@agent-wall/core 0.1.0

package/dist/index.js

@@ -0,0 +1,3067 @@
+// src/types.ts
+import { z } from "zod";
+var JsonRpcRequestSchema = z.object({
+  jsonrpc: z.literal("2.0"),
+  id: z.union([z.string(), z.number()]),
+  method: z.string(),
+  params: z.record(z.unknown()).optional()
+});
+var JsonRpcNotificationSchema = z.object({
+  jsonrpc: z.literal("2.0"),
+  method: z.string(),
+  params: z.record(z.unknown()).optional()
+});
+var JsonRpcResponseSchema = z.object({
+  jsonrpc: z.literal("2.0"),
+  id: z.union([z.string(), z.number()]),
+  result: z.unknown().optional(),
+  error: z.object({
+    code: z.number(),
+    message: z.string(),
+    data: z.unknown().optional()
+  }).optional()
+});
+var JsonRpcMessageSchema = z.union([
+  JsonRpcRequestSchema,
+  JsonRpcNotificationSchema,
+  JsonRpcResponseSchema
+]);
+function isRequest(msg) {
+  return "id" in msg && "method" in msg;
+}
+function isNotification(msg) {
+  return !("id" in msg) && "method" in msg;
+}
+function isResponse(msg) {
+  return "id" in msg && !("method" in msg);
+}
+function isToolCall(msg) {
+  return isRequest(msg) && msg.method === "tools/call";
+}
+function isToolList(msg) {
+  return isRequest(msg) && msg.method === "tools/list";
+}
+function getToolCallParams(msg) {
+  if (msg.method !== "tools/call" || !msg.params) return null;
+  const params = msg.params;
+  if (typeof params.name !== "string") return null;
+  return {
+    name: params.name,
+    arguments: params.arguments ?? {}
+  };
+}
+function createDenyResponse(id, message) {
+  return {
+    jsonrpc: "2.0",
+    id,
+    error: {
+      code: -32001,
+      // Custom: policy denied
+      message: `Agent Wall: ${message}`
+    }
+  };
+}
+function createPromptResponse(id, message) {
+  return {
+    jsonrpc: "2.0",
+    id,
+    error: {
+      code: -32002,
+      // Custom: awaiting approval
+      message: `Agent Wall: Awaiting approval \u2014 ${message}`
+    }
+  };
+}
+
+// src/read-buffer.ts
+var DEFAULT_MAX_BUFFER_SIZE = 10 * 1024 * 1024;
+var ReadBuffer = class {
+  buffer = null;
+  maxBufferSize;
+  constructor(maxBufferSize = DEFAULT_MAX_BUFFER_SIZE) {
+    this.maxBufferSize = maxBufferSize;
+  }
+  /**
+   * Append raw bytes from a stream chunk.
+   * Throws if the buffer exceeds the configured maximum size.
+   */
+  append(chunk) {
+    this.buffer = this.buffer ? Buffer.concat([this.buffer, chunk]) : chunk;
+    if (this.buffer.length > this.maxBufferSize) {
+      const size = this.buffer.length;
+      this.buffer = null;
+      throw new BufferOverflowError(
+        `Buffer size ${size} exceeds maximum ${this.maxBufferSize} bytes \u2014 possible DOS attack`
+      );
+    }
+  }
+  /**
+   * Try to extract the next complete JSON-RPC message.
+   * Returns null if no complete message is available yet.
+   * Automatically skips empty lines.
+   */
+  readMessage() {
+    while (this.buffer) {
+      const index = this.buffer.indexOf("\n");
+      if (index === -1) return null;
+      const line = this.buffer.toString("utf8", 0, index).replace(/\r$/, "");
+      this.buffer = this.buffer.subarray(index + 1);
+      if (this.buffer.length === 0) this.buffer = null;
+      if (line.length === 0) continue;
+      return deserializeMessage(line);
+    }
+    return null;
+  }
+  /**
+   * Extract ALL available messages from the buffer.
+   */
+  readAllMessages() {
+    const messages = [];
+    let msg;
+    while ((msg = this.readMessage()) !== null) {
+      messages.push(msg);
+    }
+    return messages;
+  }
+  /**
+   * Clear the buffer.
+   */
+  clear() {
+    this.buffer = null;
+  }
+  /**
+   * Check if there's any pending data in the buffer.
+   */
+  get hasPendingData() {
+    return this.buffer !== null && this.buffer.length > 0;
+  }
+  /**
+   * Get current buffer size in bytes.
+   */
+  get currentSize() {
+    return this.buffer?.length ?? 0;
+  }
+};
+var BufferOverflowError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "BufferOverflowError";
+  }
+};
+function deserializeMessage(line) {
+  const parsed = JSON.parse(line);
+  return JsonRpcMessageSchema.parse(parsed);
+}
+function serializeMessage(message) {
+  return JSON.stringify(message) + "\n";
+}
+
+// src/policy-engine.ts
+import * as path from "path";
+import { minimatch } from "minimatch";
+var RateLimiter = class {
+  buckets = /* @__PURE__ */ new Map();
+  check(key, config) {
+    const now = Date.now();
+    const windowMs = config.windowSeconds * 1e3;
+    const bucket = this.buckets.get(key) ?? { timestamps: [] };
+    bucket.timestamps = bucket.timestamps.filter((t) => now - t < windowMs);
+    if (bucket.timestamps.length >= config.maxCalls) {
+      return false;
+    }
+    bucket.timestamps.push(now);
+    this.buckets.set(key, bucket);
+    return true;
+  }
+  reset() {
+    this.buckets.clear();
+  }
+};
+function normalizeValue(value) {
+  let normalized = value.normalize("NFC");
+  if (looksLikePath(normalized)) {
+    normalized = normalizePath(normalized);
+  }
+  return normalized;
+}
+function looksLikePath(value) {
+  return value.includes("/") || value.includes("\\") || value.startsWith(".") || value.startsWith("~");
+}
+function normalizePath(p) {
+  let normalized = p.replace(/\\/g, "/");
+  normalized = path.posix.normalize(normalized);
+  return normalized;
+}
+function safeGlobToRegex(pattern) {
+  if (pattern.length > 500) return null;
+  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
+  try {
+    return new RegExp(`^${escaped}$`, "i");
+  } catch {
+    return null;
+  }
+}
+var PATH_KEY_ALIASES = {
+  path: ["file", "filepath", "file_path", "filename", "file_name", "target", "source", "destination", "dest", "src", "uri", "url"],
+  command: ["cmd", "shell", "exec", "script", "run"],
+  content: ["text", "body", "data", "input", "message"]
+};
+function getKeyAliases(key) {
+  const lowerKey = key.toLowerCase();
+  const aliases = PATH_KEY_ALIASES[lowerKey];
+  if (aliases) return [lowerKey, ...aliases];
+  for (const [canonical, aliasList] of Object.entries(PATH_KEY_ALIASES)) {
+    if (aliasList.includes(lowerKey)) {
+      return [canonical, ...aliasList];
+    }
+  }
+  return [lowerKey];
+}
+var PolicyEngine = class {
+  config;
+  rateLimiter = new RateLimiter();
+  constructor(config) {
+    this.config = config;
+  }
+  /**
+   * Update the policy configuration (e.g., after file reload).
+   */
+  updateConfig(config) {
+    this.config = config;
+    this.rateLimiter.reset();
+  }
+  /**
+   * Evaluate a tool call against the policy rules.
+   * Returns the verdict: allow, deny, or prompt.
+   */
+  evaluate(toolCall) {
+    if (this.config.globalRateLimit) {
+      if (!this.rateLimiter.check("__global__", this.config.globalRateLimit)) {
+        return {
+          action: "deny",
+          rule: "__global_rate_limit__",
+          message: `Global rate limit exceeded (${this.config.globalRateLimit.maxCalls} calls per ${this.config.globalRateLimit.windowSeconds}s)`
+        };
+      }
+    }
+    for (const rule of this.config.rules) {
+      if (this.matchesRule(rule, toolCall)) {
+        if (rule.rateLimit) {
+          if (!this.rateLimiter.check(`rule:${rule.name}`, rule.rateLimit)) {
+            return {
+              action: "deny",
+              rule: rule.name,
+              message: rule.message ?? `Rate limit exceeded for rule "${rule.name}" (${rule.rateLimit.maxCalls} per ${rule.rateLimit.windowSeconds}s)`
+            };
+          }
+        }
+        return {
+          action: rule.action,
+          rule: rule.name,
+          message: rule.message ?? `${rule.action === "deny" ? "Blocked" : rule.action === "prompt" ? "Approval required" : "Allowed"} by rule "${rule.name}"`
+        };
+      }
+    }
+    const isStrict = this.config.mode === "strict";
+    const defaultAction = isStrict ? "deny" : this.config.defaultAction ?? "prompt";
+    return {
+      action: defaultAction,
+      rule: null,
+      message: isStrict ? `Zero-trust mode: no matching allow rule. Denied by default.` : `No matching rule. Default action: ${defaultAction}`
+    };
+  }
+  /**
+   * Check if a rule matches a tool call.
+   */
+  matchesRule(rule, toolCall) {
+    const normalizedToolName = toolCall.name.normalize("NFC");
+    if (!this.matchToolName(rule.tool, normalizedToolName)) {
+      return false;
+    }
+    if (rule.match?.arguments) {
+      if (!this.matchArguments(rule.match.arguments, toolCall.arguments ?? {})) {
+        return false;
+      }
+    }
+    return true;
+  }
+  /**
+   * Match a tool name against a pattern.
+   * Pattern can contain "|" for multiple alternatives.
+   */
+  matchToolName(pattern, toolName) {
+    const patterns = pattern.split("|").map((p) => p.trim());
+    return patterns.some((p) => minimatch(toolName, p));
+  }
+  /**
+   * Match rule argument patterns against actual tool arguments.
+   * Each key in ruleArgs is an argument name, value is a glob pattern.
+   * ALL specified argument patterns must match for the rule to match.
+   *
+   * Security: normalizes paths and unicode before matching.
+   * Security: checks key aliases (path → file, filepath, etc.)
+   */
+  matchArguments(ruleArgs, actualArgs) {
+    for (const [key, pattern] of Object.entries(ruleArgs)) {
+      const aliases = getKeyAliases(key);
+      let rawValue;
+      for (const alias of aliases) {
+        const found = Object.entries(actualArgs).find(
+          ([k]) => k.toLowerCase() === alias
+        );
+        if (found !== void 0 && found[1] !== void 0) {
+          rawValue = found[1];
+          break;
+        }
+      }
+      if (rawValue === void 0) return false;
+      const strValue = normalizeValue(String(rawValue));
+      const patterns = pattern.split("|").map((p) => p.trim());
+      const matched = patterns.some((p) => {
+        if (minimatch(strValue, p, { dot: true })) return true;
+        if (p.includes("*") || p.includes("?")) {
+          const regex = safeGlobToRegex(p);
+          if (regex && regex.test(strValue)) return true;
+        }
+        if (!p.includes("*") && !p.includes("?")) {
+          return strValue.toLowerCase().includes(p.toLowerCase());
+        }
+        return false;
+      });
+      if (!matched) return false;
+    }
+    return true;
+  }
+  /**
+   * Get the current policy config.
+   */
+  getConfig() {
+    return this.config;
+  }
+  /**
+   * Get all rule names.
