@predicatesystems/authority 0.4.0 → 0.4.1

package/dist/verify/types.d.ts

@@ -0,0 +1,290 @@
+/**
+ * Types for post-execution verification.
+ *
+ * These types support verifying that actual operations match
+ * what was authorized via a mandate.
+ *
+ * The verification system uses discriminated unions to support different
+ * evidence schemas based on the action domain:
+ *
+ * - `file`: File system operations with content hashes
+ * - `cli`: Terminal/shell operations with transcript evidence
+ * - `browser`: Web operations with DOM/A11y state
+ * - `http`: HTTP requests with response evidence
+ * - `db`: Database operations with query evidence
+ */
+/**
+ * Evidence type discriminator.
+ */
+export type EvidenceType = "file" | "cli" | "browser" | "http" | "db" | "generic";
+/**
+ * Base interface for all evidence types.
+ */
+interface BaseEvidence {
+    /** Discriminator field for type narrowing */
+    type: EvidenceType;
+    /** The action that was actually performed (e.g., "fs.read", "cli.exec") */
+    action: string;
+    /** The resource that was accessed (path, URL, command, etc.) */
+    resource: string;
+    /** Timestamp when operation was executed (ISO 8601) */
+    executedAt?: string;
+}
+/**
+ * Evidence for file system operations (fs.read, fs.write, etc.)
+ */
+export interface FileEvidence extends BaseEvidence {
+    type: "file";
+    /** Hash of file content (SHA-256) */
+    contentHash?: string;
+    /** File size in bytes */
+    fileSize?: number;
+    /** File permissions (octal string, e.g., "644") */
+    permissions?: string;
+    /** Last modified timestamp (ISO 8601) */
+    modifiedAt?: string;
+}
+/**
+ * Evidence for terminal/CLI operations (cli.exec, cli.spawn, etc.)
+ */
+export interface CliEvidence extends BaseEvidence {
+    type: "cli";
+    /** The exact command that was executed */
+    command?: string;
+    /** Exit code of the process */
+    exitCode?: number;
+    /** Hash of stdout transcript */
+    stdoutHash?: string;
+    /** Hash of stderr transcript */
+    stderrHash?: string;
+    /** Combined transcript hash (stdout + stderr) */
+    transcriptHash?: string;
+    /** Working directory where command was executed */
+    cwd?: string;
+    /** Duration in milliseconds */
+    durationMs?: number;
+}
+/**
+ * Evidence for browser/web operations (browser.click, browser.navigate, etc.)
+ */
+export interface BrowserEvidence extends BaseEvidence {
+    type: "browser";
+    /** Final URL after navigation */
+    finalUrl?: string;
+    /** DOM selector that was interacted with */
+    selector?: string;
+    /** Hash of accessibility tree state */
+    a11yTreeHash?: string;
+    /** Hash of visible DOM state */
+    domStateHash?: string;
+    /** Screenshot hash (if captured) */
+    screenshotHash?: string;
+    /** Page title after operation */
+    pageTitle?: string;
+}
+/**
+ * Evidence for HTTP operations (http.get, http.post, etc.)
+ */
+export interface HttpEvidence extends BaseEvidence {
+    type: "http";
+    /** HTTP method used */
+    method?: string;
+    /** Response status code */
+    statusCode?: number;
+    /** Hash of response body */
+    responseBodyHash?: string;
+    /** Response content type */
+    contentType?: string;
+    /** Response size in bytes */
+    responseSize?: number;
+    /** Request duration in milliseconds */
+    durationMs?: number;
+}
+/**
+ * Evidence for database operations (db.query, db.insert, etc.)
+ */
+export interface DbEvidence extends BaseEvidence {
+    type: "db";
+    /** Hash of query/statement */
+    queryHash?: string;
+    /** Number of rows affected */
+    rowsAffected?: number;
+    /** Hash of result set (for queries) */
+    resultHash?: string;
+    /** Query duration in milliseconds */
+    durationMs?: number;
+}
+/**
+ * Generic evidence for unknown or custom action types.
