chainlesschain 0.143.0 → 0.152.0

package/src/lib/dlp-engine.js

@@ -692,25 +692,50 @@ export function getHighestUnresolvedSeverity() {
 
 export { _v2PolicyMeta, _v2IncidentMeta, _builtinPolicyTemplates };
 
-
 // ===== V2 Surface: DLP Engine governance overlay (CLI v0.135.0) =====
 export const DLP_POLICY_MATURITY_V2 = Object.freeze({
-  PENDING: "pending", ACTIVE: "active", SUSPENDED: "suspended", RETIRED: "retired",
+  PENDING: "pending",
+  ACTIVE: "active",
+  SUSPENDED: "suspended",
+  RETIRED: "retired",
 });
 export const DLP_SCAN_LIFECYCLE_V2 = Object.freeze({
-  QUEUED: "queued", SCANNING: "scanning", COMPLETED: "completed", FAILED: "failed", CANCELLED: "cancelled",
+  QUEUED: "queued",
+  SCANNING: "scanning",
+  COMPLETED: "completed",
+  FAILED: "failed",
+  CANCELLED: "cancelled",
 });
 
 const _dlpPolTrans = new Map([
-  [DLP_POLICY_MATURITY_V2.PENDING, new Set([DLP_POLICY_MATURITY_V2.ACTIVE, DLP_POLICY_MATURITY_V2.RETIRED])],
-  [DLP_POLICY_MATURITY_V2.ACTIVE, new Set([DLP_POLICY_MATURITY_V2.SUSPENDED, DLP_POLICY_MATURITY_V2.RETIRED])],
-  [DLP_POLICY_MATURITY_V2.SUSPENDED, new Set([DLP_POLICY_MATURITY_V2.ACTIVE, DLP_POLICY_MATURITY_V2.RETIRED])],
+  [
+    DLP_POLICY_MATURITY_V2.PENDING,
+    new Set([DLP_POLICY_MATURITY_V2.ACTIVE, DLP_POLICY_MATURITY_V2.RETIRED]),
+  ],
+  [
+    DLP_POLICY_MATURITY_V2.ACTIVE,
+    new Set([DLP_POLICY_MATURITY_V2.SUSPENDED, DLP_POLICY_MATURITY_V2.RETIRED]),
+  ],
+  [
+    DLP_POLICY_MATURITY_V2.SUSPENDED,
+    new Set([DLP_POLICY_MATURITY_V2.ACTIVE, DLP_POLICY_MATURITY_V2.RETIRED]),
+  ],
   [DLP_POLICY_MATURITY_V2.RETIRED, new Set()],
 ]);
 const _dlpPolTerminal = new Set([DLP_POLICY_MATURITY_V2.RETIRED]);
 const _dlpScanTrans = new Map([
-  [DLP_SCAN_LIFECYCLE_V2.QUEUED, new Set([DLP_SCAN_LIFECYCLE_V2.SCANNING, DLP_SCAN_LIFECYCLE_V2.CANCELLED])],
-  [DLP_SCAN_LIFECYCLE_V2.SCANNING, new Set([DLP_SCAN_LIFECYCLE_V2.COMPLETED, DLP_SCAN_LIFECYCLE_V2.FAILED, DLP_SCAN_LIFECYCLE_V2.CANCELLED])],
+  [
+    DLP_SCAN_LIFECYCLE_V2.QUEUED,
+    new Set([DLP_SCAN_LIFECYCLE_V2.SCANNING, DLP_SCAN_LIFECYCLE_V2.CANCELLED]),
+  ],
+  [
+    DLP_SCAN_LIFECYCLE_V2.SCANNING,
+    new Set([
+      DLP_SCAN_LIFECYCLE_V2.COMPLETED,
+      DLP_SCAN_LIFECYCLE_V2.FAILED,
+      DLP_SCAN_LIFECYCLE_V2.CANCELLED,
+    ]),
+  ],
   [DLP_SCAN_LIFECYCLE_V2.COMPLETED, new Set()],
   [DLP_SCAN_LIFECYCLE_V2.FAILED, new Set()],
   [DLP_SCAN_LIFECYCLE_V2.CANCELLED, new Set()],
@@ -723,76 +748,628 @@ let _dlpMaxPendingPerPol = 20;
 let _dlpPolIdleMs = 12 * 60 * 60 * 1000;
 let _dlpScanStuckMs = 5 * 60 * 1000;
 
-function _dlpPos(n, lbl) { const v = Math.floor(Number(n)); if (!Number.isFinite(v) || v <= 0) throw new Error(`${lbl} must be positive integer`); return v; }
+function _dlpPos(n, lbl) {
+  const v = Math.floor(Number(n));
+  if (!Number.isFinite(v) || v <= 0)
+    throw new Error(`${lbl} must be positive integer`);
+  return v;
+}
 
-export function setMaxActiveDlpPoliciesPerOwnerV2(n) { _dlpMaxActivePerOwner = _dlpPos(n, "maxActiveDlpPoliciesPerOwner"); }
-export function getMaxActiveDlpPoliciesPerOwnerV2() { return _dlpMaxActivePerOwner; }
-export function setMaxPendingDlpScansPerPolicyV2(n) { _dlpMaxPendingPerPol = _dlpPos(n, "maxPendingDlpScansPerPolicy"); }
-export function getMaxPendingDlpScansPerPolicyV2() { return _dlpMaxPendingPerPol; }
-export function setDlpPolicyIdleMsV2(n) { _dlpPolIdleMs = _dlpPos(n, "dlpPolicyIdleMs"); }
-export function getDlpPolicyIdleMsV2() { return _dlpPolIdleMs; }
-export function setDlpScanStuckMsV2(n) { _dlpScanStuckMs = _dlpPos(n, "dlpScanStuckMs"); }
-export function getDlpScanStuckMsV2() { return _dlpScanStuckMs; }
+export function setMaxActiveDlpPoliciesPerOwnerV2(n) {
+  _dlpMaxActivePerOwner = _dlpPos(n, "maxActiveDlpPoliciesPerOwner");
+}
+export function getMaxActiveDlpPoliciesPerOwnerV2() {
