@paybond/kit 0.9.8 → 0.11.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (368) hide show
  1. package/completion-presets/catalog.json +1187 -0
  2. package/completion-presets/catalog.sha256 +1 -0
  3. package/dev/trace-ui/dashboard.html +617 -0
  4. package/dist/agent/adapter.d.ts +51 -0
  5. package/dist/agent/adapter.js +66 -0
  6. package/dist/agent/attach-bundle.d.ts +37 -0
  7. package/dist/agent/attach-bundle.js +118 -0
  8. package/dist/agent/authorization-cache.d.ts +22 -0
  9. package/dist/agent/authorization-cache.js +36 -0
  10. package/dist/agent/deferred-tools.d.ts +11 -0
  11. package/dist/agent/deferred-tools.js +62 -0
  12. package/dist/agent/discover.d.ts +41 -0
  13. package/dist/agent/discover.js +147 -0
  14. package/dist/agent/evidence.d.ts +9 -0
  15. package/dist/agent/evidence.js +28 -0
  16. package/dist/agent/facade.d.ts +48 -0
  17. package/dist/agent/facade.js +112 -0
  18. package/dist/agent/gateway-trace-reporter.d.ts +28 -0
  19. package/dist/agent/gateway-trace-reporter.js +49 -0
  20. package/dist/agent/generic-runner.d.ts +14 -0
  21. package/dist/agent/generic-runner.js +49 -0
  22. package/dist/agent/generic-sandbox-demo.d.ts +36 -0
  23. package/dist/agent/generic-sandbox-demo.js +82 -0
  24. package/dist/agent/guarded-agent.d.ts +49 -0
  25. package/dist/agent/guarded-agent.js +100 -0
  26. package/dist/agent/index.d.ts +13 -0
  27. package/dist/agent/index.js +13 -0
  28. package/dist/agent/instrument.d.ts +156 -0
  29. package/dist/agent/instrument.js +442 -0
  30. package/dist/agent/interceptor.d.ts +24 -0
  31. package/dist/agent/interceptor.js +440 -0
  32. package/dist/agent/lazy-context-tools.d.ts +15 -0
  33. package/dist/agent/lazy-context-tools.js +81 -0
  34. package/dist/agent/registry-file.d.ts +39 -0
  35. package/dist/agent/registry-file.js +219 -0
  36. package/dist/agent/registry.d.ts +37 -0
  37. package/dist/agent/registry.js +128 -0
  38. package/dist/agent/run.d.ts +124 -0
  39. package/dist/agent/run.js +301 -0
  40. package/dist/agent/types.d.ts +318 -0
  41. package/dist/agent/types.js +42 -0
  42. package/dist/agent-recognition.d.ts +72 -0
  43. package/dist/agent-recognition.js +165 -0
  44. package/dist/bincode-wire.d.ts +18 -0
  45. package/dist/bincode-wire.js +93 -0
  46. package/dist/claude-agents/config.d.ts +21 -0
  47. package/dist/claude-agents/config.js +145 -0
  48. package/dist/claude-agents/index.d.ts +2 -0
  49. package/dist/claude-agents/index.js +2 -0
  50. package/dist/claude-agents/sandbox-demo.d.ts +30 -0
  51. package/dist/claude-agents/sandbox-demo.js +91 -0
  52. package/dist/cli/agent/env-quote.d.ts +1 -0
  53. package/dist/cli/agent/env-quote.js +6 -0
  54. package/dist/cli/agent/env-write.d.ts +8 -0
  55. package/dist/cli/agent/env-write.js +47 -0
  56. package/dist/cli/agent/paybond.d.ts +16 -0
  57. package/dist/cli/agent/paybond.js +55 -0
  58. package/dist/cli/agent/policy-file.d.ts +29 -0
  59. package/dist/cli/agent/policy-file.js +61 -0
  60. package/dist/cli/agent/production-evidence.d.ts +24 -0
  61. package/dist/cli/agent/production-evidence.js +98 -0
  62. package/dist/cli/agent/run-store.d.ts +30 -0
  63. package/dist/cli/agent/run-store.js +42 -0
  64. package/dist/cli/agent/run-trace-store.d.ts +39 -0
  65. package/dist/cli/agent/run-trace-store.js +143 -0
  66. package/dist/cli/agent-run-trace-table.d.ts +9 -0
  67. package/dist/cli/agent-run-trace-table.js +24 -0
  68. package/dist/cli/agent-sandbox-smoke-checklist.d.ts +9 -0
  69. package/dist/cli/agent-sandbox-smoke-checklist.js +50 -0
  70. package/dist/cli/audit-export.d.ts +7 -0
  71. package/dist/cli/audit-export.js +120 -0
  72. package/dist/cli/automation.d.ts +25 -0
  73. package/dist/cli/automation.js +297 -0
  74. package/dist/cli/body.d.ts +7 -0
  75. package/dist/cli/body.js +22 -0
  76. package/dist/cli/color.d.ts +15 -0
  77. package/dist/cli/color.js +39 -0
  78. package/dist/cli/command-spec.d.ts +13 -0
  79. package/dist/cli/command-spec.js +611 -0
  80. package/dist/cli/commands/agent.d.ts +16 -0
  81. package/dist/cli/commands/agent.js +1135 -0
  82. package/dist/cli/commands/dev.d.ts +7 -0
  83. package/dist/cli/commands/dev.js +348 -0
  84. package/dist/cli/commands/discovery.d.ts +8 -0
  85. package/dist/cli/commands/discovery.js +194 -0
  86. package/dist/cli/commands/policy.d.ts +13 -0
  87. package/dist/cli/commands/policy.js +769 -0
  88. package/dist/cli/commands/setup.d.ts +18 -0
  89. package/dist/cli/commands/setup.js +513 -0
  90. package/dist/cli/commands/workflows.d.ts +7 -0
  91. package/dist/cli/commands/workflows.js +214 -0
  92. package/dist/cli/config.d.ts +16 -0
  93. package/dist/cli/config.js +98 -0
  94. package/dist/cli/context.d.ts +22 -0
  95. package/dist/cli/context.js +110 -0
  96. package/dist/cli/credentials.d.ts +21 -0
  97. package/dist/cli/credentials.js +141 -0
  98. package/dist/cli/doctor-agent-middleware.d.ts +5 -0
  99. package/dist/cli/doctor-agent-middleware.js +49 -0
  100. package/dist/cli/doctor-agent.d.ts +15 -0
  101. package/dist/cli/doctor-agent.js +311 -0
  102. package/dist/cli/envelope.d.ts +14 -0
  103. package/dist/cli/envelope.js +46 -0
  104. package/dist/cli/globals.d.ts +23 -0
  105. package/dist/cli/globals.js +248 -0
  106. package/dist/cli/help.d.ts +3 -0
  107. package/dist/cli/help.js +83 -0
  108. package/dist/cli/mcp-install.d.ts +41 -0
  109. package/dist/cli/mcp-install.js +95 -0
  110. package/dist/cli/mcp-policy.d.ts +26 -0
  111. package/dist/cli/mcp-policy.js +110 -0
  112. package/dist/cli/mcp-verify-config.d.ts +37 -0
  113. package/dist/cli/mcp-verify-config.js +172 -0
  114. package/dist/cli/redact.d.ts +4 -0
  115. package/dist/cli/redact.js +88 -0
