-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathpolicy.zod.ts
More file actions
62 lines (53 loc) · 2.11 KB
/
policy.zod.ts
File metadata and controls
62 lines (53 loc) · 2.11 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.
import { z } from 'zod';
/**
* Password Complexity Policy
*/
export const PasswordPolicySchema = z.object({
minLength: z.number().default(8),
requireUppercase: z.boolean().default(true),
requireLowercase: z.boolean().default(true),
requireNumbers: z.boolean().default(true),
requireSymbols: z.boolean().default(false),
expirationDays: z.number().optional().describe('Force password change every X days'),
historyCount: z.number().default(3).describe('Prevent reusing last X passwords'),
});
/**
* Network Access Policy (IP Whitelisting)
*/
export const NetworkPolicySchema = z.object({
trustedRanges: z.array(z.string()).describe('CIDR ranges allowed to access (e.g. 10.0.0.0/8)'),
blockUnknown: z.boolean().default(false).describe('Block all IPs not in trusted ranges'),
vpnRequired: z.boolean().default(false),
});
/**
* Session Policy
*/
export const SessionPolicySchema = z.object({
idleTimeout: z.number().default(30).describe('Minutes before idle session logout'),
absoluteTimeout: z.number().default(480).describe('Max session duration (minutes)'),
forceMfa: z.boolean().default(false).describe('Require 2FA for all users'),
});
/**
* Audit Retention Policy
*/
export const AuditPolicySchema = z.object({
logRetentionDays: z.number().default(180),
sensitiveFields: z.array(z.string()).describe('Fields to redact in logs (e.g. password, ssn)'),
captureRead: z.boolean().default(false).describe('Log read access (High volume!)'),
});
/**
* Security Policy Schema
* "The Cloud Compliance Contract"
*/
export const PolicySchema = z.object({
name: z.string().regex(/^[a-z_][a-z0-9_]*$/).describe('Policy Name'),
password: PasswordPolicySchema.optional(),
network: NetworkPolicySchema.optional(),
session: SessionPolicySchema.optional(),
audit: AuditPolicySchema.optional(),
/** Assignment */
isDefault: z.boolean().default(false).describe('Apply to all users by default'),
assignedProfiles: z.array(z.string()).optional().describe('Apply to specific profiles'),
});
export type Policy = z.infer<typeof PolicySchema>;