d-bis/CurrenciCombo
4
0
Fork 0
Code Issues Pull Requests 9 Actions Packages Projects Releases Wiki Activity

Compare commits

base: d-bis:devin/1776882394-pr-p-rules-engine
Branches Tags
d-bis:main d-bis:devin/1776919187-responsive-uiux-system d-bis:devin/1776918348-pr-ab-complete-phoenix-scaffolding d-bis:sync/currencicombo-phoenix-e2e d-bis:devin/1776898782-pr-aa-phoenix-migration d-bis:devin/1776896284-pr-z-deploy-sandbox d-bis:devin/1776890754-pr-t-evaluator-consolidation d-bis:devin/1776883227-pr-s-obligations d-bis:devin/1776883027-pr-r-fin-sandbox d-bis:devin/1776882556-pr-q-e2e d-bis:devin/1776882394-pr-p-rules-engine d-bis:devin/1776882169-pr-o-eip712 d-bis:devin/1776881860-pr-n-swift-msgid d-bis:devin/1776881763-pr-m-role-binding d-bis:devin/1776881508-pr-l-participants d-bis:devin/1776881375-pr-k-phase-timeouts d-bis:devin/1776881249-pr-j-redis-event-bus d-bis:devin/1776880983-pr-i-boot-assertions-ci d-bis:devin/1776533597-fix-undo-redo-history d-bis:develop
..
compare: d-bis:devin/1776881763-pr-m-role-binding
Branches Tags
d-bis:devin/1776919187-responsive-uiux-system d-bis:main d-bis:devin/1776918348-pr-ab-complete-phoenix-scaffolding d-bis:sync/currencicombo-phoenix-e2e d-bis:devin/1776898782-pr-aa-phoenix-migration d-bis:devin/1776896284-pr-z-deploy-sandbox d-bis:devin/1776890754-pr-t-evaluator-consolidation d-bis:devin/1776883227-pr-s-obligations d-bis:devin/1776883027-pr-r-fin-sandbox d-bis:devin/1776882556-pr-q-e2e d-bis:devin/1776882394-pr-p-rules-engine d-bis:devin/1776882169-pr-o-eip712 d-bis:devin/1776881860-pr-n-swift-msgid d-bis:devin/1776881763-pr-m-role-binding d-bis:devin/1776881508-pr-l-participants d-bis:devin/1776881375-pr-k-phase-timeouts d-bis:devin/1776881249-pr-j-redis-event-bus d-bis:devin/1776880983-pr-i-boot-assertions-ci d-bis:devin/1776533597-fix-undo-redo-history d-bis:develop

1 Commits
devin/1776 ... devin/1776

Author SHA1 Message Date
Devin
5a66cf87c8 API-key role binding: inject req.actorRole
Some checks failed
CI / Frontend Lint (pull_request) Failing after 6s
Details
CI / Frontend Type Check (pull_request) Failing after 6s
Details
CI / Frontend Build (pull_request) Failing after 8s
Details
CI / Frontend E2E Tests (pull_request) Failing after 8s
Details
CI / Orchestrator Build (pull_request) Failing after 7s
Details
CI / Contracts Compile (pull_request) Failing after 5s
Details
CI / Contracts Test (pull_request) Failing after 5s
Details
Code Quality / SonarQube Analysis (pull_request) Failing after 18s
Details
Code Quality / Code Quality Checks (pull_request) Failing after 4s
Details
Security Scan / Dependency Vulnerability Scan (pull_request) Failing after 5s
Details
Security Scan / OWASP ZAP Scan (pull_request) Failing after 4s
Details 
Closes gap-analysis v2 §7.7.

- API_KEYS entries now accept the form key:role (back-compat: bare keys
  default to role=operator). Known roles come from ActorRole in
  transactionState.ts (coordinator / approver / releaser / validator /
  exception_manager / operator).