+  return _dlpMaxActivePerOwner;
+}
+export function setMaxPendingDlpScansPerPolicyV2(n) {
+  _dlpMaxPendingPerPol = _dlpPos(n, "maxPendingDlpScansPerPolicy");
+}
+export function getMaxPendingDlpScansPerPolicyV2() {
+  return _dlpMaxPendingPerPol;
+}
+export function setDlpPolicyIdleMsV2(n) {
+  _dlpPolIdleMs = _dlpPos(n, "dlpPolicyIdleMs");
+}
+export function getDlpPolicyIdleMsV2() {
+  return _dlpPolIdleMs;
+}
+export function setDlpScanStuckMsV2(n) {
+  _dlpScanStuckMs = _dlpPos(n, "dlpScanStuckMs");
+}
+export function getDlpScanStuckMsV2() {
+  return _dlpScanStuckMs;
+}
 
 export function _resetStateDlpEngineV2() {
-  _dlpPols.clear(); _dlpScans.clear();
-  _dlpMaxActivePerOwner = 16; _dlpMaxPendingPerPol = 20;
-  _dlpPolIdleMs = 12 * 60 * 60 * 1000; _dlpScanStuckMs = 5 * 60 * 1000;
+  _dlpPols.clear();
+  _dlpScans.clear();
+  _dlpMaxActivePerOwner = 16;
+  _dlpMaxPendingPerPol = 20;
+  _dlpPolIdleMs = 12 * 60 * 60 * 1000;
+  _dlpScanStuckMs = 5 * 60 * 1000;
 }
 
-export function registerDlpPolicyV2({ id, owner, classification, metadata } = {}) {
+export function registerDlpPolicyV2({
+  id,
+  owner,
+  classification,
+  metadata,
+} = {}) {
   if (!id || typeof id !== "string") throw new Error("id is required");
   if (!owner || typeof owner !== "string") throw new Error("owner is required");
   if (_dlpPols.has(id)) throw new Error(`dlp policy ${id} already registered`);
   const now = Date.now();
-  const p = { id, owner, classification: classification || "internal", status: DLP_POLICY_MATURITY_V2.PENDING, createdAt: now, updatedAt: now, activatedAt: null, retiredAt: null, lastTouchedAt: now, metadata: { ...(metadata || {}) } };
+  const p = {
+    id,
+    owner,
+    classification: classification || "internal",
+    status: DLP_POLICY_MATURITY_V2.PENDING,
+    createdAt: now,
+    updatedAt: now,
+    activatedAt: null,
+    retiredAt: null,
+    lastTouchedAt: now,
+    metadata: { ...(metadata || {}) },
+  };
   _dlpPols.set(id, p);
   return { ...p, metadata: { ...p.metadata } };
 }
-function _dlpCheckP(from, to) { const a = _dlpPolTrans.get(from); if (!a || !a.has(to)) throw new Error(`invalid dlp policy transition ${from} → ${to}`); }
-function _dlpCountActive(owner) { let n = 0; for (const p of _dlpPols.values()) if (p.owner === owner && p.status === DLP_POLICY_MATURITY_V2.ACTIVE) n++; return n; }
+function _dlpCheckP(from, to) {
+  const a = _dlpPolTrans.get(from);
+  if (!a || !a.has(to))
+    throw new Error(`invalid dlp policy transition ${from} → ${to}`);
+}
+function _dlpCountActive(owner) {
+  let n = 0;
+  for (const p of _dlpPols.values())
+    if (p.owner === owner && p.status === DLP_POLICY_MATURITY_V2.ACTIVE) n++;
+  return n;
+}
 
 export function activateDlpPolicyV2(id) {
-  const p = _dlpPols.get(id); if (!p) throw new Error(`dlp policy ${id} not found`);
+  const p = _dlpPols.get(id);
+  if (!p) throw new Error(`dlp policy ${id} not found`);
   _dlpCheckP(p.status, DLP_POLICY_MATURITY_V2.ACTIVE);
   const recovery = p.status === DLP_POLICY_MATURITY_V2.SUSPENDED;
-  if (!recovery) { const a = _dlpCountActive(p.owner); if (a >= _dlpMaxActivePerOwner) throw new Error(`max active dlp policies per owner (${_dlpMaxActivePerOwner}) reached for ${p.owner}`); }
-  const now = Date.now(); p.status = DLP_POLICY_MATURITY_V2.ACTIVE; p.updatedAt = now; p.lastTouchedAt = now; if (!p.activatedAt) p.activatedAt = now;
+  if (!recovery) {
+    const a = _dlpCountActive(p.owner);
+    if (a >= _dlpMaxActivePerOwner)
+      throw new Error(
+        `max active dlp policies per owner (${_dlpMaxActivePerOwner}) reached for ${p.owner}`,
+      );
+  }
+  const now = Date.now();
+  p.status = DLP_POLICY_MATURITY_V2.ACTIVE;
+  p.updatedAt = now;
+  p.lastTouchedAt = now;
+  if (!p.activatedAt) p.activatedAt = now;
+  return { ...p, metadata: { ...p.metadata } };
