@runcore-sh/runcore 0.1.8 → 0.1.10

package/dist/tier/heartbeat.js

@@ -0,0 +1,128 @@
+/**
+ * Registry heartbeat — periodic check-in for tier >= byok.
+ *
+ * Reports: version, tier, uptime.
+ * Receives: token validity, freeze signals.
+ * Non-blocking, best-effort. Failures are logged, not fatal.
+ */
+import { readFileSync } from "node:fs";
+import { join } from "node:path";
+const REGISTRY_URL = "https://runcore.sh/api/registry";
+const HEARTBEAT_INTERVAL_MS = 6 * 60 * 60 * 1000; // 6 hours
+const REVALIDATE_INTERVAL_MS = 24 * 60 * 60 * 1000; // 24 hours
+let heartbeatTimer = null;
+let revalidateTimer = null;
+let startedAt = Date.now();
+let frozen = false;
+let onFreeze = null;
+let onDowngrade = null;
+export function onFreezeSignal(handler) {
+    onFreeze = handler;
+}
+export function onTierDowngrade(handler) {
+    onDowngrade = handler;
+}
+export function isFrozen() {
+    return frozen;
+}
+function getVersion() {
+    try {
+        const pkg = JSON.parse(readFileSync(join(import.meta.dirname, "../../package.json"), "utf-8"));
+        return pkg.version ?? "unknown";
+    }
+    catch {
+        return "unknown";
+    }
+}
+async function sendHeartbeat(jwt, tier) {
+    try {
+        const res = await fetch(`${REGISTRY_URL}/heartbeat`, {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/json",
+                Authorization: `Bearer ${jwt}`,
+            },
+            body: JSON.stringify({
+                version: getVersion(),
+                tier,
+                uptime: Math.floor((Date.now() - startedAt) / 1000),
+            }),
+            signal: AbortSignal.timeout(10_000),
+        });
+        if (!res.ok)
+            return;
+        const data = (await res.json());
+        if (data.frozen && data.freeze) {
+            frozen = true;
+            onFreeze?.(data.freeze);
+        }
+        if (!data.valid) {
+            // Token revoked — downgrade to local
+            onDowngrade?.("local");
+        }
+        if (data.tier && data.tier !== tier) {
+            // Tier changed (upgrade or downgrade by admin)
+            onDowngrade?.(data.tier);
+        }
+    }
+    catch {
+        // Best effort — swallow network errors
+    }
+}
+async function revalidateToken(jwt) {
+    try {
+        const res = await fetch(`${REGISTRY_URL}/validate`, {
+            headers: { Authorization: `Bearer ${jwt}` },
+            signal: AbortSignal.timeout(10_000),
+        });
+        if (!res.ok)
+            return false;
+        const data = (await res.json());
+        return data.valid === true;
+    }
+    catch {
+        return true; // Assume valid if we can't reach registry (offline-first)
+    }
+}
+export function startHeartbeat(jwt, tier, root) {
+    startedAt = Date.now();
+    // Retry bond if not yet confirmed
+    if (root) {
+        retryBondIfNeeded(root, jwt).catch(() => { });
+    }
+    // Immediate first heartbeat
+    sendHeartbeat(jwt, tier);
+    heartbeatTimer = setInterval(() => sendHeartbeat(jwt, tier), HEARTBEAT_INTERVAL_MS);
+    heartbeatTimer.unref();
+    revalidateTimer = setInterval(async () => {
+        const valid = await revalidateToken(jwt);
+        if (!valid)
+            onDowngrade?.("local");
+    }, REVALIDATE_INTERVAL_MS);
+    revalidateTimer.unref();
+}
+/** Retry bond announcement if keys exist locally but registry hasn't confirmed. */
+async function retryBondIfNeeded(root, jwt) {
+    try {
+        const { loadBondKeys, bond } = await import("./bond.js");
+        const keys = await loadBondKeys(root);
+        if (!keys)
+            return; // No keys = not activated yet, nothing to retry
+        // Try to announce again — bond() handles the idempotency
+        const parts = jwt.split(".");
+        const payload = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf-8"));
+        await bond(root, jwt, payload.jti);
+    }
+    catch {
+        // Best effort
+    }
+}
+export function stopHeartbeat() {
+    if (heartbeatTimer)
+        clearInterval(heartbeatTimer);
+    if (revalidateTimer)
+        clearInterval(revalidateTimer);
+    heartbeatTimer = null;
+    revalidateTimer = null;
+}
+//# sourceMappingURL=heartbeat.js.map

