@predicatesystems/authority 0.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (77) hide show
  1. package/LICENSE +24 -0
  2. package/LICENSE-APACHE +201 -0
  3. package/LICENSE-MIT +21 -0
  4. package/README.md +267 -0
  5. package/dist/src/contracts/action-request.d.ts +43 -0
  6. package/dist/src/contracts/action-request.d.ts.map +1 -0
  7. package/dist/src/contracts/action-request.js +32 -0
  8. package/dist/src/contracts/action-request.js.map +1 -0
  9. package/dist/src/contracts/authorization-decision.d.ts +11 -0
  10. package/dist/src/contracts/authorization-decision.d.ts.map +1 -0
  11. package/dist/src/contracts/authorization-decision.js +17 -0
  12. package/dist/src/contracts/authorization-decision.js.map +1 -0
  13. package/dist/src/contracts/decision.d.ts +10 -0
  14. package/dist/src/contracts/decision.d.ts.map +1 -0
  15. package/dist/src/contracts/decision.js +13 -0
  16. package/dist/src/contracts/decision.js.map +1 -0
  17. package/dist/src/contracts/enums.d.ts +7 -0
  18. package/dist/src/contracts/enums.d.ts.map +1 -0
  19. package/dist/src/contracts/enums.js +12 -0
  20. package/dist/src/contracts/enums.js.map +1 -0
  21. package/dist/src/contracts/index.d.ts +16 -0
  22. package/dist/src/contracts/index.d.ts.map +1 -0
  23. package/dist/src/contracts/index.js +9 -0
  24. package/dist/src/contracts/index.js.map +1 -0
  25. package/dist/src/contracts/mandate.d.ts +29 -0
  26. package/dist/src/contracts/mandate.d.ts.map +1 -0
  27. package/dist/src/contracts/mandate.js +24 -0
  28. package/dist/src/contracts/mandate.js.map +1 -0
  29. package/dist/src/contracts/policy-rule.d.ts +12 -0
  30. package/dist/src/contracts/policy-rule.d.ts.map +1 -0
  31. package/dist/src/contracts/policy-rule.js +17 -0
  32. package/dist/src/contracts/policy-rule.js.map +1 -0
  33. package/dist/src/contracts/proof-event.d.ts +13 -0
  34. package/dist/src/contracts/proof-event.d.ts.map +1 -0
  35. package/dist/src/contracts/proof-event.js +15 -0
  36. package/dist/src/contracts/proof-event.js.map +1 -0
  37. package/dist/src/contracts/verification.d.ts +4 -0
  38. package/dist/src/contracts/verification.d.ts.map +1 -0
  39. package/dist/src/contracts/verification.js +15 -0
  40. package/dist/src/contracts/verification.js.map +1 -0
  41. package/dist/src/errors.d.ts +13 -0
  42. package/dist/src/errors.d.ts.map +1 -0
  43. package/dist/src/errors.js +16 -0
  44. package/dist/src/errors.js.map +1 -0
  45. package/dist/src/evidence/non-web.d.ts +47 -0
  46. package/dist/src/evidence/non-web.d.ts.map +1 -0
  47. package/dist/src/evidence/non-web.js +58 -0
  48. package/dist/src/evidence/non-web.js.map +1 -0
  49. package/dist/src/evidence/web-state.d.ts +33 -0
  50. package/dist/src/evidence/web-state.d.ts.map +1 -0
  51. package/dist/src/evidence/web-state.js +58 -0
  52. package/dist/src/evidence/web-state.js.map +1 -0
  53. package/dist/src/guard/action-guard.d.ts +24 -0
  54. package/dist/src/guard/action-guard.d.ts.map +1 -0
  55. package/dist/src/guard/action-guard.js +49 -0
  56. package/dist/src/guard/action-guard.js.map +1 -0
  57. package/dist/src/index.d.ts +27 -0
  58. package/dist/src/index.d.ts.map +1 -0
  59. package/dist/src/index.js +142 -0
  60. package/dist/src/index.js.map +1 -0
  61. package/dist/src/policy/engine.d.ts +19 -0
  62. package/dist/src/policy/engine.d.ts.map +1 -0
  63. package/dist/src/policy/engine.js +82 -0
  64. package/dist/src/policy/engine.js.map +1 -0
  65. package/dist/src/policy/matching.d.ts +6 -0
  66. package/dist/src/policy/matching.d.ts.map +1 -0
  67. package/dist/src/policy/matching.js +46 -0
  68. package/dist/src/policy/matching.js.map +1 -0
  69. package/dist/src/types.d.ts +19 -0
  70. package/dist/src/types.d.ts.map +1 -0
  71. package/dist/src/types.js +11 -0
  72. package/dist/src/types.js.map +1 -0
  73. package/dist/src/wrappers/sensitive-operations.d.ts +44 -0
  74. package/dist/src/wrappers/sensitive-operations.d.ts.map +1 -0
  75. package/dist/src/wrappers/sensitive-operations.js +52 -0
  76. package/dist/src/wrappers/sensitive-operations.js.map +1 -0
  77. package/package.json +52 -0
package/dist/src/index.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EACL,KAAK,qBAAqB,EAC1B,KAAK,gBAAgB,EAGtB,MAAM,YAAY,CAAC;AAEpB,YAAY,EACV,aAAa,EACb,UAAU,EACV,qBAAqB,EACrB,oBAAoB,EACpB,mBAAmB,EACnB,gBAAgB,EAChB,qBAAqB,EACrB,aAAa,EACb,YAAY,EACZ,UAAU,EACV,YAAY,EACZ,UAAU,EACV,uBAAuB,EACvB,aAAa,EACb,aAAa,EACb,oBAAoB,EACpB,kBAAkB,EAClB,kBAAkB,GACnB,MAAM,YAAY,CAAC;AACpB,OAAO,EAAE,oBAAoB,EAAE,KAAK,wBAAwB,EAAE,MAAM,aAAa,CAAC;AAClF,OAAO,EACL,qBAAqB,EACrB,cAAc,EACd,qBAAqB,EACrB,uBAAuB,EACvB,eAAe,EACf,aAAa,EACb,YAAY,EACZ,YAAY,EACZ,YAAY,EACZ,eAAe,EACf,yBAAyB,GAC1B,MAAM,YAAY,CAAC;AACpB,OAAO,EAAE,2BAA2B,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAC3F,OAAO,EAAE,YAAY,EAAE,KAAK,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AAC1E,OAAO,EACL,WAAW,EACX,wBAAwB,EACxB,KAAK,qBAAqB,EAC1B,KAAK,kBAAkB,GACxB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EACL,eAAe,EACf,gBAAgB,EAChB,WAAW,EACX,YAAY,EACZ,KAAK,sBAAsB,EAC3B,KAAK,uBAAuB,EAC5B,KAAK,kBAAkB,EACvB,KAAK,mBAAmB,GACzB,MAAM,oCAAoC,CAAC;AAC5C,OAAO,EACL,wCAAwC,EACxC,qBAAqB,EACrB,KAAK,mBAAmB,EACxB,KAAK,uBAAuB,EAC5B,KAAK,gBAAgB,EACrB,mCAAmC,GACpC,MAAM,yBAAyB,CAAC;AACjC,OAAO,EACL,sCAAsC,EACtC,0BAA0B,EAC1B,2BAA2B,EAC3B,KAAK,oCAAoC,EACzC,KAAK,4BAA4B,EACjC,KAAK,2BAA2B,EAChC,KAAK,cAAc,EACnB,KAAK,wBAAwB,EAC7B,KAAK,uBAAuB,EAC5B,KAAK,4BAA4B,EACjC,KAAK,0BAA0B,GAChC,MAAM,uBAAuB,CAAC;AAE/B,MAAM,WAAW,sBAAsB;IACrC,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,YAAY,CAAC,EAAE,eAAe,GAAG,YAAY,CAAC;CAC/C;AAED,qBAAa,eAAe;IAC1B,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IACjC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAS;IACnC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;IACpC,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAS;IAC1C,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAiC;gBAElD,OAAO,EAAE,sBAAsB;IAQrC,SAAS,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,qBAAqB,CAAC;CAoE3E"}
package/dist/src/index.js ADDED
@@ -0,0 +1,142 @@
1
+ import { AuthorityClientError } from "./errors.js";
2
+ import { isAuthorizationResponse, toSidecarAuthorizeRequest, } from "./types.js";
3
+ export { AuthorityClientError } from "./errors.js";
4
+ export { AUTHORIZATION_REASONS, POLICY_EFFECTS, VERIFICATION_STATUSES, isAuthorizationDecision, isMandateClaims, isLabelPassed, isPolicyRule, isProofEvent, passedLabels, isSignedMandate, toSidecarAuthorizeRequest, } from "./types.js";
5
+ export { effectiveMaxDelegationDepth, globMatch, matchesRule } from "./policy/matching.js";
6
+ export { PolicyEngine } from "./policy/engine.js";
7
+ export { ActionGuard, AuthorizationDeniedError, } from "./guard/action-guard.js";
8
+ export { guardedFileRead, guardedFileWrite, guardedHttp, guardedShell, } from "./wrappers/sensitive-operations.js";
9
+ export { buildWebStateEvidenceFromRuntimeSnapshot, buildWebStateEvidence, webStateSnapshotFromRuntimeSnapshot, } from "./evidence/web-state.js";
10
+ export { buildDesktopAccessibilityStateEvidence, buildTerminalStateEvidence, collectVerificationEvidence, } from "./evidence/non-web.js";
11
+ export class AuthorityClient {
12
+ baseUrl;
13
+ timeoutMs;
14
+ maxRetries;
15
+ backoffInitialMs;
16
+ endpointPath;
17
+ constructor(options) {
18
+ this.baseUrl = options.baseUrl.replace(/\/+$/, "");
19
+ this.timeoutMs = options.timeoutMs ?? 2000;
20
+ this.maxRetries = options.maxRetries ?? 0;
21
+ this.backoffInitialMs = options.backoffInitialMs ?? 200;
22
+ this.endpointPath = options.endpointPath ?? "/v1/authorize";
23
+ }
24
+ async authorize(request) {
25
+ const wireRequest = toSidecarAuthorizeRequest(request);
26
+ const attempts = this.maxRetries + 1;
27
+ for (let attempt = 0; attempt < attempts; attempt += 1) {
28
+ const controller = new AbortController();
29
+ const timer = setTimeout(() => controller.abort(), this.timeoutMs);
30
+ try {
31
+ let response;
32
+ try {
33
+ response = await fetch(`${this.baseUrl}${this.endpointPath}`, {
34
+ method: "POST",
35
+ headers: {
36
+ "content-type": "application/json",
37
+ },
38
+ body: JSON.stringify(wireRequest),
39
+ signal: controller.signal,
40
+ });
41
+ }
42
+ catch (error) {
43
+ if (attempt < this.maxRetries) {
44
+ await sleep(this.backoffInitialMs * (attempt + 1));
45
+ continue;
46
+ }
47
+ if (error instanceof Error && error.name === "AbortError") {
48
+ throw new AuthorityClientError("authorize request timed out", {
49
+ code: "timeout",
50
+ cause: error,
51
+ });
52
+ }
53
+ throw new AuthorityClientError("authorize request failed before response", {
54
+ code: "network_error",
55
+ cause: error,
56
+ });
57
+ }
58
+ const payload = await parseJsonSafely(response);
59
+ // Sidecar deny decisions intentionally return HTTP 403 with decision body.
60
+ if (response.status === 403 && isAuthorizationResponse(payload)) {
61
+ return payload;
62
+ }
63
+ if (!response.ok) {
64
+ if (response.status >= 500 && attempt < this.maxRetries) {
65
+ await sleep(this.backoffInitialMs * (attempt + 1));
66
+ continue;
67
+ }
68
+ throw mapHttpError(response.status, payload);
69
+ }
70
+ if (!isAuthorizationResponse(payload)) {
71
+ throw new AuthorityClientError("invalid authorize response payload", {
72
+ code: "protocol_error",
73
+ status: response.status,
74
+ details: payload,
75
+ });
76
+ }
77
+ return payload;
78
+ }
79
+ finally {
80
+ clearTimeout(timer);
81
+ }
82
+ }
83
+ throw new AuthorityClientError("authorize request exhausted retry budget", {
84
+ code: "network_error",
85
+ });
86
+ }
87
+ }
88
+ function sleep(ms) {
89
+ if (ms <= 0) {
90
+ return Promise.resolve();
91
+ }
92
+ return new Promise((resolve) => {
93
+ setTimeout(resolve, ms);
94
+ });
95
+ }
96
+ async function parseJsonSafely(response) {
97
+ const text = await response.text();
98
+ if (text.trim() === "") {
99
+ return {};
100
+ }
101
+ try {
102
+ return JSON.parse(text);
103
+ }
104
+ catch (error) {
105
+ throw new AuthorityClientError("non-JSON response from authority sidecar", {
106
+ code: "protocol_error",
107
+ status: response.status,
108
+ details: text,
109
+ cause: error,
110
+ });
111
+ }
112
+ }
113
+ function mapHttpError(status, payload) {
114
+ const message = extractErrorMessage(payload) ?? `authorize_failed_${status}`;
115
