@paybond/kit 0.11.10 → 0.12.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +2 -2
- package/completion-presets/catalog.json +374 -3
- package/completion-presets/catalog.sha256 +1 -1
- package/dist/agent/facade.js +13 -0
- package/dist/agent/guarded-agent.d.ts +1 -1
- package/dist/agent/guarded-agent.js +19 -0
- package/dist/agent/index.d.ts +2 -1
- package/dist/agent/index.js +1 -0
- package/dist/agent/instrument.d.ts +6 -0
- package/dist/agent/instrument.js +6 -0
- package/dist/agent/interceptor.d.ts +9 -0
- package/dist/agent/interceptor.js +177 -1
- package/dist/agent/receipt-client.d.ts +49 -0
- package/dist/agent/receipt-client.js +45 -0
- package/dist/agent/registry.js +1 -0
- package/dist/agent/run.d.ts +2 -0
- package/dist/agent/run.js +52 -0
- package/dist/agent/types.d.ts +70 -0
- package/dist/agent-receipt-external-attestations.d.ts +29 -0
- package/dist/agent-receipt-external-attestations.js +124 -0
- package/dist/agent-receipt.d.ts +134 -0
- package/dist/agent-receipt.js +580 -0
- package/dist/agent-recognition.d.ts +25 -0
- package/dist/agent-recognition.js +36 -0
- package/dist/audit/exports.d.ts +72 -0
- package/dist/audit/exports.js +185 -0
- package/dist/audit/index.d.ts +3 -0
- package/dist/audit/index.js +3 -0
- package/dist/audit/verify.d.ts +8 -0
- package/dist/audit/verify.js +113 -0
- package/dist/audit/wire.d.ts +54 -0
- package/dist/audit/wire.js +80 -0
- package/dist/cli/agent/demo-loaders.d.ts +2 -0
- package/dist/cli/agent/demo-loaders.js +24 -0
- package/dist/cli/agent/production-evidence.d.ts +11 -0
- package/dist/cli/agent/production-evidence.js +17 -0
- package/dist/cli/audit-export.d.ts +2 -7
- package/dist/cli/audit-export.js +2 -120
- package/dist/cli/command-spec.js +43 -10
- package/dist/cli/commands/agent.d.ts +3 -0
- package/dist/cli/commands/agent.js +143 -1
- package/dist/cli/commands/discovery.js +39 -36
- package/dist/cli/commands/workflows.js +116 -18
- package/dist/cli/help.d.ts +1 -1
- package/dist/cli/help.js +12 -8
- package/dist/cli/intents-harbor-mutation.d.ts +18 -0
- package/dist/cli/intents-harbor-mutation.js +33 -0
- package/dist/cli/paybond.d.ts +9 -0
- package/dist/cli/paybond.js +23 -0
- package/dist/cli/redact.js +3 -0
- package/dist/cloudflare-agents/config.d.ts +24 -0
- package/dist/cloudflare-agents/config.js +23 -0
- package/dist/cloudflare-agents/index.d.ts +3 -0
- package/dist/cloudflare-agents/index.js +3 -0
- package/dist/cloudflare-agents/peer.d.ts +9 -0
- package/dist/cloudflare-agents/peer.js +20 -0
- package/dist/cloudflare-agents/sandbox-demo.d.ts +36 -0
- package/dist/cloudflare-agents/sandbox-demo.js +89 -0
- package/dist/completion-catalog-digest.d.ts +1 -1
- package/dist/completion-catalog-digest.js +1 -1
- package/dist/completion-init.js +8 -3
- package/dist/dev/offline-gateway.d.ts +2 -1
- package/dist/dev/offline-gateway.js +34 -3
- package/dist/dev/x402-fund-mock.d.ts +28 -0
- package/dist/dev/x402-fund-mock.js +124 -0
- package/dist/index.d.ts +125 -9
- package/dist/index.js +264 -17
- package/dist/init.js +113 -2
- package/dist/mastra/config.d.ts +30 -0
- package/dist/mastra/config.js +58 -0
- package/dist/mastra/index.d.ts +2 -0
- package/dist/mastra/index.js +2 -0
- package/dist/mastra/peer.d.ts +11 -0
- package/dist/mastra/peer.js +24 -0
- package/dist/mastra/sandbox-demo.d.ts +36 -0
- package/dist/mastra/sandbox-demo.js +87 -0
- package/dist/mcp/index.d.ts +1 -0
- package/dist/mcp/index.js +1 -0
- package/dist/mcp/sandbox-demo.d.ts +38 -0
- package/dist/mcp/sandbox-demo.js +112 -0
- package/dist/mcp-receipt-resource.d.ts +10 -0
- package/dist/mcp-receipt-resource.js +32 -0
- package/dist/mcp-server.d.ts +6 -0
- package/dist/mcp-server.js +124 -1
- package/dist/mpp-commercial.d.ts +19 -0
- package/dist/mpp-commercial.js +34 -0
- package/dist/mpp-funding.d.ts +71 -0
- package/dist/mpp-funding.js +192 -0
- package/dist/payment-transport.d.ts +30 -0
- package/dist/payment-transport.js +56 -0
- package/dist/policy/init.js +2 -0
- package/dist/policy/intent-spec.js +2 -0
- package/dist/principal-intent.d.ts +1 -1
- package/dist/principal-intent.js +4 -1
- package/dist/project-init.js +8 -0
- package/dist/template-init.d.ts +2 -2
- package/dist/template-init.js +6 -2
- package/dist/x402-funding.d.ts +52 -0
- package/dist/x402-funding.js +124 -0
- package/package.json +20 -2
- package/templates/manifest.json +28 -9
- package/templates/openai-shopping-agent/package-lock.json +16 -8
- package/templates/openai-shopping-agent/package.json +1 -1
- package/templates/paybond-aws-operator/package-lock.json +13 -5
- package/templates/paybond-aws-operator/package.json +1 -1
- package/templates/paybond-claude-agents-demo/package-lock.json +16 -8
- package/templates/paybond-claude-agents-demo/package.json +1 -1
