@axiastudio/aioc 0.1.0-alpha.0

package/dist/examples/onboarding-governance-smoke.js

@@ -0,0 +1,477 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const strict_1 = __importDefault(require("node:assert/strict"));
+const zod_1 = require("zod");
+const index_1 = require("../index");
+const POLICY_VERSION = "onboarding-policy.v1";
+// Deterministic provider used to script each turn without relying on an external LLM.
+class SequencedProvider {
+    turns;
+    index = 0;
+    constructor(turns) {
+        this.turns = turns;
+    }
+    async *stream(_request) {
+        void _request;
+        const events = this.turns[this.index] ?? [];
+        this.index += 1;
+        for (const event of events) {
+            yield event;
+        }
+    }
+}
+function asObject(value) {
+    if (typeof value !== "object" || value === null) {
+        return {};
+    }
+    return value;
+}
+function asString(value, fallback = "") {
+    return typeof value === "string" ? value : fallback;
+}
+function asBoolean(value, fallback = false) {
+    return typeof value === "boolean" ? value : fallback;
+}
+function allow(reason, metadata) {
+    return (0, index_1.allow)(reason, {
+        policyVersion: POLICY_VERSION,
+        metadata,
+    });
+}
+function deny(reason, metadata) {
+    return (0, index_1.deny)(reason, {
+        policyVersion: POLICY_VERSION,
+        metadata,
+    });
+}
+function createPolicies() {
+    // Tool policy is the enforcement point: only explicit allow can execute tools.
+    const toolPolicy = ({ toolName, parsedArguments, runContext, }) => {
+        const context = runContext.context;
+        const args = asObject(parsedArguments);
+        const app = asString(args.app);
+        const privileged = asBoolean(args.privileged);
+        if (toolName === "create_corporate_identity") {
+            if (!context.actor.groups.includes("onboarding-admin")) {
+                return deny("deny_missing_onboarding_admin_group");
+            }
+            return allow("allow_onboarding_admin_identity_creation");
+        }
+        if (toolName === "activate_access") {
+            if (!context.compliance.mandatoryTrainingCompleted) {
+                return deny("deny_missing_compliance_training", {
+                    requiredTraining: "SEC-101",
+                });
+            }
+            if (privileged && !context.approvals.securityApproved) {
+                return deny("deny_missing_security_approval");
+            }
+            return allow("allow_access_activation_requirements_met", {
+                app,
+                privileged,
+            });
+        }
+        if (toolName === "request_app_access") {
+            if (app.startsWith("CRM") && !context.actor.groups.includes("sales")) {
+                return deny("deny_actor_group_mismatch", {
+                    requiredGroup: "sales",
+                    app,
+                });
+            }
+            return allow("allow_department_scope_match", {
+                app,
+            });
+        }
+        return deny("deny_tool_not_allowlisted");
+    };
+    // Handoff policy separately controls inter-agent transitions.
+    const handoffPolicy = ({ fromAgentName, toAgentName, handoffPayload, runContext, }) => {
+        const context = runContext.context;
+        const payload = asObject(handoffPayload);
+        const privileged = asBoolean(payload.privileged);
+        if (fromAgentName !== "Onboarding Coordinator" ||
+            toAgentName !== "Security Agent") {
+            return deny("deny_handoff_not_allowlisted");
+        }
+        if (privileged && !context.approvals.managerApproved) {
+            return deny("deny_missing_manager_approval");
+        }
+        if (privileged && !context.approvals.securityApproved) {
+            return deny("deny_missing_security_approval");
+        }
+        return allow("allow_privileged_escalation_path", {
+            privileged,
+        });
+    };
+    return {
+        toolPolicy,
+        handoffPolicy,
+    };
+}
+function maskEmail(email) {
+    const [local, domain] = email.split("@");
+    if (!domain) {
+        return "[REDACTED]";
+    }
+    if (local.length < 2) {
+        return `*@${domain}`;
+    }
+    return `${local[0]}***${local[local.length - 1]}@${domain}`;
+}
+function redactContext(context) {
+    // Persist only sanitized data in RunRecord snapshots.
