npm - @llm-dev-ops/agentics-cli - Versions diffs - 1.4.32 → 1.4.34 - Mend

@llm-dev-ops/agentics-cli 1.4.32 → 1.4.34

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (400) hide show

package/dist/bundled-agents/policy-engine-agents/dist/security/metrics.js ADDED Viewed

@@ -0,0 +1,189 @@
+"use strict";
+/**
+ * Enterprise Metrics Module
+ *
+ * Provides structured metrics for:
+ * - Evaluation latency
+ * - Policy hit rates
+ * - Deny vs allow ratios
+ * - Validation failures
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.requestDuration = exports.rateLimitHits = exports.authAttempts = exports.activePolicies = exports.policyMutations = exports.governanceViolations = exports.validationFailures = exports.decisionCounter = exports.evaluationCounter = exports.evaluationLatency = exports.metricsRegistry = void 0;
+exports.recordEvaluation = recordEvaluation;
+exports.recordDecision = recordDecision;
+exports.recordValidationFailure = recordValidationFailure;
+exports.recordGovernanceViolation = recordGovernanceViolation;
+exports.recordMutation = recordMutation;
+exports.updateActivePolicyCount = updateActivePolicyCount;
+exports.recordAuthAttempt = recordAuthAttempt;
+exports.recordRateLimitHit = recordRateLimitHit;
+exports.recordRequestDuration = recordRequestDuration;
+exports.getMetrics = getMetrics;
+exports.getMetricsJson = getMetricsJson;
+const prom_client_1 = require("prom-client");
+// Create a dedicated registry for policy engine metrics
+exports.metricsRegistry = new prom_client_1.Registry();
+// Add default metrics
+const prom_client_2 = require("prom-client");
+(0, prom_client_2.collectDefaultMetrics)({ register: exports.metricsRegistry });
+/**
+ * Evaluation latency histogram
+ */
+exports.evaluationLatency = new prom_client_1.Histogram({
+    name: 'policy_evaluation_latency_ms',
+    help: 'Policy evaluation latency in milliseconds',
+    labelNames: ['policy_id', 'decision', 'cached'],
+    buckets: [1, 5, 10, 25, 50, 100, 250, 500, 1000],
+    registers: [exports.metricsRegistry],
+});
+/**
+ * Policy evaluation counter
+ */
+exports.evaluationCounter = new prom_client_1.Counter({
+    name: 'policy_evaluations_total',
+    help: 'Total number of policy evaluations',
+    labelNames: ['policy_id', 'decision', 'namespace'],
+    registers: [exports.metricsRegistry],
+});
+/**
+ * Deny vs Allow counter
+ */
+exports.decisionCounter = new prom_client_1.Counter({
+    name: 'policy_decisions_total',
+    help: 'Total policy decisions by type',
+    labelNames: ['decision', 'namespace', 'policy_type'],
+    registers: [exports.metricsRegistry],
+});
+/**
+ * Validation failure counter
+ */
+exports.validationFailures = new prom_client_1.Counter({
+    name: 'policy_validation_failures_total',
+    help: 'Total number of policy validation failures',
+    labelNames: ['violation_type', 'severity', 'namespace'],
+    registers: [exports.metricsRegistry],
+});
+/**
+ * Governance violation counter
+ */
+exports.governanceViolations = new prom_client_1.Counter({
+    name: 'policy_governance_violations_total',
+    help: 'Total number of governance violations',
+    labelNames: ['violation_type', 'policy_type'],
+    registers: [exports.metricsRegistry],
+});
+/**
+ * Policy mutation counter
+ */
+exports.policyMutations = new prom_client_1.Counter({
+    name: 'policy_mutations_total',
+    help: 'Total number of policy mutations',
+    labelNames: ['action', 'namespace', 'actor_type'],
+    registers: [exports.metricsRegistry],
+});
+/**
+ * Active policies gauge
+ */
+exports.activePolicies = new prom_client_1.Gauge({
+    name: 'policy_active_count',
+    help: 'Number of currently active policies',
+    labelNames: ['namespace', 'policy_type'],
+    registers: [exports.metricsRegistry],
+});
+/**
+ * Authentication attempts counter
+ */
+exports.authAttempts = new prom_client_1.Counter({
+    name: 'policy_auth_attempts_total',
+    help: 'Total authentication attempts',
+    labelNames: ['result', 'identity_type'],
+    registers: [exports.metricsRegistry],
+});
+/**
+ * Rate limit hits counter
+ */
+exports.rateLimitHits = new prom_client_1.Counter({
+    name: 'policy_rate_limit_hits_total',
+    help: 'Total rate limit hits',
+    labelNames: ['endpoint', 'identity'],
+    registers: [exports.metricsRegistry],
+});
+/**
+ * Request duration histogram
+ */
+exports.requestDuration = new prom_client_1.Histogram({
+    name: 'policy_request_duration_ms',
+    help: 'HTTP request duration in milliseconds',
+    labelNames: ['method', 'path', 'status'],
+    buckets: [5, 10, 25, 50, 100, 250, 500, 1000, 2500, 5000],
+    registers: [exports.metricsRegistry],
+});
+/**
+ * Record an evaluation metric
+ */
+function recordEvaluation(policyId, decision, namespace, latencyMs, cached) {
+    exports.evaluationLatency.observe({ policy_id: policyId, decision, cached: String(cached) }, latencyMs);
+    exports.evaluationCounter.inc({ policy_id: policyId, decision, namespace });
+}
+/**
+ * Record a decision metric
+ */
+function recordDecision(decision, namespace, policyType) {
+    exports.decisionCounter.inc({ decision, namespace, policy_type: policyType });
