@crewhaus/policy-engine 0.1.3 → 0.1.5

package/dist/index.d.ts

@@ -0,0 +1,86 @@
+/**
+ * Catalog R8 `policy-engine` — side-effect classification + audit hooks.
+ *
+ * Composes with `permission-engine` (Section 7): permission grants
+ * "should this user be allowed to invoke this tool?" and policy grants
+ * "should the platform allow this side-effect class right now?". The
+ * gateway runs permission first, then policy; both must `allow` (or
+ * `audit-and-allow`) for the call to proceed.
+ *
+ * Side-effect classes:
+ *   "none"        — pure compute (e.g. ReadImage decoded in-process)
+ *   "filesystem"  — reads/writes inside the workspace
+ *   "network"     — makes external HTTP / SMTP / DNS calls
+ *   "external"    — any other observable side effect (default for
+ *                   tools without explicit flag — fail-closed)
+ *   "messaging"   — posts to a chat / email / external user surface
+ *
+ * Decision shape:
+ *   "allow"           — proceed
+ *   "audit-and-allow" — proceed AND emit an audit-log record
+ *   "deny"            — refuse with reason
+ *
+ * Layer R8. Pairs with `permission-engine` (R8) and `audit-log` (R17).
+ */
+import type { AuditLog } from "@crewhaus/audit-log";
+import { CrewhausError } from "@crewhaus/errors";
+export type SideEffect = "none" | "filesystem" | "network" | "external" | "messaging";
+export type PolicyDecision = "allow" | "audit-and-allow" | "deny";
+export type PolicyMode = "permissive" | "audit" | "strict";
+export type PolicyRule = {
+    /** Glob over tool name; "*" matches every tool. */
+    readonly toolPattern: string;
+    /** Side-effect classes the rule applies to; ["*"] for any. */
+    readonly sideEffects: ReadonlyArray<SideEffect | "*">;
+    readonly action: PolicyDecision;
+    /** Free-text reason returned to the gateway. */
+    readonly reason?: string;
+};
+export type ToolCallContext = {
+    readonly toolName: string;
+    /**
+     * The runtime infers `sideEffect` from the tool's flags:
+     *   readOnly + filesystem-only path     → "filesystem"
+     *   makes outbound network calls         → "network"
+     *   posts user-visible messages          → "messaging"
+     *   pure in-process compute              → "none"
+     *   anything else / unset                → "external"
+     *
+     * The gateway forwards this hint via the call site; tools that
+     * declare `sideEffect` explicitly override the heuristic.
+     */
+    readonly sideEffect?: SideEffect;
+    readonly input: unknown;
+    readonly tenantId?: string;
+};
+export type EvaluatePolicyResult = {
+    readonly decision: PolicyDecision;
+    readonly reason?: string;
+    readonly matchedRule?: number;
+};
+export declare class PolicyEngineError extends CrewhausError {
+    readonly name = "PolicyEngineError";
+    constructor(message: string, cause?: unknown);
+}
+export type EvaluatePolicyOptions = {
+    readonly mode?: PolicyMode;
+    readonly rules?: ReadonlyArray<PolicyRule>;
+    readonly tenantPolicy?: ReadonlyArray<PolicyRule>;
+};
+/**
+ * Decide policy for one tool call. Pure with respect to `call`,
+ * `mode`, and the rules. The `audit-and-allow` decision SHOULD be
+ * paired with `auditPolicyDecision(...)` to actually write the
+ * record — keeping I/O out of the pure decider keeps tests trivial.
+ */
+export declare function evaluatePolicy(call: ToolCallContext, opts?: EvaluatePolicyOptions): EvaluatePolicyResult;
+/**
+ * Append a `policy_decision` audit record. Callers should invoke this
+ * AFTER `evaluatePolicy` whenever the decision is `audit-and-allow` or
+ * `deny`. `allow` outcomes don't generate an audit row by default to
+ * keep the chain readable; pass `auditAll: true` to override.
+ */
+export declare function auditPolicyDecision(log: AuditLog, call: ToolCallContext, result: EvaluatePolicyResult, opts?: {
+    readonly auditAll?: boolean;
+}): Promise<void>;
+export declare const DEFAULT_POLICY_RULES: readonly PolicyRule[];

package/dist/index.js

@@ -0,0 +1,146 @@
+/**
+ * Catalog R8 `policy-engine` — side-effect classification + audit hooks.
