@lumenflow/kernel 3.0.0

package/dist/pack/pack-loader.d.ts

@@ -0,0 +1,108 @@
+import { KERNEL_EVENT_KINDS } from '../event-kinds.js';
+import type { PackPin, WorkspaceSpec } from '../kernel.schemas.js';
+import { type DomainPackManifest } from './manifest.js';
+/**
+ * Port interface for git operations used by PackLoader.
+ *
+ * Consumers must provide an implementation (e.g. wrapping simple-git)
+ * so that PackLoader remains testable without real git operations.
+ */
+export interface GitClient {
+    /** Clone a repository to the target directory. */
+    clone(url: string, targetDir: string): Promise<void>;
+    /** Pull latest changes in an existing repository. */
+    pull(repoDir: string): Promise<void>;
+    /** Checkout a specific tag or ref. */
+    checkout(repoDir: string, ref: string): Promise<void>;
+    /** Check whether a directory is an existing git repository. */
+    isRepo(dir: string): Promise<boolean>;
+}
+/**
+ * Port interface for registry operations used by PackLoader.
+ *
+ * Consumers must provide an implementation (e.g. wrapping fetch/got)
+ * so that PackLoader remains testable without real HTTP operations.
+ */
+export interface RegistryPackMetadata {
+    /** URL to the tarball containing the pack contents. */
+    tarball_url: string;
+    /** Integrity hash of the tarball (informational, actual verification uses pack hash). */
+    integrity: string;
+}
+export interface RegistryClient {
+    /** Fetch pack metadata from the registry API. */
+    fetchMetadata(packId: string, version: string, registryUrl: string): Promise<RegistryPackMetadata>;
+    /** Download and extract the tarball to the target directory. */
+    downloadTarball(tarballUrl: string, targetDir: string): Promise<void>;
+}
+export interface WorkspaceWarningEvent {
+    schema_version: 1;
+    kind: typeof KERNEL_EVENT_KINDS.WORKSPACE_WARNING;
+    timestamp: string;
+    message: string;
+}
+export interface PackLoaderOptions {
+    packsRoot: string;
+    manifestFileName?: string;
+    hashExclusions?: string[];
+    runtimeEnvironment?: string;
+    allowDevIntegrityInProduction?: boolean;
+    /** Directory for caching git-sourced packs. Defaults to ~/.lumenflow/pack-cache/ */
+    packCacheDir?: string;
+    /** Git client for resolving packs with source: git. Required when loading git packs. */
+    gitClient?: GitClient;
+    /** Registry client for resolving packs with source: registry. Required when loading registry packs. */
+    registryClient?: RegistryClient;
+    /** Default registry URL. Overridden by PackPin.registry_url when set. Defaults to https://registry.lumenflow.dev */
+    defaultRegistryUrl?: string;
+}
+export interface PackLoadInput {
+    workspaceSpec: WorkspaceSpec;
+    packId: string;
+    onWorkspaceWarning?: (event: WorkspaceWarningEvent) => void;
+}
+export interface LoadedDomainPack {
+    pin: PackPin;
+    manifest: DomainPackManifest;
+    packRoot: string;
+    integrity: string;
+}
+export declare function resolvePackToolEntryPath(packRoot: string, entry: string): string;
+export declare function validatePackImportBoundaries(packRoot: string, hashExclusions?: string[]): Promise<void>;
+export declare class PackLoader {
+    private readonly packsRoot;
+    private readonly manifestFileName;
+    private readonly hashExclusions?;
+    private readonly runtimeEnvironment;
+    private readonly allowDevIntegrityInProduction;
+    private readonly packCacheDir;
+    private readonly gitClient?;
+    private readonly registryClient?;
+    private readonly defaultRegistryUrl;
+    constructor(options: PackLoaderOptions);
+    load(input: PackLoadInput): Promise<LoadedDomainPack>;
+    /**
+     * Resolve the pack root directory based on the pin source.
+     * For local packs, resolves relative to packsRoot.
+     * For git packs, clones/pulls to the pack cache and checks out the version tag.
+     * For registry packs, fetches metadata and downloads tarball to the pack cache.
+     */
+    private resolvePackRoot;
+    /**
+     * Resolve a git-sourced pack by cloning or pulling to the pack cache,
+     * then checking out the version tag.
+     */
+    private resolveGitPackRoot;
+    /**
+     * Resolve a registry-sourced pack by fetching metadata and downloading the tarball
+     * to the pack cache. Skips download if the pack is already cached.
+     */
+    private resolveRegistryPackRoot;
+    /**
+     * Load pack from a resolved on-disk directory.
+     * Handles manifest parsing, tool entry validation, import boundary checks,
+     * integrity verification, and dev-mode warnings.
+     */
+    private loadFromDisk;
+}
+//# sourceMappingURL=pack-loader.d.ts.map

package/dist/pack/pack-loader.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pack-loader.d.ts","sourceRoot":"","sources":["../../src/pack/pack-loader.ts"],"names":[],"mappings":"AAQA,OAAO,EAAE,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AACvD,OAAO,KAAK,EAAE,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAQnE,OAAO,EAA4B,KAAK,kBAAkB,EAAE,MAAM,eAAe,CAAC;AAElF;;;;;GAKG;AACH,MAAM,WAAW,SAAS;IACxB,kDAAkD;IAClD,KAAK,CAAC,GAAG,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACrD,qDAAqD;IACrD,IAAI,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACrC,sCAAsC;IACtC,QAAQ,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACtD,+DAA+D;IAC/D,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;CACvC;AAED;;;;;GAKG;AACH,MAAM,WAAW,oBAAoB;IACnC,uDAAuD;IACvD,WAAW,EAAE,MAAM,CAAC;IACpB,yFAAyF;IACzF,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,cAAc;IAC7B,iDAAiD;IACjD,aAAa,CACX,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,MAAM,EACf,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,oBAAoB,CAAC,CAAC;IACjC,gEAAgE;IAChE,eAAe,CAAC,UAAU,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACvE;AAMD,MAAM,WAAW,qBAAqB;IACpC,cAAc,EAAE,CAAC,CAAC;IAClB,IAAI,EAAE,OAAO,kBAAkB,CAAC,iBAAiB,CAAC;IAClD,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,iBAAiB;IAChC,SAAS,EAAE,MAAM,CAAC;IAClB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,6BAA6B,CAAC,EAAE,OAAO,CAAC;IACxC,oFAAoF;IACpF,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,wFAAwF;IACxF,SAAS,CAAC,EAAE,SAAS,CAAC;IACtB,uGAAuG;IACvG,cAAc,CAAC,EAAE,cAAc,CAAC;IAChC,oHAAoH;IACpH,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC7B;AAED,MAAM,WAAW,aAAa;IAC5B,aAAa,EAAE,aAAa,CAAC;IAC7B,MAAM,EAAE,MAAM,CAAC;IACf,kBAAkB,CAAC,EAAE,CAAC,KAAK,EAAE,qBAAqB,KAAK,IAAI,CAAC;CAC7D;AAED,MAAM,WAAW,gBAAgB;IAC/B,GAAG,EAAE,OAAO,CAAC;IACb,QAAQ,EAAE,kBAAkB,CAAC;IAC7B,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;CACnB;AAwDD,wBAAgB,wBAAwB,CAAC,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,CAUhF;AAmED,wBAAsB,4BAA4B,CAChD,QAAQ,EAAE,MAAM,EAChB,cAAc,CAAC,EAAE,MAAM,EAAE,GACxB,OAAO,CAAC,IAAI,CAAC,CAef;AAUD,qBAAa,UAAU;IACrB,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAS;IACnC,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAS;IAC1C,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAW;IAC3C,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAS;IAC5C,OAAO,CAAC,QAAQ,CAAC,6BAA6B,CAAU;IACxD,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAS;IACtC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAY;IACvC,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAiB;IACjD,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAS;gBAEhC,OAAO,EAAE,iBAAiB;IAahC,IAAI,CAAC,KAAK,EAAE,aAAa,GAAG,OAAO,CAAC,gBAAgB,CAAC;IAM3D;;;;;OAKG;YACW,eAAe;IAU7B;;;OAGG;YACW,kBAAkB;IAiChC;;;OAGG;YACW,uBAAuB;IA2BrC;;;;OAIG;YACW,YAAY;CAkE3B"}

