npm - @aporthq/aport-agent-guardrails - Versions diffs - 1.0.8 - Mend

@aporthq/aport-agent-guardrails 1.0.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (237) hide show

package/external/aport-policies/governance.data.access.v1/tests/data-access-policy.test.js ADDED Viewed

@@ -0,0 +1,308 @@
+/**
+ * Test Suite: governance.data.access.v1 Policy
+ *
+ * Tests the data access governance policy with various scenarios
+ * including valid access, classification violations, and security controls.
+ */
+const fs = require("fs");
+const path = require("path");
+// Mock the policy evaluation function
+async function evaluateGovernanceDataAccessV1(passport, context) {
+  // Mock implementation based on the actual policy logic
+  const reasons = [];
+  let allow = true;
+  // Check agent status
+  if (passport.status === "suspended" || passport.status === "revoked") {
+    return {
+      allow: false,
+      reasons: [
+        {
+          code: "oap.passport_suspended",
+          message: `Agent is ${passport.status} and cannot perform operations`,
+          severity: "error",
+        },
+      ],
+    };
+  }
+  // Check capabilities
+  const hasDataAccessCapability = passport.capabilities?.some(
+    (cap) => cap.id === "data.access"
+  );
+  if (!hasDataAccessCapability) {
+    return {
+      allow: false,
+      reasons: [
+        {
+          code: "oap.unknown_capability",
+          message: "Agent does not have data.access capability",
+          severity: "error",
+        },
+      ],
+    };
+  }
+  // Check assurance level
+  const requiredAssurance =
+    passport.limits?.data?.access?.require_assurance_at_least || "L3";
+  if (
+    passport.assurance_level !== requiredAssurance &&
+    passport.assurance_level !== "L4KYC" &&
+    passport.assurance_level !== "L4FIN"
+  ) {
+    return {
+      allow: false,
+      reasons: [
+        {
+          code: "oap.assurance_insufficient",
+          message: `Assurance level ${passport.assurance_level} is insufficient, requires ${requiredAssurance}`,
+          severity: "error",
+        },
+      ],
+    };
+  }
+  // Check required fields
+  const requiredFields = [
+    "data_classification",
+    "accessing_entity_id",
+    "accessing_entity_type",
+    "resource_id",
+  ];
+  const missingFields = requiredFields.filter((field) => !context[field]);
+  if (missingFields.length > 0) {
+    return {
+      allow: false,
+      reasons: [
+        {
+          code: "oap.invalid_context",
+          message: `Missing required fields: ${missingFields.join(", ")}`,
+          severity: "error",
+        },
+      ],
+    };
+  }
+  // Check data classification is allowed
+  const allowedClassifications =
+    passport.limits?.data?.access?.allowed_classifications || [];
+  if (
+    allowedClassifications.length > 0 &&
+    !allowedClassifications.includes(context.data_classification)
+  ) {
+    return {
+      allow: false,
+      reasons: [
+        {
+          code: "oap.classification_forbidden",
+          message: `Data classification ${context.data_classification} is not allowed`,
+          severity: "error",
+        },
+      ],
+    };
+  }
+  // Check entity type is allowed for the data classification
+  const permissions =
+    passport.limits?.data?.access?.permissions?.[context.data_classification];
+  if (
+    permissions?.allowed_entity_types &&
+    !permissions.allowed_entity_types.includes(context.accessing_entity_type)
+  ) {
+    return {
+      allow: false,
+      reasons: [
+        {
+          code: "oap.entity_type_forbidden",
+          message: `Entity type ${context.accessing_entity_type} is not allowed for ${context.data_classification} data`,
+          severity: "error",
+        },
+      ],
+    };
+  }
+  // Check jurisdiction is allowed
+  const allowedJurisdictions =
+    passport.limits?.data?.access?.allowed_jurisdictions || [];
+  if (
+    context.jurisdiction &&
+    allowedJurisdictions.length > 0 &&
+    !allowedJurisdictions.includes(context.jurisdiction)
+  ) {
+    return {
+      allow: false,
+      reasons: [
+        {
+          code: "oap.jurisdiction_blocked",
+          message: `Jurisdiction ${context.jurisdiction} is not allowed`,
+          severity: "error",
+        },
+      ],
+    };
+  }
+  // Check row limit for exports
+  const maxRowsPerExport = passport.limits?.data?.access?.max_rows_per_export;
+  if (
