npm - @probelabs/visor - Versions diffs - 0.1.129 → 0.1.130 - Mend

@probelabs/visor 0.1.129 → 0.1.130

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (206) hide show

package/dist/docs/index.md CHANGED Viewed

@@ -135,6 +135,16 @@ The test framework allows you to write integration tests for your Visor workflow
 ---
+## Enterprise Edition
+> Enterprise features require a Visor EE license. Contact **hello@probelabs.com** for licensing.
+| Document | Description |
+|----------|-------------|
+| [Enterprise Policy Engine (OPA)](./enterprise-policy.md) | Comprehensive guide to the OPA-based policy engine: installation, licensing, Rego policies, configuration, and troubleshooting |
+---
 ## Guides
 Best practices and style guides for writing maintainable workflows.

package/dist/docs/scheduler-storage.md ADDED Viewed

@@ -0,0 +1,433 @@
+# Scheduler Storage
+This guide covers database storage configuration for the Visor scheduler, including cloud database setup, SSL/TLS, connection pooling, and high-availability deployments.
+## Overview
+The scheduler supports four storage drivers:
+| Driver | License | Use Case |
+|--------|---------|----------|
+| `sqlite` | OSS (free) | Single-node, local development, small deployments |
+| `postgresql` | Enterprise | Production, multi-node HA, cloud databases |
+| `mysql` | Enterprise | Production, multi-node HA, cloud databases |
+| `mssql` | Enterprise | Azure SQL, SQL Server environments |
+## SQLite (Default)
+Zero-configuration — works out of the box:
+```yaml
+scheduler:
+  enabled: true
+  storage:
+    driver: sqlite
+    connection:
+      filename: .visor/schedules.db  # default
+```
+SQLite is the default when no driver is specified. It stores data in a local file and supports all scheduler features except distributed locking (HA mode).
+## PostgreSQL
+```yaml
+scheduler:
+  storage:
+    driver: postgresql
+    connection:
+      host: localhost
+      port: 5432
+      database: visor
+      user: visor
+      password: ${VISOR_DB_PASSWORD}
+      ssl: true
+```
+## MySQL
+```yaml
+scheduler:
+  storage:
+    driver: mysql
+    connection:
+      host: localhost
+      port: 3306
+      database: visor
+      user: visor
+      password: ${VISOR_DB_PASSWORD}
+      ssl: true
+```
+## MSSQL (SQL Server)
+```yaml
+scheduler:
+  storage:
+    driver: mssql
+    connection:
+      host: localhost
+      port: 1433
+      database: visor
+      user: sa
+      password: ${VISOR_DB_PASSWORD}
+      ssl:
+        reject_unauthorized: true
+```
+For MSSQL, `host` is mapped to the tedious driver's `server` parameter internally. SSL configuration maps to `encrypt` and `trustServerCertificate` options.
+## Connection String
+All server drivers support connection string URLs as an alternative to individual parameters:
+```yaml
+scheduler:
+  storage:
+    driver: postgresql
+    connection:
+      connection_string: postgresql://visor:secret@db.example.com:5432/visor?sslmode=require
+```
+```yaml
+scheduler:
+  storage:
+    driver: mysql
+    connection:
+      connection_string: mysql://visor:secret@db.example.com:3306/visor
+```
+When `connection_string` is set, `host`, `port`, `database`, `user`, and `password` are ignored.
+## SSL/TLS Configuration
+### Boolean (simple)
+```yaml
+connection:
+  host: db.example.com
+  ssl: true  # enables SSL with rejectUnauthorized: true
+```
+### Object (detailed)
+```yaml
+connection:
+  host: db.example.com
+  ssl:
+    enabled: true
+    reject_unauthorized: true    # default: true
+    ca: /path/to/ca-cert.pem     # CA certificate
+    cert: /path/to/client-cert.pem  # client certificate (mTLS)
+    key: /path/to/client-key.pem    # client key (mTLS)
+```
+| Field | Default | Description |
+|-------|---------|-------------|
+| `enabled` | `true` | Enable SSL (when object is provided) |
+| `reject_unauthorized` | `true` | Validate server certificate against CA |
+| `ca` | — | Path to CA certificate PEM file |
+| `cert` | — | Path to client certificate PEM file (for mTLS) |
+| `key` | — | Path to client key PEM file (for mTLS) |
+Certificate file paths are read at initialization time. This works well with Kubernetes secret mounts, AWS SSM Parameter Store files, and similar mechanisms.
