@paybond/kit 0.10.0 → 0.11.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (346) hide show
  1. package/README.md +59 -15
  2. package/completion-presets/catalog.json +1187 -0
  3. package/completion-presets/catalog.sha256 +1 -0
  4. package/dev/trace-ui/dashboard.html +617 -0
  5. package/dist/agent/adapter.d.ts +51 -0
  6. package/dist/agent/adapter.js +66 -0
  7. package/dist/agent/attach-bundle.d.ts +37 -0
  8. package/dist/agent/attach-bundle.js +118 -0
  9. package/dist/agent/authorization-cache.d.ts +22 -0
  10. package/dist/agent/authorization-cache.js +36 -0
  11. package/dist/agent/deferred-tools.d.ts +11 -0
  12. package/dist/agent/deferred-tools.js +62 -0
  13. package/dist/agent/discover.d.ts +41 -0
  14. package/dist/agent/discover.js +147 -0
  15. package/dist/agent/evidence.d.ts +9 -0
  16. package/dist/agent/evidence.js +28 -0
  17. package/dist/agent/facade.d.ts +48 -0
  18. package/dist/agent/facade.js +112 -0
  19. package/dist/agent/gateway-trace-reporter.d.ts +28 -0
  20. package/dist/agent/gateway-trace-reporter.js +49 -0
  21. package/dist/agent/generic-runner.d.ts +14 -0
  22. package/dist/agent/generic-runner.js +49 -0
  23. package/dist/agent/generic-sandbox-demo.d.ts +36 -0
  24. package/dist/agent/generic-sandbox-demo.js +82 -0
  25. package/dist/agent/guarded-agent.d.ts +49 -0
  26. package/dist/agent/guarded-agent.js +100 -0
  27. package/dist/agent/index.d.ts +13 -0
  28. package/dist/agent/index.js +13 -0
  29. package/dist/agent/instrument.d.ts +156 -0
  30. package/dist/agent/instrument.js +442 -0
  31. package/dist/agent/interceptor.d.ts +24 -0
  32. package/dist/agent/interceptor.js +440 -0
  33. package/dist/agent/lazy-context-tools.d.ts +15 -0
  34. package/dist/agent/lazy-context-tools.js +81 -0
  35. package/dist/agent/registry-file.d.ts +39 -0
  36. package/dist/agent/registry-file.js +219 -0
  37. package/dist/agent/registry.d.ts +37 -0
  38. package/dist/agent/registry.js +128 -0
  39. package/dist/agent/run.d.ts +124 -0
  40. package/dist/agent/run.js +301 -0
  41. package/dist/agent/types.d.ts +318 -0
  42. package/dist/agent/types.js +42 -0
  43. package/dist/agent-recognition.d.ts +72 -0
  44. package/dist/agent-recognition.js +165 -0
  45. package/dist/bincode-wire.d.ts +18 -0
  46. package/dist/bincode-wire.js +93 -0
  47. package/dist/claude-agents/config.d.ts +21 -0
  48. package/dist/claude-agents/config.js +145 -0
  49. package/dist/claude-agents/index.d.ts +2 -0
  50. package/dist/claude-agents/index.js +2 -0
  51. package/dist/claude-agents/sandbox-demo.d.ts +30 -0
  52. package/dist/claude-agents/sandbox-demo.js +91 -0
  53. package/dist/cli/agent/demo-loaders.d.ts +4 -0
  54. package/dist/cli/agent/demo-loaders.js +66 -0
  55. package/dist/cli/agent/env-quote.d.ts +1 -0
  56. package/dist/cli/agent/env-quote.js +6 -0
  57. package/dist/cli/agent/env-write.d.ts +8 -0
  58. package/dist/cli/agent/env-write.js +47 -0
  59. package/dist/cli/agent/paybond.d.ts +16 -0
  60. package/dist/cli/agent/paybond.js +55 -0
  61. package/dist/cli/agent/policy-file.d.ts +29 -0
  62. package/dist/cli/agent/policy-file.js +61 -0
  63. package/dist/cli/agent/production-evidence.d.ts +24 -0
  64. package/dist/cli/agent/production-evidence.js +98 -0
  65. package/dist/cli/agent/run-store.d.ts +30 -0
  66. package/dist/cli/agent/run-store.js +42 -0
  67. package/dist/cli/agent/run-trace-store.d.ts +39 -0
  68. package/dist/cli/agent/run-trace-store.js +143 -0
  69. package/dist/cli/agent-run-trace-table.d.ts +9 -0
  70. package/dist/cli/agent-run-trace-table.js +24 -0
  71. package/dist/cli/agent-sandbox-smoke-checklist.d.ts +9 -0
  72. package/dist/cli/agent-sandbox-smoke-checklist.js +50 -0
  73. package/dist/cli/command-spec.d.ts +1 -0
  74. package/dist/cli/command-spec.js +286 -5
  75. package/dist/cli/commands/agent.d.ts +16 -0
  76. package/dist/cli/commands/agent.js +1136 -0
  77. package/dist/cli/commands/dev.d.ts +7 -0
  78. package/dist/cli/commands/dev.js +348 -0
  79. package/dist/cli/commands/discovery.js +3 -3
  80. package/dist/cli/commands/policy.d.ts +13 -0
  81. package/dist/cli/commands/policy.js +769 -0
  82. package/dist/cli/commands/setup.d.ts +3 -0
  83. package/dist/cli/commands/setup.js +124 -8
  84. package/dist/cli/commands/workflows.js +9 -4
  85. package/dist/cli/config.d.ts +2 -0
  86. package/dist/cli/config.js +4 -2
  87. package/dist/cli/context.js +2 -1
  88. package/dist/cli/credentials.js +2 -2
  89. package/dist/cli/doctor-agent-middleware.d.ts +5 -0
  90. package/dist/cli/doctor-agent-middleware.js +49 -0
  91. package/dist/cli/globals.d.ts +1 -0
  92. package/dist/cli/globals.js +11 -1
  93. package/dist/cli/help.d.ts +1 -1
  94. package/dist/cli/help.js +35 -3
  95. package/dist/cli/mcp-install.js +2 -2
  96. package/dist/cli/mcp-policy.d.ts +3 -0
  97. package/dist/cli/mcp-policy.js +19 -13
  98. package/dist/cli/mcp-verify-config.js +9 -11
  99. package/dist/cli/redact.js +29 -8
  100. package/dist/cli/router.js +105 -2
  101. package/dist/cli/smoke-deep-links.d.ts +15 -0
  102. package/dist/cli/smoke-deep-links.js +63 -0
  103. package/dist/cli/telemetry.d.ts +17 -0
  104. package/dist/cli/telemetry.js +94 -0
  105. package/dist/completion-catalog-digest.d.ts +2 -0
  106. package/dist/completion-catalog-digest.js +2 -0
  107. package/dist/completion-catalog-integrity.d.ts +2 -0
  108. package/dist/completion-catalog-integrity.js +17 -0
  109. package/dist/completion-catalog.d.ts +49 -0
  110. package/dist/completion-catalog.js +62 -0
  111. package/dist/completion-contract-digest.d.ts +37 -0
  112. package/dist/completion-contract-digest.js +73 -0
  113. package/dist/completion-forbidden-fields.d.ts +5 -0
  114. package/dist/completion-forbidden-fields.js +26 -0
  115. package/dist/completion-init.d.ts +8 -0
  116. package/dist/completion-init.js +334 -0
