@vorionsys/security 1.0.0

package/dist/common/adapters/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/common/adapters/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,kBAAkB,EAAE,MAAM,iCAAiC,CAAC;AAGnF,YAAY,EAAE,OAAO,EAAE,kBAAkB,EAAE,CAAC;AAM5C;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,0DAA0D;IAC1D,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,+BAA+B;IAC/B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,wCAAwC;IACxC,OAAO,CAAC,EAAE;QAAE,IAAI,EAAE,aAAa,GAAG,OAAO,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC;IAC3D,6CAA6C;IAC7C,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,wCAAwC;IACxC,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;GAEG;AACH,MAAM,WAAW,SAAS;IACxB,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;CACjB;AAED;;GAEG;AACH,MAAM,WAAW,GAAG,CAAC,CAAC,GAAG,OAAO;IAC9B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,CAAC,CAAC;IACR,YAAY,EAAE,MAAM,CAAC;CACtB;AAED;;GAEG;AACH,MAAM,MAAM,UAAU,CAAC,CAAC,GAAG,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;AAErE;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B;;;OAGG;IACH,GAAG,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,EAAE,OAAO,CAAC,EAAE,eAAe,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAE1E;;OAEG;IACH,OAAO,CAAC,CAAC,EAAE,OAAO,EAAE,UAAU,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC;IAEzC;;OAEG;IACH,YAAY,IAAI,OAAO,CAAC,SAAS,CAAC,CAAC;IAEnC;;OAEG;IACH,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;CACxB;AAMD;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B;;;OAGG;IACH,GAAG,CAAC,CAAC,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;IAEvC;;;OAGG;IACH,GAAG,CAAC,CAAC,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,EAAE,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAElE;;OAEG;IACH,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEhC;;OAEG;IACH,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAEtC;;;OAGG;IACH,IAAI,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;CAC1C;AAMD;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,+BAA+B;IAC/B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,mDAAmD;IACnD,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,mDAAmD;IACnD,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,oCAAoC;IACpC,QAAQ,EAAE,OAAO,CAAC;IAClB,2DAA2D;IAC3D,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B;;OAEG;IACH,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;IAEjE;;;;;OAKG;IACH,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAEvD;;;;;;OAMG;IACH,MAAM,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;CAC7E;AAMD;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC;;OAEG;IACH,MAAM,CAAC,KAAK,EAAE,kBAAkB,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAEpD;;;OAGG;IACH,GAAG,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC,CAAC;IAEhD;;OAEG;IACH,MAAM,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAE5C;;OAEG;IACH,MAAM,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAE/E;;OAEG;IACH,eAAe,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC;CACrD;AAMD;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,qCAAqC;IACrC,OAAO,EAAE,OAAO,CAAC;IACjB,uCAAuC;IACvC,SAAS,EAAE,MAAM,CAAC;IAClB,4CAA4C;IAC5C,OAAO,EAAE,MAAM,CAAC;CACjB;AAED;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC;;;;;OAKG;IACH,UAAU,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,CAAC,CAAC;IAExF;;OAEG;IACH,SAAS,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,CAAC,CAAC;IAEvF;;OAEG;IACH,KAAK,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACnC;AAMD;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,KAAK,EAAE;QACL,SAAS,EAAE,OAAO,CAAC;QACnB,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,KAAK,CAAC,EAAE,MAAM,CAAC;KAChB,CAAC;IACF,IAAI,EAAE,OAAO,GAAG,QAAQ,CAAC;CAC1B;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B;;OAEG;IACH,eAAe,CAAC,IAAI,EAAE,MAAM,GAAG,aAAa,CAAC;IAE7C;;OAEG;IACH,eAAe,IAAI,aAAa,CAAC;IAEjC;;OAEG;IACH,cAAc,IAAI,YAAY,CAAC;IAE/B;;OAEG;IACH,sBAAsB,IAAI,oBAAoB,CAAC;IAE/C;;OAEG;IACH,mBAAmB,IAAI,iBAAiB,CAAC;IAEzC;;OAEG;IACH,gBAAgB,IAAI,OAAO,CAAC;IAE5B;;OAEG;IACH,eAAe,IAAI,OAAO,CAAC,mBAAmB,CAAC,CAAC;CACjD"}

package/dist/common/adapters/types.js

@@ -0,0 +1,11 @@
+/**
+ * Adapter Interfaces for Redis Optionality
+ *
+ * These interfaces define contracts for queue, cache, lock, session,
+ * and rate limiting functionality. They can be implemented by either
+ * Redis-backed or in-memory backends, allowing Vorion to run without Redis.
+ *
+ * @packageDocumentation
+ */
+export {};
+//# sourceMappingURL=types.js.map

package/dist/common/adapters/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../../src/common/adapters/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG"}

package/dist/common/authorization.d.ts

@@ -0,0 +1,137 @@
+/**
+ * Authorization Utilities
+ *
+ * Provides role-based access control (RBAC) utilities for API endpoints.
+ * Includes comprehensive audit logging for access denial events.
+ *
+ * @packageDocumentation
+ */
+import type { FastifyRequest, FastifyReply } from 'fastify';
+import { AuthorizationResult as CanonicalAuthorizationResult, AuthorizationConstraints, GovernanceDenialReason, authorizationResultSchema, authorizationConstraintsSchema, governanceDenialReasonSchema } from '@vorionsys/contracts/canonical';
+export { CanonicalAuthorizationResult, AuthorizationConstraints, GovernanceDenialReason, authorizationResultSchema, authorizationConstraintsSchema, governanceDenialReasonSchema, };
+/**
+ * User payload extracted from JWT token
+ */
+export interface AuthUser {
+    sub?: string;
+    tenantId?: string;
+    roles?: string[];
+    groups?: string[];
+    [key: string]: unknown;
+}
+/**
+ * Authorization check result
+ *
+ * @deprecated Use `CanonicalAuthorizationResult` from `@vorion/contracts` for new code.
