@surfinguard/core-engine 0.1.0 → 1.0.0

package/dist/patterns.js

@@ -1,66 +1,83 @@
-import { readFileSync } from 'node:fs';
-import { resolve, dirname } from 'node:path';
-import { fileURLToPath } from 'node:url';
-const __dirname = dirname(fileURLToPath(import.meta.url));
-// In dist/, patterns is at ../../patterns relative to the compiled JS
-// In src/, patterns is at ../patterns
-function findPatternsDir() {
-    // Try from dist/ first (compiled)
-    const fromDist = resolve(__dirname, '..', 'patterns');
-    return fromDist;
-}
-let cachedUrlPatterns = null;
-let cachedBrandPatterns = null;
-let cachedCommandPatterns = null;
-let cachedTextPatterns = null;
-let cachedFileReadPatterns = null;
-let cachedFileWritePatterns = null;
+// Static JSON imports — bundled at build time by esbuild (Cloudflare Workers)
+// and resolved at runtime in Node.js (tests, JS SDK local mode).
+import urlsJson from '../patterns/urls.json' with { type: 'json' };
+import brandsJson from '../patterns/brands.json' with { type: 'json' };
+import commandsJson from '../patterns/commands.json' with { type: 'json' };
+import textJson from '../patterns/text.json' with { type: 'json' };
+import fileReadJson from '../patterns/file-read.json' with { type: 'json' };
+import fileWriteJson from '../patterns/file-write.json' with { type: 'json' };
+import apiCallJson from '../patterns/api-call.json' with { type: 'json' };
+import queryJson from '../patterns/query.json' with { type: 'json' };
+import codeJson from '../patterns/code.json' with { type: 'json' };
+import chainsJson from '../patterns/chains.json' with { type: 'json' };
+import messageJson from '../patterns/message.json' with { type: 'json' };
+import transactionJson from '../patterns/transaction.json' with { type: 'json' };
+import authJson from '../patterns/auth.json' with { type: 'json' };
+import gitJson from '../patterns/git.json' with { type: 'json' };
+import uiActionJson from '../patterns/ui-action.json' with { type: 'json' };
+import infraJson from '../patterns/infra.json' with { type: 'json' };
+import agentCommJson from '../patterns/agent-comm.json' with { type: 'json' };
+import dataPipelineJson from '../patterns/data-pipeline.json' with { type: 'json' };
+import documentJson from '../patterns/document.json' with { type: 'json' };
+import iotJson from '../patterns/iot.json' with { type: 'json' };
 export function loadUrlPatterns() {
-    if (cachedUrlPatterns)
-        return cachedUrlPatterns;
-    const patternsDir = findPatternsDir();
-    const raw = readFileSync(resolve(patternsDir, 'urls.json'), 'utf-8');
-    cachedUrlPatterns = JSON.parse(raw);
-    return cachedUrlPatterns;
+    return urlsJson;
 }
 export function loadBrandPatterns() {
-    if (cachedBrandPatterns)
-        return cachedBrandPatterns;
-    const patternsDir = findPatternsDir();
-    const raw = readFileSync(resolve(patternsDir, 'brands.json'), 'utf-8');
-    cachedBrandPatterns = JSON.parse(raw);
-    return cachedBrandPatterns;
+    return brandsJson;
 }
 export function loadCommandPatterns() {
-    if (cachedCommandPatterns)
-        return cachedCommandPatterns;
-    const patternsDir = findPatternsDir();
-    const raw = readFileSync(resolve(patternsDir, 'commands.json'), 'utf-8');
-    cachedCommandPatterns = JSON.parse(raw);
-    return cachedCommandPatterns;
+    return commandsJson;
 }
 export function loadTextPatterns() {
-    if (cachedTextPatterns)
-        return cachedTextPatterns;
-    const patternsDir = findPatternsDir();