+   */
+  getRuleNames() {
+    return this.config.rules.map((r) => r.name);
+  }
+};
+
+// src/policy-loader.ts
+import * as fs from "fs";
+import * as path2 from "path";
+import * as yaml from "js-yaml";
+import { z as z2 } from "zod";
+var RateLimitSchema = z2.object({
+  maxCalls: z2.number().int().positive(),
+  windowSeconds: z2.number().positive()
+});
+var RuleMatchSchema = z2.object({
+  arguments: z2.record(z2.string()).optional()
+});
+var PolicyRuleSchema = z2.object({
+  name: z2.string().min(1),
+  tool: z2.string().min(1),
+  match: RuleMatchSchema.optional(),
+  action: z2.enum(["allow", "deny", "prompt"]),
+  message: z2.string().optional(),
+  rateLimit: RateLimitSchema.optional()
+});
+var ResponsePatternSchema = z2.object({
+  name: z2.string().min(1),
+  pattern: z2.string().min(1),
+  flags: z2.string().optional(),
+  action: z2.enum(["pass", "redact", "block"]),
+  message: z2.string().optional(),
+  category: z2.string().optional()
+});
+var ResponseScanningSchema = z2.object({
+  enabled: z2.boolean().optional(),
+  maxResponseSize: z2.number().int().nonnegative().optional(),
+  oversizeAction: z2.enum(["block", "redact"]).optional(),
+  detectSecrets: z2.boolean().optional(),
+  detectPII: z2.boolean().optional(),
+  base64Action: z2.enum(["pass", "redact", "block"]).optional(),
+  maxPatterns: z2.number().int().positive().optional(),
+  patterns: z2.array(ResponsePatternSchema).optional()
+});
+var InjectionDetectionSchema = z2.object({
+  enabled: z2.boolean().optional(),
+  sensitivity: z2.enum(["low", "medium", "high"]).optional(),
+  customPatterns: z2.array(z2.string()).optional(),
+  excludeTools: z2.array(z2.string()).optional()
+});
+var EgressControlSchema = z2.object({
+  enabled: z2.boolean().optional(),
+  allowedDomains: z2.array(z2.string()).optional(),
+  blockedDomains: z2.array(z2.string()).optional(),
+  blockPrivateIPs: z2.boolean().optional(),
+  blockMetadataEndpoints: z2.boolean().optional(),
+  excludeTools: z2.array(z2.string()).optional()
+});
+var KillSwitchSchema = z2.object({
+  enabled: z2.boolean().optional(),
+  checkFile: z2.boolean().optional(),
+  killFileNames: z2.array(z2.string()).optional(),
+  pollIntervalMs: z2.number().int().positive().optional()
+});
+var ChainDetectionSchema = z2.object({
+  enabled: z2.boolean().optional(),
+  windowSize: z2.number().int().positive().optional(),
+  windowMs: z2.number().int().positive().optional()
+});
+var SecuritySchema = z2.object({
+  injectionDetection: InjectionDetectionSchema.optional(),
+  egressControl: EgressControlSchema.optional(),
+  killSwitch: KillSwitchSchema.optional(),
+  chainDetection: ChainDetectionSchema.optional(),
+  signing: z2.boolean().optional(),
+  signingKey: z2.string().optional()
+});
+var PolicyConfigSchema = z2.object({
+  version: z2.number().int().min(1),
+  mode: z2.enum(["standard", "strict"]).optional(),
+  defaultAction: z2.enum(["allow", "deny", "prompt"]).optional(),
+  globalRateLimit: RateLimitSchema.optional(),
+  responseScanning: ResponseScanningSchema.optional(),
+  security: SecuritySchema.optional(),
+  rules: z2.array(PolicyRuleSchema)
+});
+var CONFIG_FILENAMES = [
+  "agent-wall.yaml",
+  "agent-wall.yml",
+  ".agent-wall.yaml",
+  ".agent-wall.yml"
+  // Legacy support
+];
+function loadPolicyFile(filePath) {
+  if (!fs.existsSync(filePath)) {
+    throw new Error(`Policy file not found: ${filePath}`);
+  }
+  const content = fs.readFileSync(filePath, "utf-8");
+  return parsePolicyYaml(content);
+}
+function parsePolicyYaml(yamlContent) {
+  const raw = yaml.load(yamlContent, { schema: yaml.JSON_SCHEMA });
+  const validated = PolicyConfigSchema.parse(raw);
+  return validated;
+}
+function discoverPolicyFile(startDir = process.cwd()) {
+  let dir = path2.resolve(startDir);
+  while (true) {
+    for (const filename of CONFIG_FILENAMES) {
+      const candidate = path2.join(dir, filename);
+      if (fs.existsSync(candidate)) {
+        return candidate;
+      }
+    }
+    const parent = path2.dirname(dir);
+    if (parent === dir) break;
+    dir = parent;
+  }
+  return null;
+}
+function loadPolicy(configPath) {
+  if (configPath) {
+    return {
+      config: loadPolicyFile(configPath),
+      filePath: configPath
+    };
+  }
+  const discovered = discoverPolicyFile();
+  if (discovered) {
+    return {
+      config: loadPolicyFile(discovered),
+      filePath: discovered
+    };
+  }
+  return {
+    config: getDefaultPolicy(),
+    filePath: null
+  };
+}
+function getDefaultPolicy() {
+  return {
+    version: 1,
+    defaultAction: "prompt",
+    globalRateLimit: {
+      maxCalls: 200,
+      windowSeconds: 60
+    },
+    responseScanning: {
+      enabled: true,
+      maxResponseSize: 5 * 1024 * 1024,
+      // 5MB
+      oversizeAction: "redact",
+      detectSecrets: true,
+      detectPII: false
+    },
+    security: {
+      injectionDetection: { enabled: true, sensitivity: "medium" },
+      egressControl: { enabled: true, blockPrivateIPs: true, blockMetadataEndpoints: true },
+      killSwitch: { enabled: true, checkFile: true },
+      chainDetection: { enabled: true },
+      signing: false
+    },
+    rules: [
+      // ── Always block: credential access ──
+      {
+        name: "block-ssh-keys",
+        tool: "*",
+        match: { arguments: { path: "**/.ssh/**|**/.ssh" } },
+        action: "deny",
+        message: "Access to SSH keys is blocked by default policy"
+      },
+      {
+        name: "block-env-files",
+        tool: "*",
+        match: { arguments: { path: "**/.env*" } },
+        action: "deny",
+        message: "Access to .env files is blocked by default policy"
+      },
+      {
+        name: "block-credential-files",
+        tool: "*",
+        match: {
+          arguments: { path: "*credentials*|**/*.pem|**/*.key|**/*.pfx|**/*.p12" }
+        },
+        action: "deny",
+        message: "Access to credential files is blocked by default policy"
+      },
+      // ── Always block: exfiltration patterns ──
+      {
+        name: "block-curl-exfil",
+        tool: "shell_exec|run_command|execute_command",
+        match: { arguments: { command: "*curl *" } },
+        action: "deny",
+        message: "Shell commands with curl are blocked \u2014 potential data exfiltration"
+      },
+      {
+        name: "block-wget-exfil",
+        tool: "shell_exec|run_command|execute_command",
+        match: { arguments: { command: "*wget *" } },
+        action: "deny",
+        message: "Shell commands with wget are blocked \u2014 potential data exfiltration"
+      },
+      {
+        name: "block-netcat-exfil",
+        tool: "shell_exec|run_command|execute_command",
+        match: { arguments: { command: "*nc *|*ncat *|*netcat *" } },
+        action: "deny",
+        message: "Shell commands with netcat are blocked \u2014 potential data exfiltration"
+      },
+      {
+        name: "block-powershell-exfil",
+        tool: "shell_exec|run_command|execute_command|bash",
+        match: { arguments: { command: "*powershell*|*pwsh*|*Invoke-WebRequest*|*Invoke-RestMethod*|*DownloadString*|*DownloadFile*|*Start-BitsTransfer*" } },
+        action: "deny",
+        message: "PowerShell command blocked \u2014 potential data exfiltration"
+      },
+      {
+        name: "block-dns-exfil",
+        tool: "shell_exec|run_command|execute_command|bash",
+        match: { arguments: { command: "*nslookup *|*dig *|*host *" } },
+        action: "deny",
+        message: "DNS lookup command blocked \u2014 potential DNS exfiltration vector"
+      },
+      // ── Require approval: scripting language one-liners ──
+      {
+        name: "approve-script-exec",
+        tool: "shell_exec|run_command|execute_command|bash",
+        match: { arguments: { command: "*python* -c *|*python3* -c *|*ruby* -e *|*perl* -e *|*node* -e *|*node* --eval*" } },
+        action: "prompt",
+        message: "Inline script execution requires approval \u2014 may be used for exfiltration"
+      },
+      // ── Require approval: destructive operations ──
+      {
+        name: "approve-file-delete",
+        tool: "*delete*|*remove*|*unlink*",
+        action: "prompt",
+        message: "File deletion requires approval"
+      },
+      {
+        name: "approve-shell-exec",
+        tool: "shell_exec|run_command|execute_command|bash",
+        action: "prompt",
+        message: "Shell command execution requires approval"
+      },
+      // ── Allow: safe read operations ──
+      {
+        name: "allow-read-file",
+        tool: "read_file|get_file_contents|view_file",
+        action: "allow"
+      },
+      {
+        name: "allow-list-dir",
+        tool: "list_directory|list_dir|ls",
+        action: "allow"
+      },
+      {
+        name: "allow-search",
+        tool: "search_files|grep|find_files|ripgrep",
+        action: "allow"
+      }
+    ]
+  };
+}
+function generateDefaultConfigYaml() {
+  return `# Agent Wall Policy Configuration
+# Docs: https://github.com/agent-wall/agent-wall
+#
+# Rules are evaluated in order \u2014 first match wins.
+# Actions: allow, deny, prompt (ask human for approval)
+
+version: 1
+
+# Default action when no rule matches
+defaultAction: prompt
+
+# Global rate limit across all tools
+globalRateLimit:
+  maxCalls: 200
+  windowSeconds: 60
+
+# Response scanning \u2014 inspect what the MCP server returns
+# before it reaches the AI agent
+responseScanning:
+  enabled: true
+  maxResponseSize: 5242880  # 5MB
+  oversizeAction: redact    # "block" or "redact" (truncate)
+  detectSecrets: true       # API keys, tokens, private keys
+  detectPII: false          # Email, phone, SSN, credit cards (opt-in)
+  # Custom patterns (optional):
+  # patterns:
+  #   - name: internal-urls
+  #     pattern: "https?://internal\\.[a-z]+\\.corp"
+  #     action: redact
+  #     message: "Internal URL detected"
+  #     category: custom
+
+# Security modules
+security:
+  injectionDetection:
+    enabled: true
+    sensitivity: medium      # low, medium, high
+  egressControl:
+    enabled: true
+    blockPrivateIPs: true    # Block RFC1918, loopback, link-local IPs
+    blockMetadataEndpoints: true  # Block cloud metadata (169.254.169.254)
+  killSwitch:
+    enabled: true
+    checkFile: true          # Watch for .agent-wall-kill file
+  chainDetection:
+    enabled: true            # Detect exfiltration chains (read\u2192curl, etc.)
+  signing: false             # HMAC-SHA256 audit log signing
+
+rules:
+  # \u2500\u2500 Block: Credential Access \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+  - name: block-ssh-keys
+    tool: "*"
+    match:
+      arguments:
+        path: "**/.ssh/**|**/.ssh"
+    action: deny
+    message: "Access to SSH keys is blocked"
+
+  - name: block-env-files
+    tool: "*"
+    match:
+      arguments:
+        path: "**/.env*"
+    action: deny
+    message: "Access to .env files is blocked"
+
+  - name: block-credential-files
+    tool: "*"
+    match:
+      arguments:
+        path: "*credentials*|**/*.pem|**/*.key|**/*.pfx|**/*.p12"
+    action: deny
+    message: "Access to credential files is blocked"
+
+  # \u2500\u2500 Block: Exfiltration Patterns \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+  - name: block-curl-exfil
+    tool: "shell_exec|run_command|execute_command"
+    match:
+      arguments:
+        command: "*curl *"
+    action: deny
+    message: "Shell commands with curl are blocked (potential exfiltration)"
+
+  - name: block-wget-exfil
+    tool: "shell_exec|run_command|execute_command"
+    match:
+      arguments:
+        command: "*wget *"
+    action: deny
+    message: "Shell commands with wget are blocked (potential exfiltration)"
+
+  - name: block-netcat-exfil
+    tool: "shell_exec|run_command|execute_command"
+    match:
+      arguments:
+        command: "*nc *|*ncat *|*netcat *"
+    action: deny
+    message: "Shell commands with netcat are blocked (potential exfiltration)"
+
+  - name: block-powershell-exfil
+    tool: "shell_exec|run_command|execute_command|bash"
+    match:
+      arguments:
+        command: "*powershell*|*pwsh*|*Invoke-WebRequest*|*Invoke-RestMethod*|*DownloadString*|*DownloadFile*|*Start-BitsTransfer*"
+    action: deny
+    message: "PowerShell command blocked (potential exfiltration)"
+
+  - name: block-dns-exfil
+    tool: "shell_exec|run_command|execute_command|bash"
+    match:
+      arguments:
+        command: "*nslookup *|*dig *|*host *"
+    action: deny
+    message: "DNS lookup blocked (potential DNS exfiltration)"
+
+  # \u2500\u2500 Prompt: Scripting One-Liners \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+  - name: approve-script-exec
+    tool: "shell_exec|run_command|execute_command|bash"
+    match:
+      arguments:
+        command: "*python* -c *|*python3* -c *|*ruby* -e *|*perl* -e *|*node* -e *|*node* --eval*"
+    action: prompt
+    message: "Inline script execution requires approval"
+
+  # \u2500\u2500 Prompt: Destructive Operations \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+  - name: approve-file-delete
+    tool: "*delete*|*remove*|*unlink*"
+    action: prompt
+    message: "File deletion requires approval"
+
+  - name: approve-shell-exec
+    tool: "shell_exec|run_command|execute_command|bash"
+    action: prompt
+    message: "Shell command execution requires approval"
+
+  # \u2500\u2500 Allow: Safe Read Operations \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+  - name: allow-read-file
+    tool: "read_file|get_file_contents|view_file"
+    action: allow
+
+  - name: allow-list-dir
+    tool: "list_directory|list_dir|ls"
+    action: allow
+
+  - name: allow-search
+    tool: "search_files|grep|find_files|ripgrep"
+    action: allow
+
+  # \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+  # Add your own rules below. Remember: first match wins!
