@sentinel-atl/stepup 0.1.1

package/README.md

@@ -0,0 +1,56 @@
+# @sentinel-atl/stepup
+
+Step-up authentication — re-prompt humans for sensitive agent actions.
+
+## Features
+
+- **Policy-based triggers** — define when step-up auth is required (scope, risk, time-based)
+- **Challenge-response** — time-bounded, single-use approval tokens
+- **Multi-factor** — support for TOTP, biometric, and custom challenge types
+- **Audit integration** — all step-up events logged
+
+## Install
+
+```bash
+npm install @sentinel-atl/stepup
+```
+
+## Quick Start
+
+```ts
+import { StepUpManager } from '@sentinel-atl/stepup';
+
+const mgr = new StepUpManager({
+  auditLog,
+  policies: [
+    { trigger: 'scope', scopes: ['admin:*'], challengeType: 'totp' },
+    { trigger: 'risk_score', threshold: 0.8, challengeType: 'biometric' },
+  ],
+});
+
+// Check if step-up is needed
+const result = mgr.evaluate({
+  agentDid: 'did:key:z6Mk...',
+  requestedScopes: ['admin:delete'],
+});
+
+if (result.required) {
+  // Present challenge to human
+  const challenge = mgr.createChallenge(result);
+  // ... human responds ...
+  const approval = mgr.verifyResponse(challenge, response);
+}
+```
+
+## API
+
+| Method | Description |
+|---|---|
+| `new StepUpManager(config)` | Create manager with policies |
+| `evaluate(context)` | Check if step-up is required |
+| `createChallenge(result)` | Create a time-bounded challenge |
+| `verifyResponse(challenge, response)` | Verify human response |
+
+## License
+
+MIT

package/dist/__tests__/stepup.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=stepup.test.d.ts.map

package/dist/__tests__/stepup.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"stepup.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/stepup.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/stepup.test.js

@@ -0,0 +1,137 @@
+import { describe, it, expect, beforeEach } from 'vitest';
+import { StepUpManager } from '../index.js';
+import { InMemoryKeyProvider, publicKeyToDid } from '@sentinel-atl/core';
+async function makeIdentity(kp, name) {
+    await kp.generate(name);
+    const pubKey = await kp.getPublicKey(name);
+    return { keyId: name, did: publicKeyToDid(pubKey) };
+}
+describe('@sentinel-atl/stepup', () => {
+    let manager;
+    let principalKP;
+    let principal;
+    let agentKP;
+    let agent;
+    beforeEach(async () => {
+        principalKP = new InMemoryKeyProvider();
+        principal = await makeIdentity(principalKP, 'human');
+        agentKP = new InMemoryKeyProvider();
+        agent = await makeIdentity(agentKP, 'agent');
+        manager = new StepUpManager({
+            alwaysRequireActions: ['delete_account', 'transfer_funds'],
+            sensitivityLevels: ['high', 'critical'],
+            challengeTimeoutMs: 5 * 60_000,
+            maxPendingChallenges: 3,
+        });
+    });
+    // ─── requiresStepUp ────────────────────────────────────────────
+    describe('requiresStepUp', () => {
+        it('requires step-up for explicit actions', () => {
+            const result = manager.requiresStepUp('delete_account');
+            expect(result.required).toBe(true);
+            expect(result.trigger).toBe('policy_rule');
+        });
+        it('requires step-up for high sensitivity', () => {
+            const result = manager.requiresStepUp('some_action', 'high');
+            expect(result.required).toBe(true);
+            expect(result.trigger).toBe('sensitivity_high');
+        });
+        it('requires step-up for critical sensitivity', () => {
+            const result = manager.requiresStepUp('some_action', 'critical');
+            expect(result.required).toBe(true);
+            expect(result.trigger).toBe('sensitivity_critical');
+        });
+        it('does not require step-up for low sensitivity', () => {
+            const result = manager.requiresStepUp('read_email', 'low');
+            expect(result.required).toBe(false);
+        });
+        it('does not require step-up for unknown actions', () => {
+            const result = manager.requiresStepUp('read_email');
+            expect(result.required).toBe(false);
+        });
+    });
+    // ─── Challenge creation ────────────────────────────────────────
+    describe('challenges', () => {
+        it('creates a challenge', () => {
+            const challenge = manager.createChallenge(agent.did, principal.did, 'delete_account', ['admin:delete'], 'policy_rule', 'Delete user account #12345');
+            expect(challenge.challengeId).toMatch(/^stepup-/);
+            expect(challenge.agentDid).toBe(agent.did);
+            expect(challenge.principalDid).toBe(principal.did);
+            expect(challenge.action).toBe('delete_account');
+            expect(challenge.nonce).toBeDefined();
+            expect(challenge.expiresAt).toBeDefined();
+            expect(manager.getPendingCount()).toBe(1);
+        });
+        it('enforces max pending challenges', () => {
+            for (let i = 0; i < 3; i++) {
+                manager.createChallenge(agent.did, principal.did, `action_${i}`, [], 'policy_rule', `Action ${i}`);
+            }
+            expect(() => {
+                manager.createChallenge(agent.did, principal.did, 'action_4', [], 'policy_rule', 'Action 4');
+            }).toThrow('Max pending challenges');
+        });
+        it('cancels a challenge', () => {
+            const challenge = manager.createChallenge(agent.did, principal.did, 'test', [], 'policy_rule', 'Test');
+            expect(manager.getPendingCount()).toBe(1);
