npm - @parmanasystems/governance - Versions diffs - 1.34.0 → 1.36.0 - Mend

@parmanasystems/governance 1.34.0 → 1.36.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/index.d.ts CHANGED Viewed

@@ -1,3 +1,5 @@
+import { DecisionResult } from '@parmanasystems/contracts';
 /**
  * Scaffolds a new policy directory at `./policies/<policyId>/v1/` and writes
  * a skeleton `policy.json` to it.
@@ -20,7 +22,7 @@ interface BundleGenerationResult {
     bundle_hash: string;
 }
 /** A single rule within a {@link PolicyDefinition}. */
-interface PolicyRule {
+interface PolicyRule$1 {
     /** Unique rule identifier. */
     id: string;
     /** Condition expression that must evaluate to true for the rule to apply. */
@@ -38,7 +40,7 @@ interface PolicyDefinition {
     /** Semantic version string (e.g. `"v1"`). */
     version: string;
     /** Ordered list of rules that make up the policy. */
-    rules: PolicyRule[];
+    rules: PolicyRule$1[];
 }
 /**
@@ -103,7 +105,57 @@ interface RuntimeRequirements {
 declare function definePolicy(config: {
     id: string;
     version: string;
-    rules: PolicyRule[];
+    rules: PolicyRule$1[];
 }): PolicyDefinition;
-export { type BundleGenerationResult, type PolicyDefinition, type PolicyRule, type RuntimeRequirements, createPolicy, definePolicy, generateBundle, upgradePolicy, validatePolicy };
+declare const schemaV1Semantics: {
+    schemaVersion: string;
+    ruleConditionField: string;
+    ruleOutcomeField: string;
+    signalReferenceField: string;
+    supportedOperators: string[];
+};
+declare const schemaV1Operators: {
+    equals(left: unknown, right: unknown): boolean;
+    greater_than(left: number, right: number): boolean;
+    less_than(left: number, right: number): boolean;
+};
+interface BaseCondition {
+    signal: string;
+    equals?: unknown;
+    greater_than?: number;
+    less_than?: number;
+}
+interface AllCondition {
+    all: RuleCondition[];
+}
+interface AnyCondition {
+    any: RuleCondition[];
+}
+type RuleCondition = BaseCondition | AllCondition | AnyCondition;
+interface PolicyRule {
+    id: string;
+    condition: RuleCondition;
+    outcome: {
+        action: "approve" | "reject";
+        requires_override: boolean;
+        reason?: string;
+    };
+}
+interface SchemaV1Policy {
+    schemaVersion: string;
+    signalsSchema: Record<string, unknown>;
+    rules: PolicyRule[];
+}
+declare function evaluateSchemaV1(policy: SchemaV1Policy, signals: Record<string, unknown>): DecisionResult;
+interface SchemaRuntime {
+    semantics: unknown;
+    operators: unknown;
+    evaluate: (policy: unknown, signals: Record<string, unknown>) => DecisionResult;
+}
+declare function loadSchemaRuntime(schemaVersion: string): SchemaRuntime;
+export { type BundleGenerationResult, type PolicyDefinition, type PolicyRule$1 as PolicyRule, type RuntimeRequirements, type SchemaRuntime, type SchemaV1Policy, createPolicy, definePolicy, evaluateSchemaV1, generateBundle, loadSchemaRuntime, schemaV1Operators, schemaV1Semantics, upgradePolicy, validatePolicy };

package/dist/index.js CHANGED Viewed

@@ -212,10 +212,129 @@ function definePolicy(config) {
     rules: config.rules
   };
 }
+// src/schema/v1/semantics.ts
+var schemaV1Semantics = {
+  schemaVersion: "1.0.0",
+  ruleConditionField: "condition",
+  ruleOutcomeField: "outcome",
+  signalReferenceField: "signal",
+  supportedOperators: [
+    "equals",
+    "greater_than",
+    "less_than"
+  ]
+};
+// src/schema/v1/operators.ts
+var schemaV1Operators = {
+  equals(left, right) {
+    return left === right;
+  },
+  greater_than(left, right) {
+    return left > right;
+  },
+  less_than(left, right) {
+    return left < right;
+  }
+};
+// src/schema/v1/evaluator.ts
+function evaluateCondition(condition, signals) {
+  if ("all" in condition) {
+    return condition.all.every(
+      (c) => evaluateCondition(
+        c,
+        signals
+      )
+    );
+  }
+  if ("any" in condition) {
+    return condition.any.some(
+      (c) => evaluateCondition(
+        c,
+        signals
+      )
