@vorionsys/platform-core 0.1.0

package/dist/security/policy-engine/types.d.ts

@@ -0,0 +1,2855 @@
+/**
+ * Security Policy Engine Types
+ *
+ * Type definitions for the flexible security policy engine including:
+ * - Policy conditions (user, request, time, risk, resource attributes)
+ * - Policy rules (MFA, approval, block, rate-limit, encryption, audit)
+ * - Policy actions (allow, deny, challenge, notify, log, escalate, quarantine)
+ * - Policy DSL schema
+ *
+ * @packageDocumentation
+ */
+import { z } from 'zod';
+export declare const ConditionOperator: {
+    readonly EQUALS: "equals";
+    readonly NOT_EQUALS: "not_equals";
+    readonly GREATER_THAN: "greater_than";
+    readonly LESS_THAN: "less_than";
+    readonly GREATER_THAN_OR_EQUAL: "greater_than_or_equal";
+    readonly LESS_THAN_OR_EQUAL: "less_than_or_equal";
+    readonly IN: "in";
+    readonly NOT_IN: "not_in";
+    readonly CONTAINS: "contains";
+    readonly NOT_CONTAINS: "not_contains";
+    readonly STARTS_WITH: "starts_with";
+    readonly ENDS_WITH: "ends_with";
+    readonly MATCHES: "matches";
+    readonly EXISTS: "exists";
+    readonly NOT_EXISTS: "not_exists";
+    readonly BETWEEN: "between";
+};
+export type ConditionOperator = (typeof ConditionOperator)[keyof typeof ConditionOperator];
+export declare const conditionOperatorSchema: z.ZodNativeEnum<{
+    readonly EQUALS: "equals";
+    readonly NOT_EQUALS: "not_equals";
+    readonly GREATER_THAN: "greater_than";
+    readonly LESS_THAN: "less_than";
+    readonly GREATER_THAN_OR_EQUAL: "greater_than_or_equal";
+    readonly LESS_THAN_OR_EQUAL: "less_than_or_equal";
+    readonly IN: "in";
+    readonly NOT_IN: "not_in";
+    readonly CONTAINS: "contains";
+    readonly NOT_CONTAINS: "not_contains";
+    readonly STARTS_WITH: "starts_with";
+    readonly ENDS_WITH: "ends_with";
+    readonly MATCHES: "matches";
+    readonly EXISTS: "exists";
+    readonly NOT_EXISTS: "not_exists";
+    readonly BETWEEN: "between";
+}>;
+export declare const LogicalOperator: {
+    readonly AND: "and";
+    readonly OR: "or";
+    readonly NOT: "not";
+};
+export type LogicalOperator = (typeof LogicalOperator)[keyof typeof LogicalOperator];
+export declare const logicalOperatorSchema: z.ZodNativeEnum<{
+    readonly AND: "and";
+    readonly OR: "or";
+    readonly NOT: "not";
+}>;
+export declare const ConditionType: {
+    readonly USER_ATTRIBUTE: "user_attribute";
+    readonly REQUEST_ATTRIBUTE: "request_attribute";
+    readonly TIME_BASED: "time_based";
+    readonly RISK_BASED: "risk_based";
+    readonly RESOURCE_ATTRIBUTE: "resource_attribute";
+    readonly COMPOSITE: "composite";
+    readonly CUSTOM: "custom";
+};
+export type ConditionType = (typeof ConditionType)[keyof typeof ConditionType];
+export declare const conditionTypeSchema: z.ZodNativeEnum<{
+    readonly USER_ATTRIBUTE: "user_attribute";
+    readonly REQUEST_ATTRIBUTE: "request_attribute";
+    readonly TIME_BASED: "time_based";
+    readonly RISK_BASED: "risk_based";
+    readonly RESOURCE_ATTRIBUTE: "resource_attribute";
+    readonly COMPOSITE: "composite";
+    readonly CUSTOM: "custom";
+}>;
+/**
+ * User attributes that can be evaluated
+ */
+export interface UserAttributeCondition {
+    type: 'user_attribute';
+    field: 'role' | 'department' | 'tenant' | 'groups' | 'permissions' | 'email_domain' | 'custom';
+    customField?: string;
+    operator: ConditionOperator;
+    value: unknown;
+}
+export declare const userAttributeConditionSchema: z.ZodObject<{
+    type: z.ZodLiteral<"user_attribute">;
+    field: z.ZodEnum<["role", "department", "tenant", "groups", "permissions", "email_domain", "custom"]>;
+    customField: z.ZodOptional<z.ZodString>;
+    operator: z.ZodNativeEnum<{
+        readonly EQUALS: "equals";
+        readonly NOT_EQUALS: "not_equals";
+        readonly GREATER_THAN: "greater_than";
+        readonly LESS_THAN: "less_than";
+        readonly GREATER_THAN_OR_EQUAL: "greater_than_or_equal";
+        readonly LESS_THAN_OR_EQUAL: "less_than_or_equal";
+        readonly IN: "in";
+        readonly NOT_IN: "not_in";
+        readonly CONTAINS: "contains";
+        readonly NOT_CONTAINS: "not_contains";
+        readonly STARTS_WITH: "starts_with";
+        readonly ENDS_WITH: "ends_with";
+        readonly MATCHES: "matches";
+        readonly EXISTS: "exists";
+        readonly NOT_EXISTS: "not_exists";
+        readonly BETWEEN: "between";
+    }>;
+    value: z.ZodUnknown;
+}, "strip", z.ZodTypeAny, {
+    operator?: "equals" | "not_equals" | "greater_than" | "less_than" | "greater_than_or_equal" | "less_than_or_equal" | "in" | "not_in" | "contains" | "not_contains" | "matches" | "exists" | "not_exists" | "starts_with" | "ends_with" | "between";
+    value?: unknown;
+    type?: "user_attribute";
+    field?: "custom" | "permissions" | "role" | "tenant" | "groups" | "department" | "email_domain";
+    customField?: string;
+}, {
+    operator?: "equals" | "not_equals" | "greater_than" | "less_than" | "greater_than_or_equal" | "less_than_or_equal" | "in" | "not_in" | "contains" | "not_contains" | "matches" | "exists" | "not_exists" | "starts_with" | "ends_with" | "between";
+    value?: unknown;
+    type?: "user_attribute";
+    field?: "custom" | "permissions" | "role" | "tenant" | "groups" | "department" | "email_domain";
+    customField?: string;
+}>;
+/**
+ * Request attributes that can be evaluated
+ */
+export interface RequestAttributeCondition {
+    type: 'request_attribute';
+    field: 'ip' | 'user_agent' | 'path' | 'method' | 'header' | 'query' | 'body' | 'origin' | 'referer' | 'custom';
+    customField?: string;
+    headerName?: string;
+    queryParam?: string;
+    bodyPath?: string;
+    operator: ConditionOperator;
+    value: unknown;
+}
+export declare const requestAttributeConditionSchema: z.ZodObject<{
+    type: z.ZodLiteral<"request_attribute">;
+    field: z.ZodEnum<["ip", "user_agent", "path", "method", "header", "query", "body", "origin", "referer", "custom"]>;
+    customField: z.ZodOptional<z.ZodString>;
+    headerName: z.ZodOptional<z.ZodString>;
+    queryParam: z.ZodOptional<z.ZodString>;
+    bodyPath: z.ZodOptional<z.ZodString>;
+    operator: z.ZodNativeEnum<{
+        readonly EQUALS: "equals";
+        readonly NOT_EQUALS: "not_equals";
+        readonly GREATER_THAN: "greater_than";
+        readonly LESS_THAN: "less_than";
+        readonly GREATER_THAN_OR_EQUAL: "greater_than_or_equal";
+        readonly LESS_THAN_OR_EQUAL: "less_than_or_equal";
+        readonly IN: "in";
+        readonly NOT_IN: "not_in";
+        readonly CONTAINS: "contains";
+        readonly NOT_CONTAINS: "not_contains";
+        readonly STARTS_WITH: "starts_with";
+        readonly ENDS_WITH: "ends_with";
+        readonly MATCHES: "matches";
+        readonly EXISTS: "exists";
+        readonly NOT_EXISTS: "not_exists";
+        readonly BETWEEN: "between";
+    }>;
+    value: z.ZodUnknown;
+}, "strip", z.ZodTypeAny, {
+    operator?: "equals" | "not_equals" | "greater_than" | "less_than" | "greater_than_or_equal" | "less_than_or_equal" | "in" | "not_in" | "contains" | "not_contains" | "matches" | "exists" | "not_exists" | "starts_with" | "ends_with" | "between";
+    value?: unknown;
+    type?: "request_attribute";
+    field?: "path" | "custom" | "ip" | "method" | "query" | "user_agent" | "body" | "origin" | "referer" | "header";
+    headerName?: string;
+    customField?: string;
+    queryParam?: string;
+    bodyPath?: string;
+}, {
+    operator?: "equals" | "not_equals" | "greater_than" | "less_than" | "greater_than_or_equal" | "less_than_or_equal" | "in" | "not_in" | "contains" | "not_contains" | "matches" | "exists" | "not_exists" | "starts_with" | "ends_with" | "between";
+    value?: unknown;
+    type?: "request_attribute";
+    field?: "path" | "custom" | "ip" | "method" | "query" | "user_agent" | "body" | "origin" | "referer" | "header";
+    headerName?: string;
+    customField?: string;
+    queryParam?: string;
+    bodyPath?: string;
+}>;
+/**
+ * Time-based conditions
+ */
+export interface TimeBasedCondition {
+    type: 'time_based';
+    field: 'hour' | 'day_of_week' | 'date' | 'business_hours' | 'weekend' | 'holiday' | 'custom';
+    /** Timezone for evaluation (default: UTC) */
+    timezone?: string;
+    /** Start hour for business hours (0-23) */
+    startHour?: number;
+    /** End hour for business hours (0-23) */
+    endHour?: number;
+    /** Days of week (0=Sunday, 6=Saturday) */
+    daysOfWeek?: number[];
+    /** Specific dates to match (ISO format) */
+    dates?: string[];
+    /** Holiday calendar ID */
+    holidayCalendar?: string;
+    operator: ConditionOperator;
+    value: unknown;
+}
+export declare const timeBasedConditionSchema: z.ZodObject<{
+    type: z.ZodLiteral<"time_based">;
+    field: z.ZodEnum<["hour", "day_of_week", "date", "business_hours", "weekend", "holiday", "custom"]>;
+    timezone: z.ZodOptional<z.ZodString>;
+    startHour: z.ZodOptional<z.ZodNumber>;
+    endHour: z.ZodOptional<z.ZodNumber>;
+    daysOfWeek: z.ZodOptional<z.ZodArray<z.ZodNumber, "many">>;
+    dates: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    holidayCalendar: z.ZodOptional<z.ZodString>;
+    operator: z.ZodNativeEnum<{
+        readonly EQUALS: "equals";
+        readonly NOT_EQUALS: "not_equals";
+        readonly GREATER_THAN: "greater_than";
+        readonly LESS_THAN: "less_than";
+        readonly GREATER_THAN_OR_EQUAL: "greater_than_or_equal";
+        readonly LESS_THAN_OR_EQUAL: "less_than_or_equal";
+        readonly IN: "in";
+        readonly NOT_IN: "not_in";
+        readonly CONTAINS: "contains";
+        readonly NOT_CONTAINS: "not_contains";
+        readonly STARTS_WITH: "starts_with";
+        readonly ENDS_WITH: "ends_with";
+        readonly MATCHES: "matches";
+        readonly EXISTS: "exists";
+        readonly NOT_EXISTS: "not_exists";
+        readonly BETWEEN: "between";
+    }>;
+    value: z.ZodUnknown;
+}, "strip", z.ZodTypeAny, {
+    operator?: "equals" | "not_equals" | "greater_than" | "less_than" | "greater_than_or_equal" | "less_than_or_equal" | "in" | "not_in" | "contains" | "not_contains" | "matches" | "exists" | "not_exists" | "starts_with" | "ends_with" | "between";
+    value?: unknown;
+    type?: "time_based";
+    field?: "date" | "custom" | "hour" | "day_of_week" | "business_hours" | "weekend" | "holiday";
+    startHour?: number;
+    endHour?: number;
+    daysOfWeek?: number[];
+    timezone?: string;
+    dates?: string[];
+    holidayCalendar?: string;
+}, {
+    operator?: "equals" | "not_equals" | "greater_than" | "less_than" | "greater_than_or_equal" | "less_than_or_equal" | "in" | "not_in" | "contains" | "not_contains" | "matches" | "exists" | "not_exists" | "starts_with" | "ends_with" | "between";
+    value?: unknown;
+    type?: "time_based";
+    field?: "date" | "custom" | "hour" | "day_of_week" | "business_hours" | "weekend" | "holiday";
+    startHour?: number;
+    endHour?: number;
+    daysOfWeek?: number[];
+    timezone?: string;
+    dates?: string[];
+    holidayCalendar?: string;
+}>;
+/**
+ * Risk-based conditions
+ */
+export interface RiskBasedCondition {
+    type: 'risk_based';
+    field: 'user_risk_score' | 'ip_reputation' | 'device_trust' | 'session_risk' | 'anomaly_score' | 'threat_level' | 'custom';
+    customField?: string;
+    operator: ConditionOperator;
+    value: unknown;
+    /** Optional threshold for numeric comparisons */
+    threshold?: number;
+}
+export declare const riskBasedConditionSchema: z.ZodObject<{
+    type: z.ZodLiteral<"risk_based">;
+    field: z.ZodEnum<["user_risk_score", "ip_reputation", "device_trust", "session_risk", "anomaly_score", "threat_level", "custom"]>;
+    customField: z.ZodOptional<z.ZodString>;
+    operator: z.ZodNativeEnum<{
+        readonly EQUALS: "equals";
+        readonly NOT_EQUALS: "not_equals";
+        readonly GREATER_THAN: "greater_than";
+        readonly LESS_THAN: "less_than";
+        readonly GREATER_THAN_OR_EQUAL: "greater_than_or_equal";
+        readonly LESS_THAN_OR_EQUAL: "less_than_or_equal";
+        readonly IN: "in";
+        readonly NOT_IN: "not_in";
+        readonly CONTAINS: "contains";
+        readonly NOT_CONTAINS: "not_contains";
+        readonly STARTS_WITH: "starts_with";
+        readonly ENDS_WITH: "ends_with";
