npm - @crewhaus/policy-engine - Versions diffs - 0.1.4 → 0.1.5 - Mend

@crewhaus/policy-engine 0.1.4 → 0.1.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/index.d.ts ADDED Viewed

@@ -0,0 +1,86 @@
+/**
+ * Catalog R8 `policy-engine` — side-effect classification + audit hooks.
+ *
+ * Composes with `permission-engine` (Section 7): permission grants
+ * "should this user be allowed to invoke this tool?" and policy grants
+ * "should the platform allow this side-effect class right now?". The
+ * gateway runs permission first, then policy; both must `allow` (or
+ * `audit-and-allow`) for the call to proceed.
+ *
+ * Side-effect classes:
+ *   "none"        — pure compute (e.g. ReadImage decoded in-process)
+ *   "filesystem"  — reads/writes inside the workspace
+ *   "network"     — makes external HTTP / SMTP / DNS calls
+ *   "external"    — any other observable side effect (default for
+ *                   tools without explicit flag — fail-closed)
+ *   "messaging"   — posts to a chat / email / external user surface
+ *
+ * Decision shape:
+ *   "allow"           — proceed
+ *   "audit-and-allow" — proceed AND emit an audit-log record
+ *   "deny"            — refuse with reason
+ *
+ * Layer R8. Pairs with `permission-engine` (R8) and `audit-log` (R17).
+ */
+import type { AuditLog } from "@crewhaus/audit-log";
+import { CrewhausError } from "@crewhaus/errors";
+export type SideEffect = "none" | "filesystem" | "network" | "external" | "messaging";
+export type PolicyDecision = "allow" | "audit-and-allow" | "deny";
+export type PolicyMode = "permissive" | "audit" | "strict";
+export type PolicyRule = {
+    /** Glob over tool name; "*" matches every tool. */
+    readonly toolPattern: string;
+    /** Side-effect classes the rule applies to; ["*"] for any. */
+    readonly sideEffects: ReadonlyArray<SideEffect | "*">;
+    readonly action: PolicyDecision;
+    /** Free-text reason returned to the gateway. */
+    readonly reason?: string;
+};
+export type ToolCallContext = {
+    readonly toolName: string;
+    /**
+     * The runtime infers `sideEffect` from the tool's flags:
+     *   readOnly + filesystem-only path     → "filesystem"
+     *   makes outbound network calls         → "network"
+     *   posts user-visible messages          → "messaging"
+     *   pure in-process compute              → "none"
+     *   anything else / unset                → "external"
+     *
+     * The gateway forwards this hint via the call site; tools that
+     * declare `sideEffect` explicitly override the heuristic.
+     */
+    readonly sideEffect?: SideEffect;
+    readonly input: unknown;
+    readonly tenantId?: string;
+};
+export type EvaluatePolicyResult = {
+    readonly decision: PolicyDecision;
+    readonly reason?: string;
+    readonly matchedRule?: number;
+};
+export declare class PolicyEngineError extends CrewhausError {
+    readonly name = "PolicyEngineError";
+    constructor(message: string, cause?: unknown);
+}
+export type EvaluatePolicyOptions = {
+    readonly mode?: PolicyMode;
+    readonly rules?: ReadonlyArray<PolicyRule>;
+    readonly tenantPolicy?: ReadonlyArray<PolicyRule>;
+};
+/**
+ * Decide policy for one tool call. Pure with respect to `call`,
+ * `mode`, and the rules. The `audit-and-allow` decision SHOULD be
+ * paired with `auditPolicyDecision(...)` to actually write the
+ * record — keeping I/O out of the pure decider keeps tests trivial.
+ */
+export declare function evaluatePolicy(call: ToolCallContext, opts?: EvaluatePolicyOptions): EvaluatePolicyResult;
+/**
+ * Append a `policy_decision` audit record. Callers should invoke this
+ * AFTER `evaluatePolicy` whenever the decision is `audit-and-allow` or
+ * `deny`. `allow` outcomes don't generate an audit row by default to
+ * keep the chain readable; pass `auditAll: true` to override.
