@devtrack-solution/codesdd 1.2.2 → 1.2.4-rc3

package/dist/core/sdd/plugin-manifest.js

@@ -0,0 +1,225 @@
+import fs from 'node:fs/promises';
+import path from 'node:path';
+import { parse as parseYaml } from 'yaml';
+import { toJSONSchema, z } from 'zod';
+import { pluginPackageGovernanceSchema, pluginLanguageRuntimeSchema } from './plugin-sdk-contract.js';
+const JSON_SCHEMA_DRAFT = 'https://json-schema.org/draft/2020-12/schema';
+const PLUGIN_ID_PATTERN = /^codesdd-plugin-[a-z0-9][a-z0-9-]*$/;
+const SEMVER_PATTERN = /^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$/;
+const CAPABILITY_NAME_PATTERN = /^[a-z][a-z0-9-]*(?:\.[a-z][a-z0-9-]*)+$/;
+const WINDOWS_ABSOLUTE_PATH_PATTERN = /^[A-Za-z]:[\\/]/;
+const jsonObjectSchema = z.record(z.string(), z.unknown());
+const safeRelativePathSchema = z
+    .string()
+    .min(1)
+    .refine((value) => isSafeRelativePath(value), {
+    message: 'Path must be relative to the project root and must not contain traversal segments.',
+});
+export const pluginCapabilitySchema = z
+    .object({
+    name: z.string().regex(CAPABILITY_NAME_PATTERN),
+    description: z.string().min(20),
+    input_schema: jsonObjectSchema,
+    output_schema: jsonObjectSchema,
+    deterministic: z.boolean(),
+    idempotent: z.boolean(),
+    supports_dry_run: z.boolean(),
+    supports_apply: z.boolean(),
+    supports_rollback: z.boolean().default(false),
+    write_scope: z.array(safeRelativePathSchema).default([]),
+    risk_tier: z.enum(['low', 'medium', 'high', 'critical']).default('medium'),
+    approval: z.enum(['none', 'maintainer', 'security', 'architecture-board']).default('maintainer'),
+})
+    .superRefine((capability, context) => {
+    if (capability.supports_apply && !capability.supports_dry_run) {
+        context.addIssue({
+            code: 'custom',
+            path: ['supports_dry_run'],
+            message: 'Apply-capable plugin capabilities must support dry-run mode.',
+        });
+    }
+});
+export const pluginCompressionConfigSchema = z
+    .object({
+    enabled: z.boolean().default(false),
+    engine: z.enum(['rtk', 'headroom', 'builtin', 'none']).default('none'),
+    mode: z.literal('pretooluse').default('pretooluse'),
+    exclude_commands: z.array(z.string().min(1)).default([]),
+    tee: z.enum(['failures', 'always', 'never']).default('failures'),
+    max_output_tokens: z.number().int().positive().max(64000).default(4000),
+})
+    .superRefine((compression, context) => {
+    if (compression.enabled && compression.engine === 'none') {
+        context.addIssue({
+            code: 'custom',
+            path: ['engine'],
+            message: 'Compression engine must not be none when compression is enabled.',
+        });
+    }
+});
+export const pluginManifestSchema = z
+    .object({
+    id: z.string().regex(PLUGIN_ID_PATTERN),
+    name: z.string().min(3),
+    version: z.string().regex(SEMVER_PATTERN),
+    contract_version: z.literal(1),
+    vendor: z.string().min(2),
+    codesdd_compat: z.object({
+        versions: z.string().min(1),
+        sdd_contract_versions: z.array(z.number().int().positive()).min(1),
+    }),
+    technology: z.object({
+        language: z.string().min(1),
+        framework: z.string().optional(),
+        runtime: z.string().optional(),
+        package_manager: z.string().optional(),
+        min_versions: z.record(z.string(), z.string()).default({}),
+    }),
+    package_governance: pluginPackageGovernanceSchema.optional(),
+    language_runtime: pluginLanguageRuntimeSchema.optional(),
+    capabilities: z.array(pluginCapabilitySchema).min(1),
+    execution: z.object({
+        command: z.string().min(1),
+        args: z.array(z.string()).default([]),