+        readonly MATCHES: "matches";
+        readonly EXISTS: "exists";
+        readonly NOT_EXISTS: "not_exists";
+        readonly BETWEEN: "between";
+    }>;
+    value: z.ZodUnknown;
+    threshold: z.ZodOptional<z.ZodNumber>;
+}, "strip", z.ZodTypeAny, {
+    operator?: "equals" | "not_equals" | "greater_than" | "less_than" | "greater_than_or_equal" | "less_than_or_equal" | "in" | "not_in" | "contains" | "not_contains" | "matches" | "exists" | "not_exists" | "starts_with" | "ends_with" | "between";
+    value?: unknown;
+    type?: "risk_based";
+    field?: "custom" | "user_risk_score" | "ip_reputation" | "device_trust" | "session_risk" | "anomaly_score" | "threat_level";
+    threshold?: number;
+    customField?: string;
+}, {
+    operator?: "equals" | "not_equals" | "greater_than" | "less_than" | "greater_than_or_equal" | "less_than_or_equal" | "in" | "not_in" | "contains" | "not_contains" | "matches" | "exists" | "not_exists" | "starts_with" | "ends_with" | "between";
+    value?: unknown;
+    type?: "risk_based";
+    field?: "custom" | "user_risk_score" | "ip_reputation" | "device_trust" | "session_risk" | "anomaly_score" | "threat_level";
+    threshold?: number;
+    customField?: string;
+}>;
+/**
+ * Resource attribute conditions
+ */
+export interface ResourceAttributeCondition {
+    type: 'resource_attribute';
+    field: 'sensitivity_level' | 'data_type' | 'classification' | 'owner' | 'department' | 'region' | 'tags' | 'custom';
+    customField?: string;
+    operator: ConditionOperator;
+    value: unknown;
+}
+export declare const resourceAttributeConditionSchema: z.ZodObject<{
+    type: z.ZodLiteral<"resource_attribute">;
+    field: z.ZodEnum<["sensitivity_level", "data_type", "classification", "owner", "department", "region", "tags", "custom"]>;
+    customField: z.ZodOptional<z.ZodString>;
+    operator: z.ZodNativeEnum<{
+        readonly EQUALS: "equals";
+        readonly NOT_EQUALS: "not_equals";
+        readonly GREATER_THAN: "greater_than";
+        readonly LESS_THAN: "less_than";
+        readonly GREATER_THAN_OR_EQUAL: "greater_than_or_equal";
+        readonly LESS_THAN_OR_EQUAL: "less_than_or_equal";
+        readonly IN: "in";
+        readonly NOT_IN: "not_in";
+        readonly CONTAINS: "contains";
+        readonly NOT_CONTAINS: "not_contains";
+        readonly STARTS_WITH: "starts_with";
+        readonly ENDS_WITH: "ends_with";
+        readonly MATCHES: "matches";
+        readonly EXISTS: "exists";
+        readonly NOT_EXISTS: "not_exists";
+        readonly BETWEEN: "between";
+    }>;
+    value: z.ZodUnknown;
+}, "strip", z.ZodTypeAny, {
+    operator?: "equals" | "not_equals" | "greater_than" | "less_than" | "greater_than_or_equal" | "less_than_or_equal" | "in" | "not_in" | "contains" | "not_contains" | "matches" | "exists" | "not_exists" | "starts_with" | "ends_with" | "between";
+    value?: unknown;
+    type?: "resource_attribute";
+    field?: "custom" | "region" | "tags" | "owner" | "classification" | "department" | "sensitivity_level" | "data_type";
+    customField?: string;
+}, {
+    operator?: "equals" | "not_equals" | "greater_than" | "less_than" | "greater_than_or_equal" | "less_than_or_equal" | "in" | "not_in" | "contains" | "not_contains" | "matches" | "exists" | "not_exists" | "starts_with" | "ends_with" | "between";
+    value?: unknown;
+    type?: "resource_attribute";
+    field?: "custom" | "region" | "tags" | "owner" | "classification" | "department" | "sensitivity_level" | "data_type";
+    customField?: string;
+}>;
+/**
+ * Forward declaration for recursive type
+ */
+export interface CompositeCondition {
+    type: 'composite';
+    operator: LogicalOperator;
+    conditions: PolicyCondition[];
+}
+/**
+ * Custom condition using expression
+ */
+export interface CustomCondition {
+    type: 'custom';
+    /** Custom expression (e.g., JSONPath, CEL, custom DSL) */
+    expression: string;
+    /** Expression language */
+    language?: 'jsonpath' | 'cel' | 'jmespath' | 'custom';
+    /** Additional parameters for evaluation */
+    params?: Record<string, unknown>;
+}
+export declare const customConditionSchema: z.ZodObject<{
+    type: z.ZodLiteral<"custom">;
+    expression: z.ZodString;
+    language: z.ZodOptional<z.ZodEnum<["jsonpath", "cel", "jmespath", "custom"]>>;
+    params: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+}, "strip", z.ZodTypeAny, {
+    expression?: string;
+    params?: Record<string, unknown>;
+    type?: "custom";
+    language?: "custom" | "jsonpath" | "cel" | "jmespath";
+}, {
+    expression?: string;
+    params?: Record<string, unknown>;
+    type?: "custom";
+    language?: "custom" | "jsonpath" | "cel" | "jmespath";
+}>;
+export type PolicyCondition = UserAttributeCondition | RequestAttributeCondition | TimeBasedCondition | RiskBasedCondition | ResourceAttributeCondition | CompositeCondition | CustomCondition;
+export declare const policyConditionSchema: z.ZodSchema<any>;
+export declare const compositeConditionSchema: z.ZodObject<{
+    type: z.ZodLiteral<"composite">;
+    operator: z.ZodNativeEnum<{
+        readonly AND: "and";
+        readonly OR: "or";
+        readonly NOT: "not";
+    }>;
+    conditions: z.ZodArray<z.ZodType<any, z.ZodTypeDef, any>, "many">;
+}, "strip", z.ZodTypeAny, {
+    operator?: "and" | "or" | "not";
+    type?: "composite";
+    conditions?: any[];
+}, {
+    operator?: "and" | "or" | "not";
+    type?: "composite";
+    conditions?: any[];
+}>;
+export declare const PolicyRuleType: {
+    readonly REQUIRE_MFA: "require_mfa";
+    readonly REQUIRE_APPROVAL: "require_approval";
+    readonly BLOCK_ACCESS: "block_access";
+    readonly RATE_LIMIT: "rate_limit";
+    readonly REQUIRE_ENCRYPTION: "require_encryption";
+    readonly AUDIT_LOG: "audit_log";
+    readonly STEP_UP_AUTH: "step_up_auth";
+    readonly DATA_MASKING: "data_masking";
+    readonly SESSION_TIMEOUT: "session_timeout";
+    readonly GEO_RESTRICTION: "geo_restriction";
+    readonly CUSTOM: "custom";
+};
+export type PolicyRuleType = (typeof PolicyRuleType)[keyof typeof PolicyRuleType];
+export declare const policyRuleTypeSchema: z.ZodNativeEnum<{
+    readonly REQUIRE_MFA: "require_mfa";
+    readonly REQUIRE_APPROVAL: "require_approval";
+    readonly BLOCK_ACCESS: "block_access";
+    readonly RATE_LIMIT: "rate_limit";
+    readonly REQUIRE_ENCRYPTION: "require_encryption";
+    readonly AUDIT_LOG: "audit_log";
+    readonly STEP_UP_AUTH: "step_up_auth";
+    readonly DATA_MASKING: "data_masking";
+    readonly SESSION_TIMEOUT: "session_timeout";
+    readonly GEO_RESTRICTION: "geo_restriction";
+    readonly CUSTOM: "custom";
+}>;
+/**
+ * MFA rule configuration
+ */
+export interface MFARule {
+    type: 'require_mfa';
+    enforced: boolean;
+    methods?: ('totp' | 'sms' | 'email' | 'push' | 'webauthn' | 'hardware_key')[];
+    timeout?: number;
+    rememberDevice?: boolean;
+    rememberDuration?: number;
+}
+export declare const mfaRuleSchema: z.ZodObject<{
+    type: z.ZodLiteral<"require_mfa">;
+    enforced: z.ZodBoolean;
+    methods: z.ZodOptional<z.ZodArray<z.ZodEnum<["totp", "sms", "email", "push", "webauthn", "hardware_key"]>, "many">>;
+    timeout: z.ZodOptional<z.ZodNumber>;
+    rememberDevice: z.ZodOptional<z.ZodBoolean>;
+    rememberDuration: z.ZodOptional<z.ZodNumber>;
+}, "strip", z.ZodTypeAny, {
+    timeout?: number;
+    type?: "require_mfa";
+    enforced?: boolean;
+    methods?: ("push" | "email" | "totp" | "webauthn" | "sms" | "hardware_key")[];
+    rememberDevice?: boolean;
+    rememberDuration?: number;
+}, {
+    timeout?: number;
+    type?: "require_mfa";
+    enforced?: boolean;
+    methods?: ("push" | "email" | "totp" | "webauthn" | "sms" | "hardware_key")[];
+    rememberDevice?: boolean;
+    rememberDuration?: number;
+}>;
+/**
+ * Approval rule configuration
+ */
+export interface ApprovalRule {
+    type: 'require_approval';
+    enforced: boolean;
+    approvers?: string[];
+    approverRoles?: string[];
+    approvalTimeout?: number;
+    minApprovers?: number;
+    autoRejectOnTimeout?: boolean;
+    requireJustification?: boolean;
+}
+export declare const approvalRuleSchema: z.ZodObject<{
+    type: z.ZodLiteral<"require_approval">;
+    enforced: z.ZodBoolean;
+    approvers: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    approverRoles: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    approvalTimeout: z.ZodOptional<z.ZodNumber>;
+    minApprovers: z.ZodOptional<z.ZodNumber>;
+    autoRejectOnTimeout: z.ZodOptional<z.ZodBoolean>;
+    requireJustification: z.ZodOptional<z.ZodBoolean>;
+}, "strip", z.ZodTypeAny, {
+    type?: "require_approval";
+    requireJustification?: boolean;
+    enforced?: boolean;
+    approvers?: string[];
+    approverRoles?: string[];
+    approvalTimeout?: number;
+    minApprovers?: number;
+    autoRejectOnTimeout?: boolean;
+}, {
+    type?: "require_approval";
+    requireJustification?: boolean;
+    enforced?: boolean;
+    approvers?: string[];
+    approverRoles?: string[];
+    approvalTimeout?: number;
+    minApprovers?: number;
+    autoRejectOnTimeout?: boolean;
+}>;
+/**
+ * Block access rule configuration
+ */
+export interface BlockAccessRule {
+    type: 'block_access';
+    enforced: boolean;
+    reason?: string;
+    errorCode?: string;
+    redirectUrl?: string;
+}
+export declare const blockAccessRuleSchema: z.ZodObject<{
+    type: z.ZodLiteral<"block_access">;
+    enforced: z.ZodBoolean;
+    reason: z.ZodOptional<z.ZodString>;
+    errorCode: z.ZodOptional<z.ZodString>;
+    redirectUrl: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    reason?: string;
+    type?: "block_access";
+    errorCode?: string;
+    enforced?: boolean;
+    redirectUrl?: string;
+}, {
+    reason?: string;
+    type?: "block_access";
+    errorCode?: string;
+    enforced?: boolean;
+    redirectUrl?: string;
+}>;
+/**
+ * Rate limit rule configuration
+ */
+export interface RateLimitRule {
+    type: 'rate_limit';
+    enforced: boolean;
+    limit: number;
+    window: number;
+    windowUnit?: 'second' | 'minute' | 'hour' | 'day';
+    keyBy?: ('user' | 'ip' | 'tenant' | 'api_key' | 'custom')[];
+    customKey?: string;
+    burstLimit?: number;
+    retryAfter?: number;
+}
+export declare const rateLimitRuleSchema: z.ZodObject<{
+    type: z.ZodLiteral<"rate_limit">;
+    enforced: z.ZodBoolean;
+    limit: z.ZodNumber;
+    window: z.ZodNumber;
+    windowUnit: z.ZodOptional<z.ZodEnum<["second", "minute", "hour", "day"]>>;
+    keyBy: z.ZodOptional<z.ZodArray<z.ZodEnum<["user", "ip", "tenant", "api_key", "custom"]>, "many">>;
+    customKey: z.ZodOptional<z.ZodString>;
+    burstLimit: z.ZodOptional<z.ZodNumber>;
+    retryAfter: z.ZodOptional<z.ZodNumber>;
+}, "strip", z.ZodTypeAny, {
+    limit?: number;
+    type?: "rate_limit";
+    retryAfter?: number;
+    window?: number;
+    enforced?: boolean;
+    burstLimit?: number;
+    windowUnit?: "hour" | "day" | "second" | "minute";
+    keyBy?: ("user" | "custom" | "ip" | "api_key" | "tenant")[];
+    customKey?: string;
+}, {
+    limit?: number;
+    type?: "rate_limit";
+    retryAfter?: number;
+    window?: number;
+    enforced?: boolean;
+    burstLimit?: number;
+    windowUnit?: "hour" | "day" | "second" | "minute";
+    keyBy?: ("user" | "custom" | "ip" | "api_key" | "tenant")[];
+    customKey?: string;
+}>;
+/**
+ * Encryption rule configuration
+ */
+export interface EncryptionRule {
+    type: 'require_encryption';
+    enforced: boolean;
+    fields?: string[];
+    algorithm?: 'AES-256-GCM' | 'RSA-OAEP' | 'ChaCha20-Poly1305';
+    keyId?: string;
+}
+export declare const encryptionRuleSchema: z.ZodObject<{
+    type: z.ZodLiteral<"require_encryption">;
+    enforced: z.ZodBoolean;
+    fields: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    algorithm: z.ZodOptional<z.ZodEnum<["AES-256-GCM", "RSA-OAEP", "ChaCha20-Poly1305"]>>;
+    keyId: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    type?: "require_encryption";
+    algorithm?: "AES-256-GCM" | "RSA-OAEP" | "ChaCha20-Poly1305";
+    fields?: string[];
+    enforced?: boolean;
+    keyId?: string;
+}, {
+    type?: "require_encryption";
+    algorithm?: "AES-256-GCM" | "RSA-OAEP" | "ChaCha20-Poly1305";
+    fields?: string[];
+    enforced?: boolean;
+    keyId?: string;