+  # \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+`;
+}
+
+// src/response-scanner.ts
+var REDOS_DANGEROUS_PATTERNS = [
+  /\([^)]*[+*][^)]*\)[+*]/,
+  // (x+)+ or (x*)* nested quantifiers
+  /\([^)]*\|[^)]*\)[+*]{/,
+  // (a|a)+ overlapping alternation with quantifier
+  /(.+)\1[+*]/
+  // backreference with quantifier
+];
+var MAX_PATTERN_LENGTH = 1e3;
+var DEFAULT_MAX_PATTERNS = 100;
+function isRegexSafe(pattern) {
+  if (pattern.length > MAX_PATTERN_LENGTH) return false;
+  for (const dangerous of REDOS_DANGEROUS_PATTERNS) {
+    if (dangerous.test(pattern)) return false;
+  }
+  try {
+    new RegExp(pattern);
+    return true;
+  } catch {
+    return false;
+  }
+}
+var SECRET_PATTERNS = [
+  // ── API Keys & Tokens ──
+  {
+    name: "aws-access-key",
+    pattern: "(?:^|[^A-Za-z0-9])AKIA[0-9A-Z]{16}(?:[^A-Za-z0-9]|$)",
+    action: "redact",
+    message: "AWS Access Key ID detected in response",
+    category: "secrets"
+  },
+  {
+    name: "aws-secret-key",
+    pattern: "(?:aws_secret_access_key|aws_secret_key|secret_access_key)\\s*[=:]\\s*[A-Za-z0-9/+=]{40}",
+    flags: "gi",
+    action: "redact",
+    message: "AWS Secret Access Key detected in response",
+    category: "secrets"
+  },
+  {
+    name: "github-token",
+    pattern: "(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9_]{36,255}",
+    action: "redact",
+    message: "GitHub token detected in response",
+    category: "secrets"
+  },
+  {
+    name: "openai-api-key",
+    pattern: "sk-[A-Za-z0-9]{20}T3BlbkFJ[A-Za-z0-9]{20}",
+    action: "redact",
+    message: "OpenAI API key detected in response",
+    category: "secrets"
+  },
+  {
+    name: "generic-api-key",
+    pattern: `(?:api[_-]?key|apikey|api[_-]?secret)\\s*[=:]+\\s*["']?[A-Za-z0-9_\\-]{20,}`,
+    flags: "gi",
+    action: "redact",
+    message: "Generic API key detected in response",
+    category: "secrets"
+  },
+  {
+    name: "bearer-token",
+    pattern: "Bearer\\s+[A-Za-z0-9\\-._~+/]+=*",
+    flags: "gi",
+    action: "redact",
+    message: "Bearer token detected in response",
+    category: "secrets"
+  },
+  {
+    name: "jwt-token",
+    pattern: "eyJ[A-Za-z0-9_-]{10,}\\.eyJ[A-Za-z0-9_-]{10,}\\.[A-Za-z0-9_\\-]{10,}",
+    action: "redact",
+    message: "JWT token detected in response",
+    category: "secrets"
+  },
+  // ── Private Keys & Certificates ──
+  {
+    name: "private-key",
+    pattern: "-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----",
+    action: "block",
+    message: "Private key detected in response \u2014 blocking entirely",
+    category: "secrets"
+  },
+  {
+    name: "certificate",
+    pattern: "-----BEGIN CERTIFICATE-----",
+    action: "redact",
+    message: "Certificate detected in response",
+    category: "secrets"
+  },
+  // ── Connection Strings ──
+  {
+    name: "database-url",
+    pattern: `(?:postgres|mysql|mongodb|redis|amqp)://[^\\s"']+:[^\\s"']+@[^\\s"']+`,
+    flags: "gi",
+    action: "redact",
+    message: "Database connection string with credentials detected",
+    category: "secrets"
+  },
+  // ── Password Patterns ──
+  {
+    name: "password-assignment",
+    pattern: `(?:password|passwd|pwd)\\s*[=:]\\s*["']?[^\\s"']{8,}`,
+    flags: "gi",
+    action: "redact",
+    message: "Password assignment detected in response",
+    category: "secrets"
+  }
+];
+function getExfiltrationPatterns(base64Action) {
+  return [
+    {
+      name: "large-base64-blob",
+      pattern: "(?:[A-Za-z0-9+/]{100,}={0,2})",
+      action: base64Action,
+      message: "Large base64-encoded blob detected",
+      category: "exfiltration"
+    },
+    {
+      name: "hex-dump",
+      pattern: "(?:[0-9a-f]{2}[:\\s]){32,}",
+      flags: "gi",
+      action: "pass",
+      message: "Large hex dump detected (informational)",
+      category: "exfiltration"
+    }
+  ];
+}
+var PII_PATTERNS = [
+  {
+    name: "email-address",
+    pattern: "[a-zA-Z0-9._%+\\-]+@[a-zA-Z0-9.\\-]+\\.[a-zA-Z]{2,}",
+    action: "redact",
+    message: "Email address detected in response",
+    category: "pii"
+  },
+  {
+    name: "phone-number",
+    pattern: "(?:\\+?1[\\s.-]?)?\\(?[0-9]{3}\\)?[\\s.-]?[0-9]{3}[\\s.-]?[0-9]{4}",
+    action: "redact",
+    message: "Phone number detected in response",
+    category: "pii"
+  },
+  {
+    name: "ssn",
+    pattern: "\\b\\d{3}-\\d{2}-\\d{4}\\b",
+    action: "block",
+    message: "Social Security Number detected \u2014 blocking response",
+    category: "pii"
+  },
+  {
+    name: "credit-card",
+    pattern: "\\b(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|3[47][0-9]{13}|6(?:011|5[0-9]{2})[0-9]{12})\\b",
+    action: "block",
+    message: "Credit card number detected \u2014 blocking response",
+    category: "pii"
+  },
+  {
+    name: "ip-address",
+    pattern: "\\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\b",
+    action: "pass",
+    message: "IP address detected (informational)",
+    category: "pii"
+  }
+];
+var ResponseScanner = class {
+  config;
+  compiledPatterns = [];
+  rejectedPatterns = [];
+  constructor(config = {}) {
+    this.config = {
+      enabled: config.enabled ?? true,
+      maxResponseSize: config.maxResponseSize ?? 0,
+      oversizeAction: config.oversizeAction ?? "redact",
+      detectSecrets: config.detectSecrets ?? true,
+      detectPII: config.detectPII ?? false,
+      base64Action: config.base64Action ?? "pass",
+      maxPatterns: config.maxPatterns ?? DEFAULT_MAX_PATTERNS,
+      patterns: config.patterns ?? []
+    };
+    this.compilePatterns();
+  }
+  /**
+   * Compile all regex patterns upfront for performance.
+   * Validates each pattern for ReDoS safety before compilation.
+   */
+  compilePatterns() {
+    this.compiledPatterns = [];
+    this.rejectedPatterns = [];
+    if (this.config.detectSecrets) {
+      for (const p of SECRET_PATTERNS) {
+        this.safeCompile(p, true);
+      }
+    }
+    if (this.config.detectSecrets) {
+      for (const p of getExfiltrationPatterns(this.config.base64Action)) {
+        this.safeCompile(p, true);
+      }
+    }
+    if (this.config.detectPII) {
+      for (const p of PII_PATTERNS) {
+        this.safeCompile(p, true);
+      }
+    }
+    const userPatterns = this.config.patterns ?? [];
+    const maxAllowed = this.config.maxPatterns;
+    const limited = userPatterns.slice(0, maxAllowed);
+    if (userPatterns.length > maxAllowed) {
+      this.rejectedPatterns.push(
+        `${userPatterns.length - maxAllowed} patterns exceeded max limit of ${maxAllowed}`
+      );
+    }
+    for (const p of limited) {
+      this.safeCompile(p, false);
+    }
+  }
+  /**
+   * Safely compile a pattern. For user patterns, validate ReDoS safety first.
+   */
+  safeCompile(pattern, trusted) {
+    if (!trusted) {
+      if (!isRegexSafe(pattern.pattern)) {
+        this.rejectedPatterns.push(
+          `Pattern "${pattern.name}" rejected: potentially unsafe regex (ReDoS risk)`
+        );
+        return;
+      }
+    }
+    try {
+      const regex = new RegExp(pattern.pattern, pattern.flags ?? "gi");
+      this.compiledPatterns.push({ pattern, regex });
+    } catch {
+      this.rejectedPatterns.push(
+        `Pattern "${pattern.name}" rejected: invalid regex`
+      );
+    }
+  }
+  /**
+   * Scan a response text for sensitive content.
+   */
+  scan(text) {
+    if (!this.config.enabled) {
+      return {
+        clean: true,
+        action: "pass",
+        findings: [],
+        originalSize: Buffer.byteLength(text, "utf-8")
+      };
+    }
+    const originalSize = Buffer.byteLength(text, "utf-8");
+    const findings = [];
+    if (this.config.maxResponseSize && this.config.maxResponseSize > 0) {
+      if (originalSize > this.config.maxResponseSize) {
+        findings.push({
+          pattern: "__oversize__",
+          category: "size",
+          action: this.config.oversizeAction ?? "redact",
+          message: `Response size (${originalSize} bytes) exceeds limit (${this.config.maxResponseSize} bytes)`,
+          matchCount: 1
+        });
+      }
+    }
+    for (const { pattern, regex } of this.compiledPatterns) {
+      regex.lastIndex = 0;
+      const matches = text.match(regex);
+      if (matches && matches.length > 0) {
+        findings.push({
+          pattern: pattern.name,
+          category: pattern.category ?? "custom",
+          action: pattern.action,
+          message: pattern.message ?? `Pattern "${pattern.name}" matched`,
+          matchCount: matches.length,
+          preview: this.createPreview(matches[0])
+        });
+      }
+    }
+    if (findings.length === 0) {
+      return { clean: true, action: "pass", findings: [], originalSize };
+    }
+    const overallAction = this.resolveAction(findings);
+    const result = {
+      clean: false,
+      action: overallAction,
+      findings,
+      originalSize
+    };
+    if (overallAction === "redact") {
+      result.redactedText = this.redactText(text, findings);
+    }
+    return result;
+  }
+  /**
+   * Scan the content array from an MCP tools/call response.
+   * MCP responses have the shape: { content: [{ type: "text", text: "..." }, ...] }
+   */
+  scanMcpResponse(result) {
+    const text = this.extractText(result);
+    return this.scan(text);
+  }
+  /**
+   * Extract all text content from an MCP response result.
+   */
+  extractText(result) {
+    if (typeof result === "string") return result;
+    if (!result || typeof result !== "object") return "";
+    const obj = result;
+    if (Array.isArray(obj.content)) {
+      return obj.content.filter((c) => c?.type === "text" && typeof c?.text === "string").map((c) => c.text).join("\n");
+    }
+    try {
+      return JSON.stringify(result);
+    } catch {
+      return "";
+    }
+  }
+  /**
+   * Resolve the highest-severity action from all findings.
+   * Priority: block > redact > pass
+   */
+  resolveAction(findings) {
+    let highest = "pass";
+    for (const f of findings) {
+      if (f.action === "block") return "block";
+      if (f.action === "redact") highest = "redact";
+    }
+    return highest;
+  }
+  /**
+   * Redact matched patterns from the text.
+   * Uses generic [REDACTED] marker — never leaks pattern names.
+   */
+  redactText(text, findings) {
+    let redacted = text;
+    if (this.config.maxResponseSize && this.config.maxResponseSize > 0) {
+      const sizeExceeded = findings.some((f) => f.pattern === "__oversize__");
+      if (sizeExceeded) {
+        const limit = this.config.maxResponseSize;
+        redacted = redacted.slice(0, limit) + "\n\n[Agent Wall: Response truncated \u2014 exceeded size limit]";
+      }
+    }
+    for (const { pattern, regex } of this.compiledPatterns) {
+      const finding = findings.find((f) => f.pattern === pattern.name);
+      if (!finding || finding.action !== "redact") continue;
+      regex.lastIndex = 0;
+      redacted = redacted.replace(regex, `[REDACTED]`);
+    }
+    return redacted;
+  }
+  /**
+   * Create a safe preview of matched content (first 4 chars + last 4).
+   */
+  createPreview(match) {
+    if (match.length <= 8) return "***";
+    const start = match.slice(0, 4);
+    const end = match.slice(-4);
+    return `${start}...${end}`;
+  }
+  /**
+   * Get the current configuration.
+   */
+  getConfig() {
+    return { ...this.config };
+  }
+  /**
+   * Get the number of compiled patterns.
+   */
+  getPatternCount() {
+    return this.compiledPatterns.length;
+  }
+  /**
+   * Get list of patterns that were rejected during compilation.
