npm - palaryn - Versions diffs - 0.1.0 → 0.3.2 - Mend

palaryn 0.1.0 → 0.3.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (344) hide show

package/README.md +243 -588
package/dist/sdk/typescript/src/client.js +2 -2
package/dist/sdk/typescript/src/client.js.map +1 -1
package/dist/src/anomaly/detector.d.ts +7 -4
package/dist/src/anomaly/detector.d.ts.map +1 -1
package/dist/src/anomaly/detector.js +22 -12
package/dist/src/anomaly/detector.js.map +1 -1
package/dist/src/audit/logger.d.ts +10 -0
package/dist/src/audit/logger.d.ts.map +1 -1
package/dist/src/audit/logger.js +52 -38
package/dist/src/audit/logger.js.map +1 -1
package/dist/src/auth/routes.d.ts.map +1 -1
package/dist/src/auth/routes.js +35 -0
package/dist/src/auth/routes.js.map +1 -1
package/dist/src/budget/manager.d.ts +5 -0
package/dist/src/budget/manager.d.ts.map +1 -1
package/dist/src/budget/manager.js +32 -0
package/dist/src/budget/manager.js.map +1 -1
package/dist/src/budget/model-pricing.d.ts +20 -0
package/dist/src/budget/model-pricing.d.ts.map +1 -0
package/dist/src/budget/model-pricing.js +107 -0
package/dist/src/budget/model-pricing.js.map +1 -0
package/dist/src/budget/usage-extractor.d.ts +3 -1
package/dist/src/budget/usage-extractor.d.ts.map +1 -1
package/dist/src/budget/usage-extractor.js +47 -3
package/dist/src/budget/usage-extractor.js.map +1 -1
package/dist/src/config/defaults.d.ts.map +1 -1
package/dist/src/config/defaults.js +65 -13
package/dist/src/config/defaults.js.map +1 -1
package/dist/src/dlp/tool-patterns.d.ts +7 -0
package/dist/src/dlp/tool-patterns.d.ts.map +1 -0
package/dist/src/dlp/tool-patterns.js +34 -0
package/dist/src/dlp/tool-patterns.js.map +1 -0
package/dist/src/executor/filesystem-executor.d.ts +28 -0
package/dist/src/executor/filesystem-executor.d.ts.map +1 -0
package/dist/src/executor/filesystem-executor.js +192 -0
package/dist/src/executor/filesystem-executor.js.map +1 -0
package/dist/src/executor/http-executor.d.ts.map +1 -1
package/dist/src/executor/http-executor.js +22 -2
package/dist/src/executor/http-executor.js.map +1 -1
package/dist/src/executor/index.d.ts +4 -0
package/dist/src/executor/index.d.ts.map +1 -1
package/dist/src/executor/index.js +9 -1
package/dist/src/executor/index.js.map +1 -1
package/dist/src/executor/shell-executor.d.ts +22 -0
package/dist/src/executor/shell-executor.d.ts.map +1 -0
package/dist/src/executor/shell-executor.js +119 -0
package/dist/src/executor/shell-executor.js.map +1 -0
package/dist/src/executor/sql-executor.d.ts +29 -0
package/dist/src/executor/sql-executor.d.ts.map +1 -0
package/dist/src/executor/sql-executor.js +114 -0
package/dist/src/executor/sql-executor.js.map +1 -0
package/dist/src/executor/websocket-executor.d.ts +26 -0
package/dist/src/executor/websocket-executor.d.ts.map +1 -0
package/dist/src/executor/websocket-executor.js +205 -0
package/dist/src/executor/websocket-executor.js.map +1 -0
package/dist/src/interceptor/index.d.ts +2 -0
package/dist/src/interceptor/index.d.ts.map +1 -0
package/dist/src/interceptor/index.js +6 -0
package/dist/src/interceptor/index.js.map +1 -0
package/dist/src/interceptor/provider-interceptor.d.ts +36 -0
package/dist/src/interceptor/provider-interceptor.d.ts.map +1 -0
package/dist/src/interceptor/provider-interceptor.js +302 -0
package/dist/src/interceptor/provider-interceptor.js.map +1 -0
