npm - agentic-qe - Versions diffs - 2.8.1 → 2.8.2 - Mend

agentic-qe 2.8.1 → 2.8.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (97) hide show

package/dist/infrastructure/network/NetworkPolicyManager.js ADDED Viewed

@@ -0,0 +1,309 @@
+"use strict";
+/**
+ * Network Policy Manager for Agent Network Access Control
+ *
+ * Central manager for enforcing network policies, domain whitelisting,
+ * rate limiting, and audit logging for all agent types.
+ *
+ * @module infrastructure/network/NetworkPolicyManager
+ * @see Issue #146 - Security Hardening: SP-3 Network Policy Enforcement
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.NetworkPolicyManager = void 0;
+exports.createNetworkPolicyManager = createNetworkPolicyManager;
+const DomainWhitelist_js_1 = require("./DomainWhitelist.js");
+const AgentRateLimiter_js_1 = require("./AgentRateLimiter.js");
+const AuditLogger_js_1 = require("./AuditLogger.js");
+const default_policies_js_1 = require("./policies/default-policies.js");
+/**
+ * Default manager configuration
+ */
+const DEFAULT_MANAGER_CONFIG = {
+    defaultPolicy: default_policies_js_1.DEFAULT_NETWORK_POLICIES['default'],
+    enableAuditLogging: true,
+    maxAuditEntries: 10000,
+    persistAuditLog: false,
+    debug: false,
+};
+/**
+ * Network Policy Manager
+ *
+ * Features:
+ * - Per-agent-type policies
+ * - Domain whitelisting
+ * - Rate limiting with token bucket
+ * - Comprehensive audit logging
+ * - Event emission for monitoring
+ */
+class NetworkPolicyManager {
+    constructor(config = {}) {
+        this.eventHandlers = [];
+        this.initialized = false;
+        this.config = { ...DEFAULT_MANAGER_CONFIG, ...config };
+        this.policies = new Map();
+        this.whitelists = new Map();
+        this.rateLimiters = new Map();
+        this.auditLogger = new AuditLogger_js_1.AuditLogger({
+            maxEntries: this.config.maxAuditEntries,
+            persistToFile: this.config.persistAuditLog,
+            filePath: this.config.auditLogPath,
+            debug: this.config.debug,
+        });
+    }
+    /**
+     * Initialize the policy manager with default policies
+     */
+    async initialize() {
+        if (this.initialized)
+            return;
+        // Load default policies
+        for (const [agentType, policy] of Object.entries(default_policies_js_1.DEFAULT_NETWORK_POLICIES)) {
+            this.registerPolicy(policy);
+        }
+        // Load audit log if persisted
+        if (this.config.persistAuditLog) {
+            await this.auditLogger.load();
+        }
+        this.initialized = true;
+        this.log('NetworkPolicyManager initialized');
+    }
+    /**
+     * Shutdown the policy manager
+     */
+    async shutdown() {
+        // Close all rate limiters
+        for (const limiter of this.rateLimiters.values()) {
+            limiter.close();
+        }
+        // Save and close audit logger
+        await this.auditLogger.close();
+        this.initialized = false;
+        this.log('NetworkPolicyManager shutdown');
+    }
+    /**
+     * Register a network policy
+     */
+    registerPolicy(policy) {
+        this.policies.set(policy.agentType, policy);
+        // Create whitelist for this agent type
+        const whitelist = new DomainWhitelist_js_1.DomainWhitelist(policy.allowedDomains);
+        this.whitelists.set(policy.agentType, whitelist);
+        // Create rate limiter for this agent type
+        const rateLimiter = new AgentRateLimiter_js_1.AgentRateLimiter(policy.rateLimit);
+        this.rateLimiters.set(policy.agentType, rateLimiter);
+        this.log(`Registered policy for ${policy.agentType}`);
+    }
+    /**
+     * Check if a request is allowed
+     */
+    async checkRequest(agentId, agentType, domain) {
