opalserve 0.1.0
- package/.env.example +19 -0
- package/AGENTS.md +23 -0
- package/README.md +109 -0
- package/config/servers.example.yaml +67 -0
- package/config/servers.yaml +2 -0
- package/dist/cli/discover.d.ts +3 -0
- package/dist/cli/discover.d.ts.map +1 -0
- package/dist/cli/discover.js +160 -0
- package/dist/cli/discover.js.map +1 -0
- package/dist/cli/index.d.ts +3 -0
- package/dist/cli/index.d.ts.map +1 -0
- package/dist/cli/index.js +32 -0
- package/dist/cli/index.js.map +1 -0
- package/dist/connectors/base.d.ts +49 -0
- package/dist/connectors/base.d.ts.map +1 -0
- package/dist/connectors/base.js +45 -0
- package/dist/connectors/base.js.map +1 -0
- package/dist/connectors/custom.d.ts +19 -0
- package/dist/connectors/custom.d.ts.map +1 -0
- package/dist/connectors/custom.js +129 -0
- package/dist/connectors/custom.js.map +1 -0
- package/dist/connectors/github.d.ts +18 -0
- package/dist/connectors/github.d.ts.map +1 -0
- package/dist/connectors/github.js +188 -0
- package/dist/connectors/github.js.map +1 -0
- package/dist/connectors/google-drive.d.ts +18 -0
- package/dist/connectors/google-drive.d.ts.map +1 -0
- package/dist/connectors/google-drive.js +209 -0
- package/dist/connectors/google-drive.js.map +1 -0
- package/dist/connectors/index.d.ts +11 -0
- package/dist/connectors/index.d.ts.map +1 -0
- package/dist/connectors/index.js +76 -0
- package/dist/connectors/index.js.map +1 -0
- package/dist/connectors/postgres.d.ts +18 -0
- package/dist/connectors/postgres.d.ts.map +1 -0
- package/dist/connectors/postgres.js +140 -0
- package/dist/connectors/postgres.js.map +1 -0
- package/dist/connectors/slack.d.ts +18 -0
- package/dist/connectors/slack.d.ts.map +1 -0
- package/dist/connectors/slack.js +181 -0
- package/dist/connectors/slack.js.map +1 -0
- package/dist/core/auth.d.ts +26 -0
- package/dist/core/auth.d.ts.map +1 -0
- package/dist/core/auth.js +81 -0
- package/dist/core/auth.js.map +1 -0
- package/dist/core/registry.d.ts +33 -0
- package/dist/core/registry.d.ts.map +1 -0
- package/dist/core/registry.js +237 -0
- package/dist/core/registry.js.map +1 -0
- package/dist/core/tokenizer.d.ts +16 -0
- package/dist/core/tokenizer.d.ts.map +1 -0
- package/dist/core/tokenizer.js +29 -0
- package/dist/core/tokenizer.js.map +1 -0
- package/dist/governance/audit.d.ts +27 -0
- package/dist/governance/audit.d.ts.map +1 -0
- package/dist/governance/audit.js +149 -0
- package/dist/governance/audit.js.map +1 -0
- package/dist/governance/index.d.ts +5 -0
- package/dist/governance/index.d.ts.map +1 -0
- package/dist/governance/index.js +5 -0
- package/dist/governance/index.js.map +1 -0
- package/dist/governance/policy.d.ts +20 -0
- package/dist/governance/policy.d.ts.map +1 -0
- package/dist/governance/policy.js +162 -0
- package/dist/governance/policy.js.map +1 -0
- package/dist/governance/rate-limiter.d.ts +20 -0
- package/dist/governance/rate-limiter.d.ts.map +1 -0
- package/dist/governance/rate-limiter.js +73 -0
- package/dist/governance/rate-limiter.js.map +1 -0
- package/dist/governance/types.d.ts +246 -0
- package/dist/governance/types.d.ts.map +1 -0
- package/dist/governance/types.js +72 -0
- package/dist/governance/types.js.map +1 -0
- package/dist/identity/access-control.d.ts +15 -0
- package/dist/identity/access-control.d.ts.map +1 -0
- package/dist/identity/access-control.js +81 -0
- package/dist/identity/access-control.js.map +1 -0
- package/dist/identity/index.d.ts +4 -0
- package/dist/identity/index.d.ts.map +1 -0
- package/dist/identity/index.js +4 -0
- package/dist/identity/index.js.map +1 -0
- package/dist/identity/manager.d.ts +29 -0
- package/dist/identity/manager.d.ts.map +1 -0
- package/dist/identity/manager.js +167 -0
- package/dist/identity/manager.js.map +1 -0
- package/dist/identity/types.d.ts +237 -0
- package/dist/identity/types.d.ts.map +1 -0
- package/dist/identity/types.js +80 -0
- package/dist/identity/types.js.map +1 -0
- package/dist/index.d.ts +13 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +10 -0
- package/dist/index.js.map +1 -0
- package/dist/registry/server.d.ts +14 -0
- package/dist/registry/server.d.ts.map +1 -0
- package/dist/registry/server.js +173 -0
- package/dist/registry/server.js.map +1 -0
- package/dist/types/index.d.ts +639 -0
- package/dist/types/index.d.ts.map +1 -0
- package/dist/types/index.js +76 -0
- package/dist/types/index.js.map +1 -0
- package/dist/utils/config.d.ts +29 -0
- package/dist/utils/config.d.ts.map +1 -0
- package/dist/utils/config.js +47 -0
- package/dist/utils/config.js.map +1 -0
- package/dist/utils/index.d.ts +7 -0
- package/dist/utils/index.d.ts.map +1 -0
- package/dist/utils/index.js +44 -0
- package/dist/utils/index.js.map +1 -0
- package/dist/workflow/engine.d.ts +18 -0
- package/dist/workflow/engine.d.ts.map +1 -0
- package/dist/workflow/engine.js +155 -0
- package/dist/workflow/engine.js.map +1 -0
- package/dist/workflow/index.d.ts +4 -0
- package/dist/workflow/index.d.ts.map +1 -0
- package/dist/workflow/index.js +4 -0
- package/dist/workflow/index.js.map +1 -0
- package/dist/workflow/templates.d.ts +4 -0
- package/dist/workflow/templates.d.ts.map +1 -0
- package/dist/workflow/templates.js +218 -0
- package/dist/workflow/templates.js.map +1 -0
- package/dist/workflow/types.d.ts +255 -0
- package/dist/workflow/types.d.ts.map +1 -0
- package/dist/workflow/types.js +48 -0
- package/dist/workflow/types.js.map +1 -0
- package/eslint.config.js +25 -0
- package/package.json +78 -0
- package/src/cli/discover.ts +223 -0
- package/src/cli/index.ts +40 -0
- package/src/connectors/base.ts +75 -0
- package/src/connectors/custom.ts +139 -0
- package/src/connectors/github.ts +195 -0
- package/src/connectors/google-drive.ts +217 -0
- package/src/connectors/index.ts +86 -0
- package/src/connectors/postgres.ts +148 -0
- package/src/connectors/slack.ts +188 -0
- package/src/core/auth.ts +109 -0
- package/src/core/registry.ts +301 -0
- package/src/core/tokenizer.ts +40 -0
- package/src/governance/audit.ts +182 -0
- package/src/governance/index.ts +4 -0
- package/src/governance/policy.ts +187 -0
- package/src/governance/rate-limiter.ts +95 -0
- package/src/governance/types.ts +100 -0
- package/src/identity/access-control.ts +119 -0
- package/src/identity/index.ts +3 -0
- package/src/identity/manager.ts +207 -0
- package/src/identity/types.ts +91 -0
- package/src/index.ts +16 -0
- package/src/registry/server.ts +195 -0
- package/src/types/index.ts +128 -0
- package/src/utils/config.ts +78 -0
- package/src/utils/index.ts +47 -0
- package/src/workflow/engine.ts +187 -0
- package/src/workflow/index.ts +3 -0
- package/src/workflow/templates.ts +220 -0
- package/src/workflow/types.ts +89 -0
- package/tsconfig.json +25 -0
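--- a/package/dist/governance/policy.js
+++ b/package/dist/governance/policy.js
@@ -0,0 +1,162 @@
+export class PolicyEngine {
+policies = new Map();
+auditCallback;
+setAuditCallback(callback) {
+this.auditCallback = callback;
+}
+registerPolicy(policy) {
+policy.rules.sort((a, b) => b.priority - a.priority);
+this.policies.set(policy.id, policy);
+}
+getPolicy(id) {
+return this.policies.get(id);
+}
+getAllPolicies() {
+return Array.from(this.policies.values());
+}
+deletePolicy(id) {
+return this.policies.delete(id);
+}
+evaluate(context) {
+const auditEvents = [];
+const matchedRules = [];
+for (const policy of this.policies.values()) {
+if (!policy.enabled)
+continue;
+for (const rule of policy.rules) {
+if (!rule.enabled)
+continue;
+const matches = this.evaluateConditions(rule.conditions, context);
+if (matches) {
+matchedRules.push(rule);
+if (policy.auditEnabled && this.auditCallback) {
+auditEvents.push({
+type: 'admin.action',
+requestId: context.requestId || `policy-${Date.now()}`,
+agentId: context.agentId,
+agentName: context.agentName,
+action: `policy:${policy.name}:${rule.name}`,
+result: rule.effect === 'allow' ? 'success' : rule.effect === 'deny' ? 'denied' : 'success',
+metadata: { policyId: policy.id, ruleId: rule.id },
+context: {},
+});
+}
+if (rule.effect === 'deny') {
+return { allowed: false, matchedRules, auditEvents };
+}
+if (rule.effect === 'allow') {
+return { allowed: true, matchedRules, auditEvents };
+}
+}
+}
+if (matchedRules.length === 0) {
+return {
+allowed: policy.defaultEffect === 'allow',
+matchedRules: [],
+auditEvents,
+};
+}
+}
+return { allowed: true, matchedRules, auditEvents };
+}
+evaluateConditions(conditions, context) {
+if (conditions.length === 0)
+return true;
+return conditions.every(condition => {
+const value = this.getNestedValue(context, condition.field);
+return this.evaluateOperator(condition.operator, value, condition.value);
+});
+}
+getNestedValue(obj, path) {
+const keys = path.split('.');
+let current = obj;
+for (const key of keys) {
+if (current === null || current === undefined)
+return undefined;
+current = current[key];
+}
+return current;
+}
+evaluateOperator(operator, actual, expected) {
+switch (operator) {
+case 'equals':
+return actual === expected;
+case 'not_equals':
+return actual !== expected;
+case 'contains':
+return typeof actual === 'string' && typeof expected === 'string' && actual.includes(expected);
+case 'not_contains':
+return typeof actual === 'string' && typeof expected === 'string' && !actual.includes(expected);
+case 'in':
+return Array.isArray(expected) && expected.includes(actual);
+case 'not_in':
+return Array.isArray(expected) && !expected.includes(actual);
+case 'greater_than':
+return typeof actual === 'number' && typeof expected === 'number' && actual > expected;
+case 'less_than':
+return typeof actual === 'number' && typeof expected === 'number' && actual < expected;
+default:
+return false;
+}
+}
+createDefaultPolicies() {
+const highValueToolsPolicy = {
+id: 'high-value-tools',
+name: 'High-Value Tool Protection',
+description: 'Protect sensitive tools requiring additional verification',
+version: '1.0.0',
+enabled: true,
+rules: [
+{
+id: 'deny-database-write',
+name: 'Deny Database Writes',
+description: 'Block write operations to production databases',
+enabled: true,
+priority: 100,
+conditions: [
+{ field: 'tool.capabilities', operator: 'contains', value: 'write' },
+{ field: 'tool.serverName', operator: 'contains', value: 'postgres' },
+],
+effect: 'deny',
+actions: ['notify-admin'],
+metadata: {},
+},
+],
+defaultEffect: 'allow',
+auditEnabled: true,
+complianceFrameworks: ['SOC2', 'GDPR'],
+createdAt: new Date().toISOString(),
+updatedAt: new Date().toISOString(),
+};
+const trustLevelPolicy = {
+id: 'trust-level-access',
+name: 'Trust Level Access Control',
+description: 'Restrict access based on identity trust level',
+version: '1.0.0',
+enabled: true,
+rules: [
+{
+id: 'low-trust-limited-tools',
+name: 'Low Trust Limited Access',
+description: 'Limit tools for low-trust identities',
+enabled: true,
+priority: 50,
+conditions: [
+{ field: 'identity.trustLevel', operator: 'in', value: ['untrusted', 'low'] },
+],
+effect: 'deny',
+actions: ['require-reapproval'],
+metadata: {},
+},
+],
+defaultEffect: 'allow',
+auditEnabled: true,
+complianceFrameworks: ['ISO27001'],
+createdAt: new Date().toISOString(),
+updatedAt: new Date().toISOString(),
+};
+this.registerPolicy(highValueToolsPolicy);
+this.registerPolicy(trustLevelPolicy);
+}
+}
+//# sourceMappingURL=policy.js.map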
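Review bot: The `if (matchedRules.length === 0)` block at lines 52–58 of evaluate returns as soon as the first enabled policy has no matching rule, so every later policy is skipped; with the two policies that createDefaultPolicies registers, a request from a `low` or `untrusted` identity to any tool whose server name does not contain `postgres` is answered `allowed: true` by the default effect of `high-value-tools` and the `trust-level-access` deny rule at lines 145–147 is never evaluated. The same loop also returns on the first `allow` rule it meets (lines 47–49), so an allow in an earlier policy overrides a deny in a later one, and "earlier" here is Map insertion order rather than anything the policy author controls. I would evaluate every enabled policy, take each policy's verdict from its highest-priority allow/deny rule (falling back to `defaultEffect` when none matched), and let a deny from any policy win; the rewritten loop is below. Separately, the `contains` operator (line 87) only matches when both operands are strings, so if `tool.capabilities` is a list rather than a string the `deny-database-write` rule can never fire — worth confirming against the tool type. This file is compiled output of `src/governance/policy.ts`, so the change belongs in the source.
```javascript
evaluate(context) {
    const auditEvents = [];
    const matchedRules = [];
    let denied = false;
    for (const policy of this.policies.values()) {
        if (!policy.enabled)
            continue;
        // This policy's verdict: its highest-priority allow/deny rule, else its defaultEffect.
        let verdict = null;
        for (const rule of policy.rules) {
            if (!rule.enabled)
                continue;
            if (!this.evaluateConditions(rule.conditions, context))
                continue;
            matchedRules.push(rule);
            // … unchanged: audit event construction …
            if (rule.effect === 'deny' || rule.effect === 'allow') {
                verdict = rule.effect;
                break;
            }
        }
        if (verdict === null) {
            verdict = policy.defaultEffect === 'allow' ? 'allow' : 'deny';
        }
        // Keep iterating so every policy is evaluated and its audit events are produced.
        if (verdict === 'deny') {
            denied = true;
        }
    }
    return { allowed: !denied, matchedRules, auditEvents };
}
```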
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"policy.js","sourceRoot":"","sources":["../../src/governance/policy.ts"],"names":[],"mappings":"AAEA,MAAM,OAAO,YAAY;IACf,QAAQ,GAAkC,IAAI,GAAG,EAAE,CAAC;IACpD,aAAa,CAAyD;IAE9E,gBAAgB,CAAC,QAA+D;QAC9E,IAAI,CAAC,aAAa,GAAG,QAAQ,CAAC;IAChC,CAAC;IAED,cAAc,CAAC,MAAwB;QACrC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,GAAG,CAAC,CAAC,QAAQ,CAAC,CAAC;QACrD,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC;IACvC,CAAC;IAED,SAAS,CAAC,EAAU;QAClB,OAAO,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAC/B,CAAC;IAED,cAAc;QACZ,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;IAC5C,CAAC;IAED,YAAY,CAAC,EAAU;QACrB,OAAO,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;IAClC,CAAC;IAED,QAAQ,CAAC,OAAgC;QAKvC,MAAM,WAAW,GAA2C,EAAE,CAAC;QAC/D,MAAM,YAAY,GAAiB,EAAE,CAAC;QAEtC,KAAK,MAAM,MAAM,IAAI,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,EAAE,CAAC;YAC5C,IAAI,CAAC,MAAM,CAAC,OAAO;gBAAE,SAAS;YAE9B,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;gBAChC,IAAI,CAAC,IAAI,CAAC,OAAO;oBAAE,SAAS;gBAE5B,MAAM,OAAO,GAAG,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;gBAElE,IAAI,OAAO,EAAE,CAAC;oBACZ,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;oBAExB,IAAI,MAAM,CAAC,YAAY,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;wBAC9C,WAAW,CAAC,IAAI,CAAC;4BACf,IAAI,EAAE,cAAc;4BACpB,SAAS,EAAE,OAAO,CAAC,SAAmB,IAAI,UAAU,IAAI,CAAC,GAAG,EAAE,EAAE;4BAChE,OAAO,EAAE,OAAO,CAAC,OAAiB;4BAClC,SAAS,EAAE,OAAO,CAAC,SAAmB;4BACtC,MAAM,EAAE,UAAU,MAAM,CAAC,IAAI,IAAI,IAAI,CAAC,IAAI,EAAE;4BAC5C,MAAM,EAAE,IAAI,CAAC,MAAM,KAAK,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS;4BAC3F,QAAQ,EAAE,EAAE,QAAQ,EAAE,MAAM,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,EAAE;4BAClD,OAAO,EAAE,EAAE;yBACZ,CAAC,CAAC;oBACL,CAAC;oBAED,IAAI,IAAI,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;wBAC3B,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,CAAC;oBACvD,CAAC;oBAED,IAAI,IAAI,CAAC,MAAM,KAAK,OAAO,EAAE,CAAC;wBAC5B,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,YAAY,EAAE,WAAW,EAAE,CAAC;oBACtD,CAAC;gBACH,CA
AC;YACH,CAAC;YAED,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC9B,OAAO;oBACL,OAAO,EAAE,MAAM,CAAC,aAAa,KAAK,OAAO;oBACzC,YAAY,EAAE,EAAE;oBAChB,WAAW;iBACZ,CAAC;YACJ,CAAC;QACH,CAAC;QAED,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,YAAY,EAAE,WAAW,EAAE,CAAC;IACtD,CAAC;IAEO,kBAAkB,CAAC,UAAoC,EAAE,OAAgC;QAC/F,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QAEzC,OAAO,UAAU,CAAC,KAAK,CAAC,SAAS,CAAC,EAAE;YAClC,MAAM,KAAK,GAAG,IAAI,CAAC,cAAc,CAAC,OAAO,EAAE,SAAS,CAAC,KAAK,CAAC,CAAC;YAC5D,OAAO,IAAI,CAAC,gBAAgB,CAAC,SAAS,CAAC,QAAQ,EAAE,KAAK,EAAE,SAAS,CAAC,KAAK,CAAC,CAAC;QAC3E,CAAC,CAAC,CAAC;IACL,CAAC;IAEO,cAAc,CAAC,GAA4B,EAAE,IAAY;QAC/D,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC7B,IAAI,OAAO,GAAY,GAAG,CAAC;QAE3B,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;YACvB,IAAI,OAAO,KAAK,IAAI,IAAI,OAAO,KAAK,SAAS;gBAAE,OAAO,SAAS,CAAC;YAChE,OAAO,GAAI,OAAmC,CAAC,GAAG,CAAC,CAAC;QACtD,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAEO,gBAAgB,CAAC,QAAiD,EAAE,MAAe,EAAE,QAAiB;QAC5G,QAAQ,QAAQ,EAAE,CAAC;YACjB,KAAK,QAAQ;gBACX,OAAO,MAAM,KAAK,QAAQ,CAAC;YAC7B,KAAK,YAAY;gBACf,OAAO,MAAM,KAAK,QAAQ,CAAC;YAC7B,KAAK,UAAU;gBACb,OAAO,OAAO,MAAM,KAAK,QAAQ,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;YACjG,KAAK,cAAc;gBACjB,OAAO,OAAO,MAAM,KAAK,QAAQ,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;YAClG,KAAK,IAAI;gBACP,OAAO,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;YAC9D,KAAK,QAAQ;gBACX,OAAO,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;YAC/D,KAAK,cAAc;gBACjB,OAAO,OAAO,MAAM,KAAK,QAAQ,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,MAAM,GAAG,QAAQ,CAAC;YACzF,KAAK,WAAW;gBACd,OAAO,OAAO,MAAM,KAAK,QAAQ,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,MAAM,GAAG,QAAQ,CAAC;YACzF;gBACE,OAAO,KAAK,CAAC;QACjB,CAAC;IACH,CAAC;IAED,qBAAqB;QACnB,MAAM,oBAAoB,GAAqB;YAC7C,EAAE,EAAE,kBAAkB;YACtB,IAAI,EAAE,4BAA4B;YAClC,WAAW,EAAE,2DAA2D;YACxE,OAAO,EAAE,OAAO;YAChB,OAAO,EAAE,IAAI;YACb,KAAK,EAAE;gBACL;oBACE,EAAE,EAAE,qBAAqB;oBACzB,IAAI,EAAE,sBAAsB;oBAC5B,WAAW,EAAE,gDAAgD;oBAC7D,OAAO,EAAE,IAAI;oBACb,QAAQ,EAAE
,GAAG;oBACb,UAAU,EAAE;wBACV,EAAE,KAAK,EAAE,mBAAmB,EAAE,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO,EAAE;wBACpE,EAAE,KAAK,EAAE,iBAAiB,EAAE,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,UAAU,EAAE;qBACtE;oBACD,MAAM,EAAE,MAAM;oBACd,OAAO,EAAE,CAAC,cAAc,CAAC;oBACzB,QAAQ,EAAE,EAAE;iBACb;aACF;YACD,aAAa,EAAE,OAAO;YACtB,YAAY,EAAE,IAAI;YAClB,oBAAoB,EAAE,CAAC,MAAM,EAAE,MAAM,CAAC;YACtC,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACpC,CAAC;QAEF,MAAM,gBAAgB,GAAqB;YACzC,EAAE,EAAE,oBAAoB;YACxB,IAAI,EAAE,4BAA4B;YAClC,WAAW,EAAE,+CAA+C;YAC5D,OAAO,EAAE,OAAO;YAChB,OAAO,EAAE,IAAI;YACb,KAAK,EAAE;gBACL;oBACE,EAAE,EAAE,yBAAyB;oBAC7B,IAAI,EAAE,0BAA0B;oBAChC,WAAW,EAAE,sCAAsC;oBACnD,OAAO,EAAE,IAAI;oBACb,QAAQ,EAAE,EAAE;oBACZ,UAAU,EAAE;wBACV,EAAE,KAAK,EAAE,qBAAqB,EAAE,QAAQ,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,WAAW,EAAE,KAAK,CAAC,EAAE;qBAC9E;oBACD,MAAM,EAAE,MAAM;oBACd,OAAO,EAAE,CAAC,oBAAoB,CAAC;oBAC/B,QAAQ,EAAE,EAAE;iBACb;aACF;YACD,aAAa,EAAE,OAAO;YACtB,YAAY,EAAE,IAAI;YAClB,oBAAoB,EAAE,CAAC,UAAU,CAAC;YAClC,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACpC,CAAC;QAEF,IAAI,CAAC,cAAc,CAAC,oBAAoB,CAAC,CAAC;QAC1C,IAAI,CAAC,cAAc,CAAC,gBAAgB,CAAC,CAAC;IACxC,CAAC;CACF"}
|
|
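--- a/package/dist/governance/rate-limiter.d.ts
+++ b/package/dist/governance/rate-limiter.d.ts
@@ -0,0 +1,20 @@
+import type { RateLimitState } from './types.js';
+export interface RateLimitConfig {
+windowMs: number;
+maxRequests: number;
+blockDurationMs: number;
+}
+export declare class RateLimiter {
+private states;
+private configs;
+configure(identityId: string, config: RateLimitConfig): void;
+check(identityId: string): {
+allowed: boolean;
+remaining: number;
+resetAt: number;
+};
+reset(identityId: string): void;
+getState(identityId: string): RateLimitState | undefined;
+cleanup(maxAgeMs: number): number;
+}
+//# sourceMappingURL=rate-limiter.d.ts.map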
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"rate-limiter.d.ts","sourceRoot":"","sources":["../../src/governance/rate-limiter.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAEjD,MAAM,WAAW,eAAe;IAC9B,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,eAAe,EAAE,MAAM,CAAC;CACzB;AAED,qBAAa,WAAW;IACtB,OAAO,CAAC,MAAM,CAA0C;IACxD,OAAO,CAAC,OAAO,CAA2C;IAE1D,SAAS,CAAC,UAAU,EAAE,MAAM,EAAE,MAAM,EAAE,eAAe,GAAG,IAAI;IAI5D,KAAK,CAAC,UAAU,EAAE,MAAM,GAAG;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,SAAS,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE;IAyDnF,KAAK,CAAC,UAAU,EAAE,MAAM,GAAG,IAAI;IAI/B,QAAQ,CAAC,UAAU,EAAE,MAAM,GAAG,cAAc,GAAG,SAAS;IAIxD,OAAO,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM;CAalC"}
|
|
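--- a/package/dist/governance/rate-limiter.js
+++ b/package/dist/governance/rate-limiter.js
@@ -0,0 +1,73 @@
+export class RateLimiter {
+states = new Map();
+configs = new Map();
+configure(identityId, config) {
+this.configs.set(identityId, config);
+}
+check(identityId) {
+const config = this.configs.get(identityId);
+if (!config) {
+return { allowed: true, remaining: -1, resetAt: 0 };
+}
+const now = Date.now();
+let state = this.states.get(identityId);
+if (!state || now - state.windowStart >= config.windowMs) {
+state = {
+identityId,
+windowStart: now,
+count: 0,
+blocked: false,
+blockedUntil: null,
+};
+this.states.set(identityId, state);
+}
+if (state.blocked && state.blockedUntil && now < state.blockedUntil) {
+return {
+allowed: false,
+remaining: 0,
+resetAt: state.blockedUntil,
+};
+}
+if (state.blocked && state.blockedUntil && now >= state.blockedUntil) {
+state.blocked = false;
+state.blockedUntil = null;
+state.windowStart = now;
+state.count = 0;
+}
+state.count++;
+this.states.set(identityId, state);
+if (state.count > config.maxRequests) {
+state.blocked = true;
+state.blockedUntil = now + config.blockDurationMs;
+this.states.set(identityId, state);
+return {
+allowed: false,
+remaining: 0,
+resetAt: state.blockedUntil,
+};
+}
+return {
+allowed: true,
+remaining: config.maxRequests - state.count,
+resetAt: state.windowStart + config.windowMs,
+};
+}
+reset(identityId) {
+this.states.delete(identityId);
+}
+getState(identityId) {
+return this.states.get(identityId);
+}
+cleanup(maxAgeMs) {
+const now = Date.now();
+let cleaned = 0;
+for (const [identityId, state] of this.states.entries()) {
+if (now - state.windowStart > maxAgeMs && !state.blocked) {
+this.states.delete(identityId);
+cleaned++;
+}
+}
+return cleaned;
+}
+}
+//# sourceMappingURL=rate-limiter.js.map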
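Review bot: The window-reset condition at line 14 of check, `if (!state || now - state.windowStart >= config.windowMs)`, replaces a blocked state with a fresh unblocked one as soon as the window elapses, so a block never outlives `windowStart + windowMs` and `blockDurationMs` is only honored when it is shorter than the remainder of the window; the `now < state.blockedUntil` test at line 24 is only ever reached inside that window. Guarding the reset with the block flag fixes it, `if (!state || (!state.blocked && now - state.windowStart >= config.windowMs)) {`, since the expired-block branch at lines 31–36 already resets the window for the blocked case. Relatedly, cleanup skips every blocked entry (`!state.blocked` at line 65), so an identity that was blocked and never returned stays in `states` indefinitely; `if (now - state.windowStart > maxAgeMs && (!state.blocked || (state.blockedUntil !== null && state.blockedUntil <= now))) {` would let expired blocks age out. The unconfigured path at lines 9–11 is fail-open (`allowed: true, remaining: -1`); if limiting is meant to be opt-in per identity, a one-line comment saying so would spare the next reader the question. This file is compiled output of `src/governance/rate-limiter.ts`, where the change should land.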
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"rate-limiter.js","sourceRoot":"","sources":["../../src/governance/rate-limiter.ts"],"names":[],"mappings":"AAQA,MAAM,OAAO,WAAW;IACd,MAAM,GAAgC,IAAI,GAAG,EAAE,CAAC;IAChD,OAAO,GAAiC,IAAI,GAAG,EAAE,CAAC;IAE1D,SAAS,CAAC,UAAkB,EAAE,MAAuB;QACnD,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;IACvC,CAAC;IAED,KAAK,CAAC,UAAkB;QACtB,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QAC5C,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,CAAC;QACtD,CAAC;QAED,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,IAAI,KAAK,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QAExC,IAAI,CAAC,KAAK,IAAI,GAAG,GAAG,KAAK,CAAC,WAAW,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;YACzD,KAAK,GAAG;gBACN,UAAU;gBACV,WAAW,EAAE,GAAG;gBAChB,KAAK,EAAE,CAAC;gBACR,OAAO,EAAE,KAAK;gBACd,YAAY,EAAE,IAAI;aACnB,CAAC;YACF,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC;QACrC,CAAC;QAED,IAAI,KAAK,CAAC,OAAO,IAAI,KAAK,CAAC,YAAY,IAAI,GAAG,GAAG,KAAK,CAAC,YAAY,EAAE,CAAC;YACpE,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,SAAS,EAAE,CAAC;gBACZ,OAAO,EAAE,KAAK,CAAC,YAAY;aAC5B,CAAC;QACJ,CAAC;QAED,IAAI,KAAK,CAAC,OAAO,IAAI,KAAK,CAAC,YAAY,IAAI,GAAG,IAAI,KAAK,CAAC,YAAY,EAAE,CAAC;YACrE,KAAK,CAAC,OAAO,GAAG,KAAK,CAAC;YACtB,KAAK,CAAC,YAAY,GAAG,IAAI,CAAC;YAC1B,KAAK,CAAC,WAAW,GAAG,GAAG,CAAC;YACxB,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC;QAClB,CAAC;QAED,KAAK,CAAC,KAAK,EAAE,CAAC;QACd,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC;QAEnC,IAAI,KAAK,CAAC,KAAK,GAAG,MAAM,CAAC,WAAW,EAAE,CAAC;YACrC,KAAK,CAAC,OAAO,GAAG,IAAI,CAAC;YACrB,KAAK,CAAC,YAAY,GAAG,GAAG,GAAG,MAAM,CAAC,eAAe,CAAC;YAClD,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC;YAEnC,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,SAAS,EAAE,CAAC;gBACZ,OAAO,EAAE,KAAK,CAAC,YAAY;aAC5B,CAAC;QACJ,CAAC;QAED,OAAO;YACL,OAAO,EAAE,IAAI;YACb,SAAS,EAAE,MAAM,CAAC,WAAW,GAAG,KAAK,CAAC,KAAK;YAC3C,OAAO,EAAE,KAAK,CAAC,WAAW,GAAG,MAAM,CAAC,QAAQ;SAC7C,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,UAAkB;QACtB,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IACjC,CAAC;IAED,
QAAQ,CAAC,UAAkB;QACzB,OAAO,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IACrC,CAAC;IAED,OAAO,CAAC,QAAgB;QACtB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,IAAI,OAAO,GAAG,CAAC,CAAC;QAEhB,KAAK,MAAM,CAAC,UAAU,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,EAAE,CAAC;YACxD,IAAI,GAAG,GAAG,KAAK,CAAC,WAAW,GAAG,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC;gBACzD,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;gBAC/B,OAAO,EAAE,CAAC;YACZ,CAAC;QACH,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;CACF"}
|
|
@@ -0,0 +1,246 @@
|
|
|
1
|
+
import { z } from 'zod';
|
|
2
|
+
export declare const AuditEventTypeSchema: z.ZodEnum<["identity.created", "identity.updated", "identity.deleted", "identity.authenticated", "identity.auth_failed", "tool.accessed", "tool.executed", "tool.denied", "tool.error", "server.registered", "server.deregistered", "server.health_check", "workflow.created", "workflow.executed", "workflow.failed", "workflow.completed", "permission.checked", "permission.denied", "rate_limit.exceeded", "token.issued", "token.revoked", "admin.action"]>;
|
|
3
|
+
export declare const AuditEventSchema: z.ZodObject<{
|
|
4
|
+
id: z.ZodString;
|
|
5
|
+
type: z.ZodEnum<["identity.created", "identity.updated", "identity.deleted", "identity.authenticated", "identity.auth_failed", "tool.accessed", "tool.executed", "tool.denied", "tool.error", "server.registered", "server.deregistered", "server.health_check", "workflow.created", "workflow.executed", "workflow.failed", "workflow.completed", "permission.checked", "permission.denied", "rate_limit.exceeded", "token.issued", "token.revoked", "admin.action"]>;
|
|
6
|
+
timestamp: z.ZodString;
|
|
7
|
+
agentId: z.ZodOptional<z.ZodString>;
|
|
8
|
+
agentName: z.ZodOptional<z.ZodString>;
|
|
9
|
+
sessionId: z.ZodOptional<z.ZodString>;
|
|
10
|
+
requestId: z.ZodString;
|
|
11
|
+
ipAddress: z.ZodOptional<z.ZodString>;
|
|
12
|
+
userAgent: z.ZodOptional<z.ZodString>;
|
|
13
|
+
resourceType: z.ZodOptional<z.ZodString>;
|
|
14
|
+
resourceId: z.ZodOptional<z.ZodString>;
|
|
15
|
+
action: z.ZodString;
|
|
16
|
+
result: z.ZodEnum<["success", "denied", "error"]>;
|
|
17
|
+
reason: z.ZodOptional<z.ZodString>;
|
|
18
|
+
metadata: z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodAny>>;
|
|
19
|
+
context: z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodAny>>;
|
|
20
|
+
}, "strip", z.ZodTypeAny, {
|
|
21
|
+
id: string;
|
|
22
|
+
type: "identity.created" | "identity.updated" | "identity.deleted" | "identity.authenticated" | "identity.auth_failed" | "tool.accessed" | "tool.executed" | "tool.denied" | "tool.error" | "server.registered" | "server.deregistered" | "server.health_check" | "workflow.created" | "workflow.executed" | "workflow.failed" | "workflow.completed" | "permission.checked" | "permission.denied" | "rate_limit.exceeded" | "token.issued" | "token.revoked" | "admin.action";
|
|
23
|
+
metadata: Record<string, any>;
|
|
24
|
+
context: Record<string, any>;
|
|
25
|
+
result: "error" | "success" | "denied";
|
|
26
|
+
timestamp: string;
|
|
27
|
+
requestId: string;
|
|
28
|
+
action: string;
|
|
29
|
+
agentId?: string | undefined;
|
|
30
|
+
agentName?: string | undefined;
|
|
31
|
+
sessionId?: string | undefined;
|
|
32
|
+
ipAddress?: string | undefined;
|
|
33
|
+
userAgent?: string | undefined;
|
|
34
|
+
resourceType?: string | undefined;
|
|
35
|
+
resourceId?: string | undefined;
|
|
36
|
+
reason?: string | undefined;
|
|
37
|
+
}, {
|
|
38
|
+
id: string;
|
|
39
|
+
type: "identity.created" | "identity.updated" | "identity.deleted" | "identity.authenticated" | "identity.auth_failed" | "tool.accessed" | "tool.executed" | "tool.denied" | "tool.error" | "server.registered" | "server.deregistered" | "server.health_check" | "workflow.created" | "workflow.executed" | "workflow.failed" | "workflow.completed" | "permission.checked" | "permission.denied" | "rate_limit.exceeded" | "token.issued" | "token.revoked" | "admin.action";
|
|
40
|
+
result: "error" | "success" | "denied";
|
|
41
|
+
timestamp: string;
|
|
42
|
+
requestId: string;
|
|
43
|
+
action: string;
|
|
44
|
+
metadata?: Record<string, any> | undefined;
|
|
45
|
+
agentId?: string | undefined;
|
|
46
|
+
context?: Record<string, any> | undefined;
|
|
47
|
+
agentName?: string | undefined;
|
|
48
|
+
sessionId?: string | undefined;
|
|
49
|
+
ipAddress?: string | undefined;
|
|
50
|
+
userAgent?: string | undefined;
|
|
51
|
+
resourceType?: string | undefined;
|
|
52
|
+
resourceId?: string | undefined;
|
|
53
|
+
reason?: string | undefined;
|
|
54
|
+
}>;
|
|
55
|
+
export declare const PolicyRuleSchema: z.ZodObject<{
|
|
56
|
+
id: z.ZodString;
|
|
57
|
+
name: z.ZodString;
|
|
58
|
+
description: z.ZodOptional<z.ZodString>;
|
|
59
|
+
enabled: z.ZodDefault<z.ZodBoolean>;
|
|
60
|
+
priority: z.ZodDefault<z.ZodNumber>;
|
|
61
|
+
conditions: z.ZodDefault<z.ZodArray<z.ZodObject<{
|
|
62
|
+
field: z.ZodString;
|
|
63
|
+
operator: z.ZodEnum<["equals", "not_equals", "contains", "not_contains", "in", "not_in", "greater_than", "less_than"]>;
|
|
64
|
+
value: z.ZodUnknown;
|
|
65
|
+
}, "strip", z.ZodTypeAny, {
|
|
66
|
+
field: string;
|
|
67
|
+
operator: "equals" | "greater_than" | "not_equals" | "contains" | "not_contains" | "in" | "not_in" | "less_than";
|
|
68
|
+
value?: unknown;
|
|
69
|
+
}, {
|
|
70
|
+
field: string;
|
|
71
|
+
operator: "equals" | "greater_than" | "not_equals" | "contains" | "not_contains" | "in" | "not_in" | "less_than";
|
|
72
|
+
value?: unknown;
|
|
73
|
+
}>, "many">>;
|
|
74
|
+
effect: z.ZodEnum<["allow", "deny", "audit", "rate_limit"]>;
|
|
75
|
+
actions: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
|
|
76
|
+
metadata: z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodAny>>;
|
|
77
|
+
}, "strip", z.ZodTypeAny, {
|
|
78
|
+
id: string;
|
|
79
|
+
name: string;
|
|
80
|
+
metadata: Record<string, any>;
|
|
81
|
+
enabled: boolean;
|
|
82
|
+
priority: number;
|
|
83
|
+
conditions: {
|
|
84
|
+
field: string;
|
|
85
|
+
operator: "equals" | "greater_than" | "not_equals" | "contains" | "not_contains" | "in" | "not_in" | "less_than";
|
|
86
|
+
value?: unknown;
|
|
87
|
+
}[];
|
|
88
|
+
effect: "allow" | "deny" | "audit" | "rate_limit";
|
|
89
|
+
actions: string[];
|
|
90
|
+
description?: string | undefined;
|
|
91
|
+
}, {
|
|
92
|
+
id: string;
|
|
93
|
+
name: string;
|
|
94
|
+
effect: "allow" | "deny" | "audit" | "rate_limit";
|
|
95
|
+
description?: string | undefined;
|
|
96
|
+
metadata?: Record<string, any> | undefined;
|
|
97
|
+
enabled?: boolean | undefined;
|
|
98
|
+
priority?: number | undefined;
|
|
99
|
+
conditions?: {
|
|
100
|
+
field: string;
|
|
101
|
+
operator: "equals" | "greater_than" | "not_equals" | "contains" | "not_contains" | "in" | "not_in" | "less_than";
|
|
102
|
+
value?: unknown;
|
|
103
|
+
}[] | undefined;
|
|
104
|
+
actions?: string[] | undefined;
|
|
105
|
+
}>;
|
|
106
|
+
export declare const GovernancePolicySchema: z.ZodObject<{
|
|
107
|
+
id: z.ZodString;
|
|
108
|
+
name: z.ZodString;
|
|
109
|
+
description: z.ZodString;
|
|
110
|
+
version: z.ZodDefault<z.ZodString>;
|
|
111
|
+
enabled: z.ZodDefault<z.ZodBoolean>;
|
|
112
|
+
rules: z.ZodDefault<z.ZodArray<z.ZodObject<{
|
|
113
|
+
id: z.ZodString;
|
|
114
|
+
name: z.ZodString;
|
|
115
|
+
description: z.ZodOptional<z.ZodString>;
|
|
116
|
+
enabled: z.ZodDefault<z.ZodBoolean>;
|
|
117
|
+
priority: z.ZodDefault<z.ZodNumber>;
|
|
118
|
+
conditions: z.ZodDefault<z.ZodArray<z.ZodObject<{
|
|
119
|
+
field: z.ZodString;
|
|
120
|
+
operator: z.ZodEnum<["equals", "not_equals", "contains", "not_contains", "in", "not_in", "greater_than", "less_than"]>;
|
|
121
|
+
value: z.ZodUnknown;
|
|
122
|
+
}, "strip", z.ZodTypeAny, {
|
|
123
|
+
field: string;
|
|
124
|
+
operator: "equals" | "greater_than" | "not_equals" | "contains" | "not_contains" | "in" | "not_in" | "less_than";
|
|
125
|
+
value?: unknown;
|
|
126
|
+
}, {
|
|
127
|
+
field: string;
|
|
128
|
+
operator: "equals" | "greater_than" | "not_equals" | "contains" | "not_contains" | "in" | "not_in" | "less_than";
|
|
129
|
+
value?: unknown;
|
|
130
|
+
}>, "many">>;
|
|
131
|
+
effect: z.ZodEnum<["allow", "deny", "audit", "rate_limit"]>;
|
|
132
|
+
actions: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
|
|
133
|
+
metadata: z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodAny>>;
|
|
134
|
+
}, "strip", z.ZodTypeAny, {
|
|
135
|
+
id: string;
|
|
136
|
+
name: string;
|
|
137
|
+
metadata: Record<string, any>;
|
|
138
|
+
enabled: boolean;
|
|
139
|
+
priority: number;
|
|
140
|
+
conditions: {
|
|
141
|
+
field: string;
|
|
142
|
+
operator: "equals" | "greater_than" | "not_equals" | "contains" | "not_contains" | "in" | "not_in" | "less_than";
|
|
143
|
+
value?: unknown;
|
|
144
|
+
}[];
|
|
145
|
+
effect: "allow" | "deny" | "audit" | "rate_limit";
|
|
146
|
+
actions: string[];
|
|
147
|
+
description?: string | undefined;
|
|
148
|
+
}, {
|
|
149
|
+
id: string;
|
|
150
|
+
name: string;
|
|
151
|
+
effect: "allow" | "deny" | "audit" | "rate_limit";
|
|
152
|
+
description?: string | undefined;
|
|
153
|
+
metadata?: Record<string, any> | undefined;
|
|
154
|
+
enabled?: boolean | undefined;
|
|
155
|
+
priority?: number | undefined;
|
|
156
|
+
conditions?: {
|
|
157
|
+
field: string;
|
|
158
|
+
operator: "equals" | "greater_than" | "not_equals" | "contains" | "not_contains" | "in" | "not_in" | "less_than";
|
|
159
|
+
value?: unknown;
|
|
160
|
+
}[] | undefined;
|
|
161
|
+
actions?: string[] | undefined;
|
|
162
|
+
}>, "many">>;
|
|
163
|
+
defaultEffect: z.ZodDefault<z.ZodEnum<["allow", "deny"]>>;
|
|
164
|
+
auditEnabled: z.ZodDefault<z.ZodBoolean>;
|
|
165
|
+
complianceFrameworks: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
|
|
166
|
+
createdAt: z.ZodString;
|
|
167
|
+
updatedAt: z.ZodString;
|
|
168
|
+
}, "strip", z.ZodTypeAny, {
|
|
169
|
+
id: string;
|
|
170
|
+
name: string;
|
|
171
|
+
description: string;
|
|
172
|
+
createdAt: string;
|
|
173
|
+
updatedAt: string;
|
|
174
|
+
version: string;
|
|
175
|
+
enabled: boolean;
|
|
176
|
+
rules: {
|
|
177
|
+
id: string;
|
|
178
|
+
name: string;
|
|
179
|
+
metadata: Record<string, any>;
|
|
180
|
+
enabled: boolean;
|
|
181
|
+
priority: number;
|
|
182
|
+
conditions: {
|
|
183
|
+
field: string;
|
|
184
|
+
operator: "equals" | "greater_than" | "not_equals" | "contains" | "not_contains" | "in" | "not_in" | "less_than";
|
|
185
|
+
value?: unknown;
|
|
186
|
+
}[];
|
|
187
|
+
effect: "allow" | "deny" | "audit" | "rate_limit";
|
|
188
|
+
actions: string[];
|
|
189
|
+
description?: string | undefined;
|
|
190
|
+
}[];
|
|
191
|
+
defaultEffect: "allow" | "deny";
|
|
192
|
+
auditEnabled: boolean;
|
|
193
|
+
complianceFrameworks: string[];
|
|
194
|
+
}, {
|
|
195
|
+
id: string;
|
|
196
|
+
name: string;
|
|
197
|
+
description: string;
|
|
198
|
+
createdAt: string;
|
|
199
|
+
updatedAt: string;
|
|
200
|
+
version?: string | undefined;
|
|
201
|
+
enabled?: boolean | undefined;
|
|
202
|
+
rules?: {
|
|
203
|
+
id: string;
|
|
204
|
+
name: string;
|
|
205
|
+
effect: "allow" | "deny" | "audit" | "rate_limit";
|
|
206
|
+
description?: string | undefined;
|
|
207
|
+
metadata?: Record<string, any> | undefined;
|
|
208
|
+
enabled?: boolean | undefined;
|
|
209
|
+
priority?: number | undefined;
|
|
210
|
+
conditions?: {
|
|
211
|
+
field: string;
|
|
212
|
+
operator: "equals" | "greater_than" | "not_equals" | "contains" | "not_contains" | "in" | "not_in" | "less_than";
|
|
213
|
+
value?: unknown;
|
|
214
|
+
}[] | undefined;
|
|
215
|
+
actions?: string[] | undefined;
|
|
216
|
+
}[] | undefined;
|
|
217
|
+
defaultEffect?: "allow" | "deny" | undefined;
|
|
218
|
+
auditEnabled?: boolean | undefined;
|
|
219
|
+
complianceFrameworks?: string[] | undefined;
|
|
220
|
+
}>;
|
|
221
|
+
export type AuditEventType = z.infer<typeof AuditEventTypeSchema>;
|
|
222
|
+
export type AuditEvent = z.infer<typeof AuditEventSchema>;
|
|
223
|
+
export type PolicyRule = z.infer<typeof PolicyRuleSchema>;
|
|
224
|
+
export type GovernancePolicy = z.infer<typeof GovernancePolicySchema>;
|
|
225
|
+
export interface RateLimitState {
|
|
226
|
+
identityId: string;
|
|
227
|
+
windowStart: number;
|
|
228
|
+
count: number;
|
|
229
|
+
blocked: boolean;
|
|
230
|
+
blockedUntil: number | null;
|
|
231
|
+
}
|
|
232
|
+
export interface ComplianceReport {
|
|
233
|
+
generatedAt: string;
|
|
234
|
+
period: {
|
|
235
|
+
start: string;
|
|
236
|
+
end: string;
|
|
237
|
+
};
|
|
238
|
+
totalEvents: number;
|
|
239
|
+
byType: Record<string, number>;
|
|
240
|
+
byAgent: Record<string, number>;
|
|
241
|
+
deniedAccess: number;
|
|
242
|
+
rateLimitExceeded: number;
|
|
243
|
+
policyViolations: number;
|
|
244
|
+
recommendations: string[];
|
|
245
|
+
}
|
|
246
|
+
//# sourceMappingURL=types.d.ts.map
|
|
@@ -0,0 +1 @@
1
+
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/governance/types.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,eAAO,MAAM,oBAAoB,kcAuB/B,CAAC;AAEH,eAAO,MAAM,gBAAgB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAiB3B,CAAC;AAEH,eAAO,MAAM,gBAAgB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAc3B,CAAC;AAEH,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAYjC,CAAC;AAEH,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAClE,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAC1D,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAC1D,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAEtE,MAAM,WAAW,cAAc;IAC7B,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,OAAO,CAAC;IACjB,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;CAC7B;AAED,MAAM,WAAW,gBAAgB;IAC/B,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,GAAG,EAAE,MAAM,CAAA;KAAE,CAAC;IACvC,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC/B,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChC,YAAY,EAAE,MAAM,CAAC;IACrB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,gBAAgB,EAAE,MAAM,CAAC;IACzB,eAAe,EAAE,MAAM,EAAE,CAAC;CAC3B"}
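--- a/package/dist/governance/types.js
+++ b/package/dist/governance/types.js
@@ -0,0 +1,72 @@
+import { z } from 'zod';
+export const AuditEventTypeSchema = z.enum([
+'identity.created',
+'identity.updated',
+'identity.deleted',
+'identity.authenticated',
+'identity.auth_failed',
+'tool.accessed',
+'tool.executed',
+'tool.denied',
+'tool.error',
+'server.registered',
+'server.deregistered',
+'server.health_check',
+'workflow.created',
+'workflow.executed',
+'workflow.failed',
+'workflow.completed',
+'permission.checked',
+'permission.denied',
+'rate_limit.exceeded',
+'token.issued',
+'token.revoked',
+'admin.action',
+]);
+export const AuditEventSchema = z.object({
+id: z.string(),
+type: AuditEventTypeSchema,
+timestamp: z.string(),
+agentId: z.string().optional(),
+agentName: z.string().optional(),
+sessionId: z.string().optional(),
+requestId: z.string(),
+ipAddress: z.string().optional(),
+userAgent: z.string().optional(),
+resourceType: z.string().optional(),
+resourceId: z.string().optional(),
+action: z.string(),
+result: z.enum(['success', 'denied', 'error']),
+reason: z.string().optional(),
+metadata: z.record(z.any()).default({}),
+context: z.record(z.any()).default({}),
+});
+export const PolicyRuleSchema = z.object({
+id: z.string(),
+name: z.string(),
+description: z.string().optional(),
+enabled: z.boolean().default(true),
+priority: z.number().default(0),
+conditions: z.array(z.object({
+field: z.string(),
+operator: z.enum(['equals', 'not_equals', 'contains', 'not_contains', 'in', 'not_in', 'greater_than', 'less_than']),
+value: z.unknown(),
+})).default([]),
+effect: z.enum(['allow', 'deny', 'audit', 'rate_limit']),
+actions: z.array(z.string()).default([]),
+metadata: z.record(z.any()).default({}),
+});
+export const GovernancePolicySchema = z.object({
+id: z.string(),
+name: z.string(),
+description: z.string(),
+version: z.string().default('1.0.0'),
+enabled: z.boolean().default(true),
+rules: z.array(PolicyRuleSchema).default([]),
+defaultEffect: z.enum(['allow', 'deny']).default('allow'),
+auditEnabled: z.boolean().default(true),
+complianceFrameworks: z.array(z.string()).default([]),
+createdAt: z.string(),
+updatedAt: z.string(),
+});
+//# sourceMappingURL=types.js.map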
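Review bot: `defaultEffect: z.enum(['allow', 'deny']).default('allow')` on line 66 makes a governance policy fail open: a policy whose rules match nothing permits the action unless its author explicitly opted into deny. If the evaluator (not in this hunk) applies `defaultEffect` when no rule matches, consider `defaultEffect: z.enum(['allow', 'deny']).default('deny'),`, or drop the default so every policy has to state its fallback. Relatedly, `metadata` and `context` on lines 41–42 and `metadata` on line 57 use `z.record(z.any())`, which surfaces as `Record<string, any>` in the emitted declarations and lets arbitrarily nested input flow into audit records unchecked; `z.record(z.unknown())` keeps consumers type-checked without changing what is accepted. `timestamp`, `createdAt` and `updatedAt` are plain `z.string()`, so a non-ISO value passes and only fails later in period-based reporting; if the zod in use supports it, `z.string().datetime()` rejects it at the boundary. These changes belong in `src/governance/types.ts`, from which this file is emitted per its source map.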
@@ -0,0 +1 @@
1
+
{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/governance/types.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,MAAM,CAAC,MAAM,oBAAoB,GAAG,CAAC,CAAC,IAAI,CAAC;IACzC,kBAAkB;IAClB,kBAAkB;IAClB,kBAAkB;IAClB,wBAAwB;IACxB,sBAAsB;IACtB,eAAe;IACf,eAAe;IACf,aAAa;IACb,YAAY;IACZ,mBAAmB;IACnB,qBAAqB;IACrB,qBAAqB;IACrB,kBAAkB;IAClB,mBAAmB;IACnB,iBAAiB;IACjB,oBAAoB;IACpB,oBAAoB;IACpB,mBAAmB;IACnB,qBAAqB;IACrB,cAAc;IACd,eAAe;IACf,cAAc;CACf,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC,CAAC,MAAM,CAAC;IACvC,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE;IACd,IAAI,EAAE,oBAAoB;IAC1B,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE;IACrB,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC9B,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAChC,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAChC,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE;IACrB,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAChC,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAChC,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACnC,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACjC,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE;IAClB,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;IAC9C,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC7B,QAAQ,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;IACvC,OAAO,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;CACvC,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC,CAAC,MAAM,CAAC;IACvC,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE;IACd,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;IAChB,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAClC,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IAClC,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC;IAC/B,UAAU,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC;QAC3B,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE;QACjB,QAAQ,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,YAAY,EAAE,UAAU,EAAE,cAAc,EAAE,IAAI,EAAE,QAAQ,EAAE,cAAc,EAAE,WAAW,CAAC,CAAC;QACnH,KAAK,EAAE,CAAC,CAAC,OAAO,EAAE;KACnB,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;IACf,MAAM,EAAE,CAAC,CAAC,IAAI,C
AAC,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,YAAY,CAAC,CAAC;IACxD,OAAO,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;IACxC,QAAQ,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;CACxC,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,sBAAsB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC7C,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE;IACd,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;IAChB,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE;IACvB,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC;IACpC,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IAClC,KAAK,EAAE,CAAC,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;IAC5C,aAAa,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC;IACzD,YAAY,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IACvC,oBAAoB,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;IACrD,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE;IACrB,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE;CACtB,CAAC,CAAC"}
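--- a/package/dist/identity/access-control.d.ts
+++ b/package/dist/identity/access-control.d.ts
@@ -0,0 +1,15 @@
+import type { IdentityContext, Permission } from './types.js';
+import type { Tool, Server } from '../types/index.js';
+export interface AccessDecision {
+allowed: boolean;
+reason: string;
+constraints?: Record<string, unknown>;
+}
+export declare class AccessControl {
+checkToolAccess(context: IdentityContext, tool: Tool): AccessDecision;
+checkServerAccess(context: IdentityContext, server: Server): AccessDecision;
+checkPermission(context: IdentityContext, permission: Permission): AccessDecision;
+checkRateLimit(context: IdentityContext, currentCount: number, window: 'minute' | 'hour'): AccessDecision;
+sanitizeContext(context: IdentityContext, tool: Tool): Record<string, unknown>;
+}
+//# sourceMappingURL=access-control.d.ts.map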
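Review bot: The public surface declared here — `AccessDecision` and the five `AccessControl` methods — carries no TSDoc, so a consumer of the package cannot tell from the declaration what `constraints` may contain, whether `checkRateLimit`'s `currentCount` already includes the request being checked, or which fields `sanitizeContext` removes from the identity context before it is handed to a tool. Because this file is emitted from `src/identity/access-control.ts` (per the adjacent source map), the comments belong on the source methods; for `checkRateLimit` something like `/** @param currentCount requests already recorded in `window` — state whether the current request is counted */` would settle the most error-prone case. The `reason` string of a denial should also say whether it is safe to surface to the caller or is intended for the audit log only.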
@@ -0,0 +1 @@
1
+
{"version":3,"file":"access-control.d.ts","sourceRoot":"","sources":["../../src/identity/access-control.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAC9D,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,mBAAmB,CAAC;AAEtD,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACvC;AAED,qBAAa,aAAa;IACxB,eAAe,CAAC,OAAO,EAAE,eAAe,EAAE,IAAI,EAAE,IAAI,GAAG,cAAc;IA4CrE,iBAAiB,CAAC,OAAO,EAAE,eAAe,EAAE,MAAM,EAAE,MAAM,GAAG,cAAc;IAmB3E,eAAe,CAAC,OAAO,EAAE,eAAe,EAAE,UAAU,EAAE,UAAU,GAAG,cAAc;IAOjF,cAAc,CAAC,OAAO,EAAE,eAAe,EAAE,YAAY,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,GAAG,MAAM,GAAG,cAAc;IAmBzG,eAAe,CAAC,OAAO,EAAE,eAAe,EAAE,IAAI,EAAE,IAAI,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;CAmB/E"}