@agentbouncr/core 0.1.0

package/LICENSE

@@ -0,0 +1,93 @@
+Elastic License 2.0 (ELv2)
+
+Copyright 2026 Aventilis UG (haftungsbeschränkt) i.Gr.
+
+## Acceptance
+
+By using the software, you agree to all of the terms and conditions below.
+
+## Copyright License
+
+The licensor grants you a non-exclusive, royalty-free, worldwide,
+non-sublicensable, non-transferable license to use, copy, distribute, make
+available, and prepare derivative works of the software, in each case subject to
+the limitations and conditions below.
+
+## Limitations
+
+You may not provide the software to third parties as a hosted or managed
+service, where the service provides users with access to any substantial set of
+the features or functionality of the software.
+
+You may not move, change, disable, or circumvent the license key functionality
+in the software, and you may not remove or obscure any functionality in the
+software that is protected by the license key.
+
+You may not alter, remove, or obscure any licensing, copyright, or other notices
+of the licensor in the software. Any use of the licensor's trademarks is subject
+to applicable law.
+
+## Patents
+
+The licensor grants you a license, under any patent claims the licensor can
+license, or becomes able to license, to make, have made, use, sell, offer for
+sale, import and have imported the software, in each case subject to the
+limitations and conditions in this license. This license does not cover any
+patent claims that you cause to be infringed by modifications or additions to
+the software. If you or your company make any written claim that the software
+infringes or contributes to infringement of any patent, your patent license for
+the software granted under these terms ends immediately. If your company makes
+such a claim, your patent license ends immediately for work on behalf of your
+company.
+
+## Notices
+
+You must ensure that anyone who gets a copy of any part of the software from you
+also gets a copy of these terms.
+
+If you modify the software, you must include in any modified copies of the
+software prominent notices stating that you have modified the software.
+
+## No Other Rights
+
+These terms do not imply any licenses other than those expressly granted in
+these terms.
+
+## Termination
+
+If you use the software in violation of these terms, such use is not licensed,
+and your licenses will automatically terminate. If the licensor provides you
+with a notice of your violation, and you cease all violation of this license no
+later than 30 days after you receive that notice, your licenses will be
+reinstated retroactively. However, if you violate these terms after such
+reinstatement, any additional violation of these terms will cause your licenses
+to terminate automatically and permanently.
+
+## No Liability
+
+As far as the law allows, the software comes as is, without any warranty or
+condition, and the licensor will not be liable to you for any damages arising
+out of these terms or the use or nature of the software, under any kind of legal
+claim.
+
+## Definitions
+
+The "licensor" is the entity offering these terms, and the "software" is the
+software the licensor makes available under these terms, including any portion
+of it.
+
+"you" refers to the individual or entity agreeing to these terms.
+
+"your company" is any legal entity, sole proprietorship, or other kind of
+organization that you work for, plus all organizations that have control over,
+are under the control of, or are under common control with that organization.
+"control" means ownership of substantially all the assets of an entity, or the
+power to direct its management and policies by vote, contract, or otherwise.
+Control can be direct or indirect.
+
+"your licenses" are all the licenses granted to you for the software under
+these terms.
+
+"use" means anything you do with the software requiring one of your licenses.
+
+"trademark" means trademarks, service marks, and similar rights.

package/README.md

@@ -0,0 +1,47 @@
+# @agentbouncr/core
+
+The governance layer for AI agents. Policy Engine, Audit Trail, Kill-Switch, Event System, and Injection Detection.
+
+## Installation
+
+```bash
+npm install @agentbouncr/core
+```
+
+## Quick Start
+
+```typescript
+import { GovernanceMiddleware } from '@agentbouncr/core';
+
+const governance = new GovernanceMiddleware();
+
+governance.setPolicy({
+  name: 'basic-security',
+  version: '1.0',
+  rules: [
+    {
+      tool: 'file_write',
+      effect: 'deny',
+      condition: { path: { startsWith: '/etc/' } },
+      reason: 'Writing to /etc/ is not permitted',
+    },
+    { tool: '*', effect: 'allow' },
+  ],
+  createdAt: new Date().toISOString(),
+  updatedAt: new Date().toISOString(),
+});
+
+const result = await governance.evaluate({
+  agentId: 'my-agent',
+  tool: 'file_write',
+  params: { path: '/etc/passwd' },
+});
+
+console.log(result.allowed); // false
+```
+
+For full documentation, examples, and architecture overview, see the [main repository](https://github.com/agentbouncr/agentbouncr).
+
+## License
+
+Elastic License 2.0 (ELv2) — see [LICENSE](./LICENSE)

