kavachos 0.3.0 → 0.4.0

package/dist/{types-B02D3kZy.d.ts → types-RJPOU4un.d.ts}

@@ -1,6 +1,6 @@
 import * as drizzle_orm_sqlite_core from 'drizzle-orm/sqlite-core';
 import { BaseSQLiteDatabase } from 'drizzle-orm/sqlite-core';
-import { R as Result, f as McpConfig } from './types-BuHrZcjE.js';
+import { R as Result, f as McpConfig } from './types-BiUe9e8u.js';
 import { RedirectConfig } from './redirect/index.js';
 
 declare const users: drizzle_orm_sqlite_core.SQLiteTableWithColumns<{
@@ -971,6 +971,25 @@ declare const permissions: drizzle_orm_sqlite_core.SQLiteTableWithColumns<{
         }, {}, {
             $type: PermissionConstraintsRow;
         }>;
+        relation: drizzle_orm_sqlite_core.SQLiteColumn<{
+            name: "relation";
+            tableName: "kavach_permissions";
+            dataType: "string";
+            columnType: "SQLiteText";
+            data: string;
+            driverParam: string;
+            notNull: false;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {
+            length: number | undefined;
+        }>;
         createdAt: drizzle_orm_sqlite_core.SQLiteColumn<{
             name: "created_at";
             tableName: "kavach_permissions";
@@ -1403,6 +1422,23 @@ declare const auditLogs: drizzle_orm_sqlite_core.SQLiteTableWithColumns<{
         }, {}, {
             length: number | undefined;
         }>;
+        cacheHit: drizzle_orm_sqlite_core.SQLiteColumn<{
+            name: "cache_hit";
+            tableName: "kavach_audit_logs";
+            dataType: "boolean";
+            columnType: "SQLiteBoolean";
+            data: boolean;
+            driverParam: number;
+            notNull: true;
+            hasDefault: true;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: undefined;
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
         timestamp: drizzle_orm_sqlite_core.SQLiteColumn<{
             name: "timestamp";
             tableName: "kavach_audit_logs";
@@ -9111,6 +9147,59 @@ interface PluginInitResult {
     context?: Record<string, unknown>;
 }
 
+type PolicyEffect = "permit" | "deny" | "indeterminate";
+interface PolicyDecisionSubject {
+    agentId?: string;
+    userId?: string;
+    orgId?: string;
+}
+interface PolicyEvaluationContext {
+    ip?: string;
+    arguments?: Record<string, unknown>;
+    timestamp?: Date;
+    [key: string]: unknown;
+}
+interface EvaluateInput {
+    subject: PolicyDecisionSubject;
+    action: string;
+    resource: string;
+    context?: PolicyEvaluationContext;
+}
+interface PolicyDecision {
+    allowed: boolean;
+    effect: PolicyEffect;
+    reason: string;
+    matchedPermissionId?: string;
+    matchedRelation?: string;
+    cacheHit: boolean;
+    durationMs: number;
+    auditId?: string;
+}
+interface PolicyCacheStats {
+    hits: number;
+    misses: number;
+    size: number;
+    evictions: number;
+}
+interface InvalidateScope {
+    agentId?: string;
+    userId?: string;
+    resource?: string;
+}
+type PolicyCombineStrategy = "deny-overrides" | "permit-overrides";
+interface PolicyCacheConfig {
+    maxEntries?: number;
+    ttlMs?: number;
+    enabled?: boolean;
+}
+interface PolicyEngineConfig {
+    cache?: PolicyCacheConfig;
+    combineStrategy?: PolicyCombineStrategy;
+    audit?: boolean;
+    /** Sample rate for audit row writes, 0.0 to 1.0. Defaults to 1.0. */
+    auditSampleRate?: number;
+}
+
 /**
  * Session freshness enforcement for KavachOS.
  *
@@ -9332,6 +9421,15 @@ interface KavachConfig {
      * to. Deliveries are fire-and-forget with exponential backoff retries.
      */
     webhooks?: WebhookConfig[];
+    /**
+     * Unified policy engine configuration.
