agentfootprint 6.9.0 → 6.11.0

package/dist/types/events/registry.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"registry.d.ts","sourceRoot":"","sources":["../../../src/events/registry.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,KAAK,EAAE,2BAA2B,EAAE,MAAM,YAAY,CAAC;AAC9D,OAAO,KAAK,EACV,mBAAmB,EACnB,wBAAwB,EACxB,0BAA0B,EAC1B,wBAAwB,EACxB,mBAAmB,EACnB,qBAAqB,EACrB,uBAAuB,EACvB,sBAAsB,EACtB,8BAA8B,EAC9B,4BAA4B,EAC5B,uBAAuB,EACvB,qBAAqB,EACrB,sBAAsB,EACtB,0BAA0B,EAC1B,mBAAmB,EACnB,eAAe,EACf,yBAAyB,EACzB,iBAAiB,EACjB,qBAAqB,EACrB,mBAAmB,EACnB,gBAAgB,EAChB,2BAA2B,EAC3B,wCAAwC,EACxC,+BAA+B,EAC/B,0BAA0B,EAC1B,wBAAwB,EACxB,wBAAwB,EACxB,aAAa,EACb,eAAe,EACf,eAAe,EACf,wBAAwB,EACxB,yBAAyB,EACzB,qBAAqB,EACrB,qBAAqB,EACrB,4BAA4B,EAC5B,oBAAoB,EACpB,6BAA6B,EAC7B,wBAAwB,EACxB,uBAAuB,EACvB,mBAAmB,EACnB,kBAAkB,EAClB,sBAAsB,EACtB,2BAA2B,EAC3B,qBAAqB,EACrB,2BAA2B,EAC3B,0BAA0B,EAC1B,yBAAyB,EACzB,2BAA2B,EAC3B,kBAAkB,EAClB,qBAAqB,EACrB,uBAAuB,EACvB,cAAc,EACd,qBAAqB,EACrB,uBAAuB,EACvB,4BAA4B,EAC5B,8BAA8B,EAC9B,2BAA2B,EAC3B,mBAAmB,EACnB,gBAAgB,EACjB,MAAM,eAAe,CAAC;AAKvB,eAAO,MAAM,WAAW;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA4Fd,CAAC;AAKX,MAAM,WAAW,sBAAsB;IAErC,kCAAkC,EAAE,2BAA2B,CAC7D,kCAAkC,EAClC,uBAAuB,CACxB,CAAC;IACF,iCAAiC,EAAE,2BAA2B,CAC5D,iCAAiC,EACjC,sBAAsB,CACvB,CAAC;IACF,uCAAuC,EAAE,2BAA2B,CAClE,uCAAuC,EACvC,wBAAwB,CACzB,CAAC;IACF,4CAA4C,EAAE,2BAA2B,CACvE,4CAA4C,EAC5C,6BAA6B,CAC9B,CAAC;IACF,sCAAsC,EAAE,2BAA2B,CACjE,sCAAsC,EACtC,uBAAuB,CACxB,CAAC;IACF,0CAA0C,EAAE,2BAA2B,CACrE,0CAA0C,EAC1C,8BAA8B,CAC/B,CAAC;IACF,4CAA4C,EAAE,2BAA2B,CACvE,4CAA4C,EAC5C,yBAAyB,CAC1B,CAAC;IACF,2CAA2C,EAAE,2BAA2B,CACtE,2CAA2C,EAC3C,wBAAwB,CACzB,CAAC;IAEF,iCAAiC,EAAE,2BAA2B,CAC5D,iCAAiC,EACjC,qBAAqB,CACtB,CAAC;IACF,+BAA+B,EAAE,2BAA2B,CAC1D,+BAA+B,EAC/B,mBAAmB,CACpB,CAAC;IACF,sCAAsC,EAAE,2BAA2B,CACjE,sCAAsC,EACtC,0BAA0B,CAC3B,CAAC;IACF,oCAAoC,EAAE,2BAA2B,CAC/D,oCAAoC,EACpC,wBAAwB,CACzB,CAAC;IACF,oCAAoC,EAAE,2BAA2B,CAC/D,oCAAoC,EACpC,wBAAwB,CACzB,CAAC;IACF,8BAA8B,EAAE,2BAA2B,CACzD,8BAA8B,EAC9B,mBAAmB,CACpB,CAAC;IACF,sDAAsD,EAAE,2BAA2B,CACjF,sDAAsD,EACtD,wCAAwC,CACzC,CAAC;IACF,4CAA4C,EAAE,2BAA2B,CACvE,4CAA4C,EAC5C,+BAA+B,CAChC,CAAC;IAEF,iCAAiC,EAAE,2BAA2B,CAC5D,iCAAiC,EACjC,eAAe,CAChB,CAAC;IACF,+BAA+B,EAAE,2BAA2B,CAC1D,+BAA+B,EAC/B,aAAa,CACd,CAAC;IACF,6BAA6B,EAAE,2BAA2B,CACxD,6BAA6B,EAC7B,eAAe,CAChB,CAAC;IACF,kCAAkC,EAAE,2BAA2B,CAC7D,kCAAkC,EAClC,gBAAgB,CACjB,CAAC;IACF,gCAAgC,EAAE,2BAA2B,CAC3D,gCAAgC,EAChC,cAAc,CACf,CAAC;IACF,sCAAsC,EAAE,2BAA2B,CACjE,sCAAsC,EACtC,0BAA0B,CAC3B,CAAC;IACF,oCAAoC,EAAE,2BAA2B,CAC/D,oCAAoC,EACpC,wBAAwB,CACzB,CAAC;IAEF,iCAAiC,EAAE,2BAA2B,CAC5D,iCAAiC,EACjC,sBAAsB,CACvB,CAAC;IACF,gCAAgC,EAAE,2BAA2B,CAC3D,gCAAgC,EAChC,qBAAqB,CACtB,CAAC;IACF,sCAAsC,EAAE,2BAA2B,CACjE,sCAAsC,EACtC,0BAA0B,CAC3B,CAAC;IACF,wCAAwC,EAAE,2BAA2B,CACnE,wCAAwC,EACxC,4BAA4B,CAC7B,CAAC;IACF,kCAAkC,EAAE,2BAA2B,CAC7D,kCAAkC,EAClC,uBAAuB,CACxB,CAAC;IAEF,wCAAwC,EAAE,2BAA2B,CACnE,wCAAwC,EACxC,4BAA4B,CAC7B,CAAC;IACF,gCAAgC,EAAE,2BAA2B,CAC3D,gCAAgC,EAChC,qBAAqB,CACtB,CAAC;IACF,gCAAgC,EAAE,2BAA2B,CAC3D,gCAAgC,EAChC,qBAAqB,CACtB,CAAC;IACF,+BAA+B,EAAE,2BAA2B,CAC1D,+BAA+B,EAC/B,oBAAoB,CACrB,CAAC;IAEF,8BAA8B,EAAE,2BAA2B,CACzD,8BAA8B,EAC9B,mBAAmB,CACpB,CAAC;IACF,gCAAgC,EAAE,2BAA2B,CAC3D,gCAAgC,EAChC,qBAAqB,CACtB,CAAC;IACF,kCAAkC,EAAE,2BAA2B,CAC7D,kCAAkC,EAClC,uBAAuB,CACxB,CAAC;IACF,wCAAwC,EAAE,2BAA2B,CACnE,wCAAwC,EACxC,4BAA4B,CAC7B,CAAC;IACF,0CAA0C,EAAE,2BAA2B,CACrE,0CAA0C,EAC1C,8BAA8B,CAC/B,CAAC;IACF,uCAAuC,EAAE,2BAA2B,CAClE,uCAAuC,EACvC,2BAA2B,CAC5B,CAAC;IAEF,gCAAgC,EAAE,2BAA2B,CAC3D,gCAAgC,EAChC,qBAAqB,CACtB,CAAC;IACF,kCAAkC,EAAE,2BAA2B,CAC7D,kCAAkC,EAClC,uBAAuB,CACxB,CAAC;IAEF,iCAAiC,EAAE,2BAA2B,CAC5D,iCAAiC,EACjC,sBAAsB,CACvB,CAAC;IACF,uCAAuC,EAAE,2BAA2B,CAClE,uCAAuC,EACvC,2BAA2B,CAC5B,CAAC;IACF,uCAAuC,EAAE,2BAA2B,CAClE,uCAAuC,EACvC,2BAA2B,CAC5B,CAAC;IACF,gCAAgC,EAAE,2BAA2B,CAC3D,gCAAgC,EAChC,qBAAqB,CACtB,CAAC;IAEF,6BAA6B,EAAE,2BAA2B,CACxD,6BAA6B,EAC7B,kBAAkB,CACnB,CAAC;IACF,mCAAmC,EAAE,2BAA2B,CAC9D,mCAAmC,EACnC,wBAAwB,CACzB,CAAC;IAEF,0BAA0B,EAAE,2BAA2B,CACrD,0BAA0B,EAC1B,eAAe,CAChB,CAAC;IACF,+BAA+B,EAAE,2BAA2B,CAC1D,+BAA+B,EAC/B,mBAAmB,CACpB,CAAC;IAEF,2BAA2B,EAAE,2BAA2B,CACtD,2BAA2B,EAC3B,gBAAgB,CACjB,CAAC;IACF,uCAAuC,EAAE,2BAA2B,CAClE,uCAAuC,EACvC,2BAA2B,CAC5B,CAAC;IAEF,8BAA8B,EAAE,2BAA2B,CACzD,8BAA8B,EAC9B,mBAAmB,CACpB,CAAC;IACF,gCAAgC,EAAE,2BAA2B,CAC3D,gCAAgC,EAChC,qBAAqB,CACtB,CAAC;IACF,4BAA4B,EAAE,2BAA2B,CACvD,4BAA4B,EAC5B,iBAAiB,CAClB,CAAC;IAEF,sCAAsC,EAAE,2BAA2B,CACjE,sCAAsC,EACtC,0BAA0B,CAC3B,CAAC;IACF,oCAAoC,EAAE,2BAA2B,CAC/D,oCAAoC,EACpC,yBAAyB,CAC1B,CAAC;IACF,sCAAsC,EAAE,2BAA2B,CACjE,sCAAsC,EACtC,2BAA2B,CAC5B,CAAC;IAEF,8BAA8B,EAAE,2BAA2B,CACzD,8BAA8B,EAC9B,mBAAmB,CACpB,CAAC;IACF,6BAA6B,EAAE,2BAA2B,CACxD,6BAA6B,EAC7B,kBAAkB,CACnB,CAAC;IAEF,oCAAoC,EAAE,2BAA2B,CAC/D,oCAAoC,EACpC,yBAAyB,CAC1B,CAAC;CACH;AAED,8EAA8E;AAC9E,MAAM,MAAM,mBAAmB,GAAG,sBAAsB,CAAC,MAAM,sBAAsB,CAAC,CAAC;AAEvF,yEAAyE;AACzE,MAAM,MAAM,uBAAuB,GAAG,MAAM,sBAAsB,CAAC;AAEnE;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,SAAS,uBAAuB,EA4DpD,CAAC"}