+    return {
+        contextSnapshot: {
+            ...context,
+            actor: {
+                ...context.actor,
+                email: maskEmail(context.actor.email),
+            },
+            pii: {
+                taxId: "[REDACTED]",
+                personalPhone: "[REDACTED]",
+            },
+        },
+        contextRedacted: true,
+    };
+}
+function createContext(input) {
+    return {
+        tenantId: "corp-acme",
+        employeeId: input.employeeId,
+        requestedRole: input.requestedRole,
+        actor: {
+            userId: "hr-ops-01",
+            department: input.actorDepartment,
+            groups: [...input.actorGroups],
+            email: "hr.ops@corp.example",
+        },
+        compliance: {
+            mandatoryTrainingCompleted: input.mandatoryTrainingCompleted,
+        },
+        approvals: {
+            managerApproved: input.managerApproved,
+            securityApproved: input.securityApproved,
+        },
+        runtimeState: {
+            identityCreated: false,
+            accessActivated: false,
+            accessRequests: [],
+        },
+        pii: {
+            taxId: "AAABBB99C99Z999Z",
+            personalPhone: "+39-555-123-456",
+        },
+    };
+}
+function createAgentGraph() {
+    const createCorporateIdentity = (0, index_1.tool)({
+        name: "create_corporate_identity",
+        description: "Create identity in the enterprise IAM.",
+        parameters: zod_1.z.object({}),
+        execute: (_input, runContext) => {
+            if (runContext) {
+                runContext.context.runtimeState.identityCreated = true;
+            }
+            return {
+                identityCreated: true,
+            };
+        },
+    });
+    const activateAccess = (0, index_1.tool)({
+        name: "activate_access",
+        description: "Activate application access for the employee.",
+        parameters: zod_1.z.object({
+            app: zod_1.z.string(),
+            privileged: zod_1.z.boolean().default(false),
+        }),
+        execute: (input, runContext) => {
+            if (runContext) {
+                runContext.context.runtimeState.accessActivated = true;
+            }
+            return {
+                activated: true,
+                app: input.app,
+                privileged: input.privileged,
+            };
+        },
+    });
+    const requestAppAccess = (0, index_1.tool)({
+        name: "request_app_access",
+        description: "Register a request for app access.",
+        parameters: zod_1.z.object({
+            app: zod_1.z.string(),
+            privileged: zod_1.z.boolean().default(false),
+        }),
+        execute: (input, runContext) => {
+            if (runContext) {
+                runContext.context.runtimeState.accessRequests.push(input.app);
+            }
+            return {
+                requested: true,
+                app: input.app,
+                privileged: input.privileged,
+            };
+        },
+    });
+    const securityAgent = new index_1.Agent({
+        name: "Security Agent",
+        model: "fake-model",
+        tools: [activateAccess],
+    });
+    const coordinatorAgent = new index_1.Agent({
+        name: "Onboarding Coordinator",
+        model: "fake-model",
+        tools: [createCorporateIdentity, activateAccess, requestAppAccess],
+        // Handoffs are exposed as synthetic tools and evaluated by handoffPolicy.
+        handoffs: [securityAgent],
+    });
+    return {
+        coordinatorAgent,
+        securityAgent,
+    };
+}
+function createRunOptions(context, records, scenario) {
+    return {
+        context,
+        policies: createPolicies(),
+        record: {
+            metadata: {
+                scenario,
+            },
+            contextRedactor: redactContext,
+            sink: (record) => {
+                records.push(record);
+            },
+        },
+    };
+}
+async function runHappyPathScenario() {
+    // Happy path: tool allow + handoff allow + privileged activation allow.
