governance-sdk 0.5.0

package/dist/agent-identity-ed25519.js

@@ -0,0 +1,134 @@
+/**
+ * governance-sdk — Ed25519 Cryptographic Agent Identity
+ *
+ * Public-key agent identity using Ed25519 via Web Crypto API.
+ * Zero dependencies. Supports key generation, action signing, verification,
+ * self-signed certificates, and capability-narrowing delegation.
+ *
+ * @example
+ * ```ts
+ * import { createEd25519Identity } from 'governance-sdk/agent-identity-ed25519';
+ *
+ * const identity = createEd25519Identity();
+ * const keyPair = await identity.generateKeyPair();
+ * const cert = await identity.createCertificate(keyPair.privateKey, {
+ *   agentId: 'bot-1', name: 'sales-bot', capabilities: ['search', 'email'],
+ * });
+ * const signature = await identity.signAction(keyPair.privateKey, { action: 'tool_call', tool: 'search' });
+ * const valid = await identity.verifyAction(keyPair.publicKey, { action: 'tool_call', tool: 'search' }, signature);
+ * ```
+ */
+import { deepSortKeys } from "./audit-integrity.js";
+// ─── Implementation ─────────────────────────────────────────
+export function createEd25519Identity(config = {}) {
+    const { certificateTtlMs = 86_400_000, maxDelegationDepth = 5 } = config;
+    return {
+        /** Generate a new Ed25519 key pair */
+        async generateKeyPair() {
+            const keyPair = await crypto.subtle.generateKey("Ed25519", true, ["sign", "verify"]);
+            const rawPublic = await crypto.subtle.exportKey("raw", keyPair.publicKey);
+            const publicKeyHex = bufToHex(new Uint8Array(rawPublic));
+            return { publicKey: keyPair.publicKey, privateKey: keyPair.privateKey, publicKeyHex };
+        },
+        /** Sign an action context with the agent's private key */
+        async signAction(privateKey, data) {
+            const canonical = JSON.stringify(deepSortKeys(data));
+            const encoded = new TextEncoder().encode(canonical);
+            const sig = await crypto.subtle.sign("Ed25519", privateKey, encoded.buffer);
+            return bufToHex(new Uint8Array(sig));
+        },
+        /** Verify an action signature with the agent's public key */
+        async verifyAction(publicKey, data, signature) {
+            const canonical = JSON.stringify(deepSortKeys(data));
+            const encoded = new TextEncoder().encode(canonical);
+            const sigBytes = hexToBuf(signature);
+            return crypto.subtle.verify("Ed25519", publicKey, sigBytes.buffer, encoded.buffer);
+        },
+        /** Create a self-signed agent certificate */
+        async createCertificate(privateKey, agent, issuer) {
+            const rawPublic = await crypto.subtle.exportKey("raw", await derivePublicKey(privateKey));
+            const publicKeyHex = bufToHex(new Uint8Array(rawPublic));
+            const cert = {
+                agentId: agent.agentId,
+                name: agent.name,
+                publicKeyHex,
+                capabilities: [...agent.capabilities].sort(),
+                issuedAt: new Date().toISOString(),
+                expiresAt: new Date(Date.now() + certificateTtlMs).toISOString(),
+                issuer: issuer ?? agent.agentId,
+                delegationDepth: 0,
+            };
+            const canonical = JSON.stringify(deepSortKeys(cert));
+            const encoded = new TextEncoder().encode(canonical);
+            const sig = await crypto.subtle.sign("Ed25519", privateKey, encoded.buffer);
+            return { ...cert, signature: bufToHex(new Uint8Array(sig)) };
+        },
+        /** Verify a certificate's signature and expiry */
+        async verifyCertificate(cert) {
+            if (cert.expiresAt && new Date(cert.expiresAt).getTime() < Date.now()) {
+                return { valid: false, reason: "Certificate has expired" };
+            }
+            const publicKey = await importPublicKey(cert.publicKeyHex);
+            const { signature, ...certData } = cert;
+            const canonical = JSON.stringify(deepSortKeys(certData));
+            const encoded = new TextEncoder().encode(canonical);
+            const sigBytes = hexToBuf(signature);
+            const valid = await crypto.subtle.verify("Ed25519", publicKey, sigBytes.buffer, encoded.buffer);
+            return valid ? { valid: true } : { valid: false, reason: "Invalid certificate signature" };
+        },
+        /**
+         * Delegate identity to a child agent with narrowed capabilities.
+         * Child capabilities must be a subset of parent capabilities.
+         */
+        async delegate(parentKey, parentCert, child) {
+            const depth = parentCert.delegationDepth + 1;
+            if (depth > maxDelegationDepth) {
+                throw new Error(`Delegation depth ${depth} exceeds maximum ${maxDelegationDepth}`);
+            }
+            const invalid = child.capabilities.filter((c) => !parentCert.capabilities.includes(c));
+            if (invalid.length > 0) {
+                throw new Error(`Cannot delegate capabilities not held by parent: ${invalid.join(", ")}`);
+            }
+            const childKeyPair = await this.generateKeyPair();
+            const cert = {
+                agentId: child.agentId,
+                name: child.name,
+                publicKeyHex: childKeyPair.publicKeyHex,
+                capabilities: [...child.capabilities].sort(),
+                issuedAt: new Date().toISOString(),
+                expiresAt: parentCert.expiresAt, // inherit parent expiry
+                issuer: parentCert.agentId,
+                delegationDepth: depth,
+            };
+            const canonical = JSON.stringify(deepSortKeys(cert));
+            const encoded = new TextEncoder().encode(canonical);
+            const sig = await crypto.subtle.sign("Ed25519", parentKey, encoded);
+            return { keyPair: childKeyPair, certificate: { ...cert, signature: bufToHex(new Uint8Array(sig)) } };
+        },
+        /** Import a public key from hex for verification */
+        importPublicKey,
+    };
+}
+// ─── Utilities ──────────────────────────────────────────────
+function bufToHex(buf) {
+    return Array.from(buf, (b) => b.toString(16).padStart(2, "0")).join("");
+}
+function hexToBuf(hex) {
+    const bytes = new Uint8Array(hex.length / 2);
+    for (let i = 0; i < hex.length; i += 2) {
+        bytes[i / 2] = parseInt(hex.slice(i, i + 2), 16);
+    }
+    return bytes;
+}
+async function importPublicKey(hex) {
+    const raw = hexToBuf(hex);
+    return crypto.subtle.importKey("raw", raw.buffer, "Ed25519", true, ["verify"]);
+}
+async function derivePublicKey(privateKey) {
+    // Export the private key as JWK, then import only the public component
+    const jwk = await crypto.subtle.exportKey("jwk", privateKey);
+    delete jwk.d; // remove private component
+    jwk.key_ops = ["verify"];
+    return crypto.subtle.importKey("jwk", jwk, "Ed25519", true, ["verify"]);
+}
+//# sourceMappingURL=agent-identity-ed25519.js.map

