@kya-os/checkpoint-express 1.0.0 → 1.1.1

@@ -1 +0,0 @@
1
- {"version":3,"sources":["../src/policy.ts"],"names":[],"mappings":";;;;;AAsFA,IAAM,iBAAA,GAAoB;AAAA,EACxB,gEAAA;AAAA,EACA,EAAA;AAAA,EACA,qEAAA;AAAA,EACA,0DAAA;AAAA,EACA,EAAA;AAAA,EACA,gEAAA;AAAA,EACA,EAAA;AAAA,EACA,4BAAA;AAAA,EACA,wCAAA;AAAA,EACA,2DAAA;AAAA,EACA,QAAA;AAAA,EACA,EAAA;AAAA,EACA,4EAAA;AAAA,EACA,8EAAA;AAAA,EACA,yEAAA;AAAA,EACA;AACF,CAAA,CAAE,KAAK,IAAI,CAAA;AAOJ,SAAS,0BAAA,CACd,YACA,IAAA,EACyB;AACzB,EAAA,MAAM,IAAI,MAAM,iBAAiB,CAAA;AACnC;AAGO,SAAS,0BAAA,CACd,UAAA,EACA,IAAA,EACA,OAAA,EACwB;AACxB,EAAA,MAAM,IAAI,MAAM,iBAAiB,CAAA;AACnC;AAGO,SAAS,mBAAA,CACd,IAAA,EACA,SAAA,EACA,OAAA,EACM;AACN,EAAA,MAAM,IAAI,MAAM,iBAAiB,CAAA;AACnC;AAGO,SAAS,oBAAA,CACd,IAAA,EACA,IAAA,EACA,SAAA,EACA,SACA,UAAA,EACM;AACN,EAAA,MAAM,IAAI,MAAM,iBAAiB,CAAA;AACnC;AAGO,SAAS,qBAAA,CACd,IAAA,EACA,IAAA,EACA,SAAA,EACA,SACA,UAAA,EACM;AACN,EAAA,MAAM,IAAI,MAAM,iBAAiB,CAAA;AACnC;AAGA,eAAsB,oBAAA,CACpB,IAAA,EACA,IAAA,EACA,SAAA,EACA,SACA,UAAA,EACkB;AAClB,EAAA,MAAM,IAAI,MAAM,iBAAiB,CAAA;AACnC;AAGA,eAAsB,UAAU,OAAA,EAAwD;AACtF,EAAA,MAAM,IAAI,MAAM,iBAAiB,CAAA;AACnC;AAGA,eAAsB,WAAA,CACpB,IAAA,EACA,IAAA,EACA,UAAA,EACA,OAAA,EACkB;AAClB,EAAA,MAAM,IAAI,MAAM,iBAAiB,CAAA;AACnC","file":"policy.js","sourcesContent":["/**\n * Legacy policy module — Phase E throw-stub.\n *\n * Local policy evaluation (deny lists, allow lists, threshold checks)\n * was the JS-side enforcement path; per the architect's no-JS-verify\n * pin (Phase 1 review § Q4) it dies. The engine's `Decision` is now\n * the single authoritative policy output — the orchestrator builds it\n * from the customer's tenant policy (loaded via `PolicyEvaluator`\n * adapter), and `withCheckpoint`'s response adapter renders it.\n *\n * Type exports (`PolicyMiddlewareConfig`, `PolicyConfig`, etc.) and\n * shared-package re-exports (`evaluatePolicy`, `ENFORCEMENT_ACTIONS`,\n * `DEFAULT_POLICY`) remain so customers' config types keep\n * type-checking through the migration window. 