+    context.row_count &&
+    maxRowsPerExport &&
+    context.row_count > maxRowsPerExport
+  ) {
+    return {
+      allow: false,
+      reasons: [
+        {
+          code: "oap.row_limit_exceeded",
+          message: `Row count ${context.row_count} exceeds maximum allowed ${maxRowsPerExport}`,
+          severity: "error",
+        },
+      ],
+    };
+  }
+  // Check data locality (destination jurisdiction)
+  const allowedDestinationJurisdictions =
+    passport.limits?.data?.access?.allowed_destination_jurisdictions || [];
+  if (
+    context.destination_jurisdiction &&
+    allowedDestinationJurisdictions.length > 0 &&
+    !allowedDestinationJurisdictions.includes(context.destination_jurisdiction)
+  ) {
+    return {
+      allow: false,
+      reasons: [
+        {
+          code: "oap.jurisdiction_blocked",
+          message: `Destination jurisdiction ${context.destination_jurisdiction} is not allowed`,
+          severity: "error",
+        },
+      ],
+    };
+  }
+  // Check balance inquiry limit
+  const balanceInquiryCap =
+    passport.limits?.data?.access?.balance_inquiry_cap_usd;
+  if (
+    context.resource_attributes?.account_balance_usd &&
+    balanceInquiryCap &&
+    context.resource_attributes.account_balance_usd >= balanceInquiryCap
+  ) {
+    return {
+      allow: false,
+      reasons: [
+        {
+          code: "oap.balance_inquiry_forbidden",
+          message: `Account balance ${context.resource_attributes.account_balance_usd} exceeds inquiry cap ${balanceInquiryCap}`,
+          severity: "error",
+        },
+      ],
+    };
+  }
+  // Check action type is allowed
+  if (
+    context.action_type &&
+    permissions?.allowed_actions &&
+    !permissions.allowed_actions.includes(context.action_type)
+  ) {
+    return {
+      allow: false,
+      reasons: [
+        {
+          code: "oap.action_forbidden",
+          message: `Action type ${context.action_type} is not allowed for ${context.data_classification} data`,
+          severity: "error",
+        },
+      ],
+    };
+  }
+  // If all checks pass, allow the data access
+  return {
+    allow: true,
+    reasons: [
+      {
+        code: "oap.allowed",
+        message: "Data access within limits and policy requirements",
+        severity: "info",
+      },
+    ],
+  };
+}
+// Test runner
+async function runTests() {
+  console.log("🧪 Running governance.data.access.v1 Policy Tests\n");
+  // Load test data
+  const passportPath = path.join(__dirname, "passport.instance.json");
+  const contextsPath = path.join(__dirname, "contexts.jsonl");
+  const expectedPath = path.join(__dirname, "expected.jsonl");
+  const passport = JSON.parse(fs.readFileSync(passportPath, "utf8"));
+  const contexts = fs
+    .readFileSync(contextsPath, "utf8")
+    .trim()
+    .split("\n")
+    .map((line) => JSON.parse(line));
+  const expected = fs
+    .readFileSync(expectedPath, "utf8")
+    .trim()
+    .split("\n")
+    .map((line) => JSON.parse(line));
+  let passed = 0;
+  let failed = 0;
+  for (let i = 0; i < contexts.length; i++) {
+    const testCase = contexts[i];
+    const expectedResult = expected[i];
+    try {
+      const result = await evaluateGovernanceDataAccessV1(
+        passport,
+        testCase.context
+      );
+      // Compare results
+      const allowMatch = result.allow === expectedResult.expected.allow;
+      const reasonsMatch =
+        JSON.stringify(result.reasons) ===
+        JSON.stringify(expectedResult.expected.reasons);
+      if (allowMatch && reasonsMatch) {
+        console.log(`✅ ${testCase.name}: PASS`);
+        passed++;
+      } else {
+        console.log(`❌ ${testCase.name}: FAIL`);
+        console.log(`   Expected: ${JSON.stringify(expectedResult.expected)}`);
+        console.log(`   Got: ${JSON.stringify(result)}`);
+        failed++;
+      }
+    } catch (error) {
+      console.log(`❌ ${testCase.name}: ERROR - ${error.message}`);
+      failed++;
+    }
+  }
+  console.log(`\n📊 Test Results: ${passed} passed, ${failed} failed`);
+  if (failed === 0) {
+    console.log("🎉 All tests passed!");
+    process.exit(0);
+  } else {
+    console.log("💥 Some tests failed!");
+    process.exit(1);
+  }
+}
+// Run tests if this file is executed directly
+if (require.main === module) {
+  runTests().catch(console.error);
+}
+module.exports = { evaluateGovernanceDataAccessV1, runTests };

