@paybond/kit 0.10.0 → 0.11.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/completion-presets/catalog.json +1187 -0
- package/completion-presets/catalog.sha256 +1 -0
- package/dev/trace-ui/dashboard.html +617 -0
- package/dist/agent/adapter.d.ts +51 -0
- package/dist/agent/adapter.js +66 -0
- package/dist/agent/attach-bundle.d.ts +37 -0
- package/dist/agent/attach-bundle.js +118 -0
- package/dist/agent/authorization-cache.d.ts +22 -0
- package/dist/agent/authorization-cache.js +36 -0
- package/dist/agent/deferred-tools.d.ts +11 -0
- package/dist/agent/deferred-tools.js +62 -0
- package/dist/agent/discover.d.ts +41 -0
- package/dist/agent/discover.js +147 -0
- package/dist/agent/evidence.d.ts +9 -0
- package/dist/agent/evidence.js +28 -0
- package/dist/agent/facade.d.ts +48 -0
- package/dist/agent/facade.js +112 -0
- package/dist/agent/gateway-trace-reporter.d.ts +28 -0
- package/dist/agent/gateway-trace-reporter.js +49 -0
- package/dist/agent/generic-runner.d.ts +14 -0
- package/dist/agent/generic-runner.js +49 -0
- package/dist/agent/generic-sandbox-demo.d.ts +36 -0
- package/dist/agent/generic-sandbox-demo.js +82 -0
- package/dist/agent/guarded-agent.d.ts +49 -0
- package/dist/agent/guarded-agent.js +100 -0
- package/dist/agent/index.d.ts +13 -0
- package/dist/agent/index.js +13 -0
- package/dist/agent/instrument.d.ts +156 -0
- package/dist/agent/instrument.js +442 -0
- package/dist/agent/interceptor.d.ts +24 -0
- package/dist/agent/interceptor.js +440 -0
- package/dist/agent/lazy-context-tools.d.ts +15 -0
- package/dist/agent/lazy-context-tools.js +81 -0
- package/dist/agent/registry-file.d.ts +39 -0
- package/dist/agent/registry-file.js +219 -0
- package/dist/agent/registry.d.ts +37 -0
- package/dist/agent/registry.js +128 -0
- package/dist/agent/run.d.ts +124 -0
- package/dist/agent/run.js +301 -0
- package/dist/agent/types.d.ts +318 -0
- package/dist/agent/types.js +42 -0
- package/dist/agent-recognition.d.ts +72 -0
- package/dist/agent-recognition.js +165 -0
- package/dist/bincode-wire.d.ts +18 -0
- package/dist/bincode-wire.js +93 -0
- package/dist/claude-agents/config.d.ts +21 -0
- package/dist/claude-agents/config.js +145 -0
- package/dist/claude-agents/index.d.ts +2 -0
- package/dist/claude-agents/index.js +2 -0
- package/dist/claude-agents/sandbox-demo.d.ts +30 -0
- package/dist/claude-agents/sandbox-demo.js +91 -0
- package/dist/cli/agent/env-quote.d.ts +1 -0
- package/dist/cli/agent/env-quote.js +6 -0
- package/dist/cli/agent/env-write.d.ts +8 -0
- package/dist/cli/agent/env-write.js +47 -0
- package/dist/cli/agent/paybond.d.ts +16 -0
- package/dist/cli/agent/paybond.js +55 -0
- package/dist/cli/agent/policy-file.d.ts +29 -0
- package/dist/cli/agent/policy-file.js +61 -0
- package/dist/cli/agent/production-evidence.d.ts +24 -0
- package/dist/cli/agent/production-evidence.js +98 -0
- package/dist/cli/agent/run-store.d.ts +30 -0
- package/dist/cli/agent/run-store.js +42 -0
- package/dist/cli/agent/run-trace-store.d.ts +39 -0
- package/dist/cli/agent/run-trace-store.js +143 -0
- package/dist/cli/agent-run-trace-table.d.ts +9 -0
- package/dist/cli/agent-run-trace-table.js +24 -0
- package/dist/cli/agent-sandbox-smoke-checklist.d.ts +9 -0
- package/dist/cli/agent-sandbox-smoke-checklist.js +50 -0
- package/dist/cli/command-spec.d.ts +1 -0
- package/dist/cli/command-spec.js +286 -5
- package/dist/cli/commands/agent.d.ts +16 -0
- package/dist/cli/commands/agent.js +1135 -0
- package/dist/cli/commands/dev.d.ts +7 -0
- package/dist/cli/commands/dev.js +348 -0
- package/dist/cli/commands/discovery.js +3 -3
- package/dist/cli/commands/policy.d.ts +13 -0
- package/dist/cli/commands/policy.js +769 -0
- package/dist/cli/commands/setup.d.ts +3 -0
- package/dist/cli/commands/setup.js +124 -8
- package/dist/cli/commands/workflows.js +9 -4
- package/dist/cli/config.d.ts +2 -0
- package/dist/cli/config.js +4 -2
- package/dist/cli/context.js +2 -1
- package/dist/cli/credentials.js +2 -2
- package/dist/cli/doctor-agent-middleware.d.ts +5 -0
- package/dist/cli/doctor-agent-middleware.js +49 -0
- package/dist/cli/globals.d.ts +1 -0
- package/dist/cli/globals.js +11 -1
- package/dist/cli/help.d.ts +1 -1
- package/dist/cli/help.js +35 -3
- package/dist/cli/mcp-install.js +2 -2
- package/dist/cli/mcp-policy.d.ts +3 -0
- package/dist/cli/mcp-policy.js +19 -13
- package/dist/cli/mcp-verify-config.js +9 -11
- package/dist/cli/redact.js +29 -8
- package/dist/cli/router.js +105 -2
- package/dist/cli/smoke-deep-links.d.ts +15 -0
- package/dist/cli/smoke-deep-links.js +63 -0
- package/dist/cli/telemetry.d.ts +17 -0
- package/dist/cli/telemetry.js +94 -0
- package/dist/completion-catalog-digest.d.ts +2 -0
- package/dist/completion-catalog-digest.js +2 -0
- package/dist/completion-catalog-integrity.d.ts +2 -0
- package/dist/completion-catalog-integrity.js +17 -0
- package/dist/completion-catalog.d.ts +49 -0
- package/dist/completion-catalog.js +62 -0
- package/dist/completion-contract-digest.d.ts +37 -0
- package/dist/completion-contract-digest.js +73 -0
- package/dist/completion-forbidden-fields.d.ts +5 -0
- package/dist/completion-forbidden-fields.js +26 -0
- package/dist/completion-init.d.ts +8 -0
- package/dist/completion-init.js +334 -0
- package/dist/completion-resolve.d.ts +21 -0
