@navirondynamics/accord 1.0.0

package/README.md

@@ -0,0 +1,49 @@
+Accord
+
+Accord is a policy-first identity and access engine designed to unify identity representation, context resolution, and authorization under a single, declarative policy model.
+
+Installation
+
+`bashnpm install accord`
+
+Quick Start
+
+1. Initialize Configuration
+
+   Create a config folder in your project root.
+
+config/policies.json`json[ { "id": "policy-admin", "version": "1.0", "effect": "allow", "subject": { "type": "user", "attributes": { "role": "admin" } }, "action": ["delete"], "resource": { "type": "booking" } }]`
+
+config/identities.json`json[ { "id": "admin_01", "type": "user", "status": "active", "attributes": { "role": "admin" } }]`
+
+2. Use in Code
+
+````typescriptimport
+
+const accord = new Accord({ policyPath: './config/policies.json', identityPath: './config/identities.json'});
+
+async function deleteBooking(bookingId: string, userId: string) { const decision = await accord.check(userId, 'delete', { type: 'booking', id: bookingId });
+
+if (decision.decision === 'allow') { console.log('Access Granted'); // Perform delete... } else { console.log('Access Denied:', decision.reason); }}```
+
+Express Middleware
+Protect your routes easily:
+
+```typescriptimport express from 'express';import { Accord } from 'accord';import { protect } from 'accord/adapters/express'; // Note: Check actual path after build
+
+const app = express();const accord = new Accord({ policyPath: './config/policies.json', ... });
+
+// Protect this routeapp.delete('/bookings/:id', protect({ accordInstance: accord, action: 'delete', resourceType: 'booking' }), (req, res) => { // Only allowed users reach here res.send('Booking deleted'); });```
+
+CLI Tool
+Validate policies locally:
+
+```bashnpx accord-cli validate ./config/policies.json```
+
+Test access logic:
+
+```bashnpx accord-cli eval -i user_123 -a delete -r booking```
+
+License
+ISC
+````

package/dist/accord.d.ts

@@ -0,0 +1,16 @@
+import { IdentityStore } from './store/identity';
+import { Decision } from './core/types';
+export interface AccordConfig {
+    policyPath: string;
+    identityPath: string;
+}
+export declare class Accord {
+    private policies;
+    private identityStore;
+    private resolver;
+    private config;
+    constructor(config: AccordConfig);
+    check(externalId: string, action: string, resource: any, context?: any): Promise<Decision>;
+    getStore(): IdentityStore;
+}
+//# sourceMappingURL=accord.d.ts.map

package/dist/accord.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"accord.d.ts","sourceRoot":"","sources":["../src/accord.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAGjD,OAAO,EAAiB,QAAQ,EAAkB,MAAM,cAAc,CAAC;AAEvE,MAAM,WAAW,YAAY;IAC3B,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,EAAE,MAAM,CAAC;CACtB;AAED,qBAAa,MAAM;IACjB,OAAO,CAAC,QAAQ,CAAmB;IACnC,OAAO,CAAC,aAAa,CAAgB;IACrC,OAAO,CAAC,QAAQ,CAAmB;IACnC,OAAO,CAAC,MAAM,CAAe;gBAEjB,MAAM,EAAE,YAAY;IAc1B,KAAK,CACT,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,GAAG,EACb,OAAO,CAAC,EAAE,GAAG,GACZ,OAAO,CAAC,QAAQ,CAAC;IAyBpB,QAAQ,IAAI,aAAa;CAG1B"}

package/dist/accord.js

@@ -0,0 +1,48 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Accord = void 0;
+// src/accord.ts
+const loader_1 = require("./core/loader");
+const compiler_1 = require("./core/compiler"); // NEW
+const identity_1 = require("./store/identity");
+const resolver_1 = require("./core/resolver");
+const evaluator_1 = require("./core/evaluator");
+class Accord {
+    constructor(config) {
+        this.config = config;
+        // 1. Initialize Store
+        this.identityStore = new identity_1.IdentityStore(config.identityPath);
+        // 2. Initialize Resolver
+        this.resolver = new resolver_1.IdentityResolver(this.identityStore);
+        // 3. Load and COMPILE Policies
+        const rawPolicies = (0, loader_1.loadPolicies)(config.policyPath);
+        this.policies = (0, compiler_1.compilePolicies)(rawPolicies);
+    }
+    async check(externalId, action, resource, context) {
+        try {
+            // 1. Resolve Identity
+            const identity = this.resolver.resolve(externalId);
+            // 2. Construct AccessRequest
+            const request = {
+                subject: identity,
+                action: action,
+                resource: resource,
+                context: context || {}
+            };
+            // 3. Evaluate
+            const decision = await (0, evaluator_1.evaluate)(request, this.policies);
+            return decision;
+        }
+        catch (error) {
+            return {
+                decision: 'deny',
+                reason: error.message
+            };
+        }
+    }
+    getStore() {
+        return this.identityStore;
+    }
+}
+exports.Accord = Accord;
+//# sourceMappingURL=accord.js.map

package/dist/accord.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"accord.js","sourceRoot":"","sources":["../src/accord.ts"],"names":[],"mappings":";;;AAAA,gBAAgB;AAChB,0CAA6C;AAC7C,8CAAkD,CAAC,MAAM;AACzD,+CAAiD;AACjD,8CAAmD;AACnD,gDAA4C;AAQ5C,MAAa,MAAM;IAMjB,YAAY,MAAoB;QAC9B,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QAErB,sBAAsB;QACtB,IAAI,CAAC,aAAa,GAAG,IAAI,wBAAa,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;QAE5D,yBAAyB;QACzB,IAAI,CAAC,QAAQ,GAAG,IAAI,2BAAgB,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QAEzD,+BAA+B;QAC/B,MAAM,WAAW,GAAG,IAAA,qBAAY,EAAC,MAAM,CAAC,UAAU,CAAC,CAAC;QACpD,IAAI,CAAC,QAAQ,GAAG,IAAA,0BAAe,EAAC,WAAW,CAAC,CAAC;IAC/C,CAAC;IAED,KAAK,CAAC,KAAK,CACT,UAAkB,EAClB,MAAc,EACd,QAAa,EACb,OAAa;QAEb,IAAI,CAAC;YACH,sBAAsB;YACtB,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;YAEnD,6BAA6B;YAC7B,MAAM,OAAO,GAAkB;gBAC7B,OAAO,EAAE,QAAQ;gBACjB,MAAM,EAAE,MAAM;gBACd,QAAQ,EAAE,QAAQ;gBAClB,OAAO,EAAE,OAAO,IAAI,EAAE;aACvB,CAAC;YAEF,cAAc;YACd,MAAM,QAAQ,GAAG,MAAM,IAAA,oBAAQ,EAAC,OAAO,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC;YAExD,OAAO,QAAQ,CAAC;QAClB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO;gBACL,QAAQ,EAAE,MAAM;gBAChB,MAAM,EAAG,KAAe,CAAC,OAAO;aACjC,CAAC;QACJ,CAAC;IACH,CAAC;IAED,QAAQ;QACN,OAAO,IAAI,CAAC,aAAa,CAAC;IAC5B,CAAC;CACF;AArDD,wBAqDC"}

