@servicenow/sdk-build-plugins 4.4.0 → 4.5.0

package/dist/now-config-plugin.js

@@ -6,8 +6,345 @@ const json_plugin_1 = require("./json-plugin");
 class NowConfigShape extends sdk_build_core_1.ObjectShape {
 }
 exports.NowConfigShape = NowConfigShape;
+// ============================================================================
+// Application Runtime Policy Helper Functions
+// ============================================================================
+/**
+ * Maps Fluent mode values to ServiceNow XML state values for performance policy
+ */
+const PERFORMANCE_MODE_MAP = {
+    disabled: 'disabled',
+    enforced: 'enforced',
+    logOnly: 'log_only',
+};
+/**
+ * Reverse mapping: ServiceNow XML state values to Fluent mode values
+ */
+const PERFORMANCE_MODE_REVERSE_MAP = {
+    disabled: 'disabled',
+    enforced: 'enforced',
+    log_only: 'logOnly',
+};
+/**
+ * Maps applicationRuntimePolicy to performance policy mode
+ */
+const ARP_TO_PERFORMANCE_POLICY_MODE_MAP = {
+    none: 'disabled',
+    tracking: 'log_only',
+    enforcing: 'enforced',
+};
+/**
+ * Maps Application Runtime Policy values to required Runtime Access Tracking values
+ * - none: RAT can be anything (no restriction)
+ * - tracking: RAT must be permissive
+ * - enforcing: RAT must be enforcing
+ */
+const ARP_TO_RAT_MAP = {
+    none: null, // No restriction - RAT can be any value
+    tracking: 'permissive',
+    enforcing: 'enforcing',
+};
+// ============================================================================
+// Network Policy Validation Functions
+// ============================================================================
+/**
+ * Validates host field format and content
+ * Uses URL API for parsing with manual wildcard validation (URL can't handle wildcards)
+ * Matches platform business rule validation logic
+ */
+function validateHost(host, policyType, diagnostics, source) {
+    if (!host || !host.trim()) {
+        return true;
+    }
+    const hostValue = host.trim();
+    // Use URL API for scheme/port parsing — replace wildcards with placeholder since URL can't handle them
+    const parseableUrl = hostValue.replace(/\*/g, 'wildcard-placeholder');
+    let url;
+    try {
+        url = new URL(parseableUrl);
+    }
+    catch {
+        // URL throws for invalid ports (>65535) among other reasons
+        // Check if the host has an out-of-range port and diagnose it
+        const portMatch = hostValue.match(/:(\d+)\s*$/);
+        if (portMatch) {
+            const port = parseInt(portMatch[1], 10);
+            if (isNaN(port) || port < 1 || port > 65535) {
+                diagnostics.error(source, `Invalid port "${portMatch[1]}". Must be 1-65535.`);
+                return false;
+            }
+        }
+        // Zod regex handles basic format validation; if URL can't parse for other reasons, skip
+        return true;
+    }
+    const scheme = url.protocol.slice(0, -1); // Remove trailing ':'
+    // Validate scheme based on policy type
+    // Platform uses system properties to configure allowed schemes,
+    // but we use hardcoded defaults here for build-time validation
+    const allowedSchemes = getValidSchemes(policyType);
+    if (!allowedSchemes.includes(scheme)) {
+        diagnostics.error(source, `Invalid URL scheme "${scheme}" for policy type "${policyType}". Allowed schemes: ${allowedSchemes.join(', ')}`);
+        return false;
+    }
+    // Validate wildcards on original hostname (not the placeholder)
+    const originalHostname = url.hostname.replace(/wildcard-placeholder/g, '*');
+    if (!validateWildcards(originalHostname, diagnostics, source)) {
+        return false;
+    }
+    // Validate port range using URL's parsed port
+    if (url.port) {
+        const port = parseInt(url.port, 10);
+        if (port < 1 || port > 65535) {
+            diagnostics.error(source, `Invalid port "${url.port}". Must be 1-65535.`);
+            return false;
+        }
+    }
+    return true;
+}
+/**
+ * Gets valid URL schemes based on policy type
+ * Matches platform business rule defaults for glide.arp.csp.allowed.url.schemes
+ * and glide.arp.server.outbound.allowed.url.schemes
+ */
+function getValidSchemes(policyType) {
+    // CSP script-src only allows HTTPS
+    if (policyType === 'csp_script_src') {
+        return ['https'];
+    }
+    // CSP connect-src allows HTTPS and WSS
+    if (policyType === 'csp_connect_src') {
+        return ['https', 'wss'];
+    }
+    // Server outbound allows all four protocols
+    if (policyType === 'now_outbound') {
+        return ['http', 'https', 'ws', 'wss'];
+    }
+    // For inbound policies, host should be empty, but if provided, use https
+    return ['https'];
+}
+/**
+ * Validates wildcard patterns in hostname
+ */
+function validateWildcards(hostPart, diagnostics, source) {
+    if (hostPart === '*') {
+        diagnostics.error(source, 'Single wildcard "*" not allowed. Use "*.example.com" format.');
