@voyantjs/action-ledger 0.52.2

package/dist/canary.d.ts

@@ -0,0 +1,17 @@
+import type { AnyDrizzleDb } from "@voyantjs/db";
+export interface RunActionLedgerCanaryInput {
+    organizationId?: string | null;
+    principalId?: string | null;
+    idempotencyKey?: string | null;
+    payloadRef?: string | null;
+    now?: Date;
+}
+export interface RunActionLedgerCanaryResult {
+    ok: boolean;
+    actionId: string;
+    replayed: boolean;
+    observedWrite: boolean;
+    observedRelay: boolean;
+}
+export declare function runActionLedgerCanary(db: AnyDrizzleDb, input?: RunActionLedgerCanaryInput): Promise<RunActionLedgerCanaryResult>;
+//# sourceMappingURL=canary.d.ts.map

package/dist/canary.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"canary.d.ts","sourceRoot":"","sources":["../src/canary.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,cAAc,CAAA;AAKhD,MAAM,WAAW,0BAA0B;IACzC,cAAc,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;IAC9B,WAAW,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;IAC3B,cAAc,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;IAC9B,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;IAC1B,GAAG,CAAC,EAAE,IAAI,CAAA;CACX;AAED,MAAM,WAAW,2BAA2B;IAC1C,EAAE,EAAE,OAAO,CAAA;IACX,QAAQ,EAAE,MAAM,CAAA;IAChB,QAAQ,EAAE,OAAO,CAAA;IACjB,aAAa,EAAE,OAAO,CAAA;IACtB,aAAa,EAAE,OAAO,CAAA;CACvB;AAED,wBAAsB,qBAAqB,CACzC,EAAE,EAAE,YAAY,EAChB,KAAK,GAAE,0BAA+B,GACrC,OAAO,CAAC,2BAA2B,CAAC,CA8EtC"}

package/dist/canary.js

@@ -0,0 +1,77 @@
+import { buildIdempotencyFingerprint } from "./fingerprint.js";
+import { actionLedgerService } from "./service.js";
+export async function runActionLedgerCanary(db, input = {}) {
+    const now = input.now ?? new Date();
+    const idempotencyKey = input.idempotencyKey ?? `action-ledger-canary:${now.toISOString()}`;
+    const payloadRef = input.payloadRef ?? `action-ledger-canary:${idempotencyKey}`;
+    const idempotencyFingerprint = await buildIdempotencyFingerprint({
+        actionName: "action_ledger.canary.write",
+        actionVersion: "v1",
+        targetType: "action_ledger_canary",
+        targetId: idempotencyKey,
+        commandInput: { payloadRef },
+    });
+    const appendResult = await actionLedgerService.appendEntry(db, {
+        occurredAt: now,
+        actionName: "action_ledger.canary.write",
+        actionVersion: "v1",
+        actionKind: "execute",
+        status: "succeeded",
+        evaluatedRisk: "low",
+        actorType: "system",
+        principalType: "system",
+        principalId: input.principalId ?? "action-ledger-canary",
+        principalSubtype: null,
+        sessionId: null,
+        apiTokenId: null,
+        internalRequest: true,
+        delegatedByPrincipalType: null,
+        delegatedByPrincipalId: null,
+        delegationId: null,
+        callerType: "system",
+        organizationId: input.organizationId ?? null,
+        routeOrToolName: "action-ledger.canary",
+        workflowRunId: null,
+        workflowStepId: null,
+        correlationId: null,
+        causationActionId: null,
+        idempotencyScope: "action-ledger-canary",
+        idempotencyKey,
+        idempotencyFingerprint,
+        targetType: "action_ledger_canary",
+        targetId: idempotencyKey,
+        capabilityId: "action-ledger.canary",
+        capabilityVersion: "v1",
+        authorizationSource: "action-ledger.canary",
+        approvalId: null,
+        amendsActionId: null,
+        enqueueRelay: { payloadRef },
+        mutationDetail: {
+            commandInputRef: payloadRef,
+            commandResultRef: payloadRef,
+            summary: "Synthetic action ledger canary write",
+            reversalKind: "none",
+        },
+    });
+    const [entries, relay] = await Promise.all([
+        actionLedgerService.listEntries(db, {
+            targetType: "action_ledger_canary",
+            targetId: idempotencyKey,
+            actionName: "action_ledger.canary.write",
+            limit: 1,
+        }),
+        actionLedgerService.listRelayOutbox(db, {
+            actionId: appendResult.entry.id,
+            limit: 1,
+        }),
+    ]);
+    const observedWrite = entries.entries.some((entry) => entry.id === appendResult.entry.id);
+    const observedRelay = relay.rows.some((row) => row.actionId === appendResult.entry.id);
+    return {
+        ok: observedWrite && observedRelay,
+        actionId: appendResult.entry.id,
+        replayed: appendResult.replayed,
+        observedWrite,
+        observedRelay,
+    };
+}