+ */
+export interface GenericEvidence extends BaseEvidence {
+    type: "generic";
+    /** Arbitrary evidence hash */
+    evidenceHash?: string;
+    /** Additional metadata */
+    metadata?: Record<string, unknown>;
+}
+/**
+ * Discriminated union of all evidence types.
+ *
+ * Use the `type` field to narrow to a specific evidence type:
+ *
+ * @example
+ * ```typescript
+ * function processEvidence(evidence: ExecutionEvidence) {
+ *   switch (evidence.type) {
+ *     case "file":
+ *       console.log("File hash:", evidence.contentHash);
+ *       break;
+ *     case "cli":
+ *       console.log("Exit code:", evidence.exitCode);
+ *       break;
+ *     case "browser":
+ *       console.log("Final URL:", evidence.finalUrl);
+ *       break;
+ *   }
+ * }
+ * ```
+ */
+export type ExecutionEvidence = FileEvidence | CliEvidence | BrowserEvidence | HttpEvidence | DbEvidence | GenericEvidence;
+/**
+ * Extract the domain from an action string.
+ *
+ * @example
+ * getActionDomain("fs.read") // => "file"
+ * getActionDomain("cli.exec") // => "cli"
+ * getActionDomain("browser.click") // => "browser"
+ * getActionDomain("custom.action") // => "generic"
+ */
+export declare function getEvidenceType(action: string): EvidenceType;
+/**
+ * Type guard for FileEvidence.
+ */
+export declare function isFileEvidence(evidence: ExecutionEvidence): evidence is FileEvidence;
+/**
+ * Type guard for CliEvidence.
+ */
+export declare function isCliEvidence(evidence: ExecutionEvidence): evidence is CliEvidence;
+/**
+ * Type guard for BrowserEvidence.
+ */
+export declare function isBrowserEvidence(evidence: ExecutionEvidence): evidence is BrowserEvidence;
+/**
+ * Type guard for HttpEvidence.
+ */
+export declare function isHttpEvidence(evidence: ExecutionEvidence): evidence is HttpEvidence;
+/**
+ * Type guard for DbEvidence.
+ */
+export declare function isDbEvidence(evidence: ExecutionEvidence): evidence is DbEvidence;
+/**
+ * Reason codes for verification failure.
+ */
+export type VerificationFailureReason = "resource_mismatch" | "action_mismatch" | "mandate_expired" | "mandate_not_found" | "evidence_mismatch";
+/**
+ * Details about an authorized operation from a mandate.
+ */
+export interface AuthorizedOperation {
+    action: string;
+    resource: string;
+}
+/**
+ * Legacy ActualOperation interface for backward compatibility.
+ *
+ * @deprecated Use ExecutionEvidence discriminated union instead.
+ */
+export interface ActualOperation {
+    /** The action that was actually performed */
+    action: string;
+    /** The resource that was actually accessed */
+    resource: string;
+    /** Timestamp when operation was executed (ISO 8601) */
+    executedAt?: string;
+    /** @deprecated Use FileEvidence.contentHash instead */
+    contentHash?: string;
+    /** @deprecated Use CliEvidence.transcriptHash instead */
+    transcriptHash?: string;
+}
+/**
+ * Request to verify an operation against its mandate.
+ *
+ * Supports both the legacy ActualOperation format and the new
+ * discriminated union ExecutionEvidence format.
+ */
+export interface VerifyRequest {
+    /** Mandate ID from the authorization decision */
+    mandateId: string;
+    /**
+     * The actual operation that was performed.
+     *
+     * Can be either:
+     * - ExecutionEvidence (discriminated union with `type` field) - recommended
+     * - ActualOperation (legacy format without `type` field) - deprecated
+     */
+    actual: ExecutionEvidence | ActualOperation;
+}
+/**
+ * Result of verification.
+ */
+export interface VerifyResult {
+    /** Whether the operation matched the authorization */
+    verified: boolean;
+    /** Reason for verification failure (if verified is false) */
+    reason?: VerificationFailureReason;
+    /** Details about the mismatch (if verification failed) */
+    details?: {
+        authorized: AuthorizedOperation;
+        actual: ExecutionEvidence | ActualOperation;
+    };
+    /** Audit trail ID from the sidecar (if verification succeeded) */
+    auditId?: string;
+}
+/**
+ * Mandate details retrieved from the sidecar.
