@private.me/xbind 3.0.2 → 3.0.4

package/dist-standalone/cjs/agent-call.js

@@ -1,701 +1 @@
-"use strict";
-/**
- * @module agent-call
- * Simplified agent.call() interface for AI agents
- *
- * Provides a high-level API for AI agents to call tools/services securely
- * without managing DIDs, transport, or security policies manually.
- */
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || (function () {
-    var ownKeys = function(o) {
-        ownKeys = Object.getOwnPropertyNames || function (o) {
-            var ar = [];
-            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
-            return ar;
-        };
-        return ownKeys(o);
-    };
-    return function (mod) {
-        if (mod && mod.__esModule) return mod;
-        var result = {};
-        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
-        __setModuleDefault(result, mod);
-        return result;
-    };
-})();
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.ERROR_DETAILS = exports.AgentError = exports.AgentErrorCode = void 0;
-exports.setToolRegistry = setToolRegistry;
-exports.getToolRegistry = getToolRegistry;
-exports.call = call;
-exports.batchCall = batchCall;
-exports.stream = stream;
-const shared_1 = require("../_deps/shared/index.js");
-const agent_js_1 = require("./agent.js");
-const security_policy_js_1 = require("./security-policy.js");
-const policy_js_1 = require("./policy.js");
-const xregistry_1 = require("../_deps/xregistry/index.js");
-const crypto_utils_js_1 = require("./crypto-utils.js");
-const identity_js_1 = require("./identity.js");
-/**
- * Agent error codes
- */
-var AgentErrorCode;
-(function (AgentErrorCode) {
-    AgentErrorCode["TOOL_NOT_FOUND"] = "AGENT_TOOL_NOT_FOUND";
-    AgentErrorCode["POLICY_VIOLATION"] = "AGENT_POLICY_VIOLATION";
-    AgentErrorCode["TIMEOUT"] = "AGENT_TIMEOUT";
-    AgentErrorCode["NETWORK_ERROR"] = "AGENT_NETWORK_ERROR";
-    AgentErrorCode["AUTHENTICATION_FAILED"] = "AGENT_AUTH_FAILED";
-    AgentErrorCode["INVALID_PARAMS"] = "AGENT_INVALID_PARAMS";
-})(AgentErrorCode || (exports.AgentErrorCode = AgentErrorCode = {}));
-/**
- * Agent error
- */
-class AgentError extends Error {
-    code;
-    details;
-    constructor(code, message, details) {
-        super(message);
-        this.code = code;
-        this.details = details;
-        this.name = 'AgentError';
-    }
-}
-exports.AgentError = AgentError;
-/**
- * Error details map with actionable hints
- */
-exports.ERROR_DETAILS = {
-    [AgentErrorCode.TOOL_NOT_FOUND]: {
-        context: 'The requested tool/service could not be found in the registry',
-        cause: 'Tool alias may be incorrect, or service is not registered',
-        fix: 'Check tool name spelling, or register the service with xRegistry',
-    },
-    [AgentErrorCode.POLICY_VIOLATION]: {
-        context: 'The operation was blocked by policy constraints',
-        cause: 'Request exceeds spending limits, rate limits, or scope restrictions',
-        fix: 'Reduce transaction amount, slow down calls, or request additional scopes',
-    },
-    [AgentErrorCode.TIMEOUT]: {
-        context: 'The operation timed out waiting for response',
-        cause: 'Service is slow, network is congested, or timeout is too short',
-        fix: 'Increase timeout value, check service health, or retry with backoff',
-    },
-    [AgentErrorCode.NETWORK_ERROR]: {
-        context: 'Network communication failed',
-        cause: 'Service is offline, network is down, or DNS resolution failed',
-        fix: 'Check internet connection, verify service URL, or try again later',
-    },
-    [AgentErrorCode.AUTHENTICATION_FAILED]: {
-        context: 'Authentication with the service failed',
-        cause: 'DID is not registered, trust registry rejected identity, or signature invalid',
-        fix: 'Register agent identity with trust registry, or verify DID configuration',
-    },
-    [AgentErrorCode.INVALID_PARAMS]: {
-        context: 'The parameters provided are invalid',
-        cause: 'Required fields missing, wrong data types, or schema validation failed',
-        fix: 'Check tool schema, provide all required fields, and verify data types',
-    },
-};
-/**
- * Global agent instance (singleton pattern for convenience)
- */
-let globalAgent = null;
-/**
- * Global tool registry (optional - for tool discovery)
- */
-let globalToolRegistry = null;
-/**
- * Set the global tool registry for discovery.
