/**
 * Per-koi world-model: structured context the koi reads on every model call so
 * it can reason about resource ownership before acting.
 *
 * Motivation: kois have full tool access (exec, AWS CLI, SSH, curl). Without an
 * explicit ownership model they cannot tell their own runtime instance from the
 * user's production. Cross-account / cross-tenant action incidents are the
 * direct consequence. The world-model gives the koi a stable, queryable answer
 * to "is this target self / user / unknown?" before any tool call.
 *
 * The renderer emits this as a JSON block inside `...`
 * tags injected into the system prompt. The koi's behavior contract (in the
 * system prompt) tells it to consult the world-model before acting.
 *
 * This file only declares the shape; the renderer, the population code and the
 * value of `DEFAULT_SELF_POLICY` live elsewhere and are not visible here.
 * Because every string field below is rendered verbatim into the system
 * prompt, free-text fields (labels, notes, thread text, discovery provenance)
 * should be treated by the renderer as data rather than as instructions —
 * NOTE(review): confirm the renderer escapes or delimits them.
 */

/**
 * How a credential in scope was consented to. The names describe the grant;
 * the enforcement semantics belong to the consumer of `CredentialEntry`.
 * `"revoked"` is the terminal state and should override any permissive flags.
 */
export type ConsentState = "single_use_granted" | "shared_for_diagnostic_only" | "persistent_with_consent" | "revoked";

/** Category of a credential the koi holds. `"other"` is the catch-all. */
export type CredentialKind = "github_pat" | "ssh_private_key" | "db_password" | "api_key" | "aws_keys" | "oauth_token" | "other";

/** Category of a user-owned resource. `"other"` is the catch-all. */
export type ResourceKind = "ec2" | "s3_bucket" | "github_repo" | "postgres" | "domain" | "api_endpoint" | "aws_account" | "other";

/**
 * Blast-radius classification of a resource. `"UNKNOWN"` is the value a
 * consumer should fall back to when `UserResource.criticality` is absent.
 */
export type Criticality = "PRODUCTION" | "STAGING" | "DEV" | "UNKNOWN";

/**
 * Identity of the koi's own runtime instance. These are the facts the koi
 * compares a tool-call target against to decide "is this me?". Every field is
 * optional; an absent field means the comparison cannot be made on that axis.
 */
export type SelfRuntime = {
  /** Cloud instance id of the koi's own VM/container, if known. */
  instance_id?: string;
  instance_type?: string;
  /** Public address of this runtime; lets the koi recognise itself in SSH/curl targets. */
  public_ip?: string;
  /** Account the koi itself runs in — distinct from any `UserResource.aws_account`. */
  aws_account?: string;
  /** Role the koi's own instance assumes. */
  iam_role?: string;
  /** Timestamp string; format not fixed here — presumably ISO 8601, confirm with the renderer. */
  uptime_started?: string;
  /** True when the instance is disposable; absence should not be read as "ephemeral". */
  ephemeral?: boolean;
  /** Free-text owner label of the runtime. */
  owned_by?: string;
};

/**
 * Rules the koi applies to itself and to targets it cannot classify.
 * The default instance is `DEFAULT_SELF_POLICY`.
 */
export type SelfPolicy = {
  /** Whether the koi may change its own runtime (install, reconfigure, restart). */
  may_modify_self: boolean;
  /**
   * Action names that always require user confirmation. Free-form strings;
   * matching against tool calls is done by the consumer, not declared here.
   */
  must_confirm_before: string[];
  /**
   * What to do when a target is neither `self` nor a listed user resource.
   * `"proceed"` is the permissive setting and contradicts the default-deny
   * stance documented on `DEFAULT_SELF_POLICY`; it should only ever appear as
   * an explicit per-koi override — NOTE(review): confirm the default is never `"proceed"`.
   */
  default_for_unknown_target: "ask_user" | "skip" | "proceed";
};

/** Everything the koi knows about itself. `policy` is the only required part. */
export type Self = {
  koi_id?: string;
  org_id?: string;
  plan?: string;
  model?: string;
  /** Identity of the koi's own instance; see `SelfRuntime`. */
  runtime?: SelfRuntime;
  policy: SelfPolicy;
};

/** Whether the user is around to answer questions or notice actions. */
export type UserPresence = {
  /** Timestamp string of the user's most recent message. */
  last_user_message_at?: string;
  minutes_since_last_message?: number;
  currently_active?: boolean;
  /** Channel the user last spoke on (free text). */
  channel?: string;
};

/**
 * User identity and context. All fields are optional and most are personal
 * data that ends up in the prompt; populate only what the koi needs for the
 * task (data minimisation) — `email` and `github` in particular.
 */
export type User = {
  id?: string;
  external_id?: string;
  display_name?: string;
  email?: string;
  github?: string;
  language?: string;
  locale?: string;
  timezone?: string;
  country?: string;
  company?: string;
  project?: string;
  role_at_company?: string;
  presence?: UserPresence;
};

/**
 * Clock context at render time. `now_utc` is the only required field; the
 * user-local fields depend on `User.timezone` being known.
 */
export type TimeBlock = {
  /** Wall-clock time at render, UTC. Format not fixed here — presumably ISO 8601. */
  now_utc: string;
  user_local_time?: string;
  /** Day of week in the user's zone (free text). */
  user_local_dow?: string;
  is_user_business_hours?: boolean;
  is_user_quiet_hours?: boolean;
};

