npm - @vess-id/ai-identity - Versions diffs - 0.14.0-alpha.0 → 0.14.0-alpha.2 - Mend

@vess-id/ai-identity 0.14.0-alpha.0 → 0.14.0-alpha.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

package/dist/index.d.mts +30 -1
package/dist/index.d.ts +1 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.js +48 -1
package/dist/index.js.map +1 -1
package/dist/index.mjs +46 -1
package/dist/index.mjs.map +1 -1
package/dist/registry/reauth-constants.d.ts +7 -0
package/dist/registry/reauth-constants.d.ts.map +1 -1
package/dist/types/permission-vc.d.ts +9 -0
package/dist/types/permission-vc.d.ts.map +1 -1
package/dist/utils/freemail-domains.d.ts +13 -0
package/dist/utils/freemail-domains.d.ts.map +1 -0
package/package.json +1 -1

package/dist/index.d.mts CHANGED Viewed

@@ -966,6 +966,15 @@ interface PermissionRule {
      * 2+ will bump the schema to v3.1 and make it required.
      */
     policy_ref?: PolicyRef;
+    /**
+     * Cedar policy bindings (複数) — 1 つの委任スコープに複数の policy が AND/OR
+     * で適用されるケース (例: calendarDomain 宛先制約 + timeWindow forbid)。
+     * 後方互換のため単数 `policy_ref` は維持し、発行時は `policy_refs[0]` を
+     * ミラーする。読み手は policy_refs を優先し、無ければ policy_ref を単要素配列に
+     * 正規化する。Cedar 評価では全 ref を 1 つの PolicySet に集約 (permit=OR,
+     * forbid=override で AND)。
+     */
+    policy_refs?: PolicyRef[];
 }
 /**
  * Permission VC Claims v2 — the pre-Cedar canonical credential claims format.
@@ -9079,6 +9088,13 @@ declare const GATEWAY_ERROR_CODE: {
     readonly CREDENTIAL_INVALID: "CREDENTIAL_INVALID";
     /** VC allowed a different resource than the request targeted. Try a new approval. */
     readonly RESOURCE_MISMATCH: "RESOURCE_MISMATCH";
+    /**
+     * Cedar `forbid` rule fired (HTTP 403 `policy_forbidden`) — a HARD deny that
+     * approval CANNOT lift (e.g. a timeWindow forbid outside business hours).
+     * The ExecutionEngine surfaces this as a TERMINAL denial with NO approval
+     * prompt, unlike CREDENTIAL_INVALID / RESOURCE_MISMATCH which re-request.
+     */
+    readonly POLICY_FORBIDDEN: "POLICY_FORBIDDEN";
 };
 type GatewayErrorCode = (typeof GATEWAY_ERROR_CODE)[keyof typeof GATEWAY_ERROR_CODE];
@@ -9419,6 +9435,19 @@ declare function resolveUserTier(tier: string | undefined | null): UserTier;
  */
 declare function getTierLimits(tier: string | undefined | null): TierLimits;
+/**
+ * フリーメール / コンシューマ向けメールドメインのリスト。
+ * grant の internalDomains で「ドメイン全体ワイルドカード (*@<freemail>)」を
+ * 許可することを禁止するために使う (個別アドレス x@gmail.com は許可)。
+ * 理由: *@gmail.com を「社内ドメイン」として自動許可すると、全 Gmail ユーザー
+ * 宛が無条件許可になり危険。
+ *
+ * 網羅性は完璧でなくてよい (主要なもの)。後から追加可能な Set 構造。
+ */
+declare const FREEMAIL_DOMAINS: ReadonlySet<string>;
+/** ドメインがフリーメールか判定 (小文字化して比較)。 */
+declare function isFreemailDomain(domain: string): boolean;
 /**
  * P1-A14a-1 / Threat Model S4 — canonical-string + signature-header
  * helpers for HMAC body signing of internal HTTP requests.
