meshguard 0.1.0

package/dist/cjs/langchain.js

@@ -0,0 +1,157 @@
+"use strict";
+/**
+ * MeshGuard LangChain.js Integration
+ *
+ * Provides wrappers for governing LangChain tools with MeshGuard policy.
+ *
+ * @example
+ * ```ts
+ * import { MeshGuardClient } from "meshguard";
+ * import { GovernedTool, GovernedToolkit } from "meshguard/langchain";
+ * ```
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GovernedToolkit = exports.GovernedTool = void 0;
+exports.governedTool = governedTool;
+const exceptions_js_1 = require("./exceptions.js");
+// ---------------------------------------------------------------------------
+// governedTool — functional wrapper
+// ---------------------------------------------------------------------------
+/**
+ * Wrap a LangChain tool so every invocation is governed by MeshGuard policy.
+ *
+ * @example
+ * ```ts
+ * import { DuckDuckGoSearch } from "@langchain/community/tools/duckduckgo";
+ * import { MeshGuardClient } from "meshguard";
+ * import { governedTool } from "meshguard/langchain";
+ *
+ * const client = new MeshGuardClient();
+ * const search = governedTool("read:web_search", client, new DuckDuckGoSearch());
+ *
+ * const result = await search.invoke("TypeScript SDK patterns");
+ * ```
+ */
+function governedTool(action, client, tool, onDeny) {
+    // Create a proxy that intercepts invoke / call
+    return new Proxy(tool, {
+        get(target, prop, receiver) {
+            if (prop === "invoke" || prop === "call") {
+                return async (...args) => {
+                    try {
+                        await client.enforce(action);
+                        const fn = Reflect.get(target, prop, receiver);
+                        return fn.apply(target, args);
+                    }
+                    catch (err) {
+                        if (err instanceof exceptions_js_1.PolicyDeniedError && onDeny) {
+                            return onDeny(err, ...args);
+                        }
+                        throw err;
+                    }
+                };
+            }
+            return Reflect.get(target, prop, receiver);
+        },
+    });
+}
+// ---------------------------------------------------------------------------
+// GovernedTool — class wrapper (mirrors Python GovernedTool)
+// ---------------------------------------------------------------------------
+/**
+ * Wraps an existing LangChain tool with MeshGuard governance.
+ *
+ * @example
+ * ```ts
+ * const governed = new GovernedTool({
+ *   tool: myTool,
+ *   action: "read:web_search",
+ *   client,
+ * });
+ * const result = await governed.invoke("query");
+ * ```
+ */
+class GovernedTool {
+    name;
+    description;
+    action;
+    tool;
+    client;
+    onDeny;
+    constructor(options) {
+        this.tool = options.tool;
+        this.action = options.action;
+        this.client = options.client;
+        this.onDeny = options.onDeny;
+        this.name = this.tool.name;
+        this.description = this.tool.description;
+    }
+    /** Invoke the tool with governance. */
+    async invoke(input, config) {
+        try {
+            await this.client.enforce(this.action);
+            return this.tool.invoke(input, config);
+        }
+        catch (err) {
+            if (err instanceof exceptions_js_1.PolicyDeniedError && this.onDeny) {
+                return this.onDeny(err, input, config);
+            }
+            throw err;
+        }
+    }
+    /** Legacy call method. */
+    async call(input, config) {
+        return this.invoke(input, config);
+    }
+}
+exports.GovernedTool = GovernedTool;
+// ---------------------------------------------------------------------------
+// GovernedToolkit — govern multiple tools at once
+// ---------------------------------------------------------------------------
+/**
+ * Govern a collection of LangChain tools with MeshGuard policies.
+ *
+ * @example
+ * ```ts
+ * const toolkit = new GovernedToolkit({
+ *   tools: [searchTool, calcTool],
+ *   client,
+ *   actionMap: {
+ *     "search": "read:web_search",
+ *     "calculator": "execute:math",
+ *   },
+ *   defaultAction: "execute:tool",
+ * });
+ *
+ * const governedTools = toolkit.getTools();
+ * ```
+ */
+class GovernedToolkit {
+    tools;
+    client;
+    actionMap;
+    defaultAction;
+    onDeny;
+    constructor(options) {
+        this.tools = options.tools;
+        this.client = options.client;
+        this.actionMap = options.actionMap ?? {};
+        this.defaultAction = options.defaultAction ?? "execute:tool";
+        this.onDeny = options.onDeny;
+    }
+    /** Get the MeshGuard action for a tool. */
+    getAction(tool) {
+        return this.actionMap[tool.name] ?? this.defaultAction;
+    }
+    /** Return governed versions of all tools. */
+    getTools() {
+        return this.tools.map((tool) => new GovernedTool({
+            tool,
+            action: this.getAction(tool),
+            client: this.client,
+            onDeny: this.onDeny,
+        }));
+    }
+}
+exports.GovernedToolkit = GovernedToolkit;
+//# sourceMappingURL=langchain.js.map