  117. package/dist/completion-resolve.d.ts +21 -0
  118. package/dist/completion-resolve.js +86 -0
  119. package/dist/completion-validate-evidence.d.ts +24 -0
  120. package/dist/completion-validate-evidence.js +145 -0
  121. package/dist/dev/offline-gateway.d.ts +24 -0
  122. package/dist/dev/offline-gateway.js +102 -0
  123. package/dist/dev/trace-buffer.d.ts +61 -0
  124. package/dist/dev/trace-buffer.js +330 -0
  125. package/dist/dev/trace-security-headers.d.ts +11 -0
  126. package/dist/dev/trace-security-headers.js +16 -0
  127. package/dist/dev/trace-server.d.ts +8 -0
  128. package/dist/dev/trace-server.js +38 -0
  129. package/dist/dev/trace-ui.d.ts +4 -0
  130. package/dist/dev/trace-ui.js +25 -0
  131. package/dist/dev/wiremock-up.d.ts +15 -0
  132. package/dist/dev/wiremock-up.js +118 -0
  133. package/dist/doctor-completion.d.ts +17 -0
  134. package/dist/doctor-completion.js +428 -0
  135. package/dist/gateway-url.d.ts +7 -0
  136. package/dist/gateway-url.js +69 -0
  137. package/dist/index.d.ts +119 -2
  138. package/dist/index.js +267 -6
  139. package/dist/init.js +374 -57
  140. package/dist/langgraph/awrap-tool-call.d.ts +25 -0
  141. package/dist/langgraph/awrap-tool-call.js +81 -0
  142. package/dist/langgraph/config.d.ts +13 -0
  143. package/dist/langgraph/config.js +11 -0
  144. package/dist/langgraph/index.d.ts +4 -0
  145. package/dist/langgraph/index.js +4 -0
  146. package/dist/langgraph/sandbox-demo.d.ts +40 -0
  147. package/dist/langgraph/sandbox-demo.js +96 -0
  148. package/dist/langgraph/tool-node.d.ts +10 -0
  149. package/dist/langgraph/tool-node.js +38 -0
  150. package/dist/login.js +7 -0
  151. package/dist/mcp/index.d.ts +1 -0
  152. package/dist/mcp/index.js +1 -0
  153. package/dist/mcp/tool-surface.d.ts +25 -0
  154. package/dist/mcp/tool-surface.js +17 -0
  155. package/dist/mcp-capability-token-cache.d.ts +24 -0
  156. package/dist/mcp-capability-token-cache.js +101 -0
  157. package/dist/mcp-evidence-policy.d.ts +48 -0
  158. package/dist/mcp-evidence-policy.js +117 -0
  159. package/dist/mcp-policy-reload.d.ts +79 -0
  160. package/dist/mcp-policy-reload.js +200 -0
  161. package/dist/mcp-sep2828-evidence.d.ts +36 -0
  162. package/dist/mcp-sep2828-evidence.js +65 -0
  163. package/dist/mcp-server.d.ts +6 -0
  164. package/dist/mcp-server.js +224 -44
  165. package/dist/openai-agents/index.d.ts +40 -0
  166. package/dist/openai-agents/index.js +151 -0
  167. package/dist/openai-agents/sandbox-demo.d.ts +34 -0
  168. package/dist/openai-agents/sandbox-demo.js +118 -0
  169. package/dist/payee-evidence.js +2 -29
  170. package/dist/policy/catalog.d.ts +31 -0
  171. package/dist/policy/catalog.js +48 -0
  172. package/dist/policy/compose-utils.d.ts +3 -0
  173. package/dist/policy/compose-utils.js +4 -0
  174. package/dist/policy/compose.d.ts +20 -0
  175. package/dist/policy/compose.js +240 -0
  176. package/dist/policy/digest.d.ts +7 -0
  177. package/dist/policy/digest.js +75 -0
  178. package/dist/policy/domain.d.ts +15 -0
  179. package/dist/policy/domain.js +28 -0
  180. package/dist/policy/guardrail-spec.d.ts +17 -0
  181. package/dist/policy/guardrail-spec.js +140 -0
  182. package/dist/policy/guardrails.d.ts +48 -0
  183. package/dist/policy/guardrails.js +72 -0
  184. package/dist/policy/index.d.ts +21 -0
  185. package/dist/policy/index.js +21 -0
  186. package/dist/policy/init.d.ts +102 -0
  187. package/dist/policy/init.js +351 -0
  188. package/dist/policy/intent-spec.d.ts +52 -0
  189. package/dist/policy/intent-spec.js +176 -0
  190. package/dist/policy/json-path.d.ts +4 -0
  191. package/dist/policy/json-path.js +23 -0
  192. package/dist/policy/layers-io.d.ts +7 -0
  193. package/dist/policy/layers-io.js +28 -0
  194. package/dist/policy/load-effective.d.ts +22 -0
  195. package/dist/policy/load-effective.js +77 -0
  196. package/dist/policy/load.d.ts +85 -0
  197. package/dist/policy/load.js +164 -0
  198. package/dist/policy/merge.d.ts +29 -0
  199. package/dist/policy/merge.js +297 -0
  200. package/dist/policy/parse-text.d.ts +2 -0
  201. package/dist/policy/parse-text.js +126 -0
  202. package/dist/policy/policy-api.d.ts +45 -0
  203. package/dist/policy/policy-api.js +61 -0
  204. package/dist/policy/presets.d.ts +19 -0
  205. package/dist/policy/presets.js +66 -0
  206. package/dist/policy/registry.d.ts +7 -0
  207. package/dist/policy/registry.js +33 -0
  208. package/dist/policy/reload.d.ts +86 -0
  209. package/dist/policy/reload.js +233 -0
  210. package/dist/policy/render-yaml.d.ts +3 -0
  211. package/dist/policy/render-yaml.js +69 -0
  212. package/dist/policy/sandbox-bootstrap.d.ts +19 -0
  213. package/dist/policy/sandbox-bootstrap.js +66 -0
  214. package/dist/policy/schema.d.ts +204 -0
  215. package/dist/policy/schema.js +255 -0
  216. package/dist/policy/snapshot.d.ts +33 -0
  217. package/dist/policy/snapshot.js +23 -0
  218. package/dist/policy/validate-remote.d.ts +43 -0
  219. package/dist/policy/validate-remote.js +104 -0
  220. package/dist/policy/validate.d.ts +36 -0
  221. package/dist/policy/validate.js +150 -0
  222. package/dist/policy/watcher.d.ts +29 -0
  223. package/dist/policy/watcher.js +112 -0
  224. package/dist/principal-intent.d.ts +52 -0
  225. package/dist/principal-intent.js +193 -37
  226. package/dist/project-init.d.ts +34 -0
  227. package/dist/project-init.js +898 -0
  228. package/dist/sep2828-signature.d.ts +10 -0
  229. package/dist/sep2828-signature.js +134 -0
  230. package/dist/solutions/api.d.ts +22 -0
  231. package/dist/solutions/api.js +40 -0
  232. package/dist/solutions/catalog.d.ts +34 -0
  233. package/dist/solutions/catalog.js +129 -0
  234. package/dist/solutions/index.d.ts +2 -0
  235. package/dist/solutions/index.js +2 -0
  236. package/dist/template-init.d.ts +54 -0
  237. package/dist/template-init.js +203 -0