package/dist/src/mcp/auth-verifier.d.ts.map +1 -1
package/dist/src/mcp/auth-verifier.js +3 -2
package/dist/src/mcp/auth-verifier.js.map +1 -1
package/dist/src/mcp/bridge.d.ts +14 -10
package/dist/src/mcp/bridge.d.ts.map +1 -1
package/dist/src/mcp/bridge.js +51 -227
package/dist/src/mcp/bridge.js.map +1 -1
package/dist/src/mcp/http-transport.d.ts +2 -0
package/dist/src/mcp/http-transport.d.ts.map +1 -1
package/dist/src/mcp/http-transport.js +117 -66
package/dist/src/mcp/http-transport.js.map +1 -1
package/dist/src/mcp/internal-auth.d.ts +13 -0
package/dist/src/mcp/internal-auth.d.ts.map +1 -0
package/dist/src/mcp/internal-auth.js +12 -0
package/dist/src/mcp/internal-auth.js.map +1 -0
package/dist/src/mcp/tool-definitions.d.ts +41 -0
package/dist/src/mcp/tool-definitions.d.ts.map +1 -0
package/dist/src/mcp/tool-definitions.js +491 -0
package/dist/src/mcp/tool-definitions.js.map +1 -0
package/dist/src/middleware/auth.js.map +1 -1
package/dist/src/middleware/session.js.map +1 -1
package/dist/src/middleware/validate.d.ts +8 -0
package/dist/src/middleware/validate.d.ts.map +1 -1
package/dist/src/middleware/validate.js +45 -0
package/dist/src/middleware/validate.js.map +1 -1
package/dist/src/policy/engine.d.ts +4 -0
package/dist/src/policy/engine.d.ts.map +1 -1
package/dist/src/policy/engine.js +117 -0
package/dist/src/policy/engine.js.map +1 -1
package/dist/src/saas/routes.d.ts.map +1 -1
package/dist/src/saas/routes.js +355 -22
package/dist/src/saas/routes.js.map +1 -1
package/dist/src/server/app.d.ts.map +1 -1
package/dist/src/server/app.js +24 -3
package/dist/src/server/app.js.map +1 -1
package/dist/src/server/gateway.d.ts.map +1 -1
package/dist/src/server/gateway.js +17 -0
package/dist/src/server/gateway.js.map +1 -1
package/dist/src/server/index.d.ts.map +1 -1
package/dist/src/server/index.js +18 -0
package/dist/src/server/index.js.map +1 -1
package/dist/src/storage/interfaces.d.ts +14 -3
package/dist/src/storage/interfaces.d.ts.map +1 -1
package/dist/src/storage/memory.d.ts +2 -0
package/dist/src/storage/memory.d.ts.map +1 -1
package/dist/src/storage/memory.js +6 -0
package/dist/src/storage/memory.js.map +1 -1
package/dist/src/storage/postgres.d.ts +5 -0
package/dist/src/storage/postgres.d.ts.map +1 -1
package/dist/src/storage/postgres.js +16 -0
package/dist/src/storage/postgres.js.map +1 -1
package/dist/src/storage/redis.d.ts +10 -0
package/dist/src/storage/redis.d.ts.map +1 -1
package/dist/src/storage/redis.js +65 -0
package/dist/src/storage/redis.js.map +1 -1
package/dist/src/types/budget.d.ts +4 -0
package/dist/src/types/budget.d.ts.map +1 -1
package/dist/src/types/config.d.ts +58 -0
package/dist/src/types/config.d.ts.map +1 -1
package/dist/src/types/events.d.ts +1 -0
package/dist/src/types/events.d.ts.map +1 -1
package/dist/src/types/policy.d.ts +11 -1
package/dist/src/types/policy.d.ts.map +1 -1
package/dist/src/types/tool-result.d.ts +11 -0
package/dist/src/types/tool-result.d.ts.map +1 -1
package/dist/tests/unit/app-routes.test.d.ts +2 -0
package/dist/tests/unit/app-routes.test.d.ts.map +1 -0
package/dist/tests/unit/app-routes.test.js +715 -0
package/dist/tests/unit/app-routes.test.js.map +1 -0
package/dist/tests/unit/audit-logger.test.js +105 -0
package/dist/tests/unit/audit-logger.test.js.map +1 -1
package/dist/tests/unit/auth-providers.test.d.ts +2 -0
package/dist/tests/unit/auth-providers.test.d.ts.map +1 -0
