@vess-id/ai-identity 0.14.0-alpha.1 → 0.14.0-alpha.3
- package/dist/index.d.mts +16 -1
- package/dist/index.js +11 -1
- package/dist/index.js.map +1 -1
- package/dist/index.mjs +10 -1
- package/dist/index.mjs.map +1 -1
- package/dist/registry/__tests__/reauth-constants.spec.d.ts +2 -0
- package/dist/registry/__tests__/reauth-constants.spec.d.ts.map +1 -0
- package/dist/registry/index.d.ts +1 -1
- package/dist/registry/index.d.ts.map +1 -1
- package/dist/registry/reauth-constants.d.ts +15 -0
- package/dist/registry/reauth-constants.d.ts.map +1 -1
- package/package.json +1 -1
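--- a/package/dist/index.d.mts
+++ b/package/dist/index.d.mts
@@ -9076,6 +9076,14 @@ declare function normalizeMcpActionName(toolName: string, actionName: string): s
 * as a normal error.
 */
 declare const REAUTH_REQUIRED_ACTION: "reauth_required";
+/**
+* Value for `ToolInvokeResult.metadata.action` when an action needs RAR
+* approval (Cedar `RequireApproval`). Consumers (remote-mcp formatter)
+* branch on this to promote `{ approvalUrl, requestId }` into the MCP
+* `structuredContent` / `_meta.aidentity` channel so the URL reaches the
+* client on the FIRST call_tool, not only via a separate request_permission.
+*/
+declare const APPROVAL_REQUIRED_ACTION: "approval_required";
 /**
 * Error codes emitted by agentd's `gateway-client.invokeTool` to classify
 * failure modes for the ExecutionEngine to branch on. Kept as a const object
@@ -9088,6 +9096,13 @@ declare const GATEWAY_ERROR_CODE: {
 readonly CREDENTIAL_INVALID: "CREDENTIAL_INVALID";
 /** VC allowed a different resource than the request targeted. Try a new approval. */
 readonly RESOURCE_MISMATCH: "RESOURCE_MISMATCH";
+/**
+* Cedar `forbid` rule fired (HTTP 403 `policy_forbidden`) — a HARD deny that
+* approval CANNOT lift (e.g. a timeWindow forbid outside business hours).
+* The ExecutionEngine surfaces this as a TERMINAL denial with NO approval
+* prompt, unlike CREDENTIAL_INVALID / RESOURCE_MISMATCH which re-request.
+*/
+readonly POLICY_FORBIDDEN: "POLICY_FORBIDDEN";
 };
 type GatewayErrorCode = (typeof GATEWAY_ERROR_CODE)[keyof typeof GATEWAY_ERROR_CODE];
 
@@ -10007,4 +10022,4 @@ declare function resolveActionRisk(action: string | undefined | null): ActionRis
 
 declare const version = "0.0.1";
 
-export { type ABACPolicyEngine, ACTION_PARAMS_MAX_SIZE, ACTION_PREFIXES, ACTION_REGISTRY, AIdentityClient, type AIdentityConfig, AIdentityError, type APIAgent, type APICredential, APIVCManager, type AbacDecision, type AbacInput, type AcceptInvitationRequest, type AckEventResponse, type ActionInputSchema, type ActionMapping, type ActionMeta, type ActionParamDisplay, type ActionRegistry, type ActionRisk, type ActionRiskLevel, type Agent, type AgentCreateOptions, type AgentDIDConfig, AgentDIDManager, AgentManager, AgentStatus, AgentType, type AgentWithId, AllowAllAbac, type AnyProvider, type ApiKeyValidationResult, type ApprovalContext, type AuditEvent, type AuditQuery, AuthProvider, type AuthState, AuthenticationError, type AutoApproveConfig, type BindingSource, type BuildKbJwtPayloadArgs, type BuildKbJwtPayloadDeps, CANONICAL_PROVIDERS, type CanonicalProvider, type CapabilityMeta, type CedarDecision, type CedarDecisionDiagnostic, type CedarDecisionValue, type CedarEngine, CedarEngineUnavailableError, type CedarEntitiesInput, type CedarEntity, type CedarEntityDescriptor, type CedarError, type CedarEvaluateRequest, CedarParseError, type CedarPolicySetHandle, type CedarSchema, type CedarSchemaHandle, type CheckGrantPermissionRequest, type CheckGrantPermissionResult, type CheckPermissionInput, type CheckPermissionResult, type CollectContextRequest, type ConfirmGrantSuggestionRequest, type ConnectorAction, type ConnectorConfig, type ConnectorExecutionContext, type ConnectorResponse, type ConnectorResponseMetadata, type ConnectorTokenConfig, type ConstraintEvaluationResult, ConstraintEvaluator, type ConstraintEvaluatorOptions, type ConstraintViolation, type ConstraintWarning, type ContextBindingSource, type ContextProvider, type CreateGrantRequest, type CreateInvitationRequest, type CreateReceiptRequest, type CredentialRef, CredentialStatus, type CredentialStore, CredentialType, DECISION_VALUES, DEFAULT_CONSTRAINTS_BY_RISK, type DIDDocument, type DataAccessVC, type Decision, type DecisionTrace, type DelegationVC, DeviceEnrollManager, type DeviceEnrollPollResult, type DeviceEnrollServerSideParams, type DeviceEnrollStartParams, type DeviceEnrollStartResult, type DisclosureFields, DummyCreds, DummyVpVerifier, type EmployeeVPRequest, type EvaluateInput, type EvaluateResult, type EvaluationContext, type ExternalActionRequest, FREEMAIL_DOMAINS, FilesystemKeyStorage, GATEWAY_ERROR_CODE, GatewayClient, GatewayError, type GatewayErrorCode, type GatewayEvent, type GetEventsOptions, type GetEventsResponse, type GitHubConfig, type GoogleConfig, type Grant, type GrantConstraints, type GrantResource, GrantResourceType, GrantScope, GrantStatus, type GrantUsage, type IConnectorService, type IStateStore, type Intent, type IntentEvaluationResult, type IntentObligation, type IntentResource, type InternalHmacSignerKey, InvalidVPError, type Invitation, type InvitationRole, InvitationStatus, type IssueSDJWTVCRequest, type IssueSDJWTVCResult, type JiraBoard, type JiraConfig, type JiraIssue, type JiraIssueLink, type JiraIssueLinkType, type JiraIssueType, type JiraProject, type JiraSprint, type JiraStatus, type JiraUser, type JiraWorklog, type JsonSchema, JsonStateStore, KB_JWT_DEFAULT_LIFETIME_SECONDS, type KbJwtPayload, KeyManager, type KeyPairGenerationResult, type KeyStorageConfig, type KeyStorageProvider, LEGACY_RESOURCE_TYPE_MAP, MIN_SIGNER_KEY_BYTES, MemoryKeyStorage, NetworkError, type NormalizeIntentRequest, type NormalizedIntent, type OAuthAuthorizeRequest, type OAuthCallbackParams, type OAuthConnection, OAuthProvider, type OAuthToken, type OrganizationConfig, type OrganizationPermission, type OrganizationPolicy, type OrganizationVC, PHASE_1_VC_LAYER, PROVIDER_ALIASES, type ParamBindingSource, type ParsedResourceType, type ParsedSignature, type PermissionConstraints, type PermissionMode, type PermissionResource, type PermissionRule, type PermissionTimeConstraint, type PermissionVcClaims, type PermissionVcClaims_V2, type PermissionVcClaims_V3, type Phase1VcLayer, type PlanDelegationInput, type PlanDelegationResult, type PolicyCondition, type PolicyEvaluationResult, type PolicyInput, type PolicyRef, type PolicyRefInline, type PolicyRefReference, type PolicyRule, type PolicySetHandle, type PolicyTarget, type PolicyValidationError, type Provider, REAUTH_REQUIRED_ACTION, RESOURCE_TYPES, type ReBACChecker, type Receipt, type ReceiptListResult, type ReceiptOutcome, type ReceiptSearchQuery, ReceiptStatus, type Relation, type ResolvedTargets, type ResourceIdBinding, type ResourceRef, type ResourceScope, type ResourceType, type RiskAssessmentResult, type RiskFactor, type RiskLevel, SDJwtClient, SIGNATURE_HEADER, SIGNATURE_VERSION_PREFIX, type SchemaHandle, ScopeUnmatchedError, type SecondaryBinding, type SignRequestArgs, SimpleRebac, type SlackConfig, StandardActionCategory, type SuggestGrantRequest, type SuggestedAction, type SuggestedConstraints, type SuggestedGrant, type SuggestedResource, type SuggestionRiskLevel, TIER_LIMITS, type TargetBindings, type TargetConstraint, TargetResolver, type TierLimits, type TimeWindowCheckResult, type TimeWindowConstraint, type ToolDefinition, type ToolInvocation, ToolManager, type ToolPermissionRequest, type ToolPermissionVC, type UnifiedResourceType, type UpdateGrantRequest, type UserIdentity, type UserIdentityConfig, type UserIdentityCreateOptions, UserIdentityManager, UserKeyPairManager, type UserTier, VALID_MCP_ACTIONS, VALID_MCP_TOOLS, VCExpiredError, VCManager, VCRevokedError, VCStatus, type VCTemplate, VCType, VPManager, type VPRequest, type VcApprovalClaim, type VerifiablePresentation, type VerificationMethod, type VerifiedVcClaims, type VerifyInvitationResponse, type VerifyReceiptRequest, type VerifyReceiptResult, type VerifySDJWTVCResult, type VpVerifier, WRITE_ACTION_NAMES, type WeeklyReportData, type WeeklyReportSummary, buildCanonicalString, buildCedarEntities, buildGrantIdFields, buildKbJwtPayload, buildPhase1VcClaims, buildValidationErrors, canonicalizeAction, checkPermissionWithVP, classifyCedarErrorMessage, configure, createAjv, createCedarEngine, createDidJwk, credentialStatusToVCStatus, defaultConstraintEvaluator, evaluateConstraints, extractProjectKey, extractPublicKey, extractPublicKeyFromDid, formatSignatureHeader, generateActionParamsDisplay, generateActionSummary, generateKeyPair, generateNonce, getActionAliases, getAllActionForms, getAllValidMcpActionNames, getClient, getDefaultDisclosureFields, getKeyIdFromDid, getRequiredRelations, getRequiredScopes, getTierLimits, getValidMcpActionNames, grantConstraintsToPermissionConstraints, grantToPermissionRules, indexActions, indexCapabilities, isActionEquivalent, isCanonicalProvider, isDecision, isFreemailDomain, isPolicyRefInline, isPolicyRefReference, isUnlimited, isValidDidJwk, isValidProvider, isWriteAction, loadActionRegistryFromFile, loadActionRegistryFromObject, normalizeDomain, normalizeMcpActionName, parseGrantAction, parseGrantResourceType, parseSignatureHeader, planDelegationForVC, publicKeysMatch, readVcExpSeconds, resolveActionRisk, resolveActionsFromSelection, resolveProvider, resolveResourceType, resolveUserTier, sha256Hex, signJWT, signRequest, validateRegistryObject, vcStatusToCredentialStatus, verifyJWT, version };
+export { type ABACPolicyEngine, ACTION_PARAMS_MAX_SIZE, ACTION_PREFIXES, ACTION_REGISTRY, AIdentityClient, type AIdentityConfig, AIdentityError, type APIAgent, type APICredential, APIVCManager, APPROVAL_REQUIRED_ACTION, type AbacDecision, type AbacInput, type AcceptInvitationRequest, type AckEventResponse, type ActionInputSchema, type ActionMapping, type ActionMeta, type ActionParamDisplay, type ActionRegistry, type ActionRisk, type ActionRiskLevel, type Agent, type AgentCreateOptions, type AgentDIDConfig, AgentDIDManager, AgentManager, AgentStatus, AgentType, type AgentWithId, AllowAllAbac, type AnyProvider, type ApiKeyValidationResult, type ApprovalContext, type AuditEvent, type AuditQuery, AuthProvider, type AuthState, AuthenticationError, type AutoApproveConfig, type BindingSource, type BuildKbJwtPayloadArgs, type BuildKbJwtPayloadDeps, CANONICAL_PROVIDERS, type CanonicalProvider, type CapabilityMeta, type CedarDecision, type CedarDecisionDiagnostic, type CedarDecisionValue, type CedarEngine, CedarEngineUnavailableError, type CedarEntitiesInput, type CedarEntity, type CedarEntityDescriptor, type CedarError, type CedarEvaluateRequest, CedarParseError, type CedarPolicySetHandle, type CedarSchema, type CedarSchemaHandle, type CheckGrantPermissionRequest, type CheckGrantPermissionResult, type CheckPermissionInput, type CheckPermissionResult, type CollectContextRequest, type ConfirmGrantSuggestionRequest, type ConnectorAction, type ConnectorConfig, type ConnectorExecutionContext, type ConnectorResponse, type ConnectorResponseMetadata, type ConnectorTokenConfig, type ConstraintEvaluationResult, ConstraintEvaluator, type ConstraintEvaluatorOptions, type ConstraintViolation, type ConstraintWarning, type ContextBindingSource, type ContextProvider, type CreateGrantRequest, type CreateInvitationRequest, type CreateReceiptRequest, type CredentialRef, CredentialStatus, type CredentialStore, CredentialType, DECISION_VALUES, DEFAULT_CONSTRAINTS_BY_RISK, type DIDDocument, type DataAccessVC, type Decision, type DecisionTrace, type DelegationVC, DeviceEnrollManager, type DeviceEnrollPollResult, type DeviceEnrollServerSideParams, type DeviceEnrollStartParams, type DeviceEnrollStartResult, type DisclosureFields, DummyCreds, DummyVpVerifier, type EmployeeVPRequest, type EvaluateInput, type EvaluateResult, type EvaluationContext, type ExternalActionRequest, FREEMAIL_DOMAINS, FilesystemKeyStorage, GATEWAY_ERROR_CODE, GatewayClient, GatewayError, type GatewayErrorCode, type GatewayEvent, type GetEventsOptions, type GetEventsResponse, type GitHubConfig, type GoogleConfig, type Grant, type GrantConstraints, type GrantResource, GrantResourceType, GrantScope, GrantStatus, type GrantUsage, type IConnectorService, type IStateStore, type Intent, type IntentEvaluationResult, type IntentObligation, type IntentResource, type InternalHmacSignerKey, InvalidVPError, type Invitation, type InvitationRole, InvitationStatus, type IssueSDJWTVCRequest, type IssueSDJWTVCResult, type JiraBoard, type JiraConfig, type JiraIssue, type JiraIssueLink, type JiraIssueLinkType, type JiraIssueType, type JiraProject, type JiraSprint, type JiraStatus, type JiraUser, type JiraWorklog, type JsonSchema, JsonStateStore, KB_JWT_DEFAULT_LIFETIME_SECONDS, type KbJwtPayload, KeyManager, type KeyPairGenerationResult, type KeyStorageConfig, type KeyStorageProvider, LEGACY_RESOURCE_TYPE_MAP, MIN_SIGNER_KEY_BYTES, MemoryKeyStorage, NetworkError, type NormalizeIntentRequest, type NormalizedIntent, type OAuthAuthorizeRequest, type OAuthCallbackParams, type OAuthConnection, OAuthProvider, type OAuthToken, type OrganizationConfig, type OrganizationPermission, type OrganizationPolicy, type OrganizationVC, PHASE_1_VC_LAYER, PROVIDER_ALIASES, type ParamBindingSource, type ParsedResourceType, type ParsedSignature, type PermissionConstraints, type PermissionMode, type PermissionResource, type PermissionRule, type PermissionTimeConstraint, type PermissionVcClaims, type PermissionVcClaims_V2, type PermissionVcClaims_V3, type Phase1VcLayer, type PlanDelegationInput, type PlanDelegationResult, type PolicyCondition, type PolicyEvaluationResult, type PolicyInput, type PolicyRef, type PolicyRefInline, type PolicyRefReference, type PolicyRule, type PolicySetHandle, type PolicyTarget, type PolicyValidationError, type Provider, REAUTH_REQUIRED_ACTION, RESOURCE_TYPES, type ReBACChecker, type Receipt, type ReceiptListResult, type ReceiptOutcome, type ReceiptSearchQuery, ReceiptStatus, type Relation, type ResolvedTargets, type ResourceIdBinding, type ResourceRef, type ResourceScope, type ResourceType, type RiskAssessmentResult, type RiskFactor, type RiskLevel, SDJwtClient, SIGNATURE_HEADER, SIGNATURE_VERSION_PREFIX, type SchemaHandle, ScopeUnmatchedError, type SecondaryBinding, type SignRequestArgs, SimpleRebac, type SlackConfig, StandardActionCategory, type SuggestGrantRequest, type SuggestedAction, type SuggestedConstraints, type SuggestedGrant, type SuggestedResource, type SuggestionRiskLevel, TIER_LIMITS, type TargetBindings, type TargetConstraint, TargetResolver, type TierLimits, type TimeWindowCheckResult, type TimeWindowConstraint, type ToolDefinition, type ToolInvocation, ToolManager, type ToolPermissionRequest, type ToolPermissionVC, type UnifiedResourceType, type UpdateGrantRequest, type UserIdentity, type UserIdentityConfig, type UserIdentityCreateOptions, UserIdentityManager, UserKeyPairManager, type UserTier, VALID_MCP_ACTIONS, VALID_MCP_TOOLS, VCExpiredError, VCManager, VCRevokedError, VCStatus, type VCTemplate, VCType, VPManager, type VPRequest, type VcApprovalClaim, type VerifiablePresentation, type VerificationMethod, type VerifiedVcClaims, type VerifyInvitationResponse, type VerifyReceiptRequest, type VerifyReceiptResult, type VerifySDJWTVCResult, type VpVerifier, WRITE_ACTION_NAMES, type WeeklyReportData, type WeeklyReportSummary, buildCanonicalString, buildCedarEntities, buildGrantIdFields, buildKbJwtPayload, buildPhase1VcClaims, buildValidationErrors, canonicalizeAction, checkPermissionWithVP, classifyCedarErrorMessage, configure, createAjv, createCedarEngine, createDidJwk, credentialStatusToVCStatus, defaultConstraintEvaluator, evaluateConstraints, extractProjectKey, extractPublicKey, extractPublicKeyFromDid, formatSignatureHeader, generateActionParamsDisplay, generateActionSummary, generateKeyPair, generateNonce, getActionAliases, getAllActionForms, getAllValidMcpActionNames, getClient, getDefaultDisclosureFields, getKeyIdFromDid, getRequiredRelations, getRequiredScopes, getTierLimits, getValidMcpActionNames, grantConstraintsToPermissionConstraints, grantToPermissionRules, indexActions, indexCapabilities, isActionEquivalent, isCanonicalProvider, isDecision, isFreemailDomain, isPolicyRefInline, isPolicyRefReference, isUnlimited, isValidDidJwk, isValidProvider, isWriteAction, loadActionRegistryFromFile, loadActionRegistryFromObject, normalizeDomain, normalizeMcpActionName, parseGrantAction, parseGrantResourceType, parseSignatureHeader, planDelegationForVC, publicKeysMatch, readVcExpSeconds, resolveActionRisk, resolveActionsFromSelection, resolveProvider, resolveResourceType, resolveUserTier, sha256Hex, signJWT, signRequest, validateRegistryObject, vcStatusToCredentialStatus, verifyJWT, version };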
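Review bot: The new doc comment on `APPROVAL_REQUIRED_ACTION` tells consumers to promote `{ approvalUrl, requestId }` into `structuredContent` / `_meta.aidentity`, but it does not say what a consumer must check about `approvalUrl` before forwarding it. That URL is where the end user is sent to approve an action, so the trust requirement belongs in the contract next to the constant. I would add a line such as `* Consumers MUST forward approvalUrl only if it is an https URL on the configured approval origin.` to the comment in `src/registry/reauth-constants.ts`. Whether the remote-mcp formatter already validates the URL cannot be seen in this package diff.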
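--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -36,6 +36,7 @@ __export(index_exports, {
 AIdentityClient: () => AIdentityClient,
 AIdentityError: () => AIdentityError,
 APIVCManager: () => APIVCManager,
+APPROVAL_REQUIRED_ACTION: () => APPROVAL_REQUIRED_ACTION,
 AgentDIDManager: () => AgentDIDManager,
 AgentManager: () => AgentManager,
 AgentStatus: () => AgentStatus,
@@ -5896,13 +5897,21 @@ function normalizeMcpActionName(toolName, actionName) {
 
 // src/registry/reauth-constants.ts
 var REAUTH_REQUIRED_ACTION = "reauth_required";
+var APPROVAL_REQUIRED_ACTION = "approval_required";
 var GATEWAY_ERROR_CODE = {
 /** Upstream OAuth token is revoked — the user must re-auth at the SaaS provider. */
 REAUTH_REQUIRED: "REAUTH_REQUIRED",
 /** Local VC/VP is invalid (expired, malformed, signature mismatch). Try VC reissuance. */
 CREDENTIAL_INVALID: "CREDENTIAL_INVALID",
 /** VC allowed a different resource than the request targeted. Try a new approval. */
-RESOURCE_MISMATCH: "RESOURCE_MISMATCH"
+RESOURCE_MISMATCH: "RESOURCE_MISMATCH",
+/**
+* Cedar `forbid` rule fired (HTTP 403 `policy_forbidden`) — a HARD deny that
+* approval CANNOT lift (e.g. a timeWindow forbid outside business hours).
+* The ExecutionEngine surfaces this as a TERMINAL denial with NO approval
+* prompt, unlike CREDENTIAL_INVALID / RESOURCE_MISMATCH which re-request.
+*/
+POLICY_FORBIDDEN: "POLICY_FORBIDDEN"
 };
 
 // src/registry/action-summary.ts
@@ -6691,6 +6700,7 @@ var version = "0.0.1";
 AIdentityClient,
 AIdentityError,
 APIVCManager,
+APPROVAL_REQUIRED_ACTION,
 AgentDIDManager,
 AgentManager,
 AgentStatus,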
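Review bot: Nothing in `GATEWAY_ERROR_CODE` or its comments says what a consumer should do with a code it does not recognise, and that matters now that `POLICY_FORBIDDEN` is a terminal deny while `CREDENTIAL_INVALID` and `RESOURCE_MISMATCH` re-request. An engine built against 0.14.0-alpha.1 that receives `POLICY_FORBIDDEN` will take whatever default branch it has; if that default re-requests approval, the hard deny becomes an approval prompt. I would state the rule once on the object in `src/registry/reauth-constants.ts`, e.g. `Codes not listed here MUST be treated as a terminal denial, never as re-requestable.` The ExecutionEngine branch is not part of this package diff, so whether it already fails closed cannot be confirmed here; the same applies to the matching declaration in `package/dist/index.d.mts`.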