@predicatesystems/authority 0.4.0 → 0.4.1
- package/README.md +193 -26
- package/dist/index.d.ts +1 -0
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +8 -0
- package/dist/index.js.map +1 -1
- package/dist/verify/comparators.d.ts +52 -0
- package/dist/verify/comparators.d.ts.map +1 -0
- package/dist/verify/comparators.js +100 -0
- package/dist/verify/comparators.js.map +1 -0
- package/dist/verify/index.d.ts +34 -0
- package/dist/verify/index.d.ts.map +1 -0
- package/dist/verify/index.js +35 -0
- package/dist/verify/index.js.map +1 -0
- package/dist/verify/types.d.ts +290 -0
- package/dist/verify/types.d.ts.map +1 -0
- package/dist/verify/types.js +102 -0
- package/dist/verify/types.js.map +1 -0
- package/dist/verify/verifier.d.ts +102 -0
- package/dist/verify/verifier.d.ts.map +1 -0
- package/dist/verify/verifier.js +347 -0
- package/dist/verify/verifier.js.map +1 -0
- package/package.json +1 -1
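--- a/package/README.md
+++ b/package/README.md
@@ -5,10 +5,29 @@
 [](LICENSE)
 [](https://www.npmjs.com/package/@predicatesystems/authority)
 
+<table>
+<tr>
+<td width="50%" align="center">
+<strong>OpenClaw Agent Tool Calls</strong><br>
+<video src="https://github.com/user-attachments/assets/0fdf1ebb-6044-4288-9613-cd46f98cc284" autoplay loop muted playsinline></video>
+</td>
+<td width="50%" align="center">
+<strong>Temporal Workflows</strong><br>
+<video src="https://github.com/user-attachments/assets/511b6d38-90ab-413e-8af6-a89fc459eea5" autoplay loop muted playsinline></video>
+</td>
+</tr>
+</table>
+
 `@predicatesystems/authority` is the TypeScript SDK for Predicate Authority. It keeps authority
 decisions in the sidecar and gives Node/TS runtimes a thin, typed client for
 fail-closed pre-execution checks.
 
+## 🛡️ Pre-Execution Authorization — Live in Your Terminal
+
+Watch every ALLOW/DENY decision as it happens. No guesswork. No post-mortems. Real-time control over what your agent can and cannot do.
+
+
+
 ## Why Predicate Authority?
 
 Most agent security failures come from over-broad delegated credentials and lack
@@ -48,55 +67,152 @@ This SDK requires the **Predicate Authority Sidecar** daemon to be running. The
 |----------|------|
 | Sidecar Repository | [predicate-authority-sidecar](https://github.com/PredicateSystems/predicate-authority-sidecar) |
 | Download Binaries | [Latest Releases](https://github.com/PredicateSystems/predicate-authority-sidecar/releases) |
+| npm Package | [@predicatesystems/authorityd](https://www.npmjs.com/package/@predicatesystems/authorityd) |
 | License | MIT / Apache 2.0 |
 
 ### Quick Sidecar Setup
 
+**Option A: Install via npm (recommended)**
+
 ```bash
-
-# Linux x64, macOS x64/ARM64, Windows x64 available
+npm install @predicatesystems/authorityd
 
-#
-
-
+# The binary is automatically included for your platform
+# Run with npx:
+npx predicate-authorityd --help
+```
+
+**Option B: Manual download**
+
+```bash
+# Download from GitHub releases for your platform:
+# https://github.com/PredicateSystems/predicate-authority-sidecar/releases
 
-
-
+tar -xzf predicate-authorityd-darwin-arm64.tar.gz # or your platform
+chmod +x predicate-authorityd
 ```
 
-###
+### Running the Sidecar
 
-
+The Rust sidecar uses **global CLI arguments** (before the `run` subcommand) or a **TOML config file**.
 
-
-export PREDICATE_API_KEY="your-api-key"
+**Basic local mode:**
 
-
+```bash
+./predicate-authorityd \
 --host 127.0.0.1 \
 --port 8787 \
---mode
---
-
-
-
-
+--mode local_only \
+--policy-file policy.json \
+run
+```
+
+**Using environment variables:**
+
+```bash
+export PREDICATE_HOST=127.0.0.1
+export PREDICATE_PORT=8787
+export PREDICATE_MODE=local_only
+export PREDICATE_POLICY_FILE=policy.json
+
+./predicate-authorityd run
+```
+
+**Using a config file:**
+
+```bash
+# Generate example config
+./predicate-authorityd init-config --output config.toml
+
+# Run with config
+./predicate-authorityd --config config.toml run
+```
+
+### Sidecar CLI Reference
+
+```
+GLOBAL OPTIONS (use before 'run'):
+-c, --config <FILE> Path to TOML config file [env: PREDICATE_CONFIG]
+--host <HOST> Host to bind to [env: PREDICATE_HOST] [default: 127.0.0.1]
+--port <PORT> Port to bind to [env: PREDICATE_PORT] [default: 8787]
+--mode <MODE> local_only or cloud_connected [env: PREDICATE_MODE]
+--policy-file <PATH> Path to policy JSON [env: PREDICATE_POLICY_FILE]
+--identity-file <PATH> Path to local identity registry [env: PREDICATE_IDENTITY_FILE]
+--log-level <LEVEL> trace, debug, info, warn, error [env: PREDICATE_LOG_LEVEL]
+--control-plane-url <URL> Control-plane URL [env: PREDICATE_CONTROL_PLANE_URL]
+--tenant-id <ID> Tenant ID [env: PREDICATE_TENANT_ID]
+--project-id <ID> Project ID [env: PREDICATE_PROJECT_ID]
+--predicate-api-key <KEY> API key [env: PREDICATE_API_KEY]
+--sync-enabled Enable control-plane sync [env: PREDICATE_SYNC_ENABLED]
+--fail-open Fail open if control-plane unreachable [env: PREDICATE_FAIL_OPEN]
+
+IDENTITY PROVIDER OPTIONS:
+--identity-mode <MODE> local, local-idp, oidc, entra, or okta [env: PREDICATE_IDENTITY_MODE]
+--allow-local-fallback Allow local/local-idp in cloud_connected mode
+--idp-token-ttl-s <SECS> IdP token TTL seconds [default: 300]
+--mandate-ttl-s <SECS> Mandate TTL seconds [default: 300]
+
+LOCAL IDP OPTIONS (for identity-mode=local-idp):
+--local-idp-issuer <URL> Issuer URL [env: LOCAL_IDP_ISSUER]
+--local-idp-audience <AUD> Audience [env: LOCAL_IDP_AUDIENCE]
+--local-idp-signing-key-env <VAR> Env var for signing key [default: LOCAL_IDP_SIGNING_KEY]
+
+OIDC OPTIONS (for identity-mode=oidc):
+--oidc-issuer <URL> Issuer URL [env: OIDC_ISSUER]
+--oidc-client-id <ID> Client ID [env: OIDC_CLIENT_ID]
+--oidc-audience <AUD> Audience [env: OIDC_AUDIENCE]
+
+ENTRA OPTIONS (for identity-mode=entra):
+--entra-tenant-id <ID> Tenant ID [env: ENTRA_TENANT_ID]
+--entra-client-id <ID> Client ID [env: ENTRA_CLIENT_ID]
+--entra-audience <AUD> Audience [env: ENTRA_AUDIENCE]
+
+OKTA OPTIONS (for identity-mode=okta):
+--okta-issuer <URL> Issuer URL [env: OKTA_ISSUER]
+--okta-client-id <ID> Client ID [env: OKTA_CLIENT_ID]
+--okta-audience <AUD> Audience [env: OKTA_AUDIENCE]
+--okta-required-claims Required claims (comma-separated)
+--okta-required-scopes Required scopes (comma-separated)
+--okta-required-roles Required roles/groups (comma-separated)
+--okta-allowed-tenants Allowed tenant IDs (comma-separated)
+
+COMMANDS:
+run Start the daemon (default)
+init-config Generate example config file
+check-config Validate config file
+version Show version info
 ```
 
-###
+### Identity Provider Modes
+
+The sidecar supports multiple identity modes for token validation:
 
-
+- **local** (default): No token validation. Suitable for development.
+- **local-idp**: Self-issued JWT tokens for ephemeral task identities.
+- **oidc**: Generic OIDC provider integration.
+- **entra**: Microsoft Entra ID (Azure AD) integration.
+- **okta**: Enterprise Okta integration with JWKS validation.
+
+**Safety notes:**
+- `idp-token-ttl-s` must be >= `mandate-ttl-s` (enforced at startup)
+- In `cloud_connected` mode, `local` or `local-idp` requires `--allow-local-fallback`
+
+### Cloud-connected sidecar (control-plane sync)
 
 ```bash
-export
+export PREDICATE_API_KEY="your-api-key"
 
-./predicate-authorityd
+./predicate-authorityd \
 --host 127.0.0.1 \
 --port 8787 \
---mode
+--mode cloud_connected \
 --policy-file policy.json \
---
---
---
+--control-plane-url https://api.predicatesystems.dev \
+--tenant-id your-tenant \
+--project-id your-project \
+--predicate-api-key "$PREDICATE_API_KEY" \
+--sync-enabled \
+run
 ```
 
 ## Quick Start
@@ -299,6 +415,57 @@ Common failure modes and first checks:
 - Frequent retries before success
 - tune `maxRetries` and `backoffInitialMs`; investigate sidecar/host resource pressure.
 
+## Audit Vault and Control Plane
+
+The Predicate sidecar and SDKs are 100% open-source and free for local development and single-agent deployments.
+
+However, when deploying a fleet of AI agents in regulated environments (FinTech, Healthcare, Security), security teams cannot manage scattered YAML files or local SQLite databases. For production fleets, we offer the **Predicate Control Plane** and **Audit Vault**.
+
+<table>
+<tr>
+<td width="50%" align="center">
+<img src="docs/images/overview.png" alt="Control Plane Overview" width="100%">
+<br><em>Real-time dashboard with authorization metrics</em>
+</td>
+<td width="50%" align="center">
+<img src="docs/images/fleet_management.png" alt="Fleet Management" width="100%">
+<br><em>Fleet management across all sidecars</em>
+</td>
+</tr>
+<tr>
+<td width="50%" align="center">
+<img src="docs/images/audit_compliance.png" alt="Audit & Compliance" width="100%">
+<br><em>WORM-ready audit ledger with 7-year retention</em>
+</td>
+<td width="50%" align="center">
+<img src="docs/images/policies.png" alt="Policy Management" width="100%">
+<br><em>Centralized policy editor</em>
+</td>
+</tr>
+<tr>
+<td width="50%" align="center">
+<img src="docs/images/revocations.png" alt="Revocations" width="100%">
+<br><em>Global kill-switches and revocations</em>
+</td>
+<td width="50%" align="center">
+<img src="docs/images/siem_integrations.png" alt="SIEM Integrations" width="100%">
+<br><em>SIEM integrations (Splunk, Datadog, Sentinel)</em>
+</td>
+</tr>
+</table>
+
+**Control Plane Features:**
+
+* **Global Kill-Switches:** Instantly revoke a compromised agent's `principal` or `intent_hash`. The revocation syncs to all connected sidecars in milliseconds.
+* **Immutable Audit Vault (WORM):** Every authorized mandate and blocked action is cryptographically signed and stored in a 7-year, WORM-ready ledger. Prove to SOC2 auditors exactly *what* your agents did and *why* they were authorized.
+* **Fleet Management:** Manage your fleet of agents with total control
+* **SIEM Integrations:** Stream authorization events and security alerts directly to Datadog, Splunk, or your existing security dashboard.
+* **Centralized Policy Management:** Update and publish access policies across your entire fleet without redeploying agent code.
+
+**[Learn more about Predicate Systems](https://www.predicatesystems.ai)**
+
+---
+
 ## License
 
 Dual-licensed under **MIT** and **Apache 2.0**: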
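--- a/package/dist/index.d.ts
+++ b/package/dist/index.d.ts
@@ -8,6 +8,7 @@ export { ActionGuard, AuthorizationDeniedError, type ActionExecutionResult, type
 export { guardedFileRead, guardedFileWrite, guardedHttp, guardedShell, type GuardedFileReadOptions, type GuardedFileWriteOptions, type GuardedHttpOptions, type GuardedShellOptions, } from "./wrappers/sensitive-operations.js";
 export { buildWebStateEvidenceFromRuntimeSnapshot, buildWebStateEvidence, type RuntimeSnapshotLike, type WebStateEvidenceOptions, type WebStateSnapshot, webStateSnapshotFromRuntimeSnapshot, } from "./evidence/web-state.js";
 export { buildDesktopAccessibilityStateEvidence, buildTerminalStateEvidence, collectVerificationEvidence, type DesktopAccessibilityEvidenceProvider, type DesktopAccessibilitySnapshot, type DesktopStateEvidenceOptions, type EvidenceHasher, type TerminalEvidenceProvider, type TerminalSessionSnapshot, type TerminalStateEvidenceOptions, type VerificationSignalProvider, } from "./evidence/non-web.js";
+export { type EvidenceType, type ExecutionEvidence, type FileEvidence, type CliEvidence, type BrowserEvidence, type HttpEvidence, type DbEvidence, type GenericEvidence, type ActualOperation, type AuthorizedOperation, type MandateDetails, type RecordVerificationRequest, type RecordVerificationResponse, type VerificationFailureReason, type VerifyRequest, type VerifyResult, type ResourceMatchOptions, type MandateProvider, type VerifierOptions, getEvidenceType, isMandateDetails, isRecordVerificationResponse, isFileEvidence, isCliEvidence, isBrowserEvidence, isHttpEvidence, isDbEvidence, actionsMatch, normalizeResource, resourcesMatch, Verifier, } from "./verify/index.js";
 export { type Platform, type TerminalSessionSnapshot as CanonicalTerminalInput, type CanonicalTerminalSnapshot, type AccessibilityNode, type DesktopAccessibilitySnapshot as CanonicalDesktopInput, type CanonicalAccessibilityNode, type CanonicalDesktopSnapshot, normalizeText, normalizeCommand, stripAnsi, normalizeTimestamps, normalizeTranscript, normalizePath, isSecretKey, hashEnvironment, sha256, canonicalizeTerminalSnapshot, computeTerminalStateHash, TERMINAL_SCHEMA_VERSION, canonicalizeAccessibilityNode, buildFocusedPath, canonicalizeDesktopSnapshot, computeDesktopStateHash, DESKTOP_SCHEMA_VERSION, } from "./canonicalization/index.js";
 export interface AuthorityClientOptions {
 baseUrl: string;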
package/dist/index.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EACL,KAAK,qBAAqB,EAC1B,KAAK,gBAAgB,EAGtB,MAAM,YAAY,CAAC;AAEpB,YAAY,EACV,aAAa,EACb,UAAU,EACV,qBAAqB,EACrB,oBAAoB,EACpB,mBAAmB,EACnB,gBAAgB,EAChB,qBAAqB,EACrB,aAAa,EACb,YAAY,EACZ,UAAU,EACV,YAAY,EACZ,UAAU,EACV,uBAAuB,EACvB,aAAa,EACb,aAAa,EACb,oBAAoB,EACpB,kBAAkB,EAClB,kBAAkB,GACnB,MAAM,YAAY,CAAC;AACpB,OAAO,EAAE,oBAAoB,EAAE,KAAK,wBAAwB,EAAE,MAAM,aAAa,CAAC;AAClF,OAAO,EACL,qBAAqB,EACrB,cAAc,EACd,qBAAqB,EACrB,uBAAuB,EACvB,eAAe,EACf,aAAa,EACb,YAAY,EACZ,YAAY,EACZ,YAAY,EACZ,eAAe,EACf,yBAAyB,GAC1B,MAAM,YAAY,CAAC;AACpB,OAAO,EAAE,2BAA2B,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAC3F,OAAO,EAAE,YAAY,EAAE,KAAK,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AAC1E,OAAO,EACL,WAAW,EACX,wBAAwB,EACxB,KAAK,qBAAqB,EAC1B,KAAK,kBAAkB,GACxB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EACL,eAAe,EACf,gBAAgB,EAChB,WAAW,EACX,YAAY,EACZ,KAAK,sBAAsB,EAC3B,KAAK,uBAAuB,EAC5B,KAAK,kBAAkB,EACvB,KAAK,mBAAmB,GACzB,MAAM,oCAAoC,CAAC;AAC5C,OAAO,EACL,wCAAwC,EACxC,qBAAqB,EACrB,KAAK,mBAAmB,EACxB,KAAK,uBAAuB,EAC5B,KAAK,gBAAgB,EACrB,mCAAmC,GACpC,MAAM,yBAAyB,CAAC;AACjC,OAAO,EACL,sCAAsC,EACtC,0BAA0B,EAC1B,2BAA2B,EAC3B,KAAK,oCAAoC,EACzC,KAAK,4BAA4B,EACjC,KAAK,2BAA2B,EAChC,KAAK,cAAc,EACnB,KAAK,wBAAwB,EAC7B,KAAK,uBAAuB,EAC5B,KAAK,4BAA4B,EACjC,KAAK,0BAA0B,GAChC,MAAM,uBAAuB,CAAC;AAG/B,OAAO,EAEL,KAAK,QAAQ,EACb,KAAK,uBAAuB,IAAI,sBAAsB,EACtD,KAAK,yBAAyB,EAC9B,KAAK,iBAAiB,EACtB,KAAK,4BAA4B,IAAI,qBAAqB,EAC1D,KAAK,0BAA0B,EAC/B,KAAK,wBAAwB,EAE7B,aAAa,EACb,gBAAgB,EAChB,SAAS,EACT,mBAAmB,EACnB,mBAAmB,EACnB,aAAa,EACb,WAAW,EACX,eAAe,EACf,MAAM,EAEN,4BAA4B,EAC5B,wBAAwB,EACxB,uBAAuB,EAEvB,6BAA6B,EAC7B,gBAAgB,EAChB,2BAA2B,EAC3B,uBAAuB,EACvB,sBAAsB,GACvB,MAAM,6BAA6B,CAAC;AAErC,MAAM,WAAW,sBAAsB;IACrC,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,YAAY,CAAC,EAAE,eAAe,GAAG,YAAY,CAAC;CAC/C;AAED,qBAAa,eAAe;IAC1B,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IACjC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAS;IACnC,OAAO,CAA
C,QAAQ,CAAC,UAAU,CAAS;IACpC,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAS;IAC1C,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAiC;gBAElD,OAAO,EAAE,sBAAsB;IAQrC,SAAS,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,qBAAqB,CAAC;CAoE3E"}
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EACL,KAAK,qBAAqB,EAC1B,KAAK,gBAAgB,EAGtB,MAAM,YAAY,CAAC;AAEpB,YAAY,EACV,aAAa,EACb,UAAU,EACV,qBAAqB,EACrB,oBAAoB,EACpB,mBAAmB,EACnB,gBAAgB,EAChB,qBAAqB,EACrB,aAAa,EACb,YAAY,EACZ,UAAU,EACV,YAAY,EACZ,UAAU,EACV,uBAAuB,EACvB,aAAa,EACb,aAAa,EACb,oBAAoB,EACpB,kBAAkB,EAClB,kBAAkB,GACnB,MAAM,YAAY,CAAC;AACpB,OAAO,EAAE,oBAAoB,EAAE,KAAK,wBAAwB,EAAE,MAAM,aAAa,CAAC;AAClF,OAAO,EACL,qBAAqB,EACrB,cAAc,EACd,qBAAqB,EACrB,uBAAuB,EACvB,eAAe,EACf,aAAa,EACb,YAAY,EACZ,YAAY,EACZ,YAAY,EACZ,eAAe,EACf,yBAAyB,GAC1B,MAAM,YAAY,CAAC;AACpB,OAAO,EAAE,2BAA2B,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAC3F,OAAO,EAAE,YAAY,EAAE,KAAK,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AAC1E,OAAO,EACL,WAAW,EACX,wBAAwB,EACxB,KAAK,qBAAqB,EAC1B,KAAK,kBAAkB,GACxB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EACL,eAAe,EACf,gBAAgB,EAChB,WAAW,EACX,YAAY,EACZ,KAAK,sBAAsB,EAC3B,KAAK,uBAAuB,EAC5B,KAAK,kBAAkB,EACvB,KAAK,mBAAmB,GACzB,MAAM,oCAAoC,CAAC;AAC5C,OAAO,EACL,wCAAwC,EACxC,qBAAqB,EACrB,KAAK,mBAAmB,EACxB,KAAK,uBAAuB,EAC5B,KAAK,gBAAgB,EACrB,mCAAmC,GACpC,MAAM,yBAAyB,CAAC;AACjC,OAAO,EACL,sCAAsC,EACtC,0BAA0B,EAC1B,2BAA2B,EAC3B,KAAK,oCAAoC,EACzC,KAAK,4BAA4B,EACjC,KAAK,2BAA2B,EAChC,KAAK,cAAc,EACnB,KAAK,wBAAwB,EAC7B,KAAK,uBAAuB,EAC5B,KAAK,4BAA4B,EACjC,KAAK,0BAA0B,GAChC,MAAM,uBAAuB,CAAC;AAG/B,OAAO,EAEL,KAAK,YAAY,EACjB,KAAK,iBAAiB,EACtB,KAAK,YAAY,EACjB,KAAK,WAAW,EAChB,KAAK,eAAe,EACpB,KAAK,YAAY,EACjB,KAAK,UAAU,EACf,KAAK,eAAe,EAEpB,KAAK,eAAe,EACpB,KAAK,mBAAmB,EACxB,KAAK,cAAc,EACnB,KAAK,yBAAyB,EAC9B,KAAK,0BAA0B,EAC/B,KAAK,yBAAyB,EAC9B,KAAK,aAAa,EAClB,KAAK,YAAY,EACjB,KAAK,oBAAoB,EACzB,KAAK,eAAe,EACpB,KAAK,eAAe,EAEpB,eAAe,EACf,gBAAgB,EAChB,4BAA4B,EAC5B,cAAc,EACd,aAAa,EACb,iBAAiB,EACjB,cAAc,EACd,YAAY,EAEZ,YAAY,EACZ,iBAAiB,EACjB,cAAc,EAEd,QAAQ,GACT,MAAM,mBAAmB,CAAC;AAG3B,OAAO,EAEL,KAAK,QAAQ,EACb,KAAK,uBAAuB,IAAI,sBAAsB,EACtD,KAAK,yBAAyB,EAC9B,KAAK,iBAAiB,EACtB,KAAK,4BAA4B,IAAI,qBAAqB,EAC1D,KAAK,0BAA0B,EAC/B,KAAK,wBAAwB,EAE7B,aAAa,EACb,gBAAgB,EAChB,SAAS,EACT,
mBAAmB,EACnB,mBAAmB,EACnB,aAAa,EACb,WAAW,EACX,eAAe,EACf,MAAM,EAEN,4BAA4B,EAC5B,wBAAwB,EACxB,uBAAuB,EAEvB,6BAA6B,EAC7B,gBAAgB,EAChB,2BAA2B,EAC3B,uBAAuB,EACvB,sBAAsB,GACvB,MAAM,6BAA6B,CAAC;AAErC,MAAM,WAAW,sBAAsB;IACrC,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,YAAY,CAAC,EAAE,eAAe,GAAG,YAAY,CAAC;CAC/C;AAED,qBAAa,eAAe;IAC1B,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IACjC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAS;IACnC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;IACpC,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAS;IAC1C,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAiC;gBAElD,OAAO,EAAE,sBAAsB;IAQrC,SAAS,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,qBAAqB,CAAC;CAoE3E"}
|
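--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -8,6 +8,14 @@ export { ActionGuard, AuthorizationDeniedError, } from "./guard/action-guard.js"
 export { guardedFileRead, guardedFileWrite, guardedHttp, guardedShell, } from "./wrappers/sensitive-operations.js";
 export { buildWebStateEvidenceFromRuntimeSnapshot, buildWebStateEvidence, webStateSnapshotFromRuntimeSnapshot, } from "./evidence/web-state.js";
 export { buildDesktopAccessibilityStateEvidence, buildTerminalStateEvidence, collectVerificationEvidence, } from "./evidence/non-web.js";
+// Post-execution verification module
+export {
+// Type guards and helpers
+getEvidenceType, isMandateDetails, isRecordVerificationResponse, isFileEvidence, isCliEvidence, isBrowserEvidence, isHttpEvidence, isDbEvidence,
+// Comparators
+actionsMatch, normalizeResource, resourcesMatch,
+// Verifier class
+Verifier, } from "./verify/index.js";
 // Canonicalization module for reproducible state hashes
 export {
 // Utility functions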
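Review bot: The added `// Post-execution verification module` block puts `Verifier`, `actionsMatch`, `resourcesMatch` and `normalizeResource` on the package root with no accompanying documentation: the README hunks in this release cover only sidecar setup and the control plane, and the README still describes the SDK as a client for fail-closed pre-execution checks. A check that runs after the operation can presumably only report a mismatch with the mandate, so callers should be told it complements the pre-execution decision rather than replacing it. I would extend the comment to `// Post-execution verification: compares what ran against the mandate; not a substitute for the pre-execution check` in `src/index.ts` (the source named in the source map) and add a short README section for `Verifier`. The root also exports the existing `normalizePath` (visible in `package/dist/index.d.ts`, which mirrors this export), so that section should say which normalizer applies to mandate resources.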
package/dist/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AACnD,OAAO,EAGL,uBAAuB,EACvB,yBAAyB,GAC1B,MAAM,YAAY,CAAC;AAsBpB,OAAO,EAAE,oBAAoB,EAAiC,MAAM,aAAa,CAAC;AAClF,OAAO,EACL,qBAAqB,EACrB,cAAc,EACd,qBAAqB,EACrB,uBAAuB,EACvB,eAAe,EACf,aAAa,EACb,YAAY,EACZ,YAAY,EACZ,YAAY,EACZ,eAAe,EACf,yBAAyB,GAC1B,MAAM,YAAY,CAAC;AACpB,OAAO,EAAE,2BAA2B,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAC3F,OAAO,EAAE,YAAY,EAA0B,MAAM,oBAAoB,CAAC;AAC1E,OAAO,EACL,WAAW,EACX,wBAAwB,GAGzB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EACL,eAAe,EACf,gBAAgB,EAChB,WAAW,EACX,YAAY,GAKb,MAAM,oCAAoC,CAAC;AAC5C,OAAO,EACL,wCAAwC,EACxC,qBAAqB,EAIrB,mCAAmC,GACpC,MAAM,yBAAyB,CAAC;AACjC,OAAO,EACL,sCAAsC,EACtC,0BAA0B,EAC1B,2BAA2B,GAS5B,MAAM,uBAAuB,CAAC;AAE/B,wDAAwD;AACxD,OAAO;AASL,oBAAoB;AACpB,aAAa,EACb,gBAAgB,EAChB,SAAS,EACT,mBAAmB,EACnB,mBAAmB,EACnB,aAAa,EACb,WAAW,EACX,eAAe,EACf,MAAM;AACN,4BAA4B;AAC5B,4BAA4B,EAC5B,wBAAwB,EACxB,uBAAuB;AACvB,2BAA2B;AAC3B,6BAA6B,EAC7B,gBAAgB,EAChB,2BAA2B,EAC3B,uBAAuB,EACvB,sBAAsB,GACvB,MAAM,6BAA6B,CAAC;AAUrC,MAAM,OAAO,eAAe;IACT,OAAO,CAAS;IAChB,SAAS,CAAS;IAClB,UAAU,CAAS;IACnB,gBAAgB,CAAS;IACzB,YAAY,CAAiC;IAE9D,YAAY,OAA+B;QACzC,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;QACnD,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,IAAI,CAAC;QAC3C,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,CAAC,CAAC;QAC1C,IAAI,CAAC,gBAAgB,GAAG,OAAO,CAAC,gBAAgB,IAAI,GAAG,CAAC;QACxD,IAAI,CAAC,YAAY,GAAG,OAAO,CAAC,YAAY,IAAI,eAAe,CAAC;IAC9D,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,OAAyB;QACvC,MAAM,WAAW,GAAG,yBAAyB,CAAC,OAAO,CAAC,CAAC;QACvD,MAAM,QAAQ,GAAG,IAAI,CAAC,UAAU,GAAG,CAAC,CAAC;QAErC,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,QAAQ,EAAE,OAAO,IAAI,CAAC,EAAE,CAAC;YACvD,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;YACzC,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC;YACnE,IAAI,CAAC;gBACH,IAAI,QAAkB,CAAC;gBACvB,IAAI,CAAC;oBACH,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,YAAY,EAAE,EAAE;wBAC5D
,MAAM,EAAE,MAAM;wBACd,OAAO,EAAE;4BACP,cAAc,EAAE,kBAAkB;yBACnC;wBACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC;wBACjC,MAAM,EAAE,UAAU,CAAC,MAAM;qBAC1B,CAAC,CAAC;gBACL,CAAC;gBAAC,OAAO,KAAK,EAAE,CAAC;oBACf,IAAI,OAAO,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;wBAC9B,MAAM,KAAK,CAAC,IAAI,CAAC,gBAAgB,GAAG,CAAC,OAAO,GAAG,CAAC,CAAC,CAAC,CAAC;wBACnD,SAAS;oBACX,CAAC;oBACD,IAAI,KAAK,YAAY,KAAK,IAAI,KAAK,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;wBAC1D,MAAM,IAAI,oBAAoB,CAAC,6BAA6B,EAAE;4BAC5D,IAAI,EAAE,SAAS;4BACf,KAAK,EAAE,KAAK;yBACb,CAAC,CAAC;oBACL,CAAC;oBACD,MAAM,IAAI,oBAAoB,CAAC,0CAA0C,EAAE;wBACzE,IAAI,EAAE,eAAe;wBACrB,KAAK,EAAE,KAAK;qBACb,CAAC,CAAC;gBACL,CAAC;gBAED,MAAM,OAAO,GAAG,MAAM,eAAe,CAAC,QAAQ,CAAC,CAAC;gBAEhD,2EAA2E;gBAC3E,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,IAAI,uBAAuB,CAAC,OAAO,CAAC,EAAE,CAAC;oBAChE,OAAO,OAAO,CAAC;gBACjB,CAAC;gBAED,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;oBACjB,IAAI,QAAQ,CAAC,MAAM,IAAI,GAAG,IAAI,OAAO,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;wBACxD,MAAM,KAAK,CAAC,IAAI,CAAC,gBAAgB,GAAG,CAAC,OAAO,GAAG,CAAC,CAAC,CAAC,CAAC;wBACnD,SAAS;oBACX,CAAC;oBACD,MAAM,YAAY,CAAC,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;gBAC/C,CAAC;gBAED,IAAI,CAAC,uBAAuB,CAAC,OAAO,CAAC,EAAE,CAAC;oBACtC,MAAM,IAAI,oBAAoB,CAAC,oCAAoC,EAAE;wBACnE,IAAI,EAAE,gBAAgB;wBACtB,MAAM,EAAE,QAAQ,CAAC,MAAM;wBACvB,OAAO,EAAE,OAAO;qBACjB,CAAC,CAAC;gBACL,CAAC;gBAED,OAAO,OAAO,CAAC;YACjB,CAAC;oBAAS,CAAC;gBACT,YAAY,CAAC,KAAK,CAAC,CAAC;YACtB,CAAC;QACH,CAAC;QAED,MAAM,IAAI,oBAAoB,CAAC,0CAA0C,EAAE;YACzE,IAAI,EAAE,eAAe;SACtB,CAAC,CAAC;IACL,CAAC;CACF;AAED,SAAS,KAAK,CAAC,EAAU;IACvB,IAAI,EAAE,IAAI,CAAC,EAAE,CAAC;QACZ,OAAO,OAAO,CAAC,OAAO,EAAE,CAAC;IAC3B,CAAC;IACD,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;QAC7B,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;IAC1B,CAAC,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,eAAe,CAAC,QAAkB;IAC/C,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IACnC,IAAI,IAAI,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;QACvB,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAY,CAAC;IACrC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,IAAI,oBAAoB,CAAC,0CAA0C,EAAE;YACzE
,IAAI,EAAE,gBAAgB;YACtB,MAAM,EAAE,QAAQ,CAAC,MAAM;YACvB,OAAO,EAAE,IAAI;YACb,KAAK,EAAE,KAAK;SACb,CAAC,CAAC;IACL,CAAC;AACH,CAAC;AAED,SAAS,YAAY,CAAC,MAAc,EAAE,OAAgB;IACpD,MAAM,OAAO,GAAG,mBAAmB,CAAC,OAAO,CAAC,IAAI,oBAAoB,MAAM,EAAE,CAAC;IAC7E,IAAI,MAAM,KAAK,GAAG,EAAE,CAAC;QACnB,OAAO,IAAI,oBAAoB,CAAC,OAAO,EAAE,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC;IAC9F,CAAC;IACD,IAAI,MAAM,KAAK,GAAG,EAAE,CAAC;QACnB,OAAO,IAAI,oBAAoB,CAAC,OAAO,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC;IAC/F,CAAC;IACD,IAAI,MAAM,KAAK,GAAG,EAAE,CAAC;QACnB,OAAO,IAAI,oBAAoB,CAAC,OAAO,EAAE,EAAE,IAAI,EAAE,WAAW,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC;IAC5F,CAAC;IACD,IAAI,MAAM,IAAI,GAAG,EAAE,CAAC;QAClB,OAAO,IAAI,oBAAoB,CAAC,OAAO,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC;IAC/F,CAAC;IACD,OAAO,IAAI,oBAAoB,CAAC,OAAO,EAAE,EAAE,IAAI,EAAE,gBAAgB,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC;AACjG,CAAC;AAED,SAAS,mBAAmB,CAAC,OAAgB;IAC3C,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,KAAK,IAAI,EAAE,CAAC;QACpD,OAAO,IAAI,CAAC;IACd,CAAC;IACD,MAAM,GAAG,GAAG,OAAkC,CAAC;IAC/C,IAAI,OAAO,GAAG,CAAC,KAAK,KAAK,QAAQ,IAAI,GAAG,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;QAC7D,OAAO,GAAG,CAAC,KAAK,CAAC;IACnB,CAAC;IACD,IAAI,OAAO,GAAG,CAAC,MAAM,KAAK,QAAQ,IAAI,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;QAC/D,OAAO,GAAG,CAAC,MAAM,CAAC;IACpB,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC"}
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AACnD,OAAO,EAGL,uBAAuB,EACvB,yBAAyB,GAC1B,MAAM,YAAY,CAAC;AAsBpB,OAAO,EAAE,oBAAoB,EAAiC,MAAM,aAAa,CAAC;AAClF,OAAO,EACL,qBAAqB,EACrB,cAAc,EACd,qBAAqB,EACrB,uBAAuB,EACvB,eAAe,EACf,aAAa,EACb,YAAY,EACZ,YAAY,EACZ,YAAY,EACZ,eAAe,EACf,yBAAyB,GAC1B,MAAM,YAAY,CAAC;AACpB,OAAO,EAAE,2BAA2B,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAC3F,OAAO,EAAE,YAAY,EAA0B,MAAM,oBAAoB,CAAC;AAC1E,OAAO,EACL,WAAW,EACX,wBAAwB,GAGzB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EACL,eAAe,EACf,gBAAgB,EAChB,WAAW,EACX,YAAY,GAKb,MAAM,oCAAoC,CAAC;AAC5C,OAAO,EACL,wCAAwC,EACxC,qBAAqB,EAIrB,mCAAmC,GACpC,MAAM,yBAAyB,CAAC;AACjC,OAAO,EACL,sCAAsC,EACtC,0BAA0B,EAC1B,2BAA2B,GAS5B,MAAM,uBAAuB,CAAC;AAE/B,qCAAqC;AACrC,OAAO;AAsBL,0BAA0B;AAC1B,eAAe,EACf,gBAAgB,EAChB,4BAA4B,EAC5B,cAAc,EACd,aAAa,EACb,iBAAiB,EACjB,cAAc,EACd,YAAY;AACZ,cAAc;AACd,YAAY,EACZ,iBAAiB,EACjB,cAAc;AACd,iBAAiB;AACjB,QAAQ,GACT,MAAM,mBAAmB,CAAC;AAE3B,wDAAwD;AACxD,OAAO;AASL,oBAAoB;AACpB,aAAa,EACb,gBAAgB,EAChB,SAAS,EACT,mBAAmB,EACnB,mBAAmB,EACnB,aAAa,EACb,WAAW,EACX,eAAe,EACf,MAAM;AACN,4BAA4B;AAC5B,4BAA4B,EAC5B,wBAAwB,EACxB,uBAAuB;AACvB,2BAA2B;AAC3B,6BAA6B,EAC7B,gBAAgB,EAChB,2BAA2B,EAC3B,uBAAuB,EACvB,sBAAsB,GACvB,MAAM,6BAA6B,CAAC;AAUrC,MAAM,OAAO,eAAe;IACT,OAAO,CAAS;IAChB,SAAS,CAAS;IAClB,UAAU,CAAS;IACnB,gBAAgB,CAAS;IACzB,YAAY,CAAiC;IAE9D,YAAY,OAA+B;QACzC,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;QACnD,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,IAAI,CAAC;QAC3C,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,CAAC,CAAC;QAC1C,IAAI,CAAC,gBAAgB,GAAG,OAAO,CAAC,gBAAgB,IAAI,GAAG,CAAC;QACxD,IAAI,CAAC,YAAY,GAAG,OAAO,CAAC,YAAY,IAAI,eAAe,CAAC;IAC9D,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,OAAyB;QACvC,MAAM,WAAW,GAAG,yBAAyB,CAAC,OAAO,CAAC,CAAC;QACvD,MAAM,QAAQ,GAAG,IAAI,CAAC,UAAU,GAAG,CAAC,CAAC;QAErC,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,QAAQ,EAAE,OAAO,IAAI,CAAC,EAAE,CAAC;YACvD,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;YACzC,MAAM,KAAK,GAAG,UA
AU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC;YACnE,IAAI,CAAC;gBACH,IAAI,QAAkB,CAAC;gBACvB,IAAI,CAAC;oBACH,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,YAAY,EAAE,EAAE;wBAC5D,MAAM,EAAE,MAAM;wBACd,OAAO,EAAE;4BACP,cAAc,EAAE,kBAAkB;yBACnC;wBACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC;wBACjC,MAAM,EAAE,UAAU,CAAC,MAAM;qBAC1B,CAAC,CAAC;gBACL,CAAC;gBAAC,OAAO,KAAK,EAAE,CAAC;oBACf,IAAI,OAAO,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;wBAC9B,MAAM,KAAK,CAAC,IAAI,CAAC,gBAAgB,GAAG,CAAC,OAAO,GAAG,CAAC,CAAC,CAAC,CAAC;wBACnD,SAAS;oBACX,CAAC;oBACD,IAAI,KAAK,YAAY,KAAK,IAAI,KAAK,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;wBAC1D,MAAM,IAAI,oBAAoB,CAAC,6BAA6B,EAAE;4BAC5D,IAAI,EAAE,SAAS;4BACf,KAAK,EAAE,KAAK;yBACb,CAAC,CAAC;oBACL,CAAC;oBACD,MAAM,IAAI,oBAAoB,CAAC,0CAA0C,EAAE;wBACzE,IAAI,EAAE,eAAe;wBACrB,KAAK,EAAE,KAAK;qBACb,CAAC,CAAC;gBACL,CAAC;gBAED,MAAM,OAAO,GAAG,MAAM,eAAe,CAAC,QAAQ,CAAC,CAAC;gBAEhD,2EAA2E;gBAC3E,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,IAAI,uBAAuB,CAAC,OAAO,CAAC,EAAE,CAAC;oBAChE,OAAO,OAAO,CAAC;gBACjB,CAAC;gBAED,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;oBACjB,IAAI,QAAQ,CAAC,MAAM,IAAI,GAAG,IAAI,OAAO,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;wBACxD,MAAM,KAAK,CAAC,IAAI,CAAC,gBAAgB,GAAG,CAAC,OAAO,GAAG,CAAC,CAAC,CAAC,CAAC;wBACnD,SAAS;oBACX,CAAC;oBACD,MAAM,YAAY,CAAC,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;gBAC/C,CAAC;gBAED,IAAI,CAAC,uBAAuB,CAAC,OAAO,CAAC,EAAE,CAAC;oBACtC,MAAM,IAAI,oBAAoB,CAAC,oCAAoC,EAAE;wBACnE,IAAI,EAAE,gBAAgB;wBACtB,MAAM,EAAE,QAAQ,CAAC,MAAM;wBACvB,OAAO,EAAE,OAAO;qBACjB,CAAC,CAAC;gBACL,CAAC;gBAED,OAAO,OAAO,CAAC;YACjB,CAAC;oBAAS,CAAC;gBACT,YAAY,CAAC,KAAK,CAAC,CAAC;YACtB,CAAC;QACH,CAAC;QAED,MAAM,IAAI,oBAAoB,CAAC,0CAA0C,EAAE;YACzE,IAAI,EAAE,eAAe;SACtB,CAAC,CAAC;IACL,CAAC;CACF;AAED,SAAS,KAAK,CAAC,EAAU;IACvB,IAAI,EAAE,IAAI,CAAC,EAAE,CAAC;QACZ,OAAO,OAAO,CAAC,OAAO,EAAE,CAAC;IAC3B,CAAC;IACD,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;QAC7B,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;IAC1B,CAAC,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,eAAe,CAAC,QAAkB;IAC/C,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IACnC,I
AAI,IAAI,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;QACvB,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAY,CAAC;IACrC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,IAAI,oBAAoB,CAAC,0CAA0C,EAAE;YACzE,IAAI,EAAE,gBAAgB;YACtB,MAAM,EAAE,QAAQ,CAAC,MAAM;YACvB,OAAO,EAAE,IAAI;YACb,KAAK,EAAE,KAAK;SACb,CAAC,CAAC;IACL,CAAC;AACH,CAAC;AAED,SAAS,YAAY,CAAC,MAAc,EAAE,OAAgB;IACpD,MAAM,OAAO,GAAG,mBAAmB,CAAC,OAAO,CAAC,IAAI,oBAAoB,MAAM,EAAE,CAAC;IAC7E,IAAI,MAAM,KAAK,GAAG,EAAE,CAAC;QACnB,OAAO,IAAI,oBAAoB,CAAC,OAAO,EAAE,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC;IAC9F,CAAC;IACD,IAAI,MAAM,KAAK,GAAG,EAAE,CAAC;QACnB,OAAO,IAAI,oBAAoB,CAAC,OAAO,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC;IAC/F,CAAC;IACD,IAAI,MAAM,KAAK,GAAG,EAAE,CAAC;QACnB,OAAO,IAAI,oBAAoB,CAAC,OAAO,EAAE,EAAE,IAAI,EAAE,WAAW,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC;IAC5F,CAAC;IACD,IAAI,MAAM,IAAI,GAAG,EAAE,CAAC;QAClB,OAAO,IAAI,oBAAoB,CAAC,OAAO,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC;IAC/F,CAAC;IACD,OAAO,IAAI,oBAAoB,CAAC,OAAO,EAAE,EAAE,IAAI,EAAE,gBAAgB,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC;AACjG,CAAC;AAED,SAAS,mBAAmB,CAAC,OAAgB;IAC3C,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,KAAK,IAAI,EAAE,CAAC;QACpD,OAAO,IAAI,CAAC;IACd,CAAC;IACD,MAAM,GAAG,GAAG,OAAkC,CAAC;IAC/C,IAAI,OAAO,GAAG,CAAC,KAAK,KAAK,QAAQ,IAAI,GAAG,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;QAC7D,OAAO,GAAG,CAAC,KAAK,CAAC;IACnB,CAAC;IACD,IAAI,OAAO,GAAG,CAAC,MAAM,KAAK,QAAQ,IAAI,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;QAC/D,OAAO,GAAG,CAAC,MAAM,CAAC;IACpB,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC"}
|
|
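--- a/package/dist/verify/comparators.d.ts
+++ b/package/dist/verify/comparators.d.ts
@@ -0,0 +1,52 @@
+/**
+* Resource comparison functions for post-execution verification.
+*
+* These functions compare authorized resources against actual resources,
+* handling path normalization and glob pattern matching.
+*/
+/**
+* Options for resource matching.
+*/
+export interface ResourceMatchOptions {
+/** Enable glob pattern matching for authorized resource */
+allowGlob?: boolean;
+}
+/**
+* Normalize a resource path for comparison.
+*
+* Applies the following transformations:
+* - Expands ~ to home directory
+* - Collapses multiple slashes
+* - Removes ./ segments
+* - Removes trailing slashes
+* - Resolves . and ..
+*
+* @param resource - Resource path to normalize
+* @returns Normalized path
+*/
+export declare function normalizeResource(resource: string): string;
+/**
+* Check if an actual resource matches an authorized resource.
+*
+* Handles:
+* - Path normalization (~ expansion, . and .., etc.)
+* - Optional glob pattern matching (* wildcards)
+*
+* @param authorized - Resource from the mandate (may contain glob patterns)
+* @param actual - Resource that was actually accessed
+* @param options - Matching options
+* @returns True if resources match
+*/
+export declare function resourcesMatch(authorized: string, actual: string, options?: ResourceMatchOptions): boolean;
+/**
+* Check if an actual action matches an authorized action.
+*
+* Actions are compared case-sensitively after trimming whitespace.
+* Supports glob patterns in the authorized action.
+*
+* @param authorized - Action from the mandate (may contain glob patterns)
+* @param actual - Action that was actually performed
+* @returns True if actions match
+*/
+export declare function actionsMatch(authorized: string, actual: string): boolean;
+//# sourceMappingURL=comparators.d.ts.map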
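Review bot: The `allowGlob` comment in `ResourceMatchOptions` does not say that glob matching is on by default, although the compiled `resourcesMatch` in comparators.js destructures `allowGlob = true`. For a check that decides whether an executed operation stayed within its mandate, the declaration should make it clear that omitting the option gives wildcard matching rather than an exact comparison. I would change the comment to `/** Enable glob pattern matching for the authorized resource. Defaults to true; pass false to require an exact match after normalization. */`.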
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"comparators.d.ts","sourceRoot":"","sources":["../../src/verify/comparators.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAKH;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,2DAA2D;IAC3D,SAAS,CAAC,EAAE,OAAO,CAAC;CACrB;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CA+B1D;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,cAAc,CAC5B,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE,MAAM,EACd,OAAO,GAAE,oBAAyB,GACjC,OAAO,CAkBT;AAED;;;;;;;;;GASG;AACH,wBAAgB,YAAY,CAAC,UAAU,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAexE"}
|
|
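--- a/package/dist/verify/comparators.js
+++ b/package/dist/verify/comparators.js
@@ -0,0 +1,100 @@
+/**
+* Resource comparison functions for post-execution verification.
+*
+* These functions compare authorized resources against actual resources,
+* handling path normalization and glob pattern matching.
+*/
+import { normalizePath } from "../canonicalization/utils.js";
+import { globMatch } from "../policy/matching.js";
+/**
+* Normalize a resource path for comparison.
+*
+* Applies the following transformations:
+* - Expands ~ to home directory
+* - Collapses multiple slashes
+* - Removes ./ segments
+* - Removes trailing slashes
+* - Resolves . and ..
+*
+* @param resource - Resource path to normalize
+* @returns Normalized path
+*/
+export function normalizeResource(resource) {
+// Use existing normalizePath for filesystem paths
+if (resource.startsWith("/") || resource.startsWith("~") || resource.startsWith(".")) {
+let normalized = normalizePath(resource);
+// normalizePath doesn't strip trailing slashes, so we do it here
+if (normalized.length > 1 && normalized.endsWith("/")) {
+normalized = normalized.slice(0, -1);
+}
+return normalized;
+}
+// For URLs, handle protocol specially
+const urlMatch = resource.match(/^([a-zA-Z][a-zA-Z0-9+.-]*:\/\/)/);
+if (urlMatch) {
+const protocol = urlMatch[1]; // e.g., "https://"
+const rest = resource.slice(protocol.length);
+// Normalize the rest (collapse slashes, remove ./, remove trailing /)
+const normalized = rest
+.replace(/\/+/g, "/") // Collapse multiple slashes
+.replace(/\/\.\//g, "/") // Remove ./
+.replace(/\/$/g, ""); // Remove trailing slash
+return protocol + normalized;
+}
+// For other non-path resources, do basic cleanup
+return resource
+.replace(/\/+/g, "/") // Collapse multiple slashes
+.replace(/\/\.\//g, "/") // Remove ./
+.replace(/\/$/g, ""); // Remove trailing slash
+}
+/**
+* Check if an actual resource matches an authorized resource.
+*
+* Handles:
+* - Path normalization (~ expansion, . and .., etc.)
+* - Optional glob pattern matching (* wildcards)
+*
+* @param authorized - Resource from the mandate (may contain glob patterns)
+* @param actual - Resource that was actually accessed
+* @param options - Matching options
+* @returns True if resources match
+*/
+export function resourcesMatch(authorized, actual, options = {}) {
+const { allowGlob = true } = options;
+// Normalize both resources
+const normalizedAuth = normalizeResource(authorized);
+const normalizedActual = normalizeResource(actual);
+// Exact match after normalization
+if (normalizedAuth === normalizedActual) {
+return true;
+}
+// Glob pattern match (if enabled and authorized resource contains wildcards)
+if (allowGlob && authorized.includes("*")) {
+return globMatch(normalizedActual, authorized);
+}
+return false;
+}
+/**
+* Check if an actual action matches an authorized action.
+*
+* Actions are compared case-sensitively after trimming whitespace.
+* Supports glob patterns in the authorized action.
+*
+* @param authorized - Action from the mandate (may contain glob patterns)
+* @param actual - Action that was actually performed
+* @returns True if actions match
+*/
+export function actionsMatch(authorized, actual) {
+const normalizedAuth = authorized.trim();
+const normalizedActual = actual.trim();
+// Exact match
+if (normalizedAuth === normalizedActual) {
+return true;
+}
+// Glob pattern match (e.g., "fs.*" matches "fs.read")
+if (authorized.includes("*")) {
+return globMatch(normalizedActual, authorized);
+}
+return false;
+}
+//# sourceMappingURL=comparators.js.map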
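Review bot: In `normalizeResource`, only inputs starting with `/`, `~` or `.` go through `normalizePath`; the URL branch and the final fallback collapse slashes and strip `/./` but never resolve `..`, so a resource such as `src/../other` or a URL containing `/../` keeps its traversal segment even though the doc block lists "Resolves . and ..". The `/\/\.\//g` replace is also single-pass, so `a/././b` comes out as `a/./b`. Because `resourcesMatch` then hands `normalizedActual` to `globMatch`, whose treatment of `/` and `..` is not visible here, I would fail closed before the glob step with `if (normalizedActual.split("/").includes("..")) return false;`. Both `resourcesMatch` and `actionsMatch` also pass the raw `authorized` string as the pattern while the actual value is normalized or trimmed, so a pattern with `~`, a doubled slash or surrounding whitespace cannot match; passing `normalizedAuth` would keep the two sides consistent, assuming `normalizePath` leaves `*` intact.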
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"comparators.js","sourceRoot":"","sources":["../../src/verify/comparators.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,aAAa,EAAE,MAAM,8BAA8B,CAAC;AAC7D,OAAO,EAAE,SAAS,EAAE,MAAM,uBAAuB,CAAC;AAUlD;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,iBAAiB,CAAC,QAAgB;IAChD,kDAAkD;IAClD,IAAI,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QACrF,IAAI,UAAU,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAC;QACzC,iEAAiE;QACjE,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,IAAI,UAAU,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YACtD,UAAU,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QACvC,CAAC;QACD,OAAO,UAAU,CAAC;IACpB,CAAC;IAED,sCAAsC;IACtC,MAAM,QAAQ,GAAG,QAAQ,CAAC,KAAK,CAAC,iCAAiC,CAAC,CAAC;IACnE,IAAI,QAAQ,EAAE,CAAC;QACb,MAAM,QAAQ,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,mBAAmB;QACjD,MAAM,IAAI,GAAG,QAAQ,CAAC,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QAE7C,sEAAsE;QACtE,MAAM,UAAU,GAAG,IAAI;aACpB,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC,4BAA4B;aACjD,OAAO,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC,YAAY;aACpC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,CAAC,wBAAwB;QAEhD,OAAO,QAAQ,GAAG,UAAU,CAAC;IAC/B,CAAC;IAED,iDAAiD;IACjD,OAAO,QAAQ;SACZ,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC,4BAA4B;SACjD,OAAO,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC,YAAY;SACpC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,CAAC,wBAAwB;AAClD,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,cAAc,CAC5B,UAAkB,EAClB,MAAc,EACd,UAAgC,EAAE;IAElC,MAAM,EAAE,SAAS,GAAG,IAAI,EAAE,GAAG,OAAO,CAAC;IAErC,2BAA2B;IAC3B,MAAM,cAAc,GAAG,iBAAiB,CAAC,UAAU,CAAC,CAAC;IACrD,MAAM,gBAAgB,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;IAEnD,kCAAkC;IAClC,IAAI,cAAc,KAAK,gBAAgB,EAAE,CAAC;QACxC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,6EAA6E;IAC7E,IAAI,SAAS,IAAI,UAAU,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QAC1C,OAAO,SAAS,CAAC,gBAAgB,EAAE,UAAU,CAAC,CAAC;IACjD,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,YAAY,CAAC,UAAkB,EAAE,MAAc;IAC7D,MAAM,cAAc,GAAG,UAAU,CAAC,IAAI,EAAE,CAAC;IACzC,MAAM,gBAAgB,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC;IAEvC,cAAc;IACd,IAAI,cAAc,KAAK,gBAAgB,EAAE,CAAC;QACxC,OAAO,IAAI,CAAC;IAC
d,CAAC;IAED,sDAAsD;IACtD,IAAI,UAAU,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QAC7B,OAAO,SAAS,CAAC,gBAAgB,EAAE,UAAU,CAAC,CAAC;IACjD,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC"}
|
|
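--- a/package/dist/verify/index.d.ts
+++ b/package/dist/verify/index.d.ts
@@ -0,0 +1,34 @@
+/**
+* Post-execution verification module.
+*
+* This module provides verification capability to compare actual operations
+* against what was authorized via a mandate, detecting unauthorized deviations.
+*
+* @example
+* ```typescript
+* import { Verifier } from '@predicatesystems/authority';
+*
+* const verifier = new Verifier({ baseUrl: 'http://127.0.0.1:8787' });
+*
+* // After executing an authorized operation
+* const result = await verifier.verify({
+* mandateId: decision.mandate_id,
+* actual: {
+* action: 'fs.read',
+* resource: '/src/index.ts',
+* },
+* });
+*
+* if (!result.verified) {
+* console.error('Operation mismatch:', result.reason, result.details);
+* }
+* ```
+*
+* @module verify
+*/
+export type { EvidenceType, ExecutionEvidence, FileEvidence, CliEvidence, BrowserEvidence, HttpEvidence, DbEvidence, GenericEvidence, } from "./types.js";
+export type { ActualOperation, AuthorizedOperation, MandateDetails, RecordVerificationRequest, RecordVerificationResponse, VerificationFailureReason, VerifyRequest, VerifyResult, } from "./types.js";
+export { getEvidenceType, isMandateDetails, isRecordVerificationResponse, isFileEvidence, isCliEvidence, isBrowserEvidence, isHttpEvidence, isDbEvidence, } from "./types.js";
+export { actionsMatch, normalizeResource, resourcesMatch, type ResourceMatchOptions, } from "./comparators.js";
+export { Verifier, type MandateProvider, type VerifierOptions } from "./verifier.js";
+//# sourceMappingURL=index.d.ts.map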
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/verify/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AAGH,YAAY,EACV,YAAY,EACZ,iBAAiB,EACjB,YAAY,EACZ,WAAW,EACX,eAAe,EACf,YAAY,EACZ,UAAU,EACV,eAAe,GAChB,MAAM,YAAY,CAAC;AAGpB,YAAY,EACV,eAAe,EACf,mBAAmB,EACnB,cAAc,EACd,yBAAyB,EACzB,0BAA0B,EAC1B,yBAAyB,EACzB,aAAa,EACb,YAAY,GACb,MAAM,YAAY,CAAC;AAGpB,OAAO,EACL,eAAe,EACf,gBAAgB,EAChB,4BAA4B,EAC5B,cAAc,EACd,aAAa,EACb,iBAAiB,EACjB,cAAc,EACd,YAAY,GACb,MAAM,YAAY,CAAC;AAGpB,OAAO,EACL,YAAY,EACZ,iBAAiB,EACjB,cAAc,EACd,KAAK,oBAAoB,GAC1B,MAAM,kBAAkB,CAAC;AAG1B,OAAO,EAAE,QAAQ,EAAE,KAAK,eAAe,EAAE,KAAK,eAAe,EAAE,MAAM,eAAe,CAAC"}
|
|
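--- a/package/dist/verify/index.js
+++ b/package/dist/verify/index.js
@@ -0,0 +1,35 @@
+/**
+* Post-execution verification module.
+*
+* This module provides verification capability to compare actual operations
+* against what was authorized via a mandate, detecting unauthorized deviations.
+*
+* @example
+* ```typescript
+* import { Verifier } from '@predicatesystems/authority';
+*
+* const verifier = new Verifier({ baseUrl: 'http://127.0.0.1:8787' });
+*
+* // After executing an authorized operation
+* const result = await verifier.verify({
+* mandateId: decision.mandate_id,
+* actual: {
+* action: 'fs.read',
+* resource: '/src/index.ts',
+* },
+* });
+*
+* if (!result.verified) {
+* console.error('Operation mismatch:', result.reason, result.details);
+* }
+* ```
+*
+* @module verify
+*/
+// Type guards and helpers
+export { getEvidenceType, isMandateDetails, isRecordVerificationResponse, isFileEvidence, isCliEvidence, isBrowserEvidence, isHttpEvidence, isDbEvidence, } from "./types.js";
+// Comparators
+export { actionsMatch, normalizeResource, resourcesMatch, } from "./comparators.js";
+// Verifier
+export { Verifier } from "./verifier.js";
+//# sourceMappingURL=index.js.map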
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/verify/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AA0BH,0BAA0B;AAC1B,OAAO,EACL,eAAe,EACf,gBAAgB,EAChB,4BAA4B,EAC5B,cAAc,EACd,aAAa,EACb,iBAAiB,EACjB,cAAc,EACd,YAAY,GACb,MAAM,YAAY,CAAC;AAEpB,cAAc;AACd,OAAO,EACL,YAAY,EACZ,iBAAiB,EACjB,cAAc,GAEf,MAAM,kBAAkB,CAAC;AAE1B,WAAW;AACX,OAAO,EAAE,QAAQ,EAA8C,MAAM,eAAe,CAAC"}
|