@vess-id/ai-identity 0.16.0-alpha.1 → 0.16.0-alpha.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/dist/index.d.mts CHANGED
@@ -865,6 +865,14 @@ interface PolicyRefInline {
865
865
  * resolve で取得できるため optional のまま).
866
866
  */
867
867
  schema_id?: string;
868
+ /**
869
+ * Policy engine that authored / evaluates this document. Omitted ⇒ `cedar`
870
+ * (historical default — all pre-Plan-B refs are Cedar and MUST stay wire-
871
+ * identical). Corresponds to the Policy Registry `engine` column (Plan B
872
+ * Task 1). Non-cedar engines (e.g. `'scheduling-delegation/v1'`) carry a
873
+ * non-Cedar `policy_inline` body and skip Cedar lint.
874
+ */
875
+ engine?: string;
868
876
  }
869
877
  /**
870
878
  * Reference policy mode — policy lives in the Policy Registry.
@@ -891,6 +899,15 @@ interface PolicyRefReference {
891
899
  * 同梱せず Registry 側で resolve する方針。
892
900
  */
893
901
  schema_id?: string;
902
+ /**
903
+ * Policy engine that authored / evaluates the referenced document. Omitted ⇒
904
+ * `cedar` (historical default — all pre-Plan-B refs are Cedar and MUST stay
905
+ * wire-identical). Corresponds to the Policy Registry `engine` column (Plan B
906
+ * Task 1); the served `/.well-known/policy-registry/:id` document declares the
907
+ * same value. Non-cedar engines (e.g. `'scheduling-delegation/v1'`) resolve to
908
+ * a non-Cedar body and skip Cedar lint.
909
+ */
910
+ engine?: string;
894
911
  }
895
912
  /**
896
913
  * Tagged union of policy reference shapes. Discriminator: `mode`.
@@ -1141,6 +1158,31 @@ interface VcSchedulingDelegationClaim {
1141
1158
  * which negotiation the write was for.
1142
1159
  */
1143
1160
  itemId?: string;
1161
+ /**
1162
+ * Scheduling Phase 2 Plan B (Task 3 bakes this) — the Policy Registry id of
1163
+ * the signed delegation-policy document the auto-issuance relied on. Lets an
1164
+ * auditor fetch the exact JWS-signed `/.well-known/policy-registry/:id`
1165
+ * document that this snapshot was derived from, instead of trusting the
1166
+ * inline snapshot alone. ADDITIVE / OPTIONAL: absent on legacy rows minted
1167
+ * before Plan B (which have no registry document).
1168
+ *
1169
+ * AUDIT-ONLY, same principle as the rest of this claim: no enforcement gate
1170
+ * reads it. At invoke time the delegation is re-evaluated against the LIVE
1171
+ * policy row + actual request parameters — the VC claim is never trusted as
1172
+ * an authorization source (#884 canonical resource checks unchanged).
1173
+ */
1174
+ policyRegistryId?: string;
1175
+ /**
1176
+ * Scheduling Phase 2 Plan B (Task 3 bakes this) — `sha256-` prefixed hash of
1177
+ * the canonical policy body the {@link policyRegistryId} document was minted
1178
+ * with. Tamper-evidence linking this snapshot to that exact document version.
1179
+ * ADDITIVE / OPTIONAL: absent on legacy rows minted before Plan B.
1180
+ *
1181
+ * AUDIT-ONLY, same principle as the rest of this claim: no enforcement gate
1182
+ * reads it. Invoke-time evaluation trusts the live policy row + actual
1183
+ * parameters, never the VC claim (#884 unchanged).
1184
+ */
1185
+ policyHash?: string;
1144
1186
  }
1145
1187
  interface PermissionVcClaims_V3 extends Omit<PermissionVcClaims_V2, 'v'> {
1146
1188
  /** Schema version — v3 adds Cedar policy_ref support and chain hierarchy fields. */
@@ -28364,7 +28406,23 @@ declare function isDecision(value: unknown): value is Decision;
28364
28406
  * lookup (registry keys are all lowercase), so `gmail.message.TRASH` still
28365
28407
  * hits the registry `high` instead of mis-falling-back to the suffix value.
28366
28408
  */
28367
- type ActionRisk = 'low' | 'medium' | 'high';
28409
+ /**
28410
+ * Risk tiers an action can declare. Aligned with the registry JSON-schema
28411
+ * enum (`action-registry.ts` → `risk: ['low','medium','high','critical']`)
28412
+ * and the Cedar-facing `RiskLevel` (types/context.ts) — PR #931 review: the
28413
+ * previous 3-value union LIED about the runtime, because a registry entry
28414
+ * declaring `risk: 'critical'` flowed through the `as ActionRisk` cast below
28415
+ * and `resolveActionRisk` returned the string `'critical'` while its type
28416
+ * said it could not. Every STRICTNESS seam (Gate-2 strict arm, the
28417
+ * autoIssueVC permit-arm pin, `stripHighRiskWildcardActions`,
28418
+ * `validateHighRiskResources`, agentd's wildcard-approval refuse) must treat
28419
+ * `'critical'` at least as strictly as `'high'` — never compare
28420
+ * `=== 'high'` alone.
28421
+ *
28422
+ * The suffix heuristic never yields 'critical' (only a registry entry can
28423
+ * declare it); no registry action uses it yet as of 2026-07-05.
28424
+ */
28425
+ type ActionRisk = 'low' | 'medium' | 'high' | 'critical';
28368
28426
  /**
28369
28427
  * Resolve the risk level for a dotted action name.
28370
28428
  *