@aegis-scan/core 0.16.5 → 0.17.0

package/README.md

@@ -0,0 +1,37 @@
+# @aegis-scan/core
+
+Core engine for the [AEGIS](https://github.com/RideMatch1/a.e.g.i.s) security-scanner suite — a paranoid stack-specific SAST scanner for Next.js + Supabase projects.
+
+This package provides the orchestrator, scoring engine (0-1000 with FORTRESS / HARDENED / SOLID / NEEDS_WORK / AT_RISK / CRITICAL grades), Zod-strict config loader, suppression filter, and shared types + utilities consumed by `@aegis-scan/scanners`, `@aegis-scan/reporters`, and `@aegis-scan/cli`.
+
+Most consumers should depend on `@aegis-scan/cli` instead — it bundles core, scanners, and reporters into a single CLI binary. This package is exposed for advanced integrations (custom orchestration, programmatic API, custom reporter implementations).
+
+## Install
+
+```bash
+npm install @aegis-scan/core
+```
+
+Node 20+ required.
+
+## Supply-chain integrity
+
+Every published version ships with SLSA v1 provenance:
+
+```bash
+npm audit signatures
+npm view @aegis-scan/core@<version> dist.attestations.provenance.predicateType
+# → https://slsa.dev/provenance/v1
+```
+
+No install-time scripts are declared in any `@aegis-scan/*` package. See the top-level [SECURITY.md](https://github.com/RideMatch1/a.e.g.i.s/blob/main/SECURITY.md) for the full supply-chain integrity posture.
+
+## Links
+
+- **Main repo:** https://github.com/RideMatch1/a.e.g.i.s
+- **CLI on npm:** https://www.npmjs.com/package/@aegis-scan/cli
+- **CHANGELOG:** https://github.com/RideMatch1/a.e.g.i.s/blob/main/CHANGELOG.md
+
+## License
+
+MIT

