@amaster.ai/pi-security 0.1.0

package/dist/index.d.ts

@@ -0,0 +1,158 @@
+import type { JsonObject, RuntimeRequestContext, ToolCallRequest, ToolSource } from '@amaster.ai/pi-shared';
+export type SecurityDecision = {
+    kind: 'allow';
+    reason?: string;
+} | {
+    kind: 'deny';
+    reason: string;
+} | {
+    kind: 'ask';
+    reason: string;
+    prompt?: string;
+};
+export type CapabilityPolicy = {
+    allow?: string[];
+    deny?: string[];
+};
+export type SandboxMode = 'read-only' | 'workspace-write' | 'full-access';
+export type ApprovalMode = 'never' | 'on-failure' | 'on-request' | 'untrusted';
+export type SecurityResourceKind = 'file' | 'shell' | 'network';
+export type SecurityOperation = 'read' | 'write' | 'execute' | 'delete' | 'connect' | 'search';
+export type SecurityScope = 'workspace' | 'home' | 'system' | 'external' | 'unknown';
+export type SecuritySensitivity = 'normal' | 'source' | 'config' | 'secret' | 'credential';
+export type RiskLevel = 'low' | 'medium' | 'high' | 'critical';
+export type SecurityResource = {
+    kind: SecurityResourceKind;
+    operation: SecurityOperation;
+    target?: string;
+    scope: SecurityScope;
+    sensitivity: SecuritySensitivity;
+};
+export type RiskAssessment = {
+    level: RiskLevel;
+    reasons: string[];
+};
+export type SecurityRule = {
+    id: string;
+    priority?: number;
+    tools?: string[];
+    sources?: ToolSource[];
+    triggers?: Array<RuntimeRequestContext['trigger']>;
+    senderTrusts?: Array<RuntimeRequestContext['senderTrust']>;
+    args?: Record<string, string>;
+    argsRegex?: Record<string, string>;
+    resources?: SecurityResourceKind[];
+    operations?: SecurityOperation[];
+    scopes?: SecurityScope[];
+    sensitivity?: SecuritySensitivity[];
+    risk?: RiskLevel[];
+    decision: SecurityDecision;
+};
+export type SecurityPolicyEngineOptions = {
+    rules?: SecurityRule[];
+    defaultDecision?: SecurityDecision;
+};
+export type SecurityProfileConfig = {
+    extends?: string;
+    sandbox?: SandboxMode;
+    approval?: ApprovalMode;
+    rules?: SecurityRule[];
+    defaultDecision?: SecurityDecision;
+};
+export type SecurityConfig = {
+    defaultProfile?: string;
+    profiles?: Record<string, SecurityProfileConfig>;
+};
+export type SecurityEvaluationContext = {
+    request: RuntimeRequestContext;
+    toolCall: ToolCallRequest;
+    workspaceDir?: string;
+    resources: SecurityResource[];
+    risk: RiskAssessment;
+};
+export type SecurityEvaluationResult = {
+    evaluationId: string;
+    decision: SecurityDecision;
+    resources: SecurityResource[];
+    risk: RiskAssessment;
+    matchedRuleIds: string[];
+};
+export type SecurityAuditEvent = SecurityEvaluationResult & {
+    sessionId: string;
+    conversationId: string;
+    traceId?: string;
+    toolCallId: string;
+    toolName: string;
+    createdAt: string;
+    approvalId?: string;
+};
+export type SecurityApprovalRequest = {
+    request: RuntimeRequestContext;
+    toolCall: ToolCallRequest;
+    decision: Extract<SecurityDecision, {
+        kind: 'ask';
+    }>;
+    evaluation: SecurityEvaluationResult;
+};
+export type SecurityApprovalHandler = (input: SecurityApprovalRequest) => Promise<SecurityDecision>;
+export type SecurityAuditSink = (event: SecurityAuditEvent) => void | Promise<void>;
+export type SecurityGateAuthorizeInput = {
+    request: RuntimeRequestContext;
+    toolCall: ToolCallRequest;
+    workspaceDir?: string;
+};
+export type SecurityGateOptions = {
+    profile: string;
+    config?: SecurityConfig;
+    filePolicies?: Record<string, SecurityProfileConfig>;
+    engine?: SecurityPolicyEngine;
+    approvalHandler?: SecurityApprovalHandler;
+    auditSink?: SecurityAuditSink;
+};
+export declare class SecurityPolicyEngine {
+    private readonly entries;
+    private readonly defaultDecision;
