@mandatez/sdk 0.1.0

package/dist/integrations/langchain/index.js

@@ -0,0 +1,91 @@
+/**
+ * MandateZ callback handler for LangChain.
+ *
+ * Implements the LangChain BaseCallbackHandler interface structurally —
+ * no @langchain/core dependency required. Pass this to any LangChain
+ * chain, agent, or LLM via the `callbacks` option.
+ *
+ * Tracked events:
+ *   - handleLLMStart      → action_type: 'call',   resource: 'langchain/llm:{model}'
+ *   - handleToolStart     → action_type: 'call',   resource: 'langchain/tool:{name}'
+ *   - handleToolEnd       → action_type: 'call',   resource: 'langchain/tool:{name}'
+ *   - handleChainError    → action_type: 'call',   resource: 'langchain/chain'
+ */
+export class MandateZLangChainCallback {
+    name = 'MandateZLangChainCallback';
+    client;
+    events = [];
+    constructor(client) {
+        this.client = client;
+    }
+    /** Returns all events tracked during this callback's lifetime. */
+    getEvents() {
+        return [...this.events];
+    }
+    /**
+     * Called when an LLM starts processing.
+     */
+    async handleLLMStart(llm, prompts) {
+        const model = llm.name ?? llm.id?.join('/') ?? 'unknown';
+        const event = await this.client.track({
+            action_type: 'call',
+            resource: `langchain/llm:${model}`,
+            outcome: 'allowed',
+            metadata: {
+                hook: 'llm_start',
+                model,
+                prompt_count: prompts.length,
+            },
+        });
+        this.events.push(event);
+    }
+    /**
+     * Called when a tool starts executing.
+     */
+    async handleToolStart(tool, input) {
+        const toolName = tool.name ?? tool.id ?? 'unknown';
+        const event = await this.client.track({
+            action_type: 'call',
+            resource: `langchain/tool:${toolName}`,
+            outcome: 'pending_approval',
+            metadata: {
+                hook: 'tool_start',
+                tool: toolName,
+                input_length: input.length,
+            },
+        });
+        this.events.push(event);
+    }
+    /**
+     * Called when a tool finishes executing.
+     */
+    async handleToolEnd(output) {
+        const event = await this.client.track({
+            action_type: 'call',
+            resource: 'langchain/tool',
+            outcome: 'allowed',
+            metadata: {
+                hook: 'tool_end',
+                output_length: output.length,
+            },
+        });
+        this.events.push(event);
+    }
+    /**
+     * Called when a chain encounters an error.
+     */
+    async handleChainError(error) {
+        const message = error instanceof Error ? error.message : String(error);
+        const event = await this.client.track({
+            action_type: 'call',
+            resource: 'langchain/chain',
+            outcome: 'flagged',
+            metadata: {
+                hook: 'chain_error',
+                error: message,
+            },
+        });
+        this.events.push(event);
+    }
+}
+//# sourceMappingURL=index.js.map

package/dist/integrations/langchain/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/integrations/langchain/index.ts"],"names":[],"mappings":"AAGA;;;;;;;;;;;;GAYG;AACH,MAAM,OAAO,yBAAyB;IACpC,IAAI,GAAG,2BAA2B,CAAC;IAE3B,MAAM,CAAiB;IACvB,MAAM,GAAiB,EAAE,CAAC;IAElC,YAAY,MAAsB;QAChC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACvB,CAAC;IAED,kEAAkE;IAClE,SAAS;QACP,OAAO,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC;IAC1B,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,cAAc,CAClB,GAAqC,EACrC,OAAiB;QAEjB,MAAM,KAAK,GAAG,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,EAAE,EAAE,IAAI,CAAC,GAAG,CAAC,IAAI,SAAS,CAAC;QACzD,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC;YACpC,WAAW,EAAE,MAAM;YACnB,QAAQ,EAAE,iBAAiB,KAAK,EAAE;YAClC,OAAO,EAAE,SAAS;YAClB,QAAQ,EAAE;gBACR,IAAI,EAAE,WAAW;gBACjB,KAAK;gBACL,YAAY,EAAE,OAAO,CAAC,MAAM;aAC7B;SACF,CAAC,CAAC;QACH,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC1B,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,eAAe,CACnB,IAAoC,EACpC,KAAa;QAEb,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,EAAE,IAAI,SAAS,CAAC;QACnD,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC;YACpC,WAAW,EAAE,MAAM;YACnB,QAAQ,EAAE,kBAAkB,QAAQ,EAAE;YACtC,OAAO,EAAE,kBAAkB;YAC3B,QAAQ,EAAE;gBACR,IAAI,EAAE,YAAY;gBAClB,IAAI,EAAE,QAAQ;gBACd,YAAY,EAAE,KAAK,CAAC,MAAM;aAC3B;SACF,CAAC,CAAC;QACH,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC1B,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,aAAa,CAAC,MAAc;QAChC,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC;YACpC,WAAW,EAAE,MAAM;YACnB,QAAQ,EAAE,gBAAgB;YAC1B,OAAO,EAAE,SAAS;YAClB,QAAQ,EAAE;gBACR,IAAI,EAAE,UAAU;gBAChB,aAAa,EAAE,MAAM,CAAC,MAAM;aAC7B;SACF,CAAC,CAAC;QACH,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC1B,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,gBAAgB,CAAC,KAAc;QACnC,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACvE,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC;YACpC,WAAW,EAAE,MAAM;YACnB,QAAQ,EAAE,iBAAiB;YAC3B,OAAO,EAAE,SAAS;YAClB,QAAQ,EAAE;gBACR,IAAI,EAAE,aAAa;gBACnB,KAAK,EAAE,OAAO;aACf;SACF,CAAC,CAAC;QACH,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC1B,CAAC;CACF"}

package/dist/integrations/n8n/index.d.ts

@@ -0,0 +1,26 @@
+import { MandateZClient } from '../../client.js';
+import type { AgentEvent } from '../../events/schema.js';
+export interface N8nExecutionContext {
+    workflowId: string;
+    nodeName: string;
+}
+/**
+ * MandateZ hook for n8n workflows.
+ *
+ * Drop this into any n8n custom node or credential hook to get
+ * cryptographically signed audit logs for every workflow execution.
+ */
+export declare class MandateZN8nHook {
+    private client;
+    constructor(client: MandateZClient);
+    /**
+     * Call before a node executes. Logs a 'call' action with 'pending_approval'.
+     */
+    beforeExecution(workflowId: string, nodeName: string, inputData: Record<string, unknown>): Promise<AgentEvent>;
+    /**
+     * Call after a node executes. Logs a 'call' action with
+     * 'allowed' on success or 'flagged' on failure.
+     */
+    afterExecution(workflowId: string, nodeName: string, outputData: Record<string, unknown>, success: boolean): Promise<AgentEvent>;
+}
+//# sourceMappingURL=index.d.ts.map

package/dist/integrations/n8n/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/integrations/n8n/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAC;AACjD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AAEzD,MAAM,WAAW,mBAAmB;IAClC,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAMD;;;;;GAKG;AACH,qBAAa,eAAe;IAC1B,OAAO,CAAC,MAAM,CAAiB;gBAEnB,MAAM,EAAE,cAAc;IAIlC;;OAEG;IACG,eAAe,CACnB,UAAU,EAAE,MAAM,EAClB,QAAQ,EAAE,MAAM,EAChB,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GACjC,OAAO,CAAC,UAAU,CAAC;IAStB;;;OAGG;IACG,cAAc,CAClB,UAAU,EAAE,MAAM,EAClB,QAAQ,EAAE,MAAM,EAChB,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACnC,OAAO,EAAE,OAAO,GACf,OAAO,CAAC,UAAU,CAAC;CAQvB"}

package/dist/integrations/n8n/index.js

@@ -0,0 +1,39 @@
+function formatResource(ctx) {
+    return `n8n/workflow:${ctx.workflowId}/node:${ctx.nodeName}`;
+}
+/**
+ * MandateZ hook for n8n workflows.
+ *
+ * Drop this into any n8n custom node or credential hook to get
+ * cryptographically signed audit logs for every workflow execution.
+ */
+export class MandateZN8nHook {
+    client;
+    constructor(client) {
+        this.client = client;
+    }
+    /**
+     * Call before a node executes. Logs a 'call' action with 'pending_approval'.
+     */
+    async beforeExecution(workflowId, nodeName, inputData) {
+        return this.client.track({
+            action_type: 'call',
+            resource: formatResource({ workflowId, nodeName }),
+            outcome: 'pending_approval',
+            metadata: { direction: 'before', inputData },
+        });
+    }
+    /**
+     * Call after a node executes. Logs a 'call' action with
+     * 'allowed' on success or 'flagged' on failure.
+     */
+    async afterExecution(workflowId, nodeName, outputData, success) {
+        return this.client.track({
+            action_type: 'call',
+            resource: formatResource({ workflowId, nodeName }),
+            outcome: success ? 'allowed' : 'flagged',
+            metadata: { direction: 'after', outputData, success },
+        });
+    }
+}
+//# sourceMappingURL=index.js.map

package/dist/integrations/n8n/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/integrations/n8n/index.ts"],"names":[],"mappings":"AAQA,SAAS,cAAc,CAAC,GAAwB;IAC9C,OAAO,gBAAgB,GAAG,CAAC,UAAU,SAAS,GAAG,CAAC,QAAQ,EAAE,CAAC;AAC/D,CAAC;AAED;;;;;GAKG;AACH,MAAM,OAAO,eAAe;IAClB,MAAM,CAAiB;IAE/B,YAAY,MAAsB;QAChC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACvB,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,eAAe,CACnB,UAAkB,EAClB,QAAgB,EAChB,SAAkC;QAElC,OAAO,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC;YACvB,WAAW,EAAE,MAAM;YACnB,QAAQ,EAAE,cAAc,CAAC,EAAE,UAAU,EAAE,QAAQ,EAAE,CAAC;YAClD,OAAO,EAAE,kBAAkB;YAC3B,QAAQ,EAAE,EAAE,SAAS,EAAE,QAAQ,EAAE,SAAS,EAAE;SAC7C,CAAC,CAAC;IACL,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,cAAc,CAClB,UAAkB,EAClB,QAAgB,EAChB,UAAmC,EACnC,OAAgB;QAEhB,OAAO,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC;YACvB,WAAW,EAAE,MAAM;YACnB,QAAQ,EAAE,cAAc,CAAC,EAAE,UAAU,EAAE,QAAQ,EAAE,CAAC;YAClD,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS;YACxC,QAAQ,EAAE,EAAE,SAAS,EAAE,OAAO,EAAE,UAAU,EAAE,OAAO,EAAE;SACtD,CAAC,CAAC;IACL,CAAC;CACF"}

