@private.me/xbind 3.0.2 → 3.0.4

package/dist-standalone/cjs/plugins/validation.js

@@ -1,302 +1 @@
-"use strict";
-/**
- * @module plugins/validation
- * Validation plugin for xBind plugin system
- *
- * Validates payloads, envelopes, and ensures data integrity before processing.
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.CommonRules = exports.ValidationPlugin = void 0;
-exports.createValidationPlugin = createValidationPlugin;
-const shared_1 = require("../../_deps/shared/index.js");
-/**
- * Validation plugin implementation.
- * Validates all data before processing to ensure integrity and compliance.
- */
-class ValidationPlugin {
-    name = 'validation';
-    version = '1.0.0';
-    description = 'Validates payloads and envelopes before processing';
-    priority = 5; // Execute very early
-    options;
-    validationErrors = [];
-    constructor(options = {}) {
-        this.options = {
-            maxPayloadSize: options.maxPayloadSize ?? 10 * 1024 * 1024, // 10MB
-            maxEnvelopeSize: options.maxEnvelopeSize ?? 15 * 1024 * 1024, // 15MB
-            allowedScopes: options.allowedScopes ?? [],
-            customRules: options.customRules ?? [],
-            strictMode: options.strictMode ?? false,
-            validateSchema: options.validateSchema ?? false,
-        };
-    }
-    onInit() {
-        return (0, shared_1.ok)(undefined);
-    }
-    onDestroy() {
-        this.validationErrors = [];
-        return (0, shared_1.ok)(undefined);
-    }
-    onSend(payload, context) {
-        // Validate payload size
-        const sizeResult = this.validatePayloadSize(payload);
-        if (sizeResult.ok === false) {
-            this.recordError('payload_size', sizeResult.error);
-            return (0, shared_1.err)(sizeResult.error);
-        }
-        // Validate scope
-        if (context.scope) {
-            const scopeResult = this.validateScope(context.scope);
-            if (scopeResult.ok === false) {
-                this.recordError('scope', scopeResult.error);
-                return (0, shared_1.err)(scopeResult.error);
-            }
-        }
-        // Validate payload structure
-        const structureResult = this.validatePayloadStructure(payload);
-        if (structureResult.ok === false) {
-            this.recordError('payload_structure', structureResult.error);
-            return (0, shared_1.err)(structureResult.error);
-        }
-        // Apply custom rules
-        for (const rule of this.options.customRules) {
-            if (!rule.appliesTo || rule.appliesTo.includes('send')) {
-                const error = rule.validate(payload, context);
-                if (error) {
-                    this.recordError(rule.name, error);
-                    return (0, shared_1.err)(`VALIDATION_FAILED:${rule.name}:${error}`);
-                }
-            }
-        }
-        return (0, shared_1.ok)({ payload });
-    }
-    onReceive(envelope, context) {
-        // Validate envelope size
-        const sizeResult = this.validateEnvelopeSize(envelope);
-        if (sizeResult.ok === false) {
-            this.recordError('envelope_size', sizeResult.error);
-            return (0, shared_1.err)(sizeResult.error);
-        }
-        // Validate envelope structure
-        const structureResult = this.validateEnvelopeStructure(envelope);
-        if (structureResult.ok === false) {
-            this.recordError('envelope_structure', structureResult.error);
-            return (0, shared_1.err)(structureResult.error);
-        }
-        // Apply custom rules
-        for (const rule of this.options.customRules) {
-            if (!rule.appliesTo || rule.appliesTo.includes('receive')) {
-                const error = rule.validate(envelope, context);
-                if (error) {
-                    this.recordError(rule.name, error);
-                    return (0, shared_1.err)(`VALIDATION_FAILED:${rule.name}:${error}`);
-                }
-            }
-        }
-        return (0, shared_1.ok)({ payload: envelope });
-    }
-    onEncrypt(plaintext, context) {
-        // Validate plaintext is not empty
-        if (plaintext.length === 0) {
-            this.recordError('plaintext_empty', 'Plaintext cannot be empty');
-            return (0, shared_1.err)('VALIDATION_FAILED:PLAINTEXT_EMPTY');
-        }
-        // Validate plaintext size
-        if (plaintext.length > this.options.maxPayloadSize) {
-            this.recordError('plaintext_size', `Plaintext exceeds max size: ${plaintext.length} bytes`);
-            return (0, shared_1.err)(`VALIDATION_FAILED:PLAINTEXT_TOO_LARGE:${plaintext.length}`);
-        }
-        // Apply custom rules
-        for (const rule of this.options.customRules) {
-            if (!rule.appliesTo || rule.appliesTo.includes('encrypt')) {
-                const error = rule.validate(plaintext, context);
-                if (error) {
-                    this.recordError(rule.name, error);
-                    return (0, shared_1.err)(`VALIDATION_FAILED:${rule.name}:${error}`);
-                }
-            }
-        }
-        return (0, shared_1.ok)({ payload: plaintext });
-    }
-    onDecrypt(plaintext, context) {
-        // Validate plaintext is not empty
-        if (plaintext.length === 0) {
-            this.recordError('plaintext_empty', 'Decrypted plaintext is empty');
-            return (0, shared_1.err)('VALIDATION_FAILED:DECRYPTED_EMPTY');
-        }
-        // Apply custom rules
-        for (const rule of this.options.customRules) {
-            if (!rule.appliesTo || rule.appliesTo.includes('decrypt')) {
-                const error = rule.validate(plaintext, context);
-                if (error) {
-                    this.recordError(rule.name, error);
-                    return (0, shared_1.err)(`VALIDATION_FAILED:${rule.name}:${error}`);
-                }
-            }
-        }
-        return (0, shared_1.ok)({ payload: plaintext });
-    }
-    /**
-     * Get all validation errors.
