@red-codes/agentguard 1.0.0

package/dist/kernel/blast-radius.d.ts

@@ -0,0 +1,60 @@
+import type { NormalizedIntent } from '../policy/evaluator.js';
+/** Weights applied to different action categories */
+export interface BlastRadiusWeights {
+    /** Multiplier for delete operations (default: 3.0) */
+    delete: number;
+    /** Multiplier for write operations (default: 1.5) */
+    write: number;
+    /** Multiplier for read operations (default: 0.1) */
+    read: number;
+    /** Multiplier for git operations (default: 2.0) */
+    git: number;
+    /** Multiplier for shell exec (default: 1.0) */
+    shell: number;
+    /** Multiplier for sensitive path matches (default: 5.0) */
+    sensitivePath: number;
+    /** Multiplier for config file matches (default: 2.0) */
+    configPath: number;
+}
+/** Result of blast radius computation */
+export interface BlastRadiusResult {
+    /** Raw count of files/entities affected */
+    rawCount: number;
+    /** Weighted score after applying action and path multipliers */
+    weightedScore: number;
+    /** Risk level derived from weighted score */
+    riskLevel: 'low' | 'medium' | 'high';
+    /** Which factors contributed to the score */
+    factors: BlastRadiusFactor[];
+    /** Whether the weighted score exceeds the given threshold */
+    exceeded: boolean;
+    /** The threshold that was checked against */
+    threshold: number;
+}
+/** A single factor contributing to the blast radius score */
+export interface BlastRadiusFactor {
+    name: string;
+    multiplier: number;
+    reason: string;
+}
+declare const DEFAULT_WEIGHTS: BlastRadiusWeights;
+declare const SENSITIVE_PATTERNS: string[];
+declare const CONFIG_PATTERNS: string[];
+/**
+ * Compute the blast radius for a normalized intent.
+ *
+ * The engine applies multipliers for:
+ *   - Action type (delete > write > git > shell > read)
+ *   - Path sensitivity (secrets, credentials)
+ *   - Config file impact (package.json, CI configs, etc.)
+ *
+ * The final weighted score is the raw file count multiplied by
+ * the highest applicable multiplier from each factor category.
+ *
+ * @param intent     The normalized action intent
+ * @param threshold  The policy limit to check against
+ * @param weights    Optional custom weights (defaults provided)
+ */
+export declare function computeBlastRadius(intent: NormalizedIntent, threshold: number, weights?: BlastRadiusWeights): BlastRadiusResult;
+export { DEFAULT_WEIGHTS, SENSITIVE_PATTERNS, CONFIG_PATTERNS };
+//# sourceMappingURL=blast-radius.d.ts.map

package/dist/kernel/blast-radius.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"blast-radius.d.ts","sourceRoot":"","sources":["../../src/kernel/blast-radius.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAE/D,qDAAqD;AACrD,MAAM,WAAW,kBAAkB;IACjC,sDAAsD;IACtD,MAAM,EAAE,MAAM,CAAC;IACf,qDAAqD;IACrD,KAAK,EAAE,MAAM,CAAC;IACd,oDAAoD;IACpD,IAAI,EAAE,MAAM,CAAC;IACb,mDAAmD;IACnD,GAAG,EAAE,MAAM,CAAC;IACZ,+CAA+C;IAC/C,KAAK,EAAE,MAAM,CAAC;IACd,2DAA2D;IAC3D,aAAa,EAAE,MAAM,CAAC;IACtB,wDAAwD;IACxD,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,yCAAyC;AACzC,MAAM,WAAW,iBAAiB;IAChC,2CAA2C;IAC3C,QAAQ,EAAE,MAAM,CAAC;IACjB,gEAAgE;IAChE,aAAa,EAAE,MAAM,CAAC;IACtB,6CAA6C;IAC7C,SAAS,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,CAAC;IACrC,6CAA6C;IAC7C,OAAO,EAAE,iBAAiB,EAAE,CAAC;IAC7B,6DAA6D;IAC7D,QAAQ,EAAE,OAAO,CAAC;IAClB,6CAA6C;IAC7C,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,6DAA6D;AAC7D,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,QAAA,MAAM,eAAe,EAAE,kBAQtB,CAAC;AAEF,QAAA,MAAM,kBAAkB,UAA0E,CAAC;AAEnG,QAAA,MAAM,eAAe,UAkBpB,CAAC;AAgFF;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,kBAAkB,CAChC,MAAM,EAAE,gBAAgB,EACxB,SAAS,EAAE,MAAM,EACjB,OAAO,GAAE,kBAAoC,GAC5C,iBAAiB,CA8BnB;AAED,OAAO,EAAE,eAAe,EAAE,kBAAkB,EAAE,eAAe,EAAE,CAAC"}

