npm - @vainplex/openclaw-governance - Versions diffs - 0.1.0 - Mend

@vainplex/openclaw-governance 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (83) hide show

package/README.md +297 -0
package/dist/index.d.ts +10 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +30 -0
package/dist/index.js.map +1 -0
package/dist/src/audit-redactor.d.ts +3 -0
package/dist/src/audit-redactor.d.ts.map +1 -0
package/dist/src/audit-redactor.js +68 -0
package/dist/src/audit-redactor.js.map +1 -0
package/dist/src/audit-trail.d.ts +27 -0
package/dist/src/audit-trail.d.ts.map +1 -0
package/dist/src/audit-trail.js +192 -0
package/dist/src/audit-trail.js.map +1 -0
package/dist/src/builtin-policies.d.ts +3 -0
package/dist/src/builtin-policies.d.ts.map +1 -0
package/dist/src/builtin-policies.js +152 -0
package/dist/src/builtin-policies.js.map +1 -0
package/dist/src/conditions/context.d.ts +3 -0
package/dist/src/conditions/context.d.ts.map +1 -0
package/dist/src/conditions/context.js +60 -0
package/dist/src/conditions/context.js.map +1 -0
package/dist/src/conditions/index.d.ts +4 -0
package/dist/src/conditions/index.d.ts.map +1 -0
package/dist/src/conditions/index.js +28 -0
package/dist/src/conditions/index.js.map +1 -0
package/dist/src/conditions/simple.d.ts +10 -0
package/dist/src/conditions/simple.d.ts.map +1 -0
package/dist/src/conditions/simple.js +94 -0
package/dist/src/conditions/simple.js.map +1 -0
package/dist/src/conditions/time.d.ts +3 -0
package/dist/src/conditions/time.d.ts.map +1 -0
package/dist/src/conditions/time.js +48 -0
package/dist/src/conditions/time.js.map +1 -0
package/dist/src/conditions/tool.d.ts +3 -0
package/dist/src/conditions/tool.d.ts.map +1 -0
package/dist/src/conditions/tool.js +57 -0
package/dist/src/conditions/tool.js.map +1 -0
package/dist/src/config.d.ts +3 -0
package/dist/src/config.d.ts.map +1 -0
package/dist/src/config.js +80 -0
package/dist/src/config.js.map +1 -0
package/dist/src/cross-agent.d.ts +23 -0
package/dist/src/cross-agent.d.ts.map +1 -0
package/dist/src/cross-agent.js +142 -0
package/dist/src/cross-agent.js.map +1 -0
package/dist/src/engine.d.ts +29 -0
package/dist/src/engine.d.ts.map +1 -0
package/dist/src/engine.js +195 -0
package/dist/src/engine.js.map +1 -0
package/dist/src/frequency-tracker.d.ts +12 -0
package/dist/src/frequency-tracker.d.ts.map +1 -0
package/dist/src/frequency-tracker.js +44 -0
package/dist/src/frequency-tracker.js.map +1 -0
package/dist/src/hooks.d.ts +4 -0
package/dist/src/hooks.d.ts.map +1 -0
package/dist/src/hooks.js +198 -0
package/dist/src/hooks.js.map +1 -0
package/dist/src/policy-evaluator.d.ts +16 -0
package/dist/src/policy-evaluator.d.ts.map +1 -0
package/dist/src/policy-evaluator.js +99 -0
package/dist/src/policy-evaluator.js.map +1 -0
package/dist/src/policy-loader.d.ts +8 -0
package/dist/src/policy-loader.d.ts.map +1 -0
package/dist/src/policy-loader.js +105 -0
package/dist/src/policy-loader.js.map +1 -0
package/dist/src/risk-assessor.d.ts +8 -0
package/dist/src/risk-assessor.d.ts.map +1 -0
package/dist/src/risk-assessor.js +80 -0
package/dist/src/risk-assessor.js.map +1 -0
package/dist/src/trust-manager.d.ts +29 -0
package/dist/src/trust-manager.d.ts.map +1 -0
package/dist/src/trust-manager.js +219 -0
package/dist/src/trust-manager.js.map +1 -0
package/dist/src/types.d.ts +438 -0
package/dist/src/types.d.ts.map +1 -0
package/dist/src/types.js +3 -0
package/dist/src/types.js.map +1 -0
package/dist/src/util.d.ts +28 -0
package/dist/src/util.d.ts.map +1 -0
package/dist/src/util.js +125 -0
package/dist/src/util.js.map +1 -0
package/openclaw.plugin.json +87 -0
package/package.json +48 -0