-     */
-    getValidationErrors() {
-        return [...this.validationErrors];
-    }
-    /**
-     * Clear validation errors.
-     */
-    clearErrors() {
-        this.validationErrors = [];
-    }
-    /**
-     * Add a custom validation rule.
-     */
-    addRule(rule) {
-        this.options.customRules.push(rule);
-    }
-    /**
-     * Remove a custom validation rule by name.
-     */
-    removeRule(name) {
-        const index = this.options.customRules.findIndex((r) => r.name === name);
-        if (index === -1) {
-            return false;
-        }
-        this.options.customRules.splice(index, 1);
-        return true;
-    }
-    validatePayloadSize(payload) {
-        const size = this.estimateSize(payload);
-        if (size > this.options.maxPayloadSize) {
-            return (0, shared_1.err)(`VALIDATION_FAILED:PAYLOAD_TOO_LARGE:${size}>${this.options.maxPayloadSize}`);
-        }
-        return (0, shared_1.ok)(undefined);
-    }
-    validateEnvelopeSize(envelope) {
-        const size = this.estimateSize(envelope);
-        if (size > this.options.maxEnvelopeSize) {
-            return (0, shared_1.err)(`VALIDATION_FAILED:ENVELOPE_TOO_LARGE:${size}>${this.options.maxEnvelopeSize}`);
-        }
-        return (0, shared_1.ok)(undefined);
-    }
-    validateScope(scope) {
-        if (this.options.allowedScopes.length > 0 && !this.options.allowedScopes.includes(scope)) {
-            return (0, shared_1.err)(`VALIDATION_FAILED:SCOPE_NOT_ALLOWED:${scope}`);
-        }
-        return (0, shared_1.ok)(undefined);
-    }
-    validatePayloadStructure(payload) {
-        if (payload === null || payload === undefined) {
-            return (0, shared_1.err)('VALIDATION_FAILED:PAYLOAD_NULL_OR_UNDEFINED');
-        }
-        // Validate can be serialized to JSON
-        try {
-            JSON.stringify(payload);
-        }
-        catch (error) {
-            return (0, shared_1.err)(`VALIDATION_FAILED:PAYLOAD_NOT_SERIALIZABLE:${String(error)}`);
-        }
-        return (0, shared_1.ok)(undefined);
-    }
-    validateEnvelopeStructure(envelope) {
-        // Validate required fields
-        if (!('v' in envelope) && !('version' in envelope)) {
-            return (0, shared_1.err)('VALIDATION_FAILED:ENVELOPE_MISSING_VERSION');
-        }
-        if (!envelope.sender) {
-            return (0, shared_1.err)('VALIDATION_FAILED:ENVELOPE_MISSING_SENDER');
-        }
-        if (!envelope.recipient) {
-            return (0, shared_1.err)('VALIDATION_FAILED:ENVELOPE_MISSING_RECIPIENT');
-        }
-        if (!('payload' in envelope) && !('ciphertext' in envelope)) {
-            return (0, shared_1.err)('VALIDATION_FAILED:ENVELOPE_MISSING_CIPHERTEXT');
-        }
-        return (0, shared_1.ok)(undefined);
-    }
-    estimateSize(value) {
-        if (value instanceof Uint8Array) {
-            return value.length;
-        }
-        try {
-            return JSON.stringify(value).length;
-        }
-        catch {
-            return 0;
-        }
-    }
-    recordError(rule, error) {
-        this.validationErrors.push({
-            timestamp: Date.now(),
-            rule,
-            error,
-        });
-        // Keep only last 1000 errors
-        if (this.validationErrors.length > 1000) {
-            this.validationErrors.shift();
-        }
-    }
-}
-exports.ValidationPlugin = ValidationPlugin;
-/**
- * Create a validation plugin with options.
