predicate-claw 0.1.0

package/dist/src/openclaw-plugin-api.d.ts

@@ -0,0 +1,18 @@
+interface RegisteredTool {
+    name: string;
+    description?: string;
+    parameters?: unknown;
+    execute: (id: string, params: Record<string, unknown>) => Promise<unknown>;
+}
+interface OpenClawPluginApi {
+    registerTool(tool: RegisteredTool, options?: {
+        optional?: boolean;
+    }): void;
+}
+interface PredicateToolHandlers {
+    executeCmdRun(args: Record<string, unknown>): Promise<unknown>;
+    executeFsReadFile(args: Record<string, unknown>): Promise<unknown>;
+    executeHttpRequest(args: Record<string, unknown>): Promise<unknown>;
+}
+export declare function registerOpenClawPredicateTools(api: OpenClawPluginApi, handlers: PredicateToolHandlers): void;
+export {};

package/dist/src/openclaw-plugin-api.js

@@ -0,0 +1,17 @@
+export function registerOpenClawPredicateTools(api, handlers) {
+    api.registerTool({
+        name: "predicate_cmd_run",
+        description: "Guarded shell execution routed through Predicate Authority.",
+        execute: async (_id, params) => handlers.executeCmdRun(params),
+    }, { optional: true });
+    api.registerTool({
+        name: "predicate_fs_read_file",
+        description: "Guarded file read routed through Predicate Authority.",
+        execute: async (_id, params) => handlers.executeFsReadFile(params),
+    }, { optional: true });
+    api.registerTool({
+        name: "predicate_http_request",
+        description: "Guarded HTTP request routed through Predicate Authority.",
+        execute: async (_id, params) => handlers.executeHttpRequest(params),
+    }, { optional: true });
+}

package/dist/src/provider.d.ts

@@ -0,0 +1,48 @@
+import { type AuthorityAdapter } from "./authority-client.js";
+import { type ProviderConfig } from "./config.js";
+export interface GuardRequest {
+    action: string;
+    resource: string;
+    args: Record<string, unknown>;
+    context?: Record<string, unknown>;
+}
+export interface GuardedProviderOptions {
+    principal: string;
+    config?: Partial<ProviderConfig>;
+    authorityClient?: AuthorityAdapter;
+    telemetry?: GuardTelemetry;
+    auditExporter?: DecisionAuditExporter;
+}
+export interface DecisionTelemetryEvent {
+    principal: string;
+    action: string;
+    resource: string;
+    outcome: "allow" | "deny" | "error";
+    reason?: string;
+    mandateId?: string;
+    sessionId?: string;
+    tenantId?: string;
+    userId?: string;
+    traceId?: string;
+    source?: string;
+    timestamp: string;
+}
+export interface GuardTelemetry {
+    onDecision?(event: DecisionTelemetryEvent): void;
+}
+export interface DecisionAuditExporter {
+    exportDecision(event: DecisionTelemetryEvent): Promise<void> | void;
+}
+export declare class GuardedProvider {
+    private readonly principal;
+    private readonly config;
+    private readonly authorityClient;
+    private readonly telemetry?;
+    private readonly auditExporter?;
+    constructor(options: GuardedProviderOptions);
+    static intentHash(args: Record<string, unknown>): string;
+    authorize(request: GuardRequest): Promise<string | null>;
+    guardOrThrow(request: GuardRequest): Promise<string | null>;
+    private emitDecisionEvent;
+}
+export { ActionDeniedError, SidecarUnavailableError } from "./errors.js";