package/dist/cjs/langchain.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"langchain.js","sourceRoot":"","sources":["../../src/langchain.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;GAUG;;;AA0CH,oCA4BC;AAnED,mDAAoD;AAoBpD,8EAA8E;AAC9E,oCAAoC;AACpC,8EAA8E;AAE9E;;;;;;;;;;;;;;GAcG;AACH,SAAgB,YAAY,CAC1B,MAAc,EACd,MAAuB,EACvB,IAAO,EACP,MAAoB;IAEpB,+CAA+C;IAC/C,OAAO,IAAI,KAAK,CAAC,IAAI,EAAE;QACrB,GAAG,CAAC,MAAM,EAAE,IAAI,EAAE,QAAQ;YACxB,IAAI,IAAI,KAAK,QAAQ,IAAI,IAAI,KAAK,MAAM,EAAE,CAAC;gBACzC,OAAO,KAAK,EAAE,GAAG,IAAe,EAAE,EAAE;oBAClC,IAAI,CAAC;wBACH,MAAM,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;wBAC7B,MAAM,EAAE,GAAG,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,EAAE,QAAQ,CAExB,CAAC;wBACtB,OAAO,EAAE,CAAC,KAAK,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;oBAChC,CAAC;oBAAC,OAAO,GAAG,EAAE,CAAC;wBACb,IAAI,GAAG,YAAY,iCAAiB,IAAI,MAAM,EAAE,CAAC;4BAC/C,OAAO,MAAM,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;wBAC9B,CAAC;wBACD,MAAM,GAAG,CAAC;oBACZ,CAAC;gBACH,CAAC,CAAC;YACJ,CAAC;YACD,OAAO,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,EAAE,QAAQ,CAAC,CAAC;QAC7C,CAAC;KACF,CAAC,CAAC;AACL,CAAC;AAED,8EAA8E;AAC9E,6DAA6D;AAC7D,8EAA8E;AAE9E;;;;;;;;;;;;GAYG;AACH,MAAa,YAAY;IACd,IAAI,CAAS;IACb,WAAW,CAAS;IACpB,MAAM,CAAS;IAEP,IAAI,CAAgB;IACpB,MAAM,CAAkB;IACxB,MAAM,CAAe;IAEtC,YAAY,OAKX;QACC,IAAI,CAAC,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC;QACzB,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;QAC7B,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;QAC7B,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;QAE7B,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC;QAC3B,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC;IAC3C,CAAC;IAED,uCAAuC;IACvC,KAAK,CAAC,MAAM,CAAC,KAAc,EAAE,MAAgB;QAC3C,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YACvC,OAAO,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QACzC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,GAAG,YAAY,iCAAiB,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;gBACpD,OAAO,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;YACzC,CAAC;YACD,MAAM,GAAG,CAAC;QACZ,CAAC;IACH,CAAC;IAED,0BAA0B;IAC1B,KAAK,CAAC,IAAI,CAAC,KAAc,EAAE,MAAgB;QACzC,OAAO,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;IACpC,CAAC;CACF;AAzCD,oCAyCC;AAED,8EAA8E;AAC9E,kDAAkD;AAClD,8EAA8E;AAE9E;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAa,eAAe;IACT,KAAK,CAAkB;IACvB,MAAM,CAAkB;IACxB,SAAS,CAAyB;IAClC,aAAa,CAAS;IACtB,MAAM,CAAe;IAEtC,YAAY,OAMX;QACC,IAAI,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;QAC3B,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;QAC7B,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,EAAE,CAAC;QACzC,IAAI,CAAC,aAAa,GAAG,OAAO,CAAC,aAAa,IAAI,cAAc,CAAC;QAC7D,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAC/B,CAAC;IAED,2CAA2C;IAC3C,SAAS,CAAC,IAAmB;QAC3B,OAAO,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,aAAa,CAAC;IACzD,CAAC;IAED,6CAA6C;IAC7C,QAAQ;QACN,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CACnB,CAAC,IAAI,EAAE,EAAE,CACP,IAAI,YAAY,CAAC;YACf,IAAI;YACJ,MAAM,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC;YAC5B,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,MAAM,EAAE,IAAI,CAAC,MAAM;SACpB,CAAC,CACL,CAAC;IACJ,CAAC;CACF;AAtCD,0CAsCC"}

