@tenova/swt3-ai 0.5.1 → 0.5.3

package/LICENSE

@@ -0,0 +1,191 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to the Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by the Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding any notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   Copyright 2025-2026 Tenable Nova LLC
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

package/README.md

@@ -3,6 +3,7 @@ Witness your AI. Prove it followed the rules. Cryptographic accountability for e
 [![npm](https://img.shields.io/npm/v/@tenova/swt3-ai)](https://www.npmjs.com/package/@tenova/swt3-ai)
 [![Downloads](https://img.shields.io/npm/dm/@tenova/swt3-ai)](https://www.npmjs.com/package/@tenova/swt3-ai)
 [![License](https://img.shields.io/badge/license-Apache%202.0-blue.svg)](https://github.com/tenova-labs/swt3-ai/blob/main/LICENSE)
+[![MCP Registry](https://img.shields.io/badge/MCP_Registry-io.tenova%2Fswt3--witness-blue)](https://www.npmjs.com/package/@tenova/swt3-mcp)
 
 # @tenova/swt3-ai
 
@@ -12,6 +13,72 @@ Works with OpenAI, Anthropic, AWS Bedrock, Vercel AI SDK, and any OpenAI-compati
 
 GPAI transparency obligations are enforceable now. EU AI Act high-risk enforcement begins **December 2, 2027**. This SDK gives you the evidence chain.
 
+## MCP Server -- Official Registry
+
+`@tenova/swt3-mcp` is listed on the official Model Context Protocol Registry as `io.tenova/swt3-witness`. Zero-config compliance governance for Claude Code, Cursor, Windsurf, and any MCP-compatible host.
+
+```json
+{
+  "mcpServers": {
+    "swt3-witness": {
+      "command": "npx",
+      "args": ["@tenova/swt3-mcp"]
+    }
+  }
+}
+```
+
+Every tool call your agent makes is witnessed, Merkle-accumulated, and trust-evaluated. No code changes required. [Quick Start](https://www.npmjs.com/package/@tenova/swt3-mcp)
+
+## Secure Agent-to-Agent Communication
+
+The SWT3 Trust Mesh enables mutual cryptographic verification between AI agents before they exchange data, invoke tools, or share context. When you adopt SWT3, every partner, vendor, and downstream agent that wants to interact with yours must adopt it too. Compliance becomes the connection protocol. Every agent in the mesh strengthens the network.
+
+**You run Agent A. Your partner runs Agent B. Both install @tenova/swt3-ai:**
+
+```typescript
+// === Your side (Agent A) ===
+const witnessA = new Witness({
+  endpoint: "...", apiKey: "axm_...", tenantId: "YOUR_TENANT",
+  agentId: "agent-alpha", signingKey: "swt3_sk_your_key",
+});
+witnessA.trustRegistry.trustTenant("PARTNER_B_TENANT");
+witnessA.trustRegistry.registerSigningKey("agent-beta", process.env.PARTNER_B_KEY!);
+
+// === Partner's side (Agent B) ===
+const witnessB = new Witness({
+  endpoint: "...", apiKey: "axm_...", tenantId: "PARTNER_B_TENANT",
+  agentId: "agent-beta", signingKey: "swt3_sk_partner_key",
+});
+witnessB.trustRegistry.trustTenant("YOUR_TENANT");
+witnessB.trustRegistry.registerSigningKey("agent-alpha", process.env.YOUR_KEY!);
+
+// === Handshake (both directions) ===
+const credA = witnessA.presentCredential();
+const resultB = witnessB.verifyTrust(credA);       // B verifies A
+if (resultB.granted) {
+  const credB = witnessB.presentCredential();
+  const resultA = witnessA.verifyTrust(credB);      // A verifies B
+  if (resultA.granted) {
+    // Bidirectional trust established. Exchange data.
+  }
+}
+```
+
+Configure trust boundaries declaratively in `.swt3.yaml`:
+
+```yaml
+trust_mesh:
+  mode: strict
+  min_trust_level: 2
+  require_signature: true
+  freshness_window: 3600
+  trusted_tenants: ["PARTNER_B_TENANT"]
+  deny_agents: ["revoked-agent-id"]
+```
+
+All verification is local. Zero cloud overhead. No data exchanged until both agents clear the trust gate. Unsigned agents are capped at TRUST_BASIC (level 1). Add signing keys for verified trust. Add hardware attestation for sovereign trust.
+
 ## See It Work (No Account Needed)
 
 ```bash
@@ -216,6 +283,26 @@ witness.witnessQuantization("gptq", { bits: 4, groupSize: 128 });
 
 Maps to: EU AI Act Art. 15(4) (resilience against modification), Art. 12(2)(b) (version logging).
 
+## TPM Platform Attestation (AI-HW.3)
+
+Prove host firmware integrity via TPM 2.0. Reads PCR registers 0-7 and mints a hardware root-of-trust anchor. All raw values are SHA-256 hashed before leaving the module:
+
+```typescript
+// Auto-detect: reads /dev/tpm0 via tpm2-tools
+witness.witnessTPMAttestation();
+
+// Or provide a pre-computed snapshot
+import { queryTPM } from "@tenova/swt3-ai";
+const snapshot = queryTPM();
+witness.witnessTPMAttestation({ snapshot });
+```
+
+If no TPM is available (cloud VM, dev machine), returns a valid anchor with factor_a=0. No crash, no error. Graceful degradation by design.
+
+Use case: sovereign/air-gapped deployments where you must prove the host was not tampered with. Combined with AI-HW.1 (GPU inventory), gives full hardware root-of-trust from silicon to model.
+
+Maps to: NIST 800-53 SC-12 (cryptographic key establishment). Patent pending.
