@paybond/kit 0.10.0 → 0.11.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +59 -15
- package/completion-presets/catalog.json +1187 -0
- package/completion-presets/catalog.sha256 +1 -0
- package/dev/trace-ui/dashboard.html +617 -0
- package/dist/agent/adapter.d.ts +51 -0
- package/dist/agent/adapter.js +66 -0
- package/dist/agent/attach-bundle.d.ts +37 -0
- package/dist/agent/attach-bundle.js +118 -0
- package/dist/agent/authorization-cache.d.ts +22 -0
- package/dist/agent/authorization-cache.js +36 -0
- package/dist/agent/deferred-tools.d.ts +11 -0
- package/dist/agent/deferred-tools.js +62 -0
- package/dist/agent/discover.d.ts +41 -0
- package/dist/agent/discover.js +147 -0
- package/dist/agent/evidence.d.ts +9 -0
- package/dist/agent/evidence.js +28 -0
- package/dist/agent/facade.d.ts +48 -0
- package/dist/agent/facade.js +112 -0
- package/dist/agent/gateway-trace-reporter.d.ts +28 -0
- package/dist/agent/gateway-trace-reporter.js +49 -0
- package/dist/agent/generic-runner.d.ts +14 -0
- package/dist/agent/generic-runner.js +49 -0
- package/dist/agent/generic-sandbox-demo.d.ts +36 -0
- package/dist/agent/generic-sandbox-demo.js +82 -0
- package/dist/agent/guarded-agent.d.ts +49 -0
- package/dist/agent/guarded-agent.js +100 -0
- package/dist/agent/index.d.ts +13 -0
- package/dist/agent/index.js +13 -0
- package/dist/agent/instrument.d.ts +156 -0
- package/dist/agent/instrument.js +442 -0
- package/dist/agent/interceptor.d.ts +24 -0
- package/dist/agent/interceptor.js +440 -0
- package/dist/agent/lazy-context-tools.d.ts +15 -0
- package/dist/agent/lazy-context-tools.js +81 -0
- package/dist/agent/registry-file.d.ts +39 -0
- package/dist/agent/registry-file.js +219 -0
- package/dist/agent/registry.d.ts +37 -0
- package/dist/agent/registry.js +128 -0
- package/dist/agent/run.d.ts +124 -0
- package/dist/agent/run.js +301 -0
- package/dist/agent/types.d.ts +318 -0
- package/dist/agent/types.js +42 -0
- package/dist/agent-recognition.d.ts +72 -0
- package/dist/agent-recognition.js +165 -0
- package/dist/bincode-wire.d.ts +18 -0
- package/dist/bincode-wire.js +93 -0
- package/dist/claude-agents/config.d.ts +21 -0
- package/dist/claude-agents/config.js +145 -0
- package/dist/claude-agents/index.d.ts +2 -0
- package/dist/claude-agents/index.js +2 -0
- package/dist/claude-agents/sandbox-demo.d.ts +30 -0
- package/dist/claude-agents/sandbox-demo.js +91 -0
- package/dist/cli/agent/demo-loaders.d.ts +4 -0
- package/dist/cli/agent/demo-loaders.js +66 -0
- package/dist/cli/agent/env-quote.d.ts +1 -0
- package/dist/cli/agent/env-quote.js +6 -0
- package/dist/cli/agent/env-write.d.ts +8 -0
- package/dist/cli/agent/env-write.js +47 -0
- package/dist/cli/agent/paybond.d.ts +16 -0
- package/dist/cli/agent/paybond.js +55 -0
- package/dist/cli/agent/policy-file.d.ts +29 -0
- package/dist/cli/agent/policy-file.js +61 -0
- package/dist/cli/agent/production-evidence.d.ts +24 -0
- package/dist/cli/agent/production-evidence.js +98 -0
- package/dist/cli/agent/run-store.d.ts +30 -0
- package/dist/cli/agent/run-store.js +42 -0
- package/dist/cli/agent/run-trace-store.d.ts +39 -0
- package/dist/cli/agent/run-trace-store.js +143 -0
- package/dist/cli/agent-run-trace-table.d.ts +9 -0
- package/dist/cli/agent-run-trace-table.js +24 -0
- package/dist/cli/agent-sandbox-smoke-checklist.d.ts +9 -0
- package/dist/cli/agent-sandbox-smoke-checklist.js +50 -0
- package/dist/cli/command-spec.d.ts +1 -0
- package/dist/cli/command-spec.js +286 -5
- package/dist/cli/commands/agent.d.ts +16 -0
- package/dist/cli/commands/agent.js +1136 -0
- package/dist/cli/commands/dev.d.ts +7 -0
- package/dist/cli/commands/dev.js +348 -0
- package/dist/cli/commands/discovery.js +3 -3
- package/dist/cli/commands/policy.d.ts +13 -0
- package/dist/cli/commands/policy.js +769 -0
- package/dist/cli/commands/setup.d.ts +3 -0
- package/dist/cli/commands/setup.js +124 -8
- package/dist/cli/commands/workflows.js +9 -4
- package/dist/cli/config.d.ts +2 -0
- package/dist/cli/config.js +4 -2
- package/dist/cli/context.js +2 -1
- package/dist/cli/credentials.js +2 -2
- package/dist/cli/doctor-agent-middleware.d.ts +5 -0
- package/dist/cli/doctor-agent-middleware.js +49 -0
- package/dist/cli/globals.d.ts +1 -0
- package/dist/cli/globals.js +11 -1
- package/dist/cli/help.d.ts +1 -1
- package/dist/cli/help.js +35 -3
- package/dist/cli/mcp-install.js +2 -2
- package/dist/cli/mcp-policy.d.ts +3 -0
- package/dist/cli/mcp-policy.js +19 -13
- package/dist/cli/mcp-verify-config.js +9 -11
- package/dist/cli/redact.js +29 -8
- package/dist/cli/router.js +105 -2
- package/dist/cli/smoke-deep-links.d.ts +15 -0
- package/dist/cli/smoke-deep-links.js +63 -0
- package/dist/cli/telemetry.d.ts +17 -0
- package/dist/cli/telemetry.js +94 -0
- package/dist/completion-catalog-digest.d.ts +2 -0
