npm - @probelabs/visor - Versions diffs - 0.1.129 → 0.1.130 - Mend

@probelabs/visor 0.1.129 → 0.1.130

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (206) hide show

package/dist/examples/enterprise-policy/policies/capability_resolve_test.rego ADDED Viewed

@@ -0,0 +1,230 @@
+# Tests for AI capability restriction policy
+# Run with: opa test examples/enterprise-policy/policies/
+package visor.capability.resolve
+# ---------------------------------------------------------------------------
+# External contributors – allowBash=false and allowEdit=false
+# ---------------------------------------------------------------------------
+test_external_gets_allowBash_false {
+  capabilities["allowBash"] == false with input as {
+    "scope": "capability.resolve",
+    "check": {"id": "ai-review", "type": "ai"},
+    "capability": {"allowEdit": true, "allowBash": true},
+    "actor": {"roles": ["external"], "isLocalMode": false}
+  }
+}
+test_external_gets_allowEdit_false {
+  capabilities["allowEdit"] == false with input as {
+    "scope": "capability.resolve",
+    "check": {"id": "ai-review", "type": "ai"},
+    "capability": {"allowEdit": true, "allowBash": true},
+    "actor": {"roles": ["external"], "isLocalMode": false}
+  }
+}
+test_external_both_restricted {
+  caps := capabilities with input as {
+    "scope": "capability.resolve",
+    "check": {"id": "ai-review", "type": "ai"},
+    "capability": {"allowEdit": true, "allowBash": true},
+    "actor": {"roles": ["external"], "isLocalMode": false}
+  }
+  caps["allowBash"] == false
+  caps["allowEdit"] == false
+}
+# ---------------------------------------------------------------------------
+# Reviewer – not developer/admin so allowEdit=false, not external so no bash restriction
+# ---------------------------------------------------------------------------
+test_reviewer_gets_allowEdit_false {
+  capabilities["allowEdit"] == false with input as {
+    "scope": "capability.resolve",
+    "check": {"id": "ai-review", "type": "ai"},
+    "capability": {"allowEdit": true, "allowBash": true},
+    "actor": {"roles": ["reviewer"], "isLocalMode": false}
+  }
+}
+test_reviewer_no_allowBash_restriction {
+  not capabilities["allowBash"] with input as {
+    "scope": "capability.resolve",
+    "check": {"id": "ai-review", "type": "ai"},
+    "capability": {"allowEdit": true, "allowBash": true},
+    "actor": {"roles": ["reviewer"], "isLocalMode": false}
+  }
+}
+# ---------------------------------------------------------------------------
+# Developer – keeps allowEdit (is_developer), no bash restriction
+# ---------------------------------------------------------------------------
+test_developer_no_allowEdit_restriction {
+  not capabilities["allowEdit"] with input as {
+    "scope": "capability.resolve",
+    "check": {"id": "ai-review", "type": "ai"},
+    "capability": {"allowEdit": true, "allowBash": true},
+    "actor": {"roles": ["developer"], "isLocalMode": false}
+  }
+}
+test_developer_no_allowBash_restriction {
+  not capabilities["allowBash"] with input as {
+    "scope": "capability.resolve",
+    "check": {"id": "ai-review", "type": "ai"},
+    "capability": {"allowEdit": true, "allowBash": true},
+    "actor": {"roles": ["developer"], "isLocalMode": false}
+  }
+}
+test_developer_capabilities_empty {
+  # Developer should produce no capability restrictions at all
+  count(capabilities) == 0 with input as {
+    "scope": "capability.resolve",
+    "check": {"id": "ai-review", "type": "ai"},
+    "capability": {"allowEdit": true, "allowBash": true},
+    "actor": {"roles": ["developer"], "isLocalMode": false}
+  }
+}
+# ---------------------------------------------------------------------------
+# Admin – keeps everything (is_admin bypasses allowEdit restriction)
+# ---------------------------------------------------------------------------
+test_admin_no_allowEdit_restriction {
+  not capabilities["allowEdit"] with input as {
+    "scope": "capability.resolve",
+    "check": {"id": "ai-review", "type": "ai"},
+    "capability": {"allowEdit": true, "allowBash": true},
+    "actor": {"roles": ["admin"], "isLocalMode": false}
+  }
+}
+test_admin_no_allowBash_restriction {