+ *             This interface is maintained for backwards compatibility and is a subset
+ *             of the canonical type. The canonical type includes additional fields for
+ *             denial reasons, permissions, constraints, and remediations.
+ */
+export interface AuthorizationResult {
+    allowed: boolean;
+    reason?: string;
+    matchedRoles?: string[];
+}
+/**
+ * Policy endpoint role definitions
+ */
+export declare const POLICY_ROLES: {
+    /** Roles that can read policies */
+    readonly READ: readonly ["admin", "tenant:admin", "policy:admin", "policy_reader", "policy_writer"];
+    /** Roles that can create and update policies */
+    readonly WRITE: readonly ["admin", "tenant:admin", "policy:admin", "policy_writer"];
+    /** Roles that can delete policies */
+    readonly DELETE: readonly ["admin", "tenant:admin", "policy:admin"];
+};
+/**
+ * Check if user has any of the required roles
+ *
+ * @param userRoles - Array of roles the user has
+ * @param requiredRoles - Array of roles that would grant access
+ * @returns Authorization result with matched roles if allowed
+ */
+export declare function hasAnyRole(userRoles: string[] | undefined, requiredRoles: readonly string[]): AuthorizationResult;
+/**
+ * Check if user has all of the required roles
+ *
+ * @param userRoles - Array of roles the user has
+ * @param requiredRoles - Array of roles that are all required
+ * @returns Authorization result
+ */
+export declare function hasAllRoles(userRoles: string[] | undefined, requiredRoles: readonly string[]): AuthorizationResult;
+/**
+ * Extract user information from Fastify request
+ *
+ * @param request - Fastify request object (with JWT user property)
+ * @returns AuthUser extracted from JWT payload
+ */
+export declare function getAuthUser(request: FastifyRequest): AuthUser;
+/**
+ * Authorization error response structure
+ */
+export interface AuthorizationError {
+    code: 'FORBIDDEN';
+    message: string;
+    requiredRoles?: readonly string[];
+}
+/**
+ * Create a standard 403 Forbidden response
+ *
+ * @param reason - Reason for denial
+ * @param requiredRoles - Optional list of required roles to include in response
+ * @returns Formatted error response
+ */
+export declare function createForbiddenResponse(reason: string, requiredRoles?: readonly string[]): {
+    error: AuthorizationError;
+};
+/**
+ * Higher-order function to create an authorization guard for route handlers
+ *
+ * @param requiredRoles - Roles that grant access to this endpoint
+ * @param options - Additional options for the guard
+ * @returns A preHandler hook function for Fastify
+ *
+ * @example
+ * ```typescript
+ * api.get('/policies', {
+ *   preHandler: requireRoles(POLICY_ROLES.READ),
+ * }, async (request, reply) => {
+ *   // Handler code
+ * });
+ * ```
+ */
+export declare function requireRoles(requiredRoles: readonly string[], options?: {
+    /** Log authorization failures */
+    logFailures?: boolean;
+    /** Custom message for authorization failures */
+    customMessage?: string;
+    /** Record access denial in audit log (default: true) */
+    auditDenials?: boolean;
+}): (request: FastifyRequest, reply: FastifyReply) => Promise<void>;
+/**
+ * Inline authorization check for use within route handlers
+ * Returns true if authorized, sends 403 response and returns false if not
+ *
+ * @param request - Fastify request object
+ * @param reply - Fastify reply object
+ * @param requiredRoles - Roles that grant access
+ * @param options - Additional options
+ * @returns true if authorized, false if not (response already sent)
+ *
+ * @example
+ * ```typescript
+ * api.delete('/policies/:id', async (request, reply) => {
+ *   if (!await checkAuthorization(request, reply, POLICY_ROLES.DELETE)) {
+ *     return; // Response already sent
+ *   }
+ *   // Handler code
+ * });
+ * ```
+ */
+export declare function checkAuthorization(request: FastifyRequest, reply: FastifyReply, requiredRoles: readonly string[], options?: {
+    logFailures?: boolean;
+    customMessage?: string;
+    /** Record access denial in audit log (default: true) */
+    auditDenials?: boolean;
+}): Promise<boolean>;
+//# sourceMappingURL=authorization.d.ts.map

package/dist/common/authorization.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"authorization.d.ts","sourceRoot":"","sources":["../../src/common/authorization.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAK5D,OAAO,EACL,mBAAmB,IAAI,4BAA4B,EACnD,wBAAwB,EACxB,sBAAsB,EACtB,yBAAyB,EACzB,8BAA8B,EAC9B,4BAA4B,EAC7B,MAAM,gCAAgC,CAAC;AAGxC,OAAO,EACL,4BAA4B,EAC5B,wBAAwB,EACxB,sBAAsB,EACtB,yBAAyB,EACzB,8BAA8B,EAC9B,4BAA4B,GAC7B,CAAC;AAkEF;;GAEG;AACH,MAAM,WAAW,QAAQ;IACvB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED;;;;;;;GAOG;AACH,MAAM,WAAW,mBAAmB;IAClC,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;CACzB;AAED;;GAEG;AACH,eAAO,MAAM,YAAY;IACvB,mCAAmC;;IAEnC,gDAAgD;;IAEhD,qCAAqC;;CAE7B,CAAC;AAEX;;;;;;GAMG;AACH,wBAAgB,UAAU,CACxB,SAAS,EAAE,MAAM,EAAE,GAAG,SAAS,EAC/B,aAAa,EAAE,SAAS,MAAM,EAAE,GAC/B,mBAAmB,CAuBrB;AAED;;;;;;GAMG;AACH,wBAAgB,WAAW,CACzB,SAAS,EAAE,MAAM,EAAE,GAAG,SAAS,EAC/B,aAAa,EAAE,SAAS,MAAM,EAAE,GAC/B,mBAAmB,CAuBrB;AAED;;;;;GAKG;AACH,wBAAgB,WAAW,CAAC,OAAO,EAAE,cAAc,GAAG,QAAQ,CAI7D;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,IAAI,EAAE,WAAW,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;IAChB,aAAa,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;CACnC;AAED;;;;;;GAMG;AACH,wBAAgB,uBAAuB,CACrC,MAAM,EAAE,MAAM,EACd,aAAa,CAAC,EAAE,SAAS,MAAM,EAAE,GAChC;IAAE,KAAK,EAAE,kBAAkB,CAAA;CAAE,CAW/B;AAED;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,YAAY,CAC1B,aAAa,EAAE,SAAS,MAAM,EAAE,EAChC,OAAO,GAAE;IACP,iCAAiC;IACjC,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,gDAAgD;IAChD,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,wDAAwD;IACxD,YAAY,CAAC,EAAE,OAAO,CAAC;CACnB,GACL,CAAC,OAAO,EAAE,cAAc,EAAE,KAAK,EAAE,YAAY,KAAK,OAAO,CAAC,IAAI,CAAC,CAgDjE;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAsB,kBAAkB,CACtC,OAAO,EAAE,cAAc,EACvB,KAAK,EAAE,YAAY,EACnB,aAAa,EAAE,SAAS,MAAM,EAAE,EAChC,OAAO,GAAE;IACP,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,wDAAwD;IACxD,YAAY,CAAC,EAAE,OAAO,CAAC;CACnB,GACL,OAAO,CAAC,OAAO,CAAC,CA+ClB"}

package/dist/common/authorization.js

@@ -0,0 +1,270 @@
+/**
+ * Authorization Utilities
+ *
+ * Provides role-based access control (RBAC) utilities for API endpoints.
