@xshieldai/aegis-suite 0.2.0

package/LICENSE

@@ -0,0 +1,31 @@
+GNU AFFERO GENERAL PUBLIC LICENSE
+Version 3, 19 November 2007
+
+Copyright (C) 2026 ANKR Labs / Capt. Anil Sharma
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+---
+
+The full text of the GNU Affero General Public License v3 is available at:
+https://www.gnu.org/licenses/agpl-3.0.txt
+
+ADDITIONAL TERMS (permitted under AGPL §7):
+
+If you run a modified version of this software as a network service,
+you must make the complete source code of the modified version available
+to all users of that service under the terms of this license.
+
+Commercial use, including SaaS deployments and enterprise integrations,
+requires a separate commercial license. Contact: captain@ankr.in

package/README.md

@@ -0,0 +1,276 @@
+# @rocketlang/aegis-suite
+
+**Meta-package.** Installs the full open-source AEGIS / KavachOS / xShieldAI agent governance stack in one shot.
+
+```bash
+npm install @rocketlang/aegis-suite
+# or
+bun add @rocketlang/aegis-suite
+```
+
+That's it. You now have all six primitives. Import from each sub-package by name (this meta-package does not re-export — keep your imports honest about which primitive you're using).
+
+## What's bundled (6 packages)
+
+| Package | Role | Phase |
+|---|---|---|
+| [`@rocketlang/aegis`](https://www.npmjs.com/package/@rocketlang/aegis) | Agent **spend** governance: budget caps, kill-switch, DAN gate, HanumanG 7-axis spawn check | v2.1.0 stable |
+| [`@rocketlang/kavachos`](https://www.npmjs.com/package/@rocketlang/kavachos) | Agent **behavior**: seccomp-bpf, Falco, syscall mediation, exec allowlist, egress firewall | v2.0.2 stable |
+| [`@rocketlang/aegis-guard`](https://www.npmjs.com/package/@rocketlang/aegis-guard) | Five Locks SDK: approval-token, nonce, idempotency, SENSE, quality-evidence | v0.1.0 |
+| [`@rocketlang/chitta-detect`](https://www.npmjs.com/package/@rocketlang/chitta-detect) | Memory poisoning detection: trust / imperative / tool-output / capability-expansion / fingerprint scanners | v0.1.0 |
+| [`@rocketlang/lakshmanrekha`](https://www.npmjs.com/package/@rocketlang/lakshmanrekha) | LLM endpoint probe suite: 8 deterministic attack probes + replayable refusal classifier + multi-provider runner | v0.1.0 |
+| [`@rocketlang/hanumang-mandate`](https://www.npmjs.com/package/@rocketlang/hanumang-mandate) | Mudrika delegation-credential verifier + 7-axis posture scorer | v0.1.0 |
+
+## Deliberately NOT bundled
+
+| Package | Why excluded |
+|---|---|
+| `@rocketlang/n8n-nodes-kavachos` | n8n-specific integration — `npm install @rocketlang/n8n-nodes-kavachos` separately if you use n8n. Excluded so non-n8n users don't pull n8n-shaped deps. |
+| `@rocketlang/kavachos-ee` | BSL-1.1 Enterprise Edition (PRAMANA Merkle ledger, HanumanG EE posture registry, dual-control approvals, multi-tenant isolation). Not published to npm. Contact [captain@ankr.in](mailto:captain@ankr.in) for design partner access. |
+
+## Why a meta-package and not a fused single package?
+
+The 6 primitives are **deliberately separate** — each addresses a different governance moment (spend / behavior / approval / memory / LLM probing / delegation). Forcing them into one fused package would:
+
+- Multiply per-primitive deps for users who only need one
+- Bundle SQLite + Postgres + fastify + bun-specific code for users running in browsers/edge
+- Conflate the "stop bad spend" concern with the "verify mandate credentials" concern when neither needs the other
+
+This meta-package is the **convenience installer**, not a re-architected mono-product. You get them all at once; you still import from each by name.