+
 ## Environmental Attestation (Residential and Edge AI)
 
 Witness the physical compute environment for distributed, edge-deployed, or residential AI nodes. Proves the hardware operated within safe thermal and power bounds during inference:
@@ -363,13 +450,108 @@ witnessB.trustRegistry.registerSigningKey("agent-alpha", process.env.AGENT_A_KEY
 
 **Zero-friction path:** Trust mesh works without signing keys. Agents without keys get TRUST_BASIC (level 1), which is sufficient for non-sensitive coordination. Add keys when you need verified or attested trust.
 
-**Credential auto-population:** `presentCredential()` automatically includes which procedures the agent has witnessed and whether hardware attestation (AI-HW.1) has been performed. No manual tracking needed.
+**Credential auto-population:** `presentCredential()` automatically includes which procedures the agent has witnessed and whether hardware attestation (AI-HW.1 or AI-HW.3) has been performed. No manual tracking needed.
 
 Every verification (pass or fail) mints AI-TRUST.1 + AI-TRUST.2 anchors. Denials produce evidence too.
 
 Maps to: EU AI Act Art. 14 (human oversight and mutual accountability between AI systems).
 
-## Gatekeeper Mode (Pre-Call Enforcement)
+## Policy-as-Code (swt3.yaml)
+
+New in v0.5.2. Define your entire witnessing policy in a YAML file instead of passing 25+ constructor parameters:
+
+```bash
+npx swt3 init          # interactive profile picker
+npx swt3 init --profile eu-ai-act-high-risk --tenant ACME
+```
+
+This generates a `swt3.yaml` file. Then load it:
+
+```typescript
+const witness = Witness.fromConfig();              // auto-finds swt3.yaml
+const witness = Witness.fromConfig("prod.yaml");   // explicit path
+```
+
+### File Composition (extends)
+
+Layer configs for environment-specific overrides:
+
+```yaml
+# prod.yaml
+extends: base.yaml
+clearing_level: 2
+signing_key_env: SWT3_SIGNING_KEY
+```
+
+Supports single files or chains (`extends: [base.yaml, team.yaml]`). Merge order: extends < profile < explicit config. Cycle detection and depth limit (10) built in.
+
+### Built-in Profiles
+
+Seven profiles ship with the SDK:
+
+| Profile | Use Case |
+|---------|----------|
+| `eu-ai-act-high-risk` | EU AI Act high-risk: clearing 2, signing required, jurisdiction required |
+| `nist-ai-rmf` | NIST AI RMF: full procedure coverage, moderate policy |
+| `cost-conscious` | Token budget governance: 25K/session ceiling, cost attribution |
+| `owasp-agentic-top10` | OWASP Agentic Top 10: fail-closed, 100K tokens, depth 8 |
+| `mythos-defense` | Exploit chain containment: clearing 3, strict trust, depth 5 |
+| `granite-sovereign` | IBM Granite on-prem: air-gap ready, hardware attestation |
+| `minimal` | Development: clearing 0, no policy enforcement |
+
+### Diagnostics
+
+```bash
+npx swt3 doctor        # 8 checks: YAML, env vars, profile, extends, sections
+npx swt3 doctor --json  # machine-readable for CI/CD
+```
+
+### Schema Validation
+
+Validate config files programmatically:
+
+```typescript
+import { validateSchema } from "@tenova/swt3-ai";
+
+const result = validateSchema(parsedYaml);
+if (!result.valid) {
+  console.error(result.errors);
+}
+```
+
+## Merkle Accumulator (Session-Level Integrity)
+
+New in v0.5.2. Compute Merkle roots over batches of anchors for tamper-evident session integrity:
+
+```typescript
+import { MerkleAccumulator, verifyMerkleProof } from "@tenova/swt3-ai";
+
+const acc = new MerkleAccumulator({ tenantId: "ACME" });
+
+// Accumulate fingerprints as anchors are minted
+acc.add("abc123def456");
+acc.add("789012345678");
+
+// Compute session root (persisted to JSONL automatically)
+const session = acc.flush();
+console.log(session.root);  // 64-char hex Merkle root
+
+// Generate an inclusion proof for any fingerprint
+const proof = acc.prove("abc123def456");
+console.log(verifyMerkleProof("abc123def456", proof));  // true
+```
+
+Enable via config:
+
+```yaml
+merkle:
+  enabled: true
+  accumulator_interval: 0  # 0 = compute on every flush
+```
+
+Cross-language parity with Python SDK. Domain-separated (SWT3:LEAF: / SWT3:NODE:) to prevent second-preimage attacks.
+
+## Gatekeeper Mode (Pre-Call Attestation)
 
 New in v0.3.4. Require guardrails to be active *before* the model is called, not just observed after:
 
@@ -407,6 +589,35 @@ Gatekeeper mode mints an **AI-GRD.3** anchor with:
 - **factor_b** = actual guardrail count
 - **factor_c** = 1 if gate passed, 0 if blocked
 
+## Agent Cost Governance
+
+Every inference witnessed by the SDK captures prompt and completion token counts from the API response. Combined with `max_tokens_per_session`, this gives you a per-agent, per-session cost ceiling with a complete audit trail.
+
+```yaml
+# .swt3.yaml
+profile: cost-conscious        # Built-in budget profile (25K tokens)
+
+mcp_policy:
+  max_tokens_per_session: 25000  # Hard cutoff per session
+  fail_secure: true              # Halt and record on budget exceeded
+```
+
+```typescript
+import { Witness } from "@tenova/swt3-ai";
+
+const witness = new Witness({ /* ... */ });
+const client = witness.wrap(new OpenAI()) as OpenAI;
+
+// Every call through the wrapped client automatically tracks tokens.
+// When the session budget is exhausted, the chain enforcer halts
+// further calls and mints a token_budget violation anchor.
+
+// Manual token recording (for custom pipelines):
+witness.recordSessionTokens(1500);
+```
+
+Token usage flows into the witness ledger alongside every other anchor. Your auditor sees what the agent did, whether it complied, and what it cost -- in one export.