+}>;
+/**
+ * Audit log rule configuration
+ */
+export interface AuditLogRule {
+    type: 'audit_log';
+    enforced: boolean;
+    level?: 'basic' | 'detailed' | 'full';
+    includeRequest?: boolean;
+    includeResponse?: boolean;
+    includeHeaders?: boolean;
+    redactFields?: string[];
+    destination?: string;
+}
+export declare const auditLogRuleSchema: z.ZodObject<{
+    type: z.ZodLiteral<"audit_log">;
+    enforced: z.ZodBoolean;
+    level: z.ZodOptional<z.ZodEnum<["basic", "detailed", "full"]>>;
+    includeRequest: z.ZodOptional<z.ZodBoolean>;
+    includeResponse: z.ZodOptional<z.ZodBoolean>;
+    includeHeaders: z.ZodOptional<z.ZodBoolean>;
+    redactFields: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    destination: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    level?: "full" | "detailed" | "basic";
+    type?: "audit_log";
+    enforced?: boolean;
+    includeRequest?: boolean;
+    includeResponse?: boolean;
+    includeHeaders?: boolean;
+    redactFields?: string[];
+    destination?: string;
+}, {
+    level?: "full" | "detailed" | "basic";
+    type?: "audit_log";
+    enforced?: boolean;
+    includeRequest?: boolean;
+    includeResponse?: boolean;
+    includeHeaders?: boolean;
+    redactFields?: string[];
+    destination?: string;
+}>;
+/**
+ * Step-up authentication rule
+ */
+export interface StepUpAuthRule {
+    type: 'step_up_auth';
+    enforced: boolean;
+    requiredLevel: number;
+    method?: 'mfa' | 'password' | 'biometric';
+    timeout?: number;
+}
+export declare const stepUpAuthRuleSchema: z.ZodObject<{
+    type: z.ZodLiteral<"step_up_auth">;
+    enforced: z.ZodBoolean;
+    requiredLevel: z.ZodNumber;
+    method: z.ZodOptional<z.ZodEnum<["mfa", "password", "biometric"]>>;
+    timeout: z.ZodOptional<z.ZodNumber>;
+}, "strip", z.ZodTypeAny, {
+    timeout?: number;
+    type?: "step_up_auth";
+    method?: "password" | "biometric" | "mfa";
+    requiredLevel?: number;
+    enforced?: boolean;
+}, {
+    timeout?: number;
+    type?: "step_up_auth";
+    method?: "password" | "biometric" | "mfa";
+    requiredLevel?: number;
+    enforced?: boolean;
+}>;
+/**
+ * Data masking rule
+ */
+export interface DataMaskingRule {
+    type: 'data_masking';
+    enforced: boolean;
+    fields: string[];
+    maskType?: 'full' | 'partial' | 'hash' | 'tokenize';
+    partialMaskPattern?: string;
+}
+export declare const dataMaskingRuleSchema: z.ZodObject<{
+    type: z.ZodLiteral<"data_masking">;
+    enforced: z.ZodBoolean;
+    fields: z.ZodArray<z.ZodString, "many">;
+    maskType: z.ZodOptional<z.ZodEnum<["full", "partial", "hash", "tokenize"]>>;
+    partialMaskPattern: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    type?: "data_masking";
+    fields?: string[];
+    enforced?: boolean;
+    maskType?: "hash" | "partial" | "full" | "tokenize";
+    partialMaskPattern?: string;
+}, {
+    type?: "data_masking";
+    fields?: string[];
+    enforced?: boolean;
+    maskType?: "hash" | "partial" | "full" | "tokenize";
+    partialMaskPattern?: string;
+}>;
+/**
+ * Session timeout rule
+ */
+export interface SessionTimeoutRule {
+    type: 'session_timeout';
+    enforced: boolean;
+    maxDuration?: number;
+    idleTimeout?: number;
+    requireReauth?: boolean;
+}
+export declare const sessionTimeoutRuleSchema: z.ZodObject<{
+    type: z.ZodLiteral<"session_timeout">;
+    enforced: z.ZodBoolean;
+    maxDuration: z.ZodOptional<z.ZodNumber>;
+    idleTimeout: z.ZodOptional<z.ZodNumber>;
+    requireReauth: z.ZodOptional<z.ZodBoolean>;
+}, "strip", z.ZodTypeAny, {
+    type?: "session_timeout";
+    enforced?: boolean;
+    maxDuration?: number;
+    idleTimeout?: number;
+    requireReauth?: boolean;
+}, {
+    type?: "session_timeout";
+    enforced?: boolean;
+    maxDuration?: number;
+    idleTimeout?: number;
+    requireReauth?: boolean;
+}>;
+/**
+ * Geo restriction rule
+ */
+export interface GeoRestrictionRule {
+    type: 'geo_restriction';
+    enforced: boolean;
+    allowedCountries?: string[];
+    blockedCountries?: string[];
+    allowedRegions?: string[];
+    blockedRegions?: string[];
+}
+export declare const geoRestrictionRuleSchema: z.ZodObject<{
+    type: z.ZodLiteral<"geo_restriction">;
+    enforced: z.ZodBoolean;
+    allowedCountries: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    blockedCountries: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    allowedRegions: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    blockedRegions: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+}, "strip", z.ZodTypeAny, {
+    type?: "geo_restriction";
+    enforced?: boolean;
+    allowedCountries?: string[];
+    blockedCountries?: string[];
+    allowedRegions?: string[];
+    blockedRegions?: string[];
+}, {
+    type?: "geo_restriction";
+    enforced?: boolean;
+    allowedCountries?: string[];
+    blockedCountries?: string[];
+    allowedRegions?: string[];
+    blockedRegions?: string[];
+}>;
+/**
+ * Custom rule
+ */
+export interface CustomRule {
+    type: 'custom';
+    enforced: boolean;
+    handler: string;
+    config?: Record<string, unknown>;
+}
+export declare const customRuleSchema: z.ZodObject<{
+    type: z.ZodLiteral<"custom">;
+    enforced: z.ZodBoolean;
+    handler: z.ZodString;
+    config: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+}, "strip", z.ZodTypeAny, {
+    type?: "custom";
+    config?: Record<string, unknown>;
+    handler?: string;
+    enforced?: boolean;
+}, {
+    type?: "custom";
+    config?: Record<string, unknown>;
+    handler?: string;
+    enforced?: boolean;
+}>;
+/**
+ * Union of all rule types
+ */
+export type PolicyRule = MFARule | ApprovalRule | BlockAccessRule | RateLimitRule | EncryptionRule | AuditLogRule | StepUpAuthRule | DataMaskingRule | SessionTimeoutRule | GeoRestrictionRule | CustomRule;
+export declare const policyRuleSchema: z.ZodDiscriminatedUnion<"type", [z.ZodObject<{
+    type: z.ZodLiteral<"require_mfa">;
+    enforced: z.ZodBoolean;
+    methods: z.ZodOptional<z.ZodArray<z.ZodEnum<["totp", "sms", "email", "push", "webauthn", "hardware_key"]>, "many">>;
+    timeout: z.ZodOptional<z.ZodNumber>;
+    rememberDevice: z.ZodOptional<z.ZodBoolean>;
+    rememberDuration: z.ZodOptional<z.ZodNumber>;
+}, "strip", z.ZodTypeAny, {
+    timeout?: number;
+    type?: "require_mfa";
+    enforced?: boolean;
+    methods?: ("push" | "email" | "totp" | "webauthn" | "sms" | "hardware_key")[];
+    rememberDevice?: boolean;
+    rememberDuration?: number;
+}, {
+    timeout?: number;
+    type?: "require_mfa";
+    enforced?: boolean;
+    methods?: ("push" | "email" | "totp" | "webauthn" | "sms" | "hardware_key")[];
+    rememberDevice?: boolean;
+    rememberDuration?: number;
+}>, z.ZodObject<{
+    type: z.ZodLiteral<"require_approval">;
+    enforced: z.ZodBoolean;
+    approvers: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    approverRoles: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    approvalTimeout: z.ZodOptional<z.ZodNumber>;
+    minApprovers: z.ZodOptional<z.ZodNumber>;
+    autoRejectOnTimeout: z.ZodOptional<z.ZodBoolean>;
+    requireJustification: z.ZodOptional<z.ZodBoolean>;
+}, "strip", z.ZodTypeAny, {
+    type?: "require_approval";
+    requireJustification?: boolean;
+    enforced?: boolean;
+    approvers?: string[];
+    approverRoles?: string[];
+    approvalTimeout?: number;
+    minApprovers?: number;
+    autoRejectOnTimeout?: boolean;
+}, {
+    type?: "require_approval";
+    requireJustification?: boolean;
+    enforced?: boolean;
+    approvers?: string[];
+    approverRoles?: string[];
+    approvalTimeout?: number;
+    minApprovers?: number;
+    autoRejectOnTimeout?: boolean;
+}>, z.ZodObject<{
+    type: z.ZodLiteral<"block_access">;
+    enforced: z.ZodBoolean;
+    reason: z.ZodOptional<z.ZodString>;
+    errorCode: z.ZodOptional<z.ZodString>;
+    redirectUrl: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    reason?: string;
+    type?: "block_access";
+    errorCode?: string;
+    enforced?: boolean;
+    redirectUrl?: string;
+}, {
+    reason?: string;
+    type?: "block_access";
+    errorCode?: string;
+    enforced?: boolean;
+    redirectUrl?: string;
+}>, z.ZodObject<{
+    type: z.ZodLiteral<"rate_limit">;
+    enforced: z.ZodBoolean;
+    limit: z.ZodNumber;
+    window: z.ZodNumber;
+    windowUnit: z.ZodOptional<z.ZodEnum<["second", "minute", "hour", "day"]>>;
+    keyBy: z.ZodOptional<z.ZodArray<z.ZodEnum<["user", "ip", "tenant", "api_key", "custom"]>, "many">>;
+    customKey: z.ZodOptional<z.ZodString>;
+    burstLimit: z.ZodOptional<z.ZodNumber>;
+    retryAfter: z.ZodOptional<z.ZodNumber>;
+}, "strip", z.ZodTypeAny, {
+    limit?: number;
+    type?: "rate_limit";
+    retryAfter?: number;
+    window?: number;
+    enforced?: boolean;
+    burstLimit?: number;
+    windowUnit?: "hour" | "day" | "second" | "minute";
+    keyBy?: ("user" | "custom" | "ip" | "api_key" | "tenant")[];
+    customKey?: string;
+}, {
+    limit?: number;
+    type?: "rate_limit";
+    retryAfter?: number;
+    window?: number;
+    enforced?: boolean;
+    burstLimit?: number;
+    windowUnit?: "hour" | "day" | "second" | "minute";
+    keyBy?: ("user" | "custom" | "ip" | "api_key" | "tenant")[];
+    customKey?: string;
+}>, z.ZodObject<{
+    type: z.ZodLiteral<"require_encryption">;
+    enforced: z.ZodBoolean;
+    fields: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    algorithm: z.ZodOptional<z.ZodEnum<["AES-256-GCM", "RSA-OAEP", "ChaCha20-Poly1305"]>>;
+    keyId: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    type?: "require_encryption";
+    algorithm?: "AES-256-GCM" | "RSA-OAEP" | "ChaCha20-Poly1305";
+    fields?: string[];
+    enforced?: boolean;
+    keyId?: string;
+}, {
+    type?: "require_encryption";
+    algorithm?: "AES-256-GCM" | "RSA-OAEP" | "ChaCha20-Poly1305";
+    fields?: string[];
+    enforced?: boolean;
+    keyId?: string;
+}>, z.ZodObject<{
+    type: z.ZodLiteral<"audit_log">;
+    enforced: z.ZodBoolean;
+    level: z.ZodOptional<z.ZodEnum<["basic", "detailed", "full"]>>;
+    includeRequest: z.ZodOptional<z.ZodBoolean>;
+    includeResponse: z.ZodOptional<z.ZodBoolean>;
+    includeHeaders: z.ZodOptional<z.ZodBoolean>;
+    redactFields: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    destination: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    level?: "full" | "detailed" | "basic";
+    type?: "audit_log";
+    enforced?: boolean;
+    includeRequest?: boolean;
+    includeResponse?: boolean;
+    includeHeaders?: boolean;
+    redactFields?: string[];
+    destination?: string;
+}, {
+    level?: "full" | "detailed" | "basic";
+    type?: "audit_log";
+    enforced?: boolean;
+    includeRequest?: boolean;
+    includeResponse?: boolean;
+    includeHeaders?: boolean;
+    redactFields?: string[];
+    destination?: string;
+}>, z.ZodObject<{
+    type: z.ZodLiteral<"step_up_auth">;
+    enforced: z.ZodBoolean;
+    requiredLevel: z.ZodNumber;
+    method: z.ZodOptional<z.ZodEnum<["mfa", "password", "biometric"]>>;
+    timeout: z.ZodOptional<z.ZodNumber>;
+}, "strip", z.ZodTypeAny, {
+    timeout?: number;
+    type?: "step_up_auth";
+    method?: "password" | "biometric" | "mfa";
+    requiredLevel?: number;
+    enforced?: boolean;
+}, {
+    timeout?: number;
+    type?: "step_up_auth";
+    method?: "password" | "biometric" | "mfa";
+    requiredLevel?: number;
+    enforced?: boolean;
+}>, z.ZodObject<{
+    type: z.ZodLiteral<"data_masking">;
+    enforced: z.ZodBoolean;
+    fields: z.ZodArray<z.ZodString, "many">;
+    maskType: z.ZodOptional<z.ZodEnum<["full", "partial", "hash", "tokenize"]>>;
+    partialMaskPattern: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    type?: "data_masking";
+    fields?: string[];
+    enforced?: boolean;
+    maskType?: "hash" | "partial" | "full" | "tokenize";
+    partialMaskPattern?: string;
+}, {
+    type?: "data_masking";
+    fields?: string[];
+    enforced?: boolean;
+    maskType?: "hash" | "partial" | "full" | "tokenize";
+    partialMaskPattern?: string;
+}>, z.ZodObject<{
+    type: z.ZodLiteral<"session_timeout">;
+    enforced: z.ZodBoolean;
+    maxDuration: z.ZodOptional<z.ZodNumber>;
+    idleTimeout: z.ZodOptional<z.ZodNumber>;
+    requireReauth: z.ZodOptional<z.ZodBoolean>;