package/dist/pack/pack-loader.js

@@ -0,0 +1,282 @@
+// Copyright (c) 2026 Hellmai Ltd
+// SPDX-License-Identifier: Apache-2.0
+import { builtinModules } from 'node:module';
+import path from 'node:path';
+import { access, mkdir, readFile } from 'node:fs/promises';
+import { homedir } from 'node:os';
+import YAML from 'yaml';
+import { KERNEL_EVENT_KINDS } from '../event-kinds.js';
+import { LUMENFLOW_DIR_NAME, PACK_MANIFEST_FILE_NAME, SHA256_INTEGRITY_PREFIX, UTF8_ENCODING, } from '../shared-constants.js';
+import { computeDeterministicPackHash, listPackFiles } from './hash.js';
+import { DomainPackManifestSchema } from './manifest.js';
+const PACK_CACHE_DIR_NAME = 'pack-cache';
+const VERSION_TAG_PREFIX = 'v';
+const DEFAULT_REGISTRY_URL = 'https://registry.lumenflow.dev';
+const NODE_BUILTINS = new Set(builtinModules.map((moduleName) => moduleName.replace(/^node:/, '')));
+const ALLOWED_BARE_IMPORT_SPECIFIERS = new Set(['simple-git']);
+const IMPORT_SPECIFIER_PATTERNS = [
+    /\bimport\s+(?:[^'"]*?\sfrom\s*)?["']([^"']+)["']/,
+    /\bexport\s+[^'"]*?\sfrom\s*["']([^"']+)["']/,
+    /\bimport\(\s*["']([^"']+)["']\s*\)/,
+];
+/**
+ * Best-effort import boundary scanner.
+ *
+ * LIMITATION: regex matching cannot fully parse JavaScript/TypeScript and can miss
+ * dynamic require/template-string patterns. This is an additional guard, not a
+ * replacement for sandboxing/runtime policy enforcement.
+ */
+function isWithinRoot(root, candidatePath) {
+    const relative = path.relative(root, candidatePath);
+    return relative === '' || (!relative.startsWith('..') && !path.isAbsolute(relative));
+}
+function isRuntimeSourceFile(relativePath) {
+    const normalizedPath = relativePath.replace(/\\/g, '/');
+    const extension = path.extname(normalizedPath);
+    const isCodeFile = ['.ts', '.tsx', '.mts', '.cts', '.js', '.mjs', '.cjs'].includes(extension);
+    if (!isCodeFile) {
+        return false;
+    }
+    if (normalizedPath.includes('/__tests__/')) {
+        return false;
+    }
+    return !/\.(test|spec)\.[cm]?[jt]sx?$/.test(normalizedPath);
+}
+function parseToolEntry(entry) {
+    const separator = entry.indexOf('#');
+    const modulePath = separator < 0 ? entry : entry.slice(0, separator);
+    const exportName = separator < 0 ? undefined : entry.slice(separator + 1);
+    if (modulePath.trim().length === 0) {
+        throw new Error(`Pack tool entry "${entry}" is missing a module path.`);
+    }
+    if (exportName !== undefined && exportName.trim().length === 0) {
+        throw new Error(`Pack tool entry "${entry}" has an empty export fragment.`);
+    }
+    return {
+        modulePath,
+        exportName,
+    };
+}
+export function resolvePackToolEntryPath(packRoot, entry) {
+    const absolutePackRoot = path.resolve(packRoot);
+    const { modulePath, exportName } = parseToolEntry(entry);
+    const absoluteModulePath = path.resolve(absolutePackRoot, modulePath);
+    if (!isWithinRoot(absolutePackRoot, absoluteModulePath)) {
+        throw new Error(`Pack tool entry "${entry}" resolves outside pack root.`);
+    }
+    return exportName ? `${absoluteModulePath}#${exportName}` : absoluteModulePath;
+}
+function extractImportSpecifiers(sourceCode) {
+    const specifiers = new Set();
+    for (const pattern of IMPORT_SPECIFIER_PATTERNS) {
+        // Create a fresh global matcher per call to avoid shared RegExp state.
+        const globalPattern = new RegExp(pattern.source, 'g');
+        for (const match of sourceCode.matchAll(globalPattern)) {
+            if (match[1]) {
+                specifiers.add(match[1]);
+            }
+        }
+    }
+    return [...specifiers];
+}
+function isAllowedKernelImport(specifier) {
+    return specifier === '@lumenflow/kernel' || specifier.startsWith('@lumenflow/kernel/');
+}
+function validateImportSpecifier(options) {
+    const { specifier, sourceFilePath, packRoot } = options;
+    if (specifier.startsWith('node:')) {
+        return;
+    }
+    if (NODE_BUILTINS.has(specifier)) {
+        return;
+    }
+    if (isAllowedKernelImport(specifier)) {
+        return;
+    }
+    if (specifier.startsWith('@lumenflow/')) {
+        throw new Error(`Import "${specifier}" in ${sourceFilePath} is not allowed; only @lumenflow/kernel and Node built-ins are permitted.`);
+    }
+    if (path.isAbsolute(specifier)) {
+        throw new Error(`Import "${specifier}" in ${sourceFilePath} resolves outside pack root.`);
+    }
+    if (specifier.startsWith('.')) {
+        const absoluteFilePath = path.resolve(packRoot, sourceFilePath);
+        const resolvedImport = path.resolve(path.dirname(absoluteFilePath), specifier);
+        if (!isWithinRoot(packRoot, resolvedImport)) {
+            throw new Error(`Import "${specifier}" in ${sourceFilePath} resolves outside pack root.`);
+        }
+        return;
+    }
+    if (ALLOWED_BARE_IMPORT_SPECIFIERS.has(specifier)) {
+        return;
+    }
+    throw new Error(`Bare package import "${specifier}" in ${sourceFilePath} is not allowed; only relative imports, @lumenflow/kernel, and Node built-ins are permitted.`);
+}
+export async function validatePackImportBoundaries(packRoot, hashExclusions) {
+    const files = await listPackFiles(packRoot, hashExclusions);
+    const candidateFiles = files.filter((relativePath) => isRuntimeSourceFile(relativePath));
+    for (const relativePath of candidateFiles) {
+        const sourceCode = await readFile(path.join(packRoot, relativePath), UTF8_ENCODING);
+        const importSpecifiers = extractImportSpecifiers(sourceCode);
+        for (const specifier of importSpecifiers) {
+            validateImportSpecifier({
+                specifier,
+                sourceFilePath: relativePath,
+                packRoot,
+            });
+        }
+    }
+}
+function resolvePackPin(workspaceSpec, packId) {
+    const pin = workspaceSpec.packs.find((candidate) => candidate.id === packId);
+    if (!pin) {
+        throw new Error(`Pack "${packId}" is not present in workspace PackPin entries.`);
+    }
+    return pin;
+}
+export class PackLoader {
+    packsRoot;
+    manifestFileName;
+    hashExclusions;
+    runtimeEnvironment;
+    allowDevIntegrityInProduction;
+    packCacheDir;
+    gitClient;
+    registryClient;
+    defaultRegistryUrl;
+    constructor(options) {
+        this.packsRoot = path.resolve(options.packsRoot);