@@ -9985,4 +10014,4 @@ declare function resolveActionRisk(action: string | undefined | null): ActionRis
 declare const version = "0.0.1";
-export { type ABACPolicyEngine, ACTION_PARAMS_MAX_SIZE, ACTION_PREFIXES, ACTION_REGISTRY, AIdentityClient, type AIdentityConfig, AIdentityError, type APIAgent, type APICredential, APIVCManager, type AbacDecision, type AbacInput, type AcceptInvitationRequest, type AckEventResponse, type ActionInputSchema, type ActionMapping, type ActionMeta, type ActionParamDisplay, type ActionRegistry, type ActionRisk, type ActionRiskLevel, type Agent, type AgentCreateOptions, type AgentDIDConfig, AgentDIDManager, AgentManager, AgentStatus, AgentType, type AgentWithId, AllowAllAbac, type AnyProvider, type ApiKeyValidationResult, type ApprovalContext, type AuditEvent, type AuditQuery, AuthProvider, type AuthState, AuthenticationError, type AutoApproveConfig, type BindingSource, type BuildKbJwtPayloadArgs, type BuildKbJwtPayloadDeps, CANONICAL_PROVIDERS, type CanonicalProvider, type CapabilityMeta, type CedarDecision, type CedarDecisionDiagnostic, type CedarDecisionValue, type CedarEngine, CedarEngineUnavailableError, type CedarEntitiesInput, type CedarEntity, type CedarEntityDescriptor, type CedarError, type CedarEvaluateRequest, CedarParseError, type CedarPolicySetHandle, type CedarSchema, type CedarSchemaHandle, type CheckGrantPermissionRequest, type CheckGrantPermissionResult, type CheckPermissionInput, type CheckPermissionResult, type CollectContextRequest, type ConfirmGrantSuggestionRequest, type ConnectorAction, type ConnectorConfig, type ConnectorExecutionContext, type ConnectorResponse, type ConnectorResponseMetadata, type ConnectorTokenConfig, type ConstraintEvaluationResult, ConstraintEvaluator, type ConstraintEvaluatorOptions, type ConstraintViolation, type ConstraintWarning, type ContextBindingSource, type ContextProvider, type CreateGrantRequest, type CreateInvitationRequest, type CreateReceiptRequest, type CredentialRef, CredentialStatus, type CredentialStore, CredentialType, DECISION_VALUES, DEFAULT_CONSTRAINTS_BY_RISK, type DIDDocument, type DataAccessVC, type Decision, type DecisionTrace, type DelegationVC, DeviceEnrollManager, type DeviceEnrollPollResult, type DeviceEnrollServerSideParams, type DeviceEnrollStartParams, type DeviceEnrollStartResult, type DisclosureFields, DummyCreds, DummyVpVerifier, type EmployeeVPRequest, type EvaluateInput, type EvaluateResult, type EvaluationContext, type ExternalActionRequest, FilesystemKeyStorage, GATEWAY_ERROR_CODE, GatewayClient, GatewayError, type GatewayErrorCode, type GatewayEvent, type GetEventsOptions, type GetEventsResponse, type GitHubConfig, type GoogleConfig, type Grant, type GrantConstraints, type GrantResource, GrantResourceType, GrantScope, GrantStatus, type GrantUsage, type IConnectorService, type IStateStore, type Intent, type IntentEvaluationResult, type IntentObligation, type IntentResource, type InternalHmacSignerKey, InvalidVPError, type Invitation, type InvitationRole, InvitationStatus, type IssueSDJWTVCRequest, type IssueSDJWTVCResult, type JiraBoard, type JiraConfig, type JiraIssue, type JiraIssueLink, type JiraIssueLinkType, type JiraIssueType, type JiraProject, type JiraSprint, type JiraStatus, type JiraUser, type JiraWorklog, type JsonSchema, JsonStateStore, KB_JWT_DEFAULT_LIFETIME_SECONDS, type KbJwtPayload, KeyManager, type KeyPairGenerationResult, type KeyStorageConfig, type