@predicatesystems/authority 0.3.1

package/dist/src/contracts/decision.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"decision.js","sourceRoot":"","sources":["../../../src/contracts/decision.ts"],"names":[],"mappings":"AAUA,MAAM,UAAU,uBAAuB,CAAC,KAAc;IACpD,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;QAChD,OAAO,KAAK,CAAC;IACf,CAAC;IACD,MAAM,GAAG,GAAG,KAAgC,CAAC;IAC7C,OAAO,CACL,OAAO,GAAG,CAAC,OAAO,KAAK,SAAS;QAChC,OAAO,GAAG,CAAC,MAAM,KAAK,QAAQ;QAC9B,CAAC,GAAG,CAAC,UAAU,KAAK,IAAI,IAAI,OAAO,GAAG,CAAC,UAAU,KAAK,QAAQ,CAAC;QAC/D,CAAC,GAAG,CAAC,aAAa,KAAK,IAAI,IAAI,OAAO,GAAG,CAAC,aAAa,KAAK,QAAQ,CAAC;QACrE,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC;QACjC,GAAG,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,OAAO,KAAK,KAAK,QAAQ,CAAC,CAC/D,CAAC;AACJ,CAAC"}

package/dist/src/contracts/enums.d.ts

@@ -0,0 +1,7 @@
+export declare const AUTHORIZATION_REASONS: readonly ["allowed", "no_matching_policy", "explicit_deny", "missing_required_verification", "max_delegation_depth_exceeded", "invalid_mandate", "rate_limit_exceeded"];
+export type AuthorizationReason = (typeof AUTHORIZATION_REASONS)[number];
+export declare const VERIFICATION_STATUSES: readonly ["passed", "failed", "skipped"];
+export type VerificationStatus = (typeof VERIFICATION_STATUSES)[number];
+export declare const POLICY_EFFECTS: readonly ["allow", "deny"];
+export type PolicyEffect = (typeof POLICY_EFFECTS)[number];
+//# sourceMappingURL=enums.d.ts.map

package/dist/src/contracts/enums.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"enums.d.ts","sourceRoot":"","sources":["../../../src/contracts/enums.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,qBAAqB,yKAQxB,CAAC;AAEX,MAAM,MAAM,mBAAmB,GAAG,CAAC,OAAO,qBAAqB,CAAC,CAAC,MAAM,CAAC,CAAC;AAEzE,eAAO,MAAM,qBAAqB,0CAA2C,CAAC;AAC9E,MAAM,MAAM,kBAAkB,GAAG,CAAC,OAAO,qBAAqB,CAAC,CAAC,MAAM,CAAC,CAAC;AAExE,eAAO,MAAM,cAAc,4BAA6B,CAAC;AACzD,MAAM,MAAM,YAAY,GAAG,CAAC,OAAO,cAAc,CAAC,CAAC,MAAM,CAAC,CAAC"}

package/dist/src/contracts/enums.js

@@ -0,0 +1,12 @@
+export const AUTHORIZATION_REASONS = [
+    "allowed",
+    "no_matching_policy",
+    "explicit_deny",
+    "missing_required_verification",
+    "max_delegation_depth_exceeded",
+    "invalid_mandate",
+    "rate_limit_exceeded",
+];
+export const VERIFICATION_STATUSES = ["passed", "failed", "skipped"];
+export const POLICY_EFFECTS = ["allow", "deny"];
+//# sourceMappingURL=enums.js.map

package/dist/src/contracts/enums.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"enums.js","sourceRoot":"","sources":["../../../src/contracts/enums.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,qBAAqB,GAAG;IACnC,SAAS;IACT,oBAAoB;IACpB,eAAe;IACf,+BAA+B;IAC/B,+BAA+B;IAC/B,iBAAiB;IACjB,qBAAqB;CACb,CAAC;AAIX,MAAM,CAAC,MAAM,qBAAqB,GAAG,CAAC,QAAQ,EAAE,QAAQ,EAAE,SAAS,CAAU,CAAC;AAG9E,MAAM,CAAC,MAAM,cAAc,GAAG,CAAC,OAAO,EAAE,MAAM,CAAU,CAAC"}

package/dist/src/contracts/index.d.ts

@@ -0,0 +1,16 @@
+export type { ActionRequest, ActionSpec, AuthorizeRequest, PrincipalRef, SidecarAuthorizeRequest, StateEvidence, VerificationEvidence, VerificationSignal, } from "./action-request.js";
+export { toSidecarAuthorizeRequest } from "./action-request.js";
+export type { AuthorizationResponse } from "./decision.js";
+export { isAuthorizationResponse } from "./decision.js";
+export type { AuthorizationDecision } from "./authorization-decision.js";
+export { isAuthorizationDecision } from "./authorization-decision.js";
+export type { AuthorizationReason, PolicyEffect, VerificationStatus } from "./enums.js";
+export { AUTHORIZATION_REASONS, POLICY_EFFECTS, VERIFICATION_STATUSES } from "./enums.js";
+export type { MandateClaims, SignedMandate } from "./mandate.js";
+export { isMandateClaims, isSignedMandate } from "./mandate.js";
+export type { PolicyRule } from "./policy-rule.js";
+export { isPolicyRule } from "./policy-rule.js";
+export type { ProofEvent } from "./proof-event.js";
+export { isProofEvent } from "./proof-event.js";
+export { isLabelPassed, passedLabels } from "./verification.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/src/contracts/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/contracts/index.ts"],"names":[],"mappings":"AAAA,YAAY,EACV,aAAa,EACb,UAAU,EACV,gBAAgB,EAChB,YAAY,EACZ,uBAAuB,EACvB,aAAa,EACb,oBAAoB,EACpB,kBAAkB,GACnB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,yBAAyB,EAAE,MAAM,qBAAqB,CAAC;AAChE,YAAY,EAAE,qBAAqB,EAAE,MAAM,eAAe,CAAC;AAC3D,OAAO,EAAE,uBAAuB,EAAE,MAAM,eAAe,CAAC;AACxD,YAAY,EAAE,qBAAqB,EAAE,MAAM,6BAA6B,CAAC;AACzE,OAAO,EAAE,uBAAuB,EAAE,MAAM,6BAA6B,CAAC;AACtE,YAAY,EAAE,mBAAmB,EAAE,YAAY,EAAE,kBAAkB,EAAE,MAAM,YAAY,CAAC;AACxF,OAAO,EAAE,qBAAqB,EAAE,cAAc,EAAE,qBAAqB,EAAE,MAAM,YAAY,CAAC;AAC1F,YAAY,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AACjE,OAAO,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AAChE,YAAY,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AACnD,OAAO,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAChD,YAAY,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AACnD,OAAO,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAChD,OAAO,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC"}