package/dist/adapters/express.d.ts

@@ -0,0 +1,14 @@
+import { Request, Response, NextFunction } from 'express';
+import { Accord } from '../accord';
+export interface MiddlewareOptions {
+    accordInstance: Accord;
+    action: string;
+    resourceType: string;
+    getId?: (req: Request) => string;
+}
+/**
+ * Express Middleware Factory
+ * Usage: app.use(protect({ accord: myAccord, action: 'delete', resourceType: 'booking' }))
+ */
+export declare function protect(options: MiddlewareOptions): (req: Request, res: Response, next: NextFunction) => Promise<Response<any, Record<string, any>> | undefined>;
+//# sourceMappingURL=express.d.ts.map

package/dist/adapters/express.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"express.d.ts","sourceRoot":"","sources":["../../src/adapters/express.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAC1D,OAAO,EAAE,MAAM,EAAE,MAAM,WAAW,CAAC;AAGnC,MAAM,WAAW,iBAAiB;IAChC,cAAc,EAAE,MAAM,CAAC;IACvB,MAAM,EAAE,MAAM,CAAC;IACf,YAAY,EAAE,MAAM,CAAC;IAErB,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,OAAO,KAAK,MAAM,CAAC;CAClC;AAED;;;GAGG;AACH,wBAAgB,OAAO,CAAC,OAAO,EAAE,iBAAiB,IAClC,KAAK,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY,6DA6C9D"}

package/dist/adapters/express.js

@@ -0,0 +1,48 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.protect = protect;
+/**
+ * Express Middleware Factory
+ * Usage: app.use(protect({ accord: myAccord, action: 'delete', resourceType: 'booking' }))
+ */
+function protect(options) {
+    return async (req, res, next) => {
+        try {
+            // 1. Determine User ID
+            // In real app, this comes from JWT (req.user.sub). 
+            // For v1, we support a custom getter or default to req.headers['x-user-id']
+            const userId = options.getId
+                ? options.getId(req)
+                : req.headers['x-user-id'];
+            if (!userId) {
+                return res.status(401).json({ error: 'User ID missing' });
+            }
+            // 2. Construct Resource Object
+            // We extract ID from route params (e.g., /bookings/:id)
+            const resource = {
+                type: options.resourceType,
+                id: req.params.id,
+                attributes: req.body || {} // Merge body attributes for ABAC checks
+            };
+            // 3. Check Policy
+            const decision = await options.accordInstance.check(userId, options.action, resource);
+            // 4. Enforce Decision
+            if (decision.decision === 'allow') {
+                // Optional: Attach decision to request for downstream use
+                req.authDecision = decision;
+                next();
+            }
+            else {
+                res.status(403).json({
+                    error: 'Access Denied',
+                    reason: decision.reason
+                });
+            }
+        }
+        catch (error) {
+            console.error('Middleware Error:', error);
+            res.status(500).json({ error: 'Internal Server Error' });
+        }
+    };
+}
+//# sourceMappingURL=express.js.map

package/dist/adapters/express.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"express.js","sourceRoot":"","sources":["../../src/adapters/express.ts"],"names":[],"mappings":";;AAiBA,0BA8CC;AAlDD;;;GAGG;AACH,SAAgB,OAAO,CAAC,OAA0B;IAChD,OAAO,KAAK,EAAE,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAE,EAAE;QAC/D,IAAI,CAAC;YACH,uBAAuB;YACvB,oDAAoD;YACpD,4EAA4E;YAC5E,MAAM,MAAM,GAAG,OAAO,CAAC,KAAK;gBAC1B,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC;gBACpB,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,WAAW,CAAW,CAAC;YAEvC,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,iBAAiB,EAAE,CAAC,CAAC;YAC5D,CAAC;YAED,+BAA+B;YAC/B,wDAAwD;YACxD,MAAM,QAAQ,GAAG;gBACf,IAAI,EAAE,OAAO,CAAC,YAAY;gBAC1B,EAAE,EAAE,GAAG,CAAC,MAAM,CAAC,EAAE;gBACjB,UAAU,EAAE,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC,wCAAwC;aACpE,CAAC;YAEF,kBAAkB;YAClB,MAAM,QAAQ,GAAa,MAAM,OAAO,CAAC,cAAc,CAAC,KAAK,CAC3D,MAAM,EACN,OAAO,CAAC,MAAM,EACd,QAAQ,CACT,CAAC;YAEF,sBAAsB;YACtB,IAAI,QAAQ,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;gBAClC,0DAA0D;gBACzD,GAAW,CAAC,YAAY,GAAG,QAAQ,CAAC;gBACrC,IAAI,EAAE,CAAC;YACT,CAAC;iBAAM,CAAC;gBACN,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;oBACnB,KAAK,EAAE,eAAe;oBACtB,MAAM,EAAE,QAAQ,CAAC,MAAM;iBACxB,CAAC,CAAC;YACL,CAAC;QAEH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,mBAAmB,EAAE,KAAK,CAAC,CAAC;YAC1C,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,uBAAuB,EAAE,CAAC,CAAC;QAC3D,CAAC;IACH,CAAC,CAAC;AACJ,CAAC"}

package/dist/cli/index.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=index.d.ts.map

package/dist/cli/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/cli/index.ts"],"names":[],"mappings":""}