+}
+export function suspendDlpPolicyV2(id) {
+  const p = _dlpPols.get(id);
+  if (!p) throw new Error(`dlp policy ${id} not found`);
+  _dlpCheckP(p.status, DLP_POLICY_MATURITY_V2.SUSPENDED);
+  p.status = DLP_POLICY_MATURITY_V2.SUSPENDED;
+  p.updatedAt = Date.now();
+  return { ...p, metadata: { ...p.metadata } };
+}
+export function retireDlpPolicyV2(id) {
+  const p = _dlpPols.get(id);
+  if (!p) throw new Error(`dlp policy ${id} not found`);
+  _dlpCheckP(p.status, DLP_POLICY_MATURITY_V2.RETIRED);
+  const now = Date.now();
+  p.status = DLP_POLICY_MATURITY_V2.RETIRED;
+  p.updatedAt = now;
+  if (!p.retiredAt) p.retiredAt = now;
+  return { ...p, metadata: { ...p.metadata } };
+}
+export function touchDlpPolicyV2(id) {
+  const p = _dlpPols.get(id);
+  if (!p) throw new Error(`dlp policy ${id} not found`);
+  if (_dlpPolTerminal.has(p.status))
+    throw new Error(`cannot touch terminal dlp policy ${id}`);
+  const now = Date.now();
+  p.lastTouchedAt = now;
+  p.updatedAt = now;
   return { ...p, metadata: { ...p.metadata } };
 }
-export function suspendDlpPolicyV2(id) { const p = _dlpPols.get(id); if (!p) throw new Error(`dlp policy ${id} not found`); _dlpCheckP(p.status, DLP_POLICY_MATURITY_V2.SUSPENDED); p.status = DLP_POLICY_MATURITY_V2.SUSPENDED; p.updatedAt = Date.now(); return { ...p, metadata: { ...p.metadata } }; }
-export function retireDlpPolicyV2(id) { const p = _dlpPols.get(id); if (!p) throw new Error(`dlp policy ${id} not found`); _dlpCheckP(p.status, DLP_POLICY_MATURITY_V2.RETIRED); const now = Date.now(); p.status = DLP_POLICY_MATURITY_V2.RETIRED; p.updatedAt = now; if (!p.retiredAt) p.retiredAt = now; return { ...p, metadata: { ...p.metadata } }; }
-export function touchDlpPolicyV2(id) { const p = _dlpPols.get(id); if (!p) throw new Error(`dlp policy ${id} not found`); if (_dlpPolTerminal.has(p.status)) throw new Error(`cannot touch terminal dlp policy ${id}`); const now = Date.now(); p.lastTouchedAt = now; p.updatedAt = now; return { ...p, metadata: { ...p.metadata } }; }
-export function getDlpPolicyV2(id) { const p = _dlpPols.get(id); if (!p) return null; return { ...p, metadata: { ...p.metadata } }; }
-export function listDlpPoliciesV2() { return [..._dlpPols.values()].map((p) => ({ ...p, metadata: { ...p.metadata } })); }
+export function getDlpPolicyV2(id) {
+  const p = _dlpPols.get(id);
+  if (!p) return null;
+  return { ...p, metadata: { ...p.metadata } };
+}
+export function listDlpPoliciesV2() {
+  return [..._dlpPols.values()].map((p) => ({
+    ...p,
+    metadata: { ...p.metadata },
+  }));
+}
 
-function _dlpCountPending(pid) { let n = 0; for (const s of _dlpScans.values()) if (s.policyId === pid && (s.status === DLP_SCAN_LIFECYCLE_V2.QUEUED || s.status === DLP_SCAN_LIFECYCLE_V2.SCANNING)) n++; return n; }
+function _dlpCountPending(pid) {
+  let n = 0;
+  for (const s of _dlpScans.values())
+    if (
+      s.policyId === pid &&
+      (s.status === DLP_SCAN_LIFECYCLE_V2.QUEUED ||
+        s.status === DLP_SCAN_LIFECYCLE_V2.SCANNING)
+    )
+      n++;
+  return n;
+}
 
 export function createDlpScanV2({ id, policyId, target, metadata } = {}) {
   if (!id || typeof id !== "string") throw new Error("id is required");
-  if (!policyId || typeof policyId !== "string") throw new Error("policyId is required");
+  if (!policyId || typeof policyId !== "string")
+    throw new Error("policyId is required");
   if (_dlpScans.has(id)) throw new Error(`dlp scan ${id} already exists`);
-  if (!_dlpPols.has(policyId)) throw new Error(`dlp policy ${policyId} not found`);
+  if (!_dlpPols.has(policyId))
+    throw new Error(`dlp policy ${policyId} not found`);
   const pending = _dlpCountPending(policyId);
-  if (pending >= _dlpMaxPendingPerPol) throw new Error(`max pending dlp scans per policy (${_dlpMaxPendingPerPol}) reached for ${policyId}`);