+            manager.cancelChallenge(challenge.challengeId);
+            expect(manager.getPendingCount()).toBe(0);
+        });
+    });
+    // ─── Approval flow ─────────────────────────────────────────────
+    describe('approval flow', () => {
+        let challenge;
+        beforeEach(() => {
+            challenge = manager.createChallenge(agent.did, principal.did, 'transfer_funds', ['payment:transfer'], 'sensitivity_high', 'Transfer $5,000 to vendor');
+        });
+        it('approves with valid principal signature', async () => {
+            const approval = await manager.signApproval(principalKP, principal.keyId, challenge, 'approved');
+            const result = await manager.verifyApproval(approval);
+            expect(result.approved).toBe(true);
+            expect(result.challengeId).toBe(challenge.challengeId);
+        });
+        it('handles denial', async () => {
+            const approval = await manager.signApproval(principalKP, principal.keyId, challenge, 'denied');
+            const result = await manager.verifyApproval(approval);
+            expect(result.approved).toBe(false);
+            expect(result.error).toContain('Denied by principal');
+        });
+        it('rejects wrong signer', async () => {
+            // Agent tries to approve instead of principal
+            const fakeApproval = await manager.signApproval(agentKP, agent.keyId, challenge, 'approved');
+            // Override the principalDid to match challenge (spoofing attempt)
+            // The signature won't match principal's key
+            const result = await manager.verifyApproval(fakeApproval);
+            expect(result.approved).toBe(false);
+        });
+        it('prevents replay (second use of same challenge)', async () => {
+            const approval = await manager.signApproval(principalKP, principal.keyId, challenge, 'approved');
+            // First use succeeds
+            const r1 = await manager.verifyApproval(approval);
+            expect(r1.approved).toBe(true);
+            // Replay fails (challenge consumed)
+            const r2 = await manager.verifyApproval(approval);
+            expect(r2.approved).toBe(false);
+            expect(r2.error).toContain('not found or already consumed');
+        });
+        it('rejects expired challenge', async () => {
+            // Create manager with 0ms timeout
+            const fastManager = new StepUpManager({ challengeTimeoutMs: 0 });
+            const expiredChallenge = fastManager.createChallenge(agent.did, principal.did, 'test', [], 'policy_rule', 'Expired test');
+            // Wait a tick for expiry
+            await new Promise(r => setTimeout(r, 5));
+            const approval = await fastManager.signApproval(principalKP, principal.keyId, expiredChallenge, 'approved');
+            const result = await fastManager.verifyApproval(approval);
+            expect(result.approved).toBe(false);
+            expect(result.error).toContain('expired');
+        });
+        it('rejects principal DID mismatch', async () => {
+            const approval = await manager.signApproval(principalKP, principal.keyId, challenge, 'approved');
+            // Tamper with the principal DID
+            approval.principalDid = agent.did;
+            const result = await manager.verifyApproval(approval);
+            expect(result.approved).toBe(false);
+            expect(result.error).toContain('mismatch');
+        });
+    });
+});
+//# sourceMappingURL=stepup.test.js.map

package/dist/__tests__/stepup.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"stepup.test.js","sourceRoot":"","sources":["../../src/__tests__/stepup.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AAC1D,OAAO,EAAE,aAAa,EAAwB,MAAM,aAAa,CAAC;AAClE,OAAO,EAAE,mBAAmB,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AAEzE,KAAK,UAAU,YAAY,CAAC,EAAuB,EAAE,IAAY;IAC/D,MAAM,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;IACxB,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC;IAC3C,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,GAAG,EAAE,cAAc,CAAC,MAAM,CAAC,EAAE,CAAC;AACtD,CAAC;AAED,QAAQ,CAAC,sBAAsB,EAAE,GAAG,EAAE;IACpC,IAAI,OAAsB,CAAC;IAC3B,IAAI,WAAgC,CAAC;IACrC,IAAI,SAAyC,CAAC;IAC9C,IAAI,OAA4B,CAAC;IACjC,IAAI,KAAqC,CAAC;IAE1C,UAAU,CAAC,KAAK,IAAI,EAAE;QACpB,WAAW,GAAG,IAAI,mBAAmB,EAAE,CAAC;QACxC,SAAS,GAAG,MAAM,YAAY,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC;QACrD,OAAO,GAAG,IAAI,mBAAmB,EAAE,CAAC;QACpC,KAAK,GAAG,MAAM,YAAY,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QAC7C,OAAO,GAAG,IAAI,aAAa,CAAC;YAC1B,oBAAoB,EAAE,CAAC,gBAAgB,EAAE,gBAAgB,CAAC;YAC1D,iBAAiB,EAAE,CAAC,MAAM,EAAE,UAAU,CAAC;YACvC,kBAAkB,EAAE,CAAC,GAAG,MAAM;YAC9B,oBAAoB,EAAE,CAAC;SACxB,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,kEAAkE;IAElE,QAAQ,CAAC,gBAAgB,EAAE,GAAG,EAAE;QAC9B,EAAE,CAAC,uCAAuC,EAAE,GAAG,EAAE;YAC/C,MAAM,MAAM,GAAG,OAAO,CAAC,cAAc,CAAC,gBAAgB,CAAC,CAAC;YACxD,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACnC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QAC7C,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,uCAAuC,EAAE,GAAG,EAAE;YAC/C,MAAM,MAAM,GAAG,OAAO,CAAC,cAAc,CAAC,aAAa,EAAE,MAAM,CAAC,CAAC;YAC7D,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACnC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;QAClD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,2CAA2C,EAAE,GAAG,EAAE;YACnD,MAAM,MAAM,GAAG,OAAO,CAAC,cAAc,CAAC,aAAa,EAAE,UAAU,CAAC,CAAC;YACjE,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACnC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC;QACtD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