- package/templates/paybond-invoice-agent/requirements.txt +1 -1
- package/templates/paybond-mastra-travel-agent/.env.example +3 -0
- package/templates/paybond-mastra-travel-agent/.github/workflows/smoke.yml +20 -0
- package/templates/paybond-mastra-travel-agent/LICENSE +201 -0
- package/templates/paybond-mastra-travel-agent/README.md +29 -0
- package/templates/paybond-mastra-travel-agent/package-lock.json +3377 -0
- package/templates/paybond-mastra-travel-agent/package.json +22 -0
- package/templates/paybond-mastra-travel-agent/paybond.policy.yaml +22 -0
- package/templates/paybond-mastra-travel-agent/src/index.ts +22 -0
- package/templates/paybond-mastra-travel-agent/src/paybond.config.ts +51 -0
- package/templates/paybond-mastra-travel-agent/tsconfig.json +13 -0
- package/templates/paybond-mcp-coding-agent/package-lock.json +13 -5
- package/templates/paybond-mcp-coding-agent/package.json +1 -1
- package/templates/paybond-openai-agents-demo/package-lock.json +16 -8
- package/templates/paybond-openai-agents-demo/package.json +1 -1
- package/templates/paybond-procurement-agent/package-lock.json +13 -5
- package/templates/paybond-procurement-agent/package.json +1 -1
- package/templates/paybond-travel-agent/package-lock.json +16 -8
- package/templates/paybond-travel-agent/package.json +1 -1
- package/templates/paybond-vercel-shopping-agent/package-lock.json +13 -5
- package/templates/paybond-vercel-shopping-agent/package.json +1 -1
|
@@ -0,0 +1,72 @@
|
|
|
1
|
+
import { type AuditExportCreateFilter, type AuditExportJobGetResponse, type AuditExportListPage, type AuditVerifyResult } from "./wire.js";
|
|
2
|
+
export type AuditExportsGateway = {
|
|
3
|
+
getJson(path: string): Promise<Record<string, unknown>>;
|
|
4
|
+
postJson?(path: string, body: Record<string, unknown>): Promise<Record<string, unknown>>;
|
|
5
|
+
deleteJson?(path: string): Promise<Record<string, unknown>>;
|
|
6
|
+
};
|
|
7
|
+
export type GatewayAuditExportsClientOptions = {
|
|
8
|
+
staticGatewayBearerToken: string;
|
|
9
|
+
maxRetries?: number;
|
|
10
|
+
};
|
|
11
|
+
/**
|
|
12
|
+
* Gateway-backed compliance audit export client for `GET /v1/compliance/audit-exports`.
|
|
13
|
+
*/
|
|
14
|
+
export declare class GatewayAuditExportsClient implements AuditExportsGateway {
|
|
15
|
+
private readonly tenantId;
|
|
16
|
+
private readonly base;
|
|
17
|
+
private readonly bearerToken;
|
|
18
|
+
private readonly maxRetries;
|
|
19
|
+
constructor(gatewayBaseUrl: string, tenantId: string, options: GatewayAuditExportsClientOptions);
|
|
20
|
+
getJson(path: string): Promise<Record<string, unknown>>;
|
|
21
|
+
postJson(path: string, body: Record<string, unknown>): Promise<Record<string, unknown>>;
|
|
22
|
+
deleteJson(path: string): Promise<Record<string, unknown>>;
|
|
23
|
+
private requestJSON;
|
|
24
|
+
}
|
|
25
|
+
export type PaybondAuditExportsListParams = {
|
|
26
|
+
limit?: number;
|
|
27
|
+
cursor?: string;
|
|
28
|
+
};
|
|
29
|
+
export type PaybondAuditExportsGetParams = {
|
|
30
|
+
issueDownload?: boolean;
|
|
31
|
+
};
|
|
32
|
+
export type PaybondAuditExportsCreateParams = {
|
|
33
|
+
filter: AuditExportCreateFilter;
|
|
34
|
+
/** Defaults to `standard` when omitted. */
|
|
35
|
+
disclosureTier?: "standard" | "extended";
|
|
36
|
+
/** Bundle retention in hours (gateway default 168, max 720). */
|
|
37
|
+
retentionHours?: number;
|
|
38
|
+
};
|
|
39
|
+
/**
|
|
40
|
+
* SDK surface for compliance audit export jobs and local bundle verification.
|
|
41
|
+
*/
|
|
42
|
+
export declare class PaybondAuditExports {
|
|
43
|
+
private readonly gateway;
|
|
44
|
+
constructor(gateway: AuditExportsGateway);
|
|
45
|
+
/** Wrap an existing gateway client (CLI, tests, or custom transport). */
|
|
46
|
+
static fromGateway(gateway: AuditExportsGateway): PaybondAuditExports;
|
|
47
|
+
/** Open a tenant-bound audit exports client from gateway credentials. */
|
|
48
|
+
static open(gatewayBaseUrl: string, tenantId: string, options: GatewayAuditExportsClientOptions): PaybondAuditExports;
|
|
49
|
+
list(params?: PaybondAuditExportsListParams): Promise<AuditExportListPage>;
|
|
50
|
+
get(jobId: string, params?: PaybondAuditExportsGetParams): Promise<AuditExportJobGetResponse>;
|
|
51
|
+
/**
|
|
52
|
+
* Create a compliance audit export job (`POST /v1/compliance/audit-exports`).
|
|
53
|
+
* Tenant scope comes from the API key — never pass a tenant id.
|
|
54
|
+
*/
|
|
55
|
+
create(params: PaybondAuditExportsCreateParams): Promise<AuditExportJobGetResponse>;
|
|
56
|
+
delete(jobId: string): Promise<{
|
|
57
|
+
job_id: string;
|
|
58
|
+
deleted: true;
|
|
59
|
+
}>;
|
|
60
|
+
/**
|
|
61
|
+
* Verify a signed audit export manifest object or a local bundle path.
|
|
62
|
+
* Bundle verification requires filesystem access; use SDK/CLI rather than MCP.
