@vorim/sdk 3.6.0 → 3.6.1

package/CHANGELOG.md

@@ -1,5 +1,40 @@
 # Changelog — @vorim/sdk
 
+## 3.6.1
+
+### Fixed
+
+- **Runtime `escalate` no longer fails closed silently.** The Vercel AI, OpenAI,
+  and Anthropic tool wrappers treated an `escalate` runtime verdict as a denial,
+  hard-failing every human-in-the-loop flow. They now resolve escalations via a
+  new `onEscalation` option:
+  - `wait` (default) — block and poll `waitForDecisionResolution`; proceed on a
+    human approval, fail **closed** on denial or timeout. Requires the
+    `runtime:decide` scope.
+  - `deny` — fail closed without waiting.
+  - `allow` — proceed (explicit fail-open; dev/trusted use only).
+  Add `escalationTimeoutMs` to bound the wait (default 300000).
+- **SIEM forwarder no longer crashes on a malformed `timestamp`.** A bad ISO
+  string previously threw `BigInt(NaN)` on the OTLP path (killing the batch) and
+  produced null/garbage timestamps on Splunk/Elasticsearch. All sinks now fall
+  back to `now()` on a missing/invalid timestamp.
+- **LangChain audit durability.** `emitAudit` honoured `asyncAudit` as a no-op
+  (always fire-and-forget); `asyncAudit: false` now actually awaits persistence.
+- SIEM `auditEventToOtel` substitutes placeholders instead of emitting
+  `undefined` in the log body when a direct caller omits required fields.
+
+## 3.6.0
+
+### Added — new framework integrations
+
+- **Vercel AI SDK** (`@vorim/sdk/integrations/vercel-ai`) — `wrapVercelTool` /
+  `wrapVercelTools` gate each tool call and sign the audit trail.
+- **LangGraph** (`@vorim/sdk/integrations/langgraph`) — `wrapGraphTool` /
+  `wrapGraphTools`, framework-tagged `langgraph`.
+- **SIEM forwarder** (`@vorim/sdk/integrations/siem`) — `createSiemForwarder`
+  ships audit events to OTLP/HTTP, Splunk HEC, or Elasticsearch.
+- LangChain wrapper gained a configurable `framework` tag.
+
 ## 3.5.0
 
 ### Added — Runtime Control (gate actions before they happen)

package/dist/_runtime-gate-DZQTkw4J.d.cts

@@ -0,0 +1,11 @@
+/**
+ * How a framework integration should treat a runtime `escalate` verdict.
+ * - `wait`  — block and poll {@link VorimSDK.waitForDecisionResolution} until a
+ *             human approves/denies (or the timeout elapses → deny). The correct
+ *             default for human-in-the-loop: an escalation means "ask a human".
+ * - `deny`  — treat escalate as a denial (fail closed without waiting).
+ * - `allow` — treat escalate as allowed (fail OPEN — only for trusted/dev use).
+ */
+type EscalationPolicy = 'wait' | 'deny' | 'allow';
+
+export type { EscalationPolicy as E };

package/dist/_runtime-gate-DZQTkw4J.d.ts

@@ -0,0 +1,11 @@
+/**
+ * How a framework integration should treat a runtime `escalate` verdict.
+ * - `wait`  — block and poll {@link VorimSDK.waitForDecisionResolution} until a
+ *             human approves/denies (or the timeout elapses → deny). The correct
+ *             default for human-in-the-loop: an escalation means "ask a human".
+ * - `deny`  — treat escalate as a denial (fail closed without waiting).
+ * - `allow` — treat escalate as allowed (fail OPEN — only for trusted/dev use).
+ */
+type EscalationPolicy = 'wait' | 'deny' | 'allow';
+
+export type { EscalationPolicy as E };

