@qmilab/lodestar-core 0.1.4 → 0.2.0

package/dist/index.d.ts

@@ -19,5 +19,11 @@ export * from "./schemas/decision.js";
 export * from "./schemas/action.js";
 export * from "./schemas/revision.js";
 export * from "./schemas/event.js";
+export * from "./schemas/reflection.js";
+export * from "./schemas/calibration.js";
+export * from "./schemas/probe-pack.js";
+export * from "./schemas/sentinel.js";
+export * from "./schemas/policy.js";
+export * from "./schemas/approval.js";
 export * as registry from "./registry.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAGH,cAAc,qBAAqB,CAAA;AAGnC,cAAc,oBAAoB,CAAA;AAGlC,cAAc,0BAA0B,CAAA;AACxC,cAAc,oBAAoB,CAAA;AAClC,cAAc,qBAAqB,CAAA;AACnC,cAAc,uBAAuB,CAAA;AACrC,cAAc,qBAAqB,CAAA;AACnC,cAAc,uBAAuB,CAAA;AAGrC,cAAc,oBAAoB,CAAA;AAGlC,OAAO,KAAK,QAAQ,MAAM,eAAe,CAAA"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAGH,cAAc,qBAAqB,CAAA;AAGnC,cAAc,oBAAoB,CAAA;AAGlC,cAAc,0BAA0B,CAAA;AACxC,cAAc,oBAAoB,CAAA;AAClC,cAAc,qBAAqB,CAAA;AACnC,cAAc,uBAAuB,CAAA;AACrC,cAAc,qBAAqB,CAAA;AACnC,cAAc,uBAAuB,CAAA;AAGrC,cAAc,oBAAoB,CAAA;AAGlC,cAAc,yBAAyB,CAAA;AAGvC,cAAc,0BAA0B,CAAA;AAGxC,cAAc,yBAAyB,CAAA;AAGvC,cAAc,uBAAuB,CAAA;AAGrC,cAAc,qBAAqB,CAAA;AAGnC,cAAc,uBAAuB,CAAA;AAGrC,OAAO,KAAK,QAAQ,MAAM,eAAe,CAAA"}

package/dist/index.js

@@ -23,6 +23,18 @@ export * from "./schemas/action.js";
 export * from "./schemas/revision.js";
 // Event log envelope
 export * from "./schemas/event.js";
+// Reflection (Batch 4) — proposals and the reflection.completed@1 payload
+export * from "./schemas/reflection.js";
+// Calibration — the report wire format + the calibration.computed@1 payload
+export * from "./schemas/calibration.js";
+// Probe pack format (Batch 4) — the lodestar.probe-pack.json manifest contract
+export * from "./schemas/probe-pack.js";
+// Sentinels (Batch 4) — the sentinel.alerted@1 alert wire format
+export * from "./schemas/sentinel.js";
+// Action policy (Policy Kernel) — the Policy / PolicyRule document wire format
+export * from "./schemas/policy.js";
+// Approval workflow (Policy Kernel) — ApprovalRequest + approval.* event payloads
+export * from "./schemas/approval.js";
 // Schema registry
 export * as registry from "./registry.js";
 //# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,SAAS;AACT,cAAc,qBAAqB,CAAA;AAEnC,WAAW;AACX,cAAc,oBAAoB,CAAA;AAElC,kBAAkB;AAClB,cAAc,0BAA0B,CAAA;AACxC,cAAc,oBAAoB,CAAA;AAClC,cAAc,qBAAqB,CAAA;AACnC,cAAc,uBAAuB,CAAA;AACrC,cAAc,qBAAqB,CAAA;AACnC,cAAc,uBAAuB,CAAA;AAErC,qBAAqB;AACrB,cAAc,oBAAoB,CAAA;AAElC,kBAAkB;AAClB,OAAO,KAAK,QAAQ,MAAM,eAAe,CAAA"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,SAAS;AACT,cAAc,qBAAqB,CAAA;AAEnC,WAAW;AACX,cAAc,oBAAoB,CAAA;AAElC,kBAAkB;AAClB,cAAc,0BAA0B,CAAA;AACxC,cAAc,oBAAoB,CAAA;AAClC,cAAc,qBAAqB,CAAA;AACnC,cAAc,uBAAuB,CAAA;AACrC,cAAc,qBAAqB,CAAA;AACnC,cAAc,uBAAuB,CAAA;AAErC,qBAAqB;AACrB,cAAc,oBAAoB,CAAA;AAElC,0EAA0E;AAC1E,cAAc,yBAAyB,CAAA;AAEvC,4EAA4E;AAC5E,cAAc,0BAA0B,CAAA;AAExC,+EAA+E;AAC/E,cAAc,yBAAyB,CAAA;AAEvC,iEAAiE;AACjE,cAAc,uBAAuB,CAAA;AAErC,+EAA+E;AAC/E,cAAc,qBAAqB,CAAA;AAEnC,kFAAkF;AAClF,cAAc,uBAAuB,CAAA;AAErC,kBAAkB;AAClB,OAAO,KAAK,QAAQ,MAAM,eAAe,CAAA"}