+     *
+     * Controls the LRU cache (max entries, TTL), combining strategy
+     * (deny-overrides vs permit-overrides), audit emission, and audit
+     * sample rate. When omitted, the engine runs with safe defaults:
+     * cache enabled (10,000 entries, 60s TTL), deny-overrides, full audit.
+     */
+    policy?: PolicyEngineConfig;
     /**
      * Redirect chain configuration.
      *
@@ -9347,6 +9445,18 @@ interface KavachConfig {
      * When omitted, defaults to 300 seconds (5 minutes).
      */
     sessionFreshness?: SessionFreshnessConfig;
+    /**
+     * Emit IETF agentic JWT claims on issued tokens.
+     *
+     * When true, tokens issued by the MCP token endpoint and the JWT session
+     * module include additional claims defined in draft-goswami-agentic-jwt-00
+     * and draft-liu-agent-operation-authorization-01, such as `agent_id`,
+     * `agent_type`, and `trust_tier`. Off by default to preserve backward
+     * compatibility with existing token consumers.
+     *
+     * @default false
+     */
+    emitAgenticJwtClaims?: boolean;
 }
 /**
  * The main KavachOS instance returned by createKavach()
@@ -9397,6 +9507,8 @@ interface Permission {
     resource: string;
     actions: string[];
     constraints?: PermissionConstraints;
+    /** Optional ReBAC relation. When set, the policy engine queries the relationship graph. */
+    relation?: string;
 }
 interface PermissionConstraints {
     maxCallsPerHour?: number;
@@ -9521,4 +9633,4 @@ interface TokenValidationResult {
 }
 type McpMiddleware = (request: Request) => Promise<Response | undefined>;
 
-export { type ApprovalConfig as $, type AgentIdentity as A, type SessionFreshnessModule as B, type CreateAgentInput as C, type Database as D, type EmailOtpModule as E, type PhoneAuthModule as F, type CaptchaModule as G, type PluginEndpoint as H, type EndpointContext as I, type KavachPlugin as J, type KavachConfig as K, type SessionConfig as L, type McpServerInput as M, type Session as N, type OrgModule as O, type Permission as P, type AdminConfig as Q, type RequestContext as R, type SignedPayload as S, type TotpModule as T, type UpdateAgentInput as U, type VerificationResult as V, type WebhookModule as W, type AdminUser as X, type AgentConfig as Y, type ApiKey as Z, type ApiKeyManagerConfig as _, type DatabaseConfig as a, createPhoneAuthModule as a$, type ApprovalModule as a0, type AuthAdapter as a1, type CaptchaConfig as a2, type CaptchaVerifyResult as a3, type CreateTokenInput as a4, type D1DatabaseBinding as a5, type EmailOtpConfig as a6, type EmailVerificationConfig as a7, type KavachHooks as a8, type KavachInstance as a9, type TokenValidationResult as aA, type TotpConfig as aB, type TotpSetup as aC, type UsernameAuthConfig as aD, type ValidateTokenResult as aE, type VerificationMethod as aF, agentCards as aG, agentDids as aH, agents as aI, apiKeys as aJ, approvalRequests as aK, auditLogs as aL, budgetPolicies as aM, classifyViolation as aN, createAdminModule as aO, createApiKeyManagerModule as aP, createApprovalModule as aQ, createCaptchaModule as aR, createDatabase as aS, createDatabaseSync as aT, createEmailOtpModule as aU, createEmailVerificationModule as aV, createMagicLinkModule as aW, createOneTimeTokenModule as aX, createOrgModule as aY, createPasskeyModule as aZ, createPasswordResetModule as a_, type MagicLinkConfig as aa, type McpMiddleware as ab, type OidcProvider as ac, type OneTimeTokenConfig as ad, type OneTimeTokenPurpose as ae, type OrgConfig as af, type OrgInvitation as ag, type OrgMember as ah, type OrgRole as ai, type Organization as aj, type PasskeyConfig as ak, type PasskeyCredential as al, type PasswordResetConfig as am, type PermissionConstraints as an, type PhoneAuthConfig as ao, type PluginContext as ap, type PluginInitResult as aq, type RevokeTokensResult as ar, SSO_ERROR as as, type SamlProvider as at, type ServiceEndpoint as au, type SessionFreshnessConfig as av, type SsoAuditEvent as aw, type SsoConfig as ax, type SsoConnection as ay, SsoError as az, type DelegateInput as b, createSessionFreshnessModule as b0, createSessionManager as b1, createSsoModule as b2, createTotpModule as