Receive rust sidecar

.github/workflows/update-sidecar-binaries.yml

@@ -0,0 +1,184 @@
+name: Update Sidecar Binaries
+
+on:
+  repository_dispatch:
+    types: [sidecar-release]
+  workflow_dispatch:
+    inputs:
+      version:
+        description: 'Sidecar version tag (e.g., v0.1.0)'
+        required: true
+        type: string
+
+env:
+  SIDECAR_REPO: PredicateSystems/predicate-authority-sidecar
+
+jobs:
+  update-binaries:
+    name: Update ${{ matrix.platform }} binary
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        include:
+          - platform: darwin-arm64
+            artifact: predicate-authorityd-darwin-arm64.tar.gz
+            binary_name: predicate-authorityd
+          - platform: darwin-x64
+            artifact: predicate-authorityd-darwin-x64.tar.gz
+            binary_name: predicate-authorityd
+          - platform: linux-x64
+            artifact: predicate-authorityd-linux-x64.tar.gz
+            binary_name: predicate-authorityd
+          - platform: linux-arm64
+            artifact: predicate-authorityd-linux-arm64.tar.gz
+            binary_name: predicate-authorityd
+          - platform: win32-x64
+            artifact: predicate-authorityd-windows-x64.zip
+            binary_name: predicate-authorityd.exe
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Get version
+        id: version
+        run: |
+          if [ "${{ github.event_name }}" = "repository_dispatch" ]; then
+            VERSION="${{ github.event.client_payload.version }}"
+          else
+            VERSION="${{ inputs.version }}"
+          fi
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+          echo "Using sidecar version: $VERSION"
+
+      - name: Download sidecar binary
+        run: |
+          VERSION="${{ steps.version.outputs.version }}"
+          ARTIFACT="${{ matrix.artifact }}"
+          DOWNLOAD_URL="https://github.com/${{ env.SIDECAR_REPO }}/releases/download/${VERSION}/${ARTIFACT}"
+
+          echo "Downloading from: $DOWNLOAD_URL"
+          curl -fsSL -o "$ARTIFACT" "$DOWNLOAD_URL" || {
+            echo "Failed to download $ARTIFACT"
+            exit 1
+          }
+
+      - name: Extract and place binary
+        run: |
+          ARTIFACT="${{ matrix.artifact }}"
+          BINARY="${{ matrix.binary_name }}"
+          PLATFORM="${{ matrix.platform }}"
+          TARGET_DIR="packages/authorityd-${PLATFORM}/bin"
+
+          mkdir -p "$TARGET_DIR"
+
+          if [[ "$ARTIFACT" == *.tar.gz ]]; then
+            tar -xzf "$ARTIFACT"
+          else
+            unzip -o "$ARTIFACT"
+          fi
+
+          mv "$BINARY" "$TARGET_DIR/"
+          chmod +x "$TARGET_DIR/$BINARY" || true
+
+          echo "Binary placed at: $TARGET_DIR/$BINARY"
+          ls -la "$TARGET_DIR/"
+
+      - name: Upload platform artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: authorityd-${{ matrix.platform }}
+          path: packages/authorityd-${{ matrix.platform }}/bin/
+
+  publish-packages:
+    name: Publish npm packages
+    needs: update-binaries
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      id-token: write
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          registry-url: 'https://registry.npmjs.org'
+
+      - name: Download all platform binaries
+        uses: actions/download-artifact@v4
+        with:
+          path: downloaded-artifacts
+
+      - name: Place binaries in packages
+        run: |
+          for platform in darwin-arm64 darwin-x64 linux-x64 linux-arm64 win32-x64; do
+            mkdir -p "packages/authorityd-${platform}/bin"
+            cp -r "downloaded-artifacts/authorityd-${platform}/"* "packages/authorityd-${platform}/bin/" || true
+            ls -la "packages/authorityd-${platform}/bin/" || true
+          done
+
+      - name: Get version
+        id: version
+        run: |
+          if [ "${{ github.event_name }}" = "repository_dispatch" ]; then
+            VERSION="${{ github.event.client_payload.version }}"
+          else
+            VERSION="${{ inputs.version }}"
+          fi
+          # Remove 'v' prefix if present
+          VERSION="${VERSION#v}"
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+
+      - name: Update package versions
+        run: |
+          VERSION="${{ steps.version.outputs.version }}"
+
+          # Update all authorityd package versions
+          for pkg in packages/authorityd packages/authorityd-darwin-arm64 packages/authorityd-darwin-x64 packages/authorityd-linux-x64 packages/authorityd-linux-arm64 packages/authorityd-win32-x64; do
+            if [ -f "$pkg/package.json" ]; then
+              jq --arg v "$VERSION" '.version = $v' "$pkg/package.json" > tmp.json && mv tmp.json "$pkg/package.json"
+              echo "Updated $pkg to version $VERSION"
+            fi
+          done
+
+          # Update optionalDependencies versions in main authorityd package
+          jq --arg v "$VERSION" '
+            .optionalDependencies |= with_entries(.value = $v)
+          ' packages/authorityd/package.json > tmp.json && mv tmp.json packages/authorityd/package.json
+
+      - name: Build main authorityd package
+        working-directory: packages/authorityd
+        run: |
+          npm install
+          npm run build
+
+      - name: Publish platform packages
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+        run: |
+          for platform in darwin-arm64 darwin-x64 linux-x64 linux-arm64 win32-x64; do
+            pkg="packages/authorityd-${platform}"
+            if [ -f "$pkg/package.json" ]; then
+              echo "Publishing $pkg..."
+              cd "$pkg"
+              npm publish --access public --provenance || echo "Failed to publish $pkg (may already exist)"
+              cd ../..
+            fi
+          done
+
+      - name: Publish main authorityd package
+        working-directory: packages/authorityd
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+        run: npm publish --access public --provenance
+
+      - name: Create commit with updated versions
+        run: |
+          VERSION="${{ steps.version.outputs.version }}"
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          git add packages/*/package.json
+          git commit -m "chore: update sidecar packages to v${VERSION}" || echo "No changes to commit"
+          git push