+        this.manifestFileName = options.manifestFileName || PACK_MANIFEST_FILE_NAME;
+        this.hashExclusions = options.hashExclusions;
+        this.runtimeEnvironment = options.runtimeEnvironment ?? process.env.NODE_ENV ?? 'development';
+        this.allowDevIntegrityInProduction = options.allowDevIntegrityInProduction ?? false;
+        this.packCacheDir =
+            options.packCacheDir ?? path.join(homedir(), LUMENFLOW_DIR_NAME, PACK_CACHE_DIR_NAME);
+        this.gitClient = options.gitClient;
+        this.registryClient = options.registryClient;
+        this.defaultRegistryUrl = options.defaultRegistryUrl ?? DEFAULT_REGISTRY_URL;
+    }
+    async load(input) {
+        const pin = resolvePackPin(input.workspaceSpec, input.packId);
+        const packRoot = await this.resolvePackRoot(pin);
+        return this.loadFromDisk(pin, packRoot, input);
+    }
+    /**
+     * Resolve the pack root directory based on the pin source.
+     * For local packs, resolves relative to packsRoot.
+     * For git packs, clones/pulls to the pack cache and checks out the version tag.
+     * For registry packs, fetches metadata and downloads tarball to the pack cache.
+     */
+    async resolvePackRoot(pin) {
+        if (pin.source === 'git') {
+            return this.resolveGitPackRoot(pin);
+        }
+        if (pin.source === 'registry') {
+            return this.resolveRegistryPackRoot(pin);
+        }
+        return path.resolve(this.packsRoot, pin.id);
+    }
+    /**
+     * Resolve a git-sourced pack by cloning or pulling to the pack cache,
+     * then checking out the version tag.
+     */
+    async resolveGitPackRoot(pin) {
+        if (!pin.url) {
+            throw new Error(`Pack "${pin.id}" has source: git but no url field. ` +
+                'Add a url field to the PackPin to specify the git repository.');
+        }
+        if (!this.gitClient) {
+            throw new Error(`Pack "${pin.id}" has source: git but no gitClient was provided to PackLoader. ` +
+                'Pass a gitClient in PackLoaderOptions to load git-sourced packs.');
+        }
+        const packCachePath = path.join(this.packCacheDir, `${pin.id}@${pin.version}`);
+        await mkdir(this.packCacheDir, { recursive: true });
+        const alreadyCached = await this.gitClient.isRepo(packCachePath);
+        if (alreadyCached) {
+            await this.gitClient.pull(packCachePath);
+        }
+        else {
+            await this.gitClient.clone(pin.url, packCachePath);
+        }
+        const versionTag = `${VERSION_TAG_PREFIX}${pin.version}`;
+        await this.gitClient.checkout(packCachePath, versionTag);
+        return packCachePath;
+    }
+    /**
+     * Resolve a registry-sourced pack by fetching metadata and downloading the tarball
+     * to the pack cache. Skips download if the pack is already cached.
+     */
+    async resolveRegistryPackRoot(pin) {
+        if (!this.registryClient) {
+            throw new Error(`Pack "${pin.id}" has source: registry but no registryClient was provided to PackLoader. ` +
+                'Pass a registryClient in PackLoaderOptions to load registry-sourced packs.');
+        }
+        const packCachePath = path.join(this.packCacheDir, `${pin.id}@${pin.version}`);
+        await mkdir(this.packCacheDir, { recursive: true });
+        // Skip download if the pack manifest already exists in cache
+        const manifestCachePath = path.join(packCachePath, this.manifestFileName);
+        const alreadyCached = await access(manifestCachePath)
+            .then(() => true)
+            .catch(() => false);
+        if (!alreadyCached) {
+            const registryUrl = pin.registry_url ?? this.defaultRegistryUrl;
+            const metadata = await this.registryClient.fetchMetadata(pin.id, pin.version, registryUrl);
+            await this.registryClient.downloadTarball(metadata.tarball_url, packCachePath);
+        }
+        return packCachePath;
+    }
+    /**
+     * Load pack from a resolved on-disk directory.
+     * Handles manifest parsing, tool entry validation, import boundary checks,
+     * integrity verification, and dev-mode warnings.
+     */
+    async loadFromDisk(pin, packRoot, input) {
+        const manifestPath = path.join(packRoot, this.manifestFileName);
+        const manifestRaw = await readFile(manifestPath, UTF8_ENCODING);
+        const manifest = DomainPackManifestSchema.parse(YAML.parse(manifestRaw));
+        if (manifest.id !== pin.id) {
+            throw new Error(`Pack manifest id mismatch: expected ${pin.id}, got ${manifest.id}`);
+        }
+        if (manifest.version !== pin.version) {
+            throw new Error(`Pack manifest version mismatch: expected ${pin.version}, got ${manifest.version}`);
+        }
+        for (const tool of manifest.tools) {
+            resolvePackToolEntryPath(packRoot, tool.entry);
+        }
+        await validatePackImportBoundaries(packRoot, this.hashExclusions);
+        const integrity = await computeDeterministicPackHash({
+            packRoot,
+            exclusions: this.hashExclusions,
+        });
+        if (pin.integrity === 'dev') {
+            if (this.runtimeEnvironment === 'production' && !this.allowDevIntegrityInProduction) {
+                throw new Error(`Pack ${pin.id}@${pin.version} uses integrity: dev is not allowed in production.`);
+            }
+            input.onWorkspaceWarning?.({
+                schema_version: 1,
+                kind: KERNEL_EVENT_KINDS.WORKSPACE_WARNING,
+                timestamp: new Date().toISOString(),
+                message: `Pack ${pin.id}@${pin.version} loaded with integrity: dev (verification skipped).`,
+            });
+            return {
+                pin,
+                manifest,
+                packRoot,
+                integrity,
+            };
+        }
+        const expectedIntegrity = pin.integrity.startsWith(SHA256_INTEGRITY_PREFIX)
+            ? pin.integrity.slice(SHA256_INTEGRITY_PREFIX.length)
+            : pin.integrity;
+        if (integrity !== expectedIntegrity) {
+            throw new Error(`Pack integrity mismatch for ${pin.id}: expected ${expectedIntegrity}, got ${integrity}`);
+        }
+        return {
+            pin,
+            manifest,
+            packRoot,
+            integrity,
+        };
+    }
+}
+//# sourceMappingURL=pack-loader.js.map