+## Connection Pool
+```yaml
+connection:
+  host: db.example.com
+  pool:
+    min: 0    # default: 0 (good for serverless)
+    max: 10   # default: 10
+```
+| Field | Default | Description |
+|-------|---------|-------------|
+| `min` | `0` | Minimum connections to keep open |
+| `max` | `10` | Maximum simultaneous connections |
+**Serverless tip**: Keep `min: 0` to avoid holding idle connections in Lambda/Cloud Functions. The pool will scale up on demand and release connections when idle.
+**High-throughput tip**: Increase `max` if you have many concurrent schedule executions. Each execution may hold a connection during locking and updates.
+## Cloud Database Examples
+### AWS RDS PostgreSQL
+```yaml
+scheduler:
+  storage:
+    driver: postgresql
+    connection:
+      host: mydb.abc123.us-east-1.rds.amazonaws.com
+      port: 5432
+      database: visor
+      user: visor
+      password: ${RDS_PASSWORD}
+      ssl:
+        reject_unauthorized: true
+        ca: /etc/ssl/certs/rds-combined-ca-bundle.pem
+      pool:
+        min: 0
+        max: 10
+```
+Download the [RDS CA bundle](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html) and mount it in your container or EC2 instance.
+### AWS RDS MySQL
+```yaml
+scheduler:
+  storage:
+    driver: mysql
+    connection:
+      host: mydb.abc123.us-east-1.rds.amazonaws.com
+      port: 3306
+      database: visor
+      user: visor
+      password: ${RDS_PASSWORD}
+      ssl:
+        reject_unauthorized: true
+        ca: /etc/ssl/certs/rds-combined-ca-bundle.pem
+```
+### AWS Aurora PostgreSQL
+```yaml
+scheduler:
+  storage:
+    driver: postgresql
+    connection:
+      host: mycluster.cluster-abc123.us-east-1.rds.amazonaws.com
+      port: 5432
+      database: visor
+      user: visor
+      password: ${AURORA_PASSWORD}
+      ssl:
+        reject_unauthorized: true
+        ca: /etc/ssl/certs/rds-combined-ca-bundle.pem
+      pool:
+        min: 0
+        max: 10
+```
+Use the **cluster endpoint** (writer) for the scheduler. Aurora uses the same CA bundle as RDS.
+### AWS Aurora MySQL
+```yaml
+scheduler:
+  storage:
+    driver: mysql
+    connection:
+      host: mycluster.cluster-abc123.us-east-1.rds.amazonaws.com
+      port: 3306
+      database: visor
+      user: visor
+      password: ${AURORA_PASSWORD}
+      ssl:
+        reject_unauthorized: true
+        ca: /etc/ssl/certs/rds-combined-ca-bundle.pem
+```
+### Azure Database for PostgreSQL
+```yaml
+scheduler:
+  storage:
+    driver: postgresql
+    connection:
+      host: myserver.postgres.database.azure.com
+      port: 5432
+      database: visor
+      user: visor@myserver
+      password: ${AZURE_DB_PASSWORD}
+      ssl:
+        reject_unauthorized: true
+        ca: /etc/ssl/certs/DigiCertGlobalRootCA.crt.pem
+```
+Azure PostgreSQL requires the username in `user@servername` format. Download the [DigiCert Global Root CA](https://learn.microsoft.com/en-us/azure/postgresql/single-server/concepts-ssl-connection-security).