+        timeout_seconds: z.number().int().positive().max(3600).default(120),
+        env_allowlist: z.array(z.string().regex(/^[A-Z_][A-Z0-9_]*$/)).default([]),
+        network: z.enum(['disabled', 'restricted', 'enabled']).default('disabled'),
+        process_spawn: z.enum(['forbidden', 'declared']).default('forbidden'),
+        working_directory: safeRelativePathSchema.default('.'),
+    }),
+    artifacts: z.object({
+        writes: z.array(safeRelativePathSchema).default([]),
+        forbidden_writes: z.array(safeRelativePathSchema).default([]),
+        naming_conventions: z.array(z.string().min(1)).default([]),
+    }),
+    supply_chain: z.object({
+        checksum: z.string().optional(),
+        signature: z.string().optional(),
+        provenance: z.string().optional(),
+        sbom: z.string().optional(),
+    }),
+    governance: z.object({
+        owner: z.string().min(2),
+        support_sla: z.string().min(1),
+        deprecation_window: z.string().min(1),
+        policy_packs: z.array(z.string().min(1)).default([]),
+        trust_tier: z.enum(['local-dev', 'experimental', 'enterprise-approved', 'blocked']),
+        allowed_domains: z.array(z.string().min(1)).default([]),
+        risk_tier: z.enum(['low', 'medium', 'high', 'critical']).default('medium'),
+    }),
+    validation: z.object({
+        commands: z.array(z.string().min(1)).min(1),
+        coverage_target: z.number().min(0).max(100).default(95),
+        security_checks: z.array(z.string().min(1)).default([]),
+        dependency_checks: z.array(z.string().min(1)).default([]),
+    }),
+    compression: pluginCompressionConfigSchema.default({
+        enabled: false,
+        engine: 'none',
+        mode: 'pretooluse',
+        exclude_commands: [],
+        tee: 'failures',
+        max_output_tokens: 4000,
+    }),
+})
+    .superRefine((manifest, context) => {
+    if (manifest.language_runtime && manifest.language_runtime.language !== manifest.technology.language) {
+        context.addIssue({
+            code: 'custom',
+            path: ['language_runtime', 'language'],
+            message: 'Language runtime language must match technology.language.',
+        });
+    }
+    const duplicateCapabilityNames = findDuplicates(manifest.capabilities.map((capability) => capability.name));
+    for (const duplicateName of duplicateCapabilityNames) {
+        context.addIssue({
+            code: 'custom',
+            path: ['capabilities'],
+            message: `Duplicate capability name: ${duplicateName}.`,
+        });
+    }
+    if (manifest.governance.trust_tier === 'enterprise-approved') {
+        if (!manifest.supply_chain.checksum) {
+            context.addIssue({
+                code: 'custom',
+                path: ['supply_chain', 'checksum'],
+                message: 'Enterprise-approved plugins must declare a checksum.',
+            });
+        }
+        if (!manifest.supply_chain.signature && !manifest.supply_chain.provenance) {
+            context.addIssue({
+                code: 'custom',
+                path: ['supply_chain', 'provenance'],
+                message: 'Enterprise-approved plugins must declare either a signature or provenance.',
+            });
+        }
+        if (!manifest.supply_chain.sbom) {
+            context.addIssue({
+                code: 'custom',
+                path: ['supply_chain', 'sbom'],
+                message: 'Enterprise-approved plugins must declare SBOM metadata.',
+            });
+        }
+    }
+});
+export class PluginManifestValidationError extends Error {
+    issues;
+    constructor(sourceLabel, issues) {
+        super(`Plugin manifest validation failed for ${sourceLabel}: ${issues.join('; ')}`);
+        this.name = 'PluginManifestValidationError';
