@aion0/bastion 0.1.7

package/dist/dlp/semantics.js

@@ -0,0 +1,93 @@
+"use strict";
+/**
+ * Layer 3: Field-name Semantics
+ *
+ * Uses JSON field names to identify potentially sensitive data.
+ * When a value appears under a field like "api_key" or "password",
+ * it provides strong signal that the value is a secret — even if
+ * no specific regex pattern matches.
+ *
+ * Built-in patterns are immutable defaults.
+ * Additional patterns / non-sensitive names can be added at runtime
+ * via updateSemanticConfig() (driven by the Settings UI).
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.updateSemanticConfig = updateSemanticConfig;
+exports.getBuiltinSensitivePatterns = getBuiltinSensitivePatterns;
+exports.getBuiltinNonSensitiveNames = getBuiltinNonSensitiveNames;
+exports.isSensitiveFieldName = isSensitiveFieldName;
+// ── Built-in defaults (immutable) ──
+/** Patterns that indicate a field likely holds a secret */
+const BUILTIN_SENSITIVE = [
+    /passw(?:or)?d/i,
+    /(?:^|[_-]|\b)secret/i,
+    /(?:^|[_-]|\b)token(?:$|[_-]|\b)/i,
+    /api[_-]?key/i,
+    /(?:^|[_-]|\b)auth(?:$|[_-])/i,
+    /credential/i,
+    /private[_-]?key/i,
+    /access[_-]?key/i,
+    /secret[_-]?key/i,
+    /(?:^|[_-]|\b)cipher(?:$|[_-]|\b)/i,
+    /(?:^|[_-]|\b)salt(?:$|[_-]|\b)/i,
+    /connection[_-]?string/i,
+    /(?:^|[_-]|\b)dsn(?:$|[_-]|\b)/i,
+    /(?:^|[_-]|\b)signing/i,
+    /(?:^|[_-]|\b)bearer(?:$|[_-]|\b)/i,
+    /(?:^|[_-]|\b)authorization(?:$|[_-]|\b)/i,
+];
+/** Known non-sensitive field names (fast reject to avoid false positives) */
+const BUILTIN_NON_SENSITIVE = new Set([
+    'role', 'model', 'content', 'type', 'name', 'id', 'version',
+    'method', 'path', 'url', 'status', 'message', 'description',
+    'format', 'language', 'encoding', 'timestamp', 'created',
+    'max_tokens', 'temperature', 'top_p', 'stream', 'stop',
+    'n', 'presence_penalty', 'frequency_penalty', 'text',
+    'index', 'object', 'finish_reason', 'logprobs', 'usage',
+    'prompt_tokens', 'completion_tokens', 'total_tokens',
+    'system_fingerprint', 'created_at', 'updated_at', 'choices',
+    'response_format', 'seed', 'tool_choice', 'function_call',
+    'safety_ratings', 'candidates',
+]);
+// ── User-configurable extras (mutable at runtime) ──
+let extraSensitive = [];
+let extraNonSensitive = new Set();
+/** Update user-configurable semantic rules. Called when config changes. */
+function updateSemanticConfig(config) {
+    extraSensitive = (config.sensitivePatterns ?? [])
+        .filter(p => p.length > 0)
+        .map(p => {
+        try {
+            return new RegExp(p, 'i');
+        }
+        catch {
+            return null;
+        }
+    })
+        .filter((r) => r !== null);
+    extraNonSensitive = new Set((config.nonSensitiveNames ?? []).map(n => n.toLowerCase()));
+}
+/** Read-only access to built-in sensitive patterns (for UI display) */
+function getBuiltinSensitivePatterns() {
+    return BUILTIN_SENSITIVE.map(r => r.source);
+}
+/** Read-only access to built-in non-sensitive names (for UI display) */
+function getBuiltinNonSensitiveNames() {
+    return [...BUILTIN_NON_SENSITIVE];
+}
+/** Check if a field name suggests it holds sensitive data */
+function isSensitiveFieldName(name) {
+    const lower = name.toLowerCase();
+    // Non-sensitive fast reject (built-in + user extras)
+    if (BUILTIN_NON_SENSITIVE.has(lower))
+        return false;
+    if (extraNonSensitive.has(lower))
+        return false;
+    // Sensitive check (built-in + user extras)
+    if (BUILTIN_SENSITIVE.some(re => re.test(name)))
+        return true;
+    if (extraSensitive.some(re => re.test(name)))
+        return true;
+    return false;
+}
+//# sourceMappingURL=semantics.js.map

package/dist/dlp/semantics.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"semantics.js","sourceRoot":"","sources":["../../src/dlp/semantics.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;GAWG;;AAmDH,oDAYC;AAGD,kEAEC;AAGD,kEAEC;AAGD,oDAYC;AAtFD,sCAAsC;AAEtC,2DAA2D;AAC3D,MAAM,iBAAiB,GAAa;IAClC,gBAAgB;IAChB,sBAAsB;IACtB,kCAAkC;IAClC,cAAc;IACd,8BAA8B;IAC9B,aAAa;IACb,kBAAkB;IAClB,iBAAiB;IACjB,iBAAiB;IACjB,mCAAmC;IACnC,iCAAiC;IACjC,wBAAwB;IACxB,gCAAgC;IAChC,uBAAuB;IACvB,mCAAmC;IACnC,0CAA0C;CAC3C,CAAC;AAEF,6EAA6E;AAC7E,MAAM,qBAAqB,GAAG,IAAI,GAAG,CAAC;IACpC,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS;IAC3D,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,SAAS,EAAE,aAAa;IAC3D,QAAQ,EAAE,UAAU,EAAE,UAAU,EAAE,WAAW,EAAE,SAAS;IACxD,YAAY,EAAE,aAAa,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM;IACtD,GAAG,EAAE,kBAAkB,EAAE,mBAAmB,EAAE,MAAM;IACpD,OAAO,EAAE,QAAQ,EAAE,eAAe,EAAE,UAAU,EAAE,OAAO;IACvD,eAAe,EAAE,mBAAmB,EAAE,cAAc;IACpD,oBAAoB,EAAE,YAAY,EAAE,YAAY,EAAE,SAAS;IAC3D,iBAAiB,EAAE,MAAM,EAAE,aAAa,EAAE,eAAe;IACzD,gBAAgB,EAAE,YAAY;CAC/B,CAAC,CAAC;AAEH,sDAAsD;AAEtD,IAAI,cAAc,GAAa,EAAE,CAAC;AAClC,IAAI,iBAAiB,GAAgB,IAAI,GAAG,EAAE,CAAC;AAS/C,2EAA2E;AAC3E,SAAgB,oBAAoB,CAAC,MAAsB;IACzD,cAAc,GAAG,CAAC,MAAM,CAAC,iBAAiB,IAAI,EAAE,CAAC;SAC9C,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC;SACzB,GAAG,CAAC,CAAC,CAAC,EAAE;QACP,IAAI,CAAC;YAAC,OAAO,IAAI,MAAM,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;QAAC,CAAC;QAClC,MAAM,CAAC;YAAC,OAAO,IAAI,CAAC;QAAC,CAAC;IACxB,CAAC,CAAC;SACD,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC;IAE1C,iBAAiB,GAAG,IAAI,GAAG,CACzB,CAAC,MAAM,CAAC,iBAAiB,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAC3D,CAAC;AACJ,CAAC;AAED,uEAAuE;AACvE,SAAgB,2BAA2B;IACzC,OAAO,iBAAiB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;AAC9C,CAAC;AAED,wEAAwE;AACxE,SAAgB,2BAA2B;IACzC,OAAO,CAAC,GAAG,qBAAqB,CAAC,CAAC;AACpC,CAAC;AAED,6DAA6D;AAC7D,SAAgB,oBAAoB,CAAC,IAAY;IAC/C,MAAM,KAAK,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;IAEjC,qDAAqD;IACrD,IAAI,qBAAqB,CAAC,GAAG,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACnD,IAAI,iBAAiB,CAAC,GAAG,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAE/C,2CAA2C;IAC3C,IAAI,iBAAiB,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IAC7D,IAAI,cAAc,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IAE1D,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/dlp/structure.d.ts

