@mondaydotcomorg/atp-compiler 0.18.4-rc.0 → 0.19.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/__tests__/unit/default-compiler.test.ts +2 -3
- package/__tests__/unit/plugin-system.test.ts +0 -1
- package/dist/atp-compiler/src/plugin-system/examples/timeout-plugin.d.ts.map +1 -1
- package/dist/atp-compiler/src/plugin-system/examples/timeout-plugin.js.map +1 -1
- package/dist/atp-compiler/src/plugin-system/pluggable-compiler.d.ts.map +1 -1
- package/dist/atp-compiler/src/plugin-system/pluggable-compiler.js +1 -3
- package/dist/atp-compiler/src/plugin-system/pluggable-compiler.js.map +1 -1
- package/dist/protocol/src/types.d.ts +1 -1
- package/dist/protocol/src/types.d.ts.map +1 -1
- package/dist/provenance/src/index.d.ts +6 -1
- package/dist/provenance/src/index.d.ts.map +1 -1
- package/dist/provenance/src/index.js +6 -1
- package/dist/provenance/src/index.js.map +1 -1
- package/dist/provenance/src/policies/builder.d.ts +36 -0
- package/dist/provenance/src/policies/builder.d.ts.map +1 -0
- package/dist/provenance/src/policies/builder.js +77 -0
- package/dist/provenance/src/policies/builder.js.map +1 -0
- package/dist/provenance/src/policies/declarative.d.ts +47 -0
- package/dist/provenance/src/policies/declarative.d.ts.map +1 -0
- package/dist/provenance/src/policies/declarative.js +170 -0
- package/dist/provenance/src/policies/declarative.js.map +1 -0
- package/dist/provenance/src/policies/dynamic.d.ts +39 -0
- package/dist/provenance/src/policies/dynamic.d.ts.map +1 -0
- package/dist/provenance/src/policies/dynamic.js +75 -0
- package/dist/provenance/src/policies/dynamic.js.map +1 -0
- package/dist/provenance/src/policies/schema.d.ts +270 -0
- package/dist/provenance/src/policies/schema.d.ts.map +1 -0
- package/dist/provenance/src/policies/schema.js +42 -0
- package/dist/provenance/src/policies/schema.js.map +1 -0
- package/dist/provenance/src/registry.d.ts +15 -0
- package/dist/provenance/src/registry.d.ts.map +1 -1
- package/dist/provenance/src/registry.js +73 -0
- package/dist/provenance/src/registry.js.map +1 -1
- package/dist/provenance/src/store.d.ts +53 -0
- package/dist/provenance/src/store.d.ts.map +1 -0
- package/dist/provenance/src/store.js +78 -0
- package/dist/provenance/src/store.js.map +1 -0
- package/dist/runtime/src/llm/replay.d.ts.map +1 -1
- package/dist/runtime/src/llm/replay.js +38 -26
- package/dist/runtime/src/llm/replay.js.map +1 -1
- package/package.json +5 -5
- package/src/plugin-system/create-default-compiler.ts +7 -8
- package/src/plugin-system/default-plugins/array-transformer-plugin.ts +0 -1
- package/src/plugin-system/default-plugins/detection-plugin.ts +0 -1
- package/src/plugin-system/default-plugins/index.ts +1 -2
- package/src/plugin-system/default-plugins/loop-transformer-plugin.ts +0 -1
- package/src/plugin-system/default-plugins/promise-transformer-plugin.ts +0 -1
- package/src/plugin-system/examples/loop-transformer-plugin.ts +2 -3
- package/src/plugin-system/examples/security-validator-plugin.ts +2 -3
- package/src/plugin-system/examples/timeout-plugin.ts +24 -30
- package/src/plugin-system/index.ts +3 -4
- package/src/plugin-system/pluggable-compiler.ts +17 -14
- package/src/plugin-system/plugin-api.ts +1 -2
- package/src/types/compiler-interface.ts +4 -5
|
@@ -0,0 +1,75 @@
|
|
|
1
|
+
import { createDeclarativePolicy } from './declarative.js';
|
|
2
|
+
/**
|
|
3
|
+
* A dynamic registry that manages multiple policies and acts as a single SecurityPolicy.
|
|
4
|
+
* This allows policies to be updated at runtime (e.g. from a UI or database) without restarting the server.
|
|
5
|
+
*/
|
|
6
|
+
export class DynamicPolicyRegistry {
|
|
7
|
+
name = 'dynamic-policy-registry';
|
|
8
|
+
description = 'Container for dynamically managed security policies';
|
|
9
|
+
policies = new Map();
|
|
10
|
+
constructor(initialPolicies = []) {
|
|
11
|
+
for (const policy of initialPolicies) {
|
|
12
|
+
this.policies.set(policy.name, policy);
|
|
13
|
+
}
|
|
14
|
+
}
|
|
15
|
+
/**
|
|
16
|
+
* Add or update a policy
|
|
17
|
+
*/
|
|
18
|
+
addPolicy(policy) {
|
|
19
|
+
this.policies.set(policy.name, policy);
|
|
20
|
+
}
|
|
21
|
+
/**
|
|
22
|
+
* Remove a policy by name
|
|
23
|
+
*/
|
|
24
|
+
removePolicy(name) {
|
|
25
|
+
this.policies.delete(name);
|
|
26
|
+
}
|
|
27
|
+
/**
|
|
28
|
+
* clear all policies
|
|
29
|
+
*/
|
|
30
|
+
clear() {
|
|
31
|
+
this.policies.clear();
|
|
32
|
+
}
|
|
33
|
+
/**
|
|
34
|
+
* Load policies from declarative configurations (JSON)
|
|
35
|
+
* This is useful for loading policies saved from a UI
|
|
36
|
+
*/
|
|
37
|
+
loadFromConfigs(configs, replace = false) {
|
|
38
|
+
if (replace) {
|
|
39
|
+
this.policies.clear();
|
|
40
|
+
}
|
|
41
|
+
for (const config of configs) {
|
|
42
|
+
const policy = createDeclarativePolicy(config);
|
|
43
|
+
this.policies.set(policy.name, policy);
|
|
44
|
+
}
|
|
45
|
+
}
|
|
46
|
+
/**
|
|
47
|
+
* Get all registered policies
|
|
48
|
+
*/
|
|
49
|
+
getPolicies() {
|
|
50
|
+
return Array.from(this.policies.values());
|
|
51
|
+
}
|
|
52
|
+
/**
|
|
53
|
+
* Implementation of the SecurityPolicy check interface.
