veto-sdk 1.9.0 → 1.10.0

package/dist/browser/index.d.ts

@@ -0,0 +1,13 @@
+import { Veto } from './veto.js';
+export { protect, type ProtectOptions, type ProtectMode, } from './protect.js';
+export { Veto };
+export type { VetoBrowserOptions, GuardResult, GuardContext, } from './types.js';
+export type { Rule, OutputRule, RuleCondition, RuleSeverity, RuleAction, } from '../rules/types.js';
+export type { OutputValidationResult } from '../core/output-validator.js';
+export { ToolCallDeniedError } from '../core/interceptor.js';
+export { OutputValidator } from '../core/output-validator.js';
+export { validateDeterministic } from '../deterministic/validator.js';
+export { evaluateConditionCollections } from '../rules/condition-evaluator.js';
+export declare function wrapAction<T>(veto: Veto, toolName: string, handler: (args: Record<string, unknown>) => T | Promise<T>): (args: Record<string, unknown>) => Promise<T>;
+export declare function wrapActions(veto: Veto, actions: Record<string, (args: Record<string, unknown>) => unknown>): Record<string, (args: Record<string, unknown>) => Promise<unknown>>;
+//# sourceMappingURL=index.d.ts.map

package/dist/browser/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/browser/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAGjC,OAAO,EACL,OAAO,EACP,KAAK,cAAc,EACnB,KAAK,WAAW,GACjB,MAAM,cAAc,CAAC;AAEtB,OAAO,EAAE,IAAI,EAAE,CAAC;AAChB,YAAY,EACV,kBAAkB,EAClB,WAAW,EACX,YAAY,GACb,MAAM,YAAY,CAAC;AACpB,YAAY,EACV,IAAI,EACJ,UAAU,EACV,aAAa,EACb,YAAY,EACZ,UAAU,GACX,MAAM,mBAAmB,CAAC;AAC3B,YAAY,EAAE,sBAAsB,EAAE,MAAM,6BAA6B,CAAC;AAC1E,OAAO,EAAE,mBAAmB,EAAE,MAAM,wBAAwB,CAAC;AAC7D,OAAO,EAAE,eAAe,EAAE,MAAM,6BAA6B,CAAC;AAC9D,OAAO,EAAE,qBAAqB,EAAE,MAAM,+BAA+B,CAAC;AACtE,OAAO,EAAE,4BAA4B,EAAE,MAAM,iCAAiC,CAAC;AAoB/E,wBAAgB,UAAU,CAAC,CAAC,EAC1B,IAAI,EAAE,IAAI,EACV,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,GACzD,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,OAAO,CAAC,CAAC,CAAC,CAQ/C;AAED,wBAAgB,WAAW,CACzB,IAAI,EAAE,IAAI,EACV,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,OAAO,CAAC,GAClE,MAAM,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC,CAYrE"}

package/dist/browser/index.js

@@ -0,0 +1,39 @@
+import { Veto } from './veto.js';
+import { ToolCallDeniedError } from '../core/interceptor.js';
+export { protect, } from './protect.js';
+export { Veto };
+export { ToolCallDeniedError } from '../core/interceptor.js';
+export { OutputValidator } from '../core/output-validator.js';
+export { validateDeterministic } from '../deterministic/validator.js';
+export { evaluateConditionCollections } from '../rules/condition-evaluator.js';
+function toDeniedValidationResult(result) {
+    const decision = result.decision === 'require_approval'
+        ? 'require_approval'
+        : 'deny';
+    return {
+        decision,
+        reason: result.reason,
+        metadata: {
+            ruleId: result.ruleId,
+            severity: result.severity,
+            approvalId: result.approvalId,
+        },
+    };
+}
+export function wrapAction(veto, toolName, handler) {
+    return async (args) => {
+        const result = await veto.guard(toolName, args);
+        if (result.decision === 'deny' || result.decision === 'require_approval') {
+            throw new ToolCallDeniedError(toolName, 'guard', toDeniedValidationResult(result));
+        }
+        return await handler(args);
+    };
+}
+export function wrapActions(veto, actions) {
+    const wrapped = {};
+    for (const [name, handler] of Object.entries(actions)) {
+        wrapped[name] = wrapAction(veto, name, async (args) => await handler(args));
+    }
+    return wrapped;
+}
+//# sourceMappingURL=index.js.map