KeyStorageProvider, LEGACY_RESOURCE_TYPE_MAP, MIN_SIGNER_KEY_BYTES, MemoryKeyStorage, NetworkError, type NormalizeIntentRequest, type NormalizedIntent, type OAuthAuthorizeRequest, type OAuthCallbackParams, type OAuthConnection, OAuthProvider, type OAuthToken, type OrganizationConfig, type OrganizationPermission, type OrganizationPolicy, type OrganizationVC, PHASE_1_VC_LAYER, PROVIDER_ALIASES, type ParamBindingSource, type ParsedResourceType, type ParsedSignature, type PermissionConstraints, type PermissionMode, type PermissionResource, type PermissionRule, type PermissionTimeConstraint, type PermissionVcClaims, type PermissionVcClaims_V2, type PermissionVcClaims_V3, type Phase1VcLayer, type PlanDelegationInput, type PlanDelegationResult, type PolicyCondition, type PolicyEvaluationResult, type PolicyInput, type PolicyRef, type PolicyRefInline, type PolicyRefReference, type PolicyRule, type PolicySetHandle, type PolicyTarget, type PolicyValidationError, type Provider, REAUTH_REQUIRED_ACTION, RESOURCE_TYPES, type ReBACChecker, type Receipt, type ReceiptListResult, type ReceiptOutcome, type ReceiptSearchQuery, ReceiptStatus, type Relation, type ResolvedTargets, type ResourceIdBinding, type ResourceRef, type ResourceScope, type ResourceType, type RiskAssessmentResult, type RiskFactor, type RiskLevel, SDJwtClient, SIGNATURE_HEADER, SIGNATURE_VERSION_PREFIX, type SchemaHandle, ScopeUnmatchedError, type SecondaryBinding, type SignRequestArgs, SimpleRebac, type SlackConfig, StandardActionCategory, type SuggestGrantRequest, type SuggestedAction, type SuggestedConstraints, type SuggestedGrant, type SuggestedResource, type SuggestionRiskLevel, TIER_LIMITS, type TargetBindings, type TargetConstraint, TargetResolver, type TierLimits, type TimeWindowCheckResult, type TimeWindowConstraint, type ToolDefinition, type ToolInvocation, ToolManager, type ToolPermissionRequest, type ToolPermissionVC, type UnifiedResourceType, type UpdateGrantRequest, type UserIdentity, type UserIdentityConfig, type UserIdentityCreateOptions, UserIdentityManager, UserKeyPairManager, type UserTier, VALID_MCP_ACTIONS, VALID_MCP_TOOLS, VCExpiredError, VCManager, VCRevokedError, VCStatus, type VCTemplate, VCType, VPManager, type VPRequest, type VcApprovalClaim, type VerifiablePresentation, type VerificationMethod, type VerifiedVcClaims, type VerifyInvitationResponse, type VerifyReceiptRequest, type VerifyReceiptResult, type VerifySDJWTVCResult, type VpVerifier, WRITE_ACTION_NAMES, type WeeklyReportData, type WeeklyReportSummary, buildCanonicalString, buildCedarEntities, buildGrantIdFields, buildKbJwtPayload, buildPhase1VcClaims, buildValidationErrors, canonicalizeAction, checkPermissionWithVP, classifyCedarErrorMessage, configure, createAjv, createCedarEngine, createDidJwk, credentialStatusToVCStatus, defaultConstraintEvaluator, evaluateConstraints, extractProjectKey, extractPublicKey, extractPublicKeyFromDid, formatSignatureHeader, generateActionParamsDisplay, generateActionSummary, generateKeyPair, generateNonce, getActionAliases, getAllActionForms, getAllValidMcpActionNames, getClient, getDefaultDisclosureFields, getKeyIdFromDid, getRequiredRelations, getRequiredScopes, getTierLimits, getValidMcpActionNames, grantConstraintsToPermissionConstraints, grantToPermissionRules, indexActions, indexCapabilities, isActionEquivalent, isCanonicalProvider, isDecision, isPolicyRefInline, isPolicyRefReference, isUnlimited, isValidDidJwk, isValidProvider, isWriteAction, loadActionRegistryFromFile, loadActionRegistryFromObject, normalizeDomain, normalizeMcpActionName, parseGrantAction, parseGrantResourceType, parseSignatureHeader, planDelegationForVC, publicKeysMatch, readVcExpSeconds, resolveActionRisk, resolveActionsFromSelection, resolveProvider, resolveResourceType, resolveUserTier, sha256Hex, signJWT, signRequest, validateRegistryObject, vcStatusToCredentialStatus, verifyJWT, version };