package/dist/src/provider.js

@@ -0,0 +1,154 @@
+import crypto from "node:crypto";
+import { createDefaultAuthorityAdapter, } from "./authority-client.js";
+import { defaultProviderConfig } from "./config.js";
+import { ActionDeniedError, SidecarUnavailableError } from "./errors.js";
+export class GuardedProvider {
+    principal;
+    config;
+    authorityClient;
+    telemetry;
+    auditExporter;
+    constructor(options) {
+        this.principal = options.principal;
+        this.config = { ...defaultProviderConfig, ...(options.config ?? {}) };
+        this.authorityClient =
+            options.authorityClient ?? createDefaultAuthorityAdapter(this.config);
+        this.telemetry = options.telemetry;
+        this.auditExporter = options.auditExporter;
+    }
+    static intentHash(args) {
+        const encoded = stableJson(args);
+        return crypto.createHash("sha256").update(encoded).digest("hex");
+    }
+    async authorize(request) {
+        const wireRequest = {
+            principal: this.principal,
+            action: request.action,
+            resource: request.resource,
+            intent_hash: GuardedProvider.intentHash(request.args),
+            labels: labelsFromContext(request.context),
+        };
+        try {
+            const decision = await this.authorityClient.authorize(wireRequest);
+            if (decision.allow) {
+                await this.emitDecisionEvent({
+                    principal: this.principal,
+                    action: request.action,
+                    resource: redactResource(request.action, request.resource),
+                    outcome: "allow",
+                    reason: decision.reason,
+                    mandateId: decision.mandateId,
+                    ...contextFields(request.context),
+                    timestamp: new Date().toISOString(),
+                });
+                return decision.mandateId ?? null;
+            }
+            await this.emitDecisionEvent({
+                principal: this.principal,
+                action: request.action,
+                resource: redactResource(request.action, request.resource),
+                outcome: "deny",
+                reason: decision.reason ?? "denied_by_policy",
+                mandateId: decision.mandateId,
+                ...contextFields(request.context),
+                timestamp: new Date().toISOString(),
+            });
+            throw new ActionDeniedError(decision.reason ?? "denied_by_policy");
+        }
+        catch (error) {
+            if (error instanceof ActionDeniedError) {
+                throw error;
+            }
+            if (error instanceof SidecarUnavailableError) {
+                await this.emitDecisionEvent({
+                    principal: this.principal,
+                    action: request.action,
+                    resource: redactResource(request.action, request.resource),
+                    outcome: "error",
+                    reason: error.message,
+                    ...contextFields(request.context),
+                    timestamp: new Date().toISOString(),
+                });
+                throw error;
+            }
+            await this.emitDecisionEvent({
+                principal: this.principal,
+                action: request.action,
+                resource: redactResource(request.action, request.resource),
+                outcome: "error",
+                reason: "Predicate sidecar unavailable",
+                ...contextFields(request.context),
+                timestamp: new Date().toISOString(),
+            });
+            throw new SidecarUnavailableError("Predicate sidecar unavailable");
+        }
+    }
+    async guardOrThrow(request) {
+        try {
+            return await this.authorize(request);
+        }
+        catch (error) {
+            if (error instanceof SidecarUnavailableError &&
+                this.config.failClosed === false) {
+                return null;
+            }
+            throw error;
+        }
+    }
+    async emitDecisionEvent(event) {
+        this.telemetry?.onDecision?.(event);
+        if (!this.auditExporter) {
+            return;
+        }
+        try {
+            await this.auditExporter.exportDecision(event);
+        }
+        catch {
+            // Best-effort export; authorization path must not fail on telemetry sink issues.
+        }
+    }
+}
+function labelsFromContext(context) {
+    if (!context)
+        return [];
+    const labels = [];
+    const source = context.source;
+    if (typeof source === "string" && source.length > 0) {
+        labels.push(`source:${source}`);
+    }
+    return labels;
+}
+function contextFields(context) {
+    return {
+        sessionId: typeof context?.session_id === "string" ? context.session_id : undefined,
+        tenantId: typeof context?.tenant_id === "string" ? context.tenant_id : undefined,
+        userId: typeof context?.user_id === "string" ? context.user_id : undefined,
+        traceId: typeof context?.trace_id === "string" ? context.trace_id : undefined,
+        source: typeof context?.source === "string" ? context.source : undefined,
+    };
+}
+function redactResource(action, resource) {
+    if (action === "fs.read" || action === "fs.write") {
+        const lowered = resource.toLowerCase();
+        if (lowered.includes("/.ssh/") ||
+            lowered.includes("/etc/") ||
+            lowered.includes("id_rsa") ||
+            lowered.includes("credentials")) {
+            return "[REDACTED]";
+        }
+    }
+    return resource;
+}
+function stableJson(value) {
+    if (Array.isArray(value)) {
+        return `[${value.map((v) => stableJson(v)).join(",")}]`;
+    }
+    if (value && typeof value === "object") {
+        const entries = Object.entries(value).sort(([a], [b]) => a.localeCompare(b));
+        return `{${entries
+            .map(([k, v]) => `${JSON.stringify(k)}:${stableJson(v)}`)
+            .join(",")}}`;
+    }
+    return JSON.stringify(value);
+}
+export { ActionDeniedError, SidecarUnavailableError } from "./errors.js";