|
|
54
|
+
* Delegates to all registered policies.
|
|
55
|
+
*/
|
|
56
|
+
async check(toolName, args, getProvenance) {
|
|
57
|
+
let requiresApproval = null;
|
|
58
|
+
for (const policy of this.policies.values()) {
|
|
59
|
+
const result = await policy.check(toolName, args, getProvenance);
|
|
60
|
+
if (result.action === 'block') {
|
|
61
|
+
return result;
|
|
62
|
+
}
|
|
63
|
+
if (result.action === 'approve') {
|
|
64
|
+
if (!requiresApproval) {
|
|
65
|
+
requiresApproval = result;
|
|
66
|
+
}
|
|
67
|
+
}
|
|
68
|
+
}
|
|
69
|
+
if (requiresApproval) {
|
|
70
|
+
return requiresApproval;
|
|
71
|
+
}
|
|
72
|
+
return { action: 'log' };
|
|
73
|
+
}
|
|
74
|
+
}
|
|
75
|
+
//# sourceMappingURL=dynamic.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"dynamic.js","sourceRoot":"","sources":["../../../../../provenance/src/policies/dynamic.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,uBAAuB,EAAgC,MAAM,kBAAkB,CAAC;AAEzF;;;GAGG;AACH,MAAM,OAAO,qBAAqB;IACjC,IAAI,GAAG,yBAAyB,CAAC;IACjC,WAAW,GAAG,qDAAqD,CAAC;IAE5D,QAAQ,GAAgC,IAAI,GAAG,EAAE,CAAC;IAE1D,YAAY,kBAAoC,EAAE;QACjD,KAAK,MAAM,MAAM,IAAI,eAAe,EAAE,CAAC;YACtC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QACxC,CAAC;IACF,CAAC;IAED;;OAEG;IACH,SAAS,CAAC,MAAsB;QAC/B,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IACxC,CAAC;IAED;;OAEG;IACH,YAAY,CAAC,IAAY;QACxB,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IAC5B,CAAC;IAED;;OAEG;IACH,KAAK;QACJ,IAAI,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAC;IACvB,CAAC;IAED;;;OAGG;IACH,eAAe,CAAC,OAAkC,EAAE,OAAO,GAAG,KAAK;QAClE,IAAI,OAAO,EAAE,CAAC;YACb,IAAI,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAC;QACvB,CAAC;QACD,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;YAC9B,MAAM,MAAM,GAAG,uBAAuB,CAAC,MAAM,CAAC,CAAC;YAC/C,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QACxC,CAAC;IACF,CAAC;IAED;;OAEG;IACH,WAAW;QACV,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;IAC3C,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,KAAK,CACV,QAAgB,EAChB,IAA6B,EAC7B,aAA4D;QAE5D,IAAI,gBAAgB,GAAwB,IAAI,CAAC;QAEjD,KAAK,MAAM,MAAM,IAAI,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,EAAE,CAAC;YAC7C,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,KAAK,CAAC,QAAQ,EAAE,IAAI,EAAE,aAAa,CAAC,CAAC;YAEjE,IAAI,MAAM,CAAC,MAAM,KAAK,OAAO,EAAE,CAAC;gBAC/B,OAAO,MAAM,CAAC;YACf,CAAC;YAED,IAAI,MAAM,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;gBACjC,IAAI,CAAC,gBAAgB,EAAE,CAAC;oBACvB,gBAAgB,GAAG,MAAM,CAAC;gBAC3B,CAAC;YACF,CAAC;QACF,CAAC;QAED,IAAI,gBAAgB,EAAE,CAAC;YACtB,OAAO,gBAAgB,CAAC;QACzB,CAAC;QAED,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;IAC1B,CAAC;CACD"}
|
|
@@ -0,0 +1,270 @@
|
|
|
1
|
+
import { z } from 'zod';
|
|
2
|
+
export declare const OperatorSchema: z.ZodEnum<["equals", "notEquals", "contains", "notContains", "startsWith", "notStartsWith", "endsWith", "notEndsWith", "matches", "in", "notIn"]>;
|
|
3
|
+
export type Operator = z.infer<typeof OperatorSchema>;
|
|
4
|
+
export declare const ConditionSchema: z.ZodObject<{
|
|
5
|
+
field: z.ZodString;
|
|
6
|
+
operator: z.ZodEnum<["equals", "notEquals", "contains", "notContains", "startsWith", "notStartsWith", "endsWith", "notEndsWith", "matches", "in", "notIn"]>;
|
|
7
|
+
value: z.ZodAny;
|
|
8
|
+
}, "strip", z.ZodTypeAny, {
|
|
9
|
+
field: string;
|
|
10
|
+
operator: "equals" | "notEquals" | "contains" | "notContains" | "startsWith" | "notStartsWith" | "endsWith" | "notEndsWith" | "matches" | "in" | "notIn";
|
|
11
|
+
value?: any;
|
|
12
|
+
}, {
|
|
13
|
+
field: string;
|
|
14
|
+
operator: "equals" | "notEquals" | "contains" | "notContains" | "startsWith" | "notStartsWith" | "endsWith" | "notEndsWith" | "matches" | "in" | "notIn";
|
|
15
|
+
value?: any;
|
|
16
|
+
}>;
|
|
17
|
+
export type Condition = z.infer<typeof ConditionSchema>;
|
|
18
|
+
export declare const PolicyActionSchema: z.ZodEnum<["log", "approve", "block"]>;
|
|
19
|
+
export type PolicyAction = z.infer<typeof PolicyActionSchema>;
|
|
20
|
+
export declare const PolicyRuleSchema: z.ZodObject<{
|
|
21
|
+
id: z.ZodOptional<z.ZodString>;
|
|
22
|
+
action: z.ZodEnum<["log", "approve", "block"]>;
|
|
23
|
+
conditions: z.ZodArray<z.ZodObject<{
|
|
24
|
+
field: z.ZodString;
|
|
25
|
+
operator: z.ZodEnum<["equals", "notEquals", "contains", "notContains", "startsWith", "notStartsWith", "endsWith", "notEndsWith", "matches", "in", "notIn"]>;
|
|
26
|
+
value: z.ZodAny;
|
|
27
|
+
}, "strip", z.ZodTypeAny, {
