@pingagent/sdk 0.1.7 → 0.1.9

package/dist/index.d.ts

@@ -8,6 +8,7 @@ declare class LocalStore {
     constructor(dbPath?: string);
     getDb(): Database.Database;
     close(): void;
+    private applyMigrations;
 }
 
 interface Contact {
@@ -98,8 +99,145 @@ declare class HistoryManager {
     }): Promise<{
         synced: number;
     }>;
+    listMergedRecent(client: PingAgentClient, conversationId: string, opts?: {
+        limit?: number;
+        box?: 'ready' | 'strangers' | 'all';
+    }): Promise<StoredMessage[]>;
+}
+
+type TrustState = 'stranger' | 'pending' | 'trusted' | 'blocked' | 'revoked';
+interface SessionState {
+    session_key: string;
+    remote_did?: string;
+    conversation_id?: string;
+    trust_state: TrustState;
+    last_message_preview?: string;
+    last_remote_activity_at?: number;
+    last_read_seq: number;
+    unread_count: number;
+    active: boolean;
+    updated_at: number;
+}
+interface SessionMessageInput {
+    session_key?: string;
+    remote_did?: string;
+    conversation_id: string;
+    trust_state?: TrustState;
+    sender_did?: string;
+    sender_is_self?: boolean;
+    schema?: string;
+    payload?: unknown;
+    seq?: number | null;
+    ts_ms?: number;
+}
+interface ReplyTarget {
+    session_key: string;
+    remote_did?: string;
+    conversation_id?: string;
+    trust_state: TrustState;
+}
+declare function previewFromPayload(payload: unknown): string;
+declare function buildSessionKey(opts: {
+    localDid?: string;
+    remoteDid?: string | null;
+    conversationId: string;
+    conversationType?: string | null;
+}): string;
+declare class SessionManager {
+    private store;
+    constructor(store: LocalStore);
+    upsert(state: Partial<SessionState> & {
+        session_key: string;
+    }): SessionState;
+    upsertFromMessage(input: SessionMessageInput): SessionState;
+    get(sessionKey: string): SessionState | null;
+    getByConversationId(conversationId: string): SessionState | null;
+    getActiveSession(): SessionState | null;
+    listRecentSessions(limit?: number): SessionState[];
+    focusSession(sessionKey: string): SessionState | null;
+    markRead(sessionKey: string, seq?: number | null): SessionState | null;
+    nextUnread(): SessionState | null;
+    resolveReplyTarget(sessionKey?: string): ReplyTarget | null;
 }
 
+type TaskThreadStatus = 'queued' | 'running' | 'processed' | 'failed' | 'cancelled';
+interface TaskThread {
+    task_id: string;
+    session_key: string;
+    conversation_id: string;
+    title?: string;
+    status: TaskThreadStatus;
+    started_at?: number;
+    updated_at: number;
+    result_summary?: string;
+    error_code?: string;
+    error_message?: string;
+}
+interface TaskThreadUpsert {
+    task_id: string;
+    session_key: string;
+    conversation_id: string;
+    title?: string;
+    status: TaskThreadStatus;
+    started_at?: number;
+    updated_at?: number;
+    result_summary?: string;
+    error_code?: string;
+    error_message?: string;
+}
+declare class TaskThreadManager {
+    private store;
+    constructor(store: LocalStore);
+    upsert(thread: TaskThreadUpsert): TaskThread;
+    get(taskId: string): TaskThread | null;
+    listBySession(sessionKey: string, limit?: number): TaskThread[];
+    listByConversation(conversationId: string, limit?: number): TaskThread[];
+    listRecent(limit?: number): TaskThread[];
+}
+
+interface EncryptionPublicKeyJwk {
+    kty: 'EC';
+    crv: 'P-256';
+    x: string;
+    y: string;
+    ext?: boolean;
+    key_ops?: string[];
+}
+interface EncryptionPrivateKeyJwk extends EncryptionPublicKeyJwk {
+    d: string;
+}
+interface EncryptionIdentityFields {
+    encryptionPublicKeyJwk: EncryptionPublicKeyJwk;
+    encryptionPrivateKeyJwk: EncryptionPrivateKeyJwk;
+}
+interface AgentEncryptionCard {
+    did: string;
+    encryption_public_key?: EncryptionPublicKeyJwk | null;
+}
