@sovr/engine 1.1.1 → 2.0.0

package/LICENSE

@@ -0,0 +1,81 @@
+Business Source License 1.1
+
+License text copyright (c) 2017 MariaDB Corporation Ab, All Rights Reserved.
+"Business Source License" is a trademark of MariaDB Corporation Ab.
+
+Parameters
+
+Licensor:             SOVR AI
+Licensed Work:        @sovr/engine v1.2.0
+                      The Licensed Work is (c) 2025-2026 SOVR AI.
+Additional Use Grant: You may use the Licensed Work for non-production
+                      evaluation, development, and testing purposes.
+Change Date:          Four years from the date of each version's release.
+Change License:       Apache License, Version 2.0
+
+Terms
+
+The Licensor hereby grants you the right to copy, modify, create derivative
+works, redistribute, and make non-production use of the Licensed Work. The
+Licensor may make an Additional Use Grant, above, permitting limited
+production use.
+
+Effective on the Change Date, or the fourth anniversary of the first publicly
+available distribution of a specific version of the Licensed Work under this
+License, whichever comes first, the Licensor hereby grants you rights under
+the terms of the Change License, and the rights granted in the paragraph
+above terminate.
+
+If your use of the Licensed Work does not comply with the requirements
+currently in effect as described in this License, you must purchase a
+commercial license from the Licensor, its affiliated entities, or authorized
+resellers, or you must refrain from using the Licensed Work.
+
+All copies of the original and modified Licensed Work, and derivative works
+of the Licensed Work, are subject to this License. This License applies
+separately for each version of the Licensed Work and the Change Date may vary
+for each version of the Licensed Work released by Licensor.
+
+You must conspicuously display this License on each original or modified copy
+of the Licensed Work. If you receive the Licensed Work in original or
+modified form from a third party, the terms and conditions set forth in this
+License apply to your use of that work.
+
+Any use of the Licensed Work in violation of this License will automatically
+terminate your rights under this License for the current and all other
+versions of the Licensed Work.
+
+This License does not grant you any right in any trademark or logo of
+Licensor or its affiliates (provided that you may use a trademark or logo of
+Licensor as expressly required by this License).
+
+TO THE EXTENT PERMITTED BY APPLICABLE LAW, THE LICENSED WORK IS PROVIDED ON
+AN "AS IS" BASIS. LICENSOR HEREBY DISCLAIMS ALL WARRANTIES AND CONDITIONS,
+EXPRESS OR IMPLIED, INCLUDING (WITHOUT LIMITATION) WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND
+TITLE.
+
+MariaDB hereby grants you permission to use this License's text to license
+your works, and to refer to it using the trademark "Business Source License",
+as long as you comply with the Covenants of Licensor below.
+
+Covenants of Licensor
+
+In consideration of the right to use this License's text and the "Business
+Source License" name and trademark, Licensor covenants to MariaDB, and to all
+other recipients of the licensed work to be provided by Licensor:
+
+1. To specify as the Change License the GPL Version 2.0 or any later version,
+   or a license that is compatible with GPL Version 2.0 or a later version,
+   where "compatible" means that software provided under the Change License can
+   be included in a program with software provided under GPL Version 2.0 or a
+   later version. Licensor may specify additional Change Licenses without
+   limitation.
+
+2. To either: (a) specify an additional grant of rights to use that does not
+   impose any additional restriction on the right granted in this License, as
+   the Additional Use Grant; or (b) insert the text "None".
+
+3. To specify a Change Date.
+
+4. Not to modify this License in any other way.