+   */
+  getRejectedPatterns() {
+    return [...this.rejectedPatterns];
+  }
+  /**
+   * Update configuration (e.g., after policy file reload).
+   */
+  updateConfig(config) {
+    this.config = {
+      enabled: config.enabled ?? true,
+      maxResponseSize: config.maxResponseSize ?? 0,
+      oversizeAction: config.oversizeAction ?? "redact",
+      detectSecrets: config.detectSecrets ?? true,
+      detectPII: config.detectPII ?? false,
+      base64Action: config.base64Action ?? "pass",
+      maxPatterns: config.maxPatterns ?? DEFAULT_MAX_PATTERNS,
+      patterns: config.patterns ?? []
+    };
+    this.compilePatterns();
+  }
+};
+function createDefaultScanner() {
+  return new ResponseScanner({
+    enabled: true,
+    maxResponseSize: 5 * 1024 * 1024,
+    // 5MB
+    oversizeAction: "redact",
+    detectSecrets: true,
+    detectPII: false
+  });
+}
+
+// src/audit-logger.ts
+import * as crypto from "crypto";
+import * as fs2 from "fs";
+import * as path3 from "path";
+var SENSITIVE_PATTERNS = [
+  /password/i,
+  /secret/i,
+  /token/i,
+  /api[_-]?key/i,
+  /auth/i,
+  /credential/i,
+  /private[_-]?key/i,
+  /access[_-]?key/i
+];
+var DEFAULT_MAX_FILE_SIZE = 50 * 1024 * 1024;
+var DEFAULT_MAX_FILES = 5;
+var AuditLogger = class {
+  options;
+  fileFd = null;
+  entries = [];
+  prevHash = "genesis";
+  seqCounter = 0;
+  currentFileSize = 0;
+  constructor(options = {}) {
+    this.options = {
+      stdout: options.stdout ?? true,
+      filePath: options.filePath ?? "",
+      redact: options.redact ?? true,
+      maxArgLength: options.maxArgLength ?? 200,
+      silent: options.silent ?? false,
+      signing: options.signing ?? false,
+      signingKey: options.signingKey ?? crypto.randomBytes(32).toString("hex"),
+      maxFileSize: options.maxFileSize ?? DEFAULT_MAX_FILE_SIZE,
+      maxFiles: options.maxFiles ?? DEFAULT_MAX_FILES,
+      onEntry: options.onEntry
+    };
+    if (this.options.filePath) {
+      this.openLogFile();
+    }
+  }
+  /**
+   * Open or reopen the log file using synchronous fd (reliable on Windows).
+   */
+  openLogFile() {
+    const dir = path3.dirname(this.options.filePath);
+    if (!fs2.existsSync(dir)) {
+      fs2.mkdirSync(dir, { recursive: true });
+    }
+    try {
+      const stat = fs2.statSync(this.options.filePath);
+      this.currentFileSize = stat.size;
+    } catch {
+      this.currentFileSize = 0;
+    }
+    this.fileFd = fs2.openSync(this.options.filePath, "a");
+  }
+  /**
+   * Log a tool call with its policy verdict.
+   */
+  log(entry) {
+    const processed = this.options.redact ? this.redactEntry(entry) : entry;
+    this.entries.push(processed);
+    let outputEntry = { ...processed };
+    if (this.options.signing) {
+      this.seqCounter++;
+      const sig = this.computeHmac(processed);
+      outputEntry._seq = this.seqCounter;
+      outputEntry._sig = sig;
+      this.prevHash = sig;
+    }
+    const line = JSON.stringify(outputEntry);
+    if (this.options.stdout && !this.options.silent) {
+      process.stderr.write(`[agent-wall] ${line}
+`);
+    }
+    if (this.fileFd !== null) {
+      const data = line + "\n";
+      const bytes = Buffer.byteLength(data, "utf-8");
+      fs2.writeSync(this.fileFd, data);
+      this.currentFileSize += bytes;
+      if (this.options.maxFileSize > 0 && this.currentFileSize >= this.options.maxFileSize) {
+        this.rotateLogFile();
+      }
+    }
+    this.options.onEntry?.(processed);
+  }
+  /**
+   * Compute HMAC-SHA256 for a log entry in the chain.
+   * Chain: HMAC(entry_json + prev_hash)
+   */
+  computeHmac(entry) {
+    const payload = JSON.stringify(entry) + "|" + this.prevHash;
+    return crypto.createHmac("sha256", this.options.signingKey).update(payload).digest("hex");
+  }
+  /**
+   * Rotate log files: current → .1, .1 → .2, etc.
+   * Oldest file beyond maxFiles is deleted.
+   */
+  rotateLogFile() {
+    if (this.fileFd !== null) {
+      fs2.closeSync(this.fileFd);
+      this.fileFd = null;
+    }
+    const basePath = this.options.filePath;
+    const oldest = `${basePath}.${this.options.maxFiles}`;
+    try {
+      fs2.unlinkSync(oldest);
+    } catch {
+    }
+    for (let i = this.options.maxFiles - 1; i >= 1; i--) {
+      const src = `${basePath}.${i}`;
+      const dst = `${basePath}.${i + 1}`;
+      try {
+        fs2.renameSync(src, dst);
+      } catch {
+      }
+    }
+    try {
+      fs2.renameSync(basePath, `${basePath}.1`);
+    } catch {
+    }
+    this.currentFileSize = 0;
+    this.openLogFile();
+  }
+  /**
+   * Log a denied tool call (convenience method).
+   */
+  logDeny(sessionId, tool, args, ruleName, message) {
+    this.log({
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+      sessionId,
+      direction: "request",
+      method: "tools/call",
+      tool,
+      arguments: args,
+      verdict: {
+        action: "deny",
+        rule: ruleName,
+        message
+      }
+    });
+  }
+  /**
+   * Log an allowed tool call (convenience method).
+   */
+  logAllow(sessionId, tool, args, ruleName, message) {
+    this.log({
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+      sessionId,
+      direction: "request",
+      method: "tools/call",
+      tool,
+      arguments: args,
+      verdict: {
+        action: "allow",
+        rule: ruleName,
+        message
+      }
+    });
+  }
+  /**
+   * Get all logged entries (for the audit command).
+   */
+  getEntries() {
+    return this.entries;
+  }
+  /**
+   * Get summary statistics.
+   */
+  getStats() {
+    let allowed = 0;
+    let denied = 0;
+    let prompted = 0;
+    for (const entry of this.entries) {
+      switch (entry.verdict?.action) {
+        case "allow":
+          allowed++;
+          break;
+        case "deny":
+          denied++;
+          break;
+        case "prompt":
+          prompted++;
+          break;
+      }
+    }
+    return {
+      total: this.entries.length,
+      allowed,
+      denied,
+      prompted
+    };
+  }
+  /**
+   * Redact sensitive argument values.
+   */
+  redactEntry(entry) {
+    if (!entry.arguments) return entry;
+    const redacted = {};
+    for (const [key, value] of Object.entries(entry.arguments)) {
+      if (SENSITIVE_PATTERNS.some((p) => p.test(key))) {
+        redacted[key] = "[REDACTED]";
+      } else if (typeof value === "string" && value.length > this.options.maxArgLength) {
+        redacted[key] = value.slice(0, this.options.maxArgLength) + "...[truncated]";
+      } else {
+        redacted[key] = value;
+      }
+    }
+    return { ...entry, arguments: redacted };
+  }
+  /**
+   * Verify the HMAC chain integrity of a log file.
+   * Returns { valid: boolean, entries: number, firstBroken: number | null }
+   */
+  static verifyChain(logFilePath, signingKey) {
+    const content = fs2.readFileSync(logFilePath, "utf-8");
+    const lines = content.trim().split("\n").filter(Boolean);
+    let prevHash = "genesis";
+    let firstBroken = null;
+    for (let i = 0; i < lines.length; i++) {
+      const parsed = JSON.parse(lines[i]);
+      const { _sig, _seq, ...entry } = parsed;
+      if (!_sig) {
+        continue;
+      }
+      const payload = JSON.stringify(entry) + "|" + prevHash;
+      const expected = crypto.createHmac("sha256", signingKey).update(payload).digest("hex");
+      if (_sig !== expected) {
+        if (firstBroken === null) firstBroken = i;
+      }
+      prevHash = _sig;
+    }
+    return {
+      valid: firstBroken === null,
+      entries: lines.length,
+      firstBroken
+    };
+  }
+  /**
+   * Set or replace the onEntry callback (for dashboard streaming).
+   */
+  setOnEntry(callback) {
+    this.options.onEntry = callback;
+  }
+  /**
+   * Close the logger (flush file stream).
+   */
+  close() {
+    if (this.fileFd !== null) {
+      fs2.closeSync(this.fileFd);
+      this.fileFd = null;
+    }
+  }
+};
+function checkFilePermissions(filePath) {
+  const warnings = [];
+  try {
+    const stat = fs2.statSync(filePath);
+    const mode = stat.mode;
+    if (mode !== void 0) {
+      if (mode & 2) {
+        warnings.push(
+          `Policy file is world-writable (mode ${(mode & 511).toString(8)}). Run: chmod 644 ${filePath}`
+        );
+      }
+      if (mode & 16) {
+        warnings.push(
+          `Policy file is group-writable (mode ${(mode & 511).toString(8)}). Consider: chmod 644 ${filePath}`
+        );
+      }
+    }
+    const lstat = fs2.lstatSync(filePath);
+    if (lstat.isSymbolicLink()) {
+      warnings.push(
+        `Policy file is a symbolic link. Ensure it points to a trusted location.`
+      );
+    }
+  } catch (err) {
+    warnings.push(`Cannot check permissions for ${filePath}: ${err}`);
+  }
+  return {
+    safe: warnings.length === 0,
+    warnings
+  };
+}
+
+// src/proxy.ts
+import spawn from "cross-spawn";
+import * as crypto2 from "crypto";
+import * as fs3 from "fs";
+import * as readline from "readline";
+import { EventEmitter } from "events";
+var DEFAULT_PENDING_CALL_TTL_MS = 3e4;
+var PENDING_CALL_CLEANUP_INTERVAL_MS = 1e4;
+var StdioProxy = class extends EventEmitter {
+  child = null;
+  clientBuffer;
+  serverBuffer;
+  options;
+  sessionId;
+  running = false;
+  stats = { forwarded: 0, denied: 0, prompted: 0, total: 0, scanned: 0, responseBlocked: 0, responseRedacted: 0 };
+  /** Track pending tools/call requests by JSON-RPC id, so we can correlate responses */
+  pendingToolCalls = /* @__PURE__ */ new Map();
+  /** Cleanup timer for expired pending calls */
+  pendingCleanupTimer = null;
+  pendingCallTtlMs;
+  constructor(options) {
+    super();
+    this.options = options;
+    const maxBuf = options.maxBufferSize;
+    this.clientBuffer = new ReadBuffer(maxBuf);
+    this.serverBuffer = new ReadBuffer(maxBuf);
+    this.sessionId = options.sessionId ?? `ag-${crypto2.randomUUID()}`;
+    this.pendingCallTtlMs = options.pendingCallTtlMs ?? DEFAULT_PENDING_CALL_TTL_MS;
+    this.on("error", (err) => {
+      this.options.onError?.(err);
+    });
+  }
+  /**
+   * Start the proxy — spawn the child MCP server and begin intercepting.
+   */
+  async start() {
+    return new Promise((resolve3, reject) => {
+      try {
+        this.child = spawn(this.options.command, this.options.args ?? [], {
+          stdio: ["pipe", "pipe", "inherit"],
+          env: {
+            ...process.env,
+            ...this.options.env
+          },
+          cwd: this.options.cwd,
+          shell: false,
+          windowsHide: true
+        });
+        this.child.on("error", (err) => {
+          this.options.onError?.(err);
+          this.emit("error", err);
+          reject(err);
+        });
+        this.child.on("spawn", () => {
+          this.running = true;
+          this.setupPipelines();
+          this.startPendingCallCleanup();
+          this.options.onReady?.();
+          this.emit("ready");
+          resolve3();
+        });
+        this.child.on("close", (code) => {
+          this.running = false;
+          this.options.onExit?.(code);
+          this.emit("exit", code);
+        });
+      } catch (err) {
+        reject(err);
+      }
+    });
+  }
+  /**
+   * Stop the proxy — gracefully shut down the child process.
+   * Follows the MCP SDK pattern: stdin.end() → SIGTERM → SIGKILL
+   */
+  async stop() {
+    if (!this.child) return;
+    const child = this.child;
+    this.child = null;
+    this.running = false;
+    const closePromise = new Promise((resolve3) => {
+      child.once("close", () => resolve3());
+    });
+    try {
+      child.stdin?.end();
+    } catch {
+    }
+    const timeout = (ms) => new Promise((resolve3) => {
+      const t = setTimeout(resolve3, ms);
+      t.unref();
+    });
+    await Promise.race([closePromise, timeout(2e3)]);
+    if (child.exitCode === null) {
+      try {
+        child.kill("SIGTERM");
+      } catch {
+      }
+      await Promise.race([closePromise, timeout(2e3)]);
+    }
+    if (child.exitCode === null) {
+      try {
+        child.kill("SIGKILL");
+      } catch {
+      }
+    }
+    this.stopPendingCallCleanup();
+    this.pendingToolCalls.clear();
+    this.clientBuffer.clear();
+    this.serverBuffer.clear();
+    this.options.killSwitch?.dispose();
+    this.options.chainDetector?.reset();
+    this.options.logger.close();
+  }
+  /**
+   * Get proxy statistics.