package/dist/audit/hash-chain.d.ts

@@ -0,0 +1,39 @@
+/**
+ * @agentbouncr/core — Audit Trail Hash-Chain
+ *
+ * SHA-256 Hash-Chain fuer manipulationssicheren Audit Trail.
+ * <100 LOC, keine externe Dependency — nur Node.js crypto.
+ *
+ * Jeder Eintrag enthaelt den Hash des vorherigen Eintrags.
+ * Erster Eintrag: previousHash = null → strukturell unterscheidbar.
+ *
+ * Serialisierung: JSON-Array (keine Delimiter-Injection moeglich).
+ * Timing-sicherer Vergleich via crypto.timingSafeEqual.
+ */
+export interface HashInput {
+    traceId: string;
+    timestamp: string;
+    agentId: string;
+    tool: string;
+    params?: Record<string, unknown>;
+    result: string;
+    reason?: string;
+    durationMs: number;
+    failureCategory?: string;
+    previousHash: string | null;
+}
+/**
+ * Compute SHA-256 hash for an audit event.
+ *
+ * Serialization: JSON array of all fields (no delimiter injection possible).
+ * First event uses ["GENESIS_NULL"] sentinel; chained events use ["CHAIN", hash].
+ */
+export declare function computeAuditHash(input: HashInput): string;
+/**
+ * Verify that an audit event's hash matches its content.
+ * Uses timing-safe comparison to prevent side-channel attacks.
+ */
+export declare function verifyAuditEventHash(event: HashInput & {
+    hash: string;
+}): boolean;
+//# sourceMappingURL=hash-chain.d.ts.map

package/dist/audit/hash-chain.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"hash-chain.d.ts","sourceRoot":"","sources":["../../src/audit/hash-chain.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAMH,MAAM,WAAW,SAAS;IACxB,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACjC,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;IACnB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;CAC7B;AAkBD;;;;;GAKG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,SAAS,GAAG,MAAM,CAgBzD;AAED;;;GAGG;AACH,wBAAgB,oBAAoB,CAAC,KAAK,EAAE,SAAS,GAAG;IAAE,IAAI,EAAE,MAAM,CAAA;CAAE,GAAG,OAAO,CAMjF"}

package/dist/audit/hash-chain.js

@@ -0,0 +1,63 @@
+/**
+ * @agentbouncr/core — Audit Trail Hash-Chain
+ *
+ * SHA-256 Hash-Chain fuer manipulationssicheren Audit Trail.
+ * <100 LOC, keine externe Dependency — nur Node.js crypto.
+ *
+ * Jeder Eintrag enthaelt den Hash des vorherigen Eintrags.
+ * Erster Eintrag: previousHash = null → strukturell unterscheidbar.
+ *
+ * Serialisierung: JSON-Array (keine Delimiter-Injection moeglich).
+ * Timing-sicherer Vergleich via crypto.timingSafeEqual.
+ */
+import { createHash, timingSafeEqual } from 'node:crypto';
+// --- Hash Functions ---
+/**
+ * Canonical JSON for params: sorted keys for determinism.
+ * Returns empty string for undefined/null.
+ */
+function canonicalParams(params) {
+    if (!params)
+        return '';
+    const keys = Object.keys(params).sort();
+    const sorted = {};
+    for (const key of keys) {
+        sorted[key] = params[key];
+    }
+    return JSON.stringify(sorted);
+}
+/**
+ * Compute SHA-256 hash for an audit event.
+ *
+ * Serialization: JSON array of all fields (no delimiter injection possible).
+ * First event uses ["GENESIS_NULL"] sentinel; chained events use ["CHAIN", hash].
+ */
+export function computeAuditHash(input) {
+    const fields = [
+        input.previousHash === null ? 'GENESIS_NULL' : `CHAIN:${input.previousHash}`,
+        input.traceId,
+        input.timestamp,
+        input.agentId,
+        input.tool,
+        canonicalParams(input.params),
+        input.result,
+        input.reason ?? '',
+        String(input.durationMs),
+        input.failureCategory ?? '',
+    ];
+    const payload = JSON.stringify(fields);
+    return createHash('sha256').update(payload).digest('hex');
+}
+/**
+ * Verify that an audit event's hash matches its content.
+ * Uses timing-safe comparison to prevent side-channel attacks.
+ */
+export function verifyAuditEventHash(event) {
+    const computed = computeAuditHash(event);
+    const computedBuf = Buffer.from(computed, 'hex');
+    const storedBuf = Buffer.from(event.hash, 'hex');
+    if (computedBuf.length !== storedBuf.length)
+        return false;
+    return timingSafeEqual(computedBuf, storedBuf);
+}
+//# sourceMappingURL=hash-chain.js.map