+ */
+export interface MandateDetails {
+    /** Unique mandate identifier */
+    mandate_id: string;
+    /** Principal that was granted authorization */
+    principal: string;
+    /** Action that was authorized */
+    action: string;
+    /** Resource that was authorized */
+    resource: string;
+    /** Hash of the stated intent */
+    intent_hash: string;
+    /** When the mandate was issued (ISO 8601) */
+    issued_at: string;
+    /** When the mandate expires (ISO 8601) */
+    expires_at: string;
+}
+/**
+ * Type guard for MandateDetails.
+ */
+export declare function isMandateDetails(value: unknown): value is MandateDetails;
+/**
+ * Request to record a verification in the audit log.
+ */
+export interface RecordVerificationRequest {
+    /** Mandate ID that was verified */
+    mandateId: string;
+    /** Whether verification succeeded */
+    verified: boolean;
+    /** The actual operation details */
+    actual: ExecutionEvidence | ActualOperation;
+    /** Reason for failure (if verified is false) */
+    reason?: VerificationFailureReason;
+}
+/**
+ * Response from recording a verification.
+ */
+export interface RecordVerificationResponse {
+    /** Audit trail ID */
+    audit_id: string;
+}
+/**
+ * Type guard for RecordVerificationResponse.
+ */
+export declare function isRecordVerificationResponse(value: unknown): value is RecordVerificationResponse;
+export {};
+//# sourceMappingURL=types.d.ts.map

package/dist/verify/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/verify/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAMH;;GAEG;AACH,MAAM,MAAM,YAAY,GAAG,MAAM,GAAG,KAAK,GAAG,SAAS,GAAG,MAAM,GAAG,IAAI,GAAG,SAAS,CAAC;AAElF;;GAEG;AACH,UAAU,YAAY;IACpB,6CAA6C;IAC7C,IAAI,EAAE,YAAY,CAAC;IAEnB,2EAA2E;IAC3E,MAAM,EAAE,MAAM,CAAC;IAEf,gEAAgE;IAChE,QAAQ,EAAE,MAAM,CAAC;IAEjB,uDAAuD;IACvD,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;GAEG;AACH,MAAM,WAAW,YAAa,SAAQ,YAAY;IAChD,IAAI,EAAE,MAAM,CAAC;IAEb,qCAAqC;IACrC,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB,yBAAyB;IACzB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB,mDAAmD;IACnD,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB,yCAAyC;IACzC,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;GAEG;AACH,MAAM,WAAW,WAAY,SAAQ,YAAY;IAC/C,IAAI,EAAE,KAAK,CAAC;IAEZ,0CAA0C;IAC1C,OAAO,CAAC,EAAE,MAAM,CAAC;IAEjB,+BAA+B;IAC/B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB,gCAAgC;IAChC,UAAU,CAAC,EAAE,MAAM,CAAC;IAEpB,gCAAgC;IAChC,UAAU,CAAC,EAAE,MAAM,CAAC;IAEpB,iDAAiD;IACjD,cAAc,CAAC,EAAE,MAAM,CAAC;IAExB,mDAAmD;IACnD,GAAG,CAAC,EAAE,MAAM,CAAC;IAEb,+BAA+B;IAC/B,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;GAEG;AACH,MAAM,WAAW,eAAgB,SAAQ,YAAY;IACnD,IAAI,EAAE,SAAS,CAAC;IAEhB,iCAAiC;IACjC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB,4CAA4C;IAC5C,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB,uCAAuC;IACvC,YAAY,CAAC,EAAE,MAAM,CAAC;IAEtB,gCAAgC;IAChC,YAAY,CAAC,EAAE,MAAM,CAAC;IAEtB,oCAAoC;IACpC,cAAc,CAAC,EAAE,MAAM,CAAC;IAExB,iCAAiC;IACjC,