@tuent/sentinel 0.1.0

package/dist/Sentinel-JLQL3YRD.js

@@ -0,0 +1,10 @@
+import {
+  Sentinel
+} from "./chunk-QFRDEISP.js";
+import "./chunk-6MHWJATS.js";
+import "./chunk-2FFMYSVC.js";
+import "./chunk-NUXSUSYY.js";
+export {
+  Sentinel
+};
+//# sourceMappingURL=Sentinel-JLQL3YRD.js.map

package/dist/auditTrailKeys-GKCW5KUD.js

@@ -0,0 +1,23 @@
+import {
+  generateKeyPair,
+  getOrCreateKeyPair,
+  loadKeyPair,
+  publicKeyFromBase64,
+  publicKeyToBase64,
+  reconstructSigningPayload,
+  saveKeyPair,
+  signPayload,
+  verifySignature
+} from "./chunk-NUXSUSYY.js";
+export {
+  generateKeyPair,
+  getOrCreateKeyPair,
+  loadKeyPair,
+  publicKeyFromBase64,
+  publicKeyToBase64,
+  reconstructSigningPayload,
+  saveKeyPair,
+  signPayload,
+  verifySignature
+};
+//# sourceMappingURL=auditTrailKeys-GKCW5KUD.js.map

package/dist/chunk-2FFMYSVC.js

@@ -0,0 +1,428 @@
+// src/policyLoader.ts
+import yaml from "js-yaml";
+var LOCKED_ACTIONABLE_TYPES = /* @__PURE__ */ new Set([
+  "role_violation",
+  "unauthorized_target",
+  "scope_violation"
+]);
+var VALID_DAYS = /* @__PURE__ */ new Set([
+  "monday",
+  "tuesday",
+  "wednesday",
+  "thursday",
+  "friday",
+  "saturday",
+  "sunday"
+]);
+var VALID_CHANNELS = /* @__PURE__ */ new Set(["console", "webhook", "file"]);
+var VALID_SEVERITIES = /* @__PURE__ */ new Set(["LOW", "MEDIUM", "HIGH", "CRITICAL"]);
+var VALID_KINDS = /* @__PURE__ */ new Set(["informational", "actionable"]);
+var VALID_ACTIONS = /* @__PURE__ */ new Set([
+  "file_read",
+  "file_write",
+  "api_call",
+  "database_query",
+  "command_exec",
+  "tool_invocation",
+  "network_request"
+]);
+function fail(message) {
+  throw new Error(`Policy validation error: ${message}`);
+}
+function validatePolicy(data) {
+  if (typeof data !== "object" || data === null) {
+    fail("policy must be a YAML object");
+  }
+  const doc = data;
+  if (doc.version === void 0) fail("version is required");
+  if (String(doc.version) !== "1.0") fail('version must be "1.0"');
+  if (typeof doc.agent !== "object" || doc.agent === null) fail("agent section is required");
+  const agent = doc.agent;
+  if (typeof agent.id !== "string" || agent.id.length === 0) fail("agent.id is required");
+  if (typeof agent.name !== "string" || agent.name.length === 0) fail("agent.name is required");
+  if (agent.description !== void 0 && typeof agent.description !== "string") {
+    fail("agent.description must be a string");
+  }
+  if (typeof doc.policy !== "object" || doc.policy === null) fail("policy section is required");
+  const policy = doc.policy;
+  if (typeof policy.allow !== "object" || policy.allow === null) {
+    fail("policy.allow section is required");
+  }
+  const allow = policy.allow;
+  if (!Array.isArray(allow.actions) || allow.actions.length === 0) {
+    fail("policy.allow.actions must be a non-empty array of strings");
+  }
+  if (!allow.actions.every((a) => typeof a === "string")) {
+    fail("policy.allow.actions must be a non-empty array of strings");
+  }
+  if (!Array.isArray(allow.targets) || allow.targets.length === 0) {
+    fail("policy.allow.targets must be a non-empty array of strings");
+  }
+  if (!allow.targets.every((t) => typeof t === "string")) {
+    fail("policy.allow.targets must be a non-empty array of strings");
+  }
+  if (allow.networkHosts !== void 0) {
+    if (!Array.isArray(allow.networkHosts)) {
+      fail("policy.allow.networkHosts must be an array of strings");
+    }
+    for (let i = 0; i < allow.networkHosts.length; i++) {
+      const entry = allow.networkHosts[i];
+      if (typeof entry !== "string" || entry.length === 0) {