|
|
63
|
+
*/
|
|
64
|
+
verify(manifestOrPath: Record<string, unknown> | string, options?: {
|
|
65
|
+
cwd?: string;
|
|
66
|
+
}): Promise<AuditVerifyResult>;
|
|
67
|
+
}
|
|
68
|
+
/** Namespace wrapper attached to {@link Paybond} as `paybond.audit.exports`. */
|
|
69
|
+
export declare class PaybondAudit {
|
|
70
|
+
readonly exports: PaybondAuditExports;
|
|
71
|
+
constructor(exports: PaybondAuditExports);
|
|
72
|
+
}
|
|
@@ -0,0 +1,185 @@
|
|
|
1
|
+
import { parseAuditExportJobGet, parseAuditExportList, } from "./wire.js";
|
|
2
|
+
import { auditVerifyResult, verifyAuditBundleLocal } from "./verify.js";
|
|
3
|
+
import process from "node:process";
|
|
4
|
+
function normalizeBase(url) {
|
|
5
|
+
return url.replace(/\/+$/, "");
|
|
6
|
+
}
|
|
7
|
+
function backoffMs(attempt) {
|
|
8
|
+
return Math.min(1000 * 2 ** attempt, 8000);
|
|
9
|
+
}
|
|
10
|
+
function parseRetryAfterSeconds(value) {
|
|
11
|
+
if (!value?.trim()) {
|
|
12
|
+
return null;
|
|
13
|
+
}
|
|
14
|
+
const seconds = Number.parseInt(value.trim(), 10);
|
|
15
|
+
return Number.isFinite(seconds) && seconds >= 0 ? seconds : null;
|
|
16
|
+
}
|
|
17
|
+
function delay(ms) {
|
|
18
|
+
return new Promise((resolve) => setTimeout(resolve, ms));
|
|
19
|
+
}
|
|
20
|
+
/**
|
|
21
|
+
* Gateway-backed compliance audit export client for `GET /v1/compliance/audit-exports`.
|
|
22
|
+
*/
|
|
23
|
+
export class GatewayAuditExportsClient {
|
|
24
|
+
tenantId;
|
|
25
|
+
base;
|
|
26
|
+
bearerToken;
|
|
27
|
+
maxRetries;
|
|
28
|
+
constructor(gatewayBaseUrl, tenantId, options) {
|
|
29
|
+
this.tenantId = tenantId;
|
|
30
|
+
this.base = `${normalizeBase(gatewayBaseUrl)}/`;
|
|
31
|
+
this.bearerToken = options.staticGatewayBearerToken.trim();
|
|
32
|
+
this.maxRetries = Math.max(1, options.maxRetries ?? 3);
|
|
33
|
+
}
|
|
34
|
+
async getJson(path) {
|
|
35
|
+
return this.requestJSON("GET", path);
|
|
36
|
+
}
|
|
37
|
+
async postJson(path, body) {
|
|
38
|
+
return this.requestJSON("POST", path, body);
|
|
39
|
+
}
|
|
40
|
+
async deleteJson(path) {
|
|
41
|
+
return this.requestJSON("DELETE", path);
|
|
42
|
+
}
|
|
43
|
+
async requestJSON(method, path, body) {
|
|
44
|
+
const url = `${this.base}${path.replace(/^\//, "")}`;
|
|
45
|
+
let lastErr;
|
|
46
|
+
for (let attempt = 0; attempt < this.maxRetries; attempt++) {
|
|
47
|
+
let res;
|
|
48
|
+
try {
|
|
49
|
+
const headers = {
|
|
50
|
+
accept: "application/json",
|
|
51
|
+
authorization: `Bearer ${this.bearerToken}`,
|
|
52
|
+
};
|
|
53
|
+
const init = { method, headers };
|
|
54
|
+
if (method === "POST") {
|
|
55
|
+
headers["content-type"] = "application/json";
|
|
56
|
+
init.body = JSON.stringify(body ?? {});
|
|
57
|
+
}
|
|
58
|
+
res = await fetch(url, init);
|
|
59
|
+
}
|
|
60
|
+
catch (err) {
|
|
61
|
+
lastErr = err;
|
|
62
|
+
if (attempt + 1 >= this.maxRetries) {
|
|
63
|
+
throw err;
|
|
64
|
+
}
|
|
65
|
+
await delay(backoffMs(attempt));
|
|
66
|
+
continue;
|
|
67
|
+
}
|
|
68
|
+
if ([429, 500, 502, 503, 504].includes(res.status) && attempt + 1 < this.maxRetries) {
|
|
69
|
+
const retryAfter = parseRetryAfterSeconds(res.headers.get("retry-after"));
|
|
70
|
+
await delay(retryAfter != null ? retryAfter * 1000 : backoffMs(attempt));
|
|
71
|
+
continue;
|
|
72
|
+
}
|
|
73
|
+
const text = await res.text();
|
|
74
|
+
if (!res.ok) {
|
|
75
|
+
throw new Error(`Gateway ${method} ${path} HTTP ${res.status}: ${text}`);
|
|
76
|
+
}
|
|
77
|
+
if (!text.trim()) {
|
|
78
|
+
return {};
|
|
79
|
+
}
|
|
80
|
+
const parsed = JSON.parse(text);
|
|
81
|
+
if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
|
|
82
|
+
throw new Error(`Gateway ${method} ${path} returned non-object JSON`);
|
|
83
|
+
}
|
|
84
|
+
return parsed;
|
|
85
|
+
}
|
|
86
|
+
throw lastErr instanceof Error ? lastErr : new Error(String(lastErr));
|
|
87
|
+
}
|
|
88
|
+
}
|
|
89
|
+
function buildAuditExportCreateBody(params) {
|
|
90
|
+
const filter = {};
|
|
91
|
+
const f = params.filter;
|
|
92
|
+
if (f.time_start?.trim()) {
|
|
93
|
+
filter.time_start = f.time_start.trim();
|
|
94
|
+
}
|
|
95
|
+
if (f.time_end?.trim()) {
|
|
96
|
+
filter.time_end = f.time_end.trim();
|
|
97
|
+
}
|
|
98
|
+
if (f.intent_id?.trim()) {
|
|
99
|
+
filter.intent_id = f.intent_id.trim();
|
|
100
|
+
}
|
|
101
|
+
if (f.case_id?.trim()) {
|
|
102
|
+
filter.case_id = f.case_id.trim();
|
|
103
|
+
}
|
|
104
|
+
if (f.operator_did?.trim()) {
|
|
105
|
+
filter.operator_did = f.operator_did.trim();
|
|
106
|
+
}
|
|
107
|
+
if (f.includes && f.includes.length > 0) {
|
|
108
|
+
filter.includes = [...f.includes];
|
|
109
|
+
}
|
|
110
|
+
const body = {
|
|
111
|
+
filter,
|
|
112
|
+
disclosure_tier: params.disclosureTier ?? "standard",
|
|
113
|
+
};
|
|
114
|
+
if (params.retentionHours != null && params.retentionHours > 0) {
|
|
115
|
+
body.retention_hours = params.retentionHours;
|
|
116
|
+
}
|
|
117
|
+
return body;
|
|
118
|
+
}
|
|
119
|
+
/**
|
|
120
|
+
* SDK surface for compliance audit export jobs and local bundle verification.