package/dist/index.d.ts

@@ -9,4 +9,9 @@ export { isTestFile } from './is-test-path.js';
 export { parseSuppressions, isSuppressed, getUnusedSuppressions, getNakedSuppressions, type Suppression, } from './suppressions.js';
 export { globToRegex, configSuppressionMatches, applyPipelineSuppressions, type SuppressionStats, } from './suppression-filter.js';
 export { PRECISION_GATES, SCANNER_TIERS, tierOf, gateFor, passesPrecisionGate, type PrecisionTier, } from './precision-tiers.js';
+export { RoESchema, validateTargetInScope, validateTemporalEnvelope, getAssetCriticality, validateAction, synthesizeMinimalRoE, loadRoE, type RoE, type ValidationDecision, type RoEParseResult, type RoEParseSuccess, type RoEParseFailure, } from './roe/index.js';
+export { emitEvent, makeEvent, findingEvent, isCriticalSeverity, initStateFile, EngagementStateSchema, writeEngagementState, loadEngagementState, newEngagementState, installSignalHandlers, dispatchNotification, sha256, canonicalize, hashCanonical, ChainedEmitter, verifyAuditChain, type EngagementEvent, type EngagementEventBase, type EventSink, type EngagementState, type LoadStateResult, type LoadStateOk, type LoadStateFailure, type DumpReason, type SignalHandlerOptions, type NotificationConfig, type ChainedEmitterOpts, type ChainVerifyResult, type ChainVerifyOk, type ChainVerifyFailure, } from './runtime/index.js';
+export { assignCiaVector, evaluateCiaThreshold, CWE_CIA_DEFAULTS, evaluateApprovalGate, detectIrreversibleActions, evaluateIrreversibleGate, PHASE_TO_AUTONOMY_LEVEL, validateDelegationMatrix, rolesForAction, escalateOnSeverity, escalateOnConfidence, escalateOnComplianceTrigger, type CiaThresholdEvaluation, type AutonomyLevel, type AutonomyLevelPolicy, type AutonomyLevelsConfig, type ApprovalGateDecision, type IrreversibleGateDecision, type DelegationEntry, type AuthorityMatrixValidation, type SeverityEscalationConfig, type ConfidencePauseConfig, type ComplianceTriggerConfig, type EscalationDecision, } from './oversight/index.js';
+export { startKillRequestWatcher, requestKill, startDeadManHeartbeat, runHealthCheck, newHealthCounters, currentHeapMb, errorRate, probeTargetIntegrity, detectScopeBreach, withPhaseTimeout, derivePhaseTimeoutMs, type KillRequestWatcherOptions, type KillRequestWatcherHandle, type HeartbeatOptions, type HeartbeatHandle, type HealthThresholds, type HealthCounters, type HealthCheckResult, type IntegrityProbeBaseline, type IntegrityProbeResult, type IntegrityProbeOptions, type FindingLike, type BreachDetectionResult, type TimeoutResult, type TimeoutOk, type TimeoutFailure, type PhaseTimeoutOptions, } from './safety-controls/index.js';
+export { enforceInstructionBoundary, WRAPPER_ACTION_ALLOWLIST, validateWrapperResponse, detectAuthorityClaim, pinConfig, verifyConfig, safeFetch, classifyIp, isSafeFetchRejection, detectScopeExpansion, composeEgressAllowlist, withEgressEnv, ORCHESTRATOR_ESSENTIALS, validateSandboxMode, wrapForSandbox, preflightSandboxImages, SANDBOX_MODES, DEFAULT_WRAPPER_IMAGES, type WrapperAction, type ResponseValidation, type AuthorityClaim, type AuthorityClaimResult, type ConfigPin, type ConfigVerifyResult, type SafeFetchOptions, type SafeFetchRejection, type SafeFetchRejectReason, type ScopeExpansionKind, type ScopeExpansionResult, type EgressAllowlist, type ComposeEgressAllowlistOptions, type SandboxMode, type SandboxModeValidation, type WrapForSandboxOptions, type WrappedExec, type SandboxPreflightResult, type PreflightSandboxOptions, } from './manipulation-resistance/index.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,YAAY,CAAC;AAC3B,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,cAAc,EAAE,QAAQ,EAAE,QAAQ,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AACpF,OAAO,EAAE,UAAU,EAAE,KAAK,eAAe,EAAE,MAAM,aAAa,CAAC;AAC/D,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AACjD,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,SAAS,EAAE,YAAY,EAAE,mBAAmB,EAAE,eAAe,EAAE,KAAK,UAAU,EAAE,KAAK,WAAW,EAAE,MAAM,YAAY,CAAC;AACnJ,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAC1C,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAC/C,OAAO,EACL,iBAAiB,EACjB,YAAY,EACZ,qBAAqB,EACrB,oBAAoB,EACpB,KAAK,WAAW,GACjB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EACL,WAAW,EACX,wBAAwB,EACxB,yBAAyB,EACzB,KAAK,gBAAgB,GACtB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EACL,eAAe,EACf,aAAa,EACb,MAAM,EACN,OAAO,EACP,mBAAmB,EACnB,KAAK,aAAa,GACnB,MAAM,sBAAsB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,YAAY,CAAC;AAC3B,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,cAAc,EAAE,QAAQ,EAAE,QAAQ,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AACpF,OAAO,EAAE,UAAU,EAAE,KAAK,eAAe,EAAE,MAAM,aAAa,CAAC;AAC/D,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AACjD,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,SAAS,EAAE,YAAY,EAAE,mBAAmB,EAAE,eAAe,EAAE,KAAK,UAAU,EAAE,KAAK,WAAW,EAAE,MAAM,YAAY,CAAC;AACnJ,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAC1C,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAC/C,OAAO,EACL,iBAAiB,EACjB,YAAY,EACZ,qBAAqB,EACrB,oBAAoB,EACpB,KAAK,WAAW,GACjB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EACL,WAAW,EACX,wBAAwB,EACxB,yBAAyB,EACzB,KAAK,gBAAgB,GACtB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EACL,eAAe,EACf,aAAa,EACb,MAAM,EACN,OAAO,EACP,mBAAmB,EACnB,KAAK,aAAa,GACnB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EACL,SAAS,EACT,qBAAqB,EACrB,wBAAwB,EACxB,mBAAmB,EACnB,cAAc,EACd,oBAAoB,EACpB,OAAO,EACP,KAAK,GAAG,EACR,KAAK,kBAAkB,EACvB,KAAK,cAAc,EACnB,KAAK,eAAe,EACpB,KAAK,eAAe,GACrB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EACL,SAAS,EACT,SAAS,EACT,YAAY,EACZ,kBAAkB,EAClB,aAAa,EACb,qBAAqB,EACrB,oBAAoB,EACpB,mBAAmB,EACnB,kBAAkB,EAClB,qBAAqB,EACrB,oBAAoB,EACpB,MAAM,EACN,YAAY,EACZ,aAAa,EACb,cAAc,EACd,gBAAgB,EAChB,KAAK,eAAe,EACpB,KAAK,mBAAmB,EACxB,KAAK,SAAS,EACd,KAAK,eAAe,EACpB,KAAK,eAAe,EACpB,KAAK,WAAW,EAChB,KAAK,gBAAgB,EACrB,KAAK,UAAU,EACf,KAAK,oBAAoB,EACzB,KAAK,kBAAkB,EACvB,KAAK,kBAAkB,EACvB,KAAK,iBAAiB,EACtB,KAAK,aAAa,EAClB,KAAK,kBAAkB,GACxB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EACL,eAAe,EACf,oBAAoB,EACpB,gBAAgB,EAChB,oBAAoB,EACpB,yBAAyB,EACzB,wBAAwB,EACxB,uBAAuB,EACvB,wBAAwB,EACxB,cAAc,EACd,kBAAkB,EAClB,oBAAoB,EACpB,2BAA2B,EAC3B,KAAK,sBAAsB,EAC3B,KAAK,aAAa,EAClB,KAAK,mBAAmB,EACxB,KAAK,oBAAoB,EACzB,KAAK,oBAAoB,EACzB,KAAK,wBAAwB,EAC7B,KAAK,eAAe,EACpB,KAAK,yBAAyB,EAC9B,KAAK,wBAAwB,EAC7B,KAAK,qBAAqB,EAC1B,KAAK,uBAAuB,EAC5B,KAAK,kBAAkB,GACxB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EACL,uBAAuB,EACvB,WAAW,EACX,qBAAqB,EACrB,cAAc,EACd,iBAAiB,EACjB,aAAa,EACb,SAAS,EACT,oBAAoB,EACpB,iBAAiB,EACjB,gBAAgB,EAChB,oBAAoB,EACpB,KAAK,yBAAyB,EAC9B,KAAK,wBAAwB,EAC7B,KAAK,gBAAgB,EACrB,KAAK,eAAe,EACpB,KAAK,gBAAgB,EACrB,KAAK,cAAc,EACnB,KAAK,iBAAiB,EACtB,KAAK,sBAAsB,EAC3B,KAAK,oBAAoB,EACzB,KAAK,qBAAqB,EAC1B,KAAK,WAAW,EAChB,KAAK,qBAAqB,EAC1B,KAAK,aAAa,EAClB,KAAK,SAAS,EACd,KAAK,cAAc,EACnB,KAAK,mBAAmB,GACzB,MAAM,4BAA4B,CAAC;AACpC,OAAO,EACL,0BAA0B,EAC1B,wBAAwB,EACxB,uBAAuB,EACvB,oBAAoB,EACpB,SAAS,EACT,YAAY,EACZ,SAAS,EACT,UAAU,EACV,oBAAoB,EACpB,oBAAoB,EACpB,sBAAsB,EACtB,aAAa,EACb,uBAAuB,EACvB,mBAAmB,EACnB,cAAc,EACd,sBAAsB,EACtB,aAAa,EACb,sBAAsB,EACtB,KAAK,aAAa,EAClB,KAAK,kBAAkB,EACvB,KAAK,cAAc,EACnB,KAAK,oBAAoB,EACzB,KAAK,SAAS,EACd,KAAK,kBAAkB,EACvB,KAAK,gBAAgB,EACrB,KAAK,kBAAkB,EACvB,KAAK,qBAAqB,EAC1B,KAAK,kBAAkB,EACvB,KAAK,oBAAoB,EACzB,KAAK,eAAe,EACpB,KAAK,6BAA6B,EAClC,KAAK,WAAW,EAChB,KAAK,qBAAqB,EAC1B,KAAK,qBAAqB,EAC1B,KAAK,WAAW,EAChB,KAAK,sBAAsB,EAC3B,KAAK,uBAAuB,GAC7B,MAAM,oCAAoC,CAAC"}