+### Azure Database for MySQL
+```yaml
+scheduler:
+  storage:
+    driver: mysql
+    connection:
+      host: myserver.mysql.database.azure.com
+      port: 3306
+      database: visor
+      user: visor@myserver
+      password: ${AZURE_DB_PASSWORD}
+      ssl:
+        reject_unauthorized: true
+        ca: /etc/ssl/certs/DigiCertGlobalRootCA.crt.pem
+```
+### Azure SQL Database (MSSQL)
+```yaml
+scheduler:
+  storage:
+    driver: mssql
+    connection:
+      host: myserver.database.windows.net
+      port: 1433
+      database: visor
+      user: visor
+      password: ${AZURE_SQL_PASSWORD}
+      ssl:
+        reject_unauthorized: true
+```
+Azure SQL Database enforces encryption by default. The `ssl.reject_unauthorized: true` setting maps to `trustServerCertificate: false` (i.e., the server certificate is validated).
+### Google Cloud SQL PostgreSQL
+```yaml
+scheduler:
+  storage:
+    driver: postgresql
+    connection:
+      host: /cloudsql/project:region:instance  # Unix socket
+      database: visor
+      user: visor
+      password: ${CLOUDSQL_PASSWORD}
+```
+When using the [Cloud SQL Auth Proxy](https://cloud.google.com/sql/docs/postgres/connect-auth-proxy), connect via Unix socket (no SSL needed as the proxy handles encryption):
+```yaml
+connection:
+  host: 127.0.0.1
+  port: 5432
+  database: visor
+  user: visor
+  password: ${CLOUDSQL_PASSWORD}
+```
+### Google Cloud SQL MySQL
+```yaml
+scheduler:
+  storage:
+    driver: mysql
+    connection:
+      host: 127.0.0.1
+      port: 3306
+      database: visor
+      user: visor
+      password: ${CLOUDSQL_PASSWORD}
+```
+### Google Cloud SQL - SQL Server
+```yaml
+scheduler:
+  storage:
+    driver: mssql
+    connection:
+      host: 127.0.0.1
+      port: 1433
+      database: visor
+      user: sqlserver
+      password: ${CLOUDSQL_PASSWORD}
+      ssl:
+        reject_unauthorized: true
+```
+## High Availability
+For multi-node deployments, enable HA mode with a server database:
+```yaml
+scheduler:
+  storage:
+    driver: postgresql
+    connection:
+      host: db.example.com
+      database: visor
+      user: visor
+      password: ${DB_PASSWORD}
+      ssl: true
+  ha:
+    enabled: true
+    node_id: node-1          # unique per node (default: hostname-pid)
+    lock_ttl: 60             # lock expiry in seconds
+    heartbeat_interval: 15   # lock renewal interval
+```
+HA mode uses row-level distributed locking to ensure each schedule is executed by exactly one node. SQLite does **not** support HA mode — use PostgreSQL, MySQL, or MSSQL.
+## Migration from JSON
+If you previously used JSON file storage (`storage.path: .visor/schedules.json`), the scheduler automatically migrates data to the configured database on first startup. The JSON file is preserved as a backup.
+```yaml
+# Legacy config (auto-migrated)
+scheduler:
+  storage:
+    path: .visor/schedules.json
+# New config
+scheduler:
+  storage:
+    driver: sqlite  # or postgresql/mysql/mssql
+```
+## Troubleshooting
+### Connection Refused
+```
+Error: connect ECONNREFUSED 127.0.0.1:5432
+```
+- Verify the database server is running and accessible
+- Check host, port, and firewall rules
+- For cloud databases, ensure your IP is whitelisted
+### SSL Certificate Error
+```
+Error: self signed certificate in certificate chain
+```
+- Set the `ca` path to your cloud provider's CA certificate bundle
+- For development with self-signed certs: `ssl.reject_unauthorized: false` (not recommended for production)
+### Authentication Failed
+```
+Error: password authentication failed for user "visor"
+```
+- Verify `user` and `password` are correct
+- For Azure PostgreSQL, use `user@servername` format
+- Check that the user has access to the specified database
+### Module Not Found
+```
+Error: knex is required for PostgreSQL/MySQL/MSSQL schedule storage
+```
+Install the required database driver:
+```bash
+npm install knex pg          # PostgreSQL
+npm install knex mysql2      # MySQL
+npm install knex tedious     # MSSQL
+```
+### Pool Exhaustion
+```
+Error: Knex: Timeout acquiring a connection
+```
+- Increase `pool.max` in your configuration
+- Check for connection leaks or long-running transactions
+- For serverless, ensure `pool.min: 0` to avoid stale connections

package/dist/docs/scheduler.md CHANGED Viewed

@@ -13,6 +13,8 @@ Output destinations (Slack, GitHub, webhooks) are handled by **output adapters**
 ## Configuration
+> **Storage & Cloud Databases**: For detailed database configuration (PostgreSQL, MySQL, MSSQL, SSL/TLS, connection strings, cloud provider examples), see [Scheduler Storage](scheduler-storage.md).