-    const raw = readFileSync(resolve(patternsDir, 'text.json'), 'utf-8');
-    cachedTextPatterns = JSON.parse(raw);
-    return cachedTextPatterns;
+    return textJson;
 }
 export function loadFileReadPatterns() {
-    if (cachedFileReadPatterns)
-        return cachedFileReadPatterns;
-    const patternsDir = findPatternsDir();
-    const raw = readFileSync(resolve(patternsDir, 'file-read.json'), 'utf-8');
-    cachedFileReadPatterns = JSON.parse(raw);
-    return cachedFileReadPatterns;
+    return fileReadJson;
 }
 export function loadFileWritePatterns() {
-    if (cachedFileWritePatterns)
-        return cachedFileWritePatterns;
-    const patternsDir = findPatternsDir();
-    const raw = readFileSync(resolve(patternsDir, 'file-write.json'), 'utf-8');
-    cachedFileWritePatterns = JSON.parse(raw);
-    return cachedFileWritePatterns;
+    return fileWriteJson;
+}
+export function loadApiCallPatterns() {
+    return apiCallJson;
+}
+export function loadQueryPatterns() {
+    return queryJson;
+}
+export function loadCodePatterns() {
+    return codeJson;
+}
+export function loadChainPatterns() {
+    return chainsJson;
+}
+export function loadMessagePatterns() {
+    return messageJson;
+}
+export function loadTransactionPatterns() {
+    return transactionJson;
+}
+export function loadAuthPatterns() {
+    return authJson;
+}
+export function loadGitPatterns() {
+    return gitJson;
+}
+export function loadUiActionPatterns() {
+    return uiActionJson;
+}
+export function loadInfraPatterns() {
+    return infraJson;
+}
+export function loadAgentCommPatterns() {
+    return agentCommJson;
+}
+export function loadDataPipelinePatterns() {
+    return dataPipelineJson;
+}
+export function loadDocumentPatterns() {
+    return documentJson;
+}
+export function loadIotPatterns() {
+    return iotJson;
 }
 //# sourceMappingURL=patterns.js.map

package/dist/patterns.js.map

@@ -1 +1 @@
-{"version":3,"file":"patterns.js","sourceRoot":"","sources":["../src/patterns.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAC7C,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAGzC,MAAM,SAAS,GAAG,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;AAE1D,sEAAsE;AACtE,sCAAsC;AACtC,SAAS,eAAe;IACtB,kCAAkC;IAClC,MAAM,QAAQ,GAAG,OAAO,CAAC,SAAS,EAAE,IAAI,EAAE,UAAU,CAAC,CAAC;IACtD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,IAAI,iBAAiB,GAA8B,IAAI,CAAC;AACxD,IAAI,mBAAmB,GAAgC,IAAI,CAAC;AAC5D,IAAI,qBAAqB,GAAkC,IAAI,CAAC;AAChE,IAAI,kBAAkB,GAA+B,IAAI,CAAC;AAC1D,IAAI,sBAAsB,GAAmC,IAAI,CAAC;AAClE,IAAI,uBAAuB,GAAoC,IAAI,CAAC;AAEpE,MAAM,UAAU,eAAe;IAC7B,IAAI,iBAAiB;QAAE,OAAO,iBAAiB,CAAC;IAChD,MAAM,WAAW,GAAG,eAAe,EAAE,CAAC;IACtC,MAAM,GAAG,GAAG,YAAY,CAAC,OAAO,CAAC,WAAW,EAAE,WAAW,CAAC,EAAE,OAAO,CAAC,CAAC;IACrE,iBAAiB,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAuB,CAAC;IAC1D,OAAO,iBAAiB,CAAC;AAC3B,CAAC;AAED,MAAM,UAAU,iBAAiB;IAC/B,IAAI,mBAAmB;QAAE,OAAO,mBAAmB,CAAC;IACpD,MAAM,WAAW,GAAG,eAAe,EAAE,CAAC;IACtC,MAAM,GAAG,GAAG,YAAY,CAAC,OAAO,CAAC,WAAW,EAAE,aAAa,CAAC,EAAE,OAAO,CAAC,CAAC;IACvE,mBAAmB,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAyB,CAAC;IAC9D,OAAO,mBAAmB,CAAC;AAC7B,CAAC;AAED,MAAM,UAAU,mBAAmB;IACjC,IAAI,qBAAqB;QAAE,OAAO,qBAAqB,CAAC;IACxD,MAAM,WAAW,GAAG,eAAe,EAAE,CAAC;IACtC,MAAM,GAAG,GAAG,YAAY,CAAC,OAAO,CAAC,WAAW,EAAE,eAAe,CAAC,EAAE,OAAO,CAAC,CAAC;IACzE,qBAAqB,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAA2B,CAAC;IAClE,OAAO,qBAAqB,CAAC;AAC/B,CAAC;AAED,MAAM,UAAU,gBAAgB;IAC9B,IAAI,kBAAkB;QAAE,OAAO,kBAAkB,CAAC;IAClD,MAAM,WAAW,GAAG,eAAe,EAAE,CAAC;IACtC,MAAM,GAAG,GAAG,YAAY,CAAC,OAAO,CAAC,WAAW,EAAE,WAAW,CAAC,EAAE,OAAO,CAAC,CAAC;IACrE,kBAAkB,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAwB,CAAC;IAC5D,OAAO,kBAAkB,CAAC;AAC5B,CAAC;AAED,MAAM,UAAU,oBAAoB;IAClC,IAAI,sBAAsB;QAAE,OAAO,sBAAsB,CAAC;IAC1D,MAAM,WAAW,GAAG,eAAe,EAAE,CAAC;IACtC,MAAM,GAAG,GAAG,YAAY,CAAC,OAAO,CAAC,WAAW,EAAE,gBAAgB,CAAC,EAAE,OAAO,CAAC,CAAC;IAC1E,sBAAsB,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAA4B,CAAC;IACpE,OAAO,sBAAsB,CAAC;AAChC,CAAC;AAED,MAAM,UAAU,qBAAqB;IACnC,IAAI,uBAAuB;QAAE,OAAO,uBAAuB,CAAC;IAC5D,MAAM,WAAW,GAAG,eAAe,EAAE,CAAC;IACtC,MAAM,GAAG,GAAG,YAAY,CAAC,OAAO,CAAC,WAAW,EAAE,iBAAiB,CAAC,EAAE,OAAO,CAAC,CAAC;IAC3E,uBAAuB,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAA6B,CAAC;IACtE,OAAO,uBAAuB,CAAC;AACjC,CAAC"}
+{"version":3,"file":"patterns.js","sourceRoot":"","sources":["../src/patterns.ts"],"names":[],"mappings":"AAuBA,8EAA8E;AAC9E,iEAAiE;AACjE,OAAO,QAAQ,MAAM,uBAAuB,CAAC,OAAO,IAAI,EAAE,MAAM,EAAE,CAAC;AACnE,OAAO,UAAU,MAAM,yBAAyB,CAAC,OAAO,IAAI,EAAE,MAAM,EAAE,CAAC;AACvE,OAAO,YAAY,MAAM,2BAA2B,CAAC,OAAO,IAAI,EAAE,MAAM,EAAE,CAAC;AAC3E,OAAO,QAAQ,MAAM,uBAAuB,CAAC,OAAO,IAAI,EAAE,MAAM,EAAE,CAAC;AACnE,OAAO,YAAY,MAAM,4BAA4B,CAAC,OAAO,IAAI,EAAE,MAAM,EAAE,CAAC;AAC5E,OAAO,aAAa,MAAM,6BAA6B,CAAC,OAAO,IAAI,EAAE,MAAM,EAAE,CAAC;AAC9E,OAAO,WAAW,MAAM,2BAA2B,CAAC,OAAO,IAAI,EAAE,MAAM,EAAE,CAAC;AAC1E,OAAO,SAAS,MAAM,wBAAwB,CAAC,OAAO,IAAI,EAAE,MAAM,EAAE,CAAC;AACrE,OAAO,QAAQ,MAAM,uBAAuB,CAAC,OAAO,IAAI,EAAE,MAAM,EAAE,CAAC;AACnE,OAAO,UAAU,MAAM,yBAAyB,CAAC,OAAO,IAAI,EAAE,MAAM,EAAE,CAAC;AACvE,OAAO,WAAW,MAAM,0BAA0B,CAAC,OAAO,IAAI,EAAE,MAAM,EAAE,CAAC;AACzE,OAAO,eAAe,MAAM,8BAA8B,CAAC,OAAO,IAAI,EAAE,MAAM,EAAE,CAAC;AACjF,OAAO,QAAQ,MAAM,uBAAuB,CAAC,OAAO,IAAI,EAAE,MAAM,EAAE,CAAC;AACnE,OAAO,OAAO,MAAM,sBAAsB,CAAC,OAAO,IAAI,EAAE,MAAM,EAAE,CAAC;AACjE,OAAO,YAAY,MAAM,4BAA4B,CAAC,OAAO,IAAI,EAAE,MAAM,EAAE,CAAC;AAC5E,OAAO,SAAS,MAAM,wBAAwB,CAAC,OAAO,IAAI,EAAE,MAAM,EAAE,CAAC;AACrE,OAAO,aAAa,MAAM,6BAA6B,CAAC,OAAO,IAAI,EAAE,MAAM,EAAE,CAAC;AAC9E,OAAO,gBAAgB,MAAM,gCAAgC,CAAC,OAAO,IAAI,EAAE,MAAM,EAAE,CAAC;AACpF,OAAO,YAAY,MAAM,2BAA2B,CAAC,OAAO,IAAI,EAAE,MAAM,EAAE,CAAC;AAC3E,OAAO,OAAO,MAAM,sBAAsB,CAAC,OAAO,IAAI,EAAE,MAAM,EAAE,CAAC;AAEjE,MAAM,UAAU,eAAe;IAC7B,OAAO,QAAyC,CAAC;AACnD,CAAC;AAED,MAAM,UAAU,iBAAiB;IAC/B,OAAO,UAA6C,CAAC;AACvD,CAAC;AAED,MAAM,UAAU,mBAAmB;IACjC,OAAO,YAAiD,CAAC;AAC3D,CAAC;AAED,MAAM,UAAU,gBAAgB;IAC9B,OAAO,QAA0C,CAAC;AACpD,CAAC;AAED,MAAM,UAAU,oBAAoB;IAClC,OAAO,YAAkD,CAAC;AAC5D,CAAC;AAED,MAAM,UAAU,qBAAqB;IACnC,OAAO,aAAoD,CAAC;AAC9D,CAAC;AAED,MAAM,UAAU,mBAAmB;IACjC,OAAO,WAAgD,CAAC;AAC1D,CAAC;AAED,MAAM,UAAU,iBAAiB;IAC/B,OAAO,SAA4C,CAAC;AACtD,CAAC;AAED,MAAM,UAAU,gBAAgB;IAC9B,OAAO,QAA0C,CAAC;AACpD,CAAC;AAED,MAAM,UAAU,iBAAiB;IAC/B,OAAO,UAA6C,CAAC;AACvD,CAAC;AAED,MAAM,UAAU,mBAAmB;IACjC,OAAO,WAAgD,CAAC;AAC1D,CAAC;AAED,MAAM,UAAU,uBAAuB;IACrC,OAAO,eAAwD,CAAC;AAClE,CAAC;AAED,MAAM,UAAU,gBAAgB;IAC9B,OAAO,QAA0C,CAAC;AACpD,CAAC;AAED,MAAM,UAAU,eAAe;IAC7B,OAAO,OAAwC,CAAC;AAClD,CAAC;AAED,MAAM,UAAU,oBAAoB;IAClC,OAAO,YAAkD,CAAC;AAC5D,CAAC;AAED,MAAM,UAAU,iBAAiB;IAC/B,OAAO,SAA4C,CAAC;AACtD,CAAC;AAED,MAAM,UAAU,qBAAqB;IACnC,OAAO,aAAoD,CAAC;AAC9D,CAAC;AAED,MAAM,UAAU,wBAAwB;IACtC,OAAO,gBAA0D,CAAC;AACpE,CAAC;AAED,MAAM,UAAU,oBAAoB;IAClC,OAAO,YAAkD,CAAC;AAC5D,CAAC;AAED,MAAM,UAAU,eAAe;IAC7B,OAAO,OAAwC,CAAC;AAClD,CAAC"}

package/dist/policy-engine.d.ts

@@ -0,0 +1,44 @@
+import type { ActionInput, CheckResult, Policy, PolicyTemplate, AllowlistEntry, BlocklistEntry } from '@surfinguard/types';
+/**
+ * Result of policy evaluation.