package/README.md

@@ -0,0 +1,105 @@
+# @sovr/engine
+
+**Unified Policy Engine for SOVR** — the single decision plane for all proxy channels.
+
+[![npm](https://img.shields.io/npm/v/@sovr/engine)](https://www.npmjs.com/package/@sovr/engine)
+[![License](https://img.shields.io/badge/license-BSL--1.1-blue)](LICENSE)
+
+## Overview
+
+`@sovr/engine` is the core policy evaluation engine that powers all SOVR proxy channels. It provides a unified interface for evaluating actions against policy rules, regardless of the channel (exec, sql, http, mcp).
+
+This package is used internally by:
+
+- [`sovr-mcp-proxy`](https://www.npmjs.com/package/sovr-mcp-proxy) — MCP transport proxy
+- [`@sovr/proxy-exec`](https://www.npmjs.com/package/@sovr/proxy-exec) — Shell command proxy
+- [`@sovr/proxy-sql`](https://www.npmjs.com/package/@sovr/proxy-sql) — SQL statement proxy
+- [`@sovr/proxy-http`](https://www.npmjs.com/package/@sovr/proxy-http) — HTTP request proxy
+
+## Installation
+
+```bash
+npm install @sovr/engine
+```
+
+## Usage
+
+```typescript
+import { PolicyEngine, evaluate } from '@sovr/engine';
+
+const engine = new PolicyEngine({
+  rules: [/* your policy rules */],
+  failMode: 'fail-close',
+});
+
+const result = engine.evaluate({
+  channel: 'exec',
+  action: 'rm -rf /tmp/data',
+  context: { user: 'agent-1' },
+});
+
+// result.verdict: 'allow' | 'deny' | 'escalate'
+// result.rule: the matching rule (if any)
+// result.reason: human-readable explanation
+```
+
+## API
+
+### `PolicyEngine`
+
+The main class for policy evaluation.
+
+| Method | Description |
+|--------|-------------|
+| `evaluate(request)` | Evaluate an action against all loaded rules |
+| `addRule(rule)` | Add a rule at runtime |
+| `removeRule(id)` | Remove a rule by ID |
+| `listRules()` | List all active rules |
+| `getStats()` | Get evaluation statistics |
+
+### `evaluate(request)`
+
+Standalone function for one-shot evaluation without engine instantiation.
+
+### Rule Format
+
+```typescript
+interface PolicyRule {
+  id: string;
+  description: string;
+  channels: ('exec' | 'sql' | 'http' | 'mcp')[];
+  action_pattern: string;      // regex pattern
+  resource_pattern?: string;   // optional resource filter
+  effect: 'allow' | 'deny' | 'escalate';
+  risk_level: 'low' | 'medium' | 'high' | 'critical';
+  priority: number;            // higher = evaluated first
+}
+```
+
+### Verdict Format
+
+```typescript
+interface Verdict {
+  verdict: 'allow' | 'deny' | 'escalate';
+  rule: PolicyRule | null;
+  reason: string;
+  timestamp: number;
+  channel: string;
+}
+```
+
+## Built-in Rules
+
+The engine ships with 15 built-in rules covering common risk patterns across all four channels. See the [sovr-mcp-proxy documentation](https://www.npmjs.com/package/sovr-mcp-proxy) for the complete list.
+
+## License
+
+BSL-1.1 (Business Source License 1.1) — See [LICENSE](LICENSE) for details.
+
+The Licensed Work is the @sovr/engine software. The Change Date is four years from each version's release. After the Change Date, each version converts to Apache-2.0.
+
+## Links
+
+- **Website**: [sovr.inc](https://sovr.inc)
+- **GitHub**: [xie38388/sovr](https://github.com/xie38388/sovr)
+- **npm**: [@sovr/engine](https://www.npmjs.com/package/@sovr/engine)

