guardrail-compliance 1.0.0

package/dist/policy/opa-engine.js

@@ -0,0 +1,423 @@
+"use strict";
+/**
+ * Policy as Code Engine (OPA/Rego Integration)
+ *
+ * Enables custom security policies using Open Policy Agent and Rego language
+ * Supports:
+ * - Custom policy definitions
+ * - Policy evaluation against code/config
+ * - Policy bundles and versioning
+ * - Decision logging and auditing
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.policyEngine = exports.PolicyEngine = exports.BUILTIN_POLICIES = void 0;
+// Built-in policy templates
+exports.BUILTIN_POLICIES = [
+    {
+        id: 'no-hardcoded-secrets',
+        name: 'No Hardcoded Secrets',
+        description: 'Prevents hardcoded secrets in source code',
+        version: '1.0.0',
+        category: 'security',
+        severity: 'critical',
+        enabled: true,
+        tags: ['secrets', 'security', 'owasp'],
+        rego: `
+package Guardrail.secrets
+
+default allow = true
+default violations = []
+
+secret_patterns := [
+  "api[_-]?key\\\\s*[=:]\\\\s*['\\\"][^'\\\"]{10,}",
+  "password\\\\s*[=:]\\\\s*['\\\"][^'\\\"]{6,}",
+  "secret\\\\s*[=:]\\\\s*['\\\"][^'\\\"]{10,}",
+  "token\\\\s*[=:]\\\\s*['\\\"][^'\\\"]{10,}",
+  "aws_access_key_id",
+  "aws_secret_access_key"
+]
+
+violations[v] {
+  pattern := secret_patterns[_]
+  regex.match(pattern, lower(input.content))
+  v := {
+    "rule": "no-hardcoded-secrets",
+    "message": sprintf("Potential secret detected matching pattern: %s", [pattern]),
+    "severity": "critical"
+  }
+}
+
+allow {
+  count(violations) == 0
+}
+`,
+    },
+    {
+        id: 'secure-dependencies',
+        name: 'Secure Dependencies',
+        description: 'Ensures dependencies meet security requirements',
+        version: '1.0.0',
+        category: 'security',
+        severity: 'high',
+        enabled: true,
+        tags: ['dependencies', 'supply-chain'],
+        rego: `
+package Guardrail.dependencies
+
+default allow = true
+default violations = []
+
+blocked_packages := [
+  "event-stream",
+  "flatmap-stream",
+  "ua-parser-js@0.7.29"
+]
+
+violations[v] {
+  pkg := input.dependencies[_]
+  blocked := blocked_packages[_]
+  contains(sprintf("%s@%s", [pkg.name, pkg.version]), blocked)
+  v := {
+    "rule": "blocked-package",
+    "message": sprintf("Blocked package detected: %s@%s", [pkg.name, pkg.version]),
+    "severity": "critical"
+  }
+}
+
+violations[v] {
+  pkg := input.dependencies[_]
+  pkg.vulnerabilities[_].severity == "critical"
+  v := {
+    "rule": "critical-vulnerability",
+    "message": sprintf("Critical vulnerability in %s@%s", [pkg.name, pkg.version]),
+    "severity": "critical"
+  }
+}
+
+allow {
+  count(violations) == 0
+}
+`,
+    },
+    {
+        id: 'license-compliance',
+        name: 'License Compliance',
+        description: 'Ensures dependency licenses are compliant',
+        version: '1.0.0',
+        category: 'compliance',
+        severity: 'high',
+        enabled: true,
+        tags: ['license', 'compliance', 'legal'],
+        rego: `
+package Guardrail.licenses
+
+default allow = true
+default violations = []
+
+copyleft_licenses := ["GPL-2.0", "GPL-3.0", "AGPL-3.0"]
+
+violations[v] {
+  input.project_license == "MIT"
+  pkg := input.dependencies[_]
+  copyleft := copyleft_licenses[_]
+  pkg.license == copyleft
+  v := {
+    "rule": "copyleft-contamination",
+    "message": sprintf("Copyleft license %s in %s incompatible with MIT project", [pkg.license, pkg.name]),
+    "severity": "high"
+  }
+}
+
+allow {
+  count(violations) == 0
+}
+`,
+    },
+    {
+        id: 'agent-permissions',
+        name: 'AI Agent Permission Control',
+        description: 'Controls what AI agents can do',
+        version: '1.0.0',
+        category: 'access',
+        severity: 'high',
+        enabled: true,
+        tags: ['ai', 'agent', 'permissions'],
+        rego: `
+package Guardrail.agent
+
+default allow = false
+
+dangerous_paths := ["/etc", "/root", "/var/log", "C:\\\\Windows\\\\System32"]
+dangerous_commands := ["rm -rf", "del /f", "format", "shutdown", "reboot"]
+
+allow {
+  input.action.type == "read"
+  not path_is_dangerous(input.action.path)
+}
+
+allow {
+  input.action.type == "write"
+  input.agent.permissions.write == true