+  not capabilities["allowBash"] with input as {
+    "scope": "capability.resolve",
+    "check": {"id": "ai-review", "type": "ai"},
+    "capability": {"allowEdit": true, "allowBash": true},
+    "actor": {"roles": ["admin"], "isLocalMode": false}
+  }
+}
+test_admin_capabilities_empty {
+  count(capabilities) == 0 with input as {
+    "scope": "capability.resolve",
+    "check": {"id": "ai-review", "type": "ai"},
+    "capability": {"allowEdit": true, "allowBash": true},
+    "actor": {"roles": ["admin"], "isLocalMode": false}
+  }
+}
+# ---------------------------------------------------------------------------
+# Empty roles – not developer, not admin => allowEdit=false; not external => no bash
+# ---------------------------------------------------------------------------
+test_empty_roles_gets_allowEdit_false {
+  capabilities["allowEdit"] == false with input as {
+    "scope": "capability.resolve",
+    "check": {"id": "ai-review", "type": "ai"},
+    "capability": {"allowEdit": true, "allowBash": true},
+    "actor": {"roles": [], "isLocalMode": false}
+  }
+}
+test_empty_roles_no_allowBash_restriction {
+  not capabilities["allowBash"] with input as {
+    "scope": "capability.resolve",
+    "check": {"id": "ai-review", "type": "ai"},
+    "capability": {"allowEdit": true, "allowBash": true},
+    "actor": {"roles": [], "isLocalMode": false}
+  }
+}
+# ---------------------------------------------------------------------------
+# Helper rules
+# ---------------------------------------------------------------------------
+test_is_developer_true {
+  is_developer with input as {
+    "actor": {"roles": ["developer"], "isLocalMode": false}
+  }
+}
+test_is_developer_false_for_reviewer {
+  not is_developer with input as {
+    "actor": {"roles": ["reviewer"], "isLocalMode": false}
+  }
+}
+test_is_admin_true {
+  is_admin with input as {
+    "actor": {"roles": ["admin"], "isLocalMode": false}
+  }
+}
+test_is_admin_false_for_developer {
+  not is_admin with input as {
+    "actor": {"roles": ["developer"], "isLocalMode": false}
+  }
+}
+test_is_admin_false_for_empty_roles {
+  not is_admin with input as {
+    "actor": {"roles": [], "isLocalMode": false}
+  }
+}
+# ---------------------------------------------------------------------------
+# Multi-role actors
+# ---------------------------------------------------------------------------
+test_developer_and_external_keeps_edit_but_loses_bash {
+  # developer satisfies is_developer so allowEdit is not restricted
+  # external triggers allowBash=false
+  caps := capabilities with input as {
+    "scope": "capability.resolve",
+    "check": {"id": "ai-review", "type": "ai"},
+    "capability": {"allowEdit": true, "allowBash": true},
+    "actor": {"roles": ["developer", "external"], "isLocalMode": false}
+  }
+  not caps["allowEdit"]
+  caps["allowBash"] == false
+}
+test_admin_and_external_keeps_edit_but_loses_bash {
+  # admin satisfies is_admin so allowEdit is not restricted
+  # external role still triggers allowBash=false
+  caps := capabilities with input as {
+    "scope": "capability.resolve",
+    "check": {"id": "ai-review", "type": "ai"},
+    "capability": {"allowEdit": true, "allowBash": true},
+    "actor": {"roles": ["admin", "external"], "isLocalMode": false}
+  }
+  not caps["allowEdit"]
+  caps["allowBash"] == false
+}
+# ---------------------------------------------------------------------------
+# Unknown role – not developer/admin => allowEdit=false, not external => no bash
+# ---------------------------------------------------------------------------
+test_unknown_role_gets_allowEdit_false {
+  capabilities["allowEdit"] == false with input as {
+    "scope": "capability.resolve",
+    "check": {"id": "ai-review", "type": "ai"},
+    "capability": {"allowEdit": true, "allowBash": true},
+    "actor": {"roles": ["guest"], "isLocalMode": false}
+  }
+}
+test_unknown_role_no_allowBash_restriction {
+  not capabilities["allowBash"] with input as {
+    "scope": "capability.resolve",
+    "check": {"id": "ai-review", "type": "ai"},
+    "capability": {"allowEdit": true, "allowBash": true},
+    "actor": {"roles": ["guest"], "isLocalMode": false}
+  }
+}