- apiKeyAuth + optionalApiKeyAuth inject req.actorRole alongside
  req.apiKey so the SoD enforcement in the state machine can consult
  the authenticated role directly.
- New requireRole(...roles) guard for per-route role gating.
- Fail-closed: unknown roles are skipped during parsing, not silently
  promoted to operator. Cache auto-invalidates when API_KEYS changes.
- 9 unit tests.
 2026-04-22 18:17:05 +00:00
4 changed files with 252 additions and 566 deletions
Expand all files Collapse all files

135
orchestrator/src/middleware/apiKeyAuth.ts
View File

@@ -1,44 +1,145 @@
import { Request, Response, NextFunction } from "express";
import type { ActorRole } from "../types/transactionState";
/**
* API Key authentication middleware
* API-key authentication middleware with role binding.
*
* Closes gap-analysis v2 §7.7: API-key middleware used to authenticate
* requests but never bound the caller to an ActorRole, so segregation-
* of-duties enforcement at the state-transition layer had to fall back
* to user-agent-level checks.
*
* API_KEYS format (back-compat):
* API_KEYS="keyA,keyB:approver,keyC:releaser,keyD:validator"
*
* Each entry is either `key` (defaults to role=operator) or `key:role`
* where role ∈ ActorRole. Unknown roles fail parsing and the key is
* rejected as if it were missing — fail-closed rather than silently
* granting a broader role.
*/
interface ApiKeyEntry {
key: string;
role: ActorRole;
}
const KNOWN_ROLES: ReadonlySet<ActorRole> = new Set<ActorRole>([
"coordinator",
"approver",
"releaser",
"validator",
"exception_manager",
"operator",
]);
let cache: ReadonlyMap<string, ApiKeyEntry> | undefined;
let cachedRaw: string | undefined;
function parseApiKeys(raw: string): ReadonlyMap<string, ApiKeyEntry> {
const out = new Map<string, ApiKeyEntry>();
for (const item of raw.split(",").map((s) => s.trim()).filter(Boolean)) {
const [key, roleRaw] = item.split(":");
if (!key) continue;
const role = (roleRaw ?? "operator").trim() as ActorRole;
if (!KNOWN_ROLES.has(role)) {
// Fail-closed: skip entries with unknown roles rather than
// silently promoting to operator.
continue;
}
out.set(key, { key, role });
}
return out;
}
function getCache(): ReadonlyMap<string, ApiKeyEntry> {
const raw = process.env.API_KEYS ?? "";
if (cache === undefined || raw !== cachedRaw) {
cache = parseApiKeys(raw);
cachedRaw = raw;
}
return cache;
}
export function __resetApiKeyCacheForTests(): void {
cache = undefined;
cachedRaw = undefined;
}
function extractKey(req: Request): string | undefined {
const header =
(req.headers["x-api-key"] as string | undefined) ??
((req.headers["authorization"] as string | undefined)?.replace(
/^Bearer\s+/i,
"",
));
return header?.trim() || undefined;
}
/**
* Required API-key auth. Injects `req.apiKey` and `req.actorRole`.
*/
export const apiKeyAuth = (req: Request, res: Response, next: NextFunction) => {
const apiKey = req.headers["x-api-key"] || req.headers["authorization"]?.replace("Bearer ", "");
if (!apiKey) {
const key = extractKey(req);
if (!key) {
return res.status(401).json({
error: "Unauthorized",
message: "API key is required",
});
}
// Validate API key (in production, check against database)
const validApiKeys = process.env.API_KEYS?.split(",") || [];
if (!validApiKeys.includes(apiKey as string)) {
const entry = getCache().get(key);
if (!entry) {
return res.status(403).json({
error: "Forbidden",
message: "Invalid API key",
});
}
// Attach API key info to request
(req as any).apiKey = apiKey;
const r = req as Request & { apiKey?: string; actorRole?: ActorRole };
r.apiKey = entry.key;
r.actorRole = entry.role;
next();
};
/**
* Optional API key authentication (for public endpoints)
* Optional auth — injects role only when the key is valid.