package/dist/src/contracts/index.js

@@ -0,0 +1,9 @@
+export { toSidecarAuthorizeRequest } from "./action-request.js";
+export { isAuthorizationResponse } from "./decision.js";
+export { isAuthorizationDecision } from "./authorization-decision.js";
+export { AUTHORIZATION_REASONS, POLICY_EFFECTS, VERIFICATION_STATUSES } from "./enums.js";
+export { isMandateClaims, isSignedMandate } from "./mandate.js";
+export { isPolicyRule } from "./policy-rule.js";
+export { isProofEvent } from "./proof-event.js";
+export { isLabelPassed, passedLabels } from "./verification.js";
+//# sourceMappingURL=index.js.map

package/dist/src/contracts/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/contracts/index.ts"],"names":[],"mappings":"AAUA,OAAO,EAAE,yBAAyB,EAAE,MAAM,qBAAqB,CAAC;AAEhE,OAAO,EAAE,uBAAuB,EAAE,MAAM,eAAe,CAAC;AAExD,OAAO,EAAE,uBAAuB,EAAE,MAAM,6BAA6B,CAAC;AAEtE,OAAO,EAAE,qBAAqB,EAAE,cAAc,EAAE,qBAAqB,EAAE,MAAM,YAAY,CAAC;AAE1F,OAAO,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AAEhE,OAAO,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAEhD,OAAO,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAChD,OAAO,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC"}

package/dist/src/contracts/mandate.d.ts

@@ -0,0 +1,29 @@
+export interface MandateClaims {
+    mandate_id: string;
+    principal_id: string;
+    action: string;
+    resource: string;
+    intent_hash: string;
+    state_hash: string;
+    issued_at_epoch_s: number;
+    expires_at_epoch_s: number;
+    delegated_by?: string | null;
+    parent_mandate_id?: string | null;
+    delegation_depth?: number;
+    delegation_chain_hash?: string | null;
+    iss?: string | null;
+    aud?: string | null;
+    sub?: string | null;
+    iat?: number | null;
+    exp?: number | null;
+    nbf?: number | null;
+    jti?: string | null;
+}
+export interface SignedMandate {
+    token: string;
+    claims: MandateClaims;
+    signature: string;
+}
+export declare function isMandateClaims(value: unknown): value is MandateClaims;
+export declare function isSignedMandate(value: unknown): value is SignedMandate;
+//# sourceMappingURL=mandate.d.ts.map

package/dist/src/contracts/mandate.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"mandate.d.ts","sourceRoot":"","sources":["../../../src/contracts/mandate.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,aAAa;IAC5B,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,EAAE,MAAM,CAAC;IACrB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,UAAU,EAAE,MAAM,CAAC;IACnB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,kBAAkB,EAAE,MAAM,CAAC;IAC3B,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,iBAAiB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAClC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,qBAAqB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACtC,GAAG,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,GAAG,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,GAAG,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,GAAG,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,GAAG,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,GAAG,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,GAAG,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CACrB;AAED,MAAM,WAAW,aAAa;IAC5B,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,aAAa,CAAC;IACtB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,wBAAgB,eAAe,CAAC,KAAK,EAAE,OAAO,GAAG,KAAK,IAAI,aAAa,CAetE;AAED,wBAAgB,eAAe,CAAC,KAAK,EAAE,OAAO,GAAG,KAAK,IAAI,aAAa,CAUtE"}

package/dist/src/contracts/mandate.js

@@ -0,0 +1,24 @@
+export function isMandateClaims(value) {
+    if (typeof value !== "object" || value === null) {
+        return false;
+    }
+    const obj = value;
+    return (typeof obj.mandate_id === "string" &&
+        typeof obj.principal_id === "string" &&
+        typeof obj.action === "string" &&
+        typeof obj.resource === "string" &&
+        typeof obj.intent_hash === "string" &&
+        typeof obj.state_hash === "string" &&
+        typeof obj.issued_at_epoch_s === "number" &&
+        typeof obj.expires_at_epoch_s === "number");
+}
+export function isSignedMandate(value) {
+    if (typeof value !== "object" || value === null) {
+        return false;
+    }
+    const obj = value;
+    return (typeof obj.token === "string" &&
+        typeof obj.signature === "string" &&
+        isMandateClaims(obj.claims));
+}
+//# sourceMappingURL=mandate.js.map

package/dist/src/contracts/mandate.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"mandate.js","sourceRoot":"","sources":["../../../src/contracts/mandate.ts"],"names":[],"mappings":"AA4BA,MAAM,UAAU,eAAe,CAAC,KAAc;IAC5C,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;QAChD,OAAO,KAAK,CAAC;IACf,CAAC;IACD,MAAM,GAAG,GAAG,KAAgC,CAAC;IAC7C,OAAO,CACL,OAAO,GAAG,CAAC,UAAU,KAAK,QAAQ;QAClC,OAAO,GAAG,CAAC,YAAY,KAAK,QAAQ;QACpC,OAAO,GAAG,CAAC,MAAM,KAAK,QAAQ;QAC9B,OAAO,GAAG,CAAC,QAAQ,KAAK,QAAQ;QAChC,OAAO,GAAG,CAAC,WAAW,KAAK,QAAQ;QACnC,OAAO,GAAG,CAAC,UAAU,KAAK,QAAQ;QAClC,OAAO,GAAG,CAAC,iBAAiB,KAAK,QAAQ;QACzC,OAAO,GAAG,CAAC,kBAAkB,KAAK,QAAQ,CAC3C,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,KAAc;IAC5C,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;QAChD,OAAO,KAAK,CAAC;IACf,CAAC;IACD,MAAM,GAAG,GAAG,KAAgC,CAAC;IAC7C,OAAO,CACL,OAAO,GAAG,CAAC,KAAK,KAAK,QAAQ;QAC7B,OAAO,GAAG,CAAC,SAAS,KAAK,QAAQ;QACjC,eAAe,CAAC,GAAG,CAAC,MAAM,CAAC,CAC5B,CAAC;AACJ,CAAC"}

package/dist/src/contracts/policy-rule.d.ts

@@ -0,0 +1,12 @@
+import type { PolicyEffect } from "./enums.js";
+export interface PolicyRule {
+    name: string;
+    effect: PolicyEffect;
+    principals: string[];
+    actions: string[];
+    resources: string[];
+    required_labels?: string[];
+    max_delegation_depth?: number;
+}
+export declare function isPolicyRule(value: unknown): value is PolicyRule;
+//# sourceMappingURL=policy-rule.d.ts.map