  116. package/dist/cli/request-id.d.ts +2 -0
  117. package/dist/cli/request-id.js +5 -0
  118. package/dist/cli/router.d.ts +2 -0
  119. package/dist/cli/router.js +378 -0
  120. package/dist/cli/smoke-deep-links.d.ts +15 -0
  121. package/dist/cli/smoke-deep-links.js +63 -0
  122. package/dist/cli/suggest.d.ts +4 -0
  123. package/dist/cli/suggest.js +58 -0
  124. package/dist/cli/support-diagnostics.d.ts +19 -0
  125. package/dist/cli/support-diagnostics.js +47 -0
  126. package/dist/cli/telemetry.d.ts +17 -0
  127. package/dist/cli/telemetry.js +94 -0
  128. package/dist/cli/types.d.ts +72 -0
  129. package/dist/cli/types.js +60 -0
  130. package/dist/cli/ux.d.ts +8 -0
  131. package/dist/cli/ux.js +164 -0
  132. package/dist/cli.d.ts +2 -0
  133. package/dist/cli.js +38 -0
  134. package/dist/completion-catalog-digest.d.ts +2 -0
  135. package/dist/completion-catalog-digest.js +2 -0
  136. package/dist/completion-catalog-integrity.d.ts +2 -0
  137. package/dist/completion-catalog-integrity.js +17 -0
  138. package/dist/completion-catalog.d.ts +49 -0
  139. package/dist/completion-catalog.js +62 -0
  140. package/dist/completion-contract-digest.d.ts +37 -0
  141. package/dist/completion-contract-digest.js +73 -0
  142. package/dist/completion-forbidden-fields.d.ts +5 -0
  143. package/dist/completion-forbidden-fields.js +26 -0
  144. package/dist/completion-init.d.ts +8 -0
  145. package/dist/completion-init.js +334 -0
  146. package/dist/completion-resolve.d.ts +21 -0
  147. package/dist/completion-resolve.js +86 -0
  148. package/dist/completion-validate-evidence.d.ts +24 -0
  149. package/dist/completion-validate-evidence.js +145 -0
  150. package/dist/dev/offline-gateway.d.ts +24 -0
  151. package/dist/dev/offline-gateway.js +102 -0
  152. package/dist/dev/trace-buffer.d.ts +61 -0
  153. package/dist/dev/trace-buffer.js +330 -0
  154. package/dist/dev/trace-security-headers.d.ts +11 -0
  155. package/dist/dev/trace-security-headers.js +16 -0
  156. package/dist/dev/trace-server.d.ts +8 -0
  157. package/dist/dev/trace-server.js +38 -0
  158. package/dist/dev/trace-ui.d.ts +4 -0
  159. package/dist/dev/trace-ui.js +25 -0
  160. package/dist/dev/wiremock-up.d.ts +15 -0
  161. package/dist/dev/wiremock-up.js +118 -0
  162. package/dist/doctor-completion.d.ts +17 -0
  163. package/dist/doctor-completion.js +428 -0
  164. package/dist/gateway-url.d.ts +7 -0
  165. package/dist/gateway-url.js +69 -0
  166. package/dist/index.d.ts +119 -2
  167. package/dist/index.js +267 -6
  168. package/dist/init.js +380 -68
  169. package/dist/langgraph/awrap-tool-call.d.ts +25 -0
  170. package/dist/langgraph/awrap-tool-call.js +81 -0
  171. package/dist/langgraph/config.d.ts +13 -0
  172. package/dist/langgraph/config.js +11 -0
  173. package/dist/langgraph/index.d.ts +4 -0
  174. package/dist/langgraph/index.js +4 -0
  175. package/dist/langgraph/sandbox-demo.d.ts +40 -0
  176. package/dist/langgraph/sandbox-demo.js +96 -0
  177. package/dist/langgraph/tool-node.d.ts +10 -0
  178. package/dist/langgraph/tool-node.js +38 -0
  179. package/dist/login.d.ts +14 -1
  180. package/dist/login.js +130 -63
  181. package/dist/mcp/index.d.ts +1 -0
  182. package/dist/mcp/index.js +1 -0
  183. package/dist/mcp/tool-surface.d.ts +25 -0
  184. package/dist/mcp/tool-surface.js +17 -0
  185. package/dist/mcp-capability-token-cache.d.ts +24 -0
  186. package/dist/mcp-capability-token-cache.js +101 -0
  187. package/dist/mcp-evidence-policy.d.ts +48 -0
  188. package/dist/mcp-evidence-policy.js +117 -0
  189. package/dist/mcp-policy-reload.d.ts +79 -0
  190. package/dist/mcp-policy-reload.js +200 -0
  191. package/dist/mcp-sep2828-evidence.d.ts +36 -0
  192. package/dist/mcp-sep2828-evidence.js +65 -0
  193. package/dist/mcp-server.d.ts +10 -0
  194. package/dist/mcp-server.js +423 -115
  195. package/dist/openai-agents/index.d.ts +40 -0
  196. package/dist/openai-agents/index.js +151 -0
  197. package/dist/openai-agents/sandbox-demo.d.ts +34 -0
  198. package/dist/openai-agents/sandbox-demo.js +118 -0
  199. package/dist/payee-evidence.js +2 -29
  200. package/dist/policy/catalog.d.ts +31 -0
  201. package/dist/policy/catalog.js +48 -0
  202. package/dist/policy/compose-utils.d.ts +3 -0
  203. package/dist/policy/compose-utils.js +4 -0
  204. package/dist/policy/compose.d.ts +20 -0
  205. package/dist/policy/compose.js +240 -0
  206. package/dist/policy/digest.d.ts +7 -0
  207. package/dist/policy/digest.js +75 -0
  208. package/dist/policy/domain.d.ts +15 -0
  209. package/dist/policy/domain.js +28 -0
  210. package/dist/policy/guardrail-spec.d.ts +17 -0
  211. package/dist/policy/guardrail-spec.js +140 -0
  212. package/dist/policy/guardrails.d.ts +48 -0
  213. package/dist/policy/guardrails.js +72 -0
  214. package/dist/policy/index.d.ts +21 -0
  215. package/dist/policy/index.js +21 -0
  216. package/dist/policy/init.d.ts +102 -0
  217. package/dist/policy/init.js +351 -0
  218. package/dist/policy/intent-spec.d.ts +52 -0
  219. package/dist/policy/intent-spec.js +176 -0
  220. package/dist/policy/json-path.d.ts +4 -0
  221. package/dist/policy/json-path.js +23 -0
  222. package/dist/policy/layers-io.d.ts +7 -0
  223. package/dist/policy/layers-io.js +28 -0
  224. package/dist/policy/load-effective.d.ts +22 -0
  225. package/dist/policy/load-effective.js +77 -0
  226. package/dist/policy/load.d.ts +85 -0
  227. package/dist/policy/load.js +164 -0
  228. package/dist/policy/merge.d.ts +29 -0
  229. package/dist/policy/merge.js +297 -0
  230. package/dist/policy/parse-text.d.ts +2 -0
  231. package/dist/policy/parse-text.js +126 -0
  232. package/dist/policy/policy-api.d.ts +45 -0
  233. package/dist/policy/policy-api.js +61 -0
