hedera-curb 0.4.0 → 0.4.2

package/dist/audit.d.ts

@@ -1,6 +1,6 @@
 import { Client } from '@hiero-ledger/sdk';
-import type { CurbConfig } from './config';
-import type { CurbRecord } from './records';
+import type { CurbConfig } from './config.js';
+import type { CurbRecord } from './records.js';
 /**
  * Create an immutable HCS audit topic. No admin key (config can't change) and no submit key
  * (records come from whichever client runs the hooks; junk writes are filtered on read by decode).

package/dist/build-hooks.d.ts

@@ -1,10 +1,10 @@
 import { RejectToolPolicy } from '@hashgraph/hedera-agent-kit/policies';
 import { HcsAuditTrailHook } from '@hashgraph/hedera-agent-kit/hooks';
-import { SpendLimitPolicy } from './policies/spend-limit';
-import { CounterpartyAllowlistPolicy } from './policies/counterparty-allowlist';
-import { ApprovalTierPolicy } from './policies/approval-tier';
-import { CurbAuditHook } from './hooks/curb-audit-hook';
-import type { CurbDeps } from './deps';
+import { SpendLimitPolicy } from './policies/spend-limit.js';
+import { CounterpartyAllowlistPolicy } from './policies/counterparty-allowlist.js';
+import { ApprovalTierPolicy } from './policies/approval-tier.js';
+import { CurbAuditHook } from './hooks/curb-audit-hook.js';
+import type { CurbDeps } from './deps.js';
 /**
  * The ordered Curb policy + audit stack, ready to drop into `configuration.context.hooks`.
  * Hard-disables account-mutating / allowance-granting tools, then governs every transfer

package/dist/build-hooks.js

@@ -1,11 +1,11 @@
 import { RejectToolPolicy } from '@hashgraph/hedera-agent-kit/policies';
 import { HcsAuditTrailHook } from '@hashgraph/hedera-agent-kit/hooks';
 import { coreAccountPluginToolNames } from '@hashgraph/hedera-agent-kit/plugins';
-import { GOVERNED_TRANSFER_TOOLS } from './tools';
-import { SpendLimitPolicy } from './policies/spend-limit';
-import { CounterpartyAllowlistPolicy } from './policies/counterparty-allowlist';
-import { ApprovalTierPolicy } from './policies/approval-tier';
-import { CurbAuditHook } from './hooks/curb-audit-hook';
+import { GOVERNED_TRANSFER_TOOLS } from './tools.js';
+import { SpendLimitPolicy } from './policies/spend-limit.js';
+import { CounterpartyAllowlistPolicy } from './policies/counterparty-allowlist.js';
+import { ApprovalTierPolicy } from './policies/approval-tier.js';
+import { CurbAuditHook } from './hooks/curb-audit-hook.js';
 /**
  * The ordered Curb policy + audit stack, ready to drop into `configuration.context.hooks`.
  * Hard-disables account-mutating / allowance-granting tools, then governs every transfer

package/dist/cli.js

@@ -6,9 +6,24 @@ import { createAuditTopic } from './audit.js';
 import { createPolicyRegistry, publishPolicyVersion } from './policy-registry.js';
 import { DEFAULT_CONFIG } from './config.js';
 const flag = (name) => {
-    const i = process.argv.indexOf(`--${name}`);
+    const eq = process.argv.find((a) => a.startsWith(`--${name}=`)); // support --name=value
+    if (eq)
+        return eq.slice(name.length + 3);
+    const i = process.argv.indexOf(`--${name}`); // and --name value
     return i >= 0 ? process.argv[i + 1] : undefined;
 };
+// a numeric flag must parse to a positive, finite number — otherwise we'd publish a garbage policy (NaN caps).
+const num = (name, def) => {
+    const raw = flag(name);
+    if (raw === undefined)
+        return def;
+    const n = Number(raw);
+    if (!Number.isFinite(n) || n <= 0) {
+        console.error(`Invalid --${name}: "${raw}" (expected a positive number).`);
+        process.exit(1);
+    }
+    return n;
+};
 function parseKey(s) {
     for (const parse of [PrivateKey.fromStringECDSA, PrivateKey.fromStringED25519, PrivateKey.fromStringDer]) {
         try {
@@ -29,6 +44,9 @@ async function init() {
         console.error('Missing credentials. Pass --account and --key, or set HEDERA_OPERATOR_ID / HEDERA_OPERATOR_KEY.');
         process.exit(1);
     }
+    // validate all input (flags + key) BEFORE any on-chain work, so bad input never creates topics
+    const perTask = num('per-task', DEFAULT_CONFIG.perTask);
+    const perDay = num('per-day', DEFAULT_CONFIG.perDay);
     console.log(`Provisioning Curb on ${network}…`);
     const client = Client.forName(network).setOperator(account, parseKey(key));
     const auditTopicId = await createAuditTopic(client);
@@ -37,8 +55,8 @@ async function init() {
         agentAccountId: agent,
         auditTopicId,
         ...DEFAULT_CONFIG,
-        perTask: Number(flag('per-task') ?? DEFAULT_CONFIG.perTask),
-        perDay: Number(flag('per-day') ?? DEFAULT_CONFIG.perDay),
+        perTask,
+        perDay,
     };
     await publishPolicyVersion(client, config, policyTopicId, 'initial policy').catch(() => { });
     console.log(`\n✓ Audit topic:  ${auditTopicId}`);