+interface EncryptedRecipientBlob {
+    did: string;
+    alg: 'ECDH-P256+A256GCM';
+    ephemeral_public_key: EncryptionPublicKeyJwk;
+    iv: string;
+    ciphertext: string;
+}
+interface EncryptedPayloadWrapper {
+    __e2ee: {
+        v: 1;
+        alg: 'ECDH-P256+A256GCM';
+        recipients: EncryptedRecipientBlob[];
+        cleartext: Record<string, unknown>;
+    };
+}
+declare function isEncryptedPayload(payload: unknown): payload is EncryptedPayloadWrapper;
+declare function shouldEncryptConversationPayload(conversationId: string, schema: string): boolean;
+declare function encryptPayloadForRecipients(opts: {
+    schema: string;
+    payload: Record<string, unknown>;
+    recipients: AgentEncryptionCard[];
+}): Promise<Record<string, unknown>>;
+declare function decryptPayloadForIdentity(schema: string, payload: Record<string, unknown>, identity: Identity & Partial<EncryptionIdentityFields>): Promise<Record<string, unknown>>;
+
 interface ClientOptions {
     serverUrl: string;
     identity: Identity;
@@ -136,6 +274,20 @@ interface TaskResult {
     };
     elapsed_ms: number;
 }
+interface TaskStatusResponse {
+    task_id: string;
+    status: 'queued' | 'running' | 'processed' | 'failed' | 'cancelled';
+    reason?: string;
+    error?: {
+        code?: string;
+        message?: string;
+    };
+    result_summary?: string;
+    last_update_ts_ms: number;
+}
+interface TaskListEntry extends TaskStatusResponse {
+    title?: string;
+}
 interface SubscriptionUsage {
     relay_today: number;
     relay_limit: number;
@@ -148,19 +300,27 @@ interface SubscriptionResponse {
     tier: string;
     limits: {
         relay_per_day: number;
+        relay_msgs_per_day?: number;
+        feed_post_per_day?: number;
+        channel_limit?: number;
         max_group_size: number;
         artifact_storage_mb: number;
+        store_forward_ttl_ms?: number;
         audit_export_allowed: boolean;
         alias_limit: number;
     };
     usage: SubscriptionUsage;
     has_stripe_customer: boolean;
+    billing_primary_did?: string | null;
+    is_billing_primary?: boolean;
+    linked_device_count?: number;
 }
 interface ConversationEntry {
     conversation_id: string;
     type: string;
     target_did: string;
     trusted: boolean;
+    recipient_encryption_public_key?: EncryptionPublicKeyJwk | null;
     created_at: number;
     /** Server-side last message write time (ms). Omitted or null when unknown; client should fetch when missing. */
     last_activity_at?: number | null;
@@ -177,6 +337,7 @@ interface AgentProfile {
     tags?: string[];
     verification_status?: string;
     discoverable?: boolean;
+    encryption_public_key?: EncryptionPublicKeyJwk | null;
 }
 interface DirectoryBrowseResponse {
     agents: AgentProfile[];
@@ -198,15 +359,37 @@ interface FeedByDidResponse {
     did: string;
     posts: FeedPost[];
 }
+interface AgentDirectoryCard {
+    did: string;
+    alias?: string | null;
+    display_name?: string | null;
+    verification_status?: string;
+    encryption_public_key?: EncryptionPublicKeyJwk | null;
+}
+interface DirectorySelfResponse {
+    did: string;
+    alias?: string | null;
+    verification_status?: string;
+    encryption_public_key?: EncryptionPublicKeyJwk | null;
+    mode?: string;
+    tier?: string;
+    billing_primary_did?: string | null;
+    is_billing_primary?: boolean;
+}
 declare class PingAgentClient {
     private opts;
     private transport;
     private identity;
     private contactManager?;
     private historyManager?;
+    private sessionManager?;
+    private taskThreadManager?;
+    private agentCardCache;
     constructor(opts: ClientOptions);
     getContactManager(): ContactManager | undefined;
     getHistoryManager(): HistoryManager | undefined;
+    getSessionManager(): SessionManager | undefined;
+    getTaskThreadManager(): TaskThreadManager | undefined;