- package/dist/completion-catalog-digest.js +2 -0
- package/dist/completion-catalog-integrity.d.ts +2 -0
- package/dist/completion-catalog-integrity.js +17 -0
- package/dist/completion-catalog.d.ts +49 -0
- package/dist/completion-catalog.js +62 -0
- package/dist/completion-contract-digest.d.ts +37 -0
- package/dist/completion-contract-digest.js +73 -0
- package/dist/completion-forbidden-fields.d.ts +5 -0
- package/dist/completion-forbidden-fields.js +26 -0
- package/dist/completion-init.d.ts +8 -0
- package/dist/completion-init.js +334 -0
- package/dist/completion-resolve.d.ts +21 -0
- package/dist/completion-resolve.js +86 -0
- package/dist/completion-validate-evidence.d.ts +24 -0
- package/dist/completion-validate-evidence.js +145 -0
- package/dist/dev/offline-gateway.d.ts +24 -0
- package/dist/dev/offline-gateway.js +102 -0
- package/dist/dev/trace-buffer.d.ts +61 -0
- package/dist/dev/trace-buffer.js +330 -0
- package/dist/dev/trace-security-headers.d.ts +11 -0
- package/dist/dev/trace-security-headers.js +16 -0
- package/dist/dev/trace-server.d.ts +8 -0
- package/dist/dev/trace-server.js +38 -0
- package/dist/dev/trace-ui.d.ts +4 -0
- package/dist/dev/trace-ui.js +25 -0
- package/dist/dev/wiremock-up.d.ts +15 -0
- package/dist/dev/wiremock-up.js +118 -0
- package/dist/doctor-completion.d.ts +17 -0
- package/dist/doctor-completion.js +428 -0
- package/dist/gateway-url.d.ts +7 -0
- package/dist/gateway-url.js +69 -0
- package/dist/index.d.ts +119 -2
- package/dist/index.js +267 -6
- package/dist/init.js +374 -57
- package/dist/langgraph/awrap-tool-call.d.ts +25 -0
- package/dist/langgraph/awrap-tool-call.js +81 -0
- package/dist/langgraph/config.d.ts +13 -0
- package/dist/langgraph/config.js +11 -0
- package/dist/langgraph/index.d.ts +4 -0
- package/dist/langgraph/index.js +4 -0
- package/dist/langgraph/sandbox-demo.d.ts +40 -0
- package/dist/langgraph/sandbox-demo.js +96 -0
- package/dist/langgraph/tool-node.d.ts +10 -0
- package/dist/langgraph/tool-node.js +38 -0
- package/dist/login.js +7 -0
- package/dist/mcp/index.d.ts +1 -0
- package/dist/mcp/index.js +1 -0
- package/dist/mcp/tool-surface.d.ts +25 -0
- package/dist/mcp/tool-surface.js +17 -0
- package/dist/mcp-capability-token-cache.d.ts +24 -0
- package/dist/mcp-capability-token-cache.js +101 -0
- package/dist/mcp-evidence-policy.d.ts +48 -0
- package/dist/mcp-evidence-policy.js +117 -0
- package/dist/mcp-policy-reload.d.ts +79 -0
- package/dist/mcp-policy-reload.js +200 -0
- package/dist/mcp-sep2828-evidence.d.ts +36 -0
- package/dist/mcp-sep2828-evidence.js +65 -0
- package/dist/mcp-server.d.ts +6 -0
- package/dist/mcp-server.js +224 -44
- package/dist/openai-agents/index.d.ts +40 -0
- package/dist/openai-agents/index.js +151 -0
- package/dist/openai-agents/sandbox-demo.d.ts +34 -0
- package/dist/openai-agents/sandbox-demo.js +118 -0
- package/dist/payee-evidence.js +2 -29
- package/dist/policy/catalog.d.ts +31 -0
- package/dist/policy/catalog.js +48 -0
- package/dist/policy/compose-utils.d.ts +3 -0
- package/dist/policy/compose-utils.js +4 -0
- package/dist/policy/compose.d.ts +20 -0
- package/dist/policy/compose.js +240 -0
- package/dist/policy/digest.d.ts +7 -0
- package/dist/policy/digest.js +75 -0
- package/dist/policy/domain.d.ts +15 -0
- package/dist/policy/domain.js +28 -0
- package/dist/policy/guardrail-spec.d.ts +17 -0
- package/dist/policy/guardrail-spec.js +140 -0
- package/dist/policy/guardrails.d.ts +48 -0
- package/dist/policy/guardrails.js +72 -0
- package/dist/policy/index.d.ts +21 -0
- package/dist/policy/index.js +21 -0
- package/dist/policy/init.d.ts +102 -0
- package/dist/policy/init.js +351 -0
- package/dist/policy/intent-spec.d.ts +52 -0
- package/dist/policy/intent-spec.js +176 -0
- package/dist/policy/json-path.d.ts +4 -0
- package/dist/policy/json-path.js +23 -0
- package/dist/policy/layers-io.d.ts +7 -0
- package/dist/policy/layers-io.js +28 -0
- package/dist/policy/load-effective.d.ts +22 -0
- package/dist/policy/load-effective.js +77 -0
- package/dist/policy/load.d.ts +85 -0
- package/dist/policy/load.js +164 -0
- package/dist/policy/merge.d.ts +29 -0
- package/dist/policy/merge.js +297 -0
- package/dist/policy/parse-text.d.ts +2 -0
- package/dist/policy/parse-text.js +126 -0
- package/dist/policy/policy-api.d.ts +45 -0
- package/dist/policy/policy-api.js +61 -0
- package/dist/policy/presets.d.ts +19 -0
- package/dist/policy/presets.js +66 -0
- package/dist/policy/registry.d.ts +7 -0
- package/dist/policy/registry.js +33 -0
- package/dist/policy/reload.d.ts +86 -0
- package/dist/policy/reload.js +233 -0
- package/dist/policy/render-yaml.d.ts +3 -0
- package/dist/policy/render-yaml.js +69 -0
- package/dist/policy/sandbox-bootstrap.d.ts +19 -0
- package/dist/policy/sandbox-bootstrap.js +66 -0