package/dist/capability.d.ts

@@ -0,0 +1,73 @@
+import type { ActionLedgerEntry } from "./schema.js";
+export declare const actionLedgerCapabilityLedgerPolicyValues: readonly ["none", "optional", "required"];
+export declare const actionLedgerCapabilityApprovalPolicyValues: readonly ["none", "conditional", "required"];
+export type ActionLedgerCapabilityRisk = ActionLedgerEntry["evaluatedRisk"];
+export type ActionLedgerCapabilityLedgerPolicy = (typeof actionLedgerCapabilityLedgerPolicyValues)[number];
+export type ActionLedgerCapabilityApprovalPolicy = (typeof actionLedgerCapabilityApprovalPolicyValues)[number];
+export interface ActionLedgerCapabilityGrant {
+    resource: string;
+    action: string;
+}
+export interface ActionLedgerCapabilityDefinition<TContext = unknown> {
+    id: string;
+    version: string;
+    resource: string;
+    action: string;
+    risk: ActionLedgerCapabilityRisk;
+    ledgerPolicy: ActionLedgerCapabilityLedgerPolicy;
+    approvalPolicy?: ActionLedgerCapabilityApprovalPolicy;
+    reversible?: boolean;
+    allowedActorTypes?: readonly string[];
+    requiredGrants?: readonly ActionLedgerCapabilityGrant[];
+    evaluateRisk?: (context: TContext) => ActionLedgerCapabilityRisk;
+}
+export interface ActionLedgerCapabilityRegistry<TDefinition extends ActionLedgerCapabilityDefinition = ActionLedgerCapabilityDefinition> {
+    definitions: readonly TDefinition[];
+    byKey: ReadonlyMap<string, TDefinition>;
+}
+export declare class ActionLedgerCapabilityRegistryError extends Error {
+    constructor(message: string);
+}
+export interface EvaluateActionLedgerCapabilityAccessInput<TContext = unknown> {
+    definition: ActionLedgerCapabilityDefinition<TContext>;
+    actor?: string | null;
+    callerType?: string | null;
+    scopes?: readonly string[] | null;
+    permissions?: Record<string, readonly string[]> | null;
+    isInternalRequest?: boolean | null;
+    riskContext?: TContext;
+}
+export type ActionLedgerCapabilityAccessReason = "internal_request" | "scope_grant" | "permission_grant" | "actor_allowed" | "actor_missing" | "actor_not_allowed" | "grant_missing";
+export interface ActionLedgerCapabilityAccessResult {
+    allowed: boolean;
+    reason: ActionLedgerCapabilityAccessReason;
+    capabilityId: string;
+    capabilityVersion: string;
+    evaluatedRisk: ActionLedgerCapabilityRisk;
+    ledgerPolicy: ActionLedgerCapabilityLedgerPolicy;
+    approvalPolicy: ActionLedgerCapabilityApprovalPolicy;
+    authorizationSource: string;
+    grant: ActionLedgerCapabilityGrant | null;
+}
+export type ActionLedgerApprovalRequirementReason = "access_denied" | "policy_none" | "policy_required" | "conditional_policy_required" | "conditional_policy_not_required";
+export interface EvaluateActionLedgerApprovalRequirementInput {
+    access: ActionLedgerCapabilityAccessResult;
+    conditionalApprovalRequired?: boolean | null;
+    reasonCode?: string | null;
+}
+export interface ActionLedgerApprovalRequirementResult {
+    required: boolean;
+    reason: ActionLedgerApprovalRequirementReason;
+    approvalPolicy: ActionLedgerCapabilityApprovalPolicy;
+    capabilityId: string;
+    capabilityVersion: string;
+    evaluatedRisk: ActionLedgerCapabilityRisk;
+    reasonCode: string | null;
+}
+export declare function createActionLedgerCapabilityRegistry<const TDefinition extends ActionLedgerCapabilityDefinition>(definitions: readonly TDefinition[]): ActionLedgerCapabilityRegistry<TDefinition>;
+export declare function getActionLedgerCapability<TDefinition extends ActionLedgerCapabilityDefinition>(registry: ActionLedgerCapabilityRegistry<TDefinition>, id: string, version: string): TDefinition | null;
+export declare function evaluateActionLedgerCapabilityRisk<TContext>(definition: ActionLedgerCapabilityDefinition<TContext>, context: TContext): ActionLedgerCapabilityRisk;
+export declare function evaluateActionLedgerCapabilityAccess<TContext = unknown>(input: EvaluateActionLedgerCapabilityAccessInput<TContext>): ActionLedgerCapabilityAccessResult;
+export declare function evaluateActionLedgerApprovalRequirement(input: EvaluateActionLedgerApprovalRequirementInput): ActionLedgerApprovalRequirementResult;
+export declare function actionLedgerCapabilityKey(id: string, version: string): string;
+//# sourceMappingURL=capability.d.ts.map