+ if (status === 400) {
116
+ return new AuthorityClientError(message, { code: "bad_request", status, details: payload });
117
+ }
118
+ if (status === 401) {
119
+ return new AuthorityClientError(message, { code: "unauthorized", status, details: payload });
120
+ }
121
+ if (status === 403) {
122
+ return new AuthorityClientError(message, { code: "forbidden", status, details: payload });
123
+ }
124
+ if (status >= 500) {
125
+ return new AuthorityClientError(message, { code: "server_error", status, details: payload });
126
+ }
127
+ return new AuthorityClientError(message, { code: "protocol_error", status, details: payload });
128
+ }
129
+ function extractErrorMessage(payload) {
130
+ if (typeof payload !== "object" || payload === null) {
131
+ return null;
132
+ }
133
+ const obj = payload;
134
+ if (typeof obj.error === "string" && obj.error.trim() !== "") {
135
+ return obj.error;
136
+ }
137
+ if (typeof obj.detail === "string" && obj.detail.trim() !== "") {
138
+ return obj.detail;
139
+ }
140
+ return null;
141
+ }
142
+ //# sourceMappingURL=index.js.map
package/dist/src/index.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AACnD,OAAO,EAGL,uBAAuB,EACvB,yBAAyB,GAC1B,MAAM,YAAY,CAAC;AAsBpB,OAAO,EAAE,oBAAoB,EAAiC,MAAM,aAAa,CAAC;AAClF,OAAO,EACL,qBAAqB,EACrB,cAAc,EACd,qBAAqB,EACrB,uBAAuB,EACvB,eAAe,EACf,aAAa,EACb,YAAY,EACZ,YAAY,EACZ,YAAY,EACZ,eAAe,EACf,yBAAyB,GAC1B,MAAM,YAAY,CAAC;AACpB,OAAO,EAAE,2BAA2B,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAC3F,OAAO,EAAE,YAAY,EAA0B,MAAM,oBAAoB,CAAC;AAC1E,OAAO,EACL,WAAW,EACX,wBAAwB,GAGzB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EACL,eAAe,EACf,gBAAgB,EAChB,WAAW,EACX,YAAY,GAKb,MAAM,oCAAoC,CAAC;AAC5C,OAAO,EACL,wCAAwC,EACxC,qBAAqB,EAIrB,mCAAmC,GACpC,MAAM,yBAAyB,CAAC;AACjC,OAAO,EACL,sCAAsC,EACtC,0BAA0B,EAC1B,2BAA2B,GAS5B,MAAM,uBAAuB,CAAC;AAU/B,MAAM,OAAO,eAAe;IACT,OAAO,CAAS;IAChB,SAAS,CAAS;IAClB,UAAU,CAAS;IACnB,gBAAgB,CAAS;IACzB,YAAY,CAAiC;IAE9D,YAAY,OAA+B;QACzC,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;QACnD,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,IAAI,CAAC;QAC3C,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,CAAC,CAAC;QAC1C,IAAI,CAAC,gBAAgB,GAAG,OAAO,CAAC,gBAAgB,IAAI,GAAG,CAAC;QACxD,IAAI,CAAC,YAAY,GAAG,OAAO,CAAC,YAAY,IAAI,eAAe,CAAC;IAC9D,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,OAAyB;QACvC,MAAM,WAAW,GAAG,yBAAyB,CAAC,OAAO,CAAC,CAAC;QACvD,MAAM,QAAQ,GAAG,IAAI,CAAC,UAAU,GAAG,CAAC,CAAC;QAErC,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,QAAQ,EAAE,OAAO,IAAI,CAAC,EAAE,CAAC;YACvD,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;YACzC,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC;YACnE,IAAI,CAAC;gBACH,IAAI,QAAkB,CAAC;gBACvB,IAAI,CAAC;oBACH,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,YAAY,EAAE,EAAE;wBAC5D,MAAM,EAAE,MAAM;wBACd,OAAO,EAAE;4BACP,cAAc,EAAE,kBAAkB;yBACnC;wBACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC;wBACjC,MAAM,EAAE,UAAU,CAAC,MAAM;qBAC1B,CAAC,CAAC;gBACL,CAAC;gBAAC,OAAO,KAAK,EAAE,CAAC;oBACf,IAAI,OAAO,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;wBAC9B,MAAM,KAAK,CAAC,IAAI,CAAC,gBAAgB,GAAG,CAAC,OAAO,GAAG,CAAC,CAAC,CAAC,CAAC;wBACnD,SAAS;oBACX,CAAC;oBACD,IAAI,KAAK,YAAY,KAAK,IAAI,KAAK,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;wBAC1D,MAAM,IAAI,oBAAoB,CAAC,6BAA6B,EAAE;4BAC5D,IAAI,EAAE,SAAS;4BACf,KAAK,EAAE,KAAK;yBACb,CAAC,CAAC;oBACL,CAAC;oBACD,MAAM,IAAI,oBAAoB,CAAC,0CAA0C,EAAE;wBACzE,IAAI,EAAE,eAAe;wBACrB,KAAK,EAAE,KAAK;qBACb,CAAC,CAAC;gBACL,CAAC;gBAED,MAAM,OAAO,GAAG,MAAM,eAAe,CAAC,QAAQ,CAAC,CAAC;gBAEhD,2EAA2E;gBAC3E,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,IAAI,uBAAuB,CAAC,OAAO,CAAC,EAAE,CAAC;oBAChE,OAAO,OAAO,CAAC;gBACjB,CAAC;gBAED,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;oBACjB,IAAI,QAAQ,CAAC,MAAM,IAAI,GAAG,IAAI,OAAO,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;wBACxD,MAAM,KAAK,CAAC,IAAI,CAAC,gBAAgB,GAAG,CAAC,OAAO,GAAG,CAAC,CAAC,CAAC,CAAC;wBACnD,SAAS;oBACX,CAAC;oBACD,MAAM,YAAY,CAAC,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;gBAC/C,CAAC;gBAED,IAAI,CAAC,uBAAuB,CAAC,OAAO,CAAC,EAAE,CAAC;oBACtC,MAAM,IAAI,oBAAoB,CAAC,oCAAoC,EAAE;wBACnE,IAAI,EAAE,gBAAgB;wBACtB,MAAM,EAAE,QAAQ,CAAC,MAAM;wBACvB,OAAO,EAAE,OAAO;qBACjB,CAAC,CAAC;gBACL,CAAC;gBAED,OAAO,OAAO,CAAC;YACjB,CAAC;oBAAS,CAAC;gBACT,YAAY,CAAC,KAAK,CAAC,CAAC;YACtB,CAAC;QACH,CAAC;QAED,MAAM,IAAI,oBAAoB,CAAC,0CAA0C,EAAE;YACzE,IAAI,EAAE,eAAe;SACtB,CAAC,CAAC;IACL,CAAC;CACF;AAED,SAAS,KAAK,CAAC,EAAU;IACvB,IAAI,EAAE,IAAI,CAAC,EAAE,CAAC;QACZ,OAAO,OAAO,CAAC,OAAO,EAAE,CAAC;IAC3B,CAAC;IACD,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;QAC7B,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;IAC1B,CAAC,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,eAAe,CAAC,QAAkB;IAC/C,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IACnC,IAAI,IAAI,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;QACvB,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAY,CAAC;IACrC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,IAAI,oBAAoB,CAAC,0CAA0C,EAAE;YACzE,IAAI,EAAE,gBAAgB;YACtB,MAAM,EAAE,QAAQ,CAAC,MAAM;YACvB,OAAO,EAAE,IAAI;YACb,KAAK,EAAE,KAAK;SACb,CAAC,CAAC;IACL,CAAC;AACH,CAAC;AAED,SAAS,YAAY,CAAC,MAAc,EAAE,OAAgB;IACpD,MAAM,OAAO,GAAG,mBAAmB,CAAC,OAAO,CAAC,IAAI,oBAAoB,MAAM,EAAE,CAAC;IAC7E,IAAI,MAAM,KAAK,GAAG,EAAE,CAAC;QACnB,OAAO,IAAI,oBAAoB,CAAC,OAAO,EAAE,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC;IAC9F,CAAC;IACD,IAAI,MAAM,KAAK,GAAG,EAAE,CAAC;QACnB,OAAO,IAAI,oBAAoB,CAAC,OAAO,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC;IAC/F,CAAC;IACD,IAAI,MAAM,KAAK,GAAG,EAAE,CAAC;QACnB,OAAO,IAAI,oBAAoB,CAAC,OAAO,EAAE,EAAE,IAAI,EAAE,WAAW,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC;IAC5F,CAAC;IACD,IAAI,MAAM,IAAI,GAAG,EAAE,CAAC;QAClB,OAAO,IAAI,oBAAoB,CAAC,OAAO,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC;IAC/F,CAAC;IACD,OAAO,IAAI,oBAAoB,CAAC,OAAO,EAAE,EAAE,IAAI,EAAE,gBAAgB,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC;AACjG,CAAC;AAED,SAAS,mBAAmB,CAAC,OAAgB;IAC3C,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,KAAK,IAAI,EAAE,CAAC;QACpD,OAAO,IAAI,CAAC;IACd,CAAC;IACD,MAAM,GAAG,GAAG,OAAkC,CAAC;IAC/C,IAAI,OAAO,GAAG,CAAC,KAAK,KAAK,QAAQ,IAAI,GAAG,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;QAC7D,OAAO,GAAG,CAAC,KAAK,CAAC;IACnB,CAAC;IACD,IAAI,OAAO,GAAG,CAAC,MAAM,KAAK,QAAQ,IAAI,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;QAC/D,OAAO,GAAG,CAAC,MAAM,CAAC;IACpB,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC"}
package/dist/src/policy/engine.d.ts ADDED
@@ -0,0 +1,19 @@
1
+ import type { ActionRequest } from "../contracts/action-request.js";
2
+ import type { AuthorizationReason } from "../contracts/enums.js";
3
+ import type { PolicyRule } from "../contracts/policy-rule.js";
4
+ export interface PolicyMatchResult {
5
+ allowed: boolean;
6
+ reason: AuthorizationReason;
7
+ matched_rule?: string | null;
8
+ missing_labels?: string[];
9
+ }
10
+ export declare class PolicyEngine {
11
+ private rules;
12
+ private globalMaxDelegationDepth;
13
+ constructor(rules: PolicyRule[], globalMaxDelegationDepth?: number | null);
14
+ replaceRules(rules: PolicyRule[]): void;
15
+ setGlobalMaxDelegationDepth(maxDepth: number | null): void;
16
+ replacePolicy(rules: PolicyRule[], globalMaxDelegationDepth: number | null): void;
17
+ evaluate(request: ActionRequest, delegationDepth?: number): PolicyMatchResult;
18
+ }
19
+ //# sourceMappingURL=engine.d.ts.map
package/dist/src/policy/engine.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"engine.d.ts","sourceRoot":"","sources":["../../../src/policy/engine.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,gCAAgC,CAAC;AACpE,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,uBAAuB,CAAC;AACjE,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AAI9D,MAAM,WAAW,iBAAiB;IAChC,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE,mBAAmB,CAAC;IAC5B,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;CAC3B;AAED,qBAAa,YAAY;IACvB,OAAO,CAAC,KAAK,CAAe;IAC5B,OAAO,CAAC,wBAAwB,CAAgB;gBAEpC,KAAK,EAAE,UAAU,EAAE,EAAE,wBAAwB,CAAC,EAAE,MAAM,GAAG,IAAI;IAKzE,YAAY,CAAC,KAAK,EAAE,UAAU,EAAE,GAAG,IAAI;IAIvC,2BAA2B,CAAC,QAAQ,EAAE,MAAM,GAAG,IAAI,GAAG,IAAI;IAI1D,aAAa,CAAC,KAAK,EAAE,UAAU,EAAE,EAAE,wBAAwB,EAAE,MAAM,GAAG,IAAI,GAAG,IAAI;IAKjF,QAAQ,CAAC,OAAO,EAAE,aAAa,EAAE,eAAe,SAAI,GAAG,iBAAiB;CAyEzE"}
package/dist/src/policy/engine.js ADDED
@@ -0,0 +1,82 @@
1
+ import { isLabelPassed } from "../contracts/verification.js";
2
+ import { effectiveMaxDelegationDepth, matchesRule } from "./matching.js";
3
+ export class PolicyEngine {
4
+ rules;
5
+ globalMaxDelegationDepth;
6
+ constructor(rules, globalMaxDelegationDepth) {
7
+ this.rules = rules;
8
+ this.globalMaxDelegationDepth = globalMaxDelegationDepth ?? null;
9
+ }
10
+ replaceRules(rules) {
11
+ this.rules = rules;
12
+ }
13
+ setGlobalMaxDelegationDepth(maxDepth) {
14
+ this.globalMaxDelegationDepth = maxDepth;
15
+ }
16
+ replacePolicy(rules, globalMaxDelegationDepth) {
17
+ this.rules = rules;
18
+ this.globalMaxDelegationDepth = globalMaxDelegationDepth;
19
+ }
20
+ evaluate(request, delegationDepth = 0) {
21
+ const matchingRules = this.rules.filter((rule) => matchesRule(rule, request));
22
+ if (matchingRules.length === 0) {
23
+ return {
24
+ allowed: false,
25
+ reason: "no_matching_policy",
26
+ };
27
+ }
28
+ for (const rule of matchingRules) {
29
+ if (rule.effect === "deny") {
30
+ return {
31
+ allowed: false,
32
+ reason: "explicit_deny",
33
+ matched_rule: rule.name,
34
+ };
35
+ }
36
+ }
37
+ let firstAllowFailure = null;
38
+ for (const rule of matchingRules) {
39
+ if (rule.effect !== "allow") {
40
+ continue;
41
+ }
42
+ const effectiveMaxDepth = effectiveMaxDelegationDepth(this.globalMaxDelegationDepth, rule.max_delegation_depth);
43
+ if (effectiveMaxDepth !== null && delegationDepth > effectiveMaxDepth) {
44
+ const failure = {
45
+ allowed: false,
46
+ reason: "max_delegation_depth_exceeded",
47
+ matched_rule: rule.name,
48
+ };
49
+ if (firstAllowFailure === null) {
50
+ firstAllowFailure = failure;
51
+ }
52
+ continue;
53
+ }
54
+ const missingLabels = (rule.required_labels ?? []).filter((label) => !isLabelPassed(request.verification_evidence, label));
55
+ if (missingLabels.length > 0) {
56
+ const failure = {
57
+ allowed: false,
58
+ reason: "missing_required_verification",
59
+ matched_rule: rule.name,
60
+ missing_labels: missingLabels,