@@ -0,0 +1,25 @@
+/**
+ * Layer 0: Structure-aware Parsing
+ *
+ * Extracts key-value fields from JSON request/response bodies.
+ * Provides structural context for downstream layers:
+ * - Field names help identify sensitive data by semantic meaning
+ * - Extracted values can be individually analyzed for entropy
+ *
+ * Also extracts inline assignments (KEY=value) from text content,
+ * catching secrets embedded in message strings.
+ */
+export interface StructuredField {
+    /** Immediate field name (e.g., "api_key") */
+    key: string;
+    /** Full JSON path (e.g., "credentials.api_key") */
+    path: string;
+    /** The string value */
+    value: string;
+}
+/**
+ * Extract string fields from a JSON text body.
+ * Returns empty array if text is not valid JSON or exceeds size limit.
+ */
+export declare function extractStructuredFields(text: string): StructuredField[];
+//# sourceMappingURL=structure.d.ts.map

package/dist/dlp/structure.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"structure.d.ts","sourceRoot":"","sources":["../../src/dlp/structure.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,MAAM,WAAW,eAAe;IAC9B,6CAA6C;IAC7C,GAAG,EAAE,MAAM,CAAC;IACZ,mDAAmD;IACnD,IAAI,EAAE,MAAM,CAAC;IACb,uBAAuB;IACvB,KAAK,EAAE,MAAM,CAAC;CACf;AAKD;;;GAGG;AACH,wBAAgB,uBAAuB,CAAC,IAAI,EAAE,MAAM,GAAG,eAAe,EAAE,CAcvE"}

package/dist/dlp/structure.js

@@ -0,0 +1,86 @@
+"use strict";
+/**
+ * Layer 0: Structure-aware Parsing
+ *
+ * Extracts key-value fields from JSON request/response bodies.
+ * Provides structural context for downstream layers:
+ * - Field names help identify sensitive data by semantic meaning
+ * - Extracted values can be individually analyzed for entropy
+ *
+ * Also extracts inline assignments (KEY=value) from text content,
+ * catching secrets embedded in message strings.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.extractStructuredFields = extractStructuredFields;
+/** Maximum text size for structural analysis (skip for very large bodies) */
+const MAX_TEXT_LENGTH = 512 * 1024;
+/**
+ * Extract string fields from a JSON text body.
+ * Returns empty array if text is not valid JSON or exceeds size limit.
+ */
+function extractStructuredFields(text) {
+    if (text.length > MAX_TEXT_LENGTH)
+        return [];
+    const fields = [];
+    try {
+        const parsed = JSON.parse(text);
+        walkJson(parsed, '', fields);
+    }
+    catch {
+        // Not JSON — extract assignment patterns as fallback
+        extractAssignments(text, fields);
+    }
+    return fields;
+}
+/** Recursively walk JSON and collect string values with their paths */
+function walkJson(obj, path, out) {
+    if (obj === null || obj === undefined)
+        return;
+    if (typeof obj === 'string') {
+        const key = extractKey(path);
+        if (obj.length >= 6) {
+            out.push({ key, path, value: obj });
+        }
+        // Try parsing string values that look like embedded JSON
+        if (obj.length > 10 && (obj[0] === '{' || obj[0] === '[')) {
+            try {
+                const nested = JSON.parse(obj);
+                walkJson(nested, path, out);
+                return; // Embedded JSON handled; skip assignment extraction
+            }
+            catch { /* not valid JSON, fall through */ }
+        }
+        // Also scan long string content for inline assignments
+        if (obj.length > 20) {
+            extractAssignments(obj, out);
+        }
+        return;
+    }
+    if (Array.isArray(obj)) {
+        for (let i = 0; i < obj.length; i++) {
+            walkJson(obj[i], `${path}[${i}]`, out);
+        }
+        return;
+    }
+    if (typeof obj === 'object') {
+        for (const [k, v] of Object.entries(obj)) {
+            walkJson(v, path ? `${path}.${k}` : k, out);
+        }
+    }
+}
+/** Extract the immediate key name from a JSON path */
+function extractKey(path) {
+    const parts = path.split('.');
+    const last = parts[parts.length - 1];
+    return last.replace(/\[\d+\]$/, '');
+}
+/** Extract KEY=VALUE and KEY: VALUE assignment patterns from text */
+const ASSIGN_RE = /\b([A-Za-z_][A-Za-z0-9_]*)\s*[=:]\s*['"]?([^\s'"=;,}{)]{8,})/g;
+function extractAssignments(text, out) {
+    const re = new RegExp(ASSIGN_RE.source, ASSIGN_RE.flags);
+    let m;
+    while ((m = re.exec(text)) !== null) {
+        out.push({ key: m[1], path: m[1], value: m[2] });
+    }
+}
+//# sourceMappingURL=structure.js.map

