@cloud-copilot/iam-simulate 0.1.106 → 0.1.108

package/dist/cjs/StatementAnalysis.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"StatementAnalysis.d.ts","sourceRoot":"","sources":["../../src/StatementAnalysis.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,SAAS,EAAE,KAAK,SAAS,EAAE,MAAM,2BAA2B,CAAA;AAC1E,OAAO,EAAE,KAAK,oBAAoB,EAAE,MAAM,0BAA0B,CAAA;AACpE,OAAO,EAAE,KAAK,gBAAgB,EAAE,MAAM,+BAA+B,CAAA;AACrE,OAAO,EAAE,KAAK,oBAAoB,EAAE,MAAM,0BAA0B,CAAA;AAEpE;;;GAGG;AACH,MAAM,WAAW,iBAAiB;IAChC;;OAEG;IACH,QAAQ,EAAE,MAAM,CAAA;IAEhB;;OAEG;IACH,SAAS,EAAE,SAAS,CAAA;IAEpB;;OAEG;IACH,aAAa,EAAE,OAAO,CAAA;IAEtB;;OAEG;IACH,WAAW,EAAE,OAAO,CAAA;IAEpB;;OAEG;IACH,cAAc,EAAE,oBAAoB,CAAA;IAEpC;;OAEG;IACH,cAAc,EAAE,oBAAoB,CAAA;IAEpC;;OAEG;IACH,OAAO,EAAE,gBAAgB,CAAA;IAEzB;;OAEG;IACH,iBAAiB,CAAC,EAAE,SAAS,EAAE,CAAA;IAE/B;;OAEG;IACH,sBAAsB,CAAC,EAAE,OAAO,CAAA;CACjC;AAED;;;;;GAKG;AACH,wBAAgB,uBAAuB,CAAC,SAAS,EAAE,iBAAiB,GAAG,OAAO,CAU7E;AAsBD,wBAAgB,6BAA6B,CAAC,SAAS,EAAE,iBAAiB,GAAG,OAAO,CAUnF;AAED,wBAAgB,gBAAgB,CAC9B,QAAQ,EAAE,IAAI,CACZ,iBAAiB,EACjB,aAAa,GAAG,gBAAgB,GAAG,gBAAgB,GAAG,eAAe,CACtE,GACA,OAAO,CAST;AAED;;;;;GAKG;AACH,wBAAgB,uBAAuB,CACrC,QAAQ,EAAE,IAAI,CAAC,iBAAiB,EAAE,aAAa,GAAG,gBAAgB,GAAG,eAAe,CAAC,GACpF,OAAO,CAQT"}
+{"version":3,"file":"StatementAnalysis.d.ts","sourceRoot":"","sources":["../../src/StatementAnalysis.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,SAAS,EAAE,KAAK,SAAS,EAAE,MAAM,2BAA2B,CAAA;AAC1E,OAAO,EAAE,KAAK,oBAAoB,EAAE,MAAM,0BAA0B,CAAA;AACpE,OAAO,EAAE,KAAK,gBAAgB,EAAE,MAAM,+BAA+B,CAAA;AACrE,OAAO,EAAE,KAAK,oBAAoB,EAAE,MAAM,0BAA0B,CAAA;AAEpE;;;GAGG;AACH,MAAM,WAAW,iBAAiB;IAChC;;OAEG;IACH,QAAQ,EAAE,MAAM,CAAA;IAEhB;;OAEG;IACH,SAAS,EAAE,SAAS,CAAA;IAEpB;;OAEG;IACH,aAAa,EAAE,OAAO,CAAA;IAEtB;;OAEG;IACH,WAAW,EAAE,OAAO,CAAA;IAEpB;;OAEG;IACH,cAAc,EAAE,oBAAoB,CAAA;IAEpC;;OAEG;IACH,cAAc,EAAE,oBAAoB,CAAA;IAEpC;;OAEG;IACH,OAAO,EAAE,gBAAgB,CAAA;IAEzB;;OAEG;IACH,iBAAiB,CAAC,EAAE,SAAS,EAAE,CAAA;IAE/B;;OAEG;IACH,sBAAsB,CAAC,EAAE,OAAO,CAAA;CACjC;AAED;;;;;GAKG;AACH,wBAAgB,uBAAuB,CAAC,SAAS,EAAE,iBAAiB,GAAG,OAAO,CAU7E;AAED,wBAAgB,6BAA6B,CAAC,SAAS,EAAE,iBAAiB,GAAG,OAAO,CAUnF;AAED,wBAAgB,gBAAgB,CAC9B,QAAQ,EAAE,IAAI,CACZ,iBAAiB,EACjB,aAAa,GAAG,gBAAgB,GAAG,gBAAgB,GAAG,eAAe,CACtE,GACA,OAAO,CAST;AAED;;;;;GAKG;AACH,wBAAgB,uBAAuB,CACrC,QAAQ,EAAE,IAAI,CAAC,iBAAiB,EAAE,aAAa,GAAG,gBAAgB,GAAG,eAAe,CAAC,GACpF,OAAO,CAQT"}

package/dist/cjs/StatementAnalysis.js

@@ -19,24 +19,6 @@ function identityStatementAllows(statement) {
     }
     return false;
 }
-// export function identityStatementUknownAllow(statement: StatementAnalysis): boolean {
-//   if(statement.resourceMatch &&
-//     statement.actionMatch &&
-//     statement.conditionMatch === 'Unknown' &&
-//     statement.statement.effect() === 'Allow') {
-//       return true;
-//   }
-//   return false
-// }
-// export function identityStatementUknownDeny(statement: StatementAnalysis): boolean {
-//   if(statement.resourceMatch &&
-//     statement.actionMatch &&
-//     statement.conditionMatch === 'Unknown' &&
-//     statement.statement.effect() === 'Deny') {
-//       return true;
-//   }
-//   return false
-// }
 function identityStatementExplicitDeny(statement) {
     if (statement.resourceMatch &&
         statement.actionMatch &&

package/dist/cjs/StatementAnalysis.js.map

@@ -1 +1 @@
-{"version":3,"file":"StatementAnalysis.js","sourceRoot":"","sources":["../../src/StatementAnalysis.ts"],"names":[],"mappings":";;AA8DA,0DAUC;AAsBD,sEAUC;AAED,4CAcC;AAQD,0DAUC;AAlFD;;;;;GAKG;AACH,SAAgB,uBAAuB,CAAC,SAA4B;IAClE,IACE,SAAS,CAAC,aAAa;QACvB,SAAS,CAAC,WAAW;QACrB,SAAS,CAAC,cAAc,KAAK,OAAO;QACpC,SAAS,CAAC,SAAS,CAAC,MAAM,EAAE,KAAK,OAAO,EACxC,CAAC;QACD,OAAO,IAAI,CAAA;IACb,CAAC;IACD,OAAO,KAAK,CAAA;AACd,CAAC;AAED,wFAAwF;AACxF,kCAAkC;AAClC,+BAA+B;AAC/B,gDAAgD;AAChD,kDAAkD;AAClD,qBAAqB;AACrB,MAAM;AACN,iBAAiB;AACjB,IAAI;AAEJ,uFAAuF;AACvF,kCAAkC;AAClC,+BAA+B;AAC/B,gDAAgD;AAChD,iDAAiD;AACjD,qBAAqB;AACrB,MAAM;AACN,iBAAiB;AACjB,IAAI;AAEJ,SAAgB,6BAA6B,CAAC,SAA4B;IACxE,IACE,SAAS,CAAC,aAAa;QACvB,SAAS,CAAC,WAAW;QACrB,SAAS,CAAC,cAAc,KAAK,OAAO;QACpC,SAAS,CAAC,SAAS,CAAC,MAAM,EAAE,KAAK,MAAM,EACvC,CAAC;QACD,OAAO,IAAI,CAAA;IACb,CAAC;IACD,OAAO,KAAK,CAAA;AACd,CAAC;AAED,SAAgB,gBAAgB,CAC9B,QAGC;IAED,OAAO,CACL,QAAQ,CAAC,aAAa;QACtB,QAAQ,CAAC,WAAW;QACpB,QAAQ,CAAC,cAAc,KAAK,OAAO;QACnC,CAAC,OAAO,EAAE,mBAAmB,EAAE,kBAAkB,EAAE,kBAAkB,CAAC,CAAC,QAAQ,CAC7E,QAAQ,CAAC,cAAc,CACxB,CACF,CAAA;AACH,CAAC;AAED;;;;;GAKG;AACH,SAAgB,uBAAuB,CACrC,QAAqF;IAErF,OAAO,CACL,QAAQ,CAAC,aAAa;QACtB,QAAQ,CAAC,WAAW;QACpB,CAAC,OAAO,EAAE,mBAAmB,EAAE,kBAAkB,EAAE,kBAAkB,CAAC,CAAC,QAAQ,CAC7E,QAAQ,CAAC,cAAc,CACxB,CACF,CAAA;AACH,CAAC"}
+{"version":3,"file":"StatementAnalysis.js","sourceRoot":"","sources":["../../src/StatementAnalysis.ts"],"names":[],"mappings":";;AA8DA,0DAUC;AAED,sEAUC;AAED,4CAcC;AAQD,0DAUC;AA9DD;;;;;GAKG;AACH,SAAgB,uBAAuB,CAAC,SAA4B;IAClE,IACE,SAAS,CAAC,aAAa;QACvB,SAAS,CAAC,WAAW;QACrB,SAAS,CAAC,cAAc,KAAK,OAAO;QACpC,SAAS,CAAC,SAAS,CAAC,MAAM,EAAE,KAAK,OAAO,EACxC,CAAC;QACD,OAAO,IAAI,CAAA;IACb,CAAC;IACD,OAAO,KAAK,CAAA;AACd,CAAC;AAED,SAAgB,6BAA6B,CAAC,SAA4B;IACxE,IACE,SAAS,CAAC,aAAa;QACvB,SAAS,CAAC,WAAW;QACrB,SAAS,CAAC,cAAc,KAAK,OAAO;QACpC,SAAS,CAAC,SAAS,CAAC,MAAM,EAAE,KAAK,MAAM,EACvC,CAAC;QACD,OAAO,IAAI,CAAA;IACb,CAAC;IACD,OAAO,KAAK,CAAA;AACd,CAAC;AAED,SAAgB,gBAAgB,CAC9B,QAGC;IAED,OAAO,CACL,QAAQ,CAAC,aAAa;QACtB,QAAQ,CAAC,WAAW;QACpB,QAAQ,CAAC,cAAc,KAAK,OAAO;QACnC,CAAC,OAAO,EAAE,mBAAmB,EAAE,kBAAkB,EAAE,kBAAkB,CAAC,CAAC,QAAQ,CAC7E,QAAQ,CAAC,cAAc,CACxB,CACF,CAAA;AACH,CAAC;AAED;;;;;GAKG;AACH,SAAgB,uBAAuB,CACrC,QAAqF;IAErF,OAAO,CACL,QAAQ,CAAC,aAAa;QACtB,QAAQ,CAAC,WAAW;QACpB,CAAC,OAAO,EAAE,mBAAmB,EAAE,kBAAkB,EAAE,kBAAkB,CAAC,CAAC,QAAQ,CAC7E,QAAQ,CAAC,cAAc,CACxB,CACF,CAAA;AACH,CAAC"}