+    const records = [];
+    const context = createContext({
+        employeeId: "E-100",
+        requestedRole: "finance_admin",
+        actorDepartment: "HR",
+        actorGroups: ["onboarding-admin"],
+        mandatoryTrainingCompleted: true,
+        managerApproved: true,
+        securityApproved: true,
+    });
+    const { coordinatorAgent } = createAgentGraph();
+    (0, index_1.setDefaultProvider)(new SequencedProvider([
+        [
+            {
+                type: "tool_call",
+                callId: "call-1",
+                name: "create_corporate_identity",
+                arguments: "{}",
+            },
+        ],
+        [
+            {
+                type: "tool_call",
+                callId: "call-2",
+                name: "handoff_to_security_agent",
+                arguments: JSON.stringify({
+                    privileged: true,
+                    app: "ERP_FINANCE",
+                }),
+            },
+        ],
+        [
+            {
+                type: "tool_call",
+                callId: "call-3",
+                name: "activate_access",
+                arguments: JSON.stringify({
+                    privileged: true,
+                    app: "ERP_FINANCE",
+                }),
+            },
+        ],
+        [
+            {
+                type: "completed",
+                message: "Onboarding completed: identity and privileged access are active.",
+            },
+        ],
+    ]));
+    const result = await (0, index_1.run)(coordinatorAgent, "Onboard employee E-100 with privileged ERP access.", createRunOptions(context, records, "happy_path"));
+    strict_1.default.equal(result.finalOutput, "Onboarding completed: identity and privileged access are active.");
+    strict_1.default.equal(result.lastAgent.name, "Security Agent");
+    strict_1.default.equal(context.runtimeState.identityCreated, true);
+    strict_1.default.equal(context.runtimeState.accessActivated, true);
+    strict_1.default.equal(records.length, 1);
+    strict_1.default.equal(records[0]?.status, "completed");
+    strict_1.default.equal(records[0]?.contextRedacted, true);
+    strict_1.default.equal(records[0]?.contextSnapshot.pii.taxId, "[REDACTED]");
+    strict_1.default.deepEqual(records[0]?.policyDecisions.map((decision) => decision.reason), [
+        "allow_onboarding_admin_identity_creation",
+        "allow_privileged_escalation_path",
+        "allow_access_activation_requirements_met",
+    ]);
+}
+async function runComplianceDenyScenario() {
+    // Deny because compliance training is missing before activation.
+    const records = [];
+    const context = createContext({
+        employeeId: "E-101",
+        requestedRole: "standard_employee",
+        actorDepartment: "HR",
+        actorGroups: ["onboarding-admin"],
+        mandatoryTrainingCompleted: false,
+        managerApproved: true,
+        securityApproved: true,
+    });
+    const { coordinatorAgent } = createAgentGraph();
+    (0, index_1.setDefaultProvider)(new SequencedProvider([
+        [
+            {
+                type: "tool_call",
+                callId: "call-1",
+                name: "create_corporate_identity",
+                arguments: "{}",
+            },
+        ],
+        [
+            {
+                type: "tool_call",
+                callId: "call-2",
+                name: "activate_access",
+                arguments: JSON.stringify({
+                    privileged: false,
+                    app: "INTRANET",
+                }),
+            },
+        ],
+    ]));
+    await strict_1.default.rejects(() => (0, index_1.run)(coordinatorAgent, "Onboard employee E-101 and activate intranet access.", createRunOptions(context, records, "deny_missing_training")), (error) => {
+        strict_1.default.ok(error instanceof index_1.ToolCallPolicyDeniedError);
+        strict_1.default.equal(error.result.policyResult.reason, "deny_missing_compliance_training");
+        return true;
+    });
+    strict_1.default.equal(context.runtimeState.identityCreated, true);
+    strict_1.default.equal(context.runtimeState.accessActivated, false);
+    strict_1.default.equal(records.length, 1);
+    strict_1.default.equal(records[0]?.status, "failed");
+    strict_1.default.equal(records[0]?.errorName, "ToolCallPolicyDeniedError");
+    strict_1.default.equal(records[0]?.policyDecisions.at(-1)?.reason, "deny_missing_compliance_training");
+}
+async function runApprovalDenyHandoffScenario() {
+    // Deny because privileged handoff requires manager approval.
+    const records = [];
+    const context = createContext({
+        employeeId: "E-102",
+        requestedRole: "payroll_admin",
+        actorDepartment: "HR",
+        actorGroups: ["onboarding-admin"],
+        mandatoryTrainingCompleted: true,
+        managerApproved: false,
+        securityApproved: true,
+    });
+    const { coordinatorAgent } = createAgentGraph();
+    (0, index_1.setDefaultProvider)(new SequencedProvider([
+        [
+            {
+                type: "tool_call",
+                callId: "call-1",
+                name: "handoff_to_security_agent",
+                arguments: JSON.stringify({
+                    privileged: true,
+                    app: "PAYROLL_ADMIN",
+                }),
+            },
+        ],
+    ]));
+    await strict_1.default.rejects(() => (0, index_1.run)(coordinatorAgent, "Onboard employee E-102 for payroll admin access.", createRunOptions(context, records, "deny_missing_manager_approval")), (error) => {
+        strict_1.default.ok(error instanceof index_1.HandoffPolicyDeniedError);
+        strict_1.default.equal(error.result.policyResult.reason, "deny_missing_manager_approval");
+        return true;
+    });
+    strict_1.default.equal(records.length, 1);
+    strict_1.default.equal(records[0]?.status, "failed");
+    strict_1.default.equal(records[0]?.errorName, "HandoffPolicyDeniedError");
+    strict_1.default.equal(records[0]?.policyDecisions.length, 1);
+    strict_1.default.equal(records[0]?.policyDecisions[0]?.resource.kind, "handoff");
+    strict_1.default.equal(records[0]?.policyDecisions[0]?.reason, "deny_missing_manager_approval");
+}
+async function runAccessDriftScenario() {
+    // Same action across t0/t1: authorization drifts when group membership changes.
