@aion0/bastion 0.1.7

package/dist/tool-guard/rules.js

@@ -0,0 +1,255 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.BUILTIN_RULES = void 0;
+exports.matchRules = matchRules;
+/**
+ * Matches tool names that execute shell commands or interact with the OS.
+ *
+ * Rules tagged with toolName: SHELL_TOOL_PATTERN only fire when the tool
+ * actually runs code — bash, computer, terminal, etc. This prevents false
+ * positives when tools like write_file, str_replace_editor, or search handle
+ * content that merely *mentions* dangerous shell patterns without executing them.
+ *
+ * Intentionally uses substring matching so unconventional names like
+ * "bash_tool" or "run_shell_command" are also covered.
+ */
+const SHELL_TOOL_PATTERN = /bash|shell|exec|terminal|computer|repl/i;
+exports.BUILTIN_RULES = [
+    // ── destructive-fs (critical) ──
+    {
+        id: 'fs-rm-rf-root',
+        name: 'Recursive delete root/home',
+        description: 'rm -rf targeting / or ~ or /home',
+        severity: 'critical',
+        category: 'destructive-fs',
+        match: { toolName: SHELL_TOOL_PATTERN, inputPattern: /rm\s+-[^\n]*r[^\n]*f[^\n]*\s+(?:\/(?:\s|"|$)|\/*(?:\s|"|$)|~\/?(?:\s|"|$)|~\/?\*|\/home)/i },
+    },
+    {
+        id: 'fs-rm-rf-wildcard',
+        name: 'Recursive delete with wildcard',
+        description: 'rm -rf with dangerous wildcard patterns',
+        severity: 'critical',
+        category: 'destructive-fs',
+        match: { toolName: SHELL_TOOL_PATTERN, inputPattern: /rm\s+-[^\n]*rf\s+(?:\.\s|\.\*|\*\s|\/\*)/i },
+    },
+    {
+        id: 'fs-chmod-777',
+        name: 'chmod 777 on sensitive paths',
+        description: 'Making files world-writable',
+        severity: 'high',
+        category: 'destructive-fs',
+        match: { toolName: SHELL_TOOL_PATTERN, inputPattern: /chmod\s+(?:-[^\n]*)?\s*777/i },
+    },
+    {
+        id: 'fs-mkfs',
+        name: 'Format filesystem',
+        description: 'mkfs on a block device',
+        severity: 'critical',
+        category: 'destructive-fs',
+        match: { toolName: SHELL_TOOL_PATTERN, inputPattern: /mkfs\b/i },
+    },
+    {
+        id: 'fs-dd-device',
+        name: 'dd to block device',
+        description: 'dd writing directly to a device',
+        severity: 'critical',
+        category: 'destructive-fs',
+        match: { toolName: SHELL_TOOL_PATTERN, inputPattern: /dd\s+[^\n]*of=\/dev\//i },
+    },
+    // ── code-execution (critical) ──
+    {
+        id: 'exec-curl-pipe',
+        name: 'curl pipe to shell',
+        description: 'Piping remote content directly to a shell interpreter',
+        severity: 'critical',
+        category: 'code-execution',
+        match: { toolName: SHELL_TOOL_PATTERN, inputPattern: /curl\s+[^\n|]*\|\s*(?:bash|sh|zsh|python|perl|ruby|node)/i },
+    },
+    {
+        id: 'exec-wget-pipe',
