kavachos 0.0.4 → 0.0.6
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/a2a/index.d.ts +2340 -0
- package/dist/a2a/index.js +821 -0
- package/dist/a2a/index.js.map +1 -0
- package/dist/agent/index.d.ts +3 -4
- package/dist/agent/index.js +4 -3
- package/dist/audit/index.d.ts +2 -3
- package/dist/audit/index.js +3 -3
- package/dist/auth/index.d.ts +490 -93
- package/dist/auth/index.js +4 -3
- package/dist/{chunk-KL6XW4S4.js → chunk-FKVAXCNJ.js} +2375 -633
- package/dist/chunk-FKVAXCNJ.js.map +1 -0
- package/dist/{chunk-5DT4DN4Y.js → chunk-IKTOSJ4O.js} +13 -13
- package/dist/chunk-IKTOSJ4O.js.map +1 -0
- package/dist/{chunk-V66UUIA7.js → chunk-KDL6A76K.js} +93 -4
- package/dist/chunk-KDL6A76K.js.map +1 -0
- package/dist/chunk-NSBPE2FW.js +15 -0
- package/dist/{chunk-PZ5AY32C.js.map → chunk-NSBPE2FW.js.map} +1 -1
- package/dist/chunk-NSTER7KE.js +538 -0
- package/dist/chunk-NSTER7KE.js.map +1 -0
- package/dist/chunk-QCRHJMDX.js +186 -0
- package/dist/chunk-QCRHJMDX.js.map +1 -0
- package/dist/{chunk-OVGNZ5OX.js → chunk-VHKZARMM.js} +6 -6
- package/dist/chunk-VHKZARMM.js.map +1 -0
- package/dist/{chunk-SJGSPIAD.js → chunk-Y3OWAJHK.js} +3 -3
- package/dist/{chunk-SJGSPIAD.js.map → chunk-Y3OWAJHK.js.map} +1 -1
- package/dist/index.d.ts +138 -6
- package/dist/index.js +580 -35
- package/dist/index.js.map +1 -1
- package/dist/mcp/index.d.ts +2 -2
- package/dist/mcp/index.js +12 -16
- package/dist/mcp/index.js.map +1 -1
- package/dist/permission/index.d.ts +3 -4
- package/dist/permission/index.js +4 -3
- package/dist/{types-Xk83hv4O.d.ts → types-W8X0PXE7.d.ts} +1764 -99
- package/dist/vc/index.d.ts +800 -0
- package/dist/vc/index.js +5 -0
- package/dist/vc/index.js.map +1 -0
- package/package.json +17 -1
- package/dist/chunk-5DT4DN4Y.js.map +0 -1
- package/dist/chunk-KL6XW4S4.js.map +0 -1
- package/dist/chunk-OVGNZ5OX.js.map +0 -1
- package/dist/chunk-PZ5AY32C.js +0 -9
- package/dist/chunk-V66UUIA7.js.map +0 -1
- package/dist/{types-mwupB57A.d.ts → types-BuHrZcjE.d.ts} +2 -2
|
@@ -0,0 +1,186 @@
|
|
|
1
|
+
// src/crypto/web-crypto.ts
|
|
2
|
+
var HEX_CHARS = "0123456789abcdef";
|
|
3
|
+
function toHex(bytes) {
|
|
4
|
+
let hex = "";
|
|
5
|
+
for (let i = 0; i < bytes.length; i++) {
|
|
6
|
+
const b = bytes[i];
|
|
7
|
+
hex += HEX_CHARS[b >> 4];
|
|
8
|
+
hex += HEX_CHARS[b & 15];
|
|
9
|
+
}
|
|
10
|
+
return hex;
|
|
11
|
+
}
|
|
12
|
+
function fromHex(hex) {
|
|
13
|
+
if (hex.length % 2 !== 0) {
|
|
14
|
+
throw new Error("fromHex: hex string must have even length");
|
|
15
|
+
}
|
|
16
|
+
const bytes = new Uint8Array(hex.length / 2);
|
|
17
|
+
for (let i = 0; i < bytes.length; i++) {
|
|
18
|
+
const hi = parseInt(hex[i * 2], 16);
|
|
19
|
+
const lo = parseInt(hex[i * 2 + 1], 16);
|
|
20
|
+
if (Number.isNaN(hi) || Number.isNaN(lo)) {
|
|
21
|
+
throw new Error(`fromHex: invalid hex character at position ${i * 2}`);
|
|
22
|
+
}
|
|
23
|
+
bytes[i] = hi << 4 | lo;
|
|
24
|
+
}
|
|
25
|
+
return bytes;
|
|
26
|
+
}
|
|
27
|
+
function toBase64Url(bytes) {
|
|
28
|
+
let binary = "";
|
|
29
|
+
for (let i = 0; i < bytes.length; i++) {
|
|
30
|
+
binary += String.fromCharCode(bytes[i]);
|
|
31
|
+
}
|
|
32
|
+
return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
|
|
33
|
+
}
|
|
34
|
+
function fromBase64Url(b64) {
|
|
35
|
+
let base64 = b64.replace(/-/g, "+").replace(/_/g, "/");
|
|
36
|
+
while (base64.length % 4 !== 0) {
|
|
37
|
+
base64 += "=";
|
|
38
|
+
}
|
|
39
|
+
const binary = atob(base64);
|
|
40
|
+
const bytes = new Uint8Array(binary.length);
|
|
41
|
+
for (let i = 0; i < binary.length; i++) {
|
|
42
|
+
bytes[i] = binary.charCodeAt(i);
|
|
43
|
+
}
|
|
44
|
+
return bytes;
|
|
45
|
+
}
|
|
46
|
+
function generateId() {
|
|
47
|
+
return globalThis.crypto.randomUUID();
|
|
48
|
+
}
|
|
49
|
+
function randomBytes(length) {
|
|
50
|
+
const bytes = new Uint8Array(length);
|
|
51
|
+
globalThis.crypto.getRandomValues(bytes);
|
|
52
|
+
return bytes;
|
|
53
|
+
}
|
|
54
|
+
function randomBytesHex(length) {
|
|
55
|
+
return toHex(randomBytes(length));
|
|
56
|
+
}
|
|
57
|
+
var TEXT_ENCODER = new TextEncoder();
|
|
58
|
+
function toBytes(data) {
|
|
59
|
+
if (typeof data === "string") {
|
|
60
|
+
const encoded = TEXT_ENCODER.encode(data);
|
|
61
|
+
return encoded.buffer.slice(
|
|
62
|
+
encoded.byteOffset,
|
|
63
|
+
encoded.byteOffset + encoded.byteLength
|
|
64
|
+
);
|
|
65
|
+
}
|
|
66
|
+
return data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength);
|
|
67
|
+
}
|
|
68
|
+
async function sha256(data) {
|
|
69
|
+
const digest = await globalThis.crypto.subtle.digest("SHA-256", toBytes(data));
|
|
70
|
+
return toHex(new Uint8Array(digest));
|
|
71
|
+
}
|
|
72
|
+
async function sha256Raw(data) {
|
|
73
|
+
const digest = await globalThis.crypto.subtle.digest("SHA-256", toBytes(data));
|
|
74
|
+
return new Uint8Array(digest);
|
|
75
|
+
}
|
|
76
|
+
async function sha1(data) {
|
|
77
|
+
const digest = await globalThis.crypto.subtle.digest("SHA-1", toBytes(data));
|
|
78
|
+
return toHex(new Uint8Array(digest));
|
|
79
|
+
}
|
|
80
|
+
async function importHmacKey(key, hash = "SHA-256") {
|
|
81
|
+
const keyData = typeof key === "string" ? TEXT_ENCODER.encode(key) : key;
|
|
82
|
+
return globalThis.crypto.subtle.importKey(
|
|
83
|
+
"raw",
|
|
84
|
+
keyData.buffer.slice(
|
|
85
|
+
keyData.byteOffset,
|
|
86
|
+
keyData.byteOffset + keyData.byteLength
|
|
87
|
+
),
|
|
88
|
+
{ name: "HMAC", hash: { name: hash } },
|
|
89
|
+
false,
|
|
90
|
+
["sign", "verify"]
|
|
91
|
+
);
|
|
92
|
+
}
|
|
93
|
+
async function hmacSha256(key, data) {
|
|
94
|
+
const cryptoKey = await importHmacKey(key, "SHA-256");
|
|
95
|
+
const signature = await globalThis.crypto.subtle.sign("HMAC", cryptoKey, toBytes(data));
|
|
96
|
+
return toHex(new Uint8Array(signature));
|
|
97
|
+
}
|
|
98
|
+
async function hmacSha256Raw(key, data) {
|
|
99
|
+
const cryptoKey = await importHmacKey(key, "SHA-256");
|
|
100
|
+
const signature = await globalThis.crypto.subtle.sign("HMAC", cryptoKey, toBytes(data));
|
|
101
|
+
return new Uint8Array(signature);
|
|
102
|
+
}
|
|
103
|
+
async function hmacSha1Raw(key, data) {
|
|
104
|
+
const cryptoKey = await importHmacKey(key, "SHA-1");
|
|
105
|
+
const buf = data.buffer.slice(
|
|
106
|
+
data.byteOffset,
|
|
107
|
+
data.byteOffset + data.byteLength
|
|
108
|
+
);
|
|
109
|
+
const signature = await globalThis.crypto.subtle.sign("HMAC", cryptoKey, buf);
|
|
110
|
+
return new Uint8Array(signature);
|
|
111
|
+
}
|
|
112
|
+
var PBKDF2_ITERATIONS = 1e5;
|
|
113
|
+
var PBKDF2_KEY_LENGTH = 64;
|
|
114
|
+
var PBKDF2_SALT_LENGTH = 32;
|
|
115
|
+
async function pbkdf2Hash(password, salt, iterations) {
|
|
116
|
+
const actualSalt = salt ?? randomBytes(PBKDF2_SALT_LENGTH);
|
|
117
|
+
const actualIterations = iterations ?? PBKDF2_ITERATIONS;
|
|
118
|
+
const keyMaterial = await globalThis.crypto.subtle.importKey(
|
|
119
|
+
"raw",
|
|
120
|
+
TEXT_ENCODER.encode(password),
|
|
121
|
+
"PBKDF2",
|
|
122
|
+
false,
|
|
123
|
+
["deriveBits"]
|
|
124
|
+
);
|
|
125
|
+
const saltBuf = actualSalt.buffer.slice(
|
|
126
|
+
actualSalt.byteOffset,
|
|
127
|
+
actualSalt.byteOffset + actualSalt.byteLength
|
|
128
|
+
);
|
|
129
|
+
const derived = await globalThis.crypto.subtle.deriveBits(
|
|
130
|
+
{
|
|
131
|
+
name: "PBKDF2",
|
|
132
|
+
salt: saltBuf,
|
|
133
|
+
iterations: actualIterations,
|
|
134
|
+
hash: "SHA-256"
|
|
135
|
+
},
|
|
136
|
+
keyMaterial,
|
|
137
|
+
PBKDF2_KEY_LENGTH * 8
|
|
138
|
+
);
|
|
139
|
+
return `pbkdf2:${actualIterations}:${toHex(actualSalt)}:${toHex(new Uint8Array(derived))}`;
|
|
140
|
+
}
|
|
141
|
+
async function pbkdf2Verify(password, stored) {
|
|
142
|
+
const parts = stored.split(":");
|
|
143
|
+
if (parts.length !== 4 || parts[0] !== "pbkdf2") {
|
|
144
|
+
return false;
|
|
145
|
+
}
|
|
146
|
+
const iterations = parseInt(parts[1], 10);
|
|
147
|
+
const salt = fromHex(parts[2]);
|
|
148
|
+
const storedHash = fromHex(parts[3]);
|
|
149
|
+
if (Number.isNaN(iterations)) return false;
|
|
150
|
+
const keyMaterial = await globalThis.crypto.subtle.importKey(
|
|
151
|
+
"raw",
|
|
152
|
+
TEXT_ENCODER.encode(password),
|
|
153
|
+
"PBKDF2",
|
|
154
|
+
false,
|
|
155
|
+
["deriveBits"]
|
|
156
|
+
);
|
|
157
|
+
const saltBuf = salt.buffer.slice(
|
|
158
|
+
salt.byteOffset,
|
|
159
|
+
salt.byteOffset + salt.byteLength
|
|
160
|
+
);
|
|
161
|
+
const derived = await globalThis.crypto.subtle.deriveBits(
|
|
162
|
+
{
|
|
163
|
+
name: "PBKDF2",
|
|
164
|
+
salt: saltBuf,
|
|
165
|
+
iterations,
|
|
166
|
+
hash: "SHA-256"
|
|
167
|
+
},
|
|
168
|
+
keyMaterial,
|
|
169
|
+
storedHash.length * 8
|
|
170
|
+
);
|
|
171
|
+
return constantTimeEqual(new Uint8Array(derived), storedHash);
|
|
172
|
+
}
|
|
173
|
+
function constantTimeEqual(a, b) {
|
|
174
|
+
if (a.byteLength !== b.byteLength) {
|
|
175
|
+
return false;
|
|
176
|
+
}
|
|
177
|
+
let diff = 0;
|
|
178
|
+
for (let i = 0; i < a.byteLength; i++) {
|
|
179
|
+
diff |= a[i] ^ b[i];
|
|
180
|
+
}
|
|
181
|
+
return diff === 0;
|
|
182
|
+
}
|
|
183
|
+
|
|
184
|
+
export { constantTimeEqual, fromBase64Url, fromHex, generateId, hmacSha1Raw, hmacSha256, hmacSha256Raw, importHmacKey, pbkdf2Hash, pbkdf2Verify, randomBytes, randomBytesHex, sha1, sha256, sha256Raw, toBase64Url, toHex };
|
|
185
|
+
//# sourceMappingURL=chunk-QCRHJMDX.js.map
|
|
186
|
+