package/dist/agent-identity-ed25519.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"agent-identity-ed25519.js","sourceRoot":"","sources":["../src/agent-identity-ed25519.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AAmCpD,+DAA+D;AAE/D,MAAM,UAAU,qBAAqB,CAAC,SAAwB,EAAE;IAC9D,MAAM,EAAE,gBAAgB,GAAG,UAAU,EAAE,kBAAkB,GAAG,CAAC,EAAE,GAAG,MAAM,CAAC;IAEzE,OAAO;QACL,sCAAsC;QACtC,KAAK,CAAC,eAAe;YACnB,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,SAAS,EAAE,IAAI,EAAE,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC;YACrF,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC;YAC1E,MAAM,YAAY,GAAG,QAAQ,CAAC,IAAI,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC;YACzD,OAAO,EAAE,SAAS,EAAE,OAAO,CAAC,SAAS,EAAE,UAAU,EAAE,OAAO,CAAC,UAAU,EAAE,YAAY,EAAE,CAAC;QACxF,CAAC;QAED,0DAA0D;QAC1D,KAAK,CAAC,UAAU,CAAC,UAAqB,EAAE,IAA6B;YACnE,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC;YACrD,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YACpD,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,UAAU,EAAE,OAAO,CAAC,MAAqB,CAAC,CAAC;YAC3F,OAAO,QAAQ,CAAC,IAAI,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC;QACvC,CAAC;QAED,6DAA6D;QAC7D,KAAK,CAAC,YAAY,CAAC,SAAoB,EAAE,IAA6B,EAAE,SAAiB;YACvF,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC;YACrD,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YACpD,MAAM,QAAQ,GAAG,QAAQ,CAAC,SAAS,CAAC,CAAC;YACrC,OAAO,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,SAAS,EAAE,QAAQ,CAAC,MAAqB,EAAE,OAAO,CAAC,MAAqB,CAAC,CAAC;QACnH,CAAC;QAED,6CAA6C;QAC7C,KAAK,CAAC,iBAAiB,CACrB,UAAqB,EACrB,KAAgE,EAChE,MAAe;YAEf,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,MAAM,eAAe,CAAC,UAAU,CAAC,CAAC,CAAC;YAC1F,MAAM,YAAY,GAAG,QAAQ,CAAC,IAAI,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC;YAEzD,MAAM,IAAI,GAAwC;gBAChD,OAAO,EAAE,KAAK,CAAC,OAAO;gBACtB,IAAI,EAAE,KAAK,CAAC,IAAI;gBAChB,YAAY;gBACZ,YAAY,EAAE,CAAC,GAAG,KAAK,CAAC,YAAY,CAAC,CAAC,IAAI,EAAE;gBAC5C,QAAQ,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;gBAClC,SAAS,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,gBAAgB,CAAC,CAAC,WAAW,EAAE;gBAChE,MAAM,EAAE,MAAM,IAAI,KAAK,CAAC,OAAO;gBAC/B,eAAe,EAAE,CAAC;aACnB,CAAC;YAEF,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC;YACrD,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YACpD,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,UAAU,EAAE,OAAO,CAAC,MAAqB,CAAC,CAAC;YAE3F,OAAO,EAAE,GAAG,IAAI,EAAE,SAAS,EAAE,QAAQ,CAAC,IAAI,UAAU,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;QAC/D,CAAC;QAED,kDAAkD;QAClD,KAAK,CAAC,iBAAiB,CAAC,IAAsB;YAC5C,IAAI,IAAI,CAAC,SAAS,IAAI,IAAI,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;gBACtE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,yBAAyB,EAAE,CAAC;YAC7D,CAAC;YAED,MAAM,SAAS,GAAG,MAAM,eAAe,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;YAC3D,MAAM,EAAE,SAAS,EAAE,GAAG,QAAQ,EAAE,GAAG,IAAI,CAAC;YACxC,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC,CAAC;YACzD,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YACpD,MAAM,QAAQ,GAAG,QAAQ,CAAC,SAAS,CAAC,CAAC;YAErC,MAAM,KAAK,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,SAAS,EAAE,QAAQ,CAAC,MAAqB,EAAE,OAAO,CAAC,MAAqB,CAAC,CAAC;YAC9H,OAAO,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,+BAA+B,EAAE,CAAC;QAC7F,CAAC;QAED;;;WAGG;QACH,KAAK,CAAC,QAAQ,CACZ,SAAoB,EACpB,UAA4B,EAC5B,KAAgE;YAEhE,MAAM,KAAK,GAAG,UAAU,CAAC,eAAe,GAAG,CAAC,CAAC;YAC7C,IAAI,KAAK,GAAG,kBAAkB,EAAE,CAAC;gBAC/B,MAAM,IAAI,KAAK,CAAC,oBAAoB,KAAK,oBAAoB,kBAAkB,EAAE,CAAC,CAAC;YACrF,CAAC;YAED,MAAM,OAAO,GAAG,KAAK,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,UAAU,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;YACvF,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACvB,MAAM,IAAI,KAAK,CAAC,oDAAoD,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YAC5F,CAAC;YAED,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,eAAe,EAAE,CAAC;YAElD,MAAM,IAAI,GAAwC;gBAChD,OAAO,EAAE,KAAK,CAAC,OAAO;gBACtB,IAAI,EAAE,KAAK,CAAC,IAAI;gBAChB,YAAY,EAAE,YAAY,CAAC,YAAY;gBACvC,YAAY,EAAE,CAAC,GAAG,KAAK,CAAC,YAAY,CAAC,CAAC,IAAI,EAAE;gBAC5C,QAAQ,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;gBAClC,SAAS,EAAE,UAAU,CAAC,SAAS,EAAE,wBAAwB;gBACzD,MAAM,EAAE,UAAU,CAAC,OAAO;gBAC1B,eAAe,EAAE,KAAK;aACvB,CAAC;YAEF,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC;YACrD,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YACpD,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,SAAS,EAAE,OAAO,CAAC,CAAC;YAEpE,OAAO,EAAE,OAAO,EAAE,YAAY,EAAE,WAAW,EAAE,EAAE,GAAG,IAAI,EAAE,SAAS,EAAE,QAAQ,CAAC,IAAI,UAAU,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,CAAC;QACvG,CAAC;QAED,oDAAoD;QACpD,eAAe;KAChB,CAAC;AACJ,CAAC;AAED,+DAA+D;AAE/D,SAAS,QAAQ,CAAC,GAAe;IAC/B,OAAO,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;AAC1E,CAAC;AAED,SAAS,QAAQ,CAAC,GAAW;IAC3B,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IAC7C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;QACvC,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,QAAQ,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACnD,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,KAAK,UAAU,eAAe,CAAC,GAAW;IACxC,MAAM,GAAG,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC;IAC1B,OAAO,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,GAAG,CAAC,MAAqB,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC;AAChG,CAAC;AAED,KAAK,UAAU,eAAe,CAAC,UAAqB;IAClD,uEAAuE;IACvE,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;IAC7D,OAAO,GAAG,CAAC,CAAC,CAAC,CAAC,2BAA2B;IACzC,GAAG,CAAC,OAAO,GAAG,CAAC,QAAQ,CAAC,CAAC;IACzB,OAAO,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,GAAG,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC;AAC1E,CAAC"}

