@peac/policy-kit 0.9.18

package/dist/loader.js

@@ -0,0 +1,245 @@
+"use strict";
+/**
+ * PEAC Policy Kit Loader
+ *
+ * Loads and validates policy documents from YAML or JSON.
+ * No network calls - file system only.
+ *
+ * @packageDocumentation
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PolicyValidationError = exports.PolicyLoadError = void 0;
+exports.parsePolicy = parsePolicy;
+exports.validatePolicy = validatePolicy;
+exports.loadPolicy = loadPolicy;
+exports.policyFileExists = policyFileExists;
+exports.createExamplePolicy = createExamplePolicy;
+exports.serializePolicyYaml = serializePolicyYaml;
+exports.serializePolicyJson = serializePolicyJson;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const yaml = __importStar(require("yaml"));
+const zod_1 = require("zod");
+const types_1 = require("./types");
+/**
+ * Policy load error
+ */
+class PolicyLoadError extends Error {
+    cause;
+    constructor(message, cause) {
+        super(message);
+        this.cause = cause;
+        this.name = 'PolicyLoadError';
+    }
+}
+exports.PolicyLoadError = PolicyLoadError;
+/**
+ * Policy validation error with details
+ */
+class PolicyValidationError extends PolicyLoadError {
+    issues;
+    constructor(message, issues) {
+        super(message);
+        this.issues = issues;
+        this.name = 'PolicyValidationError';
+    }
+}
+exports.PolicyValidationError = PolicyValidationError;
+/**
+ * Parse policy from string content
+ *
+ * @param content - YAML or JSON string
+ * @param format - Optional format hint ('yaml' | 'json'), auto-detected if not provided
+ * @returns Validated policy document
+ * @throws PolicyLoadError on parse failure
+ * @throws PolicyValidationError on schema validation failure
+ */
+function parsePolicy(content, format) {
+    let parsed;
+    try {
+        if (format === 'json') {
+            parsed = JSON.parse(content);
+        }
+        else if (format === 'yaml') {
+            parsed = yaml.parse(content);
+        }
+        else {
+            // Auto-detect: try JSON first (faster), fall back to YAML
+            try {
+                parsed = JSON.parse(content);
+            }
+            catch {
+                parsed = yaml.parse(content);
+            }
+        }
+    }
+    catch (err) {
+        throw new PolicyLoadError(`Failed to parse policy: ${err instanceof Error ? err.message : String(err)}`, err instanceof Error ? err : undefined);
+    }
+    return validatePolicy(parsed);
+}
+/**
+ * Validate a parsed policy object
+ *
+ * @param obj - Parsed policy object (from YAML/JSON)
+ * @returns Validated policy document
+ * @throws PolicyValidationError on schema validation failure
+ */
+function validatePolicy(obj) {
+    try {
+        return types_1.PolicyDocumentSchema.parse(obj);
+    }
+    catch (err) {
+        if (err instanceof zod_1.ZodError) {
+            const issues = err.issues.map((i) => `${i.path.join('.')}: ${i.message}`).join('; ');
+            throw new PolicyValidationError(`Policy validation failed: ${issues}`, err.issues);
+        }
+        throw new PolicyLoadError(`Policy validation failed: ${err instanceof Error ? err.message : String(err)}`, err instanceof Error ? err : undefined);
+    }
+}
+/**
+ * Load policy from file
+ *
+ * @param filePath - Path to policy file (.yaml, .yml, or .json)
+ * @returns Validated policy document
+ * @throws PolicyLoadError on file read or parse failure
+ * @throws PolicyValidationError on schema validation failure
+ */
+function loadPolicy(filePath) {
+    const ext = path.extname(filePath).toLowerCase();
+    let format;
+    if (ext === '.json') {
+        format = 'json';
+    }
+    else if (ext === '.yaml' || ext === '.yml') {
+        format = 'yaml';
+    }
+    let content;
+    try {
+        content = fs.readFileSync(filePath, 'utf-8');
+    }
+    catch (err) {
+        throw new PolicyLoadError(`Failed to read policy file: ${err instanceof Error ? err.message : String(err)}`, err instanceof Error ? err : undefined);
+    }
+    return parsePolicy(content, format);
+}
+/**
+ * Check if a policy file exists and is readable
+ *
+ * @param filePath - Path to policy file
+ * @returns true if file exists and is readable
+ */
+function policyFileExists(filePath) {
+    try {
+        fs.accessSync(filePath, fs.constants.R_OK);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Create a minimal example policy document
+ *
+ * Useful for scaffolding new policy files.