package/dist/index.d.mts

@@ -179,12 +179,34 @@ declare const DEFAULT_RULES: PolicyRule[];
  * }
  * ```
  */
+type EngineTier = 'free' | 'personal' | 'starter' | 'pro' | 'enterprise';
+interface EngineTierLimits {
+    evaluationsPerMonth: number;
+    irreversibleAllowsPerMonth: number;
+}
 declare class PolicyEngine {
     private rules;
     private defaultVerdict;
     private auditLog;
     private onAudit?;
-    constructor(config: EngineConfig);
+    private _tier;
+    private _usage;
+    constructor(config: EngineConfig & {
+        tier?: EngineTier;
+    });
+    /** Set the current tier (e.g., after API key verification) */
+    setTier(tier: EngineTier): void;
+    /** Get current tier */
+    get tier(): EngineTier;
+    /** Get tier limits */
+    get tierLimits(): EngineTierLimits;
+    /** Get current usage */
+    get usage(): {
+        evaluations: number;
+        irreversibleAllows: number;
+        monthKey: string;
+    };
+    private _resetMonthIfNeeded;
     /**
      * Evaluate an action against the policy rules.
      * Returns a decision with verdict, risk score, and matched rules.
@@ -215,4 +237,4 @@ declare class PolicyEngine {
     }): void;
 }
 
-export { type AuditEvent, type Channel, DEFAULT_RULES, type EngineConfig, type EvalRequest, type EvalResult, type ExecContext, type HttpContext, type McpContext, PolicyEngine, type PolicyRule, type RiskLevel, type RuleCondition, type SqlContext, type Verdict, PolicyEngine as default };
+export { type AuditEvent, type Channel, DEFAULT_RULES, type EngineConfig, type EngineTier, type EngineTierLimits, type EvalRequest, type EvalResult, type ExecContext, type HttpContext, type McpContext, PolicyEngine, type PolicyRule, type RiskLevel, type RuleCondition, type SqlContext, type Verdict, PolicyEngine as default };

package/dist/index.d.ts

@@ -179,12 +179,34 @@ declare const DEFAULT_RULES: PolicyRule[];
  * }
  * ```
  */
+type EngineTier = 'free' | 'personal' | 'starter' | 'pro' | 'enterprise';
+interface EngineTierLimits {
+    evaluationsPerMonth: number;
+    irreversibleAllowsPerMonth: number;
+}
 declare class PolicyEngine {
     private rules;
     private defaultVerdict;
     private auditLog;
     private onAudit?;
-    constructor(config: EngineConfig);
+    private _tier;
+    private _usage;
+    constructor(config: EngineConfig & {
+        tier?: EngineTier;
+    });
+    /** Set the current tier (e.g., after API key verification) */
+    setTier(tier: EngineTier): void;
+    /** Get current tier */
+    get tier(): EngineTier;
+    /** Get tier limits */
+    get tierLimits(): EngineTierLimits;
+    /** Get current usage */
+    get usage(): {
+        evaluations: number;
+        irreversibleAllows: number;
+        monthKey: string;
+    };
+    private _resetMonthIfNeeded;
     /**
      * Evaluate an action against the policy rules.
      * Returns a decision with verdict, risk score, and matched rules.
@@ -215,4 +237,4 @@ declare class PolicyEngine {
     }): void;
 }
 
-export { type AuditEvent, type Channel, DEFAULT_RULES, type EngineConfig, type EvalRequest, type EvalResult, type ExecContext, type HttpContext, type McpContext, PolicyEngine, type PolicyRule, type RiskLevel, type RuleCondition, type SqlContext, type Verdict, PolicyEngine as default };
+export { type AuditEvent, type Channel, DEFAULT_RULES, type EngineConfig, type EngineTier, type EngineTierLimits, type EvalRequest, type EvalResult, type ExecContext, type HttpContext, type McpContext, PolicyEngine, type PolicyRule, type RiskLevel, type RuleCondition, type SqlContext, type Verdict, PolicyEngine as default };

