@sovr/engine 1.1.0

package/dist/index.d.mts

@@ -0,0 +1,218 @@
+/**
+ * @sovr/engine — Unified Policy Engine
+ *
+ * The single decision plane that all SOVR proxies share.
+ * Four proxy channels (MCP, HTTP, SQL, Exec) feed into this engine,
+ * which evaluates rules and returns allow/deny/escalate decisions.
+ *
+ * Architecture:
+ *   AI Agent → [MCP Proxy | HTTP Proxy | SQL Proxy | Exec Proxy]
+ *                              ↓
+ *                    SOVR Policy Engine (this)
+ *                              ↓
+ *                        External World
+ */
+/** The channel through which the action was intercepted */
+type Channel = 'mcp' | 'http' | 'sql' | 'exec';
+/** Risk level classification */
+type RiskLevel = 'none' | 'low' | 'medium' | 'high' | 'critical';
+/** Decision verdict */
+type Verdict = 'allow' | 'deny' | 'escalate';
+/** A single policy rule */
+interface PolicyRule {
+    /** Unique rule identifier */
+    id: string;
+    /** Human-readable description */
+    description: string;
+    /** Which channels this rule applies to (empty = all) */
+    channels: Channel[];
+    /** Pattern matching for action names (glob-style) */
+    action_pattern: string;
+    /** Pattern matching for resources (glob-style) */
+    resource_pattern: string;
+    /** Conditions that must be true for the rule to match */
+    conditions?: RuleCondition[];
+    /** What to do when the rule matches */
+    effect: Verdict;
+    /** Risk level assigned when this rule matches */
+    risk_level: RiskLevel;
+    /** Whether to require human approval */
+    require_approval: boolean;
+    /** Priority (higher = evaluated first) */
+    priority: number;
+    /** Whether this rule is enabled */
+    enabled: boolean;
+}
+/** A condition within a rule */
+interface RuleCondition {
+    /** JSON path into the context object */
+    field: string;
+    /** Comparison operator */
+    operator: 'eq' | 'neq' | 'gt' | 'gte' | 'lt' | 'lte' | 'contains' | 'matches' | 'in' | 'not_in' | 'exists';
+    /** Value to compare against */
+    value: unknown;
+}
+/** Input to the policy engine for evaluation */
+interface EvalRequest {
+    /** Which proxy channel intercepted this */
+    channel: Channel;
+    /** The action being attempted */
+    action: string;
+    /** The resource being acted upon */
+    resource: string;
+    /** Additional context (varies by channel) */
+    context: Record<string, unknown>;
+    /** Actor performing the action */
+    actor_id?: string;
+    /** Trace ID for correlation */
+    trace_id?: string;
+}
+/** Channel-specific context for HTTP proxy */
+interface HttpContext extends Record<string, unknown> {
+    method: string;
+    url: string;
+    host: string;
+    path: string;
+    headers?: Record<string, string>;
+    body_preview?: string;
+}
+/** Channel-specific context for MCP proxy */
+interface McpContext extends Record<string, unknown> {
+    tool_name: string;
+    server_name?: string;
+    arguments?: Record<string, unknown>;
+}
+/** Channel-specific context for SQL proxy */
+interface SqlContext extends Record<string, unknown> {
+    statement_type: 'SELECT' | 'INSERT' | 'UPDATE' | 'DELETE' | 'DROP' | 'ALTER' | 'TRUNCATE' | 'CREATE' | 'OTHER';
+    tables: string[];
+    has_where_clause: boolean;
+    raw_sql?: string;
+}
+/** Channel-specific context for Exec proxy */
+interface ExecContext extends Record<string, unknown> {
+    command: string;
+    args: string[];
+    cwd?: string;
+    env?: Record<string, string>;
+}
+/** Result of policy evaluation */
+interface EvalResult {
+    /** Unique decision ID */
+    decision_id: string;
+    /** The verdict */
+    verdict: Verdict;
+    /** Whether the action is allowed (verdict === 'allow') */
+    allowed: boolean;
+    /** Whether human approval is required */
+    requires_approval: boolean;
+    /** Human-readable reason */
+    reason: string;
+    /** Computed risk score (0-100) */
+    risk_score: number;
+    /** Which rules matched */
+    matched_rules: string[];
+    /** Risk level classification */
+    risk_level: RiskLevel;
+    /** The channel that was evaluated */
+    channel: Channel;
+    /** Trace ID */
+    trace_id: string;
+    /** Timestamp */
+    timestamp: number;
+}
+/** Engine configuration */
+interface EngineConfig {
+    /** Policy rules */
+    rules: PolicyRule[];
+    /** Default verdict when no rules match */
+    default_verdict?: Verdict;
+    /** Whether to log all evaluations */
+    audit_log?: boolean;
+    /** Callback for audit events */
+    on_audit?: (event: AuditEvent) => void | Promise<void>;
+}
+/** Audit event emitted for every evaluation */
+interface AuditEvent {
+    decision_id: string;
+    channel: Channel;
+    action: string;
+    resource: string;
+    verdict: Verdict;
+    risk_score: number;
+    matched_rules: string[];
+    actor_id?: string;
+    trace_id: string;
+    timestamp: number;
+    context_snapshot: Record<string, unknown>;
+}
+/**
+ * Default rules that cover the most dangerous operations across all channels.
