@predicatesystems/authority 0.3.3 → 0.4.1

package/README.md

@@ -5,11 +5,29 @@
 [![License](https://img.shields.io/badge/License-MIT%2FApache--2.0-blue.svg)](LICENSE)
 [![npm](https://img.shields.io/npm/v/@predicatesystems/authority.svg)](https://www.npmjs.com/package/@predicatesystems/authority)
 
-`@predicatesystems/authority` is the TypeScript SDK companion to the Python
-`predicate-authorityd` sidecar from [predicate-authority (Python)](https://github.com/PredicateSystems/predicate-authority). It keeps authority
+<table>
+<tr>
+<td width="50%" align="center">
+<strong>OpenClaw Agent Tool Calls</strong><br>
+<video src="https://github.com/user-attachments/assets/0fdf1ebb-6044-4288-9613-cd46f98cc284" autoplay loop muted playsinline></video>
+</td>
+<td width="50%" align="center">
+<strong>Temporal Workflows</strong><br>
+<video src="https://github.com/user-attachments/assets/511b6d38-90ab-413e-8af6-a89fc459eea5" autoplay loop muted playsinline></video>
+</td>
+</tr>
+</table>
+
+`@predicatesystems/authority` is the TypeScript SDK for Predicate Authority. It keeps authority
 decisions in the sidecar and gives Node/TS runtimes a thin, typed client for
 fail-closed pre-execution checks.
 
+## 🛡️ Pre-Execution Authorization — Live in Your Terminal
+
+Watch every ALLOW/DENY decision as it happens. No guesswork. No post-mortems. Real-time control over what your agent can and cannot do.
+
+![TUI Dashboard](docs/assets/tui.gif)
+
 ## Why Predicate Authority?
 
 Most agent security failures come from over-broad delegated credentials and lack
@@ -33,26 +51,168 @@ This TS repository currently focuses on:
 Out of scope for this package:
 
 - re-implementing policy engine or mandate logic in TypeScript,
-- replacing Python sidecar/control-plane authority logic.
+- replacing sidecar/control-plane authority logic.
+
+## Installation
+
+```bash
+npm install @predicatesystems/authority
+```
 
-## Known Python Parity Baseline
+### Sidecar Prerequisite
 
-This package targets compatibility with the current Python authority baseline in
-[predicate-authority (Python)](https://github.com/PredicateSystems/predicate-authority):
+This SDK requires the **Predicate Authority Sidecar** daemon to be running. The sidecar is a lightweight Rust binary that handles policy evaluation and mandate signing.
 
-- sidecar authorize route: `POST /v1/authorize` (`/authorize` compat alias),
-- mandate/token baseline: ES256-default signing + standard JWT claim envelope,
-- revocation baseline: explicit cascade semantics and global kill-switch runtime behavior,
-- control-plane baseline: long-poll policy/revocation sync (runtime baseline),
-- control-plane write hardening: replay freshness headers/signature support on Python client paths.
+| Resource | Link |
+|----------|------|
+| Sidecar Repository | [predicate-authority-sidecar](https://github.com/PredicateSystems/predicate-authority-sidecar) |
+| Download Binaries | [Latest Releases](https://github.com/PredicateSystems/predicate-authority-sidecar/releases) |
+| npm Package | [@predicatesystems/authorityd](https://www.npmjs.com/package/@predicatesystems/authorityd) |
+| License | MIT / Apache 2.0 |
 
-The TS SDK should preserve compatibility with these runtime behaviors before
-adding TS-specific extensions.
+### Quick Sidecar Setup
 
-## Installation
+**Option A: Install via npm (recommended)**
 
 ```bash
-npm install @predicatesystems/authority
+npm install @predicatesystems/authorityd
+
+# The binary is automatically included for your platform
+# Run with npx:
+npx predicate-authorityd --help
+```
+
+**Option B: Manual download**
+
+```bash
+# Download from GitHub releases for your platform:
+# https://github.com/PredicateSystems/predicate-authority-sidecar/releases
+
+tar -xzf predicate-authorityd-darwin-arm64.tar.gz  # or your platform
+chmod +x predicate-authorityd
+```
+
+### Running the Sidecar
+
+The Rust sidecar uses **global CLI arguments** (before the `run` subcommand) or a **TOML config file**.
+
+**Basic local mode:**
+
+```bash
+./predicate-authorityd \
+  --host 127.0.0.1 \
+  --port 8787 \
+  --mode local_only \
+  --policy-file policy.json \
+  run
+```
+
+**Using environment variables:**
+
+```bash
+export PREDICATE_HOST=127.0.0.1
+export PREDICATE_PORT=8787
+export PREDICATE_MODE=local_only
+export PREDICATE_POLICY_FILE=policy.json
+
+./predicate-authorityd run
+```
+
+**Using a config file:**
+
+```bash
+# Generate example config
+./predicate-authorityd init-config --output config.toml
+
+# Run with config
+./predicate-authorityd --config config.toml run
+```
+
+### Sidecar CLI Reference
+
+```
+GLOBAL OPTIONS (use before 'run'):
+  -c, --config <FILE>           Path to TOML config file [env: PREDICATE_CONFIG]
+      --host <HOST>             Host to bind to [env: PREDICATE_HOST] [default: 127.0.0.1]
+      --port <PORT>             Port to bind to [env: PREDICATE_PORT] [default: 8787]
+      --mode <MODE>             local_only or cloud_connected [env: PREDICATE_MODE]
+      --policy-file <PATH>      Path to policy JSON [env: PREDICATE_POLICY_FILE]
+      --identity-file <PATH>    Path to local identity registry [env: PREDICATE_IDENTITY_FILE]
+      --log-level <LEVEL>       trace, debug, info, warn, error [env: PREDICATE_LOG_LEVEL]
+      --control-plane-url <URL> Control-plane URL [env: PREDICATE_CONTROL_PLANE_URL]
+      --tenant-id <ID>          Tenant ID [env: PREDICATE_TENANT_ID]
+      --project-id <ID>         Project ID [env: PREDICATE_PROJECT_ID]
+      --predicate-api-key <KEY> API key [env: PREDICATE_API_KEY]
+      --sync-enabled            Enable control-plane sync [env: PREDICATE_SYNC_ENABLED]
+      --fail-open               Fail open if control-plane unreachable [env: PREDICATE_FAIL_OPEN]
+
+IDENTITY PROVIDER OPTIONS:
+      --identity-mode <MODE>    local, local-idp, oidc, entra, or okta [env: PREDICATE_IDENTITY_MODE]
+      --allow-local-fallback    Allow local/local-idp in cloud_connected mode
+      --idp-token-ttl-s <SECS>  IdP token TTL seconds [default: 300]
+      --mandate-ttl-s <SECS>    Mandate TTL seconds [default: 300]
+
+LOCAL IDP OPTIONS (for identity-mode=local-idp):
+      --local-idp-issuer <URL>  Issuer URL [env: LOCAL_IDP_ISSUER]
+      --local-idp-audience <AUD> Audience [env: LOCAL_IDP_AUDIENCE]
+      --local-idp-signing-key-env <VAR> Env var for signing key [default: LOCAL_IDP_SIGNING_KEY]
+
+OIDC OPTIONS (for identity-mode=oidc):
+      --oidc-issuer <URL>       Issuer URL [env: OIDC_ISSUER]
+      --oidc-client-id <ID>     Client ID [env: OIDC_CLIENT_ID]
+      --oidc-audience <AUD>     Audience [env: OIDC_AUDIENCE]
+
+ENTRA OPTIONS (for identity-mode=entra):
+      --entra-tenant-id <ID>    Tenant ID [env: ENTRA_TENANT_ID]
+      --entra-client-id <ID>    Client ID [env: ENTRA_CLIENT_ID]
+      --entra-audience <AUD>    Audience [env: ENTRA_AUDIENCE]
+
+OKTA OPTIONS (for identity-mode=okta):
+      --okta-issuer <URL>       Issuer URL [env: OKTA_ISSUER]
+      --okta-client-id <ID>     Client ID [env: OKTA_CLIENT_ID]
+      --okta-audience <AUD>     Audience [env: OKTA_AUDIENCE]
+      --okta-required-claims    Required claims (comma-separated)
+      --okta-required-scopes    Required scopes (comma-separated)
+      --okta-required-roles     Required roles/groups (comma-separated)
+      --okta-allowed-tenants    Allowed tenant IDs (comma-separated)
+
+COMMANDS:
+  run          Start the daemon (default)
+  init-config  Generate example config file
+  check-config Validate config file
+  version      Show version info
+```
+
+### Identity Provider Modes
+
+The sidecar supports multiple identity modes for token validation:
+
+- **local** (default): No token validation. Suitable for development.
+- **local-idp**: Self-issued JWT tokens for ephemeral task identities.
+- **oidc**: Generic OIDC provider integration.
+- **entra**: Microsoft Entra ID (Azure AD) integration.
+- **okta**: Enterprise Okta integration with JWKS validation.
+
+**Safety notes:**
+- `idp-token-ttl-s` must be >= `mandate-ttl-s` (enforced at startup)
+- In `cloud_connected` mode, `local` or `local-idp` requires `--allow-local-fallback`
+
+### Cloud-connected sidecar (control-plane sync)
+
+```bash
+export PREDICATE_API_KEY="your-api-key"
+
+./predicate-authorityd \
+  --host 127.0.0.1 \
+  --port 8787 \
+  --mode cloud_connected \
+  --policy-file policy.json \
+  --control-plane-url https://api.predicatesystems.dev \
+  --tenant-id your-tenant \
+  --project-id your-project \
+  --predicate-api-key "$PREDICATE_API_KEY" \
+  --sync-enabled \
+  run
 ```
 