package/dist/src/contracts/policy-rule.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy-rule.d.ts","sourceRoot":"","sources":["../../../src/contracts/policy-rule.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAE/C,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,YAAY,CAAC;IACrB,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,SAAS,EAAE,MAAM,EAAE,CAAC;IACpB,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,oBAAoB,CAAC,EAAE,MAAM,CAAC;CAC/B;AAED,wBAAgB,YAAY,CAAC,KAAK,EAAE,OAAO,GAAG,KAAK,IAAI,UAAU,CAchE"}

package/dist/src/contracts/policy-rule.js

@@ -0,0 +1,17 @@
+export function isPolicyRule(value) {
+    if (typeof value !== "object" || value === null) {
+        return false;
+    }
+    const obj = value;
+    return (typeof obj.name === "string" &&
+        (obj.effect === "allow" || obj.effect === "deny") &&
+        isStringArray(obj.principals) &&
+        isStringArray(obj.actions) &&
+        isStringArray(obj.resources) &&
+        (obj.required_labels === undefined || isStringArray(obj.required_labels)) &&
+        (obj.max_delegation_depth === undefined || typeof obj.max_delegation_depth === "number"));
+}
+function isStringArray(value) {
+    return Array.isArray(value) && value.every((item) => typeof item === "string");
+}
+//# sourceMappingURL=policy-rule.js.map

package/dist/src/contracts/policy-rule.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy-rule.js","sourceRoot":"","sources":["../../../src/contracts/policy-rule.ts"],"names":[],"mappings":"AAYA,MAAM,UAAU,YAAY,CAAC,KAAc;IACzC,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;QAChD,OAAO,KAAK,CAAC;IACf,CAAC;IACD,MAAM,GAAG,GAAG,KAAgC,CAAC;IAC7C,OAAO,CACL,OAAO,GAAG,CAAC,IAAI,KAAK,QAAQ;QAC5B,CAAC,GAAG,CAAC,MAAM,KAAK,OAAO,IAAI,GAAG,CAAC,MAAM,KAAK,MAAM,CAAC;QACjD,aAAa,CAAC,GAAG,CAAC,UAAU,CAAC;QAC7B,aAAa,CAAC,GAAG,CAAC,OAAO,CAAC;QAC1B,aAAa,CAAC,GAAG,CAAC,SAAS,CAAC;QAC5B,CAAC,GAAG,CAAC,eAAe,KAAK,SAAS,IAAI,aAAa,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;QACzE,CAAC,GAAG,CAAC,oBAAoB,KAAK,SAAS,IAAI,OAAO,GAAG,CAAC,oBAAoB,KAAK,QAAQ,CAAC,CACzF,CAAC;AACJ,CAAC;AAED,SAAS,aAAa,CAAC,KAAc;IACnC,OAAO,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,KAAK,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,OAAO,IAAI,KAAK,QAAQ,CAAC,CAAC;AACjF,CAAC"}

package/dist/src/contracts/proof-event.d.ts

@@ -0,0 +1,13 @@
+import type { AuthorizationReason } from "./enums.js";
+export interface ProofEvent {
+    event_type: string;
+    principal_id: string;
+    action: string;
+    resource: string;
+    reason: AuthorizationReason | string;
+    allowed: boolean;
+    mandate_id: string | null;
+    emitted_at_epoch_s: number;
+}
+export declare function isProofEvent(value: unknown): value is ProofEvent;
+//# sourceMappingURL=proof-event.d.ts.map

package/dist/src/contracts/proof-event.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"proof-event.d.ts","sourceRoot":"","sources":["../../../src/contracts/proof-event.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC;AAEtD,MAAM,WAAW,UAAU;IACzB,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,EAAE,MAAM,CAAC;IACrB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,mBAAmB,GAAG,MAAM,CAAC;IACrC,OAAO,EAAE,OAAO,CAAC;IACjB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,kBAAkB,EAAE,MAAM,CAAC;CAC5B;AAED,wBAAgB,YAAY,CAAC,KAAK,EAAE,OAAO,GAAG,KAAK,IAAI,UAAU,CAehE"}

package/dist/src/contracts/proof-event.js

@@ -0,0 +1,15 @@
+export function isProofEvent(value) {
+    if (typeof value !== "object" || value === null) {
+        return false;
+    }
+    const obj = value;
+    return (typeof obj.event_type === "string" &&
+        typeof obj.principal_id === "string" &&
+        typeof obj.action === "string" &&
+        typeof obj.resource === "string" &&
+        typeof obj.reason === "string" &&
+        typeof obj.allowed === "boolean" &&
+        (obj.mandate_id === null || typeof obj.mandate_id === "string") &&
+        typeof obj.emitted_at_epoch_s === "number");
+}
+//# sourceMappingURL=proof-event.js.map

package/dist/src/contracts/proof-event.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"proof-event.js","sourceRoot":"","sources":["../../../src/contracts/proof-event.ts"],"names":[],"mappings":"AAaA,MAAM,UAAU,YAAY,CAAC,KAAc;IACzC,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;QAChD,OAAO,KAAK,CAAC;IACf,CAAC;IACD,MAAM,GAAG,GAAG,KAAgC,CAAC;IAC7C,OAAO,CACL,OAAO,GAAG,CAAC,UAAU,KAAK,QAAQ;QAClC,OAAO,GAAG,CAAC,YAAY,KAAK,QAAQ;QACpC,OAAO,GAAG,CAAC,MAAM,KAAK,QAAQ;QAC9B,OAAO,GAAG,CAAC,QAAQ,KAAK,QAAQ;QAChC,OAAO,GAAG,CAAC,MAAM,KAAK,QAAQ;QAC9B,OAAO,GAAG,CAAC,OAAO,KAAK,SAAS;QAChC,CAAC,GAAG,CAAC,UAAU,KAAK,IAAI,IAAI,OAAO,GAAG,CAAC,UAAU,KAAK,QAAQ,CAAC;QAC/D,OAAO,GAAG,CAAC,kBAAkB,KAAK,QAAQ,CAC3C,CAAC;AACJ,CAAC"}

package/dist/src/contracts/verification.d.ts

@@ -0,0 +1,4 @@
+import type { VerificationEvidence } from "./action-request.js";
+export declare function isLabelPassed(evidence: VerificationEvidence | undefined, label: string): boolean;
+export declare function passedLabels(evidence: VerificationEvidence | undefined): string[];
+//# sourceMappingURL=verification.d.ts.map

package/dist/src/contracts/verification.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verification.d.ts","sourceRoot":"","sources":["../../../src/contracts/verification.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAEhE,wBAAgB,aAAa,CAC3B,QAAQ,EAAE,oBAAoB,GAAG,SAAS,EAC1C,KAAK,EAAE,MAAM,GACZ,OAAO,CAOT;AAED,wBAAgB,YAAY,CAAC,QAAQ,EAAE,oBAAoB,GAAG,SAAS,GAAG,MAAM,EAAE,CAOjF"}