package/dist/tier/heartbeat.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"heartbeat.js","sourceRoot":"","sources":["../../src/tier/heartbeat.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAGjC,MAAM,YAAY,GAAG,iCAAiC,CAAC;AACvD,MAAM,qBAAqB,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,UAAU;AAC5D,MAAM,sBAAsB,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,WAAW;AAE/D,IAAI,cAAc,GAA0C,IAAI,CAAC;AACjE,IAAI,eAAe,GAA0C,IAAI,CAAC;AAClE,IAAI,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;AAC3B,IAAI,MAAM,GAAG,KAAK,CAAC;AAYnB,IAAI,QAAQ,GAAyB,IAAI,CAAC;AAC1C,IAAI,WAAW,GAA4B,IAAI,CAAC;AAEhD,MAAM,UAAU,cAAc,CAAC,OAAsB;IACnD,QAAQ,GAAG,OAAO,CAAC;AACrB,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,OAAyB;IACvD,WAAW,GAAG,OAAO,CAAC;AACxB,CAAC;AAED,MAAM,UAAU,QAAQ;IACtB,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,UAAU;IACjB,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CACpB,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,oBAAoB,CAAC,EAAE,OAAO,CAAC,CACvE,CAAC;QACF,OAAO,GAAG,CAAC,OAAO,IAAI,SAAS,CAAC;IAClC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED,KAAK,UAAU,aAAa,CAAC,GAAW,EAAE,IAAc;IACtD,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,YAAY,YAAY,EAAE;YACnD,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,kBAAkB;gBAClC,aAAa,EAAE,UAAU,GAAG,EAAE;aAC/B;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;gBACnB,OAAO,EAAE,UAAU,EAAE;gBACrB,IAAI;gBACJ,MAAM,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC,GAAG,IAAI,CAAC;aACpD,CAAC;YACF,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,MAAM,CAAC;SACpC,CAAC,CAAC;QAEH,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,OAAO;QAEpB,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAsB,CAAC;QAErD,IAAI,IAAI,CAAC,MAAM,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAC/B,MAAM,GAAG,IAAI,CAAC;YACd,QAAQ,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC1B,CAAC;QAED,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;YAChB,qCAAqC;YACrC,WAAW,EAAE,CAAC,OAAO,CAAC,CAAC;QACzB,CAAC;QAED,IAAI,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,IAAI,KAAK,IAAI,EAAE,CAAC;YACpC,+CAA+C;YAC/C,WAAW,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC3B,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,uCAAuC;IACzC,CAAC;AACH,CAAC;AAED,KAAK,UAAU,eAAe,CAAC,GAAW;IACxC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,YAAY,WAAW,EAAE;YAClD,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,GAAG,EAAE,EAAE;YAC3C,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,MAAM,CAAC;SACpC,CAAC,CAAC;QACH,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,OAAO,KAAK,CAAC;QAC1B,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAuB,CAAC;QACtD,OAAO,IAAI,CAAC,KAAK,KAAK,IAAI,CAAC;IAC7B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC,CAAC,0DAA0D;IACzE,CAAC;AACH,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,GAAW,EAAE,IAAc,EAAE,IAAa;IACvE,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAEvB,kCAAkC;IAClC,IAAI,IAAI,EAAE,CAAC;QACT,iBAAiB,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;IAC/C,CAAC;IAED,4BAA4B;IAC5B,aAAa,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;IAEzB,cAAc,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC,aAAa,CAAC,GAAG,EAAE,IAAI,CAAC,EAAE,qBAAqB,CAAC,CAAC;IACpF,cAAc,CAAC,KAAK,EAAE,CAAC;IAEvB,eAAe,GAAG,WAAW,CAAC,KAAK,IAAI,EAAE;QACvC,MAAM,KAAK,GAAG,MAAM,eAAe,CAAC,GAAG,CAAC,CAAC;QACzC,IAAI,CAAC,KAAK;YAAE,WAAW,EAAE,CAAC,OAAO,CAAC,CAAC;IACrC,CAAC,EAAE,sBAAsB,CAAC,CAAC;IAC3B,eAAe,CAAC,KAAK,EAAE,CAAC;AAC1B,CAAC;AAED,mFAAmF;AACnF,KAAK,UAAU,iBAAiB,CAAC,IAAY,EAAE,GAAW;IACxD,IAAI,CAAC;QACH,MAAM,EAAE,YAAY,EAAE,IAAI,EAAE,GAAG,MAAM,MAAM,CAAC,WAAW,CAAC,CAAC;QACzD,MAAM,IAAI,GAAG,MAAM,YAAY,CAAC,IAAI,CAAC,CAAC;QACtC,IAAI,CAAC,IAAI;YAAE,OAAO,CAAC,gDAAgD;QAEnE,yDAAyD;QACzD,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC7B,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;QACjF,MAAM,IAAI,CAAC,IAAI,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC;IACrC,CAAC;IAAC,MAAM,CAAC;QACP,cAAc;IAChB,CAAC;AACH,CAAC;AAED,MAAM,UAAU,aAAa;IAC3B,IAAI,cAAc;QAAE,aAAa,CAAC,cAAc,CAAC,CAAC;IAClD,IAAI,eAAe;QAAE,aAAa,CAAC,eAAe,CAAC,CAAC;IACpD,cAAc,GAAG,IAAI,CAAC;IACtB,eAAe,GAAG,IAAI,CAAC;AACzB,CAAC"}

package/dist/tier/token.d.ts

@@ -0,0 +1,22 @@
+/**
+ * Activation token — Ed25519 signed JWT, offline-verifiable.
+ *
+ * Private key lives in the registry backend (Dash's dead drop / Cloudflare Worker).
+ * Public key ships in this package. Tokens validate without network.
+ * Revocation is checked periodically (24h) via registry heartbeat.
+ */
+import { type ActivationToken, type TierName } from "./types.js";
+/** Sign a JWT with Ed25519 private key (used by Dash / registry backend) */
+export declare function signToken(payload: ActivationToken, privateKeyPem: string): string;
+/** Load and validate the local activation token. Returns null if none or invalid. */
+export declare function loadActivationToken(root: string): Promise<{
+    token: ActivationToken;
+    raw: string;
+} | null>;
+/** Store an activation token to disk */
+export declare function saveActivationToken(root: string, jwt: string): Promise<ActivationToken>;
+/** Get the current tier from the stored token, defaulting to "local" */
+export declare function currentTier(root: string): Promise<TierName>;
+/** Set a custom public key (for testing or key rotation) */
+export declare function setPublicKey(pem: string): void;
+//# sourceMappingURL=token.d.ts.map