package/dist/index.js

@@ -258,22 +258,75 @@ var RISK_SCORES = {
   high: 70,
   critical: 95
 };
+var ENGINE_TIER_LIMITS = {
+  free: { evaluationsPerMonth: 50, irreversibleAllowsPerMonth: 0 },
+  personal: { evaluationsPerMonth: 5e3, irreversibleAllowsPerMonth: 500 },
+  starter: { evaluationsPerMonth: 5e4, irreversibleAllowsPerMonth: 5e3 },
+  pro: { evaluationsPerMonth: 5e5, irreversibleAllowsPerMonth: 5e4 },
+  enterprise: { evaluationsPerMonth: -1, irreversibleAllowsPerMonth: -1 }
+};
 var PolicyEngine = class {
   rules;
   defaultVerdict;
   auditLog;
   onAudit;
+  _tier = "free";
+  _usage = { evaluations: 0, irreversibleAllows: 0, monthKey: "" };
   constructor(config) {
     this.rules = config.rules.map((r) => ({ ...r, conditions: r.conditions ? [...r.conditions] : void 0 })).sort((a, b) => b.priority - a.priority);
     this.defaultVerdict = config.default_verdict ?? "allow";
     this.auditLog = config.audit_log ?? false;
     this.onAudit = config.on_audit;
+    this._tier = config.tier ?? "free";
+    const now = /* @__PURE__ */ new Date();
+    this._usage.monthKey = `${now.getFullYear()}-${String(now.getMonth() + 1).padStart(2, "0")}`;
+  }
+  /** Set the current tier (e.g., after API key verification) */
+  setTier(tier) {
+    this._tier = tier;
+  }
+  /** Get current tier */
+  get tier() {
+    return this._tier;
+  }
+  /** Get tier limits */
+  get tierLimits() {
+    return ENGINE_TIER_LIMITS[this._tier];
+  }
+  /** Get current usage */
+  get usage() {
+    return { ...this._usage };
+  }
+  _resetMonthIfNeeded() {
+    const now = /* @__PURE__ */ new Date();
+    const mk = `${now.getFullYear()}-${String(now.getMonth() + 1).padStart(2, "0")}`;
+    if (this._usage.monthKey !== mk) {
+      this._usage = { evaluations: 0, irreversibleAllows: 0, monthKey: mk };
+    }
   }
   /**
    * Evaluate an action against the policy rules.
    * Returns a decision with verdict, risk score, and matched rules.
    */
   evaluate(request) {
+    this._resetMonthIfNeeded();
+    this._usage.evaluations++;
+    const evalLimit = ENGINE_TIER_LIMITS[this._tier].evaluationsPerMonth;
+    if (evalLimit >= 0 && this._usage.evaluations > evalLimit) {
+      return {
+        decision_id: generateDecisionId(),
+        verdict: "deny",
+        allowed: false,
+        requires_approval: false,
+        reason: `Evaluation quota exceeded (${evalLimit}/month for ${this._tier} tier). Upgrade at https://sovr.inc/pricing`,
+        risk_score: 0,
+        matched_rules: [],
+        risk_level: "none",
+        channel: request.channel,
+        trace_id: request.trace_id || generateTraceId(),
+        timestamp: Date.now()
+      };
+    }
     const traceId = request.trace_id || generateTraceId();
     const decisionId = generateDecisionId();
     const matchedRules = [];
@@ -339,6 +392,14 @@ var PolicyEngine = class {
       Promise.resolve(this.onAudit(event)).catch(() => {
       });
     }
+    if (this._tier === "free") {
+      return {
+        ...result,
+        risk_score: 0,
+        matched_rules: [],
+        reason: "[UPGRADE to Personal+ for detailed evaluation results] https://sovr.inc/pricing"
+      };
+    }
     return result;
   }
   /**