+ */
+export declare function auditPolicyDecision(log: AuditLog, call: ToolCallContext, result: EvaluatePolicyResult, opts?: {
+    readonly auditAll?: boolean;
+}): Promise<void>;
+export declare const DEFAULT_POLICY_RULES: readonly PolicyRule[];

package/dist/index.js ADDED Viewed

@@ -0,0 +1,146 @@
+/**
+ * Catalog R8 `policy-engine` — side-effect classification + audit hooks.
+ *
+ * Composes with `permission-engine` (Section 7): permission grants
+ * "should this user be allowed to invoke this tool?" and policy grants
+ * "should the platform allow this side-effect class right now?". The
+ * gateway runs permission first, then policy; both must `allow` (or
+ * `audit-and-allow`) for the call to proceed.
+ *
+ * Side-effect classes:
+ *   "none"        — pure compute (e.g. ReadImage decoded in-process)
+ *   "filesystem"  — reads/writes inside the workspace
+ *   "network"     — makes external HTTP / SMTP / DNS calls
+ *   "external"    — any other observable side effect (default for
+ *                   tools without explicit flag — fail-closed)
+ *   "messaging"   — posts to a chat / email / external user surface
+ *
+ * Decision shape:
+ *   "allow"           — proceed
+ *   "audit-and-allow" — proceed AND emit an audit-log record
+ *   "deny"            — refuse with reason
+ *
+ * Layer R8. Pairs with `permission-engine` (R8) and `audit-log` (R17).
+ */
+import { CrewhausError } from "@crewhaus/errors";
+export class PolicyEngineError extends CrewhausError {
+    name = "PolicyEngineError";
+    constructor(message, cause) {
+        super("config", message, cause);
+    }
+}
+const DEFAULT_RULES = [
+    // Allow read-only / pure compute everywhere.
+    { toolPattern: "*", sideEffects: ["none"], action: "allow" },
+    // Audit filesystem reads — they're the easy data-leak vector.
+    {
+        toolPattern: "*",
+        sideEffects: ["filesystem"],
+        action: "audit-and-allow",
+        reason: "filesystem side-effect",
+    },
+    // Audit network calls — same reasoning.
+    {
+        toolPattern: "*",
+        sideEffects: ["network"],
+        action: "audit-and-allow",
+        reason: "network side-effect",
+    },
+    {
+        toolPattern: "*",
+        sideEffects: ["messaging"],
+        action: "audit-and-allow",
+        reason: "messaging side-effect",
+    },
+    // Default for unclassified ("external") — deny in strict, audit elsewhere.
+    // This rule is only consulted in strict mode (we apply mode-specific
+    // overrides below). Keeping it last ensures explicit rules take precedence.
+    {
+        toolPattern: "*",
+        sideEffects: ["external"],
+        action: "audit-and-allow",
+        reason: "external side-effect",
+    },
+];
+function patternMatches(pattern, value) {
+    if (pattern === "*")
+        return true;
+    if (pattern === value)
+        return true;
+    // Prefix wildcard: "Bash*" → starts with "Bash".
+    if (pattern.endsWith("*") && value.startsWith(pattern.slice(0, -1)))
+        return true;
+    return false;
+}
+function ruleMatches(rule, toolName, effect) {
+    if (!patternMatches(rule.toolPattern, toolName))
+        return false;
+    for (const e of rule.sideEffects) {
+        if (e === "*" || e === effect)
+            return true;
+    }
+    return false;
+}
+function applyMode(decision, mode) {
+    if (mode === "permissive" && decision === "deny")
+        return "audit-and-allow";
+    if (mode === "strict" && decision === "audit-and-allow")
+        return "deny";
+    return decision;
+}
+/**
+ * Decide policy for one tool call. Pure with respect to `call`,
+ * `mode`, and the rules. The `audit-and-allow` decision SHOULD be
+ * paired with `auditPolicyDecision(...)` to actually write the
+ * record — keeping I/O out of the pure decider keeps tests trivial.
+ */
+export function evaluatePolicy(call, opts = {}) {
+    const mode = opts.mode ?? "audit";
+    // Section 18 fail-closed default: tools without a sideEffect declaration
+    // are treated as "external" (the most-restrictive default class).
+    const effect = call.sideEffect ?? "external";
+    // Tenant rules win over global rules.