+
 ## Multi-Agent Chain Linking
 
 New in v0.3.4. Link anchors across agents in a multi-step pipeline using `cycleId`:
@@ -456,7 +667,7 @@ Each inference produces anchors for these checks. Every check maps to a regulati
 
 ### EU AI Act Article Mapping
 
-All 42 SWT3 AI witnessing procedures map to specific EU AI Act obligations:
+All 47 SWT3 AI witnessing procedures map to specific EU AI Act obligations:
 
 | Procedure | EU AI Act Article | Obligation | Demo | Production |
 |-----------|-------------------|------------|------|------------|
@@ -473,7 +684,7 @@ All 42 SWT3 AI witnessing procedures map to specific EU AI Act obligations:
 | AI-EXPL.1 | Art. 13(1) | Transparency & Explainability | -| ✓ |
 | AI-EXPL.2 | Art. 13(3b) | Confidence Calibration | -| ✓ |
 
-The demo demonstrates 5 procedures using simulated data. All 42 are available in production with real inference data. 36 cross-language test vectors ensure fingerprint parity across Python, TypeScript, Rust, C#, and Ruby. [See live conformity →](https://sovereign.tenova.io/audit/axm_audit_demo_eu_ai_act_public)
+The demo demonstrates 5 procedures using simulated data. All 47 are available in production with real inference data. 40 cross-language test vectors ensure fingerprint parity across Python, TypeScript, Rust, C#, and Ruby. [See live conformity →](https://sovereign.tenova.io/audit/axm_audit_demo_eu_ai_act_public)
 
 ## How Verdicts Work
 
@@ -718,15 +929,21 @@ Your prompts and responses **never leave your infrastructure**. The SDK computes
 
 ---
 
-## Upgrading to v0.5.1
+## Upgrading to v0.5.2
+
+**Policy-as-Code (new):** `swt3 init`, `swt3 doctor`, `extends:` composition, profile templates, YAML schema validator. No breaking changes.
+
+**Merkle Accumulator (new):** `MerkleAccumulator` class for session-level integrity proofs. `merkle:` config section. No breaking changes.
+
+**Trust Mesh (v0.5.0):** `presentCredential()` and `verifyTrust()`. No breaking changes for existing code.
 
-**Trust Mesh (new):** `presentCredential()` and `verifyTrust()` are new methods. No breaking changes for existing code.
+**Credential signing (behavioral change):** If your Witness has a `signingKey`, credentials are now HMAC-signed automatically. Counterpart agents must register your key via `trustRegistry.registerSigningKey()` to verify the signature. Without key registration, signed credentials are denied with `signature_unverifiable`.
 
-**Credential signing (behavioral change):** If your Witness has a `signingKey`, credentials are now HMAC-signed automatically. Counterpart agents must register your key via `trustRegistry.registerSigningKey()` to verify the signature. Without key registration, signed credentials are denied with `signature_unverifiable`. If you were using trust mesh in v0.5.0 without signing keys, credentials are now capped at TRUST_BASIC (level 1). To restore full trust levels, both sides must exchange and register signing keys.
+**TPM attestation (v0.5.2):** `witnessTPMAttestation()` for AI-HW.3. Reads PCR registers via tpm2-tools. Graceful degradation without TPM. No breaking changes.
 
-**Environmental attestation (new):** `witnessEnvironment()` and `witnessEnergyDraw()` are new methods for AI-ENV.1/AI-ENV.2. No breaking changes.
+**Environmental attestation (v0.5.0):** `witnessEnvironment()` and `witnessEnergyDraw()` for AI-ENV.1/AI-ENV.2. No breaking changes.
 
-**MCP server:** 16 procedure keyword suggestions (was 8). No breaking changes.
+**MCP server:** 16 procedure keyword suggestions (was 8). MCP policy section in swt3.yaml. No breaking changes.
 
 ---
 
@@ -736,7 +953,7 @@ Your prompts and responses **never leave your infrastructure**. The SDK computes
 - [10-Minute Quickstart](https://sovereign.tenova.io/guides/ai-witness-quickstart.html) -- from install to first anchor
 - [SWT3 Protocol Spec](https://sovereign.tenova.io/guides/swt3-protocol.html) -- formal specification with ABNF grammar
 - [Design Rationale](https://sovereign.tenova.io/guides/swt3-design-rationale.html) -- why every protocol decision was made
-- [UCT Registry](https://sovereign.tenova.io/registry) -- 162 procedures, full factor definitions
+- [UCT Registry](https://sovereign.tenova.io/registry) -- full procedure catalog with factor definitions
 - [Anchor Verifier](https://sovereign.tenova.io/verify) -- verify any anchor, zero server calls
 - [EU AI Act Regulatory Architecture](https://sovereign.tenova.io/guides/futurium-submission.html) -- VI+CJT+ALF+LAVR framework mapping for conformity assessment bodies
 - [Five Eyes Agentic AI Overlay](https://sovereign.tenova.io/guides/five-eyes-overlay.html) -- CISA/NSA guidance mapped to SWT3 procedures

package/dist/buffer.d.ts

@@ -10,6 +10,7 @@
  * prevents unbounded memory growth.
