npm - @vess-id/ai-identity - Versions diffs - 0.12.0 → 0.14.0-alpha.1 - Mend

@vess-id/ai-identity 0.12.0 → 0.14.0-alpha.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (56) hide show

package/dist/index.d.mts +1252 -8
package/dist/index.d.ts +12 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.js +611 -27
package/dist/index.js.map +1 -1
package/dist/index.mjs +596 -27
package/dist/index.mjs.map +1 -1
package/dist/policy/__tests__/cedar-engine.spec.d.ts +17 -0
package/dist/policy/__tests__/cedar-engine.spec.d.ts.map +1 -0
package/dist/policy/__tests__/cedar-entities.spec.d.ts +14 -0
package/dist/policy/__tests__/cedar-entities.spec.d.ts.map +1 -0
package/dist/policy/__tests__/decision-enum.spec.d.ts +16 -0
package/dist/policy/__tests__/decision-enum.spec.d.ts.map +1 -0
package/dist/policy/cedar-engine.d.ts +334 -0
package/dist/policy/cedar-engine.d.ts.map +1 -0
package/dist/policy/cedar-entities.d.ts +59 -0
package/dist/policy/cedar-entities.d.ts.map +1 -0
package/dist/policy/decision.d.ts +46 -0
package/dist/policy/decision.d.ts.map +1 -0
package/dist/policy/index.d.ts +15 -0
package/dist/policy/index.d.ts.map +1 -0
package/dist/registry/__tests__/action-registry-validation.spec.d.ts +13 -0
package/dist/registry/__tests__/action-registry-validation.spec.d.ts.map +1 -0
package/dist/registry/__tests__/action-risk-registry-driven.spec.d.ts +15 -0
package/dist/registry/__tests__/action-risk-registry-driven.spec.d.ts.map +1 -0
package/dist/registry/__tests__/action-risk.spec.d.ts +17 -0
package/dist/registry/__tests__/action-risk.spec.d.ts.map +1 -0
package/dist/registry/action-registry-json.d.ts +398 -0
package/dist/registry/action-registry-json.d.ts.map +1 -1
package/dist/registry/action-registry.d.ts +1 -1
package/dist/registry/action-registry.d.ts.map +1 -1
package/dist/registry/action-risk.d.ts +47 -0
package/dist/registry/action-risk.d.ts.map +1 -0
package/dist/registry/action-summary.d.ts.map +1 -1
package/dist/types/__tests__/cedar-policy.spec.d.ts +8 -0
package/dist/types/__tests__/cedar-policy.spec.d.ts.map +1 -0
package/dist/types/__tests__/permission-vc-v3.spec.d.ts +9 -0
package/dist/types/__tests__/permission-vc-v3.spec.d.ts.map +1 -0
package/dist/types/__tests__/phase1-vc-factory.spec.d.ts +9 -0
package/dist/types/__tests__/phase1-vc-factory.spec.d.ts.map +1 -0
package/dist/types/__tests__/policy-ref.spec.d.ts +9 -0
package/dist/types/__tests__/policy-ref.spec.d.ts.map +1 -0
package/dist/types/cedar-policy.d.ts +60 -0
package/dist/types/cedar-policy.d.ts.map +1 -0
package/dist/types/grant.d.ts +69 -0
package/dist/types/grant.d.ts.map +1 -1
package/dist/types/index.d.ts +1 -0
package/dist/types/index.d.ts.map +1 -1
package/dist/types/jira.d.ts +57 -0
package/dist/types/jira.d.ts.map +1 -1
package/dist/types/permission-vc.d.ts +245 -6
package/dist/types/permission-vc.d.ts.map +1 -1
package/dist/types/tier.d.ts.map +1 -1
package/dist/utils/freemail-domains.d.ts +13 -0
package/dist/utils/freemail-domains.d.ts.map +1 -0
package/package.json +2 -1

package/dist/index.d.mts CHANGED Viewed

@@ -842,13 +842,85 @@ interface PermissionConstraints {
      */
     targets?: TargetConstraint[];
 }
+/**
+ * Inline policy mode — full Cedar policy embedded in the VC.
+ *
+ * Used for sub-agent re-delegation where the verifier cannot reach the
+ * Policy Registry over the network. The inline policy is authoritative;
+ * `policy_hash` is a sanity check for tamper-evidence.
+ *
+ * Spec refs:
+ * - docs/specs/2026-05-23-cedar-rar-permission-redesign.md §3.2
+ */
+interface PolicyRefInline {
+    mode: 'inline';
+    /** Full Cedar policy source (PolicySet text, UTF-8). */
+    policy_inline: string;
+    /** sha256 of `policy_inline` (hex), prefixed `sha256-` for tamper-evidence. */
+    policy_hash: string;
+    /**
+     * Cedar schema fragment id. **Phase 1 unused** (Cedar wasm schema-less
+     * evaluation, Implementation plan §1.1). **Phase 2+ で per-policy schema
+     * 切替時に inline モードでは REQUIRED 化** (reference モードは Registry
+     * resolve で取得できるため optional のまま).
+     */
+    schema_id?: string;
+}
+/**
+ * Reference policy mode — policy lives in the Policy Registry.
+ *
+ * The verifier fetches `policy_uri` (must match the issuer's
+ * `/.well-known/policy-registry/:policy_id`), validates `policy_hash`,
+ * and evaluates the fetched Cedar policy.
+ *
+ * Spec refs:
+ * - docs/specs/2026-05-23-cedar-rar-permission-redesign.md §3.2
+ */
+interface PolicyRefReference {
+    mode: 'reference';
+    /** Policy Registry id. Format: `pol_<project_id>_<uuidv7>`. */
+    policy_id: string;
+    /** Absolute URL to `/.well-known/policy-registry/:policy_id`. */
+    policy_uri: string;
+    /** sha256 of the served Cedar policy text (hex), prefixed `sha256-`. */
+    policy_hash: string;
+    /**
+     * Cedar schema fragment id. Phase 1 unused (Registry resolve で取得可能、
+     * schema-less evaluation を使う簡易構成)。Phase 2+ で per-policy schema を
+     * 導入したときも reference モードは引き続き OPTIONAL — VC payload に
+     * 同梱せず Registry 側で resolve する方針。
+     */
+    schema_id?: string;
+}
+/**
+ * Tagged union of policy reference shapes. Discriminator: `mode`.
+ *
+ * Use {@link isPolicyRefInline} / {@link isPolicyRefReference} for runtime
+ * narrowing.
+ */
+type PolicyRef = PolicyRefInline | PolicyRefReference;
+/** Type guard for {@link PolicyRefInline}. */
+declare function isPolicyRefInline(ref: PolicyRef): ref is PolicyRefInline;
+/** Type guard for {@link PolicyRefReference}. */
+declare function isPolicyRefReference(ref: PolicyRef): ref is PolicyRefReference;
 /**
  * Permission Rule - the atomic unit of authorization.
  *
  * Each rule grants specific actions on specific resources for a specific provider.
  * Rules are evaluated independently during policy evaluation.
  *
- * OPA mapping:
+ * Phase 1 (Cedar + RAR redesign) extensions:
+ * - `effect` widened from `'allow'` only to the 3-valued
+ *   `'allow' | 'deny' | 'require_approval'` (spec §5).
+ *   Existing call-sites that only used `'allow'` remain source-compatible.
+ * - `priority` field added (optional, used for deterministic ordering when
+ *   multiple rules match the same request).
+ * - `policy_ref` field added (optional in Phase 1 for backward-compat
+ *   during migration; Phase 2+ will bump the schema to v3.1 and make it
+ *   required — see spec §3.1 reconciliation note).
+ *
+ * OPA mapping (legacy `'allow'`-only path, still used while
+ * `CEDAR_POLICY_ENABLED != enforce`):
  * ```rego
  * allow {
  *   some rule in input.credentials.delegates
@@ -864,8 +936,19 @@ interface PermissionConstraints {
 interface PermissionRule {
     /** Rule identifier (for audit trail and matched_rule_id) */
     id?: string;
-    /** Effect: 'allow' only in MVP. Future: 'deny' for deny-override patterns. */
-    effect: 'allow';
+    /**
+     * Effect. Phase 1 widens this beyond legacy `'allow'`-only:
+     * - `'allow'`            — permit the action (legacy default).
+     * - `'deny'`             — explicit deny (override precedence over allow).
+     * - `'require_approval'` — pause and request human approval.
+     */
+    effect: 'allow' | 'deny' | 'require_approval';
+    /**
+     * Optional priority for deterministic ordering when multiple rules match.
+     * Higher priority wins. Phase 1 evaluator behaviour is unchanged when
+     * `priority` is absent.
+     */
+    priority?: number;
     /** Service provider */
     provider: Provider | string;
     /** Target resource */
@@ -874,20 +957,43 @@ interface PermissionRule {
     actions: string[];
     /** Rule-level constraints */
     constraints?: PermissionConstraints;
+    /**
+     * Cedar policy binding (Phase 1).
+     *
+     * When present, the policy engine evaluates this delegate via the
+     * referenced / inlined Cedar policy in addition to the static constraint
+     * check. Optional in Phase 1 for backward-compat during migration; Phase
+     * 2+ will bump the schema to v3.1 and make it required.
+     */
+    policy_ref?: PolicyRef;
+    /**
+     * Cedar policy bindings (複数) — 1 つの委任スコープに複数の policy が AND/OR
+     * で適用されるケース (例: calendarDomain 宛先制約 + timeWindow forbid)。
+     * 後方互換のため単数 `policy_ref` は維持し、発行時は `policy_refs[0]` を
+     * ミラーする。読み手は policy_refs を優先し、無ければ policy_ref を単要素配列に
+     * 正規化する。Cedar 評価では全 ref を 1 つの PolicySet に集約 (permit=OR,
+     * forbid=override で AND)。
+     */
+    policy_refs?: PolicyRef[];
 }
 /**
- * Permission VC Claims - the canonical credential claims format.
+ * Permission VC Claims v2 — the pre-Cedar canonical credential claims format.
  *
  * This is what gets signed into the SD-JWT VC. All VC issuance paths
  * (VCService, RemoteVCIssuerService, PermissionVCManager) MUST produce
- * claims conforming to this interface.
+ * claims conforming to either this interface or {@link PermissionVcClaims_V3}.
  *
  * The Grant → VC normalization layer converts:
  * - GrantResource[] + actions[] → PermissionRule[]
  * - GrantConstraints → PermissionConstraints (per-rule)
  * - Grant metadata → top-level claims fields
+ *
+ * @remarks Phase 1 Step 2 renamed the original `PermissionVcClaims` to
+ * `PermissionVcClaims_V2`. The exported alias {@link PermissionVcClaims}
+ * is now a union of V2 + {@link PermissionVcClaims_V3}, preserving
+ * existing import sites (they will accept both shapes).