,8CAA8C,EAAE,GAAG,EAAE;YACtD,MAAM,MAAM,GAAG,OAAO,CAAC,cAAc,CAAC,YAAY,EAAE,KAAK,CAAC,CAAC;YAC3D,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACtC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,8CAA8C,EAAE,GAAG,EAAE;YACtD,MAAM,MAAM,GAAG,OAAO,CAAC,cAAc,CAAC,YAAY,CAAC,CAAC;YACpD,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACtC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,kEAAkE;IAElE,QAAQ,CAAC,YAAY,EAAE,GAAG,EAAE;QAC1B,EAAE,CAAC,qBAAqB,EAAE,GAAG,EAAE;YAC7B,MAAM,SAAS,GAAG,OAAO,CAAC,eAAe,CACvC,KAAK,CAAC,GAAG,EAAE,SAAS,CAAC,GAAG,EACxB,gBAAgB,EAAE,CAAC,cAAc,CAAC,EAClC,aAAa,EAAE,4BAA4B,CAC5C,CAAC;YAEF,MAAM,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;YAClD,MAAM,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC3C,MAAM,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;YACnD,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;YAChD,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC;YACtC,MAAM,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE,CAAC;YAC1C,MAAM,CAAC,OAAO,CAAC,eAAe,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAC5C,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,iCAAiC,EAAE,GAAG,EAAE;YACzC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;gBAC3B,OAAO,CAAC,eAAe,CACrB,KAAK,CAAC,GAAG,EAAE,SAAS,CAAC,GAAG,EACxB,UAAU,CAAC,EAAE,EAAE,EAAE,EAAE,aAAa,EAAE,UAAU,CAAC,EAAE,CAChD,CAAC;YACJ,CAAC;YAED,MAAM,CAAC,GAAG,EAAE;gBACV,OAAO,CAAC,eAAe,CACrB,KAAK,CAAC,GAAG,EAAE,SAAS,CAAC,GAAG,EACxB,UAAU,EAAE,EAAE,EAAE,aAAa,EAAE,UAAU,CAC1C,CAAC;YACJ,CAAC,CAAC,CAAC,OAAO,CAAC,wBAAwB,CAAC,CAAC;QACvC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,qBAAqB,EAAE,GAAG,EAAE;YAC7B,MAAM,SAAS,GAAG,OAAO,CAAC,eAAe,CACvC,KAAK,CAAC,GAAG,EAAE,SAAS,CAAC,GAAG,EACxB,MAAM,EAAE,EAAE,EAAE,aAAa,EAAE,MAAM,CAClC,CAAC;YACF,MAAM,CAAC,OAAO,CAAC,eAAe,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAC1C,OAAO,CAAC,eAAe,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;YAC/C,MAAM,CAAC,OAAO,CAAC,eAAe,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAC5C,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,kEAAkE;IAElE,QAAQ,CAAC,eAAe,EAAE,GAAG,EAAE;QAC7B,IAAI,SAA0B,CAAC;QAE/B,UAAU,CAAC,GAAG,EAAE;YACd,SAAS,GAAG,OAAO,CAAC,eAAe,CACjC,KAAK,CAAC,GAAG,EAAE,SAAS,CAAC,GAAG,EACxB,gBAAgB,EAAE,CAAC,kBAAkB,CAAC,EACtC,kBAAkB,EAAE,2BAA2B,CAChD,CAAC;QACJ,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,yCAAyC,EAAE,KAAK,IAAI,EAAE;YACvD,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,YAAY,CACzC,WAAW,EAAE,SAAS,CAAC,KAAK,EAAE,SAAS,EAAE,UAAU,CACpD,CAAC;YACF,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC;YACtD,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACnC,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;QACzD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,gBAAgB,EAAE,KAAK,IAAI,EAAE;YAC9B,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,YAAY,CACzC,WAAW,EAAE,SAAS,CAAC,KAAK,EAAE,SAAS,EAAE,QAAQ,CAClD,CAAC;YACF,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC;YACtD,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACpC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,qBAAqB,CAAC,CAAC;QACxD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,sBAAsB,EAAE,KAAK,IAAI,EAAE;YACpC,8CAA8C;YAC9C,MAAM,YAAY,GAAG,MAAM,OAAO,CAAC,YAAY,CAC7C,OAAO,EAAE,KAAK,CAAC,KAAK,EAAE,SAAS,EAAE,UAAU,CAC5C,CAAC;YACF,kEAAkE;YAClE,4CAA4C;YAC5C,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,cAAc,CAAC,YAAY,CAAC,CAAC;YAC1D,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACtC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,gDAAgD,EAAE,KAAK,IAAI,EAAE;YAC9D,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,YAAY,CACzC,WAAW,EAAE,SAAS,CAAC,KAAK,EAAE,SAAS,EAAE,UAAU,CACpD,CAAC;YAEF,qBAAqB;YACrB,MAAM,EAAE,GAAG,MAAM,OAAO,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC;YAClD,MAAM,CAAC,EAAE,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAE/B,oCAAoC;YACpC,MAAM,EAAE,GAAG,MAAM,OAAO,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC;YAClD,MAAM,CAAC,EAAE,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YAChC,MAAM,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,+BAA+B,CAAC,CAAC;QAC9D,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,2BAA2B,EAAE,KAAK,IAAI,EAAE;YACzC,kCAAkC;YAClC,MAAM,WAAW,GAAG,IAAI,aAAa,CAAC,EAAE,kBAAkB,EAAE,CAAC,EAAE,CAAC,CAAC;YACjE,MAAM,gBAAgB,GAAG,WAAW,CAAC,eAAe,CAClD,KAAK,CAAC,GAAG,EAAE,SAAS,CAAC,GAAG,EACxB,MAAM,EAAE,EAAE,EAAE,aAAa,EAAE,cAAc,CAC1C,CAAC;YAEF,yBAAyB;YACzB,MAAM,IAAI,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;YAEzC,MAAM,QAAQ,GAAG,MAAM,WAAW,CAAC,YAAY,CAC7C,WAAW,EAAE,SAAS,CAAC,KAAK,EAAE,gBAAgB,EAAE,UAAU,CAC3D,CAAC;YACF,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC;YAC1D,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACpC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;QAC5C,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,gCAAgC,EAAE,KAAK,IAAI,EAAE;YAC9C,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,YAAY,CACzC,WAAW,EAAE,SAAS,CAAC,KAAK,EAAE,SAAS,EAAE,UAAU,CACpD,CAAC;YACF,gCAAgC;YAChC,QAAQ,CAAC,YAAY,GAAG,KAAK,CAAC,GAAG,CAAC;YAElC,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC;YACtD,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACpC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;QAC7C,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,113 @@
+/**
+ * @sentinel-atl/stepup — Step-Up Authentication for Sensitive Actions
+ *
+ * When an agent is about to do something high-sensitivity — authorize a
+ * large payment, delete data, modify permissions — the trust pipeline
+ * should PAUSE and ask the human principal to re-confirm.