package/dist/schemas/action.d.ts

@@ -105,8 +105,24 @@ export declare const ActionContractSchema: z.ZodObject<{
 export type ActionContract = z.infer<typeof ActionContractSchema>;
 /**
  * Phases an action passes through.
+ *
+ * `pending_approval` is the parked state: arbitration returned a `hold`
+ * (the Policy Kernel's three-valued verdict — see
+ * `docs/architecture/policy-kernel.md`), so the action is neither approved
+ * nor rejected. An `ApprovalRequest` is opened and the world stays
+ * untouched — the two-phase discipline forbids `execute()` from
+ * `pending_approval` exactly as it forbids it from `proposed`. Only an
+ * Action-Kernel `resolve()` un-parks it: `approval.granted` → `approved`
+ * (which then runs the normal `execute()` gate, so TOCTOU revalidation
+ * still fires), `approval.denied` / `approval.expired` → `rejected`.
+ *
+ * Distinct from `halted`, which is a *terminal* mid-execution stop
+ * (`executing → halted`); `pending_approval` is a *pre-execution* wait.
+ *
+ * Additive (ratified 2026-06-03, `policy-kernel.md`): existing logs
+ * without this value still parse; readers gain one case.
  */
-export declare const ActionPhaseSchema: z.ZodEnum<["proposed", "arbitrating", "approved", "rejected", "executing", "completed", "failed", "halted"]>;
+export declare const ActionPhaseSchema: z.ZodEnum<["proposed", "arbitrating", "pending_approval", "approved", "rejected", "executing", "completed", "failed", "halted"]>;
 export type ActionPhase = z.infer<typeof ActionPhaseSchema>;
 /**
  * Approval event from a human or policy reviewer.
@@ -132,19 +148,19 @@ export type ApprovalEvent = z.infer<typeof ApprovalEventSchema>;
  * Audit trail entry for an action.
  */
 export declare const AuditEventSchema: z.ZodObject<{
-    phase: z.ZodEnum<["proposed", "arbitrating", "approved", "rejected", "executing", "completed", "failed", "halted"]>;
+    phase: z.ZodEnum<["proposed", "arbitrating", "pending_approval", "approved", "rejected", "executing", "completed", "failed", "halted"]>;
     by_actor_id: z.ZodString;
     at: z.ZodString;
     detail: z.ZodOptional<z.ZodString>;
 }, "strip", z.ZodTypeAny, {
     at: string;
     by_actor_id: string;
-    phase: "rejected" | "proposed" | "arbitrating" | "approved" | "executing" | "completed" | "failed" | "halted";
+    phase: "rejected" | "proposed" | "arbitrating" | "pending_approval" | "approved" | "executing" | "completed" | "failed" | "halted";
     detail?: string | undefined;
 }, {
     at: string;
     by_actor_id: string;
-    phase: "rejected" | "proposed" | "arbitrating" | "approved" | "executing" | "completed" | "failed" | "halted";
+    phase: "rejected" | "proposed" | "arbitrating" | "pending_approval" | "approved" | "executing" | "completed" | "failed" | "halted";
     detail?: string | undefined;
 }>;
 export type AuditEvent = z.infer<typeof AuditEventSchema>;
@@ -153,7 +169,9 @@ export type AuditEvent = z.infer<typeof AuditEventSchema>;
  *
  * Actions are the seventh link in the epistemic chain.
  * The phase field tracks the action through propose → arbitrate
- * → approved/rejected → executing → completed/failed/halted.
+ * → approved/rejected/pending_approval → executing
+ * → completed/failed/halted. A `pending_approval` action awaits an
+ * `ApprovalRequest` resolution before it can reach `approved`.
  *
  * Every Action carries an ActionContract. The Policy Kernel evaluates
  * the contract against current trust assignments and approval requirements
@@ -227,7 +245,7 @@ export declare const ActionSchema: z.ZodObject<{
             expected_at_approval?: unknown;
         }[];
     }>;
-    phase: z.ZodEnum<["proposed", "arbitrating", "approved", "rejected", "executing", "completed", "failed", "halted"]>;
+    phase: z.ZodEnum<["proposed", "arbitrating", "pending_approval", "approved", "rejected", "executing", "completed", "failed", "halted"]>;
     approval: z.ZodOptional<z.ZodObject<{
         approver_id: z.ZodString;
         approved: z.ZodBoolean;
@@ -245,19 +263,19 @@ export declare const ActionSchema: z.ZodObject<{
         reason?: string | undefined;
     }>>;
     audit: z.ZodArray<z.ZodObject<{
-        phase: z.ZodEnum<["proposed", "arbitrating", "approved", "rejected", "executing", "completed", "failed", "halted"]>;
+        phase: z.ZodEnum<["proposed", "arbitrating", "pending_approval", "approved", "rejected", "executing", "completed", "failed", "halted"]>;
         by_actor_id: z.ZodString;
         at: z.ZodString;
         detail: z.ZodOptional<z.ZodString>;
     }, "strip", z.ZodTypeAny, {
         at: string;
         by_actor_id: string;
-        phase: "rejected" | "proposed" | "arbitrating" | "approved" | "executing" | "completed" | "failed" | "halted";
+        phase: "rejected" | "proposed" | "arbitrating" | "pending_approval" | "approved" | "executing" | "completed" | "failed" | "halted";
         detail?: string | undefined;
     }, {
         at: string;
         by_actor_id: string;
-        phase: "rejected" | "proposed" | "arbitrating" | "approved" | "executing" | "completed" | "failed" | "halted";
+        phase: "rejected" | "proposed" | "arbitrating" | "pending_approval" | "approved" | "executing" | "completed" | "failed" | "halted";
         detail?: string | undefined;
     }>, "many">;
     outcome_id: z.ZodOptional<z.ZodString>;
@@ -266,7 +284,7 @@ export declare const ActionSchema: z.ZodObject<{
 }, "strip", z.ZodTypeAny, {
     id: string;
     tool: string;
-    phase: "rejected" | "proposed" | "arbitrating" | "approved" | "executing" | "completed" | "failed" | "halted";
+    phase: "rejected" | "proposed" | "arbitrating" | "pending_approval" | "approved" | "executing" | "completed" | "failed" | "halted";
     intent: string;
     contract: {
         scope: {
@@ -287,7 +305,7 @@ export declare const ActionSchema: z.ZodObject<{
     audit: {
         at: string;
         by_actor_id: string;
-        phase: "rejected" | "proposed" | "arbitrating" | "approved" | "executing" | "completed" | "failed" | "halted";
+        phase: "rejected" | "proposed" | "arbitrating" | "pending_approval" | "approved" | "executing" | "completed" | "failed" | "halted";
         detail?: string | undefined;
     }[];
     proposed_at: string;
@@ -304,7 +322,7 @@ export declare const ActionSchema: z.ZodObject<{
 }, {
     id: string;
     tool: string;
-    phase: "rejected" | "proposed" | "arbitrating" | "approved" | "executing" | "completed" | "failed" | "halted";
+    phase: "rejected" | "proposed" | "arbitrating" | "pending_approval" | "approved" | "executing" | "completed" | "failed" | "halted";
     intent: string;
     contract: {
         scope: {
@@ -325,7 +343,7 @@ export declare const ActionSchema: z.ZodObject<{
     audit: {
         at: string;
         by_actor_id: string;
-        phase: "rejected" | "proposed" | "arbitrating" | "approved" | "executing" | "completed" | "failed" | "halted";
+        phase: "rejected" | "proposed" | "arbitrating" | "pending_approval" | "approved" | "executing" | "completed" | "failed" | "halted";
         detail?: string | undefined;
     }[];
     proposed_at: string;