 ## Quick Start
@@ -255,6 +415,57 @@ Common failure modes and first checks:
 - Frequent retries before success
   - tune `maxRetries` and `backoffInitialMs`; investigate sidecar/host resource pressure.
 
+## Audit Vault and Control Plane
+
+The Predicate sidecar and SDKs are 100% open-source and free for local development and single-agent deployments.
+
+However, when deploying a fleet of AI agents in regulated environments (FinTech, Healthcare, Security), security teams cannot manage scattered YAML files or local SQLite databases. For production fleets, we offer the **Predicate Control Plane** and **Audit Vault**.
+
+<table>
+<tr>
+<td width="50%" align="center">
+<img src="docs/images/overview.png" alt="Control Plane Overview" width="100%">
+<br><em>Real-time dashboard with authorization metrics</em>
+</td>
+<td width="50%" align="center">
+<img src="docs/images/fleet_management.png" alt="Fleet Management" width="100%">
+<br><em>Fleet management across all sidecars</em>
+</td>
+</tr>
+<tr>
+<td width="50%" align="center">
+<img src="docs/images/audit_compliance.png" alt="Audit & Compliance" width="100%">
+<br><em>WORM-ready audit ledger with 7-year retention</em>
+</td>
+<td width="50%" align="center">
+<img src="docs/images/policies.png" alt="Policy Management" width="100%">
+<br><em>Centralized policy editor</em>
+</td>
+</tr>
+<tr>
+<td width="50%" align="center">
+<img src="docs/images/revocations.png" alt="Revocations" width="100%">
+<br><em>Global kill-switches and revocations</em>
+</td>
+<td width="50%" align="center">
+<img src="docs/images/siem_integrations.png" alt="SIEM Integrations" width="100%">
+<br><em>SIEM integrations (Splunk, Datadog, Sentinel)</em>
+</td>
+</tr>
+</table>
+
+**Control Plane Features:**
+
+* **Global Kill-Switches:** Instantly revoke a compromised agent's `principal` or `intent_hash`. The revocation syncs to all connected sidecars in milliseconds.
+* **Immutable Audit Vault (WORM):** Every authorized mandate and blocked action is cryptographically signed and stored in a 7-year, WORM-ready ledger. Prove to SOC2 auditors exactly *what* your agents did and *why* they were authorized.
+* **Fleet Management:** Manage your fleet of agents with total control
+* **SIEM Integrations:** Stream authorization events and security alerts directly to Datadog, Splunk, or your existing security dashboard.
+* **Centralized Policy Management:** Update and publish access policies across your entire fleet without redeploying agent code.
+
+**[Learn more about Predicate Systems](https://www.predicatesystems.ai)**
+
+---
+
 ## License
 
 Dual-licensed under **MIT** and **Apache 2.0**:

package/dist/index.d.ts

@@ -8,6 +8,7 @@ export { ActionGuard, AuthorizationDeniedError, type ActionExecutionResult, type
 export { guardedFileRead, guardedFileWrite, guardedHttp, guardedShell, type GuardedFileReadOptions, type GuardedFileWriteOptions, type GuardedHttpOptions, type GuardedShellOptions, } from "./wrappers/sensitive-operations.js";
 export { buildWebStateEvidenceFromRuntimeSnapshot, buildWebStateEvidence, type RuntimeSnapshotLike, type WebStateEvidenceOptions, type WebStateSnapshot, webStateSnapshotFromRuntimeSnapshot, } from "./evidence/web-state.js";
 export { buildDesktopAccessibilityStateEvidence, buildTerminalStateEvidence, collectVerificationEvidence, type DesktopAccessibilityEvidenceProvider, type DesktopAccessibilitySnapshot, type DesktopStateEvidenceOptions, type EvidenceHasher, type TerminalEvidenceProvider, type TerminalSessionSnapshot, type TerminalStateEvidenceOptions, type VerificationSignalProvider, } from "./evidence/non-web.js";
+export { type EvidenceType, type ExecutionEvidence, type FileEvidence, type CliEvidence, type BrowserEvidence, type HttpEvidence, type DbEvidence, type GenericEvidence, type ActualOperation, type AuthorizedOperation, type MandateDetails, type RecordVerificationRequest, type RecordVerificationResponse, type VerificationFailureReason, type VerifyRequest, type VerifyResult, type ResourceMatchOptions, type MandateProvider, type VerifierOptions, getEvidenceType, isMandateDetails, isRecordVerificationResponse, isFileEvidence, isCliEvidence, isBrowserEvidence, isHttpEvidence, isDbEvidence, actionsMatch, normalizeResource, resourcesMatch, Verifier, } from "./verify/index.js";
 export { type Platform, type TerminalSessionSnapshot as CanonicalTerminalInput, type CanonicalTerminalSnapshot, type AccessibilityNode, type DesktopAccessibilitySnapshot as CanonicalDesktopInput, type CanonicalAccessibilityNode, type CanonicalDesktopSnapshot, normalizeText, normalizeCommand, stripAnsi, normalizeTimestamps, normalizeTranscript, normalizePath, isSecretKey, hashEnvironment, sha256, canonicalizeTerminalSnapshot, computeTerminalStateHash, TERMINAL_SCHEMA_VERSION, canonicalizeAccessibilityNode, buildFocusedPath, canonicalizeDesktopSnapshot, computeDesktopStateHash, DESKTOP_SCHEMA_VERSION, } from "./canonicalization/index.js";
 export interface AuthorityClientOptions {
     baseUrl: string;

