npm - kavachos - Versions diffs - 0.0.1 - Mend

kavachos 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (32) hide show

package/LICENSE +21 -0
package/dist/agent/index.d.ts +32 -0
package/dist/agent/index.js +5 -0
package/dist/agent/index.js.map +1 -0
package/dist/audit/index.d.ts +19 -0
package/dist/audit/index.js +5 -0
package/dist/audit/index.js.map +1 -0
package/dist/auth/index.d.ts +2 -0
package/dist/auth/index.js +3 -0
package/dist/auth/index.js.map +1 -0
package/dist/chunk-D2LJLY7F.js +207 -0
package/dist/chunk-D2LJLY7F.js.map +1 -0
package/dist/chunk-DTCKF26N.js +208 -0
package/dist/chunk-DTCKF26N.js.map +1 -0
package/dist/chunk-PZ5AY32C.js +9 -0
package/dist/chunk-PZ5AY32C.js.map +1 -0
package/dist/chunk-XSYYQH75.js +153 -0
package/dist/chunk-XSYYQH75.js.map +1 -0
package/dist/chunk-XW2X3O53.js +92 -0
package/dist/chunk-XW2X3O53.js.map +1 -0
package/dist/index.d.ts +181 -0
package/dist/index.js +862 -0
package/dist/index.js.map +1 -0
package/dist/mcp/index.d.ts +222 -0
package/dist/mcp/index.js +1005 -0
package/dist/mcp/index.js.map +1 -0
package/dist/permission/index.d.ts +84 -0
package/dist/permission/index.js +5 -0
package/dist/permission/index.js.map +1 -0
package/dist/types-C5htunW6.d.ts +351 -0
package/dist/types-fHHAt3tt.d.ts +2127 -0
package/package.json +100 -0

package/dist/chunk-XSYYQH75.js ADDED Viewed

@@ -0,0 +1,153 @@
+import { __export } from './chunk-PZ5AY32C.js';
+import { sqliteTable, integer, text } from 'drizzle-orm/sqlite-core';
+// src/db/schema.ts
+var schema_exports = {};
+__export(schema_exports, {
+  agents: () => agents,
+  auditLogs: () => auditLogs,
+  delegationChains: () => delegationChains,
+  mcpServers: () => mcpServers,
+  oauthAccessTokens: () => oauthAccessTokens,
+  oauthAuthorizationCodes: () => oauthAuthorizationCodes,
+  oauthClients: () => oauthClients,
+  permissions: () => permissions,
+  rateLimits: () => rateLimits,
+  users: () => users
+});
+var users = sqliteTable("kavach_users", {
+  id: text("id").primaryKey(),
+  email: text("email").notNull().unique(),
+  name: text("name"),
+  externalId: text("external_id"),
+  // ID from external auth (better-auth, Auth.js, etc.)
+  externalProvider: text("external_provider"),
+  // "better-auth", "authjs", "clerk", etc.
+  metadata: text("metadata", { mode: "json" }).$type(),
+  createdAt: integer("created_at", { mode: "timestamp" }).notNull(),
+  updatedAt: integer("updated_at", { mode: "timestamp" }).notNull()
+});
+var agents = sqliteTable("kavach_agents", {
+  id: text("id").primaryKey(),
+  ownerId: text("owner_id").notNull().references(() => users.id),
+  name: text("name").notNull(),
+  type: text("type", { enum: ["autonomous", "delegated", "service"] }).notNull(),
+  status: text("status", { enum: ["active", "revoked", "expired"] }).notNull().default("active"),
+  tokenHash: text("token_hash").notNull(),
+  // hashed agent token
+  tokenPrefix: text("token_prefix").notNull(),
+  // first 8 chars for identification
+  expiresAt: integer("expires_at", { mode: "timestamp" }),
+  lastActiveAt: integer("last_active_at", { mode: "timestamp" }),
+  metadata: text("metadata", { mode: "json" }).$type(),
+  createdAt: integer("created_at", { mode: "timestamp" }).notNull(),
+  updatedAt: integer("updated_at", { mode: "timestamp" }).notNull()
+});
+var permissions = sqliteTable("kavach_permissions", {
+  id: text("id").primaryKey(),
+  agentId: text("agent_id").notNull().references(() => agents.id, { onDelete: "cascade" }),
+  resource: text("resource").notNull(),
+  // e.g. "mcp:github:*", "tool:file_read"
+  actions: text("actions", { mode: "json" }).notNull().$type(),
+  // ["read", "write", "execute"]
+  constraints: text("constraints", { mode: "json" }).$type(),
+  createdAt: integer("created_at", { mode: "timestamp" }).notNull()
+});
+var delegationChains = sqliteTable("kavach_delegation_chains", {
+  id: text("id").primaryKey(),
+  fromAgentId: text("from_agent_id").notNull().references(() => agents.id),
+  toAgentId: text("to_agent_id").notNull().references(() => agents.id),
+  permissions: text("permissions", { mode: "json" }).notNull().$type(),
+  depth: integer("depth").notNull().default(1),
+  maxDepth: integer("max_depth").notNull().default(3),
+  status: text("status", { enum: ["active", "revoked", "expired"] }).notNull().default("active"),
+  expiresAt: integer("expires_at", { mode: "timestamp" }).notNull(),
+  createdAt: integer("created_at", { mode: "timestamp" }).notNull()
+});
+var auditLogs = sqliteTable("kavach_audit_logs", {
+  id: text("id").primaryKey(),
+  agentId: text("agent_id").notNull().references(() => agents.id),
+  userId: text("user_id").notNull().references(() => users.id),
+  action: text("action").notNull(),
+  // "execute", "read", "write", "delete"
+  resource: text("resource").notNull(),
+  // "mcp:github:create_issue"
+  parameters: text("parameters", { mode: "json" }).$type(),
+  result: text("result", { enum: ["allowed", "denied", "rate_limited"] }).notNull(),
+  reason: text("reason"),
+  // why denied/rate_limited
+  durationMs: integer("duration_ms").notNull(),
+  tokensCost: integer("tokens_cost"),
+  ip: text("ip"),