+ */
+export interface PolicyDecision {
+    allowed: boolean;
+    reason: string;
+    policyName: string;
+    matchedRule?: string;
+    matchedAllowlist?: AllowlistEntry;
+    matchedBlocklist?: BlocklistEntry;
+}
+/**
+ * Built-in policy templates.
+ */
+export declare const POLICY_TEMPLATES: Record<PolicyTemplate, Policy>;
+/**
+ * Policy engine that evaluates actions against a rich policy configuration.
+ *
+ * Evaluation order: allowlist → blocklist → environment overrides → custom rules → base level.
+ */
+export declare class PolicyEngine {
+    private policy;
+    constructor(policyOrTemplate: Policy | PolicyTemplate);
+    /**
+     * Get the underlying policy configuration.
+     */
+    getPolicy(): Policy;
+    /**
+     * Evaluate an action + result against the policy.
+     */
+    evaluate(input: ActionInput, result: CheckResult, environment?: string): PolicyDecision;
+    /**
+     * Check if a result requires human approval based on policy.
+     */
+    requiresApproval(result: CheckResult): boolean;
+    private getEffectiveLevel;
+    private getEffectiveRules;
+    private matchList;
+    private globMatch;
+    private levelMeetsThreshold;
+    private isBlockedByLevel;
+}
+//# sourceMappingURL=policy-engine.d.ts.map

package/dist/policy-engine.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy-engine.d.ts","sourceRoot":"","sources":["../src/policy-engine.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,WAAW,EACX,WAAW,EACX,MAAM,EACN,cAAc,EAEd,cAAc,EACd,cAAc,EACf,MAAM,oBAAoB,CAAC;AAE5B;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,gBAAgB,CAAC,EAAE,cAAc,CAAC;IAClC,gBAAgB,CAAC,EAAE,cAAc,CAAC;CACnC;AAED;;GAEG;AACH,eAAO,MAAM,gBAAgB,EAAE,MAAM,CAAC,cAAc,EAAE,MAAM,CA2C3D,CAAC;AAEF;;;;GAIG;AACH,qBAAa,YAAY;IACvB,OAAO,CAAC,MAAM,CAAS;gBAEX,gBAAgB,EAAE,MAAM,GAAG,cAAc;IAYrD;;OAEG;IACH,SAAS,IAAI,MAAM;IAInB;;OAEG;IACH,QAAQ,CAAC,KAAK,EAAE,WAAW,EAAE,MAAM,EAAE,WAAW,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,cAAc;IAsEvF;;OAEG;IACH,gBAAgB,CAAC,MAAM,EAAE,WAAW,GAAG,OAAO;IAU9C,OAAO,CAAC,iBAAiB;IAQzB,OAAO,CAAC,iBAAiB;IAWzB,OAAO,CAAC,SAAS;IAsBjB,OAAO,CAAC,SAAS;IAajB,OAAO,CAAC,mBAAmB;IAO3B,OAAO,CAAC,gBAAgB;CAYzB"}

package/dist/policy-engine.js

@@ -0,0 +1,225 @@
+/**
+ * Built-in policy templates.
+ */
+export const POLICY_TEMPLATES = {
+    'open-development': {
+        name: 'Open Development',
+        level: 'permissive',
+        rules: [],
+        allowlist: [],
+        blocklist: [],
+        requireApprovalForCaution: false,
+        requireApprovalForDanger: false,
+    },
+    'standard-production': {
+        name: 'Standard Production',
+        level: 'balanced',
+        rules: [{ blockLevel: 'DANGER' }],
+        allowlist: [],
+        blocklist: [],
+        requireApprovalForCaution: false,
+        requireApprovalForDanger: true,
+    },
+    'high-security': {
+        name: 'High Security',
+        level: 'strict',
+        rules: [{ blockLevel: 'CAUTION' }],
+        allowlist: [],
+        blocklist: [],
+        requireApprovalForCaution: true,
+        requireApprovalForDanger: true,
+        sessionRiskCeiling: 15,
+    },
+    'compliance-strict': {
+        name: 'Compliance Strict',
+        level: 'strict',
+        rules: [{ blockLevel: 'CAUTION' }],
+        allowlist: [],
+        blocklist: [
+            { type: 'command', pattern: 'rm *', reason: 'Destructive commands forbidden' },
+            { type: 'query', pattern: 'DROP *', reason: 'DDL operations forbidden' },
+            { type: 'query', pattern: 'TRUNCATE *', reason: 'DDL operations forbidden' },
+        ],
+        requireApprovalForCaution: true,
+        requireApprovalForDanger: true,
+        sessionRiskCeiling: 10,
+    },
+};
+/**
+ * Policy engine that evaluates actions against a rich policy configuration.
