@dcyfr/ai 2.1.3 → 3.0.0

package/dist/ai/src/plugins/tlp/tlp-classifier.d.ts

@@ -0,0 +1,55 @@
+/**
+ * TLP Classifier for Plugin Marketplace
+ *
+ * Analyzes a plugin's PluginPermissions manifest and derives an appropriate
+ * TLP 2.0 classification level using a deterministic rule-set. Rules are
+ * evaluated in escalating order; the highest triggered level wins.
+ *
+ * Classification rules (highest → lowest priority):
+ *   RED   — secret access, unrestricted shell execution, or deleting sensitive paths
+ *   AMBER — network egress, restricted shell, env-var access, or writing sensitive paths
+ *   GREEN — any filesystem write/delete, any MCP server access
+ *   CLEAR — read-only, no network, no shell, no secrets (default)
+ *
+ * @module plugins/tlp/tlp-classifier
+ * @version 1.0.0
+ * @date 2026-02-28
+ * @license MIT
+ */
+import { TlpLevel, TlpBadge, TlpClassificationResult, PluginTlpInput } from './types.js';
+declare const BADGES: Record<TlpLevel, TlpBadge>;
+/**
+ * Classifies a plugin's permissions into a TLP 2.0 level.
+ *
+ * @param input - Plugin id + full PluginPermissions
+ * @returns A TlpClassificationResult with the level, all triggered reasons, and badge
+ *
+ * @example
+ * ```ts
+ * const result = classifyPlugin({
+ *   plugin_id: 'dcyfr/secret-detector',
+ *   permissions: { ...noNetworkReadOnly },
+ * });
+ * console.log(result.level); // 'CLEAR'
+ * ```
+ */
+export declare function classifyPlugin(input: PluginTlpInput): TlpClassificationResult;
+/**
+ * Returns the TLP badge metadata for a given level, for use in UI rendering.
+ *
+ * @param level - TLP classification level
+ * @returns TlpBadge with color, label, tooltip, and description
+ *
+ * @example
+ * ```ts
+ * const badge = getTlpBadge('AMBER');
+ * // { color: '#FFC000', label: 'TLP:AMBER', ... }
+ * ```
+ */
+export declare function getTlpBadge(level: TlpLevel): TlpBadge;
+/**
+ * Returns all four TLP badges, useful for rendering a legend.
+ */
+export declare function getAllTlpBadges(): TlpBadge[];
+export { BADGES as TLP_BADGES };
+//# sourceMappingURL=tlp-classifier.d.ts.map

package/dist/ai/src/plugins/tlp/tlp-classifier.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tlp-classifier.d.ts","sourceRoot":"","sources":["../../../../../packages/ai/src/plugins/tlp/tlp-classifier.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAGH,OAAO,EACL,QAAQ,EAER,QAAQ,EAER,uBAAuB,EACvB,cAAc,EACf,MAAM,YAAY,CAAC;AAMpB,QAAA,MAAM,MAAM,EAAE,MAAM,CAAC,QAAQ,EAAE,QAAQ,CA6BtC,CAAC;AAmJF;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,cAAc,CAAC,KAAK,EAAE,cAAc,GAAG,uBAAuB,CAwB7E;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,WAAW,CAAC,KAAK,EAAE,QAAQ,GAAG,QAAQ,CAErD;AAED;;GAEG;AACH,wBAAgB,eAAe,IAAI,QAAQ,EAAE,CAE5C;AAGD,OAAO,EAAE,MAAM,IAAI,UAAU,EAAE,CAAC"}