README.md

@@ -5,8 +5,7 @@
 [![License](https://img.shields.io/badge/License-MIT%2FApache--2.0-blue.svg)](LICENSE)
 [![npm](https://img.shields.io/npm/v/@predicatesystems/authority.svg)](https://www.npmjs.com/package/@predicatesystems/authority)
 
-`@predicatesystems/authority` is the TypeScript SDK companion to the Python
-`predicate-authorityd` sidecar from [predicate-authority (Python)](https://github.com/PredicateSystems/predicate-authority). It keeps authority
+`@predicatesystems/authority` is the TypeScript SDK for Predicate Authority. It keeps authority
 decisions in the sidecar and gives Node/TS runtimes a thin, typed client for
 fail-closed pre-execution checks.
 
@@ -33,38 +32,71 @@ This TS repository currently focuses on:
 Out of scope for this package:
 
 - re-implementing policy engine or mandate logic in TypeScript,
-- replacing Python sidecar/control-plane authority logic.
+- replacing sidecar/control-plane authority logic.
 
-## Known Python Parity Baseline
+## Installation
+
+```bash
+npm install @predicatesystems/authority
+```
 
-This package targets compatibility with the current Python authority baseline in
-[predicate-authority (Python)](https://github.com/PredicateSystems/predicate-authority):
+### Sidecar Prerequisite
 
-- sidecar authorize route: `POST /v1/authorize` (`/authorize` compat alias),
-- mandate/token baseline: ES256-default signing + standard JWT claim envelope,
-- revocation baseline: explicit cascade semantics and global kill-switch runtime behavior,
-- control-plane baseline: long-poll policy/revocation sync (runtime baseline),
-- control-plane write hardening: replay freshness headers/signature support on Python client paths.
+This SDK requires the **Predicate Authority Sidecar** daemon to be running. The sidecar is a lightweight Rust binary that handles policy evaluation and mandate signing.
 
-The TS SDK should preserve compatibility with these runtime behaviors before
-adding TS-specific extensions.
+| Resource | Link |
+|----------|------|
+| Sidecar Repository | [rust-predicate-authorityd](https://github.com/PredicateSystems/predicate-authority-sidecar) |
+| Download Binaries | [Latest Releases](https://github.com/PredicateSystems/predicate-authority-sidecar/releases) |
+| License | MIT / Apache 2.0 |
 
-## Installation
+### Quick Sidecar Setup
 
 ```bash
-npm install @predicatesystems/authority
+# Download the latest release for your platform
+# Linux x64, macOS x64/ARM64, Windows x64 available
+
+# Extract and run
+tar -xzf predicate-authorityd-*.tar.gz
+chmod +x predicate-authorityd
+
+# Start with a policy file (local mode)
+./predicate-authorityd run --port 8787 --mode local_only --policy-file policy.json
 ```
 
-### Sidecar Prerequisite
+### Cloud-connected sidecar (control-plane sync)
 