+
+## The unified workflow (after install)
+
+### Day-1: Aegis CLI sets up the spend gate
+
+```bash
+# Installed globally via @rocketlang/aegis bin
+aegis init
+aegis-monitor &
+aegis-dashboard &
+# → http://localhost:4850 (KAVACH DAN Gate dashboard)
+```
+
+### Day-1: Probe your LLM endpoint with lakshmanrekha
+
+```typescript
+import { runAllProbes, computeRefusalRate } from '@rocketlang/lakshmanrekha';
+
+const results = await runAllProbes(
+  'https://api.openai.com/v1',
+  process.env.OPENAI_API_KEY!,
+  'openai',
+  { model: 'gpt-4o-mini' }
+);
+console.log(`Refusal rate: ${computeRefusalRate(results.map(r => r.verdict))}%`);
+```
+
+### Day-2: Scan persistent memory writes with chitta-detect
+
+```typescript
+import { scan } from '@rocketlang/chitta-detect';
+
+const result = scan.evaluate(suspiciousMemoryContent, { agent_id: 'agent-001' });
+if (result.verdict === 'BLOCK') {
+  throw new Error(`memory write blocked: ${result.rules_fired.join(', ')}`);
+}
+```
+
+### Day-3: Verify agent mandates with hanumang-mandate
+
+```typescript
+import { verifyMudrika, scoreAxis, computePostureScore } from '@rocketlang/hanumang-mandate';
+
+const mandate = verifyMudrika(receivedMudrika, expectedAgentId);
+if (mandate.outcome !== 'PASS') {
+  throw new Error(`mandate rejected: ${mandate.failure_reason}`);
+}
+```
+
+### Day-4: Wire Five Locks with aegis-guard
+
+```typescript
+import { verifyApprovalToken, emitAegisSenseEvent, checkIdempotency } from '@rocketlang/aegis-guard';
+
+// LOCK_1 — verify approval token before irreversible action
+const payload = verifyApprovalToken(token, 'my-service', 'settle', 'record_settle');
+
+// LOCK_3 — emit SENSE event with before/after delta
+emitAegisSenseEvent({ event_type: 'allowance.settle', /* ... */ });
+```
+
+### Day-N: Kernel-enforce behavior with kavachos (when ready)
+
+```bash
+# Installed via @rocketlang/kavachos bin (note: bin name collision with aegis's
+# bundled kavachos shim — use whichever is on your PATH first; both point at
+# the same kernel-enforcement primitives)
+kavachos audit ./my-agent.config.json
+kavachos generate seccomp ./policy.bpf
+```
+
+## Why this matters — the open primitive vs the hosted product
+
+[Fin Operator](https://www.fin.ai/) launched 2026-05-15 as a Pro-tier subscription product whose "proposal system" puts a human gate between AI agents and the systems they change. The same primitives — pull-request-shaped intercepts, agent-managing-agent, attestation chains — are open and self-hostable here. `aegis` was born 17 April 2026, about a month before Fin Operator's launch, from a real $200 incident with an unmonitored Claude Code session.
+
+| | Fin Operator (2026-05-15) | @rocketlang/aegis-suite (2026-05-16) |
+|---|---|---|
+| Distribution | Pro-tier subscription, vendor-hosted | `npm install @rocketlang/aegis-suite`, self-hosted |
+| License | Proprietary | AGPL-3.0-only (suite) + BSL-1.1 → AGPL-3.0 in 4 years (EE) |
+| Scope | Bound to the Fin platform | Vendor-neutral (Claude Code, OpenAI Codex, Cursor, custom) |
+| Self-host | No | Yes — local-first by default |
+| Audit | Trust the vendor | `grep -rn "fetch(" node_modules/@rocketlang/*/src/` |
+| Pricing | Pro tier + usage blocks | $0 OSS · BSL-1.1 EE free up to 3 concurrent sessions |
+
+## License
+
+AGPL-3.0-only (the meta-package itself + all 6 bundled packages). Any modified version run as a network service must publish source per AGPL clause 13.
+
+EE packages (BSL-1.1) are separate — see boundary doc at [OPEN-CORE-BOUNDARY.md](https://github.com/rocketlang/aegis/blob/main/OPEN-CORE-BOUNDARY.md).