package/dist/kernel/blast-radius.js

@@ -0,0 +1,146 @@
+// Blast radius computation engine — Phase 2 implementation.
+// Pure domain logic: computes a weighted blast radius score from action metadata.
+// No I/O, no Node.js-specific APIs. Suitable for use inside the synchronous authorize() flow.
+const DEFAULT_WEIGHTS = {
+    delete: 3.0,
+    write: 1.5,
+    read: 0.1,
+    git: 2.0,
+    shell: 1.0,
+    sensitivePath: 5.0,
+    configPath: 2.0,
+};
+const SENSITIVE_PATTERNS = ['.env', 'credentials', '.pem', '.key', 'secret', 'token', '.password'];
+const CONFIG_PATTERNS = [
+    'package.json',
+    'tsconfig.json',
+    'eslint',
+    '.prettierrc',
+    'webpack.config',
+    'vite.config',
+    'next.config',
+    'jest.config',
+    'vitest.config',
+    '.babelrc',
+    'babel.config',
+    'Dockerfile',
+    'docker-compose',
+    '.github/',
+    '.gitlab-ci',
+    'Jenkinsfile',
+    '.circleci/',
+];
+/** Determine the action weight multiplier based on action type */
+function getActionMultiplier(action, weights) {
+    if (action.startsWith('file.delete')) {
+        return { name: 'delete-action', multiplier: weights.delete, reason: 'File deletion' };
+    }
+    if (action.startsWith('file.write') || action === 'file.move') {
+        return { name: 'write-action', multiplier: weights.write, reason: 'File write/move' };
+    }
+    if (action.startsWith('file.read')) {
+        return { name: 'read-action', multiplier: weights.read, reason: 'File read (low impact)' };
+    }
+    if (action.startsWith('git.')) {
+        if (action === 'git.force-push') {
+            return {
+                name: 'force-push',
+                multiplier: weights.git * 2,
+                reason: 'Git force push (history rewrite)',
+            };
+        }
+        if (action === 'git.branch.delete') {
+            return {
+                name: 'branch-delete',
+                multiplier: weights.git * 1.5,
+                reason: 'Git branch deletion',
+            };
+        }
+        return { name: 'git-action', multiplier: weights.git, reason: `Git operation: ${action}` };
+    }
+    if (action === 'shell.exec') {
+        return { name: 'shell-exec', multiplier: weights.shell, reason: 'Shell execution' };
+    }
+    return null;
+}
+/** Check if the target path matches sensitive patterns */
+function getSensitivePathFactor(target, weights) {
+    if (!target)
+        return null;
+    const lower = target.toLowerCase();
+    if (SENSITIVE_PATTERNS.some((p) => lower.includes(p))) {
+        return {
+            name: 'sensitive-path',
+            multiplier: weights.sensitivePath,
+            reason: `Sensitive file path: ${target}`,
+        };
+    }
+    return null;
+}
+/** Check if the target path matches config file patterns */
+function getConfigPathFactor(target, weights) {
+    if (!target)
+        return null;
+    const lower = target.toLowerCase();
+    if (CONFIG_PATTERNS.some((p) => lower.includes(p))) {
+        return {
+            name: 'config-path',
+            multiplier: weights.configPath,
+            reason: `Config/CI file: ${target}`,
+        };
+    }
+    return null;
+}
+/** Derive risk level from a weighted score */
+function deriveRiskLevel(weightedScore) {
+    if (weightedScore >= 50)
+        return 'high';
+    if (weightedScore >= 15)
+        return 'medium';
+    return 'low';
+}
+/**
+ * Compute the blast radius for a normalized intent.
+ *
+ * The engine applies multipliers for:
+ *   - Action type (delete > write > git > shell > read)
+ *   - Path sensitivity (secrets, credentials)
+ *   - Config file impact (package.json, CI configs, etc.)
+ *
+ * The final weighted score is the raw file count multiplied by
+ * the highest applicable multiplier from each factor category.
+ *
+ * @param intent     The normalized action intent
+ * @param threshold  The policy limit to check against
+ * @param weights    Optional custom weights (defaults provided)
+ */
+export function computeBlastRadius(intent, threshold, weights = DEFAULT_WEIGHTS) {
+    const rawCount = intent.filesAffected ?? 1;
+    const factors = [];
+    // Collect applicable factors
+    const actionFactor = getActionMultiplier(intent.action, weights);
+    if (actionFactor)
+        factors.push(actionFactor);
+    const sensitiveFactor = getSensitivePathFactor(intent.target, weights);
+    if (sensitiveFactor)
+        factors.push(sensitiveFactor);
+    const configFactor = getConfigPathFactor(intent.target, weights);
+    if (configFactor)
+        factors.push(configFactor);
+    // Compute weighted score: raw count * product of all factor multipliers
+    // Each factor category contributes independently (multiplicative)
+    const totalMultiplier = factors.reduce((acc, f) => acc * f.multiplier, 1);
+    const weightedScore = Math.round(rawCount * totalMultiplier * 100) / 100;
+    const riskLevel = deriveRiskLevel(weightedScore);
+    const exceeded = weightedScore > threshold;
+    return {
+        rawCount,
+        weightedScore,
+        riskLevel,
+        factors,
+        exceeded,
+        threshold,
+    };
+}
+export { DEFAULT_WEIGHTS, SENSITIVE_PATTERNS, CONFIG_PATTERNS };
+//# sourceMappingURL=blast-radius.js.map