+ *
+ * This is the "Are you sure?" for AI agents, but cryptographically backed.
+ *
+ * How it works:
+ *
+ * 1. Agent detects a sensitive action (via VC sensitivity level or policy rules)
+ * 2. Agent creates a `StepUpChallenge` describing what it wants to do
+ * 3. Challenge is sent to the human principal
+ * 4. Human signs an `StepUpApproval` (proving they reviewed + approved)
+ * 5. Agent proceeds only if the approval signature is valid and timely
+ *
+ * The challenge is time-bounded and single-use to prevent replay.
+ */
+import { type KeyProvider, type SensitivityLevel } from '@sentinel-atl/core';
+import { AuditLog } from '@sentinel-atl/audit';
+export interface StepUpChallenge {
+    /** Unique challenge ID */
+    challengeId: string;
+    /** The agent requesting approval */
+    agentDid: string;
+    /** The human principal being asked to approve */
+    principalDid: string;
+    /** Human-readable description of the action */
+    actionDescription: string;
+    /** Machine-readable action identifier */
+    action: string;
+    /** Scope being requested */
+    scope: string[];
+    /** Why step-up was triggered */
+    triggerReason: StepUpTrigger;
+    /** When the challenge expires (ISO 8601) */
+    expiresAt: string;
+    /** One-time nonce */
+    nonce: string;
+    /** Created timestamp */
+    createdAt: string;
+}
+export interface StepUpApproval {
+    /** The challenge being approved */
+    challengeId: string;
+    /** The principal who approved it */
+    principalDid: string;
+    /** Approval or denial */
+    decision: 'approved' | 'denied';
+    /** When the decision was made */
+    decidedAt: string;
+    /** Ed25519 signature over the approval data (base64url) */
+    signature: string;
+}
+export type StepUpTrigger = 'sensitivity_high' | 'sensitivity_critical' | 'amount_threshold' | 'scope_escalation' | 'first_use' | 'anomaly_detected' | 'policy_rule';
+export interface StepUpPolicy {
+    /** Actions that always require step-up */
+    alwaysRequireActions?: string[];
+    /** Sensitivity levels that trigger step-up (default: ['high', 'critical']) */
+    sensitivityLevels?: SensitivityLevel[];
+    /** Challenge timeout in ms (default: 5 minutes) */
+    challengeTimeoutMs?: number;
+    /** Maximum pending challenges per agent */
+    maxPendingChallenges?: number;
+}
+export interface StepUpResult {
+    approved: boolean;
+    error?: string;
+    challengeId?: string;
+}
+export declare class StepUpManager {
+    private pendingChallenges;
+    private usedNonces;
+    private policy;
+    private auditLog?;
+    constructor(policy?: StepUpPolicy, auditLog?: AuditLog);
+    /**
+     * Check if an action requires step-up authentication.
+     */
+    requiresStepUp(action: string, sensitivityLevel?: SensitivityLevel): {
+        required: boolean;
+        trigger?: StepUpTrigger;
+    };
+    /**
+     * Create a step-up challenge for the human principal to approve.
+     */
+    createChallenge(agentDid: string, principalDid: string, action: string, scope: string[], trigger: StepUpTrigger, actionDescription: string): StepUpChallenge;
+    /**
+     * Principal signs an approval for a challenge.
+     */
+    signApproval(keyProvider: KeyProvider, principalKeyId: string, challenge: StepUpChallenge, decision: 'approved' | 'denied'): Promise<StepUpApproval>;
+    /**
+     * Verify a step-up approval and consume the challenge.
+     *
+     * This is the critical gate: if the approval is invalid, expired,
+     * or replayed, the action MUST NOT proceed.
+     */
+    verifyApproval(approval: StepUpApproval): Promise<StepUpResult>;
+    /**
+     * Get a pending challenge by ID.
+     */
+    getChallenge(challengeId: string): StepUpChallenge | undefined;
+    /**
+     * Get count of pending challenges.
+     */
+    getPendingCount(): number;
+    /**
+     * Cancel a pending challenge.
