@aporthq/aport-agent-guardrails 1.0.8

package/external/aport-policies/code.repository.merge.v1/express.example.js

@@ -0,0 +1,332 @@
+const express = require("express");
+const { requirePolicy } = require("@aporthq/middleware-express");
+
+const app = express();
+app.use(express.json());
+
+// Apply repo policy to PR creation routes
+app.post(
+  "/repo/pr",
+  requirePolicy("code.repository.merge.v1"),
+  async (req, res) => {
+    try {
+      const { repo, base_branch, head_branch, title, body, files_changed } =
+        req.body;
+      const passport = req.policyResult.passport;
+
+      // Check repository allowlist
+      const allowedRepos =
+        passport.capabilities.find((cap) => cap.id === "repo.pr.create")?.params
+          ?.allowed_repos || [];
+
+      if (allowedRepos.length > 0 && !allowedRepos.includes(repo)) {
+        return res.status(403).json({
+          error: "Repository not allowed",
+          allowed_repos: allowedRepos,
+          upgrade_instructions:
+            "Add repository to your passport's allowed_repos",
+        });
+      }
+
+      // Check base branch allowlist
+      const allowedBranches =
+        passport.capabilities.find((cap) => cap.id === "repo.pr.create")?.params
+          ?.allowed_base_branches || [];
+
+      if (
+        allowedBranches.length > 0 &&
+        !allowedBranches.includes(base_branch)
+      ) {
+        return res.status(403).json({
+          error: "Base branch not allowed",
+          allowed_branches: allowedBranches,
+        });
+      }
+
+      // Check file limits
+      const maxFiles =
+        passport.capabilities.find((cap) => cap.id === "repo.pr.create")?.params
+          ?.max_files_changed || Infinity;
+
+      if (files_changed && files_changed.length > maxFiles) {
+        return res.status(403).json({
+          error: "Too many files changed",
+          max_files: maxFiles,
+          requested: files_changed.length,
+        });
+      }
+
+      // Check total lines added
+      const totalLinesAdded =
+        files_changed?.reduce(
+          (sum, file) => sum + (file.lines_added || 0),
+          0
+        ) || 0;
+      const maxLines =
+        passport.capabilities.find((cap) => cap.id === "repo.pr.create")?.params
+          ?.max_total_added_lines || Infinity;
+
+      if (totalLinesAdded > maxLines) {
+        return res.status(403).json({
+          error: "Too many lines added",
+          max_lines: maxLines,
+          requested: totalLinesAdded,
+        });
+      }
+
+      // Check path allowlist
+      const pathAllowlist =
+        passport.capabilities.find((cap) => cap.id === "repo.pr.create")?.params
+          ?.path_allowlist || [];
+
+      if (pathAllowlist.length > 0 && files_changed) {
+        const disallowedFiles = files_changed.filter(
+          (file) =>
+            !pathAllowlist.some((pattern) =>
+              file.path.match(new RegExp(pattern))
+            )
+        );
+
+        if (disallowedFiles.length > 0) {
+          return res.status(403).json({
+            error: "Files outside allowed paths",
+            disallowed_files: disallowedFiles.map((f) => f.path),
+            path_allowlist: pathAllowlist,
+          });
+        }
+      }
+
+      // Check daily PR limit
+      const dailyUsage = await getDailyPRUsage(passport.agent_id);
+      if (dailyUsage >= passport.limits.max_prs_per_day) {
+        return res.status(403).json({
+          error: "Daily PR limit exceeded",
+          limit: passport.limits.max_prs_per_day,
+          current_usage: dailyUsage,
+        });
+      }
+
+      // Create PR using your Git service
+      const pr_id = await createPullRequest({
+        repo,
+        base_branch,
+        head_branch,
+        title,
+        body,
+        files_changed,
+        agent_id: passport.agent_id,
+        agent_name: passport.name,
+      });
+
+      // Record usage
+      await recordPRUsage(passport.agent_id);
+
+      // Log the PR creation
+      console.log(
+        `PR created: ${pr_id} in ${repo} by agent ${passport.agent_id}`
+      );
+
+      res.json({
+        success: true,
+        pr_id,
+        repo,
+        base_branch,
+        head_branch,
+        files_changed: files_changed?.length || 0,
+        lines_added: totalLinesAdded,
+        status: "created",
+      });
+    } catch (error) {
+      console.error("PR creation error:", error);
+      res.status(500).json({ error: "Internal server error" });
+    }
+  }
+);
+
+// Apply repo policy to merge routes