+ * Includes comprehensive audit logging for access denial events.
+ *
+ * @packageDocumentation
+ */
+import { createLogger } from './logger.js';
+import { createAuditService } from '../audit/service.js';
+// Import canonical types from @vorion/contracts
+import { GovernanceDenialReason, authorizationResultSchema, authorizationConstraintsSchema, governanceDenialReasonSchema, } from '@vorionsys/contracts/canonical';
+// Re-export canonical types for backwards compatibility
+export { GovernanceDenialReason, authorizationResultSchema, authorizationConstraintsSchema, governanceDenialReasonSchema, };
+const authzLogger = createLogger({ component: 'authorization' });
+// Lazy-initialized audit service for access denial logging
+let auditService = null;
+function getAuditService() {
+    if (!auditService) {
+        auditService = createAuditService();
+    }
+    return auditService;
+}
+/**
+ * Record an access denied audit event
+ * This is called whenever authorization fails to maintain a security audit trail
+ */
+async function recordAccessDeniedAudit(request, user, requiredRoles, reason) {
+    try {
+        const service = getAuditService();
+        const tenantId = user.tenantId;
+        // Even without tenant context, we should log the denial attempt
+        // Use a system tenant ID for cross-tenant/unauthenticated access attempts
+        const effectiveTenantId = tenantId || 'system';
+        await service.record({
+            tenantId: effectiveTenantId,
+            eventType: 'access.denied',
+            actor: {
+                type: 'user',
+                id: user.sub || 'unknown',
+                ip: request.ip,
+            },
+            target: {
+                type: 'system',
+                id: request.url,
+            },
+            action: 'access',
+            outcome: 'failure',
+            reason,
+            metadata: {
+                method: request.method,
+                path: request.url,
+                requiredRoles: [...requiredRoles],
+                userRoles: user.roles || [],
+                userAgent: request.headers['user-agent'],
+                referrer: request.headers['referer'],
+            },
+            requestId: request.id,
+        });
+    }
+    catch (error) {
+        // Don't let audit failures break the authorization flow
+        authzLogger.error({ error, path: request.url, method: request.method }, 'Failed to record access denied audit event');
+    }
+}
+/**
+ * Policy endpoint role definitions
+ */
+export const POLICY_ROLES = {
+    /** Roles that can read policies */
+    READ: ['admin', 'tenant:admin', 'policy:admin', 'policy_reader', 'policy_writer'],
+    /** Roles that can create and update policies */
+    WRITE: ['admin', 'tenant:admin', 'policy:admin', 'policy_writer'],
+    /** Roles that can delete policies */
+    DELETE: ['admin', 'tenant:admin', 'policy:admin'],
+};
+/**
+ * Check if user has any of the required roles
+ *
+ * @param userRoles - Array of roles the user has
+ * @param requiredRoles - Array of roles that would grant access
+ * @returns Authorization result with matched roles if allowed
+ */
+export function hasAnyRole(userRoles, requiredRoles) {
+    const roles = userRoles ?? [];
+    if (roles.length === 0) {
+        return {
+            allowed: false,
+            reason: 'No roles found in token',
+        };
+    }
+    const matchedRoles = roles.filter((role) => requiredRoles.includes(role));
+    if (matchedRoles.length > 0) {
+        return {
+            allowed: true,
+            matchedRoles,
+        };
+    }
+    return {
+        allowed: false,
+        reason: `Required roles: ${requiredRoles.join(', ')}. User roles: ${roles.join(', ')}`,
+    };
+}
+/**
+ * Check if user has all of the required roles
+ *
+ * @param userRoles - Array of roles the user has
+ * @param requiredRoles - Array of roles that are all required
+ * @returns Authorization result
+ */
+export function hasAllRoles(userRoles, requiredRoles) {
+    const roles = userRoles ?? [];
+    if (roles.length === 0) {
+        return {
+            allowed: false,
+            reason: 'No roles found in token',
+        };
+    }
