npm - @vorim/sdk - Versions diffs - 3.5.0 → 3.6.1 - Mend

@vorim/sdk 3.5.0 → 3.6.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (62) hide show

package/CHANGELOG.md +35 -0
package/dist/_runtime-gate-DZQTkw4J.d.cts +11 -0
package/dist/_runtime-gate-DZQTkw4J.d.ts +11 -0
package/dist/index.cjs +13 -8
package/dist/index.cjs.map +1 -1
package/dist/index.d.cts +6 -233
package/dist/index.d.ts +6 -233
package/dist/index.js +13 -8
package/dist/index.js.map +1 -1
package/dist/integrations/anthropic.cjs +54 -5
package/dist/integrations/anthropic.cjs.map +1 -1
package/dist/integrations/anthropic.d.cts +30 -1
package/dist/integrations/anthropic.d.ts +30 -1
package/dist/integrations/anthropic.js +54 -5
package/dist/integrations/anthropic.js.map +1 -1
package/dist/integrations/crewai.d.cts +2 -1
package/dist/integrations/crewai.d.ts +2 -1
package/dist/integrations/langchain.cjs +12 -14
package/dist/integrations/langchain.cjs.map +1 -1
package/dist/integrations/langchain.d.cts +9 -1
package/dist/integrations/langchain.d.ts +9 -1
package/dist/integrations/langchain.js +12 -14
package/dist/integrations/langchain.js.map +1 -1
package/dist/integrations/langgraph.cjs +200 -0
package/dist/integrations/langgraph.cjs.map +1 -0
package/dist/integrations/langgraph.d.cts +20 -0
package/dist/integrations/langgraph.d.ts +20 -0
package/dist/integrations/langgraph.js +162 -0
package/dist/integrations/langgraph.js.map +1 -0
package/dist/integrations/llamaindex.cjs +3 -4
package/dist/integrations/llamaindex.cjs.map +1 -1
package/dist/integrations/llamaindex.d.cts +2 -1
package/dist/integrations/llamaindex.d.ts +2 -1
package/dist/integrations/llamaindex.js +3 -4
package/dist/integrations/llamaindex.js.map +1 -1
package/dist/integrations/openai.cjs +66 -11
package/dist/integrations/openai.cjs.map +1 -1
package/dist/integrations/openai.d.cts +37 -1
package/dist/integrations/openai.d.ts +37 -1
package/dist/integrations/openai.js +66 -11
package/dist/integrations/openai.js.map +1 -1
package/dist/integrations/siem.cjs +128 -0
package/dist/integrations/siem.cjs.map +1 -0
package/dist/integrations/siem.d.cts +57 -0
package/dist/integrations/siem.d.ts +57 -0
package/dist/integrations/siem.js +102 -0
package/dist/integrations/siem.js.map +1 -0
package/dist/integrations/stripe-acp.cjs +179 -0
package/dist/integrations/stripe-acp.cjs.map +1 -0
package/dist/integrations/stripe-acp.d.cts +69 -0
package/dist/integrations/stripe-acp.d.ts +69 -0
package/dist/integrations/stripe-acp.js +153 -0
package/dist/integrations/stripe-acp.js.map +1 -0
package/dist/integrations/vercel-ai.cjs +252 -0
package/dist/integrations/vercel-ai.cjs.map +1 -0
package/dist/integrations/vercel-ai.d.cts +67 -0
package/dist/integrations/vercel-ai.d.ts +67 -0
package/dist/integrations/vercel-ai.js +214 -0
package/dist/integrations/vercel-ai.js.map +1 -0
package/dist/types-B22WnXEW.d.cts +234 -0
package/dist/types-B22WnXEW.d.ts +234 -0
package/package.json +41 -1

package/dist/integrations/vercel-ai.d.cts ADDED Viewed

@@ -0,0 +1,67 @@
+import { VorimSDK, ReplayInputs } from '../index.cjs';
+import { P as PermissionScope } from '../types-B22WnXEW.cjs';
+import { E as EscalationPolicy } from '../_runtime-gate-DZQTkw4J.cjs';
+interface VercelTool {
+    description?: string;
+    parameters?: unknown;
+    inputSchema?: unknown;
+    execute?: (args: any, options?: any) => Promise<any> | any;
+    [k: string]: unknown;
+}
+interface VorimVercelConfig {
+    /** Vorim SDK instance. */
+    vorim: VorimSDK;
+    /** The Vorim agent_id (e.g. agid_acme_a1b2c3d4). */
+    agentId: string;
+    /** Per-tool permission scope override, keyed by tool name. */
+    permissionMap?: Record<string, PermissionScope>;
+    /** Default scope for tools without an entry in permissionMap. @default 'agent:execute' */
+    defaultPermission?: PermissionScope;
+    /** Emit audit events fire-and-forget. @default true */
+    asyncAudit?: boolean;
+    /**
+     * Gate each tool call through the runtime-control decision API
+     * (`beforeAction`) instead of the lightweight permission check. @default false
+     *
+     * When true, each call is evaluated against your live policy rules and the
+     * returned decisionId is linked onto every audit event's decision_id.
+     * Requires the runtime_control plan feature (Growth+) and consumes decision
+     * quota. When false (default) the fast permission check is used.
+     */
+    useRuntimeControl?: boolean;
+    /**
+     * What to do when a runtime decision returns `escalate` (a human must
+     * approve). Only applies when `useRuntimeControl` is true.
+     * - `wait`  (default) block and poll until a human approves/denies, or the
+     *           timeout elapses (→ deny). Requires the `runtime:decide` scope.
+     * - `deny`  fail closed without waiting.
+     * - `allow` proceed (fail OPEN — dev/trusted use only).
+     * @default 'wait'
+     */
+    onEscalation?: EscalationPolicy;
+    /** Timeout (ms) for `onEscalation: 'wait'`. @default 300000 */
+    escalationTimeoutMs?: number;
+    /**
+     * Replayable agent decision evidence (VAIP -02). When provided, the hashes
+     * are attached to every audit event. If `replay.tools` is not given, the
+     * wrapped tools' own catalogue is derived automatically.
+     */
+    replay?: ReplayInputs;
+}
+/**
+ * Wrap a single Vercel AI SDK tool so every execution is gated by a Vorim
+ * permission/runtime check and recorded in the signed audit trail. A denied
+ * call throws (so the AI SDK records a tool error) and is audited as `denied`.
+ * Tools with no `execute` (client-side / provider-executed tools) pass through
+ * unchanged.
+ */
+declare function wrapVercelTool(name: string, tool: VercelTool, config: VorimVercelConfig): VercelTool;
+/**
+ * Wrap the `tools` object you pass to generateText / streamText. Returns a new
+ * object with every executable tool guarded. If `replay.tools` was not provided,
+ * the tool catalogue is derived from these tools automatically.
+ */
+declare function wrapVercelTools(tools: Record<string, VercelTool>, config: VorimVercelConfig): Record<string, VercelTool>;
+export { type VorimVercelConfig, wrapVercelTool, wrapVercelTools };

package/dist/integrations/vercel-ai.d.ts ADDED Viewed

@@ -0,0 +1,67 @@
+import { VorimSDK, ReplayInputs } from '../index.js';
+import { P as PermissionScope } from '../types-B22WnXEW.js';
+import { E as EscalationPolicy } from '../_runtime-gate-DZQTkw4J.js';
+interface VercelTool {
+    description?: string;
+    parameters?: unknown;
+    inputSchema?: unknown;
+    execute?: (args: any, options?: any) => Promise<any> | any;
+    [k: string]: unknown;
+}
+interface VorimVercelConfig {
+    /** Vorim SDK instance. */
+    vorim: VorimSDK;
+    /** The Vorim agent_id (e.g. agid_acme_a1b2c3d4). */
+    agentId: string;
+    /** Per-tool permission scope override, keyed by tool name. */
+    permissionMap?: Record<string, PermissionScope>;
+    /** Default scope for tools without an entry in permissionMap. @default 'agent:execute' */
+    defaultPermission?: PermissionScope;
+    /** Emit audit events fire-and-forget. @default true */
+    asyncAudit?: boolean;
+    /**
+     * Gate each tool call through the runtime-control decision API
+     * (`beforeAction`) instead of the lightweight permission check. @default false
+     *
+     * When true, each call is evaluated against your live policy rules and the
+     * returned decisionId is linked onto every audit event's decision_id.
