@dcyfr/ai 2.1.3 → 3.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (468) hide show
  1. package/CHANGELOG.md +81 -0
  2. package/README.md +75 -10
  3. package/config/default.json +11 -5
  4. package/config/default.yaml +13 -5
  5. package/dist/.tsbuildinfo +1 -0
  6. package/dist/ai/agents/agent-loader.d.ts.map +1 -1
  7. package/dist/ai/agents/agent-loader.js +1 -0
  8. package/dist/ai/agents/agent-loader.js.map +1 -1
  9. package/dist/ai/agents/agent-registry.d.ts.map +1 -1
  10. package/dist/ai/agents/agent-registry.js.map +1 -1
  11. package/dist/ai/agents/agent-router.d.ts +3 -3
  12. package/dist/ai/agents/agent-router.d.ts.map +1 -1
  13. package/dist/ai/agents/agent-router.js +6 -7
  14. package/dist/ai/agents/agent-router.js.map +1 -1
  15. package/dist/ai/config/schema.js +3 -3
  16. package/dist/ai/config/schema.js.map +1 -1
  17. package/dist/ai/core/provider-registry.d.ts.map +1 -1
  18. package/dist/ai/core/provider-registry.js +47 -16
  19. package/dist/ai/core/provider-registry.js.map +1 -1
  20. package/dist/ai/core/telemetry-engine.d.ts.map +1 -1
  21. package/dist/ai/core/telemetry-engine.js +5 -3
  22. package/dist/ai/core/telemetry-engine.js.map +1 -1
  23. package/dist/ai/delegation/capability-bootstrap.js +1 -1
  24. package/dist/ai/delegation/capability-bootstrap.js.map +1 -1
  25. package/dist/ai/delegation/contract-manager.d.ts +54 -5
  26. package/dist/ai/delegation/contract-manager.d.ts.map +1 -1
  27. package/dist/ai/delegation/contract-manager.js +122 -7
  28. package/dist/ai/delegation/contract-manager.js.map +1 -1
  29. package/dist/ai/delegation/feature-flags.d.ts +1 -1
  30. package/dist/ai/delegation/feature-flags.d.ts.map +1 -1
  31. package/dist/ai/delegation/feature-flags.js +3 -1
  32. package/dist/ai/delegation/feature-flags.js.map +1 -1
  33. package/dist/ai/delegation/index.d.ts +1 -0
  34. package/dist/ai/delegation/index.d.ts.map +1 -1
  35. package/dist/ai/delegation/index.js +2 -0
  36. package/dist/ai/delegation/index.js.map +1 -1
  37. package/dist/ai/delegation/monitoring.d.ts.map +1 -1
  38. package/dist/ai/delegation/monitoring.js +1 -0
  39. package/dist/ai/delegation/monitoring.js.map +1 -1
  40. package/dist/ai/delegation/session-manager.d.ts +16 -1
  41. package/dist/ai/delegation/session-manager.d.ts.map +1 -1
  42. package/dist/ai/delegation/session-manager.js +10 -1
  43. package/dist/ai/delegation/session-manager.js.map +1 -1
  44. package/dist/ai/delegation/session-queue.d.ts.map +1 -1
  45. package/dist/ai/delegation/session-queue.js.map +1 -1
  46. package/dist/ai/examples/integration-demo.d.ts.map +1 -1
  47. package/dist/ai/examples/integration-demo.js +1 -0
  48. package/dist/ai/examples/integration-demo.js.map +1 -1
  49. package/dist/ai/index.d.ts +7 -0
  50. package/dist/ai/index.d.ts.map +1 -1
  51. package/dist/ai/index.js +8 -0
  52. package/dist/ai/index.js.map +1 -1
  53. package/dist/ai/mcp/mcp-registry.d.ts.map +1 -1
  54. package/dist/ai/mcp/mcp-registry.js +1 -1
  55. package/dist/ai/mcp/mcp-registry.js.map +1 -1
  56. package/dist/ai/mcp/servers/analytics/index.d.ts.map +1 -1
  57. package/dist/ai/mcp/servers/analytics/index.js +1 -0
  58. package/dist/ai/mcp/servers/analytics/index.js.map +1 -1
  59. package/dist/ai/mcp/servers/content-manager/index.d.ts.map +1 -1
  60. package/dist/ai/mcp/servers/delegation-monitor/index.js +27 -27
  61. package/dist/ai/mcp/servers/delegation-monitor/index.js.map +1 -1
  62. package/dist/ai/mcp/servers/design-tokens/index.js +1 -1
  63. package/dist/ai/mcp/servers/design-tokens/index.js.map +1 -1
  64. package/dist/ai/mcp/servers/promptintel/index.d.ts.map +1 -1
  65. package/dist/ai/mcp/servers/promptintel/index.js +2 -1
  66. package/dist/ai/mcp/servers/promptintel/index.js.map +1 -1
  67. package/dist/ai/mcp/servers/shared/rate-limiter.d.ts.map +1 -1
  68. package/dist/ai/mcp/servers/shared/rate-limiter.js +1 -0
  69. package/dist/ai/mcp/servers/shared/rate-limiter.js.map +1 -1
  70. package/dist/ai/mcp/servers/shared/redis-client.d.ts.map +1 -1
  71. package/dist/ai/mcp/servers/shared/redis-client.js +2 -0
  72. package/dist/ai/mcp/servers/shared/redis-client.js.map +1 -1
  73. package/dist/ai/mcp/servers/shared/utils.js +12 -18
  74. package/dist/ai/mcp/servers/shared/utils.js.map +1 -1
  75. package/dist/ai/memory/dcyfr-memory.d.ts.map +1 -1
  76. package/dist/ai/memory/dcyfr-memory.js +11 -1
  77. package/dist/ai/memory/dcyfr-memory.js.map +1 -1
  78. package/dist/ai/memory/file-memory-adapter.d.ts +103 -0
  79. package/dist/ai/memory/file-memory-adapter.d.ts.map +1 -0
  80. package/dist/ai/memory/file-memory-adapter.js +532 -0
  81. package/dist/ai/memory/file-memory-adapter.js.map +1 -0
  82. package/dist/ai/memory/index.d.ts +6 -0
  83. package/dist/ai/memory/index.d.ts.map +1 -1
  84. package/dist/ai/memory/index.js +6 -0
  85. package/dist/ai/memory/index.js.map +1 -1
  86. package/dist/ai/memory/mem0-client.d.ts.map +1 -1
  87. package/dist/ai/memory/mem0-client.js +5 -2
  88. package/dist/ai/memory/mem0-client.js.map +1 -1
  89. package/dist/ai/memory/sqlite-index.d.ts +89 -0
  90. package/dist/ai/memory/sqlite-index.d.ts.map +1 -0
  91. package/dist/ai/memory/sqlite-index.js +295 -0
  92. package/dist/ai/memory/sqlite-index.js.map +1 -0
  93. package/dist/ai/memory/types.d.ts.map +1 -1
  94. package/dist/ai/memory/types.js +1 -0
  95. package/dist/ai/memory/types.js.map +1 -1
  96. package/dist/ai/memory/working-memory-persistence.d.ts +79 -0
  97. package/dist/ai/memory/working-memory-persistence.d.ts.map +1 -0
  98. package/dist/ai/memory/working-memory-persistence.js +220 -0
  99. package/dist/ai/memory/working-memory-persistence.js.map +1 -0
  100. package/dist/ai/permissions/attenuation-engine.d.ts.map +1 -1
  101. package/dist/ai/permissions/attenuation-engine.js.map +1 -1
  102. package/dist/ai/reputation/reputation-engine.d.ts +4 -0
  103. package/dist/ai/reputation/reputation-engine.d.ts.map +1 -1
  104. package/dist/ai/reputation/reputation-engine.js +1 -0
  105. package/dist/ai/reputation/reputation-engine.js.map +1 -1
  106. package/dist/ai/runtime/agent-runtime.d.ts.map +1 -1
  107. package/dist/ai/runtime/agent-runtime.js +9 -5
  108. package/dist/ai/runtime/agent-runtime.js.map +1 -1
  109. package/dist/ai/src/batch-processor.d.ts +6 -6
  110. package/dist/ai/src/batch-processor.d.ts.map +1 -1
  111. package/dist/ai/src/batch-processor.js +11 -4
  112. package/dist/ai/src/batch-processor.js.map +1 -1
  113. package/dist/ai/src/capability-bootstrap.d.ts.map +1 -1
  114. package/dist/ai/src/capability-bootstrap.js +1 -0
  115. package/dist/ai/src/capability-bootstrap.js.map +1 -1
  116. package/dist/ai/src/capability-registry.js +1 -1
  117. package/dist/ai/src/capability-registry.js.map +1 -1
  118. package/dist/ai/src/cli/telemetry-dashboard.d.ts +0 -11
  119. package/dist/ai/src/cli/telemetry-dashboard.d.ts.map +1 -1
  120. package/dist/ai/src/cli/telemetry-dashboard.js +12 -6
  121. package/dist/ai/src/cli/telemetry-dashboard.js.map +1 -1
  122. package/dist/ai/src/compaction/context-compactor.d.ts +149 -0
  123. package/dist/ai/src/compaction/context-compactor.d.ts.map +1 -0
  124. package/dist/ai/src/compaction/context-compactor.js +302 -0
  125. package/dist/ai/src/compaction/context-compactor.js.map +1 -0
  126. package/dist/ai/src/compaction/index.d.ts +11 -0
  127. package/dist/ai/src/compaction/index.d.ts.map +1 -0
  128. package/dist/ai/src/compaction/index.js +11 -0
  129. package/dist/ai/src/compaction/index.js.map +1 -0
  130. package/dist/ai/src/compaction/memory-compaction.d.ts +138 -0
  131. package/dist/ai/src/compaction/memory-compaction.d.ts.map +1 -0
  132. package/dist/ai/src/compaction/memory-compaction.js +630 -0
  133. package/dist/ai/src/compaction/memory-compaction.js.map +1 -0
  134. package/dist/ai/src/container/agent-container-dispatcher.d.ts +154 -0
  135. package/dist/ai/src/container/agent-container-dispatcher.d.ts.map +1 -0
  136. package/dist/ai/src/container/agent-container-dispatcher.js +329 -0
  137. package/dist/ai/src/container/agent-container-dispatcher.js.map +1 -0
  138. package/dist/ai/src/container/backend-factory.d.ts +89 -0
  139. package/dist/ai/src/container/backend-factory.d.ts.map +1 -0
  140. package/dist/ai/src/container/backend-factory.js +169 -0
  141. package/dist/ai/src/container/backend-factory.js.map +1 -0
  142. package/dist/ai/src/container/index.d.ts +13 -0
  143. package/dist/ai/src/container/index.d.ts.map +1 -0
  144. package/dist/ai/src/container/index.js +13 -0
  145. package/dist/ai/src/container/index.js.map +1 -0
  146. package/dist/ai/src/container/kubernetes-backend.d.ts +23 -0
  147. package/dist/ai/src/container/kubernetes-backend.d.ts.map +1 -0
  148. package/dist/ai/src/container/kubernetes-backend.js +39 -0
  149. package/dist/ai/src/container/kubernetes-backend.js.map +1 -0