+ *
+ * Composes with `permission-engine` (Section 7): permission grants
+ * "should this user be allowed to invoke this tool?" and policy grants
+ * "should the platform allow this side-effect class right now?". The
+ * gateway runs permission first, then policy; both must `allow` (or
+ * `audit-and-allow`) for the call to proceed.
+ *
+ * Side-effect classes:
+ *   "none"        — pure compute (e.g. ReadImage decoded in-process)
+ *   "filesystem"  — reads/writes inside the workspace
+ *   "network"     — makes external HTTP / SMTP / DNS calls
+ *   "external"    — any other observable side effect (default for
+ *                   tools without explicit flag — fail-closed)
+ *   "messaging"   — posts to a chat / email / external user surface
+ *
+ * Decision shape:
+ *   "allow"           — proceed
+ *   "audit-and-allow" — proceed AND emit an audit-log record
+ *   "deny"            — refuse with reason
+ *
+ * Layer R8. Pairs with `permission-engine` (R8) and `audit-log` (R17).
+ */
+import { CrewhausError } from "@crewhaus/errors";
+export class PolicyEngineError extends CrewhausError {
+    name = "PolicyEngineError";
+    constructor(message, cause) {
+        super("config", message, cause);
+    }
+}
+const DEFAULT_RULES = [
+    // Allow read-only / pure compute everywhere.
+    { toolPattern: "*", sideEffects: ["none"], action: "allow" },
+    // Audit filesystem reads — they're the easy data-leak vector.
+    {
+        toolPattern: "*",
+        sideEffects: ["filesystem"],
+        action: "audit-and-allow",
+        reason: "filesystem side-effect",
+    },
+    // Audit network calls — same reasoning.
+    {
+        toolPattern: "*",
+        sideEffects: ["network"],
+        action: "audit-and-allow",
+        reason: "network side-effect",
+    },
+    {
+        toolPattern: "*",
+        sideEffects: ["messaging"],
+        action: "audit-and-allow",
+        reason: "messaging side-effect",
+    },
+    // Default for unclassified ("external") — deny in strict, audit elsewhere.
+    // This rule is only consulted in strict mode (we apply mode-specific
+    // overrides below). Keeping it last ensures explicit rules take precedence.
+    {
+        toolPattern: "*",
+        sideEffects: ["external"],
+        action: "audit-and-allow",
+        reason: "external side-effect",
+    },
+];
+function patternMatches(pattern, value) {
+    if (pattern === "*")
+        return true;
+    if (pattern === value)
+        return true;
+    // Prefix wildcard: "Bash*" → starts with "Bash".
+    if (pattern.endsWith("*") && value.startsWith(pattern.slice(0, -1)))
+        return true;
+    return false;
+}
+function ruleMatches(rule, toolName, effect) {
+    if (!patternMatches(rule.toolPattern, toolName))
+        return false;
+    for (const e of rule.sideEffects) {
+        if (e === "*" || e === effect)
+            return true;
+    }
+    return false;
+}
+function applyMode(decision, mode) {
+    if (mode === "permissive" && decision === "deny")
+        return "audit-and-allow";
+    if (mode === "strict" && decision === "audit-and-allow")
+        return "deny";
+    return decision;
+}
+/**
+ * Decide policy for one tool call. Pure with respect to `call`,
+ * `mode`, and the rules. The `audit-and-allow` decision SHOULD be
+ * paired with `auditPolicyDecision(...)` to actually write the
+ * record — keeping I/O out of the pure decider keeps tests trivial.
+ */
+export function evaluatePolicy(call, opts = {}) {
+    const mode = opts.mode ?? "audit";
+    // Section 18 fail-closed default: tools without a sideEffect declaration
+    // are treated as "external" (the most-restrictive default class).
+    const effect = call.sideEffect ?? "external";
+    // Tenant rules win over global rules.
