@mandatez/sdk 0.1.2 → 0.1.8

package/README.md

@@ -1,95 +1,193 @@
-# MandateZ
-
-**Every agent needs a mandate.**
-
-MandateZ is the open, cross-vendor trust infrastructure for AI agents. Cryptographic identity, policy enforcement, human oversight, and tamper-proof audit logs — for any agent framework.
-
-## The Problem
-
-AI agents act autonomously. There is no standard way to prove what they did, enforce what they can do, or produce compliance audit trails. MandateZ solves all three.
-
-## Install
-
-```bash
-npm install @mandatez/sdk
-```
-
-## Usage
-
-```typescript
-import { generateAgentIdentity, MandateZClient } from '@mandatez/sdk';
-
-const identity = await generateAgentIdentity();
-const client = new MandateZClient({
-  agentId: identity.agent_id,
-  ownerId: 'your_org_id',
-  privateKey: identity.private_key,
-  supabaseUrl: process.env.SUPABASE_URL!,
-  supabaseAnonKey: process.env.SUPABASE_ANON_KEY!,
-});
-
-const event = await client.track({
-  action_type: 'read',
-  resource: 'emails',
-});
-// → signed, validated, emitted to your event stream
-```
-
-## What You Get
-
-- **Agent Identity** — Ed25519 keypair per agent, unique `ag_` prefixed IDs
-- **Signed Events** — every action produces a cryptographically signed, tamper-proof event
-- **Policy Engine** — allow/block/flag rules with wildcard resource matching
-- **Human Oversight** — pause execution, alert via Slack/webhook, auto-block on timeout
-- **Compliance Reports** — JSON + PDF audit trail export
-- **Framework Integrations** — LangChain, n8n, with more coming
-
-## Integrations
-
-### LangChain
-
-```typescript
-import { MandateZLangChainCallback } from '@mandatez/sdk';
-
-const callback = new MandateZLangChainCallback(client);
-const chain = new ChatOpenAI({ callbacks: [callback] });
-```
-
-### n8n
-
-```typescript
-import { MandateZN8nHook } from '@mandatez/sdk';
-
-const hook = new MandateZN8nHook(client);
-await hook.beforeExecution('wf_123', 'HTTP Request', inputData);
-await hook.afterExecution('wf_123', 'HTTP Request', outputData, true);
-```
-
-## Architecture
-
-Everything flows from one spine: the **Agent Event Stream**.
-
-```
-Agent Action → Policy Engine → Oversight Gate → Sign (Ed25519) → Emit to Stream
-```
-
-Every surface — SDK, dashboard, compliance engine, directory — reads the same stream. One data layer. No duplication.
-
-## Documentation
-
-- [Quickstart](https://mandatez.mintlify.app/quickstart)
-- [SDK Reference](https://mandatez.mintlify.app/sdk/track)
-- [Protocol Specification](./protocol/SPEC.md)
-
-## Project Structure
-
-```
-packages/sdk/          → @mandatez/sdk (open source, free forever)
-apps/dashboard/        → Next.js event monitoring dashboard
-protocol/              → Open protocol specification
-docs/                  → Documentation (Mintlify)
-```
-
-## License
-
-MIT
+# MandateZ
+
+**Every agent needs a mandate.**
+
+MandateZ is the open, cross-vendor trust infrastructure for AI agents. Cryptographic identity, policy enforcement, human oversight, and tamper-proof audit logs — for any agent framework.
+
+## Quickstart (30 seconds)
+
+```bash
+npm install @mandatez/sdk
+```
+
+```typescript
+import { MandateZAgent } from '@mandatez/sdk';
+
+const myAgent = MandateZAgent(yourAgentFunction, {
+  agentId: 'ag_...',
+  ownerId: 'your_owner_id',
+  privateKey: process.env.AGENT_PRIVATE_KEY!,
+  supabaseUrl: process.env.SUPABASE_URL!,
+  supabaseAnonKey: process.env.SUPABASE_ANON_KEY!,
+});
+
+// Your agent is now governed. That's it.