  */
-interface PermissionVcClaims {
+interface PermissionVcClaims_V2 {
     /** Schema version */
     v: '2';
     /** Credential type discriminator */
@@ -930,6 +1036,86 @@ interface PermissionVcClaims {
     /** Delegated permission rules (the core authorization data) */
     delegates: PermissionRule[];
 }
+/**
+ * Permission VC Claims v3 — Cedar + RAR Phase 1 schema.
+ *
+ * Inherits all V2 fields and adds two Phase-1-aware extensions:
+ * - `cedar_schema_ref?` — pointer to the Cedar schema fragment the
+ *   delegates were authored against. **Phase 1 unused** (the SDK ships a
+ *   single global schema fragment generated by connector-plugin codegen,
+ *   per Implementation plan §1.1). Reserved for Phase 2+ per-policy schema
+ *   switching.
+ * - `layer?` — chain hierarchy layer. **Phase 2+ only**; Phase 1 issuance
+ *   pins this to `'agent_permission'` via {@link buildPhase1VcClaims}.
+ *   Direct assignment is discouraged (ESLint rule planned in Step 5).
+ *
+ * Spec refs:
+ * - docs/specs/2026-05-23-cedar-rar-permission-redesign.md §3.1
+ * - docs/specs/2026-05-23-cedar-rar-implementation-plan-phase1.md Task 2.1 / 2.5
+ */
+/**
+ * Bug B 真因修正 (β, 2026-05-28) — VC=mandate semantic を invoke 時 Cedar も
+ * 信じるため、approval の事実 (誰がいつ何を approve したか) を VC に焼き込む
+ * signed self-attestation。SD-protected (`_sd` 経由 disclosure)、SD-JWT 署名で
+ * 改竄不可。invoke 時 Cedar context.approval の最優先 source として採用。
+ *
+ * Forward compat: A2A AP2 Mandate (IntentMandate / CartMandate / PaymentMandate)
+ * との projection は Phase 2 spec で別途定義。本 field 名は内部
+ * ApprovalContext (snake_case) と一貫。
+ *
+ * Spec ref: docs/superpowers/plans/2026-05-28-bug-b-fix-beta-vc-embed-approval.md
+ */
+interface VcApprovalClaim {
+    /** `req_<uuid>` — 元 approval-request id (claimVC 元 request の id)。 */
+    request_id: string;
+    /** `outcome_<uuid>` — APPROVAL_OUTCOME audit event id (§11.1 join key)。 */
+    outcome_id: string;
+    /** approver の user id、または 'system' (auto-approve 経路)。最大 128 chars。 */
+    granted_by: string;
+    /** ISO-8601 timestamp of the approval action. */
+    granted_at: string;
+}
+interface PermissionVcClaims_V3 extends Omit<PermissionVcClaims_V2, 'v'> {
+    /** Schema version — v3 adds Cedar policy_ref support and chain hierarchy fields. */
+    v: '3';
+    /**
+     * Cedar schema fragment reference (Phase 2+ per-policy schema switching).
+     * Phase 1: unused; SDK uses connector-plugin codegen global schema.
+     */
+    cedar_schema_ref?: {
+        /** e.g. `cedar_schema_2026_05_23_v1`. */
+        schema_id: string;
+        /** sha256 of the schema fragment (hex). */
+        schema_hash: string;
+    };
+    /**
+     * 4-layer chain (Org Policy → User Grant → Agent Permission → Sub-Agent Delegation).
+     * Phase 1 では `buildPhase1VcClaims()` factory 経由で `'agent_permission'` が固定セットされる。
+     * Phase 2+ では本フィールドを **required** に格上げする予定 (V3.1 schema)。
+     * 直接代入は禁止 (Phase 1 では factory を使うこと、Phase 2+ では ESLint rule で強制)。
+     * 詳細: design spec §3.1, §6.1 / Phase 1 plan Task 2.5。
+     */
+    layer?: 'org_policy' | 'user_grant' | 'agent_permission' | 'sub_agent_delegation';
+    /**
+     * Bug B 真因修正 (β, 2026-05-28) — approval メタを VC に焼き込む。
+     * VC=mandate なので「この VC が発行されたこと自体が approve の証拠」だが、
+     * invoke 時 Cedar に `context.approval.granted == true` を渡せるよう
+     * back-ref を明示。本 field 不在 = base path (legacy 互換、Cedar は token-
+     * ledger 経由 fallback)。{@link VcApprovalClaim} 参照。
+     */
+    approval?: VcApprovalClaim;
+}
+/**
+ * Permission VC Claims (canonical union of v2 + v3).
+ *
+ * All existing import sites referencing `PermissionVcClaims` continue to
+ * compile because:
+ * - Code that only produced V2 still produces a value assignable to the
+ *   union.
+ * - Code that consumes the union can narrow on `claims.v === '3'` to
+ *   access V3-only fields.
+ */
+type PermissionVcClaims = PermissionVcClaims_V2 | PermissionVcClaims_V3;
 /**
  * Build synchronized grant_id / grant_ids fields for PermissionVcClaims.
  * Guarantees grant_id === grant_ids[0].
@@ -1088,6 +1274,59 @@ declare function parseGrantAction(grantAction: string): {
     provider: string;
     action: string;
 };
+/**
+ * The single layer value Phase 1 VC issuance is allowed to emit.
+ *
+ * companion design spec §3.1 defines a 4-layer enum
+ * (`'org_policy' | 'user_grant' | 'agent_permission' | 'sub_agent_delegation'`),
+ * but Phase 1 only issues at the `agent_permission` layer. The other 3
+ * layers unlock in Phase 2+.
+ *
+ * Spec refs:
+ * - docs/specs/2026-05-23-cedar-rar-implementation-plan-phase1.md Task 2.5 (rev 5)
+ * - docs/specs/2026-05-23-cedar-rar-permission-redesign.md §3.1 Phase 1 layer 固定 note
+ */
+declare const PHASE_1_VC_LAYER: "agent_permission";
+/** Literal type of {@link PHASE_1_VC_LAYER}. */
+type Phase1VcLayer = typeof PHASE_1_VC_LAYER;
+/**
+ * Build a {@link PermissionVcClaims_V3} object with `layer` pinned to
+ * {@link PHASE_1_VC_LAYER} (`'agent_permission'`).
+ *
+ * **This factory is mandatory for Phase 1 VC issuance.** Direct assignment
+ * of `layer` on a V3 claims literal is discouraged and will be guarded by
+ * an ESLint rule once Step 5 wires usage in
+ * `packages/api/src/grant/services/remote-vc-issuer.service.ts`. Phase 2+
+ * will relax or delete this factory when the other 3 layers unlock.
+ *
+ * The input `base` type explicitly omits `layer` so passing it is a
+ * compile-time error — guaranteeing call-sites cannot accidentally
+ * smuggle a non-Phase-1 layer value through.
+ *
+ * @example
+ * ```ts
+ * import { buildPhase1VcClaims } from '@vess-id/ai-identity'
+ *
+ * const claims = buildPhase1VcClaims({
+ *   v: '3',
+ *   type: 'PermissionCredential',
+ *   iss: userDid,
+ *   sub: agentDid,
+ *   iat: now,
+ *   exp: now + 3600,
+ *   jti,
+ *   project_id,
+ *   grant_ids,
+ *   grant_id,
+ *   session_id,
+ *   delegates,
+ * })
+ * // claims.layer is type-narrowed to 'agent_permission'
+ * ```
+ */
+declare function buildPhase1VcClaims(base: Omit<PermissionVcClaims_V3, 'layer'>): PermissionVcClaims_V3 & {
+    layer: Phase1VcLayer;
+};
 /**
  * Grant（許可）関連の型定義
@@ -1345,6 +1584,27 @@ interface GrantConstraints {
     targets?: TargetConstraint[];
     /** 自動承認設定 */
     autoApprove?: AutoApproveConfig;
+    /**
+     * Cedar 一元化 Step 4 — data-in-policy 許可パターン (Cedar `like` wildcard).
+     *
+     * 例: `["*@vess.id", "*@vesslabs.ai"]` → 各 recipient.address に対し
+     * `like "*@vess.id" || like "*@vesslabs.ai"` の Cedar permit rule が emit される.
+     *
+     * Spec: docs/specs/2026-05-24-cedar-unification-design.md §4.1 / §13 Step 4
+     *
+     * Phase 1 では primarily Gmail recipient address のために使う (recipient.address).
+     * Phase 2+ で per-target-binding な格納先 (channel.id 等) に拡張する.
+     */
+    allow_patterns?: string[];
+    /**
+     * Cedar 一元化 Step 4 — data-in-policy 拒否パターン (Cedar `like` wildcard).
+     *
+     * 例: `["*@competitor.com"]` → 該当 recipient で Cedar `forbid` rule が emit される.
+     * Cedar forbid-overrides-permit semantics により approval があっても denied.
+     *
+     * Spec: docs/specs/2026-05-24-cedar-unification-design.md §4.1 / §4.2 / §13 Step 4
+     */
+    deny_patterns?: string[];
 }
 /**
  * Grant作成リクエスト
@@ -1523,6 +1783,54 @@ declare function grantConstraintsToPermissionConstraints(constraints: GrantConst
  * ```
  */
 declare function grantToPermissionRules(resources: GrantResource[], actions: string[], constraints: GrantConstraints, grantId?: string): PermissionRule[];
+/**
+ * ApprovalContext — Cedar 一元化 Step 3.5.
+ *
+ * Spec refs:
+ *   - docs/specs/2026-05-24-cedar-unification-design.md §6 (approvalContext
+ *     DTO + token ledger)
+ *   - docs/specs/2026-05-24-cedar-unification-design.md §7.2 (Cedar
+ *     context.approval shape)
+ *   - docs/specs/2026-05-24-cedar-unification-design.md §11.1
+ *     (`via_approval` event lifecycle)
+ *
+ * Carried in the body of the VC issuance API on the **retry path** (i.e.
+ * after a user clicked 承認 in the approval UI). The server consumes the
+ * single-use `token` against the approval-token ledger atomically and then
+ * injects `{ granted: true, request_id, outcome_id }` into the Cedar
+ * `context.approval` so a policy that previously returned `auth_required`
+ * now returns `permit`.
+ *
+ * Identifier formats (canonical, enforced upstream):
+ *   - `request_id`  : `'req_' + uuid`
+ *   - `outcome_id`  : `'outcome_' + uuid`
+ *   - `token`       : `'tok_' + uuid`
+ *   - `granted_at`  : ISO-8601 timestamp
+ *   - `granted_by`  : user id, or the literal `'system'` for auto-approve
+ *
+ * Replay protection invariant (spec §6):
+ *   The `token` is **single-use**. Once consumed by the ledger, a second
+ *   submission MUST be rejected as `denied_by_user` (ephemeral — does not
+ *   poison subsequent fresh requests; §5.1 OpenQ-D1 resolution).