package/dist/ai/src/plugins/tlp/tlp-classifier.js

@@ -0,0 +1,232 @@
+/**
+ * TLP Classifier for Plugin Marketplace
+ *
+ * Analyzes a plugin's PluginPermissions manifest and derives an appropriate
+ * TLP 2.0 classification level using a deterministic rule-set. Rules are
+ * evaluated in escalating order; the highest triggered level wins.
+ *
+ * Classification rules (highest → lowest priority):
+ *   RED   — secret access, unrestricted shell execution, or deleting sensitive paths
+ *   AMBER — network egress, restricted shell, env-var access, or writing sensitive paths
+ *   GREEN — any filesystem write/delete, any MCP server access
+ *   CLEAR — read-only, no network, no shell, no secrets (default)
+ *
+ * @module plugins/tlp/tlp-classifier
+ * @version 1.0.0
+ * @date 2026-02-28
+ * @license MIT
+ */
+import { TLP_RANK, } from './types.js';
+// ---------------------------------------------------------------------------
+// Badge definitions (TLP 2.0 spec colors)
+// ---------------------------------------------------------------------------
+const BADGES = {
+    CLEAR: {
+        level: 'CLEAR',
+        color: '#FFFFFF',
+        label: 'TLP:CLEAR',
+        tooltip: 'No restriction — safe to redistribute publicly',
+        description: 'This plugin has read-only, no-network, no-shell permissions. Safe for all users.',
+    },
+    GREEN: {
+        level: 'GREEN',
+        color: '#33FF00',
+        label: 'TLP:GREEN',
+        tooltip: 'Limited community distribution',
+        description: 'This plugin can write files or access MCP servers. Share within your organization.',
+    },
+    AMBER: {
+        level: 'AMBER',
+        color: '#FFC000',
+        label: 'TLP:AMBER',
+        tooltip: 'Limited distribution — need-to-know',
+        description: 'This plugin accesses the network, environment variables, or shell. Restricted to vetted users.',
+    },
+    RED: {
+        level: 'RED',
+        color: '#FF2B2B',
+        label: 'TLP:RED',
+        tooltip: 'Restricted — individual recipients only',
+        description: 'This plugin accesses secrets, runs unrestricted shell commands, or deletes sensitive paths. Human approval required.',
+    },
+};
+// ---------------------------------------------------------------------------
+// Sensitive path patterns
+// ---------------------------------------------------------------------------
+const SENSITIVE_WRITE_PATTERNS = [
+    '.env', 'secrets', '.ssh', '.aws', '.gnupg',
+    '.npmrc', '.docker/config.json', 'credentials',
+];
+const SENSITIVE_DELETE_PATTERNS = [
+    'src', 'node_modules', '.git', 'dist', 'build', 'package.json',
+];
+/**
+ * Write check: pattern contains a sensitive keyword anywhere (e.g. ".env.production" contains ".env").
+ */
+function matchesSensitiveWritePath(patterns, sensitiveList) {
+    return patterns.some(p => sensitiveList.some(s => p.toLowerCase().includes(s.toLowerCase())));
+}
+/**
+ * Delete check: pattern starts with a sensitive root directory name.
+ * Uses startsWith to avoid '/' matching any path that has a slash.
+ */
+function matchesSensitiveDeletePath(patterns, sensitiveList) {
+    return patterns.some(p => sensitiveList.some(s => p === s ||
+        p.startsWith(s + '/') ||
+        p.startsWith(s + '\\')));
+}
+const RULES = [
+    // -------- RED rules --------
+    {
+        id: 'RED:secret-access',
+        level: 'RED',
+        description: 'Plugin requests secret vault access',
+        test: (p) => ({ triggered: p.data.allowSecretAccess }),
+    },
+    {
+        id: 'RED:unrestricted-shell',
+        level: 'RED',
+        description: 'Plugin allows shell commands with no command allowlist',
+        test: (p) => ({
+            triggered: p.execution.allowShellCommands && p.execution.allowedCommands.length === 0,
+        }),
+    },
+    {
+        id: 'RED:sensitive-delete',
+        level: 'RED',
+        description: 'Plugin deletes sensitive filesystem paths',
+        test: (p) => ({
+            triggered: p.filesystem.delete.length > 0 &&
+                matchesSensitiveDeletePath(p.filesystem.delete, SENSITIVE_DELETE_PATTERNS),
+            detail: p.filesystem.delete.join(', '),