package/dist/kernel/blast-radius.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"blast-radius.js","sourceRoot":"","sources":["../../src/kernel/blast-radius.ts"],"names":[],"mappings":"AAAA,4DAA4D;AAC5D,kFAAkF;AAClF,8FAA8F;AA6C9F,MAAM,eAAe,GAAuB;IAC1C,MAAM,EAAE,GAAG;IACX,KAAK,EAAE,GAAG;IACV,IAAI,EAAE,GAAG;IACT,GAAG,EAAE,GAAG;IACR,KAAK,EAAE,GAAG;IACV,aAAa,EAAE,GAAG;IAClB,UAAU,EAAE,GAAG;CAChB,CAAC;AAEF,MAAM,kBAAkB,GAAG,CAAC,MAAM,EAAE,aAAa,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,WAAW,CAAC,CAAC;AAEnG,MAAM,eAAe,GAAG;IACtB,cAAc;IACd,eAAe;IACf,QAAQ;IACR,aAAa;IACb,gBAAgB;IAChB,aAAa;IACb,aAAa;IACb,aAAa;IACb,eAAe;IACf,UAAU;IACV,cAAc;IACd,YAAY;IACZ,gBAAgB;IAChB,UAAU;IACV,YAAY;IACZ,aAAa;IACb,YAAY;CACb,CAAC;AAEF,kEAAkE;AAClE,SAAS,mBAAmB,CAC1B,MAAc,EACd,OAA2B;IAE3B,IAAI,MAAM,CAAC,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;QACrC,OAAO,EAAE,IAAI,EAAE,eAAe,EAAE,UAAU,EAAE,OAAO,CAAC,MAAM,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;IACxF,CAAC;IACD,IAAI,MAAM,CAAC,UAAU,CAAC,YAAY,CAAC,IAAI,MAAM,KAAK,WAAW,EAAE,CAAC;QAC9D,OAAO,EAAE,IAAI,EAAE,cAAc,EAAE,UAAU,EAAE,OAAO,CAAC,KAAK,EAAE,MAAM,EAAE,iBAAiB,EAAE,CAAC;IACxF,CAAC;IACD,IAAI,MAAM,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;QACnC,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,UAAU,EAAE,OAAO,CAAC,IAAI,EAAE,MAAM,EAAE,wBAAwB,EAAE,CAAC;IAC7F,CAAC;IACD,IAAI,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;QAC9B,IAAI,MAAM,KAAK,gBAAgB,EAAE,CAAC;YAChC,OAAO;gBACL,IAAI,EAAE,YAAY;gBAClB,UAAU,EAAE,OAAO,CAAC,GAAG,GAAG,CAAC;gBAC3B,MAAM,EAAE,kCAAkC;aAC3C,CAAC;QACJ,CAAC;QACD,IAAI,MAAM,KAAK,mBAAmB,EAAE,CAAC;YACnC,OAAO;gBACL,IAAI,EAAE,eAAe;gBACrB,UAAU,EAAE,OAAO,CAAC,GAAG,GAAG,GAAG;gBAC7B,MAAM,EAAE,qBAAqB;aAC9B,CAAC;QACJ,CAAC;QACD,OAAO,EAAE,IAAI,EAAE,YAAY,EAAE,UAAU,EAAE,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,kBAAkB,MAAM,EAAE,EAAE,CAAC;IAC7F,CAAC;IACD,IAAI,MAAM,KAAK,YAAY,EAAE,CAAC;QAC5B,OAAO,EAAE,IAAI,EAAE,YAAY,EAAE,UAAU,EAAE,OAAO,CAAC,KAAK,EAAE,MAAM,EAAE,iBAAiB,EAAE,CAAC;IACtF,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,0DAA0D;AAC1D,SAAS,sBAAsB,CAC7B,MAAc,EACd,OAA2B;IAE3B,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IACzB,MAAM,KAAK,GAAG,MAAM,CAAC,WAAW,EAAE,CAAC;IACnC,IAAI,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QACtD,OAAO;YACL,IAAI,EAAE,gBAAgB;YACtB,UAAU,EAAE,OAAO,CAAC,aAAa;YACjC,MAAM,EAAE,wBAAwB,MAAM,EAAE;SACzC,CAAC;IACJ,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,4DAA4D;AAC5D,SAAS,mBAAmB,CAC1B,MAAc,EACd,OAA2B;IAE3B,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IACzB,MAAM,KAAK,GAAG,MAAM,CAAC,WAAW,EAAE,CAAC;IACnC,IAAI,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QACnD,OAAO;YACL,IAAI,EAAE,aAAa;YACnB,UAAU,EAAE,OAAO,CAAC,UAAU;YAC9B,MAAM,EAAE,mBAAmB,MAAM,EAAE;SACpC,CAAC;IACJ,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,8CAA8C;AAC9C,SAAS,eAAe,CAAC,aAAqB;IAC5C,IAAI,aAAa,IAAI,EAAE;QAAE,OAAO,MAAM,CAAC;IACvC,IAAI,aAAa,IAAI,EAAE;QAAE,OAAO,QAAQ,CAAC;IACzC,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,MAAM,UAAU,kBAAkB,CAChC,MAAwB,EACxB,SAAiB,EACjB,UAA8B,eAAe;IAE7C,MAAM,QAAQ,GAAG,MAAM,CAAC,aAAa,IAAI,CAAC,CAAC;IAC3C,MAAM,OAAO,GAAwB,EAAE,CAAC;IAExC,6BAA6B;IAC7B,MAAM,YAAY,GAAG,mBAAmB,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACjE,IAAI,YAAY;QAAE,OAAO,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IAE7C,MAAM,eAAe,GAAG,sBAAsB,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACvE,IAAI,eAAe;QAAE,OAAO,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;IAEnD,MAAM,YAAY,GAAG,mBAAmB,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACjE,IAAI,YAAY;QAAE,OAAO,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IAE7C,wEAAwE;IACxE,kEAAkE;IAClE,MAAM,eAAe,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC;IAC1E,MAAM,aAAa,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,GAAG,eAAe,GAAG,GAAG,CAAC,GAAG,GAAG,CAAC;IAEzE,MAAM,SAAS,GAAG,eAAe,CAAC,aAAa,CAAC,CAAC;IACjD,MAAM,QAAQ,GAAG,aAAa,GAAG,SAAS,CAAC;IAE3C,OAAO;QACL,QAAQ;QACR,aAAa;QACb,SAAS;QACT,OAAO;QACP,QAAQ;QACR,SAAS;KACV,CAAC;AACJ,CAAC;AAED,OAAO,EAAE,eAAe,EAAE,kBAAkB,EAAE,eAAe,EAAE,CAAC"}

package/dist/kernel/decision.d.ts

@@ -0,0 +1,40 @@
+import type { DomainEvent } from '../core/types.js';
+import type { RawAgentAction } from './aab.js';
+import type { NormalizedIntent, EvalResult } from '../policy/evaluator.js';
+import type { EvidencePack } from './evidence.js';
+import type { AgentGuardInvariant } from '../invariants/definitions.js';
+export declare const INTERVENTION: {
+    readonly DENY: "deny";
+    readonly ROLLBACK: "rollback";
+    readonly PAUSE: "pause";
+    readonly TEST_ONLY: "test-only";
+};
+export type InterventionType = (typeof INTERVENTION)[keyof typeof INTERVENTION];
+export interface EngineDecision {
+    allowed: boolean;
+    intent: NormalizedIntent;
+    decision: EvalResult;
+    violations: Array<{
+        invariantId: string;
+        name: string;
+        severity: number;
+        expected: string;
+        actual: string;
+    }>;
+    events: DomainEvent[];
+    evidencePack: EvidencePack | null;
+    intervention: InterventionType | null;
+}
+export interface EngineConfig {
+    policyDefs?: unknown[];
+    invariants?: AgentGuardInvariant[];
+    onEvent?: (event: DomainEvent) => void;
+}
+export interface Engine {
+    getPolicyErrors(): string[];
+    getPolicyCount(): number;
+    getInvariantCount(): number;
+    evaluate(rawAction: RawAgentAction | null, systemContext?: Record<string, unknown>): EngineDecision;
+}
+export declare function createEngine(config?: EngineConfig): Engine;
+//# sourceMappingURL=decision.d.ts.map