package/external/aport-policies/governance.data.access.v1/tests/expected.jsonl ADDED Viewed

@@ -0,0 +1,12 @@
+{"name":"allow_pii_read_employee","expected":{"allow":true,"reasons":[{"code":"oap.allowed","message":"Data access within limits and policy requirements","severity":"info"}]}}
+{"name":"deny_classification_forbidden","expected":{"allow":false,"reasons":[{"code":"oap.classification_forbidden","message":"Data classification Sensitive is not allowed","severity":"error"}]}}
+{"name":"deny_entity_type_forbidden","expected":{"allow":false,"reasons":[{"code":"oap.entity_type_forbidden","message":"Entity type client is not allowed for HR data","severity":"error"}]}}
+{"name":"deny_jurisdiction_blocked","expected":{"allow":false,"reasons":[{"code":"oap.jurisdiction_blocked","message":"Jurisdiction CN is not allowed","severity":"error"}]}}
+{"name":"deny_row_limit_exceeded","expected":{"allow":false,"reasons":[{"code":"oap.row_limit_exceeded","message":"Row count 15000 exceeds maximum allowed 10000","severity":"error"}]}}
+{"name":"deny_destination_jurisdiction_blocked","expected":{"allow":false,"reasons":[{"code":"oap.jurisdiction_blocked","message":"Destination jurisdiction CN is not allowed","severity":"error"}]}}
+{"name":"deny_balance_inquiry_forbidden","expected":{"allow":false,"reasons":[{"code":"oap.balance_inquiry_forbidden","message":"Account balance 150000 exceeds inquiry cap 100000","severity":"error"}]}}
+{"name":"allow_financial_export_system_agent","expected":{"allow":true,"reasons":[{"code":"oap.allowed","message":"Data access within limits and policy requirements","severity":"info"}]}}
+{"name":"allow_client_tier1_read","expected":{"allow":true,"reasons":[{"code":"oap.allowed","message":"Data access within limits and policy requirements","severity":"info"}]}}
+{"name":"deny_action_forbidden","expected":{"allow":false,"reasons":[{"code":"oap.action_forbidden","message":"Action type delete is not allowed for HR data","severity":"error"}]}}
+{"name":"allow_hr_read_employee","expected":{"allow":true,"reasons":[{"code":"oap.allowed","message":"Data access within limits and policy requirements","severity":"info"}]}}
+{"name":"deny_missing_required_fields","expected":{"allow":false,"reasons":[{"code":"oap.invalid_context","message":"Missing required fields: accessing_entity_type, resource_id","severity":"error"}]}}

package/external/aport-policies/governance.data.access.v1/tests/passport.instance.json ADDED Viewed