*/
export const optionalApiKeyAuth = (req: Request, res: Response, next: NextFunction) => {
const apiKey = req.headers["x-api-key"] || req.headers["authorization"]?.replace("Bearer ", "");
if (apiKey) {
const validApiKeys = process.env.API_KEYS?.split(",") || [];
if (validApiKeys.includes(apiKey as string)) {
(req as any).apiKey = apiKey;
(req as any).authenticated = true;
export const optionalApiKeyAuth = (
req: Request,
_res: Response,
next: NextFunction,
) => {
const key = extractKey(req);
if (key) {
const entry = getCache().get(key);
if (entry) {
const r = req as Request & {
apiKey?: string;
actorRole?: ActorRole;
authenticated?: boolean;
};
r.apiKey = entry.key;
r.actorRole = entry.role;
r.authenticated = true;
}
}
next();
};
/**
* Guard: require that the authenticated caller carries one of the
* specified roles. Returns 403 otherwise.
*/
export function requireRole(...allowed: ActorRole[]) {
const set = new Set<ActorRole>(allowed);
return (req: Request, res: Response, next: NextFunction) => {
const role = (req as Request & { actorRole?: ActorRole }).actorRole;
if (!role || !set.has(role)) {
return res.status(403).json({
error: "Forbidden",
message: `role ${role ?? "(none)"} is not permitted for this action`,
});
}
next();
};
}

304
orchestrator/src/services/rulesEngine.ts
View File

@@ -1,304 +0,0 @@
/**
* Pluggable Rules Engine (arch §5.2 Rules Engine; gap v2 §5.2 partial).
*
* Before this PR, business rules were hardcoded at the call sites
* (e.g. "plan must have a pay step" baked into iso20022.ts, SoD
* matrix hard-coded in transactionState.ts). This module introduces
* a minimal, declarative JSON DSL so that ruleSets can be loaded
* from env (RULES_FILE) or swapped per-environment.
*
* Design principles
* -----------------
* - No eval. The evaluator is a small recursive switch over a
* closed operator set — no runtime code injection.
* - Pure, deterministic, side-effect free. Evaluation order is
* explicit so the engine can be reasoned about and replayed.
* - Context is a flat name → value map. Callers project whatever
* shape they need ({plan, state, compliance, participants}).
* - Failures are collected, not thrown. The caller decides whether
* a single failure aborts, or whether to accumulate and report.
*/
import { readFileSync } from "fs";
/** Supported primitive operators. */
export type Operator =
| "eq"
| "neq"
| "gt"
| "gte"
| "lt"
| "lte"
| "in"
| "not_in"
| "exists"
| "matches" // regex
| "length_gte"
| "length_lte";
/** Leaf condition — references a context path against a literal. */
export interface LeafCondition {
path: string; // dotted path into the context object
op: Operator;
value?: unknown; // not required for `exists`
/** Optional human label for failure messages. */
message?: string;
}
/** Combinator — AND / OR / NOT over child conditions. */
export interface AndCondition {
all: Condition[];
message?: string;
}
export interface OrCondition {
any: Condition[];
message?: string;
}
export interface NotCondition {
not: Condition;
message?: string;
}
export type Condition = LeafCondition | AndCondition | OrCondition | NotCondition;
export interface Rule {
id: string;
description?: string;
when?: Condition; // precondition — rule only fires when `when` is true
assert: Condition; // the rule passes when `assert` evaluates true
/** Optional severity for reporting: "error" (default) blocks, "warn" does not. */
severity?: "error" | "warn";
}
export interface RuleSet {
id: string;
version?: string;
rules: Rule[];
}
export interface RuleFailure {
ruleId: string;
severity: "error" | "warn";
message: string;
path?: string;
}
export interface EvaluationResult {
ok: boolean;
failures: RuleFailure[];
}
/* -----------------------------------------------------------------
* Dotted-path resolver. Supports a.b.c and a.b[0].c.