+    );
+  }
+  const {
+    signal,
+    equals,
+    greater_than,
+    less_than
+  } = condition;
+  if (!(signal in signals)) {
+    throw new Error(
+      `Signal not found: ${signal}`
+    );
+  }
+  const actual = signals[signal];
+  if (equals !== void 0) {
+    return schemaV1Operators.equals(
+      actual,
+      equals
+    );
+  }
+  if (greater_than !== void 0) {
+    return schemaV1Operators.greater_than(
+      actual,
+      greater_than
+    );
+  }
+  if (less_than !== void 0) {
+    return schemaV1Operators.less_than(
+      actual,
+      less_than
+    );
+  }
+  return false;
+}
+function evaluateSchemaV1(policy, signals) {
+  for (const rule of policy.rules) {
+    const matched = evaluateCondition(
+      rule.condition,
+      signals
+    );
+    if (matched) {
+      return {
+        status: "decided",
+        outcome: rule.outcome,
+        rule_id: rule.id,
+        source: "rule_match"
+      };
+    }
+  }
+  throw new Error(
+    "[SYS-006] No rule matched \u2014 policy must cover all cases"
+  );
+}
+// src/schema/load-schema-runtime.ts
+function loadSchemaRuntime(schemaVersion) {
+  const major = Number(
+    schemaVersion.split(".")[0]
+  );
+  switch (major) {
+    case 1:
+      return {
+        semantics: schemaV1Semantics,
+        operators: schemaV1Operators,
+        evaluate: evaluateSchemaV1
+      };
+    default:
+      throw new Error(
+        `Unsupported schema version: ${schemaVersion}`
+      );
+  }
+}
 export {
   createPolicy,
   definePolicy,
+  evaluateSchemaV1,
   generateBundle,
+  loadSchemaRuntime,
+  schemaV1Operators,
+  schemaV1Semantics,
   upgradePolicy,
   validatePolicy
 };

package/dist/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["../src/create-policy.ts","../src/generate-bundle.ts","../src/upgrade-policy.ts","../src/validate-policy.ts","../src/define-policy.ts"],"sourcesContent":["import * as fs from \"node:fs\";\r\nimport * as path from \"node:path\";\r\n\r\n/*\r\n Scaffolds a new policy directory at `./policies/<policyId>/v1/` and writes\r\n * a skeleton `policy.json` to it.\r\n \r\n @param policyId - Unique policy identifier. Must not already exist on disk.\r\n * @returns Absolute path of the created `v1` version directory.\r\n * @throws When `./policies/<policyId>` already exists.\r\n /\r\nexport function createPolicy(\r\n policyId: string\r\n): string {\r\n const policyRoot = path.join(\r\n \"./policies\",\r\n policyId\r\n );\r\n\r\n const versionDirectory =\r\n path.join(\r\n policyRoot,\r\n \"v1\"\r\n );\r\n\r\n if (fs.existsSync(policyRoot)) {\r\n throw new Error(\r\n `Policy already exists: ${policyId}`\r\n );\r\n }\r\n\r\n fs.mkdirSync(\r\n versionDirectory,\r\n {\r\n recursive: true,\r\n }\r\n );\r\n\r\n fs.writeFileSync(\r\n path.join(\r\n versionDirectory,\r\n \"policy.json\"\r\n ),\r\n\r\n JSON.stringify(\r\n {\r\n policy: policyId,\r\n version: \"v1\",\r\n },\r\n null,\r\n 2\r\n ),\r\n\r\n \"utf8\"\r\n );\r\n\r\n return versionDirectory;\r\n}\r\n\r\n\r\n\r\n\r\n","import as path from \"node:path\";\r\n\r\nimport {\r\n generateManifest,\r\n writeManifest,\r\n} from \"@parmanasystems/bundle\";\r\n\r\nimport {\r\n signManifest,\r\n writeSignature,\r\n} from \"@parmanasystems/crypto\";\r\n\r\nimport type {\r\n BundleGenerationResult,\r\n} from \"./types.js\";\r\n\r\n/*\r\n Generates a signed bundle for `policyId`/`policyVersion` in `policyDirectory`:\r\n * 1. Hashes all artifacts and writes `bundle.manifest.json`.\r\n * 2. Signs the manifest and writes `bundle.sig`.\r\n \r\n The signing key is loaded via `loadPrivateKey()` (dev-keys or env injection).\r\n \r\n @param policyId - Policy identifier embedded in the manifest.\r\n * @param policyVersion - Policy version string (e.g. `\"v1\"`).\r\n * @param policyDirectory - Path to the directory containing the policy artifacts.\r\n * @returns Paths to the written files and the deterministic bundle hash.