b3, createUsernameAuthModule as b4, delegationChains as b5, emailOtps as b6, magicLinks as b7, mcpServers as b8, oauthAccessTokens as b9, oauthAuthorizationCodes as ba, oauthClients as bb, orgInvitations as bc, orgMembers as bd, orgRoles as be, organizations as bf, passkeyChallenges as bg, passkeyCredentials as bh, permissions as bi, rateLimits as bj, sessions as bk, ssoConnections as bl, tenants as bm, totpRecords as bn, trustScores as bo, users as bp, type WebhookConfig as bq, type WebhookEvent as br, createWebhookModule as bs, type DelegationChain as c, type DidDocument as d, type DidKeyPair as e, type DidWebConfig as f, type AgentDid as g, type AgentFilter as h, type AuthorizeRequest as i, type AuthorizeResult as j, type AuditFilter as k, type AuditEntry as l, type AuditExportOptions as m, type McpServer as n, type ResolvedUser as o, type SessionManager as p, type ApprovalRequest as q, type MagicLinkModule as r, type PasskeyModule as s, type SsoModule as t, type AdminModule as u, type ApiKeyManagerModule as v, type UsernameAuthModule as w, type PasswordResetModule as x, type EmailVerificationModule as y, type OneTimeTokenModule as z };
+export { type AdminUser as $, type AgentIdentity as A, type SessionFreshnessModule as B, type CreateAgentInput as C, type Database as D, type EmailOtpModule as E, type PhoneAuthModule as F, type CaptchaModule as G, type EvaluateInput as H, type PolicyDecision as I, type InvalidateScope as J, type KavachConfig as K, type PolicyCacheStats as L, type McpServerInput as M, type PluginEndpoint as N, type OrgModule as O, type Permission as P, type EndpointContext as Q, type RequestContext as R, type SignedPayload as S, type TotpModule as T, type UpdateAgentInput as U, type VerificationResult as V, type WebhookModule as W, type KavachPlugin as X, type SessionConfig as Y, type Session as Z, type AdminConfig as _, type DatabaseConfig as a, createOneTimeTokenModule as a$, type AgentConfig as a0, type ApiKey as a1, type ApiKeyManagerConfig as a2, type ApprovalConfig as a3, type ApprovalModule as a4, type AuthAdapter as a5, type CaptchaConfig as a6, type CaptchaVerifyResult as a7, type CreateTokenInput as a8, type D1DatabaseBinding as a9, type SsoAuditEvent as aA, type SsoConfig as aB, type SsoConnection as aC, SsoError as aD, type TokenValidationResult as aE, type TotpConfig as aF, type TotpSetup as aG, type UsernameAuthConfig as aH, type ValidateTokenResult as aI, type VerificationMethod as aJ, agentCards as aK, agentDids as aL, agents as aM, apiKeys as aN, approvalRequests as aO, auditLogs as aP, budgetPolicies as aQ, classifyViolation as aR, createAdminModule as aS, createApiKeyManagerModule as aT, createApprovalModule as aU, createCaptchaModule as aV, createDatabase as aW, createDatabaseSync as aX, createEmailOtpModule as aY, createEmailVerificationModule as aZ, createMagicLinkModule as a_, type EmailOtpConfig as aa, type EmailVerificationConfig as ab, type KavachHooks as ac, type KavachInstance as ad, type MagicLinkConfig as ae, type McpMiddleware as af, type OidcProvider as ag, type OneTimeTokenConfig as ah, type OneTimeTokenPurpose as ai, type OrgConfig as aj, type OrgInvitation as ak, type OrgMember as al, type OrgRole as am, type Organization as an, type PasskeyConfig as ao, type PasskeyCredential as ap, type PasswordResetConfig as aq, type PermissionConstraints as ar, type PhoneAuthConfig as as, type PluginContext as at, type PluginInitResult as au, type RevokeTokensResult as av, SSO_ERROR as aw, type SamlProvider as ax, type ServiceEndpoint as ay, type SessionFreshnessConfig as az, type DelegateInput as b, createOrgModule as b0, createPasskeyModule as b1, createPasswordResetModule as b2, createPhoneAuthModule as b3, createSessionFreshnessModule as b4, createSessionManager as b5, createSsoModule as b6, createTotpModule as b7, createUsernameAuthModule as b8, delegationChains as b9, emailOtps as ba, magicLinks as bb, mcpServers as bc, oauthAccessTokens as bd, oauthAuthorizationCodes as be, oauthClients as bf, orgInvitations as bg, orgMembers as bh, orgRoles as bi, organizations as bj, passkeyChallenges as bk, passkeyCredentials as bl, permissions as