* --------------------------------------------------------------- */
function getPath(ctx: unknown, path: string): unknown {
if (!path) return ctx;
const parts = path
.replace(/\[(\d+)\]/g, ".$1")
.split(".")
.filter(Boolean);
let cur: unknown = ctx;
for (const p of parts) {
if (cur === null || cur === undefined) return undefined;
if (typeof cur === "object") {
cur = (cur as Record<string, unknown>)[p];
} else {
return undefined;
}
}
return cur;
}
/* -----------------------------------------------------------------
* Operator evaluation. Pure — no throws.
* --------------------------------------------------------------- */
function evalOp(op: Operator, actual: unknown, expected: unknown): boolean {
switch (op) {
case "eq":
return actual === expected;
case "neq":
return actual !== expected;
case "gt":
return typeof actual === "number" && typeof expected === "number" && actual > expected;
case "gte":
return typeof actual === "number" && typeof expected === "number" && actual >= expected;
case "lt":
return typeof actual === "number" && typeof expected === "number" && actual < expected;
case "lte":
return typeof actual === "number" && typeof expected === "number" && actual <= expected;
case "in":
return Array.isArray(expected) && expected.includes(actual as never);
case "not_in":
return Array.isArray(expected) && !expected.includes(actual as never);
case "exists":
return actual !== undefined && actual !== null;
case "matches":
if (typeof actual !== "string" || typeof expected !== "string") return false;
try {
return new RegExp(expected).test(actual);
} catch {
return false;
}
case "length_gte":
if (!Array.isArray(actual) && typeof actual !== "string") return false;
return (actual as { length: number }).length >= (expected as number);
case "length_lte":
if (!Array.isArray(actual) && typeof actual !== "string") return false;
return (actual as { length: number }).length <= (expected as number);
default:
return false;
}
}
function isLeaf(c: Condition): c is LeafCondition {
return (c as LeafCondition).op !== undefined && (c as LeafCondition).path !== undefined;
}
export function evaluateCondition(
condition: Condition,
context: Record<string, unknown>,
): boolean {
if (isLeaf(condition)) {
const actual = getPath(context, condition.path);
return evalOp(condition.op, actual, condition.value);
}
if ("all" in condition) {
return condition.all.every((c) => evaluateCondition(c, context));
}
if ("any" in condition) {
return condition.any.some((c) => evaluateCondition(c, context));
}
if ("not" in condition) {
return !evaluateCondition(condition.not, context);
}
return false;
}
/* -----------------------------------------------------------------
* Public evaluate(): runs the full rule set and collects failures.
* --------------------------------------------------------------- */
export function evaluate(
ruleSet: RuleSet,
context: Record<string, unknown>,
): EvaluationResult {
const failures: RuleFailure[] = [];
for (const rule of ruleSet.rules) {
if (rule.when && !evaluateCondition(rule.when, context)) continue;
const passed = evaluateCondition(rule.assert, context);
if (!passed) {
failures.push({
ruleId: rule.id,
severity: rule.severity ?? "error",
message: rule.description ?? `rule ${rule.id} failed`,
path: isLeaf(rule.assert) ? rule.assert.path : undefined,
});
}
}
const blocking = failures.filter((f) => f.severity === "error");
return { ok: blocking.length === 0, failures };
}
/* -----------------------------------------------------------------
* Built-in rule sets. These mirror the pre-DSL hardcoded checks so
* callers can migrate incrementally.
