narai-primitives 2.0.0 → 2.1.1

package/dist/toolkit/policy/config.js

@@ -19,7 +19,6 @@ import * as yaml from "js-yaml";
 import { DEFAULT_POLICY, } from "./types.js";
 const VALID_RULES = new Set([
     "success",
-    "present",
     "escalate",
     "denied",
 ]);
@@ -79,7 +78,7 @@ function readYaml(filePath) {
 }
 function validateRule(field, value, restricted) {
     if (typeof value !== "string" || !VALID_RULES.has(value)) {
-        throw new Error(`${field}: expected one of [success, present, escalate, denied], got: ${JSON.stringify(value)}`);
+        throw new Error(`${field}: expected one of [success, escalate, denied], got: ${JSON.stringify(value)}`);
     }
     const rule = value;
     if (restricted && rule === "success") {

package/dist/toolkit/policy/config.js.map

@@ -1 +1 @@
-{"version":3,"file":"config.js","sourceRoot":"","sources":["../../../src/toolkit/policy/config.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AACH,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,KAAK,IAAI,MAAM,SAAS,CAAC;AAChC,OAAO,EACL,cAAc,GAKf,MAAM,YAAY,CAAC;AAEpB,MAAM,WAAW,GAAsB,IAAI,GAAG,CAAC;IAC7C,SAAS;IACT,SAAS;IACT,UAAU;IACV,QAAQ;CACT,CAAC,CAAC;AAEH,MAAM,oBAAoB,GAA8B,IAAI,GAAG,CAAC;IAC9D,MAAM;IACN,cAAc;IACd,cAAc;IACd,gBAAgB;CACjB,CAAC,CAAC;AAyBH,MAAM,UAAU,mBAAmB,CACjC,IAAY,EACZ,MAAc,OAAO,CAAC,GAAG,EAAE,EAC3B,OAAe,EAAE,CAAC,OAAO,EAAE;IAE3B,MAAM,GAAG,GAAG,IAAI,IAAI,oBAAoB,CAAC;IACzC,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IACtC,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IACrC,MAAM,GAAG,GAAoB,EAAE,CAAC;IAChC,IAAI,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC;QAAE,GAAG,CAAC,IAAI,GAAG,QAAQ,CAAC;IACjD,IAAI,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC;QAAE,GAAG,CAAC,IAAI,GAAG,QAAQ,CAAC;IACjD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,aAAa,CAAC,CAAU;IAC/B,OAAO,CACL,OAAO,CAAC,KAAK,QAAQ;QACrB,CAAC,KAAK,IAAI;QACV,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC;QAChB,CAA+B,CAAC,WAAW,KAAK,MAAM,CACxD,CAAC;AACJ,CAAC;AAED,oFAAoF;AACpF,MAAM,UAAU,SAAS,CACvB,IAAO,EACP,OAAU;IAEV,MAAM,GAAG,GAA4B,EAAE,GAAG,IAAI,EAAE,CAAC;IACjD,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QAC7C,MAAM,KAAK,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;QACtB,IAAI,aAAa,CAAC,CAAC,CAAC,IAAI,aAAa,CAAC,KAAK,CAAC,EAAE,CAAC;YAC7C,GAAG,CAAC,CAAC,CAAC,GAAG,SAAS,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;QAC/B,CAAC;aAAM,CAAC;YACN,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;QACb,CAAC;IACH,CAAC;IACD,OAAO,GAAQ,CAAC;AAClB,CAAC;AAED,SAAS,QAAQ,CAAC,QAAgB;IAChC,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC,CAAC;IAC7D,IAAI,MAAe,CAAC;IACpB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC1B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC7D,MAAM,IAAI,KAAK,CAAC,yBAAyB,QAAQ,MAAM,GAAG,EAAE,CAAC,CAAC;IAChE,CAAC;IACD,IAAI,MAAM,KAAK,IAAI,IAAI,MAAM,KAAK,SAAS;QAAE,OAAO,EAAE,CAAC;IACvD,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CACb,kCAAkC,QAAQ,WACxC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,MAC1C,EAAE,CACH,CAAC;IACJ,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,YAAY,CACnB,KAAa,EACb,KAAc,EACd,UAAmB;IAEnB,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,KAAa,CAAC,EAAE,CAAC;QACjE,MAAM,IAAI,KAAK,CACb,GAAG,KAAK,gEAAgE,IAAI,CAAC,SAAS,CACpF,KAAK,CACN,EAAE,CACJ,CAAC;IACJ,CAAC;IACD,MAAM,IAAI,GAAG,KAAa,CAAC;IAC3B,IAAI,UAAU,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;QACrC,MAAM,IAAI,KAAK,CACb,GAAG,KAAK,+EAA+E,CACxF,CAAC;IACJ,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,aAAa,CACpB,GAAY,EACZ,YAA+B;IAE/B,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,KAAK,IAAI;QAAE,OAAO,EAAE,GAAG,cAAc,EAAE,CAAC;IACpE,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,EAAE,CAAC;QACxB,MAAM,IAAI,KAAK,CAAC,oCAAoC,OAAO,GAAG,EAAE,CAAC,CAAC;IACpE,CAAC;IACD,MAAM,GAAG,GAAgB,EAAE,GAAG,cAAc,EAAE,CAAC;IAC/C,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QACzC,QAAQ,CAAC,EAAE,CAAC;YACV,KAAK,MAAM;gBACT,GAAG,CAAC,IAAI,GAAG,YAAY,CAAC,aAAa,EAAE,CAAC,EAAE,KAAK,CAAC,CAAC;gBACjD,MAAM;YACR,KAAK,OAAO;gBACV,GAAG,CAAC,KAAK,GAAG,YAAY,CAAC,cAAc,EAAE,CAAC,EAAE,KAAK,CAAC,CAAC;gBACnD,MAAM;YACR,KAAK,OAAO;gBACV,GAAG,CAAC,KAAK,GAAG,YAAY,CAAC,cAAc,EAAE,CAAC,EAAE,IAAI,CAAmB,CAAC;gBACpE,MAAM;YACR,KAAK,SAAS,CAAC,CAAC,CAAC;gBACf,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,EAAE,CAAC;oBACtB,MAAM,IAAI,KAAK,CACb,4CAA4C,OAAO,CAAC,EAAE,CACvD,CAAC;gBACJ,CAAC;gBACD,MAAM,OAAO,GAAyB,EAAE,CAAC;gBACzC,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,YAAY,CAAC,CAAC;gBACvC,KAAK,MAAM,CAAC,MAAM,EAAE,IAAI,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC;oBAC/C,OAAO,CAAC,MAAM,CAAC,GAAG,YAAY,CAC5B,kBAAkB,MAAM,EAAE,EAC1B,IAAI,EACJ,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,CACrB,CAAC;gBACJ,CAAC;gBACD,GAAG,CAAC,OAAO,GAAG,OAAO,CAAC;gBACtB,MAAM;YACR,CAAC;YACD;gBACE,MAAM,IAAI,KAAK,CACb,wBAAwB,CAAC,2CAA2C,CACrE,CAAC;QACN,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,oBAAoB,CAAC,GAAY;IACxC,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,KAAK,IAAI;QAAE,OAAO,MAAM,CAAC;IACrD,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,CAAC,oBAAoB,CAAC,GAAG,CAAC,GAAmB,CAAC,EAAE,CAAC;QAC9E,MAAM,IAAI,KAAK,CACb,2FAA2F,IAAI,CAAC,SAAS,CACvG,GAAG,CACJ,EAAE,CACJ,CAAC;IACJ,CAAC;IACD,OAAO,GAAmB,CAAC;AAC7B,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,oBAAoB,CAClC,GAAY,EACZ,eAAkC,EAAE;IAEpC,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,EAAE,CAAC;QACxB,MAAM,IAAI,KAAK,CACb,iDAAiD,OAAO,GAAG,EAAE,CAC9D,CAAC;IACJ,CAAC;IACD,OAAO;QACL,KAAK,EAAE,aAAa,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,YAAY,CAAC;QACjD,aAAa,EAAE,oBAAoB,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;KAC1D,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,gBAAgB,CAC9B,IAA6B;IAE7B,MAAM,KAAK,GAAG,IAAI,CAAC,YAAY,IAAI,EAAE,CAAC;IAEtC,IAAI,IAAI,CAAC,YAAY,KAAK,SAAS,IAAI,IAAI,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACpE,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,YAAY,CAAC,EAAE,CAAC;YACtC,MAAM,IAAI,KAAK,CAAC,0BAA0B,IAAI,CAAC,YAAY,EAAE,CAAC,CAAC;QACjE,CAAC;QACD,OAAO,oBAAoB,CAAC,QAAQ,CAAC,IAAI,CAAC,YAAY,CAAC,EAAE,KAAK,CAAC,CAAC;IAClE,CAAC;IAED,MAAM,KAAK,GAAG,mBAAmB,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,GAAG,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC;IAClE,IAAI,KAAK,CAAC,IAAI,KAAK,SAAS,IAAI,KAAK,CAAC,IAAI,KAAK,SAAS;QAAE,OAAO,IAAI,CAAC;IAEtE,IAAI,MAAM,GAA4B,EAAE,CAAC;IACzC,IAAI,KAAK,CAAC,IAAI,KAAK,SAAS;QAAE,MAAM,GAAG,SAAS,CAAC,MAAM,EAAE,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC;IAC/E,IAAI,KAAK,CAAC,IAAI,KAAK,SAAS;QAAE,MAAM,GAAG,SAAS,CAAC,MAAM,EAAE,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC;IAE/E,OAAO,oBAAoB,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;AAC7C,CAAC"}