package/dist/kernel/decision.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"decision.d.ts","sourceRoot":"","sources":["../../src/kernel/decision.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAEpD,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,UAAU,CAAC;AAC/C,OAAO,KAAK,EAAE,gBAAgB,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AAI3E,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAGlD,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,8BAA8B,CAAC;AAExE,eAAO,MAAM,YAAY;;;;;CAKf,CAAC;AAEX,MAAM,MAAM,gBAAgB,GAAG,CAAC,OAAO,YAAY,CAAC,CAAC,MAAM,OAAO,YAAY,CAAC,CAAC;AAEhF,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE,gBAAgB,CAAC;IACzB,QAAQ,EAAE,UAAU,CAAC;IACrB,UAAU,EAAE,KAAK,CAAC;QAChB,WAAW,EAAE,MAAM,CAAC;QACpB,IAAI,EAAE,MAAM,CAAC;QACb,QAAQ,EAAE,MAAM,CAAC;QACjB,QAAQ,EAAE,MAAM,CAAC;QACjB,MAAM,EAAE,MAAM,CAAC;KAChB,CAAC,CAAC;IACH,MAAM,EAAE,WAAW,EAAE,CAAC;IACtB,YAAY,EAAE,YAAY,GAAG,IAAI,CAAC;IAClC,YAAY,EAAE,gBAAgB,GAAG,IAAI,CAAC;CACvC;AAED,MAAM,WAAW,YAAY;IAC3B,UAAU,CAAC,EAAE,OAAO,EAAE,CAAC;IACvB,UAAU,CAAC,EAAE,mBAAmB,EAAE,CAAC;IACnC,OAAO,CAAC,EAAE,CAAC,KAAK,EAAE,WAAW,KAAK,IAAI,CAAC;CACxC;AAED,MAAM,WAAW,MAAM;IACrB,eAAe,IAAI,MAAM,EAAE,CAAC;IAC5B,cAAc,IAAI,MAAM,CAAC;IACzB,iBAAiB,IAAI,MAAM,CAAC;IAC5B,QAAQ,CACN,SAAS,EAAE,cAAc,GAAG,IAAI,EAChC,aAAa,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GACtC,cAAc,CAAC;CACnB;AAcD,wBAAgB,YAAY,CAAC,MAAM,GAAE,YAAiB,GAAG,MAAM,CAoF9D"}

package/dist/kernel/decision.js

@@ -0,0 +1,92 @@
+// Runtime Assurance Engine — the RTA decision switch.
+// Pure domain logic. No DOM, no Node.js-specific APIs.
+import { authorize } from './aab.js';
+import { checkAllInvariants, buildSystemState } from '../invariants/checker.js';
+import { createEvidencePack } from './evidence.js';
+import { loadPolicies } from '../policy/loader.js';
+import { DEFAULT_INVARIANTS } from '../invariants/definitions.js';
+export const INTERVENTION = {
+    DENY: 'deny',
+    ROLLBACK: 'rollback',
+    PAUSE: 'pause',
+    TEST_ONLY: 'test-only',
+};
+function selectIntervention(decision, violations) {
+    const maxSeverity = Math.max(decision.severity || 0, ...violations.map((v) => v.invariant?.severity || 0));
+    if (maxSeverity >= 5)
+        return INTERVENTION.DENY;
+    if (maxSeverity >= 4)
+        return INTERVENTION.PAUSE;
+    if (maxSeverity >= 3)
+        return INTERVENTION.ROLLBACK;
+    return INTERVENTION.TEST_ONLY;
+}
+export function createEngine(config = {}) {
+    const { policies, errors: policyErrors } = loadPolicies(config.policyDefs || []);
+    const invariants = config.invariants || DEFAULT_INVARIANTS;
+    const onEvent = config.onEvent || null;
+    function emitEvents(events) {
+        if (onEvent) {
+            for (const event of events) {
+                onEvent(event);
+            }
+        }
+    }
+    return {
+        getPolicyErrors() {
+            return [...policyErrors];
+        },
+        getPolicyCount() {
+            return policies.length;
+        },
+        getInvariantCount() {
+            return invariants.length;
+        },
+        evaluate(rawAction, systemContext = {}) {
+            const { intent, result: authResult, events: authEvents } = authorize(rawAction, policies);
+            const state = buildSystemState({
+                ...systemContext,
+                currentTarget: intent.target,
+                currentCommand: intent.command,
+                filesAffected: intent.filesAffected || systemContext.filesAffected,
+                targetBranch: intent.branch || systemContext.targetBranch,
+                forcePush: intent.action === 'git.force-push',
+                directPush: intent.action === 'git.push',
+                isPush: intent.action === 'git.push' || intent.action === 'git.force-push',
+            });
+            const { violations, events: invariantEvents, allHold, } = checkAllInvariants(invariants, state);
+            const allEvents = [...authEvents, ...invariantEvents];
+            const allowed = authResult.allowed && allHold;
+            const needsEvidence = !allowed || allEvents.length > 0;
+            let evidencePack = null;
+            if (needsEvidence && allEvents.length > 0) {
+                const { pack, event: packEvent } = createEvidencePack({
+                    intent,
+                    decision: authResult,
+                    violations,
+                    events: allEvents,
+                });
+                evidencePack = pack;
+                allEvents.push(packEvent);
+            }
+            const intervention = allowed ? null : selectIntervention(authResult, violations);
+            emitEvents(allEvents);
+            return {
+                allowed,
+                intent,
+                decision: authResult,
+                violations: violations.map((v) => ({
+                    invariantId: v.invariant.id,
+                    name: v.invariant.name,
+                    severity: v.invariant.severity,
+                    expected: v.result.expected,
+                    actual: v.result.actual,
+                })),
+                events: allEvents,
+                evidencePack,
+                intervention,
+            };
+        },
+    };
+}
+//# sourceMappingURL=decision.js.map