|
|
28
|
+
field: string;
|
|
29
|
+
operator: "equals" | "notEquals" | "contains" | "notContains" | "startsWith" | "notStartsWith" | "endsWith" | "notEndsWith" | "matches" | "in" | "notIn";
|
|
30
|
+
value?: any;
|
|
31
|
+
}, {
|
|
32
|
+
field: string;
|
|
33
|
+
operator: "equals" | "notEquals" | "contains" | "notContains" | "startsWith" | "notStartsWith" | "endsWith" | "notEndsWith" | "matches" | "in" | "notIn";
|
|
34
|
+
value?: any;
|
|
35
|
+
}>, "many">;
|
|
36
|
+
reason: z.ZodOptional<z.ZodString>;
|
|
37
|
+
}, "strip", z.ZodTypeAny, {
|
|
38
|
+
action: "log" | "approve" | "block";
|
|
39
|
+
conditions: {
|
|
40
|
+
field: string;
|
|
41
|
+
operator: "equals" | "notEquals" | "contains" | "notContains" | "startsWith" | "notStartsWith" | "endsWith" | "notEndsWith" | "matches" | "in" | "notIn";
|
|
42
|
+
value?: any;
|
|
43
|
+
}[];
|
|
44
|
+
id?: string | undefined;
|
|
45
|
+
reason?: string | undefined;
|
|
46
|
+
}, {
|
|
47
|
+
action: "log" | "approve" | "block";
|
|
48
|
+
conditions: {
|
|
49
|
+
field: string;
|
|
50
|
+
operator: "equals" | "notEquals" | "contains" | "notContains" | "startsWith" | "notStartsWith" | "endsWith" | "notEndsWith" | "matches" | "in" | "notIn";
|
|
51
|
+
value?: any;
|
|
52
|
+
}[];
|
|
53
|
+
id?: string | undefined;
|
|
54
|
+
reason?: string | undefined;
|
|
55
|
+
}>;
|
|
56
|
+
export type PolicyRule = z.infer<typeof PolicyRuleSchema>;
|
|
57
|
+
export declare const DeclarativePolicyConfigSchema: z.ZodObject<{
|
|
58
|
+
id: z.ZodString;
|
|
59
|
+
description: z.ZodOptional<z.ZodString>;
|
|
60
|
+
scope: z.ZodObject<{
|
|
61
|
+
toolName: z.ZodOptional<z.ZodString>;
|
|
62
|
+
apiGroup: z.ZodOptional<z.ZodString>;
|
|
63
|
+
}, "strip", z.ZodTypeAny, {
|
|
64
|
+
apiGroup?: string | undefined;
|
|
65
|
+
toolName?: string | undefined;
|
|
66
|
+
}, {
|
|
67
|
+
apiGroup?: string | undefined;
|
|
68
|
+
toolName?: string | undefined;
|
|
69
|
+
}>;
|
|
70
|
+
rules: z.ZodArray<z.ZodObject<{
|
|
71
|
+
id: z.ZodOptional<z.ZodString>;
|
|
72
|
+
action: z.ZodEnum<["log", "approve", "block"]>;
|
|
73
|
+
conditions: z.ZodArray<z.ZodObject<{
|
|
74
|
+
field: z.ZodString;
|
|
75
|
+
operator: z.ZodEnum<["equals", "notEquals", "contains", "notContains", "startsWith", "notStartsWith", "endsWith", "notEndsWith", "matches", "in", "notIn"]>;
|
|
76
|
+
value: z.ZodAny;
|
|
77
|
+
}, "strip", z.ZodTypeAny, {
|
|
78
|
+
field: string;
|
|
79
|
+
operator: "equals" | "notEquals" | "contains" | "notContains" | "startsWith" | "notStartsWith" | "endsWith" | "notEndsWith" | "matches" | "in" | "notIn";
|
|
80
|
+
value?: any;
|
|
81
|
+
}, {
|
|
82
|
+
field: string;
|
|
83
|
+
operator: "equals" | "notEquals" | "contains" | "notContains" | "startsWith" | "notStartsWith" | "endsWith" | "notEndsWith" | "matches" | "in" | "notIn";
|
|
84
|
+
value?: any;
|
|
85
|
+
}>, "many">;
|
|
86
|
+
reason: z.ZodOptional<z.ZodString>;
|
|
87
|
+
}, "strip", z.ZodTypeAny, {
|
|
88
|
+
action: "log" | "approve" | "block";
|
|
89
|
+
conditions: {
|
|
90
|
+
field: string;
|
|
91
|
+
operator: "equals" | "notEquals" | "contains" | "notContains" | "startsWith" | "notStartsWith" | "endsWith" | "notEndsWith" | "matches" | "in" | "notIn";
|
|
92
|
+
value?: any;
|
|
93
|
+
}[];
|
|
94
|
+
id?: string | undefined;
|
|
95
|
+
reason?: string | undefined;
|
|
96
|
+
}, {
|
|
97
|
+
action: "log" | "approve" | "block";
|
|
98
|
+
conditions: {
|
|
99
|
+
field: string;
|
|
100
|
+
operator: "equals" | "notEquals" | "contains" | "notContains" | "startsWith" | "notStartsWith" | "endsWith" | "notEndsWith" | "matches" | "in" | "notIn";
|
|
101
|
+
value?: any;
|
|
102
|
+
}[];
|
|
103
|
+
id?: string | undefined;
|
|
104
|
+
reason?: string | undefined;
|
|
105
|
+
}>, "many">;
|
|
106
|
+
}, "strip", z.ZodTypeAny, {
|
|
107
|
+
id: string;
|
|
108
|
+
scope: {
|
|
109
|
+
apiGroup?: string | undefined;
|
|
110
|
+
toolName?: string | undefined;
|
|
111
|
+
};
|
|
112
|
+
rules: {
|
|
113
|
+
action: "log" | "approve" | "block";
|
|
114
|
+
conditions: {
|
|
115
|
+
field: string;
|
|
116
|
+
operator: "equals" | "notEquals" | "contains" | "notContains" | "startsWith" | "notStartsWith" | "endsWith" | "notEndsWith" | "matches" | "in" | "notIn";
|
|
117
|
+
value?: any;
|
|
118
|
+
}[];
|
|
119
|
+
id?: string | undefined;
|
|
120
|
+
reason?: string | undefined;
|
|
121
|
+
}[];
|
|
122
|
+
description?: string | undefined;
|
|
123
|
+
}, {
|
|
124
|
+
id: string;
