@mindburn/helm-ai-kernel 0.5.10 → 0.5.12

package/README.md

@@ -10,7 +10,7 @@ npm ci
 npm run build
 ```
 
-Package metadata declares version `0.5.10` in `package.json`; this README does
+Package metadata declares version `0.5.12` in `package.json`; this README does
 not claim that a registry package has been published.
 
 ## Local Development
@@ -86,4 +86,4 @@ and sandbox grants attached to HELM-native receipts and EvidencePacks.
 
 ## Release Notes
 
-`0.5.10` is the release-hardening patch with the retained OpenAPI client surface and protobuf message bindings.
+`0.5.12` is the release-hardening patch with the retained OpenAPI client surface and protobuf message bindings.

package/dist/generated/boundary/extauthz/v1/extauthz.d.ts

@@ -0,0 +1,171 @@
+import { BinaryReader, BinaryWriter } from "@bufbuild/protobuf/wire";
+import { type CallOptions, type ChannelCredentials, Client, type ClientOptions, type ClientUnaryCall, type handleUnaryCall, type Metadata, type ServiceError, type UntypedServiceImplementation } from "@grpc/grpc-js";
+export declare const protobufPackage = "helm.boundary.extauthz.v1";
+/**
+ * HELM Boundary External Authorization Protocol Buffer Definitions
+ *
+ * Canonical IDL for the optional gRPC transport of the Kernel-owned
+ * pre-dispatch external authorization contract.
+ *
+ * Stability: v1 additive-only.
+ *
+ * This contract deliberately represents pre-dispatch authorization only. Final
+ * EFFECT receipts, ProofGraph edges, and EvidencePack refs are post-dispatch
+ * proof artifacts and must not be minted by the gateway.
+ */
+export declare enum Verdict {
+    VERDICT_UNSPECIFIED = 0,
+    VERDICT_ALLOW = 1,
+    VERDICT_DENY = 2,
+    VERDICT_ESCALATE = 3,
+    UNRECOGNIZED = -1
+}
+export declare function verdictFromJSON(object: any): Verdict;
+export declare function verdictToJSON(object: Verdict): string;
+export declare enum Protocol {
+    PROTOCOL_UNSPECIFIED = 0,
+    PROTOCOL_MCP = 1,
+    PROTOCOL_A2A = 2,
+    PROTOCOL_HTTP = 3,
+    PROTOCOL_GRPC = 4,
+    PROTOCOL_OPENAI = 5,
+    UNRECOGNIZED = -1
+}
+export declare function protocolFromJSON(object: any): Protocol;
+export declare function protocolToJSON(object: Protocol): string;
+export interface AuthorizationRequest {
+    schemaVersion: string;
+    contractVersion: string;
+    requestId: string;
+    tenantId: string;
+    workspaceId: string;
+    principalId: string;
+    principalSeq: number;
+    agentIdentityProfileRef: string;
+    protocol: Protocol;
+    actionUrn: string;
+    toolUrn: string;
+    connectorId: string;
+    connectorContractHash: string;
+    executorKind: string;
+    effectClass: string;
+    riskClass: string;
+    argsC14nHash: string;
+    requestBodyHash: string;
+    planHash: string;
+    policyHash: string;
+    p0Hash: string;
+    policyEpoch: string;
+    idempotencyKeyCandidate: string;
+    payloadClass: string;
+    redactionProfile: string;
+    upstreamTraceId: string;
+    upstreamRunId: string;
+    deadlineMs: number;
+    riskContext: {
+        [key: string]: any;
+    } | undefined;
+    riskContextHash: string;
+}
+export interface AuthorizationResponse {
+    schemaVersion: string;
+    contractVersion: string;
+    requestId: string;
+    tenantId: string;
+    workspaceId: string;
+    principalId: string;
+    principalSeq: number;
+    agentIdentityProfileRef: string;
+    protocol: Protocol;
+    actionUrn: string;
+    toolUrn: string;
+    connectorId: string;
+    connectorContractHash: string;
+    executorKind: string;
+    effectClass: string;
+    riskClass: string;
+    argsC14nHash: string;
+    requestBodyHash: string;
+    planHash: string;
+    policyHash: string;
+    p0Hash: string;
+    policyEpoch: string;
+    idempotencyKeyCandidate: string;
+    payloadClass: string;
+    redactionProfile: string;