package/dist/browser/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/browser/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,mBAAmB,EAAE,MAAM,wBAAwB,CAAC;AAE7D,OAAO,EACL,OAAO,GAGR,MAAM,cAAc,CAAC;AAEtB,OAAO,EAAE,IAAI,EAAE,CAAC;AAchB,OAAO,EAAE,mBAAmB,EAAE,MAAM,wBAAwB,CAAC;AAC7D,OAAO,EAAE,eAAe,EAAE,MAAM,6BAA6B,CAAC;AAC9D,OAAO,EAAE,qBAAqB,EAAE,MAAM,+BAA+B,CAAC;AACtE,OAAO,EAAE,4BAA4B,EAAE,MAAM,iCAAiC,CAAC;AAE/E,SAAS,wBAAwB,CAC/B,MAA0C;IAE1C,MAAM,QAAQ,GAAiC,MAAM,CAAC,QAAQ,KAAK,kBAAkB;QACnF,CAAC,CAAC,kBAAkB;QACpB,CAAC,CAAC,MAAM,CAAC;IAEX,OAAO;QACL,QAAQ;QACR,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,QAAQ,EAAE;YACR,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,UAAU,EAAE,MAAM,CAAC,UAAU;SAC9B;KACF,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,UAAU,CACxB,IAAU,EACV,QAAgB,EAChB,OAA0D;IAE1D,OAAO,KAAK,EAAE,IAAI,EAAE,EAAE;QACpB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;QAChD,IAAI,MAAM,CAAC,QAAQ,KAAK,MAAM,IAAI,MAAM,CAAC,QAAQ,KAAK,kBAAkB,EAAE,CAAC;YACzE,MAAM,IAAI,mBAAmB,CAAC,QAAQ,EAAE,OAAO,EAAE,wBAAwB,CAAC,MAAM,CAAC,CAAC,CAAC;QACrF,CAAC;QACD,OAAO,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;IAC7B,CAAC,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,WAAW,CACzB,IAAU,EACV,OAAmE;IAEnE,MAAM,OAAO,GAAwE,EAAE,CAAC;IAExF,KAAK,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QACtD,OAAO,CAAC,IAAI,CAAC,GAAG,UAAU,CACxB,IAAI,EACJ,IAAI,EACJ,KAAK,EAAE,IAAI,EAAE,EAAE,CAAC,MAAM,OAAO,CAAC,IAAI,CAAC,CACpC,CAAC;IACJ,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC"}

package/dist/browser/protect.d.ts

@@ -0,0 +1,10 @@
+import type { ProtectOptions } from '../core/protect.js';
+export type { ProtectMode, ProtectOptions } from '../core/protect.js';
+export declare function protect<T extends {
+    name: string;
+}>(tools: T[], options?: ProtectOptions): Promise<T[]>;
+export declare function protect<T extends {
+    name: string;
+}>(tool: T, options?: ProtectOptions): Promise<T>;
+export declare function __resetProtectCacheForTests(): void;
+//# sourceMappingURL=protect.d.ts.map

package/dist/browser/protect.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"protect.d.ts","sourceRoot":"","sources":["../../src/browser/protect.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAe,cAAc,EAAE,MAAM,oBAAoB,CAAC;AAEtE,YAAY,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AAmMtE,wBAAsB,OAAO,CAAC,CAAC,SAAS;IAAE,IAAI,EAAE,MAAM,CAAA;CAAE,EACtD,KAAK,EAAE,CAAC,EAAE,EACV,OAAO,CAAC,EAAE,cAAc,GACvB,OAAO,CAAC,CAAC,EAAE,CAAC,CAAC;AAChB,wBAAsB,OAAO,CAAC,CAAC,SAAS;IAAE,IAAI,EAAE,MAAM,CAAA;CAAE,EACtD,IAAI,EAAE,CAAC,EACP,OAAO,CAAC,EAAE,cAAc,GACvB,OAAO,CAAC,CAAC,CAAC,CAAC;AAwBd,wBAAgB,2BAA2B,IAAI,IAAI,CAGlD"}

