@ai-pip/core 0.3.0 → 0.5.0

package/dist/shared/envelope/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/shared/envelope/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAA;AACxC,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAA;AAEjF,OAAO,EAAE,cAAc,EAAE,eAAe,EAAE,wBAAwB,EAAE,MAAM,6BAA6B,CAAA;AACvG,OAAO,EAAE,eAAe,EAAE,eAAe,EAAE,sBAAsB,EAAE,MAAM,8BAA8B,CAAA;AAEvG,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAA"}

package/dist/shared/envelope/types.d.ts

@@ -0,0 +1,45 @@
+/**
+ * Envelope types (transversal) – integrity and anti-replay
+ *
+ * @remarks
+ * The envelope is a cross-cutting concern: it wraps the pipeline result
+ * (e.g. ISL or AAL output) with metadata, nonce, and HMAC signature.
+ * It is not a processing layer; it applies to the result of the pipeline.
+ */
+import type { LineageEntry } from '../../csl/value-objects/index.js';
+/** Protocol version string (e.g. "0.1.4") */
+export type ProtocolVersion = string;
+/** Unix timestamp in milliseconds */
+export type Timestamp = number;
+/** Nonce value for replay prevention */
+export type NonceValue = string;
+/** Supported signature algorithm */
+export type SignatureAlgorithm = 'HMAC-SHA256';
+/** Signature value (hex string) */
+export type Signature = string;
+/** Envelope security metadata: timestamp, nonce, protocol version, optional previous signatures */
+export interface CPEMetadata {
+    readonly timestamp: Timestamp;
+    readonly nonce: NonceValue;
+    readonly protocolVersion: ProtocolVersion;
+    readonly previousSignatures?: {
+        readonly csl?: string | undefined;
+        readonly isl?: string | undefined;
+    } | undefined;
+}
+/** Full cryptographic envelope: payload, metadata, signature, lineage */
+export interface CPEEvelope {
+    readonly payload: unknown;
+    readonly metadata: CPEMetadata;
+    readonly signature: {
+        readonly value: string;
+        readonly algorithm: string;
+    };
+    readonly lineage: readonly LineageEntry[];
+}
+/** Result of envelope generation (envelope + optional processing time) */
+export interface CPEResult {
+    readonly envelope: CPEEvelope;
+    readonly processingTimeMs?: number;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/shared/envelope/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/shared/envelope/types.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,kCAAkC,CAAA;AAEpE,6CAA6C;AAC7C,MAAM,MAAM,eAAe,GAAG,MAAM,CAAA;AAEpC,qCAAqC;AACrC,MAAM,MAAM,SAAS,GAAG,MAAM,CAAA;AAE9B,wCAAwC;AACxC,MAAM,MAAM,UAAU,GAAG,MAAM,CAAA;AAE/B,oCAAoC;AACpC,MAAM,MAAM,kBAAkB,GAAG,aAAa,CAAA;AAE9C,mCAAmC;AACnC,MAAM,MAAM,SAAS,GAAG,MAAM,CAAA;AAE9B,mGAAmG;AACnG,MAAM,WAAW,WAAW;IAC1B,QAAQ,CAAC,SAAS,EAAE,SAAS,CAAA;IAC7B,QAAQ,CAAC,KAAK,EAAE,UAAU,CAAA;IAC1B,QAAQ,CAAC,eAAe,EAAE,eAAe,CAAA;IACzC,QAAQ,CAAC,kBAAkB,CAAC,EAAE;QAC5B,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;QACjC,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;KAClC,GAAG,SAAS,CAAA;CACd;AAED,yEAAyE;AACzE,MAAM,WAAW,UAAU;IACzB,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAA;IACzB,QAAQ,CAAC,QAAQ,EAAE,WAAW,CAAA;IAC9B,QAAQ,CAAC,SAAS,EAAE;QAClB,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAA;QACtB,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAA;KAC3B,CAAA;IACD,QAAQ,CAAC,OAAO,EAAE,SAAS,YAAY,EAAE,CAAA;CAC1C;AAED,0EAA0E;AAC1E,MAAM,WAAW,SAAS;IACxB,QAAQ,CAAC,QAAQ,EAAE,UAAU,CAAA;IAC7B,QAAQ,CAAC,gBAAgB,CAAC,EAAE,MAAM,CAAA;CACnC"}

package/dist/shared/envelope/types.js

@@ -0,0 +1,10 @@
+/**
+ * Envelope types (transversal) – integrity and anti-replay
+ *
+ * @remarks
+ * The envelope is a cross-cutting concern: it wraps the pipeline result
+ * (e.g. ISL or AAL output) with metadata, nonce, and HMAC signature.
+ * It is not a processing layer; it applies to the result of the pipeline.
+ */
+export {};
+//# sourceMappingURL=types.js.map

package/dist/shared/envelope/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../../src/shared/envelope/types.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG"}

package/dist/shared/envelope/value-objects/Metadata.d.ts

@@ -0,0 +1,27 @@
+/**
+ * Envelope metadata – security metadata value object (timestamp, nonce, version).
+ *
+ * @remarks
+ * Immutable; validates timestamp (positive, not in the future) and protocol version.
+ */
+import type { CPEMetadata, ProtocolVersion, Timestamp } from '../types.js';
+import type { Nonce as NonceVO } from './Nonce.js';
+/** Current protocol version for envelope metadata */
+export declare const CURRENT_PROTOCOL_VERSION: ProtocolVersion;
+/**
+ * Creates envelope metadata (frozen).
+ *
+ * @param timestamp - Unix timestamp in ms
+ * @param nonce - Nonce value object
+ * @param protocolVersion - Protocol version (default: CURRENT_PROTOCOL_VERSION)
+ * @param previousSignatures - Optional previous layer signatures (csl, isl)
+ */
+export declare function createMetadata(timestamp: Timestamp, nonce: NonceVO, protocolVersion?: ProtocolVersion, previousSignatures?: {
+    csl?: string;
+    isl?: string;
+}): CPEMetadata;
+/**
+ * Validates metadata shape and values.
+ */
+export declare function isValidMetadata(metadata: CPEMetadata): boolean;
+//# sourceMappingURL=Metadata.d.ts.map

