@sovr/engine 1.1.0 → 1.2.0

package/LICENSE

@@ -0,0 +1,81 @@
+Business Source License 1.1
+
+License text copyright (c) 2017 MariaDB Corporation Ab, All Rights Reserved.
+"Business Source License" is a trademark of MariaDB Corporation Ab.
+
+Parameters
+
+Licensor:             SOVR AI
+Licensed Work:        @sovr/engine v1.2.0
+                      The Licensed Work is (c) 2025-2026 SOVR AI.
+Additional Use Grant: You may use the Licensed Work for non-production
+                      evaluation, development, and testing purposes.
+Change Date:          Four years from the date of each version's release.
+Change License:       Apache License, Version 2.0
+
+Terms
+
+The Licensor hereby grants you the right to copy, modify, create derivative
+works, redistribute, and make non-production use of the Licensed Work. The
+Licensor may make an Additional Use Grant, above, permitting limited
+production use.
+
+Effective on the Change Date, or the fourth anniversary of the first publicly
+available distribution of a specific version of the Licensed Work under this
+License, whichever comes first, the Licensor hereby grants you rights under
+the terms of the Change License, and the rights granted in the paragraph
+above terminate.
+
+If your use of the Licensed Work does not comply with the requirements
+currently in effect as described in this License, you must purchase a
+commercial license from the Licensor, its affiliated entities, or authorized
+resellers, or you must refrain from using the Licensed Work.
+
+All copies of the original and modified Licensed Work, and derivative works
+of the Licensed Work, are subject to this License. This License applies
+separately for each version of the Licensed Work and the Change Date may vary
+for each version of the Licensed Work released by Licensor.
+
+You must conspicuously display this License on each original or modified copy
+of the Licensed Work. If you receive the Licensed Work in original or
+modified form from a third party, the terms and conditions set forth in this
+License apply to your use of that work.
+
+Any use of the Licensed Work in violation of this License will automatically
+terminate your rights under this License for the current and all other
+versions of the Licensed Work.
+
+This License does not grant you any right in any trademark or logo of
+Licensor or its affiliates (provided that you may use a trademark or logo of
+Licensor as expressly required by this License).
+
+TO THE EXTENT PERMITTED BY APPLICABLE LAW, THE LICENSED WORK IS PROVIDED ON
+AN "AS IS" BASIS. LICENSOR HEREBY DISCLAIMS ALL WARRANTIES AND CONDITIONS,
+EXPRESS OR IMPLIED, INCLUDING (WITHOUT LIMITATION) WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND
+TITLE.
+
+MariaDB hereby grants you permission to use this License's text to license
+your works, and to refer to it using the trademark "Business Source License",
+as long as you comply with the Covenants of Licensor below.
+
+Covenants of Licensor
+
+In consideration of the right to use this License's text and the "Business
+Source License" name and trademark, Licensor covenants to MariaDB, and to all
+other recipients of the licensed work to be provided by Licensor:
+
+1. To specify as the Change License the GPL Version 2.0 or any later version,
+   or a license that is compatible with GPL Version 2.0 or a later version,
+   where "compatible" means that software provided under the Change License can
+   be included in a program with software provided under GPL Version 2.0 or a
+   later version. Licensor may specify additional Change Licenses without
+   limitation.
+
+2. To either: (a) specify an additional grant of rights to use that does not
+   impose any additional restriction on the right granted in this License, as
+   the Additional Use Grant; or (b) insert the text "None".
+
+3. To specify a Change Date.
+
+4. Not to modify this License in any other way.

