@vorionsys/atsf-core 0.4.2 → 0.4.3

package/dist/enforce/fast-path.js

@@ -0,0 +1,257 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright 2024-2026 Vorion LLC
+/**
+ * Fast-Path Enforcement
+ *
+ * Pre-computed decision matrix that skips full policy evaluation for the
+ * ~70-80% of enforcement requests that have deterministic outcomes.
+ *
+ * At 10K concurrent agents the policy engine evaluation (~2ms per call)
+ * dominates the enforcement pipeline p99 latency. This fast path reduces
+ * the common case to an O(1) Map lookup (<0.01ms).
+ *
+ * How it works:
+ * 1. A decision matrix is pre-computed for every (trustTier x actionType x riskLevel) tuple.
+ * 2. Each tuple maps to ALLOW, DENY, or CONDITIONAL (needs full evaluation).
+ * 3. On enforcement request the fast path is checked first:
+ *    - ALLOW / DENY → return immediately, skip policy engine entirely
+ *    - CONDITIONAL → fall through to full evaluation pipeline
+ * 4. The matrix is rebuilt when policies change (event-driven invalidation).
+ *
+ * @packageDocumentation
+ */
+import { createLogger } from '../common/logger.js';
+const logger = createLogger({ component: 'fast-path-enforcer' });
+// =============================================================================
+// DEFAULTS
+// =============================================================================
+const ALL_TRUST_TIERS = [0, 1, 2, 3, 4, 5, 6, 7];
+const ALL_ACTION_TYPES = ['read', 'write', 'delete', 'execute', 'transfer'];
+const ALL_RISK_LEVELS = ['read', 'low', 'medium', 'high', 'critical'];
+const DEFAULT_THRESHOLDS = {
+    autoApproveTier: 4,
+    requireRefinementTier: 2,
+    autoDenyTier: 0,
+};
+// =============================================================================
+// FAST PATH ENFORCER
+// =============================================================================
+export class FastPathEnforcer {
+    matrix = new Map();
+    thresholds;
+    trustTiers;
+    actionTypes;
+    riskLevels;
+    // Metrics
+    _hits = 0;
+    _misses = 0;
+    _totalFastPathLatencyMs = 0;
+    _totalFullEvalLatencyMs = 0;
+    _fullEvalCount = 0;
+    constructor(config) {
+        this.thresholds = config?.thresholds ?? DEFAULT_THRESHOLDS;
+        this.trustTiers = config?.trustTiers ?? ALL_TRUST_TIERS;
+        this.actionTypes = config?.actionTypes ?? ALL_ACTION_TYPES;
+        this.riskLevels = config?.riskLevels ?? ALL_RISK_LEVELS;
+        this.rebuildMatrix();
+    }
+    // ===========================================================================
+    // Core API
+    // ===========================================================================
+    /**
+     * Check the fast-path decision matrix for an enforcement request.
+     *
+     * Returns `hit: true` with a definitive ALLOW or DENY when the matrix
+     * can resolve the request without full policy evaluation.
+     *
+     * Returns `hit: false` with verdict CONDITIONAL when the request must
+     * fall through to the full pipeline.
+     */
+    check(request) {
+        const t0 = performance.now();
+        // If the caller signals conditional rules, force fallthrough
+        if (request.hasConditionalRules) {
+            this._misses++;
+            return {
+                hit: false,
+                verdict: 'CONDITIONAL',
+                reasoning: 'Request has conditional policy rules — requires full evaluation',
+            };
+        }
+        const key = this.buildKey(request.trustTier, request.actionType, request.riskLevel);
+        const cell = this.matrix.get(key);
+        const elapsedMs = performance.now() - t0;
+        if (!cell || cell.verdict === 'CONDITIONAL') {
+            this._misses++;
+            return {
+                hit: false,
+                verdict: 'CONDITIONAL',
+                reasoning: cell?.reasoning ?? 'No matrix entry — requires full evaluation',
+                lookupTimeNs: Math.round(elapsedMs * 1_000_000),
+            };
+        }
+        this._hits++;
+        this._totalFastPathLatencyMs += elapsedMs;
+        return {
+            hit: true,
+            verdict: cell.verdict,
+            reasoning: cell.reasoning,
+            lookupTimeNs: Math.round(elapsedMs * 1_000_000),
+        };
+    }
+    // ===========================================================================
+    // Matrix management
+    // ===========================================================================
+    /**
+     * Rebuild the decision matrix from current thresholds.