  150. package/dist/ai/src/container/local-docker-backend.d.ts +77 -0
  151. package/dist/ai/src/container/local-docker-backend.d.ts.map +1 -0
  152. package/dist/ai/src/container/local-docker-backend.js +362 -0
  153. package/dist/ai/src/container/local-docker-backend.js.map +1 -0
  154. package/dist/ai/src/container/remote-docker-backend.d.ts +35 -0
  155. package/dist/ai/src/container/remote-docker-backend.d.ts.map +1 -0
  156. package/dist/ai/src/container/remote-docker-backend.js +189 -0
  157. package/dist/ai/src/container/remote-docker-backend.js.map +1 -0
  158. package/dist/ai/src/container/types.d.ts +270 -0
  159. package/dist/ai/src/container/types.d.ts.map +1 -0
  160. package/dist/ai/src/container/types.js +86 -0
  161. package/dist/ai/src/container/types.js.map +1 -0
  162. package/dist/ai/src/delegation/feature-flags.d.ts.map +1 -1
  163. package/dist/ai/src/delegation/feature-flags.js +1 -0
  164. package/dist/ai/src/delegation/feature-flags.js.map +1 -1
  165. package/dist/ai/src/delegation/liability-firebreak.d.ts.map +1 -1
  166. package/dist/ai/src/delegation/liability-firebreak.js +1 -0
  167. package/dist/ai/src/delegation/liability-firebreak.js.map +1 -1
  168. package/dist/ai/src/delegation/security-threat-model.d.ts.map +1 -1
  169. package/dist/ai/src/delegation/security-threat-model.js +1 -1
  170. package/dist/ai/src/delegation/security-threat-model.js.map +1 -1
  171. package/dist/ai/src/delegation-capability-integration.d.ts +1 -1
  172. package/dist/ai/src/delegation-capability-integration.d.ts.map +1 -1
  173. package/dist/ai/src/delegation-capability-integration.js +2 -7
  174. package/dist/ai/src/delegation-capability-integration.js.map +1 -1
  175. package/dist/ai/src/end-to-end-workflow-orchestrator.d.ts.map +1 -1
  176. package/dist/ai/src/end-to-end-workflow-orchestrator.js +2 -1
  177. package/dist/ai/src/end-to-end-workflow-orchestrator.js.map +1 -1
  178. package/dist/ai/src/enhanced-capability-detection.d.ts +1 -1
  179. package/dist/ai/src/enhanced-capability-detection.d.ts.map +1 -1
  180. package/dist/ai/src/enhanced-capability-detection.js +1 -1
  181. package/dist/ai/src/enhanced-capability-detection.js.map +1 -1
  182. package/dist/ai/src/gateway/index.d.ts +6 -0
  183. package/dist/ai/src/gateway/index.d.ts.map +1 -0
  184. package/dist/ai/src/gateway/index.js +6 -0
  185. package/dist/ai/src/gateway/index.js.map +1 -0
  186. package/dist/ai/src/gateway/message-gateway.d.ts +296 -0
  187. package/dist/ai/src/gateway/message-gateway.d.ts.map +1 -0
  188. package/dist/ai/src/gateway/message-gateway.js +415 -0
  189. package/dist/ai/src/gateway/message-gateway.js.map +1 -0
  190. package/dist/ai/src/intelligent-cache-manager.d.ts.map +1 -1
  191. package/dist/ai/src/intelligent-cache-manager.js +2 -1
  192. package/dist/ai/src/intelligent-cache-manager.js.map +1 -1
  193. package/dist/ai/src/mcp/index.d.ts +10 -0
  194. package/dist/ai/src/mcp/index.d.ts.map +1 -0
  195. package/dist/ai/src/mcp/index.js +10 -0
  196. package/dist/ai/src/mcp/index.js.map +1 -0
  197. package/dist/ai/src/mcp/mcp-tool-bridge.d.ts +186 -0
  198. package/dist/ai/src/mcp/mcp-tool-bridge.d.ts.map +1 -0
  199. package/dist/ai/src/mcp/mcp-tool-bridge.js +292 -0
  200. package/dist/ai/src/mcp/mcp-tool-bridge.js.map +1 -0
  201. package/dist/ai/src/mcp-auto-configuration.d.ts.map +1 -1
  202. package/dist/ai/src/mcp-auto-configuration.js +2 -1
  203. package/dist/ai/src/mcp-auto-configuration.js.map +1 -1
  204. package/dist/ai/src/performance-profiler.d.ts.map +1 -1
  205. package/dist/ai/src/performance-profiler.js +1 -0
  206. package/dist/ai/src/performance-profiler.js.map +1 -1
  207. package/dist/ai/src/plugins/anomaly/anomaly-detector.d.ts +58 -0
  208. package/dist/ai/src/plugins/anomaly/anomaly-detector.d.ts.map +1 -0
  209. package/dist/ai/src/plugins/anomaly/anomaly-detector.js +101 -0
  210. package/dist/ai/src/plugins/anomaly/anomaly-detector.js.map +1 -0
  211. package/dist/ai/src/plugins/anomaly/anomaly-monitor.d.ts +145 -0
  212. package/dist/ai/src/plugins/anomaly/anomaly-monitor.d.ts.map +1 -0
  213. package/dist/ai/src/plugins/anomaly/anomaly-monitor.js +245 -0
  214. package/dist/ai/src/plugins/anomaly/anomaly-monitor.js.map +1 -0
  215. package/dist/ai/src/plugins/anomaly/behavior-baseline.d.ts +79 -0
  216. package/dist/ai/src/plugins/anomaly/behavior-baseline.d.ts.map +1 -0
  217. package/dist/ai/src/plugins/anomaly/behavior-baseline.js +161 -0
  218. package/dist/ai/src/plugins/anomaly/behavior-baseline.js.map +1 -0
  219. package/dist/ai/src/plugins/anomaly/index.d.ts +15 -0
  220. package/dist/ai/src/plugins/anomaly/index.d.ts.map +1 -0
  221. package/dist/ai/src/plugins/anomaly/index.js +12 -0
  222. package/dist/ai/src/plugins/anomaly/index.js.map +1 -0
  223. package/dist/ai/src/plugins/anomaly/types.d.ts +150 -0
  224. package/dist/ai/src/plugins/anomaly/types.d.ts.map +1 -0
  225. package/dist/ai/src/plugins/anomaly/types.js +68 -0
  226. package/dist/ai/src/plugins/anomaly/types.js.map +1 -0
  227. package/dist/ai/src/plugins/certification/certification-manager.d.ts +102 -0
  228. package/dist/ai/src/plugins/certification/certification-manager.d.ts.map +1 -0
  229. package/dist/ai/src/plugins/certification/certification-manager.js +321 -0
  230. package/dist/ai/src/plugins/certification/certification-manager.js.map +1 -0
  231. package/dist/ai/src/plugins/certification/index.d.ts +12 -0
  232. package/dist/ai/src/plugins/certification/index.d.ts.map +1 -0
  233. package/dist/ai/src/plugins/certification/index.js +10 -0
  234. package/dist/ai/src/plugins/certification/index.js.map +1 -0
  235. package/dist/ai/src/plugins/certification/types.d.ts +128 -0
  236. package/dist/ai/src/plugins/certification/types.d.ts.map +1 -0
  237. package/dist/ai/src/plugins/certification/types.js +201 -0
  238. package/dist/ai/src/plugins/certification/types.js.map +1 -0
  239. package/dist/ai/src/plugins/escalation/escalation-trigger.d.ts +155 -0
  240. package/dist/ai/src/plugins/escalation/escalation-trigger.d.ts.map +1 -0
  241. package/dist/ai/src/plugins/escalation/escalation-trigger.js +183 -0
  242. package/dist/ai/src/plugins/escalation/escalation-trigger.js.map +1 -0
  243. package/dist/ai/src/plugins/escalation/index.d.ts +11 -0
  244. package/dist/ai/src/plugins/escalation/index.d.ts.map +1 -0
  245. package/dist/ai/src/plugins/escalation/index.js +10 -0
  246. package/dist/ai/src/plugins/escalation/index.js.map +1 -0
  247. package/dist/ai/src/plugins/incidents/incident-response-manager.d.ts +165 -0
  248. package/dist/ai/src/plugins/incidents/incident-response-manager.d.ts.map +1 -0
  249. package/dist/ai/src/plugins/incidents/incident-response-manager.js +462 -0
  250. package/dist/ai/src/plugins/incidents/incident-response-manager.js.map +1 -0
  251. package/dist/ai/src/plugins/incidents/index.d.ts +8 -0
  252. package/dist/ai/src/plugins/incidents/index.d.ts.map +1 -0
  253. package/dist/ai/src/plugins/incidents/index.js +7 -0
  254. package/dist/ai/src/plugins/incidents/index.js.map +1 -0
  255. package/dist/ai/src/plugins/incidents/types.d.ts +183 -0
  256. package/dist/ai/src/plugins/incidents/types.d.ts.map +1 -0
  257. package/dist/ai/src/plugins/incidents/types.js +55 -0
  258. package/dist/ai/src/plugins/incidents/types.js.map +1 -0
  259. package/dist/ai/src/plugins/permissions/index.d.ts +17 -0
  260. package/dist/ai/src/plugins/permissions/index.d.ts.map +1 -0
  261. package/dist/ai/src/plugins/permissions/index.js +14 -0
  262. package/dist/ai/src/plugins/permissions/index.js.map +1 -0
  263. package/dist/ai/src/plugins/permissions/permission-attenuator.d.ts +29 -0
  264. package/dist/ai/src/plugins/permissions/permission-attenuator.d.ts.map +1 -0
  265. package/dist/ai/src/plugins/permissions/permission-attenuator.js +190 -0
  266. package/dist/ai/src/plugins/permissions/permission-attenuator.js.map +1 -0
  267. package/dist/ai/src/plugins/permissions/permission-audit-logger.d.ts +72 -0
  268. package/dist/ai/src/plugins/permissions/permission-audit-logger.d.ts.map +1 -0
  269. package/dist/ai/src/plugins/permissions/permission-audit-logger.js +176 -0
  270. package/dist/ai/src/plugins/permissions/permission-audit-logger.js.map +1 -0
  271. package/dist/ai/src/plugins/permissions/permission-enforcer.d.ts +99 -0
  272. package/dist/ai/src/plugins/permissions/permission-enforcer.d.ts.map +1 -0
  273. package/dist/ai/src/plugins/permissions/permission-enforcer.js +151 -0
  274. package/dist/ai/src/plugins/permissions/permission-enforcer.js.map +1 -0
  275. package/dist/ai/src/plugins/permissions/plugin-permission-validator.d.ts +39 -0
  276. package/dist/ai/src/plugins/permissions/plugin-permission-validator.d.ts.map +1 -0
  277. package/dist/ai/src/plugins/permissions/plugin-permission-validator.js +296 -0
  278. package/dist/ai/src/plugins/permissions/plugin-permission-validator.js.map +1 -0
