@vess-id/vess 0.2.0-alpha.1

package/dist/adapter/mcp/mcp-adapter.js

@@ -0,0 +1,48 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.McpAdapter = void 0;
+/**
+ * MCP Adapter — thin bridge between MCP protocol and agentd core.
+ *
+ * This adapter does NOT:
+ * - Evaluate policies
+ * - Acquire or verify VCs/VPs
+ * - Access credentials or tokens
+ * - Make Gateway API calls
+ * - Decide execution routing
+ *
+ * It ONLY:
+ * - Receives MCP tool calls
+ * - Normalizes action names (MCP-specific format quirks)
+ * - Passes action + input to ExecutionEngine
+ * - Returns the result
+ */
+const ai_identity_1 = require("@vess-id/ai-identity");
+class McpAdapter {
+    engine;
+    constructor(engine) {
+        this.engine = engine;
+    }
+    async callTool(args) {
+        const action = (0, ai_identity_1.normalizeMcpActionName)(args.tool, args.action);
+        return this.engine.execute({
+            action,
+            input: args.parameters || {},
+            approval: args.approval ? {
+                token: args.approval.token,
+                choice: args.approval.choice,
+                vcTTLMinutes: args.approval.vcTTLMinutes,
+            } : undefined,
+            pendingRequestId: args.pendingRequestId,
+        });
+    }
+    async issueToolPermission(args) {
+        const actions = args.actions.map(a => (0, ai_identity_1.normalizeMcpActionName)(args.tool, a));
+        return this.engine.requestPermissions(actions);
+    }
+    async listAvailableTools() {
+        return this.engine.listAvailableTools();
+    }
+}
+exports.McpAdapter = McpAdapter;
+//# sourceMappingURL=mcp-adapter.js.map

package/dist/adapter/mcp/mcp-adapter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"mcp-adapter.js","sourceRoot":"","sources":["../../../src/adapter/mcp/mcp-adapter.ts"],"names":[],"mappings":";;;AAAA;;;;;;;;;;;;;;;GAeG;AACH,sDAA6D;AAK7D,MAAa,UAAU;IACQ;IAA7B,YAA6B,MAAuB;QAAvB,WAAM,GAAN,MAAM,CAAiB;IAAG,CAAC;IAExD,KAAK,CAAC,QAAQ,CAAC,IAMd;QACC,MAAM,MAAM,GAAG,IAAA,oCAAsB,EAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,MAAM,CAAC,CAAA;QAC7D,OAAO,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC;YACzB,MAAM;YACN,KAAK,EAAE,IAAI,CAAC,UAAU,IAAI,EAAE;YAC5B,QAAQ,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC;gBACxB,KAAK,EAAE,IAAI,CAAC,QAAQ,CAAC,KAAK;gBAC1B,MAAM,EAAE,IAAI,CAAC,QAAQ,CAAC,MAAwB;gBAC9C,YAAY,EAAE,IAAI,CAAC,QAAQ,CAAC,YAAY;aACzC,CAAC,CAAC,CAAC,SAAS;YACb,gBAAgB,EAAE,IAAI,CAAC,gBAAgB;SACxC,CAAC,CAAA;IACJ,CAAC;IAED,KAAK,CAAC,mBAAmB,CAAC,IAGzB;QACC,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,IAAA,oCAAsB,EAAC,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,CAAA;QAC3E,OAAO,IAAI,CAAC,MAAM,CAAC,kBAAkB,CAAC,OAAO,CAAC,CAAA;IAChD,CAAC;IAED,KAAK,CAAC,kBAAkB;QACtB,OAAO,IAAI,CAAC,MAAM,CAAC,kBAAkB,EAAE,CAAA;IACzC,CAAC;CACF;AAlCD,gCAkCC"}

package/dist/adapter/mcp/mcp-server.factory.d.ts

@@ -0,0 +1,35 @@
+import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+export interface MCPToolHandler {
+    callTool(args: {
+        tool: string;
+        action: string;
+        parameters?: Record<string, any>;
+        approval?: {
+            token: string;
+            choice: string;
+            vcTTLMinutes?: number;
+        };
+        pendingRequestId?: string;
+    }): Promise<{
+        success: boolean;
+        data?: any;
+        error?: string;
+        approvalRequired?: any;
+        waitingForApproval?: any;
+    }>;
+    issueToolPermission(args: {
+        tool: string;
+        actions: string[];
+    }): Promise<{
+        success: boolean;
+        data?: any;
+        error?: string;
+    }>;
+    listAvailableTools(): Promise<{
+        success: boolean;
+        data?: any;
+        error?: string;
+    }>;
+}
+export declare function createMcpServer(handler: MCPToolHandler): McpServer;
+//# sourceMappingURL=mcp-server.factory.d.ts.map

package/dist/adapter/mcp/mcp-server.factory.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"mcp-server.factory.d.ts","sourceRoot":"","sources":["../../../src/adapter/mcp/mcp-server.factory.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAA;AA6CnE,MAAM,WAAW,cAAc;IAC7B,QAAQ,CAAC,IAAI,EAAE;QACb,IAAI,EAAE,MAAM,CAAA;QACZ,MAAM,EAAE,MAAM,CAAA;QACd,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAA;QAChC,QAAQ,CAAC,EAAE;YAAE,KAAK,EAAE,MAAM,CAAC;YAAC,MAAM,EAAE,MAAM,CAAC;YAAC,YAAY,CAAC,EAAE,MAAM,CAAA;SAAE,CAAA;QACnE,gBAAgB,CAAC,EAAE,MAAM,CAAA;KAC1B,GAAG,OAAO,CAAC;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,IAAI,CAAC,EAAE,GAAG,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,gBAAgB,CAAC,EAAE,GAAG,CAAC;QAAC,kBAAkB,CAAC,EAAE,GAAG,CAAA;KAAE,CAAC,CAAA;IAC/G,mBAAmB,CAAC,IAAI,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,EAAE,CAAA;KAAE,GAAG,OAAO,CAAC;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,IAAI,CAAC,EAAE,GAAG,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAA;IACzH,kBAAkB,IAAI,OAAO,CAAC;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,IAAI,CAAC,EAAE,GAAG,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAA;CAChF;AAED,wBAAgB,eAAe,CAAC,OAAO,EAAE,cAAc,GAAG,SAAS,CAyFlE"}