+
+For commercial dual-licensing: [captain@ankr.in](mailto:captain@ankr.in).
+
+---
+
+## v0.2.0 — `wireAllToBus()` + Agentic Control Center event bus
+
+Added 2026-05-17. One call wires all 4 OSS primitives (aegis-guard,
+chitta-detect, lakshmanrekha, hanumang-mandate) to a single event bus
++ persists every event to SQLite at `~/.aegis/acc-events.db`. The
+aegis dashboard (v2.2.0+, ships same release wave) reads from this
+file to render the **Agentic Control Center** page at
+`http://localhost:4850/control-center`.
+
+### Quick start
+
+```typescript
+import { wireAllToBus } from '@rocketlang/aegis-suite';
+
+// One call — wires all 4 primitives + sets up SQLite writer
+const handle = wireAllToBus();
+
+console.log('Events persisting to:', handle.sqlitePath);
+// → /home/you/.aegis/acc-events.db
+
+// Now use any of the @rocketlang primitives normally — every operation
+// emits a receipt that lands in the SQLite file:
+import { verifyApprovalToken } from '@rocketlang/aegis-guard';
+import { scan } from '@rocketlang/chitta-detect';
+
+verifyApprovalToken(token, 'svc', 'cap', 'op');     // → emits lock.approval.verified
+scan.evaluate(content, { agent_id: 'agent-1' });    // → emits scan.evaluated
+```
+
+### View live in the Agentic Control Center
+
+If you also have `@rocketlang/aegis` v2.2.0+ installed and the dashboard
+running (`aegis-dashboard &`), visit:
+
+- **`http://localhost:4850/control-center`** — single-page grid with 6
+  zones (one per primitive + PRAMANA panel)
+- **`http://localhost:4850/agent/:id`** — per-agent timeline across all
+  primitives, ordered by emission time
+- **`http://localhost:4850/api/acc/events`** — JSON query API
+- **`http://localhost:4850/api/acc/health`** — counts by primitive
+
+All routes are gated by the dashboard's session auth when
+`dashboard.auth.enabled: true` in `~/.aegis/config.json` (the default
+after `aegis init`).
+
+### Subscribe to events live (custom processing)
+
+```typescript
+const handle = wireAllToBus();
+const unsub = handle.subscribe!((receipt) => {
+  if (receipt.verdict === 'BLOCK' || receipt.verdict === 'FAIL') {
+    notifyOps(receipt);  // your custom alerting
+  }
+});
+// later: unsub() to detach
+```
+
+### Bring your own bus
+
+```typescript
+import type { EventBus, AccReceipt } from '@rocketlang/aegis-suite';
+
+const myBus: EventBus = {
+  emit: (r: AccReceipt) => sendToRedis(r),  // your transport
+};
+
+wireAllToBus({ bus: myBus });  // no SQLite, no in-memory fan-out — fully delegated
+```
+
+### Detach when done
+
+```typescript
+import { unwireAll } from '@rocketlang/aegis-suite';
+unwireAll();  // all 4 primitives revert to v0.1.0 (no emission)
+```
+
+### Architecture
+
+```
+consumer process
+  ├─ wireAllToBus() ──┬─ setEventBus on aegis-guard
+  │                   ├─ setEventBus on chitta-detect
+  │                   ├─ setEventBus on lakshmanrekha
+  │                   └─ setEventBus on hanumang-mandate
+  │
+  ├─ InMemoryBus ──┬─ fan-out to subscribers (your live listeners)
+  │                └─ SqliteEventWriter ──> ~/.aegis/acc-events.db
+  │
+  └─ (your code calls primitives normally)
+
+aegis-dashboard (separate process, v2.2.0+)
+  └─ reads ~/.aegis/acc-events.db
+     └─ /control-center, /agent/:id, /api/acc/*
+```
+
+### Phase-1 limits (v0.2.0)
+
+- **Same-process vs cross-process visibility.** When the consumer
+  process and dashboard process are different (typical: your app + the
+  aegis-dashboard service), the consumer writes to SQLite via WAL.