package/dist/index.cjs

@@ -117,7 +117,7 @@ async function prepareReplayContext(inputs) {
 }
 
 // src/index.ts
-var SDK_VERSION = true ? "3.6.0" : "0.0.0";
+var SDK_VERSION = true ? "3.6.1" : "0.0.0";
 var USER_AGENT = `vorim-sdk/${SDK_VERSION}`;
 function sleep(ms) {
   return new Promise((resolve) => setTimeout(resolve, ms));

package/dist/index.d.cts

@@ -1,235 +1,5 @@
-type AgentStatus = 'pending' | 'active' | 'suspended' | 'revoked' | 'expired';
-interface Agent {
-    id: string;
-    agent_id: string;
-    org_id: string;
-    owner_user_id: string;
-    name: string;
-    description?: string;
-    status: AgentStatus;
-    key_fingerprint: string;
-    trust_score: number;
-    capabilities: string[];
-    metadata: Record<string, unknown>;
-    expires_at?: string;
-    created_at: string;
-    updated_at: string;
-    revoked_at?: string;
-    revoked_by?: string;
-}
-interface AgentRegistrationInput {
-    name: string;
-    description?: string;
-    capabilities: string[];
-    scopes: PermissionScope[];
-}
-interface AgentRegistrationResult {
-    agent: Agent;
-    private_key: string;
-    public_key: string;
-    key_fingerprint: string;
-}
-type PermissionScope = 'agent:read' | 'agent:write' | 'agent:execute' | 'agent:transact' | 'agent:communicate' | 'agent:delegate' | 'agent:elevate';
-interface PermissionCheckResult {
-    allowed: boolean;
-    scope: PermissionScope;
-    agent_id: string;
-    reason?: string;
-    remaining_quota?: number;
-}
-type AuditEventType = 'tool_call' | 'api_request' | 'message_sent' | 'permission_change' | 'status_change' | 'key_rotation' | 'login' | 'export';
-type AuditResult = 'success' | 'denied' | 'error';
-interface AuditEventInput {
-    agent_id: string;
-    event_type: AuditEventType;
-    action: string;
-    resource?: string;
-    input_hash?: string;
-    output_hash?: string;
-    permission?: PermissionScope;
-    result: AuditResult;
-    latency_ms?: number;
-    error_code?: string;
-    signature?: string;
-    metadata?: Record<string, unknown>;
-    /**
-     * Replayable agent decision evidence (VAIP -02 schema fields).
-     *
-     * Stored and exported but NOT covered by the v0 canonical signature
-     * form. They will enter canonical bytes in v1 (RFC 8785 JCS) in a
-     * follow-up release. Until then, advisory.
-     *
-     * Use the helpers from this package to compute the hashes:
-     *   - {@link hashToolCatalogue}
-     *   - {@link hashSystemPrompt}
-     */
-    model_version?: string;
-    tool_catalogue_hash?: string;
-    system_prompt_hash?: string;
-    prev_event_hash?: string;
-    /**
-     * Canonical-form recipe the `signature` was computed over.
-     * Absent/null ↔ 'v0' (pipe-joined six-field form). Set to 'v1' for
-     * RFC 8785 JCS over the full event minus signature and canonical_form.
-     * The SDK sets this automatically when {@link VorimConfig.canonicalForm}
-     * is `"v1"`; you can also pass it on a per-event basis.
-     */
-    canonical_form?: 'v0' | 'v1';
-    /**
-     * Per-event delegation context (VAIP -02 § 6). Populated by the
-     * server when the emitting agent is acting via a delegation chain;
-     * callers may also set these manually for events recorded outside
-     * the standard delegation flow. v1 signatures cover these fields.
-     */
-    on_behalf_of?: string;
-    delegator_agent_id?: string;
-    delegation_chain_id?: string;
-    delegation_depth?: number;
-    /**
-     * Runtime-control linkage. When this action was gated through
-     * {@link VorimSDK.beforeAction} before being performed, pass the
-     * returned `decisionId` here (the SDK maps it to `decision_id` on the
-     * wire) so the audit event links back to the runtime decision that
-     * authorised it.
-     */
-    decision_id?: string;
-}
-/**
- * Claims structure for one VAIP -02 § 5 delegation link.
- *
- * Each delegation step in a chain is one of these objects, RFC 8785 JCS
- * canonicalised and Ed25519-signed by the delegator. Mirrors the same
- * type in `@vorim/shared-types`; duplicated here so the SDK ships zero
- * runtime dependencies. Byte-equivalence with the shared definition is
- * enforced by the cross-language parity script.
- */
-interface DelegationLinkClaims {
-    v: 0;
-    type: 'vaip-delegation-link';
-    chain_id: string;
-    depth: number;
-    delegator: string;
-    delegate: string;
-    scopes: string[];
-    max_chain_depth: number;
-    valid_from: string;
-    valid_until: string | null;
-    parent_link_hash: string | null;
-}
-/**
- * One step in an agent-to-agent identity delegation chain (VAIP -02 § 5).
- *
- * Returned by {@link VorimSDK.delegateToAgent} and the listing endpoints.
- */
-interface AgentDelegationRecord {
-    /** Internal row id. */
-    id: string;
-    /** Public chain identifier (format `chain_<32hex>`). Stamped on
-     *  every audit event in this chain. */
-    publicChainId: string;