package/dist/cli/index.js

@@ -0,0 +1,78 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+// src/cli/index.ts
+// #!/usr/bin/env node
+const commander_1 = require("commander");
+const accord_1 = require("../accord");
+const loader_1 = require("../core/loader");
+const program = new commander_1.Command();
+program
+    .name('accord')
+    .description('Accord Policy Engine CLI')
+    .version('1.0.0');
+// ---------------------------------------------------------
+// Command: validate
+// Checks if a policy file is valid JSON and loadable
+// ---------------------------------------------------------
+program
+    .command('validate <file>')
+    .description('Validate a policy JSON file')
+    .action((file) => {
+    try {
+        console.log(`Validating ${file}...`);
+        const policies = (0, loader_1.loadPolicies)(file);
+        console.log(`✓ Valid! Loaded ${policies.length} policies.`);
+    }
+    catch (error) {
+        console.error(`✗ Validation Failed:`);
+        console.error(error.message);
+        process.exit(1);
+    }
+});
+// ---------------------------------------------------------
+// Command: eval
+// Dry-run an access check
+// Usage: accord eval --id u1 --action delete --resource booking
+// ---------------------------------------------------------
+program
+    .command('eval')
+    .description('Evaluate an access request')
+    .requiredOption('-i, --id <userId>', 'User ID')
+    .requiredOption('-a, --action <action>', 'Action (e.g., delete)')
+    .requiredOption('-r, --resource <type>', 'Resource Type (e.g., booking)')
+    .option('--rid <resourceId>', 'Resource ID (optional)')
+    .option('-p, --policy <path>', 'Path to policies file', './config/policies.json')
+    .option('-u, --user <path>', 'Path to identities file', './config/identities.json')
+    .action(async (options) => {
+    try {
+        // 1. Initialize Accord
+        const accord = new accord_1.Accord({
+            policyPath: options.policy,
+            identityPath: options.user
+        });
+        // 2. Construct Resource
+        const resource = {
+            type: options.resource,
+            attributes: {}
+        };
+        if (options.rid) {
+            resource.id = options.rid;
+        }
+        console.log(`Checking if '${options.id}' can '${options.action}' on '${options.resource}'...`);
+        // 3. Check Access
+        const decision = await accord.check(options.id, options.action, resource);
+        // 4. Output Result
+        console.log(JSON.stringify(decision, null, 2));
+        // Exit with error code if denied (useful for CI/CD)
+        if (decision.decision === 'deny') {
+            process.exit(1);
+        }
+    }
+    catch (error) {
+        console.error(`Error: ${error.message}`);
+        process.exit(1);
+    }
+});
+// Parse arguments
+program.parse(process.argv);
+//# sourceMappingURL=index.js.map

package/dist/cli/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/cli/index.ts"],"names":[],"mappings":";;AAAA,mBAAmB;AACnB,sBAAsB;AACtB,yCAAoC;AACpC,sCAAmC;AACnC,2CAA8C;AAI9C,MAAM,OAAO,GAAG,IAAI,mBAAO,EAAE,CAAC;AAE9B,OAAO;KACJ,IAAI,CAAC,QAAQ,CAAC;KACd,WAAW,CAAC,0BAA0B,CAAC;KACvC,OAAO,CAAC,OAAO,CAAC,CAAC;AAEpB,4DAA4D;AAC5D,oBAAoB;AACpB,qDAAqD;AACrD,4DAA4D;AAC5D,OAAO;KACJ,OAAO,CAAC,iBAAiB,CAAC;KAC1B,WAAW,CAAC,6BAA6B,CAAC;KAC1C,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE;IACf,IAAI,CAAC;QACH,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,KAAK,CAAC,CAAC;QACrC,MAAM,QAAQ,GAAG,IAAA,qBAAY,EAAC,IAAI,CAAC,CAAC;QACpC,OAAO,CAAC,GAAG,CAAC,mBAAmB,QAAQ,CAAC,MAAM,YAAY,CAAC,CAAC;IAC9D,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,sBAAsB,CAAC,CAAC;QACtC,OAAO,CAAC,KAAK,CAAE,KAAe,CAAC,OAAO,CAAC,CAAC;QACxC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,4DAA4D;AAC5D,gBAAgB;AAChB,0BAA0B;AAC1B,gEAAgE;AAChE,4DAA4D;AAC5D,OAAO;KACJ,OAAO,CAAC,MAAM,CAAC;KACf,WAAW,CAAC,4BAA4B,CAAC;KACzC,cAAc,CAAC,mBAAmB,EAAE,SAAS,CAAC;KAC9C,cAAc,CAAC,uBAAuB,EAAE,uBAAuB,CAAC;KAChE,cAAc,CAAC,uBAAuB,EAAE,+BAA+B,CAAC;KACxE,MAAM,CAAC,oBAAoB,EAAE,wBAAwB,CAAC;KACtD,MAAM,CAAC,qBAAqB,EAAE,uBAAuB,EAAE,wBAAwB,CAAC;KAChF,MAAM,CAAC,mBAAmB,EAAE,yBAAyB,EAAE,0BAA0B,CAAC;KAClF,MAAM,CAAC,KAAK,EAAE,OAAO,EAAE,EAAE;IACxB,IAAI,CAAC;QACH,uBAAuB;QACvB,MAAM,MAAM,GAAG,IAAI,eAAM,CAAC;YACxB,UAAU,EAAE,OAAO,CAAC,MAAM;YAC1B,YAAY,EAAE,OAAO,CAAC,IAAI;SAC3B,CAAC,CAAC;QAEH,wBAAwB;QACxB,MAAM,QAAQ,GAAQ;YACpB,IAAI,EAAE,OAAO,CAAC,QAAQ;YACtB,UAAU,EAAE,EAAE;SACf,CAAC;QACF,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;YAChB,QAAQ,CAAC,EAAE,GAAG,OAAO,CAAC,GAAG,CAAC;QAC5B,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,gBAAgB,OAAO,CAAC,EAAE,UAAU,OAAO,CAAC,MAAM,SAAS,OAAO,CAAC,QAAQ,MAAM,CAAC,CAAC;QAE/F,kBAAkB;QAClB,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,EAAE,OAAO,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QAE1E,mBAAmB;QACnB,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;QAE/C,oDAAoD;QACpD,IAAI,QAAQ,CAAC,QAAQ,KAAK,MAAM,EAAE,CAAC;YACjC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,UAAW,KAAe,CAAC,OAAO,EAAE,CAAC,CAAC;QACpD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,kBAAkB;AAClB,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC"}