package/dist/adapter/mcp/mcp-server.factory.js

@@ -0,0 +1,114 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createMcpServer = createMcpServer;
+const mcp_js_1 = require("@modelcontextprotocol/sdk/server/mcp.js");
+const ai_identity_1 = require("@vess-id/ai-identity");
+const zod_1 = require("zod");
+/** Zod enum for tool names, derived from SDK (now includes 'os') */
+const toolEnum = zod_1.z.enum(ai_identity_1.VALID_MCP_TOOLS);
+/** Action format description with full valid action list */
+const ACTION_FORMAT_DESC = 'Action in provider.resource.operation format. Valid actions: ' +
+    (0, ai_identity_1.getAllValidMcpActionNames)().join(', ');
+const CALL_TOOL_DESCRIPTION = `Execute an action on an external service or local resource on behalf of the user.
+This is the PRIMARY tool — always use this to perform actions. Permission is handled automatically:
+- Read-type actions (low risk) are auto-approved and execute immediately.
+- Write-type actions that need approval will return an approval_required response. Re-call with the approval parameter to confirm or deny.
+Do NOT call aidentity_request_permission first; just call this tool directly.
+
+Supported tools and common actions:
+
+**os** — Read/write local secret files (.env, credentials, etc.)
+  Actions: os.secret.read, os.secret.write
+  Example: tool="os", action="os.secret.read", parameters={"file_path": "~/projects/app/.env"}
+
+**slack** — Post/read/update/delete messages, list channels, get user info.
+  Common actions: slack.message.post, slack.message.read, slack.channel.read, slack.batch.read
+  The "channel" parameter accepts channel ID (e.g. "C0A159PP6QM"), channel name (e.g. "general"), or #-prefixed name (e.g. "#general"). Responses are compact by default (essential fields only). Set compact=false for full Slack API response.
+  Example: tool="slack", action="slack.message.post", parameters={"channel": "C01ABCD2EFG", "text": "Hello!"}
+  Example: tool="slack", action="slack.message.read", parameters={"channel": "C01ABCD2EFG", "limit": 10}
+
+**github** — Create/read/update/list issues.
+  Common actions: github.issue.create, github.issue.list, github.issue.read
+  Example: tool="github", action="github.issue.create", parameters={"title": "Bug report", "body": "Details..."}
+
+**jira** — Manage issues, projects, boards, sprints.
+  Common actions: jira.issue.create, jira.issue.search, jira.project.read
+
+**gmail** — Search/read/send/delete emails.
+  Common actions: gmail.message.search, gmail.message.read, gmail.message.send
+
+**calendar** — List/create/update/delete Google Calendar events.
+  Common actions: calendar.event.list, calendar.event.create
+
+Call aidentity_list_available_tools for detailed parameter schemas of each action.`;
+function createMcpServer(handler) {
+    const server = new mcp_js_1.McpServer({
+        name: 'VESS',
+        version: '0.1.0',
+    });
+    const formatResult = (result) => {
+        if (result.waitingForApproval) {
+            return {
+                content: [{
+                        type: 'text',
+                        text: JSON.stringify(result.waitingForApproval, null, 2),
+                    }],
+                isError: false,
+            };
+        }
+        if (result.approvalRequired) {
+            return {
+                content: [{ type: 'text', text: JSON.stringify(result.approvalRequired, null, 2) }],
+                isError: false,
+            };
+        }
+        if (result.success) {
+            return {
+                content: [{ type: 'text', text: JSON.stringify(result.data, null, 2) }],
+            };
+        }
+        return {
+            content: [{ type: 'text', text: result.error || 'Unknown error' }],
+            isError: true,
+        };
+    };
+    server.tool('aidentity_call_tool', CALL_TOOL_DESCRIPTION, {
+        tool: toolEnum,
+        action: zod_1.z.string().describe(ACTION_FORMAT_DESC),
+        parameters: zod_1.z.record(zod_1.z.string(), zod_1.z.any()).optional().describe('Tool-specific parameters'),
+        approval: zod_1.z.object({
+            token: zod_1.z.string().describe('HMAC-signed approval token from a previous approval_required response'),
+            choice: zod_1.z.enum(['one_time', 'persistent', 'deny_once', 'deny_persistent']).describe('User approval choice'),
+            vcTTLMinutes: zod_1.z.number().min(5).max(1440).optional().describe('Custom VC TTL in minutes (5-1440)'),
+        }).optional().describe('Approval response — only provide when re-calling after an approval_required response'),
+        pendingRequestId: zod_1.z.string().optional()
+            .describe('Request ID from a previous waiting_for_approval response. Use to check if approval was completed.'),
+    }, async (args) => {
+        const result = await handler.callTool({
+            tool: args.tool,
+            action: args.action,
+            parameters: args.parameters,
+            approval: args.approval,
+            pendingRequestId: args.pendingRequestId,
+        });
+        return formatResult(result);
+    });
+    server.tool('aidentity_request_permission', 'OPTIONAL: Pre-request permission for multiple actions at once. ' +
+        'In most cases, use aidentity_call_tool directly instead — it handles permissions automatically.', {
+        tool: toolEnum,
+        actions: zod_1.z.array(zod_1.z.string().describe(ACTION_FORMAT_DESC))
+            .describe('One or more actions to request permission for'),
+    }, async (args) => {
+        const result = await handler.issueToolPermission({
+            tool: args.tool,
+            actions: args.actions,
+        });
+        return formatResult(result);
+    });
+    server.tool('aidentity_list_available_tools', 'List all available tools and their supported actions.', {}, async () => {
+        const result = await handler.listAvailableTools();
+        return formatResult(result);
+    });
+    return server;
+}
+//# sourceMappingURL=mcp-server.factory.js.map