+ * Users can extend or override these.
+ */
+declare const DEFAULT_RULES: PolicyRule[];
+/**
+ * The SOVR Policy Engine.
+ *
+ * Evaluates actions from any proxy channel against a unified rule set.
+ * All four proxy types (MCP, HTTP, SQL, Exec) feed into this same engine.
+ *
+ * @example
+ * ```ts
+ * import { PolicyEngine, DEFAULT_RULES } from '@sovr/engine';
+ *
+ * const engine = new PolicyEngine({
+ *   rules: DEFAULT_RULES,
+ *   audit_log: true,
+ *   on_audit: (event) => console.log(event),
+ * });
+ *
+ * const result = engine.evaluate({
+ *   channel: 'http',
+ *   action: 'POST',
+ *   resource: 'api.stripe.com/v1/charges',
+ *   context: { method: 'POST', host: 'api.stripe.com', url: '...', path: '/v1/charges' },
+ * });
+ *
+ * if (!result.allowed) {
+ *   console.log(`Blocked: ${result.reason}`);
+ * }
+ * ```
+ */
+declare class PolicyEngine {
+    private rules;
+    private defaultVerdict;
+    private auditLog;
+    private onAudit?;
+    constructor(config: EngineConfig);
+    /**
+     * Evaluate an action against the policy rules.
+     * Returns a decision with verdict, risk score, and matched rules.
+     */
+    evaluate(request: EvalRequest): EvalResult;
+    /**
+     * Add a rule at runtime.
+     */
+    addRule(rule: PolicyRule): void;
+    /**
+     * Remove a rule by ID.
+     */
+    removeRule(ruleId: string): boolean;
+    /**
+     * Enable or disable a rule.
+     */
+    setRuleEnabled(ruleId: string, enabled: boolean): boolean;
+    /**
+     * Get all rules (for inspection/export).
+     */
+    getRules(): readonly PolicyRule[];
+    /**
+     * Load rules from a YAML/JSON policy file content.
+     * Expects { rules: PolicyRule[] } format.
+     */
+    loadRules(rulesData: {
+        rules: PolicyRule[];
+    }): void;
+}
+
+export { type AuditEvent, type Channel, DEFAULT_RULES, type EngineConfig, type EvalRequest, type EvalResult, type ExecContext, type HttpContext, type McpContext, PolicyEngine, type PolicyRule, type RiskLevel, type RuleCondition, type SqlContext, type Verdict, PolicyEngine as default };

package/dist/index.d.ts

@@ -0,0 +1,218 @@
+/**
+ * @sovr/engine — Unified Policy Engine
+ *
+ * The single decision plane that all SOVR proxies share.
+ * Four proxy channels (MCP, HTTP, SQL, Exec) feed into this engine,
+ * which evaluates rules and returns allow/deny/escalate decisions.
+ *
+ * Architecture:
+ *   AI Agent → [MCP Proxy | HTTP Proxy | SQL Proxy | Exec Proxy]
+ *                              ↓
+ *                    SOVR Policy Engine (this)
+ *                              ↓
+ *                        External World
+ */
+/** The channel through which the action was intercepted */
+type Channel = 'mcp' | 'http' | 'sql' | 'exec';
+/** Risk level classification */
+type RiskLevel = 'none' | 'low' | 'medium' | 'high' | 'critical';
+/** Decision verdict */
+type Verdict = 'allow' | 'deny' | 'escalate';
+/** A single policy rule */
+interface PolicyRule {
+    /** Unique rule identifier */
+    id: string;
+    /** Human-readable description */
+    description: string;
+    /** Which channels this rule applies to (empty = all) */
+    channels: Channel[];
+    /** Pattern matching for action names (glob-style) */
+    action_pattern: string;
+    /** Pattern matching for resources (glob-style) */
+    resource_pattern: string;
+    /** Conditions that must be true for the rule to match */
+    conditions?: RuleCondition[];
+    /** What to do when the rule matches */
+    effect: Verdict;
+    /** Risk level assigned when this rule matches */
+    risk_level: RiskLevel;
+    /** Whether to require human approval */
+    require_approval: boolean;
+    /** Priority (higher = evaluated first) */
+    priority: number;
+    /** Whether this rule is enabled */
+    enabled: boolean;
+}
+/** A condition within a rule */
+interface RuleCondition {
+    /** JSON path into the context object */
+    field: string;
+    /** Comparison operator */
+    operator: 'eq' | 'neq' | 'gt' | 'gte' | 'lt' | 'lte' | 'contains' | 'matches' | 'in' | 'not_in' | 'exists';
+    /** Value to compare against */
+    value: unknown;
+}
+/** Input to the policy engine for evaluation */
+interface EvalRequest {
+    /** Which proxy channel intercepted this */
+    channel: Channel;
+    /** The action being attempted */
+    action: string;
+    /** The resource being acted upon */
+    resource: string;