+}, "strip", z.ZodTypeAny, {
+    type?: "session_timeout";
+    enforced?: boolean;
+    maxDuration?: number;
+    idleTimeout?: number;
+    requireReauth?: boolean;
+}, {
+    type?: "session_timeout";
+    enforced?: boolean;
+    maxDuration?: number;
+    idleTimeout?: number;
+    requireReauth?: boolean;
+}>, z.ZodObject<{
+    type: z.ZodLiteral<"geo_restriction">;
+    enforced: z.ZodBoolean;
+    allowedCountries: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    blockedCountries: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    allowedRegions: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    blockedRegions: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+}, "strip", z.ZodTypeAny, {
+    type?: "geo_restriction";
+    enforced?: boolean;
+    allowedCountries?: string[];
+    blockedCountries?: string[];
+    allowedRegions?: string[];
+    blockedRegions?: string[];
+}, {
+    type?: "geo_restriction";
+    enforced?: boolean;
+    allowedCountries?: string[];
+    blockedCountries?: string[];
+    allowedRegions?: string[];
+    blockedRegions?: string[];
+}>, z.ZodObject<{
+    type: z.ZodLiteral<"custom">;
+    enforced: z.ZodBoolean;
+    handler: z.ZodString;
+    config: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+}, "strip", z.ZodTypeAny, {
+    type?: "custom";
+    config?: Record<string, unknown>;
+    handler?: string;
+    enforced?: boolean;
+}, {
+    type?: "custom";
+    config?: Record<string, unknown>;
+    handler?: string;
+    enforced?: boolean;
+}>]>;
+export declare const PolicyActionType: {
+    readonly ALLOW: "allow";
+    readonly DENY: "deny";
+    readonly CHALLENGE: "challenge";
+    readonly NOTIFY: "notify";
+    readonly LOG: "log";
+    readonly ESCALATE: "escalate";
+    readonly QUARANTINE: "quarantine";
+    readonly REDIRECT: "redirect";
+    readonly MODIFY: "modify";
+};
+export type PolicyActionType = (typeof PolicyActionType)[keyof typeof PolicyActionType];
+export declare const policyActionTypeSchema: z.ZodNativeEnum<{
+    readonly ALLOW: "allow";
+    readonly DENY: "deny";
+    readonly CHALLENGE: "challenge";
+    readonly NOTIFY: "notify";
+    readonly LOG: "log";
+    readonly ESCALATE: "escalate";
+    readonly QUARANTINE: "quarantine";
+    readonly REDIRECT: "redirect";
+    readonly MODIFY: "modify";
+}>;
+/**
+ * Allow action
+ */
+export interface AllowAction {
+    type: 'allow';
+    message?: string;
+    metadata?: Record<string, unknown>;
+}
+export declare const allowActionSchema: z.ZodObject<{
+    type: z.ZodLiteral<"allow">;
+    message: z.ZodOptional<z.ZodString>;
+    metadata: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+}, "strip", z.ZodTypeAny, {
+    message?: string;
+    type?: "allow";
+    metadata?: Record<string, unknown>;
+}, {
+    message?: string;
+    type?: "allow";
+    metadata?: Record<string, unknown>;
+}>;
+/**
+ * Deny action
+ */
+export interface DenyAction {
+    type: 'deny';
+    reason: string;
+    errorCode?: string;
+    httpStatus?: number;
+    retryable?: boolean;
+    retryAfter?: number;
+}
+export declare const denyActionSchema: z.ZodObject<{
+    type: z.ZodLiteral<"deny">;
+    reason: z.ZodString;
+    errorCode: z.ZodOptional<z.ZodString>;
+    httpStatus: z.ZodOptional<z.ZodNumber>;
+    retryable: z.ZodOptional<z.ZodBoolean>;
+    retryAfter: z.ZodOptional<z.ZodNumber>;
+}, "strip", z.ZodTypeAny, {
+    reason?: string;
+    type?: "deny";
+    retryAfter?: number;
+    errorCode?: string;
+    httpStatus?: number;
+    retryable?: boolean;
+}, {
+    reason?: string;
+    type?: "deny";
+    retryAfter?: number;
+    errorCode?: string;
+    httpStatus?: number;
+    retryable?: boolean;
+}>;
+/**
+ * Challenge action (request additional authentication)
+ */
+export interface ChallengeAction {
+    type: 'challenge';
+    method: 'mfa' | 'password' | 'captcha' | 'approval' | 'custom';
+    timeout?: number;
+    redirectUrl?: string;
+    customChallenge?: string;
+}
+export declare const challengeActionSchema: z.ZodObject<{
+    type: z.ZodLiteral<"challenge">;
+    method: z.ZodEnum<["mfa", "password", "captcha", "approval", "custom"]>;
+    timeout: z.ZodOptional<z.ZodNumber>;
+    redirectUrl: z.ZodOptional<z.ZodString>;
+    customChallenge: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    timeout?: number;
+    type?: "challenge";
+    method?: "password" | "custom" | "approval" | "mfa" | "captcha";
+    redirectUrl?: string;
+    customChallenge?: string;
+}, {
+    timeout?: number;
+    type?: "challenge";
+    method?: "password" | "custom" | "approval" | "mfa" | "captcha";
+    redirectUrl?: string;
+    customChallenge?: string;
+}>;
+/**
+ * Notify action (alert security team)
+ */
+export interface NotifyAction {
+    type: 'notify';
+    channels: ('email' | 'slack' | 'pagerduty' | 'webhook' | 'sms')[];
+    recipients?: string[];
+    severity: 'low' | 'medium' | 'high' | 'critical';
+    template?: string;
+    includeContext?: boolean;
+}
+export declare const notifyActionSchema: z.ZodObject<{
+    type: z.ZodLiteral<"notify">;
+    channels: z.ZodArray<z.ZodEnum<["email", "slack", "pagerduty", "webhook", "sms"]>, "many">;
+    recipients: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    severity: z.ZodEnum<["low", "medium", "high", "critical"]>;
+    template: z.ZodOptional<z.ZodString>;
+    includeContext: z.ZodOptional<z.ZodBoolean>;
+}, "strip", z.ZodTypeAny, {
+    type?: "notify";
+    severity?: "critical" | "low" | "medium" | "high";
+    template?: string;
+    channels?: ("email" | "webhook" | "slack" | "pagerduty" | "sms")[];
+    recipients?: string[];
+    includeContext?: boolean;
+}, {
+    type?: "notify";
+    severity?: "critical" | "low" | "medium" | "high";
+    template?: string;
+    channels?: ("email" | "webhook" | "slack" | "pagerduty" | "sms")[];
+    recipients?: string[];
+    includeContext?: boolean;
+}>;
+/**
+ * Log action (audit trail)
+ */
+export interface LogAction {
+    type: 'log';
+    level: 'debug' | 'info' | 'warn' | 'error';
+    message?: string;
+    includeContext?: boolean;
+    includeRequest?: boolean;
+    includeUser?: boolean;
+    destination?: string;
+    tags?: string[];
+}
+export declare const logActionSchema: z.ZodObject<{
+    type: z.ZodLiteral<"log">;
+    level: z.ZodEnum<["debug", "info", "warn", "error"]>;
+    message: z.ZodOptional<z.ZodString>;
+    includeContext: z.ZodOptional<z.ZodBoolean>;
+    includeRequest: z.ZodOptional<z.ZodBoolean>;
+    includeUser: z.ZodOptional<z.ZodBoolean>;
+    destination: z.ZodOptional<z.ZodString>;
+    tags: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+}, "strip", z.ZodTypeAny, {
+    level?: "error" | "warn" | "info" | "debug";
+    message?: string;
+    type?: "log";
+    tags?: string[];
+    includeRequest?: boolean;
+    destination?: string;
+    includeContext?: boolean;
+    includeUser?: boolean;
+}, {
+    level?: "error" | "warn" | "info" | "debug";
+    message?: string;
+    type?: "log";
+    tags?: string[];
+    includeRequest?: boolean;
+    destination?: string;
+    includeContext?: boolean;
+    includeUser?: boolean;
+}>;
+/**
+ * Escalate action (create incident)
+ */
+export interface EscalateAction {
+    type: 'escalate';
+    severity: 'low' | 'medium' | 'high' | 'critical';
+    assignTo?: string[];
+    assignToRoles?: string[];
+    createIncident?: boolean;
+    incidentType?: string;
+    timeout?: number;
+    autoResolve?: boolean;
+}
+export declare const escalateActionSchema: z.ZodObject<{
+    type: z.ZodLiteral<"escalate">;
+    severity: z.ZodEnum<["low", "medium", "high", "critical"]>;
+    assignTo: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    assignToRoles: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    createIncident: z.ZodOptional<z.ZodBoolean>;
+    incidentType: z.ZodOptional<z.ZodString>;
+    timeout: z.ZodOptional<z.ZodNumber>;
+    autoResolve: z.ZodOptional<z.ZodBoolean>;
+}, "strip", z.ZodTypeAny, {
+    timeout?: number;
+    type?: "escalate";
+    severity?: "critical" | "low" | "medium" | "high";
+    incidentType?: string;
+    assignTo?: string[];
+    assignToRoles?: string[];
+    createIncident?: boolean;
+    autoResolve?: boolean;
+}, {
+    timeout?: number;
+    type?: "escalate";
+    severity?: "critical" | "low" | "medium" | "high";
+    incidentType?: string;
+    assignTo?: string[];
+    assignToRoles?: string[];
+    createIncident?: boolean;
+    autoResolve?: boolean;
+}>;
+/**
+ * Quarantine action (temporary block)
+ */
+export interface QuarantineAction {
+    type: 'quarantine';
+    duration: number;
+    durationUnit?: 'second' | 'minute' | 'hour' | 'day';
+    reason: string;
+    notifyUser?: boolean;
+    notifyAdmin?: boolean;
+    allowAppeal?: boolean;
+}
+export declare const quarantineActionSchema: z.ZodObject<{
+    type: z.ZodLiteral<"quarantine">;
+    duration: z.ZodNumber;
+    durationUnit: z.ZodOptional<z.ZodEnum<["second", "minute", "hour", "day"]>>;
+    reason: z.ZodString;
+    notifyUser: z.ZodOptional<z.ZodBoolean>;
+    notifyAdmin: z.ZodOptional<z.ZodBoolean>;
+    allowAppeal: z.ZodOptional<z.ZodBoolean>;
+}, "strip", z.ZodTypeAny, {
+    reason?: string;
+    type?: "quarantine";
+    duration?: number;
+    durationUnit?: "hour" | "day" | "second" | "minute";
+    notifyUser?: boolean;
+    notifyAdmin?: boolean;
+    allowAppeal?: boolean;
+}, {
+    reason?: string;
+    type?: "quarantine";
+    duration?: number;
+    durationUnit?: "hour" | "day" | "second" | "minute";
+    notifyUser?: boolean;
+    notifyAdmin?: boolean;
+    allowAppeal?: boolean;
+}>;
+/**
+ * Redirect action
+ */
+export interface RedirectAction {
+    type: 'redirect';
+    url: string;
+    statusCode?: 301 | 302 | 303 | 307 | 308;
+    preserveQuery?: boolean;
+}
+export declare const redirectActionSchema: z.ZodObject<{
+    type: z.ZodLiteral<"redirect">;
+    url: z.ZodString;
+    statusCode: z.ZodOptional<z.ZodUnion<[z.ZodLiteral<301>, z.ZodLiteral<302>, z.ZodLiteral<303>, z.ZodLiteral<307>, z.ZodLiteral<308>]>>;
+    preserveQuery: z.ZodOptional<z.ZodBoolean>;
+}, "strip", z.ZodTypeAny, {
+    type?: "redirect";
+    url?: string;
+    statusCode?: 301 | 302 | 303 | 307 | 308;
+    preserveQuery?: boolean;
+}, {
+    type?: "redirect";
+    url?: string;
+    statusCode?: 301 | 302 | 303 | 307 | 308;
+    preserveQuery?: boolean;
+}>;
+/**
+ * Modify action (modify request/response)
+ */
+export interface ModifyAction {
+    type: 'modify';
+    addHeaders?: Record<string, string>;
+    removeHeaders?: string[];
+    modifyBody?: Record<string, unknown>;
+    addClaims?: Record<string, unknown>;
+}
+export declare const modifyActionSchema: z.ZodObject<{
+    type: z.ZodLiteral<"modify">;
+    addHeaders: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
+    removeHeaders: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    modifyBody: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+    addClaims: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+}, "strip", z.ZodTypeAny, {
+    type?: "modify";
+    addHeaders?: Record<string, string>;
+    removeHeaders?: string[];
+    modifyBody?: Record<string, unknown>;
+    addClaims?: Record<string, unknown>;
+}, {
+    type?: "modify";
+    addHeaders?: Record<string, string>;
+    removeHeaders?: string[];
+    modifyBody?: Record<string, unknown>;
+    addClaims?: Record<string, unknown>;
+}>;
+/**
+ * Union of all action types
+ */
+export type PolicyAction = AllowAction | DenyAction | ChallengeAction | NotifyAction | LogAction | EscalateAction | QuarantineAction | RedirectAction | ModifyAction;
+export declare const policyActionSchema: z.ZodDiscriminatedUnion<"type", [z.ZodObject<{
+    type: z.ZodLiteral<"allow">;
+    message: z.ZodOptional<z.ZodString>;
+    metadata: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+}, "strip", z.ZodTypeAny, {
+    message?: string;
+    type?: "allow";
+    metadata?: Record<string, unknown>;
+}, {
+    message?: string;
+    type?: "allow";
+    metadata?: Record<string, unknown>;
+}>, z.ZodObject<{
+    type: z.ZodLiteral<"deny">;
+    reason: z.ZodString;
+    errorCode: z.ZodOptional<z.ZodString>;
+    httpStatus: z.ZodOptional<z.ZodNumber>;
+    retryable: z.ZodOptional<z.ZodBoolean>;
+    retryAfter: z.ZodOptional<z.ZodNumber>;