package/dist/agent-identity.d.ts

@@ -0,0 +1,65 @@
+/**
+ * governance-sdk — Agent Identity Primitives
+ *
+ * Cryptographic agent identity using HMAC-SHA256 via Web Crypto API.
+ * Zero dependencies. Produces verifiable identity tokens and fingerprints.
+ *
+ * @example
+ * ```ts
+ * import { createAgentIdentity } from 'governance-sdk/agent-identity';
+ *
+ * const identity = createAgentIdentity('my-signing-key');
+ * const token = await identity.issueToken({ id: 'agent-1', name: 'sales-bot', owner: 'team-a' });
+ * const valid = await identity.verifyToken(token, { id: 'agent-1', name: 'sales-bot', owner: 'team-a' });
+ * const fingerprint = await identity.getFingerprint({ id: 'agent-1', name: 'sales-bot' });
+ * ```
+ */
+/** Minimal agent fields used for identity derivation */
+export interface AgentIdentityInput {
+    id: string;
+    name: string;
+    owner?: string;
+    version?: string;
+    framework?: string;
+}
+/** Issued identity token with metadata */
+export interface AgentIdentityToken {
+    /** HMAC-SHA256 hash of canonical agent identity */
+    signature: string;
+    /** Agent ID this token was issued for */
+    agentId: string;
+    /** ISO timestamp of token issuance */
+    issuedAt: string;
+    /** ISO timestamp of token expiry (if configured) */
+    expiresAt?: string;
+    /** Short fingerprint (first 16 hex chars of signature) */
+    fingerprint: string;
+}
+/** Verification result */
+export interface VerificationResult {
+    valid: boolean;
+    reason?: string;
+}
+/** Configuration for agent identity */
+export interface AgentIdentityConfig {
+    /** Token expiry duration in milliseconds (default: no expiry) */
+    tokenTtlMs?: number;
+}
+export declare function createAgentIdentity(signingKey: string, config?: AgentIdentityConfig): {
+    /**
+     * Issue a verifiable identity token for an agent.
+     * The token includes an HMAC signature derived from the agent's core identity fields.
+     */
+    issueToken(agent: AgentIdentityInput): Promise<AgentIdentityToken>;
+    /**
+     * Verify an identity token against an agent's current identity.
+     * Recomputes the HMAC and compares against the token signature.
+     */
+    verifyToken(token: AgentIdentityToken, agent: AgentIdentityInput): Promise<VerificationResult>;
+    /**
+     * Get a deterministic fingerprint for an agent (first 16 hex chars of identity hash).
+     * Useful for human-readable agent identification in logs and dashboards.
+     */
+    getFingerprint(agent: AgentIdentityInput): Promise<string>;
+};
+//# sourceMappingURL=agent-identity.d.ts.map

package/dist/agent-identity.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"agent-identity.d.ts","sourceRoot":"","sources":["../src/agent-identity.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAMH,wDAAwD;AACxD,MAAM,WAAW,kBAAkB;IACjC,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,0CAA0C;AAC1C,MAAM,WAAW,kBAAkB;IACjC,mDAAmD;IACnD,SAAS,EAAE,MAAM,CAAC;IAClB,yCAAyC;IACzC,OAAO,EAAE,MAAM,CAAC;IAChB,sCAAsC;IACtC,QAAQ,EAAE,MAAM,CAAC;IACjB,oDAAoD;IACpD,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,0DAA0D;IAC1D,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,0BAA0B;AAC1B,MAAM,WAAW,kBAAkB;IACjC,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,uCAAuC;AACvC,MAAM,WAAW,mBAAmB;IAClC,iEAAiE;IACjE,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAID,wBAAgB,mBAAmB,CAAC,UAAU,EAAE,MAAM,EAAE,MAAM,GAAE,mBAAwB;IAIpF;;;OAGG;sBACqB,kBAAkB,GAAG,OAAO,CAAC,kBAAkB,CAAC;IAoBxE;;;OAGG;uBACsB,kBAAkB,SAAS,kBAAkB,GAAG,OAAO,CAAC,kBAAkB,CAAC;IAoBpG;;;OAGG;0BACyB,kBAAkB,GAAG,OAAO,CAAC,MAAM,CAAC;EAMnE"}