-    /** Organisation id. */
-    orgId: string;
-    /** Internal DB id of the delegator agent. */
-    delegatorAgentId: string;
-    /** Internal DB id of the delegate agent. */
-    delegateAgentId: string;
-    /** Public agent_id of the delegator (e.g. agid_acme_abc). */
-    delegatorAgentPublicId: string;
-    /** Public agent_id of the delegate. */
-    delegateAgentPublicId: string;
-    /** Scopes the delegate may exercise. */
-    scopesDelegated: string[];
-    /** How many further hops the delegate is permitted. */
-    maxChainDepth: number;
-    /** This step's depth from the root (root delegator step = 1). */
-    currentDepth: number;
-    /** Active / suspended / revoked / expired. */
-    status: 'active' | 'suspended' | 'revoked' | 'expired';
-    /** Parent delegation row (null for the root of an identity chain). */
-    parentDelegationId: string | null;
-    /** Public agent_id of the root principal of this chain. */
-    onBehalfOf: string;
-    /** ISO8601 creation timestamp. */
-    createdAt: string;
-    /** Optional ISO8601 expiry. */
-    validUntil: string | null;
-}
-interface TrustRecord {
-    agent_id: string;
-    owner: {
-        org_name: string;
-        verified: boolean;
-    };
-    trust_score: number;
-    status: AgentStatus;
-    created_at: string;
-    active_scopes: PermissionScope[];
-    key_fingerprint: string;
-    revocation_status: boolean;
-    last_active?: string;
-}
-/**
- * The verdict a runtime decision can carry.
- *
- * - `allow`    — proceed with the action.
- * - `deny`     — do NOT perform the action. {@link VorimSDK.beforeAction}
- *                throws {@link VorimDeniedError} on this when `throwOnDeny`.
- * - `modify`   — proceed, but with `modifiedPayload` instead of the
- *                original payload (e.g. PII masked by a policy rule).
- * - `escalate` — a human must approve. Poll
- *                {@link VorimSDK.waitForDecisionResolution} for the outcome.
- * - `fallback` — the engine could not decide (timeout / error) and the
- *                org's fail-open/closed setting was applied. `isFallback`
- *                is true. The SDK also returns this shape locally when the
- *                decision API is unreachable and `runtimeFailOpen` is set.
- */
-type DecisionVerdict = 'allow' | 'deny' | 'modify' | 'escalate' | 'fallback';
-/** Input to {@link VorimSDK.beforeAction}. Always use the public `agid_*` id. */
-interface BeforeActionInput {
-    /** Public agent identifier (`agid_*`). UUIDs are accepted but discouraged. */
-    agentId: string;
-    /** Coarse action category, e.g. `tool_call`, `api_request`. */
-    actionType: string;
-    /** Specific target, e.g. the tool name `sendEmail`. */
-    actionTarget?: string;
-    /** The action's arguments. Capped at 64KB serialised by the server. */
-    payload?: Record<string, unknown>;
-    /** Free-form context the policy engine may match on. */
-    context?: Record<string, unknown>;
-    /** Permission scope the action requires; checked against the agent's grants. */
-    requiredScope?: string;
-    /**
-     * Idempotency key. Pass the SAME key when retrying a failed request so
-     * the server returns the original decision instead of creating a new one.
-     */
-    idempotencyKey?: string;
-}
-/** A runtime decision, as returned by {@link VorimSDK.beforeAction}. */
-interface RuntimeDecision {
-    /** Server-assigned id. Carry into {@link AuditEventInput.decision_id}. */
-    decisionId: string;
-    decision: DecisionVerdict;
-    reason: string;
-    /** The policy rule that produced this decision, or null for defaults. */
-    decisionRuleId: string | null;
-    /** Present (object) when `decision === 'modify'`; null otherwise. */
-    modifiedPayload: Record<string, unknown> | null;
-    /** ISO8601 — after this the decision is stale and should not be relied on. */
-    expiresAt: string;
-    latencyMs: number;
-    /** True when the engine fell back (timeout/error/unreachable). */
-    isFallback: boolean;
-    policyVersion: number;
-    /**
-     * The human verdict on an escalation, once resolved by an operator:
-     * `'approved'`, `'denied'`, or `null` if not (yet) an escalation outcome.
-     *
-     * When this is set, {@link decision} is already translated for you
-     * (`approved` → `'allow'`, `denied` → `'deny'`) so the normal verdict
-     * checks work — this field is the raw resolution for callers who want it.
-     */
-    escalationResolution: 'approved' | 'denied' | null;
-}
+import { R as RuntimeDecision, b as AgentRegistrationInput, A as AgentRegistrationResult, T as TrustRecord, c as Agent, P as PermissionScope, d as PermissionCheckResult, D as DelegationLinkClaims, e as AgentDelegationRecord, B as BeforeActionInput, a as AuditEventInput } from './types-B22WnXEW.cjs';
+export { f as AgentStatus, g as AuditEventType, h as AuditResult, i as DecisionVerdict } from './types-B22WnXEW.cjs';
 