package/dist/src/contracts/verification.js

@@ -0,0 +1,15 @@
+export function isLabelPassed(evidence, label) {
+    if (!evidence?.signals || label.trim() === "") {
+        return false;
+    }
+    return evidence.signals.some((signal) => signal.label === label && signal.status === "passed");
+}
+export function passedLabels(evidence) {
+    if (!evidence?.signals) {
+        return [];
+    }
+    return evidence.signals
+        .filter((signal) => signal.status === "passed")
+        .map((signal) => signal.label);
+}
+//# sourceMappingURL=verification.js.map

package/dist/src/contracts/verification.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"verification.js","sourceRoot":"","sources":["../../../src/contracts/verification.ts"],"names":[],"mappings":"AAEA,MAAM,UAAU,aAAa,CAC3B,QAA0C,EAC1C,KAAa;IAEb,IAAI,CAAC,QAAQ,EAAE,OAAO,IAAI,KAAK,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;QAC9C,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,QAAQ,CAAC,OAAO,CAAC,IAAI,CAC1B,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,KAAK,KAAK,KAAK,IAAI,MAAM,CAAC,MAAM,KAAK,QAAQ,CACjE,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,QAA0C;IACrE,IAAI,CAAC,QAAQ,EAAE,OAAO,EAAE,CAAC;QACvB,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,OAAO,QAAQ,CAAC,OAAO;SACpB,MAAM,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,MAAM,KAAK,QAAQ,CAAC;SAC9C,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACnC,CAAC"}

package/dist/src/errors.d.ts

@@ -0,0 +1,13 @@
+export type AuthorityClientErrorCode = "timeout" | "network_error" | "protocol_error" | "bad_request" | "unauthorized" | "forbidden" | "server_error";
+export declare class AuthorityClientError extends Error {
+    readonly code: AuthorityClientErrorCode;
+    readonly status?: number;
+    readonly details?: unknown;
+    constructor(message: string, options: {
+        code: AuthorityClientErrorCode;
+        status?: number;
+        details?: unknown;
+        cause?: unknown;
+    });
+}
+//# sourceMappingURL=errors.d.ts.map

package/dist/src/errors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../src/errors.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,wBAAwB,GAChC,SAAS,GACT,eAAe,GACf,gBAAgB,GAChB,aAAa,GACb,cAAc,GACd,WAAW,GACX,cAAc,CAAC;AAEnB,qBAAa,oBAAqB,SAAQ,KAAK;IAC7C,QAAQ,CAAC,IAAI,EAAE,wBAAwB,CAAC;IACxC,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,OAAO,CAAC,EAAE,OAAO,CAAC;gBAGzB,OAAO,EAAE,MAAM,EACf,OAAO,EAAE;QACP,IAAI,EAAE,wBAAwB,CAAC;QAC/B,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,OAAO,CAAC,EAAE,OAAO,CAAC;QAClB,KAAK,CAAC,EAAE,OAAO,CAAC;KACjB;CAWJ"}

package/dist/src/errors.js

@@ -0,0 +1,16 @@
+export class AuthorityClientError extends Error {
+    code;
+    status;
+    details;
+    constructor(message, options) {
+        super(message);
+        this.name = "AuthorityClientError";
+        this.code = options.code;
+        this.status = options.status;
+        this.details = options.details;
+        if (options.cause !== undefined) {
+            this.cause = options.cause;
+        }
+    }
+}
+//# sourceMappingURL=errors.js.map

package/dist/src/errors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.js","sourceRoot":"","sources":["../../src/errors.ts"],"names":[],"mappings":"AASA,MAAM,OAAO,oBAAqB,SAAQ,KAAK;IACpC,IAAI,CAA2B;IAC/B,MAAM,CAAU;IAChB,OAAO,CAAW;IAE3B,YACE,OAAe,EACf,OAKC;QAED,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,sBAAsB,CAAC;QACnC,IAAI,CAAC,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC;QACzB,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;QAC7B,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;QAC/B,IAAI,OAAO,CAAC,KAAK,KAAK,SAAS,EAAE,CAAC;YAC/B,IAAoC,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;QAC9D,CAAC;IACH,CAAC;CACF"}

package/dist/src/evidence/non-web.d.ts

@@ -0,0 +1,47 @@
+import type { StateEvidence, VerificationEvidence, VerificationSignal } from "../contracts/action-request.js";
+export type EvidenceHasher = (material: string) => string;
+export interface TerminalSessionSnapshot {
+    session_id?: string;
+    terminal_id?: string;
+    cwd?: string;
+    command?: string;
+    transcript_hash?: string;
+    observed_at?: string;
+    confidence?: number;
+}
+export interface DesktopAccessibilitySnapshot {
+    app_name?: string;
+    window_title?: string;
+    focused_role?: string;
+    focused_name?: string;
+    ui_tree_hash?: string;
+    observed_at?: string;
+    confidence?: number;
+}
+export interface TerminalEvidenceProvider {
+    captureTerminalSnapshot(): Promise<TerminalSessionSnapshot> | TerminalSessionSnapshot;
+}
+export interface DesktopAccessibilityEvidenceProvider {
+    captureAccessibilitySnapshot(): Promise<DesktopAccessibilitySnapshot> | DesktopAccessibilitySnapshot;
+}
+export interface VerificationSignalProvider {
+    collectVerificationSignals(): Promise<VerificationSignal[]> | VerificationSignal[];
+}
+export interface TerminalStateEvidenceOptions {
+    snapshot: TerminalSessionSnapshot;
+    stateHash?: string;
+    schemaVersion?: string;
+    confidence?: number;
+    hasher?: EvidenceHasher;
+}
+export interface DesktopStateEvidenceOptions {
+    snapshot: DesktopAccessibilitySnapshot;
+    stateHash?: string;
+    schemaVersion?: string;
+    confidence?: number;
+    hasher?: EvidenceHasher;
+}
+export declare function buildTerminalStateEvidence(options: TerminalStateEvidenceOptions): StateEvidence;
+export declare function buildDesktopAccessibilityStateEvidence(options: DesktopStateEvidenceOptions): StateEvidence;
+export declare function collectVerificationEvidence(provider: VerificationSignalProvider): Promise<VerificationEvidence>;
+//# sourceMappingURL=non-web.d.ts.map

