@blokjs/runner 0.6.20 → 0.7.0

package/dist/security/ABAC.js

@@ -1,380 +0,0 @@
-/**
- * Attribute-Based Access Control (ABAC) for Blok
- *
- * Provides fine-grained, attribute-driven access control that complements RBAC:
- * - Policies evaluate attributes of subject, resource, action, and environment
- * - Supports logical operators (AND, OR, NOT) for complex conditions
- * - Supports comparison operators (equals, not_equals, in, not_in, contains, matches, gt, lt, gte, lte, between)
- * - Supports attribute-to-attribute comparison via `valueRef` (e.g., resource.owner == subject.sub)
- * - Integrates with AuthIdentity claims and RBAC roles
- * - JSON-serializable policies for persistence and external management
- *
- * @example
- * ```typescript
- * const engine = new ABACEngine();
- *
- * engine.addPolicy({
- *   id: "work-hours-only",
- *   description: "Allow workflow execution only during business hours",
- *   effect: "allow",
- *   target: {
- *     resource: "workflow",
- *     actions: ["execute"],
- *   },
- *   conditions: {
- *     all: [
- *       { attribute: "environment.hour", operator: "gte", value: 9 },
- *       { attribute: "environment.hour", operator: "lt", value: 17 },
- *       { attribute: "subject.department", operator: "equals", value: "engineering" },
- *     ],
- *   },
- * });
- *
- * const result = engine.evaluate({
- *   subject: { sub: "user-1", roles: ["developer"], department: "engineering" },
- *   resource: { type: "workflow", id: "/api/users" },
- *   action: "execute",
- *   environment: { hour: 14, ip: "10.0.0.1" },
- * });
- * ```
- */
-// ────────────────────────────── Engine ──────────────────────────────
-export class ABACEngine {
-    policies = new Map();
-    defaultEffect = "deny";
-    constructor(options) {
-        if (options?.defaultEffect) {
-            this.defaultEffect = options.defaultEffect;
-        }
-    }
-    /**
-     * Add or update a policy.
-     */
-    addPolicy(policy) {
-        this.policies.set(policy.id, policy);
-    }
-    /**
-     * Remove a policy by ID.
-     */
-    removePolicy(id) {
-        this.policies.delete(id);
-    }
-    /**
-     * Get a policy by ID.
-     */
-    getPolicy(id) {
-        return this.policies.get(id);
-    }
-    /**
-     * Get all policies, sorted by priority (highest first).
-     */
-    getPolicies() {
-        return Array.from(this.policies.values()).sort((a, b) => (b.priority ?? 0) - (a.priority ?? 0));
-    }
-    /**
-     * Evaluate an access request against all policies.
-     *
-     * Policy evaluation order:
-     * 1. Policies are sorted by priority (highest first)
-     * 2. Only enabled policies are considered
-     * 3. Only policies whose target matches the request are considered
-     * 4. The first matching "deny" policy short-circuits with denial
-     * 5. Otherwise, at least one matching "allow" policy is required
-     * 6. If no policy matches, the default effect applies
-     */
-    evaluate(request) {
-        const sortedPolicies = this.getPolicies();
-        const evaluatedPolicies = [];
-        let hasAllow = false;
-        let allowPolicy;
-        for (const policy of sortedPolicies) {
-            // Skip disabled policies
-            if (policy.enabled === false)
-                continue;
-            // Check if policy target matches the request
-            if (!this.matchesTarget(policy.target, request)) {
-                evaluatedPolicies.push({ policyId: policy.id, effect: policy.effect, matched: false });
-                continue;
-            }
-            // Evaluate conditions
-            const conditionsMet = this.evaluateConditionGroup(policy.conditions, request);
-            evaluatedPolicies.push({ policyId: policy.id, effect: policy.effect, matched: conditionsMet });
-            if (conditionsMet) {
-                // Deny takes precedence — short-circuit
-                if (policy.effect === "deny") {
-                    return {
-                        allowed: false,
-                        matchedPolicy: policy,
-                        evaluatedPolicies,
-                        reason: `Denied by policy '${policy.id}'${policy.description ? `: ${policy.description}` : ""}`,
-                    };
-                }
-                // Track the first matching allow
-                if (!hasAllow) {
-                    hasAllow = true;
-                    allowPolicy = policy;
-                }
-            }
-        }
-        if (hasAllow && allowPolicy) {
-            return {
-                allowed: true,
-                matchedPolicy: allowPolicy,
-                evaluatedPolicies,
-                reason: `Allowed by policy '${allowPolicy.id}'${allowPolicy.description ? `: ${allowPolicy.description}` : ""}`,
-            };
-        }
-        // No matching policy — use default
-        const allowed = this.defaultEffect === "allow";
-        return {
-            allowed,
-            evaluatedPolicies,
-            reason: allowed ? "No matching policy; default effect is allow" : "No matching policy; default effect is deny",
-        };
-    }
-    /**
-     * Export all policies as JSON.
