@paybond/kit 0.12.4 → 0.12.6
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/agent/facade.d.ts +2 -0
- package/dist/agent/facade.js +10 -2
- package/dist/agent/guarded-agent.d.ts +3 -1
- package/dist/agent/guarded-agent.js +13 -2
- package/dist/agent/index.d.ts +2 -2
- package/dist/agent/index.js +1 -1
- package/dist/agent/instrument.d.ts +3 -0
- package/dist/agent/instrument.js +21 -10
- package/dist/agent/interceptor.js +19 -0
- package/dist/agent/types.d.ts +14 -0
- package/dist/agent-receipt-acta.d.ts +58 -0
- package/dist/agent-receipt-acta.js +140 -0
- package/dist/agent-receipt-inclusion.d.ts +40 -0
- package/dist/agent-receipt-inclusion.js +209 -0
- package/dist/agent-receipt-owner-disclosure.d.ts +71 -0
- package/dist/agent-receipt-owner-disclosure.js +277 -0
- package/dist/agent-receipt-pef.d.ts +69 -0
- package/dist/agent-receipt-pef.js +121 -0
- package/dist/agent-receipt-scitt.d.ts +50 -0
- package/dist/agent-receipt-scitt.js +382 -0
- package/dist/agent-receipt.d.ts +55 -0
- package/dist/agent-receipt.js +297 -4
- package/dist/claude-agents/config.d.ts +21 -2
- package/dist/claude-agents/config.js +37 -0
- package/dist/claude-agents/index.d.ts +1 -1
- package/dist/claude-agents/index.js +1 -1
- package/dist/cli/agent/demo-loaders.d.ts +1 -0
- package/dist/cli/agent/demo-loaders.js +12 -0
- package/dist/cli/command-spec.js +16 -1
- package/dist/cli/commands/agent.d.ts +4 -0
- package/dist/cli/commands/agent.js +107 -1
- package/dist/cli/help.js +4 -1
- package/dist/cloudflare-agents/config.d.ts +1 -1
- package/dist/cloudflare-agents/config.js +2 -2
- package/dist/google-adk/config.d.ts +36 -0
- package/dist/google-adk/config.js +172 -0
- package/dist/google-adk/index.d.ts +2 -0
- package/dist/google-adk/index.js +2 -0
- package/dist/google-adk/sandbox-demo.d.ts +32 -0
- package/dist/google-adk/sandbox-demo.js +104 -0
- package/dist/index.d.ts +10 -2
- package/dist/index.js +11 -3
- package/dist/init.js +29 -0
- package/dist/mcp-receipt-resource.js +3 -1
- package/dist/mcp-server.js +182 -10
- package/dist/policy/adapter-options.d.ts +9 -0
- package/dist/policy/adapter-options.js +11 -0
- package/dist/policy/index.d.ts +1 -0
- package/dist/policy/index.js +1 -0
- package/dist/policy/load.d.ts +7 -0
- package/dist/policy/load.js +13 -0
- package/dist/policy/merge.js +26 -0
- package/dist/policy/schema.d.ts +20 -0
- package/dist/policy/schema.js +34 -2
- package/dist/shopify/instrument.d.ts +8 -8
- package/dist/template-init.d.ts +2 -2
- package/dist/template-init.js +12 -4
- package/dist/vercel-ai/config.d.ts +2 -1
- package/dist/vercel-ai/config.js +2 -2
- package/dist/vercel-ai/index.d.ts +2 -1
- package/dist/vercel-ai/index.js +2 -1
- package/dist/vercel-ai/provider-executed.d.ts +7 -0
- package/dist/vercel-ai/provider-executed.js +20 -0
- package/dist/vercel-ai/tool-approval.d.ts +5 -0
- package/dist/vercel-ai/tool-approval.js +8 -1
- package/dist/vercel-ai/wrap-tools.d.ts +8 -1
- package/dist/vercel-ai/wrap-tools.js +17 -4
- package/glama.json +6 -0
- package/package.json +15 -5
- package/templates/manifest.json +57 -12
- package/templates/openai-shopping-agent/package-lock.json +379 -14
- package/templates/openai-shopping-agent/package.json +2 -2
- package/templates/paybond-aws-operator/package-lock.json +376 -11
- package/templates/paybond-aws-operator/package.json +2 -2
- package/templates/paybond-claude-agents-demo/package-lock.json +379 -14
- package/templates/paybond-claude-agents-demo/package.json +2 -2
- package/templates/paybond-cloudflare-shopping-agent/.env.example +3 -0
- package/templates/paybond-cloudflare-shopping-agent/.github/workflows/smoke.yml +20 -0
- package/templates/paybond-cloudflare-shopping-agent/LICENSE +201 -0
- package/templates/paybond-cloudflare-shopping-agent/README.md +29 -0
- package/templates/paybond-cloudflare-shopping-agent/package-lock.json +2671 -0
- package/templates/paybond-cloudflare-shopping-agent/package.json +23 -0
- package/templates/paybond-cloudflare-shopping-agent/paybond.policy.yaml +22 -0
- package/templates/paybond-cloudflare-shopping-agent/src/agent.ts +109 -0
- package/templates/paybond-cloudflare-shopping-agent/src/index.ts +22 -0
- package/templates/paybond-cloudflare-shopping-agent/src/paybond.config.ts +51 -0
- package/templates/paybond-cloudflare-shopping-agent/tsconfig.json +13 -0
- package/templates/paybond-crewai-procurement-agent/.env.example +3 -0
- package/templates/paybond-crewai-procurement-agent/.github/workflows/smoke.yml +19 -0
- package/templates/paybond-crewai-procurement-agent/LICENSE +201 -0
- package/templates/paybond-crewai-procurement-agent/README.md +73 -0
- package/templates/paybond-crewai-procurement-agent/app.py +79 -0
- package/templates/paybond-crewai-procurement-agent/crew.py +117 -0
- package/templates/paybond-crewai-procurement-agent/package.json +6 -0
- package/templates/paybond-crewai-procurement-agent/paybond.policy.yaml +28 -0
- package/templates/paybond-crewai-procurement-agent/paybond_config.py +45 -0
- package/templates/paybond-crewai-procurement-agent/requirements.txt +2 -0
- package/templates/paybond-invoice-agent/requirements.txt +1 -1
- package/templates/paybond-mastra-travel-agent/package-lock.json +379 -14
