@parmanasystems/governance 1.56.0 → 1.65.0

package/README.md

@@ -1,49 +1,288 @@
 # @parmanasystems/governance
 
-Policy lifecycle tooling for the parmanasystems deterministic governance runtime.
+Governance lifecycle infrastructure for deterministic policy versioning, validation, bundling, and release management.
 
 [![npm](https://img.shields.io/npm/v/@parmanasystems/governance)](https://www.npmjs.com/package/@parmanasystems/governance)
 
-## Overview
+---
+
+# Overview
+
+`@parmanasystems/governance` provides the governance lifecycle layer for Parmana Systems.
+
+It manages:
+
+- policy creation
+- policy validation
+- immutable policy lineage
+- governance versioning
+- deterministic governance bundles
+- signed governance artifacts
+- reproducible governance releases
+
+Governance policies are treated as immutable, reproducible infrastructure artifacts.
+
+---
+
+# Mental Model
+
+```txt id="9b6j2m"
+Author Policy
+    ↓
+Validate Policy
+    ↓
+Generate Bundle
+    ↓
+Sign Bundle
+    ↓
+Release Governance Artifact
+    ↓
+Execute Governed Decisions
+    ↓
+Independent Verification
+
+The governance layer defines how policies become reproducible, portable, and verifiable governance infrastructure.
+
+What this package does
+
+The governance package handles:
+
+policy scaffolding
+policy validation
+policy version upgrades
+governance bundle generation
+deterministic manifest generation
+governance artifact signing
+immutable policy lineage management
+governance release reproducibility
+
+Policies are versioned governance artifacts with deterministic provenance.
+
+When to use this package
+
+Use this package when:
+
+creating governance policies
+versioning deterministic governance logic
+validating governance structure
+generating signed governance bundles
+implementing governed release workflows
+managing immutable governance lineage
+building governance authoring pipelines
+
+Do NOT use this package when:
+
+executing governed decisions
+independently verifying attestations
+deploying HTTP runtimes
+integrating applications over HTTP
+
+In those cases use:
+
+Package	Responsibility
+@parmanasystems/execution	governed execution
+@parmanasystems/verifier	independent verification
+@parmanasystems/server	deployable runtime
+@parmanasystems/sdk-client	HTTP integration
+Features
+Immutable governance versioning
+Deterministic policy validation
+Signed governance bundles
+Canonical manifest generation
+Runtime compatibility requirements
+Portable governance artifacts
+Governance provenance lineage
+Deterministic governance releases
+Fail-closed governance validation
+Installation
+npm install @parmanasystems/governance
+Quick Start
+import {
+  createPolicy,
+  validatePolicy,
+  generateBundle,
+} from "@parmanasystems/governance";
 
-`@parmanasystems/governance` provides the policy management layer — creating, validating, versioning, and bundling governance policies before they enter the deterministic execution runtime.
+await createPolicy(
+  "claims-approval"
+);
 
-## Installation
+await validatePolicy(
+  "./policies/claims-approval/v1/policy.json"
+);
 
-```bash
-npm install @parmanasystems/governance
-```
+const bundle =
+  await generateBundle(
+    "claims-approval",
+    "v1",
+    "./policies/claims-approval/v1"
+  );
+
+console.log(
+  bundle.bundle_hash
+);
+Core Concepts
+Immutable Policy Lineage
+
+Policies are immutable governance artifacts.
+
+Example lineage:
+
+claims-approval/
+  v1/
+  v2/
+  v3/
+
+Older policy versions remain immutable after release.
+
+New governance behavior requires new versions.
+
+This ensures:
+
+reproducibility
+auditability
+deterministic governance lineage
+historical governance integrity
+signalsSchema
 
-## Policy structure
+Policies define governed input structure explicitly.
 
-Policies live at `policies/{policyId}/{version}/policy.json`:
+Example:
 
-```json
 {
+  "signalsSchema": {
+    "risk_score": {
+      "type": "integer",
+      "required": true
+    }
+  }
+}
+
+Signals are:
+
+typed
+deterministic
+explicitly governed
+schema validated
+Governance Bundles
+
+Governance bundles package deterministic governance artifacts.
+
+Bundles include:
+
+policy definition
+canonical manifest
+governance hashes
+signatures
+provenance metadata
+
+Bundles are:
+
+deterministic
+portable
+reproducible
+independently verifiable
+Bundle Provenance
+
+Governance provenance includes:
+
+deterministic hashes
+canonical manifests
+cryptographic signatures
+runtime compatibility lineage
+
+This enables:
+
+reproducible releases
+independent verification
+governance auditability
+portable governance validation
+Fail-Closed Governance
+
+Governance validation is fail-closed.
+
+Invalid governance artifacts reject execution.
+
+Validation failures include:
+
+malformed policies
+invalid schemas
+invalid rule structure
+compatibility violations
+signature failures
+Policy Structure
+
+Policies live at:
+
+policies/{policyId}/{version}/policy.json
+
+Example:
+
+policies/
+  claims-approval/
+    v1/
+      policy.json
+Example Policy
+{
+  "policyId": "claims-approval",
+
+  "version": "v1",
+
   "schemaVersion": "1.0.0",
+
   "signalsSchema": {
-    "insurance_active": { "type": "boolean", "required": true },
-    "risk_score":        { "type": "integer", "required": true },
-    "claim_amount":      { "type": "integer", "required": false }
+
+    "insurance_active": {
+      "type": "boolean",
+      "required": true
+    },
+
+    "risk_score": {
+      "type": "integer",
+      "required": true
+    },
+
+    "claim_amount": {
+      "type": "integer",
+      "required": false
+    }
   },
+
   "rules": [
+
     {
       "id": "rule_low_risk",
+
       "condition": {
         "all": [
-          { "signal": "insurance_active", "equals": true },
-          { "signal": "risk_score", "less_than": 50 }
+
+          {
+            "signal": "insurance_active",
+            "equals": true
+          },
+
+          {
+            "signal": "risk_score",
+            "less_than": 50
+          }
         ]
       },
+
       "outcome": {
         "action": "approve",
         "requires_override": false,
         "reason": "Low risk profile"
       }
     },
+
     {
       "id": "rule_high_risk",
-      "condition": { "signal": "risk_score", "greater_than": 80 },
+
+      "condition": {
+        "signal": "risk_score",
+        "greater_than": 80
+      },
+
       "outcome": {
         "action": "reject",
         "requires_override": false,
@@ -52,124 +291,182 @@ Policies live at `policies/{policyId}/{version}/policy.json`:
     }
   ]
 }
-```
-
-Rules are evaluated in order. The first matching rule determines the outcome. If no rule matches, execution fails closed.
-
-## API
 
-### `createPolicy(policyId: string): Promise<void>`
+Rules are evaluated deterministically in order.
 
-Scaffolds a new policy directory at `./policies/{policyId}/v1/policy.json`.
+The first matching rule determines the governed outcome.
 
-```typescript
-import { createPolicy } from "@parmanasystems/governance";
-await createPolicy("fraud-detection");
-```
+If no rule matches, evaluation fails closed.
 
-### `definePolicy(options): PolicyDefinition`
+Governance Lifecycle APIs
+createPolicy
 
-Builds a `PolicyDefinition` object in memory.
+Scaffolds a governance policy directory.
 
-```typescript
-import { definePolicy } from "@parmanasystems/governance";
+import {
+  createPolicy
+} from "@parmanasystems/governance";
 
-const policy = definePolicy({
-  id:      "claims-approval",
-  version: "v1",
-  rules:   [...],
-});
-```
+await createPolicy(
+  "fraud-detection"
+);
+definePolicy
 
-### `validatePolicy(policy): void`
+Creates a policy definition in memory.
 