package/dist/tier/token.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token.d.ts","sourceRoot":"","sources":["../../src/tier/token.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAKH,OAAO,EAAE,KAAK,eAAe,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY,CAAC;AAsCjE,4EAA4E;AAC5E,wBAAgB,SAAS,CACvB,OAAO,EAAE,eAAe,EACxB,aAAa,EAAE,MAAM,GACpB,MAAM,CAUR;AAED,qFAAqF;AACrF,wBAAsB,mBAAmB,CACvC,IAAI,EAAE,MAAM,GACX,OAAO,CAAC;IAAE,KAAK,EAAE,eAAe,CAAC;IAAC,GAAG,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAAC,CAqBzD;AAED,wCAAwC;AACxC,wBAAsB,mBAAmB,CACvC,IAAI,EAAE,MAAM,EACZ,GAAG,EAAE,MAAM,GACV,OAAO,CAAC,eAAe,CAAC,CAU1B;AAED,wEAAwE;AACxE,wBAAsB,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC,CAGjE;AAED,4DAA4D;AAC5D,wBAAgB,YAAY,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,CAG9C"}

package/dist/tier/token.js

@@ -0,0 +1,100 @@
+/**
+ * Activation token — Ed25519 signed JWT, offline-verifiable.
+ *
+ * Private key lives in the registry backend (Dash's dead drop / Cloudflare Worker).
+ * Public key ships in this package. Tokens validate without network.
+ * Revocation is checked periodically (24h) via registry heartbeat.
+ */
+import { readFile, writeFile, mkdir } from "node:fs/promises";
+import { join } from "node:path";
+import { createVerify, createSign } from "node:crypto";
+// Ed25519 public key — embedded in package, used for offline token verification.
+// Replace with real key after generating the keypair.
+const PUBLIC_KEY_PEM = `-----BEGIN PUBLIC KEY-----
+MCowBQYDK2VwAyEAPLACENTER_REAL_KEY_HERE_AFTER_KEYGEN=
+-----END PUBLIC KEY-----`;
+const TOKEN_DIR = ".core";
+const TOKEN_FILE = "activation.json";
+function tokenPath(root) {
+    return join(root, "brain", TOKEN_DIR, TOKEN_FILE);
+}
+/** Decode a compact JWT (header.payload.signature) without verification */
+function decodePayload(jwt) {
+    const parts = jwt.split(".");
+    if (parts.length !== 3)
+        throw new Error("Invalid token format");
+    const payload = Buffer.from(parts[1], "base64url").toString("utf-8");
+    return JSON.parse(payload);
+}
+/** Verify Ed25519 signature on a JWT */
+function verifySignature(jwt, publicKey) {
+    const parts = jwt.split(".");
+    if (parts.length !== 3)
+        return false;
+    const data = `${parts[0]}.${parts[1]}`;
+    const signature = Buffer.from(parts[2], "base64url");
+    const verifier = createVerify("Ed25519");
+    verifier.update(data);
+    try {
+        return verifier.verify(publicKey, signature);
+    }
+    catch {
+        return false;
+    }
+}
+/** Sign a JWT with Ed25519 private key (used by Dash / registry backend) */
+export function signToken(payload, privateKeyPem) {
+    const header = Buffer.from(JSON.stringify({ alg: "EdDSA", typ: "JWT" })).toString("base64url");
+    const body = Buffer.from(JSON.stringify(payload)).toString("base64url");
+    const data = `${header}.${body}`;
+    const signer = createSign("Ed25519");
+    signer.update(data);
+    const signature = signer.sign(privateKeyPem, "base64url");
+    return `${data}.${signature}`;
+}
+/** Load and validate the local activation token. Returns null if none or invalid. */
+export async function loadActivationToken(root) {
+    try {
+        const raw = (await readFile(tokenPath(root), "utf-8")).trim();
+        if (!raw)
+            return null;
+        if (!verifySignature(raw, PUBLIC_KEY_PEM)) {
+            console.warn("  Activation token has invalid signature — ignoring.");
+            return null;
+        }
+        const token = decodePayload(raw);
+        if (new Date(token.expires) < new Date()) {
+            console.warn("  Activation token expired — running as Local tier.");
+            return null;
+        }
+        return { token, raw };
+    }
+    catch {
+        return null;
+    }
+}
+/** Store an activation token to disk */
+export async function saveActivationToken(root, jwt) {
+    if (!verifySignature(jwt, PUBLIC_KEY_PEM)) {
+        throw new Error("Token signature verification failed. Token not saved.");
+    }
+    const token = decodePayload(jwt);
+    const dir = join(root, "brain", TOKEN_DIR);
+    await mkdir(dir, { recursive: true });
+    await writeFile(tokenPath(root), jwt, "utf-8");
+    return token;
+}
+/** Get the current tier from the stored token, defaulting to "local" */
+export async function currentTier(root) {
+    const result = await loadActivationToken(root);
+    return result?.token.tier ?? "local";
+}
+/** Set a custom public key (for testing or key rotation) */
+export function setPublicKey(pem) {
+    // Only used in test — production uses the embedded key
+    globalThis.__CORE_TIER_PUBKEY = pem;
+}
+function getPublicKey() {
+    return globalThis.__CORE_TIER_PUBKEY ?? PUBLIC_KEY_PEM;
+}
+//# sourceMappingURL=token.js.map

