@paybond/kit 0.10.0 → 0.11.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +59 -15
- package/completion-presets/catalog.json +1187 -0
- package/completion-presets/catalog.sha256 +1 -0
- package/dev/trace-ui/dashboard.html +617 -0
- package/dist/agent/adapter.d.ts +51 -0
- package/dist/agent/adapter.js +66 -0
- package/dist/agent/attach-bundle.d.ts +37 -0
- package/dist/agent/attach-bundle.js +118 -0
- package/dist/agent/authorization-cache.d.ts +22 -0
- package/dist/agent/authorization-cache.js +36 -0
- package/dist/agent/deferred-tools.d.ts +11 -0
- package/dist/agent/deferred-tools.js +62 -0
- package/dist/agent/discover.d.ts +41 -0
- package/dist/agent/discover.js +147 -0
- package/dist/agent/evidence.d.ts +9 -0
- package/dist/agent/evidence.js +28 -0
- package/dist/agent/facade.d.ts +48 -0
- package/dist/agent/facade.js +112 -0
- package/dist/agent/gateway-trace-reporter.d.ts +28 -0
- package/dist/agent/gateway-trace-reporter.js +49 -0
- package/dist/agent/generic-runner.d.ts +14 -0
- package/dist/agent/generic-runner.js +49 -0
- package/dist/agent/generic-sandbox-demo.d.ts +36 -0
- package/dist/agent/generic-sandbox-demo.js +82 -0
- package/dist/agent/guarded-agent.d.ts +49 -0
- package/dist/agent/guarded-agent.js +100 -0
- package/dist/agent/index.d.ts +13 -0
- package/dist/agent/index.js +13 -0
- package/dist/agent/instrument.d.ts +156 -0
- package/dist/agent/instrument.js +442 -0
- package/dist/agent/interceptor.d.ts +24 -0
- package/dist/agent/interceptor.js +440 -0
- package/dist/agent/lazy-context-tools.d.ts +15 -0
- package/dist/agent/lazy-context-tools.js +81 -0
- package/dist/agent/registry-file.d.ts +39 -0
- package/dist/agent/registry-file.js +219 -0
- package/dist/agent/registry.d.ts +37 -0
- package/dist/agent/registry.js +128 -0
- package/dist/agent/run.d.ts +124 -0
- package/dist/agent/run.js +301 -0
- package/dist/agent/types.d.ts +318 -0
- package/dist/agent/types.js +42 -0
- package/dist/agent-recognition.d.ts +72 -0
- package/dist/agent-recognition.js +165 -0
- package/dist/bincode-wire.d.ts +18 -0
- package/dist/bincode-wire.js +93 -0
- package/dist/claude-agents/config.d.ts +21 -0
- package/dist/claude-agents/config.js +145 -0
- package/dist/claude-agents/index.d.ts +2 -0
- package/dist/claude-agents/index.js +2 -0
- package/dist/claude-agents/sandbox-demo.d.ts +30 -0
- package/dist/claude-agents/sandbox-demo.js +91 -0
- package/dist/cli/agent/demo-loaders.d.ts +4 -0
- package/dist/cli/agent/demo-loaders.js +66 -0
- package/dist/cli/agent/env-quote.d.ts +1 -0
- package/dist/cli/agent/env-quote.js +6 -0
- package/dist/cli/agent/env-write.d.ts +8 -0
- package/dist/cli/agent/env-write.js +47 -0
- package/dist/cli/agent/paybond.d.ts +16 -0
- package/dist/cli/agent/paybond.js +55 -0
- package/dist/cli/agent/policy-file.d.ts +29 -0
- package/dist/cli/agent/policy-file.js +61 -0
- package/dist/cli/agent/production-evidence.d.ts +24 -0
- package/dist/cli/agent/production-evidence.js +98 -0
- package/dist/cli/agent/run-store.d.ts +30 -0
- package/dist/cli/agent/run-store.js +42 -0
- package/dist/cli/agent/run-trace-store.d.ts +39 -0
- package/dist/cli/agent/run-trace-store.js +143 -0
- package/dist/cli/agent-run-trace-table.d.ts +9 -0
- package/dist/cli/agent-run-trace-table.js +24 -0
- package/dist/cli/agent-sandbox-smoke-checklist.d.ts +9 -0
- package/dist/cli/agent-sandbox-smoke-checklist.js +50 -0
- package/dist/cli/command-spec.d.ts +1 -0
- package/dist/cli/command-spec.js +286 -5
- package/dist/cli/commands/agent.d.ts +16 -0
- package/dist/cli/commands/agent.js +1136 -0
- package/dist/cli/commands/dev.d.ts +7 -0
- package/dist/cli/commands/dev.js +348 -0
- package/dist/cli/commands/discovery.js +3 -3
- package/dist/cli/commands/policy.d.ts +13 -0
- package/dist/cli/commands/policy.js +769 -0
- package/dist/cli/commands/setup.d.ts +3 -0
- package/dist/cli/commands/setup.js +124 -8
- package/dist/cli/commands/workflows.js +9 -4
- package/dist/cli/config.d.ts +2 -0
- package/dist/cli/config.js +4 -2
- package/dist/cli/context.js +2 -1
- package/dist/cli/credentials.js +2 -2
- package/dist/cli/doctor-agent-middleware.d.ts +5 -0
- package/dist/cli/doctor-agent-middleware.js +49 -0
- package/dist/cli/globals.d.ts +1 -0
- package/dist/cli/globals.js +11 -1
- package/dist/cli/help.d.ts +1 -1
- package/dist/cli/help.js +35 -3
- package/dist/cli/mcp-install.js +2 -2
- package/dist/cli/mcp-policy.d.ts +3 -0
- package/dist/cli/mcp-policy.js +19 -13
- package/dist/cli/mcp-verify-config.js +9 -11
- package/dist/cli/redact.js +29 -8
- package/dist/cli/router.js +105 -2
- package/dist/cli/smoke-deep-links.d.ts +15 -0
- package/dist/cli/smoke-deep-links.js +63 -0
- package/dist/cli/telemetry.d.ts +17 -0
- package/dist/cli/telemetry.js +94 -0
- package/dist/completion-catalog-digest.d.ts +2 -0
- package/dist/completion-catalog-digest.js +2 -0
- package/dist/completion-catalog-integrity.d.ts +2 -0
- package/dist/completion-catalog-integrity.js +17 -0
- package/dist/completion-catalog.d.ts +49 -0
- package/dist/completion-catalog.js +62 -0