package/dist/index.js

@@ -9,4 +9,9 @@ export { isTestFile } from './is-test-path.js';
 export { parseSuppressions, isSuppressed, getUnusedSuppressions, getNakedSuppressions, } from './suppressions.js';
 export { globToRegex, configSuppressionMatches, applyPipelineSuppressions, } from './suppression-filter.js';
 export { PRECISION_GATES, SCANNER_TIERS, tierOf, gateFor, passesPrecisionGate, } from './precision-tiers.js';
+export { RoESchema, validateTargetInScope, validateTemporalEnvelope, getAssetCriticality, validateAction, synthesizeMinimalRoE, loadRoE, } from './roe/index.js';
+export { emitEvent, makeEvent, findingEvent, isCriticalSeverity, initStateFile, EngagementStateSchema, writeEngagementState, loadEngagementState, newEngagementState, installSignalHandlers, dispatchNotification, sha256, canonicalize, hashCanonical, ChainedEmitter, verifyAuditChain, } from './runtime/index.js';
+export { assignCiaVector, evaluateCiaThreshold, CWE_CIA_DEFAULTS, evaluateApprovalGate, detectIrreversibleActions, evaluateIrreversibleGate, PHASE_TO_AUTONOMY_LEVEL, validateDelegationMatrix, rolesForAction, escalateOnSeverity, escalateOnConfidence, escalateOnComplianceTrigger, } from './oversight/index.js';
+export { startKillRequestWatcher, requestKill, startDeadManHeartbeat, runHealthCheck, newHealthCounters, currentHeapMb, errorRate, probeTargetIntegrity, detectScopeBreach, withPhaseTimeout, derivePhaseTimeoutMs, } from './safety-controls/index.js';
+export { enforceInstructionBoundary, WRAPPER_ACTION_ALLOWLIST, validateWrapperResponse, detectAuthorityClaim, pinConfig, verifyConfig, safeFetch, classifyIp, isSafeFetchRejection, detectScopeExpansion, composeEgressAllowlist, withEgressEnv, ORCHESTRATOR_ESSENTIALS, validateSandboxMode, wrapForSandbox, preflightSandboxImages, SANDBOX_MODES, DEFAULT_WRAPPER_IMAGES, } from './manipulation-resistance/index.js';
 //# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,YAAY,CAAC;AAC3B,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,cAAc,EAAE,QAAQ,EAAE,QAAQ,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AACpF,OAAO,EAAE,UAAU,EAAwB,MAAM,aAAa,CAAC;AAC/D,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AACjD,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,SAAS,EAAE,YAAY,EAAE,mBAAmB,EAAE,eAAe,EAAqC,MAAM,YAAY,CAAC;AACnJ,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAC1C,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAC/C,OAAO,EACL,iBAAiB,EACjB,YAAY,EACZ,qBAAqB,EACrB,oBAAoB,GAErB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EACL,WAAW,EACX,wBAAwB,EACxB,yBAAyB,GAE1B,MAAM,yBAAyB,CAAC;AACjC,OAAO,EACL,eAAe,EACf,aAAa,EACb,MAAM,EACN,OAAO,EACP,mBAAmB,GAEpB,MAAM,sBAAsB,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,YAAY,CAAC;AAC3B,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,cAAc,EAAE,QAAQ,EAAE,QAAQ,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AACpF,OAAO,EAAE,UAAU,EAAwB,MAAM,aAAa,CAAC;AAC/D,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AACjD,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,SAAS,EAAE,YAAY,EAAE,mBAAmB,EAAE,eAAe,EAAqC,MAAM,YAAY,CAAC;AACnJ,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAC1C,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAC/C,OAAO,EACL,iBAAiB,EACjB,YAAY,EACZ,qBAAqB,EACrB,oBAAoB,GAErB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EACL,WAAW,EACX,wBAAwB,EACxB,yBAAyB,GAE1B,MAAM,yBAAyB,CAAC;AACjC,OAAO,EACL,eAAe,EACf,aAAa,EACb,MAAM,EACN,OAAO,EACP,mBAAmB,GAEpB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EACL,SAAS,EACT,qBAAqB,EACrB,wBAAwB,EACxB,mBAAmB,EACnB,cAAc,EACd,oBAAoB,EACpB,OAAO,GAMR,MAAM,gBAAgB,CAAC;AACxB,OAAO,EACL,SAAS,EACT,SAAS,EACT,YAAY,EACZ,kBAAkB,EAClB,aAAa,EACb,qBAAqB,EACrB,oBAAoB,EACpB,mBAAmB,EACnB,kBAAkB,EAClB,qBAAqB,EACrB,oBAAoB,EACpB,MAAM,EACN,YAAY,EACZ,aAAa,EACb,cAAc,EACd,gBAAgB,GAejB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EACL,eAAe,EACf,oBAAoB,EACpB,gBAAgB,EAChB,oBAAoB,EACpB,yBAAyB,EACzB,wBAAwB,EACxB,uBAAuB,EACvB,wBAAwB,EACxB,cAAc,EACd,kBAAkB,EAClB,oBAAoB,EACpB,2BAA2B,GAa5B,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EACL,uBAAuB,EACvB,WAAW,EACX,qBAAqB,EACrB,cAAc,EACd,iBAAiB,EACjB,aAAa,EACb,SAAS,EACT,oBAAoB,EACpB,iBAAiB,EACjB,gBAAgB,EAChB,oBAAoB,GAiBrB,MAAM,4BAA4B,CAAC;AACpC,OAAO,EACL,0BAA0B,EAC1B,wBAAwB,EACxB,uBAAuB,EACvB,oBAAoB,EACpB,SAAS,EACT,YAAY,EACZ,SAAS,EACT,UAAU,EACV,oBAAoB,EACpB,oBAAoB,EACpB,sBAAsB,EACtB,aAAa,EACb,uBAAuB,EACvB,mBAAmB,EACnB,cAAc,EACd,sBAAsB,EACtB,aAAa,EACb,sBAAsB,GAoBvB,MAAM,oCAAoC,CAAC"}

package/dist/manipulation-resistance/ai-io-boundary.d.ts

@@ -0,0 +1,84 @@
+import type { EgressAllowlist } from './oob-blocker.js';
+export type SandboxMode = 'docker' | 'firejail' | 'none';
+export declare const SANDBOX_MODES: readonly SandboxMode[];
+/**
+ * Per-wrapper container image map. Operators may override via
+ * RoE.sandboxing.image_overrides; defaults below assume the operator
+ * has built/pulled the image under the canonical tag.
+ */
+export declare const DEFAULT_WRAPPER_IMAGES: Readonly<Record<string, string>>;
+export interface WrapForSandboxOptions {
+    /** Custom docker network to attach the container to (egress allowlist enforcement). */
+    dockerNetwork?: string;
+    /** Per-wrapper image override. Falls back to DEFAULT_WRAPPER_IMAGES. */
+    imageOverride?: string;
+    /** Egress allowlist to mount as env (works in all modes; enforced in docker). */
+    allowlist?: EgressAllowlist;
+    /** Extra docker run security flags. Sensible defaults applied; do not disable lightly. */
+    extraDockerArgs?: readonly string[];
+}
+export interface WrappedExec {
+    binary: string;
+    args: string[];
+    /** Env additions the wrapper should pass through to exec. */
+    envAdditions: NodeJS.ProcessEnv;
+    /** True when the original (binary, args) were rewritten through a sandboxer. */
+    sandboxed: boolean;
+    /** Diagnostic — what mode actually applied (might be 'none' on unmapped wrapper). */
+    mode_applied: SandboxMode;
+}
+export interface SandboxModeValidation {
+    ok: boolean;
+    mode?: SandboxMode;
+    reason?: string;
+}
+/**
+ * Validate an operator-supplied --sandbox-mode value.
+ */
+export declare function validateSandboxMode(input: string | undefined): SandboxModeValidation;
+/**
+ * Wrap a wrapper exec call through the chosen sandbox mode. Returns
+ * { binary, args, envAdditions, sandboxed, mode_applied }. When mode is
+ * 'none' (or the wrapper has no image mapping), the original tuple is
+ * returned with sandboxed=false so the caller still observes that the
+ * wrapper ran un-sandboxed.
+ */
+export declare function wrapForSandbox(wrapperName: string, binary: string, args: readonly string[], mode: SandboxMode, opts?: WrapForSandboxOptions): WrappedExec;
+export interface SandboxPreflightResult {
+    ok: boolean;
+    /** Missing wrapper images (map: wrapperName → image tag). */
+    missing_images: Record<string, string>;
+    /** True when the egress docker network is missing. */
+    missing_network: boolean;
+    /** Network name that was checked. */
+    network_name: string;
+    /** Operator-readable instruction block for fixing the missing artifacts. */
+    remediation?: string;
+    /** APTS refs the preflight closes when ok=true. */
+    apts_refs: string[];
+}
+export interface PreflightSandboxOptions {
+    /** Wrappers required by the engagement (e.g. ['strix','ptai']). */
+    wrappers: readonly string[];
+    /** Per-wrapper image override (RoE.sandboxing.image_overrides). */
+    imageOverrides?: Readonly<Record<string, string>>;
+    /** Custom egress network. Defaults to 'aegis-egress'. */
+    dockerNetwork?: string;
+    /**
+     * Probe function for testability. Defaults to running
+     * `docker image inspect <ref>` / `docker network inspect <name>`.
+     * Should resolve true when artifact exists, false otherwise.
+     */
+    probe?: (kind: 'image' | 'network', ref: string) => boolean;
+}
+/**
+ * Preflight check for `--sandbox-mode=docker`. Verifies every required
+ * wrapper image is present locally and the egress network exists.
+ * Returns `ok=false` with a remediation block when artifacts are missing.
+ *
+ * Call this at engagement start (after `validateSandboxMode` resolves to
+ * 'docker') and halt the engagement when ok=false. Closes the audit-flagged
+ * gap where docker-mode could be selected against non-existent images.
+ */
+export declare function preflightSandboxImages(opts: PreflightSandboxOptions): SandboxPreflightResult;
+//# sourceMappingURL=ai-io-boundary.d.ts.map