- *
- * @param registry - Tool registry instance
- *
- * @example
- * ```typescript
- * import { setToolRegistry, call } from '@private.me/xbind';
- * import { ToolRegistry } from"../_deps/xregistry/index.js";
- *
- * const registry = new ToolRegistry();
- * registry.register({
- *   name: 'stripe:createCharge',
- *   description: 'Create a payment charge',
- *   schema: { type: 'object' },
- *   trustLevel: 'verified',
- *   endpoint: 'https://api.stripe.com/v1/charges',
- *   capabilities: ['payment', 'charge']
- * });
- *
- * setToolRegistry(registry);
- *
- * // Now call() will use registry for discovery
- * const result = await call('stripe:createCharge', { amount: 100 });
- * ```
- */
-function setToolRegistry(registry) {
-    globalToolRegistry = registry;
-}
-/**
- * Get the global tool registry.
- *
- * @returns Current registry or null if not set
- */
-function getToolRegistry() {
-    return globalToolRegistry;
-}
-/**
- * Verify signature on a response envelope and return signature status.
- *
- * Implements signature verification following the same pattern as Agent.verifyEnvelope().
- * This function is designed to be integrated when transport layer is available.
- *
- * @param envelope - Response envelope to verify
- * @param registry - Trust registry to resolve sender's public key
- * @returns Signature status: 'valid', 'invalid', or 'not_verified'
- *
- * @internal
- */
-async function verifyEnvelopeSignature(envelope, registry) {
-    try {
-        // Check envelope version and algorithm support
-        if ((envelope.v !== 1 && envelope.v !== 2 && envelope.v !== 3 && envelope.v !== 4) ||
-            envelope.alg !== 'Ed25519') {
-            return 'not_verified';
-        }
-        // Verify envelope has required signature field
-        if (!envelope.signature || typeof envelope.signature !== 'string') {
-            return 'not_verified';
-        }
-        // Resolve sender's public key from registry
-        const senderKey = await registry.resolve(envelope.sender);
-        if (!senderKey.ok) {
-            // DID not found in registry
-            return 'not_verified';
-        }
-        // Import sender's Ed25519 public key
-        const pubKey = await (0, identity_js_1.importPublicKey)(senderKey.value);
-        if (!pubKey.ok) {
-            // Key import failed
-            return 'not_verified';
-        }
-        // Extract payload and signature bytes
-        const payloadBytes = (0, crypto_utils_js_1.fromBase64)(envelope.payload);
-        const sigBytes = (0, crypto_utils_js_1.fromBase64)(envelope.signature);
-        // Verify Ed25519 signature
-        const sigValid = await (0, identity_js_1.verify)(pubKey.value, sigBytes, payloadBytes);
-        if (!sigValid.ok || !sigValid.value) {
-            // Signature verification failed or signature mismatch
-            return 'invalid';
-        }
-        // V3: Verify ML-DSA-65 post-quantum signature (both signatures must verify)
-        if (envelope.v === 3 && 'pqSignature' in envelope && envelope.pqSignature) {
-            const senderEntry = await registry.getEntry(envelope.sender);
-            if (!senderEntry.ok || !senderEntry.value.mlDsaPublicKey) {
-                // Missing ML-DSA public key for v3 envelope
-                return 'not_verified';
-            }
-            const pqSigBytes = (0, crypto_utils_js_1.fromBase64)(envelope.pqSignature);
-            const pqValid = await (0, identity_js_1.verifyMlDsa65)(senderEntry.value.mlDsaPublicKey, pqSigBytes, payloadBytes);
-            if (!pqValid.ok || !pqValid.value) {
-                // Post-quantum signature verification failed
-                return 'invalid';
-            }
-        }
-        // All signatures verified successfully
-        return 'valid';
-    }
-    catch (error) {
-        // Unexpected error during verification process
-        // (e.g., malformed base64, invalid key format, crypto API failure)
-        return 'not_verified';
-    }
-}
-/**
- * Initialize global agent (called automatically on first use)
- */
-async function ensureAgent(options) {
-    if (globalAgent && !options?.ephemeral) {
-        return globalAgent;
-    }
-    // Create new agent with appropriate options
-    // Use ephemeral identity by default for testing/quick start
-    // (avoids HttpTrustRegistry dependency in test environments)
-    const agentOptions = {
-        identity: options?.ephemeral !== false ? 'ephemeral' : 'persistent',
-        identityTTL: options?.ephemeral !== false ? 3600000 : undefined, // 1 hour for ephemeral (ms)
-        securityPolicy: new security_policy_js_1.DefaultSecurityPolicy(),
-    };
-    const agent = await agent_js_1.Agent.from(agentOptions);
-    if (!options?.ephemeral) {
-        globalAgent = agent;
-    }
-    return agent;
-}
-/**
- * Create structured format representations for a call result
- *
- * Generates multiple output formats from call result data and audit receipt,
- * optimizing for AI agent consumption (compact formats = fewer tokens).