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../../../src/toolkit/policy/config.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AACH,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,KAAK,IAAI,MAAM,SAAS,CAAC;AAChC,OAAO,EACL,cAAc,GAKf,MAAM,YAAY,CAAC;AAEpB,MAAM,WAAW,GAAsB,IAAI,GAAG,CAAC;IAC7C,SAAS;IACT,UAAU;IACV,QAAQ;CACT,CAAC,CAAC;AAEH,MAAM,oBAAoB,GAA8B,IAAI,GAAG,CAAC;IAC9D,MAAM;IACN,cAAc;IACd,cAAc;IACd,gBAAgB;CACjB,CAAC,CAAC;AAyBH,MAAM,UAAU,mBAAmB,CACjC,IAAY,EACZ,MAAc,OAAO,CAAC,GAAG,EAAE,EAC3B,OAAe,EAAE,CAAC,OAAO,EAAE;IAE3B,MAAM,GAAG,GAAG,IAAI,IAAI,oBAAoB,CAAC;IACzC,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IACtC,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IACrC,MAAM,GAAG,GAAoB,EAAE,CAAC;IAChC,IAAI,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC;QAAE,GAAG,CAAC,IAAI,GAAG,QAAQ,CAAC;IACjD,IAAI,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC;QAAE,GAAG,CAAC,IAAI,GAAG,QAAQ,CAAC;IACjD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,aAAa,CAAC,CAAU;IAC/B,OAAO,CACL,OAAO,CAAC,KAAK,QAAQ;QACrB,CAAC,KAAK,IAAI;QACV,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC;QAChB,CAA+B,CAAC,WAAW,KAAK,MAAM,CACxD,CAAC;AACJ,CAAC;AAED,oFAAoF;AACpF,MAAM,UAAU,SAAS,CACvB,IAAO,EACP,OAAU;IAEV,MAAM,GAAG,GAA4B,EAAE,GAAG,IAAI,EAAE,CAAC;IACjD,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QAC7C,MAAM,KAAK,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;QACtB,IAAI,aAAa,CAAC,CAAC,CAAC,IAAI,aAAa,CAAC,KAAK,CAAC,EAAE,CAAC;YAC7C,GAAG,CAAC,CAAC,CAAC,GAAG,SAAS,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;QAC/B,CAAC;aAAM,CAAC;YACN,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;QACb,CAAC;IACH,CAAC;IACD,OAAO,GAAQ,CAAC;AAClB,CAAC;AAED,SAAS,QAAQ,CAAC,QAAgB;IAChC,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC,CAAC;IAC7D,IAAI,MAAe,CAAC;IACpB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC1B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC7D,MAAM,IAAI,KAAK,CAAC,yBAAyB,QAAQ,MAAM,GAAG,EAAE,CAAC,CAAC;IAChE,CAAC;IACD,IAAI,MAAM,KAAK,IAAI,IAAI,MAAM,KAAK,SAAS;QAAE,OAAO,EAAE,CAAC;IACvD,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CACb,kCAAkC,QAAQ,WACxC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,MAC1C,EAAE,CACH,CAAC;IACJ,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,YAAY,CACnB,KAAa,EACb,KAAc,EACd,UAAmB;IAEnB,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,KAAa,CAAC,EAAE,CAAC;QACjE,MAAM,IAAI,KAAK,CACb,GAAG,KAAK,uDAAuD,IAAI,CAAC,SAAS,CAC3E,KAAK,CACN,EAAE,CACJ,CAAC;IACJ,CAAC;IACD,MAAM,IAAI,GAAG,KAAa,CAAC;IAC3B,IAAI,UAAU,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;QACrC,MAAM,IAAI,KAAK,CACb,GAAG,KAAK,+EAA+E,CACxF,CAAC;IACJ,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,aAAa,CACpB,GAAY,EACZ,YAA+B;IAE/B,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,KAAK,IAAI;QAAE,OAAO,EAAE,GAAG,cAAc,EAAE,CAAC;IACpE,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,EAAE,CAAC;QACxB,MAAM,IAAI,KAAK,CAAC,oCAAoC,OAAO,GAAG,EAAE,CAAC,CAAC;IACpE,CAAC;IACD,MAAM,GAAG,GAAgB,EAAE,GAAG,cAAc,EAAE,CAAC;IAC/C,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QACzC,QAAQ,CAAC,EAAE,CAAC;YACV,KAAK,MAAM;gBACT,GAAG,CAAC,IAAI,GAAG,YAAY,CAAC,aAAa,EAAE,CAAC,EAAE,KAAK,CAAC,CAAC;gBACjD,MAAM;YACR,KAAK,OAAO;gBACV,GAAG,CAAC,KAAK,GAAG,YAAY,CAAC,cAAc,EAAE,CAAC,EAAE,KAAK,CAAC,CAAC;gBACnD,MAAM;YACR,KAAK,OAAO;gBACV,GAAG,CAAC,KAAK,GAAG,YAAY,CAAC,cAAc,EAAE,CAAC,EAAE,IAAI,CAAmB,CAAC;gBACpE,MAAM;YACR,KAAK,SAAS,CAAC,CAAC,CAAC;gBACf,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,EAAE,CAAC;oBACtB,MAAM,IAAI,KAAK,CACb,4CAA4C,OAAO,CAAC,EAAE,CACvD,CAAC;gBACJ,CAAC;gBACD,MAAM,OAAO,GAAyB,EAAE,CAAC;gBACzC,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,YAAY,CAAC,CAAC;gBACvC,KAAK,MAAM,CAAC,MAAM,EAAE,IAAI,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC;oBAC/C,OAAO,CAAC,MAAM,CAAC,GAAG,YAAY,CAC5B,kBAAkB,MAAM,EAAE,EAC1B,IAAI,EACJ,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,CACrB,CAAC;gBACJ,CAAC;gBACD,GAAG,CAAC,OAAO,GAAG,OAAO,CAAC;gBACtB,MAAM;YACR,CAAC;YACD;gBACE,MAAM,IAAI,KAAK,CACb,wBAAwB,CAAC,2CAA2C,CACrE,CAAC;QACN,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,oBAAoB,CAAC,GAAY;IACxC,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,KAAK,IAAI;QAAE,OAAO,MAAM,CAAC;IACrD,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,CAAC,oBAAoB,CAAC,GAAG,CAAC,GAAmB,CAAC,EAAE,CAAC;QAC9E,MAAM,IAAI,KAAK,CACb,2FAA2F,IAAI,CAAC,SAAS,CACvG,GAAG,CACJ,EAAE,CACJ,CAAC;IACJ,CAAC;IACD,OAAO,GAAmB,CAAC;AAC7B,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,oBAAoB,CAClC,GAAY,EACZ,eAAkC,EAAE;IAEpC,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,EAAE,CAAC;QACxB,MAAM,IAAI,KAAK,CACb,iDAAiD,OAAO,GAAG,EAAE,CAC9D,CAAC;IACJ,CAAC;IACD,OAAO;QACL,KAAK,EAAE,aAAa,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,YAAY,CAAC;QACjD,aAAa,EAAE,oBAAoB,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;KAC1D,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,gBAAgB,CAC9B,IAA6B;IAE7B,MAAM,KAAK,GAAG,IAAI,CAAC,YAAY,IAAI,EAAE,CAAC;IAEtC,IAAI,IAAI,CAAC,YAAY,KAAK,SAAS,IAAI,IAAI,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACpE,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,YAAY,CAAC,EAAE,CAAC;YACtC,MAAM,IAAI,KAAK,CAAC,0BAA0B,IAAI,CAAC,YAAY,EAAE,CAAC,CAAC;QACjE,CAAC;QACD,OAAO,oBAAoB,CAAC,QAAQ,CAAC,IAAI,CAAC,YAAY,CAAC,EAAE,KAAK,CAAC,CAAC;IAClE,CAAC;IAED,MAAM,KAAK,GAAG,mBAAmB,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,GAAG,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC;IAClE,IAAI,KAAK,CAAC,IAAI,KAAK,SAAS,IAAI,KAAK,CAAC,IAAI,KAAK,SAAS;QAAE,OAAO,IAAI,CAAC;IAEtE,IAAI,MAAM,GAA4B,EAAE,CAAC;IACzC,IAAI,KAAK,CAAC,IAAI,KAAK,SAAS;QAAE,MAAM,GAAG,SAAS,CAAC,MAAM,EAAE,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC;IAC/E,IAAI,KAAK,CAAC,IAAI,KAAK,SAAS;QAAE,MAAM,GAAG,SAAS,CAAC,MAAM,EAAE,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC;IAE/E,OAAO,oBAAoB,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;AAC7C,CAAC"}