- */
-function createValidationPlugin(options) {
-    return new ValidationPlugin(options);
-}
-/**
- * Common validation rules.
- */
-exports.CommonRules = {
-    /**
-     * Validate payload contains required fields.
-     */
-    requireFields(fields) {
-        return {
-            name: 'require_fields',
-            appliesTo: ['send'],
-            validate: (value) => {
-                if (typeof value !== 'object' || value === null) {
-                    return 'Payload must be an object';
-                }
-                const obj = value;
-                const missing = fields.filter((field) => !(field in obj));
-                if (missing.length > 0) {
-                    return `Missing required fields: ${missing.join(', ')}`;
-                }
-                return null;
-            },
-        };
-    },
-    /**
-     * Validate DID format.
-     */
-    validateDIDFormat() {
-        return {
-            name: 'did_format',
-            appliesTo: ['send', 'receive'],
-            validate: (value, context) => {
-                if (context.recipient && !context.recipient.startsWith('did:')) {
-                    return `Invalid DID format: ${context.recipient}`;
-                }
-                return null;
-            },
-        };
-    },
-    /**
-     * Validate timestamp is recent.
-     */
-    validateTimestamp(maxAgeMs = 300000) {
-        return {
-            name: 'timestamp_freshness',
-            appliesTo: ['receive'],
-            validate: (value, context) => {
-                const age = Date.now() - context.timestamp;
-                if (age > maxAgeMs) {
-                    return `Timestamp too old: ${age}ms > ${maxAgeMs}ms`;
-                }
-                return null;
-            },
-        };
-    },
-};
+"use strict";Object.defineProperty(exports,"__esModule",{value:!0}),exports.CommonRules=exports.ValidationPlugin=void 0,exports.createValidationPlugin=createValidationPlugin;const shared_1=require("../../_deps/shared/index.js");class ValidationPlugin{name="validation";version="1.0.0";description="Validates payloads and envelopes before processing";priority=5;options;validationErrors=[];constructor(e={}){this.options={maxPayloadSize:e.maxPayloadSize??10485760,maxEnvelopeSize:e.maxEnvelopeSize??15728640,allowedScopes:e.allowedScopes??[],customRules:e.customRules??[],strictMode:e.strictMode??!1,validateSchema:e.validateSchema??!1}}onInit(){return(0,shared_1.ok)(void 0)}onDestroy(){return this.validationErrors=[],(0,shared_1.ok)(void 0)}onSend(e,r){const t=this.validatePayloadSize(e);if(!1===t.ok)return this.recordError("payload_size",t.error),(0,shared_1.err)(t.error);if(r.scope){const e=this.validateScope(r.scope);if(!1===e.ok)return this.recordError("scope",e.error),(0,shared_1.err)(e.error)}const i=this.validatePayloadStructure(e);if(!1===i.ok)return this.recordError("payload_structure",i.error),(0,shared_1.err)(i.error);for(const t of this.options.customRules)if(!t.appliesTo||t.appliesTo.includes("send")){const i=t.validate(e,r);if(i)return this.recordError(t.name,i),(0,shared_1.err)(`VALIDATION_FAILED:${t.name}:${i}`)}return(0,shared_1.ok)({payload:e})}onReceive(e,r){const t=this.validateEnvelopeSize(e);if(!1===t.ok)return this.recordError("envelope_size",t.error),(0,shared_1.err)(t.error);const i=this.validateEnvelopeStructure(e);if(!1===i.ok)return this.recordError("envelope_structure",i.error),(0,shared_1.err)(i.error);for(const t of this.options.customRules)if(!t.appliesTo||t.appliesTo.includes("receive")){const i=t.validate(e,r);if(i)return this.recordError(t.name,i),(0,shared_1.err)(`VALIDATION_FAILED:${t.name}:${i}`)}return(0,shared_1.ok)({payload:e})}onEncrypt(e,r){if(0===e.length)return