package/dist/shared/envelope/value-objects/Metadata.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"Metadata.d.ts","sourceRoot":"","sources":["../../../../src/shared/envelope/value-objects/Metadata.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,WAAW,EAAE,eAAe,EAAE,SAAS,EAAE,MAAM,aAAa,CAAA;AAC1E,OAAO,KAAK,EAAE,KAAK,IAAI,OAAO,EAAE,MAAM,YAAY,CAAA;AAElD,qDAAqD;AACrD,eAAO,MAAM,wBAAwB,EAAE,eAAyB,CAAA;AAEhE;;;;;;;GAOG;AACH,wBAAgB,cAAc,CAC5B,SAAS,EAAE,SAAS,EACpB,KAAK,EAAE,OAAO,EACd,eAAe,GAAE,eAA0C,EAC3D,kBAAkB,CAAC,EAAE;IAAE,GAAG,CAAC,EAAE,MAAM,CAAC;IAAC,GAAG,CAAC,EAAE,MAAM,CAAA;CAAE,GAClD,WAAW,CAyBb;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,QAAQ,EAAE,WAAW,GAAG,OAAO,CAS9D"}

package/dist/{cpe → shared/envelope}/value-objects/Metadata.js

@@ -1,32 +1,27 @@
 /**
- * CPEMetadata - Metadata de seguridad del envelope
- * Value Object puro e inmutable
- */
-/**
- * Versión actual del protocolo
+ * Envelope metadata – security metadata value object (timestamp, nonce, version).
+ *
+ * @remarks
+ * Immutable; validates timestamp (positive, not in the future) and protocol version.
  */
+/** Current protocol version for envelope metadata */
 export const CURRENT_PROTOCOL_VERSION = '0.1.4';
 /**
- * Crea metadata de seguridad para el envelope
- * Según especificación: timestamp, nonce, protocolVersion, previousSignatures opcionales
+ * Creates envelope metadata (frozen).
  *
- * @param timestamp - Timestamp Unix en milisegundos
- * @param nonce - Nonce único
- * @param protocolVersion - Versión del protocolo (default: CURRENT_PROTOCOL_VERSION)
- * @param previousSignatures - Firmas opcionales de capas anteriores (csl, isl)
- * @returns CPEMetadata inmutable
+ * @param timestamp - Unix timestamp in ms
+ * @param nonce - Nonce value object
+ * @param protocolVersion - Protocol version (default: CURRENT_PROTOCOL_VERSION)
+ * @param previousSignatures - Optional previous layer signatures (csl, isl)
  */
 export function createMetadata(timestamp, nonce, protocolVersion = CURRENT_PROTOCOL_VERSION, previousSignatures) {
-    // Validar timestamp
     if (timestamp <= 0) {
         throw new Error('Timestamp must be a positive number');
     }
-    // Validar que no sea del futuro (con margen de 5 minutos para sincronización)
     const maxFutureTimestamp = Date.now() + 5 * 60 * 1000;
     if (timestamp > maxFutureTimestamp) {
         throw new Error('Timestamp cannot be in the future');
     }
-    // Validar version del protocolo
     if (!protocolVersion || typeof protocolVersion !== 'string') {
         throw new Error('Protocol version must be a non-empty string');
     }
@@ -43,10 +38,7 @@ export function createMetadata(timestamp, nonce, protocolVersion = CURRENT_PROTO
     });
 }
 /**
- * Valida que la metadata sea válida
- *
- * @param metadata - Metadata a validar
- * @returns true si es válida
+ * Validates metadata shape and values.
  */
 export function isValidMetadata(metadata) {
     try {

package/dist/shared/envelope/value-objects/Metadata.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"Metadata.js","sourceRoot":"","sources":["../../../../src/shared/envelope/value-objects/Metadata.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAKH,qDAAqD;AACrD,MAAM,CAAC,MAAM,wBAAwB,GAAoB,OAAO,CAAA;AAEhE;;;;;;;GAOG;AACH,MAAM,UAAU,cAAc,CAC5B,SAAoB,EACpB,KAAc,EACd,kBAAmC,wBAAwB,EAC3D,kBAAmD;IAEnD,IAAI,SAAS,IAAI,CAAC,EAAE,CAAC;QACnB,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAA;IACxD,CAAC;IAED,MAAM,kBAAkB,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAA;IACrD,IAAI,SAAS,GAAG,kBAAkB,EAAE,CAAC;QACnC,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAA;IACtD,CAAC;IAED,IAAI,CAAC,eAAe,IAAI,OAAO,eAAe,KAAK,QAAQ,EAAE,CAAC;QAC5D,MAAM,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAA;IAChE,CAAC;IAED,OAAO,MAAM,CAAC,MAAM,CAAC;QACnB,SAAS;QACT,KAAK,EAAE,KAAK,CAAC,KAAK;QAClB,eAAe;QACf,kBAAkB,EAAE,kBAAkB;YACpC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC;gBACZ,GAAG,EAAE,kBAAkB,CAAC,GAAG,IAAI,SAAS;gBACxC,GAAG,EAAE,kBAAkB,CAAC,GAAG,IAAI,SAAS;aACzC,CAAC;YACJ,CAAC,CAAC,SAAS;KACd,CAAC,CAAA;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe,CAAC,QAAqB;IACnD,IAAI,CAAC;QACH,IAAI,QAAQ,CAAC,SAAS,IAAI,CAAC;YAAE,OAAO,KAAK,CAAA;QACzC,IAAI,CAAC,QAAQ,CAAC,KAAK,IAAI,QAAQ,CAAC,KAAK,CAAC,MAAM,GAAG,EAAE;YAAE,OAAO,KAAK,CAAA;QAC/D,IAAI,CAAC,QAAQ,CAAC,eAAe;YAAE,OAAO,KAAK,CAAA;QAC3C,OAAO,IAAI,CAAA;IACb,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAA;IACd,CAAC;AACH,CAAC"}

