@vorionsys/security 1.0.0

Files changed (1843)
  1. package/LICENSE +190 -0
  2. package/README.md +85 -0
  3. package/dist/aci-extensions/aci-string-extensions.d.ts +334 -0
  4. package/dist/aci-extensions/aci-string-extensions.d.ts.map +1 -0
  5. package/dist/aci-extensions/aci-string-extensions.js +435 -0
  6. package/dist/aci-extensions/aci-string-extensions.js.map +1 -0
  7. package/dist/aci-extensions/builtin-extensions/audit.d.ts +88 -0
  8. package/dist/aci-extensions/builtin-extensions/audit.d.ts.map +1 -0
  9. package/dist/aci-extensions/builtin-extensions/audit.js +444 -0
  10. package/dist/aci-extensions/builtin-extensions/audit.js.map +1 -0
  11. package/dist/aci-extensions/builtin-extensions/governance.d.ts +32 -0
  12. package/dist/aci-extensions/builtin-extensions/governance.d.ts.map +1 -0
  13. package/dist/aci-extensions/builtin-extensions/governance.js +533 -0
  14. package/dist/aci-extensions/builtin-extensions/governance.js.map +1 -0
  15. package/dist/aci-extensions/builtin-extensions/monitoring.d.ts +43 -0
  16. package/dist/aci-extensions/builtin-extensions/monitoring.d.ts.map +1 -0
  17. package/dist/aci-extensions/builtin-extensions/monitoring.js +416 -0
  18. package/dist/aci-extensions/builtin-extensions/monitoring.js.map +1 -0
  19. package/dist/aci-extensions/executor.d.ts +208 -0
  20. package/dist/aci-extensions/executor.d.ts.map +1 -0
  21. package/dist/aci-extensions/executor.js +789 -0
  22. package/dist/aci-extensions/executor.js.map +1 -0
  23. package/dist/aci-extensions/index.d.ts +6 -0
  24. package/dist/aci-extensions/index.d.ts.map +1 -0
  25. package/dist/aci-extensions/index.js +6 -0
  26. package/dist/aci-extensions/index.js.map +1 -0
  27. package/dist/aci-extensions/registry.d.ts +217 -0
  28. package/dist/aci-extensions/registry.d.ts.map +1 -0
  29. package/dist/aci-extensions/registry.js +443 -0
  30. package/dist/aci-extensions/registry.js.map +1 -0
  31. package/dist/aci-extensions/service.d.ts +220 -0
  32. package/dist/aci-extensions/service.d.ts.map +1 -0
  33. package/dist/aci-extensions/service.js +484 -0
  34. package/dist/aci-extensions/service.js.map +1 -0
  35. package/dist/aci-extensions/types.d.ts +2265 -0
  36. package/dist/aci-extensions/types.d.ts.map +1 -0
  37. package/dist/aci-extensions/types.js +389 -0
  38. package/dist/aci-extensions/types.js.map +1 -0
  39. package/dist/api/auth.d.ts +55 -0
  40. package/dist/api/auth.d.ts.map +1 -0
  41. package/dist/api/auth.js +306 -0
  42. package/dist/api/auth.js.map +1 -0
  43. package/dist/api/errors.d.ts +146 -0
  44. package/dist/api/errors.d.ts.map +1 -0
  45. package/dist/api/errors.js +464 -0
  46. package/dist/api/errors.js.map +1 -0
  47. package/dist/api/index.d.ts +16 -0
  48. package/dist/api/index.d.ts.map +1 -0
  49. package/dist/api/index.js +19 -0
  50. package/dist/api/index.js.map +1 -0
  51. package/dist/api/middleware/api-key-enforcement.d.ts +131 -0
  52. package/dist/api/middleware/api-key-enforcement.d.ts.map +1 -0
  53. package/dist/api/middleware/api-key-enforcement.js +674 -0
  54. package/dist/api/middleware/api-key-enforcement.js.map +1 -0
  55. package/dist/api/middleware/audit.d.ts +151 -0
  56. package/dist/api/middleware/audit.d.ts.map +1 -0
  57. package/dist/api/middleware/audit.js +384 -0
  58. package/dist/api/middleware/audit.js.map +1 -0
  59. package/dist/api/middleware/dpop-enforcement.d.ts +176 -0
  60. package/dist/api/middleware/dpop-enforcement.d.ts.map +1 -0
  61. package/dist/api/middleware/dpop-enforcement.js +596 -0
  62. package/dist/api/middleware/dpop-enforcement.js.map +1 -0
  63. package/dist/api/middleware/index.d.ts +23 -0
  64. package/dist/api/middleware/index.d.ts.map +1 -0
  65. package/dist/api/middleware/index.js +41 -0
  66. package/dist/api/middleware/index.js.map +1 -0
  67. package/dist/api/middleware/metrics.d.ts +41 -0
  68. package/dist/api/middleware/metrics.d.ts.map +1 -0
  69. package/dist/api/middleware/metrics.js +150 -0
  70. package/dist/api/middleware/metrics.js.map +1 -0
  71. package/dist/api/middleware/rate-limits.d.ts +224 -0
  72. package/dist/api/middleware/rate-limits.d.ts.map +1 -0
  73. package/dist/api/middleware/rate-limits.js +686 -0
  74. package/dist/api/middleware/rate-limits.js.map +1 -0
  75. package/dist/api/middleware/rateLimit.d.ts +165 -0
  76. package/dist/api/middleware/rateLimit.d.ts.map +1 -0
  77. package/dist/api/middleware/rateLimit.js +477 -0
  78. package/dist/api/middleware/rateLimit.js.map +1 -0
  79. package/dist/api/middleware/redis-rate-limiter.d.ts +279 -0
  80. package/dist/api/middleware/redis-rate-limiter.d.ts.map +1 -0
  81. package/dist/api/middleware/redis-rate-limiter.js +1074 -0
  82. package/dist/api/middleware/redis-rate-limiter.js.map +1 -0
  83. package/dist/api/middleware/security.d.ts +156 -0
  84. package/dist/api/middleware/security.d.ts.map +1 -0
  85. package/dist/api/middleware/security.js +412 -0
  86. package/dist/api/middleware/security.js.map +1 -0
  87. package/dist/api/middleware/validation.d.ts +132 -0
  88. package/dist/api/middleware/validation.d.ts.map +1 -0
  89. package/dist/api/middleware/validation.js +363 -0
  90. package/dist/api/middleware/validation.js.map +1 -0
  91. package/dist/api/middleware/webhook-verify.d.ts +130 -0
  92. package/dist/api/middleware/webhook-verify.d.ts.map +1 -0
  93. package/dist/api/middleware/webhook-verify.js +366 -0
  94. package/dist/api/middleware/webhook-verify.js.map +1 -0
  95. package/dist/api/rate-limit.d.ts +115 -0
  96. package/dist/api/rate-limit.d.ts.map +1 -0
  97. package/dist/api/rate-limit.js +335 -0
  98. package/dist/api/rate-limit.js.map +1 -0
  99. package/dist/api/routes/extensions.d.ts +40 -0
  100. package/dist/api/routes/extensions.d.ts.map +1 -0
  101. package/dist/api/routes/extensions.js +434 -0
  102. package/dist/api/routes/extensions.js.map +1 -0
  103. package/dist/api/routes/mfa.d.ts +44 -0
  104. package/dist/api/routes/mfa.d.ts.map +1 -0
  105. package/dist/api/routes/mfa.js +270 -0
  106. package/dist/api/routes/mfa.js.map +1 -0
  107. package/dist/api/server.d.ts +37 -0
  108. package/dist/api/server.d.ts.map +1 -0
  109. package/dist/api/server.js +1967 -0
  110. package/dist/api/server.js.map +1 -0
  111. package/dist/api/v1/admin.d.ts +11 -0
  112. package/dist/api/v1/admin.d.ts.map +1 -0
  113. package/dist/api/v1/admin.js +207 -0
  114. package/dist/api/v1/admin.js.map +1 -0
  115. package/dist/api/v1/audit.d.ts +14 -0
  116. package/dist/api/v1/audit.d.ts.map +1 -0
  117. package/dist/api/v1/audit.js +376 -0
  118. package/dist/api/v1/audit.js.map +1 -0
  119. package/dist/api/v1/auth.d.ts +17 -0
  120. package/dist/api/v1/auth.d.ts.map +1 -0
  121. package/dist/api/v1/auth.js +637 -0
  122. package/dist/api/v1/auth.js.map +1 -0
  123. package/dist/api/v1/compliance.d.ts +62 -0
  124. package/dist/api/v1/compliance.d.ts.map +1 -0
  125. package/dist/api/v1/compliance.js +858 -0
  126. package/dist/api/v1/compliance.js.map +1 -0
  127. package/dist/api/v1/constraints.d.ts +11 -0
  128. package/dist/api/v1/constraints.d.ts.map +1 -0
  129. package/dist/api/v1/constraints.js +71 -0
  130. package/dist/api/v1/constraints.js.map +1 -0
  131. package/dist/api/v1/dashboard.d.ts +224 -0
  132. package/dist/api/v1/dashboard.d.ts.map +1 -0
  133. package/dist/api/v1/dashboard.js +833 -0
  134. package/dist/api/v1/dashboard.js.map +1 -0
  135. package/dist/api/v1/docs.d.ts +11 -0
  136. package/dist/api/v1/docs.d.ts.map +1 -0
  137. package/dist/api/v1/docs.js +95 -0
  138. package/dist/api/v1/docs.js.map +1 -0
  139. package/dist/api/v1/escalations.d.ts +11 -0
  140. package/dist/api/v1/escalations.d.ts.map +1 -0
  141. package/dist/api/v1/escalations.js +857 -0
  142. package/dist/api/v1/escalations.js.map +1 -0
  143. package/dist/api/v1/gdpr.d.ts +11 -0
  144. package/dist/api/v1/gdpr.d.ts.map +1 -0
  145. package/dist/api/v1/gdpr.js +220 -0
  146. package/dist/api/v1/gdpr.js.map +1 -0
  147. package/dist/api/v1/health.d.ts +22 -0
  148. package/dist/api/v1/health.d.ts.map +1 -0
  149. package/dist/api/v1/health.js +512 -0
  150. package/dist/api/v1/health.js.map +1 -0
  151. package/dist/api/v1/index.d.ts +22 -0
  152. package/dist/api/v1/index.d.ts.map +1 -0
  153. package/dist/api/v1/index.js +81 -0
  154. package/dist/api/v1/index.js.map +1 -0
  155. package/dist/api/v1/intents.d.ts +11 -0
  156. package/dist/api/v1/intents.d.ts.map +1 -0
  157. package/dist/api/v1/intents.js +239 -0
  158. package/dist/api/v1/intents.js.map +1 -0
  159. package/dist/api/v1/operations.d.ts +21 -0
  160. package/dist/api/v1/operations.d.ts.map +1 -0
  161. package/dist/api/v1/operations.js +140 -0
  162. package/dist/api/v1/operations.js.map +1 -0
  163. package/dist/api/v1/policies.d.ts +11 -0
  164. package/dist/api/v1/policies.d.ts.map +1 -0
  165. package/dist/api/v1/policies.js +763 -0
  166. package/dist/api/v1/policies.js.map +1 -0
  167. package/dist/api/v1/proofs.d.ts +13 -0
  168. package/dist/api/v1/proofs.d.ts.map +1 -0
  169. package/dist/api/v1/proofs.js +239 -0
  170. package/dist/api/v1/proofs.js.map +1 -0
  171. package/dist/api/v1/security-dashboard.d.ts +1090 -0
  172. package/dist/api/v1/security-dashboard.d.ts.map +1 -0
  173. package/dist/api/v1/security-dashboard.js +755 -0
  174. package/dist/api/v1/security-dashboard.js.map +1 -0
  175. package/dist/api/v1/service-accounts.d.ts +16 -0
  176. package/dist/api/v1/service-accounts.d.ts.map +1 -0
  177. package/dist/api/v1/service-accounts.js +563 -0
  178. package/dist/api/v1/service-accounts.js.map +1 -0
  179. package/dist/api/v1/sessions.d.ts +36 -0
  180. package/dist/api/v1/sessions.d.ts.map +1 -0
  181. package/dist/api/v1/sessions.js +333 -0
  182. package/dist/api/v1/sessions.js.map +1 -0
  183. package/dist/api/v1/trust.d.ts +14 -0
  184. package/dist/api/v1/trust.d.ts.map +1 -0
  185. package/dist/api/v1/trust.js +578 -0
  186. package/dist/api/v1/trust.js.map +1 -0
  187. package/dist/api/v1/webhooks.d.ts +11 -0
  188. package/dist/api/v1/webhooks.d.ts.map +1 -0
  189. package/dist/api/v1/webhooks.js +250 -0
  190. package/dist/api/v1/webhooks.js.map +1 -0
  191. package/dist/api/v2/trust.d.ts +20 -0
  192. package/dist/api/v2/trust.d.ts.map +1 -0
  193. package/dist/api/v2/trust.js +362 -0
  194. package/dist/api/v2/trust.js.map +1 -0
  195. package/dist/api/validation.d.ts +243 -0
  196. package/dist/api/validation.d.ts.map +1 -0
  197. package/dist/api/validation.js +247 -0
  198. package/dist/api/validation.js.map +1 -0
  199. package/dist/api/versioning/backward-compat.d.ts +28 -0
  200. package/dist/api/versioning/backward-compat.d.ts.map +1 -0
  201. package/dist/api/versioning/backward-compat.js +161 -0
  202. package/dist/api/versioning/backward-compat.js.map +1 -0
  203. package/dist/api/versioning/index.d.ts +112 -0
  204. package/dist/api/versioning/index.d.ts.map +1 -0
  205. package/dist/api/versioning/index.js +199 -0
  206. package/dist/api/versioning/index.js.map +1 -0
  207. package/dist/audit/compliance-reporter.d.ts +271 -0
  208. package/dist/audit/compliance-reporter.d.ts.map +1 -0
  209. package/dist/audit/compliance-reporter.js +587 -0
  210. package/dist/audit/compliance-reporter.js.map +1 -0
  211. package/dist/audit/db-store.d.ts +689 -0
  212. package/dist/audit/db-store.d.ts.map +1 -0
  213. package/dist/audit/db-store.js +589 -0
  214. package/dist/audit/db-store.js.map +1 -0
  215. package/dist/audit/event-schema.d.ts +605 -0
  216. package/dist/audit/event-schema.d.ts.map +1 -0
  217. package/dist/audit/event-schema.js +566 -0
  218. package/dist/audit/event-schema.js.map +1 -0
  219. package/dist/audit/index.d.ts +16 -0
  220. package/dist/audit/index.d.ts.map +1 -0
  221. package/dist/audit/index.js +44 -0
  222. package/dist/audit/index.js.map +1 -0
  223. package/dist/audit/security-events.d.ts +1624 -0
  224. package/dist/audit/security-events.d.ts.map +1 -0
  225. package/dist/audit/security-events.js +775 -0
  226. package/dist/audit/security-events.js.map +1 -0
  227. package/dist/audit/security-logger.d.ts +288 -0
  228. package/dist/audit/security-logger.d.ts.map +1 -0
  229. package/dist/audit/security-logger.js +820 -0
  230. package/dist/audit/security-logger.js.map +1 -0
  231. package/dist/audit/service.d.ts +206 -0
  232. package/dist/audit/service.d.ts.map +1 -0
  233. package/dist/audit/service.js +756 -0
  234. package/dist/audit/service.js.map +1 -0
  235. package/dist/audit/siem/elastic.d.ts +94 -0
  236. package/dist/audit/siem/elastic.d.ts.map +1 -0
  237. package/dist/audit/siem/elastic.js +411 -0
  238. package/dist/audit/siem/elastic.js.map +1 -0
  239. package/dist/audit/siem/index.d.ts +179 -0
  240. package/dist/audit/siem/index.d.ts.map +1 -0
  241. package/dist/audit/siem/index.js +368 -0
  242. package/dist/audit/siem/index.js.map +1 -0
  243. package/dist/audit/siem/loki.d.ts +100 -0
  244. package/dist/audit/siem/loki.d.ts.map +1 -0
  245. package/dist/audit/siem/loki.js +405 -0
  246. package/dist/audit/siem/loki.js.map +1 -0
  247. package/dist/audit/siem/splunk.d.ts +91 -0
  248. package/dist/audit/siem/splunk.d.ts.map +1 -0
  249. package/dist/audit/siem/splunk.js +374 -0
  250. package/dist/audit/siem/splunk.js.map +1 -0
  251. package/dist/audit/siem/types.d.ts +547 -0
  252. package/dist/audit/siem/types.d.ts.map +1 -0
  253. package/dist/audit/siem/types.js +270 -0
  254. package/dist/audit/siem/types.js.map +1 -0
  255. package/dist/audit/types.d.ts +405 -0
  256. package/dist/audit/types.d.ts.map +1 -0
  257. package/dist/audit/types.js +121 -0
  258. package/dist/audit/types.js.map +1 -0
  259. package/dist/auth/mfa/index.d.ts +66 -0
  260. package/dist/auth/mfa/index.d.ts.map +1 -0
  261. package/dist/auth/mfa/index.js +15 -0
  262. package/dist/auth/mfa/index.js.map +1 -0
  263. package/dist/auth/mfa/totp.d.ts +221 -0
  264. package/dist/auth/mfa/totp.d.ts.map +1 -0
  265. package/dist/auth/mfa/totp.js +324 -0
  266. package/dist/auth/mfa/totp.js.map +1 -0
  267. package/dist/auth/mfa/webauthn.d.ts +224 -0
  268. package/dist/auth/mfa/webauthn.d.ts.map +1 -0
  269. package/dist/auth/mfa/webauthn.js +409 -0
  270. package/dist/auth/mfa/webauthn.js.map +1 -0
  271. package/dist/auth/sso/index.d.ts +247 -0
  272. package/dist/auth/sso/index.d.ts.map +1 -0
  273. package/dist/auth/sso/index.js +763 -0
  274. package/dist/auth/sso/index.js.map +1 -0
  275. package/dist/auth/sso/oidc-provider.d.ts +146 -0
  276. package/dist/auth/sso/oidc-provider.d.ts.map +1 -0
  277. package/dist/auth/sso/oidc-provider.js +589 -0
  278. package/dist/auth/sso/oidc-provider.js.map +1 -0
  279. package/dist/auth/sso/types.d.ts +488 -0
  280. package/dist/auth/sso/types.d.ts.map +1 -0
  281. package/dist/auth/sso/types.js +73 -0
  282. package/dist/auth/sso/types.js.map +1 -0
  283. package/dist/basis/evaluator.d.ts +70 -0
  284. package/dist/basis/evaluator.d.ts.map +1 -0
  285. package/dist/basis/evaluator.js +269 -0
  286. package/dist/basis/evaluator.js.map +1 -0
  287. package/dist/basis/expression-evaluator.d.ts +77 -0
  288. package/dist/basis/expression-evaluator.d.ts.map +1 -0
  289. package/dist/basis/expression-evaluator.js +826 -0
  290. package/dist/basis/expression-evaluator.js.map +1 -0
  291. package/dist/basis/index.d.ts +13 -0
  292. package/dist/basis/index.d.ts.map +1 -0
  293. package/dist/basis/index.js +13 -0
  294. package/dist/basis/index.js.map +1 -0
  295. package/dist/basis/parser.d.ts +376 -0
  296. package/dist/basis/parser.d.ts.map +1 -0
  297. package/dist/basis/parser.js +174 -0
  298. package/dist/basis/parser.js.map +1 -0
  299. package/dist/basis/types.d.ts +115 -0
  300. package/dist/basis/types.d.ts.map +1 -0
  301. package/dist/basis/types.js +5 -0
  302. package/dist/basis/types.js.map +1 -0
  303. package/dist/car-extensions/builtin-extensions/audit.d.ts +88 -0
  304. package/dist/car-extensions/builtin-extensions/audit.d.ts.map +1 -0
  305. package/dist/car-extensions/builtin-extensions/audit.js +444 -0
  306. package/dist/car-extensions/builtin-extensions/audit.js.map +1 -0
  307. package/dist/car-extensions/builtin-extensions/governance.d.ts +32 -0
  308. package/dist/car-extensions/builtin-extensions/governance.d.ts.map +1 -0
  309. package/dist/car-extensions/builtin-extensions/governance.js +533 -0
  310. package/dist/car-extensions/builtin-extensions/governance.js.map +1 -0
  311. package/dist/car-extensions/builtin-extensions/monitoring.d.ts +43 -0
  312. package/dist/car-extensions/builtin-extensions/monitoring.d.ts.map +1 -0
  313. package/dist/car-extensions/builtin-extensions/monitoring.js +416 -0
  314. package/dist/car-extensions/builtin-extensions/monitoring.js.map +1 -0
  315. package/dist/car-extensions/car-string-extensions.d.ts +334 -0
  316. package/dist/car-extensions/car-string-extensions.d.ts.map +1 -0
  317. package/dist/car-extensions/car-string-extensions.js +435 -0
  318. package/dist/car-extensions/car-string-extensions.js.map +1 -0
  319. package/dist/car-extensions/executor.d.ts +208 -0
  320. package/dist/car-extensions/executor.d.ts.map +1 -0
  321. package/dist/car-extensions/executor.js +789 -0
  322. package/dist/car-extensions/executor.js.map +1 -0
  323. package/dist/car-extensions/index.d.ts +94 -0
  324. package/dist/car-extensions/index.d.ts.map +1 -0
  325. package/dist/car-extensions/index.js +157 -0
  326. package/dist/car-extensions/index.js.map +1 -0
  327. package/dist/car-extensions/registry.d.ts +217 -0
  328. package/dist/car-extensions/registry.d.ts.map +1 -0
  329. package/dist/car-extensions/registry.js +443 -0
  330. package/dist/car-extensions/registry.js.map +1 -0
  331. package/dist/car-extensions/service.d.ts +220 -0
  332. package/dist/car-extensions/service.d.ts.map +1 -0
  333. package/dist/car-extensions/service.js +484 -0
  334. package/dist/car-extensions/service.js.map +1 -0
  335. package/dist/car-extensions/types.d.ts +2265 -0
  336. package/dist/car-extensions/types.d.ts.map +1 -0
  337. package/dist/car-extensions/types.js +389 -0
  338. package/dist/car-extensions/types.js.map +1 -0
  339. package/dist/cognigate/index.d.ts +139 -0
  340. package/dist/cognigate/index.d.ts.map +1 -0
  341. package/dist/cognigate/index.js +404 -0
  342. package/dist/cognigate/index.js.map +1 -0
  343. package/dist/cognigate/lua-scripts.d.ts +96 -0
  344. package/dist/cognigate/lua-scripts.d.ts.map +1 -0
  345. package/dist/cognigate/lua-scripts.js +264 -0
  346. package/dist/cognigate/lua-scripts.js.map +1 -0
  347. package/dist/cognigate/metrics.d.ts +112 -0
  348. package/dist/cognigate/metrics.d.ts.map +1 -0
  349. package/dist/cognigate/metrics.js +229 -0
  350. package/dist/cognigate/metrics.js.map +1 -0
  351. package/dist/cognigate/output-integration.d.ts +86 -0
  352. package/dist/cognigate/output-integration.d.ts.map +1 -0
  353. package/dist/cognigate/output-integration.js +184 -0
  354. package/dist/cognigate/output-integration.js.map +1 -0
  355. package/dist/cognigate/resource-interceptors.d.ts +77 -0
  356. package/dist/cognigate/resource-interceptors.d.ts.map +1 -0
  357. package/dist/cognigate/resource-interceptors.js +143 -0
  358. package/dist/cognigate/resource-interceptors.js.map +1 -0
  359. package/dist/cognigate/resource-state-provider.d.ts +103 -0
  360. package/dist/cognigate/resource-state-provider.d.ts.map +1 -0
  361. package/dist/cognigate/resource-state-provider.js +195 -0
  362. package/dist/cognigate/resource-state-provider.js.map +1 -0
  363. package/dist/cognigate/resource-tracker.d.ts +85 -0
  364. package/dist/cognigate/resource-tracker.d.ts.map +1 -0
  365. package/dist/cognigate/resource-tracker.js +216 -0
  366. package/dist/cognigate/resource-tracker.js.map +1 -0
  367. package/dist/cognigate/types.d.ts +199 -0
  368. package/dist/cognigate/types.d.ts.map +1 -0
  369. package/dist/cognigate/types.js +11 -0
  370. package/dist/cognigate/types.js.map +1 -0
  371. package/dist/common/adapters/index.d.ts +34 -0
  372. package/dist/common/adapters/index.d.ts.map +1 -0
  373. package/dist/common/adapters/index.js +46 -0
  374. package/dist/common/adapters/index.js.map +1 -0
  375. package/dist/common/adapters/memory-cache.d.ts +91 -0
  376. package/dist/common/adapters/memory-cache.d.ts.map +1 -0
  377. package/dist/common/adapters/memory-cache.js +201 -0
  378. package/dist/common/adapters/memory-cache.js.map +1 -0
  379. package/dist/common/adapters/memory-lock.d.ts +75 -0
  380. package/dist/common/adapters/memory-lock.d.ts.map +1 -0
  381. package/dist/common/adapters/memory-lock.js +219 -0
  382. package/dist/common/adapters/memory-lock.js.map +1 -0
  383. package/dist/common/adapters/memory-queue.d.ts +64 -0
  384. package/dist/common/adapters/memory-queue.d.ts.map +1 -0
  385. package/dist/common/adapters/memory-queue.js +233 -0
  386. package/dist/common/adapters/memory-queue.js.map +1 -0
  387. package/dist/common/adapters/memory-ratelimit.d.ts +78 -0
  388. package/dist/common/adapters/memory-ratelimit.d.ts.map +1 -0
  389. package/dist/common/adapters/memory-ratelimit.js +196 -0
  390. package/dist/common/adapters/memory-ratelimit.js.map +1 -0
  391. package/dist/common/adapters/memory-session.d.ts +105 -0
  392. package/dist/common/adapters/memory-session.d.ts.map +1 -0
  393. package/dist/common/adapters/memory-session.js +302 -0
  394. package/dist/common/adapters/memory-session.js.map +1 -0
  395. package/dist/common/adapters/provider.d.ts +47 -0
  396. package/dist/common/adapters/provider.d.ts.map +1 -0
  397. package/dist/common/adapters/provider.js +347 -0
  398. package/dist/common/adapters/provider.js.map +1 -0
  399. package/dist/common/adapters/types.d.ts +247 -0
  400. package/dist/common/adapters/types.d.ts.map +1 -0
  401. package/dist/common/adapters/types.js +11 -0
  402. package/dist/common/adapters/types.js.map +1 -0
  403. package/dist/common/authorization.d.ts +137 -0
  404. package/dist/common/authorization.d.ts.map +1 -0
  405. package/dist/common/authorization.js +270 -0
  406. package/dist/common/authorization.js.map +1 -0
  407. package/dist/common/canonical-bridge.d.ts +151 -0
  408. package/dist/common/canonical-bridge.d.ts.map +1 -0
  409. package/dist/common/canonical-bridge.js +231 -0
  410. package/dist/common/canonical-bridge.js.map +1 -0
  411. package/dist/common/canonical-json.d.ts +64 -0
  412. package/dist/common/canonical-json.d.ts.map +1 -0
  413. package/dist/common/canonical-json.js +95 -0
  414. package/dist/common/canonical-json.js.map +1 -0
  415. package/dist/common/circuit-breaker.d.ts +320 -0
  416. package/dist/common/circuit-breaker.d.ts.map +1 -0
  417. package/dist/common/circuit-breaker.js +850 -0
  418. package/dist/common/circuit-breaker.js.map +1 -0
  419. package/dist/common/config.d.ts +1678 -0
  420. package/dist/common/config.d.ts.map +1 -0
  421. package/dist/common/config.js +1057 -0
  422. package/dist/common/config.js.map +1 -0
  423. package/dist/common/contracts/index.d.ts +2 -0