 Add scheduler settings to your `.visor.yaml`:
 ```yaml
@@ -392,11 +394,19 @@ This feature enables continuity for status updates, progress tracking, and any r
 src/
 ├── scheduler/                    # Generic scheduler module
 │   ├── index.ts                  # Public exports
-│   ├── schedule-store.ts         # JSON persistence for schedules
+│   ├── schedule-store.ts         # Schedule persistence facade
 │   ├── schedule-parser.ts        # Natural language parsing utilities
 │   ├── scheduler.ts              # Generic scheduler daemon
 │   ├── schedule-tool.ts          # AI tool for schedule management
-│   └── cli-handler.ts            # CLI command handlers
+│   ├── cli-handler.ts            # CLI command handlers
+│   └── store/                    # Storage backends
+│       ├── index.ts              # Backend factory
+│       ├── types.ts              # Backend interface & config types
+│       └── sqlite-store.ts       # SQLite backend (OSS)
+│
+├── enterprise/
+│   └── scheduler/
+│       └── knex-store.ts         # PostgreSQL/MySQL/MSSQL backend (Enterprise)
 │
 └── slack/
     └── slack-output-adapter.ts   # Posts results to Slack

package/dist/enterprise/license/validator.d.ts ADDED Viewed

@@ -0,0 +1,39 @@
+/**
+ * Copyright (c) ProbeLabs. All rights reserved.
+ * Licensed under the Elastic License 2.0; you may not use this file except
+ * in compliance with the Elastic License 2.0.
+ */
+export interface LicensePayload {
+    org: string;
+    features: string[];
+    exp: number;
+    iat: number;
+    sub: string;
+}
+export declare class LicenseValidator {
+    /** Ed25519 public key for license verification (PEM format). */
+    private static PUBLIC_KEY;
+    private cache;
+    private static CACHE_TTL;
+    private static GRACE_PERIOD;
+    /**
+     * Load and validate license from environment or file.
+     *
+     * Resolution order:
+     * 1. VISOR_LICENSE env var (JWT string)
+     * 2. VISOR_LICENSE_FILE env var (path to file)
+     * 3. .visor-license in project root (cwd)
+     * 4. .visor-license in ~/.config/visor/
+     */
+    loadAndValidate(): Promise<LicensePayload | null>;
+    /** Check if a specific feature is licensed */
+    hasFeature(feature: string): boolean;
+    /** Check if license is valid (with grace period) */
+    isValid(): boolean;
+    /** Check if the license is within its grace period (expired but still valid) */
+    isInGracePeriod(): boolean;
+    private resolveToken;
+    private readFile;
+    private verifyAndDecode;
+}
+//# sourceMappingURL=validator.d.ts.map

package/dist/enterprise/license/validator.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"validator.d.ts","sourceRoot":"","sources":["file:///home/runner/work/visor/visor/src/enterprise/license/validator.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAMH,MAAM,WAAW,cAAc;IAC7B,GAAG,EAAE,MAAM,CAAC;IACZ,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;CACb;AAED,qBAAa,gBAAgB;IAC3B,gEAAgE;IAChE,OAAO,CAAC,MAAM,CAAC,UAAU,CAGM;IAE/B,OAAO,CAAC,KAAK,CAAiE;IAC9E,OAAO,CAAC,MAAM,CAAC,SAAS,CAAiB;IACzC,OAAO,CAAC,MAAM,CAAC,YAAY,CAAoB;IAE/C;;;;;;;;OAQG;IACG,eAAe,IAAI,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC;IAgBvD,8CAA8C;IAC9C,UAAU,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO;IAKpC,oDAAoD;IACpD,OAAO,IAAI,OAAO;IAOlB,gFAAgF;IAChF,eAAe,IAAI,OAAO;IAO1B,OAAO,CAAC,YAAY;IA+CpB,OAAO,CAAC,QAAQ;IAQhB,OAAO,CAAC,eAAe;CAwDxB"}

package/dist/enterprise/loader.d.ts ADDED Viewed

@@ -0,0 +1,25 @@
+/**
+ * Copyright (c) ProbeLabs. All rights reserved.