  234. package/dist/policy/presets.d.ts +19 -0
  235. package/dist/policy/presets.js +66 -0
  236. package/dist/policy/registry.d.ts +7 -0
  237. package/dist/policy/registry.js +33 -0
  238. package/dist/policy/reload.d.ts +86 -0
  239. package/dist/policy/reload.js +233 -0
  240. package/dist/policy/render-yaml.d.ts +3 -0
  241. package/dist/policy/render-yaml.js +69 -0
  242. package/dist/policy/sandbox-bootstrap.d.ts +19 -0
  243. package/dist/policy/sandbox-bootstrap.js +66 -0
  244. package/dist/policy/schema.d.ts +204 -0
  245. package/dist/policy/schema.js +255 -0
  246. package/dist/policy/snapshot.d.ts +33 -0
  247. package/dist/policy/snapshot.js +23 -0
  248. package/dist/policy/validate-remote.d.ts +43 -0
  249. package/dist/policy/validate-remote.js +104 -0
  250. package/dist/policy/validate.d.ts +36 -0
  251. package/dist/policy/validate.js +150 -0
  252. package/dist/policy/watcher.d.ts +29 -0
  253. package/dist/policy/watcher.js +112 -0
  254. package/dist/principal-intent.d.ts +52 -0
  255. package/dist/principal-intent.js +193 -37
  256. package/dist/project-init.d.ts +34 -0
  257. package/dist/project-init.js +898 -0
  258. package/dist/sep2828-signature.d.ts +10 -0
  259. package/dist/sep2828-signature.js +134 -0
  260. package/dist/solutions/api.d.ts +22 -0
  261. package/dist/solutions/api.js +40 -0
  262. package/dist/solutions/catalog.d.ts +34 -0
  263. package/dist/solutions/catalog.js +129 -0
  264. package/dist/solutions/index.d.ts +2 -0
  265. package/dist/solutions/index.js +2 -0
  266. package/dist/template-init.d.ts +54 -0
  267. package/dist/template-init.js +203 -0
  268. package/dist/vercel-ai/config.d.ts +15 -0
  269. package/dist/vercel-ai/config.js +13 -0
  270. package/dist/vercel-ai/index.d.ts +4 -0
  271. package/dist/vercel-ai/index.js +4 -0
  272. package/dist/vercel-ai/sandbox-demo.d.ts +44 -0
  273. package/dist/vercel-ai/sandbox-demo.js +153 -0
  274. package/dist/vercel-ai/tool-approval.d.ts +16 -0
  275. package/dist/vercel-ai/tool-approval.js +41 -0
  276. package/dist/vercel-ai/wrap-tools.d.ts +9 -0
  277. package/dist/vercel-ai/wrap-tools.js +40 -0
  278. package/dist/x402-receipt-evidence.d.ts +29 -0
  279. package/dist/x402-receipt-evidence.js +97 -0
  280. package/dist/x402-receipt-signature.d.ts +12 -0
  281. package/dist/x402-receipt-signature.js +211 -0
  282. package/package.json +79 -4
  283. package/solutions/aws.json +17 -0
  284. package/solutions/saas.json +17 -0
  285. package/solutions/shopping.json +17 -0
  286. package/solutions/travel.json +18 -0
  287. package/templates/manifest.json +169 -0
  288. package/templates/openai-shopping-agent/.env.example +3 -0
  289. package/templates/openai-shopping-agent/.github/workflows/smoke.yml +20 -0
  290. package/templates/openai-shopping-agent/LICENSE +201 -0
  291. package/templates/openai-shopping-agent/README.md +29 -0
  292. package/templates/openai-shopping-agent/package.json +22 -0
  293. package/templates/openai-shopping-agent/paybond.policy.yaml +22 -0
  294. package/templates/openai-shopping-agent/src/index.ts +22 -0
  295. package/templates/openai-shopping-agent/src/paybond.config.ts +51 -0
  296. package/templates/openai-shopping-agent/tsconfig.json +13 -0
  297. package/templates/paybond-aws-operator/.env.example +3 -0
  298. package/templates/paybond-aws-operator/.github/workflows/smoke.yml +20 -0
  299. package/templates/paybond-aws-operator/LICENSE +201 -0
  300. package/templates/paybond-aws-operator/README.md +29 -0
  301. package/templates/paybond-aws-operator/package.json +20 -0
  302. package/templates/paybond-aws-operator/paybond.policy.yaml +22 -0
  303. package/templates/paybond-aws-operator/src/index.ts +54 -0
  304. package/templates/paybond-aws-operator/src/paybond.config.ts +51 -0
  305. package/templates/paybond-aws-operator/tsconfig.json +13 -0
  306. package/templates/paybond-claude-agents-demo/.env.example +3 -0
  307. package/templates/paybond-claude-agents-demo/.github/workflows/smoke.yml +20 -0
  308. package/templates/paybond-claude-agents-demo/LICENSE +201 -0
  309. package/templates/paybond-claude-agents-demo/README.md +29 -0
  310. package/templates/paybond-claude-agents-demo/package.json +22 -0
  311. package/templates/paybond-claude-agents-demo/paybond.policy.yaml +22 -0
  312. package/templates/paybond-claude-agents-demo/src/index.ts +22 -0
  313. package/templates/paybond-claude-agents-demo/src/paybond.config.ts +51 -0
  314. package/templates/paybond-claude-agents-demo/tsconfig.json +13 -0
  315. package/templates/paybond-invoice-agent/.env.example +3 -0
  316. package/templates/paybond-invoice-agent/.github/workflows/smoke.yml +19 -0
  317. package/templates/paybond-invoice-agent/LICENSE +201 -0
  318. package/templates/paybond-invoice-agent/README.md +29 -0
  319. package/templates/paybond-invoice-agent/app.py +27 -0
  320. package/templates/paybond-invoice-agent/package.json +6 -0
  321. package/templates/paybond-invoice-agent/paybond.policy.yaml +22 -0
  322. package/templates/paybond-invoice-agent/paybond_config.py +45 -0
  323. package/templates/paybond-invoice-agent/requirements.txt +2 -0
  324. package/templates/paybond-mcp-coding-agent/.env.example +3 -0
  325. package/templates/paybond-mcp-coding-agent/.github/workflows/smoke.yml +20 -0
  326. package/templates/paybond-mcp-coding-agent/LICENSE +201 -0
  327. package/templates/paybond-mcp-coding-agent/README.md +39 -0
  328. package/templates/paybond-mcp-coding-agent/package.json +20 -0
  329. package/templates/paybond-mcp-coding-agent/paybond.policy.yaml +25 -0
  330. package/templates/paybond-mcp-coding-agent/src/index.ts +40 -0
  331. package/templates/paybond-mcp-coding-agent/src/paybond.config.ts +51 -0
