@private.me/xbind 3.0.1 → 3.0.2

package/dist-standalone/plugins/validation.js

@@ -1 +1,297 @@
-import{ok,err}from"../_deps/shared/index.js";export class ValidationPlugin{name="validation";version="1.0.0";description="Validates payloads and envelopes before processing";priority=5;options;validationErrors=[];constructor(e={}){this.options={maxPayloadSize:e.maxPayloadSize??10485760,maxEnvelopeSize:e.maxEnvelopeSize??15728640,allowedScopes:e.allowedScopes??[],customRules:e.customRules??[],strictMode:e.strictMode??!1,validateSchema:e.validateSchema??!1}}onInit(){return ok(void 0)}onDestroy(){return this.validationErrors=[],ok(void 0)}onSend(e,r){const t=this.validatePayloadSize(e);if(!1===t.ok)return this.recordError("payload_size",t.error),err(t.error);if(r.scope){const e=this.validateScope(r.scope);if(!1===e.ok)return this.recordError("scope",e.error),err(e.error)}const o=this.validatePayloadStructure(e);if(!1===o.ok)return this.recordError("payload_structure",o.error),err(o.error);for(const t of this.options.customRules)if(!t.appliesTo||t.appliesTo.includes("send")){const o=t.validate(e,r);if(o)return this.recordError(t.name,o),err(`VALIDATION_FAILED:${t.name}:${o}`)}return ok({payload:e})}onReceive(e,r){const t=this.validateEnvelopeSize(e);if(!1===t.ok)return this.recordError("envelope_size",t.error),err(t.error);const o=this.validateEnvelopeStructure(e);if(!1===o.ok)return this.recordError("envelope_structure",o.error),err(o.error);for(const t of this.options.customRules)if(!t.appliesTo||t.appliesTo.includes("receive")){const o=t.validate(e,r);if(o)return this.recordError(t.name,o),err(`VALIDATION_FAILED:${t.name}:${o}`)}return ok({payload:e})}onEncrypt(e,r){if(0===e.length)return this.recordError("plaintext_empty","Plaintext cannot be empty"),err("VALIDATION_FAILED:PLAINTEXT_EMPTY");if(e.length>this.options.maxPayloadSize)return this.recordError("plaintext_size",`Plaintext exceeds max size: ${e.length} bytes`),err(`VALIDATION_FAILED:PLAINTEXT_TOO_LARGE:${e.length}`);for(const t of this.options.customRules)if(!t.appliesTo||t.appliesTo.includes("encrypt")){const o=t.validate(e,r);if(o)return this.recordError(t.name,o),err(`VALIDATION_FAILED:${t.name}:${o}`)}return ok({payload:e})}onDecrypt(e,r){if(0===e.length)return this.recordError("plaintext_empty","Decrypted plaintext is empty"),err("VALIDATION_FAILED:DECRYPTED_EMPTY");for(const t of this.options.customRules)if(!t.appliesTo||t.appliesTo.includes("decrypt")){const o=t.validate(e,r);if(o)return this.recordError(t.name,o),err(`VALIDATION_FAILED:${t.name}:${o}`)}return ok({payload:e})}getValidationErrors(){return[...this.validationErrors]}clearErrors(){this.validationErrors=[]}addRule(e){this.options.customRules.push(e)}removeRule(e){const r=this.options.customRules.findIndex(r=>r.name===e);return-1!==r&&(this.options.customRules.splice(r,1),!0)}validatePayloadSize(e){const r=this.estimateSize(e);return r>this.options.maxPayloadSize?err(`VALIDATION_FAILED:PAYLOAD_TOO_LARGE:${r}>${this.options.maxPayloadSize}`):ok(void 0)}validateEnvelopeSize(e){const r=this.estimateSize(e);return r>this.options.maxEnvelopeSize?err(`VALIDATION_FAILED:ENVELOPE_TOO_LARGE:${r}>${this.options.maxEnvelopeSize}`):ok(void 0)}validateScope(e){return this.options.allowedScopes.length>0&&!this.options.allowedScopes.includes(e)?err(`VALIDATION_FAILED:SCOPE_NOT_ALLOWED:${e}`):ok(void 0)}validatePayloadStructure(e){if(null==e)return err("VALIDATION_FAILED:PAYLOAD_NULL_OR_UNDEFINED");try{JSON.stringify(e)}catch(e){return err(`VALIDATION_FAILED:PAYLOAD_NOT_SERIALIZABLE:${String(e)}`)}return ok(void 