@servicenow/sdk-build-plugins 4.4.0 → 4.5.0

package/src/now-config-plugin.ts

@@ -1,11 +1,455 @@
-import { NowConfig, ObjectShape, MODULE_RESOLUTION, Plugin, Shape } from '@servicenow/sdk-build-core'
+import {
+    NowConfig,
+    ObjectShape,
+    MODULE_RESOLUTION,
+    Plugin,
+    Shape,
+    type Record as SdkRecord,
+    type Factory,
+    type Diagnostics,
+} from '@servicenow/sdk-build-core'
 
 import { JsonFileShape } from './json-plugin'
 
 export class NowConfigShape extends ObjectShape {}
 
+// ============================================================================
+// Application Runtime Policy Helper Functions
+// ============================================================================
+
+/**
+ * Maps Fluent mode values to ServiceNow XML state values for performance policy
+ */
+const PERFORMANCE_MODE_MAP = {
+    disabled: 'disabled',
+    enforced: 'enforced',
+    logOnly: 'log_only',
+} as const satisfies Record<string, string>
+
+/**
+ * Reverse mapping: ServiceNow XML state values to Fluent mode values
+ */
+const PERFORMANCE_MODE_REVERSE_MAP = {
+    disabled: 'disabled',
+    enforced: 'enforced',
+    log_only: 'logOnly',
+} as const satisfies Record<string, string>
+
+/**
+ * Maps applicationRuntimePolicy to performance policy mode
+ */
+const ARP_TO_PERFORMANCE_POLICY_MODE_MAP = {
+    none: 'disabled',
+    tracking: 'log_only',
+    enforcing: 'enforced',
+} as const satisfies Record<string, string>
+
+/**
+ * Maps Application Runtime Policy values to required Runtime Access Tracking values
+ * - none: RAT can be anything (no restriction)
+ * - tracking: RAT must be permissive
+ * - enforcing: RAT must be enforcing
+ */
+const ARP_TO_RAT_MAP = {
+    none: null, // No restriction - RAT can be any value
+    tracking: 'permissive',
+    enforcing: 'enforcing',
+} as const satisfies Record<string, string | null>
+
+// ============================================================================
+// Network Policy Validation Functions
+// ============================================================================
+
+/**
+ * Validates host field format and content
+ * Uses URL API for parsing with manual wildcard validation (URL can't handle wildcards)
+ * Matches platform business rule validation logic
+ */
+function validateHost(host: string | undefined, policyType: string, diagnostics: Diagnostics, source: Shape): boolean {
+    if (!host || !host.trim()) {
+        return true
+    }
+
+    const hostValue = host.trim()
+
+    // Use URL API for scheme/port parsing — replace wildcards with placeholder since URL can't handle them
+    const parseableUrl = hostValue.replace(/\*/g, 'wildcard-placeholder')
+    let url: URL
+    try {
+        url = new URL(parseableUrl)
+    } catch {
+        // URL throws for invalid ports (>65535) among other reasons
+        // Check if the host has an out-of-range port and diagnose it
+        const portMatch = hostValue.match(/:(\d+)\s*$/)
+        if (portMatch) {
+            const port = parseInt(portMatch[1]!, 10)
+            if (isNaN(port) || port < 1 || port > 65535) {
+                diagnostics.error(source, `Invalid port "${portMatch[1]}". Must be 1-65535.`)
+                return false
+            }
+        }
+        // Zod regex handles basic format validation; if URL can't parse for other reasons, skip
+        return true
+    }
+
+    const scheme = url.protocol.slice(0, -1) // Remove trailing ':'
+
+    // Validate scheme based on policy type
+    // Platform uses system properties to configure allowed schemes,
+    // but we use hardcoded defaults here for build-time validation
+    const allowedSchemes = getValidSchemes(policyType)
+    if (!allowedSchemes.includes(scheme)) {
+        diagnostics.error(
+            source,
+            `Invalid URL scheme "${scheme}" for policy type "${policyType}". Allowed schemes: ${allowedSchemes.join(', ')}`
+        )
+        return false
+    }
+
+    // Validate wildcards on original hostname (not the placeholder)
+    const originalHostname = url.hostname.replace(/wildcard-placeholder/g, '*')
+    if (!validateWildcards(originalHostname, diagnostics, source)) {
+        return false
+    }
+
+    // Validate port range using URL's parsed port
+    if (url.port) {
+        const port = parseInt(url.port, 10)
+        if (port < 1 || port > 65535) {
+            diagnostics.error(source, `Invalid port "${url.port}". Must be 1-65535.`)
+            return false
+        }
+    }
+
+    return true
+}
+
+/**
+ * Gets valid URL schemes based on policy type
+ * Matches platform business rule defaults for glide.arp.csp.allowed.url.schemes
+ * and glide.arp.server.outbound.allowed.url.schemes
+ */
+function getValidSchemes(policyType: string): string[] {
+    // CSP script-src only allows HTTPS
+    if (policyType === 'csp_script_src') {
+        return ['https']
+    }
+    // CSP connect-src allows HTTPS and WSS
+    if (policyType === 'csp_connect_src') {
+        return ['https', 'wss']
+    }
+    // Server outbound allows all four protocols
+    if (policyType === 'now_outbound') {
+        return ['http', 'https', 'ws', 'wss']
+    }
+    // For inbound policies, host should be empty, but if provided, use https
+    return ['https']
+}
+
+/**
+ * Validates wildcard patterns in hostname
+ */
+function validateWildcards(hostPart: string, diagnostics: Diagnostics, source: Shape): boolean {
+    if (hostPart === '*') {
+        diagnostics.error(source, 'Single wildcard "*" not allowed. Use "*.example.com" format.')