+export { type ABACPolicyEngine, ACTION_PARAMS_MAX_SIZE, ACTION_PREFIXES, ACTION_REGISTRY, AIdentityClient, type AIdentityConfig, AIdentityError, type APIAgent, type APICredential, APIVCManager, type AbacDecision, type AbacInput, type AcceptInvitationRequest, type AckEventResponse, type ActionInputSchema, type ActionMapping, type ActionMeta, type ActionParamDisplay, type ActionRegistry, type ActionRisk, type ActionRiskLevel, type Agent, type AgentCreateOptions, type AgentDIDConfig, AgentDIDManager, AgentManager, AgentStatus, AgentType, type AgentWithId, AllowAllAbac, type AnyProvider, type ApiKeyValidationResult, type ApprovalContext, type AuditEvent, type AuditQuery, AuthProvider, type AuthState, AuthenticationError, type AutoApproveConfig, type BindingSource, type BuildKbJwtPayloadArgs, type BuildKbJwtPayloadDeps, CANONICAL_PROVIDERS, type CanonicalProvider, type CapabilityMeta, type CedarDecision, type CedarDecisionDiagnostic, type CedarDecisionValue, type CedarEngine, CedarEngineUnavailableError, type CedarEntitiesInput, type CedarEntity, type CedarEntityDescriptor, type CedarError, type CedarEvaluateRequest, CedarParseError, type CedarPolicySetHandle, type CedarSchema, type CedarSchemaHandle, type CheckGrantPermissionRequest, type CheckGrantPermissionResult, type CheckPermissionInput, type CheckPermissionResult, type CollectContextRequest, type ConfirmGrantSuggestionRequest, type ConnectorAction, type ConnectorConfig, type ConnectorExecutionContext, type ConnectorResponse, type ConnectorResponseMetadata, type ConnectorTokenConfig, type ConstraintEvaluationResult, ConstraintEvaluator, type ConstraintEvaluatorOptions, type ConstraintViolation, type ConstraintWarning, type ContextBindingSource, type ContextProvider, type CreateGrantRequest, type CreateInvitationRequest, type CreateReceiptRequest, type CredentialRef, CredentialStatus, type CredentialStore, CredentialType, DECISION_VALUES, DEFAULT_CONSTRAINTS_BY_RISK, type DIDDocument, type DataAccessVC, type Decision, type DecisionTrace, type DelegationVC, DeviceEnrollManager, type DeviceEnrollPollResult, type DeviceEnrollServerSideParams, type DeviceEnrollStartParams, type DeviceEnrollStartResult, type DisclosureFields, DummyCreds, DummyVpVerifier, type EmployeeVPRequest, type EvaluateInput, type EvaluateResult, type EvaluationContext, type ExternalActionRequest, FREEMAIL_DOMAINS, FilesystemKeyStorage, GATEWAY_ERROR_CODE, GatewayClient, GatewayError, type GatewayErrorCode, type GatewayEvent, type GetEventsOptions, type GetEventsResponse, type GitHubConfig, type GoogleConfig, type Grant, type GrantConstraints, type GrantResource, GrantResourceType, GrantScope, GrantStatus, type GrantUsage, type IConnectorService, type IStateStore, type Intent, type IntentEvaluationResult, type IntentObligation, type IntentResource, type InternalHmacSignerKey, InvalidVPError, type Invitation, type InvitationRole, InvitationStatus, type IssueSDJWTVCRequest, type IssueSDJWTVCResult, type JiraBoard, type JiraConfig, type JiraIssue, type JiraIssueLink, type JiraIssueLinkType, type JiraIssueType, type JiraProject, type JiraSprint, type