package/dist/capability.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"capability.d.ts","sourceRoot":"","sources":["../src/capability.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAA;AAEpD,eAAO,MAAM,wCAAwC,2CAA4C,CAAA;AACjG,eAAO,MAAM,0CAA0C,8CAI7C,CAAA;AAEV,MAAM,MAAM,0BAA0B,GAAG,iBAAiB,CAAC,eAAe,CAAC,CAAA;AAC3E,MAAM,MAAM,kCAAkC,GAC5C,CAAC,OAAO,wCAAwC,CAAC,CAAC,MAAM,CAAC,CAAA;AAC3D,MAAM,MAAM,oCAAoC,GAC9C,CAAC,OAAO,0CAA0C,CAAC,CAAC,MAAM,CAAC,CAAA;AAE7D,MAAM,WAAW,2BAA2B;IAC1C,QAAQ,EAAE,MAAM,CAAA;IAChB,MAAM,EAAE,MAAM,CAAA;CACf;AAED,MAAM,WAAW,gCAAgC,CAAC,QAAQ,GAAG,OAAO;IAClE,EAAE,EAAE,MAAM,CAAA;IACV,OAAO,EAAE,MAAM,CAAA;IACf,QAAQ,EAAE,MAAM,CAAA;IAChB,MAAM,EAAE,MAAM,CAAA;IACd,IAAI,EAAE,0BAA0B,CAAA;IAChC,YAAY,EAAE,kCAAkC,CAAA;IAChD,cAAc,CAAC,EAAE,oCAAoC,CAAA;IACrD,UAAU,CAAC,EAAE,OAAO,CAAA;IACpB,iBAAiB,CAAC,EAAE,SAAS,MAAM,EAAE,CAAA;IACrC,cAAc,CAAC,EAAE,SAAS,2BAA2B,EAAE,CAAA;IACvD,YAAY,CAAC,EAAE,CAAC,OAAO,EAAE,QAAQ,KAAK,0BAA0B,CAAA;CACjE;AAED,MAAM,WAAW,8BAA8B,CAC7C,WAAW,SAAS,gCAAgC,GAAG,gCAAgC;IAEvF,WAAW,EAAE,SAAS,WAAW,EAAE,CAAA;IACnC,KAAK,EAAE,WAAW,CAAC,MAAM,EAAE,WAAW,CAAC,CAAA;CACxC;AAED,qBAAa,mCAAoC,SAAQ,KAAK;gBAChD,OAAO,EAAE,MAAM;CAI5B;AAED,MAAM,WAAW,yCAAyC,CAAC,QAAQ,GAAG,OAAO;IAC3E,UAAU,EAAE,gCAAgC,CAAC,QAAQ,CAAC,CAAA;IACtD,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;IACrB,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;IAC1B,MAAM,CAAC,EAAE,SAAS,MAAM,EAAE,GAAG,IAAI,CAAA;IACjC,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,SAAS,MAAM,EAAE,CAAC,GAAG,IAAI,CAAA;IACtD,iBAAiB,CAAC,EAAE,OAAO,GAAG,IAAI,CAAA;IAClC,WAAW,CAAC,EAAE,QAAQ,CAAA;CACvB;AAED,MAAM,MAAM,kCAAkC,GAC1C,kBAAkB,GAClB,aAAa,GACb,kBAAkB,GAClB,eAAe,GACf,eAAe,GACf,mBAAmB,GACnB,eAAe,CAAA;AAEnB,MAAM,WAAW,kCAAkC;IACjD,OAAO,EAAE,OAAO,CAAA;IAChB,MAAM,EAAE,kCAAkC,CAAA;IAC1C,YAAY,EAAE,MAAM,CAAA;IACpB,iBAAiB,EAAE,MAAM,CAAA;IACzB,aAAa,EAAE,0BAA0B,CAAA;IACzC,YAAY,EAAE,kCAAkC,CAAA;IAChD,cAAc,EAAE,oCAAoC,CAAA;IACpD,mBAAmB,EAAE,MAAM,CAAA;IAC3B,KAAK,EAAE,2BAA2B,GAAG,IAAI,CAAA;CAC1C;AAED,MAAM,MAAM,qCAAqC,GAC7C,eAAe,GACf,aAAa,GACb,iBAAiB,GACjB,6BAA6B,GAC7B,iCAAiC,CAAA;AAErC,MAAM,WAAW,4CAA4C;IAC3D,MAAM,EAAE,kCAAkC,CAAA;IAC1C,2BAA2B,CAAC,EAAE,OAAO,GAAG,IAAI,CAAA;IAC5C,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;CAC3B;AAED,MAAM,WAAW,qCAAqC;IACpD,QAAQ,EAAE,OAAO,CAAA;IACjB,MAAM,EAAE,qCAAqC,CAAA;IAC7C,cAAc,EAAE,oCAAoC,CAAA;IACpD,YAAY,EAAE,MAAM,CAAA;IACpB,iBAAiB,EAAE,MAAM,CAAA;IACzB,aAAa,EAAE,0BAA0B,CAAA;IACzC,UAAU,EAAE,MAAM,GAAG,IAAI,CAAA;CAC1B;AASD,wBAAgB,oCAAoC,CAClD,KAAK,CAAC,WAAW,SAAS,gCAAgC,EAC1D,WAAW,EAAE,SAAS,WAAW,EAAE,GAAG,8BAA8B,CAAC,WAAW,CAAC,CAclF;AAED,wBAAgB,yBAAyB,CAAC,WAAW,SAAS,gCAAgC,EAC5F,QAAQ,EAAE,8BAA8B,CAAC,WAAW,CAAC,EACrD,EAAE,EAAE,MAAM,EACV,OAAO,EAAE,MAAM,GACd,WAAW,GAAG,IAAI,CAEpB;AAED,wBAAgB,kCAAkC,CAAC,QAAQ,EACzD,UAAU,EAAE,gCAAgC,CAAC,QAAQ,CAAC,EACtD,OAAO,EAAE,QAAQ,GAChB,0BAA0B,CAG5B;AAED,wBAAgB,oCAAoC,CAAC,QAAQ,GAAG,OAAO,EACrE,KAAK,EAAE,yCAAyC,CAAC,QAAQ,CAAC,GACzD,kCAAkC,CAuFpC;AAED,wBAAgB,uCAAuC,CACrD,KAAK,EAAE,4CAA4C,GAClD,qCAAqC,CAyCvC;AAED,wBAAgB,yBAAyB,CAAC,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,MAAM,CAE7E"}