+}, "strip", z.ZodTypeAny, {
+    reason?: string;
+    type?: "deny";
+    retryAfter?: number;
+    errorCode?: string;
+    httpStatus?: number;
+    retryable?: boolean;
+}, {
+    reason?: string;
+    type?: "deny";
+    retryAfter?: number;
+    errorCode?: string;
+    httpStatus?: number;
+    retryable?: boolean;
+}>, z.ZodObject<{
+    type: z.ZodLiteral<"challenge">;
+    method: z.ZodEnum<["mfa", "password", "captcha", "approval", "custom"]>;
+    timeout: z.ZodOptional<z.ZodNumber>;
+    redirectUrl: z.ZodOptional<z.ZodString>;
+    customChallenge: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    timeout?: number;
+    type?: "challenge";
+    method?: "password" | "custom" | "approval" | "mfa" | "captcha";
+    redirectUrl?: string;
+    customChallenge?: string;
+}, {
+    timeout?: number;
+    type?: "challenge";
+    method?: "password" | "custom" | "approval" | "mfa" | "captcha";
+    redirectUrl?: string;
+    customChallenge?: string;
+}>, z.ZodObject<{
+    type: z.ZodLiteral<"notify">;
+    channels: z.ZodArray<z.ZodEnum<["email", "slack", "pagerduty", "webhook", "sms"]>, "many">;
+    recipients: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    severity: z.ZodEnum<["low", "medium", "high", "critical"]>;
+    template: z.ZodOptional<z.ZodString>;
+    includeContext: z.ZodOptional<z.ZodBoolean>;
+}, "strip", z.ZodTypeAny, {
+    type?: "notify";
+    severity?: "critical" | "low" | "medium" | "high";
+    template?: string;
+    channels?: ("email" | "webhook" | "slack" | "pagerduty" | "sms")[];
+    recipients?: string[];
+    includeContext?: boolean;
+}, {
+    type?: "notify";
+    severity?: "critical" | "low" | "medium" | "high";
+    template?: string;
+    channels?: ("email" | "webhook" | "slack" | "pagerduty" | "sms")[];
+    recipients?: string[];
+    includeContext?: boolean;
+}>, z.ZodObject<{
+    type: z.ZodLiteral<"log">;
+    level: z.ZodEnum<["debug", "info", "warn", "error"]>;
+    message: z.ZodOptional<z.ZodString>;
+    includeContext: z.ZodOptional<z.ZodBoolean>;
+    includeRequest: z.ZodOptional<z.ZodBoolean>;
+    includeUser: z.ZodOptional<z.ZodBoolean>;
+    destination: z.ZodOptional<z.ZodString>;
+    tags: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+}, "strip", z.ZodTypeAny, {
+    level?: "error" | "warn" | "info" | "debug";
+    message?: string;
+    type?: "log";
+    tags?: string[];
+    includeRequest?: boolean;
+    destination?: string;
+    includeContext?: boolean;
+    includeUser?: boolean;
+}, {
+    level?: "error" | "warn" | "info" | "debug";
+    message?: string;
+    type?: "log";
+    tags?: string[];
+    includeRequest?: boolean;
+    destination?: string;
+    includeContext?: boolean;
+    includeUser?: boolean;
+}>, z.ZodObject<{
+    type: z.ZodLiteral<"escalate">;
+    severity: z.ZodEnum<["low", "medium", "high", "critical"]>;
+    assignTo: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    assignToRoles: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    createIncident: z.ZodOptional<z.ZodBoolean>;
+    incidentType: z.ZodOptional<z.ZodString>;
+    timeout: z.ZodOptional<z.ZodNumber>;
+    autoResolve: z.ZodOptional<z.ZodBoolean>;
+}, "strip", z.ZodTypeAny, {
+    timeout?: number;
+    type?: "escalate";
+    severity?: "critical" | "low" | "medium" | "high";
+    incidentType?: string;
+    assignTo?: string[];
+    assignToRoles?: string[];
+    createIncident?: boolean;
+    autoResolve?: boolean;
+}, {
+    timeout?: number;
+    type?: "escalate";
+    severity?: "critical" | "low" | "medium" | "high";
+    incidentType?: string;
+    assignTo?: string[];
+    assignToRoles?: string[];
+    createIncident?: boolean;
+    autoResolve?: boolean;
+}>, z.ZodObject<{
+    type: z.ZodLiteral<"quarantine">;
+    duration: z.ZodNumber;
+    durationUnit: z.ZodOptional<z.ZodEnum<["second", "minute", "hour", "day"]>>;
+    reason: z.ZodString;
+    notifyUser: z.ZodOptional<z.ZodBoolean>;
+    notifyAdmin: z.ZodOptional<z.ZodBoolean>;
+    allowAppeal: z.ZodOptional<z.ZodBoolean>;
+}, "strip", z.ZodTypeAny, {
+    reason?: string;
+    type?: "quarantine";
+    duration?: number;
+    durationUnit?: "hour" | "day" | "second" | "minute";
+    notifyUser?: boolean;
+    notifyAdmin?: boolean;
+    allowAppeal?: boolean;
+}, {
+    reason?: string;
+    type?: "quarantine";
+    duration?: number;
+    durationUnit?: "hour" | "day" | "second" | "minute";
+    notifyUser?: boolean;
+    notifyAdmin?: boolean;
+    allowAppeal?: boolean;
+}>, z.ZodObject<{
+    type: z.ZodLiteral<"redirect">;
+    url: z.ZodString;
+    statusCode: z.ZodOptional<z.ZodUnion<[z.ZodLiteral<301>, z.ZodLiteral<302>, z.ZodLiteral<303>, z.ZodLiteral<307>, z.ZodLiteral<308>]>>;
+    preserveQuery: z.ZodOptional<z.ZodBoolean>;
+}, "strip", z.ZodTypeAny, {
+    type?: "redirect";
+    url?: string;
+    statusCode?: 301 | 302 | 303 | 307 | 308;
+    preserveQuery?: boolean;
+}, {
+    type?: "redirect";
+    url?: string;
+    statusCode?: 301 | 302 | 303 | 307 | 308;
+    preserveQuery?: boolean;
+}>, z.ZodObject<{
+    type: z.ZodLiteral<"modify">;
+    addHeaders: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
+    removeHeaders: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    modifyBody: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+    addClaims: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+}, "strip", z.ZodTypeAny, {
+    type?: "modify";
+    addHeaders?: Record<string, string>;
+    removeHeaders?: string[];
+    modifyBody?: Record<string, unknown>;
+    addClaims?: Record<string, unknown>;
+}, {
+    type?: "modify";
+    addHeaders?: Record<string, string>;
+    removeHeaders?: string[];
+    modifyBody?: Record<string, unknown>;
+    addClaims?: Record<string, unknown>;
+}>]>;
+/**
+ * Security policy definition
+ */
+export interface SecurityPolicy {
+    /** Unique policy identifier */
+    id: string;
+    /** Human-readable policy name */
+    name: string;
+    /** Policy description */
+    description: string;
+    /** Policy priority (higher = evaluated first) */
+    priority: number;
+    /** Whether policy is enabled */
+    enabled: boolean;
+    /** Conditions that determine when policy applies */
+    conditions: PolicyCondition[];
+    /** Rules that define what to enforce */
+    rules: PolicyRule[];
+    /** Actions to take when policy matches */
+    actions: PolicyAction[];
+    /** Policy version */
+    version: string;
+    /** Policy tags for categorization */
+    tags?: string[];
+    /** Metadata */
+    metadata?: Record<string, unknown>;
+    /** Created timestamp */
+    createdAt: string;
+    /** Updated timestamp */
+    updatedAt: string;
+    /** Created by user ID */
+    createdBy?: string;
+    /** Updated by user ID */
+    updatedBy?: string;
+}
+export declare const securityPolicySchema: z.ZodObject<{
+    id: z.ZodString;
+    name: z.ZodString;
+    description: z.ZodString;
+    priority: z.ZodNumber;
+    enabled: z.ZodBoolean;
+    conditions: z.ZodArray<z.ZodType<any, z.ZodTypeDef, any>, "many">;
+    rules: z.ZodArray<z.ZodDiscriminatedUnion<"type", [z.ZodObject<{
+        type: z.ZodLiteral<"require_mfa">;
+        enforced: z.ZodBoolean;
+        methods: z.ZodOptional<z.ZodArray<z.ZodEnum<["totp", "sms", "email", "push", "webauthn", "hardware_key"]>, "many">>;
+        timeout: z.ZodOptional<z.ZodNumber>;
+        rememberDevice: z.ZodOptional<z.ZodBoolean>;
+        rememberDuration: z.ZodOptional<z.ZodNumber>;
+    }, "strip", z.ZodTypeAny, {
+        timeout?: number;
+        type?: "require_mfa";
+        enforced?: boolean;
+        methods?: ("push" | "email" | "totp" | "webauthn" | "sms" | "hardware_key")[];
+        rememberDevice?: boolean;
+        rememberDuration?: number;
+    }, {
+        timeout?: number;
+        type?: "require_mfa";
+        enforced?: boolean;
+        methods?: ("push" | "email" | "totp" | "webauthn" | "sms" | "hardware_key")[];
+        rememberDevice?: boolean;
+        rememberDuration?: number;
+    }>, z.ZodObject<{
+        type: z.ZodLiteral<"require_approval">;
+        enforced: z.ZodBoolean;
+        approvers: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        approverRoles: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        approvalTimeout: z.ZodOptional<z.ZodNumber>;
+        minApprovers: z.ZodOptional<z.ZodNumber>;
+        autoRejectOnTimeout: z.ZodOptional<z.ZodBoolean>;
+        requireJustification: z.ZodOptional<z.ZodBoolean>;
+    }, "strip", z.ZodTypeAny, {
+        type?: "require_approval";
+        requireJustification?: boolean;
+        enforced?: boolean;
+        approvers?: string[];
+        approverRoles?: string[];
+        approvalTimeout?: number;
+        minApprovers?: number;
+        autoRejectOnTimeout?: boolean;
+    }, {
+        type?: "require_approval";
+        requireJustification?: boolean;
+        enforced?: boolean;
+        approvers?: string[];
+        approverRoles?: string[];
+        approvalTimeout?: number;
+        minApprovers?: number;
+        autoRejectOnTimeout?: boolean;
+    }>, z.ZodObject<{
+        type: z.ZodLiteral<"block_access">;
+        enforced: z.ZodBoolean;
+        reason: z.ZodOptional<z.ZodString>;
+        errorCode: z.ZodOptional<z.ZodString>;
+        redirectUrl: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        reason?: string;
+        type?: "block_access";
+        errorCode?: string;
+        enforced?: boolean;
+        redirectUrl?: string;
+    }, {
+        reason?: string;
+        type?: "block_access";
+        errorCode?: string;
+        enforced?: boolean;
+        redirectUrl?: string;
+    }>, z.ZodObject<{
+        type: z.ZodLiteral<"rate_limit">;
+        enforced: z.ZodBoolean;
+        limit: z.ZodNumber;
+        window: z.ZodNumber;
+        windowUnit: z.ZodOptional<z.ZodEnum<["second", "minute", "hour", "day"]>>;
+        keyBy: z.ZodOptional<z.ZodArray<z.ZodEnum<["user", "ip", "tenant", "api_key", "custom"]>, "many">>;
+        customKey: z.ZodOptional<z.ZodString>;
+        burstLimit: z.ZodOptional<z.ZodNumber>;
+        retryAfter: z.ZodOptional<z.ZodNumber>;
+    }, "strip", z.ZodTypeAny, {
+        limit?: number;
+        type?: "rate_limit";
+        retryAfter?: number;
+        window?: number;
+        enforced?: boolean;
+        burstLimit?: number;
+        windowUnit?: "hour" | "day" | "second" | "minute";
+        keyBy?: ("user" | "custom" | "ip" | "api_key" | "tenant")[];
+        customKey?: string;
+    }, {
+        limit?: number;
+        type?: "rate_limit";
+        retryAfter?: number;
+        window?: number;
+        enforced?: boolean;
+        burstLimit?: number;
+        windowUnit?: "hour" | "day" | "second" | "minute";
+        keyBy?: ("user" | "custom" | "ip" | "api_key" | "tenant")[];
+        customKey?: string;
+    }>, z.ZodObject<{
+        type: z.ZodLiteral<"require_encryption">;
+        enforced: z.ZodBoolean;
+        fields: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        algorithm: z.ZodOptional<z.ZodEnum<["AES-256-GCM", "RSA-OAEP", "ChaCha20-Poly1305"]>>;
+        keyId: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        type?: "require_encryption";
+        algorithm?: "AES-256-GCM" | "RSA-OAEP" | "ChaCha20-Poly1305";
+        fields?: string[];
+        enforced?: boolean;
+        keyId?: string;
+    }, {
+        type?: "require_encryption";
+        algorithm?: "AES-256-GCM" | "RSA-OAEP" | "ChaCha20-Poly1305";
+        fields?: string[];
+        enforced?: boolean;
+        keyId?: string;
+    }>, z.ZodObject<{
+        type: z.ZodLiteral<"audit_log">;
+        enforced: z.ZodBoolean;
+        level: z.ZodOptional<z.ZodEnum<["basic", "detailed", "full"]>>;
+        includeRequest: z.ZodOptional<z.ZodBoolean>;
+        includeResponse: z.ZodOptional<z.ZodBoolean>;
+        includeHeaders: z.ZodOptional<z.ZodBoolean>;
+        redactFields: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        destination: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        level?: "full" | "detailed" | "basic";
+        type?: "audit_log";
+        enforced?: boolean;
+        includeRequest?: boolean;
+        includeResponse?: boolean;
+        includeHeaders?: boolean;
+        redactFields?: string[];
+        destination?: string;