package/dist/pack/pack-loader.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"pack-loader.js","sourceRoot":"","sources":["../../src/pack/pack-loader.ts"],"names":[],"mappings":"AAAA,iCAAiC;AACjC,sCAAsC;AAEtC,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAC7C,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC3D,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,EAAE,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AAEvD,OAAO,EACL,kBAAkB,EAClB,uBAAuB,EACvB,uBAAuB,EACvB,aAAa,GACd,MAAM,wBAAwB,CAAC;AAChC,OAAO,EAAE,4BAA4B,EAAE,aAAa,EAAE,MAAM,WAAW,CAAC;AACxE,OAAO,EAAE,wBAAwB,EAA2B,MAAM,eAAe,CAAC;AA2ClF,MAAM,mBAAmB,GAAG,YAAqB,CAAC;AAClD,MAAM,kBAAkB,GAAG,GAAY,CAAC;AACxC,MAAM,oBAAoB,GAAG,gCAAyC,CAAC;AAsCvE,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC,UAAU,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC;AACpG,MAAM,8BAA8B,GAAG,IAAI,GAAG,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC;AAC/D,MAAM,yBAAyB,GAAG;IAChC,kDAAkD;IAClD,6CAA6C;IAC7C,oCAAoC;CAC5B,CAAC;AAEX;;;;;;GAMG;AAEH,SAAS,YAAY,CAAC,IAAY,EAAE,aAAqB;IACvD,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,aAAa,CAAC,CAAC;IACpD,OAAO,QAAQ,KAAK,EAAE,IAAI,CAAC,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC;AACvF,CAAC;AAED,SAAS,mBAAmB,CAAC,YAAoB;IAC/C,MAAM,cAAc,GAAG,YAAY,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IACxD,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC;IAC/C,MAAM,UAAU,GAAG,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;IAC9F,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,OAAO,KAAK,CAAC;IACf,CAAC;IAED,IAAI,cAAc,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;QAC3C,OAAO,KAAK,CAAC;IACf,CAAC;IAED,OAAO,CAAC,8BAA8B,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;AAC9D,CAAC;AAED,SAAS,cAAc,CAAC,KAAa;IACnC,MAAM,SAAS,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACrC,MAAM,UAAU,GAAG,SAAS,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC;IACrE,MAAM,UAAU,GAAG,SAAS,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,SAAS,GAAG,CAAC,CAAC,CAAC;IAE1E,IAAI,UAAU,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACnC,MAAM,IAAI,KAAK,CAAC,oBAAoB,KAAK,6BAA6B,CAAC,CAAC;IAC1E,CAAC;IACD,IAAI,UAAU,KAAK,SAAS,IAAI,UAAU,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC/D,MAAM,IAAI,KAAK,CAAC,oBAAoB,KAAK,iCAAiC,CAAC,CAAC;IAC9E,CAAC;IAED,OAAO;QACL,UAAU;QACV,UAAU;KACX,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,wBAAwB,CAAC,QAAgB,EAAE,KAAa;IACtE,MAAM,gBAAgB,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IAChD,MAAM,EAAE,UAAU,EAAE,UAAU,EAAE,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC;IACzD,MAAM,kBAAkB,GAAG,IAAI,CAAC,OAAO,CAAC,gBAAgB,EAAE,UAAU,CAAC,CAAC;IAEtE,IAAI,CAAC,YAAY,CAAC,gBAAgB,EAAE,kBAAkB,CAAC,EAAE,CAAC;QACxD,MAAM,IAAI,KAAK,CAAC,oBAAoB,KAAK,+BAA+B,CAAC,CAAC;IAC5E,CAAC;IAED,OAAO,UAAU,CAAC,CAAC,CAAC,GAAG,kBAAkB,IAAI,UAAU,EAAE,CAAC,CAAC,CAAC,kBAAkB,CAAC;AACjF,CAAC;AAED,SAAS,uBAAuB,CAAC,UAAkB;IACjD,MAAM,UAAU,GAAG,IAAI,GAAG,EAAU,CAAC;IACrC,KAAK,MAAM,OAAO,IAAI,yBAAyB,EAAE,CAAC;QAChD,uEAAuE;QACvE,MAAM,aAAa,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QACtD,KAAK,MAAM,KAAK,IAAI,UAAU,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;YACvD,IAAI,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;gBACb,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;YAC3B,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,CAAC,GAAG,UAAU,CAAC,CAAC;AACzB,CAAC;AAED,SAAS,qBAAqB,CAAC,SAAiB;IAC9C,OAAO,SAAS,KAAK,mBAAmB,IAAI,SAAS,CAAC,UAAU,CAAC,oBAAoB,CAAC,CAAC;AACzF,CAAC;AAED,SAAS,uBAAuB,CAAC,OAIhC;IACC,MAAM,EAAE,SAAS,EAAE,cAAc,EAAE,QAAQ,EAAE,GAAG,OAAO,CAAC;IAExD,IAAI,SAAS,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QAClC,OAAO;IACT,CAAC;IAED,IAAI,aAAa,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC;QACjC,OAAO;IACT,CAAC;IAED,IAAI,qBAAqB,CAAC,SAAS,CAAC,EAAE,CAAC;QACrC,OAAO;IACT,CAAC;IAED,IAAI,SAAS,CAAC,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;QACxC,MAAM,IAAI,KAAK,CACb,WAAW,SAAS,QAAQ,cAAc,2EAA2E,CACtH,CAAC;IACJ,CAAC;IAED,IAAI,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CAAC,WAAW,SAAS,QAAQ,cAAc,8BAA8B,CAAC,CAAC;IAC5F,CAAC;IAED,IAAI,SAAS,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QAC9B,MAAM,gBAAgB,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC;QAChE,MAAM,cAAc,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,gBAAgB,CAAC,EAAE,SAAS,CAAC,CAAC;QAC/E,IAAI,CAAC,YAAY,CAAC,QAAQ,EAAE,cAAc,CAAC,EAAE,CAAC;YAC5C,MAAM,IAAI,KAAK,CAAC,WAAW,SAAS,QAAQ,cAAc,8BAA8B,CAAC,CAAC;QAC5F,CAAC;QACD,OAAO;IACT,CAAC;IAED,IAAI,8BAA8B,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC;QAClD,OAAO;IACT,CAAC;IAED,MAAM,IAAI,KAAK,CACb,wBAAwB,SAAS,QAAQ,cAAc,8FAA8F,CACtJ,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,4BAA4B,CAChD,QAAgB,EAChB,cAAyB;IAEzB,MAAM,KAAK,GAAG,MAAM,aAAa,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC;IAC5D,MAAM,cAAc,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,YAAY,EAAE,EAAE,CAAC,mBAAmB,CAAC,YAAY,CAAC,CAAC,CAAC;IAEzF,KAAK,MAAM,YAAY,IAAI,cAAc,EAAE,CAAC;QAC1C,MAAM,UAAU,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,YAAY,CAAC,EAAE,aAAa,CAAC,CAAC;QACpF,MAAM,gBAAgB,GAAG,uBAAuB,CAAC,UAAU,CAAC,CAAC;QAC7D,KAAK,MAAM,SAAS,IAAI,gBAAgB,EAAE,CAAC;YACzC,uBAAuB,CAAC;gBACtB,SAAS;gBACT,cAAc,EAAE,YAAY;gBAC5B,QAAQ;aACT,CAAC,CAAC;QACL,CAAC;IACH,CAAC;AACH,CAAC;AAED,SAAS,cAAc,CAAC,aAA4B,EAAE,MAAc;IAClE,MAAM,GAAG,GAAG,aAAa,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,EAAE,KAAK,MAAM,CAAC,CAAC;IAC7E,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,MAAM,IAAI,KAAK,CAAC,SAAS,MAAM