@vess-id/vess 0.2.0-alpha.1

package/dist/identity/did-manager.js

@@ -0,0 +1,29 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DIDManager = void 0;
+const ai_identity_1 = require("@vess-id/ai-identity");
+class DIDManager {
+    static async generateRootDID() {
+        return DIDManager.generateDID();
+    }
+    static async generateAgentDID() {
+        return DIDManager.generateDID();
+    }
+    static async generateDID() {
+        const keyPair = await (0, ai_identity_1.generateKeyPair)();
+        const did = (0, ai_identity_1.createDidJwk)(keyPair.publicKey);
+        return {
+            did,
+            privateKeyJwk: JSON.stringify(keyPair.privateKey),
+            publicKeyJwk: {
+                kty: keyPair.publicKey.kty,
+                crv: keyPair.publicKey.crv,
+                x: keyPair.publicKey.x,
+                y: keyPair.publicKey.y,
+                alg: keyPair.publicKey.alg,
+            },
+        };
+    }
+}
+exports.DIDManager = DIDManager;
+//# sourceMappingURL=did-manager.js.map

package/dist/identity/did-manager.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"did-manager.js","sourceRoot":"","sources":["../../src/identity/did-manager.ts"],"names":[],"mappings":";;;AAAA,sDAAoE;AAcpE,MAAa,UAAU;IACrB,MAAM,CAAC,KAAK,CAAC,eAAe;QAC1B,OAAO,UAAU,CAAC,WAAW,EAAE,CAAA;IACjC,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,gBAAgB;QAC3B,OAAO,UAAU,CAAC,WAAW,EAAE,CAAA;IACjC,CAAC;IAEO,MAAM,CAAC,KAAK,CAAC,WAAW;QAC9B,MAAM,OAAO,GAAG,MAAM,IAAA,6BAAe,GAAE,CAAA;QACvC,MAAM,GAAG,GAAG,IAAA,0BAAY,EAAC,OAAO,CAAC,SAAS,CAAC,CAAA;QAE3C,OAAO;YACL,GAAG;YACH,aAAa,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,UAAU,CAAC;YACjD,YAAY,EAAE;gBACZ,GAAG,EAAE,OAAO,CAAC,SAAS,CAAC,GAAI;gBAC3B,GAAG,EAAE,OAAO,CAAC,SAAS,CAAC,GAAG;gBAC1B,CAAC,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC;gBACtB,CAAC,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC;gBACtB,GAAG,EAAE,OAAO,CAAC,SAAS,CAAC,GAAG;aAC3B;SACF,CAAA;IACH,CAAC;CACF;AAzBD,gCAyBC"}

package/dist/identity/key-manager.d.ts

@@ -0,0 +1,18 @@
+export declare class KeyManager {
+    static getKeychainRef(keyType: 'root' | 'agent', projectId?: string, clientName?: string): string;
+    private createEntry;
+    storeRootKey(privateKeyJwk: string): void;
+    getRootKey(): string | null;
+    deleteRootKey(): void;
+    storeAgentKey(projectId: string, clientName: string, privateKeyJwk: string): void;
+    getAgentKey(projectId: string, clientName: string): string | null;
+    deleteAgentKey(projectId: string, clientName: string): void;
+    storeSessionToken(token: string): void;
+    getSessionToken(): string | null;
+    deleteSessionToken(): void;
+    private envAccount;
+    storeEnvSecret(profile: string, key: string, value: string): void;
+    getEnvSecret(profile: string, key: string): string | null;
+    deleteEnvSecret(profile: string, key: string): void;
+}
+//# sourceMappingURL=key-manager.d.ts.map

package/dist/identity/key-manager.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"key-manager.d.ts","sourceRoot":"","sources":["../../src/identity/key-manager.ts"],"names":[],"mappings":"AAIA,qBAAa,UAAU;IACrB,MAAM,CAAC,cAAc,CACnB,OAAO,EAAE,MAAM,GAAG,OAAO,EACzB,SAAS,CAAC,EAAE,MAAM,EAClB,UAAU,CAAC,EAAE,MAAM,GAClB,MAAM;IAOT,OAAO,CAAC,WAAW;IAInB,YAAY,CAAC,aAAa,EAAE,MAAM,GAAG,IAAI;IAIzC,UAAU,IAAI,MAAM,GAAG,IAAI;IAQ3B,aAAa,IAAI,IAAI;IAQrB,aAAa,CACX,SAAS,EAAE,MAAM,EACjB,UAAU,EAAE,MAAM,EAClB,aAAa,EAAE,MAAM,GACpB,IAAI;IAKP,WAAW,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IASjE,cAAc,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,IAAI;IAS3D,iBAAiB,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI;IAItC,eAAe,IAAI,MAAM,GAAG,IAAI;IAQhC,kBAAkB,IAAI,IAAI;IAU1B,OAAO,CAAC,UAAU;IAIlB,cAAc,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI;IAIjE,YAAY,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAQzD,eAAe,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,IAAI;CAOpD"}