package/README.md

@@ -0,0 +1,105 @@
+# @sovr/engine
+
+**Unified Policy Engine for SOVR** — the single decision plane for all proxy channels.
+
+[![npm](https://img.shields.io/npm/v/@sovr/engine)](https://www.npmjs.com/package/@sovr/engine)
+[![License](https://img.shields.io/badge/license-BSL--1.1-blue)](LICENSE)
+
+## Overview
+
+`@sovr/engine` is the core policy evaluation engine that powers all SOVR proxy channels. It provides a unified interface for evaluating actions against policy rules, regardless of the channel (exec, sql, http, mcp).
+
+This package is used internally by:
+
+- [`sovr-mcp-proxy`](https://www.npmjs.com/package/sovr-mcp-proxy) — MCP transport proxy
+- [`@sovr/proxy-exec`](https://www.npmjs.com/package/@sovr/proxy-exec) — Shell command proxy
+- [`@sovr/proxy-sql`](https://www.npmjs.com/package/@sovr/proxy-sql) — SQL statement proxy
+- [`@sovr/proxy-http`](https://www.npmjs.com/package/@sovr/proxy-http) — HTTP request proxy
+
+## Installation
+
+```bash
+npm install @sovr/engine
+```
+
+## Usage
+
+```typescript
+import { PolicyEngine, evaluate } from '@sovr/engine';
+
+const engine = new PolicyEngine({
+  rules: [/* your policy rules */],
+  failMode: 'fail-close',
+});
+
+const result = engine.evaluate({
+  channel: 'exec',
+  action: 'rm -rf /tmp/data',
+  context: { user: 'agent-1' },
+});
+
+// result.verdict: 'allow' | 'deny' | 'escalate'
+// result.rule: the matching rule (if any)
+// result.reason: human-readable explanation
+```
+
+## API
+
+### `PolicyEngine`
+
+The main class for policy evaluation.
+
+| Method | Description |
+|--------|-------------|
+| `evaluate(request)` | Evaluate an action against all loaded rules |
+| `addRule(rule)` | Add a rule at runtime |
+| `removeRule(id)` | Remove a rule by ID |
+| `listRules()` | List all active rules |
+| `getStats()` | Get evaluation statistics |
+
+### `evaluate(request)`
+
+Standalone function for one-shot evaluation without engine instantiation.
+
+### Rule Format
+
+```typescript
+interface PolicyRule {
+  id: string;
+  description: string;
+  channels: ('exec' | 'sql' | 'http' | 'mcp')[];
+  action_pattern: string;      // regex pattern
+  resource_pattern?: string;   // optional resource filter
+  effect: 'allow' | 'deny' | 'escalate';
+  risk_level: 'low' | 'medium' | 'high' | 'critical';
+  priority: number;            // higher = evaluated first
+}
+```
+
+### Verdict Format
+
+```typescript
+interface Verdict {
+  verdict: 'allow' | 'deny' | 'escalate';
+  rule: PolicyRule | null;
+  reason: string;
+  timestamp: number;
+  channel: string;
+}
+```
+
+## Built-in Rules
+
+The engine ships with 15 built-in rules covering common risk patterns across all four channels. See the [sovr-mcp-proxy documentation](https://www.npmjs.com/package/sovr-mcp-proxy) for the complete list.
+
+## License
+
+BSL-1.1 (Business Source License 1.1) — See [LICENSE](LICENSE) for details.
+
+The Licensed Work is the @sovr/engine software. The Change Date is four years from each version's release. After the Change Date, each version converts to Apache-2.0.
+
+## Links
+
+- **Website**: [sovr.inc](https://sovr.inc)
+- **GitHub**: [xie38388/sovr](https://github.com/xie38388/sovr)
+- **npm**: [@sovr/engine](https://www.npmjs.com/package/@sovr/engine)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sovr/engine",
-  "version": "1.1.0",
+  "version": "1.2.0",
   "description": "Unified Policy Engine for SOVR — the single decision plane for all proxy channels",
   "main": "dist/index.js",
   "module": "dist/index.mjs",
@@ -14,7 +14,8 @@
   },
   "files": [
     "dist",
-    "README.md"
+    "README.md",
+    "LICENSE"
   ],
   "scripts": {
     "build": "tsup src/index.ts --format cjs,esm --dts --clean",
@@ -25,12 +26,12 @@
   "keywords": [
     "sovr",
     "policy-engine",
-    "ai-firewall",
+    "ai-responsibility",
     "proxy",
     "rules-engine"
   ],
-  "author": "SOVR Inc. <sdk@sovr.inc>",
-  "license": "MIT",
+  "author": "SOVR AI <contact@sovrapp.com>",
+  "license": "BSL-1.1",
   "repository": {
     "type": "git",
     "url": "https://github.com/xie38388/sovr"