+```
+
+One import. One wrap. Every call is policy-checked, optionally identity-screened, and logged as a signed `AgentEvent`. Same function signature in, same function signature out.
+
+## The Problem
+
+AI agents act autonomously. There is no standard way to prove what they did, enforce what they can do, or produce compliance audit trails. MandateZ solves all three.
+
+## Install
+
+```bash
+npm install @mandatez/sdk
+```
+
+## Configuration
+
+MandateZ supports two configuration modes. Pick one.
+
+### Enterprise mode — `apiKey` (recommended)
+
+Generate a key at `/keys` in the MandateZ dashboard. One revocable string replaces the raw Supabase credentials your agents used to carry:
+
+```typescript
+import { MandateZClient } from '@mandatez/sdk';
+
+const client = new MandateZClient({
+  apiKey: process.env.MANDATEZ_API_KEY!,   // "mz_live_..."
+  agentId: 'ag_...',
+  ownerId: 'your_org_id',
+  privateKey: process.env.AGENT_PRIVATE_KEY!,
+});
+```
+
+Why enterprise customers prefer this:
+- **Revocable** — rotate a compromised key from the dashboard in one click without touching Supabase.
+- **Auditable** — every key has a name, creation time, and `last_used_at` timestamp.
+- **Scoped** — keys are bound to an `owner_id`; they cannot reach another tenant's data.
+- **One string, one secret** — no pasting Supabase URLs into a Vercel env var.
+
+### Legacy mode — raw Supabase credentials (still supported)
+
+The original configuration still works for local dev, one-off integrations, and anyone already shipping on it:
+
+```typescript
+import { generateAgentIdentity, MandateZClient } from '@mandatez/sdk';
+
+const identity = await generateAgentIdentity();
+const client = new MandateZClient({
+  agentId: identity.agent_id,
+  ownerId: 'your_org_id',
+  privateKey: identity.private_key,
+  supabaseUrl: process.env.SUPABASE_URL!,
+  supabaseAnonKey: process.env.SUPABASE_ANON_KEY!,
+});
+```
+
+## Usage
+
+```typescript
+const event = await client.track({
+  action_type: 'read',
+  resource: 'emails',
+});
+// → signed, validated, emitted to your event stream
+```
+
+## What You Get
+
+- **Agent Identity** — Ed25519 keypair per agent, unique `ag_` prefixed IDs
+- **Signed Events** — every action produces a cryptographically signed, tamper-proof event
+- **Policy Engine** — allow/block/flag rules with wildcard resource matching
+- **Human Oversight** — pause execution, alert via Slack/webhook, auto-block on timeout
+- **Compliance Reports** — JSON + PDF audit trail export
+- **Framework Integrations** — LangChain, n8n, with more coming
+
+## Observability Exporters
+
+Fan MandateZ events out to your existing observability or SIEM stack — Datadog, Splunk, any OpenTelemetry collector, or an arbitrary webhook. Exporters are fire-and-forget: they run in parallel after every `track()` and never block or throw on the hot path.
+
+```typescript
+import {
+  MandateZClient,
+  DatadogExporter,
+  WebhookExporter,
+} from '@mandatez/sdk';
+
+const client = new MandateZClient({
+  agentId: '...',
+  ownerId: '...',
+  privateKey: '...',
+  supabaseUrl: '...',
+  supabaseAnonKey: '...',
+  exporters: [
+    new DatadogExporter({
+      apiKey: process.env.DD_API_KEY!,
+      site: 'datadoghq.com',
+    }),
+    new WebhookExporter({
+      url: 'https://your-siem.com/mandatez',
+    }),
+  ],
+});
+
+// Every tracked event now flows to Datadog and your webhook.
+await client.track({ action_type: 'read', resource: 'emails' });
+```
+
+Built-in exporters:
+
+| Exporter | Destination | Import |
+|---|---|---|
+| `DatadogExporter` | Datadog Logs v2 HTTP intake | `@mandatez/sdk` |
+| `SplunkExporter` | Splunk HTTP Event Collector | `@mandatez/sdk` |
+| `OpenTelemetryExporter` | Any OTLP/HTTP collector (Grafana Tempo, Honeycomb, New Relic, etc.) | `@mandatez/sdk` |
+| `WebhookExporter` | Any HTTPS URL (generic fan-out) | `@mandatez/sdk` |
+
+Custom exporters implement the `EventExporter` interface — `{ name: string; export(event: AgentEvent): Promise<void> }` — and drop into the same `exporters: [...]` array.