- package/dist/completion-contract-digest.d.ts +37 -0
- package/dist/completion-contract-digest.js +73 -0
- package/dist/completion-forbidden-fields.d.ts +5 -0
- package/dist/completion-forbidden-fields.js +26 -0
- package/dist/completion-init.d.ts +8 -0
- package/dist/completion-init.js +334 -0
- package/dist/completion-resolve.d.ts +21 -0
- package/dist/completion-resolve.js +86 -0
- package/dist/completion-validate-evidence.d.ts +24 -0
- package/dist/completion-validate-evidence.js +145 -0
- package/dist/dev/offline-gateway.d.ts +24 -0
- package/dist/dev/offline-gateway.js +102 -0
- package/dist/dev/trace-buffer.d.ts +61 -0
- package/dist/dev/trace-buffer.js +330 -0
- package/dist/dev/trace-security-headers.d.ts +11 -0
- package/dist/dev/trace-security-headers.js +16 -0
- package/dist/dev/trace-server.d.ts +8 -0
- package/dist/dev/trace-server.js +38 -0
- package/dist/dev/trace-ui.d.ts +4 -0
- package/dist/dev/trace-ui.js +25 -0
- package/dist/dev/wiremock-up.d.ts +15 -0
- package/dist/dev/wiremock-up.js +118 -0
- package/dist/doctor-completion.d.ts +17 -0
- package/dist/doctor-completion.js +428 -0
- package/dist/gateway-url.d.ts +7 -0
- package/dist/gateway-url.js +69 -0
- package/dist/index.d.ts +119 -2
- package/dist/index.js +267 -6
- package/dist/init.js +374 -57
- package/dist/langgraph/awrap-tool-call.d.ts +25 -0
- package/dist/langgraph/awrap-tool-call.js +81 -0
- package/dist/langgraph/config.d.ts +13 -0
- package/dist/langgraph/config.js +11 -0
- package/dist/langgraph/index.d.ts +4 -0
- package/dist/langgraph/index.js +4 -0
- package/dist/langgraph/sandbox-demo.d.ts +40 -0
- package/dist/langgraph/sandbox-demo.js +96 -0
- package/dist/langgraph/tool-node.d.ts +10 -0
- package/dist/langgraph/tool-node.js +38 -0
- package/dist/login.js +7 -0
- package/dist/mcp/index.d.ts +1 -0
- package/dist/mcp/index.js +1 -0
- package/dist/mcp/tool-surface.d.ts +25 -0
- package/dist/mcp/tool-surface.js +17 -0
- package/dist/mcp-capability-token-cache.d.ts +24 -0
- package/dist/mcp-capability-token-cache.js +101 -0
- package/dist/mcp-evidence-policy.d.ts +48 -0
- package/dist/mcp-evidence-policy.js +117 -0
- package/dist/mcp-policy-reload.d.ts +79 -0
- package/dist/mcp-policy-reload.js +200 -0
- package/dist/mcp-sep2828-evidence.d.ts +36 -0
- package/dist/mcp-sep2828-evidence.js +65 -0
- package/dist/mcp-server.d.ts +6 -0
- package/dist/mcp-server.js +224 -44
- package/dist/openai-agents/index.d.ts +40 -0
- package/dist/openai-agents/index.js +151 -0
- package/dist/openai-agents/sandbox-demo.d.ts +34 -0
- package/dist/openai-agents/sandbox-demo.js +118 -0
- package/dist/payee-evidence.js +2 -29
- package/dist/policy/catalog.d.ts +31 -0
- package/dist/policy/catalog.js +48 -0
- package/dist/policy/compose-utils.d.ts +3 -0
- package/dist/policy/compose-utils.js +4 -0
- package/dist/policy/compose.d.ts +20 -0
- package/dist/policy/compose.js +240 -0
- package/dist/policy/digest.d.ts +7 -0
- package/dist/policy/digest.js +75 -0
- package/dist/policy/domain.d.ts +15 -0
- package/dist/policy/domain.js +28 -0
- package/dist/policy/guardrail-spec.d.ts +17 -0
- package/dist/policy/guardrail-spec.js +140 -0
- package/dist/policy/guardrails.d.ts +48 -0
- package/dist/policy/guardrails.js +72 -0
- package/dist/policy/index.d.ts +21 -0
- package/dist/policy/index.js +21 -0
- package/dist/policy/init.d.ts +102 -0
- package/dist/policy/init.js +351 -0
- package/dist/policy/intent-spec.d.ts +52 -0
- package/dist/policy/intent-spec.js +176 -0
- package/dist/policy/json-path.d.ts +4 -0
- package/dist/policy/json-path.js +23 -0
- package/dist/policy/layers-io.d.ts +7 -0
- package/dist/policy/layers-io.js +28 -0
- package/dist/policy/load-effective.d.ts +22 -0
- package/dist/policy/load-effective.js +77 -0
- package/dist/policy/load.d.ts +85 -0
- package/dist/policy/load.js +164 -0
- package/dist/policy/merge.d.ts +29 -0
- package/dist/policy/merge.js +297 -0
- package/dist/policy/parse-text.d.ts +2 -0
- package/dist/policy/parse-text.js +126 -0
- package/dist/policy/policy-api.d.ts +45 -0
- package/dist/policy/policy-api.js +61 -0
- package/dist/policy/presets.d.ts +19 -0
- package/dist/policy/presets.js +66 -0
- package/dist/policy/registry.d.ts +7 -0
- package/dist/policy/registry.js +33 -0
- package/dist/policy/reload.d.ts +86 -0
- package/dist/policy/reload.js +233 -0
- package/dist/policy/render-yaml.d.ts +3 -0
- package/dist/policy/render-yaml.js +69 -0
- package/dist/policy/sandbox-bootstrap.d.ts +19 -0
- package/dist/policy/sandbox-bootstrap.js +66 -0
- package/dist/policy/schema.d.ts +204 -0
- package/dist/policy/schema.js +255 -0
- package/dist/policy/snapshot.d.ts +33 -0
- package/dist/policy/snapshot.js +23 -0
- package/dist/policy/validate-remote.d.ts +43 -0
- package/dist/policy/validate-remote.js +104 -0
- package/dist/policy/validate.d.ts +36 -0
- package/dist/policy/validate.js +150 -0
- package/dist/policy/watcher.d.ts +29 -0
- package/dist/policy/watcher.js +112 -0
- package/dist/principal-intent.d.ts +52 -0
- package/dist/principal-intent.js +193 -37