package/dist/shared/envelope/value-objects/Nonce.d.ts

@@ -0,0 +1,26 @@
+/**
+ * Nonce – unique value for replay prevention. Immutable value object.
+ *
+ * @remarks
+ * Used by the envelope to bind each wrapped result to a unique value;
+ * verification layer (SDK) should reject duplicate nonces within a time window.
+ */
+export type Nonce = {
+    readonly value: string;
+};
+/**
+ * Creates a unique nonce (default 16 bytes, hex-encoded).
+ *
+ * @param length - Length in bytes (8–64)
+ * @returns Frozen Nonce value object
+ */
+export declare function createNonce(length?: number): Nonce;
+/**
+ * Validates that a string is a valid nonce format (hex, 16–128 chars).
+ */
+export declare function isValidNonce(value: string): boolean;
+/**
+ * Compares two nonces for equality.
+ */
+export declare function equalsNonce(nonce1: Nonce, nonce2: Nonce): boolean;
+//# sourceMappingURL=Nonce.d.ts.map

package/dist/shared/envelope/value-objects/Nonce.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"Nonce.d.ts","sourceRoot":"","sources":["../../../../src/shared/envelope/value-objects/Nonce.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,MAAM,MAAM,KAAK,GAAG;IAClB,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAA;CACvB,CAAA;AAED;;;;;GAKG;AACH,wBAAgB,WAAW,CAAC,MAAM,GAAE,MAAW,GAAG,KAAK,CAYtD;AAED;;GAEG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAEnD;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,GAAG,OAAO,CAEjE"}

package/dist/{cpe → shared/envelope}/value-objects/Nonce.js

@@ -1,13 +1,16 @@
 /**
- * Nonce - Valor único para prevenir ataques de replay
- * Value Object puro e inmutable
+ * Nonce – unique value for replay prevention. Immutable value object.
+ *
+ * @remarks
+ * Used by the envelope to bind each wrapped result to a unique value;
+ * verification layer (SDK) should reject duplicate nonces within a time window.
  */
 import { randomBytes } from 'node:crypto';
 /**
- * Genera un nonce único
+ * Creates a unique nonce (default 16 bytes, hex-encoded).
  *
- * @param length - Longitud del nonce en bytes (default: 16)
- * @returns Nonce único
+ * @param length - Length in bytes (8–64)
+ * @returns Frozen Nonce value object
  */
 export function createNonce(length = 16) {
     if (length < 8) {
@@ -18,25 +21,16 @@ export function createNonce(length = 16) {
     }
     const bytes = randomBytes(length);
     const value = bytes.toString('hex');
-    return Object.freeze({
-        value,
-    });
+    return Object.freeze({ value });
 }
 /**
- * Valida que un string sea un nonce válido
- *
- * @param value - String a validar
- * @returns true si es un nonce válido
+ * Validates that a string is a valid nonce format (hex, 16–128 chars).
  */
 export function isValidNonce(value) {
     return /^[a-f0-9]{16,128}$/i.test(value);
 }
 /**
- * Compara dos nonces
- *
- * @param nonce1 - Primer nonce
- * @param nonce2 - Segundo nonce
- * @returns true si son iguales
+ * Compares two nonces for equality.
  */
 export function equalsNonce(nonce1, nonce2) {
     return nonce1.value === nonce2.value;

package/dist/shared/envelope/value-objects/Nonce.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"Nonce.js","sourceRoot":"","sources":["../../../../src/shared/envelope/value-objects/Nonce.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAA;AAMzC;;;;;GAKG;AACH,MAAM,UAAU,WAAW,CAAC,SAAiB,EAAE;IAC7C,IAAI,MAAM,GAAG,CAAC,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAA;IAC1D,CAAC;IACD,IAAI,MAAM,GAAG,EAAE,EAAE,CAAC;QAChB,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAA;IAC1D,CAAC;IAED,MAAM,KAAK,GAAG,WAAW,CAAC,MAAM,CAAC,CAAA;IACjC,MAAM,KAAK,GAAG,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;IAEnC,OAAO,MAAM,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,CAAC,CAAA;AACjC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,YAAY,CAAC,KAAa;IACxC,OAAO,qBAAqB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;AAC1C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,WAAW,CAAC,MAAa,EAAE,MAAa;IACtD,OAAO,MAAM,CAAC,KAAK,KAAK,MAAM,CAAC,KAAK,CAAA;AACtC,CAAC"}

package/dist/shared/envelope/value-objects/Signature.d.ts

@@ -0,0 +1,28 @@
+/**
+ * Signature – HMAC-SHA256 cryptographic signature. Immutable value object.
+ *
+ * @remarks
+ * Used by the envelope to sign payload + metadata; verification is responsibility of the SDK.
+ */
+import type { SignatureAlgorithm } from '../types.js';
+export type SignatureVO = {
+    readonly value: string;
+    readonly algorithm: SignatureAlgorithm;
+};
+/**
+ * Creates HMAC-SHA256 signature of the given content.
+ *
+ * @param content - String to sign (e.g. JSON.stringify(payload + metadata))
+ * @param secretKey - Secret key for HMAC (must not be logged or serialized)
+ * @returns Frozen Signature value object
+ */
+export declare function createSignature(content: string, secretKey: string): SignatureVO;
+/**
+ * Verifies that a signature matches the content (constant-time comparison should be used in production).
+ */
+export declare function verifySignature(content: string, signature: string, secretKey: string): boolean;
+/**
+ * Validates signature format (64 hex chars for HMAC-SHA256).
+ */
+export declare function isValidSignatureFormat(signature: string): boolean;
+//# sourceMappingURL=Signature.d.ts.map