package/dist/agent-identity.js

@@ -0,0 +1,85 @@
+/**
+ * governance-sdk — Agent Identity Primitives
+ *
+ * Cryptographic agent identity using HMAC-SHA256 via Web Crypto API.
+ * Zero dependencies. Produces verifiable identity tokens and fingerprints.
+ *
+ * @example
+ * ```ts
+ * import { createAgentIdentity } from 'governance-sdk/agent-identity';
+ *
+ * const identity = createAgentIdentity('my-signing-key');
+ * const token = await identity.issueToken({ id: 'agent-1', name: 'sales-bot', owner: 'team-a' });
+ * const valid = await identity.verifyToken(token, { id: 'agent-1', name: 'sales-bot', owner: 'team-a' });
+ * const fingerprint = await identity.getFingerprint({ id: 'agent-1', name: 'sales-bot' });
+ * ```
+ */
+import { hmacSha256, deepSortKeys } from "./audit-integrity.js";
+// ─── Implementation ─────────────────────────────────────────
+export function createAgentIdentity(signingKey, config = {}) {
+    if (!signingKey)
+        throw new Error("Signing key is required for agent identity");
+    return {
+        /**
+         * Issue a verifiable identity token for an agent.
+         * The token includes an HMAC signature derived from the agent's core identity fields.
+         */
+        async issueToken(agent) {
+            const canonical = canonicalizeAgent(agent);
+            const issuedAt = new Date().toISOString();
+            const data = `${canonical}|${issuedAt}`;
+            const signature = await hmacSha256(signingKey, data);
+            const token = {
+                signature,
+                agentId: agent.id,
+                issuedAt,
+                fingerprint: signature.slice(0, 16),
+            };
+            if (config.tokenTtlMs) {
+                token.expiresAt = new Date(Date.now() + config.tokenTtlMs).toISOString();
+            }
+            return token;
+        },
+        /**
+         * Verify an identity token against an agent's current identity.
+         * Recomputes the HMAC and compares against the token signature.
+         */
+        async verifyToken(token, agent) {
+            if (token.agentId !== agent.id) {
+                return { valid: false, reason: "Token agent ID does not match" };
+            }
+            if (token.expiresAt && new Date(token.expiresAt).getTime() < Date.now()) {
+                return { valid: false, reason: "Token has expired" };
+            }
+            const canonical = canonicalizeAgent(agent);
+            const data = `${canonical}|${token.issuedAt}`;
+            const expectedSignature = await hmacSha256(signingKey, data);
+            if (expectedSignature !== token.signature) {
+                return { valid: false, reason: "Signature mismatch — agent identity may have been tampered with" };
+            }
+            return { valid: true };
+        },
+        /**
+         * Get a deterministic fingerprint for an agent (first 16 hex chars of identity hash).
+         * Useful for human-readable agent identification in logs and dashboards.
+         */
+        async getFingerprint(agent) {
+            const canonical = canonicalizeAgent(agent);
+            const hash = await hmacSha256(signingKey, canonical);
+            return hash.slice(0, 16);
+        },
+    };
+}
+// ─── Utilities ──────────────────────────────────────────────
+/** Canonical serialization of agent identity fields (deterministic, sorted) */
+function canonicalizeAgent(agent) {
+    const identity = deepSortKeys({
+        id: agent.id,
+        name: agent.name,
+        owner: agent.owner ?? "",
+        version: agent.version ?? "",
+        framework: agent.framework ?? "",
+    });
+    return JSON.stringify(identity);
+}
+//# sourceMappingURL=agent-identity.js.map

package/dist/agent-identity.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"agent-identity.js","sourceRoot":"","sources":["../src/agent-identity.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AAuChE,+DAA+D;AAE/D,MAAM,UAAU,mBAAmB,CAAC,UAAkB,EAAE,SAA8B,EAAE;IACtF,IAAI,CAAC,UAAU;QAAE,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;IAE/E,OAAO;QACL;;;WAGG;QACH,KAAK,CAAC,UAAU,CAAC,KAAyB;YACxC,MAAM,SAAS,GAAG,iBAAiB,CAAC,KAAK,CAAC,CAAC;YAC3C,MAAM,QAAQ,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;YAC1C,MAAM,IAAI,GAAG,GAAG,SAAS,IAAI,QAAQ,EAAE,CAAC;YACxC,MAAM,SAAS,GAAG,MAAM,UAAU,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC;YAErD,MAAM,KAAK,GAAuB;gBAChC,SAAS;gBACT,OAAO,EAAE,KAAK,CAAC,EAAE;gBACjB,QAAQ;gBACR,WAAW,EAAE,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;aACpC,CAAC;YAEF,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;gBACtB,KAAK,CAAC,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,UAAU,CAAC,CAAC,WAAW,EAAE,CAAC;YAC3E,CAAC;YAED,OAAO,KAAK,CAAC;QACf,CAAC;QAED;;;WAGG;QACH,KAAK,CAAC,WAAW,CAAC,KAAyB,EAAE,KAAyB;YACpE,IAAI,KAAK,CAAC,OAAO,KAAK,KAAK,CAAC,EAAE,EAAE,CAAC;gBAC/B,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,+BAA+B,EAAE,CAAC;YACnE,CAAC;YAED,IAAI,KAAK,CAAC,SAAS,IAAI,IAAI,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;gBACxE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,mBAAmB,EAAE,CAAC;YACvD,CAAC;YAED,MAAM,SAAS,GAAG,iBAAiB,CAAC,KAAK,CAAC,CAAC;YAC3C,MAAM,IAAI,GAAG,GAAG,SAAS,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC;YAC9C,MAAM,iBAAiB,GAAG,MAAM,UAAU,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC;YAE7D,IAAI,iBAAiB,KAAK,KAAK,CAAC,SAAS,EAAE,CAAC;gBAC1C,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,iEAAiE,EAAE,CAAC;YACrG,CAAC;YAED,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;QACzB,CAAC;QAED;;;WAGG;QACH,KAAK,CAAC,cAAc,CAAC,KAAyB;YAC5C,MAAM,SAAS,GAAG,iBAAiB,CAAC,KAAK,CAAC,CAAC;YAC3C,MAAM,IAAI,GAAG,MAAM,UAAU,CAAC,UAAU,EAAE,SAAS,CAAC,CAAC;YACrD,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QAC3B,CAAC;KACF,CAAC;AACJ,CAAC;AAED,+DAA+D;AAE/D,+EAA+E;AAC/E,SAAS,iBAAiB,CAAC,KAAyB;IAClD,MAAM,QAAQ,GAAG,YAAY,CAAC;QAC5B,EAAE,EAAE,KAAK,CAAC,EAAE;QACZ,IAAI,EAAE,KAAK,CAAC,IAAI;QAChB,KAAK,EAAE,KAAK,CAAC,KAAK,IAAI,EAAE;QACxB,OAAO,EAAE,KAAK,CAAC,OAAO,IAAI,EAAE;QAC5B,SAAS,EAAE,KAAK,CAAC,SAAS,IAAI,EAAE;KACjC,CAAC,CAAC;IACH,OAAO,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;AAClC,CAAC"}