* --------------------------------------------------------------- */
/** Preconditions check — arch §8 PRECONDITIONS_PENDING -> READY_FOR_PREPARE. */
export const BUILTIN_PRECONDITIONS: RuleSet = {
id: "preconditions.builtin",
version: "1",
rules: [
{
id: "plan.exists",
description: "plan must be present on the context",
assert: { path: "plan", op: "exists" },
},
{
id: "plan.steps.non_empty",
description: "plan must contain at least one step",
assert: { path: "plan.steps", op: "length_gte", value: 1 },
},
{
id: "plan.pay_step_present",
description: "plan must contain at least one pay step (ISO-20022 envelope)",
assert: {
any: [
{ path: "plan.steps[0].type", op: "eq", value: "pay" },
{ path: "plan.steps[1].type", op: "eq", value: "pay" },
{ path: "plan.steps[2].type", op: "eq", value: "pay" },
{ path: "plan.steps[3].type", op: "eq", value: "pay" },
],
},
},
{
id: "participants.at_least_one",
description: "participant registry must not be empty",
assert: { path: "participants", op: "length_gte", value: 1 },
},
{
id: "compliance.kyc_ok",
description: "compliance KYC status must be ok",
when: { path: "compliance", op: "exists" },
assert: { path: "compliance.kyc", op: "eq", value: "ok" },
},
],
};
/** Commit rule — arch §9.2. */
export const BUILTIN_COMMIT: RuleSet = {
id: "commit.builtin",
version: "1",
rules: [
{
id: "dlt.tx_hash",
description: "DLT leg must produce a 0x + 64-hex tx hash",
assert: { path: "dlt.txHash", op: "matches", value: "^0x[0-9a-fA-F]{64}$" },
},
{
id: "bank.iso_message_id",
description: "bank leg must produce a non-empty ISO message id",
assert: { path: "bank.isoMessageId", op: "exists" },
},
{
id: "state.is_validating",
description: "commit is only valid from VALIDATING",
assert: { path: "state", op: "eq", value: "VALIDATING" },
},
{
id: "no_exception_holds",
description: "no exception may be outstanding",
assert: { path: "exceptions.active", op: "length_lte", value: 0 },
},
],
};
/* -----------------------------------------------------------------
* Loader: RULES_FILE env points at a JSON file containing a map
* {ruleSetId: RuleSet}. Falls back to built-ins on any error.
* --------------------------------------------------------------- */
let cachedOverrides: Record<string, RuleSet> | undefined;
export function getRuleSet(id: string): RuleSet {
if (cachedOverrides === undefined) {
cachedOverrides = {};
const path = process.env.RULES_FILE;
if (path) {
try {
const raw = readFileSync(path, "utf8");
const parsed = JSON.parse(raw) as Record<string, RuleSet>;
if (parsed && typeof parsed === "object") cachedOverrides = parsed;
} catch {
// leave empty — silent fall-through to built-ins
}
}
}
if (cachedOverrides[id]) return cachedOverrides[id];
if (id === BUILTIN_PRECONDITIONS.id) return BUILTIN_PRECONDITIONS;
if (id === BUILTIN_COMMIT.id) return BUILTIN_COMMIT;
return { id, rules: [] };
}
export function __resetRulesCacheForTests(): void {
cachedOverrides = undefined;
}

134
orchestrator/tests/unit/apiKeyAuth.test.ts Normal file
View File

@@ -0,0 +1,134 @@
/**
* Tests for API-key role binding (gap v2 §7.7).
