA;AAE3E,MAAM,WAAW,YAAY;IAC3B,QAAQ,EAAE,cAAc,CAAA;IACxB,MAAM,EAAE,MAAM,CAAA;IACd,wDAAwD;IACxD,aAAa,EAAE,YAAY,GAAG,SAAS,CAAA;CACxC;AAED,MAAM,WAAW,YAAY;IAC3B,oEAAoE;IACpE,cAAc,CAAC,EAAE,MAAM,EAAE,CAAA;IACzB,6DAA6D;IAC7D,YAAY,CAAC,EAAE,OAAO,CAAA;CACvB;AAMD,MAAM,MAAM,aAAa,GAAG,UAAU,GAAG,aAAa,GAAG,cAAc,GAAG,SAAS,CAAA;AAEnF,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,aAAa,CAAA;IACnB,qDAAqD;IACrD,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,gDAAgD;IAChD,MAAM,EAAE,YAAY,CAAA;CACrB;AAMD,MAAM,WAAW,UAAU;IACzB,SAAS,EAAE,MAAM,CAAA;IACjB,UAAU,EAAE,MAAM,CAAA;IAClB,QAAQ,EAAE,MAAM,CAAA;IAChB,aAAa,EAAE,aAAa,CAAA;IAC5B,UAAU,EAAE,MAAM,CAAA;IAClB,OAAO,EAAE,OAAO,CAAA;IAChB,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,+CAA+C;IAC/C,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CAClC;AAED,MAAM,MAAM,YAAY,GAAG,CAAC,KAAK,EAAE,UAAU,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA"}

package/dist/types.js

@@ -0,0 +1,8 @@
+/**
+ * Capability Core — Types
+ *
+ * Canonical types for the unified capability architecture.
+ * These mirror contracts/plugin.ts but are framework-independent.
+ */
+export {};
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;;;;GAKG"}

package/package.json

@@ -0,0 +1,30 @@
+{
+  "name": "@lucid-fdn/plugin-policy",
+  "version": "0.1.0",
+  "description": "Unified capability registry, router, policy engine, and audit hooks for plugins and integrations",
+  "type": "module",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    }
+  },
+  "scripts": {
+    "build": "tsc",
+    "dev": "tsc --watch",
+    "typecheck": "tsc --noEmit"
+  },
+  "devDependencies": {
+    "@types/node": "^22.0.0",
+    "typescript": "^5.7.3"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "license": "MIT",
+  "files": [
+    "dist"
+  ]
+}