chainlesschain 0.143.0 → 0.145.0

package/src/lib/permission-engine.js

@@ -375,81 +375,319 @@ export function listUserRoles(db) {
 
 // ===== V2 Surface: Permission Engine governance overlay (CLI v0.141.0) =====
 export const PERM_RULE_MATURITY_V2 = Object.freeze({
-  PENDING: "pending", ACTIVE: "active", DISABLED: "disabled", RETIRED: "retired",
+  PENDING: "pending",
+  ACTIVE: "active",
+  DISABLED: "disabled",
+  RETIRED: "retired",
 });
 export const PERM_CHECK_LIFECYCLE_V2 = Object.freeze({
-  QUEUED: "queued", EVALUATING: "evaluating", ALLOWED: "allowed", DENIED: "denied", CANCELLED: "cancelled",
+  QUEUED: "queued",
+  EVALUATING: "evaluating",
+  ALLOWED: "allowed",
+  DENIED: "denied",
+  CANCELLED: "cancelled",
 });
 const _permRTrans = new Map([
-  [PERM_RULE_MATURITY_V2.PENDING, new Set([PERM_RULE_MATURITY_V2.ACTIVE, PERM_RULE_MATURITY_V2.RETIRED])],
-  [PERM_RULE_MATURITY_V2.ACTIVE, new Set([PERM_RULE_MATURITY_V2.DISABLED, PERM_RULE_MATURITY_V2.RETIRED])],
-  [PERM_RULE_MATURITY_V2.DISABLED, new Set([PERM_RULE_MATURITY_V2.ACTIVE, PERM_RULE_MATURITY_V2.RETIRED])],
+  [
+    PERM_RULE_MATURITY_V2.PENDING,
+    new Set([PERM_RULE_MATURITY_V2.ACTIVE, PERM_RULE_MATURITY_V2.RETIRED]),
+  ],
+  [
+    PERM_RULE_MATURITY_V2.ACTIVE,
+    new Set([PERM_RULE_MATURITY_V2.DISABLED, PERM_RULE_MATURITY_V2.RETIRED]),
+  ],
+  [
+    PERM_RULE_MATURITY_V2.DISABLED,
+    new Set([PERM_RULE_MATURITY_V2.ACTIVE, PERM_RULE_MATURITY_V2.RETIRED]),
+  ],
   [PERM_RULE_MATURITY_V2.RETIRED, new Set()],
 ]);
 const _permRTerminal = new Set([PERM_RULE_MATURITY_V2.RETIRED]);
 const _permCTrans = new Map([
-  [PERM_CHECK_LIFECYCLE_V2.QUEUED, new Set([PERM_CHECK_LIFECYCLE_V2.EVALUATING, PERM_CHECK_LIFECYCLE_V2.CANCELLED])],
-  [PERM_CHECK_LIFECYCLE_V2.EVALUATING, new Set([PERM_CHECK_LIFECYCLE_V2.ALLOWED, PERM_CHECK_LIFECYCLE_V2.DENIED, PERM_CHECK_LIFECYCLE_V2.CANCELLED])],
+  [
+    PERM_CHECK_LIFECYCLE_V2.QUEUED,
+    new Set([
+      PERM_CHECK_LIFECYCLE_V2.EVALUATING,
+      PERM_CHECK_LIFECYCLE_V2.CANCELLED,
+    ]),
+  ],
+  [
+    PERM_CHECK_LIFECYCLE_V2.EVALUATING,
+    new Set([
+      PERM_CHECK_LIFECYCLE_V2.ALLOWED,
+      PERM_CHECK_LIFECYCLE_V2.DENIED,
+      PERM_CHECK_LIFECYCLE_V2.CANCELLED,
+    ]),
+  ],
   [PERM_CHECK_LIFECYCLE_V2.ALLOWED, new Set()],
   [PERM_CHECK_LIFECYCLE_V2.DENIED, new Set()],
   [PERM_CHECK_LIFECYCLE_V2.CANCELLED, new Set()],
 ]);
 const _permRsV2 = new Map();
 const _permCsV2 = new Map();
-let _permMaxActivePerOwner = 10, _permMaxPendingChecksPerRule = 30, _permIdleMs = 30 * 24 * 60 * 60 * 1000, _permStuckMs = 60 * 1000;
-function _permPos(n, label) { const v = Math.floor(Number(n)); if (!Number.isFinite(v) || v <= 0) throw new Error(`${label} must be positive integer`); return v; }
-function _permCheckR(from, to) { const a = _permRTrans.get(from); if (!a || !a.has(to)) throw new Error(`invalid perm rule transition ${from} → ${to}`); }
-function _permCheckC(from, to) { const a = _permCTrans.get(from); if (!a || !a.has(to)) throw new Error(`invalid perm check transition ${from} → ${to}`); }
-export function setMaxActivePermRulesPerOwnerV2(n) { _permMaxActivePerOwner = _permPos(n, "maxActivePermRulesPerOwner"); }
-export function getMaxActivePermRulesPerOwnerV2() { return _permMaxActivePerOwner; }
