UNPKG

@safeapi/safeapi

Version:

SafeAPI: Secure, deterministic, and tamper-resistant API policy engine for Node and browser.

github.com/mukundsankunny/self-heal

mukundsankunny/self-heal

118 lines (117 loc) 4.46 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
import { createSafeApiAuditPayload } from "./audit/SafeApiAuditPayload"; import { deepFreeze } from "./shared"; import { evaluateGuards } from "./SafeApiGuardEngine"; import { computePolicyHash, normalizePolicy, } from "./SafeApiPolicyLifecycle"; function createDefaultContext() { return { clientId: "unknown", environment: "dev", metadata: {}, }; } /** @internal */ export class SafeApiEngine { policyResolver; guard; audit; hooks; constructor(options) { this.policyResolver = options.policyResolver; this.guard = options.guardEvaluator; this.audit = options.audit; this.hooks = options.hooks; } async process(request, context) { await this.invokePreValidate(request); const effectiveContext = { ...createDefaultContext(), ...context }; const resolvedPolicy = await this.policyResolver.resolve(request, effectiveContext); const policy = normalizePolicy(resolvedPolicy); const policyHash = computePolicyHash(policy); await this.invokePreExecute(request, policy); // Phase 13.2: Guard evaluation const guardMatrix = policy.guards ?? []; const guardEval = evaluateGuards(guardMatrix, effectiveContext, { trace: true }); if (!guardEval.allowed) { const response = Object.freeze({ requestId: request.requestId, status: "blocked", payload: request.payload, reason: `Blocked by guard: ${guardEval.matchedGuard}`, policyId: policy.policyId, }); await this.invokePostExecute(response, effectiveContext); if (this.audit) { const auditPayload = createSafeApiAuditPayload({ ruleId: policy.policyId ?? policy.ruleSetId, phase: "safeapi", priority: 0, eventType: "evaluation", timestampMs: 1, meta: { safeApi: { policyHash, guardTrace: guardEval.guardTrace, result: "deny", }, }, }); await this.audit.record(request, effectiveContext, response, auditPayload); } return response; } // If allowed, continue with existing pipeline const guardResult = await this.guard.evaluate(request, effectiveContext, policy); const response = this.buildResponse(request, policy, guardResult); await this.invokePostExecute(response, effectiveContext); if (this.audit) { const auditPayload = createSafeApiAuditPayload({ ruleId: policy.policyId ?? policy.ruleSetId, phase: "safeapi", priority: 0, eventType: "evaluation", timestampMs: 1, meta: { safeApi: { policyHash, guardTrace: guardEval.guardTrace, result: "allow", }, }, }); await this.audit.record(request, effectiveContext, response, auditPayload); } return response; } buildResponse(request, policy, guardResult) { const status = guardResult.allowed ? guardResult.modifiedPayload !== undefined ? "modified" : "allowed" : "blocked"; return Object.freeze({ requestId: request.requestId, status, payload: guardResult.modifiedPayload ?? request.payload, reason: guardResult.reason, policyId: policy.policyId, }); } async invokePreValidate(request) { const handler = this.hooks?.preValidate; if (!handler) return; await handler(deepFreeze(request)); } async invokePreExecute(request, policy) { const handler = this.hooks?.preExecute; if (!handler) return; await handler(deepFreeze(request), deepFreeze(policy)); } async invokePostExecute(response, context) { const handler = this.hooks?.postExecute; if (!handler) return; await handler(deepFreeze(response), deepFreeze(context)); } }