package/dist/identity/key-manager.js

@@ -0,0 +1,101 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.KeyManager = void 0;
+const keyring_1 = require("@napi-rs/keyring");
+const SERVICE_NAME = 'com.vess';
+class KeyManager {
+    static getKeychainRef(keyType, projectId, clientName) {
+        if (keyType === 'root') {
+            return `${SERVICE_NAME}.root-key`;
+        }
+        return `${SERVICE_NAME}.agent.${projectId}.${clientName}`;
+    }
+    createEntry(account) {
+        return new keyring_1.Entry(SERVICE_NAME, account);
+    }
+    storeRootKey(privateKeyJwk) {
+        this.createEntry('root-key').setPassword(privateKeyJwk);
+    }
+    getRootKey() {
+        try {
+            return this.createEntry('root-key').getPassword();
+        }
+        catch {
+            return null;
+        }
+    }
+    deleteRootKey() {
+        try {
+            this.createEntry('root-key').deletePassword();
+        }
+        catch {
+            // Key doesn't exist, ignore
+        }
+    }
+    storeAgentKey(projectId, clientName, privateKeyJwk) {
+        const account = `agent.${projectId}.${clientName}`;
+        this.createEntry(account).setPassword(privateKeyJwk);
+    }
+    getAgentKey(projectId, clientName) {
+        try {
+            const account = `agent.${projectId}.${clientName}`;
+            return this.createEntry(account).getPassword();
+        }
+        catch {
+            return null;
+        }
+    }
+    deleteAgentKey(projectId, clientName) {
+        try {
+            const account = `agent.${projectId}.${clientName}`;
+            this.createEntry(account).deletePassword();
+        }
+        catch {
+            // Key doesn't exist, ignore
+        }
+    }
+    storeSessionToken(token) {
+        this.createEntry('session-token').setPassword(token);
+    }
+    getSessionToken() {
+        try {
+            return this.createEntry('session-token').getPassword();
+        }
+        catch {
+            return null;
+        }
+    }
+    deleteSessionToken() {
+        try {
+            this.createEntry('session-token').deletePassword();
+        }
+        catch {
+            // Token doesn't exist, ignore
+        }
+    }
+    // ── Env secret storage (vess://env/<profile>/<key>) ──
+    envAccount(profile, key) {
+        return `env.${profile}.${key}`;
+    }
+    storeEnvSecret(profile, key, value) {
+        this.createEntry(this.envAccount(profile, key)).setPassword(value);
+    }
+    getEnvSecret(profile, key) {
+        try {
+            return this.createEntry(this.envAccount(profile, key)).getPassword();
+        }
+        catch {
+            return null;
+        }
+    }
+    deleteEnvSecret(profile, key) {
+        try {
+            this.createEntry(this.envAccount(profile, key)).deletePassword();
+        }
+        catch {
+            // Secret doesn't exist, ignore
+        }
+    }
+}
+exports.KeyManager = KeyManager;
+//# sourceMappingURL=key-manager.js.map

package/dist/identity/key-manager.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"key-manager.js","sourceRoot":"","sources":["../../src/identity/key-manager.ts"],"names":[],"mappings":";;;AAAA,8CAAwC;AAExC,MAAM,YAAY,GAAG,UAAU,CAAA;AAE/B,MAAa,UAAU;IACrB,MAAM,CAAC,cAAc,CACnB,OAAyB,EACzB,SAAkB,EAClB,UAAmB;QAEnB,IAAI,OAAO,KAAK,MAAM,EAAE,CAAC;YACvB,OAAO,GAAG,YAAY,WAAW,CAAA;QACnC,CAAC;QACD,OAAO,GAAG,YAAY,UAAU,SAAS,IAAI,UAAU,EAAE,CAAA;IAC3D,CAAC;IAEO,WAAW,CAAC,OAAe;QACjC,OAAO,IAAI,eAAK,CAAC,YAAY,EAAE,OAAO,CAAC,CAAA;IACzC,CAAC;IAED,YAAY,CAAC,aAAqB;QAChC,IAAI,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC,WAAW,CAAC,aAAa,CAAC,CAAA;IACzD,CAAC;IAED,UAAU;QACR,IAAI,CAAC;YACH,OAAO,IAAI,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC,WAAW,EAAE,CAAA;QACnD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAA;QACb,CAAC;IACH,CAAC;IAED,aAAa;QACX,IAAI,CAAC;YACH,IAAI,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC,cAAc,EAAE,CAAA;QAC/C,CAAC;QAAC,MAAM,CAAC;YACP,4BAA4B;QAC9B,CAAC;IACH,CAAC;IAED,aAAa,CACX,SAAiB,EACjB,UAAkB,EAClB,aAAqB;QAErB,MAAM,OAAO,GAAG,SAAS,SAAS,IAAI,UAAU,EAAE,CAAA;QAClD,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC,WAAW,CAAC,aAAa,CAAC,CAAA;IACtD,CAAC;IAED,WAAW,CAAC,SAAiB,EAAE,UAAkB;QAC/C,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,SAAS,SAAS,IAAI,UAAU,EAAE,CAAA;YAClD,OAAO,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC,WAAW,EAAE,CAAA;QAChD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAA;QACb,CAAC;IACH,CAAC;IAED,cAAc,CAAC,SAAiB,EAAE,UAAkB;QAClD,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,SAAS,SAAS,IAAI,UAAU,EAAE,CAAA;YAClD,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC,cAAc,EAAE,CAAA;QAC5C,CAAC;QAAC,MAAM,CAAC;YACP,4BAA4B;QAC9B,CAAC;IACH,CAAC;IAED,iBAAiB,CAAC,KAAa;QAC7B,IAAI,CAAC,WAAW,CAAC,eAAe,CAAC,CAAC,WAAW,CAAC,KAAK,CAAC,CAAA;IACtD,CAAC;IAED,eAAe;QACb,IAAI,CAAC;YACH,OAAO,IAAI,CAAC,WAAW,CAAC,eAAe,CAAC,CAAC,WAAW,EAAE,CAAA;QACxD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAA;QACb,CAAC;IACH,CAAC;IAED,kBAAkB;QAChB,IAAI,CAAC;YACH,IAAI,CAAC,WAAW,CAAC,eAAe,CAAC,CAAC,cAAc,EAAE,CAAA;QACpD,CAAC;QAAC,MAAM,CAAC;YACP,8BAA8B;QAChC,CAAC;IACH,CAAC;IAED,wDAAwD;IAEhD,UAAU,CAAC,OAAe,EAAE,GAAW;QAC7C,OAAO,OAAO,OAAO,IAAI,GAAG,EAAE,CAAA;IAChC,CAAC;IAED,cAAc,CAAC,OAAe,EAAE,GAAW,EAAE,KAAa;QACxD,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,CAAC,WAAW,CAAC,KAAK,CAAC,CAAA;IACpE,CAAC;IAED,YAAY,CAAC,OAAe,EAAE,GAAW;QACvC,IAAI,CAAC;YACH,OAAO,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,CAAC,WAAW,EAAE,CAAA;QACtE,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAA;QACb,CAAC;IACH,CAAC;IAED,eAAe,CAAC,OAAe,EAAE,GAAW;QAC1C,IAAI,CAAC;YACH,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,CAAC,cAAc,EAAE,CAAA;QAClE,CAAC;QAAC,MAAM,CAAC;YACP,+BAA+B;QACjC,CAAC;IACH,CAAC;CACF;AA5GD,gCA4GC"}