bm, rateLimits as bn, sessions as bo, ssoConnections as bp, tenants as bq, totpRecords as br, trustScores as bs, users as bt, type WebhookConfig as bu, type WebhookEvent as bv, createWebhookModule as bw, type DelegationChain as c, type DidDocument as d, type DidKeyPair as e, type DidWebConfig as f, type AgentDid as g, type AgentFilter as h, type AuthorizeRequest as i, type AuthorizeResult as j, type AuditFilter as k, type AuditEntry as l, type AuditExportOptions as m, type McpServer as n, type ResolvedUser as o, type SessionManager as p, type ApprovalRequest as q, type MagicLinkModule as r, type PasskeyModule as s, type SsoModule as t, type AdminModule as u, type ApiKeyManagerModule as v, type UsernameAuthModule as w, type PasswordResetModule as x, type EmailVerificationModule as y, type OneTimeTokenModule as z };

package/dist/vc/index.d.ts

@@ -1,5 +1,8 @@
-import { R as Result } from '../types-BuHrZcjE.js';
+import { l as AuditEntry } from '../types-RJPOU4un.js';
 import { z } from 'zod';
+import { R as Result } from '../types-BiUe9e8u.js';
+import 'drizzle-orm/sqlite-core';
+import '../redirect/index.js';
 
 /**
  * W3C Verifiable Credentials Data Model 2.0 types for KavachOS.
@@ -84,35 +87,55 @@ declare const CredentialSubjectSchema: z.ZodObject<{
     }>, "many">>;
     name: z.ZodOptional<z.ZodString>;
     type: z.ZodOptional<z.ZodString>;
-}, "strip", z.ZodTypeAny, {
-    name?: string | undefined;
-    id?: string | undefined;
-    type?: string | undefined;
-    agentId?: string | undefined;
-    permissions?: string[] | undefined;
-    trustLevel?: number | undefined;
-    delegationScope?: string[] | undefined;
-    delegationChain?: {
+}, "passthrough", z.ZodTypeAny, z.objectOutputType<{
+    id: z.ZodOptional<z.ZodString>;
+    agentId: z.ZodOptional<z.ZodString>;
+    permissions: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    trustLevel: z.ZodOptional<z.ZodNumber>;
+    delegationScope: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    delegationChain: z.ZodOptional<z.ZodArray<z.ZodObject<{
+        delegator: z.ZodString;
+        delegatee: z.ZodString;
+        permissions: z.ZodArray<z.ZodString, "many">;
+        createdAt: z.ZodString;
+    }, "strip", z.ZodTypeAny, {
         createdAt: string;
         permissions: string[];
         delegator: string;
         delegatee: string;
-    }[] | undefined;
-}, {
-    name?: string | undefined;
-    id?: string | undefined;
-    type?: string | undefined;
-    agentId?: string | undefined;
-    permissions?: string[] | undefined;
-    trustLevel?: number | undefined;
-    delegationScope?: string[] | undefined;
-    delegationChain?: {
+    }, {
         createdAt: string;
         permissions: string[];
         delegator: string;
         delegatee: string;
-    }[] | undefined;
-}>;
+    }>, "many">>;
+    name: z.ZodOptional<z.ZodString>;
+    type: z.ZodOptional<z.ZodString>;
+}, z.ZodTypeAny, "passthrough">, z.objectInputType<{
+    id: z.ZodOptional<z.ZodString>;
+    agentId: z.ZodOptional<z.ZodString>;
+    permissions: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    trustLevel: z.ZodOptional<z.ZodNumber>;
+    delegationScope: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    delegationChain: z.ZodOptional<z.ZodArray<z.ZodObject<{
+        delegator: z.ZodString;
+        delegatee: z.ZodString;
+        permissions: z.ZodArray<z.ZodString, "many">;
+        createdAt: z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        createdAt: string;
+        permissions: string[];
+        delegator: string;
+        delegatee: string;
+    }, {
+        createdAt: string;
+        permissions: string[];
+        delegator: string;
+        delegatee: string;
+    }>, "many">>;
+    name: z.ZodOptional<z.ZodString>;
+    type: z.ZodOptional<z.ZodString>;
+}, z.ZodTypeAny, "passthrough">>;
 type CredentialSubject = z.infer<typeof CredentialSubjectSchema>;
 declare const VerifiableCredentialSchema: z.ZodObject<{
     "@context": z.ZodArray<z.ZodString, "many">;
@@ -154,35 +177,55 @@ declare const VerifiableCredentialSchema: z.ZodObject<{
         }>, "many">>;
         name: z.ZodOptional<z.ZodString>;
         type: z.ZodOptional<z.ZodString>;
-    }, "strip", z.ZodTypeAny, {
-        name?: string | undefined;
-        id?: string | undefined;
-        type?: string | undefined;
-        agentId?: string | undefined;
-        permissions?: string[] | undefined;
-        trustLevel?: number | undefined;
-        delegationScope?: string[] | undefined;
-        delegationChain?: {
+    }, "passthrough", z.ZodTypeAny, z.objectOutputType<{
+        id: z.ZodOptional<z.ZodString>;
+        agentId: z.ZodOptional<z.ZodString>;
+        permissions: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        trustLevel: z.ZodOptional<z.ZodNumber>;
+        delegationScope: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        delegationChain: z.ZodOptional<z.ZodArray<z.ZodObject<{
+            delegator: z.ZodString;
+            delegatee: z.ZodString;
+            permissions: z.ZodArray<z.ZodString, "many">;
+            createdAt: z.ZodString;
+        }, "strip", z.ZodTypeAny, {
             createdAt: string;
             permissions: string[];
             delegator: string;
             delegatee: string;
-        }[] | undefined;
-    }, {
-        name?: string | undefined;
-        id?: string | undefined;
-        type?: string | undefined;
-        agentId?: string | undefined;
-        permissions?: string[] | undefined;
-        trustLevel?: number | undefined;
-        delegationScope?: string[] | undefined;
-        delegationChain?: {
+        }, {
             createdAt: string;
             permissions: string[];
             delegator: string;
             delegatee: string;
-        }[] | undefined;
-    }>;
+        }>, "many">>;
+        name: z.ZodOptional<z.ZodString>;
+        type: z.ZodOptional<z.ZodString>;
+    }, z.ZodTypeAny, "passthrough">, z.objectInputType<{
+        id: z.ZodOptional<z.ZodString>;
+        agentId: z.ZodOptional<z.ZodString>;
+        permissions: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        trustLevel: z.ZodOptional<z.ZodNumber>;
+        delegationScope: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        delegationChain: z.ZodOptional<z.ZodArray<z.ZodObject<{
+            delegator: z.ZodString;
+            delegatee: z.ZodString;
+            permissions: z.ZodArray<z.ZodString, "many">;
+            createdAt: z.ZodString;
+        }, "strip", z.ZodTypeAny, {
+            createdAt: string;
+            permissions: string[];
+            delegator: string;
+            delegatee: string;
+        }, {
+            createdAt: string;
+            permissions: string[];
+            delegator: string;
+            delegatee: string;
+        }>, "many">>;
+        name: z.ZodOptional<z.ZodString>;
+        type: z.ZodOptional<z.ZodString>;
+    }, z.ZodTypeAny, "passthrough">>;
     credentialStatus: z.ZodOptional<z.ZodObject<{
         id: z.ZodString;
         type: z.ZodString;
@@ -246,6 +289,8 @@ declare const VerifiableCredentialSchema: z.ZodObject<{
             delegator: string;
             delegatee: string;
         }[] | undefined;
+    } & {
+        [k: string]: unknown;
     };
     id?: string | undefined;
     expirationDate?: string | undefined;
@@ -286,6 +331,8 @@ declare const VerifiableCredentialSchema: z.ZodObject<{
             delegator: string;
             delegatee: string;
         }[] | undefined;
+    } & {
+        [k: string]: unknown;
     };
     id?: string | undefined;
     expirationDate?: string | undefined;
@@ -351,35 +398,55 @@ declare const VerifiablePresentationSchema: z.ZodObject<{
             }>, "many">>;
             name: z.ZodOptional<z.ZodString>;
             type: z.ZodOptional<z.ZodString>;
-        }, "strip", z.ZodTypeAny, {
-            name?: string | undefined;
-            id?: string | undefined;
-            type?: string | undefined;
-            agentId?: string | undefined;
-            permissions?: string[] | undefined;
-            trustLevel?: number | undefined;
-            delegationScope?: string[] | undefined;
-            delegationChain?: {
+        }, "passthrough", z.ZodTypeAny, z.objectOutputType<{