+  not path_is_dangerous(input.action.path)
+}
+
+path_is_dangerous(path) {
+  dangerous := dangerous_paths[_]
+  startswith(path, dangerous)
+}
+
+command_is_dangerous(cmd) {
+  dangerous := dangerous_commands[_]
+  contains(lower(cmd), dangerous)
+}
+
+violations[v] {
+  input.action.type == "execute"
+  command_is_dangerous(input.action.command)
+  v := {
+    "rule": "dangerous-command",
+    "message": sprintf("Dangerous command blocked: %s", [input.action.command]),
+    "severity": "critical"
+  }
+}
+`,
+    },
+    {
+        id: 'code-quality',
+        name: 'Code Quality Standards',
+        description: 'Enforces code quality standards',
+        version: '1.0.0',
+        category: 'quality',
+        severity: 'medium',
+        enabled: true,
+        tags: ['quality', 'standards'],
+        rego: `
+package Guardrail.quality
+
+default allow = true
+default violations = []
+
+violations[v] {
+  input.metrics.complexity > 20
+  v := {
+    "rule": "high-complexity",
+    "message": sprintf("Cyclomatic complexity %d exceeds threshold 20", [input.metrics.complexity]),
+    "severity": "medium"
+  }
+}
+
+violations[v] {
+  input.metrics.lines_of_code > 500
+  v := {
+    "rule": "large-file",
+    "message": sprintf("File has %d lines, exceeds threshold 500", [input.metrics.lines_of_code]),
+    "severity": "low"
+  }
+}
+
+violations[v] {
+  input.metrics.test_coverage < 60
+  v := {
+    "rule": "low-coverage",
+    "message": sprintf("Test coverage %d%% below threshold 60%%", [input.metrics.test_coverage]),
+    "severity": "medium"
+  }
+}
+
+allow {
+  count(violations) == 0
+}
+`,
+    },
+];
+/**
+ * Policy Engine for evaluating Rego policies
+ */
+class PolicyEngine {
+    policies = new Map();
+    decisionLog = [];
+    constructor() {
+        // Load built-in policies
+        for (const policy of exports.BUILTIN_POLICIES) {
+            this.policies.set(policy.id, policy);
+        }
+    }
+    /**
+     * Register a custom policy
+     */
+    registerPolicy(policy) {
+        this.policies.set(policy.id, policy);
+    }
+    /**
+     * Remove a policy
+     */
+    removePolicy(policyId) {
+        return this.policies.delete(policyId);
+    }
+    /**
+     * Get all registered policies
+     */
+    getPolicies() {
+        return Array.from(this.policies.values());
+    }
+    /**
+     * Get a specific policy
+     */
+    getPolicy(policyId) {
+        return this.policies.get(policyId);
+    }
+    /**
+     * Evaluate input against all enabled policies
+     */
+    async evaluate(input) {
+        const decisions = [];
+        for (const policy of this.policies.values()) {
+            if (!policy.enabled)
+                continue;
+            const decision = await this.evaluatePolicy(policy, input);
+            decisions.push(decision);
+            this.decisionLog.push(decision);
+        }
+        return decisions;
+    }
+    /**
+     * Evaluate input against a specific policy
+     */
+    async evaluatePolicy(policy, input) {
+        const startTime = Date.now();
+        try {
+            // In a real implementation, this would use an OPA client or WASM module
+            // For now, we use a simplified JavaScript-based evaluation
+            const result = await this.evaluateRego(policy.rego, input);
+            const violations = (result.violations || []).map((v) => ({
+                rule: v.rule || policy.id,
+                message: v.message || 'Policy violation',
+                severity: v.severity || policy.severity,
+                remediation: v.remediation,
+                location: v.location,
+            }));
+            return {
+                policyId: policy.id,
+                allowed: result.allow !== false && violations.length === 0,
+                violations,
+                warnings: result.warnings || [],
+                metadata: { policyVersion: policy.version },
+                evaluatedAt: new Date().toISOString(),
+                durationMs: Date.now() - startTime,
+            };
+        }
+        catch (error) {
+            return {
+                policyId: policy.id,
+                allowed: false,
+                violations: [{