0)}validateEnvelopeStructure(e){return"v"in e||"version"in e?e.sender?e.recipient?"payload"in e||"ciphertext"in e?ok(void 0):err("VALIDATION_FAILED:ENVELOPE_MISSING_CIPHERTEXT"):err("VALIDATION_FAILED:ENVELOPE_MISSING_RECIPIENT"):err("VALIDATION_FAILED:ENVELOPE_MISSING_SENDER"):err("VALIDATION_FAILED:ENVELOPE_MISSING_VERSION")}estimateSize(e){if(e instanceof Uint8Array)return e.length;try{return JSON.stringify(e).length}catch{return 0}}recordError(e,r){this.validationErrors.push({timestamp:Date.now(),rule:e,error:r}),this.validationErrors.length>1e3&&this.validationErrors.shift()}}export function createValidationPlugin(e){return new ValidationPlugin(e)}export const CommonRules={requireFields:e=>({name:"require_fields",appliesTo:["send"],validate:r=>{if("object"!=typeof r||null===r)return"Payload must be an object";const t=r,o=e.filter(e=>!(e in t));return o.length>0?`Missing required fields: ${o.join(", ")}`:null}}),validateDIDFormat:()=>({name:"did_format",appliesTo:["send","receive"],validate:(e,r)=>r.recipient&&!r.recipient.startsWith("did:")?`Invalid DID format: ${r.recipient}`:null}),validateTimestamp:(e=3e5)=>({name:"timestamp_freshness",appliesTo:["receive"],validate:(r,t)=>{const o=Date.now()-t.timestamp;return o>e?`Timestamp too old: ${o}ms > ${e}ms`:null}})};
+/**
+ * @module plugins/validation
+ * Validation plugin for xBind plugin system
+ *
+ * Validates payloads, envelopes, and ensures data integrity before processing.
+ */
+import { ok, err } from"../_deps/shared/index.js";
+/**
+ * Validation plugin implementation.
+ * Validates all data before processing to ensure integrity and compliance.
+ */
+export class ValidationPlugin {
+    name = 'validation';
+    version = '1.0.0';
+    description = 'Validates payloads and envelopes before processing';
+    priority = 5; // Execute very early
+    options;
+    validationErrors = [];
+    constructor(options = {}) {
+        this.options = {
+            maxPayloadSize: options.maxPayloadSize ?? 10 * 1024 * 1024, // 10MB
+            maxEnvelopeSize: options.maxEnvelopeSize ?? 15 * 1024 * 1024, // 15MB
+            allowedScopes: options.allowedScopes ?? [],
+            customRules: options.customRules ?? [],
+            strictMode: options.strictMode ?? false,
+            validateSchema: options.validateSchema ?? false,
+        };
+    }
+    onInit() {
+        return ok(undefined);
+    }
+    onDestroy() {
+        this.validationErrors = [];
+        return ok(undefined);
+    }
+    onSend(payload, context) {
+        // Validate payload size
+        const sizeResult = this.validatePayloadSize(payload);
+        if (sizeResult.ok === false) {
+            this.recordError('payload_size', sizeResult.error);
+            return err(sizeResult.error);
+        }
+        // Validate scope
+        if (context.scope) {
+            const scopeResult = this.validateScope(context.scope);
+            if (scopeResult.ok === false) {
+                this.recordError('scope', scopeResult.error);
+                return err(scopeResult.error);
+            }
+        }
+        // Validate payload structure
+        const structureResult = this.validatePayloadStructure(payload);
+        if (structureResult.ok === false) {
+            this.recordError('payload_structure', structureResult.error);
+            return err(structureResult.error);
+        }
+        // Apply custom rules
+        for (const rule of this.options.customRules) {
+            if (!rule.appliesTo || rule.appliesTo.includes('send')) {
+                const error = rule.validate(payload, context);