+{"version":3,"file":"registry.d.ts","sourceRoot":"","sources":["../../../src/events/registry.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,KAAK,EAAE,2BAA2B,EAAE,MAAM,YAAY,CAAC;AAC9D,OAAO,KAAK,EACV,mBAAmB,EACnB,wBAAwB,EACxB,0BAA0B,EAC1B,wBAAwB,EACxB,mBAAmB,EACnB,qBAAqB,EACrB,uBAAuB,EACvB,sBAAsB,EACtB,8BAA8B,EAC9B,4BAA4B,EAC5B,uBAAuB,EACvB,qBAAqB,EACrB,sBAAsB,EACtB,0BAA0B,EAC1B,mBAAmB,EACnB,eAAe,EACf,yBAAyB,EACzB,iBAAiB,EACjB,qBAAqB,EACrB,mBAAmB,EACnB,gBAAgB,EAChB,2BAA2B,EAC3B,wCAAwC,EACxC,+BAA+B,EAC/B,0BAA0B,EAC1B,wBAAwB,EACxB,wBAAwB,EACxB,aAAa,EACb,eAAe,EACf,eAAe,EACf,wBAAwB,EACxB,yBAAyB,EACzB,qBAAqB,EACrB,qBAAqB,EACrB,4BAA4B,EAC5B,oBAAoB,EACpB,6BAA6B,EAC7B,wBAAwB,EACxB,uBAAuB,EACvB,mBAAmB,EACnB,kBAAkB,EAClB,sBAAsB,EACtB,2BAA2B,EAC3B,qBAAqB,EACrB,2BAA2B,EAC3B,0BAA0B,EAC1B,yBAAyB,EACzB,sCAAsC,EACtC,uBAAuB,EACvB,0BAA0B,EAC1B,yBAAyB,EACzB,2BAA2B,EAC3B,kBAAkB,EAClB,qBAAqB,EACrB,uBAAuB,EACvB,cAAc,EACd,qBAAqB,EACrB,uBAAuB,EACvB,4BAA4B,EAC5B,8BAA8B,EAC9B,2BAA2B,EAC3B,mBAAmB,EACnB,gBAAgB,EACjB,MAAM,eAAe,CAAC;AAKvB,eAAO,MAAM,WAAW;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAkGd,CAAC;AAKX,MAAM,WAAW,sBAAsB;IAErC,kCAAkC,EAAE,2BAA2B,CAC7D,kCAAkC,EAClC,uBAAuB,CACxB,CAAC;IACF,iCAAiC,EAAE,2BAA2B,CAC5D,iCAAiC,EACjC,sBAAsB,CACvB,CAAC;IACF,uCAAuC,EAAE,2BAA2B,CAClE,uCAAuC,EACvC,wBAAwB,CACzB,CAAC;IACF,4CAA4C,EAAE,2BAA2B,CACvE,4CAA4C,EAC5C,6BAA6B,CAC9B,CAAC;IACF,sCAAsC,EAAE,2BAA2B,CACjE,sCAAsC,EACtC,uBAAuB,CACxB,CAAC;IACF,0CAA0C,EAAE,2BAA2B,CACrE,0CAA0C,EAC1C,8BAA8B,CAC/B,CAAC;IACF,4CAA4C,EAAE,2BAA2B,CACvE,4CAA4C,EAC5C,yBAAyB,CAC1B,CAAC;IACF,2CAA2C,EAAE,2BAA2B,CACtE,2CAA2C,EAC3C,wBAAwB,CACzB,CAAC;IAEF,iCAAiC,EAAE,2BAA2B,CAC5D,iCAAiC,EACjC,qBAAqB,CACtB,CAAC;IACF,+BAA+B,EAAE,2BAA2B,CAC1D,+BAA+B,EAC/B,mBAAmB,CACpB,CAAC;IACF,sCAAsC,EAAE,2BAA2B,CACjE,sCAAsC,EACtC,0BAA0B,CAC3B,CAAC;IACF,oCAAoC,EAAE,2BAA2B,CAC/D,oCAAoC,EACpC,wBAAwB,CACzB,CAAC;IACF,oCAAoC,EAAE,2BAA2B,CAC/D,oCAAoC,EACpC,wBAAwB,CACzB,CAAC;IACF,8BAA8B,EAAE,2BAA2B,CACzD,8BAA8B,EAC9B,mBAAmB,CACpB,CAAC;IACF,sDAAsD,EAAE,2BAA2B,CACjF,sDAAsD,EACtD,wCAAwC,CACzC,CAAC;IACF,4CAA4C,EAAE,2BAA2B,CACvE,4CAA4C,EAC5C,+BAA+B,CAChC,CAAC;IAEF,iCAAiC,EAAE,2BAA2B,CAC5D,iCAAiC,EACjC,eAAe,CAChB,CAAC;IACF,+BAA+B,EAAE,2BAA2B,CAC1D,+BAA+B,EAC/B,aAAa,CACd,CAAC;IACF,6BAA6B,EAAE,2BAA2B,CACxD,6BAA6B,EAC7B,eAAe,CAChB,CAAC;IACF,kCAAkC,EAAE,2BAA2B,CAC7D,kCAAkC,EAClC,gBAAgB,CACjB,CAAC;IACF,gCAAgC,EAAE,2BAA2B,CAC3D,gCAAgC,EAChC,cAAc,CACf,CAAC;IACF,sCAAsC,EAAE,2BAA2B,CACjE,sCAAsC,EACtC,0BAA0B,CAC3B,CAAC;IACF,oCAAoC,EAAE,2BAA2B,CAC/D,oCAAoC,EACpC,wBAAwB,CACzB,CAAC;IAEF,iCAAiC,EAAE,2BAA2B,CAC5D,iCAAiC,EACjC,sBAAsB,CACvB,CAAC;IACF,gCAAgC,EAAE,2BAA2B,CAC3D,gCAAgC,EAChC,qBAAqB,CACtB,CAAC;IACF,sCAAsC,EAAE,2BAA2B,CACjE,sCAAsC,EACtC,0BAA0B,CAC3B,CAAC;IACF,wCAAwC,EAAE,2BAA2B,CACnE,wCAAwC,EACxC,4BAA4B,CAC7B,CAAC;IACF,kCAAkC,EAAE,2BAA2B,CAC7D,kCAAkC,EAClC,uBAAuB,CACxB,CAAC;IAEF,wCAAwC,EAAE,2BAA2B,CACnE,wCAAwC,EACxC,4BAA4B,CAC7B,CAAC;IACF,gCAAgC,EAAE,2BAA2B,CAC3D,gCAAgC,EAChC,qBAAqB,CACtB,CAAC;IACF,gCAAgC,EAAE,2BAA2B,CAC3D,gCAAgC,EAChC,qBAAqB,CACtB,CAAC;IACF,+BAA+B,EAAE,2BAA2B,CAC1D,+BAA+B,EAC/B,oBAAoB,CACrB,CAAC;IAEF,8BAA8B,EAAE,2BAA2B,CACzD,8BAA8B,EAC9B,mBAAmB,CACpB,CAAC;IACF,gCAAgC,EAAE,2BAA2B,CAC3D,gCAAgC,EAChC,qBAAqB,CACtB,CAAC;IACF,kCAAkC,EAAE,2BAA2B,CAC7D,kCAAkC,EAClC,uBAAuB,CACxB,CAAC;IACF,wCAAwC,EAAE,2BAA2B,CACnE,wCAAwC,EACxC,4BAA4B,CAC7B,CAAC;IACF,0CAA0C,EAAE,2BAA2B,CACrE,0CAA0C,EAC1C,8BAA8B,CAC/B,CAAC;IACF,uCAAuC,EAAE,2BAA2B,CAClE,uCAAuC,EACvC,2BAA2B,CAC5B,CAAC;IAEF,gCAAgC,EAAE,2BAA2B,CAC3D,gCAAgC,EAChC,qBAAqB,CACtB,CAAC;IACF,kCAAkC,EAAE,2BAA2B,CAC7D,kCAAkC,EAClC,uBAAuB,CACxB,CAAC;IAEF,iCAAiC,EAAE,2BAA2B,CAC5D,iCAAiC,EACjC,sBAAsB,CACvB,CAAC;IACF,uCAAuC,EAAE,2BAA2B,CAClE,uCAAuC,EACvC,2BAA2B,CAC5B,CAAC;IACF,uCAAuC,EAAE,2BAA2B,CAClE,uCAAuC,EACvC,2BAA2B,CAC5B,CAAC;IACF,gCAAgC,EAAE,2BAA2B,CAC3D,gCAAgC,EAChC,qBAAqB,CACtB,CAAC;IAEF,qCAAqC,EAAE,2BAA2B,CAChE,qCAAqC,EACrC,0BAA0B,CAC3B,CAAC;IACF,oCAAoC,EAAE,2BAA2B,CAC/D,oCAAoC,EACpC,yBAAyB,CAC1B,CAAC;IACF,kDAAkD,EAAE,2BAA2B,CAC7E,kDAAkD,EAClD,sCAAsC,CACvC,CAAC;IACF,kCAAkC,EAAE,2BAA2B,CAC7D,kCAAkC,EAClC,uBAAuB,CACxB,CAAC;IAEF,6BAA6B,EAAE,2BAA2B,CACxD,6BAA6B,EAC7B,kBAAkB,CACnB,CAAC;IACF,mCAAmC,EAAE,2BAA2B,CAC9D,mCAAmC,EACnC,wBAAwB,CACzB,CAAC;IAEF,0BAA0B,EAAE,2BAA2B,CACrD,0BAA0B,EAC1B,eAAe,CAChB,CAAC;IACF,+BAA+B,EAAE,2BAA2B,CAC1D,+BAA+B,EAC/B,mBAAmB,CACpB,CAAC;IAEF,2BAA2B,EAAE,2BAA2B,CACtD,2BAA2B,EAC3B,gBAAgB,CACjB,CAAC;IACF,uCAAuC,EAAE,2BAA2B,CAClE,uCAAuC,EACvC,2BAA2B,CAC5B,CAAC;IAEF,8BAA8B,EAAE,2BAA2B,CACzD,8BAA8B,EAC9B,mBAAmB,CACpB,CAAC;IACF,gCAAgC,EAAE,2BAA2B,CAC3D,gCAAgC,EAChC,qBAAqB,CACtB,CAAC;IACF,4BAA4B,EAAE,2BAA2B,CACvD,4BAA4B,EAC5B,iBAAiB,CAClB,CAAC;IAEF,sCAAsC,EAAE,2BAA2B,CACjE,sCAAsC,EACtC,0BAA0B,CAC3B,CAAC;IACF,oCAAoC,EAAE,2BAA2B,CAC/D,oCAAoC,EACpC,yBAAyB,CAC1B,CAAC;IACF,sCAAsC,EAAE,2BAA2B,CACjE,sCAAsC,EACtC,2BAA2B,CAC5B,CAAC;IAEF,8BAA8B,EAAE,2BAA2B,CACzD,8BAA8B,EAC9B,mBAAmB,CACpB,CAAC;IACF,6BAA6B,EAAE,2BAA2B,CACxD,6BAA6B,EAC7B,kBAAkB,CACnB,CAAC;IAEF,oCAAoC,EAAE,2BAA2B,CAC/D,oCAAoC,EACpC,yBAAyB,CAC1B,CAAC;CACH;AAED,8EAA8E;AAC9E,MAAM,MAAM,mBAAmB,GAAG,sBAAsB,CAAC,MAAM,sBAAsB,CAAC,CAAC;AAEvF,yEAAyE;AACzE,MAAM,MAAM,uBAAuB,GAAG,MAAM,sBAAsB,CAAC;AAEnE;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,SAAS,uBAAuB,EAgEpD,CAAC"}

package/dist/types/identity/kinds.d.ts

@@ -0,0 +1,37 @@
+/**
+ * Built-in credential kinds — small strategies implementing the {@link Credential}
+ * protocol. Each is a factory returning `{ kind, ...rawFields, toHeaders() }`.
+ *
+ * The framework + tools only ever call `cred.toHeaders()` (generic — no `kind`
+ * switching); the raw fields are there for the rare non-HTTP case. A custom kind
+ * is any object implementing `Credential` — no library change needed.
+ */
+import type { Credential } from './types.js';
