kavachos 0.0.2 → 0.0.3

@@ -300,9 +300,9 @@ declare const McpClientRegistrationSchema: z.ZodObject<{
300
300
  client_uri?: string | undefined;
301
301
  grant_types?: ("authorization_code" | "refresh_token")[] | undefined;
302
302
  response_types?: "code"[] | undefined;
303
- token_endpoint_auth_method?: "client_secret_basic" | "none" | "client_secret_post" | undefined;
304
- logo_uri?: string | undefined;
303
+ token_endpoint_auth_method?: "client_secret_basic" | "client_secret_post" | "none" | undefined;
305
304
  scope?: string | undefined;
305
+ logo_uri?: string | undefined;
306
306
  contacts?: string[] | undefined;
307
307
  tos_uri?: string | undefined;
308
308
  policy_uri?: string | undefined;
@@ -314,9 +314,9 @@ declare const McpClientRegistrationSchema: z.ZodObject<{
314
314
  client_uri?: string | undefined;
315
315
  grant_types?: ("authorization_code" | "refresh_token")[] | undefined;
316
316
  response_types?: "code"[] | undefined;
317
- token_endpoint_auth_method?: "client_secret_basic" | "none" | "client_secret_post" | undefined;
318
- logo_uri?: string | undefined;
317
+ token_endpoint_auth_method?: "client_secret_basic" | "client_secret_post" | "none" | undefined;
319
318
  scope?: string | undefined;
319
+ logo_uri?: string | undefined;
320
320
  contacts?: string[] | undefined;
321
321
  tos_uri?: string | undefined;
322
322
  policy_uri?: string | undefined;
@@ -399,4 +399,4 @@ declare const McpTokenRequestSchema: z.ZodDiscriminatedUnion<"grant_type", [z.Zo
399
399
  }>]>;
400
400
  type McpTokenRequestParsed = z.infer<typeof McpTokenRequestSchema>;
401
401
 
402
- export { type ApproveConsentParams as A, type KavachError as K, type McpConfig as M, type Result as R, type McpAuthContext as a, type McpAuthorizeResult as b, type McpServerMetadata as c, type McpProtectedResourceMetadata as d, type McpClientRegistrationResponse as e, type McpSession as f, type McpAuthModule as g, type McpTokenResponse as h, type McpAccessToken as i, type McpAuthorizationCode as j, type McpAuthorizeRequest as k, McpAuthorizeRequestSchema as l, type McpClient as m, type McpClientRegistrationRequest as n, McpClientRegistrationSchema as o, type McpTokenPayload as p, type McpTokenRequest as q, type McpTokenRequestParsed as r, McpTokenRequestSchema as s };
402
+ export { type ApproveConsentParams as A, type KavachError as K, type McpAuthContext as M, type Result as R, type McpAuthorizeResult as a, type McpServerMetadata as b, type McpProtectedResourceMetadata as c, type McpClientRegistrationResponse as d, type McpSession as e, type McpConfig as f, type McpAuthModule as g, type McpTokenResponse as h, type McpAccessToken as i, type McpAuthorizationCode as j, type McpAuthorizeRequest as k, McpAuthorizeRequestSchema as l, type McpClient as m, type McpClientRegistrationRequest as n, McpClientRegistrationSchema as o, type McpTokenPayload as p, type McpTokenRequest as q, type McpTokenRequestParsed as r, McpTokenRequestSchema as s };
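--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "kavachos",
- "version": "0.0.2",
+ "version": "0.0.3",
  "description": "The auth OS for AI agents - identity, permissions, delegation, and audit for the agentic era",
  "type": "module",
  "main": "dist/index.js",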
@@ -1,96 +0,0 @@
1
- import { createSecretKey } from 'crypto';
2
- import { jwtVerify } from 'jose';
3
- import { z } from 'zod';
4
-
5
- // src/auth/adapters/bearer.ts
6
- var BearerAuthOptionsSchema = z.object({
7
- /**
8
- * Secret used to verify HS256/HS384/HS512 tokens.
9
- * Must be at least 32 characters.
10
- */
11
- secret: z.string().min(1, "secret is required"),
12
- /** Expected `iss` claim. Omit to skip issuer validation. */
13
- issuer: z.string().optional(),
14
- /** Expected `aud` claim. Omit to skip audience validation. */
15
- audience: z.string().optional()
16
- });
17
- var JwtPayloadSchema = z.object({
18
- sub: z.string(),
19
- email: z.string().optional(),
20
- name: z.string().optional(),
21
- // Both `picture` (OIDC) and `image` (custom) are accepted.
22
- picture: z.string().optional(),
23
- image: z.string().optional()
24
- });
25
- function bearerAuth(options) {
26
- const parsed = BearerAuthOptionsSchema.parse(options);
27
- const keyObject = createSecretKey(Buffer.from(parsed.secret, "utf-8"));
28
- return {
29
- async resolveUser(request) {
30
- const authHeader = request.headers.get("authorization");
31
- if (!authHeader) return null;
32
- const [scheme, token] = authHeader.split(" ");
33
- if (scheme?.toLowerCase() !== "bearer" || !token) return null;
34
- try {
35
- const { payload } = await jwtVerify(token, keyObject, {
36
- issuer: parsed.issuer,
37
- audience: parsed.audience
38
- });
39
- const claims = JwtPayloadSchema.safeParse(payload);
40
- if (!claims.success) return null;
41
- const { sub, email, name, picture, image } = claims.data;
42
- const metadata = {};
43
- for (const [k, v] of Object.entries(payload)) {
44
- if (![
45
- "sub",
46
- "email",
47
- "name",
48
- "picture",
49
- "image",
50
- "iat",
51
- "exp",
52
- "iss",
53
- "aud",
54
- "nbf",
55
- "jti"
56
- ].includes(k)) {
57
- metadata[k] = v;
58
- }
59
- }
60
- return {
61
- id: sub,
62
- ...email !== void 0 && { email },
63
- ...name !== void 0 && { name },
64
- ...picture !== void 0 || image !== void 0 ? { image: picture ?? image } : {},
65
- ...Object.keys(metadata).length > 0 && { metadata }
66
- };
67
- } catch {
68
- return null;
69
- }
70
- }
71
- };
72
- }
73
-
74
- // src/auth/adapters/custom.ts
75
- function customAuth(resolver) {
76
- return {
77
- resolveUser: resolver
78
- };
79
- }
80
-
81
- // src/auth/adapters/header.ts
82
- function headerAuth(options) {
83
- const headerName = options?.header ?? "X-User-Id";
84
- const normalised = headerName.toLowerCase();
85
- return {
86
- async resolveUser(request) {
87
- const value = request.headers.get(normalised);
88
- if (!value || value.trim() === "") return null;
89
- return { id: value.trim() };
90
- }
91
- };
92
- }
93
-
94
- export { bearerAuth, customAuth, headerAuth };
95
- //# sourceMappingURL=chunk-7RKVTHFC.js.map
96
- //# sourceMappingURL=chunk-7RKVTHFC.js.map
@@ -1 +0,0 @@
1
- {"version":3,"sources":["../src/auth/adapters/bearer.ts","../src/auth/adapters/custom.ts","../src/auth/adapters/header.ts"],"names":[],"mappings":";;;;;AA4BA,IAAM,uBAAA,GAA0B,EAAE,MAAA,CAAO;AAAA;AAAA;AAAA;AAAA;AAAA,EAKxC,QAAQ,CAAA,CAAE,MAAA,EAAO,CAAE,GAAA,CAAI,GAAG,oBAAoB,CAAA;AAAA;AAAA,EAE9C,MAAA,EAAQ,CAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA;AAAA,EAE5B,QAAA,EAAU,CAAA,CAAE,MAAA,EAAO,CAAE,QAAA;AACtB,CAAC,CAAA;AAQD,IAAM,gBAAA,GAAmB,EAAE,MAAA,CAAO;AAAA,EACjC,GAAA,EAAK,EAAE,MAAA,EAAO;AAAA,EACd,KAAA,EAAO,CAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,EAC3B,IAAA,EAAM,CAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA;AAAA,EAE1B,OAAA,EAAS,CAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,EAC7B,KAAA,EAAO,CAAA,CAAE,MAAA,EAAO,CAAE,QAAA;AACnB,CAAC,CAAA;AAgBM,SAAS,WAAW,OAAA,EAAyC;AACnE,EAAA,MAAM,MAAA,GAAS,uBAAA,CAAwB,KAAA,CAAM,OAAO,CAAA;AAGpD,EAAA,MAAM,YAAY,eAAA,CAAgB,MAAA,CAAO,KAAK,MAAA,CAAO,MAAA,EAAQ,OAAO,CAAC,CAAA;AAErE,EAAA,OAAO;AAAA,IACN,MAAM,YAAY,OAAA,EAAgD;AACjE,MAAA,MAAM,UAAA,GAAa,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,eAAe,CAAA;AACtD,MAAA,IAAI,CAAC,YAAY,OAAO,IAAA;AAExB,MAAA,MAAM,CAAC,MAAA,EAAQ,KAAK,CAAA,GAAI,UAAA,CAAW,MAAM,GAAG,CAAA;AAC5C,MAAA,IAAI,QAAQ,WAAA,EAAY,KAAM,QAAA,IAAY,CAAC,OAAO,OAAO,IAAA;AAEzD,MAAA,IAAI;AACH,QAAA,MAAM,EAAE,OAAA,EAAQ,GAAI,MAAM,SAAA,CAAU,OAAO,SAAA,EAAW;AAAA,UACrD,QAAQ,MAAA,CAAO,MAAA;AAAA,UACf,UAAU,MAAA,CAAO;AAAA,SACjB,CAAA;AAED,QAAA,MAAM,MAAA,GAAS,gBAAA,CAAiB,SAAA,CAAU,OAAO,CAAA;AACjD,QAAA,IAAI,CAAC,MAAA,CAAO,OAAA,EAAS,OAAO,IAAA;AAE5B,QAAA,MAAM,EAAE,GAAA,EAAK,KAAA,EAAO,MAAM,OAAA,EAAS,KAAA,KAAU,MAAA,CAAO,IAAA;AAGpD,QAAA,MAAM,WAAoC,EAAC;AAC3C,QAAA,KAAA,MAAW,CAAC,CAAA,EAAG,CAAC,KAAK,MAAA,CAAO,OAAA,CAAQ,OAAO,CAAA,EAAG;AAC7C,UAAA,IACC,CAAC;AAAA,YACA,KAAA;AAAA,YACA,OAAA;AAAA,YACA,MAAA;AAAA,YACA,SAAA;AAAA,YACA,OAAA;AAAA,YACA,KAAA;AAAA,YACA,KAAA;AAAA,YACA,KAAA;AAAA,YACA,KAAA;AAAA,YACA,KAAA;AAAA,YACA;AAAA,WACD,CAAE,QAAA,CAAS,CAAC,CAAA,EACX;AACD,YAAA,QAAA,CAAS,CAAC,CAAA,GAAI,CAAA;AAAA,UACf;AAAA,QACD;AAEA,QAAA,OAAO;AAAA,UACN,EAAA,EAAI,GAAA;AAAA,UACJ,GAAI,KAAA,KAAU,KAAA,CAAA,IAAa,EAAE,KAAA,E
AAM;AAAA,UACnC,GAAI,IAAA,KAAS,KAAA,CAAA,IAAa,EAAE,IAAA,EAAK;AAAA,UACjC,GAAI,OAAA,KAAY,KAAA,CAAA,IAAa,KAAA,KAAU,KAAA,CAAA,GAAY,EAAE,KAAA,EAAO,OAAA,IAAW,KAAA,EAAM,GAAI,EAAC;AAAA,UAClF,GAAI,OAAO,IAAA,CAAK,QAAQ,EAAE,MAAA,GAAS,CAAA,IAAK,EAAE,QAAA;AAAS,SACpD;AAAA,MACD,CAAA,CAAA,MAAQ;AAEP,QAAA,OAAO,IAAA;AAAA,MACR;AAAA,IACD;AAAA,GACD;AACD;;;AC9EO,SAAS,WACf,QAAA,EACc;AACd,EAAA,OAAO;AAAA,IACN,WAAA,EAAa;AAAA,GACd;AACD;;;ACnBO,SAAS,WAAW,OAAA,EAA0C;AACpE,EAAA,MAAM,UAAA,GAAa,SAAS,MAAA,IAAU,WAAA;AAEtC,EAAA,MAAM,UAAA,GAAa,WAAW,WAAA,EAAY;AAE1C,EAAA,OAAO;AAAA,IACN,MAAM,YAAY,OAAA,EAAgD;AACjE,MAAA,MAAM,KAAA,GAAQ,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,UAAU,CAAA;AAC5C,MAAA,IAAI,CAAC,KAAA,IAAS,KAAA,CAAM,IAAA,EAAK,KAAM,IAAI,OAAO,IAAA;AAE1C,MAAA,OAAO,EAAE,EAAA,EAAI,KAAA,CAAM,IAAA,EAAK,EAAE;AAAA,IAC3B;AAAA,GACD;AACD","file":"chunk-7RKVTHFC.js","sourcesContent":["/**\n * JWT bearer-token auth adapter.\n *\n * Verifies a JWT from the `Authorization: Bearer <token>` header using a\n * symmetric secret (HS256/HS384/HS512). Extracts `sub`, `email`, `name`, and\n * `picture` from the payload and returns them as a `ResolvedUser`.\n *\n * @example\n * ```typescript\n * import { bearerAuth } from 'kavachos/auth';\n *\n * const adapter = bearerAuth({\n * secret: process.env.JWT_SECRET,\n * issuer: 'https://my-app.example.com',\n * audience: 'kavachos',\n * });\n * ```\n */\n\nimport { createSecretKey } from \"node:crypto\";\nimport { jwtVerify } from \"jose\";\nimport { z } from \"zod\";\nimport type { AuthAdapter, ResolvedUser } from \"../types.js\";\n\n// ---------------------------------------------------------------------------\n// Options schema\n// ---------------------------------------------------------------------------\n\nconst BearerAuthOptionsSchema = z.object({\n\t/**\n\t * Secret used to verify HS256/HS384/HS512 tokens.\n\t * Must be at least 32 characters.\n\t */\n\tsecret: z.string().min(1, \"secret is required\"),\n\t/** Expected `iss` claim. Omit to skip issuer validation. 
*/\n\tissuer: z.string().optional(),\n\t/** Expected `aud` claim. Omit to skip audience validation. */\n\taudience: z.string().optional(),\n});\n\nexport type BearerAuthOptions = z.infer<typeof BearerAuthOptionsSchema>;\n\n// ---------------------------------------------------------------------------\n// Payload schema – only the fields KavachOS cares about\n// ---------------------------------------------------------------------------\n\nconst JwtPayloadSchema = z.object({\n\tsub: z.string(),\n\temail: z.string().optional(),\n\tname: z.string().optional(),\n\t// Both `picture` (OIDC) and `image` (custom) are accepted.\n\tpicture: z.string().optional(),\n\timage: z.string().optional(),\n});\n\n// ---------------------------------------------------------------------------\n// Factory\n// ---------------------------------------------------------------------------\n\n/**\n * Create an `AuthAdapter` that validates a JWT from the `Authorization: Bearer`\n * header and maps its claims to a `ResolvedUser`.\n *\n * Returns `null` when:\n * - No `Authorization` header is present\n * - The header does not use the `Bearer` scheme\n * - The JWT signature is invalid, the token is expired, or claims do not match\n * the configured `issuer` / `audience`\n */\nexport function bearerAuth(options: BearerAuthOptions): AuthAdapter {\n\tconst parsed = BearerAuthOptionsSchema.parse(options);\n\n\t// Pre-compute the KeyObject once so we don't recreate it per request.\n\tconst keyObject = createSecretKey(Buffer.from(parsed.secret, \"utf-8\"));\n\n\treturn {\n\t\tasync resolveUser(request: Request): Promise<ResolvedUser | null> {\n\t\t\tconst authHeader = request.headers.get(\"authorization\");\n\t\t\tif (!authHeader) return null;\n\n\t\t\tconst [scheme, token] = authHeader.split(\" \");\n\t\t\tif (scheme?.toLowerCase() !== \"bearer\" || !token) return null;\n\n\t\t\ttry {\n\t\t\t\tconst { payload } = await jwtVerify(token, keyObject, {\n\t\t\t\t\tissuer: 
parsed.issuer,\n\t\t\t\t\taudience: parsed.audience,\n\t\t\t\t});\n\n\t\t\t\tconst claims = JwtPayloadSchema.safeParse(payload);\n\t\t\t\tif (!claims.success) return null;\n\n\t\t\t\tconst { sub, email, name, picture, image } = claims.data;\n\n\t\t\t\t// Strip undefined fields from metadata so callers get a clean object.\n\t\t\t\tconst metadata: Record<string, unknown> = {};\n\t\t\t\tfor (const [k, v] of Object.entries(payload)) {\n\t\t\t\t\tif (\n\t\t\t\t\t\t![\n\t\t\t\t\t\t\t\"sub\",\n\t\t\t\t\t\t\t\"email\",\n\t\t\t\t\t\t\t\"name\",\n\t\t\t\t\t\t\t\"picture\",\n\t\t\t\t\t\t\t\"image\",\n\t\t\t\t\t\t\t\"iat\",\n\t\t\t\t\t\t\t\"exp\",\n\t\t\t\t\t\t\t\"iss\",\n\t\t\t\t\t\t\t\"aud\",\n\t\t\t\t\t\t\t\"nbf\",\n\t\t\t\t\t\t\t\"jti\",\n\t\t\t\t\t\t].includes(k)\n\t\t\t\t\t) {\n\t\t\t\t\t\tmetadata[k] = v;\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\treturn {\n\t\t\t\t\tid: sub,\n\t\t\t\t\t...(email !== undefined && { email }),\n\t\t\t\t\t...(name !== undefined && { name }),\n\t\t\t\t\t...(picture !== undefined || image !== undefined ? { image: picture ?? image } : {}),\n\t\t\t\t\t...(Object.keys(metadata).length > 0 && { metadata }),\n\t\t\t\t};\n\t\t\t} catch {\n\t\t\t\t// Token verification failed (expired, bad signature, wrong issuer, etc.)\n\t\t\t\treturn null;\n\t\t\t}\n\t\t},\n\t};\n}\n","/**\n * Custom resolver auth adapter.\n *\n * Wraps an arbitrary resolver function as an `AuthAdapter`. Use this when\n * you need to integrate with an auth provider that does not have a built-in\n * adapter (e.g. 
better-auth, Auth.js, Clerk, Supabase Auth, etc.).\n *\n * @example Clerk session cookie\n * ```typescript\n * import { customAuth } from 'kavachos/auth';\n * import { clerkClient } from '@clerk/clerk-sdk-node';\n *\n * const adapter = customAuth(async (request) => {\n * const sessionToken = request.headers.get('cookie')\n * ?.split('; ')\n * .find(c => c.startsWith('__session='))\n * ?.split('=')[1];\n *\n * if (!sessionToken) return null;\n *\n * const session = await clerkClient.sessions.verifySession('', sessionToken);\n * return { id: session.userId };\n * });\n * ```\n *\n * @example better-auth\n * ```typescript\n * import { customAuth } from 'kavachos/auth';\n * import { auth } from './lib/auth'; // your better-auth instance\n *\n * const adapter = customAuth(async (request) => {\n * const session = await auth.api.getSession({ headers: request.headers });\n * if (!session?.user) return null;\n * return {\n * id: session.user.id,\n * email: session.user.email ?? undefined,\n * name: session.user.name ?? undefined,\n * image: session.user.image ?? undefined,\n * };\n * });\n * ```\n */\n\nimport type { AuthAdapter, ResolvedUser } from \"../types.js\";\n\n/**\n * Create an `AuthAdapter` from a custom resolver function.\n *\n * The resolver receives the raw `Request` and must return either a\n * `ResolvedUser` or `null` (unauthenticated).\n */\nexport function customAuth(\n\tresolver: (request: Request) => Promise<ResolvedUser | null>,\n): AuthAdapter {\n\treturn {\n\t\tresolveUser: resolver,\n\t};\n}\n","/**\n * Header-based auth adapter.\n *\n * Extracts the user ID from a trusted request header. Designed for services\n * deployed behind an auth proxy (e.g. 
Nginx, Cloudflare Access, AWS ALB) that\n * injects a verified user-identity header before forwarding requests.\n *\n * @example Default header (`X-User-Id`)\n * ```typescript\n * import { headerAuth } from 'kavachos/auth';\n *\n * const adapter = headerAuth();\n * ```\n *\n * @example Custom header\n * ```typescript\n * const adapter = headerAuth({ header: 'X-Authenticated-User' });\n * ```\n *\n * IMPORTANT: Only use this adapter when the header cannot be forged by the\n * client (i.e. the upstream proxy strips or overrides it).\n */\n\nimport type { AuthAdapter, ResolvedUser } from \"../types.js\";\n\nexport interface HeaderAuthOptions {\n\t/**\n\t * Name of the HTTP header that carries the user ID.\n\t * Defaults to `X-User-Id`.\n\t */\n\theader?: string;\n}\n\n/**\n * Create an `AuthAdapter` that extracts the user identity from a request header.\n *\n * Returns `null` when the header is absent or its value is empty.\n */\nexport function headerAuth(options?: HeaderAuthOptions): AuthAdapter {\n\tconst headerName = options?.header ?? \"X-User-Id\";\n\t// Normalise to lower-case for case-insensitive lookup via the Headers API.\n\tconst normalised = headerName.toLowerCase();\n\n\treturn {\n\t\tasync resolveUser(request: Request): Promise<ResolvedUser | null> {\n\t\t\tconst value = request.headers.get(normalised);\n\t\t\tif (!value || value.trim() === \"\") return null;\n\n\t\t\treturn { id: value.trim() };\n\t\t},\n\t};\n}\n"]}
@@ -1 +0,0 @@
1
- {"version":3,"sources":["../src/agent/agent.ts"],"names":[],"mappings":";;;;AA0BA,SAAS,kBAAA,GAAsE;AAC9E,EAAA,MAAM,UAAA,GAAa,YAAY,EAAE,CAAA;AACjC,EAAA,MAAM,KAAA,GAAQ,CAAA,GAAA,EAAM,UAAA,CAAW,QAAA,CAAS,WAAW,CAAC,CAAA,CAAA;AACpD,EAAA,MAAM,IAAA,GAAO,WAAW,QAAQ,CAAA,CAAE,OAAO,KAAK,CAAA,CAAE,OAAO,KAAK,CAAA;AAC5D,EAAA,MAAM,MAAA,GAAS,KAAA,CAAM,KAAA,CAAM,CAAA,EAAG,EAAE,CAAA;AAChC,EAAA,OAAO,EAAE,KAAA,EAAO,IAAA,EAAM,MAAA,EAAO;AAC9B;AAEA,SAAS,iBAAiB,MAAA,EAAsB;AAC/C,EAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AACrB,EAAA,MAAM,KAAA,GAAQ,MAAA,CAAO,KAAA,CAAM,iBAAiB,CAAA;AAC5C,EAAA,IAAI,CAAC,KAAA,EAAO;AACX,IAAA,MAAM,IAAI,KAAA,CAAM,CAAA,6BAAA,EAAgC,MAAM,CAAA,qCAAA,CAAuC,CAAA;AAAA,EAC9F;AACA,EAAA,MAAM,QAAQ,MAAA,CAAO,QAAA,CAAS,KAAA,CAAM,CAAC,GAAa,EAAE,CAAA;AACpD,EAAA,MAAM,IAAA,GAAO,MAAM,CAAC,CAAA;AACpB,EAAA,MAAM,WAAA,GAAsC;AAAA,IAC3C,CAAA,EAAG,GAAA;AAAA,IACH,GAAG,EAAA,GAAK,GAAA;AAAA,IACR,CAAA,EAAG,KAAK,EAAA,GAAK,GAAA;AAAA,IACb,CAAA,EAAG,EAAA,GAAK,EAAA,GAAK,EAAA,GAAK;AAAA,GACnB;AACA,EAAA,OAAO,IAAI,IAAA,CAAK,GAAA,GAAM,SAAS,WAAA,CAAY,IAAc,KAAK,CAAA,CAAE,CAAA;AACjE;AAMO,SAAS,kBAAkB,MAAA,EAA2B;AAC5D,EAAA,MAAM,EAAE,EAAA,EAAI,UAAA,EAAY,WAAA,EAAY,GAAI,MAAA;AAExC,EAAA,eAAe,OAAO,KAAA,EAAqE;AAE1F,IAAA,MAAM,QAAA,GAAW,MAAM,EAAA,CACrB,MAAA,GACA,IAAA,CAAK,MAAM,EACX,KAAA,CAAM,GAAA,CAAI,GAAG,MAAA,CAAO,OAAA,EAAS,MAAM,OAAO,CAAA,EAAG,GAAG,MAAA,CAAO,MAAA,EAAQ,QAAQ,CAAC,CAAC,CAAA;AAE3E,IAAA,IAAI,QAAA,CAAS,UAAU,UAAA,EAAY;AAClC,MAAA,MAAM,IAAI,KAAA;AAAA,QACT,CAAA,KAAA,EAAQ,KAAA,CAAM,OAAO,CAAA,4BAAA,EAA+B,UAAU,CAAA,eAAA;AAAA,OAC/D;AAAA,IACD;AAEA,IAAA,MAAM,KAAK,UAAA,EAAW;AACtB,IAAA,MAAM,EAAE,KAAA,EAAO,IAAA,EAAM,MAAA,KAAW,kBAAA,EAAmB;AACnD,IAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AACrB,IAAA,MAAM,OAAA,GAAU,KAAA,CAAM,SAAA,IAAa,gBAAA,CAAiB,WAAW,CAAA;AAG/D,IAAA,MAAM,EAAA,CAAG,MAAA,CAAO,MAAM,CAAA,CAAE,MAAA,CAAO;AAAA,MAC9B,EAAA;AAAA,MACA,SAAS,KAAA,CAAM,OAAA;AAAA,MACf,MAAM,KAAA,CAAM,IAAA;AAAA,MACZ,MAAM,KAAA,CAAM,IAAA;AAAA,MACZ,MAAA,EAAQ,QAAA;AAAA,MACR,SAAA,EAAW,IAAA;AAAA,MACX,WAAA,EAAa,MAAA;AAAA,MACb,SAAA,EAAW,OAAA;AAAA,MACX,QAAA,EAAU,K
AAA,CAAM,QAAA,IAAY,EAAC;AAAA,MAC7B,SAAA,EAAW,GAAA;AAAA,MACX,SAAA,EAAW;AAAA,KACX,CAAA;AAGD,IAAA,IAAI,KAAA,CAAM,WAAA,CAAY,MAAA,GAAS,CAAA,EAAG;AACjC,MAAA,MAAM,EAAA,CAAG,MAAA,CAAO,WAAW,CAAA,CAAE,MAAA;AAAA,QAC5B,KAAA,CAAM,WAAA,CAAY,GAAA,CAAI,CAAC,CAAA,MAAO;AAAA,UAC7B,IAAI,UAAA,EAAW;AAAA,UACf,OAAA,EAAS,EAAA;AAAA,UACT,UAAU,CAAA,CAAE,QAAA;AAAA,UACZ,SAAS,CAAA,CAAE,OAAA;AAAA,UACX,WAAA,EAAa,EAAE,WAAA,IAAe,IAAA;AAAA,UAC9B,SAAA,EAAW;AAAA,SACZ,CAAE;AAAA,OACH;AAAA,IACD;AAEA,IAAA,OAAO;AAAA,MACN,EAAA;AAAA,MACA,SAAS,KAAA,CAAM,OAAA;AAAA,MACf,MAAM,KAAA,CAAM,IAAA;AAAA,MACZ,MAAM,KAAA,CAAM,IAAA;AAAA,MACZ,KAAA;AAAA,MACA,aAAa,KAAA,CAAM,WAAA;AAAA,MACnB,MAAA,EAAQ,QAAA;AAAA,MACR,SAAA,EAAW,OAAA;AAAA,MACX,SAAA,EAAW,GAAA;AAAA,MACX,SAAA,EAAW;AAAA,KACZ;AAAA,EACD;AAEA,EAAA,eAAe,IAAI,OAAA,EAAgD;AAClE,IAAA,MAAM,OAAO,MAAM,EAAA,CAAG,MAAA,EAAO,CAAE,KAAK,MAAM,CAAA,CAAE,KAAA,CAAM,EAAA,CAAG,OAAO,EAAA,EAAI,OAAO,CAAC,CAAA,CAAE,MAAM,CAAC,CAAA;AACjF,IAAA,MAAM,KAAA,GAAQ,KAAK,CAAC,CAAA;AACpB,IAAA,IAAI,CAAC,OAAO,OAAO,IAAA;AAEnB,IAAA,MAAM,KAAA,GAAQ,MAAM,EAAA,CAAG,MAAA,EAAO,CAAE,IAAA,CAAK,WAAW,CAAA,CAAE,KAAA,CAAM,EAAA,CAAG,WAAA,CAAY,OAAA,EAAS,OAAO,CAAC,CAAA;AAExF,IAAA,OAAO;AAAA,MACN,IAAI,KAAA,CAAM,EAAA;AAAA,MACV,SAAS,KAAA,CAAM,OAAA;AAAA,MACf,MAAM,KAAA,CAAM,IAAA;AAAA,MACZ,MAAM,KAAA,CAAM,IAAA;AAAA,MACZ,KAAA,EAAO,EAAA;AAAA;AAAA,MACP,WAAA,EAAa,KAAA,CAAM,GAAA,CAAI,YAAY,CAAA;AAAA,MACnC,QAAQ,KAAA,CAAM,MAAA;AAAA,MACd,WAAW,KAAA,CAAM,SAAA;AAAA,MACjB,WAAW,KAAA,CAAM,SAAA;AAAA,MACjB,WAAW,KAAA,CAAM;AAAA,KAClB;AAAA,EACD;AAEA,EAAA,eAAe,KAAK,MAAA,EAAgD;AACnE,IAAA,IAAI,QAAQ,EAAA,CAAG,MAAA,GAAS,IAAA,CAAK,MAAM,EAAE,QAAA,EAAS;AAE9C,IAAA,MAAM,aAAa,EAAC;AACpB,IAAA,IAAI,MAAA,EAAQ,QAAQ,UAAA,CAAW,IAAA,CAAK,GAAG,MAAA,CAAO,OAAA,EAAS,MAAA,CAAO,MAAM,CAAC,CAAA;AACrE,IAAA,IAAI,MAAA,EAAQ,QAAQ,UAAA,CAAW,IAAA,CAAK,GAAG,MAAA,CAAO,MAAA,EAAQ,MAAA,CAAO,MAAM,CAAC,CAAA;AACpE,IAAA,IAAI,MAAA,EAAQ,MAAM,UAAA,CAAW,IAAA,CAAK,GAAG,MAAA,CAAO,IAAA,EAAM,MAAA,CAAO,IAAI,CAAC,CAAA;AAE9D,IAAA,IAAI,UAAA,CAAW,SAAS,CAAA,EAAG;AAC1B,MAAA,KAAA,GAAQ,KAAA,CAAM,KAAA,CAAM,GAAA,CA
AI,GAAG,UAAU,CAAC,CAAA;AAAA,IACvC;AAEA,IAAA,MAAM,OAAO,MAAM,KAAA;AAGnB,IAAA,MAAM,WAAW,IAAA,CAAK,GAAA,CAAI,CAAC,CAAA,KAAM,EAAE,EAAE,CAAA;AACrC,IAAA,MAAM,YAAA,uBAAmB,GAAA,EAA0B;AACnD,IAAA,KAAA,MAAW,MAAM,QAAA,EAAU;AAC1B,MAAA,MAAM,KAAA,GAAQ,MAAM,EAAA,CAAG,MAAA,EAAO,CAAE,IAAA,CAAK,WAAW,CAAA,CAAE,KAAA,CAAM,EAAA,CAAG,WAAA,CAAY,OAAA,EAAS,EAAE,CAAC,CAAA;AACnF,MAAA,YAAA,CAAa,GAAA,CAAI,EAAA,EAAI,KAAA,CAAM,GAAA,CAAI,YAAY,CAAC,CAAA;AAAA,IAC7C;AAEA,IAAA,OAAO,IAAA,CAAK,GAAA,CAAI,CAAC,KAAA,MAAW;AAAA,MAC3B,IAAI,KAAA,CAAM,EAAA;AAAA,MACV,SAAS,KAAA,CAAM,OAAA;AAAA,MACf,MAAM,KAAA,CAAM,IAAA;AAAA,MACZ,MAAM,KAAA,CAAM,IAAA;AAAA,MACZ,KAAA,EAAO,EAAA;AAAA,MACP,aAAa,YAAA,CAAa,GAAA,CAAI,KAAA,CAAM,EAAE,KAAK,EAAC;AAAA,MAC5C,QAAQ,KAAA,CAAM,MAAA;AAAA,MACd,WAAW,KAAA,CAAM,SAAA;AAAA,MACjB,WAAW,KAAA,CAAM,SAAA;AAAA,MACjB,WAAW,KAAA,CAAM;AAAA,KAClB,CAAE,CAAA;AAAA,EACH;AAEA,EAAA,eAAe,MAAA,CAAO,SAAiB,KAAA,EAAiD;AACvF,IAAA,MAAM,QAAA,GAAW,MAAM,GAAA,CAAI,OAAO,CAAA;AAClC,IAAA,IAAI,CAAC,QAAA,EAAU,MAAM,IAAI,KAAA,CAAM,CAAA,MAAA,EAAS,OAAO,CAAA,WAAA,CAAa,CAAA;AAE5D,IAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AAErB,IAAA,MAAM,EAAA,CACJ,MAAA,CAAO,MAAM,CAAA,CACb,GAAA,CAAI;AAAA,MACJ,IAAA,EAAM,KAAA,CAAM,IAAA,IAAQ,QAAA,CAAS,IAAA;AAAA,MAC7B,SAAA,EAAW,KAAA,CAAM,SAAA,IAAa,QAAA,CAAS,SAAA;AAAA,MACvC,UAAU,KAAA,CAAM,QAAA;AAAA,MAChB,SAAA,EAAW;AAAA,KACX,CAAA,CACA,KAAA,CAAM,GAAG,MAAA,CAAO,EAAA,EAAI,OAAO,CAAC,CAAA;AAG9B,IAAA,IAAI,MAAM,WAAA,EAAa;AACtB,MAAA,MAAM,EAAA,CAAG,OAAO,WAAW,CAAA,CAAE,MAAM,EAAA,CAAG,WAAA,CAAY,OAAA,EAAS,OAAO,CAAC,CAAA;AACnE,MAAA,IAAI,KAAA,CAAM,WAAA,CAAY,MAAA,GAAS,CAAA,EAAG;AACjC,QAAA,MAAM,EAAA,CAAG,MAAA,CAAO,WAAW,CAAA,CAAE,MAAA;AAAA,UAC5B,KAAA,CAAM,WAAA,CAAY,GAAA,CAAI,CAAC,CAAA,MAAO;AAAA,YAC7B,IAAI,UAAA,EAAW;AAAA,YACf,OAAA;AAAA,YACA,UAAU,CAAA,CAAE,QAAA;AAAA,YACZ,SAAS,CAAA,CAAE,OAAA;AAAA,YACX,WAAA,EAAa,EAAE,WAAA,IAAe,IAAA;AAAA,YAC9B,SAAA,EAAW;AAAA,WACZ,CAAE;AAAA,SACH;AAAA,MACD;AAAA,IACD;AAEA,IAAA,MAAM,OAAA,GAAU,MAAM,GAAA,CAAI,OAAO,CAAA;AACjC,IAAA,IAAI,CAAC,OAAA,EAAS,MAAM,IAAI,KAAA,CAAM,CAAA,MAAA,EAAS,OAAO,CAAA,0BAAA,CAA4B,CAAA;AA
C1E,IAAA,OAAO,OAAA;AAAA,EACR;AAEA,EAAA,eAAe,OAAO,OAAA,EAAgC;AACrD,IAAA,MAAM,QAAA,GAAW,MAAM,GAAA,CAAI,OAAO,CAAA;AAClC,IAAA,IAAI,CAAC,QAAA,EAAU,MAAM,IAAI,KAAA,CAAM,CAAA,MAAA,EAAS,OAAO,CAAA,WAAA,CAAa,CAAA;AAE5D,IAAA,MAAM,GACJ,MAAA,CAAO,MAAM,EACb,GAAA,CAAI,EAAE,QAAQ,SAAA,EAAW,SAAA,sBAAe,IAAA,EAAK,EAAG,CAAA,CAChD,KAAA,CAAM,GAAG,MAAA,CAAO,EAAA,EAAI,OAAO,CAAC,CAAA;AAAA,EAC/B;AAEA,EAAA,eAAe,OAAO,OAAA,EAA6D;AAClF,IAAA,MAAM,QAAA,GAAW,MAAM,GAAA,CAAI,OAAO,CAAA;AAClC,IAAA,IAAI,CAAC,QAAA,EAAU,MAAM,IAAI,KAAA,CAAM,CAAA,MAAA,EAAS,OAAO,CAAA,WAAA,CAAa,CAAA;AAC5D,IAAA,IAAI,SAAS,MAAA,KAAW,QAAA;AACvB,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,wBAAA,EAA2B,QAAA,CAAS,MAAM,CAAA,OAAA,CAAS,CAAA;AAEpE,IAAA,MAAM,EAAE,KAAA,EAAO,IAAA,EAAM,MAAA,KAAW,kBAAA,EAAmB;AACnD,IAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AAErB,IAAA,MAAM,GACJ,MAAA,CAAO,MAAM,EACb,GAAA,CAAI,EAAE,WAAW,IAAA,EAAM,WAAA,EAAa,QAAQ,SAAA,EAAW,GAAA,EAAK,CAAA,CAC5D,KAAA,CAAM,GAAG,MAAA,CAAO,EAAA,EAAI,OAAO,CAAC,CAAA;AAE9B,IAAA,OAAO,EAAE,GAAG,QAAA,EAAU,KAAA,EAAO,WAAW,GAAA,EAAI;AAAA,EAC7C;AAMA,EAAA,eAAe,cAAc,KAAA,EAA8C;AAC1E,IAAA,MAAM,IAAA,GAAO,WAAW,QAAQ,CAAA,CAAE,OAAO,KAAK,CAAA,CAAE,OAAO,KAAK,CAAA;AAC5D,IAAA,MAAM,OAAO,MAAM,EAAA,CAAG,MAAA,EAAO,CAAE,KAAK,MAAM,CAAA,CAAE,KAAA,CAAM,EAAA,CAAG,OAAO,SAAA,EAAW,IAAI,CAAC,CAAA,CAAE,MAAM,CAAC,CAAA;AACrF,IAAA,MAAM,KAAA,GAAQ,KAAK,CAAC,CAAA;AACpB,IAAA,IAAI,CAAC,OAAO,OAAO,IAAA;AAGnB,IAAA,IAAI,KAAA,CAAM,MAAA,KAAW,QAAA,EAAU,OAAO,IAAA;AAGtC,IAAA,IAAI,MAAM,SAAA,IAAa,KAAA,CAAM,SAAA,mBAAY,IAAI,MAAK,EAAG;AACpD,MAAA,MAAM,EAAA,CACJ,OAAO,MAAM,CAAA,CACb,IAAI,EAAE,MAAA,EAAQ,WAAW,SAAA,kBAAW,IAAI,MAAK,EAAG,EAChD,KAAA,CAAM,EAAA,CAAG,OAAO,EAAA,EAAI,KAAA,CAAM,EAAE,CAAC,CAAA;AAC/B,MAAA,OAAO,IAAA;AAAA,IACR;AAGA,IAAA,MAAM,GAAG,MAAA,CAAO,MAAM,EAAE,GAAA,CAAI,EAAE,8BAAc,IAAI,IAAA,EAAK,EAAG,EAAE,KAAA,CAAM,EAAA,CAAG,OAAO,EAAA,EAAI,KAAA,CAAM,EAAE,CAAC,CAAA;AAEvF,IAAA,MAAM,KAAA,GAAQ,MAAM,EAAA,CAAG,MAAA,GAAS,IAAA,CAAK,WAAW,CAAA,CAAE,KAAA,CAAM,EAAA,CAAG,WAAA,CAAY,OAAA,EAAS,KAAA,CAAM,EAAE,CAAC,CAAA;AAEzF,IAAA,OAAO;AAAA,MACN,IAAI,KAAA,CAAM,EAAA;AAAA,MACV,SAAS,KAA
A,CAAM,OAAA;AAAA,MACf,MAAM,KAAA,CAAM,IAAA;AAAA,MACZ,MAAM,KAAA,CAAM,IAAA;AAAA,MACZ,KAAA,EAAO,EAAA;AAAA,MACP,WAAA,EAAa,KAAA,CAAM,GAAA,CAAI,YAAY,CAAA;AAAA,MACnC,MAAA,EAAQ,QAAA;AAAA,MACR,WAAW,KAAA,CAAM,SAAA;AAAA,MACjB,WAAW,KAAA,CAAM,SAAA;AAAA,MACjB,WAAW,KAAA,CAAM;AAAA,KAClB;AAAA,EACD;AAEA,EAAA,OAAO,EAAE,MAAA,EAAQ,GAAA,EAAK,MAAM,MAAA,EAAQ,MAAA,EAAQ,QAAQ,aAAA,EAAc;AACnE;AAEA,SAAS,aAAa,GAAA,EAIP;AACd,EAAA,OAAO;AAAA,IACN,UAAU,GAAA,CAAI,QAAA;AAAA,IACd,SAAS,GAAA,CAAI,OAAA;AAAA,IACb,WAAA,EAAc,IAAI,WAAA,IAA6C;AAAA,GAChE;AACD","file":"chunk-I4J4KKKK.js","sourcesContent":["import { createHash, randomBytes, randomUUID } from \"node:crypto\";\nimport { and, eq } from \"drizzle-orm\";\nimport type { Database } from \"../db/database.js\";\nimport { agents, permissions } from \"../db/schema.js\";\nimport type {\n\tAgentFilter,\n\tAgentIdentity,\n\tCreateAgentInput,\n\tPermission,\n\tUpdateAgentInput,\n} from \"../types.js\";\n\ninterface AgentModuleConfig {\n\tdb: Database;\n\tmaxPerUser: number;\n\tdefaultPermissions: string[];\n\ttokenExpiry: string;\n}\n\n/**\n * Generate a secure agent token.\n * Returns { token, hash, prefix } where:\n * - token: the full token (given to the agent, never stored)\n * - hash: SHA-256 hash (stored in DB)\n * - prefix: first 8 chars (for identification in logs/UI)\n */\nfunction generateAgentToken(): { token: string; hash: string; prefix: string } {\n\tconst tokenBytes = randomBytes(32);\n\tconst token = `kv_${tokenBytes.toString(\"base64url\")}`;\n\tconst hash = createHash(\"sha256\").update(token).digest(\"hex\");\n\tconst prefix = token.slice(0, 11); // \"kv_\" + 8 chars\n\treturn { token, hash, prefix };\n}\n\nfunction parseTokenExpiry(expiry: string): Date {\n\tconst now = Date.now();\n\tconst match = expiry.match(/^(\\d+)([smhd])$/);\n\tif (!match) {\n\t\tthrow new Error(`Invalid token expiry format: ${expiry}. 
Use format like \"24h\", \"7d\", \"30m\".`);\n\t}\n\tconst value = Number.parseInt(match[1] as string, 10);\n\tconst unit = match[2];\n\tconst multipliers: Record<string, number> = {\n\t\ts: 1000,\n\t\tm: 60 * 1000,\n\t\th: 60 * 60 * 1000,\n\t\td: 24 * 60 * 60 * 1000,\n\t};\n\treturn new Date(now + value * (multipliers[unit as string] ?? 0));\n}\n\n/**\n * Create the agent identity module.\n * Handles CRUD operations for AI agent identities.\n */\nexport function createAgentModule(config: AgentModuleConfig) {\n\tconst { db, maxPerUser, tokenExpiry } = config;\n\n\tasync function create(input: CreateAgentInput): Promise<AgentIdentity & { token: string }> {\n\t\t// Check max agents per user\n\t\tconst existing = await db\n\t\t\t.select()\n\t\t\t.from(agents)\n\t\t\t.where(and(eq(agents.ownerId, input.ownerId), eq(agents.status, \"active\")));\n\n\t\tif (existing.length >= maxPerUser) {\n\t\t\tthrow new Error(\n\t\t\t\t`User ${input.ownerId} has reached the maximum of ${maxPerUser} active agents.`,\n\t\t\t);\n\t\t}\n\n\t\tconst id = randomUUID();\n\t\tconst { token, hash, prefix } = generateAgentToken();\n\t\tconst now = new Date();\n\t\tconst expires = input.expiresAt ?? parseTokenExpiry(tokenExpiry);\n\n\t\t// Insert agent\n\t\tawait db.insert(agents).values({\n\t\t\tid,\n\t\t\townerId: input.ownerId,\n\t\t\tname: input.name,\n\t\t\ttype: input.type,\n\t\t\tstatus: \"active\",\n\t\t\ttokenHash: hash,\n\t\t\ttokenPrefix: prefix,\n\t\t\texpiresAt: expires,\n\t\t\tmetadata: input.metadata ?? {},\n\t\t\tcreatedAt: now,\n\t\t\tupdatedAt: now,\n\t\t});\n\n\t\t// Insert permissions\n\t\tif (input.permissions.length > 0) {\n\t\t\tawait db.insert(permissions).values(\n\t\t\t\tinput.permissions.map((p) => ({\n\t\t\t\t\tid: randomUUID(),\n\t\t\t\t\tagentId: id,\n\t\t\t\t\tresource: p.resource,\n\t\t\t\t\tactions: p.actions,\n\t\t\t\t\tconstraints: p.constraints ?? 
null,\n\t\t\t\t\tcreatedAt: now,\n\t\t\t\t})),\n\t\t\t);\n\t\t}\n\n\t\treturn {\n\t\t\tid,\n\t\t\townerId: input.ownerId,\n\t\t\tname: input.name,\n\t\t\ttype: input.type,\n\t\t\ttoken,\n\t\t\tpermissions: input.permissions,\n\t\t\tstatus: \"active\",\n\t\t\texpiresAt: expires,\n\t\t\tcreatedAt: now,\n\t\t\tupdatedAt: now,\n\t\t};\n\t}\n\n\tasync function get(agentId: string): Promise<AgentIdentity | null> {\n\t\tconst rows = await db.select().from(agents).where(eq(agents.id, agentId)).limit(1);\n\t\tconst agent = rows[0];\n\t\tif (!agent) return null;\n\n\t\tconst perms = await db.select().from(permissions).where(eq(permissions.agentId, agentId));\n\n\t\treturn {\n\t\t\tid: agent.id,\n\t\t\townerId: agent.ownerId,\n\t\t\tname: agent.name,\n\t\t\ttype: agent.type as AgentIdentity[\"type\"],\n\t\t\ttoken: \"\", // never return token after creation\n\t\t\tpermissions: perms.map(toPermission),\n\t\t\tstatus: agent.status as AgentIdentity[\"status\"],\n\t\t\texpiresAt: agent.expiresAt,\n\t\t\tcreatedAt: agent.createdAt,\n\t\t\tupdatedAt: agent.updatedAt,\n\t\t};\n\t}\n\n\tasync function list(filter?: AgentFilter): Promise<AgentIdentity[]> {\n\t\tlet query = db.select().from(agents).$dynamic();\n\n\t\tconst conditions = [];\n\t\tif (filter?.userId) conditions.push(eq(agents.ownerId, filter.userId));\n\t\tif (filter?.status) conditions.push(eq(agents.status, filter.status));\n\t\tif (filter?.type) conditions.push(eq(agents.type, filter.type));\n\n\t\tif (conditions.length > 0) {\n\t\t\tquery = query.where(and(...conditions));\n\t\t}\n\n\t\tconst rows = await query;\n\n\t\t// Load permissions for all agents\n\t\tconst agentIds = rows.map((r) => r.id);\n\t\tconst permsByAgent = new Map<string, Permission[]>();\n\t\tfor (const id of agentIds) {\n\t\t\tconst perms = await db.select().from(permissions).where(eq(permissions.agentId, id));\n\t\t\tpermsByAgent.set(id, perms.map(toPermission));\n\t\t}\n\n\t\treturn rows.map((agent) => ({\n\t\t\tid: agent.id,\n\t\t\townerId: 
agent.ownerId,\n\t\t\tname: agent.name,\n\t\t\ttype: agent.type as AgentIdentity[\"type\"],\n\t\t\ttoken: \"\",\n\t\t\tpermissions: permsByAgent.get(agent.id) ?? [],\n\t\t\tstatus: agent.status as AgentIdentity[\"status\"],\n\t\t\texpiresAt: agent.expiresAt,\n\t\t\tcreatedAt: agent.createdAt,\n\t\t\tupdatedAt: agent.updatedAt,\n\t\t}));\n\t}\n\n\tasync function update(agentId: string, input: UpdateAgentInput): Promise<AgentIdentity> {\n\t\tconst existing = await get(agentId);\n\t\tif (!existing) throw new Error(`Agent ${agentId} not found.`);\n\n\t\tconst now = new Date();\n\n\t\tawait db\n\t\t\t.update(agents)\n\t\t\t.set({\n\t\t\t\tname: input.name ?? existing.name,\n\t\t\t\texpiresAt: input.expiresAt ?? existing.expiresAt,\n\t\t\t\tmetadata: input.metadata,\n\t\t\t\tupdatedAt: now,\n\t\t\t})\n\t\t\t.where(eq(agents.id, agentId));\n\n\t\t// Replace permissions if provided\n\t\tif (input.permissions) {\n\t\t\tawait db.delete(permissions).where(eq(permissions.agentId, agentId));\n\t\t\tif (input.permissions.length > 0) {\n\t\t\t\tawait db.insert(permissions).values(\n\t\t\t\t\tinput.permissions.map((p) => ({\n\t\t\t\t\t\tid: randomUUID(),\n\t\t\t\t\t\tagentId,\n\t\t\t\t\t\tresource: p.resource,\n\t\t\t\t\t\tactions: p.actions,\n\t\t\t\t\t\tconstraints: p.constraints ?? 
null,\n\t\t\t\t\t\tcreatedAt: now,\n\t\t\t\t\t})),\n\t\t\t\t);\n\t\t\t}\n\t\t}\n\n\t\tconst updated = await get(agentId);\n\t\tif (!updated) throw new Error(`Agent ${agentId} disappeared after update.`);\n\t\treturn updated;\n\t}\n\n\tasync function revoke(agentId: string): Promise<void> {\n\t\tconst existing = await get(agentId);\n\t\tif (!existing) throw new Error(`Agent ${agentId} not found.`);\n\n\t\tawait db\n\t\t\t.update(agents)\n\t\t\t.set({ status: \"revoked\", updatedAt: new Date() })\n\t\t\t.where(eq(agents.id, agentId));\n\t}\n\n\tasync function rotate(agentId: string): Promise<AgentIdentity & { token: string }> {\n\t\tconst existing = await get(agentId);\n\t\tif (!existing) throw new Error(`Agent ${agentId} not found.`);\n\t\tif (existing.status !== \"active\")\n\t\t\tthrow new Error(`Cannot rotate token for ${existing.status} agent.`);\n\n\t\tconst { token, hash, prefix } = generateAgentToken();\n\t\tconst now = new Date();\n\n\t\tawait db\n\t\t\t.update(agents)\n\t\t\t.set({ tokenHash: hash, tokenPrefix: prefix, updatedAt: now })\n\t\t\t.where(eq(agents.id, agentId));\n\n\t\treturn { ...existing, token, updatedAt: now };\n\t}\n\n\t/**\n\t * Validate an agent token and return the agent identity.\n\t * Used internally by the authorization engine.\n\t */\n\tasync function validateToken(token: string): Promise<AgentIdentity | null> {\n\t\tconst hash = createHash(\"sha256\").update(token).digest(\"hex\");\n\t\tconst rows = await db.select().from(agents).where(eq(agents.tokenHash, hash)).limit(1);\n\t\tconst agent = rows[0];\n\t\tif (!agent) return null;\n\n\t\t// Check status\n\t\tif (agent.status !== \"active\") return null;\n\n\t\t// Check expiry\n\t\tif (agent.expiresAt && agent.expiresAt < new Date()) {\n\t\t\tawait db\n\t\t\t\t.update(agents)\n\t\t\t\t.set({ status: \"expired\", updatedAt: new Date() })\n\t\t\t\t.where(eq(agents.id, agent.id));\n\t\t\treturn null;\n\t\t}\n\n\t\t// Update last active\n\t\tawait db.update(agents).set({ lastActiveAt: 
new Date() }).where(eq(agents.id, agent.id));\n\n\t\tconst perms = await db.select().from(permissions).where(eq(permissions.agentId, agent.id));\n\n\t\treturn {\n\t\t\tid: agent.id,\n\t\t\townerId: agent.ownerId,\n\t\t\tname: agent.name,\n\t\t\ttype: agent.type as AgentIdentity[\"type\"],\n\t\t\ttoken: \"\",\n\t\t\tpermissions: perms.map(toPermission),\n\t\t\tstatus: \"active\",\n\t\t\texpiresAt: agent.expiresAt,\n\t\t\tcreatedAt: agent.createdAt,\n\t\t\tupdatedAt: agent.updatedAt,\n\t\t};\n\t}\n\n\treturn { create, get, list, update, revoke, rotate, validateToken };\n}\n\nfunction toPermission(row: {\n\tresource: string;\n\tactions: string[];\n\tconstraints: unknown;\n}): Permission {\n\treturn {\n\t\tresource: row.resource,\n\t\tactions: row.actions,\n\t\tconstraints: (row.constraints as Permission[\"constraints\"]) ?? undefined,\n\t};\n}\n"]}
@@ -1,161 +0,0 @@
1
- import { __export } from './chunk-PZ5AY32C.js';
2
- import { sqliteTable, integer, text } from 'drizzle-orm/sqlite-core';
3
-
4
- // src/db/schema.ts
5
- var schema_exports = {};
6
- __export(schema_exports, {
7
- agents: () => agents,
8
- auditLogs: () => auditLogs,
9
- delegationChains: () => delegationChains,
10
- mcpServers: () => mcpServers,
11
- oauthAccessTokens: () => oauthAccessTokens,
12
- oauthAuthorizationCodes: () => oauthAuthorizationCodes,
13
- oauthClients: () => oauthClients,
14
- permissions: () => permissions,
15
- rateLimits: () => rateLimits,
16
- sessions: () => sessions,
17
- users: () => users
18
- });
19
- var users = sqliteTable("kavach_users", {
20
- id: text("id").primaryKey(),
21
- email: text("email").notNull().unique(),
22
- name: text("name"),
23
- externalId: text("external_id"),
24
- // ID from external auth (better-auth, Auth.js, etc.)
25
- externalProvider: text("external_provider"),
26
- // "better-auth", "authjs", "clerk", etc.
27
- metadata: text("metadata", { mode: "json" }).$type(),
28
- createdAt: integer("created_at", { mode: "timestamp" }).notNull(),
29
- updatedAt: integer("updated_at", { mode: "timestamp" }).notNull()
30
- });
31
- var agents = sqliteTable("kavach_agents", {
32
- id: text("id").primaryKey(),
33
- ownerId: text("owner_id").notNull().references(() => users.id),
34
- name: text("name").notNull(),
35
- type: text("type", { enum: ["autonomous", "delegated", "service"] }).notNull(),
36
- status: text("status", { enum: ["active", "revoked", "expired"] }).notNull().default("active"),
37
- tokenHash: text("token_hash").notNull(),
38
- // hashed agent token
39
- tokenPrefix: text("token_prefix").notNull(),
40
- // first 8 chars for identification
41
- expiresAt: integer("expires_at", { mode: "timestamp" }),
42
- lastActiveAt: integer("last_active_at", { mode: "timestamp" }),
43
- metadata: text("metadata", { mode: "json" }).$type(),
44
- createdAt: integer("created_at", { mode: "timestamp" }).notNull(),
45
- updatedAt: integer("updated_at", { mode: "timestamp" }).notNull()
46
- });
47
- var permissions = sqliteTable("kavach_permissions", {
48
- id: text("id").primaryKey(),
49
- agentId: text("agent_id").notNull().references(() => agents.id, { onDelete: "cascade" }),
50
- resource: text("resource").notNull(),
51
- // e.g. "mcp:github:*", "tool:file_read"
52
- actions: text("actions", { mode: "json" }).notNull().$type(),
53
- // ["read", "write", "execute"]
54
- constraints: text("constraints", { mode: "json" }).$type(),
55
- createdAt: integer("created_at", { mode: "timestamp" }).notNull()
56
- });
57
- var delegationChains = sqliteTable("kavach_delegation_chains", {
58
- id: text("id").primaryKey(),
59
- fromAgentId: text("from_agent_id").notNull().references(() => agents.id),
60
- toAgentId: text("to_agent_id").notNull().references(() => agents.id),
61
- permissions: text("permissions", { mode: "json" }).notNull().$type(),
62
- depth: integer("depth").notNull().default(1),
63
- maxDepth: integer("max_depth").notNull().default(3),
64
- status: text("status", { enum: ["active", "revoked", "expired"] }).notNull().default("active"),
65
- expiresAt: integer("expires_at", { mode: "timestamp" }).notNull(),
66
- createdAt: integer("created_at", { mode: "timestamp" }).notNull()
67
- });
68
- var auditLogs = sqliteTable("kavach_audit_logs", {
69
- id: text("id").primaryKey(),
70
- agentId: text("agent_id").notNull().references(() => agents.id),
71
- userId: text("user_id").notNull().references(() => users.id),
72
- action: text("action").notNull(),
73
- // "execute", "read", "write", "delete"
74
- resource: text("resource").notNull(),
75
- // "mcp:github:create_issue"
76
- parameters: text("parameters", { mode: "json" }).$type(),
77
- result: text("result", { enum: ["allowed", "denied", "rate_limited"] }).notNull(),
78
- reason: text("reason"),
79
- // why denied/rate_limited
80
- durationMs: integer("duration_ms").notNull(),
81
- tokensCost: integer("tokens_cost"),
82
- ip: text("ip"),
83
- userAgent: text("user_agent"),
84
- timestamp: integer("timestamp", { mode: "timestamp" }).notNull()
85
- });
86
- var rateLimits = sqliteTable("kavach_rate_limits", {
87
- id: text("id").primaryKey(),
88
- agentId: text("agent_id").notNull().references(() => agents.id, { onDelete: "cascade" }),
89
- resource: text("resource").notNull(),
90
- windowStart: integer("window_start", { mode: "timestamp" }).notNull(),
91
- count: integer("count").notNull().default(0)
92
- });
93
- var mcpServers = sqliteTable("kavach_mcp_servers", {
94
- id: text("id").primaryKey(),
95
- name: text("name").notNull(),
96
- endpoint: text("endpoint").notNull().unique(),
97
- tools: text("tools", { mode: "json" }).notNull().$type(),
98
- authRequired: integer("auth_required", { mode: "boolean" }).notNull().default(true),
99
- rateLimitRpm: integer("rate_limit_rpm"),
100
- status: text("status", { enum: ["active", "inactive"] }).notNull().default("active"),
101
- createdAt: integer("created_at", { mode: "timestamp" }).notNull(),
102
- updatedAt: integer("updated_at", { mode: "timestamp" }).notNull()
103
- });
104
- var sessions = sqliteTable("kavach_sessions", {
105
- id: text("id").primaryKey(),
106
- userId: text("user_id").notNull().references(() => users.id),
107
- expiresAt: integer("expires_at", { mode: "timestamp" }).notNull(),
108
- metadata: text("metadata", { mode: "json" }).$type(),
109
- createdAt: integer("created_at", { mode: "timestamp" }).notNull()
110
- });
111
- var oauthClients = sqliteTable("kavach_oauth_clients", {
112
- id: text("id").primaryKey(),
113
- clientId: text("client_id").notNull().unique(),
114
- clientSecret: text("client_secret"),
115
- // null for public clients
116
- clientName: text("client_name"),
117
- clientUri: text("client_uri"),
118
- redirectUris: text("redirect_uris", { mode: "json" }).notNull().$type(),
119
- grantTypes: text("grant_types", { mode: "json" }).notNull().$type().default(["authorization_code"]),
120
- responseTypes: text("response_types", { mode: "json" }).notNull().$type().default(["code"]),
121
- tokenEndpointAuthMethod: text("token_endpoint_auth_method").notNull().default("client_secret_basic"),
122
- type: text("type", { enum: ["public", "confidential"] }).notNull().default("confidential"),
123
- disabled: integer("disabled", { mode: "boolean" }).notNull().default(false),
124
- metadata: text("metadata", { mode: "json" }).$type(),
125
- createdAt: integer("created_at", { mode: "timestamp" }).notNull(),
126
- updatedAt: integer("updated_at", { mode: "timestamp" }).notNull()
127
- });
128
- var oauthAccessTokens = sqliteTable("kavach_oauth_access_tokens", {
129
- id: text("id").primaryKey(),
130
- accessToken: text("access_token").notNull().unique(),
131
- refreshToken: text("refresh_token").unique(),
132
- clientId: text("client_id").notNull().references(() => oauthClients.clientId),
133
- userId: text("user_id").notNull().references(() => users.id),
134
- scopes: text("scopes").notNull(),
135
- // space-separated
136
- resource: text("resource"),
137
- // RFC 8707 - audience binding
138
- accessTokenExpiresAt: integer("access_token_expires_at", { mode: "timestamp" }).notNull(),
139
- refreshTokenExpiresAt: integer("refresh_token_expires_at", { mode: "timestamp" }),
140
- createdAt: integer("created_at", { mode: "timestamp" }).notNull()
141
- });
142
- var oauthAuthorizationCodes = sqliteTable("kavach_oauth_authorization_codes", {
143
- id: text("id").primaryKey(),
144
- code: text("code").notNull().unique(),
145
- clientId: text("client_id").notNull().references(() => oauthClients.clientId),
146
- userId: text("user_id").notNull().references(() => users.id),
147
- redirectUri: text("redirect_uri").notNull(),
148
- scopes: text("scopes").notNull(),
149
- codeChallenge: text("code_challenge"),
150
- // PKCE
151
- codeChallengeMethod: text("code_challenge_method"),
152
- // "S256"
153
- resource: text("resource"),
154
- // RFC 8707
155
- expiresAt: integer("expires_at", { mode: "timestamp" }).notNull(),
156
- createdAt: integer("created_at", { mode: "timestamp" }).notNull()
157
- });
158
-
159
- export { agents, auditLogs, delegationChains, mcpServers, oauthAccessTokens, oauthAuthorizationCodes, oauthClients, permissions, rateLimits, schema_exports, sessions, users };
160
- //# sourceMappingURL=chunk-UEE7OYLG.js.map
161
- //# sourceMappingURL=chunk-UEE7OYLG.js.map
@@ -1 +0,0 @@
1
- {"version":3,"sources":["../src/db/schema.ts"],"names":[],"mappings":";;;;AAAA,IAAA,cAAA,GAAA;AAAA,QAAA,CAAA,cAAA,EAAA;AAAA,EAAA,MAAA,EAAA,MAAA,MAAA;AAAA,EAAA,SAAA,EAAA,MAAA,SAAA;AAAA,EAAA,gBAAA,EAAA,MAAA,gBAAA;AAAA,EAAA,UAAA,EAAA,MAAA,UAAA;AAAA,EAAA,iBAAA,EAAA,MAAA,iBAAA;AAAA,EAAA,uBAAA,EAAA,MAAA,uBAAA;AAAA,EAAA,YAAA,EAAA,MAAA,YAAA;AAAA,EAAA,WAAA,EAAA,MAAA,WAAA;AAAA,EAAA,UAAA,EAAA,MAAA,UAAA;AAAA,EAAA,QAAA,EAAA,MAAA,QAAA;AAAA,EAAA,KAAA,EAAA,MAAA;AAAA,CAAA,CAAA;AAKO,IAAM,KAAA,GAAQ,YAAY,cAAA,EAAgB;AAAA,EAChD,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,OAAO,IAAA,CAAK,OAAO,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EACtC,IAAA,EAAM,KAAK,MAAM,CAAA;AAAA,EACjB,UAAA,EAAY,KAAK,aAAa,CAAA;AAAA;AAAA,EAC9B,gBAAA,EAAkB,KAAK,mBAAmB,CAAA;AAAA;AAAA,EAC1C,QAAA,EAAU,KAAK,UAAA,EAAY,EAAE,MAAM,MAAA,EAAQ,EAAE,KAAA,EAA+B;AAAA,EAC5E,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAKM,IAAM,MAAA,GAAS,YAAY,eAAA,EAAiB;AAAA,EAClD,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,OAAA,EAAS,KAAK,UAAU,CAAA,CACtB,SAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAE,CAAA;AAAA,EAC3B,IAAA,EAAM,IAAA,CAAK,MAAM,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC3B,IAAA,EAAM,IAAA,CAAK,MAAA,EAAQ,EAAE,IAAA,EAAM,CAAC,YAAA,EAAc,WAAA,EAAa,SAAS,CAAA,EAAG,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC7E,MAAA,EAAQ,IAAA,CAAK,QAAA,EAAU,EAAE,MAAM,CAAC,QAAA,EAAU,SAAA,EAAW,SAAS,GAAG,CAAA,CAC/D,OAAA,EAAQ,CACR,QAAQ,QAAQ,CAAA;AAAA,EAClB,SAAA,EAAW,IAAA,CAAK,YAAY,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EACtC,WAAA,EAAa,IAAA,CAAK,cAAc,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EAC1C,WAAW,OAAA,CAAQ,YAAA,EAAc,EAAE,IAAA,EAAM,aAAa,CAAA;AAAA,EACtD,cAAc,OAAA,CAAQ,gBAAA,EAAkB,EAAE,IAAA,EAAM,aAAa,CAAA;AAAA,EAC7D,QAAA,EAAU,KAAK,UAAA,EAAY,EAAE,MAAM,MAAA,EAAQ,EAAE,KAAA,EAA+B;AAAA,EAC5E,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAKM,IAAM,WAAA,GAAc,YAAY,oBAAA,EAAsB;AAAA,EAC5D,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;A
AAA,EAC1B,OAAA,EAAS,IAAA,CAAK,UAAU,CAAA,CACtB,OAAA,EAAQ,CACR,UAAA,CAAW,MAAM,MAAA,CAAO,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;AAAA,EACrD,QAAA,EAAU,IAAA,CAAK,UAAU,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EACnC,OAAA,EAAS,IAAA,CAAK,SAAA,EAAW,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAAgB;AAAA;AAAA,EACrE,WAAA,EAAa,KAAK,aAAA,EAAe,EAAE,MAAM,MAAA,EAAQ,EAAE,KAAA,EAAgC;AAAA,EACnF,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAaM,IAAM,gBAAA,GAAmB,YAAY,0BAAA,EAA4B;AAAA,EACvE,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,WAAA,EAAa,KAAK,eAAe,CAAA,CAC/B,SAAQ,CACR,UAAA,CAAW,MAAM,MAAA,CAAO,EAAE,CAAA;AAAA,EAC5B,SAAA,EAAW,KAAK,aAAa,CAAA,CAC3B,SAAQ,CACR,UAAA,CAAW,MAAM,MAAA,CAAO,EAAE,CAAA;AAAA,EAC5B,WAAA,EAAa,IAAA,CAAK,aAAA,EAAe,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAAiC;AAAA,EAC9F,OAAO,OAAA,CAAQ,OAAO,EAAE,OAAA,EAAQ,CAAE,QAAQ,CAAC,CAAA;AAAA,EAC3C,UAAU,OAAA,CAAQ,WAAW,EAAE,OAAA,EAAQ,CAAE,QAAQ,CAAC,CAAA;AAAA,EAClD,MAAA,EAAQ,IAAA,CAAK,QAAA,EAAU,EAAE,MAAM,CAAC,QAAA,EAAU,SAAA,EAAW,SAAS,GAAG,CAAA,CAC/D,OAAA,EAAQ,CACR,QAAQ,QAAQ,CAAA;AAAA,EAClB,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAUM,IAAM,SAAA,GAAY,YAAY,mBAAA,EAAqB;AAAA,EACzD,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,OAAA,EAAS,KAAK,UAAU,CAAA,CACtB,SAAQ,CACR,UAAA,CAAW,MAAM,MAAA,CAAO,EAAE,CAAA;AAAA,EAC5B,MAAA,EAAQ,KAAK,SAAS,CAAA,CACpB,SAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAE,CAAA;AAAA,EAC3B,MAAA,EAAQ,IAAA,CAAK,QAAQ,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EAC/B,QAAA,EAAU,IAAA,CAAK,UAAU,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EACnC,UAAA,EAAY,KAAK,YAAA,EAAc,EAAE,MAAM,MAAA,EAAQ,EAAE,KAAA,EAA+B;AAAA,EAChF,MAAA,EAAQ,IAAA,CAAK,QAAA,EAAU,EAAE,IAAA,EAAM,CAAC,SAAA,EAAW,QAAA,EAAU,cAAc,CAAA,EAAG,CAAA,CAAE,OAAA,EAAQ;AAAA,EAChF,MAAA,EAAQ,KAAK,QAAQ,CAAA;AAAA;AAAA,EACrB,UAAA,EAAY,OAAA,CAAQ,aAAa,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC3C,UAAA,EAAY,QAAQ,aAAa,CAAA;AAAA,EACjC,EAAA,EAAI,KAAK,IAAI,CAAA;AAAA,EACb,SAAA,EAAW,KAAK,YAAY,CAAA;AAAA,EAC5B,SA
AA,EAAW,QAAQ,WAAA,EAAa,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACxD,CAAC;AAKM,IAAM,UAAA,GAAa,YAAY,oBAAA,EAAsB;AAAA,EAC3D,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,OAAA,EAAS,IAAA,CAAK,UAAU,CAAA,CACtB,OAAA,EAAQ,CACR,UAAA,CAAW,MAAM,MAAA,CAAO,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;AAAA,EACrD,QAAA,EAAU,IAAA,CAAK,UAAU,CAAA,CAAE,OAAA,EAAQ;AAAA,EACnC,WAAA,EAAa,QAAQ,cAAA,EAAgB,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EACpE,OAAO,OAAA,CAAQ,OAAO,EAAE,OAAA,EAAQ,CAAE,QAAQ,CAAC;AAC5C,CAAC;AAKM,IAAM,UAAA,GAAa,YAAY,oBAAA,EAAsB;AAAA,EAC3D,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,IAAA,EAAM,IAAA,CAAK,MAAM,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC3B,UAAU,IAAA,CAAK,UAAU,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EAC5C,KAAA,EAAO,IAAA,CAAK,OAAA,EAAS,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAAgB;AAAA,EACjE,YAAA,EAAc,OAAA,CAAQ,eAAA,EAAiB,EAAE,IAAA,EAAM,SAAA,EAAW,CAAA,CAAE,OAAA,EAAQ,CAAE,OAAA,CAAQ,IAAI,CAAA;AAAA,EAClF,YAAA,EAAc,QAAQ,gBAAgB,CAAA;AAAA,EACtC,MAAA,EAAQ,IAAA,CAAK,QAAA,EAAU,EAAE,MAAM,CAAC,QAAA,EAAU,UAAU,CAAA,EAAG,CAAA,CACrD,OAAA,EAAQ,CACR,QAAQ,QAAQ,CAAA;AAAA,EAClB,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAKM,IAAM,QAAA,GAAW,YAAY,iBAAA,EAAmB;AAAA,EACtD,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,MAAA,EAAQ,KAAK,SAAS,CAAA,CACpB,SAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAE,CAAA;AAAA,EAC3B,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,QAAA,EAAU,KAAK,UAAA,EAAY,EAAE,MAAM,MAAA,EAAQ,EAAE,KAAA,EAA+B;AAAA,EAC5E,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAKM,IAAM,YAAA,GAAe,YAAY,sBAAA,EAAwB;AAAA,EAC/D,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,UAAU,IAAA,CAAK,WAAW,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EAC7C,YAAA,EAAc,KAAK,eAAe,CAAA;AAAA;AAAA,EAClC,UAAA,EAAY,KAAK,aAAa,CAAA;AAAA,EAC9B,SAAA,EAAW,KAAK,YAAY,CAAA;AAAA,EAC5B,YAAA,EAAc,IAAA,CAAK,eAAA,EAAiB,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAAgB;AAAA,EAChF,UAAA,EAAY,IAAA,CAA
K,aAAA,EAAe,EAAE,MAAM,MAAA,EAAQ,CAAA,CAC9C,OAAA,GACA,KAAA,EAAgB,CAChB,OAAA,CAAQ,CAAC,oBAAoB,CAAC,CAAA;AAAA,EAChC,aAAA,EAAe,IAAA,CAAK,gBAAA,EAAkB,EAAE,MAAM,MAAA,EAAQ,CAAA,CACpD,OAAA,GACA,KAAA,EAAgB,CAChB,OAAA,CAAQ,CAAC,MAAM,CAAC,CAAA;AAAA,EAClB,yBAAyB,IAAA,CAAK,4BAA4B,EACxD,OAAA,EAAQ,CACR,QAAQ,qBAAqB,CAAA;AAAA,EAC/B,IAAA,EAAM,IAAA,CAAK,MAAA,EAAQ,EAAE,MAAM,CAAC,QAAA,EAAU,cAAc,CAAA,EAAG,CAAA,CACrD,OAAA,EAAQ,CACR,QAAQ,cAAc,CAAA;AAAA,EACxB,QAAA,EAAU,OAAA,CAAQ,UAAA,EAAY,EAAE,IAAA,EAAM,SAAA,EAAW,CAAA,CAAE,OAAA,EAAQ,CAAE,OAAA,CAAQ,KAAK,CAAA;AAAA,EAC1E,QAAA,EAAU,KAAK,UAAA,EAAY,EAAE,MAAM,MAAA,EAAQ,EAAE,KAAA,EAA+B;AAAA,EAC5E,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAKM,IAAM,iBAAA,GAAoB,YAAY,4BAAA,EAA8B;AAAA,EAC1E,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,aAAa,IAAA,CAAK,cAAc,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EACnD,YAAA,EAAc,IAAA,CAAK,eAAe,CAAA,CAAE,MAAA,EAAO;AAAA,EAC3C,QAAA,EAAU,KAAK,WAAW,CAAA,CACxB,SAAQ,CACR,UAAA,CAAW,MAAM,YAAA,CAAa,QAAQ,CAAA;AAAA,EACxC,MAAA,EAAQ,KAAK,SAAS,CAAA,CACpB,SAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAE,CAAA;AAAA,EAC3B,MAAA,EAAQ,IAAA,CAAK,QAAQ,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EAC/B,QAAA,EAAU,KAAK,UAAU,CAAA;AAAA;AAAA,EACzB,oBAAA,EAAsB,QAAQ,yBAAA,EAA2B,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EACxF,uBAAuB,OAAA,CAAQ,0BAAA,EAA4B,EAAE,IAAA,EAAM,aAAa,CAAA;AAAA,EAChF,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAKM,IAAM,uBAAA,GAA0B,YAAY,kCAAA,EAAoC;AAAA,EACtF,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,MAAM,IAAA,CAAK,MAAM,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EACpC,QAAA,EAAU,KAAK,WAAW,CAAA,CACxB,SAAQ,CACR,UAAA,CAAW,MAAM,YAAA,CAAa,QAAQ,CAAA;AAAA,EACxC,MAAA,EAAQ,KAAK,SAAS,CAAA,CACpB,SAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAE,CAAA;AAAA,EAC3B,WAAA,EAAa,IAAA,CAAK,cAAc,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC1C,MAAA,EAAQ,IAAA,CAAK,QAAQ,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC/B,aAAA,EAAe,KAAK,gBAAgB,CAAA;AAAA;AAAA,EACpC,mBAAA,EAAqB,KAAK,uBAAuB,CAAA;AAAA;AAAA,E
ACjD,QAAA,EAAU,KAAK,UAAU,CAAA;AAAA;AAAA,EACzB,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC","file":"chunk-UEE7OYLG.js","sourcesContent":["import { integer, sqliteTable, text } from \"drizzle-orm/sqlite-core\";\n\n// ============================================================\n// Users (basic human identity - integrates with external auth)\n// ============================================================\nexport const users = sqliteTable(\"kavach_users\", {\n\tid: text(\"id\").primaryKey(),\n\temail: text(\"email\").notNull().unique(),\n\tname: text(\"name\"),\n\texternalId: text(\"external_id\"), // ID from external auth (better-auth, Auth.js, etc.)\n\texternalProvider: text(\"external_provider\"), // \"better-auth\", \"authjs\", \"clerk\", etc.\n\tmetadata: text(\"metadata\", { mode: \"json\" }).$type<Record<string, unknown>>(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n\tupdatedAt: integer(\"updated_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Agents (the core differentiator - AI agent identities)\n// ============================================================\nexport const agents = sqliteTable(\"kavach_agents\", {\n\tid: text(\"id\").primaryKey(),\n\townerId: text(\"owner_id\")\n\t\t.notNull()\n\t\t.references(() => users.id),\n\tname: text(\"name\").notNull(),\n\ttype: text(\"type\", { enum: [\"autonomous\", \"delegated\", \"service\"] }).notNull(),\n\tstatus: text(\"status\", { enum: [\"active\", \"revoked\", \"expired\"] })\n\t\t.notNull()\n\t\t.default(\"active\"),\n\ttokenHash: text(\"token_hash\").notNull(), // hashed agent token\n\ttokenPrefix: text(\"token_prefix\").notNull(), // first 8 chars for identification\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }),\n\tlastActiveAt: integer(\"last_active_at\", { mode: \"timestamp\" }),\n\tmetadata: 
text(\"metadata\", { mode: \"json\" }).$type<Record<string, unknown>>(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n\tupdatedAt: integer(\"updated_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Permissions (scoped access control per agent)\n// ============================================================\nexport const permissions = sqliteTable(\"kavach_permissions\", {\n\tid: text(\"id\").primaryKey(),\n\tagentId: text(\"agent_id\")\n\t\t.notNull()\n\t\t.references(() => agents.id, { onDelete: \"cascade\" }),\n\tresource: text(\"resource\").notNull(), // e.g. \"mcp:github:*\", \"tool:file_read\"\n\tactions: text(\"actions\", { mode: \"json\" }).notNull().$type<string[]>(), // [\"read\", \"write\", \"execute\"]\n\tconstraints: text(\"constraints\", { mode: \"json\" }).$type<PermissionConstraintsRow>(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\ninterface PermissionConstraintsRow {\n\tmaxCallsPerHour?: number;\n\tallowedArgPatterns?: string[];\n\trequireApproval?: boolean;\n\ttimeWindow?: { start: string; end: string };\n\tipAllowlist?: string[];\n}\n\n// ============================================================\n// Delegation Chains (agent-to-agent permission delegation)\n// ============================================================\nexport const delegationChains = sqliteTable(\"kavach_delegation_chains\", {\n\tid: text(\"id\").primaryKey(),\n\tfromAgentId: text(\"from_agent_id\")\n\t\t.notNull()\n\t\t.references(() => agents.id),\n\ttoAgentId: text(\"to_agent_id\")\n\t\t.notNull()\n\t\t.references(() => agents.id),\n\tpermissions: text(\"permissions\", { mode: \"json\" }).notNull().$type<DelegationPermissionRow[]>(),\n\tdepth: integer(\"depth\").notNull().default(1),\n\tmaxDepth: integer(\"max_depth\").notNull().default(3),\n\tstatus: text(\"status\", { enum: [\"active\", \"revoked\", \"expired\"] 
})\n\t\t.notNull()\n\t\t.default(\"active\"),\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\ninterface DelegationPermissionRow {\n\tresource: string;\n\tactions: string[];\n}\n\n// ============================================================\n// Audit Logs (immutable record of every agent action)\n// ============================================================\nexport const auditLogs = sqliteTable(\"kavach_audit_logs\", {\n\tid: text(\"id\").primaryKey(),\n\tagentId: text(\"agent_id\")\n\t\t.notNull()\n\t\t.references(() => agents.id),\n\tuserId: text(\"user_id\")\n\t\t.notNull()\n\t\t.references(() => users.id),\n\taction: text(\"action\").notNull(), // \"execute\", \"read\", \"write\", \"delete\"\n\tresource: text(\"resource\").notNull(), // \"mcp:github:create_issue\"\n\tparameters: text(\"parameters\", { mode: \"json\" }).$type<Record<string, unknown>>(),\n\tresult: text(\"result\", { enum: [\"allowed\", \"denied\", \"rate_limited\"] }).notNull(),\n\treason: text(\"reason\"), // why denied/rate_limited\n\tdurationMs: integer(\"duration_ms\").notNull(),\n\ttokensCost: integer(\"tokens_cost\"),\n\tip: text(\"ip\"),\n\tuserAgent: text(\"user_agent\"),\n\ttimestamp: integer(\"timestamp\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Rate Limit Counters (track per-agent call rates)\n// ============================================================\nexport const rateLimits = sqliteTable(\"kavach_rate_limits\", {\n\tid: text(\"id\").primaryKey(),\n\tagentId: text(\"agent_id\")\n\t\t.notNull()\n\t\t.references(() => agents.id, { onDelete: \"cascade\" }),\n\tresource: text(\"resource\").notNull(),\n\twindowStart: integer(\"window_start\", { mode: \"timestamp\" }).notNull(),\n\tcount: integer(\"count\").notNull().default(0),\n});\n\n// ============================================================\n// 
MCP Servers (registered MCP servers)\n// ============================================================\nexport const mcpServers = sqliteTable(\"kavach_mcp_servers\", {\n\tid: text(\"id\").primaryKey(),\n\tname: text(\"name\").notNull(),\n\tendpoint: text(\"endpoint\").notNull().unique(),\n\ttools: text(\"tools\", { mode: \"json\" }).notNull().$type<string[]>(),\n\tauthRequired: integer(\"auth_required\", { mode: \"boolean\" }).notNull().default(true),\n\trateLimitRpm: integer(\"rate_limit_rpm\"),\n\tstatus: text(\"status\", { enum: [\"active\", \"inactive\"] })\n\t\t.notNull()\n\t\t.default(\"active\"),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n\tupdatedAt: integer(\"updated_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Sessions (human user sessions managed by KavachOS)\n// ============================================================\nexport const sessions = sqliteTable(\"kavach_sessions\", {\n\tid: text(\"id\").primaryKey(),\n\tuserId: text(\"user_id\")\n\t\t.notNull()\n\t\t.references(() => users.id),\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n\tmetadata: text(\"metadata\", { mode: \"json\" }).$type<Record<string, unknown>>(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// OAuth Clients (for MCP OAuth 2.1 - dynamic client registration)\n// ============================================================\nexport const oauthClients = sqliteTable(\"kavach_oauth_clients\", {\n\tid: text(\"id\").primaryKey(),\n\tclientId: text(\"client_id\").notNull().unique(),\n\tclientSecret: text(\"client_secret\"), // null for public clients\n\tclientName: text(\"client_name\"),\n\tclientUri: text(\"client_uri\"),\n\tredirectUris: text(\"redirect_uris\", { mode: \"json\" }).notNull().$type<string[]>(),\n\tgrantTypes: text(\"grant_types\", { mode: 
\"json\" })\n\t\t.notNull()\n\t\t.$type<string[]>()\n\t\t.default([\"authorization_code\"]),\n\tresponseTypes: text(\"response_types\", { mode: \"json\" })\n\t\t.notNull()\n\t\t.$type<string[]>()\n\t\t.default([\"code\"]),\n\ttokenEndpointAuthMethod: text(\"token_endpoint_auth_method\")\n\t\t.notNull()\n\t\t.default(\"client_secret_basic\"),\n\ttype: text(\"type\", { enum: [\"public\", \"confidential\"] })\n\t\t.notNull()\n\t\t.default(\"confidential\"),\n\tdisabled: integer(\"disabled\", { mode: \"boolean\" }).notNull().default(false),\n\tmetadata: text(\"metadata\", { mode: \"json\" }).$type<Record<string, unknown>>(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n\tupdatedAt: integer(\"updated_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// OAuth Access Tokens (issued tokens for MCP auth)\n// ============================================================\nexport const oauthAccessTokens = sqliteTable(\"kavach_oauth_access_tokens\", {\n\tid: text(\"id\").primaryKey(),\n\taccessToken: text(\"access_token\").notNull().unique(),\n\trefreshToken: text(\"refresh_token\").unique(),\n\tclientId: text(\"client_id\")\n\t\t.notNull()\n\t\t.references(() => oauthClients.clientId),\n\tuserId: text(\"user_id\")\n\t\t.notNull()\n\t\t.references(() => users.id),\n\tscopes: text(\"scopes\").notNull(), // space-separated\n\tresource: text(\"resource\"), // RFC 8707 - audience binding\n\taccessTokenExpiresAt: integer(\"access_token_expires_at\", { mode: \"timestamp\" }).notNull(),\n\trefreshTokenExpiresAt: integer(\"refresh_token_expires_at\", { mode: \"timestamp\" }),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// OAuth Authorization Codes (temporary codes for code exchange)\n// ============================================================\nexport const oauthAuthorizationCodes = 
sqliteTable(\"kavach_oauth_authorization_codes\", {\n\tid: text(\"id\").primaryKey(),\n\tcode: text(\"code\").notNull().unique(),\n\tclientId: text(\"client_id\")\n\t\t.notNull()\n\t\t.references(() => oauthClients.clientId),\n\tuserId: text(\"user_id\")\n\t\t.notNull()\n\t\t.references(() => users.id),\n\tredirectUri: text(\"redirect_uri\").notNull(),\n\tscopes: text(\"scopes\").notNull(),\n\tcodeChallenge: text(\"code_challenge\"), // PKCE\n\tcodeChallengeMethod: text(\"code_challenge_method\"), // \"S256\"\n\tresource: text(\"resource\"), // RFC 8707\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n"]}