Function exports throw\n * with a migration message at runtime.\n *\n * @deprecated Use `withCheckpoint` from `@kya-os/checkpoint-express`.\n * Tenant policy is loaded by the engine's PolicyEvaluator adapter.\n */\n\nimport type { Request, Response } from 'express';\n\nimport type {\n PolicyConfig,\n PolicyEvaluationContext,\n PolicyEvaluationResult,\n DetectionResult,\n} from '@kya-os/checkpoint-shared';\n\n// Re-export shared policy types + helpers for convenience. Call sites\n// that destructure these continue to type-check; only the function-body\n// invocations of the legacy local-policy helpers (below) throw.\nexport {\n evaluatePolicy,\n createEvaluationContext,\n type PolicyConfig,\n type PolicyEvaluationContext,\n type PolicyEvaluationResult,\n ENFORCEMENT_ACTIONS,\n DEFAULT_POLICY,\n} from '@kya-os/checkpoint-shared';\n\n/**\n * Policy middleware configuration (legacy type). Preserved so customer\n * config types keep type-checking; the factories that consumed it now\n * throw.\n */\nexport interface PolicyMiddlewareConfig {\n /** Local policy configuration (static). */\n policy?: Partial<PolicyConfig>;\n /** Fetch policy from AgentShield API. */\n fetchPolicy?: {\n projectId: string;\n apiUrl?: string;\n apiKey?: string;\n cacheTtlSeconds?: number;\n };\n /** Fallback policy to use when fetch fails. */\n fallbackPolicy?: Partial<PolicyConfig>;\n /** Custom blocked response. */\n blockedResponse?: {\n status?: number;\n message?: string;\n headers?: Record<string, string>;\n };\n /** Default redirect URL for redirect actions. */\n redirectUrl?: string;\n /** Callback when policy decision is made. */\n onPolicyDecision?: (\n req: Request,\n res: Response,\n decision: PolicyEvaluationResult,\n context: PolicyEvaluationContext\n ) => void | Promise<void>;\n /** Custom response handler for blocked requests. 
*/\n customBlockedResponse?: (\n req: Request,\n res: Response,\n decision: PolicyEvaluationResult\n ) => void | Promise<void>;\n /** Whether to fail open (allow) on policy evaluation errors. */\n failOpen?: boolean;\n /** Enable debug logging. */\n debug?: boolean;\n}\n\nconst MIGRATION_MESSAGE = [\n '[checkpoint-express] Local policy evaluation has been retired.',\n '',\n 'Tenant policy now flows through the engine PolicyEvaluator adapter.',\n \"Configure it via withCheckpoint's `dashboardUrl` option:\",\n '',\n \" import { withCheckpoint } from '@kya-os/checkpoint-express';\",\n '',\n ' app.use(withCheckpoint({',\n \" tenantHost: 'your.tenant.example',\",\n \" dashboardUrl: 'https://dashboard.checkpoint.example',\",\n ' }));',\n '',\n 'The engine`s `Decision` (Permit / Block / Redirect / Challenge / Instruct)',\n 'is the single authoritative policy output — the response adapter inside',\n '`withCheckpoint` renders it. Custom block-response shapes belong in the',\n 'dashboard policy itself, not in middleware code.',\n].join('\\n');\n\n// ---------------------------------------------------------------------------\n// Throw-stub function exports — names preserved, bodies retired.\n// ---------------------------------------------------------------------------\n\n/** @deprecated Use `withCheckpoint` — engine PolicyEvaluator owns this. */\nexport function createContextFromDetection(\n _detection: DetectionResult,\n _req: Request\n): PolicyEvaluationContext {\n throw new Error(MIGRATION_MESSAGE);\n}\n\n/** @deprecated Use `withCheckpoint` — engine PolicyEvaluator owns this. */\nexport function evaluatePolicyForDetection(\n _detection: DetectionResult,\n _req: Request,\n _policy: PolicyConfig\n): PolicyEvaluationResult {\n throw new Error(MIGRATION_MESSAGE);\n}\n\n/** @deprecated Use `withCheckpoint` — its response adapter owns this. 