package/dist/oversight/alerts.d.ts

@@ -0,0 +1,32 @@
+export interface OversightAlert {
+    agent_id: string;
+    action_type: string;
+    resource: string;
+    metadata: Record<string, unknown>;
+    timestamp: string;
+    requires_approval: boolean;
+}
+/**
+ * Alert channel interface — implement this to add new notification targets.
+ */
+export interface AlertChannel {
+    send(alert: OversightAlert): Promise<void>;
+}
+/**
+ * Sends alerts to a Slack webhook URL.
+ */
+export declare class SlackAlertChannel implements AlertChannel {
+    private webhookUrl;
+    constructor(webhookUrl: string);
+    send(alert: OversightAlert): Promise<void>;
+}
+/**
+ * Sends alerts to an arbitrary webhook URL as JSON POST.
+ */
+export declare class WebhookAlertChannel implements AlertChannel {
+    private url;
+    private headers;
+    constructor(url: string, headers?: Record<string, string>);
+    send(alert: OversightAlert): Promise<void>;
+}
+//# sourceMappingURL=alerts.d.ts.map

package/dist/oversight/alerts.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"alerts.d.ts","sourceRoot":"","sources":["../../src/oversight/alerts.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAClC,SAAS,EAAE,MAAM,CAAC;IAClB,iBAAiB,EAAE,OAAO,CAAC;CAC5B;AAED;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,IAAI,CAAC,KAAK,EAAE,cAAc,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CAC5C;AAED;;GAEG;AACH,qBAAa,iBAAkB,YAAW,YAAY;IACpD,OAAO,CAAC,UAAU,CAAS;gBAEf,UAAU,EAAE,MAAM;IAIxB,IAAI,CAAC,KAAK,EAAE,cAAc,GAAG,OAAO,CAAC,IAAI,CAAC;CAoBjD;AAED;;GAEG;AACH,qBAAa,mBAAoB,YAAW,YAAY;IACtD,OAAO,CAAC,GAAG,CAAS;IACpB,OAAO,CAAC,OAAO,CAAyB;gBAE5B,GAAG,EAAE,MAAM,EAAE,OAAO,GAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAM;IAKvD,IAAI,CAAC,KAAK,EAAE,cAAc,GAAG,OAAO,CAAC,IAAI,CAAC;CAWjD"}

package/dist/oversight/alerts.js

@@ -0,0 +1,49 @@
+/**
+ * Sends alerts to a Slack webhook URL.
+ */
+export class SlackAlertChannel {
+    webhookUrl;
+    constructor(webhookUrl) {
+        this.webhookUrl = webhookUrl;
+    }
+    async send(alert) {
+        const emoji = alert.requires_approval ? ':rotating_light:' : ':warning:';
+        const text = [
+            `${emoji} *MandateZ Oversight Alert*`,
+            `*Agent:* \`${alert.agent_id}\``,
+            `*Action:* ${alert.action_type} on \`${alert.resource}\``,
+            `*Requires Approval:* ${alert.requires_approval ? 'Yes' : 'No'}`,
+            `*Time:* ${alert.timestamp}`,
+        ].join('\n');
+        const response = await fetch(this.webhookUrl, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({ text }),
+        });
+        if (!response.ok) {
+            throw new Error(`Slack alert failed: ${response.status} ${response.statusText}`);
+        }
+    }
+}
+/**
+ * Sends alerts to an arbitrary webhook URL as JSON POST.
+ */
+export class WebhookAlertChannel {
+    url;
+    headers;
+    constructor(url, headers = {}) {
+        this.url = url;
+        this.headers = headers;
+    }
+    async send(alert) {
+        const response = await fetch(this.url, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json', ...this.headers },
+            body: JSON.stringify(alert),
+        });
+        if (!response.ok) {
+            throw new Error(`Webhook alert failed: ${response.status} ${response.statusText}`);
+        }
+    }
+}
+//# sourceMappingURL=alerts.js.map