+   */
+  getStats() {
+    return { ...this.stats };
+  }
+  /**
+   * Wire up the stdin/stdout pipelines with interception.
+   */
+  setupPipelines() {
+    process.stdin.on("data", (chunk) => {
+      try {
+        this.clientBuffer.append(chunk);
+        this.processClientMessages();
+      } catch (err) {
+        if (err instanceof BufferOverflowError) {
+          this.emit("error", err);
+          this.clientBuffer.clear();
+        } else {
+          this.emit("error", new Error(`Client buffer error: ${err}`));
+        }
+      }
+    });
+    process.stdin.on("end", () => {
+      this.stop();
+    });
+    this.child?.stdout?.on("data", (chunk) => {
+      try {
+        this.serverBuffer.append(chunk);
+        this.processServerMessages();
+      } catch (err) {
+        if (err instanceof BufferOverflowError) {
+          this.emit("error", err);
+          this.serverBuffer.clear();
+        } else {
+          this.emit("error", new Error(`Server buffer error: ${err}`));
+        }
+      }
+    });
+  }
+  /**
+   * Start periodic cleanup of expired pending tool calls.
+   */
+  startPendingCallCleanup() {
+    this.pendingCleanupTimer = setInterval(() => {
+      const now = Date.now();
+      for (const [id, entry] of this.pendingToolCalls) {
+        if (now - entry.timestamp > this.pendingCallTtlMs) {
+          this.pendingToolCalls.delete(id);
+        }
+      }
+    }, PENDING_CALL_CLEANUP_INTERVAL_MS);
+    this.pendingCleanupTimer.unref();
+  }
+  /**
+   * Stop the pending call cleanup timer.
+   */
+  stopPendingCallCleanup() {
+    if (this.pendingCleanupTimer) {
+      clearInterval(this.pendingCleanupTimer);
+      this.pendingCleanupTimer = null;
+    }
+  }
+  /**
+   * Process buffered messages from the MCP client.
+   * This is where policy enforcement happens.
+   */
+  processClientMessages() {
+    try {
+      const messages = this.clientBuffer.readAllMessages();
+      for (const msg of messages) {
+        this.handleClientMessage(msg);
+      }
+    } catch (err) {
+      this.emit("error", new Error(`Invalid JSON from client: ${err}`));
+    }
+  }
+  /**
+   * Process buffered messages from the MCP server.
+   * Applies response scanning before forwarding to the client.
+   */
+  processServerMessages() {
+    try {
+      const messages = this.serverBuffer.readAllMessages();
+      for (const msg of messages) {
+        this.handleServerMessage(msg);
+      }
+    } catch (err) {
+      this.emit("error", new Error(`Invalid JSON from server: ${err}`));
+    }
+  }
+  /**
+   * Handle a single message from the MCP server.
+   * If it's a response to a tools/call we tracked, scan it.
+   */
+  handleServerMessage(msg) {
+    if (!isResponse(msg)) {
+      this.writeToClient(msg);
+      return;
+    }
+    const response = msg;
+    const pending = this.pendingToolCalls.get(response.id);
+    if (!pending || !this.options.responseScanner) {
+      if (pending) this.pendingToolCalls.delete(response.id);
+      this.writeToClient(msg);
+      return;
+    }
+    this.pendingToolCalls.delete(response.id);
+    this.stats.scanned++;
+    const scanResult = response.error ? this.options.responseScanner.scan(this.extractErrorText(response)) : response.result !== void 0 ? this.options.responseScanner.scanMcpResponse(response.result) : null;
+    if (!scanResult || scanResult.clean) {
+      this.writeToClient(msg);
+      return;
+    }
+    const findingSummary = scanResult.findings.map((f) => `${f.pattern}: ${f.message}`).join("; ");
+    switch (scanResult.action) {
+      case "block": {
+        this.stats.responseBlocked++;
+        this.options.logger.log({
+          timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+          sessionId: this.sessionId,
+          direction: "response",
+          method: "tools/call",
+          tool: pending.tool,
+          arguments: pending.args,
+          verdict: { action: "deny", rule: "__response_scanner__", message: `Response blocked: ${findingSummary}` }
+        });
+        this.emit("responseBlocked", pending.tool, findingSummary);
+        const errorResponse = createDenyResponse(
+          response.id,
+          `Response blocked by Agent Wall scanner: ${findingSummary}`
+        );
+        this.writeToClient(errorResponse);
+        break;
+      }
+      case "redact": {
+        this.stats.responseRedacted++;
+        this.options.logger.log({
+          timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+          sessionId: this.sessionId,
+          direction: "response",
+          method: "tools/call",
+          tool: pending.tool,
+          arguments: pending.args,
+          verdict: { action: "allow", rule: "__response_scanner__", message: `Response redacted: ${findingSummary}` }
+        });
+        this.emit("responseRedacted", pending.tool, findingSummary);
+        const redacted = this.buildRedactedResponse(response, scanResult);
+        this.writeToClient(redacted);
+        break;
+      }
+      default:
+        this.writeToClient(msg);
+        break;
+    }
+  }
+  /**
+   * Build a redacted MCP response by replacing text content.
+   */
+  buildRedactedResponse(original, scanResult) {
+    if (!scanResult.redactedText || !original.result) {
+      return original;
+    }
+    const result = original.result;
+    if (Array.isArray(result.content)) {
+      const redactedContent = result.content.map((block) => {
+        if (block.type === "text" && typeof block.text === "string") {
+          return { ...block, text: scanResult.redactedText };
+        }
+        return block;
+      });
+      return {
+        ...original,
+        result: { ...result, content: redactedContent }
+      };
+    }
+    return {
+      ...original,
+      result: { content: [{ type: "text", text: scanResult.redactedText }] }
+    };
+  }
+  /**
+   * Handle a single message from the MCP client.
+   *
+   * Security check order (defense in depth):
+   *   1. Kill switch — if active, deny ALL calls immediately
+   *   2. Injection detection — scan arguments for prompt injection
+   *   3. Egress control — check for blocked URLs/IPs
+   *   4. Policy engine — evaluate rules (existing behavior)
+   *   5. Chain detection — record call and check for suspicious sequences
+   */
+  handleClientMessage(msg) {
+    this.stats.total++;
+    if (!isToolCall(msg)) {
+      this.writeToServer(msg);
+      return;
+    }
+    const request = msg;
+    const toolCall = getToolCallParams(request);
+    if (!toolCall) {
+      this.writeToServer(msg);
+      return;
+    }
+    const args = toolCall.arguments ?? {};
+    if (this.options.killSwitch?.isActive()) {
+      const reason = this.options.killSwitch.getStatus().reason;
+      this.emit("killSwitchActive", toolCall.name);
+      this.handleDeny(request, toolCall.name, args, {
+        action: "deny",
+        rule: "__kill_switch__",
+        message: `Kill switch active: ${reason}. All tool calls denied.`
+      });
+      return;
+    }
+    if (this.options.injectionDetector) {
+      const injection = this.options.injectionDetector.scan(toolCall);
+      if (injection.detected && injection.confidence !== "low") {
+        this.emit("injectionDetected", toolCall.name, injection.summary);
+        this.handleDeny(request, toolCall.name, args, {
+          action: "deny",
+          rule: "__injection_detector__",
+          message: `Prompt injection blocked: ${injection.summary}`
+        });
+        return;
+      }
+    }
+    if (this.options.egressControl) {
+      const egress = this.options.egressControl.check(toolCall);
+      if (!egress.allowed) {
+        this.emit("egressBlocked", toolCall.name, egress.summary);
+        this.handleDeny(request, toolCall.name, args, {
+          action: "deny",
+          rule: "__egress_control__",
+          message: `Egress blocked: ${egress.summary}`
+        });
+        return;
+      }
+    }
+    const verdict = this.options.policyEngine.evaluate(toolCall);
+    if (this.options.chainDetector && verdict.action !== "deny") {
+      const chain = this.options.chainDetector.record(toolCall);
+      if (chain.detected) {
+        const critical = chain.matches.some((m) => m.severity === "critical");
+        const summary = chain.matches.map((m) => `${m.chain}(${m.severity})`).join(", ");
+        this.emit("chainDetected", toolCall.name, summary);
+        if (critical) {
+          this.handleDeny(request, toolCall.name, args, {
+            action: "deny",
+            rule: "__chain_detector__",
+            message: `Critical tool chain blocked: ${summary}`
+          });
+          return;
+        }
+        this.options.logger.log({
+          timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+          sessionId: this.sessionId,
+          direction: "request",
+          method: "tools/call",
+          tool: toolCall.name,
+          arguments: args,
+          verdict: {
+            action: "allow",
+            rule: "__chain_detector__",
+            message: `Suspicious tool chain (warning): ${summary}`
+          }
+        });
+      }
+    }
+    switch (verdict.action) {
+      case "allow":
+        this.handleAllow(request, toolCall.name, args, verdict);
+        break;
+      case "deny":
+        this.handleDeny(request, toolCall.name, args, verdict);
+        break;
+      case "prompt":
+        this.handlePrompt(request, toolCall.name, args, verdict);
+        break;
+    }
+  }
+  /**
+   * Handle an allowed tool call — forward to server.
+   */
+  handleAllow(request, tool, args, verdict) {
+    this.stats.forwarded++;
+    if (this.options.responseScanner) {
+      this.pendingToolCalls.set(request.id, { tool, args, timestamp: Date.now() });
+    }
+    this.options.logger.logAllow(
+      this.sessionId,
+      tool,
+      args,
+      verdict.rule,
+      verdict.message
+    );
+    this.emit("allowed", tool);
+    this.writeToServer(request);
+  }
+  /**
+   * Handle a denied tool call — return error to client, never forward.
+   */
+  handleDeny(request, tool, args, verdict) {
+    this.stats.denied++;
+    this.options.logger.logDeny(
+      this.sessionId,
+      tool,
+      args,
+      verdict.rule,
+      verdict.message
+    );
+    this.emit("denied", tool, verdict.message);
+    const errorResponse = createDenyResponse(request.id, verdict.message);
+    this.writeToClient(errorResponse);
+  }
+  /**
+   * Handle a prompt tool call — ask for human approval.
+   */
+  async handlePrompt(request, tool, args, verdict) {
+    this.emit("prompted", tool, verdict.message);
+    if (!this.options.onPrompt) {
+      this.handleDeny(request, tool, args, {
+        ...verdict,
+        action: "deny",
+        message: `${verdict.message} (auto-denied: no prompt handler)`
+      });
+      return;
+    }
+    try {
+      const approved = await this.options.onPrompt(
+        tool,
+        args,
+        verdict.message
+      );
+      if (approved) {
+        this.handleAllow(request, tool, args, {
+          ...verdict,
+          action: "allow",
+          message: `${verdict.message} (manually approved)`
+        });
+      } else {
+        this.handleDeny(request, tool, args, {
+          ...verdict,
+          action: "deny",
+          message: `${verdict.message} (manually denied)`
+        });
+      }
+    } catch (err) {
+      this.handleDeny(request, tool, args, {
+        ...verdict,
+        action: "deny",
+        message: `${verdict.message} (prompt error: ${err})`
+      });
+    }
+  }
+  /**
+   * Extract scannable text from a JSON-RPC error response.
+   */
+  extractErrorText(response) {
+    const parts = [];
+    if (response.error?.message) parts.push(response.error.message);
+    if (response.error?.data !== void 0) {
+      parts.push(typeof response.error.data === "string" ? response.error.data : JSON.stringify(response.error.data));
+    }
+    return parts.join("\n");
+  }
+  /**
+   * Write a JSON-RPC message to the MCP server (child's stdin).
+   */
+  writeToServer(msg) {
+    if (!this.child?.stdin?.writable) return;
+    const data = serializeMessage(msg);
+    this.child.stdin.write(data);
+  }
+  /**
+   * Write a JSON-RPC message to the MCP client (our stdout).