\r\n /\r\nexport function generateBundle(\r\n policyId: string,\r\n policyVersion: string,\r\n policyDirectory: string\r\n): BundleGenerationResult {\r\n\r\n const directory =\r\n path.resolve(\r\n policyDirectory\r\n );\r\n\r\n const manifest =\r\n generateManifest(\r\n policyId,\r\n policyVersion,\r\n directory\r\n );\r\n\r\n writeManifest(\r\n manifest,\r\n directory\r\n );\r\n\r\n const manifestPath =\r\n path.join(\r\n directory,\r\n \"bundle.manifest.json\"\r\n );\r\n\r\n const signature =\r\n signManifest(\r\n manifestPath\r\n );\r\n\r\n writeSignature(\r\n signature,\r\n directory\r\n );\r\n\r\n return {\r\n success: true,\r\n\r\n manifest_path:\r\n manifestPath,\r\n\r\n signature_path:\r\n path.join(\r\n directory,\r\n \"bundle.sig\"\r\n ),\r\n\r\n bundle_hash:\r\n manifest.bundle_hash,\r\n };\r\n}\r\n\r\n\r\n\r\n\r\n","import as fs from \"node:fs\";\r\nimport * as path from \"node:path\";\r\n\r\n/*\r\n Creates the next version directory for `policyId` by copying the latest\r\n * existing version and incrementing its numeric suffix (e.g. `v1` → `v2`).\r\n * The copied `policy.json` has its `version` field updated to the new version\r\n * string.\r\n \r\n @param policyId - An existing policy identifier under `./policies/`.\r\n * @returns Absolute path of the newly created version directory.\r\n * @throws When the policy does not exist on disk.\r\n /\r\nexport function upgradePolicy(\r\n policyId: string\r\n): string {\r\n const policyRoot = path.join(\r\n \"./policies\",\r\n policyId\r\n );\r\n\r\n if (!fs.existsSync(policyRoot)) {\r\n throw new Error(\r\n `Policy does not exist: ${policyId}`\r\n );\r\n }\r\n\r\n const versions = fs\r\n .readdirSync(policyRoot)\r\n .filter((entry) =>\r\n entry.startsWith(\"v\")\r\n )\r\n .sort();\r\n\r\n const latestVersion =\r\n versions[\r\n versions.length - 1\r\n ];\r\n\r\n const latestNumber =\r\n Number(\r\n latestVersion.replace(\"v\", \"\")\r\n );\r\n\r\n const nextVersion =\r\n `v${latestNumber + 1}`;\r\n\r\n const latestDirectory =\r\n path.join(\r\n policyRoot,\r\n latestVersion\r\n );\r\n\r\n const nextDirectory =\r\n path.join(\r\n policyRoot,\r\n nextVersion\r\n );\r\n\r\n fs.cpSync(\r\n latestDirectory,\r\n nextDirectory,\r\n {\r\n recursive: true,\r\n }\r\n );\r\n\r\n const policyFile =\r\n path.join(\r\n nextDirectory,\r\n \"policy.json\"\r\n );\r\n\r\n const content =\r\n JSON.parse(\r\n fs.readFileSync(\r\n policyFile,\r\n \"utf8\"\r\n )\r\n );\r\n\r\n content.version =\r\n nextVersion;\r\n\r\n fs.writeFileSync(\r\n policyFile,\r\n JSON.stringify(\r\n content,\r\n null,\r\n 2\r\n ),\r\n \"utf8\"\r\n );\r\n\r\n return nextDirectory;\r\n}\r\n\r\n\r\n\r\n\r\n","import as fs from \"node:fs\";\r\nimport * as path from \"node:path\";\r\n\r\nimport {\r\n readManifest,\r\n verifyManifest,\r\n} from \"@parmanasystems/bundle\";\r\n\r\nimport {\r\n readSignature,\r\n verifySignature,\r\n} from \"@parmanasystems/crypto\";\r\n\r\n/*\r\n Validates every version directory under `./policies/<policyId>` by\r\n * re-verifying all bundle manifests (content hashes) and cryptographic\r\n * signatures (bundle.sig).\r\n \r\n Returns `true` only when every version passes all checks.\r\n \r\n @param policyId - Policy identifier whose version directories will be checked.\r\n * @throws When the policy directory does not exist.\r\n /\r\nexport function validatePolicy(\r\n policyId: string\r\n): boolean {\r\n\r\n const policyRoot =\r\n path.join(\r\n \"./policies\",\r\n policyId\r\n );\r\n\r\n if (\r\n !fs.existsSync(\r\n policyRoot\r\n )\r\n ) {\r\n throw new Error(\r\n `Policy does not exist: ${policyId}`\r\n );\r\n }\r\n\r\n const versions =\r\n fs\r\n .readdirSync(\r\n policyRoot\r\n )\r\n .filter(\r\n (entry) =>\r\n entry.startsWith(\"v\")\r\n )\r\n .sort();\r\n\r\n for (const version of versions) {\r\n\r\n const versionDirectory =\r\n path.join(\r\n policyRoot,\r\n version\r\n );\r\n\r\n const manifest =\r\n readManifest(\r\n versionDirectory\r\n );\r\n\r\n const manifestResult =\r\n verifyManifest(\r\n manifest,\r\n versionDirectory\r\n );\r\n\r\n if (\r\n !manifestResult.valid\r\n ) {\r\n return false;\r\n }\r\n\r\n const signature =\r\n readSignature(\r\n versionDirectory\r\n );\r\n\r\n const manifestPath =\r\n path.join(\r\n versionDirectory,\r\n \"bundle.manifest.json\"\r\n );\r\n\r\n const signatureValid =\r\n verifySignature(\r\n manifestPath,\r\n signature\r\n );\r\n\r\n if (\r\n !signatureValid\r\n ) {\r\n return false;\r\n }\r\n }\r\n\r\n return true;\r\n}\r\n\r\n\r\n\r\n\r\n","import type {\r\n PolicyDefinition,\r\n PolicyRule,\r\n} from \"./types.js\";\r\n\r\n/\r\n Constructs a {@link PolicyDefinition} from a plain config object.