- package/dist/completion-resolve.js +86 -0
- package/dist/completion-validate-evidence.d.ts +24 -0
- package/dist/completion-validate-evidence.js +145 -0
- package/dist/dev/offline-gateway.d.ts +24 -0
- package/dist/dev/offline-gateway.js +102 -0
- package/dist/dev/trace-buffer.d.ts +61 -0
- package/dist/dev/trace-buffer.js +330 -0
- package/dist/dev/trace-security-headers.d.ts +11 -0
- package/dist/dev/trace-security-headers.js +16 -0
- package/dist/dev/trace-server.d.ts +8 -0
- package/dist/dev/trace-server.js +38 -0
- package/dist/dev/trace-ui.d.ts +4 -0
- package/dist/dev/trace-ui.js +25 -0
- package/dist/dev/wiremock-up.d.ts +15 -0
- package/dist/dev/wiremock-up.js +118 -0
- package/dist/doctor-completion.d.ts +17 -0
- package/dist/doctor-completion.js +428 -0
- package/dist/gateway-url.d.ts +7 -0
- package/dist/gateway-url.js +69 -0
- package/dist/index.d.ts +119 -2
- package/dist/index.js +267 -6
- package/dist/init.js +374 -57
- package/dist/langgraph/awrap-tool-call.d.ts +25 -0
- package/dist/langgraph/awrap-tool-call.js +81 -0
- package/dist/langgraph/config.d.ts +13 -0
- package/dist/langgraph/config.js +11 -0
- package/dist/langgraph/index.d.ts +4 -0
- package/dist/langgraph/index.js +4 -0
- package/dist/langgraph/sandbox-demo.d.ts +40 -0
- package/dist/langgraph/sandbox-demo.js +96 -0
- package/dist/langgraph/tool-node.d.ts +10 -0
- package/dist/langgraph/tool-node.js +38 -0
- package/dist/login.js +7 -0
- package/dist/mcp/index.d.ts +1 -0
- package/dist/mcp/index.js +1 -0
- package/dist/mcp/tool-surface.d.ts +25 -0
- package/dist/mcp/tool-surface.js +17 -0
- package/dist/mcp-capability-token-cache.d.ts +24 -0
- package/dist/mcp-capability-token-cache.js +101 -0
- package/dist/mcp-evidence-policy.d.ts +48 -0
- package/dist/mcp-evidence-policy.js +117 -0
- package/dist/mcp-policy-reload.d.ts +79 -0
- package/dist/mcp-policy-reload.js +200 -0
- package/dist/mcp-sep2828-evidence.d.ts +36 -0
- package/dist/mcp-sep2828-evidence.js +65 -0
- package/dist/mcp-server.d.ts +6 -0
- package/dist/mcp-server.js +224 -44
- package/dist/openai-agents/index.d.ts +40 -0
- package/dist/openai-agents/index.js +151 -0
- package/dist/openai-agents/sandbox-demo.d.ts +34 -0
- package/dist/openai-agents/sandbox-demo.js +118 -0
- package/dist/payee-evidence.js +2 -29
- package/dist/policy/catalog.d.ts +31 -0
- package/dist/policy/catalog.js +48 -0
- package/dist/policy/compose-utils.d.ts +3 -0
- package/dist/policy/compose-utils.js +4 -0
- package/dist/policy/compose.d.ts +20 -0
- package/dist/policy/compose.js +240 -0
- package/dist/policy/digest.d.ts +7 -0
- package/dist/policy/digest.js +75 -0
- package/dist/policy/domain.d.ts +15 -0
- package/dist/policy/domain.js +28 -0
- package/dist/policy/guardrail-spec.d.ts +17 -0
- package/dist/policy/guardrail-spec.js +140 -0
- package/dist/policy/guardrails.d.ts +48 -0
- package/dist/policy/guardrails.js +72 -0
- package/dist/policy/index.d.ts +21 -0
- package/dist/policy/index.js +21 -0
- package/dist/policy/init.d.ts +102 -0
- package/dist/policy/init.js +351 -0
- package/dist/policy/intent-spec.d.ts +52 -0
- package/dist/policy/intent-spec.js +176 -0
- package/dist/policy/json-path.d.ts +4 -0
- package/dist/policy/json-path.js +23 -0
- package/dist/policy/layers-io.d.ts +7 -0
- package/dist/policy/layers-io.js +28 -0
- package/dist/policy/load-effective.d.ts +22 -0
- package/dist/policy/load-effective.js +77 -0
- package/dist/policy/load.d.ts +85 -0
- package/dist/policy/load.js +164 -0
- package/dist/policy/merge.d.ts +29 -0
- package/dist/policy/merge.js +297 -0
- package/dist/policy/parse-text.d.ts +2 -0
- package/dist/policy/parse-text.js +126 -0
- package/dist/policy/policy-api.d.ts +45 -0
- package/dist/policy/policy-api.js +61 -0
- package/dist/policy/presets.d.ts +19 -0
- package/dist/policy/presets.js +66 -0
- package/dist/policy/registry.d.ts +7 -0
- package/dist/policy/registry.js +33 -0
- package/dist/policy/reload.d.ts +86 -0
- package/dist/policy/reload.js +233 -0
- package/dist/policy/render-yaml.d.ts +3 -0
- package/dist/policy/render-yaml.js +69 -0
- package/dist/policy/sandbox-bootstrap.d.ts +19 -0
- package/dist/policy/sandbox-bootstrap.js +66 -0
- package/dist/policy/schema.d.ts +204 -0
- package/dist/policy/schema.js +255 -0
- package/dist/policy/snapshot.d.ts +33 -0
- package/dist/policy/snapshot.js +23 -0
- package/dist/policy/validate-remote.d.ts +43 -0
- package/dist/policy/validate-remote.js +104 -0
- package/dist/policy/validate.d.ts +36 -0
- package/dist/policy/validate.js +150 -0
- package/dist/policy/watcher.d.ts +29 -0
- package/dist/policy/watcher.js +112 -0
- package/dist/principal-intent.d.ts +52 -0
- package/dist/principal-intent.js +193 -37
- package/dist/project-init.d.ts +34 -0
- package/dist/project-init.js +898 -0
- package/dist/sep2828-signature.d.ts +10 -0
- package/dist/sep2828-signature.js +134 -0
- package/dist/solutions/api.d.ts +22 -0
- package/dist/solutions/api.js +40 -0
- package/dist/solutions/catalog.d.ts +34 -0
- package/dist/solutions/catalog.js +129 -0
- package/dist/solutions/index.d.ts +2 -0
- package/dist/solutions/index.js +2 -0
- package/dist/template-init.d.ts +54 -0
- package/dist/template-init.js +203 -0
- package/dist/vercel-ai/config.d.ts +15 -0