+    }, {
+        level?: "full" | "detailed" | "basic";
+        type?: "audit_log";
+        enforced?: boolean;
+        includeRequest?: boolean;
+        includeResponse?: boolean;
+        includeHeaders?: boolean;
+        redactFields?: string[];
+        destination?: string;
+    }>, z.ZodObject<{
+        type: z.ZodLiteral<"step_up_auth">;
+        enforced: z.ZodBoolean;
+        requiredLevel: z.ZodNumber;
+        method: z.ZodOptional<z.ZodEnum<["mfa", "password", "biometric"]>>;
+        timeout: z.ZodOptional<z.ZodNumber>;
+    }, "strip", z.ZodTypeAny, {
+        timeout?: number;
+        type?: "step_up_auth";
+        method?: "password" | "biometric" | "mfa";
+        requiredLevel?: number;
+        enforced?: boolean;
+    }, {
+        timeout?: number;
+        type?: "step_up_auth";
+        method?: "password" | "biometric" | "mfa";
+        requiredLevel?: number;
+        enforced?: boolean;
+    }>, z.ZodObject<{
+        type: z.ZodLiteral<"data_masking">;
+        enforced: z.ZodBoolean;
+        fields: z.ZodArray<z.ZodString, "many">;
+        maskType: z.ZodOptional<z.ZodEnum<["full", "partial", "hash", "tokenize"]>>;
+        partialMaskPattern: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        type?: "data_masking";
+        fields?: string[];
+        enforced?: boolean;
+        maskType?: "hash" | "partial" | "full" | "tokenize";
+        partialMaskPattern?: string;
+    }, {
+        type?: "data_masking";
+        fields?: string[];
+        enforced?: boolean;
+        maskType?: "hash" | "partial" | "full" | "tokenize";
+        partialMaskPattern?: string;
+    }>, z.ZodObject<{
+        type: z.ZodLiteral<"session_timeout">;
+        enforced: z.ZodBoolean;
+        maxDuration: z.ZodOptional<z.ZodNumber>;
+        idleTimeout: z.ZodOptional<z.ZodNumber>;
+        requireReauth: z.ZodOptional<z.ZodBoolean>;
+    }, "strip", z.ZodTypeAny, {
+        type?: "session_timeout";
+        enforced?: boolean;
+        maxDuration?: number;
+        idleTimeout?: number;
+        requireReauth?: boolean;
+    }, {
+        type?: "session_timeout";
+        enforced?: boolean;
+        maxDuration?: number;
+        idleTimeout?: number;
+        requireReauth?: boolean;
+    }>, z.ZodObject<{
+        type: z.ZodLiteral<"geo_restriction">;
+        enforced: z.ZodBoolean;
+        allowedCountries: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        blockedCountries: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        allowedRegions: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        blockedRegions: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    }, "strip", z.ZodTypeAny, {
+        type?: "geo_restriction";
+        enforced?: boolean;
+        allowedCountries?: string[];
+        blockedCountries?: string[];
+        allowedRegions?: string[];
+        blockedRegions?: string[];
+    }, {
+        type?: "geo_restriction";
+        enforced?: boolean;
+        allowedCountries?: string[];
+        blockedCountries?: string[];
+        allowedRegions?: string[];
+        blockedRegions?: string[];
+    }>, z.ZodObject<{
+        type: z.ZodLiteral<"custom">;
+        enforced: z.ZodBoolean;
+        handler: z.ZodString;
+        config: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+    }, "strip", z.ZodTypeAny, {
+        type?: "custom";
+        config?: Record<string, unknown>;
+        handler?: string;
+        enforced?: boolean;
+    }, {
+        type?: "custom";
+        config?: Record<string, unknown>;
+        handler?: string;
+        enforced?: boolean;
+    }>]>, "many">;
+    actions: z.ZodArray<z.ZodDiscriminatedUnion<"type", [z.ZodObject<{
+        type: z.ZodLiteral<"allow">;
+        message: z.ZodOptional<z.ZodString>;
+        metadata: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+    }, "strip", z.ZodTypeAny, {
+        message?: string;
+        type?: "allow";
+        metadata?: Record<string, unknown>;
+    }, {
+        message?: string;
+        type?: "allow";
+        metadata?: Record<string, unknown>;
+    }>, z.ZodObject<{
+        type: z.ZodLiteral<"deny">;
+        reason: z.ZodString;
+        errorCode: z.ZodOptional<z.ZodString>;
+        httpStatus: z.ZodOptional<z.ZodNumber>;
+        retryable: z.ZodOptional<z.ZodBoolean>;
+        retryAfter: z.ZodOptional<z.ZodNumber>;
+    }, "strip", z.ZodTypeAny, {
+        reason?: string;
+        type?: "deny";
+        retryAfter?: number;
+        errorCode?: string;
+        httpStatus?: number;
+        retryable?: boolean;
+    }, {
+        reason?: string;
+        type?: "deny";
+        retryAfter?: number;
+        errorCode?: string;
+        httpStatus?: number;
+        retryable?: boolean;
+    }>, z.ZodObject<{
+        type: z.ZodLiteral<"challenge">;
+        method: z.ZodEnum<["mfa", "password", "captcha", "approval", "custom"]>;
+        timeout: z.ZodOptional<z.ZodNumber>;
+        redirectUrl: z.ZodOptional<z.ZodString>;
+        customChallenge: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        timeout?: number;
+        type?: "challenge";
+        method?: "password" | "custom" | "approval" | "mfa" | "captcha";
+        redirectUrl?: string;
+        customChallenge?: string;
+    }, {
+        timeout?: number;
+        type?: "challenge";
+        method?: "password" | "custom" | "approval" | "mfa" | "captcha";
+        redirectUrl?: string;
+        customChallenge?: string;
+    }>, z.ZodObject<{
+        type: z.ZodLiteral<"notify">;
+        channels: z.ZodArray<z.ZodEnum<["email", "slack", "pagerduty", "webhook", "sms"]>, "many">;
+        recipients: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        severity: z.ZodEnum<["low", "medium", "high", "critical"]>;
+        template: z.ZodOptional<z.ZodString>;
+        includeContext: z.ZodOptional<z.ZodBoolean>;
+    }, "strip", z.ZodTypeAny, {
+        type?: "notify";
+        severity?: "critical" | "low" | "medium" | "high";
+        template?: string;
+        channels?: ("email" | "webhook" | "slack" | "pagerduty" | "sms")[];
+        recipients?: string[];
+        includeContext?: boolean;
+    }, {
+        type?: "notify";
+        severity?: "critical" | "low" | "medium" | "high";
+        template?: string;
+        channels?: ("email" | "webhook" | "slack" | "pagerduty" | "sms")[];
+        recipients?: string[];
+        includeContext?: boolean;
+    }>, z.ZodObject<{
+        type: z.ZodLiteral<"log">;
+        level: z.ZodEnum<["debug", "info", "warn", "error"]>;
+        message: z.ZodOptional<z.ZodString>;
+        includeContext: z.ZodOptional<z.ZodBoolean>;
+        includeRequest: z.ZodOptional<z.ZodBoolean>;
+        includeUser: z.ZodOptional<z.ZodBoolean>;
+        destination: z.ZodOptional<z.ZodString>;
+        tags: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    }, "strip", z.ZodTypeAny, {
+        level?: "error" | "warn" | "info" | "debug";
+        message?: string;
+        type?: "log";
+        tags?: string[];
+        includeRequest?: boolean;
+        destination?: string;
+        includeContext?: boolean;
+        includeUser?: boolean;
+    }, {
+        level?: "error" | "warn" | "info" | "debug";
+        message?: string;
+        type?: "log";
+        tags?: string[];
+        includeRequest?: boolean;
+        destination?: string;
+        includeContext?: boolean;
+        includeUser?: boolean;
+    }>, z.ZodObject<{
+        type: z.ZodLiteral<"escalate">;
+        severity: z.ZodEnum<["low", "medium", "high", "critical"]>;
+        assignTo: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        assignToRoles: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        createIncident: z.ZodOptional<z.ZodBoolean>;
+        incidentType: z.ZodOptional<z.ZodString>;
+        timeout: z.ZodOptional<z.ZodNumber>;
+        autoResolve: z.ZodOptional<z.ZodBoolean>;
+    }, "strip", z.ZodTypeAny, {
+        timeout?: number;
+        type?: "escalate";
+        severity?: "critical" | "low" | "medium" | "high";
+        incidentType?: string;
+        assignTo?: string[];
+        assignToRoles?: string[];
+        createIncident?: boolean;
+        autoResolve?: boolean;
+    }, {
+        timeout?: number;
+        type?: "escalate";
+        severity?: "critical" | "low" | "medium" | "high";
+        incidentType?: string;
+        assignTo?: string[];
+        assignToRoles?: string[];
+        createIncident?: boolean;
+        autoResolve?: boolean;
+    }>, z.ZodObject<{
+        type: z.ZodLiteral<"quarantine">;
+        duration: z.ZodNumber;
+        durationUnit: z.ZodOptional<z.ZodEnum<["second", "minute", "hour", "day"]>>;
+        reason: z.ZodString;
+        notifyUser: z.ZodOptional<z.ZodBoolean>;
+        notifyAdmin: z.ZodOptional<z.ZodBoolean>;
+        allowAppeal: z.ZodOptional<z.ZodBoolean>;
+    }, "strip", z.ZodTypeAny, {
+        reason?: string;
+        type?: "quarantine";
+        duration?: number;
+        durationUnit?: "hour" | "day" | "second" | "minute";
+        notifyUser?: boolean;
+        notifyAdmin?: boolean;
+        allowAppeal?: boolean;
+    }, {
+        reason?: string;
+        type?: "quarantine";
+        duration?: number;
+        durationUnit?: "hour" | "day" | "second" | "minute";
+        notifyUser?: boolean;
+        notifyAdmin?: boolean;
+        allowAppeal?: boolean;
+    }>, z.ZodObject<{
+        type: z.ZodLiteral<"redirect">;
+        url: z.ZodString;
+        statusCode: z.ZodOptional<z.ZodUnion<[z.ZodLiteral<301>, z.ZodLiteral<302>, z.ZodLiteral<303>, z.ZodLiteral<307>, z.ZodLiteral<308>]>>;
+        preserveQuery: z.ZodOptional<z.ZodBoolean>;
+    }, "strip", z.ZodTypeAny, {
+        type?: "redirect";
+        url?: string;
+        statusCode?: 301 | 302 | 303 | 307 | 308;
+        preserveQuery?: boolean;
+    }, {
+        type?: "redirect";
+        url?: string;
+        statusCode?: 301 | 302 | 303 | 307 | 308;
+        preserveQuery?: boolean;
+    }>, z.ZodObject<{
+        type: z.ZodLiteral<"modify">;
+        addHeaders: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
+        removeHeaders: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        modifyBody: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+        addClaims: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+    }, "strip", z.ZodTypeAny, {
+        type?: "modify";
+        addHeaders?: Record<string, string>;
+        removeHeaders?: string[];
+        modifyBody?: Record<string, unknown>;
+        addClaims?: Record<string, unknown>;
+    }, {
+        type?: "modify";
+        addHeaders?: Record<string, string>;
+        removeHeaders?: string[];
+        modifyBody?: Record<string, unknown>;
+        addClaims?: Record<string, unknown>;
+    }>]>, "many">;
+    version: z.ZodString;
+    tags: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    metadata: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+    createdAt: z.ZodString;
+    updatedAt: z.ZodString;
+    createdBy: z.ZodOptional<z.ZodString>;
+    updatedBy: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    version?: string;
+    name?: string;
+    priority?: number;
+    id?: string;
+    description?: string;
+    enabled?: boolean;
+    conditions?: any[];
+    metadata?: Record<string, unknown>;
+    rules?: ({
+        timeout?: number;
+        type?: "require_mfa";
+        enforced?: boolean;
+        methods?: ("push" | "email" | "totp" | "webauthn" | "sms" | "hardware_key")[];
+        rememberDevice?: boolean;
+        rememberDuration?: number;
+    } | {
+        type?: "require_approval";
+        requireJustification?: boolean;
+        enforced?: boolean;
+        approvers?: string[];
+        approverRoles?: string[];
+        approvalTimeout?: number;
+        minApprovers?: number;
+        autoRejectOnTimeout?: boolean;
+    } | {
+        reason?: string;
+        type?: "block_access";
+        errorCode?: string;
+        enforced?: boolean;
+        redirectUrl?: string;
+    } | {
+        limit?: number;
+        type?: "rate_limit";
+        retryAfter?: number;
+        window?: number;
+        enforced?: boolean;
+        burstLimit?: number;
+        windowUnit?: "hour" | "day" | "second" | "minute";
+        keyBy?: ("user" | "custom" | "ip" | "api_key" | "tenant")[];