package/dist/toolkit/policy/gate.d.ts

@@ -3,10 +3,12 @@
  * `./approval.ts` (the factory wires it up per connector invocation).
  *
  * Rule combination: kind rule is the base; each aspect rule (if declared)
- * applies on top via Rule strictness (denied > escalate > present > success).
- * Note: Rule "present" collapses to Decision "escalate" — extendDecision
- * hooks intercept escalate to emit ExtendedEnvelope.
- * Ties go to the first offender so the `reason` message is predictable.
+ * applies on top via Rule strictness (denied > escalate > success). Ties
+ * go to the first offender so the `reason` message is predictable.
+ *
+ * Connectors with custom rule values (e.g. db-agent's `"present"`) must
+ * translate them to base values before invoking `checkPolicy` — the gate
+ * is exhaustive over the base 3-rule set only.
  */
 import type { ApprovalMode, Classification, Decision, PolicyRules } from "./types.js";
 /** Minimal state needed for approval-mode resolution. Pure-data. */
@@ -19,7 +21,7 @@ export interface ApprovalState {
  * decision. No side effects — the caller is responsible for emitting audit
  * events (see `../audit/writer.ts`).
  */
-export declare function checkPolicy(classification: Classification, rules: PolicyRules, approvalMode: ApprovalMode, approvalState: ApprovalState): Decision;
+export declare function checkPolicy(classification: Classification, rules: PolicyRules<never>, approvalMode: ApprovalMode, approvalState: ApprovalState): Decision;
 /**
  * Combine multiple per-call decisions (e.g., db-agent classifies each SQL
  * statement separately). Strictest decision wins; ties by first occurrence.

package/dist/toolkit/policy/gate.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"gate.d.ts","sourceRoot":"","sources":["../../../src/toolkit/policy/gate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AACH,OAAO,KAAK,EACV,YAAY,EACZ,cAAc,EACd,QAAQ,EACR,WAAW,EAEZ,MAAM,YAAY,CAAC;AAWpB,oEAAoE;AACpE,MAAM,WAAW,aAAa;IAC5B,eAAe,EAAE,OAAO,CAAC;IACzB,cAAc,EAAE,CAAC,SAAS,EAAE,MAAM,KAAK,OAAO,CAAC;CAChD;AAED;;;;GAIG;AACH,wBAAgB,WAAW,CACzB,cAAc,EAAE,cAAc,EAC9B,KAAK,EAAE,WAAW,EAClB,YAAY,EAAE,YAAY,EAC1B,aAAa,EAAE,aAAa,GAC3B,QAAQ,CA0CV;AAuCD;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,SAAS,EAAE,SAAS,QAAQ,EAAE,GAAG,QAAQ,CAYzE"}
+{"version":3,"file":"gate.d.ts","sourceRoot":"","sources":["../../../src/toolkit/policy/gate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AACH,OAAO,KAAK,EACV,YAAY,EACZ,cAAc,EACd,QAAQ,EACR,WAAW,EAEZ,MAAM,YAAY,CAAC;AAUpB,oEAAoE;AACpE,MAAM,WAAW,aAAa;IAC5B,eAAe,EAAE,OAAO,CAAC;IACzB,cAAc,EAAE,CAAC,SAAS,EAAE,MAAM,KAAK,OAAO,CAAC;CAChD;AAED;;;;GAIG;AACH,wBAAgB,WAAW,CACzB,cAAc,EAAE,cAAc,EAC9B,KAAK,EAAE,WAAW,CAAC,KAAK,CAAC,EACzB,YAAY,EAAE,YAAY,EAC1B,aAAa,EAAE,aAAa,GAC3B,QAAQ,CAqCV;AAuCD;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,SAAS,EAAE,SAAS,QAAQ,EAAE,GAAG,QAAQ,CAYzE"}

package/dist/toolkit/policy/gate.js

@@ -2,9 +2,8 @@ import { DECISION_RANK } from "./types.js";
 /** Strictness rank for combining Rule values (same order as DECISION_RANK). */
 const RULE_RANK = {
     success: 0,
-    present: 1,
-    escalate: 2,
-    denied: 3,
+    escalate: 1,
+    denied: 2,
 };
 /**
  * Evaluate a classification against rules + approval mode, returning a
@@ -39,11 +38,6 @@ export function checkPolicy(classification, rules, approvalMode, approvalState)
                 status: "escalate",
                 reason: escalateReason(kind, strictestReasonSource, offendingAspect),
             };
-        // Rule "present" collapses to Decision "escalate" in toolkit 3.0;
-        // extendDecision hooks (e.g. db-agent) intercept escalate to emit
-        // a connector-specific ExtendedEnvelope.
-        case "present":
-            return { status: "escalate", reason: presentReason(kind, strictestReasonSource, offendingAspect) };
         case "success":
             // A "success" rule for reads still has to pass the approval mode gate.
             if (kind === "read") {
@@ -117,10 +111,4 @@ function escalateReason(kind, source, aspect) {
     }
     return `${kind} requires approval`;
 }
-function presentReason(kind, source, aspect) {
-    if (source === "aspect" && aspect !== null) {
-        return `${aspect} aspect is displayed but not executed`;
-    }
-    return `${kind} is displayed but not executed`;
-}
 //# sourceMappingURL=gate.js.map