package/dist/shared/envelope/value-objects/Signature.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"Signature.d.ts","sourceRoot":"","sources":["../../../../src/shared/envelope/value-objects/Signature.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAA;AAErD,MAAM,MAAM,WAAW,GAAG;IACxB,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAA;IACtB,QAAQ,CAAC,SAAS,EAAE,kBAAkB,CAAA;CACvC,CAAA;AAED;;;;;;GAMG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,WAAW,CAiB/E;AAED;;GAEG;AACH,wBAAgB,eAAe,CAC7B,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,MAAM,EACjB,SAAS,EAAE,MAAM,GAChB,OAAO,CAQT;AAED;;GAEG;AACH,wBAAgB,sBAAsB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAEjE"}

package/dist/shared/envelope/value-objects/Signature.js

@@ -0,0 +1,50 @@
+/**
+ * Signature – HMAC-SHA256 cryptographic signature. Immutable value object.
+ *
+ * @remarks
+ * Used by the envelope to sign payload + metadata; verification is responsibility of the SDK.
+ */
+import { createHmac } from 'node:crypto';
+/**
+ * Creates HMAC-SHA256 signature of the given content.
+ *
+ * @param content - String to sign (e.g. JSON.stringify(payload + metadata))
+ * @param secretKey - Secret key for HMAC (must not be logged or serialized)
+ * @returns Frozen Signature value object
+ */
+export function createSignature(content, secretKey) {
+    if (!secretKey || secretKey.length === 0) {
+        throw new Error('Secret key is required for signature generation');
+    }
+    if (typeof content !== 'string') {
+        throw new TypeError('Content must be a string');
+    }
+    const hmac = createHmac('sha256', secretKey);
+    hmac.update(content);
+    const signature = hmac.digest('hex');
+    return Object.freeze({
+        value: signature,
+        algorithm: 'HMAC-SHA256',
+    });
+}
+/**
+ * Verifies that a signature matches the content (constant-time comparison should be used in production).
+ */
+export function verifySignature(content, signature, secretKey) {
+    if (!secretKey || secretKey.length === 0)
+        return false;
+    try {
+        const expected = createSignature(content, secretKey);
+        return expected.value === signature;
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Validates signature format (64 hex chars for HMAC-SHA256).
+ */
+export function isValidSignatureFormat(signature) {
+    return /^[a-f0-9]{64}$/i.test(signature);
+}
+//# sourceMappingURL=Signature.js.map

package/dist/shared/envelope/value-objects/Signature.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"Signature.js","sourceRoot":"","sources":["../../../../src/shared/envelope/value-objects/Signature.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAA;AAQxC;;;;;;GAMG;AACH,MAAM,UAAU,eAAe,CAAC,OAAe,EAAE,SAAiB;IAChE,IAAI,CAAC,SAAS,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzC,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAA;IACpE,CAAC;IAED,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;QAChC,MAAM,IAAI,SAAS,CAAC,0BAA0B,CAAC,CAAA;IACjD,CAAC;IAED,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAA;IAC5C,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,CAAA;IACpB,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;IAEpC,OAAO,MAAM,CAAC,MAAM,CAAC;QACnB,KAAK,EAAE,SAAS;QAChB,SAAS,EAAE,aAAa;KACzB,CAAC,CAAA;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe,CAC7B,OAAe,EACf,SAAiB,EACjB,SAAiB;IAEjB,IAAI,CAAC,SAAS,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAA;IACtD,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,eAAe,CAAC,OAAO,EAAE,SAAS,CAAC,CAAA;QACpD,OAAO,QAAQ,CAAC,KAAK,KAAK,SAAS,CAAA;IACrC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAA;IACd,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,sBAAsB,CAAC,SAAiB;IACtD,OAAO,iBAAiB,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;AAC1C,CAAC"}

package/dist/{cpe → shared/envelope}/value-objects/index.d.ts

@@ -1,5 +1,5 @@
 /**
- * CPE Value Objects - Exports
+ * Envelope value objects – nonce, metadata, signature
  */
 export type { Nonce } from './Nonce.js';
 export { createNonce, isValidNonce, equalsNonce } from './Nonce.js';

package/dist/shared/envelope/value-objects/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/shared/envelope/value-objects/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,YAAY,EAAE,KAAK,EAAE,MAAM,YAAY,CAAA;AACvC,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,YAAY,CAAA;AACnE,OAAO,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,eAAe,CAAA;AAC/D,YAAY,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAA;AACjD,OAAO,EAAE,eAAe,EAAE,eAAe,EAAE,sBAAsB,EAAE,MAAM,gBAAgB,CAAA"}

package/dist/{cpe → shared/envelope}/value-objects/index.js

@@ -1,5 +1,5 @@
 /**
- * CPE Value Objects - Exports
+ * Envelope value objects – nonce, metadata, signature
  */
 export { createNonce, isValidNonce, equalsNonce } from './Nonce.js';
 export { createMetadata, isValidMetadata } from './Metadata.js';

package/dist/shared/envelope/value-objects/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../src/shared/envelope/value-objects/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAGH,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,YAAY,CAAA;AACnE,OAAO,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,eAAe,CAAA;AAE/D,OAAO,EAAE,eAAe,EAAE,eAAe,EAAE,sBAAsB,EAAE,MAAM,gBAAgB,CAAA"}