- package/dist/project-init.d.ts +34 -0
- package/dist/project-init.js +898 -0
- package/dist/sep2828-signature.d.ts +10 -0
- package/dist/sep2828-signature.js +134 -0
- package/dist/solutions/api.d.ts +22 -0
- package/dist/solutions/api.js +40 -0
- package/dist/solutions/catalog.d.ts +34 -0
- package/dist/solutions/catalog.js +129 -0
- package/dist/solutions/index.d.ts +2 -0
- package/dist/solutions/index.js +2 -0
- package/dist/template-init.d.ts +54 -0
- package/dist/template-init.js +203 -0
- package/dist/vercel-ai/config.d.ts +15 -0
- package/dist/vercel-ai/config.js +13 -0
- package/dist/vercel-ai/index.d.ts +4 -0
- package/dist/vercel-ai/index.js +4 -0
- package/dist/vercel-ai/sandbox-demo.d.ts +44 -0
- package/dist/vercel-ai/sandbox-demo.js +153 -0
- package/dist/vercel-ai/tool-approval.d.ts +16 -0
- package/dist/vercel-ai/tool-approval.js +41 -0
- package/dist/vercel-ai/wrap-tools.d.ts +9 -0
- package/dist/vercel-ai/wrap-tools.js +40 -0
- package/dist/x402-receipt-evidence.d.ts +29 -0
- package/dist/x402-receipt-evidence.js +97 -0
- package/dist/x402-receipt-signature.d.ts +12 -0
- package/dist/x402-receipt-signature.js +211 -0
- package/package.json +75 -3
- package/solutions/aws.json +17 -0
- package/solutions/saas.json +17 -0
- package/solutions/shopping.json +17 -0
- package/solutions/travel.json +18 -0
- package/templates/manifest.json +169 -0
- package/templates/openai-shopping-agent/.env.example +3 -0
- package/templates/openai-shopping-agent/.github/workflows/smoke.yml +20 -0
- package/templates/openai-shopping-agent/LICENSE +201 -0
- package/templates/openai-shopping-agent/README.md +29 -0
- package/templates/openai-shopping-agent/package-lock.json +1525 -0
- package/templates/openai-shopping-agent/package.json +22 -0
- package/templates/openai-shopping-agent/paybond.policy.yaml +22 -0
- package/templates/openai-shopping-agent/src/index.ts +22 -0
- package/templates/openai-shopping-agent/src/paybond.config.ts +51 -0
- package/templates/openai-shopping-agent/tsconfig.json +13 -0
- package/templates/paybond-aws-operator/.env.example +3 -0
- package/templates/paybond-aws-operator/.github/workflows/smoke.yml +20 -0
- package/templates/paybond-aws-operator/LICENSE +201 -0
- package/templates/paybond-aws-operator/README.md +29 -0
- package/templates/paybond-aws-operator/package-lock.json +151 -0
- package/templates/paybond-aws-operator/package.json +20 -0
- package/templates/paybond-aws-operator/paybond.policy.yaml +22 -0
- package/templates/paybond-aws-operator/src/index.ts +54 -0
- package/templates/paybond-aws-operator/src/paybond.config.ts +51 -0
- package/templates/paybond-aws-operator/tsconfig.json +13 -0
- package/templates/paybond-claude-agents-demo/.env.example +3 -0
- package/templates/paybond-claude-agents-demo/.github/workflows/smoke.yml +20 -0
- package/templates/paybond-claude-agents-demo/LICENSE +201 -0
- package/templates/paybond-claude-agents-demo/README.md +29 -0
- package/templates/paybond-claude-agents-demo/package-lock.json +1489 -0
- package/templates/paybond-claude-agents-demo/package.json +22 -0
- package/templates/paybond-claude-agents-demo/paybond.policy.yaml +22 -0
- package/templates/paybond-claude-agents-demo/src/index.ts +22 -0
- package/templates/paybond-claude-agents-demo/src/paybond.config.ts +51 -0
- package/templates/paybond-claude-agents-demo/tsconfig.json +13 -0
- package/templates/paybond-invoice-agent/.env.example +3 -0
- package/templates/paybond-invoice-agent/.github/workflows/smoke.yml +19 -0
- package/templates/paybond-invoice-agent/LICENSE +201 -0
- package/templates/paybond-invoice-agent/README.md +29 -0
- package/templates/paybond-invoice-agent/app.py +27 -0
- package/templates/paybond-invoice-agent/package.json +6 -0
- package/templates/paybond-invoice-agent/paybond.policy.yaml +22 -0
- package/templates/paybond-invoice-agent/paybond_config.py +45 -0
- package/templates/paybond-invoice-agent/requirements.txt +2 -0
- package/templates/paybond-mcp-coding-agent/.env.example +3 -0
- package/templates/paybond-mcp-coding-agent/.github/workflows/smoke.yml +20 -0
- package/templates/paybond-mcp-coding-agent/LICENSE +201 -0
- package/templates/paybond-mcp-coding-agent/README.md +39 -0
- package/templates/paybond-mcp-coding-agent/package-lock.json +151 -0
- package/templates/paybond-mcp-coding-agent/package.json +20 -0
- package/templates/paybond-mcp-coding-agent/paybond.policy.yaml +25 -0
- package/templates/paybond-mcp-coding-agent/src/index.ts +40 -0
- package/templates/paybond-mcp-coding-agent/src/paybond.config.ts +51 -0
- package/templates/paybond-mcp-coding-agent/tsconfig.json +13 -0
- package/templates/paybond-openai-agents-demo/.env.example +3 -0
- package/templates/paybond-openai-agents-demo/.github/workflows/smoke.yml +20 -0
- package/templates/paybond-openai-agents-demo/LICENSE +201 -0
- package/templates/paybond-openai-agents-demo/README.md +29 -0
- package/templates/paybond-openai-agents-demo/package-lock.json +1525 -0
- package/templates/paybond-openai-agents-demo/package.json +22 -0