package/README.md ADDED Viewed

@@ -0,0 +1,297 @@
+# @vainplex/openclaw-governance
+**Your AI agents are powerful. That's the problem.**
+An agent that can `exec("rm -rf /")` at 3 AM because a prompt injection told it to? That's not a feature, that's a liability. This plugin adds contextual, learning governance to OpenClaw — so your agents stay powerful but accountable.
+---
+## Why This Exists
+Every other guardrail tool works like a firewall: static rules, single-agent, no memory. *"Can agent X use tool Y? Yes/No."*
+That's not governance. That's a whitelist.
+Real governance asks: **"Should agent X run `docker rm` at 3 AM on production, given it failed twice this week and its trust score dropped to 25?"**
+This plugin answers that question in <5ms.
+## What It Does
+```
+Agent calls exec("git push origin main")
+  → Governance evaluates: tool + time + trust + frequency + context
+  → Verdict: DENY — "Forge cannot push to main (trust: restricted, score: 32)"
+  → Audit record written (JSONL, ISO 27001 mapped)
+  → Agent gets a clear rejection reason
+```
+**Four things no competitor does:**
+1. **Contextual Policies** — Not just "which tool" but "which tool, when, by whom, in what conversation, at what risk level"
+2. **Learning Trust** — Agents earn autonomy. Score 0-100, five tiers, decay on inactivity. A new sub-agent starts untrusted and works its way up.
+3. **Cross-Agent Governance** — Parent policies cascade to sub-agents. A "no deploy" rule on main also blocks forge. Trust is capped: child can never exceed parent.
+4. **Compliance Audit Trail** — Append-only JSONL with ISO 27001 Annex A control mapping. Every decision recorded, redacted, rotatable.
+## Quick Start
+### Install
+```bash
+npm install @vainplex/openclaw-governance
+```
+### Minimal Config
+Add to `openclaw.json` → `plugins`:
+```json
+{
+  "openclaw-governance": {
+    "enabled": true,
+    "timezone": "Europe/Berlin",
+    "builtinPolicies": {
+      "nightMode": true,
+      "credentialGuard": true
+    }
+  }
+}
+```
+That's it. Night mode blocks risky operations 23:00–08:00. Credential guard blocks access to secrets, `.env` files, and password stores.
+### Realistic Config
+```json
+{
+  "openclaw-governance": {
+    "enabled": true,
+    "timezone": "Europe/Berlin",
+    "failMode": "open",
+    "trust": {
+      "defaults": {
+        "main": 60,
+        "forge": 45,
+        "cerberus": 50,
+        "*": 10
+      }
+    },
+    "builtinPolicies": {
+      "nightMode": { "after": "23:00", "before": "08:00" },
+      "credentialGuard": true,
+      "productionSafeguard": true,
+      "rateLimiter": { "maxPerMinute": 15 }
+    },
+    "policies": [
+      {
+        "id": "forge-no-deploy",
+        "name": "Forge Cannot Deploy",
+        "version": "1.0.0",
+        "scope": { "agents": ["forge"] },
+        "rules": [{
+          "id": "block-push",
+          "conditions": [
+            { "type": "tool", "name": "exec", "params": { "command": { "matches": "git push.*(main|master)" } } }
+          ],
+          "effect": { "action": "deny", "reason": "Forge cannot push to main — submit a PR instead" }
+        }]
+      }
+    ],
+    "audit": {
+      "retentionDays": 90,
+      "level": "standard"
+    }
+  }
+}
+```
+## Policy Examples
+### "No dangerous commands at night"
+```json
+{
+  "id": "night-guard",
+  "name": "Night Guard",
+  "scope": {},
+  "rules": [{
+    "id": "deny-exec-at-night",
+    "conditions": [
+      { "type": "tool", "name": ["exec", "gateway", "cron"] },
+      { "type": "time", "after": "23:00", "before": "07:00" }
+    ],
+    "effect": { "action": "deny", "reason": "High-risk tools blocked during night hours" }
+  }]
+}
+```
+### "Only trusted agents can spawn sub-agents"
+```json
+{
+  "id": "spawn-control",
+  "name": "Spawn Control",
+  "scope": {},
+  "rules": [{
+    "id": "require-trust",
+    "conditions": [
+      { "type": "tool", "name": "sessions_spawn" },
+      { "type": "agent", "maxScore": 39 }
+    ],
+    "effect": { "action": "deny", "reason": "Agents below score 40 cannot spawn sub-agents" }
+  }]
+}
+```
+### "Rate limit external messaging"
+```json
+{
+  "id": "message-rate-limit",
+  "name": "Message Rate Limit",
+  "scope": {},
+  "rules": [{
+    "id": "throttle",
+    "conditions": [
+      { "type": "tool", "name": "message" },
+      { "type": "frequency", "maxCount": 5, "windowSeconds": 60, "scope": "agent" }
+    ],
+    "effect": { "action": "deny", "reason": "Message rate limit exceeded (5/min)" }
+  }]
+}
+```
+### "Block production commands for untrusted agents"
+```json
+{
+  "id": "prod-safety",
+  "name": "Production Safety",
+  "scope": {},
+  "rules": [{
+    "id": "block-prod",
+    "conditions": [
+      { "type": "tool", "name": "exec", "params": { "command": { "matches": "(systemctl|docker).*(restart|stop|rm|kill)" } } },