//# sourceMappingURL=chunk-QCRHJMDX.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"sources":["../src/crypto/web-crypto.ts"],"names":[],"mappings":";AAYA,IAAM,SAAA,GAAY,kBAAA;AAGX,SAAS,MAAM,KAAA,EAA2B;AAChD,EAAA,IAAI,GAAA,GAAM,EAAA;AACV,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,KAAA,CAAM,QAAQ,CAAA,EAAA,EAAK;AACtC,IAAA,MAAM,CAAA,GAAI,MAAM,CAAC,CAAA;AACjB,IAAA,GAAA,IAAO,SAAA,CAAU,KAAK,CAAC,CAAA;AACvB,IAAA,GAAA,IAAO,SAAA,CAAU,IAAI,EAAI,CAAA;AAAA,EAC1B;AACA,EAAA,OAAO,GAAA;AACR;AAGO,SAAS,QAAQ,GAAA,EAAyB;AAChD,EAAA,IAAI,GAAA,CAAI,MAAA,GAAS,CAAA,KAAM,CAAA,EAAG;AACzB,IAAA,MAAM,IAAI,MAAM,2CAA2C,CAAA;AAAA,EAC5D;AACA,EAAA,MAAM,KAAA,GAAQ,IAAI,UAAA,CAAW,GAAA,CAAI,SAAS,CAAC,CAAA;AAC3C,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,KAAA,CAAM,QAAQ,CAAA,EAAA,EAAK;AACtC,IAAA,MAAM,KAAK,QAAA,CAAS,GAAA,CAAI,CAAA,GAAI,CAAC,GAAa,EAAE,CAAA;AAC5C,IAAA,MAAM,KAAK,QAAA,CAAS,GAAA,CAAI,IAAI,CAAA,GAAI,CAAC,GAAa,EAAE,CAAA;AAChD,IAAA,IAAI,OAAO,KAAA,CAAM,EAAE,KAAK,MAAA,CAAO,KAAA,CAAM,EAAE,CAAA,EAAG;AACzC,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,2CAAA,EAA8C,CAAA,GAAI,CAAC,CAAA,CAAE,CAAA;AAAA,IACtE;AACA,IAAA,KAAA,CAAM,CAAC,CAAA,GAAK,EAAA,IAAM,CAAA,GAAK,EAAA;AAAA,EACxB;AACA,EAAA,OAAO,KAAA;AACR;AAGO,SAAS,YAAY,KAAA,EAA2B;AACtD,EAAA,IAAI,MAAA,GAAS,EAAA;AACb,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,KAAA,CAAM,QAAQ,CAAA,EAAA,EAAK;AACtC,IAAA,MAAA,IAAU,MAAA,CAAO,YAAA,CAAa,KAAA,CAAM,CAAC,CAAW,CAAA;AAAA,EACjD;AACA,EAAA,OAAO,IAAA,CAAK,MAAM,CAAA,CAAE,OAAA,CAAQ,KAAA,EAAO,GAAG,CAAA,CAAE,OAAA,CAAQ,KAAA,EAAO,GAAG,CAAA,CAAE,OAAA,CAAQ,OAAO,EAAE,CAAA;AAC9E;AAGO,SAAS,cAAc,GAAA,EAAyB;AAEtD,EAAA,IAAI,MAAA,GAAS,IAAI,OAAA,CAAQ,IAAA,EAAM,GAAG,CAAA,CAAE,OAAA,CAAQ,MAAM,GAAG,CAAA;AAErD,EAAA,OAAO,MAAA,CAAO,MAAA,GAAS,CAAA,KAAM,CAAA,EAAG;AAC/B,IAAA,MAAA,IAAU,GAAA;AAAA,EACX;AACA,EAAA,MAAM,MAAA,GAAS,KAAK,MAAM,CAAA;AAC1B,EAAA,MAAM,KAAA,GAAQ,IAAI,UAAA,CAAW,MAAA,CAAO,MAAM,CAAA;AAC1C,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,MAAA,CAAO,QAAQ,CAAA,EAAA,EAAK;AACvC,IAAA,KAAA,CAAM,CAAC,CAAA,GAAI,MAAA,CAAO,UAAA,CAAW,CAAC,CAAA;AAAA,EAC/B;AACA,EAAA,OAAO,KAAA;AACR;AAOO,SAAS,UAAA,GAAqB;AACpC,EAAA,OAAO,UAAA,CAAW,OAAO,UAAA,EAAW;AACrC;AAGO,SAAS,YAAY,MAAA,EAA4B;AACvD,EAAA,MAAM,KAAA,GAAQ,IAAI,UAAA,CAAW,MAAM,CAAA;AACnC,EAAA,UAAA,CAAW,MAAA,CAAO,gBAAgB,KAAK,CAAA;AACvC,EAAA,OAAO,KAAA;AACR;AAGO,SAAS,eAAe,MAAA,EAAwB;AACtD,EAAA,OAAO,KAAA,CAAM,WAAA,CAAY,MAAM,CAAC,CAAA;AACjC;AAMA,IAAM,YAAA,GAAe,IAAI,WAAA,EAAY;AAErC,SAAS,QAAQ,IAAA,EAAwC;AACxD,EAAA,IAAI,OAAO,SAAS,QAAA,EAAU;AAC7B,IAAA,MAAM,OAAA,GAAU,YAAA,CAAa,MAAA,CAAO,IAAI,CAAA;AACxC,IAAA,OAAQ,QAAQ,MAAA,CAAuB,KAAA;AAAA,MACtC,OAAA,CAAQ,UAAA;AAAA,MACR,OAAA,CAAQ,aAAa,OAAA,CAAQ;AAAA,KAC9B;AAAA,EACD;AACA,EAAA,OAAQ,IAAA,CAAK,OAAuB,KAAA,CAAM,IAAA,CAAK,YAAY,IAAA,CAAK,UAAA,GAAa,KAAK,UAAU,CAAA;AAC7F;AAOA,eAAsB,OAAO,IAAA,EAA4C;AACxE,EAAA,MAAM,MAAA,GAAS,MAAM,UAAA,CAAW,MAAA,CAAO,OAAO,MAAA,CAAO,SAAA,EAAW,OAAA,CAAQ,IAAI,CAAC,CAAA;AAC7E,EAAA,OAAO,KAAA,CAAM,IAAI,UAAA,CAAW,MAAM,CAAC,CAAA;AACpC;AAGA,eAAsB,UAAU,IAAA,EAAgD;AAC/E,EAAA,MAAM,MAAA,GAAS,MAAM,UAAA,CAAW,MAAA,CAAO,OAAO,MAAA,CAAO,SAAA,EAAW,OAAA,CAAQ,IAAI,CAAC,CAAA;AAC7E,EAAA,OAAO,IAAI,WAAW,MAAM,CAAA;AAC7B;AAGA,eAAsB,KAAK,IAAA,EAA4C;AACtE,EAAA,MAAM,MAAA,GAAS,MAAM,UAAA,CAAW,MAAA,CAAO,OAAO,MAAA,CAAO,OAAA,EAAS,OAAA,CAAQ,IAAI,CAAC,CAAA;AAC3E,EAAA,OAAO,KAAA,CAAM,IAAI,UAAA,CAAW,MAAM,CAAC,CAAA;AACpC;AAOA,eAAsB,aAAA,CACrB,GAAA,EACA,IAAA,GAA4B,SAAA,EACP;AACrB,EAAA,MAAM,UAAU,OAAO,GAAA,KAAQ,WAAW,YAAA,CAAa,MAAA,CAAO,GAAG,CAAA,GAAI,GAAA;AACrE,EAAA,OAAO,UAAA,CAAW,OAAO,MAAA,CAAO,SAAA;AAAA,IAC/B,KAAA;AAAA,IACC,QAAQ,MAAA,CAAuB,KAAA;AAAA,MAC/B,OAAA,CAAQ,UAAA;AAAA,MACR,OAAA,CAAQ,aAAa,OAAA,CAAQ;AAAA,KAC9B;AAAA,IACA,EAAE,IAAA,EAAM,MAAA,EAAQ,MAAM,EAAE,IAAA,EAAM,MAAK,EAAE;AAAA,IACrC,KAAA;AAAA,IACA,CAAC,QAAQ,QAAQ;AAAA,GAClB;AACD;AAGA,eAAsB,UAAA,CACrB,KACA,IAAA,EACkB;AAClB,EAAA,MAAM,SAAA,GAAY,MAAM,aAAA,CAAc,GAAA,EAAK,SAAS,CAAA;AACpD,EAAA,MAAM,SAAA,GAAY,MAAM,UAAA,CAAW,MAAA,CAAO,MAAA,CAAO,KAAK,MAAA,EAAQ,SAAA,EAAW,OAAA,CAAQ,IAAI,CAAC,CAAA;AACtF,EAAA,OAAO,KAAA,CAAM,IAAI,UAAA,CAAW,SAAS,CAAC,CAAA;AACvC;AAGA,eAAsB,aAAA,CACrB,KACA,IAAA,EACsB;AACtB,EAAA,MAAM,SAAA,GAAY,MAAM,aAAA,CAAc,GAAA,EAAK,SAAS,CAAA;AACpD,EAAA,MAAM,SAAA,GAAY,MAAM,UAAA,CAAW,MAAA,CAAO,MAAA,CAAO,KAAK,MAAA,EAAQ,SAAA,EAAW,OAAA,CAAQ,IAAI,CAAC,CAAA;AACtF,EAAA,OAAO,IAAI,WAAW,SAAS,CAAA;AAChC;AAGA,eAAsB,WAAA,CAAY,KAAiB,IAAA,EAAuC;AACzF,EAAA,MAAM,SAAA,GAAY,MAAM,aAAA,CAAc,GAAA,EAAK,OAAO,CAAA;AAClD,EAAA,MAAM,GAAA,GAAO,KAAK,MAAA,CAAuB,KAAA;AAAA,IACxC,IAAA,CAAK,UAAA;AAAA,IACL,IAAA,CAAK,aAAa,IAAA,CAAK;AAAA,GACxB;AACA,EAAA,MAAM,SAAA,GAAY,MAAM,UAAA,CAAW,MAAA,CAAO,OAAO,IAAA,CAAK,MAAA,EAAQ,WAAW,GAAG,CAAA;AAC5E,EAAA,OAAO,IAAI,WAAW,SAAS,CAAA;AAChC;AAMA,IAAM,iBAAA,GAAoB,GAAA;AAC1B,IAAM,iBAAA,GAAoB,EAAA;AAC1B,IAAM,kBAAA,GAAqB,EAAA;AAQ3B,eAAsB,UAAA,CACrB,QAAA,EACA,IAAA,EACA,UAAA,EACkB;AAClB,EAAA,MAAM,UAAA,GAAa,IAAA,IAAQ,WAAA,CAAY,kBAAkB,CAAA;AACzD,EAAA,MAAM,mBAAmB,UAAA,IAAc,iBAAA;AAEvC,EAAA,MAAM,WAAA,GAAc,MAAM,UAAA,CAAW,MAAA,CAAO,MAAA,CAAO,SAAA;AAAA,IAClD,KAAA;AAAA,IACA,YAAA,CAAa,OAAO,QAAQ,CAAA;AAAA,IAC5B,QAAA;AAAA,IACA,KAAA;AAAA,IACA,CAAC,YAAY;AAAA,GACd;AAEA,EAAA,MAAM,OAAA,GAAW,WAAW,MAAA,CAAuB,KAAA;AAAA,IAClD,UAAA,CAAW,UAAA;AAAA,IACX,UAAA,CAAW,aAAa,UAAA,CAAW;AAAA,GACpC;AACA,EAAA,MAAM,OAAA,GAAU,MAAM,UAAA,CAAW,MAAA,CAAO,MAAA,CAAO,UAAA;AAAA,IAC9C;AAAA,MACC,IAAA,EAAM,QAAA;AAAA,MACN,IAAA,EAAM,OAAA;AAAA,MACN,UAAA,EAAY,gBAAA;AAAA,MACZ,IAAA,EAAM;AAAA,KACP;AAAA,IACA,WAAA;AAAA,IACA,iBAAA,GAAoB;AAAA,GACrB;AAEA,EAAA,OAAO,CAAA,OAAA,EAAU,gBAAgB,CAAA,CAAA,EAAI,KAAA,CAAM,UAAU,CAAC,CAAA,CAAA,EAAI,KAAA,CAAM,IAAI,UAAA,CAAW,OAAO,CAAC,CAAC,CAAA,CAAA;AACzF;AAOA,eAAsB,YAAA,CAAa,UAAkB,MAAA,EAAkC;AACtF,EAAA,MAAM,KAAA,GAAQ,MAAA,CAAO,KAAA,CAAM,GAAG,CAAA;AAC9B,EAAA,IAAI,MAAM,MAAA,KAAW,CAAA,IAAK,KAAA,CAAM,CAAC,MAAM,QAAA,EAAU;AAChD,IAAA,OAAO,KAAA;AAAA,EACR;AAEA,EAAA,MAAM,UAAA,GAAa,QAAA,CAAS,KAAA,CAAM,CAAC,GAAa,EAAE,CAAA;AAClD,EAAA,MAAM,IAAA,GAAO,OAAA,CAAQ,KAAA,CAAM,CAAC,CAAW,CAAA;AACvC,EAAA,MAAM,UAAA,GAAa,OAAA,CAAQ,KAAA,CAAM,CAAC,CAAW,CAAA;AAE7C,EAAA,IAAI,MAAA,CAAO,KAAA,CAAM,UAAU,CAAA,EAAG,OAAO,KAAA;AAErC,EAAA,MAAM,WAAA,GAAc,MAAM,UAAA,CAAW,MAAA,CAAO,MAAA,CAAO,SAAA;AAAA,IAClD,KAAA;AAAA,IACA,YAAA,CAAa,OAAO,QAAQ,CAAA;AAAA,IAC5B,QAAA;AAAA,IACA,KAAA;AAAA,IACA,CAAC,YAAY;AAAA,GACd;AAEA,EAAA,MAAM,OAAA,GAAW,KAAK,MAAA,CAAuB,KAAA;AAAA,IAC5C,IAAA,CAAK,UAAA;AAAA,IACL,IAAA,CAAK,aAAa,IAAA,CAAK;AAAA,GACxB;AACA,EAAA,MAAM,OAAA,GAAU,MAAM,UAAA,CAAW,MAAA,CAAO,MAAA,CAAO,UAAA;AAAA,IAC9C;AAAA,MACC,IAAA,EAAM,QAAA;AAAA,MACN,IAAA,EAAM,OAAA;AAAA,MACN,UAAA;AAAA,MACA,IAAA,EAAM;AAAA,KACP;AAAA,IACA,WAAA;AAAA,IACA,WAAW,MAAA,GAAS;AAAA,GACrB;AAEA,EAAA,OAAO,iBAAA,CAAkB,IAAI,UAAA,CAAW,OAAO,GAAG,UAAU,CAAA;AAC7D;AAUO,SAAS,iBAAA,CAAkB,GAAe,CAAA,EAAwB;AACxE,EAAA,IAAI,CAAA,CAAE,UAAA,KAAe,CAAA,CAAE,UAAA,EAAY;AAClC,IAAA,OAAO,KAAA;AAAA,EACR;AACA,EAAA,IAAI,IAAA,GAAO,CAAA;AACX,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,CAAA,CAAE,YAAY,CAAA,EAAA,EAAK;AACtC,IAAA,IAAA,IAAS,CAAA,CAAE,CAAC,CAAA,GAAgB,CAAA,CAAE,CAAC,CAAA;AAAA,EAChC;AACA,EAAA,OAAO,IAAA,KAAS,CAAA;AACjB","file":"chunk-QCRHJMDX.js","sourcesContent":["/**\n * Web Crypto API utilities for KavachOS.\n *\n * This module uses ONLY the Web Crypto API (globalThis.crypto) which is\n * available natively in Cloudflare Workers, Deno, Bun, and Node 20+.\n * No `node:crypto` imports are used, making the core package edge-compatible.\n */\n\n// ---------------------------------------------------------------------------\n// Encoding helpers\n// ---------------------------------------------------------------------------\n\nconst HEX_CHARS = \"0123456789abcdef\";\n\n/** Encode a Uint8Array as a lowercase hex string. */\nexport function toHex(bytes: Uint8Array): string {\n\tlet hex = \"\";\n\tfor (let i = 0; i < bytes.length; i++) {\n\t\tconst b = bytes[i] as number;\n\t\thex += HEX_CHARS[b >> 4] as string;\n\t\thex += HEX_CHARS[b & 0x0f] as string;\n\t}\n\treturn hex;\n}\n\n/** Decode a hex string into a Uint8Array. */\nexport function fromHex(hex: string): Uint8Array {\n\tif (hex.length % 2 !== 0) {\n\t\tthrow new Error(\"fromHex: hex string must have even length\");\n\t}\n\tconst bytes = new Uint8Array(hex.length / 2);\n\tfor (let i = 0; i < bytes.length; i++) {\n\t\tconst hi = parseInt(hex[i * 2] as string, 16);\n\t\tconst lo = parseInt(hex[i * 2 + 1] as string, 16);\n\t\tif (Number.isNaN(hi) || Number.isNaN(lo)) {\n\t\t\tthrow new Error(`fromHex: invalid hex character at position ${i * 2}`);\n\t\t}\n\t\tbytes[i] = (hi << 4) | lo;\n\t}\n\treturn bytes;\n}\n\n/** Encode a Uint8Array as a base64url string (no padding). */\nexport function toBase64Url(bytes: Uint8Array): string {\n\tlet binary = \"\";\n\tfor (let i = 0; i < bytes.length; i++) {\n\t\tbinary += String.fromCharCode(bytes[i] as number);\n\t}\n\treturn btoa(binary).replace(/\\+/g, \"-\").replace(/\\//g, \"_\").replace(/=+$/, \"\");\n}\n\n/** Decode a base64url string into a Uint8Array. */\nexport function fromBase64Url(b64: string): Uint8Array {\n\t// Restore standard base64\n\tlet base64 = b64.replace(/-/g, \"+\").replace(/_/g, \"/\");\n\t// Add padding\n\twhile (base64.length % 4 !