+        const policy = this.getPolicy(agentType);
+        const whitelist = this.getWhitelist(agentType);
+        const rateLimiter = this.getRateLimiter(agentType);
+        // Check rate limit first
+        const rateLimitStatus = rateLimiter.check(agentId);
+        if (rateLimitStatus.limited) {
+            const result = {
+                allowed: false,
+                policy,
+                reason: 'rate_limit_exceeded',
+                details: `Rate limit exceeded. Retry after ${rateLimitStatus.retryAfter}ms`,
+                rateLimitStatus,
+            };
+            await this.logAndEmit(agentId, agentType, domain, result);
+            return result;
+        }
+        // Check domain whitelist
+        const domainAllowed = whitelist.isAllowed(domain);
+        if (!domainAllowed && policy.blockUnknownDomains) {
+            const result = {
+                allowed: false,
+                policy,
+                reason: 'domain_not_allowed',
+                details: `Domain ${domain} is not in the whitelist`,
+                rateLimitStatus,
+            };
+            await this.logAndEmit(agentId, agentType, domain, result);
+            return result;
+        }
+        // Request is allowed
+        const result = {
+            allowed: true,
+            policy,
+            rateLimitStatus,
+        };
+        return result;
+    }
+    /**
+     * Record a request (consumes rate limit token)
+     */
+    async recordRequest(agentId, agentType, domain, allowed, responseTimeMs) {
+        const policy = this.getPolicy(agentType);
+        const rateLimiter = this.getRateLimiter(agentType);
+        // Consume rate limit token
+        const rateLimitStatus = rateLimiter.consume(agentId);
+        // Log to audit
+        if (policy.auditLogging && this.config.enableAuditLogging) {
+            if (allowed) {
+                await this.auditLogger.logAllowed(agentId, agentType, domain, {
+                    responseTimeMs,
+                });
+            }
+            else if (rateLimitStatus.limited) {
+                await this.auditLogger.logRateLimited(agentId, agentType, domain);
+            }
+            else {
+                await this.auditLogger.logBlocked(agentId, agentType, domain, 'Domain not allowed');
+            }
+        }
+    }
+    /**
+     * Get policy for an agent type
+     */
+    getPolicy(agentType) {
+        return this.policies.get(agentType) || this.config.defaultPolicy;
+    }
+    /**
+     * Update a policy
+     */
+    updatePolicy(agentType, updates) {
+        const current = this.getPolicy(agentType);
+        const updated = {
+            ...current,
+            ...updates,
+            rateLimit: {
+                ...current.rateLimit,
+                ...updates.rateLimit,
+            },
+        };
+        this.registerPolicy(updated);
+        this.emitEvent({
+            type: 'policy_updated',
+            timestamp: new Date(),
+            agentId: '',
+            agentType,
+            details: { updates },
+        });
+    }
+    /**
+     * Get rate limit status for an agent
+     */
+    getRateLimitStatus(agentId, agentType) {
+        const rateLimiter = this.getRateLimiter(agentType);
+        return rateLimiter.getStatus(agentId);
+    }
+    /**
+     * Reset rate limit for an agent
+     */
+    resetRateLimit(agentId, agentType) {
+        const rateLimiter = this.getRateLimiter(agentType);
+        rateLimiter.reset(agentId);
+        this.log(`Reset rate limit for ${agentId} (${agentType})`);
+    }
+    /**
+     * Get audit logger
+     */
+    getAuditLogger() {
+        return this.auditLogger;
+    }
+    /**
+     * Get audit statistics
+     */
+    async getAuditStats(since) {
+        return this.auditLogger.getStats(since);
