npm - @dcyfr/ai - Versions diffs - 2.1.3 → 3.0.0 - Mend

@dcyfr/ai 2.1.3 → 3.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (468) hide show

package/dist/ai/src/plugins/incidents/index.js ADDED Viewed

@@ -0,0 +1,7 @@
+/**
+ * Plugin Incident Response — Barrel Export
+ * @module plugins/incidents
+ */
+export { IncidentResponseManager, IncidentError } from './incident-response-manager.js';
+export { DEFAULT_SLA, PLUGIN_INCIDENTS_SCHEMA_SQL } from './types.js';
+//# sourceMappingURL=index.js.map

package/dist/ai/src/plugins/incidents/index.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../../packages/ai/src/plugins/incidents/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,uBAAuB,EAAE,aAAa,EAAE,MAAM,gCAAgC,CAAC;AAmBxF,OAAO,EAAE,WAAW,EAAE,2BAA2B,EAAE,MAAM,YAAY,CAAC"}

package/dist/ai/src/plugins/incidents/types.d.ts ADDED Viewed

@@ -0,0 +1,183 @@
+/**
+ * Plugin Incident Response SLA — Type Definitions
+ *
+ * Central type registry for the incident response system.
+ * Includes SQL DDL for persisting incidents to a relational store.
+ *
+ * SLA timers (measured from `createdAt`):
+ *   critical (CVSS ≥9.0) — 24 hours
+ *   high     (CVSS 7.0–8.9) — 48 hours
+ *   medium   (CVSS 4.0–6.9) — 7 days
+ *   low      (CVSS 0.1–3.9) — 30 days
+ *
+ * @module plugins/incidents/types
+ * @version 1.0.0
+ * @date 2026-02-28
+ * @license MIT
+ */
+/** Severity aligned with CVSS v3.1 qualitative scale */
+export type IncidentSeverity = 'critical' | 'high' | 'medium' | 'low' | 'informational';
+/** Lifecycle status of a plugin security incident */
+export type IncidentStatus = 'open' | 'acknowledged' | 'in_progress' | 'resolved' | 'closed' | 'sla_breached';
+/** SLA response deadlines in milliseconds per severity */
+export interface SlaConfig {
+    /** Max ms to resolve a critical incident (default 24h) */
+    criticalMs: number;
+    /** Max ms to resolve a high incident (default 48h) */
+    highMs: number;
+    /** Max ms to resolve a medium incident (default 7d) */
+    mediumMs: number;
+    /** Max ms to resolve a low incident (default 30d) */
+    lowMs: number;
+}
+/** Default SLA configuration */
+export declare const DEFAULT_SLA: SlaConfig;
+/** A single plugin security incident */
+export interface Incident {
+    /** Unique UUID for this incident */
+    id: string;
+    /** Canonical plugin identifier (e.g. "author/plugin-name") */
+    pluginId: string;
+    /** Human-readable title */
+    title: string;
+    /** Detailed description of the vulnerability or issue */
+    description: string;
+    /** CVSS v3.1 numeric score (0.0 – 10.0) */
+    cvssScore: number;
+    /** Qualitative severity derived from cvssScore */
+    severity: IncidentSeverity;
+    /** CVE identifier(s), if applicable */
+    cveIds: string[];
+    /** Current lifecycle status */
+    status: IncidentStatus;
+    /** ISO-8601 timestamp when the incident was reported */
+    createdAt: string;
+    /** ISO-8601 timestamp when status changed to 'acknowledged' (or null) */
+    acknowledgedAt: string | null;
+    /** ISO-8601 timestamp when status changed to 'resolved' or 'closed' */
+    resolvedAt: string | null;
+    /** ISO-8601 deadline computed from createdAt + SLA for this severity */
+    slaDeadline: string;
+    /** Whether the plugin was automatically disabled due to CVSS ≥9.0 */
+    autoDisabled: boolean;
+    /** Assigned responder (name or email) */
+    assignee: string | null;
+    /** Free-text resolution notes populated on close */
+    resolution: string | null;
+    /** GitHub issue URL if one was created */
+    githubIssueUrl: string | null;
+    /** GitHub Security Advisory URL if one was created */
+    githubAdvisoryUrl: string | null;
+    /** Arbitrary metadata (reporter info, affected versions, etc.) */
+    metadata: Record<string, unknown>;
+}
+/** Input to create a new incident */
+export interface CreateIncidentInput {
+    /** Plugin identifier */
+    pluginId: string;
+    /** Short title */
+    title: string;
+    /** Detailed description */
+    description: string;
+    /** CVSS v3.1 score */
+    cvssScore: number;
+    /** CVE IDs (optional) */
+    cveIds?: string[];
+    /** Arbitrary additional metadata */
+    metadata?: Record<string, unknown>;
+}
+/** Input to acknowledge an incident */
+export interface AcknowledgeIncidentInput {
+    /** Incident UUID */
+    id: string;
+    /** Person or system acknowledging */
+    assignee: string;
+}
+/** Input to resolve or close an incident */
+export interface ResolveIncidentInput {
+    /** Incident UUID */
+    id: string;
+    /** Human-readable resolution summary */
+    resolution: string;
+    /** 'resolved' = fix deployed; 'closed' = won't fix / false positive */
+    finalStatus?: 'resolved' | 'closed';
+}
+/** Options for listing incidents */
+export interface ListIncidentsOptions {
+    /** Filter by plugin */
+    pluginId?: string;
+    /** Filter by status */
+    status?: IncidentStatus | IncidentStatus[];
+    /** Filter by severity */
+    severity?: IncidentSeverity | IncidentSeverity[];
+    /** Include only SLA-breached incidents */
+    slaBreached?: boolean;
+    /** Page number (1-based, default 1) */
+    page?: number;
+    /** Page size (default 20, max 100) */
+    pageSize?: number;
+}
+/** Paginated incident listing */
+export interface IncidentPage {
+    items: Incident[];
+    total: number;
+    page: number;
+    pageSize: number;
+    hasMore: boolean;
+}
+/** Payload passed to email notifier */
+export interface EmailNotificationPayload {
+    incident: Incident;
+    /** List of affected user emails to notify */
+    affectedUsers: string[];
+    /** Email subject */
+    subject: string;
+    /** Plain-text body */
+    body: string;
+}
+/** Payload passed to GitHub issue creator */
+export interface GithubIssuePayload {
+    incident: Incident;
+    /** Repo where the issue should be filed (e.g. "dcyfr/dcyfr-plugins") */
+    repo: string;
+    /** GitHub issue title */
+    title: string;
+    /** Markdown body */
+    body: string;
+    /** Label names to apply */
+    labels: string[];
+}
+/** Payload passed to GitHub Security Advisory creator */
+export interface GithubAdvisoryPayload {
+    incident: Incident;
+    repo: string;
+    /** Advisory summary (≤ 128 chars) */
+    summary: string;
+    /** Full description in Markdown */
+    description: string;
+    /** CVSS vector string (optional) */
+    cvssVectorString?: string;
+    /** GHSA severity mapping */
+    ghsaSeverity: 'critical' | 'high' | 'medium' | 'low';
+}
+/** Payload passed to Axiom alert sender */
+export interface AxiomAlertPayload {
+    incident: Incident;
+    alertType: 'sla_breach' | 'auto_disable' | 'new_critical';
+    message: string;
+}
+/** Pluggable email notifier — inject your provider (SendGrid, SES, etc.) */
+export interface EmailNotifier {
+    send(payload: EmailNotificationPayload): Promise<void>;
+}
+/** Pluggable GitHub client — inject real Octokit or a test double */
+export interface GithubClient {
+    createIssue(payload: GithubIssuePayload): Promise<string | null>;
+    createSecurityAdvisory(payload: GithubAdvisoryPayload): Promise<string | null>;
+}
+/** Pluggable Axiom logger — inject real Axiom client or a test double */
+export interface AxiomLogger {
+    logAlert(payload: AxiomAlertPayload): Promise<void>;
+}
+export declare const PLUGIN_INCIDENTS_SCHEMA_SQL = "\nCREATE TABLE IF NOT EXISTS plugin_incidents (\n  id              TEXT PRIMARY KEY,\n  plugin_id       TEXT NOT NULL,\n  title           TEXT NOT NULL,\n  description     TEXT NOT NULL,\n  cvss_score      REAL NOT NULL,\n  severity        TEXT NOT NULL,\n  cve_ids         TEXT NOT NULL DEFAULT '[]',\n  status          TEXT NOT NULL DEFAULT 'open',\n  created_at      TEXT NOT NULL,\n  acknowledged_at TEXT,\n  resolved_at     TEXT,\n  sla_deadline    TEXT NOT NULL,\n  auto_disabled   INTEGER NOT NULL DEFAULT 0,\n  assignee        TEXT,\n  resolution      TEXT,\n  github_issue_url      TEXT,\n  github_advisory_url   TEXT,\n  metadata        TEXT NOT NULL DEFAULT '{}'\n);\n\nCREATE INDEX IF NOT EXISTS idx_incidents_plugin_id ON plugin_incidents (plugin_id);\nCREATE INDEX IF NOT EXISTS idx_incidents_status     ON plugin_incidents (status);\nCREATE INDEX IF NOT EXISTS idx_incidents_severity   ON plugin_incidents (severity);\nCREATE INDEX IF NOT EXISTS idx_incidents_sla        ON plugin_incidents (sla_deadline);\n";
+//# sourceMappingURL=types.d.ts.map