== 0) {\n\t\tbase64 += \"=\";\n\t}\n\tconst binary = atob(base64);\n\tconst bytes = new Uint8Array(binary.length);\n\tfor (let i = 0; i < binary.length; i++) {\n\t\tbytes[i] = binary.charCodeAt(i);\n\t}\n\treturn bytes;\n}\n\n// ---------------------------------------------------------------------------\n// Random generation\n// ---------------------------------------------------------------------------\n\n/** Generate a v4 UUID using the globally available crypto.randomUUID(). */\nexport function generateId(): string {\n\treturn globalThis.crypto.randomUUID();\n}\n\n/** Generate cryptographically secure random bytes as a Uint8Array. */\nexport function randomBytes(length: number): Uint8Array {\n\tconst bytes = new Uint8Array(length);\n\tglobalThis.crypto.getRandomValues(bytes);\n\treturn bytes;\n}\n\n/** Generate cryptographically secure random bytes as a hex string. */\nexport function randomBytesHex(length: number): string {\n\treturn toHex(randomBytes(length));\n}\n\n// ---------------------------------------------------------------------------\n// Text encoding helper (internal)\n// ---------------------------------------------------------------------------\n\nconst TEXT_ENCODER = new TextEncoder();\n\nfunction toBytes(data: string | Uint8Array): ArrayBuffer {\n\tif (typeof data === \"string\") {\n\t\tconst encoded = TEXT_ENCODER.encode(data);\n\t\treturn (encoded.buffer as ArrayBuffer).slice(\n\t\t\tencoded.byteOffset,\n\t\t\tencoded.byteOffset + encoded.byteLength,\n\t\t);\n\t}\n\treturn (data.buffer as ArrayBuffer).slice(data.byteOffset, data.byteOffset + data.byteLength);\n}\n\n// ---------------------------------------------------------------------------\n// Hashing\n// ---------------------------------------------------------------------------\n\n/** SHA-256 hash, returns hex string. */\nexport async function sha256(data: string | Uint8Array): Promise<string> {\n\tconst digest = await globalThis.crypto.subtle.digest(\"SHA-256\", toBytes(data));\n\treturn toHex(new Uint8Array(digest));\n}\n\n/** SHA-256 hash, returns Uint8Array. */\nexport async function sha256Raw(data: string | Uint8Array): Promise<Uint8Array> {\n\tconst digest = await globalThis.crypto.subtle.digest(\"SHA-256\", toBytes(data));\n\treturn new Uint8Array(digest);\n}\n\n/** SHA-1 hash, returns hex string. Needed for HIBP k-anonymity. */\nexport async function sha1(data: string | Uint8Array): Promise<string> {\n\tconst digest = await globalThis.crypto.subtle.digest(\"SHA-1\", toBytes(data));\n\treturn toHex(new Uint8Array(digest));\n}\n\n// ---------------------------------------------------------------------------\n// HMAC\n// ---------------------------------------------------------------------------\n\n/** Import a secret key for HMAC operations. */\nexport async function importHmacKey(\n\tkey: string | Uint8Array,\n\thash: \"SHA-256\" | \"SHA-1\" = \"SHA-256\",\n): Promise<CryptoKey> {\n\tconst keyData = typeof key === \"string\" ? TEXT_ENCODER.encode(key) : key;\n\treturn globalThis.crypto.subtle.importKey(\n\t\t\"raw\",\n\t\t(keyData.buffer as ArrayBuffer).slice(\n\t\t\tkeyData.byteOffset,\n\t\t\tkeyData.byteOffset + keyData.byteLength,\n\t\t),\n\t\t{ name: \"HMAC\", hash: { name: hash } },\n\t\tfalse,\n\t\t[\"sign\", \"verify\"],\n\t);\n}\n\n/** HMAC-SHA256 sign, returns hex string. */\nexport async function hmacSha256(\n\tkey: string | Uint8Array,\n\tdata: string | Uint8Array,\n): Promise<string> {\n\tconst cryptoKey = await importHmacKey(key, \"SHA-256\");\n\tconst signature = await globalThis.crypto.subtle.sign(\"HMAC\", cryptoKey, toBytes(data));\n\treturn toHex(new Uint8Array(signature));\n}\n\n/** HMAC-SHA256 sign, returns Uint8Array. */\nexport async function hmacSha256Raw(\n\tkey: string | Uint8Array,\n\tdata: string | Uint8Array,\n): Promise<Uint8Array> {\n\tconst cryptoKey = await importHmacKey(key, \"SHA-256\");\n\tconst signature = await globalThis.crypto.subtle.sign(\"HMAC\", cryptoKey, toBytes(data));\n\treturn new Uint8Array(signature);\n}\n\n/** HMAC-SHA1 sign, returns Uint8Array (needed for TOTP per RFC 6238). */\nexport async function hmacSha1Raw(key: Uint8Array, data: Uint8Array): Promise<Uint8Array> {\n\tconst cryptoKey = await importHmacKey(key, \"SHA-1\");\n\tconst buf = (data.buffer as ArrayBuffer).slice(\n\t\tdata.byteOffset,\n\t\tdata.byteOffset + data.byteLength,\n\t);\n\tconst signature = await globalThis.crypto.subtle.sign(\"HMAC\", cryptoKey, buf);\n\treturn new Uint8Array(signature);\n}\n\n// ---------------------------------------------------------------------------\n// PBKDF2 password hashing\n// ---------------------------------------------------------------------------\n\nconst PBKDF2_ITERATIONS = 100_000; // CF Workers caps at 100K; OWASP recommends 600K for Node.js\nconst PBKDF2_KEY_LENGTH = 64; // bytes\nconst PBKDF2_SALT_LENGTH = 32; // bytes\n\n/**\n * Hash a password using PBKDF2-SHA256.\n *\n * Returns a string in the format: `pbkdf2:iterations:salt_hex:hash_hex`\n * which is safe to store in the database.\n */\nexport async function pbkdf2Hash(\n\tpassword: string,\n\tsalt?: Uint8Array,\n\titerations?: number,\n): Promise<string> {\n\tconst actualSalt = salt ?? randomBytes(PBKDF2_SALT_LENGTH);\n\tconst actualIterations = iterations ?? PBKDF2_ITERATIONS;\n\n\tconst keyMaterial = await globalThis.crypto.subtle.importKey(\n\t\t\"raw\",\n\t\tTEXT_ENCODER.encode(password),\n\t\t\"PBKDF2\",\n\t\tfalse,\n\t\t[\"deriveBits\"],\n\t);\n\n\tconst saltBuf = (actualSalt.buffer as ArrayBuffer).slice(\n\t\tactualSalt.byteOffset,\n\t\tactualSalt.byteOffset + actualSalt.byteLength,\n\t);\n\tconst derived = await globalThis.crypto.subtle.deriveBits(\n\t\t{\n\t\t\tname: \"PBKDF2\",\n\t\t\tsalt: saltBuf,\n\t\t\titerations: actualIterations,\n\t\t\thash: \"SHA-256\",\n\t\t},\n\t\tkeyMaterial,\n\t\tPBKDF2_KEY_LENGTH * 8,\n\t);\n\n\treturn `pbkdf2:${actualIterations}:${toHex(actualSalt)}:${toHex(new Uint8Array(derived))}`;\n}\n\n/**\n * Verify a password against a stored PBKDF2 hash.\n *\n * Supports the `pbkdf2:iterations:salt:hash` format produced by `pbkdf2Hash`.\n */\nexport async function pbkdf2Verify(password: string, stored: string): Promise<boolean> {\n\tconst parts = stored.split(\":\");\n\tif (parts.length !== 4 || parts[0] !== \"pbkdf2\") {\n\t\treturn false;\n\t}\n\n\tconst iterations = parseInt(parts[1] as string, 10);\n\tconst salt = fromHex(parts[2] as string);\n\tconst storedHash = fromHex(parts[3] as string);\n\n\tif (Number.isNaN(iterations)) return false;\n\n\tconst keyMaterial = await globalThis.crypto.subtle.importKey(\n\t\t\"raw\",\n\t\tTEXT_ENCODER.encode(password),\n\t\t\"PBKDF2\",\n\t\tfalse,\n\t\t[\"deriveBits\"],\n\t);\n\n\tconst saltBuf = (salt.buffer as ArrayBuffer).slice(\n\t\tsalt.byteOffset,\n\t\tsalt.byteOffset + salt.byteLength,\n\t);\n\tconst derived = await globalThis.crypto.subtle.deriveBits(\n\t\t{\n\t\t\tname: \"PBKDF2\",\n\t\t\tsalt: saltBuf,\n\t\t\titerations,\n\t\t\thash: \"SHA-256\",\n\t\t},\n\t\tkeyMaterial,\n\t\tstoredHash.length * 8,\n\t);\n\n\treturn constantTimeEqual(new Uint8Array(derived), storedHash);\n}\n\n// ---------------------------------------------------------------------------\n// Constant-time comparison\n// ---------------------------------------------------------------------------\n\n/**\n * Constant-time comparison of two Uint8Arrays.\n * Returns false immediately if lengths differ (length is not secret).\n */\nexport function constantTimeEqual(a: Uint8Array, b: Uint8Array): boolean {\n\tif (a.byteLength !== b.byteLength) {\n\t\treturn false;\n\t}\n\tlet diff = 0;\n\tfor (let i = 0; i < a.byteLength; i++) {\n\t\tdiff |= (a[i] as number) ^ (b[i] as number);\n\t}\n\treturn diff === 0;\n}\n"]}
|
|
@@ -1,5 +1,5 @@
|
|
|
1
|
-
import { auditLogs, rateLimits } from './chunk-
|
|
2
|
-
import {
|
|
1
|
+
import { auditLogs, rateLimits } from './chunk-KDL6A76K.js';
|
|
2
|
+
import { generateId } from './chunk-QCRHJMDX.js';
|
|
3
3
|
import { and, eq, gte } from 'drizzle-orm';
|
|
4
4
|
|
|
5
5
|
function matchResource(pattern, resource) {
|
|
@@ -80,7 +80,7 @@ async function checkRateLimit(db, agentId, resource, maxCallsPerHour) {
|
|
|
80
80
|
await db.update(rateLimits).set({ count: existing.count + 1 }).where(eq(rateLimits.id, existing.id));
|
|
81
81
|
} else {
|
|
82
82
|
await db.insert(rateLimits).values({
|
|
83
|
-
id:
|
|
83
|
+
id: generateId(),
|
|
84
84
|
agentId,
|
|
85
85
|
resource,
|
|
86
86
|
windowStart: currentWindow,
|
|
@@ -93,7 +93,7 @@ function createPermissionEngine(config) {
|
|
|
93
93
|
const { db, auditAll } = config;
|
|
94
94
|
async function authorize(agent, request) {
|
|
95
95
|
const startTime = performance.now();
|
|
96
|
-
const auditId =
|
|
96
|
+
const auditId = generateId();
|
|
97
97
|
const matchingPermission = agent.permissions.find(
|
|
98
98
|
(p) => matchResource(p.resource, request.resource) && matchAction(p.actions, request.action)
|
|
99
99
|
);
|
|
@@ -247,5 +247,5 @@ function getPermissionTemplate(name) {
|
|
|
247
247
|
}
|
|
248
248
|
|
|
249
249
|
export { createPermissionEngine, getPermissionTemplate, permissionTemplates };
|
|
250
|
-
//# sourceMappingURL=chunk-
|
|
251
|
-
//# sourceMappingURL=chunk-
|
|
250
|
+
//# sourceMappingURL=chunk-VHKZARMM.js.map
|
|
251
|
+
//# sourceMappingURL=chunk-VHKZARMM.