+}
+/**
+ * Record a validation failure
+ */
+function recordValidationFailure(violationType, severity, namespace) {
+    exports.validationFailures.inc({ violation_type: violationType, severity, namespace });
+}
+/**
+ * Record a governance violation
+ */
+function recordGovernanceViolation(violationType, policyType) {
+    exports.governanceViolations.inc({ violation_type: violationType, policy_type: policyType });
+}
+/**
+ * Record a policy mutation
+ */
+function recordMutation(action, namespace, actorType) {
+    exports.policyMutations.inc({ action, namespace, actor_type: actorType });
+}
+/**
+ * Update active policy count
+ */
+function updateActivePolicyCount(namespace, policyType, count) {
+    exports.activePolicies.set({ namespace, policy_type: policyType }, count);
+}
+/**
+ * Record authentication attempt
+ */
+function recordAuthAttempt(result, identityType) {
+    exports.authAttempts.inc({ result, identity_type: identityType });
+}
+/**
+ * Record rate limit hit
+ */
+function recordRateLimitHit(endpoint, identity) {
+    exports.rateLimitHits.inc({ endpoint, identity });
+}
+/**
+ * Record request duration
+ */
+function recordRequestDuration(method, path, status, durationMs) {
+    exports.requestDuration.observe({ method, path, status: String(status) }, durationMs);
+}
+/**
+ * Get metrics in Prometheus format
+ */
+async function getMetrics() {
+    return exports.metricsRegistry.metrics();
+}
+/**
+ * Get metrics as JSON (for debugging)
+ */
+async function getMetricsJson() {
+    return exports.metricsRegistry.getMetricsAsJSON();
+}
+//# sourceMappingURL=metrics.js.map

package/dist/bundled-agents/policy-engine-agents/dist/security/metrics.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"metrics.js","sourceRoot":"","sources":["../../src/security/metrics.ts"],"names":[],"mappings":";AAAA;;;;;;;;GAQG;;;AAoHH,4CAaC;AAKD,wCAMC;AAKD,0DAMC;AAKD,8DAKC;AAKD,wCAMC;AAKD,0DAMC;AAKD,8CAKC;AAKD,gDAEC;AAKD,sDAOC;AAKD,gCAEC;AAKD,wCAEC;AAhOD,6CAAkE;AAElE,wDAAwD;AAC3C,QAAA,eAAe,GAAG,IAAI,sBAAQ,EAAE,CAAC;AAE9C,sBAAsB;AACtB,6CAAoD;AACpD,IAAA,mCAAqB,EAAC,EAAE,QAAQ,EAAE,uBAAe,EAAE,CAAC,CAAC;AAErD;;GAEG;AACU,QAAA,iBAAiB,GAAG,IAAI,uBAAS,CAAC;IAC7C,IAAI,EAAE,8BAA8B;IACpC,IAAI,EAAE,2CAA2C;IACjD,UAAU,EAAE,CAAC,WAAW,EAAE,UAAU,EAAE,QAAQ,CAAC;IAC/C,OAAO,EAAE,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC;IAChD,SAAS,EAAE,CAAC,uBAAe,CAAC;CAC7B,CAAC,CAAC;AAEH;;GAEG;AACU,QAAA,iBAAiB,GAAG,IAAI,qBAAO,CAAC;IAC3C,IAAI,EAAE,0BAA0B;IAChC,IAAI,EAAE,oCAAoC;IAC1C,UAAU,EAAE,CAAC,WAAW,EAAE,UAAU,EAAE,WAAW,CAAC;IAClD,SAAS,EAAE,CAAC,uBAAe,CAAC;CAC7B,CAAC,CAAC;AAEH;;GAEG;AACU,QAAA,eAAe,GAAG,IAAI,qBAAO,CAAC;IACzC,IAAI,EAAE,wBAAwB;IAC9B,IAAI,EAAE,gCAAgC;IACtC,UAAU,EAAE,CAAC,UAAU,EAAE,WAAW,EAAE,aAAa,CAAC;IACpD,SAAS,EAAE,CAAC,uBAAe,CAAC;CAC7B,CAAC,CAAC;AAEH;;GAEG;AACU,QAAA,kBAAkB,GAAG,IAAI,qBAAO,CAAC;IAC5C,IAAI,EAAE,kCAAkC;IACxC,IAAI,EAAE,4CAA4C;IAClD,UAAU,EAAE,CAAC,gBAAgB,EAAE,UAAU,EAAE,WAAW,CAAC;IACvD,SAAS,EAAE,CAAC,uBAAe,CAAC;CAC7B,CAAC,CAAC;AAEH;;GAEG;AACU,QAAA,oBAAoB,GAAG,IAAI,qBAAO,CAAC;IAC9C,IAAI,EAAE,oCAAoC;IAC1C,IAAI,EAAE,uCAAuC;IAC7C,UAAU,EAAE,CAAC,gBAAgB,EAAE,aAAa,CAAC;IAC7C,SAAS,EAAE,CAAC,uBAAe,CAAC;CAC7B,CAAC,CAAC;AAEH;;GAEG;AACU,QAAA,eAAe,GAAG,IAAI,qBAAO,CAAC;IACzC,IAAI,EAAE,wBAAwB;IAC9B,IAAI,EAAE,kCAAkC;IACxC,UAAU,EAAE,CAAC,QAAQ,EAAE,WAAW,EAAE,YAAY,CAAC;IACjD,SAAS,EAAE,CAAC,uBAAe,CAAC;CAC7B,CAAC,CAAC;AAEH;;GAEG;AACU,QAAA,cAAc,GAAG,IAAI,mBAAK,CAAC;IACtC,IAAI,EAAE,qBAAqB;IAC3B,IAAI,EAAE,qCAAqC;IAC3C,UAAU,EAAE,CAAC,WAAW,EAAE,aAAa,CAAC;IACxC,SAAS,EAAE,CAAC,uBAAe,CAAC;CAC7B,CAAC,CAAC;AAEH;;GAEG;AACU,QAAA,YAAY,GAAG,IAAI,qBAAO,CAAC;IACtC,IAAI,EAAE,4BAA4B;IAClC,IAAI,EAAE,+BAA+B;IACrC,UAAU,EAAE,CAAC,QAAQ,EAAE,eAAe,CAAC;IACvC,SAAS,EAAE,CAAC,uBAAe,CAAC;CAC7B,CAAC,CAAC;AAEH;;GAEG;AACU,QAAA,aAAa,GAAG,IAAI,qBAAO,CAAC;IACvC,IAAI,EAAE,8BAA8B;IACpC,IAAI,EAAE,uBAAuB;IAC7B,UAAU,EAAE,CAAC,UAAU,EAAE,UAAU,CAAC;IACpC,SAAS,EAAE,CAAC,uBAAe,CAAC;CAC7B,CAAC,CAAC;AAEH;;GAEG;AACU,QAAA,eAAe,GAAG,IAAI,uBAAS,CAAC;IAC3C,IAAI,EAAE,4BAA4B;IAClC,IAAI,EAAE,uCAAuC;IAC7C,UAAU,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC;IACxC,OAAO,EAAE,CAAC,CAAC,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC;IACzD,SAAS,EAAE,CAAC,uBAAe,CAAC;CAC7B,CAAC,CAAC;AAEH;;GAEG;AACH,SAAgB,gBAAgB,CAC9B,QAAgB,EAChB,QAAgB,EAChB,SAAiB,EACjB,SAAiB,EACjB,MAAe;IAEf,yBAAiB,CAAC,OAAO,CACvB,EAAE,SAAS,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,EAAE,EACzD,SAAS,CACV,CAAC;IAEF,yBAAiB,CAAC,GAAG,CAAC,EAAE,SAAS,EAAE,QAAQ,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC,CAAC;AACtE,CAAC;AAED;;GAEG;AACH,SAAgB,cAAc,CAC5B,QAAgB,EAChB,SAAiB,EACjB,UAAkB;IAElB,uBAAe,CAAC,GAAG,CAAC,EAAE,QAAQ,EAAE,SAAS,EAAE,WAAW,EAAE,UAAU,EAAE,CAAC,CAAC;AACxE,CAAC;AAED;;GAEG;AACH,SAAgB,uBAAuB,CACrC,aAAqB,EACrB,QAAgB,EAChB,SAAiB;IAEjB,0BAAkB,CAAC,GAAG,CAAC,EAAE,cAAc,EAAE,aAAa,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC,CAAC;AACjF,CAAC;AAED;;GAEG;AACH,SAAgB,yBAAyB,CACvC,aAAqB,EACrB,UAAkB;IAElB,4BAAoB,CAAC,GAAG,CAAC,EAAE,cAAc,EAAE,aAAa,EAAE,WAAW,EAAE,UAAU,EAAE,CAAC,CAAC;AACvF,CAAC;AAED;;GAEG;AACH,SAAgB,cAAc,CAC5B,MAAc,EACd,SAAiB,EACjB,SAAiB;IAEjB,uBAAe,CAAC,GAAG,CAAC,EAAE,MAAM,EAAE,SAAS,EAAE,UAAU,EAAE,SAAS,EAAE,CAAC,CAAC;AACpE,CAAC;AAED;;GAEG;AACH,SAAgB,uBAAuB,CACrC,SAAiB,EACjB,UAAkB,EAClB,KAAa;IAEb,sBAAc,CAAC,GAAG,CAAC,EAAE,SAAS,EAAE,WAAW,EAAE,UAAU,EAAE,EAAE,KAAK,CAAC,CAAC;AACpE,CAAC;AAED;;GAEG;AACH,SAAgB,iBAAiB,CAC/B,MAA6B,EAC7B,YAAoB;IAEpB,oBAAY,CAAC,GAAG,CAAC,EAAE,MAAM,EAAE,aAAa,EAAE,YAAY,EAAE,CAAC,CAAC;AAC5D,CAAC;AAED;;GAEG;AACH,SAAgB,kBAAkB,CAAC,QAAgB,EAAE,QAAgB;IACnE,qBAAa,CAAC,GAAG,CAAC,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC,CAAC;AAC5C,CAAC;AAED;;GAEG;AACH,SAAgB,qBAAqB,CACnC,MAAc,EACd,IAAY,EACZ,MAAc,EACd,UAAkB;IAElB,uBAAe,CAAC,OAAO,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,EAAE,EAAE,UAAU,CAAC,CAAC;AAChF,CAAC;AAED;;GAEG;AACI,KAAK,UAAU,UAAU;IAC9B,OAAO,uBAAe,CAAC,OAAO,EAAE,CAAC;AACnC,CAAC;AAED;;GAEG;AACI,KAAK,UAAU,cAAc;IAClC,OAAO,uBAAe,CAAC,gBAAgB,EAAE,CAAC;AAC5C,CAAC"}

package/dist/bundled-agents/policy-engine-agents/dist/security/policy-governance.d.ts ADDED Viewed

@@ -0,0 +1,69 @@
+/**
+ * Policy Governance Module
+ *
+ * Enforces enterprise governance rules:
+ * - Fail-closed validation
+ * - Production safety checks
+ * - Approval requirements for security/compliance policies
+ */
+import { Policy, PolicyStatus } from '../types/policy';
+/**
+ * Governance violation types
+ */
+export type GovernanceViolationType = 'MISSING_CONDITIONS' | 'CONFLICTING_RULES' | 'DENY_WITHOUT_SCOPE' | 'MISSING_ENVIRONMENT' | 'MISSING_APPROVAL' | 'INVALID_RULE_STRUCTURE' | 'CRITICAL_RESOURCE_DENY';
+/**
+ * Governance violation details
+ */
+export interface GovernanceViolation {
+    type: GovernanceViolationType;
+    severity: 'error' | 'critical';
+    message: string;
+    ruleId?: string;
+    ruleName?: string;
+    details?: Record<string, unknown>;
+}
+/**
+ * Governance check result
+ */
+export interface GovernanceCheckResult {
+    valid: boolean;
+    violations: GovernanceViolation[];
+    requiresApproval: boolean;
+    approvalReason?: string;
+    riskLevel: 'low' | 'medium' | 'high' | 'critical';
+}
+/**
+ * Policy type classification
+ */
+export type PolicyType = 'security' | 'compliance' | 'cost' | 'operational' | 'general';
+/**
+ * Detect policy type from tags and namespace
+ */
+export declare function detectPolicyType(policy: Policy): PolicyType;
+/**
+ * Check if policy targets production environment
+ */
+export declare function isProductionPolicy(policy: Policy): boolean;
+/**
+ * Main governance check function
+ * Enforces fail-closed validation
+ */
+export declare function validatePolicyGovernance(policy: Policy, options?: {
+    isEnabling?: boolean;
+    hasApproval?: boolean;
+    approvedBy?: string;
+}): GovernanceCheckResult;
+/**
+ * Enforce governance - throws if validation fails
+ * Use this in mutation endpoints for fail-closed behavior
+ */
+export declare function enforceGovernance(policy: Policy, options?: {
+    isEnabling?: boolean;
+    hasApproval?: boolean;
+    approvedBy?: string;
+}): void;
+/**
+ * Check if a status change requires approval
+ */
+export declare function requiresApprovalForStatusChange(policy: Policy, oldStatus: PolicyStatus, newStatus: PolicyStatus): boolean;
+//# sourceMappingURL=policy-governance.d.ts.map

package/dist/bundled-agents/policy-engine-agents/dist/security/policy-governance.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"policy-governance.d.ts","sourceRoot":"","sources":["../../src/security/policy-governance.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,MAAM,EAAc,YAAY,EAAmC,MAAM,iBAAiB,CAAC;AAIpG;;GAEG;AACH,MAAM,MAAM,uBAAuB,GAC/B,oBAAoB,GACpB,mBAAmB,GACnB,oBAAoB,GACpB,qBAAqB,GACrB,kBAAkB,GAClB,wBAAwB,GACxB,wBAAwB,CAAC;AAE7B;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,IAAI,EAAE,uBAAuB,CAAC;IAC9B,QAAQ,EAAE,OAAO,GAAG,UAAU,CAAC;IAC/B,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACnC;AAED;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC,KAAK,EAAE,OAAO,CAAC;IACf,UAAU,EAAE,mBAAmB,EAAE,CAAC;IAClC,gBAAgB,EAAE,OAAO,CAAC;IAC1B,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,SAAS,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,UAAU,CAAC;CACnD;AAED;;GAEG;AACH,MAAM,MAAM,UAAU,GAAG,UAAU,GAAG,YAAY,GAAG,MAAM,GAAG,aAAa,GAAG,SAAS,CAAC;AAExF;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,MAAM,GAAG,UAAU,CAyB3D;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAiB1D;AA6MD;;;GAGG;AACH,wBAAgB,wBAAwB,CACtC,MAAM,EAAE,MAAM,EACd,OAAO,GAAE;IACP,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,UAAU,CAAC,EAAE,MAAM,CAAC;CAChB,GACL,qBAAqB,CAyEvB;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAC/B,MAAM,EAAE,MAAM,EACd,OAAO,GAAE;IACP,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,UAAU,CAAC,EAAE,MAAM,CAAC;CAChB,GACL,IAAI,CAeN;AAED;;GAEG;AACH,wBAAgB,+BAA+B,CAC7C,MAAM,EAAE,MAAM,EACd,SAAS,EAAE,YAAY,EACvB,SAAS,EAAE,YAAY,GACtB,OAAO,CAUT"}

package/dist/bundled-agents/policy-engine-agents/dist/security/policy-governance.js ADDED Viewed

@@ -0,0 +1,327 @@
+"use strict";
+/**
+ * Policy Governance Module
+ *
+ * Enforces enterprise governance rules:
+ * - Fail-closed validation
+ * - Production safety checks
+ * - Approval requirements for security/compliance policies
+ */