package/dist/src/evidence/non-web.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"non-web.d.ts","sourceRoot":"","sources":["../../../src/evidence/non-web.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,oBAAoB,EAAE,kBAAkB,EAAE,MAAM,gCAAgC,CAAC;AAE9G,MAAM,MAAM,cAAc,GAAG,CAAC,QAAQ,EAAE,MAAM,KAAK,MAAM,CAAC;AAE1D,MAAM,WAAW,uBAAuB;IACtC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,4BAA4B;IAC3C,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAGD,MAAM,WAAW,wBAAwB;IACvC,uBAAuB,IAAI,OAAO,CAAC,uBAAuB,CAAC,GAAG,uBAAuB,CAAC;CACvF;AAED,MAAM,WAAW,oCAAoC;IACnD,4BAA4B,IACxB,OAAO,CAAC,4BAA4B,CAAC,GACrC,4BAA4B,CAAC;CAClC;AAED,MAAM,WAAW,0BAA0B;IACzC,0BAA0B,IAAI,OAAO,CAAC,kBAAkB,EAAE,CAAC,GAAG,kBAAkB,EAAE,CAAC;CACpF;AAED,MAAM,WAAW,4BAA4B;IAC3C,QAAQ,EAAE,uBAAuB,CAAC;IAClC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,MAAM,CAAC,EAAE,cAAc,CAAC;CACzB;AAED,MAAM,WAAW,2BAA2B;IAC1C,QAAQ,EAAE,4BAA4B,CAAC;IACvC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,MAAM,CAAC,EAAE,cAAc,CAAC;CACzB;AAED,wBAAgB,0BAA0B,CAAC,OAAO,EAAE,4BAA4B,GAAG,aAAa,CAQ/F;AAED,wBAAgB,sCAAsC,CACpD,OAAO,EAAE,2BAA2B,GACnC,aAAa,CAQf;AAED,wBAAsB,2BAA2B,CAC/C,QAAQ,EAAE,0BAA0B,GACnC,OAAO,CAAC,oBAAoB,CAAC,CAE/B"}

package/dist/src/evidence/non-web.js

@@ -0,0 +1,58 @@
+export function buildTerminalStateEvidence(options) {
+    const stateHash = options.stateHash ?? hashMaterial(materializeTerminalSnapshot(options.snapshot), options.hasher);
+    return {
+        source: "terminal",
+        state_hash: stateHash,
+        schema_version: options.schemaVersion ?? "terminal-v1",
+        confidence: options.confidence ?? options.snapshot.confidence,
+    };
+}
+export function buildDesktopAccessibilityStateEvidence(options) {
+    const stateHash = options.stateHash ?? hashMaterial(materializeDesktopSnapshot(options.snapshot), options.hasher);
+    return {
+        source: "desktop_accessibility",
+        state_hash: stateHash,
+        schema_version: options.schemaVersion ?? "desktop-a11y-v1",
+        confidence: options.confidence ?? options.snapshot.confidence,
+    };
+}
+export async function collectVerificationEvidence(provider) {
+    return { signals: await provider.collectVerificationSignals() };
+}
+function materializeTerminalSnapshot(snapshot) {
+    return JSON.stringify({
+        command: snapshot.command ?? "",
+        confidence: snapshot.confidence ?? "",
+        cwd: snapshot.cwd ?? "",
+        observed_at: snapshot.observed_at ?? "",
+        session_id: snapshot.session_id ?? "",
+        terminal_id: snapshot.terminal_id ?? "",
+        transcript_hash: snapshot.transcript_hash ?? "",
+    });
+}
+function materializeDesktopSnapshot(snapshot) {
+    return JSON.stringify({
+        app_name: snapshot.app_name ?? "",
+        confidence: snapshot.confidence ?? "",
+        focused_name: snapshot.focused_name ?? "",
+        focused_role: snapshot.focused_role ?? "",
+        observed_at: snapshot.observed_at ?? "",
+        ui_tree_hash: snapshot.ui_tree_hash ?? "",
+        window_title: snapshot.window_title ?? "",
+    });
+}
+function hashMaterial(material, hasher) {
+    if (hasher) {
+        return hasher(material);
+    }
+    return `sh_${fnv1a32Hex(material)}`;
+}
+function fnv1a32Hex(input) {
+    let hash = 0x811c9dc5;
+    for (let i = 0; i < input.length; i += 1) {
+        hash ^= input.charCodeAt(i);
+        hash = Math.imul(hash, 0x01000193);
+    }
+    return (hash >>> 0).toString(16).padStart(8, "0");
+}
+//# sourceMappingURL=non-web.js.map

package/dist/src/evidence/non-web.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"non-web.js","sourceRoot":"","sources":["../../../src/evidence/non-web.ts"],"names":[],"mappings":"AAuDA,MAAM,UAAU,0BAA0B,CAAC,OAAqC;IAC9E,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,YAAY,CAAC,2BAA2B,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;IACnH,OAAO;QACL,MAAM,EAAE,UAAU;QAClB,UAAU,EAAE,SAAS;QACrB,cAAc,EAAE,OAAO,CAAC,aAAa,IAAI,aAAa;QACtD,UAAU,EAAE,OAAO,CAAC,UAAU,IAAI,OAAO,CAAC,QAAQ,CAAC,UAAU;KAC9D,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,sCAAsC,CACpD,OAAoC;IAEpC,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,YAAY,CAAC,0BAA0B,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;IAClH,OAAO;QACL,MAAM,EAAE,uBAAuB;QAC/B,UAAU,EAAE,SAAS;QACrB,cAAc,EAAE,OAAO,CAAC,aAAa,IAAI,iBAAiB;QAC1D,UAAU,EAAE,OAAO,CAAC,UAAU,IAAI,OAAO,CAAC,QAAQ,CAAC,UAAU;KAC9D,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,2BAA2B,CAC/C,QAAoC;IAEpC,OAAO,EAAE,OAAO,EAAE,MAAM,QAAQ,CAAC,0BAA0B,EAAE,EAAE,CAAC;AAClE,CAAC;AAED,SAAS,2BAA2B,CAAC,QAAiC;IACpE,OAAO,IAAI,CAAC,SAAS,CAAC;QACpB,OAAO,EAAE,QAAQ,CAAC,OAAO,IAAI,EAAE;QAC/B,UAAU,EAAE,QAAQ,CAAC,UAAU,IAAI,EAAE;QACrC,GAAG,EAAE,QAAQ,CAAC,GAAG,IAAI,EAAE;QACvB,WAAW,EAAE,QAAQ,CAAC,WAAW,IAAI,EAAE;QACvC,UAAU,EAAE,QAAQ,CAAC,UAAU,IAAI,EAAE;QACrC,WAAW,EAAE,QAAQ,CAAC,WAAW,IAAI,EAAE;QACvC,eAAe,EAAE,QAAQ,CAAC,eAAe,IAAI,EAAE;KAChD,CAAC,CAAC;AACL,CAAC;AAED,SAAS,0BAA0B,CAAC,QAAsC;IACxE,OAAO,IAAI,CAAC,SAAS,CAAC;QACpB,QAAQ,EAAE,QAAQ,CAAC,QAAQ,IAAI,EAAE;QACjC,UAAU,EAAE,QAAQ,CAAC,UAAU,IAAI,EAAE;QACrC,YAAY,EAAE,QAAQ,CAAC,YAAY,IAAI,EAAE;QACzC,YAAY,EAAE,QAAQ,CAAC,YAAY,IAAI,EAAE;QACzC,WAAW,EAAE,QAAQ,CAAC,WAAW,IAAI,EAAE;QACvC,YAAY,EAAE,QAAQ,CAAC,YAAY,IAAI,EAAE;QACzC,YAAY,EAAE,QAAQ,CAAC,YAAY,IAAI,EAAE;KAC1C,CAAC,CAAC;AACL,CAAC;AAED,SAAS,YAAY,CAAC,QAAgB,EAAE,MAAuB;IAC7D,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,MAAM,CAAC,QAAQ,CAAC,CAAC;IAC1B,CAAC;IACD,OAAO,MAAM,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;AACtC,CAAC;AAED,SAAS,UAAU,CAAC,KAAa;IAC/B,IAAI,IAAI,GAAG,UAAU,CAAC;IACtB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;QACzC,IAAI,IAAI,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;QAC5B,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;IACrC,CAAC;IACD,OAAO,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;AACpD,CAAC"}