|
|
121
|
+
*/
|
|
122
|
+
export class PaybondAuditExports {
|
|
123
|
+
gateway;
|
|
124
|
+
constructor(gateway) {
|
|
125
|
+
this.gateway = gateway;
|
|
126
|
+
}
|
|
127
|
+
/** Wrap an existing gateway client (CLI, tests, or custom transport). */
|
|
128
|
+
static fromGateway(gateway) {
|
|
129
|
+
return new PaybondAuditExports(gateway);
|
|
130
|
+
}
|
|
131
|
+
/** Open a tenant-bound audit exports client from gateway credentials. */
|
|
132
|
+
static open(gatewayBaseUrl, tenantId, options) {
|
|
133
|
+
return new PaybondAuditExports(new GatewayAuditExportsClient(gatewayBaseUrl, tenantId, options));
|
|
134
|
+
}
|
|
135
|
+
async list(params) {
|
|
136
|
+
const search = new URLSearchParams();
|
|
137
|
+
const limit = params?.limit ?? 50;
|
|
138
|
+
search.set("limit", String(Math.max(1, Math.min(limit, 200))));
|
|
139
|
+
if (params?.cursor?.trim()) {
|
|
140
|
+
search.set("cursor", params.cursor.trim());
|
|
141
|
+
}
|
|
142
|
+
const body = await this.gateway.getJson(`/v1/compliance/audit-exports?${search.toString()}`);
|
|
143
|
+
return parseAuditExportList(body);
|
|
144
|
+
}
|
|
145
|
+
async get(jobId, params) {
|
|
146
|
+
const query = params?.issueDownload ? "?issue_download=1" : "";
|
|
147
|
+
const body = await this.gateway.getJson(`/v1/compliance/audit-exports/${encodeURIComponent(jobId)}${query}`);
|
|
148
|
+
return parseAuditExportJobGet(body);
|
|
149
|
+
}
|
|
150
|
+
/**
|
|
151
|
+
* Create a compliance audit export job (`POST /v1/compliance/audit-exports`).
|
|
152
|
+
* Tenant scope comes from the API key — never pass a tenant id.
|
|
153
|
+
*/
|
|
154
|
+
async create(params) {
|
|
155
|
+
if (!this.gateway.postJson) {
|
|
156
|
+
throw new Error("audit export create is not supported by this gateway adapter");
|
|
157
|
+
}
|
|
158
|
+
const body = await this.gateway.postJson("/v1/compliance/audit-exports", buildAuditExportCreateBody(params));
|
|
159
|
+
return parseAuditExportJobGet(body);
|
|
160
|
+
}
|
|
161
|
+
async delete(jobId) {
|
|
162
|
+
if (!this.gateway.deleteJson) {
|
|
163
|
+
throw new Error("audit export delete is not supported by this gateway adapter");
|
|
164
|
+
}
|
|
165
|
+
await this.gateway.deleteJson(`/v1/compliance/audit-exports/${encodeURIComponent(jobId)}`);
|
|
166
|
+
return { job_id: jobId, deleted: true };
|
|
167
|
+
}
|
|
168
|
+
/**
|
|
169
|
+
* Verify a signed audit export manifest object or a local bundle path.
|
|
170
|
+
* Bundle verification requires filesystem access; use SDK/CLI rather than MCP.
|
|
171
|
+
*/
|
|
172
|
+
async verify(manifestOrPath, options) {
|
|
173
|
+
if (typeof manifestOrPath === "string") {
|
|
174
|
+
return verifyAuditBundleLocal(manifestOrPath, options?.cwd ?? process.cwd());
|
|
175
|
+
}
|
|
176
|
+
return auditVerifyResult(manifestOrPath);
|
|
177
|
+
}
|
|
178
|
+
}
|
|
179
|
+
/** Namespace wrapper attached to {@link Paybond} as `paybond.audit.exports`. */
|
|
180
|
+
export class PaybondAudit {
|
|
181
|
+
exports;
|
|
182
|
+
constructor(exports) {
|
|
183
|
+
this.exports = exports;
|
|
184
|
+
}
|
|
185
|
+
}
|
|
@@ -0,0 +1,3 @@
|
|
|
1
|
+
export { GatewayAuditExportsClient, PaybondAudit, PaybondAuditExports, type AuditExportsGateway, type GatewayAuditExportsClientOptions, type PaybondAuditExportsCreateParams, type PaybondAuditExportsGetParams, type PaybondAuditExportsListParams, } from "./exports.js";
|
|
2
|
+
export { auditVerifyResult, buildManifestCore, manifestCoreBytes, readManifestFromBundle, verifyAuditBundleLocal, verifyAuditManifest, MANIFEST_CORE_FIELD_ORDER, } from "./verify.js";
|
|
3
|
+
export { parseAuditExportJobGet, parseAuditExportList, type AuditExportCreateFilter, type AuditExportJobDetail, type AuditExportJobGetResponse, type AuditExportJobSummary, type AuditExportListPage, type AuditVerifyResult, } from "./wire.js";
|
|
@@ -0,0 +1,3 @@
|
|
|
1
|
+
export { GatewayAuditExportsClient, PaybondAudit, PaybondAuditExports, } from "./exports.js";
|
|
2
|
+
export { auditVerifyResult, buildManifestCore, manifestCoreBytes, readManifestFromBundle, verifyAuditBundleLocal, verifyAuditManifest, MANIFEST_CORE_FIELD_ORDER, } from "./verify.js";
|
|
3
|
+
export { parseAuditExportJobGet, parseAuditExportList, } from "./wire.js";
|
|
@@ -0,0 +1,8 @@
|
|
|
1
|
+
import type { AuditVerifyResult } from "./wire.js";
|
|
2
|
+