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EACL,KAAK,qBAAqB,EAC1B,KAAK,gBAAgB,EAGtB,MAAM,YAAY,CAAC;AAEpB,YAAY,EACV,aAAa,EACb,UAAU,EACV,qBAAqB,EACrB,oBAAoB,EACpB,mBAAmB,EACnB,gBAAgB,EAChB,qBAAqB,EACrB,aAAa,EACb,YAAY,EACZ,UAAU,EACV,YAAY,EACZ,UAAU,EACV,uBAAuB,EACvB,aAAa,EACb,aAAa,EACb,oBAAoB,EACpB,kBAAkB,EAClB,kBAAkB,GACnB,MAAM,YAAY,CAAC;AACpB,OAAO,EAAE,oBAAoB,EAAE,KAAK,wBAAwB,EAAE,MAAM,aAAa,CAAC;AAClF,OAAO,EACL,qBAAqB,EACrB,cAAc,EACd,qBAAqB,EACrB,uBAAuB,EACvB,eAAe,EACf,aAAa,EACb,YAAY,EACZ,YAAY,EACZ,YAAY,EACZ,eAAe,EACf,yBAAyB,GAC1B,MAAM,YAAY,CAAC;AACpB,OAAO,EAAE,2BAA2B,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAC3F,OAAO,EAAE,YAAY,EAAE,KAAK,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AAC1E,OAAO,EACL,WAAW,EACX,wBAAwB,EACxB,KAAK,qBAAqB,EAC1B,KAAK,kBAAkB,GACxB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EACL,eAAe,EACf,gBAAgB,EAChB,WAAW,EACX,YAAY,EACZ,KAAK,sBAAsB,EAC3B,KAAK,uBAAuB,EAC5B,KAAK,kBAAkB,EACvB,KAAK,mBAAmB,GACzB,MAAM,oCAAoC,CAAC;AAC5C,OAAO,EACL,wCAAwC,EACxC,qBAAqB,EACrB,KAAK,mBAAmB,EACxB,KAAK,uBAAuB,EAC5B,KAAK,gBAAgB,EACrB,mCAAmC,GACpC,MAAM,yBAAyB,CAAC;AACjC,OAAO,EACL,sCAAsC,EACtC,0BAA0B,EAC1B,2BAA2B,EAC3B,KAAK,oCAAoC,EACzC,KAAK,4BAA4B,EACjC,KAAK,2BAA2B,EAChC,KAAK,cAAc,EACnB,KAAK,wBAAwB,EAC7B,KAAK,uBAAuB,EAC5B,KAAK,4BAA4B,EACjC,KAAK,0BAA0B,GAChC,MAAM,uBAAuB,CAAC;AAG/B,OAAO,EAEL,KAAK,QAAQ,EACb,KAAK,uBAAuB,IAAI,sBAAsB,EACtD,KAAK,yBAAyB,EAC9B,KAAK,iBAAiB,EACtB,KAAK,4BAA4B,IAAI,qBAAqB,EAC1D,KAAK,0BAA0B,EAC/B,KAAK,wBAAwB,EAE7B,aAAa,EACb,gBAAgB,EAChB,SAAS,EACT,mBAAmB,EACnB,mBAAmB,EACnB,aAAa,EACb,WAAW,EACX,eAAe,EACf,MAAM,EAEN,4BAA4B,EAC5B,wBAAwB,EACxB,uBAAuB,EAEvB,6BAA6B,EAC7B,gBAAgB,EAChB,2BAA2B,EAC3B,uBAAuB,EACvB,sBAAsB,GACvB,MAAM,6BAA6B,CAAC;AAErC,MAAM,WAAW,sBAAsB;IACrC,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,YAAY,CAAC,EAAE,eAAe,GAAG,YAAY,CAAC;CAC/C;AAED,qBAAa,eAAe;IAC1B,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IACjC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAS;IACnC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;IACpC,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAS;IAC1C,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAiC;gBAElD,OAAO,EAAE,sBAAsB;IAQrC,SAAS,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,qBAAqB,CAAC;CAoE3E"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EACL,KAAK,qBAAqB,EAC1B,KAAK,gBAAgB,EAGtB,MAAM,YAAY,CAAC;AAEpB,YAAY,EACV,aAAa,EACb,UAAU,EACV,qBAAqB,EACrB,oBAAoB,EACpB,mBAAmB,EACnB,gBAAgB,EAChB,qBAAqB,EACrB,aAAa,EACb,YAAY,EACZ,UAAU,EACV,YAAY,EACZ,UAAU,EACV,uBAAuB,EACvB,aAAa,EACb,aAAa,EACb,oBAAoB,EACpB,kBAAkB,EAClB,kBAAkB,GACnB,MAAM,YAAY,CAAC;AACpB,OAAO,EAAE,oBAAoB,EAAE,KAAK,wBAAwB,EAAE,MAAM,aAAa,CAAC;AAClF,OAAO,EACL,qBAAqB,EACrB,cAAc,EACd,qBAAqB,EACrB,uBAAuB,EACvB,eAAe,EACf,aAAa,EACb,YAAY,EACZ,YAAY,EACZ,YAAY,EACZ,eAAe,EACf,yBAAyB,GAC1B,MAAM,YAAY,CAAC;AACpB,OAAO,EAAE,2BAA2B,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAC3F,OAAO,EAAE,YAAY,EAAE,KAAK,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AAC1E,OAAO,EACL,WAAW,EACX,wBAAwB,EACxB,KAAK,qBAAqB,EAC1B,KAAK,kBAAkB,GACxB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EACL,eAAe,EACf,gBAAgB,EAChB,WAAW,EACX,YAAY,EACZ,KAAK,sBAAsB,EAC3B,KAAK,uBAAuB,EAC5B,KAAK,kBAAkB,EACvB,KAAK,mBAAmB,GACzB,MAAM,oCAAoC,CAAC;AAC5C,OAAO,EACL,wCAAwC,EACxC,qBAAqB,EACrB,KAAK,mBAAmB,EACxB,KAAK,uBAAuB,EAC5B,KAAK,gBAAgB,EACrB,mCAAmC,GACpC,MAAM,yBAAyB,CAAC;AACjC,OAAO,EACL,sCAAsC,EACtC,0BAA0B,EAC1B,2BAA2B,EAC3B,KAAK,oCAAoC,EACzC,KAAK,4BAA4B,EACjC,KAAK,2BAA2B,EAChC,KAAK,cAAc,EACnB,KAAK,wBAAwB,EAC7B,KAAK,uBAAuB,EAC5B,KAAK,4BAA4B,EACjC,KAAK,0BAA0B,GAChC,MAAM,uBAAuB,CAAC;AAG/B,OAAO,EAEL,KAAK,YAAY,EACjB,KAAK,iBAAiB,EACtB,KAAK,YAAY,EACjB,KAAK,WAAW,EAChB,KAAK,eAAe,EACpB,KAAK,YAAY,EACjB,KAAK,UAAU,EACf,KAAK,eAAe,EAEpB,KAAK,eAAe,EACpB,KAAK,mBAAmB,EACxB,KAAK,cAAc,EACnB,KAAK,yBAAyB,EAC9B,KAAK,0BAA0B,EAC/B,KAAK,yBAAyB,EAC9B,KAAK,aAAa,EAClB,KAAK,YAAY,EACjB,KAAK,oBAAoB,EACzB,KAAK,eAAe,EACpB,KAAK,eAAe,EAEpB,eAAe,EACf,gBAAgB,EAChB,4BAA4B,EAC5B,cAAc,EACd,aAAa,EACb,iBAAiB,EACjB,cAAc,EACd,YAAY,EAEZ,YAAY,EACZ,iBAAiB,EACjB,cAAc,EAEd,QAAQ,GACT,MAAM,mBAAmB,CAAC;AAG3B,OAAO,EAEL,KAAK,QAAQ,EACb,KAAK,uBAAuB,IAAI,sBAAsB,EACtD,KAAK,yBAAyB,EAC9B,KAAK,iBAAiB,EACtB,KAAK,4BAA4B,IAAI,qBAAqB,EAC1D,KAAK,0BAA0B,EAC/B,KAAK,wBAAwB,EAE7B,aAAa,EACb,gBAAgB,EAChB,SAAS,EACT,mBAAmB,EACnB,mBAAmB,EACnB,aAAa,EACb,WAAW,EACX,eAAe,EACf,MAAM,EAEN,4BAA4B,EAC5B,wBAAwB,EACxB,uBAAuB,EAEvB,6BAA6B,EAC7B,gBAAgB,EAChB,2BAA2B,EAC3B,uBAAuB,EACvB,sBAAsB,GACvB,MAAM,6BAA6B,CAAC;AAErC,MAAM,WAAW,sBAAsB;IACrC,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,YAAY,CAAC,EAAE,eAAe,GAAG,YAAY,CAAC;CAC/C;AAED,qBAAa,eAAe;IAC1B,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IACjC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAS;IACnC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;IACpC,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAS;IAC1C,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAiC;gBAElD,OAAO,EAAE,sBAAsB;IAQrC,SAAS,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,qBAAqB,CAAC;CAoE3E"}