+        name: 'wget pipe to shell',
+        description: 'Piping wget output to a shell interpreter',
+        severity: 'critical',
+        category: 'code-execution',
+        match: { toolName: SHELL_TOOL_PATTERN, inputPattern: /wget\s+[^\n|]*\|\s*(?:bash|sh|zsh|python|perl|ruby|node)/i },
+    },
+    {
+        id: 'exec-eval',
+        name: 'eval() on dynamic input',
+        description: 'Using eval on variables or external input',
+        severity: 'high',
+        category: 'code-execution',
+        match: { toolName: SHELL_TOOL_PATTERN, inputPattern: /\beval\s*\(/i },
+    },
+    {
+        id: 'exec-base64-decode-pipe',
+        name: 'base64 decode and execute',
+        description: 'Decoding base64 content and piping to shell',
+        severity: 'critical',
+        category: 'code-execution',
+        match: { toolName: SHELL_TOOL_PATTERN, inputPattern: /base64\s+(?:-d|--decode)[^\n|]*\|\s*(?:bash|sh|zsh)/i },
+    },
+    // ── credential-access (high) ──
+    {
+        id: 'cred-env-read',
+        name: 'Read .env file',
+        description: 'Reading environment files that may contain secrets',
+        severity: 'high',
+        category: 'credential-access',
+        match: { toolName: SHELL_TOOL_PATTERN, inputPattern: /(?:cat|less|more|head|tail|bat|type|get-content)\s+[^\n]*\.env\b/i },
+    },
+    {
+        id: 'cred-private-key',
+        name: 'Access private key',
+        description: 'Reading SSH or TLS private key files',
+        severity: 'high',
+        category: 'credential-access',
+        match: { toolName: SHELL_TOOL_PATTERN, inputPattern: /(?:cat|less|more|head|tail|bat|type|get-content)\s+[^\n]*(?:id_rsa|id_ed25519|\.pem|private[_-]?key)/i },
+    },
+    {
+        id: 'cred-aws-credentials',
+        name: 'Access AWS credentials',
+        description: 'Reading AWS credentials or config files',
+        severity: 'high',
+        category: 'credential-access',
+        match: { toolName: SHELL_TOOL_PATTERN, inputPattern: /(?:cat|less|more|head|tail|bat|type|get-content)\s+[^\n]*(?:\.aws\/credentials|\.aws\/config)/i },
+    },
+    {
+        id: 'cred-secret-env-var',
+        name: 'Echo secret environment variable',
+        description: 'Printing sensitive environment variables',
+        severity: 'high',
+        category: 'credential-access',
+        match: { toolName: SHELL_TOOL_PATTERN, inputPattern: /(?:echo|printf|print)\s+[^\n]*\$(?:AWS_SECRET|PRIVATE_KEY|API_KEY|SECRET_KEY|DATABASE_URL|DB_PASSWORD)/i },
+    },
+    // ── network-exfil ──
+    {
+        id: 'net-curl-post-data',
+        name: 'curl POST with data',
+        description: 'Sending data via curl POST to an external endpoint',
+        severity: 'medium',
+        category: 'network-exfil',
+        match: { toolName: SHELL_TOOL_PATTERN, inputPattern: /curl\s+[^\n]*(?:-X\s*POST|-d\s|--data)/i },