+    const ruleSets = [
+        opts.tenantPolicy ?? [],
+        opts.rules ?? DEFAULT_RULES,
+    ];
+    let idx = 0;
+    for (const set of ruleSets) {
+        for (const rule of set) {
+            if (ruleMatches(rule, call.toolName, effect)) {
+                const decision = applyMode(rule.action, mode);
+                return {
+                    decision,
+                    ...(rule.reason !== undefined ? { reason: rule.reason } : {}),
+                    matchedRule: idx,
+                };
+            }
+            idx += 1;
+        }
+    }
+    // Fail-closed: no rule matched.
+    return {
+        decision: applyMode("deny", mode),
+        reason: `no policy rule matched ${call.toolName} (sideEffect=${effect})`,
+    };
+}
+/**
+ * Append a `policy_decision` audit record. Callers should invoke this
+ * AFTER `evaluatePolicy` whenever the decision is `audit-and-allow` or
+ * `deny`. `allow` outcomes don't generate an audit row by default to
+ * keep the chain readable; pass `auditAll: true` to override.
+ */
+export async function auditPolicyDecision(log, call, result, opts = {}) {
+    if (result.decision === "allow" && opts.auditAll !== true)
+        return;
+    const payload = {
+        toolName: call.toolName,
+        sideEffect: call.sideEffect ?? "external",
+        decision: result.decision,
+        reason: result.reason,
+        tenantId: call.tenantId,
+        matchedRule: result.matchedRule,
+    };
+    await log.append({ kind: "policy_decision", payload });
+}
+export const DEFAULT_POLICY_RULES = DEFAULT_RULES;

package/package.json CHANGED Viewed

@@ -1,19 +1,22 @@
 {
   "name": "@crewhaus/policy-engine",
-  "version": "0.1.4",
+  "version": "0.1.5",
   "type": "module",
   "description": "Side-effect classification + audit-and-allow policy decisions for the managed-daemon target",
-  "main": "src/index.ts",
-  "types": "src/index.ts",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
   "exports": {
-    ".": "./src/index.ts"
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    }
   },
   "scripts": {
     "test": "bun test src"
   },
   "dependencies": {
-    "@crewhaus/audit-log": "0.1.4",
-    "@crewhaus/errors": "0.1.4"
+    "@crewhaus/audit-log": "0.1.5",
+    "@crewhaus/errors": "0.1.5"
   },
   "license": "Apache-2.0",
   "author": {
@@ -33,5 +36,5 @@
   "publishConfig": {
     "access": "public"
   },
-  "files": ["src", "README.md", "LICENSE", "NOTICE"]
+  "files": ["dist", "README.md", "LICENSE", "NOTICE"]
 }

package/src/index.test.ts DELETED Viewed

@@ -1,178 +0,0 @@
-import { afterEach, beforeEach, describe, expect, test } from "bun:test";
-import { mkdtempSync, rmSync } from "node:fs";
-import { tmpdir } from "node:os";
-import { join } from "node:path";
-import { type AuditLog, openAuditLog } from "@crewhaus/audit-log";
-import { PolicyEngineError, type PolicyRule, auditPolicyDecision, evaluatePolicy } from "./index";
-let tmp: string;
-let log: AuditLog;
-beforeEach(async () => {
-  tmp = mkdtempSync(join(tmpdir(), "policy-engine-"));
-  log = await openAuditLog({ rootDir: tmp });
-});
-afterEach(() => {
-  rmSync(tmp, { recursive: true, force: true });
-});
-describe("evaluatePolicy — defaults (audit mode)", () => {
-  test("none side-effect → allow", () => {
-    const r = evaluatePolicy({ toolName: "ReadImage", sideEffect: "none", input: {} });
-    expect(r.decision).toBe("allow");
-  });
-  test("filesystem side-effect → audit-and-allow", () => {
-    const r = evaluatePolicy({ toolName: "Read", sideEffect: "filesystem", input: {} });
-    expect(r.decision).toBe("audit-and-allow");
-  });
-  test("network side-effect → audit-and-allow", () => {
-    const r = evaluatePolicy({ toolName: "WebFetch", sideEffect: "network", input: {} });
-    expect(r.decision).toBe("audit-and-allow");
-  });
-  test("messaging side-effect → audit-and-allow", () => {
-    const r = evaluatePolicy({
-      toolName: "SendMessage",
-      sideEffect: "messaging",
-      input: {},
-    });
-    expect(r.decision).toBe("audit-and-allow");
-  });
-  test("missing sideEffect defaults to external (fail-closed → audit-and-allow in audit mode)", () => {
-    const r = evaluatePolicy({ toolName: "Mystery", input: {} });