package/dist/oversight/alerts.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"alerts.js","sourceRoot":"","sources":["../../src/oversight/alerts.ts"],"names":[],"mappings":"AAgBA;;GAEG;AACH,MAAM,OAAO,iBAAiB;IACpB,UAAU,CAAS;IAE3B,YAAY,UAAkB;QAC5B,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC;IAC/B,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,KAAqB;QAC9B,MAAM,KAAK,GAAG,KAAK,CAAC,iBAAiB,CAAC,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,WAAW,CAAC;QACzE,MAAM,IAAI,GAAG;YACX,GAAG,KAAK,6BAA6B;YACrC,cAAc,KAAK,CAAC,QAAQ,IAAI;YAChC,aAAa,KAAK,CAAC,WAAW,SAAS,KAAK,CAAC,QAAQ,IAAI;YACzD,wBAAwB,KAAK,CAAC,iBAAiB,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE;YAChE,WAAW,KAAK,CAAC,SAAS,EAAE;SAC7B,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAEb,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,UAAU,EAAE;YAC5C,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,IAAI,EAAE,CAAC;SAC/B,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,uBAAuB,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAC;QACnF,CAAC;IACH,CAAC;CACF;AAED;;GAEG;AACH,MAAM,OAAO,mBAAmB;IACtB,GAAG,CAAS;IACZ,OAAO,CAAyB;IAExC,YAAY,GAAW,EAAE,UAAkC,EAAE;QAC3D,IAAI,CAAC,GAAG,GAAG,GAAG,CAAC;QACf,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;IACzB,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,KAAqB;QAC9B,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE;YACrC,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,GAAG,IAAI,CAAC,OAAO,EAAE;YAChE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC;SAC5B,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,yBAAyB,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAC;QACrF,CAAC;IACH,CAAC;CACF"}

package/dist/oversight/index.d.ts

@@ -0,0 +1,58 @@
+import type { AgentEventInput } from '../events/schema.js';
+import type { AlertChannel, OversightAlert } from './alerts.js';
+export type { AlertChannel, OversightAlert } from './alerts.js';
+export { SlackAlertChannel, WebhookAlertChannel } from './alerts.js';
+export type TimeoutAction = 'block' | 'allow';
+export interface OversightConfig {
+    /** Action types that require human approval before proceeding */
+    require_human_approval: AgentEventInput['action_type'][];
+    /** Alert channels to notify when approval is needed */
+    channels: AlertChannel[];
+    /** Seconds to wait for human response before timeout_action kicks in */
+    timeout_seconds: number;
+    /** What to do if no human responds in time */
+    timeout_action: TimeoutAction;
+}
+export type ApprovalDecision = 'approved' | 'rejected' | 'timeout';
+export interface OversightResult {
+    decision: ApprovalDecision;
+    outcome: 'allowed' | 'blocked';
+    timed_out: boolean;
+}
+/**
+ * Human oversight gate.
+ *
+ * When an agent attempts a flagged action type, execution pauses,
+ * alerts fire, and we wait for a human decision or timeout.
+ *
+ * The approval callback is injected by the caller — this keeps the gate
+ * transport-agnostic (could be a webhook, a Supabase realtime subscription,
+ * a CLI prompt, etc).
+ */
+export declare class OversightGate {
+    private config;
+    constructor(config: OversightConfig);
+    /**
+     * Does this action type require human approval?
+     */
+    requiresApproval(actionType: AgentEventInput['action_type']): boolean;
+    /**
+     * Fire alerts on all configured channels.
+     * Errors on individual channels are collected, not thrown,
+     * so one failing channel doesn't block the others.
+     */
+    sendAlerts(alert: OversightAlert): Promise<{
+        errors: Error[];
+    }>;
+    /**
+     * Request human approval. Fires alerts, then races the approval
+     * callback against the timeout.
+     *
+     * @param alert - The alert payload describing the action
+     * @param waitForApproval - Async function that resolves when a human
+     *   responds. Should return true for approved, false for rejected.
+     *   If not provided, the gate immediately applies timeout_action.
+     */
+    requestApproval(alert: OversightAlert, waitForApproval?: () => Promise<boolean>): Promise<OversightResult>;
+}
+//# sourceMappingURL=index.d.ts.map

package/dist/oversight/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/oversight/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAC3D,OAAO,KAAK,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAEhE,YAAY,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAChE,OAAO,EAAE,iBAAiB,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAErE,MAAM,MAAM,aAAa,GAAG,OAAO,GAAG,OAAO,CAAC;AAE9C,MAAM,WAAW,eAAe;IAC9B,iEAAiE;IACjE,sBAAsB,EAAE,eAAe,CAAC,aAAa,CAAC,EAAE,CAAC;IACzD,uDAAuD;IACvD,QAAQ,EAAE,YAAY,EAAE,CAAC;IACzB,wEAAwE;IACxE,eAAe,EAAE,MAAM,CAAC;IACxB,8CAA8C;IAC9C,cAAc,EAAE,aAAa,CAAC;CAC/B;AAED,MAAM,MAAM,gBAAgB,GAAG,UAAU,GAAG,UAAU,GAAG,SAAS,CAAC;AAEnE,MAAM,WAAW,eAAe;IAC9B,QAAQ,EAAE,gBAAgB,CAAC;IAC3B,OAAO,EAAE,SAAS,GAAG,SAAS,CAAC;IAC/B,SAAS,EAAE,OAAO,CAAC;CACpB;AAED;;;;;;;;;GASG;AACH,qBAAa,aAAa;IACxB,OAAO,CAAC,MAAM,CAAkB;gBAEpB,MAAM,EAAE,eAAe;IAInC;;OAEG;IACH,gBAAgB,CAAC,UAAU,EAAE,eAAe,CAAC,aAAa,CAAC,GAAG,OAAO;IAIrE;;;;OAIG;IACG,UAAU,CAAC,KAAK,EAAE,cAAc,GAAG,OAAO,CAAC;QAAE,MAAM,EAAE,KAAK,EAAE,CAAA;KAAE,CAAC;IAgBrE;;;;;;;;OAQG;IACG,eAAe,CACnB,KAAK,EAAE,cAAc,EACrB,eAAe,CAAC,EAAE,MAAM,OAAO,CAAC,OAAO,CAAC,GACvC,OAAO,CAAC,eAAe,CAAC;CAiC5B"}