  */
 import type { WitnessConfig, WitnessPayload, WitnessReceipt } from "./types.js";
+import type { WriteAheadLog } from "./wal.js";
 export declare class WitnessBuffer {
     private config;
     private queue;
@@ -20,8 +21,13 @@ export declare class WitnessBuffer {
     private stopped;
     private consecutiveFailures;
     private ctaShown;
+    private tokenAccumulator;
     private onFlush?;
-    constructor(config: WitnessConfig, maxRetryBuffer?: number);
+    private wal;
+    private walSeqMap;
+    constructor(config: WitnessConfig, maxRetryBuffer?: number, wal?: WriteAheadLog);
+    /** Cumulative tokens accumulated since last flush (for token_budget monitoring). */
+    get tokensSinceFlush(): number;
     /** Add a single payload to the buffer. */
     enqueue(payload: WitnessPayload): void;
     /** Add multiple payloads. */

package/dist/buffer.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"buffer.d.ts","sourceRoot":"","sources":["../src/buffer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,cAAc,EAAE,cAAc,EAAiB,MAAM,YAAY,CAAC;AAI/F,qBAAa,aAAa;IACxB,OAAO,CAAC,MAAM,CAAgB;IAC9B,OAAO,CAAC,KAAK,CAAwB;IACrC,OAAO,CAAC,UAAU,CAAwB;IAC1C,OAAO,CAAC,cAAc,CAAS;IAC/B,OAAO,CAAC,WAAW,CAAwB;IAC3C,OAAO,CAAC,KAAK,CAA8C;IAC3D,OAAO,CAAC,OAAO,CAAS;IACxB,OAAO,CAAC,mBAAmB,CAAK;IAChC,OAAO,CAAC,QAAQ,CAAS;IACzB,OAAO,CAAC,OAAO,CAAC,CAAmE;gBAEvE,MAAM,EAAE,aAAa,EAAE,cAAc,SAA2B;IAO5E,0CAA0C;IAC1C,OAAO,CAAC,OAAO,EAAE,cAAc,GAAG,IAAI;IAQtC,6BAA6B;IAC7B,WAAW,CAAC,QAAQ,EAAE,cAAc,EAAE,GAAG,IAAI;IAI7C,yCAAyC;IACnC,KAAK,IAAI,OAAO,CAAC,cAAc,EAAE,CAAC;IAIxC,oDAAoD;IAC9C,IAAI,IAAI,OAAO,CAAC,cAAc,EAAE,CAAC;IAgBvC,yDAAyD;IACzD,IAAI,OAAO,IAAI,MAAM,CAEpB;IAED,oDAAoD;IACpD,IAAI,eAAe,IAAI,MAAM,CAE5B;IAED,2CAA2C;IAC3C,IAAI,QAAQ,IAAI,cAAc,EAAE,CAE/B;IAED,OAAO,CAAC,UAAU;YAYJ,aAAa;YAWb,SAAS;CAmGxB"}
+{"version":3,"file":"buffer.d.ts","sourceRoot":"","sources":["../src/buffer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,cAAc,EAAE,cAAc,EAAiB,MAAM,YAAY,CAAC;AAC/F,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAI9C,qBAAa,aAAa;IACxB,OAAO,CAAC,MAAM,CAAgB;IAC9B,OAAO,CAAC,KAAK,CAAwB;IACrC,OAAO,CAAC,UAAU,CAAwB;IAC1C,OAAO,CAAC,cAAc,CAAS;IAC/B,OAAO,CAAC,WAAW,CAAwB;IAC3C,OAAO,CAAC,KAAK,CAA8C;IAC3D,OAAO,CAAC,OAAO,CAAS;IACxB,OAAO,CAAC,mBAAmB,CAAK;IAChC,OAAO,CAAC,QAAQ,CAAS;IACzB,OAAO,CAAC,gBAAgB,CAAK;IAC7B,OAAO,CAAC,OAAO,CAAC,CAAmE;IACnF,OAAO,CAAC,GAAG,CAA8B;IACzC,OAAO,CAAC,SAAS,CAA0C;gBAE/C,MAAM,EAAE,aAAa,EAAE,cAAc,SAA2B,EAAE,GAAG,CAAC,EAAE,aAAa;IAQjG,oFAAoF;IACpF,IAAI,gBAAgB,IAAI,MAAM,CAE7B;IAED,0CAA0C;IAC1C,OAAO,CAAC,OAAO,EAAE,cAAc,GAAG,IAAI;IAuBtC,6BAA6B;IAC7B,WAAW,CAAC,QAAQ,EAAE,cAAc,EAAE,GAAG,IAAI;IAI7C,yCAAyC;IACnC,KAAK,IAAI,OAAO,CAAC,cAAc,EAAE,CAAC;IAIxC,oDAAoD;IAC9C,IAAI,IAAI,OAAO,CAAC,cAAc,EAAE,CAAC;IAgBvC,yDAAyD;IACzD,IAAI,OAAO,IAAI,MAAM,CAEpB;IAED,oDAAoD;IACpD,IAAI,eAAe,IAAI,MAAM,CAE5B;IAED,2CAA2C;IAC3C,IAAI,QAAQ,IAAI,cAAc,EAAE,CAE/B;IAED,OAAO,CAAC,UAAU;YAYJ,aAAa;YAYb,SAAS;CA8GxB"}

package/dist/buffer.js

@@ -20,19 +20,41 @@ export class WitnessBuffer {
     stopped = false;
     consecutiveFailures = 0;
     ctaShown = false;
+    tokenAccumulator = 0;
     onFlush;
-    constructor(config, maxRetryBuffer = DEFAULT_MAX_RETRY_BUFFER) {
+    wal = null;
+    walSeqMap = new Map();
+    constructor(config, maxRetryBuffer = DEFAULT_MAX_RETRY_BUFFER, wal) {
         this.config = config;
         this.maxRetryBuffer = maxRetryBuffer;
         this.onFlush = config.onFlush;
+        this.wal = wal ?? null;
         this.startTimer();
     }
+    /** Cumulative tokens accumulated since last flush (for token_budget monitoring). */
+    get tokensSinceFlush() {
+        return this.tokenAccumulator;
+    }
     /** Add a single payload to the buffer. */
     enqueue(payload) {
         if (this.stopped)
             return;
+        // WAL: replay protection (reject duplicates) + persist to disk
+        if (this.wal) {
+            const seq = this.wal.append(payload);
+            if (seq === -1) {
+                // Duplicate fingerprint -- silently skip
+                return;
+            }
+            this.walSeqMap.set(payload, seq);
+        }
+        // Track token accumulation for tokenBudget flush trigger
+        const tokens = (payload.ai_input_tokens ?? 0) + (payload.ai_output_tokens ?? 0);