  424. package/dist/common/contracts/index.d.ts.map +1 -0
  425. package/dist/common/contracts/index.js +2 -0
  426. package/dist/common/contracts/index.js.map +1 -0
  427. package/dist/common/contracts/output.d.ts +81 -0
  428. package/dist/common/contracts/output.d.ts.map +1 -0
  429. package/dist/common/contracts/output.js +38 -0
  430. package/dist/common/contracts/output.js.map +1 -0
  431. package/dist/common/crypto.d.ts +70 -0
  432. package/dist/common/crypto.d.ts.map +1 -0
  433. package/dist/common/crypto.js +201 -0
  434. package/dist/common/crypto.js.map +1 -0
  435. package/dist/common/database-resilience.d.ts +156 -0
  436. package/dist/common/database-resilience.d.ts.map +1 -0
  437. package/dist/common/database-resilience.js +269 -0
  438. package/dist/common/database-resilience.js.map +1 -0
  439. package/dist/common/db-metrics.d.ts +90 -0
  440. package/dist/common/db-metrics.d.ts.map +1 -0
  441. package/dist/common/db-metrics.js +219 -0
  442. package/dist/common/db-metrics.js.map +1 -0
  443. package/dist/common/db-pool.d.ts +307 -0
  444. package/dist/common/db-pool.d.ts.map +1 -0
  445. package/dist/common/db-pool.js +879 -0
  446. package/dist/common/db-pool.js.map +1 -0
  447. package/dist/common/db.d.ts +105 -0
  448. package/dist/common/db.d.ts.map +1 -0
  449. package/dist/common/db.js +216 -0
  450. package/dist/common/db.js.map +1 -0
  451. package/dist/common/di.d.ts +202 -0
  452. package/dist/common/di.d.ts.map +1 -0
  453. package/dist/common/di.js +219 -0
  454. package/dist/common/di.js.map +1 -0
  455. package/dist/common/encryption.d.ts +131 -0
  456. package/dist/common/encryption.d.ts.map +1 -0
  457. package/dist/common/encryption.js +255 -0
  458. package/dist/common/encryption.js.map +1 -0
  459. package/dist/common/errors.d.ts +229 -0
  460. package/dist/common/errors.d.ts.map +1 -0
  461. package/dist/common/errors.js +349 -0
  462. package/dist/common/errors.js.map +1 -0
  463. package/dist/common/expression/evaluator.d.ts +58 -0
  464. package/dist/common/expression/evaluator.d.ts.map +1 -0
  465. package/dist/common/expression/evaluator.js +326 -0
  466. package/dist/common/expression/evaluator.js.map +1 -0
  467. package/dist/common/expression/index.d.ts +180 -0
  468. package/dist/common/expression/index.d.ts.map +1 -0
  469. package/dist/common/expression/index.js +198 -0
  470. package/dist/common/expression/index.js.map +1 -0
  471. package/dist/common/expression/lexer.d.ts +69 -0
  472. package/dist/common/expression/lexer.d.ts.map +1 -0
  473. package/dist/common/expression/lexer.js +255 -0
  474. package/dist/common/expression/lexer.js.map +1 -0
  475. package/dist/common/expression/parser.d.ts +133 -0
  476. package/dist/common/expression/parser.d.ts.map +1 -0
  477. package/dist/common/expression/parser.js +293 -0
  478. package/dist/common/expression/parser.js.map +1 -0
  479. package/dist/common/group-membership.d.ts +119 -0
  480. package/dist/common/group-membership.d.ts.map +1 -0
  481. package/dist/common/group-membership.js +250 -0
  482. package/dist/common/group-membership.js.map +1 -0
  483. package/dist/common/index.d.ts +14 -0
  484. package/dist/common/index.d.ts.map +1 -0
  485. package/dist/common/index.js +15 -0
  486. package/dist/common/index.js.map +1 -0
  487. package/dist/common/leader-election.d.ts +40 -0
  488. package/dist/common/leader-election.d.ts.map +1 -0
  489. package/dist/common/leader-election.js +232 -0
  490. package/dist/common/leader-election.js.map +1 -0
  491. package/dist/common/lock.d.ts +77 -0
  492. package/dist/common/lock.d.ts.map +1 -0
  493. package/dist/common/lock.js +167 -0
  494. package/dist/common/lock.js.map +1 -0
  495. package/dist/common/logger.d.ts +19 -0
  496. package/dist/common/logger.d.ts.map +1 -0
  497. package/dist/common/logger.js +80 -0
  498. package/dist/common/logger.js.map +1 -0
  499. package/dist/common/metrics-registry.d.ts +48 -0
  500. package/dist/common/metrics-registry.d.ts.map +1 -0
  501. package/dist/common/metrics-registry.js +77 -0
  502. package/dist/common/metrics-registry.js.map +1 -0
  503. package/dist/common/metrics.d.ts +227 -0
  504. package/dist/common/metrics.d.ts.map +1 -0
  505. package/dist/common/metrics.js +524 -0
  506. package/dist/common/metrics.js.map +1 -0
  507. package/dist/common/operation-tracker.d.ts +137 -0
  508. package/dist/common/operation-tracker.d.ts.map +1 -0
  509. package/dist/common/operation-tracker.js +366 -0
  510. package/dist/common/operation-tracker.js.map +1 -0
  511. package/dist/common/provenance/chain.d.ts +54 -0
  512. package/dist/common/provenance/chain.d.ts.map +1 -0
  513. package/dist/common/provenance/chain.js +252 -0
  514. package/dist/common/provenance/chain.js.map +1 -0
  515. package/dist/common/provenance/index.d.ts +14 -0
  516. package/dist/common/provenance/index.d.ts.map +1 -0
  517. package/dist/common/provenance/index.js +19 -0
  518. package/dist/common/provenance/index.js.map +1 -0
  519. package/dist/common/provenance/query.d.ts +111 -0
  520. package/dist/common/provenance/query.d.ts.map +1 -0
  521. package/dist/common/provenance/query.js +310 -0
  522. package/dist/common/provenance/query.js.map +1 -0
  523. package/dist/common/provenance/storage.d.ts +297 -0
  524. package/dist/common/provenance/storage.d.ts.map +1 -0
  525. package/dist/common/provenance/storage.js +436 -0
  526. package/dist/common/provenance/storage.js.map +1 -0
  527. package/dist/common/provenance/tracker.d.ts +57 -0
  528. package/dist/common/provenance/tracker.d.ts.map +1 -0
  529. package/dist/common/provenance/tracker.js +209 -0
  530. package/dist/common/provenance/tracker.js.map +1 -0
  531. package/dist/common/provenance/types.d.ts +146 -0
  532. package/dist/common/provenance/types.d.ts.map +1 -0
  533. package/dist/common/provenance/types.js +10 -0
  534. package/dist/common/provenance/types.js.map +1 -0
  535. package/dist/common/random.d.ts +84 -0
  536. package/dist/common/random.d.ts.map +1 -0
  537. package/dist/common/random.js +130 -0
  538. package/dist/common/random.js.map +1 -0
  539. package/dist/common/redaction.d.ts +49 -0
  540. package/dist/common/redaction.d.ts.map +1 -0
  541. package/dist/common/redaction.js +217 -0
  542. package/dist/common/redaction.js.map +1 -0
  543. package/dist/common/redis-cluster.d.ts +538 -0
  544. package/dist/common/redis-cluster.d.ts.map +1 -0
  545. package/dist/common/redis-cluster.js +1539 -0
  546. package/dist/common/redis-cluster.js.map +1 -0
  547. package/dist/common/redis-resilience.d.ts +270 -0
  548. package/dist/common/redis-resilience.d.ts.map +1 -0
  549. package/dist/common/redis-resilience.js +586 -0
  550. package/dist/common/redis-resilience.js.map +1 -0
  551. package/dist/common/redis.d.ts +19 -0
  552. package/dist/common/redis.d.ts.map +1 -0
  553. package/dist/common/redis.js +73 -0
  554. package/dist/common/redis.js.map +1 -0
  555. package/dist/common/secret-generator.d.ts +142 -0
  556. package/dist/common/secret-generator.d.ts.map +1 -0
  557. package/dist/common/secret-generator.js +286 -0
  558. package/dist/common/secret-generator.js.map +1 -0
  559. package/dist/common/security-mode.d.ts +101 -0
  560. package/dist/common/security-mode.d.ts.map +1 -0
  561. package/dist/common/security-mode.js +304 -0
  562. package/dist/common/security-mode.js.map +1 -0
  563. package/dist/common/telemetry/index.d.ts +82 -0
  564. package/dist/common/telemetry/index.d.ts.map +1 -0
  565. package/dist/common/telemetry/index.js +198 -0
  566. package/dist/common/telemetry/index.js.map +1 -0
  567. package/dist/common/telemetry/instrumentation.d.ts +167 -0
  568. package/dist/common/telemetry/instrumentation.d.ts.map +1 -0
  569. package/dist/common/telemetry/instrumentation.js +492 -0
  570. package/dist/common/telemetry/instrumentation.js.map +1 -0
  571. package/dist/common/telemetry/metrics-bridge.d.ts +227 -0
  572. package/dist/common/telemetry/metrics-bridge.d.ts.map +1 -0
  573. package/dist/common/telemetry/metrics-bridge.js +437 -0
  574. package/dist/common/telemetry/metrics-bridge.js.map +1 -0
  575. package/dist/common/telemetry/middleware.d.ts +114 -0
  576. package/dist/common/telemetry/middleware.d.ts.map +1 -0
  577. package/dist/common/telemetry/middleware.js +353 -0
  578. package/dist/common/telemetry/middleware.js.map +1 -0
  579. package/dist/common/telemetry/propagation.d.ts +221 -0
  580. package/dist/common/telemetry/propagation.d.ts.map +1 -0
  581. package/dist/common/telemetry/propagation.js +409 -0
  582. package/dist/common/telemetry/propagation.js.map +1 -0
  583. package/dist/common/telemetry/spans.d.ts +295 -0
  584. package/dist/common/telemetry/spans.d.ts.map +1 -0
  585. package/dist/common/telemetry/spans.js +439 -0
  586. package/dist/common/telemetry/spans.js.map +1 -0
  587. package/dist/common/telemetry/tracer.d.ts +155 -0
  588. package/dist/common/telemetry/tracer.d.ts.map +1 -0
  589. package/dist/common/telemetry/tracer.js +343 -0
  590. package/dist/common/telemetry/tracer.js.map +1 -0
  591. package/dist/common/telemetry.d.ts +15 -0
  592. package/dist/common/telemetry.d.ts.map +1 -0
  593. package/dist/common/telemetry.js +61 -0
  594. package/dist/common/telemetry.js.map +1 -0
  595. package/dist/common/tenant-verification.d.ts +86 -0
  596. package/dist/common/tenant-verification.d.ts.map +1 -0
  597. package/dist/common/tenant-verification.js +184 -0
  598. package/dist/common/tenant-verification.js.map +1 -0
  599. package/dist/common/timeout.d.ts +40 -0
  600. package/dist/common/timeout.d.ts.map +1 -0
  601. package/dist/common/timeout.js +82 -0
  602. package/dist/common/timeout.js.map +1 -0
  603. package/dist/common/token-revocation.d.ts +44 -0
  604. package/dist/common/token-revocation.d.ts.map +1 -0
  605. package/dist/common/token-revocation.js +169 -0
  606. package/dist/common/token-revocation.js.map +1 -0
  607. package/dist/common/trace.d.ts +149 -0
  608. package/dist/common/trace.d.ts.map +1 -0
  609. package/dist/common/trace.js +328 -0
  610. package/dist/common/trace.js.map +1 -0
  611. package/dist/common/trust-cache.d.ts +263 -0
  612. package/dist/common/trust-cache.d.ts.map +1 -0
  613. package/dist/common/trust-cache.js +670 -0
  614. package/dist/common/trust-cache.js.map +1 -0
  615. package/dist/common/types.d.ts +328 -0
  616. package/dist/common/types.d.ts.map +1 -0
  617. package/dist/common/types.js +55 -0
  618. package/dist/common/types.js.map +1 -0
  619. package/dist/common/validation.d.ts +113 -0
  620. package/dist/common/validation.d.ts.map +1 -0
  621. package/dist/common/validation.js +221 -0
  622. package/dist/common/validation.js.map +1 -0
  623. package/dist/compliance/export/evidence-collector.d.ts +252 -0
  624. package/dist/compliance/export/evidence-collector.d.ts.map +1 -0
  625. package/dist/compliance/export/evidence-collector.js +488 -0
  626. package/dist/compliance/export/evidence-collector.js.map +1 -0
  627. package/dist/compliance/export/hash-verifier.d.ts +181 -0
  628. package/dist/compliance/export/hash-verifier.d.ts.map +1 -0
  629. package/dist/compliance/export/hash-verifier.js +425 -0
  630. package/dist/compliance/export/hash-verifier.js.map +1 -0
  631. package/dist/compliance/export/index.d.ts +14 -0
  632. package/dist/compliance/export/index.d.ts.map +1 -0
  633. package/dist/compliance/export/index.js +41 -0
  634. package/dist/compliance/export/index.js.map +1 -0
  635. package/dist/compliance/export/report-generator.d.ts +264 -0
  636. package/dist/compliance/export/report-generator.d.ts.map +1 -0
  637. package/dist/compliance/export/report-generator.js +890 -0
  638. package/dist/compliance/export/report-generator.js.map +1 -0
  639. package/dist/compliance/export/scheduled-exports.d.ts +256 -0
  640. package/dist/compliance/export/scheduled-exports.d.ts.map +1 -0
  641. package/dist/compliance/export/scheduled-exports.js +545 -0
  642. package/dist/compliance/export/scheduled-exports.js.map +1 -0
  643. package/dist/compliance/export/service.d.ts +191 -0
  644. package/dist/compliance/export/service.d.ts.map +1 -0
  645. package/dist/compliance/export/service.js +382 -0
  646. package/dist/compliance/export/service.js.map +1 -0
  647. package/dist/compliance/fedramp/assessment.d.ts +654 -0
  648. package/dist/compliance/fedramp/assessment.d.ts.map +1 -0
  649. package/dist/compliance/fedramp/assessment.js +721 -0
  650. package/dist/compliance/fedramp/assessment.js.map +1 -0
  651. package/dist/compliance/fedramp/boundary.d.ts +932 -0
  652. package/dist/compliance/fedramp/boundary.d.ts.map +1 -0
  653. package/dist/compliance/fedramp/boundary.js +645 -0
  654. package/dist/compliance/fedramp/boundary.js.map +1 -0
  655. package/dist/compliance/fedramp/continuous-monitoring.d.ts +705 -0
  656. package/dist/compliance/fedramp/continuous-monitoring.d.ts.map +1 -0
  657. package/dist/compliance/fedramp/continuous-monitoring.js +616 -0
  658. package/dist/compliance/fedramp/continuous-monitoring.js.map +1 -0
  659. package/dist/compliance/fedramp/controls.d.ts +128 -0
  660. package/dist/compliance/fedramp/controls.d.ts.map +1 -0
  661. package/dist/compliance/fedramp/controls.js +1110 -0
  662. package/dist/compliance/fedramp/controls.js.map +1 -0
  663. package/dist/compliance/fedramp/incident-reporting.d.ts +1001 -0
  664. package/dist/compliance/fedramp/incident-reporting.d.ts.map +1 -0
  665. package/dist/compliance/fedramp/incident-reporting.js +764 -0
  666. package/dist/compliance/fedramp/incident-reporting.js.map +1 -0
  667. package/dist/compliance/fedramp/index.d.ts +87 -0
  668. package/dist/compliance/fedramp/index.d.ts.map +1 -0
  669. package/dist/compliance/fedramp/index.js +192 -0
  670. package/dist/compliance/fedramp/index.js.map +1 -0
  671. package/dist/compliance/fedramp/metrics.d.ts +288 -0
  672. package/dist/compliance/fedramp/metrics.d.ts.map +1 -0
  673. package/dist/compliance/fedramp/metrics.js +560 -0
  674. package/dist/compliance/fedramp/metrics.js.map +1 -0
  675. package/dist/compliance/fedramp/poam.d.ts +635 -0
  676. package/dist/compliance/fedramp/poam.d.ts.map +1 -0
  677. package/dist/compliance/fedramp/poam.js +602 -0
  678. package/dist/compliance/fedramp/poam.js.map +1 -0
  679. package/dist/compliance/fedramp/ssp-generator.d.ts +368 -0
  680. package/dist/compliance/fedramp/ssp-generator.d.ts.map +1 -0
  681. package/dist/compliance/fedramp/ssp-generator.js +543 -0
  682. package/dist/compliance/fedramp/ssp-generator.js.map +1 -0
  683. package/dist/compliance/frameworks/nist-800-53.d.ts +35 -0
  684. package/dist/compliance/frameworks/nist-800-53.d.ts.map +1 -0
  685. package/dist/compliance/frameworks/nist-800-53.js +892 -0
  686. package/dist/compliance/frameworks/nist-800-53.js.map +1 -0
  687. package/dist/compliance/frameworks/pci-dss.d.ts +407 -0
  688. package/dist/compliance/frameworks/pci-dss.d.ts.map +1 -0
  689. package/dist/compliance/frameworks/pci-dss.js +1873 -0
  690. package/dist/compliance/frameworks/pci-dss.js.map +1 -0
  691. package/dist/compliance/frameworks/soc2.d.ts +42 -0
  692. package/dist/compliance/frameworks/soc2.d.ts.map +1 -0
  693. package/dist/compliance/frameworks/soc2.js +669 -0
  694. package/dist/compliance/frameworks/soc2.js.map +1 -0
  695. package/dist/compliance/gdpr/data-transfers.d.ts +493 -0
  696. package/dist/compliance/gdpr/data-transfers.d.ts.map +1 -0
  697. package/dist/compliance/gdpr/data-transfers.js +1242 -0
  698. package/dist/compliance/gdpr/data-transfers.js.map +1 -0
  699. package/dist/compliance/gdpr/index.d.ts +7 -0
  700. package/dist/compliance/gdpr/index.d.ts.map +1 -0
  701. package/dist/compliance/gdpr/index.js +7 -0
  702. package/dist/compliance/gdpr/index.js.map +1 -0
  703. package/dist/compliance/index.d.ts +148 -0
  704. package/dist/compliance/index.d.ts.map +1 -0
  705. package/dist/compliance/index.js +532 -0
  706. package/dist/compliance/index.js.map +1 -0
  707. package/dist/compliance/reports.d.ts +141 -0
  708. package/dist/compliance/reports.d.ts.map +1 -0
  709. package/dist/compliance/reports.js +495 -0
  710. package/dist/compliance/reports.js.map +1 -0
  711. package/dist/compliance/retention/index.d.ts +19 -0
  712. package/dist/compliance/retention/index.d.ts.map +1 -0
  713. package/dist/compliance/retention/index.js +46 -0
  714. package/dist/compliance/retention/index.js.map +1 -0
  715. package/dist/compliance/retention/retention-enforcer.d.ts +128 -0
  716. package/dist/compliance/retention/retention-enforcer.d.ts.map +1 -0
  717. package/dist/compliance/retention/retention-enforcer.js +695 -0
  718. package/dist/compliance/retention/retention-enforcer.js.map +1 -0
  719. package/dist/compliance/retention/retention-policy.d.ts +307 -0
  720. package/dist/compliance/retention/retention-policy.d.ts.map +1 -0
  721. package/dist/compliance/retention/retention-policy.js +102 -0
  722. package/dist/compliance/retention/retention-policy.js.map +1 -0
  723. package/dist/compliance/retention/retention-scheduler.d.ts +124 -0
  724. package/dist/compliance/retention/retention-scheduler.d.ts.map +1 -0
  725. package/dist/compliance/retention/retention-scheduler.js +391 -0
  726. package/dist/compliance/retention/retention-scheduler.js.map +1 -0
  727. package/dist/compliance/types.d.ts +1162 -0
  728. package/dist/compliance/types.d.ts.map +1 -0
  729. package/dist/compliance/types.js +191 -0
  730. package/dist/compliance/types.js.map +1 -0
  731. package/dist/db/migration-checker.d.ts +183 -0
  732. package/dist/db/migration-checker.d.ts.map +1 -0
  733. package/dist/db/migration-checker.js +680 -0
  734. package/dist/db/migration-checker.js.map +1 -0
  735. package/dist/db/schema/api-keys.d.ts +506 -0
  736. package/dist/db/schema/api-keys.d.ts.map +1 -0
  737. package/dist/db/schema/api-keys.js +98 -0
  738. package/dist/db/schema/api-keys.js.map +1 -0
  739. package/dist/db/schema/escalations.d.ts +554 -0
  740. package/dist/db/schema/escalations.d.ts.map +1 -0
  741. package/dist/db/schema/escalations.js +97 -0
  742. package/dist/db/schema/escalations.js.map +1 -0
  743. package/dist/db/schema/index.d.ts +19 -0
  744. package/dist/db/schema/index.d.ts.map +1 -0
  745. package/dist/db/schema/index.js +19 -0
  746. package/dist/db/schema/index.js.map +1 -0
  747. package/dist/db/schema/intents.d.ts +535 -0
  748. package/dist/db/schema/intents.d.ts.map +1 -0
  749. package/dist/db/schema/intents.js +90 -0
  750. package/dist/db/schema/intents.js.map +1 -0
  751. package/dist/db/schema/merkle.d.ts +475 -0
  752. package/dist/db/schema/merkle.d.ts.map +1 -0
  753. package/dist/db/schema/merkle.js +100 -0
  754. package/dist/db/schema/merkle.js.map +1 -0
  755. package/dist/db/schema/operations.d.ts +256 -0
  756. package/dist/db/schema/operations.d.ts.map +1 -0
  757. package/dist/db/schema/operations.js +65 -0
  758. package/dist/db/schema/operations.js.map +1 -0
  759. package/dist/db/schema/policy-versions.d.ts +149 -0
  760. package/dist/db/schema/policy-versions.d.ts.map +1 -0
  761. package/dist/db/schema/policy-versions.js +40 -0
  762. package/dist/db/schema/policy-versions.js.map +1 -0
  763. package/dist/db/schema/proofs.d.ts +412 -0
  764. package/dist/db/schema/proofs.d.ts.map +1 -0
  765. package/dist/db/schema/proofs.js +63 -0
  766. package/dist/db/schema/proofs.js.map +1 -0
  767. package/dist/db/schema/service-accounts.d.ts +783 -0
  768. package/dist/db/schema/service-accounts.d.ts.map +1 -0
  769. package/dist/db/schema/service-accounts.js +176 -0
  770. package/dist/db/schema/service-accounts.js.map +1 -0
  771. package/dist/db/schema/trust.d.ts +593 -0
  772. package/dist/db/schema/trust.d.ts.map +1 -0
  773. package/dist/db/schema/trust.js +98 -0
  774. package/dist/db/schema/trust.js.map +1 -0
  775. package/dist/db/schema/users.d.ts +487 -0
  776. package/dist/db/schema/users.d.ts.map +1 -0
  777. package/dist/db/schema/users.js +133 -0
  778. package/dist/db/schema/users.js.map +1 -0
  779. package/dist/db/schema/webhooks.d.ts +382 -0
  780. package/dist/db/schema/webhooks.d.ts.map +1 -0
  781. package/dist/db/schema/webhooks.js +91 -0
  782. package/dist/db/schema/webhooks.js.map +1 -0
  783. package/dist/enforce/constraint-evaluator.d.ts +385 -0
  784. package/dist/enforce/constraint-evaluator.d.ts.map +1 -0
  785. package/dist/enforce/constraint-evaluator.js +648 -0
  786. package/dist/enforce/constraint-evaluator.js.map +1 -0
  787. package/dist/enforce/decision-aggregator.d.ts +269 -0
  788. package/dist/enforce/decision-aggregator.d.ts.map +1 -0
  789. package/dist/enforce/decision-aggregator.js +560 -0
  790. package/dist/enforce/decision-aggregator.js.map +1 -0
  791. package/dist/enforce/escalation-rules.d.ts +411 -0
  792. package/dist/enforce/escalation-rules.d.ts.map +1 -0
  793. package/dist/enforce/escalation-rules.js +681 -0
  794. package/dist/enforce/escalation-rules.js.map +1 -0
  795. package/dist/enforce/index.d.ts +175 -0
  796. package/dist/enforce/index.d.ts.map +1 -0
  797. package/dist/enforce/index.js +402 -0
  798. package/dist/enforce/index.js.map +1 -0
  799. package/dist/enforce/policy-engine.d.ts +390 -0
  800. package/dist/enforce/policy-engine.d.ts.map +1 -0
  801. package/dist/enforce/policy-engine.js +652 -0
  802. package/dist/enforce/policy-engine.js.map +1 -0
  803. package/dist/enforce/runtime-config.d.ts +387 -0
  804. package/dist/enforce/runtime-config.d.ts.map +1 -0
  805. package/dist/enforce/runtime-config.js +709 -0
  806. package/dist/enforce/runtime-config.js.map +1 -0
  807. package/dist/index.d.ts +63 -0
  808. package/dist/index.d.ts.map +1 -0
  809. package/dist/index.js +74 -0
  810. package/dist/index.js.map +1 -0
  811. package/dist/intent/audit.d.ts +119 -0
  812. package/dist/intent/audit.d.ts.map +1 -0
  813. package/dist/intent/audit.js +457 -0
  814. package/dist/intent/audit.js.map +1 -0
  815. package/dist/intent/classifier/index.d.ts +121 -0
  816. package/dist/intent/classifier/index.d.ts.map +1 -0
  817. package/dist/intent/classifier/index.js +232 -0
  818. package/dist/intent/classifier/index.js.map +1 -0
  819. package/dist/intent/classifier/patterns.d.ts +129 -0
  820. package/dist/intent/classifier/patterns.d.ts.map +1 -0
  821. package/dist/intent/classifier/patterns.js +471 -0
  822. package/dist/intent/classifier/patterns.js.map +1 -0
  823. package/dist/intent/classifier/risk.d.ts +177 -0
  824. package/dist/intent/classifier/risk.d.ts.map +1 -0
  825. package/dist/intent/classifier/risk.js +335 -0
  826. package/dist/intent/classifier/risk.js.map +1 -0
  827. package/dist/intent/cleanup.d.ts +24 -0
  828. package/dist/intent/cleanup.d.ts.map +1 -0
  829. package/dist/intent/cleanup.js +104 -0
  830. package/dist/intent/cleanup.js.map +1 -0
  831. package/dist/intent/consent.d.ts +238 -0
  832. package/dist/intent/consent.d.ts.map +1 -0
  833. package/dist/intent/consent.js +427 -0
  834. package/dist/intent/consent.js.map +1 -0
  835. package/dist/intent/escalation.d.ts +208 -0
