@aion0/bastion 0.1.7

package/dist/storage/repositories/plugin-events.js

@@ -0,0 +1,64 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PluginEventsRepository = void 0;
+const node_crypto_1 = __importDefault(require("node:crypto"));
+class PluginEventsRepository {
+    db;
+    insertStmt;
+    constructor(db) {
+        this.db = db;
+        this.insertStmt = db.prepare(`
+      INSERT INTO plugin_events (id, plugin_name, request_id, type, severity, rule, detail, matched_text)
+      VALUES (@id, @plugin_name, @request_id, @type, @severity, @rule, @detail, @matched_text)
+    `);
+    }
+    insert(record) {
+        this.insertStmt.run(record);
+    }
+    insertEvent(pluginName, requestId, event) {
+        this.insert({
+            id: node_crypto_1.default.randomUUID(),
+            plugin_name: pluginName,
+            request_id: requestId,
+            type: event.type,
+            severity: event.severity,
+            rule: event.rule,
+            detail: event.detail,
+            matched_text: event.matchedText ?? null,
+        });
+    }
+    getRecent(limit = 20, sinceHours) {
+        if (sinceHours) {
+            return this.db.prepare(`
+        SELECT * FROM plugin_events
+        WHERE created_at > datetime('now', '-' || ? || ' hours')
+        ORDER BY created_at DESC LIMIT ?
+      `).all(sinceHours, limit);
+        }
+        return this.db.prepare('SELECT * FROM plugin_events ORDER BY created_at DESC LIMIT ?').all(limit);
+    }
+    getByPlugin(pluginName, limit = 20) {
+        return this.db.prepare('SELECT * FROM plugin_events WHERE plugin_name = ? ORDER BY created_at DESC LIMIT ?').all(pluginName, limit);
+    }
+    purgeOlderThan(hours) {
+        const result = this.db.prepare(`DELETE FROM plugin_events WHERE created_at < datetime('now', '-' || ? || ' hours')`).run(hours);
+        return result.changes;
+    }
+    getStats() {
+        const total = this.db.prepare('SELECT COUNT(*) as count FROM plugin_events').get();
+        const pluginRows = this.db.prepare('SELECT plugin_name, COUNT(*) as count FROM plugin_events GROUP BY plugin_name').all();
+        const typeRows = this.db.prepare('SELECT type, COUNT(*) as count FROM plugin_events GROUP BY type').all();
+        const by_plugin = {};
+        for (const row of pluginRows)
+            by_plugin[row.plugin_name] = row.count;
+        const by_type = {};
+        for (const row of typeRows)
+            by_type[row.type] = row.count;
+        return { total_events: total.count, by_plugin, by_type };
+    }
+}
+exports.PluginEventsRepository = PluginEventsRepository;
+//# sourceMappingURL=plugin-events.js.map

package/dist/storage/repositories/plugin-events.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"plugin-events.js","sourceRoot":"","sources":["../../../src/storage/repositories/plugin-events.ts"],"names":[],"mappings":";;;;;;AAAA,8DAAiC;AAejC,MAAa,sBAAsB;IACzB,EAAE,CAAoB;IACtB,UAAU,CAAqB;IAEvC,YAAY,EAAqB;QAC/B,IAAI,CAAC,EAAE,GAAG,EAAE,CAAC;QACb,IAAI,CAAC,UAAU,GAAG,EAAE,CAAC,OAAO,CAAC;;;KAG5B,CAAC,CAAC;IACL,CAAC;IAED,MAAM,CAAC,MAA6C;QAClD,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IAC9B,CAAC;IAED,WAAW,CAAC,UAAkB,EAAE,SAAwB,EAAE,KAA6F;QACrJ,IAAI,CAAC,MAAM,CAAC;YACV,EAAE,EAAE,qBAAM,CAAC,UAAU,EAAE;YACvB,WAAW,EAAE,UAAU;YACvB,UAAU,EAAE,SAAS;YACrB,IAAI,EAAE,KAAK,CAAC,IAAI;YAChB,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,IAAI,EAAE,KAAK,CAAC,IAAI;YAChB,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,YAAY,EAAE,KAAK,CAAC,WAAW,IAAI,IAAI;SACxC,CAAC,CAAC;IACL,CAAC;IAED,SAAS,CAAC,QAAgB,EAAE,EAAE,UAAmB;QAC/C,IAAI,UAAU,EAAE,CAAC;YACf,OAAO,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC;;;;OAItB,CAAC,CAAC,GAAG,CAAC,UAAU,EAAE,KAAK,CAAwB,CAAC;QACnD,CAAC;QACD,OAAO,IAAI,CAAC,EAAE,CAAC,OAAO,CACpB,8DAA8D,CAC/D,CAAC,GAAG,CAAC,KAAK,CAAwB,CAAC;IACtC,CAAC;IAED,WAAW,CAAC,UAAkB,EAAE,QAAgB,EAAE;QAChD,OAAO,IAAI,CAAC,EAAE,CAAC,OAAO,CACpB,oFAAoF,CACrF,CAAC,GAAG,CAAC,UAAU,EAAE,KAAK,CAAwB,CAAC;IAClD,CAAC;IAED,cAAc,CAAC,KAAa;QAC1B,MAAM,MAAM,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAC5B,oFAAoF,CACrF,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACb,OAAO,MAAM,CAAC,OAAO,CAAC;IACxB,CAAC;IAED,QAAQ;QACN,MAAM,KAAK,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,6CAA6C,CAAC,CAAC,GAAG,EAAuB,CAAC;QACxG,MAAM,UAAU,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAChC,+EAA+E,CAChF,CAAC,GAAG,EAA8C,CAAC;QACpD,MAAM,QAAQ,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAC9B,iEAAiE,CAClE,CAAC,GAAG,EAAuC,CAAC;QAE7C,MAAM,SAAS,GAA2B,EAAE,CAAC;QAC7C,KAAK,MAAM,GAAG,IAAI,UAAU;YAAE,SAAS,CAAC,GAAG,CAAC,WAAW,CAAC,GAAG,GAAG,CAAC,KAAK,CAAC;QAErE,MAAM,OAAO,GAA2B,EAAE,CAAC;QAC3C,KAAK,MAAM,GAAG,IAAI,QAAQ;YAAE,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,GAAG,CAAC,KAAK,CAAC;QAE1D,OAAO,EAAE,YAAY,EAAE,KAAK,CAAC,KAAK,EAAE,SAAS,EAAE,OAAO,EAAE,CAAC;IAC3D,CAAC;CACF;AAxED,wDAwEC"}