+                if (error) {
+                    this.recordError(rule.name, error);
+                    return err(`VALIDATION_FAILED:${rule.name}:${error}`);
+                }
+            }
+        }
+        return ok({ payload });
+    }
+    onReceive(envelope, context) {
+        // Validate envelope size
+        const sizeResult = this.validateEnvelopeSize(envelope);
+        if (sizeResult.ok === false) {
+            this.recordError('envelope_size', sizeResult.error);
+            return err(sizeResult.error);
+        }
+        // Validate envelope structure
+        const structureResult = this.validateEnvelopeStructure(envelope);
+        if (structureResult.ok === false) {
+            this.recordError('envelope_structure', structureResult.error);
+            return err(structureResult.error);
+        }
+        // Apply custom rules
+        for (const rule of this.options.customRules) {
+            if (!rule.appliesTo || rule.appliesTo.includes('receive')) {
+                const error = rule.validate(envelope, context);
+                if (error) {
+                    this.recordError(rule.name, error);
+                    return err(`VALIDATION_FAILED:${rule.name}:${error}`);
+                }
+            }
+        }
+        return ok({ payload: envelope });
+    }
+    onEncrypt(plaintext, context) {
+        // Validate plaintext is not empty
+        if (plaintext.length === 0) {
+            this.recordError('plaintext_empty', 'Plaintext cannot be empty');
+            return err('VALIDATION_FAILED:PLAINTEXT_EMPTY');
+        }
+        // Validate plaintext size
+        if (plaintext.length > this.options.maxPayloadSize) {
+            this.recordError('plaintext_size', `Plaintext exceeds max size: ${plaintext.length} bytes`);
+            return err(`VALIDATION_FAILED:PLAINTEXT_TOO_LARGE:${plaintext.length}`);
+        }
+        // Apply custom rules
+        for (const rule of this.options.customRules) {
+            if (!rule.appliesTo || rule.appliesTo.includes('encrypt')) {
+                const error = rule.validate(plaintext, context);
+                if (error) {
+                    this.recordError(rule.name, error);
+                    return err(`VALIDATION_FAILED:${rule.name}:${error}`);
+                }
+            }
+        }
+        return ok({ payload: plaintext });
+    }
+    onDecrypt(plaintext, context) {
+        // Validate plaintext is not empty
+        if (plaintext.length === 0) {
+            this.recordError('plaintext_empty', 'Decrypted plaintext is empty');
+            return err('VALIDATION_FAILED:DECRYPTED_EMPTY');
+        }
+        // Apply custom rules
+        for (const rule of this.options.customRules) {
+            if (!rule.appliesTo || rule.appliesTo.includes('decrypt')) {
+                const error = rule.validate(plaintext, context);
+                if (error) {
+                    this.recordError(rule.name, error);
+                    return err(`VALIDATION_FAILED:${rule.name}:${error}`);
+                }
+            }
+        }
+        return ok({ payload: plaintext });
+    }
+    /**
+     * Get all validation errors.
+     */
+    getValidationErrors() {
+        return [...this.validationErrors];
+    }
+    /**
+     * Clear validation errors.
+     */
+    clearErrors() {
+        this.validationErrors = [];
+    }
+    /**
+     * Add a custom validation rule.
+     */
+    addRule(rule) {
+        this.options.customRules.push(rule);
+    }
+    /**
+     * Remove a custom validation rule by name.