+        return false;
+    }
+    if (hostPart.indexOf('*') === -1) {
+        return true;
+    }
+    const parts = hostPart.split('.');
+    let wildcardCount = 0;
+    for (let i = 0; i < parts.length; i++) {
+        const part = parts[i];
+        if (part === '*') {
+            wildcardCount++;
+            if (i !== 0 || wildcardCount > 1) {
+                diagnostics.error(source, `Wildcard must be first segment only. Invalid: "${hostPart}"`);
+                return false;
+            }
+        }
+        else if (part.indexOf('*') !== -1) {
+            diagnostics.error(source, `Partial wildcards not allowed: "${part}"`);
+            return false;
+        }
+    }
+    return true;
+}
+/**
+ * Validates path field format
+ * Each path in the array must start with single forward slash
+ */
+function validatePath(path, diagnostics, source) {
+    if (!path || path.length === 0) {
+        return true;
+    }
+    for (const singlePath of path) {
+        const trimmedPath = singlePath.trim();
+        if (!trimmedPath.startsWith('/') || trimmedPath.startsWith('//')) {
+            diagnostics.error(source, `Path must start with single "/": "${trimmedPath}"`);
+            return false;
+        }
+    }
+    return true;
+}
+/**
+ * Validates network policy fields for cross-field and business rules
+ */
+function validateNetworkPolicy(policy, diagnostics, source) {
+    let isValid = true;
+    const policyType = typeof policy.policyType === 'string' ? policy.policyType : '';
+    const host = typeof policy.host === 'string' ? policy.host : undefined;
+    const path = Array.isArray(policy.path) ? policy.path : undefined;
+    if (host && !validateHost(host, policyType, diagnostics, source)) {
+        isValid = false;
+    }
+    if (path && !validatePath(path, diagnostics, source)) {
+        isValid = false;
+    }
+    return isValid;
+}
+/**
+ * Creates network policy records from config
+ */
+async function createNetworkPolicyRecords(networkPolicies, factory, source, diagnostics) {
+    const records = [];
+    for (const policy of networkPolicies) {
+        const policyObj = policy.asObject();
+        // Validate policy fields (complex validations that can't be done in schema)
+        const policyData = {
+            policyType: policyObj.get('policyType')?.getValue(),
+            host: policyObj.get('host')?.getValue(),
+            path: policyObj.get('path')?.getValue(),
+        };
+        validateNetworkPolicy(policyData, diagnostics, policy);
+        const record = await factory.createRecord({
+            source: source,
+            table: 'sys_arp_network_policy',
+            explicitId: policyObj.get('$id'),
+            properties: policyObj.transform(({ $ }) => ({
+                active: $.def(true),
+                policy_type: $.from('policyType'),
+                status: $,
+                host: $,
+                scheme: $,
+                // Join path array with newlines for XML storage
+                path: $.from('path').map((pathShape) => pathShape
+                    .ifArray()
+                    ?.getElements()
+                    .map((e) => e.getValue())
+                    .join('\n') ?? ''),
+                resource: $,
+                short_description: $.from('shortDescription'),
+            })),
+        });
+        records.push(record);
+    }
+    return records;
+}
+/**
+ * Creates wildcard policy record from config
+ */
+async function createWildcardPolicyRecord(wildcardPolicy, factory, source, scopeId, diagnostics) {
+    // Extract nested pillar objects
+    const networkPillar = wildcardPolicy.get('network')?.ifDefined()?.asObject();
+    const scriptingPillar = wildcardPolicy.get('scripting')?.ifDefined()?.asObject();
+    const arlPillar = wildcardPolicy.get('arl')?.ifDefined()?.asObject();
+    // Validate pillar active/wildcard consistency
+    const networkActive = networkPillar?.get('active')?.toBoolean().getValue() ?? false;
+    const networkWildcardShape = networkPillar?.get('networkWildcard')?.ifArray();
+    const networkWildcard = networkWildcardShape?.getElements();
+    if (!networkActive && networkWildcard && networkWildcard.length > 0) {
+        diagnostics.warn(networkWildcardShape, 'networkWildcard values will be ignored when network.active is false');
+    }
+    if (networkActive && (!networkWildcard || networkWildcard.length === 0)) {
+        diagnostics.hint(networkPillar.get('active'), 'Network pillar is active but has no networkWildcard selections. Consider adding networkWildcard values or setting active to false.');
+    }
+    const scriptingActive = scriptingPillar?.get('active')?.toBoolean().getValue() ?? false;
+    const scriptingWildcardShape = scriptingPillar?.get('scriptingWildcard')?.ifArray();
+    const scriptingWildcard = scriptingWildcardShape?.getElements();
+    if (!scriptingActive && scriptingWildcard && scriptingWildcard.length > 0) {
