@agenticmail/enterprise 0.5.89 → 0.5.91

package/dist/chunk-T6FM7KNN.js

@@ -0,0 +1,384 @@
+import {
+  AGENTICMAIL_SKILL_DEFS,
+  ENTERPRISE_SKILL_DEFS,
+  GWS_SKILL_DEFS,
+  M365_SKILL_DEFS,
+  init_skills,
+  init_tool_catalog,
+  tool_catalog_exports
+} from "./chunk-MINPSFLF.js";
+import {
+  __toCommonJS
+} from "./chunk-KFQGP6VL.js";
+
+// src/engine/skills.ts
+init_skills();
+var SKILL_SUITES = [
+  {
+    id: "microsoft-365",
+    name: "Microsoft 365",
+    description: "Complete Microsoft 365 suite \u2014 Outlook, Teams, SharePoint, OneDrive, Word, Excel, PowerPoint, OneNote, Planner, Power BI, Power Automate, Forms, To Do, Bookings, Whiteboard, Admin Center, Copilot.",
+    icon: "\u{1F3E2}",
+    skills: [
+      "m365-outlook",
+      "m365-teams",
+      "m365-sharepoint",
+      "m365-onedrive",
+      "m365-word",
+      "m365-excel",
+      "m365-powerpoint",
+      "m365-onenote",
+      "m365-planner",
+      "m365-power-bi",
+      "m365-power-automate",
+      "m365-forms",
+      "m365-todo",
+      "m365-bookings",
+      "m365-whiteboard",
+      "m365-admin",
+      "m365-copilot"
+    ]
+  },
+  {
+    id: "google-workspace",
+    name: "Google Workspace",
+    description: "Complete Google Workspace suite \u2014 Gmail, Calendar, Drive, Docs, Sheets, Slides, Meet, Chat, Forms, Sites, Keep, Admin Console, Vault, Groups.",
+    icon: "\u{1F535}",
+    skills: [
+      "gws-gmail",
+      "gws-calendar",
+      "gws-drive",
+      "gws-docs",
+      "gws-sheets",
+      "gws-slides",
+      "gws-meet",
+      "gws-chat",
+      "gws-forms",
+      "gws-sites",
+      "gws-keep",
+      "gws-admin",
+      "gws-vault",
+      "gws-groups"
+    ]
+  },
+  {
+    id: "atlassian",
+    name: "Atlassian Suite",
+    description: "Jira, Confluence, Bitbucket, Trello, Statuspage, and Opsgenie.",
+    icon: "\u{1F537}",
+    skills: ["jira", "confluence", "bitbucket", "trello", "statuspage", "opsgenie"]
+  },
+  {
+    id: "aws",
+    name: "Amazon Web Services",
+    description: "AWS cloud infrastructure \u2014 S3, EC2, Lambda, RDS, CloudWatch, IAM, SES, SNS, SQS, DynamoDB, CloudFormation.",
+    icon: "\u2601\uFE0F",
+    skills: ["aws-s3", "aws-ec2", "aws-lambda", "aws-rds", "aws-cloudwatch", "aws-iam", "aws-ses", "aws-sns", "aws-sqs", "aws-dynamodb", "aws-cloudformation"]
+  },
+  {
+    id: "azure",
+    name: "Microsoft Azure",
+    description: "Azure cloud infrastructure \u2014 VMs, App Service, Functions, Storage, SQL, CosmosDB, DevOps, Active Directory.",
+    icon: "\u26C5",
+    skills: ["azure-vms", "azure-app-service", "azure-functions", "azure-storage", "azure-sql", "azure-cosmosdb", "azure-devops", "azure-ad"]
+  },
+  {
+    id: "gcp",
+    name: "Google Cloud Platform",
+    description: "GCP cloud infrastructure \u2014 Compute Engine, Cloud Functions, Cloud Storage, BigQuery, Cloud Run, Pub/Sub, Firestore.",
+    icon: "\u{1F324}\uFE0F",
+    skills: ["gcp-compute", "gcp-functions", "gcp-storage", "gcp-bigquery", "gcp-run", "gcp-pubsub", "gcp-firestore"]
+  },
+  {
+    id: "salesforce-suite",
+    name: "Salesforce Suite",
+    description: "Salesforce CRM, Service Cloud, Marketing Cloud, and Commerce Cloud.",
+    icon: "\u2601",
+    skills: ["salesforce", "salesforce-service", "salesforce-marketing", "salesforce-commerce"]
+  },
+  {
+    id: "hubspot-suite",
+    name: "HubSpot Suite",
+    description: "HubSpot CRM, Marketing Hub, Sales Hub, Service Hub, and CMS.",
+    icon: "\u{1F7E0}",