  279. package/dist/ai/src/plugins/permissions/types.d.ts +116 -0
  280. package/dist/ai/src/plugins/permissions/types.d.ts.map +1 -0
  281. package/dist/ai/src/plugins/permissions/types.js +36 -0
  282. package/dist/ai/src/plugins/permissions/types.js.map +1 -0
  283. package/dist/ai/src/plugins/reputation/index.d.ts +9 -0
  284. package/dist/ai/src/plugins/reputation/index.d.ts.map +1 -0
  285. package/dist/ai/src/plugins/reputation/index.js +8 -0
  286. package/dist/ai/src/plugins/reputation/index.js.map +1 -0
  287. package/dist/ai/src/plugins/reputation/plugin-reputation-db.d.ts +29 -0
  288. package/dist/ai/src/plugins/reputation/plugin-reputation-db.d.ts.map +1 -0
  289. package/dist/ai/src/plugins/reputation/plugin-reputation-db.js +120 -0
  290. package/dist/ai/src/plugins/reputation/plugin-reputation-db.js.map +1 -0
  291. package/dist/ai/src/plugins/reputation/plugin-reputation-engine.d.ts +115 -0
  292. package/dist/ai/src/plugins/reputation/plugin-reputation-engine.d.ts.map +1 -0
  293. package/dist/ai/src/plugins/reputation/plugin-reputation-engine.js +528 -0
  294. package/dist/ai/src/plugins/reputation/plugin-reputation-engine.js.map +1 -0
  295. package/dist/ai/src/plugins/reputation/types.d.ts +149 -0
  296. package/dist/ai/src/plugins/reputation/types.d.ts.map +1 -0
  297. package/dist/ai/src/plugins/reputation/types.js +14 -0
  298. package/dist/ai/src/plugins/reputation/types.js.map +1 -0
  299. package/dist/ai/src/plugins/reviews/index.d.ts +11 -0
  300. package/dist/ai/src/plugins/reviews/index.d.ts.map +1 -0
  301. package/dist/ai/src/plugins/reviews/index.js +10 -0
  302. package/dist/ai/src/plugins/reviews/index.js.map +1 -0
  303. package/dist/ai/src/plugins/reviews/plugin-rating-aggregator.d.ts +116 -0
  304. package/dist/ai/src/plugins/reviews/plugin-rating-aggregator.d.ts.map +1 -0
  305. package/dist/ai/src/plugins/reviews/plugin-rating-aggregator.js +282 -0
  306. package/dist/ai/src/plugins/reviews/plugin-rating-aggregator.js.map +1 -0
  307. package/dist/ai/src/plugins/reviews/types.d.ts +113 -0
  308. package/dist/ai/src/plugins/reviews/types.d.ts.map +1 -0
  309. package/dist/ai/src/plugins/reviews/types.js +55 -0
  310. package/dist/ai/src/plugins/reviews/types.js.map +1 -0
  311. package/dist/ai/src/plugins/runtime/docker-plugin-runner.d.ts +77 -0
  312. package/dist/ai/src/plugins/runtime/docker-plugin-runner.d.ts.map +1 -0
  313. package/dist/ai/src/plugins/runtime/docker-plugin-runner.js +248 -0
  314. package/dist/ai/src/plugins/runtime/docker-plugin-runner.js.map +1 -0
  315. package/dist/ai/src/plugins/runtime/gvisor-plugin-runner.d.ts +99 -0
  316. package/dist/ai/src/plugins/runtime/gvisor-plugin-runner.d.ts.map +1 -0
  317. package/dist/ai/src/plugins/runtime/gvisor-plugin-runner.js +158 -0
  318. package/dist/ai/src/plugins/runtime/gvisor-plugin-runner.js.map +1 -0
  319. package/dist/ai/src/plugins/runtime/index.d.ts +13 -0
  320. package/dist/ai/src/plugins/runtime/index.d.ts.map +1 -0
  321. package/dist/ai/src/plugins/runtime/index.js +11 -0
  322. package/dist/ai/src/plugins/runtime/index.js.map +1 -0
  323. package/dist/ai/src/plugins/runtime/types.d.ts +143 -0
  324. package/dist/ai/src/plugins/runtime/types.d.ts.map +1 -0
  325. package/dist/ai/src/plugins/runtime/types.js +19 -0
  326. package/dist/ai/src/plugins/runtime/types.js.map +1 -0
  327. package/dist/ai/src/plugins/runtime/wasm-plugin-runner.d.ts +104 -0
  328. package/dist/ai/src/plugins/runtime/wasm-plugin-runner.d.ts.map +1 -0
  329. package/dist/ai/src/plugins/runtime/wasm-plugin-runner.js +307 -0
  330. package/dist/ai/src/plugins/runtime/wasm-plugin-runner.js.map +1 -0
  331. package/dist/ai/src/plugins/security/index.d.ts +24 -0
  332. package/dist/ai/src/plugins/security/index.d.ts.map +1 -0
  333. package/dist/ai/src/plugins/security/index.js +23 -0
  334. package/dist/ai/src/plugins/security/index.js.map +1 -0
  335. package/dist/ai/src/plugins/security/license-checker.d.ts +26 -0
  336. package/dist/ai/src/plugins/security/license-checker.d.ts.map +1 -0
  337. package/dist/ai/src/plugins/security/license-checker.js +137 -0
  338. package/dist/ai/src/plugins/security/license-checker.js.map +1 -0
  339. package/dist/ai/src/plugins/security/malware-scanner.d.ts +19 -0
  340. package/dist/ai/src/plugins/security/malware-scanner.d.ts.map +1 -0
  341. package/dist/ai/src/plugins/security/malware-scanner.js +121 -0
  342. package/dist/ai/src/plugins/security/malware-scanner.js.map +1 -0
  343. package/dist/ai/src/plugins/security/plugin-security-scanner.d.ts +36 -0
  344. package/dist/ai/src/plugins/security/plugin-security-scanner.d.ts.map +1 -0
  345. package/dist/ai/src/plugins/security/plugin-security-scanner.js +160 -0
  346. package/dist/ai/src/plugins/security/plugin-security-scanner.js.map +1 -0
  347. package/dist/ai/src/plugins/security/sbom-generator.d.ts +23 -0
  348. package/dist/ai/src/plugins/security/sbom-generator.d.ts.map +1 -0
  349. package/dist/ai/src/plugins/security/sbom-generator.js +115 -0
  350. package/dist/ai/src/plugins/security/sbom-generator.js.map +1 -0
  351. package/dist/ai/src/plugins/security/secret-detector.d.ts +19 -0
  352. package/dist/ai/src/plugins/security/secret-detector.d.ts.map +1 -0
  353. package/dist/ai/src/plugins/security/secret-detector.js +204 -0
  354. package/dist/ai/src/plugins/security/secret-detector.js.map +1 -0
  355. package/dist/ai/src/plugins/security/signature-verifier.d.ts +21 -0
  356. package/dist/ai/src/plugins/security/signature-verifier.d.ts.map +1 -0
  357. package/dist/ai/src/plugins/security/signature-verifier.js +75 -0
  358. package/dist/ai/src/plugins/security/signature-verifier.js.map +1 -0
  359. package/dist/ai/src/plugins/security/sonarcloud-client.d.ts +20 -0
  360. package/dist/ai/src/plugins/security/sonarcloud-client.d.ts.map +1 -0
  361. package/dist/ai/src/plugins/security/sonarcloud-client.js +106 -0
  362. package/dist/ai/src/plugins/security/sonarcloud-client.js.map +1 -0
  363. package/dist/ai/src/plugins/security/trust-score.d.ts +58 -0
  364. package/dist/ai/src/plugins/security/trust-score.d.ts.map +1 -0
  365. package/dist/ai/src/plugins/security/trust-score.js +173 -0
  366. package/dist/ai/src/plugins/security/trust-score.js.map +1 -0
  367. package/dist/ai/src/plugins/security/types.d.ts +220 -0
  368. package/dist/ai/src/plugins/security/types.d.ts.map +1 -0
  369. package/dist/ai/src/plugins/security/types.js +12 -0
  370. package/dist/ai/src/plugins/security/types.js.map +1 -0
  371. package/dist/ai/src/plugins/security/vulnerability-scanner.d.ts +22 -0
  372. package/dist/ai/src/plugins/security/vulnerability-scanner.d.ts.map +1 -0
  373. package/dist/ai/src/plugins/security/vulnerability-scanner.js +109 -0
  374. package/dist/ai/src/plugins/security/vulnerability-scanner.js.map +1 -0
  375. package/dist/ai/src/plugins/tlp/index.d.ts +17 -0
  376. package/dist/ai/src/plugins/tlp/index.d.ts.map +1 -0
  377. package/dist/ai/src/plugins/tlp/index.js +17 -0
  378. package/dist/ai/src/plugins/tlp/index.js.map +1 -0
  379. package/dist/ai/src/plugins/tlp/tlp-classifier.d.ts +55 -0
  380. package/dist/ai/src/plugins/tlp/tlp-classifier.d.ts.map +1 -0
  381. package/dist/ai/src/plugins/tlp/tlp-classifier.js +232 -0
  382. package/dist/ai/src/plugins/tlp/tlp-classifier.js.map +1 -0
  383. package/dist/ai/src/plugins/tlp/tlp-validator.d.ts +97 -0
  384. package/dist/ai/src/plugins/tlp/tlp-validator.d.ts.map +1 -0
  385. package/dist/ai/src/plugins/tlp/tlp-validator.js +120 -0
  386. package/dist/ai/src/plugins/tlp/tlp-validator.js.map +1 -0
  387. package/dist/ai/src/plugins/tlp/types.d.ts +84 -0
  388. package/dist/ai/src/plugins/tlp/types.d.ts.map +1 -0
  389. package/dist/ai/src/plugins/tlp/types.js +20 -0
  390. package/dist/ai/src/plugins/tlp/types.js.map +1 -0
  391. package/dist/ai/src/resource-monitor.d.ts +1 -1
  392. package/dist/ai/src/resource-monitor.d.ts.map +1 -1
  393. package/dist/ai/src/resource-monitor.js +4 -3
  394. package/dist/ai/src/resource-monitor.js.map +1 -1
  395. package/dist/ai/src/runtime/agent-runtime.d.ts +77 -0
  396. package/dist/ai/src/runtime/agent-runtime.d.ts.map +1 -1
  397. package/dist/ai/src/runtime/agent-runtime.js +138 -2
  398. package/dist/ai/src/runtime/agent-runtime.js.map +1 -1
  399. package/dist/ai/src/scheduler/agent-scheduler.d.ts +365 -0
  400. package/dist/ai/src/scheduler/agent-scheduler.d.ts.map +1 -0
  401. package/dist/ai/src/scheduler/agent-scheduler.js +610 -0
  402. package/dist/ai/src/scheduler/agent-scheduler.js.map +1 -0
  403. package/dist/ai/src/scheduler/index.d.ts +6 -0
  404. package/dist/ai/src/scheduler/index.d.ts.map +1 -0
  405. package/dist/ai/src/scheduler/index.js +6 -0
  406. package/dist/ai/src/scheduler/index.js.map +1 -0
  407. package/dist/ai/src/session/index.d.ts +6 -0
  408. package/dist/ai/src/session/index.d.ts.map +1 -0