+
+Full setup instructions and payload shapes: [Exporters docs](https://mandatez.mintlify.app/exporters).
+
+## Integrations
+
+### LangChain
+
+```typescript
+import { MandateZLangChainCallback } from '@mandatez/sdk';
+
+const callback = new MandateZLangChainCallback(client);
+const chain = new ChatOpenAI({ callbacks: [callback] });
+```
+
+### n8n
+
+```typescript
+import { MandateZN8nHook } from '@mandatez/sdk';
+
+const hook = new MandateZN8nHook(client);
+await hook.beforeExecution('wf_123', 'HTTP Request', inputData);
+await hook.afterExecution('wf_123', 'HTTP Request', outputData, true);
+```
+
+## Architecture
+
+Everything flows from one spine: the **Agent Event Stream**.
+
+```
+Agent Action → Policy Engine → Oversight Gate → Sign (Ed25519) → Emit to Stream
+```
+
+Every surface — SDK, dashboard, compliance engine, directory — reads the same stream. One data layer. No duplication.
+
+## Documentation
+
+- [Quickstart](https://mandatez.mintlify.app/quickstart)
+- [SDK Reference](https://mandatez.mintlify.app/sdk/track)
+- [Protocol Specification](./protocol/SPEC.md)
+
+## Project Structure
+
+```
+packages/sdk/          → @mandatez/sdk (open source, free forever)
+apps/dashboard/        → Next.js event monitoring dashboard
+protocol/              → Open protocol specification
+docs/                  → Documentation (Mintlify)
+```
+
+## License
+
+MIT

package/dist/attestations/index.d.ts

@@ -0,0 +1,50 @@
+export type Verdict = 'clean' | 'flagged' | 'violations_detected';
+export interface AttestationViolation {
+    event_id: string;
+    timestamp: string;
+    action_type: string;
+    resource: string;
+    outcome: 'blocked' | 'flagged';
+}
+export interface AttestationRecord {
+    id: string;
+    agent_id: string;
+    owner_id: string;
+    window_start: string;
+    window_end: string;
+    event_count: number;
+    events_hash: string;
+    verdict: Verdict;
+    violations: AttestationViolation[];
+    platform_signature: string;
+    platform_public_key: string;
+    metadata: Record<string, unknown>;
+    created_at: string;
+}
+export interface VerifyAttestationResponse {
+    valid: boolean;
+    attestation: AttestationRecord;
+    verified_at: string;
+}
+export interface VerifyAttestationOptions {
+    /**
+     * Base URL of the MandateZ dashboard hosting the verify endpoint.
+     * Defaults to the public production deployment.
+     */
+    apiUrl?: string;
+}
+/**
+ * Fetches and verifies a MandateZ attestation by its id.
+ *
+ * Public by design: an attestation link is the distribution primitive.
+ * The endpoint re-derives the canonical payload and checks the platform
+ * signature server-side, so a `valid: true` response from a trusted
+ * MandateZ host is sufficient proof that the row is unmodified.