\r\n * Use this as the first step in the policy-authoring pipeline before\r\n * serializing the policy to disk and calling {@link generateBundle}.\r\n \r\n @param config - Policy id, version, and rules.\r\n */\r\nexport function definePolicy(config: {\r\n id: string;\r\n version: string;\r\n rules: PolicyRule[];\r\n}): PolicyDefinition {\r\n\r\n return {\r\n id: config.id,\r\n\r\n version: config.version,\r\n\r\n rules: config.rules,\r\n };\r\n}\r\n"],"mappings":";AAAA,YAAY,QAAQ;AACpB,YAAY,UAAU;AAUf,SAAS,aACd,UACQ;AACR,QAAM,aAAkB;AAAA,IACtB;AAAA,IACA;AAAA,EACF;AAEA,QAAM,mBACC;AAAA,IACH;AAAA,IACA;AAAA,EACF;AAEF,MAAO,cAAW,UAAU,GAAG;AAC7B,UAAM,IAAI;AAAA,MACR,0BAA0B,QAAQ;AAAA,IACpC;AAAA,EACF;AAEA,EAAG;AAAA,IACD;AAAA,IACA;AAAA,MACE,WAAW;AAAA,IACb;AAAA,EACF;AAEA,EAAG;AAAA,IACI;AAAA,MACH;AAAA,MACA;AAAA,IACF;AAAA,IAEA,KAAK;AAAA,MACH;AAAA,QACE,QAAQ;AAAA,QACR,SAAS;AAAA,MACX;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,IAEA;AAAA,EACF;AAEA,SAAO;AACT;;;ACzDA,YAAYA,WAAU;AAEtB;AAAA,EACE;AAAA,EACA;AAAA,OACK;AAEP;AAAA,EACE;AAAA,EACA;AAAA,OACK;AAkBA,SAAS,eACd,UACA,eACA,iBACwB;AAExB,QAAM,YACC;AAAA,IACH;AAAA,EACF;AAEF,QAAM,WACJ;AAAA,IACE;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAEF;AAAA,IACE;AAAA,IACA;AAAA,EACF;AAEA,QAAM,eACC;AAAA,IACH;AAAA,IACA;AAAA,EACF;AAEF,QAAM,YACJ;AAAA,IACE;AAAA,EACF;AAEF;AAAA,IACE;AAAA,IACA;AAAA,EACF;AAEA,SAAO;AAAA,IACL,SAAS;AAAA,IAET,eACE;AAAA,IAEF,gBACO;AAAA,MACH;AAAA,MACA;AAAA,IACF;AAAA,IAEF,aACE,SAAS;AAAA,EACb;AACF;;;AClFA,YAAYC,SAAQ;AACpB,YAAYC,WAAU;AAYf,SAAS,cACd,UACQ;AACR,QAAM,aAAkB;AAAA,IACtB;AAAA,IACA;AAAA,EACF;AAEA,MAAI,CAAI,eAAW,UAAU,GAAG;AAC9B,UAAM,IAAI;AAAA,MACR,0BAA0B,QAAQ;AAAA,IACpC;AAAA,EACF;AAEA,QAAM,WACH,gBAAY,UAAU,EACtB;AAAA,IAAO,CAAC,UACP,MAAM,WAAW,GAAG;AAAA,EACtB,EACC,KAAK;AAER,QAAM,gBACJ,SACE,SAAS,SAAS,CACpB;AAEF,QAAM,eACJ;AAAA,IACE,cAAc,QAAQ,KAAK,EAAE;AAAA,EAC/B;AAEF,QAAM,cACJ,IAAI,eAAe,CAAC;AAEtB,QAAM,kBACC;AAAA,IACH;AAAA,IACA;AAAA,EACF;AAEF,QAAM,gBACC;AAAA,IACH;AAAA,IACA;AAAA,EACF;AAEF,EAAG;AAAA,IACD;AAAA,IACA;AAAA,IACA;AAAA,MACE,WAAW;AAAA,IACb;AAAA,EACF;AAEA,QAAM,aACC;AAAA,IACH;AAAA,IACA;AAAA,EACF;AAEF,QAAM,UACJ,KAAK;AAAA,IACA;AAAA,MACD;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAEF,UAAQ,UACN;AAEF,EAAG;AAAA,IACD;AAAA,IACA,KAAK;AAAA,MACH;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,IACA;AAAA,EACF;AAEA,SAAO;AACT;;;AC/FA,YAAYC,SAAQ;AACpB,YAAYC,WAAU;AAEtB;AAAA,EACE;AAAA,EACA;AAAA,OACK;AAEP;AAAA,EACE;AAAA,EACA;AAAA,OACK;AAYA,SAAS,eACd,UACS;AAET,QAAM,aACC;AAAA,IACH;AAAA,IACA;AAAA,EACF;AAEF,MACE,CAAI;AAAA,IACF;AAAA,EACF,GACA;AACA,UAAM,IAAI;AAAA,MACR,0BAA0B,QAAQ;AAAA,IACpC;AAAA,EACF;AAEA,QAAM,WAED;AAAA,IACC;AAAA,EACF,EACC;AAAA,IACC,CAAC,UACC,MAAM,WAAW,GAAG;AAAA,EACxB,EACC,KAAK;AAEV,aAAW,WAAW,UAAU;AAE9B,UAAM,mBACC;AAAA,MACH;AAAA,MACA;AAAA,IACF;AAEF,UAAM,WACJ;AAAA,MACE;AAAA,IACF;AAEF,UAAM,iBACJ;AAAA,MACE;AAAA,MACA;AAAA,IACF;AAEF,QACE,CAAC,eAAe,OAChB;AACA,aAAO;AAAA,IACT;AAEA,UAAM,YACJ;AAAA,MACE;AAAA,IACF;AAEF,UAAM,eACC;AAAA,MACH;AAAA,MACA;AAAA,IACF;AAEF,UAAM,iBACJ;AAAA,MACE;AAAA,MACA;AAAA,IACF;AAEF,QACE,CAAC,gBACD;AACA,aAAO;AAAA,IACT;AAAA,EACF;AAEA,SAAO;AACT;;;AC5FO,SAAS,aAAa,QAIR;AAEnB,SAAO;AAAA,IACL,IAAI,OAAO;AAAA,IAEX,SAAS,OAAO;AAAA,IAEhB,OAAO,OAAO;AAAA,EAChB;AACF;","names":["path","fs","path","fs","path"]}