this.recordError("plaintext_empty","Plaintext cannot be empty"),(0,shared_1.err)("VALIDATION_FAILED:PLAINTEXT_EMPTY");if(e.length>this.options.maxPayloadSize)return this.recordError("plaintext_size",`Plaintext exceeds max size: ${e.length} bytes`),(0,shared_1.err)(`VALIDATION_FAILED:PLAINTEXT_TOO_LARGE:${e.length}`);for(const t of this.options.customRules)if(!t.appliesTo||t.appliesTo.includes("encrypt")){const i=t.validate(e,r);if(i)return this.recordError(t.name,i),(0,shared_1.err)(`VALIDATION_FAILED:${t.name}:${i}`)}return(0,shared_1.ok)({payload:e})}onDecrypt(e,r){if(0===e.length)return this.recordError("plaintext_empty","Decrypted plaintext is empty"),(0,shared_1.err)("VALIDATION_FAILED:DECRYPTED_EMPTY");for(const t of this.options.customRules)if(!t.appliesTo||t.appliesTo.includes("decrypt")){const i=t.validate(e,r);if(i)return this.recordError(t.name,i),(0,shared_1.err)(`VALIDATION_FAILED:${t.name}:${i}`)}return(0,shared_1.ok)({payload:e})}getValidationErrors(){return[...this.validationErrors]}clearErrors(){this.validationErrors=[]}addRule(e){this.options.customRules.push(e)}removeRule(e){const r=this.options.customRules.findIndex(r=>r.name===e);return-1!==r&&(this.options.customRules.splice(r,1),!0)}validatePayloadSize(e){const r=this.estimateSize(e);return r>this.options.maxPayloadSize?(0,shared_1.err)(`VALIDATION_FAILED:PAYLOAD_TOO_LARGE:${r}>${this.options.maxPayloadSize}`):(0,shared_1.ok)(void 0)}validateEnvelopeSize(e){const r=this.estimateSize(e);return r>this.options.maxEnvelopeSize?(0,shared_1.err)(`VALIDATION_FAILED:ENVELOPE_TOO_LARGE:${r}>${this.options.maxEnvelopeSize}`):(0,shared_1.ok)(void 0)}validateScope(e){return this.options.allowedScopes.length>0&&!this.options.allowedScopes.includes(e)?(0,shared_1.err)(`VALIDATION_FAILED:SCOPE_NOT_ALLOWED:${e}`):(0,shared_1.ok)(void 0)}validatePayloadStructure(e){if(null==e)return(0,shared_1.err)("VALIDATION_FAILED:PAYLOAD_NULL_OR_UNDEFINED");try{JSON.stringify(e)}catch(e){return(0,shared_1.err)(`VALIDATION_FAILED:PAYLOAD_NOT_SERIALIZABLE:${String(e)}`)}return(0,shared_1.ok)(void 0)}validateEnvelopeStructure(e){return"v"in e||"version"in e?e.sender?e.recipient?"payload"in e||"ciphertext"in e?(0,shared_1.ok)(void 0):(0,shared_1.err)("VALIDATION_FAILED:ENVELOPE_MISSING_CIPHERTEXT"):(0,shared_1.err)("VALIDATION_FAILED:ENVELOPE_MISSING_RECIPIENT"):(0,shared_1.err)("VALIDATION_FAILED:ENVELOPE_MISSING_SENDER"):(0,shared_1.err)("VALIDATION_FAILED:ENVELOPE_MISSING_VERSION")}estimateSize(e){if(e instanceof Uint8Array)return e.length;try{return JSON.stringify(e).length}catch{return 0}}recordError(e,r){this.validationErrors.push({timestamp:Date.now(),rule:e,error:r}),this.validationErrors.length>1e3&&this.validationErrors.shift()}}function createValidationPlugin(e){return new ValidationPlugin(e)}exports.ValidationPlugin=ValidationPlugin,exports.CommonRules={requireFields:e=>({name:"require_fields",appliesTo:["send"],validate:r=>{if("object"!=typeof r||null===r)return"Payload must be an object";const t=r,i=e.filter(e=>!(e in t));return i.length>0?`Missing required fields: ${i.join(", ")}`:null}}),validateDIDFormat:()=>({name:"did_format",appliesTo:["send","receive"],validate:(e,r)=>r.recipient&&!r.recipient.startsWith("did:")?`Invalid DID format: ${r.recipient}`:null}),validateTimestamp:(e=3e5)=>({name:"timestamp_freshness",appliesTo:["receive"],validate:(r,t)=>{const i=Date.now()-t.timestamp;return i>e?`Timestamp too old: ${i}ms > ${e}ms`:null}})};

package/dist-standalone/cjs/policy.js

@@ -1,320 +1 @@
-"use strict";
-/**
- * @module policy
- * PolicyEngine for agent.call() constraint enforcement
- *
- * Enforces spending limits, rate limits, scope restrictions, and data filters
- * on agent tool calls. Separate from SecurityPolicy (risk classification).