  238. package/dist/vercel-ai/config.d.ts +15 -0
  239. package/dist/vercel-ai/config.js +13 -0
  240. package/dist/vercel-ai/index.d.ts +4 -0
  241. package/dist/vercel-ai/index.js +4 -0
  242. package/dist/vercel-ai/sandbox-demo.d.ts +44 -0
  243. package/dist/vercel-ai/sandbox-demo.js +153 -0
  244. package/dist/vercel-ai/tool-approval.d.ts +16 -0
  245. package/dist/vercel-ai/tool-approval.js +41 -0
  246. package/dist/vercel-ai/wrap-tools.d.ts +9 -0
  247. package/dist/vercel-ai/wrap-tools.js +40 -0
  248. package/dist/x402-receipt-evidence.d.ts +29 -0
  249. package/dist/x402-receipt-evidence.js +97 -0
  250. package/dist/x402-receipt-signature.d.ts +12 -0
  251. package/dist/x402-receipt-signature.js +211 -0
  252. package/package.json +75 -3
  253. package/solutions/aws.json +17 -0
  254. package/solutions/saas.json +17 -0
  255. package/solutions/shopping.json +17 -0
  256. package/solutions/travel.json +18 -0
  257. package/templates/manifest.json +169 -0
  258. package/templates/openai-shopping-agent/.env.example +3 -0
  259. package/templates/openai-shopping-agent/.github/workflows/smoke.yml +20 -0
  260. package/templates/openai-shopping-agent/LICENSE +201 -0
  261. package/templates/openai-shopping-agent/README.md +29 -0
  262. package/templates/openai-shopping-agent/package-lock.json +1525 -0
  263. package/templates/openai-shopping-agent/package.json +22 -0
  264. package/templates/openai-shopping-agent/paybond.policy.yaml +22 -0
  265. package/templates/openai-shopping-agent/src/index.ts +22 -0
  266. package/templates/openai-shopping-agent/src/paybond.config.ts +51 -0
  267. package/templates/openai-shopping-agent/tsconfig.json +13 -0
  268. package/templates/paybond-aws-operator/.env.example +3 -0
  269. package/templates/paybond-aws-operator/.github/workflows/smoke.yml +20 -0
  270. package/templates/paybond-aws-operator/LICENSE +201 -0
  271. package/templates/paybond-aws-operator/README.md +29 -0
  272. package/templates/paybond-aws-operator/package-lock.json +151 -0
  273. package/templates/paybond-aws-operator/package.json +20 -0
  274. package/templates/paybond-aws-operator/paybond.policy.yaml +22 -0
  275. package/templates/paybond-aws-operator/src/index.ts +54 -0
  276. package/templates/paybond-aws-operator/src/paybond.config.ts +51 -0
  277. package/templates/paybond-aws-operator/tsconfig.json +13 -0
  278. package/templates/paybond-claude-agents-demo/.env.example +3 -0
  279. package/templates/paybond-claude-agents-demo/.github/workflows/smoke.yml +20 -0
  280. package/templates/paybond-claude-agents-demo/LICENSE +201 -0
  281. package/templates/paybond-claude-agents-demo/README.md +29 -0
  282. package/templates/paybond-claude-agents-demo/package-lock.json +1489 -0
  283. package/templates/paybond-claude-agents-demo/package.json +22 -0
  284. package/templates/paybond-claude-agents-demo/paybond.policy.yaml +22 -0
  285. package/templates/paybond-claude-agents-demo/src/index.ts +22 -0
  286. package/templates/paybond-claude-agents-demo/src/paybond.config.ts +51 -0
  287. package/templates/paybond-claude-agents-demo/tsconfig.json +13 -0
  288. package/templates/paybond-invoice-agent/.env.example +3 -0
  289. package/templates/paybond-invoice-agent/.github/workflows/smoke.yml +19 -0
  290. package/templates/paybond-invoice-agent/LICENSE +201 -0
  291. package/templates/paybond-invoice-agent/README.md +29 -0
  292. package/templates/paybond-invoice-agent/app.py +27 -0
  293. package/templates/paybond-invoice-agent/package.json +6 -0
  294. package/templates/paybond-invoice-agent/paybond.policy.yaml +22 -0
  295. package/templates/paybond-invoice-agent/paybond_config.py +45 -0
  296. package/templates/paybond-invoice-agent/requirements.txt +2 -0
  297. package/templates/paybond-mcp-coding-agent/.env.example +3 -0
  298. package/templates/paybond-mcp-coding-agent/.github/workflows/smoke.yml +20 -0
  299. package/templates/paybond-mcp-coding-agent/LICENSE +201 -0
  300. package/templates/paybond-mcp-coding-agent/README.md +39 -0
  301. package/templates/paybond-mcp-coding-agent/package-lock.json +151 -0
  302. package/templates/paybond-mcp-coding-agent/package.json +20 -0
  303. package/templates/paybond-mcp-coding-agent/paybond.policy.yaml +25 -0
  304. package/templates/paybond-mcp-coding-agent/src/index.ts +40 -0
  305. package/templates/paybond-mcp-coding-agent/src/paybond.config.ts +51 -0
  306. package/templates/paybond-mcp-coding-agent/tsconfig.json +13 -0
  307. package/templates/paybond-openai-agents-demo/.env.example +3 -0
  308. package/templates/paybond-openai-agents-demo/.github/workflows/smoke.yml +20 -0
  309. package/templates/paybond-openai-agents-demo/LICENSE +201 -0
  310. package/templates/paybond-openai-agents-demo/README.md +29 -0
  311. package/templates/paybond-openai-agents-demo/package-lock.json +1525 -0
  312. package/templates/paybond-openai-agents-demo/package.json +22 -0
  313. package/templates/paybond-openai-agents-demo/paybond.policy.yaml +22 -0
  314. package/templates/paybond-openai-agents-demo/src/index.ts +22 -0
  315. package/templates/paybond-openai-agents-demo/src/paybond.config.ts +51 -0
  316. package/templates/paybond-openai-agents-demo/tsconfig.json +13 -0
  317. package/templates/paybond-procurement-agent/.env.example +3 -0
  318. package/templates/paybond-procurement-agent/.github/workflows/smoke.yml +20 -0
  319. package/templates/paybond-procurement-agent/LICENSE +201 -0
  320. package/templates/paybond-procurement-agent/README.md +29 -0
  321. package/templates/paybond-procurement-agent/package-lock.json +151 -0
  322. package/templates/paybond-procurement-agent/package.json +20 -0
  323. package/templates/paybond-procurement-agent/paybond.policy.yaml +25 -0
  324. package/templates/paybond-procurement-agent/src/index.ts +54 -0
  325. package/templates/paybond-procurement-agent/src/paybond.config.ts +51 -0