package/dist/kernel/decision.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"decision.js","sourceRoot":"","sources":["../../src/kernel/decision.ts"],"names":[],"mappings":"AAAA,sDAAsD;AACtD,uDAAuD;AAGvD,OAAO,EAAE,SAAS,EAAE,MAAM,UAAU,CAAC;AAGrC,OAAO,EAAE,kBAAkB,EAAE,gBAAgB,EAAE,MAAM,0BAA0B,CAAC;AAEhF,OAAO,EAAE,kBAAkB,EAAE,MAAM,eAAe,CAAC;AAEnD,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACnD,OAAO,EAAE,kBAAkB,EAAE,MAAM,8BAA8B,CAAC;AAGlE,MAAM,CAAC,MAAM,YAAY,GAAG;IAC1B,IAAI,EAAE,MAAM;IACZ,QAAQ,EAAE,UAAU;IACpB,KAAK,EAAE,OAAO;IACd,SAAS,EAAE,WAAW;CACd,CAAC;AAoCX,SAAS,kBAAkB,CAAC,QAAoB,EAAE,UAA4B;IAC5E,MAAM,WAAW,GAAG,IAAI,CAAC,GAAG,CAC1B,QAAQ,CAAC,QAAQ,IAAI,CAAC,EACtB,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,EAAE,QAAQ,IAAI,CAAC,CAAC,CACrD,CAAC;IAEF,IAAI,WAAW,IAAI,CAAC;QAAE,OAAO,YAAY,CAAC,IAAI,CAAC;IAC/C,IAAI,WAAW,IAAI,CAAC;QAAE,OAAO,YAAY,CAAC,KAAK,CAAC;IAChD,IAAI,WAAW,IAAI,CAAC;QAAE,OAAO,YAAY,CAAC,QAAQ,CAAC;IACnD,OAAO,YAAY,CAAC,SAAS,CAAC;AAChC,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,SAAuB,EAAE;IACpD,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,YAAY,EAAE,GAAG,YAAY,CAAC,MAAM,CAAC,UAAU,IAAI,EAAE,CAAC,CAAC;IACjF,MAAM,UAAU,GAAG,MAAM,CAAC,UAAU,IAAI,kBAAkB,CAAC;IAC3D,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,IAAI,IAAI,CAAC;IAEvC,SAAS,UAAU,CAAC,MAAqB;QACvC,IAAI,OAAO,EAAE,CAAC;YACZ,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;gBAC3B,OAAO,CAAC,KAAK,CAAC,CAAC;YACjB,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO;QACL,eAAe;YACb,OAAO,CAAC,GAAG,YAAY,CAAC,CAAC;QAC3B,CAAC;QAED,cAAc;YACZ,OAAO,QAAQ,CAAC,MAAM,CAAC;QACzB,CAAC;QAED,iBAAiB;YACf,OAAO,UAAU,CAAC,MAAM,CAAC;QAC3B,CAAC;QAED,QAAQ,CAAC,SAAS,EAAE,aAAa,GAAG,EAAE;YACpC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,UAAU,EAAE,GAAG,SAAS,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;YAE1F,MAAM,KAAK,GAAG,gBAAgB,CAAC;gBAC7B,GAAG,aAAa;gBAChB,aAAa,EAAE,MAAM,CAAC,MAAM;gBAC5B,cAAc,EAAE,MAAM,CAAC,OAAO;gBAC9B,aAAa,EAAE,MAAM,CAAC,aAAa,IAAI,aAAa,CAAC,aAAa;gBAClE,YAAY,EAAE,MAAM,CAAC,MAAM,IAAI,aAAa,CAAC,YAAY;gBACzD,SAAS,EAAE,MAAM,CAAC,MAAM,KAAK,gBAAgB;gBAC7C,UAAU,EAAE,MAAM,CAAC,MAAM,KAAK,UAAU;gBACxC,MAAM,EAAE,MAAM,CAAC,MAAM,KAAK,UAAU,IAAI,MAAM,CAAC,MAAM,KAAK,gBAAgB;aAC3E,CAAC,CAAC;YAEH,MAAM,EACJ,UAAU,EACV,MAAM,EAAE,eAAe,EACvB,OAAO,GACR,GAAG,kBAAkB,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC;YAE1C,MAAM,SAAS,GAAkB,CAAC,GAAG,UAAU,EAAE,GAAG,eAAe,CAAC,CAAC;YAErE,MAAM,OAAO,GAAG,UAAU,CAAC,OAAO,IAAI,OAAO,CAAC;YAC9C,MAAM,aAAa,GAAG,CAAC,OAAO,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC,CAAC;YAEvD,IAAI,YAAY,GAAwB,IAAI,CAAC;YAC7C,IAAI,aAAa,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC1C,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,SAAS,EAAE,GAAG,kBAAkB,CAAC;oBACpD,MAAM;oBACN,QAAQ,EAAE,UAAU;oBACpB,UAAU;oBACV,MAAM,EAAE,SAAS;iBAClB,CAAC,CAAC;gBACH,YAAY,GAAG,IAAI,CAAC;gBACpB,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YAC5B,CAAC;YAED,MAAM,YAAY,GAAG,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,kBAAkB,CAAC,UAAU,EAAE,UAAU,CAAC,CAAC;YAEjF,UAAU,CAAC,SAAS,CAAC,CAAC;YAEtB,OAAO;gBACL,OAAO;gBACP,MAAM;gBACN,QAAQ,EAAE,UAAU;gBACpB,UAAU,EAAE,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;oBACjC,WAAW,EAAE,CAAC,CAAC,SAAS,CAAC,EAAE;oBAC3B,IAAI,EAAE,CAAC,CAAC,SAAS,CAAC,IAAI;oBACtB,QAAQ,EAAE,CAAC,CAAC,SAAS,CAAC,QAAQ;oBAC9B,QAAQ,EAAE,CAAC,CAAC,MAAM,CAAC,QAAQ;oBAC3B,MAAM,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM;iBACxB,CAAC,CAAC;gBACH,MAAM,EAAE,SAAS;gBACjB,YAAY;gBACZ,YAAY;aACb,CAAC;QACJ,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/kernel/decisions/factory.d.ts

@@ -0,0 +1,12 @@
+import type { GovernanceDecisionRecord, SimulationSummary } from './types.js';
+import type { MonitorDecision } from '../monitor.js';
+import type { ExecutionResult } from '../../core/types.js';
+export interface DecisionFactoryInput {
+    runId: string;
+    decision: MonitorDecision;
+    execution: ExecutionResult | null;
+    executionDurationMs: number | null;
+    simulation: SimulationSummary | null;
+}
+export declare function buildDecisionRecord(input: DecisionFactoryInput): GovernanceDecisionRecord;
+//# sourceMappingURL=factory.d.ts.map

package/dist/kernel/decisions/factory.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"factory.d.ts","sourceRoot":"","sources":["../../../src/kernel/decisions/factory.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,wBAAwB,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAC9E,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AACrD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAG3D,MAAM,WAAW,oBAAoB;IACnC,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,eAAe,CAAC;IAC1B,SAAS,EAAE,eAAe,GAAG,IAAI,CAAC;IAClC,mBAAmB,EAAE,MAAM,GAAG,IAAI,CAAC;IACnC,UAAU,EAAE,iBAAiB,GAAG,IAAI,CAAC;CACtC;AAOD,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,oBAAoB,GAAG,wBAAwB,CAgDzF"}

