npm - @reactive-agents/identity - Versions diffs - 0.1.0 - Mend

@reactive-agents/identity 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/LICENSE ADDED Viewed

@@ -0,0 +1,21 @@
+MIT License
+Copyright (c) 2026 Tyler Buell
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md ADDED Viewed

@@ -0,0 +1,36 @@
+# @reactive-agents/identity
+Identity and access control for the [Reactive Agents](https://tylerjrbuell.github.io/reactive-agents-ts/) framework.
+Manages agent certificates and role-based access control (RBAC) so agents can safely act on behalf of users with well-defined permissions.
+## Installation
+```bash
+bun add @reactive-agents/identity effect
+```
+## Features
+- **Agent certificates** — cryptographically identified agent instances
+- **RBAC** — role and permission checks before privileged operations
+- **Identity context** — propagated through the execution engine
+## Usage
+```typescript
+import { ReactiveAgents } from "reactive-agents";
+const agent = await ReactiveAgents.create()
+  .withName("privileged-agent")
+  .withProvider("anthropic")
+  .withIdentity({
+    roles: ["reader", "writer"],
+    issuer: "my-org",
+  })
+  .build();
+```
+## Documentation
+Full documentation at [tylerjrbuell.github.io/reactive-agents-ts](https://tylerjrbuell.github.io/reactive-agents-ts/)

package/dist/index.d.ts ADDED Viewed

@@ -0,0 +1,209 @@
+import { Schema, Effect, Context, Layer } from 'effect';
+import * as effect_Cause from 'effect/Cause';
+import * as effect_Types from 'effect/Types';
+import * as effect_Layer from 'effect/Layer';
+declare const AgentIdentitySchema: Schema.Struct<{
+    agentId: typeof Schema.String;
+    name: typeof Schema.String;
+    type: Schema.Literal<["primary", "worker", "orchestrator", "specialist"]>;
+    createdAt: typeof Schema.DateFromSelf;
+    metadata: Schema.optional<Schema.Record$<typeof Schema.String, typeof Schema.Unknown>>;
+}>;
+type AgentIdentity = typeof AgentIdentitySchema.Type;
+declare const CertificateSchema: Schema.Struct<{
+    serialNumber: typeof Schema.String;
+    agentId: typeof Schema.String;
+    issuedAt: typeof Schema.DateFromSelf;
+    expiresAt: typeof Schema.DateFromSelf;
+    publicKey: typeof Schema.String;
+    issuer: typeof Schema.String;
+    fingerprint: typeof Schema.String;
+    status: Schema.Literal<["active", "expired", "revoked"]>;
+}>;
+type Certificate = typeof CertificateSchema.Type;
+declare const AuthResultSchema: Schema.Struct<{
+    authenticated: typeof Schema.Boolean;
+    agentId: Schema.optional<typeof Schema.String>;
+    reason: Schema.optional<typeof Schema.String>;
+    expiresAt: Schema.optional<typeof Schema.DateFromSelf>;
+}>;
+type AuthResult = typeof AuthResultSchema.Type;
+declare const PermissionSchema: Schema.Struct<{
+    resource: typeof Schema.String;
+    actions: Schema.Array$<Schema.Literal<["read", "write", "execute", "delete", "admin"]>>;
+    expiresAt: Schema.optional<typeof Schema.DateFromSelf>;
+}>;
+type Permission = typeof PermissionSchema.Type;
+declare const RoleSchema: Schema.Struct<{
+    name: typeof Schema.String;
+    permissions: Schema.Array$<Schema.Struct<{
+        resource: typeof Schema.String;
+        actions: Schema.Array$<Schema.Literal<["read", "write", "execute", "delete", "admin"]>>;
+        expiresAt: Schema.optional<typeof Schema.DateFromSelf>;
+    }>>;
+    description: typeof Schema.String;
+}>;
+type Role = typeof RoleSchema.Type;
+declare const DefaultRoles: Record<string, Role>;
+declare const AuditEntrySchema: Schema.Struct<{
+    id: typeof Schema.String;
+    timestamp: typeof Schema.DateFromSelf;
+    agentId: typeof Schema.String;
+    sessionId: typeof Schema.String;
+    action: typeof Schema.String;
+    resource: Schema.optional<typeof Schema.String>;
+    result: Schema.Literal<["success", "failure", "denied"]>;
+    metadata: Schema.optional<Schema.Record$<typeof Schema.String, typeof Schema.Unknown>>;
+    parentAgentId: Schema.optional<typeof Schema.String>;
+    durationMs: Schema.optional<typeof Schema.Number>;
+}>;
+type AuditEntry = typeof AuditEntrySchema.Type;
+declare const DelegationSchema: Schema.Struct<{
+    id: typeof Schema.String;
+    fromAgentId: typeof Schema.String;
+    toAgentId: typeof Schema.String;
+    permissions: Schema.Array$<Schema.Struct<{
+        resource: typeof Schema.String;
+        actions: Schema.Array$<Schema.Literal<["read", "write", "execute", "delete", "admin"]>>;
+        expiresAt: Schema.optional<typeof Schema.DateFromSelf>;
+    }>>;
+    issuedAt: typeof Schema.DateFromSelf;
+    expiresAt: typeof Schema.DateFromSelf;
+    reason: typeof Schema.String;
+    status: Schema.Literal<["active", "expired", "revoked"]>;
+}>;
+type Delegation = typeof DelegationSchema.Type;
+declare const AuthzDecisionSchema: Schema.Struct<{
+    allowed: typeof Schema.Boolean;
+    resource: typeof Schema.String;
+    action: typeof Schema.String;
+    reason: Schema.optional<typeof Schema.String>;
+    matchedPermission: Schema.optional<Schema.Struct<{
+        resource: typeof Schema.String;
+        actions: Schema.Array$<Schema.Literal<["read", "write", "execute", "delete", "admin"]>>;
+        expiresAt: Schema.optional<typeof Schema.DateFromSelf>;
+    }>>;
+}>;
+type AuthzDecision = typeof AuthzDecisionSchema.Type;
+declare const AuthenticationError_base: new <A extends Record<string, any> = {}>(args: effect_Types.Equals<A, {}> extends true ? void : { readonly [P in keyof A as P extends "_tag" ? never : P]: A[P]; }) => effect_Cause.YieldableError & {
+    readonly _tag: "AuthenticationError";
+} & Readonly<A>;
+declare class AuthenticationError extends AuthenticationError_base<{
+    readonly message: string;
+    readonly reason: "invalid-certificate" | "expired" | "revoked" | "unknown-agent";
+    readonly agentId?: string;
+}> {
+}
+declare const AuthorizationError_base: new <A extends Record<string, any> = {}>(args: effect_Types.Equals<A, {}> extends true ? void : { readonly [P in keyof A as P extends "_tag" ? never : P]: A[P]; }) => effect_Cause.YieldableError & {
+    readonly _tag: "AuthorizationError";
+} & Readonly<A>;
+declare class AuthorizationError extends AuthorizationError_base<{
+    readonly message: string;
+    readonly agentId: string;
+    readonly resource: string;
+    readonly action: string;
+}> {
+}
+declare const AuditError_base: new <A extends Record<string, any> = {}>(args: effect_Types.Equals<A, {}> extends true ? void : { readonly [P in keyof A as P extends "_tag" ? never : P]: A[P]; }) => effect_Cause.YieldableError & {
+    readonly _tag: "AuditError";
+} & Readonly<A>;
+declare class AuditError extends AuditError_base<{
+    readonly message: string;
+    readonly cause?: unknown;
+}> {
+}
+declare const DelegationError_base: new <A extends Record<string, any> = {}>(args: effect_Types.Equals<A, {}> extends true ? void : { readonly [P in keyof A as P extends "_tag" ? never : P]: A[P]; }) => effect_Cause.YieldableError & {
+    readonly _tag: "DelegationError";
+} & Readonly<A>;
+declare class DelegationError extends DelegationError_base<{
+    readonly message: string;