+app.post(
+  "/repo/merge",
+  requirePolicy("code.repository.merge.v1"),
+  async (req, res) => {
+    try {
+      const { repo, pr_id, merge_method, delete_branch } = req.body;
+      const passport = req.policyResult.passport;
+
+      // Get PR details first
+      const prDetails = await getPRDetails(repo, pr_id);
+
+      // Check repository allowlist
+      const allowedRepos =
+        passport.capabilities.find((cap) => cap.id === "repo.merge")?.params
+          ?.allowed_repos || [];
+
+      if (allowedRepos.length > 0 && !allowedRepos.includes(repo)) {
+        return res.status(403).json({
+          error: "Repository not allowed for merging",
+          allowed_repos: allowedRepos,
+        });
+      }
+
+      // Check base branch allowlist
+      const allowedBranches =
+        passport.capabilities.find((cap) => cap.id === "repo.merge")?.params
+          ?.allowed_base_branches || [];
+
+      if (
+        allowedBranches.length > 0 &&
+        !allowedBranches.includes(prDetails.base_branch)
+      ) {
+        return res.status(403).json({
+          error: "Base branch not allowed for merging",
+          allowed_branches: allowedBranches,
+        });
+      }
+
+      // Check required labels
+      const requiredLabels =
+        passport.capabilities.find((cap) => cap.id === "repo.merge")?.params
+          ?.required_labels || [];
+
+      if (requiredLabels.length > 0) {
+        const missingLabels = requiredLabels.filter(
+          (label) => !prDetails.labels.includes(label)
+        );
+        if (missingLabels.length > 0) {
+          return res.status(403).json({
+            error: "Required labels missing",
+            missing_labels: missingLabels,
+            current_labels: prDetails.labels,
+          });
+        }
+      }
+
+      // Check required reviews
+      const requiredReviews =
+        passport.capabilities.find((cap) => cap.id === "repo.merge")?.params
+          ?.required_reviews || 0;
+
+      if (prDetails.approvals < requiredReviews) {
+        return res.status(403).json({
+          error: "Insufficient reviews",
+          required: requiredReviews,
+          current: prDetails.approvals,
+        });
+      }
+
+      // Check PR size limit
+      const prSizeKB = prDetails.size_kb;
+      if (prSizeKB > passport.limits.max_pr_size_kb) {
+        return res.status(403).json({
+          error: "PR size exceeds limit",
+          size_kb: prSizeKB,
+          limit_kb: passport.limits.max_pr_size_kb,
+        });
+      }
+
+      // Check daily merge limit
+      const dailyUsage = await getDailyMergeUsage(passport.agent_id);
+      if (dailyUsage >= passport.limits.max_merges_per_day) {
+        return res.status(403).json({
+          error: "Daily merge limit exceeded",
+          limit: passport.limits.max_merges_per_day,
+          current_usage: dailyUsage,
+        });
+      }
+
+      // Merge PR using your Git service
+      const merge_result = await mergePullRequest({
+        repo,
+        pr_id,
+        merge_method,
+        delete_branch,
+        agent_id: passport.agent_id,
+        agent_name: passport.name,
+      });
+
+      // Record usage
+      await recordMergeUsage(passport.agent_id);
+
+      // Log the merge
+      console.log(
+        `PR merged: ${pr_id} in ${repo} by agent ${passport.agent_id}`
+      );
+
+      res.json({
+        success: true,
+        pr_id,
+        repo,
+        merge_sha: merge_result.sha,
+        merge_method,
+        status: "merged",
+      });
+    } catch (error) {
+      console.error("PR merge error:", error);
+      res.status(500).json({ error: "Internal server error" });
+    }
+  }
+);
+
+// Mock functions (implement with your actual Git service)
+async function createPullRequest({
+  repo,
+  base_branch,
+  head_branch,
+  title,
+  body,
+  files_changed,
+  agent_id,
+  agent_name,
+}) {
+  // Simulate PR creation
+  await new Promise((resolve) => setTimeout(resolve, 200));
+  return `pr_${Date.now()}_${Math.random().toString(36).substr(2, 9)}`;
+}
+
+async function getPRDetails(repo, pr_id) {
+  // Mock PR details
+  return {
+    base_branch: "main",
+    labels: ["enhancement", "agent-created"],
+    approvals: 2,
+    size_kb: 45,
+  };
+}
+
+async function mergePullRequest({
+  repo,
+  pr_id,
+  merge_method,
+  delete_branch,
+  agent_id,
+  agent_name,
+}) {
+  // Simulate PR merge
+  await new Promise((resolve) => setTimeout(resolve, 300));
+  return {