|
|
125
|
+
scope: {
|
|
126
|
+
apiGroup?: string | undefined;
|
|
127
|
+
toolName?: string | undefined;
|
|
128
|
+
};
|
|
129
|
+
rules: {
|
|
130
|
+
action: "log" | "approve" | "block";
|
|
131
|
+
conditions: {
|
|
132
|
+
field: string;
|
|
133
|
+
operator: "equals" | "notEquals" | "contains" | "notContains" | "startsWith" | "notStartsWith" | "endsWith" | "notEndsWith" | "matches" | "in" | "notIn";
|
|
134
|
+
value?: any;
|
|
135
|
+
}[];
|
|
136
|
+
id?: string | undefined;
|
|
137
|
+
reason?: string | undefined;
|
|
138
|
+
}[];
|
|
139
|
+
description?: string | undefined;
|
|
140
|
+
}>;
|
|
141
|
+
export type DeclarativePolicyConfig = z.infer<typeof DeclarativePolicyConfigSchema>;
|
|
142
|
+
export declare const PolicyConfigurationSchema: z.ZodObject<{
|
|
143
|
+
version: z.ZodString;
|
|
144
|
+
policies: z.ZodArray<z.ZodObject<{
|
|
145
|
+
id: z.ZodString;
|
|
146
|
+
description: z.ZodOptional<z.ZodString>;
|
|
147
|
+
scope: z.ZodObject<{
|
|
148
|
+
toolName: z.ZodOptional<z.ZodString>;
|
|
149
|
+
apiGroup: z.ZodOptional<z.ZodString>;
|
|
150
|
+
}, "strip", z.ZodTypeAny, {
|
|
151
|
+
apiGroup?: string | undefined;
|
|
152
|
+
toolName?: string | undefined;
|
|
153
|
+
}, {
|
|
154
|
+
apiGroup?: string | undefined;
|
|
155
|
+
toolName?: string | undefined;
|
|
156
|
+
}>;
|
|
157
|
+
rules: z.ZodArray<z.ZodObject<{
|
|
158
|
+
id: z.ZodOptional<z.ZodString>;
|
|
159
|
+
action: z.ZodEnum<["log", "approve", "block"]>;
|
|
160
|
+
conditions: z.ZodArray<z.ZodObject<{
|
|
161
|
+
field: z.ZodString;
|
|
162
|
+
operator: z.ZodEnum<["equals", "notEquals", "contains", "notContains", "startsWith", "notStartsWith", "endsWith", "notEndsWith", "matches", "in", "notIn"]>;
|
|
163
|
+
value: z.ZodAny;
|
|
164
|
+
}, "strip", z.ZodTypeAny, {
|
|
165
|
+
field: string;
|
|
166
|
+
operator: "equals" | "notEquals" | "contains" | "notContains" | "startsWith" | "notStartsWith" | "endsWith" | "notEndsWith" | "matches" | "in" | "notIn";
|
|
167
|
+
value?: any;
|
|
168
|
+
}, {
|
|
169
|
+
field: string;
|
|
170
|
+
operator: "equals" | "notEquals" | "contains" | "notContains" | "startsWith" | "notStartsWith" | "endsWith" | "notEndsWith" | "matches" | "in" | "notIn";
|
|
171
|
+
value?: any;
|
|
172
|
+
}>, "many">;
|
|
173
|
+
reason: z.ZodOptional<z.ZodString>;
|
|
174
|
+
}, "strip", z.ZodTypeAny, {
|
|
175
|
+
action: "log" | "approve" | "block";
|
|
176
|
+
conditions: {
|
|
177
|
+
field: string;
|
|
178
|
+
operator: "equals" | "notEquals" | "contains" | "notContains" | "startsWith" | "notStartsWith" | "endsWith" | "notEndsWith" | "matches" | "in" | "notIn";
|
|
179
|
+
value?: any;
|
|
180
|
+
}[];
|
|
181
|
+
id?: string | undefined;
|
|
182
|
+
reason?: string | undefined;
|
|
183
|
+
}, {
|
|
184
|
+
action: "log" | "approve" | "block";
|
|
185
|
+
conditions: {
|
|
186
|
+
field: string;
|
|
187
|
+
operator: "equals" | "notEquals" | "contains" | "notContains" | "startsWith" | "notStartsWith" | "endsWith" | "notEndsWith" | "matches" | "in" | "notIn";
|
|
188
|
+
value?: any;
|
|
189
|
+
}[];
|
|
190
|
+
id?: string | undefined;
|
|
191
|
+
reason?: string | undefined;
|
|
192
|
+
}>, "many">;
|
|
193
|
+
}, "strip", z.ZodTypeAny, {
|
|
194
|
+
id: string;
|
|
195
|
+
scope: {
|
|
196
|
+
apiGroup?: string | undefined;
|
|
197
|
+
toolName?: string | undefined;
|
|
198
|
+
};
|
|
199
|
+
rules: {
|
|
200
|
+
action: "log" | "approve" | "block";
|
|
201
|
+
conditions: {
|
|
202
|
+
field: string;
|
|
203
|
+
operator: "equals" | "notEquals" | "contains" | "notContains" | "startsWith" | "notStartsWith" | "endsWith" | "notEndsWith" | "matches" | "in" | "notIn";
|
|
204
|
+
value?: any;
|
|
205
|
+
}[];
|
|
206
|
+
id?: string | undefined;
|
|
207
|
+
reason?: string | undefined;
|
|
208
|
+
}[];
|
|
209
|
+
description?: string | undefined;
|
|
210
|
+
}, {
|
|
211
|
+
id: string;
|
|
212
|
+
scope: {
|
|
213
|
+
apiGroup?: string | undefined;
|
|
214
|
+
toolName?: string | undefined;
|
|
215
|
+
};
|
|
216
|
+
rules: {
|
|
217
|
+
action: "log" | "approve" | "block";
|
|
218
|
+
conditions: {
|
|
219
|
+
field: string;
|
|
220
|
+
operator: "equals" | "notEquals" | "contains" | "notContains" | "startsWith" | "notStartsWith" | "endsWith" | "notEndsWith" | "matches" | "in" | "notIn";
|
|
221
|
+
value?: any;
|
|
222
|
+
}[];
|
|
223
|
+
id?: string | undefined;
|
|
224
|
+
reason?: string | undefined;
|
|
225
|
+
}[];
|
|
226
|
+
description?: string | undefined;