package/dist/manipulation-resistance/ai-io-boundary.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ai-io-boundary.d.ts","sourceRoot":"","sources":["../../src/manipulation-resistance/ai-io-boundary.ts"],"names":[],"mappings":"AA4BA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAExD,MAAM,MAAM,WAAW,GAAG,QAAQ,GAAG,UAAU,GAAG,MAAM,CAAC;AAEzD,eAAO,MAAM,aAAa,EAAE,SAAS,WAAW,EAI9C,CAAC;AAEH;;;;GAIG;AACH,eAAO,MAAM,sBAAsB,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAIlE,CAAC;AAEH,MAAM,WAAW,qBAAqB;IACpC,uFAAuF;IACvF,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,wEAAwE;IACxE,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,iFAAiF;IACjF,SAAS,CAAC,EAAE,eAAe,CAAC;IAC5B,0FAA0F;IAC1F,eAAe,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;CACrC;AAED,MAAM,WAAW,WAAW;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,6DAA6D;IAC7D,YAAY,EAAE,MAAM,CAAC,UAAU,CAAC;IAChC,gFAAgF;IAChF,SAAS,EAAE,OAAO,CAAC;IACnB,qFAAqF;IACrF,YAAY,EAAE,WAAW,CAAC;CAC3B;AAED,MAAM,WAAW,qBAAqB;IACpC,EAAE,EAAE,OAAO,CAAC;IACZ,IAAI,CAAC,EAAE,WAAW,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,MAAM,GAAG,SAAS,GAAG,qBAAqB,CAUpF;AAED;;;;;;GAMG;AACH,wBAAgB,cAAc,CAC5B,WAAW,EAAE,MAAM,EACnB,MAAM,EAAE,MAAM,EACd,IAAI,EAAE,SAAS,MAAM,EAAE,EACvB,IAAI,EAAE,WAAW,EACjB,IAAI,GAAE,qBAA0B,GAC/B,WAAW,CA6Eb;AAKD,MAAM,WAAW,sBAAsB;IACrC,EAAE,EAAE,OAAO,CAAC;IACZ,6DAA6D;IAC7D,cAAc,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACvC,sDAAsD;IACtD,eAAe,EAAE,OAAO,CAAC;IACzB,qCAAqC;IACrC,YAAY,EAAE,MAAM,CAAC;IACrB,4EAA4E;IAC5E,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,mDAAmD;IACnD,SAAS,EAAE,MAAM,EAAE,CAAC;CACrB;AAED,MAAM,WAAW,uBAAuB;IACtC,mEAAmE;IACnE,QAAQ,EAAE,SAAS,MAAM,EAAE,CAAC;IAC5B,mEAAmE;IACnE,cAAc,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;IAClD,yDAAyD;IACzD,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB;;;;OAIG;IACH,KAAK,CAAC,EAAE,CAAC,IAAI,EAAE,OAAO,GAAG,SAAS,EAAE,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC;CAC7D;AAkBD;;;;;;;;GAQG;AACH,wBAAgB,sBAAsB,CACpC,IAAI,EAAE,uBAAuB,GAC5B,sBAAsB,CAoDxB"}