+    constructor(options?: SecurityPolicyEngineOptions);
+    decide(input: {
+        request: RuntimeRequestContext;
+        toolCall: ToolCallRequest;
+        workspaceDir?: string;
+    }): SecurityDecision;
+    evaluate(input: {
+        request: RuntimeRequestContext;
+        toolCall: ToolCallRequest;
+        workspaceDir?: string;
+    }): SecurityEvaluationResult;
+}
+export declare class SecurityGate {
+    private readonly engine;
+    private readonly approvalHandler;
+    private readonly auditSink;
+    constructor(options: SecurityGateOptions);
+    authorize(input: SecurityGateAuthorizeInput): Promise<SecurityEvaluationResult>;
+    private resolveDecision;
+    private audit;
+}
+export declare function createSecurityGate(options: SecurityGateOptions): SecurityGate;
+export declare function assertSecurityAllowed(input: {
+    request: RuntimeRequestContext;
+    securityGate: SecurityGate;
+    toolCall: ToolCallRequest;
+    workspaceDir?: string;
+}): Promise<SecurityEvaluationResult>;
+export declare function assertSecurityDecisionAllowed(decision: SecurityDecision): void;
+export declare function resolveCapabilityPolicy(profile: string, config?: SecurityConfig, filePolicies?: Record<string, SecurityProfileConfig>): CapabilityPolicy;
+export declare function isCapabilityExposed(toolName: string, policy: CapabilityPolicy): boolean;
+export declare function createSecurityPolicyEngineForProfile(profile: string, config?: SecurityConfig, filePolicies?: Record<string, SecurityProfileConfig>): SecurityPolicyEngine;
+export declare function classifySecurityResources(input: {
+    request: RuntimeRequestContext;
+    toolCall: ToolCallRequest;
+    workspaceDir?: string;
+}): SecurityResource[];
+export declare function assessRisk(input: {
+    toolCall: ToolCallRequest;
+    resources: SecurityResource[];
+}): RiskAssessment;
+export declare function securityEvaluationDetails(evaluation: SecurityEvaluationResult): JsonObject;
+export { default } from './extension.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EACV,UAAU,EACV,qBAAqB,EACrB,eAAe,EACf,UAAU,EACX,MAAM,uBAAuB,CAAC;AAE/B,MAAM,MAAM,gBAAgB,GACxB;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,GAClC;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,GAChC;IAAE,IAAI,EAAE,KAAK,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC;IAAC,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC;AAErD,MAAM,MAAM,gBAAgB,GAAG;IAC7B,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;CACjB,CAAC;AAEF,MAAM,MAAM,WAAW,GAAG,WAAW,GAAG,iBAAiB,GAAG,aAAa,CAAC;AAC1E,MAAM,MAAM,YAAY,GAAG,OAAO,GAAG,YAAY,GAAG,YAAY,GAAG,WAAW,CAAC;AAE/E,MAAM,MAAM,oBAAoB,GAAG,MAAM,GAAG,OAAO,GAAG,SAAS,CAAC;AAChE,MAAM,MAAM,iBAAiB,GAAG,MAAM,GAAG,OAAO,GAAG,SAAS,GAAG,QAAQ,GAAG,SAAS,GAAG,QAAQ,CAAC;AAC/F,MAAM,MAAM,aAAa,GAAG,WAAW,GAAG,MAAM,GAAG,QAAQ,GAAG,UAAU,GAAG,SAAS,CAAC;AACrF,MAAM,MAAM,mBAAmB,GAAG,QAAQ,GAAG,QAAQ,GAAG,QAAQ,GAAG,QAAQ,GAAG,YAAY,CAAC;AAC3F,MAAM,MAAM,SAAS,GAAG,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,UAAU,CAAC;AAE/D,MAAM,MAAM,gBAAgB,GAAG;IAC7B,IAAI,EAAE,oBAAoB,CAAC;IAC3B,SAAS,EAAE,iBAAiB,CAAC;IAC7B,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,aAAa,CAAC;IACrB,WAAW,EAAE,mBAAmB,CAAC;CAClC,CAAC;AAEF,MAAM,MAAM,cAAc,GAAG;IAC3B,KAAK,EAAE,SAAS,CAAC;IACjB,OAAO,EAAE,MAAM,EAAE,CAAC;CACnB,CAAC;AAEF,MAAM,MAAM,YAAY,GAAG;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,OAAO,CAAC,EAAE,UAAU,EAAE,CAAC;IACvB,QAAQ,CAAC,EAAE,KAAK,CAAC,qBAAqB,CAAC,SAAS,CAAC,CAAC,CAAC;IACnD,YAAY,CAAC,EAAE,KAAK,CAAC,qBAAqB,CAAC,aAAa,CAAC,CAAC,CAAC;IAC3D,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC9B,SAAS,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnC,SAAS,CAAC,EAAE,oBAAoB,EAAE,CAAC;IACnC,UAAU,CAAC,EAAE,iBAAiB,EAAE,CAAC;IACjC,MAAM,CAAC,EAAE,aAAa,EAAE,CAAC;IACzB,WAAW,CAAC,EAAE,mBAAmB,EAAE,CAAC;IACpC,IAAI,CAAC,EAAE,SAAS,EAAE,CAAC;IACnB,QAAQ,EAAE,gBAAgB,CAAC;CAC5B,CAAC;AAEF,MAAM,MAAM,2BAA2B,GAAG;IACxC,KAAK,CAAC,EAAE,YAAY,EAAE,CAAC;IACvB,eAAe,CAAC,EAAE,gBAAgB,CAAC;CACpC,CAAC;AAEF,MAAM,MAAM,qBAAqB,GAAG;IAClC,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,WAAW,CAAC;IACtB,QAAQ,CAAC,EAAE,YAAY,CAAC;IACxB,KAAK,CAAC,EAAE,YAAY,EAAE,CAAC;IACvB,eAAe,CAAC,EAAE,gBAAgB,CAAC;CACpC,CAAC;AAEF,MAAM,MAAM,cAAc,GAAG;IAC3B,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,qBAAqB,CAAC,CAAC;CAClD,CAAC;AAEF,MAAM,MAAM,yBAAyB,GAAG;IACtC,OAAO,EAAE,qBAAqB,CAAC;IAC/B,QAAQ,EAAE,eAAe,CAAC;IAC1B,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,SAAS,EAAE,gBAAgB,EAAE,CAAC;IAC9B,IAAI,EAAE,cAAc,CAAC;CACtB,CAAC;AAEF,MAAM,MAAM,wBAAwB,GAAG;IACrC,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,gBAAgB,CAAC;IAC3B,SAAS,EAAE,gBAAgB,EAAE,CAAC;IAC9B,IAAI,EAAE,cAAc,CAAC;IACrB,cAAc,EAAE,MAAM,EAAE,CAAC;CAC1B,CAAC;AAEF,MAAM,MAAM,kBAAkB,GAAG,wBAAwB,GAAG;IAC1D,SAAS,EAAE,MAAM,CAAC;IAClB,cAAc,EAAE,MAAM,CAAC;IACvB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,CAAC;AAEF,MAAM,MAAM,uBAAuB,GAAG;IACpC,OAAO,EAAE,qBAAqB,CAAC;IAC/B,QAAQ,EAAE,eAAe,CAAC;IAC1B,QAAQ,EAAE,OAAO,CAAC,gBAAgB,EAAE;QAAE,IAAI,EAAE,KAAK,CAAA;KAAE,CAAC,CAAC;IACrD,UAAU,EAAE,wBAAwB,CAAC;CACtC,CAAC;AAEF,MAAM,MAAM,uBAAuB,GAAG,CAAC,KAAK,EAAE,uBAAuB,KAAK,OAAO,CAAC,gBAAgB,CAAC,CAAC;AACpG,MAAM,MAAM,iBAAiB,GAAG,CAAC,KAAK,EAAE,kBAAkB,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;AAEpF,MAAM,MAAM,0BAA0B,GAAG;IACvC,OAAO,EAAE,qBAAqB,CAAC;IAC/B,QAAQ,EAAE,eAAe,CAAC;IAC1B,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB,CAAC;AAEF,MAAM,MAAM,mBAAmB,GAAG;IAChC,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,cAAc,CAAC;IACxB,YAAY,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,qBAAqB,CAAC,CAAC;IACrD,MAAM,CAAC,EAAE,oBAAoB,CAAC;IAC9B,eAAe,CAAC,EAAE,uBAAuB,CAAC;IAC1C,SAAS,CAAC,EAAE,iBAAiB,CAAC;CAC/B,CAAC;AAwFF,qBAAa,oBAAoB;IAC/B,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAiB;IACzC,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAmB;gBAEvC,OAAO,GAAE,2BAAgC;IAKrD,MAAM,CAAC,KAAK,EAAE;QACZ,OAAO,EAAE,qBAAqB,CAAC;QAC/B,QAAQ,EAAE,eAAe,CAAC;QAC1B,YAAY,CAAC,EAAE,MAAM,CAAC;KACvB,GAAG,gBAAgB;IAIpB,QAAQ,CAAC,KAAK,EAAE;QACd,OAAO,EAAE,qBAAqB,CAAC;QAC/B,QAAQ,EAAE,eAAe,CAAC;QAC1B,YAAY,CAAC,EAAE,MAAM,CAAC;KACvB,GAAG,wBAAwB;CAyB7B;AAED,qBAAa,YAAY;IACvB,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAuB;IAC9C,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAsC;IACtE,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAgC;gBAE9C,OAAO,EAAE,mBAAmB;IAQlC,SAAS,CAAC,KAAK,EAAE,0BAA0B,GAAG,OAAO,CAAC,wBAAwB,CAAC;YAQvE,eAAe;YAmBf,KAAK;CAiBpB;AAED,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,mBAAmB,GAAG,YAAY,CAE7E;AAED,wBAAsB,qBAAqB,CAAC,KAAK,EAAE;IACjD,OAAO,EAAE,qBAAqB,CAAC;IAC/B,YAAY,EAAE,YAAY,CAAC;IAC3B,QAAQ,EAAE,eAAe,CAAC;IAC1B,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB,GAAG,OAAO,CAAC,wBAAwB,CAAC,CAQpC;AAED,wBAAgB,6BAA6B,CAAC,QAAQ,EAAE,gBAAgB,GAAG,IAAI,CAS9E;AAED,wBAAgB,uBAAuB,CACrC,OAAO,EAAE,MAAM,EACf,MAAM,GAAE,cAAmB,EAC3B,YAAY,GAAE,MAAM,CAAC,MAAM,EAAE,qBAAqB,CAAM,GACvD,gBAAgB,CAElB;AAED,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,gBAAgB,GAAG,OAAO,CASvF;AAED,wBAAgB,oCAAoC,CAClD,OAAO,EAAE,MAAM,EACf,MAAM,GAAE,cAAmB,EAC3B,YAAY,GAAE,MAAM,CAAC,MAAM,EAAE,qBAAqB,CAAM,GACvD,oBAAoB,CAwBtB;AAED,wBAAgB,yBAAyB,CAAC,KAAK,EAAE;IAC/C,OAAO,EAAE,qBAAqB,CAAC;IAC/B,QAAQ,EAAE,eAAe,CAAC;IAC1B,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB,GAAG,gBAAgB,EAAE,CAmDrB;AAED,wBAAgB,UAAU,CAAC,KAAK,EAAE;IAChC,QAAQ,EAAE,eAAe,CAAC;IAC1B,SAAS,EAAE,gBAAgB,EAAE,CAAC;CAC/B,GAAG,cAAc,CA6CjB;AAED,wBAAgB,yBAAyB,CAAC,UAAU,EAAE,wBAAwB,GAAG,UAAU,CAc1F;AAiQD,OAAO,EAAE,OAAO,EAAE,MAAM,gBAAgB,CAAC"}

package/dist/index.js

@@ -0,0 +1,517 @@
+import { randomUUID } from 'node:crypto';
+import path from 'node:path';
+const DEFAULT_DECISION = {
+    kind: 'ask',