-     */
-    toJSON() {
-        return {
-            policies: Array.from(this.policies.values()),
-            defaultEffect: this.defaultEffect,
-        };
-    }
-    /**
-     * Load policies from JSON (replaces all existing policies).
-     */
-    fromJSON(config) {
-        this.policies.clear();
-        for (const policy of config.policies) {
-            this.policies.set(policy.id, policy);
-        }
-        if (config.defaultEffect) {
-            this.defaultEffect = config.defaultEffect;
-        }
-    }
-    // ──────────────────── Target Matching ────────────────────
-    matchesTarget(target, request) {
-        if (!target)
-            return true;
-        // Check resource type
-        if (target.resource && target.resource !== "*") {
-            if (target.resource !== request.resource.type)
-                return false;
-        }
-        // Check resource pattern
-        if (target.resourcePattern) {
-            if (!this.matchesPattern(request.resource.id, target.resourcePattern))
-                return false;
-        }
-        // Check action
-        if (target.actions && target.actions.length > 0) {
-            if (!target.actions.includes(request.action) && !target.actions.includes("*"))
-                return false;
-        }
-        return true;
-    }
-    // ──────────────────── Condition Evaluation ────────────────────
-    evaluateConditionGroup(group, request) {
-        // A group with no clauses is treated as "always true"
-        const hasAny = group.all || group.any || group.none;
-        if (!hasAny)
-            return true;
-        // ALL: every item must be true
-        if (group.all) {
-            for (const item of group.all) {
-                if (!this.evaluateItem(item, request))
-                    return false;
-            }
-        }
-        // ANY: at least one must be true
-        if (group.any) {
-            let anyTrue = false;
-            for (const item of group.any) {
-                if (this.evaluateItem(item, request)) {
-                    anyTrue = true;
-                    break;
-                }
-            }
-            if (!anyTrue)
-                return false;
-        }
-        // NONE: no item may be true
-        if (group.none) {
-            for (const item of group.none) {
-                if (this.evaluateItem(item, request))
-                    return false;
-            }
-        }
-        return true;
-    }
-    evaluateItem(item, request) {
-        // Distinguish condition from group: conditions have "attribute"
-        if ("attribute" in item) {
-            return this.evaluateCondition(item, request);
-        }
-        return this.evaluateConditionGroup(item, request);
-    }
-    evaluateCondition(condition, request) {
-        const attributeValue = this.resolveAttribute(condition.attribute, request);
-        // If valueRef is set, resolve the comparison value from another attribute
-        const comparisonValue = condition.valueRef ? this.resolveAttribute(condition.valueRef, request) : condition.value;
-        return this.compare(attributeValue, condition.operator, comparisonValue);
-    }
-    // ──────────────────── Attribute Resolution ────────────────────
-    resolveAttribute(path, request) {
-        const segments = path.split(".");
-        if (segments.length === 0)
-            return undefined;
-        const root = segments[0];
-        const rest = segments.slice(1);
-        let obj;
-        switch (root) {
-            case "subject":
-                obj = request.subject;
-                break;
-            case "resource":
-                obj = request.resource;
-                break;
-            case "action":