+ */
+interface ApprovalContext {
+    /** `req_<uuid>` — the approval-request id embedded in the initial
+     *  `auth_required` audit event. Used to reverse-link the outcome to the
+     *  triggering invocation. */
+    request_id: string;
+    /** `outcome_<uuid>` — the approval_outcome event id (Step 6 surfaces this
+     *  as a first-class row, Step 3.5 only carries it through the ledger). */
+    outcome_id: string;
+    /** `tok_<uuid>` — single-use token. Consumed atomically. */
+    token: string;
+    /** True for 承認, false for 拒否. Step 3.5 only honors `true` (the `false`
+     *  path is handled by emitting `denied_by_user` directly in the UI). */
+    granted: boolean;
+    /** ISO-8601 timestamp of the approval action. */
+    granted_at: string;
+    /** user id or `'system'` for auto-approve. */
+    granted_by: string;
+}
 /**
  * Receipt（証跡）関連の型定義
@@ -2212,6 +2520,63 @@ interface JiraIssue {
         };
     };
 }
+/**
+ * Jira 課題リンク種別 (issueLinkType)
+ *
+ * 例: Blocks (inward: "is blocked by", outward: "blocks"),
+ *     Relates (inward/outward: "relates to"),
+ *     Cloners (inward: "is cloned by", outward: "clones")
+ *
+ * Jira REST API v3: GET /rest/api/3/issueLinkType で取得される。
+ */
+interface JiraIssueLinkType {
+    /** リンク種別の内部 ID */
+    id: string;
+    /** リンク種別の名前 (例: "Blocks") */
+    name: string;
+    /** リンク先 → 自分 方向の表示文字列 (例: "is blocked by") */
+    inward: string;
+    /** 自分 → リンク先 方向の表示文字列 (例: "blocks") */
+    outward: string;
+    /** REST API self URL */
+    self?: string;
+}
+/**
+ * Jira 課題間リンク (issueLink)
+ *
+ * Jira REST API v3 の課題 read で `fields.issuelinks[]` として返る形式に対応。
+ * delete 時はこの `id` を渡す。
+ */
+interface JiraIssueLink {
+    /** リンクの内部 ID (delete 時に必要) */
+    id: string;
+    /** リンク種別 */
+    type: JiraIssueLinkType;
+    /** inward 方向のリンク先 (自分が「is blocked by other」のとき、other がここに入る) */
+    inwardIssue?: {
+        id: string;
+        key: string;
+        self?: string;
+        fields?: {
+            summary?: string;
+            status?: JiraStatus;
+            issuetype?: JiraIssueType;
+        };
+    };
+    /** outward 方向のリンク先 (自分が「blocks other」のとき、other がここに入る) */
+    outwardIssue?: {
+        id: string;
+        key: string;
+        self?: string;
+        fields?: {
+            summary?: string;
+            status?: JiraStatus;
+            issuetype?: JiraIssueType;
+        };
+    };
+    /** REST API self URL */
+    self?: string;
+}
 /**
  * JIRA作業ログ
  */
@@ -2724,6 +3089,66 @@ interface ConfirmGrantSuggestionRequest {
  */
 declare const DEFAULT_CONSTRAINTS_BY_RISK: Record<SuggestionRiskLevel, SuggestedConstraints>;
+/**
+ * Cedar-specific schema / policy / decision wire types.
+ *
+ * Phase 1 Step 2: Type-only declarations. The actual Cedar engine wrapper
+ * lives in Step 1's lane (`packages/sdk/src/policy/cedar-engine.ts` — not
+ * touched here). This module exposes the opaque handle types that other
+ * services (PEP, decision audit, policy registry) use to communicate
+ * *about* Cedar without depending on cedar-wasm internals.
+ *
+ * Spec refs:
+ * - docs/specs/2026-05-23-cedar-rar-implementation-plan-phase1.md Task 2.2
+ * - docs/specs/2026-05-23-cedar-rar-permission-redesign.md §3.3 (Cedar schema)
+ */
+/**
+ * Cedar schema (entity types + actions + context shapes).
+ *
+ * Opaque to AIdentity at the type level — the concrete JSON shape follows
+ * the Cedar spec and is produced by `connector-plugin` codegen. Treat
+ * instances as black-box payloads that round-trip through the Cedar engine.
+ */
+interface CedarSchema {
+}
+/**
+ * Opaque handle returned by the Cedar engine after parsing / compiling a
+ * PolicySet. Implementations may store wasm pointers, validation state, etc.
+ * Consumers MUST NOT introspect the shape.
+ */
+interface CedarPolicySetHandle {
+}
+/**
+ * Opaque handle returned by the Cedar engine after parsing / compiling a
+ * Schema. See {@link CedarPolicySetHandle} for usage notes.
+ */
+interface CedarSchemaHandle {
+}
+/**
+ * 3-valued decision returned by the AIdentity Decision Service after the
+ * 2-phase Cedar evaluation.
+ *
+ * Mapping:
+ * - `Permit`           → Cedar Permit && no constraints failed
+ * - `Forbid`           → Cedar Forbid OR no matching permit
+ * - `RequireApproval`  → AIdentity-specific intermediate state (e.g.,
+ *                        high-risk action that needs human approval).
+ *                        Cedar itself only emits Permit / Forbid; the
+ *                        decision service derives `RequireApproval` from
+ *                        annotated policies or constraint-level escalation.
+ */
+type CedarDecisionValue = 'Permit' | 'Forbid' | 'RequireApproval';
+/**
+ * Diagnostic information accompanying a Cedar decision. Surfaced to audit
+ * logs and (in shadow mode) to legacy/Cedar parity checks.
+ */
+interface CedarDecisionDiagnostic {
+    /** IDs of the Cedar policies that matched the request (in evaluation order). */
+    matched_policy_ids: string[];
+    /** Cedar diagnostics passthrough (parse / validation errors, if any). */
+    errors: string[];
+}
 type UserTier = 'free' | 'pro' | 'team';
 interface TierLimits {
     maxProjects: number;
@@ -3920,7 +4345,7 @@ interface ActionMeta {
     input_schema?: JsonSchema;
     constraints?: Record<string, unknown>;
     effects?: string[];
-    risk?: RiskLevel;
+    risk: RiskLevel;
     target_bindings?: TargetBindings;
     version: string;
 }
@@ -4276,6 +4701,11 @@ declare const ACTION_REGISTRY: {
                 priority?: undefined;
                 assigneeAccountId?: undefined;
                 transitionId?: undefined;
+                typeName?: undefined;
+                inwardIssueKey?: undefined;
+                outwardIssueKey?: undefined;
+                commentBody?: undefined;
+                linkId?: undefined;
                 file_path?: undefined;
                 content?: undefined;
                 command?: undefined;
@@ -4372,6 +4802,11 @@ declare const ACTION_REGISTRY: {
                 priority?: undefined;
                 assigneeAccountId?: undefined;
                 transitionId?: undefined;
+                typeName?: undefined;
+                inwardIssueKey?: undefined;
+                outwardIssueKey?: undefined;
+                commentBody?: undefined;
+                linkId?: undefined;
                 file_path?: undefined;
                 content?: undefined;
                 command?: undefined;
@@ -4471,6 +4906,11 @@ declare const ACTION_REGISTRY: {
                 priority?: undefined;
                 assigneeAccountId?: undefined;
                 transitionId?: undefined;
+                typeName?: undefined;
+                inwardIssueKey?: undefined;
+                outwardIssueKey?: undefined;
+                commentBody?: undefined;
+                linkId?: undefined;
                 file_path?: undefined;
                 content?: undefined;
                 command?: undefined;
@@ -4580,6 +5020,11 @@ declare const ACTION_REGISTRY: {
                 priority?: undefined;
                 assigneeAccountId?: undefined;
                 transitionId?: undefined;
+                typeName?: undefined;
+                inwardIssueKey?: undefined;
+                outwardIssueKey?: undefined;
+                commentBody?: undefined;
+                linkId?: undefined;
                 file_path?: undefined;
                 content?: undefined;
                 command?: undefined;
@@ -4686,6 +5131,11 @@ declare const ACTION_REGISTRY: {
                 priority?: undefined;
                 assigneeAccountId?: undefined;
                 transitionId?: undefined;
+                typeName?: undefined;
+                inwardIssueKey?: undefined;
+                outwardIssueKey?: undefined;
+                commentBody?: undefined;
+                linkId?: undefined;
                 file_path?: undefined;
                 content?: undefined;
                 command?: undefined;
@@ -4789,6 +5239,11 @@ declare const ACTION_REGISTRY: {
                 priority?: undefined;
                 assigneeAccountId?: undefined;
                 transitionId?: undefined;
+                typeName?: undefined;
+                inwardIssueKey?: undefined;
+                outwardIssueKey?: undefined;
+                commentBody?: undefined;
+                linkId?: undefined;
                 file_path?: undefined;
                 content?: undefined;
                 command?: undefined;
@@ -4895,6 +5350,11 @@ declare const ACTION_REGISTRY: {
                 priority?: undefined;
                 assigneeAccountId?: undefined;
                 transitionId?: undefined;
+                typeName?: undefined;
+                inwardIssueKey?: undefined;
+                outwardIssueKey?: undefined;
+                commentBody?: undefined;
+                linkId?: undefined;
                 file_path?: undefined;
                 content?: undefined;
                 command?: undefined;
@@ -4997,6 +5457,11 @@ declare const ACTION_REGISTRY: {
                 priority?: undefined;
                 assigneeAccountId?: undefined;
                 transitionId?: undefined;
+                typeName?: undefined;
+                inwardIssueKey?: undefined;
+                outwardIssueKey?: undefined;
+                commentBody?: undefined;
+                linkId?: undefined;
                 file_path?: undefined;
                 content?: undefined;
                 command?: undefined;
@@ -5109,6 +5574,11 @@ declare const ACTION_REGISTRY: {
                 priority?: undefined;
                 assigneeAccountId?: undefined;
                 transitionId?: undefined;
+                typeName?: undefined;
+                inwardIssueKey?: undefined;
+                outwardIssueKey?: undefined;
+                commentBody?: undefined;
+                linkId?: undefined;
                 file_path?: undefined;
                 content?: undefined;
                 command?: undefined;
@@ -5224,6 +5694,11 @@ declare const ACTION_REGISTRY: {
                 priority?: undefined;
                 assigneeAccountId?: undefined;
                 transitionId?: undefined;
+                typeName?: undefined;
+                inwardIssueKey?: undefined;
+                outwardIssueKey?: undefined;
+                commentBody?: undefined;
+                linkId?: undefined;
                 file_path?: undefined;
                 content?: undefined;
                 command?: undefined;
@@ -5323,6 +5798,11 @@ declare const ACTION_REGISTRY: {
                 priority?: undefined;
                 assigneeAccountId?: undefined;
                 transitionId?: undefined;
+                typeName?: undefined;
+                inwardIssueKey?: undefined;
+                outwardIssueKey?: undefined;
+                commentBody?: undefined;
+                linkId?: undefined;
                 file_path?: undefined;
                 content?: undefined;
                 command?: undefined;
@@ -5441,6 +5921,11 @@ declare const ACTION_REGISTRY: {
                 priority?: undefined;
                 assigneeAccountId?: undefined;
                 transitionId?: undefined;
+                typeName?: undefined;
+                inwardIssueKey?: undefined;
+                outwardIssueKey?: undefined;
+                commentBody?: undefined;
+                linkId?: undefined;
                 file_path?: undefined;
                 content?: undefined;
                 command?: undefined;
@@ -5545,6 +6030,11 @@ declare const ACTION_REGISTRY: {
                 priority?: undefined;
                 assigneeAccountId?: undefined;
                 transitionId?: undefined;
+                typeName?: undefined;
+                inwardIssueKey?: undefined;
+                outwardIssueKey?: undefined;