package/dist/tier/token.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token.js","sourceRoot":"","sources":["../../src/tier/token.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,kBAAkB,CAAC;AAC9D,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAGvD,iFAAiF;AACjF,sDAAsD;AACtD,MAAM,cAAc,GAAG;;yBAEE,CAAC;AAE1B,MAAM,SAAS,GAAG,OAAO,CAAC;AAC1B,MAAM,UAAU,GAAG,iBAAiB,CAAC;AAErC,SAAS,SAAS,CAAC,IAAY;IAC7B,OAAO,IAAI,CAAC,IAAI,EAAE,OAAO,EAAE,SAAS,EAAE,UAAU,CAAC,CAAC;AACpD,CAAC;AAED,2EAA2E;AAC3E,SAAS,aAAa,CAAC,GAAW;IAChC,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC7B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;IAChE,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IACrE,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;AAC7B,CAAC;AAED,wCAAwC;AACxC,SAAS,eAAe,CAAC,GAAW,EAAE,SAAiB;IACrD,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC7B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACrC,MAAM,IAAI,GAAG,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;IACvC,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,WAAW,CAAC,CAAC;IACrD,MAAM,QAAQ,GAAG,YAAY,CAAC,SAAS,CAAC,CAAC;IACzC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IACtB,IAAI,CAAC;QACH,OAAO,QAAQ,CAAC,MAAM,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;IAC/C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,4EAA4E;AAC5E,MAAM,UAAU,SAAS,CACvB,OAAwB,EACxB,aAAqB;IAErB,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CACxB,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,CAC7C,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IACxB,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IACxE,MAAM,IAAI,GAAG,GAAG,MAAM,IAAI,IAAI,EAAE,CAAC;IACjC,MAAM,MAAM,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC;IACrC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IACpB,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,aAAa,EAAE,WAAW,CAAC,CAAC;IAC1D,OAAO,GAAG,IAAI,IAAI,SAAS,EAAE,CAAC;AAChC,CAAC;AAED,qFAAqF;AACrF,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,IAAY;IAEZ,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,CAAC,MAAM,QAAQ,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,OAAO,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QAC9D,IAAI,CAAC,GAAG;YAAE,OAAO,IAAI,CAAC;QAEtB,IAAI,CAAC,eAAe,CAAC,GAAG,EAAE,cAAc,CAAC,EAAE,CAAC;YAC1C,OAAO,CAAC,IAAI,CAAC,sDAAsD,CAAC,CAAC;YACrE,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,KAAK,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC;QAEjC,IAAI,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,IAAI,IAAI,EAAE,EAAE,CAAC;YACzC,OAAO,CAAC,IAAI,CAAC,qDAAqD,CAAC,CAAC;YACpE,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC;IACxB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,wCAAwC;AACxC,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,IAAY,EACZ,GAAW;IAEX,IAAI,CAAC,eAAe,CAAC,GAAG,EAAE,cAAc,CAAC,EAAE,CAAC;QAC1C,MAAM,IAAI,KAAK,CAAC,uDAAuD,CAAC,CAAC;IAC3E,CAAC;IAED,MAAM,KAAK,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC;IACjC,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,EAAE,OAAO,EAAE,SAAS,CAAC,CAAC;IAC3C,MAAM,KAAK,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACtC,MAAM,SAAS,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;IAC/C,OAAO,KAAK,CAAC;AACf,CAAC;AAED,wEAAwE;AACxE,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,IAAY;IAC5C,MAAM,MAAM,GAAG,MAAM,mBAAmB,CAAC,IAAI,CAAC,CAAC;IAC/C,OAAO,MAAM,EAAE,KAAK,CAAC,IAAI,IAAI,OAAO,CAAC;AACvC,CAAC;AAED,4DAA4D;AAC5D,MAAM,UAAU,YAAY,CAAC,GAAW;IACtC,uDAAuD;IACtD,UAAkB,CAAC,kBAAkB,GAAG,GAAG,CAAC;AAC/C,CAAC;AAED,SAAS,YAAY;IACnB,OAAQ,UAAkB,CAAC,kBAAkB,IAAI,cAAc,CAAC;AAClE,CAAC"}