  836. package/dist/intent/escalation.d.ts.map +1 -0
  837. package/dist/intent/escalation.js +550 -0
  838. package/dist/intent/escalation.js.map +1 -0
  839. package/dist/intent/gdpr.d.ts +245 -0
  840. package/dist/intent/gdpr.d.ts.map +1 -0
  841. package/dist/intent/gdpr.js +580 -0
  842. package/dist/intent/gdpr.js.map +1 -0
  843. package/dist/intent/health.d.ts +214 -0
  844. package/dist/intent/health.d.ts.map +1 -0
  845. package/dist/intent/health.js +526 -0
  846. package/dist/intent/health.js.map +1 -0
  847. package/dist/intent/index.d.ts +447 -0
  848. package/dist/intent/index.d.ts.map +1 -0
  849. package/dist/intent/index.js +685 -0
  850. package/dist/intent/index.js.map +1 -0
  851. package/dist/intent/metrics.d.ts +391 -0
  852. package/dist/intent/metrics.d.ts.map +1 -0
  853. package/dist/intent/metrics.js +885 -0
  854. package/dist/intent/metrics.js.map +1 -0
  855. package/dist/intent/openapi.d.ts +22 -0
  856. package/dist/intent/openapi.d.ts.map +1 -0
  857. package/dist/intent/openapi.js +1674 -0
  858. package/dist/intent/openapi.js.map +1 -0
  859. package/dist/intent/planner/dependency.d.ts +78 -0
  860. package/dist/intent/planner/dependency.d.ts.map +1 -0
  861. package/dist/intent/planner/dependency.js +334 -0
  862. package/dist/intent/planner/dependency.js.map +1 -0
  863. package/dist/intent/planner/index.d.ts +157 -0
  864. package/dist/intent/planner/index.d.ts.map +1 -0
  865. package/dist/intent/planner/index.js +372 -0
  866. package/dist/intent/planner/index.js.map +1 -0
  867. package/dist/intent/planner/rollback.d.ts +92 -0
  868. package/dist/intent/planner/rollback.d.ts.map +1 -0
  869. package/dist/intent/planner/rollback.js +326 -0
  870. package/dist/intent/planner/rollback.js.map +1 -0
  871. package/dist/intent/planner/templates.d.ts +81 -0
  872. package/dist/intent/planner/templates.d.ts.map +1 -0
  873. package/dist/intent/planner/templates.js +560 -0
  874. package/dist/intent/planner/templates.js.map +1 -0
  875. package/dist/intent/queue.d.ts +150 -0
  876. package/dist/intent/queue.d.ts.map +1 -0
  877. package/dist/intent/queue.js +339 -0
  878. package/dist/intent/queue.js.map +1 -0
  879. package/dist/intent/queues.d.ts +176 -0
  880. package/dist/intent/queues.d.ts.map +1 -0
  881. package/dist/intent/queues.js +1382 -0
  882. package/dist/intent/queues.js.map +1 -0
  883. package/dist/intent/ratelimit.d.ts +147 -0
  884. package/dist/intent/ratelimit.d.ts.map +1 -0
  885. package/dist/intent/ratelimit.js +301 -0
  886. package/dist/intent/ratelimit.js.map +1 -0
  887. package/dist/intent/replay/comparator.d.ts +148 -0
  888. package/dist/intent/replay/comparator.d.ts.map +1 -0
  889. package/dist/intent/replay/comparator.js +320 -0
  890. package/dist/intent/replay/comparator.js.map +1 -0
  891. package/dist/intent/replay/index.d.ts +159 -0
  892. package/dist/intent/replay/index.d.ts.map +1 -0
  893. package/dist/intent/replay/index.js +486 -0
  894. package/dist/intent/replay/index.js.map +1 -0
  895. package/dist/intent/replay/simulator.d.ts +184 -0
  896. package/dist/intent/replay/simulator.d.ts.map +1 -0
  897. package/dist/intent/replay/simulator.js +510 -0
  898. package/dist/intent/replay/simulator.js.map +1 -0
  899. package/dist/intent/replay/snapshot.d.ts +149 -0
  900. package/dist/intent/replay/snapshot.d.ts.map +1 -0
  901. package/dist/intent/replay/snapshot.js +245 -0
  902. package/dist/intent/replay/snapshot.js.map +1 -0
  903. package/dist/intent/repository.d.ts +198 -0
  904. package/dist/intent/repository.d.ts.map +1 -0
  905. package/dist/intent/repository.js +526 -0
  906. package/dist/intent/repository.js.map +1 -0
  907. package/dist/intent/response-middleware.d.ts +156 -0
  908. package/dist/intent/response-middleware.d.ts.map +1 -0
  909. package/dist/intent/response-middleware.js +337 -0
  910. package/dist/intent/response-middleware.js.map +1 -0
  911. package/dist/intent/response.d.ts +267 -0
  912. package/dist/intent/response.d.ts.map +1 -0
  913. package/dist/intent/response.js +402 -0
  914. package/dist/intent/response.js.map +1 -0
  915. package/dist/intent/routes.d.ts +35 -0
  916. package/dist/intent/routes.d.ts.map +1 -0
  917. package/dist/intent/routes.js +801 -0
  918. package/dist/intent/routes.js.map +1 -0
  919. package/dist/intent/scheduler.d.ts +45 -0
  920. package/dist/intent/scheduler.d.ts.map +1 -0
  921. package/dist/intent/scheduler.js +221 -0
  922. package/dist/intent/scheduler.js.map +1 -0
  923. package/dist/intent/schema.d.ts +2997 -0
  924. package/dist/intent/schema.d.ts.map +1 -0
  925. package/dist/intent/schema.js +447 -0
  926. package/dist/intent/schema.js.map +1 -0
  927. package/dist/intent/shutdown.d.ts +145 -0
  928. package/dist/intent/shutdown.d.ts.map +1 -0
  929. package/dist/intent/shutdown.js +468 -0
  930. package/dist/intent/shutdown.js.map +1 -0
  931. package/dist/intent/state-machine.d.ts +111 -0
  932. package/dist/intent/state-machine.d.ts.map +1 -0
  933. package/dist/intent/state-machine.js +242 -0
  934. package/dist/intent/state-machine.js.map +1 -0
  935. package/dist/intent/tracing.d.ts +152 -0
  936. package/dist/intent/tracing.d.ts.map +1 -0
  937. package/dist/intent/tracing.js +658 -0
  938. package/dist/intent/tracing.js.map +1 -0
  939. package/dist/intent/types.d.ts +175 -0
  940. package/dist/intent/types.d.ts.map +1 -0
  941. package/dist/intent/types.js +25 -0
  942. package/dist/intent/types.js.map +1 -0
  943. package/dist/intent/webhooks/delivery-repository.d.ts +80 -0
  944. package/dist/intent/webhooks/delivery-repository.d.ts.map +1 -0
  945. package/dist/intent/webhooks/delivery-repository.js +251 -0
  946. package/dist/intent/webhooks/delivery-repository.js.map +1 -0
  947. package/dist/intent/webhooks/dns-pinning.d.ts +30 -0
  948. package/dist/intent/webhooks/dns-pinning.d.ts.map +1 -0
  949. package/dist/intent/webhooks/dns-pinning.js +69 -0
  950. package/dist/intent/webhooks/dns-pinning.js.map +1 -0
  951. package/dist/intent/webhooks/index.d.ts +14 -0
  952. package/dist/intent/webhooks/index.d.ts.map +1 -0
  953. package/dist/intent/webhooks/index.js +17 -0
  954. package/dist/intent/webhooks/index.js.map +1 -0
  955. package/dist/intent/webhooks/signature.d.ts +47 -0
  956. package/dist/intent/webhooks/signature.d.ts.map +1 -0
  957. package/dist/intent/webhooks/signature.js +80 -0
  958. package/dist/intent/webhooks/signature.js.map +1 -0
  959. package/dist/intent/webhooks/ssrf-protection.d.ts +29 -0
  960. package/dist/intent/webhooks/ssrf-protection.d.ts.map +1 -0
  961. package/dist/intent/webhooks/ssrf-protection.js +161 -0
  962. package/dist/intent/webhooks/ssrf-protection.js.map +1 -0
  963. package/dist/intent/webhooks/types.d.ts +132 -0
  964. package/dist/intent/webhooks/types.d.ts.map +1 -0
  965. package/dist/intent/webhooks/types.js +14 -0
  966. package/dist/intent/webhooks/types.js.map +1 -0
  967. package/dist/intent/webhooks.d.ts +610 -0
  968. package/dist/intent/webhooks.d.ts.map +1 -0
  969. package/dist/intent/webhooks.js +1793 -0
  970. package/dist/intent/webhooks.js.map +1 -0
  971. package/dist/policy/diff.d.ts +88 -0
  972. package/dist/policy/diff.d.ts.map +1 -0
  973. package/dist/policy/diff.js +325 -0
  974. package/dist/policy/diff.js.map +1 -0
  975. package/dist/policy/evaluator.d.ts +102 -0
  976. package/dist/policy/evaluator.d.ts.map +1 -0
  977. package/dist/policy/evaluator.js +647 -0
  978. package/dist/policy/evaluator.js.map +1 -0
  979. package/dist/policy/index.d.ts +16 -0
  980. package/dist/policy/index.d.ts.map +1 -0
  981. package/dist/policy/index.js +19 -0
  982. package/dist/policy/index.js.map +1 -0
  983. package/dist/policy/loader.d.ts +63 -0
  984. package/dist/policy/loader.d.ts.map +1 -0
  985. package/dist/policy/loader.js +173 -0
  986. package/dist/policy/loader.js.map +1 -0
  987. package/dist/policy/service.d.ts +150 -0
  988. package/dist/policy/service.d.ts.map +1 -0
  989. package/dist/policy/service.js +782 -0
  990. package/dist/policy/service.js.map +1 -0
  991. package/dist/policy/types.d.ts +220 -0
  992. package/dist/policy/types.d.ts.map +1 -0
  993. package/dist/policy/types.js +36 -0
  994. package/dist/policy/types.js.map +1 -0
  995. package/dist/proof/hybrid-signing.d.ts +82 -0
  996. package/dist/proof/hybrid-signing.d.ts.map +1 -0
  997. package/dist/proof/hybrid-signing.js +239 -0
  998. package/dist/proof/hybrid-signing.js.map +1 -0
  999. package/dist/proof/index.d.ts +203 -0
  1000. package/dist/proof/index.d.ts.map +1 -0
  1001. package/dist/proof/index.js +610 -0
  1002. package/dist/proof/index.js.map +1 -0
  1003. package/dist/proof/merkle-service.d.ts +194 -0
  1004. package/dist/proof/merkle-service.d.ts.map +1 -0
  1005. package/dist/proof/merkle-service.js +463 -0
  1006. package/dist/proof/merkle-service.js.map +1 -0
  1007. package/dist/proof/merkle.d.ts +118 -0
  1008. package/dist/proof/merkle.d.ts.map +1 -0
  1009. package/dist/proof/merkle.js +265 -0
  1010. package/dist/proof/merkle.js.map +1 -0
  1011. package/dist/security/ai-governance/access-policy.d.ts +197 -0
  1012. package/dist/security/ai-governance/access-policy.d.ts.map +1 -0
  1013. package/dist/security/ai-governance/access-policy.js +522 -0
  1014. package/dist/security/ai-governance/access-policy.js.map +1 -0
  1015. package/dist/security/ai-governance/audit-trail.d.ts +241 -0
  1016. package/dist/security/ai-governance/audit-trail.d.ts.map +1 -0
  1017. package/dist/security/ai-governance/audit-trail.js +645 -0
  1018. package/dist/security/ai-governance/audit-trail.js.map +1 -0
  1019. package/dist/security/ai-governance/bias-detection.d.ts +221 -0
  1020. package/dist/security/ai-governance/bias-detection.d.ts.map +1 -0
  1021. package/dist/security/ai-governance/bias-detection.js +615 -0
  1022. package/dist/security/ai-governance/bias-detection.js.map +1 -0
  1023. package/dist/security/ai-governance/index.d.ts +92 -0
  1024. package/dist/security/ai-governance/index.d.ts.map +1 -0
  1025. package/dist/security/ai-governance/index.js +184 -0
  1026. package/dist/security/ai-governance/index.js.map +1 -0
  1027. package/dist/security/ai-governance/middleware.d.ts +110 -0
  1028. package/dist/security/ai-governance/middleware.d.ts.map +1 -0
  1029. package/dist/security/ai-governance/middleware.js +359 -0
  1030. package/dist/security/ai-governance/middleware.js.map +1 -0
  1031. package/dist/security/ai-governance/model-registry.d.ts +229 -0
  1032. package/dist/security/ai-governance/model-registry.d.ts.map +1 -0
  1033. package/dist/security/ai-governance/model-registry.js +535 -0
  1034. package/dist/security/ai-governance/model-registry.js.map +1 -0
  1035. package/dist/security/ai-governance/output-filter.d.ts +150 -0
  1036. package/dist/security/ai-governance/output-filter.d.ts.map +1 -0
  1037. package/dist/security/ai-governance/output-filter.js +561 -0
  1038. package/dist/security/ai-governance/output-filter.js.map +1 -0
  1039. package/dist/security/ai-governance/prompt-injection.d.ts +153 -0
  1040. package/dist/security/ai-governance/prompt-injection.d.ts.map +1 -0
  1041. package/dist/security/ai-governance/prompt-injection.js +614 -0
  1042. package/dist/security/ai-governance/prompt-injection.js.map +1 -0
  1043. package/dist/security/ai-governance/rate-limiter.d.ts +156 -0
  1044. package/dist/security/ai-governance/rate-limiter.d.ts.map +1 -0
  1045. package/dist/security/ai-governance/rate-limiter.js +541 -0
  1046. package/dist/security/ai-governance/rate-limiter.js.map +1 -0
  1047. package/dist/security/ai-governance/types.d.ts +594 -0
  1048. package/dist/security/ai-governance/types.d.ts.map +1 -0
  1049. package/dist/security/ai-governance/types.js +6 -0
  1050. package/dist/security/ai-governance/types.js.map +1 -0
  1051. package/dist/security/alerting/channels/base.d.ts +91 -0
  1052. package/dist/security/alerting/channels/base.d.ts.map +1 -0
  1053. package/dist/security/alerting/channels/base.js +128 -0
  1054. package/dist/security/alerting/channels/base.js.map +1 -0
  1055. package/dist/security/alerting/channels/email.d.ts +92 -0
  1056. package/dist/security/alerting/channels/email.d.ts.map +1 -0
  1057. package/dist/security/alerting/channels/email.js +418 -0
  1058. package/dist/security/alerting/channels/email.js.map +1 -0
  1059. package/dist/security/alerting/channels/http-base.d.ts +86 -0
  1060. package/dist/security/alerting/channels/http-base.d.ts.map +1 -0
  1061. package/dist/security/alerting/channels/http-base.js +133 -0
  1062. package/dist/security/alerting/channels/http-base.js.map +1 -0
  1063. package/dist/security/alerting/channels/index.d.ts +30 -0
  1064. package/dist/security/alerting/channels/index.d.ts.map +1 -0
  1065. package/dist/security/alerting/channels/index.js +22 -0
  1066. package/dist/security/alerting/channels/index.js.map +1 -0
  1067. package/dist/security/alerting/channels/pagerduty.d.ts +70 -0
  1068. package/dist/security/alerting/channels/pagerduty.d.ts.map +1 -0
  1069. package/dist/security/alerting/channels/pagerduty.js +248 -0
  1070. package/dist/security/alerting/channels/pagerduty.js.map +1 -0
  1071. package/dist/security/alerting/channels/slack.d.ts +55 -0
  1072. package/dist/security/alerting/channels/slack.d.ts.map +1 -0
  1073. package/dist/security/alerting/channels/slack.js +215 -0
  1074. package/dist/security/alerting/channels/slack.js.map +1 -0
  1075. package/dist/security/alerting/channels/sns.d.ts +87 -0
  1076. package/dist/security/alerting/channels/sns.d.ts.map +1 -0
  1077. package/dist/security/alerting/channels/sns.js +251 -0
  1078. package/dist/security/alerting/channels/sns.js.map +1 -0
  1079. package/dist/security/alerting/channels/webhook.d.ts +92 -0
  1080. package/dist/security/alerting/channels/webhook.d.ts.map +1 -0
  1081. package/dist/security/alerting/channels/webhook.js +203 -0
  1082. package/dist/security/alerting/channels/webhook.js.map +1 -0
  1083. package/dist/security/alerting/detector.d.ts +217 -0
  1084. package/dist/security/alerting/detector.d.ts.map +1 -0
  1085. package/dist/security/alerting/detector.js +725 -0
  1086. package/dist/security/alerting/detector.js.map +1 -0
  1087. package/dist/security/alerting/index.d.ts +57 -0
  1088. package/dist/security/alerting/index.d.ts.map +1 -0
  1089. package/dist/security/alerting/index.js +214 -0
  1090. package/dist/security/alerting/index.js.map +1 -0
  1091. package/dist/security/alerting/service.d.ts +190 -0
  1092. package/dist/security/alerting/service.d.ts.map +1 -0
  1093. package/dist/security/alerting/service.js +815 -0
  1094. package/dist/security/alerting/service.js.map +1 -0
  1095. package/dist/security/alerting/types.d.ts +2165 -0
  1096. package/dist/security/alerting/types.d.ts.map +1 -0
  1097. package/dist/security/alerting/types.js +278 -0
  1098. package/dist/security/alerting/types.js.map +1 -0
  1099. package/dist/security/anomaly/detectors/account-compromise.d.ts +198 -0
  1100. package/dist/security/anomaly/detectors/account-compromise.d.ts.map +1 -0
  1101. package/dist/security/anomaly/detectors/account-compromise.js +815 -0
  1102. package/dist/security/anomaly/detectors/account-compromise.js.map +1 -0
  1103. package/dist/security/anomaly/detectors/data-exfiltration.d.ts +175 -0
  1104. package/dist/security/anomaly/detectors/data-exfiltration.d.ts.map +1 -0
  1105. package/dist/security/anomaly/detectors/data-exfiltration.js +733 -0
  1106. package/dist/security/anomaly/detectors/data-exfiltration.js.map +1 -0
  1107. package/dist/security/anomaly/detectors/geographic.d.ts +100 -0
  1108. package/dist/security/anomaly/detectors/geographic.d.ts.map +1 -0
  1109. package/dist/security/anomaly/detectors/geographic.js +348 -0
  1110. package/dist/security/anomaly/detectors/geographic.js.map +1 -0
  1111. package/dist/security/anomaly/detectors/index.d.ts +86 -0
  1112. package/dist/security/anomaly/detectors/index.d.ts.map +1 -0
  1113. package/dist/security/anomaly/detectors/index.js +118 -0
  1114. package/dist/security/anomaly/detectors/index.js.map +1 -0
  1115. package/dist/security/anomaly/detectors/lateral-movement.d.ts +168 -0
  1116. package/dist/security/anomaly/detectors/lateral-movement.d.ts.map +1 -0
  1117. package/dist/security/anomaly/detectors/lateral-movement.js +795 -0
  1118. package/dist/security/anomaly/detectors/lateral-movement.js.map +1 -0
  1119. package/dist/security/anomaly/detectors/privilege-escalation.d.ts +177 -0
  1120. package/dist/security/anomaly/detectors/privilege-escalation.d.ts.map +1 -0
  1121. package/dist/security/anomaly/detectors/privilege-escalation.js +741 -0
  1122. package/dist/security/anomaly/detectors/privilege-escalation.js.map +1 -0
  1123. package/dist/security/anomaly/detectors/temporal.d.ts +71 -0
  1124. package/dist/security/anomaly/detectors/temporal.d.ts.map +1 -0
  1125. package/dist/security/anomaly/detectors/temporal.js +398 -0
  1126. package/dist/security/anomaly/detectors/temporal.js.map +1 -0
  1127. package/dist/security/anomaly/detectors/volume.d.ts +97 -0
  1128. package/dist/security/anomaly/detectors/volume.d.ts.map +1 -0
  1129. package/dist/security/anomaly/detectors/volume.js +424 -0
  1130. package/dist/security/anomaly/detectors/volume.js.map +1 -0
  1131. package/dist/security/anomaly/index.d.ts +128 -0
  1132. package/dist/security/anomaly/index.d.ts.map +1 -0
  1133. package/dist/security/anomaly/index.js +378 -0
  1134. package/dist/security/anomaly/index.js.map +1 -0
  1135. package/dist/security/anomaly/types.d.ts +1209 -0
  1136. package/dist/security/anomaly/types.d.ts.map +1 -0
  1137. package/dist/security/anomaly/types.js +193 -0
  1138. package/dist/security/anomaly/types.js.map +1 -0
  1139. package/dist/security/api-keys/cache.d.ts +255 -0
  1140. package/dist/security/api-keys/cache.d.ts.map +1 -0
  1141. package/dist/security/api-keys/cache.js +595 -0
  1142. package/dist/security/api-keys/cache.js.map +1 -0
  1143. package/dist/security/api-keys/db-store.d.ts +150 -0
  1144. package/dist/security/api-keys/db-store.d.ts.map +1 -0
  1145. package/dist/security/api-keys/db-store.js +694 -0
  1146. package/dist/security/api-keys/db-store.js.map +1 -0
  1147. package/dist/security/api-keys/index.d.ts +29 -0
  1148. package/dist/security/api-keys/index.d.ts.map +1 -0
  1149. package/dist/security/api-keys/index.js +81 -0
  1150. package/dist/security/api-keys/index.js.map +1 -0
  1151. package/dist/security/api-keys/middleware.d.ts +164 -0
  1152. package/dist/security/api-keys/middleware.d.ts.map +1 -0
  1153. package/dist/security/api-keys/middleware.js +392 -0
  1154. package/dist/security/api-keys/middleware.js.map +1 -0
  1155. package/dist/security/api-keys/service.d.ts +226 -0
  1156. package/dist/security/api-keys/service.d.ts.map +1 -0
  1157. package/dist/security/api-keys/service.js +861 -0
  1158. package/dist/security/api-keys/service.js.map +1 -0
  1159. package/dist/security/api-keys/store.d.ts +241 -0
  1160. package/dist/security/api-keys/store.d.ts.map +1 -0
  1161. package/dist/security/api-keys/store.js +360 -0
  1162. package/dist/security/api-keys/store.js.map +1 -0
  1163. package/dist/security/api-keys/types.d.ts +718 -0
  1164. package/dist/security/api-keys/types.d.ts.map +1 -0
  1165. package/dist/security/api-keys/types.js +162 -0
  1166. package/dist/security/api-keys/types.js.map +1 -0
  1167. package/dist/security/brute-force.d.ts +390 -0
  1168. package/dist/security/brute-force.d.ts.map +1 -0
  1169. package/dist/security/brute-force.js +677 -0
  1170. package/dist/security/brute-force.js.map +1 -0
  1171. package/dist/security/config-validator.d.ts +152 -0
  1172. package/dist/security/config-validator.d.ts.map +1 -0
  1173. package/dist/security/config-validator.js +667 -0
  1174. package/dist/security/config-validator.js.map +1 -0
  1175. package/dist/security/crypto/fips-mode.d.ts +772 -0
  1176. package/dist/security/crypto/fips-mode.d.ts.map +1 -0
  1177. package/dist/security/crypto/fips-mode.js +1363 -0
  1178. package/dist/security/crypto/fips-mode.js.map +1 -0
  1179. package/dist/security/crypto/index.d.ts +202 -0
  1180. package/dist/security/crypto/index.d.ts.map +1 -0
  1181. package/dist/security/crypto/index.js +292 -0
  1182. package/dist/security/crypto/index.js.map +1 -0
  1183. package/dist/security/crypto/post-quantum/benchmark.d.ts +125 -0
  1184. package/dist/security/crypto/post-quantum/benchmark.d.ts.map +1 -0
  1185. package/dist/security/crypto/post-quantum/benchmark.js +530 -0
  1186. package/dist/security/crypto/post-quantum/benchmark.js.map +1 -0
  1187. package/dist/security/crypto/post-quantum/dilithium.d.ts +144 -0
  1188. package/dist/security/crypto/post-quantum/dilithium.d.ts.map +1 -0
  1189. package/dist/security/crypto/post-quantum/dilithium.js +675 -0
  1190. package/dist/security/crypto/post-quantum/dilithium.js.map +1 -0
  1191. package/dist/security/crypto/post-quantum/hybrid.d.ts +267 -0
  1192. package/dist/security/crypto/post-quantum/hybrid.d.ts.map +1 -0
  1193. package/dist/security/crypto/post-quantum/hybrid.js +457 -0
  1194. package/dist/security/crypto/post-quantum/hybrid.js.map +1 -0
  1195. package/dist/security/crypto/post-quantum/index.d.ts +166 -0
  1196. package/dist/security/crypto/post-quantum/index.d.ts.map +1 -0
  1197. package/dist/security/crypto/post-quantum/index.js +236 -0
  1198. package/dist/security/crypto/post-quantum/index.js.map +1 -0
  1199. package/dist/security/crypto/post-quantum/kyber.d.ts +129 -0
  1200. package/dist/security/crypto/post-quantum/kyber.d.ts.map +1 -0
  1201. package/dist/security/crypto/post-quantum/kyber.js +649 -0
  1202. package/dist/security/crypto/post-quantum/kyber.js.map +1 -0
  1203. package/dist/security/crypto/post-quantum/migration.d.ts +230 -0
  1204. package/dist/security/crypto/post-quantum/migration.d.ts.map +1 -0
  1205. package/dist/security/crypto/post-quantum/migration.js +563 -0
  1206. package/dist/security/crypto/post-quantum/migration.js.map +1 -0
  1207. package/dist/security/crypto/post-quantum/types.d.ts +1056 -0
  1208. package/dist/security/crypto/post-quantum/types.d.ts.map +1 -0
  1209. package/dist/security/crypto/post-quantum/types.js +350 -0
  1210. package/dist/security/crypto/post-quantum/types.js.map +1 -0
  1211. package/dist/security/crypto/shamir/comparison.d.ts +128 -0
  1212. package/dist/security/crypto/shamir/comparison.d.ts.map +1 -0
  1213. package/dist/security/crypto/shamir/comparison.js +423 -0
  1214. package/dist/security/crypto/shamir/comparison.js.map +1 -0
  1215. package/dist/security/crypto/shamir/index.d.ts +76 -0
  1216. package/dist/security/crypto/shamir/index.d.ts.map +1 -0
  1217. package/dist/security/crypto/shamir/index.js +155 -0
  1218. package/dist/security/crypto/shamir/index.js.map +1 -0
  1219. package/dist/security/crypto/shamir/proofs.d.ts +259 -0
  1220. package/dist/security/crypto/shamir/proofs.d.ts.map +1 -0