+  userAgent: text("user_agent"),
+  timestamp: integer("timestamp", { mode: "timestamp" }).notNull()
+});
+var rateLimits = sqliteTable("kavach_rate_limits", {
+  id: text("id").primaryKey(),
+  agentId: text("agent_id").notNull().references(() => agents.id, { onDelete: "cascade" }),
+  resource: text("resource").notNull(),
+  windowStart: integer("window_start", { mode: "timestamp" }).notNull(),
+  count: integer("count").notNull().default(0)
+});
+var mcpServers = sqliteTable("kavach_mcp_servers", {
+  id: text("id").primaryKey(),
+  name: text("name").notNull(),
+  endpoint: text("endpoint").notNull().unique(),
+  tools: text("tools", { mode: "json" }).notNull().$type(),
+  authRequired: integer("auth_required", { mode: "boolean" }).notNull().default(true),
+  rateLimitRpm: integer("rate_limit_rpm"),
+  status: text("status", { enum: ["active", "inactive"] }).notNull().default("active"),
+  createdAt: integer("created_at", { mode: "timestamp" }).notNull(),
+  updatedAt: integer("updated_at", { mode: "timestamp" }).notNull()
+});
+var oauthClients = sqliteTable("kavach_oauth_clients", {
+  id: text("id").primaryKey(),
+  clientId: text("client_id").notNull().unique(),
+  clientSecret: text("client_secret"),
+  // null for public clients
+  clientName: text("client_name"),
+  clientUri: text("client_uri"),
+  redirectUris: text("redirect_uris", { mode: "json" }).notNull().$type(),
+  grantTypes: text("grant_types", { mode: "json" }).notNull().$type().default(["authorization_code"]),
+  responseTypes: text("response_types", { mode: "json" }).notNull().$type().default(["code"]),
+  tokenEndpointAuthMethod: text("token_endpoint_auth_method").notNull().default("client_secret_basic"),
+  type: text("type", { enum: ["public", "confidential"] }).notNull().default("confidential"),
+  disabled: integer("disabled", { mode: "boolean" }).notNull().default(false),
+  metadata: text("metadata", { mode: "json" }).$type(),
+  createdAt: integer("created_at", { mode: "timestamp" }).notNull(),
+  updatedAt: integer("updated_at", { mode: "timestamp" }).notNull()
+});
+var oauthAccessTokens = sqliteTable("kavach_oauth_access_tokens", {
+  id: text("id").primaryKey(),
+  accessToken: text("access_token").notNull().unique(),
+  refreshToken: text("refresh_token").unique(),
+  clientId: text("client_id").notNull().references(() => oauthClients.clientId),
+  userId: text("user_id").notNull().references(() => users.id),
+  scopes: text("scopes").notNull(),
+  // space-separated
+  resource: text("resource"),
+  // RFC 8707 - audience binding
+  accessTokenExpiresAt: integer("access_token_expires_at", { mode: "timestamp" }).notNull(),
+  refreshTokenExpiresAt: integer("refresh_token_expires_at", { mode: "timestamp" }),
+  createdAt: integer("created_at", { mode: "timestamp" }).notNull()
+});
+var oauthAuthorizationCodes = sqliteTable("kavach_oauth_authorization_codes", {
+  id: text("id").primaryKey(),
+  code: text("code").notNull().unique(),
+  clientId: text("client_id").notNull().references(() => oauthClients.clientId),
+  userId: text("user_id").notNull().references(() => users.id),
+  redirectUri: text("redirect_uri").notNull(),
+  scopes: text("scopes").notNull(),
+  codeChallenge: text("code_challenge"),
+  // PKCE
+  codeChallengeMethod: text("code_challenge_method"),
+  // "S256"
+  resource: text("resource"),
+  // RFC 8707
+  expiresAt: integer("expires_at", { mode: "timestamp" }).notNull(),
+  createdAt: integer("created_at", { mode: "timestamp" }).notNull()
+});
+export { agents, auditLogs, delegationChains, mcpServers, oauthAccessTokens, oauthAuthorizationCodes, oauthClients, permissions, rateLimits, schema_exports, users };
+//# sourceMappingURL=chunk-XSYYQH75.js.map
+//# sourceMappingURL=chunk-XSYYQH75.js.map

package/dist/chunk-XSYYQH75.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/db/schema.ts"],"names":[],"mappings":";;;;AAAA,IAAA,cAAA,GAAA;AAAA,QAAA,CAAA,cAAA,EAAA;AAAA,EAAA,MAAA,EAAA,MAAA,MAAA;AAAA,EAAA,SAAA,EAAA,MAAA,SAAA;AAAA,EAAA,gBAAA,EAAA,MAAA,gBAAA;AAAA,EAAA,UAAA,EAAA,MAAA,UAAA;AAAA,EAAA,iBAAA,EAAA,MAAA,iBAAA;AAAA,EAAA,uBAAA,EAAA,MAAA,uBAAA;AAAA,EAAA,YAAA,EAAA,MAAA,YAAA;AAAA,EAAA,WAAA,EAAA,MAAA,WAAA;AAAA,EAAA,UAAA,EAAA,MAAA,UAAA;AAAA,EAAA,KAAA,EAAA,MAAA;AAAA,CAAA,CAAA;AAKO,IAAM,KAAA,GAAQ,YAAY,cAAA,EAAgB;AAAA,EAChD,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,OAAO,IAAA,CAAK,OAAO,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EACtC,IAAA,EAAM,KAAK,MAAM,CAAA;AAAA,EACjB,UAAA,EAAY,KAAK,aAAa,CAAA;AAAA;AAAA,EAC9B,gBAAA,EAAkB,KAAK,mBAAmB,CAAA;AAAA;AAAA,EAC1C,QAAA,EAAU,KAAK,UAAA,EAAY,EAAE,MAAM,MAAA,EAAQ,EAAE,KAAA,EAA+B;AAAA,EAC5E,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAKM,IAAM,MAAA,GAAS,YAAY,eAAA,EAAiB;AAAA,EAClD,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,OAAA,EAAS,KAAK,UAAU,CAAA,CACtB,SAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAE,CAAA;AAAA,EAC3B,IAAA,EAAM,IAAA,CAAK,MAAM,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC3B,IAAA,EAAM,IAAA,CAAK,MAAA,EAAQ,EAAE,IAAA,EAAM,CAAC,YAAA,EAAc,WAAA,EAAa,SAAS,CAAA,EAAG,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC7E,MAAA,EAAQ,IAAA,CAAK,QAAA,EAAU,EAAE,MAAM,CAAC,QAAA,EAAU,SAAA,EAAW,SAAS,GAAG,CAAA,CAC/D,OAAA,EAAQ,CACR,QAAQ,QAAQ,CAAA;AAAA,EAClB,SAAA,EAAW,IAAA,CAAK,YAAY,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EACtC,WAAA,EAAa,IAAA,CAAK,cAAc,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EAC1C,WAAW,OAAA,CAAQ,YAAA,EAAc,EAAE,IAAA,EAAM,aAAa,CAAA;AAAA,EACtD,cAAc,OAAA,CAAQ,gBAAA,EAAkB,EAAE,IAAA,EAAM,aAAa,CAAA;AAAA,EAC7D,QAAA,EAAU,KAAK,UAAA,EAAY,EAAE,MAAM,MAAA,EAAQ,EAAE,KAAA,EAA+B;AAAA,EAC5E,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAKM,IAAM,WAAA,GAAc,YAAY,oBAAA,EAAsB;AAAA,EAC5D,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,OAAA,EAAS,IAAA,CAAK,UAAU,CAAA,CACtB,OAAA,EAAQ,CACR,UAAA,CAAW,MAAM,MAAA,CAAO,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;AAAA,EACrD,QAAA,EAAU,IAAA,CAAK,UAAU,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EACnC,OAAA,EAAS,IAAA,CAAK,SAAA,EAAW,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAAgB;AAAA;AAAA,EACrE,WAAA,EAAa,KAAK,aAAA,EAAe,EAAE,MAAM,MAAA,EAAQ,EAAE,KAAA,EAAgC;AAAA,EACnF,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAaM,IAAM,gBAAA,GAAmB,YAAY,0BAAA,EAA4B;AAAA,EACvE,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,WAAA,EAAa,KAAK,eAAe,CAAA,CAC/B,SAAQ,CACR,UAAA,CAAW,MAAM,MAAA,CAAO,EAAE,CAAA;AAAA,EAC5B,SAAA,EAAW,KAAK,aAAa,CAAA,CAC3B,SAAQ,CACR,UAAA,CAAW,MAAM,MAAA,CAAO,EAAE,CAAA;AAAA,EAC5B,WAAA,EAAa,IAAA,CAAK,aAAA,EAAe,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAAiC;AAAA,EAC9F,OAAO,OAAA,CAAQ,OAAO,EAAE,OAAA,EAAQ,CAAE,QAAQ,CAAC,CAAA;AAAA,EAC3C,UAAU,OAAA,CAAQ,WAAW,EAAE,OAAA,EAAQ,CAAE,QAAQ,CAAC,CAAA;AAAA,EAClD,MAAA,EAAQ,IAAA,CAAK,QAAA,EAAU,EAAE,MAAM,CAAC,QAAA,EAAU,SAAA,EAAW,SAAS,GAAG,CAAA,CAC/D,OAAA,EAAQ,CACR,QAAQ,QAAQ,CAAA;AAAA,EAClB,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAUM,IAAM,SAAA,GAAY,YAAY,mBAAA,EAAqB;AAAA,EACzD,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,OAAA,EAAS,KAAK,UAAU,CAAA,CACtB,SAAQ,CACR,UAAA,CAAW,MAAM,MAAA,CAAO,EAAE,CAAA;AAAA,EAC5B,MAAA,EAAQ,KAAK,SAAS,CAAA,CACpB,SAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAE,CAAA;AAAA,EAC3B,MAAA,EAAQ,IAAA,CAAK,QAAQ,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EAC/B,QAAA,EAAU,IAAA,CAAK,UAAU,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EACnC,UAAA,EAAY,KAAK,YAAA,EAAc,EAAE,MAAM,MAAA,EAAQ,EAAE,KAAA,EAA+B;AAAA,EAChF,MAAA,EAAQ,IAAA,CAAK,QAAA,EAAU,EAAE,IAAA,EAAM,CAAC,SAAA,EAAW,QAAA,EAAU,cAAc,CAAA,EAAG,CAAA,CAAE,OAAA,EAAQ;AAAA,EAChF,MAAA,EAAQ,KAAK,QAAQ,CAAA;AAAA;AAAA,EACrB,UAAA,EAAY,OAAA,CAAQ,aAAa,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC3C,UAAA,EAAY,QAAQ,aAAa,CAAA;AAAA,EACjC,EAAA,EAAI,KAAK,IAAI,CAAA;AAAA,EACb,SAAA,EAAW,KAAK,YAAY,CAAA;AAAA,EAC5B,SAAA,EAAW,QAAQ,WAAA,EAAa,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACxD,CAAC;AAKM,IAAM,UAAA,GAAa,YAAY,oBAAA,EAAsB;AAAA,EAC3D,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,OAAA,EAAS,IAAA,CAAK,UAAU,CAAA,CACtB,OAAA,EAAQ,CACR,UAAA,CAAW,MAAM,MAAA,CAAO,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;AAAA,EACrD,QAAA,EAAU,IAAA,CAAK,UAAU,CAAA,CAAE,OAAA,EAAQ;AAAA,EACnC,WAAA,EAAa,QAAQ,cAAA,EAAgB,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EACpE,OAAO,OAAA,CAAQ,OAAO,EAAE,OAAA,EAAQ,CAAE,QAAQ,CAAC;AAC5C,CAAC;AAKM,IAAM,UAAA,GAAa,YAAY,oBAAA,EAAsB;AAAA,EAC3D,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,IAAA,EAAM,IAAA,CAAK,MAAM,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC3B,UAAU,IAAA,CAAK,UAAU,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EAC5C,KAAA,EAAO,IAAA,CAAK,OAAA,EAAS,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAAgB;AAAA,EACjE,YAAA,EAAc,OAAA,CAAQ,eAAA,EAAiB,EAAE,IAAA,EAAM,SAAA,EAAW,CAAA,CAAE,OAAA,EAAQ,CAAE,OAAA,CAAQ,IAAI,CAAA;AAAA,EAClF,YAAA,EAAc,QAAQ,gBAAgB,CAAA;AAAA,EACtC,MAAA,EAAQ,IAAA,CAAK,QAAA,EAAU,EAAE,MAAM,CAAC,QAAA,EAAU,UAAU,CAAA,EAAG,CAAA,CACrD,OAAA,EAAQ,CACR,QAAQ,QAAQ,CAAA;AAAA,EAClB,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAKM,IAAM,YAAA,GAAe,YAAY,sBAAA,EAAwB;AAAA,EAC/D,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,UAAU,IAAA,CAAK,WAAW,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EAC7C,YAAA,EAAc,KAAK,eAAe,CAAA;AAAA;AAAA,EAClC,UAAA,EAAY,KAAK,aAAa,CAAA;AAAA,EAC9B,SAAA,EAAW,KAAK,YAAY,CAAA;AAAA,EAC5B,YAAA,EAAc,IAAA,CAAK,eAAA,EAAiB,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAAgB;AAAA,EAChF,UAAA,EAAY,IAAA,CAAK,aAAA,EAAe,EAAE,MAAM,MAAA,EAAQ,CAAA,CAC9C,OAAA,GACA,KAAA,EAAgB,CAChB,OAAA,CAAQ,CAAC,oBAAoB,CAAC,CAAA;AAAA,EAChC,aAAA,EAAe,IAAA,CAAK,gBAAA,EAAkB,EAAE,MAAM,MAAA,EAAQ,CAAA,CACpD,OAAA,GACA,KAAA,EAAgB,CAChB,OAAA,CAAQ,CAAC,MAAM,CAAC,CAAA;AAAA,EAClB,yBAAyB,IAAA,CAAK,4BAA4B,EACxD,OAAA,EAAQ,CACR,QAAQ,qBAAqB,CAAA;AAAA,EAC/B,IAAA,EAAM,IAAA,CAAK,MAAA,EAAQ,EAAE,MAAM,CAAC,QAAA,EAAU,cAAc,CAAA,EAAG,CAAA,CACrD,OAAA,EAAQ,CACR,QAAQ,cAAc,CAAA;AAAA,EACxB,QAAA,EAAU,OAAA,CAAQ,UAAA,EAAY,EAAE,IAAA,EAAM,SAAA,EAAW,CAAA,CAAE,OAAA,EAAQ,CAAE,OAAA,CAAQ,KAAK,CAAA;AAAA,EAC1E,QAAA,EAAU,KAAK,UAAA,EAAY,EAAE,MAAM,MAAA,EAAQ,EAAE,KAAA,EAA+B;AAAA,EAC5E,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAKM,IAAM,iBAAA,GAAoB,YAAY,4BAAA,EAA8B;AAAA,EAC1E,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,aAAa,IAAA,CAAK,cAAc,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EACnD,YAAA,EAAc,IAAA,CAAK,eAAe,CAAA,CAAE,MAAA,EAAO;AAAA,EAC3C,QAAA,EAAU,KAAK,WAAW,CAAA,CACxB,SAAQ,CACR,UAAA,CAAW,MAAM,YAAA,CAAa,QAAQ,CAAA;AAAA,EACxC,MAAA,EAAQ,KAAK,SAAS,CAAA,CACpB,SAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAE,CAAA;AAAA,EAC3B,MAAA,EAAQ,IAAA,CAAK,QAAQ,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EAC/B,QAAA,EAAU,KAAK,UAAU,CAAA;AAAA;AAAA,EACzB,oBAAA,EAAsB,QAAQ,yBAAA,EAA2B,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EACxF,uBAAuB,OAAA,CAAQ,0BAAA,EAA4B,EAAE,IAAA,EAAM,aAAa,CAAA;AAAA,EAChF,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAKM,IAAM,uBAAA,GAA0B,YAAY,kCAAA,EAAoC;AAAA,EACtF,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,MAAM,IAAA,CAAK,MAAM,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EACpC,QAAA,EAAU,KAAK,WAAW,CAAA,CACxB,SAAQ,CACR,UAAA,CAAW,MAAM,YAAA,CAAa,QAAQ,CAAA;AAAA,EACxC,MAAA,EAAQ,KAAK,SAAS,CAAA,CACpB,SAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAE,CAAA;AAAA,EAC3B,WAAA,EAAa,IAAA,CAAK,cAAc,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC1C,MAAA,EAAQ,IAAA,CAAK,QAAQ,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC/B,aAAA,EAAe,KAAK,gBAAgB,CAAA;AAAA;AAAA,EACpC,mBAAA,EAAqB,KAAK,uBAAuB,CAAA;AAAA;AAAA,EACjD,QAAA,EAAU,KAAK,UAAU,CAAA;AAAA;AAAA,EACzB,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC","file":"chunk-XSYYQH75.js","sourcesContent":["import { integer, sqliteTable, text } from \"drizzle-orm/sqlite-core\";\n\n// ============================================================\n// Users (basic human identity - integrates with external auth)\n// ============================================================\nexport const users = sqliteTable(\"kavach_users\", {\n\tid: text(\"id\").primaryKey(),\n\temail: text(\"email\").notNull().unique(),\n\tname: text(\"name\"),\n\texternalId: text(\"external_id\"), // ID from external auth (better-auth, Auth.js, etc.)\n\texternalProvider: text(\"external_provider\"), // \"better-auth\", \"authjs\", \"clerk\", etc.\n\tmetadata: text(\"metadata\", { mode: \"json\" }).$type<Record<string, unknown>>(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n\tupdatedAt: integer(\"updated_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Agents (the core differentiator - AI agent identities)\n// ============================================================\nexport const agents = sqliteTable(\"kavach_agents\", {\n\tid: text(\"id\").primaryKey(),\n\townerId: text(\"owner_id\")\n\t\t.notNull()\n\t\t.references(() => users.id),\n\tname: text(\"name\").notNull(),\n\ttype: text(\"type\", { enum: [\"autonomous\", \"delegated\", \"service\"] }).notNull(),\n\tstatus: text(\"status\", { enum: [\"active\", \"revoked\", \"expired\"] })\n\t\t.notNull()\n\t\t.default(\"active\"),\n\ttokenHash: text(\"token_hash\").notNull(), // hashed agent token\n\ttokenPrefix: text(\"token_prefix\").notNull(), // first 8 chars for identification\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }),\n\tlastActiveAt: integer(\"last_active_at\", { mode: \"timestamp\" }),\n\tmetadata: text(\"metadata\", { mode: \"json\" }).$type<Record<string, unknown>>(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n\tupdatedAt: integer(\"updated_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Permissions (scoped access control per agent)\n// ============================================================\nexport const permissions = sqliteTable(\"kavach_permissions\", {\n\tid: text(\"id\").primaryKey(),\n\tagentId: text(\"agent_id\")\n\t\t.notNull()\n\t\t.references(() => agents.id, { onDelete: \"cascade\" }),\n\tresource: text(\"resource\").notNull(), // e.g. \"mcp:github:*\", \"tool:file_read\"\n\tactions: text(\"actions\", { mode: \"json\" }).notNull().$type<string[]>(), // [\"read\", \"write\", \"execute\"]\n\tconstraints: text(\"constraints\", { mode: \"json\" }).$type<PermissionConstraintsRow>(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\ninterface PermissionConstraintsRow {\n\tmaxCallsPerHour?: number;\n\tallowedArgPatterns?: string[];\n\trequireApproval?: boolean;\n\ttimeWindow?: { start: string; end: string };\n\tipAllowlist?: string[];\n}\n\n// ============================================================\n// Delegation Chains (agent-to-agent permission delegation)\n// ============================================================\nexport const delegationChains = sqliteTable(\"kavach_delegation_chains\", {\n\tid: text(\"id\").primaryKey(),\n\tfromAgentId: text(\"from_agent_id\")\n\t\t.notNull()\n\t\t.references(() => agents.id),\n\ttoAgentId: text(\"to_agent_id\")\n\t\t.notNull()\n\t\t.references(() => agents.id),\n\tpermissions: text(\"permissions\", { mode: \"json\" }).notNull().$type<DelegationPermissionRow[]>(),\n\tdepth: integer(\"depth\").notNull().default(1),\n\tmaxDepth: integer(\"max_depth\").notNull().default(3),\n\tstatus: text(\"status\", { enum: [\"active\", \"revoked\", \"expired\"] })\n\t\t.notNull()\n\t\t.default(\"active\"),\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\ninterface DelegationPermissionRow {\n\tresource: string;\n\tactions: string[];\n}\n\n// ============================================================\n// Audit Logs (immutable record of every agent action)\n// ============================================================\nexport const auditLogs = sqliteTable(\"kavach_audit_logs\", {\n\tid: text(\"id\").primaryKey(),\n\tagentId: text(\"agent_id\")\n\t\t.notNull()\n\t\t.references(() => agents.id),\n\tuserId: text(\"user_id\")\n\t\t.notNull()\n\t\t.references(() => users.id),\n\taction: text(\"action\").notNull(), // \"execute\", \"read\", \"write\", \"delete\"\n\tresource: text(\"resource\").notNull(), // \"mcp:github:create_issue\"\n\tparameters: text(\"parameters\", { mode: \"json\" }).