- package/dist/policy/schema.d.ts +204 -0
- package/dist/policy/schema.js +255 -0
- package/dist/policy/snapshot.d.ts +33 -0
- package/dist/policy/snapshot.js +23 -0
- package/dist/policy/validate-remote.d.ts +43 -0
- package/dist/policy/validate-remote.js +104 -0
- package/dist/policy/validate.d.ts +36 -0
- package/dist/policy/validate.js +150 -0
- package/dist/policy/watcher.d.ts +29 -0
- package/dist/policy/watcher.js +112 -0
- package/dist/principal-intent.d.ts +52 -0
- package/dist/principal-intent.js +193 -37
- package/dist/project-init.d.ts +34 -0
- package/dist/project-init.js +898 -0
- package/dist/sep2828-signature.d.ts +10 -0
- package/dist/sep2828-signature.js +134 -0
- package/dist/solutions/api.d.ts +22 -0
- package/dist/solutions/api.js +40 -0
- package/dist/solutions/catalog.d.ts +34 -0
- package/dist/solutions/catalog.js +129 -0
- package/dist/solutions/index.d.ts +2 -0
- package/dist/solutions/index.js +2 -0
- package/dist/template-init.d.ts +54 -0
- package/dist/template-init.js +203 -0
- package/dist/vercel-ai/config.d.ts +15 -0
- package/dist/vercel-ai/config.js +13 -0
- package/dist/vercel-ai/index.d.ts +4 -0
- package/dist/vercel-ai/index.js +4 -0
- package/dist/vercel-ai/sandbox-demo.d.ts +44 -0
- package/dist/vercel-ai/sandbox-demo.js +153 -0
- package/dist/vercel-ai/tool-approval.d.ts +16 -0
- package/dist/vercel-ai/tool-approval.js +41 -0
- package/dist/vercel-ai/wrap-tools.d.ts +9 -0
- package/dist/vercel-ai/wrap-tools.js +40 -0
- package/dist/x402-receipt-evidence.d.ts +29 -0
- package/dist/x402-receipt-evidence.js +97 -0
- package/dist/x402-receipt-signature.d.ts +12 -0
- package/dist/x402-receipt-signature.js +211 -0
- package/package.json +75 -3
- package/solutions/aws.json +17 -0
- package/solutions/saas.json +17 -0
- package/solutions/shopping.json +17 -0
- package/solutions/travel.json +18 -0
- package/templates/manifest.json +169 -0
- package/templates/openai-shopping-agent/.env.example +3 -0
- package/templates/openai-shopping-agent/.github/workflows/smoke.yml +20 -0
- package/templates/openai-shopping-agent/LICENSE +201 -0
- package/templates/openai-shopping-agent/README.md +29 -0
- package/templates/openai-shopping-agent/package-lock.json +1525 -0
- package/templates/openai-shopping-agent/package.json +22 -0
- package/templates/openai-shopping-agent/paybond.policy.yaml +22 -0
- package/templates/openai-shopping-agent/src/index.ts +22 -0
- package/templates/openai-shopping-agent/src/paybond.config.ts +51 -0
- package/templates/openai-shopping-agent/tsconfig.json +13 -0
- package/templates/paybond-aws-operator/.env.example +3 -0
- package/templates/paybond-aws-operator/.github/workflows/smoke.yml +20 -0
- package/templates/paybond-aws-operator/LICENSE +201 -0
- package/templates/paybond-aws-operator/README.md +29 -0
- package/templates/paybond-aws-operator/package-lock.json +151 -0
- package/templates/paybond-aws-operator/package.json +20 -0
- package/templates/paybond-aws-operator/paybond.policy.yaml +22 -0
- package/templates/paybond-aws-operator/src/index.ts +54 -0
- package/templates/paybond-aws-operator/src/paybond.config.ts +51 -0
- package/templates/paybond-aws-operator/tsconfig.json +13 -0
- package/templates/paybond-claude-agents-demo/.env.example +3 -0
- package/templates/paybond-claude-agents-demo/.github/workflows/smoke.yml +20 -0
- package/templates/paybond-claude-agents-demo/LICENSE +201 -0
- package/templates/paybond-claude-agents-demo/README.md +29 -0
- package/templates/paybond-claude-agents-demo/package-lock.json +1489 -0
- package/templates/paybond-claude-agents-demo/package.json +22 -0
- package/templates/paybond-claude-agents-demo/paybond.policy.yaml +22 -0
- package/templates/paybond-claude-agents-demo/src/index.ts +22 -0
- package/templates/paybond-claude-agents-demo/src/paybond.config.ts +51 -0
- package/templates/paybond-claude-agents-demo/tsconfig.json +13 -0
- package/templates/paybond-invoice-agent/.env.example +3 -0
- package/templates/paybond-invoice-agent/.github/workflows/smoke.yml +19 -0
- package/templates/paybond-invoice-agent/LICENSE +201 -0
- package/templates/paybond-invoice-agent/README.md +29 -0
- package/templates/paybond-invoice-agent/app.py +27 -0
- package/templates/paybond-invoice-agent/package.json +6 -0
- package/templates/paybond-invoice-agent/paybond.policy.yaml +22 -0
- package/templates/paybond-invoice-agent/paybond_config.py +45 -0
- package/templates/paybond-invoice-agent/requirements.txt +2 -0
- package/templates/paybond-mcp-coding-agent/.env.example +3 -0
- package/templates/paybond-mcp-coding-agent/.github/workflows/smoke.yml +20 -0
- package/templates/paybond-mcp-coding-agent/LICENSE +201 -0
- package/templates/paybond-mcp-coding-agent/README.md +39 -0