package/dist/index.mjs

@@ -232,22 +232,75 @@ var RISK_SCORES = {
   high: 70,
   critical: 95
 };
+var ENGINE_TIER_LIMITS = {
+  free: { evaluationsPerMonth: 50, irreversibleAllowsPerMonth: 0 },
+  personal: { evaluationsPerMonth: 5e3, irreversibleAllowsPerMonth: 500 },
+  starter: { evaluationsPerMonth: 5e4, irreversibleAllowsPerMonth: 5e3 },
+  pro: { evaluationsPerMonth: 5e5, irreversibleAllowsPerMonth: 5e4 },
+  enterprise: { evaluationsPerMonth: -1, irreversibleAllowsPerMonth: -1 }
+};
 var PolicyEngine = class {
   rules;
   defaultVerdict;
   auditLog;
   onAudit;
+  _tier = "free";
+  _usage = { evaluations: 0, irreversibleAllows: 0, monthKey: "" };
   constructor(config) {
     this.rules = config.rules.map((r) => ({ ...r, conditions: r.conditions ? [...r.conditions] : void 0 })).sort((a, b) => b.priority - a.priority);
     this.defaultVerdict = config.default_verdict ?? "allow";
     this.auditLog = config.audit_log ?? false;
     this.onAudit = config.on_audit;
+    this._tier = config.tier ?? "free";
+    const now = /* @__PURE__ */ new Date();
+    this._usage.monthKey = `${now.getFullYear()}-${String(now.getMonth() + 1).padStart(2, "0")}`;
+  }
+  /** Set the current tier (e.g., after API key verification) */
+  setTier(tier) {
+    this._tier = tier;
+  }
+  /** Get current tier */
+  get tier() {
+    return this._tier;
+  }
+  /** Get tier limits */
+  get tierLimits() {
+    return ENGINE_TIER_LIMITS[this._tier];
+  }
+  /** Get current usage */
+  get usage() {
+    return { ...this._usage };
+  }
+  _resetMonthIfNeeded() {
+    const now = /* @__PURE__ */ new Date();
+    const mk = `${now.getFullYear()}-${String(now.getMonth() + 1).padStart(2, "0")}`;
+    if (this._usage.monthKey !== mk) {
+      this._usage = { evaluations: 0, irreversibleAllows: 0, monthKey: mk };
+    }
   }
   /**
    * Evaluate an action against the policy rules.
    * Returns a decision with verdict, risk score, and matched rules.
    */
   evaluate(request) {
+    this._resetMonthIfNeeded();
+    this._usage.evaluations++;
+    const evalLimit = ENGINE_TIER_LIMITS[this._tier].evaluationsPerMonth;
+    if (evalLimit >= 0 && this._usage.evaluations > evalLimit) {
+      return {
+        decision_id: generateDecisionId(),
+        verdict: "deny",
+        allowed: false,
+        requires_approval: false,
+        reason: `Evaluation quota exceeded (${evalLimit}/month for ${this._tier} tier). Upgrade at https://sovr.inc/pricing`,
+        risk_score: 0,
+        matched_rules: [],
+        risk_level: "none",
+        channel: request.channel,
+        trace_id: request.trace_id || generateTraceId(),
+        timestamp: Date.now()
+      };
+    }
     const traceId = request.trace_id || generateTraceId();
     const decisionId = generateDecisionId();
     const matchedRules = [];
@@ -313,6 +366,14 @@ var PolicyEngine = class {
       Promise.resolve(this.onAudit(event)).catch(() => {
       });
     }
+    if (this._tier === "free") {
+      return {
+        ...result,
+        risk_score: 0,
+        matched_rules: [],
+        reason: "[UPGRADE to Personal+ for detailed evaluation results] https://sovr.inc/pricing"
+      };
+    }
     return result;
   }
   /**

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sovr/engine",
-  "version": "1.1.1",
+  "version": "2.0.0",
   "description": "Unified Policy Engine for SOVR — the single decision plane for all proxy channels",
   "main": "dist/index.js",
   "module": "dist/index.mjs",
@@ -14,7 +14,8 @@
   },
   "files": [
     "dist",
-    "README.md"
+    "README.md",
+    "LICENSE"
   ],
   "scripts": {
     "build": "tsup src/index.ts --format cjs,esm --dts --clean",
@@ -25,11 +26,11 @@
   "keywords": [
     "sovr",
     "policy-engine",
-    "ai-firewall",
+    "ai-responsibility",
     "proxy",
     "rules-engine"
   ],
-  "author": "SOVR Inc. <sdk@sovr.inc>",
+  "author": "SOVR AI <contact@sovrapp.com>",
   "license": "BSL-1.1",
   "repository": {
     "type": "git",