package/dist/cjs/analysis/analyzeResults.d.ts

@@ -1,4 +1,4 @@
-import { type RequestAnalysis } from '../evaluate.js';
+import { type BlockedReason, type RequestAnalysis } from '../evaluate.js';
 /**
  * Analyze a RequestAnalysis to see if the request was allowed by identity policies.
  *
@@ -6,15 +6,46 @@ import { type RequestAnalysis } from '../evaluate.js';
  * @returns true if the request was allowed by identity policies, false otherwise
  */
 export declare function isAllowedByIdentityPolicies(requestAnalysis: RequestAnalysis): boolean;
-export type DenialPolicyType = 'identity' | 'resource' | 'scp' | 'rcp' | 'permissionBoundary' | 'endpointPolicy';
+export type DenialPolicyType = BlockedReason;
 export type RequestDenial = {
+    /**
+     * The type of policy that caused the denial.
+     */
     policyType: DenialPolicyType;
+    /**
+     * This denial blocks a request that otherwise could have been allowed.
+     */
+    blocking?: true;
+    /**
+     * The identifier of the policy that caused the denial, if applicable. This could be a
+     * policy identifier or an organizational unit identifier for SCPs and RCPs.
+     */
     identifier?: string;
+    /**
+     * The type of denial.
+     */
     denialType: 'Implicit';
 } | {
+    /**
+     * The type of policy that caused the denial.
+     */
     policyType: DenialPolicyType;
+    /**
+     * This denial blocks a request that otherwise could have been allowed.
+     */
+    blocking?: true;
+    /**
+     * The identifier of the policy that caused the denial. May be undefined, for example
+     * in a resource policy.
+     */
     policyIdentifier?: string;
+    /**
+     * The statement ID (or index) of the denying statement, if applicable.
+     */
     statementId: string;
+    /**
+     * The type of denial.
+     */
     denialType: 'Explicit';
 };
 /**

package/dist/cjs/analysis/analyzeResults.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"analyzeResults.d.ts","sourceRoot":"","sources":["../../../src/analysis/analyzeResults.ts"],"names":[],"mappings":"AAAA,OAAO,EAIL,KAAK,eAAe,EAGrB,MAAM,gBAAgB,CAAA;AAEvB;;;;;GAKG;AACH,wBAAgB,2BAA2B,CAAC,eAAe,EAAE,eAAe,GAAG,OAAO,CAOrF;AAED,MAAM,MAAM,gBAAgB,GACxB,UAAU,GACV,UAAU,GACV,KAAK,GACL,KAAK,GACL,oBAAoB,GACpB,gBAAgB,CAAA;AAEpB,MAAM,MAAM,aAAa,GACrB;IACE,UAAU,EAAE,gBAAgB,CAAA;IAC5B,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB,UAAU,EAAE,UAAU,CAAA;CACvB,GACD;IACE,UAAU,EAAE,gBAAgB,CAAA;IAC5B,gBAAgB,CAAC,EAAE,MAAM,CAAA;IACzB,WAAW,EAAE,MAAM,CAAA;IACnB,UAAU,EAAE,UAAU,CAAA;CACvB,CAAA;AAEL;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,gBAAgB,CAAC,eAAe,EAAE,eAAe,GAAG,aAAa,EAAE,CAiBlF"}
+{"version":3,"file":"analyzeResults.d.ts","sourceRoot":"","sources":["../../../src/analysis/analyzeResults.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,KAAK,aAAa,EAIlB,KAAK,eAAe,EAGrB,MAAM,gBAAgB,CAAA;AAEvB;;;;;GAKG;AACH,wBAAgB,2BAA2B,CAAC,eAAe,EAAE,eAAe,GAAG,OAAO,CAOrF;AAED,MAAM,MAAM,gBAAgB,GAAG,aAAa,CAAA;AAE5C,MAAM,MAAM,aAAa,GACrB;IACE;;OAEG;IACH,UAAU,EAAE,gBAAgB,CAAA;IAE5B;;OAEG;IACH,QAAQ,CAAC,EAAE,IAAI,CAAA;IAEf;;;OAGG;IACH,UAAU,CAAC,EAAE,MAAM,CAAA;IAEnB;;OAEG;IACH,UAAU,EAAE,UAAU,CAAA;CACvB,GACD;IACE;;OAEG;IACH,UAAU,EAAE,gBAAgB,CAAA;IAE5B;;OAEG;IACH,QAAQ,CAAC,EAAE,IAAI,CAAA;IAEf;;;OAGG;IACH,gBAAgB,CAAC,EAAE,MAAM,CAAA;IAEzB;;OAEG;IACH,WAAW,EAAE,MAAM,CAAA;IAEnB;;OAEG;IACH,UAAU,EAAE,UAAU,CAAA;CACvB,CAAA;AAEL;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,gBAAgB,CAAC,eAAe,EAAE,eAAe,GAAG,aAAa,EAAE,CAqClF"}