-Validates policy structure. Throws on missing `schemaVersion`, invalid `signalsSchema`, missing `rules`, or malformed `outcome` fields.
+import {
+  definePolicy
+} from "@parmanasystems/governance";
 
-```typescript
-import { validatePolicy } from "@parmanasystems/governance";
-validatePolicy(policy);
-```
-
-### `upgradePolicy(policy, nextVersion): PolicyDefinition`
-
-Creates a new version of an existing policy.
-
-```typescript
-import { upgradePolicy } from "@parmanasystems/governance";
-const v2 = upgradePolicy(policyV1, "v2");
-```
-
-### `generateBundle(policyId, version, directory): Promise<BundleGenerationResult>`
-
-Generates `bundle.manifest.json` and signs it as `bundle.sig`.
-
-```typescript
-import { generateBundle } from "@parmanasystems/governance";
-
-const result = await generateBundle("claims-approval", "v1", "./policies/claims-approval/v1");
-console.log(result.bundle_hash);   // SHA-256 of manifest
-console.log(result.signature_path); // path to bundle.sig
-```
-
-### `verifyBundle(directory): Promise<boolean>`
+const policy =
+  definePolicy({
 
-Verifies the `bundle.manifest.json` signature and hash integrity.
+    id:
+      "claims-approval",
 
-```typescript
-import { verifyBundle } from "@parmanasystems/governance";
-const ok = await verifyBundle("./policies/claims-approval/v1");
-```
+    version:
+      "v1",
 
-## Types
+    rules: [],
+  });
+validatePolicy
 
-### PolicyDefinition
+Validates governance structure.
 
-```typescript
-interface PolicyDefinition {
-  id: string;
-  version: string;
-  rules: PolicyRule[];
-}
-
-interface PolicyRule {
-  id: string;
-  condition: string;
-  action: string;
-}
-```
+Checks:
 
-### BundleGenerationResult
-
-```typescript
-interface BundleGenerationResult {
-  success: boolean;
-  manifest_path: string;
-  signature_path: string;
-  bundle_hash: string;
-}
-```
+schemaVersion
+signalsSchema
+rules
+outcomes
+deterministic structure
+import {
+  validatePolicy
+} from "@parmanasystems/governance";
 
-### RuntimeRequirements
+validatePolicy(policy);
+upgradePolicy
+
+Creates immutable next-version governance lineage.
+
+import {
+  upgradePolicy
+} from "@parmanasystems/governance";
+
+const v2 =
+  upgradePolicy(
+    policyV1,
+    "v2"
+  );
+generateBundle
+
+Generates deterministic governance bundles.
+
+Produces:
+
+bundle.manifest.json
+bundle.sig
+import {
+  generateBundle
+} from "@parmanasystems/governance";
+
+const result =
+  await generateBundle(
+    "claims-approval",
+    "v1",
+    "./policies/claims-approval/v1"
+  );
+
+console.log(
+  result.bundle_hash
+);
+verifyBundle
+
+Verifies governance bundle integrity.
+
+Checks:
+
+signatures
+hashes
+manifest integrity
+import {
+  verifyBundle
+} from "@parmanasystems/governance";
+
+const valid =
+  await verifyBundle(
+    "./policies/claims-approval/v1"
+  );
+Governance Bundle Structure
+claims-approval/
+  v1/
+    policy.json
+    bundle.manifest.json
+    bundle.sig
+Runtime Requirements
+
+Governance bundles may specify runtime compatibility requirements.
+
+Example:
 
-```typescript
 interface RuntimeRequirements {
-  required_capabilities: string[];
-  supported_runtime_versions: string[];
-  supported_schema_versions: string[];
-}
-```
 
-## Included policies
+  required_capabilities:
+    string[];
 
-The repository ships with example policies under `policies/`:
+  supported_runtime_versions:
+    string[];
 
-| Policy | Versions | Description |
-|---|---|---|
-| `claims-approval` | v1, v2 | Insurance claim approval with risk scoring |
-| `patient-triage` | v1 | Patient triage routing by severity |
-| `fraud-detection` | v1 | Transaction fraud detection |
-| `claims-advanced` | v1 | Advanced claims with multi-condition rules |
-
-## License
+  supported_schema_versions:
+    string[];
+}
 
-Apache-2.0
+This enables deterministic compatibility enforcement.
+
+Included Example Policies
+Policy	Versions	Description
+claims-approval	v1, v2	insurance claims governance
+patient-triage	v1	healthcare triage routing
+fraud-detection	v1	transaction fraud governance
+claims-advanced	v1	advanced multi-condition evaluation
+Recommended Architecture
+Governance Authoring
+        ↓
+Policy Validation
+        ↓
+Governance Bundle
+        ↓
+Signed Governance Artifact
+        ↓
+Governed Runtime Execution
+        ↓
+Independent Verification
+Relationship to Other Parmana Packages
+Package	Responsibility
+@parmanasystems/governance	governance lifecycle
+@parmanasystems/execution	governed execution
+@parmanasystems/verifier	independent verification
+@parmanasystems/bundle	canonical governance artifacts
+@parmanasystems/server	deployable runtime
+Security Model
+
+The governance layer enforces:
+
+immutable policy lineage
+deterministic governance structure
+fail-closed validation
+signed governance artifacts
+reproducible governance releases
+canonical manifest integrity
+runtime compatibility enforcement
+
+Governance artifacts are designed to be:
+
+portable
+reproducible
+independently verifiable
+Most Important Principle
+Governance policies are immutable, reproducible infrastructure artifacts with deterministic lineage.
+License
+
+Apache-2.0

package/dist/index.d.ts

@@ -90,9 +90,9 @@ interface RuntimeRequirements {
     /** Runtime capability strings that must appear in the executing runtime's capability list. */
     required_capabilities: string[];
     /** Runtime version strings (e.g. `"1.0.0"`) acceptable to this bundle. */
-    supported_runtime_versions: string[];
+    supported_runtimeVersions: string[];
     /** Schema version strings (e.g. `"1.0.0"`) that this bundle's artifacts conform to. */
-    supported_schema_versions: string[];
+    supported_schemaVersions: string[];
 }
 