package/dist/kernel/decisions/factory.js

@@ -0,0 +1,56 @@
+// Decision record factory — builds GovernanceDecisionRecord from kernel data.
+// Pure logic. Combines MonitorDecision + execution result into a single record.
+import { simpleHash } from '../../core/hash.js';
+function generateRecordId(timestamp, runId, action) {
+    const content = `${timestamp}:${runId}:${action}`;
+    return `dec_${timestamp}_${simpleHash(content)}`;
+}
+export function buildDecisionRecord(input) {
+    const { runId, decision, execution, executionDurationMs, simulation } = input;
+    const timestamp = Date.now();
+    const intent = decision.intent;
+    return {
+        recordId: generateRecordId(timestamp, runId, intent.action),
+        runId,
+        timestamp,
+        action: {
+            type: intent.action,
+            target: intent.target,
+            agent: intent.agent,
+            destructive: intent.destructive,
+            command: intent.command,
+        },
+        outcome: decision.allowed ? 'allow' : 'deny',
+        reason: decision.decision.reason,
+        intervention: decision.intervention,
+        policy: {
+            matchedPolicyId: decision.decision.matchedPolicy?.id ?? null,
+            matchedPolicyName: decision.decision.matchedPolicy?.name ?? null,
+            severity: decision.decision.severity,
+        },
+        invariants: {
+            allHold: decision.violations.length === 0,
+            violations: decision.violations.map((v) => ({
+                invariantId: v.invariantId,
+                name: v.name,
+                severity: v.severity,
+                expected: v.expected,
+                actual: v.actual,
+            })),
+        },
+        simulation,
+        evidencePackId: decision.evidencePack?.packId ?? null,
+        monitor: {
+            escalationLevel: decision.monitor.escalationLevel,
+            totalEvaluations: decision.monitor.totalEvaluations,
+            totalDenials: decision.monitor.totalDenials,
+        },
+        execution: {
+            executed: execution !== null,
+            success: execution?.success ?? null,
+            durationMs: executionDurationMs,
+            error: execution?.error ?? null,
+        },
+    };
+}
+//# sourceMappingURL=factory.js.map

package/dist/kernel/decisions/factory.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"factory.js","sourceRoot":"","sources":["../../../src/kernel/decisions/factory.ts"],"names":[],"mappings":"AAAA,8EAA8E;AAC9E,gFAAgF;AAKhF,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAUhD,SAAS,gBAAgB,CAAC,SAAiB,EAAE,KAAa,EAAE,MAAc;IACxE,MAAM,OAAO,GAAG,GAAG,SAAS,IAAI,KAAK,IAAI,MAAM,EAAE,CAAC;IAClD,OAAO,OAAO,SAAS,IAAI,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;AACnD,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,KAA2B;IAC7D,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,SAAS,EAAE,mBAAmB,EAAE,UAAU,EAAE,GAAG,KAAK,CAAC;IAC9E,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAC7B,MAAM,MAAM,GAAG,QAAQ,CAAC,MAAM,CAAC;IAE/B,OAAO;QACL,QAAQ,EAAE,gBAAgB,CAAC,SAAS,EAAE,KAAK,EAAE,MAAM,CAAC,MAAM,CAAC;QAC3D,KAAK;QACL,SAAS;QACT,MAAM,EAAE;YACN,IAAI,EAAE,MAAM,CAAC,MAAM;YACnB,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,OAAO,EAAE,MAAM,CAAC,OAAO;SACxB;QACD,OAAO,EAAE,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM;QAC5C,MAAM,EAAE,QAAQ,CAAC,QAAQ,CAAC,MAAM;QAChC,YAAY,EAAE,QAAQ,CAAC,YAAY;QACnC,MAAM,EAAE;YACN,eAAe,EAAE,QAAQ,CAAC,QAAQ,CAAC,aAAa,EAAE,EAAE,IAAI,IAAI;YAC5D,iBAAiB,EAAE,QAAQ,CAAC,QAAQ,CAAC,aAAa,EAAE,IAAI,IAAI,IAAI;YAChE,QAAQ,EAAE,QAAQ,CAAC,QAAQ,CAAC,QAAQ;SACrC;QACD,UAAU,EAAE;YACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,MAAM,KAAK,CAAC;YACzC,UAAU,EAAE,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;gBAC1C,WAAW,EAAE,CAAC,CAAC,WAAW;gBAC1B,IAAI,EAAE,CAAC,CAAC,IAAI;gBACZ,QAAQ,EAAE,CAAC,CAAC,QAAQ;gBACpB,QAAQ,EAAE,CAAC,CAAC,QAAQ;gBACpB,MAAM,EAAE,CAAC,CAAC,MAAM;aACjB,CAAC,CAAC;SACJ;QACD,UAAU;QACV,cAAc,EAAE,QAAQ,CAAC,YAAY,EAAE,MAAM,IAAI,IAAI;QACrD,OAAO,EAAE;YACP,eAAe,EAAE,QAAQ,CAAC,OAAO,CAAC,eAAe;YACjD,gBAAgB,EAAE,QAAQ,CAAC,OAAO,CAAC,gBAAgB;YACnD,YAAY,EAAE,QAAQ,CAAC,OAAO,CAAC,YAAY;SAC5C;QACD,SAAS,EAAE;YACT,QAAQ,EAAE,SAAS,KAAK,IAAI;YAC5B,OAAO,EAAE,SAAS,EAAE,OAAO,IAAI,IAAI;YACnC,UAAU,EAAE,mBAAmB;YAC/B,KAAK,EAAE,SAAS,EAAE,KAAK,IAAI,IAAI;SAChC;KACF,CAAC;AACJ,CAAC"}