+        diagnostics.warn(scriptingWildcardShape, 'scriptingWildcard values will be ignored when scripting.active is false');
+    }
+    if (scriptingActive && (!scriptingWildcard || scriptingWildcard.length === 0)) {
+        diagnostics.hint(scriptingPillar.get('active'), 'Scripting pillar is active but has no scriptingWildcard selections. Consider adding scriptingWildcard values or setting active to false.');
+    }
+    const arlActive = arlPillar?.get('active')?.toBoolean().getValue() ?? false;
+    const arlWildcardShape = arlPillar?.get('arlWildcard')?.ifArray();
+    const arlWildcard = arlWildcardShape?.getElements();
+    if (!arlActive && arlWildcard && arlWildcard.length > 0) {
+        diagnostics.warn(arlWildcardShape, 'arlWildcard values will be ignored when arl.active is false');
+    }
+    if (arlActive && (!arlWildcard || arlWildcard.length === 0)) {
+        diagnostics.hint(arlPillar.get('active'), 'ARL pillar is active but has no arlWildcard selections. Consider adding arlWildcard values or setting active to false.');
+    }
+    return await factory.createRecord({
+        source: source,
+        table: 'sys_arp_segment_policy',
+        explicitId: wildcardPolicy.get('$id'),
+        properties: wildcardPolicy.transform(({ $ }) => ({
+            sys_scope: $.val(scopeId),
+            active: $.def(false),
+            short_description: $.from('shortDescription').def(''),
+            arp_record: $.from('record').toBoolean().def(false),
+            // Network pillar
+            arp_network: $.val(networkPillar?.get('active')?.toBoolean().getValue() ?? false),
+            arp_network_wildcard: $.val(networkPillar
+                ?.get('networkWildcard')
+                ?.ifArray()
+                ?.getElements()
+                .map((e) => e.getValue())
+                .join(',') ?? ''),
+            // Scripting pillar
+            arp_script: $.val(scriptingPillar?.get('active')?.toBoolean().getValue() ?? false),
+            arp_script_wildcard: $.val(scriptingPillar
+                ?.get('scriptingWildcard')
+                ?.ifArray()
+                ?.getElements()
+                .map((e) => e.getValue())
+                .join(',') ?? ''),
+            // ARL pillar
+            arp_arl: $.val(arlPillar?.get('active')?.toBoolean().getValue() ?? false),
+            arp_arl_wildcard: $.val(arlPillar
+                ?.get('arlWildcard')
+                ?.ifArray()
+                ?.getElements()
+                .map((e) => e.getValue())
+                .join(',') ?? ''),
+        })),
+    });
+}
+/**
+ * Creates performance policy record from config
+ * Mode is auto-derived from applicationRuntimePolicy if not explicitly set
+ */
+async function createPerformancePolicyRecord(performancePolicy, factory, source, scopeId, applicationRuntimePolicy, diagnostics) {
+    // Derive state from applicationRuntimePolicy
+    const derivedMode = ARP_TO_PERFORMANCE_POLICY_MODE_MAP[applicationRuntimePolicy] ?? 'log_only';
+    // Check if user explicitly set mode and it differs from auto-derived value
+    const explicitModeShape = performancePolicy.get('mode').ifDefined();
+    if (explicitModeShape) {
+        const explicitMode = explicitModeShape.toString().getValue();
+        const explicitModeInXml = PERFORMANCE_MODE_MAP[explicitMode];
+        if (explicitModeInXml && explicitModeInXml !== derivedMode) {
+            const derivedModeInFluent = Object.entries(PERFORMANCE_MODE_MAP).find(([_, xml]) => xml === derivedMode)?.[0];
+            diagnostics.warn(explicitModeShape, `Performance policy mode '${explicitMode}' differs from auto-derived mode '${derivedModeInFluent}' based on applicationRuntimePolicy='${applicationRuntimePolicy}'. The explicit mode will be used.`);
+        }
+    }
+    return await factory.createRecord({
+        source: source,
+        table: 'sys_app_resource_limit_template',
+        explicitId: performancePolicy.get('$id'),
+        properties: performancePolicy.transform(({ $ }) => ({
+            template_name: $.from('name'),
+            // Auto-derive appCondition to query current scope
+            app_condition: $.val(`sys_id=${scopeId}`),
+            scheduled_job_limit: $.from('scheduledJobLimit').def(20),
+            event_handler_limit: $.from('eventHandlerLimit').def(20),
+            api_transaction_limit: $.from('apiTransactionLimit').def(30),
+            interactive_transaction_limit: $.from('interactiveTransactionLimit').def(30),
+            // State is auto-derived from applicationRuntimePolicy unless explicitly overridden
+            state: $.from('mode')
+                .map((v) => {
+                const explicitMode = v.getValue();
+                const mappedMode = PERFORMANCE_MODE_MAP[explicitMode];
+                if (explicitMode && !mappedMode) {
+                    // Invalid mode value - should have been caught by schema validation
