network-ai 4.15.2 → 5.0.0

package/dist/lib/approval-inbox.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"approval-inbox.d.ts","sourceRoot":"","sources":["../../lib/approval-inbox.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,QAAQ,CAAC;AACtC,OAAO,EAAgB,eAAe,EAAE,cAAc,EAAE,MAAM,EAAE,MAAM,MAAM,CAAC;AAE7E,OAAO,KAAK,EAAE,eAAe,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AAM3F,kCAAkC;AAClC,MAAM,MAAM,cAAc,GAAG,SAAS,GAAG,UAAU,GAAG,QAAQ,GAAG,SAAS,CAAC;AAE3E,8BAA8B;AAC9B,MAAM,WAAW,aAAa;IAC5B,0CAA0C;IAC1C,EAAE,EAAE,MAAM,CAAC;IACX,oCAAoC;IACpC,OAAO,EAAE,eAAe,CAAC;IACzB,qBAAqB;IACrB,MAAM,EAAE,cAAc,CAAC;IACvB,2BAA2B;IAC3B,QAAQ,CAAC,EAAE,gBAAgB,CAAC;IAC5B,mCAAmC;IACnC,SAAS,EAAE,MAAM,CAAC;IAClB,oCAAoC;IACpC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,6CAA6C;IAC7C,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,oCAAoC;AACpC,MAAM,WAAW,oBAAoB;IACnC,4EAA4E;IAC5E,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,yDAAyD;IACzD,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,sDAAsD;IACtD,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,+DAA+D;IAC/D,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,sBAAsB;AACtB,MAAM,MAAM,cAAc,GAAG,KAAK,GAAG,UAAU,GAAG,QAAQ,GAAG,SAAS,CAAC;AAEvE,wBAAwB;AACxB,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,cAAc,CAAC;IACrB,KAAK,EAAE,aAAa,CAAC;CACtB;AAED,qBAAqB;AACrB,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC;CACf;AAMD;;;;;;;;;;;;GAYG;AACH,qBAAa,aAAc,SAAQ,YAAY;IAC7C,OAAO,CAAC,QAAQ,CAAC,OAAO,CAInB;IACL,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAuB;IAC/C,OAAO,CAAC,QAAQ,CAAC,UAAU,CAA6B;IAExD,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAS;IAC1C,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;IACpC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;IACpC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;IAGpC,OAAO,CAAC,aAAa,CAAK;IAC1B,OAAO,CAAC,WAAW,CAAK;IACxB,OAAO,CAAC,YAAY,CAAK;gBAEb,OAAO,GAAE,oBAAyB;IAY9C;;;OAGG;IACH,QAAQ,IAAI,gBAAgB;IAM5B;;;OAGG;IACH,OAAO,CAAC,OAAO,EAAE,eAAe,EAAE,SAAS,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,CAAC;IA2BhF;;;OAGG;IACH,OAAO,CAAC,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,aAAa,GAAG,SAAS;IAanF;;;OAGG;IACH,IAAI,CAAC,EAAE,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,aAAa,GAAG,SAAS;IAa/E,uDAAuD;IACvD,GAAG,CAAC,EAAE,EAAE,MAAM,GAAG,aAAa,GAAG,SAAS;IAM1C,kDAAkD;IAClD,IAAI,CAAC,MAAM,GAAE,cAAc,GAAG,KAAiB,GAAG,aAAa,EAAE;IASjE,0BAA0B;IAC1B,KAAK,IAAI,UAAU;IAUnB,kCAAkC;IAClC,IAAI,YAAY,IAAI,MAAM,CAEzB;IAMD;;;;;;;;;;OAUG;IACH,WAAW,IAAI,CAAC,GAAG,EAAE,eAAe,EAAE,GAAG,EAAE,cAAc,KAAK,IAAI;IA2BlE;;;OAGG;IACH,WAAW,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,SAAc,GAAG,MAAM;IAWzD,sDAAsD;IACtD,OAAO,CAAC,YAAY;IAYpB,6BAA6B;IAC7B,OAAO,CAAC,YAAY;IAqBpB,OAAO,CAAC,OAAO;IAuBf,OAAO,CAAC,MAAM;IAYd,OAAO,CAAC,YAAY;IAOpB,OAAO,CAAC,YAAY;IAuEpB,OAAO,CAAC,QAAQ;IAShB,OAAO,CAAC,QAAQ;CAiCjB"}

package/dist/lib/approval-inbox.js

@@ -0,0 +1,385 @@
+"use strict";
+/**
+ * ApprovalInbox — Web-accessible human-in-the-loop approval system
+ *
+ * Provides an HTTP API and SSE streaming for managing approval requests
+ * from AI agents. Designed to work as an ApprovalCallback for ApprovalGate
+ * while also exposing a REST-like HTTP interface.
+ *
+ * Features:
+ *   - Queues approval requests with unique IDs and optional timeouts
+ *   - REST API: list, get, approve, deny, stats
+ *   - SSE stream for real-time notifications
+ *   - Auto-expiry for stale requests
+ *   - Standalone HTTP server or mountable handler
+ *
+ * @module ApprovalInbox
+ * @version 1.0.0
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ApprovalInbox = void 0;
+const events_1 = require("events");
+const http_1 = require("http");
+const crypto_1 = require("crypto");
+// ============================================================================
+// APPROVAL INBOX
+// ============================================================================
+/**
+ * Web-accessible approval inbox for human-in-the-loop agent workflows.
+ *
+ * Use `inbox.callback()` to get an ApprovalCallback for ApprovalGate,
+ * and `inbox.httpHandler()` to mount the HTTP API on a server.