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"sources":["../src/permission/engine.ts","../src/permission/templates.ts"],"names":["result"],"mappings":";;;;AAwBA,SAAS,aAAA,CAAc,SAAiB,QAAA,EAA2B;AAClE,EAAA,IAAI,OAAA,KAAY,KAAK,OAAO,IAAA;AAE5B,EAAA,MAAM,YAAA,GAAe,OAAA,CAAQ,KAAA,CAAM,GAAG,CAAA;AACtC,EAAA,MAAM,aAAA,GAAgB,QAAA,CAAS,KAAA,CAAM,GAAG,CAAA;AAExC,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,YAAA,CAAa,QAAQ,CAAA,EAAA,EAAK;AAC7C,IAAA,MAAM,IAAA,GAAO,aAAa,CAAC,CAAA;AAC3B,IAAA,IAAI,IAAA,KAAS,KAAK,OAAO,IAAA;AACzB,IAAA,IAAI,IAAA,KAAS,aAAA,CAAc,CAAC,CAAA,EAAG,OAAO,KAAA;AAAA,EACvC;AAEA,EAAA,OAAO,YAAA,CAAa,WAAW,aAAA,CAAc,MAAA;AAC9C;AAKA,SAAS,WAAA,CAAY,gBAA0B,eAAA,EAAkC;AAChF,EAAA,OAAO,eAAe,QAAA,CAAS,eAAe,CAAA,IAAK,cAAA,CAAe,SAAS,GAAG,CAAA;AAC/E;AAKA,SAAS,UAAU,EAAA,EAA2B;AAC7C,EAAA,MAAM,KAAA,GAAQ,EAAA,CAAG,KAAA,CAAM,GAAG,CAAA;AAC1B,EAAA,IAAI,KAAA,CAAM,MAAA,KAAW,CAAA,EAAG,OAAO,IAAA;AAC/B,EAAA,IAAI,MAAA,GAAS,CAAA;AACb,EAAA,KAAA,MAAW,QAAQ,KAAA,EAAO;AACzB,IAAA,MAAM,GAAA,GAAM,QAAA,CAAS,IAAA,EAAM,EAAE,CAAA;AAC7B,IAAA,IAAI,MAAA,CAAO,MAAM,GAAG,CAAA,IAAK,MAAM,CAAA,IAAK,GAAA,GAAM,KAAK,OAAO,IAAA;AACtD,IAAA,MAAA,GAAU,UAAU,CAAA,GAAK,GAAA;AAAA,EAC1B;AACA,EAAA,OAAO,MAAA,KAAW,CAAA;AACnB;AAMA,SAAS,cAAA,CAAe,OAAe,EAAA,EAAqB;AAC3D,EAAA,MAAM,UAAA,GAAa,KAAA,CAAM,OAAA,CAAQ,GAAG,CAAA;AACpC,EAAA,IAAI,eAAe,EAAA,EAAI;AACtB,IAAA,OAAO,KAAA,KAAU,EAAA;AAAA,EAClB;AAEA,EAAA,MAAM,MAAA,GAAS,KAAA,CAAM,KAAA,CAAM,CAAA,EAAG,UAAU,CAAA;AACxC,EAAA,MAAM,YAAY,QAAA,CAAS,KAAA,CAAM,MAAM,UAAA,GAAa,CAAC,GAAG,EAAE,CAAA;AAC1D,EAAA,IAAI,MAAA,CAAO,MAAM,SAAS,CAAA,IAAK,YAAY,CAAA,IAAK,SAAA,GAAY,IAAI,OAAO,KAAA;AAEvE,EAAA,MAAM,QAAA,GAAW,UAAU,MAAM,CAAA;AACjC,EAAA,MAAM,KAAA,GAAQ,UAAU,EAAE,CAAA;AAC1B,EAAA,IAAI,QAAA,KAAa,IAAA,IAAQ,KAAA,KAAU,IAAA,EAAM,OAAO,KAAA;AAEhD,EAAA,MAAM,OAAO,SAAA,KAAc,CAAA,GAAI,IAAK,EAAC,IAAM,KAAK,SAAA,KAAgB,CAAA;AAChE,EAAA,OAAA,CAAQ,QAAA,GAAW,WAAW,KAAA,GAAQ,IAAA,CAAA;AACvC;AAKA,SAAS,WAAA,CAAY,WAAqB,EAAA,EAAqB;AAC9D,EAAA,OAAO,UAAU,IAAA,CAAK,CAAC,UAAU,cAAA,CAAe,KAAA,EAAO,EAAE,CAAC,CAAA;AAC3D;AAKA,SAAS,mBAAA,CACR,UACA,IAAA,EACsC;AACtC,EAAA,KAAA,MAAW,WAAW,QAAA,EAAU;AAC/B,IAAA,MAAM,KAAA,GAAQ,IAAI,MAAA,CAAO,OAAO,CAAA;AAEhC,IAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,IAAI,CAAA,EAAG;AAChD,MAAA,IAAI,OAAO,KAAA,KAAU,QAAA,IAAY,CAAC,KAAA,CAAM,IAAA,CAAK,KAAK,CAAA,EAAG;AACpD,QAAA,OAAO;AAAA,UACN,KAAA,EAAO,KAAA;AAAA,UACP,QAAQ,CAAA,UAAA,EAAa,GAAG,CAAA,SAAA,EAAY,KAAK,6BAA6B,OAAO,CAAA,CAAA;AAAA,SAC9E;AAAA,MACD;AAAA,IACD;AAAA,EACD;AACA,EAAA,OAAO,EAAE,OAAO,IAAA,EAAK;AACtB;AAKA,eAAe,cAAA,CACd,EAAA,EACA,OAAA,EACA,QAAA,EACA,eAAA,EACiD;AACjD,EAAA,MAAM,UAAA,GAAa,IAAI,IAAA,CAAK,IAAA,CAAK,KAAI,GAAI,EAAA,GAAK,KAAK,GAAI,CAAA;AAEvD,EAAA,MAAM,OAAO,MAAM,EAAA,CACjB,QAAO,CACP,IAAA,CAAK,UAAU,CAAA,CACf,KAAA;AAAA,IACA,GAAA;AAAA,MACC,EAAA,CAAG,UAAA,CAAW,OAAA,EAAS,OAAO,CAAA;AAAA,MAC9B,EAAA,CAAG,UAAA,CAAW,QAAA,EAAU,QAAQ,CAAA;AAAA,MAChC,GAAA,CAAI,UAAA,CAAW,WAAA,EAAa,UAAU;AAAA;AACvC,GACD;AAED,EAAA,MAAM,UAAA,GAAa,KAAK,MAAA,CAAO,CAAC,KAAK,CAAA,KAAM,GAAA,GAAM,CAAA,CAAE,KAAA,EAAO,CAAC,CAAA;AAE3D,EAAA,IAAI,cAAc,eAAA,EAAiB;AAClC,IAAA,OAAO;AAAA,MACN,OAAA,EAAS,KAAA;AAAA,MACT,QAAQ,CAAA,qBAAA,EAAwB,UAAU,CAAA,CAAA,EAAI,eAAe,iCAAiC,QAAQ,CAAA,CAAA;AAAA,KACvG;AAAA,EACD;AAGA,EAAA,MAAM,aAAA,GAAgB,IAAI,IAAA,CAAK,IAAA,CAAK,MAAM,IAAA,CAAK,GAAA,EAAI,IAAK,CAAA,GAAI,EAAA,GAAK,GAAA,CAAK,CAAA,IAAK,CAAA,GAAI,KAAK,GAAA,CAAK,CAAA;AACzF,EAAA,MAAM,QAAA,GAAW,IAAA,CAAK,IAAA,CAAK,CAAC,CAAA,KAAM,CAAA,CAAE,WAAA,CAAY,OAAA,EAAQ,KAAM,aAAA,CAAc,OAAA,EAAS,CAAA;AAErF,EAAA,IAAI,QAAA,EAAU;AACb,IAAA,MAAM,GACJ,MAAA,CAAO,UAAU,EACjB,GAAA,CAAI,EAAE,OAAO,QAAA,CAAS,KAAA,GAAQ,CAAA,EAAG,EACjC,KAAA,CAAM,EAAA,CAAG,WAAW,EAAA,EAAI,QAAA,CAAS,EAAE,CAAC,CAAA;AAAA,EACvC,CAAA,MAAO;AACN,IAAA,MAAM,EAAA,CAAG,MAAA,CAAO,UAAU,CAAA,CAAE,MAAA,CAAO;AAAA,MAClC,IAAI,UAAA,EAAW;AAAA,MACf,OAAA;AAAA,MACA,QAAA;AAAA,MACA,WAAA,EAAa,aAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACP,CAAA;AAAA,EACF;AAEA,EAAA,OAAO,EAAE,SAAS,IAAA,EAAK;AACxB;AAKO,SAAS,uBAAuB,MAAA,EAAgC;AACtE,EAAA,MAAM,EAAE,EAAA,EAAI,QAAA,EAAS,GAAI,MAAA;AAMzB,EAAA,eAAe,SAAA,CACd,OACA,OAAA,EAC2B;AAC3B,IAAA,MAAM,SAAA,GAAY,YAAY,GAAA,EAAI;AAClC,IAAA,MAAM,UAAU,UAAA,EAAW;AAG3B,IAAA,MAAM,kBAAA,GAAqB,MAAM,WAAA,CAAY,IAAA;AAAA,MAC5C,CAAC,CAAA,KAAM,aAAA,CAAc,CAAA,CAAE,QAAA,EAAU,OAAA,CAAQ,QAAQ,CAAA,IAAK,WAAA,CAAY,CAAA,CAAE,OAAA,EAAS,OAAA,CAAQ,MAAM;AAAA,KAC5F;AAEA,IAAA,IAAI,CAAC,kBAAA,EAAoB;AACxB,MAAA,MAAMA,OAAAA,GAA0B;AAAA,QAC/B,OAAA,EAAS,KAAA;AAAA,QACT,MAAA,EAAQ,+BAA+B,KAAA,CAAM,IAAI,gBAAgB,OAAA,CAAQ,MAAM,CAAA,MAAA,EAAS,OAAA,CAAQ,QAAQ,CAAA,CAAA,CAAA;AAAA,QACxG;AAAA,OACD;AACA,MAAA,IAAI,QAAA,EAAU;AACb,QAAA,MAAM,cAAc,EAAA,EAAI,KAAA,EAAO,OAAA,EAASA,OAAAA,EAAQ,WAAW,OAAO,CAAA;AAAA,MACnE;AACA,MAAA,OAAOA,OAAAA;AAAA,IACR;AAGA,IAAA,IAAI,mBAAmB,WAAA,EAAa;AACnC,MAAA,MAAM,mBAAmB,MAAM,mBAAA;AAAA,QAC9B,EAAA;AAAA,QACA,KAAA;AAAA,QACA,OAAA;AAAA,QACA,kBAAA,CAAmB;AAAA,OACpB;AACA,MAAA,IAAI,CAAC,iBAAiB,OAAA,EAAS;AAC9B,QAAA,MAAMA,OAAAA,GAA0B;AAAA,UAC/B,OAAA,EAAS,KAAA;AAAA,UACT,QAAQ,gBAAA,CAAiB,MAAA;AAAA,UACzB;AAAA,SACD;AACA,QAAA,IAAI,QAAA,EAAU;AACb,UAAA,MAAM,cAAc,EAAA,EAAI,KAAA,EAAO,OAAA,EAASA,OAAAA,EAAQ,WAAW,OAAO,CAAA;AAAA,QACnE;AACA,QAAA,OAAOA,OAAAA;AAAA,MACR;AAAA,IACD;AAEA,IAAA,MAAM,MAAA,GAA0B,EAAE,OAAA,EAAS,IAAA,EAAM,OAAA,EAAQ;AACzD,IAAA,IAAI,QAAA,EAAU;AACb,MAAA,MAAM,cAAc,EAAA,EAAI,KAAA,EAAO,OAAA,EAAS,MAAA,EAAQ,WAAW,OAAO,CAAA;AAAA,IACnE;AACA,IAAA,OAAO,MAAA;AAAA,EACR;AAEA,EAAA,OAAO,EAAE,SAAA,EAAU;AACpB;AAEA,eAAe,mBAAA,CACd,EAAA,EACA,KAAA,EACA,OAAA,EACA,WAAA,EACiD;AAEjD,EAAA,IAAI,YAAY,eAAA,EAAiB;AAChC,IAAA,MAAM,aAAa,MAAM,cAAA;AAAA,MACxB,EAAA;AAAA,MACA,KAAA,CAAM,EAAA;AAAA,MACN,OAAA,CAAQ,QAAA;AAAA,MACR,WAAA,CAAY;AAAA,KACb;AACA,IAAA,IAAI,CAAC,WAAW,OAAA,EAAS;AACxB,MAAA,OAAO,UAAA;AAAA,IACR;AAAA,EACD;AAGA,EAAA,IAAI,WAAA,CAAY,kBAAA,IAAsB,OAAA,CAAQ,SAAA,EAAW;AACxD,IAAA,MAAM,aAAA,GAAgB,mBAAA,CAAoB,WAAA,CAAY,kBAAA,EAAoB,QAAQ,SAAS,CAAA;AAC3F,IAAA,IAAI,CAAC,cAAc,KAAA,EAAO;AACzB,MAAA,OAAO,EAAE,OAAA,EAAS,KAAA,EAAO,MAAA,EAAQ,cAAc,MAAA,EAAO;AAAA,IACvD;AAAA,EACD;AAGA,EAAA,IAAI,YAAY,eAAA,EAAiB;AAChC,IAAA,OAAO;AAAA,MACN,OAAA,EAAS,KAAA;AAAA,MACT,MAAA,EAAQ;AAAA,KACT;AAAA,EACD;AAGA,EAAA,IAAI,YAAY,UAAA,EAAY;AAC3B,IAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AACrB,IAAA,MAAM,KAAA,GAAQ,IAAI,QAAA,EAAS;AAC3B,IAAA,MAAM,OAAA,GAAU,IAAI,UAAA,EAAW;AAC/B,IAAA,MAAM,cAAc,CAAA,EAAG,MAAA,CAAO,KAAK,CAAA,CAAE,SAAS,CAAA,EAAG,GAAG,CAAC,CAAA,CAAA,EAAI,OAAO,OAAO,CAAA,CAAE,QAAA,CAAS,CAAA,EAAG,GAAG,CAAC,CAAA,CAAA;AAEzF,IAAA,IAAI,cAAc,WAAA,CAAY,UAAA,CAAW,SAAS,WAAA,GAAc,WAAA,CAAY,WAAW,GAAA,EAAK;AAC3F,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,MAAA,EAAQ,kCAAkC,WAAA,CAAY,UAAA,CAAW,KAAK,CAAA,KAAA,EAAQ,WAAA,CAAY,WAAW,GAAG,CAAA;AAAA,OACzG;AAAA,IACD;AAAA,EACD;AAGA,EAAA,IAAI,WAAA,CAAY,WAAA,IAAe,WAAA,CAAY,WAAA,CAAY,SAAS,CAAA,EAAG;AAClE,IAAA,IAAI,CAAC,QAAQ,EAAA,EAAI;AAChB,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,MAAA,EAAQ;AAAA,OACT;AAAA,IACD;AACA,IAAA,IAAI,CAAC,WAAA,CAAY,WAAA,CAAY,WAAA,EAAa,OAAA,CAAQ,EAAE,CAAA,EAAG;AACtD,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,MAAA,EAAQ,CAAA,oBAAA,EAAuB,OAAA,CAAQ,EAAE,CAAA,2CAAA;AAAA,OAC1C;AAAA,IACD;AAAA,EACD;AAEA,EAAA,OAAO,EAAE,SAAS,IAAA,EAAK;AACxB;AAEA,eAAe,cACd,EAAA,EACA,KAAA,EACA,OAAA,EACA,MAAA,EACA,WACA,OAAA,EACgB;AAChB,EAAA,MAAM,aAAa,IAAA,CAAK,KAAA,CAAM,WAAA,CAAY,GAAA,KAAQ,SAAS,CAAA;AAE3D,EAAA,MAAM,EAAA,CAAG,MAAA,CAAO,SAAS,CAAA,CAAE,MAAA,CAAO;AAAA,IACjC,EAAA,EAAI,OAAA;AAAA,IACJ,SAAS,KAAA,CAAM,EAAA;AAAA,IACf,QAAQ,KAAA,CAAM,OAAA;AAAA,IACd,QAAQ,OAAA,CAAQ,MAAA;AAAA,IAChB,UAAU,OAAA,CAAQ,QAAA;AAAA,IAClB,UAAA,EAAY,OAAA,CAAQ,SAAA,IAAa,EAAC;AAAA,IAClC,MAAA,EAAQ,MAAA,CAAO,OAAA,GAAU,SAAA,GAAY,QAAA;AAAA,IACrC,MAAA,EAAQ,OAAO,MAAA,IAAU,IAAA;AAAA,IACzB,UAAA;AAAA,IACA,SAAA,sBAAe,IAAA,EAAK;AAAA,IACpB,EAAA,EAAI,OAAA,CAAQ,OAAA,EAAS,EAAA,IAAM,IAAA;AAAA,IAC3B,SAAA,EAAW,OAAA,CAAQ,OAAA,EAAS,SAAA,IAAa;AAAA,GACzC,CAAA;AACF;;;AC7TO,IAAM,mBAAA,GAAsB;AAAA;AAAA,EAElC,QAAA,EAAU,CAAC,EAAE,QAAA,EAAU,KAAK,OAAA,EAAS,CAAC,MAAM,CAAA,EAAG,CAAA;AAAA;AAAA,EAG/C,SAAA,EAAW,CAAC,EAAE,QAAA,EAAU,GAAA,EAAK,SAAS,CAAC,MAAA,EAAQ,OAAO,CAAA,EAAG,CAAA;AAAA;AAAA,EAGzD,KAAA,EAAO,CAAC,EAAE,QAAA,EAAU,KAAK,OAAA,EAAS,CAAC,GAAG,CAAA,EAAG,CAAA;AAAA;AAAA,EAGzC,QAAA,EAAU,CAAC,EAAE,QAAA,EAAU,OAAA,EAAS,SAAS,CAAC,MAAA,EAAQ,SAAS,CAAA,EAAG,CAAA;AAAA;AAAA,EAG9D,OAAA,EAAS,CAAC,EAAE,QAAA,EAAU,OAAA,EAAS,OAAA,EAAS,CAAC,MAAA,EAAQ,OAAA,EAAS,SAAS,CAAA,EAAG,CAAA;AAAA;AAAA,EAGtE,eAAA,EAAiB;AAAA,IAChB;AAAA,MACC,QAAA,EAAU,GAAA;AAAA,MACV,OAAA,EAAS,CAAC,MAAM,CAAA;AAAA,MAChB,WAAA,EAAa,EAAE,eAAA,EAAiB,GAAA;AAAI;AACrC,GACD;AAAA;AAAA,EAGA,gBAAA,EAAkB;AAAA,IACjB;AAAA,MACC,QAAA,EAAU,GAAA;AAAA,MACV,OAAA,EAAS,CAAC,GAAG,CAAA;AAAA,MACb,WAAA,EAAa,EAAE,eAAA,EAAiB,IAAA;AAAK;AACtC,GACD;AAAA;AAAA,EAGA,aAAA,EAAe;AAAA,IACd;AAAA,MACC,QAAA,EAAU,GAAA;AAAA,MACV,OAAA,EAAS,CAAC,MAAA,EAAQ,OAAA,EAAS,SAAS,CAAA;AAAA,MACpC,WAAA,EAAa,EAAE,UAAA,EAAY,EAAE,OAAO,OAAA,EAAS,GAAA,EAAK,SAAQ;AAAE;AAC7D;AAEF;AAQO,SAAS,sBAAsB,IAAA,EAA4C;AACjF,EAAA,OAAO,KAAK,KAAA,CAAM,IAAA,CAAK,UAAU,mBAAA,CAAoB,IAAI,CAAC,CAAC,CAAA;AAC5D","file":"chunk-VHKZARMM.js","sourcesContent":["import { and, eq, gte } from \"drizzle-orm\";\nimport { generateId } from \"../crypto/web-crypto.js\";\nimport type { Database } from \"../db/database.js\";\nimport { auditLogs, rateLimits } from \"../db/schema.js\";\nimport type {\n\tAgentIdentity,\n\tAuthorizeRequest,\n\tAuthorizeResult,\n\tPermissionConstraints,\n} from \"../types.js\";\n\ninterface PermissionEngineConfig {\n\tdb: Database;\n\tauditAll: boolean;\n}\n\n/**\n * Match a resource pattern against a requested resource.\n *\n * Supports wildcards:\n * - \"mcp:github:*\" matches \"mcp:github:create_issue\"\n * - \"tool:*\" matches \"tool:file_read\"\n * - \"*\" matches everything\n */\nfunction matchResource(pattern: string, resource: string): boolean {\n\tif (pattern === \"*\") return true;\n\n\tconst patternParts = pattern.split(\":\");\n\tconst resourceParts = resource.split(\":\");\n\n\tfor (let i = 0; i < patternParts.length; i++) {\n\t\tconst part = patternParts[i];\n\t\tif (part === \"*\") return true;\n\t\tif (part !== resourceParts[i]) return false;\n\t}\n\n\treturn patternParts.length === resourceParts.length;\n}\n\n/**\n * Check if an action is allowed by a permission's actions list.\n */\nfunction matchAction(allowedActions: string[], requestedAction: string): boolean {\n\treturn allowedActions.includes(requestedAction) || allowedActions.includes(\"*\");\n}\n\n/**\n * Parse an IPv4 address into a 32-bit integer.\n */\nfunction parseIPv4(ip: string): number | null {\n\tconst parts = ip.split(\".\");\n\tif (parts.length !== 4) return null;\n\tlet result = 0;\n\tfor (const part of parts) {\n\t\tconst num = parseInt(part, 10);\n\t\tif (Number.isNaN(num) || num < 0 || num > 255) return null;\n\t\tresult = (result << 8) | num;\n\t}\n\treturn result >>> 0;\n}\n\n/**\n * Check whether an IP matches a CIDR range or exact IP entry.\n * Supports both \"10.0.0.1\" and \"10.0.0.0/8\" notation (IPv4 only).\n */\nfunction matchesIPEntry(entry: string, ip: string): boolean {\n\tconst slashIndex = entry.indexOf(\"/\");\n\tif (slashIndex === -1) {\n\t\treturn entry === ip;\n\t}\n\n\tconst cidrIp = entry.slice(0, slashIndex);\n\tconst prefixLen = parseInt(entry.slice(slashIndex + 1), 10);\n\tif (Number.isNaN(prefixLen) || prefixLen < 0 || prefixLen > 32) return false;\n\n\tconst entryNum = parseIPv4(cidrIp);\n\tconst ipNum = parseIPv4(ip);\n\tif (entryNum === null || ipNum === null) return false;\n\n\tconst mask = prefixLen === 0 ? 