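/**
 * aps.txt — Site-Wide Governance Declaration
 *
 * Like robots.txt but for AI governance. A file at yourdomain.com/aps.txt
 * declares site-wide governance: publisher identity, default terms,
 * revocation endpoint, and MCP upgrade path.
 *
 * Any agent visiting any page on the domain checks aps.txt first.
 * One file governs the entire site.
 *
 * Format: JSON, signed with Ed25519, served at /.well-known/aps.txt or /aps.txt
 *
 * Notes for consumers:
 * - The document is fetched from the site it describes, so every field
 *   (including publisher_did and the endpoint URLs) is untrusted input until
 *   the signature has been checked against a key obtained independently of
 *   the document itself.
 * - Two serving locations are listed above. NOTE(review): which one takes
 *   precedence when both exist is not stated in this file.
 * - These are declarations only; statements about runtime behaviour below are
 *   taken from the existing comments or marked as assumptions to confirm.
 */
import type { GovernanceBlock, GovernanceTerms, RevocationPolicy } from './governance-block.js';

export interface ApsTxt {
  /** APS protocol identifier */
  '@context': 'https://aeoess.com/governance/v1';
  '@type': 'ApsTxt';
  /**
   * Domain this declaration covers.
   * Consumers should compare it with the origin the file was fetched from, so
   * that a validly signed document for one domain is not accepted on another.
   * NOTE(review): this declaration does not show whether verifyApsTxt does
   * that comparison.
   */
  domain: string;
  /**
   * Publisher's DID.
   * Self-asserted by the document; it only identifies the publisher once the
   * signature verifies under a key bound to this DID through another channel.
   */
  publisher_did: string;
  /** Publisher name (human-readable) */
  publisher_name: string;
  /** Default terms for all content on this domain */
  default_terms: GovernanceTerms;
  /** Default revocation policy */
  default_revocation_policy: RevocationPolicy;
  /**
   * URL for revocation status checks.
   * Taken from the document, so apply the agent's normal outbound-request
   * restrictions before contacting it.
   */
  revocation_endpoint?: string;
  /**
   * MCP endpoint for full enforcement channel.
   * Same caveat as revocation_endpoint: only follow it after the document has
   * been verified.
   */
  mcp_endpoint?: string;
  /** Per-path overrides (e.g. /api/* has different terms than /blog/*) */
  path_overrides?: PathOverride[];
  /**
   * When this declaration was generated.
   * No expiry field is declared on this interface, so a consumer that wants to
   * reject stale or rolled-back copies has to compare this timestamp itself.
   * NOTE(review): the timestamp format is not specified here — confirm.
   */
  generated_at: string;
  /**
   * Ed25519 signature.
   * NOTE(review): the encoding and the exact bytes covered by the signature
   * (field set, canonicalisation) are not visible in this declaration.
   */
  signature: string;
}

export interface PathOverride {
  /**
   * Glob pattern (e.g. "/api/*", "/blog/*", "/data/**").
   * NOTE(review): precedence between overlapping patterns and any path
   * normalisation (dot segments, percent-encoding, case) applied before
   * matching are not specified here; callers should normalise the request
   * path before resolving terms.
   */
  pattern: string;
  /** Terms override for this path */
  terms: GovernanceTerms;
  /** Optional revocation policy override */
  revocation_policy?: RevocationPolicy;
  /**
   * Optional DID pattern for agent-specific terms (e.g. "did:meeet:*", "did:aps:*", "did:*")
   * Source: alxvasilevvv on openclaw#49971 — 1,020 MEEET agents need method-level matching
   *
   * The DID matched against this pattern is supplied by the caller of
   * resolveTermsForPath; it should be an identity the agent has proven, not
   * merely claimed, before it selects more permissive terms.
   */
  user_agent?: string;
}

/** Inputs for building and signing an aps.txt document. */
export interface GenerateApsTxtInput {
  domain: string;
  publisherName: string;
  publicKey: string;
  /** Signing key material; keep this object out of logs and error reports. */
  privateKey: string;
  defaultTerms: GovernanceTerms;
  defaultRevocationPolicy?: RevocationPolicy;
  revocationEndpoint?: string;
  mcpEndpoint?: string;
  pathOverrides?: PathOverride[];
}

/**
 * Build an ApsTxt document from the given input.
 * NOTE(review): there is no DID input field, so publisher_did is presumably
 * derived from publicKey — confirm against the implementation.
 */
export declare function generateApsTxt(input: GenerateApsTxtInput): ApsTxt;

export interface VerifyApsTxtOptions {
  /**
   * When true, unsigned or unverifiable aps.txt returns { valid: false, reason: 'UNSIGNED' }.
   * NOTE(review): the result for such documents when this is false or omitted
   * is not declared here; callers making an access decision should set it to
   * true explicitly.
   */
  strict?: boolean;
}

export interface VerifyApsTxtResult {
  valid: boolean;
  errors: string[];
  /** Set when strict mode rejects an unsigned/unverifiable document */
  reason?: 'UNSIGNED';
}

/**
 * Verify an aps.txt document.
 *
 * @param doc - Parsed document to check.
 * @param publicKey - Publisher key to verify the signature against. It is
 *   optional in the signature; pass a key obtained independently of `doc`,
 *   since a key taken from the same file proves nothing about who wrote it.
 * @param options - See VerifyApsTxtOptions.
 * @returns Validity flag, collected error strings, and the strict-mode reason.
 */
export declare function verifyApsTxt(
  doc: ApsTxt,
  publicKey?: string,
  options?: VerifyApsTxtOptions,
): VerifyApsTxtResult;

/**
 * Resolve terms for a specific path using aps.txt path overrides.
 * Falls back to default_terms if no override matches.
 *
 * Takes no key and returns no verification status, so it cannot report
 * whether `doc` was signed; use enforceApsTxt when the result feeds an
 * access decision on a document that has not been verified yet.
 */
export declare function resolveTermsForPath(
  doc: ApsTxt,
  path: string,
  agentDid?: string,
): GovernanceTerms;

/**
 * Serialize aps.txt to a JSON string ready to serve as a file.
 */
export declare function serializeApsTxt(doc: ApsTxt): string;

/**
 * Parse an aps.txt JSON string back to an object.
 *
 * Returns null on failure. NOTE(review): whether the fields are
 * schema-validated or the parsed JSON is simply typed as ApsTxt is not
 * visible here; treat the result as unverified remote input either way.
 */
export declare function parseApsTxt(content: string): ApsTxt | null;

/**
 * Generate HTTP response headers for governance.
 * Works for ANY response type — HTML, JSON, images, PDFs.
 *
 * NOTE(review): the extracted declaration carried a bare `Record` with no type
 * arguments, which does not type-check; string-to-string is assumed here —
 * confirm against the implementation. If block fields can contain
 * caller-supplied text, confirm that CR/LF cannot reach a header value.
 */
export declare function governanceHeaders(block: GovernanceBlock): Record<string, string>;

/**
 * Parse governance from HTTP response headers.
 *
 * Takes no key or content argument, so the returned block still has to be
 * verified by the caller. NOTE(review): the header map type is reconstructed
 * as for governanceHeaders, and whether header-name lookup is
 * case-insensitive is not visible here.
 */
export declare function parseGovernanceHeaders(
  headers: Record<string, string>,
): GovernanceBlock | null;

export interface ChainedGovernanceBlock extends GovernanceBlock {
  /** Reference to the parent governance block this is derived from */
  parent_block_hash: string;
  /** What type of derivation (summary, embedding, rag_chunk, etc.) */
  derivation_type: string;
  /** The derivative agent's DID (different from original publisher) */
  derivative_agent_did: string;
}

/**
 * Create a chained governance block for derivative content.
 * The derivative carries its own governance AND the chain back to the source.
 */
export declare function createChainedGovernanceBlock(input: {
  /** The derivative content */
  content: string;
  /** The derivative agent's keys */
  publicKey: string;
  privateKey: string;
  /** Terms the derivative is published under */
  terms: GovernanceTerms;
  /** The original governance block this derives from */
  parentBlock: GovernanceBlock;
  /** Type of derivation */
  derivationType: string;
  revocationPolicy?: RevocationPolicy;
}): ChainedGovernanceBlock;

/**
 * Verify a chained governance block, including parent hash consistency.
 *
 * `parentBlock` is optional. NOTE(review): what `chainValid` reports when it
 * is omitted, and whether the parent's own signature is checked, are not
 * visible here; callers that rely on provenance should pass the parent and
 * require both `valid` and `chainValid`.
 */
export declare function verifyChainedBlock(
  chain: ChainedGovernanceBlock,
  content: string,
  derivativePublicKey: string,
  parentBlock?: GovernanceBlock,
): {
  valid: boolean;
  chainValid: boolean;
  errors: string[];
};

/**
 * AV-2 Fix: Strict aps.txt enforcement.
 * Verifies signature before resolving path terms.
 * unsigned aps.txt → warning or block depending on mode.
 *
 * Source: MoltyCel on qntm#7 — unsigned aps.txt can be replaced
 * by a compromised repo. DID-signed aps.txt prevents this.
 */
export type ApsTxtEnforcementMode = 'permissive' | 'warn' | 'strict';

export interface ApsTxtEnforcementResult {
  /** Whether the agent should proceed */
  allowed: boolean;
  /** Resolved governance terms for the requested path */
  terms: GovernanceTerms | null;
  /** Warning if aps.txt is unsigned or unverifiable */
  warning?: string;
  /** Error if strict mode blocks access */
  error?: string;
  /**
   * Whether the aps.txt signature was verified.
   * Check this alongside `allowed`: the permissive and warn modes allow
   * unsigned documents, so `allowed` alone does not imply authenticity.
   */
  signatureVerified: boolean;
}

/**
 * Verify an aps.txt document and resolve the terms for `path` in one step.
 *
 * Every option is optional. NOTE(review): the default mode is not visible in
 * this declaration; set `mode` explicitly rather than relying on it.
 */
export declare function enforceApsTxt(
  doc: ApsTxt,
  path: string,
  opts?: {
    /** Publisher's public key for signature verification */
    publisherPublicKey?: string;
    /** Enforcement mode: permissive (allow unsigned), warn (allow with warning), strict (block unsigned) */
    mode?: ApsTxtEnforcementMode;
    /** Trust threshold (0-1). Below this, restrictive aps.txt produces warning instead of block (AV-4 DoS fix) */
    trustThreshold?: number;
    /**
     * Publisher's trust score (0-1). If below trustThreshold, warn instead of block.
     * Supplied by the caller, so it should come from the caller's own
     * reputation source and never from the document being evaluated.
     */
    publisherTrustScore?: number;
  },
): ApsTxtEnforcementResult;

export type ApsTxtRiskLevel = 'low' | 'medium' | 'high';

export interface ApsTxtRiskResult {
  risk: ApsTxtRiskLevel;
  warnings: string[];
}

/**
 * Evaluate the risk level of an aps.txt document.
 * Flags suspicious patterns that may indicate DoS or manipulation.
 *
 * - Blanket block (all usage prohibited for wildcard agents) → high risk
 * - Unsigned restrictive rules → medium risk
 * - Unknown author with restrictive rules → medium risk
 * - Signed, non-restrictive → low risk
 */
export declare function evaluateApsTxtRisk(
  doc: ApsTxt,
  opts?: {
    /** Publisher's public key for signature verification */
    publisherPublicKey?: string;
  },
): ApsTxtRiskResult;
//# sourceMappingURL=aps-txt.d.ts.map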