
@gati-framework/runtime


Gati runtime execution engine for running handler-based applications

/**
 * @module runtime/capability-manager
 * @description Capability-based security enforcement for modules
 *
 * This implements capability enforcement from Task 10:
 * - Capability validation against module manifests
 * - Runtime capability checking
 * - Resource access control
 *
 * Requirements: 5.3, 12.1, 12.2
 *
 * This file is a type declaration only: it shows the public surface of the
 * capability manager, not how the checks are implemented. Notes marked
 * NOTE(review) below flag behaviour that a security review should confirm
 * against the implementation, because the signatures alone do not settle it.
 */
import type { CapabilityValidationResult, ModuleManifest, NetworkAccess } from './types/module-manifest.js';
/**
 * Capability Manager
 *
 * Enforces capability-based security for modules.
 * Validates that modules only access resources they have declared capabilities for.
 *
 * The `has*` / `canAccess*` methods report a decision; the `enforce*` methods
 * throw. Nothing in this declaration forces a caller to invoke either, so the
 * guarantee holds only at call sites that actually route through `enforce*`.
 */
export declare class CapabilityManager {
    /**
     * Map of module ID to granted capabilities
     *
     * Declared with the TypeScript `private` modifier, which is checked at
     * compile time only and erased from emitted JavaScript.
     * NOTE(review): if module code can obtain a reference to this manager in
     * the same realm, confirm the implementation does not rely on `private`
     * alone to keep this state out of reach.
     */
    private grantedCapabilities;
    /**
     * Map of module ID to network access configuration
     *
     * Same compile-time-only `private` caveat as `grantedCapabilities`.
     */
    private networkAccess;
    /**
     * System-level capability policies
     * Defines which capabilities can be granted
     *
     * Same compile-time-only `private` caveat as `grantedCapabilities`.
     */
    private systemPolicies;
    constructor();
    /**
     * Initialize default system capability policies
     *
     * The default policy set is not visible in this declaration.
     */
    private initializeDefaultPolicies;
    /**
     * Validate module capabilities against system policies
     *
     * NOTE(review): how a capability with no matching system policy is
     * treated is not visible here - confirm it is denied rather than granted.
     *
     * @param manifest - Module manifest to validate
     * @returns Validation result with granted/denied capabilities
     */
    validateCapabilities(manifest: ModuleManifest): CapabilityValidationResult;
    /**
     * Register granted capabilities for a module
     *
     * NOTE(review): the signature accepts an arbitrary capability list and is
     * not tied to the output of `validateCapabilities`. Whether the list is
     * re-checked against system policies here is not visible - callers should
     * pass only the granted set from a validation result, and the
     * implementation should be checked for what happens when `moduleId` is
     * already registered (replace vs. merge).
     *
     * @param moduleId - Module identifier
     * @param capabilities - List of granted capabilities
     * @param networkAccess - Network access configuration
     */
    registerModule(moduleId: string, capabilities: string[], networkAccess: NetworkAccess): void;
    /**
     * Check if a module has a specific capability
     *
     * NOTE(review): the result for an unregistered `moduleId` is not visible
     * here - confirm it is `false` (deny by default).
     *
     * @param moduleId - Module identifier
     * @param capability - Capability name to check
     * @returns True if module has the capability
     */
    hasCapability(moduleId: string, capability: string): boolean;
    /**
     * Enforce capability check - throws if module lacks capability
     *
     * @param moduleId - Module identifier
     * @param capability - Required capability
     * @param operation - Description of operation being attempted
     * @throws {CapabilityError} If module lacks the required capability
     */
    enforceCapability(moduleId: string, capability: string, operation: string): void;
    /**
     * Check if a module can access a specific network host
     *
     * NOTE(review): the matching rules are not visible in this declaration.
     * Confirm how `host` is compared (case, trailing dot, wildcard entries,
     * IP literal vs. hostname), what an omitted `port` means (any port vs.
     * a default), and whether the connection is later pinned to the host that
     * was checked rather than to a separately resolved address.
     *
     * @param moduleId - Module identifier
     * @param host - Hostname to check
     * @param port - Port number to check
     * @returns True if access is allowed
     */
    canAccessNetwork(moduleId: string, host: string, port?: number): boolean;
    /**
     * Enforce network access check - throws if access is denied
     *
     * @param moduleId - Module identifier
     * @param host - Hostname being accessed
     * @param port - Port number being accessed
     * @throws {NetworkAccessError} If network access is denied
     */
    enforceNetworkAccess(moduleId: string, host: string, port?: number): void;
    /**
     * Get all granted capabilities for a module
     *
     * NOTE(review): the return type is a mutable `string[]`. Whether this is a
     * copy or the internal array is not visible - treat it as read-only, and
     * confirm that mutating it cannot widen the module's grants.
     *
     * @param moduleId - Module identifier
     * @returns Array of granted capability names
     */
    getGrantedCapabilities(moduleId: string): string[];
    /**
     * Get network access configuration for a module
     *
     * NOTE(review): same aliasing question as `getGrantedCapabilities` -
     * confirm the returned object is not the live internal configuration.
     *
     * @param moduleId - Module identifier
     * @returns Network access configuration or undefined
     */
    getNetworkAccess(moduleId: string): NetworkAccess | undefined;
    /**
     * Unregister a module and revoke all capabilities
     *
     * @param moduleId - Module identifier
     */
    unregisterModule(moduleId: string): void;
    /**
     * Add a custom system capability policy
     *
     * This method is public and changes what `validateCapabilities` may grant.
     * NOTE(review): whether a policy with an existing `name` replaces the
     * earlier one is not visible here. Access to this method should be limited
     * to trusted host code, never to the modules being sandboxed.
     *
     * @param policy - Capability policy to add
     */
    addSystemPolicy(policy: CapabilityPolicy): void;
    /**
     * Get all system capability policies
     *
     * NOTE(review): confirm the returned array and policy objects are copies,
     * so a caller cannot flip `grantable` on a live policy.
     *
     * @returns Array of capability policies
     */
    getSystemPolicies(): CapabilityPolicy[];
}
/**
 * System capability policy
 */
export interface CapabilityPolicy {
    /**
     * Capability name
     */
    name: string;
    /**
     * Description of what this capability allows
     */
    description: string;
    /**
     * Whether this capability can be granted to modules
     */
    grantable: boolean;
    /**
     * Optional additional constraints
     *
     * Typed as an open `Record<string, unknown>`; which keys are recognised
     * and how they are enforced is not visible in this declaration.
     */
    constraints?: Record<string, unknown>;
}
/**
 * Capability error thrown when a module attempts unauthorized access
 *
 * The fields identify the denied request, which makes the error suitable as
 * an audit-log record for capability denials.
 */
export declare class CapabilityError extends Error {
    /** Identifier of the module whose request was denied */
    readonly moduleId: string;
    /** Capability the module was required to hold */
    readonly capability: string;
    /** Caller-supplied description of the operation that was attempted */
    readonly operation: string;
    constructor(message: string, moduleId: string, capability: string, operation: string);
}
/**
 * Network access error thrown when a module attempts unauthorized network access
 *
 * The fields identify the denied destination, which makes the error suitable
 * as an audit-log record for blocked outbound connections.
 */
export declare class NetworkAccessError extends Error {
    /** Identifier of the module whose request was denied */
    readonly moduleId: string;
    /** Hostname the module tried to reach */
    readonly host: string;
    /** Port the module tried to reach, when one was supplied */
    readonly port?: number;
    constructor(message: string, moduleId: string, host: string, port?: number);
}
//# sourceMappingURL=capability-manager.d.ts.map