,gDAAgD,CAAC,CAAC;IACnF,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,MAAM,OAAO,UAAU;IACJ,SAAS,CAAS;IAClB,gBAAgB,CAAS;IACzB,cAAc,CAAY;IAC1B,kBAAkB,CAAS;IAC3B,6BAA6B,CAAU;IACvC,YAAY,CAAS;IACrB,SAAS,CAAa;IACtB,cAAc,CAAkB;IAChC,kBAAkB,CAAS;IAE5C,YAAY,OAA0B;QACpC,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QACjD,IAAI,CAAC,gBAAgB,GAAG,OAAO,CAAC,gBAAgB,IAAI,uBAAuB,CAAC;QAC5E,IAAI,CAAC,cAAc,GAAG,OAAO,CAAC,cAAc,CAAC;QAC7C,IAAI,CAAC,kBAAkB,GAAG,OAAO,CAAC,kBAAkB,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,IAAI,aAAa,CAAC;QAC9F,IAAI,CAAC,6BAA6B,GAAG,OAAO,CAAC,6BAA6B,IAAI,KAAK,CAAC;QACpF,IAAI,CAAC,YAAY;YACf,OAAO,CAAC,YAAY,IAAI,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,kBAAkB,EAAE,mBAAmB,CAAC,CAAC;QACxF,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,CAAC;QACnC,IAAI,CAAC,cAAc,GAAG,OAAO,CAAC,cAAc,CAAC;QAC7C,IAAI,CAAC,kBAAkB,GAAG,OAAO,CAAC,kBAAkB,IAAI,oBAAoB,CAAC;IAC/E,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,KAAoB;QAC7B,MAAM,GAAG,GAAG,cAAc,CAAC,KAAK,CAAC,aAAa,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;QAC9D,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC;QACjD,OAAO,IAAI,CAAC,YAAY,CAAC,GAAG,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC;IACjD,CAAC;IAED;;;;;OAKG;IACK,KAAK,CAAC,eAAe,CAAC,GAAY;QACxC,IAAI,GAAG,CAAC,MAAM,KAAK,KAAK,EAAE,CAAC;YACzB,OAAO,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,CAAC;QACtC,CAAC;QACD,IAAI,GAAG,CAAC,MAAM,KAAK,UAAU,EAAE,CAAC;YAC9B,OAAO,IAAI,CAAC,uBAAuB,CAAC,GAAG,CAAC,CAAC;QAC3C,CAAC;QACD,OAAO,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,SAAS,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC;IAC9C,CAAC;IAED;;;OAGG;IACK,KAAK,CAAC,kBAAkB,CAAC,GAAY;QAC3C,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC;YACb,MAAM,IAAI,KAAK,CACb,SAAS,GAAG,CAAC,EAAE,sCAAsC;gBACnD,+DAA+D,CAClE,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC;YACpB,MAAM,IAAI,KAAK,CACb,SAAS,GAAG,CAAC,EAAE,iEAAiE;gBAC9E,kEAAkE,CACrE,CAAC;QACJ,CAAC;QAED,MAAM,aAAa,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,GAAG,GAAG,CAAC,EAAE,IAAI,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;QAE/E,MAAM,KAAK,CAAC,IAAI,CAAC,YAAY,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAEpD,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;QAEjE,IAAI,aAAa,EAAE,CAAC;YAClB,MAAM,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QAC3C,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,aAAa,CAAC,CAAC;QACrD,CAAC;QAED,MAAM,UAAU,GAAG,GAAG,kBAAkB,GAAG,GAAG,CAAC,OAAO,EAAE,CAAC;QACzD,MAAM,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,aAAa,EAAE,UAAU,CAAC,CAAC;QAEzD,OAAO,aAAa,CAAC;IACvB,CAAC;IAED;;;OAGG;IACK,KAAK,CAAC,uBAAuB,CAAC,GAAY;QAChD,IAAI,CAAC,IAAI,CAAC,cAAc,EAAE,CAAC;YACzB,MAAM,IAAI,KAAK,CACb,SAAS,GAAG,CAAC,EAAE,2EAA2E;gBACxF,4EAA4E,CAC/E,CAAC;QACJ,CAAC;QAED,MAAM,aAAa,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,GAAG,GAAG,CAAC,EAAE,IAAI,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;QAE/E,MAAM,KAAK,CAAC,IAAI,CAAC,YAAY,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAEpD,6DAA6D;QAC7D,MAAM,iBAAiB,GAAG,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,IAAI,CAAC,gBAAgB,CAAC,CAAC;QAC1E,MAAM,aAAa,GAAG,MAAM,MAAM,CAAC,iBAAiB,CAAC;aAClD,IAAI,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC;aAChB,KAAK,CAAC,GAAG,EAAE,CAAC,KAAK,CAAC,CAAC;QAEtB,IAAI,CAAC,aAAa,EAAE,CAAC;YACnB,MAAM,WAAW,GAAG,GAAG,CAAC,YAAY,IAAI,IAAI,CAAC,kBAAkB,CAAC;YAChE,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,aAAa,CAAC,GAAG,CAAC,EAAE,EAAE,GAAG,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;YAC3F,MAAM,IAAI,CAAC,cAAc,CAAC,eAAe,CAAC,QAAQ,CAAC,WAAW,EAAE,aAAa,CAAC,CAAC;QACjF,CAAC;QAED,OAAO,aAAa,CAAC;IACvB,CAAC;IAED;;;;OAIG;IACK,KAAK,CAAC,YAAY,CACxB,GAAY,EACZ,QAAgB,EAChB,KAAoB;QAEpB,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,gBAAgB,CAAC,CAAC;QAChE,MAAM,WAAW,GAAG,MAAM,QAAQ,CAAC,YAAY,EAAE,aAAa,CAAC,CAAC;QAChE,MAAM,QAAQ,GAAG,wBAAwB,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC,CAAC;QAEzE,IAAI,QAAQ,CAAC,EAAE,KAAK,GAAG,CAAC,EAAE,EAAE,CAAC;YAC3B,MAAM,IAAI,KAAK,CAAC,uCAAuC,GAAG,CAAC,EAAE,SAAS,QAAQ,CAAC,EAAE,EAAE,CAAC,CAAC;QACvF,CAAC;QACD,IAAI,QAAQ,CAAC,OAAO,KAAK,GAAG,CAAC,OAAO,EAAE,CAAC;YACrC,MAAM,IAAI,KAAK,CACb,4CAA4C,GAAG,CAAC,OAAO,SAAS,QAAQ,CAAC,OAAO,EAAE,CACnF,CAAC;QACJ,CAAC;QAED,KAAK,MAAM,IAAI,IAAI,QAAQ,CAAC,KAAK,EAAE,CAAC;YAClC,wBAAwB,CAAC,QAAQ,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC;QACjD,CAAC;QAED,MAAM,4BAA4B,CAAC,QAAQ,EAAE,IAAI,CAAC,cAAc,CAAC,CAAC;QAElE,MAAM,SAAS,GAAG,MAAM,4BAA4B,CAAC;YACnD,QAAQ;YACR,UAAU,EAAE,IAAI,CAAC,cAAc;SAChC,CAAC,CAAC;QAEH,IAAI,GAAG,CAAC,SAAS,KAAK,KAAK,EAAE,CAAC;YAC5B,IAAI,IAAI,CAAC,kBAAkB,KAAK,YAAY,IAAI,CAAC,IAAI,CAAC,6BAA6B,EAAE,CAAC;gBACpF,MAAM,IAAI,KAAK,CACb,QAAQ,GAAG,CAAC,EAAE,IAAI,GAAG,CAAC,OAAO,oDAAoD,CAClF,CAAC;YACJ,CAAC;YAED,KAAK,CAAC,kBAAkB,EAAE,CAAC;gBACzB,cAAc,EAAE,CAAC;gBACjB,IAAI,EAAE,kBAAkB,CAAC,iBAAiB;gBAC1C,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;gBACnC,OAAO,EAAE,QAAQ,GAAG,CAAC,EAAE,IAAI,GAAG,CAAC,OAAO,qDAAqD;aAC5F,CAAC,CAAC;YACH,OAAO;gBACL,GAAG;gBACH,QAAQ;gBACR,QAAQ;gBACR,SAAS;aACV,CAAC;QACJ,CAAC;QAED,MAAM,iBAAiB,GAAG,GAAG,CAAC,SAAS,CAAC,UAAU,CAAC,uBAAuB,CAAC;YACzE,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,KAAK,CAAC,uBAAuB,CAAC,MAAM,CAAC;YACrD,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC;QAClB,IAAI,SAAS,KAAK,iBAAiB,EAAE,CAAC;YACpC,MAAM,IAAI,KAAK,CACb,+BAA+B,GAAG,CAAC,EAAE,cAAc,iBAAiB,SAAS,SAAS,EAAE,CACzF,CAAC;QACJ,CAAC;QAED,OAAO;YACL,GAAG;YACH,QAAQ;YACR,QAAQ;YACR,SAAS;SACV,CAAC;IACJ,CAAC;CACF"}