 /**
  * Replayable agent decision evidence helpers.
@@ -931,4 +701,4 @@ declare class VorimDeniedError extends VorimError {
 }
 declare function createVorim(config: VorimConfig): VorimSDK;
 
-export { type Agent, type AgentDelegationRecord, type AgentRegistrationInput, type AgentRegistrationResult, type AgentStatus, type AuditEventInput, type AuditEventType, type AuditResult, type BeforeActionInput, CANONICAL_TOOL_CATALOGUE_VERSION, type CatalogueTool, type DecisionVerdict, type DelegationLinkClaims, type PermissionCheckResult, type PermissionScope, type ReplayContext, type ReplayInputs, type RuntimeDecision, type TrustRecord, type VorimConfig, VorimDeniedError, VorimError, VorimSDK, canonicalPayloadV0, canonicalPayloadV1, createVorim as default, hashPreviousEvent, hashSystemPrompt, hashTool, hashToolCatalogue, jcsCanonicalise, prepareReplayContext };
+export { Agent, AgentDelegationRecord, AgentRegistrationInput, AgentRegistrationResult, AuditEventInput, BeforeActionInput, CANONICAL_TOOL_CATALOGUE_VERSION, type CatalogueTool, DelegationLinkClaims, PermissionCheckResult, PermissionScope, type ReplayContext, type ReplayInputs, RuntimeDecision, TrustRecord, type VorimConfig, VorimDeniedError, VorimError, VorimSDK, canonicalPayloadV0, canonicalPayloadV1, createVorim as default, hashPreviousEvent, hashSystemPrompt, hashTool, hashToolCatalogue, jcsCanonicalise, prepareReplayContext };