0 : (~0 << (32 - prefixLen)) >>> 0;\n\treturn (entryNum & mask) === (ipNum & mask);\n}\n\n/**\n * Check whether an IP is in the allowlist (exact IPs or CIDR ranges).\n */\nfunction isIPAllowed(allowlist: string[], ip: string): boolean {\n\treturn allowlist.some((entry) => matchesIPEntry(entry, ip));\n}\n\n/**\n * Validate argument patterns against the request arguments.\n */\nfunction validateArgPatterns(\n\tpatterns: string[],\n\targs: Record<string, unknown>,\n): { valid: boolean; reason?: string } {\n\tfor (const pattern of patterns) {\n\t\tconst regex = new RegExp(pattern);\n\t\t// Check all string arguments against the pattern\n\t\tfor (const [key, value] of Object.entries(args)) {\n\t\t\tif (typeof value === \"string\" && !regex.test(value)) {\n\t\t\t\treturn {\n\t\t\t\t\tvalid: false,\n\t\t\t\t\treason: `Argument \"${key}\" value \"${value}\" does not match pattern \"${pattern}\"`,\n\t\t\t\t};\n\t\t\t}\n\t\t}\n\t}\n\treturn { valid: true };\n}\n\n/**\n * Check rate limits for an agent on a specific resource.\n */\nasync function checkRateLimit(\n\tdb: Database,\n\tagentId: string,\n\tresource: string,\n\tmaxCallsPerHour: number,\n): Promise<{ allowed: boolean; reason?: string }> {\n\tconst oneHourAgo = new Date(Date.now() - 60 * 60 * 1000);\n\n\tconst rows = await db\n\t\t.select()\n\t\t.from(rateLimits)\n\t\t.where(\n\t\t\tand(\n\t\t\t\teq(rateLimits.agentId, agentId),\n\t\t\t\teq(rateLimits.resource, resource),\n\t\t\t\tgte(rateLimits.windowStart, oneHourAgo),\n\t\t\t),\n\t\t);\n\n\tconst totalCalls = rows.reduce((sum, r) => sum + r.count, 0);\n\n\tif (totalCalls >= maxCallsPerHour) {\n\t\treturn {\n\t\t\tallowed: false,\n\t\t\treason: `Rate limit exceeded: ${totalCalls}/${maxCallsPerHour} calls per hour for resource \"${resource}\"`,\n\t\t};\n\t}\n\n\t// Increment counter\n\tconst currentWindow = new Date(Math.floor(Date.now() / (5 * 60 * 1000)) * (5 * 60 * 1000)); // 5-min windows\n\tconst existing = rows.find((r) => r.windowStart.getTime() === currentWindow.getTime());\n\n\tif (existing) {\n\t\tawait db\n\t\t\t.update(rateLimits)\n\t\t\t.set({ count: existing.count + 1 })\n\t\t\t.where(eq(rateLimits.id, existing.id));\n\t} else {\n\t\tawait db.insert(rateLimits).values({\n\t\t\tid: generateId(),\n\t\t\tagentId,\n\t\t\tresource,\n\t\t\twindowStart: currentWindow,\n\t\t\tcount: 1,\n\t\t});\n\t}\n\n\treturn { allowed: true };\n}\n\n/**\n * Create the permission/authorization engine.\n */\nexport function createPermissionEngine(config: PermissionEngineConfig) {\n\tconst { db, auditAll } = config;\n\n\t/**\n\t * Check if an agent is authorized to perform an action.\n\t * This is the core authorization function.\n\t */\n\tasync function authorize(\n\t\tagent: AgentIdentity,\n\t\trequest: AuthorizeRequest,\n\t): Promise<AuthorizeResult> {\n\t\tconst startTime = performance.now();\n\t\tconst auditId = generateId();\n\n\t\t// Find matching permission\n\t\tconst matchingPermission = agent.permissions.find(\n\t\t\t(p) => matchResource(p.resource, request.resource) && matchAction(p.actions, request.action),\n\t\t);\n\n\t\tif (!matchingPermission) {\n\t\t\tconst result: AuthorizeResult = {\n\t\t\t\tallowed: false,\n\t\t\t\treason: `No permission grants agent \"${agent.name}\" access to \"${request.action}\" on \"${request.resource}\"`,\n\t\t\t\tauditId,\n\t\t\t};\n\t\t\tif (auditAll) {\n\t\t\t\tawait writeAuditLog(db, agent, request, result, startTime, auditId);\n\t\t\t}\n\t\t\treturn result;\n\t\t}\n\n\t\t// Check constraints\n\t\tif (matchingPermission.constraints) {\n\t\t\tconst constraintResult = await evaluateConstraints(\n\t\t\t\tdb,\n\t\t\t\tagent,\n\t\t\t\trequest,\n\t\t\t\tmatchingPermission.constraints,\n\t\t\t);\n\t\t\tif (!constraintResult.allowed) {\n\t\t\t\tconst result: AuthorizeResult = {\n\t\t\t\t\tallowed: false,\n\t\t\t\t\treason: constraintResult.reason,\n\t\t\t\t\tauditId,\n\t\t\t\t};\n\t\t\t\tif (auditAll) {\n\t\t\t\t\tawait writeAuditLog(db, agent, request, result, startTime, auditId);\n\t\t\t\t}\n\t\t\t\treturn result;\n\t\t\t}\n\t\t}\n\n\t\tconst result: AuthorizeResult = { allowed: true, auditId };\n\t\tif (auditAll) {\n\t\t\tawait writeAuditLog(db, agent, request, result, startTime, auditId);\n\t\t}\n\t\treturn result;\n\t}\n\n\treturn { authorize };\n}\n\nasync function evaluateConstraints(\n\tdb: Database,\n\tagent: AgentIdentity,\n\trequest: AuthorizeRequest,\n\tconstraints: PermissionConstraints,\n): Promise<{ allowed: boolean; reason?: string }> {\n\t// Rate limit check\n\tif (constraints.maxCallsPerHour) {\n\t\tconst rateResult = await checkRateLimit(\n\t\t\tdb,\n\t\t\tagent.id,\n\t\t\trequest.resource,\n\t\t\tconstraints.maxCallsPerHour,\n\t\t);\n\t\tif (!rateResult.allowed) {\n\t\t\treturn rateResult;\n\t\t}\n\t}\n\n\t// Argument pattern check\n\tif (constraints.allowedArgPatterns && request.arguments) {\n\t\tconst patternResult = validateArgPatterns(constraints.allowedArgPatterns, request.arguments);\n\t\tif (!patternResult.valid) {\n\t\t\treturn { allowed: false, reason: patternResult.reason };\n\t\t}\n\t}\n\n\t// Human-in-the-loop check\n\tif (constraints.requireApproval) {\n\t\treturn {\n\t\t\tallowed: false,\n\t\t\treason: \"This action requires human approval before execution\",\n\t\t};\n\t}\n\n\t// Time window check\n\tif (constraints.timeWindow) {\n\t\tconst now = new Date();\n\t\tconst hours = now.getHours();\n\t\tconst minutes = now.getMinutes();\n\t\tconst currentTime = `${String(hours).padStart(2, \"0\")}:${String(minutes).padStart(2, \"0\")}`;\n\n\t\tif (currentTime < constraints.timeWindow.start || currentTime > constraints.timeWindow.end) {\n\t\t\treturn {\n\t\t\t\tallowed: false,\n\t\t\t\treason: `Action is only allowed between ${constraints.timeWindow.start} and ${constraints.timeWindow.end}`,\n\t\t\t};\n\t\t}\n\t}\n\n\t// IP allowlist check\n\tif (constraints.ipAllowlist && constraints.ipAllowlist.length > 0) {\n\t\tif (!request.ip) {\n\t\t\treturn {\n\t\t\t\tallowed: false,\n\t\t\t\treason: \"IP_NOT_ALLOWED: No IP address provided; resource requires an IP allowlist match\",\n\t\t\t};\n\t\t}\n\t\tif (!isIPAllowed(constraints.ipAllowlist, request.ip)) {\n\t\t\treturn {\n\t\t\t\tallowed: false,\n\t\t\t\treason: `IP_NOT_ALLOWED: IP \"${request.ip}\" is not in the allowlist for this resource`,\n\t\t\t};\n\t\t}\n\t}\n\n\treturn { allowed: true };\n}\n\nasync function writeAuditLog(\n\tdb: Database,\n\tagent: AgentIdentity,\n\trequest: AuthorizeRequest,\n\tresult: AuthorizeResult,\n\tstartTime: number,\n\tauditId: string,\n): Promise<void> {\n\tconst durationMs = Math.round(performance.now() - startTime);\n\n\tawait db.insert(auditLogs).values({\n\t\tid: auditId,\n\t\tagentId: agent.id,\n\t\tuserId: agent.ownerId,\n\t\taction: request.action,\n\t\tresource: request.resource,\n\t\tparameters: request.arguments ?? {},\n\t\tresult: result.allowed ? \"allowed\" : \"denied\",\n\t\treason: result.reason ?? null,\n\t\tdurationMs,\n\t\ttimestamp: new Date(),\n\t\tip: request.context?.ip ?? null,\n\t\tuserAgent: request.context?.userAgent ?? null,\n\t});\n}\n","import type { Permission } from \"../types.js\";\n\n/**\n * Pre-built permission templates for common access patterns.\n * Use these as starting points when creating agents.\n */\nexport const permissionTemplates = {\n\t/** Read-only access to all resources */\n\treadonly: [{ resource: \"*\", actions: [\"read\"] }] satisfies Permission[],\n\n\t/** Read and write access to all resources */\n\treadwrite: [{ resource: \"*\", actions: [\"read\", \"write\"] }] satisfies Permission[],\n\n\t/** Full access to all resources and actions */\n\tadmin: [{ resource: \"*\", actions: [\"*\"] }] satisfies Permission[],\n\n\t/** Standard MCP tool access - read + execute */\n\tmcpBasic: [{ resource: \"mcp:*\", actions: [\"read\", \"execute\"] }] satisfies Permission[],\n\n\t/** MCP tool access with write - read + write + execute */\n\tmcpFull: [{ resource: \"mcp:*\", actions: [\"read\", \"write\", \"execute\"] }] satisfies Permission[],\n\n\t/** Rate-limited read access (100 calls/hour) */\n\trateLimitedRead: [\n\t\t{\n\t\t\tresource: \"*\",\n\t\t\tactions: [\"read\"],\n\t\t\tconstraints: { maxCallsPerHour: 100 },\n\t\t},\n\t] satisfies Permission[],\n\n\t/** Approval-required access (human-in-the-loop for everything) */\n\tapprovalRequired: [\n\t\t{\n\t\t\tresource: \"*\",\n\t\t\tactions: [\"*\"],\n\t\t\tconstraints: { requireApproval: true },\n\t\t},\n\t] satisfies Permission[],\n\n\t/** Business hours only access (9am-5pm) */\n\tbusinessHours: [\n\t\t{\n\t\t\tresource: \"*\",\n\t\t\tactions: [\"read\", \"write\", \"execute\"],\n\t\t\tconstraints: { timeWindow: { start: \"09:00\", end: \"17:00\" } },\n\t\t},\n\t] satisfies Permission[],\n} as const;\n\nexport type PermissionTemplateName = keyof typeof permissionTemplates;\n\n/**\n * Get a permission template by name.\n * Returns a fresh copy of the permissions array.\n */\nexport function getPermissionTemplate(name: PermissionTemplateName): Permission[] {\n\treturn JSON.parse(JSON.stringify(permissionTemplates[name])) as Permission[];\n}\n"]}
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
import { auditLogs } from './chunk-
|
|
1
|
+
import { auditLogs } from './chunk-KDL6A76K.js';
|
|
2
2
|
import { eq, gte, lte, desc, and, lt } from 'drizzle-orm';
|
|
3
3
|
|
|
4
4
|
function createAuditModule(config) {
|
|
@@ -97,5 +97,5 @@ function toAuditEntry(row) {
|
|
|
97
97
|
}
|
|
98
98
|
|
|
99
99
|
export { createAuditModule };
|
|
100
|
-
//# sourceMappingURL=chunk-
|
|
101
|
-
//# sourceMappingURL=chunk-
|
|
100
|
+
//# sourceMappingURL=chunk-Y3OWAJHK.js.map