 /**

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../src/create-policy.ts","../src/generate-bundle.ts","../src/upgrade-policy.ts","../src/validate-policy.ts","../src/define-policy.ts","../src/schema/v1/semantics.ts","../src/schema/v1/operators.ts","../src/schema/v1/evaluator.ts","../src/schema/load-schema-runtime.ts"],"sourcesContent":["import * as fs from \"node:fs\";\r\nimport * as path from \"node:path\";\r\n\r\n/**\r\n * Scaffolds a new policy directory at `./policies/<policyId>/v1/` and writes\r\n * a skeleton `policy.json` to it.\r\n *\r\n * @param policyId - Unique policy identifier.  Must not already exist on disk.\r\n * @returns Absolute path of the created `v1` version directory.\r\n * @throws When `./policies/<policyId>` already exists.\r\n */\r\nexport function createPolicy(\r\n  policyId: string\r\n): string {\r\n  const policyRoot = path.join(\r\n    \"./policies\",\r\n    policyId\r\n  );\r\n\r\n  const versionDirectory =\r\n    path.join(\r\n      policyRoot,\r\n      \"v1\"\r\n    );\r\n\r\n  if (fs.existsSync(policyRoot)) {\r\n    throw new Error(\r\n      `Policy already exists: ${policyId}`\r\n    );\r\n  }\r\n\r\n  fs.mkdirSync(\r\n    versionDirectory,\r\n    {\r\n      recursive: true,\r\n    }\r\n  );\r\n\r\n  fs.writeFileSync(\r\n    path.join(\r\n      versionDirectory,\r\n      \"policy.json\"\r\n    ),\r\n\r\n    JSON.stringify(\r\n      {\r\n        policy: policyId,\r\n        version: \"v1\",\r\n      },\r\n      null,\r\n      2\r\n    ),\r\n\r\n    \"utf8\"\r\n  );\r\n\r\n  return versionDirectory;\r\n}\r\n\r\n\r\n\r\n\r\n","import * as path from \"node:path\";\r\n\r\nimport {\r\n  generateManifest,\r\n  writeManifest,\r\n} from \"@parmanasystems/bundle\";\r\n\r\nimport {\r\n  signManifest,\r\n  writeSignature,\r\n} from \"@parmanasystems/crypto\";\r\n\r\nimport type {\r\n  BundleGenerationResult,\r\n} from \"./types.js\";\r\n\r\n/**\r\n * Generates a signed bundle for `policyId`/`policyVersion` in `policyDirectory`:\r\n * 1. Hashes all artifacts and writes `bundle.manifest.json`.\r\n * 2. Signs the manifest and writes `bundle.sig`.\r\n *\r\n * The signing key is loaded via `loadPrivateKey()` (dev-keys or env injection).\r\n *\r\n * @param policyId        - Policy identifier embedded in the manifest.\r\n * @param policyVersion   - Policy version string (e.g. `\"v1\"`).\r\n * @param policyDirectory - Path to the directory containing the policy artifacts.\r\n * @returns Paths to the written files and the deterministic bundle hash.\r\n */\r\nexport function generateBundle(\r\n  policyId: string,\r\n  policyVersion: string,\r\n  policyDirectory: string\r\n): BundleGenerationResult {\r\n\r\n  const directory =\r\n    path.resolve(\r\n      policyDirectory\r\n    );\r\n\r\n  const manifest =\r\n    generateManifest(\r\n      policyId,\r\n      policyVersion,\r\n      directory\r\n    );\r\n\r\n  writeManifest(\r\n    manifest,\r\n    directory\r\n  );\r\n\r\n  const manifestPath =\r\n    path.join(\r\n      directory,\r\n      \"bundle.manifest.json\"\r\n    );\r\n\r\n  const signature =\r\n    signManifest(\r\n      manifestPath\r\n    );\r\n\r\n  writeSignature(\r\n    signature,\r\n    directory\r\n  );\r\n\r\n  return {\r\n    success: true,\r\n\r\n    manifest_path:\r\n      manifestPath,\r\n\r\n    signature_path:\r\n      path.join(\r\n        directory,\r\n        \"bundle.sig\"\r\n      ),\r\n\r\n    bundle_hash:\r\n      manifest.bundle_hash,\r\n  };\r\n}\r\n\r\n\r\n\r\n\r\n","import * as fs from \"node:fs\";\r\nimport * as path from \"node:path\";\r\n\r\n/**\r\n * Creates the next version directory for `policyId` by copying the latest\r\n * existing version and incrementing its numeric suffix (e.g. `v1` → `v2`).\r\n * The copied `policy.json` has its `version` field updated to the new version\r\n * string.\r\n *\r\n * @param policyId - An existing policy identifier under `./policies/`.\r\n * @returns Absolute path of the newly created version directory.\r\n * @throws When the policy does not exist on disk.\r\n */\r\nexport function upgradePolicy(\r\n  policyId: string\r\n): string {\r\n  const policyRoot = path.join(\r\n    \"./policies\",\r\n    policyId\r\n  );\r\n\r\n  if (!fs.existsSync(policyRoot)) {\r\n    throw new Error(\r\n      `Policy does not exist: ${policyId}`\r\n    );\r\n  }\r\n\r\n  const versions = fs\r\n    .readdirSync(policyRoot)\r\n    .filter((entry) =>\r\n      entry.startsWith(\"v\")\r\n    )\r\n    .sort();\r\n\r\n  const latestVersion =\r\n    versions[\r\n      versions.length - 1\r\n    ];\r\n\r\n  const latestNumber =\r\n    Number(\r\n      latestVersion.replace(\"v\", \"\")\r\n    );\r\n\r\n  const nextVersion =\r\n    `v${latestNumber + 1}`;\r\n\r\n  const latestDirectory =\r\n    path.join(\r\n      policyRoot,\r\n      latestVersion\r\n    );\r\n\r\n  const nextDirectory =\r\n    path.join(\r\n      policyRoot,\r\n      nextVersion\r\n    );\r\n\r\n  fs.cpSync(\r\n    latestDirectory,\r\n    nextDirectory,\r\n    {\r\n      recursive: true,\r\n    }\r\n  );\r\n\r\n  const policyFile =\r\n    path.join(\r\n      nextDirectory,\r\n      \"policy.json\"\r\n    );\r\n\r\n  const content =\r\n    JSON.parse(\r\n      fs.readFileSync(\r\n        policyFile,\r\n        \"utf8\"\r\n      )\r\n    );\r\n\r\n  content.version =\r\n    nextVersion;\r\n\r\n  fs.writeFileSync(\r\n    policyFile,\r\n    JSON.stringify(\r\n      content,\r\n      null,\r\n      2\r\n    ),\r\n    \"utf8\"\r\n  );\r\n\r\n  return nextDirectory;\r\n}\r\n\r\n\r\n\r\n\r\n","import * as fs from \"node:fs\";\r\nimport * as path from \"node:path\";\r\n\r\nimport {\r\n  readManifest,\r\n  verifyManifest,\r\n} from \"@parmanasystems/bundle\";\r\n\r\nimport {\r\n  readSignature,\r\n  verifySignature,\r\n} from \"@parmanasystems/crypto\";\r\n\r\n/**\r\n * Validates every version directory under `./policies/<policyId>` by\r\n * re-verifying all bundle manifests (content hashes) and cryptographic\r\n * signatures (bundle.sig).