@pylabmit/agent-cmdb 1.5.0

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,YAAY,GAAG,OAAO,GAAG,MAAM,GAAG,mBAAmB,CAAC;AAClE,MAAM,MAAM,UAAU,GAAG,SAAS,GAAG,QAAQ,GAAG,MAAM,GAAG,KAAK,GAAG,QAAQ,GAAG,QAAQ,GAAG,WAAW,CAAC;AACnG,MAAM,MAAM,YAAY,GAAG,QAAQ,GAAG,QAAQ,GAAG,SAAS,GAAG,SAAS,CAAC;AACvE,MAAM,MAAM,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;AACnD,MAAM,MAAM,aAAa,GAAG,OAAO,GAAG,SAAS,CAAC;AAChD,MAAM,MAAM,YAAY,GAAG,QAAQ,GAAG,QAAQ,GAAG,OAAO,GAAG,QAAQ,GAAG,QAAQ,GAAG,QAAQ,CAAC;AAC1F,MAAM,MAAM,eAAe,GAAG,QAAQ,GAAG,SAAS,GAAG,OAAO,GAAG,MAAM,GAAG,SAAS,CAAC;AAElF,MAAM,WAAW,SAAS;IACxB,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,QAAQ,GAAG,MAAM,GAAG,OAAO,GAAG,MAAM,GAAG,KAAK,GAAG,UAAU,CAAC;IAChE,QAAQ,EAAE,OAAO,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAED,MAAM,WAAW,WAAW;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,YAAY;IAC3B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,MAAM,EAAE,WAAW,EAAE,CAAC;CACvB;AAED,MAAM,WAAW,UAAU;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,UAAU,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,YAAY,CAAC;IACrB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;IACrB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,MAAM,CAAC;IACb,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,aAAa,GAAG,YAAY,GAAG,QAAQ,GAAG,WAAW,CAAC;IAC9E,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,UAAU;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,YAAY,CAAC;IACrB,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,oBAAoB,CAAC,EAAE,MAAM,CAAC;CAC/B;AAED,MAAM,WAAW,YAAY;IAC3B,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,SAAS,EAAE,CAAC;IACrB,QAAQ,EAAE,YAAY,EAAE,CAAC;IACzB,QAAQ,EAAE,UAAU,EAAE,CAAC;IACvB,OAAO,EAAE,UAAU,EAAE,CAAC;IACtB,aAAa,EAAE,YAAY,EAAE,CAAC;CAC/B;AAED,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,cAAc;IAC7B,MAAM,EAAE,YAAY,CAAC;IACrB,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,OAAO,CAAC;IACrB,oBAAoB,CAAC,EAAE,MAAM,CAAC;CAC/B;AAED,MAAM,WAAW,kBAAkB;IACjC,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,CAAC,EAAE,oBAAoB,EAAE,CAAC;IACnC,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,oBAAoB;IACnC,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,qBAAqB;IACpC,QAAQ,EAAE,MAAM,CAAC;IACjB,GAAG,EAAE,MAAM,CAAC;IACZ,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,mBAAmB;IAClC,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,SAAS,EAAE,CAAC;IACrB,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,cAAc,EAAE,MAAM,EAAE,CAAC;IACzB,SAAS,EAAE,qBAAqB,EAAE,CAAC;CACpC;AAED,MAAM,WAAW,iBAAiB;IAChC,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,MAAM,EAAE,WAAW,EAAE,CAAC;CACvB;AAED,MAAM,WAAW,WAAW;IAC1B,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,IAAI,CAAC,EAAE,UAAU,CAAC;IAClB,MAAM,CAAC,EAAE,YAAY,CAAC;IACtB,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,aAAa;IAC5B,YAAY,EAAE,YAAY,CAAC;IAC3B,IAAI,EAAE,UAAU,GAAG,SAAS,GAAG,YAAY,GAAG,UAAU,CAAC;CAC1D;AAED,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,UAAU,GAAG,SAAS,GAAG,YAAY,GAAG,UAAU,CAAC;IACzD,SAAS,EAAE,aAAa,EAAE,CAAC;CAC5B;AAED,MAAM,WAAW,eAAe;IAC9B,QAAQ,EAAE,aAAa,CAAC;IACxB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,gBAAiB,SAAQ,aAAa;IACrD,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,SAAS,CAAC,EAAE,oBAAoB,EAAE,CAAC;IACnC,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,OAAO,CAAC;IACjB,gBAAgB,EAAE,OAAO,CAAC;IAC1B,QAAQ,EAAE,cAAc,CAAC;IACzB,KAAK,CAAC,EAAE,mBAAmB,CAAC;IAC5B,eAAe,EAAE,OAAO,CAAC;IACzB,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,MAAM,EAAE,OAAO,CAAC;CACjB;AAED,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE;QACN,QAAQ,EAAE,MAAM,CAAC;QACjB,OAAO,EAAE,MAAM,CAAC;QAChB,QAAQ,EAAE,MAAM,CAAC;QACjB,OAAO,EAAE,MAAM,CAAC;QAChB,aAAa,EAAE,MAAM,CAAC;KACvB,CAAC;IACF,UAAU,EAAE;QACV,aAAa,EAAE,MAAM,EAAE,CAAC;QACxB,aAAa,EAAE,MAAM,EAAE,CAAC;QACxB,cAAc,EAAE,MAAM,EAAE,CAAC;KAC1B,CAAC;IACF,UAAU,EAAE;QACV,MAAM,EAAE,MAAM,CAAC;QACf,QAAQ,EAAE,MAAM,CAAC;QACjB,MAAM,EAAE,eAAe,EAAE,CAAC;KAC3B,CAAC;CACH;AAED,MAAM,WAAW,cAAc;IAC7B,EAAE,EAAE,MAAM,CAAC;IACX,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,UAAU,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;CACjB;AAED,MAAM,MAAM,aAAa,GAAG,IAAI,CAAC,cAAc,EAAE,IAAI,CAAC,CAAC;AAEvD,MAAM,WAAW,aAAa;IAC5B,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,UAAU,CAAC;IACnB,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,YAAY;IAC3B,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,UAAU,CAAC;IACvB,MAAM,EAAE,YAAY,CAAC;IACrB,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB;AAED,MAAM,MAAM,WAAW,GAAG,IAAI,CAAC,YAAY,EAAE,IAAI,CAAC,CAAC;AAEnD,MAAM,WAAW,WAAW;IAC1B,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,UAAU,CAAC,EAAE,UAAU,CAAC;IACxB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,YAAY,CAAC;CACvB;AAED,MAAM,WAAW,WAAW;IAC1B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,eAAe,CAAC;IACtB,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,KAAK,EAAE,UAAU,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,aAAa,EAAE,MAAM,CAAC;IACtB,OAAO,EAAE,MAAM,CAAC;IAChB,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;CAC5B;AAED,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,WAAW,EAAE,CAAC;CACzB;AAED,MAAM,WAAW,eAAe;IAC9B,MAAM,EAAE,WAAW,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,OAAO,CAAC;CAChB;AAED,MAAM,WAAW,eAAe;IAC9B,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,CAAC,EAAE,OAAO,CAAC;CACtB;AAED,MAAM,WAAW,gBAAgB;IAC/B,IAAI,CAAC,EAAE,eAAe,CAAC;IACvB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,YAAY;IAC3B,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,CAAC;IACb,aAAa,EAAE,MAAM,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;IACrB,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,UAAU,EAAE,MAAM,CAAC;IACnB,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,YAAY;IAC3B,EAAE,EAAE,OAAO,CAAC;IACZ,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,YAAY,EAAE;QACZ,MAAM,EAAE,MAAM,CAAC;QACf,QAAQ,EAAE,MAAM,CAAC;KAClB,CAAC;IACF,KAAK,EAAE;QACL,QAAQ,EAAE,OAAO,CAAC;QAClB,aAAa,EAAE,MAAM,CAAC;QACtB,YAAY,EAAE,MAAM,CAAC;QACrB,WAAW,CAAC,EAAE,MAAM,CAAC;KACtB,CAAC;IACF,KAAK,EAAE;QACL,UAAU,EAAE,OAAO,CAAC;QACpB,aAAa,EAAE,OAAO,CAAC;QACvB,WAAW,EAAE,MAAM,CAAC;QACpB,gBAAgB,EAAE,MAAM,CAAC;QACzB,aAAa,EAAE,MAAM,EAAE,CAAC;KACzB,CAAC;CACH"}

package/dist/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":""}

package/dist/validator.d.ts

@@ -0,0 +1,6 @@
+import type { AgentCmdbReport, CmdbObject, ControlPlane, ObjectQuery, ValidationIssue } from './types.js';
+export declare function listObjects(controlPlane: ControlPlane, query?: ObjectQuery): CmdbObject[];
+export declare function getObject(controlPlane: ControlPlane, objectId: string): CmdbObject;
+export declare function validateControlPlane(controlPlane: ControlPlane): ValidationIssue[];
+export declare function generateReadinessReport(controlPlane: ControlPlane): AgentCmdbReport;
+//# sourceMappingURL=validator.d.ts.map

package/dist/validator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"validator.d.ts","sourceRoot":"","sources":["../src/validator.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EACV,eAAe,EACf,UAAU,EACV,YAAY,EACZ,WAAW,EACX,eAAe,EAChB,MAAM,YAAY,CAAC;AAEpB,wBAAgB,WAAW,CAAC,YAAY,EAAE,YAAY,EAAE,KAAK,GAAE,WAAgB,GAAG,UAAU,EAAE,CAS7F;AAED,wBAAgB,SAAS,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,GAAG,UAAU,CAOlF;AAED,wBAAgB,oBAAoB,CAAC,YAAY,EAAE,YAAY,GAAG,eAAe,EAAE,CA6GlF;AAED,wBAAgB,uBAAuB,CAAC,YAAY,EAAE,YAAY,GAAG,eAAe,CA6BnF"}

package/dist/validator.js

@@ -0,0 +1,165 @@
+import { ensureGraphNode } from './graph-engine.js';