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.PolicyEngine = void 0;
-exports.getGlobalPolicyEngine = getGlobalPolicyEngine;
-const shared_1 = require("../_deps/shared/index.js");
-const agent_call_js_1 = require("./agent-call.js");
-/**
- * PolicyEngine - Enforces constraints on agent.call() requests
- *
- * Tracks:
- * - Per-transaction spending limits
- * - Daily spending limits
- * - Rate limits (calls per minute)
- * - Allowed tools/scopes
- *
- * Thread-safe for concurrent requests from the same agent.
- */
-class PolicyEngine {
-    /** Rate limit tracker by agent DID */
-    rateLimits = new Map();
-    /** Daily spending tracker by agent DID */
-    dailySpending = new Map();
-    /** Monthly spending tracker by agent DID */
-    monthlySpending = new Map();
-    /**
-     * Evaluate a policy against a request
-     *
-     * @param agentDID - Agent DID making the request
-     * @param tool - Tool being called (e.g., "stripe:createCharge")
-     * @param params - Tool parameters
-     * @param constraints - Policy constraints to enforce
-     * @returns Policy evaluation result
-     */
-    evaluate(agentDID, tool, params, constraints) {
-        // Check allowed tools
-        if (constraints.allowedTools && constraints.allowedTools.length > 0) {
-            const [service] = tool.split(':');
-            const isAllowed = constraints.allowedTools.some((allowed) => allowed === tool || allowed === `${service}:*` || allowed === '*');
-            if (!isAllowed) {
-                const details = {
-                    requested: tool,
-                    allowed: constraints.allowedTools,
-                    constraint: 'tool',
-                    fix: `Update policy.allowedTools to include "${tool}" or "${service}:*" or request approval`,
-                };
-                return (0, shared_1.err)(new agent_call_js_1.AgentError(agent_call_js_1.AgentErrorCode.POLICY_VIOLATION, `Tool "${tool}" is not allowed by policy`, details));
-            }
-        }
-        // Check scopes
-        if (constraints.scopes && constraints.scopes.length > 0) {
-            // Extract scope from params if present
-            const scope = typeof params === 'object' && params !== null && 'scope' in params
-                ? params.scope
-                : undefined;
-            if (scope && !constraints.scopes.includes(scope)) {
-                const details = {
-                    requested: scope,
-                    allowed: constraints.scopes,
-                    constraint: 'scope',
-                    fix: `Update policy.scopes to include "${scope}" or request additional permissions`,
-                };
-                return (0, shared_1.err)(new agent_call_js_1.AgentError(agent_call_js_1.AgentErrorCode.POLICY_VIOLATION, `Scope "${scope}" is not allowed by policy`, details));
-            }
-        }
-        // Check rate limits
-        if (constraints.limits?.callsPerMinute) {
-            const rateCheck = this.checkRateLimit(agentDID, constraints.limits.callsPerMinute);
-            if (!rateCheck.ok) {
-                return rateCheck;
-            }
-        }
-        // Check spending limits (if amount is in params)
-        const amount = this.extractAmount(params);
-        if (amount !== null) {
-            // Check per-transaction limit
-            if (constraints.limits?.amountPerTxn && amount > constraints.limits.amountPerTxn) {
-                const details = {
-                    requested: amount,
-                    allowed: constraints.limits.amountPerTxn,
-                    constraint: 'amountPerTxn',
-                    fix: `Reduce amount to ${constraints.limits.amountPerTxn} or less, or update policy.limits.amountPerTxn`,
-                };
-                return (0, shared_1.err)(new agent_call_js_1.AgentError(agent_call_js_1.AgentErrorCode.POLICY_VIOLATION, `Amount ${amount} exceeds per-transaction limit of ${constraints.limits.amountPerTxn}`, details));
-            }
-            // Check daily limit
-            if (constraints.limits?.dailyAmount) {
-                const dailyCheck = this.checkDailyLimit(agentDID, amount, constraints.limits.dailyAmount);
-                if (!dailyCheck.ok) {
-                    return dailyCheck;