package/dist/dlp/structure.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"structure.js","sourceRoot":"","sources":["../../src/dlp/structure.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;GAUG;;AAkBH,0DAcC;AArBD,6EAA6E;AAC7E,MAAM,eAAe,GAAG,GAAG,GAAG,IAAI,CAAC;AAEnC;;;GAGG;AACH,SAAgB,uBAAuB,CAAC,IAAY;IAClD,IAAI,IAAI,CAAC,MAAM,GAAG,eAAe;QAAE,OAAO,EAAE,CAAC;IAE7C,MAAM,MAAM,GAAsB,EAAE,CAAC;IAErC,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAChC,QAAQ,CAAC,MAAM,EAAE,EAAE,EAAE,MAAM,CAAC,CAAC;IAC/B,CAAC;IAAC,MAAM,CAAC;QACP,qDAAqD;QACrD,kBAAkB,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IACnC,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,uEAAuE;AACvE,SAAS,QAAQ,CAAC,GAAY,EAAE,IAAY,EAAE,GAAsB;IAClE,IAAI,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,SAAS;QAAE,OAAO;IAE9C,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC5B,MAAM,GAAG,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC;QAC7B,IAAI,GAAG,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;YACpB,GAAG,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,CAAC;QACtC,CAAC;QACD,yDAAyD;QACzD,IAAI,GAAG,CAAC,MAAM,GAAG,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,GAAG,IAAI,GAAG,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC,EAAE,CAAC;YAC1D,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;gBAC/B,QAAQ,CAAC,MAAM,EAAE,IAAI,EAAE,GAAG,CAAC,CAAC;gBAC5B,OAAO,CAAC,oDAAoD;YAC9D,CAAC;YAAC,MAAM,CAAC,CAAC,kCAAkC,CAAC,CAAC;QAChD,CAAC;QACD,uDAAuD;QACvD,IAAI,GAAG,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;YACpB,kBAAkB,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;QAC/B,CAAC;QACD,OAAO;IACT,CAAC;IAED,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QACvB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACpC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,GAAG,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;QACzC,CAAC;QACD,OAAO;IACT,CAAC;IAED,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC5B,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAA8B,CAAC,EAAE,CAAC;YACpE,QAAQ,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,CAAC,GAAG,IAAI,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;QAC9C,CAAC;IACH,CAAC;AACH,CAAC;AAED,sDAAsD;AACtD,SAAS,UAAU,CAAC,IAAY;IAC9B,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC9B,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IACrC,OAAO,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;AACtC,CAAC;AAED,qEAAqE;AACrE,MAAM,SAAS,GAAG,+DAA+D,CAAC;AAElF,SAAS,kBAAkB,CAAC,IAAY,EAAE,GAAsB;IAC9D,MAAM,EAAE,GAAG,IAAI,MAAM,CAAC,SAAS,CAAC,MAAM,EAAE,SAAS,CAAC,KAAK,CAAC,CAAC;IACzD,IAAI,CAAyB,CAAC;IAC9B,OAAO,CAAC,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QACpC,GAAG,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;IACnD,CAAC;AACH,CAAC"}

package/dist/dlp/validators.d.ts

@@ -0,0 +1,6 @@
+/** Luhn algorithm for credit card validation */
+export declare function luhnCheck(number: string): boolean;
+/** SSN format validation — checks structure beyond regex */
+export declare function ssnCheck(ssn: string): boolean;
+export declare const validators: Record<string, (value: string) => boolean>;
+//# sourceMappingURL=validators.d.ts.map

package/dist/dlp/validators.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"validators.d.ts","sourceRoot":"","sources":["../../src/dlp/validators.ts"],"names":[],"mappings":"AAAA,gDAAgD;AAChD,wBAAgB,SAAS,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAkBjD;AAED,4DAA4D;AAC5D,wBAAgB,QAAQ,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAc7C;AAED,eAAO,MAAM,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,OAAO,CAGjE,CAAC"}

package/dist/dlp/validators.js

@@ -0,0 +1,46 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.validators = void 0;
+exports.luhnCheck = luhnCheck;
+exports.ssnCheck = ssnCheck;
+/** Luhn algorithm for credit card validation */
+function luhnCheck(number) {
+    const digits = number.replace(/\D/g, '');
+    if (digits.length < 13 || digits.length > 19)
+        return false;
+    let sum = 0;
+    let alternate = false;
+    for (let i = digits.length - 1; i >= 0; i--) {
+        let n = parseInt(digits[i], 10);
+        if (alternate) {
+            n *= 2;
+            if (n > 9)
+                n -= 9;
+        }
+        sum += n;
+        alternate = !alternate;
+    }
+    return sum % 10 === 0;
+}
+/** SSN format validation — checks structure beyond regex */
+function ssnCheck(ssn) {
+    const clean = ssn.replace(/\D/g, '');
+    if (clean.length !== 9)
+        return false;
+    const area = parseInt(clean.substring(0, 3), 10);
+    const group = parseInt(clean.substring(3, 5), 10);
+    const serial = parseInt(clean.substring(5, 9), 10);
+    // Invalid ranges
+    if (area === 0 || area === 666 || area >= 900)
+        return false;
+    if (group === 0)
+        return false;
+    if (serial === 0)
+        return false;
+    return true;
+}
+exports.validators = {
+    luhn: luhnCheck,
+    ssn: ssnCheck,
+};
+//# sourceMappingURL=validators.js.map

package/dist/dlp/validators.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"validators.js","sourceRoot":"","sources":["../../src/dlp/validators.ts"],"names":[],"mappings":";;;AACA,8BAkBC;AAGD,4BAcC;AApCD,gDAAgD;AAChD,SAAgB,SAAS,CAAC,MAAc;IACtC,MAAM,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IACzC,IAAI,MAAM,CAAC,MAAM,GAAG,EAAE,IAAI,MAAM,CAAC,MAAM,GAAG,EAAE;QAAE,OAAO,KAAK,CAAC;IAE3D,IAAI,GAAG,GAAG,CAAC,CAAC;IACZ,IAAI,SAAS,GAAG,KAAK,CAAC;IAEtB,KAAK,IAAI,CAAC,GAAG,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QAC5C,IAAI,CAAC,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QAChC,IAAI,SAAS,EAAE,CAAC;YACd,CAAC,IAAI,CAAC,CAAC;YACP,IAAI,CAAC,GAAG,CAAC;gBAAE,CAAC,IAAI,CAAC,CAAC;QACpB,CAAC;QACD,GAAG,IAAI,CAAC,CAAC;QACT,SAAS,GAAG,CAAC,SAAS,CAAC;IACzB,CAAC;IAED,OAAO,GAAG,GAAG,EAAE,KAAK,CAAC,CAAC;AACxB,CAAC;AAED,4DAA4D;AAC5D,SAAgB,QAAQ,CAAC,GAAW;IAClC,MAAM,KAAK,GAAG,GAAG,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IACrC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAErC,MAAM,IAAI,GAAG,QAAQ,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACjD,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAClD,MAAM,MAAM,GAAG,QAAQ,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAEnD,iBAAiB;IACjB,IAAI,IAAI,KAAK,CAAC,IAAI,IAAI,KAAK,GAAG,IAAI,IAAI,IAAI,GAAG;QAAE,OAAO,KAAK,CAAC;IAC5D,IAAI,KAAK,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAC9B,IAAI,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAE/B,OAAO,IAAI,CAAC;AACd,CAAC;AAEY,QAAA,UAAU,GAA+C;IACpE,IAAI,EAAE,SAAS;IACf,GAAG,EAAE,QAAQ;CACd,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,2 @@
+export declare function startGateway(): Promise<void>;
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAkCA,wBAAsB,YAAY,IAAI,OAAO,CAAC,IAAI,CAAC,CAgKlD"}