+    readonly fromAgentId: string;
+    readonly toAgentId: string;
+}> {
+}
+declare const CredentialError_base: new <A extends Record<string, any> = {}>(args: effect_Types.Equals<A, {}> extends true ? void : { readonly [P in keyof A as P extends "_tag" ? never : P]: A[P]; }) => effect_Cause.YieldableError & {
+    readonly _tag: "CredentialError";
+} & Readonly<A>;
+declare class CredentialError extends CredentialError_base<{
+    readonly message: string;
+    readonly agentId: string;
+    readonly operation: "issue" | "rotate" | "revoke";
+}> {
+}
+interface CertificateAuth {
+    readonly authenticate: (cert: Certificate) => Effect.Effect<AuthResult, AuthenticationError>;
+    readonly issueCertificate: (agentId: string, ttlMs?: number) => Effect.Effect<Certificate, CredentialError>;
+    readonly rotateCertificate: (agentId: string) => Effect.Effect<Certificate, CredentialError>;
+    readonly revokeCertificate: (serialNumber: string) => Effect.Effect<void, CredentialError>;
+}
+declare const makeCertificateAuth: Effect.Effect<{
+    authenticate: (cert: Certificate) => Effect.Effect<AuthResult, AuthenticationError>;
+    issueCertificate: (agentId: string, ttlMs?: number) => Effect.Effect<Certificate, CredentialError>;
+    rotateCertificate: (agentId: string) => Effect.Effect<Certificate, CredentialError>;
+    revokeCertificate: (serialNumber: string) => Effect.Effect<void, CredentialError>;
+}, never, never>;
+interface PermissionManager {
+    readonly assignRole: (agentId: string, role: Role) => Effect.Effect<void, never>;
+    readonly getRoles: (agentId: string) => Effect.Effect<readonly Role[], never>;
+    readonly authorize: (agentId: string, resource: string, action: "read" | "write" | "execute" | "delete" | "admin") => Effect.Effect<AuthzDecision, AuthorizationError>;
+    readonly delegate: (fromAgentId: string, toAgentId: string, permissions: readonly Permission[], reason: string, durationMs: number) => Effect.Effect<Delegation, DelegationError>;
+    readonly revokeDelegation: (delegationId: string) => Effect.Effect<void, DelegationError>;
+}
+declare const makePermissionManager: Effect.Effect<{
+    assignRole: (agentId: string, role: Role) => Effect.Effect<void, never>;
+    getRoles: (agentId: string) => Effect.Effect<readonly Role[], never>;
+    authorize: (agentId: string, resource: string, action: "read" | "write" | "execute" | "delete" | "admin") => Effect.Effect<AuthzDecision, AuthorizationError>;
+    delegate: (fromAgentId: string, toAgentId: string, permissions: readonly Permission[], reason: string, durationMs: number) => Effect.Effect<Delegation, DelegationError>;
+    revokeDelegation: (delegationId: string) => Effect.Effect<void, DelegationError>;
+}, never, never>;
+interface AuditLogger {
+    readonly log: (entry: Omit<AuditEntry, "id" | "timestamp">) => Effect.Effect<void, AuditError>;
+    readonly query: (agentId: string, options?: {
+        startDate?: Date;
+        endDate?: Date;
+        action?: string;
+        limit?: number;
+    }) => Effect.Effect<readonly AuditEntry[], AuditError>;
+}
+declare const makeAuditLogger: Effect.Effect<{
+    log: (entry: Omit<AuditEntry, "id" | "timestamp">) => Effect.Effect<void, AuditError>;
+    query: (agentId: string, options?: {
+        startDate?: Date;
+        endDate?: Date;
+        action?: string;
+        limit?: number;
+    }) => Effect.Effect<readonly AuditEntry[], AuditError>;
+}, never, never>;
+declare const IdentityService_base: Context.TagClass<IdentityService, "IdentityService", {
+    readonly authenticate: (certificate: Certificate) => Effect.Effect<AuthResult, AuthenticationError>;
+    readonly authorize: (agentId: string, resource: string, action: "read" | "write" | "execute" | "delete" | "admin") => Effect.Effect<AuthzDecision, AuthorizationError>;
+    readonly assignRole: (agentId: string, role: Role) => Effect.Effect<void, never>;
+    readonly getRoles: (agentId: string) => Effect.Effect<readonly Role[], never>;
+    readonly audit: (entry: Omit<AuditEntry, "id" | "timestamp">) => Effect.Effect<void, AuditError>;
+    readonly queryAudit: (agentId: string, options?: {
+        startDate?: Date;
+        endDate?: Date;
+        action?: string;
+        limit?: number;
+    }) => Effect.Effect<readonly AuditEntry[], AuditError>;
+    readonly delegate: (fromAgentId: string, toAgentId: string, permissions: readonly Permission[], reason: string, durationMs: number) => Effect.Effect<Delegation, DelegationError>;
+    readonly revokeDelegation: (delegationId: string) => Effect.Effect<void, DelegationError>;
+    readonly issueCertificate: (agentId: string, ttlMs?: number) => Effect.Effect<Certificate, CredentialError>;
+    readonly rotateCertificate: (agentId: string) => Effect.Effect<Certificate, CredentialError>;
+    readonly getIdentity: (agentId: string) => Effect.Effect<AgentIdentity & {
+        roles: readonly Role[];
+    }, AuthenticationError>;
+}>;
+declare class IdentityService extends IdentityService_base {
+}
+declare const IdentityServiceLive: Layer.Layer<IdentityService, never, never>;
+declare const createIdentityLayer: () => effect_Layer.Layer<IdentityService, never, never>;
+export { type AgentIdentity, AgentIdentitySchema, type AuditEntry, AuditEntrySchema, AuditError, type AuditLogger, type AuthResult, AuthResultSchema, AuthenticationError, AuthorizationError, type AuthzDecision, AuthzDecisionSchema, type Certificate, type CertificateAuth, CertificateSchema, CredentialError, DefaultRoles, type Delegation, DelegationError, DelegationSchema, IdentityService, IdentityServiceLive, type Permission, type PermissionManager, PermissionSchema, type Role, RoleSchema, createIdentityLayer, makeAuditLogger, makeCertificateAuth, makePermissionManager };

package/dist/index.js ADDED Viewed

@@ -0,0 +1,385 @@
+// src/types.ts
+import { Schema } from "effect";
+var AgentIdentitySchema = Schema.Struct({
+  agentId: Schema.String,
+  name: Schema.String,
+  type: Schema.Literal("primary", "worker", "orchestrator", "specialist"),
+  createdAt: Schema.DateFromSelf,
+  metadata: Schema.optional(Schema.Record({ key: Schema.String, value: Schema.Unknown }))
+});
+var CertificateSchema = Schema.Struct({
+  serialNumber: Schema.String,
+  agentId: Schema.String,
+  issuedAt: Schema.DateFromSelf,
+  expiresAt: Schema.DateFromSelf,
+  publicKey: Schema.String,
+  issuer: Schema.String,
+  fingerprint: Schema.String,
+  status: Schema.Literal("active", "expired", "revoked")
+});
+var AuthResultSchema = Schema.Struct({
+  authenticated: Schema.Boolean,
+  agentId: Schema.optional(Schema.String),
+  reason: Schema.optional(Schema.String),
+  expiresAt: Schema.optional(Schema.DateFromSelf)
+});
+var PermissionSchema = Schema.Struct({
+  resource: Schema.String,
+  actions: Schema.Array(Schema.Literal("read", "write", "execute", "delete", "admin")),
+  expiresAt: Schema.optional(Schema.DateFromSelf)
+});
+var RoleSchema = Schema.Struct({
+  name: Schema.String,
+  permissions: Schema.Array(PermissionSchema),
+  description: Schema.String
+});
+var DefaultRoles = {