+ *
+ * @example
+ * const result = await verifyAttestation('att_abc123');
+ * if (!result.valid) throw new Error('Attestation tampered');
+ * console.log(result.attestation.verdict);
+ */
+export declare function verifyAttestation(attestationId: string, options?: VerifyAttestationOptions): Promise<VerifyAttestationResponse>;
+//# sourceMappingURL=index.d.ts.map

package/dist/attestations/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/attestations/index.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,OAAO,GAAG,OAAO,GAAG,SAAS,GAAG,qBAAqB,CAAC;AAElE,MAAM,WAAW,oBAAoB;IACnC,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,SAAS,GAAG,SAAS,CAAC;CAChC;AAED,MAAM,WAAW,iBAAiB;IAChC,EAAE,EAAE,MAAM,CAAC;IACX,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,OAAO,CAAC;IACjB,UAAU,EAAE,oBAAoB,EAAE,CAAC;IACnC,kBAAkB,EAAE,MAAM,CAAC;IAC3B,mBAAmB,EAAE,MAAM,CAAC;IAC5B,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAClC,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,yBAAyB;IACxC,KAAK,EAAE,OAAO,CAAC;IACf,WAAW,EAAE,iBAAiB,CAAC;IAC/B,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,wBAAwB;IACvC;;;OAGG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAKD;;;;;;;;;;;;GAYG;AACH,wBAAsB,iBAAiB,CACrC,aAAa,EAAE,MAAM,EACrB,OAAO,GAAE,wBAA6B,GACrC,OAAO,CAAC,yBAAyB,CAAC,CAkBpC"}

package/dist/attestations/index.js

@@ -0,0 +1,30 @@
+const DEFAULT_API_URL = 'https://dashboard.mandatez.com';
+const ATTESTATION_ID_RE = /^att_[A-Za-z0-9_-]+$/;
+/**
+ * Fetches and verifies a MandateZ attestation by its id.
+ *
+ * Public by design: an attestation link is the distribution primitive.
+ * The endpoint re-derives the canonical payload and checks the platform
+ * signature server-side, so a `valid: true` response from a trusted
+ * MandateZ host is sufficient proof that the row is unmodified.
+ *
+ * @example
+ * const result = await verifyAttestation('att_abc123');
+ * if (!result.valid) throw new Error('Attestation tampered');
+ * console.log(result.attestation.verdict);
+ */
+export async function verifyAttestation(attestationId, options = {}) {
+    if (!ATTESTATION_ID_RE.test(attestationId)) {
+        throw new Error('verifyAttestation: attestationId must start with att_');
+    }
+    const base = (options.apiUrl ?? DEFAULT_API_URL).replace(/\/+$/, '');
+    const res = await fetch(`${base}/api/attestations/${attestationId}/verify`);
+    if (!res.ok) {
+        const err = (await res.json().catch(() => ({})));
+        throw new Error(err.error
+            ? `verifyAttestation failed: ${err.error}`
+            : `verifyAttestation failed: HTTP ${res.status}`);
+    }
+    return (await res.json());
+}
+//# sourceMappingURL=index.js.map

package/dist/attestations/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/attestations/index.ts"],"names":[],"mappings":"AAwCA,MAAM,eAAe,GAAG,gCAAgC,CAAC;AACzD,MAAM,iBAAiB,GAAG,sBAAsB,CAAC;AAEjD;;;;;;;;;;;;GAYG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,aAAqB,EACrB,UAAoC,EAAE;IAEtC,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,aAAa,CAAC,EAAE,CAAC;QAC3C,MAAM,IAAI,KAAK,CAAC,uDAAuD,CAAC,CAAC;IAC3E,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,OAAO,CAAC,MAAM,IAAI,eAAe,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IACrE,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,qBAAqB,aAAa,SAAS,CAAC,CAAC;IAE5E,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,GAAG,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAAuB,CAAC;QACvE,MAAM,IAAI,KAAK,CACb,GAAG,CAAC,KAAK;YACP,CAAC,CAAC,6BAA6B,GAAG,CAAC,KAAK,EAAE;YAC1C,CAAC,CAAC,kCAAkC,GAAG,CAAC,MAAM,EAAE,CACnD,CAAC;IACJ,CAAC;IAED,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAA8B,CAAC;AACzD,CAAC"}

package/dist/client.d.ts

@@ -1,6 +1,10 @@
+import type { AgentTrustProfile } from './trust/posture.js';
 import type { AgentEvent, AgentEventInput } from './events/schema.js';
 import type { Policy } from './policy/index.js';
 import type { OversightConfig } from './oversight/index.js';
+import type { IdentityCheckResult } from './identity/hibp.js';
+import type { EventExporter } from './exporters/index.js';
+import type { RiskScoreRecord } from './risk/index.js';
 /** The action fields a developer passes to track() */
 export interface TrackInput {
     action_type: AgentEventInput['action_type'];
@@ -12,6 +16,36 @@ export interface TrackInput {
      *  and this is not provided, timeout_action applies immediately. */
     waitForApproval?: () => Promise<boolean>;
 }
+/** Minimal input for a batched event. Each is signed locally before upload. */
+export interface TrackBatchInput {
+    action_type: AgentEventInput['action_type'];
+    resource: string;
+    outcome?: AgentEventInput['outcome'];
+    policy_id?: string | null;
+    metadata?: Record<string, unknown>;
+}
+export interface TrackBatchResult {
+    accepted: number;
+    rejected: number;
+    errors?: Array<{
+        index: number;
+        event_id?: string;
+        reason: string;
+        detail?: string;
+    }>;
+}
+/**
+ * Internal buffering config. When enabled, track() returns immediately
+ * after signing and queues the event — a background flush posts batches
+ * to /api/events/batch when the buffer hits maxSize or maxWaitMs elapses.