package/dist/schemas/action.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"action.d.ts","sourceRoot":"","sources":["../../src/schemas/action.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAcvB,eAAO,MAAM,gBAAgB,aAAiC,CAAA;AAC9D,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAA;AAEzD,eAAO,MAAM,iBAAiB,uDAAqD,CAAA;AACnF,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAA;AAE3D,eAAO,MAAM,mBAAmB,0DAAwD,CAAA;AACxF,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAA;AAE/D,eAAO,MAAM,8BAA8B,4CAA0C,CAAA;AACrF,MAAM,MAAM,wBAAwB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,8BAA8B,CAAC,CAAA;AAErF;;;;;;;;;GASG;AACH,eAAO,MAAM,wBAAwB;;;;;;;;;;;;;;;EAKnC,CAAA;AACF,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,wBAAwB,CAAC,CAAA;AAEzE;;;;;GAKG;AACH,eAAO,MAAM,oBAAoB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAO/B,CAAA;AACF,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAA;AAEjE;;GAEG;AACH,eAAO,MAAM,iBAAiB,8GAS5B,CAAA;AACF,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAA;AAE3D;;GAEG;AACH,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;EAK9B,CAAA;AACF,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAA;AAE/D;;GAEG;AACH,eAAO,MAAM,gBAAgB;;;;;;;;;;;;;;;EAK3B,CAAA;AACF,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAA;AAEzD;;;;;;;;;;GAUG;AACH,eAAO,MAAM,YAAY;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAavB,CAAA;AACF,MAAM,MAAM,MAAM,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAA;AAMjD,eAAO,MAAM,mBAAmB,yDAAuD,CAAA;AACvF,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAA;AAE/D;;;;;GAKG;AACH,eAAO,MAAM,aAAa;;;;;;;;;;;;;;;;;;;;;;;;EAQxB,CAAA;AACF,MAAM,MAAM,OAAO,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,aAAa,CAAC,CAAA"}
+{"version":3,"file":"action.d.ts","sourceRoot":"","sources":["../../src/schemas/action.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAcvB,eAAO,MAAM,gBAAgB,aAAiC,CAAA;AAC9D,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAA;AAEzD,eAAO,MAAM,iBAAiB,uDAAqD,CAAA;AACnF,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAA;AAE3D,eAAO,MAAM,mBAAmB,0DAAwD,CAAA;AACxF,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAA;AAE/D,eAAO,MAAM,8BAA8B,4CAA0C,CAAA;AACrF,MAAM,MAAM,wBAAwB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,8BAA8B,CAAC,CAAA;AAErF;;;;;;;;;GASG;AACH,eAAO,MAAM,wBAAwB;;;;;;;;;;;;;;;EAKnC,CAAA;AACF,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,wBAAwB,CAAC,CAAA;AAEzE;;;;;GAKG;AACH,eAAO,MAAM,oBAAoB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAO/B,CAAA;AACF,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAA;AAEjE;;;;;;;;;;;;;;;;;;GAkBG;AACH,eAAO,MAAM,iBAAiB,kIAU5B,CAAA;AACF,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAA;AAE3D;;GAEG;AACH,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;EAK9B,CAAA;AACF,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAA;AAE/D;;GAEG;AACH,eAAO,MAAM,gBAAgB;;;;;;;;;;;;;;;EAK3B,CAAA;AACF,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAA;AAEzD;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,YAAY;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAavB,CAAA;AACF,MAAM,MAAM,MAAM,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAA;AAMjD,eAAO,MAAM,mBAAmB,yDAAuD,CAAA;AACvF,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAA;AAE/D;;;;;GAKG;AACH,eAAO,MAAM,aAAa;;;;;;;;;;;;;;;;;;;;;;;;EAQxB,CAAA;AACF,MAAM,MAAM,OAAO,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,aAAa,CAAC,CAAA"}

package/dist/schemas/action.js

@@ -46,10 +46,27 @@ export const ActionContractSchema = z.object({
 });
 /**
  * Phases an action passes through.
+ *
+ * `pending_approval` is the parked state: arbitration returned a `hold`
+ * (the Policy Kernel's three-valued verdict — see
+ * `docs/architecture/policy-kernel.md`), so the action is neither approved
+ * nor rejected. An `ApprovalRequest` is opened and the world stays
+ * untouched — the two-phase discipline forbids `execute()` from
+ * `pending_approval` exactly as it forbids it from `proposed`. Only an
+ * Action-Kernel `resolve()` un-parks it: `approval.granted` → `approved`
+ * (which then runs the normal `execute()` gate, so TOCTOU revalidation
+ * still fires), `approval.denied` / `approval.expired` → `rejected`.
+ *
+ * Distinct from `halted`, which is a *terminal* mid-execution stop
+ * (`executing → halted`); `pending_approval` is a *pre-execution* wait.
+ *
+ * Additive (ratified 2026-06-03, `policy-kernel.md`): existing logs
+ * without this value still parse; readers gain one case.
  */
 export const ActionPhaseSchema = z.enum([
     "proposed",
     "arbitrating",
+    "pending_approval",
     "approved",
     "rejected",
     "executing",
@@ -80,7 +97,9 @@ export const AuditEventSchema = z.object({
  *
  * Actions are the seventh link in the epistemic chain.
  * The phase field tracks the action through propose → arbitrate
- * → approved/rejected → executing → completed/failed/halted.
+ * → approved/rejected/pending_approval → executing
+ * → completed/failed/halted. A `pending_approval` action awaits an
+ * `ApprovalRequest` resolution before it can reach `approved`.
  *
  * Every Action carries an ActionContract. The Policy Kernel evaluates
  * the contract against current trust assignments and approval requirements