package/dist/tier/types.d.ts

@@ -0,0 +1,44 @@
+/**
+ * Tier system — capability levels gated by trust.
+ *
+ * Level 1: Local    — brain + Ollama, zero network
+ * Level 2: BYOK     — full server/UI/mesh, your keys
+ * Level 3: Spawn    — agent spawning + multi-agent orchestration
+ * Level 4: Hosted   — runs on Herrman Group infrastructure
+ */
+export type TierName = "local" | "byok" | "spawn" | "hosted";
+export declare const TIER_LEVEL: Record<TierName, number>;
+export interface TierCapabilities {
+    brain: boolean;
+    memory: boolean;
+    ollama: boolean;
+    server: boolean;
+    ui: boolean;
+    mesh: boolean;
+    alerting: boolean;
+    spawning: boolean;
+    governance: boolean;
+}
+export declare const TIER_CAPS: Record<TierName, TierCapabilities>;
+export interface ActivationToken {
+    /** Unique token ID — used for revocation checks */
+    jti: string;
+    tier: TierName;
+    org: string;
+    email: string;
+    issued: string;
+    expires: string;
+}
+export interface RegistrationRequest {
+    name: string;
+    email: string;
+    instanceId: string;
+    requestedAt: string;
+}
+export interface FreezeSignal {
+    jti: string;
+    reason: string;
+    issuedBy: string;
+    issuedAt: string;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/tier/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/tier/types.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,MAAM,MAAM,QAAQ,GAAG,OAAO,GAAG,MAAM,GAAG,OAAO,GAAG,QAAQ,CAAC;AAE7D,eAAO,MAAM,UAAU,EAAE,MAAM,CAAC,QAAQ,EAAE,MAAM,CAK/C,CAAC;AAEF,MAAM,WAAW,gBAAgB;IAC/B,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,EAAE,OAAO,CAAC;IAChB,MAAM,EAAE,OAAO,CAAC;IAChB,MAAM,EAAE,OAAO,CAAC;IAChB,EAAE,EAAE,OAAO,CAAC;IACZ,IAAI,EAAE,OAAO,CAAC;IACd,QAAQ,EAAE,OAAO,CAAC;IAClB,QAAQ,EAAE,OAAO,CAAC;IAClB,UAAU,EAAE,OAAO,CAAC;CACrB;AAED,eAAO,MAAM,SAAS,EAAE,MAAM,CAAC,QAAQ,EAAE,gBAAgB,CA6CxD,CAAC;AAEF,MAAM,WAAW,eAAe;IAC9B,mDAAmD;IACnD,GAAG,EAAE,MAAM,CAAC;IACZ,IAAI,EAAE,QAAQ,CAAC;IACf,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,mBAAmB;IAClC,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,YAAY;IAC3B,GAAG,EAAE,MAAM,CAAC;IACZ,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;CAClB"}

package/dist/tier/types.js

@@ -0,0 +1,61 @@
+/**
+ * Tier system — capability levels gated by trust.
+ *
+ * Level 1: Local    — brain + Ollama, zero network
+ * Level 2: BYOK     — full server/UI/mesh, your keys
+ * Level 3: Spawn    — agent spawning + multi-agent orchestration
+ * Level 4: Hosted   — runs on Herrman Group infrastructure
+ */
+export const TIER_LEVEL = {
+    local: 1,
+    byok: 2,
+    spawn: 3,
+    hosted: 4,
+};
+export const TIER_CAPS = {
+    local: {
+        brain: true,
+        memory: true,
+        ollama: true,
+        server: false,
+        ui: false,
+        mesh: false,
+        alerting: false,
+        spawning: false,
+        governance: false,
+    },
+    byok: {
+        brain: true,
+        memory: true,
+        ollama: true,
+        server: true,
+        ui: true,
+        mesh: true,
+        alerting: true,
+        spawning: false,
+        governance: false,
+    },
+    spawn: {
+        brain: true,
+        memory: true,
+        ollama: true,
+        server: true,
+        ui: true,
+        mesh: true,
+        alerting: true,
+        spawning: true,
+        governance: true,
+    },
+    hosted: {
+        brain: true,
+        memory: true,
+        ollama: true,
+        server: true,
+        ui: true,
+        mesh: true,
+        alerting: true,
+        spawning: true,
+        governance: true,
+    },
+};
+//# sourceMappingURL=types.js.map

package/dist/tier/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/tier/types.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAIH,MAAM,CAAC,MAAM,UAAU,GAA6B;IAClD,KAAK,EAAE,CAAC;IACR,IAAI,EAAE,CAAC;IACP,KAAK,EAAE,CAAC;IACR,MAAM,EAAE,CAAC;CACV,CAAC;AAcF,MAAM,CAAC,MAAM,SAAS,GAAuC;IAC3D,KAAK,EAAE;QACL,KAAK,EAAE,IAAI;QACX,MAAM,EAAE,IAAI;QACZ,MAAM,EAAE,IAAI;QACZ,MAAM,EAAE,KAAK;QACb,EAAE,EAAE,KAAK;QACT,IAAI,EAAE,KAAK;QACX,QAAQ,EAAE,KAAK;QACf,QAAQ,EAAE,KAAK;QACf,UAAU,EAAE,KAAK;KAClB;IACD,IAAI,EAAE;QACJ,KAAK,EAAE,IAAI;QACX,MAAM,EAAE,IAAI;QACZ,MAAM,EAAE,IAAI;QACZ,MAAM,EAAE,IAAI;QACZ,EAAE,EAAE,IAAI;QACR,IAAI,EAAE,IAAI;QACV,QAAQ,EAAE,IAAI;QACd,QAAQ,EAAE,KAAK;QACf,UAAU,EAAE,KAAK;KAClB;IACD,KAAK,EAAE;QACL,KAAK,EAAE,IAAI;QACX,MAAM,EAAE,IAAI;QACZ,MAAM,EAAE,IAAI;QACZ,MAAM,EAAE,IAAI;QACZ,EAAE,EAAE,IAAI;QACR,IAAI,EAAE,IAAI;QACV,QAAQ,EAAE,IAAI;QACd,QAAQ,EAAE,IAAI;QACd,UAAU,EAAE,IAAI;KACjB;IACD,MAAM,EAAE;QACN,KAAK,EAAE,IAAI;QACX,MAAM,EAAE,IAAI;QACZ,MAAM,EAAE,IAAI;QACZ,MAAM,EAAE,IAAI;QACZ,EAAE,EAAE,IAAI;QACR,IAAI,EAAE,IAAI;QACV,QAAQ,EAAE,IAAI;QACd,QAAQ,EAAE,IAAI;QACd,UAAU,EAAE,IAAI;KACjB;CACF,CAAC"}

