@planu/cli 0.63.6 → 0.64.0

package/dist/engine/audit-trail/attestation.js

@@ -0,0 +1,47 @@
+// engine/audit-trail/attestation.ts — Generate attestation document for a spec (SPEC-167)
+// Produces structured JSON (no runtime PDF deps required).
+import { randomUUID } from 'node:crypto';
+import { queryAuditLog } from './query.js';
+import { verifyChainIntegrity } from './verifier.js';
+/**
+ * Build an event-type frequency map from an array of events.
+ */
+function buildEventTypeSummary(events) {
+    const counts = {};
+    for (const ev of events) {
+        counts[ev.eventType] = (counts[ev.eventType] ?? 0) + 1;
+    }
+    return counts;
+}
+/**
+ * Generate an attestation document for all events of a given spec.
+ * Verifies chain integrity and embeds the result in the attestation.
+ *
+ * @param filePath  Absolute path to the project's audit-log.jsonl.
+ * @param projectId Project identifier.
+ * @param specId    Spec identifier to filter events for.
+ */
+export async function generateAttestation(filePath, projectId, specId) {
+    const [queryResult, chainResult] = await Promise.all([
+        queryAuditLog(filePath, { projectId, specId, limit: 1000 }),
+        verifyChainIntegrity(filePath),
+    ]);
+    const events = queryResult.events;
+    const timestamps = events.map((e) => e.timestamp).sort();
+    const summary = {
+        totalEvents: events.length,
+        firstEvent: timestamps[0],
+        lastEvent: timestamps[timestamps.length - 1],
+        eventTypes: buildEventTypeSummary(events),
+    };
+    return {
+        attestationId: randomUUID(),
+        generatedAt: new Date().toISOString(),
+        projectId,
+        specId,
+        events,
+        chainValid: chainResult.valid,
+        summary,
+    };
+}
+//# sourceMappingURL=attestation.js.map

package/dist/engine/audit-trail/attestation.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"attestation.js","sourceRoot":"","sources":["../../../src/engine/audit-trail/attestation.ts"],"names":[],"mappings":"AAAA,0FAA0F;AAC1F,2DAA2D;AAE3D,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAEzC,OAAO,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAC3C,OAAO,EAAE,oBAAoB,EAAE,MAAM,eAAe,CAAC;AAErD;;GAEG;AACH,SAAS,qBAAqB,CAAC,MAAoB;IACjD,MAAM,MAAM,GAA4C,EAAE,CAAC;IAC3D,KAAK,MAAM,EAAE,IAAI,MAAM,EAAE,CAAC;QACxB,MAAM,CAAC,EAAE,CAAC,SAAS,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;IACzD,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,QAAgB,EAChB,SAAiB,EACjB,MAAc;IAEd,MAAM,CAAC,WAAW,EAAE,WAAW,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;QACnD,aAAa,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;QAC3D,oBAAoB,CAAC,QAAQ,CAAC;KAC/B,CAAC,CAAC;IAEH,MAAM,MAAM,GAAG,WAAW,CAAC,MAAM,CAAC;IAClC,MAAM,UAAU,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,IAAI,EAAE,CAAC;IAEzD,MAAM,OAAO,GAAG;QACd,WAAW,EAAE,MAAM,CAAC,MAAM;QAC1B,UAAU,EAAE,UAAU,CAAC,CAAC,CAAC;QACzB,SAAS,EAAE,UAAU,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,CAAC;QAC5C,UAAU,EAAE,qBAAqB,CAAC,MAAM,CAAC;KAC1C,CAAC;IAEF,OAAO;QACL,aAAa,EAAE,UAAU,EAAE;QAC3B,WAAW,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACrC,SAAS;QACT,MAAM;QACN,MAAM;QACN,UAAU,EAAE,WAAW,CAAC,KAAK;QAC7B,OAAO;KACR,CAAC;AACJ,CAAC"}

package/dist/engine/audit-trail/index.d.ts

@@ -0,0 +1,6 @@
+export { appendEvent } from './logger.js';
+export type { AppendEventInput } from './logger.js';
+export { queryAuditLog } from './query.js';
+export { verifyChainIntegrity } from './verifier.js';
+export { generateAttestation } from './attestation.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/engine/audit-trail/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/engine/audit-trail/index.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,YAAY,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAEpD,OAAO,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAE3C,OAAO,EAAE,oBAAoB,EAAE,MAAM,eAAe,CAAC;AAErD,OAAO,EAAE,mBAAmB,EAAE,MAAM,kBAAkB,CAAC"}

package/dist/engine/audit-trail/index.js

@@ -0,0 +1,6 @@
+// engine/audit-trail/index.ts — Barrel export for audit-trail engine module (SPEC-167)
+export { appendEvent } from './logger.js';
+export { queryAuditLog } from './query.js';
+export { verifyChainIntegrity } from './verifier.js';
+export { generateAttestation } from './attestation.js';
+//# sourceMappingURL=index.js.map

package/dist/engine/audit-trail/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/engine/audit-trail/index.ts"],"names":[],"mappings":"AAAA,uFAAuF;AAEvF,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAG1C,OAAO,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAE3C,OAAO,EAAE,oBAAoB,EAAE,MAAM,eAAe,CAAC;AAErD,OAAO,EAAE,mBAAmB,EAAE,MAAM,kBAAkB,CAAC"}