package/dist/capability.js

@@ -0,0 +1,206 @@
+export const actionLedgerCapabilityLedgerPolicyValues = ["none", "optional", "required"];
+export const actionLedgerCapabilityApprovalPolicyValues = [
+    "none",
+    "conditional",
+    "required",
+];
+export class ActionLedgerCapabilityRegistryError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = "ActionLedgerCapabilityRegistryError";
+    }
+}
+const riskRank = {
+    low: 0,
+    medium: 1,
+    high: 2,
+    critical: 3,
+};
+export function createActionLedgerCapabilityRegistry(definitions) {
+    const byKey = new Map();
+    for (const definition of definitions) {
+        const key = actionLedgerCapabilityKey(definition.id, definition.version);
+        if (byKey.has(key)) {
+            throw new ActionLedgerCapabilityRegistryError(`Duplicate action ledger capability ${definition.id}@${definition.version}`);
+        }
+        byKey.set(key, definition);
+    }
+    return { definitions, byKey };
+}
+export function getActionLedgerCapability(registry, id, version) {
+    return registry.byKey.get(actionLedgerCapabilityKey(id, version)) ?? null;
+}
+export function evaluateActionLedgerCapabilityRisk(definition, context) {
+    const evaluatedRisk = definition.evaluateRisk?.(context) ?? definition.risk;
+    return riskRank[evaluatedRisk] > riskRank[definition.risk] ? evaluatedRisk : definition.risk;
+}
+export function evaluateActionLedgerCapabilityAccess(input) {
+    const { definition } = input;
+    const evaluatedRisk = "riskContext" in input
+        ? evaluateActionLedgerCapabilityRisk(definition, input.riskContext)
+        : definition.risk;
+    const base = {
+        capabilityId: definition.id,
+        capabilityVersion: definition.version,
+        evaluatedRisk,
+        ledgerPolicy: definition.ledgerPolicy,
+        approvalPolicy: definition.approvalPolicy ?? "none",
+    };
+    if (input.isInternalRequest || input.callerType === "internal") {
+        return {
+            ...base,
+            allowed: true,
+            reason: "internal_request",
+            authorizationSource: "internal_request",
+            grant: null,
+        };
+    }
+    const grant = findSatisfiedGrant(definition, input);
+    if (grant) {
+        return {
+            ...base,
+            allowed: true,
+            reason: grant.source,
+            authorizationSource: grant.source === "scope_grant" ? "scope" : "api_token_permission",
+            grant: grant.grant,
+        };
+    }
+    if (definition.requiredGrants && definition.requiredGrants.length > 0) {
+        return {
+            ...base,
+            allowed: false,
+            reason: "grant_missing",
+            authorizationSource: input.callerType === "api_key" ? "api_token_permission" : "scope",
+            grant: null,
+        };
+    }
+    if (input.callerType === "api_key") {
+        return {
+            ...base,
+            allowed: false,
+            reason: "grant_missing",
+            authorizationSource: "api_token_permission",
+            grant: null,
+        };
+    }
+    const actor = normalizeNullableString(input.actor);
+    if (!actor) {
+        return {
+            ...base,
+            allowed: false,
+            reason: "actor_missing",
+            authorizationSource: "actor_context",
+            grant: null,
+        };
+    }
+    if (definition.allowedActorTypes &&
+        definition.allowedActorTypes.length > 0 &&
+        !definition.allowedActorTypes.includes(actor)) {
+        return {
+            ...base,
+            allowed: false,
+            reason: "actor_not_allowed",
+            authorizationSource: "actor_context",
+            grant: null,
+        };
+    }
+    return {
+        ...base,
+        allowed: true,
+        reason: "actor_allowed",
+        authorizationSource: "actor_context",
+        grant: null,
+    };
+}
+export function evaluateActionLedgerApprovalRequirement(input) {
+    const base = {
+        approvalPolicy: input.access.approvalPolicy,
+        capabilityId: input.access.capabilityId,
+        capabilityVersion: input.access.capabilityVersion,
+        evaluatedRisk: input.access.evaluatedRisk,
+        reasonCode: normalizeNullableString(input.reasonCode),
+    };
+    if (!input.access.allowed) {
+        return {
+            ...base,
+            required: false,
+            reason: "access_denied",
+        };
+    }
+    if (input.access.approvalPolicy === "required") {
+        return {
+            ...base,
+            required: true,
+            reason: "policy_required",
+        };
+    }
+    if (input.access.approvalPolicy === "conditional") {
+        return {
+            ...base,
+            required: input.conditionalApprovalRequired === true,
+            reason: input.conditionalApprovalRequired === true
+                ? "conditional_policy_required"
+                : "conditional_policy_not_required",
+        };
+    }
+    return {
+        ...base,
+        required: false,
+        reason: "policy_none",
+    };
+}
+export function actionLedgerCapabilityKey(id, version) {
+    return `${id}@${version}`;
+}
+function findSatisfiedGrant(definition, input) {
+    for (const grant of grantsForCapability(definition)) {
+        if (hasScopeGrant(input.scopes, grant)) {
+            return { source: "scope_grant", grant };
+        }
+        if (hasPermissionGrant(input.permissions, grant)) {
+            return { source: "permission_grant", grant };
+        }
+    }
+    return null;
+}
+function grantsForCapability(definition) {
+    if (definition.requiredGrants && definition.requiredGrants.length > 0) {
+        return definition.requiredGrants;
+    }
+    return [{ resource: definition.resource, action: definition.action }];
+}
+function hasPermissionGrant(permissions, grant) {
+    if (!permissions)
+        return false;
+    return hasGrant(permissions, grant);
+}
+function hasScopeGrant(scopes, grant) {
+    if (!scopes || scopes.length === 0)
+        return false;
+    const permissions = {};
+    for (const scope of scopes) {
+        const normalized = normalizeNullableString(scope);
+        if (!normalized)
+            continue;
+        if (normalized === "*") {
+            permissions["*"] = ["*"];
+            continue;
+        }
+        const [resource, action] = normalized.split(":", 2);
+        if (!resource || !action)
+            continue;
+        permissions[resource] = [...(permissions[resource] ?? []), action];
+    }
+    return hasGrant(permissions, grant);
+}
+function hasGrant(permissions, grant) {
+    return (permissions["*"]?.includes("*") === true ||
+        permissions["*"]?.includes(grant.action) === true ||
+        permissions[grant.resource]?.includes("*") === true ||
+        permissions[grant.resource]?.includes(grant.action) === true);
+}
+function normalizeNullableString(value) {
+    if (value === undefined || value === null || value === "")
+        return null;
+    return value;
+}

package/dist/fingerprint.d.ts

@@ -0,0 +1,26 @@
+import type { ActionLedgerCapabilityApprovalPolicy, ActionLedgerCapabilityRisk } from "./capability.js";
+export declare function canonicalize(value: unknown): unknown;
+export declare function canonicalJson(value: unknown): string;
+export declare function sha256(value: unknown): Promise<string>;
+export declare function buildIdempotencyFingerprint(input: {
+    actionName: string;
+    actionVersion: string;
+    targetType: string;
+    targetId: string;
+    commandInput?: unknown;
+    policyInputs?: unknown;
+}): Promise<string>;
+export interface BuildActionApprovalCommandFingerprintInput {
+    actionName: string;
+    actionVersion: string;
+    targetType: string;
+    targetId: string;
+    commandInput?: unknown;
+    approvalPolicy: ActionLedgerCapabilityApprovalPolicy;
+    capabilityId: string;
+    capabilityVersion: string;
+    evaluatedRisk: ActionLedgerCapabilityRisk;
+    reasonCode: string | null;
+}
+export declare function buildActionApprovalCommandFingerprint(input: BuildActionApprovalCommandFingerprintInput): Promise<string>;
+//# sourceMappingURL=fingerprint.d.ts.map

package/dist/fingerprint.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"fingerprint.d.ts","sourceRoot":"","sources":["../src/fingerprint.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,oCAAoC,EACpC,0BAA0B,EAC3B,MAAM,iBAAiB,CAAA;AAExB,wBAAgB,YAAY,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAUpD;AAED,wBAAgB,aAAa,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,CAEpD;AAED,wBAAsB,MAAM,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,CAK5D;AAED,wBAAsB,2BAA2B,CAAC,KAAK,EAAE;IACvD,UAAU,EAAE,MAAM,CAAA;IAClB,aAAa,EAAE,MAAM,CAAA;IACrB,UAAU,EAAE,MAAM,CAAA;IAClB,QAAQ,EAAE,MAAM,CAAA;IAChB,YAAY,CAAC,EAAE,OAAO,CAAA;IACtB,YAAY,CAAC,EAAE,OAAO,CAAA;CACvB,GAAG,OAAO,CAAC,MAAM,CAAC,CAElB;AAED,MAAM,WAAW,0CAA0C;IACzD,UAAU,EAAE,MAAM,CAAA;IAClB,aAAa,EAAE,MAAM,CAAA;IACrB,UAAU,EAAE,MAAM,CAAA;IAClB,QAAQ,EAAE,MAAM,CAAA;IAChB,YAAY,CAAC,EAAE,OAAO,CAAA;IACtB,cAAc,EAAE,oCAAoC,CAAA;IACpD,YAAY,EAAE,MAAM,CAAA;IACpB,iBAAiB,EAAE,MAAM,CAAA;IACzB,aAAa,EAAE,0BAA0B,CAAA;IACzC,UAAU,EAAE,MAAM,GAAG,IAAI,CAAA;CAC1B;AAED,wBAAsB,qCAAqC,CACzD,KAAK,EAAE,0CAA0C,GAChD,OAAO,CAAC,MAAM,CAAC,CAejB"}