+                commentBody?: undefined;
+                linkId?: undefined;
                 file_path?: undefined;
                 content?: undefined;
                 command?: undefined;
@@ -5644,6 +6134,11 @@ declare const ACTION_REGISTRY: {
                 priority?: undefined;
                 assigneeAccountId?: undefined;
                 transitionId?: undefined;
+                typeName?: undefined;
+                inwardIssueKey?: undefined;
+                outwardIssueKey?: undefined;
+                commentBody?: undefined;
+                linkId?: undefined;
                 file_path?: undefined;
                 content?: undefined;
                 command?: undefined;
@@ -5759,6 +6254,11 @@ declare const ACTION_REGISTRY: {
                 priority?: undefined;
                 assigneeAccountId?: undefined;
                 transitionId?: undefined;
+                typeName?: undefined;
+                inwardIssueKey?: undefined;
+                outwardIssueKey?: undefined;
+                commentBody?: undefined;
+                linkId?: undefined;
                 file_path?: undefined;
                 content?: undefined;
                 command?: undefined;
@@ -5870,6 +6370,11 @@ declare const ACTION_REGISTRY: {
                 priority?: undefined;
                 assigneeAccountId?: undefined;
                 transitionId?: undefined;
+                typeName?: undefined;
+                inwardIssueKey?: undefined;
+                outwardIssueKey?: undefined;
+                commentBody?: undefined;
+                linkId?: undefined;
                 file_path?: undefined;
                 content?: undefined;
                 command?: undefined;
@@ -5980,6 +6485,11 @@ declare const ACTION_REGISTRY: {
                 priority?: undefined;
                 assigneeAccountId?: undefined;
                 transitionId?: undefined;
+                typeName?: undefined;
+                inwardIssueKey?: undefined;
+                outwardIssueKey?: undefined;
+                commentBody?: undefined;
+                linkId?: undefined;
                 file_path?: undefined;
                 content?: undefined;
                 command?: undefined;
@@ -6083,6 +6593,11 @@ declare const ACTION_REGISTRY: {
                 priority?: undefined;
                 assigneeAccountId?: undefined;
                 transitionId?: undefined;
+                typeName?: undefined;
+                inwardIssueKey?: undefined;
+                outwardIssueKey?: undefined;
+                commentBody?: undefined;
+                linkId?: undefined;
                 file_path?: undefined;
                 content?: undefined;
                 command?: undefined;
@@ -6237,6 +6752,11 @@ declare const ACTION_REGISTRY: {
                 priority?: undefined;
                 assigneeAccountId?: undefined;
                 transitionId?: undefined;
+                typeName?: undefined;
+                inwardIssueKey?: undefined;
+                outwardIssueKey?: undefined;
+                commentBody?: undefined;
+                linkId?: undefined;
                 file_path?: undefined;
                 content?: undefined;
                 command?: undefined;
@@ -6402,6 +6922,11 @@ declare const ACTION_REGISTRY: {
                 priority?: undefined;
                 assigneeAccountId?: undefined;
                 transitionId?: undefined;
+                typeName?: undefined;
+                inwardIssueKey?: undefined;
+                outwardIssueKey?: undefined;
+                commentBody?: undefined;
+                linkId?: undefined;
                 file_path?: undefined;
                 content?: undefined;
                 command?: undefined;
@@ -6512,6 +7037,11 @@ declare const ACTION_REGISTRY: {
                 priority?: undefined;
                 assigneeAccountId?: undefined;
                 transitionId?: undefined;
+                typeName?: undefined;
+                inwardIssueKey?: undefined;
+                outwardIssueKey?: undefined;
+                commentBody?: undefined;
+                linkId?: undefined;
                 file_path?: undefined;
                 content?: undefined;
                 command?: undefined;
@@ -6610,6 +7140,11 @@ declare const ACTION_REGISTRY: {
                 priority?: undefined;
                 assigneeAccountId?: undefined;
                 transitionId?: undefined;
+                typeName?: undefined;
+                inwardIssueKey?: undefined;
+                outwardIssueKey?: undefined;
+                commentBody?: undefined;
+                linkId?: undefined;
                 file_path?: undefined;
                 content?: undefined;
                 command?: undefined;
@@ -6710,6 +7245,11 @@ declare const ACTION_REGISTRY: {
                 priority?: undefined;
                 assigneeAccountId?: undefined;
                 transitionId?: undefined;
+                typeName?: undefined;
+                inwardIssueKey?: undefined;
+                outwardIssueKey?: undefined;
+                commentBody?: undefined;
+                linkId?: undefined;
                 file_path?: undefined;
                 content?: undefined;
                 command?: undefined;
@@ -6812,6 +7352,11 @@ declare const ACTION_REGISTRY: {
                 priority?: undefined;
                 assigneeAccountId?: undefined;
                 transitionId?: undefined;
+                typeName?: undefined;
+                inwardIssueKey?: undefined;
+                outwardIssueKey?: undefined;
+                commentBody?: undefined;
+                linkId?: undefined;
                 file_path?: undefined;
                 content?: undefined;
                 command?: undefined;
@@ -6916,6 +7461,11 @@ declare const ACTION_REGISTRY: {
                 priority?: undefined;
                 assigneeAccountId?: undefined;
                 transitionId?: undefined;
+                typeName?: undefined;
+                inwardIssueKey?: undefined;
+                outwardIssueKey?: undefined;
+                commentBody?: undefined;
+                linkId?: undefined;
                 file_path?: undefined;
                 content?: undefined;
                 command?: undefined;
@@ -7023,6 +7573,11 @@ declare const ACTION_REGISTRY: {
                 priority?: undefined;
                 assigneeAccountId?: undefined;
                 transitionId?: undefined;
+                typeName?: undefined;
+                inwardIssueKey?: undefined;
+                outwardIssueKey?: undefined;
+                commentBody?: undefined;
+                linkId?: undefined;
                 file_path?: undefined;
                 content?: undefined;
                 command?: undefined;
@@ -7122,6 +7677,11 @@ declare const ACTION_REGISTRY: {
                 priority?: undefined;
                 assigneeAccountId?: undefined;
                 transitionId?: undefined;
+                typeName?: undefined;
+                inwardIssueKey?: undefined;
+                outwardIssueKey?: undefined;
+                commentBody?: undefined;
+                linkId?: undefined;
                 file_path?: undefined;
                 content?: undefined;
                 command?: undefined;
@@ -7241,6 +7801,11 @@ declare const ACTION_REGISTRY: {
                 startAt?: undefined;
                 issueIdOrKey?: undefined;
                 transitionId?: undefined;
+                typeName?: undefined;
+                inwardIssueKey?: undefined;
+                outwardIssueKey?: undefined;
+                commentBody?: undefined;
+                linkId?: undefined;
                 file_path?: undefined;
                 content?: undefined;
                 command?: undefined;
@@ -7356,6 +7921,11 @@ declare const ACTION_REGISTRY: {
                 projectKey?: undefined;
                 issueTypeName?: undefined;
                 transitionId?: undefined;
+                typeName?: undefined;
+                inwardIssueKey?: undefined;
+                outwardIssueKey?: undefined;
+                commentBody?: undefined;
+                linkId?: undefined;
                 file_path?: undefined;
                 content?: undefined;
                 command?: undefined;
@@ -7455,6 +8025,11 @@ declare const ACTION_REGISTRY: {
                 priority?: undefined;
                 assigneeAccountId?: undefined;
                 transitionId?: undefined;
+                typeName?: undefined;
+                inwardIssueKey?: undefined;
+                outwardIssueKey?: undefined;
+                commentBody?: undefined;
+                linkId?: undefined;
                 file_path?: undefined;
                 content?: undefined;
                 command?: undefined;
@@ -7557,6 +8132,11 @@ declare const ACTION_REGISTRY: {
                 priority?: undefined;
                 assigneeAccountId?: undefined;
                 transitionId?: undefined;
+                typeName?: undefined;
+                inwardIssueKey?: undefined;
+                outwardIssueKey?: undefined;
+                commentBody?: undefined;
+                linkId?: undefined;
                 file_path?: undefined;
                 content?: undefined;
                 command?: undefined;
@@ -7659,6 +8239,11 @@ declare const ACTION_REGISTRY: {
                 issueTypeName?: undefined;
                 priority?: undefined;
                 assigneeAccountId?: undefined;
+                typeName?: undefined;
+                inwardIssueKey?: undefined;
+                outwardIssueKey?: undefined;
+                commentBody?: undefined;
+                linkId?: undefined;
                 file_path?: undefined;
                 content?: undefined;
                 command?: undefined;
@@ -7766,6 +8351,11 @@ declare const ACTION_REGISTRY: {
                 priority?: undefined;
                 assigneeAccountId?: undefined;
                 transitionId?: undefined;
+                typeName?: undefined;
+                inwardIssueKey?: undefined;
+                outwardIssueKey?: undefined;
+                commentBody?: undefined;
+                linkId?: undefined;
                 file_path?: undefined;
                 content?: undefined;
                 command?: undefined;
@@ -7796,6 +8386,224 @@ declare const ACTION_REGISTRY: {
             secondary?: undefined;
         };
         version: string;
+    } | {
+        action: string;
+        resource_type: string;
+        required_relations: string[];
+        required_scopes: string[];
+        capability: string;
+        input_schema: {
+            type: string;
+            properties: {
+                typeName: {
+                    type: string;
+                    minLength: number;
+                    description: string;
+                };
+                inwardIssueKey: {
+                    type: string;
+                    minLength: number;
+                };
+                outwardIssueKey: {
+                    type: string;
+                    minLength: number;
+                };
+                commentBody: {
+                    type: string;
+                };
+                channel?: undefined;
+                text?: undefined;
+                thread_ts?: undefined;
+                username?: undefined;
+                icon_emoji?: undefined;
+                blocks?: undefined;
+                userId?: undefined;
+                latest?: undefined;
+                oldest?: undefined;
+                limit?: undefined;
+                inclusive?: undefined;
+                cursor?: undefined;
+                ts?: undefined;
+                title?: undefined;
+                body?: undefined;
+                labels?: undefined;