$type<Record<string, unknown>>(),\n\tresult: text(\"result\", { enum: [\"allowed\", \"denied\", \"rate_limited\"] }).notNull(),\n\treason: text(\"reason\"), // why denied/rate_limited\n\tdurationMs: integer(\"duration_ms\").notNull(),\n\ttokensCost: integer(\"tokens_cost\"),\n\tip: text(\"ip\"),\n\tuserAgent: text(\"user_agent\"),\n\ttimestamp: integer(\"timestamp\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Rate Limit Counters (track per-agent call rates)\n// ============================================================\nexport const rateLimits = sqliteTable(\"kavach_rate_limits\", {\n\tid: text(\"id\").primaryKey(),\n\tagentId: text(\"agent_id\")\n\t\t.notNull()\n\t\t.references(() => agents.id, { onDelete: \"cascade\" }),\n\tresource: text(\"resource\").notNull(),\n\twindowStart: integer(\"window_start\", { mode: \"timestamp\" }).notNull(),\n\tcount: integer(\"count\").notNull().default(0),\n});\n\n// ============================================================\n// MCP Servers (registered MCP servers)\n// ============================================================\nexport const mcpServers = sqliteTable(\"kavach_mcp_servers\", {\n\tid: text(\"id\").primaryKey(),\n\tname: text(\"name\").notNull(),\n\tendpoint: text(\"endpoint\").notNull().unique(),\n\ttools: text(\"tools\", { mode: \"json\" }).notNull().$type<string[]>(),\n\tauthRequired: integer(\"auth_required\", { mode: \"boolean\" }).notNull().default(true),\n\trateLimitRpm: integer(\"rate_limit_rpm\"),\n\tstatus: text(\"status\", { enum: [\"active\", \"inactive\"] })\n\t\t.notNull()\n\t\t.default(\"active\"),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n\tupdatedAt: integer(\"updated_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// OAuth Clients (for MCP OAuth 2.1 - dynamic client registration)\n// ============================================================\nexport const oauthClients = sqliteTable(\"kavach_oauth_clients\", {\n\tid: text(\"id\").primaryKey(),\n\tclientId: text(\"client_id\").notNull().unique(),\n\tclientSecret: text(\"client_secret\"), // null for public clients\n\tclientName: text(\"client_name\"),\n\tclientUri: text(\"client_uri\"),\n\tredirectUris: text(\"redirect_uris\", { mode: \"json\" }).notNull().$type<string[]>(),\n\tgrantTypes: text(\"grant_types\", { mode: \"json\" })\n\t\t.notNull()\n\t\t.$type<string[]>()\n\t\t.default([\"authorization_code\"]),\n\tresponseTypes: text(\"response_types\", { mode: \"json\" })\n\t\t.notNull()\n\t\t.$type<string[]>()\n\t\t.default([\"code\"]),\n\ttokenEndpointAuthMethod: text(\"token_endpoint_auth_method\")\n\t\t.notNull()\n\t\t.default(\"client_secret_basic\"),\n\ttype: text(\"type\", { enum: [\"public\", \"confidential\"] })\n\t\t.notNull()\n\t\t.default(\"confidential\"),\n\tdisabled: integer(\"disabled\", { mode: \"boolean\" }).notNull().default(false),\n\tmetadata: text(\"metadata\", { mode: \"json\" }).$type<Record<string, unknown>>(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n\tupdatedAt: integer(\"updated_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// OAuth Access Tokens (issued tokens for MCP auth)\n// ============================================================\nexport const oauthAccessTokens = sqliteTable(\"kavach_oauth_access_tokens\", {\n\tid: text(\"id\").primaryKey(),\n\taccessToken: text(\"access_token\").notNull().unique(),\n\trefreshToken: text(\"refresh_token\").unique(),\n\tclientId: text(\"client_id\")\n\t\t.notNull()\n\t\t.references(() => oauthClients.clientId),\n\tuserId: text(\"user_id\")\n\t\t.notNull()\n\t\t.references(() => users.id),\n\tscopes: text(\"scopes\").notNull(), // space-separated\n\tresource: text(\"resource\"), // RFC 8707 - audience binding\n\taccessTokenExpiresAt: integer(\"access_token_expires_at\", { mode: \"timestamp\" }).notNull(),\n\trefreshTokenExpiresAt: integer(\"refresh_token_expires_at\", { mode: \"timestamp\" }),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// OAuth Authorization Codes (temporary codes for code exchange)\n// ============================================================\nexport const oauthAuthorizationCodes = sqliteTable(\"kavach_oauth_authorization_codes\", {\n\tid: text(\"id\").primaryKey(),\n\tcode: text(\"code\").notNull().unique(),\n\tclientId: text(\"client_id\")\n\t\t.notNull()\n\t\t.references(() => oauthClients.clientId),\n\tuserId: text(\"user_id\")\n\t\t.notNull()\n\t\t.references(() => users.id),\n\tredirectUri: text(\"redirect_uri\").notNull(),\n\tscopes: text(\"scopes\").notNull(),\n\tcodeChallenge: text(\"code_challenge\"), // PKCE\n\tcodeChallengeMethod: text(\"code_challenge_method\"), // \"S256\"\n\tresource: text(\"resource\"), // RFC 8707\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n"]}