+        customKey?: string;
+    } | {
+        type?: "require_encryption";
+        algorithm?: "AES-256-GCM" | "RSA-OAEP" | "ChaCha20-Poly1305";
+        fields?: string[];
+        enforced?: boolean;
+        keyId?: string;
+    } | {
+        level?: "full" | "detailed" | "basic";
+        type?: "audit_log";
+        enforced?: boolean;
+        includeRequest?: boolean;
+        includeResponse?: boolean;
+        includeHeaders?: boolean;
+        redactFields?: string[];
+        destination?: string;
+    } | {
+        timeout?: number;
+        type?: "step_up_auth";
+        method?: "password" | "biometric" | "mfa";
+        requiredLevel?: number;
+        enforced?: boolean;
+    } | {
+        type?: "data_masking";
+        fields?: string[];
+        enforced?: boolean;
+        maskType?: "hash" | "partial" | "full" | "tokenize";
+        partialMaskPattern?: string;
+    } | {
+        type?: "session_timeout";
+        enforced?: boolean;
+        maxDuration?: number;
+        idleTimeout?: number;
+        requireReauth?: boolean;
+    } | {
+        type?: "geo_restriction";
+        enforced?: boolean;
+        allowedCountries?: string[];
+        blockedCountries?: string[];
+        allowedRegions?: string[];
+        blockedRegions?: string[];
+    } | {
+        type?: "custom";
+        config?: Record<string, unknown>;
+        handler?: string;
+        enforced?: boolean;
+    })[];
+    createdAt?: string;
+    updatedAt?: string;
+    tags?: string[];
+    createdBy?: string;
+    actions?: ({
+        message?: string;
+        type?: "allow";
+        metadata?: Record<string, unknown>;
+    } | {
+        reason?: string;
+        type?: "deny";
+        retryAfter?: number;
+        errorCode?: string;
+        httpStatus?: number;
+        retryable?: boolean;
+    } | {
+        timeout?: number;
+        type?: "challenge";
+        method?: "password" | "custom" | "approval" | "mfa" | "captcha";
+        redirectUrl?: string;
+        customChallenge?: string;
+    } | {
+        type?: "notify";
+        severity?: "critical" | "low" | "medium" | "high";
+        template?: string;
+        channels?: ("email" | "webhook" | "slack" | "pagerduty" | "sms")[];
+        recipients?: string[];
+        includeContext?: boolean;
+    } | {
+        level?: "error" | "warn" | "info" | "debug";
+        message?: string;
+        type?: "log";
+        tags?: string[];
+        includeRequest?: boolean;
+        destination?: string;
+        includeContext?: boolean;
+        includeUser?: boolean;
+    } | {
+        timeout?: number;
+        type?: "escalate";
+        severity?: "critical" | "low" | "medium" | "high";
+        incidentType?: string;
+        assignTo?: string[];
+        assignToRoles?: string[];
+        createIncident?: boolean;
+        autoResolve?: boolean;
+    } | {
+        reason?: string;
+        type?: "quarantine";
+        duration?: number;
+        durationUnit?: "hour" | "day" | "second" | "minute";
+        notifyUser?: boolean;
+        notifyAdmin?: boolean;
+        allowAppeal?: boolean;
+    } | {
+        type?: "redirect";
+        url?: string;
+        statusCode?: 301 | 302 | 303 | 307 | 308;
+        preserveQuery?: boolean;
+    } | {
+        type?: "modify";
+        addHeaders?: Record<string, string>;
+        removeHeaders?: string[];
+        modifyBody?: Record<string, unknown>;
+        addClaims?: Record<string, unknown>;
+    })[];
+    updatedBy?: string;
+}, {
+    version?: string;
+    name?: string;
+    priority?: number;
+    id?: string;
+    description?: string;
+    enabled?: boolean;
+    conditions?: any[];
+    metadata?: Record<string, unknown>;
+    rules?: ({
+        timeout?: number;
+        type?: "require_mfa";
+        enforced?: boolean;
+        methods?: ("push" | "email" | "totp" | "webauthn" | "sms" | "hardware_key")[];
+        rememberDevice?: boolean;
+        rememberDuration?: number;
+    } | {
+        type?: "require_approval";
+        requireJustification?: boolean;
+        enforced?: boolean;
+        approvers?: string[];
+        approverRoles?: string[];
+        approvalTimeout?: number;
+        minApprovers?: number;
+        autoRejectOnTimeout?: boolean;
+    } | {
+        reason?: string;
+        type?: "block_access";
+        errorCode?: string;
+        enforced?: boolean;
+        redirectUrl?: string;
+    } | {
+        limit?: number;
+        type?: "rate_limit";
+        retryAfter?: number;
+        window?: number;
+        enforced?: boolean;
+        burstLimit?: number;
+        windowUnit?: "hour" | "day" | "second" | "minute";
+        keyBy?: ("user" | "custom" | "ip" | "api_key" | "tenant")[];
+        customKey?: string;
+    } | {
+        type?: "require_encryption";
+        algorithm?: "AES-256-GCM" | "RSA-OAEP" | "ChaCha20-Poly1305";
+        fields?: string[];
+        enforced?: boolean;
+        keyId?: string;
+    } | {
+        level?: "full" | "detailed" | "basic";
+        type?: "audit_log";
+        enforced?: boolean;
+        includeRequest?: boolean;
+        includeResponse?: boolean;
+        includeHeaders?: boolean;
+        redactFields?: string[];
+        destination?: string;
+    } | {
+        timeout?: number;
+        type?: "step_up_auth";
+        method?: "password" | "biometric" | "mfa";
+        requiredLevel?: number;
+        enforced?: boolean;
+    } | {
+        type?: "data_masking";
+        fields?: string[];
+        enforced?: boolean;
+        maskType?: "hash" | "partial" | "full" | "tokenize";
+        partialMaskPattern?: string;
+    } | {
+        type?: "session_timeout";
+        enforced?: boolean;
+        maxDuration?: number;
+        idleTimeout?: number;
+        requireReauth?: boolean;
+    } | {
+        type?: "geo_restriction";
+        enforced?: boolean;
+        allowedCountries?: string[];
+        blockedCountries?: string[];
+        allowedRegions?: string[];
+        blockedRegions?: string[];
+    } | {
+        type?: "custom";
+        config?: Record<string, unknown>;
+        handler?: string;
+        enforced?: boolean;
+    })[];
+    createdAt?: string;
+    updatedAt?: string;
+    tags?: string[];
+    createdBy?: string;
+    actions?: ({
+        message?: string;
+        type?: "allow";
+        metadata?: Record<string, unknown>;
+    } | {
+        reason?: string;
+        type?: "deny";
+        retryAfter?: number;
+        errorCode?: string;
+        httpStatus?: number;
+        retryable?: boolean;
+    } | {
+        timeout?: number;
+        type?: "challenge";
+        method?: "password" | "custom" | "approval" | "mfa" | "captcha";
+        redirectUrl?: string;
+        customChallenge?: string;
+    } | {
+        type?: "notify";
+        severity?: "critical" | "low" | "medium" | "high";
+        template?: string;
+        channels?: ("email" | "webhook" | "slack" | "pagerduty" | "sms")[];
+        recipients?: string[];
+        includeContext?: boolean;
+    } | {
+        level?: "error" | "warn" | "info" | "debug";
+        message?: string;
+        type?: "log";
+        tags?: string[];
+        includeRequest?: boolean;
+        destination?: string;
+        includeContext?: boolean;
+        includeUser?: boolean;
+    } | {
+        timeout?: number;
+        type?: "escalate";
+        severity?: "critical" | "low" | "medium" | "high";
+        incidentType?: string;
+        assignTo?: string[];
+        assignToRoles?: string[];
+        createIncident?: boolean;
+        autoResolve?: boolean;
+    } | {
+        reason?: string;
+        type?: "quarantine";
+        duration?: number;
+        durationUnit?: "hour" | "day" | "second" | "minute";
+        notifyUser?: boolean;
+        notifyAdmin?: boolean;
+        allowAppeal?: boolean;
+    } | {
+        type?: "redirect";
+        url?: string;
+        statusCode?: 301 | 302 | 303 | 307 | 308;
+        preserveQuery?: boolean;
+    } | {
+        type?: "modify";
+        addHeaders?: Record<string, string>;
+        removeHeaders?: string[];
+        modifyBody?: Record<string, unknown>;
+        addClaims?: Record<string, unknown>;
+    })[];
+    updatedBy?: string;
+}>;
+/**
+ * User information in policy context
+ */
+export interface PolicyContextUser {
+    id: string;
+    email?: string;
+    role?: string;
+    roles?: string[];
+    department?: string;
+    tenant?: string;
+    groups?: string[];
+    permissions?: string[];
+    attributes?: Record<string, unknown>;
+    riskScore?: number;
+    mfaVerified?: boolean;
+    lastMfaAt?: string;
+    sessionStartedAt?: string;
+}
+/**
+ * Request information in policy context
+ */
+export interface PolicyContextRequest {
+    id: string;
+    method: string;
+    path: string;
+    url: string;
+    ip: string;
+    userAgent?: string;
+    origin?: string;
+    referer?: string;
+    headers?: Record<string, string | string[] | undefined>;
+    query?: Record<string, string | string[]>;
+    body?: unknown;
+    contentType?: string;
+}
+/**
+ * Resource information in policy context
+ */
+export interface PolicyContextResource {
+    id?: string;
+    type?: string;
+    sensitivityLevel?: 'public' | 'internal' | 'confidential' | 'restricted' | 'top_secret';
+    dataType?: string;
+    classification?: string;
+    owner?: string;
+    department?: string;
+    region?: string;
+    tags?: string[];
+    attributes?: Record<string, unknown>;
+}
+/**
+ * Risk information in policy context
+ */
+export interface PolicyContextRisk {
+    userRiskScore?: number;
+    ipReputation?: number;
+    deviceTrust?: number;
+    sessionRisk?: number;
+    anomalyScore?: number;
+    threatLevel?: 'none' | 'low' | 'medium' | 'high' | 'critical';
+    riskFactors?: string[];
+}
+/**
+ * Environment information in policy context
+ */
+export interface PolicyContextEnvironment {
+    timestamp: string;
+    timezone: string;
+    dayOfWeek: number;
+    hour: number;
+    isBusinessHours?: boolean;
+    isWeekend?: boolean;
+    isHoliday?: boolean;
+    geoLocation?: {
+        country?: string;
+        region?: string;
+        city?: string;
+    };
+}
+/**
+ * Full policy evaluation context
+ */
+export interface PolicyContext {
+    /** User making the request */
+    user?: PolicyContextUser;
+    /** Request details */
+    request: PolicyContextRequest;
+    /** Resource being accessed */
+    resource?: PolicyContextResource;
+    /** Risk assessment */
+    risk?: PolicyContextRisk;
+    /** Environment context */
+    environment?: PolicyContextEnvironment;
+    /** Custom context data */
+    custom?: Record<string, unknown>;
+    /** Break-glass override token */
+    breakGlassToken?: string;
+}
+export declare const policyContextSchema: z.ZodObject<{
+    user: z.ZodOptional<z.ZodObject<{
+        id: z.ZodString;
+        email: z.ZodOptional<z.ZodString>;
+        role: z.ZodOptional<z.ZodString>;
+        roles: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        department: z.ZodOptional<z.ZodString>;
+        tenant: z.ZodOptional<z.ZodString>;
+        groups: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        permissions: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        attributes: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+        riskScore: z.ZodOptional<z.ZodNumber>;
+        mfaVerified: z.ZodOptional<z.ZodBoolean>;
+        lastMfaAt: z.ZodOptional<z.ZodString>;
+        sessionStartedAt: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        id?: string;
+        email?: string;
+        roles?: string[];
+        permissions?: string[];
+        role?: string;
+        tenant?: string;
+        attributes?: Record<string, unknown>;
+        riskScore?: number;
+        groups?: string[];
+        department?: string;
+        mfaVerified?: boolean;
+        lastMfaAt?: string;
+        sessionStartedAt?: string;
+    }, {
+        id?: string;
+        email?: string;
+        roles?: string[];
+        permissions?: string[];
+        role?: string;
+        tenant?: string;
+        attributes?: Record<string, unknown>;
+        riskScore?: number;
+        groups?: string[];
+        department?: string;
+        mfaVerified?: boolean;
+        lastMfaAt?: string;