package/dist/cjs/analysis/analyzeResults.js

@@ -34,28 +34,38 @@ function isAllowedByIdentityPolicies(requestAnalysis) {
 function getDenialReasons(requestAnalysis) {
     const denials = [];
     const overallResult = requestAnalysis.result;
-    addSimplePolicyDenials(requestAnalysis.identityAnalysis, 'identity', overallResult, denials);
-    addSimplePolicyDenials(requestAnalysis.resourceAnalysis, 'resource', overallResult, denials);
-    addOuPolicyDenials(requestAnalysis.scpAnalysis, 'scp', overallResult, denials);
-    addOuPolicyDenials(requestAnalysis.rcpAnalysis, 'rcp', overallResult, denials);
-    addSimplePolicyDenials(requestAnalysis.permissionBoundaryAnalysis, 'permissionBoundary', overallResult, denials);
-    addSimplePolicyDenials(requestAnalysis.endpointAnalysis, 'endpointPolicy', overallResult, denials);
+    const blockedBy = new Set(requestAnalysis.blockedBy ?? []);
+    addSimplePolicyDenials(requestAnalysis.identityAnalysis, 'identity', overallResult, blockedBy, denials);
+    addSimplePolicyDenials(requestAnalysis.resourceAnalysis, 'resource', overallResult, blockedBy, denials);
+    addOuPolicyDenials(requestAnalysis.scpAnalysis, 'scp', overallResult, blockedBy, denials);
+    addOuPolicyDenials(requestAnalysis.rcpAnalysis, 'rcp', overallResult, blockedBy, denials);
+    addSimplePolicyDenials(requestAnalysis.permissionBoundaryAnalysis, 'pb', overallResult, blockedBy, denials);
+    addSimplePolicyDenials(requestAnalysis.endpointAnalysis, 'vpce', overallResult, blockedBy, denials);
     return denials;
 }
 /**
  * Helper for identity-style policies (identity, resource, permissionBoundary, endpoint).
  * Adds denial reasons from a simple policy analysis.
  */
-function addSimplePolicyDenials(analysis, policyType, overallResult, denials) {
+function addSimplePolicyDenials(analysis, policyType, overallResult, blockedBy, denials) {
     if (!analysis)
         return;
-    if (analysis.result === 'ImplicitlyDenied' && overallResult === 'ImplicitlyDenied') {
-        denials.push({ policyType, denialType: 'Implicit' });
+    const isBlocking = blockedBy.has(policyType);
+    const blocking = isBlocking ? { blocking: true } : {};
+    if (analysis.result === 'ImplicitlyDenied' &&
+        (isBlocking || overallResult === 'ImplicitlyDenied')) {
+        denials.push({
+            policyType,
+            denialType: 'Implicit',
+            ...blocking
+        });
     }
-    else if (analysis.result === 'ExplicitlyDenied' && overallResult === 'ExplicitlyDenied') {
+    else if (analysis.result === 'ExplicitlyDenied' &&
+        (isBlocking || overallResult === 'ExplicitlyDenied')) {
         for (const stmt of analysis.denyStatements) {
             denials.push({
                 policyType,
+                ...blocking,
                 policyIdentifier: stmt.policyId,
                 statementId: stmt.statement.sid() || stmt.statement.index().toString(),
                 denialType: 'Explicit'
@@ -67,17 +77,26 @@ function addSimplePolicyDenials(analysis, policyType, overallResult, denials) {
  * Helper for OU-based policies (scp, rcp).
  * Adds denial reasons from an organizational policy analysis.
  */
-function addOuPolicyDenials(analysis, policyType, overallResult, denials) {
+function addOuPolicyDenials(analysis, policyType, overallResult, blockedBy, denials) {
     if (!analysis)
         return;
-    if (analysis.result === 'ImplicitlyDenied' && overallResult === 'ImplicitlyDenied') {
+    const isBlocking = blockedBy.has(policyType);
+    const blocking = isBlocking ? { blocking: true } : {};
+    if (analysis.result === 'ImplicitlyDenied' &&
+        (isBlocking || overallResult === 'ImplicitlyDenied')) {
         for (const ou of analysis.ouAnalysis) {
             if (ou.result === 'ImplicitlyDenied') {
-                denials.push({ policyType, identifier: ou.orgIdentifier, denialType: 'Implicit' });
+                denials.push({
+                    policyType,
+                    identifier: ou.orgIdentifier,
+                    denialType: 'Implicit',
+                    ...blocking
+                });
             }
         }
     }
-    else if (analysis.result === 'ExplicitlyDenied' && overallResult === 'ExplicitlyDenied') {
+    else if (analysis.result === 'ExplicitlyDenied' &&
+        (isBlocking || overallResult === 'ExplicitlyDenied')) {
         for (const ou of analysis.ouAnalysis) {
             if (ou.result === 'ExplicitlyDenied') {
                 for (const stmt of ou.denyStatements) {
@@ -85,7 +104,8 @@ function addOuPolicyDenials(analysis, policyType, overallResult, denials) {
                         policyType,
                         policyIdentifier: stmt.policyId,
                         statementId: stmt.statement.sid() || stmt.statement.index().toString(),
-                        denialType: 'Explicit'
+                        denialType: 'Explicit',
+                        ...blocking
                     });
                 }
             }