JiraStatus, type JiraUser, type JiraWorklog, type JsonSchema, JsonStateStore, KB_JWT_DEFAULT_LIFETIME_SECONDS, type KbJwtPayload, KeyManager, type KeyPairGenerationResult, type KeyStorageConfig, type KeyStorageProvider, LEGACY_RESOURCE_TYPE_MAP, MIN_SIGNER_KEY_BYTES, MemoryKeyStorage, NetworkError, type NormalizeIntentRequest, type NormalizedIntent, type OAuthAuthorizeRequest, type OAuthCallbackParams, type OAuthConnection, OAuthProvider, type OAuthToken, type OrganizationConfig, type OrganizationPermission, type OrganizationPolicy, type OrganizationVC, PHASE_1_VC_LAYER, PROVIDER_ALIASES, type ParamBindingSource, type ParsedResourceType, type ParsedSignature, type PermissionConstraints, type PermissionMode, type PermissionResource, type PermissionRule, type PermissionTimeConstraint, type PermissionVcClaims, type PermissionVcClaims_V2, type PermissionVcClaims_V3, type Phase1VcLayer, type PlanDelegationInput, type PlanDelegationResult, type PolicyCondition, type PolicyEvaluationResult, type PolicyInput, type PolicyRef, type PolicyRefInline, type PolicyRefReference, type PolicyRule, type PolicySetHandle, type PolicyTarget, type PolicyValidationError, type Provider, REAUTH_REQUIRED_ACTION, RESOURCE_TYPES, type ReBACChecker, type Receipt, type ReceiptListResult, type ReceiptOutcome, type ReceiptSearchQuery, ReceiptStatus, type Relation, type ResolvedTargets, type ResourceIdBinding, type ResourceRef, type ResourceScope, type ResourceType, type RiskAssessmentResult, type RiskFactor, type RiskLevel, SDJwtClient, SIGNATURE_HEADER, SIGNATURE_VERSION_PREFIX, type SchemaHandle, ScopeUnmatchedError, type SecondaryBinding, type SignRequestArgs, SimpleRebac, type SlackConfig, StandardActionCategory, type SuggestGrantRequest, type SuggestedAction, type SuggestedConstraints, type SuggestedGrant, type SuggestedResource, type SuggestionRiskLevel, TIER_LIMITS, type TargetBindings, type TargetConstraint, TargetResolver, type TierLimits, type TimeWindowCheckResult, type TimeWindowConstraint, type ToolDefinition, type ToolInvocation, ToolManager, type ToolPermissionRequest, type ToolPermissionVC, type UnifiedResourceType, type UpdateGrantRequest, type UserIdentity, type UserIdentityConfig, type UserIdentityCreateOptions, UserIdentityManager, UserKeyPairManager, type UserTier, VALID_MCP_ACTIONS, VALID_MCP_TOOLS, VCExpiredError, VCManager, VCRevokedError, VCStatus, type VCTemplate, VCType, VPManager, type VPRequest, type VcApprovalClaim, type VerifiablePresentation, type VerificationMethod, type VerifiedVcClaims, type VerifyInvitationResponse, type VerifyReceiptRequest, type VerifyReceiptResult, type VerifySDJWTVCResult, type VpVerifier, WRITE_ACTION_NAMES, type WeeklyReportData, type WeeklyReportSummary, buildCanonicalString, buildCedarEntities, buildGrantIdFields, buildKbJwtPayload, buildPhase1VcClaims, buildValidationErrors, canonicalizeAction, checkPermissionWithVP, classifyCedarErrorMessage, configure, createAjv, createCedarEngine, createDidJwk, credentialStatusToVCStatus, defaultConstraintEvaluator, evaluateConstraints, extractProjectKey, extractPublicKey, extractPublicKeyFromDid, formatSignatureHeader, generateActionParamsDisplay, generateActionSummary, generateKeyPair, generateNonce, getActionAliases, getAllActionForms, getAllValidMcpActionNames, getClient, getDefaultDisclosureFields, getKeyIdFromDid, getRequiredRelations, getRequiredScopes, getTierLimits, getValidMcpActionNames, grantConstraintsToPermissionConstraints, grantToPermissionRules, indexActions, indexCapabilities, isActionEquivalent, isCanonicalProvider, isDecision, isFreemailDomain, isPolicyRefInline, isPolicyRefReference, isUnlimited, isValidDidJwk, isValidProvider, isWriteAction, loadActionRegistryFromFile, loadActionRegistryFromObject, normalizeDomain, normalizeMcpActionName, parseGrantAction, parseGrantResourceType, parseSignatureHeader, planDelegationForVC, publicKeysMatch, readVcExpSeconds, resolveActionRisk, resolveActionsFromSelection, resolveProvider, resolveResourceType, resolveUserTier, sha256Hex, signJWT, signRequest, validateRegistryObject, vcStatusToCredentialStatus, verifyJWT, version };

package/dist/index.d.ts CHANGED Viewed

@@ -34,6 +34,7 @@ export { isPolicyRefInline, isPolicyRefReference, PHASE_1_VC_LAYER, buildPhase1V
 export type { CedarSchema, CedarPolicySetHandle, CedarSchemaHandle, CedarDecisionValue, CedarDecisionDiagnostic, } from './types/cedar-policy';
 export { isWriteAction, WRITE_ACTION_NAMES } from './utils/action-classifier';
 export { resolveUserTier, getTierLimits, isUnlimited } from './utils/tier-utils';
+export { FREEMAIL_DOMAINS, isFreemailDomain } from './utils/freemail-domains';
 export * from './internal-signature';
 export { createCedarEngine, CedarEngineUnavailableError, CedarParseError, } from './policy';
 export type { CedarEngine, CedarDecision, CedarEntity, CedarEvaluateRequest, EvaluateInput, EvaluateResult, CedarError, SchemaHandle, PolicySetHandle, } from './policy';

package/dist/index.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,eAAe,EAAE,SAAS,EAAE,MAAM,UAAU,CAAA;AAGrD,OAAO,EAAE,SAAS,EAAE,eAAe,EAAE,MAAM,UAAU,CAAA;AAGrD,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAA;AAC1C,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAA;AAC9C,OAAO,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAA;AAC3D,OAAO,EAAE,mBAAmB,EAAE,MAAM,kCAAkC,CAAA;AACtE,OAAO,EAAE,kBAAkB,EAAE,MAAM,kCAAkC,CAAA;AACrE,YAAY,EAAE,uBAAuB,EAAE,MAAM,kCAAkC,CAAA;AAC/E,OAAO,EACL,mBAAmB,EACnB,uBAAuB,EACvB,4BAA4B,EAC5B,uBAAuB,EACvB,sBAAsB,GACvB,MAAM,kCAAkC,CAAA;AACzC,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAA;AAC3C,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAA;AAClD,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAA;AAC3C,OAAO,EACL,iBAAiB,EACjB,+BAA+B,EAC/B,eAAe,EACf,gBAAgB,EAChB,YAAY,EACZ,qBAAqB,EACrB,qBAAqB,GACtB,MAAM,qBAAqB,CAAA;AAC5B,OAAO,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAA;AAEjE,OAAO,EACL,0BAA0B,EAC1B,gBAAgB,GACjB,MAAM,0BAA0B,CAAA;AAGjC,OAAO,EACL,mBAAmB,EACnB,0BAA0B,EAC1B,0BAA0B,EAC1B,mBAAmB,GACpB,MAAM,mCAAmC,CAAA;AAG1C,cAAc,WAAW,CAAA;AAGzB,YAAY,EAAE,WAAW,EAAE,MAAM,+BAA+B,CAAA;AAChE,OAAO,EAAE,cAAc,EAAE,MAAM,0BAA0B,CAAA;AAGzD,OAAO,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAA;AACtE,YAAY,EACV,YAAY,EACZ,iBAAiB,EACjB,gBAAgB,EAChB,gBAAgB,EAChB,sBAAsB,GACvB,MAAM,0BAA0B,CAAA;AAGjC,OAAO,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAA;AACnD,YAAY,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAA;AAErD,cAAc,YAAY,CAAA;AAG1B,OAAO,EAAE,qBAAqB,EAAE,2BAA2B,EAAE,sBAAsB,EAAE,MAAM,2BAA2B,CAAA;AACtH,YAAY,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAA;AAGnE,OAAO,EAAE,eAAe,EAAE,OAAO,EAAE,SAAS,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAA;AACnF,OAAO,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAA;AAGlD,OAAO,EACL,YAAY,EACZ,gBAAgB,EAChB,uBAAuB,EACvB,aAAa,EACb,eAAe,EACf,eAAe,GAChB,MAAM,iBAAiB,CAAA;AAGxB,OAAO,EAAE,cAAc,EAAE,iBAAiB,EAAE,MAAM,4BAA4B,CAAA;AAG9E,cAAc,SAAS,CAAA;AAKvB,YAAY,EACV,SAAS,EACT,eAAe,EACf,kBAAkB,EAClB,qBAAqB,EACrB,qBAAqB,EACrB,aAAa,EACb,eAAe,GAChB,MAAM,uBAAuB,CAAA;AAC9B,OAAO,EACL,iBAAiB,EACjB,oBAAoB,EACpB,gBAAgB,EAChB,mBAAmB,GACpB,MAAM,uBAAuB,CAAA;AAC9B,YAAY,EACV,WAAW,EACX,oBAAoB,EACpB,iBAAiB,EACjB,kBAAkB,EAClB,uBAAuB,GACxB,MAAM,sBAAsB,CAAA;AAG7B,OAAO,EAAE,aAAa,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAA;AAG7E,OAAO,EAAE,eAAe,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAA;~~AAKhF~~,cAAc,sBAAsB,CAAA;AAGpC,OAAO,EACL,iBAAiB,EACjB,2BAA2B,EAC3B,eAAe,GAChB,MAAM,UAAU,CAAA;AACjB,YAAY,EACV,WAAW,EACX,aAAa,EACb,WAAW,EACX,oBAAoB,EACpB,aAAa,EACb,cAAc,EACd,UAAU,EACV,YAAY,EACZ,eAAe,GAChB,MAAM,UAAU,CAAA;AAKjB,OAAO,EACL,qBAAqB,EACrB,yBAAyB,GAC1B,MAAM,UAAU,CAAA;AACjB,YAAY,EAAE,qBAAqB,EAAE,MAAM,UAAU,CAAA;AAGrD,OAAO,EAAE,kBAAkB,EAAE,eAAe,EAAE,UAAU,EAAE,MAAM,UAAU,CAAA;AAC1E,YAAY,EACV,kBAAkB,EAClB,qBAAqB,EACrB,QAAQ,GACT,MAAM,UAAU,CAAA;AACjB,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAA;AAC1D,YAAY,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAA;AAGxD,eAAO,MAAM,OAAO,UAAU,CAAA"}
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,eAAe,EAAE,SAAS,EAAE,MAAM,UAAU,CAAA;AAGrD,OAAO,EAAE,SAAS,EAAE,eAAe,EAAE,MAAM,UAAU,CAAA;AAGrD,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAA;AAC1C,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAA;AAC9C,OAAO,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAA;AAC3D,OAAO,EAAE,mBAAmB,EAAE,MAAM,kCAAkC,CAAA;AACtE,OAAO,EAAE,kBAAkB,EAAE,MAAM,kCAAkC,CAAA;AACrE,YAAY,EAAE,uBAAuB,EAAE,MAAM,kCAAkC,CAAA;AAC/E,OAAO,EACL,mBAAmB,EACnB,uBAAuB,EACvB,4BAA4B,EAC5B,uBAAuB,EACvB,sBAAsB,GACvB,MAAM,kCAAkC,CAAA;AACzC,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAA;AAC3C,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAA;AAClD,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAA;AAC3C,OAAO,EACL,iBAAiB,EACjB,+BAA+B,EAC/B,eAAe,EACf,gBAAgB,EAChB,YAAY,EACZ,qBAAqB,EACrB,qBAAqB,GACtB,MAAM,qBAAqB,CAAA;AAC5B,OAAO,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAA;AAEjE,OAAO,EACL,0BAA0B,EAC1B,gBAAgB,GACjB,MAAM,0BAA0B,CAAA;AAGjC,OAAO,EACL,mBAAmB,EACnB,0BAA0B,EAC1B,0BAA0B,EAC1B,mBAAmB,GACpB,MAAM,mCAAmC,CAAA;AAG1C,cAAc,WAAW,CAAA;AAGzB,YAAY,EAAE,WAAW,EAAE,MAAM,+BAA+B,CAAA;AAChE,OAAO,EAAE,cAAc,EAAE,MAAM,0BAA0B,CAAA;AAGzD,OAAO,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAA;AACtE,YAAY,EACV,YAAY,EACZ,iBAAiB,EACjB,gBAAgB,EAChB,gBAAgB,EAChB,sBAAsB,GACvB,MAAM,0BAA0B,CAAA;AAGjC,OAAO,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAA;AACnD,YAAY,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAA;AAErD,cAAc,YAAY,CAAA;AAG1B,OAAO,EAAE,qBAAqB,EAAE,2BAA2B,EAAE,sBAAsB,EAAE,MAAM,2BAA2B,CAAA;AACtH,YAAY,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAA;AAGnE,OAAO,EAAE,eAAe,EAAE,OAAO,EAAE,SAAS,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAA;AACnF,OAAO,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAA;AAGlD,OAAO,EACL,YAAY,EACZ,gBAAgB,EAChB,uBAAuB,EACvB,aAAa,EACb,eAAe,EACf,eAAe,GAChB,MAAM,iBAAiB,CAAA;AAGxB,OAAO,EAAE,cAAc,EAAE,iBAAiB,EAAE,MAAM,4BAA4B,CAAA;AAG9E,cAAc,SAAS,CAAA;AAKvB,YAAY,EACV,SAAS,EACT,eAAe,EACf,kBAAkB,EAClB,qBAAqB,EACrB,qBAAqB,EACrB,aAAa,EACb,eAAe,GAChB,MAAM,uBAAuB,CAAA;AAC9B,OAAO,EACL,iBAAiB,EACjB,oBAAoB,EACpB,gBAAgB,EAChB,mBAAmB,GACpB,MAAM,uBAAuB,CAAA;AAC9B,YAAY,EACV,WAAW,EACX,oBAAoB,EACpB,iBAAiB,EACjB,kBAAkB,EAClB,uBAAuB,GACxB,MAAM,sBAAsB,CAAA;AAG7B,OAAO,EAAE,aAAa,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAA;AAG7E,OAAO,EAAE,eAAe,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAA;AAIhF,