+    const ruleSets = [
+        opts.tenantPolicy ?? [],
+        opts.rules ?? DEFAULT_RULES,
+    ];
+    let idx = 0;
+    for (const set of ruleSets) {
+        for (const rule of set) {
+            if (ruleMatches(rule, call.toolName, effect)) {
+                const decision = applyMode(rule.action, mode);
+                return {
+                    decision,
+                    ...(rule.reason !== undefined ? { reason: rule.reason } : {}),
+                    matchedRule: idx,
+                };
+            }
+            idx += 1;
+        }
+    }
+    // Fail-closed: no rule matched.
+    return {
+        decision: applyMode("deny", mode),
+        reason: `no policy rule matched ${call.toolName} (sideEffect=${effect})`,
+    };
+}
+/**
+ * Append a `policy_decision` audit record. Callers should invoke this
+ * AFTER `evaluatePolicy` whenever the decision is `audit-and-allow` or
+ * `deny`. `allow` outcomes don't generate an audit row by default to
+ * keep the chain readable; pass `auditAll: true` to override.
+ */
+export async function auditPolicyDecision(log, call, result, opts = {}) {
+    if (result.decision === "allow" && opts.auditAll !== true)
+        return;
+    const payload = {
+        toolName: call.toolName,
+        sideEffect: call.sideEffect ?? "external",
+        decision: result.decision,
+        reason: result.reason,
+        tenantId: call.tenantId,
+        matchedRule: result.matchedRule,
+    };
+    await log.append({ kind: "policy_decision", payload });
+}
+export const DEFAULT_POLICY_RULES = DEFAULT_RULES;

package/package.json

@@ -1,19 +1,22 @@
 {
   "name": "@crewhaus/policy-engine",
-  "version": "0.1.3",
+  "version": "0.1.5",
   "type": "module",
   "description": "Side-effect classification + audit-and-allow policy decisions for the managed-daemon target",
-  "main": "src/index.ts",
-  "types": "src/index.ts",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
   "exports": {
-    ".": "./src/index.ts"
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    }
   },
   "scripts": {
     "test": "bun test src"
   },
   "dependencies": {
-    "@crewhaus/audit-log": "0.1.3",
-    "@crewhaus/errors": "0.1.3"
+    "@crewhaus/audit-log": "0.1.5",
+    "@crewhaus/errors": "0.1.5"
   },
   "license": "Apache-2.0",
   "author": {
@@ -33,5 +36,5 @@
   "publishConfig": {
     "access": "public"
   },
-  "files": ["src", "README.md", "LICENSE", "NOTICE"]
+  "files": ["dist", "README.md", "LICENSE", "NOTICE"]
 }

package/src/index.test.ts

@@ -1,178 +0,0 @@
-import { afterEach, beforeEach, describe, expect, test } from "bun:test";
-import { mkdtempSync, rmSync } from "node:fs";
-import { tmpdir } from "node:os";
-import { join } from "node:path";
-import { type AuditLog, openAuditLog } from "@crewhaus/audit-log";
-import { PolicyEngineError, type PolicyRule, auditPolicyDecision, evaluatePolicy } from "./index";
-
-let tmp: string;
-let log: AuditLog;
-
-beforeEach(async () => {
-  tmp = mkdtempSync(join(tmpdir(), "policy-engine-"));
-  log = await openAuditLog({ rootDir: tmp });
-});
-
-afterEach(() => {
-  rmSync(tmp, { recursive: true, force: true });
-});
-
-describe("evaluatePolicy — defaults (audit mode)", () => {
-  test("none side-effect → allow", () => {
-    const r = evaluatePolicy({ toolName: "ReadImage", sideEffect: "none", input: {} });
-    expect(r.decision).toBe("allow");
-  });
-
-  test("filesystem side-effect → audit-and-allow", () => {
-    const r = evaluatePolicy({ toolName: "Read", sideEffect: "filesystem", input: {} });
-    expect(r.decision).toBe("audit-and-allow");
-  });
-
-  test("network side-effect → audit-and-allow", () => {
-    const r = evaluatePolicy({ toolName: "WebFetch", sideEffect: "network", input: {} });
-    expect(r.decision).toBe("audit-and-allow");
-  });
-
-  test("messaging side-effect → audit-and-allow", () => {
-    const r = evaluatePolicy({
-      toolName: "SendMessage",
-      sideEffect: "messaging",
-      input: {},
-    });
-    expect(r.decision).toBe("audit-and-allow");
-  });
-
-  test("missing sideEffect defaults to external (fail-closed → audit-and-allow in audit mode)", () => {
-    const r = evaluatePolicy({ toolName: "Mystery", input: {} });