+ *
+ * Evaluation order: allowlist → blocklist → environment overrides → custom rules → base level.
+ */
+export class PolicyEngine {
+    policy;
+    constructor(policyOrTemplate) {
+        if (typeof policyOrTemplate === 'string') {
+            const template = POLICY_TEMPLATES[policyOrTemplate];
+            if (!template) {
+                throw new Error(`Unknown policy template: ${policyOrTemplate}`);
+            }
+            this.policy = { ...template };
+        }
+        else {
+            this.policy = policyOrTemplate;
+        }
+    }
+    /**
+     * Get the underlying policy configuration.
+     */
+    getPolicy() {
+        return this.policy;
+    }
+    /**
+     * Evaluate an action + result against the policy.
+     */
+    evaluate(input, result, environment) {
+        // 1. Allowlist check (always wins)
+        if (this.policy.allowlist && this.policy.allowlist.length > 0) {
+            const allowMatch = this.matchList(this.policy.allowlist, input);
+            if (allowMatch) {
+                return {
+                    allowed: true,
+                    reason: allowMatch.reason ?? 'Matched allowlist entry',
+                    policyName: this.policy.name,
+                    matchedAllowlist: allowMatch,
+                };
+            }
+        }
+        // 2. Blocklist check (trumps score)
+        if (this.policy.blocklist && this.policy.blocklist.length > 0) {
+            const blockMatch = this.matchList(this.policy.blocklist, input);
+            if (blockMatch) {
+                return {
+                    allowed: false,
+                    reason: blockMatch.reason ?? 'Matched blocklist entry',
+                    policyName: this.policy.name,
+                    matchedBlocklist: blockMatch,
+                };
+            }
+        }
+        // 3. Environment overrides
+        const effectiveLevel = this.getEffectiveLevel(environment);
+        const effectiveRules = this.getEffectiveRules(environment);
+        // 4. Custom rules
+        if (effectiveRules && effectiveRules.length > 0) {
+            for (const rule of effectiveRules) {
+                // Check if rule applies to this action type
+                if (rule.actionTypes && rule.actionTypes.length > 0) {
+                    if (!rule.actionTypes.includes(input.type))
+                        continue;
+                }
+                // Check if rule applies to this primitive
+                if (rule.primitives && rule.primitives.length > 0) {
+                    if (!result.primitive || !rule.primitives.includes(result.primitive))
+                        continue;
+                }
+                // Check min score
+                if (rule.minScore !== undefined && result.score < rule.minScore)
+                    continue;
+                // Check block level
+                if (this.levelMeetsThreshold(result.level, rule.blockLevel)) {
+                    return {
+                        allowed: false,
+                        reason: `Blocked by policy rule (${rule.blockLevel} threshold)`,
+                        policyName: this.policy.name,
+                        matchedRule: JSON.stringify(rule),
+                    };
+                }
+            }
+        }
+        // 5. Base level fallback
+        const blocked = this.isBlockedByLevel(result.level, effectiveLevel);
+        return {
+            allowed: !blocked,
+            reason: blocked
+                ? `Blocked by ${effectiveLevel} policy (${result.level} result)`
+                : 'Allowed by policy',
+            policyName: this.policy.name,
+        };
+    }
+    /**
+     * Check if a result requires human approval based on policy.
+     */
+    requiresApproval(result) {
+        if (this.policy.requireApprovalForDanger && result.level === 'DANGER') {
+            return true;
+        }
+        if (this.policy.requireApprovalForCaution && result.level === 'CAUTION') {
+            return true;
+        }
+        return false;
+    }
+    getEffectiveLevel(environment) {
+        if (environment && this.policy.environments) {
+            const override = this.policy.environments.find((e) => e.environment === environment);
+            if (override?.level)
+                return override.level;
+        }
+        return this.policy.level;
+    }
+    getEffectiveRules(environment) {
+        const baseRules = this.policy.rules ?? [];
+        if (environment && this.policy.environments) {
+            const override = this.policy.environments.find((e) => e.environment === environment);
+            if (override?.rules) {
+                return [...baseRules, ...override.rules];
+            }
+        }
+        return baseRules;
+    }
+    matchList(list, input) {
+        for (const entry of list) {
+            if (entry.type !== input.type)
+                continue;
+            if (entry.isRegex) {
+                try {
+                    const regex = new RegExp(entry.pattern, 'i');
+                    if (regex.test(input.value))
+                        return entry;
+                }
+                catch {
+                    // Invalid regex — skip
+                }
+            }
+            else {
+                // Glob-like matching: * matches any sequence, ? matches single char
+                if (this.globMatch(entry.pattern, input.value))
+                    return entry;
+            }
+        }
+        return undefined;
+    }
+    globMatch(pattern, value) {
+        // Convert glob to regex: escape special chars, then replace * and ?