package/dist/engine/audit-trail/logger.d.ts

@@ -0,0 +1,17 @@
+import type { AuditEvent, AppendEventInput } from '../../types/audit-trail.js';
+export type { AppendEventInput };
+/**
+ * Compute SHA-256 hex digest of a string.
+ */
+export declare function sha256(input: string): string;
+/**
+ * Append a new audit event to the JSONL log at filePath.
+ * Each event's hash is derived from the previous entry's hash, forming a chain.
+ * The file is created (with parent dirs) if it does not exist.
+ *
+ * Writes are serialized per file via a promise queue to prevent race conditions
+ * that would break the hash chain when multiple events are appended concurrently.
+ */
+export declare function appendEvent(filePath: string, input: AppendEventInput): Promise<AuditEvent>;
+export { canonicalJson } from './utils.js';
+//# sourceMappingURL=logger.d.ts.map

package/dist/engine/audit-trail/logger.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"logger.d.ts","sourceRoot":"","sources":["../../../src/engine/audit-trail/logger.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,UAAU,EAAE,gBAAgB,EAAE,MAAM,4BAA4B,CAAC;AAE/E,YAAY,EAAE,gBAAgB,EAAE,CAAC;AAEjC;;GAEG;AACH,wBAAgB,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAE5C;AA0DD;;;;;;;GAOG;AACH,wBAAgB,WAAW,CAAC,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,gBAAgB,GAAG,OAAO,CAAC,UAAU,CAAC,CAgB1F;AAID,OAAO,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC"}

package/dist/engine/audit-trail/logger.js

@@ -0,0 +1,78 @@
+// engine/audit-trail/logger.ts — Append-only audit logger with SHA-256 hash chain (SPEC-167)
+import { createHash, randomUUID } from 'node:crypto';
+import { appendFile, mkdir } from 'node:fs/promises';
+import { dirname } from 'node:path';
+import { canonicalJson, readJsonlLines } from './utils.js';
+/**
+ * Compute SHA-256 hex digest of a string.
+ */
+export function sha256(input) {
+    return createHash('sha256').update(input, 'utf8').digest('hex');
+}
+/**
+ * Read the hash of the last line in a JSONL file.
+ * Returns empty string if the file is empty or does not exist.
+ */
+async function readLastHash(filePath) {
+    const lines = await readJsonlLines(filePath);
+    if (lines.length === 0) {
+        return '';
+    }
+    const lastLine = lines[lines.length - 1] ?? '';
+    try {
+        const parsed = JSON.parse(lastLine);
+        return typeof parsed.hash === 'string' ? parsed.hash : '';
+    }
+    catch {
+        return '';
+    }
+}
+/**
+ * Per-file write queues to prevent race conditions on the hash chain.
+ * Node.js is single-threaded but async I/O allows two concurrent `appendEvent`
+ * calls to both read the same `lastHash` before either writes, breaking the
+ * chain integrity. Chaining each write onto a resolved promise serializes
+ * all writes to the same file without blocking the event loop.
+ */
+const writeQueues = new Map();
+/**
+ * Perform the actual append operation (must run serially per file).
+ */
+async function doAppend(filePath, input) {
+    await mkdir(dirname(filePath), { recursive: true });
+    const previousHash = await readLastHash(filePath);
+    const partial = {
+        id: randomUUID(),
+        timestamp: new Date().toISOString(),
+        eventType: input.eventType,
+        specId: input.specId,
+        userId: input.userId,
+        action: input.action,
+        details: input.details ?? {},
+        previousHash,
+    };
+    const hash = sha256(canonicalJson(partial));
+    const event = { ...partial, hash };
+    await appendFile(filePath, JSON.stringify(event) + '\n', 'utf-8');
+    return event;
+}
+/**
+ * Append a new audit event to the JSONL log at filePath.
+ * Each event's hash is derived from the previous entry's hash, forming a chain.
+ * The file is created (with parent dirs) if it does not exist.
+ *
+ * Writes are serialized per file via a promise queue to prevent race conditions
+ * that would break the hash chain when multiple events are appended concurrently.
+ */
+export function appendEvent(filePath, input) {
+    let result;
+    const next = (writeQueues.get(filePath) ?? Promise.resolve()).then(async () => {
+        result = await doAppend(filePath, input);
+    });
+    writeQueues.set(filePath, next.then(() => undefined, () => undefined));
+    return next.then(() => result);
+}
+// Re-export canonicalJson so consumers that need the hash logic (e.g., verifier)
+// can import it from the module barrel without reaching into utils directly.
+export { canonicalJson } from './utils.js';
+//# sourceMappingURL=logger.js.map