package/dist/index.js

@@ -8,6 +8,14 @@ export { ActionGuard, AuthorizationDeniedError, } from "./guard/action-guard.js"
 export { guardedFileRead, guardedFileWrite, guardedHttp, guardedShell, } from "./wrappers/sensitive-operations.js";
 export { buildWebStateEvidenceFromRuntimeSnapshot, buildWebStateEvidence, webStateSnapshotFromRuntimeSnapshot, } from "./evidence/web-state.js";
 export { buildDesktopAccessibilityStateEvidence, buildTerminalStateEvidence, collectVerificationEvidence, } from "./evidence/non-web.js";
+// Post-execution verification module
+export { 
+// Type guards and helpers
+getEvidenceType, isMandateDetails, isRecordVerificationResponse, isFileEvidence, isCliEvidence, isBrowserEvidence, isHttpEvidence, isDbEvidence, 
+// Comparators
+actionsMatch, normalizeResource, resourcesMatch, 
+// Verifier class
+Verifier, } from "./verify/index.js";
 // Canonicalization module for reproducible state hashes
 export { 
 // Utility functions

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AACnD,OAAO,EAGL,uBAAuB,EACvB,yBAAyB,GAC1B,MAAM,YAAY,CAAC;AAsBpB,OAAO,EAAE,oBAAoB,EAAiC,MAAM,aAAa,CAAC;AAClF,OAAO,EACL,qBAAqB,EACrB,cAAc,EACd,qBAAqB,EACrB,uBAAuB,EACvB,eAAe,EACf,aAAa,EACb,YAAY,EACZ,YAAY,EACZ,YAAY,EACZ,eAAe,EACf,yBAAyB,GAC1B,MAAM,YAAY,CAAC;AACpB,OAAO,EAAE,2BAA2B,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAC3F,OAAO,EAAE,YAAY,EAA0B,MAAM,oBAAoB,CAAC;AAC1E,OAAO,EACL,WAAW,EACX,wBAAwB,GAGzB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EACL,eAAe,EACf,gBAAgB,EAChB,WAAW,EACX,YAAY,GAKb,MAAM,oCAAoC,CAAC;AAC5C,OAAO,EACL,wCAAwC,EACxC,qBAAqB,EAIrB,mCAAmC,GACpC,MAAM,yBAAyB,CAAC;AACjC,OAAO,EACL,sCAAsC,EACtC,0BAA0B,EAC1B,2BAA2B,GAS5B,MAAM,uBAAuB,CAAC;AAE/B,wDAAwD;AACxD,OAAO;AASL,oBAAoB;AACpB,aAAa,EACb,gBAAgB,EAChB,SAAS,EACT,mBAAmB,EACnB,mBAAmB,EACnB,aAAa,EACb,WAAW,EACX,eAAe,EACf,MAAM;AACN,4BAA4B;AAC5B,4BAA4B,EAC5B,wBAAwB,EACxB,uBAAuB;AACvB,2BAA2B;AAC3B,6BAA6B,EAC7B,gBAAgB,EAChB,2BAA2B,EAC3B,uBAAuB,EACvB,sBAAsB,GACvB,MAAM,6BAA6B,CAAC;AAUrC,MAAM,OAAO,eAAe;IACT,OAAO,CAAS;IAChB,SAAS,CAAS;IAClB,UAAU,CAAS;IACnB,gBAAgB,CAAS;IACzB,YAAY,CAAiC;IAE9D,YAAY,OAA+B;QACzC,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;QACnD,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,IAAI,CAAC;QAC3C,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,CAAC,CAAC;QAC1C,IAAI,CAAC,gBAAgB,GAAG,OAAO,CAAC,gBAAgB,IAAI,GAAG,CAAC;QACxD,IAAI,CAAC,YAAY,GAAG,OAAO,CAAC,YAAY,IAAI,eAAe,CAAC;IAC9D,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,OAAyB;QACvC,MAAM,WAAW,GAAG,yBAAyB,CAAC,OAAO,CAAC,CAAC;QACvD,MAAM,QAAQ,GAAG,IAAI,CAAC,UAAU,GAAG,CAAC,CAAC;QAErC,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,QAAQ,EAAE,OAAO,IAAI,CAAC,EAAE,CAAC;YACvD,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;YACzC,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC;YACnE,IAAI,CAAC;gBACH,IAAI,QAAkB,CAAC;gBACvB,IAAI,CAAC;oBACH,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,YAAY,EAAE,EAAE;wBAC5D,MAAM,EAAE,MAAM;wBACd,OAAO,EAAE;4BACP,cAAc,EAAE,kBAAkB;yBACnC;wBACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC;wBACjC,MAAM,EAAE,UAAU,CAAC,MAAM;qBAC1B,CAAC,CAAC;gBACL,CAAC;gBAAC,OAAO,KAAK,EAAE,CAAC;oBACf,IAAI,OAAO,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;wBAC9B,MAAM,KAAK,CAAC,IAAI,CAAC,gBAAgB,GAAG,CAAC,OAAO,GAAG,CAAC,CAAC,CAAC,CAAC;wBACnD,SAAS;oBACX,CAAC;oBACD,IAAI,KAAK,YAAY,KAAK,IAAI,KAAK,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;wBAC1D,MAAM,IAAI,oBAAoB,CAAC,6BAA6B,EAAE;4BAC5D,IAAI,EAAE,SAAS;4BACf,KAAK,EAAE,KAAK;yBACb,CAAC,CAAC;oBACL,CAAC;oBACD,MAAM,IAAI,oBAAoB,CAAC,0CAA0C,EAAE;wBACzE,IAAI,EAAE,eAAe;wBACrB,KAAK,EAAE,KAAK;qBACb,CAAC,CAAC;gBACL,CAAC;gBAED,MAAM,OAAO,GAAG,MAAM,eAAe,CAAC,QAAQ,CAAC,CAAC;gBAEhD,2EAA2E;gBAC3E,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,IAAI,uBAAuB,CAAC,OAAO,CAAC,EAAE,CAAC;oBAChE,OAAO,OAAO,CAAC;gBACjB,CAAC;gBAED,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;oBACjB,IAAI,QAAQ,CAAC,MAAM,IAAI,GAAG,IAAI,OAAO,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;wBACxD,MAAM,KAAK,CAAC,IAAI,CAAC,gBAAgB,GAAG,CAAC,OAAO,GAAG,CAAC,CAAC,CAAC,CAAC;wBACnD,SAAS;oBACX,CAAC;oBACD,MAAM,YAAY,CAAC,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;gBAC/C,CAAC;gBAED,IAAI,CAAC,uBAAuB,CAAC,OAAO,CAAC,EAAE,CAAC;oBACtC,MAAM,IAAI,oBAAoB,CAAC,oCAAoC,EAAE;wBACnE,IAAI,EAAE,gBAAgB;wBACtB,MAAM,EAAE,QAAQ,CAAC,MAAM;wBACvB,OAAO,EAAE,OAAO;qBACjB,CAAC,CAAC;gBACL,CAAC;gBAED,OAAO,OAAO,CAAC;YACjB,CAAC;oBAAS,CAAC;gBACT,YAAY,CAAC,KAAK,CAAC,CAAC;YACtB,CAAC;QACH,CAAC;QAED,MAAM,IAAI,oBAAoB,CAAC,0CAA0C,EAAE;YACzE,IAAI,EAAE,eAAe;SACtB,CAAC,CAAC;IACL,CAAC;CACF;AAED,SAAS,KAAK,CAAC,EAAU;IACvB,IAAI,EAAE,IAAI,CAAC,EAAE,CAAC;QACZ,OAAO,OAAO,CAAC,OAAO,EAAE,CAAC;IAC3B,CAAC;IACD,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;QAC7B,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;IAC1B,CAAC,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,eAAe,CAAC,QAAkB;IAC/C,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IACnC,IAAI,IAAI,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;QACvB,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAY,CAAC;IACrC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,IAAI,oBAAoB,CAAC,0CAA0C,EAAE;YACzE,IAAI,EAAE,gBAAgB;YACtB,MAAM,EAAE,QAAQ,CAAC,MAAM;YACvB,OAAO,EAAE,IAAI;YACb,KAAK,EAAE,KAAK;SACb,CAAC,CAAC;IACL,CAAC;AACH,CAAC;AAED,SAAS,YAAY,CAAC,MAAc,EAAE,OAAgB;IACpD,MAAM,OAAO,GAAG,mBAAmB,CAAC,OAAO,CAAC,IAAI,oBAAoB,MAAM,EAAE,CAAC;IAC7E,IAAI,MAAM,KAAK,GAAG,EAAE,CAAC;QACnB,OAAO,IAAI,oBAAoB,CAAC,OAAO,EAAE,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC;IAC9F,CAAC;IACD,IAAI,MAAM,KAAK,GAAG,EAAE,CAAC;QACnB,OAAO,IAAI,oBAAoB,CAAC,OAAO,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC;IAC/F,CAAC;IACD,IAAI,MAAM,KAAK,GAAG,EAAE,CAAC;QACnB,OAAO,IAAI,oBAAoB,CAAC,OAAO,EAAE,EAAE,IAAI,EAAE,WAAW,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC;IAC5F,CAAC;IACD,IAAI,MAAM,IAAI,GAAG,EAAE,CAAC;QAClB,OAAO,IAAI,oBAAoB,CAAC,OAAO,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC;IAC/F,CAAC;IACD,OAAO,IAAI,oBAAoB,CAAC,OAAO,EAAE,EAAE,IAAI,EAAE,gBAAgB,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC;AACjG,CAAC;AAED,SAAS,mBAAmB,CAAC,OAAgB;IAC3C,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,KAAK,IAAI,EAAE,CAAC;QACpD,OAAO,IAAI,CAAC;IACd,CAAC;IACD,MAAM,GAAG,GAAG,OAAkC,CAAC;IAC/C,IAAI,OAAO,GAAG,CAAC,KAAK,KAAK,QAAQ,IAAI,GAAG,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;QAC7D,OAAO,GAAG,CAAC,KAAK,CAAC;IACnB,CAAC;IACD,IAAI,OAAO,GAAG,CAAC,MAAM,KAAK,QAAQ,IAAI,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;QAC/D,OAAO,GAAG,CAAC,MAAM,CAAC;IACpB,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AACnD,OAAO,EAGL,uBAAuB,EACvB,yBAAyB,GAC1B,MAAM,YAAY,CAAC;AAsBpB,OAAO,EAAE,oBAAoB,EAAiC,MAAM,aAAa,CAAC;AAClF,OAAO,EACL,qBAAqB,EACrB,cAAc,EACd,qBAAqB,EACrB,uBAAuB,EACvB,eAAe,EACf,aAAa,EACb,YAAY,EACZ,YAAY,EACZ,YAAY,EACZ,eAAe,EACf,yBAAyB,GAC1B,MAAM,YAAY,CAAC;AACpB,OAAO,EAAE,2BAA2B,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAC3F,OAAO,EAAE,YAAY,EAA0B,MAAM,oBAAoB,CAAC;AAC1E,OAAO,EACL,WAAW,EACX,wBAAwB,GAGzB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EACL,eAAe,EACf,gBAAgB,EAChB,WAAW,EACX,YAAY,GAKb,MAAM,oCAAoC,CAAC;AAC5C,OAAO,EACL,wCAAwC,EACxC,qBAAqB,EAIrB,mCAAmC,GACpC,MAAM,yBAAyB,CAAC;AACjC,OAAO,EACL,sCAAsC,EACtC,0BAA0B,EAC1B,2BAA2B,GAS5B,MAAM,uBAAuB,CAAC;AAE/B,qCAAqC;AACrC,OAAO;AAsBL,0BAA0B;AAC1B,eAAe,EACf,gBAAgB,EAChB,4BAA4B,EAC5B,cAAc,EACd,aAAa,EACb,iBAAiB,EACjB,cAAc,EACd,YAAY;AACZ,cAAc;AACd,YAAY,EACZ,iBAAiB,EACjB,cAAc;AACd,iBAAiB;AACjB,QAAQ,GACT,MAAM,mBAAmB,CAAC;AAE3B,wDAAwD;AACxD,OAAO;AASL,oBAAoB;AACpB,aAAa,EACb,gBAAgB,EAChB,SAAS,EACT,mBAAmB,EACnB,mBAAmB,EACnB,aAAa,EACb,WAAW,EACX,eAAe,EACf,MAAM;AACN,4BAA4B;AAC5B,4BAA4B,EAC5B,wBAAwB,EACxB,uBAAuB;AACvB,2BAA2B;AAC3B,6BAA6B,EAC7B,gBAAgB,EAChB,2BAA2B,EAC3B,uBAAuB,EACvB,sBAAsB,GACvB,MAAM,6BAA6B,CAAC;AAUrC,MAAM,OAAO,eAAe;IACT,OAAO,CAAS;IAChB,SAAS,CAAS;IAClB,UAAU,CAAS;IACnB,gBAAgB,CAAS;IACzB,YAAY,CAAiC;IAE9D,YAAY,OAA+B;QACzC,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;QACnD,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,IAAI,CAAC;QAC3C,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,CAAC,CAAC;QAC1C,IAAI,CAAC,gBAAgB,GAAG,OAAO,CAAC,gBAAgB,IAAI,GAAG,CAAC;QACxD,IAAI,CAAC,YAAY,GAAG,OAAO,CAAC,YAAY,IAAI,eAAe,CAAC;IAC9D,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,OAAyB;QACvC,MAAM,WAAW,GAAG,yBAAyB,CAAC,OAAO,CAAC,CAAC;QACvD,MAAM,QAAQ,GAAG,IAAI,CAAC,UAAU,GAAG,CAAC,CAAC;QAErC,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,QAAQ,EAAE,OAAO,IAAI,CAAC,EAAE,CAAC;YACvD,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;YACzC,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC;YACnE,IAAI,CAAC;gBACH,IAAI,QAAkB,CAAC;gBACvB,IAAI,CAAC;oBACH,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,YAAY,EAAE,EAAE;wBAC5D,MAAM,EAAE,MAAM;wBACd,OAAO,EAAE;4BACP,cAAc,EAAE,kBAAkB;yBACnC;wBACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC;wBACjC,MAAM,EAAE,UAAU,CAAC,MAAM;qBAC1B,CAAC,CAAC;gBACL,CAAC;gBAAC,OAAO,KAAK,EAAE,CAAC;oBACf,IAAI,OAAO,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;wBAC9B,MAAM,KAAK,CAAC,IAAI,CAAC,gBAAgB,GAAG,CAAC,OAAO,GAAG,CAAC,CAAC,CAAC,CAAC;wBACnD,SAAS;oBACX,CAAC;oBACD,IAAI,KAAK,YAAY,KAAK,IAAI,KAAK,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;wBAC1D,MAAM,IAAI,oBAAoB,CAAC,6BAA6B,EAAE;4BAC5D,IAAI,EAAE,SAAS;4BACf,KAAK,EAAE,KAAK;yBACb,CAAC,CAAC;oBACL,CAAC;oBACD,MAAM,IAAI,oBAAoB,CAAC,0CAA0C,EAAE;wBACzE,IAAI,EAAE,eAAe;wBACrB,KAAK,EAAE,KAAK;qBACb,CAAC,CAAC;gBACL,CAAC;gBAED,MAAM,OAAO,GAAG,MAAM,eAAe,CAAC,QAAQ,CAAC,CAAC;gBAEhD,2EAA2E;gBAC3E,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,IAAI,uBAAuB,CAAC,OAAO,CAAC,EAAE,CAAC;oBAChE,OAAO,OAAO,CAAC;gBACjB,CAAC;gBAED,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;oBACjB,IAAI,QAAQ,CAAC,MAAM,IAAI,GAAG,IAAI,OAAO,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;wBACxD,MAAM,KAAK,CAAC,IAAI,CAAC,gBAAgB,GAAG,CAAC,OAAO,GAAG,CAAC,CAAC,CAAC,CAAC;wBACnD,SAAS;oBACX,CAAC;oBACD,MAAM,YAAY,CAAC,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;gBAC/C,CAAC;gBAED,IAAI,CAAC,uBAAuB,CAAC,OAAO,CAAC,EAAE,CAAC;oBACtC,MAAM,IAAI,oBAAoB,CAAC,oCAAoC,EAAE;wBACnE,IAAI,EAAE,gBAAgB;wBACtB,MAAM,EAAE,QAAQ,CAAC,MAAM;wBACvB,OAAO,EAAE,OAAO;qBACjB,CAAC,CAAC;gBACL,CAAC;gBAED,OAAO,OAAO,CAAC;YACjB,CAAC;oBAAS,CAAC;gBACT,YAAY,CAAC,KAAK,CAAC,CAAC;YACtB,CAAC;QACH,CAAC;QAED,MAAM,IAAI,oBAAoB,CAAC,0CAA0C,EAAE;YACzE,IAAI,EAAE,eAAe;SACtB,CAAC,CAAC;IACL,CAAC;CACF;AAED,SAAS,KAAK,CAAC,EAAU;IACvB,IAAI,EAAE,IAAI,CAAC,EAAE,CAAC;QACZ,OAAO,OAAO,CAAC,OAAO,EAAE,CAAC;IAC3B,CAAC;IACD,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;QAC7B,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;IAC1B,CAAC,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,eAAe,CAAC,QAAkB;IAC/C,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IACnC,IAAI,IAAI,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;QACvB,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAY,CAAC;IACrC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,IAAI,oBAAoB,CAAC,0CAA0C,EAAE;YACzE,IAAI,EAAE,gBAAgB;YACtB,MAAM,EAAE,QAAQ,CAAC,MAAM;YACvB,OAAO,EAAE,IAAI;YACb,KAAK,EAAE,KAAK;SACb,CAAC,CAAC;IACL,CAAC;AACH,CAAC;AAED,SAAS,YAAY,CAAC,MAAc,EAAE,OAAgB;IACpD,MAAM,OAAO,GAAG,mBAAmB,CAAC,OAAO,CAAC,IAAI,oBAAoB,MAAM,EAAE,CAAC;IAC7E,IAAI,MAAM,KAAK,GAAG,EAAE,CAAC;QACnB,OAAO,IAAI,oBAAoB,CAAC,OAAO,EAAE,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC;IAC9F,CAAC;IACD,IAAI,MAAM,KAAK,GAAG,EAAE,CAAC;QACnB,OAAO,IAAI,oBAAoB,CAAC,OAAO,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC;IAC/F,CAAC;IACD,IAAI,MAAM,KAAK,GAAG,EAAE,CAAC;QACnB,OAAO,IAAI,oBAAoB,CAAC,OAAO,EAAE,EAAE,IAAI,EAAE,WAAW,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC;IAC5F,CAAC;IACD,IAAI,MAAM,IAAI,GAAG,EAAE,CAAC;QAClB,OAAO,IAAI,oBAAoB,CAAC,OAAO,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC;IAC/F,CAAC;IACD,OAAO,IAAI,oBAAoB,CAAC,OAAO,EAAE,EAAE,IAAI,EAAE,gBAAgB,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC;AACjG,CAAC;AAED,SAAS,mBAAmB,CAAC,OAAgB;IAC3C,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,KAAK,IAAI,EAAE,CAAC;QACpD,OAAO,IAAI,CAAC;IACd,CAAC;IACD,MAAM,GAAG,GAAG,OAAkC,CAAC;IAC/C,IAAI,OAAO,GAAG,CAAC,KAAK,KAAK,QAAQ,IAAI,GAAG,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;QAC7D,OAAO,GAAG,CAAC,KAAK,CAAC;IACnB,CAAC;IACD,IAAI,OAAO,GAAG,CAAC,MAAM,KAAK,QAAQ,IAAI,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;QAC/D,OAAO,GAAG,CAAC,MAAM,CAAC;IACpB,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/verify/comparators.d.ts