+ */
+function createExamplePolicy() {
+    return {
+        version: types_1.POLICY_VERSION,
+        name: 'Example Policy',
+        defaults: {
+            decision: 'deny',
+            reason: 'No matching rule found',
+        },
+        rules: [
+            {
+                name: 'allow-subscribed-crawl',
+                subject: {
+                    type: 'human',
+                    labels: ['subscribed'],
+                },
+                purpose: 'crawl',
+                licensing_mode: 'subscription',
+                decision: 'allow',
+                reason: 'Subscribed users can crawl',
+            },
+            {
+                name: 'allow-verified-agents-inference',
+                subject: {
+                    type: 'agent',
+                    labels: ['verified'],
+                },
+                purpose: ['inference', 'ai_input'],
+                licensing_mode: 'pay_per_inference',
+                decision: 'allow',
+                reason: 'Verified agents can run inference with payment',
+            },
+            {
+                name: 'review-org-train',
+                subject: {
+                    type: 'org',
+                },
+                purpose: 'train',
+                decision: 'review',
+                reason: 'Training requests from organizations require review',
+            },
+        ],
+    };
+}
+/**
+ * Serialize policy to YAML string
+ *
+ * @param policy - Policy document to serialize
+ * @returns YAML string
+ */
+function serializePolicyYaml(policy) {
+    return yaml.stringify(policy, {
+        lineWidth: 100,
+        defaultKeyType: 'PLAIN',
+        defaultStringType: 'QUOTE_DOUBLE',
+    });
+}
+/**
+ * Serialize policy to JSON string
+ *
+ * @param policy - Policy document to serialize
+ * @param pretty - Pretty-print with indentation (default: true)
+ * @returns JSON string
+ */
+function serializePolicyJson(policy, pretty = true) {
+    return JSON.stringify(policy, null, pretty ? 2 : undefined);
+}
+//# sourceMappingURL=loader.js.map

package/dist/loader.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"loader.js","sourceRoot":"","sources":["../src/loader.ts"],"names":[],"mappings":";AAAA;;;;;;;GAOG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA2CH,kCAwBC;AASD,wCAaC;AAUD,gCAqBC;AAQD,4CAOC;AAOD,kDA0CC;AAQD,kDAMC;AASD,kDAEC;AA/MD,uCAAyB;AACzB,2CAA6B;AAC7B,2CAA6B;AAC7B,6BAA+B;AAC/B,mCAA+E;AAE/E;;GAEG;AACH,MAAa,eAAgB,SAAQ,KAAK;IAGtB;IAFlB,YACE,OAAe,EACC,KAAwB;QAExC,KAAK,CAAC,OAAO,CAAC,CAAC;QAFC,UAAK,GAAL,KAAK,CAAmB;QAGxC,IAAI,CAAC,IAAI,GAAG,iBAAiB,CAAC;IAChC,CAAC;CACF;AARD,0CAQC;AAED;;GAEG;AACH,MAAa,qBAAsB,SAAQ,eAAe;IAGtC;IAFlB,YACE,OAAe,EACC,MAA0B;QAE1C,KAAK,CAAC,OAAO,CAAC,CAAC;QAFC,WAAM,GAAN,MAAM,CAAoB;QAG1C,IAAI,CAAC,IAAI,GAAG,uBAAuB,CAAC;IACtC,CAAC;CACF;AARD,sDAQC;AAED;;;;;;;;GAQG;AACH,SAAgB,WAAW,CAAC,OAAe,EAAE,MAAwB;IACnE,IAAI,MAAe,CAAC;IAEpB,IAAI,CAAC;QACH,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;YACtB,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAC/B,CAAC;aAAM,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;YAC7B,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAC/B,CAAC;aAAM,CAAC;YACN,0DAA0D;YAC1D,IAAI,CAAC;gBACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YAC/B,CAAC;YAAC,MAAM,CAAC;gBACP,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YAC/B,CAAC;QACH,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,eAAe,CACvB,2BAA2B,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,EAC7E,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CACvC,CAAC;IACJ,CAAC;IAED,OAAO,cAAc,CAAC,MAAM,CAAC,CAAC;AAChC,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,cAAc,CAAC,GAAY;IACzC,IAAI,CAAC;QACH,OAAO,4BAAoB,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACzC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,GAAG,YAAY,cAAQ,EAAE,CAAC;YAC5B,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACrF,MAAM,IAAI,qBAAqB,CAAC,6BAA6B,MAAM,EAAE,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;QACrF,CAAC;QACD,MAAM,IAAI,eAAe,CACvB,6BAA6B,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,EAC/E,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CACvC,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;;;;;GAOG;AACH,SAAgB,UAAU,CAAC,QAAgB;IACzC,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,WAAW,EAAE,CAAC;IACjD,IAAI,MAAmC,CAAC;IAExC,IAAI,GAAG,KAAK,OAAO,EAAE,CAAC;QACpB,MAAM,GAAG,MAAM,CAAC;IAClB,CAAC;SAAM,IAAI,GAAG,KAAK,OAAO,IAAI,GAAG,KAAK,MAAM,EAAE,CAAC;QAC7C,MAAM,GAAG,MAAM,CAAC;IAClB,CAAC;IAED,IAAI,OAAe,CAAC;IACpB,IAAI,CAAC;QACH,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IAC/C,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,eAAe,CACvB,+BAA+B,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,EACjF,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CACvC,CAAC;IACJ,CAAC;IAED,OAAO,WAAW,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;AACtC,CAAC;AAED;;;;;GAKG;AACH,SAAgB,gBAAgB,CAAC,QAAgB;IAC/C,IAAI,CAAC;QACH,EAAE,CAAC,UAAU,CAAC,QAAQ,EAAE,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;QAC3C,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,SAAgB,mBAAmB;IACjC,OAAO;QACL,OAAO,EAAE,sBAAc;QACvB,IAAI,EAAE,gBAAgB;QACtB,QAAQ,EAAE;YACR,QAAQ,EAAE,MAAM;YAChB,MAAM,EAAE,wBAAwB;SACjC;QACD,KAAK,EAAE;YACL;gBACE,IAAI,EAAE,wBAAwB;gBAC9B,OAAO,EAAE;oBACP,IAAI,EAAE,OAAO;oBACb,MAAM,EAAE,CAAC,YAAY,CAAC;iBACvB;gBACD,OAAO,EAAE,OAAO;gBAChB,cAAc,EAAE,cAAc;gBAC9B,QAAQ,EAAE,OAAO;gBACjB,MAAM,EAAE,4BAA4B;aACrC;YACD;gBACE,IAAI,EAAE,iCAAiC;gBACvC,OAAO,EAAE;oBACP,IAAI,EAAE,OAAO;oBACb,MAAM,EAAE,CAAC,UAAU,CAAC;iBACrB;gBACD,OAAO,EAAE,CAAC,WAAW,EAAE,UAAU,CAAC;gBAClC,cAAc,EAAE,mBAAmB;gBACnC,QAAQ,EAAE,OAAO;gBACjB,MAAM,EAAE,gDAAgD;aACzD;YACD;gBACE,IAAI,EAAE,kBAAkB;gBACxB,OAAO,EAAE;oBACP,IAAI,EAAE,KAAK;iBACZ;gBACD,OAAO,EAAE,OAAO;gBAChB,QAAQ,EAAE,QAAQ;gBAClB,MAAM,EAAE,qDAAqD;aAC9D;SACF;KACF,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,SAAgB,mBAAmB,CAAC,MAAsB;IACxD,OAAO,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE;QAC5B,SAAS,EAAE,GAAG;QACd,cAAc,EAAE,OAAO;QACvB,iBAAiB,EAAE,cAAc;KAClC,CAAC,CAAC;AACL,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,mBAAmB,CAAC,MAAsB,EAAE,MAAM,GAAG,IAAI;IACvE,OAAO,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;AAC9D,CAAC"}

package/dist/types.d.ts

@@ -0,0 +1,276 @@
+/**
+ * PEAC Policy Kit Types
+ *
+ * Deterministic policy format for CAL semantics.
+ * Version: peac-policy/0.1
+ *
+ * Design principles:
+ * - No scripting, no dynamic code
+ * - Deterministic, auditable, side-effect free
+ * - First-match-wins rule semantics
+ *
+ * @packageDocumentation
+ */
+import { z } from 'zod';
+import { ControlPurposeSchema, ControlLicensingModeSchema, ControlDecisionSchema, SubjectTypeSchema } from '@peac/schema';
+/**
+ * Policy format version
+ */
+export declare const POLICY_VERSION = "peac-policy/0.1";
+/**
+ * Subject type (re-export from schema)
+ */
+export type SubjectType = z.infer<typeof SubjectTypeSchema>;
+/**
+ * Control purpose (re-export from schema)
+ */
+export type ControlPurpose = z.infer<typeof ControlPurposeSchema>;
+/**
+ * Control licensing mode (re-export from schema)
+ */
+export type ControlLicensingMode = z.infer<typeof ControlLicensingModeSchema>;
+/**
+ * Control decision (re-export from schema)
+ */
+export type ControlDecision = z.infer<typeof ControlDecisionSchema>;
+/**
+ * Subject matcher - criteria for matching a subject
+ *
+ * All fields are optional (omitted = any/wildcard).
+ * When multiple fields are present, all must match (AND logic).