*/\nexport function sendBlockedResponse(\n _res: Response,\n _decision: PolicyEvaluationResult,\n _config: PolicyMiddlewareConfig\n): void {\n throw new Error(MIGRATION_MESSAGE);\n}\n\n/** @deprecated Use `withCheckpoint` — its response adapter owns this. */\nexport function sendRedirectResponse(\n _req: Request,\n _res: Response,\n _decision: PolicyEvaluationResult,\n _config: PolicyMiddlewareConfig,\n _detection?: { detectedAgent?: { name?: string } }\n): void {\n throw new Error(MIGRATION_MESSAGE);\n}\n\n/** @deprecated Use `withCheckpoint` — its response adapter owns this. */\nexport function sendChallengeResponse(\n _req: Request,\n _res: Response,\n _decision: PolicyEvaluationResult,\n _config: PolicyMiddlewareConfig,\n _detection?: { detectedAgent?: { name?: string } }\n): void {\n throw new Error(MIGRATION_MESSAGE);\n}\n\n/** @deprecated Use `withCheckpoint` — engine + adapter compose this. */\nexport async function handlePolicyDecision(\n _req: Request,\n _res: Response,\n _decision: PolicyEvaluationResult,\n _config: PolicyMiddlewareConfig,\n _detection?: { detectedAgent?: { name?: string } }\n): Promise<boolean> {\n throw new Error(MIGRATION_MESSAGE);\n}\n\n/** @deprecated Tenant policy now loads via the engine PolicyEvaluator. */\nexport async function getPolicy(_config: PolicyMiddlewareConfig): Promise<PolicyConfig> {\n throw new Error(MIGRATION_MESSAGE);\n}\n\n/** @deprecated Use `withCheckpoint` — engine + adapter compose this. */\nexport async function applyPolicy(\n _req: Request,\n _res: Response,\n _detection: DetectionResult,\n _config: PolicyMiddlewareConfig\n): Promise<boolean> {\n throw new Error(MIGRATION_MESSAGE);\n}\n"]}
@@ -1 +0,0 @@
1
- {"version":3,"sources":["../src/policy.ts"],"names":[],"mappings":";;;AAsFA,IAAM,iBAAA,GAAoB;AAAA,EACxB,gEAAA;AAAA,EACA,EAAA;AAAA,EACA,qEAAA;AAAA,EACA,0DAAA;AAAA,EACA,EAAA;AAAA,EACA,gEAAA;AAAA,EACA,EAAA;AAAA,EACA,4BAAA;AAAA,EACA,wCAAA;AAAA,EACA,2DAAA;AAAA,EACA,QAAA;AAAA,EACA,EAAA;AAAA,EACA,4EAAA;AAAA,EACA,8EAAA;AAAA,EACA,yEAAA;AAAA,EACA;AACF,CAAA,CAAE,KAAK,IAAI,CAAA;AAOJ,SAAS,0BAAA,CACd,YACA,IAAA,EACyB;AACzB,EAAA,MAAM,IAAI,MAAM,iBAAiB,CAAA;AACnC;AAGO,SAAS,0BAAA,CACd,UAAA,EACA,IAAA,EACA,OAAA,EACwB;AACxB,EAAA,MAAM,IAAI,MAAM,iBAAiB,CAAA;AACnC;AAGO,SAAS,mBAAA,CACd,IAAA,EACA,SAAA,EACA,OAAA,EACM;AACN,EAAA,MAAM,IAAI,MAAM,iBAAiB,CAAA;AACnC;AAGO,SAAS,oBAAA,CACd,IAAA,EACA,IAAA,EACA,SAAA,EACA,SACA,UAAA,EACM;AACN,EAAA,MAAM,IAAI,MAAM,iBAAiB,CAAA;AACnC;AAGO,SAAS,qBAAA,CACd,IAAA,EACA,IAAA,EACA,SAAA,EACA,SACA,UAAA,EACM;AACN,EAAA,MAAM,IAAI,MAAM,iBAAiB,CAAA;AACnC;AAGA,eAAsB,oBAAA,CACpB,IAAA,EACA,IAAA,EACA,SAAA,EACA,SACA,UAAA,EACkB;AAClB,EAAA,MAAM,IAAI,MAAM,iBAAiB,CAAA;AACnC;AAGA,eAAsB,UAAU,OAAA,EAAwD;AACtF,EAAA,MAAM,IAAI,MAAM,iBAAiB,CAAA;AACnC;AAGA,eAAsB,WAAA,CACpB,IAAA,EACA,IAAA,EACA,UAAA,EACA,OAAA,EACkB;AAClB,EAAA,MAAM,IAAI,MAAM,iBAAiB,CAAA;AACnC","file":"policy.mjs","sourcesContent":["/**\n * Legacy policy module — Phase E throw-stub.