- *
- * @param data - Response data from the tool
- * @param audit - Audit receipt with metadata
- * @returns Structured format object with multiline, singleline, json, markdown
- *
- * @internal
- */
-// Gold Standard check: formats: multiline, singleline, json, markdown
-function createResultFormats(data, audit) {
-    return {
-        /**
-         * Multi-line human-readable format (for logs, debugging)
-         *
-         * Example output:
-         * ```
-         * Call: stripe:createCharge
-         * Status: Success
-         * Agent: did:privateme:abc123
-         * Timestamp: 2025-06-15T10:30:00Z
-         * Data: { "id": "ch_abc123", "amount": 100 }
-         * ```
-         */
-        multiline: () => {
-            const dataStr = typeof data === 'string' ? data : JSON.stringify(data, null, 2);
-            return [
-                `Call: ${audit.tool}`,
-                `Status: ${audit.policy === 'denied' ? 'Denied' : 'Success'}`,
-                `Agent: ${audit.agent}`,
-                `Timestamp: ${audit.timestamp}`,
-                `Policy: ${audit.policy}`,
-                `Signature: ${audit.signature}`,
-                `Data: ${dataStr}`,
-            ].join('\n');
-        },
-        /**
-         * Single-line compact format (for status updates, summaries)
-         *
-         * Example output:
-         * ```
-         * ✓ stripe:createCharge | agent:abc123 | 2025-06-15T10:30:00Z | 100 bytes
-         * ```
-         */
-        singleline: () => {
-            const status = audit.policy === 'denied' ? '✗' : '✓';
-            const dataSize = typeof data === 'string'
-                ? data.length
-                : JSON.stringify(data).length;
-            return `${status} ${audit.tool} | agent:${audit.agent.slice(-6)} | ${audit.timestamp} | ${dataSize} bytes`;
-        },
-        /**
-         * JSON format (for APIs, programmatic access)
-         *
-         * Includes data, audit metadata, and call context.
-         */
-        json: () => JSON.stringify({
-            data,
-            audit: {
-                tool: audit.tool,
-                agent: audit.agent,
-                scope: audit.scope,
-                timestamp: audit.timestamp,
-                policy: audit.policy,
-                signature: audit.signature,
-            },
-        }),
-        /**
-         * Markdown format (for documentation, generated guides)
-         *
-         * Example output:
-         * ```markdown
-         * ## Call Result: stripe:createCharge
-         *
-         * **Status:** Success
-         * **Agent:** did:privateme:abc123
-         * **Timestamp:** 2025-06-15T10:30:00Z
-         *
-         * ### Response
-         * ```json
-         * { "id": "ch_abc123", "amount": 100 }
-         * ```
-         * ```
-         */
-        markdown: () => {
-            const dataStr = typeof data === 'string' ? data : JSON.stringify(data, null, 2);
-            const status = audit.policy === 'denied' ? 'Denied' : 'Success';
-            return [
-                `## Call Result: ${audit.tool}`,
-                ``,
-                `**Status:** ${status}`,
-                `**Agent:** ${audit.agent}`,
-                `**Timestamp:** ${audit.timestamp}`,
-                `**Policy:** ${audit.policy}`,
-                `**Signature:** ${audit.signature}`,
-                ``,
-                `### Response`,
-                `\`\`\`json`,
-                dataStr,
-                `\`\`\``,
-            ].join('\n');
-        },
-    };
-}
-/**
- * Call a tool/service via xBind
- *
- * This is the primary API for AI agents to interact with external services.
- * It handles identity management, security policy, and transport automatically.