+    upstreamTraceId: string;
+    upstreamRunId: string;
+    deadlineMs: number;
+    riskContextHash: string;
+    verdict: Verdict;
+    reasonCode: string;
+    kernelTrustRootId: string;
+    signingKeyRef: string;
+    kernelVerdictRef: string;
+    kernelVerdictHash: string;
+    kernelVerdictSignature: Uint8Array;
+    kernelVerdictIssuedAt: Date | undefined;
+    kernelVerdictExpiresAt: Date | undefined;
+    /** ALLOW-only, single-use pre-dispatch permit fields. */
+    effectPermitRef: string;
+    permitNonce: string;
+    permitExpiry: Date | undefined;
+    proofSessionRef: string;
+    evidenceReservationRef: string;
+    budgetReservationRef: string;
+    cachePolicy: string;
+    replayHint: string;
+    /** DENY/ESCALATE references are pre-dispatch records, not final effect proof. */
+    denialReceiptRef: string;
+    escalationRef: string;
+    escalationReceiptRef: string;
+    proofObligation: string;
+    connectorReceiptPolicy: string;
+    proofFinalizationPolicy: string;
+}
+export declare const AuthorizationRequest: MessageFns<AuthorizationRequest>;
+export declare const AuthorizationResponse: MessageFns<AuthorizationResponse>;
+export type ExternalAuthorizationServiceService = typeof ExternalAuthorizationServiceService;
+export declare const ExternalAuthorizationServiceService: {
+    readonly authorize: {
+        readonly path: "/helm.boundary.extauthz.v1.ExternalAuthorizationService/Authorize";
+        readonly requestStream: false;
+        readonly responseStream: false;
+        readonly requestSerialize: (value: AuthorizationRequest) => Buffer;
+        readonly requestDeserialize: (value: Buffer) => AuthorizationRequest;
+        readonly responseSerialize: (value: AuthorizationResponse) => Buffer;
+        readonly responseDeserialize: (value: Buffer) => AuthorizationResponse;
+    };
+};
+export interface ExternalAuthorizationServiceServer extends UntypedServiceImplementation {
+    authorize: handleUnaryCall<AuthorizationRequest, AuthorizationResponse>;
+}
+export interface ExternalAuthorizationServiceClient extends Client {
+    authorize(request: AuthorizationRequest, callback: (error: ServiceError | null, response: AuthorizationResponse) => void): ClientUnaryCall;
+    authorize(request: AuthorizationRequest, metadata: Metadata, callback: (error: ServiceError | null, response: AuthorizationResponse) => void): ClientUnaryCall;
+    authorize(request: AuthorizationRequest, metadata: Metadata, options: Partial<CallOptions>, callback: (error: ServiceError | null, response: AuthorizationResponse) => void): ClientUnaryCall;
+}
+export declare const ExternalAuthorizationServiceClient: {
+    new (address: string, credentials: ChannelCredentials, options?: Partial<ClientOptions>): ExternalAuthorizationServiceClient;
+    service: typeof ExternalAuthorizationServiceService;
+    serviceName: string;
+};
+type Builtin = Date | Function | Uint8Array | string | number | boolean | undefined;
+export type DeepPartial<T> = T extends Builtin ? T : T extends globalThis.Array<infer U> ? globalThis.Array<DeepPartial<U>> : T extends ReadonlyArray<infer U> ? ReadonlyArray<DeepPartial<U>> : T extends {} ? {
+    [K in keyof T]?: DeepPartial<T[K]>;
+} : Partial<T>;
+type KeysOfUnion<T> = T extends T ? keyof T : never;
+export type Exact<P, I extends P> = P extends Builtin ? P : P & {
+    [K in keyof P]: Exact<P[K], I[K]>;
+} & {
+    [K in Exclude<keyof I, KeysOfUnion<P>>]: never;
+};
+export interface MessageFns<T> {
+    encode(message: T, writer?: BinaryWriter): BinaryWriter;
+    decode(input: BinaryReader | Uint8Array, length?: number): T;
+    fromJSON(object: any): T;
+    toJSON(message: T): unknown;
+    create<I extends Exact<DeepPartial<T>, I>>(base?: I): T;
+    fromPartial<I extends Exact<DeepPartial<T>, I>>(object: I): T;
+}
+export {};