export declare const MANIFEST_CORE_FIELD_ORDER: readonly ["schema_version", "kind", "tenant_realm_id", "job_id", "generated_at_rfc3339", "gateway_build_version", "score_model_version", "disclosure_tier", "redaction_profile", "checkpoint_last_ledger_seq", "export_filter", "artifacts"];
|
|
3
|
+
export declare function buildManifestCore(manifest: Record<string, unknown>): Record<string, unknown>;
|
|
4
|
+
export declare function manifestCoreBytes(manifest: Record<string, unknown>): Uint8Array;
|
|
5
|
+
export declare function verifyAuditManifest(manifest: Record<string, unknown>): boolean;
|
|
6
|
+
export declare function auditVerifyResult(manifest: Record<string, unknown>, path?: string): AuditVerifyResult;
|
|
7
|
+
export declare function readManifestFromBundle(bundlePath: string, cwd: string): Promise<string>;
|
|
8
|
+
export declare function verifyAuditBundleLocal(path: string, cwd: string): Promise<AuditVerifyResult>;
|
|
@@ -0,0 +1,113 @@
|
|
|
1
|
+
import { createHash } from "node:crypto";
|
|
2
|
+
import { readFile } from "node:fs/promises";
|
|
3
|
+
import { spawn } from "node:child_process";
|
|
4
|
+
import { verify as ed25519Verify } from "@noble/ed25519";
|
|
5
|
+
import { ensureEd25519Sha512Sync } from "../ed25519-sync.js";
|
|
6
|
+
export const MANIFEST_CORE_FIELD_ORDER = [
|
|
7
|
+
"schema_version",
|
|
8
|
+
"kind",
|
|
9
|
+
"tenant_realm_id",
|
|
10
|
+
"job_id",
|
|
11
|
+
"generated_at_rfc3339",
|
|
12
|
+
"gateway_build_version",
|
|
13
|
+
"score_model_version",
|
|
14
|
+
"disclosure_tier",
|
|
15
|
+
"redaction_profile",
|
|
16
|
+
"checkpoint_last_ledger_seq",
|
|
17
|
+
"export_filter",
|
|
18
|
+
"artifacts",
|
|
19
|
+
];
|
|
20
|
+
export function buildManifestCore(manifest) {
|
|
21
|
+
const core = {};
|
|
22
|
+
for (const key of MANIFEST_CORE_FIELD_ORDER) {
|
|
23
|
+
if (key === "checkpoint_last_ledger_seq") {
|
|
24
|
+
if (!(key in manifest)) {
|
|
25
|
+
continue;
|
|
26
|
+
}
|
|
27
|
+
const value = manifest[key];
|
|
28
|
+
if (value === 0 || value === null) {
|
|
29
|
+
continue;
|
|
30
|
+
}
|
|
31
|
+
core[key] = value;
|
|
32
|
+
continue;
|
|
33
|
+
}
|
|
34
|
+
if (key in manifest) {
|
|
35
|
+
core[key] = manifest[key];
|
|
36
|
+
}
|
|
37
|
+
}
|
|
38
|
+
return core;
|
|
39
|
+
}
|
|
40
|
+
export function manifestCoreBytes(manifest) {
|
|
41
|
+
const core = buildManifestCore(manifest);
|
|
42
|
+
return new TextEncoder().encode(JSON.stringify(core));
|
|
43
|
+
}
|
|
44
|
+
function hexToBytes(hex) {
|
|
45
|
+
const normalized = hex.trim();
|
|
46
|
+
const out = new Uint8Array(normalized.length / 2);
|
|
47
|
+
for (let i = 0; i < out.length; i += 1) {
|
|
48
|
+
out[i] = Number.parseInt(normalized.slice(i * 2, i * 2 + 2), 16);
|
|
49
|
+
}
|
|
50
|
+
return out;
|
|
51
|
+
}
|
|
52
|
+
function bytesToHex(bytes) {
|
|
53
|
+
return Array.from(bytes)
|
|
54
|
+
.map((byte) => byte.toString(16).padStart(2, "0"))
|
|
55
|
+
.join("");
|
|
56
|
+
}
|
|
57
|
+
export function verifyAuditManifest(manifest) {
|
|
58
|
+
const coreBytes = manifestCoreBytes(manifest);
|
|
59
|
+
const digest = createHash("sha256").update(coreBytes).digest();
|
|
60
|
+
const expected = String(manifest.signed_payload_sha256_hex ?? "").trim().toLowerCase();
|
|
61
|
+
if (bytesToHex(new Uint8Array(digest)) !== expected) {
|
|
62
|
+
return false;
|
|
63
|
+
}
|
|
64
|
+
const signatureHex = String(manifest.ed25519_signature_hex ?? "").trim();
|
|
65
|
+
const publicKeyHex = String(manifest.signing_public_key_ed25519_hex ?? "").trim();
|
|
66
|
+
if (!signatureHex || !publicKeyHex) {
|
|
67
|
+
return false;
|
|
68
|
+
}
|
|
69
|
+
ensureEd25519Sha512Sync();
|
|
70
|
+
return ed25519Verify(hexToBytes(signatureHex), digest, hexToBytes(publicKeyHex));
|
|
71
|
+
}
|
|
72
|
+
export function auditVerifyResult(manifest, path) {
|
|
73
|
+
return {
|
|
74
|
+
verified: verifyAuditManifest(manifest),
|
|
75
|
+
manifest_kind: String(manifest.kind ?? ""),
|
|
76
|
+
tenant_realm_id: String(manifest.tenant_realm_id ?? ""),
|
|
77
|
+
job_id: String(manifest.job_id ?? ""),
|
|
78
|
+
...(path ? { path } : {}),
|
|
79
|
+
};
|
|
80
|
+
}
|
|
81
|
+
export async function readManifestFromBundle(bundlePath, cwd) {
|
|
82
|
+
if (bundlePath.endsWith(".zip")) {
|
|
83
|
+
const result = await new Promise((resolvePromise) => {
|
|
84
|
+
const child = spawn("unzip", ["-p", bundlePath, "manifest.json"], { cwd });
|
|
85
|
+
let stdout = "";
|
|
86
|
+
let stderr = "";
|
|
87
|
+
child.stdout.on("data", (chunk) => {
|
|
88
|
+
stdout += String(chunk);