package/dist/toolkit/policy/gate.js.map

@@ -1 +1 @@
-{"version":3,"file":"gate.js","sourceRoot":"","sources":["../../../src/toolkit/policy/gate.ts"],"names":[],"mappings":"AAiBA,OAAO,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAE3C,+EAA+E;AAC/E,MAAM,SAAS,GAAyB;IACtC,OAAO,EAAE,CAAC;IACV,OAAO,EAAE,CAAC;IACV,QAAQ,EAAE,CAAC;IACX,MAAM,EAAE,CAAC;CACV,CAAC;AAQF;;;;GAIG;AACH,MAAM,UAAU,WAAW,CACzB,cAA8B,EAC9B,KAAkB,EAClB,YAA0B,EAC1B,aAA4B;IAE5B,MAAM,IAAI,GAAG,cAAc,CAAC,IAAI,CAAC;IACjC,MAAM,QAAQ,GAAS,KAAK,CAAC,IAAI,CAAC,CAAC;IAEnC,6DAA6D;IAC7D,IAAI,YAAY,GAAS,QAAQ,CAAC;IAClC,IAAI,qBAAqB,GAAsB,MAAM,CAAC;IACtD,IAAI,eAAe,GAAkB,IAAI,CAAC;IAE1C,IAAI,cAAc,CAAC,OAAO,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;QAC5C,KAAK,MAAM,MAAM,IAAI,cAAc,CAAC,OAAO,EAAE,CAAC;YAC5C,MAAM,UAAU,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;YACzC,IAAI,UAAU,KAAK,SAAS;gBAAE,SAAS;YACvC,IAAI,SAAS,CAAC,UAAU,CAAC,GAAG,SAAS,CAAC,YAAY,CAAC,EAAE,CAAC;gBACpD,YAAY,GAAG,UAAU,CAAC;gBAC1B,qBAAqB,GAAG,QAAQ,CAAC;gBACjC,eAAe,GAAG,MAAM,CAAC;YAC3B,CAAC;QACH,CAAC;IACH,CAAC;IAED,uCAAuC;IACvC,QAAQ,YAAY,EAAE,CAAC;QACrB,KAAK,QAAQ;YACX,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,CAAC,IAAI,EAAE,qBAAqB,EAAE,eAAe,CAAC,EAAE,CAAC;QAChG,KAAK,UAAU;YACb,OAAO;gBACL,MAAM,EAAE,UAAU;gBAClB,MAAM,EAAE,cAAc,CAAC,IAAI,EAAE,qBAAqB,EAAE,eAAe,CAAC;aACrE,CAAC;QACJ,kEAAkE;QAClE,kEAAkE;QAClE,yCAAyC;QACzC,KAAK,SAAS;YACZ,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,aAAa,CAAC,IAAI,EAAE,qBAAqB,EAAE,eAAe,CAAC,EAAE,CAAC;QACrG,KAAK,SAAS;YACZ,uEAAuE;YACvE,IAAI,IAAI,KAAK,MAAM,EAAE,CAAC;gBACpB,OAAO,mBAAmB,CAAC,YAAY,EAAE,aAAa,CAAC,CAAC;YAC1D,CAAC;YACD,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,IAAI,oBAAoB,EAAE,CAAC;IACtE,CAAC;AACH,CAAC;AAED;;;;;;;;GAQG;AACH,SAAS,mBAAmB,CAC1B,IAAkB,EAClB,KAAoB;IAEpB,QAAQ,IAAI,EAAE,CAAC;QACb,KAAK,MAAM;YACT,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;QACxD,KAAK,cAAc;YACjB,IAAI,KAAK,CAAC,eAAe,EAAE,CAAC;gBAC1B,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,kBAAkB,EAAE,CAAC;YAC3D,CAAC;YACD,OAAO;gBACL,MAAM,EAAE,UAAU;gBAClB,MAAM,EAAE,iDAAiD;aAC1D,CAAC;QACJ,KAAK,cAAc;YACjB,OAAO;gBACL,MAAM,EAAE,UAAU;gBAClB,MAAM,EAAE,gDAAgD;aACzD,CAAC;QACJ,KAAK,gBAAgB;YACnB,IAAI,KAAK,CAAC,cAAc,CAAC,MAAM,CAAC,EAAE,CAAC;gBACjC,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,mBAAmB,EAAE,CAAC;YAC5D,CAAC;YACD,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,sBAAsB,EAAE,CAAC;IAChE,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,gBAAgB,CAAC,SAA8B;IAC7D,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAC;IACrE,CAAC;IACD,IAAI,MAAM,GAAG,SAAS,CAAC,CAAC,CAAE,CAAC;IAC3B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,SAAS,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAC1C,MAAM,CAAC,GAAG,SAAS,CAAC,CAAC,CAAE,CAAC;QACxB,IAAI,aAAa,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,aAAa,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC;YAC3D,MAAM,GAAG,CAAC,CAAC;QACb,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,8EAA8E;AAC9E,sEAAsE;AACtE,8EAA8E;AAE9E,SAAS,UAAU,CACjB,IAAY,EACZ,MAAyB,EACzB,MAAqB;IAErB,IAAI,MAAM,KAAK,QAAQ,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;QAC3C,OAAO,GAAG,MAAM,6BAA6B,CAAC;IAChD,CAAC;IACD,OAAO,GAAG,IAAI,sBAAsB,CAAC;AACvC,CAAC;AAED,SAAS,cAAc,CACrB,IAAY,EACZ,MAAyB,EACzB,MAAqB;IAErB,IAAI,MAAM,KAAK,QAAQ,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;QAC3C,OAAO,GAAG,MAAM,2BAA2B,CAAC;IAC9C,CAAC;IACD,OAAO,GAAG,IAAI,oBAAoB,CAAC;AACrC,CAAC;AAED,SAAS,aAAa,CACpB,IAAY,EACZ,MAAyB,EACzB,MAAqB;IAErB,IAAI,MAAM,KAAK,QAAQ,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;QAC3C,OAAO,GAAG,MAAM,uCAAuC,CAAC;IAC1D,CAAC;IACD,OAAO,GAAG,IAAI,gCAAgC,CAAC;AACjD,CAAC"}
+{"version":3,"file":"gate.js","sourceRoot":"","sources":["../../../src/toolkit/policy/gate.ts"],"names":[],"mappings":"AAmBA,OAAO,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAE3C,+EAA+E;AAC/E,MAAM,SAAS,GAAyB;IACtC,OAAO,EAAE,CAAC;IACV,QAAQ,EAAE,CAAC;IACX,MAAM,EAAE,CAAC;CACV,CAAC;AAQF;;;;GAIG;AACH,MAAM,UAAU,WAAW,CACzB,cAA8B,EAC9B,KAAyB,EACzB,YAA0B,EAC1B,aAA4B;IAE5B,MAAM,IAAI,GAAG,cAAc,CAAC,IAAI,CAAC;IACjC,MAAM,QAAQ,GAAS,KAAK,CAAC,IAAI,CAAC,CAAC;IAEnC,6DAA6D;IAC7D,IAAI,YAAY,GAAS,QAAQ,CAAC;IAClC,IAAI,qBAAqB,GAAsB,MAAM,CAAC;IACtD,IAAI,eAAe,GAAkB,IAAI,CAAC;IAE1C,IAAI,cAAc,CAAC,OAAO,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;QAC5C,KAAK,MAAM,MAAM,IAAI,cAAc,CAAC,OAAO,EAAE,CAAC;YAC5C,MAAM,UAAU,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;YACzC,IAAI,UAAU,KAAK,SAAS;gBAAE,SAAS;YACvC,IAAI,SAAS,CAAC,UAAU,CAAC,GAAG,SAAS,CAAC,YAAY,CAAC,EAAE,CAAC;gBACpD,YAAY,GAAG,UAAU,CAAC;gBAC1B,qBAAqB,GAAG,QAAQ,CAAC;gBACjC,eAAe,GAAG,MAAM,CAAC;YAC3B,CAAC;QACH,CAAC;IACH,CAAC;IAED,uCAAuC;IACvC,QAAQ,YAAY,EAAE,CAAC;QACrB,KAAK,QAAQ;YACX,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,CAAC,IAAI,EAAE,qBAAqB,EAAE,eAAe,CAAC,EAAE,CAAC;QAChG,KAAK,UAAU;YACb,OAAO;gBACL,MAAM,EAAE,UAAU;gBAClB,MAAM,EAAE,cAAc,CAAC,IAAI,EAAE,qBAAqB,EAAE,eAAe,CAAC;aACrE,CAAC;QACJ,KAAK,SAAS;YACZ,uEAAuE;YACvE,IAAI,IAAI,KAAK,MAAM,EAAE,CAAC;gBACpB,OAAO,mBAAmB,CAAC,YAAY,EAAE,aAAa,CAAC,CAAC;YAC1D,CAAC;YACD,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,IAAI,oBAAoB,EAAE,CAAC;IACtE,CAAC;AACH,CAAC;AAED;;;;;;;;GAQG;AACH,SAAS,mBAAmB,CAC1B,IAAkB,EAClB,KAAoB;IAEpB,QAAQ,IAAI,EAAE,CAAC;QACb,KAAK,MAAM;YACT,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;QACxD,KAAK,cAAc;YACjB,IAAI,KAAK,CAAC,eAAe,EAAE,CAAC;gBAC1B,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,kBAAkB,EAAE,CAAC;YAC3D,CAAC;YACD,OAAO;gBACL,MAAM,EAAE,UAAU;gBAClB,MAAM,EAAE,iDAAiD;aAC1D,CAAC;QACJ,KAAK,cAAc;YACjB,OAAO;gBACL,MAAM,EAAE,UAAU;gBAClB,MAAM,EAAE,gDAAgD;aACzD,CAAC;QACJ,KAAK,gBAAgB;YACnB,IAAI,KAAK,CAAC,cAAc,CAAC,MAAM,CAAC,EAAE,CAAC;gBACjC,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,mBAAmB,EAAE,CAAC;YAC5D,CAAC;YACD,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,sBAAsB,EAAE,CAAC;IAChE,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,gBAAgB,CAAC,SAA8B;IAC7D,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAC;IACrE,CAAC;IACD,IAAI,MAAM,GAAG,SAAS,CAAC,CAAC,CAAE,CAAC;IAC3B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,SAAS,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAC1C,MAAM,CAAC,GAAG,SAAS,CAAC,CAAC,CAAE,CAAC;QACxB,IAAI,aAAa,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,aAAa,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC;YAC3D,MAAM,GAAG,CAAC,CAAC;QACb,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,8EAA8E;AAC9E,sEAAsE;AACtE,8EAA8E;AAE9E,SAAS,UAAU,CACjB,IAAY,EACZ,MAAyB,EACzB,MAAqB;IAErB,IAAI,MAAM,KAAK,QAAQ,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;QAC3C,OAAO,GAAG,MAAM,6BAA6B,CAAC;IAChD,CAAC;IACD,OAAO,GAAG,IAAI,sBAAsB,CAAC;AACvC,CAAC;AAED,SAAS,cAAc,CACrB,IAAY,EACZ,MAAyB,EACzB,MAAqB;IAErB,IAAI,MAAM,KAAK,QAAQ,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;QAC3C,OAAO,GAAG,MAAM,2BAA2B,CAAC;IAC9C,CAAC;IACD,OAAO,GAAG,IAAI,oBAAoB,CAAC;AACrC,CAAC"}