-export function setMaxPendingPermChecksPerRuleV2(n) { _permMaxPendingChecksPerRule = _permPos(n, "maxPendingPermChecksPerRule"); }
-export function getMaxPendingPermChecksPerRuleV2() { return _permMaxPendingChecksPerRule; }
-export function setPermRuleIdleMsV2(n) { _permIdleMs = _permPos(n, "permRuleIdleMs"); }
-export function getPermRuleIdleMsV2() { return _permIdleMs; }
-export function setPermCheckStuckMsV2(n) { _permStuckMs = _permPos(n, "permCheckStuckMs"); }
-export function getPermCheckStuckMsV2() { return _permStuckMs; }
-export function _resetStatePermissionEngineV2() { _permRsV2.clear(); _permCsV2.clear(); _permMaxActivePerOwner = 10; _permMaxPendingChecksPerRule = 30; _permIdleMs = 30 * 24 * 60 * 60 * 1000; _permStuckMs = 60 * 1000; }
+let _permMaxActivePerOwner = 10,
+  _permMaxPendingChecksPerRule = 30,
+  _permIdleMs = 30 * 24 * 60 * 60 * 1000,
+  _permStuckMs = 60 * 1000;
+function _permPos(n, label) {
+  const v = Math.floor(Number(n));
+  if (!Number.isFinite(v) || v <= 0)
+    throw new Error(`${label} must be positive integer`);
+  return v;
+}
+function _permCheckR(from, to) {
+  const a = _permRTrans.get(from);
+  if (!a || !a.has(to))
+    throw new Error(`invalid perm rule transition ${from} → ${to}`);
+}
+function _permCheckC(from, to) {
+  const a = _permCTrans.get(from);
+  if (!a || !a.has(to))
+    throw new Error(`invalid perm check transition ${from} → ${to}`);
+}
+export function setMaxActivePermRulesPerOwnerV2(n) {
+  _permMaxActivePerOwner = _permPos(n, "maxActivePermRulesPerOwner");
+}
+export function getMaxActivePermRulesPerOwnerV2() {
+  return _permMaxActivePerOwner;
+}
+export function setMaxPendingPermChecksPerRuleV2(n) {
+  _permMaxPendingChecksPerRule = _permPos(n, "maxPendingPermChecksPerRule");
+}
+export function getMaxPendingPermChecksPerRuleV2() {
+  return _permMaxPendingChecksPerRule;
+}
+export function setPermRuleIdleMsV2(n) {
+  _permIdleMs = _permPos(n, "permRuleIdleMs");
+}
+export function getPermRuleIdleMsV2() {
+  return _permIdleMs;
+}
+export function setPermCheckStuckMsV2(n) {
+  _permStuckMs = _permPos(n, "permCheckStuckMs");
+}
+export function getPermCheckStuckMsV2() {
+  return _permStuckMs;
+}
+export function _resetStatePermissionEngineV2() {
+  _permRsV2.clear();
+  _permCsV2.clear();
+  _permMaxActivePerOwner = 10;
+  _permMaxPendingChecksPerRule = 30;
+  _permIdleMs = 30 * 24 * 60 * 60 * 1000;
+  _permStuckMs = 60 * 1000;
+}
 export function registerPermRuleV2({ id, owner, scope, metadata } = {}) {
-  if (!id) throw new Error("perm rule id required"); if (!owner) throw new Error("perm rule owner required");
+  if (!id) throw new Error("perm rule id required");
+  if (!owner) throw new Error("perm rule owner required");
   if (_permRsV2.has(id)) throw new Error(`perm rule ${id} already registered`);
   const now = Date.now();
-  const r = { id, owner, scope: scope || "*", status: PERM_RULE_MATURITY_V2.PENDING, createdAt: now, updatedAt: now, activatedAt: null, retiredAt: null, lastTouchedAt: now, metadata: { ...(metadata || {}) } };
-  _permRsV2.set(id, r); return { ...r, metadata: { ...r.metadata } };
+  const r = {
+    id,
+    owner,
+    scope: scope || "*",
