@vorionsys/a3i 0.1.0

package/dist/api/routes.d.ts

@@ -0,0 +1,41 @@
+/**
+ * API Routes - Route definitions for A3I HTTP API
+ */
+import { Hono } from 'hono';
+import { type ApiKeyConfig, type RateLimitConfig, type CorsConfig } from './middleware.js';
+import { type HandlerContext } from './handlers.js';
+/**
+ * API configuration options
+ */
+export interface ApiConfig {
+    /** API key configuration */
+    apiKey?: Partial<ApiKeyConfig>;
+    /** Rate limiting configuration */
+    rateLimit?: RateLimitConfig;
+    /** CORS configuration */
+    cors?: CorsConfig;
+    /** Maximum request body size in bytes */
+    maxBodySize?: number;
+    /** Handler context with services */
+    context?: Partial<HandlerContext>;
+    /** Base path for all routes (default: /api/v1) */
+    basePath?: string;
+}
+/**
+ * Default API configuration
+ */
+export declare const DEFAULT_API_CONFIG: Required<ApiConfig>;
+/**
+ * Create the A3I API application
+ */
+export declare function createApi(config?: ApiConfig): Hono;
+/**
+ * Create API with handler context (for testing)
+ */
+export declare function createApiWithContext(context: HandlerContext, config?: Omit<ApiConfig, 'context'>): Hono;
+/**
+ * Export types for consumers
+ */
+export type { HandlerContext };
+export { createHandlers, type Handlers } from './handlers.js';
+//# sourceMappingURL=routes.d.ts.map

package/dist/api/routes.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"routes.d.ts","sourceRoot":"","sources":["../../src/api/routes.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAC5B,OAAO,EAQL,KAAK,YAAY,EACjB,KAAK,eAAe,EACpB,KAAK,UAAU,EAChB,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAAkB,KAAK,cAAc,EAAE,MAAM,eAAe,CAAC;AAIpE;;GAEG;AACH,MAAM,WAAW,SAAS;IACxB,4BAA4B;IAC5B,MAAM,CAAC,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC;IAC/B,kCAAkC;IAClC,SAAS,CAAC,EAAE,eAAe,CAAC;IAC5B,yBAAyB;IACzB,IAAI,CAAC,EAAE,UAAU,CAAC;IAClB,yCAAyC;IACzC,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,oCAAoC;IACpC,OAAO,CAAC,EAAE,OAAO,CAAC,cAAc,CAAC,CAAC;IAClC,kDAAkD;IAClD,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,eAAO,MAAM,kBAAkB,EAAE,QAAQ,CAAC,SAAS,CAkBlD,CAAC;AAEF;;GAEG;AACH,wBAAgB,SAAS,CAAC,MAAM,GAAE,SAAc,GAAG,IAAI,CA6DtD;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAClC,OAAO,EAAE,cAAc,EACvB,MAAM,GAAE,IAAI,CAAC,SAAS,EAAE,SAAS,CAAM,GACtC,IAAI,CAEN;AAED;;GAEG;AACH,YAAY,EAAE,cAAc,EAAE,CAAC;AAC/B,OAAO,EAAE,cAAc,EAAE,KAAK,QAAQ,EAAE,MAAM,eAAe,CAAC"}

package/dist/api/routes.js

@@ -0,0 +1,91 @@
+/**
+ * API Routes - Route definitions for A3I HTTP API
+ */
+import { Hono } from 'hono';
+import { apiKeyAuth, timing, requestId, errorHandler, rateLimit, cors, bodyLimit, } from './middleware.js';
+import { createHandlers } from './handlers.js';
+import { TrustProfileService } from '../trust/profile-service.js';
+import { AuthorizationEngine } from '../authorization/engine.js';
+/**
+ * Default API configuration
+ */
+export const DEFAULT_API_CONFIG = {
+    apiKey: {
+        headerName: 'X-API-Key',
+        validKeys: new Set(['development-key']),
+        allowUnauthenticated: true,
+    },
+    rateLimit: {
+        limit: 100,
+        windowMs: 60000, // 1 minute
+    },
+    cors: {
+        origin: '*',
+        methods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'],
+        credentials: false,
+    },
+    maxBodySize: 1024 * 1024, // 1MB
+    context: {},
+    basePath: '/api/v1',
+};
+/**
+ * Create the A3I API application
+ */
+export function createApi(config = {}) {
+    const mergedConfig = {
+        ...DEFAULT_API_CONFIG,
+        ...config,
+        apiKey: { ...DEFAULT_API_CONFIG.apiKey, ...config.apiKey },
+        cors: { ...DEFAULT_API_CONFIG.cors, ...config.cors },
+    };
+    // Create services if not provided
+    const profileService = config.context?.profileService ?? new TrustProfileService();
+    const authEngine = config.context?.authEngine ?? new AuthorizationEngine({ profileService });
+    const context = {
+        profileService,
+        authEngine,
+    };
+    const handlers = createHandlers(context);
+    const app = new Hono();
+    // Apply global middleware
+    app.use('*', cors(mergedConfig.cors));
+    app.use('*', timing);
+    app.use('*', requestId);
+    app.use('*', errorHandler);
+    app.use('*', bodyLimit(mergedConfig.maxBodySize));
+    app.use('*', rateLimit(mergedConfig.rateLimit));
+    app.use('*', apiKeyAuth(mergedConfig.apiKey));
+    const basePath = mergedConfig.basePath;
+    // Health check (no auth required)
+    app.get(`${basePath}/health`, handlers.health);
+    // Service info
+    app.get(`${basePath}/info`, handlers.info);
+    // Authorization endpoint
+    app.post(`${basePath}/authorize`, handlers.authorize);
+    // Trust profile endpoints
+    app.get(`${basePath}/trust`, handlers.listTrustProfiles);
+    app.get(`${basePath}/trust/:agentId`, handlers.getTrustProfile);
+    app.get(`${basePath}/trust/:agentId/history`, handlers.getTrustHistory);
+    app.post(`${basePath}/trust/calculate`, handlers.calculateTrust);
+    app.delete(`${basePath}/trust/:agentId`, handlers.deleteTrustProfile);
+    // Band configuration
+    app.get(`${basePath}/bands`, handlers.getBands);
+    // 404 handler
+    app.notFound((c) => {
+        return c.json({
+            error: {
+                code: 'NOT_FOUND',
+                message: `Route ${c.req.method} ${c.req.path} not found`,
+            },
+        }, 404);
+    });
+    return app;
+}
+/**
+ * Create API with handler context (for testing)
+ */
+export function createApiWithContext(context, config = {}) {
+    return createApi({ ...config, context });
+}
+export { createHandlers } from './handlers.js';
+//# sourceMappingURL=routes.js.map