package/dist/engine/audit-trail/logger.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"logger.js","sourceRoot":"","sources":["../../../src/engine/audit-trail/logger.ts"],"names":[],"mappings":"AAAA,6FAA6F;AAE7F,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACrD,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAEpC,OAAO,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAG3D;;GAEG;AACH,MAAM,UAAU,MAAM,CAAC,KAAa;IAClC,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAClE,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,YAAY,CAAC,QAAgB;IAC1C,MAAM,KAAK,GAAG,MAAM,cAAc,CAAC,QAAQ,CAAC,CAAC;IAC7C,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,MAAM,QAAQ,GAAG,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;IAC/C,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAwB,CAAC;QAC3D,OAAO,OAAO,MAAM,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;IAC5D,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,MAAM,WAAW,GAAG,IAAI,GAAG,EAAyB,CAAC;AAErD;;GAEG;AACH,KAAK,UAAU,QAAQ,CAAC,QAAgB,EAAE,KAAuB;IAC/D,MAAM,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAEpD,MAAM,YAAY,GAAG,MAAM,YAAY,CAAC,QAAQ,CAAC,CAAC;IAElD,MAAM,OAAO,GAA6B;QACxC,EAAE,EAAE,UAAU,EAAE;QAChB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,SAAS,EAAE,KAAK,CAAC,SAAS;QAC1B,MAAM,EAAE,KAAK,CAAC,MAAM;QACpB,MAAM,EAAE,KAAK,CAAC,MAAM;QACpB,MAAM,EAAE,KAAK,CAAC,MAAM;QACpB,OAAO,EAAE,KAAK,CAAC,OAAO,IAAI,EAAE;QAC5B,YAAY;KACb,CAAC;IAEF,MAAM,IAAI,GAAG,MAAM,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC,CAAC;IAE5C,MAAM,KAAK,GAAe,EAAE,GAAG,OAAO,EAAE,IAAI,EAAE,CAAC;IAE/C,MAAM,UAAU,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,GAAG,IAAI,EAAE,OAAO,CAAC,CAAC;IAElE,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,WAAW,CAAC,QAAgB,EAAE,KAAuB;IACnE,IAAI,MAAmB,CAAC;IAExB,MAAM,IAAI,GAAG,CAAC,WAAW,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,IAAI,EAAE;QAC5E,MAAM,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;IAC3C,CAAC,CAAC,CAAC;IAEH,WAAW,CAAC,GAAG,CACb,QAAQ,EACR,IAAI,CAAC,IAAI,CACP,GAAG,EAAE,CAAC,SAAS,EACf,GAAG,EAAE,CAAC,SAAS,CAChB,CACF,CAAC;IAEF,OAAO,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,CAAC;AACjC,CAAC;AAED,iFAAiF;AACjF,6EAA6E;AAC7E,OAAO,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC"}

package/dist/engine/audit-trail/query.d.ts

@@ -0,0 +1,7 @@
+import type { AuditQuery, AuditQueryResult } from '../../types/audit-trail.js';
+/**
+ * Query the audit log JSONL file at filePath using the provided filters.
+ * Returns matching events up to the configured limit, in ascending timestamp order.
+ */
+export declare function queryAuditLog(filePath: string, query: AuditQuery): Promise<AuditQueryResult>;
+//# sourceMappingURL=query.d.ts.map

package/dist/engine/audit-trail/query.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"query.d.ts","sourceRoot":"","sources":["../../../src/engine/audit-trail/query.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAc,UAAU,EAAE,gBAAgB,EAAE,MAAM,4BAA4B,CAAC;AAqC3F;;;GAGG;AACH,wBAAsB,aAAa,CACjC,QAAQ,EAAE,MAAM,EAChB,KAAK,EAAE,UAAU,GAChB,OAAO,CAAC,gBAAgB,CAAC,CAsB3B"}

package/dist/engine/audit-trail/query.js

@@ -0,0 +1,61 @@
+// engine/audit-trail/query.ts — Query the audit JSONL log with filters (SPEC-167)
+import { isNodeError, readJsonlLines } from './utils.js';
+const DEFAULT_LIMIT = 100;
+const MAX_LIMIT = 1000;
+/** Parse all valid AuditEvent lines from an array of raw JSONL strings. */
+function parseLines(lines) {
+    return lines.flatMap((line) => {
+        try {
+            return [JSON.parse(line)];
+        }
+        catch {
+            return [];
+        }
+    });
+}
+/** Apply query filters to an event. Returns true if the event matches all criteria. */
+function matchesFilter(event, query) {
+    if (query.specId !== undefined && event.specId !== query.specId) {
+        return false;
+    }
+    if (query.userId !== undefined && event.userId !== query.userId) {
+        return false;
+    }
+    if (query.eventType !== undefined && event.eventType !== query.eventType) {
+        return false;
+    }
+    if (query.from !== undefined && event.timestamp < query.from) {
+        return false;
+    }
+    if (query.to !== undefined && event.timestamp > query.to) {
+        return false;
+    }
+    return true;
+}
+/**
+ * Query the audit log JSONL file at filePath using the provided filters.
+ * Returns matching events up to the configured limit, in ascending timestamp order.
+ */
+export async function queryAuditLog(filePath, query) {
+    let lines;
+    try {
+        lines = await readJsonlLines(filePath);
+    }
+    catch (err) {
+        if (isNodeError(err) && err.code === 'ENOENT') {
+            return { events: [], total: 0, truncated: false };
+        }
+        throw err;
+    }
+    const all = parseLines(lines);
+    const filtered = all.filter((ev) => matchesFilter(ev, query));
+    const limit = Math.min(query.limit ?? DEFAULT_LIMIT, MAX_LIMIT);
+    const truncated = filtered.length > limit;
+    const events = truncated ? filtered.slice(0, limit) : filtered;
+    return {
+        events,
+        total: filtered.length,
+        truncated,
+    };
+}
+//# sourceMappingURL=query.js.map