@@ -0,0 +1,52 @@
+/**
+ * Resource comparison functions for post-execution verification.
+ *
+ * These functions compare authorized resources against actual resources,
+ * handling path normalization and glob pattern matching.
+ */
+/**
+ * Options for resource matching.
+ */
+export interface ResourceMatchOptions {
+    /** Enable glob pattern matching for authorized resource */
+    allowGlob?: boolean;
+}
+/**
+ * Normalize a resource path for comparison.
+ *
+ * Applies the following transformations:
+ * - Expands ~ to home directory
+ * - Collapses multiple slashes
+ * - Removes ./ segments
+ * - Removes trailing slashes
+ * - Resolves . and ..
+ *
+ * @param resource - Resource path to normalize
+ * @returns Normalized path
+ */
+export declare function normalizeResource(resource: string): string;
+/**
+ * Check if an actual resource matches an authorized resource.
+ *
+ * Handles:
+ * - Path normalization (~ expansion, . and .., etc.)
+ * - Optional glob pattern matching (* wildcards)
+ *
+ * @param authorized - Resource from the mandate (may contain glob patterns)
+ * @param actual - Resource that was actually accessed
+ * @param options - Matching options
+ * @returns True if resources match
+ */
+export declare function resourcesMatch(authorized: string, actual: string, options?: ResourceMatchOptions): boolean;
+/**
+ * Check if an actual action matches an authorized action.
+ *
+ * Actions are compared case-sensitively after trimming whitespace.
+ * Supports glob patterns in the authorized action.
+ *
+ * @param authorized - Action from the mandate (may contain glob patterns)
+ * @param actual - Action that was actually performed
+ * @returns True if actions match
+ */
+export declare function actionsMatch(authorized: string, actual: string): boolean;
+//# sourceMappingURL=comparators.d.ts.map