  326. package/templates/paybond-procurement-agent/tsconfig.json +13 -0
  327. package/templates/paybond-travel-agent/.env.example +3 -0
  328. package/templates/paybond-travel-agent/.github/workflows/smoke.yml +20 -0
  329. package/templates/paybond-travel-agent/LICENSE +201 -0
  330. package/templates/paybond-travel-agent/README.md +29 -0
  331. package/templates/paybond-travel-agent/package-lock.json +444 -0
  332. package/templates/paybond-travel-agent/package.json +23 -0
  333. package/templates/paybond-travel-agent/paybond.policy.yaml +22 -0
  334. package/templates/paybond-travel-agent/src/index.ts +22 -0
  335. package/templates/paybond-travel-agent/src/paybond.config.ts +51 -0
  336. package/templates/paybond-travel-agent/tsconfig.json +13 -0
  337. package/templates/paybond-vercel-shopping-agent/.env.example +3 -0
  338. package/templates/paybond-vercel-shopping-agent/.github/workflows/smoke.yml +20 -0
  339. package/templates/paybond-vercel-shopping-agent/LICENSE +201 -0
  340. package/templates/paybond-vercel-shopping-agent/README.md +29 -0
  341. package/templates/paybond-vercel-shopping-agent/package-lock.json +265 -0
  342. package/templates/paybond-vercel-shopping-agent/package.json +22 -0
  343. package/templates/paybond-vercel-shopping-agent/paybond.policy.yaml +22 -0
  344. package/templates/paybond-vercel-shopping-agent/src/index.ts +22 -0
  345. package/templates/paybond-vercel-shopping-agent/src/paybond.config.ts +51 -0
  346. package/templates/paybond-vercel-shopping-agent/tsconfig.json +13 -0
@@ -0,0 +1,351 @@
1
+ import { access, writeFile } from "node:fs/promises";
2
+ import { constants } from "node:fs";
3
+ import { getCompletionPreset } from "../completion-catalog.js";
4
+ import { composePolicyLayers } from "./compose.js";
5
+ import { domain } from "./domain.js";
6
+ import { parseGuardrailSpecs } from "./guardrail-spec.js";
7
+ import { resolveComposedPresetDocument } from "./presets.js";
8
+ import { renderPolicyDocumentYaml } from "./render-yaml.js";
9
+ import { PaybondPolicyValidationError } from "./schema.js";
10
+ import { parsePolicyDocumentText } from "./parse-text.js";
11
+ const ORG_ID_RE = /^org_[a-z][a-z0-9_]*$/;
12
+ const POLICY_NAME_RE = /^[a-z][a-z0-9-]*$/;
13
+ function policyPresetScaffoldHeader(regenerateCommand) {
14
+ return `# Reference implementation — edit freely. Regenerate with:\n# ${regenerateCommand}\n\n`;
15
+ }
16
+ function applyMaxSpendUsdOverride(document, maxSpendUsdValue) {
17
+ const cents = Math.round(maxSpendUsdValue * 100);
18
+ const next = {
19
+ ...document,
20
+ tools: Object.fromEntries(Object.entries(document.tools).map(([toolName, entry]) => [
21
+ toolName,
22
+ entry.side_effecting ? { ...entry, max_spend_cents: cents } : { ...entry },
23
+ ])),
24
+ intent: document.intent
25
+ ? {
26
+ ...document.intent,
27
+ budget: {
28
+ ...document.intent.budget,
29
+ currency: document.intent.budget?.currency ?? "usd",
30
+ max_spend_usd: maxSpendUsdValue,
31
+ },
32
+ }
33
+ : {
34
+ budget: { currency: "usd", max_spend_usd: maxSpendUsdValue },
35
+ },
36
+ };
37
+ return next;
38
+ }
39
+ function resolvePresetInitDocument(options) {
40
+ const document = resolveComposedPresetDocument(options.presetId);
41
+ if (options.maxSpendUsd === undefined) {
42
+ return document;
43
+ }
44
+ return applyMaxSpendUsdOverride(document, options.maxSpendUsd);
45
+ }
46
+ function resolveComposedInitDocument(options) {
47
+ const layers = parseGuardrailSpecs(options.guardrails);
48
+ return composePolicyLayers(domain[options.domainId](), ...layers);
49
+ }
50
+ /** Parse `org_id/org_policy_id` extends reference used by CLI and docs. */
51
+ export function parsePolicyExtendsRef(ref) {
52
+ const trimmed = ref.trim();
53
+ const slash = trimmed.indexOf("/");
54
+ if (slash <= 0 || slash === trimmed.length - 1) {
55
+ throw new PaybondPolicyValidationError("extends must be org_id/org_policy_id (example: org_acme_corp/acme-agent-spend-v1)");
56
+ }
57
+ const orgId = trimmed.slice(0, slash);
58
+ const orgPolicyId = trimmed.slice(slash + 1);
59
+ if (!ORG_ID_RE.test(orgId)) {
60
+ throw new PaybondPolicyValidationError(`org_id must match org_<snake_case>: ${orgId}`);
61
+ }
62
+ if (!POLICY_NAME_RE.test(orgPolicyId)) {
63
+ throw new PaybondPolicyValidationError(`org_policy_id must be a lowercase policy name: ${orgPolicyId}`);
64
+ }
65
+ return { orgId, orgPolicyId };
66
+ }
67
+ function overlayNameFromPolicyId(orgPolicyId, explicit) {
68
+ if (explicit?.trim()) {
69
+ return explicit.trim();
70
+ }
71
+ return orgPolicyId.endsWith("-overlay-v1") ? orgPolicyId : `${orgPolicyId}-overlay-v1`;
72
+ }
73
+ function policyNameFromOperation(operation) {
74
+ const slug = operation
75
+ .trim()
76
+ .toLowerCase()
77
+ .replace(/[._]+/g, "-")
78
+ .replace(/[^a-z0-9-]+/g, "-")
79
+ .replace(/-+/g, "-")
80
+ .replace(/^-+|-+$/g, "");
81
+ const base = slug || "agent";
82
+ return base.endsWith("-v1") ? base : `${base}-v1`;
83
+ }
84
+ function templateIdStubForPreset(presetId) {
85
+ try {
86
+ return getCompletionPreset(presetId).harbor_template_id;
87
+ }
88
+ catch {
89
+ return "completion_v1";
90
+ }
91
+ }
92
+ /** Render a starter paybond.policy.yaml document. */
93
+ export function renderPaybondPolicyYaml(options) {
94
+ const operation = options.operation.trim();
95
+ const evidencePreset = options.evidencePreset.trim();
96
+ if (!operation) {
97
+ throw new PaybondPolicyValidationError("operation is required");
98
+ }
99
+ if (!evidencePreset) {
100
+ throw new PaybondPolicyValidationError("evidence preset is required");
101
+ }
102
+ getCompletionPreset(evidencePreset);
103
+ const name = policyNameFromOperation(operation);
104
+ const templateId = templateIdStubForPreset(evidencePreset);
105
+ return `version: 1
106
+ name: ${name}
107
+ default_deny: true
108
+
109
+ tools:
110