+ */
+export declare const SubjectMatcherSchema: z.ZodObject<{
+    /** Match by subject type(s) - single type or array */
+    type: z.ZodOptional<z.ZodUnion<[z.ZodEnum<["human", "org", "agent"]>, z.ZodArray<z.ZodEnum<["human", "org", "agent"]>, "many">]>>;
+    /** Match by label(s) - subject must have ALL specified labels */
+    labels: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    /** Match by subject ID pattern (exact match or prefix with *) */
+    id: z.ZodOptional<z.ZodString>;
+}, "strict", z.ZodTypeAny, {
+    type?: "human" | "org" | "agent" | ("human" | "org" | "agent")[] | undefined;
+    labels?: string[] | undefined;
+    id?: string | undefined;
+}, {
+    type?: "human" | "org" | "agent" | ("human" | "org" | "agent")[] | undefined;
+    labels?: string[] | undefined;
+    id?: string | undefined;
+}>;
+export type SubjectMatcher = z.infer<typeof SubjectMatcherSchema>;
+/**
+ * Policy rule - a single rule in the policy
+ *
+ * Evaluated in order; first match wins.
+ */
+export declare const PolicyRuleSchema: z.ZodObject<{
+    /** Rule name (for debugging/auditing) */
+    name: z.ZodString;
+    /** Subject matcher (omit for any subject) */
+    subject: z.ZodOptional<z.ZodObject<{
+        /** Match by subject type(s) - single type or array */
+        type: z.ZodOptional<z.ZodUnion<[z.ZodEnum<["human", "org", "agent"]>, z.ZodArray<z.ZodEnum<["human", "org", "agent"]>, "many">]>>;
+        /** Match by label(s) - subject must have ALL specified labels */
+        labels: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        /** Match by subject ID pattern (exact match or prefix with *) */
+        id: z.ZodOptional<z.ZodString>;
+    }, "strict", z.ZodTypeAny, {
+        type?: "human" | "org" | "agent" | ("human" | "org" | "agent")[] | undefined;
+        labels?: string[] | undefined;
+        id?: string | undefined;
+    }, {
+        type?: "human" | "org" | "agent" | ("human" | "org" | "agent")[] | undefined;
+        labels?: string[] | undefined;
+        id?: string | undefined;
+    }>>;
+    /** Purpose(s) this rule applies to - single purpose or array */
+    purpose: z.ZodOptional<z.ZodUnion<[z.ZodEnum<["crawl", "index", "train", "inference", "ai_input", "ai_index", "search"]>, z.ZodArray<z.ZodEnum<["crawl", "index", "train", "inference", "ai_input", "ai_index", "search"]>, "many">]>>;
+    /** Licensing mode(s) this rule applies to */
+    licensing_mode: z.ZodOptional<z.ZodUnion<[z.ZodEnum<["subscription", "pay_per_crawl", "pay_per_inference"]>, z.ZodArray<z.ZodEnum<["subscription", "pay_per_crawl", "pay_per_inference"]>, "many">]>>;
+    /** Decision if rule matches */
+    decision: z.ZodEnum<["allow", "deny", "review"]>;
+    /** Reason for decision (for audit trail) */
+    reason: z.ZodOptional<z.ZodString>;
+}, "strict", z.ZodTypeAny, {
+    name: string;
+    decision: "allow" | "deny" | "review";
+    subject?: {
+        type?: "human" | "org" | "agent" | ("human" | "org" | "agent")[] | undefined;
+        labels?: string[] | undefined;
+        id?: string | undefined;
+    } | undefined;
+    purpose?: "crawl" | "index" | "train" | "inference" | "ai_input" | "ai_index" | "search" | ("crawl" | "index" | "train" | "inference" | "ai_input" | "ai_index" | "search")[] | undefined;
+    licensing_mode?: "subscription" | "pay_per_crawl" | "pay_per_inference" | ("subscription" | "pay_per_crawl" | "pay_per_inference")[] | undefined;
+    reason?: string | undefined;
+}, {
+    name: string;
+    decision: "allow" | "deny" | "review";
+    subject?: {
+        type?: "human" | "org" | "agent" | ("human" | "org" | "agent")[] | undefined;
+        labels?: string[] | undefined;
+        id?: string | undefined;
+    } | undefined;
