@red-codes/policy 1.0.0

package/dist/evaluator.js

@@ -0,0 +1,335 @@
+// Policy evaluator — matches actions against loaded policies.
+// Pure domain logic. No DOM, no Node.js-specific APIs.
+import { PolicyMatcher } from '@red-codes/matchers';
+function matchAction(pattern, action) {
+    return PolicyMatcher.matchAction(pattern, action);
+}
+function matchScope(scopePatterns, target) {
+    return PolicyMatcher.matchScope(scopePatterns, target);
+}
+function matchPersonaCondition(personaCond, persona) {
+    if (!persona)
+        return false;
+    if (personaCond.trustTier && personaCond.trustTier.length > 0) {
+        if (!persona.trustTier || !personaCond.trustTier.includes(persona.trustTier))
+            return false;
+    }
+    if (personaCond.role && personaCond.role.length > 0) {
+        if (!persona.role || !personaCond.role.includes(persona.role))
+            return false;
+    }
+    if (personaCond.autonomy && personaCond.autonomy.length > 0) {
+        if (!persona.autonomy || !personaCond.autonomy.includes(persona.autonomy))
+            return false;
+    }
+    if (personaCond.riskTolerance && personaCond.riskTolerance.length > 0) {
+        if (!persona.riskTolerance || !personaCond.riskTolerance.includes(persona.riskTolerance)) {
+            return false;
+        }
+    }
+    if (personaCond.tags && personaCond.tags.length > 0) {
+        if (!persona.tags || !personaCond.tags.some((t) => persona.tags.includes(t)))
+            return false;
+    }
+    return true;
+}
+function matchForecastCondition(forecastCond, forecast) {
+    if (!forecast)
+        return { matched: false, values: {} };
+    const values = {};
+    if (forecastCond.testRiskScore !== undefined) {
+        values.testRiskScore = {
+            actual: forecast.testRiskScore,
+            threshold: forecastCond.testRiskScore,
+        };
+        if (forecast.testRiskScore < forecastCond.testRiskScore) {
+            return { matched: false, values };
+        }
+    }
+    if (forecastCond.blastRadiusScore !== undefined) {
+        values.blastRadiusScore = {
+            actual: forecast.blastRadiusScore,
+            threshold: forecastCond.blastRadiusScore,
+        };
+        if (forecast.blastRadiusScore < forecastCond.blastRadiusScore) {
+            return { matched: false, values };
+        }
+    }
+    if (forecastCond.riskLevel && forecastCond.riskLevel.length > 0) {
+        values.riskLevel = { actual: forecast.riskLevel, required: forecastCond.riskLevel };
+        if (!forecastCond.riskLevel.includes(forecast.riskLevel)) {
+            return { matched: false, values };
+        }
+    }
+    if (forecastCond.predictedFileCount !== undefined) {
+        values.predictedFileCount = {
+            actual: forecast.predictedFiles.length,
+            threshold: forecastCond.predictedFileCount,
+        };
+        if (forecast.predictedFiles.length < forecastCond.predictedFileCount) {
+            return { matched: false, values };
+        }
+    }
+    if (forecastCond.dependencyCount !== undefined) {
+        values.dependencyCount = {
+            actual: forecast.dependenciesAffected.length,
+            threshold: forecastCond.dependencyCount,
+        };
+        if (forecast.dependenciesAffected.length < forecastCond.dependencyCount) {
+            return { matched: false, values };
+        }
+    }
+    return { matched: true, values };
+}
+function matchConditions(conditions, intent, effect = 'allow') {
+    if (!conditions)
+        return { matched: true };
+    // Gate conditions: skip this rule when the required flag is satisfied.
+    // For deny rules, this means the deny is bypassed when the condition passes.
+    if (conditions.requireTests && intent.metadata?.testsPass === true) {
+        return { matched: false };
+    }
+    if (conditions.requireFormat && intent.metadata?.formatPass === true) {
+        return { matched: false };
+    }
+    if (conditions.requireWorktree && intent.metadata?.inWorktree === true) {
+        return { matched: false, requireWorktreeMatched: true };
+    }
+    if (conditions.scope && !matchScope(conditions.scope, intent.target)) {
+        return { matched: false, scopeMatched: false };
+    }
+    const scopeMatched = conditions.scope ? true : undefined;
+    let limitExceeded;
+    let branchMatched;
+    let personaMatched;
+    let forecastMatched;
+    let forecastValues;
+    if (conditions.limit !== undefined && intent.filesAffected !== undefined) {
+        limitExceeded = intent.filesAffected > conditions.limit;
+        if (limitExceeded) {
+            return { matched: true, scopeMatched, limitExceeded };
+        }
+    }
+    if (conditions.branches) {
+        // `branches` acts as a required filter: the rule only matches when the intent's branch is
+        // in the configured list (or cannot be determined for deny rules).
+        //
+        // For deny rules: when branch is unknown (undefined), assume match (fail-closed / conservative).
+        //   This prevents bypass via commands that defeat branch extraction (e.g. shell chains).
+        // For allow rules: when branch is unknown, do NOT match (fail-closed).
+        //   This ensures actions aren't allowed without confirmed branch context.