|
|
89
|
+
});
|
|
90
|
+
child.stderr.on("data", (chunk) => {
|
|
91
|
+
stderr += String(chunk);
|
|
92
|
+
});
|
|
93
|
+
child.on("close", (code) => resolvePromise({ code, stdout, stderr }));
|
|
94
|
+
child.on("error", () => resolvePromise({ code: 127, stdout: "", stderr: "unzip not found" }));
|
|
95
|
+
});
|
|
96
|
+
if (result.code !== 0 || !result.stdout.trim()) {
|
|
97
|
+
throw new Error(result.stderr.trim() || "unable to read manifest.json from ZIP bundle");
|
|
98
|
+
}
|
|
99
|
+
return result.stdout;
|
|
100
|
+
}
|
|
101
|
+
const manifestPath = bundlePath.endsWith("manifest.json")
|
|
102
|
+
? bundlePath
|
|
103
|
+
: `${bundlePath.replace(/\/+$/, "")}/manifest.json`;
|
|
104
|
+
return readFile(manifestPath, "utf8");
|
|
105
|
+
}
|
|
106
|
+
export async function verifyAuditBundleLocal(path, cwd) {
|
|
107
|
+
const manifestRaw = await readManifestFromBundle(path, cwd);
|
|
108
|
+
const manifest = JSON.parse(manifestRaw);
|
|
109
|
+
if (!manifest || typeof manifest !== "object" || Array.isArray(manifest)) {
|
|
110
|
+
throw new Error("manifest.json must be a JSON object");
|
|
111
|
+
}
|
|
112
|
+
return auditVerifyResult(manifest, path);
|
|
113
|
+
}
|
|
@@ -0,0 +1,54 @@
|
|
|
1
|
+
/** Wire types for Gateway `GET /v1/compliance/audit-exports` responses. */
|
|
2
|
+
export type AuditExportJobSummary = Readonly<{
|
|
3
|
+
id: string;
|
|
4
|
+
status: string;
|
|
5
|
+
disclosure_tier: string;
|
|
6
|
+
created_at: string;
|
|
7
|
+
expires_at: string;
|
|
8
|
+
manifest_sha256: string;
|
|
9
|
+
bundle_sha256: string;
|
|
10
|
+
bundle_size_bytes: number;
|
|
11
|
+
}>;
|
|
12
|
+
export type AuditExportListPage = Readonly<{
|
|
13
|
+
tenant_realm_id: string;
|
|
14
|
+
jobs: ReadonlyArray<AuditExportJobSummary>;
|
|
15
|
+
next_cursor?: string;
|
|
16
|
+
}>;
|
|
17
|
+
export type AuditExportCreateFilter = Readonly<{
|
|
18
|
+
time_start?: string;
|
|
19
|
+
time_end?: string;
|
|
20
|
+
intent_id?: string;
|
|
21
|
+
case_id?: string;
|
|
22
|
+
operator_did?: string;
|
|
23
|
+
includes?: ReadonlyArray<string>;
|
|
24
|
+
}>;
|
|
25
|
+
export type AuditExportJobDetail = Readonly<{
|
|
26
|
+
id: string;
|
|
27
|
+
status: string;
|
|
28
|
+
tenant_realm_id: string;
|
|
29
|
+
disclosure_tier: string;
|
|
30
|
+
created_at: string;
|
|
31
|
+
expires_at: string;
|
|
32
|
+
error: string;
|
|
33
|
+
manifest_sha256: string;
|
|
34
|
+
bundle_sha256: string;
|
|
35
|
+
download_token?: string;
|
|
36
|
+
/** Present on `POST /v1/compliance/audit-exports` create responses. */
|
|
37
|
+
bundle_size_bytes?: number;
|
|
38
|
+
download_token_expires?: string;
|
|
39
|
+
download_path?: string;
|
|
40
|
+
}>;
|
|
41
|
+
export type AuditExportJobGetResponse = Readonly<{
|
|
42
|
+
job: AuditExportJobDetail;
|
|
43
|
+
}>;
|
|
44
|
+
export type AuditVerifyResult = Readonly<{
|
|
45
|
+
verified: boolean;
|
|
46
|
+
manifest_kind: string;
|
|
47
|
+
tenant_realm_id: string;
|
|
48
|
+
job_id: string;
|
|
49
|
+
path?: string;
|
|
50
|
+
}>;
|
|
51
|
+
/** Parses list response from `GET /v1/compliance/audit-exports`. */
|
|
52
|
+
export declare function parseAuditExportList(json: unknown): AuditExportListPage;
|
|
53
|
+
/** Parses job detail from `GET /v1/compliance/audit-exports/{id}`. */
|
|
54
|
+
export declare function parseAuditExportJobGet(json: unknown): AuditExportJobGetResponse;
|
|
@@ -0,0 +1,80 @@
|
|
|
1
|
+
/** Wire types for Gateway `GET /v1/compliance/audit-exports` responses. */
|
|
2
|
+
function assertJsonObject(value) {
|
|
3
|
+
if (value === null || typeof value !== "object" || Array.isArray(value)) {
|
|
4
|
+
throw new Error("Expected JSON object");
|
|
5
|
+
}
|
|
6
|
+
}
|
|
7
|
+
function readString(value, field) {
|
|
8
|
+
if (typeof value !== "string") {
|
|
9
|
+
throw new Error(`Invalid ${field}`);
|
|
10
|
+
}
|
|
11
|
+
return value;
|
|
12
|
+
}
|
|
13
|
+
function readNumber(value, field) {
|
|
14
|
+
if (typeof value !== "number" || !Number.isFinite(value)) {
|
|
15
|
+
throw new Error(`Invalid ${field}`);
|
|
16
|
+
}
|
|
17
|
+
return value;
|
|
18
|
+
}
|
|
19
|
+
function extractNextCursor(body) {
|
|
20
|
+
const cursor = body.next_cursor ?? body.nextCursor;
|
|
21
|
+
if (typeof cursor === "string" && cursor.trim()) {
|
|
22
|
+
return cursor.trim();
|
|
23
|
+
}
|
|
24
|
+
return undefined;
|
|
25
|
+
}
|
|
26
|
+
/** Parses list response from `GET /v1/compliance/audit-exports`. */