package/dist/core/compiler.d.ts

@@ -0,0 +1,7 @@
+import { Policy, CompiledPolicy } from './types';
+/**
+ * Compiles policy conditions into executable functions.
+ * This happens ONCE at startup.
+ */
+export declare function compilePolicies(policies: Policy[]): CompiledPolicy[];
+//# sourceMappingURL=compiler.d.ts.map

package/dist/core/compiler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"compiler.d.ts","sourceRoot":"","sources":["../../src/core/compiler.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAGjD;;;GAGG;AACH,wBAAgB,eAAe,CAAC,QAAQ,EAAE,MAAM,EAAE,GAAG,cAAc,EAAE,CAmBpE"}

package/dist/core/compiler.js

@@ -0,0 +1,31 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.compilePolicies = compilePolicies;
+const jsonata_1 = __importDefault(require("jsonata"));
+/**
+ * Compiles policy conditions into executable functions.
+ * This happens ONCE at startup.
+ */
+function compilePolicies(policies) {
+    return policies.map(policy => {
+        const compiled = { ...policy };
+        // Only compile if a condition exists
+        if (policy.condition) {
+            try {
+                const expression = (0, jsonata_1.default)(policy.condition);
+                // Store the compiled function. We evaluate it later.
+                compiled.compiledCondition = expression.evaluate.bind(expression);
+            }
+            catch (error) {
+                console.error(`Failed to compile condition for policy ${policy.id}:`, error);
+                // If it fails to compile, it effectively becomes "false" (Deny)
+                compiled.compiledCondition = () => false;
+            }
+        }
+        return compiled;
+    });
+}
+//# sourceMappingURL=compiler.js.map

package/dist/core/compiler.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"compiler.js","sourceRoot":"","sources":["../../src/core/compiler.ts"],"names":[],"mappings":";;;;;AAQA,0CAmBC;AAzBD,sDAA8B;AAE9B;;;GAGG;AACH,SAAgB,eAAe,CAAC,QAAkB;IAChD,OAAO,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE;QAC3B,MAAM,QAAQ,GAAmB,EAAE,GAAG,MAAM,EAAE,CAAC;QAE/C,qCAAqC;QACrC,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;YACrB,IAAI,CAAC;gBACH,MAAM,UAAU,GAAG,IAAA,iBAAO,EAAC,MAAM,CAAC,SAAS,CAAC,CAAC;gBAC7C,qDAAqD;gBACrD,QAAQ,CAAC,iBAAiB,GAAG,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;YACpE,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,OAAO,CAAC,KAAK,CAAC,0CAA0C,MAAM,CAAC,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;gBAC7E,gEAAgE;gBAChE,QAAQ,CAAC,iBAAiB,GAAG,GAAG,EAAE,CAAC,KAAK,CAAC;YAC3C,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/core/evaluator.d.ts

@@ -0,0 +1,6 @@
+import { CompiledPolicy, AccessRequest, Decision } from './types';
+/**
+ * MAIN ENTRY POINT: The Brain.
+ */
+export declare function evaluate(request: AccessRequest, policies: CompiledPolicy[]): Promise<Decision>;
+//# sourceMappingURL=evaluator.d.ts.map

package/dist/core/evaluator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"evaluator.d.ts","sourceRoot":"","sources":["../../src/core/evaluator.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,aAAa,EAAE,QAAQ,EAAY,MAAM,SAAS,CAAC;AA6H5E;;GAEG;AACH,wBAAsB,QAAQ,CAAC,OAAO,EAAE,aAAa,EAAE,QAAQ,EAAE,cAAc,EAAE,GAAG,OAAO,CAAC,QAAQ,CAAC,CAyCpG"}

package/dist/core/evaluator.js

@@ -0,0 +1,148 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.evaluate = evaluate;
+const jsonata_1 = __importDefault(require("jsonata"));
+/**
+ * Helper: Matches attributes between policy and request.
+ */
+function matchesAttributes(policyAttrs, requestSubject) {
+    if (!policyAttrs)
+        return true;
+    for (const key in policyAttrs) {
+        const expectedValue = policyAttrs[key];
+        if (key === 'status') {
+            if (requestSubject.status !== expectedValue)
+                return false;
+        }
+        else {
+            if (requestSubject.attributes?.[key] !== expectedValue) {
+                return false;
+            }
+        }
+    }
+    return true;
+}
+/**
+ * Helper: Checks if the policy subject matches the request subject.
+ */
+function matchesSubject(policy, request) {
+    const pSub = policy.subject;
+    const rSub = request.subject;
+    if (pSub.type && pSub.type !== rSub.type) {
+        return false;
+    }
+    if (pSub.id && pSub.id !== rSub.id) {
+        return false;
+    }
+    if (!matchesAttributes(pSub.attributes, rSub)) {
+        return false;
+    }
+    return true;
+}
+/**
+ * Helper: Checks if the policy resource matches the request resource.
+ */
+function matchesResource(policy, request) {
+    const pRes = policy.resource;
+    const rRes = request.resource;
+    if (pRes.type && pRes.type !== rRes.type) {
+        return false;
+    }
+    if (pRes.attributes) {
+        for (const key in pRes.attributes) {
+            if (rRes.attributes[key] !== pRes.attributes[key]) {
+                return false;
+            }
+        }
+    }
+    return true;
+}
+/**
+ * Helper: Checks if the action is covered by the policy.
+ */
+function matchesAction(policy, request) {
+    return policy.action.includes(request.action);
+}
+/**
+ * Helper: Evaluates Condition using a PRE-COMPILED function.
+ * Falls back to runtime compilation if no pre-compiled function exists (for unit tests).
+ */
+async function evaluateCondition(policy, request) {
+    // If no condition, it passes.
+    if (!policy.condition)
+        return true;
+    try {
+        const scope = {
+            subject: request.subject,
+            resource: request.resource,
+            context: request.context || {}
+        };
+        // 1. Optimized Path: Use pre-compiled function (Production)
+        if (policy.compiledCondition) {
+            const result = await policy.compiledCondition(scope);
+            return result === true;
+        }
+        // 2. Fallback Path: Compile and run immediately (Unit Tests / Raw Data)
+        // This ensures unit tests using raw Policy objects still work.
+        else {
+            const expression = (0, jsonata_1.default)(policy.condition);
+            const result = await expression.evaluate(scope);
+            return result === true;
+        }
+    }
+    catch (error) {
+        console.error(`Condition evaluation error for policy ${policy.id}:`, error);
+        return false;
+    }
+}
+/**
+ * CORE FUNCTION: Evaluates a single policy against a request.
+ */
+async function isApplicable(policy, request) {
+    return (matchesSubject(policy, request) &&
+        matchesResource(policy, request) &&
+        matchesAction(policy, request) &&
+        (await evaluateCondition(policy, request)));
+}
+/**
+ * MAIN ENTRY POINT: The Brain.
+ */
+async function evaluate(request, policies) {
+    let hasMatch = false;
+    let deniedBy;
+    // 1. Scan all policies
+    for (const policy of policies) {
+        if (await isApplicable(policy, request)) {
+            hasMatch = true;
+            // 2. Conflict Resolution: Explicit Deny wins immediately
+            if (policy.effect === 'deny') {
+                return {
+                    decision: 'deny',
+                    policy_id: policy.id,
+                    reason: 'Explicit deny policy matched',
+                };
+            }
+        }
+    }
+    // 3. Final Decision
+    if (hasMatch) {
+        const allowingPolicy = policies.find(p => p.effect === 'allow' &&
+            matchesSubject(p, request) &&
+            matchesResource(p, request) &&
+            matchesAction(p, request));
+        return {
+            decision: 'allow',
+            policy_id: allowingPolicy?.id,
+            reason: 'Allowed by matching policy',
+        };
+    }
+    // 4. Default Deny
+    return {
+        decision: 'deny',
+        reason: 'No matching policy found (Default Deny)',
+    };
+}
+//# sourceMappingURL=evaluator.js.map