package/dist/cjs/package.json

@@ -0,0 +1 @@
+{"type":"commonjs"}

package/dist/cjs/types.d.ts

@@ -0,0 +1,91 @@
+/**
+ * MeshGuard TypeScript Types
+ */
+/** Configuration options for the MeshGuard client. */
+export interface MeshGuardOptions {
+    /** MeshGuard gateway URL. Falls back to MESHGUARD_GATEWAY_URL env var. */
+    gatewayUrl?: string;
+    /** Agent JWT token. Falls back to MESHGUARD_AGENT_TOKEN env var. */
+    agentToken?: string;
+    /** Admin token for management APIs. Falls back to MESHGUARD_ADMIN_TOKEN env var. */
+    adminToken?: string;
+    /** Request timeout in milliseconds. Default: 30000. */
+    timeout?: number;
+    /** Optional trace ID for request correlation. Auto-generated if omitted. */
+    traceId?: string;
+}
+/** Result of a policy evaluation. */
+export interface PolicyDecision {
+    /** Whether the action is allowed. */
+    allowed: boolean;
+    /** The action that was checked. */
+    action: string;
+    /** The decision result: "allow" or "deny". */
+    decision: "allow" | "deny";
+    /** The policy that produced this decision. */
+    policy?: string;
+    /** The specific rule that matched. */
+    rule?: string;
+    /** Human-readable reason for the decision. */
+    reason?: string;
+    /** Trace ID for request correlation. */
+    traceId?: string;
+}
+/** A MeshGuard agent identity. */
+export interface Agent {
+    /** Unique agent identifier. */
+    id: string;
+    /** Display name. */
+    name: string;
+    /** Trust tier (e.g., "verified", "untrusted"). */
+    trustTier: string;
+    /** Tags associated with this agent. */
+    tags: string[];
+    /** Organization ID. */
+    orgId?: string;
+}
+/** Options for creating an agent. */
+export interface CreateAgentOptions {
+    /** Agent display name. */
+    name: string;
+    /** Trust tier. Default: "verified". */
+    trustTier?: string;
+    /** Tags to assign. */
+    tags?: string[];
+}
+/** An entry in the audit log. */
+export interface AuditEntry {
+    /** Unique entry ID. */
+    id: string;
+    /** Timestamp of the entry. */
+    timestamp: string;
+    /** The action that was evaluated. */
+    action: string;
+    /** The decision: "allow" or "deny". */
+    decision: string;
+    /** Agent ID that performed the action. */
+    agentId?: string;
+    /** Policy that was evaluated. */
+    policy?: string;
+    /** Additional metadata. */
+    [key: string]: unknown;
+}
+/** Options for querying the audit log. */
+export interface AuditLogOptions {
+    /** Maximum number of entries to return. Default: 50. */
+    limit?: number;
+    /** Filter by decision ("allow" or "deny"). */
+    decision?: string;
+}
+/** Gateway health status. */
+export interface HealthStatus {
+    status: string;
+    [key: string]: unknown;
+}
+/** A policy definition. */
+export interface Policy {
+    id: string;
+    name: string;
+    [key: string]: unknown;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/cjs/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/types.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,sDAAsD;AACtD,MAAM,WAAW,gBAAgB;IAC/B,0EAA0E;IAC1E,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,oEAAoE;IACpE,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,oFAAoF;IACpF,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,uDAAuD;IACvD,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,4EAA4E;IAC5E,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,qCAAqC;AACrC,MAAM,WAAW,cAAc;IAC7B,qCAAqC;IACrC,OAAO,EAAE,OAAO,CAAC;IACjB,mCAAmC;IACnC,MAAM,EAAE,MAAM,CAAC;IACf,8CAA8C;IAC9C,QAAQ,EAAE,OAAO,GAAG,MAAM,CAAC;IAC3B,8CAA8C;IAC9C,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,sCAAsC;IACtC,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,8CAA8C;IAC9C,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,wCAAwC;IACxC,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,kCAAkC;AAClC,MAAM,WAAW,KAAK;IACpB,+BAA+B;IAC/B,EAAE,EAAE,MAAM,CAAC;IACX,oBAAoB;IACpB,IAAI,EAAE,MAAM,CAAC;IACb,kDAAkD;IAClD,SAAS,EAAE,MAAM,CAAC;IAClB,uCAAuC;IACvC,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,uBAAuB;IACvB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,qCAAqC;AACrC,MAAM,WAAW,kBAAkB;IACjC,0BAA0B;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,uCAAuC;IACvC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,sBAAsB;IACtB,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;CACjB;AAED,iCAAiC;AACjC,MAAM,WAAW,UAAU;IACzB,uBAAuB;IACvB,EAAE,EAAE,MAAM,CAAC;IACX,8BAA8B;IAC9B,SAAS,EAAE,MAAM,CAAC;IAClB,qCAAqC;IACrC,MAAM,EAAE,MAAM,CAAC;IACf,uCAAuC;IACvC,QAAQ,EAAE,MAAM,CAAC;IACjB,0CAA0C;IAC1C,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,iCAAiC;IACjC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,2BAA2B;IAC3B,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED,0CAA0C;AAC1C,MAAM,WAAW,eAAe;IAC9B,wDAAwD;IACxD,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,8CAA8C;IAC9C,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,6BAA6B;AAC7B,MAAM,WAAW,YAAY;IAC3B,MAAM,EAAE,MAAM,CAAC;IACf,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED,2BAA2B;AAC3B,MAAM,WAAW,MAAM;IACrB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB"}

