aaronrene / knowtation public
calendar-policy.mjs
63 lines 1.9 KB
Raw
sha256:65ccb454656ea5acdea0a10e559b78bcde1eb6ff753ecc2911bc99d1c3d7cadd feat(calendar): enforce agent context tiers in retrieval AP… Human minor ⚠ breaking 1 day ago
1 /**
2 * Org/vault calendar agent-tier policy caps (Calendar Events v0).
3 *
4 * Self-hosted operators may cap the maximum `agent_context_tier_max` users can set
5 * per source calendar (e.g. minors/classrooms → tier 0–1 only).
6 *
7 * @see docs/CALENDAR-EVENTS-V0-SPEC.md — Security checklist #4
8 */
9
10 import fs from 'fs';
11 import path from 'path';
12 import { AGENT_CONTEXT_TIERS } from './source-calendar-defaults.mjs';
13
14 /** @typedef {import('./source-calendar-defaults.mjs').AgentContextTier} AgentContextTier */
15
16 const POLICY_FILENAME = 'hub_calendar_policy.json';
17
18 /**
19 * Read the org policy cap for agent_context_tier_max (inclusive upper bound).
20 * Default 4 = no restriction beyond v0 tier enum.
21 *
22 * @param {string} dataDir
23 * @returns {AgentContextTier}
24 */
25 export function readCalendarAgentTierCap(dataDir) {
26 const envRaw = process.env.KNOWTATION_CALENDAR_AGENT_TIER_MAX_CAP;
27 if (envRaw != null && String(envRaw).trim() !== '') {
28 const parsed = Number.parseInt(String(envRaw).trim(), 10);
29 if (Number.isInteger(parsed) && parsed >= 0 && parsed <= 4) {
30 return /** @type {AgentContextTier} */ (parsed);
31 }
32 }
33
34 if (dataDir) {
35 const filePath = path.join(dataDir, POLICY_FILENAME);
36 if (fs.existsSync(filePath)) {
37 try {
38 const raw = fs.readFileSync(filePath, 'utf8');
39 const data = JSON.parse(raw);
40 const cap = data?.agent_context_tier_max_cap;
41 if (Number.isInteger(cap) && cap >= 0 && cap <= 4) {
42 return /** @type {AgentContextTier} */ (cap);
43 }
44 } catch {
45 /* fall through to default */
46 }
47 }
48 }
49
50 return 4;
51 }
52
53 /**
54 * @param {AgentContextTier} requestedTier
55 * @param {AgentContextTier} policyCap
56 * @returns {boolean}
57 */
58 export function isAgentTierWithinPolicyCap(requestedTier, policyCap) {
59 if (!AGENT_CONTEXT_TIERS.includes(requestedTier)) {
60 return false;
61 }
62 return requestedTier <= policyCap;
63 }
File History 1 commit
sha256:65ccb454656ea5acdea0a10e559b78bcde1eb6ff753ecc2911bc99d1c3d7cadd feat(calendar): enforce agent context tiers in retrieval AP… Human minor 1 day ago