+   */
+  writeToClient(msg) {
+    const data = serializeMessage(msg);
+    process.stdout.write(data);
+  }
+};
+function createTerminalPromptHandler() {
+  return async (tool, args, message) => {
+    let ttyFd;
+    try {
+      ttyFd = fs3.openSync("/dev/tty", "r");
+    } catch {
+      try {
+        ttyFd = fs3.openSync("CON", "r");
+      } catch {
+        process.stderr.write(
+          "\n[agent-wall] No terminal available for prompt \u2014 auto-denying (fail-secure)\n"
+        );
+        return false;
+      }
+    }
+    const ttyInput = fs3.createReadStream("", { fd: ttyFd, autoClose: false });
+    const rl = readline.createInterface({
+      input: ttyInput,
+      output: process.stderr
+    });
+    process.stderr.write("\n");
+    process.stderr.write("\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557\n");
+    process.stderr.write("\u2551  Agent Wall: Approval Required                   \u2551\n");
+    process.stderr.write("\u2560\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2563\n");
+    process.stderr.write(`\u2551  Tool:    ${tool}
+`);
+    process.stderr.write(`\u2551  Rule:    ${message}
+`);
+    process.stderr.write(`\u2551  Args:    ${JSON.stringify(args, null, 0).slice(0, 120)}
+`);
+    process.stderr.write("\u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D\n");
+    return new Promise((resolve3) => {
+      rl.question("  Allow this call? [y/N]: ", (answer) => {
+        rl.close();
+        ttyInput.destroy();
+        try {
+          fs3.closeSync(ttyFd);
+        } catch {
+        }
+        resolve3(answer.trim().toLowerCase() === "y");
+      });
+    });
+  };
+}
+
+// src/injection-detector.ts
+var INJECTION_PATTERNS = [
+  // ── Direct instruction override (HIGH confidence) ──
+  {
+    category: "instruction-override",
+    pattern: /ignore\s+(all\s+)?previous\s+(instructions?|context|rules?|prompts?)/i,
+    confidence: "high",
+    sensitivity: "low"
+  },
+  {
+    category: "instruction-override",
+    pattern: /disregard\s+(all\s+)?(previous|above|prior|earlier)\s+(instructions?|context|rules?)/i,
+    confidence: "high",
+    sensitivity: "low"
+  },
+  {
+    category: "instruction-override",
+    pattern: /forget\s+(all\s+)?(your|previous|prior)\s+(instructions?|rules?|context|training)/i,
+    confidence: "high",
+    sensitivity: "low"
+  },
+  {
+    category: "instruction-override",
+    pattern: /override\s+(all\s+)?(previous|system|safety)\s+(instructions?|rules?|restrictions?|filters?)/i,
+    confidence: "high",
+    sensitivity: "low"
+  },
+  {
+    category: "instruction-override",
+    pattern: /new\s+instructions?:\s/i,
+    confidence: "high",
+    sensitivity: "low"
+  },
+  {
+    category: "instruction-override",
+    pattern: /you\s+are\s+now\s+(a|an|in)\s/i,
+    confidence: "high",
+    sensitivity: "low"
+  },
+  {
+    category: "instruction-override",
+    pattern: /from\s+now\s+on,?\s+(you|ignore|disregard|forget)/i,
+    confidence: "high",
+    sensitivity: "low"
+  },
+  // ── System/Role prompt markers (HIGH confidence) ──
+  {
+    category: "prompt-marker",
+    pattern: /<\|im_start\|>system/i,
+    confidence: "high",
+    sensitivity: "low"
+  },
+  {
+    category: "prompt-marker",
+    pattern: /<\|system\|>/i,
+    confidence: "high",
+    sensitivity: "low"
+  },
+  {
+    category: "prompt-marker",
+    pattern: /\[SYSTEM\]\s*:/i,
+    confidence: "high",
+    sensitivity: "low"
+  },
+  {
+    category: "prompt-marker",
+    pattern: /\[INST\]/i,
+    confidence: "high",
+    sensitivity: "low"
+  },
+  {
+    category: "prompt-marker",
+    pattern: /<<SYS>>/i,
+    confidence: "high",
+    sensitivity: "low"
+  },
+  {
+    category: "prompt-marker",
+    pattern: /###\s*(System|Instruction|Human|Assistant)\s*:/i,
+    confidence: "medium",
+    sensitivity: "medium"
+  },
+  // ── Authority claims (MEDIUM confidence) ──
+  {
+    category: "authority-claim",
+    pattern: /admin(istrator)?\s+(override|mode|access|command)/i,
+    confidence: "medium",
+    sensitivity: "low"
+  },
+  {
+    category: "authority-claim",
+    pattern: /IMPORTANT:\s*(override|ignore|disregard|new\s+instruction)/i,
+    confidence: "high",
+    sensitivity: "low"
+  },
+  {
+    category: "authority-claim",
+    pattern: /URGENT:\s*(you\s+must|override|ignore)/i,
+    confidence: "medium",
+    sensitivity: "low"
+  },
+  {
+    category: "authority-claim",
+    pattern: /developer\s+mode\s+(enabled|activated|on)/i,
+    confidence: "high",
+    sensitivity: "low"
+  },
+  {
+    category: "authority-claim",
+    pattern: /jailbreak/i,
+    confidence: "high",
+    sensitivity: "low"
+  },
+  {
+    category: "authority-claim",
+    pattern: /DAN\s+(mode|prompt)/i,
+    confidence: "high",
+    sensitivity: "low"
+  },
+  // ── Data exfiltration instructions (HIGH confidence) ──
+  {
+    category: "exfil-instruction",
+    pattern: /send\s+(all\s+)?(the\s+|this\s+|my\s+)?(data|information|content|file|secret|key|token|password|credential)\s+(to|via|through|using)/i,
+    confidence: "high",
+    sensitivity: "low"
+  },
+  {
+    category: "exfil-instruction",
+    pattern: /exfiltrate|steal\s+(the\s+)?(data|secret|key|credential|token)/i,
+    confidence: "high",
+    sensitivity: "low"
+  },
+  {
+    category: "exfil-instruction",
+    pattern: /upload\s+(all\s+)?(the\s+|this\s+|my\s+|every\s+)?(files?|data|content|secrets?)/i,
+    confidence: "medium",
+    sensitivity: "medium"
+  },
+  // ── Output manipulation (MEDIUM confidence) ──
+  {
+    category: "output-manipulation",
+    pattern: /respond\s+with\s+(only|just|exactly)\s/i,
+    confidence: "low",
+    sensitivity: "high"
+  },
+  {
+    category: "output-manipulation",
+    pattern: /do\s+not\s+(mention|reveal|tell|show|display|output)\s/i,
+    confidence: "low",
+    sensitivity: "high"
+  },
+  {
+    category: "output-manipulation",
+    pattern: /pretend\s+(you|that|to\s+be)/i,
+    confidence: "medium",
+    sensitivity: "medium"
+  },
+  // ── Unicode obfuscation markers (HIGH confidence) ──
+  {
+    category: "unicode-obfuscation",
+    pattern: /[\u200B-\u200F\u2028-\u202F\uFEFF]/,
+    // Zero-width chars
+    confidence: "medium",
+    sensitivity: "medium"
+  },
+  {
+    category: "unicode-obfuscation",
+    pattern: /[\u2060-\u2064]/,
+    // Invisible formatting chars
+    confidence: "medium",
+    sensitivity: "medium"
+  },
+  {
+    category: "unicode-obfuscation",
+    pattern: /[\uE000-\uF8FF]/,
+    // Private Use Area (sometimes used to hide text)
+    confidence: "low",
+    sensitivity: "high"
+  },
+  // ── Encoded injection (base64 "ignore" etc.) ──
+  {
+    category: "encoded-injection",
+    pattern: /aWdub3Jl/,
+    // base64 of "ignore"
+    confidence: "medium",
+    sensitivity: "medium"
+  },
+  {
+    category: "encoded-injection",
+    pattern: /c3lzdGVt/,
+    // base64 of "system"
+    confidence: "low",
+    sensitivity: "high"
+  },
+  // ── Delimiter injection (trying to break out of a tool argument) ──
+  {
+    category: "delimiter-injection",
+    pattern: /\}\s*\]\s*\}\s*\{/,
+    // Trying to close JSON and start new object
+    confidence: "medium",
+    sensitivity: "medium"
+  },
+  {
+    category: "delimiter-injection",
+    pattern: /```\s*(system|instruction|prompt)/i,
+    // Code block with system marker
+    confidence: "medium",
+    sensitivity: "medium"
+  }
+];
+var SENSITIVITY_LEVELS = {
+  low: 1,
+  medium: 2,
+  high: 3
+};
+var InjectionDetector = class {
+  config;
+  customRegexes = [];
+  constructor(config = {}) {
+    this.config = {
+      enabled: config.enabled ?? true,
+      sensitivity: config.sensitivity ?? "medium",
+      customPatterns: config.customPatterns ?? [],
+      excludeTools: config.excludeTools ?? []
+    };
+    for (const p of this.config.customPatterns) {
+      try {
+        this.customRegexes.push(new RegExp(p, "i"));
+      } catch {
+        process.stderr.write(`[agent-wall] Warning: invalid custom injection pattern: "${p}"
+`);
+      }
+    }
+  }
+  /**
+   * Scan a tool call's arguments for prompt injection.
+   */
+  scan(toolCall) {
+    if (!this.config.enabled) {
+      return { detected: false, confidence: "low", matches: [], summary: "Injection detection disabled" };
+    }
+    if (this.config.excludeTools.includes(toolCall.name)) {
+      return { detected: false, confidence: "low", matches: [], summary: "Tool excluded from injection scanning" };
+    }
+    const matches = [];
+    const args = toolCall.arguments ?? {};
+    const sensitivityLevel = SENSITIVITY_LEVELS[this.config.sensitivity] ?? 2;
+    for (const [key, value] of Object.entries(args)) {
+      const strValue = this.extractString(value);
+      if (!strValue || strValue.length < 5) continue;
+      for (const injPattern of INJECTION_PATTERNS) {
+        const patternSensitivity = SENSITIVITY_LEVELS[injPattern.sensitivity] ?? 2;
+        if (patternSensitivity > sensitivityLevel) continue;
+        if (injPattern.pattern.test(strValue)) {
+          const match = strValue.match(injPattern.pattern);
+          matches.push({
+            category: injPattern.category,
+            matched: match ? match[0].slice(0, 80) : "***",
+            argumentKey: key,
+            confidence: injPattern.confidence
+          });
+        }
+      }
+      for (const regex of this.customRegexes) {
+        regex.lastIndex = 0;
+        if (regex.test(strValue)) {
+          matches.push({
+            category: "custom",
+            matched: "custom pattern match",
+            argumentKey: key,
+            confidence: "medium"
+          });
+        }
+      }
+    }
+    if (matches.length === 0) {
+      return { detected: false, confidence: "low", matches: [], summary: "No injection detected" };
+    }
+    const highestConfidence = matches.reduce((best, m) => {
+      const mLevel = SENSITIVITY_LEVELS[m.confidence] ?? 0;
+      const bLevel = SENSITIVITY_LEVELS[best] ?? 0;
+      return mLevel > bLevel ? m.confidence : best;
+    }, "low");
+    const categories = [...new Set(matches.map((m) => m.category))];
+    const summary = `Prompt injection detected (${highestConfidence} confidence): ${categories.join(", ")}. ${matches.length} pattern(s) matched.`;
+    return {
+      detected: true,
+      confidence: highestConfidence,
+      matches,
+      summary
+    };
+  }
+  /**
+   * Extract a string from an argument value (handles nested objects).
+   */
+  extractString(value) {
+    if (typeof value === "string") return value;
+    if (typeof value === "number" || typeof value === "boolean") return String(value);
+    if (value === null || value === void 0) return "";
+    try {
+      return JSON.stringify(value);
+    } catch {
+      return "";
+    }
+  }
+};
+
+// src/egress-control.ts
+function isPrivateIP(ip) {
+  const parts = ip.split(".").map(Number);
+  if (parts.length === 4 && parts.every((p) => p >= 0 && p <= 255)) {
+    if (parts[0] === 10) return true;
+    if (parts[0] === 172 && parts[1] >= 16 && parts[1] <= 31) return true;
+    if (parts[0] === 192 && parts[1] === 168) return true;
+    if (parts[0] === 127) return true;
+    if (parts[0] === 169 && parts[1] === 254) return true;
+    if (parts.every((p) => p === 0)) return true;
+  }
+  if (ip === "::1" || ip === "[::1]") return true;
+  if (ip.toLowerCase().startsWith("fe80:")) return true;
+  if (ip.toLowerCase().startsWith("fc") || ip.toLowerCase().startsWith("fd")) return true;
+  return false;
+}
+var METADATA_ENDPOINTS = [
+  "169.254.169.254",
+  // AWS, GCP, Azure
+  "metadata.google.internal",
+  "metadata.goog",
+  "100.100.100.200",
+  // Alibaba Cloud
+  "169.254.170.2"
+  // AWS ECS task metadata
+];
+var URL_REGEX = /https?:\/\/[^\s"'<>\])}]+/gi;
+function extractUrls(value) {
+  const matches = value.match(URL_REGEX);
+  return matches ? [...new Set(matches)] : [];
+}
+function parseHostname(urlStr) {
+  try {
+    const url = new URL(urlStr);
+    return url.hostname;
+  } catch {
+    const match = urlStr.match(/https?:\/\/([^/:?\s#]+)/i);
+    return match ? match[1] : null;
+  }
+}
+function extractRawHostname(urlStr) {
+  const match = urlStr.match(/https?:\/\/([^/:?\s#]+)/i);
+  return match ? match[1] : null;
+}
+var EgressControl = class {
+  config;
+  constructor(config = {}) {
+    this.config = {
+      enabled: config.enabled ?? true,
+      allowedDomains: config.allowedDomains ?? [],
+      blockedDomains: config.blockedDomains ?? [],
+      blockPrivateIPs: config.blockPrivateIPs ?? true,
+      blockMetadataEndpoints: config.blockMetadataEndpoints ?? true,
+      excludeTools: config.excludeTools ?? []
+    };
+  }
+  /**
+   * Check a tool call's arguments for blocked URLs.