- package/dist/vercel-ai/config.js +13 -0
- package/dist/vercel-ai/index.d.ts +4 -0
- package/dist/vercel-ai/index.js +4 -0
- package/dist/vercel-ai/sandbox-demo.d.ts +44 -0
- package/dist/vercel-ai/sandbox-demo.js +153 -0
- package/dist/vercel-ai/tool-approval.d.ts +16 -0
- package/dist/vercel-ai/tool-approval.js +41 -0
- package/dist/vercel-ai/wrap-tools.d.ts +9 -0
- package/dist/vercel-ai/wrap-tools.js +40 -0
- package/dist/x402-receipt-evidence.d.ts +29 -0
- package/dist/x402-receipt-evidence.js +97 -0
- package/dist/x402-receipt-signature.d.ts +12 -0
- package/dist/x402-receipt-signature.js +211 -0
- package/package.json +75 -3
- package/solutions/aws.json +17 -0
- package/solutions/saas.json +17 -0
- package/solutions/shopping.json +17 -0
- package/solutions/travel.json +18 -0
- package/templates/manifest.json +169 -0
- package/templates/openai-shopping-agent/.env.example +3 -0
- package/templates/openai-shopping-agent/.github/workflows/smoke.yml +20 -0
- package/templates/openai-shopping-agent/LICENSE +201 -0
- package/templates/openai-shopping-agent/README.md +29 -0
- package/templates/openai-shopping-agent/package.json +22 -0
- package/templates/openai-shopping-agent/paybond.policy.yaml +22 -0
- package/templates/openai-shopping-agent/src/index.ts +22 -0
- package/templates/openai-shopping-agent/src/paybond.config.ts +51 -0
- package/templates/openai-shopping-agent/tsconfig.json +13 -0
- package/templates/paybond-aws-operator/.env.example +3 -0
- package/templates/paybond-aws-operator/.github/workflows/smoke.yml +20 -0
- package/templates/paybond-aws-operator/LICENSE +201 -0
- package/templates/paybond-aws-operator/README.md +29 -0
- package/templates/paybond-aws-operator/package.json +20 -0
- package/templates/paybond-aws-operator/paybond.policy.yaml +22 -0
- package/templates/paybond-aws-operator/src/index.ts +54 -0
- package/templates/paybond-aws-operator/src/paybond.config.ts +51 -0
- package/templates/paybond-aws-operator/tsconfig.json +13 -0
- package/templates/paybond-claude-agents-demo/.env.example +3 -0
- package/templates/paybond-claude-agents-demo/.github/workflows/smoke.yml +20 -0
- package/templates/paybond-claude-agents-demo/LICENSE +201 -0
- package/templates/paybond-claude-agents-demo/README.md +29 -0
- package/templates/paybond-claude-agents-demo/package.json +22 -0
- package/templates/paybond-claude-agents-demo/paybond.policy.yaml +22 -0
- package/templates/paybond-claude-agents-demo/src/index.ts +22 -0
- package/templates/paybond-claude-agents-demo/src/paybond.config.ts +51 -0
- package/templates/paybond-claude-agents-demo/tsconfig.json +13 -0
- package/templates/paybond-invoice-agent/.env.example +3 -0
- package/templates/paybond-invoice-agent/.github/workflows/smoke.yml +19 -0
- package/templates/paybond-invoice-agent/LICENSE +201 -0
- package/templates/paybond-invoice-agent/README.md +29 -0
- package/templates/paybond-invoice-agent/app.py +27 -0
- package/templates/paybond-invoice-agent/package.json +6 -0
- package/templates/paybond-invoice-agent/paybond.policy.yaml +22 -0
- package/templates/paybond-invoice-agent/paybond_config.py +45 -0
- package/templates/paybond-invoice-agent/requirements.txt +2 -0
- package/templates/paybond-mcp-coding-agent/.env.example +3 -0
- package/templates/paybond-mcp-coding-agent/.github/workflows/smoke.yml +20 -0
- package/templates/paybond-mcp-coding-agent/LICENSE +201 -0
- package/templates/paybond-mcp-coding-agent/README.md +39 -0
- package/templates/paybond-mcp-coding-agent/package.json +20 -0
- package/templates/paybond-mcp-coding-agent/paybond.policy.yaml +25 -0
- package/templates/paybond-mcp-coding-agent/src/index.ts +40 -0
- package/templates/paybond-mcp-coding-agent/src/paybond.config.ts +51 -0
- package/templates/paybond-mcp-coding-agent/tsconfig.json +13 -0
- package/templates/paybond-openai-agents-demo/.env.example +3 -0
- package/templates/paybond-openai-agents-demo/.github/workflows/smoke.yml +20 -0
- package/templates/paybond-openai-agents-demo/LICENSE +201 -0
- package/templates/paybond-openai-agents-demo/README.md +29 -0
- package/templates/paybond-openai-agents-demo/package.json +22 -0
- package/templates/paybond-openai-agents-demo/paybond.policy.yaml +22 -0
- package/templates/paybond-openai-agents-demo/src/index.ts +22 -0
- package/templates/paybond-openai-agents-demo/src/paybond.config.ts +51 -0
- package/templates/paybond-openai-agents-demo/tsconfig.json +13 -0
- package/templates/paybond-procurement-agent/.env.example +3 -0
- package/templates/paybond-procurement-agent/.github/workflows/smoke.yml +20 -0
- package/templates/paybond-procurement-agent/LICENSE +201 -0
- package/templates/paybond-procurement-agent/README.md +29 -0
- package/templates/paybond-procurement-agent/package.json +20 -0
- package/templates/paybond-procurement-agent/paybond.policy.yaml +25 -0
- package/templates/paybond-procurement-agent/src/index.ts +54 -0
- package/templates/paybond-procurement-agent/src/paybond.config.ts +51 -0
- package/templates/paybond-procurement-agent/tsconfig.json +13 -0
- package/templates/paybond-travel-agent/.env.example +3 -0
- package/templates/paybond-travel-agent/.github/workflows/smoke.yml +20 -0
- package/templates/paybond-travel-agent/LICENSE +201 -0
- package/templates/paybond-travel-agent/README.md +29 -0
