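/**
 * @fileoverview Security Policy Engine
 * @module @nahisaho/musubix-security/policy/policy-engine
 *
 * Provides customizable security policy definition, evaluation,
 * and enforcement capabilities.
 *
 * This is a declaration-only module: it describes the public surface of the
 * policy engine, and every behavioural remark below is limited to what the
 * signatures themselves show. The implementation lives in the compiled
 * JavaScript this file accompanies.
 */
import type { ScanResult, Vulnerability, Severity } from '../types/index.js';

/**
 * Policy rule operator.
 *
 * The ordering operators (`greater_than`, `less_than`, …) are only meaningful
 * for numeric targets (`count.*`, `score`); `contains`/`not_contains`/`matches`
 * for string-valued ones. How `matches` interprets its pattern (regular
 * expression vs. glob, anchored or not) is not visible from this declaration —
 * confirm against the implementation, and treat patterns that originate in
 * user-supplied policies as untrusted input when they are compiled.
 */
export type PolicyOperator =
  | 'equals'
  | 'not_equals'
  | 'greater_than'
  | 'less_than'
  | 'greater_than_or_equals'
  | 'less_than_or_equals'
  | 'contains'
  | 'not_contains'
  | 'matches'
  | 'exists'
  | 'not_exists';

/**
 * Policy rule target.
 *
 * Per-finding fields (`severity`, `rule`, `owasp`, `cwe`, `file`, `message`)
 * are evaluated against individual vulnerabilities; aggregate fields
 * (`count.*`, `score`) against the scan as a whole. Which of these a given
 * operator supports is enforced by the engine, not by the type.
 */
export type PolicyTarget =
  | 'severity'
  | 'rule'
  | 'owasp'
  | 'cwe'
  | 'file'
  | 'message'
  | 'count.critical'
  | 'count.high'
  | 'count.medium'
  | 'count.low'
  | 'count.total'
  | 'score';

/**
 * Policy action.
 *
 * `fail` is the only action that, by name, turns an evaluation into a
 * non-passing result; how `warn`, `info`, `ignore` and `require_review`
 * combine into the final action is decided by the engine's
 * `determineFinalAction` and is not visible here.
 */
export type PolicyAction = 'fail' | 'warn' | 'info' | 'ignore' | 'require_review';

/**
 * Policy rule condition.
 */
export interface PolicyCondition {
  /** Target field to evaluate */
  target: PolicyTarget;
  /** Operator for comparison */
  operator: PolicyOperator;
  /**
   * Value to compare against.
   *
   * A `string[]` value presumably pairs with set-style operators such as
   * `contains` / `not_contains`; the type does not constrain the pairing,
   * so `validatePolicy` is the place to catch operator/value mismatches.
   */
  value: string | number | string[];
}

/**
 * Policy rule.
 */
export interface PolicyRule {
  /** Rule ID */
  id: string;
  /** Rule name */
  name: string;
  /** Rule description */
  description?: string;
  /** Conditions (all must match - AND logic) */
  conditions: PolicyCondition[];
  /** Action to take when rule matches */
  action: PolicyAction;
  /** Priority (higher = evaluated first) */
  priority?: number;
  /** Whether rule is enabled */
  enabled?: boolean;
  /** Tags for categorization */
  tags?: string[];
  /**
   * Custom metadata.
   *
   * NOTE(review): the type arguments were lost in the extracted source
   * (bare `Record` does not compile); `Record<string, unknown>` is the
   * conservative reconstruction — confirm against the published `.d.ts`.
   */
  metadata?: Record<string, unknown>;
}

/**
 * Security policy.
 */
export interface SecurityPolicy {
  /** Policy name */
  name: string;
  /** Policy version */
  version: string;
  /** Policy description */
  description?: string;
  /**
   * Base policies to extend.
   *
   * Resolution order, precedence between base and local rules, and handling
   * of extension cycles are implementation details (`resolvePolicy`) not
   * visible from this declaration.
   */
  extends?: string[];
  /** Policy rules */
  rules: PolicyRule[];
  /** Global settings */
  settings?: PolicySettings;
  /**
   * Custom metadata.
   *
   * NOTE(review): type arguments reconstructed as `Record<string, unknown>`;
   * see `PolicyRule.metadata`.
   */
  metadata?: Record<string, unknown>;
}

/**
 * Policy settings.
 */
export interface PolicySettings {
  /** Default action when no rules match */
  defaultAction?: PolicyAction;
  /** Stop evaluating after first match */
  stopOnFirstMatch?: boolean;
  /** Enable strict mode (fail on unknown rules) */
  strictMode?: boolean;
  /** Allowed severities (others are ignored) */
  allowedSeverities?: Severity[];
  /**
   * Blocked file patterns.
   *
   * Pattern syntax (glob vs. regex) is not visible from this declaration.
   */
  blockedPatterns?: string[];
  /** Required compliance standards */
  requiredCompliance?: string[];
}

/**
 * Policy evaluation result.
 */
export interface PolicyEvaluationResult {
  /** Policy name */
  policyName: string;
  /** Policy version */
  policyVersion: string;
  /** Overall pass/fail */
  passed: boolean;
  /** Final action */
  action: PolicyAction;
  /** Rules that matched */
  matchedRules: PolicyRuleMatch[];
  /** Rules that were evaluated */
  evaluatedRules: number;
  /** Evaluation time in ms */
  evaluationTime: number;
  /** Summary by action */
  summary: PolicyEvaluationSummary;
  /** Recommendations */
  recommendations: string[];
}

/**
 * Policy rule match.
 */
export interface PolicyRuleMatch {
  /** Rule that matched */
  rule: PolicyRule;
  /** Vulnerabilities that triggered the match */
  triggeredBy: Vulnerability[];
  /** Conditions that matched */
  matchedConditions: PolicyCondition[];
  /** Action from rule */
  action: PolicyAction;
}

/**
 * Policy evaluation summary.
 */
export interface PolicyEvaluationSummary {
  /**
   * Count by action.
   *
   * NOTE(review): type arguments were lost in the extracted source;
   * `Record<PolicyAction, number>` follows from "count by action" — confirm
   * against the published `.d.ts` (it may be `Partial<…>` if the engine
   * omits zero counts).
   */
  byAction: Record<PolicyAction, number>;
  /** Count of failures */
  failures: number;
  /** Count of warnings */
  warnings: number;
  /** Count of reviews required */
  reviewsRequired: number;
}

/**
 * Policy validation result.
 */
export interface PolicyValidationResult {
  /** Whether policy is valid */
  valid: boolean;
  /** Validation errors */
  errors: PolicyValidationError[];
  /** Validation warnings */
  warnings: PolicyValidationWarning[];
}

/**
 * Policy validation error.
 */
export interface PolicyValidationError {
  /** Error code */
  code: string;
  /** Error message */
  message: string;
  /** Path to problematic element */
  path?: string;
}

/**
 * Policy validation warning.
 */
export interface PolicyValidationWarning {
  /** Warning code */
  code: string;
  /** Warning message */
  message: string;
  /** Path to element */
  path?: string;
}

/**
 * Policy engine options.
 */
export interface PolicyEngineOptions {
  /** Built-in policies to load */
  builtInPolicies?: ('default' | 'strict' | 'minimal' | 'enterprise')[];
  /** Custom policies */
  customPolicies?: SecurityPolicy[];
  /** Enable caching */
  enableCache?: boolean;
}

/**
 * Security Policy Engine
 *
 * @example
 * ```typescript
 * const engine = createPolicyEngine({
 *   builtInPolicies: ['default'],
 * });
 *
 * const result = engine.evaluate('default', scanResult);
 * if (!result.passed) {
 *   console.log('Policy violations:', result.matchedRules);
 * }
 * ```
 */
export declare class PolicyEngine {
  private policies;
  private options;
  constructor(options?: PolicyEngineOptions);
  /**
   * Evaluate scan result against a policy.
   *
   * Behaviour for an unknown `policyName` (throw vs. a failing result) is
   * not visible from this declaration — check the implementation.
   */
  evaluate(policyName: string, scanResult: ScanResult): PolicyEvaluationResult;
  /**
   * Validate a policy definition.
   */
  validatePolicy(policy: SecurityPolicy): PolicyValidationResult;
  /**
   * Register a custom policy.
   *
   * Whether registering a name that already exists replaces the earlier
   * policy or throws is not visible here.
   */
  registerPolicy(policy: SecurityPolicy): void;
  /**
   * Get a policy by name.
   */
  getPolicy(name: string): SecurityPolicy | undefined;
  /**
   * List all available policies.
   */
  listPolicies(): string[];
  /**
   * Get built-in policy by name.
   */
  getBuiltInPolicy(name: string): SecurityPolicy | undefined;
  /**
   * Create policy from YAML string.
   *
   * The YAML loader in use, and whether the parsed document is validated
   * before being returned, are not visible from this declaration. Policy
   * text should come from trusted configuration; when it does not,
   * presumably the result should be passed through `validatePolicy` before
   * `registerPolicy` — confirm against the implementation.
   */
  parsePolicy(yamlContent: string): SecurityPolicy;
  /**
   * Export policy to YAML.
   */
  exportPolicy(policyName: string): string;
  private resolvePolicy;
  private evaluateRule;
  private evaluateCondition;
  private compareValues;
  private compareStringValues;
  private calculateSummary;
  private determineFinalAction;
  private generateRecommendations;
  private isValidTarget;
  private isValidOperator;
}

/**
 * Create a policy engine.
 */
export declare function createPolicyEngine(options?: PolicyEngineOptions): PolicyEngine;

/**
 * Get a built-in policy.
 */
export declare function getBuiltInPolicy(
  name: 'default' | 'strict' | 'minimal' | 'enterprise',
): SecurityPolicy;
//# sourceMappingURL=policy-engine.d.ts.map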