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.detectPolicyType = detectPolicyType;
+exports.isProductionPolicy = isProductionPolicy;
+exports.validatePolicyGovernance = validatePolicyGovernance;
+exports.enforceGovernance = enforceGovernance;
+exports.requiresApprovalForStatusChange = requiresApprovalForStatusChange;
+const policy_1 = require("../types/policy");
+const errors_1 = require("@utils/errors");
+const logger_1 = __importDefault(require("@utils/logger"));
+/**
+ * Detect policy type from tags and namespace
+ */
+function detectPolicyType(policy) {
+    const tags = policy.metadata.tags?.map(t => t.toLowerCase()) || [];
+    const namespace = policy.metadata.namespace.toLowerCase();
+    const name = policy.metadata.name.toLowerCase();
+    if (tags.includes('security') || namespace.includes('security') || name.includes('security')) {
+        return 'security';
+    }
+    if (tags.includes('compliance') || namespace.includes('compliance') || name.includes('audit')) {
+        return 'compliance';
+    }
+    if (tags.includes('cost') || namespace.includes('cost') || name.includes('budget')) {
+        return 'cost';
+    }
+    if (tags.includes('operational') || namespace.includes('ops')) {
+        return 'operational';
+    }
+    // Check rules for security indicators
+    const hasDenyRules = policy.rules.some(r => r.action.decision === policy_1.DecisionType.DENY);
+    if (hasDenyRules) {
+        return 'security';
+    }
+    return 'general';
+}
+/**
+ * Check if policy targets production environment
+ */
+function isProductionPolicy(policy) {
+    const namespace = policy.metadata.namespace.toLowerCase();
+    const tags = policy.metadata.tags?.map(t => t.toLowerCase()) || [];
+    // Explicit production indicators
+    if (namespace.includes('prod') || tags.includes('production') || tags.includes('prod')) {
+        return true;
+    }
+    // Policies without explicit environment are implicitly production
+    const hasExplicitEnv = tags.some(t => ['dev', 'development', 'staging', 'test', 'qa'].includes(t)) || ['dev', 'development', 'staging', 'test', 'qa'].some(e => namespace.includes(e));
+    return !hasExplicitEnv;
+}
+/**
+ * Check if a rule targets critical resources
+ */
+function isCriticalResource(rule) {
+    const criticalPatterns = [
+        'admin', 'root', 'system', 'database', 'credentials',
+        'secret', 'key', 'token', 'password', 'auth', 'pii',
+        'financial', 'payment', 'ssn', 'health', 'hipaa',
+    ];
+    const ruleName = rule.name.toLowerCase();
+    const ruleDesc = (rule.description || '').toLowerCase();
+    const conditionField = rule.condition.field?.toLowerCase() || '';
+    return criticalPatterns.some(pattern => ruleName.includes(pattern) ||
+        ruleDesc.includes(pattern) ||
+        conditionField.includes(pattern));
+}
+/**
+ * Validate rule has proper conditions (fail-closed)
+ */
+function validateRuleConditions(rule) {
+    const violations = [];
+    // Rule must have a condition
+    if (!rule.condition) {
+        violations.push({
+            type: 'MISSING_CONDITIONS',
+            severity: 'critical',
+            message: `Rule '${rule.name}' has no conditions - fail-closed requires explicit conditions`,
+            ruleId: rule.id,
+            ruleName: rule.name,
+        });
+        return violations;
+    }
+    // Non-composite conditions must have a field
+    const isComposite = [policy_1.ConditionOperator.AND, policy_1.ConditionOperator.OR, policy_1.ConditionOperator.NOT]
+        .includes(rule.condition.operator);
+    if (!isComposite && !rule.condition.field) {
+        violations.push({
+            type: 'MISSING_CONDITIONS',
+            severity: 'critical',
+            message: `Rule '${rule.name}' has no condition field - ambiguous evaluation`,
+            ruleId: rule.id,
+            ruleName: rule.name,
+        });
+    }
+    // Composite conditions must have nested conditions
+    if (isComposite && (!rule.condition.conditions || rule.condition.conditions.length === 0)) {
+        violations.push({
+            type: 'INVALID_RULE_STRUCTURE',
+            severity: 'critical',
+            message: `Rule '${rule.name}' has composite operator but no nested conditions`,
+            ruleId: rule.id,
+            ruleName: rule.name,
+        });
+    }
+    return violations;
+}
+/**
+ * Validate deny rules have proper scope
+ */
+function validateDenyRuleScope(rule, policy) {
+    const violations = [];
+    if (rule.action.decision !== policy_1.DecisionType.DENY) {
+        return violations;
+    }
+    // Deny rules on critical resources need explicit environment
+    if (isCriticalResource(rule)) {
+        const hasExplicitEnv = policy.metadata.tags?.some(t => ['production', 'staging', 'development', 'test'].includes(t.toLowerCase()));
+        if (!hasExplicitEnv) {
+            violations.push({
+                type: 'DENY_WITHOUT_SCOPE',
+                severity: 'critical',
+                message: `Deny rule '${rule.name}' on critical resource requires explicit environment tag`,
+                ruleId: rule.id,
+                ruleName: rule.name,