+    },
+    {
+        id: 'net-exfil-to-ip',
+        name: 'Data transfer to raw IP',
+        description: 'Sending data to a raw IP address (potential exfiltration)',
+        severity: 'high',
+        category: 'network-exfil',
+        match: { toolName: SHELL_TOOL_PATTERN, inputPattern: /(?:curl|wget|nc|ncat)\s+[^\n]*\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/i },
+    },
+    // ── git-destructive ──
+    {
+        id: 'git-force-push',
+        name: 'git force push',
+        description: 'Force pushing can overwrite remote history',
+        severity: 'high',
+        category: 'git-destructive',
+        // (?!-with-lease) prevents matching --force-with-lease, which is safe
+        match: { toolName: SHELL_TOOL_PATTERN, inputPattern: /git\s+push\s+[^\n]*(?:--force(?!-with-lease)|-f\b)/i },
+    },
+    {
+        id: 'git-reset-hard',
+        name: 'git reset --hard',
+        description: 'Hard reset discards uncommitted changes',
+        severity: 'high',
+        category: 'git-destructive',
+        match: { toolName: SHELL_TOOL_PATTERN, inputPattern: /git\s+reset\s+--hard/i },
+    },
+    {
+        id: 'git-clean-force',
+        name: 'git clean -f',
+        description: 'Force-cleaning untracked files',
+        severity: 'medium',
+        category: 'git-destructive',
+        match: { toolName: SHELL_TOOL_PATTERN, inputPattern: /git\s+clean\s+[^\n]*-[^\n]*f/i },
+    },
+    // ── package-publish ──
+    {
+        id: 'pkg-npm-publish',
+        name: 'npm publish',
+        description: 'Publishing package to npm registry',
+        severity: 'medium',
+        category: 'package-publish',
+        match: { toolName: SHELL_TOOL_PATTERN, inputPattern: /npm\s+publish/i },
+    },
+    {
+        id: 'pkg-pip-upload',
+        name: 'pip/twine upload',
+        description: 'Uploading package to PyPI',
+        severity: 'medium',
+        category: 'package-publish',
+        match: { toolName: SHELL_TOOL_PATTERN, inputPattern: /(?:twine\s+upload|pip\s+.*upload)/i },
+    },
+    // ── system-config ──
+    {
+        id: 'sys-sudo',
+        name: 'sudo command',
+        description: 'Executing command with elevated privileges',
+        severity: 'medium',
+        category: 'system-config',
+        match: { toolName: SHELL_TOOL_PATTERN, inputPattern: /\bsudo\s+/i },
+    },
+    {
+        id: 'sys-iptables',
+        name: 'iptables modification',
+        description: 'Modifying firewall rules',
+        severity: 'medium',
+        category: 'system-config',
+        match: { toolName: SHELL_TOOL_PATTERN, inputPattern: /\biptables\s+/i },
+    },
+    {
+        id: 'sys-systemctl',
+        name: 'systemctl service control',
+        description: 'Starting/stopping/enabling system services',
+        severity: 'medium',
+        category: 'system-config',