+    /** Additional context (varies by channel) */
+    context: Record<string, unknown>;
+    /** Actor performing the action */
+    actor_id?: string;
+    /** Trace ID for correlation */
+    trace_id?: string;
+}
+/** Channel-specific context for HTTP proxy */
+interface HttpContext extends Record<string, unknown> {
+    method: string;
+    url: string;
+    host: string;
+    path: string;
+    headers?: Record<string, string>;
+    body_preview?: string;
+}
+/** Channel-specific context for MCP proxy */
+interface McpContext extends Record<string, unknown> {
+    tool_name: string;
+    server_name?: string;
+    arguments?: Record<string, unknown>;
+}
+/** Channel-specific context for SQL proxy */
+interface SqlContext extends Record<string, unknown> {
+    statement_type: 'SELECT' | 'INSERT' | 'UPDATE' | 'DELETE' | 'DROP' | 'ALTER' | 'TRUNCATE' | 'CREATE' | 'OTHER';
+    tables: string[];
+    has_where_clause: boolean;
+    raw_sql?: string;
+}
+/** Channel-specific context for Exec proxy */
+interface ExecContext extends Record<string, unknown> {
+    command: string;
+    args: string[];
+    cwd?: string;
+    env?: Record<string, string>;
+}
+/** Result of policy evaluation */
+interface EvalResult {
+    /** Unique decision ID */
+    decision_id: string;
+    /** The verdict */
+    verdict: Verdict;
+    /** Whether the action is allowed (verdict === 'allow') */
+    allowed: boolean;
+    /** Whether human approval is required */
+    requires_approval: boolean;
+    /** Human-readable reason */
+    reason: string;
+    /** Computed risk score (0-100) */
+    risk_score: number;
+    /** Which rules matched */
+    matched_rules: string[];
+    /** Risk level classification */
+    risk_level: RiskLevel;
+    /** The channel that was evaluated */
+    channel: Channel;
+    /** Trace ID */
+    trace_id: string;
+    /** Timestamp */
+    timestamp: number;
+}
+/** Engine configuration */
+interface EngineConfig {
+    /** Policy rules */
+    rules: PolicyRule[];
+    /** Default verdict when no rules match */
+    default_verdict?: Verdict;
+    /** Whether to log all evaluations */
+    audit_log?: boolean;
+    /** Callback for audit events */
+    on_audit?: (event: AuditEvent) => void | Promise<void>;
+}
+/** Audit event emitted for every evaluation */
+interface AuditEvent {
+    decision_id: string;
+    channel: Channel;
+    action: string;
+    resource: string;
+    verdict: Verdict;
+    risk_score: number;
+    matched_rules: string[];
+    actor_id?: string;
+    trace_id: string;
+    timestamp: number;
+    context_snapshot: Record<string, unknown>;
+}
+/**
+ * Default rules that cover the most dangerous operations across all channels.
+ * Users can extend or override these.
+ */
+declare const DEFAULT_RULES: PolicyRule[];
+/**
+ * The SOVR Policy Engine.
+ *
+ * Evaluates actions from any proxy channel against a unified rule set.
+ * All four proxy types (MCP, HTTP, SQL, Exec) feed into this same engine.
+ *
+ * @example
+ * ```ts
+ * import { PolicyEngine, DEFAULT_RULES } from '@sovr/engine';
+ *
+ * const engine = new PolicyEngine({
+ *   rules: DEFAULT_RULES,
+ *   audit_log: true,
+ *   on_audit: (event) => console.log(event),
+ * });
+ *
+ * const result = engine.evaluate({
+ *   channel: 'http',
+ *   action: 'POST',
+ *   resource: 'api.stripe.com/v1/charges',
+ *   context: { method: 'POST', host: 'api.stripe.com', url: '...', path: '/v1/charges' },
+ * });
+ *
+ * if (!result.allowed) {
+ *   console.log(`Blocked: ${result.reason}`);
+ * }
+ * ```
+ */
+declare class PolicyEngine {
+    private rules;
+    private defaultVerdict;
+    private auditLog;
+    private onAudit?;
+    constructor(config: EngineConfig);
+    /**
+     * Evaluate an action against the policy rules.
+     * Returns a decision with verdict, risk score, and matched rules.
+     */
+    evaluate(request: EvalRequest): EvalResult;
+    /**
+     * Add a rule at runtime.
+     */
+    addRule(rule: PolicyRule): void;
+    /**
+     * Remove a rule by ID.
+     */
+    removeRule(ruleId: string): boolean;
+    /**
+     * Enable or disable a rule.
+     */
+    setRuleEnabled(ruleId: string, enabled: boolean): boolean;
+    /**
+     * Get all rules (for inspection/export).
+     */
+    getRules(): readonly PolicyRule[];
+    /**
+     * Load rules from a YAML/JSON policy file content.
+     * Expects { rules: PolicyRule[] } format.