package/dist/schemas/action.js.map

@@ -1 +1 @@
-{"version":3,"file":"action.js","sourceRoot":"","sources":["../../src/schemas/action.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AACvB,OAAO,EAAE,mBAAmB,EAAE,eAAe,EAAE,MAAM,aAAa,CAAA;AAElE,gFAAgF;AAChF,eAAe;AACf,EAAE;AACF,wDAAwD;AACxD,kEAAkE;AAClE,yEAAyE;AACzE,gEAAgE;AAChE,+EAA+E;AAC/E,oDAAoD;AACpD,gFAAgF;AAEhF,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAA;AAG9D,MAAM,CAAC,MAAM,iBAAiB,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,SAAS,EAAE,SAAS,EAAE,UAAU,CAAC,CAAC,CAAA;AAGnF,MAAM,CAAC,MAAM,mBAAmB,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,YAAY,EAAE,aAAa,EAAE,cAAc,CAAC,CAAC,CAAA;AAGxF,MAAM,CAAC,MAAM,8BAA8B,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,SAAS,EAAE,QAAQ,CAAC,CAAC,CAAA;AAGrF;;;;;;;;;GASG;AACH,MAAM,CAAC,MAAM,wBAAwB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC/C,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,2BAA2B,CAAC;IAC1D,UAAU,EAAE,CAAC,CAAC,OAAO,EAAE;IACvB,oBAAoB,EAAE,CAAC,CAAC,OAAO,EAAE;IACjC,4BAA4B,EAAE,CAAC,CAAC,OAAO,EAAE;CAC1C,CAAC,CAAA;AAGF;;;;;GAKG;AACH,MAAM,CAAC,MAAM,oBAAoB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC3C,cAAc,EAAE,gBAAgB;IAChC,YAAY,EAAE,iBAAiB;IAC/B,aAAa,EAAE,mBAAmB;IAClC,KAAK,EAAE,mBAAmB;IAC1B,gBAAgB,EAAE,8BAA8B;IAChD,aAAa,EAAE,CAAC,CAAC,KAAK,CAAC,wBAAwB,CAAC;CACjD,CAAC,CAAA;AAGF;;GAEG;AACH,MAAM,CAAC,MAAM,iBAAiB,GAAG,CAAC,CAAC,IAAI,CAAC;IACtC,UAAU;IACV,aAAa;IACb,UAAU;IACV,UAAU;IACV,WAAW;IACX,WAAW;IACX,QAAQ;IACR,QAAQ;CACT,CAAC,CAAA;AAGF;;GAEG;AACH,MAAM,CAAC,MAAM,mBAAmB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC1C,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,UAAU,CAAC;IAC5C,QAAQ,EAAE,CAAC,CAAC,OAAO,EAAE;IACrB,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC7B,EAAE,EAAE,eAAe;CACpB,CAAC,CAAA;AAGF;;GAEG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC,CAAC,MAAM,CAAC;IACvC,KAAK,EAAE,iBAAiB;IACxB,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE;IACvB,EAAE,EAAE,eAAe;IACnB,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CAC9B,CAAC,CAAA;AAGF;;;;;;;;;;GAUG;AACH,MAAM,CAAC,MAAM,YAAY,GAAG,CAAC,CAAC,MAAM,CAAC;IACnC,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE;IACd,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,uCAAuC,CAAC;IACpF,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE;IAClB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,oCAAoC,CAAC;IAC/D,MAAM,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,CAAC,2CAA2C,CAAC;IACzE,QAAQ,EAAE,oBAAoB;IAC9B,KAAK,EAAE,iBAAiB;IACxB,QAAQ,EAAE,mBAAmB,CAAC,QAAQ,EAAE;IACxC,KAAK,EAAE,CAAC,CAAC,KAAK,CAAC,gBAAgB,CAAC;IAChC,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACjC,WAAW,EAAE,eAAe;IAC5B,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,UAAU,CAAC;CAC7C,CAAC,CAAA;AAGF,gFAAgF;AAChF,UAAU;AACV,gFAAgF;AAEhF,MAAM,CAAC,MAAM,mBAAmB,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,SAAS,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC,CAAA;AAGvF;;;;;GAKG;AACH,MAAM,CAAC,MAAM,aAAa,GAAG,CAAC,CAAC,MAAM,CAAC;IACpC,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE;IACd,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE;IACrB,MAAM,EAAE,mBAAmB;IAC3B,sBAAsB,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,CAAC,mCAAmC,CAAC;IACzF,qBAAqB,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;IAC1C,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,WAAW,EAAE;IAC3C,WAAW,EAAE,eAAe;CAC7B,CAAC,CAAA"}
+{"version":3,"file":"action.js","sourceRoot":"","sources":["../../src/schemas/action.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AACvB,OAAO,EAAE,mBAAmB,EAAE,eAAe,EAAE,MAAM,aAAa,CAAA;AAElE,gFAAgF;AAChF,eAAe;AACf,EAAE;AACF,wDAAwD;AACxD,kEAAkE;AAClE,yEAAyE;AACzE,gEAAgE;AAChE,+EAA+E;AAC/E,oDAAoD;AACpD,gFAAgF;AAEhF,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAA;AAG9D,MAAM,CAAC,MAAM,iBAAiB,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,SAAS,EAAE,SAAS,EAAE,UAAU,CAAC,CAAC,CAAA;AAGnF,MAAM,CAAC,MAAM,mBAAmB,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,YAAY,EAAE,aAAa,EAAE,cAAc,CAAC,CAAC,CAAA;AAGxF,MAAM,CAAC,MAAM,8BAA8B,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,SAAS,EAAE,QAAQ,CAAC,CAAC,CAAA;AAGrF;;;;;;;;;GASG;AACH,MAAM,CAAC,MAAM,wBAAwB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC/C,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,2BAA2B,CAAC;IAC1D,UAAU,EAAE,CAAC,CAAC,OAAO,EAAE;IACvB,oBAAoB,EAAE,CAAC,CAAC,OAAO,EAAE;IACjC,4BAA4B,EAAE,CAAC,CAAC,OAAO,EAAE;CAC1C,CAAC,CAAA;AAGF;;;;;GAKG;AACH,MAAM,CAAC,MAAM,oBAAoB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC3C,cAAc,EAAE,gBAAgB;IAChC,YAAY,EAAE,iBAAiB;IAC/B,aAAa,EAAE,mBAAmB;IAClC,KAAK,EAAE,mBAAmB;IAC1B,gBAAgB,EAAE,8BAA8B;IAChD,aAAa,EAAE,CAAC,CAAC,KAAK,CAAC,wBAAwB,CAAC;CACjD,CAAC,CAAA;AAGF;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,CAAC,MAAM,iBAAiB,GAAG,CAAC,CAAC,IAAI,CAAC;IACtC,UAAU;IACV,aAAa;IACb,kBAAkB;IAClB,UAAU;IACV,UAAU;IACV,WAAW;IACX,WAAW;IACX,QAAQ;IACR,QAAQ;CACT,CAAC,CAAA;AAGF;;GAEG;AACH,MAAM,CAAC,MAAM,mBAAmB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC1C,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,UAAU,CAAC;IAC5C,QAAQ,EAAE,CAAC,CAAC,OAAO,EAAE;IACrB,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC7B,EAAE,EAAE,eAAe;CACpB,CAAC,CAAA;AAGF;;GAEG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC,CAAC,MAAM,CAAC;IACvC,KAAK,EAAE,iBAAiB;IACxB,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE;IACvB,EAAE,EAAE,eAAe;IACnB,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CAC9B,CAAC,CAAA;AAGF;;;;;;;;;;;;GAYG;AACH,MAAM,CAAC,MAAM,YAAY,GAAG,CAAC,CAAC,MAAM,CAAC;IACnC,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE;IACd,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,uCAAuC,CAAC;IACpF,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE;IAClB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,oCAAoC,CAAC;IAC/D,MAAM,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,CAAC,2CAA2C,CAAC;IACzE,QAAQ,EAAE,oBAAoB;IAC9B,KAAK,EAAE,iBAAiB;IACxB,QAAQ,EAAE,mBAAmB,CAAC,QAAQ,EAAE;IACxC,KAAK,EAAE,CAAC,CAAC,KAAK,CAAC,gBAAgB,CAAC;IAChC,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACjC,WAAW,EAAE,eAAe;IAC5B,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,UAAU,CAAC;CAC7C,CAAC,CAAA;AAGF,gFAAgF;AAChF,UAAU;AACV,gFAAgF;AAEhF,MAAM,CAAC,MAAM,mBAAmB,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,SAAS,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC,CAAA;AAGvF;;;;;GAKG;AACH,MAAM,CAAC,MAAM,aAAa,GAAG,CAAC,CAAC,MAAM,CAAC;IACpC,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE;IACd,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE;IACrB,MAAM,EAAE,mBAAmB;IAC3B,sBAAsB,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,CAAC,mCAAmC,CAAC;IACzF,qBAAqB,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;IAC1C,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,WAAW,EAAE;IAC3C,WAAW,EAAE,eAAe;CAC7B,CAAC,CAAA"}