+ * Licensed under the Elastic License 2.0; you may not use this file except
+ * in compliance with the Elastic License 2.0.
+ */
+import type { PolicyEngine, PolicyConfig } from '../policy/types';
+import type { ScheduleStoreBackend, StorageConfig, HAConfig } from '../scheduler/store/types';
+/**
+ * Load the enterprise policy engine if licensed, otherwise return the default no-op engine.
+ *
+ * This is the sole import boundary between OSS and enterprise code. Core code
+ * must only import from this module (via dynamic `await import()`), never from
+ * individual enterprise submodules.
+ */
+export declare function loadEnterprisePolicyEngine(config: PolicyConfig): Promise<PolicyEngine>;
+/**
+ * Load the enterprise schedule store backend if licensed.
+ *
+ * @param driver Database driver ('postgresql', 'mysql', or 'mssql')
+ * @param storageConfig Storage configuration with connection details
+ * @param haConfig Optional HA configuration
+ * @throws Error if enterprise license is not available or missing 'scheduler-sql' feature
+ */
+export declare function loadEnterpriseStoreBackend(driver: 'postgresql' | 'mysql' | 'mssql', storageConfig: StorageConfig, haConfig?: HAConfig): Promise<ScheduleStoreBackend>;
+//# sourceMappingURL=loader.d.ts.map

package/dist/enterprise/loader.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"loader.d.ts","sourceRoot":"","sources":["file:///home/runner/work/visor/visor/src/enterprise/loader.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAElE,OAAO,KAAK,EAAE,oBAAoB,EAAE,aAAa,EAAE,QAAQ,EAAE,MAAM,0BAA0B,CAAC;AAE9F;;;;;;GAMG;AACH,wBAAsB,0BAA0B,CAAC,MAAM,EAAE,YAAY,GAAG,OAAO,CAAC,YAAY,CAAC,CAiC5F;AAED;;;;;;;GAOG;AACH,wBAAsB,0BAA0B,CAC9C,MAAM,EAAE,YAAY,GAAG,OAAO,GAAG,OAAO,EACxC,aAAa,EAAE,aAAa,EAC5B,QAAQ,CAAC,EAAE,QAAQ,GAClB,OAAO,CAAC,oBAAoB,CAAC,CAsB/B"}

package/dist/enterprise/policy/opa-compiler.d.ts ADDED Viewed

@@ -0,0 +1,37 @@
+/**
+ * Copyright (c) ProbeLabs. All rights reserved.
+ * Licensed under the Elastic License 2.0; you may not use this file except
+ * in compliance with the Elastic License 2.0.
+ */
+/**
+ * OPA Rego Compiler - compiles .rego policy files to WASM bundles using the `opa` CLI.
+ *
+ * Handles:
+ * - Resolving input paths to WASM bytes (direct .wasm, directory with policy.wasm, or .rego files)
+ * - Compiling .rego files to WASM via `opa build`
+ * - Caching compiled bundles based on content hashes
+ * - Extracting policy.wasm from OPA tar.gz bundles
+ *
+ * Requires:
+ * - `opa` CLI on PATH (only when auto-compiling .rego files)
+ */
+export declare class OpaCompiler {
+    private static CACHE_DIR;
+    /**
+     * Resolve the input paths to WASM bytes.
+     *
+     * Strategy:
+     * 1. If any path is a .wasm file, read it directly
+     * 2. If a directory contains policy.wasm, read it
+     * 3. Otherwise, collect all .rego files and auto-compile via `opa build`
+     */
+    resolveWasmBytes(paths: string[]): Promise<Buffer>;
+    /**
+     * Auto-compile .rego files to a WASM bundle using the `opa` CLI.