  409. package/dist/ai/src/session/index.js +6 -0
  410. package/dist/ai/src/session/index.js.map +1 -0
  411. package/dist/ai/src/session/session-manager.d.ts +380 -0
  412. package/dist/ai/src/session/session-manager.d.ts.map +1 -0
  413. package/dist/ai/src/session/session-manager.js +625 -0
  414. package/dist/ai/src/session/session-manager.js.map +1 -0
  415. package/dist/ai/src/skills/index.d.ts +10 -0
  416. package/dist/ai/src/skills/index.d.ts.map +1 -0
  417. package/dist/ai/src/skills/index.js +10 -0
  418. package/dist/ai/src/skills/index.js.map +1 -0
  419. package/dist/ai/src/skills/skill-registry.d.ts +181 -0
  420. package/dist/ai/src/skills/skill-registry.d.ts.map +1 -0
  421. package/dist/ai/src/skills/skill-registry.js +465 -0
  422. package/dist/ai/src/skills/skill-registry.js.map +1 -0
  423. package/dist/ai/src/telemetry/delegation-telemetry.d.ts.map +1 -1
  424. package/dist/ai/src/telemetry/delegation-telemetry.js +1 -0
  425. package/dist/ai/src/telemetry/delegation-telemetry.js.map +1 -1
  426. package/dist/ai/src/telemetry/runtime-telemetry-integration.d.ts +1 -1
  427. package/dist/ai/src/telemetry/runtime-telemetry-integration.d.ts.map +1 -1
  428. package/dist/ai/src/telemetry/runtime-telemetry-integration.js +3 -2
  429. package/dist/ai/src/telemetry/runtime-telemetry-integration.js.map +1 -1
  430. package/dist/ai/src/telemetry/telemetry-utils.d.ts.map +1 -1
  431. package/dist/ai/src/telemetry/telemetry-utils.js +1 -0
  432. package/dist/ai/src/telemetry/telemetry-utils.js.map +1 -1
  433. package/dist/ai/src/types/agent-capabilities.d.ts.map +1 -1
  434. package/dist/ai/src/types/agent-capabilities.js +1 -0
  435. package/dist/ai/src/types/agent-capabilities.js.map +1 -1
  436. package/dist/ai/src/types/delegation-contracts.d.ts +92 -0
  437. package/dist/ai/src/types/delegation-contracts.d.ts.map +1 -1
  438. package/dist/ai/src/types/delegation-contracts.js.map +1 -1
  439. package/dist/ai/src/validation-pipeline-integration.d.ts.map +1 -1
  440. package/dist/ai/src/validation-pipeline-integration.js +1 -2
  441. package/dist/ai/src/validation-pipeline-integration.js.map +1 -1
  442. package/dist/ai/src/verification/multi-modal-formatters.d.ts +1 -1
  443. package/dist/ai/src/verification/multi-modal-formatters.d.ts.map +1 -1
  444. package/dist/ai/src/verification/multi-modal-formatters.js +3 -2
  445. package/dist/ai/src/verification/multi-modal-formatters.js.map +1 -1
  446. package/dist/ai/src/verification/output-formatter.d.ts +1 -1
  447. package/dist/ai/src/verification/output-formatter.d.ts.map +1 -1
  448. package/dist/ai/src/verification/output-formatter.js +2 -1
  449. package/dist/ai/src/verification/output-formatter.js.map +1 -1
  450. package/dist/ai/src/verification/parser-integration.d.ts.map +1 -1
  451. package/dist/ai/src/verification/parser-integration.js.map +1 -1
  452. package/dist/ai/types/agent-capabilities.d.ts +7 -0
  453. package/dist/ai/types/agent-capabilities.d.ts.map +1 -1
  454. package/dist/ai/types/delegation-contracts.d.ts +75 -0
  455. package/dist/ai/types/delegation-contracts.d.ts.map +1 -1
  456. package/dist/ai/types/index.d.ts +3 -3
  457. package/dist/ai/types/index.d.ts.map +1 -1
  458. package/dist/ai/types/index.js.map +1 -1
  459. package/dist/ai/types/permission-tokens.d.ts +23 -0
  460. package/dist/ai/types/permission-tokens.d.ts.map +1 -1
  461. package/dist/ai/types/permission-tokens.js +65 -1
  462. package/dist/ai/types/permission-tokens.js.map +1 -1
  463. package/dist/ai/validation/validation-framework.d.ts.map +1 -1
  464. package/dist/ai/verification/policy-framework.d.ts +1 -1
  465. package/dist/ai/verification/policy-framework.d.ts.map +1 -1
  466. package/dist/ai/verification/policy-framework.js +4 -4
  467. package/dist/ai/verification/policy-framework.js.map +1 -1
  468. package/package.json +33 -4
package/dist/ai/src/plugins/permissions/plugin-permission-validator.js ADDED
@@ -0,0 +1,296 @@
1
+ /**
2
+ * Plugin Permission Validator
3
+ *
4
+ * Validates plugin permission requests against declared capabilities using
5
+ * glob pattern matching. Implements the capability-based least-privilege model.
6
+ *
7
+ * Uses Node.js v22+ built-in `path.matchesGlob()` for filesystem patterns.
8
+ *
9
+ * @module plugins/permissions/plugin-permission-validator
10
+ * @version 1.0.0
11
+ * @date 2026-02-28
12
+ * @license MIT
13
+ */
14
+ import { matchesGlob } from 'node:path';
15
+ // ---------------------------------------------------------------------------
16
+ // Helpers
17
+ // ---------------------------------------------------------------------------
18
+ function matchesAnyGlob(path, patterns) {
19
+ return patterns.some((pattern) => {
20
+ try {
21
+ return matchesGlob(path, pattern);
22
+ }
23
+ catch {
24
+ return false;
25
+ }
26
+ });
27
+ }
28
+ function matchesDomain(hostname, allowedDomains) {
29
+ if (allowedDomains.length === 0)
30
+ return true; // no restrictions
31
+ return allowedDomains.some((domain) => {
32
+ // Support wildcard subdomains: *.github.com matches api.github.com
33
+ if (domain.startsWith('*.')) {
34
+ const suffix = domain.slice(1); // .github.com
35
+ return hostname === domain.slice(2) || hostname.endsWith(suffix);
36
+ }
37
+ return hostname === domain;
38
+ });
39
+ }
40
+ // ---------------------------------------------------------------------------
41
+ // Public validator class
42
+ // ---------------------------------------------------------------------------
43
+ /** Stateless validator — create once and reuse across permission checks */
44
+ export class PluginPermissionValidator {
45
+ permissions;
46
+ constructor(permissions) {
47
+ this.permissions = permissions;
48
+ }
49
+ // -------------------------------------------------------------------------
50
+ // Filesystem
51
+ // -------------------------------------------------------------------------
52
+ /** Check if the plugin may read a given file/directory path */
53
+ checkFileRead(path) {
54
+ const { read } = this.permissions.filesystem;
55
+ const violations = [];
56
+ if (read.length === 0) {
57
+ violations.push({
58
+ category: 'filesystem',
59
+ message: `No read patterns declared — read access denied for "${path}"`,
60
+ requested: path,
61
+ blocking: true,
62
+ });
63
+ return { granted: false, reason: `Filesystem read not declared`, violations };
64
+ }
65
+ if (!matchesAnyGlob(path, read)) {
66
+ violations.push({
67
+ category: 'filesystem',
68
+ message: `Path "${path}" does not match any declared read pattern`,
69
+ requested: path,
70
+ blocking: true,
71
+ });
72
+ return {
73
+ granted: false,
74
+ reason: `Path "${path}" outside declared read patterns`,
75
+ violations,
76
+ };
77
+ }
78
+ return { granted: true, violations: [] };
79
+ }
80
+ /** Check if the plugin may write to a given file/directory path */
81
+ checkFileWrite(path) {
82
+ const { write } = this.permissions.filesystem;
83
+ const violations = [];
84
+ if (write.length === 0) {
85
+ violations.push({
86
+ category: 'filesystem',
87
+ message: `No write patterns declared — write access denied for "${path}"`,
88
+ requested: path,
89
+ blocking: true,
90
+ });
91
+ return { granted: false, reason: `Filesystem write not declared`, violations };
92
+ }
93
+ if (!matchesAnyGlob(path, write)) {
94
+ violations.push({
95
+ category: 'filesystem',
96
+ message: `Path "${path}" does not match any declared write pattern`,
97
+ requested: path,
98
+ blocking: true,
99
+ });
100
+ return {
101
+ granted: false,
102
+ reason: `Path "${path}" outside declared write patterns`,
103
+ violations,
104
+ };
105
+ }
106
+ return { granted: true, violations: [] };
107
+ }
108
+ /** Check if the plugin may delete a given file/directory path */
109
+ checkFileDelete(path) {
110
+ const { delete: del } = this.permissions.filesystem;
111
+ const violations = [];
112
+ if (del.length === 0) {
113
+ violations.push({
114
+ category: 'filesystem',
115
+ message: `No delete patterns declared — delete access denied for "${path}"`,
116
+ requested: path,
117
+ blocking: true,
118
+ });
119
+ return { granted: false, reason: `Filesystem delete not declared`, violations };
120
+ }
121
+ if (!matchesAnyGlob(path, del)) {
122
+ violations.push({
123
+ category: 'filesystem',
124
+ message: `Path "${path}" does not match any declared delete pattern`,
125
+ requested: path,
126
+ blocking: true,
127
+ });
128
+ return {
129
+ granted: false,
130
+ reason: `Path "${path}" outside declared delete patterns`,
131
+ violations,
132
+ };
133
+ }
134
+ return { granted: true, violations: [] };
135
+ }
136
+ // -------------------------------------------------------------------------
137
+ // Network
138
+ // -------------------------------------------------------------------------
139
+ /**
140
+ * Check if the plugin may make a network request to the given hostname.