package/dist/core/evaluator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"evaluator.js","sourceRoot":"","sources":["../../src/core/evaluator.ts"],"names":[],"mappings":";;;;;AAiIA,4BAyCC;AAxKD,sDAA8B;AAE9B;;GAEG;AACH,SAAS,iBAAiB,CACxB,WAA4C,EAC5C,cAAwB;IAExB,IAAI,CAAC,WAAW;QAAE,OAAO,IAAI,CAAC;IAE9B,KAAK,MAAM,GAAG,IAAI,WAAW,EAAE,CAAC;QAC9B,MAAM,aAAa,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC;QAEvC,IAAI,GAAG,KAAK,QAAQ,EAAE,CAAC;YACrB,IAAI,cAAc,CAAC,MAAM,KAAK,aAAa;gBAAE,OAAO,KAAK,CAAC;QAC5D,CAAC;aACI,CAAC;YACJ,IAAI,cAAc,CAAC,UAAU,EAAE,CAAC,GAAG,CAAC,KAAK,aAAa,EAAE,CAAC;gBACvD,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;GAEG;AACH,SAAS,cAAc,CAAC,MAAsB,EAAE,OAAsB;IACpE,MAAM,IAAI,GAAG,MAAM,CAAC,OAAO,CAAC;IAC5B,MAAM,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC;IAE7B,IAAI,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,IAAI,KAAK,IAAI,CAAC,IAAI,EAAE,CAAC;QACzC,OAAO,KAAK,CAAC;IACf,CAAC;IAED,IAAI,IAAI,CAAC,EAAE,IAAI,IAAI,CAAC,EAAE,KAAK,IAAI,CAAC,EAAE,EAAE,CAAC;QACnC,OAAO,KAAK,CAAC;IACf,CAAC;IAED,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,EAAE,CAAC;QAC9C,OAAO,KAAK,CAAC;IACf,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,MAAsB,EAAE,OAAsB;IACrE,MAAM,IAAI,GAAG,MAAM,CAAC,QAAQ,CAAC;IAC7B,MAAM,IAAI,GAAG,OAAO,CAAC,QAAQ,CAAC;IAE9B,IAAI,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,IAAI,KAAK,IAAI,CAAC,IAAI,EAAE,CAAC;QACzC,OAAO,KAAK,CAAC;IACf,CAAC;IAED,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;QACpB,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YAClC,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;gBAClD,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;GAEG;AACH,SAAS,aAAa,CAAC,MAAsB,EAAE,OAAsB;IACnE,OAAO,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;AAChD,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,iBAAiB,CAAC,MAAsB,EAAE,OAAsB;IAC7E,8BAA8B;IAC9B,IAAI,CAAC,MAAM,CAAC,SAAS;QAAE,OAAO,IAAI,CAAC;IAEnC,IAAI,CAAC;QACH,MAAM,KAAK,GAAG;YACZ,OAAO,EAAE,OAAO,CAAC,OAAO;YACxB,QAAQ,EAAE,OAAO,CAAC,QAAQ;YAC1B,OAAO,EAAE,OAAO,CAAC,OAAO,IAAI,EAAE;SAC/B,CAAC;QAEF,4DAA4D;QAC5D,IAAI,MAAM,CAAC,iBAAiB,EAAE,CAAC;YAC7B,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,iBAAiB,CAAC,KAAK,CAAC,CAAC;YACrD,OAAQ,MAAc,KAAK,IAAI,CAAC;QAClC,CAAC;QAED,wEAAwE;QACxE,+DAA+D;aAC1D,CAAC;YACJ,MAAM,UAAU,GAAG,IAAA,iBAAO,EAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YAC7C,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;YAChD,OAAQ,MAAc,KAAK,IAAI,CAAC;QAClC,CAAC;IAEH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,yCAAyC,MAAM,CAAC,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;QAC5E,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,YAAY,CAAC,MAAsB,EAAE,OAAsB;IACxE,OAAO,CACL,cAAc,CAAC,MAAM,EAAE,OAAO,CAAC;QAC/B,eAAe,CAAC,MAAM,EAAE,OAAO,CAAC;QAChC,aAAa,CAAC,MAAM,EAAE,OAAO,CAAC;QAC9B,CAAC,MAAM,iBAAiB,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAC3C,CAAC;AACJ,CAAC;AAED;;GAEG;AACI,KAAK,UAAU,QAAQ,CAAC,OAAsB,EAAE,QAA0B;IAC/E,IAAI,QAAQ,GAAG,KAAK,CAAC;IACrB,IAAI,QAA4B,CAAC;IAEjC,uBAAuB;IACvB,KAAK,MAAM,MAAM,IAAI,QAAQ,EAAE,CAAC;QAC9B,IAAI,MAAM,YAAY,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,CAAC;YACxC,QAAQ,GAAG,IAAI,CAAC;YAEhB,yDAAyD;YACzD,IAAI,MAAM,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;gBAC7B,OAAO;oBACL,QAAQ,EAAE,MAAM;oBAChB,SAAS,EAAE,MAAM,CAAC,EAAE;oBACpB,MAAM,EAAE,8BAA8B;iBACvC,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAED,oBAAoB;IACpB,IAAI,QAAQ,EAAE,CAAC;QACb,MAAM,cAAc,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CACvC,CAAC,CAAC,MAAM,KAAK,OAAO;YACpB,cAAc,CAAC,CAAC,EAAE,OAAO,CAAC;YAC1B,eAAe,CAAC,CAAC,EAAE,OAAO,CAAC;YAC3B,aAAa,CAAC,CAAC,EAAE,OAAO,CAAC,CAC1B,CAAC;QAEF,OAAO;YACL,QAAQ,EAAE,OAAO;YACjB,SAAS,EAAE,cAAc,EAAE,EAAE;YAC7B,MAAM,EAAE,4BAA4B;SACrC,CAAC;IACJ,CAAC;IAED,kBAAkB;IAClB,OAAO;QACL,QAAQ,EAAE,MAAM;QAChB,MAAM,EAAE,yCAAyC;KAClD,CAAC;AACJ,CAAC"}