+ */
+export interface BatchConfig {
+    enabled: boolean;
+    /** Flush when the buffer reaches this many events. */
+    maxSize: number;
+    /** Flush after this many milliseconds since the first queued event. */
+    maxWaitMs: number;
+}
 export interface MandateZClientConfig {
     agentId: string;
     ownerId: string;
@@ -22,6 +56,78 @@ export interface MandateZClientConfig {
     policies?: Policy[];
     /** Optional oversight config — if provided, flagged actions pause for human approval */
     oversight?: OversightConfig;
+    /** HaveIBeenPwned API key — required for checkIdentity() */
+    hibpApiKey?: string;
+    /** MandateZ directory base URL used by verifyAgent(). Defaults to https://core-directory.vercel.app */
+    directoryUrl?: string;
+    /**
+     * Optional list of downstream exporters. After each track() call the
+     * signed event is fanned out to every configured exporter in parallel
+     * (fire-and-forget — exporter failures never block or throw from track()).
+     */
+    exporters?: EventExporter[];
+    /**
+     * Dashboard API base URL. Required for trackBatch() and for track()
+     * buffering mode. Example: 'https://dashboard.mandatez.com'.
+     */
+    apiUrl?: string;
+    /** Optional API key ("mz_live_...") sent to dashboard endpoints. */
+    apiKey?: string;
+    /** Enable internal batching on track() calls. Off by default. */
+    batchConfig?: BatchConfig;
+}
+export interface CheckIdentityInput {
+    email: string;
+    /** Override the client's default agentId for this check */
+    agentId?: string;
+    /** What to do when an identity comes back flagged. Defaults to 'restrict'. */
+    onFlagged?: 'restrict' | 'block' | 'allow';
+}
+export interface CheckIdentityOutput extends IdentityCheckResult {
+    /** Effective action to take based on status + onFlagged policy */
+    recommendation: 'allow' | 'restrict' | 'block';
+}
+export type AgentTrustGrade = 'unverified' | 'low' | 'medium' | 'high' | 'verified';
+export interface VerifyAgentInput {
+    requestingAgentId: string;
+    targetAgentId: string;
+    /** Minimum trust score the target must meet. Default 60. */
+    requiredMinScore?: number;
+    /** Minimum trust grade the target must meet. Default "medium". */
+    requiredMinGrade?: AgentTrustGrade;
+}
+export interface VerifyAgentOutput {
+    verified: boolean;
+    targetTrustScore: number;
+    targetTrustGrade: AgentTrustGrade;
+    targetPublicKey: string;
+    verificationId: string;
+    /** Raw response from the directory for callers that need the full payload */
+    raw: VerifyAgentRawResponse;
+}
+export interface VerifyAgentRawResponse {
+    verified: boolean;
+    requesting_agent: {
+        id: string;
+        name: string;
+        trust_score: number;
+        trust_grade: AgentTrustGrade;
+    };
+    target_agent: {
+        id: string;
+        name: string;
+        trust_score: number;
+        trust_grade: AgentTrustGrade;
+        public_key: string;
+    };
+    verification: {
+        score_met: boolean;
+        grade_met: boolean;
+        required_min_score: number;
+        required_min_grade: AgentTrustGrade;
+        timestamp: string;
+        verification_id: string;
+    };
 }
 /**
  * Main SDK surface for developers.