package/dist/examples/enterprise-policy/policies/check_execute.rego ADDED Viewed

@@ -0,0 +1,71 @@
+# Check execution gating policy (Visor Enterprise Edition)
+# Controls which roles can run each check.
+# Contact hello@probelabs.com for licensing.
+package visor.check.execute
+default allowed = false
+# Explicit deny list from YAML policy.deny — if any of the actor's roles
+# appear in the deny list, the check is unconditionally blocked.
+# This is WASM-safe: uses explicit iteration with `some` instead of
+# `not collection[_] == value`.
+denied {
+  input.check.policy
+  some i, j
+  input.check.policy.deny[i] == input.actor.roles[j]
+}
+# Admin can run anything (unless explicitly denied)
+allowed {
+  not denied
+  input.actor.roles[_] == "admin"
+}
+# Developers can run non-production checks (unless explicitly denied)
+allowed {
+  not denied
+  input.actor.roles[_] == "developer"
+  not startswith(input.check.id, "deploy-production")
+}
+# Reviewers can run read-only checks (info/policy criticality)
+allowed {
+  not denied
+  input.actor.roles[_] == "reviewer"
+  input.check.criticality == "info"
+}
+allowed {
+  not denied
+  input.actor.roles[_] == "reviewer"
+  input.check.criticality == "policy"
+}
+# Per-step role requirement (from YAML policy.require)
+allowed {
+  not denied
+  required := input.check.policy.require
+  is_string(required)
+  input.actor.roles[_] == required
+}
+allowed {
+  not denied
+  required := input.check.policy.require
+  is_array(required)
+  required[_] == input.actor.roles[_]
+}
+# Local mode bypasses policy for checks without explicit requirements.
+# Checks that declare `policy.require` in YAML still enforce roles even when
+# running locally, so sensitive steps (e.g. deploy-production) stay protected.
+# Explicit deny lists are still enforced in local mode.
+allowed {
+  not denied
+  input.actor.isLocalMode == true
+  not input.check.policy
+}
+reason = "role is in the deny list for this check" { denied }
+reason = "insufficient role for this check" { not denied; not allowed }

package/dist/examples/enterprise-policy/policies/check_execute_test.rego ADDED Viewed