+        }),
+    },
+    // -------- AMBER rules --------
+    {
+        id: 'AMBER:network-egress',
+        level: 'AMBER',
+        description: 'Plugin makes outbound network requests',
+        test: (p) => ({
+            triggered: p.network.allowed,
+            detail: p.network.allowedDomains.length > 0
+                ? `domains: ${p.network.allowedDomains.join(', ')}` : undefined,
+        }),
+    },
+    {
+        id: 'AMBER:restricted-shell',
+        level: 'AMBER',
+        description: 'Plugin executes shell commands (restricted allowlist)',
+        test: (p) => ({
+            triggered: p.execution.allowShellCommands && p.execution.allowedCommands.length > 0,
+            detail: `commands: ${p.execution.allowedCommands.join(', ')}`,
+        }),
+    },
+    {
+        id: 'AMBER:env-vars',
+        level: 'AMBER',
+        description: 'Plugin reads environment variables',
+        test: (p) => ({ triggered: p.data.allowEnvironmentVars }),
+    },
+    {
+        id: 'AMBER:sensitive-write',
+        level: 'AMBER',
+        description: 'Plugin writes to sensitive filesystem paths',
+        test: (p) => ({
+            triggered: p.filesystem.write.length > 0 &&
+                matchesSensitiveWritePath(p.filesystem.write, SENSITIVE_WRITE_PATTERNS),
+            detail: p.filesystem.write.join(', '),
+        }),
+    },
+    // -------- GREEN rules --------
+    {
+        id: 'GREEN:filesystem-write',
+        level: 'GREEN',
+        description: 'Plugin writes to the filesystem',
+        test: (p) => ({
+            triggered: p.filesystem.write.length > 0,
+            detail: p.filesystem.write.join(', '),
+        }),
+    },
+    {
+        id: 'GREEN:filesystem-delete',
+        level: 'GREEN',
+        description: 'Plugin deletes filesystem entries',
+        test: (p) => ({
+            triggered: p.filesystem.delete.length > 0,
+            detail: p.filesystem.delete.join(', '),
+        }),
+    },
+    {
+        id: 'GREEN:mcp-access',
+        level: 'GREEN',
+        description: 'Plugin calls MCP servers',
+        test: (p) => ({
+            triggered: p.mcp.allowedServers.length > 0,
+            detail: `servers: ${p.mcp.allowedServers.join(', ')}`,
+        }),
+    },
+];
+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+/**
+ * Classifies a plugin's permissions into a TLP 2.0 level.
+ *
+ * @param input - Plugin id + full PluginPermissions
+ * @returns A TlpClassificationResult with the level, all triggered reasons, and badge
+ *
+ * @example
+ * ```ts
+ * const result = classifyPlugin({
+ *   plugin_id: 'dcyfr/secret-detector',
+ *   permissions: { ...noNetworkReadOnly },
+ * });
+ * console.log(result.level); // 'CLEAR'
+ * ```
+ */
+export function classifyPlugin(input) {
+    const triggered = [];
+    for (const rule of RULES) {
+        const { triggered: hit, detail } = rule.test(input.permissions);
+        if (hit) {
+            triggered.push({
+                rule: rule.id,
+                reason: detail ? `${rule.description} (${detail})` : rule.description,
+                level: rule.level,
+            });
+        }
+    }
+    const finalLevel = triggered.reduce((max, r) => {
+        return TLP_RANK[r.level] > TLP_RANK[max] ? r.level : max;
+    }, 'CLEAR');
+    return {
+        level: finalLevel,
+        reasons: triggered,
+        elevated: TLP_RANK[finalLevel] >= TLP_RANK['AMBER'],
+        badge: BADGES[finalLevel],
+    };
+}
+/**
+ * Returns the TLP badge metadata for a given level, for use in UI rendering.
+ *
+ * @param level - TLP classification level
+ * @returns TlpBadge with color, label, tooltip, and description
+ *
+ * @example
+ * ```ts
+ * const badge = getTlpBadge('AMBER');
+ * // { color: '#FFC000', label: 'TLP:AMBER', ... }
+ * ```
+ */
+export function getTlpBadge(level) {
+    return BADGES[level];
+}
+/**
+ * Returns all four TLP badges, useful for rendering a legend.
+ */
+export function getAllTlpBadges() {
+    return ['CLEAR', 'GREEN', 'AMBER', 'RED'].map(l => BADGES[l]);
+}
+// Re-export badge map for advanced consumers
+export { BADGES as TLP_BADGES };
+//# sourceMappingURL=tlp-classifier.js.map