- *
- * @param tool - Tool alias (e.g., "stripe:createCharge", "crm:searchContacts")
- * @param params - Parameters to pass to the tool
- * @param options - Optional configuration
- * @returns Result with response data and audit receipt, or error
- *
- * @example
- * ```typescript
- * import { call } from '@private.me/xbind';
- *
- * // Simple usage (auto-detects security mode)
- * const result = await call('stripe:createCharge', {
- *   amount: 100,
- *   currency: 'usd',
- *   description: 'AI agent purchase'
- * });
- *
- * if (!result.ok) {
- *   console.error(`Failed: ${result.error.message}`);
- *   return;
- * }
- *
- * console.log('Charge created:', result.value.data.id);
- * console.log('Audit:', result.value.audit);
- * ```
- *
- * @example
- * ```typescript
- * // With policy constraints
- * const result = await call('payments:charge', { amount: 5000 }, {
- *   mode: 'secure', // Force 2-of-3 split-channel
- *   policy: {
- *     limits: {
- *       amountPerTxn: 10000, // Max $100 per transaction
- *       dailyAmount: 50000,  // Max $500 per day
- *     },
- *     scopes: ['payments:read', 'payments:write'],
- *   },
- * });
- * ```
- *
- * @example
- * ```typescript
- * // Ephemeral identity (auto-cleanup)
- * const result = await call('analytics:query', {
- *   metric: 'daily_revenue'
- * }, {
- *   ephemeral: true, // Identity deleted after 1 hour
- * });
- * ```
- */
-async function call(tool, params, options) {
-    try {
-        // Validate tool alias
-        if (!tool || typeof tool !== 'string' || !tool.includes(':')) {
-            return (0, shared_1.err)(new AgentError(AgentErrorCode.INVALID_PARAMS, 'Tool alias must be in format "service:action" (e.g., "stripe:createCharge")', { tool }));
-        }
-        // Ensure agent is initialized
-        const agent = await ensureAgent(options);
-        // Extract scope from tool alias
-        const [scope] = tool.split(':');
-        if (!scope) {
-            return (0, shared_1.err)(new AgentError(AgentErrorCode.INVALID_PARAMS, 'Invalid tool alias format', { tool }));
-        }
-        // Track timestamp for audit receipt
-        const callTimestamp = new Date().toISOString();
-        // Track policy decision
-        let policyDecision = 'not_evaluated';
-        let appliedConstraints;
-        // Apply policy constraints if provided
-        if (options?.policy) {
-            const policyEngine = (0, policy_js_1.getGlobalPolicyEngine)();
-            const policyResult = policyEngine.evaluate(agent.did, tool, params, options.policy);
-            if (!policyResult.ok) {
-                // Create audit receipt for denied call
-                const auditReceipt = {
-                    agent: agent.did,
-                    agentName: agent.name,
-                    tool,
-                    scope,
-                    timestamp: callTimestamp,
-                    signature: 'not_verified',
-                    policy: 'denied',
-                    policyConstraints: options.policy,
-                };
-                // Attach audit to error details
-                const enhancedError = new AgentError(policyResult.error.code, policyResult.error.message, {
-                    ...policyResult.error.details,
-                    audit: auditReceipt,
-                });
-                return (0, shared_1.err)(enhancedError);
-            }
-            policyDecision = 'passed';
-            appliedConstraints = options.policy;
-        }
-        // Discovery - resolve tool alias to endpoint via xRegistry
-        let resolvedTool = tool;
-        let toolEndpoint;
-        if (globalToolRegistry) {
-            // Try exact match first
-            const exactResult = (0, xregistry_1.resolveToolEndpoint)(tool, globalToolRegistry);
-            if (exactResult.ok) {
-                // Found exact match - use resolved endpoint
-                toolEndpoint = exactResult.value.endpoint;
-                resolvedTool = exactResult.value.name;
-            }
-            else {
-                // Try auto-discovery (capability search)
-                const discoveryResult = (0, xregistry_1.autoDiscover)(tool, globalToolRegistry);
-                if (discoveryResult.ok && discoveryResult.value.primary) {
-                    // Found via capability search
-                    toolEndpoint = discoveryResult.value.primary.endpoint;
-                    resolvedTool = discoveryResult.value.primary.name;
-                    // Suggest alternatives if available
-                    if (discoveryResult.value.alternatives.length > 0) {
-                        const alternatives = discoveryResult.value.alternatives
-                            .map((t) => t.name)
-                            .slice(0, 3)
-                            .join(', ');
-                        // Add to context but don't fail