- package/templates/paybond-mastra-travel-agent/package.json +2 -2
- package/templates/paybond-mcp-coding-agent/package-lock.json +376 -11
- package/templates/paybond-mcp-coding-agent/package.json +2 -2
- package/templates/paybond-openai-agents-demo/package-lock.json +379 -14
- package/templates/paybond-openai-agents-demo/package.json +2 -2
- package/templates/paybond-procurement-agent/package-lock.json +376 -11
- package/templates/paybond-procurement-agent/package.json +2 -2
- package/templates/paybond-shopify-shopping-agent/package-lock.json +376 -11
- package/templates/paybond-shopify-shopping-agent/package.json +2 -2
- package/templates/paybond-stripe-agent-demo/package-lock.json +376 -11
- package/templates/paybond-stripe-agent-demo/package.json +2 -2
- package/templates/paybond-travel-agent/package-lock.json +376 -11
- package/templates/paybond-travel-agent/package.json +2 -2
- package/templates/paybond-vercel-shopping-agent/package-lock.json +376 -11
- package/templates/paybond-vercel-shopping-agent/package.json +2 -2
package/dist/agent/facade.d.ts
CHANGED
|
@@ -42,6 +42,8 @@ export type PaybondWrapToolsOptions = {
|
|
|
42
42
|
sandbox?: boolean;
|
|
43
43
|
attach?: import("./instrument.js").PaybondInstrumentAttachInput;
|
|
44
44
|
context?: import("./instrument.js").PaybondInstrumentContextInput;
|
|
45
|
+
/** Fail closed on provider-executed AI SDK tools (Vercel AI / Cloudflare Agents). */
|
|
46
|
+
denyProviderExecutedTools?: boolean;
|
|
45
47
|
};
|
|
46
48
|
/** Wrap tools for an existing bound run without reloading policy. */
|
|
47
49
|
export declare function wrapPaybondTools(run: PaybondAgentRun, tools: unknown, options?: PaybondWrapToolsOptions): unknown;
|
package/dist/agent/facade.js
CHANGED
|
@@ -3,6 +3,7 @@ import { createPaybondOpenAIAgentsConfig } from "../openai-agents/index.js";
|
|
|
3
3
|
import { isKnownPolicyPresetId, resolvePolicyPresetPath } from "../policy/presets.js";
|
|
4
4
|
import { createPaybondCloudflareAgentsConfig } from "../cloudflare-agents/config.js";
|
|
5
5
|
import { createPaybondMastraConfig } from "../mastra/config.js";
|
|
6
|
+
import { createPaybondGoogleAdkConfig } from "../google-adk/config.js";
|
|
6
7
|
import { createPaybondVercelAgentConfig } from "../vercel-ai/config.js";
|
|
7
8
|
import { createPaybondGenericAgentConfig, createPaybondGenericInputGuard, } from "./generic-runner.js";
|
|
8
9
|
import { instrumentPaybondAgent, PaybondInstrumentRuntime, } from "./instrument.js";
|
|
@@ -62,6 +63,8 @@ export function toPaybondAgentResult(result) {
|
|
|
62
63
|
break;
|
|
63
64
|
case "mastra":
|
|
64
65
|
break;
|
|
66
|
+
case "google-adk":
|
|
67
|
+
break;
|
|
65
68
|
case "cloudflare-agents":
|
|
66
69
|
if (result.toolApproval) {
|
|
67
70
|
hooks.toolApproval = result.toolApproval;
|
|
@@ -102,19 +105,24 @@ export async function createPaybondAgent(paybond, input) {
|
|
|
102
105
|
/** Wrap tools for an existing bound run without reloading policy. */
|
|
103
106
|
export function wrapPaybondTools(run, tools, options) {
|
|
104
107
|
const framework = options?.framework ?? "generic";
|
|
108
|
+
const adapterOptions = options?.denyProviderExecutedTools === true
|
|
109
|
+
? { denyProviderExecutedTools: true }
|
|
110
|
+
: undefined;
|
|
105
111
|
switch (framework) {
|
|
106
112
|
case "generic":
|
|
107
113
|
return createPaybondGenericAgentConfig(run, tools).tools;
|
|
108
114
|
case "vercel-ai":
|
|
109
|
-
return createPaybondVercelAgentConfig(run, tools).tools;
|
|
115
|
+
return createPaybondVercelAgentConfig(run, tools, adapterOptions).tools;
|
|
110
116
|
case "openai-agents":
|
|
111
117
|
return createPaybondOpenAIAgentsConfig(run, tools).tools;
|
|
112
118
|
case "claude-agents":
|
|
113
119
|
return createPaybondClaudeAgentsConfig(run, tools).agentTools;
|
|
114
120
|
case "mastra":
|
|
115
121
|
return createPaybondMastraConfig(run, tools).tools;
|
|
122
|
+
case "google-adk":
|
|
123
|
+
return createPaybondGoogleAdkConfig(run, tools).tools;
|
|
116
124
|
case "cloudflare-agents":
|
|
117
|
-
return createPaybondCloudflareAgentsConfig(run, tools).tools;
|
|
125
|
+
return createPaybondCloudflareAgentsConfig(run, tools, adapterOptions).tools;
|
|
118
126
|
case "langgraph":
|
|
119
127
|
throw new Error('framework "langgraph" does not wrap tools in place; use instrument() or createPaybondLangGraphHooks(run)');
|
|
120
128
|
default: {
|
|
@@ -7,11 +7,12 @@ import { paybondVercelToolApproval } from "../vercel-ai/tool-approval.js";
|
|
|
7
7
|
import { type PaybondLangGraphAwrapToolCall } from "../langgraph/awrap-tool-call.js";
|
|
8
8
|
import { paybondToolNode } from "../langgraph/tool-node.js";
|
|
9
9
|
import { type ClaudeAgentsConfig } from "../claude-agents/config.js";
|
|
10
|
+
import { type PaybondGoogleAdkConfig } from "../google-adk/config.js";
|
|
10
11
|
import type { PaybondToolRegistry } from "./registry.js";
|
|
11
12
|
import type { PaybondAgentRunHost } from "./run.js";
|
|
12
13
|
import { PaybondAgentRun } from "./run.js";
|
|
13
14
|
import type { PaybondRunBindingAttachInput } from "./types.js";
|
|
14
|
-
export type GuardedAgentFramework = "generic" | "openai-agents" | "vercel-ai" | "langgraph" | "claude-agents" | "mastra" | "cloudflare-agents";