package/dist/cjs/types.js

@@ -0,0 +1,6 @@
+"use strict";
+/**
+ * MeshGuard TypeScript Types
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=types.js.map

package/dist/cjs/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/types.ts"],"names":[],"mappings":";AAAA;;GAEG"}

package/dist/esm/client.d.ts

@@ -0,0 +1,92 @@
+/**
+ * MeshGuard Client
+ *
+ * Core client for interacting with the MeshGuard gateway.
+ */
+import type { MeshGuardOptions, PolicyDecision, Agent, CreateAgentOptions, AuditEntry, AuditLogOptions, HealthStatus, Policy } from "./types.js";
+/**
+ * Client for the MeshGuard governance gateway.
+ *
+ * @example
+ * ```ts
+ * const client = new MeshGuardClient({
+ *   gatewayUrl: "https://dashboard.meshguard.app",
+ *   agentToken: "your-agent-token",
+ * });
+ *
+ * // Check if an action is allowed
+ * const decision = await client.check("read:contacts");
+ * if (decision.allowed) {
+ *   // proceed
+ * }
+ *
+ * // Or enforce (throws on deny)
+ * await client.enforce("read:contacts");
+ *
+ * // Or govern a function
+ * const result = await client.govern("read:contacts", async () => {
+ *   return fetchContacts();
+ * });
+ * ```
+ */
+export declare class MeshGuardClient {
+    readonly gatewayUrl: string;
+    readonly agentToken?: string;
+    readonly adminToken?: string;
+    readonly timeout: number;
+    readonly traceId: string;
+    constructor(options?: MeshGuardOptions);
+    private headers;
+    private adminHeaders;
+    private handleResponse;
+    private safeJson;
+    private fetch;
+    /**
+     * Check if an action is allowed by policy.
+     *
+     * Returns a {@link PolicyDecision} — never throws on deny.
+     */
+    check(action: string, resource?: string): Promise<PolicyDecision>;
+    /**
+     * Enforce policy — throws {@link PolicyDeniedError} if the action is denied.
+     */
+    enforce(action: string, resource?: string): Promise<PolicyDecision>;
+    /**
+     * Execute a function only if the action is allowed by policy.
+     *
+     * @example
+     * ```ts
+     * const contacts = await client.govern("read:contacts", async () => {
+     *   return db.contacts.findAll();
+     * });
+     * ```
+     */
+    govern<T>(action: string, fn: () => T | Promise<T>, resource?: string): Promise<T>;
+    /**
+     * Make a governed request through the MeshGuard proxy.
+     */
+    request(method: string, path: string, action: string, init?: RequestInit): Promise<Response>;
+    /** GET through the governance proxy. */
+    get(path: string, action: string, init?: RequestInit): Promise<Response>;
+    /** POST through the governance proxy. */
+    post(path: string, action: string, init?: RequestInit): Promise<Response>;
+    /** PUT through the governance proxy. */
+    put(path: string, action: string, init?: RequestInit): Promise<Response>;
+    /** DELETE through the governance proxy. */
+    delete(path: string, action: string, init?: RequestInit): Promise<Response>;
+    /** Check gateway health. */
+    health(): Promise<HealthStatus>;
+    /** Quick boolean health check. */
+    isHealthy(): Promise<boolean>;
+    /** List all agents (requires admin token). */
+    listAgents(): Promise<Agent[]>;
+    /** Create a new agent (requires admin token). */
+    createAgent(options: CreateAgentOptions): Promise<Record<string, unknown>>;
+    /** Revoke an agent (requires admin token). */
+    revokeAgent(agentId: string): Promise<void>;
+    /** List all policies (requires admin token). */
+    listPolicies(): Promise<Policy[]>;
+    /** Get audit log entries (requires admin token). */
+    getAuditLog(options?: AuditLogOptions): Promise<AuditEntry[]>;
+}
+//# sourceMappingURL=client.d.ts.map