+        if (intent.branch) {
+            branchMatched = conditions.branches.includes(intent.branch);
+        }
+        else {
+            // No branch detected — conservative approach based on rule effect:
+            // Deny rules: match (block the action to be safe)
+            // Allow rules: skip (don't grant access without branch confirmation)
+            branchMatched = effect === 'deny';
+        }
+        if (!branchMatched) {
+            return { matched: false, scopeMatched, limitExceeded, branchMatched };
+        }
+    }
+    if (conditions.persona) {
+        personaMatched = matchPersonaCondition(conditions.persona, intent.persona);
+        if (!personaMatched) {
+            return { matched: false, scopeMatched, limitExceeded, branchMatched, personaMatched };
+        }
+    }
+    if (conditions.forecast) {
+        const forecastResult = matchForecastCondition(conditions.forecast, intent.forecast);
+        forecastMatched = forecastResult.matched;
+        forecastValues = forecastResult.values;
+        if (!forecastMatched) {
+            return {
+                matched: false,
+                scopeMatched,
+                limitExceeded,
+                branchMatched,
+                personaMatched,
+                forecastMatched,
+                forecastValues,
+            };
+        }
+    }
+    return {
+        matched: true,
+        scopeMatched,
+        limitExceeded,
+        branchMatched,
+        personaMatched,
+        forecastMatched,
+        forecastValues,
+    };
+}
+function ruleKey(policyId, ruleIndex) {
+    return `${policyId}:${ruleIndex}`;
+}
+function createRuleEval(policy, ruleIndex, rule, actionMatched, conditionResult, outcome) {
+    return {
+        policyId: policy.id,
+        policyName: policy.name,
+        ruleIndex,
+        rule,
+        actionMatched,
+        conditionsMatched: conditionResult?.matched ?? false,
+        conditionDetails: conditionResult
+            ? {
+                scopeMatched: conditionResult.scopeMatched,
+                limitExceeded: conditionResult.limitExceeded,
+                branchMatched: conditionResult.branchMatched,
+                personaMatched: conditionResult.personaMatched,
+                forecastMatched: conditionResult.forecastMatched,
+                forecastValues: conditionResult.forecastValues,
+                requireWorktreeMatched: conditionResult.requireWorktreeMatched,
+            }
+            : {},
+        outcome,
+    };
+}
+export function evaluate(intent, policies, options) {
+    const startTime = performance.now();
+    const rulesEvaluated = [];
+    const ruleIndexMap = new Map();
+    if (!intent || !intent.action) {
+        return {
+            allowed: false,
+            decision: 'deny',
+            matchedRule: null,
+            matchedPolicy: null,
+            reason: 'Intent is missing required field: action',
+            severity: 5,
+            trace: {
+                rulesEvaluated: [],
+                totalRulesChecked: 0,
+                phaseThatMatched: null,
+                durationMs: performance.now() - startTime,
+            },
+        };
+    }
+    // Phase 1: Evaluate deny rules
+    for (const policy of policies) {
+        for (let ruleIndex = 0; ruleIndex < policy.rules.length; ruleIndex++) {
+            const rule = policy.rules[ruleIndex];
+            const key = ruleKey(policy.id, ruleIndex);
+            if (rule.effect !== 'deny') {
+                ruleIndexMap.set(key, rulesEvaluated.length);
+                rulesEvaluated.push(createRuleEval(policy, ruleIndex, rule, false, null, 'skipped'));
+                continue;
+            }
+            const actions = Array.isArray(rule.action) ? rule.action : [rule.action];
+            const actionMatched = actions.some((pattern) => matchAction(pattern, intent.action));
+            if (!actionMatched) {
+                ruleIndexMap.set(key, rulesEvaluated.length);
+                rulesEvaluated.push(createRuleEval(policy, ruleIndex, rule, false, null, 'no-match'));
+                continue;
+            }
+            const conditionResult = matchConditions(rule.conditions, intent, 'deny');
+            if (conditionResult.matched) {
+                ruleIndexMap.set(key, rulesEvaluated.length);
+                rulesEvaluated.push(createRuleEval(policy, ruleIndex, rule, true, conditionResult, 'match'));
+                return {
+                    allowed: false,
+                    decision: 'deny',
+                    matchedRule: rule,
+                    matchedPolicy: policy,
+                    reason: rule.reason || `Denied by policy "${policy.name}"`,
+                    severity: policy.severity,
+                    policyIntervention: rule.intervention,
+                    trace: {
+                        rulesEvaluated,
+                        totalRulesChecked: rulesEvaluated.length,
+                        phaseThatMatched: 'deny',
+                        durationMs: performance.now() - startTime,
+                    },
+                };
+            }
+            ruleIndexMap.set(key, rulesEvaluated.length);
+            rulesEvaluated.push(createRuleEval(policy, ruleIndex, rule, true, conditionResult, 'no-match'));
+        }
+    }
+    // Phase 2: Evaluate allow rules
+    for (const policy of policies) {
+        for (let ruleIndex = 0; ruleIndex < policy.rules.length; ruleIndex++) {