+     * Requires the runtime_control plan feature (Growth+) and consumes decision
+     * quota. When false (default) the fast permission check is used.
+     */
+    useRuntimeControl?: boolean;
+    /**
+     * What to do when a runtime decision returns `escalate` (a human must
+     * approve). Only applies when `useRuntimeControl` is true.
+     * - `wait`  (default) block and poll until a human approves/denies, or the
+     *           timeout elapses (→ deny). Requires the `runtime:decide` scope.
+     * - `deny`  fail closed without waiting.
+     * - `allow` proceed (fail OPEN — dev/trusted use only).
+     * @default 'wait'
+     */
+    onEscalation?: EscalationPolicy;
+    /** Timeout (ms) for `onEscalation: 'wait'`. @default 300000 */
+    escalationTimeoutMs?: number;
+    /**
+     * Replayable agent decision evidence (VAIP -02). When provided, the hashes
+     * are attached to every audit event. If `replay.tools` is not given, the
+     * wrapped tools' own catalogue is derived automatically.
+     */
+    replay?: ReplayInputs;
+}
+/**
+ * Wrap a single Vercel AI SDK tool so every execution is gated by a Vorim
+ * permission/runtime check and recorded in the signed audit trail. A denied
+ * call throws (so the AI SDK records a tool error) and is audited as `denied`.
+ * Tools with no `execute` (client-side / provider-executed tools) pass through
+ * unchanged.
+ */
+declare function wrapVercelTool(name: string, tool: VercelTool, config: VorimVercelConfig): VercelTool;
+/**
+ * Wrap the `tools` object you pass to generateText / streamText. Returns a new
+ * object with every executable tool guarded. If `replay.tools` was not provided,
+ * the tool catalogue is derived from these tools automatically.
+ */
+declare function wrapVercelTools(tools: Record<string, VercelTool>, config: VorimVercelConfig): Record<string, VercelTool>;
+export { type VorimVercelConfig, wrapVercelTool, wrapVercelTools };

package/dist/integrations/vercel-ai.js ADDED Viewed

@@ -0,0 +1,214 @@
+// src/integrations/_runtime-gate.ts
+function isAllowVerdict(decision) {
+  return decision === "allow" || decision === "modify" || decision === "fallback";
+}
+async function runtimeGate(vorim, agentId, actionTarget, scope, payload, opts = {}) {
+  const onEscalation = opts.onEscalation ?? "wait";
+  const d = await vorim.beforeAction(
+    { agentId, actionType: "tool_call", actionTarget, requiredScope: scope, payload },
+    { throwOnDeny: false }
+  );
+  if (d.decision !== "escalate") {
+    return { allowed: isAllowVerdict(d.decision), reason: d.reason, decisionId: d.decisionId || void 0 };
+  }
+  if (onEscalation === "allow") {
+    return { allowed: true, reason: d.reason ?? "escalated (auto-allowed)", decisionId: d.decisionId || void 0 };
+  }
+  if (onEscalation === "deny") {
+    return { allowed: false, reason: d.reason ?? "escalated (auto-denied \u2014 awaiting human)", decisionId: d.decisionId || void 0 };
+  }
+  if (!d.decisionId) {
+    return { allowed: false, reason: "escalated but no decisionId to poll", decisionId: void 0 };
+  }
+  try {
+    const resolved = await vorim.waitForDecisionResolution(d.decisionId, { timeoutMs: opts.escalationTimeoutMs });
+    return { allowed: isAllowVerdict(resolved.decision), reason: resolved.reason, decisionId: resolved.decisionId || d.decisionId };
+  } catch {
+    return { allowed: false, reason: "escalation not resolved before timeout", decisionId: d.decisionId };
+  }
+}
+// src/replay.ts
+function jcsCanonicalise(value) {
+  if (value === null) return "null";
+  if (value === true) return "true";
+  if (value === false) return "false";
+  if (typeof value === "number") {
+    if (!Number.isFinite(value)) {
+      throw new Error("jcsCanonicalise: NaN and Infinity are not JCS-valid");
+    }
+    return value.toString();
+  }
+  if (typeof value === "string") {
+    return JSON.stringify(value);
+  }
+  if (Array.isArray(value)) {
+    return "[" + value.map(jcsCanonicalise).join(",") + "]";
+  }
+  if (typeof value === "object") {
+    const obj = value;
+    const keys = Object.keys(obj).filter((k) => obj[k] !== void 0).sort();
+    const parts = keys.map((k) => JSON.stringify(k) + ":" + jcsCanonicalise(obj[k]));
+    return "{" + parts.join(",") + "}";
+  }
+  throw new Error(`jcsCanonicalise: unsupported value type: ${typeof value}`);
+}
+async function sha256Hex(input) {
+  const bytes = typeof input === "string" ? new TextEncoder().encode(input) : input;
+  const subtle = globalThis.crypto?.subtle;
+  if (subtle) {
+    const buf = await subtle.digest("SHA-256", bytes);
+    return Array.from(new Uint8Array(buf)).map((b) => b.toString(16).padStart(2, "0")).join("");
+  }
+  const nodeCrypto = await import("crypto");
+  return nodeCrypto.createHash("sha256").update(bytes).digest("hex");
+}
+async function hashTool(tool) {
+  const normalised = {
+    name: tool.name,
+    description: tool.description ?? "",
+    schema: tool.schema ?? {}
+  };
+  const hex = await sha256Hex(jcsCanonicalise(normalised));
+  return `sha256:${hex}`;
+}
+async function hashToolCatalogue(tools) {
+  if (tools.length === 0) {
+    return `sha256:${await sha256Hex("[]")}`;
+  }
+  const perTool = await Promise.all(tools.map(hashTool));
+  perTool.sort();
+  const hex = await sha256Hex(perTool.join(""));
+  return `sha256:${hex}`;
+}
+async function hashSystemPrompt(prompt) {
+  const hex = await sha256Hex(prompt);
+  return `sha256:${hex}`;
+}
+async function prepareReplayContext(inputs) {
+  const ctx = {};
+  if (inputs.modelVersion) ctx.model_version = inputs.modelVersion;
+  if (inputs.tools) ctx.tool_catalogue_hash = await hashToolCatalogue(inputs.tools);
+  if (inputs.systemPrompt) ctx.system_prompt_hash = await hashSystemPrompt(inputs.systemPrompt);
+  return ctx;
+}
+// src/integrations/vercel-ai.ts
+function truncate(s, max) {
+  return s.length > max ? s.slice(0, max) + "\u2026" : s;
+}
+async function gate(cfg, scope, actionTarget, payload) {
+  if (cfg.useRuntimeControl) {
+    return runtimeGate(cfg.vorim, cfg.agentId, actionTarget, scope, payload, {
+      onEscalation: cfg.onEscalation,
+      escalationTimeoutMs: cfg.escalationTimeoutMs
+    });
+  }
+  const { allowed, reason } = await cfg.vorim.check(cfg.agentId, scope);
+  return { allowed, reason };
+}
+function emitAudit(vorim, event, asyncAudit) {
+  if (asyncAudit) {
+    vorim.emit(event).catch(() => {
+    });
+    return;
+  }
+  return vorim.emit(event).then(() => void 0).catch(() => void 0);
+}
+function makeReplayGetter(replay) {
+  if (!replay) return async () => ({});