+    const missingRoles = requiredRoles.filter((role) => !roles.includes(role));
+    if (missingRoles.length === 0) {
+        return {
+            allowed: true,
+            matchedRoles: [...requiredRoles],
+        };
+    }
+    return {
+        allowed: false,
+        reason: `Missing required roles: ${missingRoles.join(', ')}`,
+    };
+}
+/**
+ * Extract user information from Fastify request
+ *
+ * @param request - Fastify request object (with JWT user property)
+ * @returns AuthUser extracted from JWT payload
+ */
+export function getAuthUser(request) {
+    // The JWT plugin adds the user property to the request
+    // Cast through unknown to avoid strict type checking
+    return request.user;
+}
+/**
+ * Create a standard 403 Forbidden response
+ *
+ * @param reason - Reason for denial
+ * @param requiredRoles - Optional list of required roles to include in response
+ * @returns Formatted error response
+ */
+export function createForbiddenResponse(reason, requiredRoles) {
+    const error = {
+        code: 'FORBIDDEN',
+        message: reason,
+    };
+    if (requiredRoles) {
+        error.requiredRoles = requiredRoles;
+    }
+    return { error };
+}
+/**
+ * Higher-order function to create an authorization guard for route handlers
+ *
+ * @param requiredRoles - Roles that grant access to this endpoint
+ * @param options - Additional options for the guard
+ * @returns A preHandler hook function for Fastify
+ *
+ * @example
+ * ```typescript
+ * api.get('/policies', {
+ *   preHandler: requireRoles(POLICY_ROLES.READ),
+ * }, async (request, reply) => {
+ *   // Handler code
+ * });
+ * ```
+ */
+export function requireRoles(requiredRoles, options = {}) {
+    const { logFailures = true, customMessage, auditDenials = true } = options;
+    return async (request, reply) => {
+        const user = getAuthUser(request);
+        const result = hasAnyRole(user.roles, requiredRoles);
+        if (!result.allowed) {
+            if (logFailures) {
+                authzLogger.warn({
+                    userId: user.sub,
+                    tenantId: user.tenantId,
+                    userRoles: user.roles,
+                    requiredRoles: [...requiredRoles],
+                    path: request.url,
+                    method: request.method,
+                    reason: result.reason,
+                }, 'Authorization denied');
+            }
+            // Record access denial in audit log for security compliance
+            if (auditDenials) {
+                const reason = result.reason ?? `Required roles: ${requiredRoles.join(', ')}`;
+                // Don't await - fire and forget to avoid blocking the response
+                recordAccessDeniedAudit(request, user, requiredRoles, reason).catch(() => {
+                    // Error already logged in recordAccessDeniedAudit
+                });
+            }
+            const message = customMessage ?? `Access denied: ${result.reason}`;
+            return reply.status(403).send(createForbiddenResponse(message, requiredRoles));
+        }
+        // Authorization passed - log at debug level for audit trail
+        authzLogger.debug({
+            userId: user.sub,
+            tenantId: user.tenantId,
+            matchedRoles: result.matchedRoles,
+            path: request.url,
+            method: request.method,
+        }, 'Authorization granted');
+    };
+}
+/**
+ * Inline authorization check for use within route handlers
+ * Returns true if authorized, sends 403 response and returns false if not
+ *
+ * @param request - Fastify request object
+ * @param reply - Fastify reply object
+ * @param requiredRoles - Roles that grant access
+ * @param options - Additional options
+ * @returns true if authorized, false if not (response already sent)
+ *
+ * @example
+ * ```typescript
+ * api.delete('/policies/:id', async (request, reply) => {
+ *   if (!await checkAuthorization(request, reply, POLICY_ROLES.DELETE)) {
+ *     return; // Response already sent
+ *   }
+ *   // Handler code
+ * });
+ * ```
+ */
+export async function checkAuthorization(request, reply, requiredRoles, options = {}) {
+    const { logFailures = true, customMessage, auditDenials = true } = options;