1	+ {"version":3,"sources":["../src/create-policy.ts","../src/generate-bundle.ts","../src/upgrade-policy.ts","../src/validate-policy.ts","../src/define-policy.ts","../src/schema/v1/semantics.ts","../src/schema/v1/operators.ts","../src/schema/v1/evaluator.ts","../src/schema/load-schema-runtime.ts"],"sourcesContent":["import * as fs from \"node:fs\";\r\nimport * as path from \"node:path\";\r\n\r\n/*\r\n Scaffolds a new policy directory at `./policies/<policyId>/v1/` and writes\r\n * a skeleton `policy.json` to it.\r\n \r\n @param policyId - Unique policy identifier. Must not already exist on disk.\r\n * @returns Absolute path of the created `v1` version directory.\r\n * @throws When `./policies/<policyId>` already exists.\r\n /\r\nexport function createPolicy(\r\n policyId: string\r\n): string {\r\n const policyRoot = path.join(\r\n \"./policies\",\r\n policyId\r\n );\r\n\r\n const versionDirectory =\r\n path.join(\r\n policyRoot,\r\n \"v1\"\r\n );\r\n\r\n if (fs.existsSync(policyRoot)) {\r\n throw new Error(\r\n `Policy already exists: ${policyId}`\r\n );\r\n }\r\n\r\n fs.mkdirSync(\r\n versionDirectory,\r\n {\r\n recursive: true,\r\n }\r\n );\r\n\r\n fs.writeFileSync(\r\n path.join(\r\n versionDirectory,\r\n \"policy.json\"\r\n ),\r\n\r\n JSON.stringify(\r\n {\r\n policy: policyId,\r\n version: \"v1\",\r\n },\r\n null,\r\n 2\r\n ),\r\n\r\n \"utf8\"\r\n );\r\n\r\n return versionDirectory;\r\n}\r\n\r\n\r\n\r\n\r\n","import as path from \"node:path\";\r\n\r\nimport {\r\n generateManifest,\r\n writeManifest,\r\n} from \"@parmanasystems/bundle\";\r\n\r\nimport {\r\n signManifest,\r\n writeSignature,\r\n} from \"@parmanasystems/crypto\";\r\n\r\nimport type {\r\n BundleGenerationResult,\r\n} from \"./types.js\";\r\n\r\n/*\r\n Generates a signed bundle for `policyId`/`policyVersion` in `policyDirectory`:\r\n * 1. Hashes all artifacts and writes `bundle.manifest.json`.\r\n * 2. Signs the manifest and writes `bundle.sig`.\r\n \r\n The signing key is loaded via `loadPrivateKey()` (dev-keys or env injection).\r\n \r\n @param policyId - Policy identifier embedded in the manifest.\r\n * @param policyVersion - Policy version string (e.g. `\"v1\"`).\r\n * @param policyDirectory - Path to the directory containing the policy artifacts.\r\n * @returns Paths to the written files and the deterministic bundle hash.\r\n /\r\nexport function generateBundle(\r\n policyId: string,\r\n policyVersion: string,\r\n policyDirectory: string\r\n): BundleGenerationResult {\r\n\r\n const directory =\r\n path.resolve(\r\n policyDirectory\r\n );\r\n\r\n const manifest =\r\n generateManifest(\r\n policyId,\r\n policyVersion,\r\n directory\r\n );\r\n\r\n writeManifest(\r\n manifest,\r\n directory\r\n );\r\n\r\n const manifestPath =\r\n path.join(\r\n directory,\r\n \"bundle.manifest.json\"\r\n );\r\n\r\n const signature =\r\n signManifest(\r\n manifestPath\r\n );\r\n\r\n writeSignature(\r\n signature,\r\n directory\r\n );\r\n\r\n return {\r\n success: true,\r\n\r\n manifest_path:\r\n manifestPath,\r\n\r\n signature_path:\r\n path.join(\r\n directory,\r\n \"bundle.sig\"\r\n ),\r\n\r\n bundle_hash:\r\n manifest.bundle_hash,\r\n };\r\n}\r\n\r\n\r\n\r\n\r\n","import as fs from \"node:fs\";\r\nimport * as path from \"node:path\";\r\n\r\n/*\r\n Creates the next version directory for `policyId` by copying the latest\r\n * existing version and incrementing its numeric suffix (e.g. `v1` → `v2`).\r\n * The copied `policy.json` has its `version` field updated to the new version\r\n * string.\r\n \r\n @param policyId - An existing policy identifier under `./policies/`.\r\n * @returns Absolute path of the newly created version directory.\r\n * @throws When the policy does not exist on disk.\r\n /\r\nexport function upgradePolicy(\r\n policyId: string\r\n): string {\r\n const policyRoot = path.join(\r\n \"./policies\",\r\n policyId\r\n );\r\n\r\n if (!fs.existsSync(policyRoot)) {\r\n throw new Error(\r\n `Policy does not exist: ${policyId}`\r\n );\r\n }\r\n\r\n const versions = fs\r\n .readdirSync(policyRoot)\r\n .filter((entry) =>\r\n entry.startsWith(\"v\")\r\n )\r\n .sort();\r\n\r\n const latestVersion =\r\n versions[\r\n versions.length - 1\r\n ];\r\n\r\n const latestNumber =\r\n Number(\r\n latestVersion.replace(\"v\", \"\")\r\n );\r\n\r\n const nextVersion =\r\n `v${latestNumber + 1}`;\r\n\r\n const latestDirectory =\r\n path.join(\r\n policyRoot,\r\n latestVersion\r\n );\r\n\r\n const nextDirectory =\r\n