package/dist/ai/src/plugins/tlp/tlp-classifier.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tlp-classifier.js","sourceRoot":"","sources":["../../../../../packages/ai/src/plugins/tlp/tlp-classifier.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAGH,OAAO,EAEL,QAAQ,GAKT,MAAM,YAAY,CAAC;AAEpB,8EAA8E;AAC9E,0CAA0C;AAC1C,8EAA8E;AAE9E,MAAM,MAAM,GAA+B;IACzC,KAAK,EAAE;QACL,KAAK,EAAQ,OAAO;QACpB,KAAK,EAAQ,SAAS;QACtB,KAAK,EAAQ,WAAW;QACxB,OAAO,EAAM,gDAAgD;QAC7D,WAAW,EAAE,kFAAkF;KAChG;IACD,KAAK,EAAE;QACL,KAAK,EAAQ,OAAO;QACpB,KAAK,EAAQ,SAAS;QACtB,KAAK,EAAQ,WAAW;QACxB,OAAO,EAAM,gCAAgC;QAC7C,WAAW,EAAE,oFAAoF;KAClG;IACD,KAAK,EAAE;QACL,KAAK,EAAQ,OAAO;QACpB,KAAK,EAAQ,SAAS;QACtB,KAAK,EAAQ,WAAW;QACxB,OAAO,EAAM,qCAAqC;QAClD,WAAW,EAAE,gGAAgG;KAC9G;IACD,GAAG,EAAE;QACH,KAAK,EAAQ,KAAK;QAClB,KAAK,EAAQ,SAAS;QACtB,KAAK,EAAQ,SAAS;QACtB,OAAO,EAAM,yCAAyC;QACtD,WAAW,EAAE,sHAAsH;KACpI;CACF,CAAC;AAEF,8EAA8E;AAC9E,0BAA0B;AAC1B,8EAA8E;AAE9E,MAAM,wBAAwB,GAAG;IAC/B,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ;IAC3C,QAAQ,EAAE,qBAAqB,EAAE,aAAa;CAC/C,CAAC;AAEF,MAAM,yBAAyB,GAAG;IAChC,KAAK,EAAE,cAAc,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,cAAc;CAC/D,CAAC;AAEF;;GAEG;AACH,SAAS,yBAAyB,CAAC,QAAkB,EAAE,aAAuB;IAC5E,OAAO,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CACvB,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,CACnE,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,SAAS,0BAA0B,CAAC,QAAkB,EAAE,aAAuB;IAC7E,OAAO,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CACvB,aAAa,CAAC,IAAI,CAChB,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC;QACP,CAAC,CAAC,UAAU,CAAC,CAAC,GAAG,GAAG,CAAC;QACrB,CAAC,CAAC,UAAU,CAAC,CAAC,GAAG,IAAI,CAAC,CAC5B,CACF,CAAC;AACJ,CAAC;AAaD,MAAM,KAAK,GAAW;IACpB,8BAA8B;IAC9B;QACE,EAAE,EAAE,mBAAmB;QACvB,KAAK,EAAE,KAAK;QACZ,WAAW,EAAE,qCAAqC;QAClD,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,SAAS,EAAE,CAAC,CAAC,IAAI,CAAC,iBAAiB,EAAE,CAAC;KACvD;IACD;QACE,EAAE,EAAE,wBAAwB;QAC5B,KAAK,EAAE,KAAK;QACZ,WAAW,EAAE,wDAAwD;QACrE,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YACZ,SAAS,EAAE,CAAC,CAAC,SAAS,CAAC,kBAAkB,IAAI,CAAC,CAAC,SAAS,CAAC,eAAe,CAAC,MAAM,KAAK,CAAC;SACtF,CAAC;KACH;IACD;QACE,EAAE,EAAE,sBAAsB;QAC1B,KAAK,EAAE,KAAK;QACZ,WAAW,EAAE,2CAA2C;QACxD,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YACZ,SAAS,EAAE,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC;gBAC9B,0BAA0B,CAAC,CAAC,CAAC,UAAU,CAAC,MAAM,EAAE,yBAAyB,CAAC;YACrF,MAAM,EAAE,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC;SACvC,CAAC;KACH;IAED,gCAAgC;IAChC;QACE,EAAE,EAAE,sBAAsB;QAC1B,KAAK,EAAE,OAAO;QACd,WAAW,EAAE,wCAAwC;QACrD,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YACZ,SAAS,EAAE,CAAC,CAAC,OAAO,CAAC,OAAO;YAC5B,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC;gBACzC,CAAC,CAAC,YAAY,CAAC,CAAC,OAAO,CAAC,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC,SAAS;SAClE,CAAC;KACH;IACD;QACE,EAAE,EAAE,wBAAwB;QAC5B,KAAK,EAAE,OAAO;QACd,WAAW,EAAE,uDAAuD;QACpE,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YACZ,SAAS,EAAE,CAAC,CAAC,SAAS,CAAC,kBAAkB,IAAI,CAAC,CAAC,SAAS,CAAC,eAAe,CAAC,MAAM,GAAG,CAAC;YACnF,MAAM,EAAE,aAAa,CAAC,CAAC,SAAS,CAAC,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;SAC9D,CAAC;KACH;IACD;QACE,EAAE,EAAE,gBAAgB;QACpB,KAAK,EAAE,OAAO;QACd,WAAW,EAAE,oCAAoC;QACjD,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,SAAS,EAAE,CAAC,CAAC,IAAI,CAAC,oBAAoB,EAAE,CAAC;KAC1D;IACD;QACE,EAAE,EAAE,uBAAuB;QAC3B,KAAK,EAAE,OAAO;QACd,WAAW,EAAE,6CAA6C;QAC1D,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YACZ,SAAS,EAAE,CAAC,CAAC,UAAU,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC;gBAC7B,yBAAyB,CAAC,CAAC,CAAC,UAAU,CAAC,KAAK,EAAE,wBAAwB,CAAC;YAClF,MAAM,EAAE,CAAC,CAAC,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC;SACtC,CAAC;KACH;IAED,gCAAgC;IAChC;QACE,EAAE,EAAE,wBAAwB;QAC5B,KAAK,EAAE,OAAO;QACd,WAAW,EAAE,iCAAiC;QAC9C,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YACZ,SAAS,EAAE,CAAC,CAAC,UAAU,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC;YACxC,MAAM,EAAE,CAAC,CAAC,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC;SACtC,CAAC;KACH;IACD;QACE,EAAE,EAAE,yBAAyB;QAC7B,KAAK,EAAE,OAAO;QACd,WAAW,EAAE,mCAAmC;QAChD,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YACZ,SAAS,EAAE,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC;YACzC,MAAM,EAAE,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC;SACvC,CAAC;KACH;IACD;QACE,EAAE,EAAE,kBAAkB;QACtB,KAAK,EAAE,OAAO;QACd,WAAW,EAAE,0BAA0B;QACvC,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YACZ,SAAS,EAAE,CAAC,CAAC,GAAG,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC;YAC1C,MAAM,EAAE,YAAY,CAAC,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;SACtD,CAAC;KACH;CACF,CAAC;AAEF,8EAA8E;AAC9E,aAAa;AACb,8EAA8E;AAE9E;;;;;;;;;;;;;;GAcG;AACH,MAAM,UAAU,cAAc,CAAC,KAAqB;IAClD,MAAM,SAAS,GAA8B,EAAE,CAAC;IAEhD,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,EAAE,SAAS,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;QAChE,IAAI,GAAG,EAAE,CAAC;YACR,SAAS,CAAC,IAAI,CAAC;gBACb,IAAI,EAAI,IAAI,CAAC,EAAE;gBACf,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,WAAW,KAAK,MAAM,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW;gBACrE,KAAK,EAAG,IAAI,CAAC,KAAK;aACnB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,MAAM,UAAU,GAAa,SAAS,CAAC,MAAM,CAAW,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE;QACjE,OAAO,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC;IAC3D,CAAC,EAAE,OAAO,CAAC,CAAC;IAEZ,OAAO;QACL,KAAK,EAAK,UAAU;QACpB,OAAO,EAAG,SAAS;QACnB,QAAQ,EAAE,QAAQ,CAAC,UAAU,CAAC,IAAI,QAAQ,CAAC,OAAO,CAAC;QACnD,KAAK,EAAK,MAAM,CAAC,UAAU,CAAC;KAC7B,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,WAAW,CAAC,KAAe;IACzC,OAAO,MAAM,CAAC,KAAK,CAAC,CAAC;AACvB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe;IAC7B,OAAO,CAAC,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,MAAM,CAAC,CAAa,CAAC,CAAC,CAAC;AAC5E,CAAC;AAED,6CAA6C;AAC7C,OAAO,EAAE,MAAM,IAAI,UAAU,EAAE,CAAC"}