package/dist/engine/audit-trail/query.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"query.js","sourceRoot":"","sources":["../../../src/engine/audit-trail/query.ts"],"names":[],"mappings":"AAAA,kFAAkF;AAGlF,OAAO,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAEzD,MAAM,aAAa,GAAG,GAAG,CAAC;AAC1B,MAAM,SAAS,GAAG,IAAI,CAAC;AAEvB,2EAA2E;AAC3E,SAAS,UAAU,CAAC,KAAe;IACjC,OAAO,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,EAAE;QAC5B,IAAI,CAAC;YACH,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAe,CAAC,CAAC;QAC1C,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC;AAED,uFAAuF;AACvF,SAAS,aAAa,CAAC,KAAiB,EAAE,KAAiB;IACzD,IAAI,KAAK,CAAC,MAAM,KAAK,SAAS,IAAI,KAAK,CAAC,MAAM,KAAK,KAAK,CAAC,MAAM,EAAE,CAAC;QAChE,OAAO,KAAK,CAAC;IACf,CAAC;IACD,IAAI,KAAK,CAAC,MAAM,KAAK,SAAS,IAAI,KAAK,CAAC,MAAM,KAAK,KAAK,CAAC,MAAM,EAAE,CAAC;QAChE,OAAO,KAAK,CAAC;IACf,CAAC;IACD,IAAI,KAAK,CAAC,SAAS,KAAK,SAAS,IAAI,KAAK,CAAC,SAAS,KAAK,KAAK,CAAC,SAAS,EAAE,CAAC;QACzE,OAAO,KAAK,CAAC;IACf,CAAC;IACD,IAAI,KAAK,CAAC,IAAI,KAAK,SAAS,IAAI,KAAK,CAAC,SAAS,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;QAC7D,OAAO,KAAK,CAAC;IACf,CAAC;IACD,IAAI,KAAK,CAAC,EAAE,KAAK,SAAS,IAAI,KAAK,CAAC,SAAS,GAAG,KAAK,CAAC,EAAE,EAAE,CAAC;QACzD,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,QAAgB,EAChB,KAAiB;IAEjB,IAAI,KAAe,CAAC;IACpB,IAAI,CAAC;QACH,KAAK,GAAG,MAAM,cAAc,CAAC,QAAQ,CAAC,CAAC;IACzC,CAAC;IAAC,OAAO,GAAY,EAAE,CAAC;QACtB,IAAI,WAAW,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YAC9C,OAAO,EAAE,MAAM,EAAE,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC;QACpD,CAAC;QACD,MAAM,GAAG,CAAC;IACZ,CAAC;IAED,MAAM,GAAG,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC;IAC9B,MAAM,QAAQ,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,aAAa,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC,CAAC;IAC9D,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,IAAI,aAAa,EAAE,SAAS,CAAC,CAAC;IAChE,MAAM,SAAS,GAAG,QAAQ,CAAC,MAAM,GAAG,KAAK,CAAC;IAC1C,MAAM,MAAM,GAAG,SAAS,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC;IAE/D,OAAO;QACL,MAAM;QACN,KAAK,EAAE,QAAQ,CAAC,MAAM;QACtB,SAAS;KACV,CAAC;AACJ,CAAC"}

package/dist/engine/audit-trail/utils.d.ts

@@ -0,0 +1,18 @@
+import type { AuditEvent } from '../../types/audit-trail.js';
+/**
+ * Type guard for Node.js filesystem errors (ErrnoException).
+ */
+export declare function isNodeError(err: unknown): err is NodeJS.ErrnoException;
+/**
+ * Compute the canonical JSON string used for hashing an AuditEvent.
+ * Excludes the `hash` field itself to avoid circular dependency.
+ * CRITICAL: must stay in sync with how events are written in logger.ts.
+ * If this function diverges from the write path, chain verification breaks silently.
+ */
+export declare function canonicalJson(event: Omit<AuditEvent, 'hash'>): string;
+/**
+ * Read a JSONL file and return all non-empty lines.
+ * Returns an empty array when the file does not exist (ENOENT).
+ */
+export declare function readJsonlLines(filePath: string): Promise<string[]>;
+//# sourceMappingURL=utils.d.ts.map

package/dist/engine/audit-trail/utils.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../../../src/engine/audit-trail/utils.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,4BAA4B,CAAC;AAE7D;;GAEG;AACH,wBAAgB,WAAW,CAAC,GAAG,EAAE,OAAO,GAAG,GAAG,IAAI,MAAM,CAAC,cAAc,CAEtE;AAED;;;;;GAKG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,IAAI,CAAC,UAAU,EAAE,MAAM,CAAC,GAAG,MAAM,CAWrE;AAED;;;GAGG;AACH,wBAAsB,cAAc,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAWxE"}

package/dist/engine/audit-trail/utils.js

@@ -0,0 +1,44 @@
+// engine/audit-trail/utils.ts — Shared low-level utilities for the audit-trail module
+import { readFile } from 'node:fs/promises';
+/**
+ * Type guard for Node.js filesystem errors (ErrnoException).
+ */
+export function isNodeError(err) {
+    return err instanceof Error && 'code' in err;
+}
+/**
+ * Compute the canonical JSON string used for hashing an AuditEvent.
+ * Excludes the `hash` field itself to avoid circular dependency.
+ * CRITICAL: must stay in sync with how events are written in logger.ts.
+ * If this function diverges from the write path, chain verification breaks silently.
+ */
+export function canonicalJson(event) {
+    return JSON.stringify({
+        id: event.id,
+        timestamp: event.timestamp,
+        eventType: event.eventType,
+        specId: event.specId,
+        userId: event.userId,
+        action: event.action,
+        details: event.details,
+        previousHash: event.previousHash,
+    });
+}
+/**
+ * Read a JSONL file and return all non-empty lines.
+ * Returns an empty array when the file does not exist (ENOENT).
+ */
+export async function readJsonlLines(filePath) {
+    let raw;
+    try {
+        raw = await readFile(filePath, 'utf-8');
+    }
+    catch (err) {
+        if (isNodeError(err) && err.code === 'ENOENT') {
+            return [];
+        }
+        throw err;
+    }
+    return raw.split('\n').filter((l) => l.trim().length > 0);
+}
+//# sourceMappingURL=utils.js.map

