Class: ZeroTrustService
Defined in: src/auth/zero-trust/zero-trust-service.ts:178
Zero Trust policy service.
Remarks
Evaluates access requests using multiple trust signals:
- Authentication strength (MFA, session age)
- Device posture (known device, security state)
- Behavioral analysis (unusual patterns)
- Network context (IP reputation, location)
Example
// `redis` and `logger` are existing client/logger instances supplied by the caller
const ztService = new ZeroTrustService({
  redis,
  logger,
});

// `userDid` and `preprintId` come from the authenticated request being authorized
const decision = await ztService.evaluate({
  subject: { did: userDid, roles: ['author'] },
  action: 'write',
  resource: { type: 'preprint', id: preprintId },
});

if (!decision.allow) {
  // Handle denial or step-up auth requirement
}
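The Remarks above list the four signal families the service weighs, but the combination itself lives in the loaded policy bundle. As an added illustration that is not the project's code, the following standalone TypeScript shows one way such signals can be folded into an allow / step-up / hard-deny decision. The TrustSignals, AccessRequest and Decision shapes, the thresholds, the role mapping and the reason strings are all assumptions of this example (the page's PolicyDecision only guarantees an `allow` field; the `stepUp` flag and `reasons` are added here).

```typescript
// Added example: a local trust-signal evaluator, NOT the project's ZeroTrustService
// (which delegates to a loaded policy bundle). All shapes and thresholds are assumptions.

export interface TrustSignals {
  mfa: boolean;                 // authentication strength: MFA completed for this session
  sessionAgeSeconds: number;    // authentication strength: time since last authentication
  knownDevice: boolean;         // device posture: device previously registered for this DID
  deviceCompromised: boolean;   // device posture: security state reported as compromised
  ipReputation: "good" | "suspicious" | "malicious"; // network context
  unusualBehavior: boolean;     // behavioral analysis: access pattern deviates from baseline
}

export interface AccessRequest {
  subject: { did: string; roles: string[] };
  action: "read" | "write" | "admin";
  resource: { type: string; id: string };
  signals: TrustSignals;
}

export interface Decision {
  allow: boolean;
  stepUp: boolean;    // allow=false with stepUp=false is a hard deny that re-authentication cannot cure
  reasons: string[];
}

// Assumed thresholds
const MAX_WRITE_SESSION_AGE = 8 * 60 * 60; // writes need a session younger than 8h
const FRESH_AUTH_WINDOW = 5 * 60;          // risky contexts need authentication within the last 5 minutes

// Assumed coarse role requirement per action
const ROLE_FOR_ACTION: Record<AccessRequest["action"], string[]> = {
  read: [],
  write: ["author", "admin"],
  admin: ["admin"],
};

export function evaluateSignals(req: AccessRequest): Decision {
  const s = req.signals;

  // 1. Hard denies: signals that no amount of re-authentication should override.
  const hard: string[] = [];
  if (s.ipReputation === "malicious") hard.push("ip_malicious");
  if (s.deviceCompromised) hard.push("device_compromised");
  if (hard.length) return { allow: false, stepUp: false, reasons: hard };

  // 2. Coarse authorization: does the subject hold a role that permits the action at all?
  const required = ROLE_FOR_ACTION[req.action];
  if (required.length && !required.some(r => req.subject.roles.includes(r))) {
    return { allow: false, stepUp: false, reasons: ["missing_role"] };
  }

  // 3. Risk: conditions that raise the bar for how fresh and strong the authentication must be.
  const risky = !s.knownDevice || s.ipReputation === "suspicious" || s.unusualBehavior;
  const sensitive = req.action !== "read";
  const stepUp: string[] = [];
  if (sensitive) {
    if (!s.mfa) stepUp.push("mfa_required");
    if (s.sessionAgeSeconds > MAX_WRITE_SESSION_AGE) stepUp.push("session_too_old");
    if (risky && s.sessionAgeSeconds > FRESH_AUTH_WINDOW) stepUp.push("fresh_auth_required_in_risky_context");
  } else if (!s.knownDevice && s.unusualBehavior) {
    // Reads are normally cheap, but an unknown device showing unusual behaviour still
    // warrants a fresh MFA before data is returned.
    if (!s.mfa || s.sessionAgeSeconds > FRESH_AUTH_WINDOW) stepUp.push("fresh_mfa_required_for_read");
  }
  if (stepUp.length) return { allow: false, stepUp: true, reasons: stepUp };

  return { allow: true, stepUp: false, reasons: ["all_signals_ok"] };
}
```

The ordering matters: hard denies are checked before anything that could be cured by step-up, so a caller never prompts for MFA on a request that will be refused anyway, and the role check sits before the risk check for the same reason.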
Implements
IZeroTrustPolicy
Constructors
new ZeroTrustService()
new ZeroTrustService(options): ZeroTrustService
Defined in: src/auth/zero-trust/zero-trust-service.ts:189
Creates a new ZeroTrustService.
Parameters
options
Service options
Returns
ZeroTrustService
Methods
auditDecision()
auditDecision(decision, input): Promise<void>
Defined in: src/auth/zero-trust/zero-trust-service.ts:357
Audits a policy decision.
Parameters
decision
Policy decision
input
Original policy input
Returns
Promise<void>
Remarks
Logs the decision for compliance and debugging.
Implementation of
IZeroTrustPolicy.auditDecision
evaluate()
evaluate(input): Promise<PolicyDecision>
Defined in: src/auth/zero-trust/zero-trust-service.ts:206
Evaluates a policy decision for an access request.
Parameters
input
Policy input
Returns
Promise<PolicyDecision>
Policy decision
Implementation of
IZeroTrustPolicy.evaluate
getKnownDevices()
getKnownDevices(did): Promise<string[]>
Defined in: src/auth/zero-trust/zero-trust-service.ts:417
Gets known devices for a user.
Parameters
did
string
User's DID
Returns
Promise<string[]>
Array of device IDs
getPolicyVersion()
getPolicyVersion(): Promise<string>
Defined in: src/auth/zero-trust/zero-trust-service.ts:344
Gets current policy version.
Returns
Promise<string>
Policy version string
Implementation of
IZeroTrustPolicy.getPolicyVersion
loadPolicy()
loadPolicy(bundleUrl): Promise<void>
Defined in: src/auth/zero-trust/zero-trust-service.ts:256
Loads policy bundle from URL.
Parameters
bundleUrl
string
URL to OPA bundle (tar.gz)
Returns
Promise<void>
Remarks
Fetches an OPA policy bundle from the given URL and validates it before it is used for evaluation. The bundle is expected to be a tar.gz archive containing Rego policies.
OPA bundles follow the format specified in: https://www.openpolicyagent.org/docs/latest/management-bundles/
Throws
ConfigurationError if bundle cannot be fetched or is invalid
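Added example, not the project's loadPolicy(): an offline validator for the checks a loader should run on a fetched bundle before activating it. Node's built-in zlib handles the gzip layer; the tar reader is a minimal ustar parser written here, and a sample bundle is constructed in memory so the code runs without network access. Requiring a root .manifest with a revision is a policy choice of this example (OPA itself treats the manifest as optional); the error type is a plain Error rather than the page's ConfigurationError.

```typescript
// Added example: an offline OPA bundle validator, NOT the project's loadPolicy().
// It builds a sample tar.gz in memory (constructed data), then applies the checks a loader
// should make before trusting a bundle. Requiring a .manifest with a revision is a deliberate
// choice here; OPA treats the manifest as optional.
import { gunzipSync, gzipSync } from "node:zlib";

export interface BundleInfo { revision: string; policies: string[] }
interface Entry { name: string; data: Buffer }

const BLOCK = 512;
const octal = (n: number, width: number): string => n.toString(8).padStart(width, "0");

/** One ustar entry (512-byte header + content padded to a block). Used only to build sample bundles. */
export function tarEntry(name: string, content: string): Buffer {
  const data = Buffer.from(content, "utf8");
  const h = Buffer.alloc(BLOCK, 0);
  h.write(name, 0, 100, "utf8");
  h.write(octal(0o644, 7) + "\0", 100);          // mode
  h.write(octal(0, 7) + "\0", 108);              // uid
  h.write(octal(0, 7) + "\0", 116);              // gid
  h.write(octal(data.length, 11) + "\0", 124);   // size
  h.write(octal(0, 11) + "\0", 136);             // mtime
  h.fill(0x20, 148, 156);                        // checksum field counts as spaces while summing
  h.write("0", 156);                             // typeflag: regular file
  h.write("ustar\0" + "00", 257);                // magic + version
  let sum = 0;
  for (const b of h) sum += b;
  h.write(octal(sum, 6) + "\0 ", 148);
  const padded = Buffer.alloc(Math.ceil(data.length / BLOCK) * BLOCK, 0);
  data.copy(padded);
  return Buffer.concat([h, padded]);
}

/** Build a gzip-compressed tar from a name -> content map (constructed sample bundle). */
export function buildTarGz(files: Record<string, string>): Buffer {
  const parts = Object.entries(files).map(([n, c]) => tarEntry(n, c));
  parts.push(Buffer.alloc(2 * BLOCK, 0));        // end-of-archive marker
  return gzipSync(Buffer.concat(parts));
}

/** Minimal ustar reader that verifies every header checksum and rejects truncated entries. */
export function readTar(tar: Buffer): Entry[] {
  const out: Entry[] = [];
  let off = 0;
  while (off + BLOCK <= tar.length) {
    const h = tar.subarray(off, off + BLOCK);
    if (h.every(b => b === 0)) break;            // end-of-archive
    const field = (s: number, e: number) => h.toString("ascii", s, e).replace(/\0.*$/, "").trim();
    let sum = 0;
    for (let i = 0; i < BLOCK; i++) sum += i >= 148 && i < 156 ? 0x20 : h[i];
    if (sum !== parseInt(field(148, 156), 8)) throw new Error(`bad header checksum at offset ${off}`);
    const name = h.toString("utf8", 0, 100).replace(/\0.*$/, "");
    const size = parseInt(field(124, 136), 8);
    const start = off + BLOCK;
    if (start + size > tar.length) throw new Error(`truncated entry ${name}`);
    if (h[156] === 0x30 || h[156] === 0) out.push({ name, data: tar.subarray(start, start + size) });
    off = start + Math.ceil(size / BLOCK) * BLOCK;
  }
  return out;
}

function gunzipOrThrow(gz: Buffer): Buffer {
  try { return gunzipSync(gz); } catch { throw new Error("bundle is not valid gzip"); }
}

/** Validate a bundle the way a loader should before activating it. */
export function validateBundle(gz: Buffer): BundleInfo {
  const entries = readTar(gunzipOrThrow(gz));
  for (const e of entries) {
    // Never let archive entry names steer file placement or policy roots.
    if (e.name.startsWith("/") || e.name.split("/").includes("..")) {
      throw new Error(`path traversal in entry ${e.name}`);
    }
  }
  const manifest = entries.find(e => e.name.replace(/^\.\//, "") === ".manifest");
  if (!manifest) throw new Error("bundle has no .manifest");
  const m = JSON.parse(manifest.data.toString("utf8"));
  if (typeof m.revision !== "string" || m.revision === "") throw new Error(".manifest has no revision");
  const policies = entries.map(e => e.name).filter(n => n.endsWith(".rego"));
  if (policies.length === 0) throw new Error("bundle contains no .rego policies");
  return { revision: m.revision, policies };
}
```

The checks run in trust order: decompress, verify archive integrity, reject hostile entry names, and only then interpret the manifest and count policies. A production loader should additionally pin where the bundle came from (TLS to a known origin, or OPA bundle signatures via `.signatures.json`) before any of this, since a validly formed bundle from the wrong source is still the wrong policy.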
Implementation of
IZeroTrustPolicy.loadPolicy
recordDevicePosture()
recordDevicePosture(did, deviceId, posture): Promise<void>
Defined in: src/auth/zero-trust/zero-trust-service.ts:392
Records device posture for a user.
Parameters
did
string
User's DID
deviceId
string
Device identifier
posture
DevicePosture
Device posture data
Returns
Promise<void>
recordSecurityEvent()
recordSecurityEvent(did, eventType, context): Promise<void>
Defined in: src/auth/zero-trust/zero-trust-service.ts:429
Records a security event for behavior analysis.
Parameters
did
string
User's DID
eventType
string
Event type
context
Record<string, unknown>
Event context
Returns
Promise<void>