/** * IBAC Adapter — Intent-Based Access Control Bridge * * Bridges Ken Huang's IBAC framework (CSA MAESTRO, OWASP AIVSS, ITU ANS) * into APS enforcement. IBAC defines the intent. APS proves it was enforced. * * Pipeline: Intent → Scope mapping → Delegation check → Signed receipt */ import type { Delegation, ActionReceipt, SignedPassport } from '../types/passport.js'; export interface IBACIntent { task: string; subject: { id: string; role?: string; }; actions: IBACAction[]; constraints?: Record; timestamp: string; } export interface IBACAction { verb: string; resource: string; constraints?: Record; } export interface IBACTuple { principal: string; action: string; resource: string; constraints?: Record; } export interface IBACEvaluationResult { intent: IBACIntent; delegation: Delegation; tupleResults: Array<{ tuple: IBACTuple; authorized: boolean; scope: string; reason: string; }>; receipt: ActionReceipt; } /** * Convert IBAC intent to APS delegation scope strings. * Maps verb+resource to hierarchical scope: `prefix:resource` */ export declare function ibacIntentToScope(intent: IBACIntent): string[]; /** * Convert IBAC tuples to an APS delegation. * Each tuple becomes a scope entry in the delegation. */ export declare function ibacTuplesToDelegation(tuples: IBACTuple[], principalKey: string, agentKey: string, privateKey: string, opts?: { expiresInHours?: number; spendLimit?: number; }): Delegation; /** * Evaluate IBAC tuples against an existing APS delegation. * Returns per-tuple authorized/denied with reason. */ export declare function evaluateIBACTuples(tuples: IBACTuple[], delegation: Delegation): { tupleResults: Array<{ tuple: IBACTuple; authorized: boolean; scope: string; reason: string; }>; }; /** * Full pipeline: intent → scope mapping → evaluation → signed receipt. * IBAC defines the intent. APS proves it was enforced. */ export declare function governIBACIntent(intent: IBACIntent, config: { passport: SignedPassport; delegation: Delegation; privateKey: string; onReceipt?: (r: ActionReceipt) => void; }): IBACEvaluationResult; //# sourceMappingURL=ibac.d.ts.map