package/dist/shared/index.d.ts

@@ -6,6 +6,6 @@
  */
 export { addLineageEntry, addLineageEntries, filterLineageByStep, getLastLineageEntry } from './lineage.js';
 export { formatLineageForAudit, formatCSLForAudit, formatISLForAudit, formatISLSignalForAudit, formatAALForAudit, formatCPEForAudit, formatPipelineAudit, formatPipelineAuditFull, formatPipelineAuditAsJson, createAuditRunId, buildAuditLogEntry, buildFullAuditPayload } from './audit.js';
-export type { LineageEntryLike, CSLResultLike, ISLResultLike, ISLSignalLike, DecisionReasonLike, RemovalPlanLike, CPEResultLike, AuditRunInfo, AuditLogSummary, FullPipelineAuditOptions, PipelineAuditJsonOptions } from './audit.js';
+export type { LineageEntryLike, CSLResultLike, ISLResultLike, ISLSignalLike, DecisionReasonLike, RemediationPlanLike, CPEResultLike, AuditRunInfo, AuditLogSummary, FullPipelineAuditOptions, PipelineAuditJsonOptions } from './audit.js';
 export type { Position, SegmentRef } from './types.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/shared/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/shared/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,EACL,eAAe,EACf,iBAAiB,EACjB,mBAAmB,EACnB,mBAAmB,EACpB,MAAM,cAAc,CAAA;AAGrB,OAAO,EACL,qBAAqB,EACrB,iBAAiB,EACjB,iBAAiB,EACjB,uBAAuB,EACvB,iBAAiB,EACjB,iBAAiB,EACjB,mBAAmB,EACnB,uBAAuB,EACvB,yBAAyB,EACzB,gBAAgB,EAChB,kBAAkB,EAClB,qBAAqB,EACtB,MAAM,YAAY,CAAA;AAEnB,YAAY,EACV,gBAAgB,EAChB,aAAa,EACb,aAAa,EACb,aAAa,EACb,kBAAkB,EAClB,eAAe,EACf,aAAa,EACb,YAAY,EACZ,eAAe,EACf,wBAAwB,EACxB,wBAAwB,EACzB,MAAM,YAAY,CAAA;AAEnB,YAAY,EACV,QAAQ,EACR,UAAU,EACX,MAAM,YAAY,CAAA"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/shared/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,EACL,eAAe,EACf,iBAAiB,EACjB,mBAAmB,EACnB,mBAAmB,EACpB,MAAM,cAAc,CAAA;AAGrB,OAAO,EACL,qBAAqB,EACrB,iBAAiB,EACjB,iBAAiB,EACjB,uBAAuB,EACvB,iBAAiB,EACjB,iBAAiB,EACjB,mBAAmB,EACnB,uBAAuB,EACvB,yBAAyB,EACzB,gBAAgB,EAChB,kBAAkB,EAClB,qBAAqB,EACtB,MAAM,YAAY,CAAA;AAEnB,YAAY,EACV,gBAAgB,EAChB,aAAa,EACb,aAAa,EACb,aAAa,EACb,kBAAkB,EAClB,mBAAmB,EACnB,aAAa,EACb,YAAY,EACZ,eAAe,EACf,wBAAwB,EACxB,wBAAwB,EACzB,MAAM,YAAY,CAAA;AAEnB,YAAY,EACV,QAAQ,EACR,UAAU,EACX,MAAM,YAAY,CAAA"}

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@ai-pip/core",
-  "version": "0.3.0",
-  "description": "Core implementation of the AI-PIP protocol. Provides layered, zero-trust context processing (CSL, ISL, AAL, CPE)",
+  "version": "0.5.0",
+  "description": "Core implementation of the AI-PIP protocol. Provides layered, zero-trust context processing (CSL, ISL, AAL) and transversal integrity (CPE)",
   "type": "module",
   "main": "./dist/index.js",
   "types": "./dist/index.d.ts",
@@ -27,9 +27,9 @@
       "default": "./dist/AAL/index.js"
     },
     "./cpe": {
-      "types": "./dist/cpe/index.d.ts",
-      "import": "./dist/cpe/index.js",
-      "default": "./dist/cpe/index.js"
+      "types": "./dist/shared/envelope/index.d.ts",
+      "import": "./dist/shared/envelope/index.js",
+      "default": "./dist/shared/envelope/index.js"
     },
     "./shared": {
       "types": "./dist/shared/index.d.ts",
@@ -87,9 +87,11 @@
     "test:ui": "vitest --ui",
     "test:coverage": "vitest --coverage",
     "test:install": "node test-package-install.js",
+    "test:tags": "node scripts/test-tags-exhaustive.mjs",
     "verify-risk": "node scripts/verify-risk-score.mjs",
     "demo-menu": "node scripts/interactive-risk-menu.mjs",
     "demo-full": "node scripts/demo-full-flow.mjs",
-    "audit-report": "node scripts/audit-report.mjs"
+    "audit-report": "node scripts/audit-report.mjs",
+    "scan-removal": "node scripts/scan-removal.mjs"
   }
 }

package/dist/AAL/process/applyRemovalPlan.d.ts

@@ -1,21 +0,0 @@
-/**
- * applyRemovalPlan - Applies a removal plan to ISL result (pure, deterministic).
- *
- * @remarks
- * Removes malicious ranges from each segment's sanitizedContent according to the plan.
- * Only instructions with segmentId are applied; others are skipped.
- * Overlapping ranges per segment are merged before removal.
- */
-import type { RemovalPlan } from './buildRemovalPlan.js';
-import type { ISLResult } from '../../isl/types.js';
-/**
- * Applies a removal plan to an ISL result.
- * Produces a new ISLResult with segment sanitizedContent updated (malicious ranges removed).
- * Instructions without segmentId are ignored. Positions are clamped to [0, content.length] per segment; invalid or empty ranges are dropped. Lineage and metadata are preserved.
- *
- * @param islResult - ISL result (segments with sanitizedContent and optional piDetection)
- * @param plan - Removal plan from buildRemovalPlanFromResult (must include segmentIds for removal)
- * @returns New ISLResult with sanitizedContent updated per segment
- */
-export declare function applyRemovalPlan(islResult: ISLResult, plan: RemovalPlan): ISLResult;
-//# sourceMappingURL=applyRemovalPlan.d.ts.map