package/dist/adapter/mcp/mcp-server.factory.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"mcp-server.factory.js","sourceRoot":"","sources":["../../../src/adapter/mcp/mcp-server.factory.ts"],"names":[],"mappings":";;AAyDA,0CAyFC;AAlJD,oEAAmE;AACnE,sDAAiF;AACjF,6BAAuB;AAEvB,oEAAoE;AACpE,MAAM,QAAQ,GAAG,OAAC,CAAC,IAAI,CAAC,6BAAwC,CAAC,CAAA;AAEjE,4DAA4D;AAC5D,MAAM,kBAAkB,GACtB,+DAA+D;IAC/D,IAAA,uCAAyB,GAAE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;AAExC,MAAM,qBAAqB,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;mFA+BqD,CAAA;AAcnF,SAAgB,eAAe,CAAC,OAAuB;IACrD,MAAM,MAAM,GAAG,IAAI,kBAAS,CAAC;QAC3B,IAAI,EAAE,MAAM;QACZ,OAAO,EAAE,OAAO;KACjB,CAAC,CAAA;IAEF,MAAM,YAAY,GAAG,CAAC,MAA0G,EAAE,EAAE;QAClI,IAAI,MAAM,CAAC,kBAAkB,EAAE,CAAC;YAC9B,OAAO;gBACL,OAAO,EAAE,CAAC;wBACR,IAAI,EAAE,MAAe;wBACrB,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,kBAAkB,EAAE,IAAI,EAAE,CAAC,CAAC;qBACzD,CAAC;gBACF,OAAO,EAAE,KAAK;aACf,CAAA;QACH,CAAC;QACD,IAAI,MAAM,CAAC,gBAAgB,EAAE,CAAC;YAC5B,OAAO;gBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,gBAAgB,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,CAAC;gBAC5F,OAAO,EAAE,KAAK;aACf,CAAA;QACH,CAAC;QACD,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;YACnB,OAAO;gBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,CAAC;aACjF,CAAA;QACH,CAAC;QACD,OAAO;YACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,MAAM,CAAC,KAAK,IAAI,eAAe,EAAE,CAAC;YAC3E,OAAO,EAAE,IAAI;SACd,CAAA;IACH,CAAC,CAAA;IAED,MAAM,CAAC,IAAI,CACT,qBAAqB,EACrB,qBAAqB,EACrB;QACE,IAAI,EAAE,QAAQ;QACd,MAAM,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,kBAAkB,CAAC;QAC/C,UAAU,EAAE,OAAC,CAAC,MAAM,CAAC,OAAC,CAAC,MAAM,EAAE,EAAE,OAAC,CAAC,GAAG,EAAE,CAAC,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,0BAA0B,CAAC;QACzF,QAAQ,EAAE,OAAC,CAAC,MAAM,CAAC;YACjB,KAAK,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,uEAAuE,CAAC;YACnG,MAAM,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,YAAY,EAAE,WAAW,EAAE,iBAAiB,CAAC,CAAC,CAAC,QAAQ,CAAC,sBAAsB,CAAC;YAC3G,YAAY,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,mCAAmC,CAAC;SACnG,CAAC,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,sFAAsF,CAAC;QAC9G,gBAAgB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;aACpC,QAAQ,CAAC,mGAAmG,CAAC;KACjH,EACD,KAAK,EAAE,IAAS,EAAE,EAAE;QAClB,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,QAAQ,CAAC;YACpC,IAAI,EAAE,IAAI,CAAC,IAAc;YACzB,MAAM,EAAE,IAAI,CAAC,MAAgB;YAC7B,UAAU,EAAE,IAAI,CAAC,UAA6C;YAC9D,QAAQ,EAAE,IAAI,CAAC,QAAgF;YAC/F,gBAAgB,EAAE,IAAI,CAAC,gBAAsC;SAC9D,CAAC,CAAA;QACF,OAAO,YAAY,CAAC,MAAM,CAAC,CAAA;IAC7B,CAAC,CACF,CAAA;IAED,MAAM,CAAC,IAAI,CACT,8BAA8B,EAC9B,iEAAiE;QACjE,iGAAiG,EACjG;QACE,IAAI,EAAE,QAAQ;QACd,OAAO,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,kBAAkB,CAAC,CAAC;aACtD,QAAQ,CAAC,+CAA+C,CAAC;KAC7D,EACD,KAAK,EAAE,IAAS,EAAE,EAAE;QAClB,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,mBAAmB,CAAC;YAC/C,IAAI,EAAE,IAAI,CAAC,IAAc;YACzB,OAAO,EAAE,IAAI,CAAC,OAAmB;SAClC,CAAC,CAAA;QACF,OAAO,YAAY,CAAC,MAAM,CAAC,CAAA;IAC7B,CAAC,CACF,CAAA;IAED,MAAM,CAAC,IAAI,CACT,gCAAgC,EAChC,uDAAuD,EACvD,EAAE,EACF,KAAK,IAAI,EAAE;QACT,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,kBAAkB,EAAE,CAAA;QACjD,OAAO,YAAY,CAAC,MAAM,CAAC,CAAA;IAC7B,CAAC,CACF,CAAA;IAED,OAAO,MAAM,CAAA;AACf,CAAC"}

package/dist/adapter/mcp/stdio-transport.d.ts

@@ -0,0 +1,7 @@
+import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+/**
+ * Connect MCP server via stdio transport.
+ * This is how AI clients (Claude Code, etc.) communicate with vess.
+ */
+export declare function connectStdioTransport(server: McpServer): Promise<void>;
+//# sourceMappingURL=stdio-transport.d.ts.map

package/dist/adapter/mcp/stdio-transport.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"stdio-transport.d.ts","sourceRoot":"","sources":["../../../src/adapter/mcp/stdio-transport.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAA;AAEnE;;;GAGG;AACH,wBAAsB,qBAAqB,CAAC,MAAM,EAAE,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,CAG5E"}

package/dist/adapter/mcp/stdio-transport.js

@@ -0,0 +1,13 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.connectStdioTransport = connectStdioTransport;
+const stdio_js_1 = require("@modelcontextprotocol/sdk/server/stdio.js");
+/**
+ * Connect MCP server via stdio transport.
+ * This is how AI clients (Claude Code, etc.) communicate with vess.
+ */
+async function connectStdioTransport(server) {
+    const transport = new stdio_js_1.StdioServerTransport();
+    await server.connect(transport);
+}
+//# sourceMappingURL=stdio-transport.js.map

package/dist/adapter/mcp/stdio-transport.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"stdio-transport.js","sourceRoot":"","sources":["../../../src/adapter/mcp/stdio-transport.ts"],"names":[],"mappings":";;AAOA,sDAGC;AAVD,wEAAgF;AAGhF;;;GAGG;AACI,KAAK,UAAU,qBAAqB,CAAC,MAAiB;IAC3D,MAAM,SAAS,GAAG,IAAI,+BAAoB,EAAE,CAAA;IAC5C,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAA;AACjC,CAAC"}

package/dist/adapter/mcp/transport.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Transport layer re-exports.
+ *
+ * - stdio: for single-client mode (used internally by MCP)
+ * - http: for multi-client daemon mode (vess daemon start)
+ */
+export { connectStdioTransport } from './stdio-transport';
+export { startHttpTransport } from './http-transport';
+export type { HttpTransportHandle } from './http-transport';
+//# sourceMappingURL=transport.d.ts.map