@@ -36,6 +142,15 @@ export declare class MandateZClient {
     private transport;
     private policyEngine;
     private oversightGate;
+    private trustProfile;
+    private hibpApiKey;
+    private directoryUrl;
+    private exporters;
+    private apiUrl;
+    private apiKey;
+    private batchConfig;
+    private buffer;
+    private bufferFlushTimer;
     constructor(config: MandateZClientConfig);
     /**
      * Track an agent action.
@@ -49,5 +164,73 @@ export declare class MandateZClient {
      * 4. Sign event, emit to Supabase, return
      */
     track(input: TrackInput): Promise<AgentEvent>;
+    /**
+     * Signs each input event locally and posts the batch to /api/events/batch.
+     *
+     * Requires `apiUrl` in config. The endpoint rejects the entire batch if
+     * any signature or schema check fails, so a returned `rejected` count is
+     * either 0 (all accepted) or equal to the input length (nothing inserted).
+     */
+    trackBatch(events: TrackBatchInput[]): Promise<TrackBatchResult>;
+    /**
+     * Flushes any buffered events immediately. Callers should invoke this
+     * during graceful shutdown to avoid dropping queued events.
+     */
+    flush(): Promise<TrackBatchResult>;
+    private enqueue;
+    private postBatch;
+    private fanOutToExporters;
+    /**
+     * Fetches all events for this agent from Supabase, recomputes
+     * the trust score, and updates the agents table.
+     */
+    recomputeTrustScore(): Promise<AgentTrustProfile>;
+    /**
+     * Returns the last computed trust profile, or null if not yet computed.
+     */
+    getTrustProfile(): AgentTrustProfile | null;
+    /**
+     * Checks an email against HaveIBeenPwned, stores the result in
+     * Supabase (identity_checks table), and returns a recommendation.
+     *
+     * Recommendation logic:
+     * - status=clean    → allow
+     * - status=flagged  → onFlagged (default: 'restrict')
+     * - status=blocked  → block (cannot be overridden)
+     */
+    checkIdentity(input: CheckIdentityInput): Promise<CheckIdentityOutput>;
+    /**
+     * Verify another agent's MandateZ credentials before transacting with it.
+     *
+     * Calls the MandateZ directory's /api/agents/verify endpoint and returns
+     * whether the target agent meets the minimum trust score and grade you
+     * specified. Use this at the edge of any cross-agent interaction.
+     *
+     * @example
+     * const result = await client.verifyAgent({
+     *   requestingAgentId: 'ag_my_agent',
+     *   targetAgentId: 'ag_partner_agent',
+     *   requiredMinScore: 70,
+     * });
+     * if (!result.verified) {
+     *   throw new Error('Partner agent failed MandateZ verification');
+     * }
+     */
+    verifyAgent(input: VerifyAgentInput): Promise<VerifyAgentOutput>;
+    /**
+     * Fetch the most recent risk score for an agent from the MandateZ
+     * dashboard. The server auto-computes a fresh score if none exists yet,
+     * so this never returns null.
+     *
+     * Requires `apiUrl` and `apiKey` in the client config.
+     */
+    getRiskScore(agentId: string): Promise<RiskScoreRecord>;
+    /**
+     * Trigger a fresh risk-score recomputation for an agent. The returned
+     * record is the newly persisted snapshot.
+     *
+     * Requires `apiUrl` and `apiKey` in the client config.