-    expect(r.decision).toBe("audit-and-allow");
-    expect(r.reason).toMatch(/external/);
-  });
-});
-
-describe("strict mode", () => {
-  test("audit-and-allow demoted to deny", () => {
-    const r = evaluatePolicy(
-      { toolName: "WebFetch", sideEffect: "network", input: {} },
-      { mode: "strict" },
-    );
-    expect(r.decision).toBe("deny");
-  });
-
-  test("none side-effect still allowed", () => {
-    const r = evaluatePolicy(
-      { toolName: "ReadImage", sideEffect: "none", input: {} },
-      { mode: "strict" },
-    );
-    expect(r.decision).toBe("allow");
-  });
-});
-
-describe("permissive mode", () => {
-  test("explicit deny rule is upgraded to audit-and-allow", () => {
-    const tenantPolicy: PolicyRule[] = [
-      {
-        toolPattern: "Bash",
-        sideEffects: ["*"],
-        action: "deny",
-        reason: "no shell in this tenant",
-      },
-    ];
-    const r = evaluatePolicy(
-      { toolName: "Bash", sideEffect: "external", input: {} },
-      { tenantPolicy, mode: "permissive" },
-    );
-    expect(r.decision).toBe("audit-and-allow");
-  });
-});
-
-describe("tenant overrides win over defaults", () => {
-  test("tenant deny wins over default audit-and-allow", () => {
-    const tenantPolicy: PolicyRule[] = [
-      {
-        toolPattern: "*",
-        sideEffects: ["network"],
-        action: "deny",
-        reason: "no egress in tenant-x",
-      },
-    ];
-    const r = evaluatePolicy(
-      { toolName: "WebFetch", sideEffect: "network", input: {} },
-      { tenantPolicy },
-    );
-    expect(r.decision).toBe("deny");
-    expect(r.reason).toMatch(/no egress/);
-  });
-
-  test("prefix glob matches", () => {
-    const tenantPolicy: PolicyRule[] = [
-      { toolPattern: "Web*", sideEffects: ["network"], action: "deny" },
-    ];
-    const r = evaluatePolicy(
-      { toolName: "WebFetch", sideEffect: "network", input: {} },
-      { tenantPolicy },
-    );
-    expect(r.decision).toBe("deny");
-  });
-});
-
-describe("PolicyEngineError", () => {
-  test("carries config code, stable name, and preserves the cause chain", () => {
-    const cause = new Error("bad rule glob");
-    const err = new PolicyEngineError("invalid policy config", cause);
-    expect(err).toBeInstanceOf(Error);
-    expect(err.name).toBe("PolicyEngineError");
-    expect(err.code).toBe("config");
-    expect(err.message).toBe("invalid policy config");
-    expect(err.cause).toBe(cause);
-    // Serializes its cause chain for the logging layer.
-    expect(err.toJSON()).toMatchObject({
-      name: "PolicyEngineError",
-      code: "config",
-      message: "invalid policy config",
-      cause: { name: "Error", message: "bad rule glob" },
-    });
-  });
-
-  test("constructs without a cause", () => {
-    const err = new PolicyEngineError("no cause");
-    expect(err.cause).toBeUndefined();
-    expect(err.toJSON().cause).toBeUndefined();
-  });
-});
-
-describe("auditPolicyDecision", () => {
-  test("audit-and-allow appends a policy_decision record", async () => {
-    const r = await auditPolicyDecision(
-      log,
-      { toolName: "Read", sideEffect: "filesystem", input: {} },
-      { decision: "audit-and-allow", reason: "fs" },
-    );
-    expect(r).toBeUndefined();
-    const records: unknown[] = [];
-    for await (const rec of log.read()) records.push(rec);
-    expect(records.length).toBe(1);
-  });
-
-  test("allow does NOT append by default", async () => {
-    await auditPolicyDecision(
-      log,
-      { toolName: "ReadImage", sideEffect: "none", input: {} },
-      { decision: "allow" },
-    );
-    const records: unknown[] = [];
-    for await (const rec of log.read()) records.push(rec);
-    expect(records.length).toBe(0);
-  });
-
-  test("auditAll: true appends even allow decisions", async () => {
-    await auditPolicyDecision(
-      log,
-      { toolName: "ReadImage", sideEffect: "none", input: {} },
-      { decision: "allow" },
-      { auditAll: true },
-    );
-    const records: unknown[] = [];
-    for await (const rec of log.read()) records.push(rec);
-    expect(records.length).toBe(1);
-  });
-});

package/src/index.ts

@@ -1,203 +0,0 @@
-/**
- * Catalog R8 `policy-engine` — side-effect classification + audit hooks.