+            const rule = policy.rules[ruleIndex];
+            if (rule.effect !== 'allow')
+                continue;
+            const key = ruleKey(policy.id, ruleIndex);
+            const existingIdx = ruleIndexMap.get(key);
+            const alreadyRecorded = existingIdx !== undefined;
+            const actions = Array.isArray(rule.action) ? rule.action : [rule.action];
+            const actionMatched = actions.some((pattern) => matchAction(pattern, intent.action));
+            if (!actionMatched) {
+                if (!alreadyRecorded) {
+                    ruleIndexMap.set(key, rulesEvaluated.length);
+                    rulesEvaluated.push(createRuleEval(policy, ruleIndex, rule, false, null, 'no-match'));
+                }
+                continue;
+            }
+            const conditionResult = matchConditions(rule.conditions, intent, 'allow');
+            if (conditionResult.matched) {
+                const evalRecord = createRuleEval(policy, ruleIndex, rule, true, conditionResult, 'match');
+                if (alreadyRecorded) {
+                    rulesEvaluated[existingIdx] = evalRecord;
+                }
+                else {
+                    ruleIndexMap.set(key, rulesEvaluated.length);
+                    rulesEvaluated.push(evalRecord);
+                }
+                return {
+                    allowed: true,
+                    decision: 'allow',
+                    matchedRule: rule,
+                    matchedPolicy: policy,
+                    reason: rule.reason || `Allowed by policy "${policy.name}"`,
+                    severity: 0,
+                    trace: {
+                        rulesEvaluated,
+                        totalRulesChecked: rulesEvaluated.filter((r) => r.outcome !== 'skipped').length,
+                        phaseThatMatched: 'allow',
+                        durationMs: performance.now() - startTime,
+                    },
+                };
+            }
+            if (!alreadyRecorded) {
+                ruleIndexMap.set(key, rulesEvaluated.length);
+                rulesEvaluated.push(createRuleEval(policy, ruleIndex, rule, true, conditionResult, 'no-match'));
+            }
+        }
+    }
+    const defaultDeny = options?.defaultDeny ?? true;
+    if (defaultDeny) {
+        return {
+            allowed: false,
+            decision: 'deny',
+            matchedRule: null,
+            matchedPolicy: null,
+            reason: 'No matching policy rule — default deny (fail-closed)',
+            severity: 3,
+            trace: {
+                rulesEvaluated,
+                totalRulesChecked: rulesEvaluated.filter((r) => r.outcome !== 'skipped').length,
+                phaseThatMatched: 'default',
+                durationMs: performance.now() - startTime,
+            },
+        };
+    }
+    return {
+        allowed: true,
+        decision: 'allow',
+        matchedRule: null,
+        matchedPolicy: null,
+        reason: 'No matching policy rule — default allow (fail-open)',
+        severity: 0,
+        warning: 'SECURITY: Fail-open mode is active. All unmatched actions are allowed. Load a policy to enable governance.',
+        trace: {
+            rulesEvaluated,
+            totalRulesChecked: rulesEvaluated.filter((r) => r.outcome !== 'skipped').length,
+            phaseThatMatched: 'default',
+            durationMs: performance.now() - startTime,
+        },
+    };
+}
+export { matchAction, matchScope, matchPersonaCondition, matchForecastCondition };
+//# sourceMappingURL=evaluator.js.map

package/dist/evaluator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"evaluator.js","sourceRoot":"","sources":["../src/evaluator.ts"],"names":[],"mappings":"AAAA,8DAA8D;AAC9D,uDAAuD;AAGvD,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAyKpD,SAAS,WAAW,CAAC,OAAe,EAAE,MAAc;IAClD,OAAO,aAAa,CAAC,WAAW,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;AACpD,CAAC;AAED,SAAS,UAAU,CAAC,aAAuB,EAAE,MAAc;IACzD,OAAO,aAAa,CAAC,UAAU,CAAC,aAAa,EAAE,MAAM,CAAC,CAAC;AACzD,CAAC;AAaD,SAAS,qBAAqB,CAC5B,WAA6B,EAC7B,OAAiC;IAEjC,IAAI,CAAC,OAAO;QAAE,OAAO,KAAK,CAAC;IAE3B,IAAI,WAAW,CAAC,SAAS,IAAI,WAAW,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC9D,IAAI,CAAC,OAAO,CAAC,SAAS,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,SAAS,CAAC;YAAE,OAAO,KAAK,CAAC;IAC7F,CAAC;IACD,IAAI,WAAW,CAAC,IAAI,IAAI,WAAW,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACpD,IAAI,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC;YAAE,OAAO,KAAK,CAAC;IAC9E,CAAC;IACD,IAAI,WAAW,CAAC,QAAQ,IAAI,WAAW,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5D,IAAI,CAAC,OAAO,CAAC,QAAQ,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,QAAQ,CAAC;YAAE,OAAO,KAAK,CAAC;IAC1F,CAAC;IACD,IAAI,WAAW,CAAC,aAAa,IAAI,WAAW,CAAC,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACtE,IAAI,CAAC,OAAO,CAAC,aAAa,IAAI,CAAC,WAAW,CAAC,aAAa,CAAC,QAAQ,CAAC,OAAO,CAAC,aAAa,CAAC,EAAE,CAAC;YACzF,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IACD,IAAI,WAAW,CAAC,IAAI,IAAI,WAAW,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACpD,IAAI,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,IAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;YAAE,OAAO,KAAK,CAAC;IAC9F,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,sBAAsB,CAC7B,YAA+B,EAC/B,QAAoC;IAEpC,IAAI,CAAC,QAAQ;QAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC;IAErD,MAAM,MAAM,GAAwB,EAAE,CAAC;IAEvC,IAAI,YAAY,CAAC,aAAa,KAAK,SAAS,EAAE,CAAC;QAC7C,MAAM,CAAC,aAAa,GAAG;YACrB,MAAM,EAAE,QAAQ,CAAC,aAAa;YAC9B,SAAS,EAAE,YAAY,CAAC,aAAa;SACtC,CAAC;QACF,IAAI,QAAQ,CAAC,aAAa,GAAG,YAAY,CAAC,aAAa,EAAE,CAAC;YACxD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;QACpC,CAAC;IACH,CAAC;IAED,IAAI,YAAY,CAAC,gBAAgB,KAAK,SAAS,EAAE,CAAC;QAChD,MAAM,CAAC,gBAAgB,GAAG;YACxB,MAAM,EAAE,QAAQ,CAAC,gBAAgB;YACjC,SAAS,EAAE,YAAY,CAAC,gBAAgB;SACzC,CAAC;QACF,IAAI,QAAQ,CAAC,gBAAgB,GAAG,YAAY,CAAC,gBAAgB,EAAE,CAAC;YAC9D,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;QACpC,CAAC;IACH,CAAC;IAED,IAAI,YAAY,CAAC,SAAS,IAAI,YAAY,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAChE,MAAM,CAAC,SAAS,GAAG,EAAE,MAAM,EAAE,QAAQ,CAAC,SAAS,EAAE,QAAQ,EAAE,YAAY,CAAC,SAAS,EAAE,CAAC;QACpF,IAAI,CAAC,YAAY,CAAC,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;YACzD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;QACpC,CAAC;IACH,CAAC;IAED,IAAI,YAAY,CAAC,kBAAkB,KAAK,SAAS,EAAE,CAAC;QAClD,MAAM,CAAC,kBAAkB,GAAG;YAC1B,MAAM,EAAE,QAAQ,CAAC,cAAc,CAAC,MAAM;YACtC,SAAS,EAAE,YAAY,CAAC,kBAAkB;SAC3C,CAAC;QACF,IAAI,QAAQ,CAAC,cAAc,CAAC,MAAM,GAAG,YAAY,CAAC,kBAAkB,EAAE,CAAC;YACrE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;QACpC,CAAC;IACH,CAAC;IAED,IAAI,YAAY,CAAC,eAAe,KAAK,SAAS,EAAE,CAAC;QAC/C,MAAM,CAAC,eAAe,GAAG;YACvB,MAAM,EAAE,QAAQ,CAAC,oBAAoB,CAAC,MAAM;YAC5C,SAAS,EAAE,YAAY,CAAC,eAAe;SACxC,CAAC;QACF,IAAI,QAAQ,CAAC,oBAAoB,CAAC,MAAM,GAAG,YAAY,CAAC,eAAe,EAAE,CAAC;YACxE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;QACpC,CAAC;IACH,CAAC;IAED,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;AACnC,CAAC;AAED,SAAS,eAAe,CACtB,UAAoC,EACpC,MAAwB,EACxB,SAA2B,OAAO;IAElC,IAAI,CAAC,UAAU;QAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAE1C,uEAAuE;IACvE,6EAA6E;IAC7E,IAAI,UAAU,CAAC,YAAY,IAAI,MAAM,CAAC,QAAQ,EAAE,SAAS,KAAK,IAAI,EAAE,CAAC;QACnE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;IAC5B,CAAC;IAED,IAAI,UAAU,CAAC,aAAa,IAAI,MAAM,CAAC,QAAQ,EAAE,UAAU,KAAK,IAAI,EAAE,CAAC;QACrE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;IAC5B,CAAC;IAED,IAAI,UAAU,CAAC,eAAe,IAAI,MAAM,CAAC,QAAQ,EAAE,UAAU,KAAK,IAAI,EAAE,CAAC;QACvE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,sBAAsB,EAAE,IAAI,EAAE,CAAC;IAC1D,CAAC;IAED,IAAI,UAAU,CAAC,KAAK,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,KAAK,EAAE,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC;QACrE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,YAAY,EAAE,KAAK,EAAE,CAAC;IACjD,CAAC;IAED,MAAM,YAAY,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC;IACzD,IAAI,aAAkC,CAAC;IACvC,IAAI,aAAkC,CAAC;IACvC,IAAI,cAAmC,CAAC;IACxC,IAAI,eAAoC,CAAC;IACzC,IAAI,cAA+C,CAAC;IAEpD,IAAI,UAAU,CAAC,KAAK,KAAK,SAAS,IAAI,MAAM,CAAC,aAAa,KAAK,SAAS,EAAE,CAAC;QACzE,aAAa,GAAG,MAAM,CAAC,aAAa,GAAG,UAAU,CAAC,KAAK,CAAC;QACxD,IAAI,aAAa,EAAE,CAAC;YAClB,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,YAAY,EAAE,aAAa,EAAE,CAAC;QACxD,CAAC;IACH,CAAC;IAED,IAAI,UAAU,CAAC,QAAQ,EAAE,CAAC;QACxB,0FAA0F;QAC1F,mEAAmE;QACnE,EAAE;QACF,iGAAiG;QACjG,yFAAyF;QACzF,uEAAuE;QACvE,0EAA0E;QAC1E,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;YAClB,aAAa,GAAG,UAAU,CAAC,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QAC9D,CAAC;aAAM,CAAC;YACN,mEAAmE;YACnE,kDAAkD;YAClD,qEAAqE;YACrE,aAAa,GAAG,MAAM,KAAK,MAAM,CAAC;QACpC,CAAC;QACD,IAAI,CAAC,aAAa,EAAE,CAAC;YACnB,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,YAAY,EAAE,aAAa,EAAE,aAAa,EAAE,CAAC;QACxE,CAAC;IACH,CAAC;IAED,IAAI,UAAU,CAAC,OAAO,EAAE,CAAC;QACvB,cAAc,GAAG,qBAAqB,CAAC,UAAU,CAAC,OAAO,EAAE,MAAM,CAAC,OAAO,CAAC,CAAC;QAC3E,IAAI,CAAC,cAAc,EAAE,CAAC;YACpB,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,YAAY,EAAE,aAAa,EAAE,aAAa,EAAE,cAAc,EAAE,CAAC;QACxF,CAAC;IACH,CAAC;IAED,IAAI,UAAU,CAAC,QAAQ,EAAE,CAAC;QACxB,MAAM,cAAc,GAAG,sBAAsB,CAAC,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;QACpF,eAAe,GAAG,cAAc,CAAC,OAAO,CAAC;QACzC,cAAc,GAAG,cAAc,CAAC,MAAM,CAAC;QACvC,IAAI,CAAC,eAAe,EAAE,CAAC;YACrB,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,YAAY;gBACZ,aAAa;gBACb,aAAa;gBACb,cAAc;gBACd,eAAe;gBACf,cAAc;aACf,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO;QACL,OAAO,EAAE,IAAI;QACb,YAAY;QACZ,aAAa;QACb,aAAa;QACb,cAAc;QACd,eAAe;QACf,cAAc;KACf,CAAC;AACJ,CAAC;AAED,SAAS,OAAO,CAAC,QAAgB,EAAE,SAAiB;IAClD,OAAO,GAAG,QAAQ,IAAI,SAAS,EAAE,CAAC;AACpC,CAAC;AAED,SAAS,cAAc,CACrB,MAAoB,EACpB,SAAiB,EACjB,IAAgB,EAChB,aAAsB,EACtB,eAA4C,EAC5C,OAAkC;IAElC,OAAO;QACL,QAAQ,EAAE,MAAM,CAAC,EAAE;QACnB,UAAU,EAAE,MAAM,CAAC,IAAI;QACvB,SAAS;QACT,IAAI;QACJ,aAAa;QACb,iBAAiB,EAAE,eAAe,EAAE,OAAO,IAAI,KAAK;QACpD,gBAAgB,EAAE,eAAe;YAC/B,CAAC,CAAC;gBACE,YAAY,EAAE,eAAe,CAAC,YAAY;gBAC1C,aAAa,EAAE,eAAe,CAAC,aAAa;gBAC5C,aAAa,EAAE,eAAe,CAAC,aAAa;gBAC5C,cAAc,EAAE,eAAe,CAAC,cAAc;gBAC9C,eAAe,EAAE,eAAe,CAAC,eAAe;gBAChD,cAAc,EAAE,eAAe,CAAC,cAAc;gBAC9C,sBAAsB,EAAE,eAAe,CAAC,sBAAsB;aAC/D;YACH,CAAC,CAAC,EAAE;QACN,OAAO;KACR,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,QAAQ,CACtB,MAAwB,EACxB,QAAwB,EACxB,OAAyB;IAEzB,MAAM,SAAS,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC;IACpC,MAAM,cAAc,GAAqB,EAAE,CAAC;IAC5C,MAAM,YAAY,GAAG,IAAI,GAAG,EAAkB,CAAC;IAE/C,IAAI,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QAC9B,OAAO;YACL,OAAO,EAAE,KAAK;YACd,QAAQ,EAAE,MAAM;YAChB,WAAW,EAAE,IAAI;YACjB,aAAa,EAAE,IAAI;YACnB,MAAM,EAAE,0CAA0C;YAClD,QAAQ,EAAE,CAAC;YACX,KAAK,EAAE;gBACL,cAAc,EAAE,EAAE;gBAClB,iBAAiB,EAAE,CAAC;gBACpB,gBAAgB,EAAE,IAAI;gBACtB,UAAU,EAAE,WAAW,CAAC,GAAG,EAAE,GAAG,SAAS;aAC1C;SACF,CAAC;IACJ,CAAC;IAED,+BAA