+  Reader-side visibility lags slightly because WAL pages are not
+  automatically checkpointed back to the main DB file until
+  ~1000 writes accumulate. **If you want immediate cross-process
+  visibility, call `handle.checkpoint!()`** after a batch of activity
+  (e.g., end-of-request handler) or periodically (e.g., every 30s).
+  Single-process (consumer == dashboard) needs no checkpointing.
+- **`@rocketlang/aegis` v2.2.0 required for the cockpit UI.** The
+  dashboard at port 4850 needs aegis v2.2.0 (which ships in this same
+  release wave) to expose the `/control-center` route. Events still
+  persist to SQLite with any aegis version; only the rendering layer
+  needs v2.2.0.
+- **Default bus is in-process only.** Multi-process buses (Redis,
+  Kafka, NATS) are a consumer choice — implement the `EventBus`
+  interface and pass via `wireAllToBus({ bus: yourBus })`.
+- **WAL files (`-wal`, `-shm`) accompany `acc-events.db`.** If you
+  move/copy the SQLite file, take all three together or call
+  `checkpoint()` first to consolidate into the main file.
+- **`@rocketlang/n8n-nodes-kavachos` is NOT wired.** It's an n8n
+  integration, not a primitive — its event-bus story is the consumer's
+  n8n workflow, not `wireAllToBus`.
+
+### SQLite schema (for direct query access)
+
+```sql
+CREATE TABLE acc_events (
+  id INTEGER PRIMARY KEY AUTOINCREMENT,
+  receipt_id  TEXT NOT NULL,
+  primitive   TEXT NOT NULL,      -- 'aegis-guard' | 'chitta-detect' | etc.
+  event_type  TEXT NOT NULL,      -- 'lock.approval.verified' | 'scan.evaluated' | etc.
+  emitted_at  TEXT NOT NULL,      -- ISO 8601
+  agent_id    TEXT,
+  verdict     TEXT,               -- PASS | FAIL | BLOCK | etc.
+  rules_fired TEXT,               -- JSON array, e.g. '["AEG-E-016"]'
+  summary     TEXT,
+  payload     TEXT,               -- JSON object
+  ingested_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP
+);
+-- Indexes on (primitive, emitted_at), (agent_id, emitted_at), event_type, id
+```
+
+Schema is forward-compatible-additive only (ACC-YK-006) — fields added,
+never removed or renamed. Direct SQL queries from external tools
+(Grafana, datadog-agent, custom scripts) are supported and stable.

package/package.json

@@ -0,0 +1,76 @@
+{
+  "name": "@xshieldai/aegis-suite",
+  "version": "0.2.0",
+  "description": "Meta-package — installs the full xShieldAI Posture Suite (AEGIS + Agent Kernel + 4 primitives) in one shot + wireAllToBus() helper that connects all 4 primitives to a single SQLite event bus for the Agentic Control Center. Open-source counter to Fin Operator's hosted governance plane.",
+  "license": "AGPL-3.0-only",
+  "type": "module",
+  "author": "Capt. Anil Sharma <capt.anil.sharma@powerpbox.org>",
+  "homepage": "https://github.com/rocketlang/aegis/tree/main/packages/aegis-suite",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/rocketlang/aegis.git",
+    "directory": "packages/aegis-suite"
+  },
+  "bugs": {
+    "url": "https://github.com/rocketlang/aegis/issues"
+  },
+  "keywords": [
+    "aegis",
+    "aegis-suite",
+    "rocketlang",
+    "xshieldai",
+    "ai-governance",
+    "ai-agent-safety",
+    "agent-spend",
+    "agent-behavior",
+    "memory-poisoning",
+    "llm-redteam",
+    "agent-delegation",
+    "open-source",
+    "fin-operator-alternative"
+  ],
+  "exports": {
+    ".": {
+      "import": "./src/index.ts",