+ ${operation}:
111
+ side_effecting: true
112
+ evidence_preset: ${evidencePreset}
113
+ operation: ${operation}
114
+
115
+ intent:
116
+ policy_binding:
117
+ template_id: ${templateId}
118
+ allowed_tools:
119
+ - ${operation}
120
+ `;
121
+ }
122
+ /** Render a v2 org base policy document (no extends). */
123
+ export function renderOrgBasePolicyYaml(options) {
124
+ const policyId = options.policyId.trim();
125
+ const operation = options.operation.trim();
126
+ const evidencePreset = options.evidencePreset.trim();
127
+ if (!policyId) {
128
+ throw new PaybondPolicyValidationError("policy_id is required");
129
+ }
130
+ if (!POLICY_NAME_RE.test(policyId)) {
131
+ throw new PaybondPolicyValidationError("policy_id must be a lowercase policy name");
132
+ }
133
+ if (!operation) {
134
+ throw new PaybondPolicyValidationError("operation is required");
135
+ }
136
+ if (!evidencePreset) {
137
+ throw new PaybondPolicyValidationError("evidence preset is required");
138
+ }
139
+ getCompletionPreset(evidencePreset);
140
+ const templateId = templateIdStubForPreset(evidencePreset);
141
+ const maxSpendLine = options.maxSpendCents !== undefined ? `\n max_spend_cents: ${options.maxSpendCents}` : "";
142
+ return `version: 2
143
+ name: ${policyId}
144
+ default_deny: true
145
+
146
+ tools:
147
+ ${operation}:
148
+ side_effecting: true
149
+ evidence_preset: ${evidencePreset}${maxSpendLine}
150
+ operation: ${operation}
151
+
152
+ intent:
153
+ policy_binding:
154
+ template_id: ${templateId}
155
+ allowed_tools:
156
+ - ${operation}
157
+ `;
158
+ }
159
+ /** Write a v2 org base policy file for platform operators. */
160
+ export async function scaffoldOrgBasePolicy(options) {
161
+ if (!options.force) {
162
+ try {
163
+ await access(options.out, constants.F_OK);
164
+ throw new PaybondPolicyValidationError(`${options.out} already exists (pass --force to overwrite)`);
165
+ }
166
+ catch (err) {
167
+ if (err instanceof PaybondPolicyValidationError) {
168
+ throw err;
169
+ }
170
+ }
171
+ }
172
+ const yaml = renderOrgBasePolicyYaml(options);
173
+ await writeFile(options.out, yaml, "utf8");
174
+ return {
175
+ out: options.out,
176
+ policy_id: options.policyId.trim(),
177
+ operation: options.operation.trim(),
178
+ evidence_preset: options.evidencePreset.trim(),
179
+ bytes_written: Buffer.byteLength(yaml, "utf8"),
180
+ };
181
+ }
182
+ /** Render a v2 tenant overlay policy that extends an org base. */
183
+ export function renderTenantOverlayPolicyYaml(options) {
184
+ const { orgId, orgPolicyId } = parsePolicyExtendsRef(options.extendsRef);
185
+ const name = overlayNameFromPolicyId(orgPolicyId, options.name);
186
+ if (!POLICY_NAME_RE.test(name)) {
187
+ throw new PaybondPolicyValidationError("overlay name must be a lowercase policy name");
188
+ }
189
+ const operation = options.operation?.trim();
190
+ const evidencePreset = options.evidencePreset?.trim();
191
+ if (operation && !evidencePreset) {
192
+ throw new PaybondPolicyValidationError("tenant-only tool requires --evidence-preset");
193
+ }
194
+ if (evidencePreset && !operation) {
195
+ throw new PaybondPolicyValidationError("--evidence-preset requires --operation for tenant-only tools");
196
+ }
197
+ if (evidencePreset) {
198
+ getCompletionPreset(evidencePreset);
199
+ }
200
+ const basePolicyLine = options.basePolicy?.trim()
201
+ ? `\n base_policy: ${options.basePolicy.trim()}`
202
+ : "";
203
+ const toolsBlock = operation && evidencePreset
204
+ ? `tools:
205
+ ${operation}:
206
+ side_effecting: true
207
+ evidence_preset: ${evidencePreset}
208
+ operation: ${operation}
209
+ `
210
+ : "";
211
+ return `version: 2
212
+ name: ${name}
213
+ extends:
214
+ org_policy_id: ${orgPolicyId}
215
+ org_id: ${orgId}${basePolicyLine}
216
+ default_deny: true
217
+
218
+ ${toolsBlock}`;
219
+ }
220
+ /** Write a v2 tenant overlay policy file extending an org base. */
221
+ export async function scaffoldTenantOverlayPolicy(options) {
222
+ const { orgId, orgPolicyId } = parsePolicyExtendsRef(options.extendsRef);
223
+ const name = overlayNameFromPolicyId(orgPolicyId, options.name);
224
+ if (!options.force) {
225
+ try {
226
+ await access(options.out, constants.F_OK);
227
+ throw new PaybondPolicyValidationError(`${options.out} already exists (pass --force to overwrite)`);
228
+ }
229
+ catch (err) {
230
+ if (err instanceof PaybondPolicyValidationError) {
231
+ throw err;
232
+ }
233
+ }
234
+ }
235
+ const yaml = renderTenantOverlayPolicyYaml(options);
236
+ await writeFile(options.out, yaml, "utf8");
237
+ const operation = options.operation?.trim();
238
+ const evidencePreset = options.evidencePreset?.trim();
239
+ return {
240
+ out: options.out,
241
+ name,
242
+ org_id: orgId,
243
+ org_policy_id: orgPolicyId,
244
+ ...(operation ? { operation } : {}),
245
+ ...(evidencePreset ? { evidence_preset: evidencePreset } : {}),
246
+ bytes_written: Buffer.byteLength(yaml, "utf8"),
247
+ };
248
+ }
249
+ /** Render a bundled preset as editable local YAML with a scaffold header comment. */
250
+ export function renderPolicyPresetScaffoldYaml(presetId, options) {
251
+ const regenerate = options?.maxSpendUsd !== undefined
252
+ ? `paybond policy init --preset ${presetId} --max-spend ${options.maxSpendUsd} --force`
253
+ : `paybond policy init --preset ${presetId} --force`;
254
+ const body = renderPolicyDocumentYaml(options?.maxSpendUsd !== undefined
255
+ ? resolvePresetInitDocument({ out: "", presetId, maxSpendUsd: options.maxSpendUsd })
256
+ : resolveComposedPresetDocument(presetId)).trimEnd();
257
+ return `${policyPresetScaffoldHeader(regenerate)}${body}\n`;
258
+ }
259
+ /** Render a composed domain + guardrails policy as editable local YAML. */
260
+ export function renderComposedPolicyScaffoldYaml(options) {
261
+ const regenerate = `paybond policy init --domain ${options.domainId} --guardrails ${options.guardrails} --force`;