+                    // but add a diagnostic warning just in case
+                    diagnostics.warn(v, `Invalid mode value '${explicitMode}'. Valid values are: disabled, enforced, logOnly. Using auto-derived mode instead.`);
+                }
+                return mappedMode ?? derivedMode;
+            })
+                .def(derivedMode),
+            enable_auto_gen_limits: $.val(true), // Always enabled, hidden from user
+            order: $.val(100), // Default order, hidden from user
+        })),
+    });
+}
+// ============================================================================
 exports.NowConfigPlugin = sdk_build_core_1.Plugin.create({
     name: 'NowConfigPlugin',
+    docs: [],
     files: [
         {
             matcher: /\Wnow\.config\.json$/,
@@ -16,15 +353,221 @@ exports.NowConfigPlugin = sdk_build_core_1.Plugin.create({
     ],
     records: {
         sys_app: {
-            toShape(record, { packageJson, config }) {
+            relationships: {
+                sys_arp_network_policy: {
+                    via: 'sys_scope',
+                    descendant: true,
+                },
+                sys_arp_segment_policy: {
+                    via: 'sys_scope',
+                    descendant: true,
+                },
+                sys_app_resource_limit_template: {
+                    via: 'sys_scope',
+                    descendant: true,
+                },
+            },
+            toShape(record, { packageJson, config, database }) {
                 const { name: packageName } = packageJson;
+                // Query policy records directly from database
+                // During transform, the database only contains records from the current scope's XML
+                const networkPolicyRecords = database.query('sys_arp_network_policy');
+                const segmentPolicyRecords = database.query('sys_arp_segment_policy');
+                const resourceLimitRecords = database.query('sys_app_resource_limit_template');
+                // Transform network policies (exclude default values)
+                const networkPolicies = networkPolicyRecords.map((policyRecord) => {
+                    const policyType = policyRecord.get('policy_type').toString().getValue();
+                    const result = {
+                        $id: policyRecord.getId().getValue(),
+                        policyType: policyType,
+                    };
+                    // Only include active if not default (true)
+                    const active = policyRecord.get('active').toBoolean().getValue();
+                    if (active !== true) {
+                        result['active'] = active;
+                    }
+                    // Status is required - always include it (default to 'requested' if missing for backwards compatibility)
+                    const status = policyRecord.get('status').toString().getValue() || 'requested';
+                    result['status'] = status;
+                    const host = policyRecord.get('host').ifDefined()?.toString().getValue();
+                    if (host) {
+                        result['host'] = host;
+                    }
+                    const scheme = policyRecord.get('scheme').ifDefined()?.toString().getValue();
+                    if (scheme) {
+                        result['scheme'] = scheme;
+                    }
+                    const pathVal = policyRecord.get('path').ifDefined()?.toString().getValue();
+                    if (pathVal) {
+                        // Split path string by newlines and clean each path
+                        // ServiceNow stores multi-line fields with CRLF (\r\n) which get XML-encoded as \n&#13;
+                        // The fast-xml-parser doesn't decode numeric character references, so we strip them manually
+                        result['path'] = pathVal
+                            .split('\n')
+                            .map((p) => p.replace(/&#13;/g, '').trim())
+                            .filter((p) => p);
+                    }
+                    const resource = policyRecord.get('resource').ifDefined()?.toString().getValue();
+                    if (resource) {
+                        result['resource'] = resource;
+                    }
+                    const shortDesc = policyRecord.get('short_description').ifDefined()?.toString().getValue();
+                    if (shortDesc) {
+                        result['shortDescription'] = shortDesc;
+                    }
+                    return result;
+                });
+                // Transform wildcard/segment policy (only one per scope, exclude default values)
+                let wildcardPolicy;
+                const segmentRecord = segmentPolicyRecords[0];
+                if (segmentRecord) {
+                    wildcardPolicy = {
+                        $id: segmentRecord.getId().getValue(),
+                    };