  1221. package/dist/security/crypto/shamir/proofs.js +605 -0
  1222. package/dist/security/crypto/shamir/proofs.js.map +1 -0
  1223. package/dist/security/crypto/shamir/property-tests.d.ts +104 -0
  1224. package/dist/security/crypto/shamir/property-tests.d.ts.map +1 -0
  1225. package/dist/security/crypto/shamir/property-tests.js +480 -0
  1226. package/dist/security/crypto/shamir/property-tests.js.map +1 -0
  1227. package/dist/security/crypto/shamir/security-analysis.d.ts +97 -0
  1228. package/dist/security/crypto/shamir/security-analysis.d.ts.map +1 -0
  1229. package/dist/security/crypto/shamir/security-analysis.js +503 -0
  1230. package/dist/security/crypto/shamir/security-analysis.js.map +1 -0
  1231. package/dist/security/crypto/shamir/test-vectors.d.ts +116 -0
  1232. package/dist/security/crypto/shamir/test-vectors.d.ts.map +1 -0
  1233. package/dist/security/crypto/shamir/test-vectors.js +377 -0
  1234. package/dist/security/crypto/shamir/test-vectors.js.map +1 -0
  1235. package/dist/security/crypto/shamir/types.d.ts +281 -0
  1236. package/dist/security/crypto/shamir/types.d.ts.map +1 -0
  1237. package/dist/security/crypto/shamir/types.js +82 -0
  1238. package/dist/security/crypto/shamir/types.js.map +1 -0
  1239. package/dist/security/crypto/shamir/verified-shamir.d.ts +170 -0
  1240. package/dist/security/crypto/shamir/verified-shamir.d.ts.map +1 -0
  1241. package/dist/security/crypto/shamir/verified-shamir.js +624 -0
  1242. package/dist/security/crypto/shamir/verified-shamir.js.map +1 -0
  1243. package/dist/security/csrf.d.ts +215 -0
  1244. package/dist/security/csrf.d.ts.map +1 -0
  1245. package/dist/security/csrf.js +467 -0
  1246. package/dist/security/csrf.js.map +1 -0
  1247. package/dist/security/distributed-state.d.ts +331 -0
  1248. package/dist/security/distributed-state.d.ts.map +1 -0
  1249. package/dist/security/distributed-state.js +768 -0
  1250. package/dist/security/distributed-state.js.map +1 -0
  1251. package/dist/security/dlp/index.d.ts +27 -0
  1252. package/dist/security/dlp/index.d.ts.map +1 -0
  1253. package/dist/security/dlp/index.js +54 -0
  1254. package/dist/security/dlp/index.js.map +1 -0
  1255. package/dist/security/dlp/scanner.d.ts +451 -0
  1256. package/dist/security/dlp/scanner.d.ts.map +1 -0
  1257. package/dist/security/dlp/scanner.js +1241 -0
  1258. package/dist/security/dlp/scanner.js.map +1 -0
  1259. package/dist/security/dpop.d.ts +260 -0
  1260. package/dist/security/dpop.d.ts.map +1 -0
  1261. package/dist/security/dpop.js +1058 -0
  1262. package/dist/security/dpop.js.map +1 -0
  1263. package/dist/security/encryption/decorators.d.ts +263 -0
  1264. package/dist/security/encryption/decorators.d.ts.map +1 -0
  1265. package/dist/security/encryption/decorators.js +359 -0
  1266. package/dist/security/encryption/decorators.js.map +1 -0
  1267. package/dist/security/encryption/index.d.ts +83 -0
  1268. package/dist/security/encryption/index.d.ts.map +1 -0
  1269. package/dist/security/encryption/index.js +140 -0
  1270. package/dist/security/encryption/index.js.map +1 -0
  1271. package/dist/security/encryption/key-provider.d.ts +335 -0
  1272. package/dist/security/encryption/key-provider.d.ts.map +1 -0
  1273. package/dist/security/encryption/key-provider.js +853 -0
  1274. package/dist/security/encryption/key-provider.js.map +1 -0
  1275. package/dist/security/encryption/middleware.d.ts +279 -0
  1276. package/dist/security/encryption/middleware.d.ts.map +1 -0
  1277. package/dist/security/encryption/middleware.js +493 -0
  1278. package/dist/security/encryption/middleware.js.map +1 -0
  1279. package/dist/security/encryption/service.d.ts +164 -0
  1280. package/dist/security/encryption/service.d.ts.map +1 -0
  1281. package/dist/security/encryption/service.js +623 -0
  1282. package/dist/security/encryption/service.js.map +1 -0
  1283. package/dist/security/encryption/types.d.ts +745 -0
  1284. package/dist/security/encryption/types.d.ts.map +1 -0
  1285. package/dist/security/encryption/types.js +229 -0
  1286. package/dist/security/encryption/types.js.map +1 -0
  1287. package/dist/security/error-sanitizer.d.ts +329 -0
  1288. package/dist/security/error-sanitizer.d.ts.map +1 -0
  1289. package/dist/security/error-sanitizer.js +693 -0
  1290. package/dist/security/error-sanitizer.js.map +1 -0
  1291. package/dist/security/fingerprint-service.d.ts +139 -0
  1292. package/dist/security/fingerprint-service.d.ts.map +1 -0
  1293. package/dist/security/fingerprint-service.js +240 -0
  1294. package/dist/security/fingerprint-service.js.map +1 -0
  1295. package/dist/security/headers/csp.d.ts +270 -0
  1296. package/dist/security/headers/csp.d.ts.map +1 -0
  1297. package/dist/security/headers/csp.js +655 -0
  1298. package/dist/security/headers/csp.js.map +1 -0
  1299. package/dist/security/headers/hsts.d.ts +161 -0
  1300. package/dist/security/headers/hsts.d.ts.map +1 -0
  1301. package/dist/security/headers/hsts.js +346 -0
  1302. package/dist/security/headers/hsts.js.map +1 -0
  1303. package/dist/security/headers/index.d.ts +47 -0
  1304. package/dist/security/headers/index.d.ts.map +1 -0
  1305. package/dist/security/headers/index.js +110 -0
  1306. package/dist/security/headers/index.js.map +1 -0
  1307. package/dist/security/headers/middleware.d.ts +70 -0
  1308. package/dist/security/headers/middleware.d.ts.map +1 -0
  1309. package/dist/security/headers/middleware.js +549 -0
  1310. package/dist/security/headers/middleware.js.map +1 -0
  1311. package/dist/security/headers/permissions-policy.d.ts +189 -0
  1312. package/dist/security/headers/permissions-policy.d.ts.map +1 -0
  1313. package/dist/security/headers/permissions-policy.js +508 -0
  1314. package/dist/security/headers/permissions-policy.js.map +1 -0
  1315. package/dist/security/headers/types.d.ts +1570 -0
  1316. package/dist/security/headers/types.d.ts.map +1 -0
  1317. package/dist/security/headers/types.js +281 -0
  1318. package/dist/security/headers/types.js.map +1 -0
  1319. package/dist/security/headers/validator.d.ts +36 -0
  1320. package/dist/security/headers/validator.d.ts.map +1 -0
  1321. package/dist/security/headers/validator.js +616 -0
  1322. package/dist/security/headers/validator.js.map +1 -0
  1323. package/dist/security/hsm/aws-cloudhsm.d.ts +157 -0
  1324. package/dist/security/hsm/aws-cloudhsm.d.ts.map +1 -0
  1325. package/dist/security/hsm/aws-cloudhsm.js +712 -0
  1326. package/dist/security/hsm/aws-cloudhsm.js.map +1 -0
  1327. package/dist/security/hsm/azure-hsm.d.ts +174 -0
  1328. package/dist/security/hsm/azure-hsm.d.ts.map +1 -0
  1329. package/dist/security/hsm/azure-hsm.js +792 -0
  1330. package/dist/security/hsm/azure-hsm.js.map +1 -0
  1331. package/dist/security/hsm/gcp-hsm.d.ts +184 -0
  1332. package/dist/security/hsm/gcp-hsm.d.ts.map +1 -0
  1333. package/dist/security/hsm/gcp-hsm.js +817 -0
  1334. package/dist/security/hsm/gcp-hsm.js.map +1 -0
  1335. package/dist/security/hsm/hsm-service.d.ts +264 -0
  1336. package/dist/security/hsm/hsm-service.d.ts.map +1 -0
  1337. package/dist/security/hsm/hsm-service.js +772 -0
  1338. package/dist/security/hsm/hsm-service.js.map +1 -0
  1339. package/dist/security/hsm/index.d.ts +132 -0
  1340. package/dist/security/hsm/index.d.ts.map +1 -0
  1341. package/dist/security/hsm/index.js +198 -0
  1342. package/dist/security/hsm/index.js.map +1 -0
  1343. package/dist/security/hsm/key-ceremony.d.ts +214 -0
  1344. package/dist/security/hsm/key-ceremony.d.ts.map +1 -0
  1345. package/dist/security/hsm/key-ceremony.js +636 -0
  1346. package/dist/security/hsm/key-ceremony.js.map +1 -0
  1347. package/dist/security/hsm/local-softHSM.d.ts +122 -0
  1348. package/dist/security/hsm/local-softHSM.d.ts.map +1 -0
  1349. package/dist/security/hsm/local-softHSM.js +786 -0
  1350. package/dist/security/hsm/local-softHSM.js.map +1 -0
  1351. package/dist/security/hsm/provider.d.ts +333 -0
  1352. package/dist/security/hsm/provider.d.ts.map +1 -0
  1353. package/dist/security/hsm/provider.js +264 -0
  1354. package/dist/security/hsm/provider.js.map +1 -0
  1355. package/dist/security/hsm/thales-luna.d.ts +209 -0
  1356. package/dist/security/hsm/thales-luna.d.ts.map +1 -0
  1357. package/dist/security/hsm/thales-luna.js +820 -0
  1358. package/dist/security/hsm/thales-luna.js.map +1 -0
  1359. package/dist/security/incident/actions/block-ip.d.ts +84 -0
  1360. package/dist/security/incident/actions/block-ip.d.ts.map +1 -0
  1361. package/dist/security/incident/actions/block-ip.js +464 -0
  1362. package/dist/security/incident/actions/block-ip.js.map +1 -0
  1363. package/dist/security/incident/actions/collect-evidence.d.ts +95 -0
  1364. package/dist/security/incident/actions/collect-evidence.d.ts.map +1 -0
  1365. package/dist/security/incident/actions/collect-evidence.js +458 -0
  1366. package/dist/security/incident/actions/collect-evidence.js.map +1 -0
  1367. package/dist/security/incident/actions/index.d.ts +39 -0
  1368. package/dist/security/incident/actions/index.d.ts.map +1 -0
  1369. package/dist/security/incident/actions/index.js +52 -0
  1370. package/dist/security/incident/actions/index.js.map +1 -0
  1371. package/dist/security/incident/actions/isolate-system.d.ts +63 -0
  1372. package/dist/security/incident/actions/isolate-system.d.ts.map +1 -0
  1373. package/dist/security/incident/actions/isolate-system.js +379 -0
  1374. package/dist/security/incident/actions/isolate-system.js.map +1 -0
  1375. package/dist/security/incident/actions/notify-stakeholders.d.ts +72 -0
  1376. package/dist/security/incident/actions/notify-stakeholders.d.ts.map +1 -0
  1377. package/dist/security/incident/actions/notify-stakeholders.js +387 -0
  1378. package/dist/security/incident/actions/notify-stakeholders.js.map +1 -0
  1379. package/dist/security/incident/actions/revoke-credentials.d.ts +77 -0
  1380. package/dist/security/incident/actions/revoke-credentials.d.ts.map +1 -0
  1381. package/dist/security/incident/actions/revoke-credentials.js +329 -0
  1382. package/dist/security/incident/actions/revoke-credentials.js.map +1 -0
  1383. package/dist/security/incident/actions/scale-monitoring.d.ts +90 -0
  1384. package/dist/security/incident/actions/scale-monitoring.d.ts.map +1 -0
  1385. package/dist/security/incident/actions/scale-monitoring.js +483 -0
  1386. package/dist/security/incident/actions/scale-monitoring.js.map +1 -0
  1387. package/dist/security/incident/executor.d.ts +128 -0
  1388. package/dist/security/incident/executor.d.ts.map +1 -0
  1389. package/dist/security/incident/executor.js +695 -0
  1390. package/dist/security/incident/executor.js.map +1 -0
  1391. package/dist/security/incident/index.d.ts +220 -0
  1392. package/dist/security/incident/index.d.ts.map +1 -0
  1393. package/dist/security/incident/index.js +1284 -0
  1394. package/dist/security/incident/index.js.map +1 -0
  1395. package/dist/security/incident/notification.d.ts +68 -0
  1396. package/dist/security/incident/notification.d.ts.map +1 -0
  1397. package/dist/security/incident/notification.js +512 -0
  1398. package/dist/security/incident/notification.js.map +1 -0
  1399. package/dist/security/incident/playbooks/account-compromise.d.ts +13 -0
  1400. package/dist/security/incident/playbooks/account-compromise.d.ts.map +1 -0
  1401. package/dist/security/incident/playbooks/account-compromise.js +379 -0
  1402. package/dist/security/incident/playbooks/account-compromise.js.map +1 -0
  1403. package/dist/security/incident/playbooks/configuration-error.d.ts +17 -0
  1404. package/dist/security/incident/playbooks/configuration-error.d.ts.map +1 -0
  1405. package/dist/security/incident/playbooks/configuration-error.js +340 -0
  1406. package/dist/security/incident/playbooks/configuration-error.js.map +1 -0
  1407. package/dist/security/incident/playbooks/data-breach.d.ts +13 -0
  1408. package/dist/security/incident/playbooks/data-breach.d.ts.map +1 -0
  1409. package/dist/security/incident/playbooks/data-breach.js +394 -0
  1410. package/dist/security/incident/playbooks/data-breach.js.map +1 -0
  1411. package/dist/security/incident/playbooks/denial-of-service.d.ts +13 -0
  1412. package/dist/security/incident/playbooks/denial-of-service.d.ts.map +1 -0
  1413. package/dist/security/incident/playbooks/denial-of-service.js +540 -0
  1414. package/dist/security/incident/playbooks/denial-of-service.js.map +1 -0
  1415. package/dist/security/incident/playbooks/index.d.ts +36 -0
  1416. package/dist/security/incident/playbooks/index.d.ts.map +1 -0
  1417. package/dist/security/incident/playbooks/index.js +56 -0
  1418. package/dist/security/incident/playbooks/index.js.map +1 -0
  1419. package/dist/security/incident/playbooks/insider-threat.d.ts +18 -0
  1420. package/dist/security/incident/playbooks/insider-threat.d.ts.map +1 -0
  1421. package/dist/security/incident/playbooks/insider-threat.js +600 -0
  1422. package/dist/security/incident/playbooks/insider-threat.js.map +1 -0
  1423. package/dist/security/incident/playbooks/malware.d.ts +13 -0
  1424. package/dist/security/incident/playbooks/malware.d.ts.map +1 -0
  1425. package/dist/security/incident/playbooks/malware.js +515 -0
  1426. package/dist/security/incident/playbooks/malware.js.map +1 -0
  1427. package/dist/security/incident/playbooks/ransomware.d.ts +14 -0
  1428. package/dist/security/incident/playbooks/ransomware.d.ts.map +1 -0
  1429. package/dist/security/incident/playbooks/ransomware.js +693 -0
  1430. package/dist/security/incident/playbooks/ransomware.js.map +1 -0
  1431. package/dist/security/incident/playbooks/unauthorized-access.d.ts +13 -0
  1432. package/dist/security/incident/playbooks/unauthorized-access.d.ts.map +1 -0
  1433. package/dist/security/incident/playbooks/unauthorized-access.js +412 -0
  1434. package/dist/security/incident/playbooks/unauthorized-access.js.map +1 -0
  1435. package/dist/security/incident/triggers.d.ts +120 -0
  1436. package/dist/security/incident/triggers.d.ts.map +1 -0
  1437. package/dist/security/incident/triggers.js +708 -0
  1438. package/dist/security/incident/triggers.js.map +1 -0
  1439. package/dist/security/incident/types.d.ts +1517 -0
  1440. package/dist/security/incident/types.d.ts.map +1 -0
  1441. package/dist/security/incident/types.js +222 -0
  1442. package/dist/security/incident/types.js.map +1 -0
  1443. package/dist/security/index.d.ts +56 -0
  1444. package/dist/security/index.d.ts.map +1 -0
  1445. package/dist/security/index.js +267 -0
  1446. package/dist/security/index.js.map +1 -0
  1447. package/dist/security/injection-detector.d.ts +375 -0
  1448. package/dist/security/injection-detector.d.ts.map +1 -0
  1449. package/dist/security/injection-detector.js +969 -0
  1450. package/dist/security/injection-detector.js.map +1 -0
  1451. package/dist/security/introspection.d.ts +137 -0
  1452. package/dist/security/introspection.d.ts.map +1 -0
  1453. package/dist/security/introspection.js +451 -0
  1454. package/dist/security/introspection.js.map +1 -0
  1455. package/dist/security/key-rotation.d.ts +213 -0
  1456. package/dist/security/key-rotation.d.ts.map +1 -0
  1457. package/dist/security/key-rotation.js +530 -0
  1458. package/dist/security/key-rotation.js.map +1 -0
  1459. package/dist/security/kms/aws-kms.d.ts +152 -0
  1460. package/dist/security/kms/aws-kms.d.ts.map +1 -0
  1461. package/dist/security/kms/aws-kms.js +808 -0
  1462. package/dist/security/kms/aws-kms.js.map +1 -0
  1463. package/dist/security/kms/index.d.ts +165 -0
  1464. package/dist/security/kms/index.d.ts.map +1 -0
  1465. package/dist/security/kms/index.js +351 -0
  1466. package/dist/security/kms/index.js.map +1 -0
  1467. package/dist/security/kms/local.d.ts +127 -0
  1468. package/dist/security/kms/local.d.ts.map +1 -0
  1469. package/dist/security/kms/local.js +682 -0
  1470. package/dist/security/kms/local.js.map +1 -0
  1471. package/dist/security/kms/types.d.ts +1000 -0
  1472. package/dist/security/kms/types.d.ts.map +1 -0
  1473. package/dist/security/kms/types.js +167 -0
  1474. package/dist/security/kms/types.js.map +1 -0
  1475. package/dist/security/kms/vault.d.ts +165 -0
  1476. package/dist/security/kms/vault.d.ts.map +1 -0
  1477. package/dist/security/kms/vault.js +820 -0
  1478. package/dist/security/kms/vault.js.map +1 -0
  1479. package/dist/security/mfa/index.d.ts +17 -0
  1480. package/dist/security/mfa/index.d.ts.map +1 -0
  1481. package/dist/security/mfa/index.js +37 -0
  1482. package/dist/security/mfa/index.js.map +1 -0
  1483. package/dist/security/mfa/mfa-middleware.d.ts +74 -0
  1484. package/dist/security/mfa/mfa-middleware.d.ts.map +1 -0
  1485. package/dist/security/mfa/mfa-middleware.js +244 -0
  1486. package/dist/security/mfa/mfa-middleware.js.map +1 -0
  1487. package/dist/security/mfa/mfa-service.d.ts +115 -0
  1488. package/dist/security/mfa/mfa-service.d.ts.map +1 -0
  1489. package/dist/security/mfa/mfa-service.js +508 -0
  1490. package/dist/security/mfa/mfa-service.js.map +1 -0
  1491. package/dist/security/mfa/mfa-store.d.ts +615 -0
  1492. package/dist/security/mfa/mfa-store.d.ts.map +1 -0
  1493. package/dist/security/mfa/mfa-store.js +431 -0
  1494. package/dist/security/mfa/mfa-store.js.map +1 -0
  1495. package/dist/security/mfa/types.d.ts +417 -0
  1496. package/dist/security/mfa/types.d.ts.map +1 -0
  1497. package/dist/security/mfa/types.js +123 -0
  1498. package/dist/security/mfa/types.js.map +1 -0
  1499. package/dist/security/middleware.d.ts +179 -0
  1500. package/dist/security/middleware.d.ts.map +1 -0
  1501. package/dist/security/middleware.js +534 -0
  1502. package/dist/security/middleware.js.map +1 -0
  1503. package/dist/security/pairwise-did.d.ts +157 -0
  1504. package/dist/security/pairwise-did.d.ts.map +1 -0
  1505. package/dist/security/pairwise-did.js +450 -0
  1506. package/dist/security/pairwise-did.js.map +1 -0
  1507. package/dist/security/pam/break-glass.d.ts +776 -0
  1508. package/dist/security/pam/break-glass.d.ts.map +1 -0
  1509. package/dist/security/pam/break-glass.js +1137 -0
  1510. package/dist/security/pam/break-glass.js.map +1 -0
  1511. package/dist/security/pam/index.d.ts +120 -0
  1512. package/dist/security/pam/index.d.ts.map +1 -0
  1513. package/dist/security/pam/index.js +179 -0
  1514. package/dist/security/pam/index.js.map +1 -0
  1515. package/dist/security/pam/jit-access.d.ts +482 -0
  1516. package/dist/security/pam/jit-access.d.ts.map +1 -0
  1517. package/dist/security/pam/jit-access.js +1030 -0
  1518. package/dist/security/pam/jit-access.js.map +1 -0
  1519. package/dist/security/pam/session-recording.d.ts +1007 -0
  1520. package/dist/security/pam/session-recording.d.ts.map +1 -0
  1521. package/dist/security/pam/session-recording.js +1047 -0
  1522. package/dist/security/pam/session-recording.js.map +1 -0
  1523. package/dist/security/password-hashing.d.ts +199 -0
  1524. package/dist/security/password-hashing.d.ts.map +1 -0
  1525. package/dist/security/password-hashing.js +366 -0
  1526. package/dist/security/password-hashing.js.map +1 -0
  1527. package/dist/security/password-policy.d.ts +304 -0
  1528. package/dist/security/password-policy.d.ts.map +1 -0
  1529. package/dist/security/password-policy.js +730 -0
  1530. package/dist/security/password-policy.js.map +1 -0
  1531. package/dist/security/policy-engine/atsf-adapter.d.ts +93 -0
  1532. package/dist/security/policy-engine/atsf-adapter.d.ts.map +1 -0
  1533. package/dist/security/policy-engine/atsf-adapter.js +265 -0
  1534. package/dist/security/policy-engine/atsf-adapter.js.map +1 -0
  1535. package/dist/security/policy-engine/built-in-policies.d.ts +90 -0
  1536. package/dist/security/policy-engine/built-in-policies.d.ts.map +1 -0
  1537. package/dist/security/policy-engine/built-in-policies.js +627 -0
  1538. package/dist/security/policy-engine/built-in-policies.js.map +1 -0
  1539. package/dist/security/policy-engine/condition-evaluator.d.ts +129 -0
  1540. package/dist/security/policy-engine/condition-evaluator.d.ts.map +1 -0
  1541. package/dist/security/policy-engine/condition-evaluator.js +647 -0
  1542. package/dist/security/policy-engine/condition-evaluator.js.map +1 -0
  1543. package/dist/security/policy-engine/engine.d.ts +200 -0
  1544. package/dist/security/policy-engine/engine.d.ts.map +1 -0
  1545. package/dist/security/policy-engine/engine.js +752 -0
  1546. package/dist/security/policy-engine/engine.js.map +1 -0
  1547. package/dist/security/policy-engine/index.d.ts +59 -0
  1548. package/dist/security/policy-engine/index.d.ts.map +1 -0
  1549. package/dist/security/policy-engine/index.js +84 -0
  1550. package/dist/security/policy-engine/index.js.map +1 -0
  1551. package/dist/security/policy-engine/middleware.d.ts +77 -0
  1552. package/dist/security/policy-engine/middleware.d.ts.map +1 -0
  1553. package/dist/security/policy-engine/middleware.js +375 -0
  1554. package/dist/security/policy-engine/middleware.js.map +1 -0
  1555. package/dist/security/policy-engine/rule-evaluator.d.ts +140 -0
  1556. package/dist/security/policy-engine/rule-evaluator.d.ts.map +1 -0
  1557. package/dist/security/policy-engine/rule-evaluator.js +593 -0
  1558. package/dist/security/policy-engine/rule-evaluator.js.map +1 -0
  1559. package/dist/security/policy-engine/types.d.ts +2855 -0
  1560. package/dist/security/policy-engine/types.d.ts.map +1 -0
  1561. package/dist/security/policy-engine/types.js +443 -0
  1562. package/dist/security/policy-engine/types.js.map +1 -0
  1563. package/dist/security/refresh-token.d.ts +305 -0
  1564. package/dist/security/refresh-token.d.ts.map +1 -0
  1565. package/dist/security/refresh-token.js +678 -0
  1566. package/dist/security/refresh-token.js.map +1 -0
  1567. package/dist/security/request-integrity.d.ts +289 -0
  1568. package/dist/security/request-integrity.d.ts.map +1 -0
  1569. package/dist/security/request-integrity.js +663 -0
  1570. package/dist/security/request-integrity.js.map +1 -0
  1571. package/dist/security/revocation-check.d.ts +188 -0
  1572. package/dist/security/revocation-check.d.ts.map +1 -0
  1573. package/dist/security/revocation-check.js +606 -0
  1574. package/dist/security/revocation-check.js.map +1 -0
  1575. package/dist/security/revocation.d.ts +191 -0
  1576. package/dist/security/revocation.d.ts.map +1 -0
  1577. package/dist/security/revocation.js +522 -0
  1578. package/dist/security/revocation.js.map +1 -0
  1579. package/dist/security/secrets-rotation.d.ts +501 -0
  1580. package/dist/security/secrets-rotation.d.ts.map +1 -0
  1581. package/dist/security/secrets-rotation.js +934 -0
  1582. package/dist/security/secrets-rotation.js.map +1 -0
  1583. package/dist/security/secure-memory.d.ts +325 -0
  1584. package/dist/security/secure-memory.d.ts.map +1 -0
  1585. package/dist/security/secure-memory.js +595 -0
  1586. package/dist/security/secure-memory.js.map +1 -0