262
+ const body = renderPolicyDocumentYaml(resolveComposedInitDocument(options)).trimEnd();
263
+ return `${policyPresetScaffoldHeader(regenerate)}${body}\n`;
264
+ }
265
+ /** Preview composed domain + guardrails YAML for `paybond policy presets show`. */
266
+ export function renderComposedPolicyPreviewYaml(options) {
267
+ return renderPolicyDocumentYaml(resolveComposedInitDocument({ out: "", domainId: options.domainId, guardrails: options.guardrails }));
268
+ }
269
+ /** Preview composed policy YAML for `paybond policy presets show`. */
270
+ export function renderPolicyPresetPreviewYaml(presetId, options) {
271
+ const document = options?.maxSpendUsd !== undefined
272
+ ? resolvePresetInitDocument({ out: "", presetId, maxSpendUsd: options.maxSpendUsd })
273
+ : resolveComposedPresetDocument(presetId);
274
+ return renderPolicyDocumentYaml(document);
275
+ }
276
+ /** Write a bundled vertical preset to an owned local policy file. */
277
+ export async function scaffoldPolicyFromPreset(options) {
278
+ if (!options.force) {
279
+ try {
280
+ await access(options.out, constants.F_OK);
281
+ throw new PaybondPolicyValidationError(`${options.out} already exists (pass --force to overwrite)`);
282
+ }
283
+ catch (err) {
284
+ if (err instanceof PaybondPolicyValidationError) {
285
+ throw err;
286
+ }
287
+ }
288
+ }
289
+ const yaml = renderPolicyPresetScaffoldYaml(options.presetId, {
290
+ maxSpendUsd: options.maxSpendUsd,
291
+ });
292
+ await writeFile(options.out, yaml, "utf8");
293
+ const parsed = parsePolicyDocumentText(yaml, options.out);
294
+ const name = typeof parsed.name === "string" ? parsed.name : options.presetId;
295
+ return {
296
+ out: options.out,
297
+ preset: options.presetId,
298
+ name,
299
+ ...(options.maxSpendUsd !== undefined ? { max_spend_usd: options.maxSpendUsd } : {}),
300
+ bytes_written: Buffer.byteLength(yaml, "utf8"),
301
+ };
302
+ }
303
+ /** Write a composed domain + guardrails policy file. */
304
+ export async function scaffoldComposedPolicy(options) {
305
+ if (!options.force) {
306
+ try {
307
+ await access(options.out, constants.F_OK);
308
+ throw new PaybondPolicyValidationError(`${options.out} already exists (pass --force to overwrite)`);
309
+ }
310
+ catch (err) {
311
+ if (err instanceof PaybondPolicyValidationError) {
312
+ throw err;
313
+ }
314
+ }
315
+ }
316
+ const yaml = renderComposedPolicyScaffoldYaml(options);
317
+ await writeFile(options.out, yaml, "utf8");
318
+ const parsed = parsePolicyDocumentText(yaml, options.out);
319
+ const name = typeof parsed.name === "string" ? parsed.name : options.domainId;
320
+ return {
321
+ out: options.out,
322
+ domain: options.domainId,
323
+ guardrails: options.guardrails,
324
+ name,
325
+ bytes_written: Buffer.byteLength(yaml, "utf8"),
326
+ };
327
+ }
328
+ /** Write a starter paybond.policy.yaml file. */
329
+ export async function scaffoldPaybondPolicy(options) {
330
+ if (!options.force) {
331
+ try {
332
+ await access(options.out, constants.F_OK);
333
+ throw new PaybondPolicyValidationError(`${options.out} already exists (pass --force to overwrite)`);
334
+ }
335
+ catch (err) {
336
+ if (err instanceof PaybondPolicyValidationError) {
337
+ throw err;
338
+ }
339
+ // File does not exist — continue.
340
+ }
341
+ }
342
+ const yaml = renderPaybondPolicyYaml(options);
343
+ await writeFile(options.out, yaml, "utf8");
344
+ return {
345
+ out: options.out,
346
+ name: policyNameFromOperation(options.operation),
347
+ operation: options.operation.trim(),
348
+ evidence_preset: options.evidencePreset.trim(),
349
+ bytes_written: Buffer.byteLength(yaml, "utf8"),
350
+ };
351
+ }
@@ -0,0 +1,52 @@
1
+ import type { CompletionContractSnapshot, PolicyBindingRef, PublishedPolicyHead, SettlementRail } from "../principal-intent.js";
2
+ import { type PaybondPolicyDocumentV1 } from "./schema.js";
3
+ /** Raised when policy intent fields cannot be aligned to a Harbor create payload. */
4
+ export declare class PaybondPolicyIntentSpecError extends Error {
5
+ constructor(message: string);
6
+ }
7
+ /** Runtime fields required to build a production intent create payload from policy. */
8
+ export type PaybondPolicyIntentCreateOverrides = {
9
+ principalDid: string;
10
+ principalSigningSeed: Uint8Array;
11
+ payeeDid: string;
12
+ payeeSigningSeed: Uint8Array;
13
+ deadlineRfc3339: string;
14
+ settlementRail: SettlementRail;
15
+ recognitionProof: Record<string, unknown>;
16
+ publishedPolicyHead: PublishedPolicyHead;
17
+ intentId?: string;
18
+ predicateRef?: string;
19
+ amountCents?: number;
20
+ currency?: string;
21
+ budget?: Record<string, unknown>;
22
+ allowedTools?: string[];
23
+ completionPresetId?: string;
24
+ evidenceSchema?: Record<string, unknown>;
25
+ policyBinding?: PolicyBindingRef;
26
+ };
27
+ /** Params for {@link PaybondIntents.createWithPolicyBinding} derived from policy + runtime signing context. */
28
+ export type PaybondPolicyIntentCreateInput = {
29
+ principalDid: string;
30
+ principalSigningSeed: Uint8Array;
31
+ payeeDid: string;
32
+ payeeSigningSeed: Uint8Array;
33
+ budget: Record<string, unknown>;
34
+ currency: string;
35
+ amountCents: number;
36
+ evidenceSchema: Record<string, unknown>;
37
+ deadlineRfc3339: string;
38
+ allowedTools: string[];
39
+ settlementRail: SettlementRail;
40
+ policyBinding: PolicyBindingRef;
41
+ publishedPolicyHead: PublishedPolicyHead;
42
+ recognitionProof: Record<string, unknown>;
43
+ intentId?: string;
44
+ predicateRef?: string;
45
+ completionPresetId?: string;
46
+ completionContract?: CompletionContractSnapshot;
47
+ };
48
+ /**
49
+ * Build {@link PaybondIntents.createWithPolicyBinding} input from a validated policy document.
50
+ * Merges policy intent alignment (`allowed_tools`, `budget`, `policy_binding`) with caller signing context.