-                }
-            }
-            // Check monthly limit
-            if (constraints.limits?.monthlyAmount) {
-                const monthlyCheck = this.checkMonthlyLimit(agentDID, amount, constraints.limits.monthlyAmount);
-                if (!monthlyCheck.ok) {
-                    return monthlyCheck;
-                }
-            }
-        }
-        // All checks passed
-        return (0, shared_1.ok)(undefined);
-    }
-    /**
-     * Record a successful call (for rate limiting)
-     *
-     * @param agentDID - Agent DID
-     */
-    recordCall(agentDID) {
-        const now = Date.now();
-        const entry = this.rateLimits.get(agentDID) ?? {
-            calls: [],
-            windowStart: now,
-        };
-        entry.calls.push(now);
-        // Clean up old calls (older than 1 minute)
-        const oneMinuteAgo = now - 60000;
-        entry.calls = entry.calls.filter((timestamp) => timestamp > oneMinuteAgo);
-        this.rateLimits.set(agentDID, entry);
-    }
-    /**
-     * Record successful spending (for daily and monthly limits)
-     *
-     * @param agentDID - Agent DID
-     * @param amount - Amount spent
-     */
-    recordSpending(agentDID, amount) {
-        const today = this.getCurrentDay();
-        const thisMonth = this.getCurrentMonth();
-        // Update daily spending
-        const dailyEntry = this.dailySpending.get(agentDID);
-        if (dailyEntry && dailyEntry.day === today) {
-            dailyEntry.amount += amount;
-        }
-        else {
-            this.dailySpending.set(agentDID, {
-                amount,
-                day: today,
-            });
-        }
-        // Update monthly spending
-        const monthlyEntry = this.monthlySpending.get(agentDID);
-        if (monthlyEntry && monthlyEntry.month === thisMonth) {
-            monthlyEntry.amount += amount;
-        }
-        else {
-            this.monthlySpending.set(agentDID, {
-                amount,
-                month: thisMonth,
-            });
-        }
-    }
-    /**
-     * Get current rate limit status for an agent
-     *
-     * @param agentDID - Agent DID
-     * @returns Calls in current minute
-     */
-    getCurrentRateLimit(agentDID) {
-        const entry = this.rateLimits.get(agentDID);
-        if (!entry)
-            return 0;
-        const now = Date.now();
-        const oneMinuteAgo = now - 60000;
-        // Count calls in last minute
-        return entry.calls.filter((timestamp) => timestamp > oneMinuteAgo).length;
-    }
-    /**
-     * Get current daily spending for an agent
-     *
-     * @param agentDID - Agent DID
-     * @returns Amount spent today
-     */
-    getDailySpending(agentDID) {
-        const today = this.getCurrentDay();
-        const entry = this.dailySpending.get(agentDID);
-        if (!entry || entry.day !== today)
-            return 0;
-        return entry.amount;
-    }
-    /**
-     * Get current monthly spending for an agent
-     *
-     * @param agentDID - Agent DID
-     * @returns Amount spent this month
-     */
-    getMonthlySpending(agentDID) {
-        const thisMonth = this.getCurrentMonth();
-        const entry = this.monthlySpending.get(agentDID);
-        if (!entry || entry.month !== thisMonth)
-            return 0;
-        return entry.amount;
-    }
-    /**
-     * Reset all limits for an agent (for testing)
-     *
-     * @param agentDID - Agent DID
-     */
-    reset(agentDID) {
-        this.rateLimits.delete(agentDID);
-        this.dailySpending.delete(agentDID);
-        this.monthlySpending.delete(agentDID);
-    }
-    /**
-     * Check rate limit
-     */
-    checkRateLimit(agentDID, limit) {
-        const current = this.getCurrentRateLimit(agentDID);
-        if (current >= limit) {
-            const details = {
-                requested: current + 1,
-                allowed: limit,
-                constraint: 'callsPerMinute',
-                current,
-                fix: `Wait before making additional calls, or update policy.limits.callsPerMinute to a higher value`,
-            };
-            return (0, shared_1.err)(new agent_call_js_1.AgentError(agent_call_js_1.AgentErrorCode.POLICY_VIOLATION, `Rate limit exceeded: ${current}/${limit} calls per minute`, details));