  1587. package/dist/security/security-service.d.ts +186 -0
  1588. package/dist/security/security-service.d.ts.map +1 -0
  1589. package/dist/security/security-service.js +531 -0
  1590. package/dist/security/security-service.js.map +1 -0
  1591. package/dist/security/service-auth/index.d.ts +20 -0
  1592. package/dist/security/service-auth/index.d.ts.map +1 -0
  1593. package/dist/security/service-auth/index.js +61 -0
  1594. package/dist/security/service-auth/index.js.map +1 -0
  1595. package/dist/security/service-auth/service-account.d.ts +357 -0
  1596. package/dist/security/service-auth/service-account.d.ts.map +1 -0
  1597. package/dist/security/service-auth/service-account.js +475 -0
  1598. package/dist/security/service-auth/service-account.js.map +1 -0
  1599. package/dist/security/service-auth/service-auth-middleware.d.ts +174 -0
  1600. package/dist/security/service-auth/service-auth-middleware.d.ts.map +1 -0
  1601. package/dist/security/service-auth/service-auth-middleware.js +461 -0
  1602. package/dist/security/service-auth/service-auth-middleware.js.map +1 -0
  1603. package/dist/security/service-auth/service-token.d.ts +391 -0
  1604. package/dist/security/service-auth/service-token.d.ts.map +1 -0
  1605. package/dist/security/service-auth/service-token.js +472 -0
  1606. package/dist/security/service-auth/service-token.js.map +1 -0
  1607. package/dist/security/session-manager.d.ts +177 -0
  1608. package/dist/security/session-manager.d.ts.map +1 -0
  1609. package/dist/security/session-manager.js +353 -0
  1610. package/dist/security/session-manager.js.map +1 -0
  1611. package/dist/security/session-store.d.ts +205 -0
  1612. package/dist/security/session-store.d.ts.map +1 -0
  1613. package/dist/security/session-store.js +581 -0
  1614. package/dist/security/session-store.js.map +1 -0
  1615. package/dist/security/siem/connector.d.ts +147 -0
  1616. package/dist/security/siem/connector.d.ts.map +1 -0
  1617. package/dist/security/siem/connector.js +254 -0
  1618. package/dist/security/siem/connector.js.map +1 -0
  1619. package/dist/security/siem/datadog.d.ts +81 -0
  1620. package/dist/security/siem/datadog.d.ts.map +1 -0
  1621. package/dist/security/siem/datadog.js +362 -0
  1622. package/dist/security/siem/datadog.js.map +1 -0
  1623. package/dist/security/siem/elastic.d.ts +83 -0
  1624. package/dist/security/siem/elastic.d.ts.map +1 -0
  1625. package/dist/security/siem/elastic.js +514 -0
  1626. package/dist/security/siem/elastic.js.map +1 -0
  1627. package/dist/security/siem/enrichment.d.ts +133 -0
  1628. package/dist/security/siem/enrichment.d.ts.map +1 -0
  1629. package/dist/security/siem/enrichment.js +434 -0
  1630. package/dist/security/siem/enrichment.js.map +1 -0
  1631. package/dist/security/siem/formatter.d.ts +118 -0
  1632. package/dist/security/siem/formatter.d.ts.map +1 -0
  1633. package/dist/security/siem/formatter.js +381 -0
  1634. package/dist/security/siem/formatter.js.map +1 -0
  1635. package/dist/security/siem/hooks.d.ts +107 -0
  1636. package/dist/security/siem/hooks.d.ts.map +1 -0
  1637. package/dist/security/siem/hooks.js +459 -0
  1638. package/dist/security/siem/hooks.js.map +1 -0
  1639. package/dist/security/siem/index.d.ts +83 -0
  1640. package/dist/security/siem/index.d.ts.map +1 -0
  1641. package/dist/security/siem/index.js +95 -0
  1642. package/dist/security/siem/index.js.map +1 -0
  1643. package/dist/security/siem/service.d.ts +153 -0
  1644. package/dist/security/siem/service.d.ts.map +1 -0
  1645. package/dist/security/siem/service.js +615 -0
  1646. package/dist/security/siem/service.js.map +1 -0
  1647. package/dist/security/siem/splunk.d.ts +76 -0
  1648. package/dist/security/siem/splunk.d.ts.map +1 -0
  1649. package/dist/security/siem/splunk.js +283 -0
  1650. package/dist/security/siem/splunk.js.map +1 -0
  1651. package/dist/security/siem/types.d.ts +1980 -0
  1652. package/dist/security/siem/types.d.ts.map +1 -0
  1653. package/dist/security/siem/types.js +268 -0
  1654. package/dist/security/siem/types.js.map +1 -0
  1655. package/dist/security/tee.d.ts +157 -0
  1656. package/dist/security/tee.d.ts.map +1 -0
  1657. package/dist/security/tee.js +1073 -0
  1658. package/dist/security/tee.js.map +1 -0
  1659. package/dist/security/threat-intel/bot-detection.d.ts +275 -0
  1660. package/dist/security/threat-intel/bot-detection.d.ts.map +1 -0
  1661. package/dist/security/threat-intel/bot-detection.js +890 -0
  1662. package/dist/security/threat-intel/bot-detection.js.map +1 -0
  1663. package/dist/security/threat-intel/credential-stuffing.d.ts +368 -0
  1664. package/dist/security/threat-intel/credential-stuffing.d.ts.map +1 -0
  1665. package/dist/security/threat-intel/credential-stuffing.js +957 -0
  1666. package/dist/security/threat-intel/credential-stuffing.js.map +1 -0
  1667. package/dist/security/threat-intel/index.d.ts +10 -0
  1668. package/dist/security/threat-intel/index.d.ts.map +1 -0
  1669. package/dist/security/threat-intel/index.js +18 -0
  1670. package/dist/security/threat-intel/index.js.map +1 -0
  1671. package/dist/security/threat-intel/ip-reputation.d.ts +323 -0
  1672. package/dist/security/threat-intel/ip-reputation.d.ts.map +1 -0
  1673. package/dist/security/threat-intel/ip-reputation.js +923 -0
  1674. package/dist/security/threat-intel/ip-reputation.js.map +1 -0
  1675. package/dist/security/token-lifecycle.d.ts +272 -0
  1676. package/dist/security/token-lifecycle.d.ts.map +1 -0
  1677. package/dist/security/token-lifecycle.js +732 -0
  1678. package/dist/security/token-lifecycle.js.map +1 -0
  1679. package/dist/security/token-lifetime.d.ts +206 -0
  1680. package/dist/security/token-lifetime.d.ts.map +1 -0
  1681. package/dist/security/token-lifetime.js +388 -0
  1682. package/dist/security/token-lifetime.js.map +1 -0
  1683. package/dist/security/trust-oracle/alerts.d.ts +202 -0
  1684. package/dist/security/trust-oracle/alerts.d.ts.map +1 -0
  1685. package/dist/security/trust-oracle/alerts.js +763 -0
  1686. package/dist/security/trust-oracle/alerts.js.map +1 -0
  1687. package/dist/security/trust-oracle/api.d.ts +116 -0
  1688. package/dist/security/trust-oracle/api.d.ts.map +1 -0
  1689. package/dist/security/trust-oracle/api.js +721 -0
  1690. package/dist/security/trust-oracle/api.js.map +1 -0
  1691. package/dist/security/trust-oracle/continuous-monitoring.d.ts +105 -0
  1692. package/dist/security/trust-oracle/continuous-monitoring.d.ts.map +1 -0
  1693. package/dist/security/trust-oracle/continuous-monitoring.js +710 -0
  1694. package/dist/security/trust-oracle/continuous-monitoring.js.map +1 -0
  1695. package/dist/security/trust-oracle/data-sources.d.ts +102 -0
  1696. package/dist/security/trust-oracle/data-sources.d.ts.map +1 -0
  1697. package/dist/security/trust-oracle/data-sources.js +794 -0
  1698. package/dist/security/trust-oracle/data-sources.js.map +1 -0
  1699. package/dist/security/trust-oracle/index.d.ts +79 -0
  1700. package/dist/security/trust-oracle/index.d.ts.map +1 -0
  1701. package/dist/security/trust-oracle/index.js +206 -0
  1702. package/dist/security/trust-oracle/index.js.map +1 -0
  1703. package/dist/security/trust-oracle/oracle.d.ts +125 -0
  1704. package/dist/security/trust-oracle/oracle.d.ts.map +1 -0
  1705. package/dist/security/trust-oracle/oracle.js +489 -0
  1706. package/dist/security/trust-oracle/oracle.js.map +1 -0
  1707. package/dist/security/trust-oracle/reporting.d.ts +145 -0
  1708. package/dist/security/trust-oracle/reporting.d.ts.map +1 -0
  1709. package/dist/security/trust-oracle/reporting.js +1098 -0
  1710. package/dist/security/trust-oracle/reporting.js.map +1 -0
  1711. package/dist/security/trust-oracle/risk-scorer.d.ts +207 -0
  1712. package/dist/security/trust-oracle/risk-scorer.d.ts.map +1 -0
  1713. package/dist/security/trust-oracle/risk-scorer.js +1033 -0
  1714. package/dist/security/trust-oracle/risk-scorer.js.map +1 -0
  1715. package/dist/security/trust-oracle/types.d.ts +444 -0
  1716. package/dist/security/trust-oracle/types.d.ts.map +1 -0
  1717. package/dist/security/trust-oracle/types.js +6 -0
  1718. package/dist/security/trust-oracle/types.js.map +1 -0
  1719. package/dist/security/trust-oracle/vendor-registry.d.ts +228 -0
  1720. package/dist/security/trust-oracle/vendor-registry.d.ts.map +1 -0
  1721. package/dist/security/trust-oracle/vendor-registry.js +727 -0
  1722. package/dist/security/trust-oracle/vendor-registry.js.map +1 -0
  1723. package/dist/security/types.d.ts +1796 -0
  1724. package/dist/security/types.d.ts.map +1 -0
  1725. package/dist/security/types.js +389 -0
  1726. package/dist/security/types.js.map +1 -0
  1727. package/dist/security/webauthn/index.d.ts +47 -0
  1728. package/dist/security/webauthn/index.d.ts.map +1 -0
  1729. package/dist/security/webauthn/index.js +48 -0
  1730. package/dist/security/webauthn/index.js.map +1 -0
  1731. package/dist/security/webauthn/middleware.d.ts +109 -0
  1732. package/dist/security/webauthn/middleware.d.ts.map +1 -0
  1733. package/dist/security/webauthn/middleware.js +629 -0
  1734. package/dist/security/webauthn/middleware.js.map +1 -0
  1735. package/dist/security/webauthn/service.d.ts +179 -0
  1736. package/dist/security/webauthn/service.d.ts.map +1 -0
  1737. package/dist/security/webauthn/service.js +757 -0
  1738. package/dist/security/webauthn/service.js.map +1 -0
  1739. package/dist/security/webauthn/store.d.ts +240 -0
  1740. package/dist/security/webauthn/store.d.ts.map +1 -0
  1741. package/dist/security/webauthn/store.js +505 -0
  1742. package/dist/security/webauthn/store.js.map +1 -0
  1743. package/dist/security/webauthn/types.d.ts +678 -0
  1744. package/dist/security/webauthn/types.d.ts.map +1 -0
  1745. package/dist/security/webauthn/types.js +176 -0
  1746. package/dist/security/webauthn/types.js.map +1 -0
  1747. package/dist/security/zkp/circuits.d.ts +296 -0
  1748. package/dist/security/zkp/circuits.d.ts.map +1 -0
  1749. package/dist/security/zkp/circuits.js +771 -0
  1750. package/dist/security/zkp/circuits.js.map +1 -0
  1751. package/dist/security/zkp/commitment.d.ts +319 -0
  1752. package/dist/security/zkp/commitment.d.ts.map +1 -0
  1753. package/dist/security/zkp/commitment.js +591 -0
  1754. package/dist/security/zkp/commitment.js.map +1 -0
  1755. package/dist/security/zkp/compliance.d.ts +251 -0
  1756. package/dist/security/zkp/compliance.d.ts.map +1 -0
  1757. package/dist/security/zkp/compliance.js +734 -0
  1758. package/dist/security/zkp/compliance.js.map +1 -0
  1759. package/dist/security/zkp/index.d.ts +184 -0
  1760. package/dist/security/zkp/index.d.ts.map +1 -0
  1761. package/dist/security/zkp/index.js +285 -0
  1762. package/dist/security/zkp/index.js.map +1 -0
  1763. package/dist/security/zkp/integration.d.ts +289 -0
  1764. package/dist/security/zkp/integration.d.ts.map +1 -0
  1765. package/dist/security/zkp/integration.js +571 -0
  1766. package/dist/security/zkp/integration.js.map +1 -0
  1767. package/dist/security/zkp/prover.d.ts +158 -0
  1768. package/dist/security/zkp/prover.d.ts.map +1 -0
  1769. package/dist/security/zkp/prover.js +465 -0
  1770. package/dist/security/zkp/prover.js.map +1 -0
  1771. package/dist/security/zkp/snark-utils.d.ts +321 -0
  1772. package/dist/security/zkp/snark-utils.d.ts.map +1 -0
  1773. package/dist/security/zkp/snark-utils.js +640 -0
  1774. package/dist/security/zkp/snark-utils.js.map +1 -0
  1775. package/dist/security/zkp/types.d.ts +1192 -0
  1776. package/dist/security/zkp/types.d.ts.map +1 -0
  1777. package/dist/security/zkp/types.js +264 -0
  1778. package/dist/security/zkp/types.js.map +1 -0
  1779. package/dist/security/zkp/verifier.d.ts +111 -0
  1780. package/dist/security/zkp/verifier.d.ts.map +1 -0
  1781. package/dist/security/zkp/verifier.js +554 -0
  1782. package/dist/security/zkp/verifier.js.map +1 -0
  1783. package/dist/semantic-governance/context-validator.d.ts +159 -0
  1784. package/dist/semantic-governance/context-validator.d.ts.map +1 -0
  1785. package/dist/semantic-governance/context-validator.js +599 -0
  1786. package/dist/semantic-governance/context-validator.js.map +1 -0
  1787. package/dist/semantic-governance/credential-manager.d.ts +156 -0
  1788. package/dist/semantic-governance/credential-manager.d.ts.map +1 -0
  1789. package/dist/semantic-governance/credential-manager.js +438 -0
  1790. package/dist/semantic-governance/credential-manager.js.map +1 -0
  1791. package/dist/semantic-governance/dual-channel.d.ts +138 -0
  1792. package/dist/semantic-governance/dual-channel.d.ts.map +1 -0
  1793. package/dist/semantic-governance/dual-channel.js +333 -0
  1794. package/dist/semantic-governance/dual-channel.js.map +1 -0
  1795. package/dist/semantic-governance/index.d.ts +107 -0
  1796. package/dist/semantic-governance/index.d.ts.map +1 -0
  1797. package/dist/semantic-governance/index.js +141 -0
  1798. package/dist/semantic-governance/index.js.map +1 -0
  1799. package/dist/semantic-governance/inference-validator.d.ts +114 -0
  1800. package/dist/semantic-governance/inference-validator.d.ts.map +1 -0
  1801. package/dist/semantic-governance/inference-validator.js +390 -0
  1802. package/dist/semantic-governance/inference-validator.js.map +1 -0
  1803. package/dist/semantic-governance/instruction-validator.d.ts +146 -0
  1804. package/dist/semantic-governance/instruction-validator.d.ts.map +1 -0
  1805. package/dist/semantic-governance/instruction-validator.js +357 -0
  1806. package/dist/semantic-governance/instruction-validator.js.map +1 -0
  1807. package/dist/semantic-governance/integration.d.ts +253 -0
  1808. package/dist/semantic-governance/integration.d.ts.map +1 -0
  1809. package/dist/semantic-governance/integration.js +657 -0
  1810. package/dist/semantic-governance/integration.js.map +1 -0
  1811. package/dist/semantic-governance/output-validator.d.ts +135 -0
  1812. package/dist/semantic-governance/output-validator.d.ts.map +1 -0
  1813. package/dist/semantic-governance/output-validator.js +442 -0
  1814. package/dist/semantic-governance/output-validator.js.map +1 -0
  1815. package/dist/semantic-governance/service.d.ts +120 -0
  1816. package/dist/semantic-governance/service.d.ts.map +1 -0
  1817. package/dist/semantic-governance/service.js +527 -0
  1818. package/dist/semantic-governance/service.js.map +1 -0
  1819. package/dist/semantic-governance/types.d.ts +3916 -0
  1820. package/dist/semantic-governance/types.d.ts.map +1 -0
  1821. package/dist/semantic-governance/types.js +462 -0
  1822. package/dist/semantic-governance/types.js.map +1 -0
  1823. package/dist/trust-engine/aci-integration.d.ts +6 -0
  1824. package/dist/trust-engine/aci-integration.d.ts.map +1 -0
  1825. package/dist/trust-engine/aci-integration.js +6 -0
  1826. package/dist/trust-engine/aci-integration.js.map +1 -0
  1827. package/dist/trust-engine/car-integration.d.ts +244 -0
  1828. package/dist/trust-engine/car-integration.d.ts.map +1 -0
  1829. package/dist/trust-engine/car-integration.js +332 -0
  1830. package/dist/trust-engine/car-integration.js.map +1 -0
  1831. package/dist/trust-engine/context.d.ts +197 -0
  1832. package/dist/trust-engine/context.d.ts.map +1 -0
  1833. package/dist/trust-engine/context.js +307 -0
  1834. package/dist/trust-engine/context.js.map +1 -0
  1835. package/dist/trust-engine/index.d.ts +410 -0
  1836. package/dist/trust-engine/index.d.ts.map +1 -0
  1837. package/dist/trust-engine/index.js +1221 -0
  1838. package/dist/trust-engine/index.js.map +1 -0
  1839. package/dist/trust-engine/observability.d.ts +175 -0
  1840. package/dist/trust-engine/observability.d.ts.map +1 -0
  1841. package/dist/trust-engine/observability.js +244 -0
  1842. package/dist/trust-engine/observability.js.map +1 -0
  1843. package/package.json +200 -0
@@ -0,0 +1,1967 @@
1
+ /**
2
+ * API Server
3
+ *
4
+ * Fastify server providing REST API for Vorion platform.
5
+ *
6
+ * @packageDocumentation
7
+ */
8
+ import Fastify from 'fastify';
9
+ import cors from '@fastify/cors';
10
+ import helmet from '@fastify/helmet';
11
+ import rateLimit from '@fastify/rate-limit';
12
+ import fastifyJwt from '@fastify/jwt';
13
+ import { createLogger, logger } from '../common/logger.js';
14
+ import { getConfig } from '../common/config.js';
15
+ import { extractTraceFromHeaders, createTraceContext, } from '../common/trace.js';
16
+ // Note: Database and Redis health checks are now handled by globalHealthCheck/globalReadinessCheck
17
+ // in src/intent/health.ts which provides unified health monitoring
18
+ import { z } from 'zod';
19
+ import { createIntentService, intentSubmissionSchema, bulkIntentSubmissionSchema, PAYLOAD_LIMITS, } from '../intent/index.js';
20
+ import { createAuditService } from '../audit/service.js';
21
+ import { createPolicyService, getPolicyLoader, POLICY_STATUSES, } from '../policy/index.js';
22
+ import { PolicyValidationException } from '../policy/service.js';
23
+ import { registerIntentWorkers, retryDeadLetterJob, enqueueIntentSubmission, } from '../intent/queues.js';
24
+ import { isServerShuttingDown, shutdownRequestHook, shutdownResponseHook, registerShutdownHandlers, getActiveRequestCount, } from '../intent/shutdown.js';
25
+ import { createEscalationService } from '../intent/escalation.js';
26
+ import { createWebhookService } from '../intent/webhooks.js';
27
+ import { getMetrics, getMetricsContentType, tokenRevocationChecks } from '../intent/metrics.js';
28
+ import { startScheduler, getSchedulerStatus, runCleanupNow } from '../intent/scheduler.js';
29
+ import { livenessCheck as intentLivenessCheck, intentReadinessCheck as intentModuleReadinessCheck, validateStartupDependencies, globalHealthCheck, globalReadinessCheck, } from '../intent/health.js';
30
+ import { createGdprService, enqueueGdprExport, registerGdprWorker, } from '../intent/gdpr.js';
31
+ import { INTENT_STATUSES } from '../common/types.js';
32
+ import { createTokenRevocationService, validateJti, recordTokenRevocationAudit, } from '../common/token-revocation.js';
33
+ import { POLICY_ROLES, checkAuthorization, } from '../common/authorization.js';
34
+ import { ForbiddenError, } from '../common/errors.js';
35
+ import { createProofService } from '../proof/index.js';
36
+ import { createTrustEngine, TRUST_LEVEL_NAMES } from '../trust-engine/index.js';
37
+ import { validateRule } from '../basis/parser.js';
38
+ import { requireTenantMembership } from '../common/tenant-verification.js';
39
+ import { verifyGroupMembership, isAssignedApprover, assignApprover, removeApprover, listApprovers, } from '../common/group-membership.js';
40
+ import { CSRFProtection, } from '../security/index.js';
41
+ import { createStandardErrorHandler, sendSuccess, sendError, sendNotFound, sendCursorPaginated, } from '../intent/response-middleware.js';
42
+ import { HttpStatus } from '../intent/response.js';
43
+ import { registerExtensionRoutes } from './routes/extensions.js';
44
+ import { versioningPlugin, CURRENT_VERSION, getVersionedPrefix } from './versioning/index.js';
45
+ import { v1RoutesPlugin } from './v1/index.js';
46
+ import { backwardCompatPlugin } from './versioning/backward-compat.js';
47
+ import { apiKeyEnforcementPlugin } from './middleware/api-key-enforcement.js';
48
+ import { metricsMiddleware } from './middleware/metrics.js';
49
+ import { startMemoryMetricsCollection, } from '../common/metrics.js';
50
+ import { checkAndRunMigrations, PendingMigrationsError, CriticalSchemaDriftError, } from '../db/migration-checker.js';
51
+ const apiLogger = createLogger({ component: 'api' });
52
+ const intentService = createIntentService();
53
+ const escalationService = createEscalationService();
54
+ const auditService = createAuditService();
55
+ const policyService = createPolicyService();
56
+ const policyLoader = getPolicyLoader();
57
+ const webhookService = createWebhookService();
58
+ const tokenRevocationService = createTokenRevocationService();
59
+ const gdprService = createGdprService();
60
+ const proofService = createProofService();
61
+ const trustEngine = createTrustEngine();
62
+ const intentIdParamsSchema = z.object({
63
+ id: z.string().uuid(),
64
+ });
65
+ const intentListQuerySchema = z.object({
66
+ entityId: z.string().uuid().optional(),
67
+ status: z
68
+ .string()
69
+ .refine((value) => INTENT_STATUSES.includes(value), {
70
+ message: 'Invalid status',
71
+ })
72
+ .optional(),
73
+ limit: z.coerce.number().int().min(1).max(100).optional(),
74
+ cursor: z.string().uuid().optional(),
75
+ });
76
+ const intentCancelBodySchema = z.object({
77
+ reason: z.string().min(1).max(500),
78
+ });
79
+ const escalationIdParamsSchema = z.object({
80
+ id: z.string().uuid(),
81
+ });
82
+ const proofIdParamsSchema = z.object({
83
+ id: z.string().uuid(),
84
+ });
85
+ const trustEntityIdParamsSchema = z.object({
86
+ entityId: z.string().uuid(),
87
+ });
88
+ const constraintValidationBodySchema = z.object({
89
+ rule: z.object({
90
+ id: z.string(),
91
+ name: z.string(),
92
+ description: z.string().optional(),
93
+ priority: z.number().optional(),
94
+ enabled: z.boolean().optional(),
95
+ when: z.object({
96
+ intentType: z.union([z.string(), z.array(z.string())]).optional(),
97
+ entityType: z.union([z.string(), z.array(z.string())]).optional(),
98
+ conditions: z.array(z.object({
99
+ field: z.string(),
100
+ operator: z.enum([
101
+ 'equals', 'not_equals', 'greater_than', 'less_than',
102
+ 'greater_than_or_equal', 'less_than_or_equal',
103
+ 'in', 'not_in', 'contains', 'not_contains',
104
+ 'matches', 'exists', 'not_exists',
105
+ ]),
106
+ value: z.unknown(),
107
+ })).optional(),
108
+ }),
109
+ evaluate: z.array(z.object({
110
+ condition: z.string(),
111
+ result: z.enum(['allow', 'deny', 'escalate', 'limit', 'monitor', 'terminate']),
112
+ reason: z.string().optional(),
113
+ escalation: z.object({
114
+ to: z.string(),
115
+ timeout: z.string(),
116
+ requireJustification: z.boolean().optional(),
117
+ autoDenyOnTimeout: z.boolean().optional(),
118
+ }).optional(),
119
+ })),
120
+ metadata: z.record(z.unknown()).optional(),
121
+ }),
122
+ });
123
+ const escalationResolveBodySchema = z.object({
124
+ notes: z.string().max(1000).optional(),
125
+ });
126
+ /**
127
+ * SECURE Authorization helper: Check if user can resolve an escalation
128
+ *
129
+ * SECURITY FIX: This function now verifies group membership against the database,
130
+ * NOT trusting JWT claims which can be manipulated by attackers.
131
+ *
132
+ * Authorization is granted if ANY of the following are true:
133
+ * 1. User has admin role (verified from token, but roles are signed by auth server)
134
+ * 2. User is directly assigned as an approver for this escalation (database check)
135
+ * 3. User is the direct target of the escalation (escalatedTo === userId)
136
+ * 4. User has verified group membership matching escalatedTo (database check)
137
+ *
138
+ * All authorization decisions are logged for audit purposes.