-                // "action" with no sub-path resolves to the action string itself
-                return rest.length === 0 ? request.action : undefined;
-            case "environment":
-                obj = request.environment;
-                break;
-            default:
-                return undefined;
-        }
-        // Traverse the rest of the path
-        for (const segment of rest) {
-            if (obj === null || obj === undefined)
-                return undefined;
-            if (typeof obj === "object") {
-                obj = obj[segment];
-            }
-            else {
-                return undefined;
-            }
-        }
-        return obj;
-    }
-    // ──────────────────── Comparison Operators ────────────────────
-    compare(actual, operator, expected) {
-        switch (operator) {
-            case "equals":
-                return actual === expected;
-            case "not_equals":
-                return actual !== expected;
-            case "in":
-                return Array.isArray(expected) && expected.includes(actual);
-            case "not_in":
-                return Array.isArray(expected) && !expected.includes(actual);
-            case "contains":
-                if (Array.isArray(actual))
-                    return actual.includes(expected);
-                if (typeof actual === "string" && typeof expected === "string")
-                    return actual.includes(expected);
-                return false;
-            case "not_contains":
-                if (Array.isArray(actual))
-                    return !actual.includes(expected);
-                if (typeof actual === "string" && typeof expected === "string")
-                    return !actual.includes(expected);
-                return true;
-            case "matches":
-                if (typeof actual !== "string" || typeof expected !== "string")
-                    return false;
-                try {
-                    return new RegExp(expected).test(actual);
-                }
-                catch {
-                    return false;
-                }
-            case "gt":
-                return typeof actual === "number" && typeof expected === "number" && actual > expected;
-            case "lt":
-                return typeof actual === "number" && typeof expected === "number" && actual < expected;
-            case "gte":
-                return typeof actual === "number" && typeof expected === "number" && actual >= expected;
-            case "lte":
-                return typeof actual === "number" && typeof expected === "number" && actual <= expected;
-            case "between": {
-                if (typeof actual !== "number")
-                    return false;
-                if (!Array.isArray(expected) || expected.length !== 2)
-                    return false;
-                const [low, high] = expected;
-                return typeof low === "number" && typeof high === "number" && actual >= low && actual <= high;
-            }
-            case "exists":
-                return actual !== undefined && actual !== null;
-            case "not_exists":
-                return actual === undefined || actual === null;
-            default:
-                return false;
-        }
-    }
-    // ──────────────────── Utility ────────────────────
-    matchesPattern(value, pattern) {
-        if (pattern === "*")
-            return true;
-        const regexStr = pattern.replace(/\*/g, ".*").replace(/\?/g, ".");
-        const regex = new RegExp(`^${regexStr}$`);
-        return regex.test(value);
-    }
-}
-/**
- * Create a preconfigured ABAC engine with common policies.
- */
-export function createDefaultABAC() {