-    expect(r.decision).toBe("audit-and-allow");
-    expect(r.reason).toMatch(/external/);
-  });
-});
-describe("strict mode", () => {
-  test("audit-and-allow demoted to deny", () => {
-    const r = evaluatePolicy(
-      { toolName: "WebFetch", sideEffect: "network", input: {} },
-      { mode: "strict" },
-    );
-    expect(r.decision).toBe("deny");
-  });
-  test("none side-effect still allowed", () => {
-    const r = evaluatePolicy(
-      { toolName: "ReadImage", sideEffect: "none", input: {} },
-      { mode: "strict" },
-    );
-    expect(r.decision).toBe("allow");
-  });
-});
-describe("permissive mode", () => {
-  test("explicit deny rule is upgraded to audit-and-allow", () => {
-    const tenantPolicy: PolicyRule[] = [
-      {
-        toolPattern: "Bash",
-        sideEffects: ["*"],
-        action: "deny",
-        reason: "no shell in this tenant",
-      },
-    ];
-    const r = evaluatePolicy(
-      { toolName: "Bash", sideEffect: "external", input: {} },
-      { tenantPolicy, mode: "permissive" },
-    );
-    expect(r.decision).toBe("audit-and-allow");
-  });
-});
-describe("tenant overrides win over defaults", () => {
-  test("tenant deny wins over default audit-and-allow", () => {
-    const tenantPolicy: PolicyRule[] = [
-      {
-        toolPattern: "*",
-        sideEffects: ["network"],
-        action: "deny",
-        reason: "no egress in tenant-x",
-      },
-    ];
-    const r = evaluatePolicy(
-      { toolName: "WebFetch", sideEffect: "network", input: {} },
-      { tenantPolicy },
-    );
-    expect(r.decision).toBe("deny");
-    expect(r.reason).toMatch(/no egress/);
-  });
-  test("prefix glob matches", () => {
-    const tenantPolicy: PolicyRule[] = [
-      { toolPattern: "Web*", sideEffects: ["network"], action: "deny" },
-    ];
-    const r = evaluatePolicy(
-      { toolName: "WebFetch", sideEffect: "network", input: {} },
-      { tenantPolicy },
-    );
-    expect(r.decision).toBe("deny");
-  });
-});
-describe("PolicyEngineError", () => {
-  test("carries config code, stable name, and preserves the cause chain", () => {
-    const cause = new Error("bad rule glob");
-    const err = new PolicyEngineError("invalid policy config", cause);
-    expect(err).toBeInstanceOf(Error);
-    expect(err.name).toBe("PolicyEngineError");
-    expect(err.code).toBe("config");
-    expect(err.message).toBe("invalid policy config");
-    expect(err.cause).toBe(cause);
-    // Serializes its cause chain for the logging layer.
-    expect(err.toJSON()).toMatchObject({
-      name: "PolicyEngineError",
-      code: "config",
-      message: "invalid policy config",
-      cause: { name: "Error", message: "bad rule glob" },
-    });
-  });
-  test("constructs without a cause", () => {
-    const err = new PolicyEngineError("no cause");
-    expect(err.cause).toBeUndefined();
-    expect(err.toJSON().cause).toBeUndefined();
-  });
-});
-describe("auditPolicyDecision", () => {
-  test("audit-and-allow appends a policy_decision record", async () => {
-    const r = await auditPolicyDecision(
-      log,
-      { toolName: "Read", sideEffect: "filesystem", input: {} },
-      { decision: "audit-and-allow", reason: "fs" },
-    );
-    expect(r).toBeUndefined();
-    const records: unknown[] = [];
-    for await (const rec of log.read()) records.push(rec);
-    expect(records.length).toBe(1);
-  });
-  test("allow does NOT append by default", async () => {
-    await auditPolicyDecision(
-      log,
-      { toolName: "ReadImage", sideEffect: "none", input: {} },
-      { decision: "allow" },
-    );
-    const records: unknown[] = [];
-    for await (const rec of log.read()) records.push(rec);
-    expect(records.length).toBe(0);
-  });
-  test("auditAll: true appends even allow decisions", async () => {
-    await auditPolicyDecision(
-      log,
-      { toolName: "ReadImage", sideEffect: "none", input: {} },
-      { decision: "allow" },
-      { auditAll: true },
-    );
-    const records: unknown[] = [];
-    for await (const rec of log.read()) records.push(rec);
-    expect(records.length).toBe(1);
-  });
-});

package/src/index.ts DELETED Viewed

@@ -1,203 +0,0 @@
-/**
- * Catalog R8 `policy-engine` — side-effect classification + audit hooks.