package/dist/api/routes.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"routes.js","sourceRoot":"","sources":["../../src/api/routes.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAC5B,OAAO,EACL,UAAU,EACV,MAAM,EACN,SAAS,EACT,YAAY,EACZ,SAAS,EACT,IAAI,EACJ,SAAS,GAIV,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAAE,cAAc,EAAuB,MAAM,eAAe,CAAC;AACpE,OAAO,EAAE,mBAAmB,EAAE,MAAM,6BAA6B,CAAC;AAClE,OAAO,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AAoBjE;;GAEG;AACH,MAAM,CAAC,MAAM,kBAAkB,GAAwB;IACrD,MAAM,EAAE;QACN,UAAU,EAAE,WAAW;QACvB,SAAS,EAAE,IAAI,GAAG,CAAC,CAAC,iBAAiB,CAAC,CAAC;QACvC,oBAAoB,EAAE,IAAI;KAC3B;IACD,SAAS,EAAE;QACT,KAAK,EAAE,GAAG;QACV,QAAQ,EAAE,KAAK,EAAE,WAAW;KAC7B;IACD,IAAI,EAAE;QACJ,MAAM,EAAE,GAAG;QACX,OAAO,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,SAAS,CAAC;QACpD,WAAW,EAAE,KAAK;KACnB;IACD,WAAW,EAAE,IAAI,GAAG,IAAI,EAAE,MAAM;IAChC,OAAO,EAAE,EAAE;IACX,QAAQ,EAAE,SAAS;CACpB,CAAC;AAEF;;GAEG;AACH,MAAM,UAAU,SAAS,CAAC,SAAoB,EAAE;IAC9C,MAAM,YAAY,GAAG;QACnB,GAAG,kBAAkB;QACrB,GAAG,MAAM;QACT,MAAM,EAAE,EAAE,GAAG,kBAAkB,CAAC,MAAM,EAAE,GAAG,MAAM,CAAC,MAAM,EAAE;QAC1D,IAAI,EAAE,EAAE,GAAG,kBAAkB,CAAC,IAAI,EAAE,GAAG,MAAM,CAAC,IAAI,EAAE;KACrD,CAAC;IAEF,kCAAkC;IAClC,MAAM,cAAc,GAAG,MAAM,CAAC,OAAO,EAAE,cAAc,IAAI,IAAI,mBAAmB,EAAE,CAAC;IACnF,MAAM,UAAU,GAAG,MAAM,CAAC,OAAO,EAAE,UAAU,IAAI,IAAI,mBAAmB,CAAC,EAAE,cAAc,EAAE,CAAC,CAAC;IAE7F,MAAM,OAAO,GAAmB;QAC9B,cAAc;QACd,UAAU;KACX,CAAC;IAEF,MAAM,QAAQ,GAAG,cAAc,CAAC,OAAO,CAAC,CAAC;IACzC,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;IAEvB,0BAA0B;IAC1B,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC;IACtC,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;IACrB,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;IACxB,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC;IAC3B,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,SAAS,CAAC,YAAY,CAAC,WAAW,CAAC,CAAC,CAAC;IAClD,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,SAAS,CAAC,YAAY,CAAC,SAAS,CAAC,CAAC,CAAC;IAChD,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,UAAU,CAAC,YAAY,CAAC,MAAsB,CAAC,CAAC,CAAC;IAE9D,MAAM,QAAQ,GAAG,YAAY,CAAC,QAAQ,CAAC;IAEvC,kCAAkC;IAClC,GAAG,CAAC,GAAG,CAAC,GAAG,QAAQ,SAAS,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC;IAE/C,eAAe;IACf,GAAG,CAAC,GAAG,CAAC,GAAG,QAAQ,OAAO,EAAE,QAAQ,CAAC,IAAI,CAAC,CAAC;IAE3C,yBAAyB;IACzB,GAAG,CAAC,IAAI,CAAC,GAAG,QAAQ,YAAY,EAAE,QAAQ,CAAC,SAAS,CAAC,CAAC;IAEtD,0BAA0B;IAC1B,GAAG,CAAC,GAAG,CAAC,GAAG,QAAQ,QAAQ,EAAE,QAAQ,CAAC,iBAAiB,CAAC,CAAC;IACzD,GAAG,CAAC,GAAG,CAAC,GAAG,QAAQ,iBAAiB,EAAE,QAAQ,CAAC,eAAe,CAAC,CAAC;IAChE,GAAG,CAAC,GAAG,CAAC,GAAG,QAAQ,yBAAyB,EAAE,QAAQ,CAAC,eAAe,CAAC,CAAC;IACxE,GAAG,CAAC,IAAI,CAAC,GAAG,QAAQ,kBAAkB,EAAE,QAAQ,CAAC,cAAc,CAAC,CAAC;IACjE,GAAG,CAAC,MAAM,CAAC,GAAG,QAAQ,iBAAiB,EAAE,QAAQ,CAAC,kBAAkB,CAAC,CAAC;IAEtE,qBAAqB;IACrB,GAAG,CAAC,GAAG,CAAC,GAAG,QAAQ,QAAQ,EAAE,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAEhD,cAAc;IACd,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,EAAE;QACjB,OAAO,CAAC,CAAC,IAAI,CAAC;YACZ,KAAK,EAAE;gBACL,IAAI,EAAE,WAAW;gBACjB,OAAO,EAAE,SAAS,CAAC,CAAC,GAAG,CAAC,MAAM,IAAI,CAAC,CAAC,GAAG,CAAC,IAAI,YAAY;aACzD;SACF,EAAE,GAAG,CAAC,CAAC;IACV,CAAC,CAAC,CAAC;IAEH,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,oBAAoB,CAClC,OAAuB,EACvB,SAAqC,EAAE;IAEvC,OAAO,SAAS,CAAC,EAAE,GAAG,MAAM,EAAE,OAAO,EAAE,CAAC,CAAC;AAC3C,CAAC;AAMD,OAAO,EAAE,cAAc,EAAiB,MAAM,eAAe,CAAC"}