+  let cached = null;
+  return () => {
+    if (!cached) cached = prepareReplayContext(replay);
+    return cached;
+  };
+}
+function wrapVercelTool(name, tool, config) {
+  const { vorim, defaultPermission = "agent:execute", permissionMap = {}, asyncAudit = true } = config;
+  if (typeof tool.execute !== "function") return tool;
+  const originalExecute = tool.execute.bind(tool);
+  const getReplay = makeReplayGetter(config.replay);
+  const scope = permissionMap[name] ?? defaultPermission;
+  const guarded = {
+    ...tool,
+    execute: async (args, options) => {
+      const { allowed, reason, decisionId } = await gate(config, scope, name, args);
+      const replayCtx = await getReplay();
+      const resource = truncate(safeJson(args), 500);
+      if (!allowed) {
+        await emitAudit(vorim, {
+          agent_id: config.agentId,
+          event_type: "tool_call",
+          action: name,
+          resource,
+          permission: scope,
+          result: "denied",
+          ...decisionId ? { decision_id: decisionId } : {},
+          metadata: { reason, framework: "vercel-ai" },
+          ...replayCtx
+        }, asyncAudit);
+        throw new Error(`Vorim: permission denied for "${name}" \u2014 scope "${scope}"${reason ? `: ${reason}` : ""}`);
+      }
+      const start = Date.now();
+      try {
+        const result = await originalExecute(args, options);
+        await emitAudit(vorim, {
+          agent_id: config.agentId,
+          event_type: "tool_call",
+          action: name,
+          resource,
+          permission: scope,
+          result: "success",
+          latency_ms: Date.now() - start,
+          ...decisionId ? { decision_id: decisionId } : {},
+          metadata: { framework: "vercel-ai" },
+          ...replayCtx
+        }, asyncAudit);
+        return result;
+      } catch (err) {
+        await emitAudit(vorim, {
+          agent_id: config.agentId,
+          event_type: "tool_call",
+          action: name,
+          resource,
+          permission: scope,
+          result: "error",
+          latency_ms: Date.now() - start,
+          error_code: err instanceof Error ? err.name : "UNKNOWN",
+          ...decisionId ? { decision_id: decisionId } : {},
+          metadata: { error: err instanceof Error ? err.message : String(err), framework: "vercel-ai" },
+          ...replayCtx
+        }, asyncAudit);
+        throw err;
+      }
+    }
+  };
+  return guarded;
+}
+function wrapVercelTools(tools, config) {
+  const cfg = config.replay && !config.replay.tools ? { ...config, replay: { ...config.replay, tools: deriveCatalogue(tools) } } : config;
+  const out = {};
+  for (const [name, tool] of Object.entries(tools)) {
+    out[name] = wrapVercelTool(name, tool, cfg);
+  }
+  return out;
+}
+function deriveCatalogue(tools) {
+  return Object.entries(tools).map(([name, t]) => ({
+    name,
+    description: typeof t.description === "string" ? t.description : "",
+    schema: t.inputSchema ?? t.parameters ?? {}
+  }));
+}
+function safeJson(v) {
+  try {
+    return JSON.stringify(v);
+  } catch {
+    return String(v);
+  }
+}
+export {
+  wrapVercelTool,
+  wrapVercelTools
+};
+//# sourceMappingURL=vercel-ai.js.map

package/dist/integrations/vercel-ai.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../../src/integrations/_runtime-gate.ts","../../src/replay.ts","../../src/integrations/vercel-ai.ts"],"sourcesContent":["// ============================================================================\n// VORIM SDK — Shared runtime-gate helper for framework integrations\n//\n// All tool-wrapping integrations (Vercel, OpenAI, Anthropic, …) turn a\n// `beforeAction` runtime decision into a simple { allowed, reason, decisionId }\n// the wrapper can act on. The subtlety is the `escalate` verdict: it is NOT a\n// denial — it means a human must approve the action. Folding it into\n// `allowed=false` silently breaks every human-in-the-loop flow; folding it into\n// `allowed=true` is a fail-open security hole. So this helper resolves the\n// escalation explicitly, driven by the caller's `onEscalation` preference.\n// ============================================================================\n\nimport type { VorimSDK } from '../index.js';\nimport type { RuntimeDecision, PermissionScope } from '../types.js';\n\n/**\n * How a framework integration should treat a runtime `escalate` verdict.\n * - `wait` — block and poll {@link VorimSDK.waitForDecisionResolution} until a\n * human approves/denies (or the timeout elapses → deny). The correct\n * default for human-in-the-loop: an escalation means \"ask a human\".\n * - `deny` — treat escalate as a denial (fail closed without waiting).\n * - `allow` — treat escalate as allowed (fail OPEN — only for trusted/dev use).\n */\nexport type EscalationPolicy = 'wait' | 'deny' | 'allow';\n\nexport interface RuntimeGateOptions {\n /** What to do on an `escalate` verdict. @default 'wait' */\n onEscalation?: EscalationPolicy;\n /** Timeout (ms) for `onEscalation: 'wait'`. @default 300000 (5 min) */\n escalationTimeoutMs?: number;\n}\n\nexport interface GateResult {\n allowed: boolean;\n reason?: string;\n decisionId?: string;\n}\n\n/** True for verdicts that permit the action to proceed. `escalate` is handled separately. */\nfunction isAllowVerdict(decision: RuntimeDecision['decision']): boolean {\n return decision === 'allow' || decision === 'modify' || decision === 'fallback';\n}\n\n/**\n * Run a `beforeAction` runtime decision and collapse it to a {@link GateResult},\n * resolving `escalate` per {@link RuntimeGateOptions.onEscalation}.\n *\n * Requires (for `onEscalation: 'wait'`) an API key with the `runtime:decide`\n * scope — the same scope `beforeAction` itself uses.\n */\nexport async function runtimeGate(\n vorim: VorimSDK,\n agentId: string,\n actionTarget: string,\n scope: PermissionScope,\n payload: Record<string, unknown> | undefined,\n opts: RuntimeGateOptions = {},\n): Promise<GateResult> {\n const onEscalation = opts.onEscalation ?? 'wait';\n const d = await vorim.beforeAction(\n { agentId, actionType: 'tool_call', actionTarget, requiredScope: scope, payload },\n { throwOnDeny: false },\n );\n\n if (d.decision !== 'escalate') {\n return { allowed: isAllowVerdict(d.decision), reason: d.reason, decisionId: d.decisionId || undefined };\n }\n\n // escalate ── a human must decide.\n if (onEscalation === 'allow') {\n return { allowed: true, reason: d.reason ?? 'escalated (auto-allowed)', decisionId: d.decisionId || undefined };\n }\n if (onEscalation === 'deny') {\n return { allowed: false, reason: d.reason ?? 