+                assignees?: undefined;
+                state?: undefined;
+                sort?: undefined;
+                direction?: undefined;
+                per_page?: undefined;
+                page?: undefined;
+                issue_number?: undefined;
+                query?: undefined;
+                maxResults?: undefined;
+                messageId?: undefined;
+                to?: undefined;
+                subject?: undefined;
+                cc?: undefined;
+                bcc?: undefined;
+                threadId?: undefined;
+                inReplyTo?: undefined;
+                references?: undefined;
+                messageIds?: undefined;
+                calendarId?: undefined;
+                timeMin?: undefined;
+                timeMax?: undefined;
+                eventId?: undefined;
+                summary?: undefined;
+                description?: undefined;
+                start?: undefined;
+                end?: undefined;
+                attendees?: undefined;
+                location?: undefined;
+                recent?: undefined;
+                projectKeyOrId?: undefined;
+                type?: undefined;
+                boardId?: undefined;
+                sprintId?: undefined;
+                jql?: undefined;
+                startAt?: undefined;
+                issueIdOrKey?: undefined;
+                projectKey?: undefined;
+                issueTypeName?: undefined;
+                priority?: undefined;
+                assigneeAccountId?: undefined;
+                transitionId?: undefined;
+                linkId?: undefined;
+                file_path?: undefined;
+                content?: undefined;
+                command?: undefined;
+                working_directory?: undefined;
+                env_profile?: undefined;
+                timeout_seconds?: undefined;
+            };
+            required: string[];
+            additionalProperties: boolean;
+        };
+        constraints: {
+            rate_bucket: string;
+        };
+        effects: string[];
+        risk: string;
+        target_bindings: {
+            resource_id: {
+                source: "param";
+                param: string;
+                derive: "project_key";
+                required?: undefined;
+                key?: undefined;
+                multi?: undefined;
+                separator?: undefined;
+                default?: undefined;
+                fallback_param?: undefined;
+            };
+            secondary?: undefined;
+        };
+        version: string;
+    } | {
+        action: string;
+        resource_type: string;
+        required_relations: string[];
+        required_scopes: string[];
+        capability: string;
+        input_schema: {
+            type: string;
+            properties: {
+                linkId: {
+                    type: string;
+                    minLength: number;
+                    description: string;
+                };
+                channel?: undefined;
+                text?: undefined;
+                thread_ts?: undefined;
+                username?: undefined;
+                icon_emoji?: undefined;
+                blocks?: undefined;
+                userId?: undefined;
+                latest?: undefined;
+                oldest?: undefined;
+                limit?: undefined;
+                inclusive?: undefined;
+                cursor?: undefined;
+                ts?: undefined;
+                title?: undefined;
+                body?: undefined;
+                labels?: undefined;
+                assignees?: undefined;
+                state?: undefined;
+                sort?: undefined;
+                direction?: undefined;
+                per_page?: undefined;
+                page?: undefined;
+                issue_number?: undefined;
+                query?: undefined;
+                maxResults?: undefined;
+                messageId?: undefined;
+                to?: undefined;
+                subject?: undefined;
+                cc?: undefined;
+                bcc?: undefined;
+                threadId?: undefined;
+                inReplyTo?: undefined;
+                references?: undefined;
+                messageIds?: undefined;
+                calendarId?: undefined;
+                timeMin?: undefined;
+                timeMax?: undefined;
+                eventId?: undefined;
+                summary?: undefined;
+                description?: undefined;
+                start?: undefined;
+                end?: undefined;
+                attendees?: undefined;
+                location?: undefined;
+                recent?: undefined;
+                projectKeyOrId?: undefined;
+                type?: undefined;
+                boardId?: undefined;
+                sprintId?: undefined;
+                jql?: undefined;
+                startAt?: undefined;
+                issueIdOrKey?: undefined;
+                projectKey?: undefined;
+                issueTypeName?: undefined;
+                priority?: undefined;
+                assigneeAccountId?: undefined;
+                transitionId?: undefined;
+                typeName?: undefined;
+                inwardIssueKey?: undefined;
+                outwardIssueKey?: undefined;
+                commentBody?: undefined;
+                file_path?: undefined;
+                content?: undefined;
+                command?: undefined;
+                working_directory?: undefined;
+                env_profile?: undefined;
+                timeout_seconds?: undefined;
+            };
+            required: string[];
+            additionalProperties: boolean;
+        };
+        constraints: {
+            rate_bucket: string;
+        };
+        effects: string[];
+        risk: string;
+        target_bindings: {
+            resource_id: {
+                source: "param";
+                param: string;
+                required?: undefined;
+                key?: undefined;
+                multi?: undefined;
+                separator?: undefined;
+                default?: undefined;
+                fallback_param?: undefined;
+                derive?: undefined;
+            };
+            secondary?: undefined;
+        };
+        version: string;
     } | {
         action: string;
         resource_type: string;
@@ -7865,6 +8673,11 @@ declare const ACTION_REGISTRY: {
                 priority?: undefined;
                 assigneeAccountId?: undefined;
                 transitionId?: undefined;
+                typeName?: undefined;
+                inwardIssueKey?: undefined;
+                outwardIssueKey?: undefined;
+                commentBody?: undefined;
+                linkId?: undefined;
                 content?: undefined;
                 command?: undefined;
                 working_directory?: undefined;
@@ -7966,6 +8779,11 @@ declare const ACTION_REGISTRY: {
                 priority?: undefined;
                 assigneeAccountId?: undefined;
                 transitionId?: undefined;
+                typeName?: undefined;
+                inwardIssueKey?: undefined;
+                outwardIssueKey?: undefined;
+                commentBody?: undefined;
+                linkId?: undefined;
                 command?: undefined;
                 working_directory?: undefined;
                 env_profile?: undefined;
@@ -8077,6 +8895,11 @@ declare const ACTION_REGISTRY: {
                 priority?: undefined;
                 assigneeAccountId?: undefined;
                 transitionId?: undefined;
+                typeName?: undefined;
+                inwardIssueKey?: undefined;
+                outwardIssueKey?: undefined;
+                commentBody?: undefined;
+                linkId?: undefined;
                 file_path?: undefined;
                 content?: undefined;
             };
@@ -8605,6 +9428,19 @@ declare function resolveUserTier(tier: string | undefined | null): UserTier;
  */
 declare function getTierLimits(tier: string | undefined | null): TierLimits;
+/**
+ * フリーメール / コンシューマ向けメールドメインのリスト。
+ * grant の internalDomains で「ドメイン全体ワイルドカード (*@<freemail>)」を
+ * 許可することを禁止するために使う (個別アドレス x@gmail.com は許可)。
+ * 理由: *@gmail.com を「社内ドメイン」として自動許可すると、全 Gmail ユーザー
+ * 宛が無条件許可になり危険。
+ *
+ * 網羅性は完璧でなくてよい (主要なもの)。後から追加可能な Set 構造。
+ */
+declare const FREEMAIL_DOMAINS: ReadonlySet<string>;
+/** ドメインがフリーメールか判定 (小文字化して比較)。 */
+declare function isFreemailDomain(domain: string): boolean;
 /**
  * P1-A14a-1 / Threat Model S4 — canonical-string + signature-header
  * helpers for HMAC body signing of internal HTTP requests.
@@ -8761,6 +9597,414 @@ interface SignRequestArgs {
  */
 declare function signRequest(key: InternalHmacSignerKey, args: SignRequestArgs): string;
+/**
+ * CedarEngine — minimal wrapper around `@cedar-policy/cedar-wasm/nodejs`.
+ *
+ * Phase 1 Step 1 scope (server-side / Node-runtime only):
+ *   - preparseSchema   : ingest Cedar schema text → opaque SchemaHandle
+ *   - preparsePolicySet: ingest Cedar PolicySet text → opaque PolicySetHandle
+ *   - evaluate         : run statefulIsAuthorized against preparsed handles
+ *
+ * Browser callers receive `CedarEngineUnavailableError` because the
+ * `/nodejs` subpath depends on Node `fs` to instantiate the wasm.
+ *
+ * Performance notes (companion design spec Appendix C, PoC 2026-05-23):
+ *   - statefulIsAuthorized + preparsed cache: p50 0.067ms / p99 0.076ms
+ *     (~9x faster than re-parsing every call). The wasm caches preparsed
+ *     handles internally keyed by string name/id, so the opaque handles
+ *     we expose are thin wrappers around an auto-generated id.
+ *
+ * Concurrency / TOCTOU (Cedar design spec rev 5/6, fix C3):
+ *   - `createCedarEngine()` caches the in-flight Promise (not the resolved
+ *     engine). Two parallel callers therefore share the same load — no
+ *     duplicated dynamic import of the 4.1 MB wasm.
+ *   - On load failure the cached promise is cleared so the next caller can
+ *     retry. This avoids permanently poisoning the module after a transient
+ *     failure (e.g. wasm streaming compile blip).
+ *
+ * Design ref: docs/specs/2026-05-23-cedar-rar-permission-redesign.md
+ * Plan ref:   docs/specs/2026-05-23-cedar-rar-implementation-plan-phase1.md
+ */
+/**
+ * Decision domain exposed by the wrapper. Cedar's wasm uses lowercase
+ * `'allow' | 'deny'`; we normalize to the spec's casing so callers can
+ * pattern-match on a single canonical form across the codebase.
+ */
+type CedarDecision = 'Allow' | 'Deny';
+/**
+ * Structured error returned for evaluation-time problems (policy execution
+ * errors). Parse / schema errors are surfaced at preparse time as thrown
+ * `CedarParseError`s instead.
+ */
+interface CedarError {
+    /** Policy id that errored, if attributable. */
+    policyId?: string;
+    /** Human-readable message from Cedar. */
+    message: string;
+    /** Optional structured diagnostic code from Cedar. */
+    code?: string;
+}
+/**
+ * Phase 2-1-H — structured policy validation error surfaced by
+ * `CedarParseError.validationErrors` (and re-exported as a public type
+ * so API / UI callers don't have to re-implement source-location math).
+ *
+ * One `PolicyValidationError` entry corresponds to one cedar-wasm
+ * diagnostic (top-level `errors[]` entries + their `related[]`
+ * descendants are flattened into a single list, since callers always
+ * want to render every diagnostic — the related chain is metadata about
+ * the top-level failure, not a separate parse).
+ *
+ * Fields:
+ *   - `code` — machine-readable classification, snake_case. Phase 1
+ *     surface: `'parse_error'` (default). Future cedar-wasm releases
+ *     ship structured codes; the classifier here uses message-pattern
+ *     heuristics until then (see `classifyCedarErrorMessage`).