+                        rule: 'policy-error',
+                        message: `Policy evaluation failed: ${error}`,
+                        severity: 'high',
+                    }],
+                warnings: [],
+                metadata: { error: String(error) },
+                evaluatedAt: new Date().toISOString(),
+                durationMs: Date.now() - startTime,
+            };
+        }
+    }
+    /**
+     * Simplified Rego evaluation (placeholder for OPA integration)
+     * In production, this would use @open-policy-agent/opa-wasm or call OPA server
+     */
+    async evaluateRego(_rego, input) {
+        const violations = [];
+        const warnings = [];
+        let allow = true;
+        const data = input.data;
+        // Basic pattern matching for demonstration
+        // Real implementation would parse and evaluate Rego
+        // Check for secrets in content
+        if (data.content) {
+            const secretPatterns = [
+                /api[_-]?key\s*[=:]\s*['"][^'"]{10,}/i,
+                /password\s*[=:]\s*['"][^'"]{6,}/i,
+                /secret\s*[=:]\s*['"][^'"]{10,}/i,
+            ];
+            for (const pattern of secretPatterns) {
+                if (pattern.test(data.content)) {
+                    violations.push({
+                        rule: 'no-hardcoded-secrets',
+                        message: 'Potential hardcoded secret detected',
+                        severity: 'critical',
+                    });
+                    allow = false;
+                }
+            }
+        }
+        // Check for dangerous dependencies
+        if (data.dependencies) {
+            const blocked = ['event-stream', 'flatmap-stream'];
+            for (const dep of data.dependencies) {
+                if (blocked.includes(dep.name)) {
+                    violations.push({
+                        rule: 'blocked-package',
+                        message: `Blocked package: ${dep.name}`,
+                        severity: 'critical',
+                    });
+                    allow = false;
+                }
+            }
+        }
+        return { allow, violations, warnings };
+    }
+    /**
+     * Get decision log
+     */
+    getDecisionLog() {
+        return [...this.decisionLog];
+    }
+    /**
+     * Clear decision log
+     */
+    clearDecisionLog() {
+        this.decisionLog = [];
+    }
+    /**
+     * Export policies as a bundle
+     */
+    exportBundle(name) {
+        return {
+            id: `bundle-${Date.now()}`,
+            name,
+            version: '1.0.0',
+            policies: this.getPolicies(),
+            createdAt: new Date().toISOString(),
+            updatedAt: new Date().toISOString(),
+        };
+    }
+    /**
+     * Import policies from a bundle
+     */
+    importBundle(bundle) {
+        for (const policy of bundle.policies) {
+            this.registerPolicy(policy);
+        }
+    }
+    /**
+     * Validate Rego syntax (placeholder)
+     */
+    validateRego(rego) {
+        const errors = [];
+        // Basic syntax checks
+        if (!rego.includes('package ')) {
+            errors.push('Missing package declaration');
+        }
+        if (!rego.includes('default ') && !rego.includes('allow') && !rego.includes('deny')) {
+            errors.push('Policy should define allow or deny rules');
+        }
+        return {
+            valid: errors.length === 0,
+            errors,
+        };
+    }
+}
+exports.PolicyEngine = PolicyEngine;
+// Export singleton
+exports.policyEngine = new PolicyEngine();

package/package.json

@@ -0,0 +1,31 @@
+{
+  "name": "guardrail-compliance",
+  "version": "1.0.0",
+  "main": "./dist/index.js",
+  "files": ["dist/**/*", "src/**/*"],
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "default": "./dist/index.js"
+    }
+  },
+  "scripts": {
+    "build": "tsc",
+    "dev": "tsc --watch",
+    "test": "vitest"
+  },
+  "dependencies": {
+    "guardrail-core": "^1.0.0",
+    "cron": "^3.1.6",
+    "nodemailer": "^7.0.12",
+    "zod": "^3.22.4"
+  },
+  "devDependencies": {
+    "@types/cron": "^2.0.1",
+    "@types/node": "^20.11.5",
+    "@types/nodemailer": "^6.4.14",
+    "typescript": "^5.9.3",
+    "vitest": "^1.2.0"
+  }
+}