+     */
+    removeRule(name) {
+        const index = this.options.customRules.findIndex((r) => r.name === name);
+        if (index === -1) {
+            return false;
+        }
+        this.options.customRules.splice(index, 1);
+        return true;
+    }
+    validatePayloadSize(payload) {
+        const size = this.estimateSize(payload);
+        if (size > this.options.maxPayloadSize) {
+            return err(`VALIDATION_FAILED:PAYLOAD_TOO_LARGE:${size}>${this.options.maxPayloadSize}`);
+        }
+        return ok(undefined);
+    }
+    validateEnvelopeSize(envelope) {
+        const size = this.estimateSize(envelope);
+        if (size > this.options.maxEnvelopeSize) {
+            return err(`VALIDATION_FAILED:ENVELOPE_TOO_LARGE:${size}>${this.options.maxEnvelopeSize}`);
+        }
+        return ok(undefined);
+    }
+    validateScope(scope) {
+        if (this.options.allowedScopes.length > 0 && !this.options.allowedScopes.includes(scope)) {
+            return err(`VALIDATION_FAILED:SCOPE_NOT_ALLOWED:${scope}`);
+        }
+        return ok(undefined);
+    }
+    validatePayloadStructure(payload) {
+        if (payload === null || payload === undefined) {
+            return err('VALIDATION_FAILED:PAYLOAD_NULL_OR_UNDEFINED');
+        }
+        // Validate can be serialized to JSON
+        try {
+            JSON.stringify(payload);
+        }
+        catch (error) {
+            return err(`VALIDATION_FAILED:PAYLOAD_NOT_SERIALIZABLE:${String(error)}`);
+        }
+        return ok(undefined);
+    }
+    validateEnvelopeStructure(envelope) {
+        // Validate required fields
+        if (!('v' in envelope) && !('version' in envelope)) {
+            return err('VALIDATION_FAILED:ENVELOPE_MISSING_VERSION');
+        }
+        if (!envelope.sender) {
+            return err('VALIDATION_FAILED:ENVELOPE_MISSING_SENDER');
+        }
+        if (!envelope.recipient) {
+            return err('VALIDATION_FAILED:ENVELOPE_MISSING_RECIPIENT');
+        }
+        if (!('payload' in envelope) && !('ciphertext' in envelope)) {
+            return err('VALIDATION_FAILED:ENVELOPE_MISSING_CIPHERTEXT');
+        }
+        return ok(undefined);
+    }
+    estimateSize(value) {
+        if (value instanceof Uint8Array) {
+            return value.length;
+        }
+        try {
+            return JSON.stringify(value).length;
+        }
+        catch {
+            return 0;
+        }
+    }
+    recordError(rule, error) {
+        this.validationErrors.push({
+            timestamp: Date.now(),
+            rule,
+            error,
+        });
+        // Keep only last 1000 errors
+        if (this.validationErrors.length > 1000) {
+            this.validationErrors.shift();
+        }
+    }
+}
+/**
+ * Create a validation plugin with options.
+ */
+export function createValidationPlugin(options) {
+    return new ValidationPlugin(options);
+}
+/**
+ * Common validation rules.
+ */
+export const CommonRules = {
+    /**
+     * Validate payload contains required fields.
+     */
+    requireFields(fields) {
+        return {
+            name: 'require_fields',
+            appliesTo: ['send'],
+            validate: (value) => {
+                if (typeof value !== 'object' || value === null) {
+                    return 'Payload must be an object';
+                }
+                const obj = value;
+                const missing = fields.filter((field) => !(field in obj));
+                if (missing.length > 0) {
+                    return `Missing required fields: ${missing.join(', ')}`;
+                }
+                return null;
+            },
+        };
+    },
+    /**
+     * Validate DID format.
+     */
+    validateDIDFormat() {
+        return {
+            name: 'did_format',
+            appliesTo: ['send', 'receive'],
+            validate: (value, context) => {
+                if (context.recipient && !context.recipient.startsWith('did:')) {
+                    return `Invalid DID format: ${context.recipient}`;
+                }
+                return null;
+            },
+        };
+    },
+    /**
+     * Validate timestamp is recent.