+    purpose?: "crawl" | "index" | "train" | "inference" | "ai_input" | "ai_index" | "search" | ("crawl" | "index" | "train" | "inference" | "ai_input" | "ai_index" | "search")[] | undefined;
+    licensing_mode?: "subscription" | "pay_per_crawl" | "pay_per_inference" | ("subscription" | "pay_per_crawl" | "pay_per_inference")[] | undefined;
+    reason?: string | undefined;
+}>;
+export type PolicyRule = z.infer<typeof PolicyRuleSchema>;
+/**
+ * Policy defaults - fallback values when no rule matches
+ */
+export declare const PolicyDefaultsSchema: z.ZodObject<{
+    /** Default decision when no rule matches */
+    decision: z.ZodEnum<["allow", "deny", "review"]>;
+    /** Default reason for audit trail */
+    reason: z.ZodOptional<z.ZodString>;
+}, "strict", z.ZodTypeAny, {
+    decision: "allow" | "deny" | "review";
+    reason?: string | undefined;
+}, {
+    decision: "allow" | "deny" | "review";
+    reason?: string | undefined;
+}>;
+export type PolicyDefaults = z.infer<typeof PolicyDefaultsSchema>;
+/**
+ * Complete policy document
+ */
+export declare const PolicyDocumentSchema: z.ZodObject<{
+    /** Policy format version */
+    version: z.ZodLiteral<"peac-policy/0.1">;
+    /** Policy name/description (optional) */
+    name: z.ZodOptional<z.ZodString>;
+    /** Default decision (required) */
+    defaults: z.ZodObject<{
+        /** Default decision when no rule matches */
+        decision: z.ZodEnum<["allow", "deny", "review"]>;
+        /** Default reason for audit trail */
+        reason: z.ZodOptional<z.ZodString>;
+    }, "strict", z.ZodTypeAny, {
+        decision: "allow" | "deny" | "review";
+        reason?: string | undefined;
+    }, {
+        decision: "allow" | "deny" | "review";
+        reason?: string | undefined;
+    }>;
+    /** Rules evaluated in order (first match wins) */
+    rules: z.ZodArray<z.ZodObject<{
+        /** Rule name (for debugging/auditing) */
+        name: z.ZodString;
+        /** Subject matcher (omit for any subject) */
+        subject: z.ZodOptional<z.ZodObject<{
+            /** Match by subject type(s) - single type or array */
+            type: z.ZodOptional<z.ZodUnion<[z.ZodEnum<["human", "org", "agent"]>, z.ZodArray<z.ZodEnum<["human", "org", "agent"]>, "many">]>>;
+            /** Match by label(s) - subject must have ALL specified labels */
+            labels: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+            /** Match by subject ID pattern (exact match or prefix with *) */
+            id: z.ZodOptional<z.ZodString>;
+        }, "strict", z.ZodTypeAny, {
+            type?: "human" | "org" | "agent" | ("human" | "org" | "agent")[] | undefined;
+            labels?: string[] | undefined;
+            id?: string | undefined;
+        }, {
+            type?: "human" | "org" | "agent" | ("human" | "org" | "agent")[] | undefined;
+            labels?: string[] | undefined;
+            id?: string | undefined;
+        }>>;
+        /** Purpose(s) this rule applies to - single purpose or array */
+        purpose: z.ZodOptional<z.ZodUnion<[z.ZodEnum<["crawl", "index", "train", "inference", "ai_input", "ai_index", "search"]>, z.ZodArray<z.ZodEnum<["crawl", "index", "train", "inference", "ai_input", "ai_index", "search"]>, "many">]>>;
+        /** Licensing mode(s) this rule applies to */
+        licensing_mode: z.ZodOptional<z.ZodUnion<[z.ZodEnum<["subscription", "pay_per_crawl", "pay_per_inference"]>, z.ZodArray<z.ZodEnum<["subscription", "pay_per_crawl", "pay_per_inference"]>, "many">]>>;
+        /** Decision if rule matches */
+        decision: z.ZodEnum<["allow", "deny", "review"]>;
+        /** Reason for decision (for audit trail) */
+        reason: z.ZodOptional<z.ZodString>;
+    }, "strict", z.ZodTypeAny, {