+     * Call this when policies change.
+     */
+    rebuildMatrix(thresholds) {
+        if (thresholds) {
+            this.thresholds = thresholds;
+        }
+        this.matrix.clear();
+        for (const tier of this.trustTiers) {
+            for (const action of this.actionTypes) {
+                for (const risk of this.riskLevels) {
+                    const cell = this.computeCell(tier, action, risk);
+                    this.matrix.set(this.buildKey(tier, action, risk), cell);
+                }
+            }
+        }
+        logger.info({ matrixSize: this.matrix.size, thresholds: this.thresholds }, 'Fast-path decision matrix rebuilt');
+    }
+    /**
+     * Get the raw matrix size (number of pre-computed cells).
+     */
+    get matrixSize() {
+        return this.matrix.size;
+    }
+    /**
+     * Get a specific matrix cell for inspection/debugging.
+     */
+    getCell(trustTier, actionType, riskLevel) {
+        return this.matrix.get(this.buildKey(trustTier, actionType, riskLevel));
+    }
+    // ===========================================================================
+    // Full eval latency tracking (called externally)
+    // ===========================================================================
+    /**
+     * Record a full evaluation latency (for metrics comparison).
+     * Call this from the pipeline optimizer when a full eval is performed.
+     */
+    recordFullEvalLatency(latencyMs) {
+        this._totalFullEvalLatencyMs += latencyMs;
+        this._fullEvalCount++;
+    }
+    // ===========================================================================
+    // Metrics
+    // ===========================================================================
+    getMetrics() {
+        const total = this._hits + this._misses;
+        return {
+            fastPathHits: this._hits,
+            fastPathMisses: this._misses,
+            fastPathHitRate: total > 0 ? this._hits / total : 0,
+            fastPathMissRate: total > 0 ? this._misses / total : 0,
+            avgFastPathLatencyMs: this._hits > 0 ? this._totalFastPathLatencyMs / this._hits : 0,
+            avgFullEvalLatencyMs: this._fullEvalCount > 0 ? this._totalFullEvalLatencyMs / this._fullEvalCount : 0,
+            matrixSize: this.matrix.size,
+        };
+    }
+    resetMetrics() {
+        this._hits = 0;
+        this._misses = 0;
+        this._totalFastPathLatencyMs = 0;
+        this._totalFullEvalLatencyMs = 0;
+        this._fullEvalCount = 0;
+    }
+    // ===========================================================================
+    // Private helpers
+    // ===========================================================================
+    buildKey(tier, action, risk) {
+        return `${tier}:${action}:${risk}`;
+    }
+    /**
+     * Compute a single matrix cell.
+     *
+     * The logic mirrors TrustAwareEnforcementService.determineTier() but
+     * without evaluation context (no specific violated rules). This means
+     * we can only produce definitive answers for cases that DON'T depend on
+     * per-request policy evaluation results.