+     */
+    validateTimestamp(maxAgeMs = 300000) {
+        return {
+            name: 'timestamp_freshness',
+            appliesTo: ['receive'],
+            validate: (value, context) => {
+                const age = Date.now() - context.timestamp;
+                if (age > maxAgeMs) {
+                    return `Timestamp too old: ${age}ms > ${maxAgeMs}ms`;
+                }
+                return null;
+            },
+        };
+    },
+};

package/dist-standalone/policy.js

@@ -1 +1,315 @@
-import{ok,err}from"./_deps/shared/index.js";import{AgentError,AgentErrorCode}from"./agent-call.js";export class PolicyEngine{rateLimits=new Map;dailySpending=new Map;monthlySpending=new Map;evaluate(t,e,n,o){if(o.allowedTools&&o.allowedTools.length>0){const[t]=e.split(":");if(!o.allowedTools.some(n=>n===e||n===`${t}:*`||"*"===n)){const n={requested:e,allowed:o.allowedTools,constraint:"tool",fix:`Update policy.allowedTools to include "${e}" or "${t}:*" or request approval`};return err(new AgentError(AgentErrorCode.POLICY_VIOLATION,`Tool "${e}" is not allowed by policy`,n))}}if(o.scopes&&o.scopes.length>0){const t="object"==typeof n&&null!==n&&"scope"in n?n.scope:void 0;if(t&&!o.scopes.includes(t)){const e={requested:t,allowed:o.scopes,constraint:"scope",fix:`Update policy.scopes to include "${t}" or request additional permissions`};return err(new AgentError(AgentErrorCode.POLICY_VIOLATION,`Scope "${t}" is not allowed by policy`,e))}}if(o.limits?.callsPerMinute){const e=this.checkRateLimit(t,o.limits.callsPerMinute);if(!e.ok)return e}const i=this.extractAmount(n);if(null!==i){if(o.limits?.amountPerTxn&&i>o.limits.amountPerTxn){const t={requested:i,allowed:o.limits.amountPerTxn,constraint:"amountPerTxn",fix:`Reduce amount to ${o.limits.amountPerTxn} or less, or update policy.limits.amountPerTxn`};return err(new AgentError(AgentErrorCode.POLICY_VIOLATION,`Amount ${i} exceeds per-transaction limit of ${o.limits.amountPerTxn}`,t))}if(o.limits?.dailyAmount){const e=this.checkDailyLimit(t,i,o.limits.dailyAmount);if(!e.ok)return e}if(o.limits?.monthlyAmount){const e=this.checkMonthlyLimit(t,i,o.limits.monthlyAmount);if(!e.ok)return e}}return ok(void 0)}recordCall(t){const e=Date.now(),n=this.rateLimits.get(t)??{calls:[],windowStart:e};n.calls.push(e);const o=e-6e4;n.calls=n.calls.filter(t=>t>o),this.rateLimits.set(t,n)}recordSpending(t,e){const n=this.getCurrentDay(),o=this.getCurrentMonth(),i=this.dailySpending.get(t);i&&i.day===n?i.amount+=e:this.dailySpending.set(t,{amount:e,day:n});const r=this.monthlySpending.get(t);r&&r.month===o?r.amount+=e:this.monthlySpending.set(t,{amount:e,month:o})}getCurrentRateLimit(t){const e=this.rateLimits.get(t);if(!e)return 0;const n=Date.now()-6e4;return e.calls.filter(t=>t>n).length}getDailySpending(t){const e=this.getCurrentDay(),n=this.dailySpending.get(t);return n&&n.day===e?n.amount:0}getMonthlySpending(t){const e=this.getCurrentMonth(),n=this.monthlySpending.get(t);return n&&n.month===e?n.amount:0}reset(t){this.rateLimits.delete(t),this.dailySpending.delete(t),this.monthlySpending.delete(t)}checkRateLimit(t,e){const n=this.getCurrentRateLimit(t);if(n>=e){const t={requested:n+1,allowed:e,constraint:"callsPerMinute",current:n,fix:"Wait before making additional calls, or update policy.limits.callsPerMinute to a higher value"};return err(new AgentError(AgentErrorCode.POLICY_VIOLATION,`Rate limit exceeded: ${n}/${e} calls per minute`,t))}return ok(void 0)}checkDailyLimit(t,e,n){const o=this.getDailySpending(t),i=o+e;if(i>n){const t=n-o,r={requested:e,allowed:n,constraint:"dailyAmount",current:o,newTotal:i,fix:t>0?`Reduce amount to ${t} or less (remaining today), or update policy.limits.dailyAmount`:"Daily limit already reached. Wait until tomorrow or update policy.limits.dailyAmount"};return err(new AgentError(AgentErrorCode.POLICY_VIOLATION,`Amount ${e} would exceed daily limit: ${i}/${n} (current: ${o})`,r))}return ok(void 0)}extractAmount(t){if("object"!=typeof t||null===t)return null;const e=t;return"number"==typeof e.amount?e.amount:"number"==typeof e.value?e.value:"number"==typeof e.price?e.price:"number"==typeof e.total?e.total:null}getCurrentDay(){return(new Date).toISOString().split("T")[0]??""