- package/templates/paybond-travel-agent/package.json +23 -0
- package/templates/paybond-travel-agent/paybond.policy.yaml +22 -0
- package/templates/paybond-travel-agent/src/index.ts +22 -0
- package/templates/paybond-travel-agent/src/paybond.config.ts +51 -0
- package/templates/paybond-travel-agent/tsconfig.json +13 -0
- package/templates/paybond-vercel-shopping-agent/.env.example +3 -0
- package/templates/paybond-vercel-shopping-agent/.github/workflows/smoke.yml +20 -0
- package/templates/paybond-vercel-shopping-agent/LICENSE +201 -0
- package/templates/paybond-vercel-shopping-agent/README.md +29 -0
- package/templates/paybond-vercel-shopping-agent/package.json +22 -0
- package/templates/paybond-vercel-shopping-agent/paybond.policy.yaml +22 -0
- package/templates/paybond-vercel-shopping-agent/src/index.ts +22 -0
- package/templates/paybond-vercel-shopping-agent/src/paybond.config.ts +51 -0
- package/templates/paybond-vercel-shopping-agent/tsconfig.json +13 -0
|
@@ -0,0 +1,17 @@
|
|
|
1
|
+
import { guardrails, type PolicyGuardrailLayer } from "./guardrails.js";
|
|
2
|
+
export type GuardrailCatalogEntry = {
|
|
3
|
+
id: string;
|
|
4
|
+
title: string;
|
|
5
|
+
description: string;
|
|
6
|
+
parameterized?: boolean;
|
|
7
|
+
};
|
|
8
|
+
/** Built-in guardrail ids accepted by `policy init --guardrails` and solution manifests. */
|
|
9
|
+
export declare const GUARDRAIL_CATALOG_ENTRIES: GuardrailCatalogEntry[];
|
|
10
|
+
/** Resolve a solution-manifest guardrail token (for example `max_spend_usd_200`). */
|
|
11
|
+
export declare function resolveGuardrailManifestToken(token: string): PolicyGuardrailLayer;
|
|
12
|
+
/** Parse one guardrail token from CLI `--guardrails` or solution manifests. */
|
|
13
|
+
export declare function parseGuardrailSpec(spec: string): PolicyGuardrailLayer;
|
|
14
|
+
/** Parse a comma-separated guardrail spec list from CLI flags. */
|
|
15
|
+
export declare function parseGuardrailSpecs(csv: string): PolicyGuardrailLayer[];
|
|
16
|
+
export declare function listGuardrailCatalogEntries(): GuardrailCatalogEntry[];
|
|
17
|
+
export { guardrails };
|
|
@@ -0,0 +1,140 @@
|
|
|
1
|
+
import { auditOnly, allowDryRun, defaultDeny, guardrails, maxSpend, maxSpendUsd, readOnly, readOnlySearch, requireEvidence, strict, } from "./guardrails.js";
|
|
2
|
+
/** Built-in guardrail ids accepted by `policy init --guardrails` and solution manifests. */
|
|
3
|
+
export const GUARDRAIL_CATALOG_ENTRIES = [
|
|
4
|
+
{
|
|
5
|
+
id: "default-deny",
|
|
6
|
+
title: "Default deny",
|
|
7
|
+
description: "Require explicit tool registration (default_deny: true)",
|
|
8
|
+
},
|
|
9
|
+
{
|
|
10
|
+
id: "read-only",
|
|
11
|
+
title: "Read only",
|
|
12
|
+
description: "Keep only non-side-effecting tools",
|
|
13
|
+
},
|
|
14
|
+
{
|
|
15
|
+
id: "read-only-search",
|
|
16
|
+
title: "Read-only search",
|
|
17
|
+
description: "Keep only non-side-effecting search.* tools",
|
|
18
|
+
},
|
|
19
|
+
{
|
|
20
|
+
id: "strict",
|
|
21
|
+
title: "Strict",
|
|
22
|
+
description: "Tight caps, default deny, and evidence required on side-effecting tools",
|
|
23
|
+
},
|
|
24
|
+
{
|
|
25
|
+
id: "require-evidence",
|
|
26
|
+
title: "Require evidence",
|
|
27
|
+
description: "Validate evidence_preset on side-effecting tools at compose time",
|
|
28
|
+
},
|
|
29
|
+
{
|
|
30
|
+
id: "audit-only",
|
|
31
|
+
title: "Audit only",
|
|
32
|
+
description: "Reserved governance hook (no-op layer today)",
|
|
33
|
+
},
|
|
34
|
+
{
|
|
35
|
+
id: "allow-dry-run",
|
|
36
|
+
title: "Allow dry run",
|
|
37
|
+
description: "Reserved governance hook (no-op layer today)",
|
|
38
|
+
},
|
|
39
|
+
{
|
|
40
|
+
id: "max-spend:<usd>",
|
|
41
|
+
title: "Max spend (USD)",
|
|
42
|
+
description: "Cap intent budget and side-effecting tool spend (USD parameter)",
|
|
43
|
+
parameterized: true,
|
|
44
|
+
},
|
|
45
|
+
{
|
|
46
|
+
id: "max-spend-cents:<cents>",
|
|
47
|
+
title: "Max spend (cents)",
|
|
48
|
+
description: "Cap side-effecting tool spend in cents",
|
|
49
|
+
parameterized: true,
|
|
50
|
+
},
|
|
51
|
+
{
|
|
52
|
+
id: "max-spend-usd:<usd>",
|
|
53
|
+
title: "Max spend budget (USD)",
|
|
54
|
+
description: "Cap intent budget max_spend_usd only",
|
|
55
|
+
parameterized: true,
|
|
56
|
+
},
|
|
57
|
+
];
|
|
58
|
+
function normalizeGuardrailToken(token) {
|
|
59
|
+
return token.trim().toLowerCase().replace(/_/g, "-");
|
|
60
|
+
}
|
|
61
|
+
function parsePositiveNumber(raw, label) {
|
|
62
|
+
const value = Number(raw);
|
|
63
|
+
if (!Number.isFinite(value) || value < 0) {
|
|
64
|
+
throw new Error(`${label} requires a non-negative number`);
|
|
65
|
+
}
|
|
66
|
+
return value;
|
|
67
|
+
}
|
|
68
|
+
/** Resolve a solution-manifest guardrail token (for example `max_spend_usd_200`). */
|
|
69
|
+
export function resolveGuardrailManifestToken(token) {
|
|
70
|
+
const trimmed = token.trim();
|
|
71
|
+
const manifestUsd = /^max_spend_usd_(\d+(?:\.\d+)?)$/i.exec(trimmed);
|
|
72
|
+
if (manifestUsd) {
|
|
73
|
+
return maxSpendUsd(parsePositiveNumber(manifestUsd[1], "max_spend_usd"));
|
|
74
|
+
}
|
|
75
|
+
return parseGuardrailSpec(trimmed);
|
|
76
|
+
}
|
|
77
|
+
/** Parse one guardrail token from CLI `--guardrails` or solution manifests. */