package/dist/src/runtime-integration.d.ts

@@ -0,0 +1,20 @@
+import { HookEnvelope, type OpenClawHooks } from "./openclaw-hooks.js";
+type ToolHandler = (args: Record<string, unknown>) => Promise<unknown>;
+export interface ToolRegistry {
+    get(toolName: string): ToolHandler;
+    set(toolName: string, handler: ToolHandler): void;
+}
+export interface RuntimeIntegratorOptions {
+    hooks: Pick<OpenClawHooks, "onCmdRun" | "onFsRead" | "onHttpRequest">;
+    contextBuilder?: (toolName: string, args: Record<string, unknown>) => HookEnvelope;
+}
+export declare class OpenClawRuntimeIntegrator {
+    private readonly hooks;
+    private readonly contextBuilder;
+    constructor(options: RuntimeIntegratorOptions);
+    register(registry: ToolRegistry): void;
+    private wrapCmdRun;
+    private wrapFsRead;
+    private wrapHttpRequest;
+}
+export {};

package/dist/src/runtime-integration.js

@@ -0,0 +1,43 @@
+import { HookEnvelope } from "./openclaw-hooks.js";
+export class OpenClawRuntimeIntegrator {
+    hooks;
+    contextBuilder;
+    constructor(options) {
+        this.hooks = options.hooks;
+        this.contextBuilder = options.contextBuilder ?? defaultContextBuilder;
+    }
+    register(registry) {
+        this.wrapCmdRun(registry);
+        this.wrapFsRead(registry);
+        this.wrapHttpRequest(registry);
+    }
+    wrapCmdRun(registry) {
+        const original = registry.get("cmd.run");
+        registry.set("cmd.run", async (args) => {
+            const envelope = this.contextBuilder("cmd.run", args);
+            return this.hooks.onCmdRun(envelope, original);
+        });
+    }
+    wrapFsRead(registry) {
+        const original = registry.get("fs.readFile");
+        registry.set("fs.readFile", async (args) => {
+            const envelope = this.contextBuilder("fs.readFile", args);
+            return this.hooks.onFsRead(envelope, original);
+        });
+    }
+    wrapHttpRequest(registry) {
+        const original = registry.get("http.request");
+        registry.set("http.request", async (args) => {
+            const envelope = this.contextBuilder("http.request", args);
+            return this.hooks.onHttpRequest(envelope, original);
+        });
+    }
+}
+function defaultContextBuilder(toolName, args) {
+    return new HookEnvelope({
+        toolName,
+        args,
+        sessionId: "unknown-session",
+        source: "unknown-source",
+    });
+}

package/dist/src/web-evidence.d.ts

@@ -0,0 +1,48 @@
+import { type RuntimeSnapshotLike, type StateEvidence, type WebStateSnapshot } from "@predicatesystems/authority";
+/**
+ * Runtime context captured from OpenClaw web agent execution environment.
+ * Maps to ts-predicate-authority WebStateSnapshot contract.
+ */
+export interface WebRuntimeContext {
+    url?: string;
+    title?: string;
+    domHtml?: string;
+    domHash?: string;
+    visibleText?: string;
+    visibleTextHash?: string;
+    eventId?: string;
+    observedAt?: string;
+    dominantGroupKey?: string;
+    snapshotTimestamp?: string;
+    confidence?: number;
+    confidenceReasons?: string[];
+}
+/**
+ * Provider interface for web state evidence capture.
+ * Implementations should capture browser/DOM state from the agent runtime.
+ */
+export interface WebEvidenceProvider {
+    captureWebSnapshot(): Promise<WebStateSnapshot>;
+}
+/**
+ * OpenClaw-specific web evidence provider.
+ * Captures web state from the agent runtime and maps to TS SDK contract.
+ */
+export declare class OpenClawWebEvidenceProvider implements WebEvidenceProvider {
+    private readonly capture;
+    constructor(capture: () => Promise<WebRuntimeContext> | WebRuntimeContext);
+    captureWebSnapshot(): Promise<WebStateSnapshot>;
+}
+/**
+ * Build StateEvidence from an OpenClaw web evidence provider.
+ */
+export declare function buildWebEvidenceFromProvider(provider: WebEvidenceProvider, options?: {
+    schemaVersion?: string;
+}): Promise<StateEvidence>;
+/**
+ * Convenience adapter for predicate-runtime snapshot output.
+ * Maps RuntimeSnapshotLike to StateEvidence directly.
+ */
+export declare function buildWebEvidenceFromRuntimeSnapshot(snapshot: RuntimeSnapshotLike, options?: {
+    schemaVersion?: string;
+}): StateEvidence;