*/
import { describe, it, expect, beforeEach, jest } from "@jest/globals";
import type { Request, Response, NextFunction } from "express";
import {
apiKeyAuth,
optionalApiKeyAuth,
requireRole,
__resetApiKeyCacheForTests,
} from "../../src/middleware/apiKeyAuth";
function makeReqRes(headers: Record<string, string> = {}) {
const req = { headers } as unknown as Request;
const json = jest.fn();
const status = jest.fn().mockReturnValue({ json }) as unknown as Response["status"];
const res = { status, json } as unknown as Response;
const next = jest.fn() as unknown as NextFunction;
return { req, res, next, status, json };
}
describe("apiKeyAuth role binding", () => {
beforeEach(() => {
__resetApiKeyCacheForTests();
process.env.API_KEYS = "";
});
it("rejects when no key is supplied (401)", () => {
const { req, res, next, status } = makeReqRes();
apiKeyAuth(req, res, next);
expect(status).toHaveBeenCalledWith(401);
expect(next).not.toHaveBeenCalled();
});
it("rejects when the key is not registered (403)", () => {
process.env.API_KEYS = "good-key:approver";
const { req, res, next, status } = makeReqRes({ "x-api-key": "bad-key" });
apiKeyAuth(req, res, next);
expect(status).toHaveBeenCalledWith(403);
expect(next).not.toHaveBeenCalled();
});
it("binds role=operator for bare keys (back-compat)", () => {
process.env.API_KEYS = "legacy-key";
const { req, res, next } = makeReqRes({ "x-api-key": "legacy-key" });
apiKeyAuth(req, res, next);
expect(next).toHaveBeenCalled();
expect((req as Request & { actorRole?: string }).actorRole).toBe("operator");
});
it("binds the declared role for key:role entries", () => {
process.env.API_KEYS = "k1:approver,k2:releaser,k3:validator";
const cases: Array<[string, string]> = [
["k1", "approver"],
["k2", "releaser"],
["k3", "validator"],
];
for (const [key, role] of cases) {
__resetApiKeyCacheForTests();
const { req, res, next } = makeReqRes({ "x-api-key": key });
apiKeyAuth(req, res, next);
expect(next).toHaveBeenCalled();
expect((req as Request & { actorRole?: string }).actorRole).toBe(role);
}
});
it("fails closed on unknown roles — entry is skipped", () => {
process.env.API_KEYS = "k1:root,k2:approver";
const reject = makeReqRes({ "x-api-key": "k1" });
apiKeyAuth(reject.req, reject.res, reject.next);
expect(reject.status).toHaveBeenCalledWith(403);
__resetApiKeyCacheForTests();
process.env.API_KEYS = "k1:root,k2:approver";
const accept = makeReqRes({ "x-api-key": "k2" });
apiKeyAuth(accept.req, accept.res, accept.next);
expect(accept.next).toHaveBeenCalled();
expect(
(accept.req as Request & { actorRole?: string }).actorRole,
).toBe("approver");
});
it("accepts Bearer authorization header", () => {
process.env.API_KEYS = "bearer-key:releaser";
const { req, res, next } = makeReqRes({
authorization: "Bearer bearer-key",
});
apiKeyAuth(req, res, next);
expect(next).toHaveBeenCalled();
expect((req as Request & { actorRole?: string }).actorRole).toBe("releaser");
});
it("re-parses the cache when API_KEYS changes", () => {
process.env.API_KEYS = "v1:approver";
const first = makeReqRes({ "x-api-key": "v1" });
apiKeyAuth(first.req, first.res, first.next);
expect(first.next).toHaveBeenCalled();
process.env.API_KEYS = "v2:releaser";
const second = makeReqRes({ "x-api-key": "v1" });
apiKeyAuth(second.req, second.res, second.next);
expect(second.status).toHaveBeenCalledWith(403);
});
it("optionalApiKeyAuth is a pass-through when no key is supplied", () => {
const { req, res, next } = makeReqRes();
optionalApiKeyAuth(req, res, next);
expect(next).toHaveBeenCalled();
expect((req as Request & { actorRole?: string }).actorRole).toBeUndefined();
});
it("requireRole lets permitted roles through and 403s others", () => {
process.env.API_KEYS = "a:approver,r:releaser";
const guard = requireRole("approver");
__resetApiKeyCacheForTests();
const ok = makeReqRes({ "x-api-key": "a" });
apiKeyAuth(ok.req, ok.res, ok.next);
const okNext = jest.fn() as unknown as NextFunction;
const okStatus = jest.fn().mockReturnValue({ json: jest.fn() }) as unknown as Response["status"];
guard(ok.req, { status: okStatus } as unknown as Response, okNext);
expect(okNext).toHaveBeenCalled();
__resetApiKeyCacheForTests();
const bad = makeReqRes({ "x-api-key": "r" });
apiKeyAuth(bad.req, bad.res, bad.next);
const badNext = jest.fn() as unknown as NextFunction;
const badStatus = jest.fn().mockReturnValue({ json: jest.fn() }) as unknown as Response["status"];
guard(bad.req, { status: badStatus } as unknown as Response, badNext);
expect(badStatus).toHaveBeenCalledWith(403);
expect(badNext).not.toHaveBeenCalled();
});
});

245
orchestrator/tests/unit/rulesEngine.test.ts
View File

@@ -1,245 +0,0 @@
/**
* PR P — Pluggable Rules Engine (gap-analysis v2 §5.2 partial).