package/dist/authorization/constraints.d.ts

@@ -0,0 +1,75 @@
+/**
+ * Constraint Generation - Generate decision constraints based on trust level
+ *
+ * Constraints define what an agent can do when a request is permitted.
+ * Higher trust levels get more permissive constraints.
+ */
+import { TrustBand, ApprovalType, ActionType, DataSensitivity, type DecisionConstraints, type ApprovalRequirement, type RateLimit, type Intent } from '@vorionsys/contracts';
+/**
+ * Constraint preset for a trust band
+ */
+export interface ConstraintPreset {
+    /** Default allowed tools at this band */
+    defaultTools: string[];
+    /** Default data scopes at this band */
+    defaultDataScopes: string[];
+    /** Default rate limits */
+    defaultRateLimits: RateLimit[];
+    /** Maximum execution time in ms */
+    maxExecutionTimeMs: number;
+    /** Maximum retry attempts */
+    maxRetries: number;
+    /** Whether reversibility is required */
+    reversibilityRequired: boolean;
+}
+/**
+ * Default constraint presets by trust band
+ */
+export declare const BAND_CONSTRAINT_PRESETS: Record<TrustBand, ConstraintPreset>;
+/**
+ * Approval requirements by action risk level
+ */
+export interface ApprovalPolicy {
+    /** Minimum trust band that bypasses this approval */
+    bypassBand: TrustBand;
+    /** Approval type required below bypass band */
+    approvalType: ApprovalType;
+    /** Who needs to approve */
+    approverRole: string;
+    /** Timeout for approval in ms */
+    timeoutMs: number;
+    /** Reason message */
+    reason: string;
+}
+/**
+ * Default approval policies
+ */
+export declare const DEFAULT_APPROVAL_POLICIES: Record<string, ApprovalPolicy>;
+/**
+ * Options for constraint generation
+ */
+export interface ConstraintGenerationOptions {
+    /** Override default tools */
+    allowedTools?: string[];
+    /** Override default data scopes */
+    dataScopes?: string[];
+    /** Override rate limits */
+    rateLimits?: RateLimit[];
+    /** Additional approval requirements */
+    additionalApprovals?: ApprovalRequirement[];
+    /** Custom resource quotas */
+    resourceQuotas?: Record<string, number>;
+}
+/**
+ * Generate constraints for a decision based on trust band and intent
+ */
+export declare function generateConstraints(band: TrustBand, intent: Intent, options?: ConstraintGenerationOptions): DecisionConstraints;
+/**
+ * Check if constraints allow an action
+ */
+export declare function constraintsPermit(constraints: DecisionConstraints, actionType: ActionType, dataSensitivity: DataSensitivity): boolean;
+/**
+ * Merge two sets of constraints (more restrictive wins)
+ */
+export declare function mergeConstraints(a: DecisionConstraints, b: DecisionConstraints): DecisionConstraints;
+//# sourceMappingURL=constraints.d.ts.map

package/dist/authorization/constraints.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"constraints.d.ts","sourceRoot":"","sources":["../../src/authorization/constraints.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EACL,SAAS,EACT,YAAY,EACZ,UAAU,EACV,eAAe,EAEf,KAAK,mBAAmB,EACxB,KAAK,mBAAmB,EACxB,KAAK,SAAS,EACd,KAAK,MAAM,EACZ,MAAM,sBAAsB,CAAC;AAE9B;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,yCAAyC;IACzC,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,uCAAuC;IACvC,iBAAiB,EAAE,MAAM,EAAE,CAAC;IAC5B,0BAA0B;IAC1B,iBAAiB,EAAE,SAAS,EAAE,CAAC;IAC/B,mCAAmC;IACnC,kBAAkB,EAAE,MAAM,CAAC;IAC3B,6BAA6B;IAC7B,UAAU,EAAE,MAAM,CAAC;IACnB,wCAAwC;IACxC,qBAAqB,EAAE,OAAO,CAAC;CAChC;AAED;;GAEG;AACH,eAAO,MAAM,uBAAuB,EAAE,MAAM,CAAC,SAAS,EAAE,gBAAgB,CAiEvE,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,qDAAqD;IACrD,UAAU,EAAE,SAAS,CAAC;IACtB,+CAA+C;IAC/C,YAAY,EAAE,YAAY,CAAC;IAC3B,2BAA2B;IAC3B,YAAY,EAAE,MAAM,CAAC;IACrB,iCAAiC;IACjC,SAAS,EAAE,MAAM,CAAC;IAClB,qBAAqB;IACrB,MAAM,EAAE,MAAM,CAAC;CAChB;AAED;;GAEG;AACH,eAAO,MAAM,yBAAyB,EAAE,MAAM,CAAC,MAAM,EAAE,cAAc,CA6BpE,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,2BAA2B;IAC1C,6BAA6B;IAC7B,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,mCAAmC;IACnC,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IACtB,2BAA2B;IAC3B,UAAU,CAAC,EAAE,SAAS,EAAE,CAAC;IACzB,uCAAuC;IACvC,mBAAmB,CAAC,EAAE,mBAAmB,EAAE,CAAC;IAC5C,6BAA6B;IAC7B,cAAc,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACzC;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CACjC,IAAI,EAAE,SAAS,EACf,MAAM,EAAE,MAAM,EACd,OAAO,GAAE,2BAAgC,GACxC,mBAAmB,CAiCrB;AA8ID;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,WAAW,EAAE,mBAAmB,EAChC,UAAU,EAAE,UAAU,EACtB,eAAe,EAAE,eAAe,GAC/B,OAAO,CAyBT;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAC9B,CAAC,EAAE,mBAAmB,EACtB,CAAC,EAAE,mBAAmB,GACrB,mBAAmB,CAgBrB"}