package/dist/AAL/process/applyRemovalPlan.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"applyRemovalPlan.d.ts","sourceRoot":"","sources":["../../../src/AAL/process/applyRemovalPlan.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAA;AACxD,OAAO,KAAK,EAAE,SAAS,EAAc,MAAM,oBAAoB,CAAA;AAwG/D;;;;;;;;GAQG;AACH,wBAAgB,gBAAgB,CAAC,SAAS,EAAE,SAAS,EAAE,IAAI,EAAE,WAAW,GAAG,SAAS,CAmCnF"}

package/dist/AAL/process/applyRemovalPlan.js

@@ -1,150 +0,0 @@
-/**
- * applyRemovalPlan - Applies a removal plan to ISL result (pure, deterministic).
- *
- * @remarks
- * Removes malicious ranges from each segment's sanitizedContent according to the plan.
- * Only instructions with segmentId are applied; others are skipped.
- * Overlapping ranges per segment are merged before removal.
- */
-/**
- * Clamps position ranges to valid [0, contentLength) and drops empty or invalid ranges.
- * Ensures 0 <= start <= end <= contentLength and start < end.
- */
-function clampRangesToContent(ranges, contentLength) {
-    if (contentLength <= 0 || ranges.length === 0)
-        return [];
-    const result = [];
-    for (const r of ranges) {
-        const start = Math.max(0, Math.min(Number(r.start), contentLength));
-        const end = Math.max(0, Math.min(Number(r.end), contentLength));
-        if (start < end)
-            result.push({ start, end });
-    }
-    return result;
-}
-/**
- * Merges overlapping ranges (start inclusive, end exclusive). Sorted by start.
- */
-function mergeRanges(ranges) {
-    if (ranges.length === 0)
-        return [];
-    const sorted = [...ranges].sort((a, b) => a.start - b.start);
-    const merged = [{ start: sorted[0].start, end: sorted[0].end }];
-    for (let i = 1; i < sorted.length; i++) {
-        const r = sorted[i];
-        const last = merged.at(-1);
-        if (r.start <= last.end) {
-            merged[merged.length - 1] = { start: last.start, end: Math.max(last.end, r.end) };
-        }
-        else {
-            merged.push({ start: r.start, end: r.end });
-        }
-    }
-    return merged;
-}
-/** Max gap (chars) between ranges to consider for merging when gap is only punctuation/whitespace */
-const MAX_PUNCTUATION_GAP = 10;
-/** True if the substring is only whitespace and/or common punctuation (no words). */
-function isOnlyPunctuationOrWhitespace(s) {
-    return /^[\s.,;:!?'"-]*$/.test(s);
-}
-/**
- * Merges consecutive ranges when the gap between them is only punctuation/whitespace,
- * so we remove one contiguous block instead of leaving fragments like ", . ".
- */
-function mergeAdjacentByPunctuation(ranges, content) {
-    if (ranges.length <= 1)
-        return [...ranges];
-    const result = [{ ...ranges[0] }];
-    for (let i = 1; i < ranges.length; i++) {
-        const r = ranges[i];
-        const last = result.at(-1);
-        const gapStart = last.end;
-        const gapEnd = r.start;
-        if (gapEnd > gapStart && gapEnd - gapStart <= MAX_PUNCTUATION_GAP) {
-            const gap = content.slice(gapStart, gapEnd);
-            if (isOnlyPunctuationOrWhitespace(gap)) {
-                result[result.length - 1] = { start: last.start, end: r.end };
-                continue;
-            }
-        }
-        result.push({ ...r });
-    }
-    return result;
-}
-/**
- * Removes given ranges from content. Ranges must be non-overlapping and sorted by start.
- */
-function removeRanges(content, ranges) {
-    if (ranges.length === 0)
-        return content;
-    let result = '';
-    let pos = 0;
-    for (const r of ranges) {
-        if (r.start > pos)
-            result += content.slice(pos, r.start);
-        pos = Math.max(pos, r.end);
-    }
-    if (pos < content.length)
-        result += content.slice(pos);
-    return result;
-}
-function assertApplyRemovalPlanArgs(islResult, plan) {
-    if (islResult == null || typeof islResult !== 'object') {
-        throw new TypeError('AAL applyRemovalPlan: islResult must be a non-null object');
-    }
-    if (!Array.isArray(islResult.segments)) {
-        throw new TypeError('AAL applyRemovalPlan: islResult.segments must be an array');
-    }
-    if (plan == null || typeof plan !== 'object') {
-        throw new TypeError('AAL applyRemovalPlan: plan must be a non-null object');
-    }
-    if (!Array.isArray(plan.instructionsToRemove)) {
-        throw new TypeError('AAL applyRemovalPlan: plan.instructionsToRemove must be an array');
-    }
-}
-/**
- * Applies a removal plan to an ISL result.
- * Produces a new ISLResult with segment sanitizedContent updated (malicious ranges removed).
- * Instructions without segmentId are ignored. Positions are clamped to [0, content.length] per segment; invalid or empty ranges are dropped. Lineage and metadata are preserved.
- *
- * @param islResult - ISL result (segments with sanitizedContent and optional piDetection)
- * @param plan - Removal plan from buildRemovalPlanFromResult (must include segmentIds for removal)
- * @returns New ISLResult with sanitizedContent updated per segment
- */
-export function applyRemovalPlan(islResult, plan) {
-    assertApplyRemovalPlanArgs(islResult, plan);
-    if (!plan.shouldRemove || plan.instructionsToRemove.length === 0) {
-        return islResult;
-    }
-    const bySegmentId = new Map();
-    for (const inst of plan.instructionsToRemove) {
-        if (inst.segmentId == null)
-            continue;
-        const list = bySegmentId.get(inst.segmentId) ?? [];
-        list.push(inst.position);
-        bySegmentId.set(inst.segmentId, list);
-    }
-    if (bySegmentId.size === 0)
-        return islResult;
-    const newSegments = islResult.segments.map((seg) => {
-        const ranges = bySegmentId.get(seg.id);
-        if (ranges == null || ranges.length === 0)
-            return seg;
-        const content = seg.sanitizedContent ?? '';
-        const len = typeof content === 'string' ? content.length : 0;
-        const clamped = clampRangesToContent(ranges, len);
-        if (clamped.length === 0)
-            return seg;
-        const merged = mergeRanges(clamped);
-        const mergedAdjacent = mergeAdjacentByPunctuation(merged, content);
-        const newContent = removeRanges(content, mergedAdjacent);
-        return { ...seg, sanitizedContent: newContent };
-    });
-    return {
-        segments: Object.freeze(newSegments),
-        lineage: islResult.lineage,
-        metadata: islResult.metadata
-    };
-}
-//# sourceMappingURL=applyRemovalPlan.js.map