+import { policiesConflict, policyShadows } from './policy-engine.js';
+import { parseDuration } from './duration.js';
+export function listObjects(controlPlane, query = {}) {
+    return controlPlane.objects.filter((object) => {
+        if (query.profile && object.profile && object.profile !== query.profile)
+            return false;
+        if (query.profile && !object.profile && object.kind !== 'profile')
+            return false;
+        if (query.kind && object.kind !== query.kind)
+            return false;
+        if (query.status && object.status !== query.status)
+            return false;
+        if (query.tag && !object.tags.includes(query.tag))
+            return false;
+        return true;
+    });
+}
+export function getObject(controlPlane, objectId) {
+    const normalizedObjectId = requireNonEmptyString(objectId, 'CMDB object id');
+    const object = controlPlane.objects.find((candidate) => candidate.id === normalizedObjectId);
+    if (!object) {
+        throw new Error(`Unknown CMDB object: ${normalizedObjectId}.`);
+    }
+    return object;
+}
+export function validateControlPlane(controlPlane) {
+    const issues = [];
+    const sourceIds = new Set(controlPlane.sources.map((source) => source.id));
+    const profileIds = new Set(controlPlane.profiles.map((profile) => profile.id));
+    const policyIds = new Set();
+    for (const profile of controlPlane.profiles) {
+        for (const route of profile.routes) {
+            for (const sourceId of route.sources) {
+                if (!sourceIds.has(sourceId)) {
+                    issues.push({
+                        severity: 'error',
+                        code: 'route_unknown_source',
+                        message: `Route ${profile.id}/${route.intent} references unknown source ${sourceId}.`
+                    });
+                }
+            }
+        }
+    }
+    for (const source of controlPlane.sources) {
+        if (source.freshnessTtl) {
+            try {
+                parseDuration(source.freshnessTtl);
+            }
+            catch (error) {
+                issues.push({
+                    severity: 'error',
+                    code: 'source_invalid_freshness_ttl',
+                    message: `Source ${source.id} has invalid freshnessTtl ${source.freshnessTtl}: ${error instanceof Error ? error.message : String(error)}`
+                });
+            }
+        }
+    }
+    for (const policy of controlPlane.policies) {
+        if (policyIds.has(policy.id)) {
+            issues.push({
+                severity: 'error',
+                code: 'duplicate_policy_id',
+                message: `Duplicate policy id ${policy.id}.`
+            });
+        }
+        policyIds.add(policy.id);
+        for (const profileId of policy.profiles ?? []) {
+            if (profileId !== '*' && !profileIds.has(profileId)) {
+                issues.push({
+                    severity: 'error',
+                    code: 'policy_unknown_profile',
+                    message: `Policy ${policy.id} references unknown profile ${profileId}.`
+                });
+            }
+        }
+        for (const toolId of policy.tools ?? []) {
+            if (toolId !== '*' && !sourceIds.has(toolId)) {
+                issues.push({
+                    severity: 'error',
+                    code: 'policy_unknown_tool',
+                    message: `Policy ${policy.id} references unknown tool ${toolId}.`
+                });
+            }
+        }
+    }
+    for (let index = 1; index < controlPlane.policies.length; index += 1) {
+        const policy = controlPlane.policies[index];
+        const shadowingPolicy = controlPlane.policies
+            .slice(0, index)