\r\n *\r\n * Returns `true` only when every version passes all checks.\r\n *\r\n * @param policyId - Policy identifier whose version directories will be checked.\r\n * @throws When the policy directory does not exist.\r\n */\r\nexport function validatePolicy(\r\n  policyId: string\r\n): boolean {\r\n\r\n  const policyRoot =\r\n    path.join(\r\n      \"./policies\",\r\n      policyId\r\n    );\r\n\r\n  if (\r\n    !fs.existsSync(\r\n      policyRoot\r\n    )\r\n  ) {\r\n    throw new Error(\r\n      `Policy does not exist: ${policyId}`\r\n    );\r\n  }\r\n\r\n  const versions =\r\n    fs\r\n      .readdirSync(\r\n        policyRoot\r\n      )\r\n      .filter(\r\n        (entry) =>\r\n          entry.startsWith(\"v\")\r\n      )\r\n      .sort();\r\n\r\n  for (const version of versions) {\r\n\r\n    const versionDirectory =\r\n      path.join(\r\n        policyRoot,\r\n        version\r\n      );\r\n\r\n    const manifest =\r\n      readManifest(\r\n        versionDirectory\r\n      );\r\n\r\n    const manifestResult =\r\n      verifyManifest(\r\n        manifest,\r\n        versionDirectory\r\n      );\r\n\r\n    if (\r\n      !manifestResult.valid\r\n    ) {\r\n      return false;\r\n    }\r\n\r\n    const signature =\r\n      readSignature(\r\n        versionDirectory\r\n      );\r\n\r\n    const manifestPath =\r\n      path.join(\r\n        versionDirectory,\r\n        \"bundle.manifest.json\"\r\n      );\r\n\r\n    const signatureValid =\r\n      verifySignature(\r\n        manifestPath,\r\n        signature\r\n      );\r\n\r\n    if (\r\n      !signatureValid\r\n    ) {\r\n      return false;\r\n    }\r\n  }\r\n\r\n  return true;\r\n}\r\n\r\n\r\n\r\n\r\n","import type {\r\n  PolicyDefinition,\r\n  PolicyRule,\r\n} from \"./types.js\";\r\n\r\n/**\r\n * Constructs a {@link PolicyDefinition} from a plain config object.\r\n * Use this as the first step in the policy-authoring pipeline before\r\n * serializing the policy to disk and calling {@link generateBundle}.\r\n *\r\n * @param config - Policy id, version, and rules.\r\n */\r\nexport function definePolicy(config: {\r\n  id: string;\r\n  version: string;\r\n  rules: PolicyRule[];\r\n}): PolicyDefinition {\r\n\r\n  return {\r\n    id: config.id,\r\n\r\n    version: config.version,\r\n\r\n    rules: config.rules,\r\n  };\r\n}\r\n","export const schemaV1Semantics = {\r\n\r\n  schemaVersion:\r\n    \"1.0.0\",\r\n\r\n  ruleConditionField:\r\n    \"condition\",\r\n\r\n  ruleOutcomeField:\r\n    \"outcome\",\r\n\r\n  signalReferenceField:\r\n    \"signal\",\r\n\r\n  supportedOperators: [\r\n    \"equals\",\r\n    \"greater_than\",\r\n    \"less_than\",\r\n  ],\r\n};","export const schemaV1Operators = {\r\n\r\n  equals(\r\n    left: unknown,\r\n    right: unknown\r\n  ): boolean {\r\n\r\n    return left === right;\r\n  },\r\n\r\n  greater_than(\r\n    left: number,\r\n    right: number\r\n  ): boolean {\r\n\r\n    return left > right;\r\n  },\r\n\r\n  less_than(\r\n    left: number,\r\n    right: number\r\n  ): boolean {\r\n\r\n    return left < right;\r\n  },\r\n};","import type {\r\n  DecisionResult\r\n} from \"@parmanasystems/contracts\";\r\n\r\nimport {\r\n  schemaV1Operators\r\n} from \"./operators.js\";\r\n\r\ninterface BaseCondition {\r\n  signal: string;\r\n  equals?: unknown;\r\n  greater_than?: number;\r\n  less_than?: number;\r\n}\r\n\r\ninterface AllCondition {\r\n  all: RuleCondition[];\r\n}\r\n\r\ninterface AnyCondition {\r\n  any: RuleCondition[];\r\n}\r\n\r\ntype RuleCondition =\r\n  | BaseCondition\r\n  | AllCondition\r\n  | AnyCondition;\r\n\r\ninterface PolicyRule {\r\n  id: string;\r\n\r\n  condition: RuleCondition;\r\n\r\n  outcome: {\r\n    action:\r\n      | \"approve\"\r\n      | \"reject\";\r\n\r\n    requires_override:\r\n      boolean;\r\n\r\n    reason?: string;\r\n  };\r\n}\r\n\r\nexport interface SchemaV1Policy {\r\n  schemaVersion: string;\r\n\r\n  signalsSchema:\r\n    Record<string, unknown>;\r\n\r\n  rules: PolicyRule[];\r\n}\r\n\r\nfunction evaluateCondition(\r\n  condition: RuleCondition,\r\n  signals: Record<string, unknown>\r\n): boolean {\r\n\r\n  if (\"all\" in condition) {\r\n    return condition.all.every(\r\n      c =>\r\n        evaluateCondition(\r\n          c,\r\n          signals\r\n        )\r\n    );\r\n  }\r\n\r\n  if (\"any\" in condition) {\r\n    return condition.any.some(\r\n      c =>\r\n        evaluateCondition(\r\n          c,\r\n          signals\r\n        )\r\n    );\r\n  }\r\n\r\n  const {\r\n    signal,\r\n    equals,\r\n    greater_than,\r\n    less_than,\r\n  } = condition;\r\n\r\n  if (!(signal in signals)) {\r\n\r\n    throw new Error(\r\n      `Signal not found: ${signal}`\r\n    );\r\n  }\r\n\r\n  const actual =\r\n    signals[signal];\r\n\r\n  if (equals !== undefined) {\r\n\r\n    return schemaV1Operators.equals(\r\n      actual,\r\n      equals\r\n    );\r\n  }\r\n\r\n  if (\r\n    greater_than !== undefined\r\n  ) {\r\n\r\n    return schemaV1Operators.greater_than(\r\n      actual as number,\r\n      greater_than\r\n    );\r\n  }\r\n\r\n  if (\r\n    less_than !== undefined\r\n  ) {\r\n\r\n    return schemaV1Operators.less_than(\r\n      actual as number,\r\n      less_than\r\n    );\r\n  }\r\n\r\n  return false;\r\n}\r\n\r\nexport function evaluateSchemaV1(\r\n  policy: SchemaV1Policy,\r\n  signals: Record<string, unknown>\r\n): DecisionResult {\r\n\r\n  for (const rule of policy.rules) {\r\n\r\n    const matched =\r\n      evaluateCondition(\r\n        rule.condition,\r\n        signals\r\n      );\r\n\r\n    if (matched) {\r\n\r\n      return {\r\n        status: \"decided\",\r\n\r\n        outcome:\r\n          rule.outcome,\r\n\r\n        rule_id:\r\n          rule.id,\r\n\r\n        source:\r\n          \"rule_match\",\r\n      };\r\n    }\r\n  }\r\n\r\n  throw new Error(\r\n    \"[SYS-006] No rule matched — policy must cover all cases\"\r\n  );\r\n}","import type {\r\n  DecisionResult\r\n} from \"@parmanasystems/contracts\";\r\n\r\nimport {\r\n  evaluateSchemaV1\r\n} from \"./v1/evaluator.js\";\r\n\r\nimport {\r\n  schemaV1Operators\r\n} from \"./v1/operators.js\";\r\n\r\nimport {\r\n  schemaV1Semantics\r\n} from \"./v1/semantics.js\";\r\n\r\nexport interface SchemaRuntime {\r\n\r\n  semantics: unknown;\r\n\r\n  operators: unknown;\r\n\r\n  evaluate: (\r\n    policy: unknown,\r\n    signals: Record<string, unknown>\r\n  ) => DecisionResult;\r\n}\r\n\r\nexport function loadSchemaRuntime(\r\n  schemaVersion: string\r\n): SchemaRuntime {\r\n\r\n  const major =\r\n    Number(\r\n      schemaVersion.split(\".