package/dist/AAL/process/applyRemovalPlan.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"applyRemovalPlan.js","sourceRoot":"","sources":["../../../src/AAL/process/applyRemovalPlan.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAMH;;;GAGG;AACH,SAAS,oBAAoB,CAC3B,MAA2B,EAC3B,aAAqB;IAErB,IAAI,aAAa,IAAI,CAAC,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,CAAA;IACxD,MAAM,MAAM,GAAe,EAAE,CAAA;IAC7B,KAAK,MAAM,CAAC,IAAI,MAAM,EAAE,CAAC;QACvB,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,EAAE,aAAa,CAAC,CAAC,CAAA;QACnE,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,EAAE,aAAa,CAAC,CAAC,CAAA;QAC/D,IAAI,KAAK,GAAG,GAAG;YAAE,MAAM,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,CAAA;IAC9C,CAAC;IACD,OAAO,MAAM,CAAA;AACf,CAAC;AAED;;GAEG;AACH,SAAS,WAAW,CAAC,MAA2B;IAC9C,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,CAAA;IAClC,MAAM,MAAM,GAAG,CAAC,GAAG,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC,CAAA;IAC5D,MAAM,MAAM,GAAe,CAAC,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC,CAAE,CAAC,KAAK,EAAE,GAAG,EAAE,MAAM,CAAC,CAAC,CAAE,CAAC,GAAG,EAAE,CAAC,CAAA;IAC7E,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACvC,MAAM,CAAC,GAAG,MAAM,CAAC,CAAC,CAAE,CAAA;QACpB,MAAM,IAAI,GAAG,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,CAAE,CAAA;QAC3B,IAAI,CAAC,CAAC,KAAK,IAAI,IAAI,CAAC,GAAG,EAAE,CAAC;YACxB,MAAM,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,GAAG,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,GAAG,CAAC,EAAE,CAAA;QACnF,CAAC;aAAM,CAAC;YACN,MAAM,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,KAAK,EAAE,GAAG,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,CAAA;QAC7C,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAA;AACf,CAAC;AAED,qGAAqG;AACrG,MAAM,mBAAmB,GAAG,EAAE,CAAA;AAE9B,qFAAqF;AACrF,SAAS,6BAA6B,CAAC,CAAS;IAC9C,OAAO,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;AACnC,CAAC;AAED;;;GAGG;AACH,SAAS,0BAA0B,CACjC,MAA2B,EAC3B,OAAe;IAEf,IAAI,MAAM,CAAC,MAAM,IAAI,CAAC;QAAE,OAAO,CAAC,GAAG,MAAM,CAAC,CAAA;IAC1C,MAAM,MAAM,GAAe,CAAC,EAAE,GAAG,MAAM,CAAC,CAAC,CAAE,EAAE,CAAC,CAAA;IAC9C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACvC,MAAM,CAAC,GAAG,MAAM,CAAC,CAAC,CAAE,CAAA;QACpB,MAAM,IAAI,GAAG,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,CAAE,CAAA;QAC3B,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,CAAA;QACzB,MAAM,MAAM,GAAG,CAAC,CAAC,KAAK,CAAA;QACtB,IAAI,MAAM,GAAG,QAAQ,IAAI,MAAM,GAAG,QAAQ,IAAI,mBAAmB,EAAE,CAAC;YAClE,MAAM,GAAG,GAAG,OAAO,CAAC,KAAK,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAA;YAC3C,IAAI,6BAA6B,CAAC,GAAG,CAAC,EAAE,CAAC;gBACvC,MAAM,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,GAAG,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,GAAG,EAAE,CAAC,CAAC,GAAG,EAAE,CAAA;gBAC7D,SAAQ;YACV,CAAC;QACH,CAAC;QACD,MAAM,CAAC,IAAI,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAA;IACvB,CAAC;IACD,OAAO,MAAM,CAAA;AACf,CAAC;AAED;;GAEG;AACH,SAAS,YAAY,CAAC,OAAe,EAAE,MAA2B;IAChE,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,OAAO,CAAA;IACvC,IAAI,MAAM,GAAG,EAAE,CAAA;IACf,IAAI,GAAG,GAAG,CAAC,CAAA;IACX,KAAK,MAAM,CAAC,IAAI,MAAM,EAAE,CAAC;QACvB,IAAI,CAAC,CAAC,KAAK,GAAG,GAAG;YAAE,MAAM,IAAI,OAAO,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,KAAK,CAAC,CAAA;QACxD,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,CAAC,GAAG,CAAC,CAAA;IAC5B,CAAC;IACD,IAAI,GAAG,GAAG,OAAO,CAAC,MAAM;QAAE,MAAM,IAAI,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IACtD,OAAO,MAAM,CAAA;AACf,CAAC;AAED,SAAS,0BAA0B,CAAC,SAAoB,EAAE,IAAiB;IACzE,IAAI,SAAS,IAAI,IAAI,IAAI,OAAO,SAAS,KAAK,QAAQ,EAAE,CAAC;QACvD,MAAM,IAAI,SAAS,CAAC,2DAA2D,CAAC,CAAA;IAClF,CAAC;IACD,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC,QAAQ,CAAC,EAAE,CAAC;QACvC,MAAM,IAAI,SAAS,CAAC,2DAA2D,CAAC,CAAA;IAClF,CAAC;IACD,IAAI,IAAI,IAAI,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;QAC7C,MAAM,IAAI,SAAS,CAAC,sDAAsD,CAAC,CAAA;IAC7E,CAAC;IACD,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,oBAAoB,CAAC,EAAE,CAAC;QAC9C,MAAM,IAAI,SAAS,CAAC,kEAAkE,CAAC,CAAA;IACzF,CAAC;AACH,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,gBAAgB,CAAC,SAAoB,EAAE,IAAiB;IACtE,0BAA0B,CAAC,SAAS,EAAE,IAAI,CAAC,CAAA;IAE3C,IAAI,CAAC,IAAI,CAAC,YAAY,IAAI,IAAI,CAAC,oBAAoB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACjE,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,MAAM,WAAW,GAAG,IAAI,GAAG,EAAsB,CAAA;IACjD,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,oBAAoB,EAAE,CAAC;QAC7C,IAAI,IAAI,CAAC,SAAS,IAAI,IAAI;YAAE,SAAQ;QACpC,MAAM,IAAI,GAAG,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,CAAA;QAClD,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;QACxB,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,CAAA;IACvC,CAAC;IAED,IAAI,WAAW,CAAC,IAAI,KAAK,CAAC;QAAE,OAAO,SAAS,CAAA;IAE5C,MAAM,WAAW,GAAiB,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE;QAC/D,MAAM,MAAM,GAAG,WAAW,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC,CAAA;QACtC,IAAI,MAAM,IAAI,IAAI,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,GAAG,CAAA;QACrD,MAAM,OAAO,GAAG,GAAG,CAAC,gBAAgB,IAAI,EAAE,CAAA;QAC1C,MAAM,GAAG,GAAG,OAAO,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAA;QAC5D,MAAM,OAAO,GAAG,oBAAoB,CAAC,MAAM,EAAE,GAAG,CAAC,CAAA;QACjD,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,GAAG,CAAA;QACpC,MAAM,MAAM,GAAG,WAAW,CAAC,OAAO,CAAC,CAAA;QACnC,MAAM,cAAc,GAAG,0BAA0B,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;QAClE,MAAM,UAAU,GAAG,YAAY,CAAC,OAAO,EAAE,cAAc,CAAC,CAAA;QACxD,OAAO,EAAE,GAAG,GAAG,EAAE,gBAAgB,EAAE,UAAU,EAAE,CAAA;IACjD,CAAC,CAAC,CAAA;IAEF,OAAO;QACL,QAAQ,EAAE,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC;QACpC,OAAO,EAAE,SAAS,CAAC,OAAO;QAC1B,QAAQ,EAAE,SAAS,CAAC,QAAQ;KAC7B,CAAA;AACH,CAAC"}