     /** Update the in-memory access token (e.g. after proactive refresh from disk). */
     setAccessToken(token: string): void;
     register(developerToken?: string): Promise<ApiResponse>;
@@ -214,8 +397,13 @@ declare class PingAgentClient {
         conversation_id: string;
         type: string;
         trusted: boolean;
+        target_did: string;
+        recipient_encryption_public_key?: EncryptionPublicKeyJwk | null;
         relay_ws_url: string;
     }>>;
+    private resolveConversationPeer;
+    private getRecipientEncryptionCard;
+    private sameEncryptionPublicKey;
     sendMessage(conversationId: string, schema: string, payload: Record<string, unknown>): Promise<ApiResponse<SendResponse>>;
     sendTask(conversationId: string, task: {
         task_id: string;
@@ -257,12 +445,19 @@ declare class PingAgentClient {
     resolveAlias(alias: string): Promise<ApiResponse<{
         did: string;
         alias: string;
+        encryption_public_key?: EncryptionPublicKeyJwk | null;
     }>>;
+    getAgentCard(did: string): Promise<ApiResponse<AgentDirectoryCard>>;
     registerAlias(alias: string): Promise<ApiResponse>;
     listConversations(opts?: {
         type?: string;
     }): Promise<ApiResponse<ConversationListResponse>>;
+    getTaskStatus(conversationId: string, taskId: string): Promise<ApiResponse<TaskStatusResponse>>;
+    listTaskThreads(conversationId: string): Promise<ApiResponse<{
+        tasks: TaskListEntry[];
+    }>>;
     getProfile(): Promise<ApiResponse<AgentProfile>>;
+    getDirectorySelf(): Promise<ApiResponse<DirectorySelfResponse>>;
     updateProfile(profile: {
         display_name?: string;
         bio?: string;
@@ -270,6 +465,10 @@ declare class PingAgentClient {
         tags?: string[];
         discoverable?: boolean;
     }): Promise<ApiResponse<AgentProfile>>;
+    ensureEncryptionKeyPublished(): Promise<ApiResponse<{
+        published: boolean;
+        status: 'already_registered' | 'updated';
+    }>>;
     enableDiscovery(): Promise<ApiResponse<{
         discoverable: boolean;
     }>>;
@@ -342,6 +541,10 @@ declare class PingAgentClient {
         relay_ws_url: string;
     }>>;
     getDid(): string;
+    decryptEnvelopePayload(envelope: {
+        schema: string;
+        payload: Record<string, unknown>;
+    }): Promise<Record<string, unknown>>;
     createBillingLinkCode(): Promise<ApiResponse<{
         code: string;
         expires_in_seconds: number;
@@ -365,15 +568,16 @@ declare class PingAgentClient {
     }): Promise<TaskResult>;
 }
 
-declare function generateIdentity(): Identity;
+declare function ensureIdentityEncryptionKeys(identity: Partial<EncryptionIdentityFields>): EncryptionIdentityFields;
+declare function generateIdentity(): Identity & EncryptionIdentityFields;
 declare function identityExists(identityPath?: string): boolean;
-declare function loadIdentity(identityPath?: string): Identity & {
+declare function loadIdentity(identityPath?: string): Identity & EncryptionIdentityFields & {
     serverUrl?: string;
     accessToken?: string;
     tokenExpiresAt?: number;
     mode?: string;
 };
-declare function saveIdentity(identity: Identity, opts?: {
+declare function saveIdentity(identity: Identity & Partial<EncryptionIdentityFields>, opts?: {
     serverUrl?: string;
     accessToken?: string;
     tokenExpiresAt?: number;
@@ -422,6 +626,200 @@ declare class HttpTransport {
     private refreshToken;
 }
 
+type ContactPolicyAction = 'approve' | 'manual' | 'reject';
+type TaskPolicyAction = 'bridge' | 'execute' | 'deny';
+type RuntimeMode = 'bridge' | 'executor';
+interface TrustPolicyRule<A extends string> {
+    match: string;
+    action: A;
+}
+interface TrustPolicyDoc {
+    version: 1;
+    contact_policy: {
+        enabled: boolean;
+        default_action: ContactPolicyAction;
+        rules: Array<TrustPolicyRule<ContactPolicyAction>>;
+    };
+    task_policy: {