+  "agent-basic": {
+    name: "agent-basic",
+    description: "Basic agent with limited tool access",
+    permissions: [
+      { resource: "memory/working", actions: ["read", "write"] },
+      { resource: "tools/basic/*", actions: ["execute"] },
+      { resource: "llm/haiku", actions: ["execute"] }
+    ]
+  },
+  "agent-standard": {
+    name: "agent-standard",
+    description: "Standard agent with full tool and memory access",
+    permissions: [
+      { resource: "memory/*", actions: ["read", "write"] },
+      { resource: "tools/*", actions: ["execute"] },
+      { resource: "llm/haiku", actions: ["execute"] },
+      { resource: "llm/sonnet", actions: ["execute"] }
+    ]
+  },
+  "agent-privileged": {
+    name: "agent-privileged",
+    description: "Privileged agent with full access including admin ops",
+    permissions: [
+      { resource: "*", actions: ["read", "write", "execute", "delete"] },
+      { resource: "llm/*", actions: ["execute"] }
+    ]
+  },
+  orchestrator: {
+    name: "orchestrator",
+    description: "Orchestrator with agent management and delegation rights",
+    permissions: [
+      { resource: "*", actions: ["read", "write", "execute", "delete", "admin"] },
+      { resource: "llm/*", actions: ["execute"] },
+      { resource: "agents/*", actions: ["read", "write", "execute", "admin"] }
+    ]
+  }
+};
+var AuditEntrySchema = Schema.Struct({
+  id: Schema.String,
+  timestamp: Schema.DateFromSelf,
+  agentId: Schema.String,
+  sessionId: Schema.String,
+  action: Schema.String,
+  resource: Schema.optional(Schema.String),
+  result: Schema.Literal("success", "failure", "denied"),
+  metadata: Schema.optional(Schema.Record({ key: Schema.String, value: Schema.Unknown })),
+  parentAgentId: Schema.optional(Schema.String),
+  durationMs: Schema.optional(Schema.Number)
+});
+var DelegationSchema = Schema.Struct({
+  id: Schema.String,
+  fromAgentId: Schema.String,
+  toAgentId: Schema.String,
+  permissions: Schema.Array(PermissionSchema),
+  issuedAt: Schema.DateFromSelf,
+  expiresAt: Schema.DateFromSelf,
+  reason: Schema.String,
+  status: Schema.Literal("active", "expired", "revoked")
+});
+var AuthzDecisionSchema = Schema.Struct({
+  allowed: Schema.Boolean,
+  resource: Schema.String,
+  action: Schema.String,
+  reason: Schema.optional(Schema.String),
+  matchedPermission: Schema.optional(PermissionSchema)
+});
+// src/errors.ts
+import { Data } from "effect";
+var AuthenticationError = class extends Data.TaggedError("AuthenticationError") {
+};
+var AuthorizationError = class extends Data.TaggedError("AuthorizationError") {
+};
+var AuditError = class extends Data.TaggedError("AuditError") {
+};
+var DelegationError = class extends Data.TaggedError("DelegationError") {
+};
+var CredentialError = class extends Data.TaggedError("CredentialError") {
+};
+// src/auth/certificate-auth.ts
+import { Effect, Ref } from "effect";
+var makeCertificateAuth = Effect.gen(function* () {
+  const certsRef = yield* Ref.make(/* @__PURE__ */ new Map());
+  const revokedRef = yield* Ref.make(/* @__PURE__ */ new Set());
+  const authenticate = (cert) => Effect.gen(function* () {
+    if (!cert.serialNumber || !cert.publicKey || !cert.fingerprint) {
+      return yield* Effect.fail(
+        new AuthenticationError({
+          message: `Invalid certificate for agent ${cert.agentId}`,
+          reason: "invalid-certificate",
+          agentId: cert.agentId
+        })
+      );
+    }
+    if (cert.expiresAt < /* @__PURE__ */ new Date()) {
+      return yield* Effect.fail(
+        new AuthenticationError({
+          message: `Certificate expired for agent ${cert.agentId}`,
+          reason: "expired",
+          agentId: cert.agentId
+        })
+      );
+    }
+    const revoked = yield* Ref.get(revokedRef);
+    if (revoked.has(cert.serialNumber)) {
+      return yield* Effect.fail(
+        new AuthenticationError({
+          message: `Certificate revoked for agent ${cert.agentId}`,
+          reason: "revoked",
+          agentId: cert.agentId
+        })
+      );
+    }
+    return {
+      authenticated: true,
+      agentId: cert.agentId,
+      expiresAt: cert.expiresAt
+    };
+  });
+  const issueCertificate = (agentId, ttlMs = 7 * 24 * 60 * 60 * 1e3) => Effect.try({
+    try: () => {
+      const now = /* @__PURE__ */ new Date();
+      const serialNumber = crypto.randomUUID();
+      const publicKey = `pk-${crypto.randomUUID()}`;
+      const fingerprint = `fp-${crypto.randomUUID().slice(0, 16)}`;
+      const cert = {
+        serialNumber,
+        agentId,
+        issuedAt: now,
+        expiresAt: new Date(now.getTime() + ttlMs),
+        publicKey,
+        issuer: "reactive-agents-ca",
+        fingerprint,
+        status: "active"
+      };
+      return cert;
+    },
+    catch: (e) => new CredentialError({
+      message: `Failed to issue certificate: ${e}`,
+      agentId,
+      operation: "issue"
+    })
+  }).pipe(
+    Effect.tap(
+      (cert) => Ref.update(certsRef, (certs) => {
+        const newCerts = new Map(certs);
+        newCerts.set(cert.serialNumber, cert);
+        return newCerts;
+      })
+    )
+  );
+  const rotateCertificate = (agentId) => Effect.gen(function* () {
+    const certs = yield* Ref.get(certsRef);
+    for (const [serial, cert] of certs) {
+      if (cert.agentId === agentId && cert.status === "active") {
+        yield* Ref.update(revokedRef, (revoked) => /* @__PURE__ */ new Set([...revoked, serial]));
+      }
+    }
+    return yield* issueCertificate(agentId);
+  });
+  const revokeCertificate = (serialNumber) => Ref.update(revokedRef, (revoked) => /* @__PURE__ */ new Set([...revoked, serialNumber])).pipe(
+    Effect.mapError(
+      () => new CredentialError({ message: "Revocation failed", agentId: "unknown", operation: "revoke" })
+    )
+  );
+  return { authenticate, issueCertificate, rotateCertificate, revokeCertificate };
+});
+// src/authz/permission-manager.ts
+import { Effect as Effect2, Ref as Ref2 } from "effect";
+var makePermissionManager = Effect2.gen(function* () {
+  const agentRolesRef = yield* Ref2.make(/* @__PURE__ */ new Map());
+  const delegationsRef = yield* Ref2.make([]);
+  const assignRole = (agentId, role) => Ref2.update(agentRolesRef, (map) => {
+    const newMap = new Map(map);
+    const existing = newMap.get(agentId) ?? [];
+    if (!existing.find((r) => r.name === role.name)) {
+      newMap.set(agentId, [...existing, role]);
+    }
+    return newMap;
+  });
+  const getRoles = (agentId) => Ref2.get(agentRolesRef).pipe(Effect2.map((map) => map.get(agentId) ?? []));
+  const authorize = (agentId, resource, action) => Effect2.gen(function* () {
+    const roles = yield* Ref2.get(agentRolesRef).pipe(
+      Effect2.map((map) => map.get(agentId) ?? [])
+    );
+    const delegations = yield* Ref2.get(delegationsRef).pipe(
+      Effect2.map(
+        (dels) => dels.filter(
+          (d) => d.toAgentId === agentId && d.status === "active" && d.expiresAt > /* @__PURE__ */ new Date()
+        )
+      )
+    );
+    const allPermissions = [
+      ...roles.flatMap((r) => r.permissions),