+B;IAC/B,KAAK,MAAM,MAAM,IAAI,QAAQ,EAAE,CAAC;QAC9B,KAAK,IAAI,SAAS,GAAG,CAAC,EAAE,SAAS,GAAG,MAAM,CAAC,KAAK,CAAC,MAAM,EAAE,SAAS,EAAE,EAAE,CAAC;YACrE,MAAM,IAAI,GAAG,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;YACrC,MAAM,GAAG,GAAG,OAAO,CAAC,MAAM,CAAC,EAAE,EAAE,SAAS,CAAC,CAAC;YAE1C,IAAI,IAAI,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;gBAC3B,YAAY,CAAC,GAAG,CAAC,GAAG,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;gBAC7C,cAAc,CAAC,IAAI,CAAC,cAAc,CAAC,MAAM,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,SAAS,CAAC,CAAC,CAAC;gBACrF,SAAS;YACX,CAAC;YAED,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YACzE,MAAM,aAAa,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,WAAW,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC;YAErF,IAAI,CAAC,aAAa,EAAE,CAAC;gBACnB,YAAY,CAAC,GAAG,CAAC,GAAG,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;gBAC7C,cAAc,CAAC,IAAI,CAAC,cAAc,CAAC,MAAM,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,UAAU,CAAC,CAAC,CAAC;gBACtF,SAAS;YACX,CAAC;YAED,MAAM,eAAe,GAAG,eAAe,CAAC,IAAI,CAAC,UAAU,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;YAEzE,IAAI,eAAe,CAAC,OAAO,EAAE,CAAC;gBAC5B,YAAY,CAAC,GAAG,CAAC,GAAG,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;gBAC7C,cAAc,CAAC,IAAI,CACjB,cAAc,CAAC,MAAM,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,eAAe,EAAE,OAAO,CAAC,CACxE,CAAC;gBAEF,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,QAAQ,EAAE,MAAM;oBAChB,WAAW,EAAE,IAAI;oBACjB,aAAa,EAAE,MAAM;oBACrB,MAAM,EAAE,IAAI,CAAC,MAAM,IAAI,qBAAqB,MAAM,CAAC,IAAI,GAAG;oBAC1D,QAAQ,EAAE,MAAM,CAAC,QAAQ;oBACzB,kBAAkB,EAAE,IAAI,CAAC,YAAY;oBACrC,KAAK,EAAE;wBACL,cAAc;wBACd,iBAAiB,EAAE,cAAc,CAAC,MAAM;wBACxC,gBAAgB,EAAE,MAAM;wBACxB,UAAU,EAAE,WAAW,CAAC,GAAG,EAAE,GAAG,SAAS;qBAC1C;iBACF,CAAC;YACJ,CAAC;YAED,YAAY,CAAC,GAAG,CAAC,GAAG,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;YAC7C,cAAc,CAAC,IAAI,CACjB,cAAc,CAAC,MAAM,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,eAAe,EAAE,UAAU,CAAC,CAC3E,CAAC;QACJ,CAAC;IACH,CAAC;IAED,gCAAgC;IAChC,KAAK,MAAM,MAAM,IAAI,QAAQ,EAAE,CAAC;QAC9B,KAAK,IAAI,SAAS,GAAG,CAAC,EAAE,SAAS,GAAG,MAAM,CAAC,KAAK,CAAC,MAAM,EAAE,SAAS,EAAE,EAAE,CAAC;YACrE,MAAM,IAAI,GAAG,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;YACrC,IAAI,IAAI,CAAC,MAAM,KAAK,OAAO;gBAAE,SAAS;YAEtC,MAAM,GAAG,GAAG,OAAO,CAAC,MAAM,CAAC,EAAE,EAAE,SAAS,CAAC,CAAC;YAC1C,MAAM,WAAW,GAAG,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YAC1C,MAAM,eAAe,GAAG,WAAW,KAAK,SAAS,CAAC;YAElD,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YACzE,MAAM,aAAa,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,WAAW,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC;YAErF,IAAI,CAAC,aAAa,EAAE,CAAC;gBACnB,IAAI,CAAC,eAAe,EAAE,CAAC;oBACrB,YAAY,CAAC,GAAG,CAAC,GAAG,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;oBAC7C,cAAc,CAAC,IAAI,CAAC,cAAc,CAAC,MAAM,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,UAAU,CAAC,CAAC,CAAC;gBACxF,CAAC;gBACD,SAAS;YACX,CAAC;YAED,MAAM,eAAe,GAAG,eAAe,CAAC,IAAI,CAAC,UAAU,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;YAE1E,IAAI,eAAe,CAAC,OAAO,EAAE,CAAC;gBAC5B,MAAM,UAAU,GAAG,cAAc,CAAC,MAAM,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,eAAe,EAAE,OAAO,CAAC,CAAC;gBAC3F,IAAI,eAAe,EAAE,CAAC;oBACpB,cAAc,CAAC,WAAW,CAAC,GAAG,UAAU,CAAC;gBAC3C,CAAC;qBAAM,CAAC;oBACN,YAAY,CAAC,GAAG,CAAC,GAAG,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;oBAC7C,cAAc,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;gBAClC,CAAC;gBAED,OAAO;oBACL,OAAO,EAAE,IAAI;oBACb,QAAQ,EAAE,OAAO;oBACjB,WAAW,EAAE,IAAI;oBACjB,aAAa,EAAE,MAAM;oBACrB,MAAM,EAAE,IAAI,CAAC,MAAM,IAAI,sBAAsB,MAAM,CAAC,IAAI,GAAG;oBAC3D,QAAQ,EAAE,CAAC;oBACX,KAAK,EAAE;wBACL,cAAc;wBACd,iBAAiB,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,SAAS,CAAC,CAAC,MAAM;wBAC/E,gBAAgB,EAAE,OAAO;wBACzB,UAAU,EAAE,WAAW,CAAC,GAAG,EAAE,GAAG,SAAS;qBAC1C;iBACF,CAAC;YACJ,CAAC;YAED,IAAI,CAAC,eAAe,EAAE,CAAC;gBACrB,YAAY,CAAC,GAAG,CAAC,GAAG,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;gBAC7C,cAAc,CAAC,IAAI,CACjB,cAAc,CAAC,MAAM,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,eAAe,EAAE,UAAU,CAAC,CAC3E,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAED,MAAM,WAAW,GAAG,OAAO,EAAE,WAAW,IAAI,IAAI,CAAC;IAEjD,IAAI,WAAW,EAAE,CAAC;QAChB,OAAO;YACL,OAAO,EAAE,KAAK;YACd,QAAQ,EAAE,MAAM;YAChB,WAAW,EAAE,IAAI;YACjB,aAAa,EAAE,IAAI;YACnB,MAAM,EAAE,sDAAsD;YAC9D,QAAQ,EAAE,CAAC;YACX,KAAK,EAAE;gBACL,cAAc;gBACd,iBAAiB,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,SAAS,CAAC,CAAC,MAAM;gBAC/E,gBAAgB,EAAE,SAAS;gBAC3B,UAAU,EAAE,WAAW,CAAC,GAAG,EAAE,GAAG,SAAS;aAC1C;SACF,CAAC;IACJ,CAAC;IAED,OAAO;QACL,OAAO,EAAE,IAAI;QACb,QAAQ,EAAE,OAAO;QACjB,WAAW,EAAE,IAAI;QACjB,aAAa,EAAE,IAAI;QACnB,MAAM,EAAE,qDAAqD;QAC7D,QAAQ,EAAE,CAAC;QACX,OAAO,EACL,4GAA4G;QAC9G,KAAK,EAAE;YACL,cAAc;YACd,iBAAiB,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,SAAS,CAAC,CAAC,MAAM;YAC/E,gBAAgB,EAAE,SAAS;YAC3B,UAAU,EAAE,WAAW,CAAC,GAAG,EAAE,GAAG,SAAS;SAC1C;KACF,CAAC;AACJ,CAAC;AAED,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,qBAAqB,EAAE,sBAAsB,EAAE,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,8 @@
+export * from './evaluator.js';
+export * from './loader.js';
+export * from './yaml-loader.js';
+export * from './pack-loader.js';
+export * from './pack-version.js';
+export * from './composer.js';
+export * from './policy-trust.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,gBAAgB,CAAC;AAC/B,cAAc,aAAa,CAAC;AAC5B,cAAc,kBAAkB,CAAC;AACjC,cAAc,kBAAkB,CAAC;AACjC,cAAc,mBAAmB,CAAC;AAClC,cAAc,eAAe,CAAC;AAC9B,cAAc,mBAAmB,CAAC"}