package/dist/toolkit/policy/types.d.ts

@@ -18,19 +18,41 @@ export interface Classification {
     kind: Kind;
     aspects?: readonly string[];
 }
-/** Wire rules operators set per classification. */
-export type Rule = "success" | "present" | "escalate" | "denied";
+/**
+ * Wire rules operators set per classification. The toolkit-level base set
+ * holds only `success | escalate | denied`. Connectors that need a custom
+ * rule (e.g. db-agent's `"present"` rule, which means "displayed but not
+ * executed") declare it locally and translate to a base rule at their own
+ * boundary before invoking `checkPolicy`. The wire envelope (`status` is
+ * `string`) and the `extendDecision` hook still let those connectors emit
+ * connector-specific outcomes.
+ */
+export type Rule = "success" | "escalate" | "denied";
 /** Rule without `"success"` — used for safety-floor slots (admin, ddl, privilege). */
 export type RestrictedRule = Exclude<Rule, "success">;
-export interface PolicyRules {
-    read: Rule;
-    write: Rule;
-    admin: RestrictedRule;
+/**
+ * The toolkit-level rules shape, keyed by classification kind. `TExtra`
+ * mirrors `PolicyMap`'s parameter, but the default is `never` (not `string`):
+ * the toolkit gate is the strict checkpoint, so unspecialized `PolicyRules`
+ * means "base rules only". Connectors with extra rule values declare them
+ * explicitly via `PolicyRules<"present">` etc., and translate to base
+ * before invoking `checkPolicy`.
+ */
+export interface PolicyRules<TExtra extends string = never> {
+    read: Rule | TExtra;
+    write: Rule | TExtra;
+    admin: RestrictedRule | TExtra;
     /** Per-aspect rule map. Absent aspects fall through to the kind's rule. */
-    aspects?: Record<string, Rule>;
+    aspects?: Record<string, Rule | TExtra>;
 }
 export type ApprovalMode = "auto" | "confirm_once" | "confirm_each" | "grant_required";
-/** Defaults matching db-agent's historical behavior, generalized to CRUD. */
+/**
+ * Connector-agnostic default rules. Writes escalate by default (operators
+ * may downgrade to `success` per connector); admin is the safety-floor
+ * default-deny. Connectors that historically used `"present"` for write
+ * (e.g. db-agent's "displayed but not executed") declare it in their own
+ * defaults and translate to `"escalate"` before reaching the toolkit gate.
+ */
 export declare const DEFAULT_POLICY: PolicyRules;
 /**
  * A gate decision. `extendDecision` hooks (e.g., db-agent's `present_only`)

package/dist/toolkit/policy/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/toolkit/policy/types.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAMH,8DAA8D;AAC9D,MAAM,MAAM,IAAI,GAAG,MAAM,GAAG,OAAO,GAAG,OAAO,CAAC;AAE9C;;;;;GAKG;AACH,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,IAAI,CAAC;IACX,OAAO,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;CAC7B;AAMD,mDAAmD;AACnD,MAAM,MAAM,IAAI,GAAG,SAAS,GAAG,SAAS,GAAG,UAAU,GAAG,QAAQ,CAAC;AAEjE,sFAAsF;AACtF,MAAM,MAAM,cAAc,GAAG,OAAO,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC;AAEtD,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,IAAI,CAAC;IACX,KAAK,EAAE,IAAI,CAAC;IACZ,KAAK,EAAE,cAAc,CAAC;IACtB,2EAA2E;IAC3E,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;CAChC;AAED,MAAM,MAAM,YAAY,GACpB,MAAM,GACN,cAAc,GACd,cAAc,GACd,gBAAgB,CAAC;AAErB,6EAA6E;AAC7E,eAAO,MAAM,cAAc,EAAE,WAK5B,CAAC;AAMF;;;;GAIG;AACH,MAAM,MAAM,QAAQ,GAChB;IAAE,MAAM,EAAE,SAAS,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,GACrC;IAAE,MAAM,EAAE,QAAQ,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,GACpC;IAAE,MAAM,EAAE,UAAU,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC;AAE3C,sEAAsE;AACtE,eAAO,MAAM,aAAa,EAAE,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAI5D,CAAC;AAMF,mEAAmE;AACnE,MAAM,MAAM,SAAS,GACjB,YAAY,GACZ,WAAW,GACX,cAAc,GACd,SAAS,GACT,kBAAkB,GAClB,cAAc,GACd,kBAAkB,CAAC;AAEvB,6DAA6D;AAC7D,MAAM,WAAW,eAAe;IAC9B,MAAM,EAAE,SAAS,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAC/B;AAED;;;GAGG;AACH,MAAM,WAAW,cAAc;IAC7B,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,QAAQ,GAAG,QAAQ,CAAC;CAC5B;AAED,0BAA0B;AAC1B,MAAM,WAAW,cAAc;IAC7B,MAAM,EAAE,QAAQ,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,eAAe,CAAC,EAAE,cAAc,CAAC;CAClC;AAED,8BAA8B;AAC9B,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,UAAU,CAAC;IACnB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,eAAe,CAAC,EAAE,cAAc,CAAC;CAClC;AAED,8BAA8B;AAC9B,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,OAAO,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,SAAS,CAAC;IACtB,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,OAAO,CAAC;IACnB,eAAe,CAAC,EAAE,cAAc,CAAC;CAClC;AAED;;;;GAIG;AACH,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACnC,eAAe,CAAC,EAAE,cAAc,CAAC;CAClC;AAED,MAAM,MAAM,QAAQ,GAChB,eAAe,GACf,cAAc,GACd,gBAAgB,GAChB,aAAa,GACb,gBAAgB,CAAC"}
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/toolkit/policy/types.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAMH,8DAA8D;AAC9D,MAAM,MAAM,IAAI,GAAG,MAAM,GAAG,OAAO,GAAG,OAAO,CAAC;AAE9C;;;;;GAKG;AACH,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,IAAI,CAAC;IACX,OAAO,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;CAC7B;AAMD;;;;;;;;GAQG;AACH,MAAM,MAAM,IAAI,GAAG,SAAS,GAAG,UAAU,GAAG,QAAQ,CAAC;AAErD,sFAAsF;AACtF,MAAM,MAAM,cAAc,GAAG,OAAO,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC;AAEtD;;;;;;;GAOG;AACH,MAAM,WAAW,WAAW,CAAC,MAAM,SAAS,MAAM,GAAG,KAAK;IACxD,IAAI,EAAE,IAAI,GAAG,MAAM,CAAC;IACpB,KAAK,EAAE,IAAI,GAAG,MAAM,CAAC;IACrB,KAAK,EAAE,cAAc,GAAG,MAAM,CAAC;IAC/B,2EAA2E;IAC3E,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,IAAI,GAAG,MAAM,CAAC,CAAC;CACzC;AAED,MAAM,MAAM,YAAY,GACpB,MAAM,GACN,cAAc,GACd,cAAc,GACd,gBAAgB,CAAC;AAErB;;;;;;GAMG;AACH,eAAO,MAAM,cAAc,EAAE,WAK5B,CAAC;AAMF;;;;GAIG;AACH,MAAM,MAAM,QAAQ,GAChB;IAAE,MAAM,EAAE,SAAS,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,GACrC;IAAE,MAAM,EAAE,QAAQ,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,GACpC;IAAE,MAAM,EAAE,UAAU,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC;AAE3C,sEAAsE;AACtE,eAAO,MAAM,aAAa,EAAE,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAI5D,CAAC;AAMF,mEAAmE;AACnE,MAAM,MAAM,SAAS,GACjB,YAAY,GACZ,WAAW,GACX,cAAc,GACd,SAAS,GACT,kBAAkB,GAClB,cAAc,GACd,kBAAkB,CAAC;AAEvB,6DAA6D;AAC7D,MAAM,WAAW,eAAe;IAC9B,MAAM,EAAE,SAAS,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAC/B;AAED;;;GAGG;AACH,MAAM,WAAW,cAAc;IAC7B,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,QAAQ,GAAG,QAAQ,CAAC;CAC5B;AAED,0BAA0B;AAC1B,MAAM,WAAW,cAAc;IAC7B,MAAM,EAAE,QAAQ,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,eAAe,CAAC,EAAE,cAAc,CAAC;CAClC;AAED,8BAA8B;AAC9B,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,UAAU,CAAC;IACnB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,eAAe,CAAC,EAAE,cAAc,CAAC;CAClC;AAED,8BAA8B;AAC9B,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,OAAO,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,SAAS,CAAC;IACtB,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,OAAO,CAAC;IACnB,eAAe,CAAC,EAAE,cAAc,CAAC;CAClC;AAED;;;;GAIG;AACH,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACnC,eAAe,CAAC,EAAE,cAAc,CAAC;CAClC;AAED,MAAM,MAAM,QAAQ,GAChB,eAAe,GACf,cAAc,GACd,gBAAgB,GAChB,aAAa,GACb,gBAAgB,CAAC"}