package/dist/audit-integrity.d.ts

@@ -0,0 +1,78 @@
+/**
+ * governance-sdk — Tamper-Evident Audit Logging
+ *
+ * HMAC-SHA256 hash chaining for audit events. Each event's hash includes
+ * the previous hash, making tampering immediately detectable.
+ * EU AI Act Article 12 compliant.
+ */
+import type { AuditEvent, AuditQueryFilters, GovernanceInstance } from "./index.js";
+/** Integrity metadata attached to each audit event */
+export interface AuditIntegrity {
+    /** HMAC-SHA256 hash of this event (including previousHash) */
+    hash: string;
+    /** Hash of the previous event in the chain */
+    previousHash: string;
+    /** Sequence number in the chain (1-indexed) */
+    sequence: number;
+    /** ISO timestamp when the hash was computed */
+    signedAt: string;
+}
+/** An audit event with tamper-evident integrity */
+export interface IntegrityAuditEvent extends AuditEvent {
+    integrity: AuditIntegrity;
+}
+/** Configuration for integrity audit */
+export interface IntegrityAuditConfig {
+    /** HMAC signing key — keep this secret */
+    signingKey: string;
+    /** Algorithm label (default: "hmac-sha256") */
+    algorithm?: string;
+}
+/** Result of verifying the audit chain */
+export interface ChainVerificationResult {
+    /** Whether the entire chain is valid */
+    valid: boolean;
+    /** Number of events verified */
+    eventsVerified: number;
+    /** Total events in the chain */
+    totalEvents: number;
+    /** Index of first broken link (null if valid) */
+    brokenAt: number | null;
+    /** Details of the break (null if valid) */
+    breakDetail: string | null;
+    /** When the verification was performed */
+    verifiedAt: string;
+}
+/** Integrity audit interface */
+export interface IntegrityAudit {
+    /** Log an event with tamper-evident hash chaining */
+    log: (event: Omit<AuditEvent, "id" | "createdAt">) => Promise<IntegrityAuditEvent>;
+    /** Verify the entire audit chain */
+    verify: (filters?: AuditQueryFilters) => Promise<ChainVerificationResult>;
+    /** Export the chain for external audit */
+    export: (filters?: AuditQueryFilters) => Promise<IntegrityAuditEvent[]>;
+    /** Get chain statistics */
+    stats: () => Promise<{
+        totalEvents: number;
+        latestSequence: number;
+        latestHash: string;
+        algorithm: string;
+    }>;
+}
+export declare function hmacSha256(key: string, data: string): Promise<string>;
+/** Deep-sort all object keys for deterministic serialization */
+export declare function deepSortKeys(value: unknown): unknown;
+/** Compute the canonical string representation of an audit event for hashing */
+export declare function canonicalize(event: AuditEvent, previousHash: string, sequence: number): string;
+export declare const GENESIS_HASH: string;
+/**
+ * Create a tamper-evident audit trail on top of a governance instance.
+ *
+ * Wraps the governance audit system with HMAC-SHA256 hash chaining.
+ * Each event's hash includes the previous event's hash, creating
+ * an immutable chain. Any tampering is immediately detectable.
+ *
+ * Satisfies EU AI Act Article 12 logging integrity requirements.
+ */
+export declare function createIntegrityAudit(governance: GovernanceInstance, config: IntegrityAuditConfig): IntegrityAudit;
+//# sourceMappingURL=audit-integrity.d.ts.map

package/dist/audit-integrity.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit-integrity.d.ts","sourceRoot":"","sources":["../src/audit-integrity.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,iBAAiB,EAAE,kBAAkB,EAAE,MAAM,YAAY,CAAC;AAIpF,sDAAsD;AACtD,MAAM,WAAW,cAAc;IAC7B,8DAA8D;IAC9D,IAAI,EAAE,MAAM,CAAC;IACb,8CAA8C;IAC9C,YAAY,EAAE,MAAM,CAAC;IACrB,+CAA+C;IAC/C,QAAQ,EAAE,MAAM,CAAC;IACjB,+CAA+C;IAC/C,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,mDAAmD;AACnD,MAAM,WAAW,mBAAoB,SAAQ,UAAU;IACrD,SAAS,EAAE,cAAc,CAAC;CAC3B;AAED,wCAAwC;AACxC,MAAM,WAAW,oBAAoB;IACnC,0CAA0C;IAC1C,UAAU,EAAE,MAAM,CAAC;IACnB,+CAA+C;IAC/C,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,0CAA0C;AAC1C,MAAM,WAAW,uBAAuB;IACtC,wCAAwC;IACxC,KAAK,EAAE,OAAO,CAAC;IACf,gCAAgC;IAChC,cAAc,EAAE,MAAM,CAAC;IACvB,gCAAgC;IAChC,WAAW,EAAE,MAAM,CAAC;IACpB,iDAAiD;IACjD,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,2CAA2C;IAC3C,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,0CAA0C;IAC1C,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,gCAAgC;AAChC,MAAM,WAAW,cAAc;IAC7B,qDAAqD;IACrD,GAAG,EAAE,CAAC,KAAK,EAAE,IAAI,CAAC,UAAU,EAAE,IAAI,GAAG,WAAW,CAAC,KAAK,OAAO,CAAC,mBAAmB,CAAC,CAAC;IACnF,oCAAoC;IACpC,MAAM,EAAE,CAAC,OAAO,CAAC,EAAE,iBAAiB,KAAK,OAAO,CAAC,uBAAuB,CAAC,CAAC;IAC1E,0CAA0C;IAC1C,MAAM,EAAE,CAAC,OAAO,CAAC,EAAE,iBAAiB,KAAK,OAAO,CAAC,mBAAmB,EAAE,CAAC,CAAC;IACxE,2BAA2B;IAC3B,KAAK,EAAE,MAAM,OAAO,CAAC;QACnB,WAAW,EAAE,MAAM,CAAC;QACpB,cAAc,EAAE,MAAM,CAAC;QACvB,UAAU,EAAE,MAAM,CAAC;QACnB,SAAS,EAAE,MAAM,CAAC;KACnB,CAAC,CAAC;CACJ;AAKD,wBAAsB,UAAU,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAgB3E;AAED,gEAAgE;AAChE,wBAAgB,YAAY,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAQpD;AAED,gFAAgF;AAChF,wBAAgB,YAAY,CAAC,KAAK,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,MAAM,CAgB9F;AAID,eAAO,MAAM,YAAY,QAAiB,CAAC;AAE3C;;;;;;;;GAQG;AACH,wBAAgB,oBAAoB,CAClC,UAAU,EAAE,kBAAkB,EAC9B,MAAM,EAAE,oBAAoB,GAC3B,cAAc,CAmJhB"}