+     */
+    cancelChallenge(challengeId: string): boolean;
+}
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,EAUL,KAAK,WAAW,EAChB,KAAK,gBAAgB,EACtB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,QAAQ,EAAE,MAAM,qBAAqB,CAAC;AAI/C,MAAM,WAAW,eAAe;IAC9B,0BAA0B;IAC1B,WAAW,EAAE,MAAM,CAAC;IACpB,oCAAoC;IACpC,QAAQ,EAAE,MAAM,CAAC;IACjB,iDAAiD;IACjD,YAAY,EAAE,MAAM,CAAC;IACrB,+CAA+C;IAC/C,iBAAiB,EAAE,MAAM,CAAC;IAC1B,yCAAyC;IACzC,MAAM,EAAE,MAAM,CAAC;IACf,4BAA4B;IAC5B,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,gCAAgC;IAChC,aAAa,EAAE,aAAa,CAAC;IAC7B,4CAA4C;IAC5C,SAAS,EAAE,MAAM,CAAC;IAClB,qBAAqB;IACrB,KAAK,EAAE,MAAM,CAAC;IACd,wBAAwB;IACxB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,cAAc;IAC7B,mCAAmC;IACnC,WAAW,EAAE,MAAM,CAAC;IACpB,oCAAoC;IACpC,YAAY,EAAE,MAAM,CAAC;IACrB,yBAAyB;IACzB,QAAQ,EAAE,UAAU,GAAG,QAAQ,CAAC;IAChC,iCAAiC;IACjC,SAAS,EAAE,MAAM,CAAC;IAClB,2DAA2D;IAC3D,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,MAAM,aAAa,GACrB,kBAAkB,GAClB,sBAAsB,GACtB,kBAAkB,GAClB,kBAAkB,GAClB,WAAW,GACX,kBAAkB,GAClB,aAAa,CAAC;AAElB,MAAM,WAAW,YAAY;IAC3B,0CAA0C;IAC1C,oBAAoB,CAAC,EAAE,MAAM,EAAE,CAAC;IAChC,8EAA8E;IAC9E,iBAAiB,CAAC,EAAE,gBAAgB,EAAE,CAAC;IACvC,mDAAmD;IACnD,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,2CAA2C;IAC3C,oBAAoB,CAAC,EAAE,MAAM,CAAC;CAC/B;AAED,MAAM,WAAW,YAAY;IAC3B,QAAQ,EAAE,OAAO,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAYD,qBAAa,aAAa;IACxB,OAAO,CAAC,iBAAiB,CAAsC;IAC/D,OAAO,CAAC,UAAU,CAAqB;IACvC,OAAO,CAAC,MAAM,CAAyB;IACvC,OAAO,CAAC,QAAQ,CAAC,CAAW;gBAG1B,MAAM,GAAE,YAAiB,EACzB,QAAQ,CAAC,EAAE,QAAQ;IAWrB;;OAEG;IACH,cAAc,CACZ,MAAM,EAAE,MAAM,EACd,gBAAgB,CAAC,EAAE,gBAAgB,GAClC;QAAE,QAAQ,EAAE,OAAO,CAAC;QAAC,OAAO,CAAC,EAAE,aAAa,CAAA;KAAE;IAmBjD;;OAEG;IACH,eAAe,CACb,QAAQ,EAAE,MAAM,EAChB,YAAY,EAAE,MAAM,EACpB,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,MAAM,EAAE,EACf,OAAO,EAAE,aAAa,EACtB,iBAAiB,EAAE,MAAM,GACxB,eAAe;IA6BlB;;OAEG;IACG,YAAY,CAChB,WAAW,EAAE,WAAW,EACxB,cAAc,EAAE,MAAM,EACtB,SAAS,EAAE,eAAe,EAC1B,QAAQ,EAAE,UAAU,GAAG,QAAQ,GAC9B,OAAO,CAAC,cAAc,CAAC;IAe1B;;;;;OAKG;IACG,cAAc,CAAC,QAAQ,EAAE,cAAc,GAAG,OAAO,CAAC,YAAY,CAAC;IA0ErE;;OAEG;IACH,YAAY,CAAC,WAAW,EAAE,MAAM,GAAG,eAAe,GAAG,SAAS;IAI9D;;OAEG;IACH,eAAe,IAAI,MAAM;IAIzB;;OAEG;IACH,eAAe,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO;CAG9C"}

package/dist/index.js

@@ -0,0 +1,186 @@
+/**
+ * @sentinel-atl/stepup — Step-Up Authentication for Sensitive Actions
+ *
+ * When an agent is about to do something high-sensitivity — authorize a
+ * large payment, delete data, modify permissions — the trust pipeline
+ * should PAUSE and ask the human principal to re-confirm.
+ *
+ * This is the "Are you sure?" for AI agents, but cryptographically backed.
+ *
+ * How it works:
+ *
+ * 1. Agent detects a sensitive action (via VC sensitivity level or policy rules)
+ * 2. Agent creates a `StepUpChallenge` describing what it wants to do
+ * 3. Challenge is sent to the human principal
+ * 4. Human signs an `StepUpApproval` (proving they reviewed + approved)
+ * 5. Agent proceeds only if the approval signature is valid and timely
+ *
+ * The challenge is time-bounded and single-use to prevent replay.