package/dist/ai/src/plugins/incidents/types.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../../../packages/ai/src/plugins/incidents/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAMH,wDAAwD;AACxD,MAAM,MAAM,gBAAgB,GAAG,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,GAAG,eAAe,CAAC;AAExF,qDAAqD;AACrD,MAAM,MAAM,cAAc,GACtB,MAAM,GACN,cAAc,GACd,aAAa,GACb,UAAU,GACV,QAAQ,GACR,cAAc,CAAC;AAMnB,0DAA0D;AAC1D,MAAM,WAAW,SAAS;IACxB,0DAA0D;IAC1D,UAAU,EAAE,MAAM,CAAC;IACnB,sDAAsD;IACtD,MAAM,EAAE,MAAM,CAAC;IACf,uDAAuD;IACvD,QAAQ,EAAE,MAAM,CAAC;IACjB,qDAAqD;IACrD,KAAK,EAAE,MAAM,CAAC;CACf;AAED,gCAAgC;AAChC,eAAO,MAAM,WAAW,EAAE,SAKhB,CAAC;AAMX,wCAAwC;AACxC,MAAM,WAAW,QAAQ;IACvB,oCAAoC;IACpC,EAAE,EAAE,MAAM,CAAC;IACX,8DAA8D;IAC9D,QAAQ,EAAE,MAAM,CAAC;IACjB,2BAA2B;IAC3B,KAAK,EAAE,MAAM,CAAC;IACd,yDAAyD;IACzD,WAAW,EAAE,MAAM,CAAC;IACpB,2CAA2C;IAC3C,SAAS,EAAE,MAAM,CAAC;IAClB,kDAAkD;IAClD,QAAQ,EAAE,gBAAgB,CAAC;IAC3B,uCAAuC;IACvC,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,+BAA+B;IAC/B,MAAM,EAAE,cAAc,CAAC;IACvB,wDAAwD;IACxD,SAAS,EAAE,MAAM,CAAC;IAClB,yEAAyE;IACzE,cAAc,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,uEAAuE;IACvE,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,wEAAwE;IACxE,WAAW,EAAE,MAAM,CAAC;IACpB,qEAAqE;IACrE,YAAY,EAAE,OAAO,CAAC;IACtB,yCAAyC;IACzC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,oDAAoD;IACpD,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,0CAA0C;IAC1C,cAAc,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,sDAAsD;IACtD,iBAAiB,EAAE,MAAM,GAAG,IAAI,CAAC;IACjC,kEAAkE;IAClE,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACnC;AAMD,qCAAqC;AACrC,MAAM,WAAW,mBAAmB;IAClC,wBAAwB;IACxB,QAAQ,EAAE,MAAM,CAAC;IACjB,kBAAkB;IAClB,KAAK,EAAE,MAAM,CAAC;IACd,2BAA2B;IAC3B,WAAW,EAAE,MAAM,CAAC;IACpB,sBAAsB;IACtB,SAAS,EAAE,MAAM,CAAC;IAClB,yBAAyB;IACzB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,oCAAoC;IACpC,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACpC;AAED,uCAAuC;AACvC,MAAM,WAAW,wBAAwB;IACvC,oBAAoB;IACpB,EAAE,EAAE,MAAM,CAAC;IACX,qCAAqC;IACrC,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,4CAA4C;AAC5C,MAAM,WAAW,oBAAoB;IACnC,oBAAoB;IACpB,EAAE,EAAE,MAAM,CAAC;IACX,wCAAwC;IACxC,UAAU,EAAE,MAAM,CAAC;IACnB,uEAAuE;IACvE,WAAW,CAAC,EAAE,UAAU,GAAG,QAAQ,CAAC;CACrC;AAMD,oCAAoC;AACpC,MAAM,WAAW,oBAAoB;IACnC,uBAAuB;IACvB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,uBAAuB;IACvB,MAAM,CAAC,EAAE,cAAc,GAAG,cAAc,EAAE,CAAC;IAC3C,yBAAyB;IACzB,QAAQ,CAAC,EAAE,gBAAgB,GAAG,gBAAgB,EAAE,CAAC;IACjD,0CAA0C;IAC1C,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,uCAAuC;IACvC,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,sCAAsC;IACtC,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,iCAAiC;AACjC,MAAM,WAAW,YAAY;IAC3B,KAAK,EAAE,QAAQ,EAAE,CAAC;IAClB,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,OAAO,CAAC;CAClB;AAMD,uCAAuC;AACvC,MAAM,WAAW,wBAAwB;IACvC,QAAQ,EAAE,QAAQ,CAAC;IACnB,6CAA6C;IAC7C,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,oBAAoB;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,sBAAsB;IACtB,IAAI,EAAE,MAAM,CAAC;CACd;AAED,6CAA6C;AAC7C,MAAM,WAAW,kBAAkB;IACjC,QAAQ,EAAE,QAAQ,CAAC;IACnB,wEAAwE;IACxE,IAAI,EAAE,MAAM,CAAC;IACb,yBAAyB;IACzB,KAAK,EAAE,MAAM,CAAC;IACd,oBAAoB;IACpB,IAAI,EAAE,MAAM,CAAC;IACb,2BAA2B;IAC3B,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB;AAED,yDAAyD;AACzD,MAAM,WAAW,qBAAqB;IACpC,QAAQ,EAAE,QAAQ,CAAC;IACnB,IAAI,EAAE,MAAM,CAAC;IACb,qCAAqC;IACrC,OAAO,EAAE,MAAM,CAAC;IAChB,mCAAmC;IACnC,WAAW,EAAE,MAAM,CAAC;IACpB,oCAAoC;IACpC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,4BAA4B;IAC5B,YAAY,EAAE,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;CACtD;AAED,2CAA2C;AAC3C,MAAM,WAAW,iBAAiB;IAChC,QAAQ,EAAE,QAAQ,CAAC;IACnB,SAAS,EAAE,YAAY,GAAG,cAAc,GAAG,cAAc,CAAC;IAC1D,OAAO,EAAE,MAAM,CAAC;CACjB;AAMD,4EAA4E;AAC5E,MAAM,WAAW,aAAa;IAC5B,IAAI,CAAC,OAAO,EAAE,wBAAwB,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACxD;AAED,qEAAqE;AACrE,MAAM,WAAW,YAAY;IAC3B,WAAW,CAAC,OAAO,EAAE,kBAAkB,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IACjE,sBAAsB,CAAC,OAAO,EAAE,qBAAqB,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;CAChF;AAED,yEAAyE;AACzE,MAAM,WAAW,WAAW;IAC1B,QAAQ,CAAC,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACrD;AAMD,eAAO,MAAM,2BAA2B,ogCA0BvC,CAAC"}