\")[0]\r\n    );\r\n\r\n  switch (major) {\r\n\r\n    case 1:\r\n\r\n      return {\r\n\r\n        semantics:\r\n          schemaV1Semantics,\r\n\r\n        operators:\r\n          schemaV1Operators,\r\n\r\n        evaluate:\r\n          evaluateSchemaV1 as (\r\n            policy: unknown,\r\n            signals: Record<string, unknown>\r\n          ) => DecisionResult,\r\n      };\r\n\r\n    default:\r\n\r\n      throw new Error(\r\n        `Unsupported schema version: ${schemaVersion}`\r\n      );\r\n  }\r\n}"],"mappings":";AAAA,YAAY,QAAQ;AACpB,YAAY,UAAU;AAUf,SAAS,aACd,UACQ;AACR,QAAM,aAAkB;AAAA,IACtB;AAAA,IACA;AAAA,EACF;AAEA,QAAM,mBACC;AAAA,IACH;AAAA,IACA;AAAA,EACF;AAEF,MAAO,cAAW,UAAU,GAAG;AAC7B,UAAM,IAAI;AAAA,MACR,0BAA0B,QAAQ;AAAA,IACpC;AAAA,EACF;AAEA,EAAG;AAAA,IACD;AAAA,IACA;AAAA,MACE,WAAW;AAAA,IACb;AAAA,EACF;AAEA,EAAG;AAAA,IACI;AAAA,MACH;AAAA,MACA;AAAA,IACF;AAAA,IAEA,KAAK;AAAA,MACH;AAAA,QACE,QAAQ;AAAA,QACR,SAAS;AAAA,MACX;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,IAEA;AAAA,EACF;AAEA,SAAO;AACT;;;ACzDA,YAAYA,WAAU;AAEtB;AAAA,EACE;AAAA,EACA;AAAA,OACK;AAEP;AAAA,EACE;AAAA,EACA;AAAA,OACK;AAkBA,SAAS,eACd,UACA,eACA,iBACwB;AAExB,QAAM,YACC;AAAA,IACH;AAAA,EACF;AAEF,QAAM,WACJ;AAAA,IACE;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAEF;AAAA,IACE;AAAA,IACA;AAAA,EACF;AAEA,QAAM,eACC;AAAA,IACH;AAAA,IACA;AAAA,EACF;AAEF,QAAM,YACJ;AAAA,IACE;AAAA,EACF;AAEF;AAAA,IACE;AAAA,IACA;AAAA,EACF;AAEA,SAAO;AAAA,IACL,SAAS;AAAA,IAET,eACE;AAAA,IAEF,gBACO;AAAA,MACH;AAAA,MACA;AAAA,IACF;AAAA,IAEF,aACE,SAAS;AAAA,EACb;AACF;;;AClFA,YAAYC,SAAQ;AACpB,YAAYC,WAAU;AAYf,SAAS,cACd,UACQ;AACR,QAAM,aAAkB;AAAA,IACtB;AAAA,IACA;AAAA,EACF;AAEA,MAAI,CAAI,eAAW,UAAU,GAAG;AAC9B,UAAM,IAAI;AAAA,MACR,0BAA0B,QAAQ;AAAA,IACpC;AAAA,EACF;AAEA,QAAM,WACH,gBAAY,UAAU,EACtB;AAAA,IAAO,CAAC,UACP,MAAM,WAAW,GAAG;AAAA,EACtB,EACC,KAAK;AAER,QAAM,gBACJ,SACE,SAAS,SAAS,CACpB;AAEF,QAAM,eACJ;AAAA,IACE,cAAc,QAAQ,KAAK,EAAE;AAAA,EAC/B;AAEF,QAAM,cACJ,IAAI,eAAe,CAAC;AAEtB,QAAM,kBACC;AAAA,IACH;AAAA,IACA;AAAA,EACF;AAEF,QAAM,gBACC;AAAA,IACH;AAAA,IACA;AAAA,EACF;AAEF,EAAG;AAAA,IACD;AAAA,IACA;AAAA,IACA;AAAA,MACE,WAAW;AAAA,IACb;AAAA,EACF;AAEA,QAAM,aACC;AAAA,IACH;AAAA,IACA;AAAA,EACF;AAEF,QAAM,UACJ,KAAK;AAAA,IACA;AAAA,MACD;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAEF,UAAQ,UACN;AAEF,EAAG;AAAA,IACD;AAAA,IACA,KAAK;AAAA,MACH;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,IACA;AAAA,EACF;AAEA,SAAO;AACT;;;AC/FA,YAAYC,SAAQ;AACpB,YAAYC,WAAU;AAEtB;AAAA,EACE;AAAA,EACA;AAAA,OACK;AAEP;AAAA,EACE;AAAA,EACA;AAAA,OACK;AAYA,SAAS,eACd,UACS;AAET,QAAM,aACC;AAAA,IACH;AAAA,IACA;AAAA,EACF;AAEF,MACE,CAAI;AAAA,IACF;AAAA,EACF,GACA;AACA,UAAM,IAAI;AAAA,MACR,0BAA0B,QAAQ;AAAA,IACpC;AAAA,EACF;AAEA,QAAM,WAED;AAAA,IACC;AAAA,EACF,EACC;AAAA,IACC,CAAC,UACC,MAAM,WAAW,GAAG;AAAA,EACxB,EACC,KAAK;AAEV,aAAW,WAAW,UAAU;AAE9B,UAAM,mBACC;AAAA,MACH;AAAA,MACA;AAAA,IACF;AAEF,UAAM,WACJ;AAAA,MACE;AAAA,IACF;AAEF,UAAM,iBACJ;AAAA,MACE;AAAA,MACA;AAAA,IACF;AAEF,QACE,CAAC,eAAe,OAChB;AACA,aAAO;AAAA,IACT;AAEA,UAAM,YACJ;AAAA,MACE;AAAA,IACF;AAEF,UAAM,eACC;AAAA,MACH;AAAA,MACA;AAAA,IACF;AAEF,UAAM,iBACJ;AAAA,MACE;AAAA,MACA;AAAA,IACF;AAEF,QACE,CAAC,gBACD;AACA,aAAO;AAAA,IACT;AAAA,EACF;AAEA,SAAO;AACT;;;AC5FO,SAAS,aAAa,QAIR;AAEnB,SAAO;AAAA,IACL,IAAI,OAAO;AAAA,IAEX,SAAS,OAAO;AAAA,IAEhB,OAAO,OAAO;AAAA,EAChB;AACF;;;ACzBO,IAAM,oBAAoB;AAAA,EAE/B,eACE;AAAA,EAEF,oBACE;AAAA,EAEF,kBACE;AAAA,EAEF,sBACE;AAAA,EAEF,oBAAoB;AAAA,IAClB;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;;;ACnBO,IAAM,oBAAoB;AAAA,EAE/B,OACE,MACA,OACS;AAET,WAAO,SAAS;AAAA,EAClB;AAAA,EAEA,aACE,MACA,OACS;AAET,WAAO,OAAO;AAAA,EAChB;AAAA,EAEA,UACE,MACA,OACS;AAET,WAAO,OAAO;AAAA,EAChB;AACF;;;AC6BA,SAAS,kBACP,WACA,SACS;AAET,MAAI,SAAS,WAAW;AACtB,WAAO,UAAU,IAAI;AAAA,MACnB,OACE;AAAA,QACE;AAAA,QACA;AAAA,MACF;AAAA,IACJ;AAAA,EACF;AAEA,MAAI,SAAS,WAAW;AACtB,WAAO,UAAU,IAAI;AAAA,MACnB,OACE;AAAA,QACE;AAAA,QACA;AAAA,MACF;AAAA,IACJ;AAAA,EACF;AAEA,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF,IAAI;AAEJ,MAAI,EAAE,UAAU,UAAU;AAExB,UAAM,IAAI;AAAA,MACR,qBAAqB,MAAM;AAAA,IAC7B;AAAA,EACF;AAEA,QAAM,SACJ,QAAQ,MAAM;AAEhB,MAAI,WAAW,QAAW;AAExB,WAAO,kBAAkB;AAAA,MACvB;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAEA,MACE,iBAAiB,QACjB;AAEA,WAAO,kBAAkB;AAAA,MACvB;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAEA,MACE,cAAc,QACd;AAEA,WAAO,kBAAkB;AAAA,MACvB;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AACT;AAEO,SAAS,iBACd,QACA,SACgB;AAEhB,aAAW,QAAQ,OAAO,OAAO;AAE/B,UAAM,UACJ;AAAA,MACE,KAAK;AAAA,MACL;AAAA,IACF;AAEF,QAAI,SAAS;AAEX,aAAO;AAAA,QACL,QAAQ;AAAA,QAER,SACE,KAAK;AAAA,QAEP,SACE,KAAK;AAAA,QAEP,QACE;AAAA,MACJ;AAAA,IACF;AAAA,EACF;AAEA,QAAM,IAAI;AAAA,IACR;AAAA,EACF;AACF;;;ACpIO,SAAS,kBACd,eACe;AAEf,QAAM,QACJ;AAAA,IACE,cAAc,MAAM,GAAG,EAAE,CAAC;AAAA,EAC5B;AAEF,UAAQ,OAAO;AAAA,IAEb,KAAK;AAEH,aAAO;AAAA,QAEL,WACE;AAAA,QAEF,WACE;AAAA,QAEF,UACE;AAAA,MAIJ;AAAA,IAEF;AAEE,YAAM,IAAI;AAAA,QACR,+BAA+B,aAAa;AAAA,MAC9C;AAAA,EACJ;AACF;","names":["path","fs","path","fs","path"]}