package/dist/src/evidence/web-state.d.ts

@@ -0,0 +1,33 @@
+import type { StateEvidence } from "../contracts/action-request.js";
+export interface WebStateSnapshot {
+    url?: string;
+    title?: string;
+    dom_hash?: string;
+    visible_text_hash?: string;
+    event_id?: string;
+    observed_at?: string;
+    dominant_group_key?: string;
+    snapshot_timestamp?: string;
+    confidence?: number;
+    confidence_reasons?: string[];
+}
+export interface RuntimeSnapshotLike {
+    url?: string;
+    timestamp?: string;
+    dominant_group_key?: string;
+    diagnostics?: {
+        confidence?: number | null;
+        reasons?: string[];
+    };
+}
+export interface WebStateEvidenceOptions {
+    snapshot: WebStateSnapshot;
+    stateHash?: string;
+    schemaVersion?: string;
+    confidence?: number;
+    hasher?: (material: string) => string;
+}
+export declare function buildWebStateEvidence(options: WebStateEvidenceOptions): StateEvidence;
+export declare function webStateSnapshotFromRuntimeSnapshot(snapshot: RuntimeSnapshotLike): WebStateSnapshot;
+export declare function buildWebStateEvidenceFromRuntimeSnapshot(snapshot: RuntimeSnapshotLike, options?: Omit<WebStateEvidenceOptions, "snapshot" | "confidence">): StateEvidence;
+//# sourceMappingURL=web-state.d.ts.map

package/dist/src/evidence/web-state.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"web-state.d.ts","sourceRoot":"","sources":["../../../src/evidence/web-state.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,gCAAgC,CAAC;AAEpE,MAAM,WAAW,gBAAgB;IAC/B,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,kBAAkB,CAAC,EAAE,MAAM,EAAE,CAAC;CAC/B;AAED,MAAM,WAAW,mBAAmB;IAClC,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,WAAW,CAAC,EAAE;QACZ,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;QAC3B,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;KACpB,CAAC;CACH;AAED,MAAM,WAAW,uBAAuB;IACtC,QAAQ,EAAE,gBAAgB,CAAC;IAC3B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,MAAM,CAAC,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,MAAM,CAAC;CACvC;AAED,wBAAgB,qBAAqB,CAAC,OAAO,EAAE,uBAAuB,GAAG,aAAa,CAQrF;AAED,wBAAgB,mCAAmC,CAAC,QAAQ,EAAE,mBAAmB,GAAG,gBAAgB,CASnG;AAED,wBAAgB,wCAAwC,CACtD,QAAQ,EAAE,mBAAmB,EAC7B,OAAO,CAAC,EAAE,IAAI,CAAC,uBAAuB,EAAE,UAAU,GAAG,YAAY,CAAC,GACjE,aAAa,CASf"}

package/dist/src/evidence/web-state.js

@@ -0,0 +1,58 @@
+export function buildWebStateEvidence(options) {
+    const stateHash = options.stateHash ?? hashWebSnapshotMaterial(materializeSnapshot(options.snapshot), options.hasher);
+    return {
+        source: "browser",
+        state_hash: stateHash,
+        schema_version: options.schemaVersion ?? "web-v1",
+        confidence: options.confidence ?? options.snapshot.confidence,
+    };
+}
+export function webStateSnapshotFromRuntimeSnapshot(snapshot) {
+    return {
+        url: snapshot.url,
+        observed_at: snapshot.timestamp,
+        snapshot_timestamp: snapshot.timestamp,
+        dominant_group_key: snapshot.dominant_group_key,
+        confidence: snapshot.diagnostics?.confidence ?? undefined,
+        confidence_reasons: snapshot.diagnostics?.reasons,
+    };
+}
+export function buildWebStateEvidenceFromRuntimeSnapshot(snapshot, options) {
+    const mapped = webStateSnapshotFromRuntimeSnapshot(snapshot);
+    return buildWebStateEvidence({
+        snapshot: mapped,
+        stateHash: options?.stateHash,
+        schemaVersion: options?.schemaVersion,
+        hasher: options?.hasher,
+        confidence: mapped.confidence,
+    });
+}
+function materializeSnapshot(snapshot) {
+    return JSON.stringify({
+        confidence: snapshot.confidence ?? "",
+        confidence_reasons: snapshot.confidence_reasons ?? [],
+        dom_hash: snapshot.dom_hash ?? "",
+        dominant_group_key: snapshot.dominant_group_key ?? "",
+        event_id: snapshot.event_id ?? "",
+        observed_at: snapshot.observed_at ?? "",
+        snapshot_timestamp: snapshot.snapshot_timestamp ?? "",
+        title: snapshot.title ?? "",
+        url: snapshot.url ?? "",
+        visible_text_hash: snapshot.visible_text_hash ?? "",
+    });
+}
+function hashWebSnapshotMaterial(material, hasher) {
+    if (hasher) {
+        return hasher(material);
+    }
+    return `sh_${fnv1a32Hex(material)}`;
+}
+function fnv1a32Hex(input) {
+    let hash = 0x811c9dc5;
+    for (let i = 0; i < input.length; i += 1) {
+        hash ^= input.charCodeAt(i);
+        hash = Math.imul(hash, 0x01000193);
+    }
+    return (hash >>> 0).toString(16).padStart(8, "0");
+}
+//# sourceMappingURL=web-state.js.map