-        }
-        return (0, shared_1.ok)(undefined);
-    }
-    /**
-     * Check daily spending limit
-     */
-    checkDailyLimit(agentDID, amount, limit) {
-        const current = this.getDailySpending(agentDID);
-        const newTotal = current + amount;
-        if (newTotal > limit) {
-            const remaining = limit - current;
-            const details = {
-                requested: amount,
-                allowed: limit,
-                constraint: 'dailyAmount',
-                current,
-                newTotal,
-                fix: remaining > 0
-                    ? `Reduce amount to ${remaining} or less (remaining today), or update policy.limits.dailyAmount`
-                    : `Daily limit already reached. Wait until tomorrow or update policy.limits.dailyAmount`,
-            };
-            return (0, shared_1.err)(new agent_call_js_1.AgentError(agent_call_js_1.AgentErrorCode.POLICY_VIOLATION, `Amount ${amount} would exceed daily limit: ${newTotal}/${limit} (current: ${current})`, details));
-        }
-        return (0, shared_1.ok)(undefined);
-    }
-    /**
-     * Extract amount from params
-     */
-    extractAmount(params) {
-        if (typeof params !== 'object' || params === null)
-            return null;
-        const obj = params;
-        // Check common amount field names
-        if (typeof obj.amount === 'number')
-            return obj.amount;
-        if (typeof obj.value === 'number')
-            return obj.value;
-        if (typeof obj.price === 'number')
-            return obj.price;
-        if (typeof obj.total === 'number')
-            return obj.total;
-        return null;
-    }
-    /**
-     * Get current day identifier (YYYY-MM-DD in UTC)
-     */
-    getCurrentDay() {
-        const now = new Date();
-        return now.toISOString().split('T')[0] ?? '';
-    }
-    /**
-     * Get current month identifier (YYYY-MM in UTC)
-     */
-    getCurrentMonth() {
-        const now = new Date();
-        const iso = now.toISOString();
-        return iso.substring(0, 7); // YYYY-MM
-    }
-    /**
-     * Check monthly spending limit
-     */
-    checkMonthlyLimit(agentDID, amount, limit) {
-        const current = this.getMonthlySpending(agentDID);
-        const newTotal = current + amount;
-        if (newTotal > limit) {
-            const remaining = limit - current;
-            const details = {
-                requested: amount,
-                allowed: limit,
-                constraint: 'dailyAmount', // Reuse constraint type (will add monthlyAmount later)
-                current,
-                newTotal,
-                fix: remaining > 0
-                    ? `Reduce amount to ${remaining} or less (remaining this month), or update policy.limits.monthlyAmount`
-                    : `Monthly limit already reached. Wait until next month or update policy.limits.monthlyAmount`,
-            };
-            return (0, shared_1.err)(new agent_call_js_1.AgentError(agent_call_js_1.AgentErrorCode.POLICY_VIOLATION, `Amount ${amount} would exceed monthly limit: ${newTotal}/${limit} (current: ${current})`, details));
-        }
-        return (0, shared_1.ok)(undefined);
-    }
-}
-exports.PolicyEngine = PolicyEngine;
-/**
- * Global policy engine instance (singleton)
- */
-let globalPolicyEngine = null;
-/**
- * Get the global policy engine instance
- *
- * @returns PolicyEngine instance
- */
-function getGlobalPolicyEngine() {
-    if (!globalPolicyEngine) {
-        globalPolicyEngine = new PolicyEngine();
-    }
-    return globalPolicyEngine;
-}