'escalated (auto-denied — awaiting human)', decisionId: d.decisionId || undefined };\n }\n // 'wait' — poll for the human decision. On timeout, fail closed (deny).\n if (!d.decisionId) {\n return { allowed: false, reason: 'escalated but no decisionId to poll', decisionId: undefined };\n }\n try {\n const resolved = await vorim.waitForDecisionResolution(d.decisionId, { timeoutMs: opts.escalationTimeoutMs });\n return { allowed: isAllowVerdict(resolved.decision), reason: resolved.reason, decisionId: resolved.decisionId || d.decisionId };\n } catch {\n // ESCALATION_TIMEOUT (or any poll error) → fail closed.\n return { allowed: false, reason: 'escalation not resolved before timeout', decisionId: d.decisionId };\n }\n}\n","/**\n * Replayable agent decision evidence helpers.\n *\n * Canonical-form hashing for the VAIP -02 schema fields that the SDK\n * attaches to audit events. The hashes recorded in audit_events.tool_catalogue_hash\n * and audit_events.system_prompt_hash use these functions, so the bytes\n * an auditor or counterparty reconstructs must match what the SDK produced.\n *\n * These helpers are intentionally separate from the signing path. The\n * v0 canonical signature form (event_type|action|resource|input_hash|\n * output_hash|result) does NOT cover model_version, tool_catalogue_hash,\n * or system_prompt_hash. They will enter the canonical bytes in v1\n * (RFC 8785 JCS) in a follow-up release.\n *\n * Stable across SDK versions: the canonical-form version is documented\n * in CANONICAL_TOOL_CATALOGUE_VERSION. Future changes get a v2 etc;\n * never edit the existing v1 logic, or already-recorded hashes lose\n * their meaning.\n */\n\n// ─── Versioning ───────────────────────────────────────────────────────────\n\n/**\n * Canonical-form version for tool catalogue hashes produced by this SDK.\n * Recorded in tool_catalogue_canon_version on the event metadata (when\n * the metadata field is used) so verifiers know which hash recipe to\n * reproduce. Increment ONLY if the algorithm changes in a way that\n * would change the hash for the same logical catalogue.\n */\nexport const CANONICAL_TOOL_CATALOGUE_VERSION = 'v1' as const;\n\n// ─── Types ────────────────────────────────────────────────────────────────\n\n/**\n * Minimum shape a tool needs for catalogue hashing. The framework\n * integrations adapt their native tool objects to this shape before\n * calling hashToolCatalogue.\n */\nexport interface CatalogueTool {\n /** The name the model sees and calls. Required. */\n name: string;\n /** Human-readable description shown to the model. Optional; absent ↔ empty string. */\n description?: string;\n /**\n * JSON Schema describing the tool's input parameters. Optional;\n * absent ↔ empty object `{}`. The schema gets RFC 8785 JCS-canonicalised\n * before hashing so semantically-equivalent variations (key order,\n * whitespace) produce the same hash.\n */\n schema?: Record<string, unknown> | null;\n}\n\n// ─── RFC 8785 JCS subset ──────────────────────────────────────────────────\n\n/**\n * RFC 8785 JSON Canonicalization Scheme, sufficient subset for tool\n * catalogue values.\n *\n * Rules:\n * - Object keys sorted lexicographically by UTF-16 code units (which\n * is what JS string comparison does naturally).\n * - No whitespace between tokens.\n * - Numbers: integers as integers, finite floats per ECMAScript\n * Number.prototype.toString. JCS forbids NaN and Infinity.\n * - Strings: JSON-escape using minimal set per RFC 8259 § 7.\n * - null, true, false, arrays: as JSON.stringify produces them, since\n * JSON.stringify already produces the canonical form for these.\n *\n * Not vendoring a full library because tool schemas don't carry\n * non-integer numbers in practice and the JS spec for Number.toString\n * happens to coincide with JCS § 3.2.2.2 for the integer case.\n */\nexport function jcsCanonicalise(value: unknown): string {\n if (value === null) return 'null';\n if (value === true) return 'true';\n if (value === false) return 'false';\n\n if (typeof value === 'number') {\n if (!Number.isFinite(value)) {\n throw new Error('jcsCanonicalise: NaN and Infinity are not JCS-valid');\n }\n // For integers in safe range, .toString() matches JCS. For\n // non-integer floats, .toString() also matches in modern JS\n // engines (V8, JavaScriptCore, SpiderMonkey all use the shortest\n // round-trip representation, which is what JCS § 3.2.2.2 requires).\n return value.toString();\n }\n\n if (typeof value === 'string') {\n return JSON.stringify(value);\n }\n\n if (Array.isArray(value)) {\n return '[' + value.map(jcsCanonicalise).join(',') + ']';\n }\n\n if (typeof value === 'object') {\n const obj = value as Record<string, unknown>;\n // Filter undefined-valued fields, matching @vorim/verify and\n // @vorim/shared-types. Without this the SDK throws on { a: 1, b: undefined }\n // while the verifier silently drops b — a cross-module canonical-form\n // divergence that would break signature verification on such events.\n const keys = Object.keys(obj).filter(k => obj[k] !== undefined).sort();\n const parts = keys.map(k => JSON.stringify(k) + ':' + jcsCanonicalise(obj[k]));\n return '{' + parts.join(',') + '}';\n }\n\n // undefined, function, symbol, bigint — not JSON-representable\n throw new Error(`jcsCanonicalise: unsupported value type: ${typeof value}`);\n}\n\n// ─── SHA-256 ──────────────────────────────────────────────────────────────\n\nasync function sha256Hex(input: string | Uint8Array): Promise<string> {\n const bytes = typeof input === 'string' ? new TextEncoder().encode(input) : input;\n\n // Node.js Web Crypto (Node 18+) supports digest. Browser Web Crypto does too.\n // Fall back to node:crypto if Web Crypto is unavailable.\n const subtle = (globalThis as any).crypto?.subtle;\n if (subtle) {\n const buf = await subtle.digest('SHA-256', bytes);\n return Array.from(new Uint8Array(buf))\n .map(b => b.toString(16).padStart(2, '0'))\n .join('');\n }\n\n // Node fallback\n const nodeCrypto = await import('node:crypto');\n return nodeCrypto.createHash('sha256').update(bytes).digest('hex');\n}\n\n// ─── Public API ───────────────────────────────────────────────────────────\n\n/**\n * Hash a single tool definition. Returns `sha256:<hex>`.\n *\n * Canonical form (v1):\n * JCS-canonicalised JSON of `{name, description, schema}` where\n * absent fields substitute `description: \"\"` and `schema: {}`.