+    reason: 'No security rule matched this tool call.',
+};
+const SANDBOX_CAPABILITIES = {
+    'read-only': {
+        allow: ['read', 'ls', 'find', 'grep'],
+        deny: ['write', 'edit', 'bash'],
+    },
+    'workspace-write': {
+        allow: ['read', 'ls', 'find', 'grep', 'write', 'edit', 'bash'],
+        deny: [],
+    },
+    'full-access': { allow: ['*'] },
+};
+const BUILTIN_PROFILES = {
+    'read-only': { sandbox: 'read-only', approval: 'never' },
+    default: { sandbox: 'workspace-write', approval: 'on-request' },
+    auto: { sandbox: 'workspace-write', approval: 'on-failure' },
+    'full-access': { sandbox: 'full-access', approval: 'never' },
+};
+const DEFAULT_BUILTIN_PROFILE = BUILTIN_PROFILES.default;
+const DENY_SECRETS_RULE = {
+    id: 'deny-secrets',
+    priority: 600,
+    sensitivity: ['secret', 'credential'],
+    decision: { kind: 'deny', reason: 'Secret or credential resources are protected.' },
+};
+const BASELINE_SECURITY_RULES = [DENY_SECRETS_RULE];
+const ASK_WORKSPACE_WRITE_RULE = {
+    id: 'ask-workspace-write',
+    priority: 260,
+    resources: ['file'],
+    operations: ['write', 'delete'],
+    scopes: ['workspace'],
+    decision: {
+        kind: 'ask',
+        reason: 'Workspace file modifications require approval.',
+        prompt: 'Approve this file modification?',
+    },
+};
+const ASK_HIGH_RISK_RULES = [
+    {
+        id: 'ask-critical-risk',
+        priority: 500,
+        risk: ['critical'],
+        decision: { kind: 'ask', reason: 'Critical risk operation requires approval.' },
+    },
+    {
+        id: 'ask-high-risk',
+        priority: 420,
+        risk: ['high'],
+        decision: { kind: 'ask', reason: 'High risk operation requires approval.' },
+    },
+];
+function builtinRulesForApproval(approval) {
+    switch (approval) {
+        case 'never':
+            return [...BASELINE_SECURITY_RULES];
+        case 'on-failure':
+            return [...BASELINE_SECURITY_RULES, ...ASK_HIGH_RISK_RULES];
+        case 'on-request':
+            return [...BASELINE_SECURITY_RULES, ASK_WORKSPACE_WRITE_RULE];
+        case 'untrusted':
+            return [...BASELINE_SECURITY_RULES, ...ASK_HIGH_RISK_RULES, ASK_WORKSPACE_WRITE_RULE];
+    }
+}
+function defaultDecisionForApproval(approval) {
+    if (approval === 'untrusted') {
+        return { kind: 'ask', reason: 'Untrusted profile requires approval for unknown tool calls.' };
+    }
+    return { kind: 'allow' };
+}
+export class SecurityPolicyEngine {
+    entries;
+    defaultDecision;
+    constructor(options = {}) {
+        this.entries = [...(options.rules ?? [])].sort((a, b) => (b.priority ?? 0) - (a.priority ?? 0));
+        this.defaultDecision = options.defaultDecision ?? DEFAULT_DECISION;
+    }
+    decide(input) {
+        return this.evaluate(input).decision;
+    }
+    evaluate(input) {
+        const resources = classifySecurityResources(input);
+        const risk = assessRisk({ ...input, resources });
+        const context = { ...input, resources, risk };
+        const matchedRuleIds = [];
+        for (const entry of this.entries) {
+            if (matchesSecurityRule(entry, context)) {
+                matchedRuleIds.push(entry.id);
+                return {
+                    evaluationId: randomUUID(),
+                    decision: normalizeForInteraction(entry.decision, input.request.interactive),
+                    resources,
+                    risk,
+                    matchedRuleIds,
+                };
+            }
+        }
+        return {
+            evaluationId: randomUUID(),
+            decision: normalizeForInteraction(this.defaultDecision, input.request.interactive),
+            resources,
+            risk,
+            matchedRuleIds,
+        };
+    }
+}
+export class SecurityGate {
+    engine;
+    approvalHandler;
+    auditSink;