+        fail(`policy.allow.networkHosts[${i}] must be a non-empty string`);
+      }
+      if (/[\s/:]/.test(entry)) {
+        fail(
+          `policy.allow.networkHosts[${i}] ("${entry}") contains whitespace, slash, or colon \u2014 these are not valid hostnames. Use bare hostnames only (e.g. "docs.anthropic.com").`
+        );
+      }
+    }
+    for (let i = 0; i < allow.networkHosts.length; i++) {
+      allow.networkHosts[i] = allow.networkHosts[i].trim().toLowerCase().replace(/\.+$/, "");
+    }
+  }
+  if (typeof policy.forbid !== "object" || policy.forbid === null) {
+    fail("policy.forbid section is required");
+  }
+  const forbid = policy.forbid;
+  if (!Array.isArray(forbid.targets) || forbid.targets.length === 0) {
+    fail("policy.forbid.targets must be a non-empty array of strings");
+  }
+  if (!forbid.targets.every((t) => typeof t === "string")) {
+    fail("policy.forbid.targets must be a non-empty array of strings");
+  }
+  if (policy.exceptions !== void 0) {
+    if (!Array.isArray(policy.exceptions)) {
+      fail("policy.exceptions must be an array");
+    }
+    for (let i = 0; i < policy.exceptions.length; i++) {
+      const prefix = `exception #${i + 1}`;
+      const ex = policy.exceptions[i];
+      if (typeof ex !== "object" || ex === null) {
+        fail(`${prefix}: must be an object`);
+      }
+      if (typeof ex.target !== "string" || ex.target.length === 0) {
+        fail(`${prefix}: target is required and must be a non-empty string`);
+      }
+      if (!Array.isArray(ex.allowedActions) || ex.allowedActions.length === 0) {
+        fail(
+          `${prefix}: allowedActions must be a non-empty array of valid AgentAction values; got ${JSON.stringify(ex.allowedActions ?? "undefined")}`
+        );
+      }
+      for (const action of ex.allowedActions) {
+        if (typeof action !== "string" || !VALID_ACTIONS.has(action)) {
+          fail(
+            `${prefix}: allowedActions contains invalid action "${action}". Valid: ${[...VALID_ACTIONS].join(", ")}`
+          );
+        }
+      }
+      if (ex.requiresTask !== void 0) {
+        if (typeof ex.requiresTask !== "string" || ex.requiresTask.length === 0) {
+          fail(`${prefix}: requiresTask must be a non-empty string`);
+        }
+      }
+      if (ex.requiresApproval !== void 0) {
+        if (typeof ex.requiresApproval !== "boolean") {
+          fail(`${prefix}: requiresApproval must be a boolean`);
+        }
+      }
+      if (ex.expiresAfter !== void 0) {
+        if (typeof ex.expiresAfter !== "number" || !Number.isFinite(ex.expiresAfter) || ex.expiresAfter <= 0) {
+          fail(
+            `${prefix}: expiresAfter must be a positive finite number (milliseconds); got ${ex.expiresAfter}`
+          );
+        }
+      }
+      if (ex.downgradeKindTo !== void 0) {
+        if (typeof ex.downgradeKindTo !== "string" || !VALID_KINDS.has(ex.downgradeKindTo)) {
+          fail(`${prefix}: downgradeKindTo must be one of: informational, actionable`);
+        }
+      }
+    }
+  }
+  if (policy.schedule !== void 0) {
+    if (typeof policy.schedule !== "object" || policy.schedule === null) {
+      fail("policy.schedule must be an object");
+    }
+    const schedule = policy.schedule;
+    if (!Array.isArray(schedule.hours) || schedule.hours.length !== 2) {
+      fail("schedule.hours must be [start, end] with values 0-23");
+    }
+    const [start, end] = schedule.hours;
+    if (typeof start !== "number" || typeof end !== "number" || !Number.isInteger(start) || !Number.isInteger(end) || start < 0 || start > 23 || end < 0 || end > 23) {