+     */
+    loadRules(rulesData: {
+        rules: PolicyRule[];
+    }): void;
+}
+
+export { type AuditEvent, type Channel, DEFAULT_RULES, type EngineConfig, type EvalRequest, type EvalResult, type ExecContext, type HttpContext, type McpContext, PolicyEngine, type PolicyRule, type RiskLevel, type RuleCondition, type SqlContext, type Verdict, PolicyEngine as default };

package/dist/index.js

@@ -0,0 +1,388 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  DEFAULT_RULES: () => DEFAULT_RULES,
+  PolicyEngine: () => PolicyEngine,
+  default: () => index_default
+});
+module.exports = __toCommonJS(index_exports);
+var DEFAULT_RULES = [
+  // --- HTTP Proxy: Dangerous outbound calls ---
+  {
+    id: "http-payment-apis",
+    description: "Intercept all payment API calls (Stripe, PayPal, etc.)",
+    channels: ["http"],
+    action_pattern: "*",
+    resource_pattern: "*",
+    conditions: [
+      { field: "host", operator: "matches", value: "(api\\.stripe\\.com|api\\.paypal\\.com|api\\.square\\.com)" },
+      { field: "method", operator: "in", value: ["POST", "PUT", "DELETE"] }
+    ],
+    effect: "escalate",
+    risk_level: "high",
+    require_approval: true,
+    priority: 100,
+    enabled: true
+  },
+  {
+    id: "http-cloud-destructive",
+    description: "Block destructive cloud API calls (DELETE on AWS, GCP, Azure)",
+    channels: ["http"],
+    action_pattern: "*",
+    resource_pattern: "*",
+    conditions: [
+      { field: "host", operator: "matches", value: "(.*\\.amazonaws\\.com|.*\\.googleapis\\.com|.*\\.azure\\.com)" },
+      { field: "method", operator: "eq", value: "DELETE" }
+    ],
+    effect: "escalate",
+    risk_level: "critical",
+    require_approval: true,
+    priority: 110,
+    enabled: true
+  },
+  {
+    id: "http-github-push",
+    description: "Intercept GitHub write operations",
+    channels: ["http"],
+    action_pattern: "*",
+    resource_pattern: "*",
+    conditions: [
+      { field: "host", operator: "eq", value: "api.github.com" },
+      { field: "method", operator: "in", value: ["POST", "PUT", "PATCH", "DELETE"] }
+    ],
+    effect: "escalate",
+    risk_level: "medium",
+    require_approval: false,
+    priority: 80,
+    enabled: true
+  },
+  // --- MCP Proxy: Dangerous tool calls ---
+  {
+    id: "mcp-file-write",
+    description: "Intercept file system write operations via MCP",
+    channels: ["mcp"],
+    action_pattern: "file_write",
+    resource_pattern: "*",
+    effect: "escalate",
+    risk_level: "medium",
+    require_approval: false,
+    priority: 70,
+    enabled: true
+  },
+  {
+    id: "mcp-shell-exec",
+    description: "Intercept shell command execution via MCP",
+    channels: ["mcp"],
+    action_pattern: "shell_exec",
+    resource_pattern: "*",
+    effect: "escalate",
+    risk_level: "high",
+    require_approval: true,
+    priority: 90,
+    enabled: true
+  },
+  {
+    id: "mcp-database-mutation",
+    description: "Intercept database mutations via MCP",
+    channels: ["mcp"],
+    action_pattern: "db_*",
+    resource_pattern: "*",
+    conditions: [
+      { field: "tool_name", operator: "matches", value: "(db_insert|db_update|db_delete|db_execute)" }
+    ],
+    effect: "escalate",
+    risk_level: "high",
+    require_approval: true,
+    priority: 85,
+    enabled: true
+  },
+  // --- SQL Proxy: Dangerous SQL operations ---
+  {
+    id: "sql-ddl-block",
+    description: "Block DDL operations (DROP, ALTER, TRUNCATE)",
+    channels: ["sql"],
+    action_pattern: "*",
+    resource_pattern: "*",
+    conditions: [
+      { field: "statement_type", operator: "in", value: ["DROP", "ALTER", "TRUNCATE"] }
+    ],
+    effect: "deny",
+    risk_level: "critical",
+    require_approval: true,
+    priority: 120,
+    enabled: true
+  },
+  {
+    id: "sql-delete-no-where",
+    description: "Block DELETE without WHERE clause",
+    channels: ["sql"],
+    action_pattern: "*",
+    resource_pattern: "*",
+    conditions: [
+      { field: "statement_type", operator: "eq", value: "DELETE" },
+      { field: "has_where_clause", operator: "eq", value: false }
+    ],
+    effect: "deny",
+    risk_level: "critical",
+    require_approval: true,
+    priority: 115,
+    enabled: true
+  },
+  // --- Exec Proxy: Dangerous shell commands ---
+  {
+    id: "exec-rm-rf",
+    description: "Block rm -rf and similar destructive commands",
+    channels: ["exec"],
+    action_pattern: "*",
+    resource_pattern: "*",
+    conditions: [
+      { field: "command", operator: "matches", value: "(rm|rmdir|del)" },
+      { field: "args", operator: "contains", value: "-rf" }
+    ],
+    effect: "deny",
+    risk_level: "critical",
+    require_approval: true,
+    priority: 130,
+    enabled: true
+  },
+  {
+    id: "exec-kubectl-delete",
+    description: "Intercept kubectl delete operations",
+    channels: ["exec"],
+    action_pattern: "*",
+    resource_pattern: "*",
+    conditions: [
+      { field: "command", operator: "eq", value: "kubectl" },
+      { field: "args", operator: "contains", value: "delete" }
+    ],
+    effect: "escalate",
+    risk_level: "critical",
+    require_approval: true,
+    priority: 125,
+    enabled: true
+  }
+];
+var decisionCounter = 0;