package/dist/verify/comparators.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"comparators.d.ts","sourceRoot":"","sources":["../../src/verify/comparators.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAKH;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,2DAA2D;IAC3D,SAAS,CAAC,EAAE,OAAO,CAAC;CACrB;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CA+B1D;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,cAAc,CAC5B,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE,MAAM,EACd,OAAO,GAAE,oBAAyB,GACjC,OAAO,CAkBT;AAED;;;;;;;;;GASG;AACH,wBAAgB,YAAY,CAAC,UAAU,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAexE"}

package/dist/verify/comparators.js

@@ -0,0 +1,100 @@
+/**
+ * Resource comparison functions for post-execution verification.
+ *
+ * These functions compare authorized resources against actual resources,
+ * handling path normalization and glob pattern matching.
+ */
+import { normalizePath } from "../canonicalization/utils.js";
+import { globMatch } from "../policy/matching.js";
+/**
+ * Normalize a resource path for comparison.
+ *
+ * Applies the following transformations:
+ * - Expands ~ to home directory
+ * - Collapses multiple slashes
+ * - Removes ./ segments
+ * - Removes trailing slashes
+ * - Resolves . and ..
+ *
+ * @param resource - Resource path to normalize
+ * @returns Normalized path
+ */
+export function normalizeResource(resource) {
+    // Use existing normalizePath for filesystem paths
+    if (resource.startsWith("/") || resource.startsWith("~") || resource.startsWith(".")) {
+        let normalized = normalizePath(resource);
+        // normalizePath doesn't strip trailing slashes, so we do it here
+        if (normalized.length > 1 && normalized.endsWith("/")) {
+            normalized = normalized.slice(0, -1);
+        }
+        return normalized;
+    }
+    // For URLs, handle protocol specially
+    const urlMatch = resource.match(/^([a-zA-Z][a-zA-Z0-9+.-]*:\/\/)/);
+    if (urlMatch) {
+        const protocol = urlMatch[1]; // e.g., "https://"
+        const rest = resource.slice(protocol.length);
+        // Normalize the rest (collapse slashes, remove ./, remove trailing /)
+        const normalized = rest
+            .replace(/\/+/g, "/") // Collapse multiple slashes
+            .replace(/\/\.\//g, "/") // Remove ./
+            .replace(/\/$/g, ""); // Remove trailing slash
+        return protocol + normalized;
+    }
+    // For other non-path resources, do basic cleanup
+    return resource
+        .replace(/\/+/g, "/") // Collapse multiple slashes
+        .replace(/\/\.\//g, "/") // Remove ./
+        .replace(/\/$/g, ""); // Remove trailing slash
+}
+/**
+ * Check if an actual resource matches an authorized resource.
+ *
+ * Handles:
+ * - Path normalization (~ expansion, . and .., etc.)
+ * - Optional glob pattern matching (* wildcards)
+ *
+ * @param authorized - Resource from the mandate (may contain glob patterns)
+ * @param actual - Resource that was actually accessed
+ * @param options - Matching options
+ * @returns True if resources match
+ */
+export function resourcesMatch(authorized, actual, options = {}) {
+    const { allowGlob = true } = options;
+    // Normalize both resources
+    const normalizedAuth = normalizeResource(authorized);
+    const normalizedActual = normalizeResource(actual);
+    // Exact match after normalization
+    if (normalizedAuth === normalizedActual) {
+        return true;
+    }
+    // Glob pattern match (if enabled and authorized resource contains wildcards)
+    if (allowGlob && authorized.includes("*")) {
+        return globMatch(normalizedActual, authorized);
+    }
+    return false;
+}
+/**
+ * Check if an actual action matches an authorized action.
+ *
+ * Actions are compared case-sensitively after trimming whitespace.
+ * Supports glob patterns in the authorized action.
+ *
+ * @param authorized - Action from the mandate (may contain glob patterns)
+ * @param actual - Action that was actually performed
+ * @returns True if actions match
+ */
+export function actionsMatch(authorized, actual) {
+    const normalizedAuth = authorized.trim();
+    const normalizedActual = actual.trim();
+    // Exact match
+    if (normalizedAuth === normalizedActual) {
+        return true;
+    }
+    // Glob pattern match (e.g., "fs.*" matches "fs.read")
+    if (authorized.includes("*")) {
+        return globMatch(normalizedActual, authorized);
+    }
+    return false;
+}
+//# sourceMappingURL=comparators.js.map