+      "types": "./src/index.ts"
+    }
+  },
+  "main": "./src/index.ts",
+  "files": [
+    "src/",
+    "README.md",
+    "LICENSE"
+  ],
+  "dependencies": {
+    "@xshieldai/aegis": "^2.2.0",
+    "@xshieldai/agent-kernel": "^2.0.2",
+    "@xshieldai/aegis-guard": "^0.2.0",
+    "@xshieldai/chitta-detect": "^0.2.0",
+    "@xshieldai/lakshmanrekha": "^0.2.0",
+    "@xshieldai/hanumang-mandate": "^0.2.0"
+  },
+  "scripts": {
+    "typecheck": "tsc --noEmit"
+  },
+  "devDependencies": {
+    "typescript": "^5.4.0",
+    "@types/node": "^20.0.0"
+  },
+  "engines": {
+    "bun": ">=1.0.0",
+    "node": ">=18.0.0"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "aegis_suite": {
+    "purpose": "single-install bundle of the OSS half of the xShieldAI Posture Suite (AEGIS + Agent Kernel + primitives)",
+    "bundled_packages": 6,
+    "deliberately_excluded": [
+      "@xshieldai/n8n-nodes (n8n-specific integration, install separately if using n8n)"
+    ],
+    "not_bundled_because_ee": [
+      "@xshieldai/agent-kernel-ee (BSL-1.1, not on npm — contact captain@ankr.in)"
+    ]
+  }
+}

package/src/bus.ts

@@ -0,0 +1,167 @@
+// SPDX-License-Identifier: AGPL-3.0-only
+// Copyright (c) 2026 Capt. Anil Sharma (rocketlang). All rights reserved.
+//
+// @rocketlang/aegis-suite — InMemoryBus + SqliteEventWriter (v0.2.0)
+//
+// Self-contained default bus implementation for wireAllToBus(). Writes to
+// ~/.aegis/acc-events.db using a forward-compatible-additive schema. The
+// aegis dashboard (v2.2.0+) reads from the same file using its own copy
+// of the same schema — both use CREATE IF NOT EXISTS so the file is
+// schema-idempotent regardless of which process writes first.
+//
+// @rule:ACC-005 — Black-box separation: separate from aegis.db / turn-store.db
+// @rule:ACC-011 — In-process / single-process default. Multi-process bus is
+//                  consumer choice.
+// @rule:ACC-YK-006 — Schema forward-compatible-additive only.
+
+import { Database } from 'bun:sqlite';
+import { mkdirSync, existsSync } from 'fs';
+import { dirname, join } from 'path';
+import { homedir } from 'os';
+import type { AccReceipt, EventBus } from './wire';
+
+export function defaultAccEventsDbPath(): string {
+  const aegisDir = process.env.AEGIS_DIR ?? join(homedir(), '.aegis');
+  if (!existsSync(aegisDir)) mkdirSync(aegisDir, { recursive: true });
+  return join(aegisDir, 'acc-events.db');
+}
+
+// ── InMemoryBus — fans events out to N subscribers in-process ────────────────
+
+export type Subscriber = (r: AccReceipt) => void;
+
+export class InMemoryBus implements EventBus {
+  private subscribers: Set<Subscriber> = new Set();
+
+  emit(receipt: AccReceipt): void {
+    for (const sub of Array.from(this.subscribers)) {
+      try {
+        sub(receipt);
+      } catch {
+        // never let one bad subscriber break others (ACC-YK-003)
+      }
+    }
+  }
+
+  subscribe(fn: Subscriber): () => void {
+    this.subscribers.add(fn);
+    return () => this.subscribers.delete(fn);
+  }
+
+  subscriberCount(): number {
+    return this.subscribers.size;
+  }
+}
+
+// ── SQLite schema — must match aegis core's reader schema ────────────────────
+// If you change this, also change /root/aegis/src/acc/bus.ts SCHEMA in aegis
+// core. Schema is CREATE IF NOT EXISTS so additions are safe; never remove or
+// rename columns (ACC-YK-006 forward-compatible-additive only).