package/dist/identity/session-key.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Ephemeral session key generation.
+ * Future extension: delegation chain Root -> Agent -> Session.
+ * Not implemented in beta — this file is a placeholder.
+ *
+ * Future design (spec section 4.2):
+ *   Root Key signs delegation VC from Agent DID to Session DID
+ *   Session Key signs VP (KB-JWT)
+ *   Gateway verifies VC chain (original VC + delegation VC)
+ */
+export declare class SessionKeyManager {
+}
+//# sourceMappingURL=session-key.d.ts.map

package/dist/identity/session-key.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"session-key.d.ts","sourceRoot":"","sources":["../../src/identity/session-key.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AACH,qBAAa,iBAAiB;CAE7B"}

package/dist/identity/session-key.js

@@ -0,0 +1,17 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SessionKeyManager = void 0;
+/**
+ * Ephemeral session key generation.
+ * Future extension: delegation chain Root -> Agent -> Session.
+ * Not implemented in beta — this file is a placeholder.
+ *
+ * Future design (spec section 4.2):
+ *   Root Key signs delegation VC from Agent DID to Session DID
+ *   Session Key signs VP (KB-JWT)
+ *   Gateway verifies VC chain (original VC + delegation VC)
+ */
+class SessionKeyManager {
+}
+exports.SessionKeyManager = SessionKeyManager;
+//# sourceMappingURL=session-key.js.map

package/dist/identity/session-key.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"session-key.js","sourceRoot":"","sources":["../../src/identity/session-key.ts"],"names":[],"mappings":";;;AAAA;;;;;;;;;GASG;AACH,MAAa,iBAAiB;CAE7B;AAFD,8CAEC"}

package/dist/policy/policy-evaluator.d.ts

@@ -0,0 +1,63 @@
+import { PermissionRule, PermissionResource } from '@vess-id/ai-identity';
+import { LocalPolicy, PolicyEvaluationResult, PolicySource } from './types';
+/**
+ * Two-layer policy evaluator (spec §7.1, §7.3).
+ *
+ * Evaluation flow:
+ * 1. Local Policy evaluation → deny? block immediately
+ * 2. Org Policy evaluation (from synced cache) → deny? block immediately
+ * 3. Pass-through → continue to VC acquisition
+ *
+ * Semantics (spec §7.5):
+ * - deny > allow (deny always wins over allow)
+ * - more specific resource wins
+ * - explicit action > wildcard
+ * - local allow does NOT grant permission — only means "not blocked"
+ */
+export declare class PolicyEvaluator {
+    private readonly localPolicy;
+    private readonly orgRules;
+    constructor(localPolicy: LocalPolicy, orgRules?: PermissionRule[]);
+    /**
+     * Evaluate both local and org policies.
+     * Returns allowed=false if any deny rule matches.
+     * Returns allowed=true if no deny matches (pass-through, not a grant).
+     */
+    evaluate(provider: string, action: string, resource: PermissionResource): PolicyEvaluationResult;
+    evaluateLocal(provider: string, action: string, resource: PermissionResource): PolicyEvaluationResult;
+    evaluateOrg(provider: string, action: string, resource: PermissionResource): PolicyEvaluationResult;
+    private evaluateRules;
+    /**
+     * Compute specificity score for a rule (spec §7.5).
+     * Higher = more specific.
+     *
+     * Scoring:
+     * - Specific provider (+10) vs wildcard provider (+0)
+     * - Specific resource type (+10) vs wildcard (+0)
+     * - Resource id (+20) > resource pattern (+10) > no constraint (+0)
+     * - Specific action (+10) vs wildcard action (+0)
+     */
+    private computeSpecificity;
+    private matchesProvider;
+    private matchesAction;
+    private expandTilde;
+    private matchesResource;
+    /**
+     * Add a deny rule at runtime (e.g., from user's deny_persistent choice).
+     * For beta, this only adds to in-memory policy. Persistence to policy.yaml is β2+.
+     */
+    addDenyRule(rule: {
+        actions: string[];
+        effect: 'deny';
+        source: PolicySource;
+    }): void;
+    /**
+     * Simple glob matching for resource patterns.
+     * Supports:
+     * - '*' matches any sequence of characters (except /)
+     * - '**' matches any sequence including /
+     * - '?' matches a single character
+     */
+    private globMatch;
+}
+//# sourceMappingURL=policy-evaluator.d.ts.map