+     */
+    computeCell(tier, action, risk) {
+        // ----- DEFINITIVE DENY cases -----
+        // Trust below auto-deny → always RED
+        if (tier < this.thresholds.autoDenyTier) {
+            return {
+                verdict: 'DENY',
+                reasoning: `Trust T${tier} below auto-deny threshold T${this.thresholds.autoDenyTier}`,
+            };
+        }
+        // Critical risk below T6 → never auto-approved (needs refinement or denial)
+        if (risk === 'critical' && tier < 6) {
+            if (tier < this.thresholds.requireRefinementTier) {
+                return {
+                    verdict: 'DENY',
+                    reasoning: `Critical risk at T${tier} — below refinement threshold`,
+                };
+            }
+            // YELLOW zone for critical risk — cannot fast-path ALLOW
+            return {
+                verdict: 'CONDITIONAL',
+                reasoning: `Critical risk at T${tier} — requires refinement evaluation`,
+            };
+        }
+        // High risk requires elevated approval (autoApprove + 1)
+        if (risk === 'high') {
+            const elevatedApproveTier = Math.min(7, this.thresholds.autoApproveTier + 1);
+            if (tier >= elevatedApproveTier) {
+                return {
+                    verdict: 'ALLOW',
+                    reasoning: `T${tier} meets elevated threshold T${elevatedApproveTier} for high-risk ${action}`,
+                };
+            }
+            if (tier < this.thresholds.requireRefinementTier) {
+                return {
+                    verdict: 'DENY',
+                    reasoning: `T${tier} below refinement threshold for high-risk ${action}`,
+                };
+            }
+            return {
+                verdict: 'CONDITIONAL',
+                reasoning: `High risk at T${tier} — requires policy evaluation`,
+            };
+        }
+        // ----- DEFINITIVE ALLOW cases -----
+        // Reads at T3+ with low/read risk → always ALLOW
+        if (action === 'read' && (risk === 'read' || risk === 'low') && tier >= 3) {
+            return {
+                verdict: 'ALLOW',
+                reasoning: `Read-only at T${tier} with ${risk} risk — auto-approved`,
+            };
+        }
+        // Trust at or above auto-approve → ALLOW (assuming evaluation passes)
+        // We mark this ALLOW because the fast path only fires when there are
+        // no pre-existing violated rules in the evaluation.
+        if (tier >= this.thresholds.autoApproveTier) {
+            return {
+                verdict: 'ALLOW',
+                reasoning: `T${tier} meets auto-approve threshold T${this.thresholds.autoApproveTier} for ${action}/${risk}`,
+            };
+        }