package/dist/chunk-XW2X3O53.js ADDED Viewed

@@ -0,0 +1,92 @@
+import { auditLogs } from './chunk-XSYYQH75.js';
+import { eq, gte, lte, desc, and } from 'drizzle-orm';
+function createAuditModule(config) {
+  const { db } = config;
+  async function query(filter) {
+    const conditions = [];
+    if (filter.agentId) conditions.push(eq(auditLogs.agentId, filter.agentId));
+    if (filter.userId) conditions.push(eq(auditLogs.userId, filter.userId));
+    if (filter.since) conditions.push(gte(auditLogs.timestamp, filter.since));
+    if (filter.until) conditions.push(lte(auditLogs.timestamp, filter.until));
+    if (filter.result) conditions.push(eq(auditLogs.result, filter.result));
+    let q = db.select().from(auditLogs).orderBy(desc(auditLogs.timestamp)).$dynamic();
+    if (conditions.length > 0) {
+      q = q.where(and(...conditions));
+    }
+    if (filter.limit) {
+      q = q.limit(filter.limit);
+    }
+    if (filter.offset) {
+      q = q.offset(filter.offset);
+    }
+    const rows = await q;
+    return rows.filter((row) => {
+      if (filter.actions && filter.actions.length > 0) {
+        return filter.actions.includes(row.action);
+      }
+      return true;
+    }).map(toAuditEntry);
+  }
+  async function exportLogs(options) {
+    const entries = await query({
+      since: options.since,
+      until: options.until,
+      limit: 1e4
+      // cap exports
+    });
+    if (options.format === "json") {
+      return JSON.stringify(entries, null, 2);
+    }
+    const headers = [
+      "id",
+      "agentId",
+      "userId",
+      "action",
+      "resource",
+      "result",
+      "reason",
+      "durationMs",
+      "tokensCost",
+      "timestamp"
+    ];
+    const csvRows = [headers.join(",")];
+    for (const entry of entries) {
+      csvRows.push(
+        [
+          entry.id,
+          entry.agentId,
+          entry.userId,
+          entry.action,
+          entry.resource,
+          entry.result,
+          `"${entry.reason ?? ""}"`,
+          entry.durationMs,
+          entry.tokensCost ?? "",
+          entry.timestamp.toISOString()
+        ].join(",")
+      );
+    }
+    return csvRows.join("\n");
+  }
+  return { query, export: exportLogs };
+}
+function toAuditEntry(row) {
+  return {
+    id: row.id,
+    agentId: row.agentId,
+    userId: row.userId,
+    action: row.action,
+    resource: row.resource,
+    parameters: row.parameters ?? {},
+    result: row.result,
+    reason: row.reason ?? void 0,
+    durationMs: row.durationMs,
+    tokensCost: row.tokensCost ?? void 0,
+    timestamp: row.timestamp
+  };
+}
+export { createAuditModule };
+//# sourceMappingURL=chunk-XW2X3O53.js.map
+//# sourceMappingURL=chunk-XW2X3O53.js.map

package/dist/chunk-XW2X3O53.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/audit/audit.ts"],"names":[],"mappings":";;;AAaO,SAAS,kBAAkB,MAAA,EAA2B;AAC5D,EAAA,MAAM,EAAE,IAAG,GAAI,MAAA;AAEf,EAAA,eAAe,MAAM,MAAA,EAA4C;AAChE,IAAA,MAAM,aAAa,EAAC;AAEpB,IAAA,IAAI,MAAA,CAAO,SAAS,UAAA,CAAW,IAAA,CAAK,GAAG,SAAA,CAAU,OAAA,EAAS,MAAA,CAAO,OAAO,CAAC,CAAA;AACzE,IAAA,IAAI,MAAA,CAAO,QAAQ,UAAA,CAAW,IAAA,CAAK,GAAG,SAAA,CAAU,MAAA,EAAQ,MAAA,CAAO,MAAM,CAAC,CAAA;AACtE,IAAA,IAAI,MAAA,CAAO,OAAO,UAAA,CAAW,IAAA,CAAK,IAAI,SAAA,CAAU,SAAA,EAAW,MAAA,CAAO,KAAK,CAAC,CAAA;AACxE,IAAA,IAAI,MAAA,CAAO,OAAO,UAAA,CAAW,IAAA,CAAK,IAAI,SAAA,CAAU,SAAA,EAAW,MAAA,CAAO,KAAK,CAAC,CAAA;AACxE,IAAA,IAAI,MAAA,CAAO,QAAQ,UAAA,CAAW,IAAA,CAAK,GAAG,SAAA,CAAU,MAAA,EAAQ,MAAA,CAAO,MAAM,CAAC,CAAA;AAEtE,IAAA,IAAI,CAAA,GAAI,EAAA,CAAG,MAAA,EAAO,CAAE,IAAA,CAAK,SAAS,CAAA,CAAE,OAAA,CAAQ,IAAA,CAAK,SAAA,CAAU,SAAS,CAAC,EAAE,QAAA,EAAS;AAEhF,IAAA,IAAI,UAAA,CAAW,SAAS,CAAA,EAAG;AAC1B,MAAA,CAAA,GAAI,CAAA,CAAE,KAAA,CAAM,GAAA,CAAI,GAAG,UAAU,CAAC,CAAA;AAAA,IAC/B;AAEA,IAAA,IAAI,OAAO,KAAA,EAAO;AACjB,MAAA,CAAA,GAAI,CAAA,CAAE,KAAA,CAAM,MAAA,CAAO,KAAK,CAAA;AAAA,IACzB;AACA,IAAA,IAAI,OAAO,MAAA,EAAQ;AAClB,MAAA,CAAA,GAAI,CAAA,CAAE,MAAA,CAAO,MAAA,CAAO,MAAM,CAAA;AAAA,IAC3B;AAEA,IAAA,MAAM,OAAO,MAAM,CAAA;AAEnB,IAAA,OAAO,IAAA,CACL,MAAA,CAAO,CAAC,GAAA,KAAQ;AAEhB,MAAA,IAAI,MAAA,CAAO,OAAA,IAAW,MAAA,CAAO,OAAA,CAAQ,SAAS,CAAA,EAAG;AAChD,QAAA,OAAO,MAAA,CAAO,OAAA,CAAQ,QAAA,CAAS,GAAA,CAAI,MAAM,CAAA;AAAA,MAC1C;AACA,MAAA,OAAO,IAAA;AAAA,IACR,CAAC,CAAA,CACA,GAAA,CAAI,YAAY,CAAA;AAAA,EACnB;AAEA,EAAA,eAAe,WAAW,OAAA,EAA8C;AACvE,IAAA,MAAM,OAAA,GAAU,MAAM,KAAA,CAAM;AAAA,MAC3B,OAAO,OAAA,CAAQ,KAAA;AAAA,MACf,OAAO,OAAA,CAAQ,KAAA;AAAA,MACf,KAAA,EAAO;AAAA;AAAA,KACP,CAAA;AAED,IAAA,IAAI,OAAA,CAAQ,WAAW,MAAA,EAAQ;AAC9B,MAAA,OAAO,IAAA,CAAK,SAAA,CAAU,OAAA,EAAS,IAAA,EAAM,CAAC,CAAA;AAAA,IACvC;AAGA,IAAA,MAAM,OAAA,GAAU;AAAA,MACf,IAAA;AAAA,MACA,SAAA;AAAA,MACA,QAAA;AAAA,MACA,QAAA;AAAA,MACA,UAAA;AAAA,MACA,QAAA;AAAA,MACA,QAAA;AAAA,MACA,YAAA;AAAA,MACA,YAAA;AAAA,MACA;AAAA,KACD;AACA,IAAA,MAAM,OAAA,GAAU,CAAC,OAAA,CAAQ,IAAA,CAAK,GAAG,CAAC,CAAA;AAElC,IAAA,KAAA,MAAW,SAAS,OAAA,EAAS;AAC5B,MAAA,OAAA,CAAQ,IAAA;AAAA,QACP;AAAA,UACC,KAAA,CAAM,EAAA;AAAA,UACN,KAAA,CAAM,OAAA;AAAA,UACN,KAAA,CAAM,MAAA;AAAA,UACN,KAAA,CAAM,MAAA;AAAA,UACN,KAAA,CAAM,QAAA;AAAA,UACN,KAAA,CAAM,MAAA;AAAA,UACN,CAAA,CAAA,EAAK,KAAA,CAA2C,MAAA,IAAU,EAAE,CAAA,CAAA,CAAA;AAAA,UAC5D,KAAA,CAAM,UAAA;AAAA,UACN,MAAM,UAAA,IAAc,EAAA;AAAA,UACpB,KAAA,CAAM,UAAU,WAAA;AAAY,SAC7B,CAAE,KAAK,GAAG;AAAA,OACX;AAAA,IACD;AAEA,IAAA,OAAO,OAAA,CAAQ,KAAK,IAAI,CAAA;AAAA,EACzB;AAEA,EAAA,OAAO,EAAE,KAAA,EAAO,MAAA,EAAQ,UAAA,EAAW;AACpC;AAEA,SAAS,aAAa,GAAA,EAAgD;AACrE,EAAA,OAAO;AAAA,IACN,IAAI,GAAA,CAAI,EAAA;AAAA,IACR,SAAS,GAAA,CAAI,OAAA;AAAA,IACb,QAAQ,GAAA,CAAI,MAAA;AAAA,IACZ,QAAQ,GAAA,CAAI,MAAA;AAAA,IACZ,UAAU,GAAA,CAAI,QAAA;AAAA,IACd,UAAA,EAAa,GAAA,CAAI,UAAA,IAA0C,EAAC;AAAA,IAC5D,QAAQ,GAAA,CAAI,MAAA;AAAA,IACZ,MAAA,EAAQ,IAAI,MAAA,IAAU,MAAA;AAAA,IACtB,YAAY,GAAA,CAAI,UAAA;AAAA,IAChB,UAAA,EAAY,IAAI,UAAA,IAAc,MAAA;AAAA,IAC9B,WAAW,GAAA,CAAI;AAAA,GAChB;AACD","file":"chunk-XW2X3O53.js","sourcesContent":["import { and, desc, eq, gte, lte } from \"drizzle-orm\";\nimport type { Database } from \"../db/database.js\";\nimport { auditLogs } from \"../db/schema.js\";\nimport type { AuditEntry, AuditExportOptions, AuditFilter } from \"../types.js\";\n\ninterface AuditModuleConfig {\n\tdb: Database;\n}\n\n/**\n * Create the audit log module.\n * Provides query and export capabilities for the immutable audit trail.\n */\nexport function createAuditModule(config: AuditModuleConfig) {\n\tconst { db } = config;\n\n\tasync function query(filter: AuditFilter): Promise<AuditEntry[]> {\n\t\tconst conditions = [];\n\n\t\tif (filter.agentId) conditions.push(eq(auditLogs.agentId, filter.agentId));\n\t\tif (filter.userId) conditions.push(eq(auditLogs.userId, filter.userId));\n\t\tif (filter.since) conditions.push(gte(auditLogs.timestamp, filter.since));\n\t\tif (filter.until) conditions.push(lte(auditLogs.timestamp, filter.until));\n\t\tif (filter.result) conditions.push(eq(auditLogs.result, filter.result));\n\n\t\tlet q = db.select().from(auditLogs).orderBy(desc(auditLogs.timestamp)).$dynamic();\n\n\t\tif (conditions.length > 0) {\n\t\t\tq = q.where(and(...conditions));\n\t\t}\n\n\t\tif (filter.limit) {\n\t\t\tq = q.limit(filter.limit);\n\t\t}\n\t\tif (filter.offset) {\n\t\t\tq = q.offset(filter.offset);\n\t\t}\n\n\t\tconst rows = await q;\n\n\t\treturn rows\n\t\t\t.filter((row) => {\n\t\t\t\t// Filter by actions if specified\n\t\t\t\tif (filter.actions && filter.actions.length > 0) {\n\t\t\t\t\treturn filter.actions.includes(row.action);\n\t\t\t\t}\n\t\t\t\treturn true;\n\t\t\t})\n\t\t\t.map(toAuditEntry);\n\t}\n\n\tasync function exportLogs(options: AuditExportOptions): Promise<string> {\n\t\tconst entries = await query({\n\t\t\tsince: options.since,\n\t\t\tuntil: options.until,\n\t\t\tlimit: 10000, // cap exports\n\t\t});\n\n\t\tif (options.format === \"json\") {\n\t\t\treturn JSON.stringify(entries, null, 2);\n\t\t}\n\n\t\t// CSV format\n\t\tconst headers = [\n\t\t\t\"id\",\n\t\t\t\"agentId\",\n\t\t\t\"userId\",\n\t\t\t\"action\",\n\t\t\t\"resource\",\n\t\t\t\"result\",\n\t\t\t\"reason\",\n\t\t\t\"durationMs\",\n\t\t\t\"tokensCost\",\n\t\t\t\"timestamp\",\n\t\t];\n\t\tconst csvRows = [headers.join(\",\")];\n\n\t\tfor (const entry of entries) {\n\t\t\tcsvRows.push(\n\t\t\t\t[\n\t\t\t\t\tentry.id,\n\t\t\t\t\tentry.agentId,\n\t\t\t\t\tentry.userId,\n\t\t\t\t\tentry.action,\n\t\t\t\t\tentry.resource,\n\t\t\t\t\tentry.result,\n\t\t\t\t\t`\"${(entry as AuditEntry & { reason?: string }).reason ?? \"\"}\"`,\n\t\t\t\t\tentry.durationMs,\n\t\t\t\t\tentry.tokensCost ?? \"\",\n\t\t\t\t\tentry.timestamp.toISOString(),\n\t\t\t\t].join(\",\"),\n\t\t\t);\n\t\t}\n\n\t\treturn csvRows.join(\"\\n\");\n\t}\n\n\treturn { query, export: exportLogs };\n}\n\nfunction toAuditEntry(row: typeof auditLogs.$inferSelect): AuditEntry {\n\treturn {\n\t\tid: row.id,\n\t\tagentId: row.agentId,\n\t\tuserId: row.userId,\n\t\taction: row.action,\n\t\tresource: row.resource,\n\t\tparameters: (row.parameters as Record<string, unknown>) ?? {},\n\t\tresult: row.result as AuditEntry[\"result\"],\n\t\treason: row.reason ?? undefined,\n\t\tdurationMs: row.durationMs,\n\t\ttokensCost: row.tokensCost ?? undefined,\n\t\ttimestamp: row.timestamp,\n\t};\n}\n"]}

package/dist/index.d.ts ADDED Viewed

@@ -0,0 +1,181 @@
+export { createAgentModule } from './agent/index.js';
+import { D as Database, a as DatabaseConfig, b as DelegateInput, P as Permission, c as DelegationChain, K as KavachConfig, C as CreateAgentInput, A as AgentIdentity, d as AgentFilter, U as UpdateAgentInput, e as AuthorizeRequest, f as AuthorizeResult, g as AuditFilter, h as AuditEntry, i as AuditExportOptions } from './types-fHHAt3tt.js';
+export { j as AgentConfig, k as DatabaseConfig, l as KavachInstance, M as McpMiddleware, m as McpServer, n as McpServerInput, o as PermissionConstraints, T as TokenValidationResult, p as agents, q as auditLogs, r as createDatabase, s as createDatabaseSync, t as delegationChains, u as mcpServers, v as oauthAccessTokens, w as oauthAuthorizationCodes, x as oauthClients, y as permissions, z as rateLimits, B as users } from './types-fHHAt3tt.js';
+export { createAuditModule } from './audit/index.js';
+export { PermissionTemplateName, createPermissionEngine, getPermissionTemplate, permissionTemplates } from './permission/index.js';
+import 'drizzle-orm/better-sqlite3';
+import 'drizzle-orm/sqlite-core';
+import './types-C5htunW6.js';
+import 'zod';
+/**
+ * Create all KavachOS tables if they do not already exist.