+export interface BearerCredential extends Credential {
+    readonly kind: 'bearer';
+    readonly token: string;
+}
+/** OAuth / bearer token → `Authorization: Bearer <token>`. */
+export declare function bearer(token: string): BearerCredential;
+export interface ApiKeyCredential extends Credential {
+    readonly kind: 'apiKey';
+    readonly key: string;
+    readonly headerName: string;
+}
+/** API key → a single header (default `x-api-key`). */
+export declare function apiKey(key: string, headerName?: string): ApiKeyCredential;
+export interface BasicCredential extends Credential {
+    readonly kind: 'basic';
+    readonly username: string;
+    readonly password: string;
+}
+/** HTTP Basic auth → `Authorization: Basic base64(user:pass)`. */
+export declare function basic(username: string, password: string): BasicCredential;
+export interface HeadersCredential extends Credential {
+    readonly kind: 'headers';
+    readonly headers: Readonly<Record<string, string>>;
+}
+/** The universal escape: arbitrary auth headers. Any scheme reduces to this, so
+ *  a provider with no matching typed kind can always return `headers(...)`. */
+export declare function headers(map: Readonly<Record<string, string>>): HeadersCredential;
+//# sourceMappingURL=kinds.d.ts.map

package/dist/types/identity/kinds.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"kinds.d.ts","sourceRoot":"","sources":["../../../src/identity/kinds.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAgC7C,MAAM,WAAW,gBAAiB,SAAQ,UAAU;IAClD,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC;IACxB,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;CACxB;AACD,8DAA8D;AAC9D,wBAAgB,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,gBAAgB,CAKtD;AAED,MAAM,WAAW,gBAAiB,SAAQ,UAAU;IAClD,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC;IACxB,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;CAC7B;AACD,uDAAuD;AACvD,wBAAgB,MAAM,CAAC,GAAG,EAAE,MAAM,EAAE,UAAU,SAAc,GAAG,gBAAgB,CAK9E;AAED,MAAM,WAAW,eAAgB,SAAQ,UAAU;IACjD,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAC;IACvB,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;CAC3B;AACD,kEAAkE;AAClE,wBAAgB,KAAK,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,eAAe,CAWzE;AAED,MAAM,WAAW,iBAAkB,SAAQ,UAAU;IACnD,QAAQ,CAAC,IAAI,EAAE,SAAS,CAAC;IACzB,QAAQ,CAAC,OAAO,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;CACpD;AACD;+EAC+E;AAC/E,wBAAgB,OAAO,CAAC,GAAG,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,GAAG,iBAAiB,CAMhF"}

package/dist/types/identity/staticTokens.d.ts

@@ -0,0 +1,29 @@
+/**
+ * staticTokens — a dev/test {@link CredentialProvider} backed by canned credentials.