+
+const SCHEMA = `
+CREATE TABLE IF NOT EXISTS acc_events (
+  id INTEGER PRIMARY KEY AUTOINCREMENT,
+  receipt_id TEXT NOT NULL,
+  primitive TEXT NOT NULL,
+  event_type TEXT NOT NULL,
+  emitted_at TEXT NOT NULL,
+  agent_id TEXT,
+  verdict TEXT,
+  rules_fired TEXT,
+  summary TEXT,
+  payload TEXT,
+  ingested_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP
+);
+CREATE INDEX IF NOT EXISTS idx_acc_primitive_emitted ON acc_events (primitive, emitted_at);
+CREATE INDEX IF NOT EXISTS idx_acc_agent_emitted     ON acc_events (agent_id, emitted_at);
+CREATE INDEX IF NOT EXISTS idx_acc_event_type        ON acc_events (event_type);
+CREATE INDEX IF NOT EXISTS idx_acc_id                ON acc_events (id);
+`;
+
+export interface SqliteEventWriterOpts {
+  path?: string;
+}
+
+export class SqliteEventWriter {
+  private db: Database;
+  private insertStmt: ReturnType<Database['query']>;
+  public readonly path: string;
+
+  constructor(opts: SqliteEventWriterOpts = {}) {
+    this.path = opts.path ?? defaultAccEventsDbPath();
+    mkdirSync(dirname(this.path), { recursive: true });
+    this.db = new Database(this.path);
+    this.db.exec('PRAGMA journal_mode = WAL;');
+    this.db.exec(SCHEMA);
+    this.insertStmt = this.db.query(`
+      INSERT INTO acc_events
+        (receipt_id, primitive, event_type, emitted_at, agent_id, verdict, rules_fired, summary, payload)
+      VALUES
+        (?, ?, ?, ?, ?, ?, ?, ?, ?)
+    `);
+  }
+
+  write(receipt: AccReceipt): void {
+    try {
+      this.insertStmt.run(
+        receipt.receipt_id,
+        receipt.primitive,
+        receipt.event_type,
+        receipt.emitted_at,
+        receipt.agent_id ?? null,
+        receipt.verdict ?? null,
+        receipt.rules_fired ? JSON.stringify(receipt.rules_fired) : null,
+        receipt.summary ?? null,
+        receipt.payload ? JSON.stringify(receipt.payload) : null,
+      );
+    } catch {
+      // never throw — preserves ACC-YK-003 stateless-primitive contract
+    }
+  }
+
+  /** Force a WAL checkpoint so writes from this process are visible to readers
+   *  in other processes (e.g., the aegis dashboard in a separate process). */
+  checkpoint(): void {
+    try {
+      this.db.exec('PRAGMA wal_checkpoint(TRUNCATE);');
+    } catch {
+      // checkpoint failure non-fatal
+    }
+  }
+
+  /** Total event count — for health checks. */
+  totalCount(): number {
+    try {
+      const row = this.db.query('SELECT COUNT(*) AS n FROM acc_events').get() as { n: number };
+      return row.n;
+    } catch {
+      return 0;
+    }
+  }
+
+  close(): void {
+    try { this.db.close(); } catch { /* */ }
+  }
+}
+
+// ── Convenience constructor ──────────────────────────────────────────────────
+
+export interface DefaultBusOpts {
+  sqlitePath?: string;
+  persist?: boolean;
+}
+
+export interface DefaultBusHandle {
+  bus: InMemoryBus;
+  writer: SqliteEventWriter | null;
+}
+
+export function createDefaultBus(opts: DefaultBusOpts = {}): DefaultBusHandle {
+  const bus = new InMemoryBus();
+  let writer: SqliteEventWriter | null = null;
+  if (opts.persist !== false) {
+    writer = new SqliteEventWriter({ path: opts.sqlitePath });
+    bus.subscribe((r) => writer!.write(r));
+  }
+  return { bus, writer };
+}

package/src/index.ts

@@ -0,0 +1,43 @@
+// SPDX-License-Identifier: AGPL-3.0-only
+// Copyright (c) 2026 Capt. Anil Sharma (rocketlang). All rights reserved.