@@ -0,0 +1,321 @@
+# Tests for check execution gating policy
+# Run with: opa test examples/enterprise-policy/policies/
+package visor.check.execute
+# ---------------------------------------------------------------------------
+# Admin bypass – admin can run anything regardless of check id or type
+# ---------------------------------------------------------------------------
+test_admin_allowed_for_production_deploy {
+  allowed with input as {
+    "scope": "check.execute",
+    "check": {"id": "deploy-production", "type": "command"},
+    "actor": {"roles": ["admin"], "isLocalMode": false}
+  }
+}
+test_admin_allowed_for_arbitrary_check {
+  allowed with input as {
+    "scope": "check.execute",
+    "check": {"id": "lint-code", "type": "ai", "criticality": "high"},
+    "actor": {"roles": ["admin"], "isLocalMode": false}
+  }
+}
+test_admin_allowed_even_with_require_other_role {
+  allowed with input as {
+    "scope": "check.execute",
+    "check": {"id": "deploy-production", "type": "command", "policy": {"require": "superadmin"}},
+    "actor": {"roles": ["admin"], "isLocalMode": false}
+  }
+}
+# ---------------------------------------------------------------------------
+# Developer restrictions – allowed for non-production, denied for production
+# ---------------------------------------------------------------------------
+test_developer_allowed_for_non_production_check {
+  allowed with input as {
+    "scope": "check.execute",
+    "check": {"id": "lint-code", "type": "ai"},
+    "actor": {"roles": ["developer"], "isLocalMode": false}
+  }
+}
+test_developer_allowed_for_test_suite {
+  allowed with input as {
+    "scope": "check.execute",
+    "check": {"id": "run-tests", "type": "command"},
+    "actor": {"roles": ["developer"], "isLocalMode": false}
+  }
+}
+test_developer_denied_for_deploy_production {
+  not allowed with input as {
+    "scope": "check.execute",
+    "check": {"id": "deploy-production", "type": "command"},
+    "actor": {"roles": ["developer"], "isLocalMode": false}
+  }
+}
+test_developer_denied_for_deploy_production_with_suffix {
+  not allowed with input as {
+    "scope": "check.execute",
+    "check": {"id": "deploy-production-canary", "type": "command"},
+    "actor": {"roles": ["developer"], "isLocalMode": false}
+  }
+}
+# ---------------------------------------------------------------------------
+# Reviewer – allowed only for info and policy criticality
+# ---------------------------------------------------------------------------
+test_reviewer_allowed_for_info_criticality {
+  allowed with input as {
+    "scope": "check.execute",
+    "check": {"id": "info-check", "type": "ai", "criticality": "info"},
+    "actor": {"roles": ["reviewer"], "isLocalMode": false}
+  }
+}
+test_reviewer_allowed_for_policy_criticality {
+  allowed with input as {
+    "scope": "check.execute",
+    "check": {"id": "policy-check", "type": "ai", "criticality": "policy"},
+    "actor": {"roles": ["reviewer"], "isLocalMode": false}
+  }
+}
+test_reviewer_denied_for_high_criticality {
+  not allowed with input as {
+    "scope": "check.execute",
+    "check": {"id": "high-check", "type": "ai", "criticality": "high"},
+    "actor": {"roles": ["reviewer"], "isLocalMode": false}
+  }
+}
+test_reviewer_denied_when_no_criticality {
+  not allowed with input as {
+    "scope": "check.execute",
+    "check": {"id": "some-check", "type": "command"},
+    "actor": {"roles": ["reviewer"], "isLocalMode": false}
+  }
+}
+test_reviewer_denied_for_critical_criticality {
+  not allowed with input as {
+    "scope": "check.execute",
+    "check": {"id": "critical-check", "type": "command", "criticality": "critical"},
+    "actor": {"roles": ["reviewer"], "isLocalMode": false}
+  }
+}
+# ---------------------------------------------------------------------------
+# Per-step policy.require – string match
+# ---------------------------------------------------------------------------
+test_require_string_match {
+  allowed with input as {
+    "scope": "check.execute",
+    "check": {"id": "custom-step", "type": "command", "policy": {"require": "developer"}},
+    "actor": {"roles": ["developer"], "isLocalMode": false}
+  }
+}
+test_require_string_no_match {
+  not allowed with input as {
+    "scope": "check.execute",
+    "check": {"id": "custom-step", "type": "command", "policy": {"require": "admin"}},
+    "actor": {"roles": ["external"], "isLocalMode": false}
+  }
+}
+test_require_string_exact_role {
+  allowed with input as {
+    "scope": "check.execute",
+    "check": {"id": "ops-step", "type": "command", "policy": {"require": "ops"}},
+    "actor": {"roles": ["ops"], "isLocalMode": false}
+  }
+}
+# ---------------------------------------------------------------------------
+# Per-step policy.require – array match
+# ---------------------------------------------------------------------------
+test_require_array_match_first_element {
+  allowed with input as {
+    "scope": "check.execute",
+    "check": {"id": "multi-role-step", "type": "command", "policy": {"require": ["admin", "developer"]}},
+    "actor": {"roles": ["admin"], "isLocalMode": false}
+  }
+}
+test_require_array_match_second_element {
+  allowed with input as {
+    "scope": "check.execute",
+    "check": {"id": "multi-role-step", "type": "command", "policy": {"require": ["admin", "developer"]}},