+            .find((candidate) => policyShadows(candidate, policy));
+        if (shadowingPolicy) {
+            issues.push({
+                severity: 'warning',
+                code: 'policy_shadowed',
+                message: `Policy ${policy.id} is shadowed by earlier policy ${shadowingPolicy.id}.`
+            });
+        }
+    }
+    for (let leftIndex = 0; leftIndex < controlPlane.policies.length; leftIndex += 1) {
+        for (let rightIndex = leftIndex + 1; rightIndex < controlPlane.policies.length; rightIndex += 1) {
+            const left = controlPlane.policies[leftIndex];
+            const right = controlPlane.policies[rightIndex];
+            if (policiesConflict(left, right)) {
+                issues.push({
+                    severity: 'warning',
+                    code: 'policy_conflict',
+                    message: `Policy ${left.id} conflicts with policy ${right.id}; deny will win for overlapping requests.`
+                });
+            }
+        }
+    }
+    for (const relationship of controlPlane.relationships) {
+        for (const endpoint of [relationship.from, relationship.to]) {
+            try {
+                ensureGraphNode(controlPlane, endpoint);
+            }
+            catch {
+                issues.push({
+                    severity: 'error',
+                    code: 'relationship_unknown_node',
+                    message: `Relationship ${relationship.from} -> ${relationship.to} references unknown node ${endpoint}.`
+                });
+            }
+        }
+    }
+    return issues;
+}
+export function generateReadinessReport(controlPlane) {
+    const issues = validateControlPlane(controlPlane);
+    const deniedActions = unique(controlPlane.policies
+        .filter((policy) => policy.effect === 'deny')
+        .flatMap((policy) => policy.actions));
+    return {
+        version: controlPlane.version,
+        updatedAt: controlPlane.updatedAt,
+        counts: {
+            profiles: controlPlane.profiles.length,
+            sources: controlPlane.sources.length,
+            policies: controlPlane.policies.length,
+            objects: controlPlane.objects.length,
+            relationships: controlPlane.relationships.length
+        },
+        guardrails: {
+            deniedActions,
+            pausedObjects: controlPlane.objects.filter((object) => object.status === 'paused').map((object) => object.id),
+            blockedObjects: controlPlane.objects.filter((object) => object.status === 'blocked').map((object) => object.id)
+        },
+        validation: {
+            errors: issues.filter((issue) => issue.severity === 'error').length,
+            warnings: issues.filter((issue) => issue.severity === 'warning').length,
+            issues
+        }
+    };
+}
+function unique(values) {
+    return [...new Set(values)];
+}
+function requireNonEmptyString(value, label) {
+    if (typeof value !== 'string' || value.trim().length === 0) {
+        throw new Error(`${label} must be a non-empty string.`);
+    }
+    return value;
+}
+//# sourceMappingURL=validator.js.map

package/dist/validator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"validator.js","sourceRoot":"","sources":["../src/validator.