@lannguyensi/harness 0.25.2 → 0.27.0
- package/CHANGELOG.md +36 -0
- package/dist/cli/approve/risk.d.ts +43 -0
- package/dist/cli/approve/risk.js +126 -0
- package/dist/cli/approve/risk.js.map +1 -0
- package/dist/cli/audit.js +8 -2
- package/dist/cli/audit.js.map +1 -1
- package/dist/cli/doctor/format.js +24 -0
- package/dist/cli/doctor/format.js.map +1 -1
- package/dist/cli/doctor/index.js +26 -0
- package/dist/cli/doctor/index.js.map +1 -1
- package/dist/cli/doctor/types.d.ts +23 -0
- package/dist/cli/event-input.d.ts +28 -0
- package/dist/cli/event-input.js +73 -0
- package/dist/cli/event-input.js.map +1 -0
- package/dist/cli/explain-action.d.ts +20 -0
- package/dist/cli/explain-action.js +27 -0
- package/dist/cli/explain-action.js.map +1 -0
- package/dist/cli/explain-policy.d.ts +54 -0
- package/dist/cli/explain-policy.js +81 -0
- package/dist/cli/explain-policy.js.map +1 -0
- package/dist/cli/explain.js +4 -0
- package/dist/cli/explain.js.map +1 -1
- package/dist/cli/index.js +126 -4
- package/dist/cli/index.js.map +1 -1
- package/dist/cli/init/templates.d.ts +1 -1
- package/dist/cli/init/templates.js +98 -0
- package/dist/cli/init/templates.js.map +1 -1
- package/dist/cli/pack/hook-branch-protection.js +1 -1
- package/dist/cli/pack/hook-branch-protection.js.map +1 -1
- package/dist/cli/pack/hook-codex-pre-tool-use.js +1 -1
- package/dist/cli/pack/hook-codex-pre-tool-use.js.map +1 -1
- package/dist/cli/pack/hook-post-tool-use.js +1 -1
- package/dist/cli/pack/hook-post-tool-use.js.map +1 -1
- package/dist/cli/pack/hook-pre-tool-use.js +1 -1
- package/dist/cli/pack/hook-pre-tool-use.js.map +1 -1
- package/dist/cli/pack/hook-track-active-claim.js +1 -1
- package/dist/cli/pack/hook-track-active-claim.js.map +1 -1
- package/dist/cli/{pack/pause-check.d.ts → pause-check.d.ts} +1 -1
- package/dist/cli/{pack/pause-check.js → pause-check.js} +14 -11
- package/dist/cli/pause-check.js.map +1 -0
- package/dist/cli/policy/intercept.d.ts +15 -0
- package/dist/cli/policy/intercept.js +55 -1
- package/dist/cli/policy/intercept.js.map +1 -1
- package/dist/cli/resolve-env.d.ts +32 -0
- package/dist/cli/resolve-env.js +47 -0
- package/dist/cli/resolve-env.js.map +1 -0
- package/dist/cli/test-risk.d.ts +26 -0
- package/dist/cli/test-risk.js +34 -0
- package/dist/cli/test-risk.js.map +1 -0
- package/dist/runtime/action-envelope.d.ts +64 -0
- package/dist/runtime/action-envelope.js +46 -0
- package/dist/runtime/action-envelope.js.map +1 -0
- package/dist/runtime/environment-resolver.d.ts +36 -0
- package/dist/runtime/environment-resolver.js +138 -0
- package/dist/runtime/environment-resolver.js.map +1 -0
- package/dist/runtime/index.d.ts +6 -1
- package/dist/runtime/index.js +6 -1
- package/dist/runtime/index.js.map +1 -1
- package/dist/runtime/intercept.d.ts +60 -3
- package/dist/runtime/intercept.js +104 -6
- package/dist/runtime/intercept.js.map +1 -1
- package/dist/runtime/kube-context.d.ts +16 -0
- package/dist/runtime/kube-context.js +63 -0
- package/dist/runtime/kube-context.js.map +1 -0
- package/dist/runtime/ledger-record.d.ts +8 -0
- package/dist/runtime/ledger-record.js +2 -0
- package/dist/runtime/ledger-record.js.map +1 -1
- package/dist/runtime/risk-classifier.d.ts +38 -0
- package/dist/runtime/risk-classifier.js +148 -0
- package/dist/runtime/risk-classifier.js.map +1 -0
- package/dist/runtime/when-eval.d.ts +40 -0
- package/dist/runtime/when-eval.js +134 -0
- package/dist/runtime/when-eval.js.map +1 -0
- package/dist/schema/environments.d.ts +215 -0
- package/dist/schema/environments.js +101 -0
- package/dist/schema/environments.js.map +1 -0
- package/dist/schema/index.d.ts +419 -11
- package/dist/schema/index.js +8 -0
- package/dist/schema/index.js.map +1 -1
- package/dist/schema/policies.d.ts +152 -13
- package/dist/schema/policies.js +52 -1
- package/dist/schema/policies.js.map +1 -1
- package/dist/schema/risk.d.ts +131 -0
- package/dist/schema/risk.js +87 -0
- package/dist/schema/risk.js.map +1 -0
- package/package.json +1 -1
- package/dist/cli/pack/pause-check.js.map +0 -1
package/dist/schema/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/schema/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AACjD,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AACzC,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAC/C,OAAO,EAAE,wBAAwB,EAAE,MAAM,0BAA0B,CAAC;AACpE,OAAO,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AACtD,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AACzC,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AACzC,OAAO,EAAE,qBAAqB,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AAExE,MAAM,CAAC,MAAM,0BAA0B,GAAG,CAAC,CAAC;AAE5C,MAAM,CAAC,MAAM,cAAc,GAAG,CAAC;KAC5B,MAAM,CAAC;IACN,OAAO,EAAE,CAAC,CAAC,OAAO,CAAC,0BAA0B,CAAC;IAC9C,SAAS,EAAE,eAAe,CAAC,OAAO,CAAC,EAAE,CAAC;IACtC,KAAK,EAAE,WAAW,CAAC,OAAO,CAAC,EAAE,CAAC;IAC9B,MAAM,EAAE,YAAY,CAAC,OAAO,CAAC,EAAE,CAAC;IAChC,KAAK,EAAE,WAAW,CAAC,OAAO,CAAC,EAAE,CAAC;IAC9B,QAAQ,EAAE,cAAc,CAAC,OAAO,CAAC,EAAE,CAAC;IACpC,YAAY,EAAE,iBAAiB,CAAC,OAAO,CAAC,EAAE,CAAC;IAC3C,mBAAmB,EAAE,wBAAwB,CAAC,OAAO,CAAC,EAAE,CAAC;IACzD,SAAS,EAAE,eAAe,CAAC,OAAO,CAAC,EAAE,CAAC;IACtC,gBAAgB,EAAE,qBAAqB,CAAC,OAAO,CAAC,EAAE,CAAC;IACnD,KAAK,EAAE,WAAW,CAAC,OAAO,CAAC,EAAE,CAAC;CAC/B,CAAC;KACD,MAAM,EAAE;KACR,WAAW,CAAC,CAAC,QAAQ,EAAE,GAAG,EAAE,EAAE;IAC7B,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IAC7D,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;QACjC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,GAAG,CAAC,QAAQ,CAAC;gBACX,IAAI,EAAE,CAAC,CAAC,YAAY,CAAC,MAAM;gBAC3B,IAAI,EAAE,CAAC,UAAU,EAAE,CAAC,EAAE,MAAM,CAAC;gBAC7B,OAAO,EAAE,WAAW,CAAC,CAAC,IAAI,sBAAsB,CAAC,CAAC,IAAI,oCAAoC;aAC3F,CAAC,CAAC;QACL,CAAC;IACH,CAAC,CAAC,CAAC;IACH,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,gBAAgB,CAAC,CAAC,CAAC;IACtE,QAAQ,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,EAAE,EAAE,EAAE,EAAE,EAAE;QACpC,EAAE,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,EAAE,EAAE,EAAE;YAC5B,IAAI,IAAI,CAAC,IAAI,KAAK,iBAAiB,IAAI,IAAI,CAAC,QAAQ,KAAK,SAAS,EAA
E,CAAC;gBACnE,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;oBACtC,GAAG,CAAC,QAAQ,CAAC;wBACX,IAAI,EAAE,CAAC,CAAC,YAAY,CAAC,MAAM;wBAC3B,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE,UAAU,CAAC;wBAChD,OAAO,EAAE,6BAA6B,IAAI,CAAC,QAAQ,sCAAsC;qBAC1F,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAIL,MAAM,OAAO,kBAAmB,SAAQ,KAAK;IAGzB;IAFlB,YACE,OAAe,EACC,MAAoB;QAEpC,KAAK,CAAC,OAAO,CAAC,CAAC;QAFC,WAAM,GAAN,MAAM,CAAc;QAGpC,IAAI,CAAC,IAAI,GAAG,oBAAoB,CAAC;IACnC,CAAC;CACF;AAED,MAAM,UAAU,aAAa,CAAC,GAAY;IACxC,MAAM,MAAM,GAAG,cAAc,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;IAC7C,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACpB,MAAM,OAAO,GAAG,MAAM,CAAC,KAAK,CAAC,MAAM;aAChC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,QAAQ,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC;aAC7D,IAAI,CAAC,IAAI,CAAC,CAAC;QACd,MAAM,IAAI,kBAAkB,CAC1B,wCAAwC,OAAO,EAAE,EACjD,MAAM,CAAC,KAAK,CAAC,MAAM,CACpB,CAAC;IACJ,CAAC;IACD,OAAO,MAAM,CAAC,IAAI,CAAC;AACrB,CAAC;AAED,cAAc,gBAAgB,CAAC;AAC/B,cAAc,YAAY,CAAC;AAC3B,cAAc,aAAa,CAAC;AAC5B,cAAc,YAAY,CAAC;AAC3B,cAAc,0BAA0B,CAAC;AACzC,cAAc,eAAe,CAAC;AAC9B,cAAc,mBAAmB,CAAC;AAClC,cAAc,gBAAgB,CAAC;AAC/B,cAAc,YAAY,CAAC;AAC3B,cAAc,cAAc,CAAC;AAC7B,cAAc,eAAe,CAAC"}
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/schema/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AACvD,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AACjD,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AACzC,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAC/C,OAAO,EAAE,wBAAwB,EAAE,MAAM,0BAA0B,CAAC;AACpE,OAAO,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AACtD,OAAO,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AACvC,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AACzC,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AACzC,OAAO,EAAE,qBAAqB,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AAExE,MAAM,CAAC,MAAM,0BAA0B,GAAG,CAAC,CAAC;AAE5C,MAAM,CAAC,MAAM,cAAc,GAAG,CAAC;KAC5B,MAAM,CAAC;IACN,OAAO,EAAE,CAAC,CAAC,OAAO,CAAC,0BAA0B,CAAC;IAC9C,SAAS,EAAE,eAAe,CAAC,OAAO,CAAC,EAAE,CAAC;IACtC,KAAK,EAAE,WAAW,CAAC,OAAO,CAAC,EAAE,CAAC;IAC9B,MAAM,EAAE,YAAY,CAAC,OAAO,CAAC,EAAE,CAAC;IAChC,KAAK,EAAE,WAAW,CAAC,OAAO,CAAC,EAAE,CAAC;IAC9B,QAAQ,EAAE,cAAc,CAAC,OAAO,CAAC,EAAE,CAAC;IACpC,YAAY,EAAE,iBAAiB,CAAC,OAAO,CAAC,EAAE,CAAC;IAC3C,gEAAgE;IAChE,iDAAiD;IACjD,IAAI,EAAE,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;IAC5B,YAAY,EAAE,kBAAkB,CAAC,OAAO,CAAC,EAAE,CAAC;IAC5C,mBAAmB,EAAE,wBAAwB,CAAC,OAAO,CAAC,EAAE,CAAC;IACzD,SAAS,EAAE,eAAe,CAAC,OAAO,CAAC,EAAE,CAAC;IACtC,gBAAgB,EAAE,qBAAqB,CAAC,OAAO,CAAC,EAAE,CAAC;IACnD,KAAK,EAAE,WAAW,CAAC,OAAO,CAAC,EAAE,CAAC;CAC/B,CAAC;KACD,MAAM,EAAE;KACR,WAAW,CAAC,CAAC,QAAQ,EAAE,GAAG,EAAE,EAAE;IAC7B,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IAC7D,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;QACjC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,GAAG,CAAC,QAAQ,CAAC;gBACX,IAAI,EAAE,CAAC,CAAC,YAAY,CAAC,MAAM;gBAC3B,IAAI,EAAE,CAAC,UAAU,EAAE,CAAC,EAAE,MAAM,CAAC;gBAC7B,OAAO,EAAE,WAAW,CAAC,CAAC,IAAI,sBAAsB,CAAC,CAAC,IAAI,oCAAoC;aAC3F,CAAC,CAAC;QACL,CAAC;IACH,CAAC,CAAC,CAAC;IACH,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,gBAAgB,CAAC,CAAC,CA
AC;IACtE,QAAQ,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,EAAE,EAAE,EAAE,EAAE,EAAE;QACpC,EAAE,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,EAAE,EAAE,EAAE;YAC5B,IAAI,IAAI,CAAC,IAAI,KAAK,iBAAiB,IAAI,IAAI,CAAC,QAAQ,KAAK,SAAS,EAAE,CAAC;gBACnE,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;oBACtC,GAAG,CAAC,QAAQ,CAAC;wBACX,IAAI,EAAE,CAAC,CAAC,YAAY,CAAC,MAAM;wBAC3B,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE,UAAU,CAAC;wBAChD,OAAO,EAAE,6BAA6B,IAAI,CAAC,QAAQ,sCAAsC;qBAC1F,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAIL,MAAM,OAAO,kBAAmB,SAAQ,KAAK;IAGzB;IAFlB,YACE,OAAe,EACC,MAAoB;QAEpC,KAAK,CAAC,OAAO,CAAC,CAAC;QAFC,WAAM,GAAN,MAAM,CAAc;QAGpC,IAAI,CAAC,IAAI,GAAG,oBAAoB,CAAC;IACnC,CAAC;CACF;AAED,MAAM,UAAU,aAAa,CAAC,GAAY;IACxC,MAAM,MAAM,GAAG,cAAc,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;IAC7C,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACpB,MAAM,OAAO,GAAG,MAAM,CAAC,KAAK,CAAC,MAAM;aAChC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,QAAQ,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC;aAC7D,IAAI,CAAC,IAAI,CAAC,CAAC;QACd,MAAM,IAAI,kBAAkB,CAC1B,wCAAwC,OAAO,EAAE,EACjD,MAAM,CAAC,KAAK,CAAC,MAAM,CACpB,CAAC;IACJ,CAAC;IACD,OAAO,MAAM,CAAC,IAAI,CAAC;AACrB,CAAC;AAED,cAAc,gBAAgB,CAAC;AAC/B,cAAc,YAAY,CAAC;AAC3B,cAAc,aAAa,CAAC;AAC5B,cAAc,YAAY,CAAC;AAC3B,cAAc,0BAA0B,CAAC;AACzC,cAAc,eAAe,CAAC;AAC9B,cAAc,mBAAmB,CAAC;AAClC,cAAc,WAAW,CAAC;AAC1B,cAAc,mBAAmB,CAAC;AAClC,cAAc,gBAAgB,CAAC;AAC/B,cAAc,YAAY,CAAC;AAC3B,cAAc,cAAc,CAAC;AAC7B,cAAc,eAAe,CAAC"}
|
|
@@ -18,7 +18,7 @@ export declare const PolicyTriggerSchema: z.ZodObject<{
|
|
|
18
18
|
bash_match?: string | undefined;
|
|
19
19
|
extract?: Record<string, string> | undefined;
|
|
20
20
|
}>;
|
|
21
|
-
export declare const PolicyEnforcementSchema: z.ZodEnum<["block", "warn"]>;
|
|
21
|
+
export declare const PolicyEnforcementSchema: z.ZodEnum<["block", "warn", "require_approval"]>;
|
|
22
22
|
export declare const ProducerSchema: z.ZodDiscriminatedUnion<"kind", [z.ZodObject<{
|
|
23
23
|
kind: z.ZodLiteral<"bash">;
|
|
24
24
|
command: z.ZodString;
|
|
@@ -72,6 +72,32 @@ export declare const PolicyUxSchema: z.ZodObject<{
|
|
|
72
72
|
required: string[];
|
|
73
73
|
run: string[];
|
|
74
74
|
}>;
|
|
75
|
+
export declare const PolicyWhenSchema: z.ZodEffects<z.ZodObject<{
|
|
76
|
+
"risk.severity_at_least": z.ZodOptional<z.ZodEnum<["low", "medium", "high", "critical"]>>;
|
|
77
|
+
"risk.category_in": z.ZodOptional<z.ZodArray<z.ZodEnum<["destructive", "data_loss", "production_mutation", "credential_access", "secret_exfiltration", "network_exfiltration", "deployment_change", "infrastructure_change", "privilege_escalation", "irreversible_action", "mass_update"]>, "many">>;
|
|
78
|
+
"environment.name": z.ZodOptional<z.ZodEnum<["production", "staging", "dev", "local", "unknown"]>>;
|
|
79
|
+
"action.reversible": z.ZodOptional<z.ZodBoolean>;
|
|
80
|
+
}, "strict", z.ZodTypeAny, {
|
|
81
|
+
"risk.severity_at_least"?: "low" | "medium" | "high" | "critical" | undefined;
|
|
82
|
+
"risk.category_in"?: ("destructive" | "data_loss" | "production_mutation" | "credential_access" | "secret_exfiltration" | "network_exfiltration" | "deployment_change" | "infrastructure_change" | "privilege_escalation" | "irreversible_action" | "mass_update")[] | undefined;
|
|
83
|
+
"environment.name"?: "production" | "staging" | "dev" | "local" | "unknown" | undefined;
|
|
84
|
+
"action.reversible"?: boolean | undefined;
|
|
85
|
+
}, {
|
|
86
|
+
"risk.severity_at_least"?: "low" | "medium" | "high" | "critical" | undefined;
|
|
87
|
+
"risk.category_in"?: ("destructive" | "data_loss" | "production_mutation" | "credential_access" | "secret_exfiltration" | "network_exfiltration" | "deployment_change" | "infrastructure_change" | "privilege_escalation" | "irreversible_action" | "mass_update")[] | undefined;
|
|
88
|
+
"environment.name"?: "production" | "staging" | "dev" | "local" | "unknown" | undefined;
|
|
89
|
+
"action.reversible"?: boolean | undefined;
|
|
90
|
+
}>, {
|
|
91
|
+
"risk.severity_at_least"?: "low" | "medium" | "high" | "critical" | undefined;
|
|
92
|
+
"risk.category_in"?: ("destructive" | "data_loss" | "production_mutation" | "credential_access" | "secret_exfiltration" | "network_exfiltration" | "deployment_change" | "infrastructure_change" | "privilege_escalation" | "irreversible_action" | "mass_update")[] | undefined;
|
|
93
|
+
"environment.name"?: "production" | "staging" | "dev" | "local" | "unknown" | undefined;
|
|
94
|
+
"action.reversible"?: boolean | undefined;
|
|
95
|
+
}, {
|
|
96
|
+
"risk.severity_at_least"?: "low" | "medium" | "high" | "critical" | undefined;
|
|
97
|
+
"risk.category_in"?: ("destructive" | "data_loss" | "production_mutation" | "credential_access" | "secret_exfiltration" | "network_exfiltration" | "deployment_change" | "infrastructure_change" | "privilege_escalation" | "irreversible_action" | "mass_update")[] | undefined;
|
|
98
|
+
"environment.name"?: "production" | "staging" | "dev" | "local" | "unknown" | undefined;
|
|
99
|
+
"action.reversible"?: boolean | undefined;
|
|
100
|
+
}>;
|
|
75
101
|
export declare const PolicySchema: z.ZodEffects<z.ZodObject<{
|
|
76
102
|
name: z.ZodString;
|
|
77
103
|
description: z.ZodString;
|
|
@@ -163,7 +189,7 @@ export declare const PolicySchema: z.ZodEffects<z.ZodObject<{
|
|
|
163
189
|
at_head?: boolean | undefined;
|
|
164
190
|
}>;
|
|
165
191
|
hook: z.ZodString;
|
|
166
|
-
enforcement: z.ZodEnum<["block", "warn"]>;
|
|
192
|
+
enforcement: z.ZodEnum<["block", "warn", "require_approval"]>;
|
|
167
193
|
producers: z.ZodOptional<z.ZodArray<z.ZodDiscriminatedUnion<"kind", [z.ZodObject<{
|
|
168
194
|
kind: z.ZodLiteral<"bash">;
|
|
169
195
|
command: z.ZodString;
|
|
@@ -217,6 +243,32 @@ export declare const PolicySchema: z.ZodEffects<z.ZodObject<{
|
|
|
217
243
|
required: string[];
|
|
218
244
|
run: string[];
|
|
219
245
|
}>>;
|
|
246
|
+
when: z.ZodOptional<z.ZodEffects<z.ZodObject<{
|
|
247
|
+
"risk.severity_at_least": z.ZodOptional<z.ZodEnum<["low", "medium", "high", "critical"]>>;
|
|
248
|
+
"risk.category_in": z.ZodOptional<z.ZodArray<z.ZodEnum<["destructive", "data_loss", "production_mutation", "credential_access", "secret_exfiltration", "network_exfiltration", "deployment_change", "infrastructure_change", "privilege_escalation", "irreversible_action", "mass_update"]>, "many">>;
|
|
249
|
+
"environment.name": z.ZodOptional<z.ZodEnum<["production", "staging", "dev", "local", "unknown"]>>;
|
|
250
|
+
"action.reversible": z.ZodOptional<z.ZodBoolean>;
|
|
251
|
+
}, "strict", z.ZodTypeAny, {
|
|
252
|
+
"risk.severity_at_least"?: "low" | "medium" | "high" | "critical" | undefined;
|
|
253
|
+
"risk.category_in"?: ("destructive" | "data_loss" | "production_mutation" | "credential_access" | "secret_exfiltration" | "network_exfiltration" | "deployment_change" | "infrastructure_change" | "privilege_escalation" | "irreversible_action" | "mass_update")[] | undefined;
|
|
254
|
+
"environment.name"?: "production" | "staging" | "dev" | "local" | "unknown" | undefined;
|
|
255
|
+
"action.reversible"?: boolean | undefined;
|
|
256
|
+
}, {
|
|
257
|
+
"risk.severity_at_least"?: "low" | "medium" | "high" | "critical" | undefined;
|
|
258
|
+
"risk.category_in"?: ("destructive" | "data_loss" | "production_mutation" | "credential_access" | "secret_exfiltration" | "network_exfiltration" | "deployment_change" | "infrastructure_change" | "privilege_escalation" | "irreversible_action" | "mass_update")[] | undefined;
|
|
259
|
+
"environment.name"?: "production" | "staging" | "dev" | "local" | "unknown" | undefined;
|
|
260
|
+
"action.reversible"?: boolean | undefined;
|
|
261
|
+
}>, {
|
|
262
|
+
"risk.severity_at_least"?: "low" | "medium" | "high" | "critical" | undefined;
|
|
263
|
+
"risk.category_in"?: ("destructive" | "data_loss" | "production_mutation" | "credential_access" | "secret_exfiltration" | "network_exfiltration" | "deployment_change" | "infrastructure_change" | "privilege_escalation" | "irreversible_action" | "mass_update")[] | undefined;
|
|
264
|
+
"environment.name"?: "production" | "staging" | "dev" | "local" | "unknown" | undefined;
|
|
265
|
+
"action.reversible"?: boolean | undefined;
|
|
266
|
+
}, {
|
|
267
|
+
"risk.severity_at_least"?: "low" | "medium" | "high" | "critical" | undefined;
|
|
268
|
+
"risk.category_in"?: ("destructive" | "data_loss" | "production_mutation" | "credential_access" | "secret_exfiltration" | "network_exfiltration" | "deployment_change" | "infrastructure_change" | "privilege_escalation" | "irreversible_action" | "mass_update")[] | undefined;
|
|
269
|
+
"environment.name"?: "production" | "staging" | "dev" | "local" | "unknown" | undefined;
|
|
270
|
+
"action.reversible"?: boolean | undefined;
|
|
271
|
+
}>>;
|
|
220
272
|
}, "strict", z.ZodTypeAny, {
|
|
221
273
|
name: string;
|
|
222
274
|
description: string;
|
|
@@ -238,7 +290,7 @@ export declare const PolicySchema: z.ZodEffects<z.ZodObject<{
|
|
|
238
290
|
at_head?: boolean | undefined;
|
|
239
291
|
};
|
|
240
292
|
hook: string;
|
|
241
|
-
enforcement: "warn" | "block";
|
|
293
|
+
enforcement: "warn" | "block" | "require_approval";
|
|
242
294
|
producers?: ({
|
|
243
295
|
command: string;
|
|
244
296
|
description: string;
|
|
@@ -258,6 +310,12 @@ export declare const PolicySchema: z.ZodEffects<z.ZodObject<{
|
|
|
258
310
|
required: string[];
|
|
259
311
|
run: string[];
|
|
260
312
|
} | undefined;
|
|
313
|
+
when?: {
|
|
314
|
+
"risk.severity_at_least"?: "low" | "medium" | "high" | "critical" | undefined;
|
|
315
|
+
"risk.category_in"?: ("destructive" | "data_loss" | "production_mutation" | "credential_access" | "secret_exfiltration" | "network_exfiltration" | "deployment_change" | "infrastructure_change" | "privilege_escalation" | "irreversible_action" | "mass_update")[] | undefined;
|
|
316
|
+
"environment.name"?: "production" | "staging" | "dev" | "local" | "unknown" | undefined;
|
|
317
|
+
"action.reversible"?: boolean | undefined;
|
|
318
|
+
} | undefined;
|
|
261
319
|
}, {
|
|
262
320
|
name: string;
|
|
263
321
|
description: string;
|
|
@@ -279,7 +337,7 @@ export declare const PolicySchema: z.ZodEffects<z.ZodObject<{
|
|
|
279
337
|
at_head?: boolean | undefined;
|
|
280
338
|
};
|
|
281
339
|
hook: string;
|
|
282
|
-
enforcement: "warn" | "block";
|
|
340
|
+
enforcement: "warn" | "block" | "require_approval";
|
|
283
341
|
producers?: ({
|
|
284
342
|
command: string;
|
|
285
343
|
description: string;
|
|
@@ -299,6 +357,12 @@ export declare const PolicySchema: z.ZodEffects<z.ZodObject<{
|
|
|
299
357
|
required: string[];
|
|
300
358
|
run: string[];
|
|
301
359
|
} | undefined;
|
|
360
|
+
when?: {
|
|
361
|
+
"risk.severity_at_least"?: "low" | "medium" | "high" | "critical" | undefined;
|
|
362
|
+
"risk.category_in"?: ("destructive" | "data_loss" | "production_mutation" | "credential_access" | "secret_exfiltration" | "network_exfiltration" | "deployment_change" | "infrastructure_change" | "privilege_escalation" | "irreversible_action" | "mass_update")[] | undefined;
|
|
363
|
+
"environment.name"?: "production" | "staging" | "dev" | "local" | "unknown" | undefined;
|
|
364
|
+
"action.reversible"?: boolean | undefined;
|
|
365
|
+
} | undefined;
|
|
302
366
|
}>, {
|
|
303
367
|
name: string;
|
|
304
368
|
description: string;
|
|
@@ -320,7 +384,7 @@ export declare const PolicySchema: z.ZodEffects<z.ZodObject<{
|
|
|
320
384
|
at_head?: boolean | undefined;
|
|
321
385
|
};
|
|
322
386
|
hook: string;
|
|
323
|
-
enforcement: "warn" | "block";
|
|
387
|
+
enforcement: "warn" | "block" | "require_approval";
|
|
324
388
|
producers?: ({
|
|
325
389
|
command: string;
|
|
326
390
|
description: string;
|
|
@@ -340,6 +404,12 @@ export declare const PolicySchema: z.ZodEffects<z.ZodObject<{
|
|
|
340
404
|
required: string[];
|
|
341
405
|
run: string[];
|
|
342
406
|
} | undefined;
|
|
407
|
+
when?: {
|
|
408
|
+
"risk.severity_at_least"?: "low" | "medium" | "high" | "critical" | undefined;
|
|
409
|
+
"risk.category_in"?: ("destructive" | "data_loss" | "production_mutation" | "credential_access" | "secret_exfiltration" | "network_exfiltration" | "deployment_change" | "infrastructure_change" | "privilege_escalation" | "irreversible_action" | "mass_update")[] | undefined;
|
|
410
|
+
"environment.name"?: "production" | "staging" | "dev" | "local" | "unknown" | undefined;
|
|
411
|
+
"action.reversible"?: boolean | undefined;
|
|
412
|
+
} | undefined;
|
|
343
413
|
}, {
|
|
344
414
|
name: string;
|
|
345
415
|
description: string;
|
|
@@ -361,7 +431,7 @@ export declare const PolicySchema: z.ZodEffects<z.ZodObject<{
|
|
|
361
431
|
at_head?: boolean | undefined;
|
|
362
432
|
};
|
|
363
433
|
hook: string;
|
|
364
|
-
enforcement: "warn" | "block";
|
|
434
|
+
enforcement: "warn" | "block" | "require_approval";
|
|
365
435
|
producers?: ({
|
|
366
436
|
command: string;
|
|
367
437
|
description: string;
|
|
@@ -381,6 +451,12 @@ export declare const PolicySchema: z.ZodEffects<z.ZodObject<{
|
|
|
381
451
|
required: string[];
|
|
382
452
|
run: string[];
|
|
383
453
|
} | undefined;
|
|
454
|
+
when?: {
|
|
455
|
+
"risk.severity_at_least"?: "low" | "medium" | "high" | "critical" | undefined;
|
|
456
|
+
"risk.category_in"?: ("destructive" | "data_loss" | "production_mutation" | "credential_access" | "secret_exfiltration" | "network_exfiltration" | "deployment_change" | "infrastructure_change" | "privilege_escalation" | "irreversible_action" | "mass_update")[] | undefined;
|
|
457
|
+
"environment.name"?: "production" | "staging" | "dev" | "local" | "unknown" | undefined;
|
|
458
|
+
"action.reversible"?: boolean | undefined;
|
|
459
|
+
} | undefined;
|
|
384
460
|
}>;
|
|
385
461
|
export declare const PoliciesSchema: z.ZodEffects<z.ZodArray<z.ZodEffects<z.ZodObject<{
|
|
386
462
|
name: z.ZodString;
|
|
@@ -473,7 +549,7 @@ export declare const PoliciesSchema: z.ZodEffects<z.ZodArray<z.ZodEffects<z.ZodO
|
|
|
473
549
|
at_head?: boolean | undefined;
|
|
474
550
|
}>;
|
|
475
551
|
hook: z.ZodString;
|
|
476
|
-
enforcement: z.ZodEnum<["block", "warn"]>;
|
|
552
|
+
enforcement: z.ZodEnum<["block", "warn", "require_approval"]>;
|
|
477
553
|
producers: z.ZodOptional<z.ZodArray<z.ZodDiscriminatedUnion<"kind", [z.ZodObject<{
|
|
478
554
|
kind: z.ZodLiteral<"bash">;
|
|
479
555
|
command: z.ZodString;
|
|
@@ -527,6 +603,32 @@ export declare const PoliciesSchema: z.ZodEffects<z.ZodArray<z.ZodEffects<z.ZodO
|
|
|
527
603
|
required: string[];
|
|
528
604
|
run: string[];
|
|
529
605
|
}>>;
|
|
606
|
+
when: z.ZodOptional<z.ZodEffects<z.ZodObject<{
|
|
607
|
+
"risk.severity_at_least": z.ZodOptional<z.ZodEnum<["low", "medium", "high", "critical"]>>;
|
|
608
|
+
"risk.category_in": z.ZodOptional<z.ZodArray<z.ZodEnum<["destructive", "data_loss", "production_mutation", "credential_access", "secret_exfiltration", "network_exfiltration", "deployment_change", "infrastructure_change", "privilege_escalation", "irreversible_action", "mass_update"]>, "many">>;
|
|
609
|
+
"environment.name": z.ZodOptional<z.ZodEnum<["production", "staging", "dev", "local", "unknown"]>>;
|
|
610
|
+
"action.reversible": z.ZodOptional<z.ZodBoolean>;
|
|
611
|
+
}, "strict", z.ZodTypeAny, {
|
|
612
|
+
"risk.severity_at_least"?: "low" | "medium" | "high" | "critical" | undefined;
|
|
613
|
+
"risk.category_in"?: ("destructive" | "data_loss" | "production_mutation" | "credential_access" | "secret_exfiltration" | "network_exfiltration" | "deployment_change" | "infrastructure_change" | "privilege_escalation" | "irreversible_action" | "mass_update")[] | undefined;
|
|
614
|
+
"environment.name"?: "production" | "staging" | "dev" | "local" | "unknown" | undefined;
|
|
615
|
+
"action.reversible"?: boolean | undefined;
|
|
616
|
+
}, {
|
|
617
|
+
"risk.severity_at_least"?: "low" | "medium" | "high" | "critical" | undefined;
|
|
618
|
+
"risk.category_in"?: ("destructive" | "data_loss" | "production_mutation" | "credential_access" | "secret_exfiltration" | "network_exfiltration" | "deployment_change" | "infrastructure_change" | "privilege_escalation" | "irreversible_action" | "mass_update")[] | undefined;
|
|
619
|
+
"environment.name"?: "production" | "staging" | "dev" | "local" | "unknown" | undefined;
|
|
620
|
+
"action.reversible"?: boolean | undefined;
|
|
621
|
+
}>, {
|
|
622
|
+
"risk.severity_at_least"?: "low" | "medium" | "high" | "critical" | undefined;
|
|
623
|
+
"risk.category_in"?: ("destructive" | "data_loss" | "production_mutation" | "credential_access" | "secret_exfiltration" | "network_exfiltration" | "deployment_change" | "infrastructure_change" | "privilege_escalation" | "irreversible_action" | "mass_update")[] | undefined;
|
|
624
|
+
"environment.name"?: "production" | "staging" | "dev" | "local" | "unknown" | undefined;
|
|
625
|
+
"action.reversible"?: boolean | undefined;
|
|
626
|
+
}, {
|
|
627
|
+
"risk.severity_at_least"?: "low" | "medium" | "high" | "critical" | undefined;
|
|
628
|
+
"risk.category_in"?: ("destructive" | "data_loss" | "production_mutation" | "credential_access" | "secret_exfiltration" | "network_exfiltration" | "deployment_change" | "infrastructure_change" | "privilege_escalation" | "irreversible_action" | "mass_update")[] | undefined;
|
|
629
|
+
"environment.name"?: "production" | "staging" | "dev" | "local" | "unknown" | undefined;
|
|
630
|
+
"action.reversible"?: boolean | undefined;
|
|
631
|
+
}>>;
|
|
530
632
|
}, "strict", z.ZodTypeAny, {
|
|
531
633
|
name: string;
|
|
532
634
|
description: string;
|
|
@@ -548,7 +650,7 @@ export declare const PoliciesSchema: z.ZodEffects<z.ZodArray<z.ZodEffects<z.ZodO
|
|
|
548
650
|
at_head?: boolean | undefined;
|
|
549
651
|
};
|
|
550
652
|
hook: string;
|
|
551
|
-
enforcement: "warn" | "block";
|
|
653
|
+
enforcement: "warn" | "block" | "require_approval";
|
|
552
654
|
producers?: ({
|
|
553
655
|
command: string;
|
|
554
656
|
description: string;
|
|
@@ -568,6 +670,12 @@ export declare const PoliciesSchema: z.ZodEffects<z.ZodArray<z.ZodEffects<z.ZodO
|
|
|
568
670
|
required: string[];
|
|
569
671
|
run: string[];
|
|
570
672
|
} | undefined;
|
|
673
|
+
when?: {
|
|
674
|
+
"risk.severity_at_least"?: "low" | "medium" | "high" | "critical" | undefined;
|
|
675
|
+
"risk.category_in"?: ("destructive" | "data_loss" | "production_mutation" | "credential_access" | "secret_exfiltration" | "network_exfiltration" | "deployment_change" | "infrastructure_change" | "privilege_escalation" | "irreversible_action" | "mass_update")[] | undefined;
|
|
676
|
+
"environment.name"?: "production" | "staging" | "dev" | "local" | "unknown" | undefined;
|
|
677
|
+
"action.reversible"?: boolean | undefined;
|
|
678
|
+
} | undefined;
|
|
571
679
|
}, {
|
|
572
680
|
name: string;
|
|
573
681
|
description: string;
|
|
@@ -589,7 +697,7 @@ export declare const PoliciesSchema: z.ZodEffects<z.ZodArray<z.ZodEffects<z.ZodO
|
|
|
589
697
|
at_head?: boolean | undefined;
|
|
590
698
|
};
|
|
591
699
|
hook: string;
|
|
592
|
-
enforcement: "warn" | "block";
|
|
700
|
+
enforcement: "warn" | "block" | "require_approval";
|
|
593
701
|
producers?: ({
|
|
594
702
|
command: string;
|
|
595
703
|
description: string;
|
|
@@ -609,6 +717,12 @@ export declare const PoliciesSchema: z.ZodEffects<z.ZodArray<z.ZodEffects<z.ZodO
|
|
|
609
717
|
required: string[];
|
|
610
718
|
run: string[];
|
|
611
719
|
} | undefined;
|
|
720
|
+
when?: {
|
|
721
|
+
"risk.severity_at_least"?: "low" | "medium" | "high" | "critical" | undefined;
|
|
722
|
+
"risk.category_in"?: ("destructive" | "data_loss" | "production_mutation" | "credential_access" | "secret_exfiltration" | "network_exfiltration" | "deployment_change" | "infrastructure_change" | "privilege_escalation" | "irreversible_action" | "mass_update")[] | undefined;
|
|
723
|
+
"environment.name"?: "production" | "staging" | "dev" | "local" | "unknown" | undefined;
|
|
724
|
+
"action.reversible"?: boolean | undefined;
|
|
725
|
+
} | undefined;
|
|
612
726
|
}>, {
|
|
613
727
|
name: string;
|
|
614
728
|
description: string;
|
|
@@ -630,7 +744,7 @@ export declare const PoliciesSchema: z.ZodEffects<z.ZodArray<z.ZodEffects<z.ZodO
|
|
|
630
744
|
at_head?: boolean | undefined;
|
|
631
745
|
};
|
|
632
746
|
hook: string;
|
|
633
|
-
enforcement: "warn" | "block";
|
|
747
|
+
enforcement: "warn" | "block" | "require_approval";
|
|
634
748
|
producers?: ({
|
|
635
749
|
command: string;
|
|
636
750
|
description: string;
|
|
@@ -650,6 +764,12 @@ export declare const PoliciesSchema: z.ZodEffects<z.ZodArray<z.ZodEffects<z.ZodO
|
|
|
650
764
|
required: string[];
|
|
651
765
|
run: string[];
|
|
652
766
|
} | undefined;
|
|
767
|
+
when?: {
|
|
768
|
+
"risk.severity_at_least"?: "low" | "medium" | "high" | "critical" | undefined;
|
|
769
|
+
"risk.category_in"?: ("destructive" | "data_loss" | "production_mutation" | "credential_access" | "secret_exfiltration" | "network_exfiltration" | "deployment_change" | "infrastructure_change" | "privilege_escalation" | "irreversible_action" | "mass_update")[] | undefined;
|
|
770
|
+
"environment.name"?: "production" | "staging" | "dev" | "local" | "unknown" | undefined;
|
|
771
|
+
"action.reversible"?: boolean | undefined;
|
|
772
|
+
} | undefined;
|
|
653
773
|
}, {
|
|
654
774
|
name: string;
|
|
655
775
|
description: string;
|
|
@@ -671,7 +791,7 @@ export declare const PoliciesSchema: z.ZodEffects<z.ZodArray<z.ZodEffects<z.ZodO
|
|
|
671
791
|
at_head?: boolean | undefined;
|
|
672
792
|
};
|
|
673
793
|
hook: string;
|
|
674
|
-
enforcement: "warn" | "block";
|
|
794
|
+
enforcement: "warn" | "block" | "require_approval";
|
|
675
795
|
producers?: ({
|
|
676
796
|
command: string;
|
|
677
797
|
description: string;
|
|
@@ -691,6 +811,12 @@ export declare const PoliciesSchema: z.ZodEffects<z.ZodArray<z.ZodEffects<z.ZodO
|
|
|
691
811
|
required: string[];
|
|
692
812
|
run: string[];
|
|
693
813
|
} | undefined;
|
|
814
|
+
when?: {
|
|
815
|
+
"risk.severity_at_least"?: "low" | "medium" | "high" | "critical" | undefined;
|
|
816
|
+
"risk.category_in"?: ("destructive" | "data_loss" | "production_mutation" | "credential_access" | "secret_exfiltration" | "network_exfiltration" | "deployment_change" | "infrastructure_change" | "privilege_escalation" | "irreversible_action" | "mass_update")[] | undefined;
|
|
817
|
+
"environment.name"?: "production" | "staging" | "dev" | "local" | "unknown" | undefined;
|
|
818
|
+
"action.reversible"?: boolean | undefined;
|
|
819
|
+
} | undefined;
|
|
694
820
|
}>, "many">, {
|
|
695
821
|
name: string;
|
|
696
822
|
description: string;
|
|
@@ -712,7 +838,7 @@ export declare const PoliciesSchema: z.ZodEffects<z.ZodArray<z.ZodEffects<z.ZodO
|
|
|
712
838
|
at_head?: boolean | undefined;
|
|
713
839
|
};
|
|
714
840
|
hook: string;
|
|
715
|
-
enforcement: "warn" | "block";
|
|
841
|
+
enforcement: "warn" | "block" | "require_approval";
|
|
716
842
|
producers?: ({
|
|
717
843
|
command: string;
|
|
718
844
|
description: string;
|
|
@@ -732,6 +858,12 @@ export declare const PoliciesSchema: z.ZodEffects<z.ZodArray<z.ZodEffects<z.ZodO
|
|
|
732
858
|
required: string[];
|
|
733
859
|
run: string[];
|
|
734
860
|
} | undefined;
|
|
861
|
+
when?: {
|
|
862
|
+
"risk.severity_at_least"?: "low" | "medium" | "high" | "critical" | undefined;
|
|
863
|
+
"risk.category_in"?: ("destructive" | "data_loss" | "production_mutation" | "credential_access" | "secret_exfiltration" | "network_exfiltration" | "deployment_change" | "infrastructure_change" | "privilege_escalation" | "irreversible_action" | "mass_update")[] | undefined;
|
|
864
|
+
"environment.name"?: "production" | "staging" | "dev" | "local" | "unknown" | undefined;
|
|
865
|
+
"action.reversible"?: boolean | undefined;
|
|
866
|
+
} | undefined;
|
|
735
867
|
}[], {
|
|
736
868
|
name: string;
|
|
737
869
|
description: string;
|
|
@@ -753,7 +885,7 @@ export declare const PoliciesSchema: z.ZodEffects<z.ZodArray<z.ZodEffects<z.ZodO
|
|
|
753
885
|
at_head?: boolean | undefined;
|
|
754
886
|
};
|
|
755
887
|
hook: string;
|
|
756
|
-
enforcement: "warn" | "block";
|
|
888
|
+
enforcement: "warn" | "block" | "require_approval";
|
|
757
889
|
producers?: ({
|
|
758
890
|
command: string;
|
|
759
891
|
description: string;
|
|
@@ -773,7 +905,14 @@ export declare const PoliciesSchema: z.ZodEffects<z.ZodArray<z.ZodEffects<z.ZodO
|
|
|
773
905
|
required: string[];
|
|
774
906
|
run: string[];
|
|
775
907
|
} | undefined;
|
|
908
|
+
when?: {
|
|
909
|
+
"risk.severity_at_least"?: "low" | "medium" | "high" | "critical" | undefined;
|
|
910
|
+
"risk.category_in"?: ("destructive" | "data_loss" | "production_mutation" | "credential_access" | "secret_exfiltration" | "network_exfiltration" | "deployment_change" | "infrastructure_change" | "privilege_escalation" | "irreversible_action" | "mass_update")[] | undefined;
|
|
911
|
+
"environment.name"?: "production" | "staging" | "dev" | "local" | "unknown" | undefined;
|
|
912
|
+
"action.reversible"?: boolean | undefined;
|
|
913
|
+
} | undefined;
|
|
776
914
|
}[]>;
|
|
777
915
|
export type Policy = z.infer<typeof PolicySchema>;
|
|
778
916
|
export type Producer = z.infer<typeof ProducerSchema>;
|
|
779
917
|
export type PolicyUx = z.infer<typeof PolicyUxSchema>;
|
|
918
|
+
export type PolicyWhen = z.infer<typeof PolicyWhenSchema>;
|
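--- a/package/dist/schema/policies.js
+++ b/package/dist/schema/policies.js
@@ -1,7 +1,9 @@
 import { z } from "zod";
+import { MatchableEnvironmentSchema } from "./environments.js";
 import { ExtractMapSchema } from "./extract.js";
 import { HookEventSchema } from "./hooks.js";
 import { RequiresSchema, isBuiltinVariable, referencedVariables } from "./requires.js";
+import { RiskCategorySchema, RiskSeveritySchema } from "./risk.js";
 export const PolicyTriggerSchema = z
 .object({
 event: HookEventSchema,
@@ -11,7 +13,19 @@ export const PolicyTriggerSchema = z
 extract: ExtractMapSchema.optional(),
 })
 .strict();
-
+// How a policy acts when its `requires:` evidence is absent:
+// block — deny the tool call.
+// warn — let the call proceed, record + surface a warning.
+// require_approval — Phase 7 #5. The evaluator returns a first-class
+// `require_approval` outcome, distinct from `deny`
+// and `warn`; Phase 7 #6 makes it actually block
+// until matching approval evidence exists in the
+// ledger. A `block` / `warn` policy is unchanged.
+export const PolicyEnforcementSchema = z.enum([
+"block",
+"warn",
+"require_approval",
+]);
 // `producers:` is the structured remediation hint the policy engine
 // appends to the deny envelope. Each entry tells the agent ONE concrete
 // way to produce the ledger evidence that would unblock the gate.
@@ -79,6 +93,42 @@ export const PolicyUxSchema = z
 run: z.array(z.string().min(1)).min(1),
 })
 .strict();
+// `when:` — the risk/environment-aware match layer.
+//
+// STATUS: live as of Phase 7 #5. `harness policy intercept` ANDs a
+// declared `when:` onto the policy's `trigger:` match, evaluating it
+// against the Action Envelope enriched by the Risk Classifier (#3) and
+// Context Resolver (#4). A policy with no `when:` matches on `trigger:`
+// alone, exactly as in Phase 4. See src/runtime/when-eval.ts for the
+// evaluator and docs/risk-gate.md for the clause semantics.
+//
+// Each clause is optional and keyed by the envelope path it tests:
+// risk.severity_at_least — envelope risk severity at or above this
+// rung of the ordered scale.
+// risk.category_in — envelope risk carries any of these
+// categories.
+// environment.name — resolved environment equals this name
+// (`unknown` is matchable: unknown is not
+// safe).
+// action.reversible — envelope action reversibility flag.
+// An empty `when: {}` is rejected: it would be a silent no-op.
+export const PolicyWhenSchema = z
+.object({
+"risk.severity_at_least": RiskSeveritySchema.optional(),
+"risk.category_in": z.array(RiskCategorySchema).min(1).optional(),
+"environment.name": MatchableEnvironmentSchema.optional(),
+"action.reversible": z.boolean().optional(),
+})
+.strict()
+.superRefine((when, ctx) => {
+if (Object.keys(when).length === 0) {
+ctx.addIssue({
+code: z.ZodIssueCode.custom,
+path: [],
+message: "policy.when must declare at least one clause; an empty when: {} is a silent no-op",
+});
+}
+});
 export const PolicySchema = z
 .object({
 name: z.string().min(1),
@@ -89,6 +139,7 @@ export const PolicySchema = z
 enforcement: PolicyEnforcementSchema,
 producers: z.array(ProducerSchema).min(1).optional(),
 ux: PolicyUxSchema.optional(),
+when: PolicyWhenSchema.optional(),
 })
 .strict()
 .superRefine((policy, ctx) => {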
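Review bot: The comment above `PolicyEnforcementSchema` (hunk `@@ -11,7 +13,19 @@`) says `require_approval` only becomes blocking in Phase 7 #6, yet the schema accepts the value in this release, so a policy author who picks it now may get a gate that is weaker than `block` if the hooks do not yet treat that outcome as a deny; the comment should state what the hooks do with the outcome today, and until #6 lands the safe default is to map it to deny, e.g. `// until #6 lands, hooks treat a require_approval outcome as block (fail closed)`. The `when:` comment in hunk `@@ -79,6 +93,42 @@` deliberately makes `unknown` environments matchable because unknown is not safe, but says nothing about an envelope that carries no risk at all (a tool the classifier never matched); whichever way `when-eval` resolves that, a line such as `// an envelope with no risk never satisfies a risk.* clause` (or its converse) would stop authors from assuming a severity-gated policy still covers unclassified actions. Lastly, the empty-`when` refine tests `Object.keys(when).length === 0`, which counts keys rather than defined clauses, so a programmatic caller passing `{ "action.reversible": undefined }` could slip past a guard that YAML input cannot; `Object.values(when).every((v) => v === undefined)` is the stricter form. The `PolicySchema` refine opened in the last hunk continues outside this section.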
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"policies.js","sourceRoot":"","sources":["../../src/schema/policies.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAC7C,OAAO,EAAE,cAAc,EAAE,iBAAiB,EAAE,mBAAmB,EAAE,MAAM,eAAe,CAAC;
|
|
1
|
+
{"version":3,"file":"policies.js","sourceRoot":"","sources":["../../src/schema/policies.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,0BAA0B,EAAE,MAAM,mBAAmB,CAAC;AAC/D,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAC7C,OAAO,EAAE,cAAc,EAAE,iBAAiB,EAAE,mBAAmB,EAAE,MAAM,eAAe,CAAC;AACvF,OAAO,EAAE,kBAAkB,EAAE,kBAAkB,EAAE,MAAM,WAAW,CAAC;AAEnE,MAAM,CAAC,MAAM,mBAAmB,GAAG,CAAC;KACjC,MAAM,CAAC;IACN,KAAK,EAAE,eAAe;IACtB,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;IACnC,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;IACxC,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;IACxC,OAAO,EAAE,gBAAgB,CAAC,QAAQ,EAAE;CACrC,CAAC;KACD,MAAM,EAAE,CAAC;AAEZ,6DAA6D;AAC7D,2CAA2C;AAC3C,yEAAyE;AACzE,wEAAwE;AACxE,yEAAyE;AACzE,uEAAuE;AACvE,uEAAuE;AACvE,wEAAwE;AACxE,MAAM,CAAC,MAAM,uBAAuB,GAAG,CAAC,CAAC,IAAI,CAAC;IAC5C,OAAO;IACP,MAAM;IACN,kBAAkB;CACnB,CAAC,CAAC;AAEH,oEAAoE;AACpE,wEAAwE;AACxE,kEAAkE;AAClE,qBAAqB;AACrB,qEAAqE;AACrE,kEAAkE;AAClE,wGAAwG;AACxG,mEAAmE;AACnE,0EAA0E;AAC1E,0DAA0D;AAC1D,EAAE;AACF,uEAAuE;AACvE,wEAAwE;AACxE,oEAAoE;AACpE,6BAA6B;AAC7B,MAAM,CAAC,MAAM,cAAc,GAAG,CAAC,CAAC,kBAAkB,CAAC,MAAM,EAAE;IACzD,CAAC;SACE,MAAM,CAAC;QACN,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC;QACvB,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;QAC1B,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;KAC/B,CAAC;SACD,MAAM,EAAE;IACX,CAAC;SACE,MAAM,CAAC;QACN,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC;QACtB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;QACvB,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;QAC1B,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;KAC/B,CAAC;SACD,MAAM,EAAE;IACX,CAAC;SACE,MAAM,CAAC;QACN,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC;QACtB,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;QAC1B,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;KAC/B,CAAC;SACD,MAAM,EAAE;CACZ,CAAC,CAAC;AAEH,qEAAqE;AACrE,EAAE;AACF,oEAAoE
;AACpE,8DAA8D;AAC9D,sEAAsE;AACtE,uEAAuE;AACvE,wDAAwD;AACxD,kEAAkE;AAClE,EAAE;AACF,qEAAqE;AACrE,sEAAsE;AACtE,mEAAmE;AACnE,sEAAsE;AACtE,oEAAoE;AACpE,EAAE;AACF,sEAAsE;AACtE,sEAAsE;AACtE,qEAAqE;AACrE,cAAc;AACd,8DAA8D;AAC9D,oEAAoE;AACpE,MAAM,CAAC,MAAM,cAAc,GAAG,CAAC;KAC5B,MAAM,CAAC;IACN,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACzB,QAAQ,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IAC3C,GAAG,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;CACvC,CAAC;KACD,MAAM,EAAE,CAAC;AAEZ,oDAAoD;AACpD,EAAE;AACF,mEAAmE;AACnE,qEAAqE;AACrE,uEAAuE;AACvE,wEAAwE;AACxE,qEAAqE;AACrE,4DAA4D;AAC5D,EAAE;AACF,mEAAmE;AACnE,qEAAqE;AACrE,wDAAwD;AACxD,gEAAgE;AAChE,yCAAyC;AACzC,mEAAmE;AACnE,qEAAqE;AACrE,oCAAoC;AACpC,iEAAiE;AACjE,+DAA+D;AAC/D,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC;KAC9B,MAAM,CAAC;IACN,wBAAwB,EAAE,kBAAkB,CAAC,QAAQ,EAAE;IACvD,kBAAkB,EAAE,CAAC,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;IACjE,kBAAkB,EAAE,0BAA0B,CAAC,QAAQ,EAAE;IACzD,mBAAmB,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;CAC5C,CAAC;KACD,MAAM,EAAE;KACR,WAAW,CAAC,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE;IACzB,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACnC,GAAG,CAAC,QAAQ,CAAC;YACX,IAAI,EAAE,CAAC,CAAC,YAAY,CAAC,MAAM;YAC3B,IAAI,EAAE,EAAE;YACR,OAAO,EACL,mFAAmF;SACtF,CAAC,CAAC;IACL,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,MAAM,CAAC,MAAM,YAAY,GAAG,CAAC;KAC1B,MAAM,CAAC;IACN,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACvB,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC9B,OAAO,EAAE,mBAAmB;IAC5B,QAAQ,EAAE,cAAc;IACxB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACvB,WAAW,EAAE,uBAAuB;IACpC,SAAS,EAAE,CAAC,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;IACpD,EAAE,EAAE,cAAc,CAAC,QAAQ,EAAE;IAC7B,IAAI,EAAE,gBAAgB,CAAC,QAAQ,EAAE;CAClC,CAAC;KACD,MAAM,EAAE;KACR,WAAW,CAAC,CAAC,MAAM,EAAE,GAAG,EAAE,EAAE;IAC3B,MAAM,IAAI,GAAG,mBAAmB,CAAC,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAC,CA
AC;IAC7D,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,CAAC;IACpE,KAAK,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;QACrB,IAAI,iBAAiB,CAAC,CAAC,CAAC;YAAE,SAAS;QACnC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;YACrB,GAAG,CAAC,QAAQ,CAAC;gBACX,IAAI,EAAE,CAAC,CAAC,YAAY,CAAC,MAAM;gBAC3B,IAAI,EAAE,CAAC,UAAU,EAAE,YAAY,CAAC;gBAChC,OAAO,EAAE,qCAAqC,CAAC,sDAAsD;aACtG,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IACD,IAAI,MAAM,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;QACnC,MAAM,MAAM,GAAG,MAAM,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,KAAK,CAAC,CAAC;QAC9D,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,GAAG,CAAC,QAAQ,CAAC;gBACX,IAAI,EAAE,CAAC,CAAC,YAAY,CAAC,MAAM;gBAC3B,IAAI,EAAE,CAAC,WAAW,CAAC;gBACnB,OAAO,EACL,2HAA2H;aAC9H,CAAC,CAAC;QACL,CAAC;IACH,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,MAAM,CAAC,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC,WAAW,CAAC,CAAC,QAAQ,EAAE,GAAG,EAAE,EAAE;IAChF,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/B,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;QACxB,IAAI,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC;YACrB,GAAG,CAAC,QAAQ,CAAC;gBACX,IAAI,EAAE,CAAC,CAAC,YAAY,CAAC,MAAM;gBAC3B,IAAI,EAAE,CAAC,CAAC,EAAE,MAAM,CAAC;gBACjB,OAAO,EAAE,0BAA0B,CAAC,CAAC,IAAI,EAAE;aAC5C,CAAC,CAAC;QACL,CAAC;QACD,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;IACnB,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
|
|
@@ -0,0 +1,131 @@
|
|
|
1
|
+
import { z } from "zod";
|
|
2
|
+
export declare const RiskSeveritySchema: z.ZodEnum<["low", "medium", "high", "critical"]>;
|
|
3
|
+
export declare const RiskCategorySchema: z.ZodEnum<["destructive", "data_loss", "production_mutation", "credential_access", "secret_exfiltration", "network_exfiltration", "deployment_change", "infrastructure_change", "privilege_escalation", "irreversible_action", "mass_update"]>;
|
|
4
|
+
export declare const RiskClassifierSchema: z.ZodObject<{
|
|
5
|
+
name: z.ZodString;
|
|
6
|
+
tool: z.ZodString;
|
|
7
|
+
patterns: z.ZodArray<z.ZodEffects<z.ZodObject<{
|
|
8
|
+
pattern: z.ZodString;
|
|
9
|
+
categories: z.ZodArray<z.ZodEnum<["destructive", "data_loss", "production_mutation", "credential_access", "secret_exfiltration", "network_exfiltration", "deployment_change", "infrastructure_change", "privilege_escalation", "irreversible_action", "mass_update"]>, "many">;
|
|
10
|
+
severity: z.ZodEnum<["low", "medium", "high", "critical"]>;
|
|
11
|
+
}, "strict", z.ZodTypeAny, {
|
|
12
|
+
pattern: string;
|
|
13
|
+
categories: ("destructive" | "data_loss" | "production_mutation" | "credential_access" | "secret_exfiltration" | "network_exfiltration" | "deployment_change" | "infrastructure_change" | "privilege_escalation" | "irreversible_action" | "mass_update")[];
|
|
14
|
+
severity: "low" | "medium" | "high" | "critical";
|
|
15
|
+
}, {
|
|
16
|
+
pattern: string;
|
|
17
|
+
categories: ("destructive" | "data_loss" | "production_mutation" | "credential_access" | "secret_exfiltration" | "network_exfiltration" | "deployment_change" | "infrastructure_change" | "privilege_escalation" | "irreversible_action" | "mass_update")[];
|
|
18
|
+
severity: "low" | "medium" | "high" | "critical";
|
|
19
|
+
}>, {
|
|
20
|
+
pattern: string;
|
|
21
|
+
categories: ("destructive" | "data_loss" | "production_mutation" | "credential_access" | "secret_exfiltration" | "network_exfiltration" | "deployment_change" | "infrastructure_change" | "privilege_escalation" | "irreversible_action" | "mass_update")[];
|
|
22
|
+
severity: "low" | "medium" | "high" | "critical";
|
|
23
|
+
}, {
|
|
24
|
+
pattern: string;
|
|
25
|
+
categories: ("destructive" | "data_loss" | "production_mutation" | "credential_access" | "secret_exfiltration" | "network_exfiltration" | "deployment_change" | "infrastructure_change" | "privilege_escalation" | "irreversible_action" | "mass_update")[];
|
|
26
|
+
severity: "low" | "medium" | "high" | "critical";
|
|
27
|
+
}>, "many">;
|
|
28
|
+
}, "strict", z.ZodTypeAny, {
|
|
29
|
+
patterns: {
|
|
30
|
+
pattern: string;
|
|
31
|
+
categories: ("destructive" | "data_loss" | "production_mutation" | "credential_access" | "secret_exfiltration" | "network_exfiltration" | "deployment_change" | "infrastructure_change" | "privilege_escalation" | "irreversible_action" | "mass_update")[];
|
|
32
|
+
severity: "low" | "medium" | "high" | "critical";
|
|
33
|
+
}[];
|
|
34
|
+
name: string;
|
|
35
|
+
tool: string;
|
|
36
|
+
}, {
|
|
37
|
+
patterns: {
|
|
38
|
+
pattern: string;
|
|
39
|
+
categories: ("destructive" | "data_loss" | "production_mutation" | "credential_access" | "secret_exfiltration" | "network_exfiltration" | "deployment_change" | "infrastructure_change" | "privilege_escalation" | "irreversible_action" | "mass_update")[];
|
|
40
|
+
severity: "low" | "medium" | "high" | "critical";
|
|
41
|
+
}[];
|
|
42
|
+
name: string;
|
|
43
|
+
tool: string;
|
|
44
|
+
}>;
|
|
45
|
+
export declare const RiskSchema: z.ZodEffects<z.ZodObject<{
|
|
46
|
+
classifiers: z.ZodDefault<z.ZodArray<z.ZodObject<{
|
|
47
|
+
name: z.ZodString;
|
|
48
|
+
tool: z.ZodString;
|
|
49
|
+
patterns: z.ZodArray<z.ZodEffects<z.ZodObject<{
|
|
50
|
+
pattern: z.ZodString;
|
|
51
|
+
categories: z.ZodArray<z.ZodEnum<["destructive", "data_loss", "production_mutation", "credential_access", "secret_exfiltration", "network_exfiltration", "deployment_change", "infrastructure_change", "privilege_escalation", "irreversible_action", "mass_update"]>, "many">;
|
|
52
|
+
severity: z.ZodEnum<["low", "medium", "high", "critical"]>;
|
|
53
|
+
}, "strict", z.ZodTypeAny, {
|
|
54
|
+
pattern: string;
|
|
55
|
+
categories: ("destructive" | "data_loss" | "production_mutation" | "credential_access" | "secret_exfiltration" | "network_exfiltration" | "deployment_change" | "infrastructure_change" | "privilege_escalation" | "irreversible_action" | "mass_update")[];
|
|
56
|
+
severity: "low" | "medium" | "high" | "critical";
|
|
57
|
+
}, {
|
|
58
|
+
pattern: string;
|
|
59
|
+
categories: ("destructive" | "data_loss" | "production_mutation" | "credential_access" | "secret_exfiltration" | "network_exfiltration" | "deployment_change" | "infrastructure_change" | "privilege_escalation" | "irreversible_action" | "mass_update")[];
|
|
60
|
+
severity: "low" | "medium" | "high" | "critical";
|
|
61
|
+
}>, {
|
|
62
|
+
pattern: string;
|
|
63
|
+
categories: ("destructive" | "data_loss" | "production_mutation" | "credential_access" | "secret_exfiltration" | "network_exfiltration" | "deployment_change" | "infrastructure_change" | "privilege_escalation" | "irreversible_action" | "mass_update")[];
|
|
64
|
+
severity: "low" | "medium" | "high" | "critical";
|
|
65
|
+
}, {
|
|
66
|
+
pattern: string;
|
|
67
|
+
categories: ("destructive" | "data_loss" | "production_mutation" | "credential_access" | "secret_exfiltration" | "network_exfiltration" | "deployment_change" | "infrastructure_change" | "privilege_escalation" | "irreversible_action" | "mass_update")[];
|
|
68
|
+
severity: "low" | "medium" | "high" | "critical";
|
|
69
|
+
}>, "many">;
|
|
70
|
+
}, "strict", z.ZodTypeAny, {
|
|
71
|
+
patterns: {
|
|
72
|
+
pattern: string;
|
|
73
|
+
categories: ("destructive" | "data_loss" | "production_mutation" | "credential_access" | "secret_exfiltration" | "network_exfiltration" | "deployment_change" | "infrastructure_change" | "privilege_escalation" | "irreversible_action" | "mass_update")[];
|
|
74
|
+
severity: "low" | "medium" | "high" | "critical";
|
|
75
|
+
}[];
|
|
76
|
+
name: string;
|
|
77
|
+
tool: string;
|
|
78
|
+
}, {
|
|
79
|
+
patterns: {
|
|
80
|
+
pattern: string;
|
|
81
|
+
categories: ("destructive" | "data_loss" | "production_mutation" | "credential_access" | "secret_exfiltration" | "network_exfiltration" | "deployment_change" | "infrastructure_change" | "privilege_escalation" | "irreversible_action" | "mass_update")[];
|
|
82
|
+
severity: "low" | "medium" | "high" | "critical";
|
|
83
|
+
}[];
|
|
84
|
+
name: string;
|
|
85
|
+
tool: string;
|
|
86
|
+
}>, "many">>;
|
|
87
|
+
}, "strict", z.ZodTypeAny, {
|
|
88
|
+
classifiers: {
|
|
89
|
+
patterns: {
|
|
90
|
+
pattern: string;
|
|
91
|
+
categories: ("destructive" | "data_loss" | "production_mutation" | "credential_access" | "secret_exfiltration" | "network_exfiltration" | "deployment_change" | "infrastructure_change" | "privilege_escalation" | "irreversible_action" | "mass_update")[];
|
|
92
|
+
severity: "low" | "medium" | "high" | "critical";
|
|
93
|
+
}[];
|
|
94
|
+
name: string;
|
|
95
|
+
tool: string;
|
|
96
|
+
}[];
|
|
97
|
+
}, {
|
|
98
|
+
classifiers?: {
|
|
99
|
+
patterns: {
|
|
100
|
+
pattern: string;
|
|
101
|
+
categories: ("destructive" | "data_loss" | "production_mutation" | "credential_access" | "secret_exfiltration" | "network_exfiltration" | "deployment_change" | "infrastructure_change" | "privilege_escalation" | "irreversible_action" | "mass_update")[];
|
|
102
|
+
severity: "low" | "medium" | "high" | "critical";
|
|
103
|
+
}[];
|
|
104
|
+
name: string;
|
|
105
|
+
tool: string;
|
|
106
|
+
}[] | undefined;
|
|
107
|
+
}>, {
|
|
108
|
+
classifiers: {
|
|
109
|
+
patterns: {
|
|
110
|
+
pattern: string;
|
|
111
|
+
categories: ("destructive" | "data_loss" | "production_mutation" | "credential_access" | "secret_exfiltration" | "network_exfiltration" | "deployment_change" | "infrastructure_change" | "privilege_escalation" | "irreversible_action" | "mass_update")[];
|
|
112
|
+
severity: "low" | "medium" | "high" | "critical";
|
|
113
|
+
}[];
|
|
114
|
+
name: string;
|
|
115
|
+
tool: string;
|
|
116
|
+
}[];
|
|
117
|
+
}, {
|
|
118
|
+
classifiers?: {
|
|
119
|
+
patterns: {
|
|
120
|
+
pattern: string;
|
|
121
|
+
categories: ("destructive" | "data_loss" | "production_mutation" | "credential_access" | "secret_exfiltration" | "network_exfiltration" | "deployment_change" | "infrastructure_change" | "privilege_escalation" | "irreversible_action" | "mass_update")[];
|
|
122
|
+
severity: "low" | "medium" | "high" | "critical";
|
|
123
|
+
}[];
|
|
124
|
+
name: string;
|
|
125
|
+
tool: string;
|
|
126
|
+
}[] | undefined;
|
|
127
|
+
}>;
|
|
128
|
+
export type RiskSeverity = z.infer<typeof RiskSeveritySchema>;
|
|
129
|
+
export type RiskCategory = z.infer<typeof RiskCategorySchema>;
|
|
130
|
+
export type RiskClassifier = z.infer<typeof RiskClassifierSchema>;
|
|
131
|
+
export type RiskConfig = z.infer<typeof RiskSchema>;
|