package/dist/manipulation-resistance/ai-io-boundary.js

@@ -0,0 +1,216 @@
+/**
+ * AI model input/output architectural boundary.
+ *
+ * Closes APTS-MR-018 (AI Model Input/Output Architectural Boundary).
+ *
+ * Design notes:
+ *   - LLM-pentest wrappers run as full-privilege child processes by
+ *     default. APTS-MR-018 mandates an architectural boundary —
+ *     sandboxed process, restricted FS, restricted network egress.
+ *   - AEGIS exposes a `--sandbox-mode <docker|firejail|none>` siege
+ *     flag. Default is `none` for back-compat. When the operator opts
+ *     in, AEGIS rewrites every wrapper invocation through the chosen
+ *     sandboxer so that the wrapper executes inside the boundary.
+ *   - `wrapForSandbox` produces the transformation. Wrapper code calls
+ *     it before exec; if mode is 'none' the call is a no-op pass-through.
+ *   - For docker mode, AEGIS expects a per-wrapper container image
+ *     to exist locally (operator-provisioned via
+ *     `dockerfiles/sandboxes/build.sh`). The wrapper-image map keys off
+ *     the wrapper name; an unmapped wrapper falls back to pass-through
+ *     with an explicit warning so unsupported wrappers do not silently
+ *     bypass the boundary.
+ *   - `preflightSandboxImages` runs at engagement-start when
+ *     --sandbox-mode=docker is selected and verifies that every
+ *     required image and the egress network exist. Missing artifacts
+ *     produce a clear instruction-rich error so operators see exactly
+ *     what to build before re-running.
+ */
+import { execFileSync } from 'node:child_process';
+export const SANDBOX_MODES = Object.freeze([
+    'docker',
+    'firejail',
+    'none',
+]);
+/**
+ * Per-wrapper container image map. Operators may override via
+ * RoE.sandboxing.image_overrides; defaults below assume the operator
+ * has built/pulled the image under the canonical tag.
+ */
+export const DEFAULT_WRAPPER_IMAGES = Object.freeze({
+    strix: 'aegis/strix-sandbox:latest',
+    ptai: 'aegis/ptai-sandbox:latest',
+    pentestswarm: 'aegis/pentestswarm-sandbox:latest',
+});
+/**
+ * Validate an operator-supplied --sandbox-mode value.
+ */
+export function validateSandboxMode(input) {
+    if (input === undefined || input === '')
+        return { ok: true, mode: 'none' };
+    const lower = input.toLowerCase();
+    if (SANDBOX_MODES.includes(lower)) {
+        return { ok: true, mode: lower };
+    }
+    return {
+        ok: false,
+        reason: `unknown --sandbox-mode "${input}"; valid: ${SANDBOX_MODES.join(', ')}`,
+    };
+}
+/**
+ * Wrap a wrapper exec call through the chosen sandbox mode. Returns
+ * { binary, args, envAdditions, sandboxed, mode_applied }. When mode is
+ * 'none' (or the wrapper has no image mapping), the original tuple is
+ * returned with sandboxed=false so the caller still observes that the
+ * wrapper ran un-sandboxed.
+ */
+export function wrapForSandbox(wrapperName, binary, args, mode, opts = {}) {
+    const envAdditions = {
+        AEGIS_SANDBOX_MODE: mode,
+    };
+    if (opts.allowlist) {
+        envAdditions.AEGIS_EGRESS_ALLOWLIST = opts.allowlist.envValue;
+    }
+    if (mode === 'none') {
+        return {
+            binary,
+            args: [...args],
+            envAdditions,
+            sandboxed: false,
+            mode_applied: 'none',
+        };
+    }
+    if (mode === 'firejail') {
+        // Conservative profile: read-only root FS, drop network namespace
+        // unless the operator opts back in via allowlist, no IPC namespace.
+        const firejailArgs = [
+            '--quiet',
+            '--noprofile',
+            '--read-only=/',
+            '--ipc-namespace',
+            '--noroot',
+            '--',
+            binary,
+            ...args,
+        ];
+        return {
+            binary: 'firejail',
+            args: firejailArgs,
+            envAdditions,
+            sandboxed: true,
+            mode_applied: 'firejail',
+        };
+    }
+    // docker mode
+    const image = opts.imageOverride ?? DEFAULT_WRAPPER_IMAGES[wrapperName];
+    if (!image) {
+        // Unmapped wrapper — fall back to pass-through but loud about it.
+        return {
+            binary,
+            args: [...args],
+            envAdditions: {
+                ...envAdditions,
+                AEGIS_SANDBOX_FALLBACK: `unmapped-wrapper:${wrapperName}`,
+            },
+            sandboxed: false,
+            mode_applied: 'none',
+        };
+    }
+    const network = opts.dockerNetwork ?? 'aegis-egress';
+    const baseDockerArgs = [
+        'run',
+        '--rm',
+        `--network=${network}`,
+        '--security-opt=no-new-privileges',
+        '--cap-drop=ALL',
+        '--read-only',
+        '--tmpfs=/tmp',
+        ...(opts.extraDockerArgs ?? []),
+    ];
+    if (opts.allowlist) {
+        baseDockerArgs.push('--env', `AEGIS_EGRESS_ALLOWLIST=${opts.allowlist.envValue}`);
+    }
+    baseDockerArgs.push(image, ...args);
+    return {
+        binary: 'docker',
+        args: baseDockerArgs,
+        envAdditions,
+        sandboxed: true,
+        mode_applied: 'docker',
+    };
+}
+function defaultDockerProbe(kind, ref) {
+    // execFileSync (no shell) — argv is passed as an array so neither `kind`
+    // nor `ref` can be interpreted as shell metacharacters even when the RoE
+    // config supplies an unusual image name. Closes CodeQL
+    // js/shell-command-constructed-from-input.
+    try {
+        execFileSync('docker', [kind, 'inspect', ref], {
+            stdio: ['ignore', 'ignore', 'ignore'],
+            timeout: 10_000,
+        });
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Preflight check for `--sandbox-mode=docker`. Verifies every required
+ * wrapper image is present locally and the egress network exists.
+ * Returns `ok=false` with a remediation block when artifacts are missing.
+ *
+ * Call this at engagement start (after `validateSandboxMode` resolves to
+ * 'docker') and halt the engagement when ok=false. Closes the audit-flagged
+ * gap where docker-mode could be selected against non-existent images.
+ */
+export function preflightSandboxImages(opts) {
+    const probe = opts.probe ?? defaultDockerProbe;
+    const networkName = opts.dockerNetwork ?? 'aegis-egress';
+    const overrides = opts.imageOverrides ?? {};
+    const missing_images = {};
+    for (const wrapper of opts.wrappers) {
+        const image = overrides[wrapper] ?? DEFAULT_WRAPPER_IMAGES[wrapper];
+        if (!image)
+            continue; // unmapped wrapper — wrapForSandbox falls back
+        if (!probe('image', image)) {
+            missing_images[wrapper] = image;
+        }
+    }
+    const missing_network = !probe('network', networkName);
+    const ok = missing_network === false && Object.keys(missing_images).length === 0;
+    let remediation;
+    if (!ok) {
+        const lines = [
+            'APTS-MR-018 sandbox preflight failed.',
+            '',
+        ];
+        if (Object.keys(missing_images).length > 0) {
+            lines.push('Missing docker images:');
+            for (const [wrapper, image] of Object.entries(missing_images)) {
+                lines.push(`  - ${wrapper}: ${image}`);
+            }
+            lines.push('');
+            lines.push('Build them with:');
+            lines.push('  bash dockerfiles/sandboxes/build.sh');
+            lines.push('');
+        }
+        if (missing_network) {
+            lines.push(`Missing docker network: ${networkName}`);
+            lines.push('Create with:');
+            lines.push(`  docker network create --driver=bridge --internal ${networkName}`);
+            lines.push('(or run the build script which creates it automatically.)');
+            lines.push('');
+        }
+        lines.push('After fixing, re-run with --sandbox-mode=docker.');
+        remediation = lines.join('\n');
+    }
+    return {
+        ok,
+        missing_images,
+        missing_network,
+        network_name: networkName,
+        remediation,
+        apts_refs: ['APTS-MR-018'],
+    };
+}
+//# sourceMappingURL=ai-io-boundary.js.map