- *
- * Composes with `permission-engine` (Section 7): permission grants
- * "should this user be allowed to invoke this tool?" and policy grants
- * "should the platform allow this side-effect class right now?". The
- * gateway runs permission first, then policy; both must `allow` (or
- * `audit-and-allow`) for the call to proceed.
- *
- * Side-effect classes:
- *   "none"        — pure compute (e.g. ReadImage decoded in-process)
- *   "filesystem"  — reads/writes inside the workspace
- *   "network"     — makes external HTTP / SMTP / DNS calls
- *   "external"    — any other observable side effect (default for
- *                   tools without explicit flag — fail-closed)
- *   "messaging"   — posts to a chat / email / external user surface
- *
- * Decision shape:
- *   "allow"           — proceed
- *   "audit-and-allow" — proceed AND emit an audit-log record
- *   "deny"            — refuse with reason
- *
- * Layer R8. Pairs with `permission-engine` (R8) and `audit-log` (R17).
- */
-
-import type { AppendInput, AuditLog } from "@crewhaus/audit-log";
-import { CrewhausError } from "@crewhaus/errors";
-
-export type SideEffect = "none" | "filesystem" | "network" | "external" | "messaging";
-
-export type PolicyDecision = "allow" | "audit-and-allow" | "deny";
-
-export type PolicyMode = "permissive" | "audit" | "strict";
-
-export type PolicyRule = {
-  /** Glob over tool name; "*" matches every tool. */
-  readonly toolPattern: string;
-  /** Side-effect classes the rule applies to; ["*"] for any. */
-  readonly sideEffects: ReadonlyArray<SideEffect | "*">;
-  readonly action: PolicyDecision;
-  /** Free-text reason returned to the gateway. */
-  readonly reason?: string;
-};
-
-export type ToolCallContext = {
-  readonly toolName: string;
-  /**
-   * The runtime infers `sideEffect` from the tool's flags:
-   *   readOnly + filesystem-only path     → "filesystem"
-   *   makes outbound network calls         → "network"
-   *   posts user-visible messages          → "messaging"
-   *   pure in-process compute              → "none"
-   *   anything else / unset                → "external"
-   *
-   * The gateway forwards this hint via the call site; tools that
-   * declare `sideEffect` explicitly override the heuristic.
-   */
-  readonly sideEffect?: SideEffect;
-  readonly input: unknown;
-  readonly tenantId?: string;
-};
-
-export type EvaluatePolicyResult = {
-  readonly decision: PolicyDecision;
-  readonly reason?: string;
-  readonly matchedRule?: number;
-};
-
-export class PolicyEngineError extends CrewhausError {
-  override readonly name = "PolicyEngineError";
-  constructor(message: string, cause?: unknown) {
-    super("config", message, cause);
-  }
-}
-
-const DEFAULT_RULES: ReadonlyArray<PolicyRule> = [
-  // Allow read-only / pure compute everywhere.
-  { toolPattern: "*", sideEffects: ["none"], action: "allow" },
-  // Audit filesystem reads — they're the easy data-leak vector.
-  {
-    toolPattern: "*",
-    sideEffects: ["filesystem"],
-    action: "audit-and-allow",
-    reason: "filesystem side-effect",
-  },
-  // Audit network calls — same reasoning.
-  {
-    toolPattern: "*",
-    sideEffects: ["network"],
-    action: "audit-and-allow",
-    reason: "network side-effect",
-  },
-  {
-    toolPattern: "*",
-    sideEffects: ["messaging"],
-    action: "audit-and-allow",
-    reason: "messaging side-effect",
-  },
-  // Default for unclassified ("external") — deny in strict, audit elsewhere.