+"use strict";Object.defineProperty(exports,"__esModule",{value:!0}),exports.PolicyEngine=void 0,exports.getGlobalPolicyEngine=getGlobalPolicyEngine;const shared_1=require("../_deps/shared/index.js"),agent_call_js_1=require("./agent-call.js");class PolicyEngine{rateLimits=new Map;dailySpending=new Map;monthlySpending=new Map;evaluate(t,e,n,o){if(o.allowedTools&&o.allowedTools.length>0){const[t]=e.split(":");if(!o.allowedTools.some(n=>n===e||n===`${t}:*`||"*"===n)){const n={requested:e,allowed:o.allowedTools,constraint:"tool",fix:`Update policy.allowedTools to include "${e}" or "${t}:*" or request approval`};return(0,shared_1.err)(new agent_call_js_1.AgentError(agent_call_js_1.AgentErrorCode.POLICY_VIOLATION,`Tool "${e}" is not allowed by policy`,n))}}if(o.scopes&&o.scopes.length>0){const t="object"==typeof n&&null!==n&&"scope"in n?n.scope:void 0;if(t&&!o.scopes.includes(t)){const e={requested:t,allowed:o.scopes,constraint:"scope",fix:`Update policy.scopes to include "${t}" or request additional permissions`};return(0,shared_1.err)(new agent_call_js_1.AgentError(agent_call_js_1.AgentErrorCode.POLICY_VIOLATION,`Scope "${t}" is not allowed by policy`,e))}}if(o.limits?.callsPerMinute){const e=this.checkRateLimit(t,o.limits.callsPerMinute);if(!e.ok)return e}const i=this.extractAmount(n);if(null!==i){if(o.limits?.amountPerTxn&&i>o.limits.amountPerTxn){const t={requested:i,allowed:o.limits.amountPerTxn,constraint:"amountPerTxn",fix:`Reduce amount to ${o.limits.amountPerTxn} or less, or update policy.limits.amountPerTxn`};return(0,shared_1.err)(new agent_call_js_1.AgentError(agent_call_js_1.AgentErrorCode.POLICY_VIOLATION,`Amount ${i} exceeds per-transaction limit of ${o.limits.amountPerTxn}`,t))}if(o.limits?.dailyAmount){const e=this.checkDailyLimit(t,i,o.limits.dailyAmount);if(!e.ok)return e}if(o.limits?.monthlyAmount){const e=this.checkMonthlyLimit(t,i,o.limits.monthlyAmount);if(!e.ok)return e}}return(0,shared_1.ok)(void 0)}recordCall(t){const e=Date.now(),n=this.rateLimits.get(t)??{calls:[],windowStart:e};n.calls.push(e);const o=e-6e4;n.calls=n.calls.filter(t=>t>o),this.rateLimits.set(t,n)}recordSpending(t,e){const n=this.getCurrentDay(),o=this.getCurrentMonth(),i=this.dailySpending.get(t);i&&i.day===n?i.amount+=e:this.dailySpending.set(t,{amount:e,day:n});const l=this.monthlySpending.get(t);l&&l.month===o?l.amount+=e:this.monthlySpending.set(t,{amount:e,month:o})}getCurrentRateLimit(t){const e=this.rateLimits.get(t);if(!e)return 0;const n=Date.now()-6e4;return e.calls.filter(t=>t>n).length}getDailySpending(t){const e=this.getCurrentDay(),n=this.dailySpending.get(t);return n&&n.day===e?n.amount:0}getMonthlySpending(t){const e=this.getCurrentMonth(),n=this.monthlySpending.get(t);return n&&n.month===e?n.amount:0}reset(t){this.rateLimits.delete(t),this.dailySpending.delete(t),this.monthlySpending.delete(t)}checkRateLimit(t,e){const n=this.getCurrentRateLimit(t);if(n>=e){const t={requested:n+1,allowed:e,constraint:"callsPerMinute",current:n,fix:"Wait before making additional calls, or update policy.limits.callsPerMinute to a higher value"};return(0,shared_1.err)(new agent_call_js_1.AgentError(agent_call_js_1.AgentErrorCode.POLICY_VIOLATION,`Rate limit exceeded: ${n}/${e} calls per minute`,t))}return(0,shared_1.ok)(void 0)}checkDailyLimit(t,e,n){const o=this.getDailySpending(t),i=o+e;if(i>n){const t=n-o,l={requested:e,allowed:n,constraint:"dailyAmount",current:o,newTotal:i,fix:t>0?`Reduce amount to ${t} or less (remaining today), or update policy.limits.dailyAmount`:"Daily limit already reached. Wait until tomorrow or update policy.limits.dailyAmount"};return(0,shared_1.err)(new agent_call_js_1.AgentError(agent_call_js_1.AgentErrorCode.POLICY_VIOLATION,`Amount ${e} would exceed daily limit: ${i}/${n} (current: ${o})`,l))}return(0,shared_1.ok)(void 0)}extractAmount(t){if("object"!=typeof t||null===t)return null;const e=t;return"number"==typeof e.amount?e.amount:"number"==typeof e.value?e.value:"number"==typeof e.price?e.price:"number"==typeof e.total?e.total:null}getCurrentDay(){return(new Date).toISOString().split("T")[0]??""}getCurrentMonth(){return(new Date).toISOString().substring(0,7)}checkMonthlyLimit(t,e,n){const o=this.getMonthlySpending(t),i=o+e;if(i>n){const t=n-o,l={requested:e,allowed:n,constraint:"dailyAmount",current:o,newTotal:i,fix:t>0?`Reduce amount to ${t} or less (remaining this month), or update policy.limits.monthlyAmount`:"Monthly limit already reached. Wait until next month or update policy.limits.monthlyAmount"};return(0,shared_1.err)(new agent_call_js_1.AgentError(agent_call_js_1.AgentErrorCode.POLICY_VIOLATION,`Amount ${e} would exceed monthly limit: ${i}/${n} (current: ${o})`,l))}return(0,shared_1.ok)(void 0)}}exports.PolicyEngine=PolicyEngine;let globalPolicyEngine=null;function getGlobalPolicyEngine(){return globalPolicyEngine||(globalPolicyEngine=new PolicyEngine),globalPolicyEngine}