package/dist/core/loader.d.ts

@@ -0,0 +1,6 @@
+import { Policy } from './types';
+/**
+ * Loads Policies from a JSON file.
+ */
+export declare function loadPolicies(filePath: string): Policy[];
+//# sourceMappingURL=loader.d.ts.map

package/dist/core/loader.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"loader.d.ts","sourceRoot":"","sources":["../../src/core/loader.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,MAAM,EAAY,MAAM,SAAS,CAAC;AAI3C;;GAEG;AACH,wBAAgB,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,EAAE,CASvD"}

package/dist/core/loader.js

@@ -0,0 +1,53 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.loadPolicies = loadPolicies;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+/**
+ * Loads Policies from a JSON file.
+ */
+function loadPolicies(filePath) {
+    try {
+        const absolutePath = path.resolve(filePath);
+        const fileContent = fs.readFileSync(absolutePath, 'utf-8');
+        return JSON.parse(fileContent);
+    }
+    catch (error) {
+        console.error(`Failed to load policies from ${filePath}:`, error);
+        return []; // Return empty array on failure to be safe
+    }
+}
+//# sourceMappingURL=loader.js.map

package/dist/core/loader.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"loader.js","sourceRoot":"","sources":["../../src/core/loader.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAQA,oCASC;AAfD,uCAAyB;AACzB,2CAA6B;AAE7B;;GAEG;AACH,SAAgB,YAAY,CAAC,QAAgB;IAC3C,IAAI,CAAC;QACH,MAAM,YAAY,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;QAC5C,MAAM,WAAW,GAAG,EAAE,CAAC,YAAY,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;QAC3D,OAAO,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;IACjC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,gCAAgC,QAAQ,GAAG,EAAE,KAAK,CAAC,CAAC;QAClE,OAAO,EAAE,CAAC,CAAC,2CAA2C;IACxD,CAAC;AACH,CAAC"}

package/dist/core/resolver.d.ts

@@ -0,0 +1,12 @@
+import { Identity } from './types';
+import { IdentityStore } from '../store/identity';
+export declare class IdentityResolver {
+    private store;
+    constructor(identityStore: IdentityStore);
+    /**
+     * Resolves an external ID to an Internal Identity.
+     * This is the "Bridge" logic.
+     */
+    resolve(externalId: string): Identity;
+}
+//# sourceMappingURL=resolver.d.ts.map

package/dist/core/resolver.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"resolver.d.ts","sourceRoot":"","sources":["../../src/core/resolver.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AACnC,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAElD,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,KAAK,CAAgB;gBAEjB,aAAa,EAAE,aAAa;IAIxC;;;OAGG;IACH,OAAO,CAAC,UAAU,EAAE,MAAM,GAAG,QAAQ;CAiBtC"}

package/dist/core/resolver.js

@@ -0,0 +1,28 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.IdentityResolver = void 0;
+class IdentityResolver {
+    constructor(identityStore) {
+        this.store = identityStore;
+    }
+    /**
+     * Resolves an external ID to an Internal Identity.
+     * This is the "Bridge" logic.
+     */
+    resolve(externalId) {
+        const identity = this.store.getIdentity(externalId);
+        if (!identity) {
+            // In a real app, you might auto-provision here (Shadow Identity).
+            // For v1, we strictly require the user to exist in the DB.
+            throw new Error(`Identity not found for ID: ${externalId}`);
+        }
+        // ENFORCEMENT: The "Kill Switch"
+        // Even if the token is valid, if internal status is suspended, access is denied.
+        if (identity.status !== 'active') {
+            throw new Error(`Identity ${externalId} is ${identity.status}. Access denied.`);
+        }
+        return identity;
+    }
+}
+exports.IdentityResolver = IdentityResolver;
+//# sourceMappingURL=resolver.js.map

package/dist/core/resolver.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"resolver.js","sourceRoot":"","sources":["../../src/core/resolver.ts"],"names":[],"mappings":";;;AAIA,MAAa,gBAAgB;IAG3B,YAAY,aAA4B;QACtC,IAAI,CAAC,KAAK,GAAG,aAAa,CAAC;IAC7B,CAAC;IAED;;;OAGG;IACH,OAAO,CAAC,UAAkB;QACxB,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC;QAEpD,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,kEAAkE;YAClE,2DAA2D;YAC3D,MAAM,IAAI,KAAK,CAAC,8BAA8B,UAAU,EAAE,CAAC,CAAC;QAC9D,CAAC;QAED,iCAAiC;QACjC,iFAAiF;QACjF,IAAI,QAAQ,CAAC,MAAM,KAAK,QAAQ,EAAE,CAAC;YACjC,MAAM,IAAI,KAAK,CAAC,YAAY,UAAU,OAAO,QAAQ,CAAC,MAAM,kBAAkB,CAAC,CAAC;QAClF,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF;AA5BD,4CA4BC"}