package/dist/authorization/constraints.js

@@ -0,0 +1,302 @@
+/**
+ * Constraint Generation - Generate decision constraints based on trust level
+ *
+ * Constraints define what an agent can do when a request is permitted.
+ * Higher trust levels get more permissive constraints.
+ */
+import { TrustBand, ApprovalType, ActionType, DataSensitivity, Reversibility, } from '@vorionsys/contracts';
+/**
+ * Default constraint presets by trust band
+ */
+export const BAND_CONSTRAINT_PRESETS = {
+    [TrustBand.T0_SANDBOX]: {
+        defaultTools: [],
+        defaultDataScopes: [],
+        defaultRateLimits: [{ resource: 'requests', limit: 0, windowSeconds: 60 }],
+        maxExecutionTimeMs: 0,
+        maxRetries: 0,
+        reversibilityRequired: true,
+    },
+    [TrustBand.T1_OBSERVED]: {
+        defaultTools: ['read_public'],
+        defaultDataScopes: ['public'],
+        defaultRateLimits: [{ resource: 'requests', limit: 10, windowSeconds: 60 }],
+        maxExecutionTimeMs: 5000,
+        maxRetries: 1,
+        reversibilityRequired: true,
+    },
+    [TrustBand.T2_PROVISIONAL]: {
+        defaultTools: ['read_public', 'read_internal', 'write_reversible'],
+        defaultDataScopes: ['public', 'internal'],
+        defaultRateLimits: [{ resource: 'requests', limit: 50, windowSeconds: 60 }],
+        maxExecutionTimeMs: 30000,
+        maxRetries: 2,
+        reversibilityRequired: true,
+    },
+    [TrustBand.T3_MONITORED]: {
+        defaultTools: ['read_public', 'read_internal', 'write_reversible', 'write_irreversible', 'execute_sandboxed'],
+        defaultDataScopes: ['public', 'internal', 'confidential'],
+        defaultRateLimits: [{ resource: 'requests', limit: 200, windowSeconds: 60 }],
+        maxExecutionTimeMs: 60000,
+        maxRetries: 3,
+        reversibilityRequired: false,
+    },
+    [TrustBand.T4_STANDARD]: {
+        defaultTools: ['read_public', 'read_internal', 'write_reversible', 'write_irreversible', 'execute_sandboxed', 'execute_production', 'communicate_internal', 'communicate_external'],
+        defaultDataScopes: ['public', 'internal', 'confidential', 'restricted'],
+        defaultRateLimits: [{ resource: 'requests', limit: 1000, windowSeconds: 60 }],
+        maxExecutionTimeMs: 300000,
+        maxRetries: 5,
+        reversibilityRequired: false,
+    },
+    [TrustBand.T5_TRUSTED]: {
+        defaultTools: ['*'],
+        defaultDataScopes: ['*'],
+        defaultRateLimits: [{ resource: 'requests', limit: 5000, windowSeconds: 60 }],
+        maxExecutionTimeMs: 600000,
+        maxRetries: 7,
+        reversibilityRequired: false,
+    },
+    [TrustBand.T6_CERTIFIED]: {
+        defaultTools: ['*'],
+        defaultDataScopes: ['*'],
+        defaultRateLimits: [{ resource: 'requests', limit: 10000, windowSeconds: 60 }],
+        maxExecutionTimeMs: 0, // No limit
+        maxRetries: 10,
+        reversibilityRequired: false,
+    },
+    [TrustBand.T7_AUTONOMOUS]: {
+        defaultTools: ['*'],
+        defaultDataScopes: ['*'],
+        defaultRateLimits: [], // No limits
+        maxExecutionTimeMs: 0, // No limit
+        maxRetries: 10,
+        reversibilityRequired: false,
+    },
+};
+/**
+ * Default approval policies
+ */
+export const DEFAULT_APPROVAL_POLICIES = {
+    irreversible_action: {
+        bypassBand: TrustBand.T3_MONITORED,
+        approvalType: ApprovalType.HUMAN_REVIEW,
+        approverRole: 'supervisor',
+        timeoutMs: 300000,
+        reason: 'Irreversible action requires human approval at this trust level',
+    },
+    restricted_data: {
+        bypassBand: TrustBand.T4_STANDARD,
+        approvalType: ApprovalType.MULTI_PARTY,
+        approverRole: 'data_owner',
+        timeoutMs: 600000,
+        reason: 'Access to restricted data requires multi-party approval',
+    },
+    external_communication: {
+        bypassBand: TrustBand.T3_MONITORED,
+        approvalType: ApprovalType.AUTOMATED_CHECK,
+        approverRole: 'system',
+        timeoutMs: 5000,
+        reason: 'External communication requires verification',
+    },
+    production_execution: {
+        bypassBand: TrustBand.T3_MONITORED,
+        approvalType: ApprovalType.HUMAN_REVIEW,
+        approverRole: 'operator',
+        timeoutMs: 300000,
+        reason: 'Production execution requires operator approval',
+    },
+};
+/**
+ * Generate constraints for a decision based on trust band and intent
+ */
+export function generateConstraints(band, intent, options = {}) {
+    const preset = BAND_CONSTRAINT_PRESETS[band];
+    // Determine required approvals
+    const requiredApprovals = determineApprovals(band, intent);
+    if (options.additionalApprovals) {
+        requiredApprovals.push(...options.additionalApprovals);
+    }
+    // Determine allowed tools
+    let allowedTools = options.allowedTools ?? [...preset.defaultTools];
+    allowedTools = filterToolsByIntent(allowedTools, intent);
+    // Determine data scopes
+    let dataScopes = options.dataScopes ?? [...preset.defaultDataScopes];
+    dataScopes = filterScopesByIntent(dataScopes, intent);
+    // Determine rate limits
+    const rateLimits = options.rateLimits ?? [...preset.defaultRateLimits];
+    // Determine reversibility requirement
+    const reversibilityRequired = determineReversibilityRequired(band, intent, preset);
+    return {
+        requiredApprovals,
+        allowedTools,
+        dataScopes,
+        rateLimits,
+        reversibilityRequired,
+        maxExecutionTimeMs: preset.maxExecutionTimeMs || undefined,
+        maxRetries: preset.maxRetries || undefined,
+        resourceQuotas: options.resourceQuotas,
+    };
+}
+/**
+ * Determine what approvals are required based on band and intent
+ */
+function determineApprovals(band, intent) {
+    const approvals = [];
+    // Check for irreversible actions
+    if (intent.reversibility === Reversibility.IRREVERSIBLE) {
+        const policy = DEFAULT_APPROVAL_POLICIES.irreversible_action;