+                    // Only include active if not default (false)
+                    const active = segmentRecord.get('active').toBoolean().getValue();
+                    if (active !== false) {
+                        wildcardPolicy['active'] = active;
+                    }
+                    const shortDesc = segmentRecord.get('short_description').ifDefined()?.toString().getValue();
+                    if (shortDesc) {
+                        wildcardPolicy['shortDescription'] = shortDesc;
+                    }
+                    // Network pillar
+                    const networkActive = segmentRecord.get('arp_network').ifDefined()?.toBoolean().getValue();
+                    const networkWildcardStr = segmentRecord
+                        .get('arp_network_wildcard')
+                        .ifDefined()
+                        ?.toString()
+                        .getValue();
+                    const networkWildcardArr = networkWildcardStr
+                        ? networkWildcardStr.split(',').filter((s) => s.trim())
+                        : [];
+                    if (networkActive !== undefined || networkWildcardArr.length > 0) {
+                        const networkPillar = {};
+                        // Only include active if not default (false)
+                        if (networkActive !== false) {
+                            networkPillar['active'] = networkActive ?? false;
+                        }
+                        if (networkWildcardArr.length > 0) {
+                            networkPillar['networkWildcard'] = networkWildcardArr;
+                        }
+                        if (Object.keys(networkPillar).length > 0) {
+                            wildcardPolicy['network'] = networkPillar;
+                        }
+                    }
+                    // Scripting pillar
+                    const scriptingActive = segmentRecord.get('arp_script').ifDefined()?.toBoolean().getValue();
+                    const scriptWildcardStr = segmentRecord
+                        .get('arp_script_wildcard')
+                        .ifDefined()
+                        ?.toString()
+                        .getValue();
+                    const scriptWildcardArr = scriptWildcardStr
+                        ? scriptWildcardStr.split(',').filter((s) => s.trim())
+                        : [];
+                    if (scriptingActive !== undefined || scriptWildcardArr.length > 0) {
+                        const scriptingPillar = {};
+                        // Only include active if not default (false)
+                        if (scriptingActive !== false) {
+                            scriptingPillar['active'] = scriptingActive ?? false;
+                        }
+                        if (scriptWildcardArr.length > 0) {
+                            scriptingPillar['scriptingWildcard'] = scriptWildcardArr;
+                        }
+                        if (Object.keys(scriptingPillar).length > 0) {
+                            wildcardPolicy['scripting'] = scriptingPillar;
+                        }
+                    }
+                    // ARL pillar
+                    const arlActive = segmentRecord.get('arp_arl').ifDefined()?.toBoolean().getValue();
+                    const arlWildcardStr = segmentRecord.get('arp_arl_wildcard').ifDefined()?.toString().getValue();
+                    const arlWildcardArr = arlWildcardStr
+                        ? arlWildcardStr.split(',').filter((s) => s.trim())
+                        : [];
+                    if (arlActive !== undefined || arlWildcardArr.length > 0) {
+                        const arlPillar = {};
+                        // Only include active if not default (false)
+                        if (arlActive !== false) {
+                            arlPillar['active'] = arlActive ?? false;
+                        }
+                        if (arlWildcardArr.length > 0) {
+                            arlPillar['arlWildcard'] = arlWildcardArr;
+                        }
+                        if (Object.keys(arlPillar).length > 0) {
+                            wildcardPolicy['arl'] = arlPillar;
+                        }
+                    }
+                    // Record flag - only include if not default (false)
+                    const arpRecord = segmentRecord.get('arp_record').ifDefined()?.toBoolean().getValue();
+                    if (arpRecord !== undefined && arpRecord !== false) {
+                        wildcardPolicy['record'] = arpRecord;
+                    }
+                    // If wildcardPolicy is empty, set to undefined
+                    if (Object.keys(wildcardPolicy).length === 0) {
+                        wildcardPolicy = undefined;
+                    }
+                }
+                // Transform performance/resource limit policy (only one per scope, exclude default values)