+            id: z.ZodOptional<z.ZodString>;
+            agentId: z.ZodOptional<z.ZodString>;
+            permissions: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+            trustLevel: z.ZodOptional<z.ZodNumber>;
+            delegationScope: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+            delegationChain: z.ZodOptional<z.ZodArray<z.ZodObject<{
+                delegator: z.ZodString;
+                delegatee: z.ZodString;
+                permissions: z.ZodArray<z.ZodString, "many">;
+                createdAt: z.ZodString;
+            }, "strip", z.ZodTypeAny, {
                 createdAt: string;
                 permissions: string[];
                 delegator: string;
                 delegatee: string;
-            }[] | undefined;
-        }, {
-            name?: string | undefined;
-            id?: string | undefined;
-            type?: string | undefined;
-            agentId?: string | undefined;
-            permissions?: string[] | undefined;
-            trustLevel?: number | undefined;
-            delegationScope?: string[] | undefined;
-            delegationChain?: {
+            }, {
                 createdAt: string;
                 permissions: string[];
                 delegator: string;
                 delegatee: string;
-            }[] | undefined;
-        }>;
+            }>, "many">>;
+            name: z.ZodOptional<z.ZodString>;
+            type: z.ZodOptional<z.ZodString>;
+        }, z.ZodTypeAny, "passthrough">, z.objectInputType<{
+            id: z.ZodOptional<z.ZodString>;
+            agentId: z.ZodOptional<z.ZodString>;
+            permissions: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+            trustLevel: z.ZodOptional<z.ZodNumber>;
+            delegationScope: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+            delegationChain: z.ZodOptional<z.ZodArray<z.ZodObject<{
+                delegator: z.ZodString;
+                delegatee: z.ZodString;
+                permissions: z.ZodArray<z.ZodString, "many">;
+                createdAt: z.ZodString;
+            }, "strip", z.ZodTypeAny, {
+                createdAt: string;
+                permissions: string[];
+                delegator: string;
+                delegatee: string;
+            }, {
+                createdAt: string;
+                permissions: string[];
+                delegator: string;
+                delegatee: string;
+            }>, "many">>;
+            name: z.ZodOptional<z.ZodString>;
+            type: z.ZodOptional<z.ZodString>;
+        }, z.ZodTypeAny, "passthrough">>;
         credentialStatus: z.ZodOptional<z.ZodObject<{
             id: z.ZodString;
             type: z.ZodString;
@@ -443,6 +510,8 @@ declare const VerifiablePresentationSchema: z.ZodObject<{
                 delegator: string;
                 delegatee: string;
             }[] | undefined;
+        } & {
+            [k: string]: unknown;
         };
         id?: string | undefined;
         expirationDate?: string | undefined;
@@ -483,6 +552,8 @@ declare const VerifiablePresentationSchema: z.ZodObject<{
                 delegator: string;
                 delegatee: string;
             }[] | undefined;
+        } & {
+            [k: string]: unknown;
         };
         id?: string | undefined;
         expirationDate?: string | undefined;
@@ -549,6 +620,8 @@ declare const VerifiablePresentationSchema: z.ZodObject<{
                 delegator: string;
                 delegatee: string;
             }[] | undefined;
+        } & {
+            [k: string]: unknown;
         };
         id?: string | undefined;
         expirationDate?: string | undefined;
@@ -603,6 +676,8 @@ declare const VerifiablePresentationSchema: z.ZodObject<{
                 delegator: string;
                 delegatee: string;
             }[] | undefined;
+        } & {
+            [k: string]: unknown;
         };
         id?: string | undefined;
         expirationDate?: string | undefined;
@@ -691,6 +766,120 @@ interface ExtractedPermissions {
     delegationScope: string[];
 }
 
+/**
+ * Export audit records as W3C Verifiable Credentials.