+    }
+    /**
+     * List all registered policy agent types
+     */
+    listPolicies() {
+        return Array.from(this.policies.keys());
+    }
+    /**
+     * Add event handler
+     */
+    on(handler) {
+        this.eventHandlers.push(handler);
+    }
+    /**
+     * Remove event handler
+     */
+    off(handler) {
+        const index = this.eventHandlers.indexOf(handler);
+        if (index !== -1) {
+            this.eventHandlers.splice(index, 1);
+        }
+    }
+    // ============================================
+    // Private Methods
+    // ============================================
+    getWhitelist(agentType) {
+        let whitelist = this.whitelists.get(agentType);
+        if (!whitelist) {
+            const policy = this.getPolicy(agentType);
+            whitelist = new DomainWhitelist_js_1.DomainWhitelist(policy.allowedDomains);
+            this.whitelists.set(agentType, whitelist);
+        }
+        return whitelist;
+    }
+    getRateLimiter(agentType) {
+        let limiter = this.rateLimiters.get(agentType);
+        if (!limiter) {
+            const policy = this.getPolicy(agentType);
+            limiter = new AgentRateLimiter_js_1.AgentRateLimiter(policy.rateLimit);
+            this.rateLimiters.set(agentType, limiter);
+        }
+        return limiter;
+    }
+    async logAndEmit(agentId, agentType, domain, result) {
+        const policy = result.policy;
+        // Audit log
+        if (policy.auditLogging && this.config.enableAuditLogging) {
+            if (result.reason === 'rate_limit_exceeded') {
+                await this.auditLogger.logRateLimited(agentId, agentType, domain);
+            }
+            else if (result.reason === 'domain_not_allowed') {
+                await this.auditLogger.logBlocked(agentId, agentType, domain, result.details || 'Domain not allowed');
+            }
+        }
+        // Emit event
+        const eventType = result.allowed
+            ? 'request_allowed'
+            : result.reason === 'rate_limit_exceeded'
+                ? 'request_rate_limited'
+                : 'request_blocked';
+        this.emitEvent({
+            type: eventType,
+            timestamp: new Date(),
+            agentId,
+            agentType,
+            domain,
+            details: {
+                reason: result.reason,
+                rateLimitStatus: result.rateLimitStatus,
+            },
+        });
+    }
+    emitEvent(event) {
+        for (const handler of this.eventHandlers) {
+            try {
+                handler(event);
+            }
+            catch (error) {
+                console.error('Error in network policy event handler:', error);
+            }
+        }
+    }
+    log(message) {
+        if (this.config.debug) {
+            console.log(`[NetworkPolicyManager] ${message}`);
+        }
+    }
+}
+exports.NetworkPolicyManager = NetworkPolicyManager;
+/**
+ * Create a new NetworkPolicyManager
+ */
+function createNetworkPolicyManager(config) {
+    return new NetworkPolicyManager(config);
+}
+//# sourceMappingURL=NetworkPolicyManager.js.map

package/dist/infrastructure/network/NetworkPolicyManager.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"NetworkPolicyManager.js","sourceRoot":"","sources":["../../../src/infrastructure/network/NetworkPolicyManager.ts"],"names":[],"mappings":";AAAA;;;;;;;;GAQG;;;AA2WH,gEAIC;AApWD,6DAAuD;AACvD,+DAAyD;AACzD,qDAA+C;AAC/C,wEAA4F;AAE5F;;GAEG;AACH,MAAM,sBAAsB,GAA+B;IACzD,aAAa,EAAE,8CAAwB,CAAC,SAAS,CAAC;IAClD,kBAAkB,EAAE,IAAI;IACxB,eAAe,EAAE,KAAK;IACtB,eAAe,EAAE,KAAK;IACtB,KAAK,EAAE,KAAK;CACb,CAAC;AAEF;;;;;;;;;GASG;AACH,MAAa,oBAAoB;IAS/B,YAAY,SAA8C,EAAE;QAHpD,kBAAa,GAAgC,EAAE,CAAC;QAChD,gBAAW,GAAY,KAAK,CAAC;QAGnC,IAAI,CAAC,MAAM,GAAG,EAAE,GAAG,sBAAsB,EAAE,GAAG,MAAM,EAAE,CAAC;QACvD,IAAI,CAAC,QAAQ,GAAG,IAAI,GAAG,EAAE,CAAC;QAC1B,IAAI,CAAC,UAAU,GAAG,IAAI,GAAG,EAAE,CAAC;QAC5B,IAAI,CAAC,YAAY,GAAG,IAAI,GAAG,EAAE,CAAC;QAE9B,IAAI,CAAC,WAAW,GAAG,IAAI,4BAAW,CAAC;YACjC,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC,eAAe;YACvC,aAAa,EAAE,IAAI,CAAC,MAAM,CAAC,eAAe;YAC1C,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,YAAY;YAClC,KAAK,EAAE,IAAI,CAAC,MAAM,CAAC,KAAK;SACzB,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,UAAU;QACd,IAAI,IAAI,CAAC,WAAW;YAAE,OAAO;QAE7B,wBAAwB;QACxB,KAAK,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,8CAAwB,CAAC,EAAE,CAAC;YAC3E,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC;QAC9B,CAAC;QAED,8BAA8B;QAC9B,IAAI,IAAI,CAAC,MAAM,CAAC,eAAe,EAAE,CAAC;YAChC,MAAM,IAAI,CAAC,WAAW,CAAC,IAAI,EAAE,CAAC;QAChC,CAAC;QAED,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC;QACxB,IAAI,CAAC,GAAG,CAAC,kCAAkC,CAAC,CAAC;IAC/C,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,QAAQ;QACZ,0BAA0B;QAC1B,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,YAAY,CAAC,MAAM,EAAE,EAAE,CAAC;YACjD,OAAO,CAAC,KAAK,EAAE,CAAC;QAClB,CAAC;QAED,8BAA8B;QAC9B,MAAM,IAAI,CAAC,WAAW,CAAC,KAAK,EAAE,CAAC;QAE/B,IAAI,CAAC,WAAW,GAAG,KAAK,CAAC;QACzB,IAAI,CAAC,GAAG,CAAC,+BAA+B,CAAC,CAAC;IAC5C,CAAC;IAED;;OAEG;IACH,cAAc,CAAC,MAAqB;QAClC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;QAE5C,uCAAuC;QACvC,MAAM,SAAS,GAAG,IAAI,oCAAe,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;QAC7D,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;QAEjD,0CAA0C;QAC1C,MAAM,WAAW,GAAG,IAAI,sCAAgB,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAC3D,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC;QAErD,IAAI,CAAC,GAAG,CAAC,yBAAyB,MAAM,CAAC,SAAS,EAAE,CAAC,CAAC;IACxD,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,YAAY,CAChB,OAAe,EACf,SAAiB,EACjB,MAAc;QAEd,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;QACzC,MAAM,SAAS,GAAG,IAAI,CAAC,YAAY,CAAC,SAAS,CAAC,CAAC;QAC/C,MAAM,WAAW,GAAG,IAAI,CAAC,cAAc,CAAC,SAAS,CAAC,CAAC;QAEnD,yBAAyB;QACzB,MAAM,eAAe,GAAG,WAAW,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACnD,IAAI,eAAe,CAAC,OAAO,EAAE,CAAC;YAC5B,MAAM,MAAM,GAAsB;gBAChC,OAAO,EAAE,KAAK;gBACd,MAAM;gBACN,MAAM,EAAE,qBAAqB;gBAC7B,OAAO,EAAE,oCAAoC,eAAe,CAAC,UAAU,IAAI;gBAC3E,eAAe;aAChB,CAAC;YAEF,MAAM,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;YAC1D,OAAO,MAAM,CAAC;QAChB,CAAC;QAED,yBAAyB;QACzB,MAAM,aAAa,GAAG,SAAS,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;QAClD,IAAI,CAAC,aAAa,IAAI,MAAM,CAAC,mBAAmB,EAAE,CAAC;YACjD,MAAM,MAAM,GAAsB;gBAChC,OAAO,EAAE,KAAK;gBACd,MAAM;gBACN,MAAM,EAAE,oBAAoB;gBAC5B,OAAO,EAAE,UAAU,MAAM,0BAA0B;gBACnD,eAAe;aAChB,CAAC;YAEF,MAAM,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;YAC1D,OAAO,MAAM,CAAC;QAChB,CAAC;QAED,qBAAqB;QACrB,MAAM,MAAM,GAAsB;YAChC,OAAO,EAAE,IAAI;YACb,MAAM;YACN,eAAe;SAChB,CAAC;QAEF,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,aAAa,CACjB,OAAe,EACf,SAAiB,EACjB,MAAc,EACd,OAAgB,EAChB,cAAuB;QAEvB,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;QACzC,MAAM,WAAW,GAAG,IAAI,CAAC,cAAc,CAAC,SAAS,CAAC,CAAC;QAEnD,2BAA2B;QAC3B,MAAM,eAAe,GAAG,WAAW,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAErD,eAAe;QACf,IAAI,MAAM,CAAC,YAAY,IAAI,IAAI,CAAC,MAAM,CAAC,kBAAkB,EAAE,CAAC;YAC1D,IAAI,OAAO,EAAE,CAAC;gBACZ,MAAM,IAAI,CAAC,WAAW,CAAC,UAAU,CAAC,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE;oBAC5D,cAAc;iBACf,CAAC,CAAC;YACL,CAAC;iBAAM,IAAI,eAAe,CAAC,OAAO,EAAE,CAAC;gBACnC,MAAM,IAAI,CAAC,WAAW,CAAC,cAAc,CAAC,OAAO,EAAE,SAAS,EAAE,MAAM,CAAC,CAAC;YACpE,CAAC;iBAAM,CAAC;gBACN,MAAM,IAAI,CAAC,WAAW,CAAC,UAAU,CAAC,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,oBAAoB,CAAC,CAAC;YACtF,CAAC;QACH,CAAC;IACH,CAAC;IAED;;OAEG;IACH,SAAS,CAAC,SAAiB;QACzB,OAAO,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC;IACnE,CAAC;IAED;;OAEG;IACH,YAAY,CAAC,SAAiB,EAAE,OAA