+function generateDecisionId() {
+  const ts = Date.now().toString(36);
+  const rand = Math.random().toString(36).substring(2, 8);
+  decisionCounter++;
+  return `dec_${ts}_${rand}_${decisionCounter}`;
+}
+function generateTraceId() {
+  const ts = Date.now().toString(36);
+  const rand = Math.random().toString(36).substring(2, 10);
+  return `trace_${ts}_${rand}`;
+}
+function globMatch(pattern, value) {
+  if (pattern === "*") return true;
+  const regex = new RegExp(
+    "^" + pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".") + "$"
+  );
+  return regex.test(value);
+}
+function evaluateCondition(condition, context) {
+  const fieldValue = getNestedValue(context, condition.field);
+  switch (condition.operator) {
+    case "eq":
+      return fieldValue === condition.value;
+    case "neq":
+      return fieldValue !== condition.value;
+    case "gt":
+      return typeof fieldValue === "number" && fieldValue > condition.value;
+    case "gte":
+      return typeof fieldValue === "number" && fieldValue >= condition.value;
+    case "lt":
+      return typeof fieldValue === "number" && fieldValue < condition.value;
+    case "lte":
+      return typeof fieldValue === "number" && fieldValue <= condition.value;
+    case "contains":
+      if (Array.isArray(fieldValue)) {
+        return fieldValue.includes(condition.value);
+      }
+      if (typeof fieldValue === "string") {
+        return fieldValue.includes(condition.value);
+      }
+      return false;
+    case "matches":
+      if (typeof fieldValue !== "string") return false;
+      try {
+        return new RegExp(condition.value).test(fieldValue);
+      } catch {
+        return false;
+      }
+    case "in":
+      if (!Array.isArray(condition.value)) return false;
+      return condition.value.includes(fieldValue);
+    case "not_in":
+      if (!Array.isArray(condition.value)) return true;
+      return !condition.value.includes(fieldValue);
+    case "exists":
+      return fieldValue !== void 0 && fieldValue !== null;
+    default:
+      return false;
+  }
+}
+function getNestedValue(obj, path) {
+  const parts = path.split(".");
+  let current = obj;
+  for (const part of parts) {
+    if (current === null || current === void 0) return void 0;
+    current = current[part];
+  }
+  return current;
+}
+var RISK_SCORES = {
+  none: 0,
+  low: 20,
+  medium: 45,
+  high: 70,
+  critical: 95
+};
+var PolicyEngine = class {
+  rules;
+  defaultVerdict;
+  auditLog;
+  onAudit;
+  constructor(config) {
+    this.rules = config.rules.map((r) => ({ ...r, conditions: r.conditions ? [...r.conditions] : void 0 })).sort((a, b) => b.priority - a.priority);
+    this.defaultVerdict = config.default_verdict ?? "allow";
+    this.auditLog = config.audit_log ?? false;
+    this.onAudit = config.on_audit;
+  }
+  /**
+   * Evaluate an action against the policy rules.
+   * Returns a decision with verdict, risk score, and matched rules.
+   */
+  evaluate(request) {
+    const traceId = request.trace_id || generateTraceId();
+    const decisionId = generateDecisionId();
+    const matchedRules = [];
+    for (const rule of this.rules) {
+      if (!rule.enabled) continue;
+      if (rule.channels.length > 0 && !rule.channels.includes(request.channel)) {
+        continue;
+      }
+      if (!globMatch(rule.action_pattern, request.action)) {
+        continue;
+      }
+      if (!globMatch(rule.resource_pattern, request.resource)) {
+        continue;
+      }
+      if (rule.conditions && rule.conditions.length > 0) {
+        const allMatch = rule.conditions.every(
+          (c) => evaluateCondition(c, request.context)
+        );
+        if (!allMatch) continue;
+      }
+      matchedRules.push(rule);
+    }
+    let verdict = this.defaultVerdict;
+    let riskLevel = "none";
+    let requiresApproval = false;
+    let reason = "No matching rules \u2014 default policy applied";
+    if (matchedRules.length > 0) {
+      const topRule = matchedRules[0];
+      verdict = topRule.effect;
+      riskLevel = topRule.risk_level;
+      requiresApproval = topRule.require_approval;
+      reason = `Matched rule: ${topRule.id} \u2014 ${topRule.description}`;
+    }
+    const riskScore = RISK_SCORES[riskLevel];
+    const allowed = verdict === "allow" || verdict === "escalate";
+    const result = {
+      decision_id: decisionId,
+      verdict,
+      allowed,
+      requires_approval: requiresApproval,
+      reason,
+      risk_score: riskScore,
+      matched_rules: matchedRules.map((r) => r.id),
+      risk_level: riskLevel,
+      channel: request.channel,
+      trace_id: traceId,
+      timestamp: Date.now()
+    };
+    if (this.auditLog && this.onAudit) {
+      const event = {
+        decision_id: decisionId,
+        channel: request.channel,
+        action: request.action,
+        resource: request.resource,
+        verdict,
+        risk_score: riskScore,
+        matched_rules: matchedRules.map((r) => r.id),
+        actor_id: request.actor_id,
+        trace_id: traceId,
+        timestamp: Date.now(),
+        context_snapshot: { ...request.context }
+      };
+      Promise.resolve(this.onAudit(event)).catch(() => {
+      });
+    }
+    return result;
+  }
+  /**
+   * Add a rule at runtime.