+ *
+ * Uses `CREATE TABLE IF NOT EXISTS` so it is safe to call on every startup.
+ * Tables are created in dependency order (no forward-reference FK issues).
+ *
+ * @param db       Drizzle database instance returned by `createDatabase()`.
+ * @param provider The database provider used to build the correct DDL syntax.
+ *
+ * @example
+ * ```typescript
+ * const db = await createDatabase({ provider: 'postgres', url: process.env.DATABASE_URL });
+ * await createTables(db, 'postgres');
+ * ```
+ */
+declare function createTables(db: Database, provider: DatabaseConfig["provider"]): Promise<void>;
+interface DelegationModuleConfig {
+    db: Database;
+}
+/**
+ * Create the delegation module.
+ * Handles agent-to-agent permission delegation with chain tracking.
+ */
+declare function createDelegationModule(config: DelegationModuleConfig): {
+    delegate: (input: DelegateInput, parentPermissions: Permission[]) => Promise<DelegationChain>;
+    revokeDelegation: (chainId: string) => Promise<void>;
+    getEffectivePermissions: (agentId: string) => Promise<Permission[]>;
+    listChains: (agentId: string) => Promise<DelegationChain[]>;
+};
+/**
+ * Create a KavachOS instance.
+ *
+ * The factory is **async** so it can open database connections for Postgres
+ * and MySQL (which require async driver initialisation) and optionally run
+ * `CREATE TABLE IF NOT EXISTS` for all schema tables.
+ *
+ * @example SQLite (simplest)
+ * ```typescript
+ * import { createKavach } from 'kavachos';
+ *
+ * const kavach = await createKavach({
+ *   database: { provider: 'sqlite', url: 'kavach.db' },
+ * });
+ * ```
+ *
+ * @example Postgres
+ * ```typescript
+ * const kavach = await createKavach({
+ *   database: { provider: 'postgres', url: process.env.DATABASE_URL },
+ * });
+ * ```
+ *
+ * @example MySQL – skip auto-migration (tables managed externally)
+ * ```typescript
+ * const kavach = await createKavach({
+ *   database: {
+ *     provider: 'mysql',
+ *     url: process.env.DATABASE_URL,
+ *     skipMigrations: true,
+ *   },
+ * });
+ * ```
+ */
+declare function createKavach(config: KavachConfig): Promise<{
+    agent: {
+        create: (input: CreateAgentInput) => Promise<AgentIdentity & {
+            token: string;
+        }>;
+        get: (agentId: string) => Promise<AgentIdentity | null>;
+        list: (filter?: AgentFilter) => Promise<AgentIdentity[]>;
+        update: (agentId: string, input: UpdateAgentInput) => Promise<AgentIdentity>;
+        revoke: (agentId: string) => Promise<void>;
+        rotate: (agentId: string) => Promise<AgentIdentity & {
+            token: string;
+        }>;
+        validateToken: (token: string) => Promise<AgentIdentity | null>;
+    };
+    authorize: (agentId: string, request: AuthorizeRequest) => Promise<AuthorizeResult>;
+    authorizeByToken: (token: string, request: AuthorizeRequest) => Promise<AuthorizeResult>;
+    delegate: (input: DelegateInput) => Promise<DelegationChain>;
+    delegation: {
+        revoke: (chainId: string) => Promise<void>;
+        getEffectivePermissions: (agentId: string) => Promise<Permission[]>;
+        listChains: (agentId: string) => Promise<DelegationChain[]>;
+    };
+    audit: {
+        query: (filter: AuditFilter) => Promise<AuditEntry[]>;
+        export: (options: AuditExportOptions) => Promise<string>;
+    };
+    /** Direct database access for advanced usage */
+    db: Database;
+}>;
+type Kavach = Awaited<ReturnType<typeof createKavach>>;
+/**
+ * OpenAPI 3.1 specification generator for KavachOS REST API.
+ *
+ * This generates the spec that enables auto-generated SDKs
+ * for Python, Go, Java, Rust, etc. via OpenAPI codegen tools.
+ */
+interface OpenAPISpec {
+    openapi: string;
+    info: {
+        title: string;
+        version: string;
+        description: string;
+    };
+    servers: Array<{
+        url: string;
+        description: string;
+    }>;
+    paths: Record<string, Record<string, PathOperation>>;
+    components: {
+        schemas: Record<string, SchemaObject>;
+        securitySchemes: Record<string, SecurityScheme>;
+    };
+}
+interface PathOperation {
+    summary: string;
+    operationId: string;
+    tags: string[];
+    security?: Array<Record<string, string[]>>;
+    parameters?: ParameterObject[];
+    requestBody?: {
+        required: boolean;
+        content: Record<string, {
+            schema: SchemaRef;
+        }>;
+    };
+    responses: Record<string, {
+        description: string;
+        content?: Record<string, {
+            schema: SchemaRef;
+        }>;
+    }>;
+}
+interface ParameterObject {
+    name: string;
+    in: "query" | "path" | "header";
+    required: boolean;
+    schema: SchemaRef;
+}
+interface SecurityScheme {
+    type: string;
+    scheme?: string;
+    bearerFormat?: string;
+}
+type SchemaRef = {
+    $ref: string;
+} | SchemaObject;
+interface SchemaObject {
+    type?: string;
+    properties?: Record<string, SchemaRef>;
+    required?: string[];
+    items?: SchemaRef;
+    enum?: string[];
+    description?: string;
+    format?: string;
+    nullable?: boolean;
+}
+/**
+ * Generate the full OpenAPI 3.1 specification for the KavachOS REST API.
+ */
+declare function generateOpenAPISpec(options?: {
+    baseUrl?: string;
+    version?: string;
+}): OpenAPISpec;
+export { AgentFilter, AgentIdentity, AuditEntry, AuditExportOptions, AuditFilter, AuthorizeRequest, AuthorizeResult, CreateAgentInput, Database, DelegateInput, DelegationChain, type Kavach, KavachConfig, Permission, UpdateAgentInput, createDelegationModule, createKavach, createTables, generateOpenAPISpec };