kavachos 0.3.0 → 0.4.1

package/dist/index.d.ts CHANGED
@@ -1,17 +1,18 @@
1
1
  export { and, eq, like } from 'drizzle-orm';
2
2
  export { createAgentModule } from './agent/index.js';
3
- import { D as Database, a as DatabaseConfig, K as KavachConfig, b as DelegateInput, P as Permission, c as DelegationChain, d as DidDocument, e as DidKeyPair, f as DidWebConfig, g as AgentDid, S as SignedPayload, V as VerificationResult, C as CreateAgentInput, A as AgentIdentity, h as AgentFilter, U as UpdateAgentInput, i as AuthorizeRequest, R as RequestContext, j as AuthorizeResult, k as AuditFilter, l as AuditEntry, m as AuditExportOptions, M as McpServerInput, n as McpServer, o as ResolvedUser, p as SessionManager, q as ApprovalRequest, r as MagicLinkModule, E as EmailOtpModule, T as TotpModule, s as PasskeyModule, O as OrgModule, t as SsoModule, u as AdminModule, v as ApiKeyManagerModule, w as UsernameAuthModule, x as PasswordResetModule, y as EmailVerificationModule, z as OneTimeTokenModule, B as SessionFreshnessModule, F as PhoneAuthModule, G as CaptchaModule, W as WebhookModule$1, H as PluginEndpoint, I as EndpointContext, J as KavachPlugin, L as SessionConfig, N as Session } from './types-B02D3kZy.js';
4
- export { Q as AdminConfig, X as AdminUser, Y as AgentConfig, Z as ApiKey, _ as ApiKeyManagerConfig, $ as ApprovalConfig, a0 as ApprovalModule, a1 as AuthAdapter, a2 as CaptchaConfig, a3 as CaptchaVerifyResult, a4 as CreateTokenInput, a5 as D1DatabaseBinding, a6 as EmailOtpConfig, a7 as EmailVerificationConfig, a8 as KavachHooks, a9 as KavachInstance, aa as MagicLinkConfig, ab as McpMiddleware, ac as OidcProvider, ad as OneTimeTokenConfig, ae as OneTimeTokenPurpose, af as OrgConfig, ag as OrgInvitation, ah as OrgMember, ai as OrgRole, aj as Organization, ak as PasskeyConfig, al as PasskeyCredential, am as PasswordResetConfig, an as PermissionConstraints, ao as PhoneAuthConfig, ap as PluginContext, aq as PluginInitResult, ar as RevokeTokensResult, as as SSO_ERROR, at as SamlProvider, au as ServiceEndpoint, av as SessionFreshnessConfig, aw as SsoAuditEvent, ax as SsoConfig, ay as SsoConnection, az as SsoError, aA as TokenValidationResult, aB as TotpConfig, aC as TotpSetup, aD as UsernameAuthConfig, aE as ValidateTokenResult, aF as VerificationMethod, aG as agentCards, aH as agentDids, aI as agents, aJ as apiKeysTable, aK as approvalRequests, aL as auditLogs, aM as budgetPolicies, aN as classifyViolation, aO as createAdminModule, aP as createApiKeyManagerModule, aQ as createApprovalModule, aR as createCaptchaModule, aS as createDatabase, aT as createDatabaseSync, aU as createEmailOtpModule, aV as createEmailVerificationModule, aW as createMagicLinkModule, aX as createOneTimeTokenModule, aY as createOrgModule, aZ as createPasskeyModule, a_ as createPasswordResetModule, a$ as createPhoneAuthModule, b0 as createSessionFreshnessModule, b1 as createSessionManager, b2 as createSsoModule, b3 as createTotpModule, b4 as createUsernameAuthModule, b5 as delegationChains, b6 as emailOtps, b7 as magicLinks, b8 as mcpServers, b9 as oauthAccessTokens, ba as oauthAuthorizationCodes, bb as oauthClients, bc as orgInvitations, bd as orgMembers, be as orgRoles, bf as organizations, bg 
as passkeyChallenges, bh as passkeyCredentials, bi as permissions, bj as rateLimits, bk as sessions, bl as ssoConnections, bm as tenants, bn as totpRecords, bo as trustScores, bp as users } from './types-B02D3kZy.js';
3
+ import { D as Database, a as DatabaseConfig, K as KavachConfig, b as DelegateInput, P as Permission, c as DelegationChain, d as DidDocument, e as DidKeyPair, f as DidWebConfig, g as AgentDid, S as SignedPayload, V as VerificationResult, C as CreateAgentInput, A as AgentIdentity, h as AgentFilter, U as UpdateAgentInput, i as AuthorizeRequest, R as RequestContext, j as AuthorizeResult, k as AuditFilter, l as AuditEntry, m as AuditExportOptions, M as McpServerInput, n as McpServer, o as ResolvedUser, p as SessionManager, q as ApprovalRequest, r as MagicLinkModule, E as EmailOtpModule, T as TotpModule, s as PasskeyModule, O as OrgModule, t as SsoModule, u as AdminModule, v as ApiKeyManagerModule, w as UsernameAuthModule, x as PasswordResetModule, y as EmailVerificationModule, z as OneTimeTokenModule, B as SessionFreshnessModule, F as PhoneAuthModule, G as CaptchaModule, W as WebhookModule$1, H as EvaluateInput, I as PolicyDecision, J as InvalidateScope, L as PolicyCacheStats, N as PluginEndpoint, Q as EndpointContext, X as KavachPlugin, Y as SessionConfig, Z as Session } from './types-RJPOU4un.js';
4
+ export { _ as AdminConfig, $ as AdminUser, a0 as AgentConfig, a1 as ApiKey, a2 as ApiKeyManagerConfig, a3 as ApprovalConfig, a4 as ApprovalModule, a5 as AuthAdapter, a6 as CaptchaConfig, a7 as CaptchaVerifyResult, a8 as CreateTokenInput, a9 as D1DatabaseBinding, aa as EmailOtpConfig, ab as EmailVerificationConfig, ac as KavachHooks, ad as KavachInstance, ae as MagicLinkConfig, af as McpMiddleware, ag as OidcProvider, ah as OneTimeTokenConfig, ai as OneTimeTokenPurpose, aj as OrgConfig, ak as OrgInvitation, al as OrgMember, am as OrgRole, an as Organization, ao as PasskeyConfig, ap as PasskeyCredential, aq as PasswordResetConfig, ar as PermissionConstraints, as as PhoneAuthConfig, at as PluginContext, au as PluginInitResult, av as RevokeTokensResult, aw as SSO_ERROR, ax as SamlProvider, ay as ServiceEndpoint, az as SessionFreshnessConfig, aA as SsoAuditEvent, aB as SsoConfig, aC as SsoConnection, aD as SsoError, aE as TokenValidationResult, aF as TotpConfig, aG as TotpSetup, aH as UsernameAuthConfig, aI as ValidateTokenResult, aJ as VerificationMethod, aK as agentCards, aL as agentDids, aM as agents, aN as apiKeysTable, aO as approvalRequests, aP as auditLogs, aQ as budgetPolicies, aR as classifyViolation, aS as createAdminModule, aT as createApiKeyManagerModule, aU as createApprovalModule, aV as createCaptchaModule, aW as createDatabase, aX as createDatabaseSync, aY as createEmailOtpModule, aZ as createEmailVerificationModule, a_ as createMagicLinkModule, a$ as createOneTimeTokenModule, b0 as createOrgModule, b1 as createPasskeyModule, b2 as createPasswordResetModule, b3 as createPhoneAuthModule, b4 as createSessionFreshnessModule, b5 as createSessionManager, b6 as createSsoModule, b7 as createTotpModule, b8 as createUsernameAuthModule, b9 as delegationChains, ba as emailOtps, bb as magicLinks, bc as mcpServers, bd as oauthAccessTokens, be as oauthAuthorizationCodes, bf as oauthClients, bg as orgInvitations, bh as orgMembers, bi as orgRoles, bj as organizations, 
bk as passkeyChallenges, bl as passkeyCredentials, bm as permissions, bn as rateLimits, bo as sessions, bp as ssoConnections, bq as tenants, br as totpRecords, bs as trustScores, bt as users } from './types-RJPOU4un.js';
5
5
  export { createAuditModule } from './audit/index.js';
6
6
  export { AccessTokenClaims, AdditionalFieldsConfig, AdditionalFieldsModule, AnonymousAuthConfig, AnonymousAuthModule, AuthorizeParams, BearerAuthOptions, BudgetCheckResult, CheckParams, CheckResult, CheckoutOptions, CostAlert, CostAttributionConfig, CostAttributionModule, CostReport, CreateEphemeralSessionInput, CustomSessionConfig, CustomSessionModule, DeleteOptions, DeleteResult, DeviceAuthConfig, DeviceAuthModule, DeviceAuthStatus, DeviceCodeResponse, EVENT_TYPES, EndpointGroup, EndpointLimit, EphemeralSession, EphemeralSessionConfig, EphemeralSessionModule, EphemeralSessionValidateResult, EventStreamConfig, EventStreamModule, EventType, ExpandParams, FederatedAgent, FederationConfig, FederationModule, FederationToken, FederationWellKnown, FieldDefinition, GdprModule, GetUserClaimsFn, GoogleUser, HeaderAuthOptions, HibpApiError, HibpBreachedError, HibpConfig, HibpModule, InstanceIdentity, IssueFederationTokenInput, JsonWebKeySet, JwtSessionConfig, JwtSessionModule, KVNamespace, KVStore, LastLoginConfig, LastLoginModule, ListObjectsParams, ListSubjectsParams, LoginEvent, LoginMethod, MemoryStore, OAuthAccount, OAuthCallbackResult, OAuthModule, OAuthModuleConfig, OAuthPluginConfig, OAuthProvider, OAuthProviderConfig, OAuthProxyConfig, OAuthProxyError, OAuthProxyModule, OAuthProxyPluginConfig, OAuthTokens, OAuthUserInfo, OidcClient, OidcDiscoveryDocument, OidcProviderConfig, OidcProviderModule, OneTapConfig, OneTapModule, OneTapVerifyError, OpenApiComponents, OpenApiConfig, OpenApiDocument, OpenApiInfo, OpenApiMediaType, OpenApiModule, OpenApiOperation, OpenApiParameter, OpenApiPathItem, OpenApiRequestBody, OpenApiResponse, OpenApiSchema, OpenApiSecurityRequirement, OpenApiSecurityScheme, OpenApiServer, PermissionRuleSet, PolarConfig, PolarModule, PolarSubscription, ProxyTokens, RateLimitConfig, RateLimitMiddlewareOptions, RateLimitPluginConfig, RateLimitResult, RateLimitStore, RateLimiter, ReBACConfig, ReBACModule, RecordCostInput, RecordLoginInput, 
RegisterClientInput, Relationship, ResourceNode, ScimConfig, ScimGroup, ScimModule, ScimUser, SessionTokens, SessionUser, SiweConfig, SiweModule, SiweVerifyResult, StreamEvent, StripeConfig, StripeModule, SubscriptionInfo, TokenParams, TokenResponse, TrustLevel, TrustedDevice, TrustedDeviceConfig, TrustedDeviceModule, TrustedInstance, TwoFactorConfig, UserDataExport, UserInfoClaims, ValidationResult, VerifiedSession, additionalFields, admin, anonymousAuth, apiKeys, bearerAuth, createAdditionalFieldsModule, createAnonymousAuthModule, createAppleProvider, createCostAttributionModule, createCustomSessionModule, createDeviceAuthModule, createDiscordProvider, createEphemeralSessionModule, createEventStreamModule, createFederationModule, createGdprModule, createGithubProvider, createGitlabProvider, createGoogleProvider, createHibpModule, createJwtSessionModule, createLastLoginModule, createLinkedInProvider, createMicrosoftProvider, createOAuthModule, createOAuthProxyModule, createOidcProviderModule, createOneTapModule, createOpenApiModule, createPolarModule, createRateLimiter, createReBACModule, createScimModule, createSiweModule, createSlackProvider, createStripeModule, createTrustedDeviceModule, createTwitterProvider, customAuth, customSession, deviceAuth, deviceLabelFromRequest, emailOtp, gdpr, headerAuth, kvStore, magicLink, oauth, oauthProxy, oneTap, organization, passkey, polar, rateLimit, scim, siwe, stripe, twoFactor, withRateLimit } from './auth/index.js';
7
7
  export { constantTimeEqual, fromBase64Url, fromHex, generateId, hmacSha1Raw, hmacSha256, hmacSha256Raw, importHmacKey, pbkdf2Hash, pbkdf2Verify, randomBytes, randomBytesHex, sha1, sha256, sha256Raw, toBase64Url, toHex } from './crypto/index.js';
8
8
  import { RedirectChainManager } from './redirect/index.js';
9
9
  export { RedirectChainState, RedirectConfig, RedirectEntry, createRedirectChain } from './redirect/index.js';
10
10
  export { PermissionTemplateName, createPermissionEngine, getPermissionTemplate, permissionTemplates } from './permission/index.js';
11
- export { CredentialFormat, CredentialStatus, CredentialStatusSchema, CredentialSubject, CredentialSubjectSchema, DelegationLink, ExtractedPermissions, IssueAgentCredentialInput, IssueDelegationCredentialInput, IssuePermissionCredentialInput, KAVACH_AGENT_CREDENTIAL, KAVACH_DELEGATION_CREDENTIAL, KAVACH_PERMISSION_CREDENTIAL, Proof, ProofSchema, VCIssuer, VCIssuerConfig, VCJwtPayload, VCVerifier, VCVerifierConfig, VC_CONTEXT_V1, VC_CONTEXT_V2, VC_TYPE_CREDENTIAL, VC_TYPE_PRESENTATION, VerifiableCredential, VerifiableCredentialSchema, VerifiablePresentation, VerifiablePresentationSchema, VerifiedCredential, VerifiedPresentation, createVCIssuer, createVCVerifier } from './vc/index.js';
11
+ export { AuditCredentialSubject, AuditExportResult, AuditRecord, CredentialFormat, CredentialStatus, CredentialStatusSchema, CredentialSubject, CredentialSubjectSchema, DelegationLink, ExportAuditOptions, ExtractedPermissions, IssueAgentCredentialInput, IssueDelegationCredentialInput, IssuePermissionCredentialInput, KAVACHOS_AUDIT_CONTEXT, KAVACHOS_AUDIT_CREDENTIAL, KAVACH_AGENT_CREDENTIAL, KAVACH_DELEGATION_CREDENTIAL, KAVACH_PERMISSION_CREDENTIAL, Proof, ProofSchema, VCIssuer, VCIssuerConfig, VCJwtPayload, VCVerifier, VCVerifierConfig, VC_CONTEXT_V1, VC_CONTEXT_V2, VC_TYPE_CREDENTIAL, VC_TYPE_PRESENTATION, VerifiableCredential, VerifiableCredentialSchema, VerifiablePresentation, VerifiablePresentationSchema, VerifiedCredential, VerifiedPresentation, createVCIssuer, createVCVerifier, exportAuditAsVC, listAuditRecords } from './vc/index.js';
12
12
  import 'drizzle-orm/sqlite-core';
13
- import './types-BuHrZcjE.js';
13
+ import './types-BiUe9e8u.js';
14
14
  import 'zod';
15
+ import './standards/index.js';
15
16
  import 'jose';
16
17
 
17
18
  interface PrivilegeFinding {
@@ -784,6 +785,34 @@ declare function createKavach(config: KavachConfig): Promise<{
784
785
  * ```
785
786
  */
786
787
  redirects: RedirectChainManager;
788
+ /**
789
+ * Unified policy engine.
790
+ *
791
+ * Single decision point that combines RBAC role expansion, ABAC constraint
792
+ * evaluation, and ReBAC graph queries. Backed by a process-local LRU cache
793
+ * with deterministic invalidation.
794
+ *
795
+ * @example
796
+ * ```typescript
797
+ * const decision = await kavach.policy.evaluate({
798
+ * subject: { agentId: 'agent-abc' },
799
+ * action: 'read',
800
+ * resource: 'tool:github:list_issues',
801
+ * });
802
+ * if (!decision.allowed) throw new Error(decision.reason);
803
+ *
804
+ * // Flush cached decisions after a permission change
805
+ * kavach.policy.invalidate({ agentId: 'agent-abc' });
806
+ *
807
+ * // Inspect cache health
808
+ * const { hits, misses, size, evictions } = kavach.policy.stats();
809
+ * ```
810
+ */
811
+ policy: {
812
+ evaluate: (input: EvaluateInput) => Promise<PolicyDecision>;
813
+ invalidate: (scope: InvalidateScope) => void;
814
+ stats: () => PolicyCacheStats;
815
+ };
787
816
  /**
788
817
  * Plugin system.
789
818
  *
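Review bot: The new `policy` TSDoc (new-side lines 788–815) describes a "process-local LRU cache with deterministic invalidation" but does not say that `invalidate(scope)` is synchronous and only flushes this process's cache, so a reader will take the "Flush cached decisions after a permission change" example as sufficient for revocation. In any multi-instance or edge deployment (this same file exports `D1DatabaseBinding` and `KVNamespace` types, which suggests Workers-style isolates are a supported target), other instances keep serving a cached `allowed: true` until their entry is evicted, and nothing visible in `EvaluateInput`, `InvalidateScope` or `PolicyCacheStats` shows a TTL or a cross-instance signal. I would add to the doc block: `Cache is per process; invalidate() affects only this instance. In multi-instance deployments a revocation is not observed elsewhere until the cached entry is evicted — pair with a short TTL or an out-of-band invalidation signal, or bypass the cache for high-impact actions.` Whether a TTL exists is inferred from the visible types only; if one does, it should be named here, as it is the bound on stale-allow after revocation. The `createKavach` return type that contains this block starts before the hunk.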