/**
 * A resource that belongs to the user (or to a third party) rather than to
 * the koi. The ownership flags are deliberately optional: an absent
 * `owned_by_koi` or `criticality` means "unknown", not "false"/"DEV", and a
 * consumer should route such targets through `SelfPolicy.default_for_unknown_target`.
 */
export type UserResource = {
  /** Human label; free text rendered into the prompt. */
  label?: string;
  kind: ResourceKind;
  host?: string;
  url?: string;
  /** Account the resource lives in — compare with `SelfRuntime.aws_account` to rule out "self". */
  aws_account?: string;
  /** Free-text owner of `aws_account` (person/team/tenant). */
  account_owner?: string;
  /** Absent ⇒ treat as `"UNKNOWN"`. */
  criticality?: Criticality;
  /** True only when the koi itself created/owns this resource. Absent ⇒ unknown. */
  owned_by_koi?: boolean;
  /** Whether any `CredentialEntry` in scope grants access here. Absent ⇒ unknown. */
  koi_has_credentials?: boolean;
  /**
   * Provenance of this entry (free text). Presumably populated from discovery
   * or tool output — if so, it is untrusted text landing in the system prompt; verify the source.
   */
  discovered_via?: string;
  /** Timestamp string of the last time ownership/criticality was confirmed. */
  last_verified?: string;
  /** Free text rendered into the prompt. */
  notes?: string;
};

/**
 * A credential the koi currently holds. The three permission signals
 * (`consent_state`, `may_reuse_without_asking`, `may_use_for_writes`) are
 * independent fields; a consumer should require all of them to agree before a
 * write, and should treat `consent_state === "revoked"` as overriding both booleans.
 */
export type CredentialEntry = {
  /** Opaque identifier of the credential record — not the secret itself. */
  id: string;
  kind: CredentialKind;
  /** Who the credential belongs to; `"platform"` credentials are the koi's own. */
  owner: "user" | "platform" | "third_party";
  /** Free-text description of what the credential reaches. */
  scope?: string;
  /** Timestamp string of when the koi received it. */
  received_at?: string;
  consent_state: ConsentState;
  /** False ⇒ every use after the first needs a fresh user confirmation. */
  may_reuse_without_asking: boolean;
  /** False ⇒ read-only use regardless of what the credential technically permits. */
  may_use_for_writes: boolean;
  /**
   * Expiry timestamp string, `null`, or absent. `null` and `undefined` are
   * distinct values here — TODO confirm whether they are meant to differ
   * (e.g. "never expires" vs "unknown").
   */
  expires_at?: string | null;
};

/**
 * Audit record of a destructive action the koi already took. Rendered back
 * into the prompt so the koi can see its own recent blast radius.
 */
export type DestructiveActionEntry = {
  /** Timestamp string of the action. */
  at: string;
  /** Free-text description of what was done. */
  action: string;
  /** Ownership of the target as classified at the time of the action. */
  target_owned_by: "self" | "user" | "unknown";
  /** Whether the user explicitly approved this specific action beforehand. */
  had_explicit_consent: boolean;
};

/** Conversation state carried between turns. All members optional. */
export type SessionBlock = {
  /** Work items and who is expected to move them next. */
  open_threads?: Array<{
    id: string;
    /** Free-text status. */
    status: string;
    owner: "user" | "koi" | "blocked";
  }>;
  /** Questions the user asked that the koi has not yet addressed. `text` is rendered verbatim. */
  user_pending_questions_to_koi?: Array<{
    asked_at: string;
    text: string;
  }>;
  /** Questions the koi asked the user; `answered` distinguishes outstanding ones. */
  koi_pending_questions_to_user?: Array<{
    asked_at: string;
    text: string;
    answered: boolean;
  }>;
  /** Most recent destructive actions, for self-awareness of prior impact. */
  last_destructive_actions?: DestructiveActionEntry[];
};

/**
 * Configuration of unattended periodic runs. The single flag that gates
 * writes to user assets while nobody is watching is
 * `may_touch_user_resources_without_user_present`; `scope` narrows where the
 * heartbeat may act at all.
 */
export type HeartbeatBlock = {
  enabled: boolean;
  interval_minutes?: number;
  /** `"off"` disables acting; `"self_workspace_only_when_user_idle"` confines it to the koi's own space. */
  scope: "self_workspace_only_when_user_idle" | "full" | "off";
  /** Must be false unless the user has consented to unattended changes to their resources. */
  may_touch_user_resources_without_user_present: boolean;
};

/**
 * Root document rendered into the system prompt. `user_resources` and
 * `credentials_in_scope` are required (possibly empty) arrays so the koi can
 * distinguish "nothing known" from "section missing".
 */
export type WorldModel = {
  /** Literal `1`; bump together with any incompatible shape change. */
  schema_version: 1;
  /** Timestamp string of when this document was produced. */
  rendered_at: string;
  self: Self;
  user?: User;
  time: TimeBlock;
  user_resources: UserResource[];
  credentials_in_scope: CredentialEntry[];
  session?: SessionBlock;
  heartbeat?: HeartbeatBlock;
};

/**
 * Default policy applied to every koi unless explicitly overridden by config.
 * Captures the "default-deny on anything not self-owned" stance.
 *
 * Declared only; the concrete value is defined in the implementation module
 * and is not visible from this file.
 */
export declare const DEFAULT_SELF_POLICY: SelfPolicy;