+      { "type": "agent", "trustTier": ["untrusted", "restricted"] }
+    ],
+    "effect": { "action": "deny", "reason": "Production operations require at least 'standard' trust tier" }
+  }]
+}
+```
+## Condition Types
+| Type | What it checks | Example |
+|------|---------------|---------|
+| `tool` | Tool name, parameters (exact, glob, regex) | `{ "type": "tool", "name": "exec", "params": { "command": { "contains": "rm" } } }` |
+| `time` | Hour, day-of-week, named windows | `{ "type": "time", "after": "22:00", "before": "06:00", "days": [0, 6] }` |
+| `agent` | Agent ID, trust tier, score range | `{ "type": "agent", "trustTier": "untrusted", "maxScore": 20 }` |
+| `context` | Conversation, message content, channel | `{ "type": "context", "channel": "telegram" }` |
+| `risk` | Computed risk level | `{ "type": "risk", "minRisk": "high" }` |
+| `frequency` | Actions per time window | `{ "type": "frequency", "maxCount": 10, "windowSeconds": 60 }` |
+| `any` | OR — at least one sub-condition | `{ "type": "any", "conditions": [...] }` |
+| `not` | Negation | `{ "type": "not", "condition": { ... } }` |
+All conditions in a rule are AND-combined. Use `any` for OR logic.
+## Trust System
+Agents start with a configured default score and earn (or lose) trust through actions:
+| Tier | Score | What they can do |
+|------|-------|-----------------|
+| `untrusted` | 0–19 | Read-only, no external actions |
+| `restricted` | 20–39 | Basic operations, no production |
+| `standard` | 40–59 | Normal operation |
+| `trusted` | 60–79 | Extended permissions, can spawn agents |
+| `privileged` | 80–100 | Full autonomy |
+- **+0.1** per successful tool call (capped at +30 total)
+- **-2** per violation (resets clean streak)
+- **+0.5/day** age bonus (capped at +20)
+- **+0.3/day** clean streak (capped at +20)
+- **Decay:** Score × 0.95 after 30 days of inactivity
+Trust persists across restarts. Sub-agents inherit a trust ceiling from their parent — they can never exceed their parent's score.
+## Cross-Agent Governance
+When a main agent spawns a sub-agent (e.g. `forge`):
+1. The parent→child relationship is tracked automatically
+2. Parent's deny policies cascade to the child
+3. Child's trust is capped at parent's score
+4. Audit records include the full lineage (`parentAgentId`, `inheritedPolicyIds`)
+This means: if you deny `main` from touching production, `forge` can't either. No escaping through sub-agents.
+## Audit Trail
+Every governance decision is logged to `{workspace}/governance/audit/YYYY-MM-DD.jsonl`:
+```json
+{
+  "id": "550e8400-e29b-41d4-a716-446655440000",
+  "timestamp": 1708300000000,
+  "timestampIso": "2026-02-18T14:00:00.000Z",
+  "verdict": "deny",
+  "context": {
+    "hook": "before_tool_call",
+    "agentId": "forge",
+    "toolName": "exec",
+    "toolParams": { "command": "git push origin main" },
+    "crossAgent": { "parentAgentId": "main", "trustCeiling": 60 }
+  },
+  "trust": { "score": 32, "tier": "restricted" },
+  "risk": { "level": "high", "score": 72 },
+  "matchedPolicies": [{ "policyId": "forge-no-deploy", "ruleId": "block-push" }],
+  "controls": ["A.8.3", "A.8.5", "A.5.24", "A.5.28"]
+}
+```
+- **Rotation:** One file per day, auto-cleaned after `retentionDays`
+- **Redaction:** Sensitive data (passwords, tokens, keys) redacted before write
+- **ISO 27001:** Each record maps to Annex A controls for compliance audits
+## Built-in Policies
+Enable with a boolean or customize:
+| Policy | What it does | Config |
+|--------|-------------|--------|
+| `nightMode` | Blocks risky tools during off-hours | `true` or `{ "after": "23:00", "before": "08:00" }` |
+| `credentialGuard` | Blocks access to secrets, `.env`, passwords | `true` |
+| `productionSafeguard` | Blocks `systemctl`, `docker rm`, destructive ops | `true` |
+| `rateLimiter` | Throttles tool calls per minute | `true` or `{ "maxPerMinute": 15 }` |
+## Commands
+| Command | Description |
+|---------|-------------|
+| `/governance` | Show engine status, policy count, trust overview |
+## Performance
+- Evaluation: **<5ms** for 10+ regex policies
+- Zero runtime dependencies (only Node.js builtins)
+- Pre-compiled regex cache, ring buffer frequency tracking
+- Fail-open by default (configurable to fail-closed)
+## Requirements
+- Node.js ≥ 22.0.0
+- OpenClaw gateway
+## Part of the Vainplex Plugin Suite
+| # | Plugin | Status |
+|---|--------|--------|
+| 1 | [@vainplex/openclaw-nats-eventstore](https://github.com/alberthild/openclaw-nats-eventstore) | ✅ v0.2.0 |
+| 2 | [@vainplex/openclaw-cortex](https://github.com/alberthild/openclaw-cortex) | ✅ v0.1.0 |
+| 3 | **@vainplex/openclaw-governance** | ✅ v0.1.0 |
+| 4 | [@vainplex/openclaw-knowledge-engine](https://github.com/alberthild/openclaw-knowledge-engine) | ✅ v0.1.2 |
+| 5 | @vainplex/openclaw-membrane | 🔜 Planning |
+## License
+MIT © [Albert Hild](https://github.com/alberthild)