+ *
+ * @example
+ * ```ts
+ * const inbox = new ApprovalInbox();
+ * const gate = new ApprovalGate(inbox.callback());
+ * const server = inbox.createServer(3002);
+ * ```
+ */
+class ApprovalInbox extends events_1.EventEmitter {
+    pending = new Map();
+    history = [];
+    sseClients = new Set();
+    defaultTimeoutMs;
+    maxPending;
+    maxHistory;
+    pathPrefix;
+    // Counters for stats (history may be truncated)
+    approvedCount = 0;
+    deniedCount = 0;
+    expiredCount = 0;
+    constructor(options = {}) {
+        super();
+        this.defaultTimeoutMs = options.defaultTimeoutMs ?? 300_000;
+        this.maxPending = options.maxPending ?? 100;
+        this.maxHistory = options.maxHistory ?? 1000;
+        this.pathPrefix = (options.pathPrefix ?? '/approvals').replace(/\/$/, '');
+    }
+    // --------------------------------------------------------------------------
+    // CORE API
+    // --------------------------------------------------------------------------
+    /**
+     * Returns an ApprovalCallback suitable for ApprovalGate.
+     * Each call enqueues a pending approval and waits for resolution.
+     */
+    callback() {
+        return (request) => {
+            return this.enqueue(request);
+        };
+    }
+    /**
+     * Enqueue an approval request. Returns a promise that resolves when
+     * the request is approved, denied, or expires.
+     */
+    enqueue(request, timeoutMs) {
+        if (this.pending.size >= this.maxPending) {
+            return Promise.resolve({ approved: false, reason: 'Approval queue is full' });
+        }
+        const id = (0, crypto_1.randomBytes)(8).toString('hex');
+        const timeout = timeoutMs ?? this.defaultTimeoutMs;
+        const entry = {
+            id,
+            request,
+            status: 'pending',
+            createdAt: Date.now(),
+            timeoutMs: timeout,
+        };
+        return new Promise((resolve) => {
+            const timer = timeout > 0
+                ? setTimeout(() => this.expire(id), timeout)
+                : null;
+            this.pending.set(id, { entry, resolve, timer });
+            this.broadcastSSE({ type: 'new', entry });
+            this.emit('new', entry);
+        });
+    }
+    /**
+     * Approve a pending request.
+     * @returns The resolved entry, or undefined if not found/already resolved.
+     */
+    approve(id, approvedBy, reason) {
+        const record = this.pending.get(id);
+        if (!record)
+            return undefined;
+        const decision = {
+            approved: true,
+            approvedBy,
+            reason,
+        };
+        return this.resolve(id, 'approved', decision);
+    }
+    /**
+     * Deny a pending request.
+     * @returns The resolved entry, or undefined if not found/already resolved.
+     */
+    deny(id, deniedBy, reason) {
+        const record = this.pending.get(id);
+        if (!record)
+            return undefined;
+        const decision = {
+            approved: false,
+            approvedBy: deniedBy,
+            reason,
+        };
+        return this.resolve(id, 'denied', decision);
+    }
+    /** Get a single entry by ID (pending or historical) */
+    get(id) {
+        const record = this.pending.get(id);
+        if (record)
+            return { ...record.entry };
+        return this.history.find((e) => e.id === id);
+    }
+    /** List entries by status (default: 'pending') */
+    list(status = 'pending') {
+        if (status === 'pending' || status === 'all') {
+            const pendingEntries = Array.from(this.pending.values()).map((r) => ({ ...r.entry }));
+            if (status === 'pending')
+                return pendingEntries;
+            return [...pendingEntries, ...this.history];
+        }
+        return this.history.filter((e) => e.status === status);
+    }
+    /** Get aggregate stats */
+    stats() {
+        return {
+            pending: this.pending.size,
+            approved: this.approvedCount,
+            denied: this.deniedCount,
+            expired: this.expiredCount,
+            total: this.approvedCount + this.deniedCount + this.expiredCount + this.pending.size,
+        };
+    }
+    /** Number of pending approvals */
+    get pendingCount() {
+        return this.pending.size;
+    }
+    // --------------------------------------------------------------------------
+    // HTTP HANDLER
+    // --------------------------------------------------------------------------
+    /**
+     * Returns an HTTP request handler for the approval inbox API.
+     *
+     * Routes (relative to pathPrefix):
+     *   GET  /           — List approvals (?status=pending|approved|denied|expired|all)
+     *   GET  /stats      — Aggregate stats
+     *   GET  /sse        — SSE event stream
+     *   GET  /:id        — Get single entry
+     *   POST /:id/approve — Approve (body: { approvedBy, reason? })
+     *   POST /:id/deny    — Deny (body: { deniedBy?, reason? })
+     */
+    httpHandler() {
+        return (req, res) => {
+            const url = new URL(req.url ?? '/', `http://${req.headers.host ?? 'localhost'}`);
+            const path = url.pathname;
+            // CORS headers
+            res.setHeader('Access-Control-Allow-Origin', '*');
+            res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
+            res.setHeader('Access-Control-Allow-Headers', 'Content-Type');
+            if (req.method === 'OPTIONS') {
+                res.writeHead(204);
+                res.end();
+                return;
+            }
+            // Strip prefix
+            if (!path.startsWith(this.pathPrefix)) {
+                this.sendJson(res, 404, { error: 'Not found' });
+                return;
+            }
+            const subPath = path.slice(this.pathPrefix.length) || '/';
+            this.routeRequest(req, res, subPath, url);
+        };
+    }
+    /**
+     * Create a standalone HTTP server for the inbox.
+     * @returns The HTTP server instance (already listening).