package/dist/policy/approval-event.d.ts

@@ -0,0 +1,29 @@
+import { z } from 'zod';
+export declare const ApprovalScopeSchema: z.ZodObject<{
+    level: z.ZodEnum<{
+        task: "task";
+        workspace: "workspace";
+        pack: "pack";
+        lane: "lane";
+    }>;
+    id: z.ZodString;
+}, z.core.$strip>;
+export declare const ApprovalEventSchema: z.ZodObject<{
+    schema_version: z.ZodLiteral<1>;
+    kind: z.ZodLiteral<"approval_event">;
+    run_id: z.ZodString;
+    scope: z.ZodObject<{
+        level: z.ZodEnum<{
+            task: "task";
+            workspace: "workspace";
+            pack: "pack";
+            lane: "lane";
+        }>;
+        id: z.ZodString;
+    }, z.core.$strip>;
+    approved_by: z.ZodString;
+    expires_at: z.ZodString;
+    reason: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>;
+export type ApprovalEvent = z.infer<typeof ApprovalEventSchema>;
+//# sourceMappingURL=approval-event.d.ts.map

package/dist/policy/approval-event.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"approval-event.d.ts","sourceRoot":"","sources":["../../src/policy/approval-event.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,eAAO,MAAM,mBAAmB;;;;;;;;iBAG9B,CAAC;AAEH,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;;iBAQ9B,CAAC;AAEH,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC"}

package/dist/policy/approval-event.js

@@ -0,0 +1,17 @@
+// Copyright (c) 2026 Hellmai Ltd
+// SPDX-License-Identifier: Apache-2.0
+import { z } from 'zod';
+export const ApprovalScopeSchema = z.object({
+    level: z.enum(['workspace', 'lane', 'pack', 'task']),
+    id: z.string().min(1),
+});
+export const ApprovalEventSchema = z.object({
+    schema_version: z.literal(1),
+    kind: z.literal('approval_event'),
+    run_id: z.string().min(1),
+    scope: ApprovalScopeSchema,
+    approved_by: z.string().min(1),
+    expires_at: z.string().datetime(),
+    reason: z.string().min(1).optional(),
+});
+//# sourceMappingURL=approval-event.js.map