+     *
+     * Caches the compiled bundle based on a content hash of all input .rego files
+     * so subsequent runs skip compilation if policies haven't changed.
+     */
+    private compileRego;
+}
+//# sourceMappingURL=opa-compiler.d.ts.map

package/dist/enterprise/policy/opa-compiler.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"opa-compiler.d.ts","sourceRoot":"","sources":["file:///home/runner/work/visor/visor/src/enterprise/policy/opa-compiler.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAQH;;;;;;;;;;;GAWG;AACH,qBAAa,WAAW;IACtB,OAAO,CAAC,MAAM,CAAC,SAAS,CAA6C;IAErE;;;;;;;OAOG;IACG,gBAAgB,CAAC,KAAK,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC;IA+CxD;;;;;OAKG;IACH,OAAO,CAAC,WAAW;CA2FpB"}

package/dist/enterprise/policy/opa-http-evaluator.d.ts ADDED Viewed

@@ -0,0 +1,36 @@
+/**
+ * Copyright (c) ProbeLabs. All rights reserved.
+ * Licensed under the Elastic License 2.0; you may not use this file except
+ * in compliance with the Elastic License 2.0.
+ */
+/**
+ * OPA HTTP Evaluator - evaluates policies via an external OPA server's REST API.
+ *
+ * Uses the built-in `fetch` API (Node 18+), so no extra dependencies are needed.
+ */
+export declare class OpaHttpEvaluator {
+    private baseUrl;
+    private timeout;
+    constructor(baseUrl: string, timeout?: number);
+    /**
+     * Check if a hostname is blocked due to SSRF concerns.
+     *
+     * Blocks:
+     * - Loopback addresses (127.x.x.x, localhost, 0.0.0.0, ::1)
+     * - Link-local addresses (169.254.x.x)
+     * - Private networks (10.x.x.x, 172.16-31.x.x, 192.168.x.x)
+     * - IPv6 unique local addresses (fd00::/8)
+     * - Cloud metadata services (*.internal)
+     */
+    private isBlockedHostname;
+    /**
+     * Evaluate a policy rule against an input document via OPA REST API.
+     *
+     * @param input - The input document to evaluate
+     * @param rulePath - OPA rule path (e.g., 'visor/check/execute')
+     * @returns The result object from OPA, or undefined on error
+     */
+    evaluate(input: object, rulePath: string): Promise<any>;
+    shutdown(): Promise<void>;
+}
+//# sourceMappingURL=opa-http-evaluator.d.ts.map

package/dist/enterprise/policy/opa-http-evaluator.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"opa-http-evaluator.d.ts","sourceRoot":"","sources":["file:///home/runner/work/visor/visor/src/enterprise/policy/opa-http-evaluator.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH;;;;GAIG;AACH,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,OAAO,CAAS;IACxB,OAAO,CAAC,OAAO,CAAS;gBAEZ,OAAO,EAAE,MAAM,EAAE,OAAO,GAAE,MAAa;IAyBnD;;;;;;;;;OASG;IACH,OAAO,CAAC,iBAAiB;IA6EzB;;;;;;OAMG;IACG,QAAQ,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC;IAsCvD,QAAQ,IAAI,OAAO,CAAC,IAAI,CAAC;CAGhC"}

package/dist/enterprise/policy/opa-policy-engine.d.ts ADDED Viewed

@@ -0,0 +1,48 @@
+/**
+ * Copyright (c) ProbeLabs. All rights reserved.
+ * Licensed under the Elastic License 2.0; you may not use this file except
+ * in compliance with the Elastic License 2.0.
+ */
+import type { PolicyEngine, PolicyConfig, PolicyDecision } from '../../policy/types';
+import { type ActorContext, type RepositoryContext, type PullRequestContext } from './policy-input-builder';
+/**
+ * Enterprise OPA Policy Engine.
+ *
+ * Wraps both WASM (local) and HTTP (remote) OPA evaluators behind the
+ * OSS PolicyEngine interface. All OPA input building and role resolution
+ * is handled internally — the OSS call sites pass only plain types.