package/dist/manipulation-resistance/ai-io-boundary.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ai-io-boundary.js","sourceRoot":"","sources":["../../src/manipulation-resistance/ai-io-boundary.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAKlD,MAAM,CAAC,MAAM,aAAa,GAA2B,MAAM,CAAC,MAAM,CAAC;IACjE,QAAQ;IACR,UAAU;IACV,MAAM;CACP,CAAC,CAAC;AAEH;;;;GAIG;AACH,MAAM,CAAC,MAAM,sBAAsB,GAAqC,MAAM,CAAC,MAAM,CAAC;IACpF,KAAK,EAAE,4BAA4B;IACnC,IAAI,EAAE,2BAA2B;IACjC,YAAY,EAAE,mCAAmC;CAClD,CAAC,CAAC;AA8BH;;GAEG;AACH,MAAM,UAAU,mBAAmB,CAAC,KAAyB;IAC3D,IAAI,KAAK,KAAK,SAAS,IAAI,KAAK,KAAK,EAAE;QAAE,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;IAC3E,MAAM,KAAK,GAAG,KAAK,CAAC,WAAW,EAAE,CAAC;IAClC,IAAK,aAAmC,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;QACzD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,KAAoB,EAAE,CAAC;IAClD,CAAC;IACD,OAAO;QACL,EAAE,EAAE,KAAK;QACT,MAAM,EAAE,2BAA2B,KAAK,aAAa,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;KAChF,CAAC;AACJ,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,cAAc,CAC5B,WAAmB,EACnB,MAAc,EACd,IAAuB,EACvB,IAAiB,EACjB,OAA8B,EAAE;IAEhC,MAAM,YAAY,GAAsB;QACtC,kBAAkB,EAAE,IAAI;KACzB,CAAC;IACF,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;QACnB,YAAY,CAAC,sBAAsB,GAAG,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC;IAChE,CAAC;IAED,IAAI,IAAI,KAAK,MAAM,EAAE,CAAC;QACpB,OAAO;YACL,MAAM;YACN,IAAI,EAAE,CAAC,GAAG,IAAI,CAAC;YACf,YAAY;YACZ,SAAS,EAAE,KAAK;YAChB,YAAY,EAAE,MAAM;SACrB,CAAC;IACJ,CAAC;IAED,IAAI,IAAI,KAAK,UAAU,EAAE,CAAC;QACxB,kEAAkE;QAClE,oEAAoE;QACpE,MAAM,YAAY,GAAG;YACnB,SAAS;YACT,aAAa;YACb,eAAe;YACf,iBAAiB;YACjB,UAAU;YACV,IAAI;YACJ,MAAM;YACN,GAAG,IAAI;SACR,CAAC;QACF,OAAO;YACL,MAAM,EAAE,UAAU;YAClB,IAAI,EAAE,YAAY;YAClB,YAAY;YACZ,SAAS,EAAE,IAAI;YACf,YAAY,EAAE,UAAU;SACzB,CAAC;IACJ,CAAC;IAED,cAAc;IACd,MAAM,KAAK,GAAG,IAAI,CAAC,aAAa,IAAI,sBAAsB,CAAC,WAAW,CAAC,CAAC;IACxE,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,kEAAkE;QAClE,OAAO;YACL,MAAM;YACN,IAAI,EAAE,CAAC,GAAG,IAAI,CAAC;YACf,YAAY,EAAE;gBACZ,GAAG,YAAY;gBACf,sBAAsB,EAAE,oBAAoB,WAAW,EAAE;aAC1D;YACD,SAAS,EAAE,KAAK;YAChB,YAAY,EAAE,MAAM;SACrB,CAAC;IACJ,CAAC;IACD,MAAM,OAAO,GAAG,IAAI,CAAC,aAAa,IAAI,cAAc,CAAC;IACrD,MAAM,cAAc,GAAG;QACrB,KAAK;QACL,MAAM;QACN,aAAa,OAAO,EAAE;QACtB,kCAAkC;QAClC,gBAAgB;QAChB,aAAa;QACb,cAAc;QACd,GAAG,CAAC,IAAI,CAAC,eAAe,IAAI,EAAE,CAAC;KAChC,CAAC;IACF,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;QACnB,cAAc,CAAC,IAAI,CAAC,OAAO,EAAE,0BAA0B,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,CAAC,CAAC;IACpF,CAAC;IACD,cAAc,CAAC,IAAI,CAAC,KAAK,EAAE,GAAG,IAAI,CAAC,CAAC;IACpC,OAAO;QACL,MAAM,EAAE,QAAQ;QAChB,IAAI,EAAE,cAAc;QACpB,YAAY;QACZ,SAAS,EAAE,IAAI;QACf,YAAY,EAAE,QAAQ;KACvB,CAAC;AACJ,CAAC;AAkCD,SAAS,kBAAkB,CAAC,IAAyB,EAAE,GAAW;IAChE,yEAAyE;IACzE,yEAAyE;IACzE,uDAAuD;IACvD,2CAA2C;IAC3C,IAAI,CAAC;QACH,YAAY,CAAC,QAAQ,EAAE,CAAC,IAAI,EAAE,SAAS,EAAE,GAAG,CAAC,EAAE;YAC7C,KAAK,EAAE,CAAC,QAAQ,EAAE,QAAQ,EAAE,QAAQ,CAAC;YACrC,OAAO,EAAE,MAAM;SAChB,CAAC,CAAC;QACH,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,sBAAsB,CACpC,IAA6B;IAE7B,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,IAAI,kBAAkB,CAAC;IAC/C,MAAM,WAAW,GAAG,IAAI,CAAC,aAAa,IAAI,cAAc,CAAC;IACzD,MAAM,SAAS,GAAG,IAAI,CAAC,cAAc,IAAI,EAAE,CAAC;IAC5C,MAAM,cAAc,GAA2B,EAAE,CAAC;IAElD,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;QACpC,MAAM,KAAK,GAAG,SAAS,CAAC,OAAO,CAAC,IAAI,sBAAsB,CAAC,OAAO,CAAC,CAAC;QACpE,IAAI,CAAC,KAAK;YAAE,SAAS,CAAC,+CAA+C;QACrE,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,EAAE,CAAC;YAC3B,cAAc,CAAC,OAAO,CAAC,GAAG,KAAK,CAAC;QAClC,CAAC;IACH,CAAC;IAED,MAAM,eAAe,GAAG,CAAC,KAAK,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC;IACvD,MAAM,EAAE,GAAG,eAAe,KAAK,KAAK,IAAI,MAAM,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC;IAEjF,IAAI,WAA+B,CAAC;IACpC,IAAI,CAAC,EAAE,EAAE,CAAC;QACR,MAAM,KAAK,GAAa;YACtB,uCAAuC;YACvC,EAAE;SACH,CAAC;QACF,IAAI,MAAM,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC3C,KAAK,CAAC,IAAI,CAAC,wBAAwB,CAAC,CAAC;YACrC,KAAK,MAAM,CAAC,OAAO,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,cAAc,CAAC,EAAE,CAAC;gBAC9D,KAAK,CAAC,IAAI,CAAC,OAAO,OAAO,KAAK,KAAK,EAAE,CAAC,CAAC;YACzC,CAAC;YACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACf,KAAK,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;YAC/B,KAAK,CAAC,IAAI,CAAC,uCAAuC,CAAC,CAAC;YACpD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACjB,CAAC;QACD,IAAI,eAAe,EAAE,CAAC;YACpB,KAAK,CAAC,IAAI,CAAC,2BAA2B,WAAW,EAAE,CAAC,CAAC;YACrD,KAAK,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;YAC3B,KAAK,CAAC,IAAI,CAAC,sDAAsD,WAAW,EAAE,CAAC,CAAC;YAChF,KAAK,CAAC,IAAI,CAAC,2DAA2D,CAAC,CAAC;YACxE,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACjB,CAAC;QACD,KAAK,CAAC,IAAI,CAAC,kDAAkD,CAAC,CAAC;QAC/D,WAAW,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACjC,CAAC;IAED,OAAO;QACL,EAAE;QACF,cAAc;QACd,eAAe;QACf,YAAY,EAAE,WAAW;QACzB,WAAW;QACX,SAAS,EAAE,CAAC,aAAa,CAAC;KAC3B,CAAC;AACJ,CAAC"}

package/dist/manipulation-resistance/config-integrity.d.ts

@@ -0,0 +1,28 @@
+export interface ConfigPin {
+    /** Lowercase-hex SHA-256 of the canonical-JSON serialization. */
+    hash: string;
+    /** ISO-8601 timestamp when the pin was created. */
+    pinned_at: string;
+    /** Operator-supplied label for audit traceability (e.g. "roe", "aegis-config"). */
+    label: string;
+}
+export interface ConfigVerifyResult {
+    ok: boolean;
+    reason?: string;
+    /** Hash that was actually computed (for mismatch reporting). */
+    observed_hash?: string;
+    apts_refs: string[];
+}
+/**
+ * Pin a config value at engagement-start. The returned pin is the
+ * source of truth for subsequent verifications. Caller should emit a
+ * scope-validation or audit event recording the pin.
+ */
+export declare function pinConfig(label: string, config: unknown): ConfigPin;
+/**
+ * Verify the current in-memory config against a previous pin. Returns
+ * { ok: true } on match or { ok: false, reason, observed_hash } on
+ * mismatch. Callers should halt the engagement on mismatch.
+ */
+export declare function verifyConfig(config: unknown, pin: ConfigPin): ConfigVerifyResult;
+//# sourceMappingURL=config-integrity.d.ts.map