path.join(\r\n policyRoot,\r\n nextVersion\r\n );\r\n\r\n fs.cpSync(\r\n latestDirectory,\r\n nextDirectory,\r\n {\r\n recursive: true,\r\n }\r\n );\r\n\r\n const policyFile =\r\n path.join(\r\n nextDirectory,\r\n \"policy.json\"\r\n );\r\n\r\n const content =\r\n JSON.parse(\r\n fs.readFileSync(\r\n policyFile,\r\n \"utf8\"\r\n )\r\n );\r\n\r\n content.version =\r\n nextVersion;\r\n\r\n fs.writeFileSync(\r\n policyFile,\r\n JSON.stringify(\r\n content,\r\n null,\r\n 2\r\n ),\r\n \"utf8\"\r\n );\r\n\r\n return nextDirectory;\r\n}\r\n\r\n\r\n\r\n\r\n","import as fs from \"node:fs\";\r\nimport * as path from \"node:path\";\r\n\r\nimport {\r\n readManifest,\r\n verifyManifest,\r\n} from \"@parmanasystems/bundle\";\r\n\r\nimport {\r\n readSignature,\r\n verifySignature,\r\n} from \"@parmanasystems/crypto\";\r\n\r\n/*\r\n Validates every version directory under `./policies/<policyId>` by\r\n * re-verifying all bundle manifests (content hashes) and cryptographic\r\n * signatures (bundle.sig).\r\n \r\n Returns `true` only when every version passes all checks.\r\n \r\n @param policyId - Policy identifier whose version directories will be checked.\r\n * @throws When the policy directory does not exist.\r\n /\r\nexport function validatePolicy(\r\n policyId: string\r\n): boolean {\r\n\r\n const policyRoot =\r\n path.join(\r\n \"./policies\",\r\n policyId\r\n );\r\n\r\n if (\r\n !fs.existsSync(\r\n policyRoot\r\n )\r\n ) {\r\n throw new Error(\r\n `Policy does not exist: ${policyId}`\r\n );\r\n }\r\n\r\n const versions =\r\n fs\r\n .readdirSync(\r\n policyRoot\r\n )\r\n .filter(\r\n (entry) =>\r\n entry.startsWith(\"v\")\r\n )\r\n .sort();\r\n\r\n for (const version of versions) {\r\n\r\n const versionDirectory =\r\n path.join(\r\n policyRoot,\r\n version\r\n );\r\n\r\n const manifest =\r\n readManifest(\r\n versionDirectory\r\n );\r\n\r\n const manifestResult =\r\n verifyManifest(\r\n manifest,\r\n versionDirectory\r\n );\r\n\r\n if (\r\n !manifestResult.valid\r\n ) {\r\n return false;\r\n }\r\n\r\n const signature =\r\n readSignature(\r\n versionDirectory\r\n );\r\n\r\n const manifestPath =\r\n path.join(\r\n versionDirectory,\r\n \"bundle.manifest.json\"\r\n );\r\n\r\n const signatureValid =\r\n verifySignature(\r\n manifestPath,\r\n signature\r\n );\r\n\r\n if (\r\n !signatureValid\r\n ) {\r\n return false;\r\n }\r\n }\r\n\r\n return true;\r\n}\r\n\r\n\r\n\r\n\r\n","import type {\r\n PolicyDefinition,\r\n PolicyRule,\r\n} from \"./types.js\";\r\n\r\n/\r\n Constructs a {@link PolicyDefinition} from a plain config object.\r\n * Use this as the first step in the policy-authoring pipeline before\r\n * serializing the policy to disk and calling {@link generateBundle}.\r\n \r\n @param config - Policy id, version, and rules.\r\n */\r\nexport function definePolicy(config: {\r\n id: string;\r\n version: string;\r\n rules: PolicyRule[];\r\n}): PolicyDefinition {\r\n\r\n return {\r\n id: config.id,\r\n\r\n version: config.version,\r\n\r\n rules: config.rules,\r\n };\r\n}\r\n","export const schemaV1Semantics = {\r\n\r\n schemaVersion:\r\n \"1.0.0\",\r\n\r\n ruleConditionField:\r\n \"condition\",\r\n\r\n ruleOutcomeField:\r\n \"outcome\",\r\n\r\n signalReferenceField:\r\n \"signal\",\r\n\r\n supportedOperators: [\r\n \"equals\",\r\n \"greater_than\",\r\n \"less_than\",\r\n ],\r\n};","export const schemaV1Operators = {\r\n\r\n equals(\r\n left: unknown,\r\n right: unknown\r\n ): boolean {\r\n\r\n return left === right;\r\n },\r\n\r\n greater_than(\r\n left: number,\r\n right: number\r\n ): boolean {\r\n\r\n return left > right;\r\n },\r\n\r\n less_than(\r\n left: number,\r\n right: number\r\n ): boolean {\r\n\r\n return left < right;\r\n },\r\n};","import type {\r\n DecisionResult\r\n} from \"@parmanasystems/contracts\";\r\n\r\nimport {\r\n schemaV1Operators\r\n} from \"./operators.js\";\r\n\r\ninterface BaseCondition {\r\n signal: string;\r\n equals?: unknown;\r\n greater_than?: number;\r\n less_than?: number;\r\n}\r\n\r\ninterface AllCondition {\r\n all: RuleCondition[];\r\n}\r\n\r\ninterface AnyCondition {\r\n