|
|
27
|
+
export function parseAuditExportList(json) {
|
|
28
|
+
assertJsonObject(json);
|
|
29
|
+
const tenantRealmId = readString(json.tenant_realm_id, "tenant_realm_id");
|
|
30
|
+
const jobsRaw = json.jobs ?? json.items ?? json.exports;
|
|
31
|
+
if (!Array.isArray(jobsRaw)) {
|
|
32
|
+
throw new Error("Invalid export list: jobs");
|
|
33
|
+
}
|
|
34
|
+
const jobs = jobsRaw.map((row) => {
|
|
35
|
+
assertJsonObject(row);
|
|
36
|
+
return {
|
|
37
|
+
id: readString(row.id ?? row.job_id, "jobs[].id"),
|
|
38
|
+
status: readString(row.status, "jobs[].status"),
|
|
39
|
+
disclosure_tier: readString(row.disclosure_tier, "jobs[].disclosure_tier"),
|
|
40
|
+
created_at: readString(row.created_at, "jobs[].created_at"),
|
|
41
|
+
expires_at: readString(row.expires_at, "jobs[].expires_at"),
|
|
42
|
+
manifest_sha256: typeof row.manifest_sha256 === "string" ? row.manifest_sha256 : "",
|
|
43
|
+
bundle_sha256: typeof row.bundle_sha256 === "string" ? row.bundle_sha256 : "",
|
|
44
|
+
bundle_size_bytes: readNumber(row.bundle_size_bytes ?? 0, "jobs[].bundle_size_bytes"),
|
|
45
|
+
};
|
|
46
|
+
});
|
|
47
|
+
const nextCursor = extractNextCursor(json);
|
|
48
|
+
return nextCursor ? { tenant_realm_id: tenantRealmId, jobs, next_cursor: nextCursor } : { tenant_realm_id: tenantRealmId, jobs };
|
|
49
|
+
}
|
|
50
|
+
/** Parses job detail from `GET /v1/compliance/audit-exports/{id}`. */
|
|
51
|
+
export function parseAuditExportJobGet(json) {
|
|
52
|
+
assertJsonObject(json);
|
|
53
|
+
const jobRaw = json.job ?? json;
|
|
54
|
+
assertJsonObject(jobRaw);
|
|
55
|
+
const bundleSize = typeof jobRaw.bundle_size_bytes === "number" && Number.isFinite(jobRaw.bundle_size_bytes)
|
|
56
|
+
? jobRaw.bundle_size_bytes
|
|
57
|
+
: undefined;
|
|
58
|
+
const downloadTokenExpires = typeof jobRaw.download_token_expires === "string" && jobRaw.download_token_expires
|
|
59
|
+
? jobRaw.download_token_expires
|
|
60
|
+
: typeof jobRaw.download_token_expires_at === "string" && jobRaw.download_token_expires_at
|
|
61
|
+
? jobRaw.download_token_expires_at
|
|
62
|
+
: undefined;
|
|
63
|
+
const downloadPath = typeof jobRaw.download_path === "string" && jobRaw.download_path ? jobRaw.download_path : undefined;
|
|
64
|
+
const job = {
|
|
65
|
+
id: readString(jobRaw.id ?? jobRaw.job_id, "job.id"),
|
|
66
|
+
status: readString(jobRaw.status, "job.status"),
|
|
67
|
+
tenant_realm_id: readString(jobRaw.tenant_realm_id, "job.tenant_realm_id"),
|
|
68
|
+
disclosure_tier: readString(jobRaw.disclosure_tier, "job.disclosure_tier"),
|
|
69
|
+
created_at: typeof jobRaw.created_at === "string" ? jobRaw.created_at : "",
|
|
70
|
+
expires_at: readString(jobRaw.expires_at, "job.expires_at"),
|
|
71
|
+
error: typeof jobRaw.error === "string" ? jobRaw.error : "",
|
|
72
|
+
manifest_sha256: typeof jobRaw.manifest_sha256 === "string" ? jobRaw.manifest_sha256 : "",
|
|
73
|
+
bundle_sha256: typeof jobRaw.bundle_sha256 === "string" ? jobRaw.bundle_sha256 : "",
|
|
74
|
+
download_token: typeof jobRaw.download_token === "string" && jobRaw.download_token ? jobRaw.download_token : undefined,
|
|
75
|
+
bundle_size_bytes: bundleSize,
|
|
76
|
+
download_token_expires: downloadTokenExpires,
|
|
77
|
+
download_path: downloadPath,
|
|
78
|
+
};
|
|
79
|
+
return { job };
|
|
80
|
+
}
|
|
@@ -2,3 +2,5 @@ export declare function loadRunVercelAiSandboxDemo(): Promise<typeof import("../
|
|
|
2
2
|
export declare function loadRunLangGraphSandboxDemo(): Promise<typeof import("../../langgraph/sandbox-demo.js").runLangGraphSandboxDemo>;
|
|
3
3
|
export declare function loadRunClaudeAgentsSandboxDemo(): Promise<typeof import("../../claude-agents/sandbox-demo.js").runClaudeAgentsSandboxDemo>;
|
|
4
4
|
export declare function loadRunOpenAIAgentsSandboxDemo(): Promise<typeof import("../../openai-agents/sandbox-demo.js").runOpenAIAgentsSandboxDemo>;
|
|
5
|
+
export declare function loadRunMastraSandboxDemo(): Promise<typeof import("../../mastra/sandbox-demo.js").runMastraSandboxDemo>;
|
|
6
|
+
export declare function loadRunCloudflareAgentsSandboxDemo(): Promise<typeof import("../../cloudflare-agents/sandbox-demo.js").runCloudflareAgentsSandboxDemo>;
|
|
@@ -64,3 +64,27 @@ export async function loadRunOpenAIAgentsSandboxDemo() {
|
|
|
64
64
|
throw err;
|
|
65
65
|
}
|
|
66
66
|
}
|
|
67
|
+
export async function loadRunMastraSandboxDemo() {
|
|
68
|
+
try {
|
|
69
|
+