+   */
+  addRule(rule) {
+    this.rules.push(rule);
+    this.rules.sort((a, b) => b.priority - a.priority);
+  }
+  /**
+   * Remove a rule by ID.
+   */
+  removeRule(ruleId) {
+    const idx = this.rules.findIndex((r) => r.id === ruleId);
+    if (idx === -1) return false;
+    this.rules.splice(idx, 1);
+    return true;
+  }
+  /**
+   * Enable or disable a rule.
+   */
+  setRuleEnabled(ruleId, enabled) {
+    const rule = this.rules.find((r) => r.id === ruleId);
+    if (!rule) return false;
+    rule.enabled = enabled;
+    return true;
+  }
+  /**
+   * Get all rules (for inspection/export).
+   */
+  getRules() {
+    return this.rules;
+  }
+  /**
+   * Load rules from a YAML/JSON policy file content.
+   * Expects { rules: PolicyRule[] } format.
+   */
+  loadRules(rulesData) {
+    this.rules = [...rulesData.rules].sort((a, b) => b.priority - a.priority);
+  }
+};
+var index_default = PolicyEngine;
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  DEFAULT_RULES,
+  PolicyEngine
+});

package/dist/index.mjs

@@ -0,0 +1,362 @@
+// src/index.ts
+var DEFAULT_RULES = [
+  // --- HTTP Proxy: Dangerous outbound calls ---
+  {
+    id: "http-payment-apis",
+    description: "Intercept all payment API calls (Stripe, PayPal, etc.)",
+    channels: ["http"],
+    action_pattern: "*",
+    resource_pattern: "*",
+    conditions: [
+      { field: "host", operator: "matches", value: "(api\\.stripe\\.com|api\\.paypal\\.com|api\\.square\\.com)" },
+      { field: "method", operator: "in", value: ["POST", "PUT", "DELETE"] }
+    ],
+    effect: "escalate",
+    risk_level: "high",
+    require_approval: true,
+    priority: 100,
+    enabled: true
+  },
+  {
+    id: "http-cloud-destructive",
+    description: "Block destructive cloud API calls (DELETE on AWS, GCP, Azure)",
+    channels: ["http"],
+    action_pattern: "*",
+    resource_pattern: "*",
+    conditions: [
+      { field: "host", operator: "matches", value: "(.*\\.amazonaws\\.com|.*\\.googleapis\\.com|.*\\.azure\\.com)" },
+      { field: "method", operator: "eq", value: "DELETE" }
+    ],
+    effect: "escalate",
+    risk_level: "critical",
+    require_approval: true,
+    priority: 110,
+    enabled: true
+  },
+  {
+    id: "http-github-push",
+    description: "Intercept GitHub write operations",
+    channels: ["http"],
+    action_pattern: "*",
+    resource_pattern: "*",
+    conditions: [
+      { field: "host", operator: "eq", value: "api.github.com" },
+      { field: "method", operator: "in", value: ["POST", "PUT", "PATCH", "DELETE"] }
+    ],
+    effect: "escalate",
+    risk_level: "medium",
+    require_approval: false,
+    priority: 80,
+    enabled: true
+  },
+  // --- MCP Proxy: Dangerous tool calls ---
+  {
+    id: "mcp-file-write",
+    description: "Intercept file system write operations via MCP",
+    channels: ["mcp"],
+    action_pattern: "file_write",
+    resource_pattern: "*",
+    effect: "escalate",
+    risk_level: "medium",
+    require_approval: false,
+    priority: 70,
+    enabled: true
+  },
+  {
+    id: "mcp-shell-exec",
+    description: "Intercept shell command execution via MCP",
+    channels: ["mcp"],
+    action_pattern: "shell_exec",
+    resource_pattern: "*",
+    effect: "escalate",
+    risk_level: "high",
+    require_approval: true,
+    priority: 90,
+    enabled: true
+  },
+  {
+    id: "mcp-database-mutation",
+    description: "Intercept database mutations via MCP",
+    channels: ["mcp"],
+    action_pattern: "db_*",
+    resource_pattern: "*",
+    conditions: [
+      { field: "tool_name", operator: "matches", value: "(db_insert|db_update|db_delete|db_execute)" }
+    ],
+    effect: "escalate",
+    risk_level: "high",
+    require_approval: true,
+    priority: 85,
+    enabled: true
+  },
+  // --- SQL Proxy: Dangerous SQL operations ---
+  {
+    id: "sql-ddl-block",
+    description: "Block DDL operations (DROP, ALTER, TRUNCATE)",
+    channels: ["sql"],
+    action_pattern: "*",
+    resource_pattern: "*",
+    conditions: [
+      { field: "statement_type", operator: "in", value: ["DROP", "ALTER", "TRUNCATE"] }
+    ],
+    effect: "deny",
+    risk_level: "critical",
+    require_approval: true,
+    priority: 120,
+    enabled: true
+  },
+  {
+    id: "sql-delete-no-where",