package/dist/ai/src/plugins/tlp/tlp-validator.d.ts

@@ -0,0 +1,97 @@
+/**
+ * TLP Clearance Validator for Plugin Marketplace
+ *
+ * Validates whether a user or agent has sufficient TLP clearance to
+ * install or execute a plugin at a given classification level.
+ *
+ * Clearance hierarchy (permissive upward):
+ *   CLEAR ⊂ GREEN ⊂ AMBER ⊂ RED
+ *
+ * A subject with clearance X may access any resource classified at X or below.
+ *
+ * Integration point: pair with classifyPlugin() from tlp-classifier.ts —
+ * classify the plugin first, then call checkClearance() before installing.
+ *
+ * @module plugins/tlp/tlp-validator
+ * @version 1.0.0
+ * @date 2026-02-28
+ * @license MIT
+ */
+import { TlpLevel, TlpClearanceProfile, TlpClearanceCheckResult, TlpClassificationResult } from './types.js';
+/**
+ * Checks whether a subject's clearance level permits access to a resource
+ * at the given TLP classification.
+ *
+ * @param subject  - Subject's clearance profile
+ * @param required - Required classification level of the resource
+ * @returns TlpClearanceCheckResult — allowed flag + denial reason if blocked
+ *
+ * @example
+ * ```ts
+ * const result = checkClearance(
+ *   { subjectId: 'user-123', clearance: 'GREEN' },
+ *   'AMBER',
+ * );
+ * result.allowed; // false — GREEN < AMBER
+ * ```
+ */
+export declare function checkClearance(subject: TlpClearanceProfile, required: TlpLevel): TlpClearanceCheckResult;
+/**
+ * Validates plugin installation for a given subject.
+ * Convenience wrapper combining a full classification result with a clearance check.
+ *
+ * @param subject        - Subject's clearance profile
+ * @param classification - Full TLP classification result from classifyPlugin()
+ * @returns TlpClearanceCheckResult
+ *
+ * @example
+ * ```ts
+ * const classification = classifyPlugin({ plugin_id: 'x', permissions });
+ * const check = validatePluginInstall(
+ *   { subjectId: 'agent-1', clearance: 'AMBER' },
+ *   classification,
+ * );
+ * if (!check.allowed) throw new Error(check.denyReason);
+ * ```
+ */
+export declare function validatePluginInstall(subject: TlpClearanceProfile, classification: TlpClassificationResult): TlpClearanceCheckResult;
+/** Result for a single plugin in a batch validation */
+export interface BatchValidationEntry {
+    pluginId: string;
+    level: TlpLevel;
+    result: TlpClearanceCheckResult;
+}
+/**
+ * Validates multiple plugins against a single subject's clearance.
+ * Useful for marketplace listing pages where each plugin has a pre-computed level.
+ *
+ * @param subject - Subject's clearance profile
+ * @param plugins - Array of { pluginId, level } pairs
+ * @returns Array of BatchValidationEntry with per-plugin results
+ */
+export declare function batchValidate(subject: TlpClearanceProfile, plugins: Array<{
+    pluginId: string;
+    level: TlpLevel;
+}>): BatchValidationEntry[];
+/**
+ * Returns true if the subject's clearance is sufficient for the given level.
+ * Lightweight alternative to checkClearance() when you only need the boolean.
+ */
+export declare function isCleared(clearance: TlpLevel, required: TlpLevel): boolean;
+/**
+ * Returns the minimum clearance level required to access a resource.
+ * Equivalent to the resource's TLP level — provided for symmetry with checkClearance.
+ */
+export declare function requiredClearance(level: TlpLevel): TlpLevel;
+/**
+ * Returns all TLP levels at or below the given clearance.
+ * Useful for constructing filtered marketplace views.
+ *
+ * @example
+ * ```ts
+ * accessibleLevels('GREEN'); // ['CLEAR', 'GREEN']
+ * accessibleLevels('AMBER'); // ['CLEAR', 'GREEN', 'AMBER']
+ * ```
+ */
+export declare function accessibleLevels(clearance: TlpLevel): TlpLevel[];
+//# sourceMappingURL=tlp-validator.d.ts.map