package/dist/fingerprint.js

@@ -0,0 +1,55 @@
+export function canonicalize(value) {
+    if (value === undefined)
+        return null;
+    if (value === null || typeof value !== "object")
+        return value;
+    if (Array.isArray(value))
+        return value.map(canonicalize);
+    const sorted = {};
+    for (const key of Object.keys(value).sort()) {
+        sorted[key] = canonicalize(value[key]);
+    }
+    return sorted;
+}
+export function canonicalJson(value) {
+    return JSON.stringify(canonicalize(value));
+}
+export async function sha256(value) {
+    const text = canonicalJson(value);
+    const bytes = new TextEncoder().encode(text);
+    const digest = await getCrypto().subtle.digest("SHA-256", bytes);
+    return bytesToHex(new Uint8Array(digest));
+}
+export async function buildIdempotencyFingerprint(input) {
+    return `sha256:${await sha256(input)}`;
+}
+export async function buildActionApprovalCommandFingerprint(input) {
+    return buildIdempotencyFingerprint({
+        actionName: input.actionName,
+        actionVersion: input.actionVersion,
+        targetType: input.targetType,
+        targetId: input.targetId,
+        commandInput: input.commandInput ?? null,
+        policyInputs: {
+            approvalPolicy: input.approvalPolicy,
+            capabilityId: input.capabilityId,
+            capabilityVersion: input.capabilityVersion,
+            evaluatedRisk: input.evaluatedRisk,
+            reasonCode: input.reasonCode,
+        },
+    });
+}
+function getCrypto() {
+    const crypto = globalThis.crypto;
+    if (!crypto?.subtle) {
+        throw new Error("@voyantjs/action-ledger: globalThis.crypto.subtle is required for idempotency fingerprints.");
+    }
+    return crypto;
+}
+function bytesToHex(bytes) {
+    let out = "";
+    for (const byte of bytes) {
+        out += byte.toString(16).padStart(2, "0");
+    }
+    return out;
+}