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,YAAa,SAAQ,YAAY;IAChD,IAAI,EAAE,MAAM,CAAC;IAEb,uBAAuB;IACvB,MAAM,CAAC,EAAE,MAAM,CAAC;IAEhB,2BAA2B;IAC3B,UAAU,CAAC,EAAE,MAAM,CAAC;IAEpB,4BAA4B;IAC5B,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAE1B,4BAA4B;IAC5B,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB,6BAA6B;IAC7B,YAAY,CAAC,EAAE,MAAM,CAAC;IAEtB,uCAAuC;IACvC,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;GAEG;AACH,MAAM,WAAW,UAAW,SAAQ,YAAY;IAC9C,IAAI,EAAE,IAAI,CAAC;IAEX,8BAA8B;IAC9B,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB,8BAA8B;IAC9B,YAAY,CAAC,EAAE,MAAM,CAAC;IAEtB,uCAAuC;IACvC,UAAU,CAAC,EAAE,MAAM,CAAC;IAEpB,qCAAqC;IACrC,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;GAEG;AACH,MAAM,WAAW,eAAgB,SAAQ,YAAY;IACnD,IAAI,EAAE,SAAS,CAAC;IAEhB,8BAA8B;IAC9B,YAAY,CAAC,EAAE,MAAM,CAAC;IAEtB,0BAA0B;IAC1B,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACpC;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,MAAM,MAAM,iBAAiB,GACzB,YAAY,GACZ,WAAW,GACX,eAAe,GACf,YAAY,GACZ,UAAU,GACV,eAAe,CAAC;AAMpB;;;;;;;;GAQG;AACH,wBAAgB,eAAe,CAAC,MAAM,EAAE,MAAM,GAAG,YAAY,CAiB5D;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,QAAQ,EAAE,iBAAiB,GAAG,QAAQ,IAAI,YAAY,CAEpF;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,QAAQ,EAAE,iBAAiB,GAAG,QAAQ,IAAI,WAAW,CAElF;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,iBAAiB,GAAG,QAAQ,IAAI,eAAe,CAE1F;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,QAAQ,EAAE,iBAAiB,GAAG,QAAQ,IAAI,YAAY,CAEpF;AAED;;GAEG;AACH,wBAAgB,YAAY,CAAC,QAAQ,EAAE,iBAAiB,GAAG,QAAQ,IAAI,UAAU,CAEhF;AAMD;;GAEG;AACH,MAAM,MAAM,yBAAyB,GACjC,mBAAmB,GACnB,iBAAiB,GACjB,iBAAiB,GACjB,mBAAmB,GACnB,mBAAmB,CAAC;AAExB;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;;;GAIG;AACH,MAAM,WAAW,eAAe;IAC9B,6CAA6C;IAC7C,MAAM,EAAE,MAAM,CAAC;IAEf,8CAA8C;IAC9C,QAAQ,EAAE,MAAM,CAAC;IAEjB,uDAAuD;IACvD,UAAU,CAAC,EAAE,MAAM,CAAC;IAEpB,uDAAuD;IACvD,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB,yDAAyD;IACzD,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAED;;;;;GAKG;AACH,MAAM,WAAW,aAAa;IAC5B,iDAAiD;IACjD,SAAS,EAAE,MAAM,CAAC;IAElB;;;;;;OAMG;IACH,MAAM,EAAE,iBAAiB,GAAG,eAAe,CAAC;CAC7C;AAED;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,sDAAsD;IACtD,QAAQ,EAAE,OAAO,CAAC;IAElB,6DAA6D;IAC7D,MAAM,CAAC,EAAE,yBAAyB,CAAC;IAEnC,0DAA0D;IAC1D,OAAO,CAAC,EAAE;QACR,UAAU,EAAE,mBAAmB,CAAC;QAChC,MAAM,EAAE,iBAAiB,GAAG,eAAe,CAAC;KAC7C,CAAC;IAEF,kEAAkE;IAClE,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAMD;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,gCAAgC;IAChC,UAAU,EAAE,MAAM,CAAC;IAEnB,+CAA+C;IAC/C,SAAS,EAAE,MAAM,CAAC;IAElB,iCAAiC;IACjC,MAAM,EAAE,MAAM,CAAC;IAEf,mCAAmC;IACnC,QAAQ,EAAE,MAAM,CAAC;IAEjB,gCAAgC;IAChC,WAAW,EAAE,MAAM,CAAC;IAEpB,6CAA6C;IAC7C,SAAS,EAAE,MAAM,CAAC;IAElB,0CAA0C;IAC1C,UAAU,EAAE,MAAM,CAAC;CACpB;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,OAAO,GAAG,KAAK,IAAI,cAAc,CAcxE;AAMD;;GAEG;AACH,MAAM,WAAW,yBAAyB;IACxC,mCAAmC;IACnC,SAAS,EAAE,MAAM,CAAC;IAElB,qCAAqC;IACrC,QAAQ,EAAE,OAAO,CAAC;IAElB,mCAAmC;IACnC,MAAM,EAAE,iBAAiB,GAAG,eAAe,CAAC;IAE5C,gDAAgD;IAChD,MAAM,CAAC,EAAE,yBAAyB,CAAC;CACpC;AAED;;GAEG;AACH,MAAM,WAAW,0BAA0B;IACzC,qBAAqB;IACrB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,wBAAgB,4BAA4B,CAC1C,KAAK,EAAE,OAAO,GACb,KAAK,IAAI,0BAA0B,CAMrC"}