|
|
227
|
+
}>, "many">;
|
|
228
|
+
}, "strip", z.ZodTypeAny, {
|
|
229
|
+
version: string;
|
|
230
|
+
policies: {
|
|
231
|
+
id: string;
|
|
232
|
+
scope: {
|
|
233
|
+
apiGroup?: string | undefined;
|
|
234
|
+
toolName?: string | undefined;
|
|
235
|
+
};
|
|
236
|
+
rules: {
|
|
237
|
+
action: "log" | "approve" | "block";
|
|
238
|
+
conditions: {
|
|
239
|
+
field: string;
|
|
240
|
+
operator: "equals" | "notEquals" | "contains" | "notContains" | "startsWith" | "notStartsWith" | "endsWith" | "notEndsWith" | "matches" | "in" | "notIn";
|
|
241
|
+
value?: any;
|
|
242
|
+
}[];
|
|
243
|
+
id?: string | undefined;
|
|
244
|
+
reason?: string | undefined;
|
|
245
|
+
}[];
|
|
246
|
+
description?: string | undefined;
|
|
247
|
+
}[];
|
|
248
|
+
}, {
|
|
249
|
+
version: string;
|
|
250
|
+
policies: {
|
|
251
|
+
id: string;
|
|
252
|
+
scope: {
|
|
253
|
+
apiGroup?: string | undefined;
|
|
254
|
+
toolName?: string | undefined;
|
|
255
|
+
};
|
|
256
|
+
rules: {
|
|
257
|
+
action: "log" | "approve" | "block";
|
|
258
|
+
conditions: {
|
|
259
|
+
field: string;
|
|
260
|
+
operator: "equals" | "notEquals" | "contains" | "notContains" | "startsWith" | "notStartsWith" | "endsWith" | "notEndsWith" | "matches" | "in" | "notIn";
|
|
261
|
+
value?: any;
|
|
262
|
+
}[];
|
|
263
|
+
id?: string | undefined;
|
|
264
|
+
reason?: string | undefined;
|
|
265
|
+
}[];
|
|
266
|
+
description?: string | undefined;
|
|
267
|
+
}[];
|
|
268
|
+
}>;
|
|
269
|
+
export type PolicyConfiguration = z.infer<typeof PolicyConfigurationSchema>;
|
|
270
|
+
//# sourceMappingURL=schema.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"schema.d.ts","sourceRoot":"","sources":["../../../../../provenance/src/policies/schema.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,eAAO,MAAM,cAAc,mJAYzB,CAAC;AAEH,MAAM,MAAM,QAAQ,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC;AAEtD,eAAO,MAAM,eAAe;;;;;;;;;;;;EAM1B,CAAC;AAEH,MAAM,MAAM,SAAS,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAC;AAExD,eAAO,MAAM,kBAAkB,wCAAsC,CAAC;AAEtE,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAE9D,eAAO,MAAM,gBAAgB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAK3B,CAAC;AAEH,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAE1D,eAAO,MAAM,6BAA6B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAQxC,CAAC;AAEH,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,6BAA6B,CAAC,CAAC;AAEpF,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAGpC,CAAC;AAEH,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC"}
|
|
@@ -0,0 +1,42 @@
|
|
|
1
|
+
import { z } from 'zod';
|
|
2
|
+
export const OperatorSchema = z.enum([
|
|
3
|
+
'equals',
|
|
4
|
+
'notEquals',
|
|
5
|
+
'contains',
|
|
6
|
+
'notContains',
|
|
7
|
+
'startsWith',
|
|
8
|
+
'notStartsWith',
|
|
9
|
+
'endsWith',
|
|
10
|
+
'notEndsWith',
|
|
11
|
+
'matches',
|
|
12
|
+
'in',
|
|
13
|
+
'notIn',
|
|
14
|
+
]);
|
|
15
|
+
export const ConditionSchema = z.object({
|
|
16
|
+
field: z
|
|
17
|
+
.string()
|
|
18
|
+
.describe('Field to check (e.g. args.paramName, provenance.args.param.source.type)'),
|
|
19
|
+
operator: OperatorSchema,
|
|
20
|
+
value: z.any().describe('Value to compare against'),
|
|
21
|
+
});
|
|
22
|
+
export const PolicyActionSchema = z.enum(['log', 'approve', 'block']);
|
|
23
|
+
export const PolicyRuleSchema = z.object({
|
|
24
|
+
id: z.string().optional(),
|
|
25
|
+
action: PolicyActionSchema,
|
|
26
|
+
conditions: z.array(ConditionSchema).describe('All conditions must match (implicit AND)'),
|
|
27
|
+
reason: z.string().optional(),
|
|
28
|
+
});
|
|
29
|
+
export const DeclarativePolicyConfigSchema = z.object({
|
|
30
|
+
id: z.string(),
|
|
31
|
+
description: z.string().optional(),
|
|
32
|
+
scope: z.object({
|
|
33
|
+
toolName: z.string().optional().describe('Regex pattern or exact match for tool name'),
|
|
34
|
+
apiGroup: z.string().optional().describe('Regex pattern or exact match for API group'),
|
|
35
|
+
}),
|
|
36
|
+
rules: z.array(PolicyRuleSchema).describe('Rules are evaluated in order. First match wins.'),
|
|
37
|
+
});
|
|
38
|
+
export const PolicyConfigurationSchema = z.object({
|
|
39
|
+
version: z.string(),
|
|
40
|
+
policies: z.array(DeclarativePolicyConfigSchema),
|
|
41
|
+
});
|
|
42
|
+