+        const escaped = pattern
+            .replace(/[.+^${}()|[\]\\]/g, '\\$&')
+            .replace(/\*/g, '.*')
+            .replace(/\?/g, '.');
+        try {
+            return new RegExp(`^${escaped}$`, 'i').test(value);
+        }
+        catch {
+            return false;
+        }
+    }
+    levelMeetsThreshold(resultLevel, blockLevel) {
+        const order = { SAFE: 0, CAUTION: 1, DANGER: 2 };
+        const resultOrder = order[resultLevel] ?? 0;
+        const blockOrder = order[blockLevel] ?? 0;
+        return resultOrder >= blockOrder;
+    }
+    isBlockedByLevel(resultLevel, policyLevel) {
+        switch (policyLevel) {
+            case 'permissive':
+                return false;
+            case 'balanced':
+                return resultLevel === 'DANGER';
+            case 'strict':
+                return resultLevel === 'CAUTION' || resultLevel === 'DANGER';
+            default:
+                return false;
+        }
+    }
+}
+//# sourceMappingURL=policy-engine.js.map

package/dist/policy-engine.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy-engine.js","sourceRoot":"","sources":["../src/policy-engine.ts"],"names":[],"mappings":"AAsBA;;GAEG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAmC;IAC9D,kBAAkB,EAAE;QAClB,IAAI,EAAE,kBAAkB;QACxB,KAAK,EAAE,YAAY;QACnB,KAAK,EAAE,EAAE;QACT,SAAS,EAAE,EAAE;QACb,SAAS,EAAE,EAAE;QACb,yBAAyB,EAAE,KAAK;QAChC,wBAAwB,EAAE,KAAK;KAChC;IACD,qBAAqB,EAAE;QACrB,IAAI,EAAE,qBAAqB;QAC3B,KAAK,EAAE,UAAU;QACjB,KAAK,EAAE,CAAC,EAAE,UAAU,EAAE,QAAQ,EAAE,CAAC;QACjC,SAAS,EAAE,EAAE;QACb,SAAS,EAAE,EAAE;QACb,yBAAyB,EAAE,KAAK;QAChC,wBAAwB,EAAE,IAAI;KAC/B;IACD,eAAe,EAAE;QACf,IAAI,EAAE,eAAe;QACrB,KAAK,EAAE,QAAQ;QACf,KAAK,EAAE,CAAC,EAAE,UAAU,EAAE,SAAS,EAAE,CAAC;QAClC,SAAS,EAAE,EAAE;QACb,SAAS,EAAE,EAAE;QACb,yBAAyB,EAAE,IAAI;QAC/B,wBAAwB,EAAE,IAAI;QAC9B,kBAAkB,EAAE,EAAE;KACvB;IACD,mBAAmB,EAAE;QACnB,IAAI,EAAE,mBAAmB;QACzB,KAAK,EAAE,QAAQ;QACf,KAAK,EAAE,CAAC,EAAE,UAAU,EAAE,SAAS,EAAE,CAAC;QAClC,SAAS,EAAE,EAAE;QACb,SAAS,EAAE;YACT,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,gCAAgC,EAAE;YAC9E,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,0BAA0B,EAAE;YACxE,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,YAAY,EAAE,MAAM,EAAE,0BAA0B,EAAE;SAC7E;QACD,yBAAyB,EAAE,IAAI;QAC/B,wBAAwB,EAAE,IAAI;QAC9B,kBAAkB,EAAE,EAAE;KACvB;CACF,CAAC;AAEF;;;;GAIG;AACH,MAAM,OAAO,YAAY;IACf,MAAM,CAAS;IAEvB,YAAY,gBAAyC;QACnD,IAAI,OAAO,gBAAgB,KAAK,QAAQ,EAAE,CAAC;YACzC,MAAM,QAAQ,GAAG,gBAAgB,CAAC,gBAAgB,CAAC,CAAC;YACpD,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACd,MAAM,IAAI,KAAK,CAAC,4BAA4B,gBAAgB,EAAE,CAAC,CAAC;YAClE,CAAC;YACD,IAAI,CAAC,MAAM,GAAG,EAAE,GAAG,QAAQ,EAAE,CAAC;QAChC,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,MAAM,GAAG,gBAAgB,CAAC;QACjC,CAAC;IACH,CAAC;IAED;;OAEG;IACH,SAAS;QACP,OAAO,IAAI,CAAC,MAAM,CAAC;IACrB,CAAC;IAED;;OAEG;IACH,QAAQ,CAAC,KAAkB,EAAE,MAAmB,EAAE,WAAoB;QACpE,mCAAmC;QACnC,IAAI,IAAI,CAAC,MAAM,CAAC,SAAS,IAAI,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC9D,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;YAChE,IAAI,UAAU,EAAE,CAAC;gBACf,OAAO;oBACL,OAAO,EAAE,IAAI;oBACb,MAAM,EAAE,UAAU,CAAC,MAAM,IAAI,yBAAyB;oBACtD,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC,IAAI;oBAC5B,gBAAgB,EAAE,UAAU;iBAC7B,CAAC;YACJ,CAAC;QACH,CAAC;QAED,oCAAoC;QACpC,IAAI,IAAI,CAAC,MAAM,CAAC,SAAS,IAAI,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC9D,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;YAChE,IAAI,UAAU,EAAE,CAAC;gBACf,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,MAAM,EAAE,UAAU,CAAC,MAAM,IAAI,yBAAyB;oBACtD,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC,IAAI;oBAC5B,gBAAgB,EAAE,UAAU;iBAC7B,CAAC;YACJ,CAAC;QACH,CAAC;QAED,2BAA2B;QAC3B,MAAM,cAAc,GAAG,IAAI,CAAC,iBAAiB,CAAC,WAAW,CAAC,CAAC;QAC3D,MAAM,cAAc,GAAG,IAAI,CAAC,iBAAiB,CAAC,WAAW,CAAC,CAAC;QAE3D,kBAAkB;QAClB,IAAI,cAAc,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAChD,KAAK,MAAM,IAAI,IAAI,cAAc,EAAE,CAAC;gBAClC,4CAA4C;gBAC5C,IAAI,IAAI,CAAC,WAAW,IAAI,IAAI,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBACpD,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC;wBAAE,SAAS;gBACvD,CAAC;gBAED,0CAA0C;gBAC1C,IAAI,IAAI,CAAC,UAAU,IAAI,IAAI,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBAClD,IAAI,CAAC,MAAM,CAAC,SAAS,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC;wBAAE,SAAS;gBACjF,CAAC;gBAED,kBAAkB;gBAClB,IAAI,IAAI,CAAC,QAAQ,KAAK,SAAS,IAAI,MAAM,CAAC,KAAK,GAAG,IAAI,CAAC,QAAQ;oBAAE,SAAS;gBAE1E,oBAAoB;gBACpB,IAAI,IAAI,CAAC,mBAAmB,CAAC,MAAM,CAAC,KAAK,EAAE,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC;oBAC5D,OAAO;wBACL,OAAO,EAAE,KAAK;wBACd,MAAM,EAAE,2BAA2B,IAAI,CAAC,UAAU,aAAa;wBAC/D,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC,IAAI;wBAC5B,WAAW,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC;qBAClC,CAAC;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;QAED,yBAAyB;QACzB,MAAM,OAAO,GAAG,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,KAAK,EAAE,cAAc,CAAC,CAAC;QACpE,OAAO;YACL,OAAO,EAAE,CAAC,OAAO;YACjB,MAAM,EAAE,OAAO;gBACb,CAAC,CAAC,cAAc,cAAc,YAAY,MAAM,CAAC,KAAK,UAAU;gBAChE,CAAC,CAAC,mBAAmB;YACvB,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC,IAAI;SAC7B,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,gBAAgB,CAAC,MAAmB;QAClC,IAAI,IAAI,CAAC,MAAM,CAAC,wBAAwB,IAAI,MAAM,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;YACtE,OAAO,IAAI,CAAC;QACd,CAAC;QACD,IAAI,IAAI,CAAC,MAAM,CAAC,yBAAyB,IAAI,MAAM,CAAC,KAAK,KAAK,SAAS,EAAE,CAAC;YACxE,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAEO,iBAAiB,CAAC,WAAoB;QAC5C,IAAI,WAAW,IAAI,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,CAAC;YAC5C,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,KAAK,WAAW,CAAC,CAAC;YACrF,IAAI,QAAQ,EAAE,KAAK;gBAAE,OAAO,QAAQ,CAAC,KAAK,CAAC;QAC7C,CAAC;QACD,OAAO,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC;IAC3B,CAAC;IAEO,iBAAiB,CAAC,WAAoB;QAC5C,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,KAAK,IAAI,EAAE,CAAC;QAC1C,IAAI,WAAW,IAAI,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,CAAC;YAC5C,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,KAAK,WAAW,CAAC,CAAC;YACrF,IAAI,QAAQ,EAAE,KAAK,EAAE,CAAC;gBACpB,OAAO,CAAC,GAAG,SAAS,EAAE,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC;YAC3C,CAAC;QACH,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAEO,SAAS,CACf,IAAS,EACT,KAAkB;QAElB,KAAK,MAAM,KAAK,IAAI,IAAI,EAAE,CAAC;YACzB,IAAI,KAAK,CAAC,IAAI,KAAK,KAAK,CAAC,IAAI;gBAAE,SAAS;YAExC,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;gBAClB,IAAI,CAAC;oBACH,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,KAAK,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;oBAC7C,IAAI,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC;wBAAE,OAAO,KAAK,CAAC;gBAC5C,CAAC;gBAAC,MAAM,CAAC;oBACP,uBAAuB;gBACzB,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,oEAAoE;gBACpE,IAAI,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC;oBAAE,OAAO,KAAK,CAAC;YAC/D,CAAC;QACH,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAEO,SAAS,CAAC,OAAe,EAAE,KAAa;QAC9C,oEAAoE;QACpE,MAAM,OAAO,GAAG,OAAO;aACpB,OAAO,CAAC,mBAAmB,EAAE,MAAM,CAAC;aACpC,