+        name: string;
+        decision: "allow" | "deny" | "review";
+        subject?: {
+            type?: "human" | "org" | "agent" | ("human" | "org" | "agent")[] | undefined;
+            labels?: string[] | undefined;
+            id?: string | undefined;
+        } | undefined;
+        purpose?: "crawl" | "index" | "train" | "inference" | "ai_input" | "ai_index" | "search" | ("crawl" | "index" | "train" | "inference" | "ai_input" | "ai_index" | "search")[] | undefined;
+        licensing_mode?: "subscription" | "pay_per_crawl" | "pay_per_inference" | ("subscription" | "pay_per_crawl" | "pay_per_inference")[] | undefined;
+        reason?: string | undefined;
+    }, {
+        name: string;
+        decision: "allow" | "deny" | "review";
+        subject?: {
+            type?: "human" | "org" | "agent" | ("human" | "org" | "agent")[] | undefined;
+            labels?: string[] | undefined;
+            id?: string | undefined;
+        } | undefined;
+        purpose?: "crawl" | "index" | "train" | "inference" | "ai_input" | "ai_index" | "search" | ("crawl" | "index" | "train" | "inference" | "ai_input" | "ai_index" | "search")[] | undefined;
+        licensing_mode?: "subscription" | "pay_per_crawl" | "pay_per_inference" | ("subscription" | "pay_per_crawl" | "pay_per_inference")[] | undefined;
+        reason?: string | undefined;
+    }>, "many">;
+}, "strict", z.ZodTypeAny, {
+    version: "peac-policy/0.1";
+    defaults: {
+        decision: "allow" | "deny" | "review";
+        reason?: string | undefined;
+    };
+    rules: {
+        name: string;
+        decision: "allow" | "deny" | "review";
+        subject?: {
+            type?: "human" | "org" | "agent" | ("human" | "org" | "agent")[] | undefined;
+            labels?: string[] | undefined;
+            id?: string | undefined;
+        } | undefined;
+        purpose?: "crawl" | "index" | "train" | "inference" | "ai_input" | "ai_index" | "search" | ("crawl" | "index" | "train" | "inference" | "ai_input" | "ai_index" | "search")[] | undefined;
+        licensing_mode?: "subscription" | "pay_per_crawl" | "pay_per_inference" | ("subscription" | "pay_per_crawl" | "pay_per_inference")[] | undefined;
+        reason?: string | undefined;
+    }[];
+    name?: string | undefined;
+}, {
+    version: "peac-policy/0.1";
+    defaults: {
+        decision: "allow" | "deny" | "review";
+        reason?: string | undefined;
+    };
+    rules: {
+        name: string;
+        decision: "allow" | "deny" | "review";
+        subject?: {
+            type?: "human" | "org" | "agent" | ("human" | "org" | "agent")[] | undefined;
+            labels?: string[] | undefined;
+            id?: string | undefined;
+        } | undefined;
+        purpose?: "crawl" | "index" | "train" | "inference" | "ai_input" | "ai_index" | "search" | ("crawl" | "index" | "train" | "inference" | "ai_input" | "ai_index" | "search")[] | undefined;
+        licensing_mode?: "subscription" | "pay_per_crawl" | "pay_per_inference" | ("subscription" | "pay_per_crawl" | "pay_per_inference")[] | undefined;
+        reason?: string | undefined;
+    }[];
+    name?: string | undefined;
+}>;
+export type PolicyDocument = z.infer<typeof PolicyDocumentSchema>;
+/**
+ * Evaluation context - input to policy evaluation
+ */
+export interface EvaluationContext {
+    /** Subject information */
+    subject?: {
+        /** Subject ID */
+        id?: string;
+        /** Subject type */
+        type?: SubjectType;
+        /** Subject labels */
+        labels?: string[];
+    };
+    /** Purpose of access */
+    purpose?: ControlPurpose;
+    /** Licensing mode */
+    licensing_mode?: ControlLicensingMode;
+}
+/**
+ * Evaluation result
+ */
+export interface EvaluationResult {