package/dist/src/evidence/web-state.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"web-state.js","sourceRoot":"","sources":["../../../src/evidence/web-state.ts"],"names":[],"mappings":"AAiCA,MAAM,UAAU,qBAAqB,CAAC,OAAgC;IACpE,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,uBAAuB,CAAC,mBAAmB,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;IACtH,OAAO;QACL,MAAM,EAAE,SAAS;QACjB,UAAU,EAAE,SAAS;QACrB,cAAc,EAAE,OAAO,CAAC,aAAa,IAAI,QAAQ;QACjD,UAAU,EAAE,OAAO,CAAC,UAAU,IAAI,OAAO,CAAC,QAAQ,CAAC,UAAU;KAC9D,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,mCAAmC,CAAC,QAA6B;IAC/E,OAAO;QACL,GAAG,EAAE,QAAQ,CAAC,GAAG;QACjB,WAAW,EAAE,QAAQ,CAAC,SAAS;QAC/B,kBAAkB,EAAE,QAAQ,CAAC,SAAS;QACtC,kBAAkB,EAAE,QAAQ,CAAC,kBAAkB;QAC/C,UAAU,EAAE,QAAQ,CAAC,WAAW,EAAE,UAAU,IAAI,SAAS;QACzD,kBAAkB,EAAE,QAAQ,CAAC,WAAW,EAAE,OAAO;KAClD,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,wCAAwC,CACtD,QAA6B,EAC7B,OAAkE;IAElE,MAAM,MAAM,GAAG,mCAAmC,CAAC,QAAQ,CAAC,CAAC;IAC7D,OAAO,qBAAqB,CAAC;QAC3B,QAAQ,EAAE,MAAM;QAChB,SAAS,EAAE,OAAO,EAAE,SAAS;QAC7B,aAAa,EAAE,OAAO,EAAE,aAAa;QACrC,MAAM,EAAE,OAAO,EAAE,MAAM;QACvB,UAAU,EAAE,MAAM,CAAC,UAAU;KAC9B,CAAC,CAAC;AACL,CAAC;AAED,SAAS,mBAAmB,CAAC,QAA0B;IACrD,OAAO,IAAI,CAAC,SAAS,CAAC;QACpB,UAAU,EAAE,QAAQ,CAAC,UAAU,IAAI,EAAE;QACrC,kBAAkB,EAAE,QAAQ,CAAC,kBAAkB,IAAI,EAAE;QACrD,QAAQ,EAAE,QAAQ,CAAC,QAAQ,IAAI,EAAE;QACjC,kBAAkB,EAAE,QAAQ,CAAC,kBAAkB,IAAI,EAAE;QACrD,QAAQ,EAAE,QAAQ,CAAC,QAAQ,IAAI,EAAE;QACjC,WAAW,EAAE,QAAQ,CAAC,WAAW,IAAI,EAAE;QACvC,kBAAkB,EAAE,QAAQ,CAAC,kBAAkB,IAAI,EAAE;QACrD,KAAK,EAAE,QAAQ,CAAC,KAAK,IAAI,EAAE;QAC3B,GAAG,EAAE,QAAQ,CAAC,GAAG,IAAI,EAAE;QACvB,iBAAiB,EAAE,QAAQ,CAAC,iBAAiB,IAAI,EAAE;KACpD,CAAC,CAAC;AACL,CAAC;AAED,SAAS,uBAAuB,CAAC,QAAgB,EAAE,MAAqC;IACtF,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,MAAM,CAAC,QAAQ,CAAC,CAAC;IAC1B,CAAC;IACD,OAAO,MAAM,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;AACtC,CAAC;AAED,SAAS,UAAU,CAAC,KAAa;IAC/B,IAAI,IAAI,GAAG,UAAU,CAAC;IACtB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;QACzC,IAAI,IAAI,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;QAC5B,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;IACrC,CAAC;IACD,OAAO,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;AACpD,CAAC"}

package/dist/src/guard/action-guard.d.ts

@@ -0,0 +1,24 @@
+import type { ActionRequest } from "../contracts/action-request.js";
+import type { PolicyEngine } from "../policy/engine.js";
+import type { AuthorizationDecision, SignedMandate } from "../types.js";
+export declare class AuthorizationDeniedError extends Error {
+    readonly decision: AuthorizationDecision;
+    constructor(decision: AuthorizationDecision);
+}
+export interface ActionExecutionResult<T> {
+    value: T;
+    decision: AuthorizationDecision;
+    mandate: SignedMandate | null;
+}
+export interface ActionGuardOptions {
+    policyEngine: PolicyEngine;
+    mandateIssuer?: (request: ActionRequest) => SignedMandate;
+}
+export declare class ActionGuard {
+    private readonly policyEngine;
+    private readonly mandateIssuer?;
+    constructor(options: ActionGuardOptions);
+    authorize(request: ActionRequest, delegationDepth?: number): AuthorizationDecision;
+    enforce<T>(action: () => T, request: ActionRequest, delegationDepth?: number): ActionExecutionResult<T>;
+}
+//# sourceMappingURL=action-guard.d.ts.map

package/dist/src/guard/action-guard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"action-guard.d.ts","sourceRoot":"","sources":["../../../src/guard/action-guard.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,gCAAgC,CAAC;AACpE,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACxD,OAAO,KAAK,EAAE,qBAAqB,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAExE,qBAAa,wBAAyB,SAAQ,KAAK;IACjD,QAAQ,CAAC,QAAQ,EAAE,qBAAqB,CAAC;gBAE7B,QAAQ,EAAE,qBAAqB;CAK5C;AAED,MAAM,WAAW,qBAAqB,CAAC,CAAC;IACtC,KAAK,EAAE,CAAC,CAAC;IACT,QAAQ,EAAE,qBAAqB,CAAC;IAChC,OAAO,EAAE,aAAa,GAAG,IAAI,CAAC;CAC/B;AAED,MAAM,WAAW,kBAAkB;IACjC,YAAY,EAAE,YAAY,CAAC;IAC3B,aAAa,CAAC,EAAE,CAAC,OAAO,EAAE,aAAa,KAAK,aAAa,CAAC;CAC3D;AAED,qBAAa,WAAW;IACtB,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAe;IAC5C,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC,CAA4C;gBAE/D,OAAO,EAAE,kBAAkB;IAKvC,SAAS,CAAC,OAAO,EAAE,aAAa,EAAE,eAAe,SAAI,GAAG,qBAAqB;IAsB7E,OAAO,CAAC,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,OAAO,EAAE,aAAa,EAAE,eAAe,SAAI,GAAG,qBAAqB,CAAC,CAAC,CAAC;CAYnG"}