  332. package/templates/paybond-mcp-coding-agent/tsconfig.json +13 -0
  333. package/templates/paybond-openai-agents-demo/.env.example +3 -0
  334. package/templates/paybond-openai-agents-demo/.github/workflows/smoke.yml +20 -0
  335. package/templates/paybond-openai-agents-demo/LICENSE +201 -0
  336. package/templates/paybond-openai-agents-demo/README.md +29 -0
  337. package/templates/paybond-openai-agents-demo/package.json +22 -0
  338. package/templates/paybond-openai-agents-demo/paybond.policy.yaml +22 -0
  339. package/templates/paybond-openai-agents-demo/src/index.ts +22 -0
  340. package/templates/paybond-openai-agents-demo/src/paybond.config.ts +51 -0
  341. package/templates/paybond-openai-agents-demo/tsconfig.json +13 -0
  342. package/templates/paybond-procurement-agent/.env.example +3 -0
  343. package/templates/paybond-procurement-agent/.github/workflows/smoke.yml +20 -0
  344. package/templates/paybond-procurement-agent/LICENSE +201 -0
  345. package/templates/paybond-procurement-agent/README.md +29 -0
  346. package/templates/paybond-procurement-agent/package.json +20 -0
  347. package/templates/paybond-procurement-agent/paybond.policy.yaml +25 -0
  348. package/templates/paybond-procurement-agent/src/index.ts +54 -0
  349. package/templates/paybond-procurement-agent/src/paybond.config.ts +51 -0
  350. package/templates/paybond-procurement-agent/tsconfig.json +13 -0
  351. package/templates/paybond-travel-agent/.env.example +3 -0
  352. package/templates/paybond-travel-agent/.github/workflows/smoke.yml +20 -0
  353. package/templates/paybond-travel-agent/LICENSE +201 -0
  354. package/templates/paybond-travel-agent/README.md +29 -0
  355. package/templates/paybond-travel-agent/package.json +23 -0
  356. package/templates/paybond-travel-agent/paybond.policy.yaml +22 -0
  357. package/templates/paybond-travel-agent/src/index.ts +22 -0
  358. package/templates/paybond-travel-agent/src/paybond.config.ts +51 -0
  359. package/templates/paybond-travel-agent/tsconfig.json +13 -0
  360. package/templates/paybond-vercel-shopping-agent/.env.example +3 -0
  361. package/templates/paybond-vercel-shopping-agent/.github/workflows/smoke.yml +20 -0
  362. package/templates/paybond-vercel-shopping-agent/LICENSE +201 -0
  363. package/templates/paybond-vercel-shopping-agent/README.md +29 -0
  364. package/templates/paybond-vercel-shopping-agent/package.json +22 -0
  365. package/templates/paybond-vercel-shopping-agent/paybond.policy.yaml +22 -0
  366. package/templates/paybond-vercel-shopping-agent/src/index.ts +22 -0
  367. package/templates/paybond-vercel-shopping-agent/src/paybond.config.ts +51 -0
  368. package/templates/paybond-vercel-shopping-agent/tsconfig.json +13 -0
@@ -0,0 +1,204 @@
1
+ import { z } from "zod";
2
+ /** Supported `paybond.policy.yaml` schema revisions. */
3
+ export declare const PAYBOND_POLICY_SCHEMA_VERSION: 1;
4
+ export declare const PAYBOND_POLICY_SCHEMA_VERSION_V2: 2;
5
+ declare const policyToolEntrySchema: z.ZodObject<{
6
+ side_effecting: z.ZodBoolean;
7
+ max_spend_cents: z.ZodOptional<z.ZodNumber>;
8
+ spend_from_args: z.ZodOptional<z.ZodString>;
9
+ evidence_preset: z.ZodOptional<z.ZodString>;
10
+ vendor_pack: z.ZodOptional<z.ZodString>;
11
+ operation: z.ZodOptional<z.ZodString>;
12
+ }, z.core.$strict>;
13
+ declare const policyToolOverrideEntrySchema: z.ZodObject<{
14
+ side_effecting: z.ZodOptional<z.ZodBoolean>;
15
+ max_spend_cents: z.ZodOptional<z.ZodNumber>;
16
+ spend_from_args: z.ZodOptional<z.ZodString>;
17
+ evidence_preset: z.ZodOptional<z.ZodString>;
18
+ vendor_pack: z.ZodOptional<z.ZodString>;
19
+ operation: z.ZodOptional<z.ZodString>;
20
+ }, z.core.$strict>;
21
+ declare const policyBindingSchema: z.ZodObject<{
22
+ template_id: z.ZodString;
23
+ version_seq: z.ZodOptional<z.ZodNumber>;
24
+ head_digest: z.ZodOptional<z.ZodString>;
25
+ }, z.core.$strict>;
26
+ declare const policyBindingOverrideSchema: z.ZodObject<{
27
+ template_id: z.ZodOptional<z.ZodString>;
28
+ version_seq: z.ZodOptional<z.ZodNumber>;
29
+ head_digest: z.ZodOptional<z.ZodString>;
30
+ }, z.core.$strict>;
31
+ declare const policyBudgetSchema: z.ZodObject<{
32
+ currency: z.ZodString;
33
+ max_spend_usd: z.ZodOptional<z.ZodNumber>;
34
+ }, z.core.$loose>;
35
+ declare const policyIntentSchema: z.ZodObject<{
36
+ policy_binding: z.ZodOptional<z.ZodObject<{
37
+ template_id: z.ZodString;
38
+ version_seq: z.ZodOptional<z.ZodNumber>;
39
+ head_digest: z.ZodOptional<z.ZodString>;
40
+ }, z.core.$strict>>;
41
+ budget: z.ZodOptional<z.ZodObject<{
42
+ currency: z.ZodString;
43
+ max_spend_usd: z.ZodOptional<z.ZodNumber>;
44
+ }, z.core.$loose>>;
45
+ allowed_tools: z.ZodOptional<z.ZodArray<z.ZodString>>;
46
+ }, z.core.$strict>;
47
+ declare const policyIntentOverrideSchema: z.ZodObject<{
48
+ policy_binding: z.ZodOptional<z.ZodObject<{
49
+ template_id: z.ZodOptional<z.ZodString>;
50
+ version_seq: z.ZodOptional<z.ZodNumber>;
51
+ head_digest: z.ZodOptional<z.ZodString>;
52
+ }, z.core.$strict>>;
53
+ budget: z.ZodOptional<z.ZodObject<{
54
+ currency: z.ZodString;
55
+ max_spend_usd: z.ZodOptional<z.ZodNumber>;
56
+ }, z.core.$loose>>;
57
+ allowed_tools: z.ZodOptional<z.ZodArray<z.ZodString>>;
58
+ }, z.core.$strict>;
59
+ declare const policyExtendsSchema: z.ZodObject<{
60
+ org_policy_id: z.ZodString;
61
+ org_id: z.ZodString;
62
+ base_digest: z.ZodOptional<z.ZodString>;
63
+ base_policy: z.ZodOptional<z.ZodString>;
64
+ }, z.core.$strict>;
65
+ declare const policyOverridesSchema: z.ZodObject<{
66
+ default_deny: z.ZodOptional<z.ZodBoolean>;
67
+ tools: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodObject<{
68