- package/templates/paybond-mcp-coding-agent/package-lock.json +151 -0
- package/templates/paybond-mcp-coding-agent/package.json +20 -0
- package/templates/paybond-mcp-coding-agent/paybond.policy.yaml +25 -0
- package/templates/paybond-mcp-coding-agent/src/index.ts +40 -0
- package/templates/paybond-mcp-coding-agent/src/paybond.config.ts +51 -0
- package/templates/paybond-mcp-coding-agent/tsconfig.json +13 -0
- package/templates/paybond-openai-agents-demo/.env.example +3 -0
- package/templates/paybond-openai-agents-demo/.github/workflows/smoke.yml +20 -0
- package/templates/paybond-openai-agents-demo/LICENSE +201 -0
- package/templates/paybond-openai-agents-demo/README.md +29 -0
- package/templates/paybond-openai-agents-demo/package-lock.json +1525 -0
- package/templates/paybond-openai-agents-demo/package.json +22 -0
- package/templates/paybond-openai-agents-demo/paybond.policy.yaml +22 -0
- package/templates/paybond-openai-agents-demo/src/index.ts +22 -0
- package/templates/paybond-openai-agents-demo/src/paybond.config.ts +51 -0
- package/templates/paybond-openai-agents-demo/tsconfig.json +13 -0
- package/templates/paybond-procurement-agent/.env.example +3 -0
- package/templates/paybond-procurement-agent/.github/workflows/smoke.yml +20 -0
- package/templates/paybond-procurement-agent/LICENSE +201 -0
- package/templates/paybond-procurement-agent/README.md +29 -0
- package/templates/paybond-procurement-agent/package-lock.json +151 -0
- package/templates/paybond-procurement-agent/package.json +20 -0
- package/templates/paybond-procurement-agent/paybond.policy.yaml +25 -0
- package/templates/paybond-procurement-agent/src/index.ts +54 -0
- package/templates/paybond-procurement-agent/src/paybond.config.ts +51 -0
- package/templates/paybond-procurement-agent/tsconfig.json +13 -0
- package/templates/paybond-travel-agent/.env.example +3 -0
- package/templates/paybond-travel-agent/.github/workflows/smoke.yml +20 -0
- package/templates/paybond-travel-agent/LICENSE +201 -0
- package/templates/paybond-travel-agent/README.md +29 -0
- package/templates/paybond-travel-agent/package-lock.json +444 -0
- package/templates/paybond-travel-agent/package.json +23 -0
- package/templates/paybond-travel-agent/paybond.policy.yaml +22 -0
- package/templates/paybond-travel-agent/src/index.ts +22 -0
- package/templates/paybond-travel-agent/src/paybond.config.ts +51 -0
- package/templates/paybond-travel-agent/tsconfig.json +13 -0
- package/templates/paybond-vercel-shopping-agent/.env.example +3 -0
- package/templates/paybond-vercel-shopping-agent/.github/workflows/smoke.yml +20 -0
- package/templates/paybond-vercel-shopping-agent/LICENSE +201 -0
- package/templates/paybond-vercel-shopping-agent/README.md +29 -0
- package/templates/paybond-vercel-shopping-agent/package-lock.json +265 -0
- package/templates/paybond-vercel-shopping-agent/package.json +22 -0
- package/templates/paybond-vercel-shopping-agent/paybond.policy.yaml +22 -0
- package/templates/paybond-vercel-shopping-agent/src/index.ts +22 -0
- package/templates/paybond-vercel-shopping-agent/src/paybond.config.ts +51 -0
- package/templates/paybond-vercel-shopping-agent/tsconfig.json +13 -0
|
@@ -0,0 +1,7 @@
|
|
|
1
|
+
export declare const LOCAL_GATEWAY_HOSTS: Set<string>;
|
|
2
|
+
export declare class InsecureGatewayURLError extends Error {
|
|
3
|
+
constructor(message: string);
|
|
4
|
+
}
|
|
5
|
+
export declare function isLocalGatewayHost(hostname: string): boolean;
|
|
6
|
+
/** Return a normalized gateway base URL or throw when TLS requirements are not met. */
|
|
7
|
+
export declare function requireSecureGatewayUrl(url: string): string;
|
|
@@ -0,0 +1,69 @@
|
|
|
1
|
+
export const LOCAL_GATEWAY_HOSTS = new Set(["localhost", "127.0.0.1", "::1"]);
|
|
2
|
+
export class InsecureGatewayURLError extends Error {
|
|
3
|
+
constructor(message) {
|
|
4
|
+
super(message);
|
|
5
|
+
this.name = "InsecureGatewayURLError";
|
|
6
|
+
}
|
|
7
|
+
}
|
|
8
|
+
function parseIPv4Octets(ip) {
|
|
9
|
+
const parts = ip.trim().split(".");
|
|
10
|
+
if (parts.length !== 4) {
|
|
11
|
+
return null;
|
|
12
|
+
}
|
|
13
|
+
const octets = parts.map((part) => Number.parseInt(part, 10));
|
|
14
|
+
if (octets.some((octet) => !Number.isInteger(octet) || octet < 0 || octet > 255)) {
|
|
15
|
+
return null;
|
|
16
|
+
}
|
|
17
|
+
return octets;
|
|
18
|
+
}
|
|
19
|
+
/** True for loopback hostnames and RFC1918 private IPv4 addresses. */
|
|
20
|
+
function isRfc1918IPv4(hostname) {
|
|
21
|
+
const octets = parseIPv4Octets(hostname);
|
|
22
|
+
if (!octets) {
|
|
23
|
+
return false;
|
|
24
|
+
}
|
|
25
|
+
const [first, second] = octets;
|
|
26
|
+
if (first === 10) {
|
|
27
|
+
return true;
|
|
28
|
+
}
|
|
29
|
+
if (first === 192 && second === 168) {
|
|
30
|
+
return true;
|
|
31
|