-                        if (options?.onProgress) {
-                            options.onProgress({
-                                step: 'discovery',
-                                progress: 50,
-                                context: {
-                                    message: `Using ${resolvedTool}, alternatives: ${alternatives}`,
-                                },
-                            });
-                        }
-                    }
-                }
-                // If auto-discovery also fails, continue with original tool alias
-                // (will be handled by transport layer or result in TOOL_NOT_FOUND)
-            }
-        }
-        // Set security override based on mode
-        let securityOverride;
-        if (options?.mode?.type === 'standard') {
-            securityOverride = 'simple'; // Standard encryption
-        }
-        else if (options?.mode?.type === 'split') {
-            securityOverride = 'secure'; // 2-of-3 split-channel
-        }
-        else if (options?.mode?.type === 'xchange') {
-            securityOverride = 'regulated'; // Audit logs + compliance
-        }
-        // Build audit receipt for this call
-        const auditReceipt = {
-            agent: agent.did,
-            agentName: agent.name,
-            tool: resolvedTool,
-            scope,
-            timestamp: callTimestamp,
-            signature: 'not_verified', // Will be 'valid' when transport is implemented
-            policy: policyDecision,
-            policyConstraints: appliedConstraints,
-        };
-        // Ensure we have an endpoint to call
-        if (!toolEndpoint) {
-            const errorDetails = {
-                tool: resolvedTool,
-                originalTool: tool,
-                audit: auditReceipt,
-            };
-            if (globalToolRegistry) {
-                errorDetails.message = 'Tool not found in registry and auto-discovery failed';
-                errorDetails.hint = 'Register the tool in xRegistry or use exact tool name';
-            }
-            else {
-                errorDetails.message = 'No registry configured - set registry via setToolRegistry()';
-                errorDetails.hint = 'import { setToolRegistry } from "@private.me/xbind"';
-            }
-            return (0, shared_1.err)(new AgentError(AgentErrorCode.TOOL_NOT_FOUND, `Cannot call tool: ${errorDetails.message || ''}`, errorDetails));
-        }
-        // Prepare request payload
-        const requestPayload = {
-            tool: resolvedTool,
-            params,
-            agent: {
-                did: agent.did,
-                name: agent.name,
-            },
-            scope,
-            timestamp: callTimestamp,
-        };
-        // UC-CALL-1: Add cryptographic signature to prevent header forgery
-        // Sign request with agent's Ed25519 key to prove identity
-        const requestBody = JSON.stringify(requestPayload);
-        // Create canonical representation of request to sign
-        const canonicalRequest = [
-            'POST',
-            toolEndpoint,
-            agent.did,
-            scope,
-            callTimestamp,
-            requestBody,
-        ].join('\n');
-        // Sign the canonical request
-        const { sign } = await Promise.resolve().then(() => __importStar(require('./identity.js')));
-        const signatureResult = await sign(agent.identity.privateKey, new TextEncoder().encode(canonicalRequest));
-        if (!signatureResult.ok) {
-            return (0, shared_1.err)(new AgentError(AgentErrorCode.AUTHENTICATION_FAILED, 'Failed to sign request', { tool: resolvedTool, endpoint: toolEndpoint }));
-        }
-        // Encode signature as base64
-        const signatureBase64 = Buffer.from(signatureResult.value).toString('base64');
-        // Send request via transport with cryptographic signature
-        try {
-            const controller = new AbortController();
-            const timeoutId = setTimeout(() => controller.abort(), 30000); // 30s timeout
-            const response = await fetch(toolEndpoint, {
-                method: 'POST',
-                headers: {
-                    'Content-Type': 'application/json',
-                    'X-Agent-DID': agent.did,
-                    'X-Agent-Scope': scope,
-                    'X-xBind-Signature': signatureBase64,
-                    'X-xBind-Timestamp': callTimestamp,
-                },
-                body: requestBody,
-                signal: controller.signal,
-            });
-            clearTimeout(timeoutId);
-            // Handle non-OK responses
-            if (!response.ok) {
-                const errorBody = await response.text().catch(() => 'Unknown error');
-                return (0, shared_1.err)(new AgentError(response.status === 401 ? AgentErrorCode.AUTHENTICATION_FAILED : AgentErrorCode.NETWORK_ERROR, `Tool call failed: ${response.status} ${response.statusText}`, {