//# sourceMappingURL=schema.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"schema.js","sourceRoot":"","sources":["../../../../../provenance/src/policies/schema.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,MAAM,CAAC,MAAM,cAAc,GAAG,CAAC,CAAC,IAAI,CAAC;IACpC,QAAQ;IACR,WAAW;IACX,UAAU;IACV,aAAa;IACb,YAAY;IACZ,eAAe;IACf,UAAU;IACV,aAAa;IACb,SAAS;IACT,IAAI;IACJ,OAAO;CACP,CAAC,CAAC;AAIH,MAAM,CAAC,MAAM,eAAe,GAAG,CAAC,CAAC,MAAM,CAAC;IACvC,KAAK,EAAE,CAAC;SACN,MAAM,EAAE;SACR,QAAQ,CAAC,yEAAyE,CAAC;IACrF,QAAQ,EAAE,cAAc;IACxB,KAAK,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,QAAQ,CAAC,0BAA0B,CAAC;CACnD,CAAC,CAAC;AAIH,MAAM,CAAC,MAAM,kBAAkB,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,SAAS,EAAE,OAAO,CAAC,CAAC,CAAC;AAItE,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC,CAAC,MAAM,CAAC;IACxC,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACzB,MAAM,EAAE,kBAAkB;IAC1B,UAAU,EAAE,CAAC,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC,QAAQ,CAAC,0CAA0C,CAAC;IACzF,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CAC7B,CAAC,CAAC;AAIH,MAAM,CAAC,MAAM,6BAA6B,GAAG,CAAC,CAAC,MAAM,CAAC;IACrD,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE;IACd,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAClC,KAAK,EAAE,CAAC,CAAC,MAAM,CAAC;QACf,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,4CAA4C,CAAC;QACtF,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,4CAA4C,CAAC;KACtF,CAAC;IACF,KAAK,EAAE,CAAC,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC,QAAQ,CAAC,iDAAiD,CAAC;CAC5F,CAAC,CAAC;AAIH,MAAM,CAAC,MAAM,yBAAyB,GAAG,CAAC,CAAC,MAAM,CAAC;IACjD,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE;IACnB,QAAQ,EAAE,CAAC,CAAC,KAAK,CAAC,6BAA6B,CAAC;CAChD,CAAC,CAAC"}
|
|
@@ -1,4 +1,9 @@
|
|
|
1
1
|
import type { ProvenanceMetadata, SourceMetadata, ReaderPermissions } from './types.js';
|
|
2
|
+
import { type ProvenanceStore } from './store.js';
|
|
3
|
+
/**
|
|
4
|
+
* Set the global provenance store implementation
|
|
5
|
+
*/
|
|
6
|
+
export declare function setGlobalProvenanceStore(store: ProvenanceStore): void;
|
|
2
7
|
/**
|
|
3
8
|
* Mark a primitive value as tainted (derived from tool data)
|
|
4
9
|
* Used by AST mode to track derived values
|
|
@@ -17,6 +22,16 @@ export declare function setProvenanceExecutionId(executionId: string): void;
|
|
|
17
22
|
* Clear the current execution ID
|
|
18
23
|
*/
|
|
19
24
|
export declare function clearProvenanceExecutionId(): void;
|
|
25
|
+
/**
|
|
26
|
+
* Hydrate provenance metadata for an execution (Multi-pod support)
|
|
27
|
+
* Call this when resuming an execution on a new pod to warm up the local cache
|
|
28
|
+
*/
|
|
29
|
+
export declare function hydrateProvenance(ids: string[]): Promise<void>;
|
|
30
|
+
/**
|
|
31
|
+
* Hydrate all provenance for a specific execution ID (if store supports tracking by execution)
|
|
32
|
+
* Note: Standard InMemoryProvenanceStore tracks execution IDs, but Redis implementations might need explicit sets
|
|
33
|
+
*/
|
|
34
|
+
export declare function hydrateExecutionProvenance(executionId: string): Promise<void>;
|
|
20
35
|
/**
|
|
21
36
|
* Register provenance metadata directly (for AST tracking in isolated-vm)
|
|
22
37
|
*/
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"registry.d.ts","sourceRoot":"","sources":["../../../../provenance/src/registry.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EACX,kBAAkB,EAClB,cAAc,EACd,iBAAiB,EAEjB,MAAM,YAAY,CAAC;
|
|
1
|
+
{"version":3,"file":"registry.d.ts","sourceRoot":"","sources":["../../../../provenance/src/registry.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EACX,kBAAkB,EAClB,cAAc,EACd,iBAAiB,EAEjB,MAAM,YAAY,CAAC;AAEpB,OAAO,EAAE,KAAK,eAAe,EAA2B,MAAM,YAAY,CAAC;AAkB3E;;GAEG;AACH,wBAAgB,wBAAwB,CAAC,KAAK,EAAE,eAAe,GAAG,IAAI,CAErE;AAED;;;GAGG;AACH,wBAAgB,oBAAoB,CAAC,KAAK,EAAE,OAAO,EAAE,cAAc,EAAE,kBAAkB,GAAG,IAAI,CAkB7F;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAa1D;AAED;;;GAGG;AACH,wBAAgB,wBAAwB,CAAC,WAAW,EAAE,MAAM,GAAG,IAAI,CAQlE;AAED;;GAEG;AACH,wBAAgB,0BAA0B,IAAI,IAAI,CAEjD;AAED;;;GAGG;AACH,wBAAsB,iBAAiB,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAapE;AAED;;;GAGG;AACH,wBAAsB,0BAA0B,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAqBnF;AAED;;GAEG;AACH,wBAAgB,0BAA0B,CACzC,EAAE,EAAE,MAAM,EACV,QAAQ,EAAE,kBAAkB,EAC5B,WAAW,CAAC,EAAE,MAAM,GAClB,IAAI,CAkCN;AAED;;;GAGG;AACH,wBAAgB,6BAA6B,CAAC,WAAW,EAAE,MAAM,GAAG,IAAI,CAwBvE;AAED;;;;GAIG;AACH,wBAAgB,yBAAyB,CAAC,KAAK,EAAE,OAAO,GAAG,kBAAkB,GAAG,IAAI,CAwCnF;AAED;;GAEG;AACH,wBAAgB,sBAAsB,CAAC,WAAW,EAAE,MAAM,GAAG,GAAG,CAAC,MAAM,EAAE,kBAAkB,CAAC,CAY3F;AAED;;GAEG;AACH,wBAAgB,yBAAyB,CAAC,WAAW,EAAE,MAAM,GAAG;IAC/D