+     */
+    startServer(port, hostname = '127.0.0.1') {
+        const handler = this.httpHandler();
+        const server = (0, http_1.createServer)(handler);
+        server.listen(port, hostname);
+        return server;
+    }
+    // --------------------------------------------------------------------------
+    // SSE
+    // --------------------------------------------------------------------------
+    /** Broadcast an event to all connected SSE clients */
+    broadcastSSE(event) {
+        const data = JSON.stringify(event);
+        const message = `event: ${event.type}\ndata: ${data}\n\n`;
+        for (const client of this.sseClients) {
+            try {
+                client.write(message);
+            }
+            catch {
+                this.sseClients.delete(client);
+            }
+        }
+    }
+    /** Register an SSE client */
+    addSSEClient(res) {
+        res.writeHead(200, {
+            'Content-Type': 'text/event-stream',
+            'Cache-Control': 'no-cache',
+            Connection: 'keep-alive',
+            'Access-Control-Allow-Origin': '*',
+        });
+        res.write(`event: connected\ndata: ${JSON.stringify({ pending: this.pending.size })}\n\n`);
+        this.sseClients.add(res);
+        const onClose = () => {
+            this.sseClients.delete(res);
+        };
+        res.on('close', onClose);
+        res.on('error', onClose);
+    }
+    // --------------------------------------------------------------------------
+    // INTERNAL
+    // --------------------------------------------------------------------------
+    resolve(id, status, decision) {
+        const record = this.pending.get(id);
+        if (record.timer)
+            clearTimeout(record.timer);
+        record.entry.status = status;
+        record.entry.decision = decision;
+        record.entry.resolvedAt = Date.now();
+        this.pending.delete(id);
+        this.addToHistory(record.entry);
+        if (status === 'approved')
+            this.approvedCount++;
+        else if (status === 'denied')
+            this.deniedCount++;
+        else
+            this.expiredCount++;
+        const eventType = status;
+        this.broadcastSSE({ type: eventType, entry: record.entry });
+        this.emit(status, record.entry);
+        record.resolve(decision);
+        return { ...record.entry };
+    }
+    expire(id) {
+        const record = this.pending.get(id);
+        if (!record)
+            return;
+        const decision = {
+            approved: false,
+            reason: `Approval request expired after ${record.entry.timeoutMs}ms`,
+        };
+        this.resolve(id, 'expired', decision);
+    }
+    addToHistory(entry) {
+        this.history.push(entry);
+        if (this.history.length > this.maxHistory) {
+            this.history.splice(0, this.history.length - this.maxHistory);
+        }
+    }
+    routeRequest(req, res, subPath, url) {
+        // GET / — list
+        if (subPath === '/' && req.method === 'GET') {
+            const status = (url.searchParams.get('status') ?? 'pending');
+            this.sendJson(res, 200, this.list(status));
+            return;
+        }
+        // GET /stats
+        if (subPath === '/stats' && req.method === 'GET') {
+            this.sendJson(res, 200, this.stats());
+            return;
+        }
+        // GET /sse
+        if (subPath === '/sse' && req.method === 'GET') {
+            this.addSSEClient(res);
+            return;
+        }
+        // POST /:id/approve
+        const approveMatch = subPath.match(/^\/([a-f0-9]+)\/approve$/);
+        if (approveMatch && req.method === 'POST') {
+            this.readBody(req).then((body) => {
+                const approvedBy = typeof body.approvedBy === 'string' ? body.approvedBy : 'anonymous';
+                const reason = typeof body.reason === 'string' ? body.reason : undefined;
+                const entry = this.approve(approveMatch[1], approvedBy, reason);
+                if (!entry) {
+                    this.sendJson(res, 404, { error: 'Approval not found or already resolved' });
+                }
+                else {
+                    this.sendJson(res, 200, entry);
+                }
+            }).catch(() => {
+                this.sendJson(res, 400, { error: 'Invalid request body' });
+            });
+            return;
+        }
+        // POST /:id/deny
+        const denyMatch = subPath.match(/^\/([a-f0-9]+)\/deny$/);
+        if (denyMatch && req.method === 'POST') {
+            this.readBody(req).then((body) => {
+                const deniedBy = typeof body.deniedBy === 'string' ? body.deniedBy : undefined;
+                const reason = typeof body.reason === 'string' ? body.reason : undefined;
+                const entry = this.deny(denyMatch[1], deniedBy, reason);
+                if (!entry) {