\n */\nexport async function hashTool(tool: CatalogueTool): Promise<string> {\n const normalised = {\n name: tool.name,\n description: tool.description ?? '',\n schema: tool.schema ?? {},\n };\n const hex = await sha256Hex(jcsCanonicalise(normalised));\n return `sha256:${hex}`;\n}\n\n/**\n * Hash an entire tool catalogue. Returns `sha256:<hex>`.\n *\n * Reordering tools does NOT change the hash (tool hashes sorted\n * lexicographically before concatenation). Adding, removing, or\n * modifying a tool DOES change the hash.\n *\n * Per-tool hashing first means a verifier comparing two catalogue\n * hashes that differ can also be given the per-tool hashes to\n * identify which specific tool changed.\n */\nexport async function hashToolCatalogue(tools: CatalogueTool[]): Promise<string> {\n if (tools.length === 0) {\n // Empty catalogue has a deterministic, stable hash distinct from \"no field\"\n return `sha256:${await sha256Hex('[]')}`;\n }\n const perTool = await Promise.all(tools.map(hashTool));\n perTool.sort();\n const hex = await sha256Hex(perTool.join(''));\n return `sha256:${hex}`;\n}\n\n/**\n * Hash a system prompt. Returns `sha256:<hex>`.\n *\n * The prompt is UTF-8 encoded and hashed verbatim — no normalisation.\n * If a caller wants to ignore whitespace or comment differences, they\n * should normalise before calling. The intent here is deterministic\n * reproducibility, not semantic equivalence.\n */\nexport async function hashSystemPrompt(prompt: string): Promise<string> {\n const hex = await sha256Hex(prompt);\n return `sha256:${hex}`;\n}\n\n/**\n * Convenience: hash the previous event's canonical bytes for use in\n * the prev_event_hash field of hash-chained ingest. Caller provides\n * the canonical bytes (use canonicalPayloadV0 from the main module).\n */\nexport async function hashPreviousEvent(canonicalBytes: string): Promise<string> {\n const hex = await sha256Hex(canonicalBytes);\n return `sha256:${hex}`;\n}\n\n// ─── Replay context — framework integration helper ────────────────────────\n\n/**\n * Raw inputs the integration captures from the framework. Set by the\n * integration's config; turned into hashes by {@link prepareReplayContext}.\n */\nexport interface ReplayInputs {\n /** Stable identifier for the model. E.g. `\"anthropic:claude-opus-4-8\"`. */\n modelVersion?: string;\n /** Tools available to the agent at call time. Hashed via {@link hashToolCatalogue}. */\n tools?: CatalogueTool[];\n /** System prompt active at call time. Hashed via {@link hashSystemPrompt}. */\n systemPrompt?: string;\n}\n\n/**\n * Pre-computed hashes ready to attach to audit events. The three keys\n * match the audit_events column names.\n */\nexport interface ReplayContext {\n model_version?: string;\n tool_catalogue_hash?: string;\n system_prompt_hash?: string;\n}\n\n/**\n * Compute replay context once from raw inputs. Use at integration\n * setup time so each emit can attach the hashes without re-hashing.\n *\n * Returns an object suitable for spreading into an AuditEventInput:\n * `await vorim.emit({ ...event, ...replayContext })`\n *\n * If a field is absent in the inputs, it is absent in the result\n * (not the empty string). That keeps the event lean.\n */\nexport async function prepareReplayContext(\n inputs: ReplayInputs,\n): Promise<ReplayContext> {\n const ctx: ReplayContext = {};\n if (inputs.modelVersion) ctx.model_version = inputs.modelVersion;\n if (inputs.tools) ctx.tool_catalogue_hash = await hashToolCatalogue(inputs.tools);\n if (inputs.systemPrompt) ctx.system_prompt_hash = await hashSystemPrompt(inputs.systemPrompt);\n return ctx;\n}\n","// ============================================================================\n// VORIM SDK — Vercel AI SDK Integration\n// Wraps Vercel AI SDK tools with Vorim permission checks, runtime control,\n// and signed audit trails. Works with the `tool()` helper from the `ai`\n// package (v3/v4): each tool is an object with an async `execute(args, opts)`.\n//\n// Peer dependency: ai >=3.0.0\n//\n// Usage:\n// import { tool } from 'ai';\n// import createVorim from '@vorim/sdk';\n// import { wrapVercelTools } from '@vorim/sdk/integrations/vercel-ai';\n//\n// const vorim = createVorim({ apiKey: 'agid_sk_live_...' });\n//\n// const tools = wrapVercelTools(\n// {\n// searchDocs: tool({ description: '...', parameters: z.object({...}), execute: async ({ query }) => ... }),\n// sendEmail: tool({ description: '...', parameters: z.object({...}), execute: async ({ to }) => ... }),\n// },\n// { vorim, agentId: 'agid_acme_a1b2c3d4', permissionMap: { sendEmail: 'agent:communicate' } },\n// );\n//\n// const result = await generateText({ model, tools, prompt });\n// ============================================================================\n\nimport type { VorimSDK } from '../index.js';\nimport type { PermissionScope, AuditEventInput } from '../types.js';\nimport { runtimeGate, type EscalationPolicy } from './_runtime-gate.js';\nimport {\n prepareReplayContext,\n type ReplayInputs,\n type ReplayContext,\n type CatalogueTool,\n} from '../replay.js';\n\n// ─── Re-declared Vercel AI SDK shape (peer dependency — not bundled) ───────\n//\n// A Vercel `tool()` result. We only touch `execute`; everything else\n// (description, parameters/inputSchema) is passed through untouched, so this\n// stays compatible across AI SDK minor versions that rename schema fields.\ninterface VercelTool {\n description?: string;\n parameters?: unknown; // AI SDK v3/early v4\n inputSchema?: unknown; // AI SDK v4+\n execute?: (args: any, options?: any) => Promise<any> | any;\n [k: string]: unknown;\n}\n\n// ─── Configuration ──────────────────────────────────────────────────────────\n\nexport interface VorimVercelConfig {\n /** Vorim SDK instance. */\n vorim: VorimSDK;\n /** The Vorim agent_id (e.g. agid_acme_a1b2c3d4). */\n agentId: string;\n /** Per-tool permission scope override, keyed by tool name. */\n permissionMap?: Record<string, PermissionScope>;\n /** Default scope for tools without an entry in permissionMap. @default 'agent:execute' */\n defaultPermission?: PermissionScope;\n /** Emit audit events fire-and-forget. @default true */\n asyncAudit?: boolean;\n /**\n * Gate each tool call through the runtime-control decision API\n * (`beforeAction`) instead of the lightweight permission check. @default false\n *\n * When true, each call is evaluated against your live policy rules and the\n * returned decisionId is linked onto every audit event's decision_id.\n * Requires the runtime_control plan feature (Growth+) and consumes decision\n * quota. When false (default) the fast permission check is used.