,QAAQ,EAAE,KAAK,CAAC,CAAC,MAAM,EAAE,kBAAkB,CAAC,CAAC,CAAC;IAC9C,UAAU,EAAE,KAAK,CAAC,CAAC,MAAM,EAAE,kBAAkB,CAAC,CAAC,CAAC;CAChD,CA6BA;AAED;;GAEG;AACH,wBAAgB,sBAAsB,CACrC,WAAW,EAAE,MAAM,EACnB,KAAK,EAAE,GAAG,CAAC,MAAM,EAAE,kBAAkB,CAAC,GACpC,IAAI,CASN;AAED;;GAEG;AACH,wBAAgB,yBAAyB,CACxC,WAAW,EAAE,MAAM,EACnB,QAAQ,EAAE;IACT,QAAQ,EAAE,KAAK,CAAC,CAAC,MAAM,EAAE,kBAAkB,CAAC,CAAC,CAAC;IAC9C,UAAU,EAAE,KAAK,CAAC,CAAC,MAAM,EAAE,kBAAkB,CAAC,CAAC,CAAC;CAChD,GACC,IAAI,CAkBN;AAED;;;;;;GAMG;AACH,wBAAgB,qBAAqB,CAAC,CAAC,EACtC,KAAK,EAAE,CAAC,EACR,MAAM,EAAE,cAAc,EACtB,OAAO,GAAE,iBAAsC,EAC/C,YAAY,GAAE,MAAM,EAAO,GACzB,CAAC,CAwEH;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,OAAO,GAAG,kBAAkB,GAAG,IAAI,CAgCvE;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAErD;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,OAAO,EAAE,OAAO,WAAiB,GAAG,kBAAkB,EAAE,CAkC/F;AAED;;GAEG;AACH,wBAAgB,YAAY,CAC3B,QAAQ,EAAE,iBAAiB,EAC3B,QAAQ,EAAE,iBAAiB,GACzB,iBAAiB,CAUnB;AAED;;GAEG;AACH,wBAAgB,OAAO,CAAC,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,iBAAiB,GAAG,OAAO,CAK/E;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CACnC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC9B,GAAG,CAAC,MAAM,EAAE,kBAAkB,CAAC,CAqCjC;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CACnC,aAAa,EAAE,GAAG,CAAC,MAAM,EAAE,kBAAkB,CAAC,EAC9C,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC9B,IAAI,CAON"}
|
|
@@ -1,5 +1,6 @@
|
|
|
1
1
|
import { nanoid } from 'nanoid';
|
|
2
2
|
import { computeDigest } from './tokens.js';
|
|
3
|
+
import { InMemoryProvenanceStore } from './store.js';
|
|
3
4
|
const PROVENANCE_KEY = '__provenance__';
|
|
4
5
|
const PROVENANCE_ID_KEY = '__prov_id__';
|
|
5
6
|
const provenanceStore = new WeakMap();
|
|
@@ -8,6 +9,13 @@ const executionProvenanceIds = new Map();
|
|
|
8
9
|
let currentExecutionId = null;
|
|
9
10
|
const primitiveProvenanceMap = new Map();
|
|
10
11
|
const executionTaintedPrimitives = new Map();
|
|
12
|
+
let globalStore = new InMemoryProvenanceStore();
|
|
13
|
+
/**
|
|
14
|
+
* Set the global provenance store implementation
|
|
15
|
+
*/
|
|
16
|
+
export function setGlobalProvenanceStore(store) {
|
|
17
|
+
globalStore = store;
|
|
18
|
+
}
|
|
11
19
|
/**
|
|
12
20
|
* Mark a primitive value as tainted (derived from tool data)
|
|
13
21
|
* Used by AST mode to track derived values
|
|
@@ -24,6 +32,9 @@ export function markPrimitiveTainted(value, sourceMetadata) {
|
|
|
24
32
|
}
|
|
25
33
|
const key = `tainted:${String(value)}`;
|
|
26
34
|
primitiveProvenanceMap.set(key, sourceMetadata);
|
|
35
|
+
globalStore.setPrimitive(key, sourceMetadata, currentExecutionId || undefined).catch((err) => {
|
|
36
|
+
console.warn('Failed to save primitive taint to provenance store', err);
|
|
37
|
+
});
|
|
27
38
|
}
|
|
28
39
|
/**
|
|
29
40
|
* Check if a primitive is tainted (derived from tool data)
|
|
@@ -59,12 +70,57 @@ export function setProvenanceExecutionId(executionId) {
|
|
|
59
70
|
export function clearProvenanceExecutionId() {
|
|
60
71
|
currentExecutionId = null;
|
|
61
72
|
}
|
|
73
|
+
/**
|
|
74
|
+
* Hydrate provenance metadata for an execution (Multi-pod support)
|
|
75
|
+
* Call this when resuming an execution on a new pod to warm up the local cache
|
|
76
|
+
*/
|
|
77
|
+
export async function hydrateProvenance(ids) {
|
|
78
|
+
const batch = await globalStore.getBatch(ids);
|
|
79
|
+
for (const [id, metadata] of batch.entries()) {
|
|
80
|
+
provenanceRegistry.set(id, metadata);
|
|
81
|
+
if (currentExecutionId) {
|
|
82
|
+
let execIds = executionProvenanceIds.get(currentExecutionId);
|
|
83
|
+
if (!execIds) {
|
|
84
|
+
execIds = new Set();
|
|
85
|
+
executionProvenanceIds.set(currentExecutionId, execIds);
|
|
86
|
+
}
|
|
87
|
+
execIds.add(id);
|
|
88
|
+
}
|
|
89
|
+
}
|
|
90
|
+
}
|
|
91
|
+
/**
|
|
92
|
+
* Hydrate all provenance for a specific execution ID (if store supports tracking by execution)
|
|
93
|
+
* Note: Standard InMemoryProvenanceStore tracks execution IDs, but Redis implementations might need explicit sets
|
|
94
|
+
*/
|
|
95
|
+
export async function hydrateExecutionProvenance(executionId) {
|
|
96
|
+
const batch = await globalStore.getExecution(executionId);
|
|
97
|
+
for (const [id, metadata] of batch.entries()) {
|
|
98
|
+
provenanceRegistry.set(id, metadata);
|
|
99
|
+
// Also track in current execution context (re-bind to new execution scope if needed)
|
|
100
|
+
// Or just ensure it's in registry for reading.