- package/templates/paybond-openai-agents-demo/paybond.policy.yaml +22 -0
- package/templates/paybond-openai-agents-demo/src/index.ts +22 -0
- package/templates/paybond-openai-agents-demo/src/paybond.config.ts +51 -0
- package/templates/paybond-openai-agents-demo/tsconfig.json +13 -0
- package/templates/paybond-procurement-agent/.env.example +3 -0
- package/templates/paybond-procurement-agent/.github/workflows/smoke.yml +20 -0
- package/templates/paybond-procurement-agent/LICENSE +201 -0
- package/templates/paybond-procurement-agent/README.md +29 -0
- package/templates/paybond-procurement-agent/package-lock.json +151 -0
- package/templates/paybond-procurement-agent/package.json +20 -0
- package/templates/paybond-procurement-agent/paybond.policy.yaml +25 -0
- package/templates/paybond-procurement-agent/src/index.ts +54 -0
- package/templates/paybond-procurement-agent/src/paybond.config.ts +51 -0
- package/templates/paybond-procurement-agent/tsconfig.json +13 -0
- package/templates/paybond-travel-agent/.env.example +3 -0
- package/templates/paybond-travel-agent/.github/workflows/smoke.yml +20 -0
- package/templates/paybond-travel-agent/LICENSE +201 -0
- package/templates/paybond-travel-agent/README.md +29 -0
- package/templates/paybond-travel-agent/package-lock.json +444 -0
- package/templates/paybond-travel-agent/package.json +23 -0
- package/templates/paybond-travel-agent/paybond.policy.yaml +22 -0
- package/templates/paybond-travel-agent/src/index.ts +22 -0
- package/templates/paybond-travel-agent/src/paybond.config.ts +51 -0
- package/templates/paybond-travel-agent/tsconfig.json +13 -0
- package/templates/paybond-vercel-shopping-agent/.env.example +3 -0
- package/templates/paybond-vercel-shopping-agent/.github/workflows/smoke.yml +20 -0
- package/templates/paybond-vercel-shopping-agent/LICENSE +201 -0
- package/templates/paybond-vercel-shopping-agent/README.md +29 -0
- package/templates/paybond-vercel-shopping-agent/package-lock.json +265 -0
- package/templates/paybond-vercel-shopping-agent/package.json +22 -0
- package/templates/paybond-vercel-shopping-agent/paybond.policy.yaml +22 -0
- package/templates/paybond-vercel-shopping-agent/src/index.ts +22 -0
- package/templates/paybond-vercel-shopping-agent/src/paybond.config.ts +51 -0
- package/templates/paybond-vercel-shopping-agent/tsconfig.json +13 -0
package/dist/index.js
CHANGED
|
@@ -2,8 +2,15 @@
|
|
|
2
2
|
* Paybond Kit — TypeScript Gateway client with tenant binding, retries, capability verification,
|
|
3
3
|
* and signed intent/evidence helpers.
|
|
4
4
|
*/
|
|
5
|
-
import { buildSignedCreateIntentBody, } from "./principal-intent.js";
|
|
5
|
+
import { buildSignedCreateIntentBody, buildSignedCreateIntentBodyWithPolicyBinding, } from "./principal-intent.js";
|
|
6
6
|
import { signPayeeEvidenceBinding } from "./payee-evidence.js";
|
|
7
|
+
import { PaybondAgentRunFacade, PaybondInstrumentBuilder, createGuardedAgent, createGuardedAgentRunner, createPaybondAgent, createPaybondToolRegistry, instrumentPaybondAgent, instrumentPaybondClaudeAgents, instrumentPaybondLangGraph, instrumentPaybondMCP, instrumentPaybondOpenAI, instrumentPaybondVercel, resolveAgentPolicySource, wrapPaybondTools, } from "./agent/index.js";
|
|
8
|
+
import { GatewayAgentRunTraceReporter, } from "./agent/gateway-trace-reporter.js";
|
|
9
|
+
import { parsePolicyRemoteValidateResponse, policyValidateQueryString, } from "./policy/validate-remote.js";
|
|
10
|
+
import { parsePolicyEffectiveResolveResponse, } from "./policy/load-effective.js";
|
|
11
|
+
import { paybondPolicyPresets } from "./policy/policy-api.js";
|
|
12
|
+
import { paybondSolutionPresets } from "./solutions/api.js";
|
|
13
|
+
import { requireSecureGatewayUrl } from "./gateway-url.js";
|
|
7
14
|
function parseVerifyCapabilityBody(body, expectedTenant, expectedIntentId) {
|
|
8
15
|
const tenant = String(body.tenant ?? "");
|
|
9
16
|
const intentId = String(body.intent_id ?? "");
|
|
@@ -78,7 +85,7 @@ function verifyCapabilityPayload(input) {
|
|
|
78
85
|
export const DEFAULT_PAYBOND_GATEWAY_BASE_URL = "https://api.paybond.ai";
|
|
79
86
|
function defaultGatewayBaseUrl(value) {
|
|
80
87
|
const trimmed = value?.trim();
|
|
81
|
-
return trimmed
|
|
88
|
+
return requireSecureGatewayUrl(trimmed || DEFAULT_PAYBOND_GATEWAY_BASE_URL);
|
|
82
89
|
}
|
|
83
90
|
/**
|
|
84
91
|
* Structured HTTP failure from Harbor with operator-facing diagnostics.
|
|
@@ -178,7 +185,7 @@ function protocolHTTPErrorMessage(prefix, statusCode, bodyText) {
|
|
|
178
185
|
return `${prefix} HTTP ${statusCode}: ${bodyText}`;
|
|
179
186
|
}
|
|
180
187
|
function normalizeBase(url) {
|
|
181
|
-
return url
|
|
188
|
+
return requireSecureGatewayUrl(url);
|
|
182
189
|
}
|
|
183
190
|
function backoffMs(attempt) {
|
|
184
191
|
const base = 200 * 2 ** attempt;
|
|
@@ -293,6 +300,18 @@ export class PaybondSpendGuard {
|
|
|
293
300
|
}
|
|
294
301
|
await complete.call(this.harbor, { decisionId, outcome });
|
|
295
302
|
}
|
|
303
|
+
/**
|
|
304
|
+
* Authorize spend for `input.operation`, then invoke `handler`.