-    const engine = new ABACEngine();
-    // Policy: Admin override — admins always get access
-    engine.addPolicy({
-        id: "admin-override",
-        description: "Admin role bypasses all attribute checks",
-        effect: "allow",
-        priority: 1000,
-        conditions: {
-            any: [{ attribute: "subject.roles", operator: "contains", value: "admin" }],
-        },
-    });
-    // Policy: Deny access from blocked IPs
-    engine.addPolicy({
-        id: "block-denied-ips",
-        description: "Deny access from blocked IP ranges",
-        effect: "deny",
-        priority: 900,
-        conditions: {
-            any: [{ attribute: "environment.blocked", operator: "equals", value: true }],
-        },
-    });
-    // Policy: Allow service accounts to execute workflows
-    engine.addPolicy({
-        id: "service-execute",
-        description: "Service accounts can execute workflows",
-        effect: "allow",
-        priority: 100,
-        target: {
-            resource: "workflow",
-            actions: ["execute"],
-        },
-        conditions: {
-            all: [{ attribute: "subject.roles", operator: "contains", value: "service" }],
-        },
-    });
-    // Policy: Resource owner full access (attribute-to-attribute comparison)
-    engine.addPolicy({
-        id: "resource-owner-access",
-        description: "Resource owners have full access to their resources",
-        effect: "allow",
-        priority: 500,
-        conditions: {
-            all: [
-                { attribute: "resource.owner", operator: "exists" },
-                { attribute: "resource.owner", operator: "equals", valueRef: "subject.sub" },
-            ],
-        },
-    });
-    return engine;
-}
-//# sourceMappingURL=ABAC.js.map

package/dist/security/ABAC.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"ABAC.js","sourceRoot":"","sources":["../../src/security/ABAC.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAuCG;AAqJH,uEAAuE;AAEvE,MAAM,OAAO,UAAU;IACd,QAAQ,GAA4B,IAAI,GAAG,EAAE,CAAC;IAC9C,aAAa,GAAe,MAAM,CAAC;IAE3C,YAAY,OAAwC;QACnD,IAAI,OAAO,EAAE,aAAa,EAAE,CAAC;YAC5B,IAAI,CAAC,aAAa,GAAG,OAAO,CAAC,aAAa,CAAC;QAC5C,CAAC;IACF,CAAC;IAED;;OAEG;IACH,SAAS,CAAC,MAAkB;QAC3B,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC;IACtC,CAAC;IAED;;OAEG;IACH,YAAY,CAAC,EAAU;QACtB,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;IAC1B,CAAC;IAED;;OAEG;IACH,SAAS,CAAC,EAAU;QACnB,OAAO,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAC9B,CAAC;IAED;;OAEG;IACH,WAAW;QACV,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,CAAC,CAAC;IACjG,CAAC;IAED;;;;;;;;;;OAUG;IACH,QAAQ,CAAC,OAAoB;QAC5B,MAAM,cAAc,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;QAC1C,MAAM,iBAAiB,GAAoC,EAAE,CAAC;QAE9D,IAAI,QAAQ,GAAG,KAAK,CAAC;QACrB,IAAI,WAAmC,CAAC;QAExC,KAAK,MAAM,MAAM,IAAI,cAAc,EAAE,CAAC;YACrC,yBAAyB;YACzB,IAAI,MAAM,CAAC,OAAO,KAAK,KAAK;gBAAE,SAAS;YAEvC,6CAA6C;YAC7C,IAAI,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,CAAC;gBACjD,iBAAiB,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,MAAM,CAAC,EAAE,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC;gBACvF,SAAS;YACV,CAAC;YAED,sBAAsB;YACtB,MAAM,aAAa,GAAG,IAAI,CAAC,sBAAsB,CAAC,MAAM,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;YAC9E,iBAAiB,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,MAAM,CAAC,EAAE,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,EAAE,aAAa,EAAE,CAAC,CAAC;YAE/F,IAAI,aAAa,EAAE,CAAC;gBACnB,wCAAwC;gBACxC,IAAI,MAAM,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;oBAC9B,OAAO;wBACN,OAAO,EAAE,KAAK;wBACd,aAAa,EAAE,MAAM;wBACrB,iBAAiB;wBACjB,MAAM,EAAE,qBAAqB,MAAM,CAAC,EAAE,IAAI,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,KAAK,MAAM,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE;qBAC/F,CAAC;gBACH,CAAC;gBAED,iCAAiC;gBACjC,IAAI,CAAC,QAAQ,EAAE,CAAC;oBACf,QAAQ,GAAG,IAAI,CAAC;oBAChB,WAAW,GAAG,MAAM,CAAC;gBACtB,CAAC;YACF,CAAC;QACF,CAAC;QAED,IAAI,QAAQ,IAAI,WAAW,EAAE,CAAC;YAC7B,OAAO;gBACN,OAAO,EAAE,IAAI;gBACb,aAAa,EAAE,WAAW;gBAC1B,iBAAiB;gBACjB,MAAM,EAAE,sBAAsB,WAAW,CAAC,EAAE,IAAI,WAAW,CAAC,WAAW,CAAC,CAAC,CAAC,KAAK,WAAW,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE;aAC/G,CAAC;QACH,CAAC;QAED,mCAAmC;QACnC,MAAM,OAAO,GAAG,IAAI,CAAC,aAAa,KAAK,OAAO,CAAC;QAC/C,OAAO;YACN,OAAO;YACP,iBAAiB;YACjB,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC,6CAA6C,CAAC,CAAC,CAAC,4CAA4C;SAC9G,CAAC;IACH,CAAC;IAED;;OAEG;IACH,MAAM;QACL,OAAO;YACN,QAAQ,EAAE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC;YAC5C,aAAa,EAAE,IAAI,CAAC,aAAa;SACjC,CAAC;IACH,CAAC;IAED;;OAEG;IACH,QAAQ,CAAC,MAA8D;QACtE,IAAI,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAC;QACtB,KAAK,MAAM,MAAM,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;YACtC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC;QACtC,CAAC;QACD,IAAI,MAAM,CAAC,aAAa,EAAE,CAAC;YAC1B,IAAI,CAAC,aAAa,GAAG,MAAM,CAAC,aAAa,CAAC;QAC3C,CAAC;IACF,CAAC;IAED,4DAA4D;IAEpD,aAAa,CAAC,MAAoC,EAAE,OAAoB;QAC/E,IAAI,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC;QAEzB,sBAAsB;QACtB,IAAI,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,QAAQ,KAAK,GAAG,EAAE,CAAC;YAChD,IAAI,MAAM,CAAC,QAAQ,KAAK,OAAO,CAAC,QAAQ,CAAC,IAAI;gBAAE,OAAO,KAAK,CAAC;QAC7D,CAAC;QAED,yBAAyB;QACzB,IAAI,MAAM,CAAC,eAAe,EAAE,CAAC;YAC5B,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC,eAAe,CAAC;gBAAE,OAAO,KAAK,CAAC;QACrF,CAAC;QAED,eAAe;QACf,IAAI,MAAM,CAAC,OAAO,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACjD,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC;gBAAE,OAAO,KAAK,CAAC;QAC7F,CAAC;QAED,OAAO,IAAI,CAAC;IACb,CAAC;IAED,iEAAiE;IAEzD,sBAAsB,CAAC,KAAyB,EAAE,OAAoB;QAC7E,sDAAsD;QACtD,MAAM,MAAM,GAAG,KAAK,CAAC,GAAG,IAAI,KAAK,CAAC,GAAG,IAAI,KAAK,CAAC,IAAI,CAAC;QACpD,IAAI,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC;QAEzB,+BAA+B;QAC/B,IAAI,KAAK,CAAC,GAAG,EAAE,CAAC;YACf,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,GAAG,EAAE,CAAC;gBAC9B,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC;oBAAE,OAAO,KAAK,CAAC;YACrD,CAAC;QACF,CAAC;QAED,iCAAiC;QACjC,IAAI,KAAK,CAAC,GAAG,EAAE,CAAC;YACf,IAAI,OAAO,GAAG,KAAK,CAAC;YACpB,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,GAAG,EAAE,CAAC;gBAC9B,IAAI,IAAI,CAAC,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,EAAE,CAAC;oBACtC,OAAO,GAAG,IAAI,CAAC;oBACf,MAAM;gBACP,CAAC;YACF,CAAC;YACD,IAAI,CAAC,OAAO;gBAAE,OAAO,KAAK,CAAC;QAC5B,CAAC;QAED,4BAA4B;QAC5B,IAAI,KAAK,CAAC,IAAI,EAAE,CAAC;YAChB,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,IAAI,EAAE,CAAC;gBAC/B,IAAI,IAAI,CAAC,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC;oBAAE,OAAO,KAAK,CAAC;YACpD,CAAC;QACF,CAAC;QAED,OAAO,IAAI,CAAC;IACb,CAAC;IAEO,YAAY,CAAC,IAAwC,EAAE,OAAoB;QAClF,gEAAgE;QAChE,IAAI,WAAW,IAAI,IAAI,EAAE,CAAC;YACzB,OAAO,IAAI,CAAC,iBAAiB,CAAC,IAAqB,EAAE,OAAO,CAAC,CAAC;QAC/D,CAAC;QACD,OAAO,IAAI,CAAC,sBAAsB,CAAC,IAA0B,EAAE,OAAO,CAAC,CAAC;IACzE,CAAC;IAEO,iBAAiB,CAAC,SAAwB,EAAE,OAAoB;QACvE,MAAM,cAAc,GAAG,IAAI,CAAC,gBAAgB,CAAC,SAAS,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;QAC3E,0EAA0E;QAC1E,MAAM,eAAe,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,SAAS,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,KAAK,CAAC;QAClH,OAAO,IAAI,CAAC,OAAO,CAAC,cAAc,EAAE,SAAS,CAAC,QAAQ,EAAE,eAAe,CAAC,CAAC;IAC1E,CAAC;IAED,iEAAiE;IAEzD,gBAAgB,CAAC,IAAY,EAAE,OAAoB;QAC1D,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACjC,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,SAAS,CAAC;QAE5C,MAAM,IAAI,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC;QACzB,MAAM,IAAI,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