any: RuleCondition[];\r\n}\r\n\r\ntype RuleCondition =\r\n \| BaseCondition\r\n \| AllCondition\r\n \| AnyCondition;\r\n\r\ninterface PolicyRule {\r\n id: string;\r\n\r\n condition: RuleCondition;\r\n\r\n outcome: {\r\n action:\r\n \| \"approve\"\r\n \| \"reject\";\r\n\r\n requires_override:\r\n boolean;\r\n\r\n reason?: string;\r\n };\r\n}\r\n\r\nexport interface SchemaV1Policy {\r\n schemaVersion: string;\r\n\r\n signalsSchema:\r\n Record<string, unknown>;\r\n\r\n rules: PolicyRule[];\r\n}\r\n\r\nfunction evaluateCondition(\r\n condition: RuleCondition,\r\n signals: Record<string, unknown>\r\n): boolean {\r\n\r\n if (\"all\" in condition) {\r\n return condition.all.every(\r\n c =>\r\n evaluateCondition(\r\n c,\r\n signals\r\n )\r\n );\r\n }\r\n\r\n if (\"any\" in condition) {\r\n return condition.any.some(\r\n c =>\r\n evaluateCondition(\r\n c,\r\n signals\r\n )\r\n );\r\n }\r\n\r\n const {\r\n signal,\r\n equals,\r\n greater_than,\r\n less_than,\r\n } = condition;\r\n\r\n if (!(signal in signals)) {\r\n\r\n throw new Error(\r\n `Signal not found: ${signal}`\r\n );\r\n }\r\n\r\n const actual =\r\n signals[signal];\r\n\r\n if (equals !== undefined) {\r\n\r\n return schemaV1Operators.equals(\r\n actual,\r\n equals\r\n );\r\n }\r\n\r\n if (\r\n greater_than !== undefined\r\n ) {\r\n\r\n return schemaV1Operators.greater_than(\r\n actual as number,\r\n greater_than\r\n );\r\n }\r\n\r\n if (\r\n less_than !== undefined\r\n ) {\r\n\r\n return schemaV1Operators.less_than(\r\n actual as number,\r\n less_than\r\n );\r\n }\r\n\r\n return false;\r\n}\r\n\r\nexport function evaluateSchemaV1(\r\n policy: SchemaV1Policy,\r\n signals: Record<string, unknown>\r\n): DecisionResult {\r\n\r\n for (const rule of policy.rules) {\r\n\r\n const matched =\r\n evaluateCondition(\r\n rule.condition,\r\n signals\r\n );\r\n\r\n if (matched) {\r\n\r\n return {\r\n status: \"decided\",\r\n\r\n outcome:\r\n rule.outcome,\r\n\r\n rule_id:\r\n rule.id,\r\n\r\n source:\r\n \"rule_match\",\r\n };\r\n }\r\n }\r\n\r\n throw new Error(\r\n \"[SYS-006] No rule matched — policy must cover all cases\"\r\n );\r\n}","import type {\r\n DecisionResult\r\n} from \"@parmanasystems/contracts\";\r\n\r\nimport {\r\n evaluateSchemaV1\r\n} from \"./v1/evaluator.js\";\r\n\r\nimport {\r\n schemaV1Operators\r\n} from \"./v1/operators.js\";\r\n\r\nimport {\r\n schemaV1Semantics\r\n} from \"./v1/semantics.js\";\r\n\r\nexport interface SchemaRuntime {\r\n\r\n semantics: unknown;\r\n\r\n operators: unknown;\r\n\r\n evaluate: (\r\n policy: unknown,\r\n signals: Record<string, unknown>\r\n ) => DecisionResult;\r\n}\r\n\r\nexport function loadSchemaRuntime(\r\n schemaVersion: string\r\n): SchemaRuntime {\r\n\r\n const major =\r\n Number(\r\n schemaVersion.split(\".\")[0]\r\n );\r\n\r\n switch (major) {\r\n\r\n case 1:\r\n\r\n return {\r\n\r\n semantics:\r\n schemaV1Semantics,\r\n\r\n operators:\r\n schemaV1Operators,\r\n\r\n evaluate:\r\n evaluateSchemaV1 as (\r\n policy: unknown,\r\n signals: Record<string, unknown>\r\n ) => DecisionResult,\r\n };\r\n\r\n default:\r\n\r\n throw new Error(\r\n `Unsupported schema version: ${schemaVersion}`\r\n );\r\n }\r\n}"],"mappings":";AAAA,YAAY,QAAQ;AACpB,YAAY,UAAU;AAUf,SAAS,aACd,UACQ;AACR,QAAM,aAAkB;AAAA,IACtB;AAAA,IACA;AAAA,EACF;AAEA,QAAM,mBACC;AAAA,IACH;AAAA,IACA;AAAA,EACF;AAEF,MAAO,cAAW,UAAU,GAAG;AAC7B,UAAM,IAAI;AAAA,MACR,0BAA0B,QAAQ;AAAA,IACpC;AAAA,EACF;AAEA,EAAG;AAAA,IACD;AAAA,IACA;AAAA,MACE,WAAW;AAAA,IACb;AAAA,EACF;AAEA,EAAG;AAAA,IACI;AAAA,MACH;AAAA,MACA;AAAA,IACF;AAAA,IAEA,KAAK;AAAA,MACH;AAAA,QACE,QAAQ;AAAA,QACR,SAAS;AAAA,MACX;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,IAEA;AAAA,EACF;AAEA,SAAO;AACT;;;ACzDA,YAAYA,WAAU;AAEtB;AAAA,EACE;AAAA,EACA;AAAA,OACK;AAEP;AAAA,EACE;AAAA,EACA;AAAA,OACK;AAkBA,SAAS,eACd,UACA,eACA,iBACwB;AAExB,QAAM,YACC;AAAA,IACH;AAAA,EACF;AAEF,QAAM,WACJ;AAAA,IACE;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAEF;AAAA,IACE;AAAA,IACA;AAAA,EACF;AAEA,QAAM,eACC;AAAA,IACH;AAAA,IACA;AAAA,EACF;AAEF,QAAM,YACJ;AAAA,IACE;AAAA,EACF;AAEF;AAAA,IACE;AAAA,IACA;AAAA,EACF;AAEA,SAAO;AAAA,