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AACpD,OAAO,EAAE,gBAAgB,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AACrE,OAAO,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAS9C,MAAM,UAAU,WAAW,CAAC,YAA0B,EAAE,QAAqB,EAAE;IAC7E,OAAO,YAAY,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,MAAM,EAAE,EAAE;QAC5C,IAAI,KAAK,CAAC,OAAO,IAAI,MAAM,CAAC,OAAO,IAAI,MAAM,CAAC,OAAO,KAAK,KAAK,CAAC,OAAO;YAAE,OAAO,KAAK,CAAC;QACtF,IAAI,KAAK,CAAC,OAAO,IAAI,CAAC,MAAM,CAAC,OAAO,IAAI,MAAM,CAAC,IAAI,KAAK,SAAS;YAAE,OAAO,KAAK,CAAC;QAChF,IAAI,KAAK,CAAC,IAAI,IAAI,MAAM,CAAC,IAAI,KAAK,KAAK,CAAC,IAAI;YAAE,OAAO,KAAK,CAAC;QAC3D,IAAI,KAAK,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,KAAK,KAAK,CAAC,MAAM;YAAE,OAAO,KAAK,CAAC;QACjE,IAAI,KAAK,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC;YAAE,OAAO,KAAK,CAAC;QAChE,OAAO,IAAI,CAAC;IACd,CAAC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,SAAS,CAAC,YAA0B,EAAE,QAAgB;IACpE,MAAM,kBAAkB,GAAG,qBAAqB,CAAC,QAAQ,EAAE,gBAAgB,CAAC,CAAC;IAC7E,MAAM,MAAM,GAAG,YAAY,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,EAAE,KAAK,kBAAkB,CAAC,CAAC;IAC7F,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CAAC,wBAAwB,kBAAkB,GAAG,CAAC,CAAC;IACjE,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,UAAU,oBAAoB,CAAC,YAA0B;IAC7D,MAAM,MAAM,GAAsB,EAAE,CAAC;IACrC,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,YAAY,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC;IAC3E,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,YAAY,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,CAAC;IAC/E,MAAM,SAAS,GAAG,IAAI,GAAG,EAAU,CAAC;IAEpC,KAAK,MAAM,OAAO,IAAI,YAAY,CAAC,QAAQ,EAAE,CAAC;QAC5C,KAAK,MAAM,KAAK,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;YACnC,KAAK,MAAM,QAAQ,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;gBACrC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;oBAC7B,MAAM,CAAC,IAAI,CAAC;wBACV,QAAQ,EAAE,OAAO;wBACjB,IAAI,EAAE,sBAAsB;wBAC5B,OAAO,EAAE,SAAS,OAAO,CAAC,EAAE,IAAI,KAAK,CAAC,MAAM,8BAA8B,QAAQ,GAAG;qBACtF,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,KAAK,MAAM,MAAM,IAAI,YAAY,CAAC,OAAO,EAAE,CAAC;QAC1C,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;YACxB,IAAI,CAAC;gBACH,aAAa,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;YACrC,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,MAAM,CAAC,IAAI,CAAC;oBACV,QAAQ,EAAE,OAAO;oBACjB,IAAI,EAAE,8BAA8B;oBACpC,OAAO,EAAE,UAAU,MAAM,CAAC,EAAE,6BAA6B,MAAM,CAAC,YAAY,KAAK,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE;iBAC1I,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,KAAK,MAAM,MAAM,IAAI,YAAY,CAAC,QAAQ,EAAE,CAAC;QAC3C,IAAI,SAAS,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC;YAC7B,MAAM,CAAC,IAAI,CAAC;gBACV,QAAQ,EAAE,OAAO;gBACjB,IAAI,EAAE,qBAAqB;gBAC3B,OAAO,EAAE,uBAAuB,MAAM,CAAC,EAAE,GAAG;aAC7C,CAAC,CAAC;QACL,CAAC;QACD,SAAS,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;QAEzB,KAAK,MAAM,SAAS,IAAI,MAAM,CAAC,QAAQ,IAAI,EAAE,EAAE,CAAC;YAC9C,IAAI,SAAS,KAAK,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC;gBACpD,MAAM,CAAC,IAAI,CAAC;oBACV,QAAQ,EAAE,OAAO;oBACjB,IAAI,EAAE,wBAAwB;oBAC9B,OAAO,EAAE,UAAU,MAAM,CAAC,EAAE,+BAA+B,SAAS,GAAG;iBACxE,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,KAAK,MAAM,MAAM,IAAI,MAAM,CAAC,KAAK,IAAI,EAAE,EAAE,CAAC;YACxC,IAAI,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;gBAC7C,MAAM,CAAC,IAAI,CAAC;oBACV,QAAQ,EAAE,OAAO;oBACjB,IAAI,EAAE,qBAAqB;oBAC3B,OAAO,EAAE,UAAU,MAAM,CAAC,EAAE,4BAA4B,MAAM,GAAG;iBAClE,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,KAAK,IAAI,KAAK,GAAG,CAAC,EAAE,KAAK,GAAG,YAAY,CAAC,QAAQ,CAAC,MAAM,EAAE,KAAK,IAAI,CAAC,EAAE,CAAC;QACrE,MAAM,MAAM,GAAG,YAAY,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QAC5C,MAAM,eAAe,GAAG,YAAY,CAAC,QAAQ;aAC1C,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC;aACf,IAAI,CAAC,CAAC,SAAS,EAAE,EAAE,CAAC,aAAa,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC,CAAC;QAEzD,IAAI,eAAe,EAAE,CAAC;YACpB,MAAM,CAAC,IAAI,CAAC;gBACV,QAAQ,EAAE,SAAS;gBACnB,IAAI,EAAE,iBAAiB;gBACvB,OAAO,EAAE,UAAU,MAAM,CAAC,EAAE,kCAAkC,eAAe,CAAC,EAAE,GAAG;aACpF,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,KAAK,IAAI,SAAS,GAAG,CAAC,EAAE,SAAS,GAAG,YAAY,CAAC,QAAQ,CAAC,MAAM,EAAE,SAAS,IAAI,CAAC,EAAE,CAAC;QACjF,KAAK,IAAI,UAAU,GAAG,SAAS,GAAG,CAAC,EAAE,UAAU,GAAG,YAAY,CAAC,QAAQ,CAAC,MAAM,EAAE,UAAU,IAAI,CAAC,EAAE,CAAC;YAChG,MAAM,IAAI,GAAG,YAAY,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;YAC9C,MAAM,KAAK,GAAG,YAAY,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;YAChD,IAAI,gBAAgB,CAAC,IAAI,EAAE,KAAK,CAAC,EAAE,CAAC;gBAClC,MAAM,CAAC,IAAI,CAAC;oBACV,QAAQ,EAAE,SAAS;oBACnB,IAAI,EAAE,iBAAiB;oBACvB,OAAO,EAAE,UAAU,IAAI,CAAC,EAAE,0BAA0B,KAAK,CAAC,EAAE,2CAA2C;iBACxG,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,KAAK,MAAM,YAAY,IAAI,YAAY,CAAC,aAAa,EAAE,CAAC;QACtD,KAAK,MAAM,QAAQ,IAAI,CAAC,YAAY,CAAC,IAAI,EAAE,YAAY,CAAC,EAAE,CAAC,EAAE,CAAC;YAC5D,IAAI,CAAC;gBACH,eAAe,CAAC,YAAY,EAAE,QAAQ,CAAC,CAAC;YAC1C,CAAC;YAAC,MAAM,CAAC;gBACP,MAAM,CAAC,IAAI,CAAC;oBACV,QAAQ,EAAE,OAAO;oBACjB,IAAI,EAAE,2BAA2B;oBACjC,OAAO,EAAE,gBAAgB,YAAY,CAAC,IAAI,OAAO,YAAY,CAAC,EAAE,4BAA4B,QAAQ,GAAG;iBACxG,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,UAAU,uBAAuB,CAAC,YAA0B;IAChE,MAAM,MAAM,GAAG,oBAAoB,CAAC,YAAY,CAAC,CAAC;IAClD,MAAM,aAAa,GAAG,MAAM,CAC1B,YAAY,CAAC,QAAQ;SAClB,MAAM,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,MAAM,KAAK,MAAM,CAAC;SAC5C,OAAO,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,CACvC,CAAC;IAEF,OAAO;QACL,OAAO,EAAE,YAAY,CAAC,OAAO;QAC7B,SAAS,EAAE,YAAY,CAAC,SAAS;QACjC,MAAM,EAAE;YACN,QAAQ,EAAE,YAAY,CAAC,QAAQ,CAAC,MAAM;YACtC,OAAO,EAAE,YAAY,CAAC,OAAO,CAAC,MAAM;YACpC,QAAQ,EAAE,YAAY,CAAC,QAAQ,CAAC,MAAM;YACtC,OAAO,EAAE,YAAY,CAAC,OAAO,CAAC,MAAM;YACpC,aAAa,EAAE,YAAY,CAAC,aAAa,CAAC,MAAM;SACjD;QACD,UAAU,EAAE;YACV,aAAa;YACb,aAAa,EAAE,YAAY,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC;YAC7G,cAAc,EAAE,YAAY,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC;SAChH;QACD,UAAU,EAAE;YACV,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,QAAQ,KAAK,OAAO,CAAC,CAAC,MAAM;YACnE,QAAQ,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,QAAQ,KAAK,SAAS,CAAC,CAAC,MAAM;YACvE,MAAM;SACP;KACF,CAAC;AACJ,CAAC;AAED,SAAS,MAAM,CAAC,MAAgB;IAC9B,OAAO,CAAC,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC;AAC9B,CAAC;AAED,SAAS,qBAAqB,CAAC,KAAc,EAAE,KAAa;IAC1D,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC3D,MAAM,IAAI,KAAK,CAAC,GAAG,KAAK,8BAA8B,CAAC,CAAC;IAC1D,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC"}

package/examples/basic/control-plane.yaml

@@ -0,0 +1,122 @@
+version: "1.0"
+updatedAt: "2026-05-25"
+
+sources:
+  - id: serpapi
+    label: SerpAPI Web Search
+    kind: tool
+    readOnly: true
+
+  - id: openai-api
+    label: OpenAI API
+    kind: tool
+    readOnly: false
+
+  - id: local-docs
+    label: Local Documentation
+    kind: wiki
+    readOnly: true
+    freshnessTtl: 7d
+    brainEntityId: agent-security
+
+profiles:
+  - id: research-agent
+    name: Research Agent
+    purpose: Web research and summarization
+    guardrails:
+      - Do not make purchases or financial transactions
+      - Do not post to social media
+      - Prefer local documentation before external search
+    routes:
+      - intent: web_research
+        sources:
+          - local-docs
+          - serpapi
+        notes: Check local docs first, then search the web
+      - intent: code_generation
+        sources:
+          - local-docs
+          - openai-api
+
+policies:
+  - id: deny-social-posting
+    effect: deny
+    actions:
+      - social_post
+      - social_reply
+      - social_dm
+    reason: Social media posting is disabled for all agents
+    code: social_actions_disabled
+    canEscalate: false
+    suggestedAlternative: Draft the post for a human to review.
+
+  - id: deny-financial
+    effect: deny
+    actions:
+      - purchase
+      - transfer
+      - payment
+    reason: Financial transactions require human approval
+    code: financial_actions_require_human
+    canEscalate: true
+    suggestedAlternative: Ask a human operator to approve or execute the transaction.