|
|
101
|
+
// Typically, we just want it available for reading.
|
|
102
|
+
// If we want to ensure cleanup works for the *new* resumed execution, we might need to track it.
|
|
103
|
+
// But usually resumed execution has same ID?
|
|
104
|
+
// If executionId passed here IS the currentExecutionId, we track it.
|
|
105
|
+
if (currentExecutionId === executionId) {
|
|
106
|
+
let executionSet = executionProvenanceIds.get(executionId);
|
|
107
|
+
if (!executionSet) {
|
|
108
|
+
executionSet = new Set();
|
|
109
|
+
executionProvenanceIds.set(executionId, executionSet);
|
|
110
|
+
}
|
|
111
|
+
executionSet.add(id);
|
|
112
|
+
}
|
|
113
|
+
}
|
|
114
|
+
}
|
|
62
115
|
/**
|
|
63
116
|
* Register provenance metadata directly (for AST tracking in isolated-vm)
|
|
64
117
|
*/
|
|
65
118
|
export function registerProvenanceMetadata(id, metadata, executionId) {
|
|
66
119
|
if (id.startsWith('tainted:') || id.includes(':')) {
|
|
67
120
|
primitiveProvenanceMap.set(id, metadata);
|
|
121
|
+
globalStore.setPrimitive(id, metadata, executionId).catch((err) => {
|
|
122
|
+
console.warn('Failed to save primitive provenance to store', err);
|
|
123
|
+
});
|
|
68
124
|
if (id.startsWith('tainted:')) {
|
|
69
125
|
const value = id.slice('tainted:'.length);
|
|
70
126
|
if (executionId) {
|
|
@@ -79,6 +135,9 @@ export function registerProvenanceMetadata(id, metadata, executionId) {
|
|
|
79
135
|
}
|
|
80
136
|
else {
|
|
81
137
|
provenanceRegistry.set(id, metadata);
|
|
138
|
+
globalStore.set(id, metadata, executionId).catch((err) => {
|
|
139
|
+
console.warn('Failed to save provenance to store', err);
|
|
140
|
+
});
|
|
82
141
|
}
|
|
83
142
|
if (executionId) {
|
|
84
143
|
let ids = executionProvenanceIds.get(executionId);
|
|
@@ -111,6 +170,10 @@ export function cleanupProvenanceForExecution(executionId) {
|
|
|
111
170
|
executionProvenanceIds.delete(executionId);
|
|
112
171
|
}
|
|
113
172
|
executionTaintedPrimitives.delete(executionId);
|
|
173
|
+
// Cleanup from persistent store
|
|
174
|
+
globalStore.cleanupExecution(executionId).catch((err) => {
|
|
175
|
+
console.warn('Failed to cleanup provenance store', err);
|
|
176
|
+
});
|
|
114
177
|
}
|
|
115
178
|
/**
|
|
116
179
|
* Check if a primitive value was extracted from a provenance-tracked object
|
|
@@ -206,6 +269,7 @@ export function restoreProvenanceState(executionId, state) {
|
|
|
206
269
|
for (const [id, metadata] of state) {
|
|
207
270
|
provenanceRegistry.set(id, metadata);
|
|
208
271
|
ids.add(id);
|
|
272
|
+
globalStore.set(id, metadata, executionId).catch(console.error);
|
|
209
273
|
}
|
|
210
274
|
}
|
|
211
275
|
/**
|
|
@@ -216,6 +280,7 @@ export function restoreProvenanceSnapshot(executionId, snapshot) {
|
|
|
216
280
|
restoreProvenanceState(executionId, registryMap);
|
|
217
281
|
for (const [key, meta] of snapshot.primitives) {
|
|
218
282
|
primitiveProvenanceMap.set(key, meta);
|
|
283
|
+
globalStore.setPrimitive(key, meta, executionId).catch(console.error);
|
|
219
284
|
if (key.startsWith('tainted:')) {
|
|
220
285
|
const value = key.slice('tainted:'.length);
|
|
221
286
|
let set = executionTaintedPrimitives.get(executionId);
|
|
@@ -256,12 +321,17 @@ export function createProvenanceProxy(value, source, readers = { type: 'public'
|
|
|
256
321
|
ids.add(id);
|
|
257
322
|
}
|
|
258
323
|
}
|
|
324
|
+
globalStore.set(id, metadata, currentExecutionId || undefined).catch((err) => {
|
|
325
|
+
console.warn('Failed to persist provenance to store', err);
|
|
326
|
+
});
|
|
259
327
|
try {
|
|
260
328
|
Object.defineProperty(value, PROVENANCE_ID_KEY, {
|
|
261
329
|
value: id,
|
|
262
330
|
writable: false,
|
|
263
331
|
enumerable: true,
|
|
264
332
|
configurable: true,
|
|
333
|
+
// @ts-ignore
|
|
334
|
+
__proto__: null,
|
|
265
335
|
});
|
|
266
336
|
}
|
|
267
337
|
catch (e) {
|
|
@@ -286,6 +356,9 @@ export function createProvenanceProxy(value, source, readers = { type: 'public'
|
|
|
286
356
|
else if (typeof nestedValue === 'string' || typeof nestedValue === 'number') {
|
|
287
357
|
const primitiveKey = `${id}:${key}:${String(nestedValue)}`;
|
|
288
358
|
primitiveProvenanceMap.set(primitiveKey, metadata);
|
|
359
|
+
globalStore
|
|
360
|
+
.setPrimitive(primitiveKey, metadata, currentExecutionId || undefined)
|
|
361
|
+
.catch(console.error);
|
|
289
362
|
}
|
|
290
363
|
}
|
|
291
364
|
}
|