package/dist/verify/types.js

@@ -0,0 +1,102 @@
+/**
+ * Types for post-execution verification.
+ *
+ * These types support verifying that actual operations match
+ * what was authorized via a mandate.
+ *
+ * The verification system uses discriminated unions to support different
+ * evidence schemas based on the action domain:
+ *
+ * - `file`: File system operations with content hashes
+ * - `cli`: Terminal/shell operations with transcript evidence
+ * - `browser`: Web operations with DOM/A11y state
+ * - `http`: HTTP requests with response evidence
+ * - `db`: Database operations with query evidence
+ */
+// =============================================================================
+// Helper Functions
+// =============================================================================
+/**
+ * Extract the domain from an action string.
+ *
+ * @example
+ * getActionDomain("fs.read") // => "file"
+ * getActionDomain("cli.exec") // => "cli"
+ * getActionDomain("browser.click") // => "browser"
+ * getActionDomain("custom.action") // => "generic"
+ */
+export function getEvidenceType(action) {
+    const prefix = action.split(".")[0];
+    const domainMap = {
+        fs: "file",
+        file: "file",
+        cli: "cli",
+        shell: "cli",
+        terminal: "cli",
+        browser: "browser",
+        web: "browser",
+        http: "http",
+        https: "http",
+        db: "db",
+        database: "db",
+        sql: "db",
+    };
+    return domainMap[prefix] ?? "generic";
+}
+/**
+ * Type guard for FileEvidence.
+ */
+export function isFileEvidence(evidence) {
+    return evidence.type === "file";
+}
+/**
+ * Type guard for CliEvidence.
+ */
+export function isCliEvidence(evidence) {
+    return evidence.type === "cli";
+}
+/**
+ * Type guard for BrowserEvidence.
+ */
+export function isBrowserEvidence(evidence) {
+    return evidence.type === "browser";
+}
+/**
+ * Type guard for HttpEvidence.
+ */
+export function isHttpEvidence(evidence) {
+    return evidence.type === "http";
+}
+/**
+ * Type guard for DbEvidence.
+ */
+export function isDbEvidence(evidence) {
+    return evidence.type === "db";
+}
+/**
+ * Type guard for MandateDetails.
+ */
+export function isMandateDetails(value) {
+    if (typeof value !== "object" || value === null) {
+        return false;
+    }
+    const obj = value;
+    return (typeof obj.mandate_id === "string" &&
+        typeof obj.principal === "string" &&
+        typeof obj.action === "string" &&
+        typeof obj.resource === "string" &&
+        typeof obj.intent_hash === "string" &&
+        typeof obj.issued_at === "string" &&
+        typeof obj.expires_at === "string");
+}
+/**
+ * Type guard for RecordVerificationResponse.