package/dist/index.d.ts ADDED Viewed

@@ -0,0 +1,10 @@
+import type { OpenClawPluginApi } from "./src/types.js";
+declare const plugin: {
+    id: string;
+    name: string;
+    description: string;
+    version: string;
+    register(api: OpenClawPluginApi): void;
+};
+export default plugin;
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAC;AAOxD,QAAA,MAAM,MAAM;;;;;kBAMI,iBAAiB;CAiChC,CAAC;AAEF,eAAe,MAAM,CAAC"}

package/dist/index.js ADDED Viewed

@@ -0,0 +1,30 @@
+import { resolveConfig } from "./src/config.js";
+import { GovernanceEngine } from "./src/engine.js";
+import { registerGovernanceHooks } from "./src/hooks.js";
+const plugin = {
+    id: "openclaw-governance",
+    name: "OpenClaw Governance",
+    description: "Contextual, learning, cross-agent governance for AI agents",
+    version: "0.1.0",
+    register(api) {
+        const config = resolveConfig(api.pluginConfig);
+        if (!config.enabled) {
+            api.logger.info("[governance] Disabled via config");
+            return;
+        }
+        const engine = new GovernanceEngine(config, api.logger);
+        api.registerService({
+            id: "governance-engine",
+            start: async () => engine.start(),
+            stop: async () => engine.stop(),
+        });
+        registerGovernanceHooks(api, engine, config);
+        api.registerGatewayMethod("governance.status", async () => engine.getStatus());
+        api.registerGatewayMethod("governance.trust", async (...args) => {
+            const params = args[0];
+            return engine.getTrust(params?.agentId);
+        });
+    },
+};
+export default plugin;
+//# sourceMappingURL=index.js.map

package/dist/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAChD,OAAO,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AACnD,OAAO,EAAE,uBAAuB,EAAE,MAAM,gBAAgB,CAAC;AAIzD,MAAM,MAAM,GAAG;IACb,EAAE,EAAE,qBAAqB;IACzB,IAAI,EAAE,qBAAqB;IAC3B,WAAW,EAAE,4DAA4D;IACzE,OAAO,EAAE,OAAO;IAEhB,QAAQ,CAAC,GAAsB;QAC7B,MAAM,MAAM,GAAG,aAAa,CAC1B,GAAG,CAAC,YAAmD,CACxD,CAAC;QAEF,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACpB,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,kCAAkC,CAAC,CAAC;YACpD,OAAO;QACT,CAAC;QAED,MAAM,MAAM,GAAG,IAAI,gBAAgB,CAAC,MAAM,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;QAExD,GAAG,CAAC,eAAe,CAAC;YAClB,EAAE,EAAE,mBAAmB;YACvB,KAAK,EAAE,KAAK,IAAI,EAAE,CAAC,MAAM,CAAC,KAAK,EAAE;YACjC,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC,MAAM,CAAC,IAAI,EAAE;SAChC,CAAC,CAAC;QAEH,uBAAuB,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;QAE7C,GAAG,CAAC,qBAAqB,CACvB,mBAAmB,EACnB,KAAK,IAAI,EAAE,CAAC,MAAM,CAAC,SAAS,EAAE,CAC/B,CAAC;QAEF,GAAG,CAAC,qBAAqB,CACvB,kBAAkB,EAClB,KAAK,EAAE,GAAG,IAAe,EAAE,EAAE;YAC3B,MAAM,MAAM,GAAG,IAAI,CAAC,CAAC,CAAc,CAAC;YACpC,OAAO,MAAM,CAAC,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QAC1C,CAAC,CACF,CAAC;IACJ,CAAC;CACF,CAAC;AAEF,eAAe,MAAM,CAAC"}

package/dist/src/audit-redactor.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+import type { AuditContext } from "./types.js";
+export declare function createRedactor(customPatterns: string[]): (ctx: AuditContext) => AuditContext;
+//# sourceMappingURL=audit-redactor.d.ts.map

package/dist/src/audit-redactor.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"audit-redactor.d.ts","sourceRoot":"","sources":["../../src/audit-redactor.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AA+D/C,wBAAgB,cAAc,CAC5B,cAAc,EAAE,MAAM,EAAE,GACvB,CAAC,GAAG,EAAE,YAAY,KAAK,YAAY,CAyBrC"}

package/dist/src/audit-redactor.js ADDED Viewed

@@ -0,0 +1,68 @@
+const SENSITIVE_KEYS = new Set([
+    "password",
+    "secret",
+    "token",
+    "apikey",
+    "api_key",
+    "credential",
+    "auth",
+    "authorization",
+    "cookie",
+    "session",
+]);
+const MAX_MESSAGE_LENGTH = 500;
+function isSensitiveKey(key) {
+    return SENSITIVE_KEYS.has(key.toLowerCase());
+}
+function redactValue(key, value, customPatterns) {
+    if (isSensitiveKey(key))
+        return "[REDACTED]";
+    if (typeof value === "string") {
+        for (const pattern of customPatterns) {
+            if (pattern.test(key) || pattern.test(value)) {
+                return "[REDACTED]";
+            }
+        }
+    }
+    return value;
+}
+function redactRecord(obj, customPatterns) {
+    const result = {};
+    for (const [key, value] of Object.entries(obj)) {
+        if (typeof value === "object" && value !== null && !Array.isArray(value)) {
+            result[key] = redactRecord(value, customPatterns);
+        }
+        else {
+            result[key] = redactValue(key, value, customPatterns);
+        }
+    }
+    return result;
+}
+function truncateMessage(content) {
+    if (!content)
+        return content;
+    if (content.length <= MAX_MESSAGE_LENGTH)
+        return content;
+    return content.slice(0, MAX_MESSAGE_LENGTH) + " [TRUNCATED]";
+}
+export function createRedactor(customPatterns) {
+    const compiled = customPatterns
+        .map((p) => {
+        try {
+            return new RegExp(p, "i");
+        }
+        catch {
+            return null;
+        }
+    })
+        .filter((r) => r !== null);
+    return (ctx) => {
+        const redacted = { ...ctx };
+        if (redacted.toolParams) {
+            redacted.toolParams = redactRecord(redacted.toolParams, compiled);
+        }
+        redacted.messageContent = truncateMessage(redacted.messageContent);
+        return redacted;
+    };
+}
+//# sourceMappingURL=audit-redactor.js.map