}getCurrentMonth(){return(new Date).toISOString().substring(0,7)}checkMonthlyLimit(t,e,n){const o=this.getMonthlySpending(t),i=o+e;if(i>n){const t=n-o,r={requested:e,allowed:n,constraint:"dailyAmount",current:o,newTotal:i,fix:t>0?`Reduce amount to ${t} or less (remaining this month), or update policy.limits.monthlyAmount`:"Monthly limit already reached. Wait until next month or update policy.limits.monthlyAmount"};return err(new AgentError(AgentErrorCode.POLICY_VIOLATION,`Amount ${e} would exceed monthly limit: ${i}/${n} (current: ${o})`,r))}return ok(void 0)}}let globalPolicyEngine=null;export function getGlobalPolicyEngine(){return globalPolicyEngine||(globalPolicyEngine=new PolicyEngine),globalPolicyEngine}
+/**
+ * @module policy
+ * PolicyEngine for agent.call() constraint enforcement
+ *
+ * Enforces spending limits, rate limits, scope restrictions, and data filters
+ * on agent tool calls. Separate from SecurityPolicy (risk classification).
+ */
+import { ok, err } from"./_deps/shared/index.js";
+import { AgentError, AgentErrorCode } from './agent-call.js';
+/**
+ * PolicyEngine - Enforces constraints on agent.call() requests
+ *
+ * Tracks:
+ * - Per-transaction spending limits
+ * - Daily spending limits
+ * - Rate limits (calls per minute)
+ * - Allowed tools/scopes
+ *
+ * Thread-safe for concurrent requests from the same agent.
+ */
+export class PolicyEngine {
+    /** Rate limit tracker by agent DID */
+    rateLimits = new Map();
+    /** Daily spending tracker by agent DID */
+    dailySpending = new Map();
+    /** Monthly spending tracker by agent DID */
+    monthlySpending = new Map();
+    /**
+     * Evaluate a policy against a request
+     *
+     * @param agentDID - Agent DID making the request
+     * @param tool - Tool being called (e.g., "stripe:createCharge")
+     * @param params - Tool parameters
+     * @param constraints - Policy constraints to enforce
+     * @returns Policy evaluation result
+     */
+    evaluate(agentDID, tool, params, constraints) {
+        // Check allowed tools
+        if (constraints.allowedTools && constraints.allowedTools.length > 0) {
+            const [service] = tool.split(':');
+            const isAllowed = constraints.allowedTools.some((allowed) => allowed === tool || allowed === `${service}:*` || allowed === '*');
+            if (!isAllowed) {
+                const details = {
+                    requested: tool,
+                    allowed: constraints.allowedTools,
+                    constraint: 'tool',
+                    fix: `Update policy.allowedTools to include "${tool}" or "${service}:*" or request approval`,
+                };
+                return err(new AgentError(AgentErrorCode.POLICY_VIOLATION, `Tool "${tool}" is not allowed by policy`, details));
+            }
+        }
+        // Check scopes
+        if (constraints.scopes && constraints.scopes.length > 0) {
+            // Extract scope from params if present
+            const scope = typeof params === 'object' && params !== null && 'scope' in params
+                ? params.scope
+                : undefined;
+            if (scope && !constraints.scopes.includes(scope)) {
+                const details = {
+                    requested: scope,
+                    allowed: constraints.scopes,
+                    constraint: 'scope',
+                    fix: `Update policy.scopes to include "${scope}" or request additional permissions`,
+                };
+                return err(new AgentError(AgentErrorCode.POLICY_VIOLATION, `Scope "${scope}" is not allowed by policy`, details));
+            }
+        }
+        // Check rate limits
+        if (constraints.limits?.callsPerMinute) {
+            const rateCheck = this.checkRateLimit(agentDID, constraints.limits.callsPerMinute);
+            if (!rateCheck.ok) {
+                return rateCheck;
+            }
+        }
+        // Check spending limits (if amount is in params)
+        const amount = this.extractAmount(params);
+        if (amount !== null) {
+            // Check per-transaction limit
+            if (constraints.limits?.amountPerTxn && amount > constraints.limits.amountPerTxn) {
+                const details = {