+    sha: `sha_${Date.now()}_${Math.random().toString(36).substr(2, 9)}`,
+  };
+}
+
+async function getDailyPRUsage(agent_id) {
+  // Get current daily PR usage
+  return 0; // Mock value
+}
+
+async function getDailyMergeUsage(agent_id) {
+  // Get current daily merge usage
+  return 0; // Mock value
+}
+
+async function recordPRUsage(agent_id) {
+  console.log(`Recorded PR creation for agent ${agent_id}`);
+}
+
+async function recordMergeUsage(agent_id) {
+  console.log(`Recorded PR merge for agent ${agent_id}`);
+}
+
+const PORT = process.env.PORT || 3000;
+app.listen(PORT, () => {
+  console.log(`Repository service running on port ${PORT}`);
+  console.log("Protected by APort code.repository.merge.v1 policy pack");
+});

package/external/aport-policies/code.repository.merge.v1/fastapi.example.py

@@ -0,0 +1,370 @@
+from fastapi import FastAPI, HTTPException, Request
+from pydantic import BaseModel, Field
+from typing import List, Optional, Dict, Any
+from aport.middleware import require_policy
+import asyncio
+import re
+
+app = FastAPI(title="Repository Service", version="1.0.0")
+
+class FileChange(BaseModel):
+    path: str
+    lines_added: Optional[int] = 0
+    lines_removed: Optional[int] = 0
+
+class PRRequest(BaseModel):
+    repo: str
+    base_branch: str
+    head_branch: str
+    title: str
+    body: Optional[str] = ""
+    files_changed: Optional[List[FileChange]] = []
+
+class MergeRequest(BaseModel):
+    repo: str
+    pr_id: str
+    merge_method: Optional[str] = "merge"
+    delete_branch: Optional[bool] = False
+
+@app.post("/repo/pr")
+@require_policy("code.repository.merge.v1")
+async def create_pull_request(request: Request, pr_data: PRRequest):
+    try:
+        passport = request.state.policy_result.passport
+        
+        # Get PR creation capability
+        pr_capability = next(
+            (cap for cap in passport.capabilities if cap.id == "repo.pr.create"), 
+            None
+        )
+        
+        # Check repository allowlist
+        allowed_repos = (
+            pr_capability.params.get("allowed_repos", [])
+            if pr_capability and pr_capability.params
+            else []
+        )
+        
+        if allowed_repos and pr_data.repo not in allowed_repos:
+            raise HTTPException(
+                status_code=403,
+                detail={
+                    "error": "Repository not allowed",
+                    "allowed_repos": allowed_repos,
+                    "upgrade_instructions": "Add repository to your passport's allowed_repos"
+                }
+            )
+
+        # Check base branch allowlist
+        allowed_branches = (
+            pr_capability.params.get("allowed_base_branches", [])
+            if pr_capability and pr_capability.params
+            else []
+        )
+        
+        if allowed_branches and pr_data.base_branch not in allowed_branches:
+            raise HTTPException(
+                status_code=403,
+                detail={
+                    "error": "Base branch not allowed",
+                    "allowed_branches": allowed_branches
+                }
+            )
+
+        # Check file limits
+        max_files = (
+            pr_capability.params.get("max_files_changed", float('inf'))
+            if pr_capability and pr_capability.params
+            else float('inf')
+        )
+        
+        if pr_data.files_changed and len(pr_data.files_changed) > max_files:
+            raise HTTPException(
+                status_code=403,
+                detail={
+                    "error": "Too many files changed",
+                    "max_files": max_files,
+                    "requested": len(pr_data.files_changed)
+                }
+            )
+
+        # Check total lines added
+        total_lines_added = sum(
+            file.lines_added or 0 for file in (pr_data.files_changed or [])
+        )
+        max_lines = (
+            pr_capability.params.get("max_total_added_lines", float('inf'))
+            if pr_capability and pr_capability.params
+            else float('inf')
+        )
+        
+        if total_lines_added > max_lines:
+            raise HTTPException(
+                status_code=403,
+                detail={
+                    "error": "Too many lines added",
+                    "max_lines": max_lines,
+                    "requested": total_lines_added
+                }
+            )
+
+        # Check path allowlist
+        path_allowlist = (
+            pr_capability.params.get("path_allowlist", [])