package/dist/adapter/mcp/transport.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"transport.d.ts","sourceRoot":"","sources":["../../../src/adapter/mcp/transport.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,OAAO,EAAE,qBAAqB,EAAE,MAAM,mBAAmB,CAAA;AACzD,OAAO,EAAE,kBAAkB,EAAE,MAAM,kBAAkB,CAAA;AACrD,YAAY,EAAE,mBAAmB,EAAE,MAAM,kBAAkB,CAAA"}

package/dist/adapter/mcp/transport.js

@@ -0,0 +1,14 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.startHttpTransport = exports.connectStdioTransport = void 0;
+/**
+ * Transport layer re-exports.
+ *
+ * - stdio: for single-client mode (used internally by MCP)
+ * - http: for multi-client daemon mode (vess daemon start)
+ */
+var stdio_transport_1 = require("./stdio-transport");
+Object.defineProperty(exports, "connectStdioTransport", { enumerable: true, get: function () { return stdio_transport_1.connectStdioTransport; } });
+var http_transport_1 = require("./http-transport");
+Object.defineProperty(exports, "startHttpTransport", { enumerable: true, get: function () { return http_transport_1.startHttpTransport; } });
+//# sourceMappingURL=transport.js.map

package/dist/adapter/mcp/transport.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"transport.js","sourceRoot":"","sources":["../../../src/adapter/mcp/transport.ts"],"names":[],"mappings":";;;AAAA;;;;;GAKG;AACH,qDAAyD;AAAhD,wHAAA,qBAAqB,OAAA;AAC9B,mDAAqD;AAA5C,oHAAA,kBAAkB,OAAA"}

package/dist/approval/approval-token.d.ts

@@ -0,0 +1,23 @@
+interface GenerateParams {
+    action: string;
+    scope: string;
+    resource?: string;
+    context: 'new_approval' | 'reconfirmation';
+}
+interface VerifyResult {
+    valid: boolean;
+    nonce?: string;
+    context?: 'new_approval' | 'reconfirmation';
+    error?: string;
+}
+export declare class ApprovalTokenService {
+    private static readonly MAX_NONCES;
+    private readonly secret;
+    private readonly ttlSeconds;
+    private readonly usedNonces;
+    constructor(ttlSeconds?: number);
+    generate(params: GenerateParams): string;
+    verify(token: string, expectedAction: string, expectedResource?: string): VerifyResult;
+}
+export {};
+//# sourceMappingURL=approval-token.d.ts.map

package/dist/approval/approval-token.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"approval-token.d.ts","sourceRoot":"","sources":["../../src/approval/approval-token.ts"],"names":[],"mappings":"AAEA,UAAU,cAAc;IACtB,MAAM,EAAE,MAAM,CAAA;IACd,KAAK,EAAE,MAAM,CAAA;IACb,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,OAAO,EAAE,cAAc,GAAG,gBAAgB,CAAA;CAC3C;AAED,UAAU,YAAY;IACpB,KAAK,EAAE,OAAO,CAAA;IACd,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,OAAO,CAAC,EAAE,cAAc,GAAG,gBAAgB,CAAA;IAC3C,KAAK,CAAC,EAAE,MAAM,CAAA;CACf;AAID,qBAAa,oBAAoB;IAC/B,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAS;IAE3C,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAQ;IAC/B,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAQ;IACnC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAA4B;gBAE3C,UAAU,GAAE,MAA4B;IAKpD,QAAQ,CAAC,MAAM,EAAE,cAAc,GAAG,MAAM;IAkBxC,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,EAAE,gBAAgB,CAAC,EAAE,MAAM,GAAG,YAAY;CAyDvF"}

package/dist/approval/approval-token.js

@@ -0,0 +1,81 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ApprovalTokenService = void 0;
+const crypto_1 = require("crypto");
+const DEFAULT_TTL_SECONDS = 300;
+class ApprovalTokenService {
+    static MAX_NONCES = 10_000;
+    secret;
+    ttlSeconds;
+    usedNonces = new Map();
+    constructor(ttlSeconds = DEFAULT_TTL_SECONDS) {
+        this.secret = (0, crypto_1.randomBytes)(32);
+        this.ttlSeconds = ttlSeconds;
+    }
+    generate(params) {
+        const now = Math.floor(Date.now() / 1000);
+        const payload = {
+            v: 1,
+            action: params.action,
+            scope: params.scope,
+            resource: params.resource,
+            nonce: (0, crypto_1.randomUUID)(),
+            iat: now,
+            exp: now + this.ttlSeconds,
+            ctx: params.context,
+        };
+        const payloadB64 = Buffer.from(JSON.stringify(payload)).toString('base64url');
+        const signature = (0, crypto_1.createHmac)('sha256', this.secret).update(payloadB64).digest('base64url');
+        return `${payloadB64}.${signature}`;
+    }
+    verify(token, expectedAction, expectedResource) {
+        const now = Date.now();
+        for (const [nonce, expiry] of this.usedNonces) {
+            if (expiry < now)
+                this.usedNonces.delete(nonce);
+        }
+        const parts = token.split('.');
+        if (parts.length !== 2) {
+            return { valid: false, error: 'Malformed token: expected payload.signature' };
+        }
+        const [payloadB64, signatureB64] = parts;
+        const expectedSig = (0, crypto_1.createHmac)('sha256', this.secret).update(payloadB64).digest('base64url');
+        const expectedBuf = Buffer.from(expectedSig);
+        const actualBuf = Buffer.from(signatureB64);
+        if (expectedBuf.length !== actualBuf.length || !(0, crypto_1.timingSafeEqual)(expectedBuf, actualBuf)) {
+            return { valid: false, error: 'Invalid token signature' };
+        }
+        let payload;
+        try {
+            payload = JSON.parse(Buffer.from(payloadB64, 'base64url').toString());
+        }
+        catch {
+            return { valid: false, error: 'Invalid token payload' };
+        }
+        const nowSec = Math.floor(Date.now() / 1000);
+        if (payload.exp <= nowSec) {
+            return { valid: false, error: 'Token expired' };
+        }
+        if (payload.action !== expectedAction) {
+            return { valid: false, error: `Token action mismatch: expected ${expectedAction}, got ${payload.action}` };
+        }
+        // Check resource binding
+        if (expectedResource !== undefined && payload.resource !== expectedResource) {
+            return { valid: false, error: `Token resource mismatch: expected ${expectedResource}, got ${payload.resource}` };
+        }
+        if (this.usedNonces.has(payload.nonce)) {
+            return { valid: false, error: 'Token nonce already used (replay detected)' };
+        }
+        if (this.usedNonces.size >= ApprovalTokenService.MAX_NONCES) {
+            return { valid: false, error: 'Nonce store capacity exceeded — try again shortly' };
+        }
+        this.usedNonces.set(payload.nonce, payload.exp * 1000);
+        return {
+            valid: true,
+            nonce: payload.nonce,
+            context: payload.ctx,
+        };
+    }
+}
+exports.ApprovalTokenService = ApprovalTokenService;
+//# sourceMappingURL=approval-token.js.map