+        // Trust below refinement threshold → CONDITIONAL (could be YELLOW or RED depending on eval)
+        if (tier < this.thresholds.requireRefinementTier) {
+            return {
+                verdict: 'CONDITIONAL',
+                reasoning: `T${tier} below refinement threshold — decision depends on evaluation`,
+            };
+        }
+        // Everything else is in the YELLOW zone — requires evaluation
+        return {
+            verdict: 'CONDITIONAL',
+            reasoning: `T${tier} with ${action}/${risk} — requires policy evaluation for refinement`,
+        };
+    }
+}
+//# sourceMappingURL=fast-path.js.map

package/dist/enforce/fast-path.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"fast-path.js","sourceRoot":"","sources":["../../src/enforce/fast-path.ts"],"names":[],"mappings":"AAAA,sCAAsC;AACtC,iCAAiC;AAEjC;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAGnD,MAAM,MAAM,GAAG,YAAY,CAAC,EAAE,SAAS,EAAE,oBAAoB,EAAE,CAAC,CAAC;AA+FjE,gFAAgF;AAChF,WAAW;AACX,gFAAgF;AAEhF,MAAM,eAAe,GAAiB,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC;AAC/D,MAAM,gBAAgB,GAAiB,CAAC,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,UAAU,CAAC,CAAC;AAC1F,MAAM,eAAe,GAAgB,CAAC,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,CAAC,CAAC;AAEnF,MAAM,kBAAkB,GAAuB;IAC7C,eAAe,EAAE,CAAe;IAChC,qBAAqB,EAAE,CAAe;IACtC,YAAY,EAAE,CAAe;CAC9B,CAAC;AAEF,gFAAgF;AAChF,qBAAqB;AACrB,gFAAgF;AAEhF,MAAM,OAAO,gBAAgB;IACnB,MAAM,GAAG,IAAI,GAAG,EAAyB,CAAC;IAC1C,UAAU,CAAqB;IAC/B,UAAU,CAAe;IACzB,WAAW,CAAe;IAC1B,UAAU,CAAc;IAEhC,UAAU;IACF,KAAK,GAAG,CAAC,CAAC;IACV,OAAO,GAAG,CAAC,CAAC;IACZ,uBAAuB,GAAG,CAAC,CAAC;IAC5B,uBAAuB,GAAG,CAAC,CAAC;IAC5B,cAAc,GAAG,CAAC,CAAC;IAE3B,YAAY,MAAgC;QAC1C,IAAI,CAAC,UAAU,GAAG,MAAM,EAAE,UAAU,IAAI,kBAAkB,CAAC;QAC3D,IAAI,CAAC,UAAU,GAAG,MAAM,EAAE,UAAU,IAAI,eAAe,CAAC;QACxD,IAAI,CAAC,WAAW,GAAG,MAAM,EAAE,WAAW,IAAI,gBAAgB,CAAC;QAC3D,IAAI,CAAC,UAAU,GAAG,MAAM,EAAE,UAAU,IAAI,eAAe,CAAC;QAExD,IAAI,CAAC,aAAa,EAAE,CAAC;IACvB,CAAC;IAED,8EAA8E;IAC9E,WAAW;IACX,8EAA8E;IAE9E;;;;;;;;OAQG;IACH,KAAK,CAAC,OAAwB;QAC5B,MAAM,EAAE,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC;QAE7B,6DAA6D;QAC7D,IAAI,OAAO,CAAC,mBAAmB,EAAE,CAAC;YAChC,IAAI,CAAC,OAAO,EAAE,CAAC;YACf,OAAO;gBACL,GAAG,EAAE,KAAK;gBACV,OAAO,EAAE,aAAa;gBACtB,SAAS,EAAE,iEAAiE;aAC7E,CAAC;QACJ,CAAC;QAED,MAAM,GAAG,GAAG,IAAI,CAAC,QAAQ,CACvB,OAAO,CAAC,SAAS,EACjB,OAAO,CAAC,UAAwB,EAChC,OAAO,CAAC,SAAsB,CAC/B,CAAC;QAEF,MAAM,IAAI,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAClC,MAAM,SAAS,GAAG,WAAW,CAAC,GAAG,EAAE,GAAG,EAAE,CAAC;QAEzC,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,OAAO,KAAK,aAAa,EAAE,CAAC;YAC5C,IAAI,CAAC,OAAO,EAAE,CAAC;YACf,OAAO;gBACL,GAAG,EAAE,KAAK;gBACV,OAAO,EAAE,aAAa;gBACtB,SAAS,EAAE,IAAI,EAAE,SAAS,IAAI,4CAA4C;gBAC1E,YAAY,EAAE,IAAI,CAAC,KAAK,CAAC,SAAS,GAAG,SAAS,CAAC;aAChD,