*/
import { describe, it, expect, beforeEach } from "@jest/globals";
import {
evaluate,
evaluateCondition,
getRuleSet,
BUILTIN_PRECONDITIONS,
BUILTIN_COMMIT,
__resetRulesCacheForTests,
type RuleSet,
} from "../../src/services/rulesEngine";
describe("rulesEngine — primitive operators", () => {
it("eq / neq / gt / gte / lt / lte", () => {
expect(
evaluateCondition({ path: "a", op: "eq", value: 1 }, { a: 1 }),
).toBe(true);
expect(
evaluateCondition({ path: "a", op: "neq", value: 1 }, { a: 2 }),
).toBe(true);
expect(
evaluateCondition({ path: "a", op: "gt", value: 1 }, { a: 2 }),
).toBe(true);
expect(
evaluateCondition({ path: "a", op: "lte", value: 3 }, { a: 3 }),
).toBe(true);
});
it("in / not_in / exists / matches", () => {
expect(
evaluateCondition(
{ path: "role", op: "in", value: ["approver", "releaser"] },
{ role: "approver" },
),
).toBe(true);
expect(
evaluateCondition(
{ path: "role", op: "not_in", value: ["approver"] },
{ role: "operator" },
),
).toBe(true);
expect(
evaluateCondition({ path: "x", op: "exists" }, { x: 0 }),
).toBe(true);
expect(
evaluateCondition(
{ path: "hash", op: "matches", value: "^0x[0-9a-f]+$" },
{ hash: "0xabc" },
),
).toBe(true);
});
it("length_gte / length_lte work on arrays and strings", () => {
expect(
evaluateCondition({ path: "a", op: "length_gte", value: 2 }, { a: [1, 2] }),
).toBe(true);
expect(
evaluateCondition({ path: "a", op: "length_lte", value: 5 }, { a: "abcd" }),
).toBe(true);
});
it("dotted + indexed path resolution", () => {
expect(
evaluateCondition(
{ path: "plan.steps[1].type", op: "eq", value: "pay" },
{ plan: { steps: [{ type: "issue" }, { type: "pay" }] } },
),
).toBe(true);
});
});
describe("rulesEngine — combinators", () => {
const ctx = { role: "approver", amount: 1000 };
it("all (AND) — every child must pass", () => {
expect(
evaluateCondition(
{
all: [
{ path: "role", op: "eq", value: "approver" },
{ path: "amount", op: "gt", value: 500 },
],
},
ctx,
),
).toBe(true);
expect(
evaluateCondition(
{
all: [
{ path: "role", op: "eq", value: "approver" },
{ path: "amount", op: "gt", value: 5000 },
],
},
ctx,
),
).toBe(false);
});
it("any (OR) — at least one child must pass", () => {
expect(
evaluateCondition(
{
any: [
{ path: "role", op: "eq", value: "releaser" },
{ path: "amount", op: "gt", value: 500 },
],
},
ctx,
),
).toBe(true);
});
it("not — inverts the child", () => {
expect(
evaluateCondition(
{ not: { path: "role", op: "eq", value: "releaser" } },
ctx,
),
).toBe(true);
});
});
describe("rulesEngine — evaluate() and failure reporting", () => {
const ruleSet: RuleSet = {
id: "test.rs",
rules: [
{
id: "amount_positive",
description: "amount must be > 0",
assert: { path: "amount", op: "gt", value: 0 },
},
{
id: "role_listed",
description: "role must be in the allowed list",
assert: {
path: "role",
op: "in",
value: ["approver", "releaser", "operator"],
},
},
{
id: "warning_only",