+B;QAC7D,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;QAC1C,MAAM,OAAO,GAAkB;YAC7B,GAAG,OAAO;YACV,GAAG,OAAO;YACV,SAAS,EAAE;gBACT,GAAG,OAAO,CAAC,SAAS;gBACpB,GAAG,OAAO,CAAC,SAAS;aACrB;SACF,CAAC;QAEF,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC;QAE7B,IAAI,CAAC,SAAS,CAAC;YACb,IAAI,EAAE,gBAAgB;YACtB,SAAS,EAAE,IAAI,IAAI,EAAE;YACrB,OAAO,EAAE,EAAE;YACX,SAAS;YACT,OAAO,EAAE,EAAE,OAAO,EAAE;SACrB,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACH,kBAAkB,CAAC,OAAe,EAAE,SAAiB;QACnD,MAAM,WAAW,GAAG,IAAI,CAAC,cAAc,CAAC,SAAS,CAAC,CAAC;QACnD,OAAO,WAAW,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;IACxC,CAAC;IAED;;OAEG;IACH,cAAc,CAAC,OAAe,EAAE,SAAiB;QAC/C,MAAM,WAAW,GAAG,IAAI,CAAC,cAAc,CAAC,SAAS,CAAC,CAAC;QACnD,WAAW,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAC3B,IAAI,CAAC,GAAG,CAAC,wBAAwB,OAAO,KAAK,SAAS,GAAG,CAAC,CAAC;IAC7D,CAAC;IAED;;OAEG;IACH,cAAc;QACZ,OAAO,IAAI,CAAC,WAAW,CAAC;IAC1B,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,aAAa,CAAC,KAAY;QAC9B,OAAO,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IAC1C,CAAC;IAED;;OAEG;IACH,YAAY;QACV,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC;IAC1C,CAAC;IAED;;OAEG;IACH,EAAE,CAAC,OAAkC;QACnC,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACnC,CAAC;IAED;;OAEG;IACH,GAAG,CAAC,OAAkC;QACpC,MAAM,KAAK,GAAG,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAClD,IAAI,KAAK,KAAK,CAAC,CAAC,EAAE,CAAC;YACjB,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;QACtC,CAAC;IACH,CAAC;IAED,+CAA+C;IAC/C,kBAAkB;IAClB,+CAA+C;IAEvC,YAAY,CAAC,SAAiB;QACpC,IAAI,SAAS,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAC/C,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;YACzC,SAAS,GAAG,IAAI,oCAAe,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;YACvD,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;QAC5C,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAEO,cAAc,CAAC,SAAiB;QACtC,IAAI,OAAO,GAAG,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAC/C,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;YACzC,OAAO,GAAG,IAAI,sCAAgB,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YACjD,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;QAC5C,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;IAEO,KAAK,CAAC,UAAU,CACtB,OAAe,EACf,SAAiB,EACjB,MAAc,EACd,MAAyB;QAEzB,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC;QAE7B,YAAY;QACZ,IAAI,MAAM,CAAC,YAAY,IAAI,IAAI,CAAC,MAAM,CAAC,kBAAkB,EAAE,CAAC;YAC1D,IAAI,MAAM,CAAC,MAAM,KAAK,qBAAqB,EAAE,CAAC;gBAC5C,MAAM,IAAI,CAAC,WAAW,CAAC,cAAc,CAAC,OAAO,EAAE,SAAS,EAAE,MAAM,CAAC,CAAC;YACpE,CAAC;iBAAM,IAAI,MAAM,CAAC,MAAM,KAAK,oBAAoB,EAAE,CAAC;gBAClD,MAAM,IAAI,CAAC,WAAW,CAAC,UAAU,CAAC,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,CAAC,OAAO,IAAI,oBAAoB,CAAC,CAAC;YACxG,CAAC;QACH,CAAC;QAED,aAAa;QACb,MAAM,SAAS,GAAG,MAAM,CAAC,OAAO;YAC9B,CAAC,CAAC,iBAAiB;YACnB,CAAC,CAAC,MAAM,CAAC,MAAM,KAAK,qBAAqB;gBACvC,CAAC,CAAC,sBAAsB;gBACxB,CAAC,CAAC,iBAAiB,CAAC;QAExB,IAAI,CAAC,SAAS,CAAC;YACb,IAAI,EAAE,SAAS;YACf,SAAS,EAAE,IAAI,IAAI,EAAE;YACrB,OAAO;YACP,SAAS;YACT,MAAM;YACN,OAAO,EAAE;gBACP,MAAM,EAAE,MAAM,CAAC,MAAM;gBACrB,eAAe,EAAE,MAAM,CAAC,eAAe;aACxC;SACF,CAAC,CAAC;IACL,CAAC;IAEO,SAAS,CAAC,KAAyB;QACzC,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YACzC,IAAI,CAAC;gBACH,OAAO,CAAC,KAAK,CAAC,CAAC;YACjB,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,OAAO,CAAC,KAAK,CAAC,wCAAwC,EAAE,KAAK,CAAC,CAAC;YACjE,CAAC;QACH,CAAC;IACH,CAAC;IAEO,GAAG,CAAC,OAAe;QACzB,IAAI,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;YACtB,OAAO,CAAC,GAAG,CAAC,0BAA0B,OAAO,EAAE,CAAC,CAAC;QACnD,CAAC;IACH,CAAC;CACF;AAjUD,oDAiUC;AAED;;GAEG;AACH,SAAgB,0BAA0B,CACxC,MAA4C;IAE5C,OAAO,IAAI,oBAAoB,CAAC,MAAM,CAAC,CAAC;AAC1C,CAAC"}

package/dist/infrastructure/network/index.d.ts ADDED Viewed

@@ -0,0 +1,19 @@
+/**
+ * Network Policy Enforcement Infrastructure