+    "actor": {"roles": ["developer"], "isLocalMode": false}
+  }
+}
+test_require_array_no_match {
+  not allowed with input as {
+    "scope": "check.execute",
+    "check": {"id": "multi-role-step", "type": "command", "policy": {"require": ["admin", "developer"]}},
+    "actor": {"roles": ["external"], "isLocalMode": false}
+  }
+}
+# ---------------------------------------------------------------------------
+# Local mode – CLI gets broader access regardless of roles
+# ---------------------------------------------------------------------------
+test_local_mode_allows_everything {
+  allowed with input as {
+    "scope": "check.execute",
+    "check": {"id": "deploy-production", "type": "command"},
+    "actor": {"roles": [], "isLocalMode": true}
+  }
+}
+test_local_mode_allows_with_no_roles {
+  allowed with input as {
+    "scope": "check.execute",
+    "check": {"id": "any-check", "type": "ai"},
+    "actor": {"roles": [], "isLocalMode": true}
+  }
+}
+test_local_mode_false_does_not_grant_access {
+  not allowed with input as {
+    "scope": "check.execute",
+    "check": {"id": "deploy-production", "type": "command"},
+    "actor": {"roles": [], "isLocalMode": false}
+  }
+}
+# ---------------------------------------------------------------------------
+# Deny cases – no matching role and not local mode
+# ---------------------------------------------------------------------------
+test_external_denied_for_production {
+  not allowed with input as {
+    "scope": "check.execute",
+    "check": {"id": "deploy-production", "type": "command"},
+    "actor": {"roles": ["external"], "isLocalMode": false}
+  }
+}
+test_empty_roles_denied {
+  not allowed with input as {
+    "scope": "check.execute",
+    "check": {"id": "lint-code", "type": "ai"},
+    "actor": {"roles": [], "isLocalMode": false}
+  }
+}
+test_unknown_role_denied {
+  not allowed with input as {
+    "scope": "check.execute",
+    "check": {"id": "lint-code", "type": "ai"},
+    "actor": {"roles": ["guest"], "isLocalMode": false}
+  }
+}
+# ---------------------------------------------------------------------------
+# Reason message
+# ---------------------------------------------------------------------------
+test_reason_present_when_denied {
+  reason == "insufficient role for this check" with input as {
+    "scope": "check.execute",
+    "check": {"id": "deploy-production", "type": "command"},
+    "actor": {"roles": ["external"], "isLocalMode": false}
+  }
+}
+test_reason_not_defined_when_allowed {
+  not reason with input as {
+    "scope": "check.execute",
+    "check": {"id": "deploy-production", "type": "command"},
+    "actor": {"roles": ["admin"], "isLocalMode": false}
+  }
+}
+# ---------------------------------------------------------------------------
+# Multi-role actor – at least one matching role grants access
+# ---------------------------------------------------------------------------
+test_multi_role_actor_allowed_via_admin {
+  allowed with input as {
+    "scope": "check.execute",
+    "check": {"id": "deploy-production", "type": "command"},
+    "actor": {"roles": ["reviewer", "admin"], "isLocalMode": false}
+  }
+}
+test_multi_role_actor_developer_plus_reviewer_non_production {
+  allowed with input as {
+    "scope": "check.execute",
+    "check": {"id": "lint-code", "type": "ai"},
+    "actor": {"roles": ["developer", "reviewer"], "isLocalMode": false}
+  }
+}
+# ---------------------------------------------------------------------------
+# Deny list tests
+# ---------------------------------------------------------------------------
+test_denied_blocks_admin_when_in_deny_list {
+  not allowed with input as {
+    "actor": {"roles": ["admin"], "isLocalMode": false},
+    "check": {"id": "sensitive-check", "type": "ai", "policy": {"deny": ["admin"]}}
+  }
+}
+test_denied_blocks_developer_when_in_deny_list {
+  not allowed with input as {
+    "actor": {"roles": ["developer"], "isLocalMode": false},
+    "check": {"id": "some-check", "type": "ai", "policy": {"deny": ["developer"]}}
+  }
+}
+test_denied_does_not_block_when_role_not_in_deny_list {
+  allowed with input as {
+    "actor": {"roles": ["admin"], "isLocalMode": false},
+    "check": {"id": "some-check", "type": "ai", "policy": {"deny": ["external"]}}
+  }
+}
+test_denied_with_empty_deny_list {
+  allowed with input as {
+    "actor": {"roles": ["admin"], "isLocalMode": false},
+    "check": {"id": "some-check", "type": "ai", "policy": {"deny": []}}
+  }
+}
+test_denied_reason_message {
+  reason == "role is in the deny list for this check" with input as {
+    "actor": {"roles": ["developer"], "isLocalMode": false},
+    "check": {"id": "some-check", "type": "ai", "policy": {"deny": ["developer"]}}
+  }
+}
+# ---------------------------------------------------------------------------
+# Local mode + policy.require
+# ---------------------------------------------------------------------------
+test_local_mode_with_policy_require_enforces_roles {
+  not allowed with input as {
+    "actor": {"roles": [], "isLocalMode": true},
+    "check": {"id": "secure-deploy", "type": "command", "policy": {"require": "admin"}}
+  }
+}
+test_local_mode_with_policy_require_admin_allowed {
+  allowed with input as {
+    "actor": {"roles": ["admin"], "isLocalMode": true},
+    "check": {"id": "secure-deploy", "type": "command", "policy": {"require": "admin"}}
+  }
+}