+ *
+ * No network, no SDK. Use it to develop tools that need credentials without
+ * standing up AgentCore Identity (or any IdP). Production swaps it for
+ * `agentCoreIdentity()` — the tool code never changes.
+ *
+ *   // a plain string is treated as a bearer token (the common case):
+ *   const credentials = staticTokens({ github: 'ghp_dev_xxx' });
+ *   // …or give an explicit kind:
+ *   const credentials = staticTokens({ internal: apiKey('k', 'x-internal-key') });
+ *
+ *   const r = await credentials.getCredential({ service: 'github' });
+ *   if (isCredentialIssued(r)) callGithub({ headers: r.credential.toHeaders() });
+ */
+import type { Credential, CredentialProvider } from './types.js';
+export interface StaticTokensOptions {
+    /** Optional id (defaults to 'static-tokens'). */
+    readonly id?: string;
+    /** Optional fixed expiry (unix seconds) applied to every credential. */
+    readonly expiresAt?: number;
+}
+/**
+ * Build a {@link CredentialProvider} from a `service → credential` map. A plain
+ * string value is treated as a bearer token; a {@link Credential} is used as-is.
+ * Always 2-legged (issues directly); throws if a requested service has none.
+ */
+export declare function staticTokens(creds: Readonly<Record<string, string | Credential>>, options?: StaticTokensOptions): CredentialProvider;
+//# sourceMappingURL=staticTokens.d.ts.map

package/dist/types/identity/staticTokens.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"staticTokens.d.ts","sourceRoot":"","sources":["../../../src/identity/staticTokens.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,kBAAkB,EAAoB,MAAM,YAAY,CAAC;AAGnF,MAAM,WAAW,mBAAmB;IAClC,iDAAiD;IACjD,QAAQ,CAAC,EAAE,CAAC,EAAE,MAAM,CAAC;IACrB,wEAAwE;IACxE,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;CAC7B;AAED;;;;GAIG;AACH,wBAAgB,YAAY,CAC1B,KAAK,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,UAAU,CAAC,CAAC,EACpD,OAAO,GAAE,mBAAwB,GAChC,kBAAkB,CAqBpB"}

package/dist/types/identity/types.d.ts

@@ -0,0 +1,114 @@
+/**
+ * agentfootprint/identity — the CredentialProvider port.
+ *
+ * OUTBOUND auth: vend a credential/token so a tool can call a downstream service
+ * (GitHub, Slack, Google…) on behalf of the agent or the end user. This is
+ * DISTINCT from `agentfootprint/security` (authorization — "is this tool
+ * allowed"); identity answers "get me a token to call X".
+ *
+ * Pattern: Port (Hexagonal). Vendors plug in as adapters:
+ *   - `agentCoreIdentity()` — AWS Bedrock AgentCore Identity (token vault + OAuth)
+ *   - `staticTokens()`      — dev/test (canned tokens, no network)
+ *
+ * Two flows, mirroring OAuth (and AgentCore's `M2M` vs `USER_FEDERATION`):
+ *   - `mode: 'machine'` (2-legged) — client-credentials; returns a token directly.
+ *   - `mode: 'user'`    (3-legged) — user-delegated; may need consent. When it
+ *     does, the provider returns `authorization-required` with a URL; the agent
+ *     surfaces it to the human (e.g. via pause/resume) and retries after consent.
+ *     (Most calls skip consent — providers cache refresh tokens.)
+ *
+ * **Security invariant:** a vended token is a SECRET. Callers MUST use it locally
+ * (e.g. as an HTTP header inside a tool's `execute`) and MUST NOT write it to
+ * tracked scope (`setValue`) — tracked writes flow to the commit log, recorders,
+ * and observability exporters, which would leak the token into the trace. Pair
+ * with `RedactionPolicy` for defence in depth.