IACL,SAAS;AAAA,IAET,eACE;AAAA,IAEF,gBACO;AAAA,MACH;AAAA,MACA;AAAA,IACF;AAAA,IAEF,aACE,SAAS;AAAA,EACb;AACF;;;AClFA,YAAYC,SAAQ;AACpB,YAAYC,WAAU;AAYf,SAAS,cACd,UACQ;AACR,QAAM,aAAkB;AAAA,IACtB;AAAA,IACA;AAAA,EACF;AAEA,MAAI,CAAI,eAAW,UAAU,GAAG;AAC9B,UAAM,IAAI;AAAA,MACR,0BAA0B,QAAQ;AAAA,IACpC;AAAA,EACF;AAEA,QAAM,WACH,gBAAY,UAAU,EACtB;AAAA,IAAO,CAAC,UACP,MAAM,WAAW,GAAG;AAAA,EACtB,EACC,KAAK;AAER,QAAM,gBACJ,SACE,SAAS,SAAS,CACpB;AAEF,QAAM,eACJ;AAAA,IACE,cAAc,QAAQ,KAAK,EAAE;AAAA,EAC/B;AAEF,QAAM,cACJ,IAAI,eAAe,CAAC;AAEtB,QAAM,kBACC;AAAA,IACH;AAAA,IACA;AAAA,EACF;AAEF,QAAM,gBACC;AAAA,IACH;AAAA,IACA;AAAA,EACF;AAEF,EAAG;AAAA,IACD;AAAA,IACA;AAAA,IACA;AAAA,MACE,WAAW;AAAA,IACb;AAAA,EACF;AAEA,QAAM,aACC;AAAA,IACH;AAAA,IACA;AAAA,EACF;AAEF,QAAM,UACJ,KAAK;AAAA,IACA;AAAA,MACD;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAEF,UAAQ,UACN;AAEF,EAAG;AAAA,IACD;AAAA,IACA,KAAK;AAAA,MACH;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,IACA;AAAA,EACF;AAEA,SAAO;AACT;;;AC/FA,YAAYC,SAAQ;AACpB,YAAYC,WAAU;AAEtB;AAAA,EACE;AAAA,EACA;AAAA,OACK;AAEP;AAAA,EACE;AAAA,EACA;AAAA,OACK;AAYA,SAAS,eACd,UACS;AAET,QAAM,aACC;AAAA,IACH;AAAA,IACA;AAAA,EACF;AAEF,MACE,CAAI;AAAA,IACF;AAAA,EACF,GACA;AACA,UAAM,IAAI;AAAA,MACR,0BAA0B,QAAQ;AAAA,IACpC;AAAA,EACF;AAEA,QAAM,WAED;AAAA,IACC;AAAA,EACF,EACC;AAAA,IACC,CAAC,UACC,MAAM,WAAW,GAAG;AAAA,EACxB,EACC,KAAK;AAEV,aAAW,WAAW,UAAU;AAE9B,UAAM,mBACC;AAAA,MACH;AAAA,MACA;AAAA,IACF;AAEF,UAAM,WACJ;AAAA,MACE;AAAA,IACF;AAEF,UAAM,iBACJ;AAAA,MACE;AAAA,MACA;AAAA,IACF;AAEF,QACE,CAAC,eAAe,OAChB;AACA,aAAO;AAAA,IACT;AAEA,UAAM,YACJ;AAAA,MACE;AAAA,IACF;AAEF,UAAM,eACC;AAAA,MACH;AAAA,MACA;AAAA,IACF;AAEF,UAAM,iBACJ;AAAA,MACE;AAAA,MACA;AAAA,IACF;AAEF,QACE,CAAC,gBACD;AACA,aAAO;AAAA,IACT;AAAA,EACF;AAEA,SAAO;AACT;;;AC5FO,SAAS,aAAa,QAIR;AAEnB,SAAO;AAAA,IACL,IAAI,OAAO;AAAA,IAEX,SAAS,OAAO;AAAA,IAEhB,OAAO,OAAO;AAAA,EAChB;AACF;;;ACzBO,IAAM,oBAAoB;AAAA,EAE/B,eACE;AAAA,EAEF,oBACE;AAAA,EAEF,kBACE;AAAA,EAEF,sBACE;AAAA,EAEF,oBAAoB;AAAA,IAClB;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;;;ACnBO,IAAM,oBAAoB;AAAA,EAE/B,OACE,MACA,OACS;AAET,WAAO,SAAS;AAAA,EAClB;AAAA,EAEA,aACE,MACA,OACS;AAET,WAAO,OAAO;AAAA,EAChB;AAAA,EAEA,UACE,MACA,OACS;AAET,WAAO,OAAO;AAAA,EAChB;AACF;;;AC6BA,SAAS,kBACP,WACA,SACS;AAET,MAAI,SAAS,WAAW;AACtB,WAAO,UAAU,IAAI;AAAA,MACnB,OACE;AAAA,QACE;AAAA,QACA;AAAA,MACF;AAAA,IACJ;AAAA,EACF;AAEA,MAAI,SAAS,WAAW;AACtB,WAAO,UAAU,IAAI;AAAA,MACnB,OACE;AAAA,QACE;AAAA,QACA;AAAA,MACF;AAAA,IACJ;AAAA,EACF;AAEA,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF,IAAI;AAEJ,MAAI,EAAE,UAAU,UAAU;AAExB,UAAM,IAAI;AAAA,MACR,qBAAqB,MAAM;AAAA,IAC7B;AAAA,EACF;AAEA,QAAM,SACJ,QAAQ,MAAM;AAEhB,MAAI,WAAW,QAAW;AAExB,WAAO,kBAAkB;AAAA,MACvB;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAEA,MACE,iBAAiB,QACjB;AAEA,WAAO,kBAAkB;AAAA,MACvB;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAEA,MACE,cAAc,QACd;AAEA,WAAO,kBAAkB;AAAA,MACvB;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AACT;AAEO,SAAS,iBACd,QACA,SACgB;AAEhB,aAAW,QAAQ,OAAO,OAAO;AAE/B,UAAM,UACJ;AAAA,MACE,KAAK;AAAA,MACL;AAAA,IACF;AAEF,QAAI,SAAS;AAEX,aAAO;AAAA,QACL,QAAQ;AAAA,QAER,SACE,KAAK;AAAA,QAEP,SACE,KAAK;AAAA,QAEP,QACE;AAAA,MACJ;AAAA,IACF;AAAA,EACF;AAEA,QAAM,IAAI;AAAA,IACR;AAAA,EACF;AACF;;;ACpIO,SAAS,kBACd,eACe;AAEf,QAAM,QACJ;AAAA,IACE,cAAc,MAAM,GAAG,EAAE,CAAC;AAAA,EAC5B;AAEF,UAAQ,OAAO;AAAA,IAEb,KAAK;AAEH,aAAO;AAAA,QAEL,WACE;AAAA,QAEF,WACE;AAAA,QAEF,UACE;AAAA,MAIJ;AAAA,IAEF;AAEE,YAAM,IAAI;AAAA,QACR,+BAA+B,aAAa;AAAA,MAC9C;AAAA,EACJ;AACF;","names":["path","fs","path","fs","path"]}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@parmanasystems/governance",
-  "version": "1.34.0",
+  "version": "1.36.0",
   "private": false,
   "type": "module",
   "scripts": {
@@ -18,8 +18,9 @@
   ],
   "sideEffects": false,
   "dependencies": {
-    "@parmanasystems/bundle": "^1.34.0",
-    "@parmanasystems/crypto": "^1.34.0"
+    "@parmanasystems/bundle": "^1.36.0",
+    "@parmanasystems/crypto": "^1.36.0",
+    "@parmanasystems/contracts": "^1.36.0"
   },
   "description": "Deterministic governance lifecycle and policy infrastructure for parmanasystems.",
   "license": "Apache-2.0",