package/dist/audit/hash-chain.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"hash-chain.js","sourceRoot":"","sources":["../../src/audit/hash-chain.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAiB1D,yBAAyB;AAEzB;;;GAGG;AACH,SAAS,eAAe,CAAC,MAA2C;IAClE,IAAI,CAAC,MAAM;QAAE,OAAO,EAAE,CAAC;IACvB,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC;IACxC,MAAM,MAAM,GAA4B,EAAE,CAAC;IAC3C,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,MAAM,CAAC,GAAG,CAAC,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC;IAC5B,CAAC;IACD,OAAO,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;AAChC,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,gBAAgB,CAAC,KAAgB;IAC/C,MAAM,MAAM,GAAG;QACb,KAAK,CAAC,YAAY,KAAK,IAAI,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,SAAS,KAAK,CAAC,YAAY,EAAE;QAC5E,KAAK,CAAC,OAAO;QACb,KAAK,CAAC,SAAS;QACf,KAAK,CAAC,OAAO;QACb,KAAK,CAAC,IAAI;QACV,eAAe,CAAC,KAAK,CAAC,MAAM,CAAC;QAC7B,KAAK,CAAC,MAAM;QACZ,KAAK,CAAC,MAAM,IAAI,EAAE;QAClB,MAAM,CAAC,KAAK,CAAC,UAAU,CAAC;QACxB,KAAK,CAAC,eAAe,IAAI,EAAE;KAC5B,CAAC;IAEF,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IACvC,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAC5D,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,oBAAoB,CAAC,KAAmC;IACtE,MAAM,QAAQ,GAAG,gBAAgB,CAAC,KAAK,CAAC,CAAC;IACzC,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;IACjD,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;IACjD,IAAI,WAAW,CAAC,MAAM,KAAK,SAAS,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IAC1D,OAAO,eAAe,CAAC,WAAW,EAAE,SAAS,CAAC,CAAC;AACjD,CAAC"}

package/dist/audit/index.d.ts

@@ -0,0 +1,2 @@
+export { computeAuditHash, verifyAuditEventHash, type HashInput, } from './hash-chain.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/audit/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/audit/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,gBAAgB,EAChB,oBAAoB,EACpB,KAAK,SAAS,GACf,MAAM,iBAAiB,CAAC"}

package/dist/audit/index.js

@@ -0,0 +1,2 @@
+export { computeAuditHash, verifyAuditEventHash, } from './hash-chain.js';
+//# sourceMappingURL=index.js.map

package/dist/audit/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/audit/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,gBAAgB,EAChB,oBAAoB,GAErB,MAAM,iBAAiB,CAAC"}

package/dist/core/condition-evaluator.d.ts

@@ -0,0 +1,20 @@
+/**
+ * @agentbouncr/core — Condition Evaluator
+ *
+ * Pure function. Evaluates a PolicyCondition against tool call params.
+ * 11 operators, deterministic, no external dependencies.
+ *
+ * Returns true if ALL conditions match (AND-logic across param keys,
+ * AND-logic across operators within a single param).
+ *
+ * Fail-Secure: missing param = false, type mismatch = false,
+ * unknown operator = false, invalid regex = false.
+ */
+import type { PolicyCondition } from '../types/index.js';
+/**
+ * Evaluate a condition against the provided params.
+ * Returns true if condition is undefined/empty (no condition = always matches).
+ * Returns false if a referenced param is missing from params (fail-secure).
+ */
+export declare function evaluateCondition(condition: PolicyCondition | undefined, params: Record<string, unknown> | undefined): boolean;
+//# sourceMappingURL=condition-evaluator.d.ts.map

package/dist/core/condition-evaluator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"condition-evaluator.d.ts","sourceRoot":"","sources":["../../src/core/condition-evaluator.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAGH,OAAO,KAAK,EAAE,eAAe,EAAqB,MAAM,mBAAmB,CAAC;AAE5E;;;;GAIG;AACH,wBAAgB,iBAAiB,CAC/B,SAAS,EAAE,eAAe,GAAG,SAAS,EACtC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,SAAS,GAC1C,OAAO,CAoBT"}

package/dist/core/condition-evaluator.js

@@ -0,0 +1,85 @@
+/**
+ * @agentbouncr/core — Condition Evaluator
+ *
+ * Pure function. Evaluates a PolicyCondition against tool call params.
+ * 11 operators, deterministic, no external dependencies.
+ *
+ * Returns true if ALL conditions match (AND-logic across param keys,
+ * AND-logic across operators within a single param).
+ *
+ * Fail-Secure: missing param = false, type mismatch = false,
+ * unknown operator = false, invalid regex = false.
+ */
+import safe from 'safe-regex2';
+/**
+ * Evaluate a condition against the provided params.
+ * Returns true if condition is undefined/empty (no condition = always matches).
+ * Returns false if a referenced param is missing from params (fail-secure).
+ */
+export function evaluateCondition(condition, params) {
+    if (!condition || Object.keys(condition).length === 0) {
+        return true;
+    }
+    if (!params) {
+        return false;
+    }
+    for (const [paramName, operators] of Object.entries(condition)) {
+        const paramValue = params[paramName];
+        for (const [op, operand] of Object.entries(operators)) {
+            if (!evaluateOperator(op, paramValue, operand)) {
+                return false;
+            }
+        }
+    }
+    return true;
+}
+function evaluateOperator(operator, paramValue, operand) {
+    switch (operator) {
+        case 'equals':
+            return paramValue === operand;
+        case 'notEquals':
+            if (paramValue === undefined)
+                return false;
+            return paramValue !== operand;
+        case 'startsWith':
+            return typeof paramValue === 'string' && typeof operand === 'string'
+                && paramValue.startsWith(operand);
+        case 'endsWith':
+            return typeof paramValue === 'string' && typeof operand === 'string'
+                && paramValue.endsWith(operand);
+        case 'contains':
+            return typeof paramValue === 'string' && typeof operand === 'string'
+                && paramValue.includes(operand);
+        case 'gt':
+            return typeof paramValue === 'number' && typeof operand === 'number'
+                && paramValue > operand;
+        case 'lt':
+            return typeof paramValue === 'number' && typeof operand === 'number'
+                && paramValue < operand;
+        case 'gte':
+            return typeof paramValue === 'number' && typeof operand === 'number'
+                && paramValue >= operand;
+        case 'lte':
+            return typeof paramValue === 'number' && typeof operand === 'number'
+                && paramValue <= operand;
+        case 'in':
+            return Array.isArray(operand) && operand.includes(paramValue);
+        case 'matches': {
+            if (typeof paramValue !== 'string' || typeof operand !== 'string')
+                return false;
+            if (operand.length > 200)
+                return false;
+            if (!safe(operand))
+                return false; // ReDoS protection: reject catastrophic backtracking patterns
+            try {
+                return new RegExp(operand).test(paramValue);
+            }
+            catch {
+                return false;
+            }
+        }
+        default:
+            return false;
+    }
+}
+//# sourceMappingURL=condition-evaluator.js.map