+        return false
+    }
+
+    if (hostPart.indexOf('*') === -1) {
+        return true
+    }
+
+    const parts = hostPart.split('.')
+    let wildcardCount = 0
+
+    for (let i = 0; i < parts.length; i++) {
+        const part = parts[i]!
+        if (part === '*') {
+            wildcardCount++
+            if (i !== 0 || wildcardCount > 1) {
+                diagnostics.error(source, `Wildcard must be first segment only. Invalid: "${hostPart}"`)
+                return false
+            }
+        } else if (part.indexOf('*') !== -1) {
+            diagnostics.error(source, `Partial wildcards not allowed: "${part}"`)
+            return false
+        }
+    }
+
+    return true
+}
+
+/**
+ * Validates path field format
+ * Each path in the array must start with single forward slash
+ */
+function validatePath(path: string[] | undefined, diagnostics: Diagnostics, source: Shape): boolean {
+    if (!path || path.length === 0) {
+        return true
+    }
+
+    for (const singlePath of path) {
+        const trimmedPath = singlePath.trim()
+        if (!trimmedPath.startsWith('/') || trimmedPath.startsWith('//')) {
+            diagnostics.error(source, `Path must start with single "/": "${trimmedPath}"`)
+            return false
+        }
+    }
+
+    return true
+}
+
+/**
+ * Validates network policy fields for cross-field and business rules
+ */
+function validateNetworkPolicy(
+    policy: { policyType?: unknown; host?: unknown; path?: unknown },
+    diagnostics: Diagnostics,
+    source: Shape
+): boolean {
+    let isValid = true
+
+    const policyType = typeof policy.policyType === 'string' ? policy.policyType : ''
+    const host = typeof policy.host === 'string' ? policy.host : undefined
+    const path = Array.isArray(policy.path) ? policy.path : undefined
+
+    if (host && !validateHost(host, policyType, diagnostics, source)) {
+        isValid = false
+    }
+
+    if (path && !validatePath(path, diagnostics, source)) {
+        isValid = false
+    }
+
+    return isValid
+}
+
+/**
+ * Creates network policy records from config
+ */
+async function createNetworkPolicyRecords(
+    networkPolicies: Shape[],
+    factory: Factory,
+    source: Shape,
+    diagnostics: Diagnostics
+): Promise<SdkRecord[]> {
+    const records: SdkRecord[] = []
+
+    for (const policy of networkPolicies) {
+        const policyObj = policy.asObject()
+
+        // Validate policy fields (complex validations that can't be done in schema)
+        const policyData = {
+            policyType: policyObj.get('policyType')?.getValue(),
+            host: policyObj.get('host')?.getValue(),
+            path: policyObj.get('path')?.getValue(),
+        }
+        validateNetworkPolicy(policyData, diagnostics, policy)
+
+        const record = await factory.createRecord({
+            source: source,
+            table: 'sys_arp_network_policy',
+            explicitId: policyObj.get('$id'),
+            properties: policyObj.transform(({ $ }) => ({
+                active: $.def(true),
+                policy_type: $.from('policyType'),
+                status: $,
+                host: $,
+                scheme: $,
+                // Join path array with newlines for XML storage
+                path: $.from('path').map(
+                    (pathShape) =>
+                        pathShape
+                            .ifArray()
+                            ?.getElements()
+                            .map((e: Shape) => e.getValue())
+                            .join('\n') ?? ''
+                ),
+                resource: $,
+                short_description: $.from('shortDescription'),
+            })),
+        })
+
+        records.push(record)
+    }
+
+    return records
+}
+
+/**
+ * Creates wildcard policy record from config
+ */
+async function createWildcardPolicyRecord(
+    wildcardPolicy: ObjectShape,
+    factory: Factory,
+    source: Shape,
+    scopeId: string,
+    diagnostics: Diagnostics
+): Promise<SdkRecord> {
+    // Extract nested pillar objects
+    const networkPillar = wildcardPolicy.get('network')?.ifDefined()?.asObject()
+    const scriptingPillar = wildcardPolicy.get('scripting')?.ifDefined()?.asObject()
+    const arlPillar = wildcardPolicy.get('arl')?.ifDefined()?.asObject()
+
+    // Validate pillar active/wildcard consistency
+    const networkActive = networkPillar?.get('active')?.toBoolean().getValue() ?? false
+    const networkWildcardShape = networkPillar?.get('networkWildcard')?.ifArray()
+    const networkWildcard = networkWildcardShape?.getElements()
+    if (!networkActive && networkWildcard && networkWildcard.length > 0) {
+        diagnostics.warn(networkWildcardShape!, 'networkWildcard values will be ignored when network.active is false')
+    }
+    if (networkActive && (!networkWildcard || networkWildcard.length === 0)) {
+        diagnostics.hint(
+            networkPillar!.get('active'),
+            'Network pillar is active but has no networkWildcard selections. Consider adding networkWildcard values or setting active to false.'