package/dist/cjs/analysis/analyzeResults.js.map

@@ -1 +1 @@
-{"version":3,"file":"analyzeResults.js","sourceRoot":"","sources":["../../../src/analysis/analyzeResults.ts"],"names":[],"mappings":";;AAeA,kEAOC;AAuCD,4CAiBC;AArED;;;;;GAKG;AACH,SAAgB,2BAA2B,CAAC,eAAgC;IAC1E,MAAM,gBAAgB,GAAG,eAAe,CAAC,gBAAgB,CAAA;IACzD,IAAI,CAAC,gBAAgB,EAAE,CAAC;QACtB,OAAO,KAAK,CAAA;IACd,CAAC;IAED,OAAO,gBAAgB,CAAC,MAAM,KAAK,SAAS,CAAA;AAC9C,CAAC;AAuBD;;;;;;;;;;;;;;;GAeG;AACH,SAAgB,gBAAgB,CAAC,eAAgC;IAC/D,MAAM,OAAO,GAAoB,EAAE,CAAA;IACnC,MAAM,aAAa,GAAG,eAAe,CAAC,MAAM,CAAA;IAE5C,sBAAsB,CAAC,eAAe,CAAC,gBAAgB,EAAE,UAAU,EAAE,aAAa,EAAE,OAAO,CAAC,CAAA;IAC5F,sBAAsB,CAAC,eAAe,CAAC,gBAAgB,EAAE,UAAU,EAAE,aAAa,EAAE,OAAO,CAAC,CAAA;IAC5F,kBAAkB,CAAC,eAAe,CAAC,WAAW,EAAE,KAAK,EAAE,aAAa,EAAE,OAAO,CAAC,CAAA;IAC9E,kBAAkB,CAAC,eAAe,CAAC,WAAW,EAAE,KAAK,EAAE,aAAa,EAAE,OAAO,CAAC,CAAA;IAC9E,sBAAsB,CACpB,eAAe,CAAC,0BAA0B,EAC1C,oBAAoB,EACpB,aAAa,EACb,OAAO,CACR,CAAA;IACD,sBAAsB,CAAC,eAAe,CAAC,gBAAgB,EAAE,gBAAgB,EAAE,aAAa,EAAE,OAAO,CAAC,CAAA;IAElG,OAAO,OAAO,CAAA;AAChB,CAAC;AAED;;;GAGG;AACH,SAAS,sBAAsB,CAC7B,QAAyD,EACzD,UAA4B,EAC5B,aAA+B,EAC/B,OAAwB;IAExB,IAAI,CAAC,QAAQ;QAAE,OAAM;IAErB,IAAI,QAAQ,CAAC,MAAM,KAAK,kBAAkB,IAAI,aAAa,KAAK,kBAAkB,EAAE,CAAC;QACnF,OAAO,CAAC,IAAI,CAAC,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,CAAC,CAAA;IACtD,CAAC;SAAM,IAAI,QAAQ,CAAC,MAAM,KAAK,kBAAkB,IAAI,aAAa,KAAK,kBAAkB,EAAE,CAAC;QAC1F,KAAK,MAAM,IAAI,IAAI,QAAQ,CAAC,cAAc,EAAE,CAAC;YAC3C,OAAO,CAAC,IAAI,CAAC;gBACX,UAAU;gBACV,gBAAgB,EAAE,IAAI,CAAC,QAAQ;gBAC/B,WAAW,EAAE,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,IAAI,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,CAAC,QAAQ,EAAE;gBACtE,UAAU,EAAE,UAAU;aACvB,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,SAAS,kBAAkB,CACzB,QAA+C,EAC/C,UAA4B,EAC5B,aAA+B,EAC/B,OAAwB;IAExB,IAAI,CAAC,QAAQ;QAAE,OAAM;IAErB,IAAI,QAAQ,CAAC,MAAM,KAAK,kBAAkB,IAAI,aAAa,KAAK,kBAAkB,EAAE,CAAC;QACnF,KAAK,MAAM,EAAE,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC;YACrC,IAAI,EAAE,CAAC,MAAM,KAAK,kBAAkB,EAAE,CAAC;gBACrC,OAAO,CAAC,IAAI,CAAC,EAAE,UAAU,EAAE,UAAU,EAAE,EAAE,CAAC,aAAa,EAAE,UAAU,EAAE,UAAU,EAAE,CAAC,CAAA;YACpF,CAAC;QACH,CAAC;IACH,CAAC;SAAM,IAAI,QAAQ,CAAC,MAAM,KAAK,kBAAkB,IAAI,aAAa,KAAK,kBAAkB,EAAE,CAAC;QAC1F,KAAK,MAAM,EAAE,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC;YACrC,IAAI,EAAE,CAAC,MAAM,KAAK,kBAAkB,EAAE,CAAC;gBACrC,KAAK,MAAM,IAAI,IAAI,EAAE,CAAC,cAAc,EAAE,CAAC;oBACrC,OAAO,CAAC,IAAI,CAAC;wBACX,UAAU;wBACV,gBAAgB,EAAE,IAAI,CAAC,QAAQ;wBAC/B,WAAW,EAAE,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,IAAI,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,CAAC,QAAQ,EAAE;wBACtE,UAAU,EAAE,UAAU;qBACvB,CAAC,CAAA;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC"}
+{"version":3,"file":"analyzeResults.js","sourceRoot":"","sources":["../../../src/analysis/analyzeResults.ts"],"names":[],"mappings":";;AAgBA,kEAOC;AAuED,4CAqCC;AAzHD;;;;;GAKG;AACH,SAAgB,2BAA2B,CAAC,eAAgC;IAC1E,MAAM,gBAAgB,GAAG,eAAe,CAAC,gBAAgB,CAAA;IACzD,IAAI,CAAC,gBAAgB,EAAE,CAAC;QACtB,OAAO,KAAK,CAAA;IACd,CAAC;IAED,OAAO,gBAAgB,CAAC,MAAM,KAAK,SAAS,CAAA;AAC9C,CAAC;AAuDD;;;;;;;;;;;;;;;GAeG;AACH,SAAgB,gBAAgB,CAAC,eAAgC;IAC/D,MAAM,OAAO,GAAoB,EAAE,CAAA;IACnC,MAAM,aAAa,GAAG,eAAe,CAAC,MAAM,CAAA;IAC5C,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,eAAe,CAAC,SAAS,IAAI,EAAE,CAAC,CAAA;IAE1D,sBAAsB,CACpB,eAAe,CAAC,gBAAgB,EAChC,UAAU,EACV,aAAa,EACb,SAAS,EACT,OAAO,CACR,CAAA;IACD,sBAAsB,CACpB,eAAe,CAAC,gBAAgB,EAChC,UAAU,EACV,aAAa,EACb,SAAS,EACT,OAAO,CACR,CAAA;IACD,kBAAkB,CAAC,eAAe,CAAC,WAAW,EAAE,KAAK,EAAE,aAAa,EAAE,SAAS,EAAE,OAAO,CAAC,CAAA;IACzF,kBAAkB,CAAC,eAAe,CAAC,WAAW,EAAE,KAAK,EAAE,aAAa,EAAE,SAAS,EAAE,OAAO,CAAC,CAAA;IACzF,sBAAsB,CACpB,eAAe,CAAC,0BAA0B,EAC1C,IAAI,EACJ,aAAa,EACb,SAAS,EACT,OAAO,CACR,CAAA;IACD,sBAAsB,CACpB,eAAe,CAAC,gBAAgB,EAChC,MAAM,EACN,aAAa,EACb,SAAS,EACT,OAAO,CACR,CAAA;IAED,OAAO,OAAO,CAAA;AAChB,CAAC;AAED;;;GAGG;AACH,SAAS,sBAAsB,CAC7B,QAAyD,EACzD,UAA4B,EAC5B,aAA+B,EAC/B,SAA6B,EAC7B,OAAwB;IAExB,IAAI,CAAC,QAAQ;QAAE,OAAM;IAErB,MAAM,UAAU,GAAG,SAAS,CAAC,GAAG,CAAC,UAAU,CAAC,CAAA;IAC5C,MAAM,QAAQ,GAAG,UAAU,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,IAAa,EAAE,CAAC,CAAC,CAAC,EAAE,CAAA;IAE9D,IACE,QAAQ,CAAC,MAAM,KAAK,kBAAkB;QACtC,CAAC,UAAU,IAAI,aAAa,KAAK,kBAAkB,CAAC,EACpD,CAAC;QACD,OAAO,CAAC,IAAI,CAAC;YACX,UAAU;YACV,UAAU,EAAE,UAAU;YACtB,GAAG,QAAQ;SACZ,CAAC,CAAA;IACJ,CAAC;SAAM,IACL,QAAQ,CAAC,MAAM,KAAK,kBAAkB;QACtC,CAAC,UAAU,IAAI,aAAa,KAAK,kBAAkB,CAAC,EACpD,CAAC;QACD,KAAK,MAAM,IAAI,IAAI,QAAQ,CAAC,cAAc,EAAE,CAAC;YAC3C,OAAO,CAAC,IAAI,CAAC;gBACX,UAAU;gBACV,GAAG,QAAQ;gBACX,gBAAgB,EAAE,IAAI,CAAC,QAAQ;gBAC/B,WAAW,EAAE,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,IAAI,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,CAAC,QAAQ,EAAE;gBACtE,UAAU,EAAE,UAAU;aACvB,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,SAAS,kBAAkB,CACzB,QAA+C,EAC/C,UAA4B,EAC5B,aAA+B,EAC/B,SAA6B,EAC7B,OAAwB;IAExB,IAAI,CAAC,QAAQ;QAAE,OAAM;IAErB,MAAM,UAAU,GAAG,SAAS,CAAC,GAAG,CAAC,UAAU,CAAC,CAAA;IAC5C,MAAM,QAAQ,GAAG,UAAU,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,IAAa,EAAE,CAAC,CAAC,CAAC,EAAE,CAAA;IAE9D,IACE,QAAQ,CAAC,MAAM,KAAK,kBAAkB;QACtC,CAAC,UAAU,IAAI,aAAa,KAAK,kBAAkB,CAAC,EACpD,CAAC;QACD,KAAK,MAAM,EAAE,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC;YACrC,IAAI,EAAE,CAAC,MAAM,KAAK,kBAAkB,EAAE,CAAC;gBACrC,OAAO,CAAC,IAAI,CAAC;oBACX,UAAU;oBACV,UAAU,EAAE,EAAE,CAAC,aAAa;oBAC5B,UAAU,EAAE,UAAU;oBACtB,GAAG,QAAQ;iBACZ,CAAC,CAAA;YACJ,CAAC;QACH,CAAC;IACH,CAAC;SAAM,IACL,QAAQ,CAAC,MAAM,KAAK,kBAAkB;QACtC,CAAC,UAAU,IAAI,aAAa,KAAK,kBAAkB,CAAC,EACpD,CAAC;QACD,KAAK,MAAM,EAAE,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC;YACrC,IAAI,EAAE,CAAC,MAAM,KAAK,kBAAkB,EAAE,CAAC;gBACrC,KAAK,MAAM,IAAI,IAAI,EAAE,CAAC,cAAc,EAAE,CAAC;oBACrC,OAAO,CAAC,IAAI,CAAC;wBACX,UAAU;wBACV,gBAAgB,EAAE,IAAI,CAAC,QAAQ;wBAC/B,WAAW,EAAE,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,IAAI,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,CAAC,QAAQ,EAAE;wBACtE,UAAU,EAAE,UAAU;wBACtB,GAAG,QAAQ;qBACZ,CAAC,CAAA;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC"}

package/dist/cjs/evaluate.d.ts

@@ -1,6 +1,7 @@
 import { type StatementAnalysis } from './StatementAnalysis.js';
 export type EvaluationResult = 'Allowed' | 'ExplicitlyDenied' | 'ImplicitlyDenied';
 export type ResourceEvaluationResult = 'NotApplicable' | 'Allowed' | 'ExplicitlyDenied' | 'AllowedForAccount' | 'DeniedForAccount' | 'ImplicitlyDenied';
+export type BlockedReason = 'scp' | 'rcp' | 'vpce' | 'identity' | 'resource' | 'pb';
 export interface IdentityAnalysis {
     result: EvaluationResult;
     denyStatements: StatementAnalysis[];
@@ -127,5 +128,21 @@ export interface RequestAnalysis {
      * If the role session name was ignored during discovery mode.
      */
     ignoredRoleSessionName?: boolean;
+    /**
+     * If the request has policies to allow the request in session, identity, and/or resource policies required, but was blocked
+     * by another policy, this includes the policy types that blocked the request.
+     *
+     * It is possible for a request to have been allowed by the identity policy but blocked by the resource policy and vice versa.
+     *
+     * If this array is undefined or empty, it means that the core session, identity, and/or resource policies did
+     * not grant permission. It does not mean that there are no guardrails in place, just that the request was
+     * not allowed by the core policies, so there is no need to look for guardrails that block an otherwise allowed request.
+     *
+     * "Allowed by core policies" means that it would have been allowed if not for the policies identified in `blockedBy`. So
+     * by removing the policies identified in `blockedBy`, the request would be allowed.
+     *
+     * Use this to discover what guardrails are in place that might block access even if it may be allowed by other policies.
+     */
+    blockedBy?: BlockedReason[];
 }
 //# sourceMappingURL=evaluate.d.ts.map