+
+  - id: allow-research
+    effect: allow
+    profiles:
+      - research-agent
+    actions:
+      - web_search
+      - summarize
+      - extract
+    tools:
+      - serpapi
+      - local-docs
+    reason: Research agent can search and summarize read-only sources
+    code: research_agent_readonly_allowed
+    canEscalate: false
+
+objects:
+  - id: profile.research-agent
+    kind: profile
+    label: Research Agent
+    status: active
+    profile: research-agent
+    tags:
+      - agent
+      - research
+
+  - id: source.local-docs
+    kind: source
+    label: Local Documentation
+    status: active
+    profile: research-agent
+    tags:
+      - docs
+      - read-only
+
+  - id: source.serpapi
+    kind: source
+    label: SerpAPI Web Search
+    status: active
+    profile: research-agent
+    tags:
+      - web
+      - read-only
+
+  - id: tool.openai-api
+    kind: tool
+    label: OpenAI API
+    status: active
+    tags:
+      - llm
+      - generation
+
+relationships:
+  - from: profile.research-agent
+    to: source.local-docs
+    type: uses
+
+  - from: profile.research-agent
+    to: source.serpapi
+    type: uses

package/examples/multi-agent/control-plane.yaml

@@ -0,0 +1,352 @@
+version: "agent-cmdb-v2"
+updatedAt: "2026-05-25"
+
+sources:
+  - id: web-search-api
+    label: Web Search API
+    kind: oauth
+    readOnly: true
+    notes: Read-only external research source.
+    freshnessTtl: 2h
+    brainEntityId: web-research
+
+  - id: recent-history-cache
+    label: Recent History Cache
+    kind: memory
+    readOnly: true
+    notes: Local record of recent findings.
+
+  - id: news-aggregator
+    label: News Aggregator
+    kind: tool
+    readOnly: true
+    notes: Curated startup and technology news source.
+
+  - id: tech-forum
+    label: Technical Forum
+    kind: web
+    readOnly: true
+    notes: Community technology discussion source.
+
+  - id: vulnerability-scanner
+    label: Vulnerability Scanner
+    kind: tool
+    readOnly: true
+    notes: Public vulnerability and security advisory lookup.
+
+  - id: local-knowledge-base
+    label: Local Knowledge Base
+    kind: wiki
+    readOnly: true
+    notes: Human-maintained local project knowledge.
+    freshnessTtl: 7d
+    brainEntityId: local-knowledge
+
+  - id: weather-api
+    label: Weather API
+    kind: tool
+    readOnly: true
+    notes: Primary weather signal source.
+
+  - id: weather-backup
+    label: Weather Backup
+    kind: tool
+    readOnly: true
+    notes: Secondary weather signal source.
+
+  - id: video-summary-tool
+    label: Video Summary Tool
+    kind: tool
+    readOnly: true
+    notes: Read-only video summary source.
+
+  - id: podcast-summary-tool
+    label: Podcast Summary Tool
+    kind: tool
+    readOnly: true
+    notes: Read-only podcast summary source.
+
+  - id: social-media-tool
+    label: Social Media Tool
+    kind: tool
+    readOnly: false
+    notes: Account-mutation tool disabled by default policy.
+
+profiles:
+  - id: research-agent
+    name: Research Agent
+    purpose: Read-only agent research, market scans, and security summaries.
+    guardrails:
+      - Use read-only sources for research.
+      - Do not mutate social accounts.
+      - Log policy denials and source decisions.
+    routes:
+      - intent: web_research
+        sources:
+          - web-search-api
+          - recent-history-cache
+          - news-aggregator
+          - tech-forum
+        notes: Prefer read-only research and recent local context.
+      - intent: security_research
+        sources:
+          - vulnerability-scanner
+          - web-search-api
+          - news-aggregator
+          - tech-forum
+        notes: Check vulnerability sources before broader web context.
+
+  - id: content-agent
+    name: Content Agent
+    purpose: Read-only content research with local knowledge as primary truth.
+    guardrails:
+      - Prefer local knowledge before external sources.
+      - Draft content only.
+      - Do not mutate social accounts.
+    routes:
+      - intent: weather
+        sources:
+          - local-knowledge-base
+          - weather-api
+          - weather-backup
+        notes: Start from local knowledge, then verify live weather.
+      - intent: content_research
+        sources:
+          - local-knowledge-base
+          - video-summary-tool
+          - podcast-summary-tool
+        notes: Use local knowledge before external media summaries.
+
+  - id: support-agent
+    name: Support Agent
+    purpose: Customer-support lookup and draft generation.
+    guardrails:
+      - Draft responses only.
+      - Do not send direct messages.
+      - Escalate unknown customer-impacting actions.
+    routes:
+      - intent: support_lookup
+        sources:
+          - local-knowledge-base
+          - recent-history-cache
+
+policies:
+  - id: global-deny-social-media-tool-account-actions
+    effect: deny
+    actions:
+      - social_post
+      - social_reply
+      - social_like
+      - social_bookmark
+      - social_dm
+      - media_upload
+    tools:
+      - social-media-tool
+    reason: The social-media-tool source is disabled for account mutations.
+    code: social_media_tool_account_actions_disabled
+    canEscalate: false
+    suggestedAlternative: Use read-only research sources and prepare a draft for review.