+      ...delegations.flatMap((d) => [...d.permissions])
+    ];
+    const matched = allPermissions.find((p) => {
+      const resourceMatch = matchWildcard(p.resource, resource);
+      const actionMatch = p.actions.includes(action) || p.actions.includes("admin");
+      const notExpired = !p.expiresAt || p.expiresAt > /* @__PURE__ */ new Date();
+      return resourceMatch && actionMatch && notExpired;
+    });
+    if (matched) {
+      return { allowed: true, resource, action, matchedPermission: matched };
+    }
+    return yield* Effect2.fail(
+      new AuthorizationError({
+        message: `Agent ${agentId} not authorized for ${action} on ${resource}`,
+        agentId,
+        resource,
+        action
+      })
+    );
+  });
+  const delegate = (fromAgentId, toAgentId, permissions, reason, durationMs) => Effect2.gen(function* () {
+    for (const perm of permissions) {
+      for (const action of perm.actions) {
+        yield* authorize(fromAgentId, perm.resource, action).pipe(
+          Effect2.mapError(
+            () => new DelegationError({
+              message: `Cannot delegate ${action} on ${perm.resource}: delegator lacks permission`,
+              fromAgentId,
+              toAgentId
+            })
+          )
+        );
+      }
+    }
+    const now = /* @__PURE__ */ new Date();
+    const delegation = {
+      id: crypto.randomUUID(),
+      fromAgentId,
+      toAgentId,
+      permissions: [...permissions],
+      issuedAt: now,
+      expiresAt: new Date(now.getTime() + durationMs),
+      reason,
+      status: "active"
+    };
+    yield* Ref2.update(delegationsRef, (dels) => [...dels, delegation]);
+    return delegation;
+  });
+  const revokeDelegation = (delegationId) => Ref2.update(
+    delegationsRef,
+    (dels) => dels.map((d) => d.id === delegationId ? { ...d, status: "revoked" } : d)
+  ).pipe(
+    Effect2.mapError(
+      () => new DelegationError({ message: "Revocation failed", fromAgentId: "", toAgentId: "" })
+    )
+  );
+  return { assignRole, getRoles, authorize, delegate, revokeDelegation };
+});
+function matchWildcard(pattern, value) {
+  if (pattern === "*") return true;
+  const regex = new RegExp("^" + pattern.replace(/\*/g, ".*").replace(/\?/g, ".") + "$");
+  return regex.test(value);
+}
+// src/audit/audit-logger.ts
+import { Effect as Effect3, Ref as Ref3 } from "effect";
+var makeAuditLogger = Effect3.gen(function* () {
+  const logRef = yield* Ref3.make([]);
+  const log = (entry) => Ref3.update(logRef, (entries) => [
+    ...entries,
+    { ...entry, id: crypto.randomUUID(), timestamp: /* @__PURE__ */ new Date() }
+  ]).pipe(
+    Effect3.mapError((e) => new AuditError({ message: "Audit logging failed", cause: e }))
+  );
+  const query = (agentId, options) => Effect3.gen(function* () {
+    const allEntries = yield* Ref3.get(logRef);
+    let filtered = allEntries.filter((e) => {
+      if (e.agentId !== agentId) return false;
+      if (options?.startDate && e.timestamp < options.startDate) return false;
+      if (options?.endDate && e.timestamp > options.endDate) return false;
+      if (options?.action && e.action !== options.action) return false;
+      return true;
+    });
+    if (options?.limit) {
+      filtered = filtered.slice(-options.limit);
+    }
+    return filtered;
+  }).pipe(
+    Effect3.mapError((e) => new AuditError({ message: "Audit query failed", cause: e }))
+  );
+  return { log, query };
+});
+// src/identity-service.ts
+import { Effect as Effect4, Context, Layer } from "effect";
+var IdentityService = class extends Context.Tag("IdentityService")() {
+};
+var IdentityServiceLive = Layer.effect(
+  IdentityService,
+  Effect4.gen(function* () {
+    const certAuth = yield* makeCertificateAuth;
+    const permissions = yield* makePermissionManager;
+    const auditLogger = yield* makeAuditLogger;
+    return {
+      authenticate: (cert) => certAuth.authenticate(cert),
+      authorize: (agentId, resource, action) => permissions.authorize(agentId, resource, action),
+      assignRole: (agentId, role) => permissions.assignRole(agentId, role),
+      getRoles: (agentId) => permissions.getRoles(agentId),
+      audit: (entry) => auditLogger.log(entry),
+      queryAudit: (agentId, options) => auditLogger.query(agentId, options),
+      delegate: (from, to, perms, reason, dur) => permissions.delegate(from, to, perms, reason, dur),
+      revokeDelegation: (id) => permissions.revokeDelegation(id),
+      issueCertificate: (agentId, ttlMs) => certAuth.issueCertificate(agentId, ttlMs),
+      rotateCertificate: (agentId) => certAuth.rotateCertificate(agentId),
+      getIdentity: (agentId) => Effect4.gen(function* () {
+        const roles = yield* permissions.getRoles(agentId);
+        return {
+          agentId,
+          name: agentId,
+          type: "primary",
+          createdAt: /* @__PURE__ */ new Date(),
+          roles: roles.length > 0 ? roles : [DefaultRoles["agent-standard"]]
+        };
+      })
+    };
+  })
+);
+// src/runtime.ts
+var createIdentityLayer = () => IdentityServiceLive;
+export {
+  AgentIdentitySchema,
+  AuditEntrySchema,
+  AuditError,
+  AuthResultSchema,
+  AuthenticationError,
+  AuthorizationError,
+  AuthzDecisionSchema,
+  CertificateSchema,
+  CredentialError,
+  DefaultRoles,
+  DelegationError,
+  DelegationSchema,
+  IdentityService,
+  IdentityServiceLive,
+  PermissionSchema,
+  RoleSchema,
+  createIdentityLayer,
+  makeAuditLogger,
+  makeCertificateAuth,
+  makePermissionManager
+};
+//# sourceMappingURL=index.js.map

package/dist/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/types.ts","../src/errors.ts","../src/auth/certificate-auth.ts","../src/authz/permission-manager.ts","../src/audit/audit-logger.ts","../src/identity-service.ts","../src/runtime.ts"],"sourcesContent":["import { Schema } from \"effect\";\n\n// ─── Agent Identity ───\n\nexport const AgentIdentitySchema = Schema.Struct({\n agentId: Schema.String,\n name: Schema.String,\n type: Schema.Literal(\"primary\", \"worker\", \"orchestrator\", \"specialist\"),\n createdAt: Schema.DateFromSelf,\n metadata: Schema.optional(Schema.Record({ key: Schema.String, value: Schema.Unknown })),\n});\nexport type AgentIdentity = typeof AgentIdentitySchema.Type;\n\n// ─── Certificate ───\n\nexport const CertificateSchema = Schema.Struct({\n serialNumber: Schema.String,\n agentId: Schema.String,\n issuedAt: Schema.DateFromSelf,\n expiresAt: Schema.DateFromSelf,\n publicKey: Schema.String,\n issuer: Schema.String,\n fingerprint: Schema.String,\n status: Schema.Literal(\"active\", \"expired\", \"revoked\"),\n});\nexport type Certificate = typeof CertificateSchema.Type;\n\n// ─── Authentication Result ───\n\nexport const AuthResultSchema = Schema.Struct({\n authenticated: Schema.Boolean,\n agentId: Schema.optional(Schema.String),\n reason: Schema.optional(Schema.String),\n expiresAt: Schema.optional(Schema.DateFromSelf),\n});\nexport type AuthResult = typeof AuthResultSchema.Type;\n\n// ─── Permission ───\n\nexport const PermissionSchema = Schema.Struct({\n resource: Schema.String,\n