+        )
+    }
+
+    const scriptingActive = scriptingPillar?.get('active')?.toBoolean().getValue() ?? false
+    const scriptingWildcardShape = scriptingPillar?.get('scriptingWildcard')?.ifArray()
+    const scriptingWildcard = scriptingWildcardShape?.getElements()
+    if (!scriptingActive && scriptingWildcard && scriptingWildcard.length > 0) {
+        diagnostics.warn(
+            scriptingWildcardShape!,
+            'scriptingWildcard values will be ignored when scripting.active is false'
+        )
+    }
+    if (scriptingActive && (!scriptingWildcard || scriptingWildcard.length === 0)) {
+        diagnostics.hint(
+            scriptingPillar!.get('active'),
+            'Scripting pillar is active but has no scriptingWildcard selections. Consider adding scriptingWildcard values or setting active to false.'
+        )
+    }
+
+    const arlActive = arlPillar?.get('active')?.toBoolean().getValue() ?? false
+    const arlWildcardShape = arlPillar?.get('arlWildcard')?.ifArray()
+    const arlWildcard = arlWildcardShape?.getElements()
+    if (!arlActive && arlWildcard && arlWildcard.length > 0) {
+        diagnostics.warn(arlWildcardShape!, 'arlWildcard values will be ignored when arl.active is false')
+    }
+    if (arlActive && (!arlWildcard || arlWildcard.length === 0)) {
+        diagnostics.hint(
+            arlPillar!.get('active'),
+            'ARL pillar is active but has no arlWildcard selections. Consider adding arlWildcard values or setting active to false.'
+        )
+    }
+
+    return await factory.createRecord({
+        source: source,
+        table: 'sys_arp_segment_policy',
+        explicitId: wildcardPolicy.get('$id'),
+        properties: wildcardPolicy.transform(({ $ }) => ({
+            sys_scope: $.val(scopeId),
+            active: $.def(false),
+            short_description: $.from('shortDescription').def(''),
+            arp_record: $.from('record').toBoolean().def(false),
+            // Network pillar
+            arp_network: $.val(networkPillar?.get('active')?.toBoolean().getValue() ?? false),
+            arp_network_wildcard: $.val(
+                networkPillar
+                    ?.get('networkWildcard')
+                    ?.ifArray()
+                    ?.getElements()
+                    .map((e) => e.getValue())
+                    .join(',') ?? ''
+            ),
+            // Scripting pillar
+            arp_script: $.val(scriptingPillar?.get('active')?.toBoolean().getValue() ?? false),
+            arp_script_wildcard: $.val(
+                scriptingPillar
+                    ?.get('scriptingWildcard')
+                    ?.ifArray()
+                    ?.getElements()
+                    .map((e) => e.getValue())
+                    .join(',') ?? ''
+            ),
+            // ARL pillar
+            arp_arl: $.val(arlPillar?.get('active')?.toBoolean().getValue() ?? false),
+            arp_arl_wildcard: $.val(
+                arlPillar
+                    ?.get('arlWildcard')
+                    ?.ifArray()
+                    ?.getElements()
+                    .map((e) => e.getValue())
+                    .join(',') ?? ''
+            ),
+        })),
+    })
+}
+
+/**
+ * Creates performance policy record from config
+ * Mode is auto-derived from applicationRuntimePolicy if not explicitly set
+ */
+async function createPerformancePolicyRecord(
+    performancePolicy: ObjectShape,
+    factory: Factory,
+    source: Shape,
+    scopeId: string,
+    applicationRuntimePolicy: string,
+    diagnostics: Diagnostics
+): Promise<SdkRecord> {
+    // Derive state from applicationRuntimePolicy
+    const derivedMode =
+        ARP_TO_PERFORMANCE_POLICY_MODE_MAP[
+            applicationRuntimePolicy as keyof typeof ARP_TO_PERFORMANCE_POLICY_MODE_MAP
+        ] ?? 'log_only'
+
+    // Check if user explicitly set mode and it differs from auto-derived value
+    const explicitModeShape = performancePolicy.get('mode').ifDefined()
+    if (explicitModeShape) {
+        const explicitMode = explicitModeShape.toString().getValue()
+        const explicitModeInXml = PERFORMANCE_MODE_MAP[explicitMode as keyof typeof PERFORMANCE_MODE_MAP]
+        if (explicitModeInXml && explicitModeInXml !== derivedMode) {
+            const derivedModeInFluent = Object.entries(PERFORMANCE_MODE_MAP).find(
+                ([_, xml]) => xml === derivedMode
+            )?.[0]
+            diagnostics.warn(
+                explicitModeShape,
+                `Performance policy mode '${explicitMode}' differs from auto-derived mode '${derivedModeInFluent}' based on applicationRuntimePolicy='${applicationRuntimePolicy}'. The explicit mode will be used.`
+            )
+        }
+    }
+
+    return await factory.createRecord({
+        source: source,
+        table: 'sys_app_resource_limit_template',
+        explicitId: performancePolicy.get('$id'),
+        properties: performancePolicy.transform(({ $ }) => ({
+            template_name: $.from('name'),
+            // Auto-derive appCondition to query current scope
+            app_condition: $.val(`sys_id=${scopeId}`),
+            scheduled_job_limit: $.from('scheduledJobLimit').def(20),
+            event_handler_limit: $.from('eventHandlerLimit').def(20),