+//
+// @rocketlang/aegis-suite — meta-package. The value of this package is its
+// dependency list (installs all 6 OSS @rocketlang governance primitives in
+// one shot). Import from the sub-packages by name:
+//
+//   import { runProbe } from '@rocketlang/lakshmanrekha';
+//   import { trust, scan } from '@rocketlang/chitta-detect';
+//   import { verifyMudrika, scoreAxis } from '@rocketlang/hanumang-mandate';
+//   import { verifyApprovalToken } from '@rocketlang/aegis-guard';
+//
+// The `aegis` and `kavachos` CLIs ship as bin entries in those packages.
+// See README for the unified workflow.
+
+export const AEGIS_SUITE_VERSION = '0.2.0';
+export const AEGIS_SUITE_BUNDLED_PACKAGES = [
+  '@rocketlang/aegis',
+  '@rocketlang/kavachos',
+  '@rocketlang/aegis-guard',
+  '@rocketlang/chitta-detect',
+  '@rocketlang/lakshmanrekha',
+  '@rocketlang/hanumang-mandate',
+] as const;
+
+export interface SuiteManifest {
+  version: typeof AEGIS_SUITE_VERSION;
+  bundled_packages: typeof AEGIS_SUITE_BUNDLED_PACKAGES;
+  excluded: { package: string; reason: string }[];
+}
+
+// @rule:ACC-003 — wireAllToBus helper (v0.2.0+)
+export { wireAllToBus, unwireAll, getWiredHandle } from './wire.js';
+export type { EventBus, AccReceipt, WireHandle, WireAllOpts } from './wire.js';
+
+export const SUITE_MANIFEST: SuiteManifest = {
+  version: AEGIS_SUITE_VERSION,
+  bundled_packages: AEGIS_SUITE_BUNDLED_PACKAGES,
+  excluded: [
+    { package: '@rocketlang/n8n-nodes-kavachos', reason: 'n8n-specific integration — install separately if using n8n' },
+    { package: '@rocketlang/kavachos-ee', reason: 'BSL-1.1 EE, not on npm — contact captain@ankr.in' },
+  ],
+};

package/src/wire.ts

@@ -0,0 +1,145 @@
+// SPDX-License-Identifier: AGPL-3.0-only
+// Copyright (c) 2026 Capt. Anil Sharma (rocketlang). All rights reserved.
+//
+// @rocketlang/aegis-suite — wireAllToBus helper (v0.2.0)
+//
+// One-call setup that wires all 4 OSS primitive packages to a single
+// EventBus + persists to ~/.aegis/acc-events.db. The Agentic Control
+// Center (in aegis dashboard v2.2.0+) reads from the same SQLite file.
+//
+// @rule:ACC-003 — Opt-in. Without wireAllToBus, primitives behave
+//                  identically to their v0.1.0 (no emission).
+// @rule:ACC-005 — SQLite file at ~/.aegis/acc-events.db, separate from
+//                  aegis.db and turn-store.db.
+
+import { setEventBus as setAegisGuardBus } from '@rocketlang/aegis-guard';
+import { setEventBus as setChittaBus } from '@rocketlang/chitta-detect';
+import { setEventBus as setLakshmanBus } from '@rocketlang/lakshmanrekha';
+import { setEventBus as setHanumangBus } from '@rocketlang/hanumang-mandate';
+import { createDefaultBus, type InMemoryBus, type SqliteEventWriter } from './bus.js';
+
+// ── Canonical receipt + bus types ────────────────────────────────────────────
+//
+// Defined locally to avoid pulling any primitive's copy as the canonical one.
+// All 4 primitives have structurally compatible local copies; TypeScript
+// structural typing makes the wiring work.