package/dist/src/web-evidence.js

@@ -0,0 +1,49 @@
+import crypto from "node:crypto";
+import { buildWebStateEvidence, buildWebStateEvidenceFromRuntimeSnapshot, } from "@predicatesystems/authority";
+/**
+ * OpenClaw-specific web evidence provider.
+ * Captures web state from the agent runtime and maps to TS SDK contract.
+ */
+export class OpenClawWebEvidenceProvider {
+    capture;
+    constructor(capture) {
+        this.capture = capture;
+    }
+    async captureWebSnapshot() {
+        const runtime = await this.capture();
+        return {
+            url: runtime.url,
+            title: runtime.title,
+            dom_hash: runtime.domHash ?? sha256(runtime.domHtml ?? ""),
+            visible_text_hash: runtime.visibleTextHash ?? sha256(runtime.visibleText ?? ""),
+            event_id: runtime.eventId,
+            observed_at: runtime.observedAt ?? new Date().toISOString(),
+            dominant_group_key: runtime.dominantGroupKey,
+            snapshot_timestamp: runtime.snapshotTimestamp,
+            confidence: runtime.confidence,
+            confidence_reasons: runtime.confidenceReasons,
+        };
+    }
+}
+/**
+ * Build StateEvidence from an OpenClaw web evidence provider.
+ */
+export async function buildWebEvidenceFromProvider(provider, options) {
+    const snapshot = await provider.captureWebSnapshot();
+    return buildWebStateEvidence({
+        snapshot,
+        schemaVersion: options?.schemaVersion ?? "v1",
+    });
+}
+/**
+ * Convenience adapter for predicate-runtime snapshot output.
+ * Maps RuntimeSnapshotLike to StateEvidence directly.
+ */
+export function buildWebEvidenceFromRuntimeSnapshot(snapshot, options) {
+    return buildWebStateEvidenceFromRuntimeSnapshot(snapshot, {
+        schemaVersion: options?.schemaVersion ?? "v1",
+    });
+}
+function sha256(input) {
+    return crypto.createHash("sha256").update(input).digest("hex");
+}

package/dist/tests/adapter.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/tests/adapter.test.js

@@ -0,0 +1,63 @@
+import { describe, expect, it } from "vitest";
+import { ToolAdapter } from "../src/adapter.js";
+import { ActionDeniedError } from "../src/errors.js";
+describe("ToolAdapter", () => {
+    it("maps cmd.run to shell.execute", async () => {
+        const seen = [];
+        const adapter = new ToolAdapter({
+            guardOrThrow: async ({ action, resource }) => {
+                seen.push({ action, resource });
+                return "mnd_test";
+            },
+        });
+        const result = await adapter.runShell({
+            args: { command: "echo hi" },
+            context: { source: "trusted_ui" },
+            execute: async (args) => args,
+        });
+        expect(result).toEqual({ command: "echo hi" });
+        expect(seen).toEqual([{ action: "shell.execute", resource: "echo hi" }]);
+    });
+    it("bubbles deny errors", async () => {
+        const adapter = new ToolAdapter({
+            guardOrThrow: async () => {
+                throw new ActionDeniedError("denied_by_policy");
+            },
+        });
+        await expect(adapter.readFile({
+            args: { path: "/etc/passwd" },
+            context: { source: "untrusted_dm" },
+            execute: async (args) => args,
+        })).rejects.toBeInstanceOf(ActionDeniedError);
+    });
+    it("maps fs.readFile to fs.read", async () => {
+        const seen = [];
+        const adapter = new ToolAdapter({
+            guardOrThrow: async ({ action, resource }) => {
+                seen.push({ action, resource });
+                return "mnd_test";
+            },
+        });
+        await adapter.readFile({
+            args: { path: "/tmp/demo.txt" },
+            context: { source: "trusted_ui" },
+            execute: async (args) => args,
+        });
+        expect(seen).toEqual([{ action: "fs.read", resource: "/tmp/demo.txt" }]);
+    });
+    it("maps http.request to net.http", async () => {
+        const seen = [];
+        const adapter = new ToolAdapter({
+            guardOrThrow: async ({ action, resource }) => {
+                seen.push({ action, resource });
+                return "mnd_test";
+            },
+        });
+        await adapter.httpRequest({
+            args: { url: "https://example.com" },
+            context: { source: "trusted_ui" },
+            execute: async (args) => args,
+        });
+        expect(seen).toEqual([{ action: "net.http", resource: "https://example.com" }]);
+    });
+});