package/dist/create-curb.d.ts

@@ -1,7 +1,7 @@
 import type { Client } from '@hiero-ledger/sdk';
-import { buildCurbHooks } from './build-hooks';
-import { type CurbStore } from './store';
-import { type CurbConfig, type Currency } from './config';
+import { buildCurbHooks } from './build-hooks.js';
+import { type CurbStore } from './store.js';
+import { type CurbConfig, type Currency } from './config.js';
 export interface CreateCurbOptions {
     /** Operator client — used to create topics and write the audit trail. */
     client: Client;

package/dist/create-curb.js

@@ -1,8 +1,8 @@
-import { buildCurbHooks } from './build-hooks';
-import { InMemoryCurbStore } from './store';
-import { createAuditTopic } from './audit';
-import { createPolicyRegistry, publishPolicyVersion } from './policy-registry';
-import { DEFAULT_CONFIG } from './config';
+import { buildCurbHooks } from './build-hooks.js';
+import { InMemoryCurbStore } from './store.js';
+import { createAuditTopic } from './audit.js';
+import { createPolicyRegistry, publishPolicyVersion } from './policy-registry.js';
+import { DEFAULT_CONFIG } from './config.js';
 /**
  * One-call setup for Curb. Auto-creates the audit topic (and an HCS-2 policy registry), defaults the
  * store to in-memory, publishes the initial policy version, and returns ready-to-use Agent Kit hooks.

package/dist/deps.d.ts

@@ -1,5 +1,5 @@
-import type { CurbConfig } from './config';
-import type { CurbStore } from './store';
+import type { CurbConfig } from './config.js';
+import type { CurbStore } from './store.js';
 /** Everything every Curb policy and hook needs at construction time. */
 export interface CurbDeps {
     cfg: CurbConfig;

package/dist/extract.js

@@ -1,6 +1,6 @@
 import crypto from 'node:crypto';
 import { Hbar } from '@hiero-ledger/sdk';
-import { GOVERNED_TRANSFER_TOOLS } from './tools';
+import { GOVERNED_TRANSFER_TOOLS } from './tools.js';
 /** Deterministic key for a payment (agent + recipient + amount) — used for spend holds and approvals. */
 export function paymentKey(agent, recipient, amount) {
     return crypto.createHash('sha256').update(`${agent}:${recipient}:${amount}`).digest('hex').slice(0, 16);

package/dist/hooks/curb-audit-hook.d.ts

@@ -1,5 +1,5 @@
 import { AbstractHook, type PostSecondaryActionParams } from '@hashgraph/hedera-agent-kit';
-import type { CurbDeps } from '../deps';
+import type { CurbDeps } from '../deps.js';
 /** Records every settled payment on HCS and advances the durable daily-spend counter. */
 export declare class CurbAuditHook extends AbstractHook {
     private d;

package/dist/hooks/curb-audit-hook.js

@@ -1,7 +1,7 @@
 import { AbstractHook } from '@hashgraph/hedera-agent-kit';
-import { GOVERNED_TRANSFER_TOOLS } from '../tools';
-import { extractPayment, paymentKey } from '../extract';
-import { writeRecord } from '../audit';
+import { GOVERNED_TRANSFER_TOOLS } from '../tools.js';
+import { extractPayment, paymentKey } from '../extract.js';
+import { writeRecord } from '../audit.js';
 // `toolResult` is typed `any` in the kit; these are the observed shapes for tx id.
 function extractTxId(toolResult) {
     return (toolResult?.raw?.transactionId ??

package/dist/index.d.ts

@@ -1,14 +1,14 @@
-export * from './config';
-export * from './records';
-export * from './store';
-export * from './deps';
-export * from './tools';
-export * from './extract';
-export * from './audit';
-export * from './policy-registry';
-export * from './policies/spend-limit';
-export * from './policies/counterparty-allowlist';
-export * from './policies/approval-tier';
-export * from './hooks/curb-audit-hook';
-export * from './build-hooks';
-export * from './create-curb';
+export * from './config.js';
+export * from './records.js';
+export * from './store.js';
+export * from './deps.js';
+export * from './tools.js';
+export * from './extract.js';
+export * from './audit.js';
+export * from './policy-registry.js';
+export * from './policies/spend-limit.js';
+export * from './policies/counterparty-allowlist.js';
+export * from './policies/approval-tier.js';
+export * from './hooks/curb-audit-hook.js';
+export * from './build-hooks.js';
+export * from './create-curb.js';