|
|
305
|
+
*
|
|
306
|
+
* The `operation` label and `requestedSpendCents` are sent to Harbor for
|
|
307
|
+
* policy evaluation only. This wrapper does not inspect or constrain what
|
|
308
|
+
* `handler` actually does — callers must keep the authorization label,
|
|
309
|
+
* spend amount, and handler side effects aligned with the bound intent's
|
|
310
|
+
* `allowedTools` and policy predicates.
|
|
311
|
+
*
|
|
312
|
+
* For registry-backed operation-to-handler coupling, prefer
|
|
313
|
+
* `paybond.instrument()` or `wrapTools()` over per-tool `guardTool`.
|
|
314
|
+
*/
|
|
296
315
|
guardTool(input, handler) {
|
|
297
316
|
return async (...args) => {
|
|
298
317
|
const auth = await this.assertSpendAuthorized(input);
|
|
@@ -320,6 +339,7 @@ export class PaybondSpendGuard {
|
|
|
320
339
|
export async function authorizeSpend(source, input) {
|
|
321
340
|
return new PaybondSpendGuard(source).authorizeSpend(input);
|
|
322
341
|
}
|
|
342
|
+
/** Standalone alias for {@link PaybondSpendGuard.guardTool}. */
|
|
323
343
|
export function guardTool(source, input, handler) {
|
|
324
344
|
return new PaybondSpendGuard(source).guardTool(input, handler);
|
|
325
345
|
}
|
|
@@ -356,7 +376,24 @@ export function paybondRuntimeToolCallAdapter(init) {
|
|
|
356
376
|
}
|
|
357
377
|
throw new PaybondSpendDeniedError(result);
|
|
358
378
|
}
|
|
359
|
-
|
|
379
|
+
try {
|
|
380
|
+
const out = await init.execute(call);
|
|
381
|
+
if (result.decisionId) {
|
|
382
|
+
await guard.completeSpendAuthorization(result.decisionId, "consumed");
|
|
383
|
+
}
|
|
384
|
+
return out;
|
|
385
|
+
}
|
|
386
|
+
catch (err) {
|
|
387
|
+
if (result.decisionId) {
|
|
388
|
+
try {
|
|
389
|
+
await guard.completeSpendAuthorization(result.decisionId, "released");
|
|
390
|
+
}
|
|
391
|
+
catch {
|
|
392
|
+
// Best-effort release when the guarded handler fails.
|
|
393
|
+
}
|
|
394
|
+
}
|
|
395
|
+
throw err;
|
|
396
|
+
}
|
|
360
397
|
};
|
|
361
398
|
}
|
|
362
399
|
/**
|
|
@@ -791,9 +828,15 @@ export class GatewayHarborClient {
|
|
|
791
828
|
throw lastErr instanceof Error ? lastErr : new Error(String(lastErr));
|
|
792
829
|
}
|
|
793
830
|
async postJSON(path, payload, extraHeaders) {
|
|
831
|
+
return this.requestJSON("POST", path, payload, extraHeaders);
|
|
832
|
+
}
|
|
833
|
+
async putJSON(path, payload, extraHeaders) {
|
|
834
|
+
return this.requestJSON("PUT", path, payload, extraHeaders);
|
|
835
|
+
}
|
|
836
|
+
async requestJSON(method, path, payload, extraHeaders) {
|
|
794
837
|
const url = `${this.base}${path.replace(/^\/+/, "")}`;
|
|
795
838
|
const res = await this.fetchWithRetries(url, {
|
|
796
|
-
method
|
|
839
|
+
method,
|
|
797
840
|
headers: this.headers({
|
|
798
841
|
"content-type": "application/json",
|
|
799
842
|
...(extraHeaders ?? {}),
|
|
@@ -803,6 +846,65 @@ export class GatewayHarborClient {
|
|
|
803
846
|
const text = await res.text();
|
|
804
847
|
return { res, text, url };
|
|
805
848
|
}
|
|
849
|
+
async getJSON(path) {
|
|
850
|
+
const url = `${this.base}${path.replace(/^\/+/, "")}`;
|
|
851
|
+
const res = await this.fetchWithRetries(url, {
|
|
852
|
+
method: "GET",
|
|
853
|
+
headers: this.headers(),
|
|
854
|
+
});
|
|
855
|
+
const text = await res.text();
|
|
856
|
+
return { res, text, url };
|
|
857
|
+
}
|
|
858
|
+
/** Tenant-scoped Harbor operator intent detail (for attach run binding). */
|
|
859
|
+
async getIntent(intentId) {
|
|
860
|
+
const trimmed = intentId.trim();
|
|
861
|
+
if (!trimmed) {
|
|
862
|
+
throw new Error("getIntent requires a non-empty intentId");
|
|
863
|
+
}
|
|
864
|
+
const { res, text, url } = await this.getJSON(`/harbor/operator/v1/intents/${encodeURIComponent(trimmed)}`);
|
|
865
|
+
if (!res.ok) {
|
|
866
|
+
throw new HarborHttpError(`Gateway Harbor get intent HTTP ${res.status}: ${text}`, {
|
|
867
|
+
statusCode: res.status,
|
|
868
|
+
url,
|
|
869
|
+
bodyText: text,
|
|
870
|
+
});
|
|
871
|
+
}
|
|
872
|
+
const body = JSON.parse(text);
|
|
873
|
+
const tenant = String(body.tenant_id ?? "").trim();
|
|
874
|
+
if (tenant !== this.tenantId) {
|
|
875
|
+
throw new Error(`intent tenant mismatch: client=${this.tenantId} gateway=${tenant}`);
|
|
876
|
+
}
|
|
877
|
+
return body;
|
|
878
|
+
}
|
|
879
|
+
/** Gateway-backed middleware trace reporter for tenant console agent-runs view. */
|
|
880
|
+
createAgentRunTraceReporter(runId) {
|
|
881
|
+
const trimmed = runId.trim();
|
|
882
|
+
if (!trimmed) {
|
|
883
|
+
throw new Error("createAgentRunTraceReporter requires a non-empty runId");
|
|
884
|
+
}
|
|
885
|
+
return new GatewayAgentRunTraceReporter(async (method, path, body) => {
|
|
886
|
+
if (method === "PUT") {
|
|
887
|
+
const { res, text, url } = await this.putJSON(path, body);
|
|
888
|
+
if (!res.ok) {
|
|
889
|
+
throw new HarborHttpError(`Gateway agent run upsert HTTP ${res.status}: ${text}`, {
|
|
890
|
+
statusCode: res.status,
|
|
891
|
+
url,
|
|
892