|
|
15
|
+
export type GuardedAgentFramework = "generic" | "openai-agents" | "google-adk" | "vercel-ai" | "langgraph" | "claude-agents" | "mastra" | "cloudflare-agents";
|
|
15
16
|
export type CreateGuardedAgentInput<TTools = unknown> = {
|
|
16
17
|
policy: PaybondPolicyLoadSource | PaybondPolicy;
|
|
17
18
|
/** Agent-agnostic wrapping when omitted. Pass a framework only when SDK-specific hooks are required. */
|
|
@@ -39,6 +40,7 @@ export type CreateGuardedAgentResultBase = {
|
|
|
39
40
|
openAIAgentsAdapter?: ReturnType<typeof createOpenAIAgentsAdapter>;
|
|
40
41
|
runConfig?: ReturnType<typeof createOpenAIAgentsAdapter>["runConfig"];
|
|
41
42
|
claudeAgentsConfig?: ClaudeAgentsConfig;
|
|
43
|
+
googleAdkConfig?: PaybondGoogleAdkConfig;
|
|
42
44
|
};
|
|
43
45
|
export type CreateGuardedAgentResult<TTools = unknown> = CreateGuardedAgentResultBase & {
|
|
44
46
|
agentTools: TTools;
|
|
@@ -5,6 +5,7 @@ import { createPaybondLangGraphHooks } from "../langgraph/config.js";
|
|
|
5
5
|
import { createPaybondClaudeAgentsConfig, } from "../claude-agents/config.js";
|
|
6
6
|
import { createPaybondCloudflareAgentsConfig, } from "../cloudflare-agents/config.js";
|
|
7
7
|
import { createPaybondMastraConfig, } from "../mastra/config.js";
|
|
8
|
+
import { createPaybondGoogleAdkConfig, } from "../google-adk/config.js";
|
|
8
9
|
import { createPaybondGenericAgentConfig, } from "./generic-runner.js";
|
|
9
10
|
import { PaybondAgentRun } from "./run.js";
|
|
10
11
|
async function resolvePolicy(source) {
|
|
@@ -48,13 +49,14 @@ export async function createGuardedAgent(paybond, input) {
|
|
|
48
49
|
const run = await bindGuardedRun(paybond, policy, input);
|
|
49
50
|
const base = { run, policy, registry };
|
|
50
51
|
const framework = input.framework ?? "generic";
|
|
52
|
+
const adapterOptions = policy.toAdapterOptions();
|
|
51
53
|
switch (framework) {
|
|
52
54
|
case "generic": {
|
|
53
55
|
const config = createPaybondGenericAgentConfig(run, input.tools);
|
|
54
56
|
return { ...base, framework: "generic", agentTools: config.tools };
|
|
55
57
|
}
|
|
56
58
|
case "vercel-ai": {
|
|
57
|
-
const config = createPaybondVercelAgentConfig(run, input.tools);
|
|
59
|
+
const config = createPaybondVercelAgentConfig(run, input.tools, adapterOptions);
|
|
58
60
|
return {
|
|
59
61
|
...base,
|
|
60
62
|
framework: "vercel-ai",
|
|
@@ -73,6 +75,15 @@ export async function createGuardedAgent(paybond, input) {
|
|
|
73
75
|
runConfig: config.runConfig,
|
|
74
76
|
};
|
|
75
77
|
}
|
|
78
|
+
case "google-adk": {
|
|
79
|
+
const googleAdkConfig = createPaybondGoogleAdkConfig(run, input.tools);
|
|
80
|
+
return {
|
|
81
|
+
...base,
|
|
82
|
+
framework: "google-adk",
|
|
83
|
+
agentTools: googleAdkConfig.tools,
|
|
84
|
+
googleAdkConfig,
|
|
85
|
+
};
|
|
86
|
+
}
|
|
76
87
|
case "langgraph": {
|
|
77
88
|
const hooks = createPaybondLangGraphHooks(run);
|
|
78
89
|
return {
|
|
@@ -101,7 +112,7 @@ export async function createGuardedAgent(paybond, input) {
|
|
|
101
112
|
};
|
|
102
113
|
}
|
|
103
114
|
case "cloudflare-agents": {
|
|
104
|
-
const config = createPaybondCloudflareAgentsConfig(run, input.tools);
|
|
115
|
+
const config = createPaybondCloudflareAgentsConfig(run, input.tools, adapterOptions);
|
|
105
116
|
return {
|
|
106
117
|
...base,
|
|
107
118
|
framework: "cloudflare-agents",
|
package/dist/agent/index.d.ts
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
export { PaybondAgentFacade, createPaybondAgentCallable, type GetAgentReceiptInput, type PaybondAgentCallable, } from "./receipt-client.js";
|
|
2
2
|
export { createGuardedAgent, createGuardedAgentRunner, type CreateGuardedAgentInput, type CreateGuardedAgentResult, type CreateGuardedAgentResultBase, type GuardedAgentFramework, } from "./guarded-agent.js";
|
|
3
3
|
export { createPaybondAgent, resolveAgentPolicySource, toPaybondAgentResult, wrapPaybondTools, type PaybondAgentHooks, type PaybondAgentInput, type PaybondAgentResult, type PaybondInstrumentInput, type PaybondWrapToolsOptions, } from "./facade.js";
|
|
4
|
-
export { PaybondInstrumentBuilder, PaybondInstrumented, PaybondInstrumentRuntime, PaybondLazyContextError, PaybondUnboundContextError, discoverPolicyFromAgent, discoverToolNames, discoverToolsFromAgent, inlinePolicyToDocument, instrumentPaybondAgent, instrumentPaybondClaudeAgents, instrumentPaybondLangGraph, instrumentPaybondMCP, instrumentPaybondOpenAI, instrumentPaybondVercel, isInlinePolicy, isInstrumentableAgentObject, readPaybondAgentInstrumentation, type PaybondAgentInstrumentation, type PaybondInlinePolicy, type PaybondInstrumentAgentOptions, type PaybondInstrumentAttachInput, type PaybondInstrumentBinding, type PaybondInstrumentContext, type PaybondInstrumentContextInput, type PaybondInstrumentContextProvider, } from "./instrument.js";
|
|
4
|
+