+    constructor(options) {
+        this.engine =
+            options.engine ??
+                createSecurityPolicyEngineForProfile(options.profile, options.config, options.filePolicies);
+        this.approvalHandler = options.approvalHandler;
+        this.auditSink = options.auditSink;
+    }
+    async authorize(input) {
+        const initial = this.engine.evaluate(input);
+        const decision = await this.resolveDecision(input, initial);
+        const evaluation = { ...initial, decision };
+        await this.audit(input, evaluation);
+        return evaluation;
+    }
+    async resolveDecision(input, evaluation) {
+        if (evaluation.decision.kind !== 'ask') {
+            return evaluation.decision;
+        }
+        if (!this.approvalHandler) {
+            return evaluation.decision;
+        }
+        const resolved = await this.approvalHandler({
+            request: input.request,
+            toolCall: input.toolCall,
+            decision: evaluation.decision,
+            evaluation,
+        });
+        return resolved;
+    }
+    async audit(input, evaluation) {
+        if (!this.auditSink) {
+            return;
+        }
+        await this.auditSink({
+            ...evaluation,
+            sessionId: input.request.sessionId,
+            conversationId: input.request.conversationId,
+            ...(input.request.traceId ? { traceId: input.request.traceId } : {}),
+            toolCallId: input.toolCall.id,
+            toolName: input.toolCall.name,
+            createdAt: new Date().toISOString(),
+        });
+    }
+}
+export function createSecurityGate(options) {
+    return new SecurityGate(options);
+}
+export async function assertSecurityAllowed(input) {
+    const evaluation = await input.securityGate.authorize({
+        request: input.request,
+        toolCall: input.toolCall,
+        ...(input.workspaceDir ? { workspaceDir: input.workspaceDir } : {}),
+    });
+    assertSecurityDecisionAllowed(evaluation.decision);
+    return evaluation;
+}
+export function assertSecurityDecisionAllowed(decision) {
+    switch (decision.kind) {
+        case 'allow':
+            return;
+        case 'ask':
+            throw new Error(`Tool call requires approval: ${decision.reason}`);
+        case 'deny':
+            throw new Error(`Tool call denied by security policy: ${decision.reason}`);
+    }
+}
+export function resolveCapabilityPolicy(profile, config = {}, filePolicies = {}) {
+    return resolveSecurityProfile(profile, config, [], filePolicies).capabilities;
+}
+export function isCapabilityExposed(toolName, policy) {
+    const normalized = normalizePatternValue(toolName);
+    if (policy.deny?.some((entry) => matchesPattern(normalized, entry))) {
+        return false;
+    }
+    if (!policy.allow?.length) {
+        return false;
+    }
+    return policy.allow.some((entry) => matchesPattern(normalized, entry));
+}
+export function createSecurityPolicyEngineForProfile(profile, config = {}, filePolicies = {}) {
+    const resolvedProfile = resolveSecurityProfile(profile, config, [], filePolicies);
+    const denyCapabilityRules = resolvedProfile.capabilities.deny?.map((toolName) => ({
+        id: `deny-capability-${profile}-${toolName}`,
+        priority: 110,
+        tools: [toolName],
+        decision: {
+            kind: 'deny',
+            reason: `Tool '${toolName}' is denied by sandbox '${resolvedProfile.sandbox}'.`,
+        },
+    })) ?? [];
+    const allowCapabilityRules = resolvedProfile.capabilities.allow?.map((toolName) => ({
+        id: `allow-capability-${profile}-${toolName}`,
+        priority: 100,
+        tools: [toolName],
+        decision: { kind: 'allow' },
+    })) ?? [];
+    return new SecurityPolicyEngine({
+        rules: resolvedProfile.rules.concat(denyCapabilityRules).concat(allowCapabilityRules),