+    description: "Block DELETE without WHERE clause",
+    channels: ["sql"],
+    action_pattern: "*",
+    resource_pattern: "*",
+    conditions: [
+      { field: "statement_type", operator: "eq", value: "DELETE" },
+      { field: "has_where_clause", operator: "eq", value: false }
+    ],
+    effect: "deny",
+    risk_level: "critical",
+    require_approval: true,
+    priority: 115,
+    enabled: true
+  },
+  // --- Exec Proxy: Dangerous shell commands ---
+  {
+    id: "exec-rm-rf",
+    description: "Block rm -rf and similar destructive commands",
+    channels: ["exec"],
+    action_pattern: "*",
+    resource_pattern: "*",
+    conditions: [
+      { field: "command", operator: "matches", value: "(rm|rmdir|del)" },
+      { field: "args", operator: "contains", value: "-rf" }
+    ],
+    effect: "deny",
+    risk_level: "critical",
+    require_approval: true,
+    priority: 130,
+    enabled: true
+  },
+  {
+    id: "exec-kubectl-delete",
+    description: "Intercept kubectl delete operations",
+    channels: ["exec"],
+    action_pattern: "*",
+    resource_pattern: "*",
+    conditions: [
+      { field: "command", operator: "eq", value: "kubectl" },
+      { field: "args", operator: "contains", value: "delete" }
+    ],
+    effect: "escalate",
+    risk_level: "critical",
+    require_approval: true,
+    priority: 125,
+    enabled: true
+  }
+];
+var decisionCounter = 0;
+function generateDecisionId() {
+  const ts = Date.now().toString(36);
+  const rand = Math.random().toString(36).substring(2, 8);
+  decisionCounter++;
+  return `dec_${ts}_${rand}_${decisionCounter}`;
+}
+function generateTraceId() {
+  const ts = Date.now().toString(36);
+  const rand = Math.random().toString(36).substring(2, 10);
+  return `trace_${ts}_${rand}`;
+}
+function globMatch(pattern, value) {
+  if (pattern === "*") return true;
+  const regex = new RegExp(
+    "^" + pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".") + "$"
+  );
+  return regex.test(value);
+}
+function evaluateCondition(condition, context) {
+  const fieldValue = getNestedValue(context, condition.field);
+  switch (condition.operator) {
+    case "eq":
+      return fieldValue === condition.value;
+    case "neq":
+      return fieldValue !== condition.value;
+    case "gt":
+      return typeof fieldValue === "number" && fieldValue > condition.value;
+    case "gte":
+      return typeof fieldValue === "number" && fieldValue >= condition.value;
+    case "lt":
+      return typeof fieldValue === "number" && fieldValue < condition.value;
+    case "lte":
+      return typeof fieldValue === "number" && fieldValue <= condition.value;
+    case "contains":
+      if (Array.isArray(fieldValue)) {
+        return fieldValue.includes(condition.value);
+      }
+      if (typeof fieldValue === "string") {
+        return fieldValue.includes(condition.value);
+      }
+      return false;
+    case "matches":
+      if (typeof fieldValue !== "string") return false;
+      try {
+        return new RegExp(condition.value).test(fieldValue);
+      } catch {
+        return false;
+      }
+    case "in":
+      if (!Array.isArray(condition.value)) return false;
+      return condition.value.includes(fieldValue);
+    case "not_in":
+      if (!Array.isArray(condition.value)) return true;
+      return !condition.value.includes(fieldValue);
+    case "exists":
+      return fieldValue !== void 0 && fieldValue !== null;
+    default:
+      return false;
+  }
+}
+function getNestedValue(obj, path) {
+  const parts = path.split(".");
+  let current = obj;
+  for (const part of parts) {
+    if (current === null || current === void 0) return void 0;
+    current = current[part];
+  }
+  return current;
+}
+var RISK_SCORES = {
+  none: 0,
+  low: 20,
+  medium: 45,
+  high: 70,
+  critical: 95
+};
+var PolicyEngine = class {
+  rules;
+  defaultVerdict;
+  auditLog;
+  onAudit;
+  constructor(config) {
+    this.rules = config.rules.map((r) => ({ ...r, conditions: r.conditions ? [...r.conditions] : void 0 })).sort((a, b) => b.priority - a.priority);
+    this.defaultVerdict = config.default_verdict ?? "allow";
+    this.auditLog = config.audit_log ?? false;
+    this.onAudit = config.on_audit;
+  }
+  /**
+   * Evaluate an action against the policy rules.