+        enabled: boolean;
+        default_action: TaskPolicyAction;
+        rules: Array<TrustPolicyRule<TaskPolicyAction>>;
+    };
+}
+interface TrustPolicyContext {
+    sender_did?: string;
+    sender_alias?: string;
+    sender_verification_status?: string;
+}
+interface LegacyAutoApproveRule {
+    match: string;
+    action: 'approve' | 'reject';
+}
+interface ContactPolicyDecision {
+    action: ContactPolicyAction;
+    source: 'rule' | 'default' | 'legacy_auto_approve' | 'runtime_default';
+    matched_rule?: TrustPolicyRule<ContactPolicyAction>;
+    explanation: string;
+}
+interface TaskPolicyDecision {
+    action: TaskPolicyAction;
+    source: 'rule' | 'default' | 'runtime_default';
+    matched_rule?: TrustPolicyRule<TaskPolicyAction>;
+    explanation: string;
+}
+declare function defaultTrustPolicyDoc(): TrustPolicyDoc;
+declare function normalizeTrustPolicyDoc(raw: any): TrustPolicyDoc;
+declare function matchesTrustPolicyRule(match: string, context: TrustPolicyContext): boolean;
+declare function decideContactPolicy(policyDoc: TrustPolicyDoc, context: TrustPolicyContext, opts?: {
+    legacyAutoApproveEnabled?: boolean;
+    legacyAutoApproveRules?: LegacyAutoApproveRule[];
+}): ContactPolicyDecision;
+declare function decideTaskPolicy(policyDoc: TrustPolicyDoc, context: TrustPolicyContext, opts?: {
+    runtimeMode?: RuntimeMode;
+}): TaskPolicyDecision;
+
+type TrustPolicyAuditEventType = 'contact_decision' | 'contact_auto_approved' | 'contact_manual_review' | 'contact_rejected' | 'policy_default_updated' | 'policy_rule_upserted' | 'policy_rule_removed' | 'recommendation_applied' | 'recommendation_dismissed' | 'recommendation_reopened' | 'task_decision' | 'task_bridged' | 'task_executed' | 'task_denied' | 'task_processed' | 'task_failed' | 'task_cancelled' | 'session_blocked' | 'session_revoked';
+interface TrustPolicyAuditEvent {
+    id: number;
+    ts_ms: number;
+    event_type: TrustPolicyAuditEventType;
+    policy_scope?: 'contact' | 'task' | 'session';
+    remote_did?: string;
+    sender_alias?: string;
+    sender_verification_status?: string;
+    session_key?: string;
+    conversation_id?: string;
+    action?: string;
+    outcome?: string;
+    explanation?: string;
+    matched_rule?: string;
+    detail?: Record<string, unknown>;
+}
+interface TrustPolicyAuditInput {
+    ts_ms?: number;
+    event_type: TrustPolicyAuditEventType;
+    policy_scope?: 'contact' | 'task' | 'session';
+    remote_did?: string;
+    sender_alias?: string;
+    sender_verification_status?: string;
+    session_key?: string;
+    conversation_id?: string;
+    action?: string;
+    outcome?: string;
+    explanation?: string;
+    matched_rule?: string;
+    detail?: Record<string, unknown>;
+}
+interface TrustPolicyAuditSummary {
+    total_events: number;
+    latest_ts_ms?: number;
+    by_type: Record<string, number>;
+    by_policy_scope: Record<string, number>;
+}
+interface AuditStore {
+    getDb(): any;
+}
+interface TrustPolicyLearningSummary {
+    remote_did: string;
+    last_seen_at?: number;
+    trusted_sessions: number;
+    pending_sessions: number;
+    blocked_sessions: number;
+    revoked_sessions: number;
+    processed_tasks: number;
+    failed_tasks: number;
+    cancelled_tasks: number;
+    contact_approvals: number;
+    contact_manual_reviews: number;
+    contact_rejections: number;
+    task_bridged: number;
+    task_executed: number;
+    task_denied: number;
+}
+interface TrustPolicyRecommendation {
+    id: string;
+    policy: 'contact' | 'task';
+    remote_did: string;
+    match: string;
+    action: ContactPolicyAction | TaskPolicyAction;
+    current_action: ContactPolicyAction | TaskPolicyAction;
+    confidence: 'medium' | 'high';
+    reason: string;
+    signals: {
+        trusted_sessions: number;
+        blocked_sessions: number;
+        revoked_sessions: number;