+ */
+/** What a tool/agent asks for. `service` ↔ the provider's downstream service id. */
+export interface CredentialRequest {
+    /** Downstream service id, e.g. 'github', 'slack', 'google'. */
+    readonly service: string;
+    /** OAuth scopes to request. */
+    readonly scopes?: readonly string[];
+    /** `machine` = 2-legged (M2M); `user` = 3-legged (on behalf of a user). Default `machine`. */
+    readonly mode?: 'machine' | 'user';
+    /** The principal/tenant the token is for (the agent + end-user identity). */
+    readonly identity?: {
+        readonly principal?: string;
+        readonly tenant?: string;
+    };
+    /** Force a fresh authorization, bypassing any cached/refresh token. */
+    readonly forceReauth?: boolean;
+}
+/**
+ * A credential, ready to apply to a downstream request. It carries its `kind`
+ * (so you can read the raw value when you must) AND a **universal applicator**
+ * `toHeaders()` — the way to USE it without switching on `kind`. Built-in kinds
+ * (`bearer`/`apiKey`/`basic`/`headers`) live in `./kinds`; a custom kind is any
+ * object implementing this protocol — so new credential types plug in with no
+ * library change.
+ *
+ * **SECRET.** Use it locally (e.g. `headers: cred.toHeaders()`) inside a tool;
+ * never write it to tracked scope. It is a live object (carries `toHeaders`),
+ * so it is intentionally NOT serializable — credentials are used immediately
+ * and never persisted/traced.
+ */
+export interface Credential {
+    /** Discriminator: 'bearer' | 'apiKey' | 'basic' | 'headers' | <your kind>. */
+    readonly kind: string;
+    /** The auth header(s) to add to a downstream HTTP request. Universal across kinds. */
+    toHeaders(): Record<string, string>;
+}
+/** The provider issued a credential (the 2-legged / refreshed-3-legged happy path). */
+export interface CredentialIssued {
+    readonly status: 'issued';
+    readonly credential: Credential;
+    /** Unix seconds when it expires, if known. */
+    readonly expiresAt?: number;
+}
+/** 3-legged consent is required: surface `authorizationUrl` to the user, then
+ *  retry `getCredential` after they authorize (`sessionId` correlates the flow). */
+export interface CredentialAuthorizationRequired {
+    readonly status: 'authorization-required';
+    readonly authorizationUrl: string;
+    readonly sessionId: string;
+}
+export type CredentialResult = CredentialIssued | CredentialAuthorizationRequired;
+/**
+ * The port. An adapter implements this against a specific identity backend.
+ *
+ * **Security contract for implementers:** a thrown error's `message` is surfaced
+ * to the LLM (as the tool result) AND emitted on `agentfootprint.credential.failed`
+ * — so a provider MUST NOT include the secret/token (or an `Authorization` header)
+ * in thrown error messages. (Some OAuth/HTTP SDKs echo request details into 401/403
+ * text — scrub those before throwing.) Defence in depth: consumers can also apply
+ * footprintjs `RedactionPolicy.emitPatterns: [/credential\.failed/]`.
+ */
+export interface CredentialProvider {
+    /** Stable id (for logging / "which provider vended this"). */
+    readonly id: string;
+    getCredential(req: CredentialRequest): Promise<CredentialResult>;
+}
+/** Narrow a {@link CredentialResult} to the issued-credential branch. */
+export declare function isCredentialIssued(r: CredentialResult): r is CredentialIssued;
+/**
+ * What a tool DECLARES it needs (declare-and-push). The framework resolves this
+ * with the attached provider BEFORE invoking the tool, and injects the result as
+ * `ctx.credential`. `credential` is the service id the provider understands.
+ */
+export interface CredentialNeed {
+    readonly credential: string;
+    readonly scopes?: readonly string[];
+    /** `machine` = 2-legged/M2M; `user` = 3-legged on-behalf-of-user (consent).
+     *  **Omitted → `machine`** — declare `mode: 'user'` explicitly for delegated
+     *  access, or you'll silently get a machine token. */
+    readonly mode?: 'machine' | 'user';
+}
+/**
+ * A fail-closed {@link CredentialProvider} used when none is attached. Every call
+ * throws loudly — so `ctx.credentials` is never `undefined` (no silent
+ * optional-chaining bypass), and a tool that needs a credential without one
+ * configured fails LOUD, not open. Use `ctx.hasCredentials` to branch when a tool
+ * intentionally supports a no-credential (degraded) mode.