+
}
|
|
32
|
+
return first === 172 && second >= 16 && second <= 31;
|
|
33
|
+
}
|
|
34
|
+
export function isLocalGatewayHost(hostname) {
|
|
35
|
+
const lowered = hostname.trim().toLowerCase();
|
|
36
|
+
if (LOCAL_GATEWAY_HOSTS.has(lowered)) {
|
|
37
|
+
return true;
|
|
38
|
+
}
|
|
39
|
+
if (isRfc1918IPv4(lowered)) {
|
|
40
|
+
return true;
|
|
41
|
+
}
|
|
42
|
+
if (lowered.startsWith("127.")) {
|
|
43
|
+
return true;
|
|
44
|
+
}
|
|
45
|
+
return false;
|
|
46
|
+
}
|
|
47
|
+
/** Return a normalized gateway base URL or throw when TLS requirements are not met. */
|
|
48
|
+
export function requireSecureGatewayUrl(url) {
|
|
49
|
+
const trimmed = url.trim();
|
|
50
|
+
if (!trimmed) {
|
|
51
|
+
throw new InsecureGatewayURLError("gateway URL is required");
|
|
52
|
+
}
|
|
53
|
+
let parsed;
|
|
54
|
+
try {
|
|
55
|
+
parsed = new URL(trimmed);
|
|
56
|
+
}
|
|
57
|
+
catch {
|
|
58
|
+
throw new InsecureGatewayURLError("gateway URL must be an absolute URL");
|
|
59
|
+
}
|
|
60
|
+
const scheme = parsed.protocol.replace(":", "").toLowerCase();
|
|
61
|
+
const hostname = parsed.hostname.toLowerCase();
|
|
62
|
+
if (scheme === "https") {
|
|
63
|
+
return trimmed.replace(/\/+$/, "");
|
|
64
|
+
}
|
|
65
|
+
if (scheme === "http" && isLocalGatewayHost(hostname)) {
|
|
66
|
+
return trimmed.replace(/\/+$/, "");
|
|
67
|
+
}
|
|
68
|
+
throw new InsecureGatewayURLError("gateway URL must use https:// (http:// is allowed only for loopback and private networks)");
|
|
69
|
+
}
|
package/dist/index.d.ts
CHANGED
|
@@ -2,8 +2,12 @@
|
|
|
2
2
|
* Paybond Kit — TypeScript Gateway client with tenant binding, retries, capability verification,
|
|
3
3
|
* and signed intent/evidence helpers.
|
|
4
4
|
*/
|
|
5
|
-
import { type BuildSignedCreateIntentParams, type SettlementRail } from "./principal-intent.js";
|
|
5
|
+
import { type BuildSignedCreateIntentParams, type BuildSignedCreateIntentWithPolicyBindingParams, type SettlementRail } from "./principal-intent.js";
|
|
6
6
|
import { type SignPayeeEvidenceParams } from "./payee-evidence.js";
|
|
7
|
+
import { PaybondAgentRunFacade, PaybondInstrumentBuilder, PaybondInstrumentRuntime, PaybondToolRegistry, type CreateGuardedAgentInput, type CreateGuardedAgentResult, type PaybondAgentInput, type PaybondAgentResult, type PaybondInlinePolicy, type PaybondInstrumentAgentOptions, type PaybondInstrumentInput, type PaybondInstrumented, type PaybondToolRegistryConfig, type PaybondWrapToolsOptions } from "./agent/index.js";
|
|
8
|
+
import { GatewayAgentRunTraceReporter } from "./agent/gateway-trace-reporter.js";
|
|
9
|
+
import { type PolicyRemoteValidateOptions, type PolicyRemoteValidateResult } from "./policy/validate-remote.js";
|
|
10
|
+
import { type PolicyEffectiveResolveResult } from "./policy/load-effective.js";
|
|
7
11
|
export type SpendScope = {
|
|
8
12
|
scope_type: string;
|
|
9
13
|
scope_key: string;
|
|
@@ -105,10 +109,15 @@ export type SandboxGuardrailBootstrapInput = {
|
|
|
105
109
|
evidenceSchema?: Record<string, unknown>;
|
|
106
110
|
metadata?: Record<string, unknown>;
|
|
107
111
|
idempotencyKey?: string;
|
|
112
|
+
completionPreset?: string;
|
|
113
|
+
templateId?: string;
|
|
114
|
+
parameters?: Record<string, unknown>;
|
|
108
115
|
};
|
|
109
116
|
export type SandboxGuardrailEvidenceInput = {
|
|
110
117
|
intentId: string;
|
|
111
118
|
payload?: Record<string, unknown>;
|
|
119
|
+
/** Raw vendor response for vendor_pack presets; forwarded to Harbor schema drift checks. */
|
|
120
|
+
vendorPayload?: Record<string, unknown>;
|
|
112
121
|
artifacts?: string[];
|
|
113
122
|
operation?: string;
|
|
114
123
|
requestedSpendCents?: number;
|
|
@@ -139,6 +148,13 @@ export type SandboxGuardrailEvidenceResult = {
|
|
|
139
148
|
predicate_passed?: boolean | null;
|
|
140
149
|
payload_digest?: string;
|
|
141
150
|
artifacts_digest?: string;
|
|
151
|
+
schema_validation?: {
|
|
152
|
+
vendor_schema_ok: boolean;
|
|
153
|
+
canonical_schema_ok: boolean;
|
|
154
|
+
quality_fields_missing: string[];
|
|
155
|
+
pack_stale: boolean;
|
|
156
|
+
drift_kinds: string[];
|
|
157
|
+
};
|
|
142
158
|
simulator_event?: unknown;
|
|
143
159
|
};
|
|
144
160
|
export declare const DEFAULT_PAYBOND_GATEWAY_BASE_URL = "https://api.paybond.ai";
|
|
@@ -770,9 +786,22 @@ export declare class PaybondSpendGuard {
|
|
|
770
786
|
assertSpendAuthorized(input: PaybondSpendAuthorizationInput): Promise<VerifyCapabilityResult>;
|
|
771
787
|
/** Finalizes scope reservations tied to an authorization decision after tool execution. */
|
|
772
788
|
completeSpendAuthorization(decisionId: string, outcome: "consumed" | "released"): Promise<void>;
|
|
789
|
+
/**
|
|
790
|
+
* Authorize spend for `input.operation`, then invoke `handler`.