package/dist/schemas/approval.d.ts

@@ -0,0 +1,271 @@
+import { z } from "zod";
+/**
+ * The approval workflow wire formats — the first-class record of an action
+ * parked at `pending_approval` and the events that resolve it.
+ *
+ * Design lock: `docs/architecture/policy-kernel.md`, "The approval workflow".
+ * The discipline mirrors the sentinel / reflection governance events:
+ *
+ * - These are governance events, NOT Observations. Like `sentinel.alerted@1`,
+ *   each payload is the event payload directly and is NOT registered in the
+ *   observation schema registry.
+ * - Grant and deny are *distinct event types*, not one event with an
+ *   `approved` flag. The type *is* the verdict, so a redundant boolean (which
+ *   could disagree with the type on re-read) is omitted. When the resolution
+ *   folds back into the action via the Action Kernel's `resolve()`, it lands
+ *   in the action's existing `approval` field (`ApprovalEvent`), where a
+ *   single boolean is the natural shape — so the stream view
+ *   (type-discriminated) and the single-action view agree without duplicating
+ *   the verdict on the wire.
+ * - No optional field is ever set to `undefined` — it is omitted entirely when
+ *   unset (`deadline` and `reason` in particular), so the event-log writer's
+ *   `canonicalHash` (undefined → null) and `JSON.stringify` (drops the key)
+ *   cannot disagree on re-read.
+ *
+ * Core owns the wire format only. The lifecycle manager — opening a request on
+ * a hold, matching a resolution against `required_authority`, driving the
+ * Action-Kernel `resolve()` transition — lives in
+ * `@qmilab/lodestar-policy-kernel`.
+ */
+/**
+ * The payload of an `approval.requested@1` event: a parked action awaiting a
+ * human (or auto-rule) verdict. `reason` is the matched rule's reason,
+ * verbatim. `required_authority` says what an approver must be (checked
+ * against the resolver's `Actor`); an empty object means any configured
+ * resolver may approve.
+ *
+ * `deadline` is the proxy's hold timeout (the MCP path cannot hold a
+ * `tools/call` open indefinitely without tripping client timeouts); it is
+ * *omitted entirely* in the in-process `guard.wrap()` path, where a hold can
+ * simply await the resolver — never set to `undefined`.
+ */
+export declare const ApprovalRequestSchema: z.ZodObject<{
+    request_id: z.ZodString;
+    action_id: z.ZodString;
+    reason: z.ZodString;
+    required_authority: z.ZodObject<{
+        min_trust_baseline: z.ZodOptional<z.ZodNumber>;
+        sensitivity_clearance: z.ZodOptional<z.ZodEnum<["public", "internal", "confidential", "secret"]>>;
+        scope: z.ZodOptional<z.ZodObject<{
+            level: z.ZodEnum<["global", "organization", "user", "project", "repo", "session"]>;
+            identifier: z.ZodString;
+        }, "strip", z.ZodTypeAny, {
+            level: "global" | "organization" | "user" | "project" | "repo" | "session";
+            identifier: string;
+        }, {
+            level: "global" | "organization" | "user" | "project" | "repo" | "session";
+            identifier: string;
+        }>>;
+    }, "strip", z.ZodTypeAny, {
+        sensitivity_clearance?: "public" | "internal" | "confidential" | "secret" | undefined;
+        scope?: {
+            level: "global" | "organization" | "user" | "project" | "repo" | "session";
+            identifier: string;
+        } | undefined;
+        min_trust_baseline?: number | undefined;
+    }, {
+        sensitivity_clearance?: "public" | "internal" | "confidential" | "secret" | undefined;
+        scope?: {
+            level: "global" | "organization" | "user" | "project" | "repo" | "session";
+            identifier: string;
+        } | undefined;
+        min_trust_baseline?: number | undefined;
+    }>;
+    requested_at: z.ZodString;
+    deadline: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    reason: string;
+    action_id: string;
+    required_authority: {
+        sensitivity_clearance?: "public" | "internal" | "confidential" | "secret" | undefined;
+        scope?: {
+            level: "global" | "organization" | "user" | "project" | "repo" | "session";
+            identifier: string;
+        } | undefined;
+        min_trust_baseline?: number | undefined;
+    };
+    request_id: string;
+    requested_at: string;
+    deadline?: string | undefined;
+}, {
+    reason: string;
+    action_id: string;
+    required_authority: {
+        sensitivity_clearance?: "public" | "internal" | "confidential" | "secret" | undefined;
+        scope?: {
+            level: "global" | "organization" | "user" | "project" | "repo" | "session";
+            identifier: string;
+        } | undefined;
+        min_trust_baseline?: number | undefined;
+    };
+    request_id: string;
+    requested_at: string;
+    deadline?: string | undefined;
+}>;
+export type ApprovalRequest = z.infer<typeof ApprovalRequestSchema>;
+/**
+ * The payload of an `approval.granted@1` event. The event *type* is the
+ * verdict — there is no `approved` boolean. `reason` (the approver's note) is
+ * omitted entirely when unset.
+ *
+ * `signature` is an optional Ed25519 signature over the canonical resolution
+ * document (`{ request_id, action_id, kind, approver_id, reason?, at }`),
+ * produced by the approver's private key. When present it makes the granted
+ * event **self-verifying in the log**: a reader can later re-check the grant
+ * came from an operator-pinned approver key, not merely trust that the proxy