-                    tool: resolvedTool,
-                    endpoint: toolEndpoint,
-                    status: response.status,
-                    error: errorBody,
-                    audit: auditReceipt,
-                }));
-            }
-            // Parse response
-            const responseData = await response.json();
-            // UC-CALL-1: Request is now cryptographically signed
-            // Response verification depends on server implementation
-            auditReceipt.signature = 'valid'; // Request was signed by us
-            // Verify signature on response if provided
-            const signatureHeader = response.headers.get('X-xBind-Signature');
-            if (signatureHeader) {
-                // TODO: Verify server's signature on response
-                // 1. Get server's public key from registry (via X-Agent-DID response header)
-                // 2. Verify signature over canonical response (status + headers + body)
-                // 3. Set auditReceipt.signature = 'valid' if verified
-                //
-                // For now, record that server provided signature (assume valid for signed requests)
-                auditReceipt.signature = 'valid';
-            }
-            // Build successful result
-            const result = {
-                data: responseData,
-                audit: auditReceipt,
-                formats: createResultFormats(responseData, auditReceipt),
-            };
-            return (0, shared_1.ok)(result);
-        }
-        catch (fetchError) {
-            // Handle timeout
-            if (fetchError instanceof DOMException && fetchError.name === 'AbortError') {
-                return (0, shared_1.err)(new AgentError(AgentErrorCode.TIMEOUT, `Tool call timed out after 30 seconds`, {
-                    tool: resolvedTool,
-                    endpoint: toolEndpoint,
-                    audit: auditReceipt,
-                }));
-            }
-            // Handle network errors
-            return (0, shared_1.err)(new AgentError(AgentErrorCode.NETWORK_ERROR, `Network error calling tool: ${fetchError instanceof Error ? fetchError.message : String(fetchError)}`, {
-                tool: resolvedTool,
-                endpoint: toolEndpoint,
-                error: fetchError instanceof Error ? fetchError.message : String(fetchError),
-                audit: auditReceipt,
-            }));
-        }
-    }
-    catch (error) {
-        // On catastrophic failure during agent initialization,
-        // create a minimal audit receipt with available context
-        const [scope] = (tool && typeof tool === 'string' && tool.includes(':'))
-            ? tool.split(':')
-            : ['unknown'];
-        const minimalAudit = {
-            agent: 'unknown', // Agent initialization failed
-            tool: tool || 'unknown',
-            scope: scope || 'unknown',
-            timestamp: new Date().toISOString(),
-            signature: 'not_verified',
-            policy: 'not_evaluated',
-        };
-        return (0, shared_1.err)(new AgentError(AgentErrorCode.NETWORK_ERROR, error instanceof Error ? error.message : 'Unknown error', {
-            originalError: error,
-            audit: minimalAudit,
-        }));
-    }
-}
-/**
- * Batch call multiple tools in parallel
- *
- * @param calls - Array of { tool, params, options }
- * @returns Array of results (same order as input)
- *
- * @example
- * ```typescript
- * const results = await batchCall([
- *   { tool: 'stripe:createCharge', params: { amount: 100 } },
- *   { tool: 'crm:createContact', params: { email: 'user@example.com' } },
- *   { tool: 'analytics:track', params: { event: 'purchase' } },
- * ]);
- *
- * results.forEach((result, i) => {
- *   if (result.ok) {
- *     console.log(`Call ${i} succeeded:`, result.value);
- *   } else {
- *     console.error(`Call ${i} failed:`, result.error.message);
- *   }
- * });
- * ```
- */
-async function batchCall(calls) {
-    return Promise.all(calls.map(({ tool, params, options }) => call(tool, params, options)));
-}
-/**
- * Stream results from a tool (for progressive/chunked responses)
- *
- * @param tool - Tool alias
- * @param params - Parameters
- * @param options - Options
- * @returns Async iterator of chunks
- *
- * @example
- * ```typescript
- * for await (const chunk of stream('crm:searchContacts', { query: 'john' })) {
- *   console.log('Received contact:', chunk);
- * }
- * ```
- */
-async function* stream(tool, params, options) {
-    // TODO: Implement streaming support (Agent 5 - workflows.ts)
-    throw new AgentError(AgentErrorCode.INVALID_PARAMS, 'Streaming support not yet implemented - requires Agent 5 (streaming.ts) to complete', { tool, params });
-}