package/dist/policy/policy-evaluator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy-evaluator.d.ts","sourceRoot":"","sources":["../../src/policy/policy-evaluator.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAA;AACzE,OAAO,EAAE,WAAW,EAAmB,sBAAsB,EAAE,YAAY,EAAE,MAAM,SAAS,CAAA;AAE5F;;;;;;;;;;;;;GAaG;AACH,qBAAa,eAAe;IAExB,OAAO,CAAC,QAAQ,CAAC,WAAW;IAC5B,OAAO,CAAC,QAAQ,CAAC,QAAQ;gBADR,WAAW,EAAE,WAAW,EACxB,QAAQ,GAAE,cAAc,EAAO;IAGlD;;;;OAIG;IACH,QAAQ,CACN,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,kBAAkB,GAC3B,sBAAsB;IAYzB,aAAa,CACX,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,kBAAkB,GAC3B,sBAAsB;IAIzB,WAAW,CACT,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,kBAAkB,GAC3B,sBAAsB;IAazB,OAAO,CAAC,aAAa;IAyCrB;;;;;;;;;OASG;IACH,OAAO,CAAC,kBAAkB;IAsB1B,OAAO,CAAC,eAAe;IAKvB,OAAO,CAAC,aAAa;IAcrB,OAAO,CAAC,WAAW;IAOnB,OAAO,CAAC,eAAe;IA8BvB;;;OAGG;IACH,WAAW,CAAC,IAAI,EAAE;QAAE,OAAO,EAAE,MAAM,EAAE,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,YAAY,CAAA;KAAE,GAAG,IAAI;IAuBpF;;;;;;OAMG;IACH,OAAO,CAAC,SAAS;CA2BlB"}