+ *
+ * Takes a time range of audit log entries and returns either individual
+ * credentials per record or a single Verifiable Presentation wrapping
+ * all of them. Useful for compliance exports that must be
+ * cryptographically verifiable (EU AI Act Article 12, SOC 2 CC7).
+ *
+ * Context URL: https://kavachos.com/contexts/audit/v1.jsonld
+ * This context is defined locally — the URL does not need to resolve at
+ * runtime. It serves as a stable identifier for the credential schema.
+ */
+
+declare const KAVACHOS_AUDIT_CREDENTIAL = "KavachosAuditCredential";
+/**
+ * Context URL for KavachosAuditCredential.
+ * Defined locally — the URL does not need to resolve at runtime.
+ */
+declare const KAVACHOS_AUDIT_CONTEXT = "https://kavachos.com/contexts/audit/v1.jsonld";
+/** AuditRecord is an alias for AuditEntry used in the VC export surface. */
+type AuditRecord = AuditEntry;
+/** Options passed to `exportAuditAsVC`. */
+interface ExportAuditOptions {
+    /** Start of the time range (inclusive). */
+    since: Date;
+    /** End of the time range (inclusive). */
+    until: Date;
+    /**
+     * DID of the issuer signing the credentials.
+     * Must match the keypair in `issuerConfig`.
+     */
+    issuerDid: string;
+    /** Private/public keypair config for signing. */
+    issuerConfig: VCIssuerConfig;
+    /** Output format. Default: `"ldp_vc"` (JSON-LD with embedded proof). */
+    format?: "ldp_vc" | "jwt_vc";
+    /** Output structure. Default: `"individual"` (one VC per record). */
+    output?: "individual" | "presentation";
+    /** Optional filter applied after the time range query. */
+    filter?: (record: AuditRecord) => boolean;
+    /** Records to export. Pass the results of `listAuditRecords` or `kavach.audit.query()`. */
+    records: AuditRecord[];
+}
+/** The result of `exportAuditAsVC`. */
+interface AuditExportResult {
+    /**
+     * Individual credentials — one per audit record.
+     * When `output === "presentation"`, these are also embedded in `presentation`.
+     */
+    credentials: VerifiableCredential[];
+    /**
+     * JWT strings when `format === "jwt_vc"`. Parallel to `credentials`.
+     * Pass these to `verifyCredential()` instead of the credential objects.
+     */
+    jwts?: string[];
+    /** Present only when `output === "presentation"`. */
+    presentation?: VerifiablePresentation;
+    /** The format used. */
+    format: "ldp_vc" | "jwt_vc";
+    /** Timestamp of the export run. */
+    issuedAt: Date;
+    /** Number of credentials produced. */
+    count: number;
+}
+/** The credentialSubject for a KavachosAuditCredential. */
+interface AuditCredentialSubject {
+    id: string;
+    agentId: string;
+    principalId?: string;
+    operation: string;
+    target: string;
+    decision: "allow" | "deny" | "approval_required";
+    policyName?: string;
+    timestamp: string;
+    traceId?: string;
+    kavachosVersion: string;
+}
+/**
+ * Export a set of audit records as Verifiable Credentials.