+{"version":3,"sources":["../src/create-policy.ts","../src/generate-bundle.ts","../src/upgrade-policy.ts","../src/validate-policy.ts","../src/define-policy.ts","../src/schema/v1/semantics.ts","../src/schema/v1/operators.ts","../src/schema/v1/evaluator.ts","../src/schema/load-schema-runtime.ts"],"sourcesContent":["import * as fs from \"node:fs\";\r\nimport * as path from \"node:path\";\r\n\r\n/**\r\n * Scaffolds a new policy directory at `./policies/<policyId>/v1/` and writes\r\n * a skeleton `policy.json` to it.\r\n *\r\n * @param policyId - Unique policy identifier.  Must not already exist on disk.\r\n * @returns Absolute path of the created `v1` version directory.\r\n * @throws When `./policies/<policyId>` already exists.\r\n */\r\nexport function createPolicy(\r\n  policyId: string\r\n): string {\r\n  const policyRoot = path.join(\r\n    \"./policies\",\r\n    policyId\r\n  );\r\n\r\n  const versionDirectory =\r\n    path.join(\r\n      policyRoot,\r\n      \"v1\"\r\n    );\r\n\r\n  if (fs.existsSync(policyRoot)) {\r\n    throw new Error(\r\n      `Policy already exists: ${policyId}`\r\n    );\r\n  }\r\n\r\n  fs.mkdirSync(\r\n    versionDirectory,\r\n    {\r\n      recursive: true,\r\n    }\r\n  );\r\n\r\n  fs.writeFileSync(\r\n    path.join(\r\n      versionDirectory,\r\n      \"policy.json\"\r\n    ),\r\n\r\n    JSON.stringify(\r\n      {\r\n        policy: policyId,\r\n        version: \"v1\",\r\n      },\r\n      null,\r\n      2\r\n    ),\r\n\r\n    \"utf8\"\r\n  );\r\n\r\n  return versionDirectory;\r\n}\r\n\r\n\r\n\r\n\r\n","import * as path from \"node:path\";\r\n\r\nimport {\r\n  generateManifest,\r\n  writeManifest,\r\n} from \"@parmanasystems/bundle\";\r\n\r\nimport {\r\n  signManifest,\r\n  writeSignature,\r\n} from \"@parmanasystems/crypto\";\r\n\r\nimport type {\r\n  BundleGenerationResult,\r\n} from \"./types.js\";\r\n\r\n/**\r\n * Generates a signed bundle for `policyId`/`policyVersion` in `policyDirectory`:\r\n * 1. Hashes all artifacts and writes `bundle.manifest.json`.\r\n * 2. Signs the manifest and writes `bundle.sig`.\r\n *\r\n * The signing key is loaded via `loadPrivateKey()` (dev-keys or env injection).\r\n *\r\n * @param policyId        - Policy identifier embedded in the manifest.\r\n * @param policyVersion   - Policy version string (e.g. `\"v1\"`).\r\n * @param policyDirectory - Path to the directory containing the policy artifacts.\r\n * @returns Paths to the written files and the deterministic bundle hash.\r\n */\r\nexport function generateBundle(\r\n  policyId: string,\r\n  policyVersion: string,\r\n  policyDirectory: string\r\n): BundleGenerationResult {\r\n\r\n  const directory =\r\n    path.resolve(\r\n      policyDirectory\r\n    );\r\n\r\n  const manifest =\r\n    generateManifest(\r\n      policyId,\r\n      policyVersion,\r\n      directory\r\n    );\r\n\r\n  writeManifest(\r\n    manifest,\r\n    directory\r\n  );\r\n\r\n  const manifestPath =\r\n    path.join(\r\n      directory,\r\n      \"bundle.manifest.json\"\r\n    );\r\n\r\n  const signature =\r\n    signManifest(\r\n      manifestPath\r\n    );\r\n\r\n  writeSignature(\r\n    signature,\r\n    directory\r\n  );\r\n\r\n  return {\r\n    success: true,\r\n\r\n    manifest_path:\r\n      manifestPath,\r\n\r\n    signature_path:\r\n      path.join(\r\n        directory,\r\n        \"bundle.sig\"\r\n      ),\r\n\r\n    bundle_hash:\r\n      manifest.bundle_hash,\r\n  };\r\n}\r\n\r\n\r\n\r\n\r\n","import * as fs from \"node:fs\";\r\nimport * as path from \"node:path\";\r\n\r\n/**\r\n * Creates the next version directory for `policyId` by copying the latest\r\n * existing version and incrementing its numeric suffix (e.g. `v1` → `v2`).\r\n * The copied `policy.json` has its `version` field updated to the new version\r\n * string.\r\n *\r\n * @param policyId - An existing policy identifier under `./policies/`.\r\n * @returns Absolute path of the newly created version directory.\r\n * @throws When the policy does not exist on disk.\r\n */\r\nexport function upgradePolicy(\r\n  policyId: string\r\n): string {\r\n  const policyRoot = path.join(\r\n    \"./policies\",\r\n    policyId\r\n  );\r\n\r\n  if (!fs.existsSync(policyRoot)) {\r\n    throw new Error(\r\n      `Policy does not exist: ${policyId}`\r\n    );\r\n  }\r\n\r\n  const versions = fs\r\n    .readdirSync(policyRoot)\r\n    .filter((entry) =>\r\n      entry.startsWith(\"v\")\r\n    )\r\n    .sort();\r\n\r\n  const latestVersion =\r\n    versions[\r\n      versions.length - 1\r\n    ];\r\n\r\n  const latestNumber =\r\n    Number(\r\n      latestVersion.replace(\"v\", \"\")\r\n    );\r\n\r\n  const nextVersion =\r\n    `v${latestNumber + 1}`;\r\n\r\n  const latestDirectory =\r\n    path.join(\r\n      policyRoot,\r\n      latestVersion\r\n    );\r\n\r\n  const nextDirectory =\r\n    path.join(\r\n      policyRoot,\r\n      nextVersion\r\n    );\r\n\r\n  fs.cpSync(\r\n    latestDirectory,\r\n    nextDirectory,\r\n    {\r\n      recursive: true,\r\n    }\r\n  );\r\n\r\n  const policyFile =\r\n    path.join(\r\n      nextDirectory,\r\n      \"policy.json\"\r\n    );\r\n\r\n  const content =\r\n    JSON.parse(\r\n      fs.readFileSync(\r\n        policyFile,\r\n        \"utf8\"\r\n      )\r\n    );\r\n\r\n  content.version =\r\n    nextVersion;\r\n\r\n  fs.writeFileSync(\r\n    policyFile,\r\n    JSON.stringify(\r\n      content,\r\n      null,\r\n      2\r\n    ),\r\n    \"utf8\"\r\n  );\r\n\r\n  return nextDirectory;\r\n}\r\n\r\n\r\n\r\n\r\n","import * as fs from \"node:fs\";\r\nimport * as path from \"node:path\";\r\n\r\nimport {\r\n  readManifest,\r\n  verifyManifest,\r\n} from \"@parmanasystems/bundle\";\r\n\r\nimport {\r\n  readSignature,\r\n  verifySignature,\r\n} from \"@parmanasystems/crypto\";\r\n\r\n/**\r\n * Validates every version directory under `./policies/<policyId>` by\r\n * re-verifying all bundle manifests (content hashes) and cryptographic\r\n * signatures (bundle.sig).\r\n *\r\n * Returns `true` only when every version passes all checks.\r\n *\r\n * @param policyId - Policy identifier whose version directories will be checked.\r\n * @throws When the policy directory does not exist.