export { PaybondInstrumentBuilder, PaybondInstrumented, PaybondInstrumentRuntime, PaybondLazyContextError, PaybondUnboundContextError, discoverPolicyFromAgent, discoverToolNames, discoverToolsFromAgent, inlinePolicyToDocument, instrumentPaybondAgent, instrumentPaybondClaudeAgents, instrumentPaybondLangGraph, instrumentPaybondMCP, instrumentPaybondOpenAI, instrumentPaybondGoogleAdk, instrumentPaybondVercel, isInlinePolicy, isInstrumentableAgentObject, readPaybondAgentInstrumentation, type PaybondAgentInstrumentation, type PaybondInlinePolicy, type PaybondInstrumentAgentOptions, type PaybondInstrumentAttachInput, type PaybondInstrumentBinding, type PaybondInstrumentContext, type PaybondInstrumentContextInput, type PaybondInstrumentContextProvider, } from "./instrument.js";
|
|
5
5
|
export { formatPaybondAttachEnvSnippet, openPaybondAttachBundle, PAYBOND_ATTACH_BUNDLE_ENV, PAYBOND_ATTACH_BUNDLE_PREFIX, PAYBOND_ATTACH_INTENT_ID_ENV, PAYBOND_CAPABILITY_TOKEN_ENV, productionEvidenceFromAttachBundle, resolveAttachContextFromEnv, sealPaybondAttachBundle, type PaybondAttachBundlePayloadV1, type PaybondAttachEnvRecord, } from "./attach-bundle.js";
|
|
6
6
|
export { createPaybondGenericAgentConfig, createPaybondGenericInputGuard, type PaybondGenericAgentConfig, } from "./generic-runner.js";
|
|
7
7
|
export { runGenericSandboxDemo, type RunGenericSandboxDemoInput, type RunGenericSandboxDemoResult, } from "./generic-sandbox-demo.js";
|
|
@@ -11,4 +11,4 @@ export { PaybondToolInterceptor } from "./interceptor.js";
|
|
|
11
11
|
export { PaybondToolRegistry, createPaybondToolRegistry, } from "./registry.js";
|
|
12
12
|
export { PaybondAgentRun, PaybondAgentRunFacade, type PaybondAgentRunHost, } from "./run.js";
|
|
13
13
|
export { agentRegistryDocumentToConfig, buildSmokeRegistry, loadAgentRegistryFile, parseAgentRegistryText, validateAgentRegistryDocument, type AgentRegistryFileDocument, type AgentRegistryValidationResult, } from "./registry-file.js";
|
|
14
|
-
export { PaybondAgentRunBindError, PaybondAutoEvidenceError, PaybondAutoEvidenceSubmitError, PaybondEvidenceSubmitError, PaybondToolRegistryValidationError, PaybondUnregisteredSideEffectingToolError, type PaybondAgentRunBindInput, type PaybondAuthorizeToolCallInput, type PaybondEvidenceMapper, type PaybondExternalAttestationMapper, type PaybondInterceptEvidenceResult, type PaybondInterceptWrapExecuteInput, type PaybondInterceptWrapExecuteResult, type PaybondRunBinding, type PaybondRunBindingAttachInput, type PaybondRunBindingSandboxBootstrapInput, type PaybondRunProductionEvidenceCredentials, type PaybondRunGuard, type PaybondSideEffectingToolEntry, type PaybondSideEffectingToolPolicy, type PaybondSpendResolver, type PaybondToolCallContext, type PaybondToolInputGuardAllowDecision, type PaybondToolInputGuardApprovalRequiredDecision, type PaybondToolInputGuardDecision, type PaybondToolInputGuardDenyDecision, type PaybondToolRegistryConfig, type PaybondToolResolution, type PaybondTraceEvent, type PaybondTraceSink, } from "./types.js";
|
|
14
|
+
export { PaybondAgentRunBindError, PaybondAutoEvidenceError, PaybondAutoEvidenceSubmitError, PaybondEvidenceSubmitError, PaybondToolRegistryValidationError, PaybondUnregisteredSideEffectingToolError, type PaybondAgentRunBindInput, type PaybondAuthorizeToolCallInput, type PaybondEvidenceMapper, type PaybondExternalAttestationMapper, type AgentReceiptComposeResult, type AgentReceiptComposeStatus, type PaybondInterceptEvidenceResult, type PaybondInterceptWrapExecuteInput, type PaybondInterceptWrapExecuteResult, type PaybondRunBinding, type PaybondRunBindingAttachInput, type PaybondRunBindingSandboxBootstrapInput, type PaybondRunProductionEvidenceCredentials, type PaybondRunGuard, type PaybondSideEffectingToolEntry, type PaybondSideEffectingToolPolicy, type PaybondSpendResolver, type PaybondToolCallContext, type PaybondToolInputGuardAllowDecision, type PaybondToolInputGuardApprovalRequiredDecision, type PaybondToolInputGuardDecision, type PaybondToolInputGuardDenyDecision, type PaybondToolRegistryConfig, type PaybondToolResolution, type PaybondTraceEvent, type PaybondTraceSink, } from "./types.js";
|
package/dist/agent/index.js
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
export { PaybondAgentFacade, createPaybondAgentCallable, } from "./receipt-client.js";
|
|
2
2
|
export { createGuardedAgent, createGuardedAgentRunner, } from "./guarded-agent.js";
|
|
3
3
|
export { createPaybondAgent, resolveAgentPolicySource, toPaybondAgentResult, wrapPaybondTools, } from "./facade.js";
|
|
4
|
-
export { PaybondInstrumentBuilder, PaybondInstrumented, PaybondInstrumentRuntime, PaybondLazyContextError, PaybondUnboundContextError, discoverPolicyFromAgent, discoverToolNames, discoverToolsFromAgent, inlinePolicyToDocument, instrumentPaybondAgent, instrumentPaybondClaudeAgents, instrumentPaybondLangGraph, instrumentPaybondMCP, instrumentPaybondOpenAI, instrumentPaybondVercel, isInlinePolicy, isInstrumentableAgentObject, readPaybondAgentInstrumentation, } from "./instrument.js";
|
|
4
|
+
export { PaybondInstrumentBuilder, PaybondInstrumented, PaybondInstrumentRuntime, PaybondLazyContextError, PaybondUnboundContextError, discoverPolicyFromAgent, discoverToolNames, discoverToolsFromAgent, inlinePolicyToDocument, instrumentPaybondAgent, instrumentPaybondClaudeAgents, instrumentPaybondLangGraph, instrumentPaybondMCP, instrumentPaybondOpenAI, instrumentPaybondGoogleAdk, instrumentPaybondVercel, isInlinePolicy, isInstrumentableAgentObject, readPaybondAgentInstrumentation, } from "./instrument.js";
|
|
5
5
|