- *
- * Composes with `permission-engine` (Section 7): permission grants
- * "should this user be allowed to invoke this tool?" and policy grants
- * "should the platform allow this side-effect class right now?". The
- * gateway runs permission first, then policy; both must `allow` (or
- * `audit-and-allow`) for the call to proceed.
- *
- * Side-effect classes:
- *   "none"        — pure compute (e.g. ReadImage decoded in-process)
- *   "filesystem"  — reads/writes inside the workspace
- *   "network"     — makes external HTTP / SMTP / DNS calls
- *   "external"    — any other observable side effect (default for
- *                   tools without explicit flag — fail-closed)
- *   "messaging"   — posts to a chat / email / external user surface
- *
- * Decision shape:
- *   "allow"           — proceed
- *   "audit-and-allow" — proceed AND emit an audit-log record
- *   "deny"            — refuse with reason
- *
- * Layer R8. Pairs with `permission-engine` (R8) and `audit-log` (R17).
- */
-import type { AppendInput, AuditLog } from "@crewhaus/audit-log";
-import { CrewhausError } from "@crewhaus/errors";
-export type SideEffect = "none" | "filesystem" | "network" | "external" | "messaging";
-export type PolicyDecision = "allow" | "audit-and-allow" | "deny";
-export type PolicyMode = "permissive" | "audit" | "strict";
-export type PolicyRule = {
-  /** Glob over tool name; "*" matches every tool. */
-  readonly toolPattern: string;
-  /** Side-effect classes the rule applies to; ["*"] for any. */
-  readonly sideEffects: ReadonlyArray<SideEffect | "*">;
-  readonly action: PolicyDecision;
-  /** Free-text reason returned to the gateway. */
-  readonly reason?: string;
-};
-export type ToolCallContext = {
-  readonly toolName: string;
-  /**
-   * The runtime infers `sideEffect` from the tool's flags:
-   *   readOnly + filesystem-only path     → "filesystem"
-   *   makes outbound network calls         → "network"
-   *   posts user-visible messages          → "messaging"
-   *   pure in-process compute              → "none"
-   *   anything else / unset                → "external"
-   *
-   * The gateway forwards this hint via the call site; tools that
-   * declare `sideEffect` explicitly override the heuristic.
-   */
-  readonly sideEffect?: SideEffect;
-  readonly input: unknown;
-  readonly tenantId?: string;
-};
-export type EvaluatePolicyResult = {
-  readonly decision: PolicyDecision;
-  readonly reason?: string;
-  readonly matchedRule?: number;
-};
-export class PolicyEngineError extends CrewhausError {
-  override readonly name = "PolicyEngineError";
-  constructor(message: string, cause?: unknown) {
-    super("config", message, cause);
-  }
-}
-const DEFAULT_RULES: ReadonlyArray<PolicyRule> = [
-  // Allow read-only / pure compute everywhere.
-  { toolPattern: "*", sideEffects: ["none"], action: "allow" },
-  // Audit filesystem reads — they're the easy data-leak vector.
-  {
-    toolPattern: "*",
-    sideEffects: ["filesystem"],
-    action: "audit-and-allow",
-    reason: "filesystem side-effect",
-  },
-  // Audit network calls — same reasoning.