const mod = await import("../../mastra/sandbox-demo.js");
|
|
70
|
+
return mod.runMastraSandboxDemo;
|
|
71
|
+
}
|
|
72
|
+
catch (err) {
|
|
73
|
+
if (isMissingModuleError(err, "@mastra/core")) {
|
|
74
|
+
throw missingPeerDependencyError("@mastra/core", "mastra");
|
|
75
|
+
}
|
|
76
|
+
throw err;
|
|
77
|
+
}
|
|
78
|
+
}
|
|
79
|
+
export async function loadRunCloudflareAgentsSandboxDemo() {
|
|
80
|
+
try {
|
|
81
|
+
const mod = await import("../../cloudflare-agents/sandbox-demo.js");
|
|
82
|
+
return mod.runCloudflareAgentsSandboxDemo;
|
|
83
|
+
}
|
|
84
|
+
catch (err) {
|
|
85
|
+
if (isMissingModuleError(err, "ai")) {
|
|
86
|
+
throw missingPeerDependencyError("ai", "cloudflare-agents");
|
|
87
|
+
}
|
|
88
|
+
throw err;
|
|
89
|
+
}
|
|
90
|
+
}
|
|
@@ -12,6 +12,17 @@ export declare function resolveProductionEvidenceFromCli(input: {
|
|
|
12
12
|
agentRecognitionKeyId?: string;
|
|
13
13
|
agentRecognitionSigningSeedHex?: string;
|
|
14
14
|
}): Promise<PaybondRunProductionEvidenceCredentials>;
|
|
15
|
+
export type AgentRecognitionCredentials = {
|
|
16
|
+
agentRecognitionKeyId: string;
|
|
17
|
+
agentRecognitionSigningSeed: Uint8Array;
|
|
18
|
+
};
|
|
19
|
+
/** Resolve agent recognition signing credentials from CLI flags and APP_* env fallbacks. */
|
|
20
|
+
export declare function resolveAgentRecognitionFromCli(input: {
|
|
21
|
+
cwd: string;
|
|
22
|
+
envFile: string;
|
|
23
|
+
agentRecognitionKeyId?: string;
|
|
24
|
+
agentRecognitionSigningSeedHex?: string;
|
|
25
|
+
}): Promise<AgentRecognitionCredentials>;
|
|
15
26
|
export declare function productionEvidenceToPersisted(credentials: PaybondRunProductionEvidenceCredentials): PersistedProductionEvidence;
|
|
16
27
|
/** Re-supply signing seeds at tool execute (or other re-attach) time; metadata comes from the run store. */
|
|
17
28
|
export declare function resolveProductionEvidenceForReattach(input: {
|
|
@@ -65,6 +65,23 @@ export async function resolveProductionEvidenceFromCli(input) {
|
|
|
65
65
|
agentRecognitionSigningSeed: parseSeed32Hex(agentRecognitionSigningSeedHex, "--agent-recognition-signing-seed-hex"),
|
|
66
66
|
};
|
|
67
67
|
}
|
|
68
|
+
/** Resolve agent recognition signing credentials from CLI flags and APP_* env fallbacks. */
|
|
69
|
+
export async function resolveAgentRecognitionFromCli(input) {
|
|
70
|
+
const agentRecognitionKeyId = input.agentRecognitionKeyId?.trim() ||
|
|
71
|
+
(await readConfiguredEnvValue(input.cwd, input.envFile, "APP_AGENT_RECOGNITION_KEY_ID"));
|
|
72
|
+
const agentRecognitionSigningSeedHex = input.agentRecognitionSigningSeedHex?.trim() ||
|
|
73
|
+
(await readConfiguredEnvValue(input.cwd, input.envFile, "APP_AGENT_RECOGNITION_SEED_HEX"));
|
|
74
|
+
if (!agentRecognitionKeyId) {
|
|
75
|
+
throw new CliError("Harbor intent mutation requires --agent-recognition-key-id or APP_AGENT_RECOGNITION_KEY_ID", { category: "usage", code: "cli.agent.recognition_incomplete" });
|
|
76
|
+
}
|
|
77
|
+
if (!agentRecognitionSigningSeedHex) {
|
|
78
|
+
throw new CliError("Harbor intent mutation requires --agent-recognition-signing-seed-hex or APP_AGENT_RECOGNITION_SEED_HEX", { category: "usage", code: "cli.agent.recognition_incomplete" });
|
|
79
|
+
}
|
|
80
|
+
return {
|
|
81
|
+
agentRecognitionKeyId,
|
|
82
|
+
agentRecognitionSigningSeed: parseSeed32Hex(agentRecognitionSigningSeedHex, "--agent-recognition-signing-seed-hex"),
|
|
83
|
+
};
|
|
84
|
+
}
|
|
68
85
|
export function productionEvidenceToPersisted(credentials) {
|
|
69
86
|
return {
|
|
70
87
|
payee_did: credentials.payeeDid,
|
|
@@ -1,7 +1,2 @@
|
|
|
1
|
-
|
|
2
|
-
export
|
|
3
|
-
export declare function manifestCoreBytes(manifest: Record<string, unknown>): Uint8Array;
|
|
4
|
-
export declare function verifyAuditManifest(manifest: Record<string, unknown>): boolean;
|
|
5
|
-
export declare function auditVerifyResult(manifest: Record<string, unknown>, path: string): Record<string, unknown>;
|
|
6
|
-
export declare function readManifestFromBundle(bundlePath: string, cwd: string): Promise<string>;
|
|
7
|
-
export declare function verifyAuditBundleLocal(path: string, cwd: string): Promise<Record<string, unknown>>;
|
|
1
|
+
/** @deprecated Import from `../audit/verify.js` instead. */
|
|
2
|
+
export { auditVerifyResult, buildManifestCore, manifestCoreBytes, readManifestFromBundle, verifyAuditBundleLocal, verifyAuditManifest, MANIFEST_CORE_FIELD_ORDER, } from "../audit/verify.js";
|