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,KAAK,EAAE,CAAC;QACb,IAAI,CAAC,uBAAuB,IAAI,SAAS,CAAC;QAE1C,OAAO;YACL,GAAG,EAAE,IAAI;YACT,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,YAAY,EAAE,IAAI,CAAC,KAAK,CAAC,SAAS,GAAG,SAAS,CAAC;SAChD,CAAC;IACJ,CAAC;IAED,8EAA8E;IAC9E,oBAAoB;IACpB,8EAA8E;IAE9E;;;OAGG;IACH,aAAa,CAAC,UAA+B;QAC3C,IAAI,UAAU,EAAE,CAAC;YACf,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC;QAC/B,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;QAEpB,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YACnC,KAAK,MAAM,MAAM,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;gBACtC,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;oBACnC,MAAM,IAAI,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,CAAC;oBAClD,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,IAAI,CAAC,CAAC;gBAC3D,CAAC;YACH,CAAC;QACH,CAAC;QAED,MAAM,CAAC,IAAI,CACT,EAAE,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,UAAU,EAAE,IAAI,CAAC,UAAU,EAAE,EAC7D,mCAAmC,CACpC,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,IAAI,UAAU;QACZ,OAAO,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC;IAC1B,CAAC;IAED;;OAEG;IACH,OAAO,CAAC,SAAqB,EAAE,UAAsB,EAAE,SAAoB;QACzE,OAAO,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,SAAS,EAAE,UAAU,EAAE,SAAS,CAAC,CAAC,CAAC;IAC1E,CAAC;IAED,8EAA8E;IAC9E,iDAAiD;IACjD,8EAA8E;IAE9E;;;OAGG;IACH,qBAAqB,CAAC,SAAiB;QACrC,IAAI,CAAC,uBAAuB,IAAI,SAAS,CAAC;QAC1C,IAAI,CAAC,cAAc,EAAE,CAAC;IACxB,CAAC;IAED,8EAA8E;IAC9E,UAAU;IACV,8EAA8E;IAE9E,UAAU;QACR,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC;QACxC,OAAO;YACL,YAAY,EAAE,IAAI,CAAC,KAAK;YACxB,cAAc,EAAE,IAAI,CAAC,OAAO;YAC5B,eAAe,EAAE,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YACnD,gBAAgB,EAAE,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YACtD,oBAAoB,EAAE,IAAI,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,uBAAuB,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;YACpF,oBAAoB,EAAE,IAAI,CAAC,cAAc,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,uBAAuB,GAAG,IAAI,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC;YACtG,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC,IAAI;SAC7B,CAAC;IACJ,CAAC;IAED,YAAY;QACV,IAAI,CAAC,KAAK,GAAG,CAAC,CAAC;QACf,IAAI,CAAC,OAAO,GAAG,CAAC,CAAC;QACjB,IAAI,CAAC,uBAAuB,GAAG,CAAC,CAAC;QACjC,IAAI,CAAC,uBAAuB,GAAG,CAAC,CAAC;QACjC,IAAI,CAAC,cAAc,GAAG,CAAC,CAAC;IAC1B,CAAC;IAED,8EAA8E;IAC9E,kBAAkB;IAClB,8EAA8E;IAEtE,QAAQ,CAAC,IAAgB,EAAE,MAA2B,EAAE,IAAwB;QACtF,OAAO,GAAG,IAAI,IAAI,MAAM,IAAI,IAAI,EAAE,CAAC;IACrC,CAAC;IAED;;;;;;;OAOG;IACK,WAAW,CAAC,IAAgB,EAAE,MAAkB,EAAE,IAAe;QACvE,oCAAoC;QAEpC,qCAAqC;QACrC,IAAI,IAAI,GAAG,IAAI,CAAC,UAAU,CAAC,YAAY,EAAE,CAAC;YACxC,OAAO;gBACL,OAAO,EAAE,MAAM;gBACf,SAAS,EAAE,UAAU,IAAI,+BAA+B,IAAI,CAAC,UAAU,CAAC,YAAY,EAAE;aACvF,CAAC;QACJ,CAAC;QAED,4EAA4E;QAC5E,IAAI,IAAI,KAAK,UAAU,IAAI,IAAI,GAAG,CAAC,EAAE,CAAC;YACpC,IAAI,IAAI,GAAG,IAAI,CAAC,UAAU,CAAC,qBAAqB,EAAE,CAAC;gBACjD,OAAO;oBACL,OAAO,EAAE,MAAM;oBACf,SAAS,EAAE,qBAAqB,IAAI,+BAA+B;iBACpE,CAAC;YACJ,CAAC;YACD,yDAAyD;YACzD,OAAO;gBACL,OAAO,EAAE,aAAa;gBACtB,SAAS,EAAE,qBAAqB,IAAI,mCAAmC;aACxE,CAAC;QACJ,CAAC;QAED,yDAAyD;QACzD,IAAI,IAAI,KAAK,MAAM,EAAE,CAAC;YACpB,MAAM,mBAAmB,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,UAAU,CAAC,eAAe,GAAG,CAAC,CAAe,CAAC;YAC3F,IAAI,IAAI,IAAI,mBAAmB,EAAE,CAAC;gBAChC,OAAO;oBACL,OAAO,EAAE,OAAO;oBAChB,SAAS,EAAE,IAAI,IAAI,8BAA8B,mBAAmB,kBAAkB,MAAM,EAAE;iBAC/F,CAAC;YACJ,CAAC;YACD,IAAI,IAAI,GAAG,IAAI,CAAC,UAAU,CAAC,qBAAqB,EAAE,CAAC;gBACjD,OAAO;oBACL,OAAO,EAAE,MAAM;oBACf,SAAS,EAAE,IAAI,IAAI,6CAA6C,MAAM,EAAE;iBACzE,CAAC;YACJ,CAAC;YACD,OAAO;gBACL,OAAO,EAAE,aAAa;gBACtB,SAAS,EAAE,iBAAiB,IAAI,+BAA+B;aAChE,CAAC;QACJ,CAAC;QAED,qCAAqC;QAErC,iDAAiD;QACjD,IAAI,MAAM,KAAK,MAAM,IAAI,CAAC,IAAI,KAAK,MAAM,IAAI,IAAI,KAAK,KAAK,CAAC,IAAI,IAAI,IAAI,CAAC,EAAE,CAAC;YAC1E,OAAO;gBACL,OAAO,EAAE,OAAO;gBAChB,SAAS,EAAE,iBAAiB,IAAI,SAAS,IAAI,uBAAuB;aACrE,CAAC;QACJ,CAAC;QAED,sEAAsE;QACtE,qEAAqE;QACrE,oDAAoD;QACpD,IAAI,IAAI,IAAI,IAAI,CAAC,UAAU,CAAC,eAAe,EAAE,CAAC;YAC5C,OAAO;gBACL,OAAO,EAAE,OAAO;gBAChB,SAAS,EAAE,IAAI,IAAI,kCAAkC,IAAI,CAAC,UAAU,CAAC,eAAe,QAAQ,MAAM,IAAI,IAAI,EAAE;aAC7G,CAAC;QACJ,CAAC;QAED,4FAA4F;QAC5F,IAAI,IAAI,GAAG,IAAI,CAAC,UAAU,CAAC,qBAAqB,EAAE,CAAC;YACjD,OAAO;gBACL,OAAO,EAAE,aAAa;gBACtB,SAAS,EAAE,IAAI,IAAI,8DAA8D;aAClF,CAAC;QACJ,CAAC;QAED,8DAA8D;QAC9D,OAAO;YACL,OAAO,EAAE,aAAa;YACtB,SAAS,EAAE,IAAI,IAAI,SAAS,MAAM,IAAI,IAAI,8CAA8C;SACzF,CAAC;IACJ,CAAC;CACF"}

package/dist/enforce/pipeline-optimizer.d.ts

@@ -0,0 +1,111 @@
+import type { ID } from '../common/types.js';
+import type { EnforcementContext, FluidDecisionResult } from './index.js';
+import type { TrustAwareEnforcementService } from './trust-aware-enforcement-service.js';
+import { FastPathEnforcer } from './fast-path.js';
+import { TrustLookupCache } from './trust-cache.js';
+import type { TrustScoreProvider, TrustSignalBus } from './trust-cache.js';
+/**
+ * Optimizer configuration.
+ */
+export interface PipelineOptimizerConfig {
+    /** Enable the fast-path matrix (default: true) */
+    enableFastPath: boolean;
+    /** Enable the trust lookup cache (default: true) */
+    enableTrustCache: boolean;
+    /** Enable parallel evaluation of independent checks (default: true) */
+    enableParallelEval: boolean;
+    /** Enable early termination on capability denial (default: true) */
+    enableEarlyTermination: boolean;
+    /** Trust cache TTL in ms (default: 5000) */
+    trustCacheTtlMs: number;
+    /** Maximum trust cache entries (default: 50000) */
+    trustCacheMaxEntries: number;
+}
+/**
+ * Batch enforcement request — multiple contexts for the same or different agents.