+  if (pending >= _dlpMaxPendingPerPol)
+    throw new Error(
+      `max pending dlp scans per policy (${_dlpMaxPendingPerPol}) reached for ${policyId}`,
+    );
   const now = Date.now();
-  const s = { id, policyId, target: target || "", status: DLP_SCAN_LIFECYCLE_V2.QUEUED, createdAt: now, updatedAt: now, startedAt: null, settledAt: null, metadata: { ...(metadata || {}) } };
+  const s = {
+    id,
+    policyId,
+    target: target || "",
+    status: DLP_SCAN_LIFECYCLE_V2.QUEUED,
+    createdAt: now,
+    updatedAt: now,
+    startedAt: null,
+    settledAt: null,
+    metadata: { ...(metadata || {}) },
+  };
   _dlpScans.set(id, s);
   return { ...s, metadata: { ...s.metadata } };
 }
-function _dlpCheckS(from, to) { const a = _dlpScanTrans.get(from); if (!a || !a.has(to)) throw new Error(`invalid dlp scan transition ${from} → ${to}`); }
-export function startDlpScanV2(id) { const s = _dlpScans.get(id); if (!s) throw new Error(`dlp scan ${id} not found`); _dlpCheckS(s.status, DLP_SCAN_LIFECYCLE_V2.SCANNING); const now = Date.now(); s.status = DLP_SCAN_LIFECYCLE_V2.SCANNING; s.updatedAt = now; if (!s.startedAt) s.startedAt = now; return { ...s, metadata: { ...s.metadata } }; }
-export function completeDlpScanV2(id) { const s = _dlpScans.get(id); if (!s) throw new Error(`dlp scan ${id} not found`); _dlpCheckS(s.status, DLP_SCAN_LIFECYCLE_V2.COMPLETED); const now = Date.now(); s.status = DLP_SCAN_LIFECYCLE_V2.COMPLETED; s.updatedAt = now; if (!s.settledAt) s.settledAt = now; return { ...s, metadata: { ...s.metadata } }; }
-export function failDlpScanV2(id, reason) { const s = _dlpScans.get(id); if (!s) throw new Error(`dlp scan ${id} not found`); _dlpCheckS(s.status, DLP_SCAN_LIFECYCLE_V2.FAILED); const now = Date.now(); s.status = DLP_SCAN_LIFECYCLE_V2.FAILED; s.updatedAt = now; if (!s.settledAt) s.settledAt = now; if (reason) s.metadata.failReason = String(reason); return { ...s, metadata: { ...s.metadata } }; }
-export function cancelDlpScanV2(id, reason) { const s = _dlpScans.get(id); if (!s) throw new Error(`dlp scan ${id} not found`); _dlpCheckS(s.status, DLP_SCAN_LIFECYCLE_V2.CANCELLED); const now = Date.now(); s.status = DLP_SCAN_LIFECYCLE_V2.CANCELLED; s.updatedAt = now; if (!s.settledAt) s.settledAt = now; if (reason) s.metadata.cancelReason = String(reason); return { ...s, metadata: { ...s.metadata } }; }
-export function getDlpScanV2(id) { const s = _dlpScans.get(id); if (!s) return null; return { ...s, metadata: { ...s.metadata } }; }
-export function listDlpScansV2() { return [..._dlpScans.values()].map((s) => ({ ...s, metadata: { ...s.metadata } })); }
+function _dlpCheckS(from, to) {
+  const a = _dlpScanTrans.get(from);
+  if (!a || !a.has(to))
+    throw new Error(`invalid dlp scan transition ${from} → ${to}`);
+}
+export function startDlpScanV2(id) {
+  const s = _dlpScans.get(id);
+  if (!s) throw new Error(`dlp scan ${id} not found`);
+  _dlpCheckS(s.status, DLP_SCAN_LIFECYCLE_V2.SCANNING);
+  const now = Date.now();
+  s.status = DLP_SCAN_LIFECYCLE_V2.SCANNING;
+  s.updatedAt = now;
+  if (!s.startedAt) s.startedAt = now;
+  return { ...s, metadata: { ...s.metadata } };
+}
+export function completeDlpScanV2(id) {
+  const s = _dlpScans.get(id);
+  if (!s) throw new Error(`dlp scan ${id} not found`);
+  _dlpCheckS(s.status, DLP_SCAN_LIFECYCLE_V2.COMPLETED);
+  const now = Date.now();
+  s.status = DLP_SCAN_LIFECYCLE_V2.COMPLETED;
+  s.updatedAt = now;
+  if (!s.settledAt) s.settledAt = now;
+  return { ...s, metadata: { ...s.metadata } };
+}
+export function failDlpScanV2(id, reason) {
+  const s = _dlpScans.get(id);
+  if (!s) throw new Error(`dlp scan ${id} not found`);
+  _dlpCheckS(s.status, DLP_SCAN_LIFECYCLE_V2.FAILED);
+  const now = Date.now();
+  s.status = DLP_SCAN_LIFECYCLE_V2.FAILED;