package/dist/index.js

@@ -0,0 +1,8 @@
+export * from './evaluator.js';
+export * from './loader.js';
+export * from './yaml-loader.js';
+export * from './pack-loader.js';
+export * from './pack-version.js';
+export * from './composer.js';
+export * from './policy-trust.js';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,gBAAgB,CAAC;AAC/B,cAAc,aAAa,CAAC;AAC5B,cAAc,kBAAkB,CAAC;AACjC,cAAc,kBAAkB,CAAC;AACjC,cAAc,mBAAmB,CAAC;AAClC,cAAc,eAAe,CAAC;AAC9B,cAAc,mBAAmB,CAAC"}

package/dist/loader.d.ts

@@ -0,0 +1,13 @@
+import type { LoadedPolicy } from './evaluator.js';
+export declare const VALID_ACTIONS: Set<string>;
+interface ValidationResult {
+    valid: boolean;
+    errors: string[];
+}
+export declare function validatePolicy(policy: unknown): ValidationResult;
+export declare function loadPolicies(policyDefs: unknown[]): {
+    policies: LoadedPolicy[];
+    errors: string[];
+};
+export {};
+//# sourceMappingURL=loader.d.ts.map

package/dist/loader.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"loader.d.ts","sourceRoot":"","sources":["../src/loader.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAInD,eAAO,MAAM,aAAa,aAexB,CAAC;AAEH,UAAU,gBAAgB;IACxB,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB;AA0ED,wBAAgB,cAAc,CAAC,MAAM,EAAE,OAAO,GAAG,gBAAgB,CAyChE;AAED,wBAAgB,YAAY,CAAC,UAAU,EAAE,OAAO,EAAE,GAAG;IACnD,QAAQ,EAAE,YAAY,EAAE,CAAC;IACzB,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB,CAkCA"}

package/dist/loader.js

@@ -0,0 +1,151 @@
+// Policy loader — parses and validates policy definitions.
+// Pure domain logic. No DOM, no Node.js-specific APIs.
+//
+// Policy pack loading: see pack-loader.ts for extends/merge support.
+const VALID_EFFECTS = new Set(['allow', 'deny']);
+export const VALID_ACTIONS = new Set([
+    'file.write',
+    'file.delete',
+    'file.rename',
+    'shell.exec',
+    'git.push',
+    'git.force-push',
+    'git.branch.delete',
+    'git.commit',
+    'git.merge',
+    'config.modify',
+    'dependency.add',
+    'dependency.remove',
+    'deploy.trigger',
+    '*',
+]);
+function validateRule(rule) {
+    const errors = [];
+    if (!rule || typeof rule !== 'object') {
+        return { valid: false, errors: ['Rule must be a non-null object'] };
+    }
+    const r = rule;
+    if (!r.action) {
+        errors.push('Rule is missing required field: action');
+    }
+    else {
+        const actions = Array.isArray(r.action) ? r.action : [r.action];
+        for (const a of actions) {
+            if (typeof a !== 'string') {
+                errors.push(`Invalid action type: ${typeof a}`);
+            }
+        }
+    }
+    if (!r.effect) {
+        errors.push('Rule is missing required field: effect');
+    }
+    else if (!VALID_EFFECTS.has(r.effect)) {
+        errors.push(`Invalid effect: ${r.effect}. Must be "allow" or "deny"`);
+    }
+    if (r.conditions) {
+        if (typeof r.conditions !== 'object') {
+            errors.push('Conditions must be an object');
+        }
+        const conds = r.conditions;
+        if (conds.limit !== undefined && typeof conds.limit !== 'number') {
+            errors.push('Condition "limit" must be a number');
+        }
+        if (conds.forecast !== undefined) {
+            if (typeof conds.forecast !== 'object' || conds.forecast === null) {
+                errors.push('Condition "forecast" must be an object');
+            }
+            else {
+                const fc = conds.forecast;
+                if (fc.testRiskScore !== undefined && typeof fc.testRiskScore !== 'number') {
+                    errors.push('Forecast condition "testRiskScore" must be a number');
+                }
+                if (fc.blastRadiusScore !== undefined && typeof fc.blastRadiusScore !== 'number') {
+                    errors.push('Forecast condition "blastRadiusScore" must be a number');
+                }
+                if (fc.predictedFileCount !== undefined && typeof fc.predictedFileCount !== 'number') {
+                    errors.push('Forecast condition "predictedFileCount" must be a number');
+                }
+                if (fc.dependencyCount !== undefined && typeof fc.dependencyCount !== 'number') {
+                    errors.push('Forecast condition "dependencyCount" must be a number');
+                }
+                if (fc.riskLevel !== undefined) {
+                    const validLevels = new Set(['low', 'medium', 'high']);
+                    if (!Array.isArray(fc.riskLevel)) {
+                        errors.push('Forecast condition "riskLevel" must be an array');
+                    }
+                    else {
+                        for (const level of fc.riskLevel) {
+                            if (!validLevels.has(level)) {
+                                errors.push(`Forecast condition "riskLevel" contains invalid value: ${level}. Must be "low", "medium", or "high"`);
+                            }
+                        }
+                    }
+                }
+            }
+        }
+    }
+    return { valid: errors.length === 0, errors };
+}
+export function validatePolicy(policy) {
+    const errors = [];
+    if (!policy || typeof policy !== 'object') {
+        return { valid: false, errors: ['Policy must be a non-null object'] };
+    }
+    const p = policy;
+    if (!p.id || typeof p.id !== 'string') {