+        sessionStartedAt?: string;
+    }>>;
+    request: z.ZodObject<{
+        id: z.ZodString;
+        method: z.ZodString;
+        path: z.ZodString;
+        url: z.ZodString;
+        ip: z.ZodString;
+        userAgent: z.ZodOptional<z.ZodString>;
+        origin: z.ZodOptional<z.ZodString>;
+        referer: z.ZodOptional<z.ZodString>;
+        headers: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnion<[z.ZodString, z.ZodArray<z.ZodString, "many">, z.ZodUndefined]>>>;
+        query: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnion<[z.ZodString, z.ZodArray<z.ZodString, "many">]>>>;
+        body: z.ZodOptional<z.ZodUnknown>;
+        contentType: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        path?: string;
+        id?: string;
+        url?: string;
+        ip?: string;
+        userAgent?: string;
+        method?: string;
+        query?: Record<string, string | string[]>;
+        headers?: Record<string, string | string[]>;
+        body?: unknown;
+        origin?: string;
+        referer?: string;
+        contentType?: string;
+    }, {
+        path?: string;
+        id?: string;
+        url?: string;
+        ip?: string;
+        userAgent?: string;
+        method?: string;
+        query?: Record<string, string | string[]>;
+        headers?: Record<string, string | string[]>;
+        body?: unknown;
+        origin?: string;
+        referer?: string;
+        contentType?: string;
+    }>;
+    resource: z.ZodOptional<z.ZodObject<{
+        id: z.ZodOptional<z.ZodString>;
+        type: z.ZodOptional<z.ZodString>;
+        sensitivityLevel: z.ZodOptional<z.ZodEnum<["public", "internal", "confidential", "restricted", "top_secret"]>>;
+        dataType: z.ZodOptional<z.ZodString>;
+        classification: z.ZodOptional<z.ZodString>;
+        owner: z.ZodOptional<z.ZodString>;
+        department: z.ZodOptional<z.ZodString>;
+        region: z.ZodOptional<z.ZodString>;
+        tags: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        attributes: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+    }, "strip", z.ZodTypeAny, {
+        id?: string;
+        type?: string;
+        region?: string;
+        dataType?: string;
+        tags?: string[];
+        owner?: string;
+        classification?: string;
+        attributes?: Record<string, unknown>;
+        department?: string;
+        sensitivityLevel?: "confidential" | "public" | "internal" | "restricted" | "top_secret";
+    }, {
+        id?: string;
+        type?: string;
+        region?: string;
+        dataType?: string;
+        tags?: string[];
+        owner?: string;
+        classification?: string;
+        attributes?: Record<string, unknown>;
+        department?: string;
+        sensitivityLevel?: "confidential" | "public" | "internal" | "restricted" | "top_secret";
+    }>>;
+    risk: z.ZodOptional<z.ZodObject<{
+        userRiskScore: z.ZodOptional<z.ZodNumber>;
+        ipReputation: z.ZodOptional<z.ZodNumber>;
+        deviceTrust: z.ZodOptional<z.ZodNumber>;
+        sessionRisk: z.ZodOptional<z.ZodNumber>;
+        anomalyScore: z.ZodOptional<z.ZodNumber>;
+        threatLevel: z.ZodOptional<z.ZodEnum<["none", "low", "medium", "high", "critical"]>>;
+        riskFactors: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    }, "strip", z.ZodTypeAny, {
+        ipReputation?: number;
+        userRiskScore?: number;
+        deviceTrust?: number;
+        sessionRisk?: number;
+        anomalyScore?: number;
+        threatLevel?: "none" | "critical" | "low" | "medium" | "high";
+        riskFactors?: string[];
+    }, {
+        ipReputation?: number;
+        userRiskScore?: number;
+        deviceTrust?: number;
+        sessionRisk?: number;
+        anomalyScore?: number;
+        threatLevel?: "none" | "critical" | "low" | "medium" | "high";
+        riskFactors?: string[];
+    }>>;
+    environment: z.ZodOptional<z.ZodObject<{
+        timestamp: z.ZodString;
+        timezone: z.ZodString;
+        dayOfWeek: z.ZodNumber;
+        hour: z.ZodNumber;
+        isBusinessHours: z.ZodOptional<z.ZodBoolean>;
+        isWeekend: z.ZodOptional<z.ZodBoolean>;
+        isHoliday: z.ZodOptional<z.ZodBoolean>;
+        geoLocation: z.ZodOptional<z.ZodObject<{
+            country: z.ZodOptional<z.ZodString>;
+            region: z.ZodOptional<z.ZodString>;
+            city: z.ZodOptional<z.ZodString>;
+        }, "strip", z.ZodTypeAny, {
+            region?: string;
+            country?: string;
+            city?: string;
+        }, {
+            region?: string;
+            country?: string;
+            city?: string;
+        }>>;
+    }, "strip", z.ZodTypeAny, {
+        timestamp?: string;
+        hour?: number;
+        dayOfWeek?: number;
+        timezone?: string;
+        geoLocation?: {
+            region?: string;
+            country?: string;
+            city?: string;
+        };
+        isBusinessHours?: boolean;
+        isWeekend?: boolean;
+        isHoliday?: boolean;
+    }, {
+        timestamp?: string;
+        hour?: number;
+        dayOfWeek?: number;
+        timezone?: string;
+        geoLocation?: {
+            region?: string;
+            country?: string;
+            city?: string;
+        };
+        isBusinessHours?: boolean;
+        isWeekend?: boolean;
+        isHoliday?: boolean;
+    }>>;
+    custom: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+    breakGlassToken: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    user?: {
+        id?: string;
+        email?: string;
+        roles?: string[];
+        permissions?: string[];
+        role?: string;
+        tenant?: string;
+        attributes?: Record<string, unknown>;
+        riskScore?: number;
+        groups?: string[];
+        department?: string;
+        mfaVerified?: boolean;
+        lastMfaAt?: string;
+        sessionStartedAt?: string;
+    };
+    custom?: Record<string, unknown>;
+    environment?: {
+        timestamp?: string;
+        hour?: number;
+        dayOfWeek?: number;
+        timezone?: string;
+        geoLocation?: {
+            region?: string;
+            country?: string;
+            city?: string;
+        };
+        isBusinessHours?: boolean;
+        isWeekend?: boolean;
+        isHoliday?: boolean;
+    };
+    request?: {
+        path?: string;
+        id?: string;
+        url?: string;
+        ip?: string;
+        userAgent?: string;
+        method?: string;
+        query?: Record<string, string | string[]>;
+        headers?: Record<string, string | string[]>;
+        body?: unknown;
+        origin?: string;
+        referer?: string;
+        contentType?: string;
+    };
+    resource?: {
+        id?: string;
+        type?: string;
+        region?: string;
+        dataType?: string;
+        tags?: string[];
+        owner?: string;
+        classification?: string;
+        attributes?: Record<string, unknown>;
+        department?: string;
+        sensitivityLevel?: "confidential" | "public" | "internal" | "restricted" | "top_secret";
+    };
+    risk?: {
+        ipReputation?: number;
+        userRiskScore?: number;
+        deviceTrust?: number;
+        sessionRisk?: number;
+        anomalyScore?: number;
+        threatLevel?: "none" | "critical" | "low" | "medium" | "high";
+        riskFactors?: string[];
+    };
+    breakGlassToken?: string;
+}, {
+    user?: {
+        id?: string;
+        email?: string;
+        roles?: string[];
+        permissions?: string[];
+        role?: string;
+        tenant?: string;
+        attributes?: Record<string, unknown>;
+        riskScore?: number;
+        groups?: string[];
+        department?: string;
+        mfaVerified?: boolean;
+        lastMfaAt?: string;
+        sessionStartedAt?: string;
+    };
+    custom?: Record<string, unknown>;
+    environment?: {
+        timestamp?: string;
+        hour?: number;
+        dayOfWeek?: number;
+        timezone?: string;
+        geoLocation?: {
+            region?: string;
+            country?: string;
+            city?: string;
+        };
+        isBusinessHours?: boolean;
+        isWeekend?: boolean;
+        isHoliday?: boolean;
+    };
+    request?: {
+        path?: string;
+        id?: string;
+        url?: string;
+        ip?: string;
+        userAgent?: string;
+        method?: string;
+        query?: Record<string, string | string[]>;
+        headers?: Record<string, string | string[]>;
+        body?: unknown;
+        origin?: string;
+        referer?: string;
+        contentType?: string;
+    };
+    resource?: {
+        id?: string;
+        type?: string;
+        region?: string;
+        dataType?: string;
+        tags?: string[];
+        owner?: string;
+        classification?: string;
+        attributes?: Record<string, unknown>;
+        department?: string;
+        sensitivityLevel?: "confidential" | "public" | "internal" | "restricted" | "top_secret";
+    };
+    risk?: {
+        ipReputation?: number;
+        userRiskScore?: number;
+        deviceTrust?: number;
+        sessionRisk?: number;
+        anomalyScore?: number;
+        threatLevel?: "none" | "critical" | "low" | "medium" | "high";
+        riskFactors?: string[];
+    };
+    breakGlassToken?: string;
+}>;
+/**
+ * Decision outcome
+ */
+export declare const DecisionOutcome: {
+    readonly ALLOW: "allow";
+    readonly DENY: "deny";
+    readonly CHALLENGE: "challenge";
+    readonly PENDING: "pending";
+};
+export type DecisionOutcome = (typeof DecisionOutcome)[keyof typeof DecisionOutcome];
+/**
+ * Individual policy evaluation result
+ */
+export interface PolicyEvaluationResult {
+    policyId: string;
+    policyName: string;
+    policyVersion: string;
+    matched: boolean;
+    conditionResults: ConditionEvaluationResult[];
+    ruleResults: RuleEvaluationResult[];
+    actions: PolicyAction[];
+    durationMs: number;
+    evaluatedAt: string;
+}
+/**
+ * Condition evaluation result
+ */
+export interface ConditionEvaluationResult {
+    conditionType: ConditionType | 'composite';
+    field?: string;
+    operator?: ConditionOperator | LogicalOperator;
+    expected?: unknown;
+    actual?: unknown;
+    matched: boolean;
+    error?: string;
+}
+/**
+ * Rule evaluation result
+ */
+export interface RuleEvaluationResult {
+    ruleType: PolicyRuleType;
+    enforced: boolean;
+    passed: boolean;
+    reason?: string;
+    metadata?: Record<string, unknown>;
+}
+/**
+ * Final policy decision
+ */
+export interface PolicyDecision {
+    /** Decision ID */
+    id: string;
+    /** Request ID */
+    requestId: string;
+    /** Decision outcome */
+    outcome: DecisionOutcome;
+    /** Primary reason for decision */
+    reason: string;
+    /** Actions to execute */
+    actions: PolicyAction[];
+    /** All evaluated policies */
+    evaluatedPolicies: PolicyEvaluationResult[];
+    /** Matched policies (subset of evaluated) */
+    matchedPolicies: PolicyEvaluationResult[];
+    /** Whether break-glass was used */
+    breakGlassUsed: boolean;
+    /** Total evaluation time */
+    totalDurationMs: number;
+    /** Decision timestamp */
+    decidedAt: string;
+    /** Metadata */
+    metadata?: Record<string, unknown>;
+}
+/**
+ * Policy version record
+ */
+export interface PolicyVersionRecord {
+    id: string;
+    policyId: string;
+    version: string;
+    policy: SecurityPolicy;
+    changeSummary?: string;
+    createdBy?: string;
+    createdAt: string;
+}
+/**
+ * Simulation request
+ */
+export interface PolicySimulationRequest {
+    context: PolicyContext;
+    policies?: string[];
+    includeDisabled?: boolean;
+    verbose?: boolean;
+}
+/**
+ * Simulation result
+ */
+export interface PolicySimulationResult {
+    decision: PolicyDecision;
+    whatIf: {
+        withoutPolicy?: Record<string, PolicyDecision>;
+        withModifiedContext?: Record<string, PolicyDecision>;
+    };
+    recommendations?: string[];
+}
+/**
+ * Policy validation error
+ */
+export interface PolicyValidationError {
+    path: string;
+    message: string;
+    code: string;
+}
+/**
+ * Policy validation result
+ */
+export interface PolicyValidationResult {
+    valid: boolean;
+    errors: PolicyValidationError[];
+    warnings: string[];
+}
+//# sourceMappingURL=types.d.ts.map