@@ -0,0 +1,56 @@
+{
+  "passport_id": "ap_a2d10232c6534523812423eec8a1425c45679",
+  "kind": "instance",
+  "spec_version": "oap/1.0",
+  "owner_id": "org_demo_co",
+  "owner_type": "org",
+  "assurance_level": "L3",
+  "status": "active",
+  "capabilities": [
+    {
+      "id": "data.access",
+      "params": {
+        "max_classifications": 5,
+        "max_rows_per_export": 10000
+      }
+    }
+  ],
+  "limits": {
+    "data.access": {
+      "allowed_classifications": ["PII", "Financial", "HR", "ClientTier1"],
+      "permissions": {
+        "PII": {
+          "allowed_entity_types": ["employee", "system_agent"],
+          "allowed_actions": ["read", "export"]
+        },
+        "Financial": {
+          "allowed_entity_types": ["employee", "system_agent"],
+          "allowed_actions": ["read", "export"]
+        },
+        "HR": {
+          "allowed_entity_types": ["employee"],
+          "allowed_actions": ["read"]
+        },
+        "ClientTier1": {
+          "allowed_entity_types": ["employee", "client"],
+          "allowed_actions": ["read", "export"]
+        }
+      },
+      "allowed_jurisdictions": ["US", "CA", "EU"],
+      "max_rows_per_export": 10000,
+      "allowed_destination_jurisdictions": ["US", "CA", "EU"],
+      "balance_inquiry_cap_usd": 100000,
+      "max_access_attempts_per_hour": 100,
+      "max_data_age_seconds": 86400,
+      "require_assurance_at_least": "L3"
+    }
+  },
+  "regions": ["US", "CA", "EU"],
+  "metadata": {
+    "template_name": "Demo Data Access Agent",
+    "description": "Instance for data access governance operations"
+  },
+  "created_at": "2025-01-30T00:00:00Z",
+  "updated_at": "2025-01-30T00:00:00Z",
+  "version": "1.0.0"
+}

package/external/aport-policies/governance.data.access.v1/tests/passport.template.json ADDED Viewed

@@ -0,0 +1,56 @@
+{
+  "passport_id": "550e8400-e29b-41d4-a716-446655440002",
+  "kind": "template",
+  "spec_version": "oap/1.0",
+  "owner_id": "org_demo_co",
+  "owner_type": "org",
+  "assurance_level": "L3",
+  "status": "active",
+  "capabilities": [
+    {
+      "id": "data.access",
+      "params": {
+        "max_classifications": 5,
+        "max_rows_per_export": 10000
+      }
+    }
+  ],
+  "limits": {
+    "data.access": {
+      "allowed_classifications": ["PII", "Financial", "HR", "ClientTier1"],
+      "permissions": {
+        "PII": {
+          "allowed_entity_types": ["employee", "system_agent"],
+          "allowed_actions": ["read", "export"]
+        },
+        "Financial": {
+          "allowed_entity_types": ["employee", "system_agent"],
+          "allowed_actions": ["read", "export"]
+        },
+        "HR": {
+          "allowed_entity_types": ["employee"],
+          "allowed_actions": ["read"]
+        },
+        "ClientTier1": {
+          "allowed_entity_types": ["employee", "client"],
+          "allowed_actions": ["read", "export"]
+        }
+      },
+      "allowed_jurisdictions": ["US", "CA", "EU"],
+      "max_rows_per_export": 10000,
+      "allowed_destination_jurisdictions": ["US", "CA", "EU"],
+      "balance_inquiry_cap_usd": 100000,
+      "max_access_attempts_per_hour": 100,
+      "max_data_age_seconds": 86400,
+      "require_assurance_at_least": "L3"
+    }
+  },
+  "regions": ["US", "CA", "EU"],
+  "metadata": {
+    "template_name": "Demo Data Access Template",
+    "description": "Template for data access governance operations"
+  },
+  "created_at": "2025-01-30T00:00:00Z",
+  "updated_at": "2025-01-30T00:00:00Z",
+  "version": "1.0.0"
+}

package/external/aport-policies/governance.data.access.v1/tests/test_data_access_policy.py ADDED Viewed