description: "low amount warning",
severity: "warn",
assert: { path: "amount", op: "gte", value: 10_000 },
},
],
};
it("returns ok=true when all error-severity rules pass", () => {
const res = evaluate(ruleSet, { amount: 1000, role: "approver" });
expect(res.ok).toBe(true);
// warn still reported even though ok=true
expect(res.failures.some((f) => f.ruleId === "warning_only")).toBe(true);
expect(res.failures.every((f) => f.severity === "warn")).toBe(true);
});
it("returns ok=false with error failure when a blocking rule fails", () => {
const res = evaluate(ruleSet, { amount: -1, role: "approver" });
expect(res.ok).toBe(false);
const amountFail = res.failures.find((f) => f.ruleId === "amount_positive");
expect(amountFail?.severity).toBe("error");
});
it("'when' gates a rule — false when-clause skips the assert", () => {
const guarded: RuleSet = {
id: "guarded.rs",
rules: [
{
id: "kyc_if_present",
when: { path: "compliance", op: "exists" },
assert: { path: "compliance.kyc", op: "eq", value: "ok" },
},
],
};
expect(evaluate(guarded, {}).ok).toBe(true);
expect(evaluate(guarded, { compliance: { kyc: "ok" } }).ok).toBe(true);
expect(evaluate(guarded, { compliance: { kyc: "fail" } }).ok).toBe(false);
});
});
describe("rulesEngine — built-in rule sets", () => {
it("preconditions: pay step + non-empty participants passes", () => {
const res = evaluate(BUILTIN_PRECONDITIONS, {
plan: { steps: [{ type: "pay" }] },
participants: [{ id: "p1" }],
});
expect(res.ok).toBe(true);
});
it("preconditions: missing pay step fails", () => {
const res = evaluate(BUILTIN_PRECONDITIONS, {
plan: { steps: [{ type: "issueInstrument" }] },
participants: [{ id: "p1" }],
});
expect(res.ok).toBe(false);
expect(res.failures.some((f) => f.ruleId === "plan.pay_step_present")).toBe(
true,
);
});
it("commit: VALIDATING + matching refs + no exceptions passes", () => {
const res = evaluate(BUILTIN_COMMIT, {
state: "VALIDATING",
dlt: { txHash: `0x${"a".repeat(64)}` },
bank: { isoMessageId: "MSG-1" },
exceptions: { active: [] },
});
expect(res.ok).toBe(true);
});
it("commit: state != VALIDATING blocks", () => {
const res = evaluate(BUILTIN_COMMIT, {
state: "EXECUTING",
dlt: { txHash: `0x${"a".repeat(64)}` },
bank: { isoMessageId: "MSG-1" },
exceptions: { active: [] },
});
expect(res.ok).toBe(false);
expect(res.failures.some((f) => f.ruleId === "state.is_validating")).toBe(
true,
);
});
});
describe("rulesEngine — pluggable loading", () => {
beforeEach(() => {
__resetRulesCacheForTests();
delete process.env.RULES_FILE;
});
it("returns built-ins when RULES_FILE is unset", () => {
expect(getRuleSet(BUILTIN_PRECONDITIONS.id).rules.length).toBeGreaterThan(0);
expect(getRuleSet(BUILTIN_COMMIT.id).rules.length).toBeGreaterThan(0);
});
it("returns an empty rule set for unknown ids (no throw)", () => {
const rs = getRuleSet("nonexistent");
expect(rs.rules).toEqual([]);
});
});