+ *   - `message` — cedar-wasm's human-readable English. UI is
+ *     responsible for i18n / templating; we don't translate here.
+ *   - `line` / `column` — 1-based caret. Computed from the byte
+ *     `start` offset in cedar-wasm's `sourceLocations[]` against the
+ *     ORIGINAL policy text, so the caret matches what the user sees
+ *     in the textarea / editor.
+ *   - `context` — the offending byte slice (max 200 chars, truncated
+ *     with an ellipsis). Lets UIs render an inline highlight without
+ *     a second round trip.
+ *   - `offset` — 0-based byte offset (for editors that prefer offsets
+ *     to line/column; line/column is provided as a convenience).
+ */
+interface PolicyValidationError {
+    /**
+     * Machine-readable code, snake_case. Currently a small set:
+     *   - `'parse_error'` — syntax / grammar failure (default)
+     *   - `'unexpected_end_of_input'` — incomplete policy
+     *   - `'unexpected_token'` — token didn't match expected production
+     *   - `'unknown_extension'` — referenced an unknown extension fn
+     *   - `'unknown'` — fallback when no heuristic matches
+     * Callers that switch on this string MUST default to a generic
+     * branch — the set will grow as cedar-wasm exposes structured codes.
+     */
+    code: string;
+    /** Cedar's human-readable English diagnostic. */
+    message: string;
+    /** 1-based line in the original policy text where the error starts. */
+    line?: number;
+    /** 1-based column in the line (counts UTF-16 code units, matching JS String). */
+    column?: number;
+    /**
+     * The raw policy slice that triggered the error, truncated to 200
+     * chars with a trailing ellipsis when longer. Useful for UIs to
+     * highlight the offending span without re-computing offsets.
+     */
+    context?: string;
+    /** 0-based byte offset into the policy text (when known). */
+    offset?: number;
+}
+/**
+ * Opaque handle to a Cedar schema that has been parsed and cached
+ * inside the wasm. Returned by `preparseSchema`; pass to `evaluate`.
+ *
+ * The wasm caches by string name, so the handle carries the auto-generated
+ * id. Callers must treat the type as opaque.
+ */
+interface SchemaHandle {
+    readonly __cedar: 'schema';
+    readonly name: string;
+}
+/** Opaque handle to a Cedar PolicySet. Returned by `preparsePolicySet`. */
+interface PolicySetHandle {
+    readonly __cedar: 'policySet';
+    readonly id: string;
+}
+/**
+ * A Cedar entity in the JSON shape expected by the wasm.
+ *
+ * We keep this as `Record<string, unknown>` rather than importing the
+ * detailed `EntityJson` type from `@cedar-policy/cedar-wasm` because the
+ * SDK is consumed by browser bundlers; pulling in the d.ts would force
+ * the wasm typings into browser builds (the runtime is still lazy-loaded).
+ * Callers cast as needed; runtime validation is delegated to the wasm.
+ */
+type CedarEntity = Record<string, unknown>;
+interface CedarEvaluateRequest {
+    /** Cedar entity-uid expression, e.g. `Agent::"agent-1"`. */
+    principal: string;
+    /** Cedar entity-uid expression, e.g. `Action::"gmail.message.send"`. */
+    action: string;
+    /** Cedar entity-uid expression, e.g. `GmailThread::"thread-1"`. */
+    resource: string;
+    /** Free-form context dict (must match the schema's context shape). */
+    context: Record<string, unknown>;
+}
+interface EvaluateInput {
+    policySetHandle: PolicySetHandle;
+    schemaHandle?: SchemaHandle;
+    entities: ReadonlyArray<CedarEntity>;
+    request: CedarEvaluateRequest;
+}
+interface EvaluateResult {
+    decision: CedarDecision;
+    /** Policy ids that determined the decision (Cedar's `diagnostics.reason`). */
+    reasons: string[];
+    /** Evaluation-time errors, if any. Empty array on success. */
+    errors: CedarError[];
+}
+interface CedarEngine {
+    preparseSchema(schemaText: string): SchemaHandle;
+    preparsePolicySet(cedarText: string): PolicySetHandle;
+    evaluate(input: EvaluateInput): EvaluateResult;
+}
+/**
+ * Thrown when the Cedar wasm module cannot be loaded — typically because
+ * the wrapper is running in a browser (the `/nodejs` subpath requires Node
+ * `fs`), but also raised for any unexpected load-time failure.
+ */
+declare class CedarEngineUnavailableError extends Error {
+    readonly name = "CedarEngineUnavailableError";
+    constructor(cause: unknown);
+}
+/**
+ * Thrown by `preparseSchema` / `preparsePolicySet` when Cedar reports a
+ * structured `{ type: 'failure', errors: [...] }` answer. Callers (e.g.
+ * the Policy Registry lint) can inspect `errors` for diagnostics.
+ *
+ * Phase 2-1-H — `validationErrors` is a parallel, richer view of the
+ * same failures with line / column / context derived against the
+ * original policy text. The legacy `errors` field is preserved as-is
+ * so call sites that only need the message text don't need to change.
+ */
+declare class CedarParseError extends Error {
+    readonly name = "CedarParseError";
+    readonly errors: CedarError[];
+    /**
+     * Structured diagnostics with `{ code, message, line, column, context,
+     * offset }`. Always non-empty when the throw is from cedar-wasm; may
+     * be empty when constructed from a non-cedar-wasm path (e.g. when an
+     * upstream caller wraps an unexpected throw).
+     */
+    readonly validationErrors: PolicyValidationError[];
+    constructor(message: string, errors: CedarError[], validationErrors?: PolicyValidationError[]);
+}
+interface CedarDetailedError {
+    message: string;
+    code?: string | null;
+    /**
+     * Source spans reported by cedar-wasm's miette-backed diagnostic
+     * pipeline. `start` / `end` are 0-based byte offsets into the policy
+     * text. `label` is a short hint about what was expected. We type only
+     * the subset we use; cedar-wasm may include additional fields.
+     */
+    sourceLocations?: ReadonlyArray<{
+        start?: number;
+        end?: number;
+        label?: string | null;
+    }> | null;
+    /** Cascaded diagnostics — same shape as the top-level error. */
+    related?: ReadonlyArray<CedarDetailedError> | null;
+}
+/**
+ * Create (or reuse) the singleton Cedar engine.
+ *
+ * - First call performs the dynamic import of cedar-wasm.
+ * - Subsequent calls return the cached Promise — TOCTOU-safe.
+ * - If the in-flight load rejects, the cache is cleared so retries work.
+ */
+declare function createCedarEngine(): Promise<CedarEngine>;
+/**
+ * Phase 2-1-H — flatten cedar-wasm's `{ message, sourceLocations[],
+ * related[] }` tree into a list of `PolicyValidationError` entries
+ * with line/column derived against the original policy text.
+ *
+ * `related[]` entries are walked recursively and emitted as siblings
+ * of the top-level error (cedar-wasm uses `related` for "and also..."
+ * style cascade diagnostics — UIs typically render all of them, not
+ * just the head).
+ *
+ * If cedar-wasm returns no `sourceLocations`, we still emit an entry
+ * (without line/column) so the caller always sees at least one error
+ * per failure path.
+ *
+ * @internal — Phase 2-1-H heuristic implementation. Exported for cross-package
+ * reuse (API + agentd / remote-mcp future surfaces) and unit tests, but NOT a
+ * stable public API. Will be replaced once cedar-wasm exposes structured
+ * diagnostic codes upstream (tracked as Phase 2-2-I). Semver of `@vess-id/ai-identity`
+ * may remove or rename this function without a major bump.
+ */
+declare function buildValidationErrors(errors: ReadonlyArray<CedarDetailedError>, sourceText: string): PolicyValidationError[];
+/**
+ * Heuristic classifier mapping cedar-wasm's English message text to a
+ * stable snake_case code. cedar-wasm@4.11.0 does not yet expose a
+ * structured `code` field (the `code` slot in `CedarDetailedError` is
+ * always `null` for parse failures), so we match on substring patterns
+ * that have proven stable across recent releases.
+ *
+ * If `cedarCode` is supplied (future cedar-wasm release) it wins.
+ *
+ * Returned codes (must stay in sync with the JSDoc on
+ * `PolicyValidationError.code`):
+ *   - `parse_error`              — generic parse failure (fallback)
+ *   - `unexpected_end_of_input`  — incomplete policy
+ *   - `unexpected_token`         — token didn't match expected production
+ *   - `unknown_extension`        — referenced unknown extension fn
+ *   - `unknown`                  — message didn't match any pattern
+ *
+ * @internal — Phase 2-1-H heuristic implementation, same caveat as
+ * `buildValidationErrors`. Will be replaced once cedar-wasm exposes structured
+ * diagnostic codes upstream (Phase 2-2-I).
+ */
+declare function classifyCedarErrorMessage(message: string, cedarCode?: string): string;
+/**
+ * buildCedarEntities — Cedar entity-list builder (Cedar unification Step 1).
+ *
+ * Spec ref:
+ * - docs/specs/2026-05-24-cedar-unification-design.md §7.1
+ *   Phase 1 採用方針: entity attribute と context の **二重 bind**。本 helper は
+ *   entity 側のみを組み立て、`context.action.risk_level` は呼び出し側
+ *   (`CedarDecisionService.buildCedarEvaluateRequest`) が context にも別途
+ *   注入する。これは Cedar 4.11.0 が schema-less な entity attribute 直参照を
+ *   policy text 内では制限するため、policy 内では `context.action.risk_level`
+ *   経由を Phase 1 で採用するという rev 3 C1 で確定した設計判断による。
+ *
+ * Action entity の `attrs.risk_level` は本 helper の責務、
+ * `context.action.risk_level` は CedarDecisionService の責務。
+ * Phase 2+ で Cedar schema 導入時に context 側を撤去し entity 直参照に統一する。
+ */
+/**
+ * Principal or resource descriptor accepted by {@link buildCedarEntities}.
+ * `type` is the Cedar entity-type name (e.g., `Agent`, `User`, `GmailThread`).
+ * `attrs` defaults to `{}` if omitted. `parents` is always `[]` in Phase 1
+ * (entity hierarchy is reserved for Phase 2 schema work).
+ */
+interface CedarEntityDescriptor {
+    type: string;
+    id: string;
+    attrs?: Record<string, unknown>;
+}
+/**
+ * Input contract for {@link buildCedarEntities}. `action` is the dotted
+ * action name (e.g., `'gmail.message.send'`); the helper looks up the
+ * Phase 1 risk level via {@link resolveActionRisk} and binds it as
+ * `Action::"<id>".attrs.risk_level`.