package/dist/policy/policy-evaluator.js

@@ -0,0 +1,266 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PolicyEvaluator = void 0;
+const os = __importStar(require("os"));
+/**
+ * Two-layer policy evaluator (spec §7.1, §7.3).
+ *
+ * Evaluation flow:
+ * 1. Local Policy evaluation → deny? block immediately
+ * 2. Org Policy evaluation (from synced cache) → deny? block immediately
+ * 3. Pass-through → continue to VC acquisition
+ *
+ * Semantics (spec §7.5):
+ * - deny > allow (deny always wins over allow)
+ * - more specific resource wins
+ * - explicit action > wildcard
+ * - local allow does NOT grant permission — only means "not blocked"
+ */
+class PolicyEvaluator {
+    localPolicy;
+    orgRules;
+    constructor(localPolicy, orgRules = []) {
+        this.localPolicy = localPolicy;
+        this.orgRules = orgRules;
+    }
+    /**
+     * Evaluate both local and org policies.
+     * Returns allowed=false if any deny rule matches.
+     * Returns allowed=true if no deny matches (pass-through, not a grant).
+     */
+    evaluate(provider, action, resource) {
+        // Step 1: Local policy evaluation
+        const localResult = this.evaluateLocal(provider, action, resource);
+        if (!localResult.allowed)
+            return localResult;
+        // Step 2: Org policy evaluation
+        const orgResult = this.evaluateOrg(provider, action, resource);
+        if (!orgResult.allowed)
+            return orgResult;
+        return { allowed: true };
+    }
+    evaluateLocal(provider, action, resource) {
+        return this.evaluateRules(this.localPolicy.rules, provider, action, resource, 'local_policy');
+    }
+    evaluateOrg(provider, action, resource) {
+        // Org policies are PermissionRule (allow-only from VCs).
+        // Convert to LocalPolicyRule format for evaluation.
+        // Org deny is expressed via absence of allow — but for explicit deny rules
+        // synced from Gateway, we treat effect='deny' if present.
+        const orgLocalRules = this.orgRules.map(r => ({
+            ...r,
+            effect: r.effect || 'allow',
+        }));
+        return this.evaluateRules(orgLocalRules, provider, action, resource, 'org_policy');
+    }
+    evaluateRules(rules, provider, action, resource, source) {
+        // Find all matching rules
+        const matchingRules = rules.filter(rule => this.matchesProvider(rule, provider) &&
+            this.matchesAction(rule, action) &&
+            this.matchesResource(rule, resource));
+        if (matchingRules.length === 0) {
+            return { allowed: true };
+        }
+        // Sort by specificity (most specific first)
+        // Then apply: deny > allow at equal specificity, but more specific wins overall
+        const sorted = matchingRules
+            .map(rule => ({ rule, specificity: this.computeSpecificity(rule) }))
+            .sort((a, b) => b.specificity - a.specificity);
+        // At the highest specificity level, deny > allow
+        const topSpecificity = sorted[0].specificity;
+        const topRules = sorted.filter(s => s.specificity === topSpecificity);
+        const topDeny = topRules.find(s => s.rule.effect === 'deny');
+        if (topDeny) {
+            return {
+                allowed: false,
+                reason: `Denied by ${source}: ${topDeny.rule.provider}.${topDeny.rule.actions?.join(',')} on ${topDeny.rule.resource?.pattern || topDeny.rule.resource?.type || '*'}`,
+                matchedRule: topDeny.rule,
+            };
+        }
+        // Only allow rules matched — pass-through (not a grant)
+        return { allowed: true };
+    }
+    /**
+     * Compute specificity score for a rule (spec §7.5).
+     * Higher = more specific.
+     *
+     * Scoring:
+     * - Specific provider (+10) vs wildcard provider (+0)
+     * - Specific resource type (+10) vs wildcard (+0)
+     * - Resource id (+20) > resource pattern (+10) > no constraint (+0)
+     * - Specific action (+10) vs wildcard action (+0)
+     */
+    computeSpecificity(rule) {
+        let score = 0;
+        // Provider specificity
+        if (rule.provider && rule.provider !== '*')
+            score += 10;
+        // Resource specificity
+        if (rule.resource) {
+            if (rule.resource.type !== '*')
+                score += 10;
+            if (rule.resource.id && rule.resource.id !== '*')
+                score += 20;
+            else if (rule.resource.pattern)
+                score += 10;
+        }
+        // Action specificity
+        if (rule.actions && rule.actions.length > 0) {
+            const hasWildcard = rule.actions.some(a => a === '*');
+            if (!hasWildcard)
+                score += 10;
+        }
+        return score;
+    }
+    matchesProvider(rule, provider) {
+        if (!rule.provider || rule.provider === '*')
+            return true;
+        return rule.provider === provider;
+    }
+    matchesAction(rule, action) {
+        if (!rule.actions || rule.actions.length === 0)
+            return true;
+        return rule.actions.some(a => {
+            if (a === '*')
+                return true;
+            if (a === action)
+                return true;
+            // Wildcard suffix: "secret.*" matches "secret.read"
+            if (a.endsWith('.*')) {
+                const prefix = a.slice(0, -2);
+                return action.startsWith(prefix + '.');
+            }
+            return false;
+        });
+    }
+    expandTilde(pattern) {
+        if (pattern.startsWith('~/') || pattern === '~') {
+            return os.homedir() + pattern.slice(1);
+        }
+        return pattern;
+    }
+    matchesResource(rule, resource) {
+        if (!rule.resource)
+            return true;
+        if (rule.resource.type !== '*' && rule.resource.type !== resource.type)
+            return false;
+        const expandedRulePattern = rule.resource.pattern ? this.expandTilde(rule.resource.pattern) : undefined;
+        const expandedResourcePattern = resource.pattern ? this.expandTilde(resource.pattern) : undefined;
+        const expandedResourceId = resource.id ? this.expandTilde(resource.id) : undefined;
+        // Pattern matching
+        if (expandedRulePattern && expandedResourcePattern) {
+            return this.globMatch(expandedRulePattern, expandedResourcePattern);
+        }
+        // If rule has a pattern but resource has an id, try matching id against pattern
+        if (expandedRulePattern && expandedResourceId) {
+            return this.globMatch(expandedRulePattern, expandedResourceId);
+        }
+        // If rule has no pattern/id constraint, it matches all resources of this type
+        if (!rule.resource.pattern && !rule.resource.id)
+            return true;
+        // Exact id match
+        const expandedRuleId = rule.resource.id ? this.expandTilde(rule.resource.id) : undefined;
+        if (expandedRuleId && expandedResourceId) {
+            return expandedRuleId === expandedResourceId || expandedRuleId === '*';
+        }
+        return true;
+    }
+    /**
+     * Add a deny rule at runtime (e.g., from user's deny_persistent choice).
+     * For beta, this only adds to in-memory policy. Persistence to policy.yaml is β2+.
+     */
+    addDenyRule(rule) {
+        // Validate: only allow known action formats
+        for (const action of rule.actions) {
+            if (!action.includes('.'))
+                return; // Invalid action format, skip silently
+        }
+        // Deduplicate: don't add if an identical deny rule already exists
+        const isDuplicate = this.localPolicy.rules.some(existing => existing.effect === 'deny' &&
+            existing.actions?.length === rule.actions.length &&
+            existing.actions?.every(a => rule.actions.includes(a)));
+        if (isDuplicate)
+            return;
+        this.localPolicy.rules.push({
+            provider: rule.actions[0]?.split('.')[0] || '*',
+            resource: { type: '*' },
+            actions: rule.actions,
+            effect: 'deny',
+            source: rule.source,
+        });
+    }
+    /**
+     * Simple glob matching for resource patterns.
+     * Supports:
+     * - '*' matches any sequence of characters (except /)
+     * - '**' matches any sequence including /
+     * - '?' matches a single character
+     */
+    globMatch(pattern, value) {
+        // Convert glob to regex
+        let regex = '^';
+        for (let i = 0; i < pattern.length; i++) {
+            const c = pattern[i];
+            if (c === '*' && pattern[i + 1] === '*') {
+                regex += '.*';
+                i++; // skip second *
+                if (pattern[i + 1] === '/')
+                    i++; // skip trailing /
+            }
+            else if (c === '*') {
+                regex += '[^/]*';
+            }
+            else if (c === '?') {
+                regex += '.';
+            }
+            else if (c === '.' || c === '(' || c === ')' || c === '[' || c === ']' || c === '{' || c === '}' || c === '+' || c === '^' || c === '$' || c === '|' || c === '\\') {
+                regex += '\\' + c;
+            }
+            else {
+                regex += c;
+            }
+        }
+        regex += '$';
+        try {
+            return new RegExp(regex).test(value);
+        }
+        catch {
+            return false;
+        }
+    }
+}
+exports.PolicyEvaluator = PolicyEvaluator;
+//# sourceMappingURL=policy-evaluator.js.map