package/dist/engine/audit-trail/utils.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"utils.js","sourceRoot":"","sources":["../../../src/engine/audit-trail/utils.ts"],"names":[],"mappings":"AAAA,sFAAsF;AAEtF,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAG5C;;GAEG;AACH,MAAM,UAAU,WAAW,CAAC,GAAY;IACtC,OAAO,GAAG,YAAY,KAAK,IAAI,MAAM,IAAI,GAAG,CAAC;AAC/C,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,aAAa,CAAC,KAA+B;IAC3D,OAAO,IAAI,CAAC,SAAS,CAAC;QACpB,EAAE,EAAE,KAAK,CAAC,EAAE;QACZ,SAAS,EAAE,KAAK,CAAC,SAAS;QAC1B,SAAS,EAAE,KAAK,CAAC,SAAS;QAC1B,MAAM,EAAE,KAAK,CAAC,MAAM;QACpB,MAAM,EAAE,KAAK,CAAC,MAAM;QACpB,MAAM,EAAE,KAAK,CAAC,MAAM;QACpB,OAAO,EAAE,KAAK,CAAC,OAAO;QACtB,YAAY,EAAE,KAAK,CAAC,YAAY;KACjC,CAAC,CAAC;AACL,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,QAAgB;IACnD,IAAI,GAAW,CAAC;IAChB,IAAI,CAAC;QACH,GAAG,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IAC1C,CAAC;IAAC,OAAO,GAAY,EAAE,CAAC;QACtB,IAAI,WAAW,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YAC9C,OAAO,EAAE,CAAC;QACZ,CAAC;QACD,MAAM,GAAG,CAAC;IACZ,CAAC;IACD,OAAO,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;AAC5D,CAAC"}

package/dist/engine/audit-trail/verifier.d.ts

@@ -0,0 +1,10 @@
+import type { ChainVerificationResult } from '../../types/audit-trail.js';
+/**
+ * Verify that the SHA-256 hash chain of the JSONL log file at filePath is intact.
+ * Validates:
+ *   1. Each entry's `hash` matches the recomputed hash of its canonical JSON.
+ *   2. Each entry's `previousHash` matches the previous entry's `hash`.
+ *   3. The first entry has an empty `previousHash`.
+ */
+export declare function verifyChainIntegrity(filePath: string): Promise<ChainVerificationResult>;
+//# sourceMappingURL=verifier.d.ts.map

package/dist/engine/audit-trail/verifier.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verifier.d.ts","sourceRoot":"","sources":["../../../src/engine/audit-trail/verifier.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAc,uBAAuB,EAAE,MAAM,4BAA4B,CAAC;AAStF;;;;;;GAMG;AACH,wBAAsB,oBAAoB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,uBAAuB,CAAC,CAmE7F"}

package/dist/engine/audit-trail/verifier.js

@@ -0,0 +1,78 @@
+// engine/audit-trail/verifier.ts — Validate SHA-256 hash chain integrity (SPEC-167)
+import { sha256 } from './logger.js';
+import { isNodeError, canonicalJson, readJsonlLines } from './utils.js';
+/** Recompute the canonical hash for an event using the shared canonicalJson helper. */
+function recomputeHash(event) {
+    return sha256(canonicalJson(event));
+}
+/**
+ * Verify that the SHA-256 hash chain of the JSONL log file at filePath is intact.
+ * Validates:
+ *   1. Each entry's `hash` matches the recomputed hash of its canonical JSON.
+ *   2. Each entry's `previousHash` matches the previous entry's `hash`.
+ *   3. The first entry has an empty `previousHash`.
+ */
+export async function verifyChainIntegrity(filePath) {
+    let lines;
+    try {
+        lines = await readJsonlLines(filePath);
+    }
+    catch (err) {
+        if (isNodeError(err) && err.code === 'ENOENT') {
+            return {
+                valid: true,
+                totalEntries: 0,
+                message: 'Audit log is empty — chain is valid.',
+            };
+        }
+        throw err;
+    }
+    if (lines.length === 0) {
+        return {
+            valid: true,
+            totalEntries: 0,
+            message: 'Audit log is empty — chain is valid.',
+        };
+    }
+    let previousHash = '';
+    for (let i = 0; i < lines.length; i++) {
+        let event;
+        try {
+            event = JSON.parse(lines[i] ?? '');
+        }
+        catch {
+            return {
+                valid: false,
+                totalEntries: lines.length,
+                firstBrokenAt: i + 1,
+                message: `Line ${String(i + 1)} is not valid JSON.`,
+            };
+        }
+        // Verify previousHash linkage
+        if (event.previousHash !== previousHash) {
+            return {
+                valid: false,
+                totalEntries: lines.length,
+                firstBrokenAt: i + 1,
+                message: `Chain broken at entry ${String(i + 1)}: previousHash mismatch.`,
+            };
+        }
+        // Verify self-hash
+        const expected = recomputeHash(event);
+        if (event.hash !== expected) {
+            return {
+                valid: false,
+                totalEntries: lines.length,
+                firstBrokenAt: i + 1,
+                message: `Entry ${String(i + 1)} hash mismatch — possible tampering detected.`,
+            };
+        }
+        previousHash = event.hash;
+    }
+    return {
+        valid: true,
+        totalEntries: lines.length,
+        message: `Chain verified — ${String(lines.length)} entries are intact.`,
+    };
+}
+//# sourceMappingURL=verifier.js.map