+            api_transaction_limit: $.from('apiTransactionLimit').def(30),
+            interactive_transaction_limit: $.from('interactiveTransactionLimit').def(30),
+            // State is auto-derived from applicationRuntimePolicy unless explicitly overridden
+            state: $.from('mode')
+                .map((v) => {
+                    const explicitMode = v.getValue() as string
+                    const mappedMode = PERFORMANCE_MODE_MAP[explicitMode as keyof typeof PERFORMANCE_MODE_MAP]
+                    if (explicitMode && !mappedMode) {
+                        // Invalid mode value - should have been caught by schema validation
+                        // but add a diagnostic warning just in case
+                        diagnostics.warn(
+                            v,
+                            `Invalid mode value '${explicitMode}'. Valid values are: disabled, enforced, logOnly. Using auto-derived mode instead.`
+                        )
+                    }
+                    return mappedMode ?? derivedMode
+                })
+                .def(derivedMode),
+            enable_auto_gen_limits: $.val(true), // Always enabled, hidden from user
+            order: $.val(100), // Default order, hidden from user
+        })),
+    })
+}
+
+// ============================================================================
+
 export const NowConfigPlugin = Plugin.create({
     name: 'NowConfigPlugin',
+    docs: [],
     files: [
         {
             matcher: /\Wnow\.config\.json$/,
@@ -14,15 +458,243 @@ export const NowConfigPlugin = Plugin.create({
     ],
     records: {
         sys_app: {
-            toShape(record, { packageJson, config }) {
+            relationships: {
+                sys_arp_network_policy: {
+                    via: 'sys_scope',
+                    descendant: true,
+                },
+                sys_arp_segment_policy: {
+                    via: 'sys_scope',
+                    descendant: true,
+                },
+                sys_app_resource_limit_template: {
+                    via: 'sys_scope',
+                    descendant: true,
+                },
+            },
+            toShape(record, { packageJson, config, database }) {
                 const { name: packageName } = packageJson
+
+                // Query policy records directly from database
+                // During transform, the database only contains records from the current scope's XML
+                const networkPolicyRecords = database.query('sys_arp_network_policy')
+                const segmentPolicyRecords = database.query('sys_arp_segment_policy')
+                const resourceLimitRecords = database.query('sys_app_resource_limit_template')
+
+                // Transform network policies (exclude default values)
+                const networkPolicies = networkPolicyRecords.map((policyRecord) => {
+                    const policyType = policyRecord.get('policy_type').toString().getValue()
+                    const result: Record<string, unknown> = {
+                        $id: policyRecord.getId().getValue(),
+                        policyType: policyType,
+                    }
+
+                    // Only include active if not default (true)
+                    const active = policyRecord.get('active').toBoolean().getValue()
+                    if (active !== true) {
+                        result['active'] = active
+                    }
+
+                    // Status is required - always include it (default to 'requested' if missing for backwards compatibility)
+                    const status = policyRecord.get('status').toString().getValue() || 'requested'
+                    result['status'] = status
+
+                    const host = policyRecord.get('host').ifDefined()?.toString().getValue()
+                    if (host) {
+                        result['host'] = host
+                    }
+                    const scheme = policyRecord.get('scheme').ifDefined()?.toString().getValue()
+                    if (scheme) {
+                        result['scheme'] = scheme
+                    }
+                    const pathVal = policyRecord.get('path').ifDefined()?.toString().getValue()
+                    if (pathVal) {
+                        // Split path string by newlines and clean each path
+                        // ServiceNow stores multi-line fields with CRLF (\r\n) which get XML-encoded as \n&#13;
+                        // The fast-xml-parser doesn't decode numeric character references, so we strip them manually
+                        result['path'] = pathVal
+                            .split('\n')
+                            .map((p) => p.replace(/&#13;/g, '').trim())
+                            .filter((p) => p)
+                    }
+                    const resource = policyRecord.get('resource').ifDefined()?.toString().getValue()
+                    if (resource) {
+                        result['resource'] = resource
+                    }
+                    const shortDesc = policyRecord.get('short_description').ifDefined()?.toString().getValue()
+                    if (shortDesc) {
+                        result['shortDescription'] = shortDesc