package/dist/tests/audit-event-e2e.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/tests/audit-event-e2e.test.js

@@ -0,0 +1,209 @@
+import { describe, expect, it, vi } from "vitest";
+import { GuardedProvider, ActionDeniedError, } from "../src/provider.js";
+/**
+ * End-to-end audit event visibility tests.
+ *
+ * These tests verify that decision events flow correctly from the provider
+ * through to audit exporters in a format compatible with control-plane
+ * audit pipelines.
+ */
+describe("audit event visibility (e2e)", () => {
+    it("exports allow decisions with full context to audit sink", async () => {
+        const exportedEvents = [];
+        const mockClient = {
+            authorize: vi.fn().mockResolvedValue({
+                allow: true,
+                reason: "policy_matched",
+                mandateId: "mandate-12345",
+            }),
+        };
+        const auditExporter = {
+            exportDecision: async (event) => {
+                exportedEvents.push(event);
+            },
+        };
+        const provider = new GuardedProvider({
+            principal: "agent:e2e-test-agent",
+            authorityClient: mockClient,
+            auditExporter,
+        });
+        await provider.authorize({
+            action: "shell.execute",
+            resource: "npm install lodash",
+            args: { cmd: "npm install lodash" },
+            context: {
+                tenant_id: "tenant-prod",
+                session_id: "sess-e2e-001",
+                user_id: "user-developer",
+                trace_id: "trace-e2e-xyz",
+                source: "trusted_ui",
+            },
+        });
+        // Verify event was exported
+        expect(exportedEvents).toHaveLength(1);
+        const event = exportedEvents[0];
+        // Verify control-plane compatible fields
+        expect(event.principal).toBe("agent:e2e-test-agent");
+        expect(event.action).toBe("shell.execute");
+        expect(event.resource).toBe("npm install lodash");
+        expect(event.outcome).toBe("allow");
+        expect(event.reason).toBe("policy_matched");
+        expect(event.mandateId).toBe("mandate-12345");
+        // Verify tenant/session context
+        expect(event.tenantId).toBe("tenant-prod");
+        expect(event.sessionId).toBe("sess-e2e-001");
+        expect(event.userId).toBe("user-developer");
+        expect(event.traceId).toBe("trace-e2e-xyz");
+        expect(event.source).toBe("trusted_ui");
+        // Verify timestamp is ISO format
+        expect(event.timestamp).toMatch(/^\d{4}-\d{2}-\d{2}T/);
+    });
+    it("exports deny decisions with redacted sensitive resources", async () => {
+        const exportedEvents = [];
+        const mockClient = {
+            authorize: vi.fn().mockResolvedValue({
+                allow: false,
+                reason: "sensitive_path_blocked",
+            }),
+        };
+        const auditExporter = {
+            exportDecision: async (event) => {
+                exportedEvents.push(event);
+            },
+        };
+        const provider = new GuardedProvider({
+            principal: "agent:sensitive-test",
+            authorityClient: mockClient,
+            auditExporter,
+        });
+        await expect(provider.authorize({
+            action: "fs.read",
+            resource: "/home/user/.ssh/id_rsa",
+            args: { path: "/home/user/.ssh/id_rsa" },
+            context: { tenant_id: "tenant-sec" },
+        })).rejects.toThrow(ActionDeniedError);
+        expect(exportedEvents).toHaveLength(1);
+        const event = exportedEvents[0];
+        expect(event.outcome).toBe("deny");
+        expect(event.reason).toBe("sensitive_path_blocked");
+        // Resource should be redacted for sensitive paths
+        expect(event.resource).toBe("[REDACTED]");
+    });
+    it("exports error events when sidecar is unavailable", async () => {
+        const exportedEvents = [];
+        const mockClient = {
+            authorize: vi.fn().mockRejectedValue(new Error("Connection refused")),
+        };
+        const auditExporter = {
+            exportDecision: async (event) => {
+                exportedEvents.push(event);
+            },
+        };
+        const provider = new GuardedProvider({