+  s.updatedAt = now;
+  if (!s.settledAt) s.settledAt = now;
+  if (reason) s.metadata.failReason = String(reason);
+  return { ...s, metadata: { ...s.metadata } };
+}
+export function cancelDlpScanV2(id, reason) {
+  const s = _dlpScans.get(id);
+  if (!s) throw new Error(`dlp scan ${id} not found`);
+  _dlpCheckS(s.status, DLP_SCAN_LIFECYCLE_V2.CANCELLED);
+  const now = Date.now();
+  s.status = DLP_SCAN_LIFECYCLE_V2.CANCELLED;
+  s.updatedAt = now;
+  if (!s.settledAt) s.settledAt = now;
+  if (reason) s.metadata.cancelReason = String(reason);
+  return { ...s, metadata: { ...s.metadata } };
+}
+export function getDlpScanV2(id) {
+  const s = _dlpScans.get(id);
+  if (!s) return null;
+  return { ...s, metadata: { ...s.metadata } };
+}
+export function listDlpScansV2() {
+  return [..._dlpScans.values()].map((s) => ({
+    ...s,
+    metadata: { ...s.metadata },
+  }));
+}
 
-export function autoSuspendIdleDlpPoliciesV2({ now } = {}) { const t = now ?? Date.now(); const flipped = []; for (const p of _dlpPols.values()) if (p.status === DLP_POLICY_MATURITY_V2.ACTIVE && (t - p.lastTouchedAt) >= _dlpPolIdleMs) { p.status = DLP_POLICY_MATURITY_V2.SUSPENDED; p.updatedAt = t; flipped.push(p.id); } return { flipped, count: flipped.length }; }
-export function autoFailStuckDlpScansV2({ now } = {}) { const t = now ?? Date.now(); const flipped = []; for (const s of _dlpScans.values()) if (s.status === DLP_SCAN_LIFECYCLE_V2.SCANNING && s.startedAt != null && (t - s.startedAt) >= _dlpScanStuckMs) { s.status = DLP_SCAN_LIFECYCLE_V2.FAILED; s.updatedAt = t; if (!s.settledAt) s.settledAt = t; s.metadata.failReason = "auto-fail-stuck"; flipped.push(s.id); } return { flipped, count: flipped.length }; }
+export function autoSuspendIdleDlpPoliciesV2({ now } = {}) {
+  const t = now ?? Date.now();
+  const flipped = [];
+  for (const p of _dlpPols.values())
+    if (
+      p.status === DLP_POLICY_MATURITY_V2.ACTIVE &&
+      t - p.lastTouchedAt >= _dlpPolIdleMs
+    ) {
+      p.status = DLP_POLICY_MATURITY_V2.SUSPENDED;
+      p.updatedAt = t;
+      flipped.push(p.id);
+    }
+  return { flipped, count: flipped.length };
+}
+export function autoFailStuckDlpScansV2({ now } = {}) {
+  const t = now ?? Date.now();
+  const flipped = [];
+  for (const s of _dlpScans.values())
+    if (
+      s.status === DLP_SCAN_LIFECYCLE_V2.SCANNING &&
+      s.startedAt != null &&
+      t - s.startedAt >= _dlpScanStuckMs
+    ) {
+      s.status = DLP_SCAN_LIFECYCLE_V2.FAILED;
+      s.updatedAt = t;
+      if (!s.settledAt) s.settledAt = t;
+      s.metadata.failReason = "auto-fail-stuck";
+      flipped.push(s.id);
+    }
+  return { flipped, count: flipped.length };
+}
 
 export function getDlpEngineStatsV2() {
-  const policiesByStatus = {}; for (const s of Object.values(DLP_POLICY_MATURITY_V2)) policiesByStatus[s] = 0; for (const p of _dlpPols.values()) policiesByStatus[p.status]++;
-  const scansByStatus = {}; for (const s of Object.values(DLP_SCAN_LIFECYCLE_V2)) scansByStatus[s] = 0; for (const sc of _dlpScans.values()) scansByStatus[sc.status]++;
-  return { totalPoliciesV2: _dlpPols.size, totalScansV2: _dlpScans.size, maxActiveDlpPoliciesPerOwner: _dlpMaxActivePerOwner, maxPendingDlpScansPerPolicy: _dlpMaxPendingPerPol, dlpPolicyIdleMs: _dlpPolIdleMs, dlpScanStuckMs: _dlpScanStuckMs, policiesByStatus, scansByStatus };
+  const policiesByStatus = {};
+  for (const s of Object.values(DLP_POLICY_MATURITY_V2))
+    policiesByStatus[s] = 0;
+  for (const p of _dlpPols.values()) policiesByStatus[p.status]++;
+  const scansByStatus = {};
+  for (const s of Object.values(DLP_SCAN_LIFECYCLE_V2)) scansByStatus[s] = 0;
+  for (const sc of _dlpScans.values()) scansByStatus[sc.status]++;
+  return {
+    totalPoliciesV2: _dlpPols.size,
+    totalScansV2: _dlpScans.size,
+    maxActiveDlpPoliciesPerOwner: _dlpMaxActivePerOwner,