@@ -0,0 +1,214 @@
+"""
+Test Suite: governance.data.access.v1 Policy
+Tests the data access governance policy with various scenarios
+including valid access, classification violations, and security controls.
+"""
+import json
+import os
+from typing import Dict, Any, List
+def evaluate_governance_data_access_v1(passport: Dict[str, Any], context: Dict[str, Any]) -> Dict[str, Any]:
+    """Mock implementation of the governance.data.access.v1 policy evaluation"""
+    reasons = []
+    allow = True
+    # Check agent status
+    if passport.get("status") in ["suspended", "revoked"]:
+        return {
+            "allow": False,
+            "reasons": [{
+                "code": "oap.passport_suspended",
+                "message": f"Agent is {passport.get('status')} and cannot perform operations",
+                "severity": "error"
+            }]
+        }
+    # Check capabilities
+    capabilities = passport.get("capabilities", [])
+    has_data_access_capability = any(
+        cap.get("id") == "data.access" for cap in capabilities
+    )
+    if not has_data_access_capability:
+        return {
+            "allow": False,
+            "reasons": [{
+                "code": "oap.unknown_capability",
+                "message": "Agent does not have data.access capability",
+                "severity": "error"
+            }]
+        }
+    # Check assurance level
+    required_assurance = passport.get("limits", {}).get("data", {}).get("access", {}).get("require_assurance_at_least", "L3")
+    assurance_level = passport.get("assurance_level")
+    if assurance_level not in [required_assurance, "L4KYC", "L4FIN"]:
+        return {
+            "allow": False,
+            "reasons": [{
+                "code": "oap.assurance_insufficient",
+                "message": f"Assurance level {assurance_level} is insufficient, requires {required_assurance}",
+                "severity": "error"
+            }]
+        }
+    # Check required fields
+    required_fields = ["data_classification", "accessing_entity_id", "accessing_entity_type", "resource_id"]
+    missing_fields = [field for field in required_fields if not context.get(field)]
+    if missing_fields:
+        return {
+            "allow": False,
+            "reasons": [{
+                "code": "oap.invalid_context",
+                "message": f"Missing required fields: {', '.join(missing_fields)}",
+                "severity": "error"
+            }]
+        }
+    # Check data classification is allowed
+    allowed_classifications = passport.get("limits", {}).get("data", {}).get("access", {}).get("allowed_classifications", [])
+    if allowed_classifications and context.get("data_classification") not in allowed_classifications:
+        return {
+            "allow": False,
+            "reasons": [{
+                "code": "oap.classification_forbidden",
+                "message": f"Data classification {context.get('data_classification')} is not allowed",
+                "severity": "error"
+            }]
+        }
+    # Check entity type is allowed for the data classification
+    permissions = passport.get("limits", {}).get("data", {}).get("access", {}).get("permissions", {}).get(context.get("data_classification"), {})
+    if permissions.get("allowed_entity_types") and context.get("accessing_entity_type") not in permissions["allowed_entity_types"]:
+        return {
+            "allow": False,
+            "reasons": [{
+                "code": "oap.entity_type_forbidden",
+                "message": f"Entity type {context.get('accessing_entity_type')} is not allowed for {context.get('data_classification')} data",
+                "severity": "error"
+            }]
+        }
+    # Check jurisdiction is allowed
+    allowed_jurisdictions = passport.get("limits", {}).get("data", {}).get("access", {}).get("allowed_jurisdictions", [])
+    if context.get("jurisdiction") and allowed_jurisdictions and context.get("jurisdiction") not in allowed_jurisdictions:
+        return {
+            "allow": False,
+            "reasons": [{
+                "code": "oap.jurisdiction_blocked",
+                "message": f"Jurisdiction {context.get('jurisdiction')} is not allowed",
+                "severity": "error"
+            }]
+        }
+    # Check row limit for exports
+    max_rows_per_export = passport.get("limits", {}).get("data", {}).get("access", {}).get("max_rows_per_export")