package/dist/policy/policy-evaluator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy-evaluator.js","sourceRoot":"","sources":["../../src/policy/policy-evaluator.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,uCAAwB;AAIxB;;;;;;;;;;;;;GAaG;AACH,MAAa,eAAe;IAEP;IACA;IAFnB,YACmB,WAAwB,EACxB,WAA6B,EAAE;QAD/B,gBAAW,GAAX,WAAW,CAAa;QACxB,aAAQ,GAAR,QAAQ,CAAuB;IAC/C,CAAC;IAEJ;;;;OAIG;IACH,QAAQ,CACN,QAAgB,EAChB,MAAc,EACd,QAA4B;QAE5B,kCAAkC;QAClC,MAAM,WAAW,GAAG,IAAI,CAAC,aAAa,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAA;QAClE,IAAI,CAAC,WAAW,CAAC,OAAO;YAAE,OAAO,WAAW,CAAA;QAE5C,gCAAgC;QAChC,MAAM,SAAS,GAAG,IAAI,CAAC,WAAW,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAA;QAC9D,IAAI,CAAC,SAAS,CAAC,OAAO;YAAE,OAAO,SAAS,CAAA;QAExC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAA;IAC1B,CAAC;IAED,aAAa,CACX,QAAgB,EAChB,MAAc,EACd,QAA4B;QAE5B,OAAO,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,WAAW,CAAC,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,cAAc,CAAC,CAAA;IAC/F,CAAC;IAED,WAAW,CACT,QAAgB,EAChB,MAAc,EACd,QAA4B;QAE5B,yDAAyD;QACzD,oDAAoD;QACpD,2EAA2E;QAC3E,0DAA0D;QAC1D,MAAM,aAAa,GAAsB,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;YAC/D,GAAG,CAAC;YACJ,MAAM,EAAG,CAAC,CAAC,MAA2B,IAAI,OAAO;SAClD,CAAC,CAAC,CAAA;QAEH,OAAO,IAAI,CAAC,aAAa,CAAC,aAAa,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,YAAY,CAAC,CAAA;IACpF,CAAC;IAEO,aAAa,CACnB,KAAwB,EACxB,QAAgB,EAChB,MAAc,EACd,QAA4B,EAC5B,MAAc;QAEd,0BAA0B;QAC1B,MAAM,aAAa,GAAG,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CACxC,IAAI,CAAC,eAAe,CAAC,IAAI,EAAE,QAAQ,CAAC;YACpC,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE,MAAM,CAAC;YAChC,IAAI,CAAC,eAAe,CAAC,IAAI,EAAE,QAAQ,CAAC,CACrC,CAAA;QAED,IAAI,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC/B,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAA;QAC1B,CAAC;QAED,4CAA4C;QAC5C,gFAAgF;QAChF,MAAM,MAAM,GAAG,aAAa;aACzB,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,EAAE,IAAI,EAAE,WAAW,EAAE,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;aACnE,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,GAAG,CAAC,CAAC,WAAW,CAAC,CAAA;QAEhD,iDAAiD;QACjD,MAAM,cAAc,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC,WAAW,CAAA;QAC5C,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,WAAW,KAAK,cAAc,CAAC,CAAA;QAErE,MAAM,OAAO,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,KAAK,MAAM,CAAC,CAAA;QAC5D,IAAI,OAAO,EAAE,CAAC;YACZ,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,aAAa,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,QAAQ,IAAI,OAAO,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,GAAG,CAAC,OAAO,OAAO,CAAC,IAAI,CAAC,QAAQ,EAAE,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,IAAI,GAAG,EAAE;gBACrK,WAAW,EAAE,OAAO,CAAC,IAAI;aAC1B,CAAA;QACH,CAAC;QAED,wDAAwD;QACxD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAA;IAC1B,CAAC;IAED;;;;;;;;;OASG;IACK,kBAAkB,CAAC,IAAqB;QAC9C,IAAI,KAAK,GAAG,CAAC,CAAA;QAEb,uBAAuB;QACvB,IAAI,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC,QAAQ,KAAK,GAAG;YAAE,KAAK,IAAI,EAAE,CAAA;QAEvD,uBAAuB;QACvB,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAClB,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,KAAK,GAAG;gBAAE,KAAK,IAAI,EAAE,CAAA;YAC3C,IAAI,IAAI,CAAC,QAAQ,CAAC,EAAE,IAAI,IAAI,CAAC,QAAQ,CAAC,EAAE,KAAK,GAAG;gBAAE,KAAK,IAAI,EAAE,CAAA;iBACxD,IAAI,IAAI,CAAC,QAAQ,CAAC,OAAO;gBAAE,KAAK,IAAI,EAAE,CAAA;QAC7C,CAAC;QAED,qBAAqB;QACrB,IAAI,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC5C,MAAM,WAAW,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,GAAG,CAAC,CAAA;YACrD,IAAI,CAAC,WAAW;gBAAE,KAAK,IAAI,EAAE,CAAA;QAC/B,CAAC;QAED,OAAO,KAAK,CAAA;IACd,CAAC;IAEO,eAAe,CAAC,IAAqB,EAAE,QAAgB;QAC7D,IAAI,CAAC,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC,QAAQ,KAAK,GAAG;YAAE,OAAO