+                    this.sendJson(res, 404, { error: 'Approval not found or already resolved' });
+                }
+                else {
+                    this.sendJson(res, 200, entry);
+                }
+            }).catch(() => {
+                this.sendJson(res, 400, { error: 'Invalid request body' });
+            });
+            return;
+        }
+        // GET /:id
+        const idMatch = subPath.match(/^\/([a-f0-9]+)$/);
+        if (idMatch && req.method === 'GET') {
+            const entry = this.get(idMatch[1]);
+            if (!entry) {
+                this.sendJson(res, 404, { error: 'Approval not found' });
+            }
+            else {
+                this.sendJson(res, 200, entry);
+            }
+            return;
+        }
+        this.sendJson(res, 404, { error: 'Not found' });
+    }
+    sendJson(res, status, data) {
+        const body = JSON.stringify(data);
+        res.writeHead(status, {
+            'Content-Type': 'application/json',
+            'Content-Length': Buffer.byteLength(body),
+        });
+        res.end(body);
+    }
+    readBody(req) {
+        return new Promise((resolve, reject) => {
+            const chunks = [];
+            let size = 0;
+            const maxSize = 16_384; // 16KB max
+            req.on('data', (chunk) => {
+                size += chunk.length;
+                if (size > maxSize) {
+                    req.destroy();
+                    reject(new Error('Request body too large'));
+                    return;
+                }
+                chunks.push(chunk);
+            });
+            req.on('end', () => {
+                try {
+                    const raw = Buffer.concat(chunks).toString('utf-8');
+                    const parsed = raw.length > 0 ? JSON.parse(raw) : {};
+                    if (typeof parsed !== 'object' || parsed === null || Array.isArray(parsed)) {
+                        reject(new Error('Body must be a JSON object'));
+                    }
+                    else {
+                        resolve(parsed);
+                    }
+                }
+                catch {
+                    reject(new Error('Invalid JSON'));
+                }
+            });
+            req.on('error', reject);
+        });
+    }
+}
+exports.ApprovalInbox = ApprovalInbox;
+//# sourceMappingURL=approval-inbox.js.map

package/dist/lib/approval-inbox.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"approval-inbox.js","sourceRoot":"","sources":["../../lib/approval-inbox.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;GAgBG;;;AAEH,mCAAsC;AACtC,+BAA6E;AAC7E,mCAAqC;AA0DrC,+EAA+E;AAC/E,iBAAiB;AACjB,+EAA+E;AAE/E;;;;;;;;;;;;GAYG;AACH,MAAa,aAAc,SAAQ,qBAAY;IAC5B,OAAO,GAAG,IAAI,GAAG,EAI9B,CAAC;IACY,OAAO,GAAoB,EAAE,CAAC;IAC9B,UAAU,GAAG,IAAI,GAAG,EAAkB,CAAC;IAEvC,gBAAgB,CAAS;IACzB,UAAU,CAAS;IACnB,UAAU,CAAS;IACnB,UAAU,CAAS;IAEpC,gDAAgD;IACxC,aAAa,GAAG,CAAC,CAAC;IAClB,WAAW,GAAG,CAAC,CAAC;IAChB,YAAY,GAAG,CAAC,CAAC;IAEzB,YAAY,UAAgC,EAAE;QAC5C,KAAK,EAAE,CAAC;QACR,IAAI,CAAC,gBAAgB,GAAG,OAAO,CAAC,gBAAgB,IAAI,OAAO,CAAC;QAC5D,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,GAAG,CAAC;QAC5C,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,IAAI,CAAC;QAC7C,IAAI,CAAC,UAAU,GAAG,CAAC,OAAO,CAAC,UAAU,IAAI,YAAY,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IAC5E,CAAC;IAED,6EAA6E;IAC7E,WAAW;IACX,6EAA6E;IAE7E;;;OAGG;IACH,QAAQ;QACN,OAAO,CAAC,OAAwB,EAA6B,EAAE;YAC7D,OAAO,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAC/B,CAAC,CAAC;IACJ,CAAC;IAED;;;OAGG;IACH,OAAO,CAAC,OAAwB,EAAE,SAAkB;QAClD,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YACzC,OAAO,OAAO,CAAC,OAAO,CAAC,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,wBAAwB,EAAE,CAAC,CAAC;QAChF,CAAC;QAED,MAAM,EAAE,GAAG,IAAA,oBAAW,EAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QAC1C,MAAM,OAAO,GAAG,SAAS,IAAI,IAAI,CAAC,gBAAgB,CAAC;QAEnD,MAAM,KAAK,GAAkB;YAC3B,EAAE;YACF,OAAO;YACP,MAAM,EAAE,SAAS;YACjB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;YACrB,SAAS,EAAE,OAAO;SACnB,CAAC;QAEF,OAAO,IAAI,OAAO,CAAmB,CAAC,OAAO,EAAE,EAAE;YAC/C,MAAM,KAAK,GAAG,OAAO,GAAG,CAAC;gBACvB,CAAC,CAAC,UAAU,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,OAAO,CAAC;gBAC5C,CAAC,CAAC,IAAI,CAAC;YAET,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC;YAChD,IAAI,CAAC,YAAY,CAAC,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC;YAC1C,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;QAC1B,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;;OAGG;IACH,OAAO,CAAC,EAAU,EAAE,UAAkB,EAAE,MAAe;QACrD,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACpC,IAAI,CAAC,MAAM;YAAE,OAAO,SAAS,CAAC;QAE9B,MAAM,QAAQ,GAAqB;YACjC,QAAQ,EAAE,IAAI;YACd,UAAU;YACV,MAAM;SACP,CAAC;QAEF,OAAO,IAAI,CAAC,OAAO,CAAC,EAAE,EAAE,UAAU,EAAE,QAAQ,CAAC,CAAC;IAChD,CAAC;IAED;;;OAGG;IACH,IAAI,CAAC,EAAU,EAAE,QAAiB,EAAE,MAAe;QACjD,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACpC,IAAI,CAAC,MAAM;YAAE,OAAO,SAAS,CAAC;QAE9B,MAAM,QAAQ,GAAqB;YACjC,QAAQ,EAAE,KAAK;YACf,UAAU,EAAE,QAAQ;YACpB,MAAM;SACP,CAAC;QAEF,OAAO,IAAI,CAAC,OAAO,CAAC,EAAE,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC;IAC9C,CAAC;IAED,uDAAuD;IACvD,GAAG,CAAC,EAAU;QACZ,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACpC,IAAI,MAAM;YAAE,OAAO,EAAE,GAAG,MAAM,CAAC,KAAK,EAAE,CAAC;QACvC,OAAO,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC;IAC/C,CAAC;IAED,kDAAkD;IAClD,IAAI,CAAC,SAAiC,SAAS;QAC7C,IAAI,MAAM,KAAK,SAAS,IAAI,MAAM,KAAK,KAAK,EAAE,CAAC;YAC7C,MAAM,cAAc,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;YACtF,IAAI,MAAM,KAAK,SAAS;gBAAE,OAAO,cAAc,CAAC;YAChD,OAAO,CAAC,GAAG,cAAc,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC,CAAC;QAC9C,CAAC;QACD,OAAO,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC;IACzD,CAAC;IAED,0BAA0B;IAC1B,KAAK;QACH,OAAO;YACL,OAAO,EAAE,IAAI,CAAC,OAAO,CAAC,IAAI;YAC1B,QAAQ,EAAE,IAAI,CAAC,aAAa;YAC5B,MAAM,EAAE,IAAI,CAAC,WAAW;YACxB,OAAO,EAAE,IAAI,CAAC,YAAY;YAC1B,KAAK,EAAE,IAAI,CAAC,aAAa,GAAG,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI;SACrF,CAAC;IACJ,CAAC;IAED,kCAAkC;IAClC,IAAI,YAAY;QACd,OAAO,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC;IAC3B,CAAC;IAED,6EAA6E;IAC7E,eAAe;IACf,6EAA6E;IAE7E;;;;;;;;;;OAUG;IACH,WAAW;QACT,OAAO,CAAC,GAAoB,EAAE,GAAmB,EAAE,EAAE;YACnD,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,GAAG,EAAE,UAAU,GAAG,CAAC,OAAO,CAAC,IAAI,IAAI,WAAW,EAAE,CAAC,CAAC;YACjF,MAAM,IAAI,GAAG,GAAG,CAAC,QAAQ,CAAC;YAE1B,eAAe;YACf,GAAG,CAAC,SAAS,CAAC,6BAA6B,EAAE,GAAG,CAAC,CAAC;YAClD,GAAG,CAAC,SAAS,CAAC,8BAA8B,EAAE,oBAAoB,CAAC,CAAC;YACpE,GAAG,CAAC,SAAS,CAAC,8BAA8B,EAAE,cAAc,CAAC,CAAC;YAE9D,IAAI,GAAG,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;gBAC7B,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;gBACnB,GAAG,CAAC,GAAG,EAAE,CAAC;gBACV,OAAO;YACT,CAAC;YAED,eAAe;YACf,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC;gBACtC,IAAI,CAAC,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,WAAW,EAAE,CAAC,CAAC;gBAChD,OAAO;YACT,CAAC;YACD,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,GAAG,CAAC;YAE1D,IAAI,CAAC,YAAY,CAAC,GAAG,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,CAAC,CAAC;QAC5C,CAAC,CAAC;IACJ,CAAC;IAED;;;OAGG;IACH,WAAW,CAAC,IAAY,EAAE,QAAQ,GAAG,WAAW;QAC9C,MAAM,OAAO,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;QACnC,MAAM,MAAM,GAAG,IAAA,mBAAY,EAAC,OAAO,CAAC,CAAC;QACrC,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;QAC9B,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,6EAA6E;IAC7E,MAAM;IACN,6EAA6E;IAE7E,sDAAsD;IAC9C,YAAY,CAAC,KAAiB;QACpC,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QACnC,MAAM,OAAO,GAAG,UAAU,KAAK,CAAC,IAAI,WAAW,IAAI,MAAM,CAAC;QAC1D,KAAK,MAAM,MAAM,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YACrC,IAAI,CAAC;gBACH,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YACxB,CAAC;YAAC,MAAM,CAAC;gBACP,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;YACjC,CAAC;QACH,CAAC;IACH,CAAC;IAED,6BAA6B;IACrB,YAAY,CAAC,GAAmB;QACtC,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE;YACjB,cAAc,EAAE,mBAAmB;YACnC,eAAe,EAAE,UAAU;YAC3B,UAAU,EAAE,YAAY;YACxB,6BAA6B,EAAE,GAAG;SACnC,CAAC,CAAC;QACH,GAAG,CAAC,KAAK,CAAC,2BAA2B,IAAI,CAAC,SAAS,CAAC,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,MAAM,CAAC,CAAC;QAC3F,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAEzB,MAAM,OAAO,GAAG,GAAS,EAAE;YACzB,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC9B,CAAC,CAAC;QACF,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QACzB,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IAC3B,CAAC;IAED,6EAA6E;IAC7E,WAAW;IACX,6EAA6E;IAErE,OAAO,CAAC,EAAU,EAAE,MAAyC,EAAE,QAA0B;QAC/F,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAE,CAAC;QACrC,IAAI,MAAM,CAAC,KAAK;YAAE,YAAY,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAE7C,MAAM,CAAC,KAAK,CAAC,MAAM,GAAG,MAAM,CAAC;QAC7B,MAAM,CAAC,KAAK,CAAC,QAAQ,GAAG,QAAQ,CAAC;QACjC,MAAM,CAAC,KAAK,CAAC,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAErC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;QACxB,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAEhC,IAAI,MAAM,KAAK,UAAU;YAAE,IAAI,CAAC,aAAa,EAAE,CAAC;aAC3C,IAAI,MAAM,KAAK,QAAQ;YAAE,IAAI,CAAC,WAAW,EAAE,CAAC;;YAC5C,IAAI,CAAC,YAAY,EAAE,CAAC;QAEzB,MAAM,SAAS,GAAG,MAAwB,CAAC;QAC3C,IAAI,CAAC,YAAY,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC;QAC5D,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;QAChC,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;QAEzB,OAAO,EAAE,GAAG,MAAM,CAAC,KAAK,EAAE,CAAC;IAC7B,CAAC;IAEO,MAAM,CAAC,EAAU;QACvB,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACpC,IAAI,CAAC,MAAM;YAAE,OAAO;QAEpB,MAAM,QAAQ,GAAqB;YACjC,QAAQ,EAAE,KAAK;YACf,MAAM,EAAE,kCAAkC,MAAM,CAAC,KAAK,CAAC,SAAS,IAAI;SACrE,CAAC;QAEF,IAAI,CAAC,OAAO,CAAC,EAAE,EAAE,SAAS,EAAE,QAAQ,CAAC,CAAC;IACxC,CAAC;IAEO,YAAY,CAAC,KAAoB;QACvC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACzB,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;YAC1C,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,EAAE,IAAI,CAAC,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,UAAU,CAAC,CAAC;QAChE,CAAC;IACH,CAAC;IAEO,YAAY,CAAC,GAAoB,EAAE,GAAmB,EAAE,OAAe,EAAE,GAAQ;QACvF,eAAe;QACf,IAAI,OAAO,KAAK,GAAG,IAAI,GAAG,CAAC,MAAM,KAAK,KAAK,EAAE,CAAC;YAC5C,MAAM,MAAM,GAAG,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,SAAS,CAA2B,CAAC;YACvF,IAAI,CAAC,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC;YAC3C,OAAO;QACT,CAAC;QAED,aAAa;QACb,IAAI,OAAO,KAAK,QAAQ,IAAI,GAAG,CAAC,MAAM,KAAK,KAAK,EAAE,CAAC;YACjD,IAAI,CAAC,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC;YACtC,OAAO;QACT,CAAC;QAED,WAAW;QACX,IAAI,OAAO,KAAK,MAAM,IAAI,GAAG,CAAC,MAAM,KAAK,KAAK,EAAE,CAAC;YAC/C,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC;YACvB,OAAO;QACT,CAAC;QAED,oBAAoB;QACpB,MAAM,YAAY,GAAG,OAAO,CAAC,KAAK,CAAC,0BAA0B,CAAC,CAAC;QAC/D,IAAI,YAAY,IAAI,GAAG,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;YAC1C,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE;gBAC/B,MAAM,UAAU,GAAG,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,WAAW,CAAC;gBACvF,MAAM,MAAM,GAAG,OAAO,IAAI,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC;gBACzE,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,MAAM,CAAC,CAAC;gBAChE,IAAI,CAAC,KAAK,EAAE,CAAC;oBACX,IAAI,CAAC,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,wCAAwC,EAAE,CAAC,CAAC;gBAC/E,CAAC;qBAAM,CAAC;oBACN,IAAI,CAAC,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;gBACjC,CAAC;YACH,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE;gBACZ,IAAI,CAAC,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,sBAAsB,EAAE,CAAC,CAAC;YAC7D,CAAC,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,iBAAiB;QACjB,MAAM,SAAS,GAAG,OAAO,CAAC,KAAK,CAAC,uBAAuB,CAAC,CAAC;QACzD,IAAI,SAAS,IAAI,GAAG,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;YACvC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE;gBAC/B,MAAM,QAAQ,GAAG,OAAO,IAAI,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC;gBAC/E,MAAM,MAAM,GAAG,OAAO,IAAI,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC;gBACzE,MAAM,KAAK,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC;gBACxD,IAAI,CAAC,KAAK,EAAE,CAAC;oBACX,IAAI,CAAC,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,wCAAwC,EAAE,CAAC,CAAC;gBAC/E,CAAC;qBAAM,CAAC;oBACN,IAAI,CAAC,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;gBACjC,CAAC;YACH,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE;gBACZ,IAAI,CAAC,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,sBAAsB,EAAE,CAAC,CAAC;YAC7D,CAAC,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,WAAW;QACX,MAAM,OAAO,GAAG,OAAO,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC;QACjD,IAAI,OAAO,IAAI,GAAG,CAAC,MAAM,KAAK,KAAK,EAAE,CAAC;YACpC,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC;YACnC,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,IAAI,CAAC,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC,CAAC;YAC3D,CAAC;iBAAM,CAAC;gBACN,IAAI,CAAC,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;YACjC,CAAC;YACD,OAAO;QACT,CAAC;QAED,IAAI,CAAC,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,WAAW,EAAE,CAAC,CAAC;IAClD,CAAC;IAEO,QAAQ,CAAC,GAAmB,EAAE,MAAc,EAAE,IAAa;QACjE,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;QAClC,GAAG,CAAC,SAAS,CAAC,MAAM,EAAE;YACpB,cAAc,EAAE,kBAAkB;YAClC,gBAAgB,EAAE,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;SAC1C,CAAC,CAAC;QACH,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAChB,CAAC;IAEO,QAAQ,CAAC,GAAoB;QACnC,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YACrC,MAAM,MAAM,GAAa,EAAE,CAAC;YAC5B,IAAI,IAAI,GAAG,CAAC,CAAC;YACb,MAAM,OAAO,GAAG,MAAM,CAAC,CAAC,WAAW;YAEnC,GAAG,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;gBAC/B,IAAI,IAAI,KAAK,CAAC,MAAM,CAAC;gBACrB,IAAI,IAAI,GAAG,OAAO,EAAE,CAAC;oBACnB,GAAG,CAAC,OAAO,EAAE,CAAC;oBACd,MAAM,CAAC,IAAI,KAAK,CAAC,wBAAwB,CAAC,CAAC,CAAC;oBAC5C,OAAO;gBACT,CAAC;gBACD,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACrB,CAAC,CAAC,CAAC;YAEH,GAAG,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE;gBACjB,IAAI,CAAC;oBACH,MAAM,GAAG,GAAG,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;oBACpD,MAAM,MAAM,GAAY,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;oBAC9D,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,KAAK,IAAI,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;wBAC3E,MAAM,CAAC,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC,CAAC;oBAClD,CAAC;yBAAM,CAAC;wBACN,OAAO,CAAC,MAAiC,CAAC,CAAC;oBAC7C,CAAC;gBACH,CAAC;gBAAC,MAAM,CAAC;oBACP,MAAM,CAAC,IAAI,KAAK,CAAC,cAAc,CAAC,CAAC,CAAC;gBACpC,CAAC;YACH,CAAC,CAAC,CAAC;YAEH,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAC1B,CAAC,CAAC,CAAC;IACL,CAAC;CACF;AAlYD,sCAkYC"}

package/dist/lib/auth-guardian.d.ts

@@ -0,0 +1,170 @@
+/**
+ * Universal permission wall for multi-agent systems.