|
|
791
|
+
*
|
|
792
|
+
* The `operation` label and `requestedSpendCents` are sent to Harbor for
|
|
793
|
+
* policy evaluation only. This wrapper does not inspect or constrain what
|
|
794
|
+
* `handler` actually does — callers must keep the authorization label,
|
|
795
|
+
* spend amount, and handler side effects aligned with the bound intent's
|
|
796
|
+
* `allowedTools` and policy predicates.
|
|
797
|
+
*
|
|
798
|
+
* For registry-backed operation-to-handler coupling, prefer
|
|
799
|
+
* `paybond.instrument()` or `wrapTools()` over per-tool `guardTool`.
|
|
800
|
+
*/
|
|
773
801
|
guardTool<TArgs extends unknown[], TResult>(input: PaybondSpendAuthorizationInput, handler: PaybondToolHandler<TArgs, TResult>): PaybondGuardedToolHandler<TArgs, TResult>;
|
|
774
802
|
}
|
|
775
803
|
export declare function authorizeSpend(source: PaybondSpendGuardInit | PaybondCapabilityBinding, input: PaybondSpendAuthorizationInput): Promise<VerifyCapabilityResult>;
|
|
804
|
+
/** Standalone alias for {@link PaybondSpendGuard.guardTool}. */
|
|
776
805
|
export declare function guardTool<TArgs extends unknown[], TResult>(source: PaybondSpendGuardInit | PaybondCapabilityBinding, input: PaybondSpendAuthorizationInput, handler: PaybondToolHandler<TArgs, TResult>): PaybondGuardedToolHandler<TArgs, TResult>;
|
|
777
806
|
export declare const paybondAgentToolSpendGuard: typeof guardTool;
|
|
778
807
|
export declare const paybondRuntimeNeutralToolSpendGuard: typeof guardTool;
|
|
@@ -927,6 +956,13 @@ export declare class GatewayHarborClient {
|
|
|
927
956
|
private headers;
|
|
928
957
|
private fetchWithRetries;
|
|
929
958
|
private postJSON;
|
|
959
|
+
private putJSON;
|
|
960
|
+
private requestJSON;
|
|
961
|
+
private getJSON;
|
|
962
|
+
/** Tenant-scoped Harbor operator intent detail (for attach run binding). */
|
|
963
|
+
getIntent(intentId: string): Promise<Record<string, unknown>>;
|
|
964
|
+
/** Gateway-backed middleware trace reporter for tenant console agent-runs view. */
|
|
965
|
+
createAgentRunTraceReporter(runId: string): GatewayAgentRunTraceReporter;
|
|
930
966
|
private mutationHeaders;
|
|
931
967
|
verifyCapability(input: PaybondSpendAuthorizationInput & {
|
|
932
968
|
intentId: string;
|
|
@@ -949,6 +985,18 @@ export declare class GatewayHarborClient {
|
|
|
949
985
|
decisionId: string;
|
|
950
986
|
outcome: "consumed" | "released";
|
|
951
987
|
}): Promise<void>;
|
|
988
|
+
/**
|
|
989
|
+
* Validate a paybond.policy.yaml document against the tenant Harbor registry
|
|
990
|
+
* (`POST /v1/policy/validate`).
|
|
991
|
+
*/
|
|
992
|
+
validatePolicy(document: Record<string, unknown>, options?: PolicyRemoteValidateOptions): Promise<PolicyRemoteValidateResult>;
|
|
993
|
+
/**
|
|
994
|
+
* Resolve merged effective policy for a tenant overlay via
|
|
995
|
+
* `POST /v1/org-policies/{policy_id}/effective`.
|
|
996
|
+
*/
|
|
997
|
+
resolvePolicyEffective(orgPolicyId: string, overlay: Record<string, unknown>, options?: {
|
|
998
|
+
currentDigest?: string;
|
|
999
|
+
}): Promise<PolicyEffectiveResolveResult>;
|
|
952
1000
|
createIntent(body: Record<string, unknown>, options: GatewayHarborMutationOptions): Promise<Record<string, unknown>>;
|
|
953
1001
|
fundIntent(intentId: string, options: GatewayHarborMutationOptions & {
|
|
954
1002
|
paymentSignature?: string;
|
|
@@ -1133,6 +1181,11 @@ export type PaybondSubmitEvidenceParams = Omit<SignPayeeEvidenceParams, "tenantI
|
|
|
1133
1181
|
submittedAtRfc3339?: string;
|
|
1134
1182
|
recognitionProof: AgentRecognitionProofV1 | Record<string, unknown>;
|
|
1135
1183
|
};
|
|
1184
|
+
/** Parameters for production intent create with a published managed-policy head (signing v5). */
|
|
1185
|
+
export type PaybondCreateIntentWithPolicyBindingParams = Omit<BuildSignedCreateIntentWithPolicyBindingParams, "tenantId" | "intentId"> & {
|
|
1186
|
+
intentId?: string;
|
|
1187
|
+
recognitionProof: AgentRecognitionProofV1 | Record<string, unknown>;
|
|
1188
|
+
};
|
|
1136
1189
|
/**
|
|
1137
1190
|
* Ergonomic intent helpers: principal-signed intent create, x402 funding, and payee-signed evidence.
|
|
1138
1191
|
*/
|
|
@@ -1143,6 +1196,12 @@ export declare class PaybondIntents {
|
|
|
1143
1196
|
* Build a principal-signed `POST /intents` body and submit it. `principalSigningSeed` must be
|
|
1144
1197
|
* 32 bytes. `settlementRail` is signed as the requested rail; destinations stay server-owned.
|
|
1145
1198
|
*/
|
|
1199
|
+
createWithPolicyBinding(params: PaybondCreateIntentWithPolicyBindingParams & {
|
|
1200
|
+
idempotencyKey?: string;
|
|
1201
|
+
}): Promise<Record<string, unknown>>;
|
|
1202
|
+
/**
|
|
1203
|
+
* Build a principal-signed `POST /intents` body and submit it (raw predicate_dsl, signing v6).