package/dist/src/audit-redactor.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"audit-redactor.js","sourceRoot":"","sources":["../../src/audit-redactor.ts"],"names":[],"mappings":"AAEA,MAAM,cAAc,GAAG,IAAI,GAAG,CAAC;IAC7B,UAAU;IACV,QAAQ;IACR,OAAO;IACP,QAAQ;IACR,SAAS;IACT,YAAY;IACZ,MAAM;IACN,eAAe;IACf,QAAQ;IACR,SAAS;CACV,CAAC,CAAC;AAEH,MAAM,kBAAkB,GAAG,GAAG,CAAC;AAE/B,SAAS,cAAc,CAAC,GAAW;IACjC,OAAO,cAAc,CAAC,GAAG,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,CAAC;AAC/C,CAAC;AAED,SAAS,WAAW,CAClB,GAAW,EACX,KAAc,EACd,cAAwB;IAExB,IAAI,cAAc,CAAC,GAAG,CAAC;QAAE,OAAO,YAAY,CAAC;IAE7C,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,KAAK,MAAM,OAAO,IAAI,cAAc,EAAE,CAAC;YACrC,IAAI,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC7C,OAAO,YAAY,CAAC;YACtB,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,YAAY,CACnB,GAA4B,EAC5B,cAAwB;IAExB,MAAM,MAAM,GAA4B,EAAE,CAAC;IAC3C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QAC/C,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YACzE,MAAM,CAAC,GAAG,CAAC,GAAG,YAAY,CACxB,KAAgC,EAChC,cAAc,CACf,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,MAAM,CAAC,GAAG,CAAC,GAAG,WAAW,CAAC,GAAG,EAAE,KAAK,EAAE,cAAc,CAAC,CAAC;QACxD,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,eAAe,CAAC,OAA2B;IAClD,IAAI,CAAC,OAAO;QAAE,OAAO,OAAO,CAAC;IAC7B,IAAI,OAAO,CAAC,MAAM,IAAI,kBAAkB;QAAE,OAAO,OAAO,CAAC;IACzD,OAAO,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,kBAAkB,CAAC,GAAG,cAAc,CAAC;AAC/D,CAAC;AAED,MAAM,UAAU,cAAc,CAC5B,cAAwB;IAExB,MAAM,QAAQ,GAAG,cAAc;SAC5B,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE;QACT,IAAI,CAAC;YACH,OAAO,IAAI,MAAM,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;QAC5B,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC,CAAC;SACD,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC;IAE1C,OAAO,CAAC,GAAiB,EAAgB,EAAE;QACzC,MAAM,QAAQ,GAAG,EAAE,GAAG,GAAG,EAAE,CAAC;QAE5B,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC;YACxB,QAAQ,CAAC,UAAU,GAAG,YAAY,CAChC,QAAQ,CAAC,UAAU,EACnB,QAAQ,CACT,CAAC;QACJ,CAAC;QAED,QAAQ,CAAC,cAAc,GAAG,eAAe,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC;QAEnE,OAAO,QAAQ,CAAC;IAClB,CAAC,CAAC;AACJ,CAAC"}

package/dist/src/audit-trail.d.ts ADDED Viewed

@@ -0,0 +1,27 @@
+import type { AuditConfig, AuditContext, AuditFilter, AuditRecord, AuditStats, AuditVerdict, MatchedPolicy, PluginLogger, RiskLevel, TrustTier } from "./types.js";
+export declare class AuditTrail {
+    private readonly config;
+    private readonly auditDir;
+    private readonly logger;
+    private readonly redact;
+    private buffer;
+    private flushTimer;
+    private todayRecordCount;
+    constructor(config: AuditConfig, workspace: string, logger: PluginLogger);
+    load(): void;
+    record(verdict: AuditVerdict, context: AuditContext, trust: {
+        score: number;
+        tier: TrustTier;
+    }, risk: {
+        level: RiskLevel;
+        score: number;
+    }, matchedPolicies: MatchedPolicy[], evaluationUs: number): AuditRecord;
+    query(filter: AuditFilter): AuditRecord[];
+    flush(): void;
+    startAutoFlush(): void;
+    stopAutoFlush(): void;
+    getStats(): AuditStats;
+    private cleanOldFiles;
+    private countTodayRecords;
+}
+//# sourceMappingURL=audit-trail.d.ts.map

package/dist/src/audit-trail.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"audit-trail.d.ts","sourceRoot":"","sources":["../../src/audit-trail.ts"],"names":[],"mappings":"AAUA,OAAO,KAAK,EACV,WAAW,EACX,YAAY,EACZ,WAAW,EACX,WAAW,EACX,UAAU,EACV,YAAY,EACZ,aAAa,EACb,YAAY,EACZ,SAAS,EACT,SAAS,EACV,MAAM,YAAY,CAAC;AAuBpB,qBAAa,UAAU;IACrB,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAc;IACrC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;IAClC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAe;IACtC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAsC;IAC7D,OAAO,CAAC,MAAM,CAAqB;IACnC,OAAO,CAAC,UAAU,CAA+C;IACjE,OAAO,CAAC,gBAAgB,CAAK;gBAG3B,MAAM,EAAE,WAAW,EACnB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,YAAY;IAQtB,IAAI,IAAI,IAAI;IASZ,MAAM,CACJ,OAAO,EAAE,YAAY,EACrB,OAAO,EAAE,YAAY,EACrB,KAAK,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,SAAS,CAAA;KAAE,EACzC,IAAI,EAAE;QAAE,KAAK,EAAE,SAAS,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,EACzC,eAAe,EAAE,aAAa,EAAE,EAChC,YAAY,EAAE,MAAM,GACnB,WAAW;IA2Bd,KAAK,CAAC,MAAM,EAAE,WAAW,GAAG,WAAW,EAAE;IAuCzC,KAAK,IAAI,IAAI;IA8Bb,cAAc,IAAI,IAAI;IAMtB,aAAa,IAAI,IAAI;IAQrB,QAAQ,IAAI,UAAU;IAetB,OAAO,CAAC,aAAa;IAsBrB,OAAO,CAAC,iBAAiB;CAQ1B"}