+ */
+export declare class OpaPolicyEngine implements PolicyEngine {
+    private evaluator;
+    private fallback;
+    private timeout;
+    private config;
+    private inputBuilder;
+    private logger;
+    constructor(config: PolicyConfig);
+    initialize(config: PolicyConfig): Promise<void>;
+    /**
+     * Update actor/repo/PR context (e.g., after PR info becomes available).
+     * Called by the enterprise loader when engine context is enriched.
+     */
+    setActorContext(actor: ActorContext, repo?: RepositoryContext, pullRequest?: PullRequestContext): void;
+    evaluateCheckExecution(checkId: string, checkConfig: unknown): Promise<PolicyDecision>;
+    evaluateToolInvocation(serverName: string, methodName: string, transport?: string): Promise<PolicyDecision>;
+    evaluateCapabilities(checkId: string, capabilities: {
+        allowEdit?: boolean;
+        allowBash?: boolean;
+        allowedTools?: string[];
+    }): Promise<PolicyDecision>;
+    shutdown(): Promise<void>;
+    private resolveRulePath;
+    private doEvaluate;
+    private rawEvaluate;
+    /**
+     * Navigate nested OPA WASM result tree to reach the specific rule's output.
+     * The WASM entrypoint `-e visor` means the result root IS the visor package,
+     * so we strip the `visor/` prefix and walk the remaining segments.
+     */
+    private navigateWasmResult;
+    private parseDecision;
+}
+//# sourceMappingURL=opa-policy-engine.d.ts.map

package/dist/enterprise/policy/opa-policy-engine.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"opa-policy-engine.d.ts","sourceRoot":"","sources":["file:///home/runner/work/visor/visor/src/enterprise/policy/opa-policy-engine.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,YAAY,EACZ,YAAY,EACZ,cAAc,EAEf,MAAM,oBAAoB,CAAC;AAG5B,OAAO,EAEL,KAAK,YAAY,EACjB,KAAK,iBAAiB,EACtB,KAAK,kBAAkB,EACxB,MAAM,wBAAwB,CAAC;AAEhC;;;;;;GAMG;AACH,qBAAa,eAAgB,YAAW,YAAY;IAClD,OAAO,CAAC,SAAS,CAAoD;IACrE,OAAO,CAAC,QAAQ,CAA4B;IAC5C,OAAO,CAAC,OAAO,CAAS;IACxB,OAAO,CAAC,MAAM,CAAe;IAC7B,OAAO,CAAC,YAAY,CAAmC;IACvD,OAAO,CAAC,MAAM,CAAa;gBAEf,MAAM,EAAE,YAAY;IAM1B,UAAU,CAAC,MAAM,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC;IAiDrD;;;OAGG;IACH,eAAe,CACb,KAAK,EAAE,YAAY,EACnB,IAAI,CAAC,EAAE,iBAAiB,EACxB,WAAW,CAAC,EAAE,kBAAkB,GAC/B,IAAI;IAID,sBAAsB,CAAC,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,OAAO,GAAG,OAAO,CAAC,cAAc,CAAC;IAmBtF,sBAAsB,CAC1B,UAAU,EAAE,MAAM,EAClB,UAAU,EAAE,MAAM,EAClB,SAAS,CAAC,EAAE,MAAM,GACjB,OAAO,CAAC,cAAc,CAAC;IAMpB,oBAAoB,CACxB,OAAO,EAAE,MAAM,EACf,YAAY,EAAE;QACZ,SAAS,CAAC,EAAE,OAAO,CAAC;QACpB,SAAS,CAAC,EAAE,OAAO,CAAC;QACpB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;KACzB,GACA,OAAO,CAAC,cAAc,CAAC;IAMpB,QAAQ,IAAI,OAAO,CAAC,IAAI,CAAC;IAQ/B,OAAO,CAAC,eAAe;YAOT,UAAU;YAkCV,WAAW;IAWzB;;;;OAIG;IACH,OAAO,CAAC,kBAAkB;IAe1B,OAAO,CAAC,aAAa;CAqBtB"}