package/dist/storage/repositories/requests.d.ts

@@ -0,0 +1,68 @@
+import type Database from 'better-sqlite3';
+export interface RequestRecord {
+    id: string;
+    provider: string;
+    model: string;
+    method: string;
+    path: string;
+    status_code: number | null;
+    input_tokens: number;
+    output_tokens: number;
+    cache_creation_tokens: number;
+    cache_read_tokens: number;
+    cost_usd: number;
+    latency_ms: number;
+    cached: number;
+    dlp_action: string | null;
+    dlp_findings: number;
+    session_id: string | null;
+    api_key_hash: string | null;
+    created_at: string;
+}
+export interface RequestStats {
+    total_requests: number;
+    total_cost_usd: number;
+    total_input_tokens: number;
+    total_output_tokens: number;
+    cache_hits: number;
+    avg_latency_ms: number;
+    by_provider: Record<string, {
+        requests: number;
+        cost_usd: number;
+    }>;
+    by_model: Record<string, {
+        requests: number;
+        cost_usd: number;
+    }>;
+}
+export interface StatsFilter {
+    sinceHours?: number;
+    sessionId?: string;
+    apiKeyHash?: string;
+}
+export interface SessionInfo {
+    session_id: string;
+    request_count: number;
+    total_cost_usd: number;
+    first_seen: string;
+    last_seen: string;
+    label: string | null;
+    source: string | null;
+    project_path: string | null;
+}
+export declare class RequestsRepository {
+    private db;
+    private insertStmt;
+    constructor(db: Database.Database);
+    insert(record: Omit<RequestRecord, 'created_at'>): void;
+    getStats(filter?: StatsFilter): RequestStats;
+    getRecent(limit?: number, sinceHours?: number): RequestRecord[];
+    purgeOlderThan(hours: number): number;
+    getSessions(): SessionInfo[];
+    getApiKeys(): {
+        api_key_hash: string;
+        request_count: number;
+        total_cost_usd: number;
+    }[];
+}
+//# sourceMappingURL=requests.d.ts.map

package/dist/storage/repositories/requests.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"requests.d.ts","sourceRoot":"","sources":["../../../src/storage/repositories/requests.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,QAAQ,MAAM,gBAAgB,CAAC;AAE3C,MAAM,WAAW,aAAa;IAC5B,EAAE,EAAE,MAAM,CAAC;IACX,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;IACtB,qBAAqB,EAAE,MAAM,CAAC;IAC9B,iBAAiB,EAAE,MAAM,CAAC;IAC1B,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,YAAY;IAC3B,cAAc,EAAE,MAAM,CAAC;IACvB,cAAc,EAAE,MAAM,CAAC;IACvB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,mBAAmB,EAAE,MAAM,CAAC;IAC5B,UAAU,EAAE,MAAM,CAAC;IACnB,cAAc,EAAE,MAAM,CAAC;IACvB,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACpE,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CAClE;AAED,MAAM,WAAW,WAAW;IAC1B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,WAAW;IAC1B,UAAU,EAAE,MAAM,CAAC;IACnB,aAAa,EAAE,MAAM,CAAC;IACtB,cAAc,EAAE,MAAM,CAAC;IACvB,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;CAC7B;AAED,qBAAa,kBAAkB;IAC7B,OAAO,CAAC,EAAE,CAAoB;IAC9B,OAAO,CAAC,UAAU,CAAqB;gBAE3B,EAAE,EAAE,QAAQ,CAAC,QAAQ;IAYjC,MAAM,CAAC,MAAM,EAAE,IAAI,CAAC,aAAa,EAAE,YAAY,CAAC,GAAG,IAAI;IAIvD,QAAQ,CAAC,MAAM,CAAC,EAAE,WAAW,GAAG,YAAY;IAgE5C,SAAS,CAAC,KAAK,GAAE,MAAW,EAAE,UAAU,CAAC,EAAE,MAAM,GAAG,aAAa,EAAE;IAWnE,cAAc,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM;IAOrC,WAAW,IAAI,WAAW,EAAE;IAiB5B,UAAU,IAAI;QAAE,YAAY,EAAE,MAAM,CAAC;QAAC,aAAa,EAAE,MAAM,CAAC;QAAC,cAAc,EAAE,MAAM,CAAA;KAAE,EAAE;CAYxF"}