export { formatPaybondAttachEnvSnippet, openPaybondAttachBundle, PAYBOND_ATTACH_BUNDLE_ENV, PAYBOND_ATTACH_BUNDLE_PREFIX, PAYBOND_ATTACH_INTENT_ID_ENV, PAYBOND_CAPABILITY_TOKEN_ENV, productionEvidenceFromAttachBundle, resolveAttachContextFromEnv, sealPaybondAttachBundle, } from "./attach-bundle.js";
|
|
6
6
|
export { createPaybondGenericAgentConfig, createPaybondGenericInputGuard, } from "./generic-runner.js";
|
|
7
7
|
export { runGenericSandboxDemo, } from "./generic-sandbox-demo.js";
|
|
@@ -145,6 +145,9 @@ export declare function instrumentPaybondLangGraph<TTools>(paybond: PaybondAgent
|
|
|
145
145
|
export declare function instrumentPaybondOpenAI<TTools>(paybond: PaybondAgentRunHost, input: Omit<PaybondInstrumentBaseInput<TTools>, "framework"> & {
|
|
146
146
|
tools: TTools;
|
|
147
147
|
}): Promise<PaybondInstrumented<TTools> | PaybondInstrumentRuntime<TTools>>;
|
|
148
|
+
export declare function instrumentPaybondGoogleAdk<TTools>(paybond: PaybondAgentRunHost, input: Omit<PaybondInstrumentBaseInput<TTools>, "framework"> & {
|
|
149
|
+
tools: TTools;
|
|
150
|
+
}): Promise<PaybondInstrumented<TTools> | PaybondInstrumentRuntime<TTools>>;
|
|
148
151
|
export declare function instrumentPaybondVercel<TTools>(paybond: PaybondAgentRunHost, input: Omit<PaybondInstrumentBaseInput<TTools>, "framework"> & {
|
|
149
152
|
tools: TTools;
|
|
150
153
|
}): Promise<PaybondInstrumented<TTools> | PaybondInstrumentRuntime<TTools>>;
|
package/dist/agent/instrument.js
CHANGED
|
@@ -3,6 +3,8 @@ import { wrapDeferredTools } from "./deferred-tools.js";
|
|
|
3
3
|
import { PaybondLazyContextError, wrapLazyContextTools } from "./lazy-context-tools.js";
|
|
4
4
|
import { attachPaybondAgentInstrumentation, discoverPolicyFromAgent, discoverToolsFromAgent, isInstrumentableAgentObject, } from "./discover.js";
|
|
5
5
|
import { createGuardedAgent, } from "./guarded-agent.js";
|
|
6
|
+
import { createPaybondGenericInputGuard, } from "./generic-runner.js";
|
|
7
|
+
import { paybondVercelToolApproval } from "../vercel-ai/tool-approval.js";
|
|
6
8
|
import { toPaybondAgentResult, wrapPaybondTools, } from "./facade.js";
|
|
7
9
|
import { PaybondAgentRun } from "./run.js";
|
|
8
10
|
import { resolveAttachContextFromEnv, } from "./attach-bundle.js";
|
|
@@ -186,14 +188,25 @@ function bindingFromRun(run, mode, userId) {
|
|
|
186
188
|
function hooksFromGuardedResult(result) {
|
|
187
189
|
return toPaybondAgentResult(result).hooks;
|
|
188
190
|
}
|
|
189
|
-
function wrapToolsForFramework(run, rawTools, framework, guarded) {
|
|
191
|
+
function wrapToolsForFramework(run, rawTools, framework, guarded, adapterOptions) {
|
|
190
192
|
if (framework === "langgraph") {
|
|
191
193
|
return rawTools;
|
|
192
194
|
}
|
|
193
195
|
if (guarded) {
|
|
194
196
|
return guarded.agentTools;
|
|
195
197
|
}
|
|
196
|
-
return wrapPaybondTools(run, rawTools, { framework });
|
|
198
|
+
return wrapPaybondTools(run, rawTools, { framework, ...adapterOptions });
|
|
199
|
+
}
|
|
200
|
+
function hooksForAttachedFramework(run, framework, adapterOptions) {
|
|
201
|
+
const hooks = {};
|
|
202
|
+
if (framework === "generic") {
|
|
203
|
+
hooks.inputGuard = createPaybondGenericInputGuard(run);
|
|
204
|
+
return hooks;
|
|
205
|
+
}
|
|
206
|
+
if (framework === "vercel-ai" || framework === "cloudflare-agents") {
|
|
207
|
+
hooks.toolApproval = paybondVercelToolApproval(run, adapterOptions);
|
|
208
|
+
}
|
|
209
|
+
return hooks;
|
|
197
210
|
}
|
|
198
211
|
/**
|
|
199
212
|
* Bound Paybond runtime for one agent session — immutable; create a new runtime per request.
|
|
@@ -299,14 +312,9 @@ async function createBoundRuntime(paybond, policy, rawTools, framework, context,
|
|
|
299
312
|
attach,
|
|
300
313
|
traceSink,
|
|
301
314
|
});
|
|
302
|
-
const
|
|
303
|
-
const
|
|
304
|
-
|
|
305
|
-
policy,
|
|
306
|
-
registry: policy.toToolRegistry(),
|
|
307
|
-
framework,
|
|
308
|
-
agentTools: tools,
|
|
309
|
-
});
|
|
315
|
+
const adapterOptions = policy.toAdapterOptions();
|
|
316
|
+
const tools = wrapToolsForFramework(run, rawTools, framework, undefined, adapterOptions);
|
|
317
|
+
const hooks = hooksForAttachedFramework(run, framework, adapterOptions);
|
|
310
318
|
return new PaybondInstrumentRuntime(tools, run, policy, hooks, bindingFromRun(run, "attach", context.userId));
|
|
311
319
|
}
|
|
312
320
|
function toPaybondInstrumentRuntime(result, rawTools, bindMode, userId) {
|
|
@@ -431,6 +439,9 @@ export function instrumentPaybondLangGraph(paybond, input) {
|
|
|
431
439
|
export function instrumentPaybondOpenAI(paybond, input) {
|
|
432
440
|
return frameworkInstrument(paybond, "openai-agents", input);
|
|
433
441
|
}
|
|
442
|
+
export function instrumentPaybondGoogleAdk(paybond, input) {
|
|
443
|
+
return frameworkInstrument(paybond, "google-adk", input);
|
|
444
|
+
}
|
|
434
445
|
export function instrumentPaybondVercel(paybond, input) {
|
|
435
446
|
return frameworkInstrument(paybond, "vercel-ai", input);
|
|
436
447
|
}
|
|
@@ -23,6 +23,23 @@ function assertOperationAllowed(operation, allowedTools) {
|
|
|
23
23
|
throw new Error(`operation "${operation}" is not in bound intent allowedTools (${allowedTools.join(", ")})`);
|
|
24
24
|
}
|
|
25
25
|
}
|
|
26
|
+