,IAAI,CAAA;QACxD,OAAO,IAAI,CAAC,QAAQ,KAAK,QAAQ,CAAA;IACnC,CAAC;IAEO,aAAa,CAAC,IAAqB,EAAE,MAAc;QACzD,IAAI,CAAC,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,IAAI,CAAA;QAC3D,OAAO,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE;YAC3B,IAAI,CAAC,KAAK,GAAG;gBAAE,OAAO,IAAI,CAAA;YAC1B,IAAI,CAAC,KAAK,MAAM;gBAAE,OAAO,IAAI,CAAA;YAC7B,oDAAoD;YACpD,IAAI,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;gBACrB,MAAM,MAAM,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAA;gBAC7B,OAAO,MAAM,CAAC,UAAU,CAAC,MAAM,GAAG,GAAG,CAAC,CAAA;YACxC,CAAC;YACD,OAAO,KAAK,CAAA;QACd,CAAC,CAAC,CAAA;IACJ,CAAC;IAEO,WAAW,CAAC,OAAe;QACjC,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,OAAO,KAAK,GAAG,EAAE,CAAC;YAChD,OAAO,EAAE,CAAC,OAAO,EAAE,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAA;QACxC,CAAC;QACD,OAAO,OAAO,CAAA;IAChB,CAAC;IAEO,eAAe,CAAC,IAAqB,EAAE,QAA4B;QACzE,IAAI,CAAC,IAAI,CAAC,QAAQ;YAAE,OAAO,IAAI,CAAA;QAC/B,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,KAAK,GAAG,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,KAAK,QAAQ,CAAC,IAAI;YAAE,OAAO,KAAK,CAAA;QAEpF,MAAM,mBAAmB,GAAG,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,SAAS,CAAA;QACvG,MAAM,uBAAuB,GAAG,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,SAAS,CAAA;QACjG,MAAM,kBAAkB,GAAG,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,SAAS,CAAA;QAElF,mBAAmB;QACnB,IAAI,mBAAmB,IAAI,uBAAuB,EAAE,CAAC;YACnD,OAAO,IAAI,CAAC,SAAS,CAAC,mBAAmB,EAAE,uBAAuB,CAAC,CAAA;QACrE,CAAC;QAED,gFAAgF;QAChF,IAAI,mBAAmB,IAAI,kBAAkB,EAAE,CAAC;YAC9C,OAAO,IAAI,CAAC,SAAS,CAAC,mBAAmB,EAAE,kBAAkB,CAAC,CAAA;QAChE,CAAC;QAED,8EAA8E;QAC9E,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE;YAAE,OAAO,IAAI,CAAA;QAE5D,iBAAiB;QACjB,MAAM,cAAc,GAAG,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,SAAS,CAAA;QACxF,IAAI,cAAc,IAAI,kBAAkB,EAAE,CAAC;YACzC,OAAO,cAAc,KAAK,kBAAkB,IAAI,cAAc,KAAK,GAAG,CAAA;QACxE,CAAC;QAED,OAAO,IAAI,CAAA;IACb,CAAC;IAED;;;OAGG;IACH,WAAW,CAAC,IAAiE;QAC3E,4CAA4C;QAC5C,KAAK,MAAM,MAAM,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YAClC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC;gBAAE,OAAM,CAAC,uCAAuC;QAC3E,CAAC;QAED,kEAAkE;QAClE,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CACzD,QAAQ,CAAC,MAAM,KAAK,MAAM;YAC1B,QAAQ,CAAC,OAAO,EAAE,MAAM,KAAK,IAAI,CAAC,OAAO,CAAC,MAAM;YAChD,QAAQ,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CACvD,CAAA;QACD,IAAI,WAAW;YAAE,OAAM;QAEvB,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,IAAI,CAAC;YAC1B,QAAQ,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,GAAG;YAC/C,QAAQ,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE;YACvB,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,MAAM,EAAE,MAAM;YACd,MAAM,EAAE,IAAI,CAAC,MAAM;SACpB,CAAC,CAAA;IACJ,CAAC;IAED;;;;;;OAMG;IACK,SAAS,CAAC,OAAe,EAAE,KAAa;QAC9C,wBAAwB;QACxB,IAAI,KAAK,GAAG,GAAG,CAAA;QACf,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACxC,MAAM,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,CAAA;YACpB,IAAI,CAAC,KAAK,GAAG,IAAI,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,GAAG,EAAE,CAAC;gBACxC,KAAK,IAAI,IAAI,CAAA;gBACb,CAAC,EAAE,CAAA,CAAC,gBAAgB;gBACpB,IAAI,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,GAAG;oBAAE,CAAC,EAAE,CAAA,CAAC,kBAAkB;YACpD,CAAC;iBAAM,IAAI,CAAC,KAAK,GAAG,EAAE,CAAC;gBACrB,KAAK,IAAI,OAAO,CAAA;YAClB,CAAC;iBAAM,IAAI,CAAC,KAAK,GAAG,EAAE,CAAC;gBACrB,KAAK,IAAI,GAAG,CAAA;YACd,CAAC;iBAAM,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,IAAI,EAAE,CAAC;gBACrK,KAAK,IAAI,IAAI,GAAG,CAAC,CAAA;YACnB,CAAC;iBAAM,CAAC;gBACN,KAAK,IAAI,CAAC,CAAA;YACZ,CAAC;QACH,CAAC;QACD,KAAK,IAAI,GAAG,CAAA;QAEZ,IAAI,CAAC;YACH,OAAO,IAAI,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;QACtC,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAA;QACd,CAAC;IACH,CAAC;CACF;AAlPD,0CAkPC"}