package/dist/index.d.ts

@@ -0,0 +1,9 @@
+export { type RunActionLedgerCanaryInput, type RunActionLedgerCanaryResult, runActionLedgerCanary, } from "./canary.js";
+export { type ActionLedgerApprovalRequirementReason, type ActionLedgerApprovalRequirementResult, type ActionLedgerCapabilityAccessReason, type ActionLedgerCapabilityAccessResult, type ActionLedgerCapabilityApprovalPolicy, type ActionLedgerCapabilityDefinition, type ActionLedgerCapabilityGrant, type ActionLedgerCapabilityLedgerPolicy, type ActionLedgerCapabilityRegistry, ActionLedgerCapabilityRegistryError, type ActionLedgerCapabilityRisk, actionLedgerCapabilityApprovalPolicyValues, actionLedgerCapabilityKey, actionLedgerCapabilityLedgerPolicyValues, createActionLedgerCapabilityRegistry, type EvaluateActionLedgerApprovalRequirementInput, type EvaluateActionLedgerCapabilityAccessInput, evaluateActionLedgerApprovalRequirement, evaluateActionLedgerCapabilityAccess, evaluateActionLedgerCapabilityRisk, getActionLedgerCapability, } from "./capability.js";
+export { type BuildActionApprovalCommandFingerprintInput, buildActionApprovalCommandFingerprint, buildIdempotencyFingerprint, canonicalize, canonicalJson, sha256, } from "./fingerprint.js";
+export { ACTION_LEDGER_APPROVAL_ID_HEADER, type ActionLedgerActorFields, type ActionLedgerApprovedExecutionFields, type ActionLedgerRequestContextValues, type ActionLedgerRequestMappingOptions, appendActionLedgerMutation, appendActionLedgerSensitiveRead, type BuildActionLedgerApprovalDecisionInput, type BuildActionLedgerApprovalRequestInput, type BuildActionLedgerApprovedExecutionFieldsInput, type BuildActionLedgerMutationInput, type BuildActionLedgerSensitiveReadInput, type BuildActionLedgerSensitiveReadInputForValue, buildActionLedgerApprovalDecisionInput, buildActionLedgerApprovalRequestInput, buildActionLedgerApprovedExecutionFields, buildActionLedgerMutationEntryInput, buildActionLedgerSensitiveReadEntryInput, decideActionLedgerApproval, ledgerSensitiveRead, mapActionLedgerRequestContext, requestActionLedgerApproval, } from "./request-context.js";
+export { type ActionApprovalDecisionResponse, type ActionApprovalDetailResponse, type ActionApprovalGetResponse, type ActionApprovalListResponse, type ActionApprovalRequestResponse, type ActionApprovalResponse, type ActionDelegationGetResponse, type ActionDelegationListResponse, type ActionDelegationResponse, type ActionLedgerAdminRoutes, type ActionLedgerEntryDetailResponse, type ActionLedgerEntryResponse, type ActionLedgerGetResponse, type ActionLedgerListResponse, type ActionLedgerPayloadResponse, type ActionLedgerRelayOutboxListResponse, type ActionLedgerRelayOutboxResponse, type ActionLedgerReversalResponse, actionLedgerAdminRoutes, actionLedgerHonoModule, actionLedgerModule, } from "./routes.js";
+export { type ActionApproval, type ActionDelegation, type ActionLedgerEntry, type ActionLedgerPayload, type ActionLedgerRelayOutbox, type ActionMutationDetail, type ActionSensitiveReadDetail, actionApprovals, actionDelegations, actionLedgerActionKindEnum, actionLedgerApprovalStatusEnum, actionLedgerEntries, actionLedgerPayloads, actionLedgerPrincipalTypeEnum, actionLedgerRedactionStatusEnum, actionLedgerRelayOutbox, actionLedgerRelayStatusEnum, actionLedgerReversalKindEnum, actionLedgerReversalOutcomeEnum, actionLedgerReversalStateEnum, actionLedgerRiskEnum, actionLedgerStatusEnum, actionMutationDetails, actionSensitiveReadDetails, type NewActionApproval, type NewActionDelegation, type NewActionLedgerEntry, type NewActionLedgerPayload, type NewActionLedgerRelayOutbox, type NewActionMutationDetail, type NewActionSensitiveReadDetail, } from "./schema.js";
+export { ActionApprovalDecisionConflictError, ActionApprovalDecisionStatusError, type ActionApprovalListCursor, type ActionDelegationListCursor, ActionLedgerIdempotencyConflictError, type ActionLedgerListCursor, type ActionLedgerRelayOutboxListCursor, ActionLedgerReversalTargetError, type AppendActionLedgerEntryInput, type AppendActionLedgerEntryResult, actionLedgerService, type ClaimActionLedgerRelayOutboxInput, type ClaimActionLedgerRelayOutboxResult, type DecideActionApprovalInput, type DecideActionApprovalResult, type GetActionApprovalResult, type GetActionDelegationResult, type GetActionLedgerEntryResult, type ListActionApprovalsInput, type ListActionApprovalsResult, type ListActionDelegationsInput, type ListActionDelegationsResult, type ListActionLedgerEntriesInput, type ListActionLedgerEntriesResult, type ListActionLedgerRelayOutboxInput, type ListActionLedgerRelayOutboxResult, type MarkActionLedgerRelayOutboxFailedInput, type MarkActionLedgerRelayOutboxSucceededInput, type RecordActionLedgerReversalInput, type RecordActionLedgerReversalResult, type RequestActionApprovalInput, type RequestActionApprovalResult, type ValidateApprovedActionFailureReason, type ValidateApprovedActionInput, type ValidateApprovedActionResult, } from "./service.js";
+export { type ActionLedgerSerializedEntry, type ActionLedgerTargetTimelineEntry, type ActionLedgerTargetTimelinePage, type ActionLedgerTargetTimelineQuery, type ActionLedgerTimelineCursor, actionLedgerTargetTimelineQuerySchema, buildActionLedgerTargetTimelinePage, serializeActionLedgerDate, serializeActionLedgerEntry, sortActionLedgerTimelineEntries, toActionLedgerTimelineCursor, } from "./timeline.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,KAAK,0BAA0B,EAC/B,KAAK,2BAA2B,EAChC,qBAAqB,GACtB,MAAM,aAAa,CAAA;AACpB,OAAO,EACL,KAAK,qCAAqC,EAC1C,KAAK,qCAAqC,EAC1C,KAAK,kCAAkC,EACvC,KAAK,kCAAkC,EACvC,KAAK,oCAAoC,EACzC,KAAK,gCAAgC,EACrC,KAAK,2BAA2B,EAChC,KAAK,kCAAkC,EACvC,KAAK,8BAA8B,EACnC,mCAAmC,EACnC,KAAK,0BAA0B,EAC/B,0CAA0C,EAC1C,yBAAyB,EACzB,wCAAwC,EACxC,oCAAoC,EACpC,KAAK,4CAA4C,EACjD,KAAK,yCAAyC,EAC9C,uCAAuC,EACvC,oCAAoC,EACpC,kCAAkC,EAClC,yBAAyB,GAC1B,MAAM,iBAAiB,CAAA;AACxB,OAAO,EACL,KAAK,0CAA0C,EAC/C,qCAAqC,EACrC,2BAA2B,EAC3B,YAAY,EACZ,aAAa,EACb,MAAM,GACP,MAAM,kBAAkB,CAAA;AACzB,OAAO,EACL,gCAAgC,EAChC,KAAK,uBAAuB,EAC5B,KAAK,mCAAmC,EACxC,KAAK,gCAAgC,EACrC,KAAK,iCAAiC,EACtC,0BAA0B,EAC1B,+BAA+B,EAC/B,KAAK,sCAAsC,EAC3C,KAAK,qCAAqC,EAC1C,KAAK,6CAA6C,EAClD,KAAK,8BAA8B,EACnC,KAAK,mCAAmC,EACxC,KAAK,2CAA2C,EAChD,sCAAsC,EACtC,qCAAqC,EACrC,wCAAwC,EACxC,mCAAmC,EACnC,wCAAwC,EACxC,0BAA0B,EAC1B,mBAAmB,EACnB,6BAA6B,EAC7B,2BAA2B,GAC5B,MAAM,sBAAsB,CAAA;AAC7B,OAAO,EACL,KAAK,8BAA8B,EACnC,KAAK,4BAA4B,EACjC,KAAK,yBAAyB,EAC9B,KAAK,0BAA0B,EAC/B,KAAK,6BAA6B,EAClC,KAAK,sBAAsB,EAC3B,KAAK,2BAA2B,EAChC,KAAK,4BAA4B,EACjC,KAAK,wBAAwB,EAC7B,KAAK,uBAAuB,EAC5B,KAAK,+BAA+B,EACpC,KAAK,yBAAyB,EAC9B,KAAK,uBAAuB,EAC5B,KAAK,wBAAwB,EAC7B,KAAK,2BAA2B,EAChC,KAAK,mCAAmC,EACxC,KAAK,+BAA+B,EACpC,KAAK,4BAA4B,EACjC,uBAAuB,EACvB,sBAAsB,EACtB,kBAAkB,GACnB,MAAM,aAAa,CAAA;AACpB,OAAO,EACL,KAAK,cAAc,EACnB,KAAK,gBAAgB,EACrB,KAAK,iBAAiB,EACtB,KAAK,mBAAmB,EACxB,KAAK,uBAAuB,EAC5B,KAAK,oBAAoB,EACzB,KAAK,yBAAyB,EAC9B,eAAe,EACf,iBAAiB,EACjB,0BAA0B,EAC1B,8BAA8B,EAC9B,mBAAmB,EACnB,oBAAoB,EACpB,6BAA6B,EAC7B,+BAA+B,EAC/B,uBAAuB,EACvB,2BAA2B,EAC3B,4BAA4B,EAC5B,+BAA+B,EAC/B,6BAA6B,EAC7B,oBAAoB,EACpB,sBAAsB,EACtB,qBAAqB,EACrB,0BAA0B,EAC1B,KAAK,iBAAiB,EACtB,KAAK,mBAAmB,EACxB,KAAK,oBAAoB,EACzB,KAAK,sBAAsB,EAC3B,KAAK,0BAA0B,EAC/B,KAAK,uBAAuB,EAC5B,KAAK,4BAA4B,GAClC,MAAM,aAAa,CAAA;AACpB,OAAO,EACL,mCAAmC,EACnC,iCAAiC,EACjC,KAAK,wBAAwB,EAC7B,KAAK,0BAA0B,EAC/B,oCAAoC,EACpC,KAAK,sBAAsB,EAC3B,KAAK,iCAAiC,EACtC,+BAA+B,EAC/B,KAAK,4BAA4B,EACjC,KAAK,6BAA6B,EAClC,mBAAmB,EACnB,KAAK,iCAAiC,EACtC,KAAK,kCAAkC,EACvC,KAAK,yBAAyB,EAC9B,KAAK,0BAA0B,EAC/B,KAAK,uBAAuB,EAC5B,KAAK,yBAAyB,EAC9B,KAAK,0BAA0B,EAC/B,KAAK,wBAAwB,EAC7B,KAAK,yBAAyB,EAC9B,KAAK,0BAA0B,EAC/B,KAAK,2BAA2B,EAChC,KAAK,4BAA4B,EACjC,KAAK,6BAA6B,EAClC,KAAK,gCAAgC,EACrC,KAAK,iCAAiC,EACtC,KAAK,sCAAsC,EAC3C,KAAK,yCAAyC,EAC9C,KAAK,+BAA+B,EACpC,KAAK,gCAAgC,EACrC,KAAK,0BAA0B,EAC/B,KAAK,2BAA2B,EAChC,KAAK,mCAAmC,EACxC,KAAK,2BAA2B,EAChC,KAAK,4BAA4B,GAClC,MAAM,cAAc,CAAA;AACrB,OAAO,EACL,KAAK,2BAA2B,EAChC,KAAK,+BAA+B,EACpC,KAAK,8BAA8B,EACnC,KAAK,+BAA+B,EACpC,KAAK,0BAA0B,EAC/B,qCAAqC,EACrC,mCAAmC,EACnC,yBAAyB,EACzB,0BAA0B,EAC1B,+BAA+B,EAC/B,4BAA4B,GAC7B,MAAM,eAAe,CAAA"}