+    status: PERM_RULE_MATURITY_V2.PENDING,
+    createdAt: now,
+    updatedAt: now,
+    activatedAt: null,
+    retiredAt: null,
+    lastTouchedAt: now,
+    metadata: { ...(metadata || {}) },
+  };
+  _permRsV2.set(id, r);
+  return { ...r, metadata: { ...r.metadata } };
+}
+function _permCountActive(owner) {
+  let n = 0;
+  for (const r of _permRsV2.values())
+    if (r.owner === owner && r.status === PERM_RULE_MATURITY_V2.ACTIVE) n++;
+  return n;
 }
-function _permCountActive(owner) { let n = 0; for (const r of _permRsV2.values()) if (r.owner === owner && r.status === PERM_RULE_MATURITY_V2.ACTIVE) n++; return n; }
 export function activatePermRuleV2(id) {
-  const r = _permRsV2.get(id); if (!r) throw new Error(`perm rule ${id} not found`);
+  const r = _permRsV2.get(id);
+  if (!r) throw new Error(`perm rule ${id} not found`);
   _permCheckR(r.status, PERM_RULE_MATURITY_V2.ACTIVE);
   const recovery = r.status === PERM_RULE_MATURITY_V2.DISABLED;
-  if (!recovery && _permCountActive(r.owner) >= _permMaxActivePerOwner) throw new Error(`max active perm rules for owner ${r.owner} reached`);
-  const now = Date.now(); r.status = PERM_RULE_MATURITY_V2.ACTIVE; r.updatedAt = now; r.lastTouchedAt = now; if (!r.activatedAt) r.activatedAt = now;
+  if (!recovery && _permCountActive(r.owner) >= _permMaxActivePerOwner)
+    throw new Error(`max active perm rules for owner ${r.owner} reached`);
+  const now = Date.now();
+  r.status = PERM_RULE_MATURITY_V2.ACTIVE;
+  r.updatedAt = now;
+  r.lastTouchedAt = now;
+  if (!r.activatedAt) r.activatedAt = now;
+  return { ...r, metadata: { ...r.metadata } };
+}
+export function disablePermRuleV2(id) {
+  const r = _permRsV2.get(id);
+  if (!r) throw new Error(`perm rule ${id} not found`);
+  _permCheckR(r.status, PERM_RULE_MATURITY_V2.DISABLED);
+  r.status = PERM_RULE_MATURITY_V2.DISABLED;
+  r.updatedAt = Date.now();
+  return { ...r, metadata: { ...r.metadata } };
+}
+export function retirePermRuleV2(id) {
+  const r = _permRsV2.get(id);
+  if (!r) throw new Error(`perm rule ${id} not found`);
+  _permCheckR(r.status, PERM_RULE_MATURITY_V2.RETIRED);
+  const now = Date.now();
+  r.status = PERM_RULE_MATURITY_V2.RETIRED;
+  r.updatedAt = now;
+  if (!r.retiredAt) r.retiredAt = now;
+  return { ...r, metadata: { ...r.metadata } };
+}
+export function touchPermRuleV2(id) {
+  const r = _permRsV2.get(id);
+  if (!r) throw new Error(`perm rule ${id} not found`);
+  if (_permRTerminal.has(r.status))
+    throw new Error(`cannot touch terminal perm rule ${id}`);
+  const now = Date.now();
+  r.lastTouchedAt = now;
+  r.updatedAt = now;
+  return { ...r, metadata: { ...r.metadata } };
+}
+export function getPermRuleV2(id) {
+  const r = _permRsV2.get(id);
+  if (!r) return null;
   return { ...r, metadata: { ...r.metadata } };
 }
-export function disablePermRuleV2(id) { const r = _permRsV2.get(id); if (!r) throw new Error(`perm rule ${id} not found`); _permCheckR(r.status, PERM_RULE_MATURITY_V2.DISABLED); r.status = PERM_RULE_MATURITY_V2.DISABLED; r.updatedAt = Date.now(); return { ...r, metadata: { ...r.metadata } }; }