package/dist/core/condition-evaluator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"condition-evaluator.js","sourceRoot":"","sources":["../../src/core/condition-evaluator.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,IAAI,MAAM,aAAa,CAAC;AAG/B;;;;GAIG;AACH,MAAM,UAAU,iBAAiB,CAC/B,SAAsC,EACtC,MAA2C;IAE3C,IAAI,CAAC,SAAS,IAAI,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,KAAK,CAAC;IACf,CAAC;IAED,KAAK,MAAM,CAAC,SAAS,EAAE,SAAS,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,CAAC;QAC/D,MAAM,UAAU,GAAG,MAAM,CAAC,SAAS,CAAC,CAAC;QAErC,KAAK,MAAM,CAAC,EAAE,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,SAAS,CAAmC,EAAE,CAAC;YACxF,IAAI,CAAC,gBAAgB,CAAC,EAAE,EAAE,UAAU,EAAE,OAAO,CAAC,EAAE,CAAC;gBAC/C,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,gBAAgB,CACvB,QAA2B,EAC3B,UAAmB,EACnB,OAAgB;IAEhB,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,QAAQ;YACX,OAAO,UAAU,KAAK,OAAO,CAAC;QAEhC,KAAK,WAAW;YACd,IAAI,UAAU,KAAK,SAAS;gBAAE,OAAO,KAAK,CAAC;YAC3C,OAAO,UAAU,KAAK,OAAO,CAAC;QAEhC,KAAK,YAAY;YACf,OAAO,OAAO,UAAU,KAAK,QAAQ,IAAI,OAAO,OAAO,KAAK,QAAQ;mBAC/D,UAAU,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;QAEtC,KAAK,UAAU;YACb,OAAO,OAAO,UAAU,KAAK,QAAQ,IAAI,OAAO,OAAO,KAAK,QAAQ;mBAC/D,UAAU,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QAEpC,KAAK,UAAU;YACb,OAAO,OAAO,UAAU,KAAK,QAAQ,IAAI,OAAO,OAAO,KAAK,QAAQ;mBAC/D,UAAU,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QAEpC,KAAK,IAAI;YACP,OAAO,OAAO,UAAU,KAAK,QAAQ,IAAI,OAAO,OAAO,KAAK,QAAQ;mBAC/D,UAAU,GAAG,OAAO,CAAC;QAE5B,KAAK,IAAI;YACP,OAAO,OAAO,UAAU,KAAK,QAAQ,IAAI,OAAO,OAAO,KAAK,QAAQ;mBAC/D,UAAU,GAAG,OAAO,CAAC;QAE5B,KAAK,KAAK;YACR,OAAO,OAAO,UAAU,KAAK,QAAQ,IAAI,OAAO,OAAO,KAAK,QAAQ;mBAC/D,UAAU,IAAI,OAAO,CAAC;QAE7B,KAAK,KAAK;YACR,OAAO,OAAO,UAAU,KAAK,QAAQ,IAAI,OAAO,OAAO,KAAK,QAAQ;mBAC/D,UAAU,IAAI,OAAO,CAAC;QAE7B,KAAK,IAAI;YACP,OAAO,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,IAAK,OAAqB,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;QAE/E,KAAK,SAAS,CAAC,CAAC,CAAC;YACf,IAAI,OAAO,UAAU,KAAK,QAAQ,IAAI,OAAO,OAAO,KAAK,QAAQ;gBAAE,OAAO,KAAK,CAAC;YAChF,IAAI,OAAO,CAAC,MAAM,GAAG,GAAG;gBAAE,OAAO,KAAK,CAAC;YACvC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC;gBAAE,OAAO,KAAK,CAAC,CAAC,8DAA8D;YAChG,IAAI,CAAC;gBACH,OAAO,IAAI,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;YAC9C,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QAED;YACE,OAAO,KAAK,CAAC;IACjB,CAAC;AACH,CAAC"}