package/dist/oversight/index.js

@@ -0,0 +1,77 @@
+export { SlackAlertChannel, WebhookAlertChannel } from './alerts.js';
+/**
+ * Human oversight gate.
+ *
+ * When an agent attempts a flagged action type, execution pauses,
+ * alerts fire, and we wait for a human decision or timeout.
+ *
+ * The approval callback is injected by the caller — this keeps the gate
+ * transport-agnostic (could be a webhook, a Supabase realtime subscription,
+ * a CLI prompt, etc).
+ */
+export class OversightGate {
+    config;
+    constructor(config) {
+        this.config = config;
+    }
+    /**
+     * Does this action type require human approval?
+     */
+    requiresApproval(actionType) {
+        return this.config.require_human_approval.includes(actionType);
+    }
+    /**
+     * Fire alerts on all configured channels.
+     * Errors on individual channels are collected, not thrown,
+     * so one failing channel doesn't block the others.
+     */
+    async sendAlerts(alert) {
+        const errors = [];
+        await Promise.all(this.config.channels.map(async (channel) => {
+            try {
+                await channel.send(alert);
+            }
+            catch (err) {
+                errors.push(err instanceof Error ? err : new Error(String(err)));
+            }
+        }));
+        return { errors };
+    }
+    /**
+     * Request human approval. Fires alerts, then races the approval
+     * callback against the timeout.
+     *
+     * @param alert - The alert payload describing the action
+     * @param waitForApproval - Async function that resolves when a human
+     *   responds. Should return true for approved, false for rejected.
+     *   If not provided, the gate immediately applies timeout_action.
+     */
+    async requestApproval(alert, waitForApproval) {
+        // Fire alerts (non-blocking on individual channel failures)
+        await this.sendAlerts(alert);
+        // If no approval callback, immediately apply timeout action
+        if (!waitForApproval) {
+            return {
+                decision: 'timeout',
+                outcome: this.config.timeout_action === 'block' ? 'blocked' : 'allowed',
+                timed_out: true,
+            };
+        }
+        // Race: human response vs timeout
+        const timeoutMs = this.config.timeout_seconds * 1000;
+        const result = await Promise.race([
+            waitForApproval().then((approved) => ({
+                decision: approved ? 'approved' : 'rejected',
+                outcome: approved ? 'allowed' : 'blocked',
+                timed_out: false,
+            })),
+            new Promise((resolve) => setTimeout(() => resolve({
+                decision: 'timeout',
+                outcome: this.config.timeout_action === 'block' ? 'blocked' : 'allowed',
+                timed_out: true,
+            }), timeoutMs)),
+        ]);
+        return result;
+    }
+}
+//# sourceMappingURL=index.js.map

package/dist/oversight/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/oversight/index.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,iBAAiB,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAuBrE;;;;;;;;;GASG;AACH,MAAM,OAAO,aAAa;IAChB,MAAM,CAAkB;IAEhC,YAAY,MAAuB;QACjC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACvB,CAAC;IAED;;OAEG;IACH,gBAAgB,CAAC,UAA0C;QACzD,OAAO,IAAI,CAAC,MAAM,CAAC,sBAAsB,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;IACjE,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,UAAU,CAAC,KAAqB;QACpC,MAAM,MAAM,GAAY,EAAE,CAAC;QAE3B,MAAM,OAAO,CAAC,GAAG,CACf,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,KAAK,EAAE,OAAO,EAAE,EAAE;YACzC,IAAI,CAAC;gBACH,MAAM,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YAC5B,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,MAAM,CAAC,IAAI,CAAC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YACnE,CAAC;QACH,CAAC,CAAC,CACH,CAAC;QAEF,OAAO,EAAE,MAAM,EAAE,CAAC;IACpB,CAAC;IAED;;;;;;;;OAQG;IACH,KAAK,CAAC,eAAe,CACnB,KAAqB,EACrB,eAAwC;QAExC,4DAA4D;QAC5D,MAAM,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;QAE7B,4DAA4D;QAC5D,IAAI,CAAC,eAAe,EAAE,CAAC;YACrB,OAAO;gBACL,QAAQ,EAAE,SAAS;gBACnB,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,cAAc,KAAK,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS;gBACvE,SAAS,EAAE,IAAI;aAChB,CAAC;QACJ,CAAC;QAED,kCAAkC;QAClC,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,eAAe,GAAG,IAAI,CAAC;QAErD,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC;YAChC,eAAe,EAAE,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAmB,EAAE,CAAC,CAAC;gBACrD,QAAQ,EAAE,QAAQ,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,UAAU;gBAC5C,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS;gBACzC,SAAS,EAAE,KAAK;aACjB,CAAC,CAAC;YACH,IAAI,OAAO,CAAkB,CAAC,OAAO,EAAE,EAAE,CACvC,UAAU,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC;gBACvB,QAAQ,EAAE,SAAS;gBACnB,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,cAAc,KAAK,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS;gBACvE,SAAS,EAAE,IAAI;aAChB,CAAC,EAAE,SAAS,CAAC,CACf;SACF,CAAC,CAAC;QAEH,OAAO,MAAM,CAAC;IAChB,CAAC;CACF"}