-export function retirePermRuleV2(id) { const r = _permRsV2.get(id); if (!r) throw new Error(`perm rule ${id} not found`); _permCheckR(r.status, PERM_RULE_MATURITY_V2.RETIRED); const now = Date.now(); r.status = PERM_RULE_MATURITY_V2.RETIRED; r.updatedAt = now; if (!r.retiredAt) r.retiredAt = now; return { ...r, metadata: { ...r.metadata } }; }
-export function touchPermRuleV2(id) { const r = _permRsV2.get(id); if (!r) throw new Error(`perm rule ${id} not found`); if (_permRTerminal.has(r.status)) throw new Error(`cannot touch terminal perm rule ${id}`); const now = Date.now(); r.lastTouchedAt = now; r.updatedAt = now; return { ...r, metadata: { ...r.metadata } }; }
-export function getPermRuleV2(id) { const r = _permRsV2.get(id); if (!r) return null; return { ...r, metadata: { ...r.metadata } }; }
-export function listPermRulesV2() { return [..._permRsV2.values()].map((r) => ({ ...r, metadata: { ...r.metadata } })); }
-function _permCountPending(ruleId) { let n = 0; for (const c of _permCsV2.values()) if (c.ruleId === ruleId && (c.status === PERM_CHECK_LIFECYCLE_V2.QUEUED || c.status === PERM_CHECK_LIFECYCLE_V2.EVALUATING)) n++; return n; }
+export function listPermRulesV2() {
+  return [..._permRsV2.values()].map((r) => ({
+    ...r,
+    metadata: { ...r.metadata },
+  }));
+}
+function _permCountPending(ruleId) {
+  let n = 0;
+  for (const c of _permCsV2.values())
+    if (
+      c.ruleId === ruleId &&
+      (c.status === PERM_CHECK_LIFECYCLE_V2.QUEUED ||
+        c.status === PERM_CHECK_LIFECYCLE_V2.EVALUATING)
+    )
+      n++;
+  return n;
+}
 export function createPermCheckV2({ id, ruleId, subject, metadata } = {}) {
-  if (!id) throw new Error("perm check id required"); if (!ruleId) throw new Error("perm check ruleId required");
+  if (!id) throw new Error("perm check id required");
+  if (!ruleId) throw new Error("perm check ruleId required");
   if (_permCsV2.has(id)) throw new Error(`perm check ${id} already exists`);
   if (!_permRsV2.has(ruleId)) throw new Error(`perm rule ${ruleId} not found`);
-  if (_permCountPending(ruleId) >= _permMaxPendingChecksPerRule) throw new Error(`max pending perm checks for rule ${ruleId} reached`);
+  if (_permCountPending(ruleId) >= _permMaxPendingChecksPerRule)
+    throw new Error(`max pending perm checks for rule ${ruleId} reached`);
+  const now = Date.now();
+  const c = {
+    id,
+    ruleId,
+    subject: subject || "",
+    status: PERM_CHECK_LIFECYCLE_V2.QUEUED,
+    createdAt: now,
+    updatedAt: now,
+    startedAt: null,
+    settledAt: null,
+    metadata: { ...(metadata || {}) },
+  };
+  _permCsV2.set(id, c);
+  return { ...c, metadata: { ...c.metadata } };
+}
+export function evaluatePermCheckV2(id) {
+  const c = _permCsV2.get(id);
+  if (!c) throw new Error(`perm check ${id} not found`);
+  _permCheckC(c.status, PERM_CHECK_LIFECYCLE_V2.EVALUATING);
+  const now = Date.now();
+  c.status = PERM_CHECK_LIFECYCLE_V2.EVALUATING;
+  c.updatedAt = now;
+  if (!c.startedAt) c.startedAt = now;
+  return { ...c, metadata: { ...c.metadata } };
+}
+export function allowPermCheckV2(id) {
+  const c = _permCsV2.get(id);
+  if (!c) throw new Error(`perm check ${id} not found`);
+  _permCheckC(c.status, PERM_CHECK_LIFECYCLE_V2.ALLOWED);
+  const now = Date.now();
+  c.status = PERM_CHECK_LIFECYCLE_V2.ALLOWED;
+  c.updatedAt = now;