+                    requested: amount,
+                    allowed: constraints.limits.amountPerTxn,
+                    constraint: 'amountPerTxn',
+                    fix: `Reduce amount to ${constraints.limits.amountPerTxn} or less, or update policy.limits.amountPerTxn`,
+                };
+                return err(new AgentError(AgentErrorCode.POLICY_VIOLATION, `Amount ${amount} exceeds per-transaction limit of ${constraints.limits.amountPerTxn}`, details));
+            }
+            // Check daily limit
+            if (constraints.limits?.dailyAmount) {
+                const dailyCheck = this.checkDailyLimit(agentDID, amount, constraints.limits.dailyAmount);
+                if (!dailyCheck.ok) {
+                    return dailyCheck;
+                }
+            }
+            // Check monthly limit
+            if (constraints.limits?.monthlyAmount) {
+                const monthlyCheck = this.checkMonthlyLimit(agentDID, amount, constraints.limits.monthlyAmount);
+                if (!monthlyCheck.ok) {
+                    return monthlyCheck;
+                }
+            }
+        }
+        // All checks passed
+        return ok(undefined);
+    }
+    /**
+     * Record a successful call (for rate limiting)
+     *
+     * @param agentDID - Agent DID
+     */
+    recordCall(agentDID) {
+        const now = Date.now();
+        const entry = this.rateLimits.get(agentDID) ?? {
+            calls: [],
+            windowStart: now,
+        };
+        entry.calls.push(now);
+        // Clean up old calls (older than 1 minute)
+        const oneMinuteAgo = now - 60000;
+        entry.calls = entry.calls.filter((timestamp) => timestamp > oneMinuteAgo);
+        this.rateLimits.set(agentDID, entry);
+    }
+    /**
+     * Record successful spending (for daily and monthly limits)
+     *
+     * @param agentDID - Agent DID
+     * @param amount - Amount spent
+     */
+    recordSpending(agentDID, amount) {
+        const today = this.getCurrentDay();
+        const thisMonth = this.getCurrentMonth();
+        // Update daily spending
+        const dailyEntry = this.dailySpending.get(agentDID);
+        if (dailyEntry && dailyEntry.day === today) {
+            dailyEntry.amount += amount;
+        }
+        else {
+            this.dailySpending.set(agentDID, {
+                amount,
+                day: today,
+            });
+        }
+        // Update monthly spending
+        const monthlyEntry = this.monthlySpending.get(agentDID);
+        if (monthlyEntry && monthlyEntry.month === thisMonth) {
+            monthlyEntry.amount += amount;
+        }
+        else {
+            this.monthlySpending.set(agentDID, {
+                amount,
+                month: thisMonth,
+            });
+        }
+    }
+    /**
+     * Get current rate limit status for an agent
+     *
+     * @param agentDID - Agent DID
+     * @returns Calls in current minute
+     */
+    getCurrentRateLimit(agentDID) {
+        const entry = this.rateLimits.get(agentDID);
+        if (!entry)
+            return 0;
+        const now = Date.now();
+        const oneMinuteAgo = now - 60000;
+        // Count calls in last minute
+        return entry.calls.filter((timestamp) => timestamp > oneMinuteAgo).length;
+    }
+    /**
+     * Get current daily spending for an agent
+     *
+     * @param agentDID - Agent DID
+     * @returns Amount spent today
+     */
+    getDailySpending(agentDID) {
+        const today = this.getCurrentDay();
+        const entry = this.dailySpending.get(agentDID);
+        if (!entry || entry.day !== today)
+            return 0;
+        return entry.amount;
+    }
+    /**
+     * Get current monthly spending for an agent
+     *
+     * @param agentDID - Agent DID
+     * @returns Amount spent this month
+     */
+    getMonthlySpending(agentDID) {
+        const thisMonth = this.getCurrentMonth();
+        const entry = this.monthlySpending.get(agentDID);
+        if (!entry || entry.month !== thisMonth)
+            return 0;
+        return entry.amount;
+    }
+    /**
+     * Reset all limits for an agent (for testing)
+     *
+     * @param agentDID - Agent DID
+     */
+    reset(agentDID) {