+ side_effecting: z.ZodOptional<z.ZodBoolean>;
69
+ max_spend_cents: z.ZodOptional<z.ZodNumber>;
70
+ spend_from_args: z.ZodOptional<z.ZodString>;
71
+ evidence_preset: z.ZodOptional<z.ZodString>;
72
+ vendor_pack: z.ZodOptional<z.ZodString>;
73
+ operation: z.ZodOptional<z.ZodString>;
74
+ }, z.core.$strict>>>;
75
+ intent: z.ZodOptional<z.ZodObject<{
76
+ policy_binding: z.ZodOptional<z.ZodObject<{
77
+ template_id: z.ZodOptional<z.ZodString>;
78
+ version_seq: z.ZodOptional<z.ZodNumber>;
79
+ head_digest: z.ZodOptional<z.ZodString>;
80
+ }, z.core.$strict>>;
81
+ budget: z.ZodOptional<z.ZodObject<{
82
+ currency: z.ZodString;
83
+ max_spend_usd: z.ZodOptional<z.ZodNumber>;
84
+ }, z.core.$loose>>;
85
+ allowed_tools: z.ZodOptional<z.ZodArray<z.ZodString>>;
86
+ }, z.core.$strict>>;
87
+ }, z.core.$strict>;
88
+ export declare const paybondPolicyDocumentV1Schema: z.ZodObject<{
89
+ version: z.ZodLiteral<1>;
90
+ name: z.ZodString;
91
+ default_deny: z.ZodBoolean;
92
+ tools: z.ZodRecord<z.ZodString, z.ZodObject<{
93
+ side_effecting: z.ZodBoolean;
94
+ max_spend_cents: z.ZodOptional<z.ZodNumber>;
95
+ spend_from_args: z.ZodOptional<z.ZodString>;
96
+ evidence_preset: z.ZodOptional<z.ZodString>;
97
+ vendor_pack: z.ZodOptional<z.ZodString>;
98
+ operation: z.ZodOptional<z.ZodString>;
99
+ }, z.core.$strict>>;
100
+ intent: z.ZodOptional<z.ZodObject<{
101
+ policy_binding: z.ZodOptional<z.ZodObject<{
102
+ template_id: z.ZodString;
103
+ version_seq: z.ZodOptional<z.ZodNumber>;
104
+ head_digest: z.ZodOptional<z.ZodString>;
105
+ }, z.core.$strict>>;
106
+ budget: z.ZodOptional<z.ZodObject<{
107
+ currency: z.ZodString;
108
+ max_spend_usd: z.ZodOptional<z.ZodNumber>;
109
+ }, z.core.$loose>>;
110
+ allowed_tools: z.ZodOptional<z.ZodArray<z.ZodString>>;
111
+ }, z.core.$strict>>;
112
+ }, z.core.$strict>;
113
+ export declare const paybondPolicyDocumentV2Schema: z.ZodObject<{
114
+ version: z.ZodLiteral<2>;
115
+ name: z.ZodString;
116
+ default_deny: z.ZodBoolean;
117
+ extends: z.ZodOptional<z.ZodObject<{
118
+ org_policy_id: z.ZodString;
119
+ org_id: z.ZodString;
120
+ base_digest: z.ZodOptional<z.ZodString>;
121
+ base_policy: z.ZodOptional<z.ZodString>;
122
+ }, z.core.$strict>>;
123
+ overrides: z.ZodOptional<z.ZodObject<{
124
+ default_deny: z.ZodOptional<z.ZodBoolean>;
125
+ tools: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodObject<{
126
+ side_effecting: z.ZodOptional<z.ZodBoolean>;
127
+ max_spend_cents: z.ZodOptional<z.ZodNumber>;
128
+ spend_from_args: z.ZodOptional<z.ZodString>;
129
+ evidence_preset: z.ZodOptional<z.ZodString>;
130
+ vendor_pack: z.ZodOptional<z.ZodString>;
131
+ operation: z.ZodOptional<z.ZodString>;
132
+ }, z.core.$strict>>>;
133
+ intent: z.ZodOptional<z.ZodObject<{
134
+ policy_binding: z.ZodOptional<z.ZodObject<{
135
+ template_id: z.ZodOptional<z.ZodString>;
136
+ version_seq: z.ZodOptional<z.ZodNumber>;
137
+ head_digest: z.ZodOptional<z.ZodString>;
138
+ }, z.core.$strict>>;
139
+ budget: z.ZodOptional<z.ZodObject<{
140
+ currency: z.ZodString;
141
+ max_spend_usd: z.ZodOptional<z.ZodNumber>;
142
+ }, z.core.$loose>>;
143
+ allowed_tools: z.ZodOptional<z.ZodArray<z.ZodString>>;
144
+ }, z.core.$strict>>;
145
+ }, z.core.$strict>>;
146
+ tools: z.ZodRecord<z.ZodString, z.ZodObject<{
147
+ side_effecting: z.ZodBoolean;
148
+ max_spend_cents: z.ZodOptional<z.ZodNumber>;
149
+ spend_from_args: z.ZodOptional<z.ZodString>;
150
+ evidence_preset: z.ZodOptional<z.ZodString>;
151
+ vendor_pack: z.ZodOptional<z.ZodString>;
152
+ operation: z.ZodOptional<z.ZodString>;
153
+ }, z.core.$strict>>;
154
+ intent: z.ZodOptional<z.ZodObject<{
155
+ policy_binding: z.ZodOptional<z.ZodObject<{
156
+ template_id: z.ZodString;
157
+ version_seq: z.ZodOptional<z.ZodNumber>;
158
+ head_digest: z.ZodOptional<z.ZodString>;
159
+ }, z.core.$strict>>;
160
+ budget: z.ZodOptional<z.ZodObject<{
161
+ currency: z.ZodString;
162
+ max_spend_usd: z.ZodOptional<z.ZodNumber>;
163
+ }, z.core.$loose>>;
164
+ allowed_tools: z.ZodOptional<z.ZodArray<z.ZodString>>;
165
+ }, z.core.$strict>>;
166
+ }, z.core.$strict>;
167
+ export type PaybondPolicyToolEntry = z.infer<typeof policyToolEntrySchema>;
168
+ export type PaybondPolicyToolOverrideEntry = z.infer<typeof policyToolOverrideEntrySchema>;
169
+ export type PaybondPolicyBinding = z.infer<typeof policyBindingSchema>;
170
+ export type PaybondPolicyBindingOverride = z.infer<typeof policyBindingOverrideSchema>;
171
+ export type PaybondPolicyBudget = z.infer<typeof policyBudgetSchema>;
172
+ export type PaybondPolicyIntentSection = z.infer<typeof policyIntentSchema>;
173
+ export type PaybondPolicyIntentOverrideSection = z.infer<typeof policyIntentOverrideSchema>;
174
+ export type PaybondPolicyExtends = z.infer<typeof policyExtendsSchema>;
175
+ export type PaybondPolicyOverrides = z.infer<typeof policyOverridesSchema>;
176
+ export type PaybondPolicyDocumentV1 = z.infer<typeof paybondPolicyDocumentV1Schema>;
177
+ export type PaybondPolicyDocumentV2 = z.infer<typeof paybondPolicyDocumentV2Schema>;
178
+ export type PaybondPolicyDocument = PaybondPolicyDocumentV1 | PaybondPolicyDocumentV2;
179
+ export type PaybondPolicyValidationIssue = {
180
+ path: string;
181
+ code: string;
182
+ message: string;
183
+ };
184
+ /** Raised when a policy document fails schema validation. */
185
+ export declare class PaybondPolicyValidationError extends Error {
186
+ readonly issues: PaybondPolicyValidationIssue[];
187
+ constructor(message: string, issues?: PaybondPolicyValidationIssue[]);
188
+ }
189
+ /**
190
+ * Parse and validate a raw policy document (already-decoded JSON or YAML object).
191
+ * Accepts v1 flat policies and v2 org-base or tenant-overlay documents.