function parseAgentReceiptComposeResult(value) {
|
|
27
|
+
if (!value || typeof value !== "object" || Array.isArray(value)) {
|
|
28
|
+
return undefined;
|
|
29
|
+
}
|
|
30
|
+
const record = value;
|
|
31
|
+
const composeStatus = record.compose_status;
|
|
32
|
+
if (composeStatus !== "composed" && composeStatus !== "failed") {
|
|
33
|
+
return undefined;
|
|
34
|
+
}
|
|
35
|
+
return {
|
|
36
|
+
composeStatus,
|
|
37
|
+
receiptId: typeof record.receipt_id === "string" ? record.receipt_id : undefined,
|
|
38
|
+
scope: typeof record.scope === "string" ? record.scope : undefined,
|
|
39
|
+
warningCode: typeof record.warning_code === "string" ? record.warning_code : undefined,
|
|
40
|
+
warningMessage: typeof record.warning_message === "string" ? record.warning_message : undefined,
|
|
41
|
+
};
|
|
42
|
+
}
|
|
26
43
|
function mapSandboxEvidenceResult(result) {
|
|
27
44
|
return {
|
|
28
45
|
submitted: true,
|
|
@@ -31,6 +48,7 @@ function mapSandboxEvidenceResult(result) {
|
|
|
31
48
|
sandboxLifecycleStatus: result.sandbox_lifecycle_status,
|
|
32
49
|
payloadDigestSha256Hex: result.payload_digest?.trim().toLowerCase() || undefined,
|
|
33
50
|
artifactsDigestSha256Hex: result.artifacts_digest?.trim().toLowerCase() || undefined,
|
|
51
|
+
agentReceipt: parseAgentReceiptComposeResult(result.agent_receipt),
|
|
34
52
|
};
|
|
35
53
|
}
|
|
36
54
|
function isSpendApprovalRequiredError(err) {
|
|
@@ -486,6 +504,7 @@ export class PaybondToolInterceptor {
|
|
|
486
504
|
predicatePassed,
|
|
487
505
|
payloadDigestSha256Hex,
|
|
488
506
|
artifactsDigestSha256Hex,
|
|
507
|
+
agentReceipt: parseAgentReceiptComposeResult(resultRecord.agent_receipt),
|
|
489
508
|
};
|
|
490
509
|
}
|
|
491
510
|
catch (err) {
|
package/dist/agent/types.d.ts
CHANGED
|
@@ -165,6 +165,15 @@ export type PaybondRunGuard = {
|
|
|
165
165
|
assertSpendAuthorized(input: PaybondRunGuardAuthInput): Promise<PaybondRunGuardAuthResult>;
|
|
166
166
|
completeSpendAuthorization(decisionId: string, outcome: "consumed" | "released"): Promise<void>;
|
|
167
167
|
};
|
|
168
|
+
export type AgentReceiptComposeStatus = "composed" | "failed";
|
|
169
|
+
/** Structured Gateway compose outcome attached to Harbor evidence responses when signing is configured. */
|
|
170
|
+
export type AgentReceiptComposeResult = {
|
|
171
|
+
composeStatus: AgentReceiptComposeStatus;
|
|
172
|
+
receiptId?: string;
|
|
173
|
+
scope?: string;
|
|
174
|
+
warningCode?: string;
|
|
175
|
+
warningMessage?: string;
|
|
176
|
+
};
|
|
168
177
|
export type PaybondInterceptEvidenceResult = {
|
|
169
178
|
submitted: true;
|
|
170
179
|
intentId: string;
|
|
@@ -175,6 +184,11 @@ export type PaybondInterceptEvidenceResult = {
|
|
|
175
184
|
payloadDigestSha256Hex?: string;
|
|
176
185
|
/** sha256 hex digest of submitted evidence artifacts, when returned by Harbor. */
|
|
177
186
|
artifactsDigestSha256Hex?: string;
|
|
187
|
+
/**
|
|
188
|
+
* Gateway agent-receipt compose outcome when `PAYBOND_AGENT_RECEIPT_SIGNING_KEY_HEX` is
|
|
189
|
+
* configured. `composeStatus: "failed"` is a structured warning — evidence still succeeded.
|
|
190
|
+
*/
|
|
191
|
+
agentReceipt?: AgentReceiptComposeResult;
|
|
178
192
|
};
|
|
179
193
|
export type PaybondInterceptWrapExecuteResult<TResult> = {
|
|
180
194
|
toolResult: TResult;
|
|
@@ -0,0 +1,58 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* ACTA decision-receipt projection for `paybond.agent_receipt_v1`.
|
|
3
|
+
*
|
|
4
|
+
* Maps ARS fields into the ACTA Signed Decision Receipt shape
|
|
5
|
+
* (`draft-farley-acta-signed-receipts`) for MCP / governance handoff.
|
|
6
|
+
* This is an export projection only — ARS remains the canonical wire format
|
|
7
|
+
* and authenticity is verified via native ARS verify, not ACTA JCS re-sign.
|
|
8
|
+
*/
|
|
9
|
+
import type { AgentReceiptV1 } from "./agent-receipt.js";
|
|
10
|
+
/** ACTA payload `type` for Paybond agent-receipt projections. */
|
|
11
|
+
export declare const ACTA_AGENT_RECEIPT_TYPE = "paybond:agent_receipt";
|
|
12
|
+
/** ACTA signature algorithm label used in the projected envelope. */
|
|
13
|
+
export declare const ACTA_SIGNATURE_ALG_EDDSA = "EdDSA";
|
|
14
|
+
export type ActaDecision = "allow" | "deny";
|
|
15
|
+
export type ActaDecisionReceiptPayloadV1 = {
|
|
16
|
+
type: typeof ACTA_AGENT_RECEIPT_TYPE;
|
|
17
|
+
issued_at: string;
|
|
18
|
+
issuer_id: string;
|
|
19
|
+
tool_name?: string;
|
|
20
|
+
decision: ActaDecision;
|
|
21
|
+
reason?: string;
|
|
22
|
+
policy_digest?: string;
|
|
23
|
+
session_id?: string;
|
|
24
|
+
action_ref?: string;
|
|
25
|
+
payload_digest?: string;
|
|
26
|
+
/** Correlation: native ARS receipt_id. */
|
|
27
|
+
ars_receipt_id: string;
|
|
28
|
+
/** Correlation: ARS scope (`action` | `intent_terminal`). */
|
|
29
|
+
ars_scope: string;
|
|
30
|
+
/** Correlation: ARS kind constant. */
|
|
31
|
+
ars_kind: "paybond.agent_receipt_v1";
|
|
32
|
+
};
|
|
33
|
+
export type ActaDecisionReceiptSignatureV1 = {
|
|
34
|
+
alg: typeof ACTA_SIGNATURE_ALG_EDDSA;
|
|
35
|
+
kid: string;
|
|
36
|
+
sig: string;
|
|
37
|
+
};
|
|
38
|
+
/**
|
|
39
|
+
* ACTA-shaped decision receipt projected from a verified/composed ARS envelope.