package/dist/storage/repositories/requests.js

@@ -0,0 +1,113 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RequestsRepository = void 0;
+class RequestsRepository {
+    db;
+    insertStmt;
+    constructor(db) {
+        this.db = db;
+        this.insertStmt = db.prepare(`
+      INSERT INTO requests (id, provider, model, method, path, status_code,
+        input_tokens, output_tokens, cache_creation_tokens, cache_read_tokens,
+        cost_usd, latency_ms, cached, dlp_action, dlp_findings, session_id, api_key_hash)
+      VALUES (@id, @provider, @model, @method, @path, @status_code,
+        @input_tokens, @output_tokens, @cache_creation_tokens, @cache_read_tokens,
+        @cost_usd, @latency_ms, @cached, @dlp_action, @dlp_findings, @session_id, @api_key_hash)
+    `);
+    }
+    insert(record) {
+        this.insertStmt.run(record);
+    }
+    getStats(filter) {
+        const conditions = [];
+        const params = [];
+        if (filter?.sinceHours) {
+            conditions.push(`created_at >= datetime('now', '-' || ? || ' hours')`);
+            params.push(filter.sinceHours);
+        }
+        if (filter?.sessionId) {
+            conditions.push('session_id = ?');
+            params.push(filter.sessionId);
+        }
+        if (filter?.apiKeyHash) {
+            conditions.push('api_key_hash = ?');
+            params.push(filter.apiKeyHash);
+        }
+        const whereClause = conditions.length > 0
+            ? 'WHERE ' + conditions.join(' AND ')
+            : '';
+        const totals = this.db.prepare(`
+      SELECT
+        COUNT(*) as total_requests,
+        COALESCE(SUM(cost_usd), 0) as total_cost_usd,
+        COALESCE(SUM(input_tokens), 0) as total_input_tokens,
+        COALESCE(SUM(output_tokens), 0) as total_output_tokens,
+        COALESCE(SUM(cached), 0) as cache_hits,
+        COALESCE(AVG(latency_ms), 0) as avg_latency_ms
+      FROM requests ${whereClause}
+    `).get(...params);
+        const providerRows = this.db.prepare(`
+      SELECT provider, COUNT(*) as requests, COALESCE(SUM(cost_usd), 0) as cost_usd
+      FROM requests ${whereClause}
+      GROUP BY provider
+    `).all(...params);
+        const modelRows = this.db.prepare(`
+      SELECT model, COUNT(*) as requests, COALESCE(SUM(cost_usd), 0) as cost_usd
+      FROM requests ${whereClause}
+      GROUP BY model
+    `).all(...params);
+        const by_provider = {};
+        for (const row of providerRows) {
+            by_provider[row.provider] = { requests: row.requests, cost_usd: row.cost_usd };
+        }
+        const by_model = {};
+        for (const row of modelRows) {
+            by_model[row.model] = { requests: row.requests, cost_usd: row.cost_usd };
+        }
+        return { ...totals, by_provider, by_model };
+    }
+    getRecent(limit = 10, sinceHours) {
+        if (sinceHours) {
+            return this.db.prepare(`
+        SELECT * FROM requests WHERE created_at > datetime('now', '-' || ? || ' hours') ORDER BY created_at DESC LIMIT ?
+      `).all(sinceHours, limit);
+        }
+        return this.db.prepare(`
+      SELECT * FROM requests ORDER BY created_at DESC LIMIT ?
+    `).all(limit);
+    }
+    purgeOlderThan(hours) {
+        const result = this.db.prepare(`DELETE FROM requests WHERE created_at < datetime('now', '-' || ? || ' hours')`).run(hours);
+        return result.changes;
+    }
+    getSessions() {
+        return this.db.prepare(`
+      SELECT
+        r.session_id,
+        COUNT(*) as request_count,
+        COALESCE(SUM(r.cost_usd), 0) as total_cost_usd,
+        MIN(r.created_at) as first_seen,
+        MAX(r.created_at) as last_seen,
+        s.label, s.source, s.project_path
+      FROM requests r
+      LEFT JOIN sessions s ON s.id = r.session_id
+      WHERE r.session_id IS NOT NULL
+      GROUP BY r.session_id
+      ORDER BY last_seen DESC
+    `).all();
+    }
+    getApiKeys() {
+        return this.db.prepare(`
+      SELECT
+        api_key_hash,
+        COUNT(*) as request_count,
+        COALESCE(SUM(cost_usd), 0) as total_cost_usd
+      FROM requests
+      WHERE api_key_hash IS NOT NULL
+      GROUP BY api_key_hash
+      ORDER BY request_count DESC
+    `).all();
+    }
+}
+exports.RequestsRepository = RequestsRepository;
+//# sourceMappingURL=requests.js.map

package/dist/storage/repositories/requests.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"requests.js","sourceRoot":"","sources":["../../../src/storage/repositories/requests.ts"],"names":[],"mappings":";;;AAmDA,MAAa,kBAAkB;IACrB,EAAE,CAAoB;IACtB,UAAU,CAAqB;IAEvC,YAAY,EAAqB;QAC/B,IAAI,CAAC,EAAE,GAAG,EAAE,CAAC;QACb,IAAI,CAAC,UAAU,GAAG,EAAE,CAAC,OAAO,CAAC;;;;;;;KAO5B,CAAC,CAAC;IACL,CAAC;IAED,MAAM,CAAC,MAAyC;QAC9C,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IAC9B,CAAC;IAED,QAAQ,CAAC,MAAoB;QAC3B,MAAM,UAAU,GAAa,EAAE,CAAC;QAChC,MAAM,MAAM,GAAc,EAAE,CAAC;QAE7B,IAAI,MAAM,EAAE,UAAU,EAAE,CAAC;YACvB,UAAU,CAAC,IAAI,CAAC,qDAAqD,CAAC,CAAC;YACvE,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;QACjC,CAAC;QACD,IAAI,MAAM,EAAE,SAAS,EAAE,CAAC;YACtB,UAAU,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;YAClC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAChC,CAAC;QACD,IAAI,MAAM,EAAE,UAAU,EAAE,CAAC;YACvB,UAAU,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;YACpC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;QACjC,CAAC;QAED,MAAM,WAAW,GAAG,UAAU,CAAC,MAAM,GAAG,CAAC;YACvC,CAAC,CAAC,QAAQ,GAAG,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC;YACrC,CAAC,CAAC,EAAE,CAAC;QAEP,MAAM,MAAM,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC;;;;;;;;sBAQb,WAAW;KAC5B,CAAC,CAAC,GAAG,CAAC,GAAG,MAAM,CAOf,CAAC;QAEF,MAAM,YAAY,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC;;sBAEnB,WAAW;;KAE5B,CAAC,CAAC,GAAG,CAAC,GAAG,MAAM,CAA+D,CAAC;QAEhF,MAAM,SAAS,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC;;sBAEhB,WAAW;;KAE5B,CAAC,CAAC,GAAG,CAAC,GAAG,MAAM,CAA4D,CAAC;QAE7E,MAAM,WAAW,GAA2D,EAAE,CAAC;QAC/E,KAAK,MAAM,GAAG,IAAI,YAAY,EAAE,CAAC;YAC/B,WAAW,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,EAAE,QAAQ,EAAE,GAAG,CAAC,QAAQ,EAAE,QAAQ,EAAE,GAAG,CAAC,QAAQ,EAAE,CAAC;QACjF,CAAC;QAED,MAAM,QAAQ,GAA2D,EAAE,CAAC;QAC5E,KAAK,MAAM,GAAG,IAAI,SAAS,EAAE,CAAC;YAC5B,QAAQ,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,EAAE,QAAQ,EAAE,GAAG,CAAC,QAAQ,EAAE,QAAQ,EAAE,GAAG,CAAC,QAAQ,EAAE,CAAC;QAC3E,CAAC;QAED,OAAO,EAAE,GAAG,MAAM,EAAE,WAAW,EAAE,QAAQ,EAAE,CAAC;IAC9C,CAAC;IAED,SAAS,CAAC,QAAgB,EAAE,EAAE,UAAmB;QAC/C,IAAI,UAAU,EAAE,CAAC;YACf,OAAO,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC;;OAEtB,CAAC,CAAC,GAAG,CAAC,UAAU,EAAE,KAAK,CAAoB,CAAC;QAC/C,CAAC;QACD,OAAO,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC;;KAEtB,CAAC,CAAC,GAAG,CAAC,KAAK,CAAoB,CAAC;IACnC,CAAC;IAED,cAAc,CAAC,KAAa;QAC1B,MAAM,MAAM,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAC5B,+EAA+E,CAChF,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACb,OAAO,MAAM,CAAC,OAAO,CAAC;IACxB,CAAC;IAED,WAAW;QACT,OAAO,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC;;;;;;;;;;;;;KAatB,CAAC,CAAC,GAAG,EAAmB,CAAC;IAC5B,CAAC;IAED,UAAU;QACR,OAAO,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC;;;;;;;;;KAStB,CAAC,CAAC,GAAG,EAA+E,CAAC;IACxF,CAAC;CACF;AAnID,gDAmIC"}