+                details: { resource: 'critical' },
+            });
+        }
+        // Check for explicit scope in condition
+        const hasExplicitScope = rule.condition.field?.includes('scope') ||
+            rule.condition.field?.includes('namespace') ||
+            rule.condition.field?.includes('environment');
+        if (!hasExplicitScope && !hasExplicitEnv) {
+            violations.push({
+                type: 'CRITICAL_RESOURCE_DENY',
+                severity: 'critical',
+                message: `Deny rule '${rule.name}' on critical resource requires explicit scope condition`,
+                ruleId: rule.id,
+                ruleName: rule.name,
+            });
+        }
+    }
+    return violations;
+}
+/**
+ * Detect conflicting rules
+ */
+function detectConflictingRules(rules) {
+    const violations = [];
+    // Group rules by condition field
+    const rulesByField = new Map();
+    for (const rule of rules) {
+        if (rule.enabled === false)
+            continue;
+        const field = rule.condition.field || 'composite';
+        if (!rulesByField.has(field)) {
+            rulesByField.set(field, []);
+        }
+        rulesByField.get(field).push(rule);
+    }
+    // Check for conflicting decisions on same field
+    for (const [field, fieldRules] of rulesByField) {
+        if (fieldRules.length < 2)
+            continue;
+        const allowRules = fieldRules.filter(r => r.action.decision === policy_1.DecisionType.ALLOW);
+        const denyRules = fieldRules.filter(r => r.action.decision === policy_1.DecisionType.DENY);
+        if (allowRules.length > 0 && denyRules.length > 0) {
+            // Check if they have overlapping conditions (simplified check)
+            for (const allow of allowRules) {
+                for (const deny of denyRules) {
+                    if (allow.condition.value === deny.condition.value) {
+                        violations.push({
+                            type: 'CONFLICTING_RULES',
+                            severity: 'critical',
+                            message: `Rules '${allow.name}' and '${deny.name}' have conflicting ALLOW/DENY on same condition`,
+                            details: {
+                                field,
+                                allowRule: allow.id,
+                                denyRule: deny.id,
+                            },
+                        });
+                    }
+                }
+            }
+        }
+    }
+    return violations;
+}
+/**
+ * Check if policy requires approval
+ */
+function checkApprovalRequirement(policy, policyType, isEnabling) {
+    // Security policies always require approval to enable
+    if (policyType === 'security' && isEnabling) {
+        return {
+            required: true,
+            reason: 'Security policies require approval before enabling',
+        };
+    }
+    // Compliance policies always require approval to enable
+    if (policyType === 'compliance' && isEnabling) {
+        return {
+            required: true,
+            reason: 'Compliance policies require approval before enabling',
+        };
+    }
+    // Production policies with deny rules require approval
+    if (isProductionPolicy(policy) && isEnabling) {
+        const hasDenyRules = policy.rules.some(r => r.action.decision === policy_1.DecisionType.DENY && r.enabled !== false);
+        if (hasDenyRules) {
+            return {
+                required: true,
+                reason: 'Production policies with deny rules require approval',
+            };
+        }
+    }
+    return { required: false };
+}
+/**
+ * Main governance check function
+ * Enforces fail-closed validation
+ */
+function validatePolicyGovernance(policy, options = {}) {
+    const violations = [];
+    const policyType = detectPolicyType(policy);
+    const isProduction = isProductionPolicy(policy);
+    // 1. Validate all rules have proper conditions (fail-closed)
+    for (const rule of policy.rules) {
+        if (rule.enabled === false)
+            continue;
+        violations.push(...validateRuleConditions(rule));
+        violations.push(...validateDenyRuleScope(rule, policy));
+    }
+    // 2. Detect conflicting rules
+    violations.push(...detectConflictingRules(policy.rules));
+    // 3. Check for production environment requirements
+    if (isProduction && !policy.metadata.tags?.some(t => t.toLowerCase() === 'production')) {
+        // Implicitly production - require explicit marking for clarity
+        logger_1.default.warn({
+            policyId: policy.metadata.id,
+            namespace: policy.metadata.namespace,
+        }, 'Policy implicitly affects production - consider adding explicit production tag');
+    }
+    // 4. Check approval requirements
+    const approvalCheck = checkApprovalRequirement(policy, policyType, options.isEnabling || false);
+    if (approvalCheck.required && !options.hasApproval) {
+        violations.push({
+            type: 'MISSING_APPROVAL',
+            severity: 'critical',
+            message: approvalCheck.reason || 'This policy change requires approval',