package/dist/updater.d.ts

@@ -0,0 +1,32 @@
+/**
+ * Auto-updater — silent updates for non-UI changes, human approval for UI changes.
+ *
+ * Rule: if the human can't see it, feel it, or interact with it differently, ship it.
+ * Only gate on changes that affect the human's experience.
+ *
+ * Semver contract:
+ *   patch (0.0.x) — silent. Bug fixes, security, scoring geometry.
+ *   minor (0.x.0) — silent. New capabilities activate automatically.
+ *   major (x.0.0) — ask. UI/nerve/contract changes. Human decides.
+ */
+interface VersionInfo {
+    current: string;
+    latest: string;
+    updateType: "patch" | "minor" | "major" | "none";
+    requiresApproval: boolean;
+}
+/** Check for updates and return version info. */
+export declare function checkUpdate(): Promise<VersionInfo | null>;
+/**
+ * Run the auto-update cycle. Called after server is running.
+ *
+ * - patch/minor: apply silently, restart
+ * - major: return info for nerve state to surface to human
+ */
+export declare function autoUpdate(): Promise<VersionInfo | null>;
+/**
+ * Accept a pending major update. Called when human approves via UI.
+ */
+export declare function acceptMajorUpdate(): Promise<void>;
+export {};
+//# sourceMappingURL=updater.d.ts.map

package/dist/updater.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"updater.d.ts","sourceRoot":"","sources":["../src/updater.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AASH,UAAU,WAAW;IACnB,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,OAAO,GAAG,OAAO,GAAG,OAAO,GAAG,MAAM,CAAC;IACjD,gBAAgB,EAAE,OAAO,CAAC;CAC3B;AA2CD,iDAAiD;AACjD,wBAAsB,WAAW,IAAI,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAc/D;AAuCD;;;;;GAKG;AACH,wBAAsB,UAAU,IAAI,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAqB9D;AAED;;GAEG;AACH,wBAAsB,iBAAiB,IAAI,OAAO,CAAC,IAAI,CAAC,CASvD"}

package/dist/updater.js

@@ -0,0 +1,145 @@
+/**
+ * Auto-updater — silent updates for non-UI changes, human approval for UI changes.
+ *
+ * Rule: if the human can't see it, feel it, or interact with it differently, ship it.
+ * Only gate on changes that affect the human's experience.
+ *
+ * Semver contract:
+ *   patch (0.0.x) — silent. Bug fixes, security, scoring geometry.
+ *   minor (0.x.0) — silent. New capabilities activate automatically.
+ *   major (x.0.0) — ask. UI/nerve/contract changes. Human decides.
+ */
+import { exec, spawn } from "node:child_process";
+import { readFile } from "node:fs/promises";
+import { createLogger } from "./utils/logger.js";
+const log = createLogger("updater");
+const PKG_NAME = "@runcore-sh/runcore";
+/** Parse semver into [major, minor, patch]. */
+function parseSemver(v) {
+    const parts = v.replace(/^v/, "").split(".").map(Number);
+    return [parts[0] ?? 0, parts[1] ?? 0, parts[2] ?? 0];
+}
+/** Determine update type between two versions. */
+function compareVersions(current, latest) {
+    const [cMaj, cMin, cPat] = parseSemver(current);
+    const [lMaj, lMin, lPat] = parseSemver(latest);
+    if (lMaj > cMaj)
+        return "major";
+    if (lMaj === cMaj && lMin > cMin)
+        return "minor";
+    if (lMaj === cMaj && lMin === cMin && lPat > cPat)
+        return "patch";
+    return "none";
+}
+/** Read current version from package.json. */
+async function getCurrentVersion() {
+    try {
+        const pkg = JSON.parse(await readFile(new URL("../package.json", import.meta.url), "utf-8"));
+        return pkg.version ?? "0.0.0";
+    }
+    catch {
+        return "0.0.0";
+    }
+}
+/** Fetch latest version from npm registry. */
+async function fetchLatestVersion() {
+    try {
+        const res = await fetch(`https://registry.npmjs.org/${PKG_NAME}/latest`, {
+            signal: AbortSignal.timeout(5000),
+        });
+        if (!res.ok)
+            return null;
+        const data = (await res.json());
+        return data.version ?? null;
+    }
+    catch {
+        return null;
+    }
+}
+/** Check for updates and return version info. */
+export async function checkUpdate() {
+    const current = await getCurrentVersion();
+    const latest = await fetchLatestVersion();
+    if (!latest)
+        return null;
+    const updateType = compareVersions(current, latest);
+    if (updateType === "none")
+        return null;
+    return {
+        current,
+        latest,
+        updateType,
+        requiresApproval: updateType === "major",
+    };
+}
+/** Apply update — runs npm update, then restarts the process. */
+function applyUpdate(latest) {
+    return new Promise((resolve, reject) => {
+        log.info(`Applying update to v${latest}...`);
+        // Detect if globally installed or local
+        const isGlobal = process.argv[1]?.includes("node_modules/.bin") === false;
+        const cmd = isGlobal
+            ? `npm i -g ${PKG_NAME}@${latest}`
+            : `npm update ${PKG_NAME}`;
+        exec(cmd, { timeout: 120_000 }, (err) => {
+            if (err) {
+                log.warn(`Update failed: ${err.message}`);
+                reject(err);
+                return;
+            }
+            log.info(`Updated to v${latest}`);
+            resolve();
+        });
+    });
+}
+/** Restart the current process with the same arguments. */
+function restart() {
+    const args = process.argv.slice(1);
+    log.info("Restarting...");
+    const child = spawn(process.execPath, args, {
+        stdio: "inherit",
+        detached: true,
+    });
+    child.unref();
+    process.exit(0);
+}
+/**
+ * Run the auto-update cycle. Called after server is running.
+ *
+ * - patch/minor: apply silently, restart
+ * - major: return info for nerve state to surface to human
+ */
+export async function autoUpdate() {
+    const info = await checkUpdate();
+    if (!info)
+        return null;
+    if (info.requiresApproval) {
+        // Major update — don't touch anything. Surface through nerve state.
+        log.info(`Major update available: v${info.current} → v${info.latest} (requires approval)`);
+        return info;
+    }
+    // Patch or minor — silent update
+    log.info(`Auto-updating: v${info.current} → v${info.latest} (${info.updateType})`);
+    try {
+        await applyUpdate(info.latest);
+        restart();
+    }
+    catch {
+        // Update failed — not critical, try again next boot
+        log.warn("Auto-update failed, will retry next startup");
+    }
+    return null;
+}
+/**
+ * Accept a pending major update. Called when human approves via UI.
+ */
+export async function acceptMajorUpdate() {
+    const info = await checkUpdate();
+    if (!info || info.updateType !== "major") {
+        log.info("No major update pending");
+        return;
+    }
+    await applyUpdate(info.latest);
+    restart();
+}
+//# sourceMappingURL=updater.js.map