-This SDK requires the Predicate Authority sidecar running locally. Install and start it:
+Connect the sidecar to Predicate Authority control-plane for policy sync, revocation push, and audit forwarding:
 
 ```bash
-# Install via pip (requires Python 3.11+)
-pip install predicate-authority
+export PREDICATE_API_KEY="your-api-key"
+
+./predicate-authorityd run \
+  --host 127.0.0.1 \
+  --port 8787 \
+  --mode cloud_connected \
+  --control-plane-url https://api.predicatesystems.dev \
+  --tenant-id your-tenant \
+  --project-id your-project \
+  --predicate-api-key $PREDICATE_API_KEY \
+  --sync-enabled
+```
 
-# Start the sidecar
-predicate-authorityd --port 8787
+### Local IdP mode (development/air-gapped)
+
+For development or air-gapped environments without external IdP:
+
+```bash
+export LOCAL_IDP_SIGNING_KEY="replace-with-strong-secret"
+
+./predicate-authorityd run \
+  --host 127.0.0.1 \
+  --port 8787 \
+  --mode local_only \
+  --policy-file policy.json \
+  --identity-mode local-idp \
+  --local-idp-issuer "http://localhost/predicate-local-idp" \
+  --local-idp-audience "api://predicate-authority"
 ```
 
 ## Quick Start

packages/authorityd-darwin-arm64/bin/.gitkeep

@@ -0,0 +1 @@
+# Binary placeholder - populated by CI from rust-predicate-authorityd releases

packages/authorityd-darwin-arm64/package.json

@@ -0,0 +1,18 @@
+{
+  "name": "@predicatesystems/authorityd-darwin-arm64",
+  "version": "0.1.0",
+  "description": "Predicate Authority Sidecar binary for macOS ARM64 (Apple Silicon)",
+  "license": "(MIT OR Apache-2.0)",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/PredicateSystems/ts-predicate-authority.git",
+    "directory": "packages/authorityd-darwin-arm64"
+  },
+  "os": ["darwin"],
+  "cpu": ["arm64"],
+  "files": ["bin"],
+  "preferUnplugged": true,
+  "publishConfig": {
+    "access": "public"
+  }
+}

packages/authorityd-darwin-x64/bin/.gitkeep

@@ -0,0 +1 @@
+# Binary placeholder - populated by CI from rust-predicate-authorityd releases

packages/authorityd-darwin-x64/package.json

@@ -0,0 +1,18 @@
+{
+  "name": "@predicatesystems/authorityd-darwin-x64",
+  "version": "0.1.0",
+  "description": "Predicate Authority Sidecar binary for macOS x64 (Intel)",
+  "license": "(MIT OR Apache-2.0)",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/PredicateSystems/ts-predicate-authority.git",
+    "directory": "packages/authorityd-darwin-x64"
+  },
+  "os": ["darwin"],
+  "cpu": ["x64"],
+  "files": ["bin"],
+  "preferUnplugged": true,
+  "publishConfig": {
+    "access": "public"
+  }
+}

packages/authorityd-linux-arm64/bin/.gitkeep

@@ -0,0 +1 @@
+# Binary placeholder - populated by CI from rust-predicate-authorityd releases

packages/authorityd-linux-arm64/package.json

@@ -0,0 +1,18 @@
+{
+  "name": "@predicatesystems/authorityd-linux-arm64",
+  "version": "0.1.0",
+  "description": "Predicate Authority Sidecar binary for Linux ARM64",
+  "license": "(MIT OR Apache-2.0)",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/PredicateSystems/ts-predicate-authority.git",
+    "directory": "packages/authorityd-linux-arm64"
+  },
+  "os": ["linux"],
+  "cpu": ["arm64"],
+  "files": ["bin"],
+  "preferUnplugged": true,
+  "publishConfig": {
+    "access": "public"
+  }
+}

packages/authorityd-linux-x64/bin/.gitkeep

@@ -0,0 +1 @@
+# Binary placeholder - populated by CI from rust-predicate-authorityd releases

packages/authorityd-linux-x64/package.json

@@ -0,0 +1,18 @@
+{
+  "name": "@predicatesystems/authorityd-linux-x64",
+  "version": "0.1.0",
+  "description": "Predicate Authority Sidecar binary for Linux x64",
+  "license": "(MIT OR Apache-2.0)",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/PredicateSystems/ts-predicate-authority.git",
+    "directory": "packages/authorityd-linux-x64"
+  },
+  "os": ["linux"],
+  "cpu": ["x64"],
+  "files": ["bin"],
+  "preferUnplugged": true,
+  "publishConfig": {
+    "access": "public"
+  }
+}

packages/authorityd-win32-x64/bin/.gitkeep

@@ -0,0 +1 @@
+# Binary placeholder - populated by CI from rust-predicate-authorityd releases

packages/authorityd-win32-x64/package.json

@@ -0,0 +1,18 @@
+{
+  "name": "@predicatesystems/authorityd-win32-x64",
+  "version": "0.1.0",
+  "description": "Predicate Authority Sidecar binary for Windows x64",
+  "license": "(MIT OR Apache-2.0)",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/PredicateSystems/ts-predicate-authority.git",
+    "directory": "packages/authorityd-win32-x64"
+  },
+  "os": ["win32"],
+  "cpu": ["x64"],
+  "files": ["bin"],
+  "preferUnplugged": true,
+  "publishConfig": {
+    "access": "public"
+  }
+}