+    const allowRecords = [];
+    const denyRecords = [];
+    const { coordinatorAgent } = createAgentGraph();
+    (0, index_1.setDefaultProvider)(new SequencedProvider([
+        [
+            {
+                type: "tool_call",
+                callId: "call-1",
+                name: "request_app_access",
+                arguments: JSON.stringify({
+                    app: "CRM_SALES",
+                    privileged: false,
+                }),
+            },
+        ],
+        [{ type: "completed", message: "Access request registered." }],
+    ]));
+    const contextAtT0 = createContext({
+        employeeId: "E-103",
+        requestedRole: "sales_rep",
+        actorDepartment: "Sales",
+        actorGroups: ["sales"],
+        mandatoryTrainingCompleted: true,
+        managerApproved: true,
+        securityApproved: true,
+    });
+    const resultAtT0 = await (0, index_1.run)(coordinatorAgent, "Request CRM access for employee E-103.", createRunOptions(contextAtT0, allowRecords, "drift_t0_allow"));
+    strict_1.default.equal(resultAtT0.finalOutput, "Access request registered.");
+    strict_1.default.equal(contextAtT0.runtimeState.accessRequests.length, 1);
+    strict_1.default.equal(allowRecords[0]?.policyDecisions[0]?.reason, "allow_department_scope_match");
+    (0, index_1.setDefaultProvider)(new SequencedProvider([
+        [
+            {
+                type: "tool_call",
+                callId: "call-1",
+                name: "request_app_access",
+                arguments: JSON.stringify({
+                    app: "CRM_SALES",
+                    privileged: false,
+                }),
+            },
+        ],
+        [{ type: "completed", message: "Access request registered." }],
+    ]));
+    const contextAtT1 = createContext({
+        employeeId: "E-103",
+        requestedRole: "sales_rep",
+        actorDepartment: "Sales",
+        actorGroups: [],
+        mandatoryTrainingCompleted: true,
+        managerApproved: true,
+        securityApproved: true,
+    });
+    await strict_1.default.rejects(() => (0, index_1.run)(coordinatorAgent, "Request CRM access for employee E-103.", createRunOptions(contextAtT1, denyRecords, "drift_t1_deny")), (error) => {
+        strict_1.default.ok(error instanceof index_1.ToolCallPolicyDeniedError);
+        strict_1.default.equal(error.result.policyResult.reason, "deny_actor_group_mismatch");
+        return true;
+    });
+    strict_1.default.equal(contextAtT1.runtimeState.accessRequests.length, 0);
+    strict_1.default.equal(denyRecords[0]?.policyDecisions[0]?.reason, "deny_actor_group_mismatch");
+    strict_1.default.equal(denyRecords[0]?.status, "failed");
+}
+async function main() {
+    await runHappyPathScenario();
+    await runComplianceDenyScenario();
+    await runApprovalDenyHandoffScenario();
+    await runAccessDriftScenario();
+    process.stdout.write("Onboarding governance smoke passed.\n");
+}
+main().catch((error) => {
+    const message = error instanceof Error ? `${error.name}: ${error.message}` : String(error);
+    process.stderr.write(`${message}\n`);
+    process.exit(1);
+});

package/dist/examples/onboarding-governance-tutorial.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=onboarding-governance-tutorial.d.ts.map

package/dist/examples/onboarding-governance-tutorial.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"onboarding-governance-tutorial.d.ts","sourceRoot":"","sources":["../../src/examples/onboarding-governance-tutorial.ts"],"names":[],"mappings":""}