package/dist/engine/audit-trail/verifier.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"verifier.js","sourceRoot":"","sources":["../../../src/engine/audit-trail/verifier.ts"],"names":[],"mappings":"AAAA,oFAAoF;AAGpF,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AACrC,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAExE,uFAAuF;AACvF,SAAS,aAAa,CAAC,KAAiB;IACtC,OAAO,MAAM,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC,CAAC;AACtC,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CAAC,QAAgB;IACzD,IAAI,KAAe,CAAC;IACpB,IAAI,CAAC;QACH,KAAK,GAAG,MAAM,cAAc,CAAC,QAAQ,CAAC,CAAC;IACzC,CAAC;IAAC,OAAO,GAAY,EAAE,CAAC;QACtB,IAAI,WAAW,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YAC9C,OAAO;gBACL,KAAK,EAAE,IAAI;gBACX,YAAY,EAAE,CAAC;gBACf,OAAO,EAAE,sCAAsC;aAChD,CAAC;QACJ,CAAC;QACD,MAAM,GAAG,CAAC;IACZ,CAAC;IAED,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,OAAO;YACL,KAAK,EAAE,IAAI;YACX,YAAY,EAAE,CAAC;YACf,OAAO,EAAE,sCAAsC;SAChD,CAAC;IACJ,CAAC;IAED,IAAI,YAAY,GAAG,EAAE,CAAC;IAEtB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,IAAI,KAAiB,CAAC;QACtB,IAAI,CAAC;YACH,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAe,CAAC;QACnD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,YAAY,EAAE,KAAK,CAAC,MAAM;gBAC1B,aAAa,EAAE,CAAC,GAAG,CAAC;gBACpB,OAAO,EAAE,QAAQ,MAAM,CAAC,CAAC,GAAG,CAAC,CAAC,qBAAqB;aACpD,CAAC;QACJ,CAAC;QAED,8BAA8B;QAC9B,IAAI,KAAK,CAAC,YAAY,KAAK,YAAY,EAAE,CAAC;YACxC,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,YAAY,EAAE,KAAK,CAAC,MAAM;gBAC1B,aAAa,EAAE,CAAC,GAAG,CAAC;gBACpB,OAAO,EAAE,yBAAyB,MAAM,CAAC,CAAC,GAAG,CAAC,CAAC,0BAA0B;aAC1E,CAAC;QACJ,CAAC;QAED,mBAAmB;QACnB,MAAM,QAAQ,GAAG,aAAa,CAAC,KAAK,CAAC,CAAC;QACtC,IAAI,KAAK,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YAC5B,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,YAAY,EAAE,KAAK,CAAC,MAAM;gBAC1B,aAAa,EAAE,CAAC,GAAG,CAAC;gBACpB,OAAO,EAAE,SAAS,MAAM,CAAC,CAAC,GAAG,CAAC,CAAC,+CAA+C;aAC/E,CAAC;QACJ,CAAC;QAED,YAAY,GAAG,KAAK,CAAC,IAAI,CAAC;IAC5B,CAAC;IAED,OAAO;QACL,KAAK,EAAE,IAAI;QACX,YAAY,EAAE,KAAK,CAAC,MAAM;QAC1B,OAAO,EAAE,oBAAoB,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,sBAAsB;KACxE,CAAC;AACJ,CAAC"}

package/dist/engine/auth/config.d.ts

@@ -0,0 +1,20 @@
+import type { AuthConfig } from '../../types/index.js';
+/**
+ * Load auth config from disk. Returns null when no config has been set yet.
+ * Config is cached in memory after the first load.
+ */
+export declare function loadAuthConfig(): Promise<AuthConfig | null>;
+/**
+ * Save auth config to disk and update the in-memory cache.
+ * Ensures the data/global directory exists before writing.
+ */
+export declare function saveAuthConfig(config: AuthConfig): Promise<void>;
+/**
+ * Check whether auth has been configured (config file exists and is valid).
+ */
+export declare function isAuthConfigured(): Promise<boolean>;
+/**
+ * Reset the in-memory cache. Used in tests and after config deletion.
+ */
+export declare function resetAuthConfigCache(): void;
+//# sourceMappingURL=config.d.ts.map

package/dist/engine/auth/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../../src/engine/auth/config.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAC;AAOvD;;;GAGG;AACH,wBAAsB,cAAc,IAAI,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAajE;AAED;;;GAGG;AACH,wBAAsB,cAAc,CAAC,MAAM,EAAE,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC,CAKtE;AAED;;GAEG;AACH,wBAAsB,gBAAgB,IAAI,OAAO,CAAC,OAAO,CAAC,CAGzD;AAED;;GAEG;AACH,wBAAgB,oBAAoB,IAAI,IAAI,CAE3C"}

package/dist/engine/auth/config.js

@@ -0,0 +1,49 @@
+// engine/auth/config.ts — AuthConfig loading and saving (SPEC-161)
+// Persists to data/global/auth-config.json. Never persists tokens.
+import { readFile, writeFile, mkdir } from 'node:fs/promises';
+import { join } from 'node:path';
+const CONFIG_DIR = join(process.cwd(), 'data', 'global');
+const CONFIG_PATH = join(CONFIG_DIR, 'auth-config.json');
+let cached = null;
+/**
+ * Load auth config from disk. Returns null when no config has been set yet.
+ * Config is cached in memory after the first load.
+ */
+export async function loadAuthConfig() {
+    if (cached !== null) {
+        return cached;
+    }
+    try {
+        const raw = await readFile(CONFIG_PATH, 'utf-8');
+        cached = JSON.parse(raw);
+        return cached;
+    }
+    catch {
+        // File does not exist or is unreadable — no config set yet.
+        return null;
+    }
+}
+/**
+ * Save auth config to disk and update the in-memory cache.
+ * Ensures the data/global directory exists before writing.
+ */
+export async function saveAuthConfig(config) {
+    await mkdir(CONFIG_DIR, { recursive: true });
+    const serialized = JSON.stringify(config, null, 2);
+    await writeFile(CONFIG_PATH, serialized, 'utf-8');
+    cached = config;
+}
+/**
+ * Check whether auth has been configured (config file exists and is valid).
+ */
+export async function isAuthConfigured() {
+    const config = await loadAuthConfig();
+    return config !== null;
+}
+/**
+ * Reset the in-memory cache. Used in tests and after config deletion.
+ */
+export function resetAuthConfigCache() {
+    cached = null;
+}
+//# sourceMappingURL=config.js.map