package/dist/verify/comparators.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"comparators.js","sourceRoot":"","sources":["../../src/verify/comparators.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,aAAa,EAAE,MAAM,8BAA8B,CAAC;AAC7D,OAAO,EAAE,SAAS,EAAE,MAAM,uBAAuB,CAAC;AAUlD;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,iBAAiB,CAAC,QAAgB;IAChD,kDAAkD;IAClD,IAAI,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QACrF,IAAI,UAAU,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAC;QACzC,iEAAiE;QACjE,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,IAAI,UAAU,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YACtD,UAAU,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QACvC,CAAC;QACD,OAAO,UAAU,CAAC;IACpB,CAAC;IAED,sCAAsC;IACtC,MAAM,QAAQ,GAAG,QAAQ,CAAC,KAAK,CAAC,iCAAiC,CAAC,CAAC;IACnE,IAAI,QAAQ,EAAE,CAAC;QACb,MAAM,QAAQ,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,mBAAmB;QACjD,MAAM,IAAI,GAAG,QAAQ,CAAC,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QAE7C,sEAAsE;QACtE,MAAM,UAAU,GAAG,IAAI;aACpB,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC,4BAA4B;aACjD,OAAO,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC,YAAY;aACpC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,CAAC,wBAAwB;QAEhD,OAAO,QAAQ,GAAG,UAAU,CAAC;IAC/B,CAAC;IAED,iDAAiD;IACjD,OAAO,QAAQ;SACZ,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC,4BAA4B;SACjD,OAAO,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC,YAAY;SACpC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,CAAC,wBAAwB;AAClD,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,cAAc,CAC5B,UAAkB,EAClB,MAAc,EACd,UAAgC,EAAE;IAElC,MAAM,EAAE,SAAS,GAAG,IAAI,EAAE,GAAG,OAAO,CAAC;IAErC,2BAA2B;IAC3B,MAAM,cAAc,GAAG,iBAAiB,CAAC,UAAU,CAAC,CAAC;IACrD,MAAM,gBAAgB,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;IAEnD,kCAAkC;IAClC,IAAI,cAAc,KAAK,gBAAgB,EAAE,CAAC;QACxC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,6EAA6E;IAC7E,IAAI,SAAS,IAAI,UAAU,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QAC1C,OAAO,SAAS,CAAC,gBAAgB,EAAE,UAAU,CAAC,CAAC;IACjD,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,YAAY,CAAC,UAAkB,EAAE,MAAc;IAC7D,MAAM,cAAc,GAAG,UAAU,CAAC,IAAI,EAAE,CAAC;IACzC,MAAM,gBAAgB,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC;IAEvC,cAAc;IACd,IAAI,cAAc,KAAK,gBAAgB,EAAE,CAAC;QACxC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,sDAAsD;IACtD,IAAI,UAAU,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QAC7B,OAAO,SAAS,CAAC,gBAAgB,EAAE,UAAU,CAAC,CAAC;IACjD,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/verify/index.d.ts

@@ -0,0 +1,34 @@
+/**
+ * Post-execution verification module.
+ *
+ * This module provides verification capability to compare actual operations
+ * against what was authorized via a mandate, detecting unauthorized deviations.
+ *
+ * @example
+ * ```typescript
+ * import { Verifier } from '@predicatesystems/authority';
+ *
+ * const verifier = new Verifier({ baseUrl: 'http://127.0.0.1:8787' });
+ *
+ * // After executing an authorized operation
+ * const result = await verifier.verify({
+ *   mandateId: decision.mandate_id,
+ *   actual: {
+ *     action: 'fs.read',
+ *     resource: '/src/index.ts',
+ *   },
+ * });
+ *
+ * if (!result.verified) {
+ *   console.error('Operation mismatch:', result.reason, result.details);
+ * }
+ * ```
+ *
+ * @module verify
+ */
+export type { EvidenceType, ExecutionEvidence, FileEvidence, CliEvidence, BrowserEvidence, HttpEvidence, DbEvidence, GenericEvidence, } from "./types.js";
+export type { ActualOperation, AuthorizedOperation, MandateDetails, RecordVerificationRequest, RecordVerificationResponse, VerificationFailureReason, VerifyRequest, VerifyResult, } from "./types.js";
+export { getEvidenceType, isMandateDetails, isRecordVerificationResponse, isFileEvidence, isCliEvidence, isBrowserEvidence, isHttpEvidence, isDbEvidence, } from "./types.js";
+export { actionsMatch, normalizeResource, resourcesMatch, type ResourceMatchOptions, } from "./comparators.js";
+export { Verifier, type MandateProvider, type VerifierOptions } from "./verifier.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/verify/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/verify/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AAGH,YAAY,EACV,YAAY,EACZ,iBAAiB,EACjB,YAAY,EACZ,WAAW,EACX,eAAe,EACf,YAAY,EACZ,UAAU,EACV,eAAe,GAChB,MAAM,YAAY,CAAC;AAGpB,YAAY,EACV,eAAe,EACf,mBAAmB,EACnB,cAAc,EACd,yBAAyB,EACzB,0BAA0B,EAC1B,yBAAyB,EACzB,aAAa,EACb,YAAY,GACb,MAAM,YAAY,CAAC;AAGpB,OAAO,EACL,eAAe,EACf,gBAAgB,EAChB,4BAA4B,EAC5B,cAAc,EACd,aAAa,EACb,iBAAiB,EACjB,cAAc,EACd,YAAY,GACb,MAAM,YAAY,CAAC;AAGpB,OAAO,EACL,YAAY,EACZ,iBAAiB,EACjB,cAAc,EACd,KAAK,oBAAoB,GAC1B,MAAM,kBAAkB,CAAC;AAG1B,OAAO,EAAE,QAAQ,EAAE,KAAK,eAAe,EAAE,KAAK,eAAe,EAAE,MAAM,eAAe,CAAC"}

package/dist/verify/index.js

@@ -0,0 +1,35 @@
+/**
+ * Post-execution verification module.
+ *
+ * This module provides verification capability to compare actual operations
+ * against what was authorized via a mandate, detecting unauthorized deviations.
+ *
+ * @example
+ * ```typescript
+ * import { Verifier } from '@predicatesystems/authority';
+ *
+ * const verifier = new Verifier({ baseUrl: 'http://127.0.0.1:8787' });
+ *
+ * // After executing an authorized operation
+ * const result = await verifier.verify({
+ *   mandateId: decision.mandate_id,
+ *   actual: {
+ *     action: 'fs.read',
+ *     resource: '/src/index.ts',
+ *   },
+ * });
+ *
+ * if (!result.verified) {
+ *   console.error('Operation mismatch:', result.reason, result.details);
+ * }
+ * ```
+ *
+ * @module verify
+ */
+// Type guards and helpers
+export { getEvidenceType, isMandateDetails, isRecordVerificationResponse, isFileEvidence, isCliEvidence, isBrowserEvidence, isHttpEvidence, isDbEvidence, } from "./types.js";
+// Comparators
+export { actionsMatch, normalizeResource, resourcesMatch, } from "./comparators.js";
+// Verifier
+export { Verifier } from "./verifier.js";
+//# sourceMappingURL=index.js.map

package/dist/verify/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/verify/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AA0BH,0BAA0B;AAC1B,OAAO,EACL,eAAe,EACf,gBAAgB,EAChB,4BAA4B,EAC5B,cAAc,EACd,aAAa,EACb,iBAAiB,EACjB,cAAc,EACd,YAAY,GACb,MAAM,YAAY,CAAC;AAEpB,cAAc;AACd,OAAO,EACL,YAAY,EACZ,iBAAiB,EACjB,cAAc,GAEf,MAAM,kBAAkB,CAAC;AAE1B,WAAW;AACX,OAAO,EAAE,QAAQ,EAA8C,MAAM,eAAe,CAAC"}