+ *
+ * Evaluates permission requests using a weighted formula of justification
+ * quality (40%), agent trust level (30%), and risk score (30%).
+ * Resource types, risk profiles, trust levels, and restrictions are all
+ * configurable — works for coding, finance, DevOps, or any domain.
+ *
+ * @module AuthGuardian
+ */
+import type { ActiveGrant, PermissionGrant, ResourceProfile, AgentTrustConfig } from './orchestrator-types';
+/**
+ * Universal permission wall for multi-agent systems.
+ *
+ * Evaluates permission requests using a weighted formula of justification
+ * quality (40%), agent trust level (30%), and risk score (30%).
+ * Resource types, risk profiles, trust levels, and restrictions are all
+ * configurable — works for coding, finance, DevOps, or any domain.
+ *
+ * @example
+ * ```typescript
+ * const guardian = new AuthGuardian({
+ *   trustLevels: [{ agentId: 'analyst', trustLevel: 0.8 }],
+ *   resourceProfiles: { CUSTOM_API: { baseRisk: 0.5, defaultRestrictions: ['audit_required'] } },
+ * });
+ *
+ * const grant = await guardian.requestPermission(
+ *   'analyst', 'CUSTOM_API', 'Need to fetch Q4 revenue data for report', 'read'
+ * );
+ * if (grant.granted) {
+ *   // Use grant.grantToken to prove authorization
+ * }
+ * ```
+ */
+export declare class AuthGuardian {
+    private activeGrants;
+    private agentTrustLevels;
+    private agentTrustConfigs;
+    private resourceProfiles;
+    private auditLog;
+    private auditLogPath;
+    private trustConfigPath;
+    private readonly signingAlgorithm;
+    private readonly hmacSecret;
+    private readonly ed25519PrivateKey;
+    private readonly ed25519PublicKey;
+    constructor(options?: {
+        trustLevels?: AgentTrustConfig[];
+        resourceProfiles?: Record<string, ResourceProfile>;
+        auditLogPath?: string;
+        trustConfigPath?: string;
+        /** Signing algorithm for grant tokens. Default: 'hmac-sha256'. */
+        algorithm?: 'hmac-sha256' | 'ed25519';
+        /** HMAC secret (only used when algorithm is 'hmac-sha256'). Auto-generated if omitted. */
+        hmacSecret?: string;
+    });
+    /**
+     * Register a new resource type at runtime.
+     * Makes the system extensible for any domain.
+     */
+    registerResourceType(name: string, profile: ResourceProfile): void;
+    /**
+     * Register or update an agent's trust configuration at runtime.
+     */
+    registerAgentTrust(config: AgentTrustConfig): void;
+    /**
+     * Request permission to access a resource.
+     * resourceType is now a free string -- validated against registered profiles.
+     */
+    requestPermission(agentId: string, resourceType: string, justification: string, scope?: string): Promise<PermissionGrant>;
+    /**
+     * Validate a grant token and return `true` if it is active and not expired.
+     *
+     * @param token - The grant token to validate
+     * @returns `true` if the token is valid, `false` otherwise
+     */
+    validateToken(token: string): boolean;
+    /**
+     * Validate a token and return the full grant object (including restrictions
+     * and scope) for point-of-use enforcement.
+     *
+     * @param token - The grant token to validate
+     * @returns The grant details, or `null` if invalid/expired
+     */
+    validateTokenWithGrant(token: string): ActiveGrant | null;
+    /**
+     * Enforce restrictions on an operation. Returns an error string if
+     * the operation violates any restriction, or `null` if all restrictions pass.
+     *
+     * @param grantToken  - The grant token authorizing the operation
+     * @param operation   - Description of the operation to check against restrictions
+     * @returns Error message string if a restriction is violated, or `null` if allowed
+     */
+    enforceRestrictions(grantToken: string, operation: {
+        type?: string;
+        recordCount?: number;
+        hasAttachments?: boolean;
+        targetPath?: string;
+        command?: string;
+    }): string | null;
+    /**
+     * Revoke a grant token, immediately invalidating it.
+     * Silently no-ops if the token doesn't exist.
+     *
+     * @param token - The grant token to revoke
+     */
+    revokeToken(token: string): void;
+    private evaluateRequest;
+    /**
+     * Improved justification scoring with resource-relevance checking.
+     * Prevents trivial gaming by verifying the justification mentions
+     * concepts relevant to the requested resource.
+     */
+    private scoreJustification;
+    private assessRisk;
+    private generateGrantToken;
+    /**
+     * Verify a grant token's cryptographic signature.
+     * For Ed25519 tokens, this can be done by any party holding the public key.
+     * For HMAC tokens, only the issuing AuthGuardian can verify.
+     *
+     * @param token - The grant token to verify
+     * @returns `true` if the signature is valid
+     */
+    verifyTokenSignature(token: string): boolean;
+    /**
+     * Get the signing algorithm used by this AuthGuardian instance.