package/dist/browser/protect.js

@@ -0,0 +1,176 @@
+import { Veto } from './veto.js';
+const TOOL_PACK_HEURISTICS = [
+    {
+        patterns: ['transfer', 'payment', 'balance', 'withdraw', 'deposit', 'invoice'],
+        pack: '@veto/financial',
+    },
+    {
+        patterns: ['navigate', 'click', 'goto', 'browse', 'scroll', 'type_text'],
+        pack: '@veto/browser-automation',
+    },
+    {
+        patterns: ['query', 'sql', 'database', 'select', 'insert', 'table'],
+        pack: '@veto/data-access',
+    },
+    {
+        patterns: ['exec', 'shell', 'command', 'terminal', 'bash', 'run_code'],
+        pack: '@veto/coding-agent',
+    },
+];
+let _defaultInstance = null;
+const _instanceCache = new Map();
+function stableSerialize(value) {
+    if (value === null || typeof value !== 'object') {
+        return JSON.stringify(value);
+    }
+    if (Array.isArray(value)) {
+        return `[${value.map((item) => stableSerialize(item)).join(',')}]`;
+    }
+    const entries = Object.entries(value)
+        .sort(([a], [b]) => a.localeCompare(b))
+        .map(([key, item]) => `${JSON.stringify(key)}:${stableSerialize(item)}`);
+    return `{${entries.join(',')}}`;
+}
+function normalizeProtectMode(mode) {
+    if (mode === 'shadow') {
+        // TODO: PLW-94 true shadow mode behavior.
+        return 'log';
+    }
+    return mode;
+}
+function toToolsArray(input) {
+    return Array.isArray(input) ? input : [input];
+}
+function collectHeuristicPacks(tools) {
+    const packs = new Set();
+    for (const tool of tools) {
+        const name = tool.name.toLowerCase();
+        for (const heuristic of TOOL_PACK_HEURISTICS) {
+            if (heuristic.patterns.some((pattern) => name.includes(pattern))) {
+                packs.add(heuristic.pack);
+            }
+        }
+    }
+    return [...packs].sort((a, b) => a.localeCompare(b));
+}
+function buildInitDecision(tools, options) {
+    if (options.rules) {
+        return {
+            source: 'rules',
+            packs: [],
+            rules: options.rules,
+            outputRules: [],
+        };
+    }
+    if (options.apiKey) {
+        return {
+            source: 'apiKey',
+            packs: [],
+            rules: [],
+            outputRules: [],
+        };
+    }
+    return {
+        source: 'allow-all',
+        packs: collectHeuristicPacks(tools),
+        rules: [],
+        outputRules: [],
+    };
+}
+function createCacheKey(options, decision) {
+    return stableSerialize({
+        source: decision.source,
+        configDir: options.configDir,
+        pack: options.pack,
+        apiKey: options.apiKey,
+        endpoint: options.endpoint,
+        mode: normalizeProtectMode(options.mode),
+        logLevel: options.logLevel,
+        sessionId: options.sessionId,
+        agentId: options.agentId,
+        userId: options.userId,
+        role: options.role,
+        packs: decision.packs,
+        rulesFingerprint: stableSerialize(decision.rules),
+        outputRulesFingerprint: stableSerialize(decision.outputRules),
+        budget: options.budget,
+        costs: options.costs,
+    });
+}
+function createAllowAllInstance(options) {
+    return Veto.fromRules({
+        rules: [],
+        outputRules: [],
+        mode: normalizeProtectMode(options.mode),
+        logLevel: options.logLevel,
+        sessionId: options.sessionId,
+        agentId: options.agentId,
+        userId: options.userId,
+        role: options.role,
+        apiKey: options.apiKey,
+        endpoint: options.endpoint,
+        onApprovalRequired: options.onApprovalRequired,
+        budget: options.budget,
+        costs: options.costs,
+    });
+}
+async function initializeVeto(tools, options) {
+    const decision = buildInitDecision(tools, options);
+    const cacheKey = createCacheKey(options, decision);
+    const cached = _instanceCache.get(cacheKey);
+    if (cached) {
+        return cached;
+    }
+    let instance;
+    try {
+        if (decision.source === 'apiKey') {
+            instance = await Veto.fromCloud({
+                apiKey: options.apiKey,
+                endpoint: options.endpoint,
+            });
+        }
+        else {
+            instance = Veto.fromRules({
+                rules: decision.rules,
+                outputRules: decision.outputRules,
+                mode: normalizeProtectMode(options.mode),
+                logLevel: options.logLevel,
+                sessionId: options.sessionId,
+                agentId: options.agentId,
+                userId: options.userId,
+                role: options.role,
+                apiKey: options.apiKey,
+                endpoint: options.endpoint,
+                onApprovalRequired: options.onApprovalRequired,
+                budget: options.budget,
+                costs: options.costs,
+            });
+        }
+    }
+    catch {
+        instance = createAllowAllInstance(options);
+    }
+    _instanceCache.set(cacheKey, instance);
+    return instance;
+}
+export async function protect(input, options) {
+    if (options === undefined && _defaultInstance) {
+        return Array.isArray(input)
+            ? _defaultInstance.wrap(input)
+            : _defaultInstance.wrapTool(input);
+    }
+    const normalizedOptions = options ?? {};
+    const tools = toToolsArray(input);
+    const instance = await initializeVeto(tools, normalizedOptions);
+    if (options === undefined) {
+        _defaultInstance = instance;
+    }
+    return Array.isArray(input)
+        ? instance.wrap(input)
+        : instance.wrapTool(input);
+}
+export function __resetProtectCacheForTests() {
+    _defaultInstance = null;
+    _instanceCache.clear();
+}
+//# sourceMappingURL=protect.js.map