+        if (band < policy.bypassBand) {
+            approvals.push({
+                type: policy.approvalType,
+                approver: policy.approverRole,
+                timeoutMs: policy.timeoutMs,
+                reason: policy.reason,
+            });
+        }
+    }
+    // Check for restricted data
+    if (intent.dataSensitivity === DataSensitivity.RESTRICTED) {
+        const policy = DEFAULT_APPROVAL_POLICIES.restricted_data;
+        if (band < policy.bypassBand) {
+            approvals.push({
+                type: policy.approvalType,
+                approver: policy.approverRole,
+                timeoutMs: policy.timeoutMs,
+                reason: policy.reason,
+            });
+        }
+    }
+    // Check for external communication
+    if (intent.actionType === ActionType.COMMUNICATE && intent.context?.metadata?.external) {
+        const policy = DEFAULT_APPROVAL_POLICIES.external_communication;
+        if (band < policy.bypassBand) {
+            approvals.push({
+                type: policy.approvalType,
+                approver: policy.approverRole,
+                timeoutMs: policy.timeoutMs,
+                reason: policy.reason,
+            });
+        }
+    }
+    // Check for production execution
+    if (intent.actionType === ActionType.EXECUTE &&
+        intent.context?.environment === 'production') {
+        const policy = DEFAULT_APPROVAL_POLICIES.production_execution;
+        if (band < policy.bypassBand) {
+            approvals.push({
+                type: policy.approvalType,
+                approver: policy.approverRole,
+                timeoutMs: policy.timeoutMs,
+                reason: policy.reason,
+            });
+        }
+    }
+    return approvals;
+}
+/**
+ * Filter tools based on intent action type
+ */
+function filterToolsByIntent(tools, intent) {
+    // Allow all if wildcard
+    if (tools.includes('*')) {
+        return ['*'];
+    }
+    // Filter based on action type
+    switch (intent.actionType) {
+        case ActionType.READ:
+            return tools.filter((t) => t.startsWith('read_'));
+        case ActionType.WRITE:
+            return tools.filter((t) => t.startsWith('write_') || t.startsWith('read_'));
+        case ActionType.DELETE:
+            return tools.filter((t) => t.startsWith('write_') || t.startsWith('delete_') || t.startsWith('read_'));
+        case ActionType.EXECUTE:
+            return tools.filter((t) => t.startsWith('execute_') || t.startsWith('read_'));
+        case ActionType.COMMUNICATE:
+            return tools.filter((t) => t.startsWith('communicate_') || t.startsWith('read_'));
+        case ActionType.TRANSFER:
+            return tools.filter((t) => t.startsWith('transfer_') || t.startsWith('read_'));
+        default:
+            return tools;
+    }
+}
+/**
+ * Filter data scopes based on intent sensitivity
+ */
+function filterScopesByIntent(scopes, intent) {
+    // Allow all if wildcard
+    if (scopes.includes('*')) {
+        return ['*'];
+    }
+    const sensitivityOrder = [
+        DataSensitivity.PUBLIC,
+        DataSensitivity.INTERNAL,
+        DataSensitivity.CONFIDENTIAL,
+        DataSensitivity.RESTRICTED,
+    ];
+    const scopeOrder = ['public', 'internal', 'confidential', 'restricted'];
+    const intentLevel = sensitivityOrder.indexOf(intent.dataSensitivity);
+    if (intentLevel === -1)
+        return scopes;
+    // Filter to scopes at or below the intent's sensitivity
+    return scopes.filter((scope) => {
+        const scopeLevel = scopeOrder.indexOf(scope);
+        return scopeLevel !== -1 && scopeLevel <= intentLevel;
+    });
+}
+/**
+ * Determine if reversibility is required
+ */
+function determineReversibilityRequired(band, intent, preset) {
+    // If intent is already reversible, no requirement needed
+    if (intent.reversibility === Reversibility.REVERSIBLE) {
+        return false;
+    }
+    // Higher trust bands don't require reversibility
+    if (band >= TrustBand.T3_MONITORED) {
+        return false;
+    }
+    return preset.reversibilityRequired;
+}
+/**
+ * Check if constraints allow an action
+ */
+export function constraintsPermit(constraints, actionType, dataSensitivity) {
+    // Check if tools allow the action type
+    const toolPrefix = actionType.toLowerCase();
+    const hasMatchingTool = constraints.allowedTools.includes('*') ||
+        constraints.allowedTools.some((t) => t.startsWith(toolPrefix) || t.startsWith('read_'));
+    if (!hasMatchingTool) {
+        return false;
+    }
+    // Check data scope
+    const sensitivityToScope = {
+        [DataSensitivity.PUBLIC]: 'public',
+        [DataSensitivity.INTERNAL]: 'internal',
+        [DataSensitivity.CONFIDENTIAL]: 'confidential',
+        [DataSensitivity.RESTRICTED]: 'restricted',
+    };
+    const requiredScope = sensitivityToScope[dataSensitivity];
+    const hasScopeAccess = constraints.dataScopes.includes('*') ||
+        constraints.dataScopes.includes(requiredScope);
+    return hasScopeAccess;
+}
+/**
+ * Merge two sets of constraints (more restrictive wins)
+ */
+export function mergeConstraints(a, b) {
+    return {
+        requiredApprovals: [...a.requiredApprovals, ...b.requiredApprovals],
+        allowedTools: a.allowedTools.filter((t) => b.allowedTools.includes(t) || t === '*'),
+        dataScopes: a.dataScopes.filter((s) => b.dataScopes.includes(s) || s === '*'),
+        rateLimits: [...a.rateLimits, ...b.rateLimits],
+        reversibilityRequired: a.reversibilityRequired || b.reversibilityRequired,
+        maxExecutionTimeMs: a.maxExecutionTimeMs && b.maxExecutionTimeMs
+            ? Math.min(a.maxExecutionTimeMs, b.maxExecutionTimeMs)
+            : a.maxExecutionTimeMs ?? b.maxExecutionTimeMs,
+        maxRetries: a.maxRetries !== undefined && b.maxRetries !== undefined
+            ? Math.min(a.maxRetries, b.maxRetries)
+            : a.maxRetries ?? b.maxRetries,
+    };
+}
+//# sourceMappingURL=constraints.js.map