+ * verified it at promotion time. Its `signer_id` equals `approver_id` (the same
+ * actor that resolved). Omitted entirely when unset (never `undefined`), so the
+ * canonical-hash discipline above carries through; the cross-process proxy path
+ * requires it (a forged side-channel grant cannot un-park an action), while the
+ * in-process resolver path may omit it (same trusted process, no forgery
+ * surface). Hash + verification live in `@qmilab/lodestar-policy-kernel`.
+ */
+export declare const ApprovalGrantedPayloadSchema: z.ZodObject<{
+    request_id: z.ZodString;
+    action_id: z.ZodString;
+    approver_id: z.ZodString;
+    reason: z.ZodOptional<z.ZodString>;
+    at: z.ZodString;
+    signature: z.ZodOptional<z.ZodObject<{
+        signer_id: z.ZodString;
+        payload_hash: z.ZodString;
+        algorithm: z.ZodLiteral<"ed25519">;
+        signature: z.ZodString;
+        at: z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        at: string;
+        signer_id: string;
+        payload_hash: string;
+        algorithm: "ed25519";
+        signature: string;
+    }, {
+        at: string;
+        signer_id: string;
+        payload_hash: string;
+        algorithm: "ed25519";
+        signature: string;
+    }>>;
+}, "strip", z.ZodTypeAny, {
+    at: string;
+    approver_id: string;
+    action_id: string;
+    request_id: string;
+    signature?: {
+        at: string;
+        signer_id: string;
+        payload_hash: string;
+        algorithm: "ed25519";
+        signature: string;
+    } | undefined;
+    reason?: string | undefined;
+}, {
+    at: string;
+    approver_id: string;
+    action_id: string;
+    request_id: string;
+    signature?: {
+        at: string;
+        signer_id: string;
+        payload_hash: string;
+        algorithm: "ed25519";
+        signature: string;
+    } | undefined;
+    reason?: string | undefined;
+}>;
+export type ApprovalGrantedPayload = z.infer<typeof ApprovalGrantedPayloadSchema>;
+/**
+ * The payload of an `approval.denied@1` event. Identical shape to
+ * `approval.granted@1` — the verdict is carried by the event type, not a
+ * field. Defined as its own schema (rather than re-exporting one shared
+ * object) so the two event types stay independently evolvable. `signature`
+ * follows the same contract as the grant payload (a denial is also authority-
+ * bearing — it must not be forgeable into un-holding via a later grant either).
+ */
+export declare const ApprovalDeniedPayloadSchema: z.ZodObject<{
+    request_id: z.ZodString;
+    action_id: z.ZodString;
+    approver_id: z.ZodString;
+    reason: z.ZodOptional<z.ZodString>;
+    at: z.ZodString;
+    signature: z.ZodOptional<z.ZodObject<{
+        signer_id: z.ZodString;
+        payload_hash: z.ZodString;
+        algorithm: z.ZodLiteral<"ed25519">;
+        signature: z.ZodString;
+        at: z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        at: string;
+        signer_id: string;
+        payload_hash: string;
+        algorithm: "ed25519";
+        signature: string;
+    }, {
+        at: string;
+        signer_id: string;
+        payload_hash: string;
+        algorithm: "ed25519";
+        signature: string;
+    }>>;
+}, "strip", z.ZodTypeAny, {
+    at: string;
+    approver_id: string;
+    action_id: string;
+    request_id: string;
+    signature?: {
+        at: string;
+        signer_id: string;
+        payload_hash: string;
+        algorithm: "ed25519";
+        signature: string;
+    } | undefined;
+    reason?: string | undefined;
+}, {
+    at: string;
+    approver_id: string;
+    action_id: string;
+    request_id: string;
+    signature?: {
+        at: string;
+        signer_id: string;
+        payload_hash: string;
+        algorithm: "ed25519";
+        signature: string;
+    } | undefined;
+    reason?: string | undefined;
+}>;
+export type ApprovalDeniedPayload = z.infer<typeof ApprovalDeniedPayloadSchema>;
+/**
+ * The payload of an `approval.expired@1` event: the deadline passed with no
+ * human resolution. Carries no `approver_id` — no actor resolved it; the
+ * passage of the deadline did. The Action Kernel transitions the parked action
+ * to `rejected` on receipt (a timed-out hold is a soft denial the agent
+ * re-proposes; durable resume is deferred — `policy-kernel.md`).
+ */
+export declare const ApprovalExpiredPayloadSchema: z.ZodObject<{
+    request_id: z.ZodString;
+    action_id: z.ZodString;
+    at: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    at: string;
+    action_id: string;
+    request_id: string;
+}, {
+    at: string;
+    action_id: string;
+    request_id: string;
+}>;
+export type ApprovalExpiredPayload = z.infer<typeof ApprovalExpiredPayloadSchema>;
+/**
+ * Event-type literals and versions. Use the constants rather than the bare
+ * strings so a future rename is grep-safe — same convention as
+ * `SENTINEL_ALERTED_EVENT_TYPE` and `REFLECTION_COMPLETED_EVENT_TYPE`.
+ */
+export declare const APPROVAL_REQUESTED_EVENT_TYPE: "approval.requested";
+export declare const APPROVAL_REQUESTED_SCHEMA_VERSION: "1";
+export declare const APPROVAL_GRANTED_EVENT_TYPE: "approval.granted";
+export declare const APPROVAL_GRANTED_SCHEMA_VERSION: "1";
+export declare const APPROVAL_DENIED_EVENT_TYPE: "approval.denied";
+export declare const APPROVAL_DENIED_SCHEMA_VERSION: "1";
+export declare const APPROVAL_EXPIRED_EVENT_TYPE: "approval.expired";
+export declare const APPROVAL_EXPIRED_SCHEMA_VERSION: "1";
+//# sourceMappingURL=approval.d.ts.map