package/dist/examples/enterprise-policy/policies/deploy_production.rego ADDED Viewed

@@ -0,0 +1,33 @@
+# Production deployment policy (Visor Enterprise Edition)
+# Custom rule path example: routes `deploy-production` check to this
+# dedicated package instead of the default `visor.check.execute`.
+#
+# Usage in .visor.yaml:
+#   steps:
+#     deploy-production:
+#       type: command
+#       exec: ./deploy.sh production
+#       policy:
+#         require: admin
+#         rule: visor/deploy/production
+#
+# The YAML `rule` field uses slashes; the Rego package uses dots.
+# visor/deploy/production  -->  package visor.deploy.production
+#
+# Contact hello@probelabs.com for licensing.
+package visor.deploy.production
+default allowed = false
+# Helper: check if actor is an admin (WASM-safe pattern —
+# avoids `not input.actor.roles[_] == "admin"` which is unsafe for WASM)
+is_admin { input.actor.roles[_] == "admin" }
+# Only admins can deploy to production, and only when targeting main
+allowed {
+  is_admin
+  input.repository.baseBranch == "main"
+}
+reason = "only admins can deploy to production" { not allowed }

package/dist/examples/enterprise-policy/policies/deploy_production_test.rego ADDED Viewed

@@ -0,0 +1,29 @@
+package visor.deploy.production
+test_admin_allowed_with_main_branch {
+  allowed with input as {
+    "actor": {"roles": ["admin"], "isLocalMode": false},
+    "repository": {"baseBranch": "main"}
+  }
+}
+test_admin_denied_without_main_branch {
+  not allowed with input as {
+    "actor": {"roles": ["admin"], "isLocalMode": false},
+    "repository": {"baseBranch": "develop"}
+  }
+}
+test_non_admin_denied {
+  not allowed with input as {
+    "actor": {"roles": ["developer"], "isLocalMode": false},
+    "repository": {"baseBranch": "main"}
+  }
+}
+test_reason_when_denied {
+  reason == "only admins can deploy to production" with input as {
+    "actor": {"roles": ["developer"], "isLocalMode": false},
+    "repository": {"baseBranch": "main"}
+  }
+}