kavachos 0.3.0 → 0.4.0

package/dist/permission/index.d.ts

@@ -1,7 +1,7 @@
-import { D as Database, A as AgentIdentity, i as AuthorizeRequest, j as AuthorizeResult, P as Permission } from '../types-B02D3kZy.js';
-export { an as PermissionConstraints } from '../types-B02D3kZy.js';
+import { D as Database, A as AgentIdentity, i as AuthorizeRequest, j as AuthorizeResult, P as Permission } from '../types-RJPOU4un.js';
+export { ar as PermissionConstraints } from '../types-RJPOU4un.js';
 import 'drizzle-orm/sqlite-core';
-import '../types-BuHrZcjE.js';
+import '../types-BiUe9e8u.js';
 import 'zod';
 import '../redirect/index.js';
 
@@ -11,6 +11,11 @@ interface PermissionEngineConfig {
 }
 /**
  * Create the permission/authorization engine.
+ *
+ * This remains the public entry point used by adapters. The constraint and
+ * matching primitives now live in policy/abac.ts so the new unified policy
+ * engine can reuse them. A follow-on patch rewires this function to delegate
+ * to policy/engine.ts; today it still performs direct-permission evaluation.
  */
 declare function createPermissionEngine(config: PermissionEngineConfig): {
     authorize: (agent: AgentIdentity, request: AuthorizeRequest) => Promise<AuthorizeResult>;

package/dist/permission/index.js

@@ -1,7 +1,5 @@
-import { and, eq, gte } from 'drizzle-orm';
 import { sqliteTable, integer, text } from 'drizzle-orm/sqlite-core';
-
-// src/permission/engine.ts
+import { and, eq, gte } from 'drizzle-orm';
 