61
+ };
62
+ if (firstAllowFailure === null) {
63
+ firstAllowFailure = failure;
64
+ }
65
+ continue;
66
+ }
67
+ return {
68
+ allowed: true,
69
+ reason: "allowed",
70
+ matched_rule: rule.name,
71
+ };
72
+ }
73
+ if (firstAllowFailure !== null) {
74
+ return firstAllowFailure;
75
+ }
76
+ return {
77
+ allowed: false,
78
+ reason: "no_matching_policy",
79
+ };
80
+ }
81
+ }
82
+ //# sourceMappingURL=engine.js.map
package/dist/src/policy/engine.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"engine.js","sourceRoot":"","sources":["../../../src/policy/engine.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,aAAa,EAAE,MAAM,8BAA8B,CAAC;AAC7D,OAAO,EAAE,2BAA2B,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AASzE,MAAM,OAAO,YAAY;IACf,KAAK,CAAe;IACpB,wBAAwB,CAAgB;IAEhD,YAAY,KAAmB,EAAE,wBAAwC;QACvE,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;QACnB,IAAI,CAAC,wBAAwB,GAAG,wBAAwB,IAAI,IAAI,CAAC;IACnE,CAAC;IAED,YAAY,CAAC,KAAmB;QAC9B,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;IACrB,CAAC;IAED,2BAA2B,CAAC,QAAuB;QACjD,IAAI,CAAC,wBAAwB,GAAG,QAAQ,CAAC;IAC3C,CAAC;IAED,aAAa,CAAC,KAAmB,EAAE,wBAAuC;QACxE,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;QACnB,IAAI,CAAC,wBAAwB,GAAG,wBAAwB,CAAC;IAC3D,CAAC;IAED,QAAQ,CAAC,OAAsB,EAAE,eAAe,GAAG,CAAC;QAClD,MAAM,aAAa,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,WAAW,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC;QAC9E,IAAI,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC/B,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,oBAAoB;aAC7B,CAAC;QACJ,CAAC;QAED,KAAK,MAAM,IAAI,IAAI,aAAa,EAAE,CAAC;YACjC,IAAI,IAAI,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;gBAC3B,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,MAAM,EAAE,eAAe;oBACvB,YAAY,EAAE,IAAI,CAAC,IAAI;iBACxB,CAAC;YACJ,CAAC;QACH,CAAC;QAED,IAAI,iBAAiB,GAA6B,IAAI,CAAC;QACvD,KAAK,MAAM,IAAI,IAAI,aAAa,EAAE,CAAC;YACjC,IAAI,IAAI,CAAC,MAAM,KAAK,OAAO,EAAE,CAAC;gBAC5B,SAAS;YACX,CAAC;YAED,MAAM,iBAAiB,GAAG,2BAA2B,CACnD,IAAI,CAAC,wBAAwB,EAC7B,IAAI,CAAC,oBAAoB,CAC1B,CAAC;YACF,IAAI,iBAAiB,KAAK,IAAI,IAAI,eAAe,GAAG,iBAAiB,EAAE,CAAC;gBACtE,MAAM,OAAO,GAAsB;oBACjC,OAAO,EAAE,KAAK;oBACd,MAAM,EAAE,+BAA+B;oBACvC,YAAY,EAAE,IAAI,CAAC,IAAI;iBACxB,CAAC;gBACF,IAAI,iBAAiB,KAAK,IAAI,EAAE,CAAC;oBAC/B,iBAAiB,GAAG,OAAO,CAAC;gBAC9B,CAAC;gBACD,SAAS;YACX,CAAC;YAED,MAAM,aAAa,GAAG,CAAC,IAAI,CAAC,eAAe,IAAI,EAAE,CAAC,CAAC,MAAM,CACvD,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,aAAa,CAAC,OAAO,CAAC,qBAAqB,EAAE,KAAK,CAAC,CAChE,CAAC;YACF,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC7B,MAAM,OAAO,GAAsB;oBACjC,OAAO,EAAE,KAAK;oBACd,MAAM,EAAE,+BAA+B;oBACvC,YAAY,EAAE,IAAI,CAAC,IAAI;oBACvB,cAAc,EAAE,aAAa;iBAC9B,CAAC;gBACF,IAAI,iBAAiB,KAAK,IAAI,EAAE,CAAC;oBAC/B,iBAAiB,GAAG,OAAO,CAAC;gBAC9B,CAAC;gBACD,SAAS;YACX,CAAC;YAED,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,MAAM,EAAE,SAAS;gBACjB,YAAY,EAAE,IAAI,CAAC,IAAI;aACxB,CAAC;QACJ,CAAC;QAED,IAAI,iBAAiB,KAAK,IAAI,EAAE,CAAC;YAC/B,OAAO,iBAAiB,CAAC;QAC3B,CAAC;QAED,OAAO;YACL,OAAO,EAAE,KAAK;YACd,MAAM,EAAE,oBAAoB;SAC7B,CAAC;IACJ,CAAC;CACF"}
package/dist/src/policy/matching.d.ts ADDED
@@ -0,0 +1,6 @@
1
+ import type { ActionRequest } from "../contracts/action-request.js";
2
+ import type { PolicyRule } from "../contracts/policy-rule.js";
3
+ export declare function matchesRule(rule: PolicyRule, request: ActionRequest): boolean;
4
+ export declare function effectiveMaxDelegationDepth(globalMax: number | null | undefined, ruleMax: number | null | undefined): number | null;
5
+ export declare function globMatch(value: string, pattern: string): boolean;
6
+ //# sourceMappingURL=matching.d.ts.map
package/dist/src/policy/matching.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"matching.d.ts","sourceRoot":"","sources":["../../../src/policy/matching.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,gCAAgC,CAAC;AACpE,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AAE9D,wBAAgB,WAAW,CAAC,IAAI,EAAE,UAAU,EAAE,OAAO,EAAE,aAAa,GAAG,OAAO,CAQ7E;AAED,wBAAgB,2BAA2B,CACzC,SAAS,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,EACpC,OAAO,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GACjC,MAAM,GAAG,IAAI,CAUf;AAGD,wBAAgB,SAAS,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAGjE"}
package/dist/src/policy/matching.js ADDED
@@ -0,0 +1,46 @@
1
+ export function matchesRule(rule, request) {
2
+ const principal = request.principal.principal_id;
3
+ const action = request.action_spec.action;
4
+ const resource = request.action_spec.resource;
5
+ const principalOk = rule.principals.some((pattern) => globMatch(principal, pattern));
6
+ const actionOk = rule.actions.some((pattern) => globMatch(action, pattern));
7
+ const resourceOk = rule.resources.some((pattern) => globMatch(resource, pattern));
8
+ return principalOk && actionOk && resourceOk;
9
+ }
10
+ export function effectiveMaxDelegationDepth(globalMax, ruleMax) {
11
+ const g = globalMax ?? null;
12
+ const r = ruleMax ?? null;
13
+ if (g === null) {
14
+ return r;
15
+ }
16
+ if (r === null) {
17
+ return g;
18
+ }
19
+ return Math.min(g, r);
20
+ }
21
+ // Minimal fnmatch-like matcher for parity with Python rule patterns.