package/dist/kernel/decisions/types.d.ts

@@ -0,0 +1,70 @@
+export interface GovernanceDecisionRecord {
+    /** Unique record ID: "dec_<timestamp>_<hash>" */
+    recordId: string;
+    /** Kernel run ID this decision belongs to */
+    runId: string;
+    /** When the decision was made */
+    timestamp: number;
+    /** The action that was evaluated */
+    action: {
+        type: string;
+        target: string;
+        agent: string;
+        destructive: boolean;
+        command?: string;
+    };
+    /** Final governance outcome */
+    outcome: 'allow' | 'deny';
+    /** Human-readable reason for the outcome */
+    reason: string;
+    /** Intervention type if denied (deny, rollback, pause, test-only) */
+    intervention: string | null;
+    /** Policy matching details */
+    policy: {
+        matchedPolicyId: string | null;
+        matchedPolicyName: string | null;
+        severity: number;
+    };
+    /** Invariant evaluation results */
+    invariants: {
+        allHold: boolean;
+        violations: Array<{
+            invariantId: string;
+            name: string;
+            severity: number;
+            expected: string;
+            actual: string;
+        }>;
+    };
+    /** Pre-execution simulation results (Phase 2 integration point) */
+    simulation: SimulationSummary | null;
+    /** Evidence pack ID if generated */
+    evidencePackId: string | null;
+    /** Monitor state at decision time */
+    monitor: {
+        escalationLevel: number;
+        totalEvaluations: number;
+        totalDenials: number;
+    };
+    /** Execution results (null if denied or dry-run) */
+    execution: {
+        executed: boolean;
+        success: boolean | null;
+        durationMs: number | null;
+        error: string | null;
+    };
+}
+/** Placeholder for Phase 2 simulation integration */
+export interface SimulationSummary {
+    predictedChanges: string[];
+    blastRadius: number;
+    riskLevel: 'low' | 'medium' | 'high';
+    simulatorId: string;
+    durationMs: number;
+}
+/** Sink interface for decision records (mirrors EventSink pattern) */
+export interface DecisionSink {
+    write(record: GovernanceDecisionRecord): void;
+    flush?(): void;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/kernel/decisions/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/kernel/decisions/types.ts"],"names":[],"mappings":"AAIA,MAAM,WAAW,wBAAwB;IACvC,iDAAiD;IACjD,QAAQ,EAAE,MAAM,CAAC;IACjB,6CAA6C;IAC7C,KAAK,EAAE,MAAM,CAAC;IACd,iCAAiC;IACjC,SAAS,EAAE,MAAM,CAAC;IAClB,oCAAoC;IACpC,MAAM,EAAE;QACN,IAAI,EAAE,MAAM,CAAC;QACb,MAAM,EAAE,MAAM,CAAC;QACf,KAAK,EAAE,MAAM,CAAC;QACd,WAAW,EAAE,OAAO,CAAC;QACrB,OAAO,CAAC,EAAE,MAAM,CAAC;KAClB,CAAC;IACF,+BAA+B;IAC/B,OAAO,EAAE,OAAO,GAAG,MAAM,CAAC;IAC1B,4CAA4C;IAC5C,MAAM,EAAE,MAAM,CAAC;IACf,qEAAqE;IACrE,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,8BAA8B;IAC9B,MAAM,EAAE;QACN,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;QAC/B,iBAAiB,EAAE,MAAM,GAAG,IAAI,CAAC;QACjC,QAAQ,EAAE,MAAM,CAAC;KAClB,CAAC;IACF,mCAAmC;IACnC,UAAU,EAAE;QACV,OAAO,EAAE,OAAO,CAAC;QACjB,UAAU,EAAE,KAAK,CAAC;YAChB,WAAW,EAAE,MAAM,CAAC;YACpB,IAAI,EAAE,MAAM,CAAC;YACb,QAAQ,EAAE,MAAM,CAAC;YACjB,QAAQ,EAAE,MAAM,CAAC;YACjB,MAAM,EAAE,MAAM,CAAC;SAChB,CAAC,CAAC;KACJ,CAAC;IACF,mEAAmE;IACnE,UAAU,EAAE,iBAAiB,GAAG,IAAI,CAAC;IACrC,oCAAoC;IACpC,cAAc,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,qCAAqC;IACrC,OAAO,EAAE;QACP,eAAe,EAAE,MAAM,CAAC;QACxB,gBAAgB,EAAE,MAAM,CAAC;QACzB,YAAY,EAAE,MAAM,CAAC;KACtB,CAAC;IACF,oDAAoD;IACpD,SAAS,EAAE;QACT,QAAQ,EAAE,OAAO,CAAC;QAClB,OAAO,EAAE,OAAO,GAAG,IAAI,CAAC;QACxB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;QAC1B,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;KACtB,CAAC;CACH;AAED,qDAAqD;AACrD,MAAM,WAAW,iBAAiB;IAChC,gBAAgB,EAAE,MAAM,EAAE,CAAC;IAC3B,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,CAAC;IACrC,WAAW,EAAE,MAAM,CAAC;IACpB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,sEAAsE;AACtE,MAAM,WAAW,YAAY;IAC3B,KAAK,CAAC,MAAM,EAAE,wBAAwB,GAAG,IAAI,CAAC;IAC9C,KAAK,CAAC,IAAI,IAAI,CAAC;CAChB"}

package/dist/kernel/decisions/types.js

@@ -0,0 +1,5 @@
+// Governance Decision Record — first-class audit artifact.
+// Aggregates monitor decision, execution data, and evidence into
+// a single persisted, queryable record per agent action.
+export {};
+//# sourceMappingURL=types.js.map

package/dist/kernel/decisions/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../../src/kernel/decisions/types.ts"],"names":[],"mappings":"AAAA,2DAA2D;AAC3D,iEAAiE;AACjE,yDAAyD"}

package/dist/kernel/evidence.d.ts

@@ -0,0 +1,29 @@
+import type { DomainEvent } from '../core/types.js';
+import type { NormalizedIntent, EvalResult } from '../policy/evaluator.js';
+import type { InvariantCheck } from '../invariants/checker.js';
+export interface EvidencePack {
+    packId: string;
+    timestamp: number;
+    intent: NormalizedIntent;
+    decision: EvalResult;
+    violations: Array<{
+        invariantId: string;
+        name: string;
+        severity: number;
+        expected: string;
+        actual: string;
+    }>;
+    events: string[];
+    summary: string;
+    severity: number;
+}
+export declare function createEvidencePack(params: {
+    intent: NormalizedIntent;
+    decision: EvalResult;
+    violations?: InvariantCheck[];
+    events?: DomainEvent[];
+}): {
+    pack: EvidencePack;
+    event: DomainEvent;
+};
+//# sourceMappingURL=evidence.d.ts.map

package/dist/kernel/evidence.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"evidence.d.ts","sourceRoot":"","sources":["../../src/kernel/evidence.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAGpD,OAAO,KAAK,EAAE,gBAAgB,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AAC3E,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,0BAA0B,CAAC;AAE/D,MAAM,WAAW,YAAY;IAC3B,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,gBAAgB,CAAC;IACzB,QAAQ,EAAE,UAAU,CAAC;IACrB,UAAU,EAAE,KAAK,CAAC;QAChB,WAAW,EAAE,MAAM,CAAC;QACpB,IAAI,EAAE,MAAM,CAAC;QACb,QAAQ,EAAE,MAAM,CAAC;QACjB,QAAQ,EAAE,MAAM,CAAC;QACjB,MAAM,EAAE,MAAM,CAAC;KAChB,CAAC,CAAC;IACH,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAyCD,wBAAgB,kBAAkB,CAAC,MAAM,EAAE;IACzC,MAAM,EAAE,gBAAgB,CAAC;IACzB,QAAQ,EAAE,UAAU,CAAC;IACrB,UAAU,CAAC,EAAE,cAAc,EAAE,CAAC;IAC9B,MAAM,CAAC,EAAE,WAAW,EAAE,CAAC;CACxB,GAAG;IAAE,IAAI,EAAE,YAAY,CAAC;IAAC,KAAK,EAAE,WAAW,CAAA;CAAE,CAgC7C"}