+ *
+ * Provides secure network access control for QE agents:
+ * - Domain whitelisting per agent type
+ * - Rate limiting with token bucket algorithm
+ * - Comprehensive audit logging
+ * - Event-driven monitoring
+ *
+ * @module infrastructure/network
+ * @see Issue #146 - Security Hardening: SP-3 Network Policy Enforcement
+ */
+export { type NetworkPolicy, type RateLimitConfig, type PolicyCheckResult, type PolicyBlockReason, type RateLimitStatus, type AuditEntry, type AuditAction, type AuditQueryFilter, type AuditStats, type NetworkPolicyManagerConfig, type NetworkPolicyEvent, type NetworkPolicyEventType, type NetworkPolicyEventHandler, type IRateLimiter, NetworkPolicyError, } from './types.js';
+export { NetworkPolicyManager, createNetworkPolicyManager, } from './NetworkPolicyManager.js';
+export { DomainWhitelist, COMMON_DOMAIN_PRESETS, createWhitelistFromPresets, } from './DomainWhitelist.js';
+export { AgentRateLimiter, createDefaultRateLimiter, } from './AgentRateLimiter.js';
+export { AuditLogger, type AuditLoggerConfig, } from './AuditLogger.js';
+export { DEFAULT_NETWORK_POLICIES, getNetworkPolicy, listPolicyAgentTypes, mergePolicy, createRestrictivePolicy, enableRestrictiveModeGlobally, LLM_PROVIDER_DOMAINS, DEVELOPMENT_DOMAINS, RESTRICTIVE_POLICY_TEMPLATE, } from './policies/default-policies.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/infrastructure/network/index.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/infrastructure/network/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAGH,OAAO,EACL,KAAK,aAAa,EAClB,KAAK,eAAe,EACpB,KAAK,iBAAiB,EACtB,KAAK,iBAAiB,EACtB,KAAK,eAAe,EACpB,KAAK,UAAU,EACf,KAAK,WAAW,EAChB,KAAK,gBAAgB,EACrB,KAAK,UAAU,EACf,KAAK,0BAA0B,EAC/B,KAAK,kBAAkB,EACvB,KAAK,sBAAsB,EAC3B,KAAK,yBAAyB,EAC9B,KAAK,YAAY,EACjB,kBAAkB,GACnB,MAAM,YAAY,CAAC;AAGpB,OAAO,EACL,oBAAoB,EACpB,0BAA0B,GAC3B,MAAM,2BAA2B,CAAC;AAGnC,OAAO,EACL,eAAe,EACf,qBAAqB,EACrB,0BAA0B,GAC3B,MAAM,sBAAsB,CAAC;AAG9B,OAAO,EACL,gBAAgB,EAChB,wBAAwB,GACzB,MAAM,uBAAuB,CAAC;AAG/B,OAAO,EACL,WAAW,EACX,KAAK,iBAAiB,GACvB,MAAM,kBAAkB,CAAC;AAG1B,OAAO,EACL,wBAAwB,EACxB,gBAAgB,EAChB,oBAAoB,EACpB,WAAW,EACX,uBAAuB,EACvB,6BAA6B,EAC7B,oBAAoB,EACpB,mBAAmB,EACnB,2BAA2B,GAC5B,MAAM,gCAAgC,CAAC"}

package/dist/infrastructure/network/index.js ADDED Viewed

@@ -0,0 +1,46 @@
+"use strict";
+/**
+ * Network Policy Enforcement Infrastructure
+ *
+ * Provides secure network access control for QE agents:
+ * - Domain whitelisting per agent type
+ * - Rate limiting with token bucket algorithm
+ * - Comprehensive audit logging
+ * - Event-driven monitoring
+ *
+ * @module infrastructure/network
+ * @see Issue #146 - Security Hardening: SP-3 Network Policy Enforcement
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RESTRICTIVE_POLICY_TEMPLATE = exports.DEVELOPMENT_DOMAINS = exports.LLM_PROVIDER_DOMAINS = exports.enableRestrictiveModeGlobally = exports.createRestrictivePolicy = exports.mergePolicy = exports.listPolicyAgentTypes = exports.getNetworkPolicy = exports.DEFAULT_NETWORK_POLICIES = exports.AuditLogger = exports.createDefaultRateLimiter = exports.AgentRateLimiter = exports.createWhitelistFromPresets = exports.COMMON_DOMAIN_PRESETS = exports.DomainWhitelist = exports.createNetworkPolicyManager = exports.NetworkPolicyManager = exports.NetworkPolicyError = void 0;
+// Types
+var types_js_1 = require("./types.js");
+Object.defineProperty(exports, "NetworkPolicyError", { enumerable: true, get: function () { return types_js_1.NetworkPolicyError; } });
+// NetworkPolicyManager
+var NetworkPolicyManager_js_1 = require("./NetworkPolicyManager.js");
+Object.defineProperty(exports, "NetworkPolicyManager", { enumerable: true, get: function () { return NetworkPolicyManager_js_1.NetworkPolicyManager; } });