\n */\n useRuntimeControl?: boolean;\n /**\n * What to do when a runtime decision returns `escalate` (a human must\n * approve). Only applies when `useRuntimeControl` is true.\n * - `wait` (default) block and poll until a human approves/denies, or the\n * timeout elapses (→ deny). Requires the `runtime:decide` scope.\n * - `deny` fail closed without waiting.\n * - `allow` proceed (fail OPEN — dev/trusted use only).\n * @default 'wait'\n */\n onEscalation?: EscalationPolicy;\n /** Timeout (ms) for `onEscalation: 'wait'`. @default 300000 */\n escalationTimeoutMs?: number;\n /**\n * Replayable agent decision evidence (VAIP -02). When provided, the hashes\n * are attached to every audit event. If `replay.tools` is not given, the\n * wrapped tools' own catalogue is derived automatically.\n */\n replay?: ReplayInputs;\n}\n\nfunction truncate(s: string, max: number): string {\n return s.length > max ? s.slice(0, max) + '…' : s;\n}\n\nasync function gate(\n cfg: VorimVercelConfig,\n scope: PermissionScope,\n actionTarget: string,\n payload?: Record<string, unknown>,\n): Promise<{ allowed: boolean; reason?: string; decisionId?: string }> {\n if (cfg.useRuntimeControl) {\n return runtimeGate(cfg.vorim, cfg.agentId, actionTarget, scope, payload, {\n onEscalation: cfg.onEscalation,\n escalationTimeoutMs: cfg.escalationTimeoutMs,\n });\n }\n const { allowed, reason } = await cfg.vorim.check(cfg.agentId, scope);\n return { allowed, reason };\n}\n\nfunction emitAudit(vorim: VorimSDK, event: AuditEventInput, asyncAudit: boolean): Promise<void> | void {\n if (asyncAudit) {\n vorim.emit(event).catch(() => {});\n return;\n }\n return vorim.emit(event).then(() => undefined).catch(() => undefined);\n}\n\n/** Lazy replay-context getter — computes hashes once, reuses thereafter. */\nfunction makeReplayGetter(replay: ReplayInputs | undefined): () => Promise<ReplayContext> {\n if (!replay) return async () => ({});\n let cached: Promise<ReplayContext> | null = null;\n return () => {\n if (!cached) cached = prepareReplayContext(replay);\n return cached;\n };\n}\n\n// ─── Wrappers ────────────────────────────────────────────────────────────────\n\n/**\n * Wrap a single Vercel AI SDK tool so every execution is gated by a Vorim\n * permission/runtime check and recorded in the signed audit trail. A denied\n * call throws (so the AI SDK records a tool error) and is audited as `denied`.\n * Tools with no `execute` (client-side / provider-executed tools) pass through\n * unchanged.\n */\nexport function wrapVercelTool(name: string, tool: VercelTool, config: VorimVercelConfig): VercelTool {\n const { vorim, defaultPermission = 'agent:execute', permissionMap = {}, asyncAudit = true } = config;\n if (typeof tool.execute !== 'function') return tool; // nothing to guard\n\n const originalExecute = tool.execute.bind(tool);\n const getReplay = makeReplayGetter(config.replay);\n const scope = permissionMap[name] ?? defaultPermission;\n\n const guarded: VercelTool = {\n ...tool,\n execute: async (args: any, options?: any): Promise<any> => {\n const { allowed, reason, decisionId } = await gate(config, scope, name, args as Record<string, unknown>);\n const replayCtx = await getReplay();\n const resource = truncate(safeJson(args), 500);\n\n if (!allowed) {\n await emitAudit(vorim, {\n agent_id: config.agentId,\n event_type: 'tool_call',\n action: name,\n resource,\n permission: scope,\n result: 'denied',\n ...(decisionId ? { decision_id: decisionId } : {}),\n metadata: { reason, framework: 'vercel-ai' },\n ...replayCtx,\n }, asyncAudit);\n throw new Error(`Vorim: permission denied for \"${name}\" — scope \"${scope}\"${reason ? `: ${reason}` : ''}`);\n }\n\n const start = Date.now();\n try {\n const result = await originalExecute(args, options);\n await emitAudit(vorim, {\n agent_id: config.agentId,\n event_type: 'tool_call',\n action: name,\n resource,\n permission: scope,\n result: 'success',\n latency_ms: Date.now() - start,\n ...(decisionId ? { decision_id: decisionId } : {}),\n metadata: { framework: 'vercel-ai' },\n ...replayCtx,\n }, asyncAudit);\n return result;\n } catch (err) {\n await emitAudit(vorim, {\n agent_id: config.agentId,\n event_type: 'tool_call',\n action: name,\n resource,\n permission: scope,\n result: 'error',\n latency_ms: Date.now() - start,\n error_code: err instanceof Error ? err.name : 'UNKNOWN',\n ...(decisionId ? { decision_id: decisionId } : {}),\n metadata: { error: err instanceof Error ? err.message : String(err), framework: 'vercel-ai' },\n ...replayCtx,\n }, asyncAudit);\n throw err;\n }\n },\n };\n\n return guarded;\n}\n\n/**\n * Wrap the `tools` object you pass to generateText / streamText. Returns a new\n * object with every executable tool guarded. If `replay.tools` was not provided,\n * the tool catalogue is derived from these tools automatically.\n */\nexport function wrapVercelTools(\n tools: Record<string, VercelTool>,\n config: VorimVercelConfig,\n): Record<string, VercelTool> {\n // Auto-derive the replay tool catalogue from the tools when not supplied.\n const cfg: VorimVercelConfig =\n config.replay && !config.replay.tools\n ? { ...config, replay: { ...config.replay, tools: deriveCatalogue(tools) } }\n : config;\n\n const out: Record<string, VercelTool> = {};\n for (const [name, tool] of Object.entries(tools)) {\n out[name] = wrapVercelTool(name, tool, cfg);\n }\n return out;\n}\n\nfunction deriveCatalogue(tools: Record<string, VercelTool>): CatalogueTool[] {\n return Object.entries(tools).map(([name, t]) => ({\n name,\n description: typeof t.description === 'string' ? t.description : '',\n schema: (t.inputSchema ?? t.parameters ?? {}) as Record<string, unknown>,\n }));\n}\n\nfunction safeJson(v: unknown): string {\n try {\n return JSON.stringify(v);\n } catch {\n return String(v);\n }\n}\n"],"mappings":";AAuCA,SAAS,eAAe,UAAgD;AACtE,SAAO,aAAa,WAAW,aAAa,YAAY,aAAa;AACvE;AASA,eAAsB,YACpB,OACA,SACA,cACA,OACA,SACA,OAA2B,CAAC,GACP;AACrB,QAAM,eAAe,KAAK,gBAAgB;AAC1C,QAAM,IAAI,MAAM,MAAM;AAAA,IACpB,EAAE,SAAS,YAAY,aAAa,cAAc,eAAe,OAAO,QAAQ;AAAA,IAChF,EAAE,aAAa,MAAM;AAAA,EACvB;AAEA,MAAI,EAAE,aAAa,YAAY;AAC7B,WAAO,EAAE,SAAS,eAAe,EAAE,QAAQ,GAAG,QAAQ,EAAE,QAAQ,YAAY,EAAE,cAAc,OAAU;AAAA,EACxG;AAGA,MAAI,iBAAiB,SAAS;AAC5B,WAAO,EAAE,SAAS,MAAM,QAAQ,EAAE,UAAU,4BAA4B,YAAY,EAAE,cAAc,OAAU;AAAA,EAChH;AACA,MAAI,iBAAiB,QAAQ;AAC3B,WAAO,EAAE,SAAS,OAAO,QAAQ,EAAE,UAAU,iDAA4C,YAAY,EAAE,cAAc,OAAU;AAAA,EACjI;AAEA,MAAI,CAAC,EAAE,YAAY;AACjB,WAAO,EAAE,SAAS,OAAO,QAAQ,uCAAuC,YAAY,OAAU;AAAA,EAChG;AACA,MAAI;AACF,UAAM,WAAW,MAAM,MAAM,0BAA0B,EAAE,YAAY,EAAE,WAAW,KAAK,oBAAoB,CAAC;AAC5G,WAAO,EAAE,SAAS,eAAe,SAAS,QAAQ,GAAG,QAAQ,SAAS,QAAQ,YAAY,SAAS,cAAc,EAAE,WAAW;AAAA,EAChI,QAAQ;AAEN,WAAO,EAAE,SAAS,OAAO,QAAQ,0CAA0C,YAAY,EAAE,WAAW;AAAA,EACtG;AACF;;;ACdO,SAAS,gBAAgB,OAAwB;AACtD,MAAI,UAAU,KAAM,QAAO;AAC3B,MAAI,UAAU,KAAM,QAAO;AAC3B,MAAI,UAAU,MAAO,QAAO;AAE5B,MAAI,OAAO,UAAU,UAAU;AAC7B,QAAI,CAAC,OAAO,SAAS,KAAK,GAAG;AAC3B,YAAM,IAAI,MAAM,qDAAqD;AAAA,IACvE;AAKA,WAAO,MAAM,SAAS;AAAA,EACxB;AAEA,MAAI,OAAO,UAAU,UAAU;AAC7B,WAAO,KAAK,UAAU,KAAK;AAAA,EAC7B;AAEA,MAAI,MAAM,QAAQ,KAAK,GAAG;AACxB,WAAO,MAAM,MAAM,IAAI,eAAe,EAAE,KAAK,GAAG,IAAI;AAAA,EACtD;AAEA,MAAI,OAAO,UAAU,UAAU;AAC7B,UAAM,MAAM;AAKZ,UAAM,OAAO,OAAO,KAAK,GAAG,EAAE,OAAO,OAAK,IAAI,CAAC,MAAM,MAAS,EAAE,KAAK;AACrE,UAAM,QAAQ,KAAK,IAAI,OAAK,KAAK,UAAU,CAAC,IAAI,MAAM,gBAAgB,IAAI,CAAC,CAAC,CAAC;AAC7E,WAAO,MAAM,MAAM,KAAK,GAAG,IAAI;AAAA,EACjC;AAGA,QAAM,IAAI,MAAM,4CAA4C,OAAO,KAAK,EAAE;AAC5E;AAIA,eAAe,UAAU,OAA6C;AACpE,QAAM,QAAQ,OAAO,UAAU,WAAW,IAAI,YAAY,EAAE,OAAO,KAAK,IAAI;AAI5E,QAAM,SAAU,WAAmB,QAAQ;AAC3C,MAAI,QAAQ;AACV,UAAM,MAAM,MAAM,OAAO,OAAO,WAAW,KAAK;AAChD,WAAO,MAAM,KAAK,IAAI,WAAW,GAAG,CAAC,EAClC,IAAI,OAAK,EAAE,SAAS,EAAE,EAAE,SAAS,GAAG,GAAG,CAAC,EACxC,KAAK,EAAE;AAAA,EACZ;AAGA,QAAM,aAAa,MAAM,OAAO,QAAa;AAC7C,SAAO,WAAW,WAAW,QAAQ,EAAE,OAAO,KAAK,EAAE,OAAO,KAAK;AACnE;AAWA,eAAsB,SAAS,MAAsC;AACnE,QAAM,aAAa;AAAA,IACjB,MAAM,KAAK;AAAA,IACX,aAAa,KAAK,eAAe;AAAA,IACjC,QAAQ,KAAK,UAAU,CAAC;AAAA,EAC1B;AACA,QAAM,MAAM,MAAM,UAAU,gBAAgB,UAAU,CAAC;AACvD,SAAO,UAAU,GAAG;AACtB;AAaA,eAAsB,kBAAkB,OAAyC;AAC/E,MAAI,MAAM,WAAW,GAAG;AAEtB,WAAO,UAAU,MAAM,UAAU,IAAI,CAAC;AAAA,EACxC;AACA,QAAM,UAAU,MAAM,QAAQ,IAAI,MAAM,IAAI,QAAQ,CAAC;AACrD,UAAQ,KAAK;AACb,QAAM,MAAM,MAAM,UAAU,QAAQ,KAAK,EAAE,CAAC;AAC5C,SAAO,UAAU,GAAG;AACtB;AAUA,eAAsB,iBAAiB,QAAiC;AACtE,QAAM,MAAM,MAAM,UAAU,MAAM;AAClC,SAAO,UAAU,GAAG;AACtB;AA+CA,eAAsB,qBACpB,QACwB;AACxB,QAAM,MAAqB,CAAC;AAC5B,MAAI,OAAO,aAAc,KAAI,gBAAgB,OAAO;AACpD,MAAI,OAAO,MAAO,KAAI,sBAAsB,MAAM,kBAAkB,OAAO,KAAK;AAChF,MAAI,OAAO,aAAc,KAAI,qBAAqB,MAAM,iBAAiB,OAAO,YAAY;AAC5F,SAAO;AACT;;;AClJA,SAAS,SAAS,GAAW,KAAqB;AAChD,SAAO,EAAE,SAAS,MAAM,EAAE,MAAM,GAAG,GAAG,IAAI,WAAM;AAClD;AAEA,eAAe,KACb,KACA,OACA,cACA,SACqE;AACrE,MAAI,IAAI,mBAAmB;AACzB,WAAO,YAAY,IAAI,OAAO,IAAI,SAAS,cAAc,OAAO,SAAS;AAAA,MACvE,cAAc,IAAI;AAAA,MAClB,qBAAqB,IAAI;AAAA,IAC3B,CAAC;AAAA,EACH;AACA,QAAM,EAAE,SAAS,OAAO,IAAI,MAAM,IAAI,MAAM,MAAM,IAAI,SAAS,KAAK;AACpE,SAAO,EAAE,SAAS,OAAO;AAC3B;AAEA,SAAS,UAAU,OAAiB,OAAwB,YAA2C;AACrG,MAAI,YAAY;AACd,UAAM,KAAK,KAAK,EAAE,MAAM,MAAM;AAAA,IAAC,CAAC;AAChC;AAAA,EACF;AACA,SAAO,MAAM,KAAK,KAAK,EAAE,KAAK,MAAM,MAAS,EAAE,MAAM,MAAM,MAAS;AACtE;AAGA,SAAS,iBAAiB,QAAgE;AACxF,MAAI,CAAC,OAAQ,QAAO,aAAa,CAAC;AAClC,MAAI,SAAwC;AAC5C,SAAO,MAAM;AACX,QAAI,CAAC,OAAQ,UAAS,qBAAqB,MAAM;AACjD,WAAO;AAAA,EACT;AACF;AAWO,SAAS,eAAe,MAAc,MAAkB,QAAuC;AACpG,QAAM,EAAE,OAAO,oBAAoB,iBAAiB,gBAAgB,CAAC,GAAG,aAAa,KAAK,IAAI;AAC9F,MAAI,OAAO,KAAK,YAAY,WAAY,QAAO;AAE/C,QAAM,kBAAkB,KAAK,QAAQ,KAAK,IAAI;AAC9C,QAAM,YAAY,iBAAiB,OAAO,MAAM;AAChD,QAAM,QAAQ,cAAc,IAAI,KAAK;AAErC,QAAM,UAAsB;AAAA,IAC1B,GAAG;AAAA,IACH,SAAS,OAAO,MAAW,YAAgC;AACzD,YAAM,EAAE,SAAS,QAAQ,WAAW,IAAI,MAAM,KAAK,QAAQ,OAAO,MAAM,IAA+B;AACvG,YAAM,YAAY,MAAM,UAAU;AAClC,YAAM,WAAW,SAAS,SAAS,IAAI,GAAG,GAAG;AAE7C,UAAI,CAAC,SAAS;AACZ,cAAM,UAAU,OAAO;AAAA,UACrB,UAAU,OAAO;AAAA,UACjB,YAAY;AAAA,UACZ,QAAQ;AAAA,UACR;AAAA,UACA,YAAY;AAAA,UACZ,QAAQ;AAAA,UACR,GAAI,aAAa,EAAE,aAAa,WAAW,IAAI,CAAC;AAAA,UAChD,UAAU,EAAE,QAAQ,WAAW,YAAY;AAAA,UAC3C,GAAG;AAAA,QACL,GAAG,UAAU;AACb,cAAM,IAAI,MAAM,iCAAiC,IAAI,mBAAc,KAAK,IAAI,SAAS,KAAK,MAAM,KAAK,EAAE,EAAE;AAAA,MAC3G;AAEA,YAAM,QAAQ,KAAK,IAAI;AACvB,UAAI;AACF,cAAM,SAAS,MAAM,gBAAgB,MAAM,OAAO;AAClD,cAAM,UAAU,OAAO;AAAA,UACrB,UAAU,OAAO;AAAA,UACjB,YAAY;AAAA,UACZ,QAAQ;AAAA,UACR;AAAA,UACA,YAAY;AAAA,UACZ,QAAQ;AAAA,UACR,YAAY,KAAK,IAAI,IAAI;AAAA,UACzB,GAAI,aAAa,EAAE,aAAa,WAAW,IAAI,CAAC;AAAA,UAChD,UAAU,EAAE,WAAW,YAAY;AAAA,UACnC,GAAG;AAAA,QACL,GAAG,UAAU;AACb,eAAO;AAAA,MACT,SAAS,KAAK;AACZ,cAAM,UAAU,OAAO;AAAA,UACrB,UAAU,OAAO;AAAA,UACjB,YAAY;AAAA,UACZ,QAAQ;AAAA,UACR;AAAA,UACA,YAAY;AAAA,UACZ,QAAQ;AAAA,UACR,YAAY,KAAK,IAAI,IAAI;AAAA,UACzB,YAAY,eAAe,QAAQ,IAAI,OAAO;AAAA,UAC9C,GAAI,aAAa,EAAE,aAAa,WAAW,IAAI,CAAC;AAAA,UAChD,UAAU,EAAE,OAAO,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG,GAAG,WAAW,YAAY;AAAA,UAC5F,GAAG;AAAA,QACL,GAAG,UAAU;AACb,cAAM;AAAA,MACR;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AACT;AAOO,SAAS,gBACd,OACA,QAC4B;AAE5B,QAAM,MACJ,OAAO,UAAU,CAAC,OAAO,OAAO,QAC5B,EAAE,GAAG,QAAQ,QAAQ,EAAE,GAAG,OAAO,QAAQ,OAAO,gBAAgB,KAAK,EAAE,EAAE,IACzE;AAEN,QAAM,MAAkC,CAAC;AACzC,aAAW,CAAC,MAAM,IAAI,KAAK,OAAO,QAAQ,KAAK,GAAG;AAChD,QAAI,IAAI,IAAI,eAAe,MAAM,MAAM,GAAG;AAAA,EAC5C;AACA,SAAO;AACT;AAEA,SAAS,gBAAgB,OAAoD;AAC3E,SAAO,OAAO,QAAQ,KAAK,EAAE,IAAI,CAAC,CAAC,MAAM,CAAC,OAAO;AAAA,IAC/C;AAAA,IACA,aAAa,OAAO,EAAE,gBAAgB,WAAW,EAAE,cAAc;AAAA,IACjE,QAAS,EAAE,eAAe,EAAE,cAAc,CAAC;AAAA,EAC7C,EAAE;AACJ;AAEA,SAAS,SAAS,GAAoB;AACpC,MAAI;AACF,WAAO,KAAK,UAAU,CAAC;AAAA,EACzB,QAAQ;AACN,WAAO,OAAO,CAAC;AAAA,EACjB;AACF;","names":[]}

package/dist/types-B22WnXEW.d.cts ADDED Viewed

@@ -0,0 +1,234 @@
+type AgentStatus = 'pending' | 'active' | 'suspended' | 'revoked' | 'expired';
+interface Agent {
+    id: string;
+    agent_id: string;
+    org_id: string;
+    owner_user_id: string;
+    name: string;
+    description?: string;
+    status: AgentStatus;
+    key_fingerprint: string;
+    trust_score: number;
+    capabilities: string[];
+    metadata: Record<string, unknown>;
+    expires_at?: string;
+    created_at: string;
+    updated_at: string;
+    revoked_at?: string;
+    revoked_by?: string;
+}
+interface AgentRegistrationInput {
+    name: string;
+    description?: string;
+    capabilities: string[];
+    scopes: PermissionScope[];
+}
+interface AgentRegistrationResult {
+    agent: Agent;
+    private_key: string;
+    public_key: string;
+    key_fingerprint: string;
+}
+type PermissionScope = 'agent:read' | 'agent:write' | 'agent:execute' | 'agent:transact' | 'agent:communicate' | 'agent:delegate' | 'agent:elevate';
+interface PermissionCheckResult {
+    allowed: boolean;
+    scope: PermissionScope;
+    agent_id: string;
+    reason?: string;
+    remaining_quota?: number;
+}
+type AuditEventType = 'tool_call' | 'api_request' | 'message_sent' | 'permission_change' | 'status_change' | 'key_rotation' | 'login' | 'export';
+type AuditResult = 'success' | 'denied' | 'error';
+interface AuditEventInput {
+    agent_id: string;
+    event_type: AuditEventType;
+    action: string;
+    resource?: string;
+    input_hash?: string;
+    output_hash?: string;
+    permission?: PermissionScope;
+    result: AuditResult;
+    latency_ms?: number;
+    error_code?: string;
+    signature?: string;
+    metadata?: Record<string, unknown>;
+    /**
+     * Replayable agent decision evidence (VAIP -02 schema fields).