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC;aACpB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QACvB,IAAI,CAAC;YACH,OAAO,IAAI,MAAM,CAAC,IAAI,OAAO,GAAG,EAAE,GAAG,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACrD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAEO,mBAAmB,CAAC,WAAmB,EAAE,UAAkB;QACjE,MAAM,KAAK,GAAG,EAAE,IAAI,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,CAAC;QACjD,MAAM,WAAW,GAAG,KAAK,CAAC,WAAiC,CAAC,IAAI,CAAC,CAAC;QAClE,MAAM,UAAU,GAAG,KAAK,CAAC,UAAgC,CAAC,IAAI,CAAC,CAAC;QAChE,OAAO,WAAW,IAAI,UAAU,CAAC;IACnC,CAAC;IAEO,gBAAgB,CAAC,WAAmB,EAAE,WAAwB;QACpE,QAAQ,WAAW,EAAE,CAAC;YACpB,KAAK,YAAY;gBACf,OAAO,KAAK,CAAC;YACf,KAAK,UAAU;gBACb,OAAO,WAAW,KAAK,QAAQ,CAAC;YAClC,KAAK,QAAQ;gBACX,OAAO,WAAW,KAAK,SAAS,IAAI,WAAW,KAAK,QAAQ,CAAC;YAC/D;gBACE,OAAO,KAAK,CAAC;QACjB,CAAC;IACH,CAAC;CACF"}

package/dist/session-tracker.d.ts

@@ -0,0 +1,50 @@
+import type { ActionInput, ActionContext, CheckResult, ChainDetection, SessionState, SessionInfo } from '@surfinguard/types';
+/**
+ * In-memory session tracker for multi-step attack chain detection.
+ */
+export declare class SessionTracker {
+    private sessions;
+    private chainDefinitions;
+    constructor();
+    /**
+     * Record an action result in a session and detect chains.
+     */
+    recordAction(sessionId: string, input: ActionInput, result: CheckResult, agentId?: string): {
+        contextBoost: number;
+        chainDetections: ChainDetection[];
+        riskTrend: 'rising' | 'stable' | 'declining';
+    };
+    /**
+     * Get a session by ID.
+     */
+    getSession(sessionId: string): SessionState | undefined;
+    /**
+     * Get session summary info (for API responses).
+     */
+    getSessionInfo(sessionId: string): SessionInfo | undefined;
+    /**
+     * Build an ActionContext from session state (for passing to engine).
+     */
+    buildContext(sessionId: string): ActionContext | undefined;
+    /**
+     * Clear a specific session.
+     */
+    clearSession(sessionId: string): void;
+    /**
+     * Remove all expired sessions.
+     */
+    pruneExpiredSessions(): number;
+    /**
+     * Get all active session IDs.
+     */
+    getActiveSessionIds(): string[];
+    private getOrCreateSession;
+    private isExpired;
+    /**
+     * Detect active chains in a session by walking chain definitions.
+     */
+    private detectChains;
+    private actionMatchesStep;
+    private computeTrend;
+}
+//# sourceMappingURL=session-tracker.d.ts.map

package/dist/session-tracker.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"session-tracker.d.ts","sourceRoot":"","sources":["../src/session-tracker.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,WAAW,EAEX,aAAa,EACb,WAAW,EACX,cAAc,EAGd,YAAY,EACZ,WAAW,EACZ,MAAM,oBAAoB,CAAC;AAO5B;;GAEG;AACH,qBAAa,cAAc;IACzB,OAAO,CAAC,QAAQ,CAAmC;IACnD,OAAO,CAAC,gBAAgB,CAAoB;;IAM5C;;OAEG;IACH,YAAY,CACV,SAAS,EAAE,MAAM,EACjB,KAAK,EAAE,WAAW,EAClB,MAAM,EAAE,WAAW,EACnB,OAAO,CAAC,EAAE,MAAM,GACf;QACD,YAAY,EAAE,MAAM,CAAC;QACrB,eAAe,EAAE,cAAc,EAAE,CAAC;QAClC,SAAS,EAAE,QAAQ,GAAG,QAAQ,GAAG,WAAW,CAAC;KAC9C;IAiDD;;OAEG;IACH,UAAU,CAAC,SAAS,EAAE,MAAM,GAAG,YAAY,GAAG,SAAS;IASvD;;OAEG;IACH,cAAc,CAAC,SAAS,EAAE,MAAM,GAAG,WAAW,GAAG,SAAS;IAe1D;;OAEG;IACH,YAAY,CAAC,SAAS,EAAE,MAAM,GAAG,aAAa,GAAG,SAAS;IAgB1D;;OAEG;IACH,YAAY,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI;IAIrC;;OAEG;IACH,oBAAoB,IAAI,MAAM;IAW9B;;OAEG;IACH,mBAAmB,IAAI,MAAM,EAAE;IAK/B,OAAO,CAAC,kBAAkB;IA+B1B,OAAO,CAAC,SAAS;IAIjB;;OAEG;IACH,OAAO,CAAC,YAAY;IA8EpB,OAAO,CAAC,iBAAiB;IA8BzB,OAAO,CAAC,YAAY;CA4BrB"}