|
|
78
|
+
export function parseGuardrailSpec(spec) {
|
|
79
|
+
const normalized = normalizeGuardrailToken(spec);
|
|
80
|
+
if (!normalized) {
|
|
81
|
+
throw new Error("guardrail spec must not be empty");
|
|
82
|
+
}
|
|
83
|
+
const maxSpendMatch = /^max-spend:(\d+(?:\.\d+)?)$/.exec(normalized);
|
|
84
|
+
if (maxSpendMatch) {
|
|
85
|
+
const usd = parsePositiveNumber(maxSpendMatch[1], "max-spend");
|
|
86
|
+
return {
|
|
87
|
+
caps: {
|
|
88
|
+
budgetMaxSpendUsd: usd,
|
|
89
|
+
sideEffectingMaxSpendCents: Math.round(usd * 100),
|
|
90
|
+
},
|
|
91
|
+
};
|
|
92
|
+
}
|
|
93
|
+
const maxSpendUsdMatch = /^max-spend-usd:(\d+(?:\.\d+)?)$/.exec(normalized);
|
|
94
|
+
if (maxSpendUsdMatch) {
|
|
95
|
+
return maxSpendUsd(parsePositiveNumber(maxSpendUsdMatch[1], "max-spend-usd"));
|
|
96
|
+
}
|
|
97
|
+
const maxSpendCentsMatch = /^max-spend-cents:(\d+)$/.exec(normalized);
|
|
98
|
+
if (maxSpendCentsMatch) {
|
|
99
|
+
return maxSpend(parsePositiveNumber(maxSpendCentsMatch[1], "max-spend-cents"));
|
|
100
|
+
}
|
|
101
|
+
switch (normalized) {
|
|
102
|
+
case "default-deny":
|
|
103
|
+
case "defaultdeny":
|
|
104
|
+
return defaultDeny();
|
|
105
|
+
case "read-only":
|
|
106
|
+
case "readonly":
|
|
107
|
+
return readOnly();
|
|
108
|
+
case "read-only-search":
|
|
109
|
+
case "readonlysearch":
|
|
110
|
+
return readOnlySearch();
|
|
111
|
+
case "strict":
|
|
112
|
+
return strict();
|
|
113
|
+
case "require-evidence":
|
|
114
|
+
case "requireevidence":
|
|
115
|
+
return requireEvidence();
|
|
116
|
+
case "audit-only":
|
|
117
|
+
case "auditonly":
|
|
118
|
+
return auditOnly();
|
|
119
|
+
case "allow-dry-run":
|
|
120
|
+
case "allowdryrun":
|
|
121
|
+
return allowDryRun();
|
|
122
|
+
default:
|
|
123
|
+
throw new Error(`unknown guardrail: ${spec}`);
|
|
124
|
+
}
|
|
125
|
+
}
|
|
126
|
+
/** Parse a comma-separated guardrail spec list from CLI flags. */
|
|
127
|
+
export function parseGuardrailSpecs(csv) {
|
|
128
|
+
const tokens = csv
|
|
129
|
+
.split(",")
|
|
130
|
+
.map((token) => token.trim())
|
|
131
|
+
.filter((token) => token.length > 0);
|
|
132
|
+
if (tokens.length === 0) {
|
|
133
|
+
throw new Error("guardrails list must include at least one entry");
|
|
134
|
+
}
|
|
135
|
+
return tokens.map((token) => parseGuardrailSpec(token));
|
|
136
|
+
}
|
|
137
|
+
export function listGuardrailCatalogEntries() {
|
|
138
|
+
return [...GUARDRAIL_CATALOG_ENTRIES];
|
|
139
|
+
}
|
|
140
|
+
export { guardrails };
|
|
@@ -0,0 +1,48 @@
|
|
|
1
|
+
import type { PaybondPolicyIntentSection, PaybondPolicyToolEntry } from "./schema.js";
|
|
2
|
+
/** Partial policy patch applied on top of a domain document during compose. */
|
|
3
|
+
export type PolicyGuardrailLayer = {
|
|
4
|
+
default_deny?: boolean;
|
|
5
|
+
tools?: Record<string, Partial<PaybondPolicyToolEntry>>;
|
|
6
|
+
intent?: Partial<PaybondPolicyIntentSection>;
|
|
7
|
+
filters?: {
|
|
8
|
+
readOnly?: boolean;
|
|
9
|
+
readOnlySearch?: boolean;
|
|
10
|
+
};
|
|
11
|
+
caps?: {
|
|
12
|
+
sideEffectingMaxSpendCents?: number;
|
|
13
|
+
budgetMaxSpendUsd?: number;
|
|
14
|
+
};
|
|
15
|
+
requireEvidence?: boolean;
|
|
16
|
+
};
|
|
17
|
+
/** Require `default_deny: true` (stricter wins when stacked). */
|
|
18
|
+
export declare function defaultDeny(): PolicyGuardrailLayer;
|
|
19
|
+
/** Cap every side-effecting tool at `cents` (stricter min wins when stacked). */
|
|
20
|
+
export declare function maxSpend(cents: number): PolicyGuardrailLayer;
|
|
21
|
+
/** Cap intent budget at `usd` dollars (stricter min wins when stacked). */
|
|
22
|
+
export declare function maxSpendUsd(usd: number): PolicyGuardrailLayer;
|
|
23
|
+
/** Keep only non-side-effecting tools and intersect allowed_tools. */
|
|
24
|
+
export declare function readOnly(): PolicyGuardrailLayer;
|
|
25
|
+
/** Keep only non-side-effecting search.* tools. */
|
|
26
|
+
export declare function readOnlySearch(): PolicyGuardrailLayer;
|
|
27
|
+
/** Tight caps, default deny, and evidence required on side-effecting tools. */
|
|
28
|
+
export declare function strict(): PolicyGuardrailLayer;
|
|
29
|
+
/** Governance hook: validate evidence presets at compose time (no extra fields). */
|
|
30
|
+
export declare function requireEvidence(): PolicyGuardrailLayer;
|
|
31
|
+
/** Governance hook reserved for audit-only execution modes (no-op layer today). */
|
|
32
|
+
export declare function auditOnly(): PolicyGuardrailLayer;
|
|
33
|
+
/** Governance hook reserved for dry-run modes (no-op layer today). */
|
|
34
|
+
export declare function allowDryRun(): PolicyGuardrailLayer;
|
|
35
|
+
/** Convert a bundled guardrails YAML object into a compose layer. */
|
|
36
|
+
export declare function guardrailLayerFromDocument(document: Record<string, unknown>): PolicyGuardrailLayer;
|
|
37
|
+
export declare const guardrails: {
|
|
38
|
+
readonly defaultDeny: typeof defaultDeny;
|
|
39
|
+
readonly maxSpend: typeof maxSpend;
|
|
40
|
+
readonly maxSpendUsd: typeof maxSpendUsd;
|
|
41
|
+
readonly readOnly: typeof readOnly;
|
|
42
|
+
readonly readOnlySearch: typeof readOnlySearch;
|
|
43
|
+
readonly strict: typeof strict;
|
|
44
|
+
readonly requireEvidence: typeof requireEvidence;
|
|
45
|
+
readonly auditOnly: typeof auditOnly;