package/dist/core/types.d.ts

@@ -0,0 +1,72 @@
+/**
+ * The fundamental primitive: Who is acting?
+ * In Accord v1, this is the Internal Identity profile.
+ */
+export interface Identity {
+    id: string;
+    type: 'user' | 'service' | 'system' | 'agent';
+    status: 'active' | 'suspended' | 'revoked';
+    attributes: Record<string, any>;
+}
+/**
+ * The fundamental primitive: What is being acted upon?
+ */
+export interface Resource {
+    type: string;
+    id?: string;
+    attributes: Record<string, any>;
+}
+/**
+ * The fundamental primitive: What is happening?
+ * Verb-based, not permission-based.
+ */
+export type Action = string | string[];
+/**
+ * The fundamental primitive: The situation.
+ * Runtime context like Tenant, Time, IP, etc.
+ */
+export type Context = Record<string, any>;
+/**
+ * Policy Definition (APL v1)
+ */
+export interface Policy {
+    id: string;
+    version: string;
+    effect: 'allow' | 'deny';
+    subject: {
+        type?: string;
+        id?: string;
+        attributes?: Record<string, any>;
+    };
+    action: string[];
+    resource: {
+        type?: string;
+        attributes?: Record<string, any>;
+    };
+    condition?: string;
+}
+/**
+ * A Policy with a pre-compiled expression function.
+ * Used internally by Accord for performance.
+ */
+export interface CompiledPolicy extends Policy {
+    compiledCondition?: ((scope: any) => any);
+}
+/**
+ * The Input Request for the Evaluation Engine
+ */
+export interface AccessRequest {
+    subject: Identity;
+    action: string;
+    resource: Resource;
+    context?: Context;
+}
+/**
+ * The Output Decision
+ */
+export interface Decision {
+    decision: 'allow' | 'deny';
+    policy_id?: string;
+    reason?: string;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/core/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/core/types.ts"],"names":[],"mappings":"AAEA;;;GAGG;AACH,MAAM,WAAW,QAAQ;IACvB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,GAAG,SAAS,GAAG,QAAQ,GAAG,OAAO,CAAC;IAC9C,MAAM,EAAE,QAAQ,GAAG,WAAW,GAAG,SAAS,CAAC;IAC3C,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;CACjC;AAED;;GAEG;AACH,MAAM,WAAW,QAAQ;IACvB,IAAI,EAAE,MAAM,CAAC;IACb,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;CACjC;AAED;;;GAGG;AACH,MAAM,MAAM,MAAM,GAAG,MAAM,GAAG,MAAM,EAAE,CAAC;AAEvC;;;GAGG;AACH,MAAM,MAAM,OAAO,GAAG,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;AAE1C;;GAEG;AACH,MAAM,WAAW,MAAM;IACrB,EAAE,EAAE,MAAM,CAAC;IACX,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,OAAO,GAAG,MAAM,CAAC;IAGzB,OAAO,EAAE;QACP,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,EAAE,CAAC,EAAE,MAAM,CAAC;QACZ,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;KAClC,CAAC;IAGF,MAAM,EAAE,MAAM,EAAE,CAAC;IAGjB,QAAQ,EAAE;QACR,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;KAClC,CAAC;IAGF,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED;;;GAGG;AACH,MAAM,WAAW,cAAe,SAAQ,MAAM;IAC5C,iBAAiB,CAAC,EAAE,CAAC,CAAC,KAAK,EAAE,GAAG,KAAK,GAAG,CAAC,CAAC;CAC3C;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,QAAQ,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,QAAQ,CAAC;IACnB,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,QAAQ;IACvB,QAAQ,EAAE,OAAO,GAAG,MAAM,CAAC;IAC3B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB"}

package/dist/core/types.js

@@ -0,0 +1,4 @@
+"use strict";
+// src/core/types.ts
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=types.js.map

package/dist/core/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/core/types.ts"],"names":[],"mappings":";AAAA,oBAAoB"}

package/dist/index.d.ts

@@ -0,0 +1,3 @@
+export { Accord, AccordConfig } from './accord';
+export * from './core/types';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AAEhD,cAAc,cAAc,CAAC"}

package/dist/index.js

@@ -0,0 +1,23 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Accord = void 0;
+// src/index.ts
+var accord_1 = require("./accord");
+Object.defineProperty(exports, "Accord", { enumerable: true, get: function () { return accord_1.Accord; } });
+// Re-export types for convenience if needed
+__exportStar(require("./core/types"), exports);
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;AAAA,eAAe;AACf,mCAAgD;AAAvC,gGAAA,MAAM,OAAA;AACf,4CAA4C;AAC5C,+CAA6B"}

package/dist/store/identity.d.ts

@@ -0,0 +1,28 @@
+import { Identity } from '../core/types';
+export declare class IdentityStore {
+    private filePath;
+    private identities;
+    constructor(filePath: string);
+    /**
+     * Loads identities from the JSON file into memory.
+     */
+    private load;
+    /**
+     * Saves the current in-memory identities back to the JSON file.
+     */
+    private save;
+    /**
+     * Retrieves an identity by ID.
+     */
+    getIdentity(id: string): Identity | undefined;
+    /**
+     * Updates attributes (including status) of a specific identity.
+     * If the identity doesn't exist, it can optionally create one (not implemented for v1 safety).
+     */
+    updateIdentity(id: string, updates: Partial<Identity>): Identity;
+    /**
+     * Helper to get all identities (useful for testing/debugging)
+     */
+    getAllIdentities(): Identity[];
+}
+//# sourceMappingURL=identity.d.ts.map

package/dist/store/identity.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"identity.d.ts","sourceRoot":"","sources":["../../src/store/identity.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AAIzC,qBAAa,aAAa;IACxB,OAAO,CAAC,QAAQ,CAAS;IACzB,OAAO,CAAC,UAAU,CAAkB;gBAExB,QAAQ,EAAE,MAAM;IAK5B;;OAEG;IACH,OAAO,CAAC,IAAI;IAeZ;;OAEG;IACH,OAAO,CAAC,IAAI;IASZ;;OAEG;IACH,WAAW,CAAC,EAAE,EAAE,MAAM,GAAG,QAAQ,GAAG,SAAS;IAI7C;;;OAGG;IACH,cAAc,CAAC,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,CAAC,QAAQ,CAAC,GAAG,QAAQ;IAyBhE;;OAEG;IACH,gBAAgB,IAAI,QAAQ,EAAE;CAG/B"}