package/dist/ai/src/plugins/tlp/tlp-validator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tlp-validator.d.ts","sourceRoot":"","sources":["../../../../../packages/ai/src/plugins/tlp/tlp-validator.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,EACL,QAAQ,EAER,mBAAmB,EACnB,uBAAuB,EACvB,uBAAuB,EACxB,MAAM,YAAY,CAAC;AAMpB;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,cAAc,CAC5B,OAAO,EAAE,mBAAmB,EAC5B,QAAQ,EAAE,QAAQ,GACjB,uBAAuB,CAYzB;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,qBAAqB,CACnC,OAAO,EAAE,mBAAmB,EAC5B,cAAc,EAAE,uBAAuB,GACtC,uBAAuB,CAEzB;AAMD,uDAAuD;AACvD,MAAM,WAAW,oBAAoB;IACnC,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,QAAQ,CAAC;IAChB,MAAM,EAAE,uBAAuB,CAAC;CACjC;AAED;;;;;;;GAOG;AACH,wBAAgB,aAAa,CAC3B,OAAO,EAAE,mBAAmB,EAC5B,OAAO,EAAE,KAAK,CAAC;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,QAAQ,CAAA;CAAE,CAAC,GACpD,oBAAoB,EAAE,CAMxB;AAMD;;;GAGG;AACH,wBAAgB,SAAS,CAAC,SAAS,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,GAAG,OAAO,CAE1E;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,QAAQ,GAAG,QAAQ,CAE3D;AAED;;;;;;;;;GASG;AACH,wBAAgB,gBAAgB,CAAC,SAAS,EAAE,QAAQ,GAAG,QAAQ,EAAE,CAGhE"}

package/dist/ai/src/plugins/tlp/tlp-validator.js

@@ -0,0 +1,120 @@
+/**
+ * TLP Clearance Validator for Plugin Marketplace
+ *
+ * Validates whether a user or agent has sufficient TLP clearance to
+ * install or execute a plugin at a given classification level.
+ *
+ * Clearance hierarchy (permissive upward):
+ *   CLEAR ⊂ GREEN ⊂ AMBER ⊂ RED
+ *
+ * A subject with clearance X may access any resource classified at X or below.
+ *
+ * Integration point: pair with classifyPlugin() from tlp-classifier.ts —
+ * classify the plugin first, then call checkClearance() before installing.
+ *
+ * @module plugins/tlp/tlp-validator
+ * @version 1.0.0
+ * @date 2026-02-28
+ * @license MIT
+ */
+import { TLP_RANK, } from './types.js';
+// ---------------------------------------------------------------------------
+// Core clearance check
+// ---------------------------------------------------------------------------
+/**
+ * Checks whether a subject's clearance level permits access to a resource
+ * at the given TLP classification.
+ *
+ * @param subject  - Subject's clearance profile
+ * @param required - Required classification level of the resource
+ * @returns TlpClearanceCheckResult — allowed flag + denial reason if blocked
+ *
+ * @example
+ * ```ts
+ * const result = checkClearance(
+ *   { subjectId: 'user-123', clearance: 'GREEN' },
+ *   'AMBER',
+ * );
+ * result.allowed; // false — GREEN < AMBER
+ * ```
+ */
+export function checkClearance(subject, required) {
+    const allowed = TLP_RANK[subject.clearance] >= TLP_RANK[required];
+    return {
+        allowed,
+        subjectClearance: subject.clearance,
+        requiredClearance: required,
+        denyReason: allowed
+            ? undefined
+            : `Subject "${subject.subjectId}" has TLP:${subject.clearance} clearance ` +
+                `but the resource requires TLP:${required} or higher.`,
+    };
+}
+/**
+ * Validates plugin installation for a given subject.
+ * Convenience wrapper combining a full classification result with a clearance check.
+ *
+ * @param subject        - Subject's clearance profile
+ * @param classification - Full TLP classification result from classifyPlugin()
+ * @returns TlpClearanceCheckResult
+ *
+ * @example
+ * ```ts
+ * const classification = classifyPlugin({ plugin_id: 'x', permissions });
+ * const check = validatePluginInstall(
+ *   { subjectId: 'agent-1', clearance: 'AMBER' },
+ *   classification,
+ * );
+ * if (!check.allowed) throw new Error(check.denyReason);
+ * ```
+ */
+export function validatePluginInstall(subject, classification) {
+    return checkClearance(subject, classification.level);
+}
+/**
+ * Validates multiple plugins against a single subject's clearance.
+ * Useful for marketplace listing pages where each plugin has a pre-computed level.
+ *
+ * @param subject - Subject's clearance profile
+ * @param plugins - Array of { pluginId, level } pairs
+ * @returns Array of BatchValidationEntry with per-plugin results
+ */
+export function batchValidate(subject, plugins) {
+    return plugins.map(({ pluginId, level }) => ({
+        pluginId,
+        level,
+        result: checkClearance(subject, level),
+    }));
+}
+// ---------------------------------------------------------------------------
+// Utility helpers
+// ---------------------------------------------------------------------------
+/**
+ * Returns true if the subject's clearance is sufficient for the given level.
+ * Lightweight alternative to checkClearance() when you only need the boolean.
+ */
+export function isCleared(clearance, required) {
+    return TLP_RANK[clearance] >= TLP_RANK[required];
+}
+/**
+ * Returns the minimum clearance level required to access a resource.
+ * Equivalent to the resource's TLP level — provided for symmetry with checkClearance.
+ */
+export function requiredClearance(level) {
+    return level;
+}
+/**
+ * Returns all TLP levels at or below the given clearance.
+ * Useful for constructing filtered marketplace views.
+ *
+ * @example
+ * ```ts
+ * accessibleLevels('GREEN'); // ['CLEAR', 'GREEN']
+ * accessibleLevels('AMBER'); // ['CLEAR', 'GREEN', 'AMBER']
+ * ```
+ */
+export function accessibleLevels(clearance) {
+    const all = ['CLEAR', 'GREEN', 'AMBER', 'RED'];
+    return all.filter(l => TLP_RANK[l] <= TLP_RANK[clearance]);
+}
+//# sourceMappingURL=tlp-validator.js.map