+                    }
+                    return result
+                })
+
+                // Transform wildcard/segment policy (only one per scope, exclude default values)
+                let wildcardPolicy: Record<string, unknown> | undefined
+                const segmentRecord = segmentPolicyRecords[0]
+                if (segmentRecord) {
+                    wildcardPolicy = {
+                        $id: segmentRecord.getId().getValue(),
+                    }
+
+                    // Only include active if not default (false)
+                    const active = segmentRecord.get('active').toBoolean().getValue()
+                    if (active !== false) {
+                        wildcardPolicy['active'] = active
+                    }
+
+                    const shortDesc = segmentRecord.get('short_description').ifDefined()?.toString().getValue()
+                    if (shortDesc) {
+                        wildcardPolicy['shortDescription'] = shortDesc
+                    }
+
+                    // Network pillar
+                    const networkActive = segmentRecord.get('arp_network').ifDefined()?.toBoolean().getValue()
+                    const networkWildcardStr = segmentRecord
+                        .get('arp_network_wildcard')
+                        .ifDefined()
+                        ?.toString()
+                        .getValue()
+                    const networkWildcardArr = networkWildcardStr
+                        ? networkWildcardStr.split(',').filter((s: string) => s.trim())
+                        : []
+                    if (networkActive !== undefined || networkWildcardArr.length > 0) {
+                        const networkPillar: Record<string, unknown> = {}
+                        // Only include active if not default (false)
+                        if (networkActive !== false) {
+                            networkPillar['active'] = networkActive ?? false
+                        }
+                        if (networkWildcardArr.length > 0) {
+                            networkPillar['networkWildcard'] = networkWildcardArr
+                        }
+                        if (Object.keys(networkPillar).length > 0) {
+                            wildcardPolicy['network'] = networkPillar
+                        }
+                    }
+
+                    // Scripting pillar
+                    const scriptingActive = segmentRecord.get('arp_script').ifDefined()?.toBoolean().getValue()
+                    const scriptWildcardStr = segmentRecord
+                        .get('arp_script_wildcard')
+                        .ifDefined()
+                        ?.toString()
+                        .getValue()
+                    const scriptWildcardArr = scriptWildcardStr
+                        ? scriptWildcardStr.split(',').filter((s: string) => s.trim())
+                        : []
+                    if (scriptingActive !== undefined || scriptWildcardArr.length > 0) {
+                        const scriptingPillar: Record<string, unknown> = {}
+                        // Only include active if not default (false)
+                        if (scriptingActive !== false) {
+                            scriptingPillar['active'] = scriptingActive ?? false
+                        }
+                        if (scriptWildcardArr.length > 0) {
+                            scriptingPillar['scriptingWildcard'] = scriptWildcardArr
+                        }
+                        if (Object.keys(scriptingPillar).length > 0) {
+                            wildcardPolicy['scripting'] = scriptingPillar
+                        }
+                    }
+
+                    // ARL pillar
+                    const arlActive = segmentRecord.get('arp_arl').ifDefined()?.toBoolean().getValue()
+                    const arlWildcardStr = segmentRecord.get('arp_arl_wildcard').ifDefined()?.toString().getValue()
+                    const arlWildcardArr = arlWildcardStr
+                        ? arlWildcardStr.split(',').filter((s: string) => s.trim())
+                        : []
+                    if (arlActive !== undefined || arlWildcardArr.length > 0) {
+                        const arlPillar: Record<string, unknown> = {}
+                        // Only include active if not default (false)
+                        if (arlActive !== false) {
+                            arlPillar['active'] = arlActive ?? false
+                        }
+                        if (arlWildcardArr.length > 0) {
+                            arlPillar['arlWildcard'] = arlWildcardArr
+                        }
+                        if (Object.keys(arlPillar).length > 0) {
+                            wildcardPolicy['arl'] = arlPillar
+                        }
+                    }
+
+                    // Record flag - only include if not default (false)
+                    const arpRecord = segmentRecord.get('arp_record').ifDefined()?.toBoolean().getValue()
+                    if (arpRecord !== undefined && arpRecord !== false) {
+                        wildcardPolicy['record'] = arpRecord
+                    }
+
+                    // If wildcardPolicy is empty, set to undefined
+                    if (Object.keys(wildcardPolicy).length === 0) {
