Control Plane Contracts
@stendar/policy-contracts is the public package for SDK-safe trust contracts. It contains redacted summaries and validation schemas that can cross package and documentation boundaries without exposing private local-runtime or hosted-runtime DTOs.
What Is Public
Section titled “What Is Public”The package exports a versioned manifest:
import { DEFAULT_PUBLIC_TRUST_CONTRACT_MANIFEST, PublicTrustContractManifestSchema,} from '@stendar/policy-contracts';
const manifest = PublicTrustContractManifestSchema.parse(DEFAULT_PUBLIC_TRUST_CONTRACT_MANIFEST);Every manifest entry is public-only and disallows private DTOs. The default manifest covers these domains:
- policy
- action lifecycle
- audit verification
- controlled module/sandbox
- execution boundary
- governance
- wallet signing
- official package channel
- remote MCP
The public schemas are designed around summaries, hashes, readiness status, reason codes, public IDs, and sync-safe metadata.
What Stays Private
Section titled “What Stays Private”@stendar/control-plane, local-runtime shared packages, hosted service internals, raw wallet payloads, secret references, bearer credentials, private keys, local filesystem paths, and execution request internals are not public contracts.
The canonical private fixture example remains internal/examples/financial-agent-control-plane. Use it to understand local-runtime flow shape, not as a public SDK dependency.
Manifest Safety
Section titled “Manifest Safety”PublicTrustContractManifestSchema rejects duplicate schema IDs and duplicate export names. It also validates manifest text and metadata using the same sync-safe metadata patterns used by the package’s public schemas.
This makes the manifest useful for docs generation, public example smoke tests, and downstream SDK allowlists without turning private implementation objects into public API.