+  if (!c.settledAt) c.settledAt = now;
+  return { ...c, metadata: { ...c.metadata } };
+}
+export function denyPermCheckV2(id, reason) {
+  const c = _permCsV2.get(id);
+  if (!c) throw new Error(`perm check ${id} not found`);
+  _permCheckC(c.status, PERM_CHECK_LIFECYCLE_V2.DENIED);
   const now = Date.now();
-  const c = { id, ruleId, subject: subject || "", status: PERM_CHECK_LIFECYCLE_V2.QUEUED, createdAt: now, updatedAt: now, startedAt: null, settledAt: null, metadata: { ...(metadata || {}) } };
-  _permCsV2.set(id, c); return { ...c, metadata: { ...c.metadata } };
-}
-export function evaluatePermCheckV2(id) { const c = _permCsV2.get(id); if (!c) throw new Error(`perm check ${id} not found`); _permCheckC(c.status, PERM_CHECK_LIFECYCLE_V2.EVALUATING); const now = Date.now(); c.status = PERM_CHECK_LIFECYCLE_V2.EVALUATING; c.updatedAt = now; if (!c.startedAt) c.startedAt = now; return { ...c, metadata: { ...c.metadata } }; }
-export function allowPermCheckV2(id) { const c = _permCsV2.get(id); if (!c) throw new Error(`perm check ${id} not found`); _permCheckC(c.status, PERM_CHECK_LIFECYCLE_V2.ALLOWED); const now = Date.now(); c.status = PERM_CHECK_LIFECYCLE_V2.ALLOWED; c.updatedAt = now; if (!c.settledAt) c.settledAt = now; return { ...c, metadata: { ...c.metadata } }; }
-export function denyPermCheckV2(id, reason) { const c = _permCsV2.get(id); if (!c) throw new Error(`perm check ${id} not found`); _permCheckC(c.status, PERM_CHECK_LIFECYCLE_V2.DENIED); const now = Date.now(); c.status = PERM_CHECK_LIFECYCLE_V2.DENIED; c.updatedAt = now; if (!c.settledAt) c.settledAt = now; if (reason) c.metadata.denyReason = String(reason); return { ...c, metadata: { ...c.metadata } }; }
-export function cancelPermCheckV2(id, reason) { const c = _permCsV2.get(id); if (!c) throw new Error(`perm check ${id} not found`); _permCheckC(c.status, PERM_CHECK_LIFECYCLE_V2.CANCELLED); const now = Date.now(); c.status = PERM_CHECK_LIFECYCLE_V2.CANCELLED; c.updatedAt = now; if (!c.settledAt) c.settledAt = now; if (reason) c.metadata.cancelReason = String(reason); return { ...c, metadata: { ...c.metadata } }; }
-export function getPermCheckV2(id) { const c = _permCsV2.get(id); if (!c) return null; return { ...c, metadata: { ...c.metadata } }; }
-export function listPermChecksV2() { return [..._permCsV2.values()].map((c) => ({ ...c, metadata: { ...c.metadata } })); }
-export function autoDisableIdlePermRulesV2({ now } = {}) { const t = now ?? Date.now(); const flipped = []; for (const r of _permRsV2.values()) if (r.status === PERM_RULE_MATURITY_V2.ACTIVE && (t - r.lastTouchedAt) >= _permIdleMs) { r.status = PERM_RULE_MATURITY_V2.DISABLED; r.updatedAt = t; flipped.push(r.id); } return { flipped, count: flipped.length }; }
-export function autoDenyStuckPermChecksV2({ now } = {}) { const t = now ?? Date.now(); const flipped = []; for (const c of _permCsV2.values()) if (c.status === PERM_CHECK_LIFECYCLE_V2.EVALUATING && c.startedAt != null && (t - c.startedAt) >= _permStuckMs) { c.status = PERM_CHECK_LIFECYCLE_V2.DENIED; c.updatedAt = t; if (!c.settledAt) c.settledAt = t; c.metadata.denyReason = "auto-deny-stuck"; flipped.push(c.id); } return { flipped, count: flipped.length }; }
+  c.status = PERM_CHECK_LIFECYCLE_V2.DENIED;