141
+ * Pass `url` as a full URL string (e.g. "https://api.github.com/repos/...").
142
+ */
143
+ checkNetworkRequest(url) {
144
+ const net = this.permissions.network;
145
+ const violations = [];
146
+ if (!net.allowed) {
147
+ violations.push({
148
+ category: 'network',
149
+ message: `Network access is not permitted`,
150
+ requested: url,
151
+ blocking: true,
152
+ });
153
+ return { granted: false, reason: `Network access disabled`, violations };
154
+ }
155
+ // Extract hostname from URL
156
+ let hostname;
157
+ try {
158
+ hostname = new URL(url).hostname;
159
+ }
160
+ catch {
161
+ violations.push({
162
+ category: 'network',
163
+ message: `Invalid URL: "${url}"`,
164
+ requested: url,
165
+ blocking: true,
166
+ });
167
+ return { granted: false, reason: `Invalid URL`, violations };
168
+ }
169
+ if (net.allowedDomains.length > 0 && !matchesDomain(hostname, net.allowedDomains)) {
170
+ violations.push({
171
+ category: 'network',
172
+ message: `Domain "${hostname}" is not in the allowed domains list`,
173
+ requested: url,
174
+ blocking: true,
175
+ });
176
+ return {
177
+ granted: false,
178
+ reason: `Domain "${hostname}" not in allowedDomains`,
179
+ violations,
180
+ };
181
+ }
182
+ return { granted: true, violations: [] };
183
+ }
184
+ // -------------------------------------------------------------------------
185
+ // Execution
186
+ // -------------------------------------------------------------------------
187
+ /** Check if the plugin may execute a given command */
188
+ checkCommandExecution(command) {
189
+ const exec = this.permissions.execution;
190
+ const violations = [];
191
+ if (!exec.allowShellCommands) {
192
+ // Shell commands entirely disabled
193
+ violations.push({
194
+ category: 'execution',
195
+ message: `Shell commands are not permitted`,
196
+ requested: command,
197
+ blocking: true,
198
+ });
199
+ return { granted: false, reason: 'Shell commands are not permitted', violations };
200
+ }
201
+ // Shell commands enabled — if allowedCommands is empty, allow all.
202
+ // If non-empty it acts as an explicit allowlist.
203
+ if (exec.allowedCommands.length === 0) {
204
+ return { granted: true, violations: [] };
205
+ }
206
+ const allowed = exec.allowedCommands.some((c) => {
207
+ // Match full command or just the executable basename
208
+ const executable = command.split(/\s+/)[0] ?? command;
209
+ return c === executable || c === command;
210
+ });
211
+ if (!allowed) {
212
+ violations.push({
213
+ category: 'execution',
214
+ message: `Command "${command}" is not in the execution allowlist`,
215
+ requested: command,
216
+ blocking: true,
217
+ });
218
+ return {
219
+ granted: false,
220
+ reason: `Command "${command}" not in allowedCommands`,
221
+ violations,
222
+ };
223
+ }
224
+ return { granted: true, violations: [] };
225
+ }
226
+ // -------------------------------------------------------------------------
227
+ // MCP
228
+ // -------------------------------------------------------------------------
229
+ /** Check if the plugin may call a given MCP server */
230
+ checkMcpAccess(serverName) {
231
+ const mcp = this.permissions.mcp;
232
+ const violations = [];
233
+ // Deny takes precedence
234
+ if (mcp.deniedServers.includes(serverName)) {
235
+ violations.push({
236
+ category: 'mcp',
237
+ message: `MCP server "${serverName}" is explicitly denied`,
238
+ requested: serverName,
239
+ blocking: true,
240
+ });
241
+ return { granted: false, reason: `MCP server "${serverName}" denied`, violations };
242
+ }
243
+ // Check allowlist (wildcard '*' allows all non-denied)
244
+ const granted = mcp.allowedServers.includes('*') || mcp.allowedServers.includes(serverName);
245
+ if (!granted) {
246
+ violations.push({
247
+ category: 'mcp',
248
+ message: `MCP server "${serverName}" is not in the allowed servers list`,
249
+ requested: serverName,
250
+ blocking: true,
251
+ });
252
+ return {
253
+ granted: false,
254
+ reason: `MCP server "${serverName}" not in allowedServers`,
255
+ violations,
256
+ };
257
+ }
258
+ return { granted: true, violations: [] };
259
+ }
260
+ // -------------------------------------------------------------------------
261
+ // Data
262
+ // -------------------------------------------------------------------------
263
+ /** Check if the plugin may access environment variables */
264
+ checkEnvAccess() {
265
+ const violations = [];
266
+ if (!this.permissions.data.allowEnvironmentVars) {
267
+ violations.push({
268
+ category: 'data',
269
+ message: `Environment variable access is not permitted`,
270
+ requested: 'process.env',
271
+ blocking: true,
272
+ });
273
+ return {
274
+ granted: false,
275
+ reason: `Environment variable access disabled`,
276
+ violations,
277
+ };
278
+ }
279
+ return { granted: true, violations: [] };
280
+ }
281
+ /** Check if the plugin may access secrets */
282
+ checkSecretAccess() {
283
+ const violations = [];
284
+ if (!this.permissions.data.allowSecretAccess) {
285
+ violations.push({
286
+ category: 'data',
287
+ message: `Secret access is not permitted`,
288
+ requested: 'secrets',
289
+ blocking: true,
290
+ });
291
+ return { granted: false, reason: `Secret access disabled`, violations };
292
+ }
293
+ return { granted: true, violations: [] };
294
+ }
295
+ }
296
+ //# sourceMappingURL=plugin-permission-validator.js.map
package/dist/ai/src/plugins/permissions/plugin-permission-validator.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"plugin-permission-validator.js","sourceRoot":"","sources":["../../../../../packages/ai/src/plugins/permissions/plugin-permission-validator.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAE,WAAW,EAAE,MAAM,WAAW,CAAC;AAOxC,8EAA8E;AAC9E,UAAU;AACV,8EAA8E;AAE9E,SAAS,cAAc,CAAC,IAAY,EAAE,QAAkB;IACtD,OAAO,QAAQ,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE;QAC/B,IAAI,CAAC;YACH,OAAO,WAAW,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;QACpC,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,aAAa,CAAC,QAAgB,EAAE,cAAwB;IAC/D,IAAI,cAAc,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC,CAAC,kBAAkB;IAChE,OAAO,cAAc,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE;QACpC,mEAAmE;QACnE,IAAI,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YAC5B,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,cAAc;YAC9C,OAAO,QAAQ,KAAK,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QACnE,CAAC;QACD,OAAO,QAAQ,KAAK,MAAM,CAAC;IAC7B,CAAC,CAAC,CAAC;AACL,CAAC;AAED,8EAA8E;AAC9E,yBAAyB;AACzB,8EAA8E;AAE9E,2EAA2E;AAC3E,MAAM,OAAO,yBAAyB;IACP;IAA7B,YAA6B,WAA8B;QAA9B,gBAAW,GAAX,WAAW,CAAmB;IAAG,CAAC;IAE/D,4EAA4E;IAC5E,aAAa;IACb,4EAA4E;IAE5E,+DAA+D;IAC/D,aAAa,CAAC,IAAY;QACxB,MAAM,EAAE,IAAI,EAAE,GAAG,IAAI,CAAC,WAAW,CAAC,UAAU,CAAC;QAC7C,MAAM,UAAU,GAA0B,EAAE,CAAC;QAE7C,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACtB,UAAU,CAAC,IAAI,CAAC;gBACd,QAAQ,EAAE,YAAY;gBACtB,OAAO,EAAE,uDAAuD,IAAI,GAAG;gBACvE,SAAS,EAAE,IAAI;gBACf,QAAQ,EAAE,IAAI;aACf,CAAC,CAAC;YACH,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,8BAA8B,EAAE,UAAU,EAAE,CAAC;QAChF,CAAC;QAED,IAAI,CAAC,cAAc,CAAC,IAAI,EAAE,IAAI,CAAC,EAAE,CAAC;YAChC,UAAU,CAAC,IAAI,CAAC;gBACd,QAAQ,EAAE,YAAY;gBACtB,OAAO,EAAE,SAAS,IAAI,4CAA4C;gBAClE,SAAS,EAAE,IAAI;gBACf,QAAQ,EAAE,IAAI;aACf,CAAC,CAAC;YACH,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,SAAS,IAAI,kCAAkC;gBACvD,UAAU;aACX,CAAC;QACJ,CAAC;QAED,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,EAAE,EAAE,CAAC;IAC3C,CAAC;IAED,mEAAmE;IACnE,cAAc,CAAC,IAAY;QACzB,MAAM,EAAE,KAAK,EAAE,GAAG,IAAI,CAAC,WAAW,CAAC,UAAU,CAAC;QAC9C,MAAM,UAAU,GAA0B,EAAE,CAAC;QAE7C,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,UAAU,CAAC,IAAI,CAAC;gBACd,QAAQ,EAAE,YAAY;gBACtB,OAAO,EAAE,yDAAyD,IAAI,GAAG;gBACzE,SAAS,EAAE,IAAI;gBACf,QAAQ,EAAE,IAAI;aACf,CAAC,CAAC;YACH,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,+BAA+B,EAAE,UAAU,EAAE,CAAC;QACjF,CAAC;QAED,IAAI,CAAC,cAAc,CAAC,IAAI,EAAE,KAAK,CAAC,EAAE,CAAC;YACjC,UAAU,CAAC,IAAI,CAAC;gBACd,QAAQ,EAAE,YAAY;gBACtB,OAAO,EAAE,SAAS,IAAI,6CAA6C;gBACnE,SAAS,EAAE,IAAI;gBACf,QAAQ,EAAE,IAAI;aACf,CAAC,CAAC;YACH,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,SAAS,IAAI,mCAAmC;gBACxD,UAAU;aACX,CAAC;QACJ,CAAC;QAED,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,EAAE,EAAE,CAAC;IAC3C,CAAC;IAED,iEAAiE;IACjE,eAAe,CAAC,IAAY;QAC1B,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,WAAW,CAAC,UAAU,CAAC;QACpD,MAAM,UAAU,GAA0B,EAAE,CAAC;QAE7C,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACrB,UAAU,CAAC,IAAI,CAAC;gBACd,QAAQ,EAAE,YAAY;gBACtB,OAAO,EAAE,2DAA2D,IAAI,GAAG;gBAC3E,SAAS,EAAE,IAAI;gBACf,QAAQ,EAAE,IAAI;aACf,CAAC,CAAC;YACH,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,gCAAgC,EAAE,UAAU,EAAE,CAAC;QAClF,CAAC;QAED,IAAI,CAAC,cAAc,CAAC,IAAI,EAAE,GAAG,CAAC,EAAE,CAAC;YAC/B,UAAU,CAAC,IAAI,CAAC;gBACd,QAAQ,EAAE,YAAY;gBACtB,OAAO,EAAE,SAAS,IAAI,8CAA8C;gBACpE,SAAS,EAAE,IAAI;gBACf,QAAQ,EAAE,IAAI;aACf,CAAC,CAAC;YACH,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,SAAS,IAAI,oCAAoC;gBACzD,UAAU;aACX,CAAC;QACJ,CAAC;QAED,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,EAAE,EAAE,CAAC;IAC3C,CAAC;IAED,4EAA4E;IAC5E,UAAU;IACV,4EAA4E;IAE5E;;;OAGG;IACH,mBAAmB,CAAC,GAAW;QAC7B,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC;QACrC,MAAM,UAAU,GAA0B,EAAE,CAAC;QAE7C,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC;YACjB,UAAU,CAAC,IAAI,CAAC;gBACd,QAAQ,EAAE,SAAS;gBACnB,OAAO,EAAE,iCAAiC;gBAC1C,SAAS,EAAE,GAAG;gBACd,QAAQ,EAAE,IAAI;aACf,CAAC,CAAC;YACH,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,yBAAyB,EAAE,UAAU,EAAE,CAAC;QAC3E,CAAC;QAED,4BAA4B;QAC5B,IAAI,QAAgB,CAAC;QACrB,IAAI,CAAC;YACH,QAAQ,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC;QACnC,CAAC;QAAC,MAAM,CAAC;YACP,UAAU,CAAC,IAAI,CAAC;gBACd,QAAQ,EAAE,SAAS;gBACnB,OAAO,EAAE,iBAAiB,GAAG,GAAG;gBAChC,SAAS,EAAE,GAAG;gBACd,QAAQ,EAAE,IAAI;aACf,CAAC,CAAC;YACH,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,aAAa,EAAE,UAAU,EAAE,CAAC;QAC/D,CAAC;QAED,IAAI,GAAG,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,aAAa,CAAC,QAAQ,EAAE,GAAG,CAAC,cAAc,CAAC,EAAE,CAAC;YAClF,UAAU,CAAC,IAAI,CAAC;gBACd,QAAQ,EAAE,SAAS;gBACnB,OAAO,EAAE,WAAW,QAAQ,sCAAsC;gBAClE,SAAS,EAAE,GAAG;gBACd,QAAQ,EAAE,IAAI;aACf,CAAC,CAAC;YACH,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,WAAW,QAAQ,yBAAyB;gBACpD,UAAU;aACX,CAAC;QACJ,CAAC;QAED,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,EAAE,EAAE,CAAC;IAC3C,CAAC;IAED,4EAA4E;IAC5E,YAAY;IACZ,4EAA4E;IAE5E,sDAAsD;IACtD,qBAAqB,CAAC,OAAe;QACnC,MAAM,IAAI,GAAG,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC;QACxC,MAAM,UAAU,GAA0B,EAAE,CAAC;QAE7C,IAAI,CAAC,IAAI,CAAC,kBAAkB,EAAE,CAAC;YAC7B,mCAAmC;YACnC,UAAU,CAAC,IAAI,CAAC;gBACd,QAAQ,EAAE,WAAW;gBACrB,OAAO,EAAE,kCAAkC;gBAC3C,SAAS,EAAE,OAAO;gBAClB,QAAQ,EAAE,IAAI;aACf,CAAC,CAAC;YACH,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,kCAAkC,EAAE,UAAU,EAAE,CAAC;QACpF,CAAC;QAED,mEAAmE;QACnE,iDAAiD;QACjD,IAAI,IAAI,CAAC,eAAe,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACtC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,EAAE,EAAE,CAAC;QAC3C,CAAC;QAED,MAAM,OAAO,GAAG,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE;YAC9C,qDAAqD;YACrD,MAAM,UAAU,GAAG,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,OAAO,CAAC;YACtD,OAAO,CAAC,KAAK,UAAU,IAAI,CAAC,KAAK,OAAO,CAAC;QAC3C,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,UAAU,CAAC,IAAI,CAAC;gBACd,QAAQ,EAAE,WAAW;gBACrB,OAAO,EAAE,YAAY,OAAO,qCAAqC;gBACjE,SAAS,EAAE,OAAO;gBAClB,QAAQ,EAAE,IAAI;aACf,CAAC,CAAC;YACH,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,YAAY,OAAO,0BAA0B;gBACrD,UAAU;aACX,CAAC;QACJ,CAAC;QAED,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,EAAE,EAAE,CAAC;IAC3C,CAAC;IAED,4EAA4E;IAC5E,MAAM;IACN,4EAA4E;IAE5E,sDAAsD;IACtD,cAAc,CAAC,UAAkB;QAC/B,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC;QACjC,MAAM,UAAU,GAA0B,EAAE,CAAC;QAE7C,wBAAwB;QACxB,IAAI,GAAG,CAAC,aAAa,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;YAC3C,UAAU,CAAC,IAAI,CAAC;gBACd,QAAQ,EAAE,KAAK;gBACf,OAAO,EAAE,eAAe,UAAU,wBAAwB;gBAC1D,SAAS,EAAE,UAAU;gBACrB,QAAQ,EAAE,IAAI;aACf,CAAC,CAAC;YACH,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,eAAe,UAAU,UAAU,EAAE,UAAU,EAAE,CAAC;QACrF,CAAC;QAED,uDAAuD;QACvD,MAAM,OAAO,GACX,GAAG,CAAC,cAAc,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,cAAc,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;QAE9E,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,UAAU,CAAC,IAAI,CAAC;gBACd,QAAQ,EAAE,KAAK;gBACf,OAAO,EAAE,eAAe,UAAU,sCAAsC;gBACxE,SAAS,EAAE,UAAU;gBACrB,QAAQ,EAAE,IAAI;aACf,CAAC,CAAC;YACH,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,eAAe,UAAU,yBAAyB;gBAC1D,UAAU;aACX,CAAC;QACJ,CAAC;QAED,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,EAAE,EAAE,CAAC;IAC3C,CAAC;IAED,4EAA4E;IAC5E,OAAO;IACP,4EAA4E;IAE5E,2DAA2D;IAC3D,cAAc;QACZ,MAAM,UAAU,GAA0B,EAAE,CAAC;QAC7C,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,oBAAoB,EAAE,CAAC;YAChD,UAAU,CAAC,IAAI,CAAC;gBACd,QAAQ,EAAE,MAAM;gBAChB,OAAO,EAAE,8CAA8C;gBACvD,SAAS,EAAE,aAAa;gBACxB,QAAQ,EAAE,IAAI;aACf,CAAC,CAAC;YACH,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,sCAAsC;gBAC9C,UAAU;aACX,CAAC;QACJ,CAAC;QACD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,EAAE,EAAE,CAAC;IAC3C,CAAC;IAED,6CAA6C;IAC7C,iBAAiB;QACf,MAAM,UAAU,GAA0B,EAAE,CAAC;QAC7C,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,iBAAiB,EAAE,CAAC;YAC7C,UAAU,CAAC,IAAI,CAAC;gBACd,QAAQ,EAAE,MAAM;gBAChB,OAAO,EAAE,gCAAgC;gBACzC,SAAS,EAAE,SAAS;gBACpB,QAAQ,EAAE,IAAI;aACf,CAAC,CAAC;YACH,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,wBAAwB,EAAE,UAAU,EAAE,CAAC;QAC1E,CAAC;QACD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,EAAE,EAAE,CAAC;IAC3C,CAAC;CACF"}
package/dist/ai/src/plugins/permissions/types.d.ts ADDED
@@ -0,0 +1,116 @@
1
+ /**
2
+ * Plugin Permission Model Types
3
+ *
4
+ * Capability-based permission model for plugin sandboxing. Follows
5
+ * least-privilege (OWASP ASVS 4.0) and is compatible with the
6
+ * delegation security framework.
7
+ *
8
+ * @module plugins/permissions/types
9
+ * @version 1.0.0
10
+ * @date 2026-02-28
11
+ * @license MIT
12
+ */
13
+ /** Filesystem access permissions — controlled by glob patterns */
14
+ export interface FilesystemPermissions {
15
+ /** Glob patterns the plugin may read */
16
+ read: string[];
17
+ /** Glob patterns the plugin may write to */
18
+ write: string[];
19
+ /** Glob patterns the plugin may delete */
20
+ delete: string[];
21
+ }
22
+ /** Network access permissions */
23
+ export interface NetworkPermissions {
24
+ /** Whether any outbound network access is allowed */
25
+ allowed: boolean;
26
+ /** Allowlist of hostnames/domains (empty = allow all when allowed:true) */
27
+ allowedDomains: string[];
28
+ /** Maximum HTTP requests per plugin execution (0 = unlimited when allowed:true) */
29
+ maxRequests: number;
30
+ }
31
+ /** Shell/process execution permissions */
32
+ export interface ExecutionPermissions {
33
+ /** Whether arbitrary shell commands can be spawned */
34
+ allowShellCommands: boolean;
35
+ /**
36
+ * Allowlist of executable names the plugin may run.
37
+ * Only enforced when allowShellCommands:false.
38
+ */
39
+ allowedCommands: string[];
40
+ /** Maximum concurrent child processes (0 = no limit) */
41
+ maxProcesses: number;
42
+ }
43
+ /** MCP server access permissions */
44
+ export interface McpPermissions {
45
+ /** Names of MCP servers the plugin is allowed to call */
46
+ allowedServers: string[];
47
+ /** Names of MCP servers explicitly denied (takes precedence over allowedServers) */
48
+ deniedServers: string[];
49
+ }
50
+ /** Data / environment access permissions */
51
+ export interface DataPermissions {
52
+ /** Whether the plugin may read process.env */
53
+ allowEnvironmentVars: boolean;
54
+ /** Whether the plugin may access secrets (e.g. from a vault) */
55
+ allowSecretAccess: boolean;
56
+ }
57
+ /** Full set of permissions declared by a plugin */
58
+ export interface PluginPermissions {
59
+ filesystem: FilesystemPermissions;
60
+ network: NetworkPermissions;
61
+ execution: ExecutionPermissions;
62
+ mcp: McpPermissions;
63
+ data: DataPermissions;
64
+ }
65
+ /** A single permission violation */
66
+ export interface PermissionViolation {
67
+ /** Permission category that was violated */
68
+ category: keyof PluginPermissions;
69
+ /** Human-readable description of the violation */
70
+ message: string;
71
+ /** The requested resource/action */
72
+ requested: string;
73
+ /** Whether the violation is blocking (true) or a warning (false) */
74
+ blocking: boolean;
75
+ }
76
+ /** Result of validating a permission request */
77
+ export interface PermissionCheckResult {
78
+ /** Whether the permission is granted */
79
+ granted: boolean;
80
+ /** Reason for denial if granted:false */
81
+ reason?: string;
82
+ violations: PermissionViolation[];
83
+ }
84
+ /**
85
+ * Express that a set of permissions is a strict subset of a parent set.