+    skills: ["hubspot-crm", "hubspot-marketing", "hubspot-sales", "hubspot-service"]
+  },
+  {
+    id: "adobe-creative",
+    name: "Adobe Creative Cloud",
+    description: "Adobe Photoshop, Illustrator, Premiere Pro, After Effects, InDesign, and XD.",
+    icon: "\u{1F3A8}",
+    skills: ["adobe-photoshop", "adobe-illustrator", "adobe-premiere", "adobe-after-effects", "adobe-indesign", "adobe-xd"]
+  },
+  {
+    id: "enterprise-utility",
+    name: "Enterprise Utility Tools",
+    description: "Built-in enterprise productivity tools \u2014 database queries, spreadsheets, documents, calendar, knowledge search, web research, translation, logs, workflow, notifications, finance, HTTP, security scanning, code sandbox, diff, and vision.",
+    icon: "\u{1F3D7}\uFE0F",
+    skills: [
+      "enterprise-database",
+      "enterprise-spreadsheet",
+      "enterprise-documents",
+      "enterprise-calendar",
+      "enterprise-knowledge-search",
+      "enterprise-web-research",
+      "enterprise-translation",
+      "enterprise-logs",
+      "enterprise-workflow",
+      "enterprise-notifications",
+      "enterprise-finance",
+      "enterprise-http",
+      "enterprise-security-scan",
+      "enterprise-code-sandbox",
+      "enterprise-diff",
+      "enterprise-vision"
+    ]
+  }
+];
+var PRESET_PROFILES = [
+  {
+    name: "Research Assistant",
+    description: "Can search the web, read files, and summarize content. Cannot send messages, run code, or modify anything.",
+    skills: { mode: "allowlist", list: ["research", "summarize", "data-read"] },
+    tools: { blocked: ["exec", "write", "edit"], allowed: ["web_search", "web_fetch", "read", "memory_search", "memory_get"] },
+    maxRiskLevel: "low",
+    blockedSideEffects: ["sends-email", "sends-message", "sends-sms", "posts-social", "runs-code", "modifies-files", "deletes-data", "controls-device", "financial"],
+    requireApproval: { enabled: false, forRiskLevels: [], forSideEffects: [], approvers: [], timeoutMinutes: 30 },
+    rateLimits: { toolCallsPerMinute: 30, toolCallsPerHour: 500, toolCallsPerDay: 5e3, externalActionsPerHour: 0 },
+    constraints: { maxConcurrentTasks: 3, maxSessionDurationMinutes: 480, sandboxMode: false }
+  },
+  {
+    name: "Customer Support Agent",
+    description: "Can read/send emails, search knowledge base, and manage tickets. Cannot run code or access files.",
+    skills: { mode: "allowlist", list: ["communication", "research", "agenticmail", "m365-outlook", "m365-teams", "gws-gmail", "gws-calendar", "zendesk", "intercom"] },
+    tools: { blocked: ["exec", "browser", "write", "edit"], allowed: ["agenticmail_send", "agenticmail_reply", "agenticmail_inbox", "agenticmail_read", "agenticmail_search", "web_search", "web_fetch"] },
+    maxRiskLevel: "medium",
+    blockedSideEffects: ["runs-code", "modifies-files", "deletes-data", "controls-device", "financial", "posts-social"],
+    requireApproval: { enabled: true, forRiskLevels: ["high", "critical"], forSideEffects: ["sends-email"], approvers: [], timeoutMinutes: 60 },
+    rateLimits: { toolCallsPerMinute: 20, toolCallsPerHour: 300, toolCallsPerDay: 3e3, externalActionsPerHour: 50 },
+    constraints: { maxConcurrentTasks: 5, maxSessionDurationMinutes: 480, sandboxMode: false }
+  },
+  {
+    name: "Developer Assistant",
+    description: "Full development capabilities: code, git, GitHub, shell. Cannot send external messages or access smart home.",
+    skills: { mode: "allowlist", list: ["development", "github", "coding-agent", "research", "data", "docker", "github-actions", "jira", "linear", "slack"] },