+ */
+export function isRecordVerificationResponse(value) {
+    if (typeof value !== "object" || value === null) {
+        return false;
+    }
+    const obj = value;
+    return typeof obj.audit_id === "string";
+}
+//# sourceMappingURL=types.js.map

package/dist/verify/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/verify/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AA2LH,gFAAgF;AAChF,mBAAmB;AACnB,gFAAgF;AAEhF;;;;;;;;GAQG;AACH,MAAM,UAAU,eAAe,CAAC,MAAc;IAC5C,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IACpC,MAAM,SAAS,GAAiC;QAC9C,EAAE,EAAE,MAAM;QACV,IAAI,EAAE,MAAM;QACZ,GAAG,EAAE,KAAK;QACV,KAAK,EAAE,KAAK;QACZ,QAAQ,EAAE,KAAK;QACf,OAAO,EAAE,SAAS;QAClB,GAAG,EAAE,SAAS;QACd,IAAI,EAAE,MAAM;QACZ,KAAK,EAAE,MAAM;QACb,EAAE,EAAE,IAAI;QACR,QAAQ,EAAE,IAAI;QACd,GAAG,EAAE,IAAI;KACV,CAAC;IACF,OAAO,SAAS,CAAC,MAAM,CAAC,IAAI,SAAS,CAAC;AACxC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,QAA2B;IACxD,OAAO,QAAQ,CAAC,IAAI,KAAK,MAAM,CAAC;AAClC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,aAAa,CAAC,QAA2B;IACvD,OAAO,QAAQ,CAAC,IAAI,KAAK,KAAK,CAAC;AACjC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAAC,QAA2B;IAC3D,OAAO,QAAQ,CAAC,IAAI,KAAK,SAAS,CAAC;AACrC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,QAA2B;IACxD,OAAO,QAAQ,CAAC,IAAI,KAAK,MAAM,CAAC;AAClC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,YAAY,CAAC,QAA2B;IACtD,OAAO,QAAQ,CAAC,IAAI,KAAK,IAAI,CAAC;AAChC,CAAC;AAoHD;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAAC,KAAc;IAC7C,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;QAChD,OAAO,KAAK,CAAC;IACf,CAAC;IACD,MAAM,GAAG,GAAG,KAAgC,CAAC;IAC7C,OAAO,CACL,OAAO,GAAG,CAAC,UAAU,KAAK,QAAQ;QAClC,OAAO,GAAG,CAAC,SAAS,KAAK,QAAQ;QACjC,OAAO,GAAG,CAAC,MAAM,KAAK,QAAQ;QAC9B,OAAO,GAAG,CAAC,QAAQ,KAAK,QAAQ;QAChC,OAAO,GAAG,CAAC,WAAW,KAAK,QAAQ;QACnC,OAAO,GAAG,CAAC,SAAS,KAAK,QAAQ;QACjC,OAAO,GAAG,CAAC,UAAU,KAAK,QAAQ,CACnC,CAAC;AACJ,CAAC;AA+BD;;GAEG;AACH,MAAM,UAAU,4BAA4B,CAC1C,KAAc;IAEd,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;QAChD,OAAO,KAAK,CAAC;IACf,CAAC;IACD,MAAM,GAAG,GAAG,KAAgC,CAAC;IAC7C,OAAO,OAAO,GAAG,CAAC,QAAQ,KAAK,QAAQ,CAAC;AAC1C,CAAC"}

package/dist/verify/verifier.d.ts

@@ -0,0 +1,102 @@
+/**
+ * Post-execution verification module.
+ *
+ * The Verifier class compares actual operations against what was
+ * authorized via a mandate, detecting unauthorized deviations.
+ */
+import { type MandateDetails, type RecordVerificationRequest, type VerifyRequest, type VerifyResult } from "./types.js";
+/**
+ * Interface for mandate retrieval.
+ *
+ * Can be implemented by AuthorityClient or a custom provider.
+ */
+export interface MandateProvider {
+    /**
+     * Retrieve mandate details by ID.
+     * @param mandateId - The mandate ID to look up
+     * @returns Mandate details or null if not found
+     */
+    getMandate(mandateId: string): Promise<MandateDetails | null>;
+    /**
+     * Record a verification result in the audit log.
+     * @param request - Verification details to record
+     * @returns Audit trail ID
+     */
+    recordVerification(request: RecordVerificationRequest): Promise<string>;
+}
+/**
+ * Options for creating a Verifier.