+        match: { toolName: SHELL_TOOL_PATTERN, inputPattern: /\bsystemctl\s+(?:start|stop|enable|disable|restart)/i },
+    },
+    // ── file-delete ──
+    {
+        id: 'fs-rm',
+        name: 'File/directory deletion',
+        description: 'Removing files or directories',
+        severity: 'medium',
+        category: 'file-delete',
+        match: { toolName: SHELL_TOOL_PATTERN, inputPattern: /\brm\s+/i },
+    },
+    // ── file-write-outside (low) ──
+    // No toolName constraint: writing to /etc/ or /usr/ is suspicious regardless
+    // of whether the tool is a shell executor or a file writer.
+    {
+        id: 'write-etc',
+        name: 'Write to /etc/',
+        description: 'Writing to system configuration directory',
+        severity: 'low',
+        category: 'file-write-outside',
+        match: { inputPattern: /(?:>|tee|write_file|Write)\s*[^\n]*\/etc\//i },
+    },
+    {
+        id: 'write-usr',
+        name: 'Write to /usr/',
+        description: 'Writing to system binaries directory',
+        severity: 'low',
+        category: 'file-write-outside',
+        match: { inputPattern: /(?:>|tee|write_file|Write)\s*[^\n]*\/usr\//i },
+    },
+];
+function matchRules(toolName, toolInput, rules = exports.BUILTIN_RULES) {
+    const inputStr = typeof toolInput === 'string' ? toolInput : JSON.stringify(toolInput);
+    for (const rule of rules) {
+        // Check tool name pattern if specified
+        if (rule.match.toolName && !rule.match.toolName.test(toolName))
+            continue;
+        // Check input pattern
+        if (rule.match.inputPattern) {
+            const m = rule.match.inputPattern.exec(inputStr);
+            if (m) {
+                return { rule, matchedText: m[0] };
+            }
+        }
+    }
+    return null;
+}
+//# sourceMappingURL=rules.js.map

package/dist/tool-guard/rules.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rules.js","sourceRoot":"","sources":["../../src/tool-guard/rules.ts"],"names":[],"mappings":";;;AAqQA,gCAqBC;AA9QD;;;;;;;;;;GAUG;AACH,MAAM,kBAAkB,GAAG,yCAAyC,CAAC;AAExD,QAAA,aAAa,GAAoB;IAC5C,kCAAkC;IAClC;QACE,EAAE,EAAE,eAAe;QACnB,IAAI,EAAE,4BAA4B;QAClC,WAAW,EAAE,kCAAkC;QAC/C,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,gBAAgB;QAC1B,KAAK,EAAE,EAAE,QAAQ,EAAE,kBAAkB,EAAE,YAAY,EAAE,2FAA2F,EAAE;KACnJ;IACD;QACE,EAAE,EAAE,mBAAmB;QACvB,IAAI,EAAE,gCAAgC;QACtC,WAAW,EAAE,yCAAyC;QACtD,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,gBAAgB;QAC1B,KAAK,EAAE,EAAE,QAAQ,EAAE,kBAAkB,EAAE,YAAY,EAAE,2CAA2C,EAAE;KACnG;IACD;QACE,EAAE,EAAE,cAAc;QAClB,IAAI,EAAE,8BAA8B;QACpC,WAAW,EAAE,6BAA6B;QAC1C,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,gBAAgB;QAC1B,KAAK,EAAE,EAAE,QAAQ,EAAE,kBAAkB,EAAE,YAAY,EAAE,6BAA6B,EAAE;KACrF;IACD;QACE,EAAE,EAAE,SAAS;QACb,IAAI,EAAE,mBAAmB;QACzB,WAAW,EAAE,wBAAwB;QACrC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,gBAAgB;QAC1B,KAAK,