package/dist/index.js

@@ -0,0 +1,200 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.startGateway = startGateway;
+const node_crypto_1 = __importDefault(require("node:crypto"));
+const index_js_1 = require("./config/index.js");
+const manager_js_1 = require("./config/manager.js");
+const logger_js_1 = require("./utils/logger.js");
+const logger_js_2 = require("./utils/logger.js");
+const database_js_1 = require("./storage/database.js");
+const index_js_2 = require("./plugins/index.js");
+const metrics_collector_js_1 = require("./plugins/builtin/metrics-collector.js");
+const dlp_scanner_js_1 = require("./plugins/builtin/dlp-scanner.js");
+const token_optimizer_js_1 = require("./plugins/builtin/token-optimizer.js");
+const audit_logger_js_1 = require("./plugins/builtin/audit-logger.js");
+const tool_guard_js_1 = require("./plugins/builtin/tool-guard.js");
+const anthropic_js_1 = require("./proxy/providers/anthropic.js");
+const openai_js_1 = require("./proxy/providers/openai.js");
+const gemini_js_1 = require("./proxy/providers/gemini.js");
+const claude_web_js_1 = require("./proxy/providers/claude-web.js");
+const messaging_js_1 = require("./proxy/providers/messaging.js");
+const server_js_1 = require("./proxy/server.js");
+const daemon_js_1 = require("./cli/daemon.js");
+const certs_js_1 = require("./proxy/certs.js");
+const semantics_js_1 = require("./dlp/semantics.js");
+const requests_js_1 = require("./storage/repositories/requests.js");
+const dlp_events_js_1 = require("./storage/repositories/dlp-events.js");
+const optimizer_events_js_1 = require("./storage/repositories/optimizer-events.js");
+const sessions_js_1 = require("./storage/repositories/sessions.js");
+const audit_log_js_1 = require("./storage/repositories/audit-log.js");
+const tool_calls_js_1 = require("./storage/repositories/tool-calls.js");
+const plugin_events_js_1 = require("./storage/repositories/plugin-events.js");
+const event_bus_js_1 = require("./plugins/event-bus.js");
+const loader_js_1 = require("./plugins/loader.js");
+const version_js_1 = require("./version.js");
+const log = (0, logger_js_2.createLogger)('main');
+async function startGateway() {
+    // Load configuration
+    const config = (0, index_js_1.loadConfig)();
+    (0, logger_js_1.setLogLevel)(config.logging.level);
+    const version = (0, version_js_1.getVersion)();
+    log.info('Starting Bastion AI Gateway', { version });
+    // Initialize config manager for runtime updates
+    const configManager = new manager_js_1.ConfigManager(config);
+    // Auto-generate auth token if auth enabled but no token configured
+    if (config.server.auth?.enabled !== false && !config.server.auth?.token) {
+        const token = node_crypto_1.default.randomBytes(32).toString('hex');
+        configManager.update({ server: { auth: { token } } });
+        console.log(`\n  Dashboard token generated: ${token}`);
+        console.log('  Set server.auth.token in config.yaml to use a custom token\n');
+    }
+    // Apply initial semantic config + listen for changes
+    if (config.plugins.dlp.semantics) {
+        (0, semantics_js_1.updateSemanticConfig)(config.plugins.dlp.semantics);
+    }
+    configManager.onChange((c) => {
+        if (c.plugins.dlp.semantics)
+            (0, semantics_js_1.updateSemanticConfig)(c.plugins.dlp.semantics);
+    });
+    // Initialize database
+    const db = (0, database_js_1.getDatabase)();
+    // Register providers
+    (0, anthropic_js_1.registerAnthropicProvider)();
+    (0, openai_js_1.registerOpenAIProvider)();
+    (0, gemini_js_1.registerGeminiProvider)();
+    (0, claude_web_js_1.registerClaudeWebProvider)();
+    (0, messaging_js_1.registerMessagingProviders)();
+    // Initialize plugin manager — register all plugins, disable those not enabled
+    const pluginManager = new index_js_2.PluginManager(config.timeouts.plugin, config.server.failMode ?? 'open');
+    pluginManager.register((0, metrics_collector_js_1.createMetricsCollectorPlugin)(db));
+    if (!config.plugins.metrics.enabled)
+        pluginManager.disable('metrics-collector');
+    pluginManager.register((0, dlp_scanner_js_1.createDlpScannerPlugin)(db, {
+        action: config.plugins.dlp.action,
+        patterns: config.plugins.dlp.patterns,
+        remotePatterns: config.plugins.dlp.remotePatterns,
+        aiValidation: config.plugins.dlp.aiValidation,
+        getAction: () => configManager.get().plugins.dlp.action,
+    }));
+    if (!config.plugins.dlp.enabled)
+        pluginManager.disable('dlp-scanner');
+    pluginManager.register((0, token_optimizer_js_1.createTokenOptimizerPlugin)(db, {
+        cache: config.plugins.optimizer.cache,