+    if context.get("row_count") and max_rows_per_export and context.get("row_count") > max_rows_per_export:
+        return {
+            "allow": False,
+            "reasons": [{
+                "code": "oap.row_limit_exceeded",
+                "message": f"Row count {context.get('row_count')} exceeds maximum allowed {max_rows_per_export}",
+                "severity": "error"
+            }]
+        }
+    # Check data locality (destination jurisdiction)
+    allowed_destination_jurisdictions = passport.get("limits", {}).get("data", {}).get("access", {}).get("allowed_destination_jurisdictions", [])
+    if context.get("destination_jurisdiction") and allowed_destination_jurisdictions and context.get("destination_jurisdiction") not in allowed_destination_jurisdictions:
+        return {
+            "allow": False,
+            "reasons": [{
+                "code": "oap.jurisdiction_blocked",
+                "message": f"Destination jurisdiction {context.get('destination_jurisdiction')} is not allowed",
+                "severity": "error"
+            }]
+        }
+    # Check balance inquiry limit
+    balance_inquiry_cap = passport.get("limits", {}).get("data", {}).get("access", {}).get("balance_inquiry_cap_usd")
+    if context.get("resource_attributes", {}).get("account_balance_usd") and balance_inquiry_cap and context.get("resource_attributes", {}).get("account_balance_usd") >= balance_inquiry_cap:
+        return {
+            "allow": False,
+            "reasons": [{
+                "code": "oap.balance_inquiry_forbidden",
+                "message": f"Account balance {context.get('resource_attributes', {}).get('account_balance_usd')} exceeds inquiry cap {balance_inquiry_cap}",
+                "severity": "error"
+            }]
+        }
+    # Check action type is allowed
+    if context.get("action_type") and permissions.get("allowed_actions") and context.get("action_type") not in permissions["allowed_actions"]:
+        return {
+            "allow": False,
+            "reasons": [{
+                "code": "oap.action_forbidden",
+                "message": f"Action type {context.get('action_type')} is not allowed for {context.get('data_classification')} data",
+                "severity": "error"
+            }]
+        }
+    # If all checks pass, allow the data access
+    return {
+        "allow": True,
+        "reasons": [{
+            "code": "oap.allowed",
+            "message": "Data access within limits and policy requirements",
+            "severity": "info"
+        }]
+    }
+def run_tests():
+    """Run the test suite"""
+    print("🧪 Running governance.data.access.v1 Policy Tests\n")
+    # Load test data
+    test_dir = os.path.dirname(os.path.abspath(__file__))
+    with open(os.path.join(test_dir, "passport.instance.json"), "r") as f:
+        passport = json.load(f)
+    with open(os.path.join(test_dir, "contexts.jsonl"), "r") as f:
+        contexts = [json.loads(line) for line in f.read().strip().split("\n")]
+    with open(os.path.join(test_dir, "expected.jsonl"), "r") as f:
+        expected = [json.loads(line) for line in f.read().strip().split("\n")]
+    passed = 0
+    failed = 0
+    for i, test_case in enumerate(contexts):
+        expected_result = expected[i]
+        try:
+            result = evaluate_governance_data_access_v1(passport, test_case["context"])
+            # Compare results
+            allow_match = result["allow"] == expected_result["expected"]["allow"]
+            reasons_match = json.dumps(result["reasons"]) == json.dumps(expected_result["expected"]["reasons"])
+            if allow_match and reasons_match:
+                print(f"✅ {test_case['name']}: PASS")
+                passed += 1
+            else:
+                print(f"❌ {test_case['name']}: FAIL")
+                print(f"   Expected: {json.dumps(expected_result['expected'])}")
+                print(f"   Got: {json.dumps(result)}")
+                failed += 1
+        except Exception as error:
+            print(f"❌ {test_case['name']}: ERROR - {str(error)}")
+            failed += 1
+    print(f"\n📊 Test Results: {passed} passed, {failed} failed")
+    if failed == 0:
+        print("🎉 All tests passed!")
+        return True
+    else:
+        print("💥 Some tests failed!")
+        return False
+if __name__ == "__main__":
+    success = run_tests()
+    exit(0 if success else 1)