package/dist/toolkit/policy/types.js

@@ -6,10 +6,16 @@
  * | error`; connectors MAY extend with custom status values via the
  * `extendDecision` hook on `createConnector` (db-agent uses `present_only`).
  */
-/** Defaults matching db-agent's historical behavior, generalized to CRUD. */
+/**
+ * Connector-agnostic default rules. Writes escalate by default (operators
+ * may downgrade to `success` per connector); admin is the safety-floor
+ * default-deny. Connectors that historically used `"present"` for write
+ * (e.g. db-agent's "displayed but not executed") declare it in their own
+ * defaults and translate to `"escalate"` before reaching the toolkit gate.
+ */
 export const DEFAULT_POLICY = {
     read: "success",
-    write: "present",
+    write: "escalate",
     admin: "denied",
     aspects: {},
 };

package/dist/toolkit/policy/types.js.map

@@ -1 +1 @@
-{"version":3,"file":"types.js","sourceRoot":"","sources":["../../../src/toolkit/policy/types.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AA4CH,6EAA6E;AAC7E,MAAM,CAAC,MAAM,cAAc,GAAgB;IACzC,IAAI,EAAE,SAAS;IACf,KAAK,EAAE,SAAS;IAChB,KAAK,EAAE,QAAQ;IACf,OAAO,EAAE,EAAE;CACZ,CAAC;AAgBF,sEAAsE;AACtE,MAAM,CAAC,MAAM,aAAa,GAAuC;IAC/D,OAAO,EAAE,CAAC;IACV,QAAQ,EAAE,CAAC;IACX,MAAM,EAAE,CAAC;CACV,CAAC"}
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../../src/toolkit/policy/types.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AA4DH;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,cAAc,GAAgB;IACzC,IAAI,EAAE,SAAS;IACf,KAAK,EAAE,UAAU;IACjB,KAAK,EAAE,QAAQ;IACf,OAAO,EAAE,EAAE;CACZ,CAAC;AAgBF,sEAAsE;AACtE,MAAM,CAAC,MAAM,aAAa,GAAuC;IAC/D,OAAO,EAAE,CAAC;IACV,QAAQ,EAAE,CAAC;IACX,MAAM,EAAE,CAAC;CACV,CAAC"}

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "narai-primitives",
-  "version": "2.0.0",
-  "description": "Read-only connectors + planning hub + connector framework, in one package. Bundles what was @narai/connector-toolkit, @narai/connector-config, @narai/connector-hub, and the seven @narai/<svc>-agent-connector packages.",
+  "version": "2.1.1",
+  "description": "Read-only connectors + planning hub + connector framework + credential resolution, in one package. Bundles what was @narai/connector-toolkit, @narai/connector-config, @narai/connector-hub, the seven @narai/<svc>-agent-connector packages, and @narai/credential-providers.",
   "type": "module",
   "main": "./dist/hub/index.js",
   "types": "./dist/hub/index.d.ts",
@@ -22,6 +22,10 @@
       "types": "./dist/config/index.d.ts",
       "import": "./dist/config/index.js"
     },
+    "./credentials": {
+      "types": "./dist/credentials/index.d.ts",
+      "import": "./dist/credentials/index.js"
+    },
     "./aws": {
       "types": "./dist/connectors/aws/index.d.ts",
       "import": "./dist/connectors/aws/index.js"
@@ -34,6 +38,18 @@
       "types": "./dist/connectors/db/index.d.ts",
       "import": "./dist/connectors/db/index.js"
     },
+    "./db/policy": {
+      "types": "./dist/connectors/db/lib/policy.d.ts",
+      "import": "./dist/connectors/db/lib/policy.js"
+    },
+    "./db/schema": {
+      "types": "./dist/connectors/db/lib/schema.d.ts",
+      "import": "./dist/connectors/db/lib/schema.js"
+    },
+    "./db/plugin-config": {
+      "types": "./dist/connectors/db/lib/plugin_config.d.ts",
+      "import": "./dist/connectors/db/lib/plugin_config.js"
+    },
     "./gcp": {
       "types": "./dist/connectors/gcp/index.d.ts",
       "import": "./dist/connectors/gcp/index.js"
@@ -92,7 +108,6 @@
   },
   "dependencies": {
     "@anthropic-ai/claude-agent-sdk": "^0.2.119",
-    "@narai/credential-providers": "^0.2.1",
     "better-sqlite3": "^12.9.0",
     "js-yaml": "^4.1.1",
     "zod": "^3.23.0"
@@ -103,7 +118,10 @@
     "@aws-sdk/client-lambda": "^3.1030.0",
     "@aws-sdk/client-rds": "^3.1030.0",
     "@aws-sdk/client-s3": "^3.1030.0",
+    "@aws-sdk/client-secrets-manager": "^3.1030.0",
     "@aws-sdk/client-sts": "^3.1030.0",
+    "@azure/keyvault-secrets": "^4.10.0",
+    "@google-cloud/secret-manager": "^6.0.0",
     "gpt-tokenizer": "^2.5.0",
     "mongodb": "^7.1.1",
     "mssql": "^12.2.1",

package/plugins/aws-agent/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "aws-agent-plugin",
-  "version": "1.0.0",
-  "description": "Read-only AWS connector for Claude Code. Wraps @narai/aws-agent-connector. Lambda, RDS, S3, CloudWatch.",
+  "version": "1.1.0",
+  "description": "Read-only AWS connector for Claude Code. Built on narai-primitives (subpath ./aws). Lambda, RDS, S3, CloudWatch.",
   "author": "narai"
 }

package/plugins/aws-agent/README.md

@@ -1,6 +1,6 @@
 # aws-agent-plugin
 
-Claude Code plugin that wraps [`@narai/aws-agent-connector`](https://www.npmjs.com/package/@narai/aws-agent-connector) as a read-only AWS skill and slash command.
+Claude Code plugin that wraps [`narai-primitives/aws`](https://www.npmjs.com/package/narai-primitives) as a read-only AWS skill and slash command.
 