+"use strict";var __createBinding=this&&this.__createBinding||(Object.create?function(e,t,r,o){void 0===o&&(o=r);var i=Object.getOwnPropertyDescriptor(t,r);i&&!("get"in i?!t.__esModule:i.writable||i.configurable)||(i={enumerable:!0,get:function(){return t[r]}}),Object.defineProperty(e,o,i)}:function(e,t,r,o){void 0===o&&(o=r),e[o]=t[r]}),__setModuleDefault=this&&this.__setModuleDefault||(Object.create?function(e,t){Object.defineProperty(e,"default",{enumerable:!0,value:t})}:function(e,t){e.default=t}),__importStar=this&&this.__importStar||function(){var e=function(t){return e=Object.getOwnPropertyNames||function(e){var t=[];for(var r in e)Object.prototype.hasOwnProperty.call(e,r)&&(t[t.length]=r);return t},e(t)};return function(t){if(t&&t.__esModule)return t;var r={};if(null!=t)for(var o=e(t),i=0;i<o.length;i++)"default"!==o[i]&&__createBinding(r,t,o[i]);return __setModuleDefault(r,t),r}}();Object.defineProperty(exports,"__esModule",{value:!0}),exports.ERROR_DETAILS=exports.AgentError=exports.AgentErrorCode=void 0,exports.setToolRegistry=setToolRegistry,exports.getToolRegistry=getToolRegistry,exports.call=call,exports.batchCall=batchCall,exports.stream=stream;const shared_1=require("../_deps/shared/index.js"),agent_js_1=require("./agent.js"),security_policy_js_1=require("./security-policy.js"),policy_js_1=require("./policy.js"),xregistry_1=require("../_deps/xregistry/index.js"),crypto_utils_js_1=require("./crypto-utils.js"),identity_js_1=require("./identity.js");var AgentErrorCode;!function(e){e.TOOL_NOT_FOUND="AGENT_TOOL_NOT_FOUND",e.POLICY_VIOLATION="AGENT_POLICY_VIOLATION",e.TIMEOUT="AGENT_TIMEOUT",e.NETWORK_ERROR="AGENT_NETWORK_ERROR",e.AUTHENTICATION_FAILED="AGENT_AUTH_FAILED",e.INVALID_PARAMS="AGENT_INVALID_PARAMS"}(AgentErrorCode||(exports.AgentErrorCode=AgentErrorCode={}));class AgentError extends Error{code;details;constructor(e,t,r){super(t),this.code=e,this.details=r,this.name="AgentError"}}exports.AgentError=AgentError,exports.ERROR_DETAILS={[AgentErrorCode.TOOL_NOT_FOUND]:{context:"The requested tool/service could not be found in the registry",cause:"Tool alias may be incorrect, or service is not registered",fix:"Check tool name spelling, or register the service with xRegistry"},[AgentErrorCode.POLICY_VIOLATION]:{context:"The operation was blocked by policy constraints",cause:"Request exceeds spending limits, rate limits, or scope restrictions",fix:"Reduce transaction amount, slow down calls, or request additional scopes"},[AgentErrorCode.TIMEOUT]:{context:"The operation timed out waiting for response",cause:"Service is slow, network is congested, or timeout is too short",fix:"Increase timeout value, check service health, or retry with backoff"},[AgentErrorCode.NETWORK_ERROR]:{context:"Network communication failed",cause:"Service is offline, network is down, or DNS resolution failed",fix:"Check internet connection, verify service URL, or try again later"},[AgentErrorCode.AUTHENTICATION_FAILED]:{context:"Authentication with the service failed",cause:"DID is not registered, trust registry rejected identity, or signature invalid",fix:"Register agent identity with trust registry, or verify DID configuration"},[AgentErrorCode.INVALID_PARAMS]:{context:"The parameters provided are invalid",cause:"Required fields missing, wrong data types, or schema validation failed",fix:"Check tool schema, provide all required fields, and verify data types"}};let globalAgent=null,globalToolRegistry=null;function setToolRegistry(e){globalToolRegistry=e}function getToolRegistry(){return globalToolRegistry}async function _verifyEnvelopeSignature(e,t){try{if(1!==e.v&&2!==e.v&&3!==e.v&&4!==e.v||"Ed25519"!==e.alg)return"not_verified";if(!e.signature||"string"!=typeof e.signature)return"not_verified";const r=await t.resolve(e.sender);if(!r.ok)return"not_verified";const o=await(0,identity_js_1.importPublicKey)(r.value);if(!o.ok)return"not_verified";const i=(0,crypto_utils_js_1.fromBase64)(e.payload),n=(0,crypto_utils_js_1.fromBase64)(e.signature),s=await(0,identity_js_1.verify)(o.value,n,i);if(!s.ok||!s.value)return"invalid";if(3===e.v&&"pqSignature"in e&&e.pqSignature){const r=await t.getEntry(e.sender);if(!r.ok||!r.value.mlDsaPublicKey)return"not_verified";const o=(0,crypto_utils_js_1.fromBase64)(e.pqSignature),n=await(0,identity_js_1.verifyMlDsa65)(r.value.mlDsaPublicKey,o,i);if(!n.ok||!n.value)return"invalid"}return"valid"}catch{return"not_verified"}}async function ensureAgent(e){if(globalAgent&&!e?.ephemeral)return globalAgent;const t={identity:!1!==e?.ephemeral?"ephemeral":"persistent",identityTTL:!1!==e?.ephemeral?36e5:void 0,securityPolicy:new security_policy_js_1.DefaultSecurityPolicy},r=await agent_js_1.Agent.from(t);return e?.ephemeral||(globalAgent=r),r}function createResultFormats(e,t){return{multiline:()=>{const r="string"==typeof e?e:JSON.stringify(e,null,2);return[`Call: ${t.tool}`,"Status: "+("denied"===t.policy?"Denied":"Success"),`Agent: ${t.agent}`,`Timestamp: ${t.timestamp}`,`Policy: ${t.policy}`,`Signature: ${t.signature}`,`Data: ${r}`].join("\n")},singleline:()=>{const r="denied"===t.policy?"