package/dist/tests/unit/auth-providers.test.js +279 -0
package/dist/tests/unit/auth-providers.test.js.map +1 -0
package/dist/tests/unit/auth-routes-extended.test.d.ts +2 -0
package/dist/tests/unit/auth-routes-extended.test.d.ts.map +1 -0
package/dist/tests/unit/auth-routes-extended.test.js +993 -0
package/dist/tests/unit/auth-routes-extended.test.js.map +1 -0
package/dist/tests/unit/auth-verifier.test.d.ts +2 -0
package/dist/tests/unit/auth-verifier.test.d.ts.map +1 -0
package/dist/tests/unit/auth-verifier.test.js +505 -0
package/dist/tests/unit/auth-verifier.test.js.map +1 -0
package/dist/tests/unit/billing-routes.test.d.ts +2 -0
package/dist/tests/unit/billing-routes.test.d.ts.map +1 -0
package/dist/tests/unit/billing-routes.test.js +432 -0
package/dist/tests/unit/billing-routes.test.js.map +1 -0
package/dist/tests/unit/config-defaults.test.d.ts +2 -0
package/dist/tests/unit/config-defaults.test.d.ts.map +1 -0
package/dist/tests/unit/config-defaults.test.js +119 -0
package/dist/tests/unit/config-defaults.test.js.map +1 -0
package/dist/tests/unit/defaults.test.js +0 -10
package/dist/tests/unit/defaults.test.js.map +1 -1
package/dist/tests/unit/filesystem-executor.test.d.ts +2 -0
package/dist/tests/unit/filesystem-executor.test.d.ts.map +1 -0
package/dist/tests/unit/filesystem-executor.test.js +280 -0
package/dist/tests/unit/filesystem-executor.test.js.map +1 -0
package/dist/tests/unit/gateway-branches.test.d.ts +2 -0
package/dist/tests/unit/gateway-branches.test.d.ts.map +1 -0
package/dist/tests/unit/gateway-branches.test.js +1039 -0
package/dist/tests/unit/gateway-branches.test.js.map +1 -0
package/dist/tests/unit/http-executor-branches.test.d.ts +2 -0
package/dist/tests/unit/http-executor-branches.test.d.ts.map +1 -0
package/dist/tests/unit/http-executor-branches.test.js +495 -0
package/dist/tests/unit/http-executor-branches.test.js.map +1 -0
package/dist/tests/unit/logger.test.d.ts +2 -0
package/dist/tests/unit/logger.test.d.ts.map +1 -0
package/dist/tests/unit/logger.test.js +97 -0
package/dist/tests/unit/logger.test.js.map +1 -0
package/dist/tests/unit/mcp-internal-auth.test.d.ts +2 -0
package/dist/tests/unit/mcp-internal-auth.test.d.ts.map +1 -0
package/dist/tests/unit/mcp-internal-auth.test.js +445 -0
package/dist/tests/unit/mcp-internal-auth.test.js.map +1 -0
package/dist/tests/unit/metrics.test.js +102 -0
package/dist/tests/unit/metrics.test.js.map +1 -1
package/dist/tests/unit/model-pricing.test.d.ts +2 -0
package/dist/tests/unit/model-pricing.test.d.ts.map +1 -0
package/dist/tests/unit/model-pricing.test.js +87 -0
package/dist/tests/unit/model-pricing.test.js.map +1 -0
package/dist/tests/unit/oauth-stores.test.d.ts +2 -0
package/dist/tests/unit/oauth-stores.test.d.ts.map +1 -0
package/dist/tests/unit/oauth-stores.test.js +260 -0
package/dist/tests/unit/oauth-stores.test.js.map +1 -0
package/dist/tests/unit/policy-engine.test.js +466 -0
package/dist/tests/unit/policy-engine.test.js.map +1 -1
package/dist/tests/unit/provider-interceptor.test.d.ts +2 -0
package/dist/tests/unit/provider-interceptor.test.d.ts.map +1 -0
package/dist/tests/unit/provider-interceptor.test.js +472 -0
package/dist/tests/unit/provider-interceptor.test.js.map +1 -0
package/dist/tests/unit/saas-routes-branches.test.d.ts +2 -0
package/dist/tests/unit/saas-routes-branches.test.d.ts.map +1 -0