+        defaultDecision: resolvedProfile.defaultDecision ?? defaultDecisionForApproval(resolvedProfile.approval),
+    });
+}
+export function classifySecurityResources(input) {
+    const { toolCall } = input;
+    if (toolCall.name === 'read') {
+        return [fileResource('read', stringArg(toolCall.args, 'path'), input.workspaceDir)];
+    }
+    if (toolCall.name === 'ls') {
+        return [fileResource('read', stringArg(toolCall.args, 'path'), input.workspaceDir)];
+    }
+    if (toolCall.name === 'find' || toolCall.name === 'grep') {
+        return [
+            fileResource('search', stringArg(toolCall.args, 'path') ?? stringArg(toolCall.args, 'cwd'), input.workspaceDir),
+        ];
+    }
+    if (toolCall.name === 'write' || toolCall.name === 'edit') {
+        return [fileResource('write', stringArg(toolCall.args, 'path'), input.workspaceDir)];
+    }
+    if (toolCall.name === 'bash') {
+        const command = stringArg(toolCall.args, 'command') ?? toolCall.name;
+        const resources = [
+            {
+                kind: 'shell',
+                operation: 'execute',
+                target: command,
+                scope: fileScope(stringArg(toolCall.args, 'cwd'), input.workspaceDir),
+                sensitivity: 'normal',
+            },
+        ];
+        if (/https?:\/\/|(^|\s)(curl|wget|ssh|scp|rsync)\b/i.test(command)) {
+            resources.push({
+                kind: 'network',
+                operation: 'connect',
+                target: command,
+                scope: 'external',
+                sensitivity: 'normal',
+            });
+        }
+        return resources;
+    }
+    return [
+        {
+            kind: 'shell',
+            operation: 'execute',
+            target: toolCall.name,
+            scope: 'unknown',
+            sensitivity: 'normal',
+        },
+    ];
+}
+export function assessRisk(input) {
+    const reasons = [];
+    let level = 'low';
+    const raise = (next, reason) => {
+        if (riskRank(next) > riskRank(level)) {
+            level = next;
+        }
+        reasons.push(reason);
+    };
+    for (const resource of input.resources) {
+        if (resource.sensitivity === 'secret' || resource.sensitivity === 'credential') {
+            raise('critical', `Sensitive ${resource.sensitivity} resource`);
+        }
+        if (resource.kind === 'file' && resource.operation === 'write') {
+            raise(resource.scope === 'workspace' ? 'medium' : 'high', `File write in ${resource.scope} scope`);
+        }
+        if (resource.kind === 'shell') {
+            raise('medium', 'Shell/code execution');
+            const command = resource.target ?? '';
+            if (/\brm\s+-rf\b|:\(\)\s*\{|\bmkfs\b|\bdd\s+if=|\bshutdown\b|\breboot\b/i.test(command)) {
+                raise('critical', 'Destructive shell command');
+            }
+            if (/\bsudo\b|\bchmod\b|\bchown\b|\bkill(all)?\b|\blaunchctl\b/i.test(command)) {
+                raise('high', 'Privileged or permission-changing shell command');
+            }
+            if (/\b(npm|pnpm|yarn|pip|brew|apt|apt-get)\s+(install|add|upgrade|update)\b/i.test(command)) {
+                raise('high', 'Dependency or package manager mutation');
+            }
+            if (/curl\b.*\|\s*(sh|bash)|wget\b.*\|\s*(sh|bash)/i.test(command)) {
+                raise('critical', 'Remote script execution');
+            }
+        }
+        if (resource.kind === 'network') {
+            raise('high', 'External network access');
+        }
+    }
+    return {
+        level,
+        reasons: reasons.length ? [...new Set(reasons)] : ['Low risk read-only operation'],
+    };
+}
+export function securityEvaluationDetails(evaluation) {
+    return {
+        decision: evaluation.decision.kind,
+        risk: evaluation.risk.level,