package/dist/kernel/evidence.js

@@ -0,0 +1,61 @@
+// Evidence pack generator — creates structured audit records.
+// Pure domain logic. No DOM, no Node.js-specific APIs.
+import { createEvent, EVIDENCE_PACK_GENERATED } from '../events/schema.js';
+import { simpleHash } from '../core/hash.js';
+function generatePackId(timestamp, intent) {
+    const content = `${timestamp}:${intent.action}:${intent.target}:${intent.agent}`;
+    return `pack_${simpleHash(content)}`;
+}
+function computeMaxSeverity(decision, violations) {
+    let maxSeverity = decision.severity || 0;
+    for (const v of violations) {
+        if (v.invariant && v.invariant.severity > maxSeverity) {
+            maxSeverity = v.invariant.severity;
+        }
+    }
+    return maxSeverity;
+}
+function generateSummary(intent, decision, violations) {
+    const parts = [];
+    parts.push(`Action: ${intent.action} on ${intent.target || 'unknown'}`);
+    parts.push(`Decision: ${decision.decision.toUpperCase()}`);
+    if (decision.reason) {
+        parts.push(`Reason: ${decision.reason}`);
+    }
+    if (violations.length > 0) {
+        const names = violations.map((v) => v.invariant.name);
+        parts.push(`Violations: ${names.join(', ')}`);
+    }
+    return parts.join(' | ');
+}
+export function createEvidencePack(params) {
+    const { intent, decision, violations = [], events = [] } = params;
+    const timestamp = Date.now();
+    const packId = generatePackId(timestamp, intent);
+    const severity = computeMaxSeverity(decision, violations);
+    const summary = generateSummary(intent, decision, violations);
+    const pack = {
+        packId,
+        timestamp,
+        intent,
+        decision,
+        violations: violations.map((v) => ({
+            invariantId: v.invariant.id,
+            name: v.invariant.name,
+            severity: v.invariant.severity,
+            expected: v.result.expected,
+            actual: v.result.actual,
+        })),
+        events: events.map((e) => e.id),
+        summary,
+        severity,
+    };
+    const event = createEvent(EVIDENCE_PACK_GENERATED, {
+        packId,
+        eventIds: events.map((e) => e.id),
+        summary,
+        metadata: { severity, violationCount: violations.length },
+    });
+    return { pack, event };
+}
+//# sourceMappingURL=evidence.js.map

package/dist/kernel/evidence.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"evidence.js","sourceRoot":"","sources":["../../src/kernel/evidence.ts"],"names":[],"mappings":"AAAA,8DAA8D;AAC9D,uDAAuD;AAGvD,OAAO,EAAE,WAAW,EAAE,uBAAuB,EAAE,MAAM,qBAAqB,CAAC;AAC3E,OAAO,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAqB7C,SAAS,cAAc,CAAC,SAAiB,EAAE,MAAwB;IACjE,MAAM,OAAO,GAAG,GAAG,SAAS,IAAI,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;IACjF,OAAO,QAAQ,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;AACvC,CAAC;AAED,SAAS,kBAAkB,CAAC,QAAoB,EAAE,UAA4B;IAC5E,IAAI,WAAW,GAAG,QAAQ,CAAC,QAAQ,IAAI,CAAC,CAAC;IAEzC,KAAK,MAAM,CAAC,IAAI,UAAU,EAAE,CAAC;QAC3B,IAAI,CAAC,CAAC,SAAS,IAAI,CAAC,CAAC,SAAS,CAAC,QAAQ,GAAG,WAAW,EAAE,CAAC;YACtD,WAAW,GAAG,CAAC,CAAC,SAAS,CAAC,QAAQ,CAAC;QACrC,CAAC;IACH,CAAC;IAED,OAAO,WAAW,CAAC;AACrB,CAAC;AAED,SAAS,eAAe,CACtB,MAAwB,EACxB,QAAoB,EACpB,UAA4B;IAE5B,MAAM,KAAK,GAAa,EAAE,CAAC;IAE3B,KAAK,CAAC,IAAI,CAAC,WAAW,MAAM,CAAC,MAAM,OAAO,MAAM,CAAC,MAAM,IAAI,SAAS,EAAE,CAAC,CAAC;IACxE,KAAK,CAAC,IAAI,CAAC,aAAa,QAAQ,CAAC,QAAQ,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;IAE3D,IAAI,QAAQ,CAAC,MAAM,EAAE,CAAC;QACpB,KAAK,CAAC,IAAI,CAAC,WAAW,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;IAC3C,CAAC;IAED,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC1B,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;QACtD,KAAK,CAAC,IAAI,CAAC,eAAe,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAChD,CAAC;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;AAC3B,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,MAKlC;IACC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,UAAU,GAAG,EAAE,EAAE,MAAM,GAAG,EAAE,EAAE,GAAG,MAAM,CAAC;IAClE,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAC7B,MAAM,MAAM,GAAG,cAAc,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;IACjD,MAAM,QAAQ,GAAG,kBAAkB,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;IAC1D,MAAM,OAAO,GAAG,eAAe,CAAC,MAAM,EAAE,QAAQ,EAAE,UAAU,CAAC,CAAC;IAE9D,MAAM,IAAI,GAAiB;QACzB,MAAM;QACN,SAAS;QACT,MAAM;QACN,QAAQ;QACR,UAAU,EAAE,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YACjC,WAAW,EAAE,CAAC,CAAC,SAAS,CAAC,EAAE;YAC3B,IAAI,EAAE,CAAC,CAAC,SAAS,CAAC,IAAI;YACtB,QAAQ,EAAE,CAAC,CAAC,SAAS,CAAC,QAAQ;YAC9B,QAAQ,EAAE,CAAC,CAAC,MAAM,CAAC,QAAQ;YAC3B,MAAM,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM;SACxB,CAAC,CAAC;QACH,MAAM,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC/B,OAAO;QACP,QAAQ;KACT,CAAC;IAEF,MAAM,KAAK,GAAG,WAAW,CAAC,uBAAuB,EAAE;QACjD,MAAM;QACN,QAAQ,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACjC,OAAO;QACP,QAAQ,EAAE,EAAE,QAAQ,EAAE,cAAc,EAAE,UAAU,CAAC,MAAM,EAAE;KAC1D,CAAC,CAAC;IAEH,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;AACzB,CAAC"}