package/dist/index.js

@@ -1,14 +1,14 @@
-export * from './config';
-export * from './records';
-export * from './store';
-export * from './deps';
-export * from './tools';
-export * from './extract';
-export * from './audit';
-export * from './policy-registry';
-export * from './policies/spend-limit';
-export * from './policies/counterparty-allowlist';
-export * from './policies/approval-tier';
-export * from './hooks/curb-audit-hook';
-export * from './build-hooks';
-export * from './create-curb';
+export * from './config.js';
+export * from './records.js';
+export * from './store.js';
+export * from './deps.js';
+export * from './tools.js';
+export * from './extract.js';
+export * from './audit.js';
+export * from './policy-registry.js';
+export * from './policies/spend-limit.js';
+export * from './policies/counterparty-allowlist.js';
+export * from './policies/approval-tier.js';
+export * from './hooks/curb-audit-hook.js';
+export * from './build-hooks.js';
+export * from './create-curb.js';

package/dist/policies/approval-tier.d.ts

@@ -1,5 +1,5 @@
 import { AbstractPolicy, type PostParamsNormalizationParams } from '@hashgraph/hedera-agent-kit';
-import type { CurbDeps } from '../deps';
+import type { CurbDeps } from '../deps.js';
 /**
  * Tiered human-in-the-loop:
  *  - below `autoUnder`  → auto-approve

package/dist/policies/approval-tier.js

@@ -1,8 +1,8 @@
 import crypto from 'node:crypto';
 import { AbstractPolicy } from '@hashgraph/hedera-agent-kit';
-import { GOVERNED_TRANSFER_TOOLS } from '../tools';
-import { extractPayment } from '../extract';
-import { writeRecord } from '../audit';
+import { GOVERNED_TRANSFER_TOOLS } from '../tools.js';
+import { extractPayment } from '../extract.js';
+import { writeRecord } from '../audit.js';
 /**
  * Tiered human-in-the-loop:
  *  - below `autoUnder`  → auto-approve

package/dist/policies/counterparty-allowlist.d.ts

@@ -1,5 +1,5 @@
 import { AbstractPolicy, type PostParamsNormalizationParams } from '@hashgraph/hedera-agent-kit';
-import type { CurbDeps } from '../deps';
+import type { CurbDeps } from '../deps.js';
 /** Blocks payments to any account not on the allowlist. */
 export declare class CounterpartyAllowlistPolicy extends AbstractPolicy {
     private d;

package/dist/policies/counterparty-allowlist.js

@@ -1,7 +1,7 @@
 import { AbstractPolicy } from '@hashgraph/hedera-agent-kit';
-import { GOVERNED_TRANSFER_TOOLS } from '../tools';
-import { extractPayment } from '../extract';
-import { writeRecord } from '../audit';
+import { GOVERNED_TRANSFER_TOOLS } from '../tools.js';
+import { extractPayment } from '../extract.js';
+import { writeRecord } from '../audit.js';
 /** Blocks payments to any account not on the allowlist. */
 export class CounterpartyAllowlistPolicy extends AbstractPolicy {
     d;

package/dist/policies/spend-limit.d.ts

@@ -1,5 +1,5 @@
 import { AbstractPolicy, type PostParamsNormalizationParams } from '@hashgraph/hedera-agent-kit';
-import type { CurbDeps } from '../deps';
+import type { CurbDeps } from '../deps.js';
 /**
  * Blocks a payment that would breach the per-task or rolling daily budget.
  * The daily check is an **atomic reserve** (a short-lived hold) so two concurrent payments can't both

package/dist/policies/spend-limit.js

@@ -1,7 +1,7 @@
 import { AbstractPolicy } from '@hashgraph/hedera-agent-kit';
-import { GOVERNED_TRANSFER_TOOLS } from '../tools';
-import { extractPayment, paymentKey } from '../extract';
-import { writeRecord } from '../audit';
+import { GOVERNED_TRANSFER_TOOLS } from '../tools.js';
+import { extractPayment, paymentKey } from '../extract.js';
+import { writeRecord } from '../audit.js';
 /**
  * Blocks a payment that would breach the per-task or rolling daily budget.
  * The daily check is an **atomic reserve** (a short-lived hold) so two concurrent payments can't both

package/dist/policy-registry.d.ts

@@ -1,5 +1,5 @@
 import { Client } from '@hiero-ledger/sdk';
-import type { CurbConfig } from './config';
+import type { CurbConfig } from './config.js';
 /** The policy fields that are versioned on-chain. */
 export interface PolicySnapshot {
     currency: string;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "hedera-curb",
-  "version": "0.4.0",
+  "version": "0.4.2",
   "description": "Verifiable spend-control policies for Hedera AI agents — drop-in Hedera Agent Kit hooks for budgets, allowlists, human approval, and an immutable HCS audit trail.",
   "license": "MIT",
   "type": "module",
@@ -14,7 +14,8 @@
     ".": {
       "types": "./dist/index.d.ts",
       "import": "./dist/index.js"
-    }
+    },
+    "./package.json": "./package.json"
   },
   "files": ["dist", "README.md"],
   "sideEffects": false,