+        this.issues = issues;
+    }
+}
+export function parsePluginManifest(content, sourceLabel = 'codesdd-plugin.yaml') {
+    let parsed;
+    try {
+        parsed = parseYaml(content);
+    }
+    catch (error) {
+        throw new PluginManifestValidationError(sourceLabel, [`YAML parse failed: ${String(error)}`]);
+    }
+    return validatePluginManifest(parsed, sourceLabel);
+}
+export async function loadPluginManifest(filePath) {
+    const content = await fs.readFile(filePath, 'utf8');
+    return parsePluginManifest(content, path.basename(filePath));
+}
+export function validatePluginManifest(value, sourceLabel = 'codesdd-plugin.yaml') {
+    const result = pluginManifestSchema.safeParse(value);
+    if (!result.success) {
+        throw new PluginManifestValidationError(sourceLabel, formatIssues(result.error.issues));
+    }
+    return result.data;
+}
+export function buildPluginManifestJsonSchema() {
+    return {
+        ...toJSONSchema(pluginManifestSchema),
+        $schema: JSON_SCHEMA_DRAFT,
+        title: 'CodeSDD Enterprise Plugin Manifest',
+        description: 'Machine-readable contract for a CodeSDD enterprise plugin manifest.',
+    };
+}
+function isSafeRelativePath(value) {
+    if (value.startsWith('/') || WINDOWS_ABSOLUTE_PATH_PATTERN.test(value)) {
+        return false;
+    }
+    return !value.split(/[\\/]+/).some((segment) => segment === '..');
+}
+function findDuplicates(values) {
+    const seen = new Set();
+    const duplicates = new Set();
+    for (const value of values) {
+        if (seen.has(value)) {
+            duplicates.add(value);
+        }
+        seen.add(value);
+    }
+    return [...duplicates];
+}
+function formatIssues(issues) {
+    return issues.map((issue) => {
+        const issuePath = issue.path.length > 0 ? issue.path.join('.') : '<root>';
+        return `${issuePath}: ${issue.message}`;
+    });
+}
+//# sourceMappingURL=plugin-manifest.js.map

package/dist/core/sdd/plugin-policy-pack.d.ts

@@ -0,0 +1,88 @@
+import { z } from 'zod';
+import { type PluginManifest } from './plugin-manifest.js';
+export declare const pluginPolicyPackSchema: z.ZodObject<{
+    id: z.ZodString;
+    version: z.ZodString;
+    description: z.ZodString;
+    applies_to: z.ZodDefault<z.ZodObject<{
+        trust_tiers: z.ZodDefault<z.ZodArray<z.ZodEnum<{
+            experimental: "experimental";
+            blocked: "blocked";
+            "local-dev": "local-dev";
+            "enterprise-approved": "enterprise-approved";
+        }>>>;
+    }, z.core.$strip>>;
+    requirements: z.ZodDefault<z.ZodObject<{
+        max_risk_tier: z.ZodDefault<z.ZodEnum<{
+            low: "low";
+            medium: "medium";
+            high: "high";
+            critical: "critical";
+        }>>;
+        supply_chain: z.ZodDefault<z.ZodObject<{
+            checksum: z.ZodDefault<z.ZodBoolean>;
+            signature_or_provenance: z.ZodDefault<z.ZodBoolean>;
+            sbom: z.ZodDefault<z.ZodBoolean>;
+            sbom_formats: z.ZodDefault<z.ZodArray<z.ZodEnum<{
+                custom: "custom";
+                cyclonedx: "cyclonedx";
+                spdx: "spdx";
+            }>>>;
+        }, z.core.$strip>>;
+        validation: z.ZodDefault<z.ZodObject<{
+            min_coverage: z.ZodDefault<z.ZodNumber>;
+            security_checks: z.ZodDefault<z.ZodArray<z.ZodString>>;
+            dependency_checks: z.ZodDefault<z.ZodArray<z.ZodString>>;
+        }, z.core.$strip>>;
+        execution: z.ZodDefault<z.ZodObject<{
+            network: z.ZodOptional<z.ZodEnum<{
+                disabled: "disabled";
+                enabled: "enabled";
+                restricted: "restricted";
+            }>>;
+            process_spawn: z.ZodOptional<z.ZodEnum<{