package/dist/browser/protect.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"protect.js","sourceRoot":"","sources":["../../src/browser/protect.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAWjC,MAAM,oBAAoB,GAAiC;IACzD;QACE,QAAQ,EAAE,CAAC,UAAU,EAAE,SAAS,EAAE,SAAS,EAAE,UAAU,EAAE,SAAS,EAAE,SAAS,CAAC;QAC9E,IAAI,EAAE,iBAAiB;KACxB;IACD;QACE,QAAQ,EAAE,CAAC,UAAU,EAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,WAAW,CAAC;QACxE,IAAI,EAAE,0BAA0B;KACjC;IACD;QACE,QAAQ,EAAE,CAAC,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,CAAC;QACnE,IAAI,EAAE,mBAAmB;KAC1B;IACD;QACE,QAAQ,EAAE,CAAC,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,EAAE,UAAU,CAAC;QACtE,IAAI,EAAE,oBAAoB;KAC3B;CACF,CAAC;AAWF,IAAI,gBAAgB,GAAgB,IAAI,CAAC;AACzC,MAAM,cAAc,GAAG,IAAI,GAAG,EAAgB,CAAC;AAE/C,SAAS,eAAe,CAAC,KAAc;IACrC,IAAI,KAAK,KAAK,IAAI,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAChD,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;IAC/B,CAAC;IAED,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,IAAI,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;IACrE,CAAC;IAED,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC,KAAgC,CAAC;SAC7D,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;SACtC,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,IAAI,CAAC,EAAE,EAAE,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,eAAe,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAE3E,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;AAClC,CAAC;AAED,SAAS,oBAAoB,CAAC,IAA6B;IACzD,IAAI,IAAI,KAAK,QAAQ,EAAE,CAAC;QACtB,0CAA0C;QAC1C,OAAO,KAAK,CAAC;IACf,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,YAAY,CAA6B,KAAc;IAC9D,OAAO,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;AAChD,CAAC;AAED,SAAS,qBAAqB,CAA6B,KAAmB;IAC5E,MAAM,KAAK,GAAG,IAAI,GAAG,EAAU,CAAC;IAEhC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;QAErC,KAAK,MAAM,SAAS,IAAI,oBAAoB,EAAE,CAAC;YAC7C,IAAI,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;gBACjE,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;YAC5B,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,CAAC,GAAG,KAAK,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,CAAC;AACvD,CAAC;AAED,SAAS,iBAAiB,CACxB,KAAmB,EACnB,OAAuB;IAEvB,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;QAClB,OAAO;YACL,MAAM,EAAE,OAAO;YACf,KAAK,EAAE,EAAE;YACT,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,WAAW,EAAE,EAAE;SAChB,CAAC;IACJ,CAAC;IAED,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;QACnB,OAAO;YACL,MAAM,EAAE,QAAQ;YAChB,KAAK,EAAE,EAAE;YACT,KAAK,EAAE,EAAE;YACT,WAAW,EAAE,EAAE;SAChB,CAAC;IACJ,CAAC;IAED,OAAO;QACL,MAAM,EAAE,WAAW;QACnB,KAAK,EAAE,qBAAqB,CAAC,KAAK,CAAC;QACnC,KAAK,EAAE,EAAE;QACT,WAAW,EAAE,EAAE;KAChB,CAAC;AACJ,CAAC;AAED,SAAS,cAAc,CAAC,OAAuB,EAAE,QAA6B;IAC5E,OAAO,eAAe,CAAC;QACrB,MAAM,EAAE,QAAQ,CAAC,MAAM;QACvB,SAAS,EAAE,OAAO,CAAC,SAAS;QAC5B,IAAI,EAAE,OAAO,CAAC,IAAI;QAClB,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,QAAQ,EAAE,OAAO,CAAC,QAAQ;QAC1B,IAAI,EAAE,oBAAoB,CAAC,OAAO,CAAC,IAAI,CAAC;QACxC,QAAQ,EAAE,OAAO,CAAC,QAAQ;QAC1B,SAAS,EAAE,OAAO,CAAC,SAAS;QAC5B,OAAO,EAAE,OAAO,CAAC,OAAO;QACxB,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,IAAI,EAAE,OAAO,CAAC,IAAI;QAClB,KAAK,EAAE,QAAQ,CAAC,KAAK;QACrB,gBAAgB,EAAE,eAAe,CAAC,QAAQ,CAAC,KAAK,CAAC;QACjD,sBAAsB,EAAE,eAAe,CAAC,QAAQ,CAAC,WAAW,CAAC;QAC7D,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,KAAK,EAAE,OAAO,CAAC,KAAK;KACrB,CAAC,CAAC;AACL,CAAC;AAED,SAAS,sBAAsB,CAAC,OAAuB;IACrD,OAAO,IAAI,CAAC,SAAS,CAAC;QACpB,KAAK,EAAE,EAAE;QACT,WAAW,EAAE,EAAE;QACf,IAAI,EAAE,oBAAoB,CAAC,OAAO,CAAC,IAAI,CAAC;QACxC,QAAQ,EAAE,OAAO,CAAC,QAAQ;QAC1B,SAAS,EAAE,OAAO,CAAC,SAAS;QAC5B,OAAO,EAAE,OAAO,CAAC,OAAO;QACxB,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,IAAI,EAAE,OAAO,CAAC,IAAI;QAClB,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,QAAQ,EAAE,OAAO,CAAC,QAAQ;QAC1B,kBAAkB,EAAE,OAAO,CAAC,kBAAkB;QAC9C,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,KAAK,EAAE,OAAO,CAAC,KAAK;KACrB,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,cAAc,CAA6B,KAAmB,EAAE,OAAuB;IACpG,MAAM,QAAQ,GAAG,iBAAiB,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;IACnD,MAAM,QAAQ,GAAG,cAAc,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;IAEnD,MAAM,MAAM,GAAG,cAAc,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IAC5C,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,IAAI,QAAc,CAAC;IAEnB,IAAI,CAAC;QACH,IAAI,QAAQ,CAAC,MAAM,KAAK,QAAQ,EAAE,CAAC;YACjC,QAAQ,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC;gBAC9B,MAAM,EAAE,OAAO,CAAC,MAAO;gBACvB,QAAQ,EAAE,OAAO,CAAC,QAAQ;aAC3B,CAAC,CAAC;QACL,CAAC;aAAM,CAAC;YACN,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC;gBACxB,KAAK,EAAE,QAAQ,CAAC,KAAK;gBACrB,WAAW,EAAE,QAAQ,CAAC,WAAW;gBACjC,IAAI,EAAE,oBAAoB,CAAC,OAAO,CAAC,IAAI,CAAC;gBACxC,QAAQ,EAAE,OAAO,CAAC,QAAQ;gBAC1B,SAAS,EAAE,OAAO,CAAC,SAAS;gBAC5B,OAAO,EAAE,OAAO,CAAC,OAAO;gBACxB,MAAM,EAAE,OAAO,CAAC,MAAM;gBACtB,IAAI,EAAE,OAAO,CAAC,IAAI;gBAClB,MAAM,EAAE,OAAO,CAAC,MAAM;gBACtB,QAAQ,EAAE,OAAO,CAAC,QAAQ;gBAC1B,kBAAkB,EAAE,OAAO,CAAC,kBAAkB;gBAC9C,MAAM,EAAE,OAAO,CAAC,MAAM;gBACtB,KAAK,EAAE,OAAO,CAAC,KAAK;aACrB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,QAAQ,GAAG,sBAAsB,CAAC,OAAO,CAAC,CAAC;IAC7C,CAAC;IAED,cAAc,CAAC,GAAG,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;IAEvC,OAAO,QAAQ,CAAC;AAClB,CAAC;AAUD,MAAM,CAAC,KAAK,UAAU,OAAO,CAC3B,KAAc,EACd,OAAwB;IAExB,IAAI,OAAO,KAAK,SAAS,IAAI,gBAAgB,EAAE,CAAC;QAC9C,OAAO,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;YACzB,CAAC,CAAC,gBAAgB,CAAC,IAAI,CAAC,KAAK,CAAC;YAC9B,CAAC,CAAC,gBAAgB,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IACvC,CAAC;IAED,MAAM,iBAAiB,GAAG,OAAO,IAAI,EAAE,CAAC;IACxC,MAAM,KAAK,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC;IAClC,MAAM,QAAQ,GAAG,MAAM,cAAc,CAAC,KAAK,EAAE,iBAAiB,CAAC,CAAC;IAEhE,IAAI,OAAO,KAAK,SAAS,EAAE,CAAC;QAC1B,gBAAgB,GAAG,QAAQ,CAAC;IAC9B,CAAC;IAED,OAAO,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QACzB,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC;QACtB,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;AAC/B,CAAC;AAED,MAAM,UAAU,2BAA2B;IACzC,gBAAgB,GAAG,IAAI,CAAC;IACxB,cAAc,CAAC,KAAK,EAAE,CAAC;AACzB,CAAC"}

