wtc-control-plane
v1.0.1
Published
Core control-plane SDK for self-hosted WTC enterprise operating layers by Eksido.com / WeTakeControl.eu.
Downloads
51
Maintainers
Readme
WTC Control Plane
wtc-control-plane is the first reusable TypeScript SDK package for the
Eksido.com / WeTakeControl.eu self-hosted enterprise operating layer.
The package is maintained by Franz Malten Buemann [email protected].
It provides the domain model, runtime validation, simple policy decision flow, audit event structure, evidence references, dependency graph primitives, connector registry, snapshot import/export, and a small CLI that future WTC services can reuse.
What It Is
- A small Node.js 20+ ESM npm package.
- A foundational SDK for governed AI and MCP access, policy-based control, connector governance, evidence references, audit logging, risk signals, dependency mapping, semantic workflows, and SaaS replacement programmes.
- A local-first package with in-memory and JSON-file stores.
What It Is Not
- Not a SaaS app.
- Not a web server.
- Not an authentication system.
- Not a database adapter.
- Not an OpenAI, Anthropic, or MCP SDK wrapper.
- Not a telemetry collector.
Installation
npm install wtc-control-planeSDK Usage
import { createControlPlane } from "wtc-control-plane";
const cp = await createControlPlane({
tenantId: "demo",
store: "memory"
});
await cp.registerResource({
tenantId: "demo",
provider: "github",
resourceType: "repository",
name: "CampaignBuilder",
externalId: "eksido/CampaignBuilder",
tags: ["source-code", "critical"],
metadata: {}
});
await cp.addPolicy({
tenantId: "demo",
name: "Require approval for agent write actions",
description: "Agents may read repositories but need approval for write actions.",
effect: "require_approval",
subjects: ["agent:*"],
actions: ["repo.write", "pull_request.create"],
resources: ["github:repository:*"],
conditions: {},
priority: 100,
status: "active"
});
const decision = await cp.evaluatePolicy({
tenantId: "demo",
subject: "agent:codex",
action: "pull_request.create",
resource: "github:repository:eksido/CampaignBuilder",
context: {},
requestedAt: new Date().toISOString()
});
console.log(decision.effect);CLI Usage
wtc-control-plane init --file ./wtc-control-plane.json
wtc-control-plane add-resource \
--file ./wtc-control-plane.json \
--json '{"tenantId":"demo","provider":"github","resourceType":"repository","name":"CampaignBuilder","tags":["critical"],"metadata":{}}'
wtc-control-plane add-policy \
--file ./wtc-control-plane.json \
--json '{"tenantId":"demo","name":"Allow repo reads","description":"Allow repository reads.","effect":"allow","subjects":["user:*"],"actions":["repo.read"],"resources":["github:repository:*"],"conditions":{},"priority":10,"status":"active"}'
wtc-control-plane evaluate \
--file ./wtc-control-plane.json \
--json '{"tenantId":"demo","subject":"user:franz","action":"repo.read","resource":"github:repository:eksido/CampaignBuilder","context":{},"requestedAt":"2026-05-30T00:00:00.000Z"}'
wtc-control-plane snapshot --file ./wtc-control-plane.jsonExamples
Production-shaped examples live in examples/:
- Node.js full pipeline from governed JSON inputs to decision, audit events, and snapshot.
- Static frontend console for visual snapshot inspection and dependency graph review.
- Snapshot validation before import or review.
- CLI full pipeline using a file-backed local control-plane state.
- Package inspection for release checks.
Domain Model Overview
The SDK includes zod schemas and TypeScript types for:
- Tenant contexts
- WTC resources
- Control objects
- Connector manifests
- Policy rules, policy inputs, and decisions
- Evidence references
- Risk signals
- Dependency edges
- Audit events
- External scanner findings
Security Principles
- Default deny.
- Every policy evaluation creates an audit event.
- Never log secrets.
- Use
tenantIdeverywhere. - Validate all external input.
- Keep raw scanner findings separate from normalized WTC objects.
- Make exports deterministic and portable.
Roadmap
- OPA policy adapter.
- MCP gateway integration points.
- Prowler and scanner ingestion helpers.
- Postgres store.
- Graph storage adapter.
- Signed snapshots and evidence hash verification.