package/dist/storage/repositories/sessions.d.ts

@@ -0,0 +1,23 @@
+import type Database from 'better-sqlite3';
+export interface SessionRecord {
+    id: string;
+    label: string | null;
+    source: string;
+    project_path: string | null;
+    created_at: string;
+    last_seen_at: string;
+}
+export declare class SessionsRepository {
+    private db;
+    constructor(db: Database.Database);
+    upsert(id: string, info: {
+        label?: string;
+        source?: string;
+        projectPath?: string;
+    }): void;
+    get(id: string): SessionRecord | undefined;
+    touch(id: string): void;
+    getAll(limit?: number): SessionRecord[];
+    purgeOlderThan(hours: number): number;
+}
+//# sourceMappingURL=sessions.d.ts.map

package/dist/storage/repositories/sessions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sessions.d.ts","sourceRoot":"","sources":["../../../src/storage/repositories/sessions.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,QAAQ,MAAM,gBAAgB,CAAC;AAE3C,MAAM,WAAW,aAAa;IAC5B,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,MAAM,EAAE,MAAM,CAAC;IACf,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,EAAE,MAAM,CAAC;CACtB;AAED,qBAAa,kBAAkB;IAC7B,OAAO,CAAC,EAAE,CAAoB;gBAElB,EAAE,EAAE,QAAQ,CAAC,QAAQ;IAIjC,MAAM,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE;QAAE,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,WAAW,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI;IAkBzF,GAAG,CAAC,EAAE,EAAE,MAAM,GAAG,aAAa,GAAG,SAAS;IAI1C,KAAK,CAAC,EAAE,EAAE,MAAM,GAAG,IAAI;IAIvB,MAAM,CAAC,KAAK,GAAE,MAAW,GAAG,aAAa,EAAE;IAI3C,cAAc,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM;CAMtC"}

package/dist/storage/repositories/sessions.js

@@ -0,0 +1,42 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SessionsRepository = void 0;
+class SessionsRepository {
+    db;
+    constructor(db) {
+        this.db = db;
+    }
+    upsert(id, info) {
+        const existing = this.get(id);
+        if (existing) {
+            // Update: only overwrite label/project_path if provided and currently null
+            const label = existing.label ?? info.label ?? null;
+            const projectPath = existing.project_path ?? info.projectPath ?? null;
+            this.db.prepare(`
+        UPDATE sessions SET label = ?, project_path = ?, last_seen_at = datetime('now')
+        WHERE id = ?
+      `).run(label, projectPath, id);
+        }
+        else {
+            this.db.prepare(`
+        INSERT INTO sessions (id, label, source, project_path)
+        VALUES (?, ?, ?, ?)
+      `).run(id, info.label ?? null, info.source ?? 'auto', info.projectPath ?? null);
+        }
+    }
+    get(id) {
+        return this.db.prepare('SELECT * FROM sessions WHERE id = ?').get(id);
+    }
+    touch(id) {
+        this.db.prepare("UPDATE sessions SET last_seen_at = datetime('now') WHERE id = ?").run(id);
+    }
+    getAll(limit = 50) {
+        return this.db.prepare('SELECT * FROM sessions ORDER BY last_seen_at DESC LIMIT ?').all(limit);
+    }
+    purgeOlderThan(hours) {
+        const result = this.db.prepare(`DELETE FROM sessions WHERE last_seen_at < datetime('now', '-' || ? || ' hours')`).run(hours);
+        return result.changes;
+    }
+}
+exports.SessionsRepository = SessionsRepository;
+//# sourceMappingURL=sessions.js.map

package/dist/storage/repositories/sessions.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sessions.js","sourceRoot":"","sources":["../../../src/storage/repositories/sessions.ts"],"names":[],"mappings":";;;AAWA,MAAa,kBAAkB;IACrB,EAAE,CAAoB;IAE9B,YAAY,EAAqB;QAC/B,IAAI,CAAC,EAAE,GAAG,EAAE,CAAC;IACf,CAAC;IAED,MAAM,CAAC,EAAU,EAAE,IAA+D;QAChF,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAC9B,IAAI,QAAQ,EAAE,CAAC;YACb,2EAA2E;YAC3E,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,IAAI,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC;YACnD,MAAM,WAAW,GAAG,QAAQ,CAAC,YAAY,IAAI,IAAI,CAAC,WAAW,IAAI,IAAI,CAAC;YACtE,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC;;;OAGf,CAAC,CAAC,GAAG,CAAC,KAAK,EAAE,WAAW,EAAE,EAAE,CAAC,CAAC;QACjC,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC;;;OAGf,CAAC,CAAC,GAAG,CAAC,EAAE,EAAE,IAAI,CAAC,KAAK,IAAI,IAAI,EAAE,IAAI,CAAC,MAAM,IAAI,MAAM,EAAE,IAAI,CAAC,WAAW,IAAI,IAAI,CAAC,CAAC;QAClF,CAAC;IACH,CAAC;IAED,GAAG,CAAC,EAAU;QACZ,OAAO,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,qCAAqC,CAAC,CAAC,GAAG,CAAC,EAAE,CAA8B,CAAC;IACrG,CAAC;IAED,KAAK,CAAC,EAAU;QACd,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,iEAAiE,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAC7F,CAAC;IAED,MAAM,CAAC,QAAgB,EAAE;QACvB,OAAO,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,2DAA2D,CAAC,CAAC,GAAG,CAAC,KAAK,CAAoB,CAAC;IACpH,CAAC;IAED,cAAc,CAAC,KAAa;QAC1B,MAAM,MAAM,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAC5B,iFAAiF,CAClF,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACb,OAAO,MAAM,CAAC,OAAO,CAAC;IACxB,CAAC;CACF;AA3CD,gDA2CC"}