-  {
-    toolPattern: "*",
-    sideEffects: ["network"],
-    action: "audit-and-allow",
-    reason: "network side-effect",
-  },
-  {
-    toolPattern: "*",
-    sideEffects: ["messaging"],
-    action: "audit-and-allow",
-    reason: "messaging side-effect",
-  },
-  // Default for unclassified ("external") — deny in strict, audit elsewhere.
-  // This rule is only consulted in strict mode (we apply mode-specific
-  // overrides below). Keeping it last ensures explicit rules take precedence.
-  {
-    toolPattern: "*",
-    sideEffects: ["external"],
-    action: "audit-and-allow",
-    reason: "external side-effect",
-  },
-];
-function patternMatches(pattern: string, value: string): boolean {
-  if (pattern === "*") return true;
-  if (pattern === value) return true;
-  // Prefix wildcard: "Bash*" → starts with "Bash".
-  if (pattern.endsWith("*") && value.startsWith(pattern.slice(0, -1))) return true;
-  return false;
-}
-function ruleMatches(rule: PolicyRule, toolName: string, effect: SideEffect): boolean {
-  if (!patternMatches(rule.toolPattern, toolName)) return false;
-  for (const e of rule.sideEffects) {
-    if (e === "*" || e === effect) return true;
-  }
-  return false;
-}
-function applyMode(decision: PolicyDecision, mode: PolicyMode): PolicyDecision {
-  if (mode === "permissive" && decision === "deny") return "audit-and-allow";
-  if (mode === "strict" && decision === "audit-and-allow") return "deny";
-  return decision;
-}
-export type EvaluatePolicyOptions = {
-  readonly mode?: PolicyMode;
-  readonly rules?: ReadonlyArray<PolicyRule>;
-  readonly tenantPolicy?: ReadonlyArray<PolicyRule>;
-};
-/**
- * Decide policy for one tool call. Pure with respect to `call`,
- * `mode`, and the rules. The `audit-and-allow` decision SHOULD be
- * paired with `auditPolicyDecision(...)` to actually write the
- * record — keeping I/O out of the pure decider keeps tests trivial.
- */
-export function evaluatePolicy(
-  call: ToolCallContext,
-  opts: EvaluatePolicyOptions = {},
-): EvaluatePolicyResult {
-  const mode = opts.mode ?? "audit";
-  // Section 18 fail-closed default: tools without a sideEffect declaration
-  // are treated as "external" (the most-restrictive default class).
-  const effect: SideEffect = call.sideEffect ?? "external";
-  // Tenant rules win over global rules.
-  const ruleSets: ReadonlyArray<ReadonlyArray<PolicyRule>> = [
-    opts.tenantPolicy ?? [],
-    opts.rules ?? DEFAULT_RULES,
-  ];
-  let idx = 0;
-  for (const set of ruleSets) {
-    for (const rule of set) {
-      if (ruleMatches(rule, call.toolName, effect)) {
-        const decision = applyMode(rule.action, mode);
-        return {
-          decision,
-          ...(rule.reason !== undefined ? { reason: rule.reason } : {}),
-          matchedRule: idx,
-        };
-      }
-      idx += 1;
-    }
-  }
-  // Fail-closed: no rule matched.
-  return {
-    decision: applyMode("deny", mode),
-    reason: `no policy rule matched ${call.toolName} (sideEffect=${effect})`,
-  };
-}
-/**
- * Append a `policy_decision` audit record. Callers should invoke this
- * AFTER `evaluatePolicy` whenever the decision is `audit-and-allow` or
- * `deny`. `allow` outcomes don't generate an audit row by default to
- * keep the chain readable; pass `auditAll: true` to override.
- */
-export async function auditPolicyDecision(
-  log: AuditLog,
-  call: ToolCallContext,
-  result: EvaluatePolicyResult,
-  opts: { readonly auditAll?: boolean } = {},
-): Promise<void> {
-  if (result.decision === "allow" && opts.auditAll !== true) return;
-  const payload: AppendInput["payload"] = {
-    toolName: call.toolName,
-    sideEffect: call.sideEffect ?? "external",
-    decision: result.decision,
-    reason: result.reason,
-    tenantId: call.tenantId,
-    matchedRule: result.matchedRule,
-  };
-  await log.append({ kind: "policy_decision", payload });
-}
-export const DEFAULT_POLICY_RULES = DEFAULT_RULES;