package/dist/src/audit-trail.js ADDED Viewed

@@ -0,0 +1,192 @@
+import { appendFileSync, existsSync, mkdirSync, readFileSync, readdirSync, unlinkSync, } from "node:fs";
+import { randomUUID } from "node:crypto";
+import { join } from "node:path";
+import { createRedactor } from "./audit-redactor.js";
+const ISO_CONTROLS_MAP = {
+    before_tool_call: ["A.8.3", "A.8.5"],
+    message_sending: ["A.5.14"],
+    trust_adjustment: ["A.5.15", "A.8.2"],
+    violation: ["A.5.24", "A.5.28"],
+    config_change: ["A.8.9"],
+};
+function getControls(hook, verdict) {
+    const controls = ISO_CONTROLS_MAP[hook] ?? [];
+    if (verdict === "deny") {
+        return [...controls, "A.5.24", "A.5.28"];
+    }
+    return controls;
+}
+function dateStr(ts) {
+    return new Date(ts).toISOString().slice(0, 10);
+}
+export class AuditTrail {
+    config;
+    auditDir;
+    logger;
+    redact;
+    buffer = [];
+    flushTimer = null;
+    todayRecordCount = 0;
+    constructor(config, workspace, logger) {
+        this.config = config;
+        this.auditDir = join(workspace, "governance", "audit");
+        this.logger = logger;
+        this.redact = createRedactor(config.redactPatterns);
+    }
+    load() {
+        if (!existsSync(this.auditDir)) {
+            mkdirSync(this.auditDir, { recursive: true });
+        }
+        this.cleanOldFiles();
+        this.countTodayRecords();
+        this.logger.info("[governance] Audit trail loaded");
+    }
+    record(verdict, context, trust, risk, matchedPolicies, evaluationUs) {
+        const now = Date.now();
+        const redacted = this.redact(context);
+        const rec = {
+            id: randomUUID(),
+            timestamp: now,
+            timestampIso: new Date(now).toISOString(),
+            verdict,
+            context: redacted,
+            trust,
+            risk,
+            matchedPolicies,
+            evaluationUs,
+            controls: [...new Set(getControls(context.hook, verdict))],
+        };
+        this.buffer.push(rec);
+        this.todayRecordCount++;
+        if (this.buffer.length >= 100) {
+            this.flush();
+        }
+        return rec;
+    }
+    query(filter) {
+        const results = [];
+        const limit = filter.limit ?? 100;
+        if (!existsSync(this.auditDir))
+            return results;
+        const files = readdirSync(this.auditDir)
+            .filter((f) => f.endsWith(".jsonl"))
+            .sort()
+            .reverse();
+        for (const file of files) {
+            const content = readFileSync(join(this.auditDir, file), "utf-8");
+            const lines = content.trim().split("\n").filter(Boolean);
+            for (const line of lines.reverse()) {
+                try {
+                    const rec = JSON.parse(line);
+                    if (matchesFilter(rec, filter)) {
+                        results.push(rec);
+                        if (results.length >= limit)
+                            return results;
+                    }
+                }
+                catch {
+                    // Skip malformed lines
+                }
+            }
+        }
+        // Also include buffered records
+        for (const rec of [...this.buffer].reverse()) {
+            if (matchesFilter(rec, filter)) {
+                results.push(rec);
+                if (results.length >= limit)
+                    return results;
+            }
+        }
+        return results;
+    }
+    flush() {
+        if (this.buffer.length === 0)
+            return;
+        if (!existsSync(this.auditDir)) {
+            mkdirSync(this.auditDir, { recursive: true });
+        }
+        const groups = new Map();
+        for (const rec of this.buffer) {
+            const day = dateStr(rec.timestamp);
+            const list = groups.get(day) ?? [];
+            list.push(rec);
+            groups.set(day, list);
+        }
+        for (const [day, records] of groups) {
+            const filePath = join(this.auditDir, `${day}.jsonl`);
+            const lines = records.map((r) => JSON.stringify(r)).join("\n") + "\n";
+            try {
+                appendFileSync(filePath, lines);
+            }
+            catch (e) {
+                this.logger.error(`[governance] Failed to write audit: ${e instanceof Error ? e.message : String(e)}`);
+            }
+        }
+        this.buffer = [];
+    }
+    startAutoFlush() {
+        if (this.flushTimer)
+            return;
+        this.flushTimer = setInterval(() => this.flush(), 1000);
+        this.flushTimer.unref();
+    }
+    stopAutoFlush() {
+        if (this.flushTimer) {
+            clearInterval(this.flushTimer);
+            this.flushTimer = null;
+        }
+        this.flush();
+    }
+    getStats() {
+        const files = existsSync(this.auditDir)
+            ? readdirSync(this.auditDir)
+                .filter((f) => f.endsWith(".jsonl"))
+                .sort()
+            : [];
+        return {
+            totalRecords: this.todayRecordCount,
+            todayRecords: this.todayRecordCount,
+            oldestRecord: files[0]?.replace(".jsonl", ""),
+            newestRecord: files[files.length - 1]?.replace(".jsonl", ""),
+        };
+    }
+    cleanOldFiles() {
+        if (!existsSync(this.auditDir))
+            return;
+        const cutoff = Date.now() - this.config.retentionDays * 24 * 60 * 60 * 1000;
+        const files = readdirSync(this.auditDir).filter((f) => f.endsWith(".jsonl"));
+        for (const file of files) {
+            const dateStr = file.replace(".jsonl", "");
+            const fileDate = new Date(dateStr).getTime();
+            if (!Number.isNaN(fileDate) && fileDate < cutoff) {
+                try {
+                    unlinkSync(join(this.auditDir, file));
+                    this.logger.info(`[governance] Cleaned old audit file: ${file}`);
+                }
+                catch {
+                    // ignore cleanup errors
+                }
+            }
+        }
+    }
+    countTodayRecords() {
+        const today = dateStr(Date.now());
+        const filePath = join(this.auditDir, `${today}.jsonl`);
+        if (existsSync(filePath)) {
+            const content = readFileSync(filePath, "utf-8");
+            this.todayRecordCount = content.trim().split("\n").filter(Boolean).length;
+        }
+    }
+}
+function matchesFilter(rec, filter) {
+    if (filter.agentId && rec.context.agentId !== filter.agentId)
+        return false;
+    if (filter.verdict && rec.verdict !== filter.verdict)
+        return false;
+    if (filter.after && rec.timestamp < filter.after)
+        return false;
+    if (filter.before && rec.timestamp > filter.before)
+        return false;
+    return true;
+}
+//# sourceMappingURL=audit-trail.js.map