package/dist/tests/unit/saas-routes-branches.test.js +2165 -0
package/dist/tests/unit/saas-routes-branches.test.js.map +1 -0
package/dist/tests/unit/saas-routes-crud.test.d.ts +2 -0
package/dist/tests/unit/saas-routes-crud.test.d.ts.map +1 -0
package/dist/tests/unit/saas-routes-crud.test.js +332 -0
package/dist/tests/unit/saas-routes-crud.test.js.map +1 -0
package/dist/tests/unit/saas-routes-data.test.d.ts +2 -0
package/dist/tests/unit/saas-routes-data.test.d.ts.map +1 -0
package/dist/tests/unit/saas-routes-data.test.js +405 -0
package/dist/tests/unit/saas-routes-data.test.js.map +1 -0
package/dist/tests/unit/saas-routes.test.js +3 -3
package/dist/tests/unit/saas-routes.test.js.map +1 -1
package/dist/tests/unit/shell-executor.test.d.ts +2 -0
package/dist/tests/unit/shell-executor.test.d.ts.map +1 -0
package/dist/tests/unit/shell-executor.test.js +145 -0
package/dist/tests/unit/shell-executor.test.js.map +1 -0
package/dist/tests/unit/sql-executor.test.d.ts +2 -0
package/dist/tests/unit/sql-executor.test.d.ts.map +1 -0
package/dist/tests/unit/sql-executor.test.js +177 -0
package/dist/tests/unit/sql-executor.test.js.map +1 -0
package/dist/tests/unit/stream-proxy.test.d.ts +2 -0
package/dist/tests/unit/stream-proxy.test.d.ts.map +1 -0
package/dist/tests/unit/stream-proxy.test.js +147 -0
package/dist/tests/unit/stream-proxy.test.js.map +1 -0
package/dist/tests/unit/tool-definitions.test.d.ts +2 -0
package/dist/tests/unit/tool-definitions.test.d.ts.map +1 -0
package/dist/tests/unit/tool-definitions.test.js +184 -0
package/dist/tests/unit/tool-definitions.test.js.map +1 -0
package/dist/tests/unit/usage-extractor.test.js +140 -0
package/dist/tests/unit/usage-extractor.test.js.map +1 -1
package/dist/tests/unit/webhook-handler.test.d.ts +2 -0
package/dist/tests/unit/webhook-handler.test.d.ts.map +1 -0
package/dist/tests/unit/webhook-handler.test.js +453 -0
package/dist/tests/unit/webhook-handler.test.js.map +1 -0
package/dist/tests/unit/webhook-routes.test.d.ts +2 -0
package/dist/tests/unit/webhook-routes.test.d.ts.map +1 -0
package/dist/tests/unit/webhook-routes.test.js +69 -0
package/dist/tests/unit/webhook-routes.test.js.map +1 -0
package/dist/tests/unit/websocket-executor.test.d.ts +2 -0
package/dist/tests/unit/websocket-executor.test.d.ts.map +1 -0
package/dist/tests/unit/websocket-executor.test.js +121 -0
package/dist/tests/unit/websocket-executor.test.js.map +1 -0
package/package.json +8 -2
package/policy-packs/demo_fail.yaml +41 -0
package/policy-packs/full_tools.yaml +136 -0
package/src/admin/index.ts +1 -0
package/src/admin/routes.ts +509 -0
package/src/admin/templates.ts +572 -0
package/src/anomaly/detector.ts +730 -0
package/src/anomaly/index.ts +1 -0
package/src/approval/manager.ts +569 -0
package/src/approval/webhook.ts +133 -0
package/src/audit/logger.ts +490 -0
package/src/auth/index.ts +5 -0
package/src/auth/password.ts +21 -0
package/src/auth/pkce.ts +22 -0
package/src/auth/providers.ts +208 -0
package/src/auth/routes.ts +561 -0
package/src/auth/session.ts +84 -0
package/src/billing/index.ts +6 -0
package/src/billing/plan-enforcer.ts +135 -0
package/src/billing/routes.ts +229 -0
package/src/billing/stripe-client.ts +58 -0
package/src/billing/webhook-handler.ts +182 -0
package/src/billing/webhook-routes.ts +28 -0
package/src/budget/manager.ts +679 -0