+        riskReasons: evaluation.risk.reasons,
+        matchedRules: evaluation.matchedRuleIds,
+        resources: evaluation.resources.map((resource) => ({
+            kind: resource.kind,
+            operation: resource.operation,
+            scope: resource.scope,
+            sensitivity: resource.sensitivity,
+            ...(resource.target ? { target: summarizeTarget(resource.target) } : {}),
+        })),
+    };
+}
+function resolvedFromBuiltin(name) {
+    const builtin = BUILTIN_PROFILES[name] ?? DEFAULT_BUILTIN_PROFILE;
+    return {
+        sandbox: builtin.sandbox,
+        approval: builtin.approval,
+        capabilities: SANDBOX_CAPABILITIES[builtin.sandbox],
+        rules: builtinRulesForApproval(builtin.approval),
+    };
+}
+function resolveSecurityProfile(profile, config, seen = [], filePolicies = {}) {
+    const normalizedProfile = profile.trim();
+    if (seen.includes(normalizedProfile)) {
+        return resolvedFromBuiltin('default');
+    }
+    const configured = filePolicies[normalizedProfile] ?? config.profiles?.[normalizedProfile];
+    const parent = configured?.extends
+        ? resolveSecurityProfile(configured.extends, config, seen.concat(normalizedProfile), filePolicies)
+        : resolvedFromBuiltin(normalizedProfile);
+    if (!configured) {
+        return parent;
+    }
+    const sandbox = configured.sandbox ?? parent.sandbox;
+    const approval = configured.approval ?? parent.approval;
+    const sandboxChanged = configured.sandbox !== undefined && configured.sandbox !== parent.sandbox;
+    const approvalChanged = configured.approval !== undefined && configured.approval !== parent.approval;
+    const inheritedDefault = configured.defaultDecision ?? parent.defaultDecision;
+    return {
+        sandbox,
+        approval,
+        capabilities: sandboxChanged ? SANDBOX_CAPABILITIES[sandbox] : parent.capabilities,
+        rules: (approvalChanged ? builtinRulesForApproval(approval) : parent.rules).concat(normalizeConfiguredRules(configured.rules)),
+        ...(inheritedDefault ? { defaultDecision: inheritedDefault } : {}),
+    };
+}
+function normalizeConfiguredRules(rules) {
+    return (rules ?? []).map((rule) => ({
+        ...rule,
+        priority: rule.priority ?? 300,
+    }));
+}
+function matchesSecurityRule(rule, context) {
+    if (rule.tools?.length &&
+        !rule.tools.some((tool) => matchesPattern(context.toolCall.name, tool))) {
+        return false;
+    }
+    if (rule.sources?.length && !rule.sources.includes(context.toolCall.source)) {
+        return false;
+    }
+    if (rule.triggers?.length && !rule.triggers.includes(context.request.trigger)) {
+        return false;
+    }
+    if (rule.senderTrusts?.length && !rule.senderTrusts.includes(context.request.senderTrust)) {
+        return false;
+    }
+    if (rule.args && !matchesArgs(rule.args, context.toolCall.args)) {
+        return false;
+    }
+    if (rule.argsRegex && !matchesArgsRegex(rule.argsRegex, context.toolCall.args)) {
+        return false;
+    }
+    if (rule.risk?.length && !rule.risk.includes(context.risk.level)) {
+        return false;
+    }
+    if (hasResourceCriteria(rule) &&
+        !context.resources.some((resource) => matchesResourceCriteria(rule, resource))) {
+        return false;
+    }
+    return true;
+}
+function hasResourceCriteria(rule) {
+    return Boolean(rule.resources?.length ||
+        rule.operations?.length ||
+        rule.scopes?.length ||
+        rule.sensitivity?.length);
+}
+function matchesResourceCriteria(rule, resource) {
+    if (rule.resources?.length && !rule.resources.includes(resource.kind)) {
+        return false;
+    }
+    if (rule.operations?.length && !rule.operations.includes(resource.operation)) {
+        return false;
+    }
+    if (rule.scopes?.length && !rule.scopes.includes(resource.scope)) {