+      fail("schedule.hours must be [start, end] with values 0-23");
+    }
+    if (schedule.days !== void 0) {
+      if (!Array.isArray(schedule.days)) {
+        fail("schedule.days must be an array of day strings");
+      }
+      for (const day of schedule.days) {
+        if (typeof day !== "string" || !VALID_DAYS.has(day.toLowerCase())) {
+          fail(
+            `schedule.days contains invalid day "${day}". Valid days: Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, Sunday`
+          );
+        }
+      }
+    }
+  }
+  if (policy.limits !== void 0) {
+    if (typeof policy.limits !== "object" || policy.limits === null) {
+      fail("policy.limits must be an object");
+    }
+    const limits = policy.limits;
+    if (limits.maxEventsPerHour !== void 0 && typeof limits.maxEventsPerHour !== "number") {
+      fail("policy.limits.maxEventsPerHour must be a number");
+    }
+    if (limits.maxSessionDuration !== void 0 && typeof limits.maxSessionDuration !== "number") {
+      fail("policy.limits.maxSessionDuration must be a number");
+    }
+  }
+  if (doc.enforcement !== void 0) {
+    if (typeof doc.enforcement !== "object" || doc.enforcement === null) {
+      fail("enforcement must be an object");
+    }
+    const enforcement = doc.enforcement;
+    if (enforcement.restrictAfter !== void 0 && typeof enforcement.restrictAfter !== "number") {
+      fail("enforcement.restrictAfter must be a number");
+    }
+    if (enforcement.quarantineAfter !== void 0 && typeof enforcement.quarantineAfter !== "number") {
+      fail("enforcement.quarantineAfter must be a number");
+    }
+    if (enforcement.approvalRequired !== void 0 && typeof enforcement.approvalRequired !== "boolean") {
+      fail("enforcement.approvalRequired must be a boolean");
+    }
+    if (enforcement.minKind !== void 0) {
+      if (typeof enforcement.minKind !== "string" || !VALID_KINDS.has(enforcement.minKind)) {
+        fail("enforcement.minKind must be one of: informational, actionable");
+      }
+    }
+    if (enforcement.promote !== void 0) {
+      if (!Array.isArray(enforcement.promote)) {
+        fail("enforcement.promote must be an array of finding type strings");
+      }
+      for (const pt of enforcement.promote) {
+        if (typeof pt !== "string") {
+          fail("enforcement.promote must be an array of finding type strings");
+        }
+        if (LOCKED_ACTIONABLE_TYPES.has(pt)) {
+          fail(
+            `enforcement.promote cannot include "${pt}" \u2014 it is a locked-actionable type that is always actionable`
+          );
+        }
+      }
+    }
+    if (enforcement.baselineMaturity !== void 0) {
+      if (typeof enforcement.baselineMaturity !== "object" || enforcement.baselineMaturity === null) {
+        fail("enforcement.baselineMaturity must be an object");
+      }
+      const bm = enforcement.baselineMaturity;
+      for (const key of ["minSessions", "minDaysObserved", "minCategoryDiversity"]) {
+        if (bm[key] !== void 0) {
+          if (typeof bm[key] !== "number" || !Number.isFinite(bm[key])) {
+            fail(`enforcement.baselineMaturity.${key} must be a finite number`);
+          }
+          if (bm[key] < 0) {
+            fail(`enforcement.baselineMaturity.${key} must not be negative`);
+          }
+        }
+      }
+    }
+  }
+  if (doc.alerts !== void 0) {
+    if (typeof doc.alerts !== "object" || doc.alerts === null) {
+      fail("alerts must be an object");
+    }
+    const alerts = doc.alerts;
+    if (!Array.isArray(alerts.channels) || alerts.channels.length === 0) {