package/dist/store/identity.js

@@ -0,0 +1,115 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.IdentityStore = void 0;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+class IdentityStore {
+    constructor(filePath) {
+        this.identities = [];
+        this.filePath = path.resolve(filePath);
+        this.load();
+    }
+    /**
+     * Loads identities from the JSON file into memory.
+     */
+    load() {
+        try {
+            if (fs.existsSync(this.filePath)) {
+                const fileContent = fs.readFileSync(this.filePath, 'utf-8');
+                this.identities = JSON.parse(fileContent);
+            }
+            else {
+                this.identities = [];
+                console.warn(`Identity file not found at ${this.filePath}, starting empty.`);
+            }
+        }
+        catch (error) {
+            console.error('Failed to load identities:', error);
+            this.identities = [];
+        }
+    }
+    /**
+     * Saves the current in-memory identities back to the JSON file.
+     */
+    save() {
+        try {
+            fs.writeFileSync(this.filePath, JSON.stringify(this.identities, null, 2), 'utf-8');
+        }
+        catch (error) {
+            console.error('Failed to save identities:', error);
+            throw new Error('Could not write to identity store');
+        }
+    }
+    /**
+     * Retrieves an identity by ID.
+     */
+    getIdentity(id) {
+        return this.identities.find(ident => ident.id === id);
+    }
+    /**
+     * Updates attributes (including status) of a specific identity.
+     * If the identity doesn't exist, it can optionally create one (not implemented for v1 safety).
+     */
+    updateIdentity(id, updates) {
+        const index = this.identities.findIndex(ident => ident.id === id);
+        if (index === -1) {
+            throw new Error(`Identity with ID ${id} not found.`);
+        }
+        // Merge updates (shallow merge for simplicity in v1)
+        // We specifically handle 'attributes' merging so we don't overwrite the whole attributes object
+        const current = this.identities[index];
+        if (updates.attributes) {
+            this.identities[index] = {
+                ...current,
+                ...updates,
+                attributes: { ...current.attributes, ...updates.attributes }
+            };
+        }
+        else {
+            this.identities[index] = { ...current, ...updates };
+        }
+        this.save(); // Persist to disk
+        return this.identities[index];
+    }
+    /**
+     * Helper to get all identities (useful for testing/debugging)
+     */
+    getAllIdentities() {
+        return this.identities;
+    }
+}
+exports.IdentityStore = IdentityStore;
+//# sourceMappingURL=identity.js.map

package/dist/store/identity.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"identity.js","sourceRoot":"","sources":["../../src/store/identity.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAEA,uCAAyB;AACzB,2CAA6B;AAE7B,MAAa,aAAa;IAIxB,YAAY,QAAgB;QAFpB,eAAU,GAAe,EAAE,CAAC;QAGlC,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;QACvC,IAAI,CAAC,IAAI,EAAE,CAAC;IACd,CAAC;IAED;;OAEG;IACK,IAAI;QACV,IAAI,CAAC;YACH,IAAI,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;gBACjC,MAAM,WAAW,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;gBAC5D,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;YAC5C,CAAC;iBAAM,CAAC;gBACN,IAAI,CAAC,UAAU,GAAG,EAAE,CAAC;gBACrB,OAAO,CAAC,IAAI,CAAC,8BAA8B,IAAI,CAAC,QAAQ,mBAAmB,CAAC,CAAC;YAC/E,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,4BAA4B,EAAE,KAAK,CAAC,CAAC;YACnD,IAAI,CAAC,UAAU,GAAG,EAAE,CAAC;QACvB,CAAC;IACH,CAAC;IAED;;OAEG;IACK,IAAI;QACV,IAAI,CAAC;YACH,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,UAAU,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;QACrF,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,4BAA4B,EAAE,KAAK,CAAC,CAAC;YACnD,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC;QACvD,CAAC;IACH,CAAC;IAED;;OAEG;IACH,WAAW,CAAC,EAAU;QACpB,OAAO,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,KAAK,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC;IACxD,CAAC;IAED;;;OAGG;IACH,cAAc,CAAC,EAAU,EAAE,OAA0B;QACnD,MAAM,KAAK,GAAG,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,KAAK,CAAC,EAAE,CAAC,KAAK,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC;QAElE,IAAI,KAAK,KAAK,CAAC,CAAC,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,oBAAoB,EAAE,aAAa,CAAC,CAAC;QACvD,CAAC;QAED,qDAAqD;QACrD,gGAAgG;QAChG,MAAM,OAAO,GAAG,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;QAEvC,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;YACvB,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,GAAG;gBACvB,GAAG,OAAO;gBACV,GAAG,OAAO;gBACV,UAAU,EAAE,EAAE,GAAG,OAAO,CAAC,UAAU,EAAE,GAAG,OAAO,CAAC,UAAU,EAAE;aAC7D,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,GAAG,EAAE,GAAG,OAAO,EAAE,GAAG,OAAO,EAAE,CAAC;QACtD,CAAC;QAED,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,kBAAkB;QAC/B,OAAO,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;IAChC,CAAC;IAED;;OAEG;IACH,gBAAgB;QACd,OAAO,IAAI,CAAC,UAAU,CAAC;IACzB,CAAC;CACF;AAjFD,sCAiFC"}

package/package.json

@@ -0,0 +1,40 @@
+{
+  "name": "@navirondynamics/accord",
+  "version": "1.0.0",
+  "description": "A policy-first identity and access engine for modular systems.",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "files": [
+    "dist",
+    "README.md"
+  ],
+  "scripts": {
+    "test": "jest",
+    "build": "tsc",
+    "prepublishOnly": "npm run build",
+    "cli": "ts-node src/cli/index.ts"
+  },
+  "keywords": ["authorization", "access-control", "rbac", "abac", "policy"],
+  "author": "",
+  "license": "ISC",
+  "type": "commonjs",
+  "devDependencies": {
+    "@types/express": "^5.0.6",
+    "@types/jest": "^30.0.0",
+    "@types/jsonata": "^1.3.1",
+    "@types/node": "^25.0.10",
+    "@typescript-eslint/eslint-plugin": "^8.53.1",
+    "@typescript-eslint/parser": "^8.53.1",
+    "eslint": "^9.39.2",
+    "jest": "^30.2.0",
+    "prettier": "^3.8.1",
+    "ts-jest": "^29.4.6",
+    "ts-node": "^10.9.2",
+    "typescript": "^5.9.3"
+  },
+  "dependencies": {
+    "commander": "^14.0.2",
+    "express": "^5.2.1",
+    "jsonata": "^2.1.0"
+  }
+}