actions: Schema.Array(Schema.Literal(\"read\", \"write\", \"execute\", \"delete\", \"admin\")),\n expiresAt: Schema.optional(Schema.DateFromSelf),\n});\nexport type Permission = typeof PermissionSchema.Type;\n\n// ─── Role ───\n\nexport const RoleSchema = Schema.Struct({\n name: Schema.String,\n permissions: Schema.Array(PermissionSchema),\n description: Schema.String,\n});\nexport type Role = typeof RoleSchema.Type;\n\n// ─── Pre-defined Roles ───\n\nexport const DefaultRoles: Record<string, Role> = {\n \"agent-basic\": {\n name: \"agent-basic\",\n description: \"Basic agent with limited tool access\",\n permissions: [\n { resource: \"memory/working\", actions: [\"read\", \"write\"] },\n { resource: \"tools/basic/*\", actions: [\"execute\"] },\n { resource: \"llm/haiku\", actions: [\"execute\"] },\n ],\n },\n \"agent-standard\": {\n name: \"agent-standard\",\n description: \"Standard agent with full tool and memory access\",\n permissions: [\n { resource: \"memory/*\", actions: [\"read\", \"write\"] },\n { resource: \"tools/*\", actions: [\"execute\"] },\n { resource: \"llm/haiku\", actions: [\"execute\"] },\n { resource: \"llm/sonnet\", actions: [\"execute\"] },\n ],\n },\n \"agent-privileged\": {\n name: \"agent-privileged\",\n description: \"Privileged agent with full access including admin ops\",\n permissions: [\n { resource: \"*\", actions: [\"read\", \"write\", \"execute\", \"delete\"] },\n { resource: \"llm/*\", actions: [\"execute\"] },\n ],\n },\n orchestrator: {\n name: \"orchestrator\",\n description: \"Orchestrator with agent management and delegation rights\",\n permissions: [\n { resource: \"*\", actions: [\"read\", \"write\", \"execute\", \"delete\", \"admin\"] },\n { resource: \"llm/*\", actions: [\"execute\"] },\n { resource: \"agents/*\", actions: [\"read\", \"write\", \"execute\", \"admin\"] },\n ],\n },\n};\n\n// ─── Audit Entry ───\n\nexport const AuditEntrySchema = Schema.Struct({\n id: Schema.String,\n timestamp: Schema.DateFromSelf,\n agentId: Schema.String,\n sessionId: Schema.String,\n action: Schema.String,\n resource: Schema.optional(Schema.String),\n result: Schema.Literal(\"success\", \"failure\", \"denied\"),\n metadata: Schema.optional(Schema.Record({ key: Schema.String, value: Schema.Unknown })),\n parentAgentId: Schema.optional(Schema.String),\n durationMs: Schema.optional(Schema.Number),\n});\nexport type AuditEntry = typeof AuditEntrySchema.Type;\n\n// ─── Delegation ───\n\nexport const DelegationSchema = Schema.Struct({\n id: Schema.String,\n fromAgentId: Schema.String,\n toAgentId: Schema.String,\n permissions: Schema.Array(PermissionSchema),\n issuedAt: Schema.DateFromSelf,\n expiresAt: Schema.DateFromSelf,\n reason: Schema.String,\n status: Schema.Literal(\"active\", \"expired\", \"revoked\"),\n});\nexport type Delegation = typeof DelegationSchema.Type;\n\n// ─── Authorization Decision ───\n\nexport const AuthzDecisionSchema = Schema.Struct({\n allowed: Schema.Boolean,\n resource: Schema.String,\n action: Schema.String,\n reason: Schema.optional(Schema.String),\n matchedPermission: Schema.optional(PermissionSchema),\n});\nexport type AuthzDecision = typeof AuthzDecisionSchema.Type;\n","import { Data } from \"effect\";\n\nexport class AuthenticationError extends Data.TaggedError(\"AuthenticationError\")<{\n readonly message: string;\n readonly reason: \"invalid-certificate\" | \"expired\" | \"revoked\" | \"unknown-agent\";\n readonly agentId?: string;\n}> {}\n\nexport class AuthorizationError extends Data.TaggedError(\"AuthorizationError\")<{\n readonly message: string;\n readonly agentId: string;\n readonly resource: string;\n readonly action: string;\n}> {}\n\nexport class AuditError extends Data.TaggedError(\"AuditError\")<{\n readonly message: string;\n readonly cause?: unknown;\n}> {}\n\nexport class DelegationError extends Data.TaggedError(\"DelegationError\")<{\n readonly message: string;\n readonly fromAgentId: string;\n readonly toAgentId: string;\n}> {}\n\nexport class CredentialError extends Data.TaggedError(\"CredentialError\")<{\n readonly message: string;\n readonly agentId: string;\n readonly operation: \"issue\" | \"rotate\" | \"revoke\";\n}> {}\n","import { Effect, Ref } from \"effect\";\nimport type { Certificate, AuthResult } from \"../types.js\";\nimport { AuthenticationError, CredentialError } from \"../errors.js\";\n\nexport interface CertificateAuth {\n readonly authenticate: (cert: Certificate) => Effect.Effect<AuthResult, AuthenticationError>;\n readonly issueCertificate: (agentId: string, ttlMs?: number) => Effect.Effect<Certificate, CredentialError>;\n readonly rotateCertificate: (agentId: string) => Effect.Effect<Certificate, CredentialError>;\n readonly revokeCertificate: (serialNumber: string) => Effect.Effect<void, CredentialError>;\n}\n\nexport const makeCertificateAuth = Effect.gen(function* () {\n const certsRef = yield* Ref.make<Map<string, Certificate>>(new Map());\n const revokedRef = yield* Ref.make<Set<string>>(new Set());\n\n const authenticate = (\n cert: Certificate,\n ): Effect.Effect<AuthResult, AuthenticationError> =>\n Effect.gen(function* () {\n // Verify certificate format\n if (!cert.serialNumber || !cert.publicKey || !cert.fingerprint) {\n return yield* Effect.fail(\n new AuthenticationError({\n message: `Invalid certificate for agent ${cert.agentId}`,\n reason: \"invalid-certificate\",\n agentId: cert.agentId,\n }),\n );\n }\n\n // Check expiration\n if (cert.expiresAt < new Date()) {\n return yield* Effect.fail(\n new AuthenticationError({\n message: `Certificate expired for agent ${cert.agentId}`,\n reason: \"expired\",\n agentId: cert.agentId,\n }),\n );\n }\n\n // Check revocation\n const revoked = yield* Ref.get(revokedRef);\n if (revoked.has(cert.serialNumber)) {\n return yield* Effect.fail(\n new AuthenticationError({\n message: `Certificate revoked for agent ${cert.agentId}`,\n reason: \"revoked\",\n agentId: cert.agentId,\n }),\n );\n }\n\n return {\n authenticated: true,\n agentId: cert.agentId,\n expiresAt: cert.expiresAt,\n };\n });\n\n const issueCertificate = (\n agentId: string,\n ttlMs: number = 7 * 24 * 60 * 60 * 1000,\n ): Effect.Effect<Certificate, CredentialError> =>\n Effect.try({\n try: () => {\n const now = new Date();\n const serialNumber = crypto.randomUUID();\n const publicKey = `pk-${crypto.randomUUID()}`;\n const fingerprint = `fp-${crypto.randomUUID().slice(0, 16)}`;\n\n const cert: Certificate = {\n serialNumber,\n agentId,\n issuedAt: now,\n expiresAt: new Date(now.getTime() + ttlMs),\n publicKey,\n issuer: \"reactive-agents-ca\",\n fingerprint,\n status: \"active\",\n };\n\n return cert;\n },\n catch: (e) =>\n new CredentialError({\n message: `Failed to issue certificate: ${e}`,\n agentId,\n operation: \"issue\",\n }),\n }).pipe(\n Effect.tap((cert) =>\n Ref.update(certsRef, (certs) => {\n const newCerts = new Map(certs);\n newCerts.set(cert.serialNumber, cert);\n return newCerts;\n }),\n ),\n );\n\n const rotateCertificate = (\n agentId: string,\n ): Effect.Effect<Certificate, CredentialError> =>\n Effect.gen(function* () {\n // Revoke all existing certificates