-  // This rule is only consulted in strict mode (we apply mode-specific
-  // overrides below). Keeping it last ensures explicit rules take precedence.
-  {
-    toolPattern: "*",
-    sideEffects: ["external"],
-    action: "audit-and-allow",
-    reason: "external side-effect",
-  },
-];
-
-function patternMatches(pattern: string, value: string): boolean {
-  if (pattern === "*") return true;
-  if (pattern === value) return true;
-  // Prefix wildcard: "Bash*" → starts with "Bash".
-  if (pattern.endsWith("*") && value.startsWith(pattern.slice(0, -1))) return true;
-  return false;
-}
-
-function ruleMatches(rule: PolicyRule, toolName: string, effect: SideEffect): boolean {
-  if (!patternMatches(rule.toolPattern, toolName)) return false;
-  for (const e of rule.sideEffects) {
-    if (e === "*" || e === effect) return true;
-  }
-  return false;
-}
-
-function applyMode(decision: PolicyDecision, mode: PolicyMode): PolicyDecision {
-  if (mode === "permissive" && decision === "deny") return "audit-and-allow";
-  if (mode === "strict" && decision === "audit-and-allow") return "deny";
-  return decision;
-}
-
-export type EvaluatePolicyOptions = {
-  readonly mode?: PolicyMode;
-  readonly rules?: ReadonlyArray<PolicyRule>;
-  readonly tenantPolicy?: ReadonlyArray<PolicyRule>;
-};
-
-/**
- * Decide policy for one tool call. Pure with respect to `call`,
- * `mode`, and the rules. The `audit-and-allow` decision SHOULD be
- * paired with `auditPolicyDecision(...)` to actually write the
- * record — keeping I/O out of the pure decider keeps tests trivial.
- */
-export function evaluatePolicy(
-  call: ToolCallContext,
-  opts: EvaluatePolicyOptions = {},
-): EvaluatePolicyResult {
-  const mode = opts.mode ?? "audit";
-  // Section 18 fail-closed default: tools without a sideEffect declaration
-  // are treated as "external" (the most-restrictive default class).
-  const effect: SideEffect = call.sideEffect ?? "external";
-
-  // Tenant rules win over global rules.
-  const ruleSets: ReadonlyArray<ReadonlyArray<PolicyRule>> = [
-    opts.tenantPolicy ?? [],
-    opts.rules ?? DEFAULT_RULES,
-  ];
-  let idx = 0;
-  for (const set of ruleSets) {
-    for (const rule of set) {
-      if (ruleMatches(rule, call.toolName, effect)) {
-        const decision = applyMode(rule.action, mode);
-        return {
-          decision,
-          ...(rule.reason !== undefined ? { reason: rule.reason } : {}),
-          matchedRule: idx,
-        };
-      }
-      idx += 1;
-    }
-  }
-  // Fail-closed: no rule matched.
-  return {
-    decision: applyMode("deny", mode),
-    reason: `no policy rule matched ${call.toolName} (sideEffect=${effect})`,
-  };
-}
-
-/**
- * Append a `policy_decision` audit record. Callers should invoke this
- * AFTER `evaluatePolicy` whenever the decision is `audit-and-allow` or
- * `deny`. `allow` outcomes don't generate an audit row by default to
- * keep the chain readable; pass `auditAll: true` to override.
- */
-export async function auditPolicyDecision(
-  log: AuditLog,
-  call: ToolCallContext,
-  result: EvaluatePolicyResult,
-  opts: { readonly auditAll?: boolean } = {},
-): Promise<void> {
-  if (result.decision === "allow" && opts.auditAll !== true) return;
-  const payload: AppendInput["payload"] = {
-    toolName: call.toolName,
-    sideEffect: call.sideEffect ?? "external",
-    decision: result.decision,
-    reason: result.reason,
-    tenantId: call.tenantId,
-    matchedRule: result.matchedRule,
-  };
-  await log.append({ kind: "policy_decision", payload });
-}
-
-export const DEFAULT_POLICY_RULES = DEFAULT_RULES;