|
|
101
|
+
//# sourceMappingURL=chunk-Y3OWAJHK.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../src/audit/audit.ts"],"names":[],"mappings":";;;AAaO,SAAS,kBAAkB,MAAA,EAA2B;AAC5D,EAAA,MAAM,EAAE,IAAG,GAAI,MAAA;AAEf,EAAA,eAAe,MAAM,MAAA,EAA4C;AAChE,IAAA,MAAM,aAAa,EAAC;AAEpB,IAAA,IAAI,MAAA,CAAO,SAAS,UAAA,CAAW,IAAA,CAAK,GAAG,SAAA,CAAU,OAAA,EAAS,MAAA,CAAO,OAAO,CAAC,CAAA;AACzE,IAAA,IAAI,MAAA,CAAO,QAAQ,UAAA,CAAW,IAAA,CAAK,GAAG,SAAA,CAAU,MAAA,EAAQ,MAAA,CAAO,MAAM,CAAC,CAAA;AACtE,IAAA,IAAI,MAAA,CAAO,OAAO,UAAA,CAAW,IAAA,CAAK,IAAI,SAAA,CAAU,SAAA,EAAW,MAAA,CAAO,KAAK,CAAC,CAAA;AACxE,IAAA,IAAI,MAAA,CAAO,OAAO,UAAA,CAAW,IAAA,CAAK,IAAI,SAAA,CAAU,SAAA,EAAW,MAAA,CAAO,KAAK,CAAC,CAAA;AACxE,IAAA,IAAI,MAAA,CAAO,QAAQ,UAAA,CAAW,IAAA,CAAK,GAAG,SAAA,CAAU,MAAA,EAAQ,MAAA,CAAO,MAAM,CAAC,CAAA;AAEtE,IAAA,IAAI,CAAA,GAAI,EAAA,CAAG,MAAA,EAAO,CAAE,IAAA,CAAK,SAAS,CAAA,CAAE,OAAA,CAAQ,IAAA,CAAK,SAAA,CAAU,SAAS,CAAC,EAAE,QAAA,EAAS;AAEhF,IAAA,IAAI,UAAA,CAAW,SAAS,CAAA,EAAG;AAC1B,MAAA,CAAA,GAAI,CAAA,CAAE,KAAA,CAAM,GAAA,CAAI,GAAG,UAAU,CAAC,CAAA;AAAA,IAC/B;AAEA,IAAA,IAAI,OAAO,KAAA,EAAO;AACjB,MAAA,CAAA,GAAI,CAAA,CAAE,KAAA,CAAM,MAAA,CAAO,KAAK,CAAA;AAAA,IACzB;AACA,IAAA,IAAI,OAAO,MAAA,EAAQ;AAClB,MAAA,CAAA,GAAI,CAAA,CAAE,MAAA,CAAO,MAAA,CAAO,MAAM,CAAA;AAAA,IAC3B;AAEA,IAAA,MAAM,OAAO,MAAM,CAAA;AAEnB,IAAA,OAAO,IAAA,CACL,MAAA,CAAO,CAAC,GAAA,KAAQ;AAEhB,MAAA,IAAI,MAAA,CAAO,OAAA,IAAW,MAAA,CAAO,OAAA,CAAQ,SAAS,CAAA,EAAG;AAChD,QAAA,OAAO,MAAA,CAAO,OAAA,CAAQ,QAAA,CAAS,GAAA,CAAI,MAAM,CAAA;AAAA,MAC1C;AACA,MAAA,OAAO,IAAA;AAAA,IACR,CAAC,CAAA,CACA,GAAA,CAAI,YAAY,CAAA;AAAA,EACnB;AAEA,EAAA,eAAe,WAAW,OAAA,EAA8C;AACvE,IAAA,MAAM,OAAA,GAAU,MAAM,KAAA,CAAM;AAAA,MAC3B,OAAO,OAAA,CAAQ,KAAA;AAAA,MACf,OAAO,OAAA,CAAQ,KAAA;AAAA,MACf,KAAA,EAAO;AAAA;AAAA,KACP,CAAA;AAED,IAAA,IAAI,OAAA,CAAQ,WAAW,MAAA,EAAQ;AAC9B,MAAA,OAAO,IAAA,CAAK,SAAA,CAAU,OAAA,EAAS,IAAA,EAAM,CAAC,CAAA;AAAA,IACvC;AAGA,IAAA,MAAM,OAAA,GAAU;AAAA,MACf,IAAA;AAAA,MACA,SAAA;AAAA,MACA,QAAA;AAAA,MACA,QAAA;AAAA,MACA,UAAA;AAAA,MACA,QAAA;AAAA,MACA,QAAA;AAAA,MACA,YAAA;AAAA,MACA,YAAA;AAAA,MACA;AAAA,KACD;AACA,IAAA,MAAM,OAAA,GAAU,CAAC,OAAA,CAAQ,IAAA,CAAK,GAAG,CAAC,CAAA;AAElC,IAAA,KAAA,MAAW,SAAS,OAAA,EAAS;AAC5B,MAAA,OAAA,CAAQ,IAAA;AAAA,QACP;AAAA,UACC,KAAA,CAAM,EAAA;AAAA,UACN,KAAA,CAAM,OAAA;AAAA,UACN,KAAA,CAAM,MAAA;AAAA,UACN,KAAA,CAAM,MAAA;AAAA,UACN,KAAA,CAAM,QAAA;AAAA,UACN,KAAA,CAAM,MAAA;AAAA,UACN,CAAA,CAAA,EAAK,KAAA,CAA2C,MAAA,IAAU,EAAE,CAAA,CAAA,CAAA;AAAA,UAC5D,KAAA,CAAM,UAAA;AAAA,UACN,MAAM,UAAA,IAAc,EAAA;AAAA,UACpB,KAAA,CAAM,UAAU,WAAA;AAAY,SAC7B,CAAE,KAAK,GAAG;AAAA,OACX;AAAA,IACD;AAEA,IAAA,OAAO,OAAA,CAAQ,KAAK,IAAI,CAAA;AAAA,EACzB;AAMA,EAAA,eAAe,QAAQ,OAAA,EAAkE;AACxF,IAAA,MAAM,MAAA,GAAS,IAAI,IAAA,CAAK,IAAA,CAAK,GAAA,EAAI,GAAI,OAAA,CAAQ,aAAA,GAAgB,EAAA,GAAK,EAAA,GAAK,EAAA,GAAK,GAAI,CAAA;AAGhF,IAAA,MAAM,WAAW,MAAM,EAAA,CACrB,OAAO,EAAE,EAAA,EAAI,UAAU,EAAA,EAAI,CAAA,CAC3B,IAAA,CAAK,SAAS,CAAA,CACd,KAAA,CAAM,GAAG,SAAA,CAAU,SAAA,EAAW,MAAM,CAAC,CAAA;AAEvC,IAAA,IAAI,QAAA,CAAS,WAAW,CAAA,EAAG;AAC1B,MAAA,OAAO,EAAE,SAAS,CAAA,EAAE;AAAA,IACrB;AAEA,IAAA,MAAM,EAAA,CAAG,OAAO,SAAS,CAAA,CAAE,MAAM,EAAA,CAAG,SAAA,CAAU,SAAA,EAAW,MAAM,CAAC,CAAA;AAEhE,IAAA,OAAO,EAAE,OAAA,EAAS,QAAA,CAAS,MAAA,EAAO;AAAA,EACnC;AAEA,EAAA,OAAO,EAAE,KAAA,EAAO,MAAA,EAAQ,UAAA,EAAY,OAAA,EAAQ;AAC7C;AAEA,SAAS,aAAa,GAAA,EAAgD;AACrE,EAAA,OAAO;AAAA,IACN,IAAI,GAAA,CAAI,EAAA;AAAA,IACR,SAAS,GAAA,CAAI,OAAA;AAAA,IACb,QAAQ,GAAA,CAAI,MAAA;AAAA,IACZ,QAAQ,GAAA,CAAI,MAAA;AAAA,IACZ,UAAU,GAAA,CAAI,QAAA;AAAA,IACd,UAAA,EAAa,GAAA,CAAI,UAAA,IAA0C,EAAC;AAAA,IAC5D,QAAQ,GAAA,CAAI,MAAA;AAAA,IACZ,MAAA,EAAQ,IAAI,MAAA,IAAU,MAAA;AAAA,IACtB,YAAY,GAAA,CAAI,UAAA;AAAA,IAChB,UAAA,EAAY,IAAI,UAAA,IAAc,MAAA;AAAA,IAC9B,WAAW,GAAA,CAAI;AAAA,GAChB;AACD","file":"chunk-
|
|
1
|
+
{"version":3,"sources":["../src/audit/audit.ts"],"names":[],"mappings":";;;AAaO,SAAS,kBAAkB,MAAA,EAA2B;AAC5D,EAAA,MAAM,EAAE,IAAG,GAAI,MAAA;AAEf,EAAA,eAAe,MAAM,MAAA,EAA4C;AAChE,IAAA,MAAM,aAAa,EAAC;AAEpB,IAAA,IAAI,MAAA,CAAO,SAAS,UAAA,CAAW,IAAA,CAAK,GAAG,SAAA,CAAU,OAAA,EAAS,MAAA,CAAO,OAAO,CAAC,CAAA;AACzE,IAAA,IAAI,MAAA,CAAO,QAAQ,UAAA,CAAW,IAAA,CAAK,GAAG,SAAA,CAAU,MAAA,EAAQ,MAAA,CAAO,MAAM,CAAC,CAAA;AACtE,IAAA,IAAI,MAAA,CAAO,OAAO,UAAA,CAAW,IAAA,CAAK,IAAI,SAAA,CAAU,SAAA,EAAW,MAAA,CAAO,KAAK,CAAC,CAAA;AACxE,IAAA,IAAI,MAAA,CAAO,OAAO,UAAA,CAAW,IAAA,CAAK,IAAI,SAAA,CAAU,SAAA,EAAW,MAAA,CAAO,KAAK,CAAC,CAAA;AACxE,IAAA,IAAI,MAAA,CAAO,QAAQ,UAAA,CAAW,IAAA,CAAK,GAAG,SAAA,CAAU,MAAA,EAAQ,MAAA,CAAO,MAAM,CAAC,CAAA;AAEtE,IAAA,IAAI,CAAA,GAAI,EAAA,CAAG,MAAA,EAAO,CAAE,IAAA,CAAK,SAAS,CAAA,CAAE,OAAA,CAAQ,IAAA,CAAK,SAAA,CAAU,SAAS,CAAC,EAAE,QAAA,EAAS;AAEhF,IAAA,IAAI,UAAA,CAAW,SAAS,CAAA,EAAG;AAC1B,MAAA,CAAA,GAAI,CAAA,CAAE,KAAA,CAAM,GAAA,CAAI,GAAG,UAAU,CAAC,CAAA;AAAA,IAC/B;AAEA,IAAA,IAAI,OAAO,KAAA,EAAO;AACjB,MAAA,CAAA,GAAI,CAAA,CAAE,KAAA,CAAM,MAAA,CAAO,KAAK,CAAA;AAAA,IACzB;AACA,IAAA,IAAI,OAAO,MAAA,EAAQ;AAClB,MAAA,CAAA,GAAI,CAAA,CAAE,MAAA,CAAO,MAAA,CAAO,MAAM,CAAA;AAAA,IAC3B;AAEA,IAAA,MAAM,OAAO,MAAM,CAAA;AAEnB,IAAA,OAAO,IAAA,CACL,MAAA,CAAO,CAAC,GAAA,KAAQ;AAEhB,MAAA,IAAI,MAAA,CAAO,OAAA,IAAW,MAAA,CAAO,OAAA,CAAQ,SAAS,CAAA,EAAG;AAChD,QAAA,OAAO,MAAA,CAAO,OAAA,CAAQ,QAAA,CAAS,GAAA,CAAI,MAAM,CAAA;AAAA,MAC1C;AACA,MAAA,OAAO,IAAA;AAAA,IACR,CAAC,CAAA,CACA,GAAA,CAAI,YAAY,CAAA;AAAA,EACnB;AAEA,EAAA,eAAe,WAAW,OAAA,EAA8C;AACvE,IAAA,MAAM,OAAA,GAAU,MAAM,KAAA,CAAM;AAAA,MAC3B,OAAO,OAAA,CAAQ,KAAA;AAAA,MACf,OAAO,OAAA,CAAQ,KAAA;AAAA,MACf,KAAA,EAAO;AAAA;AAAA,KACP,CAAA;AAED,IAAA,IAAI,OAAA,CAAQ,WAAW,MAAA,EAAQ;AAC9B,MAAA,OAAO,IAAA,CAAK,SAAA,CAAU,OAAA,EAAS,IAAA,EAAM,CAAC,CAAA;AAAA,IACvC;AAGA,IAAA,MAAM,OAAA,GAAU;AAAA,MACf,IAAA;AAAA,MACA,SAAA;AAAA,MACA,QAAA;AAAA,MACA,QAAA;AAAA,MACA,UAAA;AAAA,MACA,QAAA;AAAA,MACA,QAAA;AAAA,MACA,YAAA;AAAA,MACA,YAAA;AAAA,MACA;AAAA,KACD;AACA,IAAA,MAAM,OAAA,GAAU,CAAC,OAAA,CAAQ,IAAA,CAAK,GAAG,CAAC,CAAA;AAElC,IAAA,KAAA,MAAW,SAAS,OAAA,EAAS;AAC5B,MAAA,OAAA,CAAQ,IAAA;AAAA,QACP;AAAA,UACC,KAAA,CAAM,EAAA;AAAA,UACN,KAAA,CAAM,OAAA;AAAA,UACN,KAAA,CAAM,MAAA;AAAA,UACN,KAAA,CAAM,MAAA;AAAA,UACN,KAAA,CAAM,QAAA;AAAA,UACN,KAAA,CAAM,MAAA;AAAA,UACN,CAAA,CAAA,EAAK,KAAA,CAA2C,MAAA,IAAU,EAAE,CAAA,CAAA,CAAA;AAAA,UAC5D,KAAA,CAAM,UAAA;AAAA,UACN,MAAM,UAAA,IAAc,EAAA;AAAA,UACpB,KAAA,CAAM,UAAU,WAAA;AAAY,SAC7B,CAAE,KAAK,GAAG;AAAA,OACX;AAAA,IACD;AAEA,IAAA,OAAO,OAAA,CAAQ,KAAK,IAAI,CAAA;AAAA,EACzB;AAMA,EAAA,eAAe,QAAQ,OAAA,EAAkE;AACxF,IAAA,MAAM,MAAA,GAAS,IAAI,IAAA,CAAK,IAAA,CAAK,GAAA,EAAI,GAAI,OAAA,CAAQ,aAAA,GAAgB,EAAA,GAAK,EAAA,GAAK,EAAA,GAAK,GAAI,CAAA;AAGhF,IAAA,MAAM,WAAW,MAAM,EAAA,CACrB,OAAO,EAAE,EAAA,EAAI,UAAU,EAAA,EAAI,CAAA,CAC3B,IAAA,CAAK,SAAS,CAAA,CACd,KAAA,CAAM,GAAG,SAAA,CAAU,SAAA,EAAW,MAAM,CAAC,CAAA;AAEvC,IAAA,IAAI,QAAA,CAAS,WAAW,CAAA,EAAG;AAC1B,MAAA,OAAO,EAAE,SAAS,CAAA,EAAE;AAAA,IACrB;AAEA,IAAA,MAAM,EAAA,CAAG,OAAO,SAAS,CAAA,CAAE,MAAM,EAAA,CAAG,SAAA,CAAU,SAAA,EAAW,MAAM,CAAC,CAAA;AAEhE,IAAA,OAAO,EAAE,OAAA,EAAS,QAAA,CAAS,MAAA,EAAO;AAAA,EACnC;AAEA,EAAA,OAAO,EAAE,KAAA,EAAO,MAAA,EAAQ,UAAA,EAAY,OAAA,EAAQ;AAC7C;AAEA,SAAS,aAAa,GAAA,EAAgD;AACrE,EAAA,OAAO;AAAA,IACN,IAAI,GAAA,CAAI,EAAA;AAAA,IACR,SAAS,GAAA,CAAI,OAAA;AAAA,IACb,QAAQ,GAAA,CAAI,MAAA;AAAA,IACZ,QAAQ,GAAA,CAAI,MAAA;AAAA,IACZ,UAAU,GAAA,CAAI,QAAA;AAAA,IACd,UAAA,EAAa,GAAA,CAAI,UAAA,IAA0C,EAAC;AAAA,IAC5D,QAAQ,GAAA,CAAI,MAAA;AAAA,IACZ,MAAA,EAAQ,IAAI,MAAA,IAAU,MAAA;AAAA,IACtB,YAAY,GAAA,CAAI,UAAA;AAAA,IAChB,UAAA,EAAY,IAAI,UAAA,IAAc,MAAA;AAAA,IAC9B,WAAW,GAAA,CAAI;AAAA,GAChB;AACD","file":"chunk-Y3OWAJHK.js","sourcesContent":["import { and, desc, eq, gte, lt, lte } from \"drizzle-orm\";\nimport type { Database } from \"../db/database.js\";\nimport { auditLogs } from \"../db/schema.js\";\nimport type { AuditEntry, AuditExportOptions, AuditFilter } from \"../types.js\";\n\ninterface AuditModuleConfig {\n\tdb: Database;\n}\n\n/**\n * Create the audit log module.\n * Provides query and export capabilities for the immutable audit trail.\n */\nexport function createAuditModule(config: AuditModuleConfig) {\n\tconst { db } = config;\n\n\tasync function query(filter: AuditFilter): Promise<AuditEntry[]> {\n\t\tconst conditions = [];\n\n\t\tif (filter.agentId) conditions.push(eq(auditLogs.agentId, filter.agentId));\n\t\tif (filter.userId) conditions.push(eq(auditLogs.userId, filter.userId));\n\t\tif (filter.since) conditions.push(gte(auditLogs.timestamp, filter.since));\n\t\tif (filter.until) conditions.push(lte(auditLogs.timestamp, filter.until));\n\t\tif (filter.result) conditions.push(eq(auditLogs.result, filter.result));\n\n\t\tlet q = db.select().from(auditLogs).orderBy(desc(auditLogs.timestamp)).$dynamic();\n\n\t\tif (conditions.length > 0) {\n\t\t\tq = q.where(and(...conditions));\n\t\t}\n\n\t\tif (filter.limit) {\n\t\t\tq = q.limit(filter.limit);\n\t\t}\n\t\tif (filter.offset) {\n\t\t\tq = q.offset(filter.offset);\n\t\t}\n\n\t\tconst rows = await q;\n\n\t\treturn rows\n\t\t\t.filter((row) => {\n\t\t\t\t// Filter by actions if specified\n\t\t\t\tif (filter.actions && filter.actions.length > 0) {\n\t\t\t\t\treturn filter.actions.includes(row.action);\n\t\t\t\t}\n\t\t\t\treturn true;\n\t\t\t})\n\t\t\t.map(toAuditEntry);\n\t}\n\n\tasync function exportLogs(options: AuditExportOptions): Promise<string> {\n\t\tconst entries = await query({\n\t\t\tsince: options.since,\n\t\t\tuntil: options.until,\n\t\t\tlimit: 10000, // cap exports\n\t\t});\n\n\t\tif (options.format === \"json\") {\n\t\t\treturn JSON.stringify(entries, null, 2);\n\t\t}\n\n\t\t// CSV format\n\t\tconst headers = [\n\t\t\t\"id\",\n\t\t\t\"agentId\",\n\t\t\t\"userId\",\n\t\t\t\"action\",\n\t\t\t\"resource\",\n\t\t\t\"result\",\n\t\t\t\"reason\",\n\t\t\t\"durationMs\",\n\t\t\t\"tokensCost\",\n\t\t\t\"timestamp\",\n\t\t];\n\t\tconst csvRows = [headers.join(\",\")];\n\n\t\tfor (const entry of entries) {\n\t\t\tcsvRows.push(\n\t\t\t\t[\n\t\t\t\t\tentry.id,\n\t\t\t\t\tentry.agentId,\n\t\t\t\t\tentry.userId,\n\t\t\t\t\tentry.action,\n\t\t\t\t\tentry.resource,\n\t\t\t\t\tentry.result,\n\t\t\t\t\t`\"${(entry as AuditEntry & { reason?: string }).reason ?? \"\"}\"`,\n\t\t\t\t\tentry.durationMs,\n\t\t\t\t\tentry.tokensCost ?? \"\",\n\t\t\t\t\tentry.timestamp.toISOString(),\n\t\t\t\t].join(\",\"),\n\t\t\t);\n\t\t}\n\n\t\treturn csvRows.join(\"\\n\");\n\t}\n\n\t/**\n\t * Delete audit log entries older than the specified retention period.