+                        wildcardPolicy = undefined
+                    }
+                }
+
+                // Transform performance/resource limit policy (only one per scope, exclude default values)
+                let performancePolicy: Record<string, unknown> | undefined
+                const limitRecord = resourceLimitRecords[0]
+                if (limitRecord) {
+                    performancePolicy = {
+                        $id: limitRecord.getId().getValue(),
+                        name: limitRecord.get('template_name').toString().getValue(),
+                    }
+
+                    // Only include quota limits if not default values
+                    const scheduledJobLimit = limitRecord.get('scheduled_job_limit').ifDefined()?.toNumber().getValue()
+                    if (scheduledJobLimit !== undefined && scheduledJobLimit !== 20) {
+                        performancePolicy['scheduledJobLimit'] = scheduledJobLimit
+                    }
+                    const eventHandlerLimit = limitRecord.get('event_handler_limit').ifDefined()?.toNumber().getValue()
+                    if (eventHandlerLimit !== undefined && eventHandlerLimit !== 20) {
+                        performancePolicy['eventHandlerLimit'] = eventHandlerLimit
+                    }
+                    const apiTransactionLimit = limitRecord
+                        .get('api_transaction_limit')
+                        .ifDefined()
+                        ?.toNumber()
+                        .getValue()
+                    if (apiTransactionLimit !== undefined && apiTransactionLimit !== 30) {
+                        performancePolicy['apiTransactionLimit'] = apiTransactionLimit
+                    }
+                    const interactiveTransactionLimit = limitRecord
+                        .get('interactive_transaction_limit')
+                        .ifDefined()
+                        ?.toNumber()
+                        .getValue()
+                    if (interactiveTransactionLimit !== undefined && interactiveTransactionLimit !== 30) {
+                        performancePolicy['interactiveTransactionLimit'] = interactiveTransactionLimit
+                    }
+
+                    // Only include mode if it differs from auto-derived value based on applicationRuntimePolicy
+                    // This ensures round-trip consistency with toRecord behavior
+                    const arpValue =
+                        record.get('application_runtime_policy').ifDefined()?.toString().getValue() || 'none'
+                    const autoDerivedMode =
+                        ARP_TO_PERFORMANCE_POLICY_MODE_MAP[
+                            arpValue as keyof typeof ARP_TO_PERFORMANCE_POLICY_MODE_MAP
+                        ] ?? 'log_only'
+                    const state = limitRecord.get('state').ifDefined()?.toString().getValue()
+                    if (state && state !== autoDerivedMode) {
+                        const mode =
+                            PERFORMANCE_MODE_REVERSE_MAP[state as keyof typeof PERFORMANCE_MODE_REVERSE_MAP] ?? state
+                        performancePolicy['mode'] = mode
+                    }
+                }
+
                 return {
                     success: true,
                     value: new NowConfigShape({
                         source: record,
                         properties: record.transform(({ $ }) => ({
-                            name: $.toString().def(packageName),
+                            // Required fields
+                            scope: $.from('scope').toString(),
+                            scopeId: $.val(record.getId().getValue()),
+                            name: $.from('name').toString().def(packageName),
                             active: $.toBoolean().def(true),
+                            // Include ARP configuration
+                            applicationRuntimePolicy: $.from('application_runtime_policy').def('none'),
+                            // Policy records are always included in config regardless of ARP mode
+                            // The platform will honor or ignore them based on applicationRuntimePolicy value
+                            ...(networkPolicies.length > 0 ? { networkPolicies: $.val(networkPolicies) } : {}),
+                            ...(wildcardPolicy ? { wildcardPolicy: $.val(wildcardPolicy) } : {}),
+                            ...(performancePolicy ? { performancePolicy: $.val(performancePolicy) } : {}),
                             accessControls: $.from(
                                 'scoped_administration',
                                 'restrict_table_access',
@@ -121,6 +793,28 @@ export const NowConfigPlugin = Plugin.create({
                 }
             },
         },
+
+        // Policy table configurations for transform (XML to Fluent)
+        // These records are merged into now.config.json via sys_app.toShape descendants query
+        // toNoOpShape prevents RecordPlugin from creating separate files for these descendants
+        sys_arp_network_policy: {
+            coalesce: ['policy_type', 'host', 'scheme', 'path', 'resource'],
+            toShape(record) {