+        return false;
+    }
+    if (rule.sensitivity?.length && !rule.sensitivity.includes(resource.sensitivity)) {
+        return false;
+    }
+    return true;
+}
+function normalizeForInteraction(decision, interactive) {
+    if (decision.kind === 'ask' && !interactive) {
+        return {
+            kind: 'deny',
+            reason: `Security policy requires approval but the context is non-interactive: ${decision.reason}`,
+        };
+    }
+    return decision;
+}
+function fileResource(operation, value, workspaceDir) {
+    return {
+        kind: 'file',
+        operation,
+        ...(value ? { target: value } : {}),
+        scope: fileScope(value, workspaceDir),
+        sensitivity: classifyPathSensitivity(value),
+    };
+}
+function fileScope(value, workspaceDir) {
+    if (!value) {
+        return 'unknown';
+    }
+    if (!path.isAbsolute(value)) {
+        return 'workspace';
+    }
+    const normalized = path.resolve(value);
+    if (workspaceDir && pathInside(normalized, path.resolve(workspaceDir))) {
+        return 'workspace';
+    }
+    const home = process.env.HOME;
+    if (home && pathInside(normalized, path.resolve(home))) {
+        return 'home';
+    }
+    return 'system';
+}
+function pathInside(value, parent) {
+    const relative = path.relative(parent, value);
+    return relative === '' || (!relative.startsWith('..') && !path.isAbsolute(relative));
+}
+function classifyPathSensitivity(value) {
+    const lower = value?.toLowerCase() ?? '';
+    if (!lower) {
+        return 'normal';
+    }
+    if (/(^|\/)\.ssh(\/|$)|id_rsa|id_ed25519|private[_-]?key|credential|password|token|secret|\.pem$|\.key$/i.test(lower)) {
+        return 'credential';
+    }
+    if (/(^|\/)\.env(\.|$)|(^|\/)\.npmrc$|(^|\/)\.pypirc$|(^|\/)secrets?(\/|$)/i.test(lower)) {
+        return 'secret';
+    }
+    if (/(^|\/)(package\.json|pnpm-lock\.yaml|package-lock\.json|yarn\.lock|tsconfig\.json|dockerfile|docker-compose\.ya?ml)$/i.test(lower)) {
+        return 'config';
+    }
+    if (/\.(ts|tsx|js|jsx|py|go|rs|java|kt|swift|c|cc|cpp|h|hpp|css|html|md)$/i.test(lower)) {
+        return 'source';
+    }
+    return 'normal';
+}
+function matchesArgs(patterns, args) {
+    for (const [key, expected] of Object.entries(patterns)) {
+        const actual = args[key];
+        if (typeof actual !== 'string' || !matchesPattern(actual, expected)) {
+            return false;
+        }
+    }
+    return true;
+}
+function matchesArgsRegex(patterns, args) {
+    for (const [key, pattern] of Object.entries(patterns)) {
+        const actual = args[key];
+        if (typeof actual !== 'string' || !new RegExp(pattern).test(actual)) {
+            return false;
+        }
+    }
+    return true;
+}
+function matchesPattern(value, pattern) {
+    const normalizedValue = normalizePatternValue(value);
+    const normalizedPattern = normalizePatternValue(pattern);
+    if (normalizedPattern === '*') {
+        return true;
+    }
+    if (normalizedPattern.endsWith(':*')) {
+        return normalizedValue.startsWith(normalizedPattern.slice(0, -1));
+    }
+    if (normalizedPattern.endsWith('*')) {
+        return normalizedValue.startsWith(normalizedPattern.slice(0, -1));
+    }
+    return normalizedValue === normalizedPattern;
+}
+function normalizePatternValue(value) {
+    return value.trim().toLowerCase();
+}
+function stringArg(args, key) {
+    const value = args[key];
+    return typeof value === 'string' ? value : undefined;
+}
+function riskRank(level) {
+    return { low: 1, medium: 2, high: 3, critical: 4 }[level];
+}
+function summarizeTarget(value) {
+    return value.length > 200
+        ? `${value.slice(0, 200)}...[${value.length - 200} chars truncated]`
+        : value;
+}
+export { default } from './extension.js';
+//# sourceMappingURL=index.js.map