QAE/B,IAAI,GAAY,CAAC;QACjB,QAAQ,IAAI,EAAE,CAAC;YACd,KAAK,SAAS;gBACb,GAAG,GAAG,OAAO,CAAC,OAAO,CAAC;gBACtB,MAAM;YACP,KAAK,UAAU;gBACd,GAAG,GAAG,OAAO,CAAC,QAAQ,CAAC;gBACvB,MAAM;YACP,KAAK,QAAQ;gBACZ,iEAAiE;gBACjE,OAAO,IAAI,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC;YACvD,KAAK,aAAa;gBACjB,GAAG,GAAG,OAAO,CAAC,WAAW,CAAC;gBAC1B,MAAM;YACP;gBACC,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,gCAAgC;QAChC,KAAK,MAAM,OAAO,IAAI,IAAI,EAAE,CAAC;YAC5B,IAAI,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,SAAS;gBAAE,OAAO,SAAS,CAAC;YACxD,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;gBAC7B,GAAG,GAAI,GAA+B,CAAC,OAAO,CAAC,CAAC;YACjD,CAAC;iBAAM,CAAC;gBACP,OAAO,SAAS,CAAC;YAClB,CAAC;QACF,CAAC;QAED,OAAO,GAAG,CAAC;IACZ,CAAC;IAED,iEAAiE;IAEzD,OAAO,CAAC,MAAe,EAAE,QAAsB,EAAE,QAAiB;QACzE,QAAQ,QAAQ,EAAE,CAAC;YAClB,KAAK,QAAQ;gBACZ,OAAO,MAAM,KAAK,QAAQ,CAAC;YAE5B,KAAK,YAAY;gBAChB,OAAO,MAAM,KAAK,QAAQ,CAAC;YAE5B,KAAK,IAAI;gBACR,OAAO,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;YAE7D,KAAK,QAAQ;gBACZ,OAAO,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;YAE9D,KAAK,UAAU;gBACd,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC;oBAAE,OAAO,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;gBAC5D,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,OAAO,QAAQ,KAAK,QAAQ;oBAAE,OAAO,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;gBACjG,OAAO,KAAK,CAAC;YAEd,KAAK,cAAc;gBAClB,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC;oBAAE,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;gBAC7D,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,OAAO,QAAQ,KAAK,QAAQ;oBAAE,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;gBAClG,OAAO,IAAI,CAAC;YAEb,KAAK,SAAS;gBACb,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,OAAO,QAAQ,KAAK,QAAQ;oBAAE,OAAO,KAAK,CAAC;gBAC7E,IAAI,CAAC;oBACJ,OAAO,IAAI,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;gBAC1C,CAAC;gBAAC,MAAM,CAAC;oBACR,OAAO,KAAK,CAAC;gBACd,CAAC;YAEF,KAAK,IAAI;gBACR,OAAO,OAAO,MAAM,KAAK,QAAQ,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,MAAM,GAAG,QAAQ,CAAC;YAExF,KAAK,IAAI;gBACR,OAAO,OAAO,MAAM,KAAK,QAAQ,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,MAAM,GAAG,QAAQ,CAAC;YAExF,KAAK,KAAK;gBACT,OAAO,OAAO,MAAM,KAAK,QAAQ,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,MAAM,IAAI,QAAQ,CAAC;YAEzF,KAAK,KAAK;gBACT,OAAO,OAAO,MAAM,KAAK,QAAQ,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,MAAM,IAAI,QAAQ,CAAC;YAEzF,KAAK,SAAS,CAAC,CAAC,CAAC;gBAChB,IAAI,OAAO,MAAM,KAAK,QAAQ;oBAAE,OAAO,KAAK,CAAC;gBAC7C,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;oBAAE,OAAO,KAAK,CAAC;gBACpE,MAAM,CAAC,GAAG,EAAE,IAAI,CAAC,GAAG,QAA4B,CAAC;gBACjD,OAAO,OAAO,GAAG,KAAK,QAAQ,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,MAAM,IAAI,GAAG,IAAI,MAAM,IAAI,IAAI,CAAC;YAC/F,CAAC;YAED,KAAK,QAAQ;gBACZ,OAAO,MAAM,KAAK,SAAS,IAAI,MAAM,KAAK,IAAI,CAAC;YAEhD,KAAK,YAAY;gBAChB,OAAO,MAAM,KAAK,SAAS,IAAI,MAAM,KAAK,IAAI,CAAC;YAEhD;gBACC,OAAO,KAAK,CAAC;QACf,CAAC;IACF,CAAC;IAED,oDAAoD;IAE5C,cAAc,CAAC,KAAa,EAAE,OAAe;QACpD,IAAI,OAAO,KAAK,GAAG;YAAE,OAAO,IAAI,CAAC;QACjC,MAAM,QAAQ,GAAG,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAClE,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,IAAI,QAAQ,GAAG,CAAC,CAAC;QAC1C,OAAO,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC1B,CAAC;CACD;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB;IAChC,MAAM,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;IAEhC,oDAAoD;IACpD,MAAM,CAAC,SAAS,CAAC;QAChB,EAAE,EAAE,gBAAgB;QACpB,WAAW,EAAE,0CAA0C;QACvD,MAAM,EAAE,OAAO;QACf,QAAQ,EAAE,IAAI;QACd,UAAU,EAAE;YACX,GAAG,EAAE,CAAC,EAAE,SAAS,EAAE,eAAe,EAAE,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;SAC3E;KACD,CAAC,CAAC;IAEH,uCAAuC;IACvC,MAAM,CAAC,SAAS,CAAC;QAChB,EAAE,EAAE,kBAAkB;QACtB,WAAW,EAAE,oCAAoC;QACjD,MAAM,EAAE,MAAM;QACd,QAAQ,EAAE,GAAG;QACb,UAAU,EAAE;YACX,GAAG,EAAE,CAAC,EAAE,SAAS,EAAE,qBAAqB,EAAE,QAAQ,EAAE,QAAQ,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;SAC5E;KACD,CAAC,CAAC;IAEH,sDAAsD;IACtD,MAAM,CAAC,SAAS,CAAC;QAChB,EAAE,EAAE,iBAAiB;QACrB,WAAW,EAAE,wCAAwC;QACrD,MAAM,EAAE,OAAO;QACf,QAAQ,EAAE,GAAG;QACb,MAAM,EAAE;YACP,QAAQ,EAAE,UAAU;YACpB,OAAO,EAAE,CAAC,SAAS,CAAC;SACpB;QACD,UAAU,EAAE;YACX,GAAG,EAAE,CAAC,EAAE,SAAS,EAAE,eAAe,EAAE,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC;SAC7E;KACD,CAAC,CAAC;IAEH,yEAAyE;IACzE,MAAM,CAAC,SAAS,CAAC;QAChB,EAAE,EAAE,uBAAuB;QAC3B,WAAW,EAAE,qDAAqD;QAClE,MAAM,EAAE,OAAO;QACf,QAAQ,EAAE,GAAG;QACb,UAAU,EAAE;YACX,GAAG,EAAE;gBACJ,EAAE,SAAS,EAAE,gBAAgB,EAAE,QAAQ,EAAE,QAAQ,EAAE;gBACnD,EAAE,SAAS,EAAE,gBAAgB,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,aAAa,EAAE;aAC5E;SACD;KACD,CAAC,CAAC;IAEH,OAAO,MAAM,CAAC;AACf,CAAC"}

package/dist/security/AuditLogger.d.ts

@@ -1,242 +0,0 @@
-/**
- * Audit Logger for Blok Framework
- *
- * Provides comprehensive audit logging for security and compliance:
- * - All authentication attempts (success and failure)
- * - Authorization decisions
- * - Workflow executions
- * - Node executions
- * - Configuration changes
- * - System events
- *
- * Supports multiple output destinations via AuditSink interface.
- *
- * @example
- * ```typescript
- * const audit = new AuditLogger({
- *   sinks: [
- *     new ConsoleAuditSink(),
- *     new FileAuditSink({ path: "./audit.log" }),
- *   ],
- *   includeTimestamp: true,
- *   includeRequestId: true,
- * });
- *
- * audit.logAuth({
- *   action: "login",
- *   success: true,
- *   identity: { sub: "user-123", provider: "jwt" },
- *   ip: "192.168.1.1",
- * });
- * ```
- */
-export type AuditCategory = "auth" | "authz" | "workflow" | "node" | "trigger" | "config" | "system" | "security";
-export type AuditSeverity = "info" | "warn" | "error" | "critical";
-export interface AuditEntry {
-    /** Unique entry ID */
-    id: string;
-    /** ISO 8601 timestamp */
-    timestamp: string;
-    /** Audit category */
-    category: AuditCategory;
-    /** Severity level */
-    severity: AuditSeverity;
-    /** Action performed */
-    action: string;
-    /** Whether the action succeeded */
-    success: boolean;
-    /** Actor who performed the action */
-    actor?: {
-        sub: string;
-        name?: string;
-        ip?: string;
-        userAgent?: string;
-        provider?: string;
-    };
-    /** Target resource */
-    resource?: {
-        type: string;
-        id: string;
-        name?: string;
-    };
-    /** Additional details */
-    details?: Record<string, unknown>;
-    /** Request ID for correlation */
-    requestId?: string;
-    /** Duration in ms (for execution events) */
-    durationMs?: number;
-    /** Error information if action failed */
-    error?: {
-        message: string;
-        code?: string | number;
-    };
-}
-/**
- * Interface for audit log output destinations
- */
-export interface AuditSink {
-    /** Unique name for this sink */
-    readonly name: string;
-    /** Write an audit entry */
-    write(entry: AuditEntry): Promise<void> | void;
-    /** Flush any buffered entries */
-    flush?(): Promise<void>;
-    /** Close the sink */
-    close?(): Promise<void>;
-}
-export interface AuditLoggerConfig {
-    /** Output sinks for audit entries */
-    sinks: AuditSink[];
-    /** Include request ID in entries (default: true) */
-    includeRequestId?: boolean;
-    /** Minimum severity to log (default: "info") */
-    minSeverity?: AuditSeverity;
-    /** Buffer size before flushing (default: 100) */
-    bufferSize?: number;
-    /** Auto-flush interval in ms (default: 5000) */