package/src/budget/model-pricing.ts +119 -0
package/src/budget/usage-extractor.ts +214 -0
package/src/cli.ts +91 -0
package/src/config/defaults.ts +261 -0
package/src/config/validate.ts +88 -0
package/src/dlp/composite-scanner.ts +213 -0
package/src/dlp/index.ts +9 -0
package/src/dlp/interfaces.ts +34 -0
package/src/dlp/patterns.ts +30 -0
package/src/dlp/prompt-injection-backend.ts +181 -0
package/src/dlp/prompt-injection-patterns.ts +302 -0
package/src/dlp/regex-backend.ts +181 -0
package/src/dlp/scanner.ts +502 -0
package/src/dlp/text-normalizer.ts +225 -0
package/src/dlp/tool-patterns.ts +35 -0
package/src/dlp/trufflehog-backend.ts +190 -0
package/src/executor/filesystem-executor.ts +196 -0
package/src/executor/http-executor.ts +349 -0
package/src/executor/index.ts +9 -0
package/src/executor/interfaces.ts +11 -0
package/src/executor/noop-executor.ts +23 -0
package/src/executor/registry.ts +64 -0
package/src/executor/shell-executor.ts +148 -0
package/src/executor/slack-executor.ts +176 -0
package/src/executor/sql-executor.ts +146 -0
package/src/executor/websocket-executor.ts +211 -0
package/src/index.ts +24 -0
package/src/interceptor/index.ts +1 -0
package/src/interceptor/provider-interceptor.ts +315 -0
package/src/mcp/auth-verifier.ts +152 -0
package/src/mcp/bridge.ts +703 -0
package/src/mcp/http-transport.ts +698 -0
package/src/mcp/index.ts +9 -0
package/src/mcp/internal-auth.ts +14 -0
package/src/mcp/oauth-pages.ts +139 -0
package/src/mcp/oauth-postgres-stores.ts +278 -0
package/src/mcp/oauth-provider.ts +536 -0
package/src/mcp/oauth-stores.ts +202 -0
package/src/mcp/server.ts +55 -0
package/src/mcp/tool-definitions.ts +562 -0
package/src/metrics/collector.ts +357 -0
package/src/metrics/index.ts +1 -0
package/src/middleware/auth.ts +814 -0
package/src/middleware/session.ts +85 -0
package/src/middleware/validate.ts +130 -0
package/src/policy/engine.ts +815 -0
package/src/policy/index.ts +2 -0
package/src/policy/opa-engine.ts +829 -0
package/src/proxy/forward-proxy.ts +649 -0
package/src/proxy/index.ts +1 -0
package/src/ratelimit/limiter.ts +196 -0
package/src/replay/engine.ts +142 -0
package/src/replay/index.ts +1 -0
package/src/saas/index.ts +1 -0
package/src/saas/routes.ts +2178 -0
package/src/server/app.ts +985 -0
package/src/server/errors.ts +49 -0
package/src/server/gateway.ts +1130 -0
package/src/server/index.ts +307 -0
package/src/server/logger.ts +255 -0
package/src/server/stream-proxy.ts +202 -0
package/src/storage/file-persistence.ts +315 -0
package/src/storage/index.ts +4 -0
package/src/storage/interfaces.ts +287 -0
package/src/storage/memory.ts +686 -0
package/src/storage/postgres.ts +1831 -0
package/src/storage/redis.ts +835 -0
package/src/tracing/index.ts +1 -0
package/src/tracing/provider.ts +100 -0
package/src/trust/calculator.ts +141 -0
package/src/trust/index.ts +7 -0
package/src/types/budget.ts +36 -0
package/src/types/config.ts +278 -0
package/src/types/events.ts +41 -0
package/src/types/express.d.ts +14 -0
package/src/types/index.ts +7 -0
package/src/types/policy.ts +83 -0
package/src/types/stripe-config.ts +11 -0
package/src/types/subscription.ts +59 -0
package/src/types/tool-call.ts +47 -0
package/src/types/tool-result.ts +82 -0
package/src/types/user.ts +125 -0
package/tsconfig.json +24 -0

package/src/storage/interfaces.ts ADDED Viewed

@@ -0,0 +1,287 @@