package/dist/manipulation-resistance/config-integrity.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config-integrity.d.ts","sourceRoot":"","sources":["../../src/manipulation-resistance/config-integrity.ts"],"names":[],"mappings":"AAoBA,MAAM,WAAW,SAAS;IACxB,iEAAiE;IACjE,IAAI,EAAE,MAAM,CAAC;IACb,mDAAmD;IACnD,SAAS,EAAE,MAAM,CAAC;IAClB,mFAAmF;IACnF,KAAK,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,kBAAkB;IACjC,EAAE,EAAE,OAAO,CAAC;IACZ,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,gEAAgE;IAChE,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,SAAS,EAAE,MAAM,EAAE,CAAC;CACrB;AAED;;;;GAIG;AACH,wBAAgB,SAAS,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,GAAG,SAAS,CAMnE;AAED;;;;GAIG;AACH,wBAAgB,YAAY,CAAC,MAAM,EAAE,OAAO,EAAE,GAAG,EAAE,SAAS,GAAG,kBAAkB,CAehF"}

package/dist/manipulation-resistance/config-integrity.js

@@ -0,0 +1,53 @@
+/**
+ * Configuration-file integrity verification.
+ *
+ * Closes APTS-MR-004 (Configuration File Integrity Verification) +
+ * APTS-MR-012 (Immutable Scope Enforcement Architecture).
+ *
+ * Design notes:
+ *   - At engagement-start, AEGIS pins a SHA-256 hash of the canonical
+ *     form of every operator-supplied config (RoE + aegis.config.json).
+ *     The pin is timestamped and emitted into the audit channel.
+ *   - At every phase boundary, AEGIS re-hashes the in-memory config and
+ *     compares against the pin. A mismatch indicates either a runtime
+ *     mutation (memory tamper, plugin drift) or a stale fixture, and
+ *     the engagement halts with an explicit reason.
+ *   - MR-012 (immutable scope) is closed jointly: the SHA-256 pin
+ *     covers RoE.in_scope/out_of_scope, so any post-pin change to
+ *     scope is detected at the next verification.
+ */
+import { hashCanonical } from '../runtime/hash.js';
+/**
+ * Pin a config value at engagement-start. The returned pin is the
+ * source of truth for subsequent verifications. Caller should emit a
+ * scope-validation or audit event recording the pin.
+ */
+export function pinConfig(label, config) {
+    return {
+        hash: hashCanonical(config),
+        pinned_at: new Date().toISOString(),
+        label,
+    };
+}
+/**
+ * Verify the current in-memory config against a previous pin. Returns
+ * { ok: true } on match or { ok: false, reason, observed_hash } on
+ * mismatch. Callers should halt the engagement on mismatch.
+ */
+export function verifyConfig(config, pin) {
+    const observed = hashCanonical(config);
+    if (observed !== pin.hash) {
+        return {
+            ok: false,
+            reason: `config "${pin.label}" integrity check failed: pinned ${pin.hash} at ${pin.pinned_at}, observed ${observed}`,
+            observed_hash: observed,
+            apts_refs: ['APTS-MR-004', 'APTS-MR-012'],
+        };
+    }
+    return {
+        ok: true,
+        observed_hash: observed,
+        apts_refs: ['APTS-MR-004', 'APTS-MR-012'],
+    };
+}
+//# sourceMappingURL=config-integrity.js.map

package/dist/manipulation-resistance/config-integrity.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config-integrity.js","sourceRoot":"","sources":["../../src/manipulation-resistance/config-integrity.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AACH,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAmBnD;;;;GAIG;AACH,MAAM,UAAU,SAAS,CAAC,KAAa,EAAE,MAAe;IACtD,OAAO;QACL,IAAI,EAAE,aAAa,CAAC,MAAM,CAAC;QAC3B,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,KAAK;KACN,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,YAAY,CAAC,MAAe,EAAE,GAAc;IAC1D,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IACvC,IAAI,QAAQ,KAAK,GAAG,CAAC,IAAI,EAAE,CAAC;QAC1B,OAAO;YACL,EAAE,EAAE,KAAK;YACT,MAAM,EAAE,WAAW,GAAG,CAAC,KAAK,oCAAoC,GAAG,CAAC,IAAI,OAAO,GAAG,CAAC,SAAS,cAAc,QAAQ,EAAE;YACpH,aAAa,EAAE,QAAQ;YACvB,SAAS,EAAE,CAAC,aAAa,EAAE,aAAa,CAAC;SAC1C,CAAC;IACJ,CAAC;IACD,OAAO;QACL,EAAE,EAAE,IAAI;QACR,aAAa,EAAE,QAAQ;QACvB,SAAS,EAAE,CAAC,aAAa,EAAE,aAAa,CAAC;KAC1C,CAAC;AACJ,CAAC"}

package/dist/manipulation-resistance/index.d.ts

@@ -0,0 +1,16 @@
+/**
+ * Manipulation Resistance public surface.
+ *
+ * Closes APTS Tier-1 Manipulation Resistance domain (MR-001/002/004/005/
+ * 007/008/009/010/011/012/018). Each module documents its individual
+ * APTS coverage; this barrel re-exports everything operator/orchestrator
+ * code needs.
+ */
+export { enforceInstructionBoundary, WRAPPER_ACTION_ALLOWLIST, type WrapperAction, } from './instruction-boundary.js';
+export { validateWrapperResponse, detectAuthorityClaim, type ResponseValidation, type AuthorityClaim, type AuthorityClaimResult, } from './response-validator.js';
+export { pinConfig, verifyConfig, type ConfigPin, type ConfigVerifyResult, } from './config-integrity.js';
+export { safeFetch, classifyIp, isSafeFetchRejection, type SafeFetchOptions, type SafeFetchRejection, type SafeFetchRejectReason, } from './redirect-policy.js';
+export { detectScopeExpansion, type ScopeExpansionKind, type ScopeExpansionResult, } from './scope-expansion-detector.js';
+export { composeEgressAllowlist, withEgressEnv, ORCHESTRATOR_ESSENTIALS, type EgressAllowlist, type ComposeEgressAllowlistOptions, } from './oob-blocker.js';
+export { validateSandboxMode, wrapForSandbox, preflightSandboxImages, SANDBOX_MODES, DEFAULT_WRAPPER_IMAGES, type SandboxMode, type SandboxModeValidation, type WrapForSandboxOptions, type WrappedExec, type SandboxPreflightResult, type PreflightSandboxOptions, } from './ai-io-boundary.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/manipulation-resistance/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/manipulation-resistance/index.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AACH,OAAO,EACL,0BAA0B,EAC1B,wBAAwB,EACxB,KAAK,aAAa,GACnB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EACL,uBAAuB,EACvB,oBAAoB,EACpB,KAAK,kBAAkB,EACvB,KAAK,cAAc,EACnB,KAAK,oBAAoB,GAC1B,MAAM,yBAAyB,CAAC;AAEjC,OAAO,EACL,SAAS,EACT,YAAY,EACZ,KAAK,SAAS,EACd,KAAK,kBAAkB,GACxB,MAAM,uBAAuB,CAAC;AAE/B,OAAO,EACL,SAAS,EACT,UAAU,EACV,oBAAoB,EACpB,KAAK,gBAAgB,EACrB,KAAK,kBAAkB,EACvB,KAAK,qBAAqB,GAC3B,MAAM,sBAAsB,CAAC;AAE9B,OAAO,EACL,oBAAoB,EACpB,KAAK,kBAAkB,EACvB,KAAK,oBAAoB,GAC1B,MAAM,+BAA+B,CAAC;AAEvC,OAAO,EACL,sBAAsB,EACtB,aAAa,EACb,uBAAuB,EACvB,KAAK,eAAe,EACpB,KAAK,6BAA6B,GACnC,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EACL,mBAAmB,EACnB,cAAc,EACd,sBAAsB,EACtB,aAAa,EACb,sBAAsB,EACtB,KAAK,WAAW,EAChB,KAAK,qBAAqB,EAC1B,KAAK,qBAAqB,EAC1B,KAAK,WAAW,EAChB,KAAK,sBAAsB,EAC3B,KAAK,uBAAuB,GAC7B,MAAM,qBAAqB,CAAC"}