package/dist/schemas/approval.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"approval.d.ts","sourceRoot":"","sources":["../../src/schemas/approval.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAKvB;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AAEH;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,qBAAqB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAWhC,CAAA;AACF,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAA;AAEnE;;;;;;;;;;;;;;;;GAgBG;AACH,eAAO,MAAM,4BAA4B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EASvC,CAAA;AACF,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,4BAA4B,CAAC,CAAA;AAEjF;;;;;;;GAOG;AACH,eAAO,MAAM,2BAA2B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAStC,CAAA;AACF,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,2BAA2B,CAAC,CAAA;AAE/E;;;;;;GAMG;AACH,eAAO,MAAM,4BAA4B;;;;;;;;;;;;EAIvC,CAAA;AACF,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,4BAA4B,CAAC,CAAA;AAEjF;;;;GAIG;AACH,eAAO,MAAM,6BAA6B,sBAAgC,CAAA;AAC1E,eAAO,MAAM,iCAAiC,KAAe,CAAA;AAC7D,eAAO,MAAM,2BAA2B,oBAA8B,CAAA;AACtE,eAAO,MAAM,+BAA+B,KAAe,CAAA;AAC3D,eAAO,MAAM,0BAA0B,mBAA6B,CAAA;AACpE,eAAO,MAAM,8BAA8B,KAAe,CAAA;AAC1D,eAAO,MAAM,2BAA2B,oBAA8B,CAAA;AACtE,eAAO,MAAM,+BAA+B,KAAe,CAAA"}

package/dist/schemas/approval.js

@@ -0,0 +1,119 @@
+import { z } from "zod";
+import { SignatureSchema } from "./actor.js";
+import { TimestampSchema } from "./common.js";
+import { RequiredAuthoritySchema } from "./policy.js";
+/**
+ * The approval workflow wire formats — the first-class record of an action
+ * parked at `pending_approval` and the events that resolve it.
+ *
+ * Design lock: `docs/architecture/policy-kernel.md`, "The approval workflow".
+ * The discipline mirrors the sentinel / reflection governance events:
+ *
+ * - These are governance events, NOT Observations. Like `sentinel.alerted@1`,
+ *   each payload is the event payload directly and is NOT registered in the
+ *   observation schema registry.
+ * - Grant and deny are *distinct event types*, not one event with an
+ *   `approved` flag. The type *is* the verdict, so a redundant boolean (which
+ *   could disagree with the type on re-read) is omitted. When the resolution
+ *   folds back into the action via the Action Kernel's `resolve()`, it lands
+ *   in the action's existing `approval` field (`ApprovalEvent`), where a
+ *   single boolean is the natural shape — so the stream view
+ *   (type-discriminated) and the single-action view agree without duplicating
+ *   the verdict on the wire.
+ * - No optional field is ever set to `undefined` — it is omitted entirely when
+ *   unset (`deadline` and `reason` in particular), so the event-log writer's
+ *   `canonicalHash` (undefined → null) and `JSON.stringify` (drops the key)
+ *   cannot disagree on re-read.
+ *
+ * Core owns the wire format only. The lifecycle manager — opening a request on
+ * a hold, matching a resolution against `required_authority`, driving the
+ * Action-Kernel `resolve()` transition — lives in
+ * `@qmilab/lodestar-policy-kernel`.
+ */
+/**
+ * The payload of an `approval.requested@1` event: a parked action awaiting a
+ * human (or auto-rule) verdict. `reason` is the matched rule's reason,
+ * verbatim. `required_authority` says what an approver must be (checked
+ * against the resolver's `Actor`); an empty object means any configured
+ * resolver may approve.
+ *
+ * `deadline` is the proxy's hold timeout (the MCP path cannot hold a
+ * `tools/call` open indefinitely without tripping client timeouts); it is
+ * *omitted entirely* in the in-process `guard.wrap()` path, where a hold can
+ * simply await the resolver — never set to `undefined`.
+ */
+export const ApprovalRequestSchema = z.object({
+    request_id: z.string().min(1),
+    action_id: z.string().min(1).describe("the parked action, at phase pending_approval"),
+    reason: z.string().min(1).describe("the matched rule's reason, verbatim"),
+    required_authority: RequiredAuthoritySchema.describe("what an approver must be; checked against the resolver's Actor. Empty object = any configured resolver"),
+    requested_at: TimestampSchema,
+    deadline: TimestampSchema.optional().describe("ISO 8601 hold timeout (proxy path); omitted entirely in-process, never undefined"),
+});
+/**
+ * The payload of an `approval.granted@1` event. The event *type* is the
+ * verdict — there is no `approved` boolean. `reason` (the approver's note) is
+ * omitted entirely when unset.
+ *
+ * `signature` is an optional Ed25519 signature over the canonical resolution
+ * document (`{ request_id, action_id, kind, approver_id, reason?, at }`),
+ * produced by the approver's private key. When present it makes the granted
+ * event **self-verifying in the log**: a reader can later re-check the grant
+ * came from an operator-pinned approver key, not merely trust that the proxy
+ * verified it at promotion time. Its `signer_id` equals `approver_id` (the same
+ * actor that resolved). Omitted entirely when unset (never `undefined`), so the
+ * canonical-hash discipline above carries through; the cross-process proxy path
+ * requires it (a forged side-channel grant cannot un-park an action), while the
+ * in-process resolver path may omit it (same trusted process, no forgery
+ * surface). Hash + verification live in `@qmilab/lodestar-policy-kernel`.
+ */
+export const ApprovalGrantedPayloadSchema = z.object({
+    request_id: z.string().min(1),
+    action_id: z.string().min(1),
+    approver_id: z.string().min(1).describe("actor_id of the resolver"),
+    reason: z.string().min(1).optional().describe("approver's note; omitted entirely when unset"),
+    at: TimestampSchema,
+    signature: SignatureSchema.optional().describe("Ed25519 signature over the canonical resolution; signer_id === approver_id; omitted entirely when unset"),
+});
+/**
+ * The payload of an `approval.denied@1` event. Identical shape to
+ * `approval.granted@1` — the verdict is carried by the event type, not a
+ * field. Defined as its own schema (rather than re-exporting one shared
+ * object) so the two event types stay independently evolvable. `signature`
+ * follows the same contract as the grant payload (a denial is also authority-
+ * bearing — it must not be forgeable into un-holding via a later grant either).
+ */
+export const ApprovalDeniedPayloadSchema = z.object({
+    request_id: z.string().min(1),
+    action_id: z.string().min(1),
+    approver_id: z.string().min(1).describe("actor_id of the resolver"),
+    reason: z.string().min(1).optional().describe("approver's note; omitted entirely when unset"),
+    at: TimestampSchema,
+    signature: SignatureSchema.optional().describe("Ed25519 signature over the canonical resolution; signer_id === approver_id; omitted entirely when unset"),
+});
+/**
+ * The payload of an `approval.expired@1` event: the deadline passed with no
+ * human resolution. Carries no `approver_id` — no actor resolved it; the
+ * passage of the deadline did. The Action Kernel transitions the parked action
+ * to `rejected` on receipt (a timed-out hold is a soft denial the agent
+ * re-proposes; durable resume is deferred — `policy-kernel.md`).
+ */
+export const ApprovalExpiredPayloadSchema = z.object({
+    request_id: z.string().min(1),
+    action_id: z.string().min(1),
+    at: TimestampSchema,
+});
+/**
+ * Event-type literals and versions. Use the constants rather than the bare
+ * strings so a future rename is grep-safe — same convention as
+ * `SENTINEL_ALERTED_EVENT_TYPE` and `REFLECTION_COMPLETED_EVENT_TYPE`.
+ */
+export const APPROVAL_REQUESTED_EVENT_TYPE = "approval.requested";
+export const APPROVAL_REQUESTED_SCHEMA_VERSION = "1";
+export const APPROVAL_GRANTED_EVENT_TYPE = "approval.granted";
+export const APPROVAL_GRANTED_SCHEMA_VERSION = "1";
+export const APPROVAL_DENIED_EVENT_TYPE = "approval.denied";
+export const APPROVAL_DENIED_SCHEMA_VERSION = "1";
+export const APPROVAL_EXPIRED_EVENT_TYPE = "approval.expired";
+export const APPROVAL_EXPIRED_SCHEMA_VERSION = "1";
+//# sourceMappingURL=approval.js.map