86
+ * Used when a plugin delegates to sub-agents — the sub-agent can only receive
87
+ * permissions the parent already holds.
88
+ */
89
+ export interface AttenuatedPermissions {
90
+ /** Original granted permissions */
91
+ original: PluginPermissions;
92
+ /** Attenuated (narrowed) permissions to pass to sub-agent */
93
+ attenuated: PluginPermissions;
94
+ /** Human-readable description of what was removed */
95
+ removedCapabilities: string[];
96
+ }
97
+ /** Categories of permission audit events */
98
+ export type PermissionAuditEventType = 'permission_granted' | 'permission_denied' | 'permission_attenuated' | 'enforcement_violation';
99
+ /** Structured audit event for a permission decision */
100
+ export interface PermissionAuditEvent {
101
+ timestamp: string;
102
+ eventType: PermissionAuditEventType;
103
+ pluginId: string;
104
+ pluginVersion: string;
105
+ category: keyof PluginPermissions;
106
+ action: string;
107
+ resource: string;
108
+ granted: boolean;
109
+ reason?: string;
110
+ executionId?: string;
111
+ }
112
+ /** Create a fully-locked-down permission set (deny everything) */
113
+ export declare function createDenyAllPermissions(): PluginPermissions;
114
+ /** Create a maximally-permissive permission set (allow everything) */
115
+ export declare function createAllowAllPermissions(): PluginPermissions;
116
+ //# sourceMappingURL=types.d.ts.map
package/dist/ai/src/plugins/permissions/types.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../../../packages/ai/src/plugins/permissions/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAMH,kEAAkE;AAClE,MAAM,WAAW,qBAAqB;IACpC,wCAAwC;IACxC,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,4CAA4C;IAC5C,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,0CAA0C;IAC1C,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB;AAED,iCAAiC;AACjC,MAAM,WAAW,kBAAkB;IACjC,qDAAqD;IACrD,OAAO,EAAE,OAAO,CAAC;IACjB,2EAA2E;IAC3E,cAAc,EAAE,MAAM,EAAE,CAAC;IACzB,mFAAmF;IACnF,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,0CAA0C;AAC1C,MAAM,WAAW,oBAAoB;IACnC,sDAAsD;IACtD,kBAAkB,EAAE,OAAO,CAAC;IAC5B;;;OAGG;IACH,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,wDAAwD;IACxD,YAAY,EAAE,MAAM,CAAC;CACtB;AAED,oCAAoC;AACpC,MAAM,WAAW,cAAc;IAC7B,yDAAyD;IACzD,cAAc,EAAE,MAAM,EAAE,CAAC;IACzB,oFAAoF;IACpF,aAAa,EAAE,MAAM,EAAE,CAAC;CACzB;AAED,4CAA4C;AAC5C,MAAM,WAAW,eAAe;IAC9B,8CAA8C;IAC9C,oBAAoB,EAAE,OAAO,CAAC;IAC9B,gEAAgE;IAChE,iBAAiB,EAAE,OAAO,CAAC;CAC5B;AAMD,mDAAmD;AACnD,MAAM,WAAW,iBAAiB;IAChC,UAAU,EAAE,qBAAqB,CAAC;IAClC,OAAO,EAAE,kBAAkB,CAAC;IAC5B,SAAS,EAAE,oBAAoB,CAAC;IAChC,GAAG,EAAE,cAAc,CAAC;IACpB,IAAI,EAAE,eAAe,CAAC;CACvB;AAMD,oCAAoC;AACpC,MAAM,WAAW,mBAAmB;IAClC,4CAA4C;IAC5C,QAAQ,EAAE,MAAM,iBAAiB,CAAC;IAClC,kDAAkD;IAClD,OAAO,EAAE,MAAM,CAAC;IAChB,oCAAoC;IACpC,SAAS,EAAE,MAAM,CAAC;IAClB,oEAAoE;IACpE,QAAQ,EAAE,OAAO,CAAC;CACnB;AAED,gDAAgD;AAChD,MAAM,WAAW,qBAAqB;IACpC,wCAAwC;IACxC,OAAO,EAAE,OAAO,CAAC;IACjB,yCAAyC;IACzC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,mBAAmB,EAAE,CAAC;CACnC;AAMD;;;;GAIG;AACH,MAAM,WAAW,qBAAqB;IACpC,mCAAmC;IACnC,QAAQ,EAAE,iBAAiB,CAAC;IAC5B,6DAA6D;IAC7D,UAAU,EAAE,iBAAiB,CAAC;IAC9B,qDAAqD;IACrD,mBAAmB,EAAE,MAAM,EAAE,CAAC;CAC/B;AAMD,4CAA4C;AAC5C,MAAM,MAAM,wBAAwB,GAChC,oBAAoB,GACpB,mBAAmB,GACnB,uBAAuB,GACvB,uBAAuB,CAAC;AAE5B,uDAAuD;AACvD,MAAM,WAAW,oBAAoB;IACnC,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,wBAAwB,CAAC;IACpC,QAAQ,EAAE,MAAM,CAAC;IACjB,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,MAAM,iBAAiB,CAAC;IAClC,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAMD,kEAAkE;AAClE,wBAAgB,wBAAwB,IAAI,iBAAiB,CAQ5D;AAED,sEAAsE;AACtE,wBAAgB,yBAAyB,IAAI,iBAAiB,CAQ7D"}
package/dist/ai/src/plugins/permissions/types.js ADDED
@@ -0,0 +1,36 @@
1
+ /**
2
+ * Plugin Permission Model Types
3
+ *
4
+ * Capability-based permission model for plugin sandboxing. Follows
5
+ * least-privilege (OWASP ASVS 4.0) and is compatible with the
6
+ * delegation security framework.
7
+ *
8
+ * @module plugins/permissions/types
9
+ * @version 1.0.0
10
+ * @date 2026-02-28
11
+ * @license MIT
12
+ */
13
+ // ---------------------------------------------------------------------------
14
+ // Default / zero-permission factories
15
+ // ---------------------------------------------------------------------------
16
+ /** Create a fully-locked-down permission set (deny everything) */
17
+ export function createDenyAllPermissions() {
18
+ return {
19
+ filesystem: { read: [], write: [], delete: [] },
20
+ network: { allowed: false, allowedDomains: [], maxRequests: 0 },
21
+ execution: { allowShellCommands: false, allowedCommands: [], maxProcesses: 0 },
22
+ mcp: { allowedServers: [], deniedServers: [] },
23
+ data: { allowEnvironmentVars: false, allowSecretAccess: false },
24
+ };
25
+ }
26
+ /** Create a maximally-permissive permission set (allow everything) */
27
+ export function createAllowAllPermissions() {
28
+ return {
29
+ filesystem: { read: ['**'], write: ['**'], delete: ['**'] },
30
+ network: { allowed: true, allowedDomains: [], maxRequests: 0 },
31
+ execution: { allowShellCommands: true, allowedCommands: [], maxProcesses: 0 },
32
+ mcp: { allowedServers: ['*'], deniedServers: [] },
33
+ data: { allowEnvironmentVars: true, allowSecretAccess: true },
34
+ };
35
+ }
36
+ //# sourceMappingURL=types.js.map
package/dist/ai/src/plugins/permissions/types.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"types.js","sourceRoot":"","sources":["../../../../../packages/ai/src/plugins/permissions/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAwIH,8EAA8E;AAC9E,sCAAsC;AACtC,8EAA8E;AAE9E,kEAAkE;AAClE,MAAM,UAAU,wBAAwB;IACtC,OAAO;QACL,UAAU,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE;QAC/C,OAAO,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,cAAc,EAAE,EAAE,EAAE,WAAW,EAAE,CAAC,EAAE;QAC/D,SAAS,EAAE,EAAE,kBAAkB,EAAE,KAAK,EAAE,eAAe,EAAE,EAAE,EAAE,YAAY,EAAE,CAAC,EAAE;QAC9E,GAAG,EAAE,EAAE,cAAc,EAAE,EAAE,EAAE,aAAa,EAAE,EAAE,EAAE;QAC9C,IAAI,EAAE,EAAE,oBAAoB,EAAE,KAAK,EAAE,iBAAiB,EAAE,KAAK,EAAE;KAChE,CAAC;AACJ,CAAC;AAED,sEAAsE;AACtE,MAAM,UAAU,yBAAyB;IACvC,OAAO;QACL,UAAU,EAAE,EAAE,IAAI,EAAE,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC,IAAI,CAAC,EAAE;QAC3D,OAAO,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,cAAc,EAAE,EAAE,EAAE,WAAW,EAAE,CAAC,EAAE;QAC9D,SAAS,EAAE,EAAE,kBAAkB,EAAE,IAAI,EAAE,eAAe,EAAE,EAAE,EAAE,YAAY,EAAE,CAAC,EAAE;QAC7E,GAAG,EAAE,EAAE,cAAc,EAAE,CAAC,GAAG,CAAC,EAAE,aAAa,EAAE,EAAE,EAAE;QACjD,IAAI,EAAE,EAAE,oBAAoB,EAAE,IAAI,EAAE,iBAAiB,EAAE,IAAI,EAAE;KAC9D,CAAC;AACJ,CAAC"}
package/dist/ai/src/plugins/reputation/index.d.ts ADDED
@@ -0,0 +1,9 @@
1
+ /**
2
+ * Plugin Reputation — barrel export
3
+ *
4
+ * @module plugins/reputation
5
+ */
6
+ export { PluginReputationEngine } from './plugin-reputation-engine.js';
7
+ export { openReputationDb, getSchemaVersion, DEFAULT_DB_PATH } from './plugin-reputation-db.js';
8
+ export type { PluginReputationEngineConfig, PluginReputationRecord, PluginIncidentRecord, PluginAuditRecord, PluginScoreResult, TopPluginResult, UpsertScanInput, PluginTrustScore, AuditEventType, IncidentSeverity, RegistryReputationEntry, } from './types.js';
9
+ //# sourceMappingURL=index.d.ts.map
package/dist/ai/src/plugins/reputation/index.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../packages/ai/src/plugins/reputation/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,sBAAsB,EAAE,MAAM,+BAA+B,CAAC;AACvE,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAC;AAChG,YAAY,EACV,4BAA4B,EAC5B,sBAAsB,EACtB,oBAAoB,EACpB,iBAAiB,EACjB,iBAAiB,EACjB,eAAe,EACf,eAAe,EACf,gBAAgB,EAChB,cAAc,EACd,gBAAgB,EAChB,uBAAuB,GACxB,MAAM,YAAY,CAAC"}
package/dist/ai/src/plugins/reputation/index.js ADDED
@@ -0,0 +1,8 @@
1
+ /**
2
+ * Plugin Reputation — barrel export
3
+ *
4
+ * @module plugins/reputation
5
+ */
6
+ export { PluginReputationEngine } from './plugin-reputation-engine.js';
7
+ export { openReputationDb, getSchemaVersion, DEFAULT_DB_PATH } from './plugin-reputation-db.js';
8
+ //# sourceMappingURL=index.js.map
package/dist/ai/src/plugins/reputation/index.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../../packages/ai/src/plugins/reputation/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,sBAAsB,EAAE,MAAM,+BAA+B,CAAC;AACvE,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAC"}
package/dist/ai/src/plugins/reputation/plugin-reputation-db.d.ts ADDED
@@ -0,0 +1,29 @@
1
+ /**
2
+ * Plugin Reputation Database
3
+ *
4
+ * SQLite schema initialisation and low-level helpers.