EAAE,EAAE,QAAQ,EAAE,kBAAkB,EAAE,YAAY,EAAE,SAAS,EAAE;KACjE;IACD;QACE,EAAE,EAAE,cAAc;QAClB,IAAI,EAAE,oBAAoB;QAC1B,WAAW,EAAE,iCAAiC;QAC9C,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,gBAAgB;QAC1B,KAAK,EAAE,EAAE,QAAQ,EAAE,kBAAkB,EAAE,YAAY,EAAE,wBAAwB,EAAE;KAChF;IAED,kCAAkC;IAClC;QACE,EAAE,EAAE,gBAAgB;QACpB,IAAI,EAAE,oBAAoB;QAC1B,WAAW,EAAE,uDAAuD;QACpE,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,gBAAgB;QAC1B,KAAK,EAAE,EAAE,QAAQ,EAAE,kBAAkB,EAAE,YAAY,EAAE,2DAA2D,EAAE;KACnH;IACD;QACE,EAAE,EAAE,gBAAgB;QACpB,IAAI,EAAE,oBAAoB;QAC1B,WAAW,EAAE,2CAA2C;QACxD,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,gBAAgB;QAC1B,KAAK,EAAE,EAAE,QAAQ,EAAE,kBAAkB,EAAE,YAAY,EAAE,2DAA2D,EAAE;KACnH;IACD;QACE,EAAE,EAAE,WAAW;QACf,IAAI,EAAE,yBAAyB;QAC/B,WAAW,EAAE,2CAA2C;QACxD,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,gBAAgB;QAC1B,KAAK,EAAE,EAAE,QAAQ,EAAE,kBAAkB,EAAE,YAAY,EAAE,cAAc,EAAE;KACtE;IACD;QACE,EAAE,EAAE,yBAAyB;QAC7B,IAAI,EAAE,2BAA2B;QACjC,WAAW,EAAE,6CAA6C;QAC1D,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,gBAAgB;QAC1B,KAAK,EAAE,EAAE,QAAQ,EAAE,kBAAkB,EAAE,YAAY,EAAE,sDAAsD,EAAE;KAC9G;IAED,iCAAiC;IACjC;QACE,EAAE,EAAE,eAAe;QACnB,IAAI,EAAE,gBAAgB;QACtB,WAAW,EAAE,oDAAoD;QACjE,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,mBAAmB;QAC7B,KAAK,EAAE,EAAE,QAAQ,EAAE,kBAAkB,EAAE,YAAY,EAAE,mEAAmE,EAAE;KAC3H;IACD;QACE,EAAE,EAAE,kBAAkB;QACtB,IAAI,EAAE,oBAAoB;QAC1B,WAAW,EAAE,sCAAsC;QACnD,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,mBAAmB;QAC7B,KAAK,EAAE,EAAE,QAAQ,EAAE,kBAAkB,EAAE,YAAY,EAAE,uGAAuG,EAAE;KAC/J;IACD;QACE,EAAE,EAAE,sBAAsB;QAC1B,IAAI,EAAE,wBAAwB;QAC9B,WAAW,EAAE,yCAAyC;QACtD,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,mBAAmB;QAC7B,KAAK,EAAE,EAAE,QAAQ,EAAE,kBAAkB,EAAE,YAAY,EAAE,gGAAgG,EAAE;KACxJ;IACD;QACE,EAAE,EAAE,qBAAqB;QACzB,IAAI,EAAE,kCAAkC;QACxC,WAAW,EAAE,0CAA0C;QACvD,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,mBAAmB;QAC7B,KAAK,EAAE,EAAE,QAAQ,EAAE,kBAAkB,EAAE,YAAY,EAAE,yGAAyG,EAAE;KACjK;IAED,sBAAsB;IACtB;QACE,EAAE,EAAE,oBAAoB;QACxB,IAAI,EAAE,qBAAqB;QAC3B,WAAW,EAAE,oDAAoD;QACjE,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,eAAe;QACzB,KAAK,EAAE,EAAE,QAAQ,EAAE,kBAAkB,EAAE,YAAY,EAAE,yCAAyC,EAAE;KACjG;IACD;QACE,EAAE,EAAE,iBAAiB;QACrB,IAAI,EAAE,yBAAyB;QAC/B,WAAW,EAAE,2DAA2D;QACxE,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,eAAe;QACzB,KAAK,EAAE,EAAE,QAAQ,EAAE,kBAAkB,EAAE,YAAY,EAAE,mEAAmE,EAAE;KAC3H;IAED,wBAAwB;IACxB;QACE,EAAE,EAAE,gBAAgB;QACpB,IAAI,EAAE,gBAAgB;QACtB,WAAW,EAAE,4CAA4C;QACzD,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,iBAAiB;QAC3B,sEAAsE;QACtE,KAAK,EAAE,EAAE,QAAQ,EAAE,kBAAkB,EAAE,YAAY,EAAE,qDAAqD,EAAE;KAC7G;IACD;QACE,EAAE,EAAE,gBAAgB;QACpB,IAAI,EAAE,kBAAkB;QACxB,WAAW,EAAE,yCAAyC;QACtD,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,iBAAiB;QAC3B,KAAK,EAAE,EAAE,QAAQ,EAAE,kBAAkB,EAAE,YAAY,EAAE,uBAAuB,EAAE;KAC/E;IACD;QACE,EAAE,EAAE,iBAAiB;QACrB,IAAI,EAAE,cAAc;QACpB,WAAW,EAAE,gCAAgC;QAC7C,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,iBAAiB;QAC3B,KAAK,EAAE,EAAE,QAAQ,EAAE,kBAAkB,EAAE,YAAY,EAAE,+BAA+B,EAAE;KACvF;IAED,wBAAwB;IACxB;QACE,EAAE,EAAE,iBAAiB;QACrB,IAAI,EAAE,aAAa;QACnB,WAAW,EAAE,oCAAoC;QACjD,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,iBAAiB;QAC3B,KAAK,EAAE,EAAE,QAAQ,EAAE,kBAAkB,EAAE,YAAY,EAAE,gBAAgB,EAAE;KACxE;IACD;QACE,EAAE,EAAE,gBAAgB;QACpB,IAAI,EAAE,kBAAkB;QACxB,WAAW,EAAE,2BAA2B;QACxC,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,iBAAiB;QAC3B,KAAK,EAAE,EAAE,QAAQ,EAAE,kBAAkB,EAAE,YAAY,EAAE,oCAAoC,EAAE;KAC5F;IAED,sBAAsB;IACtB;QACE,EAAE,EAAE,UAAU;QACd,IAAI,EAAE,cAAc;QACpB,WAAW,EAAE,4CAA4C;QACzD,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,eAAe;QACzB,KAAK,EAAE,EAAE,QAAQ,EAAE,kBAAkB,EAAE,YAAY,EAAE,YAAY,EAAE;KACpE;IACD;QACE,EAAE,EAAE,cAAc;QAClB,IAAI,EAAE,uBAAuB;QAC7B,WAAW,EAAE,0BAA0B;QACvC,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,eAAe;QACzB,KAAK,EAAE,EAAE,QAAQ,EAAE,kBAAkB,EAAE,YAAY,EAAE,gBAAgB,EAAE;KACxE;IACD;QACE,EAAE,EAAE,eAAe;QACnB,IAAI,EAAE,2BAA2B;QACjC,WAAW,EAAE,4CAA4C;QACzD,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,eAAe;QACzB,KAAK,EAAE,EAAE,QAAQ,EAAE,kBAAkB,EAAE,YAAY,EAAE,sDAAsD,EAAE;KAC9G;IAED,oBAAoB;IACpB;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,yBAAyB;QAC/B,WAAW,EAAE,+BAA+B;QAC5C,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,aAAa;QACvB,KAAK,EAAE,EAAE,QAAQ,EAAE,kBAAkB,EAAE,YAAY,EAAE,UAAU,EAAE;KAClE;IAED,iCAAiC;IACjC,6EAA6E;IAC7E,4DAA4D;IAC5D;QACE,EAAE,EAAE,WAAW;QACf,IAAI,EAAE,gBAAgB;QACtB,WAAW,EAAE,2CAA2C;QACxD,QAAQ,EAAE,KAAK;QACf,QAAQ,EAAE,oBAAoB;QAC9B,KAAK,EAAE,EAAE,YAAY,EAAE,6CAA6C,EAAE;KACvE;IACD;QACE,EAAE,EAAE,WAAW;QACf,IAAI,EAAE,gBAAgB;QACtB,WAAW,EAAE,sCAAsC;QACnD,QAAQ,EAAE,KAAK;QACf,QAAQ,EAAE,oBAAoB;QAC9B,KAAK,EAAE,EAAE,YAAY,EAAE,6CAA6C,EAAE;KACvE;CACF,CAAC;AAOF,SAAgB,UAAU,CACxB,QAAgB,EAChB,SAA2C,EAC3C,QAAyB,qBAAa;IAEtC,MAAM,QAAQ,GAAG,OAAO,SAAS,KAAK,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;IAEvF,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,uCAAuC;QACvC,IAAI,IAAI,CAAC,KAAK,CAAC,QAAQ,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC;YAAE,SAAS;QAEzE,sBAAsB;QACtB,IAAI,IAAI,CAAC,KAAK,CAAC,YAAY,EAAE,CAAC;YAC5B,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YACjD,IAAI,CAAC,EAAE,CAAC;gBACN,OAAO,EAAE,IAAI,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YACrC,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/tool-guard/streaming-guard.d.ts

@@ -0,0 +1,57 @@
+/**
+ * StreamingToolGuard — intercepts SSE events during streaming responses.
+ *
+ * Text content blocks are forwarded immediately. Tool_use content blocks are
+ * buffered until complete, then evaluated against rules.
+ * Dangerous tool calls are replaced with a text block warning.
+ *
+ * Supports Anthropic, OpenAI Chat Completions, and OpenAI Responses API formats.