+ *
+ * Context (including `context.action.risk_level`, `context.approval.granted`,
+ * `context.environment.*`) is **not** built here — the caller (typically
+ * `CedarDecisionService`) builds context separately because the same entities
+ * are reused across Phase A / Phase B (approval=false / approval=true)
+ * evaluations.
+ */
+interface CedarEntitiesInput {
+    principal: CedarEntityDescriptor;
+    action: string;
+    resource: CedarEntityDescriptor;
+}
+/**
+ * Build the Cedar entity list (principal + action + resource) for a single
+ * authorization evaluation.
+ *
+ * Returns exactly 3 entities, in stable order [principal, action, resource].
+ * The Action entity gets `attrs.risk_level` populated from
+ * {@link resolveActionRisk}. principal / resource pass through `attrs`
+ * unchanged (defaulting to `{}` when omitted).
+ *
+ * Entity hierarchy (`parents`) is intentionally empty in Phase 1 — Phase 2
+ * will introduce schema-driven parents (e.g., GmailThread → GmailLabel).
+ */
+declare function buildCedarEntities(input: CedarEntitiesInput): CedarEntity[];
+/**
+ * Decision 7-value enum — A2A / AP2 aligned (Cedar unification Step 1).
+ *
+ * Spec ref:
+ * - docs/specs/2026-05-24-cedar-unification-design.md §3
+ * - decision #9 (Locked Decisions §2): A2A 互換 7 値、後方互換破壊 OK
+ *
+ * HTTP mapping (spec §3, line 169):
+ *   - `permit`         → 200
+ *   - `auth_required`  → 202 (replaces legacy `RequireApproval`)
+ *   - `input_required` → reserved for Phase 2+
+ *   - `denied`         → 403 (explicit forbid policy match)
+ *   - `denied_default` → 403 (no permit policy matched)
+ *   - `denied_by_user` → 403 (HITL UI rejection)
+ *   - `indeterminate`  → 500 (Cedar evaluation error, fail-closed)
+ *
+ * Phase 1 Step 1 scope: SDK enum + runtime guard only.
+ * Step 2 (API layer) will rewire `CedarDecisionService` to emit these values
+ * and replace the legacy 3-value `CedarDecisionValue` (`Permit | Forbid |
+ * RequireApproval`) over the wire. Both types coexist during the transition.
+ */
+/**
+ * The 7 decision states a permission evaluator may emit. Lowercase + snake_case
+ * to match A2A protocol naming conventions.
+ */
+type Decision = 'permit' | 'auth_required' | 'input_required' | 'denied' | 'denied_default' | 'denied_by_user' | 'indeterminate';
+/**
+ * Frozen ordered tuple of every {@link Decision} value. Useful for `it.each`
+ * test enumeration, exhaustiveness assertions, and audit-log validation.
+ *
+ * The order is **stable** and is the canonical iteration order (permit first,
+ * then approval gate, then input gate, then the 3 denied variants, then the
+ * fail-closed indeterminate). Do not rely on alphabetic order.
+ */
+declare const DECISION_VALUES: readonly ["permit", "auth_required", "input_required", "denied", "denied_default", "denied_by_user", "indeterminate"];
+/**
+ * Runtime type guard for {@link Decision}. Returns `true` only if `value` is
+ * one of the 7 canonical literals. Use this when validating wire payloads
+ * (audit log rows, HTTP bodies, IPC) before narrowing to `Decision`.
+ *
+ * Legacy 3-value capitalized literals (`Permit`, `Forbid`, `RequireApproval`)
+ * are **not** accepted; callers that still need to handle the old wire format
+ * must do their own translation (Step 2 will provide the migration helper).
+ */
+declare function isDecision(value: unknown): value is Decision;
+/**
+ * Action risk-level resolver — registry-driven (OpenQ-5 root fix).
+ *
+ * Spec refs:
+ * - docs/specs/2026-05-27-action-risk-registry-driven.md §3
+ * - docs/specs/2026-05-24-cedar-unification-design.md §7.2 (original Phase 1
+ *   suffix heuristic, now retained only as a fallback)
+ *
+ * Resolution order:
+ *   1. If the action exists in ACTION_REGISTRY and declares a `risk`, return
+ *      that value — ACTION_REGISTRY is the single source of truth (matching
+ *      CLAUDE.md). This is what Cedar `context.action.risk_level` binds to,
+ *      so a developer's hand-curated `risk: 'high'` is now authoritative.
+ *   2. Otherwise (unknown / not-yet-registered action) fall back to the
+ *      deterministic suffix heuristic below:
+ *        - write/send/delete-class suffixes → 'high'
+ *        - read/list/get-class suffixes     → 'low'
+ *        - everything else                  → 'medium' (fail-safe)
+ *
+ * The suffix heuristic classifies by the **last dotted segment** of the
+ * action name (e.g., `gmail.message.send` → `send` → 'high').
+ *
+ * Lookup is case-insensitive: input is lowercased before the registry Map
+ * lookup (registry keys are all lowercase), so `gmail.message.TRASH` still
+ * hits the registry `high` instead of mis-falling-back to the suffix value.
+ */
+type ActionRisk = 'low' | 'medium' | 'high';
+/**
+ * Resolve the risk level for a dotted action name.
+ *
+ * Registry-driven: a registered action returns its declared `risk`
+ * (authoritative); unknown actions fall back to the suffix heuristic.
+ *
+ * Examples:
+ *   resolveActionRisk('os.secret.read')           → 'high'  (registry)
+ *   resolveActionRisk('gmail.message.trash')      → 'high'  (registry)
+ *   resolveActionRisk('jira.issue.transition')    → 'high'  (registry)
+ *   resolveActionRisk('unknown.connector.send')   → 'high'  (suffix fallback)
+ *   resolveActionRisk('unknown.connector.read')   → 'low'   (suffix fallback)
+ *   resolveActionRisk('unknown.connector.sync')   → 'medium'(suffix fallback)
+ *
+ * Defensive defaults:
+ *   - empty / falsy input → 'medium' (fail-safe; never throws)
+ *   - unknown suffix      → 'medium'
+ */
+declare function resolveActionRisk(action: string | undefined | null): ActionRisk;
 declare const version = "0.0.1";
-export { type ABACPolicyEngine, ACTION_PARAMS_MAX_SIZE, ACTION_PREFIXES, ACTION_REGISTRY, AIdentityClient, type AIdentityConfig, AIdentityError, type APIAgent, type APICredential, APIVCManager, type AbacDecision, type AbacInput, type AcceptInvitationRequest, type AckEventResponse, type ActionInputSchema, type ActionMapping, type ActionMeta, type ActionParamDisplay, type ActionRegistry, type ActionRiskLevel, type Agent, type AgentCreateOptions, type AgentDIDConfig, AgentDIDManager, AgentManager, AgentStatus, AgentType, type AgentWithId, AllowAllAbac, type AnyProvider, type ApiKeyValidationResult, type AuditEvent, type AuditQuery, AuthProvider, type AuthState, AuthenticationError, type AutoApproveConfig, type BindingSource, type BuildKbJwtPayloadArgs, type BuildKbJwtPayloadDeps, CANONICAL_PROVIDERS, type CanonicalProvider, type CapabilityMeta, type CheckGrantPermissionRequest, type CheckGrantPermissionResult, type CheckPermissionInput, type CheckPermissionResult, type CollectContextRequest, type ConfirmGrantSuggestionRequest, type ConnectorAction, type ConnectorConfig, type ConnectorExecutionContext, type ConnectorResponse, type ConnectorResponseMetadata, type ConnectorTokenConfig, type ConstraintEvaluationResult, ConstraintEvaluator, type ConstraintEvaluatorOptions, type ConstraintViolation, type ConstraintWarning, type ContextBindingSource, type ContextProvider, type CreateGrantRequest, type CreateInvitationRequest, type CreateReceiptRequest, type CredentialRef, CredentialStatus, type CredentialStore, CredentialType, DEFAULT_CONSTRAINTS_BY_RISK, type DIDDocument, type DataAccessVC, type DecisionTrace, type DelegationVC, DeviceEnrollManager, type DeviceEnrollPollResult, type DeviceEnrollServerSideParams, type DeviceEnrollStartParams, type DeviceEnrollStartResult, type DisclosureFields, DummyCreds, DummyVpVerifier, type EmployeeVPRequest, type EvaluationContext, type ExternalActionRequest, FilesystemKeyStorage, GATEWAY_ERROR_CODE, GatewayClient, GatewayError, type GatewayErrorCode, type GatewayEvent, type GetEventsOptions, type GetEventsResponse, type GitHubConfig, type GoogleConfig, type Grant, type GrantConstraints, type GrantResource, GrantResourceType, GrantScope, GrantStatus, type GrantUsage, type IConnectorService, type IStateStore, type Intent, type IntentEvaluationResult, type IntentObligation, type IntentResource, type InternalHmacSignerKey, InvalidVPError, type Invitation, type InvitationRole, InvitationStatus, type IssueSDJWTVCRequest, type IssueSDJWTVCResult, type JiraBoard, type JiraConfig, type JiraIssue, type JiraIssueType, type JiraProject, type JiraSprint, type JiraStatus, type JiraUser, type JiraWorklog, type JsonSchema, JsonStateStore, KB_JWT_DEFAULT_LIFETIME_SECONDS, type KbJwtPayload, KeyManager, type KeyPairGenerationResult, type KeyStorageConfig, type KeyStorageProvider, LEGACY_RESOURCE_TYPE_MAP, MIN_SIGNER_KEY_BYTES, MemoryKeyStorage, NetworkError, type NormalizeIntentRequest, type NormalizedIntent, type OAuthAuthorizeRequest, type OAuthCallbackParams, type OAuthConnection, OAuthProvider, type OAuthToken, type OrganizationConfig, type OrganizationPermission, type OrganizationPolicy, type OrganizationVC, PROVIDER_ALIASES, type ParamBindingSource, type ParsedResourceType, type ParsedSignature, type PermissionConstraints, type PermissionMode, type PermissionResource, type PermissionRule, type PermissionTimeConstraint, type PermissionVcClaims, type PlanDelegationInput, type PlanDelegationResult, type PolicyCondition, type PolicyEvaluationResult, type PolicyInput, type PolicyRule, type PolicyTarget, type Provider, REAUTH_REQUIRED_ACTION, RESOURCE_TYPES, type ReBACChecker, type Receipt, type ReceiptListResult, type ReceiptOutcome, type ReceiptSearchQuery, ReceiptStatus, type Relation, type ResolvedTargets, type ResourceIdBinding, type ResourceRef, type ResourceScope, type ResourceType, type RiskAssessmentResult, type RiskFactor, type