package/dist/policy/index.d.ts

@@ -0,0 +1,68 @@
+import { z } from 'zod';
+import type { AgentEventInput } from '../events/schema.js';
+export declare const PolicyRuleSchema: z.ZodObject<{
+    id: z.ZodString;
+    action_types: z.ZodArray<z.ZodEnum<{
+        read: "read";
+        write: "write";
+        export: "export";
+        delete: "delete";
+        call: "call";
+        payment: "payment";
+        "*": "*";
+    }>>;
+    resource_pattern: z.ZodString;
+    effect: z.ZodEnum<{
+        allow: "allow";
+        block: "block";
+        flag: "flag";
+    }>;
+}, z.core.$strip>;
+export type PolicyRule = z.infer<typeof PolicyRuleSchema>;
+export declare const PolicySchema: z.ZodObject<{
+    id: z.ZodString;
+    owner_id: z.ZodString;
+    name: z.ZodString;
+    rules: z.ZodArray<z.ZodObject<{
+        id: z.ZodString;
+        action_types: z.ZodArray<z.ZodEnum<{
+            read: "read";
+            write: "write";
+            export: "export";
+            delete: "delete";
+            call: "call";
+            payment: "payment";
+            "*": "*";
+        }>>;
+        resource_pattern: z.ZodString;
+        effect: z.ZodEnum<{
+            allow: "allow";
+            block: "block";
+            flag: "flag";
+        }>;
+    }, z.core.$strip>>;
+}, z.core.$strip>;
+export type Policy = z.infer<typeof PolicySchema>;
+export type PolicyOutcome = 'allowed' | 'blocked' | 'flagged';
+export interface PolicyEvaluation {
+    outcome: PolicyOutcome;
+    matched_rule: PolicyRule | null;
+    policy_id: string | null;
+}
+/**
+ * Policy engine — evaluates rules against an action.
+ *
+ * Rules are evaluated in order. First match wins.
+ * If no rule matches, the default outcome is 'allowed'.
+ */
+export declare class PolicyEngine {
+    private policies;
+    addPolicy(policy: Policy): void;
+    removePolicy(policyId: string): void;
+    /**
+     * Evaluate all policies against an action.
+     * First matching rule across all policies wins.
+     */
+    evaluate(actionType: AgentEventInput['action_type'], resource: string): PolicyEvaluation;
+}
+//# sourceMappingURL=index.d.ts.map

package/dist/policy/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/policy/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAE3D,eAAO,MAAM,gBAAgB;;;;;;;;;;;;;;;;;iBAQ3B,CAAC;AAEH,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAE1D,eAAO,MAAM,YAAY;;;;;;;;;;;;;;;;;;;;;;iBAKvB,CAAC;AAEH,MAAM,MAAM,MAAM,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AAElD,MAAM,MAAM,aAAa,GAAG,SAAS,GAAG,SAAS,GAAG,SAAS,CAAC;AAE9D,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,aAAa,CAAC;IACvB,YAAY,EAAE,UAAU,GAAG,IAAI,CAAC;IAChC,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;CAC1B;AAiCD;;;;;GAKG;AACH,qBAAa,YAAY;IACvB,OAAO,CAAC,QAAQ,CAAgB;IAEhC,SAAS,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI;IAK/B,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,IAAI;IAIpC;;;OAGG;IACH,QAAQ,CACN,UAAU,EAAE,eAAe,CAAC,aAAa,CAAC,EAC1C,QAAQ,EAAE,MAAM,GACf,gBAAgB;CAmBpB"}