package/dist/approval/approval-token.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"approval-token.js","sourceRoot":"","sources":["../../src/approval/approval-token.ts"],"names":[],"mappings":";;;AAAA,mCAA6E;AAgB7E,MAAM,mBAAmB,GAAG,GAAG,CAAA;AAE/B,MAAa,oBAAoB;IACvB,MAAM,CAAU,UAAU,GAAG,MAAM,CAAA;IAE1B,MAAM,CAAQ;IACd,UAAU,CAAQ;IAClB,UAAU,GAAG,IAAI,GAAG,EAAkB,CAAA;IAEvD,YAAY,aAAqB,mBAAmB;QAClD,IAAI,CAAC,MAAM,GAAG,IAAA,oBAAW,EAAC,EAAE,CAAC,CAAA;QAC7B,IAAI,CAAC,UAAU,GAAG,UAAU,CAAA;IAC9B,CAAC;IAED,QAAQ,CAAC,MAAsB;QAC7B,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAA;QACzC,MAAM,OAAO,GAAG;YACd,CAAC,EAAE,CAAC;YACJ,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,KAAK,EAAE,IAAA,mBAAU,GAAE;YACnB,GAAG,EAAE,GAAG;YACR,GAAG,EAAE,GAAG,GAAG,IAAI,CAAC,UAAU;YAC1B,GAAG,EAAE,MAAM,CAAC,OAAO;SACpB,CAAA;QAED,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAA;QAC7E,MAAM,SAAS,GAAG,IAAA,mBAAU,EAAC,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAA;QAC1F,OAAO,GAAG,UAAU,IAAI,SAAS,EAAE,CAAA;IACrC,CAAC;IAED,MAAM,CAAC,KAAa,EAAE,cAAsB,EAAE,gBAAyB;QACrE,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;QACtB,KAAK,MAAM,CAAC,KAAK,EAAE,MAAM,CAAC,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YAC9C,IAAI,MAAM,GAAG,GAAG;gBAAE,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;QACjD,CAAC;QAED,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;QAC9B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,6CAA6C,EAAE,CAAA;QAC/E,CAAC;QAED,MAAM,CAAC,UAAU,EAAE,YAAY,CAAC,GAAG,KAAK,CAAA;QAExC,MAAM,WAAW,GAAG,IAAA,mBAAU,EAAC,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAA;QAC5F,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAA;QAC5C,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,CAAA;QAC3C,IAAI,WAAW,CAAC,MAAM,KAAK,SAAS,CAAC,MAAM,IAAI,CAAC,IAAA,wBAAe,EAAC,WAAW,EAAE,SAAS,CAAC,EAAE,CAAC;YACxF,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,yBAAyB,EAAE,CAAA;QAC3D,CAAC;QAED,IAAI,OAAY,CAAA;QAChB,IAAI,CAAC;YACH,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAA;QACvE,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,uBAAuB,EAAE,CAAA;QACzD,CAAC;QAED,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAA;QAC5C,IAAI,OAAO,CAAC,GAAG,IAAI,MAAM,EAAE,CAAC;YAC1B,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,eAAe,EAAE,CAAA;QACjD,CAAC;QAED,IAAI,OAAO,CAAC,MAAM,KAAK,cAAc,EAAE,CAAC;YACtC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,mCAAmC,cAAc,SAAS,OAAO,CAAC,MAAM,EAAE,EAAE,CAAA;QAC5G,CAAC;QAED,yBAAyB;QACzB,IAAI,gBAAgB,KAAK,SAAS,IAAI,OAAO,CAAC,QAAQ,KAAK,gBAAgB,EAAE,CAAC;YAC5E,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,qCAAqC,gBAAgB,SAAS,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAA;QAClH,CAAC;QAED,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YACvC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,4CAA4C,EAAE,CAAA;QAC9E,CAAC;QAED,IAAI,IAAI,CAAC,UAAU,CAAC,IAAI,IAAI,oBAAoB,CAAC,UAAU,EAAE,CAAC;YAC5D,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,mDAAmD,EAAE,CAAA;QACrF,CAAC;QAED,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,OAAO,CAAC,KAAK,EAAE,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC,CAAA;QAEtD,OAAO;YACL,KAAK,EAAE,IAAI;YACX,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,OAAO,EAAE,OAAO,CAAC,GAAG;SACrB,CAAA;IACH,CAAC;;AAtFH,oDAuFC"}

package/dist/audit/audit-dto-mapper.d.ts

@@ -0,0 +1,29 @@
+import { AuditEntry } from './audit-logger';
+/**
+ * Event type constants matching API's AuditEventType enum.
+ * Defined locally to avoid cross-package dependency.
+ * @see packages/api/src/audit/entities/audit-event.entity.ts
+ */
+export declare const AUDIT_EVENT_TYPE: {
+    readonly TOOL_INVOCATION: "tool_invocation";
+    readonly GATEWAY_EXECUTE: "gateway_execute";
+};
+/**
+ * Severity constants matching API's AuditEventSeverity enum.
+ */
+export declare const AUDIT_SEVERITY: {
+    readonly LOW: "low";
+    readonly MEDIUM: "medium";
+};
+/**
+ * Transform agentd's AuditEntry into the API's CreateAuditEventDto format.
+ *
+ * Key mappings:
+ * - enforcementType/decisionSource → metadata (agentd-specific context)
+ * - agentDid → namespace (required by API DTO)
+ * - (derived) → eventType (TOOL_INVOCATION for agentd events)
+ */
+export declare function auditEntryToApiDto(e: AuditEntry & {
+    id: string;
+}): Record<string, unknown>;
+//# sourceMappingURL=audit-dto-mapper.d.ts.map

package/dist/audit/audit-dto-mapper.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit-dto-mapper.d.ts","sourceRoot":"","sources":["../../src/audit/audit-dto-mapper.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAA;AAE3C;;;;GAIG;AACH,eAAO,MAAM,gBAAgB;;;CAGnB,CAAA;AAEV;;GAEG;AACH,eAAO,MAAM,cAAc;;;CAGjB,CAAA;AAEV;;;;;;;GAOG;AACH,wBAAgB,kBAAkB,CAAC,CAAC,EAAE,UAAU,GAAG;IAAE,EAAE,EAAE,MAAM,CAAA;CAAE,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAkC1F"}