+Object.defineProperty(exports, "createNetworkPolicyManager", { enumerable: true, get: function () { return NetworkPolicyManager_js_1.createNetworkPolicyManager; } });
+// DomainWhitelist
+var DomainWhitelist_js_1 = require("./DomainWhitelist.js");
+Object.defineProperty(exports, "DomainWhitelist", { enumerable: true, get: function () { return DomainWhitelist_js_1.DomainWhitelist; } });
+Object.defineProperty(exports, "COMMON_DOMAIN_PRESETS", { enumerable: true, get: function () { return DomainWhitelist_js_1.COMMON_DOMAIN_PRESETS; } });
+Object.defineProperty(exports, "createWhitelistFromPresets", { enumerable: true, get: function () { return DomainWhitelist_js_1.createWhitelistFromPresets; } });
+// AgentRateLimiter
+var AgentRateLimiter_js_1 = require("./AgentRateLimiter.js");
+Object.defineProperty(exports, "AgentRateLimiter", { enumerable: true, get: function () { return AgentRateLimiter_js_1.AgentRateLimiter; } });
+Object.defineProperty(exports, "createDefaultRateLimiter", { enumerable: true, get: function () { return AgentRateLimiter_js_1.createDefaultRateLimiter; } });
+// AuditLogger
+var AuditLogger_js_1 = require("./AuditLogger.js");
+Object.defineProperty(exports, "AuditLogger", { enumerable: true, get: function () { return AuditLogger_js_1.AuditLogger; } });
+// Default Policies
+var default_policies_js_1 = require("./policies/default-policies.js");
+Object.defineProperty(exports, "DEFAULT_NETWORK_POLICIES", { enumerable: true, get: function () { return default_policies_js_1.DEFAULT_NETWORK_POLICIES; } });
+Object.defineProperty(exports, "getNetworkPolicy", { enumerable: true, get: function () { return default_policies_js_1.getNetworkPolicy; } });
+Object.defineProperty(exports, "listPolicyAgentTypes", { enumerable: true, get: function () { return default_policies_js_1.listPolicyAgentTypes; } });
+Object.defineProperty(exports, "mergePolicy", { enumerable: true, get: function () { return default_policies_js_1.mergePolicy; } });
+Object.defineProperty(exports, "createRestrictivePolicy", { enumerable: true, get: function () { return default_policies_js_1.createRestrictivePolicy; } });
+Object.defineProperty(exports, "enableRestrictiveModeGlobally", { enumerable: true, get: function () { return default_policies_js_1.enableRestrictiveModeGlobally; } });
+Object.defineProperty(exports, "LLM_PROVIDER_DOMAINS", { enumerable: true, get: function () { return default_policies_js_1.LLM_PROVIDER_DOMAINS; } });
+Object.defineProperty(exports, "DEVELOPMENT_DOMAINS", { enumerable: true, get: function () { return default_policies_js_1.DEVELOPMENT_DOMAINS; } });
+Object.defineProperty(exports, "RESTRICTIVE_POLICY_TEMPLATE", { enumerable: true, get: function () { return default_policies_js_1.RESTRICTIVE_POLICY_TEMPLATE; } });
+//# sourceMappingURL=index.js.map

package/dist/infrastructure/network/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/infrastructure/network/index.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;GAWG;;;AAEH,QAAQ;AACR,uCAgBoB;AADlB,8GAAA,kBAAkB,OAAA;AAGpB,uBAAuB;AACvB,qEAGmC;AAFjC,+HAAA,oBAAoB,OAAA;AACpB,qIAAA,0BAA0B,OAAA;AAG5B,kBAAkB;AAClB,2DAI8B;AAH5B,qHAAA,eAAe,OAAA;AACf,2HAAA,qBAAqB,OAAA;AACrB,gIAAA,0BAA0B,OAAA;AAG5B,mBAAmB;AACnB,6DAG+B;AAF7B,uHAAA,gBAAgB,OAAA;AAChB,+HAAA,wBAAwB,OAAA;AAG1B,cAAc;AACd,mDAG0B;AAFxB,6GAAA,WAAW,OAAA;AAIb,mBAAmB;AACnB,sEAUwC;AATtC,+HAAA,wBAAwB,OAAA;AACxB,uHAAA,gBAAgB,OAAA;AAChB,2HAAA,oBAAoB,OAAA;AACpB,kHAAA,WAAW,OAAA;AACX,8HAAA,uBAAuB,OAAA;AACvB,oIAAA,6BAA6B,OAAA;AAC7B,2HAAA,oBAAoB,OAAA;AACpB,0HAAA,mBAAmB,OAAA;AACnB,kIAAA,2BAA2B,OAAA"}

package/dist/infrastructure/network/policies/default-policies.d.ts ADDED Viewed

@@ -0,0 +1,78 @@
+/**
+ * Default Network Policies for QE Agents
+ *
+ * IMPORTANT: Network policy enforcement is OPT-IN, not opt-out.
+ * By default, agents have unrestricted network access for flexibility.