+  c.updatedAt = now;
+  if (!c.settledAt) c.settledAt = now;
+  if (reason) c.metadata.denyReason = String(reason);
+  return { ...c, metadata: { ...c.metadata } };
+}
+export function cancelPermCheckV2(id, reason) {
+  const c = _permCsV2.get(id);
+  if (!c) throw new Error(`perm check ${id} not found`);
+  _permCheckC(c.status, PERM_CHECK_LIFECYCLE_V2.CANCELLED);
+  const now = Date.now();
+  c.status = PERM_CHECK_LIFECYCLE_V2.CANCELLED;
+  c.updatedAt = now;
+  if (!c.settledAt) c.settledAt = now;
+  if (reason) c.metadata.cancelReason = String(reason);
+  return { ...c, metadata: { ...c.metadata } };
+}
+export function getPermCheckV2(id) {
+  const c = _permCsV2.get(id);
+  if (!c) return null;
+  return { ...c, metadata: { ...c.metadata } };
+}
+export function listPermChecksV2() {
+  return [..._permCsV2.values()].map((c) => ({
+    ...c,
+    metadata: { ...c.metadata },
+  }));
+}
+export function autoDisableIdlePermRulesV2({ now } = {}) {
+  const t = now ?? Date.now();
+  const flipped = [];
+  for (const r of _permRsV2.values())
+    if (
+      r.status === PERM_RULE_MATURITY_V2.ACTIVE &&
+      t - r.lastTouchedAt >= _permIdleMs
+    ) {
+      r.status = PERM_RULE_MATURITY_V2.DISABLED;
+      r.updatedAt = t;
+      flipped.push(r.id);
+    }
+  return { flipped, count: flipped.length };
+}
+export function autoDenyStuckPermChecksV2({ now } = {}) {
+  const t = now ?? Date.now();
+  const flipped = [];
+  for (const c of _permCsV2.values())
+    if (
+      c.status === PERM_CHECK_LIFECYCLE_V2.EVALUATING &&
+      c.startedAt != null &&
+      t - c.startedAt >= _permStuckMs
+    ) {
+      c.status = PERM_CHECK_LIFECYCLE_V2.DENIED;
+      c.updatedAt = t;
+      if (!c.settledAt) c.settledAt = t;
+      c.metadata.denyReason = "auto-deny-stuck";
+      flipped.push(c.id);
+    }
+  return { flipped, count: flipped.length };
+}
 export function getPermissionEngineGovStatsV2() {
-  const rulesByStatus = {}; for (const v of Object.values(PERM_RULE_MATURITY_V2)) rulesByStatus[v] = 0; for (const r of _permRsV2.values()) rulesByStatus[r.status]++;
-  const checksByStatus = {}; for (const v of Object.values(PERM_CHECK_LIFECYCLE_V2)) checksByStatus[v] = 0; for (const c of _permCsV2.values()) checksByStatus[c.status]++;
-  return { totalPermRulesV2: _permRsV2.size, totalPermChecksV2: _permCsV2.size, maxActivePermRulesPerOwner: _permMaxActivePerOwner, maxPendingPermChecksPerRule: _permMaxPendingChecksPerRule, permRuleIdleMs: _permIdleMs, permCheckStuckMs: _permStuckMs, rulesByStatus, checksByStatus };
+  const rulesByStatus = {};
+  for (const v of Object.values(PERM_RULE_MATURITY_V2)) rulesByStatus[v] = 0;
+  for (const r of _permRsV2.values()) rulesByStatus[r.status]++;
+  const checksByStatus = {};
+  for (const v of Object.values(PERM_CHECK_LIFECYCLE_V2)) checksByStatus[v] = 0;
+  for (const c of _permCsV2.values()) checksByStatus[c.status]++;
+  return {
+    totalPermRulesV2: _permRsV2.size,
+    totalPermChecksV2: _permCsV2.size,
+    maxActivePermRulesPerOwner: _permMaxActivePerOwner,
+    maxPendingPermChecksPerRule: _permMaxPendingChecksPerRule,
+    permRuleIdleMs: _permIdleMs,
+    permCheckStuckMs: _permStuckMs,
+    rulesByStatus,
+    checksByStatus,
+  };
 }