|
|
40
|
+
*
|
|
41
|
+
* `signature` copies ARS Ed25519 material for correlation. Consumers MUST verify
|
|
42
|
+
* the original ARS envelope (or `payload_digest`) with native ARS verify —
|
|
43
|
+
* ACTA JCS signing over this projected payload is not performed.
|
|
44
|
+
*/
|
|
45
|
+
export type ActaDecisionReceiptV1 = {
|
|
46
|
+
payload: ActaDecisionReceiptPayloadV1;
|
|
47
|
+
signature: ActaDecisionReceiptSignatureV1;
|
|
48
|
+
};
|
|
49
|
+
/**
|
|
50
|
+
* Maps ARS execution / outcome fields to an ACTA allow/deny decision.
|
|
51
|
+
*/
|
|
52
|
+
export declare function projectActaDecisionFromAgentReceipt(receipt: AgentReceiptV1 | Record<string, unknown>): ActaDecision;
|
|
53
|
+
/**
|
|
54
|
+
* Projects a composed/verified ARS receipt into an ACTA decision-receipt shape.
|
|
55
|
+
*
|
|
56
|
+
* @throws Error when required ARS correlation fields are missing
|
|
57
|
+
*/
|
|
58
|
+
export declare function projectAgentReceiptToActaDecisionReceipt(receipt: AgentReceiptV1 | Record<string, unknown>): ActaDecisionReceiptV1;
|
|
@@ -0,0 +1,140 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* ACTA decision-receipt projection for `paybond.agent_receipt_v1`.
|
|
3
|
+
*
|
|
4
|
+
* Maps ARS fields into the ACTA Signed Decision Receipt shape
|
|
5
|
+
* (`draft-farley-acta-signed-receipts`) for MCP / governance handoff.
|
|
6
|
+
* This is an export projection only — ARS remains the canonical wire format
|
|
7
|
+
* and authenticity is verified via native ARS verify, not ACTA JCS re-sign.
|
|
8
|
+
*/
|
|
9
|
+
/** ACTA payload `type` for Paybond agent-receipt projections. */
|
|
10
|
+
export const ACTA_AGENT_RECEIPT_TYPE = "paybond:agent_receipt";
|
|
11
|
+
/** ACTA signature algorithm label used in the projected envelope. */
|
|
12
|
+
export const ACTA_SIGNATURE_ALG_EDDSA = "EdDSA";
|
|
13
|
+
function asRecord(value) {
|
|
14
|
+
if (!value || typeof value !== "object" || Array.isArray(value)) {
|
|
15
|
+
return null;
|
|
16
|
+
}
|
|
17
|
+
return value;
|
|
18
|
+
}
|
|
19
|
+
function optionalString(value) {
|
|
20
|
+
if (typeof value !== "string") {
|
|
21
|
+
return undefined;
|
|
22
|
+
}
|
|
23
|
+
const trimmed = value.trim();
|
|
24
|
+
return trimmed.length > 0 ? trimmed : undefined;
|
|
25
|
+
}
|
|
26
|
+
function sha256Prefixed(hexDigest) {
|
|
27
|
+
const normalized = hexDigest.trim().toLowerCase();
|
|
28
|
+
if (normalized.startsWith("sha256:")) {
|
|
29
|
+
return normalized;
|
|
30
|
+
}
|
|
31
|
+
return `sha256:${normalized}`;
|
|
32
|
+
}
|
|
33
|
+
/**
|
|
34
|
+
* Maps ARS execution / outcome fields to an ACTA allow/deny decision.
|
|
35
|
+
*/
|
|
36
|
+
export function projectActaDecisionFromAgentReceipt(receipt) {
|
|
37
|
+
const doc = receipt;
|
|
38
|
+
const scope = optionalString(doc.scope)?.toLowerCase();
|
|
39
|
+
const outcome = asRecord(doc.outcome);
|
|
40
|
+
const execution = asRecord(doc.execution);
|
|
41
|
+
const evidence = asRecord(doc.evidence);
|
|
42
|
+
if (scope === "intent_terminal") {
|
|
43
|
+
const settlement = optionalString(outcome?.settlement_outcome)?.toUpperCase();
|
|
44
|
+
if (settlement === "FAILED" || settlement === "REVERSED") {
|
|
45
|
+
return "deny";
|
|
46
|
+
}
|
|
47
|
+
if (settlement === "SETTLED" || settlement === "PENDING_FINALITY") {
|
|
48
|
+
return "allow";
|
|
49
|
+
}
|
|
50
|
+
const harbor = optionalString(outcome?.harbor_state)?.toLowerCase();
|
|
51
|
+
if (harbor === "failed" || harbor === "failure" || harbor === "refunded") {
|
|
52
|
+
return "deny";
|
|
53
|
+
}
|
|
54
|
+
return "allow";
|
|
55
|
+
}
|
|
56
|
+
const execOutcome = optionalString(execution?.outcome)?.toLowerCase();
|
|
57
|
+
if (execOutcome && execOutcome !== "executed") {
|
|
58
|
+
return "deny";
|
|
59
|
+
}
|
|
60
|
+
if (evidence?.predicate_passed === false || outcome?.predicate_passed === false) {
|
|
61
|
+
return "deny";
|
|
62
|
+
}
|
|
63
|
+
return "allow";
|
|
64
|
+
}
|
|
65
|
+
/**
|
|
66
|
+
* Projects a composed/verified ARS receipt into an ACTA decision-receipt shape.