package/dist/engine/auth/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../../../src/engine/auth/config.ts"],"names":[],"mappings":"AAAA,mEAAmE;AACnE,mEAAmE;AAEnE,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,kBAAkB,CAAC;AAC9D,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAGjC,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;AACzD,MAAM,WAAW,GAAG,IAAI,CAAC,UAAU,EAAE,kBAAkB,CAAC,CAAC;AAEzD,IAAI,MAAM,GAAsB,IAAI,CAAC;AAErC;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc;IAClC,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;QACpB,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC;QACjD,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAe,CAAC;QACvC,OAAO,MAAM,CAAC;IAChB,CAAC;IAAC,MAAM,CAAC;QACP,4DAA4D;QAC5D,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,MAAkB;IACrD,MAAM,KAAK,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC7C,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;IACnD,MAAM,SAAS,CAAC,WAAW,EAAE,UAAU,EAAE,OAAO,CAAC,CAAC;IAClD,MAAM,GAAG,MAAM,CAAC;AAClB,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB;IACpC,MAAM,MAAM,GAAG,MAAM,cAAc,EAAE,CAAC;IACtC,OAAO,MAAM,KAAK,IAAI,CAAC;AACzB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,oBAAoB;IAClC,MAAM,GAAG,IAAI,CAAC;AAChB,CAAC"}

package/dist/engine/auth/index.d.ts

@@ -0,0 +1,6 @@
+export { loadAuthConfig, saveAuthConfig, isAuthConfigured, resetAuthConfigCache, } from './config.js';
+export { generateCodeVerifier, deriveCodeChallenge, generatePkceChallenge } from './pkce.js';
+export { resolveAllowedTools, isToolAllowed, BUILTIN_SCOPE_MAPPINGS } from './scope-mapper.js';
+export { extractBearerToken, validateToken } from './token-validator.js';
+export { evaluateAuthContext, authorizeToolCall } from './middleware.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/engine/auth/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/engine/auth/index.ts"],"names":[],"mappings":"AAEA,OAAO,EACL,cAAc,EACd,cAAc,EACd,gBAAgB,EAChB,oBAAoB,GACrB,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,oBAAoB,EAAE,mBAAmB,EAAE,qBAAqB,EAAE,MAAM,WAAW,CAAC;AAC7F,OAAO,EAAE,mBAAmB,EAAE,aAAa,EAAE,sBAAsB,EAAE,MAAM,mBAAmB,CAAC;AAC/F,OAAO,EAAE,kBAAkB,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AACzE,OAAO,EAAE,mBAAmB,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC"}

package/dist/engine/auth/index.js

@@ -0,0 +1,7 @@
+// engine/auth/index.ts — Barrel export for the auth engine module (SPEC-161)
+export { loadAuthConfig, saveAuthConfig, isAuthConfigured, resetAuthConfigCache, } from './config.js';
+export { generateCodeVerifier, deriveCodeChallenge, generatePkceChallenge } from './pkce.js';
+export { resolveAllowedTools, isToolAllowed, BUILTIN_SCOPE_MAPPINGS } from './scope-mapper.js';
+export { extractBearerToken, validateToken } from './token-validator.js';
+export { evaluateAuthContext, authorizeToolCall } from './middleware.js';
+//# sourceMappingURL=index.js.map

package/dist/engine/auth/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/engine/auth/index.ts"],"names":[],"mappings":"AAAA,6EAA6E;AAE7E,OAAO,EACL,cAAc,EACd,cAAc,EACd,gBAAgB,EAChB,oBAAoB,GACrB,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,oBAAoB,EAAE,mBAAmB,EAAE,qBAAqB,EAAE,MAAM,WAAW,CAAC;AAC7F,OAAO,EAAE,mBAAmB,EAAE,aAAa,EAAE,sBAAsB,EAAE,MAAM,mBAAmB,CAAC;AAC/F,OAAO,EAAE,kBAAkB,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AACzE,OAAO,EAAE,mBAAmB,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC"}

package/dist/engine/auth/middleware.d.ts

@@ -0,0 +1,19 @@
+import type { AuthContext } from '../../types/index.js';
+/**
+ * Evaluate an incoming Authorization header against the current auth config.
+ *
+ * Behavior:
+ * - No auth config → returns disabled context (all tools allowed, no enforcement).
+ * - Auth config present but no token → returns invalid context.
+ * - Auth config present and token provided → validates and maps scopes to tools.
+ *
+ * This function is async because it loads config from disk on first call
+ * (cached thereafter) and may call the introspection endpoint.
+ */
+export declare function evaluateAuthContext(authorizationHeader: string | undefined): Promise<AuthContext>;
+/**
+ * Check whether the caller is authorized to invoke a specific tool.
+ * When auth is disabled (stdio mode), all tools are accessible.
+ */
+export declare function authorizeToolCall(toolName: string, context: AuthContext): boolean;
+//# sourceMappingURL=middleware.d.ts.map