package/dist/storage/repositories/tool-calls.d.ts

@@ -0,0 +1,49 @@
+import type Database from 'better-sqlite3';
+export interface ToolCallRecord {
+    id: string;
+    request_id: string;
+    tool_name: string;
+    tool_input: string | null;
+    rule_id: string | null;
+    rule_name: string | null;
+    severity: string | null;
+    category: string | null;
+    action: string | null;
+    provider: string | null;
+    session_id: string | null;
+    created_at: string;
+}
+export interface ToolCallStats {
+    total: number;
+    flagged: number;
+    bySeverity: Record<string, number>;
+    byCategory: Record<string, number>;
+    topToolNames: Array<{
+        tool_name: string;
+        count: number;
+    }>;
+}
+export declare class ToolCallsRepository {
+    private db;
+    private insertStmt;
+    constructor(db: Database.Database);
+    insert(record: {
+        id: string;
+        request_id: string;
+        tool_name: string;
+        tool_input: string;
+        rule_id: string | null;
+        rule_name: string | null;
+        severity: string | null;
+        category: string | null;
+        action: string | null;
+        provider: string;
+        session_id: string | null;
+    }): void;
+    getByRequestId(requestId: string): ToolCallRecord[];
+    getRecent(limit?: number, sinceHours?: number): ToolCallRecord[];
+    getBySession(sessionId: string): ToolCallRecord[];
+    getStats(): ToolCallStats;
+    purgeOlderThan(hours: number): number;
+}
+//# sourceMappingURL=tool-calls.d.ts.map

package/dist/storage/repositories/tool-calls.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tool-calls.d.ts","sourceRoot":"","sources":["../../../src/storage/repositories/tool-calls.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,QAAQ,MAAM,gBAAgB,CAAC;AAE3C,MAAM,WAAW,cAAc;IAC7B,EAAE,EAAE,MAAM,CAAC;IACX,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,aAAa;IAC5B,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnC,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnC,YAAY,EAAE,KAAK,CAAC;QAAE,SAAS,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CAC3D;AAID,qBAAa,mBAAmB;IAC9B,OAAO,CAAC,EAAE,CAAoB;IAC9B,OAAO,CAAC,UAAU,CAAqB;gBAE3B,EAAE,EAAE,QAAQ,CAAC,QAAQ;IAQjC,MAAM,CAAC,MAAM,EAAE;QACb,EAAE,EAAE,MAAM,CAAC;QACX,UAAU,EAAE,MAAM,CAAC;QACnB,SAAS,EAAE,MAAM,CAAC;QAClB,UAAU,EAAE,MAAM,CAAC;QACnB,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;QACvB,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;QACzB,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;QACxB,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;QACxB,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;QACtB,QAAQ,EAAE,MAAM,CAAC;QACjB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;KAC3B,GAAG,IAAI;IASR,cAAc,CAAC,SAAS,EAAE,MAAM,GAAG,cAAc,EAAE;IAMnD,SAAS,CAAC,KAAK,GAAE,MAAW,EAAE,UAAU,CAAC,EAAE,MAAM,GAAG,cAAc,EAAE;IAWpE,YAAY,CAAC,SAAS,EAAE,MAAM,GAAG,cAAc,EAAE;IAMjD,QAAQ,IAAI,aAAa;IAuBzB,cAAc,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM;CAMtC"}

package/dist/storage/repositories/tool-calls.js

@@ -0,0 +1,61 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ToolCallsRepository = void 0;
+const MAX_INPUT_BYTES = 2048;
+class ToolCallsRepository {
+    db;
+    insertStmt;
+    constructor(db) {
+        this.db = db;
+        this.insertStmt = db.prepare(`
+      INSERT INTO tool_calls (id, request_id, tool_name, tool_input, rule_id, rule_name, severity, category, action, provider, session_id)
+      VALUES (@id, @request_id, @tool_name, @tool_input, @rule_id, @rule_name, @severity, @category, @action, @provider, @session_id)
+    `);
+    }
+    insert(record) {
+        this.insertStmt.run({
+            ...record,
+            tool_input: record.tool_input.length > MAX_INPUT_BYTES
+                ? record.tool_input.slice(0, MAX_INPUT_BYTES)
+                : record.tool_input,
+        });
+    }
+    getByRequestId(requestId) {
+        return this.db.prepare('SELECT * FROM tool_calls WHERE request_id = ? ORDER BY created_at ASC').all(requestId);
+    }
+    getRecent(limit = 50, sinceHours) {
+        if (sinceHours) {
+            return this.db.prepare(`
+        SELECT * FROM tool_calls WHERE created_at > datetime('now', '-' || ? || ' hours') ORDER BY created_at DESC LIMIT ?
+      `).all(sinceHours, limit);
+        }
+        return this.db.prepare(`
+      SELECT * FROM tool_calls ORDER BY created_at DESC LIMIT ?
+    `).all(limit);
+    }
+    getBySession(sessionId) {
+        return this.db.prepare(`
+      SELECT * FROM tool_calls WHERE session_id = ? ORDER BY created_at DESC
+    `).all(sessionId);
+    }
+    getStats() {
+        const total = this.db.prepare('SELECT COUNT(*) as c FROM tool_calls').get().c;
+        const flagged = this.db.prepare('SELECT COUNT(*) as c FROM tool_calls WHERE severity IS NOT NULL').get().c;
+        const bySeverityRows = this.db.prepare('SELECT severity, COUNT(*) as c FROM tool_calls WHERE severity IS NOT NULL GROUP BY severity').all();
+        const bySeverity = {};
+        for (const row of bySeverityRows)
+            bySeverity[row.severity] = row.c;
+        const byCategoryRows = this.db.prepare('SELECT category, COUNT(*) as c FROM tool_calls WHERE category IS NOT NULL GROUP BY category ORDER BY c DESC').all();
+        const byCategory = {};
+        for (const row of byCategoryRows)
+            byCategory[row.category] = row.c;
+        const topToolNames = this.db.prepare('SELECT tool_name, COUNT(*) as count FROM tool_calls GROUP BY tool_name ORDER BY count DESC LIMIT 10').all();
+        return { total, flagged, bySeverity, byCategory, topToolNames };
+    }
+    purgeOlderThan(hours) {
+        const result = this.db.prepare(`DELETE FROM tool_calls WHERE created_at < datetime('now', '-' || ? || ' hours')`).run(hours);
+        return result.changes;
+    }
+}
+exports.ToolCallsRepository = ToolCallsRepository;
+//# sourceMappingURL=tool-calls.js.map