package/dist/audit-integrity.js

@@ -0,0 +1,173 @@
+/**
+ * governance-sdk — Tamper-Evident Audit Logging
+ *
+ * HMAC-SHA256 hash chaining for audit events. Each event's hash includes
+ * the previous hash, making tampering immediately detectable.
+ * EU AI Act Article 12 compliant.
+ */
+// ─── HMAC-SHA256 Implementation ─────────────────────────────
+// Uses Web Crypto API (available in Node 18+ and all modern browsers)
+export async function hmacSha256(key, data) {
+    const encoder = new TextEncoder();
+    const keyData = encoder.encode(key);
+    const msgData = encoder.encode(data);
+    const cryptoKey = await crypto.subtle.importKey("raw", keyData, { name: "HMAC", hash: "SHA-256" }, false, ["sign"]);
+    const signature = await crypto.subtle.sign("HMAC", cryptoKey, msgData);
+    const hashArray = Array.from(new Uint8Array(signature));
+    return hashArray.map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+/** Deep-sort all object keys for deterministic serialization */
+export function deepSortKeys(value) {
+    if (value === null || value === undefined || typeof value !== "object")
+        return value;
+    if (Array.isArray(value))
+        return value.map(deepSortKeys);
+    const sorted = {};
+    for (const key of Object.keys(value).sort()) {
+        sorted[key] = deepSortKeys(value[key]);
+    }
+    return sorted;
+}
+/** Compute the canonical string representation of an audit event for hashing */
+export function canonicalize(event, previousHash, sequence) {
+    // Deterministic serialization: ALL keys sorted recursively (including nested detail)
+    const canonical = deepSortKeys({
+        agentId: event.agentId,
+        createdAt: event.createdAt,
+        detail: event.detail ?? null,
+        eventType: event.eventType,
+        id: event.id,
+        outcome: event.outcome,
+        policyRuleId: event.policyRuleId ?? null,
+        previousHash,
+        sequence,
+        severity: event.severity,
+    });
+    return JSON.stringify(canonical);
+}
+// ─── Create Integrity Audit ─────────────────────────────────
+export const GENESIS_HASH = "0".repeat(64); // Initial chain hash
+/**
+ * Create a tamper-evident audit trail on top of a governance instance.
+ *
+ * Wraps the governance audit system with HMAC-SHA256 hash chaining.
+ * Each event's hash includes the previous event's hash, creating
+ * an immutable chain. Any tampering is immediately detectable.
+ *
+ * Satisfies EU AI Act Article 12 logging integrity requirements.
+ */
+export function createIntegrityAudit(governance, config) {
+    const algorithm = config.algorithm ?? "hmac-sha256";
+    // Chain state
+    let lastHash = GENESIS_HASH;
+    let sequence = 0;
+    const integrityMap = new Map();
+    // Serialization queue — prevents concurrent log() calls from forking the chain
+    let chainLock = Promise.resolve();
+    async function log(eventInput) {
+        // Chain operations serially to prevent hash fork from concurrent calls
+        const result = chainLock.then(async () => {
+            const event = await governance.audit.log(eventInput);
+            sequence++;
+            const previousHash = lastHash;
+            const canonical = canonicalize(event, previousHash, sequence);
+            const hash = await hmacSha256(config.signingKey, canonical);
+            const integrity = {
+                hash,
+                previousHash,
+                sequence,
+                signedAt: new Date().toISOString(),
+            };
+            lastHash = hash;
+            integrityMap.set(event.id, integrity);
+            return { ...event, integrity };
+        });
+        // Update lock — next caller waits for this one to finish
+        chainLock = result.catch(() => { });
+        return result;
+    }
+    async function verify(filters) {
+        const events = await governance.audit.query({
+            ...filters,
+            limit: undefined,
+            offset: undefined,
+        });
+        // Sort by creation time (oldest first)
+        const sorted = [...events].sort((a, b) => a.createdAt.localeCompare(b.createdAt));
+        let currentPreviousHash = GENESIS_HASH;
+        let seq = 0;
+        for (let i = 0; i < sorted.length; i++) {
+            const event = sorted[i];
+            const integrity = integrityMap.get(event.id);
+            if (!integrity) {
+                return {
+                    valid: false,
+                    eventsVerified: i,
+                    totalEvents: sorted.length,
+                    brokenAt: i,
+                    breakDetail: `Event ${event.id} has no integrity record — possible insertion`,
+                    verifiedAt: new Date().toISOString(),
+                };
+            }
+            // Verify chain continuity
+            if (integrity.previousHash !== currentPreviousHash) {
+                return {
+                    valid: false,
+                    eventsVerified: i,
+                    totalEvents: sorted.length,
+                    brokenAt: i,
+                    breakDetail: `Chain break at sequence ${integrity.sequence}: expected previousHash ${currentPreviousHash.slice(0, 12)}..., got ${integrity.previousHash.slice(0, 12)}...`,
+                    verifiedAt: new Date().toISOString(),
+                };
+            }
+            // Recompute hash to verify content integrity
+            seq++;
+            const canonical = canonicalize(event, currentPreviousHash, seq);
+            const expectedHash = await hmacSha256(config.signingKey, canonical);
+            if (expectedHash !== integrity.hash) {
+                return {
+                    valid: false,
+                    eventsVerified: i,
+                    totalEvents: sorted.length,
+                    brokenAt: i,
+                    breakDetail: `Hash mismatch at sequence ${seq}: event ${event.id} has been modified`,
+                    verifiedAt: new Date().toISOString(),
+                };
+            }
+            currentPreviousHash = integrity.hash;
+        }
+        return {
+            valid: true,
+            eventsVerified: sorted.length,
+            totalEvents: sorted.length,
+            brokenAt: null,
+            breakDetail: null,
+            verifiedAt: new Date().toISOString(),
+        };
+    }
+    async function exportChain(filters) {
+        const events = await governance.audit.query({
+            ...filters,
+            limit: undefined,
+            offset: undefined,
+        });
+        const sorted = [...events].sort((a, b) => a.createdAt.localeCompare(b.createdAt));
+        return sorted
+            .filter((e) => integrityMap.has(e.id))
+            .map((e) => ({
+            ...e,
+            integrity: integrityMap.get(e.id),
+        }));
+    }
+    async function stats() {
+        const total = await governance.audit.count();
+        return {
+            totalEvents: total,
+            latestSequence: sequence,
+            latestHash: lastHash,
+            algorithm,
+        };
+    }
+    return { log, verify, export: exportChain, stats };
+}
+//# sourceMappingURL=audit-integrity.js.map