+ */
+export interface VerifierOptions {
+    /** Base URL of the sidecar */
+    baseUrl: string;
+    /** Request timeout in milliseconds */
+    timeoutMs?: number;
+}
+/**
+ * Verifier for post-execution authorization checks.
+ *
+ * Compares actual operations against mandates to detect unauthorized
+ * deviations from what was authorized.
+ *
+ * @example
+ * ```typescript
+ * const verifier = new Verifier({ baseUrl: 'http://127.0.0.1:8787' });
+ *
+ * const result = await verifier.verify({
+ *   mandateId: decision.mandate_id,
+ *   actual: {
+ *     action: 'fs.read',
+ *     resource: '/src/index.ts',
+ *   },
+ * });
+ *
+ * if (!result.verified) {
+ *   console.error('Operation mismatch:', result.reason);
+ * }
+ * ```
+ */
+export declare class Verifier implements MandateProvider {
+    private readonly baseUrl;
+    private readonly timeoutMs;
+    constructor(options: VerifierOptions);
+    /**
+     * Verify that an actual operation matches its mandate.
+     *
+     * @param request - Verification request with mandate ID and actual operation
+     * @returns Verification result
+     */
+    verify(request: VerifyRequest): Promise<VerifyResult>;
+    /**
+     * Verify an operation locally without sidecar communication.
+     *
+     * Use this when the sidecar endpoints are not available yet (Phase 2).
+     * This performs the same matching logic but skips mandate retrieval
+     * and audit logging.
+     *
+     * @param mandate - Known mandate details
+     * @param request - Verification request
+     * @returns Verification result (without auditId)
+     */
+    verifyLocal(mandate: MandateDetails, request: VerifyRequest): VerifyResult;
+    /**
+     * Retrieve mandate details from the sidecar.
+     *
+     * @param mandateId - Mandate ID to look up
+     * @returns Mandate details or null if not found
+     */
+    getMandate(mandateId: string): Promise<MandateDetails | null>;
+    /**
+     * Record a verification result in the sidecar's audit log.
+     *
+     * @param request - Verification details to record
+     * @returns Audit trail ID
+     */
+    recordVerification(request: RecordVerificationRequest): Promise<string>;
+    /**
+     * Build the actual operation payload for the verification request.
+     * Handles the discriminated union by extracting type-specific fields.
+     */
+    private buildActualPayload;
+}
+//# sourceMappingURL=verifier.d.ts.map

package/dist/verify/verifier.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verifier.d.ts","sourceRoot":"","sources":["../../src/verify/verifier.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,EAIL,KAAK,cAAc,EACnB,KAAK,yBAAyB,EAC9B,KAAK,aAAa,EAClB,KAAK,YAAY,EAQlB,MAAM,YAAY,CAAC;AAEpB;;;;GAIG;AACH,MAAM,WAAW,eAAe;IAC9B;;;;OAIG;IACH,UAAU,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC,CAAC;IAE9D;;;;OAIG;IACH,kBAAkB,CAAC,OAAO,EAAE,yBAAyB,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;CACzE;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,8BAA8B;IAC9B,OAAO,EAAE,MAAM,CAAC;IAEhB,sCAAsC;IACtC,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,qBAAa,QAAS,YAAW,eAAe;IAC9C,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IACjC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAS;gBAEvB,OAAO,EAAE,eAAe;IAKpC;;;;;OAKG;IACG,MAAM,CAAC,OAAO,EAAE,aAAa,GAAG,OAAO,CAAC,YAAY,CAAC;IAmF3D;;;;;;;;;;OAUG;IACH,WAAW,CAAC,OAAO,EAAE,cAAc,EAAE,OAAO,EAAE,aAAa,GAAG,YAAY;IA2C1E;;;;;OAKG;IACG,UAAU,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC;IAsDnE;;;;;OAKG;IACG,kBAAkB,CAAC,OAAO,EAAE,yBAAyB,GAAG,OAAO,CAAC,MAAM,CAAC;IAwD7E;;;OAGG;IACH,OAAO,CAAC,kBAAkB;CA6D3B"}