package/dist/policy/index.js

@@ -0,0 +1,82 @@
+import { z } from 'zod';
+export const PolicyRuleSchema = z.object({
+    id: z.string().min(1),
+    /** Which action types this rule applies to. '*' means all. */
+    action_types: z.array(z.enum(['read', 'write', 'export', 'delete', 'call', 'payment', '*'])),
+    /** Glob-like resource pattern. '*' matches everything. */
+    resource_pattern: z.string().min(1),
+    /** The effect when this rule matches */
+    effect: z.enum(['allow', 'block', 'flag']),
+});
+export const PolicySchema = z.object({
+    id: z.string().min(1),
+    owner_id: z.string().min(1),
+    name: z.string().min(1),
+    rules: z.array(PolicyRuleSchema),
+});
+/**
+ * Matches a resource string against a pattern.
+ * Supports '*' as a wildcard segment and '**' as a recursive wildcard.
+ *
+ *   'emails'          matches 'emails'
+ *   'api/*'           matches 'api/stripe', 'api/slack'
+ *   'api/**'          matches 'api/stripe', 'api/stripe/charges'
+ *   '*'               matches everything
+ */
+function matchResource(pattern, resource) {
+    if (pattern === '*')
+        return true;
+    const patternParts = pattern.split('/');
+    const resourceParts = resource.split('/');
+    let pi = 0;
+    let ri = 0;
+    while (pi < patternParts.length && ri < resourceParts.length) {
+        if (patternParts[pi] === '**')
+            return true;
+        if (patternParts[pi] === '*' || patternParts[pi] === resourceParts[ri]) {
+            pi++;
+            ri++;
+        }
+        else {
+            return false;
+        }
+    }
+    return pi === patternParts.length && ri === resourceParts.length;
+}
+/**
+ * Policy engine — evaluates rules against an action.
+ *
+ * Rules are evaluated in order. First match wins.
+ * If no rule matches, the default outcome is 'allowed'.
+ */
+export class PolicyEngine {
+    policies = [];
+    addPolicy(policy) {
+        PolicySchema.parse(policy);
+        this.policies.push(policy);
+    }
+    removePolicy(policyId) {
+        this.policies = this.policies.filter((p) => p.id !== policyId);
+    }
+    /**
+     * Evaluate all policies against an action.
+     * First matching rule across all policies wins.
+     */
+    evaluate(actionType, resource) {
+        for (const policy of this.policies) {
+            for (const rule of policy.rules) {
+                const actionMatch = rule.action_types.includes('*') || rule.action_types.includes(actionType);
+                const resourceMatch = matchResource(rule.resource_pattern, resource);
+                if (actionMatch && resourceMatch) {
+                    return {
+                        outcome: rule.effect === 'allow' ? 'allowed' : rule.effect === 'block' ? 'blocked' : 'flagged',
+                        matched_rule: rule,
+                        policy_id: policy.id,
+                    };
+                }
+            }
+        }
+        return { outcome: 'allowed', matched_rule: null, policy_id: null };
+    }
+}
+//# sourceMappingURL=index.js.map

package/dist/policy/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/policy/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAGxB,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC,CAAC,MAAM,CAAC;IACvC,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACrB,8DAA8D;IAC9D,YAAY,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,GAAG,CAAC,CAAC,CAAC;IAC5F,0DAA0D;IAC1D,gBAAgB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACnC,wCAAwC;IACxC,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;CAC3C,CAAC,CAAC;AAIH,MAAM,CAAC,MAAM,YAAY,GAAG,CAAC,CAAC,MAAM,CAAC;IACnC,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACrB,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC3B,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACvB,KAAK,EAAE,CAAC,CAAC,KAAK,CAAC,gBAAgB,CAAC;CACjC,CAAC,CAAC;AAYH;;;;;;;;GAQG;AACH,SAAS,aAAa,CAAC,OAAe,EAAE,QAAgB;IACtD,IAAI,OAAO,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC;IAEjC,MAAM,YAAY,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACxC,MAAM,aAAa,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAE1C,IAAI,EAAE,GAAG,CAAC,CAAC;IACX,IAAI,EAAE,GAAG,CAAC,CAAC;IAEX,OAAO,EAAE,GAAG,YAAY,CAAC,MAAM,IAAI,EAAE,GAAG,aAAa,CAAC,MAAM,EAAE,CAAC;QAC7D,IAAI,YAAY,CAAC,EAAE,CAAC,KAAK,IAAI;YAAE,OAAO,IAAI,CAAC;QAC3C,IAAI,YAAY,CAAC,EAAE,CAAC,KAAK,GAAG,IAAI,YAAY,CAAC,EAAE,CAAC,KAAK,aAAa,CAAC,EAAE,CAAC,EAAE,CAAC;YACvE,EAAE,EAAE,CAAC;YACL,EAAE,EAAE,CAAC;QACP,CAAC;aAAM,CAAC;YACN,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED,OAAO,EAAE,KAAK,YAAY,CAAC,MAAM,IAAI,EAAE,KAAK,aAAa,CAAC,MAAM,CAAC;AACnE,CAAC;AAED;;;;;GAKG;AACH,MAAM,OAAO,YAAY;IACf,QAAQ,GAAa,EAAE,CAAC;IAEhC,SAAS,CAAC,MAAc;QACtB,YAAY,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QAC3B,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC7B,CAAC;IAED,YAAY,CAAC,QAAgB;QAC3B,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,QAAQ,CAAC,CAAC;IACjE,CAAC;IAED;;;OAGG;IACH,QAAQ,CACN,UAA0C,EAC1C,QAAgB;QAEhB,KAAK,MAAM,MAAM,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YACnC,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;gBAChC,MAAM,WAAW,GACf,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;gBAC5E,MAAM,aAAa,GAAG,aAAa,CAAC,IAAI,CAAC,gBAAgB,EAAE,QAAQ,CAAC,CAAC;gBAErE,IAAI,WAAW,IAAI,aAAa,EAAE,CAAC;oBACjC,OAAO;wBACL,OAAO,EAAE,IAAI,CAAC,MAAM,KAAK,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,KAAK,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS;wBAC9F,YAAY,EAAE,IAAI;wBAClB,SAAS,EAAE,MAAM,CAAC,EAAE;qBACrB,CAAC;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,YAAY,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;IACrE,CAAC;CACF"}