+    const user = getAuthUser(request);
+    const result = hasAnyRole(user.roles, requiredRoles);
+    if (!result.allowed) {
+        if (logFailures) {
+            authzLogger.warn({
+                userId: user.sub,
+                tenantId: user.tenantId,
+                userRoles: user.roles,
+                requiredRoles: [...requiredRoles],
+                path: request.url,
+                method: request.method,
+                reason: result.reason,
+            }, 'Authorization denied');
+        }
+        // Record access denial in audit log for security compliance
+        if (auditDenials) {
+            const reason = result.reason ?? `Required roles: ${requiredRoles.join(', ')}`;
+            // Don't await - fire and forget to avoid blocking the response
+            recordAccessDeniedAudit(request, user, requiredRoles, reason).catch(() => {
+                // Error already logged in recordAccessDeniedAudit
+            });
+        }
+        const message = customMessage ?? `Access denied: ${result.reason}`;
+        await reply.status(403).send(createForbiddenResponse(message, requiredRoles));
+        return false;
+    }
+    authzLogger.debug({
+        userId: user.sub,
+        tenantId: user.tenantId,
+        matchedRoles: result.matchedRoles,
+        path: request.url,
+        method: request.method,
+    }, 'Authorization granted');
+    return true;
+}
+//# sourceMappingURL=authorization.js.map

package/dist/common/authorization.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"authorization.js","sourceRoot":"","sources":["../../src/common/authorization.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,kBAAkB,EAAqB,MAAM,qBAAqB,CAAC;AAE5E,gDAAgD;AAChD,OAAO,EAGL,sBAAsB,EACtB,yBAAyB,EACzB,8BAA8B,EAC9B,4BAA4B,GAC7B,MAAM,gCAAgC,CAAC;AAExC,wDAAwD;AACxD,OAAO,EAGL,sBAAsB,EACtB,yBAAyB,EACzB,8BAA8B,EAC9B,4BAA4B,GAC7B,CAAC;AAEF,MAAM,WAAW,GAAG,YAAY,CAAC,EAAE,SAAS,EAAE,eAAe,EAAE,CAAC,CAAC;AAEjE,2DAA2D;AAC3D,IAAI,YAAY,GAAwB,IAAI,CAAC;AAE7C,SAAS,eAAe;IACtB,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,YAAY,GAAG,kBAAkB,EAAE,CAAC;IACtC,CAAC;IACD,OAAO,YAAY,CAAC;AACtB,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,uBAAuB,CACpC,OAAuB,EACvB,IAAc,EACd,aAAgC,EAChC,MAAc;IAEd,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,eAAe,EAAE,CAAC;QAClC,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC;QAE/B,gEAAgE;QAChE,0EAA0E;QAC1E,MAAM,iBAAiB,GAAG,QAAQ,IAAI,QAAQ,CAAC;QAE/C,MAAM,OAAO,CAAC,MAAM,CAAC;YACnB,QAAQ,EAAE,iBAAiB;YAC3B,SAAS,EAAE,eAAe;YAC1B,KAAK,EAAE;gBACL,IAAI,EAAE,MAAM;gBACZ,EAAE,EAAE,IAAI,CAAC,GAAG,IAAI,SAAS;gBACzB,EAAE,EAAE,OAAO,CAAC,EAAE;aACf;YACD,MAAM,EAAE;gBACN,IAAI,EAAE,QAAQ;gBACd,EAAE,EAAE,OAAO,CAAC,GAAG;aAChB;YACD,MAAM,EAAE,QAAQ;YAChB,OAAO,EAAE,SAAS;YAClB,MAAM;YACN,QAAQ,EAAE;gBACR,MAAM,EAAE,OAAO,CAAC,MAAM;gBACtB,IAAI,EAAE,OAAO,CAAC,GAAG;gBACjB,aAAa,EAAE,CAAC,GAAG,aAAa,CAAC;gBACjC,SAAS,EAAE,IAAI,CAAC,KAAK,IAAI,EAAE;gBAC3B,SAAS,EAAE,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC;gBACxC,QAAQ,EAAE,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC;aACrC;YACD,SAAS,EAAE,OAAO,CAAC,EAAE;SACtB,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,wDAAwD;QACxD,WAAW,CAAC,KAAK,CACf,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,CAAC,MAAM,EAAE,EACpD,4CAA4C,CAC7C,CAAC;IACJ,CAAC;AACH,CAAC;AA2BD;;GAEG;AACH,MAAM,CAAC,MAAM,YAAY,GAAG;IAC1B,mCAAmC;IACnC,IAAI,EAAE,CAAC,OAAO,EAAE,cAAc,EAAE,cAAc,EAAE,eAAe,EAAE,eAAe,CAAC;IACjF,gDAAgD;IAChD,KAAK,EAAE,CAAC,OAAO,EAAE,cAAc,EAAE,cAAc,EAAE,eAAe,CAAC;IACjE,qCAAqC;IACrC,MAAM,EAAE,CAAC,OAAO,EAAE,cAAc,EAAE,cAAc,CAAC;CACzC,CAAC;AAEX;;;;;;GAMG;AACH,MAAM,UAAU,UAAU,CACxB,SAA+B,EAC/B,aAAgC;IAEhC,MAAM,KAAK,GAAG,SAAS,IAAI,EAAE,CAAC;IAE9B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,OAAO;YACL,OAAO,EAAE,KAAK;YACd,MAAM,EAAE,yBAAyB;SAClC,CAAC;IACJ,CAAC;IAED,MAAM,YAAY,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,aAAa,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC;IAE1E,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5B,OAAO;YACL,OAAO,EAAE,IAAI;YACb,YAAY;SACb,CAAC;IACJ,CAAC;IAED,OAAO;QACL,OAAO,EAAE,KAAK;QACd,MAAM,EAAE,mBAAmB,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,iBAAiB,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;KACvF,CAAC;AACJ,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,WAAW,CACzB,SAA+B,EAC/B,aAAgC;IAEhC,MAAM,KAAK,GAAG,SAAS,IAAI,EAAE,CAAC;IAE9B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,OAAO;YACL,OAAO,EAAE,KAAK;YACd,MAAM,EAAE,yBAAyB;SAClC,CAAC;IACJ,CAAC;IAED,MAAM,YAAY,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC;IAE3E,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC9B,OAAO;YACL,OAAO,EAAE,IAAI;YACb,YAAY,EAAE,CAAC,GAAG,aAAa,CAAC;SACjC,CAAC;IACJ,CAAC;IAED,OAAO;QACL,OAAO,EAAE,KAAK;QACd,MAAM,EAAE,2BAA2B,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;KAC7D,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,WAAW,CAAC,OAAuB;IACjD,uDAAuD;IACvD,qDAAqD;IACrD,OAAQ,OAAyC,CAAC,IAAI,CAAC;AACzD,CAAC;AAWD;;;;;;GAMG;AACH,MAAM,UAAU,uBAAuB,CACrC,MAAc,EACd,aAAiC;IAEjC,MAAM,KAAK,GAAuB;QAChC,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,MAAM;KAChB,CAAC;IAEF,IAAI,aAAa,EAAE,CAAC;QAClB,KAAK,CAAC,aAAa,GAAG,aAAa,CAAC;IACtC,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,CAAC;AACnB,CAAC;AAED;;;;;;;;;;;;;;;GAeG;AACH,MAAM,UAAU,YAAY,CAC1B,aAAgC,EAChC,UAOI,EAAE;IAEN,MAAM,EAAE,WAAW,GAAG,IAAI,EAAE,aAAa,EAAE,YAAY,GAAG,IAAI,EAAE,GAAG,OAAO,CAAC;IAE3E,OAAO,KAAK,EAAE,OAAuB,EAAE,KAAmB,EAAiB,EAAE;QAC3E,MAAM,IAAI,GAAG,WAAW,CAAC,OAAO,CAAC,CAAC;QAClC,MAAM,MAAM,GAAG,UAAU,CAAC,IAAI,CAAC,KAAK,EAAE,aAAa,CAAC,CAAC;QAErD,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACpB,IAAI,WAAW,EAAE,CAAC;gBAChB,WAAW,CAAC,IAAI,CACd;oBACE,MAAM,EAAE,IAAI,CAAC,GAAG;oBAChB,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,SAAS,EAAE,IAAI,CAAC,KAAK;oBACrB,aAAa,EAAE,CAAC,GAAG,aAAa,CAAC;oBACjC,IAAI,EAAE,OAAO,CAAC,GAAG;oBACjB,MAAM,EAAE,OAAO,CAAC,MAAM;oBACtB,MAAM,EAAE,MAAM,CAAC,MAAM;iBACtB,EACD,sBAAsB,CACvB,CAAC;YACJ,CAAC;YAED,4DAA4D;YAC5D,IAAI,YAAY,EAAE,CAAC;gBACjB,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,IAAI,mBAAmB,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC9E,+DAA+D;gBAC/D,uBAAuB,CAAC,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE;oBACvE,kDAAkD;gBACpD,CAAC,CAAC,CAAC;YACL,CAAC;YAED,MAAM,OAAO,GAAG,aAAa,IAAI,kBAAkB,MAAM,CAAC,MAAM,EAAE,CAAC;YACnE,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,uBAAuB,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC,CAAC;QACjF,CAAC;QAED,4DAA4D;QAC5D,WAAW,CAAC,KAAK,CACf;YACE,MAAM,EAAE,IAAI,CAAC,GAAG;YAChB,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,YAAY,EAAE,MAAM,CAAC,YAAY;YACjC,IAAI,EAAE,OAAO,CAAC,GAAG;YACjB,MAAM,EAAE,OAAO,CAAC,MAAM;SACvB,EACD,uBAAuB,CACxB,CAAC;IACJ,CAAC,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,OAAuB,EACvB,KAAmB,EACnB,aAAgC,EAChC,UAKI,EAAE;IAEN,MAAM,EAAE,WAAW,GAAG,IAAI,EAAE,aAAa,EAAE,YAAY,GAAG,IAAI,EAAE,GAAG,OAAO,CAAC;IAC3E,MAAM,IAAI,GAAG,WAAW,CAAC,OAAO,CAAC,CAAC;IAClC,MAAM,MAAM,GAAG,UAAU,CAAC,IAAI,CAAC,KAAK,EAAE,aAAa,CAAC,CAAC;IAErD,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACpB,IAAI,WAAW,EAAE,CAAC;YAChB,WAAW,CAAC,IAAI,CACd;gBACE,MAAM,EAAE,IAAI,CAAC,GAAG;gBAChB,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,SAAS,EAAE,IAAI,CAAC,KAAK;gBACrB,aAAa,EAAE,CAAC,GAAG,aAAa,CAAC;gBACjC,IAAI,EAAE,OAAO,CAAC,GAAG;gBACjB,MAAM,EAAE,OAAO,CAAC,MAAM;gBACtB,MAAM,EAAE,MAAM,CAAC,MAAM;aACtB,EACD,sBAAsB,CACvB,CAAC;QACJ,CAAC;QAED,4DAA4D;QAC5D,IAAI,YAAY,EAAE,CAAC;YACjB,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,IAAI,mBAAmB,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YAC9E,+DAA+D;YAC/D,uBAAuB,CAAC,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE;gBACvE,kDAAkD;YACpD,CAAC,CAAC,CAAC;QACL,CAAC;QAED,MAAM,OAAO,GAAG,aAAa,IAAI,kBAAkB,MAAM,CAAC,MAAM,EAAE,CAAC;QACnE,MAAM,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,uBAAuB,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC,CAAC;QAC9E,OAAO,KAAK,CAAC;IACf,CAAC;IAED,WAAW,CAAC,KAAK,CACf;QACE,MAAM,EAAE,IAAI,CAAC,GAAG;QAChB,QAAQ,EAAE,IAAI,CAAC,QAAQ;QACvB,YAAY,EAAE,MAAM,CAAC,YAAY;QACjC,IAAI,EAAE,OAAO,CAAC,GAAG;QACjB,MAAM,EAAE,OAAO,CAAC,MAAM;KACvB,EACD,uBAAuB,CACxB,CAAC;IAEF,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/common/canonical-bridge.d.ts

@@ -0,0 +1,151 @@
+/**
+ * Canonical Bridge - Re-exports canonical types from @vorion/contracts
+ *
+ * This module provides a bridge between legacy types in src/common/types.ts
+ * and the canonical types defined in packages/contracts/src/v2/.