+        cacheTtlSeconds: config.plugins.optimizer.cacheTtlSeconds ?? 300,
+        trimWhitespace: config.plugins.optimizer.trimWhitespace,
+        reorderForCache: config.plugins.optimizer.reorderForCache,
+    }));
+    if (!config.plugins.optimizer.enabled)
+        pluginManager.disable('token-optimizer');
+    pluginManager.register((0, audit_logger_js_1.createAuditLoggerPlugin)(db, {
+        rawData: config.plugins.audit?.rawData ?? true,
+        rawMaxBytes: config.plugins.audit?.rawMaxBytes ?? 524288,
+        summaryMaxBytes: config.plugins.audit?.summaryMaxBytes ?? 1024,
+    }));
+    if (!config.plugins.audit?.enabled)
+        pluginManager.disable('audit-logger');
+    pluginManager.register((0, tool_guard_js_1.createToolGuardPlugin)(db, {
+        enabled: config.plugins.toolGuard?.enabled ?? true,
+        action: config.plugins.toolGuard?.action ?? 'audit',
+        recordAll: config.plugins.toolGuard?.recordAll ?? true,
+        blockMinSeverity: config.plugins.toolGuard?.blockMinSeverity ?? 'critical',
+        alertMinSeverity: config.plugins.toolGuard?.alertMinSeverity ?? 'high',
+        alertDesktop: config.plugins.toolGuard?.alertDesktop ?? true,
+        alertWebhookUrl: config.plugins.toolGuard?.alertWebhookUrl ?? '',
+        getLiveConfig: () => {
+            const tg = configManager.get().plugins.toolGuard;
+            const live = {
+                action: tg?.action ?? 'audit',
+                recordAll: tg?.recordAll ?? true,
+                blockMinSeverity: tg?.blockMinSeverity ?? 'critical',
+                alertMinSeverity: tg?.alertMinSeverity ?? 'high',
+            };
+            return live;
+        },
+    }));
+    if (!config.plugins.toolGuard?.enabled)
+        pluginManager.disable('tool-guard');
+    // Load external plugins
+    const eventBus = new event_bus_js_1.PluginEventBus();
+    const externalConfigs = config.plugins.external ?? [];
+    let destroyCallbacks = [];
+    let getPluginState = () => undefined;
+    if (externalConfigs.length > 0) {
+        const result = await (0, loader_js_1.loadExternalPlugins)(externalConfigs, db, eventBus);
+        destroyCallbacks = result.destroyCallbacks;
+        getPluginState = result.getPluginState;
+        for (const plugin of result.plugins) {
+            pluginManager.register(plugin);
+        }
+    }
+    else {
+        log.info('No external plugins configured');
+    }
+    // Sync failMode changes at runtime
+    configManager.onChange((c) => {
+        pluginManager.setFailMode(c.server.failMode ?? 'open');
+    });
+    // Create and start server
+    const server = (0, server_js_1.createProxyServer)(config, pluginManager, () => {
+        for (const cb of destroyCallbacks)
+            cb().catch(() => { });
+        (0, database_js_1.closeDatabase)();
+    }, db, configManager, getPluginState);
+    await (0, server_js_1.startServer)(server, config);
+    // Write PID file
+    (0, daemon_js_1.writePidFile)(process.pid);
+    // Centralized data retention purge
+    const requestsRepo = new requests_js_1.RequestsRepository(db);
+    const dlpEventsRepo = new dlp_events_js_1.DlpEventsRepository(db);
+    const optimizerEventsRepo = new optimizer_events_js_1.OptimizerEventsRepository(db);
+    const sessionsRepo = new sessions_js_1.SessionsRepository(db);
+    const auditLogRepo = new audit_log_js_1.AuditLogRepository(db);
+    const toolCallsRepo = new tool_calls_js_1.ToolCallsRepository(db);
+    const pluginEventsRepo = new plugin_events_js_1.PluginEventsRepository(db);
+    function runPurge() {
+        const r = configManager.get().retention;
+        try {
+            let total = 0;
+            total += requestsRepo.purgeOlderThan(r.requestsHours);
+            total += dlpEventsRepo.purgeOlderThan(r.dlpEventsHours);
+            total += optimizerEventsRepo.purgeOlderThan(r.optimizerEventsHours);
+            total += sessionsRepo.purgeOlderThan(r.sessionsHours);
+            total += auditLogRepo.purgeOlderThan(r.auditLogHours);
+            total += toolCallsRepo.purgeOlderThan(r.toolCallsHours);
+            total += pluginEventsRepo.purgeOlderThan(r.pluginEventsHours ?? 720);
+            if (total > 0)
+                log.info('Data retention purge completed', { purged: total });
+        }
+        catch (err) {
+            log.warn('Data retention purge failed', { error: err.message });
+        }
+    }
+    // Run immediately on startup, then every hour
+    runPurge();
+    const purgeInterval = setInterval(runPurge, 60 * 60 * 1000);
+    purgeInterval.unref();
+    const baseUrl = `http://${config.server.host}:${config.server.port}`;