+      fail("alerts.channels must be a non-empty array");
+    }
+    for (const ch of alerts.channels) {
+      if (typeof ch === "string") {
+        if (!VALID_CHANNELS.has(ch)) {
+          fail(`alerts.channels contains invalid channel "${ch}". Valid: console, webhook, file`);
+        }
+      } else if (typeof ch === "object" && ch !== null) {
+        const chObj = ch;
+        if (typeof chObj.type !== "string" || !VALID_CHANNELS.has(chObj.type)) {
+          fail(
+            `alerts.channels contains invalid channel type "${chObj.type}". Valid: console, webhook, file`
+          );
+        }
+        if (chObj.minKind !== void 0) {
+          if (typeof chObj.minKind !== "string" || !VALID_KINDS.has(chObj.minKind)) {
+            fail("alerts.channels[].minKind must be one of: informational, actionable");
+          }
+        }
+      } else {
+        fail("alerts.channels entries must be strings or objects with a type field");
+      }
+    }
+    if (alerts.webhookUrl !== void 0 && typeof alerts.webhookUrl !== "string") {
+      fail("alerts.webhookUrl must be a string");
+    }
+    if (alerts.filePath !== void 0 && typeof alerts.filePath !== "string") {
+      fail("alerts.filePath must be a string");
+    }
+    if (alerts.minSeverity !== void 0) {
+      if (typeof alerts.minSeverity !== "string" || !VALID_SEVERITIES.has(alerts.minSeverity)) {
+        fail("alerts.minSeverity must be one of: LOW, MEDIUM, HIGH, CRITICAL");
+      }
+    }
+    if (alerts.minKind !== void 0) {
+      if (typeof alerts.minKind !== "string" || !VALID_KINDS.has(alerts.minKind)) {
+        fail("alerts.minKind must be one of: informational, actionable");
+      }
+    }
+  }
+  if (doc.repo !== void 0) {
+    if (typeof doc.repo !== "object" || doc.repo === null) {
+      fail("repo must be an object");
+    }
+    const repo = doc.repo;
+    if (repo.root !== void 0) {
+      if (typeof repo.root !== "string" || repo.root.length === 0) {
+        fail("repo.root must be a non-empty string");
+      }
+    }
+    if (repo.scanOnStartup !== void 0) {
+      if (typeof repo.scanOnStartup !== "boolean") {
+        fail("repo.scanOnStartup must be a boolean");
+      }
+    }
+    if (repo.mapPath !== void 0) {
+      if (typeof repo.mapPath !== "string" || repo.mapPath.length === 0) {
+        fail("repo.mapPath must be a non-empty string");
+      }
+    }
+    if (repo.overlayPath !== void 0) {
+      if (typeof repo.overlayPath !== "string" || repo.overlayPath.length === 0) {
+        fail("repo.overlayPath must be a non-empty string");
+      }
+    }
+  }
+  return data;
+}
+async function loadPolicy(yamlPath) {
+  const { readFile } = await import("fs/promises");
+  let raw;
+  try {
+    raw = await readFile(yamlPath, "utf-8");
+  } catch (err) {
+    if (err.code === "ENOENT") {
+      const e = new Error(`Policy file not found: ${yamlPath}`);
+      e.cause = err;
+      throw e;
+    }
+    throw err;
+  }
+  return loadPolicyFromString(raw);
+}
+function loadPolicyFromString(yamlString) {
+  let parsed;
+  try {
+    parsed = yaml.load(yamlString);
+  } catch (err) {
+    const e = new Error(`Invalid YAML syntax: ${err.message}`);
+    e.cause = err;
+    throw e;
+  }
+  return validatePolicy(parsed);
+}
+function policyToRole(policy) {
+  const role = {
+    agentId: policy.agent.id,
+    name: policy.agent.name,
+    description: policy.agent.description ?? `Monitored agent: ${policy.agent.name}`,
+    allowedActions: policy.policy.allow.actions,
+    allowedTargetPatterns: policy.policy.allow.targets,
+    forbiddenTargetPatterns: policy.policy.forbid.targets