RiskLevel, SDJwtClient, SIGNATURE_HEADER, SIGNATURE_VERSION_PREFIX, ScopeUnmatchedError, type SecondaryBinding, type SignRequestArgs, SimpleRebac, type SlackConfig, StandardActionCategory, type SuggestGrantRequest, type SuggestedAction, type SuggestedConstraints, type SuggestedGrant, type SuggestedResource, type SuggestionRiskLevel, TIER_LIMITS, type TargetBindings, type TargetConstraint, TargetResolver, type TierLimits, type TimeWindowCheckResult, type TimeWindowConstraint, type ToolDefinition, type ToolInvocation, ToolManager, type ToolPermissionRequest, type ToolPermissionVC, type UnifiedResourceType, type UpdateGrantRequest, type UserIdentity, type UserIdentityConfig, type UserIdentityCreateOptions, UserIdentityManager, UserKeyPairManager, type UserTier, VALID_MCP_ACTIONS, VALID_MCP_TOOLS, VCExpiredError, VCManager, VCRevokedError, VCStatus, type VCTemplate, VCType, VPManager, type VPRequest, type VerifiablePresentation, type VerificationMethod, type VerifiedVcClaims, type VerifyInvitationResponse, type VerifyReceiptRequest, type VerifyReceiptResult, type VerifySDJWTVCResult, type VpVerifier, WRITE_ACTION_NAMES, type WeeklyReportData, type WeeklyReportSummary, buildCanonicalString, buildGrantIdFields, buildKbJwtPayload, canonicalizeAction, checkPermissionWithVP, configure, createAjv, createDidJwk, credentialStatusToVCStatus, defaultConstraintEvaluator, evaluateConstraints, extractProjectKey, extractPublicKey, extractPublicKeyFromDid, formatSignatureHeader, generateActionParamsDisplay, generateActionSummary, generateKeyPair, generateNonce, getActionAliases, getAllActionForms, getAllValidMcpActionNames, getClient, getDefaultDisclosureFields, getKeyIdFromDid, getRequiredRelations, getRequiredScopes, getTierLimits, getValidMcpActionNames, grantConstraintsToPermissionConstraints, grantToPermissionRules, indexActions, indexCapabilities, isActionEquivalent, isCanonicalProvider, isUnlimited, isValidDidJwk, isValidProvider, isWriteAction, loadActionRegistryFromFile, loadActionRegistryFromObject, normalizeDomain, normalizeMcpActionName, parseGrantAction, parseGrantResourceType, parseSignatureHeader, planDelegationForVC, publicKeysMatch, readVcExpSeconds, resolveActionsFromSelection, resolveProvider, resolveResourceType, resolveUserTier, sha256Hex, signJWT, signRequest, validateRegistryObject, vcStatusToCredentialStatus, verifyJWT, version };
+export { type ABACPolicyEngine, ACTION_PARAMS_MAX_SIZE, ACTION_PREFIXES, ACTION_REGISTRY, AIdentityClient, type AIdentityConfig, AIdentityError, type APIAgent, type APICredential, APIVCManager, type AbacDecision, type AbacInput, type AcceptInvitationRequest, type AckEventResponse, type ActionInputSchema, type ActionMapping, type ActionMeta, type ActionParamDisplay, type ActionRegistry, type ActionRisk, type ActionRiskLevel, type Agent, type AgentCreateOptions, type AgentDIDConfig, AgentDIDManager, AgentManager, AgentStatus, AgentType, type AgentWithId, AllowAllAbac, type AnyProvider, type ApiKeyValidationResult, type ApprovalContext, type AuditEvent, type AuditQuery, AuthProvider, type AuthState, AuthenticationError, type AutoApproveConfig, type BindingSource, type BuildKbJwtPayloadArgs, type BuildKbJwtPayloadDeps, CANONICAL_PROVIDERS, type CanonicalProvider, type CapabilityMeta, type CedarDecision, type CedarDecisionDiagnostic, type CedarDecisionValue, type CedarEngine, CedarEngineUnavailableError, type CedarEntitiesInput, type CedarEntity, type CedarEntityDescriptor, type CedarError, type CedarEvaluateRequest, CedarParseError, type CedarPolicySetHandle, type CedarSchema, type CedarSchemaHandle, type CheckGrantPermissionRequest, type CheckGrantPermissionResult, type CheckPermissionInput, type CheckPermissionResult, type CollectContextRequest, type ConfirmGrantSuggestionRequest, type ConnectorAction, type ConnectorConfig, type ConnectorExecutionContext, type ConnectorResponse, type ConnectorResponseMetadata, type ConnectorTokenConfig, type ConstraintEvaluationResult, ConstraintEvaluator, type ConstraintEvaluatorOptions, type ConstraintViolation, type ConstraintWarning, type ContextBindingSource, type ContextProvider, type CreateGrantRequest, type CreateInvitationRequest, type CreateReceiptRequest, type CredentialRef, CredentialStatus, type CredentialStore, CredentialType, DECISION_VALUES, DEFAULT_CONSTRAINTS_BY_RISK, type DIDDocument, type DataAccessVC, type Decision, type DecisionTrace, type DelegationVC, DeviceEnrollManager, type DeviceEnrollPollResult, type DeviceEnrollServerSideParams, type DeviceEnrollStartParams, type DeviceEnrollStartResult, type DisclosureFields, DummyCreds, DummyVpVerifier, type EmployeeVPRequest, type EvaluateInput, type EvaluateResult, type EvaluationContext, type ExternalActionRequest, FREEMAIL_DOMAINS, FilesystemKeyStorage, GATEWAY_ERROR_CODE, GatewayClient, GatewayError, type GatewayErrorCode, type GatewayEvent, type GetEventsOptions, type GetEventsResponse, type GitHubConfig, type GoogleConfig, type Grant, type GrantConstraints, type GrantResource, GrantResourceType, GrantScope, GrantStatus, type GrantUsage, type IConnectorService, type IStateStore, type Intent, type IntentEvaluationResult, type IntentObligation, type IntentResource, type InternalHmacSignerKey, InvalidVPError, type Invitation, type InvitationRole, InvitationStatus, type IssueSDJWTVCRequest, type IssueSDJWTVCResult, type JiraBoard, type JiraConfig, type JiraIssue, type JiraIssueLink, type JiraIssueLinkType, type JiraIssueType, type JiraProject, type JiraSprint, type JiraStatus, type JiraUser, type JiraWorklog, type JsonSchema, JsonStateStore, KB_JWT_DEFAULT_LIFETIME_SECONDS, type KbJwtPayload, KeyManager, type KeyPairGenerationResult, type KeyStorageConfig, type KeyStorageProvider, LEGACY_RESOURCE_TYPE_MAP, MIN_SIGNER_KEY_BYTES, MemoryKeyStorage, NetworkError, type NormalizeIntentRequest, type NormalizedIntent, type OAuthAuthorizeRequest, type OAuthCallbackParams, type OAuthConnection, OAuthProvider, type OAuthToken, type OrganizationConfig, type OrganizationPermission, type OrganizationPolicy, type OrganizationVC, PHASE_1_VC_LAYER, PROVIDER_ALIASES, type ParamBindingSource, type ParsedResourceType, type ParsedSignature, type PermissionConstraints, type PermissionMode, type PermissionResource, type PermissionRule, type PermissionTimeConstraint, type PermissionVcClaims, type PermissionVcClaims_V2, type PermissionVcClaims_V3, type Phase1VcLayer, type PlanDelegationInput, type PlanDelegationResult, type PolicyCondition, type PolicyEvaluationResult, type PolicyInput, type PolicyRef, type PolicyRefInline, type PolicyRefReference, type PolicyRule, type PolicySetHandle, type PolicyTarget, type PolicyValidationError, type Provider, REAUTH_REQUIRED_ACTION, RESOURCE_TYPES, type ReBACChecker, type Receipt, type ReceiptListResult, type ReceiptOutcome, type ReceiptSearchQuery, ReceiptStatus, type Relation, type ResolvedTargets, type ResourceIdBinding, type ResourceRef, type ResourceScope, type ResourceType, type RiskAssessmentResult, type RiskFactor, type RiskLevel, SDJwtClient, SIGNATURE_HEADER, SIGNATURE_VERSION_PREFIX, type SchemaHandle, ScopeUnmatchedError, type SecondaryBinding, type SignRequestArgs, SimpleRebac, type SlackConfig, StandardActionCategory, type SuggestGrantRequest, type SuggestedAction, type SuggestedConstraints, type SuggestedGrant, type SuggestedResource, type SuggestionRiskLevel, TIER_LIMITS, type TargetBindings, type TargetConstraint, TargetResolver, type TierLimits, type TimeWindowCheckResult, type TimeWindowConstraint, type ToolDefinition, type ToolInvocation, ToolManager, type ToolPermissionRequest, type ToolPermissionVC, type UnifiedResourceType, type UpdateGrantRequest, type UserIdentity, type UserIdentityConfig, type UserIdentityCreateOptions, UserIdentityManager, UserKeyPairManager, type UserTier, VALID_MCP_ACTIONS, VALID_MCP_TOOLS, VCExpiredError, VCManager, VCRevokedError, VCStatus, type VCTemplate, VCType, VPManager, type VPRequest, type VcApprovalClaim, type VerifiablePresentation, type VerificationMethod, type VerifiedVcClaims, type VerifyInvitationResponse, type VerifyReceiptRequest, type VerifyReceiptResult, type VerifySDJWTVCResult, type VpVerifier, WRITE_ACTION_NAMES, type WeeklyReportData, type WeeklyReportSummary, buildCanonicalString, buildCedarEntities, buildGrantIdFields, buildKbJwtPayload, buildPhase1VcClaims, buildValidationErrors, canonicalizeAction, checkPermissionWithVP, classifyCedarErrorMessage, configure, createAjv, createCedarEngine, createDidJwk, credentialStatusToVCStatus, defaultConstraintEvaluator, evaluateConstraints, extractProjectKey, extractPublicKey, extractPublicKeyFromDid, formatSignatureHeader, generateActionParamsDisplay, generateActionSummary, generateKeyPair, generateNonce, getActionAliases, getAllActionForms, getAllValidMcpActionNames, getClient, getDefaultDisclosureFields, getKeyIdFromDid, getRequiredRelations, getRequiredScopes, getTierLimits, getValidMcpActionNames, grantConstraintsToPermissionConstraints, grantToPermissionRules, indexActions, indexCapabilities, isActionEquivalent, isCanonicalProvider, isDecision, isFreemailDomain, isPolicyRefInline, isPolicyRefReference, isUnlimited, isValidDidJwk, isValidProvider, isWriteAction, loadActionRegistryFromFile, loadActionRegistryFromObject, normalizeDomain, normalizeMcpActionName, parseGrantAction, parseGrantResourceType, parseSignatureHeader, planDelegationForVC, publicKeysMatch, readVcExpSeconds, resolveActionRisk, resolveActionsFromSelection, resolveProvider, resolveResourceType, resolveUserTier, sha256Hex, signJWT, signRequest, validateRegistryObject, vcStatusToCredentialStatus, verifyJWT, version };