package/dist/updater.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"updater.js","sourceRoot":"","sources":["../src/updater.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAEjD,MAAM,GAAG,GAAG,YAAY,CAAC,SAAS,CAAC,CAAC;AACpC,MAAM,QAAQ,GAAG,qBAAqB,CAAC;AASvC,+CAA+C;AAC/C,SAAS,WAAW,CAAC,CAAS;IAC5B,MAAM,KAAK,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACzD,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;AACvD,CAAC;AAED,kDAAkD;AAClD,SAAS,eAAe,CAAC,OAAe,EAAE,MAAc;IACtD,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,GAAG,WAAW,CAAC,OAAO,CAAC,CAAC;IAChD,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC;IAE/C,IAAI,IAAI,GAAG,IAAI;QAAE,OAAO,OAAO,CAAC;IAChC,IAAI,IAAI,KAAK,IAAI,IAAI,IAAI,GAAG,IAAI;QAAE,OAAO,OAAO,CAAC;IACjD,IAAI,IAAI,KAAK,IAAI,IAAI,IAAI,KAAK,IAAI,IAAI,IAAI,GAAG,IAAI;QAAE,OAAO,OAAO,CAAC;IAClE,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,8CAA8C;AAC9C,KAAK,UAAU,iBAAiB;IAC9B,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,QAAQ,CAAC,IAAI,GAAG,CAAC,iBAAiB,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,OAAO,CAAC,CAAC,CAAC;QAC7F,OAAO,GAAG,CAAC,OAAO,IAAI,OAAO,CAAC;IAChC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,OAAO,CAAC;IACjB,CAAC;AACH,CAAC;AAED,8CAA8C;AAC9C,KAAK,UAAU,kBAAkB;IAC/B,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,8BAA8B,QAAQ,SAAS,EAAE;YACvE,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC;SAClC,CAAC,CAAC;QACH,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,OAAO,IAAI,CAAC;QACzB,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAwB,CAAC;QACvD,OAAO,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC;IAC9B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,iDAAiD;AACjD,MAAM,CAAC,KAAK,UAAU,WAAW;IAC/B,MAAM,OAAO,GAAG,MAAM,iBAAiB,EAAE,CAAC;IAC1C,MAAM,MAAM,GAAG,MAAM,kBAAkB,EAAE,CAAC;IAC1C,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IAEzB,MAAM,UAAU,GAAG,eAAe,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IACpD,IAAI,UAAU,KAAK,MAAM;QAAE,OAAO,IAAI,CAAC;IAEvC,OAAO;QACL,OAAO;QACP,MAAM;QACN,UAAU;QACV,gBAAgB,EAAE,UAAU,KAAK,OAAO;KACzC,CAAC;AACJ,CAAC;AAED,iEAAiE;AACjE,SAAS,WAAW,CAAC,MAAc;IACjC,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,GAAG,CAAC,IAAI,CAAC,uBAAuB,MAAM,KAAK,CAAC,CAAC;QAE7C,wCAAwC;QACxC,MAAM,QAAQ,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,QAAQ,CAAC,mBAAmB,CAAC,KAAK,KAAK,CAAC;QAC1E,MAAM,GAAG,GAAG,QAAQ;YAClB,CAAC,CAAC,YAAY,QAAQ,IAAI,MAAM,EAAE;YAClC,CAAC,CAAC,cAAc,QAAQ,EAAE,CAAC;QAE7B,IAAI,CAAC,GAAG,EAAE,EAAE,OAAO,EAAE,OAAO,EAAE,EAAE,CAAC,GAAG,EAAE,EAAE;YACtC,IAAI,GAAG,EAAE,CAAC;gBACR,GAAG,CAAC,IAAI,CAAC,kBAAkB,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;gBAC1C,MAAM,CAAC,GAAG,CAAC,CAAC;gBACZ,OAAO;YACT,CAAC;YACD,GAAG,CAAC,IAAI,CAAC,eAAe,MAAM,EAAE,CAAC,CAAC;YAClC,OAAO,EAAE,CAAC;QACZ,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED,2DAA2D;AAC3D,SAAS,OAAO;IACd,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IACnC,GAAG,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;IAE1B,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,QAAQ,EAAE,IAAI,EAAE;QAC1C,KAAK,EAAE,SAAS;QAChB,QAAQ,EAAE,IAAI;KACf,CAAC,CAAC;IAEH,KAAK,CAAC,KAAK,EAAE,CAAC;IACd,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU;IAC9B,MAAM,IAAI,GAAG,MAAM,WAAW,EAAE,CAAC;IACjC,IAAI,CAAC,IAAI;QAAE,OAAO,IAAI,CAAC;IAEvB,IAAI,IAAI,CAAC,gBAAgB,EAAE,CAAC;QAC1B,oEAAoE;QACpE,GAAG,CAAC,IAAI,CAAC,4BAA4B,IAAI,CAAC,OAAO,OAAO,IAAI,CAAC,MAAM,sBAAsB,CAAC,CAAC;QAC3F,OAAO,IAAI,CAAC;IACd,CAAC;IAED,iCAAiC;IACjC,GAAG,CAAC,IAAI,CAAC,mBAAmB,IAAI,CAAC,OAAO,OAAO,IAAI,CAAC,MAAM,KAAK,IAAI,CAAC,UAAU,GAAG,CAAC,CAAC;IACnF,IAAI,CAAC;QACH,MAAM,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC/B,OAAO,EAAE,CAAC;IACZ,CAAC;IAAC,MAAM,CAAC;QACP,oDAAoD;QACpD,GAAG,CAAC,IAAI,CAAC,6CAA6C,CAAC,CAAC;IAC1D,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB;IACrC,MAAM,IAAI,GAAG,MAAM,WAAW,EAAE,CAAC;IACjC,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,UAAU,KAAK,OAAO,EAAE,CAAC;QACzC,GAAG,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC;QACpC,OAAO;IACT,CAAC;IAED,MAAM,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC/B,OAAO,EAAE,CAAC;AACZ,CAAC"}