package/dist/policy/approval-event.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"approval-event.js","sourceRoot":"","sources":["../../src/policy/approval-event.ts"],"names":[],"mappings":"AAAA,iCAAiC;AACjC,sCAAsC;AAEtC,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,MAAM,CAAC,MAAM,mBAAmB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC1C,KAAK,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;IACpD,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;CACtB,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,mBAAmB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC1C,cAAc,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;IAC5B,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,gBAAgB,CAAC;IACjC,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACzB,KAAK,EAAE,mBAAmB;IAC1B,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC9B,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACjC,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;CACrC,CAAC,CAAC"}

package/dist/policy/index.d.ts

@@ -0,0 +1,3 @@
+export * from './approval-event.js';
+export * from './policy-engine.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/policy/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/policy/index.ts"],"names":[],"mappings":"AAGA,cAAc,qBAAqB,CAAC;AACpC,cAAc,oBAAoB,CAAC"}

package/dist/policy/index.js

@@ -0,0 +1,5 @@
+// Copyright (c) 2026 Hellmai Ltd
+// SPDX-License-Identifier: Apache-2.0
+export * from './approval-event.js';
+export * from './policy-engine.js';
+//# sourceMappingURL=index.js.map

package/dist/policy/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/policy/index.ts"],"names":[],"mappings":"AAAA,iCAAiC;AACjC,sCAAsC;AAEtC,cAAc,qBAAqB,CAAC;AACpC,cAAc,oBAAoB,CAAC"}

package/dist/policy/policy-engine.d.ts

@@ -0,0 +1,52 @@
+import type { PolicyDecision } from '../kernel.schemas.js';
+export declare const POLICY_TRIGGERS: {
+    readonly ON_TOOL_REQUEST: "on_tool_request";
+    readonly ON_CLAIM: "on_claim";
+    readonly ON_COMPLETION: "on_completion";
+    readonly ON_EVIDENCE_ADDED: "on_evidence_added";
+};
+export type PolicyTrigger = (typeof POLICY_TRIGGERS)[keyof typeof POLICY_TRIGGERS];
+export type PolicyLayerLevel = 'workspace' | 'lane' | 'pack' | 'task';
+export type PolicyEffect = 'allow' | 'deny';
+export interface PolicyEvaluationContext {
+    trigger: PolicyTrigger;
+    run_id: string;
+    tool_name?: string;
+    task_id?: string;
+    lane_id?: string;
+    pack_id?: string;
+}
+export interface PolicyRule {
+    id: string;
+    trigger: PolicyTrigger;
+    decision: PolicyEffect;
+    reason?: string;
+    when?: (context: PolicyEvaluationContext) => boolean;
+}
+export interface PolicyLayer {
+    level: PolicyLayerLevel;
+    default_decision?: PolicyEffect;
+    /**
+     * Opt-in for this layer to relax inherited deny defaults/rules.
+     *
+     * Important boundary: explicit deny rules remain sticky across the full
+     * evaluation. allow_loosening never overrides a hard deny emitted by an
+     * earlier layer.
+     */
+    allow_loosening?: boolean;
+    rules: PolicyRule[];
+}
+export interface PolicyEngineOptions {
+    layers: PolicyLayer[];
+}
+export interface PolicyEvaluationResult {
+    decision: PolicyEffect;
+    decisions: PolicyDecision[];
+    warnings: string[];
+}
+export declare class PolicyEngine {
+    private readonly layers;
+    constructor(options: PolicyEngineOptions);
+    evaluate(context: PolicyEvaluationContext): Promise<PolicyEvaluationResult>;
+}
+//# sourceMappingURL=policy-engine.d.ts.map

package/dist/policy/policy-engine.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy-engine.d.ts","sourceRoot":"","sources":["../../src/policy/policy-engine.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAE3D,eAAO,MAAM,eAAe;;;;;CAKlB,CAAC;AAEX,MAAM,MAAM,aAAa,GAAG,CAAC,OAAO,eAAe,CAAC,CAAC,MAAM,OAAO,eAAe,CAAC,CAAC;AACnF,MAAM,MAAM,gBAAgB,GAAG,WAAW,GAAG,MAAM,GAAG,MAAM,GAAG,MAAM,CAAC;AACtE,MAAM,MAAM,YAAY,GAAG,OAAO,GAAG,MAAM,CAAC;AAE5C,MAAM,WAAW,uBAAuB;IACtC,OAAO,EAAE,aAAa,CAAC;IACvB,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,UAAU;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,OAAO,EAAE,aAAa,CAAC;IACvB,QAAQ,EAAE,YAAY,CAAC;IACvB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,uBAAuB,KAAK,OAAO,CAAC;CACtD;AAED,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,gBAAgB,CAAC;IACxB,gBAAgB,CAAC,EAAE,YAAY,CAAC;IAChC;;;;;;OAMG;IACH,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,KAAK,EAAE,UAAU,EAAE,CAAC;CACrB;AAED,MAAM,WAAW,mBAAmB;IAClC,MAAM,EAAE,WAAW,EAAE,CAAC;CACvB;AAED,MAAM,WAAW,sBAAsB;IACrC,QAAQ,EAAE,YAAY,CAAC;IACvB,SAAS,EAAE,cAAc,EAAE,CAAC;IAC5B,QAAQ,EAAE,MAAM,EAAE,CAAC;CACpB;AAyBD,qBAAa,YAAY;IACvB,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAgB;gBAE3B,OAAO,EAAE,mBAAmB;IAMlC,QAAQ,CAAC,OAAO,EAAE,uBAAuB,GAAG,OAAO,CAAC,sBAAsB,CAAC;CA0DlF"}