package/dist/esm/client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../src/client.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,gBAAgB,EAChB,cAAc,EACd,KAAK,EACL,kBAAkB,EAClB,UAAU,EACV,eAAe,EACf,YAAY,EACZ,MAAM,EACP,MAAM,YAAY,CAAC;AASpB;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,qBAAa,eAAe;IAC1B,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;gBAEb,OAAO,GAAE,gBAAqB;IAmB1C,OAAO,CAAC,OAAO;IAUf,OAAO,CAAC,YAAY;YAUN,cAAc;YAuBd,QAAQ;YAUR,KAAK;IAiBnB;;;;OAIG;IACG,KAAK,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,CAAC;IAgDvE;;OAEG;IACG,OAAO,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,CAAC;IAazE;;;;;;;;;OASG;IACG,MAAM,CAAC,CAAC,EACZ,MAAM,EAAE,MAAM,EACd,EAAE,EAAE,MAAM,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,EACxB,QAAQ,CAAC,EAAE,MAAM,GAChB,OAAO,CAAC,CAAC,CAAC;IASb;;OAEG;IACG,OAAO,CACX,MAAM,EAAE,MAAM,EACd,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,EACd,IAAI,GAAE,WAAgB,GACrB,OAAO,CAAC,QAAQ,CAAC;IAwBpB,wCAAwC;IAClC,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC,QAAQ,CAAC;IAI9E,yCAAyC;IACnC,IAAI,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC,QAAQ,CAAC;IAI/E,wCAAwC;IAClC,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC,QAAQ,CAAC;IAI9E,2CAA2C;IACrC,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC,QAAQ,CAAC;IAQjF,4BAA4B;IACtB,MAAM,IAAI,OAAO,CAAC,YAAY,CAAC;IAKrC,kCAAkC;IAC5B,SAAS,IAAI,OAAO,CAAC,OAAO,CAAC;IAanC,8CAA8C;IACxC,UAAU,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;IAepC,iDAAiD;IAC3C,WAAW,CAAC,OAAO,EAAE,kBAAkB,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAgBhF,8CAA8C;IACxC,WAAW,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAQjD,gDAAgD;IAC1C,YAAY,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;IAQvC,oDAAoD;IAC9C,WAAW,CAAC,OAAO,GAAE,eAAoB,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC;CAYxE"}