package/dist/transport/index.d.ts

@@ -0,0 +1,3 @@
+export { SupabaseTransport } from './supabase.js';
+export type { SupabaseTransportConfig } from './supabase.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/transport/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/transport/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAClD,YAAY,EAAE,uBAAuB,EAAE,MAAM,eAAe,CAAC"}

package/dist/transport/index.js

@@ -0,0 +1,2 @@
+export { SupabaseTransport } from './supabase.js';
+//# sourceMappingURL=index.js.map

package/dist/transport/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/transport/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC"}

package/dist/transport/supabase.d.ts

@@ -0,0 +1,15 @@
+import type { AgentEvent } from '../events/schema.js';
+export interface SupabaseTransportConfig {
+    supabaseUrl: string;
+    supabaseAnonKey: string;
+}
+export declare class SupabaseTransport {
+    private client;
+    constructor(config: SupabaseTransportConfig);
+    /**
+     * Inserts a signed AgentEvent into the agent_events table.
+     * Throws on Supabase errors so callers can handle failures.
+     */
+    emitEvent(event: AgentEvent): Promise<AgentEvent>;
+}
+//# sourceMappingURL=supabase.d.ts.map

package/dist/transport/supabase.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"supabase.d.ts","sourceRoot":"","sources":["../../src/transport/supabase.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AAEtD,MAAM,WAAW,uBAAuB;IACtC,WAAW,EAAE,MAAM,CAAC;IACpB,eAAe,EAAE,MAAM,CAAC;CACzB;AAED,qBAAa,iBAAiB;IAC5B,OAAO,CAAC,MAAM,CAAiB;gBAEnB,MAAM,EAAE,uBAAuB;IAI3C;;;OAGG;IACG,SAAS,CAAC,KAAK,EAAE,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;CAqBxD"}

package/dist/transport/supabase.js

@@ -0,0 +1,31 @@
+import { createClient } from '@supabase/supabase-js';
+export class SupabaseTransport {
+    client;
+    constructor(config) {
+        this.client = createClient(config.supabaseUrl, config.supabaseAnonKey);
+    }
+    /**
+     * Inserts a signed AgentEvent into the agent_events table.
+     * Throws on Supabase errors so callers can handle failures.
+     */
+    async emitEvent(event) {
+        const { error } = await this.client.from('agent_events').insert({
+            id: event.event_id,
+            agent_id: event.agent_id,
+            owner_id: event.owner_id,
+            timestamp: event.timestamp,
+            action_type: event.action_type,
+            resource: event.resource,
+            outcome: event.outcome,
+            policy_id: event.policy_id,
+            metadata: event.metadata,
+            signature: event.signature,
+            public_key: event.public_key,
+        });
+        if (error) {
+            throw new Error(`Failed to emit event: ${error.message}`);
+        }
+        return event;
+    }
+}
+//# sourceMappingURL=supabase.js.map

package/dist/transport/supabase.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"supabase.js","sourceRoot":"","sources":["../../src/transport/supabase.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAkB,MAAM,uBAAuB,CAAC;AAQrE,MAAM,OAAO,iBAAiB;IACpB,MAAM,CAAiB;IAE/B,YAAY,MAA+B;QACzC,IAAI,CAAC,MAAM,GAAG,YAAY,CAAC,MAAM,CAAC,WAAW,EAAE,MAAM,CAAC,eAAe,CAAC,CAAC;IACzE,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,SAAS,CAAC,KAAiB;QAC/B,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,MAAM,CAAC;YAC9D,EAAE,EAAE,KAAK,CAAC,QAAQ;YAClB,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,WAAW,EAAE,KAAK,CAAC,WAAW;YAC9B,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,OAAO,EAAE,KAAK,CAAC,OAAO;YACtB,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,UAAU,EAAE,KAAK,CAAC,UAAU;SAC7B,CAAC,CAAC;QAEH,IAAI,KAAK,EAAE,CAAC;YACV,MAAM,IAAI,KAAK,CAAC,yBAAyB,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;QAC5D,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;CACF"}