package/dist/audit-integrity.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit-integrity.js","sourceRoot":"","sources":["../src/audit-integrity.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAgEH,+DAA+D;AAC/D,sEAAsE;AAEtE,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,GAAW,EAAE,IAAY;IACxD,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;IAClC,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IACpC,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IAErC,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAC7C,KAAK,EACL,OAAO,EACP,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,EACjC,KAAK,EACL,CAAC,MAAM,CAAC,CACT,CAAC;IAEF,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,SAAS,EAAE,OAAO,CAAC,CAAC;IACvE,MAAM,SAAS,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC;IACxD,OAAO,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;AACxE,CAAC;AAED,gEAAgE;AAChE,MAAM,UAAU,YAAY,CAAC,KAAc;IACzC,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,SAAS,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IACrF,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;IACzD,MAAM,MAAM,GAA4B,EAAE,CAAC;IAC3C,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,KAAgC,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC;QACvE,MAAM,CAAC,GAAG,CAAC,GAAG,YAAY,CAAE,KAAiC,CAAC,GAAG,CAAC,CAAC,CAAC;IACtE,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,gFAAgF;AAChF,MAAM,UAAU,YAAY,CAAC,KAAiB,EAAE,YAAoB,EAAE,QAAgB;IACpF,qFAAqF;IACrF,MAAM,SAAS,GAAG,YAAY,CAAC;QAC7B,OAAO,EAAE,KAAK,CAAC,OAAO;QACtB,SAAS,EAAE,KAAK,CAAC,SAAS;QAC1B,MAAM,EAAE,KAAK,CAAC,MAAM,IAAI,IAAI;QAC5B,SAAS,EAAE,KAAK,CAAC,SAAS;QAC1B,EAAE,EAAE,KAAK,CAAC,EAAE;QACZ,OAAO,EAAE,KAAK,CAAC,OAAO;QACtB,YAAY,EAAE,KAAK,CAAC,YAAY,IAAI,IAAI;QACxC,YAAY;QACZ,QAAQ;QACR,QAAQ,EAAE,KAAK,CAAC,QAAQ;KACzB,CAAC,CAAC;IAEH,OAAO,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;AACnC,CAAC;AAED,+DAA+D;AAE/D,MAAM,CAAC,MAAM,YAAY,GAAG,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,qBAAqB;AAEjE;;;;;;;;GAQG;AACH,MAAM,UAAU,oBAAoB,CAClC,UAA8B,EAC9B,MAA4B;IAE5B,MAAM,SAAS,GAAG,MAAM,CAAC,SAAS,IAAI,aAAa,CAAC;IAEpD,cAAc;IACd,IAAI,QAAQ,GAAG,YAAY,CAAC;IAC5B,IAAI,QAAQ,GAAG,CAAC,CAAC;IACjB,MAAM,YAAY,GAAG,IAAI,GAAG,EAA0B,CAAC;IAEvD,+EAA+E;IAC/E,IAAI,SAAS,GAAqB,OAAO,CAAC,OAAO,EAAE,CAAC;IAEpD,KAAK,UAAU,GAAG,CAChB,UAAgD;QAEhD,uEAAuE;QACvE,MAAM,MAAM,GAAG,SAAS,CAAC,IAAI,CAAC,KAAK,IAAI,EAAE;YACvC,MAAM,KAAK,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;YAErD,QAAQ,EAAE,CAAC;YACX,MAAM,YAAY,GAAG,QAAQ,CAAC;YAC9B,MAAM,SAAS,GAAG,YAAY,CAAC,KAAK,EAAE,YAAY,EAAE,QAAQ,CAAC,CAAC;YAC9D,MAAM,IAAI,GAAG,MAAM,UAAU,CAAC,MAAM,CAAC,UAAU,EAAE,SAAS,CAAC,CAAC;YAE5D,MAAM,SAAS,GAAmB;gBAChC,IAAI;gBACJ,YAAY;gBACZ,QAAQ;gBACR,QAAQ,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;aACnC,CAAC;YAEF,QAAQ,GAAG,IAAI,CAAC;YAChB,YAAY,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,EAAE,SAAS,CAAC,CAAC;YAEtC,OAAO,EAAE,GAAG,KAAK,EAAE,SAAS,EAAyB,CAAC;QACxD,CAAC,CAAC,CAAC;QAEH,yDAAyD;QACzD,SAAS,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,EAAE,GAA2C,CAAC,CAAC,CAAC;QAE5E,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,KAAK,UAAU,MAAM,CACnB,OAA2B;QAE3B,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,KAAK,CAAC;YAC1C,GAAG,OAAO;YACV,KAAK,EAAE,SAAS;YAChB,MAAM,EAAE,SAAS;SAClB,CAAC,CAAC;QAEH,uCAAuC;QACvC,MAAM,MAAM,GAAG,CAAC,GAAG,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CACvC,CAAC,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC,CAAC,SAAS,CAAC,CACvC,CAAC;QAEF,IAAI,mBAAmB,GAAG,YAAY,CAAC;QACvC,IAAI,GAAG,GAAG,CAAC,CAAC;QAEZ,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACvC,MAAM,KAAK,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;YACxB,MAAM,SAAS,GAAG,YAAY,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;YAE7C,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,cAAc,EAAE,CAAC;oBACjB,WAAW,EAAE,MAAM,CAAC,MAAM;oBAC1B,QAAQ,EAAE,CAAC;oBACX,WAAW,EAAE,SAAS,KAAK,CAAC,EAAE,+CAA+C;oBAC7E,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;iBACrC,CAAC;YACJ,CAAC;YAED,0BAA0B;YAC1B,IAAI,SAAS,CAAC,YAAY,KAAK,mBAAmB,EAAE,CAAC;gBACnD,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,cAAc,EAAE,CAAC;oBACjB,WAAW,EAAE,MAAM,CAAC,MAAM;oBAC1B,QAAQ,EAAE,CAAC;oBACX,WAAW,EAAE,2BAA2B,SAAS,CAAC,QAAQ,2BAA2B,mBAAmB,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,YAAY,SAAS,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK;oBACzK,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;iBACrC,CAAC;YACJ,CAAC;YAED,6CAA6C;YAC7C,GAAG,EAAE,CAAC;YACN,MAAM,SAAS,GAAG,YAAY,CAAC,KAAK,EAAE,mBAAmB,EAAE,GAAG,CAAC,CAAC;YAChE,MAAM,YAAY,GAAG,MAAM,UAAU,CAAC,MAAM,CAAC,UAAU,EAAE,SAAS,CAAC,CAAC;YAEpE,IAAI,YAAY,KAAK,SAAS,CAAC,IAAI,EAAE,CAAC;gBACpC,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,cAAc,EAAE,CAAC;oBACjB,WAAW,EAAE,MAAM,CAAC,MAAM;oBAC1B,QAAQ,EAAE,CAAC;oBACX,WAAW,EAAE,6BAA6B,GAAG,WAAW,KAAK,CAAC,EAAE,oBAAoB;oBACpF,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;iBACrC,CAAC;YACJ,CAAC;YAED,mBAAmB,GAAG,SAAS,CAAC,IAAI,CAAC;QACvC,CAAC;QAED,OAAO;YACL,KAAK,EAAE,IAAI;YACX,cAAc,EAAE,MAAM,CAAC,MAAM;YAC7B,WAAW,EAAE,MAAM,CAAC,MAAM;YAC1B,QAAQ,EAAE,IAAI;YACd,WAAW,EAAE,IAAI;YACjB,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACrC,CAAC;IACJ,CAAC;IAED,KAAK,UAAU,WAAW,CACxB,OAA2B;QAE3B,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,KAAK,CAAC;YAC1C,GAAG,OAAO;YACV,KAAK,EAAE,SAAS;YAChB,MAAM,EAAE,SAAS;SAClB,CAAC,CAAC;QAEH,MAAM,MAAM,GAAG,CAAC,GAAG,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CACvC,CAAC,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC,CAAC,SAAS,CAAC,CACvC,CAAC;QAEF,OAAO,MAAM;aACV,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;aACrC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YACX,GAAG,CAAC;YACJ,SAAS,EAAE,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAE;SACnC,CAAC,CAAC,CAAC;IACR,CAAC;IAED,KAAK,UAAU,KAAK;QAClB,MAAM,KAAK,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;QAC7C,OAAO;YACL,WAAW,EAAE,KAAK;YAClB,cAAc,EAAE,QAAQ;YACxB,UAAU,EAAE,QAAQ;YACpB,SAAS;SACV,CAAC;IACJ,CAAC;IAED,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,KAAK,EAAE,CAAC;AACrD,CAAC"}