package/dist/policy/policy-loader.d.ts

@@ -0,0 +1,10 @@
+import Database from 'better-sqlite3';
+import { LocalPolicy } from './types';
+import { PermissionRule } from '@vess-id/ai-identity';
+export declare function loadLocalPolicy(policyPath: string): LocalPolicy;
+/**
+ * Load synced org policies from SQLite synced_policies table.
+ * Returns PermissionRule[] (org policies are allow-only, like VCs).
+ */
+export declare function loadOrgPolicies(db: Database.Database, projectId: string): PermissionRule[];
+//# sourceMappingURL=policy-loader.d.ts.map

package/dist/policy/policy-loader.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy-loader.d.ts","sourceRoot":"","sources":["../../src/policy/policy-loader.ts"],"names":[],"mappings":"AACA,OAAO,QAAQ,MAAM,gBAAgB,CAAA;AACrC,OAAO,EAAE,WAAW,EAAmB,MAAM,SAAS,CAAA;AACtD,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAA;AAErD,wBAAgB,eAAe,CAAC,UAAU,EAAE,MAAM,GAAG,WAAW,CAU/D;AAED;;;GAGG;AACH,wBAAgB,eAAe,CAC7B,EAAE,EAAE,QAAQ,CAAC,QAAQ,EACrB,SAAS,EAAE,MAAM,GAChB,cAAc,EAAE,CAclB"}

package/dist/policy/policy-loader.js

@@ -0,0 +1,71 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.loadLocalPolicy = loadLocalPolicy;
+exports.loadOrgPolicies = loadOrgPolicies;
+const fs = __importStar(require("fs"));
+function loadLocalPolicy(policyPath) {
+    try {
+        if (!fs.existsSync(policyPath)) {
+            return { v: '1', rules: [] };
+        }
+        const raw = fs.readFileSync(policyPath, 'utf-8');
+        return JSON.parse(raw);
+    }
+    catch {
+        return { v: '1', rules: [] };
+    }
+}
+/**
+ * Load synced org policies from SQLite synced_policies table.
+ * Returns PermissionRule[] (org policies are allow-only, like VCs).
+ */
+function loadOrgPolicies(db, projectId) {
+    try {
+        const row = db.prepare('SELECT policy_json FROM synced_policies WHERE project_id = ? ORDER BY synced_at DESC LIMIT 1').get(projectId);
+        if (!row)
+            return [];
+        const parsed = JSON.parse(row.policy_json);
+        if (Array.isArray(parsed))
+            return parsed;
+        if (parsed.rules && Array.isArray(parsed.rules))
+            return parsed.rules;
+        return [];
+    }
+    catch {
+        return [];
+    }
+}
+//# sourceMappingURL=policy-loader.js.map

package/dist/policy/policy-loader.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy-loader.js","sourceRoot":"","sources":["../../src/policy/policy-loader.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAKA,0CAUC;AAMD,0CAiBC;AAtCD,uCAAwB;AAKxB,SAAgB,eAAe,CAAC,UAAkB;IAChD,IAAI,CAAC;QACH,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;YAC/B,OAAO,EAAE,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,EAAE,EAAE,CAAA;QAC9B,CAAC;QACD,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAA;QAChD,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAgB,CAAA;IACvC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,EAAE,EAAE,CAAA;IAC9B,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,SAAgB,eAAe,CAC7B,EAAqB,EACrB,SAAiB;IAEjB,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,EAAE,CAAC,OAAO,CACpB,8FAA8F,CAC/F,CAAC,GAAG,CAAC,SAAS,CAAwC,CAAA;QAEvD,IAAI,CAAC,GAAG;YAAE,OAAO,EAAE,CAAA;QACnB,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,WAAW,CAAC,CAAA;QAC1C,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC;YAAE,OAAO,MAA0B,CAAA;QAC5D,IAAI,MAAM,CAAC,KAAK,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC;YAAE,OAAO,MAAM,CAAC,KAAyB,CAAA;QACxF,OAAO,EAAE,CAAA;IACX,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAA;IACX,CAAC;AACH,CAAC"}