139
+ */
140
+ async function canResolveEscalation(user, escalation, userTenantId) {
141
+ const userId = user.sub;
142
+ const escalationId = escalation.id;
143
+ // Tenant isolation: user must belong to same tenant
144
+ if (userTenantId !== escalation.tenantId) {
145
+ apiLogger.warn({ userId, escalationId, userTenantId, escalationTenantId: escalation.tenantId }, 'Authorization denied: tenant mismatch');
146
+ return { allowed: false, reason: 'Escalation belongs to different tenant' };
147
+ }
148
+ // Admin override - roles in JWT are signed by auth server, so we trust them
149
+ // Note: For highest security, admin roles could also be verified against database
150
+ const roles = user.roles ?? [];
151
+ if (roles.includes('admin') || roles.includes('tenant:admin') || roles.includes('escalation:admin')) {
152
+ apiLogger.info({ userId, escalationId, authMethod: 'admin_role' }, 'Authorization granted: admin role');
153
+ return { allowed: true, authMethod: 'admin_role' };
154
+ }
155
+ // escalatedTo can be a user ID, role, or group name
156
+ const escalatedTo = escalation.escalatedTo;
157
+ // Direct user match - if escalation was assigned directly to this user
158
+ if (userId && escalatedTo === userId) {
159
+ apiLogger.info({ userId, escalationId, authMethod: 'direct_assignment' }, 'Authorization granted: direct user assignment');
160
+ return { allowed: true, authMethod: 'direct_assignment' };
161
+ }
162
+ // Check if user is explicitly assigned as an approver for this escalation
163
+ // This is a database check, not trusting JWT claims
164
+ if (userId) {
165
+ try {
166
+ const approverResult = await isAssignedApprover(escalationId, userId, userTenantId);
167
+ if (approverResult.isApprover) {
168
+ apiLogger.info({ userId, escalationId, authMethod: 'explicit_approver', assignedAt: approverResult.assignedAt }, 'Authorization granted: explicitly assigned approver');
169
+ return { allowed: true, authMethod: 'explicit_approver' };
170
+ }
171
+ }
172
+ catch (error) {
173
+ apiLogger.error({ error, userId, escalationId }, 'Error checking explicit approver assignment');
174
+ // Continue to other checks - don't fail open, but don't fail closed on DB errors
175
+ }
176
+ }
177
+ // SECURITY FIX: Verify group membership against database, NOT JWT claims
178
+ // The old code trusted user.groups from JWT which attackers could manipulate
179
+ if (userId) {
180
+ try {
181
+ const groupResult = await verifyGroupMembership(userId, escalatedTo, userTenantId);
182
+ if (groupResult.isMember) {
183
+ apiLogger.info({ userId, escalationId, groupName: escalatedTo, authMethod: 'verified_group_membership', source: groupResult.source }, 'Authorization granted: verified group membership');
184
+ return { allowed: true, authMethod: 'verified_group_membership' };
185
+ }
186
+ }
187
+ catch (error) {
188
+ apiLogger.error({ error, userId, escalationId, groupName: escalatedTo }, 'Error verifying group membership');
189
+ // Continue to denial - fail closed on DB errors for security
190
+ }
191
+ }
192
+ // Note: We no longer trust JWT group claims (user.groups) for authorization
193
+ // The following code has been removed as it was the source of the vulnerability:
194
+ // if (groups.includes(escalatedTo)) { return { allowed: true }; }
195
+ // Note: Generic approver roles are also no longer trusted from JWT
196
+ // If approver roles are needed, they should be verified against the database
197
+ // The following code has been removed:
198
+ // if (roles.includes('approver') || roles.includes('tenant:approver')) { return { allowed: true }; }
199
+ apiLogger.warn({ userId, escalationId, escalatedTo }, 'Authorization denied: no valid authorization method found');
200
+ return {
201
+ allowed: false,
202
+ reason: `User not authorized to resolve escalation (escalatedTo: ${escalatedTo}). Authorization requires: admin role, explicit approver assignment, or verified group membership.`,
203
+ };
204
+ }
205
+ const dlqRetryParamsSchema = z.object({
206
+ jobId: z.string(),
207
+ });
208
+ // ========== Audit Schemas ==========
209
+ const auditIdParamsSchema = z.object({
210
+ id: z.string().uuid(),
211
+ });
212
+ const auditQuerySchema = z.object({
213
+ eventType: z.string().optional(),
214
+ eventCategory: z.enum(['intent', 'policy', 'escalation', 'authentication', 'authorization', 'data', 'system', 'admin']).optional(),
215
+ severity: z.enum(['info', 'warning', 'error', 'critical']).optional(),
216
+ actorId: z.string().uuid().optional(),
217
+ targetId: z.string().uuid().optional(),
218
+ targetType: z.enum(['intent', 'policy', 'escalation', 'entity', 'tenant', 'user', 'system']).optional(),
219
+ startTime: z.string().datetime().optional(),
220
+ endTime: z.string().datetime().optional(),
221
+ limit: z.coerce.number().int().min(1).max(1000).optional(),
222
+ offset: z.coerce.number().int().min(0).optional(),
223
+ });
224
+ const auditTargetParamsSchema = z.object({
225
+ targetType: z.enum(['intent', 'policy', 'escalation', 'entity', 'tenant', 'user', 'system']),
226
+ targetId: z.string().uuid(),
227
+ });
228
+ const auditTargetQuerySchema = z.object({
229
+ limit: z.coerce.number().int().min(1).max(1000).optional(),
230
+ offset: z.coerce.number().int().min(0).optional(),
231
+ });
232
+ const auditTraceParamsSchema = z.object({
233
+ traceId: z.string(),
234
+ });
235
+ const auditStatsQuerySchema = z.object({
236
+ startTime: z.string().datetime().optional(),
237
+ endTime: z.string().datetime().optional(),
238
+ });
239
+ const auditVerifyBodySchema = z.object({
240
+ startSequence: z.number().int().min(0).optional(),
241
+ limit: z.number().int().min(1).max(100000).optional(),
242
+ });
243
+ // ========== Policy Schemas ==========
244
+ const policyIdParamsSchema = z.object({
245
+ id: z.string().uuid(),
246
+ });
247
+ const policyListQuerySchema = z.object({
248
+ namespace: z.string().optional(),
249
+ status: z
250
+ .string()
251
+ .refine((value) => POLICY_STATUSES.includes(value), {
252
+ message: 'Invalid policy status',
253
+ })
254
+ .optional(),
255
+ limit: z.coerce.number().int().min(1).max(100).optional(),
256
+ offset: z.coerce.number().int().min(0).optional(),
257
+ });
258
+ const policyCreateBodySchema = z.object({
259
+ name: z.string().min(1).max(255),
260
+ description: z.string().max(1000).optional(),
261
+ namespace: z.string().min(1).max(100).optional(),
262
+ definition: z.object({
263
+ version: z.literal('1.0'),
264
+ target: z.object({
265
+ intentTypes: z.array(z.string()).optional(),
266
+ entityTypes: z.array(z.string()).optional(),
267
+ trustLevels: z.array(z.number().int().min(0).max(4)).optional(),
268
+ namespaces: z.array(z.string()).optional(),
269
+ }).optional(),
270
+ rules: z.array(z.object({
271
+ id: z.string(),
272
+ name: z.string(),
273
+ description: z.string().optional(),
274
+ priority: z.number().int(),
275
+ enabled: z.boolean(),
276
+ when: z.unknown(), // Complex nested condition validation handled by PolicyService
277
+ then: z.object({
278
+ action: z.enum(['allow', 'deny', 'escalate', 'limit', 'monitor', 'terminate']),
279
+ reason: z.string().optional(),
280
+ escalation: z.object({
281
+ to: z.string(),
282
+ timeout: z.string(),
283
+ requireJustification: z.boolean().optional(),
284
+ autoDenyOnTimeout: z.boolean().optional(),
285
+ }).optional(),
286
+ constraints: z.record(z.unknown()).optional(),
287
+ }),
288
+ })),
289
+ defaultAction: z.enum(['allow', 'deny', 'escalate', 'limit', 'monitor', 'terminate']),
290
+ defaultReason: z.string().optional(),
291
+ metadata: z.record(z.unknown()).optional(),
292
+ }),
293
+ metadata: z.record(z.unknown()).optional(),
294
+ });
295
+ const policyUpdateBodySchema = z.object({
296
+ description: z.string().max(1000).optional(),
297
+ definition: policyCreateBodySchema.shape.definition.optional(),
298
+ changeSummary: z.string().max(500).optional(),
299
+ });
300
+ // ========== Webhook Schemas ==========
301
+ const WEBHOOK_EVENT_TYPES = [
302
+ 'escalation.created',
303
+ 'escalation.approved',
304
+ 'escalation.rejected',
305
+ 'escalation.timeout',
306
+ 'intent.approved',
307
+ 'intent.denied',
308
+ 'intent.completed',
309
+ ];
310
+ const webhookCreateBodySchema = z.object({
311
+ url: z.string().url(),
312
+ secret: z.string().min(16).max(256).optional(),
313
+ events: z.array(z.string().refine((value) => WEBHOOK_EVENT_TYPES.includes(value), {
314
+ message: 'Invalid webhook event type',
315
+ })).min(1),
316
+ enabled: z.boolean().optional().default(true),
317
+ });
318
+ const webhookIdParamsSchema = z.object({
319
+ id: z.string().uuid(),
320
+ });
321
+ const webhookDeliveriesQuerySchema = z.object({
322
+ limit: z.coerce.number().int().min(1).max(100).optional(),
323
+ });
324
+ // ========== Token Revocation Schemas ==========
325
+ const userIdParamsSchema = z.object({
326
+ userId: z.string().uuid(),
327
+ });
328
+ /**
329
+ * Extract and verify tenant ID from JWT token.
330
+ *
331
+ * SECURITY: This function verifies that the user (sub claim) is actually a member
332
+ * of the tenant specified in the tenantId claim. This prevents cross-tenant data
333
+ * exposure attacks where an attacker modifies JWT claims to access other tenants' data.
334
+ *
335
+ * @param request - The Fastify request object
336
+ * @returns The verified tenant ID
337
+ * @throws ForbiddenError if tenant context is missing or user is not a member
338
+ */
339
+ async function getTenantId(request) {
340
+ const payload = await request.jwtVerify();
341
+ if (!payload.tenantId) {
342
+ throw new ForbiddenError('Tenant context missing from token');
343
+ }
344
+ if (!payload.sub) {
345
+ throw new ForbiddenError('User identifier missing from token');
346
+ }
347
+ // CRITICAL SECURITY CHECK: Verify user is actually a member of the claimed tenant
348
+ // This prevents attackers from modifying JWT tenantId claims to access other tenants' data
349
+ await requireTenantMembership(payload.sub, payload.tenantId);
350
+ return payload.tenantId;
351
+ }
352
+ /**
353
+ * Create and configure the API server
354
+ */
355
+ export async function createServer() {
356
+ const config = getConfig();
357
+ const server = Fastify({
358
+ logger: logger,
359
+ requestIdHeader: 'x-request-id',
360
+ requestIdLogLabel: 'requestId',
361
+ // Enforce body size limit at HTTP layer (matches schema validation limit)
362
+ bodyLimit: PAYLOAD_LIMITS.MAX_PAYLOAD_SIZE_BYTES,
363
+ });
364
+ await server.register(fastifyJwt, {
365
+ secret: config.jwt.secret,
366
+ });
367
+ // Register plugins
368
+ await server.register(cors, {
369
+ origin: config.env === 'production' ? false : config.cors.allowedOrigins,
370
+ credentials: true,
371
+ });
372
+ await server.register(helmet, {
373
+ contentSecurityPolicy: config.env === 'production',
374
+ });
375
+ await server.register(rateLimit, {
376
+ max: config.api.rateLimit,
377
+ timeWindow: '1 minute',
378
+ });
379
+ // API metrics middleware - collects request duration, size, and error metrics
380
+ await server.register(metricsMiddleware, {
381
+ excludeRoutes: ['/health', '/ready', '/live', '/metrics', '/scheduler'],
382
+ collectRequestSize: true,
383
+ collectResponseSize: true,
384
+ });
385
+ apiLogger.info('API metrics middleware enabled');
386
+ // Start memory metrics collection
387
+ startMemoryMetricsCollection(10000); // Collect every 10 seconds
388
+ // CSRF Protection middleware
389
+ // Only enabled if csrf.enabled is true and a secret is configured
390
+ if (config.csrf.enabled) {
391
+ try {
392
+ // Generate or use configured secret
393
+ const csrfSecret = config.csrf.secret ?? process.env['VORION_CSRF_SECRET'];
394
+ if (csrfSecret && csrfSecret.length >= 32) {
395
+ const csrfProtection = new CSRFProtection({
396
+ secret: csrfSecret,
397
+ cookieName: config.csrf.cookieName,
398
+ headerName: config.csrf.headerName,
399
+ tokenTTL: config.csrf.tokenTTL,
400
+ excludePaths: config.csrf.excludePaths,
401
+ excludeMethods: config.csrf.excludeMethods,
402
+ cookieOptions: {
403
+ secure: config.env === 'production',
404
+ httpOnly: true,
405
+ sameSite: 'strict',
406
+ path: '/',
407
+ maxAge: Math.floor(config.csrf.tokenTTL / 1000), // Convert ms to seconds
408
+ },
409
+ });
410
+ server.addHook('preHandler', csrfProtection.createMiddleware());
411
+ apiLogger.info({
412
+ cookieName: config.csrf.cookieName,
413
+ headerName: config.csrf.headerName,
414
+ excludePaths: config.csrf.excludePaths,
415
+ excludeMethods: config.csrf.excludeMethods,
416
+ }, 'CSRF protection enabled');
417
+ }
418
+ else {
419
+ apiLogger.warn('CSRF protection enabled but no valid secret configured - CSRF middleware not registered');
420
+ }
421
+ }
422
+ catch (error) {
423
+ apiLogger.error({ error: error instanceof Error ? error.message : 'Unknown error' }, 'Failed to initialize CSRF protection');
424
+ }
425
+ }
426
+ else {
427
+ apiLogger.info('CSRF protection disabled by configuration');
428
+ }
429
+ // Trace context hook - extract or create trace context for each request
430
+ // Store trace context on request for later use
431
+ server.decorateRequest('traceContext', null);
432
+ server.addHook('onRequest', async (request, reply) => {
433
+ // Extract trace context from incoming headers or create new one
434
+ const headers = request.headers;
435
+ const extractedContext = extractTraceFromHeaders(headers);
436
+ const traceContext = extractedContext ?? createTraceContext();
437
+ // Store on request for later use
438
+ request.traceContext = traceContext;
439
+ // Add trace ID to reply headers for correlation
440
+ reply.header('x-trace-id', traceContext.traceId);
441
+ reply.header('traceparent', traceContext.traceparent);
442
+ });
443
+ // Content-Type validation for POST/PUT/PATCH requests
444
+ server.addHook('preHandler', async (request, reply) => {
445
+ const method = request.method.toUpperCase();
446
+ if (['POST', 'PUT', 'PATCH'].includes(method)) {
447
+ const contentType = request.headers['content-type'];
448
+ const hasBody = request.body !== undefined && request.body !== null;
449
+ if (hasBody && (!contentType || !contentType.includes('application/json'))) {
450
+ return reply.status(415).send({
451
+ error: {
452
+ code: 'UNSUPPORTED_MEDIA_TYPE',
453
+ message: 'Content-Type must be application/json',
454
+ },
455
+ });
456
+ }
457
+ }
458
+ });
459
+ // X-API-Version header on all responses
460
+ server.addHook('onSend', async (_request, reply) => {
461
+ reply.header('X-API-Version', 'v1');
462
+ });
463
+ // Graceful shutdown hooks - track active requests and reject new ones during shutdown
464
+ // This must run after trace context hook but before route handlers
465
+ server.addHook('onRequest', shutdownRequestHook);
466
+ server.addHook('onResponse', shutdownResponseHook);
467
+ // ==========================================================================
468
+ // Global Health Endpoints
469
+ // ==========================================================================
470
+ /**
471
+ * Global liveness check endpoint - Kubernetes livenessProbe
472
+ *
473
+ * Returns detailed component status including:
474
+ * - Memory usage and uptime
475
+ * - INTENT module health
476
+ * - Process information
477
+ *
478
+ * Returns 503 during shutdown or if critical components unhealthy
479
+ */
480
+ server.get('/health', async (_request, reply) => {
481
+ const shuttingDown = isServerShuttingDown();
482
+ const activeRequests = getActiveRequestCount();
483
+ try {
484
+ const healthStatus = await globalHealthCheck(activeRequests, shuttingDown);
485
+ // Return 503 for shutdown or unhealthy status
486
+ const statusCode = healthStatus.status === 'shutting_down' || healthStatus.status === 'unhealthy'
487
+ ? 503
488
+ : 200;
489
+ // Add Retry-After header during shutdown
490
+ if (healthStatus.status === 'shutting_down') {
491
+ reply.header('Retry-After', '5');
492
+ }
493
+ return reply.status(statusCode).send(healthStatus);
494
+ }
495
+ catch (error) {
496
+ apiLogger.warn({ error: error instanceof Error ? error.message : 'Unknown error' }, 'Global health check failed');
497
+ return reply.status(503).send({
498
+ status: 'unhealthy',
499
+ version: process.env['npm_package_version'] || '0.0.0',
500
+ environment: config.env,
501
+ error: error instanceof Error ? error.message : 'Unknown error',
502
+ timestamp: new Date().toISOString(),
503
+ });
504
+ }
505
+ });
506
+ /**
507
+ * Global readiness check endpoint - Kubernetes readinessProbe
508
+ *
509
+ * Checks all dependencies with timeouts:
510
+ * - Database connectivity and latency
511
+ * - Redis connectivity and latency
512
+ * - Queue health and job counts
513
+ * - INTENT module readiness (policies, queues)
514
+ *
515
+ * Returns structured response with component-level status
516
+ * Returns 503 if any critical component is unhealthy
517
+ */
518
+ server.get('/ready', async (_request, reply) => {
519
+ try {
520
+ const readinessStatus = await globalReadinessCheck();
521
+ // Return 503 for non-ready status
522
+ const statusCode = readinessStatus.status === 'ready' ? 200 : 503;
523
+ return reply.status(statusCode).send(readinessStatus);
524
+ }
525
+ catch (error) {
526
+ const errorMessage = error instanceof Error ? error.message : 'Unknown error';
527
+ apiLogger.warn({ error: errorMessage }, 'Global readiness check failed');
528
+ return reply.status(503).send({
529
+ status: 'unhealthy',
530
+ checks: {
531
+ database: { status: 'error', error: errorMessage },
532
+ redis: { status: 'error', error: errorMessage },
533
+ queues: { status: 'error', error: errorMessage },
534
+ intent: { status: 'error', error: errorMessage },
535
+ },
536
+ error: errorMessage,
537
+ timestamp: new Date().toISOString(),
538
+ });
539
+ }
540
+ });
541
+ // Metrics endpoint (Prometheus format)
542
+ server.get('/metrics', async (_request, reply) => {
543
+ const metrics = await getMetrics();
544
+ return reply
545
+ .header('Content-Type', getMetricsContentType())
546
+ .send(metrics);
547
+ });
548
+ // Scheduler status (no auth required for health monitoring)
549
+ server.get('/scheduler', async () => {
550
+ const schedulerStatus = getSchedulerStatus();
551
+ return {
552
+ status: schedulerStatus.isLeader ? 'leader' : 'standby',
553
+ isLeader: schedulerStatus.isLeader,
554
+ instanceId: schedulerStatus.instanceId,
555
+ tasks: schedulerStatus.tasks,
556
+ timestamp: new Date().toISOString(),
557
+ };
558
+ });
559
+ // ==========================================================================
560
+ // INTENT Module Health Endpoints (auto-registered at startup)
561
+ // ==========================================================================
562
+ /**
563
+ * INTENT module liveness check - Kubernetes livenessProbe for INTENT service
564
+ *
565
+ * Minimal self-check that returns quickly. Only fails if process is deadlocked.
566
+ * No external dependencies are checked.
567
+ */
568
+ server.get(`${config.api.basePath}/intent/health`, async (_request, reply) => {
569
+ const result = await intentLivenessCheck();
570
+ const statusCode = result.alive ? 200 : 503;
571
+ return reply.status(statusCode).send({
572
+ status: result.alive ? 'healthy' : 'unhealthy',
573
+ module: 'intent',
574
+ alive: result.alive,
575
+ timestamp: new Date().toISOString(),
576
+ });
577
+ });
578
+ /**
579
+ * INTENT module readiness check - Kubernetes readinessProbe for INTENT service
580
+ *
581
+ * Checks INTENT-specific dependencies:
582
+ * - Queue connectivity and health
583
+ * - Policy loader availability
584
+ *
585
+ * Returns 503 if INTENT module cannot handle requests
586
+ */
587
+ server.get(`${config.api.basePath}/intent/ready`, async (_request, reply) => {
588
+ const healthStatus = await intentModuleReadinessCheck();
589
+ const statusCode = healthStatus.status === 'healthy' ? 200 : 503;
590
+ return reply.status(statusCode).send({
591
+ ...healthStatus,
592
+ module: 'intent',
593
+ });
594
+ });
595
+ apiLogger.info({ healthEndpoint: '/health', readyEndpoint: '/ready', intentHealth: `${config.api.basePath}/intent/health`, intentReady: `${config.api.basePath}/intent/ready` }, 'Health check endpoints auto-registered');
596
+ // ==========================================================================
597
+ // API Versioning
598
+ // ==========================================================================
599
+ // Register versioning plugin for version extraction and deprecation headers
600
+ await server.register(versioningPlugin, {
601
+ defaultVersion: CURRENT_VERSION,
602
+ includeDeprecationHeaders: true,
603
+ basePath: '/api',
604
+ });
605
+ apiLogger.info({ currentVersion: CURRENT_VERSION, versionedPrefix: getVersionedPrefix(CURRENT_VERSION) }, 'API versioning enabled');
606
+ // ==========================================================================
607
+ // API Key Enforcement
608
+ // ==========================================================================
609
+ // Register API key enforcement plugin to enable API key authentication
610
+ // alongside JWT-based auth. This enforces rate limits from API keys and
611
+ // validates scopes based on route configuration.
612
+ await server.register(apiKeyEnforcementPlugin, {
613
+ defaultAuth: 'jwt_or_api_key',
614
+ enforceRateLimit: true,
615
+ logAuthDecisions: config.env !== 'production',
616
+ skipPaths: ['/health', '/ready', '/metrics', '/scheduler'],
617
+ });
618
+ apiLogger.info('API key enforcement enabled');
619
+ // ==========================================================================
620
+ // Versioned API Routes (v1)
621
+ // ==========================================================================
622
+ // Register v1 routes under /api/v1 prefix
623
+ server.register(async (v1Api) => {
624
+ // Token revocation check hook for v1 routes
625
+ // This hook only applies to JWT-authenticated requests.
626
+ // API key authenticated requests are handled by the API key enforcement plugin.
627
+ v1Api.addHook('preHandler', async (request, reply) => {
628
+ // Skip token revocation for logout endpoint
629
+ if (request.url.endsWith('/auth/logout')) {
630
+ return;
631
+ }
632
+ // Skip token revocation check for API key authenticated requests
633
+ // API keys have their own revocation mechanism handled by the API key service
634
+ if (request.authMethod === 'api_key') {
635
+ tokenRevocationChecks.inc({ result: 'api_key_auth' });
636
+ return;
637
+ }
638
+ // Skip for unauthenticated routes (handled by API key enforcement plugin)
639
+ if (request.authMethod === 'none') {
640
+ return;
641
+ }
642
+ try {
643
+ const payload = await request.jwtVerify();
644
+ const jtiValidation = validateJti(payload, config);
645
+ if (!jtiValidation.valid) {
646
+ tokenRevocationChecks.inc({ result: 'missing_jti' });
647
+ return reply.status(401).send({
648
+ error: { code: 'TOKEN_INVALID', message: jtiValidation.error },
649
+ });
650
+ }
651
+ if (!jtiValidation.jti) {
652
+ tokenRevocationChecks.inc({ result: 'missing_jti' });
653
+ return;
654
+ }
655
+ const isTokenRevoked = await tokenRevocationService.isRevoked(jtiValidation.jti);
656
+ if (isTokenRevoked) {
657
+ tokenRevocationChecks.inc({ result: 'revoked' });
658
+ apiLogger.info({ jti: jtiValidation.jti }, 'Revoked token used');
659
+ return reply.status(401).send({
660
+ error: { code: 'TOKEN_REVOKED', message: 'Token has been revoked' },
661
+ });
662
+ }
663
+ if (payload.sub && payload.iat) {
664
+ const issuedAt = new Date(payload.iat * 1000);
665
+ const isUserRevoked = await tokenRevocationService.isUserTokenRevoked(payload.sub, issuedAt);
666
+ if (isUserRevoked) {
667
+ tokenRevocationChecks.inc({ result: 'revoked' });
668
+ apiLogger.info({ userId: payload.sub, issuedAt: issuedAt.toISOString() }, 'User token revoked (all tokens for user)');
669
+ return reply.status(401).send({
670
+ error: { code: 'TOKEN_REVOKED', message: 'Token has been revoked' },
671
+ });
672
+ }
673
+ }
674
+ tokenRevocationChecks.inc({ result: 'valid' });
675
+ }
676
+ catch (error) {
677
+ // If JWT verification fails but request is already authenticated via API key,
678
+ // this is expected - don't throw
679
+ // Note: TypeScript flow analysis may not recognize this check is valid
680
+ const authMethod = request.authMethod;
681
+ if (authMethod === 'api_key') {
682
+ return;
683
+ }
684
+ throw error;
685
+ }
686
+ });
687
+ // Register all v1 routes
688
+ await v1Api.register(v1RoutesPlugin);
689
+ }, { prefix: getVersionedPrefix(CURRENT_VERSION) });
690
+ apiLogger.info('API v1 routes registered');
691
+ // ==========================================================================
692
+ // Backward Compatibility (Legacy Unversioned Routes)
693
+ // ==========================================================================
694
+ // Register backward compatibility redirects for legacy unversioned routes
695
+ // These will redirect /api/... to /api/v1/... with deprecation warnings
696
+ await server.register(backwardCompatPlugin, {
697
+ enableRedirects: true,
698
+ logLegacyUsage: true,
699
+ redirectStatusCode: 307,
700
+ legacyBasePath: '/api',
701
+ });
702
+ apiLogger.info('Backward compatibility redirects registered');
703
+ // ==========================================================================
704
+ // Legacy API Routes (kept for reference, will be removed in future versions)
705
+ // ==========================================================================
706
+ // API routes (legacy - these are now also available under /api/v1)
707
+ server.register(async (api) => {
708
+ // Token revocation check hook - runs after JWT verification
709
+ // This hook only applies to JWT-authenticated requests.
710
+ // API key authenticated requests are handled by the API key enforcement plugin.
711
+ api.addHook('preHandler', async (request, reply) => {
712
+ // Skip revocation check for logout endpoint (allow logout with revoked token)
713
+ if (request.url.endsWith('/auth/logout')) {
714
+ return;
715
+ }
716
+ // Skip token revocation check for API key authenticated requests
717
+ // API keys have their own revocation mechanism handled by the API key service
718
+ if (request.authMethod === 'api_key') {
719
+ tokenRevocationChecks.inc({ result: 'api_key_auth' });
720
+ return;
721
+ }
722
+ // Skip for unauthenticated routes (handled by API key enforcement plugin)
723
+ if (request.authMethod === 'none') {
724
+ return;
725
+ }
726
+ try {
727
+ // First verify JWT to get payload
728
+ const payload = await request.jwtVerify();
729
+ // Validate jti claim
730
+ const jtiValidation = validateJti(payload, config);
731
+ if (!jtiValidation.valid) {
732
+ tokenRevocationChecks.inc({ result: 'missing_jti' });
733
+ return reply.status(401).send({
734
+ error: { code: 'TOKEN_INVALID', message: jtiValidation.error },
735
+ });
736
+ }
737
+ // If no jti, skip revocation check (handled by validateJti based on config)
738
+ if (!jtiValidation.jti) {
739
+ tokenRevocationChecks.inc({ result: 'missing_jti' });
740
+ return;
741
+ }
742
+ // Check if the specific token is revoked
743
+ const isTokenRevoked = await tokenRevocationService.isRevoked(jtiValidation.jti);
744
+ if (isTokenRevoked) {
745
+ tokenRevocationChecks.inc({ result: 'revoked' });
746
+ apiLogger.info({ jti: jtiValidation.jti }, 'Revoked token used');
747
+ return reply.status(401).send({
748
+ error: { code: 'TOKEN_REVOKED', message: 'Token has been revoked' },
749
+ });
750
+ }
751
+ // Check if all user tokens issued before a certain time are revoked
752
+ if (payload.sub && payload.iat) {
753
+ const issuedAt = new Date(payload.iat * 1000);
754
+ const isUserRevoked = await tokenRevocationService.isUserTokenRevoked(payload.sub, issuedAt);
755
+ if (isUserRevoked) {
756
+ tokenRevocationChecks.inc({ result: 'revoked' });
757
+ apiLogger.info({ userId: payload.sub, issuedAt: issuedAt.toISOString() }, 'User token revoked (all tokens for user)');
758
+ return reply.status(401).send({
759
+ error: { code: 'TOKEN_REVOKED', message: 'Token has been revoked' },
760
+ });
761
+ }
762
+ }
763
+ tokenRevocationChecks.inc({ result: 'valid' });
764
+ }
765
+ catch (error) {
766
+ // If JWT verification fails but request is already authenticated via API key,
767
+ // this is expected - don't throw
768
+ // Note: TypeScript flow analysis may not recognize this check is valid
769
+ const authMethod = request.authMethod;
770
+ if (authMethod === 'api_key') {
771
+ return;
772
+ }
773
+ // JWT verification failed - let Fastify handle JWT errors
774
+ throw error;
775
+ }
776
+ });
777
+ // ========== Auth Routes ==========
778
+ // Logout - revoke current token
779
+ api.post('/auth/logout', async (request, reply) => {
780
+ try {
781
+ const payload = await request.jwtVerify();
782
+ if (!payload.jti) {
783
+ apiLogger.warn('Logout attempted with token missing jti claim');
784
+ // Still return success - logout is idempotent
785
+ return reply.send({ message: 'Logged out successfully' });
786
+ }
787
+ if (!payload.exp) {
788
+ apiLogger.warn({ jti: payload.jti }, 'Logout attempted with token missing exp claim');
789
+ // Use default TTL of 1 hour if exp missing
790
+ const expiresAt = new Date(Date.now() + 60 * 60 * 1000);
791
+ await tokenRevocationService.revokeToken(payload.jti, expiresAt);
792
+ }
793
+ else {
794
+ const expiresAt = new Date(payload.exp * 1000);
795
+ await tokenRevocationService.revokeToken(payload.jti, expiresAt);
796
+ }
797
+ // Record audit event
798
+ if (payload.tenantId && payload.sub) {
799
+ await recordTokenRevocationAudit(payload.tenantId, payload.sub, 'token.revoked', {
800
+ type: 'user',
801
+ id: payload.sub,
802
+ ip: request.ip,
803
+ }, { jti: payload.jti, reason: 'logout' });
804
+ }
805
+ apiLogger.info({ jti: payload.jti, userId: payload.sub }, 'User logged out');
806
+ return reply.send({ message: 'Logged out successfully' });
807
+ }
808
+ catch (error) {
809
+ // If JWT verification fails, user is effectively "logged out"
810
+ apiLogger.warn({ error }, 'Logout with invalid token');
811
+ return reply.send({ message: 'Logged out successfully' });
812
+ }
813
+ });
814
+ // Intent routes - using standardized API response envelope
815
+ api.post('/intents', async (request, reply) => {
816
+ const tenantId = await getTenantId(request);
817
+ const body = intentSubmissionSchema.parse(request.body ?? {});
818
+ const intent = await intentService.submit(body, { tenantId });
819
+ // Use sendSuccess with ACCEPTED status for async processing
820
+ return sendSuccess(reply, intent, HttpStatus.ACCEPTED, request);
821
+ });
822
+ /**
823
+ * Bulk create intents for batch processing efficiency.