package/dist/storage/repositories/tool-calls.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tool-calls.js","sourceRoot":"","sources":["../../../src/storage/repositories/tool-calls.ts"],"names":[],"mappings":";;;AAyBA,MAAM,eAAe,GAAG,IAAI,CAAC;AAE7B,MAAa,mBAAmB;IACtB,EAAE,CAAoB;IACtB,UAAU,CAAqB;IAEvC,YAAY,EAAqB;QAC/B,IAAI,CAAC,EAAE,GAAG,EAAE,CAAC;QACb,IAAI,CAAC,UAAU,GAAG,EAAE,CAAC,OAAO,CAAC;;;KAG5B,CAAC,CAAC;IACL,CAAC;IAED,MAAM,CAAC,MAYN;QACC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;YAClB,GAAG,MAAM;YACT,UAAU,EAAE,MAAM,CAAC,UAAU,CAAC,MAAM,GAAG,eAAe;gBACpD,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,eAAe,CAAC;gBAC7C,CAAC,CAAC,MAAM,CAAC,UAAU;SACtB,CAAC,CAAC;IACL,CAAC;IAED,cAAc,CAAC,SAAiB;QAC9B,OAAO,IAAI,CAAC,EAAE,CAAC,OAAO,CACpB,uEAAuE,CACxE,CAAC,GAAG,CAAC,SAAS,CAAqB,CAAC;IACvC,CAAC;IAED,SAAS,CAAC,QAAgB,EAAE,EAAE,UAAmB;QAC/C,IAAI,UAAU,EAAE,CAAC;YACf,OAAO,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC;;OAEtB,CAAC,CAAC,GAAG,CAAC,UAAU,EAAE,KAAK,CAAqB,CAAC;QAChD,CAAC;QACD,OAAO,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC;;KAEtB,CAAC,CAAC,GAAG,CAAC,KAAK,CAAqB,CAAC;IACpC,CAAC;IAED,YAAY,CAAC,SAAiB;QAC5B,OAAO,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC;;KAEtB,CAAC,CAAC,GAAG,CAAC,SAAS,CAAqB,CAAC;IACxC,CAAC;IAED,QAAQ;QACN,MAAM,KAAK,GAAI,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,sCAAsC,CAAC,CAAC,GAAG,EAAoB,CAAC,CAAC,CAAC;QACjG,MAAM,OAAO,GAAI,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,iEAAiE,CAAC,CAAC,GAAG,EAAoB,CAAC,CAAC,CAAC;QAE9H,MAAM,cAAc,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CACpC,6FAA6F,CAC9F,CAAC,GAAG,EAA4C,CAAC;QAClD,MAAM,UAAU,GAA2B,EAAE,CAAC;QAC9C,KAAK,MAAM,GAAG,IAAI,cAAc;YAAE,UAAU,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC;QAEnE,MAAM,cAAc,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CACpC,6GAA6G,CAC9G,CAAC,GAAG,EAA4C,CAAC;QAClD,MAAM,UAAU,GAA2B,EAAE,CAAC;QAC9C,KAAK,MAAM,GAAG,IAAI,cAAc;YAAE,UAAU,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC;QAEnE,MAAM,YAAY,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAClC,qGAAqG,CACtG,CAAC,GAAG,EAAiD,CAAC;QAEvD,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,YAAY,EAAE,CAAC;IAClE,CAAC;IAED,cAAc,CAAC,KAAa;QAC1B,MAAM,MAAM,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAC5B,iFAAiF,CAClF,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACb,OAAO,MAAM,CAAC,OAAO,CAAC;IACxB,CAAC;CACF;AArFD,kDAqFC"}

package/dist/storage/repositories/tool-guard-rules.d.ts

@@ -0,0 +1,50 @@
+import type Database from 'better-sqlite3';
+import type { ToolGuardRule } from '../../tool-guard/rules.js';
+export interface ToolGuardRuleRecord {
+    id: string;
+    name: string;
+    description: string | null;
+    severity: string;
+    category: string;
+    tool_name_pattern: string | null;
+    tool_name_flags: string | null;
+    input_pattern: string;
+    input_flags: string;
+    enabled: number;
+    is_builtin: number;
+    created_at: string;
+}
+export declare class ToolGuardRulesRepository {
+    private db;
+    constructor(db: Database.Database);
+    /**
+     * Seed built-in rules.
+     *
+     * On first run: inserts all rules with enabled=1.
+     * On subsequent runs: updates rule definitions (patterns, severity, category)
+     * while preserving the user's enabled/disabled toggle state.
+     */
+    seedBuiltins(rules: ToolGuardRule[]): void;
+    /** Get all enabled rules, converted to ToolGuardRule objects */
+    getEnabled(): ToolGuardRule[];
+    /** Get all rules for UI listing */
+    getAll(): ToolGuardRuleRecord[];
+    /** Toggle enabled flag */
+    toggle(id: string, enabled: boolean): void;
+    /** Insert or update a custom rule */
+    upsert(record: {
+        id: string;
+        name: string;
+        description?: string | null;
+        severity?: string;
+        category?: string;
+        tool_name_pattern?: string | null;
+        tool_name_flags?: string | null;
+        input_pattern: string;
+        input_flags?: string;
+        enabled?: boolean;
+    }): void;
+    /** Delete a custom rule. Rejects if is_builtin=1. Returns true if deleted. */
+    remove(id: string): boolean;
+}
+//# sourceMappingURL=tool-guard-rules.d.ts.map