+    log.info('Gateway ready', {
+        host: config.server.host,
+        port: config.server.port,
+        plugins: pluginManager.getPlugins().map((p) => p.name),
+        dashboard: `${baseUrl}/dashboard`,
+        httpsProxy: baseUrl,
+        caCert: (0, certs_js_1.getCACertPath)(),
+    });
+}
+// Auto-start if run directly (daemon mode)
+if (process.env.BASTION_DAEMON === '1' || process.argv[1]?.endsWith('index.ts') || process.argv[1]?.endsWith('index.js')) {
+    // Only auto-start when this file is the entry point (not imported from CLI)
+    const isCLI = process.argv.some((a) => a.includes('cli'));
+    if (!isCLI) {
+        startGateway().catch((err) => {
+            log.error('Failed to start gateway', { error: err.message });
+            process.exit(1);
+        });
+    }
+}
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;;;AAkCA,oCAgKC;AAlMD,8DAAiC;AACjC,gDAA+C;AAC/C,oDAAoD;AACpD,iDAAgD;AAChD,iDAAiD;AACjD,uDAAmE;AACnE,iDAAmD;AACnD,iFAAsF;AACtF,qEAA0E;AAC1E,6EAAkF;AAClF,uEAA4E;AAC5E,mEAAwE;AACxE,iEAA2E;AAC3E,2DAAqE;AACrE,2DAAqE;AACrE,mEAA4E;AAC5E,iEAA4E;AAC5E,iDAAmE;AACnE,+CAA+C;AAC/C,+CAAiD;AACjD,qDAA0D;AAC1D,oEAAwE;AACxE,wEAA2E;AAC3E,oFAAuF;AACvF,oEAAwE;AACxE,sEAAyE;AACzE,wEAA2E;AAC3E,8EAAiF;AACjF,yDAAwD;AACxD,mDAA0D;AAC1D,6CAA0C;AAE1C,MAAM,GAAG,GAAG,IAAA,wBAAY,EAAC,MAAM,CAAC,CAAC;AAE1B,KAAK,UAAU,YAAY;IAChC,qBAAqB;IACrB,MAAM,MAAM,GAAG,IAAA,qBAAU,GAAE,CAAC;IAC5B,IAAA,uBAAW,EAAC,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IAElC,MAAM,OAAO,GAAG,IAAA,uBAAU,GAAE,CAAC;IAC7B,GAAG,CAAC,IAAI,CAAC,6BAA6B,EAAE,EAAE,OAAO,EAAE,CAAC,CAAC;IAErD,gDAAgD;IAChD,MAAM,aAAa,GAAG,IAAI,0BAAa,CAAC,MAAM,CAAC,CAAC;IAEhD,mEAAmE;IACnE,IAAI,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,OAAO,KAAK,KAAK,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,KAAK,EAAE,CAAC;QACxE,MAAM,KAAK,GAAG,qBAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QACrD,aAAa,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,EAAE,IAAI,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC,CAAC;QACtD,OAAO,CAAC,GAAG,CAAC,kCAAkC,KAAK,EAAE,CAAC,CAAC;QACvD,OAAO,CAAC,GAAG,CAAC,gEAAgE,CAAC,CAAC;IAChF,CAAC;IAED,qDAAqD;IACrD,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC;QACjC,IAAA,mCAAoB,EAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IACrD,CAAC;IACD,aAAa,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,EAAE;QAC3B,IAAI,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,SAAS;YAAE,IAAA,mCAAoB,EAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IAC7E,CAAC,CAAC,CAAC;IAEH,sBAAsB;IACtB,MAAM,EAAE,GAAG,IAAA,yBAAW,GAAE,CAAC;IAEzB,qBAAqB;IACrB,IAAA,wCAAyB,GAAE,CAAC;IAC5B,IAAA,kCAAsB,GAAE,CAAC;IACzB,IAAA,kCAAsB,GAAE,CAAC;IACzB,IAAA,yCAAyB,GAAE,CAAC;IAC5B,IAAA,yCAA0B,GAAE,CAAC;IAE7B,8EAA8E;IAC9E,MAAM,aAAa,GAAG,IAAI,wBAAa,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,CAAC;IAElG,aAAa,CAAC,QAAQ,CAAC,IAAA,mDAA4B,EAAC,EAAE,CAAC,CAAC,CAAC;IACzD,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,OAAO;QAAE,aAAa,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAEhF,aAAa,CAAC,QAAQ,CAAC,IAAA,uCAAsB,EAAC,EAAE,EAAE;QAChD,MAAM,EAAE,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM;QACjC,QAAQ,EAAE,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ;QACrC,cAAc,EAAE,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc;QACjD,YAAY,EAAE,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY;QAC7C,SAAS,EAAE,GAAG,EAAE,CAAC,aAAa,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM;KACxD,CAAC,CAAC,CAAC;IACJ,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO;QAAE,aAAa,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC;IAEtE,aAAa,CAAC,QAAQ,CAAC,IAAA,+CAA0B,EAAC,EAAE,EAAE;QACpD,KAAK,EAAE,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,KAAK;QACrC,eAAe,EAAE,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,eAAe,IAAI,GAAG;QAChE,cAAc,EAAE,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,cAAc;QACvD,eAAe,EAAE,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,eAAe;KAC1D,CAAC,CAAC,CAAC;IACJ,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,OAAO;QAAE,aAAa,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC;IAEhF,aAAa,CAAC,QAAQ,CAAC,IAAA,yCAAuB,EAAC,EAAE,EAAE;QACjD,OAAO,EAAE,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,OAAO,IAAI,IAAI;QAC9C,WAAW,EAAE,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,WAAW,IAAI,MAAM;QACxD,eAAe,EAAE,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,eAAe,IAAI,IAAI;KAC/D,CAAC,CAAC,CAAC;IACJ,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,OAAO;QAAE,aAAa,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC;IAE1E,aAAa,CAAC,QAAQ,CAAC,IAAA,qCAAqB,EAAC,EAAE,EAAE;QAC/C,OAAO,EAAE,MAAM,CAAC,OAAO,CAAC,SAAS,EAAE,OAAO,IAAI,IAAI;QAClD,MAAM,EAAE,MAAM,CAAC,OAAO,CAAC,SAAS,EAAE,MAAM,IAAI,OAAO;QACnD,SAAS,EAAE,MAAM,CAAC,OAAO,CAAC,SAAS,EAAE,SAAS,IAAI,IAAI;QACtD,gBAAgB,EAAE,MAAM,CAAC,OAAO,CAAC,SAAS,EAAE,gBAAgB,IAAI,UAAU;QAC1E,gBAAgB,EAAE,MAAM,CAAC,OAAO,CAAC,SAAS,EAAE,gBAAgB,IAAI,MAAM;QACtE,YAAY,EAAE,MAAM,CAAC,OAAO,CAAC,SAAS,EAAE,YAAY,IAAI,IAAI;QAC5D,eAAe,EAAE,MAAM,CAAC,OAAO,CAAC,SAAS,EAAE,eAAe,IAAI,EAAE;QAChE,aAAa,EAAE,GAAG,EAAE;YAClB,MAAM,EAAE,GAAG,aAAa,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,SAAS,CAAC;YACjD,MAAM,IAAI,GAAG;gBACX,MAAM,EAAE,EAAE,EAAE,MAAM,IAAI,OAAO;gBAC7B,SAAS,EAAE,EAAE,EAAE,SAAS,IAAI,IAAI;gBAChC,gBAAgB,EAAE,EAAE,EAAE,gBAAgB,IAAI,UAAU;gBACpD,gBAAgB,EAAE,EAAE,EAAE,gBAAgB,IAAI,MAAM;aACjD,CAAC;YACF,OAAO,IAAI,CAAC;QACd,CAAC;KACF,CAAC,CAAC,CAAC;IACJ,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,SAAS,EAAE,OAAO;QAAE,aAAa,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;IAE5E,wBAAwB;IACxB,MAAM,QAAQ,GAAG,IAAI,6BAAc,EAAE,CAAC;IACtC,MAAM,eAAe,GAAG,MAAM,CAAC,OAAO,CAAC,QAAQ,IAAI,EAAE,CAAC;IACtD,IAAI,gBAAgB,GAA+B,EAAE,CAAC;IACtD,IAAI,cAAc,GAA6D,GAAG,EAAE,CAAC,SAAS,CAAC;IAC/F,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/B,MAAM,MAAM,GAAG,MAAM,IAAA,+BAAmB,EAAC,eAAe,EAAE,EAAE,EAAE,QAAQ,CAAC,CAAC;QACxE,gBAAgB,GAAG,MAAM,CAAC,gBAAgB,CAAC;QAC3C,cAAc,GAAG,MAAM,CAAC,cAAc,CAAC;QACvC,KAAK,MAAM,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;YACpC,aAAa,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QACjC,CAAC;IACH,CAAC;SAAM,CAAC;QACN,GAAG,CAAC,IAAI,CAAC,gCAAgC,CAAC,CAAC;IAC7C,CAAC;IAED,mCAAmC;IACnC,aAAa,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,EAAE;QAC3B,aAAa,CAAC,WAAW,CAAC,CAAC,CAAC,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,CAAC;IACzD,CAAC,CAAC,CAAC;IAEH,0BAA0B;IAC1B,MAAM,MAAM,GAAG,IAAA,6BAAiB,EAAC,MAAM,EAAE,aAAa,EAAE,GAAG,EAAE;QAC3D,KAAK,MAAM,EAAE,IAAI,gBAAgB;YAAE,EAAE,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;QACxD,IAAA,2BAAa,GAAE,CAAC;IAClB,CAAC,EAAE,EAAE,EAAE,aAAa,EAAE,cAAc,CAAC,CAAC;IAEtC,MAAM,IAAA,uBAAW,EAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAElC,iBAAiB;IACjB,IAAA,wBAAY,EAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAE1B,mCAAmC;IACnC,MAAM,YAAY,GAAG,IAAI,gCAAkB,CAAC,EAAE,CAAC,CAAC;IAChD,MAAM,aAAa,GAAG,IAAI,mCAAmB,CAAC,EAAE,CAAC,CAAC;IAClD,MAAM,mBAAmB,GAAG,IAAI,+CAAyB,CAAC,EAAE,CAAC,CAAC;IAC9D,MAAM,YAAY,GAAG,IAAI,gCAAkB,CAAC,EAAE,CAAC,CAAC;IAChD,MAAM,YAAY,GAAG,IAAI,iCAAkB,CAAC,EAAE,CAAC,CAAC;IAChD,MAAM,aAAa,GAAG,IAAI,mCAAmB,CAAC,EAAE,CAAC,CAAC;IAClD,MAAM,gBAAgB,GAAG,IAAI,yCAAsB,CAAC,EAAE,CAAC,CAAC;IAExD,SAAS,QAAQ;QACf,MAAM,CAAC,GAAG,aAAa,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC;QACxC,IAAI,CAAC;YACH,IAAI,KAAK,GAAG,CAAC,CAAC;YACd,KAAK,IAAI,YAAY,CAAC,cAAc,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC;YACtD,KAAK,IAAI,aAAa,CAAC,cAAc,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC;YACxD,KAAK,IAAI,mBAAmB,CAAC,cAAc,CAAC,CAAC,CAAC,oBAAoB,CAAC,CAAC;YACpE,KAAK,IAAI,YAAY,CAAC,cAAc,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC;YACtD,KAAK,IAAI,YAAY,CAAC,cAAc,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC;YACtD,KAAK,IAAI,aAAa,CAAC,cAAc,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC;YACxD,KAAK,IAAI,gBAAgB,CAAC,cAAc,CAAC,CAAC,CAAC,iBAAiB,IAAI,GAAG,CAAC,CAAC;YACrE,IAAI,KAAK,GAAG,CAAC;gBAAE,GAAG,CAAC,IAAI,CAAC,gCAAgC,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;QAC/E,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,GAAG,CAAC,IAAI,CAAC,6BAA6B,EAAE,EAAE,KAAK,EAAG,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;QAC7E,CAAC;IACH,CAAC;IAED,8CAA8C;IAC9C,QAAQ,EAAE,CAAC;IACX,MAAM,aAAa,GAAG,WAAW,CAAC,QAAQ,EAAE,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC5D,aAAa,CAAC,KAAK,EAAE,CAAC;IAEtB,MAAM,OAAO,GAAG,UAAU,MAAM,CAAC,MAAM,CAAC,IAAI,IAAI,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;IACrE,GAAG,CAAC,IAAI,CAAC,eAAe,EAAE;QACxB,IAAI,EAAE,MAAM,CAAC,MAAM,CAAC,IAAI;QACxB,IAAI,EAAE,MAAM,CAAC,MAAM,CAAC,IAAI;QACxB,OAAO,EAAE,aAAa,CAAC,UAAU,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;QACtD,SAAS,EAAE,GAAG,OAAO,YAAY;QACjC,UAAU,EAAE,OAAO;QACnB,MAAM,EAAE,IAAA,wBAAa,GAAE;KACxB,CAAC,CAAC;AACL,CAAC;AAED,2CAA2C;AAC3C,IAAI,OAAO,CAAC,GAAG,CAAC,cAAc,KAAK,GAAG,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,QAAQ,CAAC,UAAU,CAAC,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;IACzH,4EAA4E;IAC5E,MAAM,KAAK,GAAG,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC;IAC1D,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,YAAY,EAAE,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YAC3B,GAAG,CAAC,KAAK,CAAC,yBAAyB,EAAE,EAAE,KAAK,EAAG,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;YACxE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC,CAAC,CAAC;IACL,CAAC;AACH,CAAC"}