+  };
+  if (policy.policy.allow.networkHosts && policy.policy.allow.networkHosts.length > 0) {
+    role.networkHosts = policy.policy.allow.networkHosts;
+  }
+  if (policy.policy.exceptions && policy.policy.exceptions.length > 0) {
+    role.exceptions = policy.policy.exceptions.map((ex) => {
+      const exception = {
+        target: ex.target,
+        allowedActions: ex.allowedActions
+      };
+      if (ex.requiresTask !== void 0) exception.requiresTask = ex.requiresTask;
+      if (ex.requiresApproval !== void 0) exception.requiresApproval = ex.requiresApproval;
+      if (ex.expiresAfter !== void 0) exception.expiresAfter = ex.expiresAfter;
+      if (ex.downgradeKindTo !== void 0) exception.downgradeKindTo = ex.downgradeKindTo;
+      return exception;
+    });
+  }
+  if (policy.policy.schedule) {
+    role.expectedSchedule = {
+      activeHours: policy.policy.schedule.hours,
+      activeDays: policy.policy.schedule.days
+    };
+  }
+  if (policy.policy.limits) {
+    if (policy.policy.limits.maxEventsPerHour !== void 0) {
+      role.maxEventsPerHour = policy.policy.limits.maxEventsPerHour;
+    }
+    if (policy.policy.limits.maxSessionDuration !== void 0) {
+      role.maxSessionDuration = policy.policy.limits.maxSessionDuration;
+    }
+  }
+  return role;
+}
+function policyToConfig(policy) {
+  const config = {};
+  if (policy.enforcement) {
+    if (policy.enforcement.restrictAfter !== void 0 || policy.enforcement.quarantineAfter !== void 0 || policy.enforcement.promote !== void 0 || policy.enforcement.baselineMaturity !== void 0) {
+      config.enforcement = {};
+      if (policy.enforcement.restrictAfter !== void 0) {
+        config.enforcement.restrictAfter = policy.enforcement.restrictAfter;
+      }
+      if (policy.enforcement.quarantineAfter !== void 0) {
+        config.enforcement.quarantineAfter = policy.enforcement.quarantineAfter;
+      }
+      if (policy.enforcement.promote !== void 0) {
+        config.enforcement.promote = policy.enforcement.promote;
+      }
+      if (policy.enforcement.baselineMaturity !== void 0) {
+        config.enforcement.baselineMaturity = policy.enforcement.baselineMaturity;
+      }
+    }
+  }
+  if (policy.alerts) {
+    config.alerts = {
+      channels: policy.alerts.channels.map((ch) => {
+        const isObj = typeof ch === "object" && ch !== null;
+        const type = isObj ? ch.type : ch;
+        const perChannelMinKind = isObj ? ch.minKind : void 0;
+        return {
+          type,
+          name: type,
+          config: {
+            ...type === "webhook" && policy.alerts?.webhookUrl ? { url: policy.alerts.webhookUrl } : {},
+            ...type === "file" && policy.alerts?.filePath ? { filePath: policy.alerts.filePath } : {}
+          },
+          ...perChannelMinKind ? { minKind: perChannelMinKind } : {}
+        };
+      }),
+      minSeverity: policy.alerts.minSeverity,
+      ...policy.alerts.minKind ? { minKind: policy.alerts.minKind } : {}
+    };
+  }
+  if (policy.repo) {
+    config.repo = {};
+    if (policy.repo.root !== void 0) config.repo.root = policy.repo.root;
+    if (policy.repo.scanOnStartup !== void 0)
+      config.repo.scanOnStartup = policy.repo.scanOnStartup;
+    if (policy.repo.mapPath !== void 0) config.repo.mapPath = policy.repo.mapPath;
+    if (policy.repo.overlayPath !== void 0) config.repo.overlayPath = policy.repo.overlayPath;
+  }
+  return config;
+}
+
+export {
+  LOCKED_ACTIONABLE_TYPES,
+  loadPolicy,
+  loadPolicyFromString,
+  policyToRole,
+  policyToConfig
+};
+//# sourceMappingURL=chunk-2FFMYSVC.js.map