package/dist/src/audit-trail.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"audit-trail.js","sourceRoot":"","sources":["../../src/audit-trail.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,cAAc,EACd,UAAU,EACV,SAAS,EACT,YAAY,EACZ,WAAW,EACX,UAAU,GACX,MAAM,SAAS,CAAC;AACjB,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAajC,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAErD,MAAM,gBAAgB,GAA6B;IACjD,gBAAgB,EAAE,CAAC,OAAO,EAAE,OAAO,CAAC;IACpC,eAAe,EAAE,CAAC,QAAQ,CAAC;IAC3B,gBAAgB,EAAE,CAAC,QAAQ,EAAE,OAAO,CAAC;IACrC,SAAS,EAAE,CAAC,QAAQ,EAAE,QAAQ,CAAC;IAC/B,aAAa,EAAE,CAAC,OAAO,CAAC;CACzB,CAAC;AAEF,SAAS,WAAW,CAAC,IAAY,EAAE,OAAqB;IACtD,MAAM,QAAQ,GAAG,gBAAgB,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;IAC9C,IAAI,OAAO,KAAK,MAAM,EAAE,CAAC;QACvB,OAAO,CAAC,GAAG,QAAQ,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC;IAC3C,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,OAAO,CAAC,EAAU;IACzB,OAAO,IAAI,IAAI,CAAC,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACjD,CAAC;AAED,MAAM,OAAO,UAAU;IACJ,MAAM,CAAc;IACpB,QAAQ,CAAS;IACjB,MAAM,CAAe;IACrB,MAAM,CAAsC;IACrD,MAAM,GAAkB,EAAE,CAAC;IAC3B,UAAU,GAA0C,IAAI,CAAC;IACzD,gBAAgB,GAAG,CAAC,CAAC;IAE7B,YACE,MAAmB,EACnB,SAAiB,EACjB,MAAoB;QAEpB,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,SAAS,EAAE,YAAY,EAAE,OAAO,CAAC,CAAC;QACvD,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,MAAM,GAAG,cAAc,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;IACtD,CAAC;IAED,IAAI;QACF,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC/B,SAAS,CAAC,IAAI,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAChD,CAAC;QACD,IAAI,CAAC,aAAa,EAAE,CAAC;QACrB,IAAI,CAAC,iBAAiB,EAAE,CAAC;QACzB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,iCAAiC,CAAC,CAAC;IACtD,CAAC;IAED,MAAM,CACJ,OAAqB,EACrB,OAAqB,EACrB,KAAyC,EACzC,IAAyC,EACzC,eAAgC,EAChC,YAAoB;QAEpB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAEtC,MAAM,GAAG,GAAgB;YACvB,EAAE,EAAE,UAAU,EAAE;YAChB,SAAS,EAAE,GAAG;YACd,YAAY,EAAE,IAAI,IAAI,CAAC,GAAG,CAAC,CAAC,WAAW,EAAE;YACzC,OAAO;YACP,OAAO,EAAE,QAAQ;YACjB,KAAK;YACL,IAAI;YACJ,eAAe;YACf,YAAY;YACZ,QAAQ,EAAE,CAAC,GAAG,IAAI,GAAG,CAAC,WAAW,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC;SAC3D,CAAC;QAEF,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACtB,IAAI,CAAC,gBAAgB,EAAE,CAAC;QAExB,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,IAAI,GAAG,EAAE,CAAC;YAC9B,IAAI,CAAC,KAAK,EAAE,CAAC;QACf,CAAC;QAED,OAAO,GAAG,CAAC;IACb,CAAC;IAED,KAAK,CAAC,MAAmB;QACvB,MAAM,OAAO,GAAkB,EAAE,CAAC;QAClC,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,IAAI,GAAG,CAAC;QAElC,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,QAAQ,CAAC;YAAE,OAAO,OAAO,CAAC;QAE/C,MAAM,KAAK,GAAG,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC;aACrC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;aACnC,IAAI,EAAE;aACN,OAAO,EAAE,CAAC;QAEb,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,EAAE,OAAO,CAAC,CAAC;YACjE,MAAM,KAAK,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;YAEzD,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,OAAO,EAAE,EAAE,CAAC;gBACnC,IAAI,CAAC;oBACH,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAgB,CAAC;oBAC5C,IAAI,aAAa,CAAC,GAAG,EAAE,MAAM,CAAC,EAAE,CAAC;wBAC/B,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;wBAClB,IAAI,OAAO,CAAC,MAAM,IAAI,KAAK;4BAAE,OAAO,OAAO,CAAC;oBAC9C,CAAC;gBACH,CAAC;gBAAC,MAAM,CAAC;oBACP,uBAAuB;gBACzB,CAAC;YACH,CAAC;QACH,CAAC;QAED,gCAAgC;QAChC,KAAK,MAAM,GAAG,IAAI,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC;YAC7C,IAAI,aAAa,CAAC,GAAG,EAAE,MAAM,CAAC,EAAE,CAAC;gBAC/B,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;gBAClB,IAAI,OAAO,CAAC,MAAM,IAAI,KAAK;oBAAE,OAAO,OAAO,CAAC;YAC9C,CAAC;QACH,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,KAAK;QACH,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO;QAErC,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC/B,SAAS,CAAC,IAAI,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAChD,CAAC;QAED,MAAM,MAAM,GAAG,IAAI,GAAG,EAAyB,CAAC;QAChD,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAC9B,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;YACnC,MAAM,IAAI,GAAG,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;YACnC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACf,MAAM,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;QACxB,CAAC;QAED,KAAK,MAAM,CAAC,GAAG,EAAE,OAAO,CAAC,IAAI,MAAM,EAAE,CAAC;YACpC,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,GAAG,GAAG,QAAQ,CAAC,CAAC;YACrD,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;YACtE,IAAI,CAAC;gBACH,cAAc,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;YAClC,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,uCAAuC,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CACpF,CAAC;YACJ,CAAC;QACH,CAAC;QAED,IAAI,CAAC,MAAM,GAAG,EAAE,CAAC;IACnB,CAAC;IAED,cAAc;QACZ,IAAI,IAAI,CAAC,UAAU;YAAE,OAAO;QAC5B,IAAI,CAAC,UAAU,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,KAAK,EAAE,EAAE,IAAI,CAAC,CAAC;QACxD,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,CAAC;IAC1B,CAAC;IAED,aAAa;QACX,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YACpB,aAAa,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;YAC/B,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC;QACzB,CAAC;QACD,IAAI,CAAC,KAAK,EAAE,CAAC;IACf,CAAC;IAED,QAAQ;QACN,MAAM,KAAK,GAAG,UAAU,CAAC,IAAI,CAAC,QAAQ,CAAC;YACrC,CAAC,CAAC,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC;iBACvB,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;iBACnC,IAAI,EAAE;YACX,CAAC,CAAC,EAAE,CAAC;QAEP,OAAO;YACL,YAAY,EAAE,IAAI,CAAC,gBAAgB;YACnC,YAAY,EAAE,IAAI,CAAC,gBAAgB;YACnC,YAAY,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC;YAC7C,YAAY,EAAE,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,EAAE,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC;SAC7D,CAAC;IACJ,CAAC;IAEO,aAAa;QACnB,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,QAAQ,CAAC;YAAE,OAAO;QAEvC,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,MAAM,CAAC,aAAa,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;QAC5E,MAAM,KAAK,GAAG,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CACpD,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CACrB,CAAC;QAEF,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;YAC3C,MAAM,QAAQ,GAAG,IAAI,IAAI,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE,CAAC;YAC7C,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,QAAQ,GAAG,MAAM,EAAE,CAAC;gBACjD,IAAI,CAAC;oBACH,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC,CAAC;oBACtC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,wCAAwC,IAAI,EAAE,CAAC,CAAC;gBACnE,CAAC;gBAAC,MAAM,CAAC;oBACP,wBAAwB;gBAC1B,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAEO,iBAAiB;QACvB,MAAM,KAAK,GAAG,OAAO,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;QAClC,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,GAAG,KAAK,QAAQ,CAAC,CAAC;QACvD,IAAI,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;YACzB,MAAM,OAAO,GAAG,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;YAChD,IAAI,CAAC,gBAAgB,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC;QAC5E,CAAC;IACH,CAAC;CACF;AAED,SAAS,aAAa,CAAC,GAAgB,EAAE,MAAmB;IAC1D,IAAI,MAAM,CAAC,OAAO,IAAI,GAAG,CAAC,OAAO,CAAC,OAAO,KAAK,MAAM,CAAC,OAAO;QAAE,OAAO,KAAK,CAAC;IAC3E,IAAI,MAAM,CAAC,OAAO,IAAI,GAAG,CAAC,OAAO,KAAK,MAAM,CAAC,OAAO;QAAE,OAAO,KAAK,CAAC;IACnE,IAAI,MAAM,CAAC,KAAK,IAAI,GAAG,CAAC,SAAS,GAAG,MAAM,CAAC,KAAK;QAAE,OAAO,KAAK,CAAC;IAC/D,IAAI,MAAM,CAAC,MAAM,IAAI,GAAG,CAAC,SAAS,GAAG,MAAM,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IACjE,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/src/builtin-policies.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+import type { BuiltinPoliciesConfig, Policy } from "./types.js";
+export declare function getBuiltinPolicies(config: BuiltinPoliciesConfig): Policy[];
+//# sourceMappingURL=builtin-policies.d.ts.map