\n *\n * Local policy evaluation (deny lists, allow lists, threshold checks)\n * was the JS-side enforcement path; per the architect's no-JS-verify\n * pin (Phase 1 review § Q4) it dies. The engine's `Decision` is now\n * the single authoritative policy output — the orchestrator builds it\n * from the customer's tenant policy (loaded via `PolicyEvaluator`\n * adapter), and `withCheckpoint`'s response adapter renders it.\n *\n * Type exports (`PolicyMiddlewareConfig`, `PolicyConfig`, etc.) and\n * shared-package re-exports (`evaluatePolicy`, `ENFORCEMENT_ACTIONS`,\n * `DEFAULT_POLICY`) remain so customers' config types keep\n * type-checking through the migration window. 
Function exports throw\n * with a migration message at runtime.\n *\n * @deprecated Use `withCheckpoint` from `@kya-os/checkpoint-express`.\n * Tenant policy is loaded by the engine's PolicyEvaluator adapter.\n */\n\nimport type { Request, Response } from 'express';\n\nimport type {\n PolicyConfig,\n PolicyEvaluationContext,\n PolicyEvaluationResult,\n DetectionResult,\n} from '@kya-os/checkpoint-shared';\n\n// Re-export shared policy types + helpers for convenience. Call sites\n// that destructure these continue to type-check; only the function-body\n// invocations of the legacy local-policy helpers (below) throw.\nexport {\n evaluatePolicy,\n createEvaluationContext,\n type PolicyConfig,\n type PolicyEvaluationContext,\n type PolicyEvaluationResult,\n ENFORCEMENT_ACTIONS,\n DEFAULT_POLICY,\n} from '@kya-os/checkpoint-shared';\n\n/**\n * Policy middleware configuration (legacy type). Preserved so customer\n * config types keep type-checking; the factories that consumed it now\n * throw.\n */\nexport interface PolicyMiddlewareConfig {\n /** Local policy configuration (static). */\n policy?: Partial<PolicyConfig>;\n /** Fetch policy from AgentShield API. */\n fetchPolicy?: {\n projectId: string;\n apiUrl?: string;\n apiKey?: string;\n cacheTtlSeconds?: number;\n };\n /** Fallback policy to use when fetch fails. */\n fallbackPolicy?: Partial<PolicyConfig>;\n /** Custom blocked response. */\n blockedResponse?: {\n status?: number;\n message?: string;\n headers?: Record<string, string>;\n };\n /** Default redirect URL for redirect actions. */\n redirectUrl?: string;\n /** Callback when policy decision is made. */\n onPolicyDecision?: (\n req: Request,\n res: Response,\n decision: PolicyEvaluationResult,\n context: PolicyEvaluationContext\n ) => void | Promise<void>;\n /** Custom response handler for blocked requests. 