|
|
46
|
+
readonly allowDryRun: typeof allowDryRun;
|
|
47
|
+
readonly fromDocument: typeof guardrailLayerFromDocument;
|
|
48
|
+
};
|
|
@@ -0,0 +1,72 @@
|
|
|
1
|
+
/** Require `default_deny: true` (stricter wins when stacked). */
|
|
2
|
+
export function defaultDeny() {
|
|
3
|
+
return { default_deny: true };
|
|
4
|
+
}
|
|
5
|
+
/** Cap every side-effecting tool at `cents` (stricter min wins when stacked). */
|
|
6
|
+
export function maxSpend(cents) {
|
|
7
|
+
if (!Number.isInteger(cents) || cents < 0) {
|
|
8
|
+
throw new Error("maxSpend requires a non-negative integer cents value");
|
|
9
|
+
}
|
|
10
|
+
return { caps: { sideEffectingMaxSpendCents: cents } };
|
|
11
|
+
}
|
|
12
|
+
/** Cap intent budget at `usd` dollars (stricter min wins when stacked). */
|
|
13
|
+
export function maxSpendUsd(usd) {
|
|
14
|
+
if (typeof usd !== "number" || usd < 0 || !Number.isFinite(usd)) {
|
|
15
|
+
throw new Error("maxSpendUsd requires a non-negative finite USD value");
|
|
16
|
+
}
|
|
17
|
+
return { caps: { budgetMaxSpendUsd: usd } };
|
|
18
|
+
}
|
|
19
|
+
/** Keep only non-side-effecting tools and intersect allowed_tools. */
|
|
20
|
+
export function readOnly() {
|
|
21
|
+
return { filters: { readOnly: true } };
|
|
22
|
+
}
|
|
23
|
+
/** Keep only non-side-effecting search.* tools. */
|
|
24
|
+
export function readOnlySearch() {
|
|
25
|
+
return { filters: { readOnlySearch: true } };
|
|
26
|
+
}
|
|
27
|
+
/** Tight caps, default deny, and evidence required on side-effecting tools. */
|
|
28
|
+
export function strict() {
|
|
29
|
+
return {
|
|
30
|
+
default_deny: true,
|
|
31
|
+
caps: { sideEffectingMaxSpendCents: 1000, budgetMaxSpendUsd: 10 },
|
|
32
|
+
requireEvidence: true,
|
|
33
|
+
};
|
|
34
|
+
}
|
|
35
|
+
/** Governance hook: validate evidence presets at compose time (no extra fields). */
|
|
36
|
+
export function requireEvidence() {
|
|
37
|
+
return { requireEvidence: true };
|
|
38
|
+
}
|
|
39
|
+
/** Governance hook reserved for audit-only execution modes (no-op layer today). */
|
|
40
|
+
export function auditOnly() {
|
|
41
|
+
return {};
|
|
42
|
+
}
|
|
43
|
+
/** Governance hook reserved for dry-run modes (no-op layer today). */
|
|
44
|
+
export function allowDryRun() {
|
|
45
|
+
return {};
|
|
46
|
+
}
|
|
47
|
+
/** Convert a bundled guardrails YAML object into a compose layer. */
|
|
48
|
+
export function guardrailLayerFromDocument(document) {
|
|
49
|
+
const layer = {};
|
|
50
|
+
if (document.default_deny === true) {
|
|
51
|
+
layer.default_deny = true;
|
|
52
|
+
}
|
|
53
|
+
if (document.tools && typeof document.tools === "object" && !Array.isArray(document.tools)) {
|
|
54
|
+
layer.tools = document.tools;
|
|
55
|
+
}
|
|
56
|
+
if (document.intent && typeof document.intent === "object" && !Array.isArray(document.intent)) {
|
|
57
|
+
layer.intent = document.intent;
|
|
58
|
+
}
|
|
59
|
+
return layer;
|
|
60
|
+
}
|
|
61
|
+
export const guardrails = {
|
|
62
|
+
defaultDeny,
|
|
63
|
+
maxSpend,
|
|
64
|
+
maxSpendUsd,
|
|
65
|
+
readOnly,
|
|
66
|
+
readOnlySearch,
|
|
67
|
+
strict,
|
|
68
|
+
requireEvidence,
|
|
69
|
+
auditOnly,
|
|
70
|
+
allowDryRun,
|
|
71
|
+
fromDocument: guardrailLayerFromDocument,
|
|
72
|
+
};
|
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
export { canonicalPolicyDocumentDigest, policyDocumentToDict, policyVersionLabel, } from "./digest.js";
|
|
2
|
+
export { PaybondPolicy, type PaybondPolicyLoadSource, type PaybondPolicyLoadEffectiveResult } from "./load.js";
|
|
3
|
+
export { isKnownPolicyPresetId, isLayeredPolicyPresetId, listPolicyPresetIds, readPolicyPresetYaml, resolveComposedPresetDocument, resolvePolicyPresetPath, type LayeredPolicyPresetId, type PolicyPresetId, } from "./presets.js";
|
|
4
|
+
export { assertLayeredPresetMatchesFlat, bundledDefaultGuardrails, composeBundledPresetDefault, composeLayeredPolicyPresetDocument, composePolicyLayers, composePolicyPresetLayers, isLayeredPolicyPreset, LAYERED_POLICY_PRESET_IDS, } from "./compose.js";
|
|
5
|
+
export { domain } from "./domain.js";
|
|
6
|
+
export { auditOnly, allowDryRun, defaultDeny, guardrailLayerFromDocument, guardrails, maxSpend, maxSpendUsd, readOnly, readOnlySearch, requireEvidence, strict, type PolicyGuardrailLayer, } from "./guardrails.js";
|
|
7
|
+
export { paybondPolicyPresets, type PaybondPolicyPresets, type VerticalPolicyOptions } from "./policy-api.js";
|
|
8
|
+
export { createPolicySnapshot, createPolicySnapshotFromEffective, type CreatePolicySnapshotInput, type PaybondPolicySnapshot, type PaybondPolicySnapshotSource, } from "./snapshot.js";
|
|
9
|
+
export { parsePolicyExtendsRef, renderOrgBasePolicyYaml, renderPaybondPolicyYaml, renderTenantOverlayPolicyYaml, scaffoldOrgBasePolicy, scaffoldPaybondPolicy, scaffoldPolicyFromPreset, scaffoldTenantOverlayPolicy, type ScaffoldOrgBasePolicyOptions, type ScaffoldPaybondPolicyOptions, type ScaffoldPolicyFromPresetOptions, type ScaffoldTenantOverlayPolicyOptions, } from "./init.js";
|
|
10
|
+
export { PaybondPolicyIntentSpecError, policyToIntentCreateInput, type PaybondPolicyIntentCreateInput, type PaybondPolicyIntentCreateOverrides, } from "./intent-spec.js";
|
|
11
|
+