package/dist/authorization/constraints.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"constraints.js","sourceRoot":"","sources":["../../src/authorization/constraints.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EACL,SAAS,EACT,YAAY,EACZ,UAAU,EACV,eAAe,EACf,aAAa,GAKd,MAAM,sBAAsB,CAAC;AAoB9B;;GAEG;AACH,MAAM,CAAC,MAAM,uBAAuB,GAAwC;IAC1E,CAAC,SAAS,CAAC,UAAU,CAAC,EAAE;QACtB,YAAY,EAAE,EAAE;QAChB,iBAAiB,EAAE,EAAE;QACrB,iBAAiB,EAAE,CAAC,EAAE,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,CAAC,EAAE,aAAa,EAAE,EAAE,EAAE,CAAC;QAC1E,kBAAkB,EAAE,CAAC;QACrB,UAAU,EAAE,CAAC;QACb,qBAAqB,EAAE,IAAI;KAC5B;IACD,CAAC,SAAS,CAAC,WAAW,CAAC,EAAE;QACvB,YAAY,EAAE,CAAC,aAAa,CAAC;QAC7B,iBAAiB,EAAE,CAAC,QAAQ,CAAC;QAC7B,iBAAiB,EAAE,CAAC,EAAE,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,EAAE,EAAE,aAAa,EAAE,EAAE,EAAE,CAAC;QAC3E,kBAAkB,EAAE,IAAI;QACxB,UAAU,EAAE,CAAC;QACb,qBAAqB,EAAE,IAAI;KAC5B;IACD,CAAC,SAAS,CAAC,cAAc,CAAC,EAAE;QAC1B,YAAY,EAAE,CAAC,aAAa,EAAE,eAAe,EAAE,kBAAkB,CAAC;QAClE,iBAAiB,EAAE,CAAC,QAAQ,EAAE,UAAU,CAAC;QACzC,iBAAiB,EAAE,CAAC,EAAE,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,EAAE,EAAE,aAAa,EAAE,EAAE,EAAE,CAAC;QAC3E,kBAAkB,EAAE,KAAK;QACzB,UAAU,EAAE,CAAC;QACb,qBAAqB,EAAE,IAAI;KAC5B;IACD,CAAC,SAAS,CAAC,YAAY,CAAC,EAAE;QACxB,YAAY,EAAE,CAAC,aAAa,EAAE,eAAe,EAAE,kBAAkB,EAAE,oBAAoB,EAAE,mBAAmB,CAAC;QAC7G,iBAAiB,EAAE,CAAC,QAAQ,EAAE,UAAU,EAAE,cAAc,CAAC;QACzD,iBAAiB,EAAE,CAAC,EAAE,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,GAAG,EAAE,aAAa,EAAE,EAAE,EAAE,CAAC;QAC5E,kBAAkB,EAAE,KAAK;QACzB,UAAU,EAAE,CAAC;QACb,qBAAqB,EAAE,KAAK;KAC7B;IACD,CAAC,SAAS,CAAC,WAAW,CAAC,EAAE;QACvB,YAAY,EAAE,CAAC,aAAa,EAAE,eAAe,EAAE,kBAAkB,EAAE,oBAAoB,EAAE,mBAAmB,EAAE,oBAAoB,EAAE,sBAAsB,EAAE,sBAAsB,CAAC;QACnL,iBAAiB,EAAE,CAAC,QAAQ,EAAE,UAAU,EAAE,cAAc,EAAE,YAAY,CAAC;QACvE,iBAAiB,EAAE,CAAC,EAAE,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,IAAI,EAAE,aAAa,EAAE,EAAE,EAAE,CAAC;QAC7E,kBAAkB,EAAE,MAAM;QAC1B,UAAU,EAAE,CAAC;QACb,qBAAqB,EAAE,KAAK;KAC7B;IACD,CAAC,SAAS,CAAC,UAAU,CAAC,EAAE;QACtB,YAAY,EAAE,CAAC,GAAG,CAAC;QACnB,iBAAiB,EAAE,CAAC,GAAG,CAAC;QACxB,iBAAiB,EAAE,CAAC,EAAE,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,IAAI,EAAE,aAAa,EAAE,EAAE,EAAE,CAAC;QAC7E,kBAAkB,EAAE,MAAM;QAC1B,UAAU,EAAE,CAAC;QACb,qBAAqB,EAAE,KAAK;KAC7B;IACD,CAAC,SAAS,CAAC,YAAY,CAAC,EAAE;QACxB,YAAY,EAAE,CAAC,GAAG,CAAC;QACnB,iBAAiB,EAAE,CAAC,GAAG,CAAC;QACxB,iBAAiB,EAAE,CAAC,EAAE,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,KAAK,EAAE,aAAa,EAAE,EAAE,EAAE,CAAC;QAC9E,kBAAkB,EAAE,CAAC,EAAE,WAAW;QAClC,UAAU,EAAE,EAAE;QACd,qBAAqB,EAAE,KAAK;KAC7B;IACD,CAAC,SAAS,CAAC,aAAa,CAAC,EAAE;QACzB,YAAY,EAAE,CAAC,GAAG,CAAC;QACnB,iBAAiB,EAAE,CAAC,GAAG,CAAC;QACxB,iBAAiB,EAAE,EAAE,EAAE,YAAY;QACnC,kBAAkB,EAAE,CAAC,EAAE,WAAW;QAClC,UAAU,EAAE,EAAE;QACd,qBAAqB,EAAE,KAAK;KAC7B;CACF,CAAC;AAkBF;;GAEG;AACH,MAAM,CAAC,MAAM,yBAAyB,GAAmC;IACvE,mBAAmB,EAAE;QACnB,UAAU,EAAE,SAAS,CAAC,YAAY;QAClC,YAAY,EAAE,YAAY,CAAC,YAAY;QACvC,YAAY,EAAE,YAAY;QAC1B,SAAS,EAAE,MAAM;QACjB,MAAM,EAAE,iEAAiE;KAC1E;IACD,eAAe,EAAE;QACf,UAAU,EAAE,SAAS,CAAC,WAAW;QACjC,YAAY,EAAE,YAAY,CAAC,WAAW;QACtC,YAAY,EAAE,YAAY;QAC1B,SAAS,EAAE,MAAM;QACjB,MAAM,EAAE,yDAAyD;KAClE;IACD,sBAAsB,EAAE;QACtB,UAAU,EAAE,SAAS,CAAC,YAAY;QAClC,YAAY,EAAE,YAAY,CAAC,eAAe;QAC1C,YAAY,EAAE,QAAQ;QACtB,SAAS,EAAE,IAAI;QACf,MAAM,EAAE,8CAA8C;KACvD;IACD,oBAAoB,EAAE;QACpB,UAAU,EAAE,SAAS,CAAC,YAAY;QAClC,YAAY,EAAE,YAAY,CAAC,YAAY;QACvC,YAAY,EAAE,UAAU;QACxB,SAAS,EAAE,MAAM;QACjB,MAAM,EAAE,iDAAiD;KAC1D;CACF,CAAC;AAkBF;;GAEG;AACH,MAAM,UAAU,mBAAmB,CACjC,IAAe,EACf,MAAc,EACd,UAAuC,EAAE;IAEzC,MAAM,MAAM,GAAG,uBAAuB,CAAC,IAAI,CAAC,CAAC;IAE7C,+BAA+B;IAC/B,MAAM,iBAAiB,GAAG,kBAAkB,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IAC3D,IAAI,OAAO,CAAC,mBAAmB,EAAE,CAAC;QAChC,iBAAiB,CAAC,IAAI,CAAC,GAAG,OAAO,CAAC,mBAAmB,CAAC,CAAC;IACzD,CAAC;IAED,0BAA0B;IAC1B,IAAI,YAAY,GAAG,OAAO,CAAC,YAAY,IAAI,CAAC,GAAG,MAAM,CAAC,YAAY,CAAC,CAAC;IACpE,YAAY,GAAG,mBAAmB,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;IAEzD,wBAAwB;IACxB,IAAI,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,CAAC,GAAG,MAAM,CAAC,iBAAiB,CAAC,CAAC;IACrE,UAAU,GAAG,oBAAoB,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;IAEtD,wBAAwB;IACxB,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,CAAC,GAAG,MAAM,CAAC,iBAAiB,CAAC,CAAC;IAEvE,sCAAsC;IACtC,MAAM,qBAAqB,GAAG,8BAA8B,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;IAEnF,OAAO;QACL,iBAAiB;QACjB,YAAY;QACZ,UAAU;QACV,UAAU;QACV,qBAAqB;QACrB,kBAAkB,EAAE,MAAM,CAAC,kBAAkB,IAAI,SAAS;QAC1D,UAAU,EAAE,MAAM,CAAC,UAAU,IAAI,SAAS;QAC1C,cAAc,EAAE,OAAO,CAAC,cAAc;KACvC,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,kBAAkB,CAAC,IAAe,EAAE,MAAc;IACzD,MAAM,SAAS,GAA0B,EAAE,CAAC;IAE5C,iCAAiC;IACjC,IAAI,MAAM,CAAC,aAAa,KAAK,aAAa,CAAC,YAAY,EAAE,CAAC;QACxD,MAAM,MAAM,GAAG,yBAAyB,CAAC,mBAAoB,CAAC;QAC9D,IAAI,IAAI,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;YAC7B,SAAS,CAAC,IAAI,CAAC;gBACb,IAAI,EAAE,MAAM,CAAC,YAAY;gBACzB,QAAQ,EAAE,MAAM,CAAC,YAAY;gBAC7B,SAAS,EAAE,MAAM,CAAC,SAAS;gBAC3B,MAAM,EAAE,MAAM,CAAC,MAAM;aACtB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,4BAA4B;IAC5B,IAAI,MAAM,CAAC,eAAe,KAAK,eAAe,CAAC,UAAU,EAAE,CAAC;QAC1D,MAAM,MAAM,GAAG,yBAAyB,CAAC,eAAgB,CAAC;QAC1D,IAAI,IAAI,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;YAC7B,SAAS,CAAC,IAAI,CAAC;gBACb,IAAI,EAAE,MAAM,CAAC,YAAY;gBACzB,QAAQ,EAAE,MAAM,CAAC,YAAY;gBAC7B,SAAS,EAAE,MAAM,CAAC,SAAS;gBAC3B,MAAM,EAAE,MAAM,CAAC,MAAM;aACtB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,mCAAmC;IACnC,IAAI,MAAM,CAAC,UAAU,KAAK,UAAU,CAAC,WAAW,IAAI,MAAM,CAAC,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC;QACvF,MAAM,MAAM,GAAG,yBAAyB,CAAC,sBAAuB,CAAC;QACjE,IAAI,IAAI,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;YAC7B,SAAS,CAAC,IAAI,CAAC;gBACb,IAAI,EAAE,MAAM,CAAC,YAAY;gBACzB,QAAQ,EAAE,MAAM,CAAC,YAAY;gBAC7B,SAAS,EAAE,MAAM,CAAC,SAAS;gBAC3B,MAAM,EAAE,MAAM,CAAC,MAAM;aACtB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,iCAAiC;IACjC,IACE,MAAM,CAAC,UAAU,KAAK,UAAU,CAAC,OAAO;QACxC,MAAM,CAAC,OAAO,EAAE,WAAW,KAAK,YAAY,EAC5C,CAAC;QACD,MAAM,MAAM,GAAG,yBAAyB,CAAC,oBAAqB,CAAC;QAC/D,IAAI,IAAI,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;YAC7B,SAAS,CAAC,IAAI,CAAC;gBACb,IAAI,EAAE,MAAM,CAAC,YAAY;gBACzB,QAAQ,EAAE,MAAM,CAAC,YAAY;gBAC7B,SAAS,EAAE,MAAM,CAAC,SAAS;gBAC3B,MAAM,EAAE,MAAM,CAAC,MAAM;aACtB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;GAEG;AACH,SAAS,mBAAmB,CAAC,KAAe,EAAE,MAAc;IAC1D,wBAAwB;IACxB,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACxB,OAAO,CAAC,GAAG,CAAC,CAAC;IACf,CAAC;IAED,8BAA8B;IAC9B,QAAQ,MAAM,CAAC,UAAU,EAAE,CAAC;QAC1B,KAAK,UAAU,CAAC,IAAI;YAClB,OAAO,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC;QACpD,KAAK,UAAU,CAAC,KAAK;YACnB,OAAO,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC;QAC9E,KAAK,UAAU,CAAC,MAAM;YACpB,OAAO,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC;QACzG,KAAK,UAAU,CAAC,OAAO;YACrB,OAAO,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC;QAChF,KAAK,UAAU,CAAC,WAAW;YACzB,OAAO,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC;QACpF,KAAK,UAAU,CAAC,QAAQ;YACtB,OAAO,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC;QACjF;YACE,OAAO,KAAK,CAAC;IACjB,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,oBAAoB,CAAC,MAAgB,EAAE,MAAc;IAC5D,wBAAwB;IACxB,IAAI,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACzB,OAAO,CAAC,GAAG,CAAC,CAAC;IACf,CAAC;IAED,MAAM,gBAAgB,GAAG;QACvB,eAAe,CAAC,MAAM;QACtB,eAAe,CAAC,QAAQ;QACxB,eAAe,CAAC,YAAY;QAC5B,eAAe,CAAC,UAAU;KAC3B,CAAC;IACF,MAAM,UAAU,GAAG,CAAC,QAAQ,EAAE,UAAU,EAAE,cAAc,EAAE,YAAY,CAAC,CAAC;IAExE,MAAM,WAAW,GAAG,gBAAgB,CAAC,OAAO,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC;IACrE,IAAI,WAAW,KAAK,CAAC,CAAC;QAAE,OAAO,MAAM,CAAC;IAEtC,wDAAwD;IACxD,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE;QAC7B,MAAM,UAAU,GAAG,UAAU,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;QAC7C,OAAO,UAAU,KAAK,CAAC,CAAC,IAAI,UAAU,IAAI,WAAW,CAAC;IACxD,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;GAEG;AACH,SAAS,8BAA8B,CACrC,IAAe,EACf,MAAc,EACd,MAAwB;IAExB,yDAAyD;IACzD,IAAI,MAAM,CAAC,aAAa,KAAK,aAAa,CAAC,UAAU,EAAE,CAAC;QACtD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,iDAAiD;IACjD,IAAI,IAAI,IAAI,SAAS,CAAC,YAAY,EAAE,CAAC;QACnC,OAAO,KAAK,CAAC;IACf,CAAC;IAED,OAAO,MAAM,CAAC,qBAAqB,CAAC;AACtC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAC/B,WAAgC,EAChC,UAAsB,EACtB,eAAgC;IAEhC,uCAAuC;IACvC,MAAM,UAAU,GAAG,UAAU,CAAC,WAAW,EAAE,CAAC;IAC5C,MAAM,eAAe,GACnB,WAAW,CAAC,YAAY,CAAC,QAAQ,CAAC,GAAG,CAAC;QACtC,WAAW,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC;IAE1F,IAAI,CAAC,eAAe,EAAE,CAAC;QACrB,OAAO,KAAK,CAAC;IACf,CAAC;IAED,mBAAmB;IACnB,MAAM,kBAAkB,GAAoC;QAC1D,CAAC,eAAe,CAAC,MAAM,CAAC,EAAE,QAAQ;QAClC,CAAC,eAAe,CAAC,QAAQ,CAAC,EAAE,UAAU;QACtC,CAAC,eAAe,CAAC,YAAY,CAAC,EAAE,cAAc;QAC9C,CAAC,eAAe,CAAC,UAAU,CAAC,EAAE,YAAY;KAC3C,CAAC;IACF,MAAM,aAAa,GAAG,kBAAkB,CAAC,eAAe,CAAC,CAAC;IAE1D,MAAM,cAAc,GAClB,WAAW,CAAC,UAAU,CAAC,QAAQ,CAAC,GAAG,CAAC;QACpC,WAAW,CAAC,UAAU,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;IAEjD,OAAO,cAAc,CAAC;AACxB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAC9B,CAAsB,EACtB,CAAsB;IAEtB,OAAO;QACL,iBAAiB,EAAE,CAAC,GAAG,CAAC,CAAC,iBAAiB,EAAE,GAAG,CAAC,CAAC,iBAAiB,CAAC;QACnE,YAAY,EAAE,CAAC,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,GAAG,CAAC;QACnF,UAAU,EAAE,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,GAAG,CAAC;QAC7E,UAAU,EAAE,CAAC,GAAG,CAAC,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC,UAAU,CAAC;QAC9C,qBAAqB,EAAE,CAAC,CAAC,qBAAqB,IAAI,CAAC,CAAC,qBAAqB;QACzE,kBAAkB,EAChB,CAAC,CAAC,kBAAkB,IAAI,CAAC,CAAC,kBAAkB;YAC1C,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,kBAAkB,EAAE,CAAC,CAAC,kBAAkB,CAAC;YACtD,CAAC,CAAC,CAAC,CAAC,kBAAkB,IAAI,CAAC,CAAC,kBAAkB;QAClD,UAAU,EACR,CAAC,CAAC,UAAU,KAAK,SAAS,IAAI,CAAC,CAAC,UAAU,KAAK,SAAS;YACtD,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,UAAU,EAAE,CAAC,CAAC,UAAU,CAAC;YACtC,CAAC,CAAC,CAAC,CAAC,UAAU,IAAI,CAAC,CAAC,UAAU;KACnC,CAAC;AACJ,CAAC"}