package/dist/vault/policy.d.ts

@@ -0,0 +1,42 @@
+/**
+ * Vault Policy Loader — classifies brain paths into access tiers.
+ *
+ * Reads brain/vault.policy.yaml and caches on first load.
+ * Tiers: open | community | secured. Default from `default_tier` field.
+ *
+ * Hand-rolled YAML parser (no external deps). Reuses pattern from
+ * sensitive-registry.ts.
+ */
+export type VaultTier = "open" | "community" | "secured";
+export interface VaultPolicy {
+    owner: string;
+    tiers: {
+        open: string[];
+        community: string[];
+        secured: string[];
+    };
+    defaultTier: VaultTier;
+}
+/**
+ * Load and cache the vault policy. Returns cached on subsequent calls.
+ */
+export declare function loadVaultPolicy(): Promise<VaultPolicy>;
+/**
+ * Synchronous load — for use where async is not available.
+ */
+export declare function loadVaultPolicySync(): VaultPolicy;
+/**
+ * Get the cached policy (loads synchronously if not yet cached).
+ */
+export declare function getVaultPolicy(): VaultPolicy;
+/**
+ * Classify a brain-relative path into a vault tier.
+ * Checks secured first (most restrictive), then open, then community.
+ * Falls back to default_tier if no pattern matches.
+ */
+export declare function classifyPath(relPath: string): VaultTier;
+/**
+ * Force reload of vault policy (e.g. after policy file changes).
+ */
+export declare function reloadVaultPolicy(): Promise<VaultPolicy>;
+//# sourceMappingURL=policy.d.ts.map

package/dist/vault/policy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy.d.ts","sourceRoot":"","sources":["../../src/vault/policy.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAeH,MAAM,MAAM,SAAS,GAAG,MAAM,GAAG,WAAW,GAAG,SAAS,CAAC;AAEzD,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE;QACL,IAAI,EAAE,MAAM,EAAE,CAAC;QACf,SAAS,EAAE,MAAM,EAAE,CAAC;QACpB,OAAO,EAAE,MAAM,EAAE,CAAC;KACnB,CAAC;IACF,WAAW,EAAE,SAAS,CAAC;CACxB;AA6ED;;GAEG;AACH,wBAAsB,eAAe,IAAI,OAAO,CAAC,WAAW,CAAC,CAoB5D;AAED;;GAEG;AACH,wBAAgB,mBAAmB,IAAI,WAAW,CAajD;AAED;;GAEG;AACH,wBAAgB,cAAc,IAAI,WAAW,CAG5C;AAED;;;;GAIG;AACH,wBAAgB,YAAY,CAAC,OAAO,EAAE,MAAM,GAAG,SAAS,CASvD;AAED;;GAEG;AACH,wBAAsB,iBAAiB,IAAI,OAAO,CAAC,WAAW,CAAC,CAG9D"}