|
+
bodyText: text,
|
|
893
|
+
});
|
|
894
|
+
}
|
|
895
|
+
return JSON.parse(text);
|
|
896
|
+
}
|
|
897
|
+
const { res, text, url } = await this.postJSON(path, body);
|
|
898
|
+
if (!res.ok) {
|
|
899
|
+
throw new HarborHttpError(`Gateway agent run trace HTTP ${res.status}: ${text}`, {
|
|
900
|
+
statusCode: res.status,
|
|
901
|
+
url,
|
|
902
|
+
bodyText: text,
|
|
903
|
+
});
|
|
904
|
+
}
|
|
905
|
+
return JSON.parse(text);
|
|
906
|
+
}, trimmed);
|
|
907
|
+
}
|
|
806
908
|
mutationHeaders(operation, options, headers) {
|
|
807
909
|
const proof = options?.recognitionProof;
|
|
808
910
|
if (!proof || typeof proof !== "object" || Array.isArray(proof)) {
|
|
@@ -847,6 +949,42 @@ export class GatewayHarborClient {
|
|
|
847
949
|
});
|
|
848
950
|
}
|
|
849
951
|
}
|
|
952
|
+
/**
|
|
953
|
+
* Validate a paybond.policy.yaml document against the tenant Harbor registry
|
|
954
|
+
* (`POST /v1/policy/validate`).
|
|
955
|
+
*/
|
|
956
|
+
async validatePolicy(document, options) {
|
|
957
|
+
const qs = policyValidateQueryString(options ?? {});
|
|
958
|
+
const { res, text, url } = await this.postJSON(`/v1/policy/validate${qs}`, document);
|
|
959
|
+
if (!res.ok) {
|
|
960
|
+
throw new HarborHttpError(`Gateway policy validate HTTP ${res.status}: ${text}`, {
|
|
961
|
+
statusCode: res.status,
|
|
962
|
+
url,
|
|
963
|
+
bodyText: text,
|
|
964
|
+
});
|
|
965
|
+
}
|
|
966
|
+
return parsePolicyRemoteValidateResponse(JSON.parse(text));
|
|
967
|
+
}
|
|
968
|
+
/**
|
|
969
|
+
* Resolve merged effective policy for a tenant overlay via
|
|
970
|
+
* `POST /v1/org-policies/{policy_id}/effective`.
|
|
971
|
+
*/
|
|
972
|
+
async resolvePolicyEffective(orgPolicyId, overlay, options) {
|
|
973
|
+
let path = `/v1/org-policies/${encodeURIComponent(orgPolicyId)}/effective`;
|
|
974
|
+
const currentDigest = options?.currentDigest?.trim();
|
|
975
|
+
if (currentDigest) {
|
|
976
|
+
path += `?digest=${encodeURIComponent(currentDigest)}`;
|
|
977
|
+
}
|
|
978
|
+
const { res, text, url } = await this.postJSON(path, overlay);
|
|
979
|
+
if (!res.ok) {
|
|
980
|
+
throw new HarborHttpError(`Gateway policy effective HTTP ${res.status}: ${text}`, {
|
|
981
|
+
statusCode: res.status,
|
|
982
|
+
url,
|
|
983
|
+
bodyText: text,
|
|
984
|
+
});
|
|
985
|
+
}
|
|
986
|
+
return parsePolicyEffectiveResolveResponse(JSON.parse(text));
|
|
987
|
+
}
|
|
850
988
|
async createIntent(body, options) {
|
|
851
989
|
const { res, text, url } = await this.postJSON("/harbor/intents", body, this.mutationHeaders("createIntent", options));
|
|
852
990
|
if (!res.ok) {
|
|
@@ -967,6 +1105,15 @@ export class PaybondGuardrails {
|
|
|
967
1105
|
if (input.metadata !== undefined) {
|
|
968
1106
|
payload.metadata = input.metadata;
|
|
969
1107
|
}
|
|
1108
|
+
if (input.completionPreset !== undefined) {
|
|
1109
|
+
payload.completion_preset = input.completionPreset;
|
|
1110
|
+
}
|
|
1111
|
+
if (input.templateId !== undefined) {
|
|
1112
|
+
payload.template_id = input.templateId;
|
|
1113
|
+
}
|
|
1114
|
+
if (input.parameters !== undefined) {
|
|
1115
|
+
payload.parameters = input.parameters;
|
|
1116
|
+
}
|
|
970
1117
|
const { res, text, url } = await this.postJSON("/v1/sandbox/guardrails/bootstrap", payload, { idempotencyKey: input.idempotencyKey });
|
|
971
1118
|
if (!res.ok) {
|
|
972
1119
|
throw new HarborHttpError(`Gateway sandbox guardrail bootstrap HTTP ${res.status}: ${text}`, {
|
|
@@ -987,6 +1134,9 @@ export class PaybondGuardrails {
|
|
|
987
1134
|
if (input.payload !== undefined) {
|
|
988
1135
|
payload.payload = input.payload;
|
|
989
1136
|
}
|
|
1137
|
+
if (input.vendorPayload !== undefined) {
|
|
1138
|
+
payload.vendor_payload = input.vendorPayload;
|
|
1139
|
+
}
|
|
990
1140
|
if (input.artifacts !== undefined) {
|
|
991
1141
|
payload.artifacts = input.artifacts;
|
|
992
1142
|
}
|
|
@@ -1137,9 +1287,32 @@ function parseSandboxGuardrailEvidenceResponse(value, init) {
|
|
|
1137
1287
|
: undefined,
|
|
1138
1288
|
payload_digest: sandboxGuardrailOptionalString(body.payload_digest),
|
|
1139
1289
|
artifacts_digest: sandboxGuardrailOptionalString(body.artifacts_digest),
|
|
1290
|
+
schema_validation: readSchemaValidationReport(body.schema_validation),
|
|
1140
1291
|
simulator_event: body.simulator_event,
|
|
1141
1292
|
};
|
|
1142
1293
|
}
|
|
1294
|
+
function readSchemaValidationReport(value) {
|
|
1295
|
+
if (value === null || typeof value !== "object" || Array.isArray(value)) {
|
|
1296
|
+
return undefined;
|
|
1297
|
+
}
|
|
1298
|
+
const report = value;
|
|
1299
|
+
if (typeof report.vendor_schema_ok !== "boolean" || typeof report.canonical_schema_ok !== "boolean") {
|
|
1300
|
+
return undefined;
|
|
1301
|
+
}
|
|
1302
|
+
const qualityFields = report.quality_fields_missing;
|
|
1303
|
+
const driftKinds = report.drift_kinds;
|
|
1304
|
+
return {
|
|
1305
|
+
vendor_schema_ok: report.vendor_schema_ok,
|
|
1306
|
+