package/dist/audit/audit-dto-mapper.js

@@ -0,0 +1,61 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AUDIT_SEVERITY = exports.AUDIT_EVENT_TYPE = void 0;
+exports.auditEntryToApiDto = auditEntryToApiDto;
+/**
+ * Event type constants matching API's AuditEventType enum.
+ * Defined locally to avoid cross-package dependency.
+ * @see packages/api/src/audit/entities/audit-event.entity.ts
+ */
+exports.AUDIT_EVENT_TYPE = {
+    TOOL_INVOCATION: 'tool_invocation',
+    GATEWAY_EXECUTE: 'gateway_execute',
+};
+/**
+ * Severity constants matching API's AuditEventSeverity enum.
+ */
+exports.AUDIT_SEVERITY = {
+    LOW: 'low',
+    MEDIUM: 'medium',
+};
+/**
+ * Transform agentd's AuditEntry into the API's CreateAuditEventDto format.
+ *
+ * Key mappings:
+ * - enforcementType/decisionSource → metadata (agentd-specific context)
+ * - agentDid → namespace (required by API DTO)
+ * - (derived) → eventType (TOOL_INVOCATION for agentd events)
+ */
+function auditEntryToApiDto(e) {
+    if (!e.agentDid) {
+        console.warn(`[AuditSync] Audit event missing agentDid, using fallback namespace: action=${e.action}`);
+    }
+    return {
+        eventType: exports.AUDIT_EVENT_TYPE.TOOL_INVOCATION,
+        namespace: e.agentDid || e.rootDid || 'unknown',
+        action: e.action,
+        decision: e.decision,
+        severity: e.decision === 'deny' ? exports.AUDIT_SEVERITY.MEDIUM : exports.AUDIT_SEVERITY.LOW,
+        agentDid: e.agentDid,
+        ownerDid: e.rootDid,
+        projectId: e.projectId,
+        provider: e.provider,
+        executionType: e.executionType,
+        reason: e.decisionReason,
+        correlationId: e.id,
+        credentialIds: e.credentialId ? [e.credentialId] : undefined,
+        resource: e.normalizedResource || e.requestedResource,
+        resourceType: e.provider ? `${e.provider}:*` : undefined,
+        metadata: Object.fromEntries(Object.entries({
+            enforcementType: e.enforcementType,
+            decisionSource: e.decisionSource,
+            grantId: e.grantId,
+            approvalMode: e.approvalMode,
+            approvalNonce: e.approvalNonce,
+            resourceFingerprint: e.resourceFingerprint,
+            presenterDid: e.presenterDid,
+            ...(e.metadata || {}),
+        }).filter(([, v]) => v !== undefined)),
+    };
+}
+//# sourceMappingURL=audit-dto-mapper.js.map

package/dist/audit/audit-dto-mapper.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit-dto-mapper.js","sourceRoot":"","sources":["../../src/audit/audit-dto-mapper.ts"],"names":[],"mappings":";;;AA4BA,gDAkCC;AA5DD;;;;GAIG;AACU,QAAA,gBAAgB,GAAG;IAC9B,eAAe,EAAE,iBAAiB;IAClC,eAAe,EAAE,iBAAiB;CAC1B,CAAA;AAEV;;GAEG;AACU,QAAA,cAAc,GAAG;IAC5B,GAAG,EAAE,KAAK;IACV,MAAM,EAAE,QAAQ;CACR,CAAA;AAEV;;;;;;;GAOG;AACH,SAAgB,kBAAkB,CAAC,CAA8B;IAC/D,IAAI,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC;QAChB,OAAO,CAAC,IAAI,CAAC,8EAA8E,CAAC,CAAC,MAAM,EAAE,CAAC,CAAA;IACxG,CAAC;IAED,OAAO;QACL,SAAS,EAAE,wBAAgB,CAAC,eAAe;QAC3C,SAAS,EAAE,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,OAAO,IAAI,SAAS;QAC/C,MAAM,EAAE,CAAC,CAAC,MAAM;QAChB,QAAQ,EAAE,CAAC,CAAC,QAAQ;QACpB,QAAQ,EAAE,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,CAAC,sBAAc,CAAC,MAAM,CAAC,CAAC,CAAC,sBAAc,CAAC,GAAG;QAC5E,QAAQ,EAAE,CAAC,CAAC,QAAQ;QACpB,QAAQ,EAAE,CAAC,CAAC,OAAO;QACnB,SAAS,EAAE,CAAC,CAAC,SAAS;QACtB,QAAQ,EAAE,CAAC,CAAC,QAAQ;QACpB,aAAa,EAAE,CAAC,CAAC,aAAa;QAC9B,MAAM,EAAE,CAAC,CAAC,cAAc;QACxB,aAAa,EAAE,CAAC,CAAC,EAAE;QACnB,aAAa,EAAE,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,SAAS;QAC5D,QAAQ,EAAE,CAAC,CAAC,kBAAkB,IAAI,CAAC,CAAC,iBAAiB;QACrD,YAAY,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,CAAC,SAAS;QACxD,QAAQ,EAAE,MAAM,CAAC,WAAW,CAC1B,MAAM,CAAC,OAAO,CAAC;YACb,eAAe,EAAE,CAAC,CAAC,eAAe;YAClC,cAAc,EAAE,CAAC,CAAC,cAAc;YAChC,OAAO,EAAE,CAAC,CAAC,OAAO;YAClB,YAAY,EAAE,CAAC,CAAC,YAAY;YAC5B,aAAa,EAAE,CAAC,CAAC,aAAa;YAC9B,mBAAmB,EAAE,CAAC,CAAC,mBAAmB;YAC1C,YAAY,EAAE,CAAC,CAAC,YAAY;YAC5B,GAAG,CAAC,CAAC,CAAC,QAAQ,IAAI,EAAE,CAAC;SACtB,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,SAAS,CAAC,CACtC;KACF,CAAA;AACH,CAAC"}