+    /** Decision from evaluation */
+    decision: ControlDecision;
+    /** Name of matched rule (undefined if default applied) */
+    matched_rule?: string;
+    /** Reason for decision */
+    reason?: string;
+    /** Whether default was applied (no rule matched) */
+    is_default: boolean;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EACL,oBAAoB,EACpB,0BAA0B,EAC1B,qBAAqB,EACrB,iBAAiB,EAClB,MAAM,cAAc,CAAC;AAEtB;;GAEG;AACH,eAAO,MAAM,cAAc,oBAAoB,CAAC;AAEhD;;GAEG;AACH,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAE5D;;GAEG;AACH,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAElE;;GAEG;AACH,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAE9E;;GAEG;AACH,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAEpE;;;;;GAKG;AACH,eAAO,MAAM,oBAAoB;IAE7B,sDAAsD;;IAGtD,iEAAiE;;IAGjE,iEAAiE;;;;;;;;;;EAG1D,CAAC;AAEZ,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAElE;;;;GAIG;AACH,eAAO,MAAM,gBAAgB;IAEzB,yCAAyC;;IAGzC,6CAA6C;;QAvB7C,sDAAsD;;QAGtD,iEAAiE;;QAGjE,iEAAiE;;;;;;;;;;;IAoBjE,gEAAgE;;IAGhE,6CAA6C;;IAK7C,+BAA+B;;IAG/B,4CAA4C;;;;;;;;;;;;;;;;;;;;;;;;EAGrC,CAAC;AAEZ,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAE1D;;GAEG;AACH,eAAO,MAAM,oBAAoB;IAE7B,4CAA4C;;IAG5C,qCAAqC;;;;;;;;EAG9B,CAAC;AAEZ,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAElE;;GAEG;AACH,eAAO,MAAM,oBAAoB;IAE7B,4BAA4B;;IAG5B,yCAAyC;;IAGzC,kCAAkC;;QArBlC,4CAA4C;;QAG5C,qCAAqC;;;;;;;;;IAqBrC,kDAAkD;;QArDlD,yCAAyC;;QAGzC,6CAA6C;;YAvB7C,sDAAsD;;YAGtD,iEAAiE;;YAGjE,iEAAiE;;;;;;;;;;;QAoBjE,gEAAgE;;QAGhE,6CAA6C;;QAK7C,+BAA+B;;QAG/B,4CAA4C;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAuCrC,CAAC;AAEZ,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAElE;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,0BAA0B;IAC1B,OAAO,CAAC,EAAE;QACR,iBAAiB;QACjB,EAAE,CAAC,EAAE,MAAM,CAAC;QAEZ,mBAAmB;QACnB,IAAI,CAAC,EAAE,WAAW,CAAC;QAEnB,qBAAqB;QACrB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;KACnB,CAAC;IAEF,wBAAwB;IACxB,OAAO,CAAC,EAAE,cAAc,CAAC;IAEzB,qBAAqB;IACrB,cAAc,CAAC,EAAE,oBAAoB,CAAC;CACvC;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,+BAA+B;IAC/B,QAAQ,EAAE,eAAe,CAAC;IAE1B,0DAA0D;IAC1D,YAAY,CAAC,EAAE,MAAM,CAAC;IAEtB,0BAA0B;IAC1B,MAAM,CAAC,EAAE,MAAM,CAAC;IAEhB,oDAAoD;IACpD,UAAU,EAAE,OAAO,CAAC;CACrB"}

package/dist/types.js

@@ -0,0 +1,88 @@
+"use strict";
+/**
+ * PEAC Policy Kit Types
+ *
+ * Deterministic policy format for CAL semantics.
+ * Version: peac-policy/0.1
+ *
+ * Design principles:
+ * - No scripting, no dynamic code
+ * - Deterministic, auditable, side-effect free
+ * - First-match-wins rule semantics
+ *
+ * @packageDocumentation
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PolicyDocumentSchema = exports.PolicyDefaultsSchema = exports.PolicyRuleSchema = exports.SubjectMatcherSchema = exports.POLICY_VERSION = void 0;
+const zod_1 = require("zod");
+const schema_1 = require("@peac/schema");
+/**
+ * Policy format version
+ */
+exports.POLICY_VERSION = 'peac-policy/0.1';
+/**
+ * Subject matcher - criteria for matching a subject
+ *
+ * All fields are optional (omitted = any/wildcard).
+ * When multiple fields are present, all must match (AND logic).
+ */
+exports.SubjectMatcherSchema = zod_1.z
+    .object({
+    /** Match by subject type(s) - single type or array */
+    type: zod_1.z.union([schema_1.SubjectTypeSchema, zod_1.z.array(schema_1.SubjectTypeSchema)]).optional(),
+    /** Match by label(s) - subject must have ALL specified labels */
+    labels: zod_1.z.array(zod_1.z.string().min(1)).optional(),
+    /** Match by subject ID pattern (exact match or prefix with *) */
+    id: zod_1.z.string().min(1).optional(),
+})
+    .strict();
+/**
+ * Policy rule - a single rule in the policy
+ *
+ * Evaluated in order; first match wins.