package/dist/ai/src/plugins/incidents/types.js ADDED Viewed

@@ -0,0 +1,55 @@
+/**
+ * Plugin Incident Response SLA — Type Definitions
+ *
+ * Central type registry for the incident response system.
+ * Includes SQL DDL for persisting incidents to a relational store.
+ *
+ * SLA timers (measured from `createdAt`):
+ *   critical (CVSS ≥9.0) — 24 hours
+ *   high     (CVSS 7.0–8.9) — 48 hours
+ *   medium   (CVSS 4.0–6.9) — 7 days
+ *   low      (CVSS 0.1–3.9) — 30 days
+ *
+ * @module plugins/incidents/types
+ * @version 1.0.0
+ * @date 2026-02-28
+ * @license MIT
+ */
+/** Default SLA configuration */
+export const DEFAULT_SLA = {
+    criticalMs: 24 * 60 * 60 * 1000, // 24 hours
+    highMs: 48 * 60 * 60 * 1000, // 48 hours
+    mediumMs: 7 * 24 * 60 * 60 * 1000, // 7 days
+    lowMs: 30 * 24 * 60 * 60 * 1000, // 30 days
+};
+// ---------------------------------------------------------------------------
+// SQL DDL
+// ---------------------------------------------------------------------------
+export const PLUGIN_INCIDENTS_SCHEMA_SQL = /* sql */ `
+CREATE TABLE IF NOT EXISTS plugin_incidents (
+  id              TEXT PRIMARY KEY,
+  plugin_id       TEXT NOT NULL,
+  title           TEXT NOT NULL,
+  description     TEXT NOT NULL,
+  cvss_score      REAL NOT NULL,
+  severity        TEXT NOT NULL,
+  cve_ids         TEXT NOT NULL DEFAULT '[]',
+  status          TEXT NOT NULL DEFAULT 'open',
+  created_at      TEXT NOT NULL,
+  acknowledged_at TEXT,
+  resolved_at     TEXT,
+  sla_deadline    TEXT NOT NULL,
+  auto_disabled   INTEGER NOT NULL DEFAULT 0,
+  assignee        TEXT,
+  resolution      TEXT,
+  github_issue_url      TEXT,
+  github_advisory_url   TEXT,
+  metadata        TEXT NOT NULL DEFAULT '{}'
+);
+CREATE INDEX IF NOT EXISTS idx_incidents_plugin_id ON plugin_incidents (plugin_id);
+CREATE INDEX IF NOT EXISTS idx_incidents_status     ON plugin_incidents (status);
+CREATE INDEX IF NOT EXISTS idx_incidents_severity   ON plugin_incidents (severity);
+CREATE INDEX IF NOT EXISTS idx_incidents_sla        ON plugin_incidents (sla_deadline);
+`;
+//# sourceMappingURL=types.js.map