\n\t * Returns the count of deleted rows.\n\t */\n\tasync function cleanup(options: { retentionDays: number }): Promise<{ deleted: number }> {\n\t\tconst cutoff = new Date(Date.now() - options.retentionDays * 24 * 60 * 60 * 1000);\n\n\t\t// Count rows to be deleted before removing them\n\t\tconst toDelete = await db\n\t\t\t.select({ id: auditLogs.id })\n\t\t\t.from(auditLogs)\n\t\t\t.where(lt(auditLogs.timestamp, cutoff));\n\n\t\tif (toDelete.length === 0) {\n\t\t\treturn { deleted: 0 };\n\t\t}\n\n\t\tawait db.delete(auditLogs).where(lt(auditLogs.timestamp, cutoff));\n\n\t\treturn { deleted: toDelete.length };\n\t}\n\n\treturn { query, export: exportLogs, cleanup };\n}\n\nfunction toAuditEntry(row: typeof auditLogs.$inferSelect): AuditEntry {\n\treturn {\n\t\tid: row.id,\n\t\tagentId: row.agentId,\n\t\tuserId: row.userId,\n\t\taction: row.action,\n\t\tresource: row.resource,\n\t\tparameters: (row.parameters as Record<string, unknown>) ?? {},\n\t\tresult: row.result as AuditEntry[\"result\"],\n\t\treason: row.reason ?? undefined,\n\t\tdurationMs: row.durationMs,\n\t\ttokensCost: row.tokensCost ?? undefined,\n\t\ttimestamp: row.timestamp,\n\t};\n}\n"]}
|
package/dist/index.d.ts
CHANGED
|
@@ -1,12 +1,12 @@
|
|
|
1
1
|
export { createAgentModule } from './agent/index.js';
|
|
2
|
-
import { D as Database, a as DatabaseConfig, b as DelegateInput, P as Permission, c as DelegationChain, d as DidDocument, e as DidKeyPair, f as DidWebConfig,
|
|
3
|
-
export {
|
|
2
|
+
import { D as Database, a as DatabaseConfig, b as DelegateInput, P as Permission, c as DelegationChain, d as DidDocument, e as DidKeyPair, f as DidWebConfig, g as AgentDid, S as SignedPayload, V as VerificationResult, K as KavachConfig, C as CreateAgentInput, A as AgentIdentity, h as AgentFilter, U as UpdateAgentInput, i as AuthorizeRequest, R as RequestContext, j as AuthorizeResult, k as AuditFilter, l as AuditEntry, m as AuditExportOptions, M as McpServerInput, n as McpServer, o as ResolvedUser, p as SessionManager, q as ApprovalRequest, r as MagicLinkModule, E as EmailOtpModule, T as TotpModule, s as PasskeyModule, O as OrgModule, t as SsoModule, u as AdminModule, v as ApiKeyManagerModule, w as UsernameAuthModule, x as PasswordResetModule, y as EmailVerificationModule, z as OneTimeTokenModule, B as SessionFreshnessModule, F as PhoneAuthModule, G as CaptchaModule, W as WebhookModule$1, H as RedirectChainManager, I as PluginEndpoint, J as EndpointContext, L as KavachPlugin, N as SessionConfig, Q as Session } from './types-W8X0PXE7.js';
|
|
3
|
+
export { X as AdminConfig, Y as AdminUser, Z as AgentConfig, _ as ApiKey, $ as ApiKeyManagerConfig, a0 as ApprovalConfig, a1 as ApprovalModule, a2 as AuthAdapter, a3 as CaptchaConfig, a4 as CaptchaVerifyResult, a5 as CreateTokenInput, a6 as D1DatabaseBinding, a7 as EmailOtpConfig, a8 as EmailVerificationConfig, a9 as KavachHooks, aa as KavachInstance, ab as MagicLinkConfig, ac as McpMiddleware, ad as OidcProvider, ae as OneTimeTokenConfig, af as OneTimeTokenPurpose, ag as OrgConfig, ah as OrgInvitation, ai as OrgMember, aj as OrgRole, ak as Organization, al as PasskeyConfig, am as PasskeyCredential, an as PasswordResetConfig, ao as PermissionConstraints, ap as PhoneAuthConfig, aq as PluginContext, ar as PluginInitResult, as as RedirectChainState, at as RedirectConfig, au as RedirectEntry, av as RevokeTokensResult, aw as SSO_ERROR, ax as SamlProvider, ay as ServiceEndpoint, az as SessionFreshnessConfig, aA as SsoAuditEvent, aB as SsoConfig, aC as SsoConnection, aD as SsoError, aE as TokenValidationResult, aF as TotpConfig, aG as TotpSetup, aH as UsernameAuthConfig, aI as ValidateTokenResult, aJ as VerificationMethod, aK as agentCards, aL as agentDids, aM as agents, aN as apiKeysTable, aO as approvalRequests, aP as auditLogs, aQ as budgetPolicies, aR as classifyViolation, aS as createAdminModule, aT as createApiKeyManagerModule, aU as createApprovalModule, aV as createCaptchaModule, aW as createDatabase, aX as createDatabaseSync, aY as createEmailOtpModule, aZ as createEmailVerificationModule, a_ as createMagicLinkModule, a$ as createOneTimeTokenModule, b0 as createOrgModule, b1 as createPasskeyModule, b2 as createPasswordResetModule, b3 as createPhoneAuthModule, b4 as createRedirectChain, b5 as createSessionFreshnessModule, b6 as createSessionManager, b7 as createSsoModule, b8 as createTotpModule, b9 as createUsernameAuthModule, ba as delegationChains, bb as emailOtps, bc as magicLinks, bd as mcpServers, be as oauthAccessTokens, bf as oauthAuthorizationCodes, bg as oauthClients, bh as orgInvitations, bi as orgMembers, bj as orgRoles, bk as organizations, bl as passkeyChallenges, bm as passkeyCredentials, bn as permissions, bo as rateLimits, bp as sessions, bq as ssoConnections, br as tenants, bs as totpRecords, bt as trustScores, bu as users } from './types-W8X0PXE7.js';
|
|
4
4
|
export { createAuditModule } from './audit/index.js';
|
|
5
|
-
export { AccessTokenClaims, AdditionalFieldsConfig, AdditionalFieldsModule, AnonymousAuthConfig, AnonymousAuthModule, AuthorizeParams, BearerAuthOptions, CheckoutOptions,
|
|
5
|
+
export { AccessTokenClaims, AdditionalFieldsConfig, AdditionalFieldsModule, AnonymousAuthConfig, AnonymousAuthModule, AuthorizeParams, BearerAuthOptions, BudgetCheckResult, CheckParams, CheckResult, CheckoutOptions, CostAlert, CostAttributionConfig, CostAttributionModule, CostReport, CreateEphemeralSessionInput, CustomSessionConfig, CustomSessionModule, DeleteOptions, DeleteResult, DeviceAuthConfig, DeviceAuthModule, DeviceAuthStatus, DeviceCodeResponse, EVENT_TYPES, EndpointGroup, EphemeralSession, EphemeralSessionConfig, EphemeralSessionModule, EphemeralSessionValidateResult, EventStreamConfig, EventStreamModule, EventType, ExpandParams, FederatedAgent, FederationConfig, FederationModule, FederationToken, FederationWellKnown, FieldDefinition, GdprModule, GetUserClaimsFn, GoogleUser, HeaderAuthOptions, HibpApiError, HibpBreachedError, HibpConfig, HibpModule, InstanceIdentity, IssueFederationTokenInput, JsonWebKeySet, JwtSessionConfig, JwtSessionModule, LastLoginConfig, LastLoginModule, ListObjectsParams, ListSubjectsParams, LoginEvent, LoginMethod, OAuthProxyConfig, OAuthProxyError, OAuthProxyModule, OAuthProxyPluginConfig, OidcClient, OidcDiscoveryDocument, OidcProviderConfig, OidcProviderModule, OneTapConfig, OneTapModule, OneTapVerifyError, OpenApiComponents, OpenApiConfig, OpenApiDocument, OpenApiInfo, OpenApiMediaType, OpenApiModule, OpenApiOperation, OpenApiParameter, OpenApiPathItem, OpenApiRequestBody, OpenApiResponse, OpenApiSchema, OpenApiSecurityRequirement, OpenApiSecurityScheme, OpenApiServer, PermissionRuleSet, PolarConfig, PolarModule, PolarSubscription, ProxyTokens, RateLimitConfig, RateLimitMiddlewareOptions, RateLimitResult, RateLimiter, ReBACConfig, ReBACModule, RecordCostInput, RecordLoginInput, RegisterClientInput, Relationship, ResourceNode, ScimConfig, ScimGroup, ScimModule, ScimUser, SessionTokens, SessionUser, SiweConfig, SiweModule, SiweVerifyResult, StreamEvent, StripeConfig, StripeModule, SubscriptionInfo, TokenParams, TokenResponse, TrustLevel, TrustedDevice, TrustedDeviceConfig, TrustedDeviceModule, TrustedInstance, TwoFactorConfig, UserDataExport, UserInfoClaims, ValidationResult, VerifiedSession, additionalFields, admin, anonymousAuth, apiKeys, bearerAuth, createAdditionalFieldsModule, createAnonymousAuthModule, createCostAttributionModule, createCustomSessionModule, createDeviceAuthModule, createEphemeralSessionModule, createEventStreamModule, createFederationModule, createGdprModule, createHibpModule, createJwtSessionModule, createLastLoginModule, createOAuthProxyModule, createOidcProviderModule, createOneTapModule, createOpenApiModule, createPolarModule, createRateLimiter, createReBACModule, createScimModule, createSiweModule, createStripeModule, createTrustedDeviceModule, customAuth, customSession, deviceAuth, deviceLabelFromRequest, emailOtp, gdpr, headerAuth, magicLink, oauthProxy, oneTap, organization, passkey, polar, scim, siwe, stripe, twoFactor, withRateLimit } from './auth/index.js';
|
|
6
6
|
export { PermissionTemplateName, createPermissionEngine, getPermissionTemplate, permissionTemplates } from './permission/index.js';
|
|
7
|
-
|
|
7
|
+
export { CredentialFormat, CredentialStatus, CredentialStatusSchema, CredentialSubject, CredentialSubjectSchema, DelegationLink, ExtractedPermissions, IssueAgentCredentialInput, IssueDelegationCredentialInput, IssuePermissionCredentialInput, KAVACH_AGENT_CREDENTIAL, KAVACH_DELEGATION_CREDENTIAL, KAVACH_PERMISSION_CREDENTIAL, Proof, ProofSchema, VCIssuer, VCIssuerConfig, VCJwtPayload, VCVerifier, VCVerifierConfig, VC_CONTEXT_V1, VC_CONTEXT_V2, VC_TYPE_CREDENTIAL, VC_TYPE_PRESENTATION, VerifiableCredential, VerifiableCredentialSchema, VerifiablePresentation, VerifiablePresentationSchema, VerifiedCredential, VerifiedPresentation, createVCIssuer, createVCVerifier } from './vc/index.js';
|
|
8
8
|
import 'drizzle-orm/sqlite-core';
|
|
9
|
-
import './types-
|
|
9
|
+
import './types-BuHrZcjE.js';
|
|
10
10
|
import 'zod';
|
|
11
11
|
import 'jose';
|
|
12
12
|
|
|
@@ -55,6 +55,60 @@ declare function createPrivilegeAnalyzer(db: Database): {
|
|
|
55
55
|
};
|
|
56
56
|
type PrivilegeAnalyzer = ReturnType<typeof createPrivilegeAnalyzer>;
|
|
57
57
|
|
|
58
|
+
/**
|
|
59
|
+
* Web Crypto API utilities for KavachOS.