package/dist/esm/client.js

@@ -0,0 +1,310 @@
+/**
+ * MeshGuard Client
+ *
+ * Core client for interacting with the MeshGuard gateway.
+ */
+import { MeshGuardError, AuthenticationError, PolicyDeniedError, RateLimitError, } from "./exceptions.js";
+/**
+ * Client for the MeshGuard governance gateway.
+ *
+ * @example
+ * ```ts
+ * const client = new MeshGuardClient({
+ *   gatewayUrl: "https://dashboard.meshguard.app",
+ *   agentToken: "your-agent-token",
+ * });
+ *
+ * // Check if an action is allowed
+ * const decision = await client.check("read:contacts");
+ * if (decision.allowed) {
+ *   // proceed
+ * }
+ *
+ * // Or enforce (throws on deny)
+ * await client.enforce("read:contacts");
+ *
+ * // Or govern a function
+ * const result = await client.govern("read:contacts", async () => {
+ *   return fetchContacts();
+ * });
+ * ```
+ */
+export class MeshGuardClient {
+    gatewayUrl;
+    agentToken;
+    adminToken;
+    timeout;
+    traceId;
+    constructor(options = {}) {
+        this.gatewayUrl = (options.gatewayUrl ??
+            process.env.MESHGUARD_GATEWAY_URL ??
+            "http://localhost:3100").replace(/\/+$/, "");
+        this.agentToken =
+            options.agentToken ?? process.env.MESHGUARD_AGENT_TOKEN;
+        this.adminToken =
+            options.adminToken ?? process.env.MESHGUARD_ADMIN_TOKEN;
+        this.timeout = options.timeout ?? 30_000;
+        this.traceId = options.traceId ?? crypto.randomUUID();
+    }
+    // ---------------------------------------------------------------------------
+    // Internal helpers
+    // ---------------------------------------------------------------------------
+    headers(includeAuth = true) {
+        const h = {
+            "X-MeshGuard-Trace-ID": this.traceId,
+        };
+        if (includeAuth && this.agentToken) {
+            h["Authorization"] = `Bearer ${this.agentToken}`;
+        }
+        return h;
+    }
+    adminHeaders() {
+        if (!this.adminToken) {
+            throw new AuthenticationError("Admin token required for this operation");
+        }
+        return {
+            "X-Admin-Token": this.adminToken,
+            "X-MeshGuard-Trace-ID": this.traceId,
+        };
+    }
+    async handleResponse(response) {
+        if (response.status === 401) {
+            throw new AuthenticationError("Invalid or expired token");
+        }
+        if (response.status === 403) {
+            const data = await this.safeJson(response);
+            throw new PolicyDeniedError({
+                action: data.action ?? "unknown",
+                policy: data.policy,
+                rule: data.rule,
+                reason: data.message ?? "Access denied by policy",
+            });
+        }
+        if (response.status === 429) {
+            throw new RateLimitError("Rate limit exceeded");
+        }
+        if (response.status >= 400) {
+            const text = await response.text();
+            throw new MeshGuardError(`Request failed: ${response.status} ${text}`);
+        }
+        return this.safeJson(response);
+    }
+    async safeJson(response) {
+        const text = await response.text();
+        if (!text)
+            return {};
+        try {
+            return JSON.parse(text);
+        }
+        catch {
+            return {};
+        }
+    }
+    async fetch(url, init = {}) {
+        const controller = new AbortController();
+        const timer = setTimeout(() => controller.abort(), this.timeout);
+        try {
+            return await fetch(url, { ...init, signal: controller.signal });
+        }
+        finally {
+            clearTimeout(timer);
+        }
+    }
+    // ---------------------------------------------------------------------------
+    // Core Governance
+    // ---------------------------------------------------------------------------
+    /**
+     * Check if an action is allowed by policy.
+     *
+     * Returns a {@link PolicyDecision} — never throws on deny.
+     */
+    async check(action, resource) {
+        const h = this.headers();
+        h["X-MeshGuard-Action"] = action;
+        if (resource)
+            h["X-MeshGuard-Resource"] = resource;
+        try {
+            const response = await this.fetch(`${this.gatewayUrl}/proxy/check`, {
+                method: "GET",
+                headers: h,
+            });
+            if (response.status === 403) {
+                const data = await this.safeJson(response);
+                return {
+                    allowed: false,
+                    action,
+                    decision: "deny",
+                    policy: data.policy,
+                    rule: data.rule,
+                    reason: data.message,
+                    traceId: this.traceId,
+                };
+            }
+            const data = await this.handleResponse(response);
+            return {
+                allowed: true,
+                action,
+                decision: "allow",
+                policy: data.policy,
+                traceId: this.traceId,
+            };
+        }
+        catch (err) {
+            if (err instanceof PolicyDeniedError) {
+                return {
+                    allowed: false,
+                    action,
+                    decision: "deny",
+                    policy: err.policy,
+                    rule: err.rule,
+                    reason: err.reason,
+                    traceId: this.traceId,
+                };
+            }