+        processed_tasks: number;
+        failed_tasks: number;
+        cancelled_tasks: number;
+        contact_approvals: number;
+        contact_rejections: number;
+        task_denied: number;
+        last_seen_at?: number;
+    };
+}
+declare class TrustPolicyAuditManager {
+    private store;
+    constructor(store: AuditStore);
+    record(event: TrustPolicyAuditInput): TrustPolicyAuditEvent;
+    listRecent(limit?: number): TrustPolicyAuditEvent[];
+    listBySession(sessionKey: string, limit?: number): TrustPolicyAuditEvent[];
+    listByRemoteDid(remoteDid: string, limit?: number): TrustPolicyAuditEvent[];
+    summarize(limit?: number): TrustPolicyAuditSummary;
+}
+declare function buildTrustPolicyRecommendations(opts: {
+    policyDoc: TrustPolicyDoc;
+    sessions: SessionState[];
+    tasks: TaskThread[];
+    auditEvents: TrustPolicyAuditEvent[];
+    runtimeMode: RuntimeMode;
+    limit?: number;
+}): TrustPolicyRecommendation[];
+declare function upsertTrustPolicyRecommendation(policyDoc: TrustPolicyDoc, recommendation: TrustPolicyRecommendation): TrustPolicyDoc;
+declare function summarizeTrustPolicyAudit(events: TrustPolicyAuditEvent[]): TrustPolicyAuditSummary;
+
+interface RecommendationStore {
+    getDb(): any;
+}
+type TrustRecommendationStatus = 'open' | 'applied' | 'dismissed' | 'superseded';
+interface StoredTrustRecommendation extends TrustPolicyRecommendation {
+    status: TrustRecommendationStatus;
+    first_seen_at: number;
+    last_seen_at: number;
+    updated_at: number;
+    last_state_change_at?: number;
+    applied_at?: number;
+    dismissed_at?: number;
+}
+interface SyncTrustRecommendationsInput {
+    policyDoc: TrustPolicyDoc;
+    sessions: SessionState[];
+    tasks: TaskThread[];
+    auditEvents: TrustPolicyAuditEvent[];
+    runtimeMode: RuntimeMode;
+    limit?: number;
+}
+interface RecommendationSummary {
+    total: number;
+    by_status: Record<string, number>;
+}
+declare class TrustRecommendationManager {
+    private store;
+    constructor(store: RecommendationStore);
+    private upsertRecommendation;
+    sync(input: SyncTrustRecommendationsInput): StoredTrustRecommendation[];
+    get(id: string): StoredTrustRecommendation | null;
+    list(opts?: {
+        status?: TrustRecommendationStatus | TrustRecommendationStatus[];
+        remoteDid?: string;
+        limit?: number;
+    }): StoredTrustRecommendation[];
+    apply(id: string): StoredTrustRecommendation | null;
+    dismiss(id: string): StoredTrustRecommendation | null;
+    reopen(id: string): StoredTrustRecommendation | null;
+    summarize(): RecommendationSummary;
+}
+
 /**
  * A2A adapter for PingAgentClient.
  * Allows PingAgent to call external agents that speak the A2A protocol,
@@ -483,7 +881,7 @@ interface WsSubscriptionOptions {
     getAccessToken: () => string | Promise<string>;
     myDid: string;
     listConversations: () => Promise<ConversationEntry[]>;
-    onMessage: (envelope: any, conversationId: string) => void;
+    onMessage: (envelope: any, conversationId: string) => void | Promise<void>;
     onControl?: (control: WsControlPayload, conversationId: string) => void;
     onError?: (err: Error) => void;
     /** Optional debug hook for observability (non-fatal events). */
@@ -549,4 +947,4 @@ declare class WsSubscription {
     private syncConnections;
 }
 
-export { A2AAdapter, type A2AAdapterOptions, type A2ATaskResult, type AgentProfile, type ClientOptions, type Contact, ContactManager, type ConversationEntry, type ConversationListResponse, type DirectoryBrowseResponse, type FeedByDidResponse, type FeedPost, type FeedPublicResponse, type FetchResponse, HistoryManager, HttpTransport, LocalStore, PingAgentClient, type SendResponse, type StoredMessage, type SubscriptionResponse, type SubscriptionUsage, type TaskResult, type TransportOptions, WsSubscription, type WsSubscriptionOptions, ensureTokenValid, generateIdentity, getIdentityPath, getProfile, getRootDir, getStorePath, identityExists, loadIdentity, saveIdentity, updateStoredToken };