package/dist/index.d.ts

@@ -1,235 +1,5 @@
-type AgentStatus = 'pending' | 'active' | 'suspended' | 'revoked' | 'expired';
-interface Agent {
-    id: string;
-    agent_id: string;
-    org_id: string;
-    owner_user_id: string;
-    name: string;
-    description?: string;
-    status: AgentStatus;
-    key_fingerprint: string;
-    trust_score: number;
-    capabilities: string[];
-    metadata: Record<string, unknown>;
-    expires_at?: string;
-    created_at: string;
-    updated_at: string;
-    revoked_at?: string;
-    revoked_by?: string;
-}
-interface AgentRegistrationInput {
-    name: string;
-    description?: string;
-    capabilities: string[];
-    scopes: PermissionScope[];
-}
-interface AgentRegistrationResult {
-    agent: Agent;
-    private_key: string;
-    public_key: string;
-    key_fingerprint: string;
-}
-type PermissionScope = 'agent:read' | 'agent:write' | 'agent:execute' | 'agent:transact' | 'agent:communicate' | 'agent:delegate' | 'agent:elevate';
-interface PermissionCheckResult {
-    allowed: boolean;
-    scope: PermissionScope;
-    agent_id: string;
-    reason?: string;
-    remaining_quota?: number;
-}
-type AuditEventType = 'tool_call' | 'api_request' | 'message_sent' | 'permission_change' | 'status_change' | 'key_rotation' | 'login' | 'export';
-type AuditResult = 'success' | 'denied' | 'error';
-interface AuditEventInput {
-    agent_id: string;
-    event_type: AuditEventType;
-    action: string;
-    resource?: string;
-    input_hash?: string;
-    output_hash?: string;
-    permission?: PermissionScope;
-    result: AuditResult;
-    latency_ms?: number;
-    error_code?: string;
-    signature?: string;
-    metadata?: Record<string, unknown>;
-    /**
-     * Replayable agent decision evidence (VAIP -02 schema fields).
-     *
-     * Stored and exported but NOT covered by the v0 canonical signature
-     * form. They will enter canonical bytes in v1 (RFC 8785 JCS) in a
-     * follow-up release. Until then, advisory.
-     *
-     * Use the helpers from this package to compute the hashes:
-     *   - {@link hashToolCatalogue}
-     *   - {@link hashSystemPrompt}
-     */
-    model_version?: string;
-    tool_catalogue_hash?: string;
-    system_prompt_hash?: string;
-    prev_event_hash?: string;
-    /**
-     * Canonical-form recipe the `signature` was computed over.
-     * Absent/null ↔ 'v0' (pipe-joined six-field form). Set to 'v1' for
-     * RFC 8785 JCS over the full event minus signature and canonical_form.
-     * The SDK sets this automatically when {@link VorimConfig.canonicalForm}
-     * is `"v1"`; you can also pass it on a per-event basis.
-     */
-    canonical_form?: 'v0' | 'v1';
-    /**
-     * Per-event delegation context (VAIP -02 § 6). Populated by the
-     * server when the emitting agent is acting via a delegation chain;
-     * callers may also set these manually for events recorded outside
-     * the standard delegation flow. v1 signatures cover these fields.
-     */
-    on_behalf_of?: string;
-    delegator_agent_id?: string;
-    delegation_chain_id?: string;
-    delegation_depth?: number;
-    /**
-     * Runtime-control linkage. When this action was gated through
-     * {@link VorimSDK.beforeAction} before being performed, pass the
-     * returned `decisionId` here (the SDK maps it to `decision_id` on the
-     * wire) so the audit event links back to the runtime decision that
-     * authorised it.
-     */
-    decision_id?: string;
-}
-/**
- * Claims structure for one VAIP -02 § 5 delegation link.
- *
- * Each delegation step in a chain is one of these objects, RFC 8785 JCS
- * canonicalised and Ed25519-signed by the delegator. Mirrors the same
- * type in `@vorim/shared-types`; duplicated here so the SDK ships zero
- * runtime dependencies. Byte-equivalence with the shared definition is
- * enforced by the cross-language parity script.
- */
-interface DelegationLinkClaims {
-    v: 0;
-    type: 'vaip-delegation-link';
-    chain_id: string;
-    depth: number;
-    delegator: string;
-    delegate: string;
-    scopes: string[];
-    max_chain_depth: number;
-    valid_from: string;
-    valid_until: string | null;
-    parent_link_hash: string | null;
-}
-/**
- * One step in an agent-to-agent identity delegation chain (VAIP -02 § 5).
- *
- * Returned by {@link VorimSDK.delegateToAgent} and the listing endpoints.
- */
-interface AgentDelegationRecord {
-    /** Internal row id. */
-    id: string;
-    /** Public chain identifier (format `chain_<32hex>`). Stamped on
-     *  every audit event in this chain. */
-    publicChainId: string;
-    /** Organisation id. */
-    orgId: string;
-    /** Internal DB id of the delegator agent. */
-    delegatorAgentId: string;
-    /** Internal DB id of the delegate agent. */