for this agent\n const certs = yield* Ref.get(certsRef);\n for (const [serial, cert] of certs) {\n if (cert.agentId === agentId && cert.status === \"active\") {\n yield* Ref.update(revokedRef, (revoked) => new Set([...revoked, serial]));\n }\n }\n // Issue new certificate\n return yield* issueCertificate(agentId);\n });\n\n const revokeCertificate = (\n serialNumber: string,\n ): Effect.Effect<void, CredentialError> =>\n Ref.update(revokedRef, (revoked) => new Set([...revoked, serialNumber])).pipe(\n Effect.mapError(\n () => new CredentialError({ message: \"Revocation failed\", agentId: \"unknown\", operation: \"revoke\" }),\n ),\n );\n\n return { authenticate, issueCertificate, rotateCertificate, revokeCertificate } satisfies CertificateAuth;\n});\n","import { Effect, Ref } from \"effect\";\nimport type { Role, Permission, AuthzDecision, Delegation } from \"../types.js\";\nimport { AuthorizationError, DelegationError } from \"../errors.js\";\n\nexport interface PermissionManager {\n readonly assignRole: (agentId: string, role: Role) => Effect.Effect<void, never>;\n readonly getRoles: (agentId: string) => Effect.Effect<readonly Role[], never>;\n readonly authorize: (agentId: string, resource: string, action: \"read\" | \"write\" | \"execute\" | \"delete\" | \"admin\") => Effect.Effect<AuthzDecision, AuthorizationError>;\n readonly delegate: (fromAgentId: string, toAgentId: string, permissions: readonly Permission[], reason: string, durationMs: number) => Effect.Effect<Delegation, DelegationError>;\n readonly revokeDelegation: (delegationId: string) => Effect.Effect<void, DelegationError>;\n}\n\nexport const makePermissionManager = Effect.gen(function* () {\n const agentRolesRef = yield* Ref.make<Map<string, Role[]>>(new Map());\n const delegationsRef = yield* Ref.make<Delegation[]>([]);\n\n const assignRole = (agentId: string, role: Role): Effect.Effect<void, never> =>\n Ref.update(agentRolesRef, (map) => {\n const newMap = new Map(map);\n const existing = newMap.get(agentId) ?? [];\n // Don't add duplicate roles\n if (!existing.find((r) => r.name === role.name)) {\n newMap.set(agentId, [...existing, role]);\n }\n return newMap;\n });\n\n const getRoles = (agentId: string): Effect.Effect<readonly Role[], never> =>\n Ref.get(agentRolesRef).pipe(Effect.map((map) => map.get(agentId) ?? []));\n\n const authorize = (\n agentId: string,\n resource: string,\n action: \"read\" | \"write\" | \"execute\" | \"delete\" | \"admin\",\n ): Effect.Effect<AuthzDecision, AuthorizationError> =>\n Effect.gen(function* () {\n const roles = yield* Ref.get(agentRolesRef).pipe(\n Effect.map((map) => map.get(agentId) ?? []),\n );\n\n const delegations = yield* Ref.get(delegationsRef).pipe(\n Effect.map((dels) =>\n dels.filter(\n (d) => d.toAgentId === agentId && d.status === \"active\" && d.expiresAt > new Date(),\n ),\n ),\n );\n\n const allPermissions: Permission[] = [\n ...roles.flatMap((r) => r.permissions),\n ...delegations.flatMap((d) => [...d.permissions]),\n ];\n\n const matched = allPermissions.find((p) => {\n const resourceMatch = matchWildcard(p.resource, resource);\n const actionMatch = p.actions.includes(action) || p.actions.includes(\"admin\");\n const notExpired = !p.expiresAt || p.expiresAt > new Date();\n return resourceMatch && actionMatch && notExpired;\n });\n\n if (matched) {\n return { allowed: true, resource, action, matchedPermission: matched };\n }\n\n return yield* Effect.fail(\n new AuthorizationError({\n message: `Agent ${agentId} not authorized for ${action} on ${resource}`,\n agentId,\n resource,\n action,\n }),\n );\n });\n\n const delegate = (\n fromAgentId: string,\n toAgentId: string,\n permissions: readonly Permission[],\n reason: string,\n durationMs: number,\n ): Effect.Effect<Delegation, DelegationError> =>\n Effect.gen(function* () {\n // Verify delegator has the permissions they're delegating\n for (const perm of permissions) {\n for (const action of perm.actions) {\n yield* authorize(fromAgentId, perm.resource, action).pipe(\n Effect.mapError(\n () =>\n new DelegationError({\n message: `Cannot delegate ${action} on ${perm.resource}: delegator lacks permission`,\n fromAgentId,\n toAgentId,\n }),\n ),\n );\n }\n }\n\n const now = new Date();\n const delegation: Delegation = {\n id: crypto.randomUUID(),\n fromAgentId,\n toAgentId,\n permissions: [...permissions],\n issuedAt: now,\n expiresAt: new Date(now.getTime() + durationMs),\n reason,\n status: \"active\",\n };\n\n yield* Ref.update(delegationsRef, (dels) => [...dels, delegation]);\n return delegation;\n });\n\n const revokeDelegation = (delegationId: string): Effect.Effect<void, DelegationError> =>\n Ref.update(delegationsRef, (dels) =>\n dels.map((d) => (d.id === delegationId ? { ...d, status: \"revoked\" as const } : d)),\n ).pipe(\n Effect.mapError(\n () => new DelegationError({ message: \"Revocation failed\", fromAgentId: \"\", toAgentId: \"\" }),\n ),\n );\n\n return { assignRole, getRoles, authorize, delegate, revokeDelegation } satisfies PermissionManager;\n});\n\nfunction matchWildcard(pattern: string, value: string): boolean {\n if (pattern === \"*\") return true;\n const regex = new RegExp(\"^\" + pattern.replace(/\\*/g, \".*\").replace(/\\?/g, \".\") + \"$\");\n return regex.test(value);\n}\n","import { Effect, Ref } from \"effect\";\nimport type { AuditEntry } from \"../types.js\";\nimport { AuditError } from \"../errors.js\";\n\nexport interface AuditLogger {\n readonly log: (entry: Omit<AuditEntry, \"id\" | \"timestamp\">) => Effect.Effect<void, AuditError>;\n readonly query: (agentId: string, options?: { startDate?: Date; endDate?: Date; action?: string; limit?: number }) => Effect.Effect<readonly AuditEntry[], AuditError>;\n}\n\nexport const makeAuditLogger = Effect.gen(function* () {\n const logRef = yield* Ref.make<AuditEntry[]>([]);\n\n const log = (\n entry: Omit<AuditEntry, \"id\" | \"timestamp\">,\n ): Effect.Effect<void, AuditError> =>\n Ref.update(logRef, (entries) => [\n ...entries,\n { ...entry, id: crypto.randomUUID(), timestamp: new Date() },\n ]).pipe(\n Effect.mapError((e) => new AuditError({ message: \"Audit logging failed\", cause: e })),\n );\n\n const query = (\n agentId: string,\n options?: { startDate?: Date; endDate?: Date; action?: string; limit?: number },\n ): Effect.Effect<readonly AuditEntry[], AuditError> =>\n Effect.gen(function* () {\n const allEntries = yield* Ref.get(logRef);\n\n let filtered = allEntries.filter((e) => {\n if (e.agentId !== agentId) return false;\n if (options?.startDate && e.timestamp < options.startDate) return false;\n if (options?.endDate && e.timestamp > options.endDate) return false;\n if (options?.action && e.action !