+   */
+  check(toolCall) {
+    if (!this.config.enabled) {
+      return { allowed: true, urlsFound: [], blocked: [], summary: "Egress control disabled" };
+    }
+    if (this.config.excludeTools.includes(toolCall.name)) {
+      return { allowed: true, urlsFound: [], blocked: [], summary: "Tool excluded from egress control" };
+    }
+    const urlsFound = [];
+    const blocked = [];
+    const args = toolCall.arguments ?? {};
+    for (const [key, value] of Object.entries(args)) {
+      const strValue = typeof value === "string" ? value : JSON.stringify(value ?? "");
+      const urls = extractUrls(strValue);
+      for (const url of urls) {
+        const rawHostname = extractRawHostname(url);
+        const hostname = parseHostname(url);
+        if (!hostname) continue;
+        const info = { url, hostname, argumentKey: key };
+        urlsFound.push(info);
+        const blockReason = this.checkUrl(hostname, url, rawHostname);
+        if (blockReason) {
+          blocked.push({ ...info, reason: blockReason });
+        }
+      }
+    }
+    if (blocked.length === 0) {
+      return {
+        allowed: true,
+        urlsFound,
+        blocked: [],
+        summary: urlsFound.length > 0 ? `${urlsFound.length} URL(s) found, all allowed` : "No URLs found in arguments"
+      };
+    }
+    const reasons = [...new Set(blocked.map((b) => b.reason))];
+    return {
+      allowed: false,
+      urlsFound,
+      blocked,
+      summary: `Blocked ${blocked.length} URL(s): ${reasons.join("; ")}`
+    };
+  }
+  /**
+   * Check a single hostname/URL against all rules.
+   * Returns the block reason, or null if allowed.
+   *
+   * Check order matters: more specific checks (obfuscated, metadata) run
+   * before generic private IP, so the reason message is precise.
+   */
+  checkUrl(hostname, fullUrl, rawHostname) {
+    const lowerHost = hostname.toLowerCase();
+    const rawHost = rawHostname ?? hostname;
+    if (this.config.allowedDomains.length > 0) {
+      const allowed = this.config.allowedDomains.some(
+        (d) => lowerHost === d.toLowerCase() || lowerHost.endsWith("." + d.toLowerCase())
+      );
+      if (!allowed) {
+        return `Domain "${hostname}" is not in the allowed domains list`;
+      }
+    }
+    if (this.config.blockedDomains.length > 0) {
+      const isBlocked = this.config.blockedDomains.some(
+        (d) => lowerHost === d.toLowerCase() || lowerHost.endsWith("." + d.toLowerCase())
+      );
+      if (isBlocked) {
+        return `Domain "${hostname}" is in the blocked domains list`;
+      }
+    }
+    if (this.config.blockPrivateIPs) {
+      if (/^0x[0-9a-f]+$/i.test(rawHost) || /^\d{8,}$/.test(rawHost)) {
+        return `Obfuscated IP address "${rawHost}" is blocked (potential SSRF bypass)`;
+      }
+    }
+    if (this.config.blockMetadataEndpoints) {
+      if (METADATA_ENDPOINTS.some((ep) => lowerHost === ep.toLowerCase())) {
+        return `Cloud metadata endpoint "${hostname}" is blocked`;
+      }
+      if (fullUrl.includes("/latest/meta-data") || fullUrl.includes("/metadata/instance")) {
+        return `Cloud metadata access is blocked`;
+      }
+    }
+    if (this.config.blockPrivateIPs) {
+      if (isPrivateIP(hostname)) {
+        return `Private/internal IP address "${hostname}" is blocked (SSRF protection)`;
+      }
+      if (lowerHost === "localhost" || lowerHost === "ip6-localhost") {
+        return `Localhost address is blocked (SSRF protection)`;
+      }
+    }
+    return null;
+  }
+};
+
+// src/kill-switch.ts
+import * as fs4 from "fs";
+import * as path4 from "path";
+import * as os from "os";
+var DEFAULT_KILL_FILES = [".agent-wall-kill"];
+var DEFAULT_POLL_INTERVAL = 1e3;
+var KillSwitch = class {
+  config;
+  manuallyActive = false;
+  fileActive = false;
+  activeReason = "";
+  activatedAt = null;
+  pollTimer = null;
+  constructor(config = {}) {
+    const isUnix = process.platform !== "win32";
+    this.config = {
+      enabled: config.enabled ?? true,
+      checkFile: config.checkFile ?? true,
+      killFileNames: config.killFileNames ?? DEFAULT_KILL_FILES,
+      checkDirs: config.checkDirs ?? [process.cwd(), os.homedir()],
+      pollIntervalMs: config.pollIntervalMs ?? DEFAULT_POLL_INTERVAL,
+      registerSignal: config.registerSignal ?? isUnix
+    };
+    if (this.config.enabled) {
+      this.startPolling();
+      this.registerSignalHandler();
+    }
+  }
+  /**
+   * Check if the kill switch is currently active.
+   * This should be called at the TOP of the proxy pipeline.
+   */
+  isActive() {
+    if (!this.config.enabled) return false;
+    return this.manuallyActive || this.fileActive;
+  }
+  /**
+   * Get the current kill switch status.
+   */
+  getStatus() {
+    return {
+      active: this.isActive(),
+      reason: this.isActive() ? this.activeReason : "inactive",
+      activatedAt: this.isActive() ? this.activatedAt : null
+    };
+  }
+  /**
+   * Programmatically activate the kill switch.
+   */
+  activate(reason = "Manually activated") {
+    this.manuallyActive = true;
+    this.activeReason = reason;
+    this.activatedAt = (/* @__PURE__ */ new Date()).toISOString();
+  }
+  /**
+   * Programmatically deactivate the kill switch.
+   * Note: file-based kill switch must be deactivated by removing the file.
+   */
+  deactivate() {
+    this.manuallyActive = false;
+    if (!this.fileActive) {
+      this.activeReason = "";
+      this.activatedAt = null;
+    }
+  }
+  /**
+   * Start polling for kill files.
+   */
+  startPolling() {
+    if (!this.config.checkFile) return;
+    this.checkKillFiles();
+    this.pollTimer = setInterval(() => {
+      this.checkKillFiles();
+    }, this.config.pollIntervalMs);
+    this.pollTimer.unref();
+  }
+  /**
+   * Check if any kill file exists.
+   */
+  checkKillFiles() {
+    for (const dir of this.config.checkDirs) {
+      for (const fileName of this.config.killFileNames) {
+        const filePath = path4.join(dir, fileName);
+        try {
+          if (fs4.existsSync(filePath)) {
+            if (!this.fileActive) {
+              this.fileActive = true;
+              this.activeReason = `Kill file detected: ${filePath}`;
+              this.activatedAt = (/* @__PURE__ */ new Date()).toISOString();
+            }
+            return;
+          }
+        } catch {
+        }
+      }
+    }
+    if (this.fileActive) {
+      this.fileActive = false;
+      if (!this.manuallyActive) {
+        this.activeReason = "";
+        this.activatedAt = null;
+      }
+    }
+  }
+  /**
+   * Register SIGUSR2 signal handler to toggle kill switch.
+   * SIGUSR2 is used (not SIGUSR1) because some tools use SIGUSR1.
+   */
+  registerSignalHandler() {
+    if (!this.config.registerSignal) return;
+    try {
+      process.on("SIGUSR2", () => {
+        if (this.manuallyActive) {
+          this.deactivate();
+          process.stderr.write("[agent-wall] Kill switch DEACTIVATED via SIGUSR2\n");
+        } else {
+          this.activate("Activated via SIGUSR2 signal");
+          process.stderr.write("[agent-wall] Kill switch ACTIVATED via SIGUSR2\n");
+        }
+      });
+    } catch {
+    }
+  }
+  /**
+   * Stop the kill switch (cleanup timers and signal handlers).
+   */
+  dispose() {
+    if (this.pollTimer) {
+      clearInterval(this.pollTimer);
+      this.pollTimer = null;
+    }
+  }
+};
+
+// src/chain-detector.ts
+var BUILTIN_CHAINS = [
+  // ── Exfiltration chains ──
+  {
+    name: "read-then-network",
+    sequence: ["read_*|get_*|view_*", "shell_*|run_*|execute_*|bash"],
+    severity: "high",
+    message: "Potential data exfiltration: file read followed by shell command"
+  },
+  {
+    name: "read-write-send",
+    sequence: ["read_*|get_*", "write_*|create_*", "shell_*|run_*|bash"],
+    severity: "critical",
+    message: "Exfiltration chain: read \u2192 write \u2192 shell (staged exfiltration)"
+  },
+  {
+    name: "env-then-network",
+    sequence: ["read_*|get_*", "shell_*|run_*|bash"],
+    severity: "critical",
+    message: "Potential secret exfiltration: file read followed by network command",
+    trackArguments: true
+  },
+  // ── Reconnaissance chains ──
+  {
+    name: "directory-scan",
+    sequence: ["list_*|ls", "list_*|ls", "list_*|ls", "read_*|get_*"],
+    severity: "medium",
+    message: "Directory scanning pattern: multiple listings followed by file read"
+  },
+  // ── Dropper/persistence chains ──
+  {
+    name: "write-execute",
+    sequence: ["write_*|create_*", "shell_*|run_*|bash"],
+    severity: "high",
+    message: "Potential dropper: file write followed by shell execution"
+  },
+  {
+    name: "write-chmod-execute",
+    sequence: ["write_*|create_*", "shell_*|run_*|bash", "shell_*|run_*|bash"],
+    severity: "critical",
+    message: "Dropper chain: write \u2192 chmod \u2192 execute"
+  },
+  // ── Privilege escalation ──
+  {
+    name: "read-sensitive-then-write",
+    sequence: ["read_*|get_*", "write_*|create_*|edit_*"],
+    severity: "medium",
+    message: "Sensitive file read followed by file modification",
+    trackArguments: true
+  },
+  // ── Rapid shell commands ──
+  {
+    name: "shell-burst",
+    sequence: ["shell_*|run_*|bash", "shell_*|run_*|bash", "shell_*|run_*|bash", "shell_*|run_*|bash"],
+    severity: "high",
+    message: "Rapid burst of shell commands \u2014 potential automated attack"
+  }
+];
+var ChainDetector = class {
+  config;
+  history = [];
+  allChains;
+  constructor(config = {}) {
+    this.config = {
+      enabled: config.enabled ?? true,
+      windowSize: config.windowSize ?? 20,
+      windowMs: config.windowMs ?? 6e4,
+      // 1 minute
+      customChains: config.customChains ?? []
+    };
+    this.allChains = [...BUILTIN_CHAINS, ...this.config.customChains];
+  }
+  /**
+   * Record a tool call and check for suspicious chains.
+   * Call this AFTER the policy engine allows the call.
+   */
+  record(toolCall) {
+    if (!this.config.enabled) {
+      return { detected: false, matches: [], summary: "Chain detection disabled" };
+    }
+    const now = Date.now();
+    this.history.push({
+      tool: toolCall.name,
+      args: toolCall.arguments ?? {},
+      timestamp: now
+    });
+    this.pruneHistory(now);
+    const matches = [];
+    for (const chain of this.allChains) {
+      if (this.matchesChain(chain)) {
+        matches.push({
+          chain: chain.name,
+          severity: chain.severity,
+          calls: this.history.slice(-chain.sequence.length).map((c) => c.tool),
+          message: chain.message
+        });
+      }
+    }
+    if (matches.length === 0) {
+      return { detected: false, matches: [], summary: "No suspicious chains detected" };
+    }
+    const highestSeverity = matches.reduce((best, m) => {
+      const levels = { low: 0, medium: 1, high: 2, critical: 3 };
+      return levels[m.severity] > levels[best] ? m.severity : best;
+    }, "low");
+    return {
+      detected: true,
+      matches,
+      summary: `Suspicious tool call chain detected (${highestSeverity}): ${matches.map((m) => m.chain).join(", ")}`
+    };
+  }
+  /**
+   * Check if the current history matches a chain pattern.