package/dist/authorization/decision.d.ts

@@ -0,0 +1,98 @@
+/**
+ * Decision Builder - Construct authorization decisions
+ *
+ * Provides utilities for creating Decision objects with proper
+ * validation and structure.
+ */
+import { TrustBand, DenialReason, type Decision, type DecisionConstraints, type Intent, type TrustProfile } from '@vorionsys/contracts';
+/**
+ * Options for building a decision
+ */
+export interface DecisionBuildOptions {
+    /** Override decision ID */
+    decisionId?: string;
+    /** Policy set that was used */
+    policySetId?: string;
+    /** Decision validity duration in ms (default: 5 minutes) */
+    validityDurationMs?: number;
+    /** Current time for calculation */
+    now?: Date;
+}
+/**
+ * Result of a permit decision
+ */
+export interface PermitResult {
+    type: 'permit';
+    reasoning: string[];
+    constraints: DecisionConstraints;
+}
+/**
+ * Result of a deny decision
+ */
+export interface DenyResult {
+    type: 'deny';
+    reason: DenialReason;
+    reasoning: string[];
+    remediations?: string[];
+}
+/**
+ * Union type for authorization results
+ */
+export type AuthorizationResult = PermitResult | DenyResult;
+/**
+ * Build a permit decision
+ */
+export declare function buildPermitDecision(intent: Intent, profile: TrustProfile, constraints: DecisionConstraints, reasoning: string[], options?: DecisionBuildOptions): Decision;
+/**
+ * Build a deny decision
+ */
+export declare function buildDenyDecision(intent: Intent, profile: TrustProfile | null, _reason: DenialReason, // Reserved for future denialReason field in Decision
+reasoning: string[], options?: DecisionBuildOptions): Decision;
+/**
+ * Get remediation suggestions for a denial reason
+ */
+export declare function getRemediations(reason: DenialReason, _context?: Record<string, unknown>): string[];
+/**
+ * Determine the denial reason based on evaluation context
+ */
+export declare function determineDenialReason(profile: TrustProfile | null, _intent: Intent, // Reserved for future intent-specific denial logic
+minRequiredBand: TrustBand, checks: {
+    intentExpired?: boolean;
+    rateLimitExceeded?: boolean;
+    resourceRestricted?: boolean;
+    policyViolation?: boolean;
+    contextMismatch?: boolean;
+}): DenialReason;
+/**
+ * Create decision summary for logging
+ */
+export declare function summarizeDecision(decision: Decision): string;
+/**
+ * Check if a decision is still valid
+ */
+export declare function isDecisionValid(decision: Decision, now?: Date): boolean;
+/**
+ * Decision builder class for fluent API
+ */
+export declare class DecisionBuilder {
+    private intent;
+    private profile;
+    private permitted;
+    private constraints;
+    private reasoning;
+    private denialReason;
+    private options;
+    constructor(intent: Intent);
+    withProfile(profile: TrustProfile): this;
+    permit(): this;
+    deny(reason: DenialReason): this;
+    withConstraints(constraints: DecisionConstraints): this;
+    addReasoning(...reasons: string[]): this;
+    withOptions(options: DecisionBuildOptions): this;
+    build(): Decision;
+    /**
+     * Static factory for creating builders
+     */
+    static for(intent: Intent): DecisionBuilder;
+}
+//# sourceMappingURL=decision.d.ts.map

package/dist/authorization/decision.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"decision.d.ts","sourceRoot":"","sources":["../../src/authorization/decision.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,EACL,SAAS,EACT,YAAY,EACZ,KAAK,QAAQ,EACb,KAAK,mBAAmB,EACxB,KAAK,MAAM,EACX,KAAK,YAAY,EAClB,MAAM,sBAAsB,CAAC;AAE9B;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,2BAA2B;IAC3B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,+BAA+B;IAC/B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,4DAA4D;IAC5D,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,mCAAmC;IACnC,GAAG,CAAC,EAAE,IAAI,CAAC;CACZ;AAED;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,QAAQ,CAAC;IACf,SAAS,EAAE,MAAM,EAAE,CAAC;IACpB,WAAW,EAAE,mBAAmB,CAAC;CAClC;AAED;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,YAAY,CAAC;IACrB,SAAS,EAAE,MAAM,EAAE,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;CACzB;AAED;;GAEG;AACH,MAAM,MAAM,mBAAmB,GAAG,YAAY,GAAG,UAAU,CAAC;AAE5D;;GAEG;AACH,wBAAgB,mBAAmB,CACjC,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,YAAY,EACrB,WAAW,EAAE,mBAAmB,EAChC,SAAS,EAAE,MAAM,EAAE,EACnB,OAAO,GAAE,oBAAyB,GACjC,QAAQ,CAoBV;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,YAAY,GAAG,IAAI,EAC5B,OAAO,EAAE,YAAY,EAAE,qDAAqD;AAC5E,SAAS,EAAE,MAAM,EAAE,EACnB,OAAO,GAAE,oBAAyB,GACjC,QAAQ,CAoBV;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,MAAM,EAAE,YAAY,EAAE,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,EAAE,CAiDlG;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CACnC,OAAO,EAAE,YAAY,GAAG,IAAI,EAC5B,OAAO,EAAE,MAAM,EAAE,mDAAmD;AACpE,eAAe,EAAE,SAAS,EAC1B,MAAM,EAAE;IACN,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,eAAe,CAAC,EAAE,OAAO,CAAC;CAC3B,GACA,YAAY,CAoBd;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,QAAQ,GAAG,MAAM,CAI5D;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,QAAQ,EAAE,QAAQ,EAAE,GAAG,GAAE,IAAiB,GAAG,OAAO,CAEnF;AAED;;GAEG;AACH,qBAAa,eAAe;IAC1B,OAAO,CAAC,MAAM,CAAS;IACvB,OAAO,CAAC,OAAO,CAA6B;IAC5C,OAAO,CAAC,SAAS,CAAkB;IACnC,OAAO,CAAC,WAAW,CAAkC;IACrD,OAAO,CAAC,SAAS,CAAgB;IACjC,OAAO,CAAC,YAAY,CAA2B;IAC/C,OAAO,CAAC,OAAO,CAA4B;gBAE/B,MAAM,EAAE,MAAM;IAI1B,WAAW,CAAC,OAAO,EAAE,YAAY,GAAG,IAAI;IAKxC,MAAM,IAAI,IAAI;IAKd,IAAI,CAAC,MAAM,EAAE,YAAY,GAAG,IAAI;IAMhC,eAAe,CAAC,WAAW,EAAE,mBAAmB,GAAG,IAAI;IAKvD,YAAY,CAAC,GAAG,OAAO,EAAE,MAAM,EAAE,GAAG,IAAI;IAKxC,WAAW,CAAC,OAAO,EAAE,oBAAoB,GAAG,IAAI;IAKhD,KAAK,IAAI,QAAQ;IAoBjB;;OAEG;IACH,MAAM,CAAC,GAAG,CAAC,MAAM,EAAE,MAAM,GAAG,eAAe;CAG5C"}