+export { A2AAdapter, type A2AAdapterOptions, type A2ATaskResult, type AgentEncryptionCard, type AgentProfile, type ClientOptions, type Contact, ContactManager, type ContactPolicyAction, type ContactPolicyDecision, type ConversationEntry, type ConversationListResponse, type DirectoryBrowseResponse, type DirectorySelfResponse, type EncryptedPayloadWrapper, type EncryptionIdentityFields, type EncryptionPrivateKeyJwk, type EncryptionPublicKeyJwk, type FeedByDidResponse, type FeedPost, type FeedPublicResponse, type FetchResponse, HistoryManager, HttpTransport, LocalStore, PingAgentClient, type RecommendationSummary, type ReplyTarget, type RuntimeMode, type SendResponse, SessionManager, type SessionMessageInput, type SessionState, type StoredMessage, type StoredTrustRecommendation, type SubscriptionResponse, type SubscriptionUsage, type SyncTrustRecommendationsInput, type TaskPolicyAction, type TaskPolicyDecision, type TaskResult, type TaskThread, TaskThreadManager, type TaskThreadStatus, type TaskThreadUpsert, type TransportOptions, type TrustPolicyAuditEvent, type TrustPolicyAuditEventType, type TrustPolicyAuditInput, TrustPolicyAuditManager, type TrustPolicyAuditSummary, type TrustPolicyContext, type TrustPolicyDoc, type TrustPolicyLearningSummary, type TrustPolicyRecommendation, TrustRecommendationManager, type TrustRecommendationStatus, type TrustState, WsSubscription, type WsSubscriptionOptions, buildSessionKey, buildTrustPolicyRecommendations, decideContactPolicy, decideTaskPolicy, decryptPayloadForIdentity, defaultTrustPolicyDoc, encryptPayloadForRecipients, ensureIdentityEncryptionKeys, ensureTokenValid, generateIdentity, getIdentityPath, getProfile, getRootDir, getStorePath, identityExists, isEncryptedPayload, loadIdentity, matchesTrustPolicyRule, normalizeTrustPolicyDoc, previewFromPayload, saveIdentity, shouldEncryptConversationPayload, summarizeTrustPolicyAudit, updateStoredToken, upsertTrustPolicyRecommendation };

package/dist/index.js

@@ -5,7 +5,19 @@ import {
   HttpTransport,
   LocalStore,
   PingAgentClient,
+  SessionManager,
+  TaskThreadManager,
+  TrustPolicyAuditManager,
+  TrustRecommendationManager,
   WsSubscription,
+  buildSessionKey,
+  buildTrustPolicyRecommendations,
+  decideContactPolicy,
+  decideTaskPolicy,
+  decryptPayloadForIdentity,
+  defaultTrustPolicyDoc,
+  encryptPayloadForRecipients,
+  ensureIdentityEncryptionKeys,
   ensureTokenValid,
   generateIdentity,
   getIdentityPath,
@@ -13,10 +25,17 @@ import {
   getRootDir,
   getStorePath,
   identityExists,
+  isEncryptedPayload,
   loadIdentity,
+  matchesTrustPolicyRule,
+  normalizeTrustPolicyDoc,
+  previewFromPayload,
   saveIdentity,
-  updateStoredToken
-} from "./chunk-OVLKR4JF.js";
+  shouldEncryptConversationPayload,
+  summarizeTrustPolicyAudit,
+  updateStoredToken,
+  upsertTrustPolicyRecommendation
+} from "./chunk-PFABO4C7.js";
 export {
   A2AAdapter,
   ContactManager,
@@ -24,7 +43,19 @@ export {
   HttpTransport,
   LocalStore,
   PingAgentClient,
+  SessionManager,
+  TaskThreadManager,
+  TrustPolicyAuditManager,
+  TrustRecommendationManager,
   WsSubscription,
+  buildSessionKey,
+  buildTrustPolicyRecommendations,
+  decideContactPolicy,
+  decideTaskPolicy,
+  decryptPayloadForIdentity,
+  defaultTrustPolicyDoc,
+  encryptPayloadForRecipients,
+  ensureIdentityEncryptionKeys,
   ensureTokenValid,
   generateIdentity,
   getIdentityPath,
@@ -32,7 +63,14 @@ export {
   getRootDir,
   getStorePath,
   identityExists,
+  isEncryptedPayload,
   loadIdentity,
+  matchesTrustPolicyRule,
+  normalizeTrustPolicyDoc,
+  previewFromPayload,
   saveIdentity,
-  updateStoredToken
+  shouldEncryptConversationPayload,
+  summarizeTrustPolicyAudit,
+  updateStoredToken,
+  upsertTrustPolicyRecommendation
 };