+ *
+ * Pass `records` from `kavach.audit.query()` or `listAuditRecords`.
+ * The function applies the optional `filter`, signs each record with
+ * the issuer keypair, and returns either individual VCs or a single
+ * Verifiable Presentation.
+ *
+ * ```ts
+ * const result = await exportAuditAsVC({
+ *   since: new Date('2025-01-01'),
+ *   until: new Date('2025-01-31'),
+ *   issuerDid: keyPair.did,
+ *   issuerConfig: {
+ *     issuerDid: keyPair.did,
+ *     privateKeyJwk: keyPair.privateKeyJwk,
+ *     publicKeyJwk: keyPair.publicKeyJwk,
+ *   },
+ *   records,
+ * });
+ * console.log(result.count); // 42
+ * ```
+ */
+declare function exportAuditAsVC(options: ExportAuditOptions): Promise<AuditExportResult>;
+/**
+ * Filter audit records by time range with an optional predicate.
+ *
+ * Convenience helper for callers that already have records in memory
+ * and want to slice them before passing to `exportAuditAsVC`.
+ *
+ * ```ts
+ * const records = await kavach.audit.query({ since, until });
+ * const denyRecords = listAuditRecords(records, since, until, r => r.result === 'denied');
+ * ```
+ */
+declare function listAuditRecords(records: AuditRecord[], since: Date, until: Date, filter?: (record: AuditRecord) => boolean): AuditRecord[];
+
 /**
  * W3C Verifiable Credential issuance for KavachOS.
  *
@@ -797,4 +986,4 @@ interface VCVerifier {
  */
 declare function createVCVerifier(config?: VCVerifierConfig): VCVerifier;
 
-export { type CredentialFormat, type CredentialStatus, CredentialStatusSchema, type CredentialSubject, CredentialSubjectSchema, type DelegationLink, type ExtractedPermissions, type IssueAgentCredentialInput, type IssueDelegationCredentialInput, type IssuePermissionCredentialInput, KAVACH_AGENT_CREDENTIAL, KAVACH_DELEGATION_CREDENTIAL, KAVACH_PERMISSION_CREDENTIAL, type Proof, ProofSchema, type VCIssuer, type VCIssuerConfig, type VCJwtPayload, type VCVerifier, type VCVerifierConfig, VC_CONTEXT_V1, VC_CONTEXT_V2, VC_TYPE_CREDENTIAL, VC_TYPE_PRESENTATION, type VerifiableCredential, VerifiableCredentialSchema, type VerifiablePresentation, VerifiablePresentationSchema, type VerifiedCredential, type VerifiedPresentation, createVCIssuer, createVCVerifier };
+export { type AuditCredentialSubject, type AuditExportResult, type AuditRecord, type CredentialFormat, type CredentialStatus, CredentialStatusSchema, type CredentialSubject, CredentialSubjectSchema, type DelegationLink, type ExportAuditOptions, type ExtractedPermissions, type IssueAgentCredentialInput, type IssueDelegationCredentialInput, type IssuePermissionCredentialInput, KAVACHOS_AUDIT_CONTEXT, KAVACHOS_AUDIT_CREDENTIAL, KAVACH_AGENT_CREDENTIAL, KAVACH_DELEGATION_CREDENTIAL, KAVACH_PERMISSION_CREDENTIAL, type Proof, ProofSchema, type VCIssuer, type VCIssuerConfig, type VCJwtPayload, type VCVerifier, type VCVerifierConfig, VC_CONTEXT_V1, VC_CONTEXT_V2, VC_TYPE_CREDENTIAL, VC_TYPE_PRESENTATION, type VerifiableCredential, VerifiableCredentialSchema, type VerifiablePresentation, VerifiablePresentationSchema, type VerifiedCredential, type VerifiedPresentation, createVCIssuer, createVCVerifier, exportAuditAsVC, listAuditRecords };