+        if (tokens > 0)
+            this.tokenAccumulator += tokens;
         this.queue.push(payload);
-        if (this.queue.length >= this.config.bufferSize) {
+        const tokenBudgetHit = this.config.tokenBudget != null && this.tokenAccumulator >= this.config.tokenBudget;
+        if (this.queue.length >= this.config.bufferSize || tokenBudgetHit) {
             this.flushInternal();
         }
     }
@@ -89,6 +111,7 @@ export class WitnessBuffer {
         const payloads = [...this.deadLetter, ...this.queue];
         this.deadLetter = [];
         this.queue = [];
+        this.tokenAccumulator = 0;
         if (payloads.length === 0)
             return [];
         return this.sendBatch(payloads);
@@ -118,7 +141,7 @@ export class WitnessBuffer {
                     // Client error — don't retry, don't dead-letter
                     const text = await resp.text();
                     // Scrub any key material that might appear in error response body
-                    const safe = text.replace(/(?:Bearer|Authorization|api[_-]?key|signing[_-]?key)[^\s,;"]*/gi, "[REDACTED]");
+                    const safe = text.replace(/(?:Bearer|Authorization|api[_-]?key|signing[_-]?key)\s*[^\s,;"]{4,}/gi, "[REDACTED]");
                     console.error(`[swt3-ai] Batch flush failed (${resp.status}): ${safe.slice(0, 200)}`);
                     return [];
                 }
@@ -126,6 +149,18 @@ export class WitnessBuffer {
                 const receipts = result.receipts ?? [];
                 this.allReceipts.push(...receipts);
                 this.consecutiveFailures = 0;
+                // WAL: mark flushed entries
+                if (this.wal) {
+                    let maxSeq = 0;
+                    for (const p of payloads) {
+                        const s = this.walSeqMap.get(p);
+                        if (s !== undefined && s > maxSeq)
+                            maxSeq = s;
+                        this.walSeqMap.delete(p);
+                    }
+                    if (maxSeq > 0)
+                        this.wal.markFlushed(maxSeq);
+                }
                 if (result.rejected > 0) {
                     console.warn(`[swt3-ai] Batch flush: ${result.accepted} accepted, ${result.rejected} rejected`);
                 }

package/dist/buffer.js.map

@@ -1 +1 @@
-{"version":3,"file":"buffer.js","sourceRoot":"","sources":["../src/buffer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAIH,MAAM,wBAAwB,GAAG,IAAI,CAAC;AAEtC,MAAM,OAAO,aAAa;IAChB,MAAM,CAAgB;IACtB,KAAK,GAAqB,EAAE,CAAC;IAC7B,UAAU,GAAqB,EAAE,CAAC;IAClC,cAAc,CAAS;IACvB,WAAW,GAAqB,EAAE,CAAC;IACnC,KAAK,GAAyC,IAAI,CAAC;IACnD,OAAO,GAAG,KAAK,CAAC;IAChB,mBAAmB,GAAG,CAAC,CAAC;IACxB,QAAQ,GAAG,KAAK,CAAC;IACjB,OAAO,CAAoE;IAEnF,YAAY,MAAqB,EAAE,cAAc,GAAG,wBAAwB;QAC1E,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,cAAc,GAAG,cAAc,CAAC;QACrC,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC;QAC9B,IAAI,CAAC,UAAU,EAAE,CAAC;IACpB,CAAC;IAED,0CAA0C;IAC1C,OAAO,CAAC,OAAuB;QAC7B,IAAI,IAAI,CAAC,OAAO;YAAE,OAAO;QACzB,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACzB,IAAI,IAAI,CAAC,KAAK,CAAC,MAAM,IAAI,IAAI,CAAC,MAAM,CAAC,UAAU,EAAE,CAAC;YAChD,IAAI,CAAC,aAAa,EAAE,CAAC;QACvB,CAAC;IACH,CAAC;IAED,6BAA6B;IAC7B,WAAW,CAAC,QAA0B;QACpC,KAAK,MAAM,CAAC,IAAI,QAAQ;YAAE,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;IAC5C,CAAC;IAED,yCAAyC;IACzC,KAAK,CAAC,KAAK;QACT,OAAO,IAAI,CAAC,aAAa,EAAE,CAAC;IAC9B,CAAC;IAED,oDAAoD;IACpD,KAAK,CAAC,IAAI;QACR,IAAI,IAAI,CAAC,OAAO;YAAE,OAAO,EAAE,CAAC;QAC5B,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC;QACpB,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YACf,YAAY,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACzB,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC;QACpB,CAAC;QACD,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,aAAa,EAAE,CAAC;QAC5C,IAAI,IAAI,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC/B,OAAO,CAAC,IAAI,CACV,iCAAiC,IAAI,CAAC,UAAU,CAAC,MAAM,gCAAgC,CACxF,CAAC;QACJ,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,yDAAyD;IACzD,IAAI,OAAO;QACT,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,GAAG,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC;IACpD,CAAC