5
+ * Uses better-sqlite3 (already a dependency of @dcyfr/ai).
6
+ *
7
+ * Schema:
8
+ * plugins — one row per plugin; stores latest trust score + metadata
9
+ * incidents — security / compliance incidents (N per plugin)
10
+ * audits — append-only event log (N per plugin)
11
+ *
12
+ * @module plugins/reputation/plugin-reputation-db
13
+ * @version 1.0.0
14
+ * @date 2026-02-28
15
+ * @license MIT
16
+ */
17
+ import Database from 'better-sqlite3';
18
+ export declare const DEFAULT_DB_PATH: string;
19
+ /**
20
+ * Open (or create) the plugin reputation SQLite database.
21
+ * Creates parent directories if they don't exist.
22
+ */
23
+ export declare function openReputationDb(dbPath?: string): Database.Database;
24
+ /**
25
+ * Return the schema version recorded in the DB.
26
+ * Returns 0 if the table is empty (fresh database).
27
+ */
28
+ export declare function getSchemaVersion(db: Database.Database): number;
29
+ //# sourceMappingURL=plugin-reputation-db.d.ts.map
package/dist/ai/src/plugins/reputation/plugin-reputation-db.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"plugin-reputation-db.d.ts","sourceRoot":"","sources":["../../../../../packages/ai/src/plugins/reputation/plugin-reputation-db.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,QAAQ,MAAM,gBAAgB,CAAC;AAStC,eAAO,MAAM,eAAe,QAAuD,CAAC;AA+EpF;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,GAAE,MAAwB,GAAG,QAAQ,CAAC,QAAQ,CASpF;AAED;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,EAAE,EAAE,QAAQ,CAAC,QAAQ,GAAG,MAAM,CAK9D"}
package/dist/ai/src/plugins/reputation/plugin-reputation-db.js ADDED
@@ -0,0 +1,120 @@
1
+ /**
2
+ * Plugin Reputation Database
3
+ *
4
+ * SQLite schema initialisation and low-level helpers.
5
+ * Uses better-sqlite3 (already a dependency of @dcyfr/ai).
6
+ *
7
+ * Schema:
8
+ * plugins — one row per plugin; stores latest trust score + metadata
9
+ * incidents — security / compliance incidents (N per plugin)
10
+ * audits — append-only event log (N per plugin)
11
+ *
12
+ * @module plugins/reputation/plugin-reputation-db
13
+ * @version 1.0.0
14
+ * @date 2026-02-28
15
+ * @license MIT
16
+ */
17
+ import Database from 'better-sqlite3';
18
+ import { mkdirSync } from 'node:fs';
19
+ import { dirname, resolve } from 'node:path';
20
+ import { homedir } from 'node:os';
21
+ // ---------------------------------------------------------------------------
22
+ // Default path
23
+ // ---------------------------------------------------------------------------
24
+ export const DEFAULT_DB_PATH = resolve(homedir(), '.dcyfr', 'plugin-reputation.db');
25
+ // ---------------------------------------------------------------------------
26
+ // Schema DDL
27
+ // ---------------------------------------------------------------------------
28
+ const SCHEMA_SQL = /* sql */ `
29
+ PRAGMA journal_mode = WAL;
30
+ PRAGMA foreign_keys = ON;
31
+
32
+ -- ── plugins ────────────────────────────────────────────────────────────────
33
+ CREATE TABLE IF NOT EXISTS plugins (
34
+ plugin_id TEXT PRIMARY KEY,
35
+ name TEXT NOT NULL,
36
+ version TEXT NOT NULL,
37
+ capabilities_json TEXT NOT NULL DEFAULT '[]',
38
+ trust_score REAL NOT NULL DEFAULT 0,
39
+ trust_dimensions_json TEXT NOT NULL DEFAULT '{}',
40
+ last_scanned_at TEXT NOT NULL,
41
+ scan_count INTEGER NOT NULL DEFAULT 0,
42
+ approved_at TEXT,
43
+ registry_source TEXT NOT NULL DEFAULT 'local'
44
+ CHECK (registry_source IN ('local', 'registry')),
45
+ created_at TEXT NOT NULL,
46
+ updated_at TEXT NOT NULL
47
+ );
48
+
49
+ CREATE INDEX IF NOT EXISTS idx_plugins_trust_score
50
+ ON plugins (trust_score DESC);
51
+
52
+ CREATE INDEX IF NOT EXISTS idx_plugins_last_scanned
53
+ ON plugins (last_scanned_at);
54
+
55
+ -- ── incidents ──────────────────────────────────────────────────────────────
56
+ CREATE TABLE IF NOT EXISTS incidents (
57
+ id INTEGER PRIMARY KEY AUTOINCREMENT,
58
+ plugin_id TEXT NOT NULL REFERENCES plugins (plugin_id) ON DELETE CASCADE,
59
+ severity TEXT NOT NULL
60
+ CHECK (severity IN ('critical', 'high', 'medium', 'low', 'info')),
61
+ description TEXT NOT NULL,
62
+ detected_at TEXT NOT NULL,
63
+ resolved_at TEXT
64
+ );
65
+
66
+ CREATE INDEX IF NOT EXISTS idx_incidents_plugin_id
67
+ ON incidents (plugin_id);
68
+
69
+ CREATE INDEX IF NOT EXISTS idx_incidents_severity
70
+ ON incidents (severity);
71
+
72
+ -- ── audits ─────────────────────────────────────────────────────────────────
73
+ CREATE TABLE IF NOT EXISTS audits (
74
+ id INTEGER PRIMARY KEY AUTOINCREMENT,
75
+ plugin_id TEXT NOT NULL,
76
+ event_type TEXT NOT NULL,
77
+ event_data_json TEXT NOT NULL DEFAULT '{}',
78
+ created_at TEXT NOT NULL
79
+ );
80
+
81
+ CREATE INDEX IF NOT EXISTS idx_audits_plugin_id
82
+ ON audits (plugin_id);
83
+
84
+ CREATE INDEX IF NOT EXISTS idx_audits_event_type
85
+ ON audits (event_type);
86
+
87
+ -- ── schema_version ─────────────────────────────────────────────────────────
88
+ CREATE TABLE IF NOT EXISTS schema_version (
89
+ version INTEGER NOT NULL,
90
+ applied_at TEXT NOT NULL
91
+ );
92
+
93
+ INSERT OR IGNORE INTO schema_version (version, applied_at)
94
+ VALUES (1, datetime('now'));
95
+ `;
96
+ // ---------------------------------------------------------------------------
97
+ // Factory
98
+ // ---------------------------------------------------------------------------
99
+ /**
100
+ * Open (or create) the plugin reputation SQLite database.
101
+ * Creates parent directories if they don't exist.
102
+ */
103
+ export function openReputationDb(dbPath = DEFAULT_DB_PATH) {
104
+ if (dbPath !== ':memory:') {
105
+ const dir = dirname(dbPath);
106
+ mkdirSync(dir, { recursive: true });
107
+ }
108
+ const db = new Database(dbPath);
109
+ db.exec(SCHEMA_SQL);
110
+ return db;
111
+ }
112
+ /**
113
+ * Return the schema version recorded in the DB.
114
+ * Returns 0 if the table is empty (fresh database).
115
+ */
116
+ export function getSchemaVersion(db) {
117
+ const row = db.prepare('SELECT version FROM schema_version ORDER BY version DESC LIMIT 1').get();
118
+ return row?.version ?? 0;
119
+ }
120
+ //# sourceMappingURL=plugin-reputation-db.js.map
package/dist/ai/src/plugins/reputation/plugin-reputation-db.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"plugin-reputation-db.js","sourceRoot":"","sources":["../../../../../packages/ai/src/plugins/reputation/plugin-reputation-db.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,QAAQ,MAAM,gBAAgB,CAAC;AACtC,OAAO,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AACpC,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAC7C,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAElC,8EAA8E;AAC9E,eAAe;AACf,8EAA8E;AAE9E,MAAM,CAAC,MAAM,eAAe,GAAG,OAAO,CAAC,OAAO,EAAE,EAAE,QAAQ,EAAE,sBAAsB,CAAC,CAAC;AAEpF,8EAA8E;AAC9E,aAAa;AACb,8EAA8E;AAE9E,MAAM,UAAU,GAAG,SAAS,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAmE5B,CAAC;AAEF,8EAA8E;AAC9E,UAAU;AACV,8EAA8E;AAE9E;;;GAGG;AACH,MAAM,UAAU,gBAAgB,CAAC,SAAiB,eAAe;IAC/D,IAAI,MAAM,KAAK,UAAU,EAAE,CAAC;QAC1B,MAAM,GAAG,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;QAC5B,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACtC,CAAC;IAED,MAAM,EAAE,GAAG,IAAI,QAAQ,CAAC,MAAM,CAAC,CAAC;IAChC,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IACpB,OAAO,EAAE,CAAC;AACZ,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,gBAAgB,CAAC,EAAqB;IACpD,MAAM,GAAG,GAAG,EAAE,CAAC,OAAO,CACpB,kEAAkE,CACnE,CAAC,GAAG,EAAqC,CAAC;IAC3C,OAAO,GAAG,EAAE,OAAO,IAAI,CAAC,CAAC;AAC3B,CAAC"}