+
+export interface AccReceipt {
+  receipt_id: string;
+  primitive: string;
+  event_type: string;
+  emitted_at: string;
+  agent_id?: string;
+  verdict?: string;
+  rules_fired?: string[];
+  summary?: string;
+  payload?: Record<string, unknown>;
+}
+
+export interface EventBus {
+  emit(receipt: AccReceipt): void;
+}
+
+// ── State ────────────────────────────────────────────────────────────────────
+
+let _busHandle: WireHandle | null = null;
+
+export interface WireHandle {
+  bus: EventBus;
+  /** Subscribe to live events. Returns an unsubscribe function. */
+  subscribe?: (fn: (r: AccReceipt) => void) => () => void;
+  /** SQLite path actually in use, or undefined if persistence disabled. */
+  sqlitePath?: string;
+  /** Total receipts written so far (cumulative across this process). */
+  receivedCount(): number;
+  /** Force WAL checkpoint so writes become visible to readers in other
+   *  processes (the aegis dashboard reads from the same file). */
+  checkpoint?: () => void;
+}
+
+export interface WireAllOpts {
+  /** Provide your own bus instead of the default in-memory + SQLite. */
+  bus?: EventBus;
+  /** Override SQLite path (default ~/.aegis/acc-events.db). */
+  sqlitePath?: string;
+  /** Set false to skip SQLite persistence (memory only). Default true. */
+  persist?: boolean;
+}
+
+// ── wireAllToBus ─────────────────────────────────────────────────────────────
+
+/**
+ * Wire all 4 OSS primitive packages (aegis-guard, chitta-detect,
+ * lakshmanrekha, hanumang-mandate) to a single event bus.
+ *
+ * Without `opts.bus`, creates a default in-memory bus that persists
+ * every event to SQLite at ~/.aegis/acc-events.db. The aegis dashboard
+ * (v2.2.0+) reads from this file to render the Agentic Control Center
+ * page at `/control-center`.
+ *
+ * Returns a handle so the caller can subscribe to live events or force
+ * WAL checkpoints for cross-process visibility.
+ */
+export function wireAllToBus(opts: WireAllOpts = {}): WireHandle {
+  if (opts.bus) {
+    // Caller supplied their own bus
+    let count = 0;
+    const userBus = opts.bus;
+    const wrappedBus: EventBus = {
+      emit: (r) => {
+        count++;
+        userBus.emit(r);
+      },
+    };
+    setAegisGuardBus(wrappedBus as unknown as Parameters<typeof setAegisGuardBus>[0]);
+    setChittaBus(wrappedBus as unknown as Parameters<typeof setChittaBus>[0]);
+    setLakshmanBus(wrappedBus as unknown as Parameters<typeof setLakshmanBus>[0]);
+    setHanumangBus(wrappedBus as unknown as Parameters<typeof setHanumangBus>[0]);
+    _busHandle = {
+      bus: wrappedBus,
+      receivedCount: () => count,
+    };
+    return _busHandle;
+  }
+
+  // Default path — in-memory bus + SQLite writer
+  const { bus, writer } = createDefaultBus({
+    sqlitePath: opts.sqlitePath,
+    persist: opts.persist !== false,
+  });
+
+  let count = 0;
+  const wrappedBus: EventBus = {
+    emit: (r) => {
+      count++;
+      bus.emit(r);
+    },
+  };
+
+  setAegisGuardBus(wrappedBus as unknown as Parameters<typeof setAegisGuardBus>[0]);
+  setChittaBus(wrappedBus as unknown as Parameters<typeof setChittaBus>[0]);
+  setLakshmanBus(wrappedBus as unknown as Parameters<typeof setLakshmanBus>[0]);
+  setHanumangBus(wrappedBus as unknown as Parameters<typeof setHanumangBus>[0]);
+
+  _busHandle = {
+    bus: wrappedBus,
+    subscribe: (fn) => (bus as InMemoryBus).subscribe(fn),
+    sqlitePath: writer?.path,
+    receivedCount: () => count,
+    checkpoint: writer ? () => (writer as SqliteEventWriter).checkpoint() : undefined,
+  };
+  return _busHandle;
+}
+
+/** Detach the bus from all 4 primitives. Primitives revert to v0.1.0 behaviour. */
+export function unwireAll(): void {
+  setAegisGuardBus(null);
+  setChittaBus(null);
+  setLakshmanBus(null);
+  setHanumangBus(null);
+  _busHandle = null;
+}
+
+export function getWiredHandle(): WireHandle | null {
+  return _busHandle;
+}