 ## What it adds
 
@@ -21,7 +21,7 @@ hook in `hooks/hooks.json`:
    next session.
 
 After a successful install,
-`${CLAUDE_PLUGIN_DATA}/node_modules/@narai/aws-agent-connector/dist/cli.js`
+`${CLAUDE_PLUGIN_DATA}/node_modules/narai-primitives/dist/connectors/aws/cli.js`
 exists and `bin/aws-agent` can exec it.
 
 ## Usage

package/plugins/aws-agent/bin/aws-agent

@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-# aws-agent — thin shim over @narai/aws-agent-connector.
+# aws-agent — thin shim over narai-primitives (CLI at dist/connectors/aws).
 #
 # The SessionStart hook in hooks/hooks.json installs the npm package into
 # ${CLAUDE_PLUGIN_DATA}/node_modules on first session. This shim exec's
@@ -11,7 +11,7 @@ if [ -z "${CLAUDE_PLUGIN_DATA:-}" ]; then
   exit 2
 fi
 
-CLI="${CLAUDE_PLUGIN_DATA}/node_modules/@narai/aws-agent-connector/dist/cli.js"
+CLI="${CLAUDE_PLUGIN_DATA}/node_modules/narai-primitives/dist/connectors/aws/cli.js"
 
 if [ ! -f "$CLI" ]; then
   echo "aws-agent: connector CLI not found at $CLI" >&2

package/plugins/aws-agent/hooks/hooks.json

@@ -9,11 +9,11 @@
           },
           {
             "type": "command",
-            "command": "node \"${CLAUDE_PLUGIN_ROOT}/plugin/hooks/reminder.mjs\" 2>/dev/null || true"
+            "command": "node \"${CLAUDE_PLUGIN_ROOT}/hooks/reminder.mjs\" 2>/dev/null || true"
           },
           {
             "type": "command",
-            "command": "node \"${CLAUDE_PLUGIN_DATA}/node_modules/@narai/connector-toolkit/plugin-hooks/stale-summarize.mjs\" 2>/dev/null || true",
+            "command": "node \"${CLAUDE_PLUGIN_DATA}/node_modules/narai-primitives/plugin-hooks/stale-summarize.mjs\" 2>/dev/null || true",
             "env": { "USAGE_CONNECTOR_NAME": "aws" }
           }
         ]
@@ -25,10 +25,10 @@
         "hooks": [
           {
             "type": "command",
-            "command": "node \"${CLAUDE_PLUGIN_DATA}/node_modules/@narai/connector-toolkit/plugin-hooks/usage-record.mjs\" 2>/dev/null || true",
+            "command": "node \"${CLAUDE_PLUGIN_DATA}/node_modules/narai-primitives/plugin-hooks/usage-record.mjs\" 2>/dev/null || true",
             "env": {
               "USAGE_CONNECTOR_NAME": "aws",
-              "USAGE_BIN_HINT": "@narai/aws-agent-connector"
+              "USAGE_BIN_HINT": "narai-primitives/dist/connectors/aws"
             }
           }
         ]
@@ -39,7 +39,7 @@
         "hooks": [
           {
             "type": "command",
-            "command": "node \"${CLAUDE_PLUGIN_DATA}/node_modules/@narai/connector-toolkit/plugin-hooks/session-summary.mjs\" 2>/dev/null || true",
+            "command": "node \"${CLAUDE_PLUGIN_DATA}/node_modules/narai-primitives/plugin-hooks/session-summary.mjs\" 2>/dev/null || true",
             "env": { "USAGE_CONNECTOR_NAME": "aws" }
           }
         ]

package/plugins/aws-agent/hooks/reminder.mjs

@@ -5,7 +5,7 @@
 try {
   const data = process.env.CLAUDE_PLUGIN_DATA;
   if (!data) process.exit(0);
-  const toolkitEntry = `${data}/node_modules/@narai/connector-toolkit/dist/plugin/reminder.js`;
+  const toolkitEntry = `${data}/node_modules/narai-primitives/dist/toolkit/plugin/reminder.js`;
   const mod = await import(toolkitEntry);
   const decision = mod.evaluateNudge({ connectors: ["aws"] });
   if (decision.nudge) {

package/plugins/aws-agent/package.json

@@ -4,6 +4,6 @@
   "private": true,
   "description": "Runtime manifest for aws-agent-plugin. The SessionStart hook runs `npm install` on this manifest into ${CLAUDE_PLUGIN_DATA}.",
   "dependencies": {
-    "@narai/aws-agent-connector": "file:.."
+    "narai-primitives": "^2.0.0"
   }
 }

package/plugins/aws-agent/skills/aws-agent/SKILL.md

@@ -11,7 +11,7 @@ context: fork
 # AWS Agent
 
 Answer the user's question by invoking the `aws-agent` binary exposed by
-this plugin. It delegates to `@narai/aws-agent-connector`, which speaks to
+this plugin. It delegates to `narai-primitives/aws`, which speaks to
 AWS via the read-only SDK v3 surface.
 
 ## Invocation

package/plugins/confluence-agent/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "confluence-agent-plugin",
-  "version": "1.0.0",
-  "description": "Read-only Confluence connector for Claude Code. Wraps @narai/confluence-agent-connector.",
+  "version": "1.1.0",
+  "description": "Read-only Confluence connector for Claude Code. Built on narai-primitives (subpath ./confluence).",
   "author": "narai"
 }

package/plugins/confluence-agent/README.md

@@ -1,6 +1,6 @@
 # confluence-agent-plugin
 
-Claude Code plugin that wraps `@narai/confluence-agent-connector` as a read-only Confluence skill and slash command. Same layout as aws/gcp/notion-agent-plugin.
+Claude Code plugin that wraps `narai-primitives/confluence` as a read-only Confluence skill and slash command. Same layout as aws/gcp/notion-agent-plugin.
 
 ## Credentials
 

package/plugins/confluence-agent/bin/confluence-agent

@@ -6,7 +6,7 @@ if [ -z "${CLAUDE_PLUGIN_DATA:-}" ]; then
   exit 2
 fi
 
-CLI="${CLAUDE_PLUGIN_DATA}/node_modules/@narai/confluence-agent-connector/dist/cli.js"
+CLI="${CLAUDE_PLUGIN_DATA}/node_modules/narai-primitives/dist/connectors/confluence/cli.js"
 
 if [ ! -f "$CLI" ]; then
   echo "confluence-agent: connector CLI not found at $CLI" >&2

package/plugins/confluence-agent/hooks/hooks.json

@@ -9,11 +9,11 @@
           },
           {
             "type": "command",
-            "command": "node \"${CLAUDE_PLUGIN_ROOT}/plugin/hooks/reminder.mjs\" 2>/dev/null || true"
+            "command": "node \"${CLAUDE_PLUGIN_ROOT}/hooks/reminder.mjs\" 2>/dev/null || true"
           },
           {
             "type": "command",
-            "command": "node \"${CLAUDE_PLUGIN_DATA}/node_modules/@narai/connector-toolkit/plugin-hooks/stale-summarize.mjs\" 2>/dev/null || true",
+            "command": "node \"${CLAUDE_PLUGIN_DATA}/node_modules/narai-primitives/plugin-hooks/stale-summarize.mjs\" 2>/dev/null || true",
             "env": { "USAGE_CONNECTOR_NAME": "confluence" }
           }
         ]
@@ -25,10 +25,10 @@
         "hooks": [
           {
             "type": "command",
-            "command": "node \"${CLAUDE_PLUGIN_DATA}/node_modules/@narai/connector-toolkit/plugin-hooks/usage-record.mjs\" 2>/dev/null || true",
+            "command": "node \"${CLAUDE_PLUGIN_DATA}/node_modules/narai-primitives/plugin-hooks/usage-record.mjs\" 2>/dev/null || true",
             "env": {
               "USAGE_CONNECTOR_NAME": "confluence",
-              "USAGE_BIN_HINT": "@narai/confluence-agent-connector"
+              "USAGE_BIN_HINT": "narai-primitives/dist/connectors/confluence"
             }
           }
         ]
@@ -39,7 +39,7 @@
         "hooks": [
           {
             "type": "command",
-            "command": "node \"${CLAUDE_PLUGIN_DATA}/node_modules/@narai/connector-toolkit/plugin-hooks/session-summary.mjs\" 2>/dev/null || true",
+            "command": "node \"${CLAUDE_PLUGIN_DATA}/node_modules/narai-primitives/plugin-hooks/session-summary.mjs\" 2>/dev/null || true",
             "env": { "USAGE_CONNECTOR_NAME": "confluence" }
           }
         ]