package/dist/schemas/approval.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"approval.js","sourceRoot":"","sources":["../../src/schemas/approval.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AACvB,OAAO,EAAE,eAAe,EAAE,MAAM,YAAY,CAAA;AAC5C,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAA;AAC7C,OAAO,EAAE,uBAAuB,EAAE,MAAM,aAAa,CAAA;AAErD;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AAEH;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC5C,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC7B,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,8CAA8C,CAAC;IACrF,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,qCAAqC,CAAC;IACzE,kBAAkB,EAAE,uBAAuB,CAAC,QAAQ,CAClD,wGAAwG,CACzG;IACD,YAAY,EAAE,eAAe;IAC7B,QAAQ,EAAE,eAAe,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAC3C,kFAAkF,CACnF;CACF,CAAC,CAAA;AAGF;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,CAAC,MAAM,4BAA4B,GAAG,CAAC,CAAC,MAAM,CAAC;IACnD,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC7B,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC5B,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,0BAA0B,CAAC;IACnE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,8CAA8C,CAAC;IAC7F,EAAE,EAAE,eAAe;IACnB,SAAS,EAAE,eAAe,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAC5C,yGAAyG,CAC1G;CACF,CAAC,CAAA;AAGF;;;;;;;GAOG;AACH,MAAM,CAAC,MAAM,2BAA2B,GAAG,CAAC,CAAC,MAAM,CAAC;IAClD,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC7B,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC5B,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,0BAA0B,CAAC;IACnE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,8CAA8C,CAAC;IAC7F,EAAE,EAAE,eAAe;IACnB,SAAS,EAAE,eAAe,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAC5C,yGAAyG,CAC1G;CACF,CAAC,CAAA;AAGF;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,4BAA4B,GAAG,CAAC,CAAC,MAAM,CAAC;IACnD,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC7B,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC5B,EAAE,EAAE,eAAe;CACpB,CAAC,CAAA;AAGF;;;;GAIG;AACH,MAAM,CAAC,MAAM,6BAA6B,GAAG,oBAA6B,CAAA;AAC1E,MAAM,CAAC,MAAM,iCAAiC,GAAG,GAAY,CAAA;AAC7D,MAAM,CAAC,MAAM,2BAA2B,GAAG,kBAA2B,CAAA;AACtE,MAAM,CAAC,MAAM,+BAA+B,GAAG,GAAY,CAAA;AAC3D,MAAM,CAAC,MAAM,0BAA0B,GAAG,iBAA0B,CAAA;AACpE,MAAM,CAAC,MAAM,8BAA8B,GAAG,GAAY,CAAA;AAC1D,MAAM,CAAC,MAAM,2BAA2B,GAAG,kBAA2B,CAAA;AACtE,MAAM,CAAC,MAAM,+BAA+B,GAAG,GAAY,CAAA"}

package/dist/schemas/belief.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"belief.d.ts","sourceRoot":"","sources":["../../src/schemas/belief.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAkBvB,eAAO,MAAM,iBAAiB,sEAAoE,CAAA;AAClG,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAA;AAE3D,eAAO,MAAM,qBAAqB,6EAA2E,CAAA;AAC7G,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAA;AAEnE,eAAO,MAAM,oBAAoB,gEAA8D,CAAA;AAC/F,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAA;AAEjE,eAAO,MAAM,qBAAqB,0CAAwC,CAAA;AAC1E,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAA;AAEnE;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,qBAAqB,kGAOhC,CAAA;AACF,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAA;AAEnE;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,YAAY;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAoBvB,CAAA;AACF,MAAM,MAAM,MAAM,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAA;AAWjD,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAoB9B,CAAA;AACF,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAA;AAE/D;;GAEG;AACH,eAAO,MAAM,sBAAsB,EAAE,aAWpC,CAAA"}
+{"version":3,"file":"belief.d.ts","sourceRoot":"","sources":["../../src/schemas/belief.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAkBvB,eAAO,MAAM,iBAAiB,sEAAoE,CAAA;AAClG,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAA;AAE3D,eAAO,MAAM,qBAAqB,6EAMhC,CAAA;AACF,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAA;AAEnE,eAAO,MAAM,oBAAoB,gEAA8D,CAAA;AAC/F,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAA;AAEjE,eAAO,MAAM,qBAAqB,0CAAwC,CAAA;AAC1E,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAA;AAEnE;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,qBAAqB,kGAOhC,CAAA;AACF,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAA;AAEnE;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,YAAY;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAoBvB,CAAA;AACF,MAAM,MAAM,MAAM,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAA;AAWjD,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAoB9B,CAAA;AACF,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAA;AAE/D;;GAEG;AACH,eAAO,MAAM,sBAAsB,EAAE,aAWpC,CAAA"}