+   * Returns a decision with verdict, risk score, and matched rules.
+   */
+  evaluate(request) {
+    const traceId = request.trace_id || generateTraceId();
+    const decisionId = generateDecisionId();
+    const matchedRules = [];
+    for (const rule of this.rules) {
+      if (!rule.enabled) continue;
+      if (rule.channels.length > 0 && !rule.channels.includes(request.channel)) {
+        continue;
+      }
+      if (!globMatch(rule.action_pattern, request.action)) {
+        continue;
+      }
+      if (!globMatch(rule.resource_pattern, request.resource)) {
+        continue;
+      }
+      if (rule.conditions && rule.conditions.length > 0) {
+        const allMatch = rule.conditions.every(
+          (c) => evaluateCondition(c, request.context)
+        );
+        if (!allMatch) continue;
+      }
+      matchedRules.push(rule);
+    }
+    let verdict = this.defaultVerdict;
+    let riskLevel = "none";
+    let requiresApproval = false;
+    let reason = "No matching rules \u2014 default policy applied";
+    if (matchedRules.length > 0) {
+      const topRule = matchedRules[0];
+      verdict = topRule.effect;
+      riskLevel = topRule.risk_level;
+      requiresApproval = topRule.require_approval;
+      reason = `Matched rule: ${topRule.id} \u2014 ${topRule.description}`;
+    }
+    const riskScore = RISK_SCORES[riskLevel];
+    const allowed = verdict === "allow" || verdict === "escalate";
+    const result = {
+      decision_id: decisionId,
+      verdict,
+      allowed,
+      requires_approval: requiresApproval,
+      reason,
+      risk_score: riskScore,
+      matched_rules: matchedRules.map((r) => r.id),
+      risk_level: riskLevel,
+      channel: request.channel,
+      trace_id: traceId,
+      timestamp: Date.now()
+    };
+    if (this.auditLog && this.onAudit) {
+      const event = {
+        decision_id: decisionId,
+        channel: request.channel,
+        action: request.action,
+        resource: request.resource,
+        verdict,
+        risk_score: riskScore,
+        matched_rules: matchedRules.map((r) => r.id),
+        actor_id: request.actor_id,
+        trace_id: traceId,
+        timestamp: Date.now(),
+        context_snapshot: { ...request.context }
+      };
+      Promise.resolve(this.onAudit(event)).catch(() => {
+      });
+    }
+    return result;
+  }
+  /**
+   * Add a rule at runtime.
+   */
+  addRule(rule) {
+    this.rules.push(rule);
+    this.rules.sort((a, b) => b.priority - a.priority);
+  }
+  /**
+   * Remove a rule by ID.
+   */
+  removeRule(ruleId) {
+    const idx = this.rules.findIndex((r) => r.id === ruleId);
+    if (idx === -1) return false;
+    this.rules.splice(idx, 1);
+    return true;
+  }
+  /**
+   * Enable or disable a rule.
+   */
+  setRuleEnabled(ruleId, enabled) {
+    const rule = this.rules.find((r) => r.id === ruleId);
+    if (!rule) return false;
+    rule.enabled = enabled;
+    return true;
+  }
+  /**
+   * Get all rules (for inspection/export).
+   */
+  getRules() {
+    return this.rules;
+  }
+  /**
+   * Load rules from a YAML/JSON policy file content.
+   * Expects { rules: PolicyRule[] } format.
+   */
+  loadRules(rulesData) {
+    this.rules = [...rulesData.rules].sort((a, b) => b.priority - a.priority);
+  }
+};
+var index_default = PolicyEngine;
+export {
+  DEFAULT_RULES,
+  PolicyEngine,
+  index_default as default
+};

package/package.json

@@ -0,0 +1,44 @@
+{
+  "name": "@sovr/engine",
+  "version": "1.1.0",
+  "description": "Unified Policy Engine for SOVR — the single decision plane for all proxy channels",
+  "main": "dist/index.js",
+  "module": "dist/index.mjs",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.mjs",
+      "require": "./dist/index.js"
+    }
+  },
+  "files": [
+    "dist",
+    "README.md"
+  ],
+  "scripts": {
+    "build": "tsup src/index.ts --format cjs,esm --dts --clean",
+    "test": "vitest run --config vitest.config.ts",
+    "lint": "tsc --noEmit",
+    "prepublishOnly": "pnpm build"
+  },
+  "keywords": [
+    "sovr",
+    "policy-engine",
+    "ai-firewall",
+    "proxy",
+    "rules-engine"
+  ],
+  "author": "SOVR Inc. <sdk@sovr.inc>",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/xie38388/sovr"
+  },
+  "devDependencies": {
+    "@types/node": "^20.0.0",
+    "tsup": "^8.0.0",
+    "typescript": "^5.0.0",
+    "vitest": "^1.0.0"
+  }
+}