package/plugins/confluence-agent/hooks/reminder.mjs

@@ -14,7 +14,7 @@
 try {
   const data = process.env.CLAUDE_PLUGIN_DATA;
   if (!data) process.exit(0);
-  const toolkitEntry = `${data}/node_modules/@narai/connector-toolkit/dist/plugin/reminder.js`;
+  const toolkitEntry = `${data}/node_modules/narai-primitives/dist/toolkit/plugin/reminder.js`;
   const mod = await import(toolkitEntry);
   const decision = mod.evaluateNudge({ connectors: ["confluence"] });
   if (decision.nudge) {

package/plugins/confluence-agent/package.json

@@ -3,6 +3,6 @@
   "version": "1.0.0",
   "private": true,
   "dependencies": {
-    "@narai/confluence-agent-connector": "file:.."
+    "narai-primitives": "^2.0.0"
   }
 }

package/plugins/confluence-agent/skills/confluence-agent/SKILL.md

@@ -11,7 +11,7 @@ context: fork
 
 Answer the user's question by invoking the `confluence-agent` binary
 exposed by this plugin. It delegates to
-`@narai/confluence-agent-connector` via Atlassian's Confluence REST v1.
+`narai-primitives/confluence` via Atlassian's Confluence REST v1.
 
 ## Invocation
 

package/plugins/db-agent/.claude-plugin/plugin.json

@@ -1,13 +1,13 @@
 {
   "name": "db-agent-plugin",
-  "version": "1.0.0",
-  "description": "Safe, read-only database query agent for Claude Code. Wraps @narai/db-agent-connector. Every statement passes the policy gate before any driver loads or any connection is opened.",
+  "version": "1.1.0",
+  "description": "Safe, read-only database query agent for Claude Code. Built on narai-primitives (subpath ./db). Every statement passes the policy gate before any driver loads or any connection is opened.",
   "author": {
     "name": "Narai Labs",
     "url": "https://github.com/narailabs"
   },
-  "homepage": "https://github.com/narailabs/db-agent-connector",
-  "repository": "https://github.com/narailabs/db-agent-connector",
+  "homepage": "https://github.com/narailabs/narai-primitives/tree/main/plugins/db-agent",
+  "repository": "https://github.com/narailabs/narai-primitives",
   "license": "MIT",
   "keywords": ["database", "sql", "postgresql", "mysql", "sqlite", "policy-gate"],
   "userConfig": {

package/plugins/db-agent/README.md

@@ -1,6 +1,6 @@
 # db-agent-plugin
 
-Claude Code plugin that wraps [`@narai/db-agent-connector`](https://www.npmjs.com/package/@narai/db-agent-connector).
+Claude Code plugin that wraps [`narai-primitives/db`](https://www.npmjs.com/package/narai-primitives).
 
 Exposes the `db-agent` skill. Every query passes through the policy gate before any driver loads or any connection opens. V2.0 vocab and defaults:
 
@@ -10,4 +10,4 @@ Exposes the `db-agent` skill. Every query passes through the policy gate before
 - `admin` (CREATE/DROP/ALTER/RENAME) → returned as formatted SQL, never executed
 - `privilege` (GRANT/REVOKE) → hard-denied
 
-Install via Claude Code's plugin marketplace. The `SessionStart` hook installs `@narai/db-agent-connector` into the plugin's data directory on first use.
+Install via Claude Code's plugin marketplace. The `SessionStart` hook installs `narai-primitives` into the plugin's data directory on first use.

package/plugins/db-agent/bin/db-agent

@@ -6,7 +6,7 @@ if [ -z "${CLAUDE_PLUGIN_DATA:-}" ]; then
   exit 2
 fi
 
-CLI="${CLAUDE_PLUGIN_DATA}/node_modules/@narai/db-agent-connector/dist/cli.js"
+CLI="${CLAUDE_PLUGIN_DATA}/node_modules/narai-primitives/dist/connectors/db/cli.js"
 
 if [ ! -f "$CLI" ]; then
   echo "db-agent: connector CLI not found at $CLI" >&2

package/plugins/db-agent/hooks/hooks.json

@@ -8,11 +8,11 @@
         },
         {
           "type": "command",
-          "command": "node \"${CLAUDE_PLUGIN_ROOT}/plugin/hooks/reminder.mjs\" 2>/dev/null || true"
+          "command": "node \"${CLAUDE_PLUGIN_ROOT}/hooks/reminder.mjs\" 2>/dev/null || true"
         },
         {
           "type": "command",
-          "command": "node \"${CLAUDE_PLUGIN_DATA}/node_modules/@narai/connector-toolkit/plugin-hooks/stale-summarize.mjs\" 2>/dev/null || true",
+          "command": "node \"${CLAUDE_PLUGIN_DATA}/node_modules/narai-primitives/plugin-hooks/stale-summarize.mjs\" 2>/dev/null || true",
           "env": { "USAGE_CONNECTOR_NAME": "db" }
         }
       ]
@@ -24,7 +24,7 @@
       "hooks": [
         {
           "type": "command",
-          "command": "node ${CLAUDE_PLUGIN_ROOT}/plugin/hooks/db-guard.mjs",
+          "command": "node ${CLAUDE_PLUGIN_ROOT}/hooks/db-guard.mjs",
           "env": {
             "DB_AGENT_GUARDRAILS": "${user_config.install_guardrails}"
           }
@@ -38,10 +38,10 @@
       "hooks": [
         {
           "type": "command",
-          "command": "node \"${CLAUDE_PLUGIN_DATA}/node_modules/@narai/connector-toolkit/plugin-hooks/usage-record.mjs\" 2>/dev/null || true",
+          "command": "node \"${CLAUDE_PLUGIN_DATA}/node_modules/narai-primitives/plugin-hooks/usage-record.mjs\" 2>/dev/null || true",
           "env": {
             "USAGE_CONNECTOR_NAME": "db",
-            "USAGE_BIN_HINT": "@narai/db-agent-connector"
+            "USAGE_BIN_HINT": "narai-primitives/dist/connectors/db"
           }
         }
       ]
@@ -52,7 +52,7 @@
       "hooks": [
         {
           "type": "command",
-          "command": "node \"${CLAUDE_PLUGIN_DATA}/node_modules/@narai/connector-toolkit/plugin-hooks/session-summary.mjs\" 2>/dev/null || true",
+          "command": "node \"${CLAUDE_PLUGIN_DATA}/node_modules/narai-primitives/plugin-hooks/session-summary.mjs\" 2>/dev/null || true",
           "env": { "USAGE_CONNECTOR_NAME": "db" }
         }
       ]

package/plugins/db-agent/hooks/reminder.mjs

@@ -5,7 +5,7 @@
 try {
   const data = process.env.CLAUDE_PLUGIN_DATA;
   if (!data) process.exit(0);
-  const toolkitEntry = `${data}/node_modules/@narai/connector-toolkit/dist/plugin/reminder.js`;
+  const toolkitEntry = `${data}/node_modules/narai-primitives/dist/toolkit/plugin/reminder.js`;
   const mod = await import(toolkitEntry);
   const decision = mod.evaluateNudge({ connectors: ["db"] });
   if (decision.nudge) {

package/plugins/db-agent/package.json

@@ -3,6 +3,6 @@
   "version": "1.0.0",
   "private": true,
   "dependencies": {
-    "@narai/db-agent-connector": "file:.."
+    "narai-primitives": "^2.0.0"
   }
 }

package/plugins/db-agent/skills/db-agent/SKILL.md

@@ -14,7 +14,7 @@ context: fork
 # Database Agent
 
 Answer the user's question by invoking the `db-agent` binary exposed by this
-plugin. It delegates to `@narai/db-agent-connector`, which enforces the
+plugin. It delegates to `narai-primitives/db`, which enforces the
 policy gate before any backend is touched.
 
 ## Invocation