package/dist/ai/src/plugins/tlp/tlp-validator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tlp-validator.js","sourceRoot":"","sources":["../../../../../packages/ai/src/plugins/tlp/tlp-validator.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,EAEL,QAAQ,GAIT,MAAM,YAAY,CAAC;AAEpB,8EAA8E;AAC9E,uBAAuB;AACvB,8EAA8E;AAE9E;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,UAAU,cAAc,CAC5B,OAA4B,EAC5B,QAAkB;IAElB,MAAM,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC,SAAS,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAElE,OAAO;QACL,OAAO;QACP,gBAAgB,EAAE,OAAO,CAAC,SAAS;QACnC,iBAAiB,EAAE,QAAQ;QAC3B,UAAU,EAAE,OAAO;YACjB,CAAC,CAAC,SAAS;YACX,CAAC,CAAC,YAAY,OAAO,CAAC,SAAS,aAAa,OAAO,CAAC,SAAS,aAAa;gBACxE,iCAAiC,QAAQ,aAAa;KAC3D,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,UAAU,qBAAqB,CACnC,OAA4B,EAC5B,cAAuC;IAEvC,OAAO,cAAc,CAAC,OAAO,EAAE,cAAc,CAAC,KAAK,CAAC,CAAC;AACvD,CAAC;AAaD;;;;;;;GAOG;AACH,MAAM,UAAU,aAAa,CAC3B,OAA4B,EAC5B,OAAqD;IAErD,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC,EAAE,QAAQ,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC,CAAC;QAC3C,QAAQ;QACR,KAAK;QACL,MAAM,EAAE,cAAc,CAAC,OAAO,EAAE,KAAK,CAAC;KACvC,CAAC,CAAC,CAAC;AACN,CAAC;AAED,8EAA8E;AAC9E,kBAAkB;AAClB,8EAA8E;AAE9E;;;GAGG;AACH,MAAM,UAAU,SAAS,CAAC,SAAmB,EAAE,QAAkB;IAC/D,OAAO,QAAQ,CAAC,SAAS,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,CAAC;AACnD,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,iBAAiB,CAAC,KAAe;IAC/C,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,gBAAgB,CAAC,SAAmB;IAClD,MAAM,GAAG,GAAe,CAAC,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,KAAK,CAAC,CAAC;IAC3D,OAAO,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC;AAC7D,CAAC"}