+        errors.push('Policy is missing required field: id (string)');
+    }
+    if (!p.name || typeof p.name !== 'string') {
+        errors.push('Policy is missing required field: name (string)');
+    }
+    if (!Array.isArray(p.rules) || p.rules.length === 0) {
+        errors.push('Policy must have at least one rule');
+    }
+    else {
+        for (let i = 0; i < p.rules.length; i++) {
+            const result = validateRule(p.rules[i]);
+            if (!result.valid) {
+                for (const err of result.errors) {
+                    errors.push(`Rule[${i}]: ${err}`);
+                }
+            }
+        }
+    }
+    if (p.severity !== undefined) {
+        if (typeof p.severity !== 'number' ||
+            p.severity < 1 ||
+            p.severity > 5) {
+            errors.push('Severity must be a number between 1 and 5');
+        }
+    }
+    return { valid: errors.length === 0, errors };
+}
+export function loadPolicies(policyDefs) {
+    const policies = [];
+    const errors = [];
+    if (!Array.isArray(policyDefs)) {
+        return { policies: [], errors: ['Policy definitions must be an array'] };
+    }
+    const seenIds = new Set();
+    for (let i = 0; i < policyDefs.length; i++) {
+        const def = policyDefs[i];
+        const result = validatePolicy(def);
+        if (!result.valid) {
+            for (const err of result.errors) {
+                errors.push(`Policy[${i}]: ${err}`);
+            }
+            continue;
+        }
+        if (seenIds.has(def.id)) {
+            errors.push(`Policy[${i}]: Duplicate policy ID "${def.id}"`);
+            continue;
+        }
+        seenIds.add(def.id);
+        policies.push({
+            ...def,
+            severity: def.severity ?? 3,
+        });
+    }
+    return { policies, errors };
+}
+//# sourceMappingURL=loader.js.map

package/dist/loader.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"loader.js","sourceRoot":"","sources":["../src/loader.ts"],"names":[],"mappings":"AAAA,2DAA2D;AAC3D,uDAAuD;AACvD,EAAE;AACF,qEAAqE;AAIrE,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC;AAEjD,MAAM,CAAC,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC;IACnC,YAAY;IACZ,aAAa;IACb,aAAa;IACb,YAAY;IACZ,UAAU;IACV,gBAAgB;IAChB,mBAAmB;IACnB,YAAY;IACZ,WAAW;IACX,eAAe;IACf,gBAAgB;IAChB,mBAAmB;IACnB,gBAAgB;IAChB,GAAG;CACJ,CAAC,CAAC;AAOH,SAAS,YAAY,CAAC,IAAa;IACjC,MAAM,MAAM,GAAa,EAAE,CAAC;IAE5B,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;QACtC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,gCAAgC,CAAC,EAAE,CAAC;IACtE,CAAC;IAED,MAAM,CAAC,GAAG,IAA+B,CAAC;IAE1C,IAAI,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;QACd,MAAM,CAAC,IAAI,CAAC,wCAAwC,CAAC,CAAC;IACxD,CAAC;SAAM,CAAC;QACN,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;QAChE,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;YACxB,IAAI,OAAO,CAAC,KAAK,QAAQ,EAAE,CAAC;gBAC1B,MAAM,CAAC,IAAI,CAAC,wBAAwB,OAAO,CAAC,EAAE,CAAC,CAAC;YAClD,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;QACd,MAAM,CAAC,IAAI,CAAC,wCAAwC,CAAC,CAAC;IACxD,CAAC;SAAM,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,MAAgB,CAAC,EAAE,CAAC;QAClD,MAAM,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC,MAAgB,6BAA6B,CAAC,CAAC;IAClF,CAAC;IAED,IAAI,CAAC,CAAC,UAAU,EAAE,CAAC;QACjB,IAAI,OAAO,CAAC,CAAC,UAAU,KAAK,QAAQ,EAAE,CAAC;YACrC,MAAM,CAAC,IAAI,CAAC,8BAA8B,CAAC,CAAC;QAC9C,CAAC;QACD,MAAM,KAAK,GAAG,CAAC,CAAC,UAAqC,CAAC;QACtD,IAAI,KAAK,CAAC,KAAK,KAAK,SAAS,IAAI,OAAO,KAAK,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;YACjE,MAAM,CAAC,IAAI,CAAC,oCAAoC,CAAC,CAAC;QACpD,CAAC;QACD,IAAI,KAAK,CAAC,QAAQ,KAAK,SAAS,EAAE,CAAC;YACjC,IAAI,OAAO,KAAK,CAAC,QAAQ,KAAK,QAAQ,IAAI,KAAK,CAAC,QAAQ,KAAK,IAAI,EAAE,CAAC;gBAClE,MAAM,CAAC,IAAI,CAAC,wCAAwC,CAAC,CAAC;YACxD,CAAC;iBAAM,CAAC;gBACN,MAAM,EAAE,GAAG,KAAK,CAAC,QAAmC,CAAC;gBACrD,IAAI,EAAE,CAAC,aAAa,KAAK,SAAS,IAAI,OAAO,EAAE,CAAC,aAAa,KAAK,QAAQ,EAAE,CAAC;oBAC3E,MAAM,CAAC,IAAI,CAAC,qDAAqD,CAAC,CAAC;gBACrE,CAAC;gBACD,IAAI,EAAE,CAAC,gBAAgB,KAAK,SAAS,IAAI,OAAO,EAAE,CAAC,gBAAgB,KAAK,QAAQ,EAAE,CAAC;oBACjF,MAAM,CAAC,IAAI,CAAC,wDAAwD,CAAC,CAAC;gBACxE,CAAC;gBACD,IAAI,EAAE,CAAC,kBAAkB,KAAK,SAAS,IAAI,OAAO,EAAE,CAAC,kBAAkB,KAAK,QAAQ,EAAE,CAAC;oBACrF,MAAM,CAAC,IAAI,CAAC,0DAA0D,CAAC,CAAC;gBAC1E,CAAC;gBACD,IAAI,EAAE,CAAC,eAAe,KAAK,SAAS,IAAI,OAAO,EAAE,CAAC,eAAe,KAAK,QAAQ,EAAE,CAAC;oBAC/E,MAAM,CAAC,IAAI,CAAC,uDAAuD,CAAC,CAAC;gBACvE,CAAC;gBACD,IAAI,EAAE,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;oBAC/B,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,CAAC,KAAK,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC,CAAC;oBACvD,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC,SAAS,CAAC,EAAE,CAAC;wBACjC,MAAM,CAAC,IAAI,CAAC,iDAAiD,CAAC,CAAC;oBACjE,CAAC;yBAAM,CAAC;wBACN,KAAK,MAAM,KAAK,IAAI,EAAE,CAAC,SAAS,EAAE,CAAC;4BACjC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,KAAe,CAAC,EAAE,CAAC;gCACtC,MAAM,CAAC,IAAI,CACT,0DAA0D,KAAK,sCAAsC,CACtG,CAAC;4BACJ,CAAC;wBACH,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;AAChD,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,MAAe;IAC5C,MAAM,MAAM,GAAa,EAAE,CAAC;IAE5B,IAAI,CAAC,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,EAAE,CAAC;QAC1C,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,kCAAkC,CAAC,EAAE,CAAC;IACxE,CAAC;IAED,MAAM,CAAC,GAAG,MAAiC,CAAC;IAE5C,IAAI,CAAC,CAAC,CAAC,EAAE,IAAI,OAAO,CAAC,CAAC,EAAE,KAAK,QAAQ,EAAE,CAAC;QACtC,MAAM,CAAC,IAAI,CAAC,+CAA+C,CAAC,CAAC;IAC/D,CAAC;IAED,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI,OAAO,CAAC,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;QAC1C,MAAM,CAAC,IAAI,CAAC,iDAAiD,CAAC,CAAC;IACjE,CAAC;IAED,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACpD,MAAM,CAAC,IAAI,CAAC,oCAAoC,CAAC,CAAC;IACpD,CAAC;SAAM,CAAC;QACN,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACxC,MAAM,MAAM,GAAG,YAAY,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;YACxC,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;gBAClB,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;oBAChC,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;gBACpC,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,CAAC,CAAC,QAAQ,KAAK,SAAS,EAAE,CAAC;QAC7B,IACE,OAAO,CAAC,CAAC,QAAQ,KAAK,QAAQ;YAC7B,CAAC,CAAC,QAAmB,GAAG,CAAC;YACzB,CAAC,CAAC,QAAmB,GAAG,CAAC,EAC1B,CAAC;YACD,MAAM,CAAC,IAAI,CAAC,2CAA2C,CAAC,CAAC;QAC3D,CAAC;IACH,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;AAChD,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,UAAqB;IAIhD,MAAM,QAAQ,GAAmB,EAAE,CAAC;IACpC,MAAM,MAAM,GAAa,EAAE,CAAC;IAE5B,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,CAAC;QAC/B,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,CAAC,qCAAqC,CAAC,EAAE,CAAC;IAC3E,CAAC;IAED,MAAM,OAAO,GAAG,IAAI,GAAG,EAAU,CAAC;IAElC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,UAAU,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAC3C,MAAM,GAAG,GAAG,UAAU,CAAC,CAAC,CAA4B,CAAC;QACrD,MAAM,MAAM,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC;QAEnC,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;YAClB,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;gBAChC,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;YACtC,CAAC;YACD,SAAS;QACX,CAAC;QAED,IAAI,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,EAAY,CAAC,EAAE,CAAC;YAClC,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,2BAA2B,GAAG,CAAC,EAAY,GAAG,CAAC,CAAC;YACvE,SAAS;QACX,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,EAAY,CAAC,CAAC;QAC9B,QAAQ,CAAC,IAAI,CAAC;YACZ,GAAG,GAAG;YACN,QAAQ,EAAG,GAAG,CAAC,QAAmB,IAAI,CAAC;SACxB,CAAC,CAAC;IACrB,CAAC;IAED,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC;AAC9B,CAAC"}

package/dist/pack-loader.d.ts

@@ -0,0 +1,51 @@
+import type { LoadedPolicy } from './evaluator.js';
+export interface PackResolutionResult {
+    policies: LoadedPolicy[];
+    errors: string[];
+    /** Non-fatal version warnings (e.g., version pin mismatch) */
+    warnings: string[];
+}
+/** Options for resolving and loading policy packs */
+export interface PackLoadOptions {
+    /** The current AgentGuard version for compatibility checking (e.g., "2.2.0") */
+    currentAgentguardVersion?: string;
+}
+/**
+ * Resolve a single pack reference to an absolute file path.
+ *
+ * Supports three reference styles:
+ * 1. Relative path — `"./packs/strict"` or `"./packs/strict.yaml"`
+ * 2. Absolute path — `"/home/user/packs/strict.yaml"`
+ * 3. npm package — `"@agentguard/security-pack"` resolved from node_modules
+ *
+ * References may include a version constraint suffix (e.g., `"./pack@^1.2.0"`),
+ * which is stripped before path resolution.
+ */
+export declare function resolvePackPath(ref: string, baseDir: string): string | null;
+/**
+ * Load a single policy pack from a resolved file path.
+ */
+export declare function loadPackFile(filePath: string): LoadedPolicy | null;
+/**
+ * Resolve and load all policy packs from an `extends` list.
+ *
+ * @param extends_ - Array of pack references (paths, npm package names, or versioned refs like "pack@^1.0.0")
+ * @param baseDir  - Directory to resolve relative paths from
+ * @param options  - Optional settings including the current AgentGuard version for compatibility checks
+ * @returns Loaded pack policies, errors, and version warnings
+ */
+export declare function resolveExtends(extends_: string[], baseDir: string, options?: PackLoadOptions): PackResolutionResult;
+/**
+ * Merge pack policies with a local policy.
+ *
+ * Precedence: local rules override pack rules. Within packs, earlier entries
+ * in the `extends` list take precedence over later entries.
+ *
+ * The merge strategy is:
+ * 1. Collect all rules from packs (in extends order)
+ * 2. Append local rules (which take precedence during evaluation since
+ *    the evaluator checks deny rules first, then allow rules)
+ * 3. Return a single merged policy array
+ */
+export declare function mergePolicies(localPolicy: LoadedPolicy, packPolicies: LoadedPolicy[]): LoadedPolicy[];
+//# sourceMappingURL=pack-loader.d.ts.map

package/dist/pack-loader.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pack-loader.d.ts","sourceRoot":"","sources":["../src/pack-loader.ts"],"names":[],"mappings":"AAUA,OAAO,KAAK,EAAE,YAAY,EAAc,MAAM,gBAAgB,CAAC;AAc/D,MAAM,WAAW,oBAAoB;IACnC,QAAQ,EAAE,YAAY,EAAE,CAAC;IACzB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,8DAA8D;IAC9D,QAAQ,EAAE,MAAM,EAAE,CAAC;CACpB;AAED,qDAAqD;AACrD,MAAM,WAAW,eAAe;IAC9B,gFAAgF;IAChF,wBAAwB,CAAC,EAAE,MAAM,CAAC;CACnC;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,eAAe,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAyC3E;AAED;;GAEG;AACH,wBAAgB,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,YAAY,GAAG,IAAI,CAyBlE;AAED;;;;;;;GAOG;AACH,wBAAgB,cAAc,CAC5B,QAAQ,EAAE,MAAM,EAAE,EAClB,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE,eAAe,GACxB,oBAAoB,CA0DtB;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,aAAa,CAC3B,WAAW,EAAE,YAAY,EACzB,YAAY,EAAE,YAAY,EAAE,GAC3B,YAAY,EAAE,CAIhB"}