+     */
+    computeRiskScore(agentId: string, windowDays?: number): Promise<RiskScoreRecord>;
 }
 //# sourceMappingURL=client.d.ts.map

package/dist/client.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AACtE,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AAE5D,sDAAsD;AACtD,MAAM,WAAW,UAAU;IACzB,WAAW,EAAE,eAAe,CAAC,aAAa,CAAC,CAAC;IAC5C,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,eAAe,CAAC,SAAS,CAAC,CAAC;IACrC,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACnC;wEACoE;IACpE,eAAe,CAAC,EAAE,MAAM,OAAO,CAAC,OAAO,CAAC,CAAC;CAC1C;AAED,MAAM,WAAW,oBAAoB;IACnC,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,eAAe,EAAE,MAAM,CAAC;IACxB,mFAAmF;IACnF,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,wFAAwF;IACxF,SAAS,CAAC,EAAE,eAAe,CAAC;CAC7B;AAED;;;;;GAKG;AACH,qBAAa,cAAc;IACzB,OAAO,CAAC,OAAO,CAAS;IACxB,OAAO,CAAC,OAAO,CAAS;IACxB,OAAO,CAAC,UAAU,CAAS;IAC3B,OAAO,CAAC,SAAS,CAAoB;IACrC,OAAO,CAAC,YAAY,CAAe;IACnC,OAAO,CAAC,aAAa,CAAuB;gBAEhC,MAAM,EAAE,oBAAoB;IAqBxC;;;;;;;;;;OAUG;IACG,KAAK,CAAC,KAAK,EAAE,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;CA+CpD"}
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAUA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AAC5D,OAAO,KAAK,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AACtE,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AAC5D,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAC9D,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAC1D,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAEvD,sDAAsD;AACtD,MAAM,WAAW,UAAU;IACzB,WAAW,EAAE,eAAe,CAAC,aAAa,CAAC,CAAC;IAC5C,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,eAAe,CAAC,SAAS,CAAC,CAAC;IACrC,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACnC;wEACoE;IACpE,eAAe,CAAC,EAAE,MAAM,OAAO,CAAC,OAAO,CAAC,CAAC;CAC1C;AAED,+EAA+E;AAC/E,MAAM,WAAW,eAAe;IAC9B,WAAW,EAAE,eAAe,CAAC,aAAa,CAAC,CAAC;IAC5C,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,eAAe,CAAC,SAAS,CAAC,CAAC;IACrC,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACpC;AAED,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,CAAC,EAAE,KAAK,CAAC;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CACvF;AAED;;;;GAIG;AACH,MAAM,WAAW,WAAW;IAC1B,OAAO,EAAE,OAAO,CAAC;IACjB,sDAAsD;IACtD,OAAO,EAAE,MAAM,CAAC;IAChB,uEAAuE;IACvE,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,oBAAoB;IACnC,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,eAAe,EAAE,MAAM,CAAC;IACxB,mFAAmF;IACnF,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,wFAAwF;IACxF,SAAS,CAAC,EAAE,eAAe,CAAC;IAC5B,4DAA4D;IAC5D,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,uGAAuG;IACvG,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB;;;;OAIG;IACH,SAAS,CAAC,