package/dist/manipulation-resistance/index.js

@@ -0,0 +1,16 @@
+/**
+ * Manipulation Resistance public surface.
+ *
+ * Closes APTS Tier-1 Manipulation Resistance domain (MR-001/002/004/005/
+ * 007/008/009/010/011/012/018). Each module documents its individual
+ * APTS coverage; this barrel re-exports everything operator/orchestrator
+ * code needs.
+ */
+export { enforceInstructionBoundary, WRAPPER_ACTION_ALLOWLIST, } from './instruction-boundary.js';
+export { validateWrapperResponse, detectAuthorityClaim, } from './response-validator.js';
+export { pinConfig, verifyConfig, } from './config-integrity.js';
+export { safeFetch, classifyIp, isSafeFetchRejection, } from './redirect-policy.js';
+export { detectScopeExpansion, } from './scope-expansion-detector.js';
+export { composeEgressAllowlist, withEgressEnv, ORCHESTRATOR_ESSENTIALS, } from './oob-blocker.js';
+export { validateSandboxMode, wrapForSandbox, preflightSandboxImages, SANDBOX_MODES, DEFAULT_WRAPPER_IMAGES, } from './ai-io-boundary.js';
+//# sourceMappingURL=index.js.map

package/dist/manipulation-resistance/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/manipulation-resistance/index.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AACH,OAAO,EACL,0BAA0B,EAC1B,wBAAwB,GAEzB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EACL,uBAAuB,EACvB,oBAAoB,GAIrB,MAAM,yBAAyB,CAAC;AAEjC,OAAO,EACL,SAAS,EACT,YAAY,GAGb,MAAM,uBAAuB,CAAC;AAE/B,OAAO,EACL,SAAS,EACT,UAAU,EACV,oBAAoB,GAIrB,MAAM,sBAAsB,CAAC;AAE9B,OAAO,EACL,oBAAoB,GAGrB,MAAM,+BAA+B,CAAC;AAEvC,OAAO,EACL,sBAAsB,EACtB,aAAa,EACb,uBAAuB,GAGxB,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EACL,mBAAmB,EACnB,cAAc,EACd,sBAAsB,EACtB,aAAa,EACb,sBAAsB,GAOvB,MAAM,qBAAqB,CAAC"}

package/dist/manipulation-resistance/instruction-boundary.d.ts

@@ -0,0 +1,50 @@
+/**
+ * Instruction-boundary enforcement.
+ *
+ * Closes APTS-MR-001 (Instruction Boundary Enforcement Architecture).
+ *
+ * Design notes:
+ *   - LLM-pentest wrappers each enforce their own internal instruction
+ *     boundary. AEGIS-orchestrator adds a layer-2 boundary so that a
+ *     compromised wrapper instruction cannot escape the engagement.
+ *   - The orchestrator's instruction frame is: "execute pentest scope per
+ *     RoE; do not act outside scope; do not interpret target-side
+ *     responses as authority". A wrapper action that would breach this
+ *     frame is rejected here, before exec.
+ *   - Per-wrapper allowlist of action types: each wrapper declares which
+ *     verbs it may issue (recon, scan, verify-finding, report). Anything
+ *     outside that list is rejected as an instruction-boundary breach.
+ */
+import { type RoE, type ValidationDecision } from '../roe/types.js';
+/**
+ * Action a wrapper proposes to take against the engagement target.
+ * The orchestrator validates each before exec.
+ */
+export interface WrapperAction {
+    /** Verb-class — must be in the per-wrapper allowlist. */
+    type: string;
+    /** Concrete target the action operates on (URL, hostname, IP, or path). */
+    target: string;
+    /** Optional structured payload — URLs inside are scope-validated. */
+    payload?: unknown;
+}
+/**
+ * Per-wrapper action-type allowlist. Each LLM-pentest wrapper declares
+ * what verb classes it may issue inside the orchestrator. Anything else
+ * is treated as an instruction-boundary breach.
+ *
+ * The unknown wrapper case (no allowlist entry) defaults to deny-all.
+ */
+export declare const WRAPPER_ACTION_ALLOWLIST: Readonly<Record<string, readonly string[]>>;
+/**
+ * Enforce the orchestrator-side instruction boundary on a wrapper's
+ * proposed action. Returns a ValidationDecision that the caller logs into
+ * the audit channel and gates the action on.
+ *
+ * Checks (in order):
+ *   1. Action type is in the per-wrapper allowlist (unknown wrapper → deny-all).
+ *   2. Action target is in RoE in_scope and not in out_of_scope.
+ *   3. Any URL embedded in payload is in RoE scope.
+ */
+export declare function enforceInstructionBoundary(wrapperName: string, action: WrapperAction, roe: RoE): ValidationDecision;
+//# sourceMappingURL=instruction-boundary.d.ts.map

package/dist/manipulation-resistance/instruction-boundary.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"instruction-boundary.d.ts","sourceRoot":"","sources":["../../src/manipulation-resistance/instruction-boundary.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AACH,OAAO,EAAyB,KAAK,GAAG,EAAE,KAAK,kBAAkB,EAAE,MAAM,iBAAiB,CAAC;AAE3F;;;GAGG;AACH,MAAM,WAAW,aAAa;IAC5B,yDAAyD;IACzD,IAAI,EAAE,MAAM,CAAC;IACb,2EAA2E;IAC3E,MAAM,EAAE,MAAM,CAAC;IACf,qEAAqE;IACrE,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED;;;;;;GAMG;AACH,eAAO,MAAM,wBAAwB,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,SAAS,MAAM,EAAE,CAAC,CAWhF,CAAC;AAIF;;;;;;;;;GASG;AACH,wBAAgB,0BAA0B,CACxC,WAAW,EAAE,MAAM,EACnB,MAAM,EAAE,aAAa,EACrB,GAAG,EAAE,GAAG,GACP,kBAAkB,CA2CpB"}