-    delegateAgentId: string;
-    /** Public agent_id of the delegator (e.g. agid_acme_abc). */
-    delegatorAgentPublicId: string;
-    /** Public agent_id of the delegate. */
-    delegateAgentPublicId: string;
-    /** Scopes the delegate may exercise. */
-    scopesDelegated: string[];
-    /** How many further hops the delegate is permitted. */
-    maxChainDepth: number;
-    /** This step's depth from the root (root delegator step = 1). */
-    currentDepth: number;
-    /** Active / suspended / revoked / expired. */
-    status: 'active' | 'suspended' | 'revoked' | 'expired';
-    /** Parent delegation row (null for the root of an identity chain). */
-    parentDelegationId: string | null;
-    /** Public agent_id of the root principal of this chain. */
-    onBehalfOf: string;
-    /** ISO8601 creation timestamp. */
-    createdAt: string;
-    /** Optional ISO8601 expiry. */
-    validUntil: string | null;
-}
-interface TrustRecord {
-    agent_id: string;
-    owner: {
-        org_name: string;
-        verified: boolean;
-    };
-    trust_score: number;
-    status: AgentStatus;
-    created_at: string;
-    active_scopes: PermissionScope[];
-    key_fingerprint: string;
-    revocation_status: boolean;
-    last_active?: string;
-}
-/**
- * The verdict a runtime decision can carry.
- *
- * - `allow`    — proceed with the action.
- * - `deny`     — do NOT perform the action. {@link VorimSDK.beforeAction}
- *                throws {@link VorimDeniedError} on this when `throwOnDeny`.
- * - `modify`   — proceed, but with `modifiedPayload` instead of the
- *                original payload (e.g. PII masked by a policy rule).
- * - `escalate` — a human must approve. Poll
- *                {@link VorimSDK.waitForDecisionResolution} for the outcome.
- * - `fallback` — the engine could not decide (timeout / error) and the
- *                org's fail-open/closed setting was applied. `isFallback`
- *                is true. The SDK also returns this shape locally when the
- *                decision API is unreachable and `runtimeFailOpen` is set.
- */
-type DecisionVerdict = 'allow' | 'deny' | 'modify' | 'escalate' | 'fallback';
-/** Input to {@link VorimSDK.beforeAction}. Always use the public `agid_*` id. */
-interface BeforeActionInput {
-    /** Public agent identifier (`agid_*`). UUIDs are accepted but discouraged. */
-    agentId: string;
-    /** Coarse action category, e.g. `tool_call`, `api_request`. */
-    actionType: string;
-    /** Specific target, e.g. the tool name `sendEmail`. */
-    actionTarget?: string;
-    /** The action's arguments. Capped at 64KB serialised by the server. */
-    payload?: Record<string, unknown>;
-    /** Free-form context the policy engine may match on. */
-    context?: Record<string, unknown>;
-    /** Permission scope the action requires; checked against the agent's grants. */
-    requiredScope?: string;
-    /**
-     * Idempotency key. Pass the SAME key when retrying a failed request so
-     * the server returns the original decision instead of creating a new one.
-     */
-    idempotencyKey?: string;
-}
-/** A runtime decision, as returned by {@link VorimSDK.beforeAction}. */
-interface RuntimeDecision {
-    /** Server-assigned id. Carry into {@link AuditEventInput.decision_id}. */
-    decisionId: string;
-    decision: DecisionVerdict;
-    reason: string;
-    /** The policy rule that produced this decision, or null for defaults. */
-    decisionRuleId: string | null;
-    /** Present (object) when `decision === 'modify'`; null otherwise. */
-    modifiedPayload: Record<string, unknown> | null;
-    /** ISO8601 — after this the decision is stale and should not be relied on. */
-    expiresAt: string;
-    latencyMs: number;
-    /** True when the engine fell back (timeout/error/unreachable). */
-    isFallback: boolean;
-    policyVersion: number;
-    /**
-     * The human verdict on an escalation, once resolved by an operator:
-     * `'approved'`, `'denied'`, or `null` if not (yet) an escalation outcome.
-     *
-     * When this is set, {@link decision} is already translated for you
-     * (`approved` → `'allow'`, `denied` → `'deny'`) so the normal verdict
-     * checks work — this field is the raw resolution for callers who want it.
-     */
-    escalationResolution: 'approved' | 'denied' | null;
-}
+import { R as RuntimeDecision, b as AgentRegistrationInput, A as AgentRegistrationResult, T as TrustRecord, c as Agent, P as PermissionScope, d as PermissionCheckResult, D as DelegationLinkClaims, e as AgentDelegationRecord, B as BeforeActionInput, a as AuditEventInput } from './types-B22WnXEW.js';
+export { f as AgentStatus, g as AuditEventType, h as AuditResult, i as DecisionVerdict } from './types-B22WnXEW.js';
 