package/dist/ai/src/plugins/incidents/types.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"types.js","sourceRoot":"","sources":["../../../../../packages/ai/src/plugins/incidents/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAkCH,gCAAgC;AAChC,MAAM,CAAC,MAAM,WAAW,GAAc;IACpC,UAAU,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,EAAM,WAAW;IAChD,MAAM,EAAM,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,EAAM,WAAW;IAChD,QAAQ,EAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,EAAE,SAAS;IAC9C,KAAK,EAAO,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,EAAC,UAAU;CACvC,CAAC;AAsLX,8EAA8E;AAC9E,UAAU;AACV,8EAA8E;AAE9E,MAAM,CAAC,MAAM,2BAA2B,GAAG,SAAS,CAAA;;;;;;;;;;;;;;;;;;;;;;;;;;CA0BnD,CAAC"}

package/dist/ai/src/plugins/permissions/index.d.ts ADDED Viewed

@@ -0,0 +1,17 @@
+/**
+ * Plugin Permissions System
+ *
+ * Exports all types, validators, enforcers, attenuators, and audit loggers
+ * for the DCYFR plugin permission model.
+ *
+ * @module plugins/permissions
+ */
+export type { FilesystemPermissions, NetworkPermissions, ExecutionPermissions, McpPermissions, DataPermissions, PluginPermissions, PermissionViolation, PermissionCheckResult, AttenuatedPermissions, PermissionAuditEvent, PermissionAuditEventType, } from './types.js';
+export { createDenyAllPermissions, createAllowAllPermissions } from './types.js';
+export { PluginPermissionValidator } from './plugin-permission-validator.js';
+export { PermissionDeniedError, PermissionEnforcer, } from './permission-enforcer.js';
+export type { EnforcementContext, RealFs, EnforcedFsApis, EnforcedFetch, EnforcedExec, } from './permission-enforcer.js';
+export { attenuatePermissions, isSubsetOf } from './permission-attenuator.js';
+export { PermissionAuditLogger } from './permission-audit-logger.js';
+export type { PermissionAuditLoggerConfig, AuditLogResult, } from './permission-audit-logger.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/ai/src/plugins/permissions/index.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../packages/ai/src/plugins/permissions/index.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,YAAY,EACV,qBAAqB,EACrB,kBAAkB,EAClB,oBAAoB,EACpB,cAAc,EACd,eAAe,EACf,iBAAiB,EACjB,mBAAmB,EACnB,qBAAqB,EACrB,qBAAqB,EACrB,oBAAoB,EACpB,wBAAwB,GACzB,MAAM,YAAY,CAAC;AACpB,OAAO,EAAE,wBAAwB,EAAE,yBAAyB,EAAE,MAAM,YAAY,CAAC;AACjF,OAAO,EAAE,yBAAyB,EAAE,MAAM,kCAAkC,CAAC;AAC7E,OAAO,EACL,qBAAqB,EACrB,kBAAkB,GACnB,MAAM,0BAA0B,CAAC;AAClC,YAAY,EACV,kBAAkB,EAClB,MAAM,EACN,cAAc,EACd,aAAa,EACb,YAAY,GACb,MAAM,0BAA0B,CAAC;AAClC,OAAO,EAAE,oBAAoB,EAAE,UAAU,EAAE,MAAM,4BAA4B,CAAC;AAC9E,OAAO,EAAE,qBAAqB,EAAE,MAAM,8BAA8B,CAAC;AACrE,YAAY,EACV,2BAA2B,EAC3B,cAAc,GACf,MAAM,8BAA8B,CAAC"}

package/dist/ai/src/plugins/permissions/index.js ADDED Viewed

@@ -0,0 +1,14 @@
+/**
+ * Plugin Permissions System
+ *
+ * Exports all types, validators, enforcers, attenuators, and audit loggers
+ * for the DCYFR plugin permission model.
+ *
+ * @module plugins/permissions
+ */
+export { createDenyAllPermissions, createAllowAllPermissions } from './types.js';
+export { PluginPermissionValidator } from './plugin-permission-validator.js';
+export { PermissionDeniedError, PermissionEnforcer, } from './permission-enforcer.js';
+export { attenuatePermissions, isSubsetOf } from './permission-attenuator.js';
+export { PermissionAuditLogger } from './permission-audit-logger.js';
+//# sourceMappingURL=index.js.map

package/dist/ai/src/plugins/permissions/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../../packages/ai/src/plugins/permissions/index.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAeH,OAAO,EAAE,wBAAwB,EAAE,yBAAyB,EAAE,MAAM,YAAY,CAAC;AACjF,OAAO,EAAE,yBAAyB,EAAE,MAAM,kCAAkC,CAAC;AAC7E,OAAO,EACL,qBAAqB,EACrB,kBAAkB,GACnB,MAAM,0BAA0B,CAAC;AAQlC,OAAO,EAAE,oBAAoB,EAAE,UAAU,EAAE,MAAM,4BAA4B,CAAC;AAC9E,OAAO,EAAE,qBAAqB,EAAE,MAAM,8BAA8B,CAAC"}

package/dist/ai/src/plugins/permissions/permission-attenuator.d.ts ADDED Viewed

@@ -0,0 +1,29 @@
+/**
+ * Permission Attenuation
+ *
+ * Implements the principle that a delegating agent can only grant a
+ * sub-agent permissions it already holds. Narrows permissions at the
+ * point of delegation, producing an `AttenuatedPermissions` record.
+ *
+ * Compatible with the delegation framework's security middleware chain.
+ *
+ * @module plugins/permissions/permission-attenuator
+ * @version 1.0.0
+ * @date 2026-02-28
+ * @license MIT
+ */
+import type { PluginPermissions, AttenuatedPermissions } from './types.js';
+/**
+ * Attenuate `requested` permissions against `granted` (the parent's actual
+ * permissions). The result is guaranteed to be a strict subset of `granted`.
+ *
+ * @param requested - Permissions the plugin wants to delegate downstream
+ * @param granted   - Permissions the plugin currently holds
+ */
+export declare function attenuatePermissions(requested: PluginPermissions, granted: PluginPermissions): AttenuatedPermissions;
+/**
+ * Check whether `subset` is a strict subset of `superset`.
+ * Returns `true` when every capability in `subset` is also present in `superset`.
+ */
+export declare function isSubsetOf(subset: PluginPermissions, superset: PluginPermissions): boolean;
+//# sourceMappingURL=permission-attenuator.d.ts.map