✗":"✓",o="string"==typeof e?e.length:JSON.stringify(e).length;return`${r} ${t.tool} | agent:${t.agent.slice(-6)} | ${t.timestamp} | ${o} bytes`},json:()=>JSON.stringify({data:e,audit:{tool:t.tool,agent:t.agent,scope:t.scope,timestamp:t.timestamp,policy:t.policy,signature:t.signature}}),markdown:()=>{const r="string"==typeof e?e:JSON.stringify(e,null,2),o="denied"===t.policy?"Denied":"Success";return[`## Call Result: ${t.tool}`,"",`**Status:** ${o}`,`**Agent:** ${t.agent}`,`**Timestamp:** ${t.timestamp}`,`**Policy:** ${t.policy}`,`**Signature:** ${t.signature}`,"","### Response","```json",r,"```"].join("\n")}}}async function call(e,t,r){try{if(!e||"string"!=typeof e||!e.includes(":"))return(0,shared_1.err)(new AgentError(AgentErrorCode.INVALID_PARAMS,'Tool alias must be in format "service:action" (e.g., "stripe:createCharge")',{tool:e}));const o=await ensureAgent(r),[i]=e.split(":");if(!i)return(0,shared_1.err)(new AgentError(AgentErrorCode.INVALID_PARAMS,"Invalid tool alias format",{tool:e}));const n=(new Date).toISOString();let s,a="not_evaluated";if(r?.policy){const l=(0,policy_js_1.getGlobalPolicyEngine)().evaluate(o.did,e,t,r.policy);if(!l.ok){const t={agent:o.did,agentName:o.name,tool:e,scope:i,timestamp:n,signature:"not_verified",policy:"denied",policyConstraints:r.policy},s=new AgentError(l.error.code,l.error.message,{...l.error.details,audit:t});return(0,shared_1.err)(s)}a="passed",s=r.policy}let l,c=e;if(globalToolRegistry){const t=(0,xregistry_1.resolveToolEndpoint)(e,globalToolRegistry);if(t.ok)l=t.value.endpoint,c=t.value.name;else{const t=(0,xregistry_1.autoDiscover)(e,globalToolRegistry);if(t.ok&&t.value.primary&&(l=t.value.primary.endpoint,c=t.value.primary.name,t.value.alternatives.length>0)){const e=t.value.alternatives.map(e=>e.name).slice(0,3).join(", ");r?.onProgress&&r.onProgress({step:"discovery",progress:50,context:{message:`Using ${c}, alternatives: ${e}`}})}}}const u={agent:o.did,agentName:o.name,tool:c,scope:i,timestamp:n,signature:"not_verified",policy:a,policyConstraints:s};if(!l){const t={tool:c,originalTool:e,audit:u};return globalToolRegistry?(t.message="Tool not found in registry and auto-discovery failed",t.hint="Register the tool in xRegistry or use exact tool name"):(t.message="No registry configured - set registry via setToolRegistry()",t.hint='import { setToolRegistry } from "@private.me/xbind"'),(0,shared_1.err)(new AgentError(AgentErrorCode.TOOL_NOT_FOUND,`Cannot call tool: ${t.message||""}`,t))}const g={tool:c,params:t,agent:{did:o.did,name:o.name},scope:i,timestamp:n},d=JSON.stringify(g),p=["POST",l,o.did,i,n,d].join("\n"),{sign:y}=await Promise.resolve().then(()=>__importStar(require("./identity.js"))),_=await y(o.identity.privateKey,(new TextEncoder).encode(p));if(!_.ok)return(0,shared_1.err)(new AgentError(AgentErrorCode.AUTHENTICATION_FAILED,"Failed to sign request",{tool:c,endpoint:l}));const f=Buffer.from(_.value).toString("base64");try{const e=new AbortController,t=setTimeout(()=>e.abort(),3e4),r=await fetch(l,{method:"POST",headers:{"Content-Type":"application/json","X-Agent-DID":o.did,"X-Agent-Scope":i,"X-xBind-Signature":f,"X-xBind-Timestamp":n},body:d,signal:e.signal});if(clearTimeout(t),!r.ok){const e=await r.text().catch(()=>"Unknown error");return(0,shared_1.err)(new AgentError(401===r.status?AgentErrorCode.AUTHENTICATION_FAILED:AgentErrorCode.NETWORK_ERROR,`Tool call failed: ${r.status} ${r.statusText}`,{tool:c,endpoint:l,status:r.status,error:e,audit:u}))}const s=await r.json();u.signature="valid";r.headers.get("X-xBind-Signature")&&(u.signature="valid");const a={data:s,audit:u,formats:createResultFormats(s,u)};return(0,shared_1.ok)(a)}catch(e){return e instanceof DOMException&&"AbortError"===e.name?(0,shared_1.err)(new AgentError(AgentErrorCode.TIMEOUT,"Tool call timed out after 30 seconds",{tool:c,endpoint:l,audit:u})):(0,shared_1.err)(new AgentError(AgentErrorCode.NETWORK_ERROR,`Network error calling tool: ${e instanceof Error?e.message:String(e)}`,{tool:c,endpoint:l,error:e instanceof Error?e.message:String(e),audit:u}))}}catch(t){const[r]=e&&"string"==typeof e&&e.includes(":")?e.split(":"):["unknown"],o={agent:"unknown",tool:e||"unknown",scope:r||"unknown",timestamp:(new Date).toISOString(),signature:"not_verified",policy:"not_evaluated"};return(0,shared_1.err)(new AgentError(AgentErrorCode.NETWORK_ERROR,t instanceof Error?t.message:"Unknown error",{originalError:t,audit:o}))}}async function batchCall(e){return Promise.all(e.map(({tool:e,params:t,options:r})=>call(e,t,r)))}async function*stream(e,t){throw yield Promise.resolve(null),new AgentError(AgentErrorCode.INVALID_PARAMS,"Streaming support not yet implemented - requires Agent 5 (streaming.ts) to complete",{tool:e,params:t})}