authority-client.ts
import {
AuthorityClient,
Verifier,
type AuthorizationRequest,
type VerifyRequest,
type ActualOperation,
} from "@predicatesystems/authority";
import type { ProviderConfig } from "./config.js";
export type { VerifyRequest, ActualOperation };
/**
 * Outcome of an authorization request in the shape this module exposes to
 * its callers (camelCase, no `null` values).
 */
export interface AuthorityDecision {
  /** Whether the request is permitted. Callers should gate on `allow === true`. */
  allow: boolean;

  /** Explanation passed through from the underlying decision, if any. */
  reason?: string;

  /** Mandate identifier from the underlying decision; absent when it was `null` or missing. */
  mandateId?: string;
}
/**
 * Outcome of a verification call in the shape this module exposes to its
 * callers.
 */
export interface VerificationResult {
  /** Whether verification succeeded. Callers should gate on `verified === true`. */
  verified: boolean;

  /** Explanation passed through from the verifier, if any. */
  reason?: string;

  /** Audit identifier passed through from the verifier, if any. */
  auditId?: string;

  /**
   * Action/resource pair reported under the verifier's `details.authorized`.
   * Presumably the operation that was authorized; confirm against the SDK.
   */
  authorized?: { action: string; resource: string };

  /**
   * Action/resource pair reported under the verifier's `details.actual`.
   * Presumably the operation that was actually performed; confirm against the SDK.
   */
  actual?: { action: string; resource: string };
}
/**
 * Adapter contract consumed by the rest of the module.
 *
 * `verify` is optional: an adapter may provide authorization only. A caller
 * that skips verification when `verify` is absent gets no verification at
 * all, so that choice should be made deliberately rather than by default.
 */
export interface AuthorityAdapter {
  /** Requests an authorization decision for `request`. */
  authorize(request: AuthorizationRequest): Promise<AuthorityDecision>;

  /** Verifies `request`; present only on adapters that support verification. */
  verify?(request: VerifyRequest): Promise<VerificationResult>;
}
/**
 * Decision shape returned by the SDK client before it is mapped to
 * {@link AuthorityDecision}. Field names follow the SDK's snake_case.
 */
interface SdkDecision {
  /** Whether the SDK reports the request as permitted. */
  allowed: boolean;

  /** Optional explanation supplied with the decision. */
  reason?: string;

  /** Mandate identifier; may be `null` or omitted. */
  mandate_id?: string | null;
}
/**
 * Minimal structural view of an SDK client: anything with a compatible
 * `authorize` method can be wrapped, which also allows test doubles.
 */
interface SdkLike {
  /** Resolves with the SDK's raw decision for `request`. */
  authorize(request: AuthorizationRequest): Promise<SdkDecision>;
}
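/**
 * Wraps an SDK-style client in the {@link AuthorityAdapter} interface.
 *
 * The returned adapter implements `authorize` only; it has no `verify`
 * method, so callers that require verification must check for its presence.
 *
 * The mapping fails closed: TypeScript types are erased at runtime, so a
 * client that hands back a non-boolean `allowed` (for example the string
 * "false") would otherwise be passed through as a truthy grant. Only the
 * literal `true` is treated as permission.
 *
 * Errors from `client.authorize` are not caught here; the returned promise
 * rejects and callers should treat a rejection as a denial.
 *
 * @param client - Object exposing an SDK-compatible `authorize` method.
 * @returns An adapter whose `authorize` maps the SDK decision to camelCase.
 */
export function createAuthorityAdapter(client: SdkLike): AuthorityAdapter {
  return {
    async authorize(request: AuthorizationRequest): Promise<AuthorityDecision> {
      const decision = await client.authorize(request);
      return {
        // Strict comparison: anything other than boolean true is a deny.
        allow: decision.allowed === true,
        reason: decision.reason,
        // Normalise null to undefined so the field is simply absent.
        mandateId: decision.mandate_id ?? undefined,
      };
    },
  };
}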
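/**
 * Builds the default adapter backed by the SDK's `AuthorityClient` (for
 * authorization) and `Verifier` (for post-execution verification).
 *
 * Both mappings fail closed: `allow` and `verified` are true only when the
 * SDK returned the literal boolean `true`, since the declared types are not
 * enforced at runtime.
 *
 * Errors from either SDK call are not caught here; the returned promises
 * reject and callers should treat a rejection as a denial or a failed
 * verification respectively.
 *
 * @param config - Provider settings; `baseUrl` and `timeoutMs` are shared by
 *   both clients, while `maxRetries` and `backoffInitialMs` are passed to the
 *   authorization client only.
 * @returns An adapter implementing both `authorize` and `verify`.
 */
export function createDefaultAuthorityAdapter(
  config: ProviderConfig,
): AuthorityAdapter {
  // NOTE(review): authorization and verification traffic both go to
  // config.baseUrl and nothing in this function checks its scheme or host.
  // Confirm that config validation restricts it to a trusted endpoint.
  const sdkClient = new AuthorityClient({
    baseUrl: config.baseUrl,
    timeoutMs: config.timeoutMs,
    maxRetries: config.maxRetries,
    backoffInitialMs: config.backoffInitialMs,
  });

  // Create verifier for post-execution verification
  const verifier = new Verifier({
    baseUrl: config.baseUrl,
    timeoutMs: config.timeoutMs,
  });

  return {
    async authorize(request: AuthorizationRequest): Promise<AuthorityDecision> {
      const decision = await sdkClient.authorize(request);
      return {
        // Strict comparison: anything other than boolean true is a deny.
        allow: decision.allowed === true,
        reason: decision.reason,
        // Normalise null to undefined so the field is simply absent.
        mandateId: decision.mandate_id ?? undefined,
      };
    },

    async verify(request: VerifyRequest): Promise<VerificationResult> {
      const result = await verifier.verify(request);
      const authorized = result.details?.authorized;
      const actual = result.details?.actual;
      return {
        // Strict comparison: anything other than boolean true is unverified.
        verified: result.verified === true,
        reason: result.reason,
        auditId: result.auditId,
        // Copy only action/resource so no other SDK detail fields leak through.
        authorized: authorized
          ? { action: authorized.action, resource: authorized.resource }
          : undefined,
        actual: actual
          ? { action: actual.action, resource: actual.resource }
          : undefined,
      };
    },
  };
}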