+    maxPendingDlpScansPerPolicy: _dlpMaxPendingPerPol,
+    dlpPolicyIdleMs: _dlpPolIdleMs,
+    dlpScanStuckMs: _dlpScanStuckMs,
+    policiesByStatus,
+    scansByStatus,
+  };
+}
+
+// =====================================================================
+// dlp-engine V2 governance overlay (iter20)
+// =====================================================================
+export const DLPGOV_PROFILE_MATURITY_V2 = Object.freeze({
+  PENDING: "pending",
+  ACTIVE: "active",
+  SUSPENDED: "suspended",
+  ARCHIVED: "archived",
+});
+export const DLPGOV_SCAN_LIFECYCLE_V2 = Object.freeze({
+  QUEUED: "queued",
+  SCANNING: "scanning",
+  SCANNED: "scanned",
+  FAILED: "failed",
+  CANCELLED: "cancelled",
+});
+const _dlpgovPTrans = new Map([
+  [
+    DLPGOV_PROFILE_MATURITY_V2.PENDING,
+    new Set([
+      DLPGOV_PROFILE_MATURITY_V2.ACTIVE,
+      DLPGOV_PROFILE_MATURITY_V2.ARCHIVED,
+    ]),
+  ],
+  [
+    DLPGOV_PROFILE_MATURITY_V2.ACTIVE,
+    new Set([
+      DLPGOV_PROFILE_MATURITY_V2.SUSPENDED,
+      DLPGOV_PROFILE_MATURITY_V2.ARCHIVED,
+    ]),
+  ],
+  [
+    DLPGOV_PROFILE_MATURITY_V2.SUSPENDED,
+    new Set([
+      DLPGOV_PROFILE_MATURITY_V2.ACTIVE,
+      DLPGOV_PROFILE_MATURITY_V2.ARCHIVED,
+    ]),
+  ],
+  [DLPGOV_PROFILE_MATURITY_V2.ARCHIVED, new Set()],
+]);
+const _dlpgovPTerminal = new Set([DLPGOV_PROFILE_MATURITY_V2.ARCHIVED]);
+const _dlpgovJTrans = new Map([
+  [
+    DLPGOV_SCAN_LIFECYCLE_V2.QUEUED,
+    new Set([
+      DLPGOV_SCAN_LIFECYCLE_V2.SCANNING,
+      DLPGOV_SCAN_LIFECYCLE_V2.CANCELLED,
+    ]),
+  ],
+  [
+    DLPGOV_SCAN_LIFECYCLE_V2.SCANNING,
+    new Set([
+      DLPGOV_SCAN_LIFECYCLE_V2.SCANNED,
+      DLPGOV_SCAN_LIFECYCLE_V2.FAILED,
+      DLPGOV_SCAN_LIFECYCLE_V2.CANCELLED,
+    ]),
+  ],
+  [DLPGOV_SCAN_LIFECYCLE_V2.SCANNED, new Set()],
+  [DLPGOV_SCAN_LIFECYCLE_V2.FAILED, new Set()],
+  [DLPGOV_SCAN_LIFECYCLE_V2.CANCELLED, new Set()],
+]);
+const _dlpgovPsV2 = new Map();
+const _dlpgovJsV2 = new Map();
+let _dlpgovMaxActive = 8,
+  _dlpgovMaxPending = 20,
+  _dlpgovIdleMs = 30 * 24 * 60 * 60 * 1000,
+  _dlpgovStuckMs = 60 * 1000;
+function _dlpgovPos(n, label) {
+  const v = Math.floor(Number(n));
+  if (!Number.isFinite(v) || v <= 0)
+    throw new Error(`${label} must be positive integer`);
+  return v;
+}
+function _dlpgovCheckP(from, to) {
+  const a = _dlpgovPTrans.get(from);
+  if (!a || !a.has(to))
+    throw new Error(`invalid dlpgov profile transition ${from} → ${to}`);
+}
+function _dlpgovCheckJ(from, to) {
+  const a = _dlpgovJTrans.get(from);
+  if (!a || !a.has(to))
+    throw new Error(`invalid dlpgov scan transition ${from} → ${to}`);
+}
+function _dlpgovCountActive(owner) {
+  let c = 0;
+  for (const p of _dlpgovPsV2.values())
+    if (p.owner === owner && p.status === DLPGOV_PROFILE_MATURITY_V2.ACTIVE)
+      c++;
+  return c;
+}
+function _dlpgovCountPending(profileId) {
+  let c = 0;
+  for (const j of _dlpgovJsV2.values())
+    if (
+      j.profileId === profileId &&
+      (j.status === DLPGOV_SCAN_LIFECYCLE_V2.QUEUED ||
+        j.status === DLPGOV_SCAN_LIFECYCLE_V2.SCANNING)
+    )
+      c++;
+  return c;
+}
+export function setMaxActiveDlpgovProfilesPerOwnerV2(n) {
+  _dlpgovMaxActive = _dlpgovPos(n, "maxActiveDlpgovProfilesPerOwner");
+}
+export function getMaxActiveDlpgovProfilesPerOwnerV2() {
+  return _dlpgovMaxActive;
+}
+export function setMaxPendingDlpgovScansPerProfileV2(n) {
+  _dlpgovMaxPending = _dlpgovPos(n, "maxPendingDlpgovScansPerProfile");
+}
+export function getMaxPendingDlpgovScansPerProfileV2() {
+  return _dlpgovMaxPending;
+}
+export function setDlpgovProfileIdleMsV2(n) {
+  _dlpgovIdleMs = _dlpgovPos(n, "dlpgovProfileIdleMs");
+}
+export function getDlpgovProfileIdleMsV2() {
+  return _dlpgovIdleMs;
+}
+export function setDlpgovScanStuckMsV2(n) {