package/dist/cjs/evaluate.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"evaluate.d.ts","sourceRoot":"","sources":["../../src/evaluate.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,iBAAiB,EAAE,MAAM,wBAAwB,CAAA;AAE/D,MAAM,MAAM,gBAAgB,GAAG,SAAS,GAAG,kBAAkB,GAAG,kBAAkB,CAAA;AAClF,MAAM,MAAM,wBAAwB,GAChC,eAAe,GACf,SAAS,GACT,kBAAkB,GAClB,mBAAmB,GACnB,kBAAkB,GAClB,kBAAkB,CAAA;AAEtB,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,gBAAgB,CAAA;IACxB,cAAc,EAAE,iBAAiB,EAAE,CAAA;IACnC,eAAe,EAAE,iBAAiB,EAAE,CAAA;IACpC,mBAAmB,EAAE,iBAAiB,EAAE,CAAA;CACzC;AAED,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,wBAAwB,CAAA;IAChC,cAAc,EAAE,iBAAiB,EAAE,CAAA;IACnC,eAAe,EAAE,iBAAiB,EAAE,CAAA;IACpC,mBAAmB,EAAE,iBAAiB,EAAE,CAAA;CACzC;AAED,MAAM,WAAW,aAAa;IAC5B,aAAa,EAAE,MAAM,CAAA;IACrB,MAAM,EAAE,gBAAgB,CAAA;IACxB,cAAc,EAAE,iBAAiB,EAAE,CAAA;IACnC,eAAe,EAAE,iBAAiB,EAAE,CAAA;IACpC,mBAAmB,EAAE,iBAAiB,EAAE,CAAA;CACzC;AAED,MAAM,WAAW,WAAW;IAC1B;;OAEG;IACH,MAAM,EAAE,gBAAgB,CAAA;IACxB,UAAU,EAAE,aAAa,EAAE,CAAA;CAC5B;AAED,MAAM,WAAW,aAAa;IAC5B,aAAa,EAAE,MAAM,CAAA;IACrB,MAAM,EAAE,gBAAgB,CAAA;IACxB,cAAc,EAAE,iBAAiB,EAAE,CAAA;IACnC,eAAe,EAAE,iBAAiB,EAAE,CAAA;IACpC,mBAAmB,EAAE,iBAAiB,EAAE,CAAA;CACzC;AAED,MAAM,WAAW,WAAW;IAC1B;;OAEG;IACH,MAAM,EAAE,gBAAgB,CAAA;IACxB,UAAU,EAAE,aAAa,EAAE,CAAA;CAC5B;AAED,MAAM,WAAW,gBAAgB;IAC/B,EAAE,EAAE,MAAM,CAAA;IACV,GAAG,EAAE,MAAM,CAAA;IACX,MAAM,EAAE,MAAM,EAAE,CAAA;CACjB;AAED;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,OAAO,CAAC,EAAE;QACR,KAAK,CAAC,EAAE,gBAAgB,EAAE,CAAA;QAC1B,IAAI,CAAC,EAAE,gBAAgB,EAAE,CAAA;KAC1B,CAAA;IACD,GAAG,CAAC,EAAE;QACJ,KAAK,CAAC,EAAE,gBAAgB,EAAE,CAAA;QAC1B,IAAI,CAAC,EAAE,gBAAgB,EAAE,CAAA;KAC1B,CAAA;IACD,GAAG,CAAC,EAAE;QACJ,KAAK,CAAC,EAAE,gBAAgB,EAAE,CAAA;QAC1B,IAAI,CAAC,EAAE,gBAAgB,EAAE,CAAA;KAC1B,CAAA;IACD,QAAQ,CAAC,EAAE;QACT,KAAK,CAAC,EAAE,gBAAgB,EAAE,CAAA;QAC1B,IAAI,CAAC,EAAE,gBAAgB,EAAE,CAAA;KAC1B,CAAA;IACD,QAAQ,CAAC,EAAE;QACT,KAAK,CAAC,EAAE,gBAAgB,EAAE,CAAA;QAC1B,IAAI,CAAC,EAAE,gBAAgB,EAAE,CAAA;KAC1B,CAAA;IACD,kBAAkB,CAAC,EAAE;QACnB,KAAK,CAAC,EAAE,gBAAgB,EAAE,CAAA;QAC1B,IAAI,CAAC,EAAE,gBAAgB,EAAE,CAAA;KAC1B,CAAA;IACD,cAAc,CAAC,EAAE;QACf,KAAK,CAAC,EAAE,gBAAgB,EAAE,CAAA;QAC1B,IAAI,CAAC,EAAE,gBAAgB,EAAE,CAAA;KAC1B,CAAA;CACF;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B;;OAEG;IACH,MAAM,EAAE,gBAAgB,CAAA;IAExB;;OAEG;IACH,WAAW,EAAE,OAAO,CAAA;IAEpB;;OAEG;IACH,eAAe,CAAC,EAAE,gBAAgB,GAAG,SAAS,CAAA;IAE9C;;OAEG;IACH,gBAAgB,CAAC,EAAE,gBAAgB,CAAA;IAEnC;;OAEG;IACH,gBAAgB,CAAC,EAAE,gBAAgB,CAAA;IAEnC;;OAEG;IACH,WAAW,CAAC,EAAE,WAAW,CAAA;IAEzB;;OAEG;IACH,WAAW,CAAC,EAAE,WAAW,CAAA;IAEzB;;OAEG;IACH,0BAA0B,CAAC,EAAE,gBAAgB,GAAG,SAAS,CAAA;IAEzD;;OAEG;IACH,gBAAgB,CAAC,EAAE,gBAAgB,GAAG,SAAS,CAAA;IAE/C;;OAEG;IACH,iBAAiB,CAAC,EAAE,iBAAiB,CAAA;IAErC;;OAEG;IACH,sBAAsB,CAAC,EAAE,OAAO,CAAA;CACjC"}
+{"version":3,"file":"evaluate.d.ts","sourceRoot":"","sources":["../../src/evaluate.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,iBAAiB,EAAE,MAAM,wBAAwB,CAAA;AAE/D,MAAM,MAAM,gBAAgB,GAAG,SAAS,GAAG,kBAAkB,GAAG,kBAAkB,CAAA;AAClF,MAAM,MAAM,wBAAwB,GAChC,eAAe,GACf,SAAS,GACT,kBAAkB,GAClB,mBAAmB,GACnB,kBAAkB,GAClB,kBAAkB,CAAA;AAEtB,MAAM,MAAM,aAAa,GAAG,KAAK,GAAG,KAAK,GAAG,MAAM,GAAG,UAAU,GAAG,UAAU,GAAG,IAAI,CAAA;AAEnF,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,gBAAgB,CAAA;IACxB,cAAc,EAAE,iBAAiB,EAAE,CAAA;IACnC,eAAe,EAAE,iBAAiB,EAAE,CAAA;IACpC,mBAAmB,EAAE,iBAAiB,EAAE,CAAA;CACzC;AAED,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,wBAAwB,CAAA;IAChC,cAAc,EAAE,iBAAiB,EAAE,CAAA;IACnC,eAAe,EAAE,iBAAiB,EAAE,CAAA;IACpC,mBAAmB,EAAE,iBAAiB,EAAE,CAAA;CACzC;AAED,MAAM,WAAW,aAAa;IAC5B,aAAa,EAAE,MAAM,CAAA;IACrB,MAAM,EAAE,gBAAgB,CAAA;IACxB,cAAc,EAAE,iBAAiB,EAAE,CAAA;IACnC,eAAe,EAAE,iBAAiB,EAAE,CAAA;IACpC,mBAAmB,EAAE,iBAAiB,EAAE,CAAA;CACzC;AAED,MAAM,WAAW,WAAW;IAC1B;;OAEG;IACH,MAAM,EAAE,gBAAgB,CAAA;IACxB,UAAU,EAAE,aAAa,EAAE,CAAA;CAC5B;AAED,MAAM,WAAW,aAAa;IAC5B,aAAa,EAAE,MAAM,CAAA;IACrB,MAAM,EAAE,gBAAgB,CAAA;IACxB,cAAc,EAAE,iBAAiB,EAAE,CAAA;IACnC,eAAe,EAAE,iBAAiB,EAAE,CAAA;IACpC,mBAAmB,EAAE,iBAAiB,EAAE,CAAA;CACzC;AAED,MAAM,WAAW,WAAW;IAC1B;;OAEG;IACH,MAAM,EAAE,gBAAgB,CAAA;IACxB,UAAU,EAAE,aAAa,EAAE,CAAA;CAC5B;AAED,MAAM,WAAW,gBAAgB;IAC/B,EAAE,EAAE,MAAM,CAAA;IACV,GAAG,EAAE,MAAM,CAAA;IACX,MAAM,EAAE,MAAM,EAAE,CAAA;CACjB;AAED;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,OAAO,CAAC,EAAE;QACR,KAAK,CAAC,EAAE,gBAAgB,EAAE,CAAA;QAC1B,IAAI,CAAC,EAAE,gBAAgB,EAAE,CAAA;KAC1B,CAAA;IACD,GAAG,CAAC,EAAE;QACJ,KAAK,CAAC,EAAE,gBAAgB,EAAE,CAAA;QAC1B,IAAI,CAAC,EAAE,gBAAgB,EAAE,CAAA;KAC1B,CAAA;IACD,GAAG,CAAC,EAAE;QACJ,KAAK,CAAC,EAAE,gBAAgB,EAAE,CAAA;QAC1B,IAAI,CAAC,EAAE,gBAAgB,EAAE,CAAA;KAC1B,CAAA;IACD,QAAQ,CAAC,EAAE;QACT,KAAK,CAAC,EAAE,gBAAgB,EAAE,CAAA;QAC1B,IAAI,CAAC,EAAE,gBAAgB,EAAE,CAAA;KAC1B,CAAA;IACD,QAAQ,CAAC,EAAE;QACT,KAAK,CAAC,EAAE,gBAAgB,EAAE,CAAA;QAC1B,IAAI,CAAC,EAAE,gBAAgB,EAAE,CAAA;KAC1B,CAAA;IACD,kBAAkB,CAAC,EAAE;QACnB,KAAK,CAAC,EAAE,gBAAgB,EAAE,CAAA;QAC1B,IAAI,CAAC,EAAE,gBAAgB,EAAE,CAAA;KAC1B,CAAA;IACD,cAAc,CAAC,EAAE;QACf,KAAK,CAAC,EAAE,gBAAgB,EAAE,CAAA;QAC1B,IAAI,CAAC,EAAE,gBAAgB,EAAE,CAAA;KAC1B,CAAA;CACF;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B;;OAEG;IACH,MAAM,EAAE,gBAAgB,CAAA;IAExB;;OAEG;IACH,WAAW,EAAE,OAAO,CAAA;IAEpB;;OAEG;IACH,eAAe,CAAC,EAAE,gBAAgB,GAAG,SAAS,CAAA;IAE9C;;OAEG;IACH,gBAAgB,CAAC,EAAE,gBAAgB,CAAA;IAEnC;;OAEG;IACH,gBAAgB,CAAC,EAAE,gBAAgB,CAAA;IAEnC;;OAEG;IACH,WAAW,CAAC,EAAE,WAAW,CAAA;IAEzB;;OAEG;IACH,WAAW,CAAC,EAAE,WAAW,CAAA;IAEzB;;OAEG;IACH,0BAA0B,CAAC,EAAE,gBAAgB,GAAG,SAAS,CAAA;IAEzD;;OAEG;IACH,gBAAgB,CAAC,EAAE,gBAAgB,GAAG,SAAS,CAAA;IAE/C;;OAEG;IACH,iBAAiB,CAAC,EAAE,iBAAiB,CAAA;IAErC;;OAEG;IACH,sBAAsB,CAAC,EAAE,OAAO,CAAA;IAEhC;;;;;;;;;;;;;;OAcG;IACH,SAAS,CAAC,EAAE,aAAa,EAAE,CAAA;CAC5B"}