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,MAAM,0BAA0B,CAAA;AAK7E,cAAc,sBAAsB,CAAA;AAGpC,OAAO,EACL,iBAAiB,EACjB,2BAA2B,EAC3B,eAAe,GAChB,MAAM,UAAU,CAAA;AACjB,YAAY,EACV,WAAW,EACX,aAAa,EACb,WAAW,EACX,oBAAoB,EACpB,aAAa,EACb,cAAc,EACd,UAAU,EACV,YAAY,EACZ,eAAe,GAChB,MAAM,UAAU,CAAA;AAKjB,OAAO,EACL,qBAAqB,EACrB,yBAAyB,GAC1B,MAAM,UAAU,CAAA;AACjB,YAAY,EAAE,qBAAqB,EAAE,MAAM,UAAU,CAAA;AAGrD,OAAO,EAAE,kBAAkB,EAAE,eAAe,EAAE,UAAU,EAAE,MAAM,UAAU,CAAA;AAC1E,YAAY,EACV,kBAAkB,EAClB,qBAAqB,EACrB,QAAQ,GACT,MAAM,UAAU,CAAA;AACjB,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAA;AAC1D,YAAY,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAA;AAGxD,eAAO,MAAM,OAAO,UAAU,CAAA"}

package/dist/index.js CHANGED Viewed

@@ -54,6 +54,7 @@ __export(index_exports, {
   DeviceEnrollManager: () => DeviceEnrollManager,
   DummyCreds: () => DummyCreds,
   DummyVpVerifier: () => DummyVpVerifier,
+  FREEMAIL_DOMAINS: () => FREEMAIL_DOMAINS,
   FilesystemKeyStorage: () => FilesystemKeyStorage,
   GATEWAY_ERROR_CODE: () => GATEWAY_ERROR_CODE,
   GatewayClient: () => GatewayClient,
@@ -137,6 +138,7 @@ __export(index_exports, {
   isActionEquivalent: () => isActionEquivalent,
   isCanonicalProvider: () => isCanonicalProvider,
   isDecision: () => isDecision,
+  isFreemailDomain: () => isFreemailDomain,
   isPolicyRefInline: () => isPolicyRefInline,
   isPolicyRefReference: () => isPolicyRefReference,
   isUnlimited: () => isUnlimited,
@@ -5900,7 +5902,14 @@ var GATEWAY_ERROR_CODE = {
   /** Local VC/VP is invalid (expired, malformed, signature mismatch). Try VC reissuance. */
   CREDENTIAL_INVALID: "CREDENTIAL_INVALID",
   /** VC allowed a different resource than the request targeted. Try a new approval. */
-  RESOURCE_MISMATCH: "RESOURCE_MISMATCH"
+  RESOURCE_MISMATCH: "RESOURCE_MISMATCH",
+  /**
+   * Cedar `forbid` rule fired (HTTP 403 `policy_forbidden`) — a HARD deny that
+   * approval CANNOT lift (e.g. a timeWindow forbid outside business hours).
+   * The ExecutionEngine surfaces this as a TERMINAL denial with NO approval
+   * prompt, unlike CREDENTIAL_INVALID / RESOURCE_MISMATCH which re-request.
+   */
+  POLICY_FORBIDDEN: "POLICY_FORBIDDEN"
 };
 // src/registry/action-summary.ts
@@ -6300,6 +6309,42 @@ function getTierLimits(tier) {
   return TIER_LIMITS[resolveUserTier(tier)];
 }
+// src/utils/freemail-domains.ts
+var FREEMAIL_DOMAINS = /* @__PURE__ */ new Set([
+  "gmail.com",
+  "googlemail.com",
+  "outlook.com",
+  "hotmail.com",
+  "live.com",
+  "yahoo.com",
+  "yahoo.co.jp",
+  "ymail.com",
+  "icloud.com",
+  "me.com",
+  "mac.com",
+  "aol.com",
+  "protonmail.com",
+  "proton.me",
+  "pm.me",
+  "gmx.com",
+  "gmx.net",
+  "mail.com",
+  "zoho.com",
+  "yandex.com",
+  // 日本の主要キャリア/フリーメール
+  "docomo.ne.jp",
+  "ezweb.ne.jp",
+  "au.com",
+  "softbank.ne.jp",
+  "i.softbank.jp",
+  "nifty.com",
+  "so-net.ne.jp",
+  "biglobe.ne.jp"
+]);
+function isFreemailDomain(domain) {
+  return FREEMAIL_DOMAINS.has(domain.trim().toLowerCase());
+}
 // src/internal-signature/canonical.ts
 var import_crypto3 = require("crypto");
 var SIGNATURE_HEADER = "x-internal-signature";
@@ -6671,6 +6716,7 @@ var version = "0.0.1";
   DeviceEnrollManager,
   DummyCreds,
   DummyVpVerifier,
+  FREEMAIL_DOMAINS,
   FilesystemKeyStorage,
   GATEWAY_ERROR_CODE,
   GatewayClient,
@@ -6754,6 +6800,7 @@ var version = "0.0.1";
   isActionEquivalent,
   isCanonicalProvider,
   isDecision,
+  isFreemailDomain,
   isPolicyRefInline,
   isPolicyRefReference,
   isUnlimited,