+ */
+exports.PolicyRuleSchema = zod_1.z
+    .object({
+    /** Rule name (for debugging/auditing) */
+    name: zod_1.z.string().min(1),
+    /** Subject matcher (omit for any subject) */
+    subject: exports.SubjectMatcherSchema.optional(),
+    /** Purpose(s) this rule applies to - single purpose or array */
+    purpose: zod_1.z.union([schema_1.ControlPurposeSchema, zod_1.z.array(schema_1.ControlPurposeSchema)]).optional(),
+    /** Licensing mode(s) this rule applies to */
+    licensing_mode: zod_1.z
+        .union([schema_1.ControlLicensingModeSchema, zod_1.z.array(schema_1.ControlLicensingModeSchema)])
+        .optional(),
+    /** Decision if rule matches */
+    decision: schema_1.ControlDecisionSchema,
+    /** Reason for decision (for audit trail) */
+    reason: zod_1.z.string().optional(),
+})
+    .strict();
+/**
+ * Policy defaults - fallback values when no rule matches
+ */
+exports.PolicyDefaultsSchema = zod_1.z
+    .object({
+    /** Default decision when no rule matches */
+    decision: schema_1.ControlDecisionSchema,
+    /** Default reason for audit trail */
+    reason: zod_1.z.string().optional(),
+})
+    .strict();
+/**
+ * Complete policy document
+ */
+exports.PolicyDocumentSchema = zod_1.z
+    .object({
+    /** Policy format version */
+    version: zod_1.z.literal(exports.POLICY_VERSION),
+    /** Policy name/description (optional) */
+    name: zod_1.z.string().optional(),
+    /** Default decision (required) */
+    defaults: exports.PolicyDefaultsSchema,
+    /** Rules evaluated in order (first match wins) */
+    rules: zod_1.z.array(exports.PolicyRuleSchema),
+})
+    .strict();
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;GAYG;;;AAEH,6BAAwB;AACxB,yCAKsB;AAEtB;;GAEG;AACU,QAAA,cAAc,GAAG,iBAAiB,CAAC;AAsBhD;;;;;GAKG;AACU,QAAA,oBAAoB,GAAG,OAAC;KAClC,MAAM,CAAC;IACN,sDAAsD;IACtD,IAAI,EAAE,OAAC,CAAC,KAAK,CAAC,CAAC,0BAAiB,EAAE,OAAC,CAAC,KAAK,CAAC,0BAAiB,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;IAEzE,iEAAiE;IACjE,MAAM,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;IAE7C,iEAAiE;IACjE,EAAE,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;CACjC,CAAC;KACD,MAAM,EAAE,CAAC;AAIZ;;;;GAIG;AACU,QAAA,gBAAgB,GAAG,OAAC;KAC9B,MAAM,CAAC;IACN,yCAAyC;IACzC,IAAI,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAEvB,6CAA6C;IAC7C,OAAO,EAAE,4BAAoB,CAAC,QAAQ,EAAE;IAExC,gEAAgE;IAChE,OAAO,EAAE,OAAC,CAAC,KAAK,CAAC,CAAC,6BAAoB,EAAE,OAAC,CAAC,KAAK,CAAC,6BAAoB,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;IAElF,6CAA6C;IAC7C,cAAc,EAAE,OAAC;SACd,KAAK,CAAC,CAAC,mCAA0B,EAAE,OAAC,CAAC,KAAK,CAAC,mCAA0B,CAAC,CAAC,CAAC;SACxE,QAAQ,EAAE;IAEb,+BAA+B;IAC/B,QAAQ,EAAE,8BAAqB;IAE/B,4CAA4C;IAC5C,MAAM,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CAC9B,CAAC;KACD,MAAM,EAAE,CAAC;AAIZ;;GAEG;AACU,QAAA,oBAAoB,GAAG,OAAC;KAClC,MAAM,CAAC;IACN,4CAA4C;IAC5C,QAAQ,EAAE,8BAAqB;IAE/B,qCAAqC;IACrC,MAAM,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CAC9B,CAAC;KACD,MAAM,EAAE,CAAC;AAIZ;;GAEG;AACU,QAAA,oBAAoB,GAAG,OAAC;KAClC,MAAM,CAAC;IACN,4BAA4B;IAC5B,OAAO,EAAE,OAAC,CAAC,OAAO,CAAC,sBAAc,CAAC;IAElC,yCAAyC;IACzC,IAAI,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAE3B,kCAAkC;IAClC,QAAQ,EAAE,4BAAoB;IAE9B,kDAAkD;IAClD,KAAK,EAAE,OAAC,CAAC,KAAK,CAAC,wBAAgB,CAAC;CACjC,CAAC;KACD,MAAM,EAAE,CAAC"}

package/package.json

@@ -0,0 +1,41 @@
+{
+  "name": "@peac/policy-kit",
+  "version": "0.9.18",
+  "description": "PEAC Policy Kit - deterministic policy evaluation for CAL semantics",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/peacprotocol/peac.git",
+    "directory": "packages/policy-kit"
+  },
+  "author": "jithinraj <7850727+jithinraj@users.noreply.github.com>",
+  "license": "Apache-2.0",
+  "bugs": {
+    "url": "https://github.com/peacprotocol/peac/issues"
+  },
+  "homepage": "https://github.com/peacprotocol/peac#readme",
+  "files": [
+    "dist",
+    "README.md"
+  ],
+  "publishConfig": {
+    "access": "public"
+  },
+  "scripts": {
+    "build": "tsc",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "clean": "rm -rf dist"
+  },
+  "dependencies": {
+    "@peac/schema": "workspace:*",
+    "yaml": "^2.3.4",
+    "zod": "^3.22.4"
+  },
+  "devDependencies": {
+    "@types/node": "^20.10.0",
+    "typescript": "^5.3.3",
+    "vitest": "^1.1.0"
+  }
+}