+ *
+ * USAGE:
+ * - For NEW code: Import canonical types directly from this module
+ * - For EXISTING code: Continue using legacy types from ./types.ts
+ * - For MIGRATIONS: Use adapter functions to convert between formats
+ *
+ * @packageDocumentation
+ */
+export { TrustBand, ObservationTier, OBSERVATION_CEILINGS, DataSensitivity, Reversibility, ActionType, ProofEventType, ComponentType, ComponentStatus, ApprovalType, } from '@vorionsys/contracts/v2';
+export type { TrustFactorScores, TrustEvidence, TrustProfile, TrustProfileSummary, TrustCalculationRequest, BandThresholds, BandingConfig, TrustDynamicsConfig, CooldownState, DirectionChange, TrustDynamicsState, ProvisionalOutcome, } from '@vorionsys/contracts/v2';
+export { DEFAULT_BAND_THRESHOLDS, DEFAULT_BANDING_CONFIG, RiskProfile, RISK_PROFILE_WINDOWS, DEFAULT_TRUST_DYNAMICS, } from '@vorionsys/contracts/v2';
+export type { Intent as CanonicalIntent, IntentContext as CanonicalIntentContext, IntentSummary, CreateIntentRequest, } from '@vorionsys/contracts/v2';
+export type { Decision as CanonicalDecision, DecisionSummary, DecisionConstraints, RateLimit, ApprovalRequirement, AuthorizationRequest, AuthorizationResponse, } from '@vorionsys/contracts/v2';
+export { DenialReason } from '@vorionsys/contracts/v2';
+export type { AuthorizationResult, AuthorizationConstraints, AuthContext, HierarchyLevel, HierarchyLevelConfig, AuthorityScopeType, AuthorityScope, AuthorityScopeTimeRestriction, Authority, AuthorityAudit, AuthorityType, Permission, GovernanceRole, ControlAction as GovernanceControlAction, } from '@vorionsys/contracts/canonical';
+export { GovernanceDenialReason, HIERARCHY_TIERS, HIERARCHY_ORDER, HIERARCHY_LEVELS, getHierarchyTier, getHierarchyLevelConfig, isHigherAuthority, canDelegate, getReportingChain, meetsMinimumTrust, createAllowedResult, createDeniedResult, createGovernanceDeniedResult, isHierarchyLevel, isAuthorityScopeType, governanceDenialReasonSchema, authorizationConstraintsSchema, authorizationResultSchema, governanceRoleSchema, hierarchyLevelSchema, hierarchyLevelConfigSchema, authorityScopeTypeSchema, controlActionSchema, authorityScopeTimeRestrictionSchema, authorityScopeSchema, authorityTypeSchema, permissionSchema, authorityAuditSchema, authoritySchema, authContextSchema, } from '@vorionsys/contracts/canonical';
+import type { ID, TrustLevel, TrustScore, Intent, TrustSignal } from './types.js';
+import { TrustBand } from '@vorionsys/contracts/v2';
+import type { Intent as CanonicalIntent } from '@vorionsys/contracts/v2';
+import type { TrustEvidence } from '@vorionsys/contracts/v2';
+/**
+ * Convert legacy TrustLevel (0-5) to canonical TrustBand enum
+ *
+ * @param level - Legacy trust level (0-5)
+ * @returns Canonical TrustBand enum value
+ */
+export declare function trustLevelToTrustBand(level: TrustLevel): TrustBand;
+/**
+ * Convert canonical TrustBand enum to legacy TrustLevel (0-5)
+ *
+ * @param band - Canonical TrustBand enum value
+ * @returns Legacy trust level (0-5)
+ */
+export declare function trustBandToTrustLevel(band: TrustBand): TrustLevel;
+/**
+ * @deprecated No longer needed - trust-profile.ts now uses 0-1000 scale
+ *
+ * Convert trust score (0-1000) to legacy dimension score (0-100)
+ * This is provided for backwards compatibility with older code that
+ * expected 0-100 scale dimensions.
+ *
+ * @param score - Trust score on 0-1000 scale
+ * @returns Score on 0-100 scale
+ */
+export declare function trustScoreToDimensionScore(score: TrustScore): number;
+/**
+ * @deprecated No longer needed - trust-profile.ts now uses 0-1000 scale
+ *
+ * Convert legacy dimension score (0-100) to trust score (0-1000)
+ * This is provided for backwards compatibility with older code that
+ * used 0-100 scale dimensions.
+ *
+ * @param dimensionScore - Score on 0-100 scale
+ * @returns Trust score on 0-1000 scale
+ */
+export declare function dimensionScoreToTrustScore(dimensionScore: number): TrustScore;
+/**
+ * Calculate TrustBand from a TrustScore (0-1000)
+ *
+ * Band thresholds (0-1000 scale):
+ * - T0: 0-200
+ * - T1: 201-400
+ * - T2: 401-550
+ * - T3: 551-700
+ * - T4: 701-850
+ * - T5: 851-1000
+ *
+ * @param score - Trust score on 0-1000 scale
+ * @returns Corresponding TrustBand
+ */
+export declare function trustScoreToTrustBand(score: TrustScore): TrustBand;
+/**
+ * Convert legacy TrustSignal to canonical TrustEvidence
+ *
+ * @param signal - Legacy TrustSignal
+ * @param dimension - Which trust dimension this evidence affects
+ * @returns Canonical TrustEvidence
+ */
+export declare function trustSignalToEvidence(signal: TrustSignal, factorCode?: string): TrustEvidence;
+/**
+ * Convert canonical TrustEvidence to legacy TrustSignal
+ *
+ * @param evidence - Canonical TrustEvidence
+ * @param entityId - Entity ID (required for legacy format)
+ * @returns Legacy TrustSignal
+ */
+export declare function evidenceToTrustSignal(evidence: TrustEvidence, entityId: ID): TrustSignal;
+/**
+ * Convert legacy Intent to canonical Intent format
+ *
+ * Note: Some fields may require additional context that isn't available
+ * in the legacy format. These are marked as optional in the canonical type.
+ *
+ * @param intent - Legacy Intent
+ * @param actionType - ActionType (required for canonical, defaults to 'execute')
+ * @returns Partial canonical Intent (missing some required fields)
+ */
+export declare function legacyIntentToCanonical(intent: Intent, actionType?: 'read' | 'write' | 'delete' | 'execute' | 'communicate' | 'transfer'): Partial<CanonicalIntent>;
+/**
+ * Trust band thresholds on 0-1000 scale
+ *
+ * These are the canonical thresholds that should be used for API responses
+ * and trust calculations. All trust dimensions and composite scores now
+ * use the unified 0-1000 scale.