+            principal: "agent:error-test",
+            authorityClient: mockClient,
+            auditExporter,
+        });
+        await expect(provider.authorize({
+            action: "net.http",
+            resource: "https://api.example.com",
+            args: { url: "https://api.example.com" },
+            context: { tenant_id: "tenant-error" },
+        })).rejects.toThrow();
+        expect(exportedEvents).toHaveLength(1);
+        const event = exportedEvents[0];
+        expect(event.outcome).toBe("error");
+        expect(event.tenantId).toBe("tenant-error");
+    });
+    it("handles audit exporter failures gracefully (best-effort)", async () => {
+        let callCount = 0;
+        const mockClient = {
+            authorize: vi.fn().mockResolvedValue({ allow: true }),
+        };
+        const failingExporter = {
+            exportDecision: async () => {
+                callCount++;
+                throw new Error("Audit sink unavailable");
+            },
+        };
+        const provider = new GuardedProvider({
+            principal: "agent:failing-audit",
+            authorityClient: mockClient,
+            auditExporter: failingExporter,
+        });
+        // Should not throw even though exporter fails
+        const result = await provider.authorize({
+            action: "fs.read",
+            resource: "/workspace/safe-file.txt",
+            args: { path: "/workspace/safe-file.txt" },
+        });
+        // Authorization should succeed despite audit failure
+        expect(result).toBeNull(); // No mandate ID returned in this case
+        expect(callCount).toBe(1); // Exporter was called
+    });
+    it("chains multiple decision events with consistent trace context", async () => {
+        const exportedEvents = [];
+        const mockClient = {
+            authorize: vi
+                .fn()
+                .mockResolvedValueOnce({ allow: true, mandateId: "m1" })
+                .mockResolvedValueOnce({ allow: true, mandateId: "m2" })
+                .mockResolvedValueOnce({ allow: false, reason: "rate_limited" }),
+        };
+        const auditExporter = {
+            exportDecision: async (event) => {
+                exportedEvents.push(event);
+            },
+        };
+        const provider = new GuardedProvider({
+            principal: "agent:chained-ops",
+            authorityClient: mockClient,
+            auditExporter,
+        });
+        const sharedContext = {
+            tenant_id: "tenant-chain",
+            session_id: "sess-chain",
+            trace_id: "trace-chain-root",
+        };
+        // First operation - allowed
+        await provider.authorize({
+            action: "fs.read",
+            resource: "/workspace/config.json",
+            args: { path: "/workspace/config.json" },
+            context: sharedContext,
+        });
+        // Second operation - allowed
+        await provider.authorize({
+            action: "net.http",
+            resource: "https://api.internal/fetch",
+            args: { url: "https://api.internal/fetch" },
+            context: sharedContext,
+        });
+        // Third operation - denied
+        try {
+            await provider.authorize({
+                action: "shell.execute",
+                resource: "curl external.com",
+                args: { cmd: "curl external.com" },
+                context: sharedContext,
+            });
+        }
+        catch {
+            // Expected denial
+        }
+        expect(exportedEvents).toHaveLength(3);
+        // All events should share the same trace context
+        for (const event of exportedEvents) {
+            expect(event.tenantId).toBe("tenant-chain");
+            expect(event.sessionId).toBe("sess-chain");
+            expect(event.traceId).toBe("trace-chain-root");
+        }
+        // Verify outcomes
+        expect(exportedEvents[0].outcome).toBe("allow");
+        expect(exportedEvents[0].mandateId).toBe("m1");
+        expect(exportedEvents[1].outcome).toBe("allow");
+        expect(exportedEvents[1].mandateId).toBe("m2");
+        expect(exportedEvents[2].outcome).toBe("deny");
+        expect(exportedEvents[2].reason).toBe("rate_limited");
+    });
+});

package/dist/tests/authority-client.test.d.ts

@@ -0,0 +1 @@
+export {};