package/dist/ai/src/plugins/tlp/types.d.ts

@@ -0,0 +1,84 @@
+/**
+ * TLP Classification Types for Plugin Marketplace
+ *
+ * Implements TLP 2.0 (Traffic Light Protocol) classification for plugins,
+ * mapping permission profiles to appropriate distribution levels.
+ *
+ * @see https://www.first.org/tlp/
+ * @module plugins/tlp/types
+ * @version 1.0.0
+ * @date 2026-02-28
+ * @license MIT
+ */
+import type { PluginPermissions } from '../permissions/types.js';
+/**
+ * TLP 2.0 classification levels, ordered from lowest to highest sensitivity.
+ *
+ * - CLEAR: No restriction. Safe to redistribute publicly.
+ * - GREEN: Limited community distribution. Share within the organization.
+ * - AMBER: Limited distribution. Need-to-know basis inside the organization.
+ * - RED: Restricted. Individual recipients only; not for redistribution.
+ */
+export type TlpLevel = 'CLEAR' | 'GREEN' | 'AMBER' | 'RED';
+/** Numeric severity for ordering/comparison */
+export declare const TLP_RANK: Record<TlpLevel, number>;
+/** Visual badge metadata for marketplace UI rendering */
+export interface TlpBadge {
+    /** TLP level this badge represents */
+    level: TlpLevel;
+    /** Hex background color per TLP 2.0 spec */
+    color: string;
+    /** Human-readable label */
+    label: string;
+    /** Short tooltip shown on hover */
+    tooltip: string;
+    /** Longer description for detail views */
+    description: string;
+}
+/** Single rule that contributed to a TLP classification decision */
+export interface TlpClassificationReason {
+    /** The rule identifier */
+    rule: string;
+    /** Human-readable explanation */
+    reason: string;
+    /** The TLP level this rule produces */
+    level: TlpLevel;
+}
+/** Full result returned by the TLP classifier */
+export interface TlpClassificationResult {
+    /** Final assigned TLP level (highest level among triggered rules) */
+    level: TlpLevel;
+    /** All rules that were triggered */
+    reasons: TlpClassificationReason[];
+    /** Whether ANY elevated rule was triggered (AMBER or RED) */
+    elevated: boolean;
+    /** Badge metadata for UI rendering */
+    badge: TlpBadge;
+}
+/** User or agent TLP clearance profile */
+export interface TlpClearanceProfile {
+    /** Maximum TLP level the subject is cleared to access */
+    clearance: TlpLevel;
+    /** Subject identifier (user ID, agent name, etc.) */
+    subjectId: string;
+}
+/** Result of a clearance check */
+export interface TlpClearanceCheckResult {
+    /** Whether the subject is cleared to access the resource */
+    allowed: boolean;
+    /** Subject's clearance level */
+    subjectClearance: TlpLevel;
+    /** Required clearance level */
+    requiredClearance: TlpLevel;
+    /** Human-readable denial reason when allowed=false */
+    denyReason?: string;
+}
+/**
+ * Minimal plugin descriptor accepted by the TLP classifier.
+ * Accepts the full PluginPermissions type — extra fields are ignored.
+ */
+export interface PluginTlpInput {
+    plugin_id: string;
+    permissions: PluginPermissions;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/ai/src/plugins/tlp/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../../../packages/ai/src/plugins/tlp/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAMjE;;;;;;;GAOG;AACH,MAAM,MAAM,QAAQ,GAAG,OAAO,GAAG,OAAO,GAAG,OAAO,GAAG,KAAK,CAAC;AAE3D,+CAA+C;AAC/C,eAAO,MAAM,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,MAAM,CAK7C,CAAC;AAMF,yDAAyD;AACzD,MAAM,WAAW,QAAQ;IACvB,sCAAsC;IACtC,KAAK,EAAE,QAAQ,CAAC;IAChB,4CAA4C;IAC5C,KAAK,EAAE,MAAM,CAAC;IACd,2BAA2B;IAC3B,KAAK,EAAE,MAAM,CAAC;IACd,mCAAmC;IACnC,OAAO,EAAE,MAAM,CAAC;IAChB,0CAA0C;IAC1C,WAAW,EAAE,MAAM,CAAC;CACrB;AAMD,oEAAoE;AACpE,MAAM,WAAW,uBAAuB;IACtC,0BAA0B;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,iCAAiC;IACjC,MAAM,EAAE,MAAM,CAAC;IACf,uCAAuC;IACvC,KAAK,EAAE,QAAQ,CAAC;CACjB;AAED,iDAAiD;AACjD,MAAM,WAAW,uBAAuB;IACtC,qEAAqE;IACrE,KAAK,EAAE,QAAQ,CAAC;IAChB,oCAAoC;IACpC,OAAO,EAAE,uBAAuB,EAAE,CAAC;IACnC,6DAA6D;IAC7D,QAAQ,EAAE,OAAO,CAAC;IAClB,sCAAsC;IACtC,KAAK,EAAE,QAAQ,CAAC;CACjB;AAMD,0CAA0C;AAC1C,MAAM,WAAW,mBAAmB;IAClC,yDAAyD;IACzD,SAAS,EAAE,QAAQ,CAAC;IACpB,qDAAqD;IACrD,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,kCAAkC;AAClC,MAAM,WAAW,uBAAuB;IACtC,4DAA4D;IAC5D,OAAO,EAAE,OAAO,CAAC;IACjB,gCAAgC;IAChC,gBAAgB,EAAE,QAAQ,CAAC;IAC3B,+BAA+B;IAC/B,iBAAiB,EAAE,QAAQ,CAAC;IAC5B,sDAAsD;IACtD,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAMD;;;GAGG;AACH,MAAM,WAAW,cAAc;IAC7B,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,iBAAiB,CAAC;CAChC"}

package/dist/ai/src/plugins/tlp/types.js

@@ -0,0 +1,20 @@
+/**
+ * TLP Classification Types for Plugin Marketplace
+ *
+ * Implements TLP 2.0 (Traffic Light Protocol) classification for plugins,
+ * mapping permission profiles to appropriate distribution levels.
+ *
+ * @see https://www.first.org/tlp/
+ * @module plugins/tlp/types
+ * @version 1.0.0
+ * @date 2026-02-28
+ * @license MIT
+ */
+/** Numeric severity for ordering/comparison */
+export const TLP_RANK = {
+    CLEAR: 0,
+    GREEN: 1,
+    AMBER: 2,
+    RED: 3,
+};
+//# sourceMappingURL=types.js.map

package/dist/ai/src/plugins/tlp/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../../../../packages/ai/src/plugins/tlp/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAkBH,+CAA+C;AAC/C,MAAM,CAAC,MAAM,QAAQ,GAA6B;IAChD,KAAK,EAAE,CAAC;IACR,KAAK,EAAE,CAAC;IACR,KAAK,EAAE,CAAC;IACR,GAAG,EAAI,CAAC;CACT,CAAC"}

package/dist/ai/src/resource-monitor.d.ts

@@ -10,7 +10,7 @@
  * @date 2026-02-15
  * @module dcyfr-ai/resource-monitor
  */
-import { EventEmitter } from 'events';
+import { EventEmitter } from 'node:events';
 import { PerformanceProfiler } from './performance-profiler.js';
 /**
  * System resource usage snapshot