+                forbidden: "forbidden";
+                declared: "declared";
+            }>>;
+        }, z.core.$strip>>;
+    }, z.core.$strip>>;
+}, z.core.$strip>;
+export declare const pluginPolicyPackIssueSchema: z.ZodObject<{
+    code: z.ZodString;
+    severity: z.ZodEnum<{
+        deny: "deny";
+        warn: "warn";
+    }>;
+    message: z.ZodString;
+    policy_pack: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>;
+export declare const pluginPolicyPackEvaluationSchema: z.ZodObject<{
+    schema_version: z.ZodLiteral<1>;
+    plugin_ref: z.ZodObject<{
+        id: z.ZodString;
+        version: z.ZodString;
+    }, z.core.$strip>;
+    decision: z.ZodEnum<{
+        deny: "deny";
+        warn: "warn";
+        allow: "allow";
+    }>;
+    declared_policy_packs: z.ZodDefault<z.ZodArray<z.ZodString>>;
+    applied_policy_packs: z.ZodDefault<z.ZodArray<z.ZodString>>;
+    issues: z.ZodDefault<z.ZodArray<z.ZodObject<{
+        code: z.ZodString;
+        severity: z.ZodEnum<{
+            deny: "deny";
+            warn: "warn";
+        }>;
+        message: z.ZodString;
+        policy_pack: z.ZodOptional<z.ZodString>;
+    }, z.core.$strip>>>;
+}, z.core.$strip>;
+export type PluginPolicyPack = z.infer<typeof pluginPolicyPackSchema>;
+export type PluginPolicyPackIssue = z.infer<typeof pluginPolicyPackIssueSchema>;
+export type PluginPolicyPackEvaluation = z.infer<typeof pluginPolicyPackEvaluationSchema>;
+export declare const ENTERPRISE_DEFAULT_POLICY_PACK: PluginPolicyPack;
+export declare const DEVTRACK_API_FOUNDATION_POLICY_PACK: PluginPolicyPack;
+export declare function evaluatePluginPolicyPacks(manifest: PluginManifest, policyPacks: PluginPolicyPack[]): PluginPolicyPackEvaluation;
+//# sourceMappingURL=plugin-policy-pack.d.ts.map

package/dist/core/sdd/plugin-policy-pack.js

@@ -0,0 +1,236 @@
+import { z } from 'zod';
+import { pluginManifestSchema } from './plugin-manifest.js';
+const SEMVER_PATTERN = /^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$/;
+const riskRank = {
+    low: 1,
+    medium: 2,
+    high: 3,
+    critical: 4,
+};
+export const pluginPolicyPackSchema = z.object({
+    id: z.string().regex(/^[a-z][a-z0-9-]*$/),
+    version: z.string().regex(SEMVER_PATTERN),
+    description: z.string().min(20),
+    applies_to: z
+        .object({
+        trust_tiers: z
+            .array(z.enum(['local-dev', 'experimental', 'enterprise-approved', 'blocked']))
+            .default(['enterprise-approved']),
+    })
+        .default({ trust_tiers: ['enterprise-approved'] }),
+    requirements: z
+        .object({
+        max_risk_tier: z.enum(['low', 'medium', 'high', 'critical']).default('medium'),
+        supply_chain: z
+            .object({
+            checksum: z.boolean().default(false),
+            signature_or_provenance: z.boolean().default(false),
+            sbom: z.boolean().default(false),
+            sbom_formats: z.array(z.enum(['cyclonedx', 'spdx', 'custom'])).default([]),
+        })
+            .default({ checksum: false, signature_or_provenance: false, sbom: false, sbom_formats: [] }),
+        validation: z
+            .object({
+            min_coverage: z.number().min(0).max(100).default(0),
+            security_checks: z.array(z.string().min(1)).default([]),
+            dependency_checks: z.array(z.string().min(1)).default([]),
+        })
+            .default({ min_coverage: 0, security_checks: [], dependency_checks: [] }),
+        execution: z
+            .object({
+            network: z.enum(['disabled', 'restricted', 'enabled']).optional(),
+            process_spawn: z.enum(['forbidden', 'declared']).optional(),
+        })
+            .default({}),
+    })
+        .default({