+            if pr_capability and pr_capability.params
+            else []
+        )
+        
+        if path_allowlist and pr_data.files_changed:
+            disallowed_files = [
+                file for file in pr_data.files_changed
+                if not any(re.match(pattern, file.path) for pattern in path_allowlist)
+            ]
+            
+            if disallowed_files:
+                raise HTTPException(
+                    status_code=403,
+                    detail={
+                        "error": "Files outside allowed paths",
+                        "disallowed_files": [f.path for f in disallowed_files],
+                        "path_allowlist": path_allowlist
+                    }
+                )
+
+        # Check daily PR limit
+        daily_usage = await get_daily_pr_usage(passport.agent_id)
+        pr_limit = passport.limits.get("max_prs_per_day", float('inf'))
+        
+        if daily_usage >= pr_limit:
+            raise HTTPException(
+                status_code=403,
+                detail={
+                    "error": "Daily PR limit exceeded",
+                    "limit": pr_limit,
+                    "current_usage": daily_usage
+                }
+            )
+
+        # Create PR using your Git service
+        pr_id = await create_pull_request_service({
+            "repo": pr_data.repo,
+            "base_branch": pr_data.base_branch,
+            "head_branch": pr_data.head_branch,
+            "title": pr_data.title,
+            "body": pr_data.body,
+            "files_changed": pr_data.files_changed,
+            "agent_id": passport.agent_id,
+            "agent_name": passport.name,
+        })
+
+        # Record usage
+        await record_pr_usage(passport.agent_id)
+
+        # Log the PR creation
+        print(f"PR created: {pr_id} in {pr_data.repo} by agent {passport.agent_id}")
+
+        return {
+            "success": True,
+            "pr_id": pr_id,
+            "repo": pr_data.repo,
+            "base_branch": pr_data.base_branch,
+            "head_branch": pr_data.head_branch,
+            "files_changed": len(pr_data.files_changed or []),
+            "lines_added": total_lines_added,
+            "status": "created",
+        }
+        
+    except HTTPException:
+        raise
+    except Exception as e:
+        print(f"PR creation error: {e}")
+        raise HTTPException(status_code=500, detail="Internal server error")
+
+@app.post("/repo/merge")
+@require_policy("code.repository.merge.v1")
+async def merge_pull_request(request: Request, merge_data: MergeRequest):
+    try:
+        passport = request.state.policy_result.passport
+
+        # Get PR details first
+        pr_details = await get_pr_details(merge_data.repo, merge_data.pr_id)
+        
+        # Get merge capability
+        merge_capability = next(
+            (cap for cap in passport.capabilities if cap.id == "repo.merge"), 
+            None
+        )
+        
+        # Check repository allowlist
+        allowed_repos = (
+            merge_capability.params.get("allowed_repos", [])
+            if merge_capability and merge_capability.params
+            else []
+        )
+        
+        if allowed_repos and merge_data.repo not in allowed_repos:
+            raise HTTPException(
+                status_code=403,
+                detail={
+                    "error": "Repository not allowed for merging",
+                    "allowed_repos": allowed_repos
+                }
+            )
+
+        # Check base branch allowlist
+        allowed_branches = (
+            merge_capability.params.get("allowed_base_branches", [])
+            if merge_capability and merge_capability.params
+            else []
+        )
+        
+        if allowed_branches and pr_details["base_branch"] not in allowed_branches:
+            raise HTTPException(
+                status_code=403,
+                detail={
+                    "error": "Base branch not allowed for merging",
+                    "allowed_branches": allowed_branches
+                }
+            )
+
+        # Check required labels
+        required_labels = (
+            merge_capability.params.get("required_labels", [])
+            if merge_capability and merge_capability.params
+            else []
+        )
+        
+        if required_labels:
+            missing_labels = [
+                label for label in required_labels 
+                if label not in pr_details["labels"]
+            ]
+            if missing_labels:
+                raise HTTPException(
+                    status_code=403,
+                    detail={
+                        "error": "Required labels missing",
+                        "missing_labels": missing_labels,
+                        "current_labels": pr_details["labels"]
+                    }
+                )
+
+        # Check required reviews
+        required_reviews = (
+            merge_capability.params.get("required_reviews", 0)
+            if merge_capability and merge_capability.params
+            else 0
+        )
+        
+        if pr_details["approvals"] < required_reviews:
+            raise HTTPException(
+                status_code=403,
+                detail={
+                    "error": "Insufficient reviews",
+                    "required": required_reviews,
+                    "current": pr_details["approvals"]
+                }
+            )
+
+        # Check PR size limit
+        pr_size_kb = pr_details["size_kb"]
+        size_limit = passport.limits.get("max_pr_size_kb", float('inf'))
+        
+        if pr_size_kb > size_limit:
+            raise HTTPException(
+                status_code=403,
+                detail={
+                    "error": "PR size exceeds limit",
+                    "size_kb": pr_size_kb,
+                    "limit_kb": size_limit
+                }
+            )
+
+        # Check daily merge limit
+        daily_usage = await get_daily_merge_usage(passport.agent_id)
+        merge_limit = passport.limits.get("max_merges_per_day", float('inf'))
+        
+        if daily_usage >= merge_limit:
+            raise HTTPException(
+                status_code=403,
+                detail={
+                    "error": "Daily merge limit exceeded",
+                    "limit": merge_limit,
+                    "current_usage": daily_usage
+                }
+            )
+
+        # Merge PR using your Git service
+        merge_result = await merge_pull_request_service({
+            "repo": merge_data.repo,
+            "pr_id": merge_data.pr_id,
+            "merge_method": merge_data.merge_method,
+            "delete_branch": merge_data.delete_branch,
+            "agent_id": passport.agent_id,
+            "agent_name": passport.name,
+        })
+
+        # Record usage
+        await record_merge_usage(passport.agent_id)
+
+        # Log the merge
+        print(f"PR merged: {merge_data.pr_id} in {merge_data.repo} by agent {passport.agent_id}")
+
+        return {
+            "success": True,
+            "pr_id": merge_data.pr_id,
+            "repo": merge_data.repo,
+            "merge_sha": merge_result["sha"],
+            "merge_method": merge_data.merge_method,
+            "status": "merged",
+        }
+        
+    except HTTPException:
+        raise
+    except Exception as e:
+        print(f"PR merge error: {e}")
+        raise HTTPException(status_code=500, detail="Internal server error")
+
+# Mock functions (implement with your actual Git service)
+async def create_pull_request_service(pr_data: dict) -> str:
+    """Mock PR creation function"""
+    await asyncio.sleep(0.2)  # Simulate API call
+    return f"pr_{asyncio.get_event_loop().time()}_{hash(str(pr_data)) % 1000000}"
+
+async def get_pr_details(repo: str, pr_id: str) -> Dict[str, Any]:
+    """Mock PR details retrieval"""
+    return {
+        "base_branch": "main",
+        "labels": ["enhancement", "agent-created"],
+        "approvals": 2,
+        "size_kb": 45
+    }
+
+async def merge_pull_request_service(merge_data: dict) -> Dict[str, str]:
+    """Mock PR merge function"""
+    await asyncio.sleep(0.3)  # Simulate API call
+    return {
+        "sha": f"sha_{asyncio.get_event_loop().time()}_{hash(str(merge_data)) % 1000000}"
+    }
+
+async def get_daily_pr_usage(agent_id: str) -> int:
+    """Get current daily PR usage"""
+    return 0  # Mock value
+
+async def get_daily_merge_usage(agent_id: str) -> int:
+    """Get current daily merge usage"""
+    return 0  # Mock value
+
+async def record_pr_usage(agent_id: str) -> None:
+    """Record PR creation usage"""
+    print(f"Recorded PR creation for agent {agent_id}")
+
+async def record_merge_usage(agent_id: str) -> None:
+    """Record PR merge usage"""
+    print(f"Recorded PR merge for agent {agent_id}")
+
+if __name__ == "__main__":
+    import uvicorn
+    print("Repository service starting...")
+    print("Protected by APort code.repository.merge.v1 policy pack")
+    uvicorn.run(app, host="0.0.0.0", port=8000)