+import { BudgetState } from '../types/budget';
+import { AuditEvent, EventType } from '../types/events';
+import { PolicyPack } from '../types/policy';
+import {
+  User,
+  OAuthAccount,
+  OAuthProvider,
+  Workspace,
+  WorkspaceMember,
+  Session,
+  UserApiKey,
+} from '../types/user';
+import { Subscription } from '../types/subscription';
+import { ToolResult } from '../types/tool-result';
+/**
+ * Record stored by the ApprovalStore. Mirrors the shape created by ApprovalManager.
+ */
+export interface ApprovalRecord {
+  approval_id: string;
+  tool_call_id: string;
+  task_id: string;
+  workspace_id: string;
+  actor_id: string;
+  requesting_api_key_id?: string;
+  tool_name: string;
+  tool_capability: string;
+  args_summary: string;
+  scope: string;
+  reason: string;
+  token_hash: string;
+  status: 'pending' | 'approved' | 'denied' | 'expired';
+  created_at: string;
+  expires_at: string;
+  resolved_at?: string;
+  resolved_by?: string;
+  denial_reason?: string;
+}
+/**
+ * Storage interface for budget state.
+ * Implementations: InMemoryBudgetStore, PostgresBudgetStore, RedisBudgetStore
+ */
+export interface BudgetStore {
+  getTaskState(taskId: string): BudgetState | undefined;
+  setTaskState(taskId: string, state: BudgetState): void;
+  getCounter(key: string): number;
+  incrementCounter(key: string, amount: number): void;
+  getRetryCount(toolCallId: string): number;
+  incrementRetryCount(toolCallId: string): number;
+  /** Enumerate all task states (for BudgetManager hydration). */
+  getAllTaskStates?(): Map<string, BudgetState>;
+  /** Enumerate all counters (for BudgetManager hydration). */
+  getAllCounters?(): Map<string, number>;
+  /** Enumerate all retry counts (for BudgetManager hydration). */
+  getAllRetryCounts?(): Map<string, number>;
+  /** Wait for all pending async writes to complete. */
+  flush?(): Promise<void>;
+  reset(): void;
+}
+/**
+ * Storage interface for audit events.
+ * Implementations: InMemoryAuditStore, PostgresAuditStore, RedisAuditStore
+ */
+export interface AuditStore {
+  append(event: AuditEvent): void;
+  getByTaskId(taskId: string): AuditEvent[];
+  getByToolCallId(toolCallId: string): AuditEvent[];
+  getByEventType(eventType: EventType): AuditEvent[];
+  getAll(): AuditEvent[];
+  deleteByTaskId(taskId: string): void;
+  deleteBySessionId(sessionId: string): void;
+  clear(): void;
+}
+/**
+ * Storage interface for approval records.
+ * Implementations: InMemoryApprovalStore, PostgresApprovalStore, RedisApprovalStore
+ */
+export interface ApprovalStore {
+  save(approvalId: string, approval: ApprovalRecord): void;
+  getById(approvalId: string): ApprovalRecord | undefined;
+  /** Look up an approval by token hash (SHA-256 hex digest). */
+  getByToken(tokenHash: string): ApprovalRecord | undefined;
+  getByToolCallId(toolCallId: string): ApprovalRecord | undefined;
+  /** Find an approved approval for the given task + actor + tool combination. */
+  findApproved?(taskId: string, actorId: string, toolName: string, capability: string): ApprovalRecord | undefined;
+  findPending(workspaceId?: string): ApprovalRecord[];
+  /** Index a token hash to an approval ID for reverse lookup. */
+  indexToken(tokenHash: string, approvalId: string): void;
+  /**
+   * Atomically update an approval only if its current status matches expectedStatus.