+            throw err;
+        }
+    }
+    /**
+     * Enforce policy — throws {@link PolicyDeniedError} if the action is denied.
+     */
+    async enforce(action, resource) {
+        const decision = await this.check(action, resource);
+        if (!decision.allowed) {
+            throw new PolicyDeniedError({
+                action,
+                policy: decision.policy,
+                rule: decision.rule,
+                reason: decision.reason,
+            });
+        }
+        return decision;
+    }
+    /**
+     * Execute a function only if the action is allowed by policy.
+     *
+     * @example
+     * ```ts
+     * const contacts = await client.govern("read:contacts", async () => {
+     *   return db.contacts.findAll();
+     * });
+     * ```
+     */
+    async govern(action, fn, resource) {
+        await this.enforce(action, resource);
+        return fn();
+    }
+    // ---------------------------------------------------------------------------
+    // Proxy Requests
+    // ---------------------------------------------------------------------------
+    /**
+     * Make a governed request through the MeshGuard proxy.
+     */
+    async request(method, path, action, init = {}) {
+        const h = {
+            ...this.headers(),
+            "X-MeshGuard-Action": action,
+        };
+        // Merge any caller-provided headers
+        if (init.headers) {
+            const extra = init.headers instanceof Headers
+                ? Object.fromEntries(init.headers.entries())
+                : init.headers;
+            Object.assign(h, extra);
+        }
+        const response = await this.fetch(`${this.gatewayUrl}/proxy/${path.replace(/^\/+/, "")}`, { ...init, method, headers: h });
+        await this.handleResponse(response);
+        return response;
+    }
+    /** GET through the governance proxy. */
+    async get(path, action, init) {
+        return this.request("GET", path, action, init);
+    }
+    /** POST through the governance proxy. */
+    async post(path, action, init) {
+        return this.request("POST", path, action, init);
+    }
+    /** PUT through the governance proxy. */
+    async put(path, action, init) {
+        return this.request("PUT", path, action, init);
+    }
+    /** DELETE through the governance proxy. */
+    async delete(path, action, init) {
+        return this.request("DELETE", path, action, init);
+    }
+    // ---------------------------------------------------------------------------
+    // Health & Info
+    // ---------------------------------------------------------------------------
+    /** Check gateway health. */
+    async health() {
+        const response = await this.fetch(`${this.gatewayUrl}/health`);
+        return (await response.json());
+    }
+    /** Quick boolean health check. */
+    async isHealthy() {
+        try {
+            const h = await this.health();
+            return h.status === "healthy";
+        }
+        catch {
+            return false;
+        }
+    }
+    // ---------------------------------------------------------------------------
+    // Admin Operations
+    // ---------------------------------------------------------------------------
+    /** List all agents (requires admin token). */
+    async listAgents() {
+        const response = await this.fetch(`${this.gatewayUrl}/admin/agents`, {
+            headers: this.adminHeaders(),
+        });
+        const data = await this.handleResponse(response);
+        const agents = data.agents ?? [];
+        return agents.map((a) => ({
+            id: a.id,
+            name: a.name,
+            trustTier: a.trustTier,
+            tags: a.tags ?? [],
+            orgId: a.orgId,
+        }));
+    }
+    /** Create a new agent (requires admin token). */
+    async createAgent(options) {
+        const response = await this.fetch(`${this.gatewayUrl}/admin/agents`, {
+            method: "POST",
+            headers: {
+                ...this.adminHeaders(),
+                "Content-Type": "application/json",
+            },
+            body: JSON.stringify({
+                name: options.name,
+                trustTier: options.trustTier ?? "verified",
+                tags: options.tags ?? [],
+            }),
+        });
+        return this.handleResponse(response);
+    }
+    /** Revoke an agent (requires admin token). */
+    async revokeAgent(agentId) {
+        const response = await this.fetch(`${this.gatewayUrl}/admin/agents/${agentId}`, { method: "DELETE", headers: this.adminHeaders() });
+        await this.handleResponse(response);
+    }
+    /** List all policies (requires admin token). */
+    async listPolicies() {
+        const response = await this.fetch(`${this.gatewayUrl}/admin/policies`, {
+            headers: this.adminHeaders(),
+        });
+        const data = await this.handleResponse(response);
+        return data.policies ?? [];
+    }
+    /** Get audit log entries (requires admin token). */
+    async getAuditLog(options = {}) {
+        const params = new URLSearchParams();
+        params.set("limit", String(options.limit ?? 50));
+        if (options.decision)
+            params.set("decision", options.decision);
+        const response = await this.fetch(`${this.gatewayUrl}/admin/audit?${params}`, { headers: this.adminHeaders() });
+        const data = await this.handleResponse(response);
+        return data.entries ?? [];
+    }
+}
+//# sourceMappingURL=client.js.map