 /**
  * Replayable agent decision evidence helpers.
@@ -931,4 +701,4 @@ declare class VorimDeniedError extends VorimError {
 }
 declare function createVorim(config: VorimConfig): VorimSDK;
 
-export { type Agent, type AgentDelegationRecord, type AgentRegistrationInput, type AgentRegistrationResult, type AgentStatus, type AuditEventInput, type AuditEventType, type AuditResult, type BeforeActionInput, CANONICAL_TOOL_CATALOGUE_VERSION, type CatalogueTool, type DecisionVerdict, type DelegationLinkClaims, type PermissionCheckResult, type PermissionScope, type ReplayContext, type ReplayInputs, type RuntimeDecision, type TrustRecord, type VorimConfig, VorimDeniedError, VorimError, VorimSDK, canonicalPayloadV0, canonicalPayloadV1, createVorim as default, hashPreviousEvent, hashSystemPrompt, hashTool, hashToolCatalogue, jcsCanonicalise, prepareReplayContext };
+export { Agent, AgentDelegationRecord, AgentRegistrationInput, AgentRegistrationResult, AuditEventInput, BeforeActionInput, CANONICAL_TOOL_CATALOGUE_VERSION, type CatalogueTool, DelegationLinkClaims, PermissionCheckResult, PermissionScope, type ReplayContext, type ReplayInputs, RuntimeDecision, TrustRecord, type VorimConfig, VorimDeniedError, VorimError, VorimSDK, canonicalPayloadV0, canonicalPayloadV1, createVorim as default, hashPreviousEvent, hashSystemPrompt, hashTool, hashToolCatalogue, jcsCanonicalise, prepareReplayContext };