package/dist/browser/types.d.ts

@@ -0,0 +1,59 @@
+import type { LogLevel, NamedValidator, ValidationContext, Validator } from '../types/config.js';
+import type { OutputRule, Rule, RuleSeverity } from '../rules/types.js';
+import type { BudgetConfig, ToolCostMap } from '../core/budget.js';
+export type VetoMode = 'strict' | 'log';
+export interface GuardContext {
+    sessionId?: string;
+    agentId?: string;
+    userId?: string;
+    role?: string;
+}
+export interface GuardResult {
+    decision: 'allow' | 'deny' | 'require_approval';
+    reason?: string;
+    ruleId?: string;
+    severity?: RuleSeverity;
+    approvalId?: string;
+}
+export interface BrowserCloudPoliciesResponse {
+    policies: Rule[];
+    outputRules?: OutputRule[];
+}
+export interface BrowserCloudDecisionRequest {
+    tool_name: string;
+    arguments: Record<string, unknown>;
+    decision: 'allow' | 'deny';
+    reason?: string;
+    mode: 'deterministic';
+    latency_ms: number;
+    source: 'client';
+    context?: Record<string, unknown>;
+}
+export interface BrowserCloudClient {
+    fetchPolicies: () => Promise<BrowserCloudPoliciesResponse>;
+    logDecision: (request: BrowserCloudDecisionRequest) => void | Promise<void>;
+    dispose?: () => void;
+}
+export interface VetoBrowserOptions<TCloudClient = BrowserCloudClient> {
+    rules: Rule[];
+    outputRules?: OutputRule[];
+    mode?: VetoMode;
+    logLevel?: LogLevel;
+    sessionId?: string;
+    agentId?: string;
+    userId?: string;
+    role?: string;
+    validators?: (Validator | NamedValidator)[];
+    apiKey?: string;
+    endpoint?: string;
+    cloudClient?: TCloudClient;
+    onApprovalRequired?: (context: ValidationContext, approvalId: string) => void | Promise<void>;
+    budget?: BudgetConfig;
+    costs?: ToolCostMap;
+}
+export interface VetoFromCloudOptions {
+    apiKey: string;
+    endpoint?: string;
+    refreshIntervalMs?: number;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/browser/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/browser/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,QAAQ,EACR,cAAc,EACd,iBAAiB,EACjB,SAAS,EACV,MAAM,oBAAoB,CAAC;AAC5B,OAAO,KAAK,EAAE,UAAU,EAAE,IAAI,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AACxE,OAAO,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAEnE,MAAM,MAAM,QAAQ,GAAG,QAAQ,GAAG,KAAK,CAAC;AAExC,MAAM,WAAW,YAAY;IAC3B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,WAAW;IAC1B,QAAQ,EAAE,OAAO,GAAG,MAAM,GAAG,kBAAkB,CAAC;IAChD,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,YAAY,CAAC;IACxB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,4BAA4B;IAC3C,QAAQ,EAAE,IAAI,EAAE,CAAC;IACjB,WAAW,CAAC,EAAE,UAAU,EAAE,CAAC;CAC5B;AAED,MAAM,WAAW,2BAA2B;IAC1C,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACnC,QAAQ,EAAE,OAAO,GAAG,MAAM,CAAC;IAC3B,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,eAAe,CAAC;IACtB,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,QAAQ,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACnC;AAED,MAAM,WAAW,kBAAkB;IACjC,aAAa,EAAE,MAAM,OAAO,CAAC,4BAA4B,CAAC,CAAC;IAC3D,WAAW,EAAE,CAAC,OAAO,EAAE,2BAA2B,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC5E,OAAO,CAAC,EAAE,MAAM,IAAI,CAAC;CACtB;AAED,MAAM,WAAW,kBAAkB,CAAC,YAAY,GAAG,kBAAkB;IACnE,KAAK,EAAE,IAAI,EAAE,CAAC;IACd,WAAW,CAAC,EAAE,UAAU,EAAE,CAAC;IAC3B,IAAI,CAAC,EAAE,QAAQ,CAAC;IAChB,QAAQ,CAAC,EAAE,QAAQ,CAAC;IACpB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,UAAU,CAAC,EAAE,CAAC,SAAS,GAAG,cAAc,CAAC,EAAE,CAAC;IAC5C,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,WAAW,CAAC,EAAE,YAAY,CAAC;IAC3B,kBAAkB,CAAC,EAAE,CACnB,OAAO,EAAE,iBAAiB,EAC1B,UAAU,EAAE,MAAM,KACf,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC1B,MAAM,CAAC,EAAE,YAAY,CAAC;IACtB,KAAK,CAAC,EAAE,WAAW,CAAC;CACrB;AAED,MAAM,WAAW,oBAAoB;IACnC,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,iBAAiB,CAAC,EAAE,MAAM,CAAC;CAC5B"}