824
+ *
825
+ * This endpoint allows submitting multiple intents in a single request.
826
+ * Each intent in the batch is processed individually, and the response
827
+ * includes details about successful and failed items.
828
+ *
829
+ * Rate limiting:
830
+ * - Separate rate limit for bulk operations (10 requests per minute by default)
831
+ * - This is lower than single intent submissions to prevent abuse
832
+ * - Each bulk request counts as 1 request regardless of item count
833
+ *
834
+ * Response status codes:
835
+ * - 202 Accepted: All items processed successfully
836
+ * - 207 Multi-Status: Some items succeeded, some failed
837
+ * - 400 Bad Request: All items failed
838
+ *
839
+ * @param intents - Array of 1-100 intent submissions
840
+ * @param options - Optional processing options (stopOnError, returnPartial)
841
+ */
842
+ api.post('/intents/bulk', {
843
+ config: {
844
+ rateLimit: {
845
+ max: config.api.bulkRateLimit ?? 10, // Default: 10 bulk requests per minute
846
+ timeWindow: '1 minute',
847
+ },
848
+ },
849
+ }, async (request, reply) => {
850
+ const tenantId = await getTenantId(request);
851
+ const body = bulkIntentSubmissionSchema.parse(request.body ?? {});
852
+ const result = await intentService.submitBulk(body.intents, {
853
+ tenantId,
854
+ stopOnError: body.options?.stopOnError ?? false,
855
+ });
856
+ // Determine appropriate HTTP status code:
857
+ // - 202 Accepted: All items processed successfully
858
+ // - 207 Multi-Status: Partial success (some succeeded, some failed)
859
+ // - 400 Bad Request: All items failed
860
+ let status;
861
+ if (result.stats.failed === 0) {
862
+ status = HttpStatus.ACCEPTED;
863
+ }
864
+ else if (result.stats.succeeded > 0) {
865
+ status = 207; // Multi-Status
866
+ }
867
+ else {
868
+ status = HttpStatus.BAD_REQUEST;
869
+ }
870
+ return reply.status(status).send({
871
+ data: result,
872
+ meta: {
873
+ requestId: request.id,
874
+ timestamp: new Date().toISOString(),
875
+ },
876
+ });
877
+ });
878
+ api.get('/intents/:id', async (request, reply) => {
879
+ const tenantId = await getTenantId(request);
880
+ const params = intentIdParamsSchema.parse(request.params ?? {});
881
+ const result = await intentService.getWithEvents(params.id, tenantId);
882
+ if (!result) {
883
+ // Use standardized not found response
884
+ return sendNotFound(reply, 'Intent', request);
885
+ }
886
+ // Use standardized success response
887
+ return sendSuccess(reply, {
888
+ ...result.intent,
889
+ events: result.events,
890
+ evaluations: result.evaluations ?? [],
891
+ }, HttpStatus.OK, request);
892
+ });
893
+ api.get('/intents', async (request, reply) => {
894
+ const tenantId = await getTenantId(request);
895
+ const query = intentListQuerySchema.parse(request.query ?? {});
896
+ const listOptions = { tenantId };
897
+ if (query.entityId)
898
+ listOptions.entityId = query.entityId;
899
+ if (query.status)
900
+ listOptions.status = query.status;
901
+ if (query.limit)
902
+ listOptions.limit = query.limit;
903
+ if (query.cursor)
904
+ listOptions.cursor = query.cursor;
905
+ const result = await intentService.list(listOptions);
906
+ // Use standardized cursor pagination response with PaginatedResult
907
+ return sendCursorPaginated(reply, result.items, {
908
+ nextCursor: result.nextCursor,
909
+ hasMore: result.hasMore,
910
+ }, request);
911
+ });
912
+ // Cancel an intent - using standardized API response envelope
913
+ api.post('/intents/:id/cancel', async (request, reply) => {
914
+ const tenantId = await getTenantId(request);
915
+ const params = intentIdParamsSchema.parse(request.params ?? {});
916
+ const body = intentCancelBodySchema.parse(request.body ?? {});
917
+ const cancelledBy = request.user?.sub;
918
+ const intent = await intentService.cancel(params.id, cancelledBy
919
+ ? { tenantId, reason: body.reason, cancelledBy }
920
+ : { tenantId, reason: body.reason });
921
+ if (!intent) {
922
+ // Use standardized error response
923
+ return sendError(reply, 'INTENT_NOT_FOUND_OR_NOT_CANCELLABLE', 'Intent not found or cannot be cancelled in current state', HttpStatus.NOT_FOUND, undefined, request);
924
+ }
925
+ return sendSuccess(reply, intent, HttpStatus.OK, request);
926
+ });
927
+ // Soft delete an intent (GDPR)
928
+ api.delete('/intents/:id', async (request, reply) => {
929
+ const tenantId = await getTenantId(request);
930
+ const params = intentIdParamsSchema.parse(request.params ?? {});
931
+ const intent = await intentService.delete(params.id, tenantId);
932
+ if (!intent) {
933
+ return reply.status(404).send({
934
+ error: { code: 'INTENT_NOT_FOUND', message: 'Intent not found' },
935
+ });
936
+ }
937
+ return reply.status(204).send();
938
+ });
939
+ // Verify event chain integrity
940
+ api.get('/intents/:id/verify', async (request, reply) => {
941
+ const tenantId = await getTenantId(request);
942
+ const params = intentIdParamsSchema.parse(request.params ?? {});
943
+ // First check intent exists
944
+ const intent = await intentService.get(params.id, tenantId);
945
+ if (!intent) {
946
+ return reply.status(404).send({
947
+ error: { code: 'INTENT_NOT_FOUND', message: 'Intent not found' },
948
+ });
949
+ }
950
+ const verification = await intentService.verifyEventChain(params.id);
951
+ return reply.send(verification);
952
+ });
953
+ // Proof routes
954
+ api.get('/proofs/:id', async (request, reply) => {
955
+ const params = proofIdParamsSchema.parse(request.params ?? {});
956
+ const proof = await proofService.get(params.id);
957
+ if (!proof) {
958
+ return reply.status(404).send({
959
+ success: false,
960
+ error: { code: 'PROOF_NOT_FOUND', message: 'Proof not found' },
961
+ meta: { requestId: request.id, timestamp: new Date().toISOString() },
962
+ });
963
+ }
964
+ return reply.send({
965
+ success: true,
966
+ data: {
967
+ id: proof.id,
968
+ intentId: proof.intentId,
969
+ entityId: proof.entityId,
970
+ chainPosition: proof.chainPosition,
971
+ decision: proof.decision,
972
+ inputs: proof.inputs,
973
+ outputs: proof.outputs,
974
+ hash: proof.hash,
975
+ previousHash: proof.previousHash,
976
+ signature: proof.signature,
977
+ signatureData: proof.signatureData,
978
+ createdAt: proof.createdAt,
979
+ },
980
+ meta: { requestId: request.id, timestamp: new Date().toISOString() },
981
+ });
982
+ });
983
+ api.post('/proofs/:id/verify', async (request, reply) => {
984
+ const params = proofIdParamsSchema.parse(request.params ?? {});
985
+ const verificationResult = await proofService.verify(params.id);
986
+ return reply.send({
987
+ success: true,
988
+ data: {
989
+ valid: verificationResult.valid,
990
+ proofId: verificationResult.proofId,
991
+ chainPosition: verificationResult.chainPosition,
992
+ issues: verificationResult.issues,
993
+ verifiedAt: verificationResult.verifiedAt,
994
+ },
995
+ meta: { requestId: request.id, timestamp: new Date().toISOString() },
996
+ });
997
+ });
998
+ // Trust routes
999
+ api.get('/trust/:entityId', async (request, reply) => {
1000
+ const params = trustEntityIdParamsSchema.parse(request.params ?? {});
1001
+ const trustRecord = await trustEngine.getScore(params.entityId);
1002
+ if (!trustRecord) {
1003
+ return reply.status(404).send({
1004
+ success: false,
1005
+ error: { code: 'ENTITY_NOT_FOUND', message: 'Entity trust record not found' },
1006
+ meta: { requestId: request.id, timestamp: new Date().toISOString() },
1007
+ });
1008
+ }
1009
+ return reply.send({
1010
+ success: true,
1011
+ data: {
1012
+ entityId: trustRecord.entityId,
1013
+ score: trustRecord.score,
1014
+ level: trustRecord.level,
1015
+ tierName: TRUST_LEVEL_NAMES[trustRecord.level],
1016
+ components: trustRecord.components,
1017
+ decay: {
1018
+ applied: trustRecord.decayApplied,
1019
+ multiplier: trustRecord.decayMultiplier,
1020
+ baseScore: trustRecord.baseScore,
1021
+ nextMilestone: trustRecord.nextMilestone,
1022
+ },
1023
+ lastActivityAt: trustRecord.lastActivityAt,
1024
+ lastCalculatedAt: trustRecord.lastCalculatedAt,
1025
+ },
1026
+ meta: { requestId: request.id, timestamp: new Date().toISOString() },
1027
+ });
1028
+ });
1029
+ // Constraint routes
1030
+ api.post('/constraints/validate', async (request, reply) => {
1031
+ const body = constraintValidationBodySchema.parse(request.body ?? {});
1032
+ const validationResult = validateRule(body.rule);
1033
+ return reply.send({
1034
+ success: true,
1035
+ data: {
1036
+ valid: validationResult.valid,
1037
+ errors: validationResult.errors,
1038
+ rule: validationResult.valid ? {
1039
+ id: body.rule.id,
1040
+ name: body.rule.name,
1041
+ description: body.rule.description,
1042
+ priority: body.rule.priority ?? 100,
1043
+ enabled: body.rule.enabled ?? true,
1044
+ } : undefined,
1045
+ },
1046
+ meta: { requestId: request.id, timestamp: new Date().toISOString() },
1047
+ });
1048
+ });
1049
+ // ========== Escalation Routes ==========
1050
+ // List pending escalations for tenant
1051
+ api.get('/escalations', async (request, reply) => {
1052
+ const tenantId = await getTenantId(request);
1053
+ const escalations = await escalationService.listPending(tenantId);
1054
+ return reply.send({ data: escalations });
1055
+ });
1056
+ // Get escalation by ID
1057
+ api.get('/escalations/:id', async (request, reply) => {
1058
+ const tenantId = await getTenantId(request);
1059
+ const params = escalationIdParamsSchema.parse(request.params ?? {});
1060
+ // Pass tenantId for built-in tenant isolation
1061
+ const escalation = await escalationService.get(params.id, tenantId);
1062
+ if (!escalation) {
1063
+ return reply.status(404).send({
1064
+ error: { code: 'ESCALATION_NOT_FOUND', message: 'Escalation not found' },
1065
+ });
1066
+ }
1067
+ return reply.send(escalation);
1068
+ });
1069
+ // Get escalation for an intent
1070
+ api.get('/intents/:id/escalation', async (request, reply) => {
1071
+ const tenantId = await getTenantId(request);
1072
+ const params = intentIdParamsSchema.parse(request.params ?? {});
1073
+ const intent = await intentService.get(params.id, tenantId);
1074
+ if (!intent) {
1075
+ return reply.status(404).send({
1076
+ error: { code: 'INTENT_NOT_FOUND', message: 'Intent not found' },
1077
+ });
1078
+ }
1079
+ const escalation = await escalationService.getByIntentId(params.id, tenantId);
1080
+ if (!escalation) {
1081
+ return reply.status(404).send({
1082
+ error: { code: 'ESCALATION_NOT_FOUND', message: 'No escalation for this intent' },
1083
+ });
1084
+ }
1085
+ return reply.send(escalation);
1086
+ });
1087
+ // Acknowledge an escalation (SLA tracking)
1088
+ api.post('/escalations/:id/acknowledge', async (request, reply) => {
1089
+ const tenantId = await getTenantId(request);
1090
+ const params = escalationIdParamsSchema.parse(request.params ?? {});
1091
+ const user = request.user;
1092
+ const escalation = await escalationService.acknowledge(params.id, tenantId, user.sub ?? 'unknown');
1093
+ if (!escalation) {
1094
+ return reply.status(404).send({
1095
+ error: { code: 'ESCALATION_NOT_FOUND', message: 'Escalation not found' },
1096
+ });
1097
+ }
1098
+ return reply.send(escalation);
1099
+ });
1100
+ // Approve an escalation
1101
+ api.post('/escalations/:id/approve', async (request, reply) => {
1102
+ const tenantId = await getTenantId(request);
1103
+ const params = escalationIdParamsSchema.parse(request.params ?? {});
1104
+ const body = escalationResolveBodySchema.parse(request.body ?? {});
1105
+ const user = request.user;
1106
+ // First get the escalation to check authorization
1107
+ const escalationToCheck = await escalationService.get(params.id);
1108
+ if (!escalationToCheck) {
1109
+ return reply.status(404).send({
1110
+ error: { code: 'ESCALATION_NOT_FOUND', message: 'Escalation not found' },
1111
+ });
1112
+ }
1113
+ // Authorization check - now async with database verification
1114
+ const authResult = await canResolveEscalation(user, escalationToCheck, tenantId);
1115
+ if (!authResult.allowed) {
1116
+ apiLogger.warn({ escalationId: params.id, userId: user.sub, reason: authResult.reason }, 'Unauthorized escalation approval attempt');
1117
+ return reply.status(403).send({
1118
+ error: {
1119
+ code: 'FORBIDDEN',
1120
+ message: authResult.reason ?? 'Not authorized to approve this escalation',
1121
+ },
1122
+ });
1123
+ }
1124
+ const resolveOptions = body.notes
1125
+ ? { resolvedBy: user.sub ?? 'unknown', notes: body.notes }
1126
+ : { resolvedBy: user.sub ?? 'unknown' };
1127
+ const escalation = await escalationService.approve(params.id, tenantId, resolveOptions);
1128
+ if (!escalation) {
1129
+ return reply.status(404).send({
1130
+ error: { code: 'ESCALATION_NOT_FOUND', message: 'Escalation not found' },
1131
+ });
1132
+ }
1133
+ // Update intent status to approved if escalation approved
1134
+ if (escalation.status === 'approved') {
1135
+ await intentService.updateStatus(escalation.intentId, escalation.tenantId, 'approved', 'escalated');
1136
+ }
1137
+ return reply.send(escalation);
1138
+ });
1139
+ // Reject an escalation
1140
+ api.post('/escalations/:id/reject', async (request, reply) => {
1141
+ const tenantId = await getTenantId(request);
1142
+ const params = escalationIdParamsSchema.parse(request.params ?? {});
1143
+ const body = escalationResolveBodySchema.parse(request.body ?? {});
1144
+ const user = request.user;
1145
+ // First get the escalation to check authorization
1146
+ const escalationToCheck = await escalationService.get(params.id);
1147
+ if (!escalationToCheck) {
1148
+ return reply.status(404).send({
1149
+ error: { code: 'ESCALATION_NOT_FOUND', message: 'Escalation not found' },
1150
+ });
1151
+ }
1152
+ // Authorization check - now async with database verification
1153
+ const authResult = await canResolveEscalation(user, escalationToCheck, tenantId);
1154
+ if (!authResult.allowed) {
1155
+ apiLogger.warn({ escalationId: params.id, userId: user.sub, reason: authResult.reason }, 'Unauthorized escalation rejection attempt');
1156
+ return reply.status(403).send({
1157
+ error: {
1158
+ code: 'FORBIDDEN',
1159
+ message: authResult.reason ?? 'Not authorized to reject this escalation',
1160
+ },
1161
+ });
1162
+ }
1163
+ const rejectOptions = body.notes
1164
+ ? { resolvedBy: user.sub ?? 'unknown', notes: body.notes }
1165
+ : { resolvedBy: user.sub ?? 'unknown' };
1166
+ const escalation = await escalationService.reject(params.id, tenantId, rejectOptions);
1167
+ if (!escalation) {
1168
+ return reply.status(404).send({
1169
+ error: { code: 'ESCALATION_NOT_FOUND', message: 'Escalation not found' },
1170
+ });
1171
+ }
1172
+ // Update intent status to denied if escalation rejected
1173
+ if (escalation.status === 'rejected') {
1174
+ await intentService.updateStatus(escalation.intentId, escalation.tenantId, 'denied', 'escalated');
1175
+ }
1176
+ return reply.send(escalation);
1177
+ });
1178
+ // ========== Escalation Approver Management ==========
1179
+ // Schema for assigning approvers
1180
+ const assignApproverBodySchema = z.object({
1181
+ userId: z.string().min(1).max(255),
1182
+ });
1183
+ // Assign an approver to an escalation
1184
+ api.post('/escalations/:id/assign', async (request, reply) => {
1185
+ const tenantId = await getTenantId(request);
1186
+ const params = escalationIdParamsSchema.parse(request.params ?? {});
1187
+ const body = assignApproverBodySchema.parse(request.body ?? {});
1188
+ const user = request.user;
1189
+ // Only admins or the escalation creator can assign approvers
1190
+ const roles = user.roles ?? [];
1191
+ const isAdmin = roles.includes('admin') || roles.includes('tenant:admin') || roles.includes('escalation:admin');
1192
+ if (!isAdmin) {
1193
+ return reply.status(403).send({
1194
+ error: {
1195
+ code: 'FORBIDDEN',
1196
+ message: 'Only administrators can assign approvers to escalations',
1197
+ },
1198
+ });
1199
+ }
1200
+ // Verify escalation exists and belongs to tenant
1201
+ const escalation = await escalationService.get(params.id, tenantId);
1202
+ if (!escalation) {
1203
+ return reply.status(404).send({
1204
+ error: { code: 'ESCALATION_NOT_FOUND', message: 'Escalation not found' },
1205
+ });
1206
+ }
1207
+ // Escalation must be pending or acknowledged to assign approvers
1208
+ if (!['pending', 'acknowledged'].includes(escalation.status)) {
1209
+ return reply.status(400).send({
1210
+ error: {
1211
+ code: 'INVALID_STATE',
1212
+ message: `Cannot assign approvers to escalation in ${escalation.status} status`,
1213
+ },
1214
+ });
1215
+ }
1216
+ try {
1217
+ const assignment = await assignApprover({
1218
+ escalationId: params.id,
1219
+ userId: body.userId,
1220
+ tenantId,
1221
+ assignedBy: user.sub ?? 'unknown',
1222
+ });
1223
+ apiLogger.info({ escalationId: params.id, assignedUserId: body.userId, assignedBy: user.sub }, 'Approver assigned to escalation');
1224
+ return reply.status(201).send({
1225
+ id: assignment.id,
1226
+ escalationId: params.id,
1227
+ userId: body.userId,
1228
+ assignedAt: assignment.assignedAt,
1229
+ assignedBy: user.sub,
1230
+ });
1231
+ }
1232
+ catch (error) {
1233
+ apiLogger.error({ error, escalationId: params.id, userId: body.userId }, 'Failed to assign approver');
1234
+ throw error;
1235
+ }
1236
+ });
1237
+ // Remove an approver from an escalation
1238
+ api.delete('/escalations/:id/assign/:userId', async (request, reply) => {
1239
+ const tenantId = await getTenantId(request);
1240
+ const params = z.object({
1241
+ id: z.string().uuid(),
1242
+ userId: z.string().min(1),
1243
+ }).parse(request.params ?? {});
1244
+ const user = request.user;
1245
+ // Only admins can remove approvers
1246
+ const roles = user.roles ?? [];
1247
+ const isAdmin = roles.includes('admin') || roles.includes('tenant:admin') || roles.includes('escalation:admin');
1248
+ if (!isAdmin) {
1249
+ return reply.status(403).send({
1250
+ error: {
1251
+ code: 'FORBIDDEN',
1252
+ message: 'Only administrators can remove approvers from escalations',
1253
+ },
1254
+ });
1255
+ }
1256
+ // Verify escalation exists and belongs to tenant
1257
+ const escalation = await escalationService.get(params.id, tenantId);
1258
+ if (!escalation) {
1259
+ return reply.status(404).send({
1260
+ error: { code: 'ESCALATION_NOT_FOUND', message: 'Escalation not found' },
1261
+ });
1262
+ }
1263
+ const removed = await removeApprover(params.id, params.userId, tenantId);
1264
+ if (!removed) {
1265
+ return reply.status(404).send({
1266
+ error: { code: 'APPROVER_NOT_FOUND', message: 'Approver assignment not found' },
1267
+ });
1268
+ }
1269
+ apiLogger.info({ escalationId: params.id, removedUserId: params.userId, removedBy: user.sub }, 'Approver removed from escalation');
1270
+ return reply.status(204).send();
1271
+ });
1272
+ // List approvers for an escalation
1273
+ api.get('/escalations/:id/approvers', async (request, reply) => {
1274
+ const tenantId = await getTenantId(request);
1275
+ const params = escalationIdParamsSchema.parse(request.params ?? {});
1276
+ // Verify escalation exists and belongs to tenant
1277
+ const escalation = await escalationService.get(params.id, tenantId);
1278
+ if (!escalation) {
1279
+ return reply.status(404).send({
1280
+ error: { code: 'ESCALATION_NOT_FOUND', message: 'Escalation not found' },
1281
+ });
1282
+ }
1283
+ const approvers = await listApprovers(params.id, tenantId);
1284
+ return reply.send({
1285
+ data: approvers,
1286
+ escalationId: params.id,
1287
+ });
1288
+ });
1289
+ // ========== Intent Replay ==========
1290
+ // Replay an intent (re-enqueue for processing)
1291
+ api.post('/intents/:id/replay', async (request, reply) => {
1292
+ const tenantId = await getTenantId(request);
1293
+ const params = intentIdParamsSchema.parse(request.params ?? {});
1294
+ const intent = await intentService.get(params.id, tenantId);
1295
+ if (!intent) {
1296
+ return reply.status(404).send({
1297
+ error: { code: 'INTENT_NOT_FOUND', message: 'Intent not found' },
1298
+ });
1299
+ }
1300
+ // Only replay failed or denied intents
1301
+ if (!['failed', 'denied'].includes(intent.status)) {
1302
+ return reply.status(400).send({
1303
+ error: {
1304
+ code: 'INVALID_STATE',
1305
+ message: `Cannot replay intent in ${intent.status} status`,
1306
+ },
1307
+ });
1308
+ }
1309
+ // Reset status and re-enqueue
1310
+ await intentService.updateStatus(params.id, tenantId, 'pending', intent.status);
1311
+ const enqueueOptions = intent.intentType
1312
+ ? { namespace: intent.intentType }
1313
+ : {};
1314
+ await enqueueIntentSubmission(intent, enqueueOptions);
1315
+ return reply.send({
1316
+ message: 'Intent queued for replay',
1317
+ intentId: params.id,
1318
+ });
1319
+ });
1320
+ // ========== Admin Operations ==========
1321
+ // Trigger cleanup job manually
1322
+ api.post('/admin/cleanup', async (request, reply) => {
1323
+ const user = request.user;
1324
+ const roles = user.roles ?? [];
1325
+ // Require admin role
1326
+ if (!roles.includes('admin') && !roles.includes('tenant:admin') && !roles.includes('system:admin')) {
1327
+ apiLogger.warn({ userId: user.sub }, 'Unauthorized cleanup attempt');
1328
+ return reply.status(403).send({
1329
+ error: { code: 'FORBIDDEN', message: 'Admin role required' },
1330
+ });
1331
+ }
1332
+ apiLogger.info({ userId: user.sub }, 'Manual cleanup triggered');
1333
+ const result = await runCleanupNow();
1334
+ return reply.send(result);
1335
+ });
1336
+ // Retry a job from DLQ (moved to admin section)
1337
+ api.post('/admin/dlq/:jobId/retry', async (request, reply) => {
1338
+ const user = request.user;
1339
+ const roles = user.roles ?? [];
1340
+ // Require admin role
1341
+ if (!roles.includes('admin') && !roles.includes('tenant:admin') && !roles.includes('system:admin')) {
1342
+ apiLogger.warn({ userId: user.sub }, 'Unauthorized DLQ retry attempt');
1343
+ return reply.status(403).send({
1344
+ error: { code: 'FORBIDDEN', message: 'Admin role required' },
1345
+ });
1346
+ }
1347
+ const params = dlqRetryParamsSchema.parse(request.params ?? {});
1348
+ apiLogger.info({ userId: user.sub, jobId: params.jobId }, 'DLQ retry triggered');
1349
+ const success = await retryDeadLetterJob(params.jobId);
1350
+ if (!success) {
1351
+ return reply.status(404).send({
1352
+ error: { code: 'JOB_NOT_FOUND', message: 'Dead letter job not found' },
1353
+ });
1354
+ }
1355
+ return reply.send({ message: 'Job retried successfully', jobId: params.jobId });
1356
+ });
1357
+ // Revoke all tokens for a user (security incident response)
1358
+ api.post('/admin/users/:userId/revoke-tokens', async (request, reply) => {
1359
+ const tenantId = await getTenantId(request);
1360
+ const user = request.user;
1361
+ const roles = user.roles ?? [];
1362
+ // Require admin role
1363
+ if (!roles.includes('admin') && !roles.includes('tenant:admin') && !roles.includes('system:admin') && !roles.includes('security:admin')) {
1364
+ apiLogger.warn({ userId: user.sub }, 'Unauthorized token revocation attempt');
1365
+ return reply.status(403).send({
1366
+ error: { code: 'FORBIDDEN', message: 'Admin role required' },
1367
+ });
1368
+ }
1369
+ const params = userIdParamsSchema.parse(request.params ?? {});
1370
+ const revokeTime = new Date();
1371
+ await tokenRevocationService.revokeAllForUser(params.userId, revokeTime);
1372
+ // Record audit event
1373
+ await recordTokenRevocationAudit(tenantId, params.userId, 'token.user_all_revoked', {
1374
+ type: 'user',
1375
+ id: user.sub ?? 'unknown',
1376
+ ip: request.ip,
1377
+ }, {
1378
+ targetUserId: params.userId,
1379
+ revokedBefore: revokeTime.toISOString(),
1380
+ reason: 'admin_revoke_all',
1381
+ });
1382