export { PaybondPolicySandboxBootstrapError, policySandboxBootstrap, type PaybondPolicySandboxBootstrapOptions, } from "./sandbox-bootstrap.js";
|
|
12
|
+
export { resolveJsonPath, resolveSpendCentsFromJsonPath } from "./json-path.js";
|
|
13
|
+
export { parsePolicyDocumentText } from "./parse-text.js";
|
|
14
|
+
export { policyDocumentToToolRegistryConfig, policyToToolRegistry, } from "./registry.js";
|
|
15
|
+
export { mergePaybondPolicies, toEffectivePolicyDocument, type PolicyMergeDeniedWidening, type PolicyMergeOptions, type PolicyMergeReport, type PolicyMergeResult, } from "./merge.js";
|
|
16
|
+
export { PAYBOND_POLICY_SCHEMA_VERSION, PAYBOND_POLICY_SCHEMA_VERSION_V2, PaybondPolicyValidationError, isPaybondPolicyDocumentV1, isPaybondPolicyDocumentV2, isPaybondPolicyOverlay, parsePaybondPolicyDocument, parsePaybondPolicyDocumentV1, parsePaybondPolicyDocumentV2, paybondPolicyDocumentV1Schema, paybondPolicyDocumentV2Schema, type PaybondPolicyBinding, type PaybondPolicyBindingOverride, type PaybondPolicyBudget, type PaybondPolicyDocument, type PaybondPolicyDocumentV1, type PaybondPolicyDocumentV2, type PaybondPolicyExtends, type PaybondPolicyIntentOverrideSection, type PaybondPolicyIntentSection, type PaybondPolicyOverrides, type PaybondPolicyToolEntry, type PaybondPolicyToolOverrideEntry, type PaybondPolicyValidationIssue, } from "./schema.js";
|
|
17
|
+
export { PolicyValidator, type PolicyGatewayTemplateLookup, type PolicyValidatorError, type PolicyValidatorOptions, type PolicyValidatorResult, type PolicyValidatorToolCounts, } from "./validate.js";
|
|
18
|
+
export { parsePolicyRemoteValidateResponse, policyRemoteValidateResultToDict, policyValidateQueryString, validatePolicyPayloadRemote, validatePolicyRemote, type PolicyRemoteValidateCheck, type PolicyRemoteValidateClient, type PolicyRemoteValidateIssue, type PolicyRemoteValidateOptions, type PolicyRemoteValidateResult, } from "./validate-remote.js";
|
|
19
|
+
export { parseMergeReport, parsePolicyEffectiveResolveResponse, resolvePolicyEffectiveRemote, type PolicyEffectiveResolveClient, type PolicyEffectiveResolveResult, } from "./load-effective.js";
|
|
20
|
+
export { PaybondPolicyReloadController, type PaybondPolicyReloadControllerState, type PolicyReloadRunner, } from "./watcher.js";
|
|
21
|
+
export { PaybondPolicyReloadError, PaybondPolicyReloadUnchangedError, applyPolicySnapshotToRun, detectPolicyLoosening, loadPolicySnapshotFromEffectivePoll, loadPolicySnapshotFromFile, reloadPolicyOnHandle, reloadPolicyOnRun, requiresIntentRebind, type PaybondPolicyReloadBindConfig, type PaybondPolicyReloadFailedEvent, type PaybondPolicyReloadOptions, type PaybondPolicyReloadResult, type PaybondPolicyReloadedEvent, type PolicyReloadHandle, } from "./reload.js";
|
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
export { canonicalPolicyDocumentDigest, policyDocumentToDict, policyVersionLabel, } from "./digest.js";
|
|
2
|
+
export { PaybondPolicy } from "./load.js";
|
|
3
|
+
export { isKnownPolicyPresetId, isLayeredPolicyPresetId, listPolicyPresetIds, readPolicyPresetYaml, resolveComposedPresetDocument, resolvePolicyPresetPath, } from "./presets.js";
|
|
4
|
+
export { assertLayeredPresetMatchesFlat, bundledDefaultGuardrails, composeBundledPresetDefault, composeLayeredPolicyPresetDocument, composePolicyLayers, composePolicyPresetLayers, isLayeredPolicyPreset, LAYERED_POLICY_PRESET_IDS, } from "./compose.js";
|
|
5
|
+
export { domain } from "./domain.js";
|
|
6
|
+
export { auditOnly, allowDryRun, defaultDeny, guardrailLayerFromDocument, guardrails, maxSpend, maxSpendUsd, readOnly, readOnlySearch, requireEvidence, strict, } from "./guardrails.js";
|
|
7
|
+
export { paybondPolicyPresets } from "./policy-api.js";
|
|
8
|
+
export { createPolicySnapshot, createPolicySnapshotFromEffective, } from "./snapshot.js";
|
|
9
|
+
export { parsePolicyExtendsRef, renderOrgBasePolicyYaml, renderPaybondPolicyYaml, renderTenantOverlayPolicyYaml, scaffoldOrgBasePolicy, scaffoldPaybondPolicy, scaffoldPolicyFromPreset, scaffoldTenantOverlayPolicy, } from "./init.js";
|
|
10
|
+
export { PaybondPolicyIntentSpecError, policyToIntentCreateInput, } from "./intent-spec.js";
|
|
11
|
+
export { PaybondPolicySandboxBootstrapError, policySandboxBootstrap, } from "./sandbox-bootstrap.js";
|
|
12
|
+
export { resolveJsonPath, resolveSpendCentsFromJsonPath } from "./json-path.js";
|
|
13
|
+
export { parsePolicyDocumentText } from "./parse-text.js";
|
|
14
|
+
export { policyDocumentToToolRegistryConfig, policyToToolRegistry, } from "./registry.js";
|
|
15
|
+
export { mergePaybondPolicies, toEffectivePolicyDocument, } from "./merge.js";
|
|
16
|
+
export { PAYBOND_POLICY_SCHEMA_VERSION, PAYBOND_POLICY_SCHEMA_VERSION_V2, PaybondPolicyValidationError, isPaybondPolicyDocumentV1, isPaybondPolicyDocumentV2, isPaybondPolicyOverlay, parsePaybondPolicyDocument, parsePaybondPolicyDocumentV1, parsePaybondPolicyDocumentV2, paybondPolicyDocumentV1Schema, paybondPolicyDocumentV2Schema, } from "./schema.js";
|
|
17
|
+
export { PolicyValidator, } from "./validate.js";
|
|
18
|
+
export { parsePolicyRemoteValidateResponse, policyRemoteValidateResultToDict, policyValidateQueryString, validatePolicyPayloadRemote, validatePolicyRemote, } from "./validate-remote.js";
|
|
19
|
+