package/dist/ai/src/plugins/permissions/permission-attenuator.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"permission-attenuator.d.ts","sourceRoot":"","sources":["../../../../../packages/ai/src/plugins/permissions/permission-attenuator.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAGH,OAAO,KAAK,EACV,iBAAiB,EAMjB,qBAAqB,EACtB,MAAM,YAAY,CAAC;AA2KpB;;;;;;GAMG;AACH,wBAAgB,oBAAoB,CAClC,SAAS,EAAE,iBAAiB,EAC5B,OAAO,EAAE,iBAAiB,GACzB,qBAAqB,CA4BvB;AAED;;;GAGG;AACH,wBAAgB,UAAU,CACxB,MAAM,EAAE,iBAAiB,EACzB,QAAQ,EAAE,iBAAiB,GAC1B,OAAO,CAIT"}

package/dist/ai/src/plugins/permissions/permission-attenuator.js ADDED Viewed

@@ -0,0 +1,190 @@
+/**
+ * Permission Attenuation
+ *
+ * Implements the principle that a delegating agent can only grant a
+ * sub-agent permissions it already holds. Narrows permissions at the
+ * point of delegation, producing an `AttenuatedPermissions` record.
+ *
+ * Compatible with the delegation framework's security middleware chain.
+ *
+ * @module plugins/permissions/permission-attenuator
+ * @version 1.0.0
+ * @date 2026-02-28
+ * @license MIT
+ */
+import { matchesGlob } from 'node:path';
+// ---------------------------------------------------------------------------
+// Intersection helpers (narrow A ∩ B)
+// ---------------------------------------------------------------------------
+/**
+ * Return only those patterns in `requested` that are covered by
+ * at least one pattern in `granted`. "Covered" = every path that
+ * matches `req` also matches at least one pattern in `granted`.
+ *
+ * For simplicity we use direct containment: a pattern is retained if it
+ * is equal to a granted pattern or if one of the granted patterns is the
+ * wildcard `**` (match all).
+ */
+function intersectGlobs(requested, granted) {
+    if (granted.includes('**'))
+        return requested;
+    return requested.filter((req) => granted.some((g) => {
+        if (g === req)
+            return true;
+        // If granted pattern ends with /** try to see if requested is a sub-path
+        try {
+            return matchesGlob(req, g);
+        }
+        catch {
+            return false;
+        }
+    }));
+}
+function intersectFilesystem(requested, granted) {
+    const read = intersectGlobs(requested.read, granted.read);
+    const write = intersectGlobs(requested.write, granted.write);
+    const delete_ = intersectGlobs(requested.delete, granted.delete);
+    const removed = [];
+    for (const p of requested.read) {
+        if (!read.includes(p))
+            removed.push(`filesystem.read: ${p}`);
+    }
+    for (const p of requested.write) {
+        if (!write.includes(p))
+            removed.push(`filesystem.write: ${p}`);
+    }
+    for (const p of requested.delete) {
+        if (!delete_.includes(p))
+            removed.push(`filesystem.delete: ${p}`);
+    }
+    return { result: { read, write, delete: delete_ }, removed };
+}
+function intersectNetwork(requested, granted) {
+    const removed = [];
+    const allowed = requested.allowed && granted.allowed;
+    if (requested.allowed && !granted.allowed) {
+        removed.push('network.allowed');
+    }
+    // Intersect domain lists
+    let allowedDomains = requested.allowedDomains;
+    if (granted.allowedDomains.length > 0) {
+        allowedDomains = requested.allowedDomains.filter((d) => granted.allowedDomains.includes(d));
+        for (const d of requested.allowedDomains) {
+            if (!allowedDomains.includes(d))
+                removed.push(`network.allowedDomains: ${d}`);
+        }
+    }
+    // Take the stricter (lower) request limit
+    let maxRequests;
+    if (requested.maxRequests === 0) {
+        maxRequests = granted.maxRequests;
+    }
+    else if (granted.maxRequests === 0) {
+        maxRequests = requested.maxRequests;
+    }
+    else {
+        maxRequests = Math.min(requested.maxRequests, granted.maxRequests);
+    }
+    if (requested.maxRequests === 0 && granted.maxRequests > 0) {
+        removed.push(`network.maxRequests: unlimited → ${granted.maxRequests}`);
+    }
+    return { result: { allowed, allowedDomains, maxRequests }, removed };
+}
+function intersectExecution(requested, granted) {
+    const removed = [];
+    const allowShellCommands = requested.allowShellCommands && granted.allowShellCommands;
+    if (requested.allowShellCommands && !granted.allowShellCommands) {
+        removed.push('execution.allowShellCommands');
+    }
+    const allowedCommands = granted.allowShellCommands
+        ? requested.allowedCommands
+        : requested.allowedCommands.filter((c) => granted.allowedCommands.includes(c));
+    for (const c of requested.allowedCommands) {
+        if (!allowedCommands.includes(c))
+            removed.push(`execution.allowedCommands: ${c}`);
+    }
+    let maxProcesses;
+    if (requested.maxProcesses === 0) {
+        maxProcesses = granted.maxProcesses;
+    }
+    else if (granted.maxProcesses === 0) {
+        maxProcesses = requested.maxProcesses;
+    }
+    else {
+        maxProcesses = Math.min(requested.maxProcesses, granted.maxProcesses);
+    }
+    return { result: { allowShellCommands, allowedCommands, maxProcesses }, removed };
+}
+function intersectMcp(requested, granted) {
+    const removed = [];
+    // Merge deny lists (union)
+    const deniedServers = [...new Set([...requested.deniedServers, ...granted.deniedServers])];
+    // Intersect allow lists
+    let allowedServers;
+    if (granted.allowedServers.includes('*')) {
+        allowedServers = requested.allowedServers;
+    }
+    else if (requested.allowedServers.includes('*')) {
+        allowedServers = granted.allowedServers;
+    }
+    else {
+        allowedServers = requested.allowedServers.filter((s) => granted.allowedServers.includes(s));
+        for (const s of requested.allowedServers) {
+            if (!allowedServers.includes(s))
+                removed.push(`mcp.allowedServers: ${s}`);
+        }
+    }
+    return { result: { allowedServers, deniedServers }, removed };
+}
+function intersectData(requested, granted) {
+    const removed = [];
+    const allowEnvironmentVars = requested.allowEnvironmentVars && granted.allowEnvironmentVars;
+    const allowSecretAccess = requested.allowSecretAccess && granted.allowSecretAccess;
+    if (requested.allowEnvironmentVars && !granted.allowEnvironmentVars) {
+        removed.push('data.allowEnvironmentVars');
+    }
+    if (requested.allowSecretAccess && !granted.allowSecretAccess) {
+        removed.push('data.allowSecretAccess');
+    }
+    return { result: { allowEnvironmentVars, allowSecretAccess }, removed };
+}
+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+/**
+ * Attenuate `requested` permissions against `granted` (the parent's actual
+ * permissions). The result is guaranteed to be a strict subset of `granted`.
+ *
+ * @param requested - Permissions the plugin wants to delegate downstream
+ * @param granted   - Permissions the plugin currently holds
+ */
+export function attenuatePermissions(requested, granted) {
+    const removedCapabilities = [];
+    const fs = intersectFilesystem(requested.filesystem, granted.filesystem);
+    const net = intersectNetwork(requested.network, granted.network);
+    const exec = intersectExecution(requested.execution, granted.execution);
+    const mcp = intersectMcp(requested.mcp, granted.mcp);
+    const data = intersectData(requested.data, granted.data);
+    removedCapabilities.push(...fs.removed, ...net.removed, ...exec.removed, ...mcp.removed, ...data.removed);
+    return {
+        original: granted,
+        attenuated: {
+            filesystem: fs.result,
+            network: net.result,
+            execution: exec.result,
+            mcp: mcp.result,
+            data: data.result,
+        },
+        removedCapabilities,
+    };
+}
+/**
+ * Check whether `subset` is a strict subset of `superset`.
+ * Returns `true` when every capability in `subset` is also present in `superset`.
+ */
+export function isSubsetOf(subset, superset) {
+    const result = attenuatePermissions(subset, superset);
+    // If attenuation removed nothing AND the sets match, subset ⊆ superset
+    return result.removedCapabilities.length === 0;
+}
+//# sourceMappingURL=permission-attenuator.js.map