package/dist/audit/audit-logger.d.ts

@@ -0,0 +1,35 @@
+import Database from 'better-sqlite3';
+export interface AuditEntry {
+    id?: string;
+    timestamp?: number;
+    projectId?: string;
+    rootDid?: string;
+    agentDid?: string;
+    presenterDid?: string;
+    action: string;
+    provider?: string;
+    enforcementType?: 'local' | 'gateway_verified_local' | 'cached_verified_local' | 'gateway';
+    decisionSource?: 'local_policy' | 'org_policy' | 'cached_vc' | 'new_vc_from_quick_approve' | 'gateway_execution';
+    executionType: 'gateway' | 'local';
+    decision: 'allow' | 'deny';
+    decisionReason?: string;
+    requestedResource?: string;
+    normalizedResource?: string;
+    resourceFingerprint?: string;
+    grantId?: string;
+    credentialId?: string;
+    approvalMode?: 'one_time' | 'persistent';
+    approvalNonce?: string;
+    metadata?: Record<string, unknown>;
+}
+export declare class AuditLogger {
+    private readonly db;
+    constructor(db: Database.Database);
+    logEvent(entry: AuditEntry): string;
+    getPendingEvents(limit?: number): (AuditEntry & {
+        id: string;
+    })[];
+    markSynced(ids: string[]): void;
+    private rowToEntry;
+}
+//# sourceMappingURL=audit-logger.d.ts.map

package/dist/audit/audit-logger.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit-logger.d.ts","sourceRoot":"","sources":["../../src/audit/audit-logger.ts"],"names":[],"mappings":"AAAA,OAAO,QAAQ,MAAM,gBAAgB,CAAA;AAGrC,MAAM,WAAW,UAAU;IACzB,EAAE,CAAC,EAAE,MAAM,CAAA;IACX,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,YAAY,CAAC,EAAE,MAAM,CAAA;IACrB,MAAM,EAAE,MAAM,CAAA;IACd,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,eAAe,CAAC,EAAE,OAAO,GAAG,wBAAwB,GAAG,uBAAuB,GAAG,SAAS,CAAA;IAC1F,cAAc,CAAC,EAAE,cAAc,GAAG,YAAY,GAAG,WAAW,GAAG,2BAA2B,GAAG,mBAAmB,CAAA;IAChH,aAAa,EAAE,SAAS,GAAG,OAAO,CAAA;IAClC,QAAQ,EAAE,OAAO,GAAG,MAAM,CAAA;IAC1B,cAAc,CAAC,EAAE,MAAM,CAAA;IACvB,iBAAiB,CAAC,EAAE,MAAM,CAAA;IAC1B,kBAAkB,CAAC,EAAE,MAAM,CAAA;IAC3B,mBAAmB,CAAC,EAAE,MAAM,CAAA;IAC5B,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,YAAY,CAAC,EAAE,MAAM,CAAA;IACrB,YAAY,CAAC,EAAE,UAAU,GAAG,YAAY,CAAA;IACxC,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CACnC;AAED,qBAAa,WAAW;IACV,OAAO,CAAC,QAAQ,CAAC,EAAE;gBAAF,EAAE,EAAE,QAAQ,CAAC,QAAQ;IAElD,QAAQ,CAAC,KAAK,EAAE,UAAU,GAAG,MAAM;IAwCnC,gBAAgB,CAAC,KAAK,GAAE,MAAY,GAAG,CAAC,UAAU,GAAG;QAAE,EAAE,EAAE,MAAM,CAAA;KAAE,CAAC,EAAE;IAQtE,UAAU,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,IAAI;IAW/B,OAAO,CAAC,UAAU;CAyBnB"}

package/dist/audit/audit-logger.js

@@ -0,0 +1,67 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuditLogger = void 0;
+const crypto_1 = require("crypto");
+class AuditLogger {
+    db;
+    constructor(db) {
+        this.db = db;
+    }
+    logEvent(entry) {
+        const id = entry.id || (0, crypto_1.randomUUID)();
+        const timestamp = entry.timestamp || Date.now();
+        this.db.prepare(`
+      INSERT INTO audit_log (
+        id, timestamp, project_id, root_did, agent_did, presenter_did,
+        action, provider, enforcement_type, decision_source,
+        execution_type, decision, decision_reason,
+        requested_resource, normalized_resource, resource_fingerprint,
+        grant_id, credential_id, approval_mode, approval_nonce,
+        metadata, synced_at
+      ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+    `).run(id, timestamp, entry.projectId ?? null, entry.rootDid ?? null, entry.agentDid ?? null, entry.presenterDid ?? null, entry.action, entry.provider ?? null, entry.enforcementType ?? null, entry.decisionSource ?? null, entry.executionType, entry.decision, entry.decisionReason ?? null, entry.requestedResource ?? null, entry.normalizedResource ?? null, entry.resourceFingerprint ?? null, entry.grantId ?? null, entry.credentialId ?? null, entry.approvalMode ?? null, entry.approvalNonce ?? null, entry.metadata ? JSON.stringify(entry.metadata) : null, null // synced_at = NULL (not yet synced)
+        );
+        return id;
+    }
+    getPendingEvents(limit = 100) {
+        const rows = this.db.prepare('SELECT * FROM audit_log WHERE synced_at IS NULL ORDER BY timestamp ASC LIMIT ?').all(limit);
+        return rows.map(r => this.rowToEntry(r));
+    }
+    markSynced(ids) {
+        const now = Date.now();
+        const stmt = this.db.prepare('UPDATE audit_log SET synced_at = ? WHERE id = ?');
+        const transaction = this.db.transaction((eventIds) => {
+            for (const id of eventIds) {
+                stmt.run(now, id);
+            }
+        });
+        transaction(ids);
+    }
+    rowToEntry(row) {
+        return {
+            id: row.id,
+            timestamp: row.timestamp,
+            projectId: row.project_id ?? undefined,
+            rootDid: row.root_did ?? undefined,
+            agentDid: row.agent_did ?? undefined,
+            presenterDid: row.presenter_did ?? undefined,
+            action: row.action,
+            provider: row.provider ?? undefined,
+            enforcementType: row.enforcement_type ?? undefined,
+            decisionSource: row.decision_source ?? undefined,
+            executionType: row.execution_type,
+            decision: row.decision,
+            decisionReason: row.decision_reason ?? undefined,
+            requestedResource: row.requested_resource ?? undefined,
+            normalizedResource: row.normalized_resource ?? undefined,
+            resourceFingerprint: row.resource_fingerprint ?? undefined,
+            grantId: row.grant_id ?? undefined,
+            credentialId: row.credential_id ?? undefined,
+            approvalMode: row.approval_mode ?? undefined,
+            approvalNonce: row.approval_nonce ?? undefined,
+            metadata: row.metadata ? JSON.parse(row.metadata) : undefined,
+        };
+    }
+}
+exports.AuditLogger = AuditLogger;
+//# sourceMappingURL=audit-logger.js.map