package/dist/core/permission-layer.d.ts

@@ -0,0 +1,24 @@
+/**
+ * @agentbouncr/core — Permission Layer
+ *
+ * Checks before every tool call whether the agent has permission.
+ * Decisions are deterministic — no LLM involved.
+ * Uses dependency injection (ToolRegistry via constructor).
+ */
+import type pino from 'pino';
+import type { PermissionResult } from '../types/index.js';
+import type { ToolRegistry } from './tool-registry.js';
+export declare class PermissionLayer {
+    private readonly toolRegistry;
+    private readonly logger;
+    constructor(toolRegistry: ToolRegistry, logger: pino.Logger);
+    /**
+     * Check if an agent has permission to use a tool.
+     * Step 1: Tool must exist in registry.
+     * Step 2: Tool must be in the agent's allowed tools list.
+     *
+     * Fail-Secure: Any internal error results in denial (never pass-through).
+     */
+    checkPermission(agentId: string, toolName: string, agentToolsList: string[]): PermissionResult;
+}
+//# sourceMappingURL=permission-layer.d.ts.map

package/dist/core/permission-layer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"permission-layer.d.ts","sourceRoot":"","sources":["../../src/core/permission-layer.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AAC1D,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAEvD,qBAAa,eAAe;IAExB,OAAO,CAAC,QAAQ,CAAC,YAAY;IAC7B,OAAO,CAAC,QAAQ,CAAC,MAAM;gBADN,YAAY,EAAE,YAAY,EAC1B,MAAM,EAAE,IAAI,CAAC,MAAM;IAGtC;;;;;;OAMG;IACH,eAAe,CACb,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,EAChB,cAAc,EAAE,MAAM,EAAE,GACvB,gBAAgB;CA6CpB"}

package/dist/core/permission-layer.js

@@ -0,0 +1,58 @@
+/**
+ * @agentbouncr/core — Permission Layer
+ *
+ * Checks before every tool call whether the agent has permission.
+ * Decisions are deterministic — no LLM involved.
+ * Uses dependency injection (ToolRegistry via constructor).
+ */
+export class PermissionLayer {
+    toolRegistry;
+    logger;
+    constructor(toolRegistry, logger) {
+        this.toolRegistry = toolRegistry;
+        this.logger = logger;
+    }
+    /**
+     * Check if an agent has permission to use a tool.
+     * Step 1: Tool must exist in registry.
+     * Step 2: Tool must be in the agent's allowed tools list.
+     *
+     * Fail-Secure: Any internal error results in denial (never pass-through).
+     */
+    checkPermission(agentId, toolName, agentToolsList) {
+        try {
+            // Step 1: Does the tool exist in the registry?
+            if (!this.toolRegistry.has(toolName)) {
+                this.logger.warn({ agentId, toolName, event: 'tool_not_found' }, 'Tool call denied: tool not registered');
+                return {
+                    allowed: false,
+                    reason: `Tool '${toolName}' is not registered`,
+                    toolName,
+                    agentId,
+                };
+            }
+            // Step 2: Is the tool in the agent's allowed tools list?
+            if (!agentToolsList.includes(toolName)) {
+                this.logger.warn({ agentId, toolName, event: 'permission_denied' }, 'Tool call denied: not in agent permissions');
+                return {
+                    allowed: false,
+                    reason: `Agent '${agentId}' is not permitted to use '${toolName}'`,
+                    toolName,
+                    agentId,
+                };
+            }
+            return { allowed: true, toolName, agentId };
+        }
+        catch (err) {
+            // Fail-Secure: internal error = deny
+            this.logger.error({ agentId, toolName, error: String(err), event: 'permission_check_error' }, 'Permission check failed — denying (fail-secure)');
+            return {
+                allowed: false,
+                reason: `Permission check failed: ${String(err)}`,
+                toolName,
+                agentId,
+            };
+        }
+    }
+}
+//# sourceMappingURL=permission-layer.js.map

package/dist/core/permission-layer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"permission-layer.js","sourceRoot":"","sources":["../../src/core/permission-layer.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAMH,MAAM,OAAO,eAAe;IAEP;IACA;IAFnB,YACmB,YAA0B,EAC1B,MAAmB;QADnB,iBAAY,GAAZ,YAAY,CAAc;QAC1B,WAAM,GAAN,MAAM,CAAa;IACnC,CAAC;IAEJ;;;;;;OAMG;IACH,eAAe,CACb,OAAe,EACf,QAAgB,EAChB,cAAwB;QAExB,IAAI,CAAC;YACH,+CAA+C;YAC/C,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;gBACrC,IAAI,CAAC,MAAM,CAAC,IAAI,CACd,EAAE,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,gBAAgB,EAAE,EAC9C,uCAAuC,CACxC,CAAC;gBACF,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,MAAM,EAAE,SAAS,QAAQ,qBAAqB;oBAC9C,QAAQ;oBACR,OAAO;iBACR,CAAC;YACJ,CAAC;YAED,yDAAyD;YACzD,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;gBACvC,IAAI,CAAC,MAAM,CAAC,IAAI,CACd,EAAE,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,mBAAmB,EAAE,EACjD,4CAA4C,CAC7C,CAAC;gBACF,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,MAAM,EAAE,UAAU,OAAO,8BAA8B,QAAQ,GAAG;oBAClE,QAAQ;oBACR,OAAO;iBACR,CAAC;YACJ,CAAC;YAED,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC;QAC9C,CAAC;QAAC,OAAO,GAAY,EAAE,CAAC;YACtB,qCAAqC;YACrC,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,EAAE,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE,KAAK,EAAE,wBAAwB,EAAE,EAC1E,iDAAiD,CAClD,CAAC;YACF,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,4BAA4B,MAAM,CAAC,GAAG,CAAC,EAAE;gBACjD,QAAQ;gBACR,OAAO;aACR,CAAC;QACJ,CAAC;IACH,CAAC;CACF"}

package/dist/core/policy-engine.d.ts

@@ -0,0 +1,35 @@
+/**
+ * @agentbouncr/core — Policy Engine
+ *
+ * Evaluates tool-call requests against JSON policies.
+ * Deterministic — no LLM, no randomness.
+ * Fail-Secure — errors result in denial.
+ *
+ * Priority: tool+condition > tool-only > wildcard(*)
+ * Tiebreaker: deny before allow at equal specificity.
+ *
+ * rateLimit field is accepted but NOT evaluated in Stufe 1.
+ * requireApproval is surfaced in appliedRules for GovernanceMiddleware.
+ */
+import type pino from 'pino';
+import type { Policy, EvaluateRequest, EvaluateResult } from '../types/index.js';
+export declare class PolicyEngine {
+    private readonly logger;
+    constructor(logger: pino.Logger);
+    /**
+     * Evaluate a tool-call request against a policy.
+     *
+     * No policy = deny (fail-secure).
+     * No matching rules = deny (fail-secure).
+     * Internal error = deny (fail-secure).
+     */
+    evaluate(request: EvaluateRequest, policy: Policy | null): EvaluateResult;
+    private findMatchingRules;
+    private computeSpecificity;
+    /**
+     * Sort: highest specificity first.
+     * At equal specificity: deny before allow (fail-secure).
+     */
+    private sortByPriority;
+}
+//# sourceMappingURL=policy-engine.d.ts.map

package/dist/core/policy-engine.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy-engine.d.ts","sourceRoot":"","sources":["../../src/core/policy-engine.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,KAAK,EACV,MAAM,EAEN,eAAe,EACf,cAAc,EAEf,MAAM,mBAAmB,CAAC;AAoB3B,qBAAa,YAAY;IACX,OAAO,CAAC,QAAQ,CAAC,MAAM;gBAAN,MAAM,EAAE,IAAI,CAAC,MAAM;IAEhD;;;;;;OAMG;IACH,QAAQ,CAAC,OAAO,EAAE,eAAe,EAAE,MAAM,EAAE,MAAM,GAAG,IAAI,GAAG,cAAc;IA6EzE,OAAO,CAAC,iBAAiB;IAmBzB,OAAO,CAAC,kBAAkB;IAW1B;;;OAGG;IACH,OAAO,CAAC,cAAc;CAWvB"}