+ *
+ * Anthropic:        content_block_start → content_block_delta → content_block_stop (per block)
+ * OpenAI Chat:      choices[].delta.tool_calls[] accumulates until finish_reason appears
+ * OpenAI Responses: response.output_item.added(function_call) → response.function_call_arguments.delta → .done
+ */
+import { type ToolGuardRule, type RuleMatch } from './rules.js';
+export interface StreamingGuardConfig {
+    blockMinSeverity: string;
+    rules?: ToolGuardRule[];
+}
+export interface StreamingGuardResult {
+    toolName: string;
+    ruleMatch: RuleMatch;
+    blocked: boolean;
+}
+export declare class StreamingToolGuard {
+    private config;
+    private rules;
+    private onForward;
+    private buffering;
+    private bufferEvents;
+    private toolName;
+    private toolInput;
+    private toolIndex;
+    private anthropicBlocked;
+    private oaiBuffering;
+    private oaiBufferEvents;
+    private oaiToolCalls;
+    private respBuffering;
+    private respBufferEvents;
+    private respToolName;
+    private respToolArgs;
+    private responsesApiBlocked;
+    results: StreamingGuardResult[];
+    constructor(config: StreamingGuardConfig, onForward: (data: string) => void);
+    /**
+     * Process a single SSE event (raw text including "event:" and "data:" lines + trailing newline).
+     */
+    processEvent(rawEvent: string, parsed: Record<string, unknown> | null): void;
+    /** Evaluate the buffered Anthropic tool_use block and either flush or replace it. */
+    private evaluateAndFlushAnthropic;
+    /** Evaluate all buffered OpenAI tool calls and either flush or replace. */
+    private evaluateAndFlushOpenAI;
+    /** Evaluate buffered OpenAI Responses API tool call and either flush or replace. */
+    private evaluateAndFlushResponses;
+    /** Flush any remaining buffered data (e.g., if stream ended mid-block). */
+    flush(): void;
+}
+//# sourceMappingURL=streaming-guard.d.ts.map

package/dist/tool-guard/streaming-guard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"streaming-guard.d.ts","sourceRoot":"","sources":["../../src/tool-guard/streaming-guard.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAA6B,KAAK,aAAa,EAAE,KAAK,SAAS,EAAE,MAAM,YAAY,CAAC;AAM3F,MAAM,WAAW,oBAAoB;IACnC,gBAAgB,EAAE,MAAM,CAAC;IACzB,KAAK,CAAC,EAAE,aAAa,EAAE,CAAC;CACzB;AAED,MAAM,WAAW,oBAAoB;IACnC,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,SAAS,CAAC;IACrB,OAAO,EAAE,OAAO,CAAC;CAClB;AAED,qBAAa,kBAAkB;IAC7B,OAAO,CAAC,MAAM,CAAuB;IACrC,OAAO,CAAC,KAAK,CAAkB;IAC/B,OAAO,CAAC,SAAS,CAAyB;IAG1C,OAAO,CAAC,SAAS,CAAS;IAC1B,OAAO,CAAC,YAAY,CAAgB;IACpC,OAAO,CAAC,QAAQ,CAAM;IACtB,OAAO,CAAC,SAAS,CAAM;IACvB,OAAO,CAAC,SAAS,CAAM;IACvB,OAAO,CAAC,gBAAgB,CAAS;IAGjC,OAAO,CAAC,YAAY,CAAS;IAC7B,OAAO,CAAC,eAAe,CAAgB;IACvC,OAAO,CAAC,YAAY,CAA0D;IAG9E,OAAO,CAAC,aAAa,CAAS;IAC9B,OAAO,CAAC,gBAAgB,CAAgB;IACxC,OAAO,CAAC,YAAY,CAAM;IAC1B,OAAO,CAAC,YAAY,CAAM;IAC1B,OAAO,CAAC,mBAAmB,CAAS;IAG7B,OAAO,EAAE,oBAAoB,EAAE,CAAM;gBAG1C,MAAM,EAAE,oBAAoB,EAC5B,SAAS,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,IAAI;IAOnC;;OAEG;IACH,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,GAAG,IAAI;IAyM5E,qFAAqF;IACrF,OAAO,CAAC,yBAAyB;IAgDjC,2EAA2E;IAC3E,OAAO,CAAC,sBAAsB;IA4C9B,oFAAoF;IACpF,OAAO,CAAC,yBAAyB;IAwCjC,2EAA2E;IAC3E,KAAK,IAAI,IAAI;CA+Bd"}