package/dist/cjs/index.d.ts

@@ -1,9 +1,9 @@
 export { getDenialReasons, type DenialPolicyType, type RequestDenial } from './analysis/analyzeResults.js';
 export { typeForContextKey } from './context_keys/contextKeys.js';
-export { type BaseConditionKeyType, isConditionKeyArray, type ConditionKeyType } from './context_keys/contextKeyTypes.js';
+export { isConditionKeyArray, type BaseConditionKeyType, type ConditionKeyType } from './context_keys/contextKeyTypes.js';
 export { findContextKeys } from './context_keys/findContextKeys.js';
 export type { SimulationMode } from './core_engine/CoreSimulatorEngine.js';
-export type { EvaluationResult, IgnoredCondition, IgnoredConditions, RequestAnalysis } from './evaluate.js';
+export type { BlockedReason, EvaluationResult, IgnoredCondition, IgnoredConditions, RequestAnalysis } from './evaluate.js';
 export type { ActionExplain, ConditionExplain, ConditionValueExplain, ExplainPrincipalMatch, PrincipalExplain, ResourceExplain, StatementExplain } from './explain/statementExplain.js';
 export { allowedContextKeysForRequest } from './simulation_engine/contextKeys.js';
 export type { Simulation, SimulationIdentityPolicy, SimulationOrgPolicies } from './simulation_engine/simulation.js';

package/dist/cjs/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,gBAAgB,EAChB,KAAK,gBAAgB,EACrB,KAAK,aAAa,EACnB,MAAM,8BAA8B,CAAA;AACrC,OAAO,EAAE,iBAAiB,EAAE,MAAM,+BAA+B,CAAA;AACjE,OAAO,EACL,KAAK,oBAAoB,EACzB,mBAAmB,EACnB,KAAK,gBAAgB,EACtB,MAAM,mCAAmC,CAAA;AAC1C,OAAO,EAAE,eAAe,EAAE,MAAM,mCAAmC,CAAA;AACnE,YAAY,EAAE,cAAc,EAAE,MAAM,sCAAsC,CAAA;AAC1E,YAAY,EACV,gBAAgB,EAChB,gBAAgB,EAChB,iBAAiB,EACjB,eAAe,EAChB,MAAM,eAAe,CAAA;AACtB,YAAY,EACV,aAAa,EACb,gBAAgB,EAChB,qBAAqB,EACrB,qBAAqB,EACrB,gBAAgB,EAChB,eAAe,EACf,gBAAgB,EACjB,MAAM,+BAA+B,CAAA;AACtC,OAAO,EAAE,4BAA4B,EAAE,MAAM,oCAAoC,CAAA;AACjF,YAAY,EACV,UAAU,EACV,wBAAwB,EACxB,qBAAqB,EACtB,MAAM,mCAAmC,CAAA;AAC1C,OAAO,EAAE,aAAa,EAAE,MAAM,yCAAyC,CAAA;AACvE,YAAY,EACV,qBAAqB,EACrB,oBAAoB,EACpB,gBAAgB,EAChB,wBAAwB,EACxB,oBAAoB,EACpB,8BAA8B,EAC9B,8BAA8B,EAC9B,iCAAiC,EACjC,gCAAgC,EACjC,MAAM,yCAAyC,CAAA;AAChD,YAAY,EAAE,iBAAiB,EAAE,MAAM,0CAA0C,CAAA;AACjF,OAAO,EAAE,mBAAmB,EAAE,MAAM,+CAA+C,CAAA;AACnF,OAAO,EAAE,oBAAoB,EAAE,MAAM,WAAW,CAAA"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,gBAAgB,EAChB,KAAK,gBAAgB,EACrB,KAAK,aAAa,EACnB,MAAM,8BAA8B,CAAA;AACrC,OAAO,EAAE,iBAAiB,EAAE,MAAM,+BAA+B,CAAA;AACjE,OAAO,EACL,mBAAmB,EACnB,KAAK,oBAAoB,EACzB,KAAK,gBAAgB,EACtB,MAAM,mCAAmC,CAAA;AAC1C,OAAO,EAAE,eAAe,EAAE,MAAM,mCAAmC,CAAA;AACnE,YAAY,EAAE,cAAc,EAAE,MAAM,sCAAsC,CAAA;AAC1E,YAAY,EACV,aAAa,EACb,gBAAgB,EAChB,gBAAgB,EAChB,iBAAiB,EACjB,eAAe,EAChB,MAAM,eAAe,CAAA;AACtB,YAAY,EACV,aAAa,EACb,gBAAgB,EAChB,qBAAqB,EACrB,qBAAqB,EACrB,gBAAgB,EAChB,eAAe,EACf,gBAAgB,EACjB,MAAM,+BAA+B,CAAA;AACtC,OAAO,EAAE,4BAA4B,EAAE,MAAM,oCAAoC,CAAA;AACjF,YAAY,EACV,UAAU,EACV,wBAAwB,EACxB,qBAAqB,EACtB,MAAM,mCAAmC,CAAA;AAC1C,OAAO,EAAE,aAAa,EAAE,MAAM,yCAAyC,CAAA;AACvE,YAAY,EACV,qBAAqB,EACrB,oBAAoB,EACpB,gBAAgB,EAChB,wBAAwB,EACxB,oBAAoB,EACpB,8BAA8B,EAC9B,8BAA8B,EAC9B,iCAAiC,EACjC,gCAAgC,EACjC,MAAM,yCAAyC,CAAA;AAChD,YAAY,EAAE,iBAAiB,EAAE,MAAM,0CAA0C,CAAA;AACjF,OAAO,EAAE,mBAAmB,EAAE,MAAM,+CAA+C,CAAA;AACnF,OAAO,EAAE,oBAAoB,EAAE,MAAM,WAAW,CAAA"}