+ */
+export declare const TRUST_BAND_THRESHOLDS_1000: {
+    readonly T0: {
+        readonly min: 0;
+        readonly max: 166;
+    };
+    readonly T1: {
+        readonly min: 167;
+        readonly max: 332;
+    };
+    readonly T2: {
+        readonly min: 333;
+        readonly max: 499;
+    };
+    readonly T3: {
+        readonly min: 500;
+        readonly max: 665;
+    };
+    readonly T4: {
+        readonly min: 666;
+        readonly max: 832;
+    };
+    readonly T5: {
+        readonly min: 833;
+        readonly max: 1000;
+    };
+};
+/**
+ * Get the minimum trust score required for a given TrustBand (0-1000 scale)
+ *
+ * @param band - Target TrustBand
+ * @returns Minimum score required
+ */
+export declare function getMinScoreForBand(band: TrustBand): TrustScore;
+/**
+ * Get the maximum trust score for a given TrustBand (0-1000 scale)
+ *
+ * @param band - Target TrustBand
+ * @returns Maximum score for the band
+ */
+export declare function getMaxScoreForBand(band: TrustBand): TrustScore;
+//# sourceMappingURL=canonical-bridge.d.ts.map

package/dist/common/canonical-bridge.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"canonical-bridge.d.ts","sourceRoot":"","sources":["../../src/common/canonical-bridge.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAOH,OAAO,EACL,SAAS,EACT,eAAe,EACf,oBAAoB,EACpB,eAAe,EACf,aAAa,EACb,UAAU,EACV,cAAc,EACd,aAAa,EACb,eAAe,EACf,YAAY,GACb,MAAM,yBAAyB,CAAC;AAGjC,YAAY,EACV,iBAAiB,EACjB,aAAa,EACb,YAAY,EACZ,mBAAmB,EACnB,uBAAuB,EACvB,cAAc,EACd,aAAa,EACb,mBAAmB,EACnB,aAAa,EACb,eAAe,EACf,kBAAkB,EAClB,kBAAkB,GACnB,MAAM,yBAAyB,CAAC;AAEjC,OAAO,EACL,uBAAuB,EACvB,sBAAsB,EACtB,WAAW,EACX,oBAAoB,EACpB,sBAAsB,GACvB,MAAM,yBAAyB,CAAC;AAGjC,YAAY,EACV,MAAM,IAAI,eAAe,EACzB,aAAa,IAAI,sBAAsB,EACvC,aAAa,EACb,mBAAmB,GACpB,MAAM,yBAAyB,CAAC;AAGjC,YAAY,EACV,QAAQ,IAAI,iBAAiB,EAC7B,eAAe,EACf,mBAAmB,EACnB,SAAS,EACT,mBAAmB,EACnB,oBAAoB,EACpB,qBAAqB,GACtB,MAAM,yBAAyB,CAAC;AAEjC,OAAO,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AAGvD,YAAY,EACV,mBAAmB,EACnB,wBAAwB,EACxB,WAAW,EACX,cAAc,EACd,oBAAoB,EACpB,kBAAkB,EAClB,cAAc,EACd,6BAA6B,EAC7B,SAAS,EACT,cAAc,EACd,aAAa,EACb,UAAU,EACV,cAAc,EACd,aAAa,IAAI,uBAAuB,GACzC,MAAM,gCAAgC,CAAC;AAExC,OAAO,EACL,sBAAsB,EACtB,eAAe,EACf,eAAe,EACf,gBAAgB,EAChB,gBAAgB,EAChB,uBAAuB,EACvB,iBAAiB,EACjB,WAAW,EACX,iBAAiB,EACjB,iBAAiB,EACjB,mBAAmB,EACnB,kBAAkB,EAClB,4BAA4B,EAC5B,gBAAgB,EAChB,oBAAoB,EAEpB,4BAA4B,EAC5B,8BAA8B,EAC9B,yBAAyB,EACzB,oBAAoB,EACpB,oBAAoB,EACpB,0BAA0B,EAC1B,wBAAwB,EACxB,mBAAmB,EACnB,mCAAmC,EACnC,oBAAoB,EACpB,mBAAmB,EACnB,gBAAgB,EAChB,oBAAoB,EACpB,eAAe,EACf,iBAAiB,GAClB,MAAM,gCAAgC,CAAC;AAMxC,OAAO,KAAK,EAAE,EAAE,EAAa,UAAU,EAAE,UAAU,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAC7F,OAAO,EAAE,SAAS,EAAc,MAAM,yBAAyB,CAAC;AAChE,OAAO,KAAK,EAAE,MAAM,IAAI,eAAe,EAAE,MAAM,yBAAyB,CAAC;AACzE,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,yBAAyB,CAAC;AAM7D;;;;;GAKG;AACH,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,UAAU,GAAG,SAAS,CAkBlE;AAED;;;;;GAKG;AACH,wBAAgB,qBAAqB,CAAC,IAAI,EAAE,SAAS,GAAG,UAAU,CAGjE;AAED;;;;;;;;;GASG;AACH,wBAAgB,0BAA0B,CAAC,KAAK,EAAE,UAAU,GAAG,MAAM,CAEpE;AAED;;;;;;;;;GASG;AACH,wBAAgB,0BAA0B,CAAC,cAAc,EAAE,MAAM,GAAG,UAAU,CAE7E;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,UAAU,GAAG,SAAS,CAUlE;AAED;;;;;;GAMG;AACH,wBAAgB,qBAAqB,CACnC,MAAM,EAAE,WAAW,EACnB,UAAU,GAAE,MAAiB,GAC5B,aAAa,CASf;AAED;;;;;;GAMG;AACH,wBAAgB,qBAAqB,CACnC,QAAQ,EAAE,aAAa,EACvB,QAAQ,EAAE,EAAE,GACX,WAAW,CAWb;AAcD;;;;;;;;;GASG;AACH,wBAAgB,uBAAuB,CACrC,MAAM,EAAE,MAAM,EACd,UAAU,GAAE,MAAM,GAAG,OAAO,GAAG,QAAQ,GAAG,SAAS,GAAG,aAAa,GAAG,UAAsB,GAC3F,OAAO,CAAC,eAAe,CAAC,CAc1B;AAMD;;;;;;GAMG;AACH,eAAO,MAAM,0BAA0B;;;;;;;;;;;;;;;;;;;;;;;;;CAO7B,CAAC;AAEX;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,IAAI,EAAE,SAAS,GAAG,UAAU,CAG9D;AAED;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,IAAI,EAAE,SAAS,GAAG,UAAU,CAG9D"}