|
|
1204
|
+
*/
|
|
1146
1205
|
create(params: PaybondCreateIntentParams & {
|
|
1147
1206
|
idempotencyKey?: string;
|
|
1148
1207
|
}): Promise<Record<string, unknown>>;
|
|
@@ -1176,19 +1235,77 @@ export declare class Paybond {
|
|
|
1176
1235
|
readonly a2a: GatewayA2AClient;
|
|
1177
1236
|
readonly protocol: GatewayProtocolClient;
|
|
1178
1237
|
readonly intents: PaybondIntents;
|
|
1238
|
+
readonly agentRun: PaybondAgentRunFacade;
|
|
1179
1239
|
private constructor();
|
|
1180
1240
|
/** Open a tenant-bound hosted Paybond session from a service-account API key. */
|
|
1181
1241
|
static open(init: PaybondOpenOptions): Promise<Paybond>;
|
|
1182
1242
|
/** Reserved for future HTTP client cleanup; safe to call after work completes. */
|
|
1183
1243
|
aclose(): Promise<void>;
|
|
1184
1244
|
spendGuard(intentId: string, capabilityToken: string): PaybondSpendGuard;
|
|
1245
|
+
/** Build a validated side-effecting tool registry for agent middleware. */
|
|
1246
|
+
toolRegistry(config: PaybondToolRegistryConfig): PaybondToolRegistry;
|
|
1185
1247
|
authorizeSpend(input: {
|
|
1186
1248
|
intentId: string;
|
|
1187
1249
|
token: string;
|
|
1188
1250
|
operation: string;
|
|
1189
1251
|
requestedSpendCents?: number;
|
|
1190
1252
|
}): Promise<VerifyCapabilityResult>;
|
|
1253
|
+
/** Policy-driven agent factory: load policy, bind a run, and wire framework tools. */
|
|
1254
|
+
createGuardedAgent<TTools>(input: CreateGuardedAgentInput<TTools>): Promise<CreateGuardedAgentResult<TTools>>;
|
|
1255
|
+
/** Alias for {@link Paybond.createGuardedAgent} matching runner helper naming. */
|
|
1256
|
+
createGuardedAgentRunner<TTools>(input: CreateGuardedAgentInput<TTools>): Promise<CreateGuardedAgentResult<TTools>>;
|
|
1257
|
+
/**
|
|
1258
|
+
* One-liner instrumentation: load policy and return deferred tools or a bound runtime.
|
|
1259
|
+
* Await for tools, or read `.binding`, `.bind()`, and `.status` on the result.
|
|
1260
|
+
*/
|
|
1261
|
+
instrument<TTools>(input: PaybondInstrumentInput<TTools>, options?: PaybondWrapToolsOptions): Promise<PaybondInstrumented<TTools> | PaybondInstrumentRuntime<TTools>>;
|
|
1262
|
+
instrument<TAgent extends object>(agent: TAgent, options?: PaybondWrapToolsOptions & PaybondInstrumentAgentOptions): Promise<TAgent>;
|
|
1263
|
+
/** Fluent builder: `paybond.policy("./paybond.policy.yaml").instrument(tools)`. */
|
|
1264
|
+
policy(source: import("./policy/load.js").PaybondPolicyLoadSource | PaybondInlinePolicy): PaybondInstrumentBuilder;
|
|
1265
|
+
/** Fluent builder for bundled vertical presets (`travel`, `shopping`, `saas`, `aws`). */
|
|
1266
|
+
usePolicy(presetId: string): PaybondInstrumentBuilder;
|
|
1267
|
+
instrumentLangGraph<TTools>(input: Omit<PaybondInstrumentInput<TTools>, "framework"> & {
|
|
1268
|
+
tools: TTools;
|
|
1269
|
+
}): Promise<PaybondInstrumented<TTools> | PaybondInstrumentRuntime<TTools>>;
|
|
1270
|
+
instrumentOpenAI<TTools>(input: Omit<PaybondInstrumentInput<TTools>, "framework"> & {
|
|
1271
|
+
tools: TTools;
|
|
1272
|
+
}): Promise<PaybondInstrumented<TTools> | PaybondInstrumentRuntime<TTools>>;
|
|
1273
|
+
instrumentVercel<TTools>(input: Omit<PaybondInstrumentInput<TTools>, "framework"> & {
|
|
1274
|
+
tools: TTools;
|
|
1275
|
+
}): Promise<PaybondInstrumented<TTools> | PaybondInstrumentRuntime<TTools>>;
|
|
1276
|
+
instrumentClaudeAgents<TTools>(input: Omit<PaybondInstrumentInput<TTools>, "framework"> & {
|
|
1277
|
+
tools: TTools;
|
|
1278
|
+
}): Promise<PaybondInstrumented<TTools> | PaybondInstrumentRuntime<TTools>>;
|
|
1279
|
+
/** Agent-agnostic instrumentation for MCP-style `{ name, execute }` tool hosts. */
|
|
1280
|
+
instrumentMCP<TTools>(input: Omit<PaybondInstrumentInput<TTools>, "framework"> & {
|
|
1281
|
+
tools: TTools;
|
|
1282
|
+
}): Promise<PaybondInstrumented<TTools> | PaybondInstrumentRuntime<TTools>>;
|
|
1283
|
+
/**
|
|
1284
|
+
* Opinionated quickstart: resolve named policy presets (for example `travel`) or file paths,
|
|
1285
|
+
* then instrument tools for the selected framework.
|
|
1286
|
+
*/
|
|
1287
|
+
agent<TTools>(input: PaybondAgentInput<TTools>): Promise<PaybondAgentResult<TTools>>;
|
|
1288
|
+
/** Wrap tools for an existing bound run without reloading policy. */
|
|
1289
|
+
wrapTools(run: import("./agent/run.js").PaybondAgentRun, tools: unknown, options?: PaybondWrapToolsOptions): unknown;
|
|
1290
|
+
/**
|
|
1291
|
+
* Compose bundled policy presets (`travel`, `shopping`, …) and guardrail layers.
|
|
1292
|
+
* Example: `paybond.policyPresets.travel({ maxSpendUsd: 500 })`.