+ */
+import { toBase64Url, fromBase64Url, textToBytes, secureRandom, verify, toHex, didToPublicKey, } from '@sentinel-atl/core';
+// ─── Canonicalization ────────────────────────────────────────────────
+function canonicalizeChallenge(challenge) {
+    return textToBytes(`stepup:${challenge.challengeId}:${challenge.agentDid}:${challenge.principalDid}:${challenge.action}:${challenge.nonce}:${challenge.expiresAt}`);
+}
+// ─── Step-Up Manager ─────────────────────────────────────────────────
+export class StepUpManager {
+    pendingChallenges = new Map();
+    usedNonces = new Set();
+    policy;
+    auditLog;
+    constructor(policy = {}, auditLog) {
+        this.policy = {
+            alwaysRequireActions: policy.alwaysRequireActions ?? [],
+            sensitivityLevels: policy.sensitivityLevels ?? ['high', 'critical'],
+            challengeTimeoutMs: policy.challengeTimeoutMs ?? 5 * 60_000,
+            maxPendingChallenges: policy.maxPendingChallenges ?? 10,
+        };
+        this.auditLog = auditLog;
+    }
+    /**
+     * Check if an action requires step-up authentication.
+     */
+    requiresStepUp(action, sensitivityLevel) {
+        // Check explicit action list
+        if (this.policy.alwaysRequireActions.includes(action)) {
+            return { required: true, trigger: 'policy_rule' };
+        }
+        // Check sensitivity level
+        if (sensitivityLevel &&
+            this.policy.sensitivityLevels.includes(sensitivityLevel)) {
+            const trigger = sensitivityLevel === 'critical' ? 'sensitivity_critical' : 'sensitivity_high';
+            return { required: true, trigger };
+        }
+        return { required: false };
+    }
+    /**
+     * Create a step-up challenge for the human principal to approve.
+     */
+    createChallenge(agentDid, principalDid, action, scope, trigger, actionDescription) {
+        // Enforce max pending limit
+        const agentPending = Array.from(this.pendingChallenges.values())
+            .filter(c => c.agentDid === agentDid).length;
+        if (agentPending >= this.policy.maxPendingChallenges) {
+            throw new Error(`Max pending challenges (${this.policy.maxPendingChallenges}) reached for agent`);
+        }
+        const nonce = toHex(secureRandom(16));
+        const challengeId = `stepup-${toHex(secureRandom(8))}`;
+        const now = new Date();
+        const challenge = {
+            challengeId,
+            agentDid,
+            principalDid,
+            actionDescription,
+            action,
+            scope,
+            triggerReason: trigger,
+            expiresAt: new Date(now.getTime() + this.policy.challengeTimeoutMs).toISOString(),
+            nonce,
+            createdAt: now.toISOString(),
+        };
+        this.pendingChallenges.set(challengeId, challenge);
+        return challenge;
+    }
+    /**
+     * Principal signs an approval for a challenge.
+     */
+    async signApproval(keyProvider, principalKeyId, challenge, decision) {
+        const approvalData = textToBytes(`stepup-approval:${challenge.challengeId}:${challenge.principalDid}:${decision}:${challenge.nonce}`);
+        const sig = await keyProvider.sign(principalKeyId, approvalData);
+        return {
+            challengeId: challenge.challengeId,
+            principalDid: challenge.principalDid,
+            decision,
+            decidedAt: new Date().toISOString(),
+            signature: toBase64Url(sig),
+        };
+    }
+    /**
+     * Verify a step-up approval and consume the challenge.
+     *
+     * This is the critical gate: if the approval is invalid, expired,
+     * or replayed, the action MUST NOT proceed.
+     */
+    async verifyApproval(approval) {
+        // Find the pending challenge
+        const challenge = this.pendingChallenges.get(approval.challengeId);
+        if (!challenge) {
+            return { approved: false, error: 'Challenge not found or already consumed' };
+        }
+        // Check nonce replay
+        if (this.usedNonces.has(challenge.nonce)) {
+            return { approved: false, error: 'Challenge nonce already used (replay)' };
+        }
+        // Check expiry
+        if (new Date(challenge.expiresAt) < new Date()) {
+            this.pendingChallenges.delete(approval.challengeId);
+            return { approved: false, error: 'Challenge expired' };
+        }
+        // Check principal matches
+        if (approval.principalDid !== challenge.principalDid) {
+            return { approved: false, error: 'Principal DID mismatch' };
+        }
+        // Verify signature
+        try {
+            const publicKey = didToPublicKey(approval.principalDid);
+            const approvalData = textToBytes(`stepup-approval:${challenge.challengeId}:${challenge.principalDid}:${approval.decision}:${challenge.nonce}`);
+            const sig = fromBase64Url(approval.signature);
+            const valid = await verify(sig, approvalData, publicKey);
+            if (!valid) {
+                return { approved: false, error: 'Invalid approval signature' };
+            }
+        }
+        catch (e) {
+            return { approved: false, error: `Signature verification failed: ${e.message}` };
+        }
+        // Consume the challenge (single-use)
+        this.pendingChallenges.delete(approval.challengeId);
+        this.usedNonces.add(challenge.nonce);
+        // Check the decision
+        if (approval.decision === 'denied') {
+            await this.auditLog?.log({
+                eventType: 'intent_rejected',
+                actorDid: approval.principalDid,
+                targetDid: challenge.agentDid,
+                result: 'failure',
+                reason: 'Step-up denied by principal',
+                metadata: {
+                    challengeId: approval.challengeId,
+                    action: challenge.action,
+                },
+            });
+            return { approved: false, error: 'Denied by principal', challengeId: approval.challengeId };
+        }
+        await this.auditLog?.log({
+            eventType: 'intent_validated',
+            actorDid: approval.principalDid,
+            targetDid: challenge.agentDid,
+            result: 'success',
+            metadata: {
+                type: 'step_up_approval',
+                challengeId: approval.challengeId,
+                action: challenge.action,
+            },
+        });
+        return { approved: true, challengeId: approval.challengeId };
+    }
+    /**
+     * Get a pending challenge by ID.