EAAE,aAAa,EAAE,CAAC;IAC5B;;;OAGG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,oEAAoE;IACpE,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,iEAAiE;IACjE,WAAW,CAAC,EAAE,WAAW,CAAC;CAC3B;AAED,MAAM,WAAW,kBAAkB;IACjC,KAAK,EAAE,MAAM,CAAC;IACd,2DAA2D;IAC3D,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,8EAA8E;IAC9E,SAAS,CAAC,EAAE,UAAU,GAAG,OAAO,GAAG,OAAO,CAAC;CAC5C;AAED,MAAM,WAAW,mBAAoB,SAAQ,mBAAmB;IAC9D,kEAAkE;IAClE,cAAc,EAAE,OAAO,GAAG,UAAU,GAAG,OAAO,CAAC;CAChD;AAED,MAAM,MAAM,eAAe,GAAG,YAAY,GAAG,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,UAAU,CAAC;AAEpF,MAAM,WAAW,gBAAgB;IAC/B,iBAAiB,EAAE,MAAM,CAAC;IAC1B,aAAa,EAAE,MAAM,CAAC;IACtB,4DAA4D;IAC5D,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,kEAAkE;IAClE,gBAAgB,CAAC,EAAE,eAAe,CAAC;CACpC;AAED,MAAM,WAAW,iBAAiB;IAChC,QAAQ,EAAE,OAAO,CAAC;IAClB,gBAAgB,EAAE,MAAM,CAAC;IACzB,gBAAgB,EAAE,eAAe,CAAC;IAClC,eAAe,EAAE,MAAM,CAAC;IACxB,cAAc,EAAE,MAAM,CAAC;IACvB,6EAA6E;IAC7E,GAAG,EAAE,sBAAsB,CAAC;CAC7B;AAED,MAAM,WAAW,sBAAsB;IACrC,QAAQ,EAAE,OAAO,CAAC;IAClB,gBAAgB,EAAE;QAChB,EAAE,EAAE,MAAM,CAAC;QACX,IAAI,EAAE,MAAM,CAAC;QACb,WAAW,EAAE,MAAM,CAAC;QACpB,WAAW,EAAE,eAAe,CAAC;KAC9B,CAAC;IACF,YAAY,EAAE;QACZ,EAAE,EAAE,MAAM,CAAC;QACX,IAAI,EAAE,MAAM,CAAC;QACb,WAAW,EAAE,MAAM,CAAC;QACpB,WAAW,EAAE,eAAe,CAAC;QAC7B,UAAU,EAAE,MAAM,CAAC;KACpB,CAAC;IACF,YAAY,EAAE;QACZ,SAAS,EAAE,OAAO,CAAC;QACnB,SAAS,EAAE,OAAO,CAAC;QACnB,kBAAkB,EAAE,MAAM,CAAC;QAC3B,kBAAkB,EAAE,eAAe,CAAC;QACpC,SAAS,EAAE,MAAM,CAAC;QAClB,eAAe,EAAE,MAAM,CAAC;KACzB,CAAC;CACH;AAID;;;;;GAKG;AACH,qBAAa,cAAc;IACzB,OAAO,CAAC,OAAO,CAAS;IACxB,OAAO,CAAC,OAAO,CAAS;IACxB,OAAO,CAAC,UAAU,CAAS;IAC3B,OAAO,CAAC,SAAS,CAAoB;IACrC,OAAO,CAAC,YAAY,CAAe;IACnC,OAAO,CAAC,aAAa,CAAuB;IAC5C,OAAO,CAAC,YAAY,CAAkC;IACtD,OAAO,CAAC,UAAU,CAAgB;IAClC,OAAO,CAAC,YAAY,CAAS;IAC7B,OAAO,CAAC,SAAS,CAAkB;IACnC,OAAO,CAAC,MAAM,CAAgB;IAC9B,OAAO,CAAC,MAAM,CAAgB;IAC9B,OAAO,CAAC,WAAW,CAAqB;IACxC,OAAO,CAAC,MAAM,CAAoB;IAClC,OAAO,CAAC,gBAAgB,CAA8C;gBAE1D,MAAM,EAAE,oBAAoB;IA2BxC;;;;;;;;;;OAUG;IACG,KAAK,CAAC,KAAK,EAAE,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;IAwEnD;;;;;;OAMG;IACG,UAAU,CAAC,MAAM,EAAE,eAAe,EAAE,GAAG,OAAO,CAAC,gBAAgB,CAAC;IA8BtE;;;OAGG;IACG,KAAK,IAAI,OAAO,CAAC,gBAAgB,CAAC;IAaxC,OAAO,CAAC,OAAO;YAiBD,SAAS;IAqCvB,OAAO,CAAC,iBAAiB;IAYzB;;;OAGG;IACG,mBAAmB,IAAI,OAAO,CAAC,iBAAiB,CAAC;IAUvD;;OAEG;IACH,eAAe,IAAI,iBAAiB,GAAG,IAAI;IAI3C;;;;;;;;OAQG;IACG,aAAa,CAAC,KAAK,EAAE,kBAAkB,GAAG,OAAO,CAAC,mBAAmB,CAAC;IA6B5E;;;;;;;;;;;;;;;;OAgBG;IACG,WAAW,CAAC,KAAK,EAAE,gBAAgB,GAAG,OAAO,CAAC,iBAAiB,CAAC;IAiCtE;;;;;;OAMG;IACG,YAAY,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,CAAC;IAS7D;;;;;OAKG;IACG,gBAAgB,CAAC,OAAO,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,CAAC;CAYvF"}