|
|
1293
|
+
*/
|
|
1294
|
+
get policyPresets(): import("./policy/policy-api.js").PaybondPolicyPresets;
|
|
1295
|
+
/**
|
|
1296
|
+
* Bundled solution references (`travel`, `shopping`, …) with policy, smoke defaults,
|
|
1297
|
+
* completion preset, and vendor pack metadata.
|
|
1298
|
+
* Example: `paybond.solution.travel()`.
|
|
1299
|
+
*/
|
|
1300
|
+
get solution(): import("./solutions/api.js").PaybondSolutionPresets;
|
|
1191
1301
|
}
|
|
1192
1302
|
export { normalizeJson, jsonValueDigest } from "./json-digest.js";
|
|
1193
|
-
export { buildSignedCreateIntentBody, intentCreationSignBytesRaw, type BuildSignedCreateIntentParams, type SettlementRail, } from "./principal-intent.js";
|
|
1303
|
+
export { buildSignedCreateIntentBody, buildSignedCreateIntentBodyWithPolicyBinding, intentCreationSignBytesRaw, intentCreationSignBytesWithPolicyBinding, type BuildSignedCreateIntentParams, type BuildSignedCreateIntentWithPolicyBindingParams, type PolicyBindingRef, type PublishedPolicyHead, type SettlementRail, } from "./principal-intent.js";
|
|
1194
1304
|
export { artifactsDigest, signPayeeEvidenceBinding, type SignPayeeEvidenceParams } from "./payee-evidence.js";
|
|
1305
|
+
export { AGENT_RECOGNITION_GATEWAY_VERIFIER_ID, AGENT_RECOGNITION_PROOF_KIND_V1, AGENT_RECOGNITION_PURPOSE_EVIDENCE_SUBMIT, newAgentRecognitionRequestEnvelope, signAgentRecognitionProofV1, signHarborEvidenceSubmitRecognitionProof, type SignAgentRecognitionProofV1Params, type SignedAgentRecognitionProofV1, } from "./agent-recognition.js";
|
|
1306
|
+
export { validateCompletionEvidence, type CompletionEvidenceValidationReport, } from "./completion-validate-evidence.js";
|
|
1307
|
+
export { completionSchemaDigestHex, computeVendorContractDigests, verifyVendorContract, verifyCatalogVendorContracts, type VendorContract, type VendorContractDigests, } from "./completion-contract-digest.js";
|
|
1308
|
+
export { contractSnapshotForPreset, mapVendorEvidenceToCanonical, resolveCompletionPreset, } from "./completion-resolve.js";
|
|
1309
|
+
export { PaybondAgentRun, PaybondAgentRunBindError, PaybondAgentRunFacade, PaybondEvidenceSubmitError, PaybondFrameworkAdapter, PaybondToolInterceptor, PaybondToolRegistry, PaybondToolRegistryValidationError, PaybondUnregisteredSideEffectingToolError, buildAutoEvidencePayload, createGenericToolExecutor, createGuardedAgent, createGuardedAgentRunner, createPaybondAgent, createPaybondGenericAgentConfig, createPaybondGenericInputGuard, createPaybondToolRegistry, createToolInputGuardAdapter, instrumentPaybondAgent, instrumentPaybondClaudeAgents, instrumentPaybondLangGraph, instrumentPaybondMCP, instrumentPaybondOpenAI, instrumentPaybondVercel, paybondGenericToolExecutorAdapter, paybondToolInputGuardAdapter, resolveAgentPolicySource, toPaybondAgentResult, wrapPaybondTools, PaybondInstrumentBuilder, PaybondInstrumented, PaybondInstrumentRuntime, PaybondLazyContextError, PaybondUnboundContextError, discoverPolicyFromAgent, discoverToolNames, discoverToolsFromAgent, inlinePolicyToDocument, isInlinePolicy, isInstrumentableAgentObject, readPaybondAgentInstrumentation, type CreateGuardedAgentInput, type CreateGuardedAgentResult, type GuardedAgentFramework, type PaybondAgentHooks, type PaybondAgentInput, type PaybondAgentResult, type PaybondAgentRunBindInput, type PaybondAuthorizeToolCallInput, type PaybondEvidenceMapper, type PaybondGenericAgentConfig, type PaybondGenericToolCall, type PaybondGenericToolDefinition, type PaybondGenericWrappedToolDefinition, type PaybondInlinePolicy, type PaybondAgentInstrumentation, type PaybondInstrumentAgentOptions, type PaybondInstrumentBinding, type PaybondInstrumentContext, type PaybondInstrumentContextInput, type PaybondInstrumentContextProvider, type PaybondInstrumentInput, type PaybondInterceptEvidenceResult, type PaybondInterceptWrapExecuteInput, type PaybondInterceptWrapExecuteResult, type PaybondRunBinding, type PaybondRunBindingAttachInput, type PaybondRunBindingSandboxBootstrapInput, type PaybondRunGuard, type PaybondSideEffectingToolEntry, type PaybondSideEffectingToolPolicy, type PaybondSpendResolver, type PaybondToolCallContext, type PaybondToolInputGuardAllowDecision, type PaybondToolInputGuardApprovalRequiredDecision, type PaybondToolInputGuardDecision, type PaybondToolInputGuardDenyDecision, type PaybondToolInputGuardAdapter, type PaybondToolRegistryConfig, type PaybondToolResolution, type PaybondWrapToolsOptions, } from "./agent/index.js";
|
|
1310
|
+
export { PaybondPolicy, composePolicyLayers, composeBundledPresetDefault, domain, guardrails, paybondPolicyPresets, resolveComposedPresetDocument, type LayeredPolicyPresetId, type PaybondPolicyPresets, type PolicyGuardrailLayer, type PolicyPresetId, type VerticalPolicyOptions, } from "./policy/index.js";
|
|
1311
|
+
export { getSolutionSmokeDefaults, isKnownSolutionId, listSolutionIds, loadSolutionManifest, paybondSolutionPresets, type PaybondSolutionBundle, type PaybondSolutionPresets, type SolutionId, type SolutionManifest, type SolutionSmokeDefaults, } from "./solutions/index.js";
|