\r\n */\r\nexport function validatePolicy(\r\n  policyId: string\r\n): boolean {\r\n\r\n  const policyRoot =\r\n    path.join(\r\n      \"./policies\",\r\n      policyId\r\n    );\r\n\r\n  if (\r\n    !fs.existsSync(\r\n      policyRoot\r\n    )\r\n  ) {\r\n    throw new Error(\r\n      `Policy does not exist: ${policyId}`\r\n    );\r\n  }\r\n\r\n  const versions =\r\n    fs\r\n      .readdirSync(\r\n        policyRoot\r\n      )\r\n      .filter(\r\n        (entry) =>\r\n          entry.startsWith(\"v\")\r\n      )\r\n      .sort();\r\n\r\n  for (const version of versions) {\r\n\r\n    const versionDirectory =\r\n      path.join(\r\n        policyRoot,\r\n        version\r\n      );\r\n\r\n    const manifest =\r\n      readManifest(\r\n        versionDirectory\r\n      );\r\n\r\n    const manifestResult =\r\n      verifyManifest(\r\n        manifest,\r\n        versionDirectory\r\n      );\r\n\r\n    if (\r\n      !manifestResult.valid\r\n    ) {\r\n      return false;\r\n    }\r\n\r\n    const signature =\r\n      readSignature(\r\n        versionDirectory\r\n      );\r\n\r\n    const manifestPath =\r\n      path.join(\r\n        versionDirectory,\r\n        \"bundle.manifest.json\"\r\n      );\r\n\r\n    const signatureValid =\r\n      verifySignature(\r\n        manifestPath,\r\n        signature\r\n      );\r\n\r\n    if (\r\n      !signatureValid\r\n    ) {\r\n      return false;\r\n    }\r\n  }\r\n\r\n  return true;\r\n}\r\n\r\n\r\n\r\n\r\n","import type {\r\n  PolicyDefinition,\r\n  PolicyRule,\r\n} from \"./types.js\";\r\n\r\n/**\r\n * Constructs a {@link PolicyDefinition} from a plain config object.\r\n * Use this as the first step in the policy-authoring pipeline before\r\n * serializing the policy to disk and calling {@link generateBundle}.\r\n *\r\n * @param config - Policy id, version, and rules.\r\n */\r\nexport function definePolicy(config: {\r\n  id: string;\r\n  version: string;\r\n  rules: PolicyRule[];\r\n}): PolicyDefinition {\r\n\r\n  return {\r\n    id: config.id,\r\n\r\n    version: config.version,\r\n\r\n    rules: config.rules,\r\n  };\r\n}\r\n","export const schemaV1Semantics = {\r\n\r\n  schemaVersion:\r\n    \"1.0.0\",\r\n\r\n  ruleConditionField:\r\n    \"condition\",\r\n\r\n  ruleOutcomeField:\r\n    \"outcome\",\r\n\r\n  signalReferenceField:\r\n    \"signal\",\r\n\r\n  supportedOperators: [\r\n    \"equals\",\r\n    \"greater_than\",\r\n    \"less_than\",\r\n  ],\r\n};\r\n","export const schemaV1Operators = {\r\n\r\n  equals(\r\n    left: unknown,\r\n    right: unknown\r\n  ): boolean {\r\n\r\n    return left === right;\r\n  },\r\n\r\n  greater_than(\r\n    left: number,\r\n    right: number\r\n  ): boolean {\r\n\r\n    return left > right;\r\n  },\r\n\r\n  less_than(\r\n    left: number,\r\n    right: number\r\n  ): boolean {\r\n\r\n    return left < right;\r\n  },\r\n};\r\n","import type {\r\n  DecisionResult\r\n} from \"@parmanasystems/contracts\";\r\n\r\nimport {\r\n  schemaV1Operators\r\n} from \"./operators.js\";\r\n\r\ninterface BaseCondition {\r\n  signal: string;\r\n  equals?: unknown;\r\n  greater_than?: number;\r\n  less_than?: number;\r\n}\r\n\r\ninterface AllCondition {\r\n  all: RuleCondition[];\r\n}\r\n\r\ninterface AnyCondition {\r\n  any: RuleCondition[];\r\n}\r\n\r\ntype RuleCondition =\r\n  | BaseCondition\r\n  | AllCondition\r\n  | AnyCondition;\r\n\r\ninterface PolicyRule {\r\n  id: string;\r\n\r\n  condition: RuleCondition;\r\n\r\n  outcome: {\r\n    action:\r\n      | \"approve\"\r\n      | \"reject\";\r\n\r\n    requires_override:\r\n      boolean;\r\n\r\n    reason?: string;\r\n  };\r\n}\r\n\r\nexport interface SchemaV1Policy {\r\n  schemaVersion: string;\r\n\r\n  signalsSchema:\r\n    Record<string, unknown>;\r\n\r\n  rules: PolicyRule[];\r\n}\r\n\r\nfunction evaluateCondition(\r\n  condition: RuleCondition,\r\n  signals: Record<string, unknown>\r\n): boolean {\r\n\r\n  if (\"all\" in condition) {\r\n    return condition.all.every(\r\n      c =>\r\n        evaluateCondition(\r\n          c,\r\n          signals\r\n        )\r\n    );\r\n  }\r\n\r\n  if (\"any\" in condition) {\r\n    return condition.any.some(\r\n      c =>\r\n        evaluateCondition(\r\n          c,\r\n          signals\r\n        )\r\n    );\r\n  }\r\n\r\n  const {\r\n    signal,\r\n    equals,\r\n    greater_than,\r\n    less_than,\r\n  } = condition;\r\n\r\n  if (!(signal in signals)) {\r\n\r\n    throw new Error(\r\n      `Signal not found: ${signal}`\r\n    );\r\n  }\r\n\r\n  const actual =\r\n    signals[signal];\r\n\r\n  if (equals !== undefined) {\r\n\r\n    return schemaV1Operators.equals(\r\n      actual,\r\n      equals\r\n    );\r\n  }\r\n\r\n  if (\r\n    greater_than !== undefined\r\n  ) {\r\n\r\n    return schemaV1Operators.greater_than(\r\n      actual as number,\r\n      greater_than\r\n    );\r\n  }\r\n\r\n  if (\r\n    less_than !== undefined\r\n  ) {\r\n\r\n    return schemaV1Operators.less_than(\r\n      actual as number,\r\n      less_than\r\n    );\r\n  }\r\n\r\n  return false;\r\n}\r\n\r\nexport function evaluateSchemaV1(\r\n  policy: SchemaV1Policy,\r\n  signals: Record<string, unknown>\r\n): DecisionResult {\r\n\r\n  for (const rule of policy.rules) {\r\n\r\n    const matched =\r\n      evaluateCondition(\r\n        rule.condition,\r\n        signals\r\n      );\r\n\r\n    if (matched) {\r\n\r\n      return {\r\n        status: \"decided\",\r\n\r\n        outcome:\r\n          rule.outcome,\r\n\r\n        rule_id:\r\n          rule.id,\r\n\r\n        source:\r\n          \"rule_match\",\r\n      };\r\n    }\r\n  }\r\n\r\n  throw new Error(\r\n    \"[SYS-006] No rule matched — policy must cover all cases\"\r\n  );\r\n}\r\n","import type {\r\n  DecisionResult\r\n} from \"@parmanasystems/contracts\";\r\n\r\nimport {\r\n  evaluateSchemaV1\r\n} from \"./v1/evaluator.js\";\r\n\r\nimport {\r\n  schemaV1Operators\r\n} from \"./v1/operators.js\";\r\n\r\nimport {\r\n  schemaV1Semantics\r\n} from \"./v1/semantics.js\";\r\n\r\nexport interface SchemaRuntime {\r\n\r\n  semantics: unknown;\r\n\r\n  operators: unknown;\r\n\r\n  evaluate: (\r\n    policy: unknown,\r\n    signals: Record<string, unknown>\r\n  ) => DecisionResult;\r\n}\r\n\r\nexport function loadSchemaRuntime(\r\n  schemaVersion: string\r\n): SchemaRuntime {\r\n\r\n  const major =\r\n    Number(\r\n      schemaVersion.split(\".