+        this.rateLimits.delete(agentDID);
+        this.dailySpending.delete(agentDID);
+        this.monthlySpending.delete(agentDID);
+    }
+    /**
+     * Check rate limit
+     */
+    checkRateLimit(agentDID, limit) {
+        const current = this.getCurrentRateLimit(agentDID);
+        if (current >= limit) {
+            const details = {
+                requested: current + 1,
+                allowed: limit,
+                constraint: 'callsPerMinute',
+                current,
+                fix: `Wait before making additional calls, or update policy.limits.callsPerMinute to a higher value`,
+            };
+            return err(new AgentError(AgentErrorCode.POLICY_VIOLATION, `Rate limit exceeded: ${current}/${limit} calls per minute`, details));
+        }
+        return ok(undefined);
+    }
+    /**
+     * Check daily spending limit
+     */
+    checkDailyLimit(agentDID, amount, limit) {
+        const current = this.getDailySpending(agentDID);
+        const newTotal = current + amount;
+        if (newTotal > limit) {
+            const remaining = limit - current;
+            const details = {
+                requested: amount,
+                allowed: limit,
+                constraint: 'dailyAmount',
+                current,
+                newTotal,
+                fix: remaining > 0
+                    ? `Reduce amount to ${remaining} or less (remaining today), or update policy.limits.dailyAmount`
+                    : `Daily limit already reached. Wait until tomorrow or update policy.limits.dailyAmount`,
+            };
+            return err(new AgentError(AgentErrorCode.POLICY_VIOLATION, `Amount ${amount} would exceed daily limit: ${newTotal}/${limit} (current: ${current})`, details));
+        }
+        return ok(undefined);
+    }
+    /**
+     * Extract amount from params
+     */
+    extractAmount(params) {
+        if (typeof params !== 'object' || params === null)
+            return null;
+        const obj = params;
+        // Check common amount field names
+        if (typeof obj.amount === 'number')
+            return obj.amount;
+        if (typeof obj.value === 'number')
+            return obj.value;
+        if (typeof obj.price === 'number')
+            return obj.price;
+        if (typeof obj.total === 'number')
+            return obj.total;
+        return null;
+    }
+    /**
+     * Get current day identifier (YYYY-MM-DD in UTC)
+     */
+    getCurrentDay() {
+        const now = new Date();
+        return now.toISOString().split('T')[0] ?? '';
+    }
+    /**
+     * Get current month identifier (YYYY-MM in UTC)
+     */
+    getCurrentMonth() {
+        const now = new Date();
+        const iso = now.toISOString();
+        return iso.substring(0, 7); // YYYY-MM
+    }
+    /**
+     * Check monthly spending limit
+     */
+    checkMonthlyLimit(agentDID, amount, limit) {
+        const current = this.getMonthlySpending(agentDID);
+        const newTotal = current + amount;
+        if (newTotal > limit) {
+            const remaining = limit - current;
+            const details = {
+                requested: amount,
+                allowed: limit,
+                constraint: 'dailyAmount', // Reuse constraint type (will add monthlyAmount later)
+                current,
+                newTotal,
+                fix: remaining > 0
+                    ? `Reduce amount to ${remaining} or less (remaining this month), or update policy.limits.monthlyAmount`
+                    : `Monthly limit already reached. Wait until next month or update policy.limits.monthlyAmount`,
+            };
+            return err(new AgentError(AgentErrorCode.POLICY_VIOLATION, `Amount ${amount} would exceed monthly limit: ${newTotal}/${limit} (current: ${current})`, details));
+        }
+        return ok(undefined);
+    }
+}
+/**
+ * Global policy engine instance (singleton)
+ */
+let globalPolicyEngine = null;
+/**
+ * Get the global policy engine instance
+ *
+ * @returns PolicyEngine instance
+ */
+export function getGlobalPolicyEngine() {
+    if (!globalPolicyEngine) {
+        globalPolicyEngine = new PolicyEngine();
+    }
+    return globalPolicyEngine;
+}