package/dist/cjs/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";;;AAAA,kEAIqC;AAHnC,qHAAA,gBAAgB,OAAA;AAIlB,gEAAiE;AAAxD,mHAAA,iBAAiB,OAAA;AAC1B,wEAI0C;AAFxC,yHAAA,mBAAmB,OAAA;AAGrB,wEAAmE;AAA1D,qHAAA,eAAe,OAAA;AAiBxB,qEAAiF;AAAxE,8HAAA,4BAA4B,OAAA;AAMrC,+EAAuE;AAA9D,oHAAA,aAAa,OAAA;AAatB,2FAAmF;AAA1E,gIAAA,mBAAmB,OAAA;AAC5B,qCAAgD;AAAvC,+GAAA,oBAAoB,OAAA"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";;;AAAA,kEAIqC;AAHnC,qHAAA,gBAAgB,OAAA;AAIlB,gEAAiE;AAAxD,mHAAA,iBAAiB,OAAA;AAC1B,wEAI0C;AAHxC,yHAAA,mBAAmB,OAAA;AAIrB,wEAAmE;AAA1D,qHAAA,eAAe,OAAA;AAkBxB,qEAAiF;AAAxE,8HAAA,4BAA4B,OAAA;AAMrC,+EAAuE;AAA9D,oHAAA,aAAa,OAAA;AAatB,2FAAmF;AAA1E,gIAAA,mBAAmB,OAAA;AAC5B,qCAAgD;AAAvC,+GAAA,oBAAoB,OAAA"}

package/dist/cjs/services/DefaultServiceAuthorizer.d.ts

@@ -20,5 +20,21 @@ export declare class DefaultServiceAuthorizer implements ServiceAuthorizer {
      * @returns true if the service trusts the principal's account IAM policies
      */
     serviceTrustsPrincipalAccount(sameAccount: boolean, resourceAnalysis: ResourceAnalysis, resource: RequestResource): boolean;
+    /**
+     * Evaluations whether the minimum requirements for the request to be allowed are met based on the core policies
+     *   - Identity
+     *   - Resource
+     *   - Session
+     *
+     * Depending on the service, and whether the principal and resources are in the same account, the requirements may differ.
+     * For same account requests, for most services an Allow in the resource policy or the identity policy is sufficient to
+     * allow the request, so this function will return 'Allowed'. If there is an explicit deny elsewhere, that is not considered.
+     * This function only determines if there are enough core policies to allow the request, and final determination of the
+     * request is done elsewhere.
+     *
+     * @param request the service authorization request containing all analyses
+     * @returns 'Allowed' if the core policies allow the request, otherwise may return 'ImplicitlyDenied' or 'ExplicitlyDenied' depending on the analyses
+     */
+    private initialEvaluationResult;
 }
 //# sourceMappingURL=DefaultServiceAuthorizer.d.ts.map

package/dist/cjs/services/DefaultServiceAuthorizer.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"DefaultServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":"AAOA,OAAO,EAAE,KAAK,eAAe,EAAE,KAAK,gBAAgB,EAAE,MAAM,gBAAgB,CAAA;AAC5E,OAAO,EAAE,KAAK,eAAe,EAAE,MAAM,+BAA+B,CAAA;AACpE,OAAO,EAAE,KAAK,2BAA2B,EAAE,KAAK,iBAAiB,EAAE,MAAM,wBAAwB,CAAA;AAEjG;;GAEG;AACH,qBAAa,wBAAyB,YAAW,iBAAiB;IAChE;;;;;OAKG;IACI,SAAS,CAAC,OAAO,EAAE,2BAA2B,GAAG,eAAe;IA+NvE;;;;;;OAMG;IACH,6BAA6B,CAC3B,WAAW,EAAE,OAAO,EACpB,gBAAgB,EAAE,gBAAgB,EAClC,QAAQ,EAAE,eAAe,GACxB,OAAO;CASX"}
+{"version":3,"file":"DefaultServiceAuthorizer.d.ts","sourceRoot":"","sources":["../../../src/services/DefaultServiceAuthorizer.ts"],"names":[],"mappings":"AAOA,OAAO,EAGL,KAAK,eAAe,EACpB,KAAK,gBAAgB,EACtB,MAAM,gBAAgB,CAAA;AACvB,OAAO,EAAE,KAAK,eAAe,EAAE,MAAM,+BAA+B,CAAA;AACpE,OAAO,EAAE,KAAK,2BAA2B,EAAE,KAAK,iBAAiB,EAAE,MAAM,wBAAwB,CAAA;AAuEjG;;GAEG;AACH,qBAAa,wBAAyB,YAAW,iBAAiB;IAChE;;;;;OAKG;IACI,SAAS,CAAC,OAAO,EAAE,2BAA2B,GAAG,eAAe;IAuIvE;;;;;;OAMG;IACH,6BAA6B,CAC3B,WAAW,EAAE,OAAO,EACpB,gBAAgB,EAAE,gBAAgB,EAClC,QAAQ,EAAE,eAAe,GACxB,OAAO;IAUV;;;;;;;;;;;;;;OAcG;IACH,OAAO,CAAC,uBAAuB;CA+ChC"}