+     */
+    getChallenge(challengeId) {
+        return this.pendingChallenges.get(challengeId);
+    }
+    /**
+     * Get count of pending challenges.
+     */
+    getPendingCount() {
+        return this.pendingChallenges.size;
+    }
+    /**
+     * Cancel a pending challenge.
+     */
+    cancelChallenge(challengeId) {
+        return this.pendingChallenges.delete(challengeId);
+    }
+}
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,EACL,WAAW,EACX,aAAa,EACb,WAAW,EACX,YAAY,EAEZ,MAAM,EACN,KAAK,EAEL,cAAc,GAGf,MAAM,oBAAoB,CAAC;AAmE5B,wEAAwE;AAExE,SAAS,qBAAqB,CAAC,SAA0B;IACvD,OAAO,WAAW,CAChB,UAAU,SAAS,CAAC,WAAW,IAAI,SAAS,CAAC,QAAQ,IAAI,SAAS,CAAC,YAAY,IAAI,SAAS,CAAC,MAAM,IAAI,SAAS,CAAC,KAAK,IAAI,SAAS,CAAC,SAAS,EAAE,CAChJ,CAAC;AACJ,CAAC;AAED,wEAAwE;AAExE,MAAM,OAAO,aAAa;IAChB,iBAAiB,GAAG,IAAI,GAAG,EAA2B,CAAC;IACvD,UAAU,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/B,MAAM,CAAyB;IAC/B,QAAQ,CAAY;IAE5B,YACE,SAAuB,EAAE,EACzB,QAAmB;QAEnB,IAAI,CAAC,MAAM,GAAG;YACZ,oBAAoB,EAAE,MAAM,CAAC,oBAAoB,IAAI,EAAE;YACvD,iBAAiB,EAAE,MAAM,CAAC,iBAAiB,IAAI,CAAC,MAAM,EAAE,UAAU,CAAC;YACnE,kBAAkB,EAAE,MAAM,CAAC,kBAAkB,IAAI,CAAC,GAAG,MAAM;YAC3D,oBAAoB,EAAE,MAAM,CAAC,oBAAoB,IAAI,EAAE;SACxD,CAAC;QACF,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;IAC3B,CAAC;IAED;;OAEG;IACH,cAAc,CACZ,MAAc,EACd,gBAAmC;QAEnC,6BAA6B;QAC7B,IAAI,IAAI,CAAC,MAAM,CAAC,oBAAoB,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;YACtD,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,EAAE,aAAa,EAAE,CAAC;QACpD,CAAC;QAED,0BAA0B;QAC1B,IACE,gBAAgB;YAChB,IAAI,CAAC,MAAM,CAAC,iBAAiB,CAAC,QAAQ,CAAC,gBAAgB,CAAC,EACxD,CAAC;YACD,MAAM,OAAO,GACX,gBAAgB,KAAK,UAAU,CAAC,CAAC,CAAC,sBAAsB,CAAC,CAAC,CAAC,kBAAkB,CAAC;YAChF,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;QACrC,CAAC;QAED,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC;IAC7B,CAAC;IAED;;OAEG;IACH,eAAe,CACb,QAAgB,EAChB,YAAoB,EACpB,MAAc,EACd,KAAe,EACf,OAAsB,EACtB,iBAAyB;QAEzB,4BAA4B;QAC5B,MAAM,YAAY,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,iBAAiB,CAAC,MAAM,EAAE,CAAC;aAC7D,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,MAAM,CAAC;QAC/C,IAAI,YAAY,IAAI,IAAI,CAAC,MAAM,CAAC,oBAAoB,EAAE,CAAC;YACrD,MAAM,IAAI,KAAK,CAAC,2BAA2B,IAAI,CAAC,MAAM,CAAC,oBAAoB,qBAAqB,CAAC,CAAC;QACpG,CAAC;QAED,MAAM,KAAK,GAAG,KAAK,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC,CAAC;QACtC,MAAM,WAAW,GAAG,UAAU,KAAK,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QACvD,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;QAEvB,MAAM,SAAS,GAAoB;YACjC,WAAW;YACX,QAAQ;YACR,YAAY;YACZ,iBAAiB;YACjB,MAAM;YACN,KAAK;YACL,aAAa,EAAE,OAAO;YACtB,SAAS,EAAE,IAAI,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,MAAM,CAAC,kBAAkB,CAAC,CAAC,WAAW,EAAE;YACjF,KAAK;YACL,SAAS,EAAE,GAAG,CAAC,WAAW,EAAE;SAC7B,CAAC;QAEF,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,WAAW,EAAE,SAAS,CAAC,CAAC;QACnD,OAAO,SAAS,CAAC;IACnB,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,YAAY,CAChB,WAAwB,EACxB,cAAsB,EACtB,SAA0B,EAC1B,QAA+B;QAE/B,MAAM,YAAY,GAAG,WAAW,CAC9B,mBAAmB,SAAS,CAAC,WAAW,IAAI,SAAS,CAAC,YAAY,IAAI,QAAQ,IAAI,SAAS,CAAC,KAAK,EAAE,CACpG,CAAC;QACF,MAAM,GAAG,GAAG,MAAM,WAAW,CAAC,IAAI,CAAC,cAAc,EAAE,YAAY,CAAC,CAAC;QAEjE,OAAO;YACL,WAAW,EAAE,SAAS,CAAC,WAAW;YAClC,YAAY,EAAE,SAAS,CAAC,YAAY;YACpC,QAAQ;YACR,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,SAAS,EAAE,WAAW,CAAC,GAAG,CAAC;SAC5B,CAAC;IACJ,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,cAAc,CAAC,QAAwB;QAC3C,6BAA6B;QAC7B,MAAM,SAAS,GAAG,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QACnE,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,KAAK,EAAE,yCAAyC,EAAE,CAAC;QAC/E,CAAC;QAED,qBAAqB;QACrB,