+   * Looks for the sequence appearing in order (not necessarily consecutive).
+   */
+  matchesChain(chain) {
+    if (this.history.length < chain.sequence.length) return false;
+    const recentCalls = this.history.slice(-chain.sequence.length);
+    for (let i = 0; i < chain.sequence.length; i++) {
+      const pattern = chain.sequence[i];
+      const call = recentCalls[i];
+      if (!this.matchesToolPattern(pattern, call.tool)) {
+        return false;
+      }
+    }
+    return true;
+  }
+  /**
+   * Match a tool name against a pipe-separated glob-like pattern.
+   */
+  matchesToolPattern(pattern, toolName) {
+    const alternatives = pattern.split("|").map((p) => p.trim());
+    return alternatives.some((p) => {
+      if (p === "*") return true;
+      if (p.endsWith("*")) {
+        return toolName.startsWith(p.slice(0, -1));
+      }
+      if (p.startsWith("*")) {
+        return toolName.endsWith(p.slice(1));
+      }
+      return toolName === p;
+    });
+  }
+  /**
+   * Remove entries outside the time window or exceeding window size.
+   */
+  pruneHistory(now) {
+    const cutoff = now - this.config.windowMs;
+    this.history = this.history.filter((c) => c.timestamp >= cutoff);
+    if (this.history.length > this.config.windowSize) {
+      this.history = this.history.slice(-this.config.windowSize);
+    }
+  }
+  /**
+   * Clear the call history (e.g., on session reset).
+   */
+  reset() {
+    this.history = [];
+  }
+  /**
+   * Get the current call history length.
+   */
+  getHistoryLength() {
+    return this.history.length;
+  }
+};
+
+// src/dashboard-server.ts
+import * as http from "http";
+import * as fs5 from "fs";
+import * as path5 from "path";
+import { WebSocketServer } from "ws";
+var MIME_TYPES = {
+  ".html": "text/html; charset=utf-8",
+  ".js": "application/javascript; charset=utf-8",
+  ".css": "text/css; charset=utf-8",
+  ".json": "application/json; charset=utf-8",
+  ".svg": "image/svg+xml",
+  ".png": "image/png",
+  ".ico": "image/x-icon",
+  ".woff": "font/woff",
+  ".woff2": "font/woff2"
+};
+var DashboardServer = class {
+  httpServer = null;
+  wss = null;
+  statsTimer = null;
+  ruleHitCounts = /* @__PURE__ */ new Map();
+  startTime = Date.now();
+  options;
+  constructor(options) {
+    this.options = options;
+  }
+  async start() {
+    const { port, staticDir, statsIntervalMs = 2e3 } = this.options;
+    this.httpServer = http.createServer((req, res) => {
+      this.handleHttpRequest(req, res, staticDir);
+    });
+    this.wss = new WebSocketServer({ server: this.httpServer });
+    this.wss.on("error", () => {
+    });
+    this.wss.on("connection", (ws) => {
+      this.sendTo(ws, {
+        type: "welcome",
+        ts: (/* @__PURE__ */ new Date()).toISOString(),
+        payload: { message: "Agent Wall Dashboard connected" }
+      });
+      this.sendStats(ws);
+      this.sendConfig(ws);
+      this.sendRuleHits(ws);
+      ws.on("message", (data) => {
+        try {
+          const msg = JSON.parse(data.toString());
+          this.handleClientMessage(ws, msg);
+        } catch {
+        }
+      });
+    });
+    this.wireProxyEvents();
+    this.statsTimer = setInterval(() => {
+      this.broadcastStats();
+    }, statsIntervalMs);
+    return new Promise((resolve3, reject) => {
+      this.httpServer.on("error", reject);
+      this.httpServer.listen(port, () => resolve3());
+    });
+  }
+  async stop() {
+    if (this.statsTimer) {
+      clearInterval(this.statsTimer);
+      this.statsTimer = null;
+    }
+    if (this.wss) {
+      for (const ws of this.wss.clients) {
+        ws.close();
+      }
+      this.wss.close();
+      this.wss = null;
+    }
+    if (this.httpServer) {
+      return new Promise((resolve3) => {
+        this.httpServer.close(() => resolve3());
+        this.httpServer = null;
+      });
+    }
+  }
+  /** Get the actual port (useful when port 0 is used for testing) */
+  getPort() {
+    const addr = this.httpServer?.address();
+    if (addr && typeof addr === "object") return addr.port;
+    return this.options.port;
+  }
+  // ── Event Wiring ──────────────────────────────────────────────────
+  wireProxyEvents() {
+    const { proxy } = this.options;
+    const eventMap = [
+      { event: "allowed", severity: "info", getArgs: (tool) => ({ tool, detail: "" }) },
+      { event: "denied", severity: "warn", getArgs: (tool, msg = "") => ({ tool, detail: msg }) },
+      { event: "prompted", severity: "info", getArgs: (tool, msg = "") => ({ tool, detail: msg }) },
+      { event: "responseBlocked", severity: "warn", getArgs: (tool, findings = "") => ({ tool, detail: findings }) },
+      { event: "responseRedacted", severity: "info", getArgs: (tool, findings = "") => ({ tool, detail: findings }) },
+      { event: "injectionDetected", severity: "critical", getArgs: (tool, summary = "") => ({ tool, detail: summary }) },
+      { event: "egressBlocked", severity: "critical", getArgs: (tool, summary = "") => ({ tool, detail: summary }) },
+      { event: "killSwitchActive", severity: "critical", getArgs: (tool) => ({ tool, detail: "Kill switch is active \u2014 all calls denied" }) },
+      { event: "chainDetected", severity: "warn", getArgs: (tool, summary = "") => ({ tool, detail: summary }) }
+    ];
+    for (const { event, severity, getArgs } of eventMap) {
+      proxy.on(event, (tool, detail) => {
+        const parsed = getArgs(tool, detail);
+        this.broadcast({
+          type: "event",
+          ts: (/* @__PURE__ */ new Date()).toISOString(),
+          payload: { event, tool: parsed.tool, detail: parsed.detail, severity }
+        });
+      });
+    }
+  }
+  /** Called by the audit logger's onEntry callback */
+  handleAuditEntry(entry) {
+    if (entry.verdict?.rule) {
+      const key = entry.verdict.rule;
+      const existing = this.ruleHitCounts.get(key);
+      if (existing) {
+        existing.hits++;
+      } else {
+        this.ruleHitCounts.set(key, {
+          action: entry.verdict.action,
+          hits: 1
+        });
+      }
+    }
+    this.broadcast({
+      type: "audit",
+      ts: (/* @__PURE__ */ new Date()).toISOString(),
+      payload: entry
+    });
+    if (entry.verdict?.rule) {
+      const rules = Array.from(this.ruleHitCounts.entries()).map(
+        ([name, { action, hits }]) => ({ name, action, hits })
+      );
+      this.broadcast({
+        type: "ruleHits",
+        ts: (/* @__PURE__ */ new Date()).toISOString(),
+        payload: { rules }
+      });
+    }
+  }
+  // ── Client Message Handling ────────────────────────────────────────
+  handleClientMessage(ws, msg) {
+    switch (msg.type) {
+      case "toggleKillSwitch":
+        if (this.options.killSwitch) {
+          if (this.options.killSwitch.isActive()) {
+            this.options.killSwitch.deactivate();
+          } else {
+            this.options.killSwitch.activate();
+          }
+          this.broadcast({
+            type: "killSwitch",
+            ts: (/* @__PURE__ */ new Date()).toISOString(),
+            payload: { active: this.options.killSwitch.isActive() }
+          });
+        }
+        break;
+      case "getStats":
+        this.sendStats(ws);
+        break;
+      case "getConfig":
+        this.sendConfig(ws);
+        break;
+      case "getAuditLog": {
+        const entries = this.options.logger?.getEntries() ?? [];
+        let filtered = entries;
+        if (msg.filter && msg.filter !== "all") {
+          filtered = entries.filter((e) => e.verdict?.action === msg.filter);
+        }
+        const limited = msg.limit ? filtered.slice(-msg.limit) : filtered.slice(-100);
+        this.sendTo(ws, {
+          type: "audit",
+          ts: (/* @__PURE__ */ new Date()).toISOString(),
+          payload: limited
+        });
+        break;
+      }
+    }
+  }
+  // ── Broadcasting ──────────────────────────────────────────────────
+  broadcast(msg) {
+    if (!this.wss) return;
+    const data = JSON.stringify(msg);
+    for (const ws of this.wss.clients) {
+      if (ws.readyState === 1) {
+        ws.send(data);
+      }
+    }
+  }
+  sendTo(ws, msg) {
+    if (ws.readyState === 1) {
+      ws.send(JSON.stringify(msg));
+    }
+  }
+  broadcastStats() {
+    if (!this.wss || this.wss.clients.size === 0) return;
+    const stats = this.buildStats();
+    this.broadcast({
+      type: "stats",
+      ts: (/* @__PURE__ */ new Date()).toISOString(),
+      payload: stats
+    });
+  }
+  sendStats(ws) {
+    this.sendTo(ws, {
+      type: "stats",
+      ts: (/* @__PURE__ */ new Date()).toISOString(),
+      payload: this.buildStats()
+    });
+  }
+  buildStats() {
+    const proxyStats = this.options.proxy.getStats();
+    return {
+      ...proxyStats,
+      uptime: Math.floor((Date.now() - this.startTime) / 1e3),
+      killSwitchActive: this.options.killSwitch?.isActive() ?? false
+    };
+  }
+  sendConfig(ws) {
+    const pe = this.options.policyEngine;
+    const policyConfig = pe?.getConfig();
+    const config = {
+      defaultAction: policyConfig?.defaultAction ?? "prompt",
+      ruleCount: policyConfig?.rules?.length ?? 0,
+      mode: policyConfig?.mode ?? "standard",
+      security: {
+        injection: policyConfig?.security?.injectionDetection?.enabled ?? false,
+        egress: policyConfig?.security?.egressControl?.enabled ?? false,
+        killSwitch: !!this.options.killSwitch,
+        chain: policyConfig?.security?.chainDetection?.enabled ?? false,
+        signing: policyConfig?.security?.signing ?? false
+      }
+    };
+    this.sendTo(ws, {
+      type: "config",
+      ts: (/* @__PURE__ */ new Date()).toISOString(),
+      payload: config
+    });
+  }
+  sendRuleHits(ws) {
+    const rules = Array.from(this.ruleHitCounts.entries()).map(
+      ([name, { action, hits }]) => ({ name, action, hits })
+    );
+    this.sendTo(ws, {
+      type: "ruleHits",
+      ts: (/* @__PURE__ */ new Date()).toISOString(),
+      payload: { rules }
+    });
+  }
+  // ── Static File Serving ───────────────────────────────────────────
+  handleHttpRequest(req, res, staticDir) {
+    if (!staticDir) {
+      res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
+      res.end("<html><body><h1>Agent Wall Dashboard</h1><p>No static assets found. Build the dashboard package first.</p></body></html>");
+      return;
+    }
+    const url = req.url?.split("?")[0] ?? "/";
+    let filePath = path5.join(staticDir, url === "/" ? "index.html" : url);
+    const resolved = path5.resolve(filePath);
+    if (!resolved.startsWith(path5.resolve(staticDir))) {
+      res.writeHead(403);
+      res.end("Forbidden");
+      return;
+    }
+    try {
+      if (!fs5.existsSync(resolved) || fs5.statSync(resolved).isDirectory()) {
+        filePath = path5.join(staticDir, "index.html");
+      }
+      const content = fs5.readFileSync(filePath);
+      const ext = path5.extname(filePath).toLowerCase();
+      const contentType = MIME_TYPES[ext] ?? "application/octet-stream";
+      res.writeHead(200, { "Content-Type": contentType });
+      res.end(content);
+    } catch {
+      res.writeHead(404);
+      res.end("Not Found");
+    }
+  }
+};
+export {
+  AuditLogger,
+  BufferOverflowError,
+  ChainDetector,
+  DashboardServer,
+  EgressControl,
+  InjectionDetector,
+  JsonRpcMessageSchema,
+  JsonRpcNotificationSchema,
+  JsonRpcRequestSchema,
+  JsonRpcResponseSchema,
+  KillSwitch,
+  PolicyEngine,
+  ReadBuffer,
+  ResponseScanner,
+  StdioProxy,
+  checkFilePermissions,
+  createDefaultScanner,
+  createDenyResponse,
+  createPromptResponse,
+  createTerminalPromptHandler,
+  deserializeMessage,
+  discoverPolicyFile,
+  generateDefaultConfigYaml,
+  getDefaultPolicy,
+  getToolCallParams,
+  isNotification,
+  isRegexSafe,
+  isRequest,
+  isResponse,
+  isToolCall,
+  isToolList,
+  loadPolicy,
+  loadPolicyFile,
+  parsePolicyYaml,
+  serializeMessage
+};
+//# sourceMappingURL=index.js.map