+                return { success: true, value: Shape.noOp(record) }
+            },
+        },
+        sys_arp_segment_policy: {
+            coalesce: ['sys_scope'],
+            toShape(record) {
+                return { success: true, value: Shape.noOp(record) }
+            },
+        },
+        sys_app_resource_limit_template: {
+            coalesce: ['template_name'],
+            toShape(record) {
+                return { success: true, value: Shape.noOp(record) }
+            },
+        },
     },
     shapes: [
         {
@@ -150,58 +844,144 @@ export const NowConfigPlugin = Plugin.create({
                 const accessControls = config.get('accessControls').ifDefined()?.asObject()
                 const licensing = config.get('licensing').ifDefined()?.asObject()
 
+                // Application Runtime Policy configuration
+                const applicationRuntimePolicy = config.get('applicationRuntimePolicy').ifString()?.getValue() ?? 'none'
+                const networkPoliciesShape = config.get('networkPolicies')?.ifArray()?.getElements() ?? []
+                const wildcardPolicyShape = config.get('wildcardPolicy')?.ifDefined()?.asObject()
+                const performancePolicyShape = config.get('performancePolicy')?.ifDefined()?.asObject()
+
+                const hasPolicyDefinitions =
+                    networkPoliciesShape.length > 0 || wildcardPolicyShape || performancePolicyShape
+
+                // Warn if ARP is 'none' but policies are defined
+                if (applicationRuntimePolicy === 'none' && hasPolicyDefinitions) {
+                    diagnostics.warn(
+                        config,
+                        `Application Runtime Policy is set to 'none'. Policy records will be created but the ServiceNow platform will not enforce them. Set applicationRuntimePolicy to 'tracking' or 'enforcing' to enable policy enforcement.`
+                    )
+                }
+
+                // Create sys_app record
+                const sysAppRecord = await factory.createRecord({
+                    source: config,
+                    table: 'sys_app',
+                    properties: config.transform(({ $ }) => ({
+                        active: $.toBoolean().def(true),
+                        // Application Runtime Policy field - only include if not 'none' (default)
+                        ...(applicationRuntimePolicy && applicationRuntimePolicy !== 'none'
+                            ? { application_runtime_policy: $.val(applicationRuntimePolicy) }
+                            : {}),
+                        scoped_administration: $.val(accessControls?.get('scopedAdministration'))
+                            .toBoolean()
+                            .def(false),
+                        can_edit_in_studio: $.val(accessControls?.get('canEditInStudio')).toBoolean().def(true),
+                        js_level: $.from('jsLevel').toString().def('es_latest'),
+                        restrict_table_access: $.val(accessControls?.get('restrictTableAccess')).toBoolean().def(false),
+                        runtime_access_tracking: $.map(() => {
+                            const ratShape = accessControls?.get('runtimeAccessTracking')
+                            const userProvidedRat = ratShape?.getValue() as string | undefined
+
+                            // ARP may require a specific RAT value
+                            const requiredRat = ARP_TO_RAT_MAP[applicationRuntimePolicy as keyof typeof ARP_TO_RAT_MAP]
+
+                            // Error only when user *explicitly* set a conflicting value — not when it was omitted
+                            if (userProvidedRat && requiredRat && userProvidedRat !== requiredRat) {
+                                diagnostics.error(
+                                    ratShape || config.get('accessControls'),
+                                    `Runtime Access Tracking is set to '${userProvidedRat}' but Application Runtime Policy '${applicationRuntimePolicy}' requires '${requiredRat}'. ` +
+                                        `Set runtimeAccessTracking to '${requiredRat}' to match the Application Runtime Policy.`
+                                )
+                            }
+
+                            // Hint when ARP auto-derives RAT and user also set it explicitly (even if not conflicting)
+                            if (userProvidedRat && requiredRat && userProvidedRat === requiredRat) {
+                                diagnostics.hint(
+                                    ratShape || config.get('accessControls'),
+                                    `runtimeAccessTracking is auto-derived from applicationRuntimePolicy='${applicationRuntimePolicy}'. ` +
+                                        `The explicit value '${userProvidedRat}' can be removed.`
+                                )
+                            }
+
+                            // Auto-derive from ARP when it specifies a required value; otherwise fall back to
+                            // the user-provided value or the platform default of 'permissive'.
+                            const rat = requiredRat ?? userProvidedRat ?? 'permissive'
+
+                            // Convert 'none' to undefined for XML (empty field).
+                            // Round-trip safe: toShape maps empty string back to 'none' (line 796-798)
+                            if (rat === 'none') {
+                                return undefined
+                            }
+                            return rat
+                        }),
+                        licensable: $.val(licensing?.get('licensable')).toBoolean().def(true),
+                        enforce_license: $.val(licensing?.get('enforceLicense')).toString().def('log'),
+                        license_model: $.val(licensing?.get('licenseModel')).toString().def('none'),
+                        menu: $.toString().def(''),
+                        user_role: $.val(accessControls?.get('userRole')).toString().def(''),
+                        short_description: $.from('description').toString().def(''),
+                        logo: $.toString().def(''),
+                        guided_setup_guid: $.from('guidedSetupGuid').toString().def(''),
+                        subscription_entitlement: $.val(licensing?.get('subscriptionEntitlement')).toString().def(''),
+                        private: $.val(accessControls?.get('private')).toBoolean().def(false),
+                        trackable: $.val(accessControls?.get('trackable')).toBoolean().def(true),
+                        uninstall_blocked: $.val(accessControls?.get('uninstallBlocked')).toBoolean().def(false),
+                        hide_on_ui: $.val(accessControls?.get('hideOnUI')).toBoolean().def(false),
+                        installed_as_dependency: $.from('installedAsDependency').toBoolean().def(false),
+                        license_category: $.val(licensing?.get('licenseCategory')).toString().def('none'),
+                        scope: $.val(scope),
+                        package_json: $.val(packageJsonPath),
+                        name: $.val(name),
+                        source: $.val(scope),
+                        sys_id: $.from('scopeId'),
+                        version: $.val(version),
+                        package_resolver_version: $.from('packageResolverVersion').def(
+                            scope === 'global' ? MODULE_RESOLUTION.V2 : MODULE_RESOLUTION.V1
+                        ),
+                    })),
+                })
+
+                const policyRecords: SdkRecord[] = []
+                const scopeId = config.get('scopeId').asString().getValue()
+
+                // Create network policy records
+                if (networkPoliciesShape.length > 0) {
+                    const networkRecords = await createNetworkPolicyRecords(
+                        networkPoliciesShape,
+                        factory,
+                        config,
+                        diagnostics
+                    )
+                    policyRecords.push(...networkRecords)
+                }
+
+                // Create wildcard policy record
+                if (wildcardPolicyShape) {
+                    const wildcardRecord = await createWildcardPolicyRecord(
+                        wildcardPolicyShape,
+                        factory,
+                        config,
+                        scopeId,
+                        diagnostics
+                    )
+                    policyRecords.push(wildcardRecord)
+                }
+
+                // Create performance policy record
+                if (performancePolicyShape) {
+                    const performanceRecord = await createPerformancePolicyRecord(
+                        performancePolicyShape,
+                        factory,
+                        config,
+                        scopeId,
+                        applicationRuntimePolicy,
+                        diagnostics
+                    )
+                    policyRecords.push(performanceRecord)
+                }
+
                 return {
                     success: true,
-                    value: await factory.createRecord({
-                        source: config,
-                        table: 'sys_app',
-                        properties: config.transform(({ $ }) => ({
-                            active: $.toBoolean().def(true),
-                            scoped_administration: $.val(accessControls?.get('scopedAdministration'))
-                                .toBoolean()
-                                .def(false),
-                            can_edit_in_studio: $.val(accessControls?.get('canEditInStudio')).toBoolean().def(true),
-                            js_level: $.from('jsLevel').toString().def('es_latest'),
-                            restrict_table_access: $.val(accessControls?.get('restrictTableAccess'))
-                                .toBoolean()
-                                .def(false),
-                            runtime_access_tracking: $.map(() => {
-                                const rac = accessControls?.get('runtimeAccessTracking').getValue()
-                                if (!rac) {
-                                    return 'permissive'
-                                } else if (rac === 'none') {
-                                    return undefined
-                                }
-                                return rac
-                            }),
-                            licensable: $.val(licensing?.get('licensable')).toBoolean().def(true),
-                            enforce_license: $.val(licensing?.get('enforceLicense')).toString().def('log'),
-                            license_model: $.val(licensing?.get('licenseModel')).toString().def('none'),
-                            menu: $.toString().def(''),
-                            user_role: $.val(accessControls?.get('userRole')).toString().def(''),
-                            short_description: $.from('description').toString().def(''),
-                            logo: $.toString().def(''),
-                            guided_setup_guid: $.from('guidedSetupGuid').toString().def(''),
-                            subscription_entitlement: $.val(licensing?.get('subscriptionEntitlement'))
-                                .toString()
-                                .def(''),
-                            private: $.val(accessControls?.get('private')).toBoolean().def(false),
-                            trackable: $.val(accessControls?.get('trackable')).toBoolean().def(true),
-                            uninstall_blocked: $.val(accessControls?.get('uninstallBlocked')).toBoolean().def(false),
-                            hide_on_ui: $.val(accessControls?.get('hideOnUI')).toBoolean().def(false),
-                            installed_as_dependency: $.from('installedAsDependency').toBoolean().def(false),
-                            license_category: $.val(licensing?.get('licenseCategory')).toString().def('none'),
-                            scope: $.val(scope),
-                            package_json: $.val(packageJsonPath),
-                            name: $.val(name),
-                            source: $.val(scope),
-                            sys_id: $.from('scopeId'),
-                            version: $.val(version),
-                            package_resolver_version: $.from('packageResolverVersion').def(
-                                scope === 'global' ? MODULE_RESOLUTION.V2 : MODULE_RESOLUTION.V1
-                            ),
-                        })),
-                    }),
+                    value: sysAppRecord.with(...policyRecords),
                 }
             },
         },