 // src/crypto/web-crypto.ts
 function generateId() {
@@ -76,6 +74,8 @@ sqliteTable("kavach_permissions", {
   actions: text("actions", { mode: "json" }).notNull().$type(),
   // ["read", "write", "execute"]
   constraints: text("constraints", { mode: "json" }).$type(),
+  // When set, the policy engine consults the ReBAC graph for this permission.
+  relation: text("relation"),
   createdAt: integer("created_at", { mode: "timestamp" }).notNull()
 });
 sqliteTable("kavach_delegation_chains", {
@@ -105,6 +105,8 @@ var auditLogs = sqliteTable("kavach_audit_logs", {
   tokensCost: integer("tokens_cost"),
   ip: text("ip"),
   userAgent: text("user_agent"),
+  // True when this audit row corresponds to a policy-engine cache-hit evaluation.
+  cacheHit: integer("cache_hit", { mode: "boolean" }).notNull().default(false),
   timestamp: integer("timestamp", { mode: "timestamp" }).notNull()
 });
 var rateLimits = sqliteTable("kavach_rate_limits", {
@@ -541,8 +543,6 @@ sqliteTable("kavach_refresh_tokens", {
   expiresAt: integer("expires_at", { mode: "timestamp" }).notNull(),
   createdAt: integer("created_at", { mode: "timestamp" }).notNull()
 });
-
-// src/permission/engine.ts
 function matchResource(pattern, resource) {
   if (pattern === "*") return true;
   const patternParts = pattern.split(":");
@@ -600,6 +600,9 @@ function validateArgPatterns(patterns, args) {
   return { valid: true };
 }
 async function checkRateLimit(db, agentId, resource, maxCallsPerHour) {
+  if (!agentId) {
+    return { allowed: true };
+  }
   const oneHourAgo = new Date(Date.now() - 60 * 60 * 1e3);
   const rows = await db.select().from(rateLimits).where(
     and(
@@ -630,66 +633,20 @@ async function checkRateLimit(db, agentId, resource, maxCallsPerHour) {
   }
   return { allowed: true };
 }
-function createPermissionEngine(config) {
-  const { db, auditAll } = config;
-  async function authorize(agent, request) {
-    const startTime = performance.now();
-    const auditId = generateId();
-    const matchingPermission = agent.permissions.find(
-      (p) => matchResource(p.resource, request.resource) && matchAction(p.actions, request.action)
-    );
-    if (!matchingPermission) {
-      const result2 = {
-        allowed: false,
-        reason: `No permission grants agent "${agent.name}" access to "${request.action}" on "${request.resource}"`,
-        auditId
-      };
-      if (auditAll) {
-        await writeAuditLog(db, agent, request, result2, startTime, auditId);
-      }
-      return result2;
-    }
-    if (matchingPermission.constraints) {
-      const constraintResult = await evaluateConstraints(
-        db,
-        agent,
-        request,
-        matchingPermission.constraints
-      );
-      if (!constraintResult.allowed) {
-        const result2 = {
-          allowed: false,
-          reason: constraintResult.reason,
-          auditId
-        };
-        if (auditAll) {
-          await writeAuditLog(db, agent, request, result2, startTime, auditId);
-        }
-        return result2;
-      }
-    }
-    const result = { allowed: true, auditId };
-    if (auditAll) {
-      await writeAuditLog(db, agent, request, result, startTime, auditId);
-    }
-    return result;
-  }
-  return { authorize };
-}
-async function evaluateConstraints(db, agent, request, constraints) {
+async function evaluateConstraints(db, input, constraints) {
   if (constraints.maxCallsPerHour) {
     const rateResult = await checkRateLimit(
       db,
-      agent.id,
-      request.resource,
+      input.subjectId,
+      input.resource,
       constraints.maxCallsPerHour
     );
     if (!rateResult.allowed) {
       return rateResult;
     }
   }
-  if (constraints.allowedArgPatterns && request.arguments) {
-    const patternResult = validateArgPatterns(constraints.allowedArgPatterns, request.arguments);
+  if (constraints.allowedArgPatterns && input.arguments) {
+    const patternResult = validateArgPatterns(constraints.allowedArgPatterns, input.arguments);
     if (!patternResult.valid) {
       return { allowed: false, reason: patternResult.reason };
     }
@@ -713,21 +670,73 @@ async function evaluateConstraints(db, agent, request, constraints) {
     }
   }
   if (constraints.ipAllowlist && constraints.ipAllowlist.length > 0) {
-    if (!request.ip) {
+    if (!input.ip) {
       return {
         allowed: false,
         reason: "IP_NOT_ALLOWED: No IP address provided; resource requires an IP allowlist match"
       };
     }
-    if (!isIPAllowed(constraints.ipAllowlist, request.ip)) {
+    if (!isIPAllowed(constraints.ipAllowlist, input.ip)) {
       return {
         allowed: false,
-        reason: `IP_NOT_ALLOWED: IP "${request.ip}" is not in the allowlist for this resource`
+        reason: `IP_NOT_ALLOWED: IP "${input.ip}" is not in the allowlist for this resource`
       };
     }
   }
   return { allowed: true };
 }
+
+// src/permission/engine.ts
+function createPermissionEngine(config) {
+  const { db, auditAll } = config;
+  async function authorize(agent, request) {
+    const startTime = performance.now();
+    const auditId = generateId();
+    const matchingPermission = agent.permissions.find(
+      (p) => matchResource(p.resource, request.resource) && matchAction(p.actions, request.action)
+    );
+    if (!matchingPermission) {
+      const result2 = {
+        allowed: false,
+        reason: `No permission grants agent "${agent.name}" access to "${request.action}" on "${request.resource}"`,
+        auditId
+      };
+      if (auditAll) {
+        await writeAuditLog(db, agent, request, result2, startTime, auditId);
+      }
+      return result2;
+    }
+    if (matchingPermission.constraints) {
+      const constraintResult = await evaluateConstraints(
+        db,
+        {
+          subjectId: agent.id,
+          resource: request.resource,
+          arguments: request.arguments,
+          ip: request.ip
+        },
+        matchingPermission.constraints
+      );
+      if (!constraintResult.allowed) {
+        const result2 = {
+          allowed: false,
+          reason: constraintResult.reason,
+          auditId
+        };
+        if (auditAll) {
+          await writeAuditLog(db, agent, request, result2, startTime, auditId);
+        }
+        return result2;
+      }
+    }
+    const result = { allowed: true, auditId };
+    if (auditAll) {
+      await writeAuditLog(db, agent, request, result, startTime, auditId);
+    }
+    return result;
+  }
+  return { authorize };
+}
 async function writeAuditLog(db, agent, request, result, startTime, auditId) {
   const durationMs = Math.round(performance.now() - startTime);
   await db.insert(auditLogs).values({