;IAED,oDAAoD;IACpD,IAAI,eAAe;QACjB,OAAO,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC;IAChC,CAAC;IAED,2CAA2C;IAC3C,IAAI,QAAQ;QACV,OAAO,CAAC,GAAG,IAAI,CAAC,WAAW,CAAC,CAAC;IAC/B,CAAC;IAEO,UAAU;QAChB,IAAI,IAAI,CAAC,OAAO;YAAE,OAAO;QACzB,IAAI,CAAC,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE;YAC3B,IAAI,CAAC,aAAa,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;YACrC,IAAI,CAAC,UAAU,EAAE,CAAC;QACpB,CAAC,EAAE,IAAI,CAAC,MAAM,CAAC,aAAa,GAAG,IAAI,CAAC,CAAC;QACrC,oDAAoD;QACpD,IAAI,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,IAAI,OAAO,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YAC3D,IAAI,CAAC,KAAwB,CAAC,KAAK,EAAE,CAAC;QACzC,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,aAAa;QACzB,cAAc;QACd,MAAM,QAAQ,GAAG,CAAC,GAAG,IAAI,CAAC,UAAU,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC;QACrD,IAAI,CAAC,UAAU,GAAG,EAAE,CAAC;QACrB,IAAI,CAAC,KAAK,GAAG,EAAE,CAAC;QAEhB,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,CAAC;QAErC,OAAO,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;IAClC,CAAC;IAEO,KAAK,CAAC,SAAS,CAAC,QAA0B;QAChD,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,CAAC;QAErC,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,QAAQ,uBAAuB,CAAC;QAC3D,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,EAAE,SAAS,EAAE,QAAQ,EAAE,CAAC,CAAC;QACrD,MAAM,OAAO,GAA2B;YACtC,cAAc,EAAE,kBAAkB;YAClC,aAAa,EAAE,UAAU,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE;SAC9C,CAAC;QAEF,IAAI,SAAS,GAAkB,IAAI,CAAC;QAEpC,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC,UAAU,EAAE,OAAO,EAAE,EAAE,CAAC;YAClE,IAAI,CAAC;gBACH,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;gBACzC,MAAM,SAAS,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;gBAE5E,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;oBAC5B,MAAM,EAAE,MAAM;oBACd,OAAO;oBACP,IAAI;oBACJ,MAAM,EAAE,UAAU,CAAC,MAAM;iBAC1B,CAAC,CAAC;gBAEH,YAAY,CAAC,SAAS,CAAC,CAAC;gBAExB,IAAI,IAAI,CAAC,MAAM,IAAI,GAAG,IAAI,IAAI,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;oBAC5C,gDAAgD;oBAChD,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;oBAC/B,kEAAkE;oBAClE,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,iEAAiE,EAAE,YAAY,CAAC,CAAC;oBAC3G,OAAO,CAAC,KAAK,CAAC,iCAAiC,IAAI,CAAC,MAAM,MAAM,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC;oBACtF,OAAO,EAAE,CAAC;gBACZ,CAAC;gBAED,MAAM,MAAM,GAAG,CAAC,MAAM,IAAI,CAAC,IAAI,EAAE,CAAkB,CAAC;gBAEpD,MAAM,QAAQ,GAAqB,MAAM,CAAC,QAAQ,IAAI,EAAE,CAAC;gBACzD,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,CAAC;gBACnC,IAAI,CAAC,mBAAmB,GAAG,CAAC,CAAC;gBAE7B,IAAI,MAAM,CAAC,QAAQ,GAAG,CAAC,EAAE,CAAC;oBACxB,OAAO,CAAC,IAAI,CACV,0BAA0B,MAAM,CAAC,QAAQ,cAAc,MAAM,CAAC,QAAQ,WAAW,CAClF,CAAC;gBACJ,CAAC;gBAED,IAAI,CAAC,IAAI,CAAC,QAAQ,IAAI,CAAC,MAAM,CAAC,QAAQ,IAAI,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC;oBACjD,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC;oBACrB,OAAO,CAAC,IAAI,CACV,cAAc,MAAM,CAAC,QAAQ,yBAAyB,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE;wBAC5E,wFAAwF;wBACxF,2FAA2F,CAC5F,CAAC;gBACJ,CAAC;gBAED,0EAA0E;gBAC1E,IAAI,IAAI,CAAC,OAAO,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBACxC,IAAI,CAAC;wBACH,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;oBACnC,CAAC;oBAAC,OAAO,KAAK,EAAE,CAAC;wBACf,OAAO,CAAC,IAAI,CAAC,+CAA+C,EAAE,KAAK,CAAC,CAAC;oBACvE,CAAC;gBACH,CAAC;gBAED,OAAO,QAAQ,CAAC;YAClB,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,SAAS,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;gBAC7D,OAAO,CAAC,IAAI,CACV,iCAAiC,OAAO,GAAG,CAAC,YAAY,SAAS,EAAE,CACpE,CAAC;gBAEF,kCAAkC;gBAClC,IAAI,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC,UAAU,GAAG,CAAC,EAAE,CAAC;oBACzC,MAAM,IAAI,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC,EAAE,CAAC,IAAI,OAAO,GAAG,IAAI,CAAC,CAAC,CAAC;gBAC/D,CAAC;YACH,CAAC;QACH,CAAC;QAED,oDAAoD;QACpD,IAAI,CAAC,mBAAmB,EAAE,CAAC;QAC3B,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC;QACtC,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,CAAC;QAElC,4BAA4B;QAC5B,IAAI,IAAI,CAAC,UAAU,CAAC,MAAM,GAAG,IAAI,CAAC,cAAc,EAAE,CAAC;YACjD,MAAM,OAAO,GAAG,IAAI,CAAC,UAAU,CAAC,MAAM,GAAG,IAAI,CAAC,cAAc,CAAC;YAC7D,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YACjD,OAAO,CAAC,KAAK,CACX,qCAAqC,OAAO,kCAAkC,IAAI,CAAC,cAAc,GAAG,CACrG,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,IAAI,CACV,oCAAoC,QAAQ,CAAC,MAAM,0CAA0C,IAAI,CAAC,UAAU,CAAC,MAAM,aAAa,SAAS,EAAE,CAC5I,CAAC;QACJ,CAAC;QAED,OAAO,EAAE,CAAC;IACZ,CAAC;CACF"}