package/dist/core/policy-engine.js

@@ -0,0 +1,131 @@
+/**
+ * @agentbouncr/core — Policy Engine
+ *
+ * Evaluates tool-call requests against JSON policies.
+ * Deterministic — no LLM, no randomness.
+ * Fail-Secure — errors result in denial.
+ *
+ * Priority: tool+condition > tool-only > wildcard(*)
+ * Tiebreaker: deny before allow at equal specificity.
+ *
+ * rateLimit field is accepted but NOT evaluated in Stufe 1.
+ * requireApproval is surfaced in appliedRules for GovernanceMiddleware.
+ */
+import { evaluateCondition } from './condition-evaluator.js';
+import { generateTraceId } from '../tracing/trace-context.js';
+// --- Specificity Tiers ---
+const SPECIFICITY_WILDCARD = 0;
+const SPECIFICITY_TOOL_ONLY = 1;
+const SPECIFICITY_TOOL_CONDITION = 2;
+// --- Policy Engine ---
+export class PolicyEngine {
+    logger;
+    constructor(logger) {
+        this.logger = logger;
+    }
+    /**
+     * Evaluate a tool-call request against a policy.
+     *
+     * No policy = deny (fail-secure).
+     * No matching rules = deny (fail-secure).
+     * Internal error = deny (fail-secure).
+     */
+    evaluate(request, policy) {
+        const traceId = request.traceId ?? generateTraceId();
+        try {
+            if (!policy) {
+                this.logger.warn({ agentId: request.agentId, tool: request.tool, traceId }, 'No policy found — denying (fail-secure)');
+                return {
+                    allowed: false,
+                    traceId,
+                    reason: `No policy found for agent '${request.agentId}'`,
+                    appliedRules: [],
+                };
+            }
+            const matches = this.findMatchingRules(policy, request);
+            if (matches.length === 0) {
+                this.logger.info({ agentId: request.agentId, tool: request.tool, policyName: policy.name, traceId }, 'No matching rules — denying (fail-secure)');
+                return {
+                    allowed: false,
+                    traceId,
+                    reason: `No matching rule for tool '${request.tool}' in policy '${policy.name}'`,
+                    appliedRules: [],
+                };
+            }
+            const sorted = this.sortByPriority(matches);
+            const winner = sorted[0];
+            const allowed = winner.rule.effect === 'allow';
+            const appliedRules = sorted.map((m) => ({
+                policyName: m.policyName,
+                ruleName: m.rule.name,
+                effect: m.rule.effect,
+                requireApproval: m.rule.requireApproval,
+            }));
+            if (allowed) {
+                this.logger.info({ agentId: request.agentId, tool: request.tool, policyName: policy.name, traceId }, 'Tool call allowed by policy');
+            }
+            else {
+                this.logger.warn({
+                    agentId: request.agentId,
+                    tool: request.tool,
+                    policyName: policy.name,
+                    ruleName: winner.rule.name,
+                    reason: winner.rule.reason,
+                    traceId,
+                }, 'Tool call denied by policy');
+            }
+            return { allowed, traceId, reason: winner.rule.reason, appliedRules };
+        }
+        catch (err) {
+            this.logger.error({ agentId: request.agentId, tool: request.tool, error: String(err), traceId }, 'Policy evaluation failed — denying (fail-secure)');
+            return {
+                allowed: false,
+                traceId,
+                reason: `Policy evaluation failed: ${String(err)}`,
+                appliedRules: [],
+            };
+        }
+    }
+    findMatchingRules(policy, request) {
+        const matches = [];
+        for (const rule of policy.rules) {
+            const toolMatches = rule.tool === request.tool || rule.tool === '*';
+            if (!toolMatches)
+                continue;
+            if (!evaluateCondition(rule.condition, request.params))
+                continue;
+            matches.push({
+                rule,
+                policyName: policy.name,
+                specificity: this.computeSpecificity(rule),
+            });
+        }
+        return matches;
+    }
+    computeSpecificity(rule) {
+        if (rule.tool === '*')
+            return SPECIFICITY_WILDCARD;
+        if (rule.condition && Object.keys(rule.condition).length > 0) {
+            const hasOperators = Object.values(rule.condition).some((ops) => Object.keys(ops).length > 0);
+            if (hasOperators)
+                return SPECIFICITY_TOOL_CONDITION;
+        }
+        return SPECIFICITY_TOOL_ONLY;
+    }
+    /**
+     * Sort: highest specificity first.
+     * At equal specificity: deny before allow (fail-secure).
+     */
+    sortByPriority(matches) {
+        return [...matches].sort((a, b) => {
+            if (a.specificity !== b.specificity) {
+                return b.specificity - a.specificity;
+            }
+            if (a.rule.effect !== b.rule.effect) {
+                return a.rule.effect === 'deny' ? -1 : 1;
+            }
+            return 0;
+        });
+    }
+}
+//# sourceMappingURL=policy-engine.js.map