package/dist/storage/repositories/tool-guard-rules.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tool-guard-rules.d.ts","sourceRoot":"","sources":["../../../src/storage/repositories/tool-guard-rules.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,QAAQ,MAAM,gBAAgB,CAAC;AAC3C,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,2BAA2B,CAAC;AAE/D,MAAM,WAAW,mBAAmB;IAClC,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,iBAAiB,EAAE,MAAM,GAAG,IAAI,CAAC;IACjC,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,aAAa,EAAE,MAAM,CAAC;IACtB,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,qBAAa,wBAAwB;IACnC,OAAO,CAAC,EAAE,CAAoB;gBAElB,EAAE,EAAE,QAAQ,CAAC,QAAQ;IAIjC;;;;;;OAMG;IACH,YAAY,CAAC,KAAK,EAAE,aAAa,EAAE,GAAG,IAAI;IAqC1C,gEAAgE;IAChE,UAAU,IAAI,aAAa,EAAE;IAO7B,mCAAmC;IACnC,MAAM,IAAI,mBAAmB,EAAE;IAM/B,0BAA0B;IAC1B,MAAM,CAAC,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,GAAG,IAAI;IAM1C,qCAAqC;IACrC,MAAM,CAAC,MAAM,EAAE;QACb,EAAE,EAAE,MAAM,CAAC;QACX,IAAI,EAAE,MAAM,CAAC;QACb,WAAW,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;QAC5B,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,iBAAiB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;QAClC,eAAe,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;QAChC,aAAa,EAAE,MAAM,CAAC;QACtB,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,OAAO,CAAC,EAAE,OAAO,CAAC;KACnB,GAAG,IAAI;IA8BR,8EAA8E;IAC9E,MAAM,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO;CAa5B"}

package/dist/storage/repositories/tool-guard-rules.js

@@ -0,0 +1,120 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ToolGuardRulesRepository = void 0;
+class ToolGuardRulesRepository {
+    db;
+    constructor(db) {
+        this.db = db;
+    }
+    /**
+     * Seed built-in rules.
+     *
+     * On first run: inserts all rules with enabled=1.
+     * On subsequent runs: updates rule definitions (patterns, severity, category)
+     * while preserving the user's enabled/disabled toggle state.
+     */
+    seedBuiltins(rules) {
+        const stmt = this.db.prepare(`
+      INSERT INTO tool_guard_rules
+        (id, name, description, severity, category, tool_name_pattern, tool_name_flags, input_pattern, input_flags, enabled, is_builtin)
+      VALUES
+        (@id, @name, @description, @severity, @category, @tool_name_pattern, @tool_name_flags, @input_pattern, @input_flags, 1, 1)
+      ON CONFLICT(id) DO UPDATE SET
+        name             = excluded.name,
+        description      = excluded.description,
+        severity         = excluded.severity,
+        category         = excluded.category,
+        tool_name_pattern = excluded.tool_name_pattern,
+        tool_name_flags  = excluded.tool_name_flags,
+        input_pattern    = excluded.input_pattern,
+        input_flags      = excluded.input_flags,
+        is_builtin       = 1
+        -- enabled is intentionally omitted to preserve user toggle state
+    `);
+        const seed = this.db.transaction(() => {
+            for (const r of rules) {
+                stmt.run({
+                    id: r.id,
+                    name: r.name,
+                    description: r.description ?? null,
+                    severity: r.severity,
+                    category: r.category,
+                    tool_name_pattern: r.match.toolName?.source ?? null,
+                    tool_name_flags: r.match.toolName?.flags ?? null,
+                    input_pattern: r.match.inputPattern?.source ?? '',
+                    input_flags: r.match.inputPattern?.flags ?? 'i',
+                });
+            }
+        });
+        seed();
+    }
+    /** Get all enabled rules, converted to ToolGuardRule objects */
+    getEnabled() {
+        const rows = this.db.prepare('SELECT * FROM tool_guard_rules WHERE enabled = 1').all();
+        return rows.map(rowToRule);
+    }
+    /** Get all rules for UI listing */
+    getAll() {
+        return this.db.prepare('SELECT * FROM tool_guard_rules ORDER BY is_builtin DESC, category, name').all();
+    }
+    /** Toggle enabled flag */
+    toggle(id, enabled) {
+        this.db.prepare('UPDATE tool_guard_rules SET enabled = ? WHERE id = ?').run(enabled ? 1 : 0, id);
+    }
+    /** Insert or update a custom rule */
+    upsert(record) {
+        this.db.prepare(`
+      INSERT INTO tool_guard_rules
+        (id, name, description, severity, category, tool_name_pattern, tool_name_flags, input_pattern, input_flags, enabled, is_builtin)
+      VALUES
+        (@id, @name, @description, @severity, @category, @tool_name_pattern, @tool_name_flags, @input_pattern, @input_flags, @enabled, 0)
+      ON CONFLICT(id) DO UPDATE SET
+        name = @name,
+        description = @description,
+        severity = @severity,
+        category = @category,
+        tool_name_pattern = @tool_name_pattern,
+        tool_name_flags = @tool_name_flags,
+        input_pattern = @input_pattern,
+        input_flags = @input_flags,
+        enabled = @enabled
+    `).run({
+            id: record.id,
+            name: record.name,
+            description: record.description ?? null,
+            severity: record.severity ?? 'medium',
+            category: record.category ?? 'custom',
+            tool_name_pattern: record.tool_name_pattern ?? null,
+            tool_name_flags: record.tool_name_flags ?? null,
+            input_pattern: record.input_pattern,
+            input_flags: record.input_flags ?? 'i',
+            enabled: record.enabled === false ? 0 : 1,
+        });
+    }
+    /** Delete a custom rule. Rejects if is_builtin=1. Returns true if deleted. */
+    remove(id) {
+        const row = this.db.prepare('SELECT is_builtin FROM tool_guard_rules WHERE id = ?').get(id);
+        if (!row)
+            return false;
+        if (row.is_builtin === 1) {
+            throw new Error('Cannot delete built-in rule');
+        }
+        this.db.prepare('DELETE FROM tool_guard_rules WHERE id = ?').run(id);
+        return true;
+    }
+}
+exports.ToolGuardRulesRepository = ToolGuardRulesRepository;
+function rowToRule(row) {
+    return {
+        id: row.id,
+        name: row.name,
+        description: row.description ?? '',
+        severity: row.severity,
+        category: row.category,
+        match: {
+            toolName: row.tool_name_pattern ? new RegExp(row.tool_name_pattern, row.tool_name_flags ?? '') : undefined,
+            inputPattern: row.input_pattern ? new RegExp(row.input_pattern, row.input_flags ?? 'i') : undefined,
+        },
+    };
+}
+//# sourceMappingURL=tool-guard-rules.js.map