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,SAAS,CAAC,KAAK,CAAC,EAAE,CAAC;YACzC,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,KAAK,EAAE,uCAAuC,EAAE,CAAC;QAC7E,CAAC;QAED,eAAe;QACf,IAAI,IAAI,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,GAAG,IAAI,IAAI,EAAE,EAAE,CAAC;YAC/C,IAAI,CAAC,iBAAiB,CAAC,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;YACpD,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC;QACzD,CAAC;QAED,0BAA0B;QAC1B,IAAI,QAAQ,CAAC,YAAY,KAAK,SAAS,CAAC,YAAY,EAAE,CAAC;YACrD,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,KAAK,EAAE,wBAAwB,EAAE,CAAC;QAC9D,CAAC;QAED,mBAAmB;QACnB,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,cAAc,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC;YACxD,MAAM,YAAY,GAAG,WAAW,CAC9B,mBAAmB,SAAS,CAAC,WAAW,IAAI,SAAS,CAAC,YAAY,IAAI,QAAQ,CAAC,QAAQ,IAAI,SAAS,CAAC,KAAK,EAAE,CAC7G,CAAC;YACF,MAAM,GAAG,GAAG,aAAa,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;YAC9C,MAAM,KAAK,GAAG,MAAM,MAAM,CAAC,GAAG,EAAE,YAAY,EAAE,SAAS,CAAC,CAAC;YAEzD,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,KAAK,EAAE,4BAA4B,EAAE,CAAC;YAClE,CAAC;QACH,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,KAAK,EAAE,kCAAmC,CAAW,CAAC,OAAO,EAAE,EAAE,CAAC;QAC9F,CAAC;QAED,qCAAqC;QACrC,IAAI,CAAC,iBAAiB,CAAC,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QACpD,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QAErC,qBAAqB;QACrB,IAAI,QAAQ,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;YACnC,MAAM,IAAI,CAAC,QAAQ,EAAE,GAAG,CAAC;gBACvB,SAAS,EAAE,iBAAiB;gBAC5B,QAAQ,EAAE,QAAQ,CAAC,YAAY;gBAC/B,SAAS,EAAE,SAAS,CAAC,QAAQ;gBAC7B,MAAM,EAAE,SAAS;gBACjB,MAAM,EAAE,6BAA6B;gBACrC,QAAQ,EAAE;oBACR,WAAW,EAAE,QAAQ,CAAC,WAAW;oBACjC,MAAM,EAAE,SAAS,CAAC,MAAM;iBACzB;aACF,CAAC,CAAC;YACH,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,KAAK,EAAE,qBAAqB,EAAE,WAAW,EAAE,QAAQ,CAAC,WAAW,EAAE,CAAC;QAC9F,CAAC;QAED,MAAM,IAAI,CAAC,QAAQ,EAAE,GAAG,CAAC;YACvB,SAAS,EAAE,kBAAkB;YAC7B,QAAQ,EAAE,QAAQ,CAAC,YAAY;YAC/B,SAAS,EAAE,SAAS,CAAC,QAAQ;YAC7B,MAAM,EAAE,SAAS;YACjB,QAAQ,EAAE;gBACR,IAAI,EAAE,kBAAkB;gBACxB,WAAW,EAAE,QAAQ,CAAC,WAAW;gBACjC,MAAM,EAAE,SAAS,CAAC,MAAM;aACzB;SACF,CAAC,CAAC;QAEH,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,WAAW,EAAE,QAAQ,CAAC,WAAW,EAAE,CAAC;IAC/D,CAAC;IAED;;OAEG;IACH,YAAY,CAAC,WAAmB;QAC9B,OAAO,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IACjD,CAAC;IAED;;OAEG;IACH,eAAe;QACb,OAAO,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC;IACrC,CAAC;IAED;;OAEG;IACH,eAAe,CAAC,WAAmB;QACjC,OAAO,IAAI,CAAC,iBAAiB,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IACpD,CAAC;CACF"}

package/package.json

@@ -0,0 +1,51 @@
+{
+  "name": "@sentinel-atl/stepup",
+  "version": "0.1.1",
+  "description": "Step-up authentication — re-prompt humans for sensitive agent actions",
+  "type": "module",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    }
+  },
+  "scripts": {
+    "build": "tsc",
+    "test": "vitest run",
+    "lint": "tsc --noEmit",
+    "clean": "rm -rf dist"
+  },
+  "dependencies": {
+    "@sentinel-atl/core": "*",
+    "@sentinel-atl/audit": "*"
+  },
+  "devDependencies": {
+    "vitest": "^3.2.4",
+    "typescript": "^5.7.0"
+  },
+  "license": "Apache-2.0",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/sentinel-atl/project-sentinel.git",
+    "directory": "packages/stepup"
+  },
+  "keywords": [
+    "ai-agent",
+    "trust",
+    "identity",
+    "did",
+    "verifiable-credentials",
+    "mcp",
+    "security"
+  ],
+  "homepage": "https://github.com/sentinel-atl/project-sentinel#readme",
+  "bugs": {
+    "url": "https://github.com/sentinel-atl/project-sentinel/issues"
+  },
+  "files": [
+    "dist",
+    "README.md"
+  ]
+}