canonical_schema_ok: report.canonical_schema_ok,
|
|
1307
|
+
quality_fields_missing: Array.isArray(qualityFields)
|
|
1308
|
+
? qualityFields.filter((entry) => typeof entry === "string")
|
|
1309
|
+
: [],
|
|
1310
|
+
pack_stale: Boolean(report.pack_stale),
|
|
1311
|
+
drift_kinds: Array.isArray(driftKinds)
|
|
1312
|
+
? driftKinds.filter((entry) => typeof entry === "string")
|
|
1313
|
+
: [],
|
|
1314
|
+
};
|
|
1315
|
+
}
|
|
1143
1316
|
function sandboxGuardrailString(body, field, init) {
|
|
1144
1317
|
const value = body[field];
|
|
1145
1318
|
if (typeof value === "string" && value.trim()) {
|
|
@@ -2040,6 +2213,19 @@ export class PaybondIntents {
|
|
|
2040
2213
|
* Build a principal-signed `POST /intents` body and submit it. `principalSigningSeed` must be
|
|
2041
2214
|
* 32 bytes. `settlementRail` is signed as the requested rail; destinations stay server-owned.
|
|
2042
2215
|
*/
|
|
2216
|
+
async createWithPolicyBinding(params) {
|
|
2217
|
+
const { idempotencyKey, intentId: maybeIntentId, recognitionProof, ...fields } = params;
|
|
2218
|
+
const intentId = maybeIntentId ?? globalThis.crypto.randomUUID();
|
|
2219
|
+
const body = buildSignedCreateIntentBodyWithPolicyBinding({
|
|
2220
|
+
tenantId: this.harbor.tenantId,
|
|
2221
|
+
intentId,
|
|
2222
|
+
...fields,
|
|
2223
|
+
});
|
|
2224
|
+
return this.harbor.createIntent(body, { idempotencyKey, recognitionProof });
|
|
2225
|
+
}
|
|
2226
|
+
/**
|
|
2227
|
+
* Build a principal-signed `POST /intents` body and submit it (raw predicate_dsl, signing v6).
|
|
2228
|
+
*/
|
|
2043
2229
|
async create(params) {
|
|
2044
2230
|
const { idempotencyKey, intentId: maybeIntentId, recognitionProof, ...fields } = params;
|
|
2045
2231
|
const intentId = maybeIntentId ?? globalThis.crypto.randomUUID();
|
|
@@ -2088,6 +2274,7 @@ export class Paybond {
|
|
|
2088
2274
|
a2a;
|
|
2089
2275
|
protocol;
|
|
2090
2276
|
intents;
|
|
2277
|
+
agentRun;
|
|
2091
2278
|
constructor(harbor, guardrails, signal, fraud, a2a, protocol) {
|
|
2092
2279
|
this.harbor = harbor;
|
|
2093
2280
|
this.guardrails = guardrails;
|
|
@@ -2096,6 +2283,7 @@ export class Paybond {
|
|
|
2096
2283
|
this.a2a = a2a;
|
|
2097
2284
|
this.protocol = protocol;
|
|
2098
2285
|
this.intents = new PaybondIntents(harbor);
|
|
2286
|
+
this.agentRun = new PaybondAgentRunFacade(this);
|
|
2099
2287
|
}
|
|
2100
2288
|
/** Open a tenant-bound hosted Paybond session from a service-account API key. */
|
|
2101
2289
|
static async open(init) {
|
|
@@ -2135,10 +2323,83 @@ export class Paybond {
|
|
|
2135
2323
|
spendGuard(intentId, capabilityToken) {
|
|
2136
2324
|
return new PaybondSpendGuard({ harbor: this.harbor, intentId, capabilityToken });
|
|
2137
2325
|
}
|
|
2326
|
+
/** Build a validated side-effecting tool registry for agent middleware. */
|
|
2327
|
+
toolRegistry(config) {
|
|
2328
|
+
return createPaybondToolRegistry(config);
|
|
2329
|
+
}
|
|
2138
2330
|
async authorizeSpend(input) {
|
|
2139
2331
|
return this.harbor.authorizeSpend(input);
|
|
2140
2332
|
}
|
|
2333
|
+
/** Policy-driven agent factory: load policy, bind a run, and wire framework tools. */
|
|
2334
|
+
createGuardedAgent(input) {
|
|
2335
|
+
return createGuardedAgent(this, input);
|
|
2336
|
+
}
|
|
2337
|
+
/** Alias for {@link Paybond.createGuardedAgent} matching runner helper naming. */
|
|
2338
|
+
createGuardedAgentRunner(input) {
|
|
2339
|
+
return createGuardedAgentRunner(this, input);
|
|
2340
|
+
}
|
|
2341
|
+
instrument(input, options) {
|
|
2342
|
+
return instrumentPaybondAgent(this, input, options);
|
|
2343
|
+
}
|
|
2344
|
+
/** Fluent builder: `paybond.policy("./paybond.policy.yaml").instrument(tools)`. */
|
|
2345
|
+
policy(source) {
|
|
2346
|
+
const resolved = typeof source === "string" ? resolveAgentPolicySource(source) : source;
|
|
2347
|
+
return new PaybondInstrumentBuilder(this, resolved);
|
|
2348
|
+
}
|
|
2349
|
+
/** Fluent builder for bundled vertical presets (`travel`, `shopping`, `saas`, `aws`). */
|
|
2350
|
+
usePolicy(presetId) {
|
|
2351
|
+
return this.policy(presetId);
|
|
2352
|
+
}
|
|
2353
|
+
instrumentLangGraph(input) {
|
|
2354
|
+
return instrumentPaybondLangGraph(this, input);
|
|
2355
|
+
}
|
|
2356
|
+
instrumentOpenAI(input) {
|
|
2357
|
+
return instrumentPaybondOpenAI(this, input);
|
|
2358
|
+
}
|
|
2359
|
+
instrumentVercel(input) {
|
|
2360
|
+
return instrumentPaybondVercel(this, input);
|
|
2361
|
+
}
|
|
2362
|
+
instrumentClaudeAgents(input) {
|
|
2363
|
+
return instrumentPaybondClaudeAgents(this, input);
|
|
2364
|
+
}
|
|
2365
|
+
/** Agent-agnostic instrumentation for MCP-style `{ name, execute }` tool hosts. */
|
|
2366
|
+
instrumentMCP(input) {
|
|
2367
|
+
return instrumentPaybondMCP(this, input);
|
|
2368
|
+
}
|
|
2369
|
+
/**
|
|
2370
|
+
* Opinionated quickstart: resolve named policy presets (for example `travel`) or file paths,
|
|
2371
|
+
* then instrument tools for the selected framework.