+                let performancePolicy;
+                const limitRecord = resourceLimitRecords[0];
+                if (limitRecord) {
+                    performancePolicy = {
+                        $id: limitRecord.getId().getValue(),
+                        name: limitRecord.get('template_name').toString().getValue(),
+                    };
+                    // Only include quota limits if not default values
+                    const scheduledJobLimit = limitRecord.get('scheduled_job_limit').ifDefined()?.toNumber().getValue();
+                    if (scheduledJobLimit !== undefined && scheduledJobLimit !== 20) {
+                        performancePolicy['scheduledJobLimit'] = scheduledJobLimit;
+                    }
+                    const eventHandlerLimit = limitRecord.get('event_handler_limit').ifDefined()?.toNumber().getValue();
+                    if (eventHandlerLimit !== undefined && eventHandlerLimit !== 20) {
+                        performancePolicy['eventHandlerLimit'] = eventHandlerLimit;
+                    }
+                    const apiTransactionLimit = limitRecord
+                        .get('api_transaction_limit')
+                        .ifDefined()
+                        ?.toNumber()
+                        .getValue();
+                    if (apiTransactionLimit !== undefined && apiTransactionLimit !== 30) {
+                        performancePolicy['apiTransactionLimit'] = apiTransactionLimit;
+                    }
+                    const interactiveTransactionLimit = limitRecord
+                        .get('interactive_transaction_limit')
+                        .ifDefined()
+                        ?.toNumber()
+                        .getValue();
+                    if (interactiveTransactionLimit !== undefined && interactiveTransactionLimit !== 30) {
+                        performancePolicy['interactiveTransactionLimit'] = interactiveTransactionLimit;
+                    }
+                    // Only include mode if it differs from auto-derived value based on applicationRuntimePolicy
+                    // This ensures round-trip consistency with toRecord behavior
+                    const arpValue = record.get('application_runtime_policy').ifDefined()?.toString().getValue() || 'none';
+                    const autoDerivedMode = ARP_TO_PERFORMANCE_POLICY_MODE_MAP[arpValue] ?? 'log_only';
+                    const state = limitRecord.get('state').ifDefined()?.toString().getValue();
+                    if (state && state !== autoDerivedMode) {
+                        const mode = PERFORMANCE_MODE_REVERSE_MAP[state] ?? state;
+                        performancePolicy['mode'] = mode;
+                    }
+                }
                 return {
                     success: true,
                     value: new NowConfigShape({
                         source: record,
                         properties: record.transform(({ $ }) => ({
-                            name: $.toString().def(packageName),
+                            // Required fields
+                            scope: $.from('scope').toString(),
+                            scopeId: $.val(record.getId().getValue()),
+                            name: $.from('name').toString().def(packageName),
                             active: $.toBoolean().def(true),
+                            // Include ARP configuration
+                            applicationRuntimePolicy: $.from('application_runtime_policy').def('none'),
+                            // Policy records are always included in config regardless of ARP mode
+                            // The platform will honor or ignore them based on applicationRuntimePolicy value
+                            ...(networkPolicies.length > 0 ? { networkPolicies: $.val(networkPolicies) } : {}),
+                            ...(wildcardPolicy ? { wildcardPolicy: $.val(wildcardPolicy) } : {}),
+                            ...(performancePolicy ? { performancePolicy: $.val(performancePolicy) } : {}),
                             accessControls: $.from('scoped_administration', 'restrict_table_access', 'can_edit_in_studio', 'runtime_access_tracking', 'private', 'trackable', 'uninstall_blocked', 'hide_on_ui', 'user_role')
                                 .def({
                                 scopedAdministration: false,
@@ -83,6 +626,27 @@ exports.NowConfigPlugin = sdk_build_core_1.Plugin.create({
                 };
             },
         },
+        // Policy table configurations for transform (XML to Fluent)
+        // These records are merged into now.config.json via sys_app.toShape descendants query
+        // toNoOpShape prevents RecordPlugin from creating separate files for these descendants
+        sys_arp_network_policy: {
+            coalesce: ['policy_type', 'host', 'scheme', 'path', 'resource'],
+            toShape(record) {
+                return { success: true, value: sdk_build_core_1.Shape.noOp(record) };