+ *
+ * Enable restrictive policies only when:
+ * - Deploying in security-sensitive environments
+ * - Running untrusted agent code
+ * - Compliance requirements mandate network isolation
+ *
+ * @module infrastructure/network/policies/default-policies
+ * @see Issue #146 - Security Hardening: SP-3 Network Policy Enforcement
+ */
+import type { NetworkPolicy } from '../types.js';
+/**
+ * All known LLM provider domains that the multi-model router may access
+ * Add new providers here as they're supported
+ */
+export declare const LLM_PROVIDER_DOMAINS: readonly ["api.anthropic.com", "api.openai.com", "openrouter.ai", "api.groq.com", "generativelanguage.googleapis.com", "api.together.xyz", "models.inference.ai.azure.com", "openai.azure.com", "api.fireworks.ai", "api.mistral.ai", "api.cohere.ai", "api.perplexity.ai", "api.deepseek.com", "localhost", "127.0.0.1"];
+/**
+ * Development/testing domains that agents commonly need
+ */
+export declare const DEVELOPMENT_DOMAINS: readonly ["registry.npmjs.org", "pypi.org", "api.github.com", "github.com", "gitlab.com", "api.gitlab.com", "bitbucket.org", "nvd.nist.gov", "cve.mitre.org", "osv.dev", "security.snyk.io", "cvedetails.com"];
+/**
+ * Restrictive policy template for security-sensitive deployments
+ * Use this when you need to lock down agent network access
+ */
+export declare const RESTRICTIVE_POLICY_TEMPLATE: NetworkPolicy;
+/**
+ * Default network policies for all QE agent types
+ *
+ * DESIGN PRINCIPLE: Permissive by default (blockUnknownDomains: false)
+ * - QE agents need to test arbitrary websites/APIs
+ * - Multi-model router accesses multiple LLM providers
+ * - Rate limiting still applies for protection
+ *
+ * To enable restrictive mode:
+ * ```typescript
+ * const policy = getNetworkPolicy('qe-test-generator');
+ * policy.blockUnknownDomains = true;
+ * policy.allowedDomains = [...LLM_PROVIDER_DOMAINS, 'my-api.example.com'];
+ * ```
+ */
+export declare const DEFAULT_NETWORK_POLICIES: Record<string, NetworkPolicy>;
+/**
+ * Get policy for an agent type
+ * Falls back to default if not found
+ */
+export declare function getNetworkPolicy(agentType: string): NetworkPolicy;
+/**
+ * List all agent types with policies
+ */
+export declare function listPolicyAgentTypes(): string[];
+/**
+ * Merge custom policy with default
+ */
+export declare function mergePolicy(agentType: string, customPolicy: Partial<NetworkPolicy>): NetworkPolicy;
+/**
+ * Create a restrictive policy for security-sensitive deployments
+ *
+ * @example
+ * ```typescript
+ * // Lock down an agent to only access LLM providers and specific APIs
+ * const policy = createRestrictivePolicy('qe-test-generator', [
+ *   'api.example.com',
+ *   'staging.example.com'
+ * ]);
+ * manager.registerPolicy(policy);
+ * ```
+ */
+export declare function createRestrictivePolicy(agentType: string, additionalDomains?: string[]): NetworkPolicy;
+/**
+ * Enable restrictive mode for all default policies
+ * Call this when deploying in a security-sensitive environment
+ */
+export declare function enableRestrictiveModeGlobally(): void;
+//# sourceMappingURL=default-policies.d.ts.map

package/dist/infrastructure/network/policies/default-policies.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"default-policies.d.ts","sourceRoot":"","sources":["../../../../src/infrastructure/network/policies/default-policies.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAEjD;;;GAGG;AACH,eAAO,MAAM,oBAAoB,2TA2CvB,CAAC;AAEX;;GAEG;AACH,eAAO,MAAM,mBAAmB,gNAkBtB,CAAC;AAmBX;;;GAGG;AACH,eAAO,MAAM,2BAA2B,EAAE,aAWzC,CAAC;AAEF;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,wBAAwB,EAAE,MAAM,CAAC,MAAM,EAAE,aAAa,CAoJlE,CAAC;AAEF;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,SAAS,EAAE,MAAM,GAAG,aAAa,CAEjE;AAED;;GAEG;AACH,wBAAgB,oBAAoB,IAAI,MAAM,EAAE,CAE/C;AAED;;GAEG;AACH,wBAAgB,WAAW,CACzB,SAAS,EAAE,MAAM,EACjB,YAAY,EAAE,OAAO,CAAC,aAAa,CAAC,GACnC,aAAa,CAUf;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,uBAAuB,CACrC,SAAS,EAAE,MAAM,EACjB,iBAAiB,GAAE,MAAM,EAAO,GAC/B,aAAa,CAOf;AAED;;;GAGG;AACH,wBAAgB,6BAA6B,IAAI,IAAI,CAKpD"}