+{"version":3,"file":"buffer.js","sourceRoot":"","sources":["../src/buffer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAKH,MAAM,wBAAwB,GAAG,IAAI,CAAC;AAEtC,MAAM,OAAO,aAAa;IAChB,MAAM,CAAgB;IACtB,KAAK,GAAqB,EAAE,CAAC;IAC7B,UAAU,GAAqB,EAAE,CAAC;IAClC,cAAc,CAAS;IACvB,WAAW,GAAqB,EAAE,CAAC;IACnC,KAAK,GAAyC,IAAI,CAAC;IACnD,OAAO,GAAG,KAAK,CAAC;IAChB,mBAAmB,GAAG,CAAC,CAAC;IACxB,QAAQ,GAAG,KAAK,CAAC;IACjB,gBAAgB,GAAG,CAAC,CAAC;IACrB,OAAO,CAAoE;IAC3E,GAAG,GAAyB,IAAI,CAAC;IACjC,SAAS,GAAgC,IAAI,GAAG,EAAE,CAAC;IAE3D,YAAY,MAAqB,EAAE,cAAc,GAAG,wBAAwB,EAAE,GAAmB;QAC/F,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,cAAc,GAAG,cAAc,CAAC;QACrC,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC;QAC9B,IAAI,CAAC,GAAG,GAAG,GAAG,IAAI,IAAI,CAAC;QACvB,IAAI,CAAC,UAAU,EAAE,CAAC;IACpB,CAAC;IAED,oFAAoF;IACpF,IAAI,gBAAgB;QAClB,OAAO,IAAI,CAAC,gBAAgB,CAAC;IAC/B,CAAC;IAED,0CAA0C;IAC1C,OAAO,CAAC,OAAuB;QAC7B,IAAI,IAAI,CAAC,OAAO;YAAE,OAAO;QAEzB,+DAA+D;QAC/D,IAAI,IAAI,CAAC,GAAG,EAAE,CAAC;YACb,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;YACrC,IAAI,GAAG,KAAK,CAAC,CAAC,EAAE,CAAC;gBACf,yCAAyC;gBACzC,OAAO;YACT,CAAC;YACD,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QACnC,CAAC;QAED,yDAAyD;QACzD,MAAM,MAAM,GAAG,CAAC,OAAO,CAAC,eAAe,IAAI,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,gBAAgB,IAAI,CAAC,CAAC,CAAC;QAChF,IAAI,MAAM,GAAG,CAAC;YAAE,IAAI,CAAC,gBAAgB,IAAI,MAAM,CAAC;QAChD,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACzB,MAAM,cAAc,GAAG,IAAI,CAAC,MAAM,CAAC,WAAW,IAAI,IAAI,IAAI,IAAI,CAAC,gBAAgB,IAAI,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC;QAC3G,IAAI,IAAI,CAAC,KAAK,CAAC,MAAM,IAAI,IAAI,CAAC,MAAM,CAAC,UAAU,IAAI,cAAc,EAAE,CAAC;YAClE,IAAI,CAAC,aAAa,EAAE,CAAC;QACvB,CAAC;IACH,CAAC;IAED,6BAA6B;IAC7B,WAAW,CAAC,QAA0B;QACpC,KAAK,MAAM,CAAC,IAAI,QAAQ;YAAE,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;IAC5C,CAAC;IAED,yCAAyC;IACzC,KAAK,CAAC,KAAK;QACT,OAAO,IAAI,CAAC,aAAa,EAAE,CAAC;IAC9B,CAAC;IAED,oDAAoD;IACpD,KAAK,CAAC,IAAI;QACR,IAAI,IAAI,CAAC,OAAO;YAAE,OAAO,EAAE,CAAC;QAC5B,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC;QACpB,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YACf,YAAY,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACzB,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC;QACpB,CAAC;QACD,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,aAAa,EAAE,CAAC;QAC5C,IAAI,IAAI,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC/B,OAAO,CAAC,IAAI,CACV,iCAAiC,IAAI,CAAC,UAAU,CAAC,MAAM,gCAAgC,CACxF,CAAC;QACJ,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,yDAAyD;IACzD,IAAI,OAAO;QACT,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,GAAG,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC;IACpD,CAAC;IAED,oDAAoD;IACpD,IAAI,eAAe;QACjB,OAAO,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC;IAChC,CAAC;IAED,2CAA2C;IAC3C,IAAI,QAAQ;QACV,OAAO,CAAC,GAAG,IAAI,CAAC,WAAW,CAAC,CAAC;IAC/B,CAAC;IAEO,UAAU;QAChB,IAAI,IAAI,CAAC,OAAO;YAAE,OAAO;QACzB,IAAI,CAAC,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE;YAC3B,IAAI,CAAC,aAAa,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;YACrC,IAAI,CAAC,UAAU,EAAE,CAAC;QACpB,CAAC,EAAE,IAAI,CAAC,MAAM,CAAC,aAAa,GAAG,IAAI,CAAC,CAAC;QACrC,oDAAoD;QACpD,IAAI,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,IAAI,OAAO,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YAC3D,IAAI,CAAC,KAAwB,CAAC,KAAK,EAAE,CAAC;QACzC,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,aAAa;QACzB,cAAc;QACd,MAAM,QAAQ,GAAG,CAAC,GAAG,IAAI,CAAC,UAAU,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC;QACrD,IAAI,CAAC,UAAU,GAAG,EAAE,CAAC;QACrB,IAAI,CAAC,KAAK,GAAG,EAAE,CAAC;QAChB,IAAI,CAAC,gBAAgB,GAAG,CAAC,CAAC;QAE1B,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,CAAC;QAErC,OAAO,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;IAClC,CAAC;IAEO,KAAK,CAAC,SAAS,CAAC,QAA0B;QAChD,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,CAAC;QAErC,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,QAAQ,uBAAuB,CAAC;QAC3D,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,EAAE,SAAS,EAAE,QAAQ,EAAE,CAAC,CAAC;QACrD,MAAM,OAAO,GAA