package/dist/ai/src/plugins/permissions/permission-attenuator.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"permission-attenuator.js","sourceRoot":"","sources":["../../../../../packages/ai/src/plugins/permissions/permission-attenuator.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,WAAW,EAAE,MAAM,WAAW,CAAC;AAWxC,8EAA8E;AAC9E,sCAAsC;AACtC,8EAA8E;AAE9E;;;;;;;;GAQG;AACH,SAAS,cAAc,CAAC,SAAmB,EAAE,OAAiB;IAC5D,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC;QAAE,OAAO,SAAS,CAAC;IAC7C,OAAO,SAAS,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE,CAC9B,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE;QACjB,IAAI,CAAC,KAAK,GAAG;YAAE,OAAO,IAAI,CAAC;QAC3B,yEAAyE;QACzE,IAAI,CAAC;YACH,OAAO,WAAW,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;QAC7B,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC,CAAC,CACH,CAAC;AACJ,CAAC;AAED,SAAS,mBAAmB,CAC1B,SAAgC,EAChC,OAA8B;IAE9B,MAAM,IAAI,GAAG,cAAc,CAAC,SAAS,CAAC,IAAI,EAAE,OAAO,CAAC,IAAI,CAAC,CAAC;IAC1D,MAAM,KAAK,GAAG,cAAc,CAAC,SAAS,CAAC,KAAK,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;IAC7D,MAAM,OAAO,GAAG,cAAc,CAAC,SAAS,CAAC,MAAM,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;IAEjE,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,KAAK,MAAM,CAAC,IAAI,SAAS,CAAC,IAAI,EAAE,CAAC;QAC/B,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC;YAAE,OAAO,CAAC,IAAI,CAAC,oBAAoB,CAAC,EAAE,CAAC,CAAC;IAC/D,CAAC;IACD,KAAK,MAAM,CAAC,IAAI,SAAS,CAAC,KAAK,EAAE,CAAC;QAChC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC;YAAE,OAAO,CAAC,IAAI,CAAC,qBAAqB,CAAC,EAAE,CAAC,CAAC;IACjE,CAAC;IACD,KAAK,MAAM,CAAC,IAAI,SAAS,CAAC,MAAM,EAAE,CAAC;QACjC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC;YAAE,OAAO,CAAC,IAAI,CAAC,sBAAsB,CAAC,EAAE,CAAC,CAAC;IACpE,CAAC;IAED,OAAO,EAAE,MAAM,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,OAAO,EAAE,CAAC;AAC/D,CAAC;AAED,SAAS,gBAAgB,CACvB,SAA6B,EAC7B,OAA2B;IAE3B,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,MAAM,OAAO,GAAG,SAAS,CAAC,OAAO,IAAI,OAAO,CAAC,OAAO,CAAC;IAErD,IAAI,SAAS,CAAC,OAAO,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC;QAC1C,OAAO,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;IAClC,CAAC;IAED,yBAAyB;IACzB,IAAI,cAAc,GAAG,SAAS,CAAC,cAAc,CAAC;IAC9C,IAAI,OAAO,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACtC,cAAc,GAAG,SAAS,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CACrD,OAAO,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC,CAAC,CACnC,CAAC;QACF,KAAK,MAAM,CAAC,IAAI,SAAS,CAAC,cAAc,EAAE,CAAC;YACzC,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC,CAAC;gBAAE,OAAO,CAAC,IAAI,CAAC,2BAA2B,CAAC,EAAE,CAAC,CAAC;QAChF,CAAC;IACH,CAAC;IAED,0CAA0C;IAC1C,IAAI,WAAmB,CAAC;IACxB,IAAI,SAAS,CAAC,WAAW,KAAK,CAAC,EAAE,CAAC;QAChC,WAAW,GAAG,OAAO,CAAC,WAAW,CAAC;IACpC,CAAC;SAAM,IAAI,OAAO,CAAC,WAAW,KAAK,CAAC,EAAE,CAAC;QACrC,WAAW,GAAG,SAAS,CAAC,WAAW,CAAC;IACtC,CAAC;SAAM,CAAC;QACN,WAAW,GAAG,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,WAAW,EAAE,OAAO,CAAC,WAAW,CAAC,CAAC;IACrE,CAAC;IAED,IAAI,SAAS,CAAC,WAAW,KAAK,CAAC,IAAI,OAAO,CAAC,WAAW,GAAG,CAAC,EAAE,CAAC;QAC3D,OAAO,CAAC,IAAI,CAAC,oCAAoC,OAAO,CAAC,WAAW,EAAE,CAAC,CAAC;IAC1E,CAAC;IAED,OAAO,EAAE,MAAM,EAAE,EAAE,OAAO,EAAE,cAAc,EAAE,WAAW,EAAE,EAAE,OAAO,EAAE,CAAC;AACvE,CAAC;AAED,SAAS,kBAAkB,CACzB,SAA+B,EAC/B,OAA6B;IAE7B,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,MAAM,kBAAkB,GAAG,SAAS,CAAC,kBAAkB,IAAI,OAAO,CAAC,kBAAkB,CAAC;IAEtF,IAAI,SAAS,CAAC,kBAAkB,IAAI,CAAC,OAAO,CAAC,kBAAkB,EAAE,CAAC;QAChE,OAAO,CAAC,IAAI,CAAC,8BAA8B,CAAC,CAAC;IAC/C,CAAC;IAED,MAAM,eAAe,GAAG,OAAO,CAAC,kBAAkB;QAChD,CAAC,CAAC,SAAS,CAAC,eAAe;QAC3B,CAAC,CAAC,SAAS,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,eAAe,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;IAEjF,KAAK,MAAM,CAAC,IAAI,SAAS,CAAC,eAAe,EAAE,CAAC;QAC1C,IAAI,CAAC,eAAe,CAAC,QAAQ,CAAC,CAAC,CAAC;YAAE,OAAO,CAAC,IAAI,CAAC,8BAA8B,CAAC,EAAE,CAAC,CAAC;IACpF,CAAC;IAED,IAAI,YAAoB,CAAC;IACzB,IAAI,SAAS,CAAC,YAAY,KAAK,CAAC,EAAE,CAAC;QACjC,YAAY,GAAG,OAAO,CAAC,YAAY,CAAC;IACtC,CAAC;SAAM,IAAI,OAAO,CAAC,YAAY,KAAK,CAAC,EAAE,CAAC;QACtC,YAAY,GAAG,SAAS,CAAC,YAAY,CAAC;IACxC,CAAC;SAAM,CAAC;QACN,YAAY,GAAG,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,YAAY,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC;IACxE,CAAC;IAED,OAAO,EAAE,MAAM,EAAE,EAAE,kBAAkB,EAAE,eAAe,EAAE,YAAY,EAAE,EAAE,OAAO,EAAE,CAAC;AACpF,CAAC;AAED,SAAS,YAAY,CACnB,SAAyB,EACzB,OAAuB;IAEvB,MAAM,OAAO,GAAa,EAAE,CAAC;IAE7B,2BAA2B;IAC3B,MAAM,aAAa,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,SAAS,CAAC,aAAa,EAAE,GAAG,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;IAE3F,wBAAwB;IACxB,IAAI,cAAwB,CAAC;IAC7B,IAAI,OAAO,CAAC,cAAc,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACzC,cAAc,GAAG,SAAS,CAAC,cAAc,CAAC;IAC5C,CAAC;SAAM,IAAI,SAAS,CAAC,cAAc,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QAClD,cAAc,GAAG,OAAO,CAAC,cAAc,CAAC;IAC1C,CAAC;SAAM,CAAC;QACN,cAAc,GAAG,SAAS,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CACrD,OAAO,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC,CAAC,CACnC,CAAC;QACF,KAAK,MAAM,CAAC,IAAI,SAAS,CAAC,cAAc,EAAE,CAAC;YACzC,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC,CAAC;gBAAE,OAAO,CAAC,IAAI,CAAC,uBAAuB,CAAC,EAAE,CAAC,CAAC;QAC5E,CAAC;IACH,CAAC;IAED,OAAO,EAAE,MAAM,EAAE,EAAE,cAAc,EAAE,aAAa,EAAE,EAAE,OAAO,EAAE,CAAC;AAChE,CAAC;AAED,SAAS,aAAa,CACpB,SAA0B,EAC1B,OAAwB;IAExB,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,MAAM,oBAAoB,GAAG,SAAS,CAAC,oBAAoB,IAAI,OAAO,CAAC,oBAAoB,CAAC;IAC5F,MAAM,iBAAiB,GAAG,SAAS,CAAC,iBAAiB,IAAI,OAAO,CAAC,iBAAiB,CAAC;IAEnF,IAAI,SAAS,CAAC,oBAAoB,IAAI,CAAC,OAAO,CAAC,oBAAoB,EAAE,CAAC;QACpE,OAAO,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC;IAC5C,CAAC;IACD,IAAI,SAAS,CAAC,iBAAiB,IAAI,CAAC,OAAO,CAAC,iBAAiB,EAAE,CAAC;QAC9D,OAAO,CAAC,IAAI,CAAC,wBAAwB,CAAC,CAAC;IACzC,CAAC;IAED,OAAO,EAAE,MAAM,EAAE,EAAE,oBAAoB,EAAE,iBAAiB,EAAE,EAAE,OAAO,EAAE,CAAC;AAC1E,CAAC;AAED,8EAA8E;AAC9E,aAAa;AACb,8EAA8E;AAE9E;;;;;;GAMG;AACH,MAAM,UAAU,oBAAoB,CAClC,SAA4B,EAC5B,OAA0B;IAE1B,MAAM,mBAAmB,GAAa,EAAE,CAAC;IAEzC,MAAM,EAAE,GAAG,mBAAmB,CAAC,SAAS,CAAC,UAAU,EAAE,OAAO,CAAC,UAAU,CAAC,CAAC;IACzE,MAAM,GAAG,GAAG,gBAAgB,CAAC,SAAS,CAAC,OAAO,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;IACjE,MAAM,IAAI,GAAG,kBAAkB,CAAC,SAAS,CAAC,SAAS,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC;IACxE,MAAM,GAAG,GAAG,YAAY,CAAC,SAAS,CAAC,GAAG,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC;IACrD,MAAM,IAAI,GAAG,aAAa,CAAC,SAAS,CAAC,IAAI,EAAE,OAAO,CAAC,IAAI,CAAC,CAAC;IAEzD,mBAAmB,CAAC,IAAI,CACtB,GAAG,EAAE,CAAC,OAAO,EACb,GAAG,GAAG,CAAC,OAAO,EACd,GAAG,IAAI,CAAC,OAAO,EACf,GAAG,GAAG,CAAC,OAAO,EACd,GAAG,IAAI,CAAC,OAAO,CAChB,CAAC;IAEF,OAAO;QACL,QAAQ,EAAE,OAAO;QACjB,UAAU,EAAE;YACV,UAAU,EAAE,EAAE,CAAC,MAAM;YACrB,OAAO,EAAE,GAAG,CAAC,MAAM;YACnB,SAAS,EAAE,IAAI,CAAC,MAAM;YACtB,GAAG,EAAE,GAAG,CAAC,MAAM;YACf,IAAI,EAAE,IAAI,CAAC,MAAM;SAClB;QACD,mBAAmB;KACpB,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,UAAU,CACxB,MAAyB,EACzB,QAA2B;IAE3B,MAAM,MAAM,GAAG,oBAAoB,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IACtD,uEAAuE;IACvE,OAAO,MAAM,CAAC,mBAAmB,CAAC,MAAM,KAAK,CAAC,CAAC;AACjD,CAAC"}

package/dist/ai/src/plugins/permissions/permission-audit-logger.d.ts ADDED Viewed

@@ -0,0 +1,72 @@
+/**
+ * Permission Audit Logger
+ *
+ * Logs permission events to Axiom (when configured) or to
+ * stdout/stderr as a fallback. Used by the enforcer and validator
+ * to create an immutable audit trail for each plugin execution.
+ *
+ * @module plugins/permissions/permission-audit-logger
+ * @version 1.0.0
+ * @date 2026-02-28
+ * @license MIT
+ */
+import type { PermissionAuditEvent } from './types.js';
+/** Configuration for PermissionAuditLogger */
+export interface PermissionAuditLoggerConfig {
+    /** Axiom dataset name. Defaults to `AXIOM_DATASET` env var. */
+    axiomDataset?: string;
+    /** Axiom API token. Defaults to `AXIOM_TOKEN` env var. */
+    axiomToken?: string;
+    /** When true, always log to stdout regardless of Axiom config. Default false. */
+    alwaysConsole?: boolean;
+}
+/** Result of a log call (used for testing) */
+export interface AuditLogResult {
+    /** Where the event was dispatched */
+    destination: 'axiom' | 'stdout' | 'stderr';
+    /** Whether the dispatch succeeded */
+    success: boolean;
+    /** Error message, if any */
+    error?: string;
+}
+/**
+ * Logs permission audit events to Axiom or stdout.
+ *
+ * @example
+ * ```ts
+ * const logger = new PermissionAuditLogger({ axiomDataset: 'dcyfr-plugins' });
+ * await logger.log({
+ *   timestamp: new Date().toISOString(),
+ *   eventType: 'permission_granted',
+ *   pluginId: 'my-plugin',
+ *   pluginVersion: '1.0.0',
+ *   category: 'filesystem',
+ *   action: 'read',
+ *   resource: '/src/index.ts',
+ *   granted: true,
+ * });
+ * ```
+ */
+export declare class PermissionAuditLogger {
+    private readonly dataset;
+    private readonly token;
+    private readonly alwaysConsole;
+    constructor(config?: PermissionAuditLoggerConfig);
+    /**
+     * Whether Axiom is configured and events will be sent there.
+     */
+    get isAxiomEnabled(): boolean;
+    /**
+     * Log a single permission audit event.
+     * Returns a result object describing where the event was sent.
+     */
+    log(event: PermissionAuditEvent): Promise<AuditLogResult>;
+    /**
+     * Log multiple events in a single batch request (Axiom supports this).
+     */
+    logBatch(events: PermissionAuditEvent[]): Promise<AuditLogResult[]>;
+    private writeToConsole;
+    private sendToAxiom;
+    private sendBatchToAxiom;
+}
+//# sourceMappingURL=permission-audit-logger.d.ts.map

package/dist/ai/src/plugins/permissions/permission-audit-logger.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"permission-audit-logger.d.ts","sourceRoot":"","sources":["../../../../../packages/ai/src/plugins/permissions/permission-audit-logger.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,YAAY,CAAC;AAEvD,8CAA8C;AAC9C,MAAM,WAAW,2BAA2B;IAC1C,+DAA+D;IAC/D,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,0DAA0D;IAC1D,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,iFAAiF;IACjF,aAAa,CAAC,EAAE,OAAO,CAAC;CACzB;AAED,8CAA8C;AAC9C,MAAM,WAAW,cAAc;IAC7B,qCAAqC;IACrC,WAAW,EAAE,OAAO,GAAG,QAAQ,GAAG,QAAQ,CAAC;IAC3C,qCAAqC;IACrC,OAAO,EAAE,OAAO,CAAC;IACjB,4BAA4B;IAC5B,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAoBD;;;;;;;;;;;;;;;;;GAiBG;AACH,qBAAa,qBAAqB;IAChC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAqB;IAC7C,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAqB;IAC3C,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAU;gBAE5B,MAAM,CAAC,EAAE,2BAA2B;IAQhD;;OAEG;IACH,IAAI,cAAc,IAAI,OAAO,CAE5B;IAED;;;OAGG;IACG,GAAG,CAAC,KAAK,EAAE,oBAAoB,GAAG,OAAO,CAAC,cAAc,CAAC;IAgB/D;;OAEG;IACG,QAAQ,CAAC,MAAM,EAAE,oBAAoB,EAAE,GAAG,OAAO,CAAC,cAAc,EAAE,CAAC;IAsBzE,OAAO,CAAC,cAAc;YASR,WAAW;YA8BX,gBAAgB;CAuC/B"}