22
+ export function globMatch(value, pattern) {
23
+ const regex = globToRegExp(pattern);
24
+ return regex.test(value);
25
+ }
26
+ function globToRegExp(pattern) {
27
+ let out = "^";
28
+ for (let i = 0; i < pattern.length; i += 1) {
29
+ const ch = pattern[i];
30
+ if (ch === "*") {
31
+ out += ".*";
32
+ }
33
+ else if (ch === "?") {
34
+ out += ".";
35
+ }
36
+ else {
37
+ out += escapeRegexChar(ch);
38
+ }
39
+ }
40
+ out += "$";
41
+ return new RegExp(out);
42
+ }
43
+ function escapeRegexChar(ch) {
44
+ return /[\\^$.*+?()[\]{}|]/.test(ch) ? `\\${ch}` : ch;
45
+ }
46
+ //# sourceMappingURL=matching.js.map
package/dist/src/policy/matching.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"matching.js","sourceRoot":"","sources":["../../../src/policy/matching.ts"],"names":[],"mappings":"AAGA,MAAM,UAAU,WAAW,CAAC,IAAgB,EAAE,OAAsB;IAClE,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,CAAC,YAAY,CAAC;IACjD,MAAM,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC,MAAM,CAAC;IAC1C,MAAM,QAAQ,GAAG,OAAO,CAAC,WAAW,CAAC,QAAQ,CAAC;IAC9C,MAAM,WAAW,GAAG,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,SAAS,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC,CAAC;IACrF,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,SAAS,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;IAC5E,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,SAAS,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC,CAAC;IAClF,OAAO,WAAW,IAAI,QAAQ,IAAI,UAAU,CAAC;AAC/C,CAAC;AAED,MAAM,UAAU,2BAA2B,CACzC,SAAoC,EACpC,OAAkC;IAElC,MAAM,CAAC,GAAG,SAAS,IAAI,IAAI,CAAC;IAC5B,MAAM,CAAC,GAAG,OAAO,IAAI,IAAI,CAAC;IAC1B,IAAI,CAAC,KAAK,IAAI,EAAE,CAAC;QACf,OAAO,CAAC,CAAC;IACX,CAAC;IACD,IAAI,CAAC,KAAK,IAAI,EAAE,CAAC;QACf,OAAO,CAAC,CAAC;IACX,CAAC;IACD,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;AACxB,CAAC;AAED,qEAAqE;AACrE,MAAM,UAAU,SAAS,CAAC,KAAa,EAAE,OAAe;IACtD,MAAM,KAAK,GAAG,YAAY,CAAC,OAAO,CAAC,CAAC;IACpC,OAAO,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;AAC3B,CAAC;AAED,SAAS,YAAY,CAAC,OAAe;IACnC,IAAI,GAAG,GAAG,GAAG,CAAC;IACd,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;QAC3C,MAAM,EAAE,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;QACtB,IAAI,EAAE,KAAK,GAAG,EAAE,CAAC;YACf,GAAG,IAAI,IAAI,CAAC;QACd,CAAC;aAAM,IAAI,EAAE,KAAK,GAAG,EAAE,CAAC;YACtB,GAAG,IAAI,GAAG,CAAC;QACb,CAAC;aAAM,CAAC;YACN,GAAG,IAAI,eAAe,CAAC,EAAE,CAAC,CAAC;QAC7B,CAAC;IACH,CAAC;IACD,GAAG,IAAI,GAAG,CAAC;IACX,OAAO,IAAI,MAAM,CAAC,GAAG,CAAC,CAAC;AACzB,CAAC;AAED,SAAS,eAAe,CAAC,EAAU;IACjC,OAAO,oBAAoB,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;AACxD,CAAC"}
package/dist/src/types.d.ts ADDED
@@ -0,0 +1,19 @@
1
+ export type { ActionRequest, ActionSpec, AuthorizeRequest, PrincipalRef, SidecarAuthorizeRequest, StateEvidence, VerificationEvidence, VerificationSignal, } from "./contracts/action-request.js";
2
+ export { toSidecarAuthorizeRequest } from "./contracts/action-request.js";
3
+ export type { AuthorizationResponse } from "./contracts/decision.js";
4
+ export { isAuthorizationResponse } from "./contracts/decision.js";
5
+ export type { AuthorizationDecision } from "./contracts/authorization-decision.js";
6
+ export { isAuthorizationDecision } from "./contracts/authorization-decision.js";
7
+ export type { AuthorizationReason, PolicyEffect, VerificationStatus } from "./contracts/enums.js";
8
+ export { AUTHORIZATION_REASONS, POLICY_EFFECTS, VERIFICATION_STATUSES } from "./contracts/enums.js";
9
+ export type { MandateClaims, SignedMandate } from "./contracts/mandate.js";
10
+ export { isMandateClaims, isSignedMandate } from "./contracts/mandate.js";
11
+ export type { PolicyRule } from "./contracts/policy-rule.js";
12
+ export { isPolicyRule } from "./contracts/policy-rule.js";
13
+ export type { ProofEvent } from "./contracts/proof-event.js";
14
+ export { isProofEvent } from "./contracts/proof-event.js";
15
+ export { isLabelPassed, passedLabels } from "./contracts/verification.js";
16
+ export { buildWebStateEvidenceFromRuntimeSnapshot, buildWebStateEvidence, type RuntimeSnapshotLike, type WebStateEvidenceOptions, type WebStateSnapshot, webStateSnapshotFromRuntimeSnapshot, } from "./evidence/web-state.js";
17
+ export { buildDesktopAccessibilityStateEvidence, buildTerminalStateEvidence, collectVerificationEvidence, type DesktopAccessibilityEvidenceProvider, type DesktopAccessibilitySnapshot, type DesktopStateEvidenceOptions, type EvidenceHasher, type TerminalEvidenceProvider, type TerminalSessionSnapshot, type TerminalStateEvidenceOptions, type VerificationSignalProvider, } from "./evidence/non-web.js";
18
+ export type { SidecarAuthorizeRequest as AuthorizationRequest } from "./contracts/action-request.js";
19
+ //# sourceMappingURL=types.d.ts.map
package/dist/src/types.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/types.ts"],"names":[],"mappings":"AAAA,YAAY,EACV,aAAa,EACb,UAAU,EACV,gBAAgB,EAChB,YAAY,EACZ,uBAAuB,EACvB,aAAa,EACb,oBAAoB,EACpB,kBAAkB,GACnB,MAAM,+BAA+B,CAAC;AACvC,OAAO,EAAE,yBAAyB,EAAE,MAAM,+BAA+B,CAAC;AAC1E,YAAY,EAAE,qBAAqB,EAAE,MAAM,yBAAyB,CAAC;AACrE,OAAO,EAAE,uBAAuB,EAAE,MAAM,yBAAyB,CAAC;AAClE,YAAY,EAAE,qBAAqB,EAAE,MAAM,uCAAuC,CAAC;AACnF,OAAO,EAAE,uBAAuB,EAAE,MAAM,uCAAuC,CAAC;AAChF,YAAY,EAAE,mBAAmB,EAAE,YAAY,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAC;AAClG,OAAO,EAAE,qBAAqB,EAAE,cAAc,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AACpG,YAAY,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AAC3E,OAAO,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AAC1E,YAAY,EAAE,UAAU,EAAE,MAAM,4BAA4B,CAAC;AAC7D,OAAO,EAAE,YAAY,EAAE,MAAM,4BAA4B,CAAC;AAC1D,YAAY,EAAE,UAAU,EAAE,MAAM,4BAA4B,CAAC;AAC7D,OAAO,EAAE,YAAY,EAAE,MAAM,4BAA4B,CAAC;AAC1D,OAAO,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,6BAA6B,CAAC;AAC1E,OAAO,EACL,wCAAwC,EACxC,qBAAqB,EACrB,KAAK,mBAAmB,EACxB,KAAK,uBAAuB,EAC5B,KAAK,gBAAgB,EACrB,mCAAmC,GACpC,MAAM,yBAAyB,CAAC;AACjC,OAAO,EACL,sCAAsC,EACtC,0BAA0B,EAC1B,2BAA2B,EAC3B,KAAK,oCAAoC,EACzC,KAAK,4BAA4B,EACjC,KAAK,2BAA2B,EAChC,KAAK,cAAc,EACnB,KAAK,wBAAwB,EAC7B,KAAK,uBAAuB,EAC5B,KAAK,4BAA4B,EACjC,KAAK,0BAA0B,GAChC,MAAM,uBAAuB,CAAC;AAG/B,YAAY,EAAE,uBAAuB,IAAI,oBAAoB,EAAE,MAAM,+BAA+B,CAAC"}