package/dist/core/policy-engine.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy-engine.js","sourceRoot":"","sources":["../../src/core/policy-engine.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAUH,OAAO,EAAE,iBAAiB,EAAE,MAAM,0BAA0B,CAAC;AAC7D,OAAO,EAAE,eAAe,EAAE,MAAM,6BAA6B,CAAC;AAE9D,4BAA4B;AAE5B,MAAM,oBAAoB,GAAG,CAAC,CAAC;AAC/B,MAAM,qBAAqB,GAAG,CAAC,CAAC;AAChC,MAAM,0BAA0B,GAAG,CAAC,CAAC;AAUrC,wBAAwB;AAExB,MAAM,OAAO,YAAY;IACM;IAA7B,YAA6B,MAAmB;QAAnB,WAAM,GAAN,MAAM,CAAa;IAAG,CAAC;IAEpD;;;;;;OAMG;IACH,QAAQ,CAAC,OAAwB,EAAE,MAAqB;QACtD,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,eAAe,EAAE,CAAC;QAErD,IAAI,CAAC;YACH,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,IAAI,CAAC,MAAM,CAAC,IAAI,CACd,EAAE,OAAO,EAAE,OAAO,CAAC,OAAO,EAAE,IAAI,EAAE,OAAO,CAAC,IAAI,EAAE,OAAO,EAAE,EACzD,yCAAyC,CAC1C,CAAC;gBACF,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,OAAO;oBACP,MAAM,EAAE,8BAA8B,OAAO,CAAC,OAAO,GAAG;oBACxD,YAAY,EAAE,EAAE;iBACjB,CAAC;YACJ,CAAC;YAED,MAAM,OAAO,GAAG,IAAI,CAAC,iBAAiB,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;YAExD,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACzB,IAAI,CAAC,MAAM,CAAC,IAAI,CACd,EAAE,OAAO,EAAE,OAAO,CAAC,OAAO,EAAE,IAAI,EAAE,OAAO,CAAC,IAAI,EAAE,UAAU,EAAE,MAAM,CAAC,IAAI,EAAE,OAAO,EAAE,EAClF,2CAA2C,CAC5C,CAAC;gBACF,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,OAAO;oBACP,MAAM,EAAE,8BAA8B,OAAO,CAAC,IAAI,gBAAgB,MAAM,CAAC,IAAI,GAAG;oBAChF,YAAY,EAAE,EAAE;iBACjB,CAAC;YACJ,CAAC;YAED,MAAM,MAAM,GAAG,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC;YAC5C,MAAM,MAAM,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;YACzB,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,KAAK,OAAO,CAAC;YAE/C,MAAM,YAAY,GAAkB,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;gBACrD,UAAU,EAAE,CAAC,CAAC,UAAU;gBACxB,QAAQ,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI;gBACrB,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,MAAM;gBACrB,eAAe,EAAE,CAAC,CAAC,IAAI,CAAC,eAAe;aACxC,CAAC,CAAC,CAAC;YAEJ,IAAI,OAAO,EAAE,CAAC;gBACZ,IAAI,CAAC,MAAM,CAAC,IAAI,CACd,EAAE,OAAO,EAAE,OAAO,CAAC,OAAO,EAAE,IAAI,EAAE,OAAO,CAAC,IAAI,EAAE,UAAU,EAAE,MAAM,CAAC,IAAI,EAAE,OAAO,EAAE,EAClF,6BAA6B,CAC9B,CAAC;YACJ,CAAC;iBAAM,CAAC;gBACN,IAAI,CAAC,MAAM,CAAC,IAAI,CACd;oBACE,OAAO,EAAE,OAAO,CAAC,OAAO;oBACxB,IAAI,EAAE,OAAO,CAAC,IAAI;oBAClB,UAAU,EAAE,MAAM,CAAC,IAAI;oBACvB,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI;oBAC1B,MAAM,EAAE,MAAM,CAAC,IAAI,CAAC,MAAM;oBAC1B,OAAO;iBACR,EACD,4BAA4B,CAC7B,CAAC;YACJ,CAAC;YAED,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,YAAY,EAAE,CAAC;QACxE,CAAC;QAAC,OAAO,GAAY,EAAE,CAAC;YACtB,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,EAAE,OAAO,EAAE,OAAO,CAAC,OAAO,EAAE,IAAI,EAAE,OAAO,CAAC,IAAI,EAAE,KAAK,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE,OAAO,EAAE,EAC7E,kDAAkD,CACnD,CAAC;YACF,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,OAAO;gBACP,MAAM,EAAE,6BAA6B,MAAM,CAAC,GAAG,CAAC,EAAE;gBAClD,YAAY,EAAE,EAAE;aACjB,CAAC;QACJ,CAAC;IACH,CAAC;IAEO,iBAAiB,CAAC,MAAc,EAAE,OAAwB;QAChE,MAAM,OAAO,GAAgB,EAAE,CAAC;QAEhC,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;YAChC,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,KAAK,OAAO,CAAC,IAAI,IAAI,IAAI,CAAC,IAAI,KAAK,GAAG,CAAC;YACpE,IAAI,CAAC,WAAW;gBAAE,SAAS;YAE3B,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,SAAS,EAAE,OAAO,CAAC,MAAM,CAAC;gBAAE,SAAS;YAEjE,OAAO,CAAC,IAAI,CAAC;gBACX,IAAI;gBACJ,UAAU,EAAE,MAAM,CAAC,IAAI;gBACvB,WAAW,EAAE,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC;aAC3C,CAAC,CAAC;QACL,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAEO,kBAAkB,CAAC,IAAgB;QACzC,IAAI,IAAI,CAAC,IAAI,KAAK,GAAG;YAAE,OAAO,oBAAoB,CAAC;QACnD,IAAI,IAAI,CAAC,SAAS,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC7D,MAAM,YAAY,GAAG,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,IAAI,CACrD,CAAC,GAAG,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,MAAM,GAAG,CAAC,CACrC,CAAC;YACF,IAAI,YAAY;gBAAE,OAAO,0BAA0B,CAAC;QACtD,CAAC;QACD,OAAO,qBAAqB,CAAC;IAC/B,CAAC;IAED;;;OAGG;IACK,cAAc,CAAC,OAAoB;QACzC,OAAO,CAAC,GAAG,OAAO,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;YAChC,IAAI,CAAC,CAAC,WAAW,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC;gBACpC,OAAO,CAAC,CAAC,WAAW,GAAG,CAAC,CAAC,WAAW,CAAC;YACvC,CAAC;YACD,IAAI,CAAC,CAAC,IAAI,CAAC,MAAM,KAAK,CAAC,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;gBACpC,OAAO,CAAC,CAAC,IAAI,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;YAC3C,CAAC;YACD,OAAO,CAAC,CAAC;QACX,CAAC,CAAC,CAAC;IACL,CAAC;CACF"}