@synoi/gap 0.1.0
- package/LICENSE +195 -0
- package/README.md +223 -0
- package/dist/canonicalize.d.ts +19 -0
- package/dist/canonicalize.d.ts.map +1 -0
- package/dist/canonicalize.js +36 -0
- package/dist/canonicalize.js.map +1 -0
- package/dist/capabilities.d.ts +605 -0
- package/dist/capabilities.d.ts.map +1 -0
- package/dist/capabilities.js +53 -0
- package/dist/capabilities.js.map +1 -0
- package/dist/cdro.d.ts +63 -0
- package/dist/cdro.d.ts.map +1 -0
- package/dist/cdro.js +16 -0
- package/dist/cdro.js.map +1 -0
- package/dist/channels.d.ts +107 -0
- package/dist/channels.d.ts.map +1 -0
- package/dist/channels.js +29 -0
- package/dist/channels.js.map +1 -0
- package/dist/constants.d.ts +32 -0
- package/dist/constants.d.ts.map +1 -0
- package/dist/constants.js +36 -0
- package/dist/constants.js.map +1 -0
- package/dist/index.d.ts +28 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +35 -0
- package/dist/index.js.map +1 -0
- package/dist/oid.d.ts +28 -0
- package/dist/oid.d.ts.map +1 -0
- package/dist/oid.js +68 -0
- package/dist/oid.js.map +1 -0
- package/dist/receipts.d.ts +128 -0
- package/dist/receipts.d.ts.map +1 -0
- package/dist/receipts.js +14 -0
- package/dist/receipts.js.map +1 -0
- package/dist/revocations.d.ts +65 -0
- package/dist/revocations.d.ts.map +1 -0
- package/dist/revocations.js +22 -0
- package/dist/revocations.js.map +1 -0
- package/dist/validate.d.ts +59 -0
- package/dist/validate.d.ts.map +1 -0
- package/dist/validate.js +835 -0
- package/dist/validate.js.map +1 -0
- package/dist/workflows.d.ts +186 -0
- package/dist/workflows.d.ts.map +1 -0
- package/dist/workflows.js +14 -0
- package/dist/workflows.js.map +1 -0
- package/package.json +55 -0
- package/src/canonicalize.ts +38 -0
- package/src/capabilities.ts +711 -0
- package/src/cdro.ts +92 -0
- package/src/channels.ts +183 -0
- package/src/constants.ts +46 -0
- package/src/index.ts +180 -0
- package/src/oid.ts +71 -0
- package/src/receipts.ts +169 -0
- package/src/revocations.ts +90 -0
- package/src/validate.ts +1008 -0
- package/src/workflows.ts +241 -0
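--- a/package/dist/receipts.js
+++ b/package/dist/receipts.js
@@ -0,0 +1,14 @@
+/**
+* receipts.ts -- GAP Decision Receipts.
+*
+* Every gate decision (capability invocation, workflow transition, grant
+* issuance/revocation, federation handshake (reserved for GAP 1.1), provisional block) produces
+* an immutable Decision Receipt. These are the audit trail of the agent
+* platform -- what was allowed, what was denied, when, and by whom.
+*
+* Mirrors GAP_SPEC §8.
+*/
+export function isGapFailure(r) {
+return typeof r === 'object' && r !== null && 'reason' in r;
+}
+//# sourceMappingURL=receipts.js.map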
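Review bot: `isGapFailure` decides "failure" purely from the presence of a `reason` key, so every non-object (`undefined`, `null`, a string) and every object without that key returns `false`. A caller that reads `!isGapFailure(r)` as "the gate allowed this" would fail open on a missing or malformed result; whether any caller does so is not visible in this file. I would tighten the guard to the field's type, `return typeof r === 'object' && r !== null && typeof r.reason === 'string';` (assuming `reason` is a string on failures, to be confirmed against receipts.d.ts), which also stops an inherited `reason` of another type from matching. The function has no doc comment; it should get one saying that `false` means "not a failure shape", not "allowed".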
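--- a/package/dist/receipts.js.map
+++ b/package/dist/receipts.js.map
@@ -0,0 +1 @@
+{"version":3,"file":"receipts.js","sourceRoot":"","sources":["../src/receipts.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AA6JH,MAAM,UAAU,YAAY,CAAI,CAAiB;IAC/C,OAAO,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,KAAK,IAAI,IAAI,QAAQ,IAAK,CAA6B,CAAA;AAC1F,CAAC"}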
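--- a/package/dist/revocations.d.ts
+++ b/package/dist/revocations.d.ts
@@ -0,0 +1,65 @@
+/**
+* revocations.ts -- RevocationEvent CDRO.
+*
+* Revocation in GAP is leveled (L1 / L2 / L3) per GAP_SPEC §7. V1 gateway
+* scope is L1 only; L2/L3 fields are tracked here for forward compatibility.
+*
+* Targets include declarations, grants, workflow definitions, workflow
+* instances, and whole skills. A revocation can be provisional (immediately
+* blocks but pending finalization) or final.
+*/
+import type { GapCdroEnvelope } from './cdro.js';
+export type RevocationTargetKind = 'capability_declaration' | 'capability_grant' | 'workflow_definition' | 'workflow_instance' | 'skill';
+export interface RevocationEventBody {
+target_kind: RevocationTargetKind;
+target_oid: string;
+reason: string;
+evidence_oids?: string[];
+required_level: 1 | 2 | 3;
+provisional: boolean;
+approvers: Array<{
+actor_oid: string;
+approved_at_ms: number;
+cooling_off_satisfied: boolean;
+attestation_oid?: string;
+}>;
+public_notice_started_at_ms?: number;
+public_notice_window_ms?: number;
+effective_at_ms: number | null;
+lifted_at_ms?: number | null;
+/**
+* Controls what happens when a provisional block's TTL expires without the
+* required L3 quorum completing:
+* 'renew' -- the block auto-renews (fail-closed). Default, and MUST be
+* the behavior when any targeted grant covers a capability
+* with physical_safety=true or safety_class='C'.
+* 'revert' -- the block expires and the target is re-enabled. Only
+* permissible for safety_class A/B capabilities with explicit
+* operator override.
+*
+* Absent defaults to 'renew' for physical safety targets, 'revert' for
+* others (legacy behavior). Gateways MUST treat absent-for-physical-safety
+* as 'renew'.
+*/
+provisional_block_policy?: {
+on_expiry_without_quorum: 'renew' | 'revert';
+/**
+* M-5: Operator override for the provisional block TTL. Defaults to 72
+* hours (259_200_000 ms). Minimum: 1 hour (3_600_000 ms). For
+* safety_class C capabilities with on_expiry_without_quorum='renew', the
+* renewal cycle period equals this value.
+*/
+provisional_block_ttl_ms?: number;
+};
+/**
+* Minimum number of distinct approvers required to make `effective_at_ms`
+* non-null. Default: 1 for L2, gateway-configured for L3 (recommended >= 2).
+* The gateway MUST reject a duplicate approval from the same actor_oid.
+* Self-approval (approver actor_oid === revocation event created_by) MUST
+* be rejected.
+*/
+min_approvers?: number;
+}
+export type RevocationEvent = GapCdroEnvelope<RevocationEventBody>;
+export declare function revokeGapObject(target_kind: RevocationTargetKind, target_oid: string, reason: string, required_level: 1 | 2 | 3, provisional: boolean): RevocationEventBody;
+//# sourceMappingURL=revocations.d.ts.map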
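Review bot: The safety rules written in the `provisional_block_policy` and `min_approvers` comments (forced 'renew' for physical_safety or safety_class 'C', the 1-hour TTL floor, rejection of duplicate and self-approvals) cannot be expressed by these types, and 'revert' together with the absent-means-'revert' legacy default is the fail-open direction. Nothing in this file says where those rules are enforced, and the validators shipped in this package describe themselves as shape-only, so I would state it beside the field, e.g. `* Not enforced by this type or by shape validation; the gateway MUST check it against the target's safety class.` `approvers[].cooling_off_satisfied` is likewise a flag carried in the body itself; its comment should say whether the gateway recomputes it from `approved_at_ms` or trusts the stored value. The 'revert' branch also requires an "explicit operator override" that no field in this body records, which makes the override hard to audit from the event alone.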
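--- a/package/dist/revocations.d.ts.map
+++ b/package/dist/revocations.d.ts.map
@@ -0,0 +1 @@
+{"version":3,"file":"revocations.d.ts","sourceRoot":"","sources":["../src/revocations.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,WAAW,CAAA;AAEhD,MAAM,MAAM,oBAAoB,GAC5B,wBAAwB,GACxB,kBAAkB,GAClB,qBAAqB,GACrB,mBAAmB,GACnB,OAAO,CAAA;AAEX,MAAM,WAAW,mBAAmB;IAClC,WAAW,EAAE,oBAAoB,CAAA;IACjC,UAAU,EAAE,MAAM,CAAA;IAClB,MAAM,EAAE,MAAM,CAAA;IACd,aAAa,CAAC,EAAE,MAAM,EAAE,CAAA;IACxB,cAAc,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;IACzB,WAAW,EAAE,OAAO,CAAA;IACpB,SAAS,EAAE,KAAK,CAAC;QACf,SAAS,EAAE,MAAM,CAAA;QACjB,cAAc,EAAE,MAAM,CAAA;QACtB,qBAAqB,EAAE,OAAO,CAAA;QAC9B,eAAe,CAAC,EAAE,MAAM,CAAA;KACzB,CAAC,CAAA;IACF,2BAA2B,CAAC,EAAE,MAAM,CAAA;IACpC,uBAAuB,CAAC,EAAE,MAAM,CAAA;IAChC,eAAe,EAAE,MAAM,GAAG,IAAI,CAAA;IAC9B,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;IAC5B;;;;;;;;;;;;;OAaG;IACH,wBAAwB,CAAC,EAAE;QACzB,wBAAwB,EAAE,OAAO,GAAG,QAAQ,CAAA;QAC5C;;;;;WAKG;QACH,wBAAwB,CAAC,EAAE,MAAM,CAAA;KAClC,CAAA;IACD;;;;;;OAMG;IACH,aAAa,CAAC,EAAE,MAAM,CAAA;CACvB;AAED,MAAM,MAAM,eAAe,GAAG,eAAe,CAAC,mBAAmB,CAAC,CAAA;AAElE,wBAAgB,eAAe,CAC7B,WAAW,EAAE,oBAAoB,EACjC,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE,MAAM,EACd,cAAc,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,EACzB,WAAW,EAAE,OAAO,GACnB,mBAAmB,CAUrB"}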
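--- a/package/dist/revocations.js
+++ b/package/dist/revocations.js
@@ -0,0 +1,22 @@
+/**
+* revocations.ts -- RevocationEvent CDRO.
+*
+* Revocation in GAP is leveled (L1 / L2 / L3) per GAP_SPEC §7. V1 gateway
+* scope is L1 only; L2/L3 fields are tracked here for forward compatibility.
+*
+* Targets include declarations, grants, workflow definitions, workflow
+* instances, and whole skills. A revocation can be provisional (immediately
+* blocks but pending finalization) or final.
+*/
+export function revokeGapObject(target_kind, target_oid, reason, required_level, provisional) {
+return {
+target_kind,
+target_oid,
+reason,
+required_level,
+provisional,
+approvers: [],
+effective_at_ms: null,
+};
+}
+//# sourceMappingURL=revocations.js.map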
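Review bot: `revokeGapObject` has no doc comment and never sets `provisional_block_policy`, so every body it builds falls under the "absent" default described in revocations.d.ts, which is 'revert' for targets that are not physical-safety: a provisional block that lapses without quorum re-enables the target. It also copies `target_kind`, `required_level` and `reason` through unchecked, which a plain-JS caller can get wrong without any type error, and it accepts levels 2 and 3 although the file header says the V1 gateway handles L1 only. I would document this on the function: `/** Builds an unapproved RevocationEventBody (approvers: [], effective_at_ms: null); does not validate its arguments and does not set provisional_block_policy. */`. Callers that need fail-closed expiry should be told in the same comment to add `on_expiry_without_quorum: 'renew'` themselves.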
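--- a/package/dist/revocations.js.map
+++ b/package/dist/revocations.js.map
@@ -0,0 +1 @@
+{"version":3,"file":"revocations.js","sourceRoot":"","sources":["../src/revocations.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAgEH,MAAM,UAAU,eAAe,CAC7B,WAAiC,EACjC,UAAkB,EAClB,MAAc,EACd,cAAyB,EACzB,WAAoB;IAEpB,OAAO;QACL,WAAW;QACX,UAAU;QACV,MAAM;QACN,cAAc;QACd,WAAW;QACX,SAAS,EAAE,EAAE;QACb,eAAe,EAAE,IAAI;KACtB,CAAA;AACH,CAAC"}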
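--- a/package/dist/validate.d.ts
+++ b/package/dist/validate.d.ts
@@ -0,0 +1,59 @@
+/**
+* validate.ts -- hand-rolled runtime validators for GAP CDROs.
+*
+* Design: every validator returns `{ ok, errors }`. `ok` is true iff `errors`
+* is empty. Validators are non-throwing. They check shape (type + required
+* fields) without semantic validation (a grant with `expires_at_ms` in the
+* past is "shape-valid" -- separate runtime check rejects it).
+*
+* No zod / no io-ts. The style mirrors synoi-mcp-server/src/tools.ts:
+* minimal, predictable, and easy to debug.
+*
+* Round-trip property: any envelope produced by these types, run through
+* JSON.stringify -> JSON.parse -> validate*, produces ok=true with the same
+* top-level keys + values.
+*/
+export interface ValidationResult {
+ok: boolean;
+errors: string[];
+}
+/**
+* [DESIGN] Validates a gap:orchestration_chain body. Returns error
+* 'delegation_depth_exceeded' when steps.length > 10.
+*/
+export declare function validateOrchestrationChainBody(x: unknown): ValidationResult;
+/**
+* [DESIGN] Validates a TokenConsumption object from a receipt body.
+*/
+export declare function validateTokenConsumption(x: unknown): ValidationResult;
+/**
+* [DESIGN] Validates a gap:consent_record body. consented MUST be boolean;
+* actor_oid and context are required.
+*/
+export declare function validateConsentRecordBody(x: unknown): ValidationResult;
+/**
+* [DESIGN] Validates a gap:pip_response body.
+*/
+export declare function validatePipResponseBody(x: unknown): ValidationResult;
+export declare function validateCapabilityDeclarationBody(x: unknown): ValidationResult;
+export declare function validateCapabilityGrantBody(x: unknown): ValidationResult;
+export declare function validateCapabilityInvocationBody(x: unknown): ValidationResult;
+export declare function validateWorkflowDefinitionBody(x: unknown): ValidationResult;
+export declare function validateWorkflowInstanceBody(x: unknown): ValidationResult;
+export declare function validateStageTransitionBody(x: unknown): ValidationResult;
+export declare function validateChannelEventBody(x: unknown): ValidationResult;
+export declare function validateGapDecisionReceiptBody(x: unknown): ValidationResult;
+export declare function validateRevocationEventBody(x: unknown): ValidationResult;
+export declare function validateCapabilityDeclaration(x: unknown): ValidationResult;
+export declare function validateCapabilityGrant(x: unknown): ValidationResult;
+export declare function validateCapabilityInvocation(x: unknown): ValidationResult;
+export declare function validateWorkflowDefinition(x: unknown): ValidationResult;
+export declare function validateWorkflowInstance(x: unknown): ValidationResult;
+export declare function validateStageTransition(x: unknown): ValidationResult;
+export declare function validateChannelEvent(x: unknown): ValidationResult;
+export declare function validateGapDecisionReceipt(x: unknown): ValidationResult;
+export declare function validateRevocationEvent(x: unknown): ValidationResult;
+export declare function validateOrchestrationChain(x: unknown): ValidationResult;
+export declare function validateConsentRecord(x: unknown): ValidationResult;
+export declare function validatePipResponse(x: unknown): ValidationResult;
+//# sourceMappingURL=validate.d.ts.map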
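Review bot: Only four of the exported validators carry a doc comment, and for the paired names (`validateCapabilityGrantBody` / `validateCapabilityGrant` and the rest) nothing states that the unsuffixed one checks the full envelope, which is presumably the intent. The file header says these are shape checks only, yet `ok: true` from `validateCapabilityGrant` or `validateRevocationEvent` is easy to read as "this object may be acted on". I would put the limit on each envelope validator, e.g. `/** Shape check of the full envelope; ok=true does not mean the grant is unexpired -- that is a separate runtime check. */`. As a style point, `ValidationResult` could be declared as `{ ok: true; errors: [] } | { ok: false; errors: string[] }` so the "ok iff errors is empty" rule from the header is carried by the type.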
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"validate.d.ts","sourceRoot":"","sources":["../src/validate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAiDH,MAAM,WAAW,gBAAgB;IAC/B,EAAE,EAAE,OAAO,CAAA;IACX,MAAM,EAAE,MAAM,EAAE,CAAA;CACjB;AAqLD;;;GAGG;AACH,wBAAgB,8BAA8B,CAAC,CAAC,EAAE,OAAO,GAAG,gBAAgB,CAkB3E;AAqBD;;GAEG;AACH,wBAAgB,wBAAwB,CAAC,CAAC,EAAE,OAAO,GAAG,gBAAgB,CAWrE;AAID;;;GAGG;AACH,wBAAgB,yBAAyB,CAAC,CAAC,EAAE,OAAO,GAAG,gBAAgB,CAYtE;AAyCD;;GAEG;AACH,wBAAgB,uBAAuB,CAAC,CAAC,EAAE,OAAO,GAAG,gBAAgB,CAYpE;AAID,wBAAgB,iCAAiC,CAAC,CAAC,EAAE,OAAO,GAAG,gBAAgB,CA+C9E;AAED,wBAAgB,2BAA2B,CAAC,CAAC,EAAE,OAAO,GAAG,gBAAgB,CAyHxE;AAED,wBAAgB,gCAAgC,CAAC,CAAC,EAAE,OAAO,GAAG,gBAAgB,CAmE7E;AAED,wBAAgB,8BAA8B,CAAC,CAAC,EAAE,OAAO,GAAG,gBAAgB,CA2C3E;AAED,wBAAgB,4BAA4B,CAAC,CAAC,EAAE,OAAO,GAAG,gBAAgB,CAwCzE;AAED,wBAAgB,2BAA2B,CAAC,CAAC,EAAE,OAAO,GAAG,gBAAgB,CA6BxE;AAED,wBAAgB,wBAAwB,CAAC,CAAC,EAAE,OAAO,GAAG,gBAAgB,CAerE;AAED,wBAAgB,8BAA8B,CAAC,CAAC,EAAE,OAAO,GAAG,gBAAgB,CAiE3E;AAED,wBAAgB,2BAA2B,CAAC,CAAC,EAAE,OAAO,GAAG,gBAAgB,CAkExE;AAID,wBAAgB,6BAA6B,CAAC,CAAC,EAAE,OAAO,GAAG,gBAAgB,CAI1E;AAED,wBAAgB,uBAAuB,CAAC,CAAC,EAAE,OAAO,GAAG,gBAAgB,CAIpE;AAED,wBAAgB,4BAA4B,CAAC,CAAC,EAAE,OAAO,GAAG,gBAAgB,CAIzE;AAED,wBAAgB,0BAA0B,CAAC,CAAC,EAAE,OAAO,GAAG,gBAAgB,CAIvE;AAED,wBAAgB,wBAAwB,CAAC,CAAC,EAAE,OAAO,GAAG,gBAAgB,CAIrE;AAED,wBAAgB,uBAAuB,CAAC,CAAC,EAAE,OAAO,GAAG,gBAAgB,CAIpE;AAED,wBAAgB,oBAAoB,CAAC,CAAC,EAAE,OAAO,GAAG,gBAAgB,CAIjE;AAED,wBAAgB,0BAA0B,CAAC,CAAC,EAAE,OAAO,GAAG,gBAAgB,CAIvE;AAED,wBAAgB,uBAAuB,CAAC,CAAC,EAAE,OAAO,GAAG,gBAAgB,CAIpE;AAID,wBAAgB,0BAA0B,CAAC,CAAC,EAAE,OAAO,GAAG,gBAAgB,CAIvE;AAED,wBAAgB,qBAAqB,CAAC,CAAC,EAAE,OAAO,GAAG,gBAAgB,CAIlE;AAED,wBAAgB,mBAAmB,CAAC,CAAC,EAAE,OAAO,GAAG,gBAAgB,CAIhE"}
|