package/dist/src/guard/action-guard.js

@@ -0,0 +1,49 @@
+export class AuthorizationDeniedError extends Error {
+    decision;
+    constructor(decision) {
+        super(`authority denied: ${decision.reason}`);
+        this.name = "AuthorizationDeniedError";
+        this.decision = decision;
+    }
+}
+export class ActionGuard {
+    policyEngine;
+    mandateIssuer;
+    constructor(options) {
+        this.policyEngine = options.policyEngine;
+        this.mandateIssuer = options.mandateIssuer;
+    }
+    authorize(request, delegationDepth = 0) {
+        const evaluation = this.policyEngine.evaluate(request, delegationDepth);
+        if (!evaluation.allowed) {
+            return {
+                allowed: false,
+                reason: evaluation.reason,
+                violated_rule: evaluation.matched_rule ?? null,
+                missing_labels: evaluation.missing_labels ?? [],
+                mandate: null,
+            };
+        }
+        const mandate = this.mandateIssuer ? this.mandateIssuer(request) : null;
+        return {
+            allowed: true,
+            reason: "allowed",
+            violated_rule: evaluation.matched_rule ?? null,
+            missing_labels: [],
+            mandate,
+        };
+    }
+    enforce(action, request, delegationDepth = 0) {
+        const decision = this.authorize(request, delegationDepth);
+        if (!decision.allowed) {
+            throw new AuthorizationDeniedError(decision);
+        }
+        const value = action();
+        return {
+            value,
+            decision,
+            mandate: decision.mandate ?? null,
+        };
+    }
+}
+//# sourceMappingURL=action-guard.js.map

package/dist/src/guard/action-guard.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"action-guard.js","sourceRoot":"","sources":["../../../src/guard/action-guard.ts"],"names":[],"mappings":"AAIA,MAAM,OAAO,wBAAyB,SAAQ,KAAK;IACxC,QAAQ,CAAwB;IAEzC,YAAY,QAA+B;QACzC,KAAK,CAAC,qBAAqB,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;QAC9C,IAAI,CAAC,IAAI,GAAG,0BAA0B,CAAC;QACvC,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;IAC3B,CAAC;CACF;AAaD,MAAM,OAAO,WAAW;IACL,YAAY,CAAe;IAC3B,aAAa,CAA6C;IAE3E,YAAY,OAA2B;QACrC,IAAI,CAAC,YAAY,GAAG,OAAO,CAAC,YAAY,CAAC;QACzC,IAAI,CAAC,aAAa,GAAG,OAAO,CAAC,aAAa,CAAC;IAC7C,CAAC;IAED,SAAS,CAAC,OAAsB,EAAE,eAAe,GAAG,CAAC;QACnD,MAAM,UAAU,GAAG,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,OAAO,EAAE,eAAe,CAAC,CAAC;QACxE,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC;YACxB,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,UAAU,CAAC,MAAM;gBACzB,aAAa,EAAE,UAAU,CAAC,YAAY,IAAI,IAAI;gBAC9C,cAAc,EAAE,UAAU,CAAC,cAAc,IAAI,EAAE;gBAC/C,OAAO,EAAE,IAAI;aACd,CAAC;QACJ,CAAC;QAED,MAAM,OAAO,GAAG,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;QACxE,OAAO;YACL,OAAO,EAAE,IAAI;YACb,MAAM,EAAE,SAAS;YACjB,aAAa,EAAE,UAAU,CAAC,YAAY,IAAI,IAAI;YAC9C,cAAc,EAAE,EAAE;YAClB,OAAO;SACR,CAAC;IACJ,CAAC;IAED,OAAO,CAAI,MAAe,EAAE,OAAsB,EAAE,eAAe,GAAG,CAAC;QACrE,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,eAAe,CAAC,CAAC;QAC1D,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC;YACtB,MAAM,IAAI,wBAAwB,CAAC,QAAQ,CAAC,CAAC;QAC/C,CAAC;QACD,MAAM,KAAK,GAAG,MAAM,EAAE,CAAC;QACvB,OAAO;YACL,KAAK;YACL,QAAQ;YACR,OAAO,EAAE,QAAQ,CAAC,OAAO,IAAI,IAAI;SAClC,CAAC;IACJ,CAAC;CACF"}

package/dist/src/index.d.ts

@@ -0,0 +1,27 @@
+import { type AuthorizationResponse, type AuthorizeRequest } from "./types.js";
+export type { ActionRequest, ActionSpec, AuthorizationDecision, AuthorizationRequest, AuthorizationReason, AuthorizeRequest, AuthorizationResponse, MandateClaims, PolicyEffect, PolicyRule, PrincipalRef, ProofEvent, SidecarAuthorizeRequest, SignedMandate, StateEvidence, VerificationEvidence, VerificationSignal, VerificationStatus, } from "./types.js";
+export { AuthorityClientError, type AuthorityClientErrorCode } from "./errors.js";
+export { AUTHORIZATION_REASONS, POLICY_EFFECTS, VERIFICATION_STATUSES, isAuthorizationDecision, isMandateClaims, isLabelPassed, isPolicyRule, isProofEvent, passedLabels, isSignedMandate, toSidecarAuthorizeRequest, } from "./types.js";
+export { effectiveMaxDelegationDepth, globMatch, matchesRule } from "./policy/matching.js";
+export { PolicyEngine, type PolicyMatchResult } from "./policy/engine.js";
+export { ActionGuard, AuthorizationDeniedError, type ActionExecutionResult, type ActionGuardOptions, } from "./guard/action-guard.js";
+export { guardedFileRead, guardedFileWrite, guardedHttp, guardedShell, type GuardedFileReadOptions, type GuardedFileWriteOptions, type GuardedHttpOptions, type GuardedShellOptions, } from "./wrappers/sensitive-operations.js";
+export { buildWebStateEvidenceFromRuntimeSnapshot, buildWebStateEvidence, type RuntimeSnapshotLike, type WebStateEvidenceOptions, type WebStateSnapshot, webStateSnapshotFromRuntimeSnapshot, } from "./evidence/web-state.js";
+export { buildDesktopAccessibilityStateEvidence, buildTerminalStateEvidence, collectVerificationEvidence, type DesktopAccessibilityEvidenceProvider, type DesktopAccessibilitySnapshot, type DesktopStateEvidenceOptions, type EvidenceHasher, type TerminalEvidenceProvider, type TerminalSessionSnapshot, type TerminalStateEvidenceOptions, type VerificationSignalProvider, } from "./evidence/non-web.js";
+export interface AuthorityClientOptions {
+    baseUrl: string;
+    timeoutMs?: number;
+    maxRetries?: number;
+    backoffInitialMs?: number;
+    endpointPath?: "/v1/authorize" | "/authorize";
+}
+export declare class AuthorityClient {
+    private readonly baseUrl;
+    private readonly timeoutMs;
+    private readonly maxRetries;
+    private readonly backoffInitialMs;
+    private readonly endpointPath;
+    constructor(options: AuthorityClientOptions);
+    authorize(request: AuthorizeRequest): Promise<AuthorizationResponse>;
+}
+//# sourceMappingURL=index.d.ts.map