+ */
+export declare function unconfiguredCredentialProvider(): CredentialProvider;
+//# sourceMappingURL=types.d.ts.map

package/dist/types/identity/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/identity/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAEH,oFAAoF;AACpF,MAAM,WAAW,iBAAiB;IAChC,+DAA+D;IAC/D,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,+BAA+B;IAC/B,QAAQ,CAAC,MAAM,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACpC,8FAA8F;IAC9F,QAAQ,CAAC,IAAI,CAAC,EAAE,SAAS,GAAG,MAAM,CAAC;IACnC,6EAA6E;IAC7E,QAAQ,CAAC,QAAQ,CAAC,EAAE;QAAE,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IAC9E,uEAAuE;IACvE,QAAQ,CAAC,WAAW,CAAC,EAAE,OAAO,CAAC;CAChC;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,WAAW,UAAU;IACzB,8EAA8E;IAC9E,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,sFAAsF;IACtF,SAAS,IAAI,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACrC;AAED,uFAAuF;AACvF,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,CAAC,MAAM,EAAE,QAAQ,CAAC;IAC1B,QAAQ,CAAC,UAAU,EAAE,UAAU,CAAC;IAChC,8CAA8C;IAC9C,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;CAC7B;AAED;oFACoF;AACpF,MAAM,WAAW,+BAA+B;IAC9C,QAAQ,CAAC,MAAM,EAAE,wBAAwB,CAAC;IAC1C,QAAQ,CAAC,gBAAgB,EAAE,MAAM,CAAC;IAClC,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;CAC5B;AAED,MAAM,MAAM,gBAAgB,GAAG,gBAAgB,GAAG,+BAA+B,CAAC;AAElF;;;;;;;;;GASG;AACH,MAAM,WAAW,kBAAkB;IACjC,8DAA8D;IAC9D,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB,aAAa,CAAC,GAAG,EAAE,iBAAiB,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAAC;CAClE;AAED,yEAAyE;AACzE,wBAAgB,kBAAkB,CAAC,CAAC,EAAE,gBAAgB,GAAG,CAAC,IAAI,gBAAgB,CAE7E;AAED;;;;GAIG;AACH,MAAM,WAAW,cAAc;IAC7B,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,MAAM,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACpC;;0DAEsD;IACtD,QAAQ,CAAC,IAAI,CAAC,EAAE,SAAS,GAAG,MAAM,CAAC;CACpC;AAED;;;;;;GAMG;AACH,wBAAgB,8BAA8B,IAAI,kBAAkB,CAanE"}

package/dist/types/identity.d.ts

@@ -0,0 +1,31 @@
+/**
+ * agentfootprint/identity — outbound credential vending for agent tools.
+ *
+ * The {@link CredentialProvider} port + adapters. A tool calls
+ * `provider.getCredential({ service })` to get a token for a downstream service;
+ * `agentCoreIdentity()` backs it with AWS Bedrock AgentCore Identity, or
+ * `staticTokens()` for dev/test.
+ *
+ * SECURITY: a vended token is a secret — use it locally inside a tool's
+ * `execute` (e.g. an HTTP header); never write it to tracked scope. See
+ * `./identity/types` for the full invariant.
+ *
+ * @example
+ * ```ts
+ * import { agentCoreIdentity } from 'agentfootprint/identity';
+ *
+ * const credentials = agentCoreIdentity({ region: 'us-east-1' });
+ * const r = await credentials.getCredential({ service: 'github', mode: 'user', scopes: ['repo'] });
+ * if (r.status === 'authorization-required') {
+ *   // surface r.authorizationUrl to the user (e.g. pause the run), then retry.
+ * } else {
+ *   callGitHub({ headers: r.credential.toHeaders() }); // universal applicator
+ * }
+ * ```
+ */
+export type { Credential, CredentialProvider, CredentialRequest, CredentialResult, CredentialIssued, CredentialAuthorizationRequired, CredentialNeed, } from './identity/types.js';
+export { isCredentialIssued, unconfiguredCredentialProvider } from './identity/types.js';
+export { bearer, apiKey, basic, headers, type BearerCredential, type ApiKeyCredential, type BasicCredential, type HeadersCredential, } from './identity/kinds.js';
+export { staticTokens, type StaticTokensOptions } from './identity/staticTokens.js';
+export { agentCoreIdentity, type AgentCoreIdentityOptions, type AgentCoreIdentityClientLike, type AgentCoreOauthResponse, } from './adapters/identity/agentcore.js';
+//# sourceMappingURL=identity.d.ts.map

package/dist/types/identity.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"identity.d.ts","sourceRoot":"","sources":["../../src/identity.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAEH,YAAY,EACV,UAAU,EACV,kBAAkB,EAClB,iBAAiB,EACjB,gBAAgB,EAChB,gBAAgB,EAChB,+BAA+B,EAC/B,cAAc,GACf,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,kBAAkB,EAAE,8BAA8B,EAAE,MAAM,qBAAqB,CAAC;AACzF,OAAO,EACL,MAAM,EACN,MAAM,EACN,KAAK,EACL,OAAO,EACP,KAAK,gBAAgB,EACrB,KAAK,gBAAgB,EACrB,KAAK,eAAe,EACpB,KAAK,iBAAiB,GACvB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,YAAY,EAAE,KAAK,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AACpF,OAAO,EACL,iBAAiB,EACjB,KAAK,wBAAwB,EAC7B,KAAK,2BAA2B,EAChC,KAAK,sBAAsB,GAC5B,MAAM,kCAAkC,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agentfootprint",
-  "version": "6.9.0",
+  "version": "6.11.0",
   "description": "The explainable agent framework — build AI agents you can explain, audit, and trust. Built on footprintjs.",
   "license": "MIT",
   "author": "Sanjay Krishna Anbalagan",
@@ -145,6 +145,11 @@
       "import": "./dist/esm/security/index.js",
       "require": "./dist/security/index.js"
     },
+    "./identity": {
+      "types": "./dist/types/identity.d.ts",
+      "import": "./dist/esm/identity.js",
+      "require": "./dist/identity.js"
+    },
     "./reliability": {
       "types": "./dist/types/reliability/index.d.ts",
       "import": "./dist/esm/reliability/index.js",