*/\n customBlockedResponse?: (\n req: Request,\n res: Response,\n decision: PolicyEvaluationResult\n ) => void | Promise<void>;\n /** Whether to fail open (allow) on policy evaluation errors. */\n failOpen?: boolean;\n /** Enable debug logging. */\n debug?: boolean;\n}\n\nconst MIGRATION_MESSAGE = [\n '[checkpoint-express] Local policy evaluation has been retired.',\n '',\n 'Tenant policy now flows through the engine PolicyEvaluator adapter.',\n \"Configure it via withCheckpoint's `dashboardUrl` option:\",\n '',\n \" import { withCheckpoint } from '@kya-os/checkpoint-express';\",\n '',\n ' app.use(withCheckpoint({',\n \" tenantHost: 'your.tenant.example',\",\n \" dashboardUrl: 'https://dashboard.checkpoint.example',\",\n ' }));',\n '',\n 'The engine`s `Decision` (Permit / Block / Redirect / Challenge / Instruct)',\n 'is the single authoritative policy output — the response adapter inside',\n '`withCheckpoint` renders it. Custom block-response shapes belong in the',\n 'dashboard policy itself, not in middleware code.',\n].join('\\n');\n\n// ---------------------------------------------------------------------------\n// Throw-stub function exports — names preserved, bodies retired.\n// ---------------------------------------------------------------------------\n\n/** @deprecated Use `withCheckpoint` — engine PolicyEvaluator owns this. */\nexport function createContextFromDetection(\n _detection: DetectionResult,\n _req: Request\n): PolicyEvaluationContext {\n throw new Error(MIGRATION_MESSAGE);\n}\n\n/** @deprecated Use `withCheckpoint` — engine PolicyEvaluator owns this. */\nexport function evaluatePolicyForDetection(\n _detection: DetectionResult,\n _req: Request,\n _policy: PolicyConfig\n): PolicyEvaluationResult {\n throw new Error(MIGRATION_MESSAGE);\n}\n\n/** @deprecated Use `withCheckpoint` — its response adapter owns this. 
*/\nexport function sendBlockedResponse(\n _res: Response,\n _decision: PolicyEvaluationResult,\n _config: PolicyMiddlewareConfig\n): void {\n throw new Error(MIGRATION_MESSAGE);\n}\n\n/** @deprecated Use `withCheckpoint` — its response adapter owns this. */\nexport function sendRedirectResponse(\n _req: Request,\n _res: Response,\n _decision: PolicyEvaluationResult,\n _config: PolicyMiddlewareConfig,\n _detection?: { detectedAgent?: { name?: string } }\n): void {\n throw new Error(MIGRATION_MESSAGE);\n}\n\n/** @deprecated Use `withCheckpoint` — its response adapter owns this. */\nexport function sendChallengeResponse(\n _req: Request,\n _res: Response,\n _decision: PolicyEvaluationResult,\n _config: PolicyMiddlewareConfig,\n _detection?: { detectedAgent?: { name?: string } }\n): void {\n throw new Error(MIGRATION_MESSAGE);\n}\n\n/** @deprecated Use `withCheckpoint` — engine + adapter compose this. */\nexport async function handlePolicyDecision(\n _req: Request,\n _res: Response,\n _decision: PolicyEvaluationResult,\n _config: PolicyMiddlewareConfig,\n _detection?: { detectedAgent?: { name?: string } }\n): Promise<boolean> {\n throw new Error(MIGRATION_MESSAGE);\n}\n\n/** @deprecated Tenant policy now loads via the engine PolicyEvaluator. */\nexport async function getPolicy(_config: PolicyMiddlewareConfig): Promise<PolicyConfig> {\n throw new Error(MIGRATION_MESSAGE);\n}\n\n/** @deprecated Use `withCheckpoint` — engine + adapter compose this. */\nexport async function applyPolicy(\n _req: Request,\n _res: Response,\n _detection: DetectionResult,\n _config: PolicyMiddlewareConfig\n): Promise<boolean> {\n throw new Error(MIGRATION_MESSAGE);\n}\n"]}