+   * Returns true if the update succeeded, false if the status had already changed.
+   * Used to prevent race conditions where two concurrent callers both approve/deny.
+   */
+  compareAndSetStatus?(approvalId: string, expectedStatus: string, approval: ApprovalRecord): boolean | Promise<boolean>;
+  /** Wait for all pending async writes to complete. */
+  flush?(): Promise<void>;
+  clear(): void;
+}
+/**
+ * Storage interface for idempotency deduplication.
+ * Stores tool_call_id -> ToolResult mappings for dedup.
+ */
+export interface IdempotencyStore {
+  get(toolCallId: string): ToolResult | undefined | Promise<ToolResult | undefined>;
+  set(toolCallId: string, result: ToolResult, ttlMs: number): void;
+  has(toolCallId: string): boolean | Promise<boolean>;
+  /** Wait for all pending async writes to complete. */
+  flush?(): Promise<void>;
+  clear(): void;
+}
+/**
+ * Storage interface for rate limiting.
+ */
+export interface RateLimitStore {
+  /**
+   * Record a hit and check if the rate limit is exceeded.
+   * @param key - Rate limit key (e.g., "actor:agent-001" or "workspace:ws-001")
+   * @param windowMs - Time window in milliseconds
+   * @param maxRequests - Maximum requests allowed in the window
+   * @returns { allowed: boolean, current: number, limit: number, resetAt: number }
+   */
+  hit(key: string, windowMs: number, maxRequests: number): {
+    allowed: boolean;
+    current: number;
+    limit: number;
+    resetAt: number;
+  };
+  /** Bulk-hydrate local cache from persistent backend (e.g. Redis). */
+  hydrateAll?(): Promise<void>;
+  reset(): void;
+}
+// ---------------------------------------------------------------------------
+// SaaS Store Interfaces
+// ---------------------------------------------------------------------------
+/**
+ * Storage interface for user accounts.
+ */
+export interface UserStore {
+  create(user: User): void;
+  getById(id: string): User | undefined;
+  getByEmail(email: string): User | undefined;
+  update(id: string, updates: Partial<Pick<User, 'display_name' | 'avatar_url' | 'password_hash' | 'status' | 'onboarding_completed' | 'updated_at'>>): User | undefined;
+  delete(id: string): boolean;
+  list(): User[];
+}
+/**
+ * Storage interface for OAuth accounts (provider links).
+ */
+export interface OAuthAccountStore {
+  create(account: OAuthAccount): void;
+  getById(id: string): OAuthAccount | undefined;
+  getByProvider(provider: OAuthProvider, providerUserId: string): OAuthAccount | undefined;
+  getByUserId(userId: string): OAuthAccount[];
+  update(id: string, updates: Partial<Pick<OAuthAccount, 'access_token_encrypted' | 'refresh_token_encrypted' | 'token_expires_at' | 'updated_at'>>): OAuthAccount | undefined;
+  delete(id: string): boolean;
+}
+/**
+ * Storage interface for workspaces.
+ */
+export interface WorkspaceStore {
+  create(workspace: Workspace): void;
+  getById(id: string): Workspace | undefined;
+  getBySlug(slug: string): Workspace | undefined;
+  getByOwner(userId: string): Workspace[];
+  update(id: string, updates: Partial<Pick<Workspace, 'name' | 'slug' | 'plan' | 'settings' | 'updated_at'>>): Workspace | undefined;
+  delete(id: string): boolean;
+  list(): Workspace[];
+}
+/**
+ * Storage interface for workspace membership.