+ */
+export interface BatchEnforcementRequest {
+    contexts: EnforcementContext[];
+}
+/**
+ * Batch enforcement result.
+ */
+export interface BatchEnforcementResult {
+    results: FluidDecisionResult[];
+    totalLatencyMs: number;
+    avgLatencyMs: number;
+    fastPathHits: number;
+    fullEvals: number;
+}
+/**
+ * Pipeline optimizer metrics.
+ */
+export interface PipelineOptimizerMetrics {
+    totalRequests: number;
+    fastPathHits: number;
+    fastPathMisses: number;
+    earlyTerminations: number;
+    parallelEvals: number;
+    batchRequests: number;
+    batchItemsProcessed: number;
+    avgLatencyMs: number;
+    p99LatencyMs: number;
+}
+export declare class PipelineOptimizer {
+    private readonly config;
+    private readonly enforcementService;
+    private readonly fastPath;
+    private readonly trustCache;
+    private _totalRequests;
+    private _fastPathHits;
+    private _fastPathMisses;
+    private _earlyTerminations;
+    private _parallelEvals;
+    private _batchRequests;
+    private _batchItemsProcessed;
+    private _latencies;
+    private readonly _maxLatencyBuffer;
+    constructor(enforcementService: TrustAwareEnforcementService, config?: Partial<PipelineOptimizerConfig>);
+    getFastPath(): FastPathEnforcer;
+    getTrustCache(): TrustLookupCache;
+    /**
+     * Enforce a single request with optimizations:
+     * 1. Fast-path check
+     * 2. Trust cache lookup
+     * 3. Parallel evaluation of independent checks
+     * 4. Early termination on fast-path DENY
+     */
+    enforce(context: EnforcementContext): Promise<FluidDecisionResult>;
+    /**
+     * Enforce multiple requests in a batch.
+     *
+     * Optimizations:
+     * - Shared trust lookups for requests from the same agent
+     * - Fast-path filtering to separate definitive from conditional requests
+     * - Parallel execution of remaining full evaluations
+     */
+    enforceBatch(batch: BatchEnforcementRequest): Promise<BatchEnforcementResult>;
+    /**
+     * Pre-load trust profiles for known active agents.
+     * Call during application startup to avoid cold-cache latency on first request.
+     */
+    warmUp(agentIds: ID[], trustProvider: TrustScoreProvider): Promise<number>;
+    /**
+     * Subscribe to trust signal bus for cache invalidation.
+     */
+    subscribeToSignals(bus: TrustSignalBus): void;
+    /**
+     * Notify the optimizer that policies have changed.
+     * Rebuilds the fast-path matrix from the enforcement service's current config.
+     */
+    onPolicyChange(): void;
+    getMetrics(): PipelineOptimizerMetrics;
+    resetMetrics(): void;
+    dispose(): void;
+    private recordLatency;
+    /**
+     * Cache trust data extracted from a decision result.