+ apiLogger.info({ targetUserId: params.userId, adminUserId: user.sub, revokeTime: revokeTime.toISOString() }, 'All tokens revoked for user');
1383
+ return reply.send({
1384
+ message: 'All tokens revoked for user',
1385
+ userId: params.userId,
1386
+ revokedBefore: revokeTime.toISOString(),
1387
+ });
1388
+ });
1389
+ // ========== Audit Routes ==========
1390
+ // Query audit records
1391
+ api.get('/audit', async (request, reply) => {
1392
+ const tenantId = await getTenantId(request);
1393
+ const query = auditQuerySchema.parse(request.query ?? {});
1394
+ const result = await auditService.query({
1395
+ tenantId,
1396
+ eventType: query.eventType,
1397
+ eventCategory: query.eventCategory,
1398
+ severity: query.severity,
1399
+ actorId: query.actorId,
1400
+ targetId: query.targetId,
1401
+ targetType: query.targetType,
1402
+ startTime: query.startTime,
1403
+ endTime: query.endTime,
1404
+ limit: query.limit,
1405
+ offset: query.offset,
1406
+ });
1407
+ return reply.send({
1408
+ data: result.records,
1409
+ pagination: {
1410
+ total: result.total,
1411
+ hasMore: result.hasMore,
1412
+ },
1413
+ });
1414
+ });
1415
+ // Get audit record by ID
1416
+ api.get('/audit/:id', async (request, reply) => {
1417
+ const tenantId = await getTenantId(request);
1418
+ const params = auditIdParamsSchema.parse(request.params ?? {});
1419
+ const record = await auditService.findById(params.id, tenantId);
1420
+ if (!record) {
1421
+ return reply.status(404).send({
1422
+ error: { code: 'AUDIT_RECORD_NOT_FOUND', message: 'Audit record not found' },
1423
+ });
1424
+ }
1425
+ return reply.send(record);
1426
+ });
1427
+ // Get audit trail for a target
1428
+ api.get('/audit/target/:targetType/:targetId', async (request, reply) => {
1429
+ const tenantId = await getTenantId(request);
1430
+ const params = auditTargetParamsSchema.parse(request.params ?? {});
1431
+ const query = auditTargetQuerySchema.parse(request.query ?? {});
1432
+ const records = await auditService.getForTarget(tenantId, params.targetType, params.targetId, { limit: query.limit, offset: query.offset });
1433
+ return reply.send({ data: records });
1434
+ });
1435
+ // Get all audit records for a trace
1436
+ api.get('/audit/trace/:traceId', async (request, reply) => {
1437
+ const tenantId = await getTenantId(request);
1438
+ const params = auditTraceParamsSchema.parse(request.params ?? {});
1439
+ const records = await auditService.getByTrace(tenantId, params.traceId);
1440
+ return reply.send({ data: records });
1441
+ });
1442
+ // Get audit statistics
1443
+ api.get('/audit/stats', async (request, reply) => {
1444
+ const tenantId = await getTenantId(request);
1445
+ const query = auditStatsQuerySchema.parse(request.query ?? {});
1446
+ const stats = await auditService.getStats(tenantId, {
1447
+ startTime: query.startTime,
1448
+ endTime: query.endTime,
1449
+ });
1450
+ return reply.send(stats);
1451
+ });
1452
+ // Verify audit chain integrity (admin-only)
1453
+ api.post('/audit/verify', async (request, reply) => {
1454
+ const tenantId = await getTenantId(request);
1455
+ const user = request.user;
1456
+ const roles = user.roles ?? [];
1457
+ // Require admin role
1458
+ if (!roles.includes('admin') && !roles.includes('tenant:admin') && !roles.includes('system:admin') && !roles.includes('audit:admin')) {
1459
+ apiLogger.warn({ userId: user.sub }, 'Unauthorized audit verify attempt');
1460
+ return reply.status(403).send({
1461
+ error: { code: 'FORBIDDEN', message: 'Admin role required' },
1462
+ });
1463
+ }
1464
+ const body = auditVerifyBodySchema.parse(request.body ?? {});
1465
+ const result = await auditService.verifyChainIntegrity(tenantId, {
1466
+ startSequence: body.startSequence,
1467
+ limit: body.limit,
1468
+ });
1469
+ return reply.send(result);
1470
+ });
1471
+ // ========== Policy Routes ==========
1472
+ // Create a new policy
1473
+ api.post('/policies', async (request, reply) => {
1474
+ // Authorization: admin and policy_writer roles
1475
+ if (!await checkAuthorization(request, reply, POLICY_ROLES.WRITE)) {
1476
+ return;
1477
+ }
1478
+ const tenantId = await getTenantId(request);
1479
+ const user = request.user;
1480
+ const body = policyCreateBodySchema.parse(request.body ?? {});
1481
+ try {
1482
+ const createInput = {
1483
+ name: body.name,
1484
+ definition: body.definition,
1485
+ };
1486
+ if (body.description !== undefined)
1487
+ createInput.description = body.description;
1488
+ if (body.namespace !== undefined)
1489
+ createInput.namespace = body.namespace;
1490
+ if (user.sub !== undefined)
1491
+ createInput.createdBy = user.sub;
1492
+ const policy = await policyService.create(tenantId, createInput);
1493
+ apiLogger.info({ policyId: policy.id, name: policy.name, tenantId }, 'Policy created');
1494
+ return reply.code(201).send(policy);
1495
+ }
1496
+ catch (error) {
1497
+ if (error instanceof PolicyValidationException) {
1498
+ return reply.status(400).send({
1499
+ error: {
1500
+ code: 'POLICY_VALIDATION_ERROR',
1501
+ message: error.message,
1502
+ details: error.errors,
1503
+ },
1504
+ });
1505
+ }
1506
+ throw error;
1507
+ }
1508
+ });
1509
+ // List policies for tenant
1510
+ api.get('/policies', async (request, reply) => {
1511
+ // Authorization: admin and policy_reader roles
1512
+ if (!await checkAuthorization(request, reply, POLICY_ROLES.READ)) {
1513
+ return;
1514
+ }
1515
+ const tenantId = await getTenantId(request);
1516
+ const query = policyListQuerySchema.parse(request.query ?? {});
1517
+ const limit = query.limit ?? 50;
1518
+ const offset = query.offset ?? 0;
1519
+ const listFilters = {
1520
+ tenantId,
1521
+ limit: limit + 1, // Fetch one extra to determine hasMore
1522
+ offset,
1523
+ };
1524
+ if (query.namespace)
1525
+ listFilters.namespace = query.namespace;
1526
+ if (query.status)
1527
+ listFilters.status = query.status;
1528
+ const policies = await policyService.list(listFilters);
1529
+ const hasMore = policies.length > limit;
1530
+ const data = hasMore ? policies.slice(0, limit) : policies;
1531
+ return reply.send({
1532
+ data,
1533
+ pagination: {
1534
+ total: data.length + offset,
1535
+ hasMore,
1536
+ },
1537
+ });
1538
+ });
1539
+ // Get policy by ID
1540
+ api.get('/policies/:id', async (request, reply) => {
1541
+ // Authorization: admin and policy_reader roles
1542
+ if (!await checkAuthorization(request, reply, POLICY_ROLES.READ)) {
1543
+ return;
1544
+ }
1545
+ const tenantId = await getTenantId(request);
1546
+ const params = policyIdParamsSchema.parse(request.params ?? {});
1547
+ const policy = await policyService.findById(params.id, tenantId);
1548
+ if (!policy) {
1549
+ return reply.status(404).send({
1550
+ error: { code: 'POLICY_NOT_FOUND', message: 'Policy not found' },
1551
+ });
1552
+ }
1553
+ return reply.send(policy);
1554
+ });
1555
+ // Update policy definition
1556
+ api.put('/policies/:id', async (request, reply) => {
1557
+ // Authorization: admin and policy_writer roles
1558
+ if (!await checkAuthorization(request, reply, POLICY_ROLES.WRITE)) {
1559
+ return;
1560
+ }
1561
+ const tenantId = await getTenantId(request);
1562
+ const user = request.user;
1563
+ const params = policyIdParamsSchema.parse(request.params ?? {});
1564
+ const body = policyUpdateBodySchema.parse(request.body ?? {});
1565
+ try {
1566
+ const updateInput = {};
1567
+ if (body.description !== undefined)
1568
+ updateInput.description = body.description;
1569
+ if (body.definition !== undefined)
1570
+ updateInput.definition = body.definition;
1571
+ if (body.changeSummary !== undefined)
1572
+ updateInput.changeSummary = body.changeSummary;
1573
+ if (user.sub !== undefined)
1574
+ updateInput.updatedBy = user.sub;
1575
+ const policy = await policyService.update(params.id, tenantId, updateInput);
1576
+ if (!policy) {
1577
+ return reply.status(404).send({
1578
+ error: { code: 'POLICY_NOT_FOUND', message: 'Policy not found' },
1579
+ });
1580
+ }
1581
+ // Invalidate cache after policy update
1582
+ await policyLoader.invalidateCache(tenantId, policy.namespace);
1583
+ apiLogger.info({ policyId: policy.id, version: policy.version, tenantId }, 'Policy updated');
1584
+ return reply.send(policy);
1585
+ }
1586
+ catch (error) {
1587
+ if (error instanceof PolicyValidationException) {
1588
+ return reply.status(400).send({
1589
+ error: {
1590
+ code: 'POLICY_VALIDATION_ERROR',
1591
+ message: error.message,
1592
+ details: error.errors,
1593
+ },
1594
+ });
1595
+ }
1596
+ throw error;
1597
+ }
1598
+ });
1599
+ // Publish a draft policy
1600
+ api.post('/policies/:id/publish', async (request, reply) => {
1601
+ // Authorization: admin and policy_writer roles
1602
+ if (!await checkAuthorization(request, reply, POLICY_ROLES.WRITE)) {
1603
+ return;
1604
+ }
1605
+ const tenantId = await getTenantId(request);
1606
+ const params = policyIdParamsSchema.parse(request.params ?? {});
1607
+ const policy = await policyService.publish(params.id, tenantId);
1608
+ if (!policy) {
1609
+ return reply.status(404).send({
1610
+ error: { code: 'POLICY_NOT_FOUND', message: 'Policy not found' },
1611
+ });
1612
+ }
1613
+ // Invalidate cache after policy is published
1614
+ await policyLoader.invalidateCache(tenantId, policy.namespace);
1615
+ apiLogger.info({ policyId: policy.id, name: policy.name, tenantId }, 'Policy published');
1616
+ return reply.send(policy);
1617
+ });
1618
+ // Deprecate a policy
1619
+ api.post('/policies/:id/deprecate', async (request, reply) => {
1620
+ // Authorization: admin and policy_writer roles
1621
+ if (!await checkAuthorization(request, reply, POLICY_ROLES.WRITE)) {
1622
+ return;
1623
+ }
1624
+ const tenantId = await getTenantId(request);
1625
+ const params = policyIdParamsSchema.parse(request.params ?? {});
1626
+ const policy = await policyService.deprecate(params.id, tenantId);
1627
+ if (!policy) {
1628
+ return reply.status(404).send({
1629
+ error: { code: 'POLICY_NOT_FOUND', message: 'Policy not found' },
1630
+ });
1631
+ }
1632
+ // Invalidate cache after policy is deprecated
1633
+ await policyLoader.invalidateCache(tenantId, policy.namespace);
1634
+ apiLogger.info({ policyId: policy.id, name: policy.name, tenantId }, 'Policy deprecated');
1635
+ return reply.send(policy);
1636
+ });
1637
+ // Archive a policy
1638
+ api.post('/policies/:id/archive', async (request, reply) => {
1639
+ // Authorization: admin and policy_writer roles
1640
+ if (!await checkAuthorization(request, reply, POLICY_ROLES.WRITE)) {
1641
+ return;
1642
+ }
1643
+ const tenantId = await getTenantId(request);
1644
+ const params = policyIdParamsSchema.parse(request.params ?? {});
1645
+ const policy = await policyService.archive(params.id, tenantId);
1646
+ if (!policy) {
1647
+ return reply.status(404).send({
1648
+ error: { code: 'POLICY_NOT_FOUND', message: 'Policy not found' },
1649
+ });
1650
+ }
1651
+ // Invalidate cache after policy is archived
1652
+ await policyLoader.invalidateCache(tenantId, policy.namespace);
1653
+ apiLogger.info({ policyId: policy.id, name: policy.name, tenantId }, 'Policy archived');
1654
+ return reply.send(policy);
1655
+ });
1656
+ // Delete a policy (only if draft)
1657
+ api.delete('/policies/:id', async (request, reply) => {
1658
+ // Authorization: admin only
1659
+ if (!await checkAuthorization(request, reply, POLICY_ROLES.DELETE)) {
1660
+ return;
1661
+ }
1662
+ const tenantId = await getTenantId(request);
1663
+ const params = policyIdParamsSchema.parse(request.params ?? {});
1664
+ // First check if the policy exists and is a draft
1665
+ const policy = await policyService.findById(params.id, tenantId);
1666
+ if (!policy) {
1667
+ return reply.status(404).send({
1668
+ error: { code: 'POLICY_NOT_FOUND', message: 'Policy not found' },
1669
+ });
1670
+ }
1671
+ if (policy.status !== 'draft') {
1672
+ return reply.status(400).send({
1673
+ error: {
1674
+ code: 'POLICY_NOT_DRAFT',
1675
+ message: 'Only draft policies can be deleted. Use archive for published policies.',
1676
+ },
1677
+ });
1678
+ }
1679
+ const deleted = await policyService.delete(params.id, tenantId);
1680
+ if (!deleted) {
1681
+ return reply.status(404).send({
1682
+ error: { code: 'POLICY_NOT_FOUND', message: 'Policy not found' },
1683
+ });
1684
+ }
1685
+ // Invalidate cache after policy deletion
1686
+ await policyLoader.invalidateCache(tenantId, policy.namespace);
1687
+ apiLogger.info({ policyId: params.id, tenantId }, 'Policy deleted');
1688
+ return reply.status(204).send();
1689
+ });
1690
+ // ========== Webhook Routes ==========
1691
+ // Register a webhook
1692
+ api.post('/webhooks', async (request, reply) => {
1693
+ const tenantId = await getTenantId(request);
1694
+ const body = webhookCreateBodySchema.parse(request.body ?? {});
1695
+ try {
1696
+ const webhookId = await webhookService.registerWebhook(tenantId, {
1697
+ url: body.url,
1698
+ secret: body.secret,
1699
+ events: body.events,
1700
+ enabled: body.enabled ?? true,
1701
+ });
1702
+ const webhooks = await webhookService.getWebhooks(tenantId);
1703
+ const webhook = webhooks.find((w) => w.id === webhookId);
1704
+ apiLogger.info({ webhookId, tenantId, url: body.url }, 'Webhook registered');
1705
+ return reply.code(201).send({
1706
+ id: webhookId,
1707
+ config: webhook?.config,
1708
+ });
1709
+ }
1710
+ catch (error) {
1711
+ if (error instanceof Error && error.message.startsWith('Invalid webhook URL')) {
1712
+ return reply.status(400).send({
1713
+ error: {
1714
+ code: 'INVALID_WEBHOOK_URL',
1715
+ message: error.message,
1716
+ },
1717
+ });
1718
+ }
1719
+ throw error;
1720
+ }
1721
+ });
1722
+ // List webhooks for tenant
1723
+ api.get('/webhooks', async (request, reply) => {
1724
+ const tenantId = await getTenantId(request);
1725
+ const webhooks = await webhookService.getWebhooks(tenantId);
1726
+ return reply.send({
1727
+ data: webhooks.map((w) => ({
1728
+ id: w.id,
1729
+ config: w.config,
1730
+ })),
1731
+ });
1732
+ });
1733
+ // Unregister a webhook
1734
+ api.delete('/webhooks/:id', async (request, reply) => {
1735
+ const tenantId = await getTenantId(request);
1736
+ const params = webhookIdParamsSchema.parse(request.params ?? {});
1737
+ const deleted = await webhookService.unregisterWebhook(tenantId, params.id);
1738
+ if (!deleted) {
1739
+ return reply.status(404).send({
1740
+ error: { code: 'WEBHOOK_NOT_FOUND', message: 'Webhook not found' },
1741
+ });
1742
+ }
1743
+ apiLogger.info({ webhookId: params.id, tenantId }, 'Webhook unregistered');
1744
+ return reply.status(204).send();
1745
+ });
1746
+ // Get recent deliveries for a webhook
1747
+ api.get('/webhooks/:id/deliveries', async (request, reply) => {
1748
+ const tenantId = await getTenantId(request);
1749
+ const params = webhookIdParamsSchema.parse(request.params ?? {});
1750
+ const query = webhookDeliveriesQuerySchema.parse(request.query ?? {});
1751
+ // First check if the webhook exists
1752
+ const webhooks = await webhookService.getWebhooks(tenantId);
1753
+ const webhook = webhooks.find((w) => w.id === params.id);
1754
+ if (!webhook) {
1755
+ return reply.status(404).send({
1756
+ error: { code: 'WEBHOOK_NOT_FOUND', message: 'Webhook not found' },
1757
+ });
1758
+ }
1759
+ const deliveries = await webhookService.getDeliveries(tenantId, params.id, query.limit ?? 100);
1760
+ return reply.send({
1761
+ data: deliveries.map((d) => ({
1762
+ id: d.id,
1763
+ result: d.result,
1764
+ })),
1765
+ });
1766
+ });
1767
+ // ========== GDPR Routes ==========
1768
+ // Schema for GDPR export request
1769
+ const gdprExportBodySchema = z.object({
1770
+ userId: z.string().uuid(),
1771
+ });
1772
+ const gdprRequestIdParamsSchema = z.object({
1773
+ requestId: z.string().uuid(),
1774
+ });
1775
+ // Initiate GDPR data export (async job)
1776
+ api.post('/intent/gdpr/export', async (request, reply) => {
1777
+ const tenantId = await getTenantId(request);
1778
+ const user = request.user;
1779
+ const body = gdprExportBodySchema.parse(request.body ?? {});
1780
+ // Create export request
1781
+ const exportRequest = await gdprService.createExportRequest(body.userId, tenantId, user.sub ?? 'unknown');
1782
+ // Queue the export job
1783
+ await enqueueGdprExport(exportRequest.id, body.userId, tenantId);
1784
+ apiLogger.info({ requestId: exportRequest.id, userId: body.userId, tenantId }, 'GDPR export initiated');
1785
+ return reply.code(202).send({
1786
+ requestId: exportRequest.id,
1787
+ status: exportRequest.status,
1788
+ message: 'Export request queued. Use the requestId to check status.',
1789
+ expiresAt: exportRequest.expiresAt,
1790
+ });
1791
+ });
1792
+ // Get GDPR export status
1793
+ api.get('/intent/gdpr/export/:requestId', async (request, reply) => {
1794
+ const tenantId = await getTenantId(request);
1795
+ const params = gdprRequestIdParamsSchema.parse(request.params ?? {});
1796
+ const exportRequest = await gdprService.getExportRequest(params.requestId, tenantId);
1797
+ if (!exportRequest) {
1798
+ return reply.status(404).send({
1799
+ error: {
1800
+ code: 'EXPORT_REQUEST_NOT_FOUND',
1801
+ message: 'Export request not found or expired',
1802
+ },
1803
+ });
1804
+ }
1805
+ return reply.send({
1806
+ requestId: exportRequest.id,
1807
+ userId: exportRequest.userId,
1808
+ status: exportRequest.status,
1809
+ requestedAt: exportRequest.requestedAt,
1810
+ completedAt: exportRequest.completedAt,
1811
+ expiresAt: exportRequest.expiresAt,
1812
+ downloadUrl: exportRequest.downloadUrl,
1813
+ error: exportRequest.error,
1814
+ });
1815
+ });
1816
+ // Download GDPR export data
1817
+ api.get('/intent/gdpr/export/:requestId/download', async (request, reply) => {
1818
+ const tenantId = await getTenantId(request);
1819
+ const params = gdprRequestIdParamsSchema.parse(request.params ?? {});
1820
+ const exportData = await gdprService.getExportData(params.requestId, tenantId);
1821
+ if (!exportData) {
1822
+ return reply.status(404).send({
1823
+ error: {
1824
+ code: 'EXPORT_DATA_NOT_FOUND',
1825
+ message: 'Export data not found, not ready, or expired',
1826
+ },
1827
+ });
1828
+ }
1829
+ // Return as JSON file download
1830
+ return reply
1831
+ .header('Content-Type', 'application/json')
1832
+ .header('Content-Disposition', `attachment; filename="gdpr-export-${exportData.userId}-${exportData.exportTimestamp.split('T')[0]}.json"`)
1833
+ .send(exportData);
1834
+ });
1835
+ // GDPR right to erasure (soft delete user data)
1836
+ api.delete('/intent/gdpr/data', async (request, reply) => {
1837
+ const tenantId = await getTenantId(request);
1838
+ const user = request.user;
1839
+ const body = gdprExportBodySchema.parse(request.body ?? {});
1840
+ // Require admin role or self-request for erasure
1841
+ const roles = user.roles ?? [];
1842
+ const isAdmin = roles.includes('admin') || roles.includes('tenant:admin') || roles.includes('gdpr:admin');
1843
+ const isSelfRequest = user.sub === body.userId;
1844
+ if (!isAdmin && !isSelfRequest) {
1845
+ return reply.status(403).send({
1846
+ error: {
1847
+ code: 'FORBIDDEN',
1848
+ message: 'Only administrators or the data subject can request data erasure',
1849
+ },
1850
+ });
1851
+ }
1852
+ const result = await gdprService.eraseUserData(body.userId, tenantId, user.sub ?? 'unknown');
1853
+ apiLogger.info({ userId: body.userId, tenantId, erasedBy: user.sub, counts: result.counts }, 'GDPR data erasure completed');
1854
+ return reply.send({
1855
+ message: 'User data has been erased in compliance with GDPR Article 17',
1856
+ userId: result.userId,
1857
+ erasedAt: result.erasedAt,
1858
+ counts: result.counts,
1859
+ });
1860
+ });
1861
+ // ========== CAR ID Extension Routes ==========
1862
+ await registerExtensionRoutes(api);
1863
+ }, { prefix: config.api.basePath });
1864
+ // Error handler - uses standardized API response envelope
1865
+ // The createStandardErrorHandler provides consistent error formatting with:
1866
+ // - Proper HTTP status code mapping for VorionError types
1867
+ // - Trace ID inclusion for debugging
1868
+ // - Error detail sanitization in production
1869
+ // - Zod validation error handling
1870
+ server.setErrorHandler(createStandardErrorHandler(config.env));
1871
+ return server;
1872
+ }
1873
+ /**
1874
+ * Start the API server
1875
+ */
1876
+ export async function startServer() {
1877
+ const config = getConfig();
1878
+ // Validate startup dependencies before accepting requests
1879
+ // If DB or Redis connectivity fails, exit with code 1
1880
+ try {
1881
+ await validateStartupDependencies();
1882
+ }
1883
+ catch (error) {
1884
+ apiLogger.error({ error }, 'Startup validation failed - exiting');
1885
+ process.exit(1);
1886
+ }
1887
+ // Check and optionally run database migrations
1888
+ // Controlled by VORION_AUTO_MIGRATE environment variable
1889
+ try {
1890
+ const migrationResult = await checkAndRunMigrations({
1891
+ autoMigrate: process.env['VORION_AUTO_MIGRATE'] === 'true',
1892
+ validateAfterMigrate: true,
1893
+ checkDrift: true,
1894
+ blockOnCriticalDrift: true,
1895
+ });
1896
+ apiLogger.info({
1897
+ schemaVersion: migrationResult.migrationStatus.schemaVersion,
1898
+ migrationsRun: migrationResult.migrationsRun,
1899
+ appliedCount: migrationResult.migrationStatus.appliedMigrations.length,
1900
+ schemaValid: migrationResult.validationResult?.valid,
1901
+ hasDrift: migrationResult.driftResult?.hasDrift,
1902
+ }, 'Database migration check completed');
1903
+ }
1904
+ catch (error) {
1905
+ if (error instanceof PendingMigrationsError) {
1906
+ apiLogger.error({
1907
+ pendingCount: error.pendingCount,
1908
+ pendingMigrations: error.pendingMigrations,
1909
+ }, 'Pending migrations detected - startup blocked');
1910
+ apiLogger.error('Set VORION_AUTO_MIGRATE=true to run automatically, or run "vorion migrate up" manually');
1911
+ }
1912
+ else if (error instanceof CriticalSchemaDriftError) {
1913
+ apiLogger.error({
1914
+ driftCount: error.drifts.length,
1915
+ drifts: error.drifts.map(d => d.description),
1916
+ }, 'Critical schema drift detected - startup blocked');
1917
+ }
1918
+ else {
1919
+ apiLogger.error({ error }, 'Migration check failed - exiting');
1920
+ }
1921
+ process.exit(1);
1922
+ }
1923
+ const server = await createServer();
1924
+ // Register graceful shutdown handlers using the centralized shutdown module
1925
+ // This handles SIGTERM (Kubernetes) and SIGINT (Ctrl+C) signals
1926
+ // and coordinates shutdown of HTTP server, workers, database, and Redis
1927
+ registerShutdownHandlers(server, {
1928
+ timeoutMs: config.intent.shutdownTimeoutMs ?? 30000,
1929
+ });
1930
+ try {
1931
+ await server.listen({
1932
+ port: config.api.port,
1933
+ host: config.api.host,
1934
+ });
1935
+ try {
1936
+ registerIntentWorkers(intentService);
1937
+ apiLogger.info('Intent workers started');
1938
+ }
1939
+ catch (error) {
1940
+ apiLogger.error({ error }, 'Failed to start intent workers');
1941
+ }
1942
+ try {
1943
+ await startScheduler();
1944
+ apiLogger.info('Scheduler started');
1945
+ }
1946
+ catch (error) {
1947
+ apiLogger.error({ error }, 'Failed to start scheduler');
1948
+ }
1949
+ try {
1950
+ registerGdprWorker();
1951
+ apiLogger.info('GDPR workers started');
1952
+ }
1953
+ catch (error) {
1954
+ apiLogger.error({ error }, 'Failed to start GDPR workers');
1955
+ }
1956
+ apiLogger.info({
1957
+ port: config.api.port,
1958
+ host: config.api.host,
1959
+ environment: config.env,
1960
+ }, 'Server started');
1961
+ }
1962
+ catch (error) {
1963
+ apiLogger.error({ error }, 'Failed to start server');
1964
+ process.exit(1);
1965
+ }
1966
+ }
1967
+ //# sourceMappingURL=server.js.map