51
+ */
52
+ export declare function policyToIntentCreateInput(document: PaybondPolicyDocumentV1, overrides: PaybondPolicyIntentCreateOverrides): PaybondPolicyIntentCreateInput;
@@ -0,0 +1,176 @@
1
+ import { PaybondToolRegistryValidationError } from "../agent/types.js";
2
+ import { resolveCompletionPreset, contractSnapshotForPreset } from "../completion-resolve.js";
3
+ import { policyToToolRegistry } from "./registry.js";
4
+ /** Raised when policy intent fields cannot be aligned to a Harbor create payload. */
5
+ export class PaybondPolicyIntentSpecError extends Error {
6
+ constructor(message) {
7
+ super(message);
8
+ this.name = "PaybondPolicyIntentSpecError";
9
+ }
10
+ }
11
+ function normalizeDigestHex(digest) {
12
+ const trimmed = digest.trim().toLowerCase();
13
+ if (trimmed.startsWith("sha256:")) {
14
+ return trimmed.slice("sha256:".length);
15
+ }
16
+ return trimmed.replace(/^0x/, "");
17
+ }
18
+ function resolveAllowedHarborOperations(document, registry, override) {
19
+ const raw = override ?? document.intent?.allowed_tools;
20
+ if (!raw || raw.length === 0) {
21
+ throw new PaybondPolicyIntentSpecError("policy intent.allowed_tools is required for toIntentCreateInput");
22
+ }
23
+ const operations = registry.sideEffectingOperations();
24
+ const seen = new Set();
25
+ const resolved = [];
26
+ for (const name of raw) {
27
+ let operation;
28
+ if (registry.isSideEffecting(name)) {
29
+ operation = registry.resolveOperation(name);
30
+ }
31
+ else if (operations.includes(name)) {
32
+ operation = name;
33
+ }
34
+ else {
35
+ throw new PaybondPolicyIntentSpecError(`allowed_tools entry "${name}" is not a registered side-effecting tool or Harbor operation`);
36
+ }
37
+ if (!seen.has(operation)) {
38
+ seen.add(operation);
39
+ resolved.push(operation);
40
+ }
41
+ }
42
+ if (resolved.length === 0) {
43
+ throw new PaybondPolicyIntentSpecError("allowed_tools must resolve to at least one Harbor operation");
44
+ }
45
+ try {
46
+ registry.validateForBind(resolved);
47
+ }
48
+ catch (err) {
49
+ if (err instanceof PaybondToolRegistryValidationError) {
50
+ throw new PaybondPolicyIntentSpecError(err.message);
51
+ }
52
+ throw err;
53
+ }
54
+ return resolved;
55
+ }
56
+ function resolveEvidencePresetForOperations(registry, allowedOperations) {
57
+ const presets = new Set();
58
+ for (const operation of allowedOperations) {
59
+ for (const toolName of registry.sideEffectingToolNames()) {
60
+ if (registry.resolveOperation(toolName) !== operation) {
61
+ continue;
62
+ }
63
+ const preset = registry.getSideEffectingEntry(toolName)?.evidencePreset;
64
+ if (preset) {
65
+ presets.add(preset);
66
+ }
67
+ }
68
+ }
69
+ if (presets.size === 0) {
70
+ throw new PaybondPolicyIntentSpecError("could not resolve evidence_preset from policy allowed_tools");
71
+ }
72
+ if (presets.size > 1) {
73
+ throw new PaybondPolicyIntentSpecError(`allowed_tools reference multiple evidence_preset values: ${[...presets].join(", ")}`);
74
+ }
75
+ return [...presets][0];
76
+ }
77
+ function resolvePolicyBindingRef(document, publishedHead, override) {
78
+ const policyBinding = document.intent?.policy_binding;
79
+ if (!override && !policyBinding) {
80
+ throw new PaybondPolicyIntentSpecError("policy intent.policy_binding is required for toIntentCreateInput");
81
+ }
82
+ const binding = override ?? {
83
+ templateId: policyBinding.template_id,
84
+ versionSeq: policyBinding.version_seq ?? publishedHead.versionSeq,
85
+ };
86
+ if (binding.templateId !== publishedHead.templateId) {
87
+ throw new PaybondPolicyIntentSpecError("publishedPolicyHead.templateId must match policy intent.policy_binding.template_id");
88
+ }
89
+ if (binding.versionSeq !== publishedHead.versionSeq) {
90
+ throw new PaybondPolicyIntentSpecError("publishedPolicyHead.versionSeq must match policy intent.policy_binding.version_seq");
91
+ }
92
+ if (policyBinding?.version_seq !== undefined &&
93
+ policyBinding.version_seq !== publishedHead.versionSeq) {
94
+ throw new PaybondPolicyIntentSpecError("policy intent.policy_binding.version_seq does not match publishedPolicyHead.versionSeq");
95
+ }
96
+ const headDigest = policyBinding?.head_digest;
97
+ if (headDigest) {
98
+ const expected = normalizeDigestHex(headDigest);
99
+ const actual = normalizeDigestHex(publishedHead.policyContentDigestHex);
100
+ if (expected !== actual) {
101
+ throw new PaybondPolicyIntentSpecError("policy intent.policy_binding.head_digest does not match publishedPolicyHead.policyContentDigestHex");
102
+ }
103
+ }
104
+ return binding;
105
+ }
106
+ function resolveBudgetFields(document, overrides) {
107
+ if (overrides.budget !== undefined &&
108
+ overrides.currency !== undefined &&
109
+ overrides.amountCents !== undefined) {
110
+ return {
111
+ budget: overrides.budget,
112
+ currency: overrides.currency,
113
+ amountCents: overrides.amountCents,
114
+ };
115
+ }
116
+ const intentBudget = document.intent?.budget;
117
+ const currency = overrides.currency ??
118
+ (typeof intentBudget?.currency === "string" ? intentBudget.currency : undefined) ??
119
+ "usd";
120
+ let amountCents = overrides.amountCents;
121
+ if (amountCents === undefined && intentBudget && typeof intentBudget.max_spend_usd === "number") {
122
+ amountCents = Math.round(intentBudget.max_spend_usd * 100);
123
+ }
124
+ if (amountCents === undefined) {
125
+ throw new PaybondPolicyIntentSpecError("amountCents is required when policy intent.budget.max_spend_usd is not set");
126
+ }
127
+ const budget = overrides.budget ?? {
128
+ ...(intentBudget ?? {}),
129
+ max: amountCents,
130
+ };
131
+ if (!("max" in budget)) {
132
+ budget.max = amountCents;
133
+ }
134
+ return { budget, currency, amountCents };
135
+ }
136
+ /**
137
+ * Build {@link PaybondIntents.createWithPolicyBinding} input from a validated policy document.
138
+ * Merges policy intent alignment (`allowed_tools`, `budget`, `policy_binding`) with caller signing context.