package/dist/browser/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.js.map

package/dist/browser/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/browser/types.ts"],"names":[],"mappings":""}

package/dist/browser/veto.d.ts

@@ -0,0 +1,74 @@
+import type { ValidationResult } from '../types/config.js';
+import { type HistoryStats } from '../core/history.js';
+import { type BudgetStatus } from '../core/budget.js';
+import { type OutputValidationResult } from '../core/output-validator.js';
+import { ToolCallDeniedError } from '../core/interceptor.js';
+import type { GuardContext, GuardResult, VetoBrowserOptions, VetoFromCloudOptions } from './types.js';
+export declare class Veto {
+    private readonly logger;
+    private readonly mode;
+    private readonly sessionId?;
+    private readonly agentId?;
+    private readonly userId?;
+    private readonly role?;
+    private readonly validators;
+    private readonly historyTracker;
+    private readonly budgetTracker;
+    private readonly outputValidator;
+    private readonly cloudClient;
+    private readonly onApprovalRequired?;
+    private rulesState;
+    private readonly compiledExpressionCache;
+    private refreshIntervalId;
+    private constructor();
+    static fromRules(options: VetoBrowserOptions): Veto;
+    static fromCloud(options: VetoFromCloudOptions): Promise<Veto>;
+    private setRefreshInterval;
+    private getRulesForTool;
+    private getOutputRulesForTool;
+    private resolveSessionId;
+    private resolveAgentId;
+    private resolveUserId;
+    private resolveRole;
+    private shouldApplyLogOverride;
+    private toRuleMetadata;
+    private normalizeAgentScope;
+    private matchesRuleAgents;
+    private evaluateExpression;
+    private buildEvaluationContext;
+    private validateLocal;
+    private runValidators;
+    private toGuardResult;
+    private reportDecision;
+    guard(toolName: string, args: Record<string, unknown>, context?: GuardContext): Promise<GuardResult>;
+    validateToolCall(call: {
+        id?: string;
+        name: string;
+        arguments: Record<string, unknown>;
+    }): Promise<{
+        allowed: boolean;
+        validationResult: ValidationResult;
+        originalCall: {
+            id?: string;
+            name: string;
+            arguments: Record<string, unknown>;
+        };
+        finalArguments: Record<string, unknown>;
+    }>;
+    private denyWithApprovalHook;
+    wrap<T extends {
+        name: string;
+    }>(tools: T[]): T[];
+    wrapTool<T extends {
+        name: string;
+    }>(tool: T): T;
+    validateOutput(toolName: string, output: unknown): OutputValidationResult;
+    refreshRules(): Promise<void>;
+    getHistoryStats(): HistoryStats;
+    clearHistory(): void;
+    getBudgetStatus(): BudgetStatus | null;
+    resetBudget(): void;
+    dispose(): void;
+}
+export { ToolCallDeniedError };
+//# sourceMappingURL=veto.d.ts.map