+            },
+        },
+        sys_arp_segment_policy: {
+            coalesce: ['sys_scope'],
+            toShape(record) {
+                return { success: true, value: sdk_build_core_1.Shape.noOp(record) };
+            },
+        },
+        sys_app_resource_limit_template: {
+            coalesce: ['template_name'],
+            toShape(record) {
+                return { success: true, value: sdk_build_core_1.Shape.noOp(record) };
+            },
+        },
     },
     shapes: [
         {
@@ -107,57 +671,101 @@ exports.NowConfigPlugin = sdk_build_core_1.Plugin.create({
                 }
                 const accessControls = config.get('accessControls').ifDefined()?.asObject();
                 const licensing = config.get('licensing').ifDefined()?.asObject();
+                // Application Runtime Policy configuration
+                const applicationRuntimePolicy = config.get('applicationRuntimePolicy').ifString()?.getValue() ?? 'none';
+                const networkPoliciesShape = config.get('networkPolicies')?.ifArray()?.getElements() ?? [];
+                const wildcardPolicyShape = config.get('wildcardPolicy')?.ifDefined()?.asObject();
+                const performancePolicyShape = config.get('performancePolicy')?.ifDefined()?.asObject();
+                const hasPolicyDefinitions = networkPoliciesShape.length > 0 || wildcardPolicyShape || performancePolicyShape;
+                // Warn if ARP is 'none' but policies are defined
+                if (applicationRuntimePolicy === 'none' && hasPolicyDefinitions) {
+                    diagnostics.warn(config, `Application Runtime Policy is set to 'none'. Policy records will be created but the ServiceNow platform will not enforce them. Set applicationRuntimePolicy to 'tracking' or 'enforcing' to enable policy enforcement.`);
+                }
+                // Create sys_app record
+                const sysAppRecord = await factory.createRecord({
+                    source: config,
+                    table: 'sys_app',
+                    properties: config.transform(({ $ }) => ({
+                        active: $.toBoolean().def(true),
+                        // Application Runtime Policy field - only include if not 'none' (default)
+                        ...(applicationRuntimePolicy && applicationRuntimePolicy !== 'none'
+                            ? { application_runtime_policy: $.val(applicationRuntimePolicy) }
+                            : {}),
+                        scoped_administration: $.val(accessControls?.get('scopedAdministration'))
+                            .toBoolean()
+                            .def(false),
+                        can_edit_in_studio: $.val(accessControls?.get('canEditInStudio')).toBoolean().def(true),
+                        js_level: $.from('jsLevel').toString().def('es_latest'),
+                        restrict_table_access: $.val(accessControls?.get('restrictTableAccess')).toBoolean().def(false),
+                        runtime_access_tracking: $.map(() => {
+                            const ratShape = accessControls?.get('runtimeAccessTracking');
+                            const userProvidedRat = ratShape?.getValue();
+                            // ARP may require a specific RAT value
+                            const requiredRat = ARP_TO_RAT_MAP[applicationRuntimePolicy];
+                            // Error only when user *explicitly* set a conflicting value — not when it was omitted
+                            if (userProvidedRat && requiredRat && userProvidedRat !== requiredRat) {
+                                diagnostics.error(ratShape || config.get('accessControls'), `Runtime Access Tracking is set to '${userProvidedRat}' but Application Runtime Policy '${applicationRuntimePolicy}' requires '${requiredRat}'. ` +
+                                    `Set runtimeAccessTracking to '${requiredRat}' to match the Application Runtime Policy.`);
+                            }
+                            // Hint when ARP auto-derives RAT and user also set it explicitly (even if not conflicting)
+                            if (userProvidedRat && requiredRat && userProvidedRat === requiredRat) {
+                                diagnostics.hint(ratShape || config.get('accessControls'), `runtimeAccessTracking is auto-derived from applicationRuntimePolicy='${applicationRuntimePolicy}'. ` +
+                                    `The explicit value '${userProvidedRat}' can be removed.`);
+                            }
+                            // Auto-derive from ARP when it specifies a required value; otherwise fall back to
+                            // the user-provided value or the platform default of 'permissive'.
+                            const rat = requiredRat ?? userProvidedRat ?? 'permissive';
+                            // Convert 'none' to undefined for XML (empty field).