package/dist/src/types.js ADDED
@@ -0,0 +1,11 @@
1
+ export { toSidecarAuthorizeRequest } from "./contracts/action-request.js";
2
+ export { isAuthorizationResponse } from "./contracts/decision.js";
3
+ export { isAuthorizationDecision } from "./contracts/authorization-decision.js";
4
+ export { AUTHORIZATION_REASONS, POLICY_EFFECTS, VERIFICATION_STATUSES } from "./contracts/enums.js";
5
+ export { isMandateClaims, isSignedMandate } from "./contracts/mandate.js";
6
+ export { isPolicyRule } from "./contracts/policy-rule.js";
7
+ export { isProofEvent } from "./contracts/proof-event.js";
8
+ export { isLabelPassed, passedLabels } from "./contracts/verification.js";
9
+ export { buildWebStateEvidenceFromRuntimeSnapshot, buildWebStateEvidence, webStateSnapshotFromRuntimeSnapshot, } from "./evidence/web-state.js";
10
+ export { buildDesktopAccessibilityStateEvidence, buildTerminalStateEvidence, collectVerificationEvidence, } from "./evidence/non-web.js";
11
+ //# sourceMappingURL=types.js.map
package/dist/src/types.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/types.ts"],"names":[],"mappings":"AAUA,OAAO,EAAE,yBAAyB,EAAE,MAAM,+BAA+B,CAAC;AAE1E,OAAO,EAAE,uBAAuB,EAAE,MAAM,yBAAyB,CAAC;AAElE,OAAO,EAAE,uBAAuB,EAAE,MAAM,uCAAuC,CAAC;AAEhF,OAAO,EAAE,qBAAqB,EAAE,cAAc,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAEpG,OAAO,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AAE1E,OAAO,EAAE,YAAY,EAAE,MAAM,4BAA4B,CAAC;AAE1D,OAAO,EAAE,YAAY,EAAE,MAAM,4BAA4B,CAAC;AAC1D,OAAO,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,6BAA6B,CAAC;AAC1E,OAAO,EACL,wCAAwC,EACxC,qBAAqB,EAIrB,mCAAmC,GACpC,MAAM,yBAAyB,CAAC;AACjC,OAAO,EACL,sCAAsC,EACtC,0BAA0B,EAC1B,2BAA2B,GAS5B,MAAM,uBAAuB,CAAC"}
package/dist/src/wrappers/sensitive-operations.d.ts ADDED
@@ -0,0 +1,44 @@
1
+ import { type ActionExecutionResult, type ActionGuard } from "../guard/action-guard.js";
2
+ import type { ActionRequest } from "../types.js";
3
+ export interface GuardedShellOptions<T> {
4
+ guard: ActionGuard;
5
+ request: ActionRequest;
6
+ command: string;
7
+ execute: (command: string) => Promise<T> | T;
8
+ delegationDepth?: number;
9
+ }
10
+ export interface GuardedFileReadOptions<T> {
11
+ guard: ActionGuard;
12
+ request: ActionRequest;
13
+ path: string;
14
+ read: (path: string) => Promise<T> | T;
15
+ delegationDepth?: number;
16
+ }
17
+ export interface GuardedFileWriteOptions<T> {
18
+ guard: ActionGuard;
19
+ request: ActionRequest;
20
+ path: string;
21
+ contents: string;
22
+ write: (path: string, contents: string) => Promise<T> | T;
23
+ delegationDepth?: number;
24
+ }
25
+ export interface GuardedHttpOptions<T> {
26
+ guard: ActionGuard;
27
+ request: ActionRequest;
28
+ url: string;
29
+ method?: string;
30
+ headers?: Record<string, string>;
31
+ body?: string;
32
+ send: (request: {
33
+ url: string;
34
+ method: string;
35
+ headers?: Record<string, string>;
36
+ body?: string;
37
+ }) => Promise<T> | T;
38
+ delegationDepth?: number;
39
+ }
40
+ export declare function guardedShell<T>(options: GuardedShellOptions<T>): Promise<ActionExecutionResult<T>>;
41
+ export declare function guardedFileRead<T>(options: GuardedFileReadOptions<T>): Promise<ActionExecutionResult<T>>;
42
+ export declare function guardedFileWrite<T>(options: GuardedFileWriteOptions<T>): Promise<ActionExecutionResult<T>>;
43
+ export declare function guardedHttp<T>(options: GuardedHttpOptions<T>): Promise<ActionExecutionResult<T>>;
44
+ //# sourceMappingURL=sensitive-operations.d.ts.map
package/dist/src/wrappers/sensitive-operations.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"sensitive-operations.d.ts","sourceRoot":"","sources":["../../../src/wrappers/sensitive-operations.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,qBAAqB,EAAE,KAAK,WAAW,EAA4B,MAAM,0BAA0B,CAAC;AAClH,OAAO,KAAK,EAAE,aAAa,EAAyB,MAAM,aAAa,CAAC;AAExE,MAAM,WAAW,mBAAmB,CAAC,CAAC;IACpC,KAAK,EAAE,WAAW,CAAC;IACnB,OAAO,EAAE,aAAa,CAAC;IACvB,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IAC7C,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED,MAAM,WAAW,sBAAsB,CAAC,CAAC;IACvC,KAAK,EAAE,WAAW,CAAC;IACnB,OAAO,EAAE,aAAa,CAAC;IACvB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IACvC,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED,MAAM,WAAW,uBAAuB,CAAC,CAAC;IACxC,KAAK,EAAE,WAAW,CAAC;IACnB,OAAO,EAAE,aAAa,CAAC;IACvB,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,KAAK,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IAC1D,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED,MAAM,WAAW,kBAAkB,CAAC,CAAC;IACnC,KAAK,EAAE,WAAW,CAAC;IACnB,OAAO,EAAE,aAAa,CAAC;IACvB,GAAG,EAAE,MAAM,CAAC;IACZ,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACjC,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,CAAC,OAAO,EAAE;QACd,GAAG,EAAE,MAAM,CAAC;QACZ,MAAM,EAAE,MAAM,CAAC;QACf,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACjC,IAAI,CAAC,EAAE,MAAM,CAAC;KACf,KAAK,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IACrB,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAQD,wBAAsB,YAAY,CAAC,CAAC,EAAE,OAAO,EAAE,mBAAmB,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,qBAAqB,CAAC,CAAC,CAAC,CAAC,CASxG;AAED,wBAAsB,eAAe,CAAC,CAAC,EACrC,OAAO,EAAE,sBAAsB,CAAC,CAAC,CAAC,GACjC,OAAO,CAAC,qBAAqB,CAAC,CAAC,CAAC,CAAC,CASnC;AAED,wBAAsB,gBAAgB,CAAC,CAAC,EACtC,OAAO,EAAE,uBAAuB,CAAC,CAAC,CAAC,GAClC,OAAO,CAAC,qBAAqB,CAAC,CAAC,CAAC,CAAC,CASnC;AAED,wBAAsB,WAAW,CAAC,CAAC,EAAE,OAAO,EAAE,kBAAkB,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,qBAAqB,CAAC,CAAC,CAAC,CAAC,CActG"}