+     */
+    private cacheResultTrust;
+}
+//# sourceMappingURL=pipeline-optimizer.d.ts.map

package/dist/enforce/pipeline-optimizer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pipeline-optimizer.d.ts","sourceRoot":"","sources":["../../src/enforce/pipeline-optimizer.ts"],"names":[],"mappings":"AA0BA,OAAO,KAAK,EAAE,EAAE,EAA0B,MAAM,oBAAoB,CAAC;AACrE,OAAO,KAAK,EACV,kBAAkB,EAClB,mBAAmB,EAEpB,MAAM,YAAY,CAAC;AACpB,OAAO,KAAK,EAAE,4BAA4B,EAAwC,MAAM,sCAAsC,CAAC;AAC/H,OAAO,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AAElD,OAAO,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AACpD,OAAO,KAAK,EAAoB,kBAAkB,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAQ7F;;GAEG;AACH,MAAM,WAAW,uBAAuB;IACtC,kDAAkD;IAClD,cAAc,EAAE,OAAO,CAAC;IACxB,oDAAoD;IACpD,gBAAgB,EAAE,OAAO,CAAC;IAC1B,uEAAuE;IACvE,kBAAkB,EAAE,OAAO,CAAC;IAC5B,oEAAoE;IACpE,sBAAsB,EAAE,OAAO,CAAC;IAChC,4CAA4C;IAC5C,eAAe,EAAE,MAAM,CAAC;IACxB,mDAAmD;IACnD,oBAAoB,EAAE,MAAM,CAAC;CAC9B;AAED;;GAEG;AACH,MAAM,WAAW,uBAAuB;IACtC,QAAQ,EAAE,kBAAkB,EAAE,CAAC;CAChC;AAED;;GAEG;AACH,MAAM,WAAW,sBAAsB;IACrC,OAAO,EAAE,mBAAmB,EAAE,CAAC;IAC/B,cAAc,EAAE,MAAM,CAAC;IACvB,YAAY,EAAE,MAAM,CAAC;IACrB,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,wBAAwB;IACvC,aAAa,EAAE,MAAM,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;IACrB,cAAc,EAAE,MAAM,CAAC;IACvB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,aAAa,EAAE,MAAM,CAAC;IACtB,aAAa,EAAE,MAAM,CAAC;IACtB,mBAAmB,EAAE,MAAM,CAAC;IAC5B,YAAY,EAAE,MAAM,CAAC;IACrB,YAAY,EAAE,MAAM,CAAC;CACtB;AAoDD,qBAAa,iBAAiB;IAC5B,OAAO,CAAC,QAAQ,CAAC,MAAM,CAA0B;IACjD,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAA+B;IAClE,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAmB;IAC5C,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAmB;IAG9C,OAAO,CAAC,cAAc,CAAK;IAC3B,OAAO,CAAC,aAAa,CAAK;IAC1B,OAAO,CAAC,eAAe,CAAK;IAC5B,OAAO,CAAC,kBAAkB,CAAK;IAC/B,OAAO,CAAC,cAAc,CAAK;IAC3B,OAAO,CAAC,cAAc,CAAK;IAC3B,OAAO,CAAC,oBAAoB,CAAK;IACjC,OAAO,CAAC,UAAU,CAAgB;IAClC,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAU;gBAG1C,kBAAkB,EAAE,4BAA4B,EAChD,MAAM,CAAC,EAAE,OAAO,CAAC,uBAAuB,CAAC;IA0B3C,WAAW,IAAI,gBAAgB;IAI/B,aAAa,IAAI,gBAAgB;IAQjC;;;;;;OAMG;IACG,OAAO,CAAC,OAAO,EAAE,kBAAkB,GAAG,OAAO,CAAC,mBAAmB,CAAC;IAoFxE;;;;;;;OAOG;IACG,YAAY,CAAC,KAAK,EAAE,uBAAuB,GAAG,OAAO,CAAC,sBAAsB,CAAC;IAyFnF;;;OAGG;IACG,MAAM,CAAC,QAAQ,EAAE,EAAE,EAAE,EAAE,aAAa,EAAE,kBAAkB,GAAG,OAAO,CAAC,MAAM,CAAC;IAQhF;;OAEG;IACH,kBAAkB,CAAC,GAAG,EAAE,cAAc,GAAG,IAAI;IAQ7C;;;OAGG;IACH,cAAc,IAAI,IAAI;IActB,UAAU,IAAI,wBAAwB;IA4BtC,YAAY,IAAI,IAAI;IAepB,OAAO,IAAI,IAAI;IAQf,OAAO,CAAC,aAAa;IAQrB;;OAEG;IACH,OAAO,CAAC,gBAAgB;CAWzB"}