+        });
+    }
+    // 5. Calculate risk level
+    const criticalCount = violations.filter(v => v.severity === 'critical').length;
+    const errorCount = violations.filter(v => v.severity === 'error').length;
+    let riskLevel;
+    if (criticalCount > 0) {
+        riskLevel = 'critical';
+    }
+    else if (errorCount > 0 || policyType === 'security') {
+        riskLevel = 'high';
+    }
+    else if (isProduction || policyType === 'compliance') {
+        riskLevel = 'medium';
+    }
+    else {
+        riskLevel = 'low';
+    }
+    const result = {
+        valid: violations.length === 0,
+        violations,
+        requiresApproval: approvalCheck.required,
+        approvalReason: approvalCheck.reason,
+        riskLevel,
+    };
+    if (!result.valid) {
+        logger_1.default.warn({
+            policyId: policy.metadata.id,
+            policyName: policy.metadata.name,
+            violationCount: violations.length,
+            violations: violations.map(v => ({
+                type: v.type,
+                severity: v.severity,
+                message: v.message,
+            })),
+        }, 'Policy governance validation failed');
+    }
+    return result;
+}
+/**
+ * Enforce governance - throws if validation fails
+ * Use this in mutation endpoints for fail-closed behavior
+ */
+function enforceGovernance(policy, options = {}) {
+    const result = validatePolicyGovernance(policy, options);
+    if (!result.valid) {
+        const criticalViolations = result.violations.filter(v => v.severity === 'critical');
+        throw new errors_1.PolicyValidationError(`Governance validation failed: ${criticalViolations.length} critical violation(s)`, {
+            violations: result.violations,
+            riskLevel: result.riskLevel,
+            requiresApproval: result.requiresApproval,
+        });
+    }
+}
+/**
+ * Check if a status change requires approval
+ */
+function requiresApprovalForStatusChange(policy, oldStatus, newStatus) {
+    // Enabling a policy (draft/deprecated -> active) requires approval for security/compliance
+    const isEnabling = newStatus === policy_1.PolicyStatus.ACTIVE && oldStatus !== policy_1.PolicyStatus.ACTIVE;
+    if (!isEnabling) {
+        return false;
+    }
+    const policyType = detectPolicyType(policy);
+    return policyType === 'security' || policyType === 'compliance';
+}
+//# sourceMappingURL=policy-governance.js.map

package/dist/bundled-agents/policy-engine-agents/dist/security/policy-governance.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"policy-governance.js","sourceRoot":"","sources":["../../src/security/policy-governance.ts"],"names":[],"mappings":";AAAA;;;;;;;GAOG;;;;;AAiDH,4CAyBC;AAKD,gDAiBC;AAiND,4DAgFC;AAMD,8CAsBC;AAKD,0EAcC;AA9aD,4CAAoG;AACpG,0CAAsD;AACtD,2DAAmC;AA0CnC;;GAEG;AACH,SAAgB,gBAAgB,CAAC,MAAc;IAC7C,MAAM,IAAI,GAAG,MAAM,CAAC,QAAQ,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,IAAI,EAAE,CAAC;IACnE,MAAM,SAAS,GAAG,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAC,WAAW,EAAE,CAAC;IAC1D,MAAM,IAAI,GAAG,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;IAEhD,IAAI,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;QAC7F,OAAO,UAAU,CAAC;IACpB,CAAC;IACD,IAAI,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QAC9F,OAAO,YAAY,CAAC;IACtB,CAAC;IACD,IAAI,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;QACnF,OAAO,MAAM,CAAC;IAChB,CAAC;IACD,IAAI,IAAI,CAAC,QAAQ,CAAC,aAAa,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;QAC9D,OAAO,aAAa,CAAC;IACvB,CAAC;IAED,sCAAsC;IACtC,MAAM,YAAY,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,QAAQ,KAAK,qBAAY,CAAC,IAAI,CAAC,CAAC;IACrF,IAAI,YAAY,EAAE,CAAC;QACjB,OAAO,UAAU,CAAC;IACpB,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;GAEG;AACH,SAAgB,kBAAkB,CAAC,MAAc;IAC/C,MAAM,SAAS,GAAG,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAC,WAAW,EAAE,CAAC;IAC1D,MAAM,IAAI,GAAG,MAAM,CAAC,QAAQ,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,IAAI,EAAE,CAAC;IAEnE,iCAAiC;IACjC,IAAI,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QACvF,OAAO,IAAI,CAAC;IACd,CAAC;IAED,kEAAkE;IAClE,MAAM,cAAc,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CACnC,CAAC,KAAK,EAAE,aAAa,EAAE,SAAS,EAAE,MAAM,EAAE,IAAI,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAC5D,IAAI,CAAC,KAAK,EAAE,aAAa,EAAE,SAAS,EAAE,MAAM,EAAE,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAC5D,SAAS,CAAC,QAAQ,CAAC,CAAC,CAAC,CACtB,CAAC;IAEF,OAAO,CAAC,cAAc,CAAC;AACzB,CAAC;AAED;;GAEG;AACH,SAAS,kBAAkB,CAAC,IAAgB;IAC1C,MAAM,gBAAgB,GAAG;QACvB,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,UAAU,EAAE,aAAa;QACpD,QAAQ,EAAE,KAAK,EAAE,OAAO,EAAE,UAAU,EAAE,MAAM,EAAE,KAAK;QACnD,WAAW,EAAE,SAAS,EAAE,KAAK,EAAE,QAAQ,EAAE,OAAO;KACjD,CAAC;IAEF,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;IACzC,MAAM,QAAQ,GAAG,CAAC,IAAI,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;IACxD,MAAM,cAAc,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC;IAEjE,OAAO,gBAAgB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CACrC,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC;QAC1B,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC;QAC1B,cAAc,CAAC,QAAQ,CAAC,OAAO,CAAC,CACjC,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,sBAAsB,CAAC,IAAgB;IAC9C,MAAM,UAAU,GAA0B,EAAE,CAAC;IAE7C,6BAA6B;IAC7B,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC;QACpB,UAAU,CAAC,IAAI,CAAC;YACd,IAAI,EAAE,oBAAoB;YAC1B,QAAQ,EAAE,UAAU;YACpB,OAAO,EAAE,SAAS,IAAI,CAAC,IAAI,gEAAgE;YAC3F,MAAM,EAAE,IAAI,CAAC,EAAE;YACf,QAAQ,EAAE,IAAI,CAAC,IAAI;SACpB,CAAC,CAAC;QACH,OAAO,UAAU,CAAC;IACpB,CAAC;IAED,6CAA6C;IAC7C,MAAM,WAAW,GAAG,CAAC,0BAAiB,CAAC,GAAG,EAAE,0BAAiB,CAAC,EAAE,EAAE,0BAAiB,CAAC,GAAG,CAAC;SACrF,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;IAErC,IAAI,CAAC,WAAW,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,CAAC;QAC1C,UAAU,CAAC,IAAI,CAAC;YACd,IAAI,EAAE,oBAAoB;YAC1B,QAAQ,EAAE,UAAU;YACpB,OAAO,EAAE,SAAS,IAAI,CAAC,IAAI,iDAAiD;YAC5E,MAAM,EAAE,IAAI,CAAC,EAAE;YACf,QAAQ,EAAE,IAAI,CAAC,IAAI;SACpB,CAAC,CAAC;IACL,CAAC;IAED,mDAAmD;IACnD,IAAI,WAAW,IAAI,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,UAAU,IAAI,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,MAAM,KAAK,CAAC,CAAC,EAAE,CAAC;QAC1F,UAAU,CAAC,IAAI,CAAC;YACd,IAAI,EAAE,wBAAwB;YAC9B,QAAQ,EAAE,UAAU;YACpB,OAAO,EAAE,SAAS,IAAI,CAAC,IAAI,mDAAmD;YAC9E,MAAM,EAAE,IAAI,CAAC,EAAE;YACf,QAAQ,EAAE,IAAI,CAAC,IAAI;SACpB,CAAC,CAAC;IACL,CAAC;IAED,OAAO,UAAU,CAAC;AACpB,CAAC;AAED;;GAEG;AACH,SAAS,qBAAqB,CAAC,IAAgB,EAAE,MAAc;IAC7D,MAAM,UAAU,GAA0B,EAAE,CAAC;IAE7C,IAAI,IAAI,CAAC,MAAM,CAAC,QAAQ,KAAK,qBAAY,CAAC,IAAI,EAAE,CAAC;QAC/C,OAAO,UAAU,CAAC;IACpB,CAAC;IAED,6DAA6D;IAC7D,IAAI,kBAAkB,CAAC,IAAI,CAAC,EAAE,CAAC;QAC7B,MAAM,cAAc,GAAG,MAAM,CAAC,QAAQ,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,CACpD,CAAC,YAAY,EAAE,SAAS,EAAE,aAAa,EAAE,MAAM,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAC3E,CAAC;QAEF,IAAI,CAAC,cAAc,EAAE,CAAC;YACpB,UAAU,CAAC,IAAI,CAAC;gBACd,IAAI,EAAE,oBAAoB;gBAC1B,QAAQ,EAAE,UAAU;gBACpB,OAAO,EAAE,cAAc,IAAI,CAAC,IAAI,0DAA0D;gBAC1F,MAAM,EAAE,IAAI,CAAC,EAAE;gBACf,QAAQ,EAAE,IAAI,CAAC,IAAI;gBACnB,OAAO,EAAE,EAAE,QAAQ,EAAE,UAAU,EAAE;aAClC,CAAC,CAAC;QACL,CAAC;QAED,wCAAwC;QACxC,MAAM,gBAAgB,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,QAAQ,CAAC,OAAO,CAAC;YAC9D,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,QAAQ,CAAC,WAAW,CAAC;YAC3C,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,QAAQ,CAAC,aAAa,CAAC,CAAC;QAEhD,IAAI,CAAC,gBAAgB,IAAI,CAAC,cAAc,EAAE,CAAC;YACzC,UAAU,CAAC,IAAI,CAAC;gBACd,IAAI,EAAE,wBAAwB;gBAC9B,QAAQ,EAAE,UAAU;gBACpB,OAAO,EAAE,cAAc,IAAI,CAAC,IAAI,0DAA0D;gBAC1F,MAAM,EAAE,IAAI,CAAC,EAAE;gBACf,QAAQ,EAAE,IAAI,CAAC,IAAI;aACpB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,UAAU,CAAC;AACpB,CAAC;AAED;;GAEG;AACH,SAAS,sBAAsB,CAAC,KAAmB;IACjD,MAAM,UAAU,GAA0B,EAAE,CAAC;IAE7C,iCAAiC;IACjC,MAAM,YAAY,GAAG,IAAI,GAAG,EAAwB,CAAC;IAErD,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,IAAI,IAAI,CAAC,OAAO,KAAK,KAAK;YAAE,SAAS;QAErC,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,IAAI,WAAW,CAAC;QAClD,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;YAC7B,YAAY,CAAC,GAAG,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QAC9B,CAAC;QACD,YAAY,CAAC,GAAG,CAAC,KAAK,CAAE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACtC,CAAC;IAED,gDAAgD;IAChD,KAAK,MAAM,CAAC,KAAK,EAAE,UAAU,CAAC,IAAI,YAAY,EAAE,CAAC;QAC/C,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC;YAAE,SAAS;QAEpC,MAAM,UAAU,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,QAAQ,KAAK,qBAAY,CAAC,KAAK,CAAC,CAAC;QACpF,MAAM,SAAS,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,QAAQ,KAAK,qBAAY,CAAC,IAAI,CAAC,CAAC;QAElF,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAClD,+DAA+D;YAC/D,KAAK,MAAM,KAAK,IAAI,UAAU,EAAE,CAAC;gBAC/B,KAAK,MAAM,IAAI,IAAI,SAAS,EAAE,CAAC;oBAC7B,IAAI,KAAK,CAAC,SAAS,CAAC,KAAK,KAAK,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,CAAC;wBACnD,UAAU,CAAC,IAAI,CAAC;4BACd,IAAI,EAAE,mBAAmB;4BACzB,QAAQ,EAAE,UAAU;4BACpB,OAAO,EAAE,UAAU,KAAK,CAAC,IAAI,UAAU,IAAI,CAAC,IAAI,iDAAiD;4BACjG,OAAO,EAAE;gCACP,KAAK;gCACL,SAAS,EAAE,KAAK,CAAC,EAAE;gCACnB,QAAQ,EAAE,IAAI,CAAC,EAAE;6BAClB;yBACF,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,UAAU,CAAC;AACpB,CAAC;AAED;;GAEG;AACH,SAAS,wBAAwB,CAC/B,MAAc,EACd,UAAsB,EACtB,UAAmB;IAEnB,sDAAsD;IACtD,IAAI,UAAU,KAAK,UAAU,IAAI,UAAU,EAAE,CAAC;QAC5C,OAAO;YACL,QAAQ,EAAE,IAAI;YACd,MAAM,EAAE,oDAAoD;SAC7D,CAAC;IACJ,CAAC;IAED,wDAAwD;IACxD,IAAI,UAAU,KAAK,YAAY,IAAI,UAAU,EAAE,CAAC;QAC9C,OAAO;YACL,QAAQ,EAAE,IAAI;YACd,MAAM,EAAE,sDAAsD;SAC/D,CAAC;IACJ,CAAC;IAED,uDAAuD;IACvD,IAAI,kBAAkB,CAAC,MAAM,CAAC,IAAI,UAAU,EAAE,CAAC;QAC7C,MAAM,YAAY,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CACzC,CAAC,CAAC,MAAM,CAAC,QAAQ,KAAK,qBAAY,CAAC,IAAI,IAAI,CAAC,CAAC,OAAO,KAAK,KAAK,CAC/D,CAAC;QACF,IAAI,YAAY,EAAE,CAAC;YACjB,OAAO;gBACL,QAAQ,EAAE,IAAI;gBACd,MAAM,EAAE,sDAAsD;aAC/D,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC;AAC7B,CAAC;AAED;;;GAGG;AACH,SAAgB,wBAAwB,CACtC,MAAc,EACd,UAII,EAAE;IAEN,MAAM,UAAU,GAA0B,EAAE,CAAC;IAC7C,MAAM,UAAU,GAAG,gBAAgB,CAAC,MAAM,CAAC,CAAC;IAC5C,MAAM,YAAY,GAAG,kBAAkB,CAAC,MAAM,CAAC,CAAC;IAEhD,6DAA6D;IAC7D,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;QAChC,IAAI,IAAI,CAAC,OAAO,KAAK,KAAK;YAAE,SAAS;QAErC,UAAU,CAAC,IAAI,CAAC,GAAG,sBAAsB,CAAC,IAAI,CAAC,CAAC,CAAC;QACjD,UAAU,CAAC,IAAI,CAAC,GAAG,qBAAqB,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC;IAC1D,CAAC;IAED,8BAA8B;IAC9B,UAAU,CAAC,IAAI,CAAC,GAAG,sBAAsB,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;IAEzD,mDAAmD;IACnD,IAAI,YAAY,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,KAAK,YAAY,CAAC,EAAE,CAAC;QACvF,+DAA+D;QAC/D,gBAAM,CAAC,IAAI,CAAC;YACV,QAAQ,EAAE,MAAM,CAAC,QAAQ,CAAC,EAAE;YAC5B,SAAS,EAAE,MAAM,CAAC,QAAQ,CAAC,SAAS;SACrC,EAAE,gFAAgF,CAAC,CAAC;IACvF,CAAC;IAED,iCAAiC;IACjC,MAAM,aAAa,GAAG,wBAAwB,CAAC,MAAM,EAAE,UAAU,EAAE,OAAO,CAAC,UAAU,IAAI,KAAK,CAAC,CAAC;IAEhG,IAAI,aAAa,CAAC,QAAQ,IAAI,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC;QACnD,UAAU,CAAC,IAAI,CAAC;YACd,IAAI,EAAE,kBAAkB;YACxB,QAAQ,EAAE,UAAU;YACpB,OAAO,EAAE,aAAa,CAAC,MAAM,IAAI,sCAAsC;SACxE,CAAC,CAAC;IACL,CAAC;IAED,0BAA0B;IAC1B,MAAM,aAAa,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC,MAAM,CAAC;IAC/E,MAAM,UAAU,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,OAAO,CAAC,CAAC,MAAM,CAAC;IAEzE,IAAI,SAAiD,CAAC;IACtD,IAAI,aAAa,GAAG,CAAC,EAAE,CAAC;QACtB,SAAS,GAAG,UAAU,CAAC;IACzB,CAAC;SAAM,IAAI,UAAU,GAAG,CAAC,IAAI,UAAU,KAAK,UAAU,EAAE,CAAC;QACvD,SAAS,GAAG,MAAM,CAAC;IACrB,CAAC;SAAM,IAAI,YAAY,IAAI,UAAU,KAAK,YAAY,EAAE,CAAC;QACvD,SAAS,GAAG,QAAQ,CAAC;IACvB,CAAC;SAAM,CAAC;QACN,SAAS,GAAG,KAAK,CAAC;IACpB,CAAC;IAED,MAAM,MAAM,GAA0B;QACpC,KAAK,EAAE,UAAU,CAAC,MAAM,KAAK,CAAC;QAC9B,UAAU;QACV,gBAAgB,EAAE,aAAa,CAAC,QAAQ;QACxC,cAAc,EAAE,aAAa,CAAC,MAAM;QACpC,SAAS;KACV,CAAC;IAEF,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;QAClB,gBAAM,CAAC,IAAI,CAAC;YACV,QAAQ,EAAE,MAAM,CAAC,QAAQ,CAAC,EAAE;YAC5B,UAAU,EAAE,MAAM,CAAC,QAAQ,CAAC,IAAI;YAChC,cAAc,EAAE,UAAU,CAAC,MAAM;YACjC,UAAU,EAAE,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;gBAC/B,IAAI,EAAE,CAAC,CAAC,IAAI;gBACZ,QAAQ,EAAE,CAAC,CAAC,QAAQ;gBACpB,OAAO,EAAE,CAAC,CAAC,OAAO;aACnB,CAAC,CAAC;SACJ,EAAE,qCAAqC,CAAC,CAAC;IAC5C,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;GAGG;AACH,SAAgB,iBAAiB,CAC/B,MAAc,EACd,UAII,EAAE;IAEN,MAAM,MAAM,GAAG,wBAAwB,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAEzD,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;QAClB,MAAM,kBAAkB,GAAG,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC;QAEpF,MAAM,IAAI,8BAAqB,CAC7B,iCAAiC,kBAAkB,CAAC,MAAM,wBAAwB,EAClF;YACE,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,SAAS,EAAE,MAAM,CAAC,SAAS;YAC3B,gBAAgB,EAAE,MAAM,CAAC,gBAAgB;SAC1C,CACF,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAgB,+BAA+B,CAC7C,MAAc,EACd,SAAuB,EACvB,SAAuB;IAEvB,2FAA2F;IAC3F,MAAM,UAAU,GAAG,SAAS,KAAK,qBAAY,CAAC,MAAM,IAAI,SAAS,KAAK,qBAAY,CAAC,MAAM,CAAC;IAE1F,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,UAAU,GAAG,gBAAgB,CAAC,MAAM,CAAC,CAAC;IAC5C,OAAO,UAAU,KAAK,UAAU,IAAI,UAAU,KAAK,YAAY,CAAC;AAClE,CAAC"}

package/dist/bundled-agents/policy-engine-agents/dist/security/rate-limiter.d.ts ADDED Viewed

@@ -0,0 +1,40 @@
+/**
+ * Post-Authentication Rate Limiter
+ *
+ * Rate limiting that applies AFTER authentication.
+ * Limits are per-identity, not per-IP.
+ */
+import { Response, NextFunction } from 'express';
+import { AuthenticatedRequest } from './agentics-identity';
+/**
+ * Rate limit configuration
+ */
+interface RateLimitConfig {
+    windowMs: number;
+    maxRequests: number;
+    keyPrefix: string;
+}
+/**
+ * Create post-auth rate limiter middleware
+ */
+export declare function createPostAuthRateLimiter(config?: Partial<RateLimitConfig>): (req: AuthenticatedRequest, res: Response, next: NextFunction) => void;
+/**
+ * Evaluation endpoint rate limiter
+ * More restrictive for evaluation to prevent abuse
+ */
+export declare const evaluationRateLimiter: (req: AuthenticatedRequest, res: Response, next: NextFunction) => void;
+/**
+ * Mutation endpoint rate limiter
+ * More restrictive for mutations
+ */
+export declare const mutationRateLimiter: (req: AuthenticatedRequest, res: Response, next: NextFunction) => void;
+/**
+ * Read endpoint rate limiter
+ */
+export declare const readRateLimiter: (req: AuthenticatedRequest, res: Response, next: NextFunction) => void;
+/**
+ * Strict rate limiter for sensitive operations
+ */
+export declare const strictRateLimiter: (req: AuthenticatedRequest, res: Response, next: NextFunction) => void;
+export {};
+//# sourceMappingURL=rate-limiter.d.ts.map

package/dist/bundled-agents/policy-engine-agents/dist/security/rate-limiter.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"rate-limiter.d.ts","sourceRoot":"","sources":["../../src/security/rate-limiter.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAEjD,OAAO,EAAE,oBAAoB,EAAoB,MAAM,qBAAqB,CAAC;AAG7E;;GAEG;AACH,UAAU,eAAe;IACvB,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;CACnB;AAqED;;GAEG;AACH,wBAAgB,yBAAyB,CAAC,MAAM,GAAE,OAAO,CAAC,eAAe,CAAM,IAOrE,KAAK,oBAAoB,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY,KAAG,IAAI,CAqC5E;AAED;;;GAGG;AACH,eAAO,MAAM,qBAAqB,QA3CnB,oBAAoB,OAAO,QAAQ,QAAQ,YAAY,KAAG,IA+CvE,CAAC;AAEH;;;GAGG;AACH,eAAO,MAAM,mBAAmB,QArDjB,oBAAoB,OAAO,QAAQ,QAAQ,YAAY,KAAG,IAyDvE,CAAC;AAEH;;GAEG;AACH,eAAO,MAAM,eAAe,QA9Db,oBAAoB,OAAO,QAAQ,QAAQ,YAAY,KAAG,IAkEvE,CAAC;AAEH;;GAEG;AACH,eAAO,MAAM,iBAAiB,QAvEf,oBAAoB,OAAO,QAAQ,QAAQ,YAAY,KAAG,IA2EvE,CAAC"}