package/dist/AAL/process/buildRemovalPlan.d.ts

@@ -1,39 +0,0 @@
-/**
- * buildRemovalPlan - Builds a plan for instruction removal
- *
- * @remarks
- * Two entry points:
- * - buildRemovalPlan(islSignal, policy): from signal only; no segmentId (descriptive).
- * - buildRemovalPlanFromResult(islResult, policy): from result; includes segmentId for applyRemovalPlan.
- */
-import type { RemovedInstruction } from '../types.js';
-import type { AgentPolicy } from '../types.js';
-import type { ISLSignal } from '../../isl/signals.js';
-import type { ISLResult } from '../../isl/types.js';
-/**
- * Plan for instruction removal
- */
-export interface RemovalPlan {
-    readonly instructionsToRemove: readonly RemovedInstruction[];
-    readonly shouldRemove: boolean;
-    readonly removalEnabled: boolean;
-}
-/**
- * Builds a plan for instruction removal from ISL signal (no segment ids).
- * Use when you only have the signal; plan is descriptive. For actionable removal use buildRemovalPlanFromResult.
- *
- * @param islSignal - ISL signal with detections
- * @param policy - Agent policy
- * @returns RemovalPlan with instructions to remove (no segmentId)
- */
-export declare function buildRemovalPlan(islSignal: ISLSignal, policy: AgentPolicy): RemovalPlan;
-/**
- * Builds a plan for instruction removal from ISL result (with segment ids).
- * Use with applyRemovalPlan to produce content with malicious ranges removed.
- *
- * @param islResult - ISL result with segments and per-segment piDetection
- * @param policy - Agent policy
- * @returns RemovalPlan with instructions to remove (segmentId set per instruction)
- */
-export declare function buildRemovalPlanFromResult(islResult: ISLResult, policy: AgentPolicy): RemovalPlan;
-//# sourceMappingURL=buildRemovalPlan.d.ts.map