+
+  - id: global-deny-social-account-actions
+    effect: deny
+    actions:
+      - social_post
+      - social_reply
+      - social_like
+      - social_bookmark
+      - social_dm
+      - media_upload
+    reason: Social account actions are disabled for this example control plane.
+    code: social_account_actions_disabled
+    canEscalate: false
+    suggestedAlternative: Draft the action for a human operator or use read-only research sources.
+
+  - id: global-deny-bot-ops-status
+    effect: deny
+    actions:
+      - send_bot_ops_status
+    reason: Internal bot operations status messages are disabled in user-facing channels.
+    code: bot_ops_status_disabled
+    canEscalate: false
+    suggestedAlternative: Write operational status to logs or an internal dashboard.
+
+  - id: research-allow-readonly-research
+    effect: allow
+    profiles:
+      - research-agent
+    actions:
+      - web_research
+      - summarize
+      - security_research
+    tools:
+      - web-search-api
+      - recent-history-cache
+      - news-aggregator
+      - tech-forum
+      - vulnerability-scanner
+    reason: Research agent can use read-only research sources.
+    code: research_readonly_allowed
+    canEscalate: false
+
+  - id: content-allow-readonly-research
+    effect: allow
+    profiles:
+      - content-agent
+    actions:
+      - weather_lookup
+      - content_research
+      - summarize
+    tools:
+      - local-knowledge-base
+      - weather-api
+      - weather-backup
+      - video-summary-tool
+      - podcast-summary-tool
+    reason: Content agent can use read-only knowledge and media sources.
+    code: content_readonly_allowed
+    canEscalate: false
+
+  - id: support-allow-lookup
+    effect: allow
+    profiles:
+      - support-agent
+    actions:
+      - support_lookup
+      - summarize
+    tools:
+      - local-knowledge-base
+      - recent-history-cache
+    reason: Support agent can look up local support context.
+    code: support_lookup_allowed
+    canEscalate: false
+
+objects:
+  - id: profile.research-agent
+    kind: profile
+    label: Research Agent Profile
+    status: active
+    profile: research-agent
+    tags:
+      - agent
+      - research
+
+  - id: profile.content-agent
+    kind: profile
+    label: Content Agent Profile
+    status: active
+    profile: content-agent
+    tags:
+      - agent
+      - content
+
+  - id: profile.support-agent
+    kind: profile
+    label: Support Agent Profile
+    status: active
+    profile: support-agent
+    tags:
+      - agent
+      - support
+
+  - id: source.web-search-api
+    kind: source
+    label: Web Search API
+    status: active
+    profile: research-agent
+    tags:
+      - research
+      - read-only
+
+  - id: source.local-knowledge-base
+    kind: source
+    label: Local Knowledge Base
+    status: active
+    profile: content-agent
+    tags:
+      - knowledge
+      - read-only
+
+  - id: source.news-aggregator
+    kind: source
+    label: News Aggregator
+    status: active
+    profile: research-agent
+    tags:
+      - news
+      - read-only
+
+  - id: source.weather-api
+    kind: source
+    label: Weather API
+    status: active
+    profile: content-agent
+    tags:
+      - weather
+      - read-only
+
+  - id: tool.social-media-tool
+    kind: tool
+    label: Social Media Tool
+    status: blocked
+    tags:
+      - social
+      - mutation
+
+  - id: memory.local-brain
+    kind: memory
+    label: Local Brain
+    status: paused
+    tags:
+      - memory
+      - optional
+    notes: Optional local markdown memory is disabled until a brain directory is configured.
+
+  - id: job.research-radar
+    kind: job
+    label: Research Radar Job
+    status: active
+    profile: research-agent
+    tags:
+      - scheduled
+      - research
+
+  - id: job.content-brief
+    kind: job
+    label: Content Brief Job
+    status: active
+    profile: content-agent
+    tags:
+      - scheduled
+      - content
+
+  - id: policy.global-deny-social-media-tool-account-actions
+    kind: policy
+    label: Deny Social Media Tool Account Actions
+    status: active
+    tags:
+      - policy
+      - deny
+
+relationships:
+  - from: profile.research-agent
+    to: source.web-search-api
+    type: uses
+    notes: Research agent uses read-only web search.
+
+  - from: profile.research-agent
+    to: job.research-radar
+    type: owns
+
+  - from: profile.content-agent
+    to: source.local-knowledge-base
+    type: uses
+    notes: Content agent starts from local knowledge.
+
+  - from: profile.content-agent
+    to: job.content-brief
+    type: owns
+
+  - from: tool.social-media-tool
+    to: policy.global-deny-social-media-tool-account-actions
+    type: governed_by
+    notes: Account mutation tool is blocked by policy.