\")[0]\r\n    );\r\n\r\n  switch (major) {\r\n\r\n    case 1:\r\n\r\n      return {\r\n\r\n        semantics:\r\n          schemaV1Semantics,\r\n\r\n        operators:\r\n          schemaV1Operators,\r\n\r\n        evaluate:\r\n          evaluateSchemaV1 as (\r\n            policy: unknown,\r\n            signals: Record<string, unknown>\r\n          ) => DecisionResult,\r\n      };\r\n\r\n    default:\r\n\r\n      throw new Error(\r\n        `Unsupported schema version: ${schemaVersion}`\r\n      );\r\n  }\r\n}\r\n"],"mappings":";AAAA,YAAY,QAAQ;AACpB,YAAY,UAAU;AAUf,SAAS,aACd,UACQ;AACR,QAAM,aAAkB;AAAA,IACtB;AAAA,IACA;AAAA,EACF;AAEA,QAAM,mBACC;AAAA,IACH;AAAA,IACA;AAAA,EACF;AAEF,MAAO,cAAW,UAAU,GAAG;AAC7B,UAAM,IAAI;AAAA,MACR,0BAA0B,QAAQ;AAAA,IACpC;AAAA,EACF;AAEA,EAAG;AAAA,IACD;AAAA,IACA;AAAA,MACE,WAAW;AAAA,IACb;AAAA,EACF;AAEA,EAAG;AAAA,IACI;AAAA,MACH;AAAA,MACA;AAAA,IACF;AAAA,IAEA,KAAK;AAAA,MACH;AAAA,QACE,QAAQ;AAAA,QACR,SAAS;AAAA,MACX;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,IAEA;AAAA,EACF;AAEA,SAAO;AACT;;;ACzDA,YAAYA,WAAU;AAEtB;AAAA,EACE;AAAA,EACA;AAAA,OACK;AAEP;AAAA,EACE;AAAA,EACA;AAAA,OACK;AAkBA,SAAS,eACd,UACA,eACA,iBACwB;AAExB,QAAM,YACC;AAAA,IACH;AAAA,EACF;AAEF,QAAM,WACJ;AAAA,IACE;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAEF;AAAA,IACE;AAAA,IACA;AAAA,EACF;AAEA,QAAM,eACC;AAAA,IACH;AAAA,IACA;AAAA,EACF;AAEF,QAAM,YACJ;AAAA,IACE;AAAA,EACF;AAEF;AAAA,IACE;AAAA,IACA;AAAA,EACF;AAEA,SAAO;AAAA,IACL,SAAS;AAAA,IAET,eACE;AAAA,IAEF,gBACO;AAAA,MACH;AAAA,MACA;AAAA,IACF;AAAA,IAEF,aACE,SAAS;AAAA,EACb;AACF;;;AClFA,YAAYC,SAAQ;AACpB,YAAYC,WAAU;AAYf,SAAS,cACd,UACQ;AACR,QAAM,aAAkB;AAAA,IACtB;AAAA,IACA;AAAA,EACF;AAEA,MAAI,CAAI,eAAW,UAAU,GAAG;AAC9B,UAAM,IAAI;AAAA,MACR,0BAA0B,QAAQ;AAAA,IACpC;AAAA,EACF;AAEA,QAAM,WACH,gBAAY,UAAU,EACtB;AAAA,IAAO,CAAC,UACP,MAAM,WAAW,GAAG;AAAA,EACtB,EACC,KAAK;AAER,QAAM,gBACJ,SACE,SAAS,SAAS,CACpB;AAEF,QAAM,eACJ;AAAA,IACE,cAAc,QAAQ,KAAK,EAAE;AAAA,EAC/B;AAEF,QAAM,cACJ,IAAI,eAAe,CAAC;AAEtB,QAAM,kBACC;AAAA,IACH;AAAA,IACA;AAAA,EACF;AAEF,QAAM,gBACC;AAAA,IACH;AAAA,IACA;AAAA,EACF;AAEF,EAAG;AAAA,IACD;AAAA,IACA;AAAA,IACA;AAAA,MACE,WAAW;AAAA,IACb;AAAA,EACF;AAEA,QAAM,aACC;AAAA,IACH;AAAA,IACA;AAAA,EACF;AAEF,QAAM,UACJ,KAAK;AAAA,IACA;AAAA,MACD;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAEF,UAAQ,UACN;AAEF,EAAG;AAAA,IACD;AAAA,IACA,KAAK;AAAA,MACH;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,IACA;AAAA,EACF;AAEA,SAAO;AACT;;;AC/FA,YAAYC,SAAQ;AACpB,YAAYC,WAAU;AAEtB;AAAA,EACE;AAAA,EACA;AAAA,OACK;AAEP;AAAA,EACE;AAAA,EACA;AAAA,OACK;AAYA,SAAS,eACd,UACS;AAET,QAAM,aACC;AAAA,IACH;AAAA,IACA;AAAA,EACF;AAEF,MACE,CAAI;AAAA,IACF;AAAA,EACF,GACA;AACA,UAAM,IAAI;AAAA,MACR,0BAA0B,QAAQ;AAAA,IACpC;AAAA,EACF;AAEA,QAAM,WAED;AAAA,IACC;AAAA,EACF,EACC;AAAA,IACC,CAAC,UACC,MAAM,WAAW,GAAG;AAAA,EACxB,EACC,KAAK;AAEV,aAAW,WAAW,UAAU;AAE9B,UAAM,mBACC;AAAA,MACH;AAAA,MACA;AAAA,IACF;AAEF,UAAM,WACJ;AAAA,MACE;AAAA,IACF;AAEF,UAAM,iBACJ;AAAA,MACE;AAAA,MACA;AAAA,IACF;AAEF,QACE,CAAC,eAAe,OAChB;AACA,aAAO;AAAA,IACT;AAEA,UAAM,YACJ;AAAA,MACE;AAAA,IACF;AAEF,UAAM,eACC;AAAA,MACH;AAAA,MACA;AAAA,IACF;AAEF,UAAM,iBACJ;AAAA,MACE;AAAA,MACA;AAAA,IACF;AAEF,QACE,CAAC,gBACD;AACA,aAAO;AAAA,IACT;AAAA,EACF;AAEA,SAAO;AACT;;;AC5FO,SAAS,aAAa,QAIR;AAEnB,SAAO;AAAA,IACL,IAAI,OAAO;AAAA,IAEX,SAAS,OAAO;AAAA,IAEhB,OAAO,OAAO;AAAA,EAChB;AACF;;;ACzBO,IAAM,oBAAoB;AAAA,EAE/B,eACE;AAAA,EAEF,oBACE;AAAA,EAEF,kBACE;AAAA,EAEF,sBACE;AAAA,EAEF,oBAAoB;AAAA,IAClB;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;;;ACnBO,IAAM,oBAAoB;AAAA,EAE/B,OACE,MACA,OACS;AAET,WAAO,SAAS;AAAA,EAClB;AAAA,EAEA,aACE,MACA,OACS;AAET,WAAO,OAAO;AAAA,EAChB;AAAA,EAEA,UACE,MACA,OACS;AAET,WAAO,OAAO;AAAA,EAChB;AACF;;;AC6BA,SAAS,kBACP,WACA,SACS;AAET,MAAI,SAAS,WAAW;AACtB,WAAO,UAAU,IAAI;AAAA,MACnB,OACE;AAAA,QACE;AAAA,QACA;AAAA,MACF;AAAA,IACJ;AAAA,EACF;AAEA,MAAI,SAAS,WAAW;AACtB,WAAO,UAAU,IAAI;AAAA,MACnB,OACE;AAAA,QACE;AAAA,QACA;AAAA,MACF;AAAA,IACJ;AAAA,EACF;AAEA,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF,IAAI;AAEJ,MAAI,EAAE,UAAU,UAAU;AAExB,UAAM,IAAI;AAAA,MACR,qBAAqB,MAAM;AAAA,IAC7B;AAAA,EACF;AAEA,QAAM,SACJ,QAAQ,MAAM;AAEhB,MAAI,WAAW,QAAW;AAExB,WAAO,kBAAkB;AAAA,MACvB;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAEA,MACE,iBAAiB,QACjB;AAEA,WAAO,kBAAkB;AAAA,MACvB;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAEA,MACE,cAAc,QACd;AAEA,WAAO,kBAAkB;AAAA,MACvB;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AACT;AAEO,SAAS,iBACd,QACA,SACgB;AAEhB,aAAW,QAAQ,OAAO,OAAO;AAE/B,UAAM,UACJ;AAAA,MACE,KAAK;AAAA,MACL;AAAA,IACF;AAEF,QAAI,SAAS;AAEX,aAAO;AAAA,QACL,QAAQ;AAAA,QAER,SACE,KAAK;AAAA,QAEP,SACE,KAAK;AAAA,QAEP,QACE;AAAA,MACJ;AAAA,IACF;AAAA,EACF;AAEA,QAAM,IAAI;AAAA,IACR;AAAA,EACF;AACF;;;ACpIO,SAAS,kBACd,eACe;AAEf,QAAM,QACJ;AAAA,IACE,cAAc,MAAM,GAAG,EAAE,CAAC;AAAA,EAC5B;AAEF,UAAQ,OAAO;AAAA,IAEb,KAAK;AAEH,aAAO;AAAA,QAEL,WACE;AAAA,QAEF,WACE;AAAA,QAEF,UACE;AAAA,MAIJ;AAAA,IAEF;AAEE,YAAM,IAAI;AAAA,QACR,+BAA+B,aAAa;AAAA,MAC9C;AAAA,EACJ;AACF;","names":["path","fs","path","fs","path"]}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@parmanasystems/governance",
-  "version": "1.56.0",
+  "version": "1.65.0",
   "private": false,
   "type": "module",
   "scripts": {
@@ -18,9 +18,9 @@
   ],
   "sideEffects": false,
   "dependencies": {
-    "@parmanasystems/bundle": "^1.56.0",
-    "@parmanasystems/crypto": "^1.56.0",
-    "@parmanasystems/contracts": "^1.56.0"
+    "@parmanasystems/bundle": "^1.65.0",
+    "@parmanasystems/crypto": "^1.65.0",
+    "@parmanasystems/contracts": "^1.65.0"
   },
   "description": "Deterministic governance lifecycle and policy infrastructure for parmanasystems.",
   "license": "Apache-2.0",