export { parseMergeReport, parsePolicyEffectiveResolveResponse, resolvePolicyEffectiveRemote, } from "./load-effective.js";
|
|
20
|
+
export { PaybondPolicyReloadController, } from "./watcher.js";
|
|
21
|
+
export { PaybondPolicyReloadError, PaybondPolicyReloadUnchangedError, applyPolicySnapshotToRun, detectPolicyLoosening, loadPolicySnapshotFromEffectivePoll, loadPolicySnapshotFromFile, reloadPolicyOnHandle, reloadPolicyOnRun, requiresIntentRebind, } from "./reload.js";
|
|
@@ -0,0 +1,102 @@
|
|
|
1
|
+
import { type LayeredPolicyPresetId } from "./compose.js";
|
|
2
|
+
import { type PolicyPresetId } from "./presets.js";
|
|
3
|
+
export type ScaffoldPaybondPolicyOptions = {
|
|
4
|
+
out: string;
|
|
5
|
+
operation: string;
|
|
6
|
+
evidencePreset: string;
|
|
7
|
+
force?: boolean;
|
|
8
|
+
};
|
|
9
|
+
export type ScaffoldPolicyFromPresetOptions = {
|
|
10
|
+
out: string;
|
|
11
|
+
presetId: PolicyPresetId;
|
|
12
|
+
/** Intent budget and side-effecting tool cap override in USD. */
|
|
13
|
+
maxSpendUsd?: number;
|
|
14
|
+
force?: boolean;
|
|
15
|
+
};
|
|
16
|
+
export type ScaffoldComposedPolicyOptions = {
|
|
17
|
+
out: string;
|
|
18
|
+
domainId: LayeredPolicyPresetId;
|
|
19
|
+
guardrails: string;
|
|
20
|
+
force?: boolean;
|
|
21
|
+
};
|
|
22
|
+
export type ScaffoldOrgBasePolicyOptions = {
|
|
23
|
+
out: string;
|
|
24
|
+
policyId: string;
|
|
25
|
+
operation: string;
|
|
26
|
+
evidencePreset: string;
|
|
27
|
+
maxSpendCents?: number;
|
|
28
|
+
force?: boolean;
|
|
29
|
+
};
|
|
30
|
+
export type ScaffoldTenantOverlayPolicyOptions = {
|
|
31
|
+
out: string;
|
|
32
|
+
extendsRef: string;
|
|
33
|
+
name?: string;
|
|
34
|
+
operation?: string;
|
|
35
|
+
evidencePreset?: string;
|
|
36
|
+
basePolicy?: string;
|
|
37
|
+
force?: boolean;
|
|
38
|
+
};
|
|
39
|
+
/** Parse `org_id/org_policy_id` extends reference used by CLI and docs. */
|
|
40
|
+
export declare function parsePolicyExtendsRef(ref: string): {
|
|
41
|
+
orgId: string;
|
|
42
|
+
orgPolicyId: string;
|
|
43
|
+
};
|
|
44
|
+
/** Render a starter paybond.policy.yaml document. */
|
|
45
|
+
export declare function renderPaybondPolicyYaml(options: ScaffoldPaybondPolicyOptions): string;
|
|
46
|
+
/** Render a v2 org base policy document (no extends). */
|
|
47
|
+
export declare function renderOrgBasePolicyYaml(options: ScaffoldOrgBasePolicyOptions): string;
|
|
48
|
+
/** Write a v2 org base policy file for platform operators. */
|
|
49
|
+
export declare function scaffoldOrgBasePolicy(options: ScaffoldOrgBasePolicyOptions): Promise<{
|
|
50
|
+
out: string;
|
|
51
|
+
policy_id: string;
|
|
52
|
+
operation: string;
|
|
53
|
+
evidence_preset: string;
|
|
54
|
+
bytes_written: number;
|
|
55
|
+
}>;
|
|
56
|
+
/** Render a v2 tenant overlay policy that extends an org base. */
|
|
57
|
+
export declare function renderTenantOverlayPolicyYaml(options: ScaffoldTenantOverlayPolicyOptions): string;
|
|
58
|
+
/** Write a v2 tenant overlay policy file extending an org base. */
|
|
59
|
+
export declare function scaffoldTenantOverlayPolicy(options: ScaffoldTenantOverlayPolicyOptions): Promise<{
|
|
60
|
+
out: string;
|
|
61
|
+
name: string;
|
|
62
|
+
org_id: string;
|
|
63
|
+
org_policy_id: string;
|
|
64
|
+
operation?: string;
|
|
65
|
+
evidence_preset?: string;
|
|
66
|
+
bytes_written: number;
|
|
67
|
+
}>;
|
|
68
|
+
/** Render a bundled preset as editable local YAML with a scaffold header comment. */
|
|
69
|
+
export declare function renderPolicyPresetScaffoldYaml(presetId: PolicyPresetId, options?: {
|
|
70
|
+
maxSpendUsd?: number;
|
|
71
|
+
}): string;
|
|
72
|
+
/** Render a composed domain + guardrails policy as editable local YAML. */
|
|
73
|
+
export declare function renderComposedPolicyScaffoldYaml(options: ScaffoldComposedPolicyOptions): string;
|
|
74
|
+
/** Preview composed domain + guardrails YAML for `paybond policy presets show`. */
|
|
75
|
+
export declare function renderComposedPolicyPreviewYaml(options: Pick<ScaffoldComposedPolicyOptions, "domainId" | "guardrails">): string;
|
|
76
|
+
/** Preview composed policy YAML for `paybond policy presets show`. */
|
|
77
|
+
export declare function renderPolicyPresetPreviewYaml(presetId: PolicyPresetId, options?: {
|
|
78
|
+
maxSpendUsd?: number;
|
|
79
|
+
}): string;
|
|
80
|
+
/** Write a bundled vertical preset to an owned local policy file. */
|
|
81
|
+
export declare function scaffoldPolicyFromPreset(options: ScaffoldPolicyFromPresetOptions): Promise<{
|
|
82
|
+
out: string;
|
|
83
|
+
preset: string;
|
|
84
|
+
name: string;
|
|
85
|
+
bytes_written: number;
|
|
86
|
+
}>;
|
|
87
|
+
/** Write a composed domain + guardrails policy file. */
|
|
88
|
+
export declare function scaffoldComposedPolicy(options: ScaffoldComposedPolicyOptions): Promise<{
|
|
89
|
+
out: string;
|
|
90
|
+
domain: string;
|
|
91
|
+
guardrails: string;
|
|
92
|
+
name: string;
|
|
93
|
+
bytes_written: number;
|
|
94
|
+
}>;
|
|
95
|
+
/** Write a starter paybond.policy.yaml file. */
|
|
96
|
+
export declare function scaffoldPaybondPolicy(options: ScaffoldPaybondPolicyOptions): Promise<{
|
|
97
|
+
out: string;
|
|
98
|
+
name: string;
|
|
99
|
+
operation: string;
|
|
100
|
+
evidence_preset: string;
|
|
101
|
+
bytes_written: number;
|
|
102
|
+
}>;
|