package/dist/policy/policy-engine.js

@@ -0,0 +1,83 @@
+// Copyright (c) 2026 Hellmai Ltd
+// SPDX-License-Identifier: Apache-2.0
+export const POLICY_TRIGGERS = {
+    ON_TOOL_REQUEST: 'on_tool_request',
+    ON_CLAIM: 'on_claim',
+    ON_COMPLETION: 'on_completion',
+    ON_EVIDENCE_ADDED: 'on_evidence_added',
+};
+const POLICY_LAYER_ORDER = ['workspace', 'lane', 'pack', 'task'];
+function layerOrderScore(level) {
+    const index = POLICY_LAYER_ORDER.indexOf(level);
+    return index < 0 ? POLICY_LAYER_ORDER.length : index;
+}
+function matchingRules(layer, context) {
+    return layer.rules.filter((rule) => {
+        if (rule.trigger !== context.trigger) {
+            return false;
+        }
+        if (!rule.when) {
+            return true;
+        }
+        return rule.when(context);
+    });
+}
+function canLoosen(layer) {
+    return layer.allow_loosening === true;
+}
+export class PolicyEngine {
+    layers;
+    constructor(options) {
+        this.layers = [...options.layers].sort((left, right) => layerOrderScore(left.level) - layerOrderScore(right.level));
+    }
+    async evaluate(context) {
+        let effectiveDecision = 'deny';
+        let hasInitializedDecision = false;
+        // Once a deny rule matches, deny-wins is sticky until evaluation completes.
+        let hasHardDeny = false;
+        const warnings = [];
+        const decisions = [];
+        for (const layer of this.layers) {
+            if (!hasInitializedDecision) {
+                if (layer.default_decision) {
+                    effectiveDecision = layer.default_decision;
+                }
+                hasInitializedDecision = true;
+            }
+            else if (layer.default_decision) {
+                if (effectiveDecision === 'deny' &&
+                    layer.default_decision === 'allow' &&
+                    !canLoosen(layer)) {
+                    warnings.push(`Policy layer "${layer.level}" attempted loosening default decision without explicit opt-in.`);
+                }
+                else {
+                    effectiveDecision = layer.default_decision;
+                }
+            }
+            const layerRules = matchingRules(layer, context);
+            for (const rule of layerRules) {
+                decisions.push({
+                    policy_id: rule.id,
+                    decision: rule.decision,
+                    reason: rule.reason,
+                });
+                if (rule.decision === 'deny') {
+                    hasHardDeny = true;
+                    effectiveDecision = 'deny';
+                    continue;
+                }
+                if (effectiveDecision === 'deny' && !canLoosen(layer)) {
+                    warnings.push(`Policy layer "${layer.level}" attempted loosening via rule "${rule.id}" without explicit opt-in.`);
+                    continue;
+                }
+                effectiveDecision = 'allow';
+            }
+        }
+        return {
+            decision: hasHardDeny ? 'deny' : effectiveDecision,
+            decisions,
+            warnings,
+        };
+    }
+}
+//# sourceMappingURL=policy-engine.js.map

package/dist/policy/policy-engine.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy-engine.js","sourceRoot":"","sources":["../../src/policy/policy-engine.ts"],"names":[],"mappings":"AAAA,iCAAiC;AACjC,sCAAsC;AAItC,MAAM,CAAC,MAAM,eAAe,GAAG;IAC7B,eAAe,EAAE,iBAAiB;IAClC,QAAQ,EAAE,UAAU;IACpB,aAAa,EAAE,eAAe;IAC9B,iBAAiB,EAAE,mBAAmB;CAC9B,CAAC;AA+CX,MAAM,kBAAkB,GAAuB,CAAC,WAAW,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;AAErF,SAAS,eAAe,CAAC,KAAuB;IAC9C,MAAM,KAAK,GAAG,kBAAkB,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IAChD,OAAO,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,kBAAkB,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC;AACvD,CAAC;AAED,SAAS,aAAa,CAAC,KAAkB,EAAE,OAAgC;IACzE,OAAO,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE;QACjC,IAAI,IAAI,CAAC,OAAO,KAAK,OAAO,CAAC,OAAO,EAAE,CAAC;YACrC,OAAO,KAAK,CAAC;QACf,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;YACf,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,SAAS,CAAC,KAAkB;IACnC,OAAO,KAAK,CAAC,eAAe,KAAK,IAAI,CAAC;AACxC,CAAC;AAED,MAAM,OAAO,YAAY;IACN,MAAM,CAAgB;IAEvC,YAAY,OAA4B;QACtC,IAAI,CAAC,MAAM,GAAG,CAAC,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,IAAI,CACpC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC,eAAe,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,eAAe,CAAC,KAAK,CAAC,KAAK,CAAC,CAC5E,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,OAAgC;QAC7C,IAAI,iBAAiB,GAAiB,MAAM,CAAC;QAC7C,IAAI,sBAAsB,GAAG,KAAK,CAAC;QACnC,4EAA4E;QAC5E,IAAI,WAAW,GAAG,KAAK,CAAC;QACxB,MAAM,QAAQ,GAAa,EAAE,CAAC;QAC9B,MAAM,SAAS,GAAqB,EAAE,CAAC;QAEvC,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChC,IAAI,CAAC,sBAAsB,EAAE,CAAC;gBAC5B,IAAI,KAAK,CAAC,gBAAgB,EAAE,CAAC;oBAC3B,iBAAiB,GAAG,KAAK,CAAC,gBAAgB,CAAC;gBAC7C,CAAC;gBACD,sBAAsB,GAAG,IAAI,CAAC;YAChC,CAAC;iBAAM,IAAI,KAAK,CAAC,gBAAgB,EAAE,CAAC;gBAClC,IACE,iBAAiB,KAAK,MAAM;oBAC5B,KAAK,CAAC,gBAAgB,KAAK,OAAO;oBAClC,CAAC,SAAS,CAAC,KAAK,CAAC,EACjB,CAAC;oBACD,QAAQ,CAAC,IAAI,CACX,iBAAiB,KAAK,CAAC,KAAK,iEAAiE,CAC9F,CAAC;gBACJ,CAAC;qBAAM,CAAC;oBACN,iBAAiB,GAAG,KAAK,CAAC,gBAAgB,CAAC;gBAC7C,CAAC;YACH,CAAC;YAED,MAAM,UAAU,GAAG,aAAa,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;YACjD,KAAK,MAAM,IAAI,IAAI,UAAU,EAAE,CAAC;gBAC9B,SAAS,CAAC,IAAI,CAAC;oBACb,SAAS,EAAE,IAAI,CAAC,EAAE;oBAClB,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,MAAM,EAAE,IAAI,CAAC,MAAM;iBACpB,CAAC,CAAC;gBAEH,IAAI,IAAI,CAAC,QAAQ,KAAK,MAAM,EAAE,CAAC;oBAC7B,WAAW,GAAG,IAAI,CAAC;oBACnB,iBAAiB,GAAG,MAAM,CAAC;oBAC3B,SAAS;gBACX,CAAC;gBAED,IAAI,iBAAiB,KAAK,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,EAAE,CAAC;oBACtD,QAAQ,CAAC,IAAI,CACX,iBAAiB,KAAK,CAAC,KAAK,mCAAmC,IAAI,CAAC,EAAE,4BAA4B,CACnG,CAAC;oBACF,SAAS;gBACX,CAAC;gBACD,iBAAiB,GAAG,OAAO,CAAC;YAC9B,CAAC;QACH,CAAC;QAED,OAAO;YACL,QAAQ,EAAE,WAAW,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,iBAAiB;YAClD,SAAS;YACT,QAAQ;SACT,CAAC;IACJ,CAAC;CACF"}

package/dist/runtime/index.d.ts

@@ -0,0 +1,2 @@
+export * from './kernel-runtime.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/runtime/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/runtime/index.ts"],"names":[],"mappings":"AAGA,cAAc,qBAAqB,CAAC"}

package/dist/runtime/index.js

@@ -0,0 +1,4 @@
+// Copyright (c) 2026 Hellmai Ltd
+// SPDX-License-Identifier: Apache-2.0
+export * from './kernel-runtime.js';
+//# sourceMappingURL=index.js.map