|
|
2372
|
+
*/
|
|
2373
|
+
agent(input) {
|
|
2374
|
+
return createPaybondAgent(this, input);
|
|
2375
|
+
}
|
|
2376
|
+
/** Wrap tools for an existing bound run without reloading policy. */
|
|
2377
|
+
wrapTools(run, tools, options) {
|
|
2378
|
+
return wrapPaybondTools(run, tools, options);
|
|
2379
|
+
}
|
|
2380
|
+
/**
|
|
2381
|
+
* Compose bundled policy presets (`travel`, `shopping`, …) and guardrail layers.
|
|
2382
|
+
* Example: `paybond.policyPresets.travel({ maxSpendUsd: 500 })`.
|
|
2383
|
+
*/
|
|
2384
|
+
get policyPresets() {
|
|
2385
|
+
return paybondPolicyPresets;
|
|
2386
|
+
}
|
|
2387
|
+
/**
|
|
2388
|
+
* Bundled solution references (`travel`, `shopping`, …) with policy, smoke defaults,
|
|
2389
|
+
* completion preset, and vendor pack metadata.
|
|
2390
|
+
* Example: `paybond.solution.travel()`.
|
|
2391
|
+
*/
|
|
2392
|
+
get solution() {
|
|
2393
|
+
return paybondSolutionPresets;
|
|
2394
|
+
}
|
|
2141
2395
|
}
|
|
2142
2396
|
export { normalizeJson, jsonValueDigest } from "./json-digest.js";
|
|
2143
|
-
export { buildSignedCreateIntentBody, intentCreationSignBytesRaw, } from "./principal-intent.js";
|
|
2397
|
+
export { buildSignedCreateIntentBody, buildSignedCreateIntentBodyWithPolicyBinding, intentCreationSignBytesRaw, intentCreationSignBytesWithPolicyBinding, } from "./principal-intent.js";
|
|
2144
2398
|
export { artifactsDigest, signPayeeEvidenceBinding } from "./payee-evidence.js";
|
|
2399
|
+
export { AGENT_RECOGNITION_GATEWAY_VERIFIER_ID, AGENT_RECOGNITION_PROOF_KIND_V1, AGENT_RECOGNITION_PURPOSE_EVIDENCE_SUBMIT, newAgentRecognitionRequestEnvelope, signAgentRecognitionProofV1, signHarborEvidenceSubmitRecognitionProof, } from "./agent-recognition.js";
|
|
2400
|
+
export { validateCompletionEvidence, } from "./completion-validate-evidence.js";
|
|
2401
|
+
export { completionSchemaDigestHex, computeVendorContractDigests, verifyVendorContract, verifyCatalogVendorContracts, } from "./completion-contract-digest.js";
|
|
2402
|
+
export { contractSnapshotForPreset, mapVendorEvidenceToCanonical, resolveCompletionPreset, } from "./completion-resolve.js";
|
|
2403
|
+
export { PaybondAgentRun, PaybondAgentRunBindError, PaybondAgentRunFacade, PaybondEvidenceSubmitError, PaybondToolInterceptor, PaybondToolRegistry, PaybondToolRegistryValidationError, PaybondUnregisteredSideEffectingToolError, buildAutoEvidencePayload, createGenericToolExecutor, createGuardedAgent, createGuardedAgentRunner, createPaybondAgent, createPaybondGenericAgentConfig, createPaybondGenericInputGuard, createPaybondToolRegistry, createToolInputGuardAdapter, instrumentPaybondAgent, instrumentPaybondClaudeAgents, instrumentPaybondLangGraph, instrumentPaybondMCP, instrumentPaybondOpenAI, instrumentPaybondVercel, paybondGenericToolExecutorAdapter, paybondToolInputGuardAdapter, resolveAgentPolicySource, toPaybondAgentResult, wrapPaybondTools, PaybondInstrumentBuilder, PaybondInstrumented, PaybondInstrumentRuntime, PaybondLazyContextError, PaybondUnboundContextError, discoverPolicyFromAgent, discoverToolNames, discoverToolsFromAgent, inlinePolicyToDocument, isInlinePolicy, isInstrumentableAgentObject, readPaybondAgentInstrumentation, } from "./agent/index.js";
|
|
2404
|
+
export { PaybondPolicy, composePolicyLayers, composeBundledPresetDefault, domain, guardrails, paybondPolicyPresets, resolveComposedPresetDocument, } from "./policy/index.js";
|
|
2405
|
+
export { getSolutionSmokeDefaults, isKnownSolutionId, listSolutionIds, loadSolutionManifest, paybondSolutionPresets, } from "./solutions/index.js";
|