+  _dlpgovStuckMs = _dlpgovPos(n, "dlpgovScanStuckMs");
+}
+export function getDlpgovScanStuckMsV2() {
+  return _dlpgovStuckMs;
+}
+export function _resetStateDlpEngineGovV2() {
+  _dlpgovPsV2.clear();
+  _dlpgovJsV2.clear();
+  _dlpgovMaxActive = 8;
+  _dlpgovMaxPending = 20;
+  _dlpgovIdleMs = 30 * 24 * 60 * 60 * 1000;
+  _dlpgovStuckMs = 60 * 1000;
+}
+export function registerDlpgovProfileV2({
+  id,
+  owner,
+  classification,
+  metadata,
+} = {}) {
+  if (!id || !owner) throw new Error("id and owner required");
+  if (_dlpgovPsV2.has(id))
+    throw new Error(`dlpgov profile ${id} already exists`);
+  const now = Date.now();
+  const p = {
+    id,
+    owner,
+    classification: classification || "internal",
+    status: DLPGOV_PROFILE_MATURITY_V2.PENDING,
+    createdAt: now,
+    updatedAt: now,
+    lastTouchedAt: now,
+    activatedAt: null,
+    archivedAt: null,
+    metadata: { ...(metadata || {}) },
+  };
+  _dlpgovPsV2.set(id, p);
+  return { ...p, metadata: { ...p.metadata } };
+}
+export function activateDlpgovProfileV2(id) {
+  const p = _dlpgovPsV2.get(id);
+  if (!p) throw new Error(`dlpgov profile ${id} not found`);
+  const isInitial = p.status === DLPGOV_PROFILE_MATURITY_V2.PENDING;
+  _dlpgovCheckP(p.status, DLPGOV_PROFILE_MATURITY_V2.ACTIVE);
+  if (isInitial && _dlpgovCountActive(p.owner) >= _dlpgovMaxActive)
+    throw new Error(`max active dlpgov profiles for owner ${p.owner} reached`);
+  const now = Date.now();
+  p.status = DLPGOV_PROFILE_MATURITY_V2.ACTIVE;
+  p.updatedAt = now;
+  p.lastTouchedAt = now;
+  if (!p.activatedAt) p.activatedAt = now;
+  return { ...p, metadata: { ...p.metadata } };
+}
+export function suspendDlpgovProfileV2(id) {
+  const p = _dlpgovPsV2.get(id);
+  if (!p) throw new Error(`dlpgov profile ${id} not found`);
+  _dlpgovCheckP(p.status, DLPGOV_PROFILE_MATURITY_V2.SUSPENDED);
+  p.status = DLPGOV_PROFILE_MATURITY_V2.SUSPENDED;
+  p.updatedAt = Date.now();
+  return { ...p, metadata: { ...p.metadata } };
+}
+export function archiveDlpgovProfileV2(id) {
+  const p = _dlpgovPsV2.get(id);
+  if (!p) throw new Error(`dlpgov profile ${id} not found`);
+  _dlpgovCheckP(p.status, DLPGOV_PROFILE_MATURITY_V2.ARCHIVED);
+  const now = Date.now();
+  p.status = DLPGOV_PROFILE_MATURITY_V2.ARCHIVED;
+  p.updatedAt = now;
+  if (!p.archivedAt) p.archivedAt = now;
+  return { ...p, metadata: { ...p.metadata } };
+}
+export function touchDlpgovProfileV2(id) {
+  const p = _dlpgovPsV2.get(id);
+  if (!p) throw new Error(`dlpgov profile ${id} not found`);
+  if (_dlpgovPTerminal.has(p.status))
+    throw new Error(`cannot touch terminal dlpgov profile ${id}`);
+  const now = Date.now();
+  p.lastTouchedAt = now;
+  p.updatedAt = now;
+  return { ...p, metadata: { ...p.metadata } };
+}
+export function getDlpgovProfileV2(id) {
+  const p = _dlpgovPsV2.get(id);
+  if (!p) return null;
+  return { ...p, metadata: { ...p.metadata } };
+}
+export function listDlpgovProfilesV2() {
+  return [..._dlpgovPsV2.values()].map((p) => ({
+    ...p,
+    metadata: { ...p.metadata },
+  }));
+}
+export function createDlpgovScanV2({ id, profileId, resource, metadata } = {}) {
+  if (!id || !profileId) throw new Error("id and profileId required");
+  if (_dlpgovJsV2.has(id)) throw new Error(`dlpgov scan ${id} already exists`);
+  if (!_dlpgovPsV2.has(profileId))
+    throw new Error(`dlpgov profile ${profileId} not found`);
+  if (_dlpgovCountPending(profileId) >= _dlpgovMaxPending)
+    throw new Error(
+      `max pending dlpgov scans for profile ${profileId} reached`,
+    );
+  const now = Date.now();
+  const j = {
+    id,
+    profileId,
+    resource: resource || "",
+    status: DLPGOV_SCAN_LIFECYCLE_V2.QUEUED,
+    createdAt: now,
+    updatedAt: now,
+    startedAt: null,
+    settledAt: null,
+    metadata: { ...(metadata || {}) },