package/dist/storage/repositories/tool-guard-rules.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tool-guard-rules.js","sourceRoot":"","sources":["../../../src/storage/repositories/tool-guard-rules.ts"],"names":[],"mappings":";;;AAkBA,MAAa,wBAAwB;IAC3B,EAAE,CAAoB;IAE9B,YAAY,EAAqB;QAC/B,IAAI,CAAC,EAAE,GAAG,EAAE,CAAC;IACf,CAAC;IAED;;;;;;OAMG;IACH,YAAY,CAAC,KAAsB;QACjC,MAAM,IAAI,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC;;;;;;;;;;;;;;;;KAgB5B,CAAC,CAAC;QAEH,MAAM,IAAI,GAAG,IAAI,CAAC,EAAE,CAAC,WAAW,CAAC,GAAG,EAAE;YACpC,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;gBACtB,IAAI,CAAC,GAAG,CAAC;oBACP,EAAE,EAAE,CAAC,CAAC,EAAE;oBACR,IAAI,EAAE,CAAC,CAAC,IAAI;oBACZ,WAAW,EAAE,CAAC,CAAC,WAAW,IAAI,IAAI;oBAClC,QAAQ,EAAE,CAAC,CAAC,QAAQ;oBACpB,QAAQ,EAAE,CAAC,CAAC,QAAQ;oBACpB,iBAAiB,EAAE,CAAC,CAAC,KAAK,CAAC,QAAQ,EAAE,MAAM,IAAI,IAAI;oBACnD,eAAe,EAAE,CAAC,CAAC,KAAK,CAAC,QAAQ,EAAE,KAAK,IAAI,IAAI;oBAChD,aAAa,EAAE,CAAC,CAAC,KAAK,CAAC,YAAY,EAAE,MAAM,IAAI,EAAE;oBACjD,WAAW,EAAE,CAAC,CAAC,KAAK,CAAC,YAAY,EAAE,KAAK,IAAI,GAAG;iBAChD,CAAC,CAAC;YACL,CAAC;QACH,CAAC,CAAC,CAAC;QACH,IAAI,EAAE,CAAC;IACT,CAAC;IAED,gEAAgE;IAChE,UAAU;QACR,MAAM,IAAI,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAC1B,kDAAkD,CACnD,CAAC,GAAG,EAA2B,CAAC;QACjC,OAAO,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IAC7B,CAAC;IAED,mCAAmC;IACnC,MAAM;QACJ,OAAO,IAAI,CAAC,EAAE,CAAC,OAAO,CACpB,yEAAyE,CAC1E,CAAC,GAAG,EAA2B,CAAC;IACnC,CAAC;IAED,0BAA0B;IAC1B,MAAM,CAAC,EAAU,EAAE,OAAgB;QACjC,IAAI,CAAC,EAAE,CAAC,OAAO,CACb,sDAAsD,CACvD,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAC7B,CAAC;IAED,qCAAqC;IACrC,MAAM,CAAC,MAWN;QACC,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC;;;;;;;;;;;;;;;KAef,CAAC,CAAC,GAAG,CAAC;YACL,EAAE,EAAE,MAAM,CAAC,EAAE;YACb,IAAI,EAAE,MAAM,CAAC,IAAI;YACjB,WAAW,EAAE,MAAM,CAAC,WAAW,IAAI,IAAI;YACvC,QAAQ,EAAE,MAAM,CAAC,QAAQ,IAAI,QAAQ;YACrC,QAAQ,EAAE,MAAM,CAAC,QAAQ,IAAI,QAAQ;YACrC,iBAAiB,EAAE,MAAM,CAAC,iBAAiB,IAAI,IAAI;YACnD,eAAe,EAAE,MAAM,CAAC,eAAe,IAAI,IAAI;YAC/C,aAAa,EAAE,MAAM,CAAC,aAAa;YACnC,WAAW,EAAE,MAAM,CAAC,WAAW,IAAI,GAAG;YACtC,OAAO,EAAE,MAAM,CAAC,OAAO,KAAK,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;SAC1C,CAAC,CAAC;IACL,CAAC;IAED,8EAA8E;IAC9E,MAAM,CAAC,EAAU;QACf,MAAM,GAAG,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CACzB,sDAAsD,CACvD,CAAC,GAAG,CAAC,EAAE,CAAuC,CAAC;QAEhD,IAAI,CAAC,GAAG;YAAE,OAAO,KAAK,CAAC;QACvB,IAAI,GAAG,CAAC,UAAU,KAAK,CAAC,EAAE,CAAC;YACzB,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAC;QACjD,CAAC;QAED,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,2CAA2C,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACrE,OAAO,IAAI,CAAC;IACd,CAAC;CACF;AAjID,4DAiIC;AAED,SAAS,SAAS,CAAC,GAAwB;IACzC,OAAO;QACL,EAAE,EAAE,GAAG,CAAC,EAAE;QACV,IAAI,EAAE,GAAG,CAAC,IAAI;QACd,WAAW,EAAE,GAAG,CAAC,WAAW,IAAI,EAAE;QAClC,QAAQ,EAAE,GAAG,CAAC,QAAqC;QACnD,QAAQ,EAAE,GAAG,CAAC,QAAQ;QACtB,KAAK,EAAE;YACL,QAAQ,EAAE,GAAG,CAAC,iBAAiB,CAAC,CAAC,CAAC,IAAI,MAAM,CAAC,GAAG,CAAC,iBAAiB,EAAE,GAAG,CAAC,eAAe,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,SAAS;YAC1G,YAAY,EAAE,GAAG,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,MAAM,CAAC,GAAG,CAAC,aAAa,EAAE,GAAG,CAAC,WAAW,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS;SACpG;KACF,CAAC;AACJ,CAAC"}