+     *
+     * Stored and exported but NOT covered by the v0 canonical signature
+     * form. They will enter canonical bytes in v1 (RFC 8785 JCS) in a
+     * follow-up release. Until then, advisory.
+     *
+     * Use the helpers from this package to compute the hashes:
+     *   - {@link hashToolCatalogue}
+     *   - {@link hashSystemPrompt}
+     */
+    model_version?: string;
+    tool_catalogue_hash?: string;
+    system_prompt_hash?: string;
+    prev_event_hash?: string;
+    /**
+     * Canonical-form recipe the `signature` was computed over.
+     * Absent/null ↔ 'v0' (pipe-joined six-field form). Set to 'v1' for
+     * RFC 8785 JCS over the full event minus signature and canonical_form.
+     * The SDK sets this automatically when {@link VorimConfig.canonicalForm}
+     * is `"v1"`; you can also pass it on a per-event basis.
+     */
+    canonical_form?: 'v0' | 'v1';
+    /**
+     * Per-event delegation context (VAIP -02 § 6). Populated by the
+     * server when the emitting agent is acting via a delegation chain;
+     * callers may also set these manually for events recorded outside
+     * the standard delegation flow. v1 signatures cover these fields.
+     */
+    on_behalf_of?: string;
+    delegator_agent_id?: string;
+    delegation_chain_id?: string;
+    delegation_depth?: number;
+    /**
+     * Runtime-control linkage. When this action was gated through
+     * {@link VorimSDK.beforeAction} before being performed, pass the
+     * returned `decisionId` here (the SDK maps it to `decision_id` on the
+     * wire) so the audit event links back to the runtime decision that
+     * authorised it.
+     */
+    decision_id?: string;
+}
+/**
+ * Claims structure for one VAIP -02 § 5 delegation link.
+ *
+ * Each delegation step in a chain is one of these objects, RFC 8785 JCS
+ * canonicalised and Ed25519-signed by the delegator. Mirrors the same
+ * type in `@vorim/shared-types`; duplicated here so the SDK ships zero
+ * runtime dependencies. Byte-equivalence with the shared definition is
+ * enforced by the cross-language parity script.
+ */
+interface DelegationLinkClaims {
+    v: 0;
+    type: 'vaip-delegation-link';
+    chain_id: string;
+    depth: number;
+    delegator: string;
+    delegate: string;
+    scopes: string[];
+    max_chain_depth: number;
+    valid_from: string;
+    valid_until: string | null;
+    parent_link_hash: string | null;
+}
+/**
+ * One step in an agent-to-agent identity delegation chain (VAIP -02 § 5).
+ *
+ * Returned by {@link VorimSDK.delegateToAgent} and the listing endpoints.
+ */
+interface AgentDelegationRecord {
+    /** Internal row id. */
+    id: string;
+    /** Public chain identifier (format `chain_<32hex>`). Stamped on
+     *  every audit event in this chain. */
+    publicChainId: string;
+    /** Organisation id. */
+    orgId: string;
+    /** Internal DB id of the delegator agent. */
+    delegatorAgentId: string;
+    /** Internal DB id of the delegate agent. */
+    delegateAgentId: string;
+    /** Public agent_id of the delegator (e.g. agid_acme_abc). */
+    delegatorAgentPublicId: string;
+    /** Public agent_id of the delegate. */
+    delegateAgentPublicId: string;
+    /** Scopes the delegate may exercise. */
+    scopesDelegated: string[];
+    /** How many further hops the delegate is permitted. */
+    maxChainDepth: number;
+    /** This step's depth from the root (root delegator step = 1). */
+    currentDepth: number;
+    /** Active / suspended / revoked / expired. */
+    status: 'active' | 'suspended' | 'revoked' | 'expired';
+    /** Parent delegation row (null for the root of an identity chain). */
+    parentDelegationId: string | null;
+    /** Public agent_id of the root principal of this chain. */
+    onBehalfOf: string;
+    /** ISO8601 creation timestamp. */
+    createdAt: string;
+    /** Optional ISO8601 expiry. */
+    validUntil: string | null;
+}
+interface TrustRecord {
+    agent_id: string;
+    owner: {
+        org_name: string;
+        verified: boolean;
+    };
+    trust_score: number;
+    status: AgentStatus;
+    created_at: string;
+    active_scopes: PermissionScope[];
+    key_fingerprint: string;
+    revocation_status: boolean;
+    last_active?: string;
+}
+/**
+ * The verdict a runtime decision can carry.
+ *
+ * - `allow`    — proceed with the action.
+ * - `deny`     — do NOT perform the action. {@link VorimSDK.beforeAction}
+ *                throws {@link VorimDeniedError} on this when `throwOnDeny`.
+ * - `modify`   — proceed, but with `modifiedPayload` instead of the
+ *                original payload (e.g. PII masked by a policy rule).
+ * - `escalate` — a human must approve. Poll
+ *                {@link VorimSDK.waitForDecisionResolution} for the outcome.
+ * - `fallback` — the engine could not decide (timeout / error) and the
+ *                org's fail-open/closed setting was applied. `isFallback`
+ *                is true. The SDK also returns this shape locally when the
+ *                decision API is unreachable and `runtimeFailOpen` is set.
+ */
+type DecisionVerdict = 'allow' | 'deny' | 'modify' | 'escalate' | 'fallback';
+/** Input to {@link VorimSDK.beforeAction}. Always use the public `agid_*` id. */
+interface BeforeActionInput {
+    /** Public agent identifier (`agid_*`). UUIDs are accepted but discouraged. */
+    agentId: string;
+    /** Coarse action category, e.g. `tool_call`, `api_request`. */
+    actionType: string;
+    /** Specific target, e.g. the tool name `sendEmail`. */
+    actionTarget?: string;
+    /** The action's arguments. Capped at 64KB serialised by the server. */
+    payload?: Record<string, unknown>;
+    /** Free-form context the policy engine may match on. */
+    context?: Record<string, unknown>;
+    /** Permission scope the action requires; checked against the agent's grants. */
+    requiredScope?: string;
+    /**
+     * Idempotency key. Pass the SAME key when retrying a failed request so
+     * the server returns the original decision instead of creating a new one.
+     */
+    idempotencyKey?: string;
+}
+/** A runtime decision, as returned by {@link VorimSDK.beforeAction}. */
+interface RuntimeDecision {
+    /** Server-assigned id. Carry into {@link AuditEventInput.decision_id}. */
+    decisionId: string;
+    decision: DecisionVerdict;
+    reason: string;
+    /** The policy rule that produced this decision, or null for defaults. */
+    decisionRuleId: string | null;
+    /** Present (object) when `decision === 'modify'`; null otherwise. */
+    modifiedPayload: Record<string, unknown> | null;
+    /** ISO8601 — after this the decision is stale and should not be relied on. */
+    expiresAt: string;
+    latencyMs: number;
+    /** True when the engine fell back (timeout/error/unreachable). */
+    isFallback: boolean;
+    policyVersion: number;
+    /**
+     * The human verdict on an escalation, once resolved by an operator:
+     * `'approved'`, `'denied'`, or `null` if not (yet) an escalation outcome.
+     *
+     * When this is set, {@link decision} is already translated for you
+     * (`approved` → `'allow'`, `denied` → `'deny'`) so the normal verdict
+     * checks work — this field is the raw resolution for callers who want it.
+     */
+    escalationResolution: 'approved' | 'denied' | null;
+}
+export type { AgentRegistrationResult as A, BeforeActionInput as B, DelegationLinkClaims as D, PermissionScope as P, RuntimeDecision as R, TrustRecord as T, AuditEventInput as a, AgentRegistrationInput as b, Agent as c, PermissionCheckResult as d, AgentDelegationRecord as e, AgentStatus as f, AuditEventType as g, AuditResult as h, DecisionVerdict as i };