package/dist/src/wrappers/sensitive-operations.js ADDED
@@ -0,0 +1,52 @@
1
+ import { AuthorizationDeniedError } from "../guard/action-guard.js";
2
+ function requireAllow(decision) {
3
+ if (!decision.allowed) {
4
+ throw new AuthorizationDeniedError(decision);
5
+ }
6
+ }
7
+ export async function guardedShell(options) {
8
+ const decision = options.guard.authorize(options.request, options.delegationDepth ?? 0);
9
+ requireAllow(decision);
10
+ const value = await options.execute(options.command);
11
+ return {
12
+ value,
13
+ decision,
14
+ mandate: decision.mandate ?? null,
15
+ };
16
+ }
17
+ export async function guardedFileRead(options) {
18
+ const decision = options.guard.authorize(options.request, options.delegationDepth ?? 0);
19
+ requireAllow(decision);
20
+ const value = await options.read(options.path);
21
+ return {
22
+ value,
23
+ decision,
24
+ mandate: decision.mandate ?? null,
25
+ };
26
+ }
27
+ export async function guardedFileWrite(options) {
28
+ const decision = options.guard.authorize(options.request, options.delegationDepth ?? 0);
29
+ requireAllow(decision);
30
+ const value = await options.write(options.path, options.contents);
31
+ return {
32
+ value,
33
+ decision,
34
+ mandate: decision.mandate ?? null,
35
+ };
36
+ }
37
+ export async function guardedHttp(options) {
38
+ const decision = options.guard.authorize(options.request, options.delegationDepth ?? 0);
39
+ requireAllow(decision);
40
+ const value = await options.send({
41
+ url: options.url,
42
+ method: options.method ?? "GET",
43
+ headers: options.headers,
44
+ body: options.body,
45
+ });
46
+ return {
47
+ value,
48
+ decision,
49
+ mandate: decision.mandate ?? null,
50
+ };
51
+ }
52
+ //# sourceMappingURL=sensitive-operations.js.map
package/dist/src/wrappers/sensitive-operations.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"sensitive-operations.js","sourceRoot":"","sources":["../../../src/wrappers/sensitive-operations.ts"],"names":[],"mappings":"AAAA,OAAO,EAAgD,wBAAwB,EAAE,MAAM,0BAA0B,CAAC;AA4ClH,SAAS,YAAY,CAAC,QAA+B;IACnD,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC;QACtB,MAAM,IAAI,wBAAwB,CAAC,QAAQ,CAAC,CAAC;IAC/C,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,YAAY,CAAI,OAA+B;IACnE,MAAM,QAAQ,GAAG,OAAO,CAAC,KAAK,CAAC,SAAS,CAAC,OAAO,CAAC,OAAO,EAAE,OAAO,CAAC,eAAe,IAAI,CAAC,CAAC,CAAC;IACxF,YAAY,CAAC,QAAQ,CAAC,CAAC;IACvB,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IACrD,OAAO;QACL,KAAK;QACL,QAAQ;QACR,OAAO,EAAE,QAAQ,CAAC,OAAO,IAAI,IAAI;KAClC,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,OAAkC;IAElC,MAAM,QAAQ,GAAG,OAAO,CAAC,KAAK,CAAC,SAAS,CAAC,OAAO,CAAC,OAAO,EAAE,OAAO,CAAC,eAAe,IAAI,CAAC,CAAC,CAAC;IACxF,YAAY,CAAC,QAAQ,CAAC,CAAC;IACvB,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IAC/C,OAAO;QACL,KAAK;QACL,QAAQ;QACR,OAAO,EAAE,QAAQ,CAAC,OAAO,IAAI,IAAI;KAClC,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,OAAmC;IAEnC,MAAM,QAAQ,GAAG,OAAO,CAAC,KAAK,CAAC,SAAS,CAAC,OAAO,CAAC,OAAO,EAAE,OAAO,CAAC,eAAe,IAAI,CAAC,CAAC,CAAC;IACxF,YAAY,CAAC,QAAQ,CAAC,CAAC;IACvB,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IAClE,OAAO;QACL,KAAK;QACL,QAAQ;QACR,OAAO,EAAE,QAAQ,CAAC,OAAO,IAAI,IAAI;KAClC,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,WAAW,CAAI,OAA8B;IACjE,MAAM,QAAQ,GAAG,OAAO,CAAC,KAAK,CAAC,SAAS,CAAC,OAAO,CAAC,OAAO,EAAE,OAAO,CAAC,eAAe,IAAI,CAAC,CAAC,CAAC;IACxF,YAAY,CAAC,QAAQ,CAAC,CAAC;IACvB,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC;QAC/B,GAAG,EAAE,OAAO,CAAC,GAAG;QAChB,MAAM,EAAE,OAAO,CAAC,MAAM,IAAI,KAAK;QAC/B,OAAO,EAAE,OAAO,CAAC,OAAO;QACxB,IAAI,EAAE,OAAO,CAAC,IAAI;KACnB,CAAC,CAAC;IACH,OAAO;QACL,KAAK;QACL,QAAQ;QACR,OAAO,EAAE,QAAQ,CAAC,OAAO,IAAI,IAAI;KAClC,CAAC;AACJ,CAAC"}
package/package.json ADDED
@@ -0,0 +1,52 @@
1
+ {
2
+ "name": "@predicatesystems/authority",
3
+ "version": "0.3.1",
4
+ "description": "TypeScript authority SDK for Predicate Systems sidecar integration.",
5
+ "license": "(MIT OR Apache-2.0)",
6
+ "type": "module",
7
+ "main": "dist/index.js",
8
+ "types": "dist/index.d.ts",
9
+ "files": [
10
+ "dist",
11
+ "README.md",
12
+ "LICENSE*"
13
+ ],
14
+ "scripts": {
15
+ "build": "tsc -p tsconfig.build.json",
16
+ "typecheck": "tsc --noEmit",
17
+ "lint": "biome check src tests",
18
+ "test": "vitest run",
19
+ "test:integration": "RUN_SIDECAR_INTEGRATION_TESTS=true vitest run tests/integration.sidecar.test.ts",
20
+ "test:watch": "vitest",
21
+ "smoke:npm": "bash ./smoke-from-npm.sh",
22
+ "security:audit": "npm audit --audit-level=high",
23
+ "precommit": "npm run lint && npm run typecheck && npm test",
24
+ "prepare": "husky",
25
+ "clean": "rm -rf dist",
26
+ "prepublishOnly": "npm run typecheck && npm run test && npm run build"
27
+ },
28
+ "publishConfig": {
29
+ "access": "public"
30
+ },
31
+ "engines": {
32
+ "node": ">=20.0.0"
33
+ },
34
+ "repository": {
35
+ "type": "git",
36
+ "url": "https://github.com/PredicateSystems/predicate-authority-ts.git"
37
+ },
38
+ "keywords": [
39
+ "predicate",
40
+ "authority",
41
+ "typescript",
42
+ "sdk",
43
+ "security"
44
+ ],
45
+ "devDependencies": {
46
+ "@biomejs/biome": "^1.9.4",
47
+ "@types/node": "^22.13.10",
48
+ "husky": "^9.1.7",
49
+ "typescript": "^5.8.2",
50
+ "vitest": "^3.0.8"
51
+ }
52
+ }