package/dist/audit/audit-logger.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit-logger.js","sourceRoot":"","sources":["../../src/audit/audit-logger.ts"],"names":[],"mappings":";;;AACA,mCAAmC;AA0BnC,MAAa,WAAW;IACO;IAA7B,YAA6B,EAAqB;QAArB,OAAE,GAAF,EAAE,CAAmB;IAAG,CAAC;IAEtD,QAAQ,CAAC,KAAiB;QACxB,MAAM,EAAE,GAAG,KAAK,CAAC,EAAE,IAAI,IAAA,mBAAU,GAAE,CAAA;QACnC,MAAM,SAAS,GAAG,KAAK,CAAC,SAAS,IAAI,IAAI,CAAC,GAAG,EAAE,CAAA;QAE/C,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC;;;;;;;;;KASf,CAAC,CAAC,GAAG,CACJ,EAAE,EAAE,SAAS,EACb,KAAK,CAAC,SAAS,IAAI,IAAI,EACvB,KAAK,CAAC,OAAO,IAAI,IAAI,EACrB,KAAK,CAAC,QAAQ,IAAI,IAAI,EACtB,KAAK,CAAC,YAAY,IAAI,IAAI,EAC1B,KAAK,CAAC,MAAM,EACZ,KAAK,CAAC,QAAQ,IAAI,IAAI,EACtB,KAAK,CAAC,eAAe,IAAI,IAAI,EAC7B,KAAK,CAAC,cAAc,IAAI,IAAI,EAC5B,KAAK,CAAC,aAAa,EACnB,KAAK,CAAC,QAAQ,EACd,KAAK,CAAC,cAAc,IAAI,IAAI,EAC5B,KAAK,CAAC,iBAAiB,IAAI,IAAI,EAC/B,KAAK,CAAC,kBAAkB,IAAI,IAAI,EAChC,KAAK,CAAC,mBAAmB,IAAI,IAAI,EACjC,KAAK,CAAC,OAAO,IAAI,IAAI,EACrB,KAAK,CAAC,YAAY,IAAI,IAAI,EAC1B,KAAK,CAAC,YAAY,IAAI,IAAI,EAC1B,KAAK,CAAC,aAAa,IAAI,IAAI,EAC3B,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,EACtD,IAAI,CAAC,oCAAoC;SAC1C,CAAA;QAED,OAAO,EAAE,CAAA;IACX,CAAC;IAED,gBAAgB,CAAC,QAAgB,GAAG;QAClC,MAAM,IAAI,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAC1B,gFAAgF,CACjF,CAAC,GAAG,CAAC,KAAK,CAAU,CAAA;QAErB,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAA;IAC1C,CAAC;IAED,UAAU,CAAC,GAAa;QACtB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;QACtB,MAAM,IAAI,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,iDAAiD,CAAC,CAAA;QAC/E,MAAM,WAAW,GAAG,IAAI,CAAC,EAAE,CAAC,WAAW,CAAC,CAAC,QAAkB,EAAE,EAAE;YAC7D,KAAK,MAAM,EAAE,IAAI,QAAQ,EAAE,CAAC;gBAC1B,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,CAAC,CAAA;YACnB,CAAC;QACH,CAAC,CAAC,CAAA;QACF,WAAW,CAAC,GAAG,CAAC,CAAA;IAClB,CAAC;IAEO,UAAU,CAAC,GAAQ;QACzB,OAAO;YACL,EAAE,EAAE,GAAG,CAAC,EAAE;YACV,SAAS,EAAE,GAAG,CAAC,SAAS;YACxB,SAAS,EAAE,GAAG,CAAC,UAAU,IAAI,SAAS;YACtC,OAAO,EAAE,GAAG,CAAC,QAAQ,IAAI,SAAS;YAClC,QAAQ,EAAE,GAAG,CAAC,SAAS,IAAI,SAAS;YACpC,YAAY,EAAE,GAAG,CAAC,aAAa,IAAI,SAAS;YAC5C,MAAM,EAAE,GAAG,CAAC,MAAM;YAClB,QAAQ,EAAE,GAAG,CAAC,QAAQ,IAAI,SAAS;YACnC,eAAe,EAAE,GAAG,CAAC,gBAAgB,IAAI,SAAS;YAClD,cAAc,EAAE,GAAG,CAAC,eAAe,IAAI,SAAS;YAChD,aAAa,EAAE,GAAG,CAAC,cAAc;YACjC,QAAQ,EAAE,GAAG,CAAC,QAAQ;YACtB,cAAc,EAAE,GAAG,CAAC,eAAe,IAAI,SAAS;YAChD,iBAAiB,EAAE,GAAG,CAAC,kBAAkB,IAAI,SAAS;YACtD,kBAAkB,EAAE,GAAG,CAAC,mBAAmB,IAAI,SAAS;YACxD,mBAAmB,EAAE,GAAG,CAAC,oBAAoB,IAAI,SAAS;YAC1D,OAAO,EAAE,GAAG,CAAC,QAAQ,IAAI,SAAS;YAClC,YAAY,EAAE,GAAG,CAAC,aAAa,IAAI,SAAS;YAC5C,YAAY,EAAE,GAAG,CAAC,aAAa,IAAI,SAAS;YAC5C,aAAa,EAAE,GAAG,CAAC,cAAc,IAAI,SAAS;YAC9C,QAAQ,EAAE,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,SAAS;SAC9D,CAAA;IACH,CAAC;CACF;AAvFD,kCAuFC"}

package/dist/audit/audit-sync.d.ts

@@ -0,0 +1,12 @@
+import { AuditLogger } from './audit-logger';
+export declare class AuditSync {
+    private readonly auditLogger;
+    private readonly gatewayUrl;
+    private readonly sessionToken;
+    constructor(auditLogger: AuditLogger, gatewayUrl: string, sessionToken: string);
+    syncPendingEvents(batchSize?: number): Promise<{
+        synced: number;
+        failed: number;
+    }>;
+}
+//# sourceMappingURL=audit-sync.d.ts.map

package/dist/audit/audit-sync.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit-sync.d.ts","sourceRoot":"","sources":["../../src/audit/audit-sync.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAA;AAY5C,qBAAa,SAAS;IAElB,OAAO,CAAC,QAAQ,CAAC,WAAW;IAC5B,OAAO,CAAC,QAAQ,CAAC,UAAU;IAC3B,OAAO,CAAC,QAAQ,CAAC,YAAY;gBAFZ,WAAW,EAAE,WAAW,EACxB,UAAU,EAAE,MAAM,EAClB,YAAY,EAAE,MAAM;IAGjC,iBAAiB,CAAC,SAAS,GAAE,MAAsC,GAAG,OAAO,CAAC;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC;CA+CxH"}