package/dist/index.js

@@ -0,0 +1,8 @@
+export { runActionLedgerCanary, } from "./canary.js";
+export { ActionLedgerCapabilityRegistryError, actionLedgerCapabilityApprovalPolicyValues, actionLedgerCapabilityKey, actionLedgerCapabilityLedgerPolicyValues, createActionLedgerCapabilityRegistry, evaluateActionLedgerApprovalRequirement, evaluateActionLedgerCapabilityAccess, evaluateActionLedgerCapabilityRisk, getActionLedgerCapability, } from "./capability.js";
+export { buildActionApprovalCommandFingerprint, buildIdempotencyFingerprint, canonicalize, canonicalJson, sha256, } from "./fingerprint.js";
+export { ACTION_LEDGER_APPROVAL_ID_HEADER, appendActionLedgerMutation, appendActionLedgerSensitiveRead, buildActionLedgerApprovalDecisionInput, buildActionLedgerApprovalRequestInput, buildActionLedgerApprovedExecutionFields, buildActionLedgerMutationEntryInput, buildActionLedgerSensitiveReadEntryInput, decideActionLedgerApproval, ledgerSensitiveRead, mapActionLedgerRequestContext, requestActionLedgerApproval, } from "./request-context.js";
+export { actionLedgerAdminRoutes, actionLedgerHonoModule, actionLedgerModule, } from "./routes.js";
+export { actionApprovals, actionDelegations, actionLedgerActionKindEnum, actionLedgerApprovalStatusEnum, actionLedgerEntries, actionLedgerPayloads, actionLedgerPrincipalTypeEnum, actionLedgerRedactionStatusEnum, actionLedgerRelayOutbox, actionLedgerRelayStatusEnum, actionLedgerReversalKindEnum, actionLedgerReversalOutcomeEnum, actionLedgerReversalStateEnum, actionLedgerRiskEnum, actionLedgerStatusEnum, actionMutationDetails, actionSensitiveReadDetails, } from "./schema.js";
+export { ActionApprovalDecisionConflictError, ActionApprovalDecisionStatusError, ActionLedgerIdempotencyConflictError, ActionLedgerReversalTargetError, actionLedgerService, } from "./service.js";
+export { actionLedgerTargetTimelineQuerySchema, buildActionLedgerTargetTimelinePage, serializeActionLedgerDate, serializeActionLedgerEntry, sortActionLedgerTimelineEntries, toActionLedgerTimelineCursor, } from "./timeline.js";