+    tools: { blocked: ["agenticmail_send", "message", "tts", "nodes"], allowed: ["exec", "read", "write", "edit", "web_search", "web_fetch", "browser"] },
+    maxRiskLevel: "high",
+    blockedSideEffects: ["sends-email", "sends-message", "sends-sms", "posts-social", "controls-device", "financial"],
+    requireApproval: { enabled: true, forRiskLevels: ["critical"], forSideEffects: [], approvers: [], timeoutMinutes: 15 },
+    rateLimits: { toolCallsPerMinute: 60, toolCallsPerHour: 1e3, toolCallsPerDay: 1e4, externalActionsPerHour: 100 },
+    constraints: { maxConcurrentTasks: 3, maxSessionDurationMinutes: 720, sandboxMode: false }
+  },
+  {
+    name: "Full Access (Owner)",
+    description: "Unrestricted access to all skills and tools. Use with caution.",
+    skills: { mode: "blocklist", list: [] },
+    tools: { blocked: [], allowed: [] },
+    maxRiskLevel: "critical",
+    blockedSideEffects: [],
+    requireApproval: { enabled: false, forRiskLevels: [], forSideEffects: [], approvers: [], timeoutMinutes: 30 },
+    rateLimits: { toolCallsPerMinute: 120, toolCallsPerHour: 5e3, toolCallsPerDay: 5e4, externalActionsPerHour: 500 },
+    constraints: { maxConcurrentTasks: 10, maxSessionDurationMinutes: 1440, sandboxMode: false }
+  },
+  {
+    name: "Sandbox (Testing)",
+    description: "All tools available but in simulation mode. No real external actions are taken.",
+    skills: { mode: "blocklist", list: [] },
+    tools: { blocked: [], allowed: [] },
+    maxRiskLevel: "critical",
+    blockedSideEffects: [],
+    requireApproval: { enabled: false, forRiskLevels: [], forSideEffects: [], approvers: [], timeoutMinutes: 30 },
+    rateLimits: { toolCallsPerMinute: 60, toolCallsPerHour: 1e3, toolCallsPerDay: 1e4, externalActionsPerHour: 500 },
+    constraints: { maxConcurrentTasks: 5, maxSessionDurationMinutes: 480, sandboxMode: true }
+  }
+];
+var BUILTIN_SKILLS = [
+  // ═══ AgenticMail — Core Product (always available) ═══
+  ...AGENTICMAIL_SKILL_DEFS,
+  // ═══ Microsoft 365 Suite ═══
+  ...M365_SKILL_DEFS,
+  // ═══ Google Workspace Suite ═══
+  ...GWS_SKILL_DEFS,
+  // ═══ Enterprise Utility Tools ═══
+  ...ENTERPRISE_SKILL_DEFS
+];
+var PermissionEngine = class {
+  skills = /* @__PURE__ */ new Map();
+  profiles = /* @__PURE__ */ new Map();
+  engineDb;
+  constructor(skills) {
+    if (skills) {
+      for (const s of skills) this.skills.set(s.id, s);
+    }
+  }
+  /**
+   * Set the database adapter and load existing profiles from DB
+   */
+  async setDb(db) {
+    this.engineDb = db;
+    try {
+      const profiles = await db.getAllPermissionProfiles();
+      for (const profile of profiles) {
+        if (profile && profile.id) {
+          this.profiles.set(profile.id, profile);
+        }
+      }
+      if (profiles.length > 0) console.log(`[permissions] Loaded ${profiles.length} permission profiles from DB`);
+    } catch {
+    }
+  }
+  registerSkill(skill) {
+    this.skills.set(skill.id, skill);
+  }
+  setProfile(agentId, profile, orgId) {
+    this.profiles.set(agentId, profile);
+    if (this.engineDb && orgId) {
+      this.engineDb.upsertPermissionProfile(orgId, profile).catch((err) => {
+        console.error(`[permissions] Failed to persist profile for agent ${agentId}:`, err);
+      });
+    }
+  }
+  getProfile(agentId) {
+    return this.profiles.get(agentId);
+  }
+  /**
+   * Core permission check: Can this agent use this tool right now?