+     */
+    getSigningAlgorithm(): 'hmac-sha256' | 'ed25519';
+    /**
+     * Export the Ed25519 public key in PEM format for third-party verification.
+     * Returns `null` if the instance uses HMAC signing.
+     */
+    exportPublicKey(): string | null;
+    private log;
+    /**
+     * Get all active (non-expired) permission grants.
+     * Automatically cleans up expired grants before returning.
+     */
+    getActiveGrants(): ActiveGrant[];
+    /**
+     * Get the full audit log of permission decisions.
+     * Returns a defensive copy.
+     */
+    getAuditLog(): typeof this.auditLog;
+    /**
+     * Get all registered resource profiles.
+     */
+    getResourceProfiles(): Record<string, ResourceProfile>;
+    /**
+     * Get the allowed namespaces for an agent (used by blackboard scoping).
+     */
+    getAgentNamespaces(agentId: string): string[];
+    /** Path for the resource profiles policy file. */
+    private get resourceProfilesPath();
+    /**
+     * Load resource profiles from `data/resource-profiles.json` if it exists.
+     * Expected format: `{ "PROFILE_NAME": { baseRisk, defaultRestrictions, description? } }`
+     */
+    private loadResourceProfilesFromDisk;
+    /**
+     * Persist the current resource profiles to `data/resource-profiles.json`.
+     * Useful after calling registerResourceType() at runtime.
+     */
+    persistResourceProfiles(): void;
+    private loadTrustFromDisk;
+    private persistTrustToDisk;
+    private loadAuditFromDisk;
+}
+//# sourceMappingURL=auth-guardian.d.ts.map

package/dist/lib/auth-guardian.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-guardian.d.ts","sourceRoot":"","sources":["../../lib/auth-guardian.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAYH,OAAO,KAAK,EACV,WAAW,EACX,eAAe,EACf,eAAe,EACf,gBAAgB,EACjB,MAAM,sBAAsB,CAAC;AAE9B;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,qBAAa,YAAY;IACvB,OAAO,CAAC,YAAY,CAAuC;IAC3D,OAAO,CAAC,gBAAgB,CAAkC;IAC1D,OAAO,CAAC,iBAAiB,CAA4C;IACrE,OAAO,CAAC,gBAAgB,CAA2C;IACnE,OAAO,CAAC,QAAQ,CAAsE;IACtF,OAAO,CAAC,YAAY,CAAS;IAC7B,OAAO,CAAC,eAAe,CAAS;IAChC,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAA4B;IAC7D,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;IACpC,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAmB;IACrD,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAmB;gBAExC,OAAO,CAAC,EAAE;QACpB,WAAW,CAAC,EAAE,gBAAgB,EAAE,CAAC;QACjC,gBAAgB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC;QACnD,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,eAAe,CAAC,EAAE,MAAM,CAAC;QACzB,kEAAkE;QAClE,SAAS,CAAC,EAAE,aAAa,GAAG,SAAS,CAAC;QACtC,0FAA0F;QAC1F,UAAU,CAAC,EAAE,MAAM,CAAC;KACrB;IAkCD;;;OAGG;IACH,oBAAoB,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,eAAe,GAAG,IAAI;IAgBlE;;OAEG;IACH,kBAAkB,CAAC,MAAM,EAAE,gBAAgB,GAAG,IAAI;IAelD;;;OAGG;IACG,iBAAiB,CACrB,OAAO,EAAE,MAAM,EACf,YAAY,EAAE,MAAM,EACpB,aAAa,EAAE,MAAM,EACrB,KAAK,CAAC,EAAE,MAAM,GACb,OAAO,CAAC,eAAe,CAAC;IA4E3B;;;;;OAKG;IACH,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO;IAarC;;;;;;OAMG;IACH,sBAAsB,CAAC,KAAK,EAAE,MAAM,GAAG,WAAW,GAAG,IAAI;IAazD;;;;;;;OAOG;IACH,mBAAmB,CAAC,UAAU,EAAE,MAAM,EAAE,SAAS,EAAE;QACjD,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,cAAc,CAAC,EAAE,OAAO,CAAC;QACzB,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,OAAO,CAAC,EAAE,MAAM,CAAC;KAClB,GAAG,MAAM,GAAG,IAAI;IA2DjB;;;;;OAKG;IACH,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI;IAKhC,OAAO,CAAC,eAAe;IAqDvB;;;;OAIG;IACH,OAAO,CAAC,kBAAkB;IAmD1B,OAAO,CAAC,UAAU;IAkBlB,OAAO,CAAC,kBAAkB;IAY1B;;;;;;;OAOG;IACH,oBAAoB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO;IAsB5C;;OAEG;IACH,mBAAmB,IAAI,aAAa,GAAG,SAAS;IAIhD;;;OAGG;IACH,eAAe,IAAI,MAAM,GAAG,IAAI;IAKhC,OAAO,CAAC,GAAG;IAoBX;;;OAGG;IACH,eAAe,IAAI,WAAW,EAAE;IAWhC;;;OAGG;IACH,WAAW,IAAI,OAAO,IAAI,CAAC,QAAQ;IAInC;;OAEG;IACH,mBAAmB,IAAI,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC;IAItD;;OAEG;IACH,kBAAkB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,EAAE;IAQ7C,kDAAkD;IAClD,OAAO,KAAK,oBAAoB,GAE/B;IAED;;;OAGG;IACH,OAAO,CAAC,4BAA4B;IAapC;;;OAGG;IACH,uBAAuB,IAAI,IAAI;IAgB/B,OAAO,CAAC,iBAAiB;IAUzB,OAAO,CAAC,kBAAkB;IAa1B,OAAO,CAAC,iBAAiB;CAa1B"}