package/dist/license/verify.d.ts

@@ -0,0 +1,18 @@
+export interface LicensePayload {
+    plan: string;
+    expiresAt: string;
+    features: string[];
+}
+export interface LicenseResult {
+    valid: boolean;
+    payload?: LicensePayload;
+    reason?: string;
+}
+/**
+ * Verify a signed license token.
+ *
+ * Returns { valid: true, payload } on success,
+ * or { valid: false, reason } on failure.
+ */
+export declare function verifyLicenseToken(token: unknown): LicenseResult;
+//# sourceMappingURL=verify.d.ts.map

package/dist/license/verify.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify.d.ts","sourceRoot":"","sources":["../../src/license/verify.ts"],"names":[],"mappings":"AAiBA,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,EAAE,CAAC;CACpB;AAED,MAAM,WAAW,aAAa;IAC5B,KAAK,EAAE,OAAO,CAAC;IACf,OAAO,CAAC,EAAE,cAAc,CAAC;IACzB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,OAAO,GAAG,aAAa,CAmDhE"}

package/dist/license/verify.js

@@ -0,0 +1,71 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.verifyLicenseToken = verifyLicenseToken;
+const node_crypto_1 = __importDefault(require("node:crypto"));
+/**
+ * Bastion Pro license verification.
+ *
+ * License token format: base64(JSON payload) + '.' + base64(Ed25519 signature)
+ *
+ * The Pro plugin sets a signed token; we verify it here with the embedded
+ * public key so a forged plugin cannot simply claim `valid: true`.
+ */
+// Ed25519 public key (PEM) — only Bastion can sign with the corresponding private key.
+// Replace this with the real production key before shipping.
+const LICENSE_PUBLIC_KEY = `-----BEGIN PUBLIC KEY-----
+MCowBQYDK2VwAyEAPlr2YjKxlMzVGOZ2WFmYOFCT3JHaFz8rECPFwbzVSXg=
+-----END PUBLIC KEY-----`;
+/**
+ * Verify a signed license token.
+ *
+ * Returns { valid: true, payload } on success,
+ * or { valid: false, reason } on failure.
+ */
+function verifyLicenseToken(token) {
+    if (typeof token !== 'string' || !token.includes('.')) {
+        return { valid: false, reason: 'malformed token' };
+    }
+    const dotIndex = token.lastIndexOf('.');
+    const payloadB64 = token.slice(0, dotIndex);
+    const signatureB64 = token.slice(dotIndex + 1);
+    // Verify signature
+    let signatureValid;
+    try {
+        const key = node_crypto_1.default.createPublicKey(LICENSE_PUBLIC_KEY);
+        signatureValid = node_crypto_1.default.verify(null, // Ed25519 does not use a separate hash algorithm
+        Buffer.from(payloadB64, 'base64'), key, Buffer.from(signatureB64, 'base64'));
+    }
+    catch {
+        return { valid: false, reason: 'signature verification error' };
+    }
+    if (!signatureValid) {
+        return { valid: false, reason: 'invalid signature' };
+    }
+    // Decode payload
+    let payload;
+    try {
+        payload = JSON.parse(Buffer.from(payloadB64, 'base64').toString('utf-8'));
+    }
+    catch {
+        return { valid: false, reason: 'invalid payload' };
+    }
+    // Check expiry
+    if (typeof payload.expiresAt === 'string') {
+        const exp = new Date(payload.expiresAt);
+        if (exp.getTime() < Date.now()) {
+            return { valid: false, reason: 'license expired' };
+        }
+    }
+    return {
+        valid: true,
+        payload: {
+            plan: payload.plan ?? 'pro',
+            expiresAt: payload.expiresAt ?? '',
+            features: payload.features ?? [],
+        },
+    };
+}
+//# sourceMappingURL=verify.js.map

package/dist/license/verify.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify.js","sourceRoot":"","sources":["../../src/license/verify.ts"],"names":[],"mappings":";;;;;AAmCA,gDAmDC;AAtFD,8DAAiC;AAEjC;;;;;;;GAOG;AAEH,uFAAuF;AACvF,6DAA6D;AAC7D,MAAM,kBAAkB,GAAG;;yBAEF,CAAC;AAc1B;;;;;GAKG;AACH,SAAgB,kBAAkB,CAAC,KAAc;IAC/C,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACtD,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,iBAAiB,EAAE,CAAC;IACrD,CAAC;IAED,MAAM,QAAQ,GAAG,KAAK,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;IACxC,MAAM,UAAU,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC;IAC5C,MAAM,YAAY,GAAG,KAAK,CAAC,KAAK,CAAC,QAAQ,GAAG,CAAC,CAAC,CAAC;IAE/C,mBAAmB;IACnB,IAAI,cAAuB,CAAC;IAC5B,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,qBAAM,CAAC,eAAe,CAAC,kBAAkB,CAAC,CAAC;QACvD,cAAc,GAAG,qBAAM,CAAC,MAAM,CAC5B,IAAI,EAAE,iDAAiD;QACvD,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,QAAQ,CAAC,EACjC,GAAG,EACH,MAAM,CAAC,IAAI,CAAC,YAAY,EAAE,QAAQ,CAAC,CACpC,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,8BAA8B,EAAE,CAAC;IAClE,CAAC;IAED,IAAI,CAAC,cAAc,EAAE,CAAC;QACpB,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,mBAAmB,EAAE,CAAC;IACvD,CAAC;IAED,iBAAiB;IACjB,IAAI,OAAgC,CAAC;IACrC,IAAI,CAAC;QACH,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;IAC5E,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,iBAAiB,EAAE,CAAC;IACrD,CAAC;IAED,eAAe;IACf,IAAI,OAAO,OAAO,CAAC,SAAS,KAAK,QAAQ,EAAE,CAAC;QAC1C,MAAM,GAAG,GAAG,IAAI,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QACxC,IAAI,GAAG,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;YAC/B,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,iBAAiB,EAAE,CAAC;QACrD,CAAC;IACH,CAAC;IAED,OAAO;QACL,KAAK,EAAE,IAAI;QACX,OAAO,EAAE;YACP,IAAI,EAAG,OAAO,CAAC,IAAe,IAAI,KAAK;YACvC,SAAS,EAAG,OAAO,CAAC,SAAoB,IAAI,EAAE;YAC9C,QAAQ,EAAG,OAAO,CAAC,QAAqB,IAAI,EAAE;SAC/C;KACF,CAAC;AACJ,CAAC"}

package/dist/metrics/collector.d.ts

@@ -0,0 +1,11 @@
+import type { ResponseCompleteContext } from '../plugins/types.js';
+export interface UsageMetrics {
+    inputTokens: number;
+    outputTokens: number;
+    cacheCreationTokens: number;
+    cacheReadTokens: number;
+    costUsd: number;
+    latencyMs: number;
+}
+export declare function extractMetrics(context: ResponseCompleteContext): UsageMetrics;
+//# sourceMappingURL=collector.d.ts.map

package/dist/metrics/collector.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"collector.d.ts","sourceRoot":"","sources":["../../src/metrics/collector.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,qBAAqB,CAAC;AAGnE,MAAM,WAAW,YAAY;IAC3B,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;IACrB,mBAAmB,EAAE,MAAM,CAAC;IAC5B,eAAe,EAAE,MAAM,CAAC;IACxB,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,wBAAgB,cAAc,CAAC,OAAO,EAAE,uBAAuB,GAAG,YAAY,CAmB7E"}

package/dist/metrics/collector.js

@@ -0,0 +1,17 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.extractMetrics = extractMetrics;
+const pricing_js_1 = require("./pricing.js");
+function extractMetrics(context) {
+    const { usage, latencyMs, request } = context;
+    const costUsd = (0, pricing_js_1.calculateCost)(request.model, usage.inputTokens, usage.outputTokens, usage.cacheCreationTokens, usage.cacheReadTokens);
+    return {
+        inputTokens: usage.inputTokens,
+        outputTokens: usage.outputTokens,
+        cacheCreationTokens: usage.cacheCreationTokens,
+        cacheReadTokens: usage.cacheReadTokens,
+        costUsd,
+        latencyMs,
+    };
+}
+//# sourceMappingURL=collector.js.map