+  };
+  _dlpgovJsV2.set(id, j);
+  return { ...j, metadata: { ...j.metadata } };
+}
+export function scanningDlpgovScanV2(id) {
+  const j = _dlpgovJsV2.get(id);
+  if (!j) throw new Error(`dlpgov scan ${id} not found`);
+  _dlpgovCheckJ(j.status, DLPGOV_SCAN_LIFECYCLE_V2.SCANNING);
+  const now = Date.now();
+  j.status = DLPGOV_SCAN_LIFECYCLE_V2.SCANNING;
+  j.updatedAt = now;
+  if (!j.startedAt) j.startedAt = now;
+  return { ...j, metadata: { ...j.metadata } };
+}
+export function completeScanDlpgovV2(id) {
+  const j = _dlpgovJsV2.get(id);
+  if (!j) throw new Error(`dlpgov scan ${id} not found`);
+  _dlpgovCheckJ(j.status, DLPGOV_SCAN_LIFECYCLE_V2.SCANNED);
+  const now = Date.now();
+  j.status = DLPGOV_SCAN_LIFECYCLE_V2.SCANNED;
+  j.updatedAt = now;
+  if (!j.settledAt) j.settledAt = now;
+  return { ...j, metadata: { ...j.metadata } };
+}
+export function failDlpgovScanV2(id, reason) {
+  const j = _dlpgovJsV2.get(id);
+  if (!j) throw new Error(`dlpgov scan ${id} not found`);
+  _dlpgovCheckJ(j.status, DLPGOV_SCAN_LIFECYCLE_V2.FAILED);
+  const now = Date.now();
+  j.status = DLPGOV_SCAN_LIFECYCLE_V2.FAILED;
+  j.updatedAt = now;
+  if (!j.settledAt) j.settledAt = now;
+  if (reason) j.metadata.failReason = String(reason);
+  return { ...j, metadata: { ...j.metadata } };
+}
+export function cancelDlpgovScanV2(id, reason) {
+  const j = _dlpgovJsV2.get(id);
+  if (!j) throw new Error(`dlpgov scan ${id} not found`);
+  _dlpgovCheckJ(j.status, DLPGOV_SCAN_LIFECYCLE_V2.CANCELLED);
+  const now = Date.now();
+  j.status = DLPGOV_SCAN_LIFECYCLE_V2.CANCELLED;
+  j.updatedAt = now;
+  if (!j.settledAt) j.settledAt = now;
+  if (reason) j.metadata.cancelReason = String(reason);
+  return { ...j, metadata: { ...j.metadata } };
+}
+export function getDlpgovScanV2(id) {
+  const j = _dlpgovJsV2.get(id);
+  if (!j) return null;
+  return { ...j, metadata: { ...j.metadata } };
+}
+export function listDlpgovScansV2() {
+  return [..._dlpgovJsV2.values()].map((j) => ({
+    ...j,
+    metadata: { ...j.metadata },
+  }));
+}
+export function autoSuspendIdleDlpgovProfilesV2({ now } = {}) {
+  const t = now ?? Date.now();
+  const flipped = [];
+  for (const p of _dlpgovPsV2.values())
+    if (
+      p.status === DLPGOV_PROFILE_MATURITY_V2.ACTIVE &&
+      t - p.lastTouchedAt >= _dlpgovIdleMs
+    ) {
+      p.status = DLPGOV_PROFILE_MATURITY_V2.SUSPENDED;
+      p.updatedAt = t;
+      flipped.push(p.id);
+    }
+  return { flipped, count: flipped.length };
+}
+export function autoFailStuckDlpgovScansV2({ now } = {}) {
+  const t = now ?? Date.now();
+  const flipped = [];
+  for (const j of _dlpgovJsV2.values())
+    if (
+      j.status === DLPGOV_SCAN_LIFECYCLE_V2.SCANNING &&
+      j.startedAt != null &&
+      t - j.startedAt >= _dlpgovStuckMs
+    ) {
+      j.status = DLPGOV_SCAN_LIFECYCLE_V2.FAILED;
+      j.updatedAt = t;
+      if (!j.settledAt) j.settledAt = t;
+      j.metadata.failReason = "auto-fail-stuck";
+      flipped.push(j.id);
+    }
+  return { flipped, count: flipped.length };
+}
+export function getDlpEngineGovStatsV2() {
+  const profilesByStatus = {};
+  for (const v of Object.values(DLPGOV_PROFILE_MATURITY_V2))
+    profilesByStatus[v] = 0;
+  for (const p of _dlpgovPsV2.values()) profilesByStatus[p.status]++;
+  const scansByStatus = {};
+  for (const v of Object.values(DLPGOV_SCAN_LIFECYCLE_V2)) scansByStatus[v] = 0;
+  for (const j of _dlpgovJsV2.values()) scansByStatus[j.status]++;
+  return {
+    totalDlpgovProfilesV2: _dlpgovPsV2.size,
+    totalDlpgovScansV2: _dlpgovJsV2.size,
+    maxActiveDlpgovProfilesPerOwner: _dlpgovMaxActive,
+    maxPendingDlpgovScansPerProfile: _dlpgovMaxPending,
+    dlpgovProfileIdleMs: _dlpgovIdleMs,
+    dlpgovScanStuckMs: _dlpgovStuckMs,
+    profilesByStatus,
+    scansByStatus,
+  };
 }