package/dist/index.js

@@ -69,7 +69,7 @@ async function prepareReplayContext(inputs) {
 }
 
 // src/index.ts
-var SDK_VERSION = true ? "3.6.0" : "0.0.0";
+var SDK_VERSION = true ? "3.6.1" : "0.0.0";
 var USER_AGENT = `vorim-sdk/${SDK_VERSION}`;
 function sleep(ms) {
   return new Promise((resolve) => setTimeout(resolve, ms));

package/dist/integrations/anthropic.cjs

@@ -36,6 +36,36 @@ __export(anthropic_exports, {
 });
 module.exports = __toCommonJS(anthropic_exports);
 
+// src/integrations/_runtime-gate.ts
+function isAllowVerdict(decision) {
+  return decision === "allow" || decision === "modify" || decision === "fallback";
+}
+async function runtimeGate(vorim, agentId, actionTarget, scope, payload, opts = {}) {
+  const onEscalation = opts.onEscalation ?? "wait";
+  const d = await vorim.beforeAction(
+    { agentId, actionType: "tool_call", actionTarget, requiredScope: scope, payload },
+    { throwOnDeny: false }
+  );
+  if (d.decision !== "escalate") {
+    return { allowed: isAllowVerdict(d.decision), reason: d.reason, decisionId: d.decisionId || void 0 };
+  }
+  if (onEscalation === "allow") {
+    return { allowed: true, reason: d.reason ?? "escalated (auto-allowed)", decisionId: d.decisionId || void 0 };
+  }
+  if (onEscalation === "deny") {
+    return { allowed: false, reason: d.reason ?? "escalated (auto-denied \u2014 awaiting human)", decisionId: d.decisionId || void 0 };
+  }
+  if (!d.decisionId) {
+    return { allowed: false, reason: "escalated but no decisionId to poll", decisionId: void 0 };
+  }
+  try {
+    const resolved = await vorim.waitForDecisionResolution(d.decisionId, { timeoutMs: opts.escalationTimeoutMs });
+    return { allowed: isAllowVerdict(resolved.decision), reason: resolved.reason, decisionId: resolved.decisionId || d.decisionId };
+  } catch {
+    return { allowed: false, reason: "escalation not resolved before timeout", decisionId: d.decisionId };
+  }
+}
+
 // src/replay.ts
 function jcsCanonicalise(value) {
   if (value === null) return "null";
@@ -108,6 +138,8 @@ var VorimToolRegistry = class {
   defaultPermission;
   asyncAudit;
   useRuntimeControl;
+  onEscalation;
+  escalationTimeoutMs;
   tools = /* @__PURE__ */ new Map();
   replayInputs;
   replayCache = null;
@@ -117,20 +149,17 @@ var VorimToolRegistry = class {
     this.defaultPermission = config.defaultPermission ?? "agent:execute";
     this.asyncAudit = config.asyncAudit ?? true;
     this.useRuntimeControl = config.useRuntimeControl ?? false;
+    this.onEscalation = config.onEscalation;
+    this.escalationTimeoutMs = config.escalationTimeoutMs;
     this.replayInputs = config.replay;
   }
   /** Gate a tool call: runtime decision (with decisionId) or permission check. */
   async gate(scope, actionTarget, payload) {
     if (this.useRuntimeControl) {
-      const d = await this.vorim.beforeAction(
-        { agentId: this.agentId, actionType: "tool_call", actionTarget, requiredScope: scope, payload },
-        { throwOnDeny: false }
-      );
-      return {
-        allowed: d.decision === "allow" || d.decision === "modify" || d.decision === "fallback",
-        reason: d.reason,
-        decisionId: d.decisionId || void 0
-      };
+      return runtimeGate(this.vorim, this.agentId, actionTarget, scope, payload, {
+        onEscalation: this.onEscalation,
+        escalationTimeoutMs: this.escalationTimeoutMs
+      });
     }
     const { allowed, reason } = await this.vorim.check(this.agentId, scope);
     return { allowed, reason };