package/dist/behavioral-scorer.d.ts

@@ -0,0 +1,72 @@
+/**
+ * Behavioral Scoring — adjusts governance scores using observed audit data.
+ *
+ * Three signal categories:
+ * 1. Enforcement signals — block rate, approval rate, rule triggers
+ * 2. Activity signals — event volume, tool diversity, injection hits
+ * 3. Drift signals — declared vs observed tool usage
+ *
+ * Returns per-dimension adjustments (-20 to +20) and evidence.
+ */
+import type { ScoreDimension, DimensionResult } from "./types.js";
+import type { AuditEvent } from "./storage.js";
+/** Tuning parameters for behavioral scoring — configurable per org. */
+export interface BehavioralConfig {
+    /**
+     * Block rate below this threshold is considered "clean" — no penalty.
+     * Default: 0.05 (5%). A fintech org might set 0.01 (1%), a sandbox 0.2 (20%).
+     */
+    blockRateThreshold?: number;
+    /**
+     * How much to weight recent events vs old events (0-1).
+     * 0 = all events weighted equally. 1 = only most recent events matter.
+     * Default: 0.7 (recent-heavy).
+     */
+    recencyBias?: number;
+    /**
+     * Maximum number of recent events to consider for scoring.
+     * Older events beyond this window are ignored.
+     * Default: 200.
+     */
+    windowSize?: number;
+}
+/** Behavioral analysis input — raw audit events for one agent */
+export interface BehavioralInput {
+    events: AuditEvent[];
+    /** Tools the agent declared at registration */
+    declaredTools: string[];
+    /** Org-level tuning (optional — sensible defaults applied) */
+    config?: BehavioralConfig;
+}
+/** Per-dimension adjustment from behavioral analysis */
+export interface BehavioralAdjustment {
+    dimension: ScoreDimension;
+    adjustment: number;
+    evidence: Record<string, boolean | number | string>;
+}
+/** Full behavioral assessment result */
+export interface BehavioralAssessment {
+    adjustments: BehavioralAdjustment[];
+    signals: BehavioralSignals;
+}
+/** Computed behavioral signals — useful for UI display */
+export interface BehavioralSignals {
+    totalEvents: number;
+    blockRate: number;
+    approvalRate: number;
+    injectionHits: number;
+    uniqueToolsObserved: string[];
+    undeclaredTools: string[];
+    eventFrequency: number;
+    lastActivityAt: string | null;
+}
+/**
+ * Extract behavioral signals from audit events.
+ * Uses recency-weighted block rate: recent events count more than old ones.
+ */
+export declare function computeSignals(input: BehavioralInput): BehavioralSignals;
+/** Compute per-dimension behavioral adjustments from audit signals. */
+export declare function computeBehavioralAdjustments(input: BehavioralInput): BehavioralAssessment;
+/** Apply behavioral adjustments to base dimension scores. */
+export declare function applyBehavioralAdjustments(baseDimensions: DimensionResult[], adjustments: BehavioralAdjustment[]): DimensionResult[];
+//# sourceMappingURL=behavioral-scorer.d.ts.map

package/dist/behavioral-scorer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"behavioral-scorer.d.ts","sourceRoot":"","sources":["../src/behavioral-scorer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAClE,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAE/C,uEAAuE;AACvE,MAAM,WAAW,gBAAgB;IAC/B;;;OAGG;IACH,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B;;;;OAIG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB;;;;OAIG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,iEAAiE;AACjE,MAAM,WAAW,eAAe;IAC9B,MAAM,EAAE,UAAU,EAAE,CAAC;IACrB,+CAA+C;IAC/C,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,8DAA8D;IAC9D,MAAM,CAAC,EAAE,gBAAgB,CAAC;CAC3B;AAED,wDAAwD;AACxD,MAAM,WAAW,oBAAoB;IACnC,SAAS,EAAE,cAAc,CAAC;IAC1B,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,GAAG,MAAM,GAAG,MAAM,CAAC,CAAC;CACrD;AAED,wCAAwC;AACxC,MAAM,WAAW,oBAAoB;IACnC,WAAW,EAAE,oBAAoB,EAAE,CAAC;IACpC,OAAO,EAAE,iBAAiB,CAAC;CAC5B;AAED,0DAA0D;AAC1D,MAAM,WAAW,iBAAiB;IAChC,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;IACtB,mBAAmB,EAAE,MAAM,EAAE,CAAC;IAC9B,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,cAAc,EAAE,MAAM,CAAC;IACvB,cAAc,EAAE,MAAM,GAAG,IAAI,CAAC;CAC/B;AASD;;;GAGG;AACH,wBAAgB,cAAc,CAAC,KAAK,EAAE,eAAe,GAAG,iBAAiB,CAiExE;AAED,uEAAuE;AACvE,wBAAgB,4BAA4B,CAC1C,KAAK,EAAE,eAAe,GACrB,oBAAoB,CA0HtB;AAED,6DAA6D;AAC7D,wBAAgB,0BAA0B,CACxC,cAAc,EAAE,eAAe,EAAE,EACjC,WAAW,EAAE,oBAAoB,EAAE,GAClC,eAAe,EAAE,CAoBnB"}