+        max_risk_tier: 'medium',
+        supply_chain: { checksum: false, signature_or_provenance: false, sbom: false, sbom_formats: [] },
+        validation: { min_coverage: 0, security_checks: [], dependency_checks: [] },
+        execution: {},
+    }),
+});
+export const pluginPolicyPackIssueSchema = z.object({
+    code: z.string().min(1),
+    severity: z.enum(['deny', 'warn']),
+    message: z.string().min(1),
+    policy_pack: z.string().optional(),
+});
+export const pluginPolicyPackEvaluationSchema = z.object({
+    schema_version: z.literal(1),
+    plugin_ref: z.object({
+        id: z.string().min(1),
+        version: z.string().min(1),
+    }),
+    decision: z.enum(['allow', 'warn', 'deny']),
+    declared_policy_packs: z.array(z.string()).default([]),
+    applied_policy_packs: z.array(z.string()).default([]),
+    issues: z.array(pluginPolicyPackIssueSchema).default([]),
+});
+export const ENTERPRISE_DEFAULT_POLICY_PACK = pluginPolicyPackSchema.parse({
+    id: 'enterprise-default',
+    version: '1.0.0',
+    description: 'Default enterprise plugin policy for supply-chain, validation, and safe execution controls.',
+    applies_to: {
+        trust_tiers: ['enterprise-approved', 'local-dev', 'experimental'],
+    },
+    requirements: {
+        max_risk_tier: 'high',
+        supply_chain: {
+            checksum: true,
+            signature_or_provenance: true,
+            sbom: true,
+            sbom_formats: ['cyclonedx', 'spdx'],
+        },
+        validation: {
+            min_coverage: 95,
+            security_checks: ['dependency-audit'],
+            dependency_checks: ['lockfile-review'],
+        },
+        execution: {
+            network: 'disabled',
+            process_spawn: 'forbidden',
+        },
+    },
+});
+export const DEVTRACK_API_FOUNDATION_POLICY_PACK = pluginPolicyPackSchema.parse({
+    id: 'devtrack-api-foundation',
+    version: '1.0.0',
+    description: 'DevTrack API Foundation appliance policy for TypeORM-only dependency and structural validation.',
+    applies_to: {
+        trust_tiers: ['enterprise-approved'],
+    },
+    requirements: {
+        max_risk_tier: 'high',
+        supply_chain: {
+            checksum: true,
+            signature_or_provenance: true,
+            sbom: true,
+            sbom_formats: ['cyclonedx'],
+        },
+        validation: {
+            min_coverage: 95,
+            security_checks: ['dependency-audit', 'no-secret-fixtures', 'no-out-of-root-writes'],
+            dependency_checks: ['lockfile-review', 'typeorm-only-persistence'],
+        },
+        execution: {
+            network: 'disabled',
+            process_spawn: 'forbidden',
+        },
+    },
+});
+export function evaluatePluginPolicyPacks(manifest, policyPacks) {
+    const parsedManifest = pluginManifestSchema.parse(manifest);
+    const parsedPolicyPacks = policyPacks.map((pack) => pluginPolicyPackSchema.parse(pack));
+    const packById = new Map(parsedPolicyPacks.map((pack) => [pack.id, pack]));
+    const issues = [];
+    const appliedPolicyPacks = [];
+    if (parsedManifest.governance.policy_packs.length === 0) {
+        issues.push(warn('NO_POLICY_PACK_DECLARED', `Plugin ${parsedManifest.id} declares no policy packs.`));
+    }
+    for (const policyPackId of parsedManifest.governance.policy_packs) {
+        const policyPack = packById.get(policyPackId);
+        if (!policyPack) {
+            issues.push(deny('POLICY_PACK_NOT_AVAILABLE', `Policy pack ${policyPackId} is not available.`, policyPackId));
+            continue;
+        }
+        appliedPolicyPacks.push(policyPack.id);
+        issues.push(...evaluatePolicyPack(parsedManifest, policyPack));
+    }
+    return pluginPolicyPackEvaluationSchema.parse({