package/dist/cjs/services/DefaultServiceAuthorizer.js

@@ -2,6 +2,71 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.DefaultServiceAuthorizer = void 0;
 const iam_utils_1 = require("@cloud-copilot/iam-utils");
+/**
+ * This helper class keeps track of which factors are blocking a request and what the overall result is
+ * based on those blocks.
+ */
+class BlockedByLog {
+    coreResult;
+    blockedBy = new Set();
+    result;
+    /**
+     * Create the BlockedByLog
+     *
+     * @param coreResult the core result of the authorization. Is the request allowed or denied based on the core policies (identity, resource, session).
+     */
+    constructor(coreResult) {
+        this.coreResult = coreResult;
+        this.result = coreResult;
+    }
+    /**
+     * Add a blocking factor to the log and update the overall result accordingly.
+     *
+     * @param reason the reason for the block.
+     * @param result the result of the block (ImplicitlyDenied, ExplicitlyDenied)
+     */
+    add(reason, result) {
+        if (this.coreResult === 'Allowed' && result !== 'Allowed') {
+            this.blockedBy.add(reason);
+        }
+        this.setResult(result);
+    }
+    /**
+     * Calculates and sets the new overall result based on the new block reason and the previous result.
+     *
+     * The result can only be modified down so Allowed -> ImplicitlyDenied -> ExplicitlyDenied.
+     *
+     * @param newResult the result of the new block reason being added.
+     */
+    setResult(newResult) {
+        // Explicit denies override everything
+        if (this.result === 'ExplicitlyDenied') {
+            return;
+        }
+        if (newResult === 'ExplicitlyDenied') {
+            this.result = 'ExplicitlyDenied';
+        }
+        else if (newResult === 'ImplicitlyDenied') {
+            this.result = 'ImplicitlyDenied';
+        }
+    }
+    /**
+     * Get the overall result after all blocks (if any) have been added.
+     *
+     * @returns the overall result after all blocks (if any) have been added.
+     */
+    getResult() {
+        return this.result;
+    }
+    /**
+     * Get the list of reasons that are blocking the request after the core result.
+     *
+     * @returns an array of reasons that are blocking the request after the core result.
+     */
+    getBlockedBy() {
+        return Array.from(this.blockedBy);
+    }
+}
 /**
  * The default authorizer for services.
  */
@@ -15,7 +80,6 @@ class DefaultServiceAuthorizer {
     authorize(request) {
         const scpResult = request.scpAnalysis.result;
         const rcpResult = request.rcpAnalysis.result;
-        const sessionResult = request.sessionAnalysis?.result;
         const identityStatementResult = request.identityAnalysis.result;
         const resourcePolicyResult = request.resourceAnalysis?.result;
         const permissionBoundaryResult = request.permissionBoundaryAnalysis?.result;
@@ -33,66 +97,26 @@ class DefaultServiceAuthorizer {
             permissionBoundaryAnalysis: request.permissionBoundaryAnalysis,
             endpointAnalysis: request.endpointAnalysis
         };
-        if (scpResult !== 'Allowed') {
-            return {
-                result: scpResult,
-                ...baseResult
-            };
-        }
-        if (rcpResult !== 'Allowed') {
-            return {
-                result: rcpResult,
-                ...baseResult
-            };
-        }
-        if (sessionResult && sessionResult !== 'Allowed') {
-            return {
-                result: sessionResult,
-                ...baseResult
-            };
-        }
+        const coreResult = this.initialEvaluationResult(request);
+        const blockedByLog = new BlockedByLog(coreResult);
+        blockedByLog.add('scp', scpResult);
+        blockedByLog.add('rcp', rcpResult);
         if (endpointPolicyResult === 'ExplicitlyDenied' ||
             endpointPolicyResult === 'ImplicitlyDenied') {
-            return {
-                result: endpointPolicyResult,
-                ...baseResult
-            };
+            blockedByLog.add('vpce', endpointPolicyResult);
         }
         if (resourcePolicyResult === 'ExplicitlyDenied' ||
             resourcePolicyResult === 'DeniedForAccount') {
-            return {
-                result: 'ExplicitlyDenied',
-                ...baseResult
-            };
+            blockedByLog.add('resource', 'ExplicitlyDenied');
         }
         if (identityStatementResult === 'ExplicitlyDenied') {
-            return {
-                result: 'ExplicitlyDenied',
-                ...baseResult
-            };
+            blockedByLog.add('identity', 'ExplicitlyDenied');
         }
         if (permissionBoundaryResult === 'ExplicitlyDenied') {
-            return {
-                result: 'ExplicitlyDenied',
-                ...baseResult
-            };
-        }
-        // Service Principals
-        if ((0, iam_utils_1.isServicePrincipal)(request.request.principal.value())) {
-            // Service principals are allowed if the resource policy allows them
-            if (resourcePolicyResult === 'Allowed') {
-                return {
-                    result: 'Allowed',
-                    ...baseResult
-                };
-            }
-            return {
-                result: 'ImplicitlyDenied',
-                ...baseResult
-            };
+            blockedByLog.add('pb', 'ExplicitlyDenied');
         }
         //Same Account
-        if (principalAccount === resourceAccount) {
+        if (sameAccount) {
             if (permissionBoundaryResult === 'ImplicitlyDenied') {
                 /**
                  * If the permission boundary is an implicit deny
@@ -106,80 +130,48 @@ class DefaultServiceAuthorizer {
                     const principal = request.request.principal.value();
                     if ((0, iam_utils_1.isIamRoleArn)(principal) &&
                         request.simulationParameters.simulationMode === 'Discovery') {
-                        if (request.resourceAnalysis.allowStatements.some((statement) => statement.principalMatch === 'Match' && statement.ignoredRoleSessionName)) {
-                            return {
-                                result: 'Allowed',
-                                ...baseResult
-                            };
+                        // Principal is a role and may match a session. Check since we are in Discovery mode.
+                        if (!request.resourceAnalysis.allowStatements.some((statement) => statement.principalMatch === 'Match' && statement.ignoredRoleSessionName)) {
+                            blockedByLog.add('pb', 'ImplicitlyDenied');
                         }
                     }
-                    if ((0, iam_utils_1.isAssumedRoleArn)(principal) ||
+                    else if ((0, iam_utils_1.isAssumedRoleArn)(principal) ||
                         (0, iam_utils_1.isIamUserArn)(principal) ||
                         (0, iam_utils_1.isFederatedUserArn)(principal)) {
-                        if (request.resourceAnalysis.allowStatements.some((statement) => statement.principalMatch === 'Match')) {
-                            return {
-                                result: 'Allowed',
-                                ...baseResult
-                            };
+                        // If the principal is an assumed role, IAM user, or federated user ARN, check if the resource
+                        // policy allows the exact ARN.
+                        if (!request.resourceAnalysis.allowStatements.some((statement) => statement.principalMatch === 'Match')) {
+                            blockedByLog.add('pb', 'ImplicitlyDenied');
                         }
                     }
+                    else {
+                        // Not in discovery mode or doesn't match a session/user exactly, so the permission boundary implicit deny applies.
+                        blockedByLog.add('pb', 'ImplicitlyDenied');
+                    }
+                }
+                else {
+                    // Resource policy doesn't allow the principal, so the permission boundary implicit deny applies.
+                    blockedByLog.add('pb', 'ImplicitlyDenied');
                 }
-                return {
-                    result: 'ImplicitlyDenied',
-                    ...baseResult
-                };
-            }
-            /*
-              TODO: Implicit denies in identity policies
-              I think if the identity policy has an implicit deny for assumed roles or federated users,
-              then the resource policy must have the federated or assumed role ARN exactly.
-      
-              That doesn't seem right though. I know many cases where the resource policy has the role ARN and it works
-      
-              Need to add some tests for this.
-            */
-            const trustedAccount = this.serviceTrustsPrincipalAccount(sameAccount, request.resourceAnalysis, request.request.resource);
-            if (resourcePolicyResult === 'Allowed' ||
-                (trustedAccount && identityStatementResult === 'Allowed')) {
-                return {
-                    result: 'Allowed',
-                    ...baseResult
-                };
             }
-            return {
-                result: 'ImplicitlyDenied',
-                ...baseResult
-            };
         }
-        //Cross Account
-        if (permissionBoundaryResult === 'ImplicitlyDenied') {
-            return {
-                result: 'ImplicitlyDenied',
-                ...baseResult
-            };
-        }
-        if (resourcePolicyResult === 'Allowed' || resourcePolicyResult === 'AllowedForAccount') {
-            if (identityStatementResult === 'Allowed') {
-                return {
-                    result: 'Allowed',
-                    ...baseResult
-                };
+        else {
+            //Cross Account
+            if (permissionBoundaryResult === 'ImplicitlyDenied') {
+                blockedByLog.add('pb', 'ImplicitlyDenied');
             }
-            return {
-                result: 'ImplicitlyDenied',
-                ...baseResult
-            };
+        }
+        const blockedReasons = blockedByLog.getBlockedBy();
+        if (blockedReasons.length !== 0) {
+            baseResult.blockedBy = blockedReasons;
         }
         return {
-            result: 'ImplicitlyDenied',
+            result: blockedByLog.getResult(),
             ...baseResult
         };
         /**
          * Add checks for:
          * * root user - can override resource policies for most resource types
-         * * service linked roles - ignore SCPs and RCPs
-         * * session policies
-         * * vpc endpoint policies
          * * organization APIs and delegated admin policy
          */
     }
@@ -196,6 +188,56 @@ class DefaultServiceAuthorizer {
         }
         return resourceAnalysis.allowStatements.some((statement) => statement.principalMatch === 'AccountLevelMatch');
     }
+    /**
+     * Evaluations whether the minimum requirements for the request to be allowed are met based on the core policies
+     *   - Identity
+     *   - Resource
+     *   - Session
+     *
+     * Depending on the service, and whether the principal and resources are in the same account, the requirements may differ.
+     * For same account requests, for most services an Allow in the resource policy or the identity policy is sufficient to
+     * allow the request, so this function will return 'Allowed'. If there is an explicit deny elsewhere, that is not considered.
+     * This function only determines if there are enough core policies to allow the request, and final determination of the
+     * request is done elsewhere.
+     *
+     * @param request the service authorization request containing all analyses
+     * @returns 'Allowed' if the core policies allow the request, otherwise may return 'ImplicitlyDenied' or 'ExplicitlyDenied' depending on the analyses
+     */
+    initialEvaluationResult(request) {
+        const sessionResult = request.sessionAnalysis?.result;
+        const identityStatementResult = request.identityAnalysis.result;
+        const resourcePolicyResult = request.resourceAnalysis?.result;
+        const principalAccount = request.request.principal.accountId();
+        const resourceAccount = request.request.resource?.accountId();
+        const sameAccount = principalAccount === resourceAccount;
+        if (sessionResult && sessionResult !== 'Allowed') {
+            return sessionResult;
+        }
+        // Service Principals
+        if ((0, iam_utils_1.isServicePrincipal)(request.request.principal.value())) {
+            // Service principals are allowed if the resource policy allows them
+            if (resourcePolicyResult === 'Allowed') {
+                return 'Allowed';
+            }
+            return 'ImplicitlyDenied';
+        }
+        //Same Account
+        if (sameAccount) {
+            const trustedAccount = this.serviceTrustsPrincipalAccount(sameAccount, request.resourceAnalysis, request.request.resource);
+            if (resourcePolicyResult === 'Allowed' ||
+                (trustedAccount && identityStatementResult === 'Allowed')) {
+                return 'Allowed';
+            }
+            return 'ImplicitlyDenied';
+        }
+        //Cross Account
+        if (resourcePolicyResult === 'Allowed' || resourcePolicyResult === 'AllowedForAccount') {
+            if (identityStatementResult === 'Allowed') {
+                return 'Allowed';
+            }
+        }
+        return 'ImplicitlyDenied';
+    }
 }
 exports.DefaultServiceAuthorizer = DefaultServiceAuthorizer;
 //# sourceMappingURL=DefaultServiceAuthorizer.js.map