+   * Returns { allowed, reason, requiresApproval }
+   */
+  checkPermission(agentId, toolId, context) {
+    const profile = this.profiles.get(agentId);
+    if (!profile) {
+      return { allowed: false, reason: "No permission profile assigned", requiresApproval: false };
+    }
+    if (profile.constraints.sandboxMode) {
+      return { allowed: true, reason: "Sandbox mode \u2014 action will be simulated", requiresApproval: false, sandbox: true };
+    }
+    if (profile.constraints.allowedWorkingHours) {
+      const now = context?.timestamp || /* @__PURE__ */ new Date();
+      const { start, end, timezone } = profile.constraints.allowedWorkingHours;
+      const hour = parseInt(new Intl.DateTimeFormat("en-US", { hour: "numeric", hour12: false, timeZone: timezone }).format(now));
+      const startHour = parseInt(start.split(":")[0]);
+      const endHour = parseInt(end.split(":")[0]);
+      if (hour < startHour || hour >= endHour) {
+        return { allowed: false, reason: `Outside working hours (${start}-${end} ${timezone})`, requiresApproval: false };
+      }
+    }
+    if (profile.constraints.allowedIPs?.length && context?.ip) {
+      if (!profile.constraints.allowedIPs.includes(context.ip)) {
+        return { allowed: false, reason: `IP ${context.ip} not in allowlist`, requiresApproval: false };
+      }
+    }
+    if (profile.tools.blocked.includes(toolId)) {
+      return { allowed: false, reason: `Tool "${toolId}" is explicitly blocked`, requiresApproval: false };
+    }
+    if (profile.tools.allowed.includes(toolId)) {
+      return this._checkApproval(profile, toolId);
+    }
+    const tool = this._findTool(toolId);
+    if (!tool) {
+      return { allowed: false, reason: `Unknown tool "${toolId}"`, requiresApproval: false };
+    }
+    const skillAllowed = profile.skills.mode === "allowlist" ? profile.skills.list.includes(tool.skillId) : !profile.skills.list.includes(tool.skillId);
+    if (!skillAllowed) {
+      return { allowed: false, reason: `Skill "${tool.skillId}" is not permitted`, requiresApproval: false };
+    }
+    const riskOrder = ["low", "medium", "high", "critical"];
+    const toolRiskIdx = riskOrder.indexOf(tool.risk);
+    const maxRiskIdx = riskOrder.indexOf(profile.maxRiskLevel);
+    if (toolRiskIdx > maxRiskIdx) {
+      return { allowed: false, reason: `Tool risk "${tool.risk}" exceeds max allowed "${profile.maxRiskLevel}"`, requiresApproval: false };
+    }
+    for (const effect of tool.sideEffects) {
+      if (profile.blockedSideEffects.includes(effect)) {
+        return { allowed: false, reason: `Side effect "${effect}" is blocked`, requiresApproval: false };
+      }
+    }
+    return this._checkApproval(profile, toolId, tool);
+  }
+  _checkApproval(profile, toolId, tool) {
+    if (!profile.requireApproval.enabled) {
+      return { allowed: true, reason: "Permitted", requiresApproval: false };
+    }
+    if (tool) {
+      if (profile.requireApproval.forRiskLevels.includes(tool.risk)) {
+        return { allowed: true, reason: "Requires human approval (risk level)", requiresApproval: true };
+      }
+      for (const effect of tool.sideEffects) {
+        if (profile.requireApproval.forSideEffects.includes(effect)) {
+          return { allowed: true, reason: `Requires human approval (${effect})`, requiresApproval: true };
+        }
+      }
+    }
+    return { allowed: true, reason: "Permitted", requiresApproval: false };
+  }
+  _findTool(toolId) {
+    for (const skill of this.skills.values()) {
+      const tool = skill.tools.find((t) => t.id === toolId);
+      if (tool) return tool;
+    }
+    try {
+      const { TOOL_INDEX } = (init_tool_catalog(), __toCommonJS(tool_catalog_exports));
+      return TOOL_INDEX.get(toolId);
+    } catch {
+      return void 0;
+    }
+  }
+  /**
+   * Get the full resolved tool list for an agent — what they can actually use
+   */
+  getAvailableTools(agentId) {
+    const result = [];
+    for (const skill of this.skills.values()) {
+      for (const tool of skill.tools) {
+        const perm = this.checkPermission(agentId, tool.id);
+        if (perm.allowed) {
+          result.push({
+            tool,
+            status: perm.sandbox ? "sandbox" : perm.requiresApproval ? "approval-required" : "allowed"
+          });
+        }
+      }
+    }
+    return result;
+  }
+  /**
+   * Generate the tool policy config for an agent based on their profile
+   */
+  generateToolPolicy(agentId) {
+    const profile = this.profiles.get(agentId);
+    if (!profile) return { allowedTools: [], blockedTools: [], approvalRequired: [], rateLimits: { toolCallsPerMinute: 10, toolCallsPerHour: 100, toolCallsPerDay: 1e3, externalActionsPerHour: 10 } };
+    const allowed = [];
+    const blocked = [];
+    const approval = [];
+    for (const skill of this.skills.values()) {
+      for (const tool of skill.tools) {
+        const perm = this.checkPermission(agentId, tool.id);
+        if (perm.allowed) {
+          allowed.push(tool.id);
+          if (perm.requiresApproval) approval.push(tool.id);
+        } else {
+          blocked.push(tool.id);
+        }
+      }
+    }
+    return { allowedTools: allowed, blockedTools: blocked, approvalRequired: approval, rateLimits: profile.rateLimits };
+  }
+  getAllSkills() {
+    return Array.from(this.skills.values());
+  }
+  getSkillsByCategory() {
+    const result = {};
+    for (const skill of this.skills.values()) {
+      if (!result[skill.category]) result[skill.category] = [];
+      result[skill.category].push(skill);
+    }
+    return result;
+  }
+};
+
+export {
+  SKILL_SUITES,
+  PRESET_PROFILES,
+  BUILTIN_SKILLS,
+  PermissionEngine
+};