package/dist/request-context.d.ts

@@ -0,0 +1,136 @@
+import type { AnyDrizzleDb } from "@voyantjs/db";
+import type { ActionApproval, ActionLedgerEntry, NewActionMutationDetail } from "./schema.js";
+import type { AppendActionLedgerEntryInput, AppendActionLedgerEntryResult, DecideActionApprovalInput, DecideActionApprovalResult, RequestActionApprovalInput, RequestActionApprovalResult } from "./service.js";
+export declare const ACTION_LEDGER_APPROVAL_ID_HEADER = "action-approval-id";
+export interface ActionLedgerRequestContextValues {
+    userId?: string | null;
+    agentId?: string | null;
+    workflowPrincipalId?: string | null;
+    principalSubtype?: string | null;
+    sessionId?: string | null;
+    apiTokenId?: string | null;
+    apiKeyId?: string | null;
+    callerType?: string | null;
+    actor?: string | null;
+    isInternalRequest?: boolean | null;
+    organizationId?: string | null;
+    workflowRunId?: string | null;
+    workflowStepId?: string | null;
+    correlationId?: string | null;
+}
+export interface ActionLedgerActorFields {
+    actorType: string | null;
+    principalType: ActionLedgerEntry["principalType"];
+    principalId: string;
+    principalSubtype: string | null;
+    sessionId: string | null;
+    apiTokenId: string | null;
+    internalRequest: boolean;
+    callerType: string | null;
+    organizationId: string | null;
+    workflowRunId: string | null;
+    workflowStepId: string | null;
+    correlationId: string | null;
+}
+export interface ActionLedgerRequestMappingOptions {
+    fallbackPrincipalId?: string;
+}
+export interface BuildActionLedgerSensitiveReadInput extends CommonActionLedgerRouteInput, ActionLedgerRequestMappingOptions {
+    status?: Extract<ActionLedgerEntry["status"], "succeeded" | "denied" | "failed">;
+    reasonCode?: string | null;
+    disclosedFieldSet?: string[] | null;
+    disclosureSummary?: string | null;
+    decisionPolicy?: string | null;
+}
+export type BuildActionLedgerSensitiveReadInputForValue<T> = BuildActionLedgerSensitiveReadInput | ((value: T) => BuildActionLedgerSensitiveReadInput);
+export interface BuildActionLedgerMutationInput extends CommonActionLedgerRouteInput, ActionLedgerRequestMappingOptions {
+    actionKind: Extract<ActionLedgerEntry["actionKind"], "create" | "update" | "delete" | "execute">;
+    status?: ActionLedgerEntry["status"];
+    mutationDetail?: Omit<NewActionMutationDetail, "actionId">;
+}
+export interface BuildActionLedgerApprovalRequestInput extends Omit<BuildActionLedgerMutationInput, "status"> {
+    approval: {
+        requestedByPrincipalId?: string | null;
+        assignedToPrincipalId?: string | null;
+        delegatedFromPrincipalId?: string | null;
+        policyName: string;
+        policyVersion: string;
+        targetSnapshotRef?: string | null;
+        riskSnapshot?: ActionApproval["riskSnapshot"] | null;
+        reasonCode?: string | null;
+        expiresAt?: Date | string | null;
+    };
+}
+export interface BuildActionLedgerApprovalDecisionInput extends ActionLedgerRequestMappingOptions {
+    context: ActionLedgerRequestContextValues;
+    id: string;
+    status: Exclude<ActionApproval["status"], "pending">;
+    decidedByPrincipalId?: string | null;
+    decidedAt?: Date | string | null;
+    actionName: string;
+    actionVersion?: string;
+    evaluatedRisk?: ActionLedgerEntry["evaluatedRisk"];
+    targetType?: string;
+    targetId?: string;
+    routeOrToolName?: string | null;
+    capabilityId?: string | null;
+    capabilityVersion?: string | null;
+    authorizationSource?: string | null;
+    idempotencyScope?: string | null;
+    idempotencyKey?: string | null;
+    idempotencyFingerprint?: string | null;
+    payloads?: AppendActionLedgerEntryInput["payloads"];
+    enqueueRelay?: AppendActionLedgerEntryInput["enqueueRelay"];
+    organizationId?: string | null;
+    workflowRunId?: string | null;
+    workflowStepId?: string | null;
+    correlationId?: string | null;
+}
+export interface BuildActionLedgerApprovedExecutionFieldsInput {
+    requestedActionId: string;
+    approvalId: string;
+    idempotencyFingerprint: string;
+}
+export interface ActionLedgerApprovedExecutionFields {
+    causationActionId: string;
+    approvalId: string;
+    idempotencyScope: string;
+    idempotencyKey: string;
+    idempotencyFingerprint: string;
+}
+interface CommonActionLedgerRouteInput {
+    context: ActionLedgerRequestContextValues;
+    actionName: string;
+    actionVersion?: string;
+    evaluatedRisk?: ActionLedgerEntry["evaluatedRisk"];
+    targetType: string;
+    targetId: string;
+    routeOrToolName?: string | null;
+    capabilityId?: string | null;
+    capabilityVersion?: string | null;
+    authorizationSource?: string | null;
+    causationActionId?: string | null;
+    approvalId?: string | null;
+    idempotencyScope?: string | null;
+    idempotencyKey?: string | null;
+    idempotencyFingerprint?: string | null;
+    payloads?: AppendActionLedgerEntryInput["payloads"];
+    enqueueRelay?: AppendActionLedgerEntryInput["enqueueRelay"];
+    organizationId?: string | null;
+    workflowRunId?: string | null;
+    workflowStepId?: string | null;
+    correlationId?: string | null;
+}
+export declare function mapActionLedgerRequestContext(context: ActionLedgerRequestContextValues, options?: ActionLedgerRequestMappingOptions): ActionLedgerActorFields;
+export declare function buildActionLedgerSensitiveReadEntryInput(input: BuildActionLedgerSensitiveReadInput): AppendActionLedgerEntryInput;
+export declare function appendActionLedgerSensitiveRead(db: AnyDrizzleDb, input: BuildActionLedgerSensitiveReadInput): Promise<AppendActionLedgerEntryResult>;
+export declare function ledgerSensitiveRead<T>(db: AnyDrizzleDb, input: BuildActionLedgerSensitiveReadInputForValue<T>, read: () => T | Promise<T>): Promise<T>;
+export declare function buildActionLedgerMutationEntryInput(input: BuildActionLedgerMutationInput): AppendActionLedgerEntryInput;
+export declare function appendActionLedgerMutation(db: AnyDrizzleDb, input: BuildActionLedgerMutationInput): Promise<AppendActionLedgerEntryResult>;
+export declare function buildActionLedgerApprovalRequestInput(input: BuildActionLedgerApprovalRequestInput): RequestActionApprovalInput;
+export declare function requestActionLedgerApproval(db: AnyDrizzleDb, input: BuildActionLedgerApprovalRequestInput): Promise<RequestActionApprovalResult>;
+export declare function buildActionLedgerApprovalDecisionInput(input: BuildActionLedgerApprovalDecisionInput): DecideActionApprovalInput;
+export declare function decideActionLedgerApproval(db: AnyDrizzleDb, input: BuildActionLedgerApprovalDecisionInput): Promise<DecideActionApprovalResult | null>;
+export declare function buildActionLedgerApprovedExecutionFields(input: BuildActionLedgerApprovedExecutionFieldsInput): ActionLedgerApprovedExecutionFields;
+export {};
+//# sourceMappingURL=request-context.d.ts.map