139
+ */
140
+ export function policyToIntentCreateInput(document, overrides) {
141
+ const registry = policyToToolRegistry(document);
142
+ const allowedTools = resolveAllowedHarborOperations(document, registry, overrides.allowedTools);
143
+ const policyBinding = resolvePolicyBindingRef(document, overrides.publishedPolicyHead, overrides.policyBinding);
144
+ const { budget, currency, amountCents } = resolveBudgetFields(document, overrides);
145
+ const completionPresetId = overrides.completionPresetId ??
146
+ resolveEvidencePresetForOperations(registry, allowedTools);
147
+ const resolvedPreset = resolveCompletionPreset(completionPresetId);
148
+ const evidenceSchema = overrides.evidenceSchema ?? resolvedPreset.evidenceSchema;
149
+ let completionContract;
150
+ try {
151
+ completionContract = contractSnapshotForPreset(completionPresetId);
152
+ }
153
+ catch (err) {
154
+ throw new PaybondPolicyIntentSpecError(err instanceof Error ? err.message : "failed to build completion contract snapshot");
155
+ }
156
+ return {
157
+ principalDid: overrides.principalDid,
158
+ principalSigningSeed: overrides.principalSigningSeed,
159
+ payeeDid: overrides.payeeDid,
160
+ payeeSigningSeed: overrides.payeeSigningSeed,
161
+ budget,
162
+ currency,
163
+ amountCents,
164
+ evidenceSchema,
165
+ deadlineRfc3339: overrides.deadlineRfc3339,
166
+ allowedTools,
167
+ settlementRail: overrides.settlementRail,
168
+ policyBinding,
169
+ publishedPolicyHead: overrides.publishedPolicyHead,
170
+ recognitionProof: overrides.recognitionProof,
171
+ intentId: overrides.intentId,
172
+ predicateRef: overrides.predicateRef,
173
+ completionPresetId,
174
+ completionContract,
175
+ };
176
+ }
@@ -0,0 +1,4 @@
1
+ /** Read a dot-separated JSON path from tool call arguments. */
2
+ export declare function resolveJsonPath(args: unknown, path: string): unknown;
3
+ /** Resolve non-negative integer spend cents from a JSON path at intercept time. */
4
+ export declare function resolveSpendCentsFromJsonPath(args: unknown, path: string, toolName: string): number | undefined;
@@ -0,0 +1,23 @@
1
+ import { PaybondPolicyValidationError } from "./schema.js";
2
+ /** Read a dot-separated JSON path from tool call arguments. */
3
+ export function resolveJsonPath(args, path) {
4
+ let current = args;
5
+ for (const segment of path.split(".")) {
6
+ if (current === null || typeof current !== "object" || Array.isArray(current)) {
7
+ return undefined;
8
+ }
9
+ current = current[segment];
10
+ }
11
+ return current;
12
+ }
13
+ /** Resolve non-negative integer spend cents from a JSON path at intercept time. */
14
+ export function resolveSpendCentsFromJsonPath(args, path, toolName) {
15
+ const value = resolveJsonPath(args, path);
16
+ if (value === undefined) {
17
+ return undefined;
18
+ }
19
+ if (typeof value !== "number" || !Number.isInteger(value) || value < 0) {
20
+ throw new PaybondPolicyValidationError(`tool "${toolName}" spend_from_args path "${path}" must resolve to a non-negative integer`);
21
+ }
22
+ return value;
23
+ }
@@ -0,0 +1,7 @@
1
+ import type { LayeredPolicyPresetId } from "./compose.js";
2
+ export declare function presetLayerCandidatePaths(subdir: string, fileName: string): string[];
3
+ export declare function readPresetLayerYaml(subdir: string, fileName: string): string;
4
+ /** Load a bundled domain layer YAML document. */
5
+ export declare function loadBundledDomainDocument(presetId: LayeredPolicyPresetId): Record<string, unknown>;
6
+ /** Load a bundled default guardrails layer YAML document. */
7
+ export declare function loadBundledDefaultGuardrailsDocument(presetId: LayeredPolicyPresetId): Record<string, unknown>;
@@ -0,0 +1,28 @@
1
+ import { existsSync, readFileSync } from "node:fs";
2
+ import { dirname, join } from "node:path";
3
+ import { fileURLToPath } from "node:url";
4
+ import { parsePolicyDocumentText } from "./parse-text.js";
5
+ const MODULE_DIR = dirname(fileURLToPath(import.meta.url));
6
+ export function presetLayerCandidatePaths(subdir, fileName) {
7
+ return [
8
+ join(MODULE_DIR, "../../policy/presets", subdir, fileName),
9
+ join(MODULE_DIR, "../../../policy/presets", subdir, fileName),
10
+ join(MODULE_DIR, "../../../../kit/policy/presets", subdir, fileName),
11
+ ];
12
+ }
13
+ export function readPresetLayerYaml(subdir, fileName) {
14
+ for (const candidate of presetLayerCandidatePaths(subdir, fileName)) {
15
+ if (existsSync(candidate)) {
16
+ return readFileSync(candidate, "utf8");
17
+ }
18
+ }
19
+ throw new Error(`policy preset layer not found: ${subdir}/${fileName}`);
20
+ }
21
+ /** Load a bundled domain layer YAML document. */
22
+ export function loadBundledDomainDocument(presetId) {
23
+ return parsePolicyDocumentText(readPresetLayerYaml("domain", `${presetId}.yaml`), `domain/${presetId}.yaml`);
24
+ }
25
+ /** Load a bundled default guardrails layer YAML document. */
26
+ export function loadBundledDefaultGuardrailsDocument(presetId) {
27
+ return parsePolicyDocumentText(readPresetLayerYaml("guardrails", `default-${presetId}.yaml`), `guardrails/default-${presetId}.yaml`);
28
+ }
@@ -0,0 +1,22 @@
1
+ import type { PaybondPolicyDocumentV2 } from "./schema.js";
2
+ import type { PolicyMergeReport } from "./merge.js";
3
+ export type PolicyEffectiveResolveResult = {
4
+ effective_policy: Record<string, unknown>;
5
+ effective_policy_digest: string;
6
+ effective_policy_version: string;
7
+ merge_report: PolicyMergeReport;
8
+ org_base_version_seq: number;
9
+ org_base_content_digest: string;
10
+ unchanged?: boolean;
11
+ };
12
+ /** Gateway client surface used by {@link resolvePolicyEffectiveRemote}. */
13
+ export type PolicyEffectiveResolveClient = {
14
+ resolvePolicyEffective(orgPolicyId: string, overlay: Record<string, unknown>, options?: {
15
+ currentDigest?: string;
16
+ }): Promise<PolicyEffectiveResolveResult>;
17
+ };
18
+ export declare function parseMergeReport(value: unknown): PolicyMergeReport;
19
+ /** Parse a Gateway org-policy effective resolution JSON body. */
20
+ export declare function parsePolicyEffectiveResolveResponse(body: unknown): PolicyEffectiveResolveResult;
21
+ /** Resolve merged effective policy via Gateway org-policy inheritance endpoint. */
22
+ export declare function resolvePolicyEffectiveRemote(overlay: PaybondPolicyDocumentV2, client: PolicyEffectiveResolveClient): Promise<PolicyEffectiveResolveResult>;