192
+ */
193
+ export declare function parsePaybondPolicyDocument(raw: unknown): PaybondPolicyDocument;
194
+ /** Parse a v1-only policy document. */
195
+ export declare function parsePaybondPolicyDocumentV1(raw: unknown): PaybondPolicyDocumentV1;
196
+ /** Parse a v2 policy document (org base or tenant overlay). */
197
+ export declare function parsePaybondPolicyDocumentV2(raw: unknown): PaybondPolicyDocumentV2;
198
+ /** Type guard for an already-validated v1 policy document. */
199
+ export declare function isPaybondPolicyDocumentV1(value: unknown): value is PaybondPolicyDocumentV1;
200
+ /** Type guard for an already-validated v2 policy document. */
201
+ export declare function isPaybondPolicyDocumentV2(value: unknown): value is PaybondPolicyDocumentV2;
202
+ /** True when a v2 document is a tenant overlay (declares extends). */
203
+ export declare function isPaybondPolicyOverlay(document: PaybondPolicyDocumentV2): boolean;
204
+ export {};
@@ -0,0 +1,255 @@
1
+ import { z } from "zod";
2
+ /** Supported `paybond.policy.yaml` schema revisions. */
3
+ export const PAYBOND_POLICY_SCHEMA_VERSION = 1;
4
+ export const PAYBOND_POLICY_SCHEMA_VERSION_V2 = 2;
5
+ const IDENTIFIER_PATTERN = /^[a-z0-9_]{1,64}$/;
6
+ const POLICY_NAME_PATTERN = /^[a-z][a-z0-9_-]{0,63}$/;
7
+ const TOOL_NAME_PATTERN = /^[a-z][a-z0-9_.-]{0,127}$/;
8
+ const JSON_PATH_PATTERN = /^[a-zA-Z_][a-zA-Z0-9_.]*$/;
9
+ const HEAD_DIGEST_PATTERN = /^sha256:[0-9a-fA-F]{64}$/;
10
+ const CURRENCY_PATTERN = /^[a-z]{3}$/;
11
+ const ORG_ID_PATTERN = /^org_[a-z][a-z0-9_]{0,57}$/;
12
+ const identifierSchema = z
13
+ .string()
14
+ .regex(IDENTIFIER_PATTERN, "must be snake_case identifier (1-64 chars)");
15
+ const toolNameSchema = z
16
+ .string()
17
+ .regex(TOOL_NAME_PATTERN, "must be a lowercase tool name (dots allowed)");
18
+ const jsonPathSchema = z
19
+ .string()
20
+ .regex(JSON_PATH_PATTERN, "must be a dot-separated JSON path");
21
+ const headDigestSchema = z
22
+ .string()
23
+ .regex(HEAD_DIGEST_PATTERN, "must be sha256:<64-hex>");
24
+ const orgIdSchema = z
25
+ .string()
26
+ .regex(ORG_ID_PATTERN, "must be an org identifier (org_<snake_case>)");
27
+ function refineSpendExclusivity(entry, ctx, pathPrefix) {
28
+ if (entry.max_spend_cents !== undefined &&
29
+ entry.spend_from_args !== undefined) {
30
+ ctx.addIssue({
31
+ code: "custom",
32
+ path: [...pathPrefix, "spend_from_args"],
33
+ message: "max_spend_cents and spend_from_args are mutually exclusive",
34
+ });
35
+ }
36
+ }
37
+ function refineSideEffectingEvidence(entry, ctx, pathPrefix) {
38
+ if (entry.side_effecting && !entry.evidence_preset) {
39
+ ctx.addIssue({
40
+ code: "custom",
41
+ path: [...pathPrefix, "evidence_preset"],
42
+ message: "side-effecting tools must declare evidence_preset",
43
+ });
44
+ }
45
+ }
46
+ const policyToolEntrySchema = z
47
+ .object({
48
+ side_effecting: z.boolean(),
49
+ max_spend_cents: z.number().int().nonnegative().optional(),
50
+ spend_from_args: jsonPathSchema.optional(),
51
+ evidence_preset: identifierSchema.optional(),
52
+ vendor_pack: identifierSchema.optional(),
53
+ operation: z.string().min(1).max(128).optional(),
54
+ })
55
+ .strict()
56
+ .superRefine((entry, ctx) => {
57
+ refineSideEffectingEvidence(entry, ctx, []);
58
+ refineSpendExclusivity(entry, ctx, []);
59
+ });
60
+ const policyToolOverrideEntrySchema = z
61
+ .object({
62
+ side_effecting: z.boolean().optional(),
63
+ max_spend_cents: z.number().int().nonnegative().optional(),
64
+ spend_from_args: jsonPathSchema.optional(),
65
+ evidence_preset: identifierSchema.optional(),
66
+ vendor_pack: identifierSchema.optional(),
67
+ operation: z.string().min(1).max(128).optional(),
68
+ })
69
+ .strict()
70
+ .superRefine((entry, ctx) => {
71
+ if (Object.keys(entry).length === 0) {
72
+ ctx.addIssue({
73
+ code: "custom",
74
+ path: [],
75
+ message: "tool override must set at least one field",
76
+ });
77
+ }
78
+ refineSideEffectingEvidence(entry, ctx, []);
79
+ refineSpendExclusivity(entry, ctx, []);
80
+ });
81
+ const policyBindingSchema = z
82
+ .object({
83
+ template_id: identifierSchema,
84
+ version_seq: z.number().int().positive().optional(),
85
+ head_digest: headDigestSchema.optional(),
86
+ })
87
+ .strict();
88
+ const policyBindingOverrideSchema = z
89
+ .object({
90
+ template_id: identifierSchema.optional(),
91
+ version_seq: z.number().int().positive().optional(),
92
+ head_digest: headDigestSchema.optional(),
93
+ })
94
+ .strict()
95
+ .superRefine((binding, ctx) => {
96
+ if (Object.keys(binding).length === 0) {
97
+ ctx.addIssue({
98
+ code: "custom",
99
+ path: [],
100
+ message: "policy_binding override must set at least one field",
101
+ });
102
+ }
103
+ });
104
+ const policyBudgetSchema = z
105
+ .object({
106
+ currency: z.string().regex(CURRENCY_PATTERN, "must be a lowercase ISO-4217 code"),
107
+ max_spend_usd: z.number().nonnegative().optional(),
108
+ })
109
+ .passthrough();
110
+ const policyIntentSchema = z
111
+ .object({
112
+ policy_binding: policyBindingSchema.optional(),
113
+ budget: policyBudgetSchema.optional(),
114
+ allowed_tools: z.array(toolNameSchema).optional(),
115
+ })
116
+ .strict();
117
+ const policyIntentOverrideSchema = z
118
+ .object({
119
+ policy_binding: policyBindingOverrideSchema.optional(),
120
+ budget: policyBudgetSchema.optional(),
121
+ allowed_tools: z.array(toolNameSchema).optional(),
122
+ })
123
+ .strict()
124
+ .superRefine((intent, ctx) => {
125
+ if (Object.keys(intent).length === 0) {
126
+ ctx.addIssue({
127
+ code: "custom",
128
+ path: [],
129
+ message: "intent override must set at least one field",
130
+ });
131
+ }
132
+ });
133
+ const policyExtendsSchema = z
134
+ .object({
135
+ org_policy_id: z
136
+ .string()
137
+ .regex(POLICY_NAME_PATTERN, "must be a lowercase policy name"),
138
+ org_id: orgIdSchema,
139
+ base_digest: headDigestSchema.optional(),
140
+ base_policy: z.string().min(1).max(512).optional(),
141
+ })
142
+ .strict();
143
+ const policyOverridesSchema = z
144
+ .object({
145
+ default_deny: z.boolean().optional(),
146
+ tools: z.record(toolNameSchema, policyToolOverrideEntrySchema).optional(),
147
+ intent: policyIntentOverrideSchema.optional(),
148
+ })
149
+ .strict()
150
+ .superRefine((overrides, ctx) => {
151
+ if (overrides.default_deny === undefined &&
152
+ !overrides.tools &&
153
+ !overrides.intent) {
154
+ ctx.addIssue({
155
+ code: "custom",
156
+ path: [],
157
+ message: "overrides must set default_deny, tools, and/or intent",