== options.action) return false;\n return true;\n });\n\n if (options?.limit) {\n filtered = filtered.slice(-options.limit);\n }\n\n return filtered;\n }).pipe(\n Effect.mapError((e) => new AuditError({ message: \"Audit query failed\", cause: e })),\n );\n\n return { log, query } satisfies AuditLogger;\n});\n","import { Effect, Context, Layer } from \"effect\";\nimport type { Certificate, AuthResult, Permission, Role, AuditEntry, Delegation, AuthzDecision, AgentIdentity } from \"./types.js\";\nimport { DefaultRoles } from \"./types.js\";\nimport type { AuthenticationError, AuthorizationError, AuditError, DelegationError, CredentialError } from \"./errors.js\";\nimport { makeCertificateAuth } from \"./auth/certificate-auth.js\";\nimport { makePermissionManager } from \"./authz/permission-manager.js\";\nimport { makeAuditLogger } from \"./audit/audit-logger.js\";\n\n// ─── Service Tag ───\n\nexport class IdentityService extends Context.Tag(\"IdentityService\")<\n IdentityService,\n {\n readonly authenticate: (certificate: Certificate) => Effect.Effect<AuthResult, AuthenticationError>;\n readonly authorize: (agentId: string, resource: string, action: \"read\" | \"write\" | \"execute\" | \"delete\" | \"admin\") => Effect.Effect<AuthzDecision, AuthorizationError>;\n readonly assignRole: (agentId: string, role: Role) => Effect.Effect<void, never>;\n readonly getRoles: (agentId: string) => Effect.Effect<readonly Role[], never>;\n readonly audit: (entry: Omit<AuditEntry, \"id\" | \"timestamp\">) => Effect.Effect<void, AuditError>;\n readonly queryAudit: (agentId: string, options?: { startDate?: Date; endDate?: Date; action?: string; limit?: number }) => Effect.Effect<readonly AuditEntry[], AuditError>;\n readonly delegate: (fromAgentId: string, toAgentId: string, permissions: readonly Permission[], reason: string, durationMs: number) => Effect.Effect<Delegation, DelegationError>;\n readonly revokeDelegation: (delegationId: string) => Effect.Effect<void, DelegationError>;\n readonly issueCertificate: (agentId: string, ttlMs?: number) => Effect.Effect<Certificate, CredentialError>;\n readonly rotateCertificate: (agentId: string) => Effect.Effect<Certificate, CredentialError>;\n readonly getIdentity: (agentId: string) => Effect.Effect<AgentIdentity & { roles: readonly Role[] }, AuthenticationError>;\n }\n>() {}\n\n// ─── Live Implementation ───\n\nexport const IdentityServiceLive = Layer.effect(\n IdentityService,\n Effect.gen(function* () {\n const certAuth = yield* makeCertificateAuth;\n const permissions = yield* makePermissionManager;\n const auditLogger = yield* makeAuditLogger;\n\n return {\n authenticate: (cert) => certAuth.authenticate(cert),\n authorize: (agentId, resource, action) => permissions.authorize(agentId, resource, action),\n assignRole: (agentId, role) => permissions.assignRole(agentId, role),\n getRoles: (agentId) => permissions.getRoles(agentId),\n audit: (entry) => auditLogger.log(entry),\n queryAudit: (agentId, options) => auditLogger.query(agentId, options),\n delegate: (from, to, perms, reason, dur) => permissions.delegate(from, to, perms, reason, dur),\n revokeDelegation: (id) => permissions.revokeDelegation(id),\n issueCertificate: (agentId, ttlMs) => certAuth.issueCertificate(agentId, ttlMs),\n rotateCertificate: (agentId) => certAuth.rotateCertificate(agentId),\n getIdentity: (agentId) =>\n Effect.gen(function* () {\n const roles = yield* permissions.getRoles(agentId);\n return {\n agentId,\n name: agentId,\n type: \"primary\" as const,\n createdAt: new Date(),\n roles: roles.length > 0 ? roles : [DefaultRoles[\"agent-standard\"]!],\n };\n }),\n };\n }),\n);\n","import { IdentityServiceLive } from \"./identity-service.js\";\n\nexport const createIdentityLayer = () => IdentityServiceLive;\n"],"mappings":";AAAA,SAAS,cAAc;AAIhB,IAAM,sBAAsB,OAAO,OAAO;AAAA,EAC/C,SAAS,OAAO;AAAA,EAChB,MAAM,OAAO;AAAA,EACb,MAAM,OAAO,QAAQ,WAAW,UAAU,gBAAgB,YAAY;AAAA,EACtE,WAAW,OAAO;AAAA,EAClB,UAAU,OAAO,SAAS,OAAO,OAAO,EAAE,KAAK,OAAO,QAAQ,OAAO,OAAO,QAAQ,CAAC,CAAC;AACxF,CAAC;AAKM,IAAM,oBAAoB,OAAO,OAAO;AAAA,EAC7C,cAAc,OAAO;AAAA,EACrB,SAAS,OAAO;AAAA,EAChB,UAAU,OAAO;AAAA,EACjB,WAAW,OAAO;AAAA,EAClB,WAAW,OAAO;AAAA,EAClB,QAAQ,OAAO;AAAA,EACf,aAAa,OAAO;AAAA,EACpB,QAAQ,OAAO,QAAQ,UAAU,WAAW,SAAS;AACvD,CAAC;AAKM,IAAM,mBAAmB,OAAO,OAAO;AAAA,EAC5C,eAAe,OAAO;AAAA,EACtB,SAAS,OAAO,SAAS,OAAO,MAAM;AAAA,EACtC,QAAQ,OAAO,SAAS,OAAO,MAAM;AAAA,EACrC,WAAW,OAAO,SAAS,OAAO,YAAY;AAChD,CAAC;AAKM,IAAM,mBAAmB,OAAO,OAAO;AAAA,EAC5C,UAAU,OAAO;AAAA,EACjB,SAAS,OAAO,MAAM,OAAO,QAAQ,QAAQ,SAAS,WAAW,UAAU,OAAO,CAAC;AAAA,EACnF,WAAW,OAAO,SAAS,OAAO,YAAY;AAChD,CAAC;AAKM,IAAM,aAAa,OAAO,OAAO;AAAA,EACtC,MAAM,OAAO;AAAA,EACb,aAAa,OAAO,MAAM,gBAAgB;AAAA,EAC1C,aAAa,OAAO;AACtB,CAAC;AAKM,IAAM,eAAqC;AAAA,EAChD,eAAe;AAAA,IACb,MAAM;AAAA,IACN,aAAa;AAAA,IACb,aAAa;AAAA,MACX,EAAE,UAAU,kBAAkB,SAAS,CAAC,QAAQ,OAAO,EAAE;AAAA,MACzD,EAAE,UAAU,iBAAiB,SAAS,CAAC,SAAS,EAAE;AAAA,MAClD,EAAE,UAAU,aAAa,SAAS,CAAC,SAAS,EAAE;AAAA,IAChD;AAAA,EACF;AAAA,EACA,kBAAkB;AAAA,IAChB,MAAM;AAAA,IACN,aAAa;AAAA,IACb,aAAa;AAAA,MACX,EAAE,UAAU,YAAY,SAAS,CAAC,QAAQ,OAAO,EAAE;AAAA,MACnD,EAAE,UAAU,WAAW,SAAS,CAAC,SAAS,EAAE;AAAA,MAC5C,EAAE,UAAU,aAAa,SAAS,CAAC,SAAS,EAAE;AAAA,MAC9C,EAAE,UAAU,cAAc,SAAS,CAAC,SAAS,EAAE;AAAA,IACjD;AAAA,EACF;AAAA,EACA,oBAAoB;AAAA,IAClB,MAAM;AAAA,IACN,aAAa;AAAA,IACb,aAAa;AAAA,MACX,EAAE,UAAU,KAAK,SAAS,CAAC,QAAQ,SAAS,WAAW,QAAQ,EAAE;AAAA,MACjE,EAAE,UAAU,SAAS,SAAS,CAAC,SAAS,EAAE;AAAA,IAC5C;AAAA,EACF;AAAA,EACA,cAAc;AAAA,IACZ,MAAM;AAAA,IACN,aAAa;AAAA,IACb,aAAa;AAAA,MACX,EAAE,UAAU,KAAK,SAAS,CAAC,QAAQ,SAAS,WAAW,UAAU,OAAO,EAAE;AAAA,MAC1E,EAAE,UAAU,SAAS,SAAS,CAAC,SAAS,EAAE;AAAA,MAC1C,EAAE,UAAU,YAAY,SAAS,CAAC,QAAQ,SAAS,WAAW,OAAO,EAAE;AAAA,IACzE;AAAA,EACF;AACF;AAIO,IAAM,mBAAmB,OAAO,OAAO;AAAA,EAC5C,IAAI,OAAO;AAAA,EACX,WAAW,OAAO;AAAA,EAClB,SAAS,OAAO;AAAA,EAChB,WAAW,OAAO;AAAA,EAClB,QAAQ,OAAO;AAAA,EACf,UAAU,OAAO,SAAS,OAAO,MAAM;AAAA,EACvC,QAAQ,OAAO,QAAQ,WAAW,WAAW,QAAQ;AAAA,EACrD,UAAU,OAAO,SAAS,OAAO,OAAO,EAAE,KAAK,OAAO,QAAQ,OAAO,OAAO,QAAQ,CAAC,CAAC;AAAA,EACtF,eAAe,OAAO,SAAS,OAAO,MAAM;AAAA,EAC5C,YAAY,OAAO,SAAS,OAAO,MAAM;AAC3C,CAAC;AAKM,IAAM,mBAAmB,OAAO,OAAO;AAAA,EAC5C,IAAI,OAAO;AAAA,EACX,aAAa,OAAO;AAAA,EACpB,WAAW,OAAO;AAAA,EAClB,aAAa,OAAO,MAAM,gBAAgB;AAAA,EAC1C,UAAU,OAAO;AAAA,EACjB,WAAW,OAAO;AAAA,EAClB,QAAQ,OAAO;AAAA,EACf,QAAQ,OAAO,QAAQ,UAAU,WAAW,SAAS;AACvD,CAAC;AAKM,IAAM,sBAAsB,OAAO,OAAO;AAAA,EAC/C,SAAS,OAAO;AAAA,EAChB,UAAU,OAAO;AAAA,EACjB,QAAQ,OAAO;AAAA,EACf,QAAQ,OAAO,SAAS,OAAO,MAAM;AAAA,EACrC,mBAAmB,OAAO,SAAS,gBAAgB;AACrD,CAAC;;;ACtID,SAAS,YAAY;AAEd,IAAM,sBAAN,cAAkC,KAAK,YAAY,qBAAqB,EAI5E;AAAC;AAEG,IAAM,qBAAN,cAAiC,KAAK,YAAY,oBAAoB,EAK1E;AAAC;AAEG,IAAM,aAAN,cAAyB,KAAK,YAAY,YAAY,EAG1D;AAAC;AAEG,IAAM,kBAAN,cAA8B,KAAK,YAAY,iBAAiB,EAIpE;AAAC;AAEG,IAAM,kBAAN,cAA8B,KAAK,YAAY,iBAAiB,EAIpE;AAAC;;;AC9BJ,SAAS,QAAQ,WAAW;AAWrB,IAAM,sBAAsB,OAAO,IAAI,aAAa;AACzD,QAAM,WAAW,OAAO,IAAI,KAA+B,oBAAI,IAAI,CAAC;AACpE,QAAM,aAAa,OAAO,IAAI,KAAkB,oBAAI,IAAI,CAAC;AAEzD,QAAM,eAAe,CACnB,SAEA,OAAO,IAAI,aAAa;AAEtB,QAAI,CAAC,KAAK,gBAAgB,CAAC,KAAK,aAAa,CAAC,KAAK,aAAa;AAC9D,aAAO,OAAO,OAAO;AAAA,QACnB,IAAI,oBAAoB;AAAA,UACtB,SAAS,iCAAiC,KAAK,OAAO;AAAA,UACtD,QAAQ;AAAA,UACR,SAAS,KAAK;AAAA,QAChB,CAAC;AAAA,MACH;AAAA,IACF;AAGA,QAAI,KAAK,YAAY,oBAAI,KAAK,GAAG;AAC/B,aAAO,OAAO,OAAO;AAAA,QACnB,IAAI,oBAAoB;AAAA,UACtB,SAAS,iCAAiC,KAAK,OAAO;AAAA,UACtD,QAAQ;AAAA,UACR,SAAS,KAAK;AAAA,QAChB,CAAC;AAAA,MACH;AAAA,IACF;AAGA,UAAM,UAAU,OAAO,IAAI,IAAI,UAAU;AACzC,QAAI,QAAQ,IAAI,KAAK,YAAY,GAAG;AAClC,aAAO,OAAO,OAAO;AAAA,QACnB,IAAI,oBAAoB;AAAA,UACtB,SAAS,iCAAiC,KAAK,OAAO;AAAA,UACtD,QAAQ;AAAA,UACR,SAAS,KAAK;AAAA,QAChB,CAAC;AAAA,MACH;AAAA,IACF;AAEA,WAAO;AAAA,MACL,eAAe;AAAA,MACf,SAAS,KAAK;AAAA,MACd,WAAW,KAAK;AAAA,IAClB;AAAA,EACF,CAAC;AAEH,QAAM,mBAAmB,CACvB,SACA,QAAgB,IAAI,KAAK,KAAK,KAAK,QAEnC,OAAO,IAAI;AAAA,IACT,KAAK,MAAM;AACT,YAAM,MAAM,oBAAI,KAAK;AACrB,YAAM,eAAe,OAAO,WAAW;AACvC,YAAM,YAAY,MAAM,OAAO,WAAW,CAAC;AAC3C,YAAM,cAAc,MAAM,OAAO,WAAW,EAAE,MAAM,GAAG,EAAE,CAAC;AAE1D,YAAM,OAAoB;AAAA,QACxB;AAAA,QACA;AAAA,QACA,UAAU;AAAA,QACV,WAAW,IAAI,KAAK,IAAI,QAAQ,IAAI,KAAK;AAAA,QACzC;AAAA,QACA,QAAQ;AAAA,QACR;AAAA,QACA,QAAQ;AAAA,MACV;AAEA,aAAO;AAAA,IACT;AAAA,IACA,OAAO,CAAC,MACN,IAAI,gBAAgB;AAAA,MAClB,SAAS,gCAAgC,CAAC;AAAA,MAC1C;AAAA,MACA,WAAW;AAAA,IACb,CAAC;AAAA,EACL,CAAC,EAAE;AAAA,IACD,OAAO;AAAA,MAAI,CAAC,SACV,IAAI,OAAO,UAAU,CAAC,UAAU;AAC9B,cAAM,WAAW,IAAI,IAAI,KAAK;AAC9B,iBAAS,IAAI,KAAK,cAAc,IAAI;AACpC,eAAO;AAAA,MACT,CAAC;AAAA,IACH;AAAA,EACF;AAEF,QAAM,oBAAoB,CACxB,YAEA,OAAO,IAAI,aAAa;AAEtB,UAAM,QAAQ,OAAO,IAAI,IAAI,QAAQ;AACrC,eAAW,CAAC,QAAQ,IAAI,KAAK,OAAO;AAClC,UAAI,KAAK,YAAY,WAAW,KAAK,WAAW,UAAU;AACxD,eAAO,IAAI,OAAO,YAAY,CAAC,YAAY,oBAAI,IAAI,CAAC,GAAG,SAAS,MAAM,CAAC,CAAC;AAAA,MAC1E;AAAA,IACF;AAEA,WAAO,OAAO,iBAAiB,OAAO;AAAA,EACxC,CAAC;AAEH,QAAM,oBAAoB,CACxB,iBAEA,IAAI,OAAO,YAAY,CAAC,YAAY,oBAAI,IAAI,CAAC,GAAG,SAAS,YAAY,CAAC,CAAC,EAAE;AAAA,IACvE,OAAO;AAAA,MACL,MAAM,IAAI,gBAAgB,EAAE,SAAS,qBAAqB,SAAS,WAAW,WAAW,SAAS,CAAC;AAAA,IACrG;AAAA,EACF;AAEF,SAAO,EAAE,cAAc,kBAAkB,mBAAmB,kBAAkB;AAChF,CAAC;;;AC7HD,SAAS,UAAAA,SAAQ,OAAAC,YAAW;AAYrB,IAAM,wBAAwBC,QAAO,IAAI,aAAa;AAC3D,QAAM,gBAAgB,OAAOC,KAAI,KAA0B,oBAAI,IAAI,CAAC;AACpE,QAAM,iBAAiB,OAAOA,KAAI,KAAmB,CAAC,CAAC;AAEvD,QAAM,aAAa,CAAC,SAAiB,SACnCA,KAAI,OAAO,eAAe,CAAC,QAAQ;AACjC,UAAM,SAAS,IAAI,IAAI,GAAG;AAC1B,UAAM,WAAW,OAAO,IAAI,OAAO,KAAK,CAAC;AAEzC,QAAI,CAAC,SAAS,KAAK,CAAC,MAAM,EAAE,SAAS,KAAK,IAAI,GAAG;AAC/C,aAAO,IAAI,SAAS,CAAC,GAAG,UAAU,IAAI,CAAC;AAAA,IACzC;AACA,WAAO;AAAA,EACT,CAAC;AAEH,QAAM,WAAW,CAAC,YAChBA,KAAI,IAAI,aAAa,EAAE,KAAKD,QAAO,IAAI,CAAC,QAAQ,IAAI,IAAI,OAAO,KAAK,CAAC,CAAC,CAAC;AAEzE,QAAM,YAAY,CAChB,SACA,UACA,WAEAA,QAAO,IAAI,aAAa;AACtB,UAAM,QAAQ,OAAOC,KAAI,IAAI,aAAa,EAAE;AAAA,MAC1CD,QAAO,IAAI,CAAC,QAAQ,IAAI,IAAI,OAAO,KAAK,CAAC,CAAC;AAAA,IAC5C;AAEA,UAAM,cAAc,OAAOC,KAAI,IAAI,cAAc,EAAE;AAAA,MACjDD,QAAO;AAAA,QAAI,CAAC,SACV,KAAK;AAAA,UACH,CAAC,MAAM,EAAE,cAAc,WAAW,EAAE,WAAW,YAAY,EAAE,YAAY,oBAAI,KAAK;AAAA,QACpF;AAAA,MACF;AAAA,IACF;AAEA,UAAM,iBAA+B;AAAA,MACnC,GAAG,MAAM,QAAQ,CAAC,MAAM,EAAE,WAAW;AAAA,MACrC,GAAG,YAAY,QAAQ,CAAC,MAAM,CAAC,GAAG,EAAE,WAAW,CAAC;AAAA,IAClD;AAEA,UAAM,UAAU,eAAe,KAAK,CAAC,MAAM;AACzC,YAAM,gBAAgB,cAAc,EAAE,UAAU,QAAQ;AACxD,YAAM,cAAc,EAAE,QAAQ,SAAS,MAAM,KAAK,EAAE,QAAQ,SAAS,OAAO;AAC5E,YAAM,aAAa,CAAC,EAAE,aAAa,EAAE,YAAY,oBAAI,KAAK;AAC1D,aAAO,iBAAiB,eAAe;AAAA,IACzC,CAAC;AAED,QAAI,SAAS;AACX,aAAO,EAAE,SAAS,MAAM,UAAU,QAAQ,mBAAmB,QAAQ;AAAA,IACvE;AAEA,WAAO,OAAOA,QAAO;AAAA,MACnB,IAAI,mBAAmB;AAAA,QACrB,SAAS,SAAS,OAAO,uBAAuB,MAAM,OAAO,QAAQ;AAAA,QACrE;AAAA,QACA;AAAA,QACA;AAAA,MACF,CAAC;AAAA,IACH;AAAA,EACF,CAAC;AAEH,QAAM,WAAW,CACf,aACA,WACA,aACA,QACA,eAEAA,QAAO,IAAI,aAAa;AAEtB,eAAW,QAAQ,aAAa;AAC9B,iBAAW,UAAU,KAAK,SAAS;AACjC,eAAO,UAAU,aAAa,KAAK,UAAU,MAAM,EAAE;AAAA,UACnDA,QAAO;AAAA,YACL,MACE,IAAI,gBAAgB;AAAA,cAClB,SAAS,mBAAmB,MAAM,OAAO,KAAK,QAAQ;AAAA,cACtD;AAAA,cACA;AAAA,YACF,CAAC;AAAA,UACL;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAEA,UAAM,MAAM,oBAAI,KAAK;AACrB,UAAM,aAAyB;AAAA,MAC7B,IAAI,OAAO,WAAW;AAAA,MACtB;AAAA,MACA;AAAA,MACA,aAAa,CAAC,GAAG,WAAW;AAAA,MAC5B,UAAU;AAAA,MACV,WAAW,IAAI,KAAK,IAAI,QAAQ,IAAI,UAAU;AAAA,MAC9C;AAAA,MACA,QAAQ;AAAA,IACV;AAEA,WAAOC,KAAI,OAAO,gBAAgB,CAAC,SAAS,CAAC,GAAG,MAAM,UAAU,CAAC;AACjE,WAAO;AAAA,EACT,CAAC;AAEH,QAAM,mBAAmB,CAAC,iBACxBA,KAAI;AAAA,IAAO;AAAA,IAAgB,CAAC,SAC1B,KAAK,IAAI,CAAC,MAAO,EAAE,OAAO,eAAe,EAAE,GAAG,GAAG,QAAQ,UAAmB,IAAI,CAAE;AAAA,EACpF,EAAE;AAAA,IACAD,QAAO;AAAA,MACL,MAAM,IAAI,gBAAgB,EAAE,SAAS,qBAAqB,aAAa,IAAI,WAAW,GAAG,CAAC;AAAA,IAC5F;AAAA,EACF;AAEF,SAAO,EAAE,YAAY,UAAU,WAAW,UAAU,iBAAiB;AACvE,CAAC;AAED,SAAS,cAAc,SAAiB,OAAwB;AAC9D,MAAI,YAAY,IAAK,QAAO;AAC5B,QAAM,QAAQ,IAAI,OAAO,MAAM,QAAQ,QAAQ,OAAO,IAAI,EAAE,QAAQ,OAAO,GAAG,IAAI,GAAG;AACrF,SAAO,MAAM,KAAK,KAAK;AACzB;;;AClIA,SAAS,UAAAE,SAAQ,OAAAC,YAAW;AASrB,IAAM,kBAAkBC,QAAO,IAAI,aAAa;AACrD,QAAM,SAAS,OAAOC,KAAI,KAAmB,CAAC,CAAC;AAE/C,QAAM,MAAM,CACV,UAEAA,KAAI,OAAO,QAAQ,CAAC,YAAY;AAAA,IAC9B,GAAG;AAAA,IACH,EAAE,GAAG,OAAO,IAAI,OAAO,WAAW,GAAG,WAAW,oBAAI,KAAK,EAAE;AAAA,EAC7D,CAAC,EAAE;AAAA,IACDD,QAAO,SAAS,CAAC,MAAM,IAAI,WAAW,EAAE,SAAS,wBAAwB,OAAO,EAAE,CAAC,CAAC;AAAA,EACtF;AAEF,QAAM,QAAQ,CACZ,SACA,YAEAA,QAAO,IAAI,aAAa;AACtB,UAAM,aAAa,OAAOC,KAAI,IAAI,MAAM;AAExC,QAAI,WAAW,WAAW,OAAO,CAAC,MAAM;AACtC,UAAI,EAAE,YAAY,QAAS,QAAO;AAClC,UAAI,SAAS,aAAa,EAAE,YAAY,QAAQ,UAAW,QAAO;AAClE,UAAI,SAAS,WAAW,EAAE,YAAY,QAAQ,QAAS,QAAO;AAC9D,UAAI,SAAS,UAAU,EAAE,WAAW,QAAQ,OAAQ,QAAO;AAC3D,aAAO;AAAA,IACT,CAAC;AAED,QAAI,SAAS,OAAO;AAClB,iBAAW,SAAS,MAAM,CAAC,QAAQ,KAAK;AAAA,IAC1C;AAEA,WAAO;AAAA,EACT,CAAC,EAAE;AAAA,IACDD,QAAO,SAAS,CAAC,MAAM,IAAI,WAAW,EAAE,SAAS,sBAAsB,OAAO,EAAE,CAAC,CAAC;AAAA,EACpF;AAEF,SAAO,EAAE,KAAK,MAAM;AACtB,CAAC;;;AC/CD,SAAS,UAAAE,SAAQ,SAAS,aAAa;AAUhC,IAAM,kBAAN,cAA8B,QAAQ,IAAI,iBAAiB,EAehE,EAAE;AAAC;AAIE,IAAM,sBAAsB,MAAM;AAAA,EACvC;AAAA,EACAC,QAAO,IAAI,aAAa;AACtB,UAAM,WAAW,OAAO;AACxB,UAAM,cAAc,OAAO;AAC3B,UAAM,cAAc,OAAO;AAE3B,WAAO;AAAA,MACL,cAAc,CAAC,SAAS,SAAS,aAAa,IAAI;AAAA,MAClD,WAAW,CAAC,SAAS,UAAU,WAAW,YAAY,UAAU,SAAS,UAAU,MAAM;AAAA,MACzF,YAAY,CAAC,SAAS,SAAS,YAAY,WAAW,SAAS,IAAI;AAAA,MACnE,UAAU,CAAC,YAAY,YAAY,SAAS,OAAO;AAAA,MACnD,OAAO,CAAC,UAAU,YAAY,IAAI,KAAK;AAAA,MACvC,YAAY,CAAC,SAAS,YAAY,YAAY,MAAM,SAAS,OAAO;AAAA,MACpE,UAAU,CAAC,MAAM,IAAI,OAAO,QAAQ,QAAQ,YAAY,SAAS,MAAM,IAAI,OAAO,QAAQ,GAAG;AAAA,MAC7F,kBAAkB,CAAC,OAAO,YAAY,iBAAiB,EAAE;AAAA,MACzD,kBAAkB,CAAC,SAAS,UAAU,SAAS,iBAAiB,SAAS,KAAK;AAAA,MAC9E,mBAAmB,CAAC,YAAY,SAAS,kBAAkB,OAAO;AAAA,MAClE,aAAa,CAAC,YACZA,QAAO,IAAI,aAAa;AACtB,cAAM,QAAQ,OAAO,YAAY,SAAS,OAAO;AACjD,eAAO;AAAA,UACL;AAAA,UACA,MAAM;AAAA,UACN,MAAM;AAAA,UACN,WAAW,oBAAI,KAAK;AAAA,UACpB,OAAO,MAAM,SAAS,IAAI,QAAQ,CAAC,aAAa,gBAAgB,CAAE;AAAA,QACpE;AAAA,MACF,CAAC;AAAA,IACL;AAAA,EACF,CAAC;AACH;;;AC1DO,IAAM,sBAAsB,MAAM;","names":["Effect","Ref","Effect","Ref","Effect","Ref","Effect","Ref","Effect","Effect"]}

package/package.json ADDED Viewed

@@ -0,0 +1,48 @@
+{
+  "name": "@reactive-agents/identity",
+  "version": "0.1.0",
+  "type": "module",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "scripts": {
+    "build": "tsup --config ../../tsup.config.base.ts",
+    "typecheck": "tsc --noEmit",
+    "test": "bun test",
+    "test:watch": "bun test --watch"
+  },
+  "dependencies": {
+    "effect": "^3.10.0",
+    "@reactive-agents/core": "0.1.0",
+    "@noble/ed25519": "^2.0.0"
+  },
+  "devDependencies": {
+    "typescript": "^5.7.0",
+    "bun-types": "latest"
+  },
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/tylerjrbuell/reactive-agents-ts.git",
+    "directory": "packages/identity"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "files": [
+    "dist",
+    "README.md",
+    "LICENSE"
+  ],
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js",
+      "default": "./dist/index.js"
+    }
+  },
+  "description": "Identity and access control for Reactive Agents — agent certificates and RBAC",
+  "homepage": "https://tylerjrbuell.github.io/reactive-agents-ts/",
+  "bugs": {
+    "url": "https://github.com/tylerjrbuell/reactive-agents-ts/issues"
+  }
+}