+        schema_version: 1,
+        plugin_ref: {
+            id: parsedManifest.id,
+            version: parsedManifest.version,
+        },
+        decision: issues.some((issue) => issue.severity === 'deny')
+            ? 'deny'
+            : issues.some((issue) => issue.severity === 'warn')
+                ? 'warn'
+                : 'allow',
+        declared_policy_packs: parsedManifest.governance.policy_packs,
+        applied_policy_packs: appliedPolicyPacks,
+        issues,
+    });
+}
+function evaluatePolicyPack(manifest, policyPack) {
+    const issues = [];
+    if (!policyPack.applies_to.trust_tiers.includes(manifest.governance.trust_tier)) {
+        issues.push(warn('POLICY_PACK_NOT_APPLICABLE', `Policy pack ${policyPack.id} does not target trust tier ${manifest.governance.trust_tier}.`, policyPack.id));
+    }
+    if (riskRank[manifest.governance.risk_tier] > riskRank[policyPack.requirements.max_risk_tier]) {
+        issues.push(deny('RISK_TIER_EXCEEDS_POLICY', `Plugin risk tier ${manifest.governance.risk_tier} exceeds policy maximum ${policyPack.requirements.max_risk_tier}.`, policyPack.id));
+    }
+    issues.push(...evaluateSupplyChainPolicy(manifest, policyPack));
+    issues.push(...evaluateValidationPolicy(manifest, policyPack));
+    issues.push(...evaluateExecutionPolicy(manifest, policyPack));
+    return issues;
+}
+function evaluateSupplyChainPolicy(manifest, policyPack) {
+    const requirements = policyPack.requirements.supply_chain;
+    const issues = [];
+    if (requirements.checksum && !manifest.supply_chain.checksum) {
+        issues.push(deny('CHECKSUM_REQUIRED', `Policy pack ${policyPack.id} requires a checksum.`, policyPack.id));
+    }
+    if (requirements.signature_or_provenance && !manifest.supply_chain.signature && !manifest.supply_chain.provenance) {
+        issues.push(deny('SIGNATURE_OR_PROVENANCE_REQUIRED', `Policy pack ${policyPack.id} requires signature or provenance.`, policyPack.id));
+    }
+    if (requirements.sbom && !manifest.supply_chain.sbom) {
+        issues.push(deny('SBOM_REQUIRED', `Policy pack ${policyPack.id} requires SBOM metadata.`, policyPack.id));
+    }
+    if (manifest.supply_chain.sbom && requirements.sbom_formats.length > 0) {
+        const format = resolveSbomFormat(manifest.supply_chain.sbom);
+        if (!requirements.sbom_formats.includes(format)) {
+            issues.push(deny('SBOM_FORMAT_NOT_ALLOWED', `SBOM format ${format} is not allowed by policy pack ${policyPack.id}.`, policyPack.id));
+        }
+    }
+    return issues;
+}
+function evaluateValidationPolicy(manifest, policyPack) {
+    const requirements = policyPack.requirements.validation;
+    const issues = [];
+    if (manifest.validation.coverage_target < requirements.min_coverage) {
+        issues.push(deny('COVERAGE_TARGET_TOO_LOW', `Coverage target ${manifest.validation.coverage_target}% is below policy minimum ${requirements.min_coverage}%.`, policyPack.id));
+    }
+    issues.push(...missingValues(requirements.security_checks, manifest.validation.security_checks).map((check) => deny('SECURITY_CHECK_REQUIRED', `Required security check ${check} is missing.`, policyPack.id)));
+    issues.push(...missingValues(requirements.dependency_checks, manifest.validation.dependency_checks).map((check) => deny('DEPENDENCY_CHECK_REQUIRED', `Required dependency check ${check} is missing.`, policyPack.id)));
+    return issues;
+}
+function evaluateExecutionPolicy(manifest, policyPack) {
+    const requirements = policyPack.requirements.execution;
+    const issues = [];
+    if (requirements.network && manifest.execution.network !== requirements.network) {