2B;YACtC,cAAc,EAAE,kBAAkB;YAClC,aAAa,EAAE,UAAU,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE;SAC9C,CAAC;QAEF,IAAI,SAAS,GAAkB,IAAI,CAAC;QAEpC,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC,UAAU,EAAE,OAAO,EAAE,EAAE,CAAC;YAClE,IAAI,CAAC;gBACH,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;gBACzC,MAAM,SAAS,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;gBAE5E,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;oBAC5B,MAAM,EAAE,MAAM;oBACd,OAAO;oBACP,IAAI;oBACJ,MAAM,EAAE,UAAU,CAAC,MAAM;iBAC1B,CAAC,CAAC;gBAEH,YAAY,CAAC,SAAS,CAAC,CAAC;gBAExB,IAAI,IAAI,CAAC,MAAM,IAAI,GAAG,IAAI,IAAI,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;oBAC5C,gDAAgD;oBAChD,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;oBAC/B,kEAAkE;oBAClE,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,uEAAuE,EAAE,YAAY,CAAC,CAAC;oBACjH,OAAO,CAAC,KAAK,CAAC,iCAAiC,IAAI,CAAC,MAAM,MAAM,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC;oBACtF,OAAO,EAAE,CAAC;gBACZ,CAAC;gBAED,MAAM,MAAM,GAAG,CAAC,MAAM,IAAI,CAAC,IAAI,EAAE,CAAkB,CAAC;gBAEpD,MAAM,QAAQ,GAAqB,MAAM,CAAC,QAAQ,IAAI,EAAE,CAAC;gBACzD,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,CAAC;gBACnC,IAAI,CAAC,mBAAmB,GAAG,CAAC,CAAC;gBAE7B,4BAA4B;gBAC5B,IAAI,IAAI,CAAC,GAAG,EAAE,CAAC;oBACb,IAAI,MAAM,GAAG,CAAC,CAAC;oBACf,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;wBACzB,MAAM,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;wBAChC,IAAI,CAAC,KAAK,SAAS,IAAI,CAAC,GAAG,MAAM;4BAAE,MAAM,GAAG,CAAC,CAAC;wBAC9C,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;oBAC3B,CAAC;oBACD,IAAI,MAAM,GAAG,CAAC;wBAAE,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;gBAC/C,CAAC;gBAED,IAAI,MAAM,CAAC,QAAQ,GAAG,CAAC,EAAE,CAAC;oBACxB,OAAO,CAAC,IAAI,CACV,0BAA0B,MAAM,CAAC,QAAQ,cAAc,MAAM,CAAC,QAAQ,WAAW,CAClF,CAAC;gBACJ,CAAC;gBAED,IAAI,CAAC,IAAI,CAAC,QAAQ,IAAI,CAAC,MAAM,CAAC,QAAQ,IAAI,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC;oBACjD,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC;oBACrB,OAAO,CAAC,IAAI,CACV,cAAc,MAAM,CAAC,QAAQ,yBAAyB,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE;wBAC5E,wFAAwF;wBACxF,2FAA2F,CAC5F,CAAC;gBACJ,CAAC;gBAED,0EAA0E;gBAC1E,IAAI,IAAI,CAAC,OAAO,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBACxC,IAAI,CAAC;wBACH,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;oBACnC,CAAC;oBAAC,OAAO,KAAK,EAAE,CAAC;wBACf,OAAO,CAAC,IAAI,CAAC,+CAA+C,EAAE,KAAK,CAAC,CAAC;oBACvE,CAAC;gBACH,CAAC;gBAED,OAAO,QAAQ,CAAC;YAClB,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,SAAS,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;gBAC7D,OAAO,CAAC,IAAI,CACV,iCAAiC,OAAO,GAAG,CAAC,YAAY,SAAS,EAAE,CACpE,CAAC;gBAEF,kCAAkC;gBAClC,IAAI,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC,UAAU,GAAG,CAAC,EAAE,CAAC;oBACzC,MAAM,IAAI,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC,EAAE,CAAC,IAAI,OAAO,GAAG,IAAI,CAAC,CAAC,CAAC;gBAC/D,CAAC;YACH,CAAC;QACH,CAAC;QAED,oDAAoD;QACpD,IAAI,CAAC,mBAAmB,EAAE,CAAC;QAC3B,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC;QACtC,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,CAAC;QAElC,4BAA4B;QAC5B,IAAI,IAAI,CAAC,UAAU,CAAC,MAAM,GAAG,IAAI,CAAC,cAAc,EAAE,CAAC;YACjD,MAAM,OAAO,GAAG,IAAI,CAAC,UAAU,CAAC,MAAM,GAAG,IAAI,CAAC,cAAc,CAAC;YAC7D,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YACjD,OAAO,CAAC,KAAK,CACX,qCAAqC,OAAO,kCAAkC,IAAI,CAAC,cAAc,GAAG,CACrG,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,IAAI,CACV,oCAAoC,QAAQ,CAAC,MAAM,0CAA0C,IAAI,CAAC,UAAU,CAAC,MAAM,aAAa,SAAS,EAAE,CAC5I,CAAC;QACJ,CAAC;QAED,OAAO,EAAE,CAAC;IACZ,CAAC;CACF"}

package/dist/cli.d.ts

@@ -0,0 +1,13 @@
+#!/usr/bin/env node
+/**
+ * SWT3 CLI -- governance tooling for AI systems.
+ *
+ * Commands:
+ *   swt3 init              Interactive governance setup
+ *   swt3 init --profile X  Non-interactive (CI/CD friendly)
+ *   swt3 demo              Run the zero-friction demo
+ *   swt3 doctor            Diagnose config health
+ *   swt3 help              Show usage
+ */
+export declare function generateInitYaml(profile: string, tenantId: string, agentId: string): string;
+//# sourceMappingURL=cli.d.ts.map

package/dist/cli.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AACA;;;;;;;;;GASG;AA4CH,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,MAAM,CAoB3F"}