158
+ });
159
+ }
160
+ });
161
+ export const paybondPolicyDocumentV1Schema = z
162
+ .object({
163
+ version: z.literal(PAYBOND_POLICY_SCHEMA_VERSION),
164
+ name: z.string().regex(POLICY_NAME_PATTERN, "must be a lowercase policy name"),
165
+ default_deny: z.boolean(),
166
+ tools: z
167
+ .record(toolNameSchema, policyToolEntrySchema)
168
+ .refine((tools) => Object.keys(tools).length > 0, {
169
+ message: "tools must declare at least one entry",
170
+ }),
171
+ intent: policyIntentSchema.optional(),
172
+ })
173
+ .strict();
174
+ export const paybondPolicyDocumentV2Schema = z
175
+ .object({
176
+ version: z.literal(PAYBOND_POLICY_SCHEMA_VERSION_V2),
177
+ name: z.string().regex(POLICY_NAME_PATTERN, "must be a lowercase policy name"),
178
+ default_deny: z.boolean(),
179
+ extends: policyExtendsSchema.optional(),
180
+ overrides: policyOverridesSchema.optional(),
181
+ tools: z.record(toolNameSchema, policyToolEntrySchema),
182
+ intent: policyIntentSchema.optional(),
183
+ })
184
+ .strict()
185
+ .superRefine((document, ctx) => {
186
+ if (!document.extends && Object.keys(document.tools).length === 0) {
187
+ ctx.addIssue({
188
+ code: "custom",
189
+ path: ["tools"],
190
+ message: "tools must declare at least one entry when extends is omitted",
191
+ });
192
+ }
193
+ });
194
+ /** Raised when a policy document fails schema validation. */
195
+ export class PaybondPolicyValidationError extends Error {
196
+ issues;
197
+ constructor(message, issues = []) {
198
+ super(message);
199
+ this.name = "PaybondPolicyValidationError";
200
+ this.issues = issues;
201
+ }
202
+ }
203
+ function zodIssuesToPolicyIssues(issues) {
204
+ return issues.map((issue) => ({
205
+ path: issue.path.length > 0 ? issue.path.map(String).join(".") : "(root)",
206
+ code: issue.code,
207
+ message: issue.message,
208
+ }));
209
+ }
210
+ function parseWithSchema(schema, raw) {
211
+ const result = schema.safeParse(raw);
212
+ if (!result.success) {
213
+ const issues = zodIssuesToPolicyIssues(result.error.issues);
214
+ const summary = issues.map((issue) => `${issue.path}: ${issue.message}`).join("; ");
215
+ throw new PaybondPolicyValidationError(summary || "invalid paybond.policy.yaml document", issues);
216
+ }
217
+ return result.data;
218
+ }
219
+ /**
220
+ * Parse and validate a raw policy document (already-decoded JSON or YAML object).
221
+ * Accepts v1 flat policies and v2 org-base or tenant-overlay documents.
222
+ */
223
+ export function parsePaybondPolicyDocument(raw) {
224
+ if (typeof raw !== "object" || raw === null) {
225
+ throw new PaybondPolicyValidationError("(root) must be an object");
226
+ }
227
+ const version = raw.version;
228
+ if (version === PAYBOND_POLICY_SCHEMA_VERSION) {
229
+ return parseWithSchema(paybondPolicyDocumentV1Schema, raw);
230
+ }
231
+ if (version === PAYBOND_POLICY_SCHEMA_VERSION_V2) {
232
+ return parseWithSchema(paybondPolicyDocumentV2Schema, raw);
233
+ }
234
+ throw new PaybondPolicyValidationError(`version must be ${PAYBOND_POLICY_SCHEMA_VERSION} or ${PAYBOND_POLICY_SCHEMA_VERSION_V2}`, [{ path: "version", code: "invalid_literal", message: "unsupported policy schema version" }]);
235
+ }
236
+ /** Parse a v1-only policy document. */
237
+ export function parsePaybondPolicyDocumentV1(raw) {
238
+ return parseWithSchema(paybondPolicyDocumentV1Schema, raw);
239
+ }
240
+ /** Parse a v2 policy document (org base or tenant overlay). */
241
+ export function parsePaybondPolicyDocumentV2(raw) {
242
+ return parseWithSchema(paybondPolicyDocumentV2Schema, raw);
243
+ }
244
+ /** Type guard for an already-validated v1 policy document. */
245
+ export function isPaybondPolicyDocumentV1(value) {
246
+ return paybondPolicyDocumentV1Schema.safeParse(value).success;
247
+ }
248
+ /** Type guard for an already-validated v2 policy document. */
249
+ export function isPaybondPolicyDocumentV2(value) {
250
+ return paybondPolicyDocumentV2Schema.safeParse(value).success;
251
+ }
252
+ /** True when a v2 document is a tenant overlay (declares extends). */
253
+ export function isPaybondPolicyOverlay(document) {
254
+ return document.extends !== undefined;
255
+ }
@@ -0,0 +1,33 @@
1
+ import type { PaybondToolRegistry } from "../agent/registry.js";
2
+ import type { PaybondPolicyDocumentV1 } from "./schema.js";
3
+ export type PaybondPolicySnapshotSource = "file" | "remote" | "effective";
4
+ /** Versioned policy snapshot loaded at bind time (Tier 7 hot-reload foundation). */
5
+ export type PaybondPolicySnapshot = {
6
+ /** `sha256:<hex>` digest of the canonical policy JSON. */
7
+ digest: string;
8
+ /** `{policy_name}@{digest_short}` label for audit and status output. */
9
+ version: string;
10
+ /** RFC3339 timestamp when this snapshot was loaded. */
11
+ loadedAt: string;
12
+ source: PaybondPolicySnapshotSource;
13
+ registry: PaybondToolRegistry;
14
+ /** Effective policy document backing this snapshot (used for reload loosening checks). */
15
+ document: PaybondPolicyDocumentV1;
16
+ };
17
+ export type CreatePolicySnapshotInput = {
18
+ document: PaybondPolicyDocumentV1;
19
+ registry: PaybondToolRegistry;
20
+ source: PaybondPolicySnapshotSource;
21
+ /** When omitted, digest is computed locally from the document. */
22
+ digest?: string;
23
+ loadedAt?: string;
24
+ };
25
+ /** Build a policy snapshot for {@link PaybondAgentRun.bind}. */
26
+ export declare function createPolicySnapshot(input: CreatePolicySnapshotInput): PaybondPolicySnapshot;
27
+ /** Build a snapshot from a Gateway effective-policy resolution. */
28
+ export declare function createPolicySnapshotFromEffective(input: {
29
+ document: PaybondPolicyDocumentV1;
30
+ registry: PaybondToolRegistry;
31
+ effectivePolicyDigest: string;
32
+ loadedAt?: string;
33
+ }): PaybondPolicySnapshot;
@@ -0,0 +1,23 @@
1
+ import { canonicalPolicyDocumentDigest, policyVersionLabel } from "./digest.js";
2
+ /** Build a policy snapshot for {@link PaybondAgentRun.bind}. */
3
+ export function createPolicySnapshot(input) {
4
+ const digest = input.digest?.trim() || canonicalPolicyDocumentDigest(input.document);
5
+ return {
6
+ digest,
7
+ version: policyVersionLabel(input.document.name, digest),
8
+ loadedAt: input.loadedAt ?? new Date().toISOString(),
9
+ source: input.source,
10
+ registry: input.registry,
11
+ document: input.document,
12
+ };
13
+ }
14
+ /** Build a snapshot from a Gateway effective-policy resolution. */
15
+ export function createPolicySnapshotFromEffective(input) {