+        issues.push(deny('NETWORK_POLICY_MISMATCH', `Network policy ${manifest.execution.network} does not match required ${requirements.network}.`, policyPack.id));
+    }
+    if (requirements.process_spawn && manifest.execution.process_spawn !== requirements.process_spawn) {
+        issues.push(deny('PROCESS_SPAWN_POLICY_MISMATCH', `Process spawn policy ${manifest.execution.process_spawn} does not match required ${requirements.process_spawn}.`, policyPack.id));
+    }
+    return issues;
+}
+function resolveSbomFormat(sbom) {
+    const prefix = sbom.split(':', 1)[0]?.toLowerCase();
+    if (prefix === 'cyclonedx' || prefix === 'spdx') {
+        return prefix;
+    }
+    return 'custom';
+}
+function missingValues(required, actual) {
+    return required.filter((value) => !actual.includes(value));
+}
+function deny(code, message, policyPack) {
+    return {
+        code,
+        severity: 'deny',
+        message,
+        policy_pack: policyPack,
+    };
+}
+function warn(code, message, policyPack) {
+    return {
+        code,
+        severity: 'warn',
+        message,
+        policy_pack: policyPack,
+    };
+}
+//# sourceMappingURL=plugin-policy-pack.js.map

package/dist/core/sdd/plugin-policy.d.ts

@@ -0,0 +1,68 @@
+import { z } from 'zod';
+import { type PluginManifest } from './plugin-manifest.js';
+export declare const pluginPolicyEvaluationRequestSchema: z.ZodObject<{
+    capability: z.ZodString;
+    mode: z.ZodDefault<z.ZodEnum<{
+        apply: "apply";
+        "dry-run": "dry-run";
+        rollback: "rollback";
+    }>>;
+    approval_grants: z.ZodDefault<z.ZodArray<z.ZodEnum<{
+        maintainer: "maintainer";
+        security: "security";
+        "architecture-board": "architecture-board";
+    }>>>;
+    source_checksum: z.ZodOptional<z.ZodString>;
+    requested_write_scope: z.ZodDefault<z.ZodArray<z.ZodString>>;
+    planned_writes: z.ZodDefault<z.ZodArray<z.ZodString>>;
+    requested_env: z.ZodDefault<z.ZodArray<z.ZodString>>;
+    network_domains: z.ZodDefault<z.ZodArray<z.ZodString>>;
+    process_spawn_requested: z.ZodDefault<z.ZodBoolean>;
+    filesystem_checks: z.ZodDefault<z.ZodArray<z.ZodObject<{
+        path: z.ZodString;
+        real_path: z.ZodString;
+        project_root: z.ZodString;
+        is_symlink: z.ZodDefault<z.ZodBoolean>;
+    }, z.core.$strip>>>;
+}, z.core.$strip>;
+export declare const pluginPolicyIssueSchema: z.ZodObject<{
+    code: z.ZodString;
+    severity: z.ZodEnum<{
+        deny: "deny";
+        warn: "warn";
+    }>;
+    message: z.ZodString;
+    path: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>;
+export declare const pluginPolicyEvaluationSchema: z.ZodObject<{
+    schema_version: z.ZodLiteral<1>;
+    plugin_ref: z.ZodObject<{
+        id: z.ZodString;
+        version: z.ZodString;
+    }, z.core.$strip>;
+    capability: z.ZodString;
+    mode: z.ZodEnum<{
+        apply: "apply";
+        "dry-run": "dry-run";
+        rollback: "rollback";
+    }>;
+    decision: z.ZodEnum<{
+        deny: "deny";
+        warn: "warn";
+        allow: "allow";
+    }>;
+    issues: z.ZodDefault<z.ZodArray<z.ZodObject<{
+        code: z.ZodString;
+        severity: z.ZodEnum<{
+            deny: "deny";
+            warn: "warn";
+        }>;
+        message: z.ZodString;
+        path: z.ZodOptional<z.ZodString>;
+    }, z.core.$strip>>>;
+}, z.core.$strip>;
+export type PluginPolicyEvaluationRequest = z.infer<typeof pluginPolicyEvaluationRequestSchema>;
+export type PluginPolicyIssue = z.infer<typeof pluginPolicyIssueSchema>;
+export type PluginPolicyEvaluation = z.infer<typeof pluginPolicyEvaluationSchema>;
+export declare function evaluatePluginTrustPolicy(manifest: PluginManifest, request: PluginPolicyEvaluationRequest): PluginPolicyEvaluation;
+//# sourceMappingURL=plugin-policy.d.ts.map