package/dist/browser/veto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"veto.d.ts","sourceRoot":"","sources":["../../src/browser/veto.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAGV,gBAAgB,EAEjB,MAAM,oBAAoB,CAAC;AAO5B,OAAO,EAAkB,KAAK,YAAY,EAAE,MAAM,oBAAoB,CAAC;AACvE,OAAO,EAAiB,KAAK,YAAY,EAAE,MAAM,mBAAmB,CAAC;AACrE,OAAO,EAAmB,KAAK,sBAAsB,EAAE,MAAM,6BAA6B,CAAC;AAC3F,OAAO,EAAE,mBAAmB,EAAE,MAAM,wBAAwB,CAAC;AAC7D,OAAO,KAAK,EAIV,YAAY,EACZ,WAAW,EACX,kBAAkB,EAClB,oBAAoB,EAErB,MAAM,YAAY,CAAC;AAmOpB,qBAAa,IAAI;IACf,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;IAChC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAW;IAChC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAS;IACpC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAS;IAClC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAS;IACjC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAS;IAC/B,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAmB;IAC9C,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAiB;IAChD,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAuB;IACrD,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAkB;IAClD,OAAO,CAAC,QAAQ,CAAC,WAAW,CAA4B;IACxD,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAC,CAGV;IAE1B,OAAO,CAAC,UAAU,CAAmB;IACrC,OAAO,CAAC,QAAQ,CAAC,uBAAuB,CAA8B;IACtE,OAAO,CAAC,iBAAiB,CAA+C;IAExE,OAAO;IAmCP,MAAM,CAAC,SAAS,CAAC,OAAO,EAAE,kBAAkB,GAAG,IAAI;WAKtC,SAAS,CAAC,OAAO,EAAE,oBAAoB,GAAG,OAAO,CAAC,IAAI,CAAC;IAkBpE,OAAO,CAAC,kBAAkB;IAmB1B,OAAO,CAAC,eAAe;IAKvB,OAAO,CAAC,qBAAqB;IAK7B,OAAO,CAAC,gBAAgB;IAIxB,OAAO,CAAC,cAAc;IAItB,OAAO,CAAC,aAAa;IAIrB,OAAO,CAAC,WAAW;IAInB,OAAO,CAAC,sBAAsB;IAI9B,OAAO,CAAC,cAAc;IAStB,OAAO,CAAC,mBAAmB;IAI3B,OAAO,CAAC,iBAAiB;IAYzB,OAAO,CAAC,kBAAkB;IAsB1B,OAAO,CAAC,sBAAsB;IAgB9B,OAAO,CAAC,aAAa;YA+FP,aAAa;IAmB3B,OAAO,CAAC,aAAa;IAiCrB,OAAO,CAAC,cAAc;IA0BhB,KAAK,CACT,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC7B,OAAO,GAAE,YAAiB,GACzB,OAAO,CAAC,WAAW,CAAC;IA4BjB,gBAAgB,CAAC,IAAI,EAAE;QAC3B,EAAE,CAAC,EAAE,MAAM,CAAC;QACZ,IAAI,EAAE,MAAM,CAAC;QACb,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;KACpC,GAAG,OAAO,CAAC;QACV,OAAO,EAAE,OAAO,CAAC;QACjB,gBAAgB,EAAE,gBAAgB,CAAC;QACnC,YAAY,EAAE;YAAE,EAAE,CAAC,EAAE,MAAM,CAAC;YAAC,IAAI,EAAE,MAAM,CAAC;YAAC,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;SAAE,CAAC;QAChF,cAAc,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;KACzC,CAAC;YAsBY,oBAAoB;IAqBlC,IAAI,CAAC,CAAC,SAAS;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,EAAE,KAAK,EAAE,CAAC,EAAE,GAAG,CAAC,EAAE;IAIjD,QAAQ,CAAC,CAAC,SAAS;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,EAAE,IAAI,EAAE,CAAC,GAAG,CAAC;IA8EhD,cAAc,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,GAAG,sBAAsB;IAInE,YAAY,IAAI,OAAO,CAAC,IAAI,CAAC;IAUnC,eAAe,IAAI,YAAY;IAI/B,YAAY,IAAI,IAAI;IAIpB,eAAe,IAAI,YAAY,GAAG,IAAI;IAItC,WAAW,IAAI,IAAI;IAInB,OAAO,IAAI,IAAI;CAQhB;AAED,OAAO,EAAE,mBAAmB,EAAE,CAAC"}