|
|
60
|
+
*
|
|
61
|
+
* This module uses ONLY the Web Crypto API (globalThis.crypto) which is
|
|
62
|
+
* available natively in Cloudflare Workers, Deno, Bun, and Node 20+.
|
|
63
|
+
* No `node:crypto` imports are used, making the core package edge-compatible.
|
|
64
|
+
*/
|
|
65
|
+
/** Encode a Uint8Array as a lowercase hex string. */
|
|
66
|
+
declare function toHex(bytes: Uint8Array): string;
|
|
67
|
+
/** Decode a hex string into a Uint8Array. */
|
|
68
|
+
declare function fromHex(hex: string): Uint8Array;
|
|
69
|
+
/** Encode a Uint8Array as a base64url string (no padding). */
|
|
70
|
+
declare function toBase64Url(bytes: Uint8Array): string;
|
|
71
|
+
/** Decode a base64url string into a Uint8Array. */
|
|
72
|
+
declare function fromBase64Url(b64: string): Uint8Array;
|
|
73
|
+
/** Generate a v4 UUID using the globally available crypto.randomUUID(). */
|
|
74
|
+
declare function generateId(): string;
|
|
75
|
+
/** Generate cryptographically secure random bytes as a Uint8Array. */
|
|
76
|
+
declare function randomBytes(length: number): Uint8Array;
|
|
77
|
+
/** Generate cryptographically secure random bytes as a hex string. */
|
|
78
|
+
declare function randomBytesHex(length: number): string;
|
|
79
|
+
/** SHA-256 hash, returns hex string. */
|
|
80
|
+
declare function sha256(data: string | Uint8Array): Promise<string>;
|
|
81
|
+
/** SHA-256 hash, returns Uint8Array. */
|
|
82
|
+
declare function sha256Raw(data: string | Uint8Array): Promise<Uint8Array>;
|
|
83
|
+
/** SHA-1 hash, returns hex string. Needed for HIBP k-anonymity. */
|
|
84
|
+
declare function sha1(data: string | Uint8Array): Promise<string>;
|
|
85
|
+
/** Import a secret key for HMAC operations. */
|
|
86
|
+
declare function importHmacKey(key: string | Uint8Array, hash?: "SHA-256" | "SHA-1"): Promise<CryptoKey>;
|
|
87
|
+
/** HMAC-SHA256 sign, returns hex string. */
|
|
88
|
+
declare function hmacSha256(key: string | Uint8Array, data: string | Uint8Array): Promise<string>;
|
|
89
|
+
/** HMAC-SHA256 sign, returns Uint8Array. */
|
|
90
|
+
declare function hmacSha256Raw(key: string | Uint8Array, data: string | Uint8Array): Promise<Uint8Array>;
|
|
91
|
+
/** HMAC-SHA1 sign, returns Uint8Array (needed for TOTP per RFC 6238). */
|
|
92
|
+
declare function hmacSha1Raw(key: Uint8Array, data: Uint8Array): Promise<Uint8Array>;
|
|
93
|
+
/**
|
|
94
|
+
* Hash a password using PBKDF2-SHA256.
|
|
95
|
+
*
|
|
96
|
+
* Returns a string in the format: `pbkdf2:iterations:salt_hex:hash_hex`
|
|
97
|
+
* which is safe to store in the database.
|
|
98
|
+
*/
|
|
99
|
+
declare function pbkdf2Hash(password: string, salt?: Uint8Array, iterations?: number): Promise<string>;
|
|
100
|
+
/**
|
|
101
|
+
* Verify a password against a stored PBKDF2 hash.
|
|
102
|
+
*
|
|
103
|
+
* Supports the `pbkdf2:iterations:salt:hash` format produced by `pbkdf2Hash`.
|
|
104
|
+
*/
|
|
105
|
+
declare function pbkdf2Verify(password: string, stored: string): Promise<boolean>;
|
|
106
|
+
/**
|
|
107
|
+
* Constant-time comparison of two Uint8Arrays.
|
|
108
|
+
* Returns false immediately if lengths differ (length is not secret).
|
|
109
|
+
*/
|
|
110
|
+
declare function constantTimeEqual(a: Uint8Array, b: Uint8Array): boolean;
|
|
111
|
+
|
|
58
112
|
/**
|
|
59
113
|
* Create all KavachOS tables if they do not already exist.
|
|
60
114
|
*
|
|
@@ -660,6 +714,63 @@ declare function createKavach(config: KavachConfig): Promise<{
|
|
|
660
714
|
* ```
|
|
661
715
|
*/
|
|
662
716
|
username: UsernameAuthModule | null;
|
|
717
|
+
/**
|
|
718
|
+
* Password reset (forgot password + reset password).
|
|
719
|
+
*
|
|
720
|
+
* Null when `passwordReset` config was not provided or `auth.session`
|
|
721
|
+
* is not configured.
|
|
722
|
+
*
|
|
723
|
+
* @example
|
|
724
|
+
* ```typescript
|
|
725
|
+
* // In your route handler
|
|
726
|
+
* const response = await kavach.passwordReset?.handleRequest(request);
|
|
727
|
+
* if (response) return response;
|
|
728
|
+
*
|
|
729
|
+
* // Or programmatically
|
|
730
|
+
* await kavach.passwordReset?.requestReset('alice@example.com');
|
|
731
|
+
* await kavach.passwordReset?.resetPassword(token, 'new-password');
|
|
732
|
+
* ```
|
|
733
|
+
*/
|
|
734
|
+
passwordReset: PasswordResetModule | null;
|
|
735
|
+
/**
|
|
736
|
+
* Email address verification.
|
|
737
|
+
*
|
|
738
|
+
* Null when `emailVerification` config was not provided.
|
|
739
|
+
*
|
|
740
|
+
* @example
|
|
741
|
+
* ```typescript
|
|
742
|
+
* // Send a verification email after sign-up
|
|
743
|
+
* await kavach.emailVerification?.sendVerification(userId, email);
|
|
744
|
+
*
|
|
745
|
+
* // Confirm from the link in the email
|
|
746
|
+
* const result = await kavach.emailVerification?.verify(token);
|
|
747
|
+
*
|
|
748
|
+
* // Check status
|
|
749
|
+
* const verified = await kavach.emailVerification?.isVerified(userId);
|
|
750
|
+
* ```
|
|
751
|
+
*/
|
|
752
|
+
emailVerification: EmailVerificationModule | null;
|
|
753
|
+
/**
|
|
754
|
+
* One-time tokens (email verify, password reset, invitations, custom).
|
|
755
|
+
*
|
|
756
|
+
* Always available. Used internally by password reset but exposed for
|
|
757
|
+
* custom flows (email verification, invitation links, etc.).
|
|
758
|
+
*/
|
|
759
|
+
oneTimeTokens: OneTimeTokenModule;
|
|
760
|
+
/**
|
|
761
|
+
* Session freshness enforcement for sensitive operations.
|
|
762
|
+
*
|
|
763
|
+
* Use as middleware before password changes, passkey registration,
|
|
764
|
+
* billing updates, or any action that requires a recently-authenticated
|
|
765
|
+
* session rather than an auto-refreshed one.
|
|
766
|
+
*
|
|
767
|
+
* @example
|
|
768
|
+
* ```typescript
|
|
769
|
+
* const stale = kavach.sessionFreshness.guard(session);
|
|
770
|
+
* if (stale) return stale; // 403 SESSION_NOT_FRESH
|
|
771
|
+
* ```
|
|
772
|
+
*/
|
|
773
|
+
sessionFreshness: SessionFreshnessModule;
|
|
663
774
|
/**
|
|
664
775
|
* Phone number (SMS OTP) authentication.
|
|
665
776
|
*
|
|
@@ -696,6 +807,27 @@ declare function createKavach(config: KavachConfig): Promise<{
|
|
|
696
807
|
* ```
|
|
697
808
|
*/
|
|
698
809
|
webhooks: WebhookModule$1 | null;
|
|
810
|
+
/**
|
|
811
|
+
* Redirect chain manager.
|
|
812
|
+
*
|
|
813
|
+
* Capture the user's original destination before auth redirects, push
|
|
814
|
+
* intermediate steps (onboarding, email verification), and pop them
|
|
815
|
+
* back in order. Cookie-based, works across page transitions and tabs.
|
|
816
|
+
*
|
|
817
|
+
* @example
|
|
818
|
+
* ```typescript
|
|
819
|
+
* // In auth middleware — save where the user was going
|
|
820
|
+
* const setCookie = kavach.redirects.capture(request);
|
|
821
|
+
* return new Response(null, { status: 302, headers: { Location: '/sign-in', 'Set-Cookie': setCookie } });
|
|
822
|
+
*
|
|
823
|
+
* // After sign-in — send user to their original destination
|
|
824
|
+
* const { url, clearCookie } = kavach.redirects.pop(request);
|
|
825
|
+
* const headers: Record<string, string> = { Location: url };
|
|
826
|
+
* if (clearCookie) headers['Set-Cookie'] = clearCookie;
|
|
827
|
+
* return new Response(null, { status: 302, headers });
|
|
828
|
+
* ```
|
|
829
|
+
*/
|
|
830
|
+
redirects: RedirectChainManager;
|
|
699
831
|
/**
|
|
700
832
|
* Plugin system.
|
|
701
833
|
*
|
|
@@ -1348,4 +1480,4 @@ declare function createWebhookModule(config: WebhookConfig): WebhookModule;
|
|
|
1348
1480
|
*/
|
|
1349
1481
|
declare function verifyWebhookSignature(secret: string, rawBody: string, signature: string): Promise<boolean>;
|
|
1350
1482
|
|
|
1351
|
-
export { AdminModule, AgentDid, AgentFilter, AgentIdentity, ApiKeyManagerModule, ApprovalRequest, AuditEntry, AuditExportOptions, AuditFilter, AuthorizeRequest, AuthorizeResult, type BudgetLimits, type BudgetPolicy, type BudgetUsage, CaptchaModule, type CookieOptions, type CookieSessionConfig, type CookieSessionManager, CreateAgentInput, type CreatePolicyInput, type CreateSessionResult, type CreateTenantInput, type CsrfValidationResult, Database, DelegateInput, DelegationChain, DidDocument, DidKeyPair, type DidModule, DidWebConfig, EmailOtpModule, type EmailTemplate, type EmailTemplateConfig, type EmailTemplateName, type EmailTemplates, EndpointContext, type I18nConfig, type I18nModule, type Kavach, KavachConfig, KavachPlugin, MagicLinkModule, McpServer, McpServerInput, type MultiSessionConfig, MultiSessionLimitError, type MultiSessionModule, OrgModule, PasskeyModule, Permission, PhoneAuthModule, PluginEndpoint, type PluginRegistry, type PolicyFilters, type PrivilegeAnalysis, type PrivilegeAnalyzer, type PrivilegeFinding, type PrivilegeSummary, ResolvedUser, type SameSite, Session, SessionConfig, type SessionInfo, SessionManager, SignedPayload, SsoModule, type Tenant, type TenantSettings, TotpModule, type TranslationKeys, type TrustConfig, type TrustModule, type TrustScore, UpdateAgentInput, UsernameAuthModule, type ValidateSessionResult, VerificationResult, type WebhookConfig, type WebhookEvent, type WebhookModule, type WebhookSubscription, buildDidDocument, buildSessionMetadata, createCookieSessionManager, createDelegationModule, createDidModule, createEmailTemplates, createI18n, createKavach, createMultiSessionModule, createPluginRouter, createPolicyModule, createPresentation, createPrivilegeAnalyzer, createTables, createTenantModule, createTrustModule, createWebhookModule, de, en, es, fr, generateCsrfToken, generateDidKey, generateDidWeb, generateOpenAPISpec, getCookie, getDidWebUrl, initializePlugins, ja, parseCookies, parseCookiesFromRequest, resolveDidKey, resolveDidWeb, serializeCookie, serializeCookieDeletion, signPayload, validateCsrfToken, validateOrigin, verifyPayload, verifyPresentation, verifyWebhookSignature, zh };
|
|
1483
|
+
export { AdminModule, AgentDid, AgentFilter, AgentIdentity, ApiKeyManagerModule, ApprovalRequest, AuditEntry, AuditExportOptions, AuditFilter, AuthorizeRequest, AuthorizeResult, type BudgetLimits, type BudgetPolicy, type BudgetUsage, CaptchaModule, type CookieOptions, type CookieSessionConfig, type CookieSessionManager, CreateAgentInput, type CreatePolicyInput, type CreateSessionResult, type CreateTenantInput, type CsrfValidationResult, Database, DatabaseConfig, DelegateInput, DelegationChain, DidDocument, DidKeyPair, type DidModule, DidWebConfig, EmailOtpModule, type EmailTemplate, type EmailTemplateConfig, type EmailTemplateName, type EmailTemplates, EmailVerificationModule, EndpointContext, type I18nConfig, type I18nModule, type Kavach, KavachConfig, KavachPlugin, MagicLinkModule, McpServer, McpServerInput, type MultiSessionConfig, MultiSessionLimitError, type MultiSessionModule, OneTimeTokenModule, OrgModule, PasskeyModule, PasswordResetModule, Permission, PhoneAuthModule, PluginEndpoint, type PluginRegistry, type PolicyFilters, type PrivilegeAnalysis, type PrivilegeAnalyzer, type PrivilegeFinding, type PrivilegeSummary, RedirectChainManager, ResolvedUser, type SameSite, Session, SessionConfig, SessionFreshnessModule, type SessionInfo, SessionManager, SignedPayload, SsoModule, type Tenant, type TenantSettings, TotpModule, type TranslationKeys, type TrustConfig, type TrustModule, type TrustScore, UpdateAgentInput, UsernameAuthModule, type ValidateSessionResult, VerificationResult, type WebhookConfig, type WebhookEvent, type WebhookModule, type WebhookSubscription, buildDidDocument, buildSessionMetadata, constantTimeEqual, createCookieSessionManager, createDelegationModule, createDidModule, createEmailTemplates, createI18n, createKavach, createMultiSessionModule, createPluginRouter, createPolicyModule, createPresentation, createPrivilegeAnalyzer, createTables, createTenantModule, createTrustModule, createWebhookModule, de, en, es, fr, fromBase64Url, fromHex, generateCsrfToken, generateDidKey, generateDidWeb, generateId, generateOpenAPISpec, getCookie, getDidWebUrl, hmacSha1Raw, hmacSha256, hmacSha256Raw, importHmacKey, initializePlugins, ja, parseCookies, parseCookiesFromRequest, pbkdf2Hash, pbkdf2Verify, randomBytes, randomBytesHex, resolveDidKey, resolveDidWeb, serializeCookie, serializeCookieDeletion, sha1, sha256, sha256Raw, signPayload, toBase64Url, toHex, validateCsrfToken, validateOrigin, verifyPayload, verifyPresentation, verifyWebhookSignature, zh };
|