+ */
+export interface WorkspaceMemberStore {
+  create(member: WorkspaceMember): void;
+  getById(id: string): WorkspaceMember | undefined;
+  getByWorkspace(workspaceId: string): WorkspaceMember[];
+  getByUser(userId: string): WorkspaceMember[];
+  getByWorkspaceAndUser(workspaceId: string, userId: string): WorkspaceMember | undefined;
+  update(id: string, updates: Partial<Pick<WorkspaceMember, 'role'>>): WorkspaceMember | undefined;
+  delete(id: string): boolean;
+}
+/**
+ * Storage interface for sessions.
+ */
+export interface SessionStore {
+  create(session: Session): void;
+  getById(id: string): Session | undefined;
+  getByUserId(userId: string): Session[];
+  update(id: string, updates: Partial<Pick<Session, 'workspace_id' | 'last_active_at'>>): Session | undefined;
+  delete(id: string): boolean;
+  deleteExpired(): number;
+  deleteByUserId(userId: string): number;
+}
+/**
+ * Storage interface for user-generated API keys.
+ */
+export interface UserApiKeyStore {
+  create(apiKey: UserApiKey): void;
+  getById(id: string): UserApiKey | undefined;
+  getByKeyHash(keyHash: string): UserApiKey | undefined;
+  /** Verify a raw token against all stored keys (supports salted and unsalted hashes) */
+  verifyToken?(token: string): UserApiKey | undefined;
+  getByWorkspace(workspaceId: string): UserApiKey[];
+  getByUser(userId: string): UserApiKey[];
+  update(id: string, updates: Partial<Pick<UserApiKey, 'name' | 'roles' | 'tags' | 'revoked' | 'last_used_at'>>): UserApiKey | undefined;
+  delete(id: string): boolean;
+}
+/**
+ * Storage interface for subscriptions (Stripe billing).
+ */
+export interface SubscriptionStore {
+  create(subscription: Subscription): void;
+  getById(id: string): Subscription | undefined;
+  getByWorkspace(workspaceId: string): Subscription | undefined;
+  getByStripeCustomerId(customerId: string): Subscription | undefined;
+  getByStripeSubscriptionId(subscriptionId: string): Subscription | undefined;
+  update(id: string, updates: Partial<Subscription>): Subscription | undefined;
+  delete(id: string): boolean;
+  list(): Subscription[];
+}
+/**
+ * Storage interface for workspace policy packs.
+ */
+export interface PolicyStore {
+  getByWorkspaceId(workspaceId: string): PolicyPack | undefined;
+  set(workspaceId: string, policy: PolicyPack): void;
+  delete(workspaceId: string): boolean;
+  list(): Map<string, PolicyPack>;
+  clear(): void;
+}
+// ---------------------------------------------------------------------------
+// Per-Workspace Rate Limit & Budget Configuration
+// ---------------------------------------------------------------------------
+export interface WorkspaceRateLimitConfig {
+  actor_max_per_window?: number;
+  workspace_max_per_window?: number;
+  window_ms?: number;
+}
+export interface WorkspaceBudgetConfig {
+  task_budget_usd?: number;
+  user_daily_budget_usd?: number;
+  user_monthly_budget_usd?: number;
+  workspace_daily_budget_usd?: number;
+  workspace_monthly_budget_usd?: number;
+  max_steps_per_task?: number;
+  max_retries_per_call?: number;
+  max_wall_clock_ms?: number;
+  token_pricing?: Record<string, import('../types/budget').TokenPricing>;
+}
+export interface RateLimitConfigStore {
+  getByWorkspaceId(workspaceId: string): WorkspaceRateLimitConfig | undefined;
+  set(workspaceId: string, config: WorkspaceRateLimitConfig): void;
+  delete(workspaceId: string): boolean;
+  list(): Map<string, WorkspaceRateLimitConfig>;
+  clear(): void;
+}
+export interface BudgetConfigStore {
+  getByWorkspaceId(workspaceId: string): WorkspaceBudgetConfig | undefined;
+  set(workspaceId: string, config: WorkspaceBudgetConfig): void;
+  delete(workspaceId: string): boolean;
+  list(): Map<string, WorkspaceBudgetConfig>;
+  clear(): void;
+}