-    flushIntervalMs?: number;
-    /** Service name for identification */
-    serviceName?: string;
-}
-export declare class AuditLogger {
-    private config;
-    private buffer;
-    private flushTimer;
-    private entryCounter;
-    private pendingFlush;
-    constructor(config: AuditLoggerConfig);
-    /**
-     * Log an authentication event
-     */
-    logAuth(params: {
-        action: "login" | "logout" | "token_refresh" | "api_key_verify";
-        success: boolean;
-        identity?: {
-            sub: string;
-            provider?: string;
-            name?: string;
-        };
-        ip?: string;
-        userAgent?: string;
-        error?: string;
-        requestId?: string;
-    }): void;
-    /**
-     * Log an authorization event
-     */
-    logAuthz(params: {
-        action: string;
-        resource: {
-            type: string;
-            id: string;
-            name?: string;
-        };
-        roles: string[];
-        allowed: boolean;
-        actor: {
-            sub: string;
-            name?: string;
-            ip?: string;
-        };
-        requestId?: string;
-    }): void;
-    /**
-     * Log a workflow execution event
-     */
-    logWorkflowExecution(params: {
-        workflowName: string;
-        workflowPath: string;
-        success: boolean;
-        durationMs: number;
-        actor?: {
-            sub: string;
-            ip?: string;
-        };
-        error?: string;
-        requestId?: string;
-    }): void;
-    /**
-     * Log a configuration change event
-     */
-    logConfigChange(params: {
-        action: "create" | "update" | "delete";
-        resourceType: string;
-        resourceId: string;
-        actor: {
-            sub: string;
-            name?: string;
-        };
-        details?: Record<string, unknown>;
-    }): void;
-    /**
-     * Log a security event
-     */
-    logSecurityEvent(params: {
-        action: string;
-        severity: AuditSeverity;
-        details: Record<string, unknown>;
-        actor?: {
-            sub: string;
-            ip?: string;
-        };
-        requestId?: string;
-    }): void;
-    /**
-     * Core logging method
-     */
-    log(params: Omit<AuditEntry, "id" | "timestamp">): void;
-    /**
-     * Flush buffered entries to all sinks
-     */
-    flush(): Promise<void>;
-    /**
-     * Close the audit logger and flush remaining entries
-     */
-    close(): Promise<void>;
-    /**
-     * Get entry count since creation
-     */
-    getEntryCount(): number;
-}
-/**
- * Console audit sink - outputs audit entries to stdout as JSON
- */
-export declare class ConsoleAuditSink implements AuditSink {
-    readonly name = "console";
-    write(entry: AuditEntry): void;
-}
-/**
- * File audit sink - appends audit entries as JSONL to a file
- */
-export declare class FileAuditSink implements AuditSink {
-    readonly name = "file";
-    private filePath;
-    private buffer;
-    private initialized;
-    constructor(config: {
-        path: string;
-    });
-    write(entry: AuditEntry): Promise<void>;
-    flush(): Promise<void>;
-    close(): Promise<void>;
-}
-/**
- * In-memory audit sink - stores entries in memory (useful for testing)
- */
-export declare class InMemoryAuditSink implements AuditSink {
-    readonly name = "memory";
-    private entries;
-    private maxEntries;
-    constructor(maxEntries?: number);
-    write(entry: AuditEntry): void;
-    getEntries(): AuditEntry[];
-    query(filter: {
-        category?: AuditCategory;
-        severity?: AuditSeverity;
-        actorSub?: string;
-        action?: string;
-        since?: string;
-        limit?: number;
-    }): AuditEntry[];
-    clear(): void;
-}