@vess-id/ai-identity 0.14.0-alpha.3 → 0.14.0-alpha.4

package/dist/index.d.mts

@@ -9103,6 +9103,14 @@ declare const GATEWAY_ERROR_CODE: {
      * prompt, unlike CREDENTIAL_INVALID / RESOURCE_MISMATCH which re-request.
      */
     readonly POLICY_FORBIDDEN: "POLICY_FORBIDDEN";
+    /**
+     * Cedar `RequireApproval` fired at invoke time (HTTP 202 `auth_required`) —
+     * the VC was already issued, but the per-request evaluation (e.g. a new
+     * recipient that fails the internal-domain fold) still needs approval. Unlike
+     * POLICY_FORBIDDEN this IS lift-able: the ExecutionEngine mints an OOB
+     * approval URL (`waitingForApproval`) so the user can approve and retry.
+     */
+    readonly APPROVAL_REQUIRED: "APPROVAL_REQUIRED";
 };
 type GatewayErrorCode = (typeof GATEWAY_ERROR_CODE)[keyof typeof GATEWAY_ERROR_CODE];
 

package/dist/index.js

@@ -5911,7 +5911,15 @@ var GATEWAY_ERROR_CODE = {
    * The ExecutionEngine surfaces this as a TERMINAL denial with NO approval
    * prompt, unlike CREDENTIAL_INVALID / RESOURCE_MISMATCH which re-request.
    */
-  POLICY_FORBIDDEN: "POLICY_FORBIDDEN"
+  POLICY_FORBIDDEN: "POLICY_FORBIDDEN",
+  /**
+   * Cedar `RequireApproval` fired at invoke time (HTTP 202 `auth_required`) —
+   * the VC was already issued, but the per-request evaluation (e.g. a new
+   * recipient that fails the internal-domain fold) still needs approval. Unlike
+   * POLICY_FORBIDDEN this IS lift-able: the ExecutionEngine mints an OOB
+   * approval URL (`waitingForApproval`) so the user can approve and retry.
+   */
+  APPROVAL_REQUIRED: "APPROVAL_REQUIRED"
 };
 
 // src/registry/action-summary.ts