|
|
67
|
+
*
|
|
68
|
+
* @throws Error when required ARS correlation fields are missing
|
|
69
|
+
*/
|
|
70
|
+
export function projectAgentReceiptToActaDecisionReceipt(receipt) {
|
|
71
|
+
const doc = receipt;
|
|
72
|
+
const receiptId = optionalString(doc.receipt_id);
|
|
73
|
+
const issuedAt = optionalString(doc.issued_at);
|
|
74
|
+
const scope = optionalString(doc.scope);
|
|
75
|
+
const pubKey = optionalString(doc.signing_public_key_ed25519_hex)?.toLowerCase();
|
|
76
|
+
const sig = optionalString(doc.ed25519_signature_hex)?.toLowerCase();
|
|
77
|
+
const messageDigest = optionalString(doc.message_digest_sha256_hex)?.toLowerCase();
|
|
78
|
+
if (!receiptId) {
|
|
79
|
+
throw new Error("acta projection: receipt_id is required");
|
|
80
|
+
}
|
|
81
|
+
if (!issuedAt) {
|
|
82
|
+
throw new Error("acta projection: issued_at is required");
|
|
83
|
+
}
|
|
84
|
+
if (!scope) {
|
|
85
|
+
throw new Error("acta projection: scope is required");
|
|
86
|
+
}
|
|
87
|
+
if (!pubKey) {
|
|
88
|
+
throw new Error("acta projection: signing_public_key_ed25519_hex is required");
|
|
89
|
+
}
|
|
90
|
+
if (!sig) {
|
|
91
|
+
throw new Error("acta projection: ed25519_signature_hex is required");
|
|
92
|
+
}
|
|
93
|
+
const authorization = asRecord(doc.authorization);
|
|
94
|
+
const policy = asRecord(authorization?.policy);
|
|
95
|
+
const execution = asRecord(doc.execution);
|
|
96
|
+
const outcome = asRecord(doc.outcome);
|
|
97
|
+
const continuity = asRecord(doc.continuity);
|
|
98
|
+
const policyDigestHex = optionalString(policy?.content_digest_sha256_hex);
|
|
99
|
+
const toolName = optionalString(execution?.tool_name);
|
|
100
|
+
const sessionId = optionalString(execution?.run_id) ?? optionalString(continuity?.run_id);
|
|
101
|
+
const actionRef = optionalString(execution?.arguments_digest_sha256_hex) ?? messageDigest;
|
|
102
|
+
const reason = optionalString(outcome?.harbor_state) ??
|
|
103
|
+
optionalString(outcome?.spend_reservation_outcome) ??
|
|
104
|
+
optionalString(outcome?.settlement_outcome);
|
|
105
|
+
const payload = {
|
|
106
|
+
type: ACTA_AGENT_RECEIPT_TYPE,
|
|
107
|
+
issued_at: issuedAt,
|
|
108
|
+
issuer_id: pubKey,
|
|
109
|
+
decision: projectActaDecisionFromAgentReceipt(doc),
|
|
110
|
+
ars_receipt_id: receiptId,
|
|
111
|
+
ars_scope: scope,
|
|
112
|
+
ars_kind: "paybond.agent_receipt_v1",
|
|
113
|
+
};
|
|
114
|
+
if (toolName) {
|
|
115
|
+
payload.tool_name = toolName;
|
|
116
|
+
}
|
|
117
|
+
if (reason) {
|
|
118
|
+
payload.reason = reason;
|
|
119
|
+
}
|
|
120
|
+
if (policyDigestHex) {
|
|
121
|
+
payload.policy_digest = sha256Prefixed(policyDigestHex);
|
|
122
|
+
}
|
|
123
|
+
if (sessionId) {
|
|
124
|
+
payload.session_id = sessionId;
|
|
125
|
+
}
|
|
126
|
+
if (actionRef) {
|
|
127
|
+
payload.action_ref = actionRef.toLowerCase();
|
|
128
|
+
}
|
|
129
|
+
if (messageDigest) {
|
|
130
|
+
payload.payload_digest = sha256Prefixed(messageDigest);
|
|
131
|
+
}
|
|
132
|
+
return {
|
|
133
|
+
payload,
|
|
134
|
+
signature: {
|
|
135
|
+
alg: ACTA_SIGNATURE_ALG_EDDSA,
|
|
136
|
+
kid: pubKey,
|
|
137
|
+
sig,
|
|
138
|
+
},
|
|
139
|
+
};
|
|
140
|
+
}
|
|
@@ -0,0 +1,40 @@
|
|
|
1
|
+
import { type VerifyAgentReceiptV1Options } from "./agent-receipt.js";
|
|
2
|
+
export declare const AGENT_RECEIPT_TRANSPARENCY_STH_KIND_V1 = "paybond.agent_receipt_transparency_sth_v1";
|
|
3
|
+
export declare const AGENT_RECEIPT_TRANSPARENCY_INCLUSION_PROOF_KIND_V1 = "paybond.agent_receipt_transparency_inclusion_proof_v1";
|
|
4
|
+
export declare const AGENT_RECEIPT_TRANSPARENCY_SCHEMA_VERSION = 1;
|
|
5
|
+
export type SignedTreeHeadV1 = {
|
|
6
|
+
kind: string;
|
|
7
|
+
schema_version: number;
|
|
8
|
+
tenant_id: string;
|
|
9
|
+
tree_size: number;
|
|
10
|
+
root_hash_sha256_hex: string;
|
|
11
|
+
issued_at: string;
|
|
12
|
+
signing_algorithm: string;
|
|
13
|
+
signing_public_key_ed25519_hex: string;
|
|
14
|
+
message_digest_sha256_hex: string;
|
|
15
|
+
ed25519_signature_hex: string;
|
|
16
|
+
};
|
|
17
|
+
export type InclusionProofV1 = {
|
|
18
|
+
kind: string;
|
|
19
|
+
schema_version: number;
|
|
20
|
+
tenant_id: string;
|
|
21
|
+
receipt_id: string;
|
|
22
|
+
message_digest_sha256_hex: string;
|
|
23
|
+
leaf_index: number;
|
|
24
|
+
tree_size: number;
|
|
25
|
+
leaf_hash_sha256_hex: string;
|
|
26
|
+
audit_path_sha256_hex: string[];
|
|
27
|
+
root_hash_sha256_hex: string;
|
|
28
|
+
tree_head: SignedTreeHeadV1;
|
|
29
|
+
};
|
|
30
|
+
/** RFC 6962 leaf hash: SHA-256(0x00 || leafData). */
|
|
31
|
+
export declare function merkleLeafHashRFC6962(leafData: Uint8Array): Uint8Array;
|
|
32
|
+
/** RFC 6962 internal node hash: SHA-256(0x01 || left || right). */
|
|
33
|
+
export declare function merkleNodeHashRFC6962(left: Uint8Array, right: Uint8Array): Uint8Array;
|
|
34
|
+
/** Verifies a signed tree head (digest + Ed25519). */
|
|
35
|
+
export declare function verifySignedTreeHeadV1(sth: SignedTreeHeadV1, options?: VerifyAgentReceiptV1Options): Promise<SignedTreeHeadV1>;
|
|
36
|
+
/**
|
|
37
|
+
* Verifies that a receipt message digest is included in a published signed tree head
|
|
38
|
+
* via an RFC 6962 Merkle inclusion proof.
|
|
39
|
+
*/
|
|
40
|
+
export declare function verifyAgentReceiptInclusion(proof: InclusionProofV1, options?: VerifyAgentReceiptV1Options): Promise<InclusionProofV1>;
|