+                            // Round-trip safe: toShape maps empty string back to 'none' (line 796-798)
+                            if (rat === 'none') {
+                                return undefined;
+                            }
+                            return rat;
+                        }),
+                        licensable: $.val(licensing?.get('licensable')).toBoolean().def(true),
+                        enforce_license: $.val(licensing?.get('enforceLicense')).toString().def('log'),
+                        license_model: $.val(licensing?.get('licenseModel')).toString().def('none'),
+                        menu: $.toString().def(''),
+                        user_role: $.val(accessControls?.get('userRole')).toString().def(''),
+                        short_description: $.from('description').toString().def(''),
+                        logo: $.toString().def(''),
+                        guided_setup_guid: $.from('guidedSetupGuid').toString().def(''),
+                        subscription_entitlement: $.val(licensing?.get('subscriptionEntitlement')).toString().def(''),
+                        private: $.val(accessControls?.get('private')).toBoolean().def(false),
+                        trackable: $.val(accessControls?.get('trackable')).toBoolean().def(true),
+                        uninstall_blocked: $.val(accessControls?.get('uninstallBlocked')).toBoolean().def(false),
+                        hide_on_ui: $.val(accessControls?.get('hideOnUI')).toBoolean().def(false),
+                        installed_as_dependency: $.from('installedAsDependency').toBoolean().def(false),
+                        license_category: $.val(licensing?.get('licenseCategory')).toString().def('none'),
+                        scope: $.val(scope),
+                        package_json: $.val(packageJsonPath),
+                        name: $.val(name),
+                        source: $.val(scope),
+                        sys_id: $.from('scopeId'),
+                        version: $.val(version),
+                        package_resolver_version: $.from('packageResolverVersion').def(scope === 'global' ? sdk_build_core_1.MODULE_RESOLUTION.V2 : sdk_build_core_1.MODULE_RESOLUTION.V1),
+                    })),
+                });
+                const policyRecords = [];
+                const scopeId = config.get('scopeId').asString().getValue();
+                // Create network policy records
+                if (networkPoliciesShape.length > 0) {
+                    const networkRecords = await createNetworkPolicyRecords(networkPoliciesShape, factory, config, diagnostics);
+                    policyRecords.push(...networkRecords);
+                }
+                // Create wildcard policy record
+                if (wildcardPolicyShape) {
+                    const wildcardRecord = await createWildcardPolicyRecord(wildcardPolicyShape, factory, config, scopeId, diagnostics);
+                    policyRecords.push(wildcardRecord);
+                }
+                // Create performance policy record
+                if (performancePolicyShape) {
+                    const performanceRecord = await createPerformancePolicyRecord(performancePolicyShape, factory, config, scopeId, applicationRuntimePolicy, diagnostics);
+                    policyRecords.push(performanceRecord);
+                }
                 return {
                     success: true,
-                    value: await factory.createRecord({
-                        source: config,
-                        table: 'sys_app',
-                        properties: config.transform(({ $ }) => ({
-                            active: $.toBoolean().def(true),
-                            scoped_administration: $.val(accessControls?.get('scopedAdministration'))
-                                .toBoolean()
-                                .def(false),
-                            can_edit_in_studio: $.val(accessControls?.get('canEditInStudio')).toBoolean().def(true),
-                            js_level: $.from('jsLevel').toString().def('es_latest'),
-                            restrict_table_access: $.val(accessControls?.get('restrictTableAccess'))
-                                .toBoolean()
-                                .def(false),
-                            runtime_access_tracking: $.map(() => {
-                                const rac = accessControls?.get('runtimeAccessTracking').getValue();
-                                if (!rac) {
-                                    return 'permissive';
-                                }
-                                else if (rac === 'none') {
-                                    return undefined;
-                                }
-                                return rac;
-                            }),
-                            licensable: $.val(licensing?.get('licensable')).toBoolean().def(true),
-                            enforce_license: $.val(licensing?.get('enforceLicense')).toString().def('log'),
-                            license_model: $.val(licensing?.get('licenseModel')).toString().def('none'),
-                            menu: $.toString().def(''),
-                            user_role: $.val(accessControls?.get('userRole')).toString().def(''),
-                            short_description: $.from('description').toString().def(''),
-                            logo: $.toString().def(''),
-                            guided_setup_guid: $.from('guidedSetupGuid').toString().def(''),
-                            subscription_entitlement: $.val(licensing?.get('subscriptionEntitlement'))
-                                .toString()
-                                .def(''),
-                            private: $.val(accessControls?.get('private')).toBoolean().def(false),
-                            trackable: $.val(accessControls?.get('trackable')).toBoolean().def(true),
-                            uninstall_blocked: $.val(accessControls?.get('uninstallBlocked')).toBoolean().def(false),
-                            hide_on_ui: $.val(accessControls?.get('hideOnUI')).toBoolean().def(false),
-                            installed_as_dependency: $.from('installedAsDependency').toBoolean().def(false),
-                            license_category: $.val(licensing?.get('licenseCategory')).toString().def('none'),
-                            scope: $.val(scope),
-                            package_json: $.val(packageJsonPath),
-                            name: $.val(name),
-                            source: $.val(scope),
-                            sys_id: $.from('scopeId'),
-                            version: $.val(version),
-                            package_resolver_version: $.from('packageResolverVersion').def(scope === 'global' ? sdk_build_core_1.MODULE_RESOLUTION.V2 : sdk_build_core_1.MODULE_RESOLUTION.V1),
-                        })),
-                    }),
+                    value: sysAppRecord.with(...policyRecords),
                 };
             },
         },