16
+ return createPolicySnapshot({
17
+ document: input.document,
18
+ registry: input.registry,
19
+ source: "effective",
20
+ digest: input.effectivePolicyDigest,
21
+ loadedAt: input.loadedAt,
22
+ });
23
+ }
@@ -0,0 +1,43 @@
1
+ import type { PolicyMergeReport } from "./merge.js";
2
+ import type { PaybondPolicyDocumentV1 } from "./schema.js";
3
+ export type PolicyRemoteValidateIssue = {
4
+ path: string;
5
+ code: string;
6
+ message: string;
7
+ };
8
+ export type PolicyRemoteValidateCheck = {
9
+ name: string;
10
+ passed: boolean;
11
+ };
12
+ export type PolicyRemoteValidateResult = {
13
+ valid: boolean;
14
+ local_valid: boolean;
15
+ remote_valid: boolean;
16
+ policy_name: string | null;
17
+ tenant_id: string;
18
+ errors: PolicyRemoteValidateIssue[];
19
+ warnings: PolicyRemoteValidateIssue[];
20
+ checks: PolicyRemoteValidateCheck[];
21
+ effective_policy_digest?: string;
22
+ merge_report?: PolicyMergeReport;
23
+ };
24
+ export type PolicyRemoteValidateOptions = {
25
+ /** When true, side-effecting tools must appear in intent.allowed_tools when that list is set. */
26
+ strict?: boolean;
27
+ /** When true, treat the body as a v2 tenant overlay and merge org base server-side. */
28
+ resolveInheritance?: boolean;
29
+ };
30
+ /** Gateway client surface used by {@link validatePolicyRemote}. */
31
+ export type PolicyRemoteValidateClient = {
32
+ validatePolicy(document: Record<string, unknown>, options?: PolicyRemoteValidateOptions): Promise<PolicyRemoteValidateResult>;
33
+ };
34
+ /** Build query parameters for Gateway `POST /v1/policy/validate`. */
35
+ export declare function policyValidateQueryString(options?: PolicyRemoteValidateOptions): string;
36
+ /** Parse a Gateway `POST /v1/policy/validate` JSON body. */
37
+ export declare function parsePolicyRemoteValidateResponse(body: unknown): PolicyRemoteValidateResult;
38
+ /** Serialize a remote validation report for CLI or logging output. */
39
+ export declare function policyRemoteValidateResultToDict(result: PolicyRemoteValidateResult): Record<string, unknown>;
40
+ /** Validate a raw policy payload against the tenant-scoped Gateway registry endpoint. */
41
+ export declare function validatePolicyPayloadRemote(document: Record<string, unknown>, client: PolicyRemoteValidateClient, options?: PolicyRemoteValidateOptions): Promise<PolicyRemoteValidateResult>;
42
+ /** Validate a policy document against the tenant-scoped Gateway registry endpoint. */
43
+ export declare function validatePolicyRemote(document: PaybondPolicyDocumentV1, client: PolicyRemoteValidateClient, options?: PolicyRemoteValidateOptions): Promise<PolicyRemoteValidateResult>;
@@ -0,0 +1,104 @@
1
+ import { policyDocumentToDict } from "./digest.js";
2
+ import { parseMergeReport } from "./load-effective.js";
3
+ function parseIssue(value) {
4
+ if (!value || typeof value !== "object" || Array.isArray(value)) {
5
+ return null;
6
+ }
7
+ const row = value;
8
+ const path = String(row.path ?? "");
9
+ const code = String(row.code ?? "");
10
+ const message = String(row.message ?? "");
11
+ if (!path || !code || !message) {
12
+ return null;
13
+ }
14
+ return { path, code, message };
15
+ }
16
+ function parseCheck(value) {
17
+ if (!value || typeof value !== "object" || Array.isArray(value)) {
18
+ return null;
19
+ }
20
+ const row = value;
21
+ const name = String(row.name ?? "");
22
+ if (!name || typeof row.passed !== "boolean") {
23
+ return null;
24
+ }
25
+ return { name, passed: row.passed };
26
+ }
27
+ /** Build query parameters for Gateway `POST /v1/policy/validate`. */
28
+ export function policyValidateQueryString(options = {}) {
29
+ const params = new URLSearchParams();
30
+ if (options.strict) {
31
+ params.set("strict", "1");
32
+ }
33
+ if (options.resolveInheritance) {
34
+ params.set("resolve_inheritance", "1");
35
+ }
36
+ const qs = params.toString();
37
+ return qs ? `?${qs}` : "";
38
+ }
39
+ /** Parse a Gateway `POST /v1/policy/validate` JSON body. */
40
+ export function parsePolicyRemoteValidateResponse(body) {
41
+ if (!body || typeof body !== "object" || Array.isArray(body)) {
42
+ throw new Error("policy validate response must be a JSON object");
43
+ }
44
+ const row = body;
45
+ const errors = Array.isArray(row.errors)
46
+ ? row.errors.map(parseIssue).filter((issue) => issue !== null)
47
+ : [];
48
+ const warnings = Array.isArray(row.warnings)
49
+ ? row.warnings.map(parseIssue).filter((issue) => issue !== null)
50
+ : [];
51
+ const checks = Array.isArray(row.checks)
52
+ ? row.checks.map(parseCheck).filter((check) => check !== null)
53
+ : [];
54
+ const result = {
55
+ valid: Boolean(row.valid),
56
+ local_valid: Boolean(row.local_valid),
57
+ remote_valid: Boolean(row.remote_valid),
58
+ policy_name: row.policy_name === null || row.policy_name === undefined
59
+ ? null
60
+ : String(row.policy_name),
61
+ tenant_id: String(row.tenant_id ?? ""),
62
+ errors,
63
+ warnings,
64
+ checks,
65
+ };
66
+ if (row.effective_policy_digest != null) {
67
+ const digest = String(row.effective_policy_digest);
68
+ if (digest) {
69
+ result.effective_policy_digest = digest;
70
+ }
71
+ }
72
+ if (row.merge_report != null) {
73
+ result.merge_report = parseMergeReport(row.merge_report);
74
+ }
75
+ return result;
76
+ }
77
+ /** Serialize a remote validation report for CLI or logging output. */
78
+ export function policyRemoteValidateResultToDict(result) {
79
+ const payload = {
80
+ valid: result.valid,
81
+ local_valid: result.local_valid,
82
+ remote_valid: result.remote_valid,
83
+ policy_name: result.policy_name,
84
+ tenant_id: result.tenant_id,
85
+ errors: result.errors,
86
+ warnings: result.warnings,
87
+ checks: result.checks,
88
+ };
89
+ if (result.effective_policy_digest) {
90
+ payload.effective_policy_digest = result.effective_policy_digest;
91
+ }
92
+ if (result.merge_report) {
93
+ payload.merge_report = result.merge_report;
94
+ }
95
+ return payload;
96
+ }
97
+ /** Validate a raw policy payload against the tenant-scoped Gateway registry endpoint. */
98
+ export async function validatePolicyPayloadRemote(document, client, options = {}) {
99
+ return client.validatePolicy(document, options);
100
+ }
101
+ /** Validate a policy document against the tenant-scoped Gateway registry endpoint. */
102
+ export async function validatePolicyRemote(document, client, options = {}) {
103
+ return validatePolicyPayloadRemote(policyDocumentToDict(document), client, options);
104
+ }