package/dist/engine/auth/middleware.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../../../src/engine/auth/middleware.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,WAAW,EAAc,MAAM,sBAAsB,CAAC;AAWpE;;;;;;;;;;GAUG;AACH,wBAAsB,mBAAmB,CACvC,mBAAmB,EAAE,MAAM,GAAG,SAAS,GACtC,OAAO,CAAC,WAAW,CAAC,CAyBtB;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,WAAW,GAAG,OAAO,CAQjF"}

package/dist/engine/auth/middleware.js

@@ -0,0 +1,64 @@
+// engine/auth/middleware.ts — Auth middleware for hosted MCP requests (SPEC-161)
+// Is a no-op when auth is not configured (local stdio mode).
+// Never logs token values.
+import { loadAuthConfig } from './config.js';
+import { validateToken, extractBearerToken } from './token-validator.js';
+import { resolveAllowedTools } from './scope-mapper.js';
+/** Unauthenticated context returned when auth is disabled (stdio mode). */
+const DISABLED_CONTEXT = {
+    enabled: false,
+    allowedTools: [],
+};
+/**
+ * Evaluate an incoming Authorization header against the current auth config.
+ *
+ * Behavior:
+ * - No auth config → returns disabled context (all tools allowed, no enforcement).
+ * - Auth config present but no token → returns invalid context.
+ * - Auth config present and token provided → validates and maps scopes to tools.
+ *
+ * This function is async because it loads config from disk on first call
+ * (cached thereafter) and may call the introspection endpoint.
+ */
+export async function evaluateAuthContext(authorizationHeader) {
+    const config = await loadAuthConfig();
+    if (config === null) {
+        return DISABLED_CONTEXT;
+    }
+    const token = extractBearerToken(authorizationHeader);
+    if (!token) {
+        return buildInvalidContext(config, 'Missing or malformed Authorization: Bearer <token> header');
+    }
+    const validation = await validateToken(token, config);
+    if (!validation.valid) {
+        return buildInvalidContext(config, validation.reason ?? 'Token validation failed');
+    }
+    const allowedTools = resolveAllowedTools(validation.scopes, config.scopeMappings);
+    return {
+        enabled: true,
+        validation,
+        allowedTools,
+    };
+}
+/**
+ * Check whether the caller is authorized to invoke a specific tool.
+ * When auth is disabled (stdio mode), all tools are accessible.
+ */
+export function authorizeToolCall(toolName, context) {
+    if (!context.enabled) {
+        return true;
+    }
+    if (!context.validation?.valid) {
+        return false;
+    }
+    return context.allowedTools.includes(toolName);
+}
+function buildInvalidContext(config, reason) {
+    void config; // Config is loaded but only used to mark auth as enabled
+    return {
+        enabled: true,
+        validation: { valid: false, scopes: [], reason },
+        allowedTools: [],
+    };
+}
+//# sourceMappingURL=middleware.js.map

package/dist/engine/auth/middleware.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.js","sourceRoot":"","sources":["../../../src/engine/auth/middleware.ts"],"names":[],"mappings":"AAAA,iFAAiF;AACjF,6DAA6D;AAC7D,2BAA2B;AAG3B,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAC7C,OAAO,EAAE,aAAa,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAC;AACzE,OAAO,EAAE,mBAAmB,EAAE,MAAM,mBAAmB,CAAC;AAExD,2EAA2E;AAC3E,MAAM,gBAAgB,GAAgB;IACpC,OAAO,EAAE,KAAK;IACd,YAAY,EAAE,EAAE;CACjB,CAAC;AAEF;;;;;;;;;;GAUG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,mBAAuC;IAEvC,MAAM,MAAM,GAAG,MAAM,cAAc,EAAE,CAAC;IAEtC,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;QACpB,OAAO,gBAAgB,CAAC;IAC1B,CAAC;IAED,MAAM,KAAK,GAAG,kBAAkB,CAAC,mBAAmB,CAAC,CAAC;IACtD,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,mBAAmB,CAAC,MAAM,EAAE,2DAA2D,CAAC,CAAC;IAClG,CAAC;IAED,MAAM,UAAU,GAAG,MAAM,aAAa,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;IAEtD,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,CAAC;QACtB,OAAO,mBAAmB,CAAC,MAAM,EAAE,UAAU,CAAC,MAAM,IAAI,yBAAyB,CAAC,CAAC;IACrF,CAAC;IAED,MAAM,YAAY,GAAG,mBAAmB,CAAC,UAAU,CAAC,MAAM,EAAE,MAAM,CAAC,aAAa,CAAC,CAAC;IAElF,OAAO;QACL,OAAO,EAAE,IAAI;QACb,UAAU;QACV,YAAY;KACb,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,iBAAiB,CAAC,QAAgB,EAAE,OAAoB;IACtE,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC;QACrB,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,KAAK,EAAE,CAAC;QAC/B,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,OAAO,CAAC,YAAY,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;AACjD,CAAC;AAED,SAAS,mBAAmB,CAAC,MAAkB,EAAE,MAAc;IAC7D,KAAK,MAAM,CAAC,CAAC,yDAAyD;IACtE,OAAO;QACL,OAAO,EAAE,IAAI;QACb,UAAU,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,EAAE;QAChD,YAAY,EAAE,EAAE;KACjB,CAAC;AACJ,CAAC"}